retransmit the diversification nonce in the packet carrying the SHLO

The packet containing the SHLO is the only packet that is sent with initial encryption. If it is lost, we need to make sure that the diversification nonce is included in the PublicHeader, otherwise the client will not be able to derive the keys for the forward-secure encryption.
2017-03-01 15:06:10 +07:00
parent b5c8c11c0c
commit 8c5e7818a0
6 changed files with 44 additions and 20 deletions
--- a/handshake/crypto_setup_server_test.go
+++ b/handshake/crypto_setup_server_test.go
@@ -185,23 +185,28 @@ var _ = Describe("Crypto setup", func() {
 			cs.secureAEAD = &mockAEAD{}
 			cs.receivedForwardSecurePacket = false

-			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			Expect(cs.DiversificationNonce(false)).To(BeEmpty())
 			// Div nonce is created after CHLO
 			cs.handleCHLO("", nil, map[Tag][]byte{TagNONC: nonce32})
 		})

 		It("returns diversification nonces", func() {
-			Expect(cs.DiversificationNonce()).To(HaveLen(32))
+			Expect(cs.DiversificationNonce(false)).To(HaveLen(32))
 		})

 		It("does not return nonce after sending the SHLO", func() {
 			cs.sentSHLO = true
-			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			Expect(cs.DiversificationNonce(false)).To(BeEmpty())
+		})
+
+		It("returns a nonce for a retransmission, even after sending the SHLO", func() {
+			cs.sentSHLO = true
+			Expect(cs.DiversificationNonce(true)).To(HaveLen(32))
 		})

 		It("does not return nonce for unencrypted packets", func() {
 			cs.secureAEAD = nil
-			Expect(cs.DiversificationNonce()).To(BeEmpty())
+			Expect(cs.DiversificationNonce(false)).To(BeEmpty())
 		})
 	})