添加 github.com/pion/dtls 代码

dtls-2.0.9/internal/ciphersuite/aes_128_ccm.go

@@ -0,0 +1,108 @@
+package ciphersuite
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"hash"
+	"sync/atomic"
+
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+	"github.com/pion/dtls/v2/pkg/crypto/prf"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+// Aes128Ccm is a base class used by multiple AES-CCM Ciphers
+type Aes128Ccm struct {
+	ccm                   atomic.Value // *cryptoCCM
+	clientCertificateType clientcertificate.Type
+	id                    ID
+	psk                   bool
+	cryptoCCMTagLen       ciphersuite.CCMTagLen
+}
+
+func newAes128Ccm(clientCertificateType clientcertificate.Type, id ID, psk bool, cryptoCCMTagLen ciphersuite.CCMTagLen) *Aes128Ccm {
+	return &Aes128Ccm{
+		clientCertificateType: clientCertificateType,
+		id:                    id,
+		psk:                   psk,
+		cryptoCCMTagLen:       cryptoCCMTagLen,
+	}
+}
+
+// CertificateType returns what type of certificate this CipherSuite exchanges
+func (c *Aes128Ccm) CertificateType() clientcertificate.Type {
+	return c.clientCertificateType
+}
+
+// ID returns the ID of the CipherSuite
+func (c *Aes128Ccm) ID() ID {
+	return c.id
+}
+
+func (c *Aes128Ccm) String() string {
+	return c.id.String()
+}
+
+// HashFunc returns the hashing func for this CipherSuite
+func (c *Aes128Ccm) HashFunc() func() hash.Hash {
+	return sha256.New
+}
+
+// AuthenticationType controls what authentication method is using during the handshake
+func (c *Aes128Ccm) AuthenticationType() AuthenticationType {
+	if c.psk {
+		return AuthenticationTypePreSharedKey
+	}
+	return AuthenticationTypeCertificate
+}
+
+// IsInitialized returns if the CipherSuite has keying material and can
+// encrypt/decrypt packets
+func (c *Aes128Ccm) IsInitialized() bool {
+	return c.ccm.Load() != nil
+}
+
+// Init initializes the internal Cipher with keying material
+func (c *Aes128Ccm) Init(masterSecret, clientRandom, serverRandom []byte, isClient bool) error {
+	const (
+		prfMacLen = 0
+		prfKeyLen = 16
+		prfIvLen  = 4
+	)
+
+	keys, err := prf.GenerateEncryptionKeys(masterSecret, clientRandom, serverRandom, prfMacLen, prfKeyLen, prfIvLen, c.HashFunc())
+	if err != nil {
+		return err
+	}
+
+	var ccm *ciphersuite.CCM
+	if isClient {
+		ccm, err = ciphersuite.NewCCM(c.cryptoCCMTagLen, keys.ClientWriteKey, keys.ClientWriteIV, keys.ServerWriteKey, keys.ServerWriteIV)
+	} else {
+		ccm, err = ciphersuite.NewCCM(c.cryptoCCMTagLen, keys.ServerWriteKey, keys.ServerWriteIV, keys.ClientWriteKey, keys.ClientWriteIV)
+	}
+	c.ccm.Store(ccm)
+
+	return err
+}
+
+// Encrypt encrypts a single TLS RecordLayer
+func (c *Aes128Ccm) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	ccm := c.ccm.Load()
+	if ccm == nil {
+		return nil, fmt.Errorf("%w, unable to encrypt", errCipherSuiteNotInit)
+	}
+
+	return ccm.(*ciphersuite.CCM).Encrypt(pkt, raw)
+}
+
+// Decrypt decrypts a single TLS RecordLayer
+func (c *Aes128Ccm) Decrypt(raw []byte) ([]byte, error) {
+	ccm := c.ccm.Load()
+	if ccm == nil {
+		return nil, fmt.Errorf("%w, unable to decrypt", errCipherSuiteNotInit)
+	}
+
+	return ccm.(*ciphersuite.CCM).Decrypt(raw)
+}

