Hi, Thank you very much for the clarification and the advise.
I had indeed forgotten to consider the client certificate and its verify message. iPhoneから送信 2016/10/07 19:14、Ilari Liusvaara <ilariliusva...@welho.com> のメッセージ: >> On Fri, Oct 07, 2016 at 06:41:35PM +0900, Kazuho Oku wrote: >> Hi, >> >> Recently I have started writing a TLS 1.3 implementation. While >> working on it, I have noticed the following. >> >> In section 4.4.3, the hash value used for building the HMAC is defined >> as: Hash(Handshake Context + Certificate* + CertificateVerify*). >> >> For ServerFinished, this corresponds to the statement following the >> formula that states, quote: >> >> the HMAC input can generally be implemented by a running hash, >> i.e., just the handshake hash at this point. >> >> since Handshake Context for 1-RTT server is (as defined in section >> 4.4): ClientHello … later of EncryptedExtensions/CertificateRequest. >> >> However, for ClientFinished, the two descriptions do not match, since >> Handshake Context for 1RTT client is: ClientHello … ServerFinished. >> >> If we follow the way it is defined in the formula, then Certificate >> and CertificateVerify needs to be applied to the hash after >> ServerFinished, which is in discordance with the statement that it >> could be implemented using a running hash. > > Nope, it is a running hash: > > The server Finished includes the following messages, in this order: > > - ClientHello > - HelloRetryRequest (if sent) > - Clienthello (another, if HRR was sent) > - ServerHello > - EncryptedExtensions > - CertificateRequest (if sent) > - Certificate (server's) > - CertificateVerify (server's) > > And this exactly corresponds to the send/receive order. > > > The client finished includes, in this order: > > - ClientHello > - HelloRetryRequest (if sent) > - Clienthello (another, if HRR was sent) > - ServerHello > - EncryptedExtensions > - CertificateRequest (if sent) > - Certificate (server's) > - CertificateVerify (server's) > - Finished (server's) > - Certificate (client's, if CR was sent). > - CertificateVerify (client's, if non-empty client cert was sent) > > And this exactly corresponds to the send/receive order. > > > One place to be careful of is client application keys: The hash used > for those is taken immediately after ServerFinished, but the keys are > only commissioned after ClientFinished (whereas server keys have the > hash taken in the same time as those are commissioned in). > > > > -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
