Created
June 21, 2021 13:55
diff --git a/Cargo.toml b/Cargo.toml | |
index 26f7901..651b25e 100644 | |
--- a/Cargo.toml | |
+++ b/Cargo.toml | |
@@ -5,3 +5,8 @@ members = [ | |
# tests and example code that depend on mio | |
"rustls-mio", | |
] | |
+ | |
+ | |
+ | |
+[patch.crates-io] | |
+ring = { path = '../ring' } | |
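Review bot: `[patch.crates-io] ring = { path = '../ring' }` at L19–L20 redirects every `ring` dependency in the workspace to a sibling checkout that lives outside this repository, so the cryptographic provider being built is whatever happens to be at that path rather than the published crate, and a build on any other machine either fails or silently picks up a different tree. Cargo still requires a patch to satisfy the dependents' version requirements, so this is presumably a local experiment; it should not be committed, or if it must be, it should carry a comment naming the expected checkout, e.g. `# local ring checkout, revision <REVISION-PLACEHOLDER>; do not merge`. The three blank lines added at L16–L18 add nothing.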
diff --git a/rustls-mio/Cargo.toml b/rustls-mio/Cargo.toml | |
index 09ae1ec..c1c6297 100644 | |
--- a/rustls-mio/Cargo.toml | |
+++ b/rustls-mio/Cargo.toml | |
@@ -38,3 +38,4 @@ path = "examples/tlsclient.rs" | |
[[example]] | |
name = "tlsserver" | |
path = "examples/tlsserver.rs" | |
+ | |
diff --git a/rustls/src/cipher.rs b/rustls/src/cipher.rs | |
index ece32a6..b9c4409 100644 | |
--- a/rustls/src/cipher.rs | |
+++ b/rustls/src/cipher.rs | |
@@ -153,8 +153,10 @@ pub fn new_tls13_read( | |
scs: &'static SupportedCipherSuite, | |
secret: &hkdf::Prk, | |
) -> Box<dyn MessageDecrypter> { | |
+ log::info!("NEW TLS13 READ"); | |
let key = derive_traffic_key(secret, scs.aead_algorithm); | |
let iv = derive_traffic_iv(secret); | |
+ log::info!("NEW TLS13 READ DONE"); | |
Box::new(TLS13MessageDecrypter::new(key, iv)) | |
} | |
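Review bot: The `log::info!` calls at L38 and L41 (and `"DANGIT"` at L48 in the next hunk) are debugging scaffolding rather than operational diagnostics: they fire on every TLS 1.3 key installation at the default-visible `info` level with messages that carry nothing a log consumer could act on. The same pattern is repeated at L83, L95, L107, L115, L123, L131, L139, L170, L185, L193, L201, L241 and L281/L287, while L274 alone uses `debug!`, so the level choice is inconsistent as well. If a trace of key installation is wanted, it belongs at `trace!` with a stable, searchable prefix, e.g. `log::trace!("tls13: installing read decrypter for aead {:?}", scs.aead_algorithm);`; otherwise these lines should be removed before merge. new_tls13_read's signature starts before this hunk.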
@@ -163,6 +165,7 @@ pub fn new_tls13_write( | |
scs: &'static SupportedCipherSuite, | |
secret: &hkdf::Prk, | |
) -> Box<dyn MessageEncrypter> { | |
+ log::info!("DANGIT"); | |
let key = derive_traffic_key(secret, scs.aead_algorithm); | |
let iv = derive_traffic_iv(secret); | |
@@ -343,6 +346,8 @@ fn make_tls13_nonce(iv: &Iv, seq: u64) -> ring::aead::Nonce { | |
let mut nonce = [0u8; ring::aead::NONCE_LEN]; | |
codec::put_u64(seq, &mut nonce[4..]); | |
+ log::info!("seq{} iv {:x?}", seq, iv.0); | |
+ | |
nonce | |
.iter_mut() | |
.zip(iv.0.iter()) | |
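Review bot: L54 prints the per-connection IV (`iv.0`) in hex at `info` level and L62 in the next hunk prints the resulting nonce; together with the secret bytes materialised purely for printing at L232–L233, L250–L251, L282–L283 and L288–L289, the ECDHE shared secret at L311, and the ciphertext and decrypted record contents at L70/L76, this writes TLS key material and plaintext into whatever sink the host application attached to the `log` facade. An application log is normally shipped to aggregation systems with none of the opt-in and file-permission boundary that the dedicated key-log path has, so an info-level logger in production would expose enough to decrypt the session. Whether `{:x?}` on the `hkdf::Prk`/`hmac::Key` values at L178, L216, L225 and L254 reveals bytes depends on ring's `Debug` impls and should be verified rather than assumed safe. These lines should be deleted rather than downgraded; if nonce construction needs tracing, log only the non-secret counter, e.g. `log::trace!("make_tls13_nonce: seq={}", seq);`. make_tls13_nonce starts before this hunk and its body continues into the next.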
@@ -350,6 +355,8 @@ fn make_tls13_nonce(iv: &Iv, seq: u64) -> ring::aead::Nonce { | |
*nonce ^= *iv; | |
}); | |
+ log::info!("nonce nonce {:x?}", nonce); | |
+ | |
aead::Nonce::assume_unique_for_key(nonce) | |
} | |
@@ -398,11 +405,14 @@ impl MessageDecrypter for TLS13MessageDecrypter { | |
let nonce = make_tls13_nonce(&self.iv, seq); | |
let aad = make_tls13_aad(buf.len()); | |
+ log::info!("addition data via len={}", buf.len()); | |
+ log::info!("decrypt buf {:x?}", buf); | |
let plain_len = self | |
.dec_key | |
.open_in_place(nonce, aad, &mut buf) | |
.map_err(|_| TlsError::DecryptError)? | |
.len(); | |
+ log::info!("decrypted buf {:x?}", buf); | |
buf.truncate(plain_len); | |
@@ -410,7 +420,9 @@ impl MessageDecrypter for TLS13MessageDecrypter { | |
return Err(TlsError::PeerSentOversizedRecord); | |
} | |
+ | |
let content_type = unpad_tls13(&mut buf); | |
+ log::info!("content type {:?}", content_type); | |
if content_type == ContentType::Unknown(0) { | |
let msg = "peer sent bad TLSInnerPlaintext".to_string(); | |
return Err(TlsError::PeerMisbehavedError(msg)); | |
diff --git a/rustls/src/client/hs.rs b/rustls/src/client/hs.rs | |
index 8395e66..e279f12 100644 | |
--- a/rustls/src/client/hs.rs | |
+++ b/rustls/src/client/hs.rs | |
@@ -404,6 +404,7 @@ fn emit_client_hello_for_retry( | |
&randoms.client, | |
); | |
// Set early data encryption key | |
+ log::info!("set tls13_write for early"); | |
sess.common | |
.record_layer | |
.set_message_encrypter(cipher::new_tls13_write( | |
diff --git a/rustls/src/client/tls13.rs b/rustls/src/client/tls13.rs | |
index d352158..ef40fd1 100644 | |
--- a/rustls/src/client/tls13.rs | |
+++ b/rustls/src/client/tls13.rs | |
@@ -254,6 +254,7 @@ pub fn start_handshake_traffic( | |
&*sess.config.key_log, | |
&randoms.client, | |
); | |
+ log::info!("tlswrite:: no early data set write"); | |
sess.common | |
.record_layer | |
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); | |
@@ -443,6 +444,7 @@ impl hs::State for ExpectEncryptedExtensions { | |
&*sess.config.key_log, | |
&self.randoms.client, | |
); | |
+ log::info!("tlswrite:: was early data set write"); | |
sess.common | |
.record_layer | |
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); | |
@@ -945,6 +947,7 @@ impl hs::State for ExpectFinished { | |
emit_end_of_early_data_tls13(&mut st.transcript, sess); | |
sess.common.early_traffic = false; | |
sess.early_data.finished(); | |
+ log::info!("tlswrite:: maybe after handshake write"); | |
sess.common | |
.record_layer | |
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); | |
@@ -986,6 +989,7 @@ impl hs::State for ExpectFinished { | |
&*sess.config.key_log, | |
&st.randoms.client, | |
); | |
+ log::info!("tlswrite:: application write now"); | |
sess.common | |
.record_layer | |
.set_message_encrypter(cipher::new_tls13_write(suite, &write_key)); | |
@@ -1191,6 +1195,7 @@ impl hs::State for ExpectTraffic { | |
.key_schedule | |
.next_client_application_traffic_secret(); | |
let scs = sess.common.get_suite_assert(); | |
+ log::info!("tlswrite:: perhaps write key update"); | |
sess.common | |
.record_layer | |
.set_message_encrypter(cipher::new_tls13_write(scs, &write_key)); | |
diff --git a/rustls/src/hash_hs.rs b/rustls/src/hash_hs.rs | |
index 1c9685d..f53d87c 100644 | |
--- a/rustls/src/hash_hs.rs | |
+++ b/rustls/src/hash_hs.rs | |
@@ -63,6 +63,7 @@ impl HandshakeHash { | |
} | |
let mut ctx = digest::Context::new(alg); | |
+ log::info!("hash [{:x?}", &self.buffer); | |
ctx.update(&self.buffer); | |
self.ctx = Some(ctx); | |
@@ -88,7 +89,9 @@ impl HandshakeHash { | |
/// Hash or buffer a byte slice. | |
fn update_raw(&mut self, buf: &[u8]) -> &mut Self { | |
if let Some(ctx) = &mut self.ctx { | |
+ log::info!("hash [{:x?}]", &buf); | |
ctx.update(buf); | |
+ log::info!("cur value: {:x?}", ctx.clone().finish().as_ref()) | |
} | |
if self.ctx.is_none() || self.client_auth_enabled { | |
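Review bot: L157 dumps every byte fed into the handshake transcript at `info` level, and L150 in the previous hunk does the same for the buffered prefix; the bytes passed to `update_raw` appear to be handshake messages, which in TLS 1.3 are encrypted after ServerHello, so the log becomes a plaintext copy of the protected handshake. The format string at L150, `"hash [{:x?}"`, is also missing its closing `]`, and L159 omits the trailing semicolon the surrounding statements use. `ctx.clone().finish()` at L159 finalises a copy of the digest on every update solely to print it; if an intermediate transcript hash is needed for diagnostics, log its length or a short prefix at `trace!` instead. update_raw continues past the end of this hunk.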
diff --git a/rustls/src/key_schedule.rs b/rustls/src/key_schedule.rs | |
index a18347d..8b58e9d 100644 | |
--- a/rustls/src/key_schedule.rs | |
+++ b/rustls/src/key_schedule.rs | |
@@ -151,6 +151,7 @@ impl KeyScheduleHandshake { | |
client_random: &[u8; 32], | |
) -> hkdf::Prk { | |
// Use an empty handshake hash for the initial handshake. | |
+ log::info!("derive client secret"); | |
let secret = self.ks.derive_logged_secret( | |
SecretKind::ClientHandshakeTrafficSecret, | |
hs_hash.as_ref(), | |
@@ -158,6 +159,7 @@ impl KeyScheduleHandshake { | |
client_random, | |
); | |
self.current_client_traffic_secret = Some(secret.clone()); | |
+ log::info!("c hs secret {:x?}", secret); | |
secret | |
} | |
@@ -167,6 +169,7 @@ impl KeyScheduleHandshake { | |
key_log: &dyn KeyLog, | |
client_random: &[u8; 32], | |
) -> hkdf::Prk { | |
+ log::info!("derive server secret"); | |
let secret = self.ks.derive_logged_secret( | |
SecretKind::ServerHandshakeTrafficSecret, | |
hs_hash.as_ref(), | |
@@ -224,6 +227,7 @@ impl KeyScheduleTrafficWithClientFinishedPending { | |
key_log: &dyn KeyLog, | |
client_random: &[u8; 32], | |
) -> hkdf::Prk { | |
+ log::info!("derive server traffic secret"); | |
let secret = self.ks.derive_logged_secret( | |
SecretKind::ServerApplicationTrafficSecret, | |
hs_hash.as_ref(), | |
@@ -240,6 +244,7 @@ impl KeyScheduleTrafficWithClientFinishedPending { | |
key_log: &dyn KeyLog, | |
client_random: &[u8; 32], | |
) -> hkdf::Prk { | |
+ log::info!("derive client traffic secret"); | |
let secret = self.ks.derive_logged_secret( | |
SecretKind::ClientApplicationTrafficSecret, | |
hs_hash.as_ref(), | |
@@ -335,10 +340,14 @@ impl KeySchedule { | |
let zeroes = [0u8; digest::MAX_OUTPUT_LEN]; | |
let zeroes = &zeroes[..algorithm.len()]; | |
let salt = hkdf::Salt::new(algorithm, &zeroes); | |
- KeySchedule { | |
+ let ks = KeySchedule { | |
current: salt.extract(secret), | |
algorithm, | |
- } | |
+ }; | |
+ | |
+ log::info!("ks-initial: {:x?}", ks.current); | |
+ | |
+ ks | |
} | |
#[inline] | |
@@ -361,6 +370,7 @@ impl KeySchedule { | |
fn input_secret(&mut self, secret: &[u8]) { | |
let salt: hkdf::Salt = self.derive_for_empty_hash(SecretKind::DerivedSecret); | |
self.current = salt.extract(secret); | |
+ log::info!("input_secret now -> {:x?}", self.current); | |
} | |
/// Derive a secret of given `kind`, using current handshake hash `hs_hash`. | |
@@ -369,6 +379,9 @@ impl KeySchedule { | |
T: for<'a> From<hkdf::Okm<'a, L>>, | |
L: hkdf::KeyType, | |
{ | |
+ let loggable = hkdf_expand::<PayloadU8, _>( &self.current, PayloadU8Len(self.algorithm.len()), kind.to_bytes(), hs_hash.as_ref()).into_inner(); | |
+ log::info!("---loggable--> {:x?}", loggable); | |
+ | |
hkdf_expand(&self.current, key_type, kind.to_bytes(), hs_hash.as_ref()) | |
} | |
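Review bot: The `loggable` binding at L232 performs a second HKDF-Expand of the current secret purely to obtain printable bytes, and because it is a separate `let` rather than a macro argument it runs on every derivation even when `info` logging is disabled; the same construction appears at L250, L282 and L288. Beyond the cost, it materialises the derived secret as plain bytes inside a `PayloadU8` and formats them into the log, so every handshake and application traffic secret passes through the logger. Remove L232–L234; the label is the only non-secret thing worth tracing here, e.g. `log::trace!("derive: label={:?}", kind.to_bytes());`. The enclosing `derive` signature starts before this hunk.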
@@ -404,6 +417,7 @@ impl KeySchedule { | |
.hmac_algorithm() | |
.digest_algorithm(); | |
let empty_hash = digest::digest(digest_alg, &[]); | |
+ log::info!("derive_for_empty_hash"); | |
self.derive(self.algorithm, kind, empty_hash.as_ref()) | |
} | |
@@ -417,7 +431,13 @@ impl KeySchedule { | |
/// `base_key`. | |
fn sign_verify_data(&self, base_key: &hkdf::Prk, hs_hash: &Digest) -> hmac::Tag { | |
let hmac_alg = self.algorithm.hmac_algorithm(); | |
+ | |
+ log::info!("hmac len {}", self.algorithm.hmac_algorithm().len()); | |
+ let loggable = hkdf_expand::<PayloadU8, _>( base_key, PayloadU8Len(self.algorithm.hmac_algorithm().len()), b"finished", &[]); | |
+ log::info!("---sign key--> {:x?}", loggable); | |
+ | |
let hmac_key = hkdf_expand(base_key, hmac_alg, b"finished", &[]); | |
+ log::info!("signing {:?} {:x?}", hmac_key, hs_hash.as_ref()); | |
hmac::sign(&hmac_key, hs_hash.as_ref()) | |
} | |
@@ -491,10 +511,13 @@ where | |
F: for<'b> FnOnce(hkdf::Okm<'b, L>) -> T, | |
L: hkdf::KeyType, | |
{ | |
+ | |
+ log::info!("expand context={:x?}", context); | |
const LABEL_PREFIX: &[u8] = b"tls13 "; | |
let output_len = u16::to_be_bytes(key_type.len() as u16); | |
let label_len = u8::to_be_bytes((LABEL_PREFIX.len() + label.len()) as u8); | |
+ log::info!("label len {} {:x?}", LABEL_PREFIX.len() + label.len(), label_len); | |
let context_len = u8::to_be_bytes(context.len() as u8); | |
let info = &[ | |
@@ -505,6 +528,8 @@ where | |
&context_len[..], | |
context, | |
]; | |
+ | |
+ log::debug!("expand info={:x?}", info); | |
let okm = secret.expand(info, key_type).unwrap(); | |
f(okm) | |
@@ -529,10 +554,16 @@ pub fn derive_traffic_key( | |
secret: &hkdf::Prk, | |
aead_algorithm: &'static aead::Algorithm, | |
) -> aead::UnboundKey { | |
+ log::info!("derive traffic key"); | |
+ let loggable = hkdf_expand::<PayloadU8, _>( secret, PayloadU8Len(aead_algorithm.len()), b"key", &[]); | |
+ log::info!("---traffic key--> {:x?}", loggable); | |
hkdf_expand(secret, aead_algorithm, b"key", &[]) | |
} | |
pub(crate) fn derive_traffic_iv(secret: &hkdf::Prk) -> Iv { | |
+ log::info!("derive traffic iv"); | |
+ let loggable = hkdf_expand::<PayloadU8, _>( secret, PayloadU8Len(IvLen.len()), b"iv", &[]); | |
+ log::info!("---traffic iv--> {:x?}", loggable); | |
hkdf_expand(secret, IvLen, b"iv", &[]) | |
} | |
diff --git a/rustls/src/keylog.rs b/rustls/src/keylog.rs | |
index dc06f24..c89ec9f 100644 | |
--- a/rustls/src/keylog.rs | |
+++ b/rustls/src/keylog.rs | |
@@ -120,6 +120,7 @@ impl KeyLogFileInner { | |
write!(self.buf, "{:02x}", b)?; | |
} | |
writeln!(self.buf)?; | |
+ log::info!("LOGGING {} {:x?}", label, secret); | |
file.write_all(&self.buf) | |
} | |
} | |
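Review bot: L300 copies `label` and the raw `secret` bytes into the process log immediately before they are written to the key log file, which defeats the isolation `KeyLogFileInner` provides: the file is, as far as I can tell, only active when the application explicitly opts in, whereas the `log` facade goes to whatever sink the host configured. A key log file is something operators deliberately restrict by path and permissions; an application log is typically retained and forwarded. Delete the line, or if a record of activity is wanted, log only that an entry was written, `log::trace!("keylog: wrote entry for {}", label);`. The function containing this write starts before the hunk.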
diff --git a/rustls/src/server/tls13.rs b/rustls/src/server/tls13.rs | |
index 2617cad..7bcf8fe 100644 | |
--- a/rustls/src/server/tls13.rs | |
+++ b/rustls/src/server/tls13.rs | |
@@ -131,6 +131,8 @@ impl CompleteClientHelloHandling { | |
.and_then(|kx| kx.complete(&share.payload.0)) | |
.ok_or_else(|| TlsError::PeerMisbehavedError("key exchange failed".to_string()))?; | |
+ log::info!("ecdhe {:x?}", kxr.shared_secret); | |
+ | |
let kse = KeyShareEntry::new(share.group, kxr.pubkey.as_ref()); | |
extensions.push(ServerExtension::KeyShare(kse)); | |
extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3)); |