1use super::bytes::Bytes;
2use super::message::key_exchange::{NamedCurve, ServerKeyExchange};
3use super::message::server_hello::{ServerHello, ServerHelloDone};
4use super::prf::Prf;
5use super::record::{RecordLayer, RecordType};
6use super::suite::iv::Iv;
7use super::suite::CipherSuite;
8use super::suite::TlsCipher;
9use super::version::Version;
10use crate::boring::{certificate, AlgorithmSigner};
11use crate::buffer::{RecordDecodeBuffer, RecordEncodeBuffer};
12use crate::error::RlsResult;
13use crate::ffi::Buf;
14use crate::message::certificate::CertificateRequest;
15use crate::share_key::SharedKey;
16use crate::*;
17use std::fs::OpenOptions;
18use std::io::Write;
19use std::mem;
20
21pub struct Connection {
22 client_random: Bytes,
23 server_random: Bytes,
24 read: TlsCipher,
25 write: TlsCipher,
26 use_ems: bool,
27 master_secret: [u8; 48],
28 named_curve: NamedCurve,
29 exchange_pub_key: Bytes,
30 alpn: Option<ALPN>,
31 cipher_suite: CipherSuite,
32 session_bytes: Vec<u8>,
33 prf: Prf,
34 certificates: Vec<Certificate>,
35 shared_key: SharedKey,
36 verify: bool,
37 root_stores: &'static CertStore,
38 mtls_hash: SignatureAlgorithm,
39}
40impl Default for Connection {
41 fn default() -> Self {
42 Connection {
43 client_random: Bytes::none(),
44 server_random: Bytes::none(),
45 read: TlsCipher::none(),
46 write: TlsCipher::none(),
47 use_ems: false,
48 master_secret: [0; 48],
49 named_curve: NamedCurve::x25519,
50 exchange_pub_key: Bytes::none(),
51 alpn: None,
52 cipher_suite: CipherSuite::new(0),
53 session_bytes: vec![],
54 prf: Prf::default(),
55 certificates: vec![],
56 shared_key: SharedKey::None,
57 verify: false,
58 root_stores: &certificate::ROOT_STORES,
59 mtls_hash: SignatureAlgorithm::new(0),
60 }
61 }
62}
63
64impl Connection {
65 pub fn with_client_random(mut self, client_random: Vec<u8>) -> Connection {
66 self.client_random = Bytes::new(client_random);
67 self
68 }
69
70 pub fn with_verify(mut self, verify: bool) -> Connection {
71 self.verify = verify;
72 self
73 }
74
75 pub fn disable_verify(mut self) -> Connection {
76 self.verify = false;
77 self
78 }
79
80 pub fn set_by_server_hello(&mut self, server_hello: &ServerHello) -> RlsResult<()> {
81 self.use_ems = server_hello.use_ems();
82 self.alpn = server_hello.alpn();
83 self.server_random = server_hello.random.clone();
84 self.cipher_suite = server_hello.cipher_suite.clone();
85 self.cipher_suite.init_aead_hasher()?;
86 self.cipher_suite.update(&self.session_bytes)?;
87 let hasher = self.cipher_suite.hasher().as_ref().ok_or(RlsError::HasherNone)?;
88 self.prf = Prf::from_hasher(hasher);
89 Ok(())
90 }
91
92 pub fn set_by_certificate(&mut self, certificate: Certificates, ext_cas: &[Certificate], sni: &str) -> RlsResult<()> {
93 for certificate in certificate.certificates() {
94 self.certificates.push(Certificate::from_der(certificate.as_ref())?);
95 }
96 if !self.verify { return Ok(()); }
97 self.root_stores.verify_cert(&mut self.certificates, ext_cas, sni)
98 }
99
100 fn gen_key_sign_data(&self, server_key: &ServerKeyExchange) -> Vec<u8> {
101 let mut sign_data = vec![];
