Add preliminary TLS1.3 PSK-mode implementation.

[rfk]

Fixes #24

(This currently targets #23 but I will rebase against master once that's merged)

This adds actually-appears-to-be-functioning code to implement the TLS1.3 PSK mode. It needs a lot of tests, but I have confirmed that it interoperates successfully with an existing TLS library (tlslite-ng) so I have some base level of confidence that it's doing the right thing in the happy case.

@vladikoff @eoger please try building against this branch and check if things work OK. I will rebase this branch as I add additional testcases and cleanups.

Things still to do:

• Implement the basics of the "alert" protocol, for cleanly closing on crypto errors etc.
• Just, like, lots more tests in general.
• More thorough interop tests with tlslite-ng.
• Look in the NSS codebase for specific testcases to duplicate here.

[vladikoff]

First look at this, we cannot make this work yet:

[vladikoff]

Ok we got it to work, it was a problem with psk

[rfk]

@vladikoff @eoger thanks for the fixes; heads-up that I'm going to port some of them to master and squash the others with my latest work.

[eoger]

Could we rebase this on master?

[rfk]

Rebased.

[martinthomson]

Since I was looking, I spent a little time on this. Hopefully some of my suggestions result in more tests being added :)

[martinthomson]

Shouldn't you assert on < 0 as well? And why not check the input before applying it?

[martinthomson]

If you can't shrink, then grow() might be the name you want.

[martinthomson]

In TLS, this is probably a hazard. You should always know how many bytes you are reading.

[rfk]

👍 ; from a quick grep it looks like this is actually a leftover that is no longer used, so I guess I refactored away whatever hazard was using it...

[martinthomson]

I would disable this feature. The callback should be run once for each item in the list until it is done.

One thing I would do with the callback is pass it a different instance of this object that offers a view onto the same buffer, but with a the shorter length. Then they can't read past "length" by design and you don't have to worry about inner reads going outside of the space that is available.

[martinthomson]

assert that limit <= this.length()

[martinthomson]

As we discussed, crypto.subtle.verify might be what you want here.

[martinthomson]

Some tests to consider, though I'm guessing that you have some of these already:

• test reading and writing more thoroughly, including short reads and long reads
• skipping records fails
• damage the ciphertext and the recipient explodes
• skipping handshake messages fails
• missing extensions means failure
• extra extensions (in ClientHello are ignored, in ServerHello generate alerts)
• test that writing blocks/fails prior to the handshake being complete (you could write at the server in 0.5-RTT, but please disable that and test that it is disabled)
• test that you ignore ChangeCipherSpec (or that you choke cleanly) and limit it to during the handshake if you do accept it, if you do ignore it, the server should probably emit one if the client sends a non-zero session ID
• test that you are actually encrypting (yep, that's somewhat tricky, but it's pretty important)
• test without a mocked RNG and see that you get different ClientHello/ServerHello when you run the handshake multiple times
• check that reordered extensions still work fine
• add dummy versions, ciphersuites, and PSK modes to extensions and see that these are ignored
• add a non-zero compression mode and the server should explode
• validate that the version in the record header is correct (TLS 1.0 I think is right: 0x0301)
• validate the version in the ServerHello is TLS 1.2 (0x0303)
• handle padded records properly
• abort if a record only contains zeros (i.e., it is over-padded)
• abort if a handshake record is empty (i.e., it is properly padded with a handshake type, but no data)
• abort if an alert of any kind is received

[rfk]

you could write at the server in 0.5-RTT

To clarify, do you mean the server sending application data after it has sent its Finished, but before it has received Finished from the client in return?

[martinthomson]

Right. In TLS 1.3, the server can send before it receives the Finished from the client, but that is generally considered risky in mutually authenticated modes. For your purposes, you want to wait until you have verified the peer's Finished, in both directions.

[rfk]

Things still to do:
More thorough interop tests with tlslite-ng.

The latest push includes both (tlslite-ng => fxa-pairing-channel) and (fxa-pairing-channel => tlslite-ng) test vectors and they appear to be passing \o/

Look in the NSS codebase for specific testcases to duplicate here.

I can honestly say I looked, but also am not short on testcases to add as evidenced by comment above...

[vladikoff]

is this sendAlertMessage used? I see _sendAlertMessage elsewhere?

[vladikoff]

typo: indiciate -> indicate

[vladikoff]

typo, per spec OfferredPsks --> OfferedPsks?

[vladikoff]

already ?

[vladikoff]

transcript

[rfk]

I would prefer to make the caller pass in an explicit "I don't have an ECDHE output" indicator, seems safer to me. I think I'll make this a more explicit check for null rather than just falsiness.

[vladikoff]

Sounds good!

[vladikoff]

messages -> message ?

[vladikoff]

messages -> message?

[vladikoff]

new DataView(nonce.buffer).setUint32(IV_LENGTH - 4, this.seqnum); ? remove extra (?

[vladikoff]

do you want to assert that sendCallback is set?

