rustls · ctz · Mar 19, 2017 · Mar 19, 2017 · Mar 19, 2017 · Mar 30, 2017
diff --git a/README.md b/README.md
@@ -48,7 +48,7 @@ obsolete cryptography.
 
 ## Current features
 
-* TLS1.2 and TLS1.3 (draft 18) only.
+* TLS1.2 and TLS1.3 (draft 20) only.
 * ECDSA or RSA server authentication by clients.
 * RSA server authentication by servers.
 * Forward secrecy using ECDHE; with curve25519, nistp256 or nistp384 curves.

diff --git a/src/cipher.rs b/src/cipher.rs
@@ -8,7 +8,7 @@ use msgs::fragmenter::MAX_FRAGMENT_LEN;
 use error::TLSError;
 use session::SessionSecrets;
 use suites::{SupportedCipherSuite, BulkAlgorithm};
-use key_schedule::hkdf_expand_label;
+use key_schedule::{derive_traffic_key, derive_traffic_iv};
 
 // accum[i] ^= offset[i] for all i in 0..len(accum)
 fn xor(accum: &mut [u8], offset: &[u8]) {
@@ -113,8 +113,8 @@ pub fn new_tls12(scs: &'static SupportedCipherSuite,
 pub fn new_tls13_read(scs: &'static SupportedCipherSuite,
                       secret: &[u8]) -> Box<MessageDecrypter> {
     let hash = scs.get_hash();
-    let key = hkdf_expand_label(hash, secret, b"key", &[], scs.enc_key_len as u16);
-    let iv = hkdf_expand_label(hash, secret, b"iv", &[], scs.fixed_iv_len as u16);
+    let key = derive_traffic_key(hash, secret, scs.enc_key_len);
+    let iv = derive_traffic_iv(hash, secret, scs.fixed_iv_len);
     let aead_alg = scs.get_aead_alg();
 
     Box::new(TLS13MessageDecrypter::new(aead_alg, &key, &iv))
@@ -123,8 +123,8 @@ pub fn new_tls13_read(scs: &'static SupportedCipherSuite,
 pub fn new_tls13_write(scs: &'static SupportedCipherSuite,
                        secret: &[u8]) -> Box<MessageEncrypter> {
     let hash = scs.get_hash();
-    let key = hkdf_expand_label(hash, secret, b"key", &[], scs.enc_key_len as u16);
-    let iv = hkdf_expand_label(hash, secret, b"iv", &[], scs.fixed_iv_len as u16);
+    let key = derive_traffic_key(hash, secret, scs.enc_key_len);
+    let iv = derive_traffic_iv(hash, secret, scs.fixed_iv_len);
     let aead_alg = scs.get_aead_alg();
 
     Box::new(TLS13MessageEncrypter::new(aead_alg, &key, &iv))

diff --git a/src/client_hs.rs b/src/client_hs.rs
@@ -32,8 +32,8 @@ use handshake::Expectation;
 
 use std::mem;
 
-// draft-ietf-tls-tls13-18
-const TLS13_DRAFT: u16 = 0x7f12;
+// draft-ietf-tls-tls13-20
+const TLS13_DRAFT: u16 = 0x7f14;
 
 macro_rules! extract_handshake(
   ( $m:expr, $t:path ) => (
@@ -615,7 +615,6 @@ pub static EXPECT_SERVER_HELLO: State = State {
 fn handle_hello_retry_request(sess: &mut ClientSessionImpl,
                               m: Message) -> StateResult {
     let hrr = extract_handshake!(m, HandshakePayload::HelloRetryRequest).unwrap();
-    sess.handshake_data.transcript.add_message(&m);
     debug!("Got HRR {:?}", hrr);
 
     let has_cookie = hrr.get_cookie().is_some();
@@ -665,6 +664,20 @@ fn handle_hello_retry_request(sess: &mut ClientSessionImpl,
         }
     }
 
+    // Or asks us to use a ciphersuite we didn't offer.
+    let maybe_cs = sess.find_cipher_suite(hrr.cipher_suite);
+    let cs = match maybe_cs {
+        Some(cs) => cs,
+        None => {
+            return Err(illegal_param(sess, "server requested unsupported cs in hrr"));
+        }
+    };
+
+    // This is the draft19 change where the transcript became a tree
+    sess.handshake_data.transcript.start_hash(cs.get_hash());
+    sess.handshake_data.transcript.rollup_for_hrr();
+    sess.handshake_data.transcript.add_message(&m);
+
     Ok(emit_client_hello_for_retry(sess, Some(hrr)))
 }
 
@@ -1019,7 +1032,9 @@ fn handle_certificate_req_tls13(sess: &mut ClientSessionImpl,
     }
 
     let tls13_sign_schemes = SupportedSignatureSchemes::supported_sign_tls13();
-    let compat_sigschemes = certreq.sigschemes
+    let no_sigschemes = Vec::new();
+    let compat_sigschemes = certreq.get_sigalgs_extension()
+        .unwrap_or(&no_sigschemes)
         .iter()
         .cloned()
         .filter(|scheme| tls13_sign_schemes.contains(scheme))
@@ -1030,7 +1045,9 @@ fn handle_certificate_req_tls13(sess: &mut ClientSessionImpl,
         return Err(TLSError::PeerIncompatibleError("server sent bad certreq schemes".to_string()));
     }
 
-    let canames = certreq.canames
+    let no_canames = Vec::new();
+    let canames = certreq.get_authorities_extension()
+        .unwrap_or(&no_canames)
         .iter()
         .map(|p| p.0.as_slice())
         .collect::<Vec<&[u8]>>();

diff --git a/src/hash_hs.rs b/src/hash_hs.rs
@@ -2,6 +2,7 @@ use ring::digest;
 use std::mem;
 use msgs::codec::Codec;
 use msgs::message::{Message, MessagePayload};
+use msgs::handshake::HandshakeMessagePayload;
 
 /// This deals with keeping a running hash of the handshake
 /// payloads.  This is computed by buffering initially.  Once
@@ -128,6 +129,17 @@ impl HandshakeHash {
         ret
     }
 
+    /// Take the current hash value, and encapsulate it in a
+    /// 'handshake_hash' handshake message.  Start this hash
+    /// again, with that message at the front.
+    pub fn rollup_for_hrr(&mut self) {
+        let old_hash = self.ctx.take().unwrap().finish();
+        let old_handshake_hash_msg = HandshakeMessagePayload::build_handshake_hash(old_hash.as_ref());
+
+        self.ctx = Some(digest::Context::new(self.alg.unwrap()));
+        self.update_raw(&old_handshake_hash_msg.get_encoding());
+    }
+
     /// Get the current hash value.
     pub fn get_current_hash(&self) -> Vec<u8> {
         let hash = self.ctx.as_ref().unwrap().clone().finish();