Removed a lot of the old tls 1.3 draft code and got HRR working again (still missing unit tests).

ic0ns · ic0ns · commit 75e3b768b92d · 2020-09-09T00:28:16.000+02:00
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/CipherSuite.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/CipherSuite.java
@@ -1003,6 +1003,26 @@ public static List<CipherSuite> getEsniImplemented() {
         return list;
     }
 
+    public static List<CipherSuite> getTls13CipherSuites() {
+        List<CipherSuite> list = new LinkedList();
+        list.add(CipherSuite.TLS_AES_128_GCM_SHA256);
+        list.add(CipherSuite.TLS_AES_256_GCM_SHA384);
+        list.add(CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_8_SHA256);
+        return list;
+    }
+
+    public static List<CipherSuite> getImplementedTls13CipherSuites() {
+        List<CipherSuite> list = new LinkedList();
+        list.add(CipherSuite.TLS_AES_128_GCM_SHA256);
+        list.add(CipherSuite.TLS_AES_256_GCM_SHA384);
+        list.add(CipherSuite.TLS_CHACHA20_POLY1305_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_SHA256);
+        list.add(CipherSuite.TLS_AES_128_CCM_8_SHA256);
+        return list;
+    }
+
     public static List<CipherSuite> getNotImplemented() {
         List<CipherSuite> notImplemented = new LinkedList<>();
         for (CipherSuite suite : values()) {
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/SignatureAndHashAlgorithm.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/SignatureAndHashAlgorithm.java
@@ -102,6 +102,23 @@ public static List<? extends SignatureAndHashAlgorithm> getImplemented() {
         return algoList;
     }
 
+    public static List<SignatureAndHashAlgorithm> getTls13SignatureAndHashAlgorithms() {
+        List<SignatureAndHashAlgorithm> algos = new LinkedList<>();
+        algos.add(SignatureAndHashAlgorithm.RSA_SHA256);
+        algos.add(SignatureAndHashAlgorithm.RSA_SHA384);
+        algos.add(SignatureAndHashAlgorithm.RSA_SHA512);
+        algos.add(SignatureAndHashAlgorithm.ECDSA_SHA256);
+        algos.add(SignatureAndHashAlgorithm.ECDSA_SHA384);
+        algos.add(SignatureAndHashAlgorithm.ECDSA_SHA512);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA256);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA384);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA512);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA256);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA384);
+        algos.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA512);
+        return algos;
+    }
+
     private int value;
 
     private static final Map<Integer, SignatureAndHashAlgorithm> MAP;
@@ -306,8 +323,9 @@ public static SignatureAndHashAlgorithm forCertificateKeyPair(CertificateKeyPair
                     break;
             }
 
-            if (found)
+            if (found) {
                 break;
+            }
         }
 
         if (sigHashAlgo == null) {
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/ServerHelloHandler.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/ServerHelloHandler.java
@@ -82,19 +82,21 @@ public void adjustTLSContext(ServerHelloMessage message) {
         adjustSelectedCiphersuite(message);
         adjustServerRandom(message);
         adjustExtensions(message, HandshakeMessageType.SERVER_HELLO);
-        if (tlsContext.getChooser().getSelectedProtocolVersion().isTLS13()) {
-            adjustHandshakeTrafficSecrets();
-            if (tlsContext.getTalkingConnectionEndType() != tlsContext.getChooser().getConnectionEndType()) {
-                setServerRecordCipher();
+        if (!message.isTls13HelloRetryRequest()) {
+            if (tlsContext.getChooser().getSelectedProtocolVersion().isTLS13()) {
+                adjustHandshakeTrafficSecrets();
+                if (tlsContext.getTalkingConnectionEndType() != tlsContext.getChooser().getConnectionEndType()) {
+                    setServerRecordCipher();
+                }
+            }
+            adjustPRF(message);
+            if (tlsContext.hasSession(tlsContext.getChooser().getServerSessionId())) {
+                LOGGER.info("Resuming Session");
+                LOGGER.debug("Loading Mastersecret");
+                Session session = tlsContext.getSession(tlsContext.getChooser().getServerSessionId());
+                tlsContext.setMasterSecret(session.getMasterSecret());
+                setRecordCipher();
             }
-        }
-        adjustPRF(message);
-        if (tlsContext.hasSession(tlsContext.getChooser().getServerSessionId())) {
-            LOGGER.info("Resuming Session");
-            LOGGER.debug("Loading Mastersecret");
-            Session session = tlsContext.getSession(tlsContext.getChooser().getServerSessionId());
-            tlsContext.setMasterSecret(session.getMasterSecret());
-            setRecordCipher();
         }
     }
 
