renet/SaiTLS
10
1
Fork 0
Code Issues 3 Pull Requests Releases Wiki Activity

session: code reuse handshake secret

Browse Source
This commit is contained in:
occheung 2020-11-27 15:54:41 +08:00
parent e55b2e266b
commit 73f95555eb
2 changed files with 47 additions and 349 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

392
src/session.rs
View File

@ -196,335 +196,29 @@ impl<'a> Session<'a> {
todo!() todo!()
} }
// Generate Handshake secret // Select and update hash
match cipher_suite { match cipher_suite {
CipherSuite::TLS_AES_128_GCM_SHA256 | CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 | CipherSuite::TLS_CHACHA20_POLY1305_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => { CipherSuite::TLS_AES_128_CCM_SHA256 => {
// Select 1 hash function, then update the hash
self.hash = Hash::select_sha256(self.hash.clone()); self.hash = Hash::select_sha256(self.hash.clone());
self.hash.update(sh_slice); self.hash.update(sh_slice);
// Find early secret in terms wrapped in HKDF
let empty_psk: GenericArray<u8, <Sha256 as FixedOutput>::OutputSize> = Default::default();
let early_secret_hkdf =
Hkdf::<Sha256>::new(None, &empty_psk);
// Find handshake secret
let empty_hash = Sha256::new().chain("");
let derived_secret = derive_secret(
&early_secret_hkdf,
"derived",
empty_hash
);
let (handshake_secret, handshake_secret_hkdf) =
Hkdf::<Sha256>::extract(
Some(&derived_secret),
&shared_secret_bytes
);
// Store the handshake secret
self.latest_secret.replace(
Vec::from_slice(&handshake_secret)
.unwrap()
);
let client_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"c hs traffic",
self.hash.get_sha256_clone().unwrap()
);
let server_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"s hs traffic",
self.hash.get_sha256_clone().unwrap()
);
// Store client_handshake_traffic_secret and
// server_handshake_traffic_secret
// Initial values of both secrets don't matter
self.client_handshake_traffic_secret.replace(
Vec::from_slice(&client_handshake_traffic_secret).unwrap()
);
self.server_handshake_traffic_secret.replace(
Vec::from_slice(&server_handshake_traffic_secret).unwrap()
);
let client_handshake_traffic_secret_hkdf = Hkdf::<Sha256>::from_prk(&client_handshake_traffic_secret).unwrap();
let server_handshake_traffic_secret_hkdf = Hkdf::<Sha256>::from_prk(&server_handshake_traffic_secret).unwrap();
// Prepare holder for key and IV
let client_handshake_key: Vec<u8, U64> = {
let mut client_handshake_key_holder: Vec<u8, U64> = match cipher_suite {
// 16 bytes key size
CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => {
Vec::from_slice(&[0; 16]).unwrap()
},
// 32 bytes key size
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 => {
Vec::from_slice(&[0; 32]).unwrap()
},
// Not using Sha256 (AES_GCM_256) / not supported (CCM_8)
_ => unreachable!()
};
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"key",
"",
&mut client_handshake_key_holder
);
client_handshake_key_holder
};
let client_handshake_iv: Vec<u8, U12> = {
let mut client_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"iv",
"",
&mut client_handshake_iv_holder
);
client_handshake_iv_holder
};
let server_handshake_key: Vec<u8, U64> = {
let mut server_handshake_key_holder: Vec<u8, U64> = match cipher_suite {
// 16 bytes key size
CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => {
Vec::from_slice(&[0; 16]).unwrap()
},
// 32 bytes key size
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 => {
Vec::from_slice(&[0; 32]).unwrap()
},
// Not using Sha256 (AES_GCM_256) / not supported (CCM_8)
_ => unreachable!()
};
hkdf_expand_label(
&server_handshake_traffic_secret_hkdf,
"key",
"",
&mut server_handshake_key_holder
);
server_handshake_key_holder
};
let server_handshake_iv: Vec<u8, U12> = {
let mut server_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&server_handshake_traffic_secret_hkdf,
"iv",
"",
&mut server_handshake_iv_holder
);
server_handshake_iv_holder
};
// Store nonce
self.client_handshake_nonce = Some(client_handshake_iv);
self.server_handshake_nonce = Some(server_handshake_iv);
// Construct cipher from key & IV for client & server
// Store the ciphers
match cipher_suite {
CipherSuite::TLS_AES_128_GCM_SHA256 => {
let client_handshake_cipher = Aes128Gcm::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = Aes128Gcm::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_handshake_cipher = Some(
Cipher::Aes128Gcm {
aes128gcm: client_handshake_cipher
}
);
self.server_handshake_cipher = Some(
Cipher::Aes128Gcm {
aes128gcm: server_handshake_cipher
