Getting ready for DTLS 1.2

No connection downgrading supported right now

Author: maufl

client_handshake_context.go

@@ -40,7 +40,7 @@ func (ch *clientHandshake) continueHandshake(message *handshake) (complete bool,
 
 func (ch *clientHandshake) prepareFlightOne() {
 	cltHello := handshakeClientHello{
-		ClientVersion: DTLS_10,
+		ClientVersion: ch.Conn.version,
 		Random:        ch.clientRandom,
 		SessionID:     ch.sessionID,
 		Cookie:        ch.cookie,
@@ -90,7 +90,7 @@ func (ch *clientHandshake) prepareFlightThree() {
 	}
 	ch.clientKeyExchange = ch.buildNextHandshakeMessage(clientKeyExchange, cltKeyExchange.Bytes())
 	masterSecret, clientMAC, serverMAC, clientKey, serverKey :=
-		keysFromPreMasterSecret(preMasterSecret, ch.clientRandom.Bytes(), ch.serverRandom.Bytes(),
+		keysFromPreMasterSecret(ch.Conn.version, preMasterSecret, ch.clientRandom.Bytes(), ch.serverRandom.Bytes(),
 			cipherSuite.macLen, cipherSuite.keyLen)
 	ch.masterSecret = masterSecret
 	ch.Conn.pendingWriteState.Cipher = cipherSuite.cipher(clientKey)
@@ -106,7 +106,11 @@ func (ch *clientHandshake) prepareFlightThree() {
 	ch.finishedHash.Write(ch.serverHelloDone.Bytes())
 	ch.finishedHash.Write(ch.clientKeyExchange.Bytes())
 	finishedMessage := new(handshakeFinished)
-	finishedMessage.VerifyData = ch.finishedHash.clientSum(masterSecret)
+	if ch.Conn.version == DTLS_10 {
+		finishedMessage.VerifyData = ch.finishedHash.clientSum10(masterSecret)
+	} else if ch.Conn.version == DTLS_12 {
+		finishedMessage.VerifyData = ch.finishedHash.clientSum12(masterSecret)
+	}
 	ch.clientFinished = ch.buildNextHandshakeMessage(finished, finishedMessage.Bytes())
 }
 
@@ -126,8 +130,13 @@ func (ch *clientHandshake) isFlightFourComplete() (bool, error) {
 		return true, err
 	}
 	ch.finishedHash.Write(ch.clientFinished.Bytes())
-	if !bytes.Equal(serverFinished.VerifyData, ch.finishedHash.serverSum(ch.masterSecret)) {
+	if ch.Conn.version == DTLS_10 && !bytes.Equal(serverFinished.VerifyData, ch.finishedHash.serverSum10(ch.masterSecret)) {
+		err = errors.New("Server sent incorrect verify data")
+	} else if ch.Conn.version == DTLS_12 && !bytes.Equal(serverFinished.VerifyData, ch.finishedHash.serverSum12(ch.masterSecret)) {
 		err = errors.New("Server sent incorrect verify data")
+	} else if ch.Conn.version != DTLS_10 && ch.Conn.version != DTLS_12 {
+		// TODO: This should never happen
+		err = errors.New("Unsupported version ...")
 	}
 	return true, err
 }

conn.go

@@ -40,7 +40,7 @@ func NewConn(c net.Conn, server bool) net.Conn {
 	log.Printf("Opening new DTLS conenction")
 	dtlsConn := &Conn{
 		Conn:    c,
-		version: DTLS_10,
+		version: DTLS_12,
 	}
 	if server {
 		dtlsConn.handshakeContext = &serverHandshake{baseHandshakeContext{Conn: dtlsConn, isServer: true, handshakeMessageBuffer: make(map[uint16]*handshakeFragmentList)}}

prf.go

@@ -5,9 +5,11 @@
 package dtls
 
 import (
+	"bytes"
 	"crypto/hmac"
 	"crypto/md5"
 	"crypto/sha1"
+	"crypto/sha256"
 	"hash"
 )
 
@@ -62,6 +64,13 @@ func pRF10(result, secret, label, seed []byte) {
 	}
 }
 
+func pRF12(result, secret, label, seed []byte) {
+	labelAndSeed := make([]byte, len(label)+len(seed))
+	copy(labelAndSeed, label)
+	copy(labelAndSeed[len(label):], seed)
+	pHash(result, secret, labelAndSeed, sha256.New)
+}
+
 const (
 	tlsRandomLength      = 32 // Length of a random nonce in TLS 1.1.
 	masterSecretLength   = 48 // Length of a master secret in TLS 1.1.
@@ -76,8 +85,11 @@ var serverFinishedLabel = []byte("server finished")
 // keysFromPreMasterSecret generates the connection keys from the pre master
 // secret, given the lengths of the MAC key, cipher key and IV, as defined in
 // RFC 2246, section 6.3.
-func keysFromPreMasterSecret(preMasterSecret, clientRandom, serverRandom []byte, macLen, keyLen int) (masterSecret, clientMAC, serverMAC, clientKey, serverKey []byte) {
+func keysFromPreMasterSecret(version protocolVersion, preMasterSecret, clientRandom, serverRandom []byte, macLen, keyLen int) (masterSecret, clientMAC, serverMAC, clientKey, serverKey []byte) {
 	prf := pRF10
+	if version == DTLS_12 {
+		prf = pRF12
+	}
 
 	var seed [tlsRandomLength * 2]byte
 	copy(seed[0:len(clientRandom)], clientRandom)
@@ -102,24 +114,13 @@ func keysFromPreMasterSecret(preMasterSecret, clientRandom, serverRandom []byte,
 }
 
 func newFinishedHash() finishedHash {
-	return finishedHash{md5.New(), sha1.New(), md5.New(), sha1.New()}
+	return finishedHash{Buffer: bytes.Buffer{}}
 }
 
 // A finishedHash calculates the hash of a set of handshake messages suitable
 // for including in a Finished message.
 type finishedHash struct {
-	clientMD5  hash.Hash
-	clientSHA1 hash.Hash
-	serverMD5  hash.Hash
-	serverSHA1 hash.Hash
-}
-
-func (h finishedHash) Write(msg []byte) (n int, err error) {
-	h.clientMD5.Write(msg)
-	h.clientSHA1.Write(msg)
-	h.serverMD5.Write(msg)
-	h.serverSHA1.Write(msg)
-	return len(msg), nil
+	bytes.Buffer
 }
 
 // finishedSum10 calculates the contents of the verify_data member of a TLSv1
@@ -134,18 +135,46 @@ func finishedSum10(md5, sha1, label, masterSecret []byte) []byte {
 	return out
 }
 
-// clientSum returns the contents of the verify_data member of a client's
+func finishedSum12(hash, label, masterSecret []byte) []byte {
+	out := make([]byte, finishedVerifyLength)
+	pRF12(out, masterSecret, label, hash)
+	return out
+}
+
+// clientSum10 returns the contents of the verify_data member of a client's
 // Finished message.
-func (h finishedHash) clientSum(masterSecret []byte) []byte {
-	md5 := h.clientMD5.Sum(nil)
-	sha1 := h.clientSHA1.Sum(nil)
-	return finishedSum10(md5, sha1, clientFinishedLabel, masterSecret)
+func (h finishedHash) clientSum10(masterSecret []byte) []byte {
+	md5 := md5.New()
+	md5.Write(h.Bytes())
+	md5Digest := md5.Sum(nil)
+	sha1 := sha1.New()
+	sha1.Write(h.Bytes())
+	sha1Digest := sha1.Sum(nil)
+	return finishedSum10(md5Digest, sha1Digest, clientFinishedLabel, masterSecret)
 }
 
-// serverSum returns the contents of the verify_data member of a server's
+// serverSum10 returns the contents of the verify_data member of a server's
 // Finished message.
-func (h finishedHash) serverSum(masterSecret []byte) []byte {
-	md5 := h.serverMD5.Sum(nil)
-	sha1 := h.serverSHA1.Sum(nil)
-	return finishedSum10(md5, sha1, serverFinishedLabel, masterSecret)
+func (h finishedHash) serverSum10(masterSecret []byte) []byte {
+	md5 := md5.New()
+	md5.Write(h.Bytes())
+	md5Digest := md5.Sum(nil)
+	sha1 := sha1.New()
+	sha1.Write(h.Bytes())
+	sha1Digest := sha1.Sum(nil)
+	return finishedSum10(md5Digest, sha1Digest, serverFinishedLabel, masterSecret)
+}
+
+func (h finishedHash) clientSum12(masterSecret []byte) []byte {
+	sha256 := sha256.New()
+	sha256.Write(h.Bytes())
+	sha256Digest := sha256.Sum(nil)
+	return finishedSum12(sha256Digest, clientFinishedLabel, masterSecret)
+}
+
+func (h finishedHash) serverSum12(masterSecret []byte) []byte {
+	sha256 := sha256.New()
+	sha256.Write(h.Bytes())
+	sha256Digest := sha256.Sum(nil)
+	return finishedSum12(sha256Digest, serverFinishedLabel, masterSecret)
 }

