Merge pull request #660 from RUB-NDS/esni_improvements

Fixed ESNI Extension

Author: jurajsomorovsky

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/Config.java

@@ -1140,6 +1140,13 @@ public static Config createEmptyConfig() {
 
     private ECPointFormat defaultSelectedPointFormat = ECPointFormat.UNCOMPRESSED;
 
+    /**
+     * Private Key of the Client for the EncryptedServerNameIndication
+     * extension.
+     */
+    private BigInteger defaultEsniClientPrivateKey = new BigInteger(
+            "191991257030464195512760799659436374116556484140110877679395918219072292938297573720808302564562486757422301181089761");
+
     /**
      * Supported Ciphersuites for EncryptedServerNameIndication extension.
      */
@@ -3645,4 +3652,13 @@ public String getKeylogFilePath() {
     public void setKeylogFilePath(String keylogFilePath) {
         this.keylogFilePath = keylogFilePath;
     }
+
+    public BigInteger getDefaultEsniClientPrivateKey() {
+        return defaultEsniClientPrivateKey;
+    }
+
+    public void setDefaultEsniClientPrivateKey(BigInteger defaultEsniClientPrivateKey) {
+        this.defaultEsniClientPrivateKey = defaultEsniClientPrivateKey;
+    }
+
 }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/parser/extension/EncryptedServerNameIndicationExtensionParser.java

@@ -75,7 +75,7 @@ private void parseKeyShareEntry(EncryptedServerNameIndicationExtensionMessage ms
     private void parseRecordDigestLength(EncryptedServerNameIndicationExtensionMessage msg) {
         int digestLen = parseIntField(ExtensionByteLength.RECORD_DIGEST_LENGTH);
         msg.setRecordDigestLength(digestLen);
-        LOGGER.debug("recordDigestLength: " + msg.getRecordDigestLength().getOriginalValue());
+        LOGGER.debug("recordDigestLength: " + msg.getRecordDigestLength().getValue());
     }
 
     private void parseRecordDigest(EncryptedServerNameIndicationExtensionMessage msg) {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/preparator/extension/EncryptedServerNameIndicationExtensionPreparator.java

@@ -40,6 +40,8 @@
 import de.rub.nds.tlsattacker.core.protocol.message.ClientHelloMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.ClientEsniInner;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.EncryptedServerNameIndicationExtensionMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.ExtensionMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.KeyShareExtensionMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.keyshare.KeyShareEntry;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.keyshare.KeyShareStoreEntry;
 import de.rub.nds.tlsattacker.core.protocol.parser.extension.ClientEsniInnerParser;
@@ -240,6 +242,7 @@ private void prepareNamedGroup(EncryptedServerNameIndicationExtensionMessage msg
 
     private void prepareKeyShareEntry(EncryptedServerNameIndicationExtensionMessage msg) {
         KeyShareEntry keyShareEntry = msg.getKeyShareEntry();
+        keyShareEntry.setPrivateKey(chooser.getConfig().getDefaultEsniClientPrivateKey());
         KeyShareEntryPreparator keyShareEntryPreparator = new KeyShareEntryPreparator(chooser, keyShareEntry);
         keyShareEntryPreparator.prepare();
         LOGGER.debug("ClientPrivateKey: "
@@ -382,6 +385,7 @@ private void prepareEsniMasterSecret(EncryptedServerNameIndicationExtensionMessa
     }
 
     private void prepareEsniKey(EncryptedServerNameIndicationExtensionMessage msg) {
+
         byte[] key = null;
         byte[] esniMasterSecret = msg.getEncryptedSniComputation().getEsniMasterSecret().getValue();
         byte[] hashIn = msg.getEncryptedSniComputation().getEsniContentsHash().getValue();
@@ -415,36 +419,53 @@ private void prepareEsniIv(EncryptedServerNameIndicationExtensionMessage msg) {
     }
 
     private void prepareClientHelloKeyShare(EncryptedServerNameIndicationExtensionMessage msg) {
-        ByteArrayOutputStream clientKeyShareStream = new ByteArrayOutputStream();
+        int keyShareListBytesLength = 0;
+        byte[] keyShareListBytesLengthField = null;
+        byte[] keyShareListBytes = null;
         ByteArrayOutputStream clientHelloKeyShareStream = new ByteArrayOutputStream();
+        boolean isClientHelloExensionsFound = false;
+        if (clientHelloMessage != null) {
 
