Minimal number of changes needed to udpate to draft-28 (#115)

* includes AD in authentication check of TLS records

As per 5.2 of TLS 1.3 draft-28, the additional data is record header.

* tests: Update tests in order to support draft-28

* Interoperability: Updates NSS and BoringSSL versions to the
  one supporting draft-28
* Bogo: Updates revision number to use tests for draft-28
* FIX: makefile was using test-compat target instead of
  test-interop

* DC test: constify

* Use binary interface to encode in big-endian

README.md

@@ -71,7 +71,7 @@ We run 3 kinds of test:.
 
 * Unit testing: <br/>``make -f _dev/Makefile test-unit``
 * Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo``
-* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-compat``
+* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-interop``
 
 To run all the tests in one go use:
 ```

_dev/Makefile

@@ -115,4 +115,4 @@ clean-all: clean
 fmtcheck:
 	$(DEV_DIR)/utils/fmtcheck.sh
 
-.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-compat
+.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-interop

_dev/bogo/Dockerfile

@@ -26,7 +26,10 @@ RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \
 #ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
 
 # Draft 23 (+ client authentication)
-ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
+# ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
+
+# Draft 28
+ARG REVISION=33204d1eaa497819c6325998d7ba6b66316790f3
 
 RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
     git checkout $REVISION

_dev/boring/run.sh

@@ -2,7 +2,7 @@
 set -e
 
 /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-	-tls13-variant draft23 -session-out /session -connect "$@" < /httpreq.txt
+	-tls13-variant draft28 -session-out /session -connect "$@" < /httpreq.txt
 exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
-	-tls13-variant draft23 -session-in /session -connect "$@" < /httpreq.txt
+	-tls13-variant draft28 -session-in /session -connect "$@" < /httpreq.txt
 

_dev/boring/server.sh

@@ -6,21 +6,21 @@ set -x
 bssl server \
     -key rsa.pem \
     -min-version tls1.2 -max-version tls1.3 \
-    -tls13-variant draft23 \
+    -tls13-variant draft28 \
     -accept 1443 -loop -www 2>&1 &
 
 # ECDSA
 bssl server \
     -key ecdsa.pem \
     -min-version tls1.2 -max-version tls1.3 \
-    -tls13-variant draft23 \
+    -tls13-variant draft28 \
     -accept 2443 -loop -www 2>&1 &
 
 # Require client authentication (with ECDSA)
 bssl server \
     -key ecdsa.pem \
     -min-version tls1.2 -max-version tls1.3 \
-    -tls13-variant draft23 \
+    -tls13-variant draft28 \
     -accept 6443 -loop -www \
     -require-any-client-cert -debug 2>&1 &
 

_dev/tris-localserver/server.go

@@ -44,6 +44,7 @@ var tlsVersionToName = map[uint16]string{
 	tls.VersionTLS13Draft21: "1.3 (draft 21)",
 	tls.VersionTLS13Draft22: "1.3 (draft 22)",
 	tls.VersionTLS13Draft23: "1.3 (draft 23)",
+	tls.VersionTLS13Draft28: "1.3 (draft 28)",
 }
 
 func NewServer() *server {

_dev/tris-testclient/client.go

@@ -18,6 +18,7 @@ var tlsVersionToName = map[uint16]string{
 	tls.VersionTLS13:        "1.3",
 	tls.VersionTLS13Draft18: "1.3 (draft 18)",
 	tls.VersionTLS13Draft23: "1.3 (draft 23)",
+	tls.VersionTLS13Draft28: "1.3 (draft 28)",
