Merge pull request #177 from ekr/enhance_dtls2

Enhance dtls2

Author: bifurcation

README.md

@@ -18,6 +18,12 @@ library](https://golang.org/pkg/crypto/tls/), especially where TLS 1.3 aligns
 with earlier TLS versions.  However, unnecessary parts will be ruthlessly cut
 off.
 
+## DTLS Support
+
+Mint has partial support for DTLS, but that support is not yet complete
+and may still contain serious defects.
+
+
 ## Quickstart
 
 Installation is the same as for any other Go package:

client-state-machine.go

@@ -58,7 +58,7 @@ type clientStateStart struct {
 	cookie            []byte
 	firstClientHello  *HandshakeMessage
 	helloRetryRequest *HandshakeMessage
-	hsCtx             HandshakeContext
+	hsCtx             *HandshakeContext
 }
 
 var _ HandshakeState = &clientStateStart{}
@@ -172,8 +172,10 @@ func (state clientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [
 		}
 		ch.CipherSuites = compatibleSuites
 
+		// TODO([email protected]): Check that the ticket can be used for early
+		// data.
 		// Signal early data if we're going to do it
-		if len(state.Opts.EarlyData) > 0 {
+		if state.Config.AllowEarlyData && state.helloRetryRequest == nil {
 			state.Params.ClientSendingEarlyData = true
 			ed = &EarlyDataExtension{}
 			err = ch.Extensions.Add(ed)
@@ -255,9 +257,6 @@ func (state clientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [
 		earlyTrafficSecret := deriveSecret(params, earlySecret, labelEarlyTrafficSecret, chHash)
 		logf(logTypeCrypto, "early traffic secret: [%d] %x", len(earlyTrafficSecret), earlyTrafficSecret)
 		clientEarlyTrafficKeys = makeTrafficKeys(params, earlyTrafficSecret)
-	} else if len(state.Opts.EarlyData) > 0 {
-		logf(logTypeHandshake, "[ClientStateWaitSH] Early data without PSK")
-		return nil, nil, AlertInternalError
 	} else {
 		clientHello, err = state.hsCtx.hOut.HandshakeMessageFromBody(ch)
 		if err != nil {
@@ -291,7 +290,6 @@ func (state clientStateStart) Next(hr handshakeMessageReader) (HandshakeState, [
 	if state.Params.ClientSendingEarlyData {
 		toSend = append(toSend, []HandshakeAction{
 			RekeyOut{epoch: EpochEarlyData, KeySet: clientEarlyTrafficKeys},
-			SendEarlyData{},
 		}...)
 	}
 
@@ -302,7 +300,7 @@ type clientStateWaitSH struct {
 	Config     *Config
 	Opts       ConnectionOptions
 	Params     ConnectionParameters
-	hsCtx      HandshakeContext
+	hsCtx      *HandshakeContext
 	OfferedDH  map[NamedGroup][]byte
 	OfferedPSK PreSharedKey
 	PSK        []byte
@@ -412,6 +410,11 @@ func (state clientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 			body:    h.Sum(nil),
 		}
 
+		state.hsCtx.receivedEndOfFlight()
+
+		// TODO([email protected]): Need to rekey with cleartext if we are on 0-RTT
+		// mode. In DTLS, we also need to bump the sequence number.
+		// This is a pre-existing defect in Mint. Issue #175.
 		logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateStart]")
 		return clientStateStart{
 			Config:            state.Config,
@@ -420,7 +423,7 @@ func (state clientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 			cookie:            serverCookie.Cookie,
 			firstClientHello:  firstClientHello,
 			helloRetryRequest: hm,
-		}, nil, AlertNoAlert
+		}, []HandshakeAction{ResetOut{1}}, AlertNoAlert
 	}
 
