gr1ffon/quic-go
1
0
Fork 0
forked from quic-go/quic-go
Code Pull Requests Activity

reject CHLOs with wrong length client nonces

Browse Source 
fixes #352
This commit is contained in:
Marten Seemann
2016-11-27 21:18:14 +07:00
parent 6d6e8f941a
commit 2ae196761b
2 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
handshake/crypto_setup.go
View File

@@ -237,8 +237,8 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
return nil, err return nil, err
} }
nonce := make([]byte, 32) serverNonce := make([]byte, 32)
if _, err = rand.Read(nonce); err != nil { if _, err = rand.Read(serverNonce); err != nil {
return nil, err return nil, err
} }
@@ -247,10 +247,15 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
return nil, err return nil, err
} }
clientNonce := cryptoData[TagNONC]
if len(clientNonce) != 32 {
return nil, qerr.Error(qerr.InvalidCryptoMessageParameter, "invalid client nonce length")
}
h.secureAEAD, err = h.keyDerivation( h.secureAEAD, err = h.keyDerivation(
false, false,
sharedSecret, sharedSecret,
cryptoData[TagNONC], clientNonce,
h.connID, h.connID,
data, data,
h.scfg.Get(), h.scfg.Get(),
@@ -263,13 +268,14 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
// Generate a new curve instance to derive the forward secure key // Generate a new curve instance to derive the forward secure key
var fsNonce bytes.Buffer var fsNonce bytes.Buffer
fsNonce.Write(cryptoData[TagNONC]) fsNonce.Write(clientNonce)
fsNonce.Write(nonce) fsNonce.Write(serverNonce)
ephermalKex := h.keyExchange() ephermalKex := h.keyExchange()
ephermalSharedSecret, err := ephermalKex.CalculateSharedKey(cryptoData[TagPUBS]) ephermalSharedSecret, err := ephermalKex.CalculateSharedKey(cryptoData[TagPUBS])
if err != nil { if err != nil {
return nil, err return nil, err
} }
h.forwardSecureAEAD, err = h.keyDerivation( h.forwardSecureAEAD, err = h.keyDerivation(
true, true,
ephermalSharedSecret, ephermalSharedSecret,
@@ -292,7 +298,7 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
replyMap := h.connectionParametersManager.GetSHLOMap() replyMap := h.connectionParametersManager.GetSHLOMap()
// add crypto parameters // add crypto parameters
replyMap[TagPUBS] = ephermalKex.PublicKey() replyMap[TagPUBS] = ephermalKex.PublicKey()
replyMap[TagSNO] = nonce replyMap[TagSNO] = serverNonce
replyMap[TagVER] = protocol.SupportedVersionsAsTags replyMap[TagVER] = protocol.SupportedVersionsAsTags
var reply bytes.Buffer var reply bytes.Buffer

12
handshake/crypto_setup_test.go
View File

@@ -262,6 +262,18 @@ var _ = Describe("Crypto setup", func() {
Expect(aeadChanged).To(Receive()) Expect(aeadChanged).To(Receive())
}) })
It("rejects client nonces that have the wrong length", func() {
WriteHandshakeMessage(&stream.dataToRead, TagCHLO, map[Tag][]byte{
TagSCID: scfg.ID,
TagSNI: []byte("quic.clemente.io"),
TagNONC: []byte("too short client nonce"),
TagSTK: validSTK,
TagPUBS: nil,
})
err := cs.HandleCryptoStream()
Expect(err).To(MatchError(qerr.Error(qerr.InvalidCryptoMessageParameter, "invalid client nonce length")))
})
It("handles 0-RTT handshake", func() { It("handles 0-RTT handshake", func() {
WriteHandshakeMessage(&stream.dataToRead, TagCHLO, map[Tag][]byte{ WriteHandshakeMessage(&stream.dataToRead, TagCHLO, map[Tag][]byte{
TagSCID: scfg.ID, TagSCID: scfg.ID,