dtls-2.0.9/internal/ciphersuite/ciphersuite.go

@@ -0,0 +1,71 @@
+// Package ciphersuite provides TLS Ciphers as registered with the IANA  https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4
+package ciphersuite
+
+import (
+	"errors"
+	"fmt"
+
+	"github.com/pion/dtls/v2/pkg/protocol"
+)
+
+var errCipherSuiteNotInit = &protocol.TemporaryError{Err: errors.New("CipherSuite has not been initialized")} //nolint:goerr113
+
+// ID is an ID for our supported CipherSuites
+type ID uint16
+
+func (i ID) String() string {
+	switch i {
+	case TLS_ECDHE_ECDSA_WITH_AES_128_CCM:
+		return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM"
+	case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
+		return "TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8"
+	case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
+		return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+	case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
+		return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+	case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
+		return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+	case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
+		return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+	case TLS_PSK_WITH_AES_128_CCM:
+		return "TLS_PSK_WITH_AES_128_CCM"
+	case TLS_PSK_WITH_AES_128_CCM_8:
+		return "TLS_PSK_WITH_AES_128_CCM_8"
+	case TLS_PSK_WITH_AES_128_GCM_SHA256:
+		return "TLS_PSK_WITH_AES_128_GCM_SHA256"
+	case TLS_PSK_WITH_AES_128_CBC_SHA256:
+		return "TLS_PSK_WITH_AES_128_CBC_SHA256"
+	default:
+		return fmt.Sprintf("unknown(%v)", uint16(i))
+	}
+}
+
+// Supported Cipher Suites
+const (
+	// AES-128-CCM
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM   ID = 0xc0ac //nolint:golint,stylecheck
+	TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ID = 0xc0ae //nolint:golint,stylecheck
+
+	// AES-128-GCM-SHA256
+	TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ID = 0xc02b //nolint:golint,stylecheck
+	TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256   ID = 0xc02f //nolint:golint,stylecheck
+
+	// AES-256-CBC-SHA
+	TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ID = 0xc00a //nolint:golint,stylecheck
+	TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA   ID = 0xc014 //nolint:golint,stylecheck
+
+	TLS_PSK_WITH_AES_128_CCM        ID = 0xc0a4 //nolint:golint,stylecheck
+	TLS_PSK_WITH_AES_128_CCM_8      ID = 0xc0a8 //nolint:golint,stylecheck
+	TLS_PSK_WITH_AES_128_GCM_SHA256 ID = 0x00a8 //nolint:golint,stylecheck
+	TLS_PSK_WITH_AES_128_CBC_SHA256 ID = 0x00ae //nolint:golint,stylecheck
+)
+
+// AuthenticationType controls what authentication method is using during the handshake
+type AuthenticationType int
+
+// AuthenticationType Enums
+const (
+	AuthenticationTypeCertificate AuthenticationType = iota + 1
+	AuthenticationTypePreSharedKey
+	AuthenticationTypeAnonymous
+)

dtls-2.0.9/internal/ciphersuite/tls_ecdhe_ecdsa_with_aes_128_ccm.go

@@ -0,0 +1,11 @@
+package ciphersuite
+
+import (
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+)
+
+// NewTLSEcdheEcdsaWithAes128Ccm constructs a TLS_ECDHE_ECDSA_WITH_AES_128_CCM Cipher
+func NewTLSEcdheEcdsaWithAes128Ccm() *Aes128Ccm {
+	return newAes128Ccm(clientcertificate.ECDSASign, TLS_ECDHE_ECDSA_WITH_AES_128_CCM, false, ciphersuite.CCMTagLength)
+}

dtls-2.0.9/internal/ciphersuite/tls_ecdhe_ecdsa_with_aes_128_ccm8.go

@@ -0,0 +1,11 @@
+package ciphersuite
+
+import (
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+)
+
+// NewTLSEcdheEcdsaWithAes128Ccm8 creates a new TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 CipherSuite
+func NewTLSEcdheEcdsaWithAes128Ccm8() *Aes128Ccm {
+	return newAes128Ccm(clientcertificate.ECDSASign, TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, false, ciphersuite.CCMTagLength8)
+}

