Merge pull request #133 from bifurcation/draft-21

Support draft-21

common.go

@@ -1,7 +1,7 @@
 package mint
 
 var (
-	supportedVersion uint16 = 0x7f14 // draft-20
+	supportedVersion uint16 = 0x7f15 // draft-21
 
 	// Flags for some minor compat issues
 	allowWrongVersionNumber = true

crypto.go

@@ -573,6 +573,7 @@ const (
 	labelResumptionSecret               = "res master"
 	labelDerived                        = "derived"
 	labelFinished                       = "finished"
+	labelResumption                     = "resumption"
 )
 
 // struct HkdfLabel {

handshake-messages.go

@@ -368,27 +368,32 @@ func (cr *CertificateRequestBody) Unmarshal(data []byte) (int, error) {
 // struct {
 //     uint32 ticket_lifetime;
 //     uint32 ticket_age_add;
+//		 opaque ticket_nonce<1..255>;
 //     opaque ticket<1..2^16-1>;
 //     Extension extensions<0..2^16-2>;
 // } NewSessionTicket;
 type NewSessionTicketBody struct {
 	TicketLifetime uint32
 	TicketAgeAdd   uint32
+	TicketNonce    []byte        `tls:"head=1,min=1"`
 	Ticket         []byte        `tls:"head=2,min=1"`
 	Extensions     ExtensionList `tls:"head=2"`
 }
 
+const ticketNonceLen = 16
+
 func NewSessionTicket(ticketLen int, ticketLifetime uint32) (*NewSessionTicketBody, error) {
-	buf := make([]byte, ticketLen+4)
+	buf := make([]byte, 4+ticketNonceLen+ticketLen)
 	_, err := prng.Read(buf)
 	if err != nil {
 		return nil, err
 	}
 
 	tkt := &NewSessionTicketBody{
 		TicketLifetime: ticketLifetime,
-		TicketAgeAdd:   binary.BigEndian.Uint32(buf[ticketLen:]),
-		Ticket:         buf[:ticketLen],
+		TicketAgeAdd:   binary.BigEndian.Uint32(buf[:4]),
+		TicketNonce:    buf[4 : 4+ticketNonceLen],
+		Ticket:         buf[4+ticketNonceLen:],
 	}
 
 	return tkt, err

handshake-messages_test.go

@@ -198,11 +198,12 @@ var (
 		"000a000d0006000404030503" // extensions
 
 	// NewSessionTicket test cases
-	ticketValidHex = "00010203" + "04050607" + "000408090a0b" + "0006eeff00021122"
+	ticketValidHex = "00010203" + "04050607" + "0408090a0b" + "00040c0d0e0f" + "0006eeff00021122"
 	ticketValidIn  = NewSessionTicketBody{
 		TicketLifetime: 0x00010203,
 		TicketAgeAdd:   0x04050607,
-		Ticket:         []byte{0x08, 0x09, 0x0a, 0x0b},
+		TicketNonce:    []byte{0x08, 0x09, 0x0a, 0x0b},
+		Ticket:         []byte{0x0c, 0x0d, 0x0e, 0x0f},
 		Extensions: []Extension{
 			{
 				ExtensionType: 0xeeff,

state-machine.go

@@ -127,11 +127,14 @@ func (state *StateConnected) NewSessionTicket(length int, lifetime, earlyDataLif
 		return nil, AlertInternalError
 	}
 
+	resumptionKey := hkdfExpandLabel(state.cryptoParams.hash, state.resumptionSecret,
+		labelResumption, tkt.TicketNonce, state.cryptoParams.hash.Size())
+
 	newPSK := PreSharedKey{
 		CipherSuite:  state.cryptoParams.suite,
 		IsResumption: true,
 		Identity:     tkt.Ticket,
-		Key:          state.resumptionSecret,
+		Key:          resumptionKey,
 		NextProto:    state.Params.NextProto,
 		ReceivedAt:   time.Now(),
 		ExpiresAt:    time.Now().Add(time.Duration(tkt.TicketLifetime) * time.Second),
@@ -196,11 +199,14 @@ func (state StateConnected) Next(hm *HandshakeMessage) (HandshakeState, []Handsh
 			return nil, nil, AlertUnexpectedMessage
 		}
 
+		resumptionKey := hkdfExpandLabel(state.cryptoParams.hash, state.resumptionSecret,
+			labelResumption, body.TicketNonce, state.cryptoParams.hash.Size())
+
 		psk := PreSharedKey{
 			CipherSuite:  state.cryptoParams.suite,
 			IsResumption: true,
 			Identity:     body.Ticket,
-			Key:          state.resumptionSecret,
+			Key:          resumptionKey,
 			NextProto:    state.Params.NextProto,
 			ReceivedAt:   time.Now(),
 			ExpiresAt:    time.Now().Add(time.Duration(body.TicketLifetime) * time.Second),