}
);
},
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 => {
let client_handshake_cipher = ChaCha20Poly1305::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = ChaCha20Poly1305::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_handshake_cipher = Some(
Cipher::Chacha20poly1305 {
chacha20poly1305: client_handshake_cipher
}
);
self.server_handshake_cipher = Some(
Cipher::Chacha20poly1305 {
chacha20poly1305: server_handshake_cipher
}
);
},
CipherSuite::TLS_AES_128_CCM_SHA256 => {
let client_handshake_cipher = Aes128Ccm::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = Aes128Ccm::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_handshake_cipher = Some(
Cipher::Ccm {
ccm: client_handshake_cipher
}
);
self.server_handshake_cipher = Some(
Cipher::Ccm {
ccm: server_handshake_cipher
}
);
},
_ => unreachable!()
}
}, },
CipherSuite::TLS_AES_256_GCM_SHA384 => { CipherSuite::TLS_AES_256_GCM_SHA384 => {
// Select 1 hash function, then update the hash
self.hash = Hash::select_sha384(self.hash.clone()); self.hash = Hash::select_sha384(self.hash.clone());
self.hash.update(sh_slice); self.hash.update(sh_slice);
// Find early secret in terms wrapped in HKDF
let empty_psk: GenericArray<u8, <Sha384 as FixedOutput>::OutputSize> = Default::default();
let early_secret_hkdf =
Hkdf::<Sha384>::new(None, &empty_psk);
// Find handshake secret
let empty_hash = Sha384::new().chain("");
let derived_secret = derive_secret(
&early_secret_hkdf,
"derived",
empty_hash
);
let (handshake_secret, handshake_secret_hkdf) =
Hkdf::<Sha384>::extract(
Some(&derived_secret),
&shared_secret_bytes
);
// Store the handshake secret
self.latest_secret.replace(
Vec::from_slice(&handshake_secret)
.unwrap()
);
let client_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"c hs traffic",
self.hash.get_sha384_clone().unwrap()
);
let server_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"s hs traffic",
self.hash.get_sha384_clone().unwrap()
);
// Store client_handshake_traffic_secret and
// server_handshake_traffic_secret
// Initial values of both secrets don't matter
self.client_handshake_traffic_secret.replace(
Vec::from_slice(&client_handshake_traffic_secret).unwrap()
);
self.server_handshake_traffic_secret.replace(
Vec::from_slice(&server_handshake_traffic_secret).unwrap()
);
let client_handshake_traffic_secret_hkdf = Hkdf::<Sha384>::from_prk(&client_handshake_traffic_secret).unwrap();
let server_handshake_traffic_secret_hkdf = Hkdf::<Sha384>::from_prk(&server_handshake_traffic_secret).unwrap();
// Prepare holder for key and IV
let client_handshake_key: Vec<u8, U64> = {
// 32 bytes key size
let mut client_handshake_key_holder: Vec<u8, U64> =
Vec::from_slice(&[0; 32]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"key",
"",
&mut client_handshake_key_holder
);
client_handshake_key_holder
};
let client_handshake_iv: Vec<u8, U12> = {
let mut client_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"iv",
"",
&mut client_handshake_iv_holder
);
client_handshake_iv_holder
};
let server_handshake_key: Vec<u8, U64> = {
// 32 bytes key size
let mut server_handshake_key_holder: Vec<u8, U64> =
Vec::from_slice(&[0; 32]).unwrap();
hkdf_expand_label(
&server_handshake_traffic_secret_hkdf,
"key",
"",
&mut server_handshake_key_holder
);
server_handshake_key_holder
};
let server_handshake_iv: Vec<u8, U12> = {
let mut server_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&server_handshake_traffic_secret_hkdf,
"iv",
"",
&mut server_handshake_iv_holder
);
server_handshake_iv_holder
};
// Store nonce
self.client_handshake_nonce = Some(client_handshake_iv);
self.server_handshake_nonce = Some(server_handshake_iv);
let client_handshake_cipher = Aes256Gcm::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = Aes256Gcm::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_handshake_cipher = Some(
Cipher::Aes256Gcm {
aes256gcm: client_handshake_cipher
}
);
self.server_handshake_cipher = Some(
Cipher::Aes256Gcm {
aes256gcm: server_handshake_cipher
}
);
}, },
CipherSuite::TLS_AES_128_CCM_8_SHA256 => { _ => unreachable!()
unreachable!()
} }
};
self.state = TlsState::WAIT_EE;
// Key exchange occurred, set seq_num to 0. // Generate Handshake secret
self.client_sequence_number = 0; // Handle handshake key generation
self.server_sequence_number = 0; self.find_handshake_keying_info(
&shared_secret_bytes,
cipher_suite
);
self.state = TlsState::WAIT_EE;
} }
pub(crate) fn client_update_for_ee(&mut self, ee_slice: &[u8]) { pub(crate) fn client_update_for_ee(&mut self, ee_slice: &[u8]) {
