Clear DTLS Server

This commit is contained in:
Ludovic Chenut 2023-10-03 16:36:38 +02:00
parent 12debd98a9
commit bf8ea1bbaa
No known key found for this signature in database
GPG Key ID: D9A59B1907F1D50C
2 changed files with 66 additions and 78 deletions

View File

@ -47,7 +47,6 @@ type
entropy: mbedtls_entropy_context entropy: mbedtls_entropy_context
proc dtlsSend*(ctx: pointer, buf: ptr byte, len: uint): cint {.cdecl.} = proc dtlsSend*(ctx: pointer, buf: ptr byte, len: uint): cint {.cdecl.} =
echo "\e[36m<DTLS>\e[0;1m Send\e[0m: ", len
var self = cast[DtlsConn](ctx) var self = cast[DtlsConn](ctx)
var toWrite = newSeq[byte](len) var toWrite = newSeq[byte](len)
if len > 0: if len > 0:
@ -57,16 +56,12 @@ proc dtlsSend*(ctx: pointer, buf: ptr byte, len: uint): cint {.cdecl.} =
proc dtlsRecv*(ctx: pointer, buf: ptr byte, len: uint): cint {.cdecl.} = proc dtlsRecv*(ctx: pointer, buf: ptr byte, len: uint): cint {.cdecl.} =
var self = cast[DtlsConn](ctx) var self = cast[DtlsConn](ctx)
echo "\e[36m<DTLS>\e[0;1m Recv\e[0m: ", self.recvData[0].len()
result = self.recvData[0].len().cint result = self.recvData[0].len().cint
copyMem(buf, addr self.recvData[0][0], self.recvData[0].len()) copyMem(buf, addr self.recvData[0][0], self.recvData[0].len())
self.recvData.delete(0..0) self.recvData.delete(0..0)
method init*(self: DtlsConn, conn: WebRTCConn, address: TransportAddress) {.async.} = method init*(self: DtlsConn, conn: WebRTCConn, address: TransportAddress) {.async.} =
await procCall(WebRTCConn(self).init(conn, address)) await procCall(WebRTCConn(self).init(conn, address))
# self.recvEvent = AsyncEvent()
# self.sendEvent = AsyncEvent()
#
method write*(self: DtlsConn, msg: seq[byte]) {.async.} = method write*(self: DtlsConn, msg: seq[byte]) {.async.} =
var buf = msg var buf = msg
@ -109,38 +104,28 @@ proc handshake(self: DtlsConn) {.async.} =
MBEDTLS_ERR_SSL_WANT_WRITE MBEDTLS_ERR_SSL_WANT_WRITE
while self.ssl.private_state != MBEDTLS_SSL_HANDSHAKE_OVER: while self.ssl.private_state != MBEDTLS_SSL_HANDSHAKE_OVER:
echo "State: ", mb_ssl_states[self.ssl.private_state.int], "(", self.ssl.private_state, ")" if endpoint == MBEDTLS_ERR_SSL_WANT_READ or
if endpoint == MBEDTLS_ERR_SSL_WANT_READ: self.ssl.private_state == MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
self.recvData.add(await self.conn.read()) self.recvData.add(await self.conn.read())
echo "=====> ", self.recvData.len()
# TODO: Change set_client_transport_id in mbedtls.nim directly
var ta = self.getRemoteAddress() var ta = self.getRemoteAddress()
case ta.family case ta.family
of AddressFamily.IPv4: of AddressFamily.IPv4:
discard mbedtls_ssl_set_client_transport_id(addr self.ssl, mb_ssl_set_client_transport_id(self.ssl, ta.address_v4)
addr ta.address_v4[0],
ta.address_v4.len().uint)
of AddressFamily.IPv6: of AddressFamily.IPv6:
discard mbedtls_ssl_set_client_transport_id(addr self.ssl, mb_ssl_set_client_transport_id(self.ssl, ta.address_v6)
addr ta.address_v6[0], else:
ta.address_v6.len().uint) discard # TODO: raise ?
else: discard # TODO: raise ?
self.sendFuture = nil self.sendFuture = nil
let res = mbedtls_ssl_handshake_step(addr self.ssl) # TODO: Change in mbedtls.nim let res = mb_ssl_handshake_step(self.ssl)
echo "\e[34m<Handshake>\e[0m: ", res
