On Tue, Oct 24, 2017 at 12:42:01AM +0000, Andrei Popov wrote:
> Draft-21 says:
> "Handshake messages MUST NOT span key changes.  Implementations
>   MUST verify that all messages immediately preceding a key change
>   align with a record boundary; if not, then they MUST terminate the
>   connection with an "unexpected_message" alert.  Because the
>   ClientHello, EndOfEarlyData, ServerHello, Finished, and KeyUpdate
>   messages can immediately precede a key change, implementations
>   MUST send these messages in alignment with a record boundary."
> 
> It is not clear to me what "sending messages in alignment with a record 
> boundary" means.
> Does it mean that each record is either all plaintext or all encrypted with 
> key X?

Yes, where key X could be the client/server handshake, traffic secret,
etc.

> And therefore one cannot combine, e.g., ServerHello (plaintext) and
> EncryptedExtensions (encrypted with the handshake traffic key)
> messages in one record?

Correct. And before you switch to a new cipher context, you MUST check
that you have no more remaining data in the record. For example, no more
data is allowed in the same record following the Server Hello. And the
record after the Server Hello is an encrypted record containing
Encrypted Extensions (encrypted with the server handshake secret).
-- 
Kind regards,
Peter Wu
https://lekensteyn.nl

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
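
The receiver-side check discussed in this thread, as an added example that is not part of the original messages or of any TLS library: a handshake reassembler that rejects bytes following one of the listed messages in the same record, and any partial message pending at a key change. The class and helper names and the sample messages are constructed; it assumes record payloads are already decrypted and carry only handshake content.

```python
KEY_CHANGE_TYPES = {1, 2, 5, 20, 24}  # ClientHello, ServerHello, EndOfEarlyData, Finished, KeyUpdate
UNEXPECTED_MESSAGE = 10  # TLS alert description code

class TLSAlert(Exception):
    def __init__(self, code, reason):
        super().__init__(reason)
        self.code = code

class HandshakeReassembler:
    """Reassembles handshake messages from already-decrypted record payloads."""
    def __init__(self):
        self.buf = b""

    def feed(self, record_payload):
        """Add one record's payload; return the complete (type, body) messages."""
        self.buf += record_payload
        out = []
        while len(self.buf) >= 4:
            msg_type = self.buf[0]
            length = int.from_bytes(self.buf[1:4], "big")
            if len(self.buf) < 4 + length:
                break  # message continues in the next record, under the same keys
            out.append((msg_type, self.buf[4:4 + length]))
            self.buf = self.buf[4 + length:]
            # Leftover bytes would belong to a message sent under the old keys.
            if msg_type in KEY_CHANGE_TYPES and self.buf:
                raise TLSAlert(UNEXPECTED_MESSAGE, f"data follows type {msg_type} in same record")
        return out

    def before_key_change(self):
        """Call before installing new keys: no partial message may be pending."""
        if self.buf:
            raise TLSAlert(UNEXPECTED_MESSAGE, "handshake message spans key change")

def hs(msg_type, body):  # hypothetical helper: 1-byte type, 3-byte length, body
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def alert_code(records):
    """Feed records, then change keys; return the alert code raised, or None."""
    r = HandshakeReassembler()
    try:
        for rec in records:
            r.feed(rec)
        r.before_key_change()
    except TLSAlert as alert:
        return alert.code
    return None

# Constructed sample messages (bodies are placeholders, not valid TLS structures).
SH, EE = hs(2, b"\x03\x03" + bytes(32)), hs(8, b"\x00\x00")
```

`alert_code([SH + EE])` returns 10 because EncryptedExtensions shares a record with ServerHello, while `alert_code([SH[:10], SH[10:]])` returns `None`: fragmenting one message across records under the same keys is allowed.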
