tls1.3: server returns early on handshake when no cert is provided by client

Under TLS1.3 the server knows the negotiated keys early, if no client
certificate is sent. In that case, the server is not only able to
transmit the session ticket immediately after its finished message,
but is also able to transmit data, similarly to false start.

Resolves #481
Resolves #457

Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>

7 files changed, 396 insertions, 20 deletions

diff --git a/tests/Makefile.am b/tests/Makefile.am
index c870ec3605..c9f62f16f0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -127,6 +127,8 @@ ctests += tls13/no-psk-exts
 
 ctests += tls13/psk-dumbfw
 
+ctests += tls13-early-start
+
 ctests += mini-record-2 simple gnutls_hmac_fast set_pkcs12_cred cert certuniqueid tls-neg-ext-key \
 	 mpi certificate_set_x509_crl dn parse_ca x509-dn x509-dn-decode record-sizes \
 	 hostname-check cve-2008-4989 pkcs12_s2k chainverify record-sizes-range \
diff --git a/tests/resume-lifetime.c b/tests/resume-lifetime.c
index 99c9c5b346..ad71d41059 100644
--- a/tests/resume-lifetime.c
+++ b/tests/resume-lifetime.c
@@ -66,7 +66,7 @@ static int handshake_callback(gnutls_session_t session, unsigned int htype,
 {
 	struct hsk_st *h = gnutls_session_get_ptr(session);
 
-	if (htype == GNUTLS_HANDSHAKE_FINISHED && incoming) {
+	if (htype == GNUTLS_HANDSHAKE_FINISHED && !incoming) {
 		if (h->sleep_at_finished)
 			virt_sec_sleep(h->sleep_at_finished);
 		return 0;
diff --git a/tests/resume.c b/tests/resume.c
index 891a209313..1a08e0f0bb 100644
--- a/tests/resume.c
+++ b/tests/resume.c
@@ -81,6 +81,8 @@ struct params_res {
 	int try_sni;
 	int expire_ticket;
 	int change_ciphersuite;
+	int early_start;
+	int no_early_start;
 };
 
 pid_t child;
@@ -119,7 +121,7 @@ struct params_res resume_tests[] = {
 	 .first_no_ext_master = 1,
 	 .second_no_ext_master = 0},
 #endif
-#ifdef TLS13
+#if defined(TLS13)
 	/* only makes sense under TLS1.3 as negotiation involves a new
 	 * handshake with different parameters */
 	{.desc = "try to resume from session ticket (different cipher order)",
@@ -129,6 +131,23 @@ struct params_res resume_tests[] = {
 	 .change_ciphersuite = 1,
 	 .expect_resume = 1},
 #endif
+#if defined(TLS13) && !defined(USE_PSK)
+	{.desc = "try to resume from session ticket (early start)",
+	 .enable_db = 0,
+	 .enable_session_ticket_server = 1,
+	 .enable_session_ticket_client = 1,
+	 .early_start = 1,
+	 .expect_resume = 1},
+#endif
+#if defined(TLS13) && defined(USE_PSK)
+	/* early start should no happen on PSK. */
+	{.desc = "try to resume from session ticket (early start)",
+	 .enable_db = 0,
+	 .enable_session_ticket_server = 1,
+	 .enable_session_ticket_client = 1,
+	 .no_early_start = 1,
+	 .expect_resume = 1},
+#endif
 	{.desc = "try to resume from session ticket",
 	 .enable_db = 0,
 	 .enable_session_ticket_server = 1,
@@ -330,6 +349,18 @@ static void verify_server_params(gnutls_session_t session, unsigned counter, str
 	}
 #endif
 
+	if (counter == 0 && params->early_start) {
+		if (!(gnutls_session_get_flags(session) & GNUTLS_SFLAGS_EARLY_START)) {
+			fail("early start did not happen on %d!\n", counter);
+		}
+	}
+
+	if (params->no_early_start) {
+		if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_EARLY_START) {
+			fail("early start did happen on %d but was not expected!\n", counter);
+		}
+	}
+
 #if defined(USE_X509)
 	unsigned int l;
 
@@ -423,7 +454,6 @@ static void client(int sds[], struct params_res *params)
 		gnutls_global_set_log_function(tls_log_func);
 		gnutls_global_set_log_level(2);
 	}
-	global_init();
 