server_handshake_context.go

@@ -68,7 +68,7 @@ func (sh *serverHandshake) prepareFlightTwo() error {
 	sh.serverRandom = newRandom()
 
 	srvHello := handshakeServerHello{
-		ServerVersion:     DTLS_10,
+		ServerVersion:     sh.Conn.version,
 		Random:            sh.serverRandom,
 		CipherSuite:       cipherSuite,
 		CompressionMethod: compressionMethod,
@@ -128,7 +128,7 @@ func (sh *serverHandshake) handleKeyExchange() error {
 		return err
 	}
 	masterSecret, clientMAC, serverMAC, clientKey, serverKey :=
-		keysFromPreMasterSecret(preMasterSecret, sh.clientRandom.Bytes(), sh.serverRandom.Bytes(),
+		keysFromPreMasterSecret(sh.Conn.version, preMasterSecret, sh.clientRandom.Bytes(), sh.serverRandom.Bytes(),
 			sh.cipherSuite.macLen, sh.cipherSuite.keyLen)
 	sh.masterSecret = masterSecret
 	sh.Conn.pendingWriteState.Cipher = sh.cipherSuite.cipher(serverKey)
@@ -153,15 +153,21 @@ func (sh *serverHandshake) isFlightThreeComplete() (complete bool, err error) {
 	sh.finishedHash.Write(sh.serverKeyExchange.Bytes())
 	sh.finishedHash.Write(sh.serverHelloDone.Bytes())
 	sh.finishedHash.Write(sh.clientKeyExchange.Bytes())
-	if !bytes.Equal(clientFinished.VerifyData, sh.finishedHash.clientSum(sh.masterSecret)) {
-		err = errors.New("Server sent incorrect verify data")
+	if sh.Conn.version == DTLS_10 && !bytes.Equal(clientFinished.VerifyData, sh.finishedHash.clientSum10(sh.masterSecret)) {
+		err = errors.New("Client sent incorrect verify data")
+	} else if sh.Conn.version == DTLS_12 && !bytes.Equal(clientFinished.VerifyData, sh.finishedHash.clientSum12(sh.masterSecret)) {
+		err = errors.New("Client sent incorrect verify data")
 	}
 	return true, err
 }
 
 func (sh *serverHandshake) prepareFlightFour() {
 	sh.finishedHash.Write(sh.clientFinished.Bytes())
-	serverFinished := &handshakeFinished{VerifyData: sh.finishedHash.serverSum(sh.masterSecret)}
+	if sh.Conn.version == DTLS_10 {
+		serverFinished := &handshakeFinished{VerifyData: sh.finishedHash.serverSum10(sh.masterSecret)}
+	} else if sh.Conn.version == DTLS_12 {
+		serverFinished := &handshakeFinished{VerifyData: sh.finishedHash.serverSum12(sh.masterSecret)}
+	}
 	sh.serverFinished = sh.buildNextHandshakeMessage(finished, serverFinished.Bytes())
 }
 

testclient/testclient.go

@@ -8,21 +8,20 @@ import (
 )
 
 func main() {
-	laddr, err := net.ResolveUDPAddr("udp", "[fe80::1cce:99ff:fe67:3645%client0]:5556")
-	if err != nil {
-		log.Fatalf("Unable to resolve local address: %s\n", err)
-	}
-	raddr, err := net.ResolveUDPAddr("udp", "[fe80::8471:57ff:fe48:9ee2%client0]:5556")
+	raddr, err := net.ResolveUDPAddr("udp", "127.0.0.1:5556")
 	if err != nil {
 		log.Fatalf("Unable to resolve remote address: %v\n", err)
 	}
-	conn, err := net.DialUDP("udp", laddr, raddr)
+	conn, err := net.DialUDP("udp", nil, raddr)
 	if err != nil {
 		log.Fatalf("Unable to connect to remote addr: %v\n", err)
 	}
 	dtlsConn := dtls.NewConn(conn, false)
 	for {
-		dtlsConn.Write([]byte("Hello World"))
+		_, err := dtlsConn.Write([]byte("Hello World"))
+		if err != nil {
+			log.Fatalf("Error while writing hello world: %s:", err)
+		}
 		buffer := make([]byte, dtls.UDP_MAX_SIZE)
 		n, err := dtlsConn.Read(buffer)
 		if err != nil {