if not self.sendFuture.isNil(): await self.sendFuture if not self.sendFuture.isNil(): await self.sendFuture
echo "Result handshake step: ", res.mbedtls_high_level_strerr(), "(", res, ")"
if res == MBEDTLS_ERR_SSL_WANT_READ or res == MBEDTLS_ERR_SSL_WANT_WRITE: if res == MBEDTLS_ERR_SSL_WANT_READ or res == MBEDTLS_ERR_SSL_WANT_WRITE:
echo if res == MBEDTLS_ERR_SSL_WANT_READ: "WANT_READ" else: "WANT_WRITE"
continue continue
elif res == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED: elif res == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED:
echo "hello verification requested"
mb_ssl_session_reset(self.ssl) mb_ssl_session_reset(self.ssl)
endpoint = MBEDTLS_ERR_SSL_WANT_READ endpoint = MBEDTLS_ERR_SSL_WANT_READ
continue continue
elif res != 0: elif res != 0:
echo "\e[31mRaise Whatever\e[0m"
break # raise whatever break # raise whatever
endpoint = res endpoint = res
@ -153,16 +138,15 @@ proc accept*(self: Dtls, conn: WebRTCConn): Future[DtlsConn] {.async.} =
await res.init(conn, self.address) await res.init(conn, self.address)
mb_ssl_init(res.ssl) mb_ssl_init(res.ssl)
mb_ssl_config_init(res.config) mb_ssl_config_init(res.config)
mbedtls_ssl_cookie_init(addr res.cookie) # TODO: Change in mbedtls.nim mb_ssl_cookie_init(res.cookie)
mbedtls_ssl_cache_init(addr res.cache) # TODO: Change in mbedtls.nim mb_ssl_cache_init(res.cache)
mb_ctr_drbg_init(res.ctr_drbg) mb_ctr_drbg_init(res.ctr_drbg)
mb_entropy_init(res.entropy) mb_entropy_init(res.entropy)
mb_ctr_drbg_seed(res.ctr_drbg, mbedtls_entropy_func, res.entropy, nil, 0) mb_ctr_drbg_seed(res.ctr_drbg, mbedtls_entropy_func, res.entropy, nil, 0)
var srvcert = res.ctr_drbg.generateCertificate()
echo "========> ", srvcert.version, " ", srvcert.raw.len
var pkey = res.ctr_drbg.generateKey() var pkey = res.ctr_drbg.generateKey()
var srvcert = res.ctr_drbg.generateCertificate(pkey)
mb_ssl_config_defaults(res.config, mb_ssl_config_defaults(res.config,
MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_IS_SERVER,
@ -172,12 +156,9 @@ proc accept*(self: Dtls, conn: WebRTCConn): Future[DtlsConn] {.async.} =
mb_ssl_conf_read_timeout(res.config, 10000) # in milliseconds mb_ssl_conf_read_timeout(res.config, 10000) # in milliseconds
mb_ssl_conf_ca_chain(res.config, srvcert.next, nil) mb_ssl_conf_ca_chain(res.config, srvcert.next, nil)
mb_ssl_conf_own_cert(res.config, srvcert, pkey) mb_ssl_conf_own_cert(res.config, srvcert, pkey)
discard mbedtls_ssl_cookie_setup(addr res.cookie, mbedtls_ctr_drbg_random, addr res.ctr_drbg) # TODO: Change in mbedtls.nim mb_ssl_cookie_setup(res.cookie, mbedtls_ctr_drbg_random, res.ctr_drbg)
mbedtls_ssl_conf_dtls_cookies(addr res.config, mbedtls_ssl_cookie_write, mb_ssl_conf_dtls_cookies(res.config, res.cookie)
mbedtls_ssl_cookie_check, addr res.cookie) # TODO: Change in mbedtls.nim mb_ssl_set_timer_cb(res.ssl, res.timer)
mbedtls_ssl_set_timer_cb(addr res.ssl, cast[pointer](addr res.timer),
mbedtls_timing_set_delay,
mbedtls_timing_get_delay)
# Add the cookie management (it works without, but it's more secure) # Add the cookie management (it works without, but it's more secure)
mb_ssl_setup(res.ssl, res.config) mb_ssl_setup(res.ssl, res.config)
mb_ssl_session_reset(res.ssl) mb_ssl_session_reset(res.ssl)

