From d4430c888ac4f9391e43515b9ed13c42e3adb703 Mon Sep 17 00:00:00 2001 From: Dave Garrett Date: Fri, 21 Aug 2015 19:47:00 -0400 Subject: [PATCH] new random on retry --- draft-ietf-tls-tls13.md | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/draft-ietf-tls-tls13.md b/draft-ietf-tls-tls13.md index a03853a05..cb6f429fd 100644 --- a/draft-ietf-tls-tls13.md +++ b/draft-ietf-tls-tls13.md @@ -872,7 +872,9 @@ master secret client random -: A 32-byte value provided by the client. +: A 32-byte value provided by the client. In the event of a + HelloRetryRequest, the client random from the accepted ClientHello + is used and the prior attempt's value is discarded. server random @@ -1847,7 +1849,9 @@ client_version {{backward-compatibility}} for details about backward compatibility.) random -: A client-generated random structure. +: A client-generated random structure. This value MUST be separately + generated for every ClientHello message, including retries in response + to a HelloRetryRequest. session_id : Versions of TLS prior to TLS 1.3 supported a session resumption 
@@ -1984,14 +1988,16 @@ Upon receipt of a HelloRetryRequest, the client MUST first verify that the "selected_group" field does not identify a group which was not in the original ClientHello. If it was present, then the client MUST abort the handshake with a fatal "handshake_failure" -alert. Clients SHOULD also abort with "handshake_failure" in response to any second -HelloRetryRequest which was sent in the same connection (i.e., -where the ClientHello was itself in response to a HelloRetryRequest). +alert. Clients SHOULD also abort with "handshake_failure" in response +to any second HelloRetryRequest which was sent in the same connection +(i.e., where the ClientHello was itself in response to a HelloRetryRequest). Otherwise, the client MUST send a ClientHello with a new ClientKeyShare extension to the server. The ClientKeyShare MUST append a new ClientKeyShareOffer which is consistent with the "selected_group" field to the groups in the original ClientKeyShare. +The ClientHello.random value MUST be newly generated and servers +MAY reject retried ClientHello messages that reuse random values. Upon re-sending the ClientHello and receiving the server's ServerHello/ServerKeyShare, the client MUST verify that @@ -2907,8 +2913,8 @@ Structure of this message: } } CertificateVerify; -> Where session_hash is as described in {{the-handshake-hash}} and -includes the messages sent or received, starting at ClientHello and up +> Where handshake_hash is as described in {{the-handshake-hash}} and includes +all messages sent or received, starting at the initial ClientHello and up to, but not including, this message, including the type and length fields of the handshake messages. This is a digest of the concatenation of all the Handshake structures (as defined in
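Review bot: In the @@ -872 hunk, "the accepted ClientHello" in the client random definition is not a defined term, and "the prior attempt's value is discarded" reads as if the first ClientHello stops mattering entirely, while the @@ -2907 hunk says the handshake hash covers all messages "starting at the initial ClientHello". Suggest naming the message directly (for example "the ClientHello sent in response to the HelloRetryRequest") and stating that the earlier value is dropped only as the client random, not from the handshake hash.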
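Review bot: In the @@ -1847 hunk, "MUST be separately generated" on the random field is vaguer than the "MUST be newly generated" used in the @@ -1984 hunk, and the same requirement is now stated normatively in two places. Suggest one wording for both that says the value is fresh and independent of the random in any earlier ClientHello on the connection, and keeping the MUST in one place with a reference from the other so the two cannot drift apart in later edits.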
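Review bot: In the @@ -1984 hunk, the added sentence "servers MAY reject retried ClientHello messages that reuse random values" names no alert, while every other abort case in this paragraph specifies a fatal "handshake_failure". Suggest stating which alert the server sends on rejection. The check also implies the server compares against the random from the first ClientHello, so the text should say that this is the value being compared, since the @@ -872 hunk describes that value as discarded.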
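Review bot: In the @@ -2907 hunk, the rename from session_hash to handshake_hash in the CertificateVerify description is the only rename in this patch (the 13 insertions and 7 deletions in the diffstat are all accounted for by the four hunks), so any other use of session_hash in the draft, including the structure this paragraph describes, needs checking for consistency. The rename and the change to "all messages ... starting at the initial ClientHello" are also not covered by the subject "new random on retry"; suggest mentioning them in the commit message or splitting them into their own commit.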