//! Directory synchronized handshake //! 1-RTT connection //! //! The simplest, fastest handshake supported by Fenrir //! Downside: It does not offer protection from DDos, //! no perfect forward secrecy //! //! To grant a form of perfect forward secrecy, the server should periodically //! change the DNSSEC public/private keys use super::{Error, HandshakeData}; use crate::{ auth, connection::{ProtocolVersion, ID}, enc::{ asym::{ExchangePubKey, KeyExchange, KeyID}, sym::{CipherKind, HeadLen, Secret, TagLen}, }, }; use ::arrayref::array_mut_ref; type Nonce = [u8; 16]; /// Parsed handshake #[derive(Debug, Clone)] pub enum DirSync { /// Directory synchronized handshake: client request Req(Req), /// Directory synchronized handshake: server response Resp(Resp), } impl DirSync { /// actual length of the dirsync handshake data pub fn len(&self) -> usize { match self { DirSync::Req(req) => req.len(), DirSync::Resp(resp) => resp.len(), } } /// Serialize into raw bytes /// NOTE: assumes that there is exactly asa much buffer as needed pub fn serialize( &self, head_len: HeadLen, tag_len: TagLen, out: &mut [u8], ) { match self { DirSync::Req(req) => req.serialize(head_len, tag_len, out), DirSync::Resp(resp) => resp.serialize(head_len, tag_len, out), } } } /// Client request of a directory synchronized handshake #[derive(Debug, Clone)] pub struct Req { /// Id of the server key used for the key exchange pub key_id: KeyID, /// Selected key exchange pub exchange: KeyExchange, /// Selected cipher pub cipher: CipherKind, /// Client ephemeral public key used for key exchanges pub exchange_key: ExchangePubKey, /// encrypted data pub data: ReqInner, // Security: Add padding to min: 1200 bytes to avoid amplification attaks } impl Req { /// return the offset of the encrypted data /// NOTE: starts from the beginning of the fenrir packet pub fn encrypted_offset(&self) -> usize { ProtocolVersion::len() + KeyID::len() + KeyExchange::len() + CipherKind::len() + self.exchange_key.len() } /// return the total length of the cleartext data pub fn encrypted_length(&self) -> usize { match &self.data { ReqInner::ClearText(data) => data.len(), _ => 0, } } /// actual length of the directory synchronized request pub fn len(&self) -> usize { KeyID::len() + KeyExchange::len() + CipherKind::len() + self.exchange_key.len() + self.data.len() } /// Serialize into raw bytes /// NOTE: assumes that there is exactly as much buffer as needed pub fn serialize( &self, head_len: HeadLen, tag_len: TagLen, out: &mut [u8], ) { //assert!(out.len() > , ": not enough buffer to serialize"); todo!() } } impl super::HandshakeParsing for Req { fn deserialize(raw: &[u8]) -> Result { const MIN_PKT_LEN: usize = 10; if raw.len() < MIN_PKT_LEN { return Err(Error::NotEnoughData); } let key_id: KeyID = KeyID(u16::from_le_bytes(raw[0..1].try_into().unwrap())); use ::num_traits::FromPrimitive; let exchange: KeyExchange = match KeyExchange::from_u8(raw[2]) { Some(exchange) => exchange, None => return Err(Error::Parsing), }; let cipher: CipherKind = match CipherKind::from_u8(raw[3]) { Some(cipher) => cipher, None => return Err(Error::Parsing), }; let (exchange_key, len) = match ExchangePubKey::from_slice(&raw[4..]) { Ok(exchange_key) => exchange_key, Err(e) => return Err(e.into()), }; let data = ReqInner::CipherText(raw.len() - (4 + len)); Ok(HandshakeData::DirSync(DirSync::Req(Self { key_id, exchange, cipher, exchange_key, data, }))) } } /// Quick way to avoid mixing cipher and clear text #[derive(Debug, Clone)] pub enum ReqInner { /// Data is still encrytped, we only keep the length CipherText(usize), /// Client data, decrypted and parsed ClearText(ReqData), } impl ReqInner { /// The length of the data pub fn len(&self) -> usize { match self { ReqInner::CipherText(len) => *len, ReqInner::ClearText(data) => data.len(), } } /// parse the cleartext pub fn deserialize_as_cleartext(&mut self, raw: &[u8]) { let clear = match self { ReqInner::CipherText(len) => { assert!