From aa5d2be4912783bac9f24366bdcaf91a44c33dac Mon Sep 17 00:00:00 2001
From: Lucas Clemente <lucas@clemente.io>
Date: Sat, 16 Apr 2016 22:08:57 +0200
Subject: [PATCH] implement forward secure encryption

---
 crypto/key_derivation.go  |  8 ++++--
 handshake/crypto_setup.go | 58 +++++++++++++++++++++++++++++++++++----
 2 files changed, 59 insertions(+), 7 deletions(-)

diff --git a/crypto/key_derivation.go b/crypto/key_derivation.go
index caad6e33a..4b4a9e8e0 100644
--- a/crypto/key_derivation.go
+++ b/crypto/key_derivation.go
@@ -12,9 +12,13 @@ import (
 )
 
 // DeriveKeysChacha20 derives the client and server keys and creates a matching chacha20poly1305 instance
-func DeriveKeysChacha20(sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo []byte, scfg []byte, cert []byte) (AEAD, error) {
+func DeriveKeysChacha20(forwardSecure bool, sharedSecret, nonces []byte, connID protocol.ConnectionID, chlo []byte, scfg []byte, cert []byte) (AEAD, error) {
 	var info bytes.Buffer
-	info.Write([]byte("QUIC key expansion\x00"))
+	if forwardSecure {
+		info.Write([]byte("QUIC forward secure key expansion\x00"))
+	} else {
+		info.Write([]byte("QUIC key expansion\x00"))
+	}
 	utils.WriteUint64(&info, uint64(connID))
 	info.Write(chlo)
 	info.Write(scfg)
diff --git a/handshake/crypto_setup.go b/handshake/crypto_setup.go
index f1c2f2411..6546eeda8 100644
--- a/handshake/crypto_setup.go
+++ b/handshake/crypto_setup.go
@@ -2,8 +2,10 @@ package handshake
 
 import (
 	"bytes"
+	"crypto/rand"
 	"errors"
 	"io"
+	"io/ioutil"
 
 	"github.com/lucas-clemente/quic-go/crypto"
 	"github.com/lucas-clemente/quic-go/protocol"
@@ -13,28 +15,61 @@ import (
 type CryptoSetup struct {
 	connID  protocol.ConnectionID
 	version protocol.VersionNumber
-	aead    crypto.AEAD
 	scfg    *ServerConfig
+	nonce   []byte
+
+	secureAEAD                  crypto.AEAD
+	forwardSecureAEAD           crypto.AEAD
+	receivedSecurePacket        bool
+	receivedForwardSecurePacket bool
 }
 
 // NewCryptoSetup creates a new CryptoSetup instance
 func NewCryptoSetup(connID protocol.ConnectionID, version protocol.VersionNumber, scfg *ServerConfig) *CryptoSetup {
+	nonce := make([]byte, 32)
+	if _, err := rand.Reader.Read(nonce); err != nil {
+		panic(err)
+	}
 	return &CryptoSetup{
 		connID:  connID,
 		version: version,
-		aead:    &crypto.NullAEAD{},
 		scfg:    scfg,
+		nonce:   nonce,
 	}
 }
 
 // Open a message
 func (h *CryptoSetup) Open(packetNumber protocol.PacketNumber, associatedData []byte, ciphertext io.Reader) (*bytes.Reader, error) {
-	return h.aead.Open(packetNumber, associatedData, ciphertext)
+	data, err := ioutil.ReadAll(ciphertext)
+	if err != nil {
+		return nil, err
+	}
+
+	if h.forwardSecureAEAD != nil {
+		res, err := h.forwardSecureAEAD.Open(packetNumber, associatedData, bytes.NewReader(data))
+		if err == nil {
+			h.receivedForwardSecurePacket = true
+			return res, nil
+		}
+		if h.receivedForwardSecurePacket {
+			return nil, err
+		}
+	}
+	if h.secureAEAD != nil {
+		return h.secureAEAD.Open(packetNumber, associatedData, bytes.NewReader(data))
+	}
+	return (&crypto.NullAEAD{}).Open(packetNumber, associatedData, bytes.NewReader(data))
 }
 
 // Seal a messageTag
 func (h *CryptoSetup) Seal(packetNumber protocol.PacketNumber, b *bytes.Buffer, associatedData []byte, plaintext []byte) {
-	h.aead.Seal(packetNumber, b, associatedData, plaintext)
+	if h.receivedForwardSecurePacket {
+		h.forwardSecureAEAD.Seal(packetNumber, b, associatedData, plaintext)
+	} else if h.secureAEAD != nil {
+		h.secureAEAD.Seal(packetNumber, b, associatedData, plaintext)
+	} else {
+		(&crypto.NullAEAD{}).Seal(packetNumber, b, associatedData, plaintext)
+	}
 }
 
 // HandleCryptoMessage handles the crypto handshake and returns the answer
@@ -54,7 +89,16 @@ func (h *CryptoSetup) HandleCryptoMessage(data []byte) ([]byte, error) {
 		if err != nil {
 			return nil, err
 		}
-		h.aead, err = crypto.DeriveKeysChacha20(sharedSecret, cryptoData[TagNONC], h.connID, data, h.scfg.Get(), h.scfg.kd.GetCertUncompressed())
+		var nonce bytes.Buffer
+		nonce.Write(cryptoData[TagNONC])
+		nonce.Write(h.nonce)
+
+		h.secureAEAD, err = crypto.DeriveKeysChacha20(false, sharedSecret, nonce.Bytes(), h.connID, data, h.scfg.Get(), h.scfg.kd.GetCertUncompressed())
+		if err != nil {
+			return nil, err
+		}
+		// TODO: Use new curve
+		h.forwardSecureAEAD, err = crypto.DeriveKeysChacha20(true, sharedSecret, nonce.Bytes(), h.connID, data, h.scfg.Get(), h.scfg.kd.GetCertUncompressed())
 		if err != nil {
 			return nil, err
 		}
@@ -62,7 +106,10 @@ func (h *CryptoSetup) HandleCryptoMessage(data []byte) ([]byte, error) {
 		var reply bytes.Buffer
 		WriteHandshakeMessage(&reply, TagSHLO, map[Tag][]byte{
 			TagPUBS: h.scfg.kex.PublicKey(),
+			TagSNO:  h.nonce,
 			TagVER:  protocol.SupportedVersionsAsTags,
+			TagICSL: []byte{0x1e, 0x00, 0x00, 0x00}, //30
+			TagMSPC: []byte{0x64, 0x00, 0x00, 0x00}, //100
 		})
 		return reply.Bytes(), nil
 	}
@@ -83,6 +130,7 @@ func (h *CryptoSetup) HandleCryptoMessage(data []byte) ([]byte, error) {
 	WriteHandshakeMessage(&serverReply, TagREJ, map[Tag][]byte{
 		TagSCFG: h.scfg.Get(),
 		TagCERT: h.scfg.GetCertCompressed(),
+		TagSNO:  h.nonce,
 		TagPROF: proof,
 	})
 	return serverReply.Bytes(), nil