dtls-2.0.9/internal/ciphersuite/tls_ecdhe_ecdsa_with_aes_128_gcm_sha256.go

@@ -0,0 +1,92 @@
+package ciphersuite
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"hash"
+	"sync/atomic"
+
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+	"github.com/pion/dtls/v2/pkg/crypto/prf"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+// TLSEcdheEcdsaWithAes128GcmSha256  represents a TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 CipherSuite
+type TLSEcdheEcdsaWithAes128GcmSha256 struct {
+	gcm atomic.Value // *cryptoGCM
+}
+
+// CertificateType returns what type of certficate this CipherSuite exchanges
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) CertificateType() clientcertificate.Type {
+	return clientcertificate.ECDSASign
+}
+
+// ID returns the ID of the CipherSuite
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) ID() ID {
+	return TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+}
+
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) String() string {
+	return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
+}
+
+// HashFunc returns the hashing func for this CipherSuite
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) HashFunc() func() hash.Hash {
+	return sha256.New
+}
+
+// AuthenticationType controls what authentication method is using during the handshake
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) AuthenticationType() AuthenticationType {
+	return AuthenticationTypeCertificate
+}
+
+// IsInitialized returns if the CipherSuite has keying material and can
+// encrypt/decrypt packets
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) IsInitialized() bool {
+	return c.gcm.Load() != nil
+}
+
+// Init initializes the internal Cipher with keying material
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) Init(masterSecret, clientRandom, serverRandom []byte, isClient bool) error {
+	const (
+		prfMacLen = 0
+		prfKeyLen = 16
+		prfIvLen  = 4
+	)
+
+	keys, err := prf.GenerateEncryptionKeys(masterSecret, clientRandom, serverRandom, prfMacLen, prfKeyLen, prfIvLen, c.HashFunc())
+	if err != nil {
+		return err
+	}
+
+	var gcm *ciphersuite.GCM
+	if isClient {
+		gcm, err = ciphersuite.NewGCM(keys.ClientWriteKey, keys.ClientWriteIV, keys.ServerWriteKey, keys.ServerWriteIV)
+	} else {
+		gcm, err = ciphersuite.NewGCM(keys.ServerWriteKey, keys.ServerWriteIV, keys.ClientWriteKey, keys.ClientWriteIV)
+	}
+	c.gcm.Store(gcm)
+
+	return err
+}
+
+// Encrypt encrypts a single TLS RecordLayer
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	gcm := c.gcm.Load()
+	if gcm == nil {
+		return nil, fmt.Errorf("%w, unable to encrypt", errCipherSuiteNotInit)
+	}
+
+	return gcm.(*ciphersuite.GCM).Encrypt(pkt, raw)
+}
+
+// Decrypt decrypts a single TLS RecordLayer
+func (c *TLSEcdheEcdsaWithAes128GcmSha256) Decrypt(raw []byte) ([]byte, error) {
+	gcm := c.gcm.Load()
+	if gcm == nil {
+		return nil, fmt.Errorf("%w, unable to decrypt", errCipherSuiteNotInit)
+	}
+
+	return gcm.(*ciphersuite.GCM).Decrypt(raw)
+}