 	// This is SH.
@@ -515,7 +518,6 @@ func (state clientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 	logf(logTypeCrypto, "master secret: [%d] %x", len(masterSecret), masterSecret)
 
 	serverHandshakeKeys := makeTrafficKeys(params, serverHandshakeTrafficSecret)
-
 	logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateWaitEE]")
 	nextState := clientStateWaitEE{
 		Config:                       state.Config,
@@ -530,13 +532,20 @@ func (state clientStateWaitSH) Next(hr handshakeMessageReader) (HandshakeState,
 	toSend := []HandshakeAction{
 		RekeyIn{epoch: EpochHandshakeData, KeySet: serverHandshakeKeys},
 	}
+	// We're definitely not going to have to send anything with
+	// early data.
+	if !state.Params.ClientSendingEarlyData {
+		toSend = append(toSend, RekeyOut{epoch: EpochHandshakeData,
+			KeySet: makeTrafficKeys(params, clientHandshakeTrafficSecret)})
+	}
+
 	return nextState, toSend, AlertNoAlert
 }
 
 type clientStateWaitEE struct {
 	Config                       *Config
 	Params                       ConnectionParameters
-	hsCtx                        HandshakeContext
+	hsCtx                        *HandshakeContext
 	cryptoParams                 CipherSuiteParams
 	handshakeHash                hash.Hash
 	masterSecret                 []byte
@@ -596,6 +605,14 @@ func (state clientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState,
 
 	state.handshakeHash.Write(hm.Marshal())
 
+	toSend := []HandshakeAction{}
+
+	if state.Params.ClientSendingEarlyData && !state.Params.UsingEarlyData {
+		// We didn't get 0-RTT, so rekey to handshake.
+		toSend = append(toSend, RekeyOut{epoch: EpochHandshakeData,
+			KeySet: makeTrafficKeys(state.cryptoParams, state.clientHandshakeTrafficSecret)})
+	}
+
 	if state.Params.UsingPSK {
 		logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitFinished]")
 		nextState := clientStateWaitFinished{
@@ -608,7 +625,7 @@ func (state clientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState,
 			clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
 			serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
 		}
-		return nextState, nil, AlertNoAlert
+		return nextState, toSend, AlertNoAlert
 	}
 
 	logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitCertCR]")
@@ -622,13 +639,13 @@ func (state clientStateWaitEE) Next(hr handshakeMessageReader) (HandshakeState,
 		clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
 		serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
 	}
-	return nextState, nil, AlertNoAlert
+	return nextState, toSend, AlertNoAlert
 }
 
 type clientStateWaitCertCR struct {
 	Config                       *Config
 	Params                       ConnectionParameters
-	hsCtx                        HandshakeContext
+	hsCtx                        *HandshakeContext
 	cryptoParams                 CipherSuiteParams
 	handshakeHash                hash.Hash
 	masterSecret                 []byte
@@ -706,7 +723,7 @@ func (state clientStateWaitCertCR) Next(hr handshakeMessageReader) (HandshakeSta
 type clientStateWaitCert struct {
 	Config        *Config
 	Params        ConnectionParameters
-	hsCtx         HandshakeContext
+	hsCtx         *HandshakeContext
 	cryptoParams  CipherSuiteParams
 	handshakeHash hash.Hash
 
@@ -760,7 +777,7 @@ func (state clientStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 type clientStateWaitCV struct {
 	Config        *Config
 	Params        ConnectionParameters
-	hsCtx         HandshakeContext
+	hsCtx         *HandshakeContext
 	cryptoParams  CipherSuiteParams
 	handshakeHash hash.Hash
 
@@ -861,7 +878,7 @@ func (state clientStateWaitCV) Next(hr handshakeMessageReader) (HandshakeState,
 
 type clientStateWaitFinished struct {
 	Params        ConnectionParameters
-	hsCtx         HandshakeContext
+	hsCtx         *HandshakeContext
 	cryptoParams  CipherSuiteParams
 	handshakeHash hash.Hash
 
