use std::{any::Any, convert::TryInto, io, str, sync::Arc};
use bytes::BytesMut;
use ring::aead;
pub use rustls::Error;
use rustls::{
self,
quic::{
ClientQuicExt, HeaderProtectionKey, KeyChange, PacketKey, QuicExt, Secrets, ServerQuicExt,
Version,
},
Connection,
};
use crate::{
crypto::{
self, CryptoError, ExportKeyingMaterialError, HeaderKey, KeyPair, Keys, UnsupportedVersion,
},
transport_parameters::TransportParameters,
ConnectError, ConnectionId, Side, TransportError, TransportErrorCode,
};
pub struct TlsSession {
version: Version,
got_handshake_data: bool,
next_secrets: Option<Secrets>,
inner: Connection,
}
impl TlsSession {
fn side(&self) -> Side {
match self.inner {
Connection::Client(_) => Side::Client,
Connection::Server(_) => Side::Server,
}
}
}
impl crypto::Session for TlsSession {
fn initial_keys(&self, dst_cid: &ConnectionId, side: Side) -> Keys {
initial_keys(self.version, dst_cid, side)
}
fn handshake_data(&self) -> Option<Box<dyn Any>> {
if !self.got_handshake_data {
return None;
}
Some(Box::new(HandshakeData {
protocol: self.inner.alpn_protocol().map(|x| x.into()),
server_name: match self.inner {
Connection::Client(_) => None,
Connection::Server(ref session) => session.sni_hostname().map(|x| x.into()),
},
}))
}
fn peer_identity(&self) -> Option<Box<dyn Any>> {
self.inner
.peer_certificates()
.map(|v| -> Box<dyn Any> { Box::new(v.to_vec()) })
}
fn early_crypto(&self) -> Option<(Box<dyn HeaderKey>, Box<dyn crypto::PacketKey>)> {
let keys = self.inner.zero_rtt_keys()?;
Some((Box::new(keys.header), Box::new(keys.packet)))
}
fn early_data_accepted(&self) -> Option<bool> {
match self.inner {
Connection::Client(ref session) => Some(session.is_early_data_accepted()),
_ => None,
}
}
fn is_handshaking(&self) -> bool {
self.inner.is_handshaking()
}
fn read_handshake(&mut self, buf: &[u8]) -> Result<bool, TransportError> {
self.inner.read_hs(buf).map_err(|e| {
if let Some(alert) = self.inner.alert() {
TransportError {
code: TransportErrorCode::crypto(alert.get_u8()),
frame: None,
reason: e.to_string(),
}
} else {
TransportError::PROTOCOL_VIOLATION(format!("TLS error: {}", e))
}
})?;
if !self.got_handshake_data {
let have_server_name = match self.inner {
Connection::Client(_) => false,
Connection::Server(ref session) => session.sni_hostname().is_some(),
};
if self.inner.alpn_protocol().is_some() || have_server_name || !self.is_handshaking() {
self.got_handshake_data = true;
return Ok(true);
}
}
Ok(false)
}
fn transport_parameters(&self) -> Result<Option<TransportParameters>, TransportError> {
match self.inner.quic_transport_parameters() {
None => Ok(None),
Some(buf) => match TransportParameters::read(self.side(), &mut io::Cursor::new(buf)) {
Ok(params) => Ok(Some(params)),
Err(e) => Err(e.into()),
},
}
}
fn write_handshake(&mut self, buf: &mut Vec<u8>) -> Option<Keys> {
let keys = match self.inner.write_hs(buf)? {
KeyChange::Handshake { keys } => keys,
KeyChange::OneRtt { keys, next } => {
self.next_secrets = Some(next);
keys
}
};
Some(Keys {
header: KeyPair {
local: Box::new(keys.local.header),
remote: Box::new(keys.remote.header),
},
packet: KeyPair {
local: Box::new(keys.local.packet),
remote: Box::new(keys.remote.packet),
},
})
}
fn next_1rtt_keys(&mut self) -> Option<KeyPair<Box<dyn crypto::PacketKey>>> {
let secrets = self.next_secrets.as_mut()?;
let keys = secrets.next_packet_keys();
Some(KeyPair {
local: Box::new(keys.local),
remote: Box::new(keys.remote),
})
}