[rfk]

By way of a brief update here, I'm working my way through the recommended testcases and expect to have them wrapped by in the next day or two. I also managed to get the test runner to emit coverage reports and run them automatically on CircleCI, latest one from the build output here:

https://87-160715051-gh.circle-artifacts.com/0/home/circleci/project/coverage/Firefox%2064.0.0%20%28Linux%200.0.0%29/src/index.html

This does a pretty good job of highlighting the error cases that are not yet covered by tests!

@vladikoff, whenever you have a few moments, I'd appreciate your feedback on this commit which adds the test coverage reporting. I had to add a third build configuration with babel-plugin-instanbul in order to get coverage reporting working with the combination of async/await, babel and karma, but maybe you know of a better approach?

[rfk]

Ugh, this one test "FxAccountsPairingChannel a Client and Server connected together should communicate successfully if they have the same PSK FAILED" is perma-failing due to a timeout, I wonder if there's some timing issue in setting up the websocket listeners or something, because it passes reliably on my machine...

[rfk]

@vladikoff do either or both of these pass in Firefox chrome code, or do we need to keep looking for a suitable approach here?

[rfk]

@martinthomson I've pushed a bunch of tests for the client side of the handshake, and I'm pretty happy with the level of test coverage overall; if you're interested you can view the built coverage report here:

https://94-160715051-gh.circle-artifacts.com/0/home/circleci/project/coverage/Firefox%2064.0.0%20%28Linux%200.0.0%29/src/index.html

I don't have anything else I plan to add here in response to your first round of comments.

[martinthomson]

I'm going to try to review all the TLS stuff here, and not a lot more, but I do have a few comments outside of that.

Running npm install;npm test produces changes to checked-in code. That's not cool. I don't pretend to know how to manage this stuff, but I find the fact that you have build output in the tree to be unhygienic (for this exact reason).

The changes to package-lock.json seem to be the addition of an optional key to most of the dev dependencies, which might be a cleanup performed by npm 6.5.0 (if you are running an earlier version, that is).

This is part1. I need to continue this later. I haven't really started looking at the tests, so it might take a few more hours.

[martinthomson]

Do you use the user_cancelled alert? Because if you don't, then it might pay not to have the case here. TLS 1.3 treats all alerts as fatal other than close_notify, so this might not work out anyway.

Put differently: if you aren't testing this, remove it.

[rfk]

I'm not using it, and only included it because it was mentioned alongside close_notify in [1]. I'll be very happy to remove it.

[1] https://tools.ietf.org/html/rfc8446#section-6.1

[martinthomson]

If you put the return inside the try, would that mean you have to deal with warnings about the function not returning?

[rfk]

Nope, I think I might have just had it outside for some console.log debugging at some point

[martinthomson]

I'm not sure about this assertion regarding strings. They take ABV: https://html.spec.whatwg.org/multipage/web-sockets.html#dom-websocket-send

[rfk]

This is an implementation detail of the server we're talking to, rather than of websockets in general. (The comment could be worded more clearly in that regard).

[martinthomson]

It would be good to have a comment explaining the state machine: UNINITIALIZED --addPSK--> EARLY_SECRET --addECDHE--> HANDSHAKE_SECRET --finalize--> MASTER_SECRET.

[martinthomson]

is len => this.writeUint8(len) better than using bind()?

[martinthomson]

You run against a network-based service in test? That seems brittle. Can you run this server locally? Or at least a cut-down version of the same.

[martinthomson]

The problem with this function is that if it does trigger an error, then you won't ever know what conditions produced that error. If you are going to fuzz, record the way in which your tampering was applied so that you can reproduce problems easily.

[martinthomson]

You use typeof opts.x !== 'undefined' ? opts.x : blah here, but the simpler opts.x || blah above. Any particular reason?

[rfk]

IIRC the simpler opts.x || default form is used when the default is falsy, and hence there's no reason for the caller to want to pass in an explicit falsy value. Probably cleaner to just use typeof opts.x !== 'undefined' consistently throughout.

[martinthomson]

-35 = magic number

[rfk]

Note to self: this won't actually throw the error, but it should!

[martinthomson]

Maybe you should name the function error when you have it throw.

[rfk]

yep; in my head it's something like handleAndRethrowError to make it super clear what will happen.

[martinthomson]

Looking good.

It's tedious going through all these tests, but I'm fairly happy with the coverage you are getting. I see some unreachable code that is not tested, but the rest seems fairly thorough.

I have a few suggestions for more tests, a couple of minor problems, and probably a need for another round before I'm completely happy with this. But this is a very competent effort. A good example of how to do this right.

[martinthomson]

The coverage report here seems to suggest that this test always passes - as in, the callback doesn't get called if the buffer is empty. You can remove the check in that case.

[martinthomson]

I didn't review this bit.

[martinthomson]

What about null or invalid inputs?

[martinthomson]

Is a regex necessary? Can this be a more specific test?

[rfk]

This is mostly just using the existing convenience API of assert.throws; I could instead check for a specific numeric value of the alert description, if that seems better?

