Merge pull request #729 from tls-attacker/sess_ticket_version37

Author: mmaehren

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/AlgorithmResolver.java

@@ -297,9 +297,9 @@ public static CipherAlgorithm getCipher(CipherSuite cipherSuite) {
             return CipherAlgorithm.GOST_28147_CNT;
         } else if (cipher.contains("CHACHA20_POLY1305")) {
             if (cipher.contains("UNOFFICIAL")) {
-                return CipherAlgorithm.UNOFFICIAL_CHA_CHA_20_POLY1305;
+                return CipherAlgorithm.UNOFFICIAL_CHACHA20_POLY1305;
             } else {
-                return CipherAlgorithm.CHA_CHA_20_POLY1305;
+                return CipherAlgorithm.CHACHA20_POLY1305;
             }
         }
         if (cipherSuite == CipherSuite.TLS_FALLBACK_SCSV

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/CipherAlgorithm.java

@@ -31,8 +31,8 @@ public enum CipherAlgorithm {
     SEED_CBC(16, 16, 0, 16, "SEED/CBC/NoPadding"),
     AES_128_CCM(16, 4, 8, 16, "AES/CCM/NoPadding"),
     AES_256_CCM(32, 4, 8, 16, "AES/CCM/NoPadding"),
-    CHA_CHA_20_POLY1305(32, 12, 0, 0, "ChaCha20Poly1305"),
-    UNOFFICIAL_CHA_CHA_20_POLY1305(32, 12, 0, 0, "ChaCha20Poly1305"),
+    CHACHA20_POLY1305(32, 12, 0, 0, "ChaCha20-Poly1305"),
+    UNOFFICIAL_CHACHA20_POLY1305(32, 12, 0, 0, "ChaCha20-Poly1305"),
     DES40_CBC(8, 8, 0, 8, "DES/CBC/NoPadding"), // currently
     // uses
     // des
@@ -42,7 +42,9 @@ public enum CipherAlgorithm {
     ARIA_128_GCM(16, 16, 8, 16, "ARIA/GCM/NoPadding"), // not tested yet
     ARIA_256_GCM(16, 16, 8, 16, "ARIA/GCM/NoPadding"), // not tested yet
     GOST_28147_CNT(32, 8, 0, 8, "GOST28147/ECB/NoPadding"),
-    FORTEZZA_CBC(0, 0, 0, 0); // TODO
+    FORTEZZA_CBC(0, 0, 0, 0), // TODO
+    AES_128_CTR(16, 16, 0, 0, "AES/CTR/NoPadding"),
+    AES_256_CTR(32, 16, 0, 0, "AES/CTR/NoPadding");
 
     CipherAlgorithm(int keySize, int nonceBytesFromHandshake, int nonceBytesFromRecord, int blocksize,
         String javaName) {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/cipher/CipherWrapper.java

@@ -30,9 +30,9 @@ public static EncryptionCipher getEncryptionCipher(CipherSuite cipherSuite, Conn
         if (cipherAlg == CipherAlgorithm.GOST_28147_CNT) {
             return new GOST28147Cipher(GOSTUtils.getGostSpec(cipherSuite), keySet.getWriteKey(connectionEndType),
                 keySet.getWriteIv(connectionEndType));
-        } else if (cipherAlg == CipherAlgorithm.CHA_CHA_20_POLY1305) {
+        } else if (cipherAlg == CipherAlgorithm.CHACHA20_POLY1305) {
             return new StandardizedChaCha20Poly1305Cipher(keySet.getWriteKey(connectionEndType));
-        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHA_CHA_20_POLY1305) {
+        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHACHA20_POLY1305) {
             return new UnofficialChaCha20Poly1305Cipher(keySet.getWriteKey(connectionEndType));
         } else if (cipherAlg.getJavaName() != null) {
             return new JavaCipher(cipherAlg, keySet.getWriteKey(connectionEndType),
@@ -51,9 +51,9 @@ public static DecryptionCipher getDecryptionCipher(CipherSuite cipherSuite, Conn
         if (cipherAlg == CipherAlgorithm.GOST_28147_CNT) {
             return new GOST28147Cipher(GOSTUtils.getGostSpec(cipherSuite), keySet.getReadKey(connectionEndType),
                 keySet.getReadIv(connectionEndType));
-        } else if (cipherAlg == CipherAlgorithm.CHA_CHA_20_POLY1305) {
+        } else if (cipherAlg == CipherAlgorithm.CHACHA20_POLY1305) {
             return new StandardizedChaCha20Poly1305Cipher(keySet.getReadKey(connectionEndType));
-        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHA_CHA_20_POLY1305) {
+        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHACHA20_POLY1305) {
             return new UnofficialChaCha20Poly1305Cipher(keySet.getReadKey(connectionEndType));
         } else if (cipherAlg.getJavaName() != null) {
             return new JavaCipher(cipherAlg, keySet.getReadKey(connectionEndType),

