author | Daiki Ueno <ueno@gnu.org> | 2021-04-23 15:36:37 +0200
---|---|---
committer | Daiki Ueno <ueno@gnu.org> | 2021-04-25 08:42:47 +0200
commit | 0e1f1f0558e733c39a55172fecbb42c96abc31d3 (patch) |
tree | ef96a8e807d84388d3a57081163c4446ae76753a /NEWS |
parent | badb8e4a67bd0b5657f5f7d2fe4d48f2bba30283 (diff) |
download | gnutls-0e1f1f0558e733c39a55172fecbb42c96abc31d3.tar.gz |
handshake: fix timing of sending early data
Previously, the client was sending early data after receiving a Server
Hello message, which not only negates the benefit of 0-RTT, but also
was a logic error as it can only be decrypted by the server when the
initial handshake and the resuming handshake agree on the same
ciphersuites. This fixes that behavior in the following ways:
- extend the session data format to include the selected ciphersuites,
even in TLS 1.3
- set up the epoch for early data right before the client sends
early data (and right after the server decides to accept early
data).
- extend the test case to use different ciphersuites in the initial
and resuming handshakes
Signed-off-by: Daiki Ueno <ueno@gnu.org>
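A small model of the key-derivation consequence the commit message describes, added here as an illustration and not code from GnuTLS or this commit: it derives the TLS 1.3 client_early_traffic_secret (RFC 8446 section 7.1) with Python's hashlib from a constructed ticket, and contrasts keying early data from the ciphersuite stored with the PSK (the fixed timing) against keying it from whatever suite the resumption ServerHello selects (my assumption about how the old behaviour manifested). The ticket, PSK and ClientHello bytes are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed values (not from the commit): a resumption ticket holding the PSK together with
# the hash of the suite negotiated in the initial handshake (what the commit adds to the
# session data), and a stand-in ClientHello transcript.
TICKET = {"psk": b"\x01" * 32, "hash": "sha256"}   # initial handshake used a *_SHA256 suite
CLIENT_HELLO = b"ClientHello-with-pre_shared_key-and-early_data"

def hkdf_extract(salt, ikm, h):
    return hmac.new(salt, ikm, h).digest()

def hkdf_expand_label(secret, label, context, length, h):
    # RFC 8446 section 7.1: HkdfLabel = uint16 length, "tls13 " + label, context
    full = b"tls13 " + label
    info = struct.pack(">H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), h).digest()
        out += block
        counter += 1
    return out[:length]

def client_early_traffic_secret(psk, hash_name, client_hello):
    # Early Secret = HKDF-Extract(0, PSK); then Derive-Secret(., "c e traffic", ClientHello)
    h = getattr(hashlib, hash_name)
    early_secret = hkdf_extract(bytes(h().digest_size), psk, h)
    transcript = h(client_hello).digest()
    return hkdf_expand_label(early_secret, b"c e traffic", transcript, h().digest_size, h)

def server_early_key(ticket, client_hello):
    # Server side: early data is keyed by the suite bound to the PSK (RFC 8446 section 4.2.10)
    return client_early_traffic_secret(ticket["psk"], ticket["hash"], client_hello)

def client_key_fixed(ticket, client_hello):
    # Fixed timing: the early-data epoch is set up from the stored suite before any ServerHello
    return client_early_traffic_secret(ticket["psk"], ticket["hash"], client_hello)

def client_key_old_model(ticket, client_hello, negotiated_hash):
    # Model of the old behaviour (assumption): wait for ServerHello and key early data with
    # whatever suite the resumption handshake selected
    return client_early_traffic_secret(ticket["psk"], negotiated_hash, client_hello)

def early_data_decryptable(client_key, ticket, client_hello):
    # True only when the client's early key matches the one the server derives from the ticket
    return hmac.compare_digest(client_key, server_early_key(ticket, client_hello))
```

With the resumption handshake selecting a SHA-384 suite, only the fixed derivation matches the server's key; with the same suite on both handshakes the old model also matches, which is why the bug stayed hidden until the test case used different suites.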
Diffstat (limited to 'NEWS')
-rw-r--r-- | NEWS | 5 |
1 files changed, 5 insertions, 0 deletions
@@ -14,6 +14,11 @@ See the end for copying conditions. This can be enabled with --enable-afalg configure option, when libkcapi package is installed (#308). +** libgnutls: Fixed timing of early data exchange. Previously, the client was + sending early data after receiving Server Hello, which not only negates the + benefit of 0-RTT, but also works under certain assumptions hold (e.g., the + same ciphersuite is selected in initial and resumption handshake) (#1146). + * Version 3.7.1 (released 2021-03-10) ** libgnutls: Fixed potential use-after-free in sending "key_share" |
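Review bot: the second sentence of the new NEWS entry is ungrammatical and reads as if the old behaviour "works": "but also works under certain assumptions hold" should be "but also only works when certain assumptions hold", matching the commit message's "can only be decrypted by the server when the initial handshake and the resuming handshake agree on the same ciphersuites". The entry also omits the session data format change the commit message lists ("extend the session data format to include the selected ciphersuites, even in TLS 1.3"); users who persist or exchange serialized session data across versions would want that noted in NEWS as well.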