dtls-2.0.9/internal/ciphersuite/tls_ecdhe_ecdsa_with_aes_256_cbc_sha.go

@@ -0,0 +1,101 @@
+package ciphersuite
+
+import (
+	"crypto/sha1" //nolint: gosec,gci
+	"crypto/sha256"
+	"fmt"
+	"hash"
+	"sync/atomic"
+
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+	"github.com/pion/dtls/v2/pkg/crypto/prf"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+// TLSEcdheEcdsaWithAes256CbcSha represents a TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA CipherSuite
+type TLSEcdheEcdsaWithAes256CbcSha struct {
+	cbc atomic.Value // *cryptoCBC
+}
+
+// CertificateType returns what type of certficate this CipherSuite exchanges
+func (c *TLSEcdheEcdsaWithAes256CbcSha) CertificateType() clientcertificate.Type {
+	return clientcertificate.ECDSASign
+}
+
+// ID returns the ID of the CipherSuite
+func (c *TLSEcdheEcdsaWithAes256CbcSha) ID() ID {
+	return TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+}
+
+func (c *TLSEcdheEcdsaWithAes256CbcSha) String() string {
+	return "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
+}
+
+// HashFunc returns the hashing func for this CipherSuite
+func (c *TLSEcdheEcdsaWithAes256CbcSha) HashFunc() func() hash.Hash {
+	return sha256.New
+}
+
+// AuthenticationType controls what authentication method is using during the handshake
+func (c *TLSEcdheEcdsaWithAes256CbcSha) AuthenticationType() AuthenticationType {
+	return AuthenticationTypeCertificate
+}
+
+// IsInitialized returns if the CipherSuite has keying material and can
+// encrypt/decrypt packets
+func (c *TLSEcdheEcdsaWithAes256CbcSha) IsInitialized() bool {
+	return c.cbc.Load() != nil
+}
+
+// Init initializes the internal Cipher with keying material
+func (c *TLSEcdheEcdsaWithAes256CbcSha) Init(masterSecret, clientRandom, serverRandom []byte, isClient bool) error {
+	const (
+		prfMacLen = 20
+		prfKeyLen = 32
+		prfIvLen  = 16
+	)
+
+	keys, err := prf.GenerateEncryptionKeys(masterSecret, clientRandom, serverRandom, prfMacLen, prfKeyLen, prfIvLen, c.HashFunc())
+	if err != nil {
+		return err
+	}
+
+	var cbc *ciphersuite.CBC
+	if isClient {
+		cbc, err = ciphersuite.NewCBC(
+			keys.ClientWriteKey, keys.ClientWriteIV, keys.ClientMACKey,
+			keys.ServerWriteKey, keys.ServerWriteIV, keys.ServerMACKey,
+			sha1.New,
+		)
+	} else {
+		cbc, err = ciphersuite.NewCBC(
+			keys.ServerWriteKey, keys.ServerWriteIV, keys.ServerMACKey,
+			keys.ClientWriteKey, keys.ClientWriteIV, keys.ClientMACKey,
+			sha1.New,
+		)
+	}
+	c.cbc.Store(cbc)
+
+	return err
+}
+
+// Encrypt encrypts a single TLS RecordLayer
+func (c *TLSEcdheEcdsaWithAes256CbcSha) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	cbc := c.cbc.Load()
+	if cbc == nil { // !c.isInitialized()
+		return nil, fmt.Errorf("%w, unable to encrypt", errCipherSuiteNotInit)
+	}
+
+	return cbc.(*ciphersuite.CBC).Encrypt(pkt, raw)
+}
+
+// Decrypt decrypts a single TLS RecordLayer
+func (c *TLSEcdheEcdsaWithAes256CbcSha) Decrypt(raw []byte) ([]byte, error) {
+	cbc := c.cbc.Load()
+	if cbc == nil { // !c.isInitialized()
+		return nil, fmt.Errorf("%w, unable to decrypt", errCipherSuiteNotInit)
+	}
+
+	return cbc.(*ciphersuite.CBC).Decrypt(raw)
+}

dtls-2.0.9/internal/ciphersuite/tls_ecdhe_rsa_with_aes_128_gcm_sha256.go

@@ -0,0 +1,22 @@
+package ciphersuite
+
+import "github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+
+// TLSEcdheRsaWithAes128GcmSha256 implements the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 CipherSuite
+type TLSEcdheRsaWithAes128GcmSha256 struct {
+	TLSEcdheEcdsaWithAes128GcmSha256
+}
+
+// CertificateType returns what type of certificate this CipherSuite exchanges
+func (c *TLSEcdheRsaWithAes128GcmSha256) CertificateType() clientcertificate.Type {
+	return clientcertificate.RSASign
+}
+
+// ID returns the ID of the CipherSuite
+func (c *TLSEcdheRsaWithAes128GcmSha256) ID() ID {
+	return TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+}
+
+func (c *TLSEcdheRsaWithAes128GcmSha256) String() string {
+	return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+}

dtls-2.0.9/internal/ciphersuite/tls_ecdhe_rsa_with_aes_256_cbc_sha.go

@@ -0,0 +1,22 @@
+package ciphersuite
+
+import "github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+
+// TLSEcdheRsaWithAes256CbcSha implements the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA CipherSuite
+type TLSEcdheRsaWithAes256CbcSha struct {
+	TLSEcdheEcdsaWithAes256CbcSha
+}
+
+// CertificateType returns what type of certificate this CipherSuite exchanges
+func (c *TLSEcdheRsaWithAes256CbcSha) CertificateType() clientcertificate.Type {
+	return clientcertificate.RSASign
+}
+
+// ID returns the ID of the CipherSuite
+func (c *TLSEcdheRsaWithAes256CbcSha) ID() ID {
+	return TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+}
+
+func (c *TLSEcdheRsaWithAes256CbcSha) String() string {
+	return "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA"
+}