102 sign_data.extend_from_slice(self.client_random.as_ref());
103 sign_data.extend_from_slice(self.server_random.as_ref());
104 sign_data.push(*server_key.hellman_param().curve_type() as u8);
105 sign_data.extend(server_key.hellman_param().named_curve().as_u16().to_be_bytes());
106 sign_data.push(server_key.hellman_param().pub_key().len() as u8);
107 sign_data.extend(server_key.hellman_param().pub_key().as_bytes());
108 sign_data
109 }
110
111 pub fn set_by_cert_req(&mut self, req: CertificateRequest, cert: Option<&mut Certificate>) -> RlsResult<()> {
112 if let Some(cert) = cert {
113 for hash in req.into_hashes() {
114 match (&hash, cert.cert_type()?) {
115 (&SignatureAlgorithm::RSA_PSS_RSAE_SHA256, CertType::RSA) => self.mtls_hash = hash,
116 (&SignatureAlgorithm::RSA_PSS_RSAE_SHA384, CertType::RSA) => self.mtls_hash = hash,
117 (&SignatureAlgorithm::RSA_PSS_RSAE_SHA512, CertType::RSA) => self.mtls_hash = hash,
118 (&SignatureAlgorithm::ECDSA_SECP256R1_SHA256, CertType::ECDSA) => self.mtls_hash = hash,
119 (&SignatureAlgorithm::ECDSA_SECP384R1_SHA384, CertType::ECDSA) => self.mtls_hash = hash,
120 (&SignatureAlgorithm::ECDSA_SECP521R1_SHA512, CertType::ECDSA) => self.mtls_hash = hash,
121 (&SignatureAlgorithm::RSA_PKCS1_SHA1, CertType::RSA) => self.mtls_hash = hash,
122 (&SignatureAlgorithm::RSA_PKCS1_SHA256, CertType::RSA) => self.mtls_hash = hash,
123 (&SignatureAlgorithm::RSA_PKCS1_SHA384, CertType::RSA) => self.mtls_hash = hash,
124 (&SignatureAlgorithm::RSA_PKCS1_SHA512, CertType::RSA) => self.mtls_hash = hash,
125 _ => continue,
126 }
127 break;
128 }
129 } else { self.mtls_hash = SignatureAlgorithm::RSA_PKCS1_SHA1 }
130 Ok(())
131 }
132
133 pub fn set_by_server_exchange_key(&mut self, server_key: ServerKeyExchange) -> RlsResult<()> {
134 if self.verify {
135 let sign_data = self.gen_key_sign_data(&server_key);
136 let signature = AlgorithmSigner::new_verify(self.certificates[0].pub_key()?, server_key.hellman_param().signature_algorithm())?;
137 signature.verify(sign_data, server_key.hellman_param().signature().as_ref())?;
138 }
139 self.exchange_pub_key = server_key.hellman_param().pub_key().clone();
140 self.named_curve = *server_key.hellman_param().named_curve();
141 self.shared_key = SharedKey::new(&self.named_curve)?;
142 Ok(())
143 }
144
145 pub fn set_by_client_exchange_key(&mut self, client_key: ClientKeyExchange) {
146 self.exchange_pub_key = client_key.hellman_param().pub_key().clone();
147 }
148
149 pub fn pub_share_key(&mut self) -> RlsResult<Buf<'_>> {
150 if let SharedKey::None = self.shared_key {
151 self.shared_key = SharedKey::new_pre_master_secret()?;
152 let rsa = RsaCipher::new(self.certificates[0].pub_key()?)?;
153 return Ok(Buf::Vec(rsa.encrypt(self.shared_key.pub_key()?.as_slice())?));
154 }
155 self.shared_key.pub_key()
156 }
157
158 pub fn make_cipher(&mut self, server: bool) -> RlsResult<()> {
159 let share_secret = self.shared_key.diffie_hellman(self.exchange_pub_key.as_ref())?;
160 let (label, seed) = match self.use_ems {
161 true => ("extended master secret", self.cipher_suite.current_session_hash()?.to_vec()),