fn is_valid_retry(&self, orig_dst_cid: &ConnectionId, header: &[u8], payload: &[u8]) -> bool {
let tag_start = match payload.len().checked_sub(16) {
Some(x) => x,
None => return false,
};
let mut pseudo_packet =
Vec::with_capacity(header.len() + payload.len() + orig_dst_cid.len() + 1);
pseudo_packet.push(orig_dst_cid.len() as u8);
pseudo_packet.extend_from_slice(orig_dst_cid);
pseudo_packet.extend_from_slice(header);
let tag_start = tag_start + pseudo_packet.len();
pseudo_packet.extend_from_slice(payload);
let (nonce, key) = match self.version {
Version::V1 => (RETRY_INTEGRITY_NONCE_V1, RETRY_INTEGRITY_KEY_V1),
Version::V1Draft => (RETRY_INTEGRITY_NONCE_DRAFT, RETRY_INTEGRITY_KEY_DRAFT),
_ => unreachable!(),
};
let nonce = aead::Nonce::assume_unique_for_key(nonce);
let key = aead::LessSafeKey::new(aead::UnboundKey::new(&aead::AES_128_GCM, &key).unwrap());
let (aad, tag) = pseudo_packet.split_at_mut(tag_start);
key.open_in_place(nonce, aead::Aad::from(aad), tag).is_ok()
}
fn export_keying_material(
&self,
output: &mut [u8],
label: &[u8],
context: &[u8],
) -> Result<(), ExportKeyingMaterialError> {
self.inner
.export_keying_material(output, label, Some(context))
.map_err(|_| ExportKeyingMaterialError)
}
}
const RETRY_INTEGRITY_KEY_DRAFT: [u8; 16] = [
0xcc, 0xce, 0x18, 0x7e, 0xd0, 0x9a, 0x09, 0xd0, 0x57, 0x28, 0x15, 0x5a, 0x6c, 0xb9, 0x6b, 0xe1,
];
const RETRY_INTEGRITY_NONCE_DRAFT: [u8; 12] = [
0xe5, 0x49, 0x30, 0xf9, 0x7f, 0x21, 0x36, 0xf0, 0x53, 0x0a, 0x8c, 0x1c,
];
const RETRY_INTEGRITY_KEY_V1: [u8; 16] = [
0xbe, 0x0c, 0x69, 0x0b, 0x9f, 0x66, 0x57, 0x5a, 0x1d, 0x76, 0x6b, 0x54, 0xe3, 0x68, 0xc8, 0x4e,
];
const RETRY_INTEGRITY_NONCE_V1: [u8; 12] = [
0x46, 0x15, 0x99, 0xd3, 0x5d, 0x63, 0x2b, 0xf2, 0x23, 0x98, 0x25, 0xbb,
];
impl crypto::HeaderKey for HeaderProtectionKey {
fn decrypt(&self, pn_offset: usize, packet: &mut [u8]) {
let (header, sample) = packet.split_at_mut(pn_offset + 4);
let (first, rest) = header.split_at_mut(1);
let pn_end = Ord::min(pn_offset + 3, rest.len());
self.decrypt_in_place(
&sample[..self.sample_size()],
&mut first[0],
&mut rest[pn_offset - 1..pn_end],
)
.unwrap();
}
fn encrypt(&self, pn_offset: usize, packet: &mut [u8]) {
let (header, sample) = packet.split_at_mut(pn_offset + 4);
let (first, rest) = header.split_at_mut(1);
let pn_end = Ord::min(pn_offset + 3, rest.len());
self.encrypt_in_place(
&sample[..self.sample_size()],
&mut first[0],
&mut rest[pn_offset - 1..pn_end],
)
.unwrap();
}
fn sample_size(&self) -> usize {
self.sample_len()
}
}
pub struct HandshakeData {
pub protocol: Option<Vec<u8>>,
pub server_name: Option<String>,
}
impl crypto::ClientConfig for rustls::ClientConfig {
fn start_session(
self: Arc<Self>,
version: u32,
server_name: &str,
params: &TransportParameters,
) -> Result<Box<dyn crypto::Session>, ConnectError> {
let version = interpret_version(version)?;
Ok(Box::new(TlsSession {
version,
got_handshake_data: false,
next_secrets: None,
inner: Connection::Client(
rustls::ClientConnection::new_quic(
self,
version,
server_name
.try_into()
.map_err(|_| ConnectError::InvalidDnsName(server_name.into()))?,
to_vec(params),
)
.unwrap(),
),
}))
}
}
impl crypto::ServerConfig for rustls::ServerConfig {
fn start_session(
self: Arc<Self>,
version: u32,
params: &TransportParameters,
) -> Box<dyn crypto::Session> {
let version = interpret_version(version).unwrap();
Box::new(TlsSession {
version,
got_handshake_data: false,
next_secrets: None,
inner: Connection::Server(