( *len == raw.len(), "DirSync::ReqInner::CipherText length mismatch" ); match ReqData::deserialize(raw) { Ok(clear) => clear, Err(_) => return, } } _ => return, }; *self = ReqInner::ClearText(clear); } } /// Informations needed for authentication #[derive(Debug, Clone)] pub struct AuthInfo { /// User of the domain pub user: auth::UserID, /// Authentication token pub token: auth::Token, /// service ID that we want to use on the domain pub service_id: auth::ServiceID, /// subdomain on which we authenticate // SECURITY: TODO: this should be padded to multiples of 32 bytes or so // reason: packet length can let you infer the authentication domain pub domain: auth::Domain, } impl AuthInfo { /// Minimum length of the authentication info pub const MIN_PKT_LEN: usize = auth::UserID::len() + auth::Token::len() + auth::ServiceID::len() + 1; /// Actual length of the authentication info pub fn len(&self) -> usize { Self::MIN_PKT_LEN + self.domain.len() } /// deserialize from raw bytes pub fn deserialize(raw: &[u8]) -> Result { if raw.len() < Self::MIN_PKT_LEN { return Err(Error::NotEnoughData); } let raw_user_id: [u8; auth::UserID::len()]; let raw_token: [u8; auth::Token::len()]; let raw_service_id: [u8; auth::ServiceID::len()]; let mut start = 0; let mut end = auth::UserID::len(); raw_user_id = raw[start..end].try_into().unwrap(); let user: auth::UserID = raw_user_id.into(); start = end; end = end + auth::Token::len(); raw_token = raw[start..end].try_into().unwrap(); let token: auth::Token = raw_token.into(); start = end; end = end + auth::ServiceID::len(); raw_service_id = raw[start..end].try_into().unwrap(); let service_id: auth::ServiceID = raw_service_id.into(); start = end; let domain_len = raw[start]; start = start + 1; end = start + domain_len as usize; if raw.len() < end { return Err(Error::NotEnoughData); } let domain: auth::Domain = match raw[start..end].try_into() { Ok(domain) => domain, Err(_) => return Err(Error::Parsing), }; Ok(Self { user, token, service_id, domain, }) } } /// Decrypted request data #[derive(Debug, Clone)] pub struct ReqData { /// Random nonce, the client can use this to track multiple key exchanges pub nonce: Nonce, /// Client key id so the client can use and rotate keys pub client_key_id: KeyID, /// Receiving connection id for the client pub id: ID, /// Authentication data pub auth: AuthInfo, } impl ReqData { /// actual length of the request data pub fn len(&self) -> usize { self.nonce.len() + KeyID::len() + ID::len() + self.auth.len() } /// Minimum byte length of the request data pub const MIN_PKT_LEN: usize = 16 + KeyID::len() + ID::len() + AuthInfo::MIN_PKT_LEN; /// Parse the cleartext raw data pub fn deserialize(raw: &[u8]) -> Result { if raw.len() < Self::MIN_PKT_LEN { return Err(Error::NotEnoughData); } let mut start = 0; let mut end = 16; let nonce: Nonce = raw[start..end].try_into().unwrap(); start = end; end = end + KeyID::len(); let client_key_id = KeyID(u16::from_le_bytes(raw[start..end].try_into().unwrap())); start = end; end = end + ID::len(); let id: ID = u64::from_le_bytes(raw[start..end].try_into().unwrap()).into(); if id.is_handshake() { return Err(Error::Parsing); } start = end; //end = raw.len(); let auth = AuthInfo::deserialize(&raw[start..])?; Ok(Self { nonce, client_key_id, id, auth, }) } } /// Quick way to avoid mixing cipher and clear text #[derive(Debug, Clone)] pub enum RespInner { /// Server data, still in ciphertext CipherText(usize), /// Parsed, cleartext server data ClearText(RespData), } impl RespInner { /// The length of the data pub fn len(&self) -> usize { match self { RespInner::CipherText(len) => *len, RespInner::ClearText(_) => RespData::len(), } } /* /// Get the ciptertext, or panic pub fn ciphertext<'a>(&'a mut self) -> &'a mut VecDeque { match self { RespInner::CipherText(data) => data, _ => panic!