Skip to content

Commit

Permalink
Use the DTLS ClientHello structure in ECH with DTLS
Browse files Browse the repository at this point in the history 
This PR implements the option if we decide to use DTLS's ClientHello as
the payload and AAD, rather than somehow fit TLS's in there.

Fixes tlswg#639.
  • Loading branch information
@davidben
davidben committed Nov 27, 2024
1 parent d2e6019 commit 90d732b
Showing 1 changed file with 12 additions and 10 deletions.
22 changes: 12 additions & 10 deletions draft-ietf-tls-esni.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -481,10 +481,12 @@ into a EncodedClientHelloInner structure, defined below:
~~~

The `client_hello` field is computed by first making a copy of ClientHelloInner
and setting the `legacy_session_id` field to the empty string. Note this field
uses the ClientHello structure, defined in {{Section 4.1.2 of RFC8446}} which
does not include the Handshake structure's four byte header. The `zeros` field
MUST be all zeroes.
and setting the `legacy_session_id` field to the empty string. In TLS, this
field uses the ClientHello structure defined in {{Section 4.1.2 of RFC8446}}.
In DTLS, it uses the ClientHello structured defined in
{{Section 5.3 of RFC9147}}. This does not include Handshake structure's
four-byte header in TLS, nor twelve-byte header in DTLS. The `zeros` field MUST
be all zeroes.

Repeating large extensions, such as "key_share" with post-quantum algorithms,
between ClientHelloInner and ClientHelloOuter can lead to excessive size. To
Expand Down Expand Up @@ -556,12 +558,12 @@ while keeping the same encrypted `ClientHelloInner`
(see {{flow-clienthello-malleability}}), ECH authenticates ClientHelloOuter
by passing ClientHelloOuterAAD as the associated data for HPKE sealing
and opening operations. The ClientHelloOuterAAD is a serialized
ClientHello structure, defined in {{Section 4.1.2 of RFC8446}}, which
matches the ClientHelloOuter except that the `payload` field of the
"encrypted_client_hello" is replaced with a byte string of the same
length but whose contents are zeros. This value does not include the
four-byte header from the Handshake structure.

ClientHello structure, defined in {{Section 4.1.2 of RFC8446}} for TLS and
{{Section 5.3 of RFC9147}} for DTLS, which matches the ClientHelloOuter except
that the `payload` field of the "encrypted_client_hello" is replaced with a byte
string of the same length but whose contents are zeros. This value does not
include Handshake structure's four-byte header in TLS, nor twelve-byte header in
DTLS.

# Client Behavior

Expand Down

0 comments on commit 90d732b

Please sign in to comment.