turtls 0.2.0

A TLS library.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326

use std::mem::MaybeUninit;

use crate::aead::TlsAead;
use crate::client_hello::client_hello_client;
use crate::config::TurtlsConfig;
use crate::error::{FullError, TurtlsError};
use crate::extensions::parse_encrypted_extensions;
use crate::record::{ContentType, RecordLayer};
use crate::server_hello::server_hello_client;
use crate::state::{
    GlobalState, MaybeProt, ProtShakeMsg, ShakeState, TranscriptHasher, UnprotShakeMsg,
};
use crate::TurtlsAlert;

/// Performs the TLS 1.3 handshake as the client.
///
/// Alerts are handled and sent in this function. Do not send alerts on higher levels.
pub(crate) fn handshake_client(
    shake_state: &mut ShakeState,
    global_state: &mut GlobalState,
    config: &TurtlsConfig,
) -> Result<(), ()> {
    // This would be so much cleaner with C-style switch statement :)
    loop {
        match shake_state.state {
            MaybeProt::Unprot {
                ref mut next,
                ref mut unprot_state,
            } => match next {
                UnprotShakeMsg::ClientHello => {
                    // Don't send alert because handshake hasn't started.
                    client_hello_client(unprot_state, &mut shake_state.buf, config)
                        .map_err(|err| global_state.error.turtls_error = err)?;

                    shake_state
                        .buf
                        .write_raw(&mut global_state.rl, &mut global_state.transcript)
                        .map_err(|err| global_state.error.turtls_error = err)?;

                    *next = UnprotShakeMsg::ServerHello;
                },
                UnprotShakeMsg::ServerHello => {
                    shake_state
                        .buf
                        .read_raw(&mut global_state.rl, &mut global_state.transcript)
                        .map_err(|err| {
                            if let TurtlsError::Tls = err.turtls_error {
                                global_state.rl.close_raw(err.alert);
                            }
                            global_state.error = err
                        })?;
                    let aead =
                        server_hello_client(shake_state.buf.data(), unprot_state, global_state)
                            .map_err(|alert| {
                                global_state.rl.close_raw(alert);
                                global_state.error = FullError::sending_alert(alert);
                            })?;
                    shake_state.state = MaybeProt::Prot {
                        next: ProtShakeMsg::EncryptedExtensions,
                        aead,
                    };
                },
            },
            MaybeProt::Prot {
                ref mut next,
                ref mut aead,
            } => match next {
                ProtShakeMsg::EncryptedExtensions => {
                    shake_state
                        .buf
                        .read(&mut global_state.rl, aead, &mut global_state.transcript)
                        .map_err(|err| {
                            if let TurtlsError::Tls = err.turtls_error {
                                global_state.rl.close(err.alert, aead);
                            }
                            global_state.error = err
                        })?;
                    parse_encrypted_extensions(shake_state.buf.data(), global_state).map_err(
                        |alert| {
                            global_state.rl.close(alert, aead);
                            global_state.error = FullError::sending_alert(alert);
                        },
                    )?;
                    *next = ProtShakeMsg::Certificate;
                },
                ProtShakeMsg::Certificate => {
                    shake_state
                        .buf
                        .read(&mut global_state.rl, aead, &mut global_state.transcript)
                        .map_err(|err| {
                            if let TurtlsError::Tls = err.turtls_error {
                                global_state.rl.close(err.alert, aead);
                            }
                            global_state.error = err
                        })?;
                    let cert_msg = shake_state.buf.data();

                    let context_len = cert_msg[0] as usize;
                    let certs = &cert_msg[1 + context_len as usize..];

                    let data_len = u32::from_be_bytes([0, certs[0], certs[1], certs[2]]) as usize;
                    for cert in crate::certificates::CertIter::new(&certs[3..][..data_len]) {
                        crate::certificates::x509::validate_cert(cert.data).unwrap();
                    }
                    todo!("validate certificates");
                },
                _ => todo!("Finish handshake"),
            },
        };
    }
}

/// The message type of a handshake message.
#[derive(Debug, PartialEq, Eq)]
#[expect(unused, reason = "not all handshake messages are implemented yet")]
pub(crate) enum ShakeType {
    ClientHello = 1,
    ServerHello = 2,
    NewSessionTicket = 4,
    EndOfEarlyData = 5,
    EncryptedExtensions = 8,
    Certificate = 11,
    CertificateRequest = 13,
    CertificateVerify = 15,
    Finished = 20,
    KeyUpdate = 24,
    MessageHash = 254,
}

impl ShakeType {
    pub const fn to_byte(self) -> u8 {
        self as u8
    }
}

/// Stores handshake messages for them to be parsed.
pub(crate) struct ShakeBuf {
    buf: Box<[u8]>,
    /// The length of the message excluding the header.
    len: usize,
    /// The maximum size `buf` is allowed to be.
    max_size: usize,
    status: ReadStatus,
}

enum ReadStatus {
    /// The message header has not been completely read yet.
    ///
    /// The internal value represents the number of header bytes already read.
    NeedsHeader(usize),
    /// The message data has not be completely read yet.
    ///
    /// The internal value represents the number of data bytes already read.
    NeedsData(usize),
}

impl ReadStatus {
    const fn new() -> Self {
        Self::NeedsHeader(0)
    }
}

impl ShakeBuf {
    const INIT_SIZE: usize = 0x4000;
    pub(crate) const LEN_SIZE: usize = 3;
    pub(crate) const HEADER_SIZE: usize = size_of::<ShakeType>() + Self::LEN_SIZE;