dtls-2.0.9/internal/ciphersuite/tls_psk_with_aes_128_cbc_sha256.go

@@ -0,0 +1,100 @@
+package ciphersuite
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"hash"
+	"sync/atomic"
+
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+	"github.com/pion/dtls/v2/pkg/crypto/prf"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+// TLSPskWithAes128CbcSha256 implements the TLS_PSK_WITH_AES_128_CBC_SHA256 CipherSuite
+type TLSPskWithAes128CbcSha256 struct {
+	cbc atomic.Value // *cryptoCBC
+}
+
+// CertificateType returns what type of certificate this CipherSuite exchanges
+func (c *TLSPskWithAes128CbcSha256) CertificateType() clientcertificate.Type {
+	return clientcertificate.Type(0)
+}
+
+// ID returns the ID of the CipherSuite
+func (c *TLSPskWithAes128CbcSha256) ID() ID {
+	return TLS_PSK_WITH_AES_128_CBC_SHA256
+}
+
+func (c *TLSPskWithAes128CbcSha256) String() string {
+	return "TLS_PSK_WITH_AES_128_CBC_SHA256"
+}
+
+// HashFunc returns the hashing func for this CipherSuite
+func (c *TLSPskWithAes128CbcSha256) HashFunc() func() hash.Hash {
+	return sha256.New
+}
+
+// AuthenticationType controls what authentication method is using during the handshake
+func (c *TLSPskWithAes128CbcSha256) AuthenticationType() AuthenticationType {
+	return AuthenticationTypePreSharedKey
+}
+
+// IsInitialized returns if the CipherSuite has keying material and can
+// encrypt/decrypt packets
+func (c *TLSPskWithAes128CbcSha256) IsInitialized() bool {
+	return c.cbc.Load() != nil
+}
+
+// Init initializes the internal Cipher with keying material
+func (c *TLSPskWithAes128CbcSha256) Init(masterSecret, clientRandom, serverRandom []byte, isClient bool) error {
+	const (
+		prfMacLen = 32
+		prfKeyLen = 16
+		prfIvLen  = 16
+	)
+
+	keys, err := prf.GenerateEncryptionKeys(masterSecret, clientRandom, serverRandom, prfMacLen, prfKeyLen, prfIvLen, c.HashFunc())
+	if err != nil {
+		return err
+	}
+
+	var cbc *ciphersuite.CBC
+	if isClient {
+		cbc, err = ciphersuite.NewCBC(
+			keys.ClientWriteKey, keys.ClientWriteIV, keys.ClientMACKey,
+			keys.ServerWriteKey, keys.ServerWriteIV, keys.ServerMACKey,
+			c.HashFunc(),
+		)
+	} else {
+		cbc, err = ciphersuite.NewCBC(
+			keys.ServerWriteKey, keys.ServerWriteIV, keys.ServerMACKey,
+			keys.ClientWriteKey, keys.ClientWriteIV, keys.ClientMACKey,
+			c.HashFunc(),
+		)
+	}
+	c.cbc.Store(cbc)
+
+	return err
+}
+
+// Encrypt encrypts a single TLS RecordLayer
+func (c *TLSPskWithAes128CbcSha256) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	cbc := c.cbc.Load()
+	if cbc == nil { // !c.isInitialized()
+		return nil, fmt.Errorf("%w, unable to decrypt", errCipherSuiteNotInit)
+	}
+
+	return cbc.(*ciphersuite.CBC).Encrypt(pkt, raw)
+}
+
+// Decrypt decrypts a single TLS RecordLayer
+func (c *TLSPskWithAes128CbcSha256) Decrypt(raw []byte) ([]byte, error) {
+	cbc := c.cbc.Load()
+	if cbc == nil { // !c.isInitialized()
+		return nil, fmt.Errorf("%w, unable to decrypt", errCipherSuiteNotInit)
+	}
+
+	return cbc.(*ciphersuite.CBC).Decrypt(raw)
+}