@@ -933,6 +950,7 @@ func (state clientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS
 	toSend := []HandshakeAction{}
 
 	if state.Params.UsingEarlyData {
+		logf(logTypeHandshake, "Sending end of early data")
 		// Note: We only send EOED if the server is actually going to use the early
 		// data.  Otherwise, it will never see it, and the transcripts will
 		// mismatch.
@@ -942,10 +960,11 @@ func (state clientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS
 
 		state.handshakeHash.Write(eoedm.Marshal())
 		logf(logTypeCrypto, "input to handshake hash [%d]: %x", len(eoedm.Marshal()), eoedm.Marshal())
-	}
 
-	clientHandshakeKeys := makeTrafficKeys(state.cryptoParams, state.clientHandshakeTrafficSecret)
-	toSend = append(toSend, RekeyOut{epoch: EpochHandshakeData, KeySet: clientHandshakeKeys})
+		// And then rekey to handshake
+		toSend = append(toSend, RekeyOut{epoch: EpochHandshakeData,
+			KeySet: makeTrafficKeys(state.cryptoParams, state.clientHandshakeTrafficSecret)})
+	}
 
 	if state.Params.UsingClientAuth {
 		// Extract constraints from certicateRequest
@@ -1045,6 +1064,8 @@ func (state clientStateWaitFinished) Next(hr handshakeMessageReader) (HandshakeS
 		RekeyOut{epoch: EpochApplicationData, KeySet: clientTrafficKeys},
 	}...)
 
+	state.hsCtx.receivedEndOfFlight()
+
 	logf(logTypeHandshake, "[ClientStateWaitFinished] -> [StateConnected]")
 	nextState := stateConnected{
 		Params:              state.Params,

common.go

@@ -25,6 +25,7 @@ const (
 	RecordTypeAlert           RecordType = 21
 	RecordTypeHandshake       RecordType = 22
 	RecordTypeApplicationData RecordType = 23
+	RecordTypeAck             RecordType = 25
 )
 
 // enum {...} HandshakeType;
@@ -166,6 +167,8 @@ const (
 type State uint8
 
 const (
+	StateInit = 0
+
 	// states valid for the client
 	StateClientStart State = iota
 	StateClientWaitSH
@@ -179,6 +182,7 @@ const (
 	StateServerStart State = iota
 	StateServerRecvdCH
 	StateServerNegotiated
+	StateServerReadPastEarlyData
 	StateServerWaitEOED
 	StateServerWaitFlight2
 	StateServerWaitCert
@@ -211,6 +215,8 @@ func (s State) String() string {
 		return "Server RECVD_CH"
 	case StateServerNegotiated:
 		return "Server NEGOTIATED"
+	case StateServerReadPastEarlyData:
+		return "Server READ_PAST_EARLY_DATA"
 	case StateServerWaitEOED:
 		return "Server WAIT_EOED"
 	case StateServerWaitFlight2:
@@ -252,3 +258,9 @@ func (e Epoch) label() string {
 	}
 	return "Application data (updated)"
 }
+
+func assert(b bool) {
+	if !b {
+		panic("Assertion failed")
+	}
+}

common_test.go

@@ -6,6 +6,7 @@ import (
 	"fmt"
 	"reflect"
 	"runtime"
+	"sort"
 	"testing"
 )
 
@@ -17,7 +18,7 @@ func unhex(h string) []byte {
 	return b
 }
 
-func assert(t *testing.T, test bool, msg string) {
+func assertTrue(t *testing.T, test bool, msg string) {
 	t.Helper()
 	prefix := string("")
 	for i := 1; ; i++ {
@@ -34,40 +35,40 @@ func assert(t *testing.T, test bool, msg string) {
 
 func assertError(t *testing.T, err error, msg string) {
 	t.Helper()
-	assert(t, err != nil, msg)
+	assertTrue(t, err != nil, msg)
 }
 
 func assertNotError(t *testing.T, err error, msg string) {
 	t.Helper()
 	if err != nil {
 		msg += ": " + err.Error()
 	}
-	assert(t, err == nil, msg)
+	assertTrue(t, err == nil, msg)
 }
 