rustls::ServerConnection::new_quic(self, version, to_vec(params)).unwrap(),
),
})
}
fn initial_keys(
&self,
version: u32,
dst_cid: &ConnectionId,
side: Side,
) -> Result<Keys, UnsupportedVersion> {
let version = interpret_version(version)?;
Ok(initial_keys(version, dst_cid, side))
}
fn retry_tag(&self, version: u32, orig_dst_cid: &ConnectionId, packet: &[u8]) -> [u8; 16] {
let version = interpret_version(version).unwrap();
let (nonce, key) = match version {
Version::V1 => (RETRY_INTEGRITY_NONCE_V1, RETRY_INTEGRITY_KEY_V1),
Version::V1Draft => (RETRY_INTEGRITY_NONCE_DRAFT, RETRY_INTEGRITY_KEY_DRAFT),
_ => unreachable!(),
};
let mut pseudo_packet = Vec::with_capacity(packet.len() + orig_dst_cid.len() + 1);
pseudo_packet.push(orig_dst_cid.len() as u8);
pseudo_packet.extend_from_slice(orig_dst_cid);
pseudo_packet.extend_from_slice(packet);
let nonce = aead::Nonce::assume_unique_for_key(nonce);
let key = aead::LessSafeKey::new(aead::UnboundKey::new(&aead::AES_128_GCM, &key).unwrap());
let tag = key
.seal_in_place_separate_tag(nonce, aead::Aad::from(pseudo_packet), &mut [])
.unwrap();
let mut result = [0; 16];
result.copy_from_slice(tag.as_ref());
result
}
}
fn to_vec(params: &TransportParameters) -> Vec<u8> {
let mut bytes = Vec::new();
params.write(&mut bytes);
bytes
}
pub(crate) fn initial_keys(version: Version, dst_cid: &ConnectionId, side: Side) -> Keys {
let keys = rustls::quic::Keys::initial(version, dst_cid, side.is_client());
Keys {
header: KeyPair {
local: Box::new(keys.local.header),
remote: Box::new(keys.remote.header),
},
packet: KeyPair {
local: Box::new(keys.local.packet),
remote: Box::new(keys.remote.packet),
},
}
}
impl crypto::PacketKey for PacketKey {
fn encrypt(&self, packet: u64, buf: &mut [u8], header_len: usize) {
let (header, payload_tag) = buf.split_at_mut(header_len);
let (payload, tag_storage) = payload_tag.split_at_mut(payload_tag.len() - self.tag_len());
let tag = self.encrypt_in_place(packet, &*header, payload).unwrap();
tag_storage.copy_from_slice(tag.as_ref());
}
fn decrypt(
&self,
packet: u64,
header: &[u8],
payload: &mut BytesMut,
) -> Result<(), CryptoError> {
let plain = self
.decrypt_in_place(packet, header, payload.as_mut())
.map_err(|_| CryptoError)?;
let plain_len = plain.len();
payload.truncate(plain_len);
Ok(())
}
fn tag_len(&self) -> usize {
self.tag_len()
}
fn confidentiality_limit(&self) -> u64 {
self.confidentiality_limit()
}
fn integrity_limit(&self) -> u64 {
self.integrity_limit()
}
}
pub(crate) fn client_config(roots: rustls::RootCertStore) -> rustls::ClientConfig {
let mut cfg = rustls::ClientConfig::builder()
.with_safe_default_cipher_suites()
.with_safe_default_kx_groups()
.with_protocol_versions(&[&rustls::version::TLS13])
.unwrap()
.with_root_certificates(roots)
.with_no_client_auth();
cfg.enable_early_data = true;
cfg
}
pub(crate) fn server_config(
cert_chain: Vec<rustls::Certificate>,
key: rustls::PrivateKey,
) -> Result<rustls::ServerConfig, Error> {
let mut cfg = rustls::ServerConfig::builder()
.with_safe_default_cipher_suites()
.with_safe_default_kx_groups()
.with_protocol_versions(&[&rustls::version::TLS13])
.unwrap()
.with_no_client_auth()
.with_single_cert(cert_chain, key)?;
cfg.max_early_data_size = u32::MAX;
Ok(cfg)
}
fn interpret_version(version: u32) -> Result<Version, UnsupportedVersion> {
match version {
0xff00_001d..=0xff00_0020 => Ok(Version::V1Draft),
0x0000_0001 | 0xff00_0021..=0xff00_0022 => Ok(Version::V1),
_ => Err(UnsupportedVersion),
}
}