From 35c7a5982639ba2e965e0c62faa608b68797cac8 Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Wed, 3 Jul 2019 16:14:30 +1000 Subject: [PATCH 1/3] Initial secrets change after Retry This was implied, but not explicit previously. Closes #2823. --- draft-ietf-quic-tls.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 373a99e628..0ae2aa9d68 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -800,8 +800,8 @@ modifying the contents of packets from future versions. The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initial packets even where the TLS versions offered do not include TLS 1.3. -{{test-vectors-initial}} contains test vectors for the initial packet -encryption. +The secrets used for protecting Initial packets changes when a server sends a +Retry packet to use the connection ID value selected by the server. Note: @@ -811,6 +811,9 @@ Note: that the server received its packet; the client has to rely on the exchange that included the Retry packet for that property. +{{test-vectors-initial}} contains test vectors for the initial packet +encryption. + ## AEAD Usage {#aead} From b71c607b6e43bf5ae79b5859b1aabc6c936ad0bd Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 4 Jul 2019 11:16:07 +1000 Subject: [PATCH 2/3] First Initial is misleading --- draft-ietf-quic-tls.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index 0ae2aa9d68..ce449bcc2d 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -767,8 +767,7 @@ TLS 1.3 (see {{initial-secrets}}). ## Initial Secrets {#initial-secrets} Initial packets are protected with a secret derived from the Destination -Connection ID field from the client's first Initial packet of the -connection. Specifically: +Connection ID field from the client's Initial packet. Specifically: ~~~ initial_salt = 0x7fbcdb0e7c66bbe9193a96cd21519ebd7a02644a @@ -801,7 +800,9 @@ The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initial packets even where the TLS versions offered do not include TLS 1.3. The secrets used for protecting Initial packets changes when a server sends a -Retry packet to use the connection ID value selected by the server. +Retry packet to use the connection ID value selected by the server. The secrets +do not change when a client changes the Destination Connection ID it uses in +response to an Initial packet from the server. Note: From 78520c873f5ea45399d683e32f8437c87c79736a Mon Sep 17 00:00:00 2001 From: Martin Thomson Date: Thu, 8 Aug 2019 09:25:51 +1000 Subject: [PATCH 3/3] Un- plural Co-Authored-By: Mike Bishop --- draft-ietf-quic-tls.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-quic-tls.md b/draft-ietf-quic-tls.md index ce449bcc2d..90a47cbc56 100644 --- a/draft-ietf-quic-tls.md +++ b/draft-ietf-quic-tls.md @@ -799,7 +799,7 @@ modifying the contents of packets from future versions. The HKDF-Expand-Label function defined in TLS 1.3 MUST be used for Initial packets even where the TLS versions offered do not include TLS 1.3. -The secrets used for protecting Initial packets changes when a server sends a +The secrets used for protecting Initial packets change when a server sends a Retry packet to use the connection ID value selected by the server. The secrets do not change when a client changes the Destination Connection ID it uses in response to an Initial packet from the server.