 func assertNil(t *testing.T, x interface{}, msg string) {
 	t.Helper()
-	assert(t, x == nil, msg)
+	assertTrue(t, x == nil, msg)
 }
 
 func assertNotNil(t *testing.T, x interface{}, msg string) {
 	t.Helper()
-	assert(t, x != nil, msg)
+	assertTrue(t, x != nil, msg)
 }
 
 func assertEquals(t *testing.T, a, b interface{}) {
 	t.Helper()
-	assert(t, a == b, fmt.Sprintf("%+v != %+v", a, b))
+	assertTrue(t, a == b, fmt.Sprintf("%+v != %+v", a, b))
 }
 
 func assertByteEquals(t *testing.T, a, b []byte) {
 	t.Helper()
-	assert(t, bytes.Equal(a, b), fmt.Sprintf("%+v != %+v", hex.EncodeToString(a), hex.EncodeToString(b)))
+	assertTrue(t, bytes.Equal(a, b), fmt.Sprintf("%+v != %+v", hex.EncodeToString(a), hex.EncodeToString(b)))
 }
 
 func assertNotByteEquals(t *testing.T, a, b []byte) {
 	t.Helper()
-	assert(t, !bytes.Equal(a, b), fmt.Sprintf("%+v == %+v", hex.EncodeToString(a), hex.EncodeToString(b)))
+	assertTrue(t, !bytes.Equal(a, b), fmt.Sprintf("%+v == %+v", hex.EncodeToString(a), hex.EncodeToString(b)))
 }
 
 func assertCipherSuiteParamsEquals(t *testing.T, a, b CipherSuiteParams) {
@@ -81,12 +82,61 @@ func assertCipherSuiteParamsEquals(t *testing.T, a, b CipherSuiteParams) {
 
 func assertDeepEquals(t *testing.T, a, b interface{}) {
 	t.Helper()
-	assert(t, reflect.DeepEqual(a, b), fmt.Sprintf("%+v != %+v", a, b))
+	assertTrue(t, reflect.DeepEqual(a, b), fmt.Sprintf("%+v != %+v", a, b))
 }
 
 func assertSameType(t *testing.T, a, b interface{}) {
 	t.Helper()
 	A := reflect.TypeOf(a)
 	B := reflect.TypeOf(b)
-	assert(t, A == B, fmt.Sprintf("%s != %s", A.Name(), B.Name()))
+	assertTrue(t, A == B, fmt.Sprintf("%s != %s", A.Name(), B.Name()))
+}
+
+// Utilities for parametrized tests
+// Represents the configuration for a given test instance.
+type testInstanceState map[string]string
+
+// Helper function.
+func runParametrizedInner(t *testing.T, name string, state testInstanceState, inparams map[string][]string, inparamList []string, f parametrizedTest) {
+
+	paramName := inparamList[0]
+	param := inparams[paramName]
+	next := inparamList[1:]
+
+	for _, paramVal := range param {
+		state[paramName] = paramVal
+		var n string
+		if len(name) > 0 {
+			n = name + "/"
+		}
+		n = n + paramName + "=" + paramVal
+
+		if len(next) == 0 {
+			t.Run(n, func(t *testing.T) {
+				f(t, n, state)
+			})
+			continue
+		}
+		runParametrizedInner(t, n, state, inparams, next, f)
+	}
+}
+
+// Nominally public API.
+type testParameter struct {
+	name string
+	vals []string
+}
+
+type parametrizedTest func(t *testing.T, name string, p testInstanceState)
+
+// This is the function you call.
+func runParametrizedTest(t *testing.T, inparams map[string][]string, f parametrizedTest) {
+	// Make a sorted list of the names, so we get a consistent order.
+	il := make([]string, 0)
+	for k := range inparams {
+		il = append(il, k)
+	}
+	sort.Slice(il, func(i, j int) bool { return il[i] < il[j] })
+
+	runParametrizedInner(t, "", make(map[string]string), inparams, il, f)
 }