@@ -274,6 +276,7 @@ private byte[] computeSharedSecret(KeyShareStoreEntry keyShare) {
         EllipticCurve curve = CurveFactory.getCurve(keyShare.getGroup());
         Point publicPoint = PointFormatter.formatFromByteArray(keyShare.getGroup(), keyShare.getPublicKey());
         tlsContext.setServerEcPublicKey(publicPoint);
+        tlsContext.setSelectedGroup(keyShare.getGroup());
         BigInteger privateKey = tlsContext.getConfig().getKeySharePrivate();
 
         switch (keyShare.getGroup()) {
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/extension/HrrKeyShareExtensionHandler.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/extension/HrrKeyShareExtensionHandler.java
@@ -9,6 +9,7 @@
  */
 package de.rub.nds.tlsattacker.core.protocol.handler.extension;
 
+import de.rub.nds.tlsattacker.core.constants.NamedGroup;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.HRRKeyShareExtensionMessage;
 import de.rub.nds.tlsattacker.core.protocol.parser.extension.HRRKeyShareExtensionParser;
 import de.rub.nds.tlsattacker.core.protocol.preparator.extension.HRRKeyShareExtensionPreparator;
@@ -43,6 +44,7 @@ public HRRKeyShareExtensionSerializer getSerializer(HRRKeyShareExtensionMessage
 
     @Override
     public void adjustTLSExtensionContext(HRRKeyShareExtensionMessage message) {
+        context.setSelectedGroup(NamedGroup.getNamedGroup(message.getSelectedGroup().getValue()));
     }
 
 }
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/ClientHelloMessage.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/ClientHelloMessage.java
@@ -106,12 +106,7 @@ public ClientHelloMessage(Config tlsConfig) {
                 addExtension(new SupportedVersionsExtensionMessage());
             }
             if (tlsConfig.isAddKeyShareExtension()) {
-                if (tlsConfig.getHighestProtocolVersion() != ProtocolVersion.TLS13
-                        && tlsConfig.getHighestProtocolVersion().getMinor() < 0x17) {
-                    addExtension(new DraftKeyShareExtensionMessage(tlsConfig));
-                } else {
-                    addExtension(new KeyShareExtensionMessage(tlsConfig));
-                }
+                addExtension(new KeyShareExtensionMessage(tlsConfig));
             }
             if (tlsConfig.isAddEarlyDataExtension()) {
                 addExtension(new EarlyDataExtensionMessage());
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/HandshakeMessage.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/HandshakeMessage.java
@@ -77,7 +77,6 @@ public abstract class HandshakeMessage extends ProtocolMessage {
             @XmlElement(type = TokenBindingExtensionMessage.class, name = "TokenBindingExtension"),
             @XmlElement(type = HRRKeyShareExtensionMessage.class, name = "HRRKeyShareExtension"),
             @XmlElement(type = KeyShareExtensionMessage.class, name = "KeyShareExtension"),
-            @XmlElement(type = DraftKeyShareExtensionMessage.class, name = "DraftKeyShareExtension"),
             @XmlElement(type = SupportedVersionsExtensionMessage.class, name = "SupportedVersions"),
             @XmlElement(type = AlpnExtensionMessage.class, name = "ALPNExtension"),
             @XmlElement(type = CertificateStatusRequestExtensionMessage.class, name = "CertificateStatusRequestExtension"),
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/ServerHelloMessage.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/ServerHelloMessage.java
@@ -25,12 +25,19 @@
 import de.rub.nds.tlsattacker.core.protocol.message.extension.sni.ServerNamePair;
 import de.rub.nds.tlsattacker.core.state.TlsContext;
 import java.nio.charset.Charset;
+import java.util.Arrays;
 import java.util.Date;
 import javax.xml.bind.annotation.XmlRootElement;
 
