renet
/
SaiTLS
10
1
Fork 0
Code Issues 3 Pull Requests Releases Wiki Activity

session: init

This commit is contained in:
occheung 2020-10-17 20:10:18 +08:00
parent ec53973aec
commit ec0662e752
6 changed files with 648 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/buffer.rs
View File

@ -12,7 +12,7 @@ use crate::key::*;
// Only designed to support read or write the entire buffer
// TODO: Stricter visibility
pub(crate) struct TlsBuffer<'a> {
pub struct TlsBuffer<'a> {
buffer: &'a mut [u8],
index: RefCell<usize>,
}

18
src/key.rs
View File

@ -9,19 +9,19 @@ use crate::buffer::TlsBuffer;
use core::convert::TryFrom;
#[derive(Debug, Clone)]
pub(crate) struct HkdfLabel<'a> {
pub struct HkdfLabel<'a> {
// Length of hash function
pub(crate) length: u16,
pub length: u16,
// Label vector: "tls13 " + label
pub(crate) label_length: u8,
pub(crate) label: &'a [u8],
pub label_length: u8,
pub label: &'a [u8],
// Context vector: Hashed message
pub(crate) context_length: u8,
pub(crate) context: &'a [u8],
pub context_length: u8,
pub context: &'a [u8],
}
// Implementation of Derive-Secret function in RFC8446
pub(crate) fn derive_secret<Hash>(
pub fn derive_secret<Hash>(
hkdf: &Hkdf<Hash>,
label: &str,
hash: Hash
@ -66,7 +66,7 @@ where
// Implementation of HKDF-Expand-Label function in RFC8446
// Secret is embedded inside hkdf through salt and input key material (IKM)
pub(crate) fn hkdf_expand_label<Hash>(
pub fn hkdf_expand_label<Hash>(
hkdf: &Hkdf<Hash>,
label: &str,
context: &str,
@ -104,7 +104,7 @@ where
// context_vec: 48 bytes for SHA384 + 1 byte (len)
let mut array = [0; 100];
let mut buffer = TlsBuffer::new(&mut array);
buffer.enqueue_hkdf_label(hkdf_label);
buffer.enqueue_hkdf_label(hkdf_label).unwrap();
let info: &[u8] = buffer.into();
hkdf.expand(info, okm).unwrap();

1
src/lib.rs
View File

@ -9,6 +9,7 @@ pub mod parse;
pub mod cipher_suite;
pub mod buffer;
pub mod key;
pub mod session;
// TODO: Implement errors
// Details: Encapsulate smoltcp & nom errors