162 false => ("master secret", [self.client_random.as_bytes(), self.server_random.as_bytes()].concat())
163 };
164 self.prf.prf(&share_secret, label, &seed, &mut self.master_secret)?;
165 let mut f = OpenOptions::new().create(true).append(true).open("2.log")?;
166 f.write_all(format!("CLIENT_RANDOM {} {}\r\n", hex::encode(self.client_random.as_ref()), hex::encode(self.master_secret)).as_bytes())?;
167 let aead = self.cipher_suite.aead().ok_or(RlsError::AeadNone)?;
168 let block_size = (aead.mac_key_len() + aead.key_len() + aead.fix_iv_len()) * 2 + aead.explicit_len();
169 let mut key_block = vec![0; block_size];
170 let seed = [self.server_random.as_bytes(), self.client_random.as_bytes()].concat();
171 self.prf.prf(&self.master_secret, "key expansion", &seed, key_block.as_mut_slice())?;
172 let (client_mac_key, remain) = key_block.split_at(aead.mac_key_len());
173 let (server_mac_key, remain) = remain.split_at(aead.mac_key_len());
174 let (client_key, remain) = remain.split_at(aead.key_len());
175 let (server_key, remain) = remain.split_at(aead.key_len());
176 let (client_iv, remain) = remain.split_at(aead.fix_iv_len());
177 let (server_iv, explicit) = remain.split_at(aead.fix_iv_len());
178 match server {
179 true => {
180 self.write.set_key(server_key, server_mac_key, aead, self.cipher_suite.mac_hash().ok_or(RlsError::HasherNone)?)?;
181 self.write.set_iv(Iv::new(server_iv, vec![0; 8]));
182 self.read.set_key(client_key, client_mac_key, aead, self.cipher_suite.mac_hash().ok_or(RlsError::HasherNone)?)?;
183 self.read.set_iv(Iv::new(client_iv, vec![]));
184 }
185 false => {
186 self.write.set_key(client_key, client_mac_key, aead, self.cipher_suite.mac_hash().ok_or(RlsError::HasherNone)?)?;
187 self.write.set_iv(Iv::new(client_iv, explicit.to_vec()));
188 self.read.set_key(server_key, server_mac_key, aead, self.cipher_suite.mac_hash().ok_or(RlsError::HasherNone)?)?;
189 self.read.set_iv(Iv::new(server_iv, vec![]));
190 }
191 }
192
193 Ok(())
194 }
195
196 pub fn gen_server_hello<'a>(&mut self, mut client_hello: ClientHello, certificate: &'a mut [Certificate], pri_key: &RsaKey, random: &'a [u8]) -> RlsResult<RecordLayer<'a>> {
197 self.client_random = client_hello.client_random().clone();
198 let mut record = RecordLayer {
199 context_type: RecordType::HandShake,
200 version: Version::TLS_1_2,
201 len: 0,
202 messages: vec![],
203 };
204 let mut server_hello = ServerHello::from_client_hello(client_hello)?;
206 server_hello.set_random(random);
207 self.set_by_server_hello(&server_hello)?;
208 record.messages.push(Message::ServerHello(server_hello));
209 let mut certificates = Certificates::default();
211 for certificate in certificate.iter_mut() {
212 certificates.add_certificate(certificate.as_der().as_slice());
213 }
214 record.messages.push(Message::Certificate(certificates));
215 let mut server_key_exchange = ServerKeyExchange::default();
217 self.shared_key = SharedKey::new(server_key_exchange.hellman_param().named_curve())?;
218 server_key_exchange.hellman_param_mut().set_pub_key(self.shared_key.pub_key()?.as_slice());
219 let sign_data = self.gen_key_sign_data(&server_key_exchange);