 #ifdef USE_PSK
 	gnutls_psk_allocate_client_credentials(&pskcred);
@@ -443,9 +473,7 @@ static void client(int sds[], struct params_res *params)
 	for (t = 0; t < SESSIONS; t++) {
 		int sd = sds[t];
 
-		/* Initialize TLS session
-		 */
-		gnutls_init(&session, GNUTLS_CLIENT);
+		assert(gnutls_init(&session, GNUTLS_CLIENT)>=0);
 
 		snprintf(prio_str, sizeof(prio_str), "%s", PRIO_STR);
 
@@ -663,8 +691,6 @@ static void global_stop(void)
 	gnutls_certificate_free_credentials(serverx509cred);
 #endif
 	gnutls_dh_params_deinit(dh_params);
-
-	gnutls_global_deinit();
 }
 
 #ifdef USE_PSK
@@ -691,6 +717,10 @@ static void server(int sds[], struct params_res *params)
 	gnutls_session_t session;
 	char buffer[MAX_BUF + 1];
 	gnutls_group_t pgroup;
+	unsigned iflags = GNUTLS_SERVER;
+
+	if (params->early_start || params->no_early_start)
+		iflags |= GNUTLS_ENABLE_EARLY_START;
 
 	/* this must be called once in the program, it is mostly for the server.
 	 */
@@ -699,8 +729,6 @@ static void server(int sds[], struct params_res *params)
 		gnutls_global_set_log_level(2);
 	}
 
-	global_init();
-
 #ifdef USE_PSK
 	gnutls_psk_allocate_server_credentials(&pskcred);
 	gnutls_psk_set_server_credentials_function(pskcred, pskfunc);
@@ -731,7 +759,7 @@ static void server(int sds[], struct params_res *params)
 	for (t = 0; t < SESSIONS; t++) {
 		int sd = sds[t];
 
-		assert(gnutls_init(&session, GNUTLS_SERVER) >= 0);
+		assert(gnutls_init(&session, iflags) >= 0);
 