105
src/main.rs
View File

@ -8,6 +8,20 @@ use rand_core::CryptoRng;
use rand_core::impls;
use rand_core::Error;
use p256::{EncodedPoint, AffinePoint, ecdh::EphemeralSecret, ecdh::SharedSecret};
use aes_gcm::{Aes128Gcm, Aes256Gcm};
use chacha20poly1305::{ChaCha20Poly1305, Key};
use ccm::{Ccm, consts::*};
use aes_gcm::aes::Aes128;
use aes_gcm::{AeadInPlace, NewAead};
use generic_array::GenericArray;
use sha2::{ Digest, Sha256, Sha384, Sha512 };
use heapless::Vec;
use hkdf::Hkdf;
use smoltcp_tls::key::*;
use smoltcp_tls::buffer::TlsBuffer;
struct CountingRng(u64);
impl RngCore for CountingRng {
@ -57,5 +71,92 @@ fn main() {
49600
).unwrap();
tls_socket.tls_connect(&mut sockets).unwrap();
}
// tls_socket.tls_connect(&mut sockets).unwrap();
let psk: [u8; 32] = [0; 32];
let early_secret = Hkdf::<Sha256>::new(None, &psk);
let derived_secret = derive_secret(
&early_secret,
"derived",
Sha256::new().chain("")
);
let (handshake_secret, handshake_secret_hkdf) = Hkdf::<Sha256>::extract(
Some(&derived_secret),
&SHARED_SECRET
);
let client_handshake_traffic_secret = {
let hkdf_label = HkdfLabel {
length: 32,
label_length: 18,
label: b"tls13 c hs traffic",
context_length: 32,
context: &HELLO_HASH,
};
let mut array = [0; 100];
let mut buffer = TlsBuffer::new(&mut array);
buffer.enqueue_hkdf_label(hkdf_label);
let info: &[u8] = buffer.into();
// Define output key material (OKM), dynamically sized by hash
let mut okm: GenericArray<u8, U32> = GenericArray::default();
handshake_secret_hkdf.expand(info, &mut okm).unwrap();
okm
};
let server_handshake_traffic_secret = {
let hkdf_label = HkdfLabel {
length: 32,
label_length: 18,
label: b"tls13 s hs traffic",
context_length: 32,
context: &HELLO_HASH,
};
let mut array = [0; 100];
let mut buffer = TlsBuffer::new(&mut array);
buffer.enqueue_hkdf_label(hkdf_label);
let info: &[u8] = buffer.into();
// Define output key material (OKM), dynamically sized by hash
let mut okm: GenericArray<u8, U32> = GenericArray::default();
handshake_secret_hkdf.expand(info, &mut okm).unwrap();
okm
};
let client_handshake_write_key = {
let hkdf_label = HkdfLabel {
length: 16,
label_length: 9,
label: b"tls13 key",
context_length: 0,
context: b"",
};
let mut array = [0; 100];
let mut buffer = TlsBuffer::new(&mut array);
buffer.enqueue_hkdf_label(hkdf_label);
let info: &[u8] = buffer.into();
// Define output key material (OKM), dynamically sized by hash
let mut okm: GenericArray<u8, U16> = GenericArray::default();
Hkdf::<Sha256>::from_prk(&client_handshake_traffic_secret)
.unwrap()
.expand(info, &mut okm);
okm
};
println!("{:x?}", client_handshake_traffic_secret);
println!("{:x?}", server_handshake_traffic_secret);
println!("{:x?}", client_handshake_write_key);
}
const SHARED_SECRET: [u8; 32] = [
0xdf, 0x4a, 0x29, 0x1b, 0xaa, 0x1e, 0xb7, 0xcf,
0xa6, 0x93, 0x4b, 0x29, 0xb4, 0x74, 0xba, 0xad,
0x26, 0x97, 0xe2, 0x9f, 0x1f, 0x92, 0x0d, 0xcc,
0x77, 0xc8, 0xa0, 0xa0, 0x88, 0x44, 0x76, 0x24
];
const HELLO_HASH: [u8; 32] = [
0xda, 0x75, 0xce, 0x11, 0x39, 0xac, 0x80, 0xda,
0xe4, 0x04, 0x4d, 0xa9, 0x32, 0x35, 0x0c, 0xf6,
0x5c, 0x97, 0xcc, 0xc9, 0xe3, 0x3f, 0x1e, 0x6f,
0x7d, 0x2d, 0x4b, 0x18, 0xb7, 0x36, 0xff, 0xd5
];