@ -1232,9 +926,40 @@ impl<'a> Session<'a> {
} }
let server_selected_cipher = self.server_selected_cipher.take().unwrap(); let server_selected_cipher = self.server_selected_cipher.take().unwrap();
// Handle handshake key generation
self.find_handshake_keying_info(
&shared_secret_bytes,
server_selected_cipher
)
}
pub(crate) fn server_update_for_encrypted_extension(
&mut self,
encryption_extension_slice: &[u8],
) {
self.hash.update(encryption_extension_slice);
}
pub(crate) fn server_update_for_sent_certificate(
&mut self,
certificate_slice: &[u8]
) {
self.hash.update(certificate_slice);
}
pub(crate) fn server_update_for_sent_certificate_verify(
&mut self,
certificate_verify_slice: &[u8]
) {
self.hash.update(certificate_verify_slice);
}
fn find_handshake_keying_info(&mut self, shared_secret_bytes: &[u8], cipher_suite: CipherSuite) {
// Ensure that it is 32-bytes long
assert!(shared_secret_bytes.len() == 32);
// Find handshake keys and IV // Find handshake keys and IV
match server_selected_cipher { match cipher_suite {
CipherSuite::TLS_AES_128_CCM_SHA256 | CipherSuite::TLS_AES_128_CCM_SHA256 |
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 | CipherSuite::TLS_CHACHA20_POLY1305_SHA256 |
CipherSuite::TLS_AES_128_GCM_SHA256 => { CipherSuite::TLS_AES_128_GCM_SHA256 => {
@ -1289,7 +1014,7 @@ impl<'a> Session<'a> {
// Prepare holder for key and IV // Prepare holder for key and IV
let client_handshake_key: Vec<u8, U64> = { let client_handshake_key: Vec<u8, U64> = {
let mut client_handshake_key_holder: Vec<u8, U64> = match server_selected_cipher { let mut client_handshake_key_holder: Vec<u8, U64> = match cipher_suite {
// 16 bytes key size // 16 bytes key size
CipherSuite::TLS_AES_128_GCM_SHA256 | CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => { CipherSuite::TLS_AES_128_CCM_SHA256 => {
@ -1323,7 +1048,7 @@ impl<'a> Session<'a> {
}; };
let server_handshake_key: Vec<u8, U64> = { let server_handshake_key: Vec<u8, U64> = {
let mut server_handshake_key_holder: Vec<u8, U64> = match server_selected_cipher { let mut server_handshake_key_holder: Vec<u8, U64> = match cipher_suite {
// 16 bytes key size // 16 bytes key size
CipherSuite::TLS_AES_128_GCM_SHA256 | CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => { CipherSuite::TLS_AES_128_CCM_SHA256 => {
@ -1362,7 +1087,7 @@ impl<'a> Session<'a> {
// Construct cipher from key & IV for client & server // Construct cipher from key & IV for client & server
// Store the ciphers // Store the ciphers
match server_selected_cipher { match cipher_suite {
CipherSuite::TLS_AES_128_GCM_SHA256 => { CipherSuite::TLS_AES_128_GCM_SHA256 => {
let client_handshake_cipher = Aes128Gcm::new( let client_handshake_cipher = Aes128Gcm::new(
GenericArray::from_slice(&client_handshake_key) GenericArray::from_slice(&client_handshake_key)
@ -1546,33 +1271,8 @@ impl<'a> Session<'a> {
CipherSuite::TLS_AES_128_CCM_8_SHA256 => unreachable!() CipherSuite::TLS_AES_128_CCM_8_SHA256 => unreachable!()
} }
// Will send EE, {CR}, Cert, CV FIN in the same state
// No need to mutate FSM
// Ensure that the sequence numbers start from 0
self.client_sequence_number = 0;
self.server_sequence_number = 0; self.server_sequence_number = 0;
} self.client_sequence_number = 0;
pub(crate) fn server_update_for_encrypted_extension(
&mut self,
encryption_extension_slice: &[u8],
) {
self.hash.update(encryption_extension_slice);
}
pub(crate) fn server_update_for_sent_certificate(
&mut self,
certificate_slice: &[u8]
) {
self.hash.update(certificate_slice);
}
pub(crate) fn server_update_for_sent_certificate_verify(
&mut self,
certificate_verify_slice: &[u8]
) {
self.hash.update(certificate_verify_slice);
} }
pub(crate) fn verify_session_id_echo(&self, session_id_echo: &[u8]) -> bool { pub(crate) fn verify_session_id_echo(&self, session_id_echo: &[u8]) -> bool {

2
src/tls.rs
View File

@ -1156,8 +1156,6 @@ impl<'s> TlsSocket<'s> {
let mut version_check = false; let mut version_check = false;
let mut offered_p256 = false; let mut offered_p256 = false;
let mut offered_x25519 = false; let mut offered_x25519 = false;
// let mut p256_public_key: Option<p256::EncodedPoint> = None;
// let mut x25519_public_key: Option<x25519_dalek::PublicKey> = None;
let mut ecdhe_public_key: Option<DiffieHellmanPublicKey> = None; let mut ecdhe_public_key: Option<DiffieHellmanPublicKey> = None;
let mut signature_algorithm: Option<SignatureScheme> = None; let mut signature_algorithm: Option<SignatureScheme> = None;