From 769655c43e7f2b9556487fc6196ef9d031ba7867 Mon Sep 17 00:00:00 2001
From: Lucas Clemente
Date: Thu, 28 Jul 2016 18:25:29 +0200
Subject: [PATCH] delay server nonce generation until after the CHLO

fixes the second part of #136
---
 handshake/crypto_setup.go | 17 ++++++++---------
 handshake/crypto_setup_test.go | 11 +----------
 2 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/handshake/crypto_setup.go b/handshake/crypto_setup.go
index d2cbce821..943060f8c 100644
--- a/handshake/crypto_setup.go
+++ b/handshake/crypto_setup.go
@@ -25,7 +25,6 @@ type CryptoSetup struct {
 ip net.IP
 version protocol.VersionNumber
 scfg *ServerConfig
- nonce []byte
 diversificationNonce []byte
 secureAEAD crypto.AEAD
@@ -56,16 +55,11 @@ func NewCryptoSetup(
 connectionParametersManager *ConnectionParametersManager,
 aeadChanged chan struct{},
 ) (*CryptoSetup, error) {
- nonce := make([]byte, 32)
- if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
- return nil, err
- }
 return &CryptoSetup{
 connID: connID,
 ip: ip,
 version: version,
 scfg: scfg,
- nonce: nonce,
 keyDerivation: crypto.DeriveKeysAESGCM,
 keyExchange: crypto.NewCurve25519KEX,
 cryptoStream: cryptoStream,
@@ -240,8 +234,13 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 return nil, err
 }
+ nonce := make([]byte, 32)
+ if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+ return nil, err
+ }
+
 h.diversificationNonce = make([]byte, 32)
- if _, err := io.ReadFull(rand.Reader, h.diversificationNonce); err != nil {
+ if _, err = io.ReadFull(rand.Reader, h.diversificationNonce); err != nil {
 return nil, err
 }
@@ -263,7 +262,7 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 // Generate a new curve instance to derive the forward secure key
 var fsNonce bytes.Buffer
 fsNonce.Write(cryptoData[TagNONC])
- fsNonce.Write(h.nonce)
+ fsNonce.Write(nonce)
 ephermalKex, err := h.keyExchange()
 if err != nil {
 return nil, err
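Review bot: The nonce generation inserted into handleCHLO carries no comment saying why it now lives here instead of in NewCryptoSetup; a line above `nonce := make([]byte, 32)` such as `// server nonce (SNO): drawn fresh for every CHLO, echoed in the SHLO and mixed into the forward-secure key derivation` would stop a later refactor from hoisting it back into the constructor, where one value would be reused across handshakes. The two consecutive 32-byte reads are identical apart from the destination slice; an unexported helper, e.g. `func randomBytes(n int) ([]byte, error)`, would remove the duplicated error branch. The change from `err :=` to `err =` on both ReadFull calls assigns to an `err` declared earlier in handleCHLO, outside this hunk, and the function's first and last lines are not visible here. Whether `rand` is crypto/rand cannot be confirmed from the hunk either, although the use of the nonce as handshake key material depends on it.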
@@ -294,7 +293,7 @@ func (h *CryptoSetup) handleCHLO(sni string, data []byte, cryptoData map[Tag][]b
 replyMap := h.connectionParametersManager.GetSHLOMap()
 // add crypto parameters
 replyMap[TagPUBS] = ephermalKex.PublicKey()
- replyMap[TagSNO] = h.nonce
+ replyMap[TagSNO] = nonce
 replyMap[TagVER] = protocol.SupportedVersionsAsTags
 var reply bytes.Buffer
diff --git a/handshake/crypto_setup_test.go b/handshake/crypto_setup_test.go
index c813f2582..cbb9b6d3e 100644
--- a/handshake/crypto_setup_test.go
+++ b/handshake/crypto_setup_test.go
@@ -167,15 +167,6 @@ var _ = Describe("Crypto setup", func() {
 cs.keyExchange = func() (crypto.KeyExchange, error) { return &mockKEX{ephermal: true}, nil }
 })
- It("has a nonce", func() {
- Expect(cs.nonce).To(HaveLen(32))
- s := 0
- for _, b := range cs.nonce {
- s += int(b)
- }
- Expect(s).ToNot(BeZero())
- })
-
 Context("diversification nonce", func() {
 BeforeEach(func() {
 cs.version = protocol.Version33
@@ -232,7 +223,7 @@ var _ = Describe("Crypto setup", func() {
 Expect(err).ToNot(HaveOccurred())
 Expect(response).To(HavePrefix("SHLO"))
 Expect(response).To(ContainSubstring("ephermal pub"))
- Expect(response).To(ContainSubstring(string(cs.nonce)))
+ Expect(response).To(ContainSubstring("SNO\x00"))
 Expect(response).To(ContainSubstring(string(protocol.SupportedVersionsAsTags)))
 Expect(cs.secureAEAD).ToNot(BeNil())
 Expect(cs.secureAEAD.(*mockAEAD).forwardSecure).To(BeFalse())
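Review bot: The replacement assertion `Expect(response).To(ContainSubstring("SNO\x00"))` only proves that an SNO tag is present in the SHLO, whereas the deleted line checked that the actual nonce bytes reached the reply, so the test now covers less than it did before. Since the nonce is no longer reachable as `cs.nonce`, the stronger check would decode the SHLO (assuming this package has a parser for handshake messages, which is not visible here) and assert that the SNO value is 32 bytes long and differs between two consecutive CHLOs, which is exactly the per-handshake freshness the commit introduces. The same loss of coverage applies to the "has a nonce" test deleted in the earlier hunk of this file, whose length and non-zero checks have no replacement. The enclosing It block starts and ends outside the hunk.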