528
src/session.rs
View File

@ -0,0 +1,528 @@
use p256::{ EncodedPoint, ecdh::EphemeralSecret };
use heapless::{ Vec, consts::* };
use sha2::{ Digest, Sha256, Sha384, digest::FixedOutput };
use aes_gcm::{ Aes128Gcm, Aes256Gcm, aes::Aes128 };
use aes_gcm::{ AeadInPlace, NewAead, aead::Buffer };
use chacha20poly1305::ChaCha20Poly1305;
use ccm::Ccm;
use hkdf::Hkdf;
use generic_array::GenericArray;
use core::convert::AsRef;
use core::cell::RefCell;
use crate::tls::TlsState;
use crate::tls_packet::CipherSuite;
use crate::key::*;
use crate::Error;
type Aes128Ccm = Ccm<Aes128, U16, U12>;
pub(crate) struct Session {
state: TlsState,
role: TlsRole,
// Session ID for this session
session_id: Option<[u8; 32]>,
// Changed cipher spec
changed_cipher_spec: bool,
// Handshake secret, Master secret
// Early secret is computed right before HS
latest_secret: Option<Vec<u8, U64>>,
// Hash functions needed
hash: Hash,
// Ephemeral secret for ECDHE key exchange
ecdhe_secret: Option<EphemeralSecret>,
// Block ciphers for client & server
client_cipher: Option<Cipher>,
server_cipher: Option<Cipher>,
// Traffic secret for client & server
// Keeping traffic secret for key re-computation
client_traffic_secret: Option<Vec<u8, U64>>,
server_traffic_secret: Option<Vec<u8, U64>>,
// Nonce (IV) for client & server
// Always 12 bytes long
client_nonce: Option<Vec<u8, U12>>,
server_nonce: Option<Vec<u8, U12>>,
}
impl Session {
pub(crate) fn new(role: TlsRole) -> Self {
let hash = Hash::Undetermined {
sha256: Sha256::new(),
sha384: Sha384::new(),
};
Self {
state: TlsState::START,
role,
session_id: None,
changed_cipher_spec: false,
latest_secret: None,
hash,
ecdhe_secret: None,
client_cipher: None,
server_cipher: None,
client_traffic_secret: None,
server_traffic_secret: None,
client_nonce: None,
server_nonce: None,
}
}
// State transition from START to WAIT_SH
pub(crate) fn client_update_for_ch(
&mut self,
ecdhe_secret: EphemeralSecret,
session_id: [u8; 32],
ch_slice: &[u8]
) {
// Handle inappropriate call to move state
if self.state != TlsState::START || self.role != TlsRole::Client {
todo!()
}
self.ecdhe_secret = Some(ecdhe_secret);
self.session_id = Some(session_id);
self.hash.update(ch_slice);
self.state = TlsState::WAIT_SH;
}
// State transition from WAIT_SH to WAIT_EE
pub(crate) fn client_update_for_sh(
&mut self,
cipher_suite: CipherSuite,
encoded_point: EncodedPoint,
sh_slice: &[u8]
) {
// Handle inappropriate call to move state
if self.state != TlsState::WAIT_SH || self.role != TlsRole::Client {
todo!()
}
// Generate ECDHE shared secret
// Remove private secret
let ecdhe_shared_secret =
self.ecdhe_secret
.take()
.unwrap()
.diffie_hellman(&encoded_point)
.unwrap();
// Generate Handshake secret
match cipher_suite {
CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => {
// Select 1 hash function, then update the hash
self.hash = Hash::select_sha256(self.hash.clone());
self.hash.update(sh_slice);
// Find early secret in terms wrapped in HKDF
let empty_psk: GenericArray<u8, <Sha256 as FixedOutput>::OutputSize> = Default::default();
let early_secret_hkdf =
Hkdf::<Sha256>::new(None, &empty_psk);
// Find handshake secret
let empty_hash = Sha256::new().chain("");
let derived_secret = derive_secret(
&early_secret_hkdf,
"derived",
empty_hash
);
let (handshake_secret, handshake_secret_hkdf) =
Hkdf::<Sha256>::extract(
Some(&derived_secret),
ecdhe_shared_secret.as_bytes()
);
let client_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"c hs traffic",
self.hash.get_sha256_clone()
);
let server_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"s hs traffic",
self.hash.get_sha256_clone()
);
let client_handshake_traffic_secret_hkdf = Hkdf::<Sha256>::from_prk(&client_handshake_traffic_secret).unwrap();
let server_handshake_traffic_secret_hkdf = Hkdf::<Sha256>::from_prk(&server_handshake_traffic_secret).unwrap();
// Prepare holder for key and IV
let client_handshake_key: Vec<u8, U64> = {
let mut client_handshake_key_holder: Vec<u8, U64> = match cipher_suite {
// 16 bytes key size
CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => {
Vec::from_slice(&[0; 16]).unwrap()
},
// 32 bytes key size