[martinthomson]

Magic number. Make a constant or share the one you have.

[martinthomson]

You don't seem to have a separate case for server.close() without having first received a close.

[martinthomson]

can you test for sending the close without having received the close first?

[martinthomson]

Maybe add version: 0x0304 to this, maybe as a supplementary test, so that you catch the case where the version field in the SH is used to drive version negotiation. (Not that your code is at all vulnerable to this currently, but it's a good paranoia check.)

[rfk]

To be clear, the handshake should fail if SH.version is 0x0304, right?

[martinthomson]

Correct. Fail.

[martinthomson]

Do you have a test for a partial record being present after the ServerHello or Finished? I see that you have the code for checking this, but I can't find the test.

[rfk]

No, I don't believe I do - perhaps that check is being exercised accidentally by some other test. I'll add one.

[martinthomson]

Can you add tests here for the promise I talked about.

Also, can you add a test that includes calls to send(). It would be good if you could also test that you can close in one direction then continue sending and receiving in the other direction.

[vladikoff]

Running npm install;npm test produces changes to checked-in code. That's not cool

In my experience, at this point npm install cannot be trusted to properly use package-lock, it just keeps fetching new things. We should strictly instruct to use the npm ci command, that one should never produce changes to the checked-in code.

[vladikoff]

some helpers reading/writing -> some helpers for reading/writing ?

[vladikoff]

also this comment didn't make it to the final bundle, need to regenerate the build

[rfk]

Thanks for the detailed feedback @martinthomson, I've updated based on your review with the following key points:

• Extension parsing has been moved into a separate file and helper classes. This involved refactoring a little bit of the logic of what validation checks live where, but I think the end result is much more easily understood in aggregate.
• Addition on the connected promise to resolve/reject on handshake completion, and blocking of sends until it resolves.
• Addition of an explicit TLSCloseNotify exception to make it easier to detect close, and some modifications of the websocket wrapper to deal with it appropriately.
• More careful handling of change_cipher_spec, and support for cleanly ignoring NewSessionTicket.
• Split CipherState into independent DecryptionStateandEncryptionState` classes
• The various extra tests you suggested

The diff from the version you reviewed is here, and the latest coverage report is here for completeness.

[vladikoff]

I got into a Error: TLS Alert: DECODE_ERROR (50) with bce404a545165a791ebcd7d1ca984bd9861120ee, trying to it track down, probably incompat with the Firefox build.

[vladikoff]

let's try to use npm ci here

[vladikoff]

also this comment didn't make it to the final bundle, need to regenerate the build

[vladikoff]

let's add a doc about running npm ci and npm run build to ensure the build is consistent and no new sub-deps show up. Maybe we can do it as a separate PR.

[rfk]

Maybe this should be a pre-commit hook or something? (TBH it kind of weirds me out checking in the build output on every commit, and I wonder if we can only do it on releases or something; but if we're going to do it we should be able to automate it)

[martinthomson]

pre-commit hooks are local only, you want something in CI ideally

[vladikoff]

is this still used , needed ? I think we use _sendAlertMessage in other places

[vladikoff]

unexepectedly --> unexpectedly

[vladikoff]

encrypted

[vladikoff]

encrypted

[vladikoff]

contains ?

[vladikoff]

representation ?

[vladikoff]

EncryptedExtensions ?

[martinthomson]

I'm done with this.

Thanks for catching a few extra things with the new code.

[martinthomson]

This makes me think. Can you null-out the old secrets as you go, so that we get something like post-compromise security?

[martinthomson]

Might pay to assert that buf.byteLength === 0 here too.

[martinthomson]

This breaks encapsulation a little, but I think that it's OK.

[martinthomson]

I'm not so sure about throwing when a close alert is received. It's not an error condition. Is the problem here that you don't have an alternative means of signaling a close from the peer?

[rfk]

Basically, yes. I think a better approach is probably to shuffle the API to use an EventEmitter style, so it can emit a close event in this case, which is basically what the higher-level PairingChannel abstraction does anyway. But it was a bigger refactor than I wanted to take on inline in this PR.

[martinthomson]

CCS appears between ClientHello and Finished. CCS also happens between CCS and EncryptedExtensions, if you request - as you do - compatibility mode.

I wonder if you shouldn't have an CLIENT_WAIT_CCS state immediately after handling the ServerHello then.

[martinthomson]

// CH

[martinthomson]

// SH

[martinthomson]

// EE+Finished

[rfk]

I'll add comments, but for completeness, this is ChangeCipherSpec...

[martinthomson]

?? Finished?

NSS bundles everything together, so I'm unused to multiple messages.

[rfk]

...and this is EE+Finished.

[martinthomson]

// Client Finished

[rfk]

Thanks so much @martinthomson!

[vladikoff]

I've used the latest SHA to produce a firefox build + content server, and everything seems to be working!
🎉 🎉 🎉 🎉 🎉 🎉

One nit: on a Mac I did get a diff with a line ending and a js-e file created due to sed substitution we are doing: