178 lines
4.8 KiB
Go
178 lines
4.8 KiB
Go
package handshake
|
|
|
|
import (
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"sync"
|
|
|
|
"github.com/bifurcation/mint"
|
|
"github.com/lucas-clemente/quic-go/internal/crypto"
|
|
"github.com/lucas-clemente/quic-go/internal/protocol"
|
|
)
|
|
|
|
// ErrCloseSessionForRetry is returned by HandleCryptoStream when the server wishes to perform a stateless retry
|
|
var ErrCloseSessionForRetry = errors.New("closing session in order to recreate after a retry")
|
|
|
|
// KeyDerivationFunction is used for key derivation
|
|
type KeyDerivationFunction func(crypto.TLSExporter, protocol.Perspective) (crypto.AEAD, error)
|
|
|
|
type cryptoSetupTLS struct {
|
|
mutex sync.RWMutex
|
|
|
|
perspective protocol.Perspective
|
|
|
|
keyDerivation KeyDerivationFunction
|
|
nullAEAD crypto.AEAD
|
|
aead crypto.AEAD
|
|
|
|
tls MintTLS
|
|
cryptoStream *CryptoStreamConn
|
|
handshakeEvent chan<- struct{}
|
|
}
|
|
|
|
// NewCryptoSetupTLSServer creates a new TLS CryptoSetup instance for a server
|
|
func NewCryptoSetupTLSServer(
|
|
tls MintTLS,
|
|
cryptoStream *CryptoStreamConn,
|
|
nullAEAD crypto.AEAD,
|
|
handshakeEvent chan<- struct{},
|
|
version protocol.VersionNumber,
|
|
) CryptoSetup {
|
|
return &cryptoSetupTLS{
|
|
tls: tls,
|
|
cryptoStream: cryptoStream,
|
|
nullAEAD: nullAEAD,
|
|
perspective: protocol.PerspectiveServer,
|
|
keyDerivation: crypto.DeriveAESKeys,
|
|
handshakeEvent: handshakeEvent,
|
|
}
|
|
}
|
|
|
|
// NewCryptoSetupTLSClient creates a new TLS CryptoSetup instance for a client
|
|
func NewCryptoSetupTLSClient(
|
|
cryptoStream io.ReadWriter,
|
|
connID protocol.ConnectionID,
|
|
hostname string,
|
|
handshakeEvent chan<- struct{},
|
|
tls MintTLS,
|
|
version protocol.VersionNumber,
|
|
) (CryptoSetup, error) {
|
|
nullAEAD, err := crypto.NewNullAEAD(protocol.PerspectiveClient, connID, version)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &cryptoSetupTLS{
|
|
perspective: protocol.PerspectiveClient,
|
|
tls: tls,
|
|
nullAEAD: nullAEAD,
|
|
keyDerivation: crypto.DeriveAESKeys,
|
|
handshakeEvent: handshakeEvent,
|
|
}, nil
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) HandleCryptoStream() error {
|
|
if h.perspective == protocol.PerspectiveServer {
|
|
// mint already wrote the ServerHello, EncryptedExtensions and the certificate chain to the buffer
|
|
// send out that data now
|
|
if _, err := h.cryptoStream.Flush(); err != nil {
|
|
return err
|
|
}
|
|
}
|
|
|
|
handshakeLoop:
|
|
for {
|
|
if alert := h.tls.Handshake(); alert != mint.AlertNoAlert {
|
|
return fmt.Errorf("TLS handshake error: %s (Alert %d)", alert.String(), alert)
|
|
}
|
|
switch h.tls.State() {
|
|
case mint.StateClientStart: // this happens if a stateless retry is performed
|
|
return ErrCloseSessionForRetry
|
|
case mint.StateClientConnected, mint.StateServerConnected:
|
|
break handshakeLoop
|
|
}
|
|
}
|
|
|
|
aead, err := h.keyDerivation(h.tls, h.perspective)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
h.mutex.Lock()
|
|
h.aead = aead
|
|
h.mutex.Unlock()
|
|
|
|
h.handshakeEvent <- struct{}{}
|
|
close(h.handshakeEvent)
|
|
return nil
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) Open(dst, src []byte, packetNumber protocol.PacketNumber, associatedData []byte) ([]byte, protocol.EncryptionLevel, error) {
|
|
h.mutex.RLock()
|
|
defer h.mutex.RUnlock()
|
|
|
|
if h.aead != nil {
|
|
data, err := h.aead.Open(dst, src, packetNumber, associatedData)
|
|
if err != nil {
|
|
return nil, protocol.EncryptionUnspecified, err
|
|
}
|
|
return data, protocol.EncryptionForwardSecure, nil
|
|
}
|
|
data, err := h.nullAEAD.Open(dst, src, packetNumber, associatedData)
|
|
if err != nil {
|
|
return nil, protocol.EncryptionUnspecified, err
|
|
}
|
|
return data, protocol.EncryptionUnencrypted, nil
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) GetSealer() (protocol.EncryptionLevel, Sealer) {
|
|
h.mutex.RLock()
|
|
defer h.mutex.RUnlock()
|
|
|
|
if h.aead != nil {
|
|
return protocol.EncryptionForwardSecure, h.aead
|
|
}
|
|
return protocol.EncryptionUnencrypted, h.nullAEAD
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) GetSealerWithEncryptionLevel(encLevel protocol.EncryptionLevel) (Sealer, error) {
|
|
errNoSealer := fmt.Errorf("CryptoSetup: no sealer with encryption level %s", encLevel.String())
|
|
h.mutex.RLock()
|
|
defer h.mutex.RUnlock()
|
|
|
|
switch encLevel {
|
|
case protocol.EncryptionUnencrypted:
|
|
return h.nullAEAD, nil
|
|
case protocol.EncryptionForwardSecure:
|
|
if h.aead == nil {
|
|
return nil, errNoSealer
|
|
}
|
|
return h.aead, nil
|
|
default:
|
|
return nil, errNoSealer
|
|
}
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) GetSealerForCryptoStream() (protocol.EncryptionLevel, Sealer) {
|
|
return protocol.EncryptionUnencrypted, h.nullAEAD
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) DiversificationNonce() []byte {
|
|
panic("diversification nonce not needed for TLS")
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) SetDiversificationNonce([]byte) {
|
|
panic("diversification nonce not needed for TLS")
|
|
}
|
|
|
|
func (h *cryptoSetupTLS) ConnectionState() ConnectionState {
|
|
h.mutex.Lock()
|
|
defer h.mutex.Unlock()
|
|
mintConnState := h.tls.ConnectionState()
|
|
return ConnectionState{
|
|
// TODO: set the ServerName, once mint exports it
|
|
HandshakeComplete: h.aead != nil,
|
|
PeerCertificates: mintConnState.PeerCertificates,
|
|
}
|
|
}
|