ytls_server/server_ctx/
s_handshake.rs

1//! yTls Server Handshake Context
2
3use ytls_record::Content;
4use ytls_record::MsgType;
5use ytls_record::Record;
6
7mod r_server_hello;
8mod s_client_finished;
9mod s_client_hello;
10
11mod r_encrypted_extensions;
12mod r_server_certificate_verify;
13mod r_server_certificates;
14mod r_server_handshake_finished;
15
16use ytls_traits::CryptoConfig;
17use ytls_traits::{TlsLeftIn, TlsLeftOut};
18
19use ytls_traits::CryptoSha256HkdfExtractProcessor;
20use ytls_traits::CryptoSha256HkdfGenProcessor;
21use ytls_traits::CryptoSha256TranscriptProcessor;
22use ytls_traits::CryptoSha384TranscriptProcessor;
23use ytls_traits::CryptoX25519Processor;
24
25use ytls_keys::Tls13Keys;
26use ytls_traits::SecretStore;
27use ytls_traits::Tls13KeyScheduleApSha256;
28use ytls_traits::Tls13KeyScheduleDerivedSha256;
29use ytls_traits::Tls13KeyScheduleHandshakeSha256;
30use ytls_traits::Tls13KeyScheduleInit;
31
32use rand_core::CryptoRng;
33
34use crate::TlsServerCtxConfig;
35use crate::{CtxError, Rfc8446Error};
36
37use ytls_util::Nonce12;
38
39use ytls_keys::Tls13KeysHandshakeSha256;
40
41/// State machine context for yTLS Server
42pub struct ServerHandshakeCtx<Config, Crypto, Rng> {
43    /// Downstream config implementation
44    config: Config,
45    /// Downstream crypto implementation
46    crypto: Crypto,
47    /// Downstream rng implementation
48    rng: Rng,
49    /// Downstream found host through SNI
50    downstream_found_host: bool,
51    /// X25519 Group supported
52    group_x25519_supported: bool,
53    /// TLS_CHACHA20_POLY1305_SHA256 supported
54    chacha20_poly1305_sha256_supported: bool,
55    /// Ed25519 Signature Algorithm supported
56    sig_alg_ed25519_supported: bool,
57    /// TLS 1.3 supported
58    tls13_supported: bool,
59    /// Extended main secret used
60    extended_main_secret: bool,
61    /// Record size limit
62    record_size_limit: u16,
63    /// Signed Certificage Timestamps
64    signed_cert_ts: bool,
65    /// Sig alg RsaPkcs1Sha256 supported ?
66    sig_alg_rsa_pkcs1_sha256_supported: bool,
67
68    //--------------------------------------------
69    // TODO: Move all of the below away from here
70    //       some of these shoul get zeroized too
71    //       probably best to do through type state
72    //--------------------------------------------
73    /// Client supplied random
74    client_random: Option<[u8; 32]>,
75    /// Client X25519 pk
76    client_x25519_pk: Option<[u8; 32]>,
77    /// Client Session Id (max 100 bytes)
78    // TODO: handle this better.. this is wasteful - protocol is dumb wasting bytes here.
79    client_session_id: Option<[u8; 100]>,
80    /// Client Session Id len (max 100 bytes)
81    client_session_len: usize,
82    /// Curve25519 Public Key
83    public_key: Option<[u8; 32]>,
84    /// Handshake secrets
85    // TODO: move these to vault provider and make sure they get zeroized
86    /// Shared Secret
87    shared_secret: Option<[u8; 32]>,
88    /// Key Share for X25519
89    key_share: [u8; 36],
90    handshake_server_key: Option<[u8; 32]>,
91    handshake_client_key: Option<[u8; 32]>,
92    handshake_server_iv: Option<Nonce12>,
93    handshake_client_iv: Option<Nonce12>,
94    handshake_finished_server_key: Option<[u8; 32]>,
95    handshake_finished_client_key: Option<[u8; 32]>,
96
97    // TODO: get rid of these (atleast from here)
98    signature_cert_verify: Option<[u8; 100]>,
99    signature_cert_verify_len: usize,
100    /// cert verify ctx hash sha256
101    cert_verify_hash: Option<[u8; 32]>,
102    /// Client+Server hellos hash
103    hello_hash: Option<[u8; 32]>,
104    /// Handshake finished hash
105    hash_finished: Option<[u8; 32]>,
106
107    is_complete: bool,
108}
109
110impl<Config, Crypto, Rng> ServerHandshakeCtx<Config, Crypto, Rng>
111where
112    Config: TlsServerCtxConfig,
113    Crypto: CryptoConfig,
114    Rng: CryptoRng,
115{
116    /// New yTLS server context with the given configuration
117    pub fn with_required(config: Config, crypto: Crypto, rng: Rng) -> Self {
118        Self {
119            config,
120            crypto,
121            rng,
122            downstream_found_host: false,
123            group_x25519_supported: false,
124            chacha20_poly1305_sha256_supported: false,
125            sig_alg_ed25519_supported: false,
126            tls13_supported: false,
127            extended_main_secret: false,
128            record_size_limit: 0,
129            signed_cert_ts: false,
130            sig_alg_rsa_pkcs1_sha256_supported: false,
131            client_random: None,
132            client_x25519_pk: None,
133            client_session_id: None,
134            client_session_len: 0,