 		/* avoid calling all the priority functions, since the defaults
 		 * are adequate.
@@ -894,7 +922,6 @@ void doit(void)
 			for (j = 0; j < SESSIONS; j++)
 				close(server_sds[j]);
 			client(client_sds, &resume_tests[i]);
-			gnutls_global_deinit();
 			exit(0);
 		}
 	}
diff --git a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
index 89c8853c68..a31eec4858 100644
--- a/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
+++ b/tests/suite/tls-fuzzer/gnutls-nocert-tls13.json
@@ -43,18 +43,19 @@
 	 {"name" : "test-tls13-version-negotiation.py",
 	  "arguments": ["-p", "@PORT@"]},
 	 {"name" : "test-tls13-zero-length-data.py",
-	  "comment" : "in these tests tlsfuzzer splits ClientHello into the first 2 bytes and the remainder, which gnutls doesn't support, last 3 related to #481",
+	  "comment" : "in these tests tlsfuzzer splits ClientHello into the first 2 bytes and the remainder, which gnutls doesn't support",
 	  "arguments": ["-p", "@PORT@",
+			"-e", "zero-length app data interleaved in handshake",
 			"-e", "zero-len app data with large padding during handshake",
 			"-e", "zero-len app data with large padding interleaved in handshake",
-			"-e", "zero-len app data with padding interleaved in handshake",
-			"-e", "zero-length app data during handshake",
-			"-e", "zero-length app data interleaved in handshake",
-			"-e", "zero-length app data with padding during handshake"]},
+			"-e", "zero-len app data with padding interleaved in handshake"]},
 	 {"name" : "test-tls13-finished.py",
-	  "arguments": ["-p", "@PORT@", "-n", "5"],
-	  "exp_pass" : false,
-	  "comment" : "we do not switch the keys early enough for this test see #481"}
+	  "commoent" : "the disabled tests timeout very often due to slow tls-fuzzer implementation",
+	  "arguments": ["-p", "@PORT@", "-n", "5",
+			"-e", "padding - cipher TLS_AES_128_GCM_SHA256, pad_byte 0, pad_left 0, pad_right 16777183",
+			"-e", "padding - cipher TLS_AES_256_GCM_SHA384, pad_byte 0, pad_left 0, pad_right 16777167"]},
+	 {"name" : "test-tls13-count-tickets.py",
+	  "arguments": ["-p", "@PORT@", "-t", "1"]}
      ]
     }
 ]
diff --git a/tests/suite/tls-fuzzer/tlsfuzzer b/tests/suite/tls-fuzzer/tlsfuzzer
-Subproject 65af9ab3615a14c59f579085e13fe5a4557a356
+Subproject 23d66d990f1773af5701fb510a3a0ffa59beac5
diff --git a/tests/suite/tls-fuzzer/tlslite-ng b/tests/suite/tls-fuzzer/tlslite-ng
-Subproject d976188fe7fd7466dc5cf0818a4ef87e3738189
+Subproject 3029e014231ffe34445d29300f0193a4be4b6cc
diff --git a/tests/tls13-early-start.c b/tests/tls13-early-start.c
new file mode 100644
index 0000000000..6e0d7da82e
--- /dev/null
+++ b/tests/tls13-early-start.c
@@ -0,0 +1,346 @@
+/*
+ * Copyright (C) 2015-2018 Red Hat, Inc.
+ *
+ * Author: Nikos Mavrogiannopoulos
+ *
+ * This file is part of GnuTLS.
+ *
+ * GnuTLS is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GnuTLS is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+/* This program tests support for early start in TLS1.3 handshake */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <errno.h>
+#include <gnutls/gnutls.h>
+#include "utils.h"
+#include "eagain-common.h"
+#include <assert.h>
+
+#define USE_CERT 1
+#define ASK_CERT 2
+
+const char *side;
+
+static void tls_log_func(int level, const char *str)
+{
+	fprintf(stderr, "%s|<%d>| %s", side, level, str);
+}
+
+#define try_ok(name, client_prio) \
+	try_with_key(name, client_prio, \
+		&server_ca3_localhost_cert, &server_ca3_key, NULL, NULL, 0)
+
+#define MSG "hello there ppl"
+
+static
+void try_with_key_fail(const char *name, const char *client_prio,
+			const gnutls_datum_t *serv_cert,
+			const gnutls_datum_t *serv_key,
+			const gnutls_datum_t *cli_cert,
+			const gnutls_datum_t *cli_key,
+			unsigned init_flags)
+{
+	int ret;
+	char buffer[256];
+	gnutls_certificate_credentials_t serverx509cred;
+	gnutls_session_t server;
+	int sret = GNUTLS_E_AGAIN;
+	/* Client stuff. */
+	gnutls_certificate_credentials_t clientx509cred;
+	gnutls_session_t client;
+	int cret = GNUTLS_E_AGAIN, version;
+	const char *err;
+
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(6);
+
+	reset_buffers();
+	/* Init server */
+	gnutls_certificate_allocate_credentials(&serverx509cred);
+
+	ret = gnutls_certificate_set_x509_key_mem(serverx509cred,
+						  serv_cert, serv_key,