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/FinishedHandler.java

@@ -10,15 +10,13 @@
 package de.rub.nds.tlsattacker.core.protocol.handler;
 
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
-import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
-import de.rub.nds.tlsattacker.core.constants.DigestAlgorithm;
-import de.rub.nds.tlsattacker.core.constants.ExtensionType;
-import de.rub.nds.tlsattacker.core.constants.HKDFAlgorithm;
-import de.rub.nds.tlsattacker.core.constants.Tls13KeySetType;
+import de.rub.nds.tlsattacker.core.constants.*;
 import de.rub.nds.tlsattacker.core.crypto.HKDFunction;
 import de.rub.nds.tlsattacker.core.exceptions.AdjustmentException;
 import de.rub.nds.tlsattacker.core.exceptions.CryptoException;
+import de.rub.nds.tlsattacker.core.protocol.handler.factory.HandlerFactory;
 import de.rub.nds.tlsattacker.core.protocol.message.FinishedMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.psk.PskSet;
 import de.rub.nds.tlsattacker.core.protocol.parser.FinishedParser;
 import de.rub.nds.tlsattacker.core.protocol.preparator.FinishedPreparator;
 import de.rub.nds.tlsattacker.core.protocol.serializer.FinishedSerializer;
@@ -28,11 +26,12 @@
 import de.rub.nds.tlsattacker.core.record.cipher.cryptohelper.KeySetGenerator;
 import de.rub.nds.tlsattacker.core.state.TlsContext;
 import de.rub.nds.tlsattacker.transport.ConnectionEndType;
-import java.security.NoSuchAlgorithmException;
-import javax.crypto.Mac;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
+import javax.crypto.Mac;
+import java.security.NoSuchAlgorithmException;
+
 public class FinishedHandler extends HandshakeMessageHandler<FinishedMessage> {
 
     private static final Logger LOGGER = LogManager.getLogger();
@@ -64,13 +63,25 @@ public void adjustTLSContext(FinishedMessage message) {
                 if (tlsContext.getTalkingConnectionEndType() == ConnectionEndType.SERVER) {
                     adjustApplicationTrafficSecrets();
                     setServerRecordCipher(Tls13KeySetType.APPLICATION_TRAFFIC_SECRETS);
-
                 } else {
                     setClientRecordCipher(Tls13KeySetType.APPLICATION_TRAFFIC_SECRETS);
                 }
             } else if (tlsContext.getChooser().getConnectionEndType() == ConnectionEndType.CLIENT
                 || !tlsContext.isExtensionNegotiated(ExtensionType.EARLY_DATA)) {
                 setClientRecordCipher(Tls13KeySetType.HANDSHAKE_TRAFFIC_SECRETS);
+
+                if (tlsContext.getTalkingConnectionEndType() == ConnectionEndType.CLIENT) {
+                    NewSessionTicketHandler ticketHandler = (NewSessionTicketHandler) HandlerFactory
+                            .getHandshakeHandler(tlsContext, HandshakeMessageType.NEW_SESSION_TICKET);
+                    if (tlsContext.getPskSets() != null) {
+                        for (PskSet pskSet : tlsContext.getPskSets()) {
+                            // if psk was derived earliers, skip derivation (especially for state reusage helpful)
+                            if (pskSet.getPreSharedKey() == null) {
+                                pskSet.setPreSharedKey(ticketHandler.derivePsk(pskSet));
+                            }
+                        }
+                    }
+                }
             }
         }
         if (tlsContext.getTalkingConnectionEndType() == ConnectionEndType.CLIENT) {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/NewSessionTicketHandler.java