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 => {
Vec::from_slice(&[0; 32]).unwrap()
},
// Not using Sha256 (AES_GCM_256) / not supported (CCM_8)
_ => unreachable!()
};
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"key",
"",
&mut client_handshake_key_holder
);
client_handshake_key_holder
};
let client_handshake_iv: Vec<u8, U12> = {
let mut client_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"iv",
"",
&mut client_handshake_iv_holder
);
client_handshake_iv_holder
};
let server_handshake_key: Vec<u8, U64> = {
let mut server_handshake_key_holder: Vec<u8, U64> = match cipher_suite {
// 16 bytes key size
CipherSuite::TLS_AES_128_GCM_SHA256 |
CipherSuite::TLS_AES_128_CCM_SHA256 => {
Vec::from_slice(&[0; 16]).unwrap()
},
// 32 bytes key size
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 => {
Vec::from_slice(&[0; 32]).unwrap()
},
// Not using Sha256 (AES_GCM_256) / not supported (CCM_8)
_ => unreachable!()
};
hkdf_expand_label(
&server_handshake_traffic_secret_hkdf,
"key",
"",
&mut server_handshake_key_holder
);
server_handshake_key_holder
};
let server_handshake_iv: Vec<u8, U12> = {
let mut server_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"iv",
"",
&mut server_handshake_iv_holder
);
server_handshake_iv_holder
};
// Store nonce
self.client_nonce = Some(client_handshake_iv);
self.server_nonce = Some(server_handshake_iv);
// Construct cipher from key & IV for client & server
// Store the ciphers
match cipher_suite {
CipherSuite::TLS_AES_128_GCM_SHA256 => {
let client_handshake_cipher = Aes128Gcm::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = Aes128Gcm::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_cipher = Some(
Cipher::Aes128Gcm {
aes128gcm: client_handshake_cipher
}
);
self.server_cipher = Some(
Cipher::Aes128Gcm {
aes128gcm: server_handshake_cipher
}
);
},
CipherSuite::TLS_CHACHA20_POLY1305_SHA256 => {
let client_handshake_cipher = ChaCha20Poly1305::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = ChaCha20Poly1305::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_cipher = Some(
Cipher::Chacha20poly1305 {
chacha20poly1305: client_handshake_cipher
}
);
self.server_cipher = Some(
Cipher::Chacha20poly1305 {
chacha20poly1305: server_handshake_cipher
}
);
},
CipherSuite::TLS_AES_128_CCM_SHA256 => {
let client_handshake_cipher = Aes128Ccm::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = Aes128Ccm::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_cipher = Some(
Cipher::Ccm {
ccm: client_handshake_cipher
}
);
self.server_cipher = Some(
Cipher::Ccm {
ccm: server_handshake_cipher
}
);
},
_ => unreachable!()
}
}
CipherSuite::TLS_AES_256_GCM_SHA384 => {
// Select 1 hash function, then update the hash
self.hash = Hash::select_sha384(self.hash.clone());
self.hash.update(sh_slice);
// Find early secret in terms wrapped in HKDF
let empty_psk: GenericArray<u8, <Sha384 as FixedOutput>::OutputSize> = Default::default();
let early_secret_hkdf =
Hkdf::<Sha384>::new(None, &empty_psk);
// Find handshake secret
let empty_hash = Sha384::new().chain("");
let derived_secret = derive_secret(
&early_secret_hkdf,
"derived",
empty_hash
);
let (handshake_secret, handshake_secret_hkdf) =
Hkdf::<Sha384>::extract(
Some(&derived_secret),
ecdhe_shared_secret.as_bytes()
);
let client_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"c hs traffic",
self.hash.get_sha384_clone()
);
let server_handshake_traffic_secret = derive_secret(
&handshake_secret_hkdf,
"s hs traffic",
self.hash.get_sha384_clone()
);
let client_handshake_traffic_secret_hkdf = Hkdf::<Sha384>::from_prk(&client_handshake_traffic_secret).unwrap();
let server_handshake_traffic_secret_hkdf = Hkdf::<Sha384>::from_prk(&server_handshake_traffic_secret).unwrap();
// Prepare holder for key and IV
let client_handshake_key: Vec<u8, U64> = {
// 32 bytes key size
let mut client_handshake_key_holder: Vec<u8, U64> =
Vec::from_slice(&[0; 32]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"key",
"",
&mut client_handshake_key_holder
);
client_handshake_key_holder
};
let client_handshake_iv: Vec<u8, U12> = {
let mut client_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"iv",
"",
&mut client_handshake_iv_holder