View File

@ -9,6 +9,8 @@
import std/times import std/times
import stew/byteutils
import mbedtls/pk import mbedtls/pk
import mbedtls/rsa import mbedtls/rsa
import mbedtls/ctr_drbg import mbedtls/ctr_drbg
@ -16,50 +18,7 @@ import mbedtls/x509_crt
import mbedtls/bignum import mbedtls/bignum
import mbedtls/md import mbedtls/md
proc mbedtls_pk_rsa*(pk: mbedtls_pk_context): ptr mbedtls_rsa_context = import chronicles
var key = pk
case mbedtls_pk_get_type(addr key)
of MBEDTLS_PK_RSA:
return cast[ptr mbedtls_rsa_context](pk.private_pk_ctx)
else:
return nil
template generateKey*(random: mbedtls_ctr_drbg_context): mbedtls_pk_context =
var res: mbedtls_pk_context
mb_pk_init(res)
discard mbedtls_pk_setup(addr res, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA))
mb_rsa_gen_key(mb_pk_rsa(res), mbedtls_ctr_drbg_random, random, 4096, 65537)
res
template generateCertificate*(random: mbedtls_ctr_drbg_context): mbedtls_x509_crt =
let
name = "C=FR,O=webrtc,CN=webrtc"
time_format = initTimeFormat("YYYYMMddHHmmss")
time_from = times.now().format(time_format)
time_to = (times.now() + times.years(1)).format(time_format)
var issuer_key = random.generateKey()
var write_cert: mbedtls_x509write_cert
var serial_mpi: mbedtls_mpi
mb_x509write_crt_init(write_cert)
mb_x509write_crt_set_md_alg(write_cert, MBEDTLS_MD_SHA256);
mb_x509write_crt_set_subject_key(write_cert, issuer_key)
mb_x509write_crt_set_issuer_key(write_cert, issuer_key)
mb_x509write_crt_set_subject_name(write_cert, name)
mb_x509write_crt_set_issuer_name(write_cert, name)
mb_x509write_crt_set_validity(write_cert, time_from, time_to)
mb_x509write_crt_set_basic_constraints(write_cert, 0, -1)
mb_x509write_crt_set_subject_key_identifier(write_cert)
mb_x509write_crt_set_authority_key_identifier(write_cert)
mb_mpi_init(serial_mpi)
let serial_hex = mb_mpi_read_string(serial_mpi, 16)
mb_x509write_crt_set_serial(write_cert, serial_mpi)
let buf = mb_x509write_crt_pem(write_cert, 4096, mbedtls_ctr_drbg_random, random)
var res: mbedtls_x509_crt
mb_x509_crt_parse(res, buf)
res
const mb_ssl_states* = @[ const mb_ssl_states* = @[
"MBEDTLS_SSL_HELLO_REQUEST", "MBEDTLS_SSL_HELLO_REQUEST",
@ -93,3 +52,51 @@ const mb_ssl_states* = @[
"MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET", "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET",
"MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH" "MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET_FLUSH"
] ]
proc mbedtls_pk_rsa*(pk: mbedtls_pk_context): ptr mbedtls_rsa_context =
var key = pk
case mbedtls_pk_get_type(addr key)
of MBEDTLS_PK_RSA:
return cast[ptr mbedtls_rsa_context](pk.private_pk_ctx)
else:
return nil
template generateKey*(random: mbedtls_ctr_drbg_context): mbedtls_pk_context =
var res: mbedtls_pk_context
mb_pk_init(res)
discard mbedtls_pk_setup(addr res, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA))
mb_rsa_gen_key(mb_pk_rsa(res), mbedtls_ctr_drbg_random, random, 2048, 65537)
let x = mb_pk_rsa(res)
res
template generateCertificate*(random: mbedtls_ctr_drbg_context,
issuer_key: mbedtls_pk_context): mbedtls_x509_crt =
let
name = "C=FR,O=Status,CN=webrtc"
time_format = initTimeFormat("YYYYMMddHHmmss")
time_from = times.now().format(time_format)
time_to = (times.now() + times.years(1)).format(time_format)
var write_cert: mbedtls_x509write_cert
var serial_mpi: mbedtls_mpi
mb_x509write_crt_init(write_cert)
mb_x509write_crt_set_md_alg(write_cert, MBEDTLS_MD_SHA256);
mb_x509write_crt_set_subject_key(write_cert, issuer_key)
mb_x509write_crt_set_issuer_key(write_cert, issuer_key)
mb_x509write_crt_set_subject_name(write_cert, name)
mb_x509write_crt_set_issuer_name(write_cert, name)
mb_x509write_crt_set_validity(write_cert, time_from, time_to)
mb_x509write_crt_set_basic_constraints(write_cert, 0, -1)
mb_x509write_crt_set_subject_key_identifier(write_cert)
mb_x509write_crt_set_authority_key_identifier(write_cert)
mb_mpi_init(serial_mpi)
let serial_hex = mb_mpi_read_string(serial_mpi, 16)
mb_x509write_crt_set_serial(write_cert, serial_mpi)
let buf =
try:
mb_x509write_crt_pem(write_cert, 2048, mbedtls_ctr_drbg_random, random)
except MbedTLSError as e:
raise e
var res: mbedtls_x509_crt
mb_x509_crt_parse(res, buf)
res