Fixed wrong key usage for finish message when using early data

tls-attacker · Jul 31, 2024 · 3a9e896 · 3a9e896
1 parent 5fe4faf
commit 3a9e896
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 1 deletion.
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/context/TlsContext.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/layer/context/TlsContext.java
@@ -31,6 +31,7 @@
 import de.rub.nds.tlsattacker.core.protocol.message.extension.trustedauthority.TrustedAuthority;
 import de.rub.nds.tlsattacker.core.record.Record;
 import de.rub.nds.tlsattacker.core.record.cipher.RecordNullCipher;
+import de.rub.nds.tlsattacker.core.record.cipher.cryptohelper.KeySet;
 import de.rub.nds.tlsattacker.core.state.Context;
 import de.rub.nds.tlsattacker.core.state.Keylogfile;
 import de.rub.nds.tlsattacker.core.state.session.IdSession;
@@ -71,6 +72,9 @@ public class TlsContext extends LayerContext {
     /** Early traffic secret used to encrypt early data. */
     private byte[] clientEarlyTrafficSecret;
 
+    /** Handshake traffic secret in case it needs to be precalculated during early data * */
+    private KeySet keySetHandshake;
+
     /** CipherSuite used for early data. */
     private CipherSuite earlyDataCipherSuite;
 
@@ -1747,6 +1751,20 @@ public void setUseExtendedMasterSecret(boolean useExtendedMasterSecret) {
         this.useExtendedMasterSecret = useExtendedMasterSecret;
     }
 
+    /**
+     * @return the keySetHandshake
+     */
+    public KeySet getkeySetHandshake() {
+        return keySetHandshake;
+    }
+
+    /**
+     * @param keySetHandshake the keySetHandshake to set
+     */
+    public void setkeySetHandshake(KeySet keySetHandshake) {
+        this.keySetHandshake = keySetHandshake;
+    }
+
     /**
      * @return the clientEarlyTrafficSecret
      */

diff --git a/...ore/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/EndOfEarlyDataHandler.java b/...ore/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/EndOfEarlyDataHandler.java
@@ -54,4 +54,46 @@ private void adjustClientCipherAfterEarly() {
             throw new WorkflowExecutionException(ex);
         }
     }
+
+    @Override
+    public void adjustContextAfterSerialize(EndOfEarlyDataMessage message) {
+        if (tlsContext.getChooser().getSelectedProtocolVersion().isTLS13()) {
+            setClientRecordCipher();
+            setServertRecordCipher();
+        }
+    }
+
+    private void setClientRecordCipher() {
+        tlsContext.setActiveClientKeySetType(Tls13KeySetType.HANDSHAKE_TRAFFIC_SECRETS);
+        KeySet keySet = tlsContext.getkeySetHandshake();
+
+        if (tlsContext.getChooser().getConnectionEndType() == ConnectionEndType.SERVER) {
+            tlsContext
+                    .getRecordLayer()
+                    .updateDecryptionCipher(
+                            RecordCipherFactory.getRecordCipher(tlsContext, keySet, false));
+        } else {
+            tlsContext
+                    .getRecordLayer()
+                    .updateEncryptionCipher(
+                            RecordCipherFactory.getRecordCipher(tlsContext, keySet, true));
+        }
+    }
+
+    private void setServertRecordCipher() {
+        tlsContext.setActiveClientKeySetType(Tls13KeySetType.HANDSHAKE_TRAFFIC_SECRETS);
+        KeySet keySet = tlsContext.getkeySetHandshake();
+
+        if (tlsContext.getChooser().getConnectionEndType() == ConnectionEndType.SERVER) {
+            tlsContext
+                    .getRecordLayer()
+                    .updateDecryptionCipher(
+                            RecordCipherFactory.getRecordCipher(tlsContext, keySet, true));
+        } else {
+            tlsContext
+                    .getRecordLayer()
+                    .updateEncryptionCipher(
+                            RecordCipherFactory.getRecordCipher(tlsContext, keySet, false));
+        }
+    }
 }
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/FinishedHandler.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/protocol/handler/FinishedHandler.java
@@ -9,7 +9,11 @@
 package de.rub.nds.tlsattacker.core.protocol.handler;
 
 import de.rub.nds.modifiablevariable.util.ArrayConverter;
-import de.rub.nds.tlsattacker.core.constants.*;
+import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
+import de.rub.nds.tlsattacker.core.constants.DigestAlgorithm;
+import de.rub.nds.tlsattacker.core.constants.ExtensionType;
+import de.rub.nds.tlsattacker.core.constants.HKDFAlgorithm;
+import de.rub.nds.tlsattacker.core.constants.Tls13KeySetType;
 import de.rub.nds.tlsattacker.core.crypto.HKDFunction;
 import de.rub.nds.tlsattacker.core.exceptions.AdjustmentException;
 import de.rub.nds.tlsattacker.core.exceptions.CryptoException;
@@ -43,6 +47,8 @@ public void adjustContext(FinishedMessage message) {
                     setServerRecordCipher(Tls13KeySetType.APPLICATION_TRAFFIC_SECRETS);
                     if (!tlsContext.isExtensionNegotiated(ExtensionType.EARLY_DATA)) {
                         setClientRecordCipher(Tls13KeySetType.HANDSHAKE_TRAFFIC_SECRETS);
+                    } else {
+                        precalculateHandshakeKeys();
                     }
                 } else {
                     setClientRecordCipher(Tls13KeySetType.APPLICATION_TRAFFIC_SECRETS);
@@ -186,4 +192,9 @@ private void setClientRecordCipher(Tls13KeySetType keySetType) {
                             RecordCipherFactory.getRecordCipher(tlsContext, clientKeySet, true));
         }
     }
+
+    private void precalculateHandshakeKeys() {
+        KeySet keySet = getKeySet(tlsContext, Tls13KeySetType.HANDSHAKE_TRAFFIC_SECRETS);
+        tlsContext.setkeySetHandshake(keySet);
+    }
 }