dtls-2.0.9/internal/ciphersuite/tls_psk_with_aes_128_ccm.go

@@ -0,0 +1,11 @@
+package ciphersuite
+
+import (
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+)
+
+// NewTLSPskWithAes128Ccm returns the TLS_PSK_WITH_AES_128_CCM CipherSuite
+func NewTLSPskWithAes128Ccm() *Aes128Ccm {
+	return newAes128Ccm(clientcertificate.Type(0), TLS_PSK_WITH_AES_128_CCM, true, ciphersuite.CCMTagLength)
+}

dtls-2.0.9/internal/ciphersuite/tls_psk_with_aes_128_ccm8.go

@@ -0,0 +1,11 @@
+package ciphersuite
+
+import (
+	"github.com/pion/dtls/v2/pkg/crypto/ciphersuite"
+	"github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+)
+
+// NewTLSPskWithAes128Ccm8 returns the TLS_PSK_WITH_AES_128_CCM_8 CipherSuite
+func NewTLSPskWithAes128Ccm8() *Aes128Ccm {
+	return newAes128Ccm(clientcertificate.Type(0), TLS_PSK_WITH_AES_128_CCM_8, true, ciphersuite.CCMTagLength8)
+}

dtls-2.0.9/internal/ciphersuite/tls_psk_with_aes_128_gcm_sha256.go

@@ -0,0 +1,27 @@
+package ciphersuite
+
+import "github.com/pion/dtls/v2/pkg/crypto/clientcertificate"
+
+// TLSPskWithAes128GcmSha256 implements the TLS_PSK_WITH_AES_128_GCM_SHA256 CipherSuite
+type TLSPskWithAes128GcmSha256 struct {
+	TLSEcdheEcdsaWithAes128GcmSha256
+}
+
+// CertificateType returns what type of certificate this CipherSuite exchanges
+func (c *TLSPskWithAes128GcmSha256) CertificateType() clientcertificate.Type {
+	return clientcertificate.Type(0)
+}
+
+// ID returns the ID of the CipherSuite
+func (c *TLSPskWithAes128GcmSha256) ID() ID {
+	return TLS_PSK_WITH_AES_128_GCM_SHA256
+}
+
+func (c *TLSPskWithAes128GcmSha256) String() string {
+	return "TLS_PSK_WITH_AES_128_GCM_SHA256"
+}
+
+// AuthenticationType controls what authentication method is using during the handshake
+func (c *TLSPskWithAes128GcmSha256) AuthenticationType() AuthenticationType {
+	return AuthenticationTypePreSharedKey
+}

dtls-2.0.9/internal/closer/closer.go

@@ -0,0 +1,45 @@
+// Package closer provides signaling channel for shutdown
+package closer
+
+import (
+	"context"
+)
+
+// Closer allows for each signaling a channel for shutdown
+type Closer struct {
+	ctx       context.Context
+	closeFunc func()
+}
+
+// NewCloser creates a new instance of Closer
+func NewCloser() *Closer {
+	ctx, closeFunc := context.WithCancel(context.Background())
+	return &Closer{
+		ctx:       ctx,
+		closeFunc: closeFunc,
+	}
+}
+
+// NewCloserWithParent creates a new instance of Closer with a parent context
+func NewCloserWithParent(ctx context.Context) *Closer {
+	ctx, closeFunc := context.WithCancel(ctx)
+	return &Closer{
+		ctx:       ctx,
+		closeFunc: closeFunc,
+	}
+}
+
+// Done returns a channel signaling when it is done
+func (c *Closer) Done() <-chan struct{} {
+	return c.ctx.Done()
+}
+
+// Err returns an error of the context
+func (c *Closer) Err() error {
+	return c.ctx.Err()
+}
+
+// Close sends a signal to trigger the ctx done channel
+func (c *Closer) Close() {
+	c.closeFunc()
+}