 }
 
 var cipherSuiteIdToName = map[uint16]string{

_dev/tstclnt/Dockerfile

@@ -24,7 +24,10 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
 #ARG REVISION=88c3f3fa581b
 
 # Draft 23
-ARG REVISION=16c622c9e1cc
+# ARG REVISION=16c622c9e1cc
+
+# Latest
+ARG REVISION=09ab3310e710
 
 RUN cd nss && hg pull
 RUN cd nss && hg checkout -C $REVISION

cipher_suites.go

@@ -174,7 +174,10 @@ type fixedNonceAEAD struct {
 	aead  cipher.AEAD
 }
 
-func (f *fixedNonceAEAD) NonceSize() int        { return 8 }
+func (f *fixedNonceAEAD) NonceSize() int { return 8 }
+
+// Overhead returns the maximum difference between the lengths of a
+// plaintext and its ciphertext.
 func (f *fixedNonceAEAD) Overhead() int         { return f.aead.Overhead() }
 func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
 

common.go

@@ -31,6 +31,7 @@ const (
 	VersionTLS13Draft21 = 0x7f00 | 21
 	VersionTLS13Draft22 = 0x7f00 | 22
 	VersionTLS13Draft23 = 0x7f00 | 23
+	VersionTLS13Draft28 = 0x7f00 | 28
 )
 
 const (
@@ -41,7 +42,7 @@ const (
 	maxWarnAlertCount = 5            // maximum number of consecutive warning alerts
 
 	minVersion = VersionTLS12
-	maxVersion = VersionTLS13Draft23
+	maxVersion = VersionTLS13Draft28
 )
 
 // TLS record types.
@@ -888,7 +889,7 @@ var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11,
 // with TLS 1.3 draft versions included.
 //
 // TODO: remove once TLS 1.3 is finalised.
-var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft23, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
+var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft28, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
 
 // getSupportedVersions returns the protocol versions that are supported by the
 // current configuration.

conn.go

@@ -11,6 +11,7 @@ import (
 	"crypto/cipher"
 	"crypto/subtle"
 	"crypto/x509"
+	"encoding/binary"
 	"errors"
 	"fmt"
 	"io"
@@ -358,6 +359,15 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
 				hc.additionalData[11] = byte(n >> 8)
 				hc.additionalData[12] = byte(n)
 				additionalData = hc.additionalData[:]
+			} else {
+				if len(payload) > int((1<<14)+256) {
+					return false, 0, alertRecordOverflow
+				}
+				// Check AD header, see 5.2 of RFC8446
+				additionalData = make([]byte, 5)
+				additionalData[0] = 23
+				binary.BigEndian.PutUint16(additionalData[1:], 0x0303)
+				binary.BigEndian.PutUint16(additionalData[3:], uint16(len(payload)))
 			}
 			var err error
 			payload, err = c.Open(payload[:0], nonce, payload, additionalData)
@@ -460,10 +470,11 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
 		case cipher.Stream:
 			c.XORKeyStream(payload, payload)
 		case aead:
+			// explicitIVLen is always 0 for TLS1.3
 			payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
 			overhead := c.Overhead()
 			if hc.version >= VersionTLS13 {
-				overhead++
+				overhead++ // TODO(kk): why this is done?
 			}
 			b.resize(len(b.data) + overhead)
 
@@ -478,16 +489,19 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
 			if hc.version < VersionTLS13 {
 				copy(hc.additionalData[:], hc.seq[:])
 				copy(hc.additionalData[8:], b.data[:3])
-				hc.additionalData[11] = byte(payloadLen >> 8)
-				hc.additionalData[12] = byte(payloadLen)
+				binary.BigEndian.PutUint16(hc.additionalData[11:], uint16(payloadLen))
 				additionalData = hc.additionalData[:]
-			}
-
-			if hc.version >= VersionTLS13 {
+			} else {
 				// opaque type
 				payload = payload[:len(payload)+1]
 				payload[len(payload)-1] = b.data[0]
 				b.data[0] = byte(recordTypeApplicationData)
+
+				// Add AD header, see 5.2 of RFC8446
+				additionalData = make([]byte, 5)
+				additionalData[0] = byte(recordTypeApplicationData)
+				binary.BigEndian.PutUint16(additionalData[1:], VersionTLS12)
+				binary.BigEndian.PutUint16(additionalData[3:], uint16(payloadLen+overhead))
 			}
 
 			c.Seal(payload[:0], nonce, payload, additionalData)

example_test.go

@@ -155,8 +155,8 @@ func ExampleConfig_keyLogWriter_TLS13() {
 	// preferences.
 
 	// Output:
-	// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 a829dab06ccbe9323e0ad6cf331cd64d9a499f7f4b1e0b52d0dfaba90c07f275
-	// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 5f6a288b5b5aba5cfc65d9966b279e911ac58bd7f81abbb67b10427106f01940
-	// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 1f202d1c1d43e74a8c4f46a56eae2cef9de417ff9f5f3927195eacc168f459b3
-	// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 67ece7874ec4f661fe1f06fb4240decd25f54062d78f0784844bf222d1967c20
+	// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 16ca97d21087a14d406b2601b4713dd82b156cc01d54665baaa4bdb62b72b9a4
+	// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 102c68d960da4f5e2b76a99636ac07bb5774e43b8ce8c14aa4dfd9bf54d11754
+	// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 f3208d533bb885f32f52142acb484eed104739970c2f426e72a1ee31f6d28650
+	// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 70de6b1936df7db171c02f9cfdb04dfa9405a891c959beb15b86f26b2057ba23
 }

subcerts_test.go

@@ -18,7 +18,7 @@ import (
 // A PEM-encoded "delegation certificate", an X.509 certificate with the
 // DelegationUsage extension. The extension is defined in
 // specified in https://tools.ietf.org/html/draft-ietf-tls-subcerts-02.
-var dcDelegationCertPEM = `-----BEGIN CERTIFICATE-----
+const DcCertWithDelegationUsage = `-----BEGIN CERTIFICATE-----
 MIIBejCCASGgAwIBAgIQXXtl0v50W2OadoW0QwLUlzAKBggqhkjOPQQDAjAUMRIw
 EAYDVQQKEwlBY21lIEluYy4wHhcNMTgwNzMwMjAxMTE5WhcNMTgwODA2MjAxMTE5
 WjAUMRIwEAYDVQQKEwlBY21lIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
@@ -32,7 +32,7 @@ AQQBgtpLLAQAMAoGCCqGSM49BAMCA0cAMEQCIEMdIkwwmzQAJ6RSDT3wcrsySx2B
 
 // The PEM-encoded "delegation key", the secret key associated with the
 // delegation certificate. This is a key for ECDSA with P256 and SHA256.
-var dcDelegationKeyPEM = `-----BEGIN EC PRIVATE KEY-----
+const DcKeyWithDelegationUsage = `-----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIAS/pGktmxK1hlt3gF4N2nkMrJnoZihvOO63nnNcxXQroAoGCCqGSM49
 AwEHoUQDQgAE3ELrmlDSd5KihrOAwXSVXe81s8hgDU+LgTRlZGdnIGg7HRZ8ffXx
 om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
@@ -40,7 +40,7 @@ om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
 `
 
 // A certificate without the DelegationUsage extension.
-var dcCertPEM = `-----BEGIN CERTIFICATE-----
+const DcCertWithoutDelegationUsage = `-----BEGIN CERTIFICATE-----
 MIIBajCCAQ+gAwIBAgIRAMUg/VFqJaWWJwZ9iHoMjqIwCgYIKoZIzj0EAwIwEjEQ
 MA4GA1UEChMHQWNtZSBDbzAeFw0xODA3MzAyMDExMTlaFw0xOTA3MzAyMDExMTla