+						  GNUTLS_X509_FMT_PEM);
+	if (ret < 0)
+		fail("Could not set key/cert: %s\n", gnutls_strerror(ret));
+
+	assert(gnutls_init(&server, GNUTLS_SERVER|init_flags)>=0);
+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+			       serverx509cred);
+
+	assert(gnutls_priority_set_direct(server, client_prio, NULL) >= 0);
+
+	gnutls_transport_set_push_function(server, server_push);
+	gnutls_transport_set_pull_function(server, server_pull);
+	gnutls_transport_set_ptr(server, server);
+
+	/* Init client */
+	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+	if (ret < 0)
+		exit(1);
+
+	if (cli_cert) {
+		gnutls_certificate_set_x509_key_mem(clientx509cred,
+						    cli_cert, cli_key,
+						    GNUTLS_X509_FMT_PEM);
+		gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
+	}
+
+	ret = gnutls_init(&client, GNUTLS_CLIENT);
+	if (ret < 0)
+		exit(1);
+
+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+				clientx509cred);
+	if (ret < 0)
+		exit(1);
+
+	gnutls_transport_set_push_function(client, client_push);
+	gnutls_transport_set_pull_function(client, client_pull);
+	gnutls_transport_set_ptr(client, client);
+
+	ret = gnutls_priority_set_direct(client, client_prio, &err);
+	if (ret < 0) {
+		if (ret == GNUTLS_E_INVALID_REQUEST)
+			fprintf(stderr, "Error in %s\n", err);
+		exit(1);
+	}
+
+	success("negotiating %s\n", name);
+	HANDSHAKE(client, server);
+
+	assert(!(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_EARLY_START));
+	assert(!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_EARLY_START));
+
+	version = gnutls_protocol_get_version(client);
+	assert(version == GNUTLS_TLS1_3);
+
+	memset(buffer, 0, sizeof(buffer));
+	assert(gnutls_record_send(server, MSG, strlen(MSG))>=0);
+
+	ret = gnutls_record_recv(client, buffer, sizeof(buffer));
+	if (ret == 0) {
+		fail("client: Peer has closed the TLS connection\n");
+		exit(1);
+	} else if (ret < 0) {
+		fail("client: Error: %s\n", gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) {
+		fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret);
+		exit(1);
+	}
+
+	memset(buffer, 0, sizeof(buffer));
+	assert(gnutls_record_send(client, MSG, strlen(MSG))>=0);
+
+	ret = gnutls_record_recv(server, buffer, sizeof(buffer));
+	if (ret == 0) {
+		fail("server: Peer has closed the TLS connection\n");
+	} else if (ret < 0) {
+		fail("server: Error: %s\n", gnutls_strerror(ret));
+	}
+
+	if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) {
+		fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret);
+		exit(1);
+	}
+
+	gnutls_deinit(client);
+	gnutls_deinit(server);
+
+	gnutls_certificate_free_credentials(serverx509cred);
+	gnutls_certificate_free_credentials(clientx509cred);
+}
+
+static
+void try_with_key_ks(const char *name, const char *client_prio,
+		const gnutls_datum_t *serv_cert,
+		const gnutls_datum_t *serv_key,
+		const gnutls_datum_t *client_cert,
+		const gnutls_datum_t *client_key,
+		unsigned cert_flags,
+		unsigned init_flags)
+{
+	int ret;
+	char buffer[256];
+	/* Server stuff. */
+	gnutls_certificate_credentials_t serverx509cred;
+	gnutls_session_t server;
+	int sret = GNUTLS_E_AGAIN;
+	/* Client stuff. */
+	gnutls_certificate_credentials_t clientx509cred;
+	gnutls_session_t client;
+	int cret = GNUTLS_E_AGAIN, version;
+	const char *err;
+
+	/* General init. */
+	gnutls_global_set_log_function(tls_log_func);
+	if (debug)
+		gnutls_global_set_log_level(6);
+
+	reset_buffers();
+	/* Init server */
+	gnutls_certificate_allocate_credentials(&serverx509cred);
+
+	ret = gnutls_certificate_set_x509_key_mem(serverx509cred,
+					    serv_cert, serv_key,
+					    GNUTLS_X509_FMT_PEM);
+	if (ret < 0) {
+		fail("Could not set key/cert: %s\n", gnutls_strerror(ret));
+	}
+
+	assert(gnutls_init(&server, GNUTLS_SERVER|init_flags)>=0);
+	gnutls_credentials_set(server, GNUTLS_CRD_CERTIFICATE,
+				serverx509cred);
+
+
+	assert(gnutls_priority_set_direct(server,
+				   "NORMAL:-VERS-ALL:+VERS-TLS1.3",
+				   NULL)>=0);
+	gnutls_transport_set_push_function(server, server_push);
+	gnutls_transport_set_pull_function(server, server_pull);
+	gnutls_transport_set_ptr(server, server);
+
+	/* Init client */
+
+	ret = gnutls_certificate_allocate_credentials(&clientx509cred);
+	if (ret < 0)
+		exit(1);
+
+	if (cert_flags == USE_CERT) {