dtls-2.0.9/internal/net/dpipe/dpipe.go

@@ -0,0 +1,144 @@
+// Package dpipe provides the pipe works like datagram protocol on memory.
+package dpipe
+
+import (
+	"context"
+	"io"
+	"net"
+	"sync"
+	"time"
+
+	"github.com/pion/transport/deadline"
+)
+
+// Pipe creates pair of non-stream conn on memory.
+// Close of the one end doesn't make effect to the other end.
+func Pipe() (net.Conn, net.Conn) {
+	ch0 := make(chan []byte, 1000)
+	ch1 := make(chan []byte, 1000)
+	return &conn{
+			rCh:           ch0,
+			wCh:           ch1,
+			closed:        make(chan struct{}),
+			closing:       make(chan struct{}),
+			readDeadline:  deadline.New(),
+			writeDeadline: deadline.New(),
+		}, &conn{
+			rCh:           ch1,
+			wCh:           ch0,
+			closed:        make(chan struct{}),
+			closing:       make(chan struct{}),
+			readDeadline:  deadline.New(),
+			writeDeadline: deadline.New(),
+		}
+}
+
+type pipeAddr struct{}
+
+func (pipeAddr) Network() string { return "pipe" }
+func (pipeAddr) String() string  { return ":1" }
+
+type conn struct {
+	rCh       chan []byte
+	wCh       chan []byte
+	closed    chan struct{}
+	closing   chan struct{}
+	closeOnce sync.Once
+
+	readDeadline  *deadline.Deadline
+	writeDeadline *deadline.Deadline
+}
+
+func (*conn) LocalAddr() net.Addr  { return pipeAddr{} }
+func (*conn) RemoteAddr() net.Addr { return pipeAddr{} }
+
+func (c *conn) SetDeadline(t time.Time) error {
+	c.readDeadline.Set(t)
+	c.writeDeadline.Set(t)
+	return nil
+}
+
+func (c *conn) SetReadDeadline(t time.Time) error {
+	c.readDeadline.Set(t)
+	return nil
+}
+
+func (c *conn) SetWriteDeadline(t time.Time) error {
+	c.writeDeadline.Set(t)
+	return nil
+}
+
+func (c *conn) Read(data []byte) (n int, err error) {
+	select {
+	case <-c.closed:
+		return 0, io.EOF
+	case <-c.closing:
+		if len(c.rCh) == 0 {
+			return 0, io.EOF
+		}
+	case <-c.readDeadline.Done():
+		return 0, context.DeadlineExceeded
+	default:
+	}
+
+	for {
+		select {
+		case d := <-c.rCh:
+			if len(d) <= len(data) {
+				copy(data, d)
+				return len(d), nil
+			}
+			copy(data, d[:len(data)])
+			return len(data), nil
+		case <-c.closed:
+			return 0, io.EOF
+		case <-c.closing:
+			if len(c.rCh) == 0 {
+				return 0, io.EOF
+			}
+		case <-c.readDeadline.Done():
+			return 0, context.DeadlineExceeded
+		}
+	}
+}
+
+func (c *conn) cleanWriteBuffer() {
+	for {
+		select {
+		case <-c.wCh:
+		default:
+			return
+		}
+	}
+}
+
+func (c *conn) Write(data []byte) (n int, err error) {
+	select {
+	case <-c.closed:
+		return 0, io.ErrClosedPipe
+	case <-c.writeDeadline.Done():
+		c.cleanWriteBuffer()
+		return 0, context.DeadlineExceeded
+	default:
+	}
+
+	cData := make([]byte, len(data))
+	copy(cData, data)
+
+	select {
+	case <-c.closed:
+		return 0, io.ErrClosedPipe
+	case <-c.writeDeadline.Done():
+		c.cleanWriteBuffer()
+		return 0, context.DeadlineExceeded
+	case c.wCh <- cData:
+		return len(cData), nil
+	}
+}
+
+func (c *conn) Close() error {
+	c.closeOnce.Do(func() {
+		close(c.closed)
+	})
+	return nil
+}

