Merge pull request #397 from RUB-NDS/0rttPskOnly

Derivation of Handshake Secret for 0-RTT PSK-only

Author: ic0ns

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/constants/CipherSuite.java

@@ -676,6 +676,8 @@ public static List<CipherSuite> getImplemented() {
         list.add(TLS_DHE_RSA_WITH_AES_256_CCM);
         list.add(TLS_ECDHE_ECDSA_WITH_AES_128_CCM);
         list.add(TLS_ECDHE_ECDSA_WITH_AES_256_CCM);
+        list.add(TLS_AES_128_GCM_SHA256);
+        list.add(TLS_AES_256_GCM_SHA384);
 
         return list;
     }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/HandshakeMessageHandler.java

@@ -30,21 +30,10 @@ public HandshakeMessageHandler(TlsContext tlsContext) {
 
     protected void adjustExtensions(ProtocolMessage message, HandshakeMessageType handshakeMessageType) {
         if (message.getExtensions() != null) {
-            KeyShareExtensionHandler keyShareHandler = null;
-            KeyShareExtensionMessage keyShareExtension = null;
             for (ExtensionMessage extension : message.getExtensions()) {
                 ExtensionHandler handler = HandlerFactory.getExtensionHandler(tlsContext,
                         extension.getExtensionTypeConstant(), handshakeMessageType);
-                if (handler instanceof KeyShareExtensionHandler) {
-                    keyShareHandler = (KeyShareExtensionHandler) handler;
-                    keyShareExtension = (KeyShareExtensionMessage) extension;
-                } else {
-                    handler.adjustTLSContext(extension);
-                }
-            }
-            if (keyShareHandler != null) // delay KeyShare to process PSK first
-            {
-                keyShareHandler.adjustTLSContext(keyShareExtension);
+                handler.adjustTLSContext(extension);
             }
         }
     }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/ServerHelloHandler.java

@@ -12,11 +12,20 @@
 import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import de.rub.nds.tlsattacker.core.constants.CompressionMethod;
+import de.rub.nds.tlsattacker.core.constants.DigestAlgorithm;
+import de.rub.nds.tlsattacker.core.constants.ExtensionType;
+import de.rub.nds.tlsattacker.core.constants.HKDFAlgorithm;
 import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
+import de.rub.nds.tlsattacker.core.constants.NamedCurve;
 import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
 import de.rub.nds.tlsattacker.core.constants.Tls13KeySetType;
+import de.rub.nds.tlsattacker.core.crypto.HKDFunction;
+import de.rub.nds.tlsattacker.core.crypto.ec.Curve25519;
+import de.rub.nds.tlsattacker.core.exceptions.CryptoException;
+import de.rub.nds.tlsattacker.core.exceptions.PreparationException;
 import static de.rub.nds.tlsattacker.core.protocol.handler.ProtocolMessageHandler.LOGGER;
 import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.KS.KSEntry;
 import de.rub.nds.tlsattacker.core.protocol.parser.ServerHelloParser;
 import de.rub.nds.tlsattacker.core.protocol.preparator.ServerHelloMessagePreparator;
 import de.rub.nds.tlsattacker.core.protocol.serializer.ServerHelloMessageSerializer;
@@ -29,6 +38,7 @@
 import de.rub.nds.tlsattacker.core.workflow.chooser.Chooser;
 import de.rub.nds.tlsattacker.transport.ConnectionEndType;
 import java.security.NoSuchAlgorithmException;
+import javax.crypto.Mac;
 
 public class ServerHelloHandler extends HandshakeMessageHandler<ServerHelloMessage> {
 
@@ -62,6 +72,7 @@ public void adjustTLSContext(ServerHelloMessage message) {
         adjustServerRandom(message);
         adjustExtensions(message, HandshakeMessageType.SERVER_HELLO);
         if (tlsContext.getChooser().getSelectedProtocolVersion().isTLS13()) {
+            adjustHandshakeTrafficSecrets();
             if (tlsContext.getTalkingConnectionEndType() != tlsContext.getChooser().getConnectionEndType()) {
                 setServerRecordCipher();
             }
@@ -168,4 +179,71 @@ public void adjustTlsContextAfterSerialize(ServerHelloMessage message) {
             setServerRecordCipher();
         }
     }
+
+    private void adjustHandshakeTrafficSecrets() {
+        HKDFAlgorithm hkdfAlgortihm = AlgorithmResolver.getHKDFAlgorithm(tlsContext.getChooser()
+                .getSelectedCipherSuite());
+        DigestAlgorithm digestAlgo = AlgorithmResolver.getDigestAlgorithm(tlsContext.getChooser()
+                .getSelectedProtocolVersion(), tlsContext.getChooser().getSelectedCipherSuite());
+
+        try {
+            int macLength = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()).getMacLength();
+            byte[] psk = (tlsContext.getConfig().isUsePsk() || tlsContext.getPsk() != null) ? tlsContext.getChooser()
+                    .getPsk() : new byte[macLength]; // use PSK if available
+            byte[] earlySecret = HKDFunction.extract(hkdfAlgortihm, new byte[0], psk);
+            byte[] saltHandshakeSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(), earlySecret,
+                    HKDFunction.DERIVED, ArrayConverter.hexStringToByteArray(""));
+            byte[] sharedSecret = new byte[macLength];
+            if (tlsContext.getChooser().getConnectionEndType() == ConnectionEndType.CLIENT
+                    && tlsContext.isExtensionNegotiated(ExtensionType.KEY_SHARE)) {
+                if (tlsContext.getChooser().getServerKSEntry().getGroup() == NamedCurve.ECDH_X25519) {
+                    sharedSecret = computeSharedSecretECDH(tlsContext.getChooser().getServerKSEntry());
+                } else {
+                    throw new PreparationException("Currently only the key exchange group ECDH_X25519 is supported");
+                }
+            } else if (tlsContext.isExtensionNegotiated(ExtensionType.KEY_SHARE)) {
+                int pos = 0;
+                for (KSEntry entry : tlsContext.getChooser().getClientKeyShareEntryList()) {
+                    if (entry.getGroup() == NamedCurve.ECDH_X25519) {
+                        pos = tlsContext.getChooser().getClientKeyShareEntryList().indexOf(entry);
+                    }
+                }
+                if (tlsContext.getChooser().getClientKeyShareEntryList().get(pos).getGroup() == NamedCurve.ECDH_X25519) {
+                    sharedSecret = computeSharedSecretECDH(tlsContext.getChooser().getClientKeyShareEntryList()
+                            .get(pos));
+                } else {
+                    throw new PreparationException("Currently only the key exchange group ECDH_X25519 is supported");
+                }
+            }
+            byte[] handshakeSecret = HKDFunction.extract(hkdfAlgortihm, saltHandshakeSecret, sharedSecret);
+            tlsContext.setHandshakeSecret(handshakeSecret);
+            LOGGER.debug("Set handshakeSecret in Context to " + ArrayConverter.bytesToHexString(handshakeSecret));
+            byte[] clientHandshakeTrafficSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(),
+                    handshakeSecret, HKDFunction.CLIENT_HANDSHAKE_TRAFFIC_SECRET, tlsContext.getDigest().getRawBytes());
+            tlsContext.setClientHandshakeTrafficSecret(clientHandshakeTrafficSecret);
+            LOGGER.debug("Set clientHandshakeTrafficSecret in Context to "
+                    + ArrayConverter.bytesToHexString(clientHandshakeTrafficSecret));
+            byte[] serverHandshakeTrafficSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(),
+                    handshakeSecret, HKDFunction.SERVER_HANDSHAKE_TRAFFIC_SECRET, tlsContext.getDigest().getRawBytes());
+            tlsContext.setServerHandshakeTrafficSecret(serverHandshakeTrafficSecret);
+            LOGGER.debug("Set serverHandshakeTrafficSecret in Context to "
+                    + ArrayConverter.bytesToHexString(serverHandshakeTrafficSecret));
+        } catch (NoSuchAlgorithmException ex) {
+            throw new CryptoException(ex);
+        }
+    }
+
+    /**
+     * Computes the shared secret for ECDH_X25519
+     *
+     * @return
+     */
+    private byte[] computeSharedSecretECDH(KSEntry keyShare) {
+        byte[] privateKey = tlsContext.getConfig().getKeySharePrivate();
+        byte[] publicKey = keyShare.getSerializedPublicKey();
+        Curve25519.clamp(privateKey);
+        byte[] sharedSecret = new byte[32];
+        Curve25519.curve(sharedSecret, privateKey, publicKey);
+        return sharedSecret;
+    }
 }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/extension/KeyShareExtensionHandler.java