220 let signer = AlgorithmSigner::new_sign(pri_key.pkey(), server_key_exchange.hellman_param().signature_algorithm())?;
221 server_key_exchange.hellman_param_mut().set_signature(Bytes::new(signer.sign(&sign_data)?));
222 self.exchange_pub_key = server_key_exchange.hellman_param().pub_key().clone();
223 self.named_curve = *server_key_exchange.hellman_param().named_curve();
224 record.messages.push(Message::ServerKeyExchange(server_key_exchange));
225 record.messages.push(Message::ServerHelloDone(ServerHelloDone::new()));
227 Ok(record)
228 }
229
230 pub fn make_finish_message(&mut self, buffer: &mut [u8], server: bool) -> RlsResult<usize> {
234 let finish = self.make_verify_data(server)?;
235 self.update_session(finish)?;
236 self.make_message(RecordType::HandShake, buffer, &finish)
237 }
238
239 pub fn verify_finish(&mut self, data: &[u8], server: bool) -> RlsResult<()> {
240 if !self.verify {
241 self.update_session(data)?;
242 return Ok(());
243 }
244 let out = self.make_verify_data(server)?;
245 self.update_session(data)?;
246 if data != out { return Err(RlsError::Currently("FinishVerifyFail".into())); }
247 Ok(())
248 }
249
250 fn make_verify_data(&mut self, server: bool) -> RlsResult<[u8; 16]> {
251 let mut finish = [0; 16];
252 finish[0..4].copy_from_slice(&[0x14, 0x00, 0x0, 0xc]);
253 let session_hash = self.cipher_suite.current_session_hash()?;
254 self.prf.prf(&self.master_secret, if !server { "client finished" } else { "server finished" }, session_hash, &mut finish[4..16])?;
255 Ok(finish)
256 }
257
258 pub fn make_message(&mut self, cty: RecordType, buffer: &mut [u8], payload: &[u8]) -> RlsResult<usize> {
259 let aead = self.cipher_suite.aead().ok_or(RlsError::AeadNone)?;
260 let buffer = RecordEncodeBuffer::new(cty, buffer, payload, aead);
261 self.write.encrypt(buffer)
262 }
263
264 pub fn read_message(&mut self, origin: &[u8], buffer: &mut [u8]) -> RlsResult<usize> {
265 let aead = self.cipher_suite.aead().ok_or(RlsError::AeadNone)?;
266 let buffer = RecordDecodeBuffer::from_buffer(origin, buffer, aead)?;
267 self.read.decrypt(buffer)
268 }
269
270 pub fn alpn(&self) -> Option<&ALPN> {
271 self.alpn.as_ref()
272 }
273
274 pub fn update_session(&mut self, data: impl AsRef<[u8]>) -> RlsResult<()> {
275 if self.mtls() || self.cipher_suite.hasher().is_none() {
276 self.session_bytes.extend_from_slice(data.as_ref());
277 }
278 if self.cipher_suite.hasher().is_some() {
279 self.cipher_suite.update(data)?;
280 }
281 Ok(())
282 }
283
284 pub fn cipher_suite(&self) -> &CipherSuite { &self.cipher_suite }
285
286 pub fn mtls(&self) -> bool { self.mtls_hash.as_u16() != 0 }
287 pub fn handle_mtls_client<W: WriteExt>(&mut self, writer: &mut W, key: &RsaKey) -> RlsResult<usize> {
288 let mut cert_verify = CertificateVerify::default();
289 cert_verify.set_hash(self.mtls_hash.clone());
290 let signer = AlgorithmSigner::new_sign(key.pkey(), &self.mtls_hash)?;
291 let sign = signer.sign(mem::take(&mut self.session_bytes))?;
292 cert_verify.set_sign(&sign);
293 let mut record = RecordLayer::handshake();
294 record.messages.push(Message::CertificateVerify(cert_verify));
295 record.write_to(writer, 1)
296 }
297}