
TLS 1.2 PRF incorrect

From: Crispin Flowerday
Subject: TLS 1.2 PRF incorrect
Date: Thu, 18 Dec 2008 13:00:40 +0000


I have recently been looking at TLS 1.2 support, which gnutls claims to
implement. However the PRF is wrong (gnutls_state.c::_gnutls_PRF()):

  if (ver >= GNUTLS_TLS1_2)
    result =
      _gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,
                      s_seed, s_seed_size, total_bytes, ret);


Note the use of SHA1. RFC 5246, section 5 says:

"In this section, we define one PRF, based on HMAC.  This PRF with the
SHA-256 hash function is used for all cipher suites defined in this
document and in TLS documents published prior to this document when
TLS 1.2 is negotiated."

Appendix A.6 (Security Parameters) also clearly shows that the
PRFAlgorithm is sha-256.

I assume this is a hang-over from when TLS 1.2 was still draft and the
PRF was using sha-1. I haven't been able to investigate whether there
are other implementation errors against the RFC.



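For reference, here is the PRF as RFC 5246 section 5 defines it, written out as an added example in Python (this is not gnutls code and not part of the original message). It builds P_hash generically, instantiates it as P_SHA256 for TLS 1.2, and beside it computes what a P_SHA1-only branch like the one quoted above would produce, plus the TLS 1.0/1.1 PRF from RFC 2246/4346 for contrast. The function names, and the premaster secret and randoms used in the demo, are constructed for the example; the master secret derivation follows RFC 5246 section 8.1.

```python
import hmac

# Added example, not gnutls code. Implements the PRF of RFC 5246 section 5:
#   P_hash(secret, seed) = HMAC_hash(secret, A(1) + seed) +
#                          HMAC_hash(secret, A(2) + seed) + ...
#   A(0) = seed, A(i) = HMAC_hash(secret, A(i-1))
#   PRF(secret, label, seed) = P_SHA256(secret, label + seed)
# Function names and the sample values under __main__ are constructed here.


def hmac_hash(hash_name, key, msg):
    """HMAC_<hash>(key, msg) as raw bytes."""
    return hmac.new(key, msg, hash_name).digest()


def p_hash(hash_name, secret, seed, nbytes):
    """Data-expansion function P_<hash>, truncated to nbytes."""
    out = b""
    a = seed  # A(0)
    while len(out) < nbytes:
        a = hmac_hash(hash_name, secret, a)           # A(i) = HMAC(secret, A(i-1))
        out += hmac_hash(hash_name, secret, a + seed)  # HMAC(secret, A(i) + seed)
    return out[:nbytes]


def prf_tls12(secret, label, seed, nbytes):
    """RFC 5246 PRF: P_SHA256 over the whole secret, for every suite
    that does not name its own PRF hash."""
    return p_hash("sha256", secret, label + seed, nbytes)


def prf_tls12_sha1_bug(secret, label, seed, nbytes):
    """What a P_SHA1-only branch computes: P_SHA1 over the whole secret.
    This matches neither the TLS 1.2 PRF nor the TLS 1.0/1.1 one."""
    return p_hash("sha1", secret, label + seed, nbytes)


def split_secret(secret):
    """RFC 2246 section 5 secret split: S1 = first half, S2 = last half,
    sharing the middle byte when the length is odd."""
    half = (len(secret) + 1) // 2
    return secret[:half], secret[-half:]


def prf_tls10(secret, label, seed, nbytes):
    """RFC 2246/4346 PRF: P_MD5(S1, label + seed) XOR P_SHA1(S2, label + seed)."""
    s1, s2 = split_secret(secret)
    md5_part = p_hash("md5", s1, label + seed, nbytes)
    sha1_part = p_hash("sha1", s2, label + seed, nbytes)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def master_secret(prf, pre_master_secret, client_random, server_random):
    """RFC 5246 section 8.1: the 48-byte master secret derived from the
    premaster secret and ClientHello.random + ServerHello.random."""
    return prf(pre_master_secret, b"master secret",
               client_random + server_random, 48)


if __name__ == "__main__":
    # Constructed sample values, not a captured handshake.
    pms = bytes(range(48))
    client_random = bytes([0x11]) * 32
    server_random = bytes([0x22]) * 32
    rfc = master_secret(prf_tls12, pms, client_random, server_random)
    sha1_only = master_secret(prf_tls12_sha1_bug, pms, client_random, server_random)
    print("RFC 5246 master secret  :", rfc.hex())
    print("P_SHA1-only master secret:", sha1_only.hex())
    print("peers would disagree     :", rfc != sha1_only)
```

Run it and the two master secrets differ, which is the practical effect of the wrong hash: an implementation using P_SHA1 under a negotiated TLS 1.2 version derives different keys from a conforming peer, and the first Finished message fails to verify. The same `p_hash` also covers suites that specify SHA-384 as their PRF hash; only the `hash_name` argument changes.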