@@ -73,74 +73,8 @@ public void adjustTLSExtensionContext(KeyShareExtensionMessage message) {
             if (ksEntryList.size() > 0) {
                 context.setServerKSEntry(ksEntryList.get(0));
             }
-            adjustHandshakeTrafficSecrets();
         } else {
             context.setClientKeyShareEntryList(ksEntryList);
         }
     }
-
-    private void adjustHandshakeTrafficSecrets() {
-        HKDFAlgorithm hkdfAlgortihm = AlgorithmResolver.getHKDFAlgorithm(context.getChooser().getSelectedCipherSuite());
-        DigestAlgorithm digestAlgo = AlgorithmResolver.getDigestAlgorithm(context.getChooser()
-                .getSelectedProtocolVersion(), context.getChooser().getSelectedCipherSuite());
-
-        try {
-            int macLength = Mac.getInstance(hkdfAlgortihm.getMacAlgorithm().getJavaName()).getMacLength();
-            byte[] psk = (context.getConfig().isUsePsk() || context.getPsk() != null) ? context.getChooser().getPsk()
-                    : new byte[macLength]; // use PSK if available
-            byte[] earlySecret = HKDFunction.extract(hkdfAlgortihm, new byte[0], psk);
-            byte[] saltHandshakeSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(), earlySecret,
-                    HKDFunction.DERIVED, ArrayConverter.hexStringToByteArray(""));
-            byte[] sharedSecret;
-            if (context.getChooser().getConnectionEndType() == ConnectionEndType.CLIENT) {
-                if (context.getChooser().getServerKSEntry().getGroup() == NamedCurve.ECDH_X25519) {
-                    sharedSecret = computeSharedSecretECDH(context.getChooser().getServerKSEntry());
-                } else {
-                    throw new PreparationException("Currently only the key exchange group ECDH_X25519 is supported");
-                }
-            } else {
-                int pos = 0;
-                for (KSEntry entry : context.getChooser().getClientKeyShareEntryList()) {
-                    if (entry.getGroup() == NamedCurve.ECDH_X25519) {
-                        pos = context.getChooser().getClientKeyShareEntryList().indexOf(entry);
-                    }
-                }
-                if (context.getChooser().getClientKeyShareEntryList().get(pos).getGroup() == NamedCurve.ECDH_X25519) {
-                    sharedSecret = computeSharedSecretECDH(context.getChooser().getClientKeyShareEntryList().get(pos));
-                } else {
-                    throw new PreparationException("Currently only the key exchange group ECDH_X25519 is supported");
-                }
-            }
-            byte[] handshakeSecret = HKDFunction.extract(hkdfAlgortihm, saltHandshakeSecret, sharedSecret);
-            context.setHandshakeSecret(handshakeSecret);
-            LOGGER.debug("Set handshakeSecret in Context to " + ArrayConverter.bytesToHexString(handshakeSecret));
-            byte[] clientHandshakeTrafficSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(),
-                    handshakeSecret, HKDFunction.CLIENT_HANDSHAKE_TRAFFIC_SECRET, context.getDigest().getRawBytes());
-            context.setClientHandshakeTrafficSecret(clientHandshakeTrafficSecret);
-            LOGGER.debug("Set clientHandshakeTrafficSecret in Context to "
-                    + ArrayConverter.bytesToHexString(clientHandshakeTrafficSecret));
-            byte[] serverHandshakeTrafficSecret = HKDFunction.deriveSecret(hkdfAlgortihm, digestAlgo.getJavaName(),
-                    handshakeSecret, HKDFunction.SERVER_HANDSHAKE_TRAFFIC_SECRET, context.getDigest().getRawBytes());
-            context.setServerHandshakeTrafficSecret(serverHandshakeTrafficSecret);
-            LOGGER.debug("Set serverHandshakeTrafficSecret in Context to "
-                    + ArrayConverter.bytesToHexString(serverHandshakeTrafficSecret));
-        } catch (NoSuchAlgorithmException ex) {
-            throw new CryptoException(ex);
-        }
-    }
-
-    /**
-     * Computes the shared secret for ECDH_X25519
-     *
-     * @return
-     */
-    private byte[] computeSharedSecretECDH(KSEntry keyShare) {
-        byte[] privateKey = context.getConfig().getKeySharePrivate();
-        byte[] publicKey = keyShare.getSerializedPublicKey();
-        Curve25519.clamp(privateKey);
-        byte[] sharedSecret = new byte[32];
-        Curve25519.curve(sharedSecret, privateKey, publicKey);
-        return sharedSecret;
-    }
-
 }

TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/record/cipher/cryptohelper/KeySetGenerator.java

@@ -62,9 +62,12 @@ private static KeySet getTls13KeySet(TlsContext context, Tls13KeySetType keySetT
         } else if (keySetType == Tls13KeySetType.EARLY_TRAFFIC_SECRETS) {
             cipherSuite = context.getChooser().getEarlyDataCipherSuite();
             clientSecret = context.getChooser().getClientEarlyTrafficSecret();
-            serverSecret = context.getChooser().getClientEarlyTrafficSecret(); // won't
-                                                                               // be
-            // used
+            serverSecret = context.getChooser().getClientEarlyTrafficSecret();
+        } else if (keySetType == Tls13KeySetType.NONE) {
+            LOGGER.warn("KeySet is NONE! , returning empty KeySet");
+            return new KeySet(keySetType);
+        } else {
+            throw new CryptoException("Unknown KeySetType:" + keySetType.name());
         }
         LOGGER.debug("ActiveKeySetType is " + keySetType);
         CipherAlgorithm cipherAlg = AlgorithmResolver.getCipher(cipherSuite);

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/handler/ServerHelloHandlerTest.java

@@ -8,14 +8,21 @@
  */
 package de.rub.nds.tlsattacker.core.protocol.handler;
 
+import de.rub.nds.modifiablevariable.util.ArrayConverter;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import de.rub.nds.tlsattacker.core.constants.CompressionMethod;
+import de.rub.nds.tlsattacker.core.constants.ExtensionType;
+import de.rub.nds.tlsattacker.core.constants.NamedCurve;
 import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
 import de.rub.nds.tlsattacker.core.protocol.message.ServerHelloMessage;
+import de.rub.nds.tlsattacker.core.protocol.message.extension.KS.KSEntry;
 import de.rub.nds.tlsattacker.core.protocol.parser.ServerHelloParser;
 import de.rub.nds.tlsattacker.core.protocol.preparator.ServerHelloMessagePreparator;
 import de.rub.nds.tlsattacker.core.protocol.serializer.ServerHelloMessageSerializer;
+import de.rub.nds.tlsattacker.core.record.layer.RecordLayerFactory;
+import de.rub.nds.tlsattacker.core.record.layer.RecordLayerType;
 import de.rub.nds.tlsattacker.core.state.TlsContext;
+import de.rub.nds.tlsattacker.transport.ConnectionEndType;
 import org.junit.After;
 import static org.junit.Assert.*;
 import org.junit.Before;
@@ -82,4 +89,29 @@ public void testAdjustTLSContext() {
         assertArrayEquals(context.getSelectedProtocolVersion().getValue(), ProtocolVersion.TLS12.getValue());
     }
 