dtls-2.0.9/internal/net/dpipe/dpipe_test.go

@@ -0,0 +1,106 @@
+// +build !js
+
+package dpipe
+
+import (
+	"bytes"
+	"errors"
+	"io"
+	"net"
+	"testing"
+	"time"
+
+	"golang.org/x/net/nettest"
+)
+
+func TestNetTest(t *testing.T) {
+	nettest.TestConn(t, func() (net.Conn, net.Conn, func(), error) {
+		ca, cb := Pipe()
+		return &closePropagator{ca.(*conn), cb.(*conn)},
+			&closePropagator{cb.(*conn), ca.(*conn)},
+			func() {
+				_ = ca.Close()
+				_ = cb.Close()
+			}, nil
+	})
+}
+
+type closePropagator struct {
+	*conn
+	otherEnd *conn
+}
+
+func (c *closePropagator) Close() error {
+	close(c.otherEnd.closing)
+	return c.conn.Close()
+}
+
+func TestPipe(t *testing.T) {
+	ca, cb := Pipe()
+
+	testData := []byte{0x01, 0x02}
+
+	for name, cond := range map[string]struct {
+		ca net.Conn
+		cb net.Conn
+	}{
+		"AtoB": {ca, cb},
+		"BtoA": {cb, ca},
+	} {
+		c0 := cond.ca
+		c1 := cond.cb
+		t.Run(name, func(t *testing.T) {
+			switch n, err := c0.Write(testData); {
+			case err != nil:
+				t.Errorf("Unexpected error on Write: %v", err)
+			case n != len(testData):
+				t.Errorf("Expected to write %d bytes, wrote %d bytes", len(testData), n)
+			}
+
+			readData := make([]byte, 4)
+			switch n, err := c1.Read(readData); {
+			case err != nil:
+				t.Errorf("Unexpected error on Write: %v", err)
+			case n != len(testData):
+				t.Errorf("Expected to read %d bytes, got %d bytes", len(testData), n)
+			case !bytes.Equal(testData, readData[0:n]):
+				t.Errorf("Expected to read %v, got %v", testData, readData[0:n])
+			}
+		})
+	}
+
+	if err := ca.Close(); err != nil {
+		t.Errorf("Unexpected error on Close: %v", err)
+	}
+	if _, err := ca.Write(testData); !errors.Is(err, io.ErrClosedPipe) {
+		t.Errorf("Write to closed conn should fail with %v, got %v", io.ErrClosedPipe, err)
+	}
+
+	// Other side should be writable.
+	if _, err := cb.Write(testData); err != nil {
+		t.Errorf("Unexpected error on Write: %v", err)
+	}
+
+	readData := make([]byte, 4)
+	if _, err := ca.Read(readData); !errors.Is(err, io.EOF) {
+		t.Errorf("Read from closed conn should fail with %v, got %v", io.EOF, err)
+	}
+
+	// Other side should be readable.
+	readDone := make(chan struct{})
+	go func() {
+		readData := make([]byte, 4)
+		if n, err := cb.Read(readData); err == nil {
+			t.Errorf("Unexpected data %v was arrived to orphaned conn", readData[:n])
+		}
+		close(readDone)
+	}()
+	select {
+	case <-readDone:
+		t.Errorf("Read should be blocked if the other side is closed")
+	case <-time.After(10 * time.Millisecond):
+	}
+	if err := cb.Close(); err != nil {
+		t.Errorf("Unexpected error on Close: %v", err)
+	}
+}

dtls-2.0.9/internal/util/util.go

@@ -0,0 +1,39 @@
+// Package util contains small helpers used across the repo
+package util
+
+import (
+	"encoding/binary"
+)
+
+// BigEndianUint24 returns the value of a big endian uint24
+func BigEndianUint24(raw []byte) uint32 {
+	if len(raw) < 3 {
+		return 0
+	}
+
+	rawCopy := make([]byte, 4)
+	copy(rawCopy[1:], raw)
+	return binary.BigEndian.Uint32(rawCopy)
+}
+
+// PutBigEndianUint24 encodes a uint24 and places into out
+func PutBigEndianUint24(out []byte, in uint32) {
+	tmp := make([]byte, 4)
+	binary.BigEndian.PutUint32(tmp, in)
+	copy(out, tmp[1:])
+}
+
+// PutBigEndianUint48 encodes a uint64 and places into out
+func PutBigEndianUint48(out []byte, in uint64) {
+	tmp := make([]byte, 8)
+	binary.BigEndian.PutUint64(tmp, in)
+	copy(out, tmp[2:])
+}
+
+// Max returns the larger value
+func Max(a, b int) int {
+	if a > b {
+		return a
+	}
+	return b
+}