TLS 1.2 PRF incorrect

Simon Josefsson simon at josefsson.org
Fri Dec 19 12:13:05 CET 2008


Crispin Flowerday <gnome at flowerday.cx> writes:

> Hi,
>
> I have recently been looking at TLS 1.2 support, which gnutls claims to
> implement. However the PRF is wrong (gnutls_state.c::_gnutls_PRF()):
>
>   if (ver >= GNUTLS_TLS1_2)
>     {
>       result =
>      _gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,
>                s_seed, s_seed_size, total_bytes, ret);
>
>    ...
>
> Note the use of SHA1. RFC 5246, section 5 says:
>
> "In this section, we define one PRF, based on HMAC.  This PRF with the
> SHA-256 hash function is used for all cipher suites defined in this
> document and in TLS documents published prior to this document when
> TLS 1.2 is negotiated."
>
> Appendix A.6 (Security Parameters) also clearly shows that the
> PRFAlgorithm is sha-256.
>
> I assume this is a hang-over from when TLS 1.2 was still draft and the
> PRF was using sha-1. I haven't been able to investigate whether there
> are other implementation errors against the RFC.

Indeed, the TLS 1.2 support in GnuTLS is against an earlier draft.  I
hope we can bring this up to the RFC before the GnuTLS 2.8 release.
Help wanted!  It should be much easier to finish this now when there are
multiple TLS 1.2 implementations around, compared to before when there
were none.  Connect it to a known working TLS 1.2 implementation and
debug and fix each failure until it works...

/Simon
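An added example, not part of the original thread and not GnuTLS code: the P_hash construction from RFC 5246 section 5, run once with SHA-256 and once with SHA-1 over the same inputs, to show that the two sides of a handshake derive different Finished `verify_data` when one of them still uses the SHA-1 variant. The master secret and transcript hash are constructed sample values, and the transcript hash is held fixed to isolate the PRF difference.

```python
import hashlib
import hmac


def p_hash(hash_name, secret, seed, length):
    """P_hash(secret, seed) from RFC 5246 section 5."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length, hash_name="sha256"):
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed)."""
    return p_hash(hash_name, secret, label + seed, length)


def finished_verify_data(master_secret, handshake_hash, hash_name):
    """First 12 bytes of PRF(master_secret, "client finished", handshake_hash)."""
    return tls12_prf(master_secret, b"client finished", handshake_hash, 12, hash_name)


# Constructed sample inputs (assumptions, not values from a real handshake).
MASTER_SECRET = bytes(range(48))
HANDSHAKE_HASH = hashlib.sha256(b"constructed handshake transcript").digest()


def compare_prf_variants():
    """Return (verify_data with SHA-256 PRF, verify_data with SHA-1 PRF)."""
    rfc = finished_verify_data(MASTER_SECRET, HANDSHAKE_HASH, "sha256")
    sha1_variant = finished_verify_data(MASTER_SECRET, HANDSHAKE_HASH, "sha1")
    return rfc, sha1_variant


if __name__ == "__main__":
    rfc, sha1_variant = compare_prf_variants()
    print("P_SHA256 verify_data:", rfc.hex())
    print("P_SHA1   verify_data:", sha1_variant.hex())
    print("peers agree:", hmac.compare_digest(rfc, sha1_variant))
```

A peer that checks the other side's Finished message with the SHA-256 PRF rejects `verify_data` produced with the SHA-1 variant, so the mismatch shows up as a handshake failure at the Finished step.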