-        for (KeyShareStoreEntry pair : chooser.getClientKeyShares()) {
-            KeyShareEntry entry = new KeyShareEntry();
-            KeyShareEntrySerializer serializer = new KeyShareEntrySerializer(entry);
-            entry.setGroup(pair.getGroup().getValue());
-            entry.setPublicKeyLength(pair.getPublicKey().length);
-            entry.setPublicKey(pair.getPublicKey());
-            try {
-                clientKeyShareStream.write(serializer.serialize());
-            } catch (IOException e) {
-                throw new PreparationException("Failed to write esniContents", e);
+            List<ExtensionMessage> clientHelloExtensions = clientHelloMessage.getExtensions();
+            for (ExtensionMessage m : clientHelloExtensions) {
+                if (m instanceof KeyShareExtensionMessage) {
+                    KeyShareExtensionMessage keyShareExtensionMessage = (KeyShareExtensionMessage) m;
+                    keyShareListBytesLength = keyShareExtensionMessage.getKeyShareListLength().getValue();
+                    keyShareListBytes = keyShareExtensionMessage.getKeyShareListBytes().getValue();
+                    isClientHelloExensionsFound = true;
+                    break;
+                }
             }
         }
-        byte[] keyShareListBytes = clientKeyShareStream.toByteArray();
-        int keyShareListBytesLength = keyShareListBytes.length;
-        byte[] keyShareListBytesLengthFild = ArrayConverter.intToBytes(keyShareListBytesLength,
+        if (!isClientHelloExensionsFound) {
+            ByteArrayOutputStream keyShareListStream = new ByteArrayOutputStream();
+            for (KeyShareStoreEntry pair : chooser.getClientKeyShares()) {
+                KeyShareEntry entry = new KeyShareEntry();
+                KeyShareEntrySerializer serializer = new KeyShareEntrySerializer(entry);
+                entry.setGroup(pair.getGroup().getValue());
+                entry.setPublicKeyLength(pair.getPublicKey().length);
+                entry.setPublicKey(pair.getPublicKey());
+                try {
+                    keyShareListStream.write(serializer.serialize());
+                } catch (IOException e) {
+                    throw new PreparationException("Failed to write esniContents", e);
+                }
+            }
+            keyShareListBytes = keyShareListStream.toByteArray();
+            keyShareListBytesLength = keyShareListBytes.length;
+        }
+
+        keyShareListBytesLengthField = ArrayConverter.intToBytes(keyShareListBytesLength,
                 ExtensionByteLength.KEY_SHARE_LIST_LENGTH);
         try {
-            clientHelloKeyShareStream.write(keyShareListBytesLengthFild);
+            clientHelloKeyShareStream.write(keyShareListBytesLengthField);
             clientHelloKeyShareStream.write(keyShareListBytes);
         } catch (IOException e) {
-            throw new PreparationException("Failed to write esniContents", e);
+            throw new PreparationException("Failed to write ClientHelloKeyShare", e);
         }
-
         byte[] clientHelloKeyShareBytes = clientHelloKeyShareStream.toByteArray();
         msg.getEncryptedSniComputation().setClientHelloKeyShare(clientHelloKeyShareBytes);
-        LOGGER.debug("clientHelloKeyShare: "
-                + ArrayConverter.bytesToHexString(msg.getEncryptedSniComputation().getClientHelloKeyShare().getValue()));
+        LOGGER.debug("clientHelloKeyShare: " + ArrayConverter.bytesToHexString(clientHelloKeyShareBytes));
     }
 
     private void prepareEncryptedSni(EncryptedServerNameIndicationExtensionMessage msg) {
@@ -513,7 +534,7 @@ private void prepareEncryptedSniLength(EncryptedServerNameIndicationExtensionMes
     private void prepareServerNonce(EncryptedServerNameIndicationExtensionMessage msg) {
         byte[] receivedClientNonce = chooser.getEsniClientNonce();
         msg.setServerNonce(receivedClientNonce);
-        LOGGER.debug("ServerNonce: " + msg.getServerNonce().getValue());
+        LOGGER.debug("ServerNonce: " + ArrayConverter.bytesToHexString(msg.getServerNonce().getValue()));
     }
 
     private byte[] generateEsniContents(EncryptedServerNameIndicationExtensionMessage msg) {

TLS-Core/src/main/resources/default_config.xml

@@ -1133,6 +1133,7 @@ A9 DA F4 93 96 CF 12 EC  47 EF A7 A0 D3 88 2F 8B
     <defaultServerPWDSalt>96 3C 77 CD C1 3A 2A 8D 75 CD DD D1 E0 44 99 29 84 37 11 C2 1D 47 CE 6E 63 83 CD DA 37 E4 7D A3</defaultServerPWDSalt>
     <parseInvalidRecordsUnencrypted>false</parseInvalidRecordsUnencrypted>
     <defaultSelectedPointFormat>UNCOMPRESSED</defaultSelectedPointFormat>
+    <defaultEsniClientPrivateKey>191991257030464195512760799659436374116556484140110877679395918219072292938297573720808302564562486757422301181089761</defaultEsniClientPrivateKey>
     <defaultEsniClientNonce>A7 28 4C 9A 52 F1 5C 13 64 4B 94 72 61 77 46 57</defaultEsniClientNonce>
     <defaultEsniServerNonce>00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00</defaultEsniServerNonce>
     <defaultEsniRecordBytes>FF 01 00 12 4B 2A 00 24 00 1D 00 20 FA 57 2D 03 E2 1E 15 F9 CA 1A A7 FB 85 F6 1B 9F C7 84 58 A7 80 50 AC 58 18 11 86 33 25 94 44 12 00 02 13 01 01 04 00 00 00 00 5D CC 3A 45 00 00 00 00 5D DA 12 05 00 00</defaultEsniRecordBytes>