Re: TLS 1.2 PRF incorrect

From: Simon Josefsson
Subject: Re: TLS 1.2 PRF incorrect
Date: Fri, 19 Dec 2008 12:13:05 +0100
User-agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.0.60 (gnu/linux)

Crispin Flowerday <address@hidden> writes:

> Hi,
> I have recently been looking at TLS 1.2 support, which gnutls claims to
> implement. However the PRF is wrong (gnutls_state.c::_gnutls_PRF()):
>   if (ver >= GNUTLS_TLS1_2)
>     {
>       result =
>      _gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,
>                s_seed, s_seed_size, total_bytes, ret);
>    ...
> Note the use of SHA1. RFC 5246, section 5 says:
> "In this section, we define one PRF, based on HMAC.  This PRF with the
> SHA-256 hash function is used for all cipher suites defined in this
> document and in TLS documents published prior to this document when
> TLS 1.2 is negotiated."
> Appendix A.6 (Security Parameters) also clearly shows that the
> PRFAlgorithm is sha-256.
> I assume this is a hang-over from when TLS 1.2 was still draft and the
> PRF was using sha-1. I haven't been able to investigate whether there
> are other implementation errors against the RFC.

Indeed, the TLS 1.2 support in GnuTLS is against an earlier draft.  I
hope we can bring this up to the RFC before the GnuTLS 2.8 release.
Help wanted!  It should be much easier to finish this now when there are
multiple TLS 1.2 implementations around, compared to before when there
were none.  Connect it to a known working TLS 1.2 implementation and
debug and fix each failure until it works...
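As an added example (not GnuTLS code), the RFC 5246 section 5 PRF in Python, with the underlying hash made a parameter so the draft-era SHA-1 construction quoted in the report can be placed beside the SHA-256 construction the RFC mandates; the pre-master secret and random values are constructed placeholders, and a peer that still derives with SHA-1 will compute a different master secret and fail the Finished check.

```python
import hmm  # noqa: F401  (placeholder removed below)
```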


reply via email to

[Prev in Thread] Current Thread [Next in Thread]