);
client_handshake_iv_holder
};
let server_handshake_key: Vec<u8, U64> = {
// 32 bytes key size
let mut server_handshake_key_holder: Vec<u8, U64> =
Vec::from_slice(&[0; 32]).unwrap();
hkdf_expand_label(
&server_handshake_traffic_secret_hkdf,
"key",
"",
&mut server_handshake_key_holder
);
server_handshake_key_holder
};
let server_handshake_iv: Vec<u8, U12> = {
let mut server_handshake_iv_holder = Vec::from_slice(&[0; 12]).unwrap();
hkdf_expand_label(
&client_handshake_traffic_secret_hkdf,
"iv",
"",
&mut server_handshake_iv_holder
);
server_handshake_iv_holder
};
// Store nonce
self.client_nonce = Some(client_handshake_iv);
self.server_nonce = Some(server_handshake_iv);
let client_handshake_cipher = Aes256Gcm::new(
GenericArray::from_slice(&client_handshake_key)
);
let server_handshake_cipher = Aes256Gcm::new(
GenericArray::from_slice(&server_handshake_key)
);
self.client_cipher = Some(
Cipher::Aes256Gcm {
aes256gcm: client_handshake_cipher
}
);
self.server_cipher = Some(
Cipher::Aes256Gcm {
aes256gcm: server_handshake_cipher
}
);
}
CipherSuite::TLS_AES_128_CCM_8_SHA256 => {
unreachable!()
}
}
self.state = TlsState::WAIT_EE;
}
pub(crate) fn verify_session_id_echo(&self, session_id_echo: &[u8]) -> bool {
if let Some(session_id_inner) = self.session_id {
session_id_inner == session_id_echo
} else {
false
}
}
pub(crate) fn get_tls_state(&self) -> TlsState {
self.state
}
}
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub(crate) enum TlsRole {
Client,
Server,
}
#[derive(Debug, Clone)]
pub(crate) enum Hash {
Undetermined {
sha256: Sha256,
sha384: Sha384,
},
Sha256 {
sha256: Sha256
},
Sha384 {
sha384: Sha384
},
}
impl Hash {
pub(crate) fn update(&mut self, data: &[u8]) {
match self {
Self::Undetermined { sha256, sha384 } => {
sha256.update(data);
sha384.update(data);
},
Self::Sha256 { sha256 } => {
sha256.update(data);
},
Self::Sha384 { sha384 } => {
sha384.update(data);
},
}
}
pub(crate) fn select_sha256(self) -> Self {
match self {
Self::Undetermined { sha256, sha384 } => {
Self::Sha256 {
sha256
}
},
_ => unreachable!()
}
}
pub(crate) fn select_sha384(self) -> Self {
match self {
Self::Undetermined { sha256, sha384 } => {
Self::Sha384 {
sha384
}
},
_ => unreachable!()
}
}
pub(crate) fn get_sha256_clone(&mut self) -> Sha256 {
if let Self::Sha256 { sha256 } = self {
sha256.clone()
} else {
unreachable!()
}
}
pub(crate) fn get_sha384_clone(&mut self) -> Sha384 {
if let Self::Sha384 { sha384 } = self {
sha384.clone()
} else {
unreachable!()
}
}
}
pub(crate) enum Cipher {
Aes128Gcm {
aes128gcm: Aes128Gcm
},
Aes256Gcm {
aes256gcm: Aes256Gcm
},
Chacha20poly1305 {
chacha20poly1305: ChaCha20Poly1305
},
Ccm {
ccm: Aes128Ccm
},
}
impl Cipher {
pub(crate) fn encrypt_in_place(
&mut self,
nonce: &GenericArray<u8, U12>,
associated_data: &[u8],
buffer: &mut dyn Buffer
) -> Result<(), Error> {
match self {
Cipher::Aes128Gcm { aes128gcm } => {
aes128gcm.encrypt_in_place(nonce, associated_data, buffer)
},
Cipher::Aes256Gcm { aes256gcm } => {
aes256gcm.encrypt_in_place(nonce, associated_data, buffer)
},
Cipher::Chacha20poly1305 { chacha20poly1305 } => {
chacha20poly1305.encrypt_in_place(nonce, associated_data, buffer)
},
Cipher::Ccm { ccm } => {
ccm.encrypt_in_place(nonce, associated_data, buffer)
}
}.map_err(|_| Error::EncryptionError)
}
}

7
src/tls.rs
View File

@ -37,10 +37,11 @@ use crate::tls_packet::*;
use crate::parse::parse_tls_repr;
use crate::cipher_suite::CipherSuite;
use crate::buffer::TlsBuffer;
use crate::session::{Session, TlsRole};
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
#[allow(non_camel_case_types)]
enum TlsState {
pub(crate) enum TlsState {
START,
WAIT_SH,
WAIT_EE,
@ -62,6 +63,7 @@ pub struct TlsSocket<R: 'static + RngCore + CryptoRng>
received_change_cipher_spec: RefCell<Option<bool>>,
cipher: RefCell<Option<CipherSuite>>,
handshake_sha256: RefCell<Sha256>,
session: RefCell<Session>,
}
impl<R: RngCore + CryptoRng> TlsSocket<R> {
@ -85,6 +87,9 @@ impl<R: RngCore + CryptoRng> TlsSocket<R> {
received_change_cipher_spec: RefCell::new(None),
cipher: RefCell::new(None),
handshake_sha256: RefCell::new(Sha256::new()),
session: RefCell::new(
Session::new(TlsRole::Client)
),
}
}