Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Relax computation of the acceptance signal. #420

Merged
merged 2 commits into from
Apr 19, 2021
Merged

Relax computation of the acceptance signal. #420

merged 2 commits into from
Apr 19, 2021

Conversation

chris-wood
Copy link
Collaborator

@chris-wood chris-wood commented Apr 14, 2021
edited
Loading

We previously derived the acceptance signal from the handshake secret.
This meant that clients which used the wrong ECHConfig might need to
process ServerHello extensions twice before computing the signal, which
can be problematic for some libraries. Given that the signal's secrecy
is entirely dependent on ClientHelloInner.random, we can relax the signal
computation and base it on the transcript alone, which includes
ClientHelloInner.random, rather than a secret derived from that transcript.

Closes #399.

cc @davidben, @cjpatton, @sftcd

@chris-wood
Relax computation of the acceptance signal.
2859bab 
We previously derived the acceptance signal from the handshake secret.
This meant that clients which used the wrong ECHConfig might need to
process ServerHello extensions twice before computing the sigal, which
can be problematic for some libraries. Given that the signal's secrecy
is entirely dependent on ClientHelloInner.random, we can relax the signal
computation and base it on the transcript alone, which includes
ClientHelloInner.random, rather than a secret derived from that transcript.

Closes #399.
@sftcd
Copy link
Collaborator

sftcd commented Apr 14, 2021 via email

@cjpatton cjpatton mentioned this pull request Apr 15, 2021
Merged
martinthomson
martinthomson approved these changes Apr 19, 2021
View reviewed changes
Copy link
Contributor

@martinthomson martinthomson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine to me.

draft-ietf-tls-esni.md Outdated Show resolved Hide resolved
@chris-wood chris-wood merged commit 5a37838 into master Apr 19, 2021
@cjpatton cjpatton mentioned this pull request Apr 19, 2021
Open
@chris-wood chris-wood deleted the caw/relax-accept-signal branch April 19, 2021 15:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@martinthomson martinthomson martinthomson approved these changes

@davidben davidben davidben approved these changes

@cjpatton cjpatton cjpatton approved these changes

@cbartle891 cbartle891 cbartle891 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

The serverhello.random trick is ugly and might interact with ticket handling...
6 participants
@chris-wood @sftcd @martinthomson @davidben @cjpatton @cbartle891