retransmit the diversification nonce in the packet carrying the SHLO

The packet containing the SHLO is the only packet that is sent with initial encryption. If it is lost, we need to make sure that the diversification nonce is included in the PublicHeader, otherwise the client will not be able to derive the keys for the forward-secure encryption.
2017-03-01 15:06:10 +07:00
parent b5c8c11c0c
commit 8c5e7818a0
6 changed files with 44 additions and 20 deletions
--- a/handshake/crypto_setup_client.go
+++ b/handshake/crypto_setup_client.go
@@ -331,7 +331,7 @@ func (h *cryptoSetupClient) SealWith(dst, src []byte, packetNumber protocol.Pack
 	return nil, protocol.EncryptionUnspecified, errors.New("no encryption level specified")
 }

-func (h *cryptoSetupClient) DiversificationNonce() []byte {
+func (h *cryptoSetupClient) DiversificationNonce(bool) []byte {
 	panic("not needed for cryptoSetupClient")
 }

--- a/handshake/crypto_setup_interface.go
+++ b/handshake/crypto_setup_interface.go
@@ -12,6 +12,6 @@ type CryptoSetup interface {
 	UnlockForSealing()
 	HandshakeComplete() bool
 	// TODO: clean up this interface
-	DiversificationNonce() []byte         // only needed for cryptoSetupServer
-	SetDiversificationNonce([]byte) error // only needed for cryptoSetupClient
+	DiversificationNonce(force bool) []byte // only needed for cryptoSetupServer
+	SetDiversificationNonce([]byte) error   // only needed for cryptoSetupClient
 }
--- a/handshake/crypto_setup_server.go
+++ b/handshake/crypto_setup_server.go
@@ -390,11 +390,11 @@ func (h *cryptoSetupServer) handleCHLO(sni string, data []byte, cryptoData map[T
 }

 // DiversificationNonce returns a diversification nonce if required in the next packet to be Seal'ed. See LockForSealing()!
-func (h *cryptoSetupServer) DiversificationNonce() []byte {
-	if h.secureAEAD == nil || h.sentSHLO {
-		return nil
+func (h *cryptoSetupServer) DiversificationNonce(force bool) []byte {
+	if force || (h.secureAEAD != nil && !h.sentSHLO) {
+		return h.diversificationNonce
 	}
-	return h.diversificationNonce
+	return nil
 }

 func (h *cryptoSetupServer) SetDiversificationNonce(data []byte) error {
--- a/handshake/crypto_setup_server_test.go
+++ b/handshake/crypto_setup_server_test.go
@@ -185,23 +185,28 @@ var _ = Describe("Crypto setup", func() {
 			cs.secureAEAD = &mockAEAD{}
 			cs.receivedForwardSecurePacket = false

-			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			Expect(cs.DiversificationNonce(false)).To(BeEmpty())
 			// Div nonce is created after CHLO
 			cs.handleCHLO("", nil, map[Tag][]byte{TagNONC: nonce32})
 		})

 		It("returns diversification nonces", func() {
-			Expect(cs.DiversificationNonce()).To(HaveLen(32))
+			Expect(cs.DiversificationNonce(false)).To(HaveLen(32))
 		})

 		It("does not return nonce after sending the SHLO", func() {
 			cs.sentSHLO = true
-			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			Expect(cs.DiversificationNonce(false)).To(BeEmpty())
+		})
+
+		It("returns a nonce for a retransmission, even after sending the SHLO", func() {
+			cs.sentSHLO = true
+			Expect(cs.DiversificationNonce(true)).To(HaveLen(32))
 		})

 		It("does not return nonce for unencrypted packets", func() {
 			cs.secureAEAD = nil
-			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			Expect(cs.DiversificationNonce(false)).To(BeEmpty())
 		})
 	})