 @XmlRootElement
 public class ServerHelloMessage extends HelloMessage {
 
+    private static final byte[] HELLO_RETRY_REQUEST_RANDOM = new byte[] { (byte) 0xCF, (byte) 0x21, (byte) 0xAD,
+            (byte) 0x74, (byte) 0xE5, (byte) 0x9A, (byte) 0x61, (byte) 0x11, (byte) 0xBE, (byte) 0x1D, (byte) 0x8C,
+            (byte) 0x02, (byte) 0x1E, (byte) 0x65, (byte) 0xB8, (byte) 0x91, (byte) 0xC2, (byte) 0xA2, (byte) 0x11,
+            (byte) 0x16, (byte) 0x7A, (byte) 0xBB, (byte) 0x8C, (byte) 0x5E, (byte) 0x07, (byte) 0x9E, (byte) 0x09,
+            (byte) 0xE2, (byte) 0xC8, (byte) 0xA8, (byte) 0x33, (byte) 0x9C };
+
     @ModifiableVariableProperty(type = ModifiableVariableProperty.Type.TLS_CONSTANT)
     private ModifiableByteArray selectedCipherSuite;
 
@@ -60,12 +67,7 @@ public ServerHelloMessage(Config tlsConfig) {
             }
 
             if (tlsConfig.isAddKeyShareExtension()) {
-                if (tlsConfig.getHighestProtocolVersion() != ProtocolVersion.TLS13
-                        && tlsConfig.getHighestProtocolVersion().getMinor() < 0x17) {
-                    addExtension(new DraftKeyShareExtensionMessage(tlsConfig));
-                } else {
-                    addExtension(new KeyShareExtensionMessage(tlsConfig));
-                }
+                addExtension(new KeyShareExtensionMessage(tlsConfig));
             }
             if (tlsConfig.isAddEncryptedServerNameIndicationExtension()) {
                 addExtension(new EncryptedServerNameIndicationExtensionMessage());
@@ -178,6 +180,14 @@ public void setSelectedCompressionMethod(byte value) {
                 .safelySetValue(this.selectedCompressionMethod, value);
     }
 
+    public Boolean isTls13HelloRetryRequest() {
+        if (this.getRandom() != null && this.getRandom().getValue() != null) {
+            return Arrays.equals(this.getRandom().getValue(), HELLO_RETRY_REQUEST_RANDOM);
+        } else {
+            return null;
+        }
+    }
+
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder(super.toString());
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/extension/DraftKeyShareExtensionMessage.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/extension/DraftKeyShareExtensionMessage.java
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/HandshakeMessageParser.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/HandshakeMessageParser.java
@@ -16,6 +16,7 @@
 import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
 import de.rub.nds.tlsattacker.core.exceptions.ParserException;
 import de.rub.nds.tlsattacker.core.protocol.message.HandshakeMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.ExtensionMessage;
 import de.rub.nds.tlsattacker.core.protocol.parser.extension.ExtensionParser;
 import de.rub.nds.tlsattacker.core.protocol.parser.extension.ExtensionParserFactory;
@@ -129,9 +130,19 @@ protected void parseExtensionBytes(T message) {
         LOGGER.debug("ExtensionBytes:" + ArrayConverter.bytesToHexString(extensionBytes, false));
         List<ExtensionMessage> extensionMessages = new LinkedList<>();
         int pointer = 0;
+        HandshakeMessageType type;
+        // This is not so nice but the KeyShareExtension message has to be
+        // parsed with a different
+        //
+        if (message instanceof ServerHelloMessage && ((ServerHelloMessage) message).isTls13HelloRetryRequest()) {
+            type = HandshakeMessageType.HELLO_RETRY_REQUEST;
+        } else {
+            type = message.getHandshakeMessageType();
+        }
         while (pointer < extensionBytes.length) {
-            ExtensionParser parser = ExtensionParserFactory.getExtensionParser(extensionBytes, pointer,
-                    message.getHandshakeMessageType(), this.getConfig());
+
+            ExtensionParser parser = ExtensionParserFactory.getExtensionParser(extensionBytes, pointer, type,
+                    this.getConfig());
             extensionMessages.add(parser.parse());
             if (pointer == parser.getPointer()) {
                 throw new ParserException("Ran into infinite Loop while parsing Extensions");
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/extension/KeyShareExtensionParser.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/extension/KeyShareExtensionParser.java
@@ -13,7 +13,6 @@
 import de.rub.nds.tlsattacker.core.constants.ExtensionByteLength;
 import de.rub.nds.tlsattacker.core.constants.ExtensionType;
 import de.rub.nds.tlsattacker.core.exceptions.ParserException;
-import de.rub.nds.tlsattacker.core.protocol.message.extension.DraftKeyShareExtensionMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.KeyShareExtensionMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.keyshare.KeyShareEntry;
 import java.util.LinkedList;
@@ -63,11 +62,7 @@ public void parseExtensionMessageContent(KeyShareExtensionMessage msg) {
 