+    @Test
+    public void testAdjustTLSContextTls13() {
+        ServerHelloMessage message = new ServerHelloMessage();
+        context.setTalkingConnectionEndType(ConnectionEndType.SERVER);
+        message.setUnixTime(new byte[] { 0, 1, 2 });
+        message.setRandom(new byte[] { 0, 1, 2, 3, 4, 5 });
+        message.setSelectedCompressionMethod(CompressionMethod.DEFLATE.getValue());
+        message.setSelectedCipherSuite(CipherSuite.TLS_AES_128_GCM_SHA256.getByteValue());
+        message.setSessionId(new byte[] { 6, 6, 6 });
+        message.setProtocolVersion(ProtocolVersion.TLS13.getValue());
+        context.setServerKSEntry(new KSEntry(NamedCurve.ECDH_X25519, ArrayConverter
+                .hexStringToByteArray("9c1b0a7421919a73cb57b3a0ad9d6805861a9c47e11df8639d25323b79ce201c")));
+        context.addNegotiatedExtension(ExtensionType.KEY_SHARE);
+        context.setRecordLayer(RecordLayerFactory.getRecordLayer(RecordLayerType.RECORD, context));
+        handler.adjustTLSContext(message);
+        assertArrayEquals(
+                ArrayConverter.hexStringToByteArray("EA2F968FD0A381E4B041E6D8DDBF6DA93DE4CEAC862693D3026323E780DB9FC3"),
+                context.getHandshakeSecret());
+        assertArrayEquals(
+                ArrayConverter.hexStringToByteArray("C56CAE0B1A64467A0E3A3337F8636965787C9A741B0DAB63E503076051BCA15C"),
+                context.getClientHandshakeTrafficSecret());
+        assertArrayEquals(
+                ArrayConverter.hexStringToByteArray("DBF731F5EE037C4494F24701FF074AD4048451C0E2803BC686AF1F2D18E861F5"),
+                context.getServerHandshakeTrafficSecret());
+    }
 }

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/protocol/handler/extension/KeyShareExtensionHandlerTest.java

@@ -66,15 +66,6 @@ public void testAdjustTLSContext() {
                 ArrayConverter.hexStringToByteArray("9c1b0a7421919a73cb57b3a0ad9d6805861a9c47e11df8639d25323b79ce201c"),
                 entry.getSerializedPublicKey());
         assertTrue(entry.getGroup() == NamedCurve.ECDH_X25519);
-        assertArrayEquals(
-                ArrayConverter.hexStringToByteArray("EA2F968FD0A381E4B041E6D8DDBF6DA93DE4CEAC862693D3026323E780DB9FC3"),
-                context.getHandshakeSecret());
-        assertArrayEquals(
-                ArrayConverter.hexStringToByteArray("C56CAE0B1A64467A0E3A3337F8636965787C9A741B0DAB63E503076051BCA15C"),
-                context.getClientHandshakeTrafficSecret());
-        assertArrayEquals(
-                ArrayConverter.hexStringToByteArray("DBF731F5EE037C4494F24701FF074AD4048451C0E2803BC686AF1F2D18E861F5"),
-                context.getServerHandshakeTrafficSecret());
     }
 
     /**

TLS-Core/src/test/java/de/rub/nds/tlsattacker/core/record/cipher/KeySetGeneratorTest.java

@@ -11,6 +11,7 @@
 import de.rub.nds.tlsattacker.core.record.cipher.cryptohelper.KeySetGenerator;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
 import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
+import de.rub.nds.tlsattacker.core.constants.Tls13KeySetType;
 import de.rub.nds.tlsattacker.core.state.TlsContext;
 import de.rub.nds.tlsattacker.util.tests.IntegrationTests;
 import java.security.NoSuchAlgorithmException;
@@ -38,7 +39,7 @@ public void setUp() {
      * be generated without throwing an exception
      */
     @Test
-    @Category(IntegrationTests.class)
+    // @Category(IntegrationTests.class)
     public void testGenerateKeySet() {
         for (CipherSuite suite : CipherSuite.getImplemented()) {
             for (ProtocolVersion version : ProtocolVersion.values()) {