(), } } */ /// parse the cleartext pub fn deserialize_as_cleartext(&mut self, raw: &[u8]) { let clear = match self { RespInner::CipherText(len) => { assert!( *len == raw.len(), "DirSync::RespInner::CipherText length mismatch" ); match RespData::deserialize(raw) { Ok(clear) => clear, Err(_) => return, } } _ => return, }; *self = RespInner::ClearText(clear); } /* /// switch from ciphertext to cleartext pub fn mark_as_cleartext(&mut self) { let mut newdata: VecDeque; match self { RespInner::CipherText(data) => { newdata = VecDeque::new(); ::core::mem::swap(&mut newdata, data); } _ => return, } *self = RespInner::ClearText(newdata); } */ /// serialize, but only if ciphertext pub fn serialize(&self, out: &mut [u8]) { todo!() } } /// Server response in a directory synchronized handshake #[derive(Debug, Clone)] pub struct Resp { /// Tells the client with which key the exchange was done pub client_key_id: KeyID, /// actual response data, might be encrypted pub data: RespInner, } impl super::HandshakeParsing for Resp { fn deserialize(raw: &[u8]) -> Result { const MIN_PKT_LEN: usize = 68; if raw.len() < MIN_PKT_LEN { return Err(Error::NotEnoughData); } let client_key_id: KeyID = KeyID(u16::from_le_bytes(raw[0..1].try_into().unwrap())); Ok(HandshakeData::DirSync(DirSync::Resp(Self { client_key_id, data: RespInner::CipherText(raw[KeyID::len()..].len()), }))) } } impl Resp { /// return the offset of the encrypted data /// NOTE: starts from the beginning of the fenrir packet pub fn encrypted_offset(&self) -> usize { ProtocolVersion::len() + KeyID::len() } /// return the total length of the cleartext data pub fn encrypted_length(&self) -> usize { match &self.data { RespInner::ClearText(_data) => RespData::len(), _ => 0, } } /// Total length of the response handshake pub fn len(&self) -> usize { KeyID::len() + self.data.len() } /// Serialize into raw bytes /// NOTE: assumes that there is exactly as much buffer as needed /// NOTE: assumes that the data is *ClearText* pub fn serialize( &self, head_len: HeadLen, tag_len: TagLen, out: &mut [u8], ) { assert!( out.len() == KeyID::len() + self.data.len(), "DirSync Resp: not enough buffer to serialize" ); self.client_key_id.serialize(array_mut_ref![out, 0, 2]); let end_data = (2 + self.data.len()) - tag_len.0; self.data.serialize(&mut out[(2 + head_len.0)..end_data]); } /// Set the cleartext data after it was parsed pub fn set_data(&mut self, data: RespData) { self.data = RespInner::ClearText(data); } } /// Decrypted response data #[derive(Debug, Clone)] pub struct RespData { /// Client nonce, copied from the request pub client_nonce: Nonce, /// Server Connection ID pub id: ID, /// Service Connection ID pub service_connection_id: ID, /// Service encryption key pub service_key: Secret, } impl RespData { const NONCE_LEN: usize = ::core::mem::size_of::(); /// Return the expected length for buffer allocation pub fn len() -> usize { Self::NONCE_LEN + ID::len() + ID::len() + 32 } /// Serialize the data into a buffer /// NOTE: assumes that there is exactly asa much buffer as needed pub fn serialize(&self, out: &mut [u8]) { assert!(out.len() == Self::len(), "wrong buffer size"); let mut start = 0; let mut end = Self::NONCE_LEN; out[start..end].copy_from_slice(&self.client_nonce); start = end; end = end + Self::NONCE_LEN; self.id.serialize(&mut out[start..end]); start = end; end = end + Self::NONCE_LEN; self.service_connection_id.serialize(&mut out[start..end]); start = end; end = end + Self::NONCE_LEN; out[start..end].copy_from_slice(self.service_key.as_ref()); } /// Parse the cleartext raw data pub fn deserialize(raw: &[u8]) -> Result { todo!(); } }