@@ -13,6 +13,7 @@
 import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
 import de.rub.nds.tlsattacker.core.constants.DigestAlgorithm;
 import de.rub.nds.tlsattacker.core.constants.HKDFAlgorithm;
+import de.rub.nds.tlsattacker.core.constants.Tls13KeySetType;
 import de.rub.nds.tlsattacker.core.crypto.HKDFunction;
 import de.rub.nds.tlsattacker.core.exceptions.CryptoException;
 import de.rub.nds.tlsattacker.core.exceptions.WorkflowExecutionException;
@@ -80,11 +81,21 @@ private void adjustPskSets(NewSessionTicketMessage message) {
         if (message.getTicket().getIdentity() != null) {
             pskSet.setPreSharedKeyIdentity(message.getTicket().getIdentity().getValue());
         } else {
-            LOGGER.warn("No Identity in ticket. Using new byte[] instead");
+            LOGGER.warn("No Identity in ticket. Using new byte[0] instead");
             pskSet.setPreSharedKeyIdentity(new byte[0]);
         }
         pskSet.setTicketAge(getTicketAge());
-        pskSet.setPreSharedKey(derivePsk(message));
+        if (message.getTicket().getTicketNonce() != null) {
+            pskSet.setTicketNonce(message.getTicket().getTicketNonce().getValue());
+        } else {
+            LOGGER.warn("No nonce in ticket. Using new byte[0] instead");
+            pskSet.setTicketNonce(new byte[0]);
+        }
+        // only derive PSK if client finished was already sent, because full handshake transcript is required
+        if (tlsContext.getActiveClientKeySetType() == Tls13KeySetType.APPLICATION_TRAFFIC_SECRETS) {
+            pskSet.setPreSharedKey(derivePsk(pskSet));
+        }
+
         LOGGER.debug("Adding PSK Set");
         pskSets.add(pskSet);
         tlsContext.setPskSets(pskSets);
@@ -98,7 +109,7 @@ private String getTicketAge() {
         return ticketDate.format(dateTimeFormatter);
     }
 
-    private byte[] derivePsk(NewSessionTicketMessage message) {
+    protected byte[] derivePsk(PskSet pskSet) {
         try {
             LOGGER.debug("Deriving PSK from current session");
             HKDFAlgorithm hkdfAlgorithm =
@@ -109,10 +120,14 @@ private byte[] derivePsk(NewSessionTicketMessage message) {
             byte[] resumptionMasterSecret =
                 HKDFunction.deriveSecret(hkdfAlgorithm, digestAlgo.getJavaName(), tlsContext.getMasterSecret(),
                     HKDFunction.RESUMPTION_MASTER_SECRET, tlsContext.getDigest().getRawBytes());
+            tlsContext.setResumptionMasterSecret(resumptionMasterSecret);
             LOGGER.debug("Derived ResumptionMasterSecret: " + ArrayConverter.bytesToHexString(resumptionMasterSecret));
+            LOGGER.debug("Derived Master Secret: " + ArrayConverter.bytesToHexString(tlsContext.getMasterSecret()));
+            LOGGER.debug("Handshake Transcript Raw Bytes: "
+                + ArrayConverter.bytesToHexString(tlsContext.getDigest().getRawBytes()));
             byte[] psk = HKDFunction.expandLabel(hkdfAlgorithm, resumptionMasterSecret, HKDFunction.RESUMPTION,
-                message.getTicket().getTicketNonce().getValue(), macLength);
-            LOGGER.debug("Derived PSK: " + ArrayConverter.bytesToHexString(psk));
+                pskSet.getTicketNonce(), macLength);
+            LOGGER.debug("New derived pre-shared-key: " + ArrayConverter.bytesToHexString(psk));
             return psk;
 