     @Override
     protected KeyShareExtensionMessage createExtensionMessage() {
-        if (type == ExtensionType.KEY_SHARE) {
-            return new KeyShareExtensionMessage();
-        } else {
-            return new DraftKeyShareExtensionMessage();
-        }
+        return new KeyShareExtensionMessage();
     }
 
     /**
diff --git a/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateRequestTls13SerializerTest.java b/TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/serializer/CertificateRequestTls13SerializerTest.java
@@ -66,7 +66,6 @@ public void testSerializeHandshakeMessageContent() {
         msg.setExtensionsLength(extensionLength);
         msg.setExtensionBytes(extensionBytes);
         CertificateRequestSerializer serializer = new CertificateRequestSerializer(msg, version);
-        System.out.println(ArrayConverter.bytesToHexString(serializer.serialize()));
         assertArrayEquals(this.message, serializer.serialize());
     }
 

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`	`*/`
`10`	`10`	`package de.rub.nds.tlsattacker.core.protocol.handler.extension;`
`11`	`11`
	`12`	`+import de.rub.nds.tlsattacker.core.constants.NamedGroup;`
`12`	`13`	`import de.rub.nds.tlsattacker.core.protocol.message.extension.HRRKeyShareExtensionMessage;`
`13`	`14`	`import de.rub.nds.tlsattacker.core.protocol.parser.extension.HRRKeyShareExtensionParser;`
`14`	`15`	`import de.rub.nds.tlsattacker.core.protocol.preparator.extension.HRRKeyShareExtensionPreparator;`
`@@ -43,6 +44,7 @@ public HRRKeyShareExtensionSerializer getSerializer(HRRKeyShareExtensionMessage`
`43`	`44`
`44`	`45`	`@Override`
`45`	`46`	`public void adjustTLSExtensionContext(HRRKeyShareExtensionMessage message) {`
	`47`	`+ context.setSelectedGroup(NamedGroup.getNamedGroup(message.getSelectedGroup().getValue()));`
`46`	`48`	`}`
`47`	`49`
`48`	`50`	`}`
Original file line number	Diff line number	Diff line change
`@@ -106,12 +106,7 @@ public ClientHelloMessage(Config tlsConfig) {`
`106`	`106`	`addExtension(new SupportedVersionsExtensionMessage());`
`107`	`107`	`}`
`108`	`108`	`if (tlsConfig.isAddKeyShareExtension()) {`
`109`		`- if (tlsConfig.getHighestProtocolVersion() != ProtocolVersion.TLS13`
`110`		`- && tlsConfig.getHighestProtocolVersion().getMinor() < 0x17) {`
`111`		`- addExtension(new DraftKeyShareExtensionMessage(tlsConfig));`
`112`		`- } else {`
`113`		`- addExtension(new KeyShareExtensionMessage(tlsConfig));`
`114`		`- }`
	`109`	`+ addExtension(new KeyShareExtensionMessage(tlsConfig));`
`115`	`110`	`}`
`116`	`111`	`if (tlsConfig.isAddEarlyDataExtension()) {`
`117`	`112`	`addExtension(new EarlyDataExtensionMessage());`