delay server nonce generation until after the CHLO

fixes the second part of #136
2016-07-28 18:25:29 +02:00
parent 5c4a7a9ec1
commit 769655c43e
2 changed files with 9 additions and 19 deletions
--- a/handshake/crypto_setup.go
+++ b/handshake/crypto_setup.go
@@ -25,7 +25,6 @@ type CryptoSetup struct {
 	ip                   net.IP
 	version              protocol.VersionNumber
 	scfg                 *ServerConfig
-	nonce                []byte
 	diversificationNonce []byte

 	secureAEAD                  crypto.AEAD
@@ -56,16 +55,11 @@ func NewCryptoSetup(
 	connectionParametersManager *ConnectionParametersManager,
 	aeadChanged chan struct{},
 ) (*CryptoSetup, error) {
-	nonce := make([]byte, 32)
-	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
-		return nil, err
-	}
 	return &CryptoSetup{
 		connID:                      connID,
 		ip:                          ip,
 		version:                     version,
 		scfg:                        scfg,
-		nonce:                       nonce,
 		keyDerivation:               crypto.DeriveKeysAESGCM,
 		keyExchange:                 crypto.NewCurve25519KEX,
 		cryptoStream:                cryptoStream,
@@ -240,8 +234,13 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 		return nil, err
 	}

+	nonce := make([]byte, 32)
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+
 	h.diversificationNonce = make([]byte, 32)
-	if _, err := io.ReadFull(rand.Reader, h.diversificationNonce); err != nil {
+	if _, err = io.ReadFull(rand.Reader, h.diversificationNonce); err != nil {
 		return nil, err
 	}

@@ -263,7 +262,7 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 	// Generate a new curve instance to derive the forward secure key
 	var fsNonce bytes.Buffer
 	fsNonce.Write(cryptoData[TagNONC])
-	fsNonce.Write(h.nonce)
+	fsNonce.Write(nonce)
 	ephermalKex, err := h.keyExchange()
 	if err != nil {
 		return nil, err
@@ -294,7 +293,7 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 	replyMap := h.connectionParametersManager.GetSHLOMap()
 	// add crypto parameters
 	replyMap[TagPUBS] = ephermalKex.PublicKey()
-	replyMap[TagSNO] = h.nonce
+	replyMap[TagSNO] = nonce
 	replyMap[TagVER] = protocol.SupportedVersionsAsTags

 	var reply bytes.Buffer
--- a/handshake/crypto_setup_test.go
+++ b/handshake/crypto_setup_test.go
@@ -167,15 +167,6 @@ var _ = Describe("Crypto setup", func() {
 		cs.keyExchange = func() (crypto.KeyExchange, error) { return &mockKEX{ephermal: true}, nil }
 	})

-	It("has a nonce", func() {
-		Expect(cs.nonce).To(HaveLen(32))
-		s := 0
-		for _, b := range cs.nonce {
-			s += int(b)
-		}
-		Expect(s).ToNot(BeZero())
-	})
-
 	Context("diversification nonce", func() {
 		BeforeEach(func() {
 			cs.version = protocol.Version33
@@ -232,7 +223,7 @@ var _ = Describe("Crypto setup", func() {
 			Expect(err).ToNot(HaveOccurred())
 			Expect(response).To(HavePrefix("SHLO"))
 			Expect(response).To(ContainSubstring("ephermal pub"))
-			Expect(response).To(ContainSubstring(string(cs.nonce)))
+			Expect(response).To(ContainSubstring("SNO\x00"))
 			Expect(response).To(ContainSubstring(string(protocol.SupportedVersionsAsTags)))
 			Expect(cs.secureAEAD).ToNot(BeNil())
 			Expect(cs.secureAEAD.(*mockAEAD).forwardSecure).To(BeFalse())