 MBIxEDAOBgNVBAoTB0FjbWUgQ28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA
@@ -52,8 +52,8 @@ KFyrowMTan791RJnyANH/4uYhmvkfhfrFGSTXUli
 -----END CERTIFICATE-----
 `
 
-// The secret key associatted with dcCertPEM.
-var dcKeyPEM = `-----BEGIN EC PRIVATE KEY-----
+// The secret key associatted with DcCertWithoutDelegationUsage.
+const DcKeyWithoutDelegationUsage = `-----BEGIN EC PRIVATE KEY-----
 MHcCAQEEIEP82pOhzx0tKkky9t0OmUo9MHgmfdAHxDN2cHmWGqOhoAoGCCqGSM49
 AwEHoUQDQgAEwJ/qHlkr0jR4RLJEkYJJHqwkA6FfzQPq90uQLQjhU+QGC7fMZbUk
 1nqxSP2JWSyHC8ZST0+0/l6QZ30usWgLsQ==
@@ -75,7 +75,7 @@ type dcTestDC struct {
 // Use with maxVersion == VersionTLS13Draft23.
 //
 // TODO(henrydcase): Remove this when we drop support for draft23.
-var dcTestDataDraft23PEM = `-----BEGIN DC TEST DATA-----
+const DcTestDataDraft23PEM = `-----BEGIN DC TEST DATA-----
 MIIIPDCCAUETCXRsczEzcDI1NgICfxcCAgQDBIGwAAk6gAQDfxcAWzBZMBMGByqG
 SM49AgEGCCqGSM49AwEHA0IABDFeK+EcMQWKDM6xZJqHEHLcIWE0iHTAL1xAB5r6
 bkm7GLlz1HLWcTy28PNsb9KQLV3Yeay2WYA2d2zGQjNbEhcEAwBHMEUCIQDnXyP4
@@ -126,7 +126,7 @@ AiEiKCRicw1Upfdy+xdSF0N3XXkLHB13criCfJr2rbZ1o8V7CsX6U70o+/48huPI
 // Use with maxVersion == VersionTLS13Draft28.
 //
 // TODO(henrydcase): Remove this when we drop support for draft28.
-var dcTestDataDraft28PEM = `-----BEGIN DC TEST DATA-----
+const DcTestDataDraft28PEM = `-----BEGIN DC TEST DATA-----
 MIIIOjCCAUATCXRsczEzcDI1NgICfxwCAgQDBIGvAAk6gAQDfxwAWzBZMBMGByqG
 SM49AgEGCCqGSM49AwEHA0IABAOcQMVs6VmVQ1BYyK+YhUAucZqH3LmDQmAaVDs8
 brnePHVmSdOoQCU+Ybp3kgnklW958EFZiJ2oK7iWkIpi4TIEAwBGMEQCIB8w0eko
@@ -175,7 +175,7 @@ x/tlNfATUGmFQGwPug4RyWVux22dGrn81/SsIXJ8hz1eb0s9EKOBbxwhJ//ACg==
 `
 
 // Use with maxVersion == VersionTLS13.
-var dcTestDataPEM = `-----BEGIN DC TEST DATA-----
+const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA-----
 MIIIOzCCAUATCXRsczEzcDI1NgICAwQCAgQDBIGvAAk6gAQDAwQAWzBZMBMGByqG
 SM49AgEGCCqGSM49AwEHA0IABFTImzqflLfyu3rqlCVsezSv45fKJglhjDYcwJ3H
 ylqX6rFCupeCwKmMhFvxRkkWAOobv2DZxLYALFgggC8KckkEAwBGMEQCIBWO8rFt
@@ -273,11 +273,11 @@ func init() {
 	var testData []byte
 	switch maxVersion {
 	case VersionTLS13Draft23:
-		testData = []byte(dcTestDataDraft23PEM)
+		testData = []byte(DcTestDataDraft23PEM)
 	case 0x7f00 | 28: // TODO(henrydcase): Fix once draft 28 is implemented
-		testData = []byte(dcTestDataDraft28PEM)
+		testData = []byte(DcTestDataDraft28PEM)
 	case 0x0304: // TODO(henrydcase): Fix once the final version is implemented
-		testData = []byte(dcTestDataPEM)
+		testData = []byte(DcTestDataTLS13PEM)
 	default:
 		panic(fmt.Errorf("no test data for version %04x", maxVersion))
 	}
@@ -299,7 +299,7 @@ func init() {
 	}
 
 	// The delegation certificate.
-	dcTestDelegationCert, err = X509KeyPair([]byte(dcDelegationCertPEM), []byte(dcDelegationKeyPEM))
+	dcTestDelegationCert, err = X509KeyPair([]byte(DcCertWithDelegationUsage), []byte(DcKeyWithDelegationUsage))
 	if err != nil {
 		panic(err)
 	}
@@ -309,7 +309,7 @@ func init() {
 	}
 
 	// A certificate without the the DelegationUsage extension for X.509.
-	dcTestCert, err = X509KeyPair([]byte(dcCertPEM), []byte(dcKeyPEM))
+	dcTestCert, err = X509KeyPair([]byte(DcCertWithoutDelegationUsage), []byte(DcKeyWithoutDelegationUsage))
 	if err != nil {
 		panic(err)
 	}