1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
use crate::{
cipherstate::StatelessCipherStates,
constants::{CIPHERKEYLEN, MAXDHLEN, MAXMSGLEN, TAGLEN},
error::{Error, StateProblem},
handshakestate::HandshakeState,
params::HandshakePattern,
utils::Toggle,
};
use core::{convert::TryFrom, fmt};
/// A state machine encompassing the transport phase of a Noise session, using the two
/// `CipherState`s (for sending and receiving) that were spawned from the `SymmetricState`'s
/// `Split()` method, called after a handshake has been finished.
///
/// See: <https://noiseprotocol.org/noise.html#the-handshakestate-object>
pub struct StatelessTransportState {
cipherstates: StatelessCipherStates,
pattern: HandshakePattern,
dh_len: usize,
rs: Toggle<[u8; MAXDHLEN]>,
initiator: bool,
}
impl StatelessTransportState {
pub(crate) fn new(handshake: HandshakeState) -> Result<Self, Error> {
if !handshake.is_handshake_finished() {
return Err(StateProblem::HandshakeNotFinished.into());
}
let dh_len = handshake.dh_len();
let HandshakeState { cipherstates, params, rs, initiator, .. } = handshake;
let pattern = params.handshake.pattern;
Ok(Self { cipherstates: cipherstates.into(), pattern, dh_len, rs, initiator })
}
/// Get the remote party's static public key, if available.
///
/// Note: will return `None` if either the chosen Noise pattern
/// doesn't necessitate a remote static key, *or* if the remote
/// static key is not yet known (as can be the case in the `XX`
/// pattern, for example).
#[must_use]
pub fn get_remote_static(&self) -> Option<&[u8]> {
self.rs.get().map(|rs| &rs[..self.dh_len])
}
/// Construct a message from `payload` (and pending handshake tokens if in handshake state),
/// and write it to the `message` buffer.
///
/// Returns the number of bytes written to `message`.
///
/// # Errors
///
/// Will result in `Error::Input` if the size of the output exceeds the max message
/// length in the Noise Protocol (65535 bytes).
pub fn write_message(
&self,
nonce: u64,
payload: &[u8],
message: &mut [u8],
) -> Result<usize, Error> {
if !self.initiator && self.pattern.is_oneway() {
return Err(StateProblem::OneWay.into());
} else if payload.len() + TAGLEN > MAXMSGLEN || payload.len() + TAGLEN > message.len() {
return Err(Error::Input);
}
let cipher = if self.initiator { &self.cipherstates.0 } else { &self.cipherstates.1 };
cipher.encrypt(nonce, payload, message)
}
/// Read a noise message from `message` and write the payload to the `payload` buffer.
///
/// Returns the number of bytes written to `payload`.
///
/// # Errors
/// Will result in `Error::Input` if the message is more than 65535 bytes.
///
/// Will result in `Error::Decrypt` if the contents couldn't be decrypted and/or the
/// authentication tag didn't verify.
///
/// Will result in `StateProblem::Exhausted` if the max nonce overflows.
pub fn read_message(
&self,
nonce: u64,
payload: &[u8],
message: &mut [u8],
) -> Result<usize, Error> {
if payload.len() > MAXMSGLEN {
Err(Error::Input)
} else if self.initiator && self.pattern.is_oneway() {
Err(StateProblem::OneWay.into())
} else {
let cipher = if self.initiator { &self.cipherstates.1 } else { &self.cipherstates.0 };
cipher.decrypt(nonce, payload, message)
}
}
/// Generate a new key for the egress symmetric cipher according to Section 4.2
/// of the Noise Specification. Synchronizing timing of rekey between initiator and
/// responder is the responsibility of the application, as described in Section 11.3
/// of the Noise Specification.
pub fn rekey_outgoing(&mut self) {
if self.initiator {
self.cipherstates.rekey_initiator();
} else {
self.cipherstates.rekey_responder();
}
}
/// Generate a new key for the ingress symmetric cipher according to Section 4.2
/// of the Noise Specification. Synchronizing timing of rekey between initiator and
/// responder is the responsibility of the application, as described in Section 11.3
/// of the Noise Specification.
pub fn rekey_incoming(&mut self) {
if self.initiator {
self.cipherstates.rekey_responder();
} else {
self.cipherstates.rekey_initiator();
}
}
/// Set a new key for the one or both of the initiator-egress and responder-egress symmetric ciphers.
pub fn rekey_manually(
&mut self,
initiator: Option<&[u8; CIPHERKEYLEN]>,
responder: Option<&[u8; CIPHERKEYLEN]>,
) {
if let Some(key) = initiator {
self.rekey_initiator_manually(key);
}
if let Some(key) = responder {
self.rekey_responder_manually(key);
}
}
/// Set a new key for the initiator-egress symmetric cipher.
pub fn rekey_initiator_manually(&mut self, key: &[u8; CIPHERKEYLEN]) {
self.cipherstates.rekey_initiator_manually(key);
}
/// Set a new key for the responder-egress symmetric cipher.
pub fn rekey_responder_manually(&mut self, key: &[u8; CIPHERKEYLEN]) {
self.cipherstates.rekey_responder_manually(key);
}
/// Check if this session was started with the "initiator" role.
#[must_use]
pub fn is_initiator(&self) -> bool {
self.initiator
}
}
impl fmt::Debug for StatelessTransportState {
fn fmt(&self, fmt: &mut fmt::Formatter<'_>) -> fmt::Result {
fmt.debug_struct("StatelessTransportState").finish()
}
}
impl TryFrom<HandshakeState> for StatelessTransportState {
type Error = Error;
fn try_from(old: HandshakeState) -> Result<Self, Self::Error> {
StatelessTransportState::new(old)
}
}