+		gnutls_certificate_set_x509_key_mem(clientx509cred,
+						    client_cert, client_key,
+						    GNUTLS_X509_FMT_PEM);
+		gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUIRE);
+	} else if (cert_flags == ASK_CERT) {
+		gnutls_certificate_server_set_request(server, GNUTLS_CERT_REQUEST);
+	}
+
+	ret = gnutls_init(&client, GNUTLS_CLIENT);
+	if (ret < 0)
+		exit(1);
+
+
+	ret = gnutls_credentials_set(client, GNUTLS_CRD_CERTIFICATE,
+				clientx509cred);
+	if (ret < 0)
+		exit(1);
+
+	gnutls_transport_set_push_function(client, client_push);
+	gnutls_transport_set_pull_function(client, client_pull);
+	gnutls_transport_set_ptr(client, client);
+
+	ret = gnutls_priority_set_direct(client, client_prio, &err);
+	if (ret < 0) {
+		if (ret == GNUTLS_E_INVALID_REQUEST)
+			fprintf(stderr, "Error in %s\n", err);
+		exit(1);
+	}
+	success("negotiating %s\n", name);
+	HANDSHAKE(client, server);
+
+	assert(gnutls_session_get_flags(server) & GNUTLS_SFLAGS_EARLY_START);
+	assert(!(gnutls_session_get_flags(client) & GNUTLS_SFLAGS_EARLY_START));
+
+	version = gnutls_protocol_get_version(client);
+	assert(version == GNUTLS_TLS1_3);
+
+	memset(buffer, 0, sizeof(buffer));
+	assert(gnutls_record_send(server, MSG, strlen(MSG))>=0);
+
+	ret = gnutls_record_recv(client, buffer, sizeof(buffer));
+	if (ret == 0) {
+		fail("client: Peer has closed the TLS connection\n");
+		exit(1);
+	} else if (ret < 0) {
+		fail("client: Error: %s\n", gnutls_strerror(ret));
+		exit(1);
+	}
+
+	if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) {
+		fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret);
+		exit(1);
+	}
+
+	memset(buffer, 0, sizeof(buffer));
+	assert(gnutls_record_send(client, MSG, strlen(MSG))>=0);
+
+	ret = gnutls_record_recv(server, buffer, sizeof(buffer));
+	if (ret == 0) {
+		fail("server: Peer has closed the TLS connection\n");
+	} else if (ret < 0) {
+		fail("server: Error: %s\n", gnutls_strerror(ret));
+	}
+
+	if (ret != strlen(MSG) || memcmp(MSG, buffer, ret) != 0) {
+		fail("client: Error in data received. Expected %d, got %d\n", (int)strlen(MSG), ret);
+		exit(1);
+	}
+
+	gnutls_bye(client, GNUTLS_SHUT_RDWR);
+	gnutls_bye(server, GNUTLS_SHUT_RDWR);
+
+	gnutls_deinit(client);
+	gnutls_deinit(server);
+
+	gnutls_certificate_free_credentials(serverx509cred);
+	gnutls_certificate_free_credentials(clientx509cred);
+}
+
+static
+void try_with_key(const char *name, const char *client_prio,
+		const gnutls_datum_t *serv_cert,
+		const gnutls_datum_t *serv_key,
+		const gnutls_datum_t *cli_cert,
+		const gnutls_datum_t *cli_key,
+		unsigned cert_flags)
+{
+	return try_with_key_ks(name, client_prio,
+			       serv_cert, serv_key, cli_cert, cli_key, cert_flags, GNUTLS_ENABLE_EARLY_START);
+}
+
+#include "cert-common.h"
+
+void doit(void)
+{
+	/* TLS 1.3 no client cert: early start expected */
+	try_ok("TLS 1.3 with ffdhe2048 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-FFDHE2048");
+	try_ok("TLS 1.3 with secp256r1 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1");
+	try_ok("TLS 1.3 with x25519 rsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-X25519");
+
+	try_with_key_ks("TLS 1.3 with secp256r1 ecdsa no-cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-GROUP-ALL:+GROUP-SECP256R1",
+		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, NULL, NULL, 0, GNUTLS_ENABLE_EARLY_START);
+
+	/* client authentication: no early start possible */
+	try_with_key_fail("TLS 1.3 with rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA",
+		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_rsa_pss_cert, &cli_ca3_rsa_pss_key, GNUTLS_ENABLE_EARLY_START);
+	try_with_key_fail("TLS 1.3 with rsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA",
+		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &cli_ca3_cert, &cli_ca3_key, GNUTLS_ENABLE_EARLY_START);
+	try_with_key_fail("TLS 1.3 with ecdsa cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA",
+		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, &server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, GNUTLS_ENABLE_EARLY_START);
+
+	/* TLS 1.3 no client cert: no early start flag specified */
+	try_with_key_fail("TLS 1.3 with rsa-pss cli-cert", "NORMAL:-VERS-ALL:+VERS-TLS1.3:-KX-ALL:+ECDHE-RSA",
+		&server_ca3_localhost_ecc_cert, &server_ca3_ecc_key, NULL, NULL, 0);
+}