    pub(crate) fn new(max_len: usize) -> Self {
        // TODO: use new_zeroed_slice or similar once stabilized.
        let mut buf = Box::new_uninit_slice(Self::INIT_SIZE);
        buf.fill(MaybeUninit::zeroed());
        Self {
            // SAFETY: a zeroed integer slice is valid.
            buf: unsafe { buf.assume_init() },
            len: 0,
            max_size: max_len,
            status: ReadStatus::new(),
        }
    }

    pub(crate) fn start(&mut self, msg_type: ShakeType) {
        self.len = 0;
        self.buf[0] = msg_type.to_byte();
        self.buf[1..][..Self::LEN_SIZE].copy_from_slice(&[0; Self::LEN_SIZE]);
    }

    pub(crate) fn push(&mut self, value: u8) {
        if self.len + Self::HEADER_SIZE + 1 > self.buf.len() {
            todo!("grow handshake buffer");
        }
        self.buf[self.len + Self::HEADER_SIZE] = value;
        self.len += 1;
    }

    pub(crate) fn extend_from_slice(&mut self, slice: &[u8]) {
        if self.len + Self::HEADER_SIZE + slice.len() > self.buf.len() {
            todo!("grow handshake buffer");
        }
        self.buf[Self::HEADER_SIZE + self.len..][..slice.len()].copy_from_slice(slice);
        self.len += slice.len();
    }

    /// Returns the data sent in the handshake message.
    ///
    /// This does NOT include the header.
    pub(crate) fn data(&self) -> &[u8] {
        &self.buf[Self::HEADER_SIZE..][..self.len]
    }

    fn read_inner(
        &mut self,
        rl: &mut RecordLayer,
        mut get_fn: impl FnMut(&mut RecordLayer) -> Result<(), FullError>,
        transcript: &mut TranscriptHasher,
    ) -> Result<(), FullError> {
        loop {
            match self.status {
                ReadStatus::NeedsHeader(ref mut amt) => {
                    if *amt == 0 {
                        get_fn(rl)?;
                        if rl.msg_type() == ContentType::ChangeCipherSpec.to_byte() {
                            rl.discard();
                            get_fn(rl)?;
                        }
                        rl.check_alert()
                            .map_err(|alert| FullError::recving_alert(alert))?;
                        if rl.msg_type() != ContentType::Handshake.to_byte() {
                            return Err(FullError::sending_alert(TurtlsAlert::UnexpectedMessage));
                        }
                    }
                    while *amt < Self::HEADER_SIZE {
                        get_fn(rl)?;
                        let new_bytes = rl.read_remaining(&mut self.buf[*amt..Self::HEADER_SIZE]);
                        if new_bytes == 0 {
                            return Err(FullError::sending_alert(TurtlsAlert::IllegalParam));
                        }
                        *amt += new_bytes;
                    }
                    self.len =
                        u32::from_be_bytes([0, self.buf[1], self.buf[2], self.buf[3]]) as usize;
                    if self.len > self.buf.len() {
                        todo!("grow handshake buffer");
                    }
                    self.status = ReadStatus::NeedsData(0);
                },
                ReadStatus::NeedsData(ref mut amt) => {
                    while *amt < self.len {
                        get_fn(rl)?;
                        let new_bytes = rl.read_remaining(
                            &mut self.buf[Self::HEADER_SIZE + *amt..Self::HEADER_SIZE + self.len],
                        );
                        if new_bytes == 0 {
                            return Err(FullError::sending_alert(TurtlsAlert::IllegalParam));
                        }
                        *amt += new_bytes;
                    }
                    self.status = ReadStatus::new();
                    transcript.update_with(&self.buf[..Self::HEADER_SIZE + self.len]);
                    return Ok(());
                },
            }
        }
    }

    /// Reads an entire plaintext handshake message.
    pub(crate) fn read_raw(
        &mut self,
        rl: &mut RecordLayer,
        transcript: &mut TranscriptHasher,
    ) -> Result<(), FullError> {
        let get_fn = RecordLayer::get_raw;
        self.read_inner(rl, get_fn, transcript)
    }

    pub(crate) fn read(
        &mut self,
        rl: &mut RecordLayer,
        aead: &mut TlsAead,
        transcript: &mut TranscriptHasher,
    ) -> Result<(), FullError> {
        let get_fn = |rl: &mut RecordLayer| RecordLayer::get(rl, aead);
        self.read_inner(rl, get_fn, transcript)
    }

    pub(crate) fn write_raw(
        &mut self,
        rl: &mut RecordLayer,
        transcript: &mut TranscriptHasher,
    ) -> Result<(), TurtlsError> {
        self.encode_len();

        transcript.update_with(&self.buf[..Self::HEADER_SIZE + self.len]);
        rl.write_raw(
            &self.buf[..Self::HEADER_SIZE + self.len],
            ContentType::Handshake,
        )
    }

    pub(crate) fn write(
        &mut self,
        rl: &mut RecordLayer,
        transcript: &mut TranscriptHasher,
        aead: &mut TlsAead,
    ) -> Result<(), TurtlsError> {
        self.encode_len();
        transcript.update_with(&self.buf);
        rl.write(
            &self.buf[..Self::HEADER_SIZE + self.len],
            ContentType::Handshake,
            aead,
        )
    }

    /// Returns the type of handshake message the message is.
    ///
    /// A `u8` is returned instead of a [`ShakeType`] to avoid having to validate the type. The
    /// returned type may not be a valid [`ShakeType`].
    pub(crate) fn msg_type(&self) -> u8 {
        self.buf[0]
    }

    pub(crate) fn encode_len(&mut self) {
        let len = (self.len as u32).to_be_bytes();
        self.buf[1..][..Self::LEN_SIZE].copy_from_slice(&len[1..]);
    }
}