135            public_key: None,
136            shared_secret: None,
137            key_share: [0; 36],
138            handshake_server_key: None,
139            handshake_client_key: None,
140            handshake_server_iv: None,
141            handshake_client_iv: None,
142            handshake_finished_server_key: None,
143            handshake_finished_client_key: None,
144
145            cert_verify_hash: None,
146            hello_hash: None,
147            hash_finished: None,
148            signature_cert_verify: None,
149            signature_cert_verify_len: 0,
150
151            is_complete: false,
152        }
153    }
154}
155
156use ytls_traits::CtxApplicationProcessor;
157use ytls_traits::CtxHandshakeProcessor;
158use ytls_traits::HandshakeComplete;
159
160impl<Config, Crypto, Rng> CtxHandshakeProcessor for ServerHandshakeCtx<Config, Crypto, Rng>
161where
162    Config: TlsServerCtxConfig,
163    Crypto: CryptoConfig,
164    Rng: CryptoRng,
165{
166    type Error = CtxError;
167    /// Spin yTLS Server Handshake Context
168    #[inline]
169    fn spin_handshake<Li: TlsLeftIn, Lo: TlsLeftOut, Ks: SecretStore>(
170        &mut self,
171        li: &mut Li,
172        lo: &mut Lo,
173        ks: &mut Ks,
174    ) -> Result<Option<HandshakeComplete>, Self::Error> {
175        if self.is_complete {
176            return Ok(Some(HandshakeComplete));
177        }
178
179        let init_data = li.left_buf_in();
180        let init_len = init_data.len();
181        let mut data = init_data;
182
183        #[allow(unused_assignments)]
184        let mut consumed = 0;
185
186        loop {
187            let (rec, remaining) =
188                Record::parse_client(self, data).map_err(|e| CtxError::Record(e))?;
189
190            consumed = init_len - remaining.len();
191
192            // TODO: why is this still here?
193            if self.shared_secret.is_none() {
194                if let Some(pk) = self.client_x25519_pk {
195                    let x25519_ctx = self.crypto.x25519_init(&mut self.rng);
196                    self.public_key = Some(x25519_ctx.x25519_public_key());
197                    self.shared_secret = Some(x25519_ctx.x25519_shared_secret(&pk));
198                    self.key_share = self.key_share_x25519();
199                }
200            }
201
202            match rec.content() {
203                Content::ChangeCipherSpec => {
204                    // ignore
205                }
206                Content::ApplicationData => {
207                    let key = match self.handshake_client_key {
208                        Some(k) => k,
209                        None => return Err(CtxError::Bug(
210                            "Did not have client key for decrypting. Was supposed to be guarded.",
211                        )),
212                    };
213
214                    let nonce: [u8; 12] = match self.handshake_client_iv {
215                        None => return Err(CtxError::MissingHandshakeIv),
216                        Some(ref mut n) => match n.use_and_incr() {
217                            Some(cur) => cur,
218                            None => return Err(CtxError::ExhaustedIv),
219                        },
220                    };
221
222                    let cipher = Crypto::aead_chaha20poly1305(&key);
223
224                    let full_payload = rec.as_bytes();
225                    let full_payload_len = full_payload.len();
226
227                    let mut tag: [u8; 16] = [0; 16];
228
229                    let body_len = full_payload_len - 16;
230                    let mut body: [u8; 8192] = [0; 8192];
231
232                    body[0..body_len].copy_from_slice(&full_payload[0..body_len]);
233
234                    tag.copy_from_slice(&full_payload[body_len..body_len + 16]);
235
236                    let additional_data = rec.header_as_bytes();
237
238                    use ytls_traits::CryptoChaCha20Poly1305Processor;
239                    cipher
240                        .decrypt_in_place(&nonce, &additional_data, &mut body[0..body_len], &tag)
241                        .map_err(|_| CtxError::Rfc8446(Rfc8446Error::Decrypt))?;
242
243                    use ytls_record::{WrappedMsgType, WrappedRecord};
244                    let r = WrappedRecord::parse_client(&body[0..body_len])
245                        .map_err(|_| CtxError::Rfc8446(Rfc8446Error::Unexpected))?;
246
247                    use ytls_record::HandshakeMsg;
248
249                    match r.msg() {
250                        WrappedMsgType::Handshake(HandshakeMsg {
251                            msg: MsgType::ClientFinished(f),
252                            ..
