TLS 1.2 PRF incorrect

Crispin Flowerday gnome at
Thu Dec 18 14:00:40 CET 2008


I have recently been looking at TLS 1.2 support, which gnutls claims to
implement. However the PRF is wrong (gnutls_state.c::_gnutls_PRF()):

  if (ver >= GNUTLS_TLS1_2)
    result =
      _gnutls_P_hash (GNUTLS_MAC_SHA1, secret, secret_size,
                      s_seed, s_seed_size, total_bytes, ret);


Note the use of SHA1. RFC 5246, section 5 says:

"In this section, we define one PRF, based on HMAC.  This PRF with the
SHA-256 hash function is used for all cipher suites defined in this
document and in TLS documents published prior to this document when
TLS 1.2 is negotiated."

Appendix A.6 (Security Parameters) also clearly shows that the
PRFAlgorithm is sha-256.

I assume this is a hangover from when TLS 1.2 was still a draft and the
PRF was using SHA-1. I haven't been able to investigate whether there
are other implementation errors against the RFC.
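
As an added example, not code from this message or from gnutls, the
following Python implements the RFC 5246 section 5 construction
(P_SHA256 over the whole secret) beside the P_SHA1 variant that the
quoted _gnutls_PRF() branch computes, and derives a master secret
(RFC 5246 section 8.1) with each from the same inputs. The function
names, the sample pre_master_secret and the two random values are
assumptions made for this illustration, not real handshake data.

```python
"""TLS 1.2 PRF per RFC 5246 section 5 (P_SHA256), beside the P_SHA1 variant
the quoted gnutls_state.c branch computes, to show that the two derive
different keying material from identical inputs.

Added example, not gnutls code; all input values below are constructed."""
import hmac


def p_hash(hash_name: str, secret: bytes, seed: bytes, nbytes: int) -> bytes:
    """P_<hash>(secret, seed) from RFC 5246 section 5:
         A(0) = seed,  A(i) = HMAC_hash(secret, A(i-1))
         P_hash = HMAC_hash(secret, A(1) + seed) ||
                  HMAC_hash(secret, A(2) + seed) || ...
    expanded until at least nbytes bytes exist, then truncated."""
    out = b""
    a = seed                                                  # A(0)
    while len(out) < nbytes:
        a = hmac.new(secret, a, hash_name).digest()           # A(i)
        out += hmac.new(secret, a + seed, hash_name).digest()  # HMAC(secret, A(i) + seed)
    return out[:nbytes]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, nbytes: int) -> bytes:
    """RFC 5246: PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_hash("sha256", secret, label + seed, nbytes)


def buggy_tls12_prf_sha1(secret: bytes, label: bytes, seed: bytes, nbytes: int) -> bytes:
    """What the quoted _gnutls_PRF() branch computes for ver >= GNUTLS_TLS1_2:
    P_SHA1 over the whole secret instead of P_SHA256 (the pre-RFC draft form)."""
    return p_hash("sha1", secret, label + seed, nbytes)


def derive_master_secret(prf, pre_master_secret: bytes,
                         client_random: bytes, server_random: bytes) -> bytes:
    """RFC 5246 section 8.1:
    master_secret = PRF(pre_master_secret, "master secret",
                        ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master_secret, b"master secret", client_random + server_random, 48)


# Constructed sample inputs (assumed for illustration, not real handshake values).
PRE_MASTER_SECRET = bytes([0x03, 0x03]) + bytes(range(46))   # 48-byte RSA-style PMS
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)


def compare_master_secrets():
    """Return (rfc5246_master_secret, sha1_master_secret) for the sample inputs.
    A peer that follows RFC 5246 derives the first; the quoted code derives the
    second, so the two sides hold different master secrets, expand different
    key blocks, and the handshake fails at the Finished message."""
    good = derive_master_secret(tls12_prf, PRE_MASTER_SECRET,
                                CLIENT_RANDOM, SERVER_RANDOM)
    bad = derive_master_secret(buggy_tls12_prf_sha1, PRE_MASTER_SECRET,
                               CLIENT_RANDOM, SERVER_RANDOM)
    return good, bad


if __name__ == "__main__":
    good, bad = compare_master_secrets()
    print("RFC 5246 (P_SHA256):", good.hex())
    print("quoted code (P_SHA1):", bad.hex())
    print("match:", good == bad)
```

Running the block prints the two 48-byte master secrets and "match:
False". Because P_hash is parameterised on the hash name, switching the
quoted branch from SHA-1 to SHA-256 is the only change needed to make the
output agree with an RFC 5246 peer; the expansion and truncation logic is
identical for both hashes.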