         } catch (NoSuchAlgorithmException | CryptoException ex) {

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/message/extension/psk/PskSet.java

@@ -47,17 +47,24 @@ public class PskSet implements Serializable {
     @XmlJavaTypeAdapter(UnformattedByteArrayAdapter.class)
     private byte[] ticketAgeAdd;
 
+    /**
+     * ticket nonce used to derive PSK
+     */
+    @XmlJavaTypeAdapter(UnformattedByteArrayAdapter.class)
+    private byte[] ticketNonce;
+
     private CipherSuite cipherSuite;
 
     public PskSet() {
     }
 
     public PskSet(byte[] preSharedKeyIdentity, byte[] preSharedKey, String ticketAge, byte[] ticketAgeAdd,
-        CipherSuite cipherSuite) {
+        byte[] ticketNonce, CipherSuite cipherSuite) {
         this.preSharedKeyIdentity = preSharedKeyIdentity;
         this.preSharedKey = preSharedKey;
         this.ticketAge = ticketAge;
         this.ticketAgeAdd = ticketAgeAdd;
+        this.ticketNonce = ticketNonce;
         this.cipherSuite = cipherSuite;
     }
 
@@ -121,6 +128,14 @@ public void setTicketAgeAdd(byte[] ticketAgeAdd) {
         this.ticketAgeAdd = ticketAgeAdd;
     }
 
+    public byte[] getTicketNonce() {
+        return ticketNonce;
+    }
+
+    public void setTicketNonce(byte[] ticketNonce) {
+        this.ticketNonce = ticketNonce;
+    }
+
     /**
      * @return the cipherSuite
      */
@@ -143,6 +158,7 @@ public int hashCode() {
         hash = 43 * hash + Arrays.hashCode(this.preSharedKey);
         hash = 43 * hash + Objects.hashCode(this.ticketAge);
         hash = 43 * hash + Arrays.hashCode(this.ticketAgeAdd);
+        hash = 43 * hash + Objects.hashCode(this.ticketNonce);
         hash = 43 * hash + Objects.hashCode(this.cipherSuite);
         return hash;
     }
@@ -171,6 +187,10 @@ public boolean equals(Object obj) {
         if (!Arrays.equals(this.ticketAgeAdd, other.ticketAgeAdd)) {
             return false;
         }
+        if (!Arrays.equals(this.ticketNonce, other.ticketNonce)) {
+            return false;
+        }
         return this.cipherSuite == other.cipherSuite;
     }
+
 }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/preparator/extension/PSKIdentityPreparator.java

@@ -16,8 +16,12 @@
 import de.rub.nds.tlsattacker.core.workflow.chooser.Chooser;
 import java.math.BigInteger;
 import java.time.Duration;
+import java.time.Instant;
 import java.time.LocalDateTime;
+import java.time.ZoneId;
 import java.time.format.DateTimeFormatter;
+
+import de.rub.nds.tlsattacker.util.TimeHelper;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
@@ -52,7 +56,10 @@ private void prepareObfuscatedTicketAge() {
     private byte[] getObfuscatedTicketAge(byte[] ticketAgeAdd, String ticketAge) {
         DateTimeFormatter dateTimeFormatter = DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss.SSS");
         LocalDateTime ticketDate = LocalDateTime.parse(ticketAge, dateTimeFormatter);
-        BigInteger difference = BigInteger.valueOf(Duration.between(ticketDate, LocalDateTime.now()).toMillis());
+        long time = TimeHelper.getTime();
+        LocalDateTime dateNow = LocalDateTime.ofInstant(Instant.ofEpochMilli(time), ZoneId.systemDefault());
+
+        BigInteger difference = BigInteger.valueOf(Duration.between(ticketDate, dateNow).toMillis());
         BigInteger addValue = BigInteger.valueOf(ArrayConverter.bytesToLong(ticketAgeAdd));
         BigInteger mod = BigInteger.valueOf(2).pow(32);
         difference = difference.add(addValue);

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/record/cipher/RecordAEADCipher.java