253                        }) => {
254                            self.check_client_finished(&f)?;
255                            self.is_complete = true;
256                        }
257                        WrappedMsgType::Alert(_alert) => {
258                            // do nothing with it for now
259                        }
260                        _ => {
261                            return Err(CtxError::Rfc8446(Rfc8446Error::Unexpected));
262                        }
263                    }
264                }
265                Content::Handshake(content) => {
266                    let msg = content.msg();
267                    match msg {
268                        MsgType::ClientFinished(_) => {
269                            return Err(CtxError::Rfc8446(Rfc8446Error::Unexpected));
270                        }
271                        MsgType::ClientHello(_h) => {
272                            let shared_secret = match self.shared_secret {
273                                Some(s) => s,
274                                None => {
275                                    return Err(CtxError::Bug(
276                                        "Supposed to have shared secret and was not guarded.",
277                                    ))
278                                }
279                            };
280
281                            // TODO: move this to ctx (generalize)
282                            let mut transcript = Crypto::sha256_init();
283                            transcript.sha256_update(rec.as_bytes());
284                            self.do_server_hello(lo, &mut transcript)?;
285                            let mut transcript_more = transcript.sha256_fork();
286                            let hello_hash = transcript.sha256_finalize();
287
288                            self.hello_hash = Some(hello_hash);
289
290                            let k = Tls13Keys::<Crypto>::no_psk_with_crypto_and_sha256();
291                            let hs_k = k.dh_x25519(&shared_secret, &hello_hash);
292
293                            let mut server_handshake_iv: [u8; 12] = [0; 12];
294                            let mut server_handshake_key: [u8; 32] = [0; 32];
295                            let mut server_handshake_finished_key: [u8; 32] = [0; 32];
296                            hs_k.handshake_server_iv(&mut server_handshake_iv);
297                            hs_k.handshake_server_key(&mut server_handshake_key);
298                            hs_k.handshake_server_finished_key(&mut server_handshake_finished_key);
299
300                            self.handshake_server_key = Some(server_handshake_key);
301                            self.handshake_server_iv =
302                                Some(Nonce12::from_ks_iv(&server_handshake_iv));
303                            self.handshake_finished_server_key =
304                                Some(server_handshake_finished_key);
305
306                            let mut client_handshake_iv: [u8; 12] = [0; 12];
307                            let mut client_handshake_key: [u8; 32] = [0; 32];
308                            let mut client_handshake_finished_key: [u8; 32] = [0; 32];
309                            hs_k.handshake_client_iv(&mut client_handshake_iv);
310                            hs_k.handshake_client_key(&mut client_handshake_key);
311                            hs_k.handshake_client_finished_key(&mut client_handshake_finished_key);
312                            self.handshake_client_key = Some(client_handshake_key);
313                            self.handshake_client_iv =
314                                Some(Nonce12::from_ks_iv(&client_handshake_iv));
315                            self.handshake_finished_client_key =
316                                Some(client_handshake_finished_key);
317
318                            self.do_encrypted_extensions(lo, &mut transcript_more)?;
319
320                            self.do_server_certificates(lo, &mut transcript_more)?;
321
322                            self.do_server_certificate_verify(lo, &mut transcript_more)?;
323
324                            self.do_server_handshake_finished(lo, &mut transcript_more)?;
325
326                            let finish_handshake_hash =
327                                transcript_more.sha256_fork().sha256_finalize();
328                            self.hash_finished = Some(finish_handshake_hash);
329
330                            let ap_k = hs_k.finished_handshake(&finish_handshake_hash);
331
332                            let mut server_application_iv: [u8; 12] = [0; 12];
333                            let mut server_application_key: [u8; 32] = [0; 32];
334                            let mut client_application_iv: [u8; 12] = [0; 12];
335                            let mut client_application_key: [u8; 32] = [0; 32];
336
337                            ap_k.application_server_key(&mut server_application_key);
338                            ap_k.application_server_iv(&mut server_application_iv);
339                            ap_k.application_client_key(&mut client_application_key);
340
341                            ap_k.application_client_iv(&mut client_application_iv);
342
343                            ks.store_ap_client_key(&client_application_key);
344                            ks.store_ap_client_iv(&client_application_iv);
345                            ks.store_ap_server_key(&server_application_key);
346                            ks.store_ap_server_iv(&server_application_iv);
347                        }
348                        _ => return Err(CtxError::Rfc8446(Rfc8446Error::Unexpected)),
349                    }
350                }
351                Content::Alert(_alert) => {
352                    // do nothing with it for now
353                }
354            }
355
356            if remaining.len() == 0 {
357                break;
358            }
359
360            data = remaining;
361        }
362
363        li.left_buf_mark_discard_in(consumed);
364
365        if self.is_complete {
366            return Ok(Some(HandshakeComplete));
367        }
368
369        Ok(None)
370    }
371}
ytls_server/server_ctx/s_handshake.rs

ytls_server/server_ctx/
s_handshake.rs