@@ -81,9 +81,9 @@ private byte[] prepareEncryptionGcmNonce(byte[] aeadSalt, byte[] explicitNonce,
         byte[] gcmNonce = ArrayConverter.concatenate(aeadSalt, explicitNonce);
 
         // Nonce construction is different for chacha & tls1.3
-        if (version.isTLS13() || cipherAlg == CipherAlgorithm.CHA_CHA_20_POLY1305) {
+        if (version.isTLS13() || cipherAlg == CipherAlgorithm.CHACHA20_POLY1305) {
             gcmNonce = preprocessIv(record.getSequenceNumber().getValue().longValue(), gcmNonce);
-        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHA_CHA_20_POLY1305) {
+        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHACHA20_POLY1305) {
             gcmNonce = ArrayConverter.longToUint64Bytes(record.getSequenceNumber().getValue().longValue());
         }
         record.getComputations().setGcmNonce(gcmNonce);
@@ -216,9 +216,9 @@ public void decrypt(Record record) throws CryptoException {
         byte[] gcmNonce = ArrayConverter.concatenate(salt, explicitNonce);
 
         // Nonce construction is different for chacha & tls1.3
-        if (version.isTLS13() || cipherAlg == CipherAlgorithm.CHA_CHA_20_POLY1305) {
+        if (version.isTLS13() || cipherAlg == CipherAlgorithm.CHACHA20_POLY1305) {
             gcmNonce = preprocessIv(record.getSequenceNumber().getValue().longValue(), gcmNonce);
-        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHA_CHA_20_POLY1305) {
+        } else if (cipherAlg == CipherAlgorithm.UNOFFICIAL_CHACHA20_POLY1305) {
             gcmNonce = ArrayConverter.longToUint64Bytes(record.getSequenceNumber().getValue().longValue());
         }
         record.getComputations().setGcmNonce(gcmNonce);

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/state/TlsContext.java

@@ -42,6 +42,7 @@
 import de.rub.nds.tlsattacker.core.dtls.FragmentManager;
 import de.rub.nds.tlsattacker.core.exceptions.ConfigurationException;
 import de.rub.nds.tlsattacker.core.exceptions.TransportHandlerConnectException;
+import de.rub.nds.tlsattacker.core.protocol.message.NewSessionTicketMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.ProtocolMessage;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.cachedinfo.CachedObject;
 import de.rub.nds.tlsattacker.core.protocol.message.extension.keyshare.KeyShareEntry;
@@ -177,6 +178,11 @@ public class TlsContext {
      */
     private byte[] preMasterSecret;
 
+    /**
+     * Master secret established during the handshake.
+     */
+    private byte[] resumptionMasterSecret;
+
     /**
      * Client Extended Random used in Extended Random Extension
      */
@@ -1377,6 +1383,10 @@ public byte[] getMasterSecret() {
         return masterSecret;
     }
 
+    public byte[] getResumptionMasterSecret() {
+        return resumptionMasterSecret;
+    }
+
     public CipherSuite getSelectedCipherSuite() {
         return selectedCipherSuite;
     }
@@ -1390,6 +1400,10 @@ public void setMasterSecret(byte[] masterSecret) {
         this.masterSecret = masterSecret;
     }
 
+    public byte[] setResumptionMasterSecret(byte[] resumptionMasterSecret) {
+        return this.resumptionMasterSecret = resumptionMasterSecret;
+    }
+
     public void setSelectedCipherSuite(CipherSuite selectedCipherSuite) {
         this.selectedCipherSuite = selectedCipherSuite;
     }

TLS-Core/src/main/resources/Config.xsd

@@ -1217,6 +1217,7 @@
       <xs:element name="preSharedKey" type="xs:string" minOccurs="0"/>
       <xs:element name="ticketAge" type="xs:string" minOccurs="0"/>
       <xs:element name="ticketAgeAdd" type="xs:string" minOccurs="0"/>
+      <xs:element name="ticketNonce" type="xs:string" minOccurs="0"/>
       <xs:element name="cipherSuite" type="cipherSuite" minOccurs="0"/>
     </xs:sequence>
   </xs:complexType>