添加 github.com/pion/dtls 代码

2025-08-08 22:08:19 +08:00 · 2021-05-21 19:03:00 +08:00
parent 54a0cb7928
commit 28b5119f50
380 changed files with 16870 additions and 0 deletions
--- a/dtls-2.0.9/pkg/crypto/ciphersuite/cbc.go
+++ b/dtls-2.0.9/pkg/crypto/ciphersuite/cbc.go
@@ -0,0 +1,164 @@
+package ciphersuite
+
+import ( //nolint:gci
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/hmac"
+	"crypto/rand"
+	"encoding/binary"
+	"hash"
+
+	"github.com/pion/dtls/v2/internal/util"
+	"github.com/pion/dtls/v2/pkg/crypto/prf"
+	"github.com/pion/dtls/v2/pkg/protocol"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+// block ciphers using cipher block chaining.
+type cbcMode interface {
+	cipher.BlockMode
+	SetIV([]byte)
+}
+
+// CBC Provides an API to Encrypt/Decrypt DTLS 1.2 Packets
+type CBC struct {
+	writeCBC, readCBC cbcMode
+	writeMac, readMac []byte
+	h                 prf.HashFunc
+}
+
+// NewCBC creates a DTLS CBC Cipher
+func NewCBC(localKey, localWriteIV, localMac, remoteKey, remoteWriteIV, remoteMac []byte, h prf.HashFunc) (*CBC, error) {
+	writeBlock, err := aes.NewCipher(localKey)
+	if err != nil {
+		return nil, err
+	}
+
+	readBlock, err := aes.NewCipher(remoteKey)
+	if err != nil {
+		return nil, err
+	}
+
+	return &CBC{
+		writeCBC: cipher.NewCBCEncrypter(writeBlock, localWriteIV).(cbcMode),
+		writeMac: localMac,
+
+		readCBC: cipher.NewCBCDecrypter(readBlock, remoteWriteIV).(cbcMode),
+		readMac: remoteMac,
+		h:       h,
+	}, nil
+}
+
+// Encrypt encrypt a DTLS RecordLayer message
+func (c *CBC) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	payload := raw[recordlayer.HeaderSize:]
+	raw = raw[:recordlayer.HeaderSize]
+	blockSize := c.writeCBC.BlockSize()
+
+	// Generate + Append MAC
+	h := pkt.Header
+
+	MAC, err := c.hmac(h.Epoch, h.SequenceNumber, h.ContentType, h.Version, payload, c.writeMac, c.h)
+	if err != nil {
+		return nil, err
+	}
+	payload = append(payload, MAC...)
+
+	// Generate + Append padding
+	padding := make([]byte, blockSize-len(payload)%blockSize)
+	paddingLen := len(padding)
+	for i := 0; i < paddingLen; i++ {
+		padding[i] = byte(paddingLen - 1)
+	}
+	payload = append(payload, padding...)
+
+	// Generate IV
+	iv := make([]byte, blockSize)
+	if _, err := rand.Read(iv); err != nil {
+		return nil, err
+	}
+
+	// Set IV + Encrypt + Prepend IV
+	c.writeCBC.SetIV(iv)
+	c.writeCBC.CryptBlocks(payload, payload)
+	payload = append(iv, payload...)
+
+	// Prepend unencrypte header with encrypted payload
+	raw = append(raw, payload...)
+
+	// Update recordLayer size to include IV+MAC+Padding
+	binary.BigEndian.PutUint16(raw[recordlayer.HeaderSize-2:], uint16(len(raw)-recordlayer.HeaderSize))
+
+	return raw, nil
+}
+
+// Decrypt decrypts a DTLS RecordLayer message
+func (c *CBC) Decrypt(in []byte) ([]byte, error) {
+	body := in[recordlayer.HeaderSize:]
+	blockSize := c.readCBC.BlockSize()
+	mac := c.h()
+
+	var h recordlayer.Header
+	err := h.Unmarshal(in)
+	switch {
+	case err != nil:
+		return nil, err
+	case h.ContentType == protocol.ContentTypeChangeCipherSpec:
+		// Nothing to encrypt with ChangeCipherSpec
+		return in, nil
+	case len(body)%blockSize != 0 || len(body) < blockSize+util.Max(mac.Size()+1, blockSize):
+		return nil, errNotEnoughRoomForNonce
+	}
+
+	// Set + remove per record IV
+	c.readCBC.SetIV(body[:blockSize])
+	body = body[blockSize:]
+
+	// Decrypt
+	c.readCBC.CryptBlocks(body, body)
+
+	// Padding+MAC needs to be checked in constant time
+	// Otherwise we reveal information about the level of correctness
+	paddingLen, paddingGood := examinePadding(body)
+	if paddingGood != 255 {
+		return nil, errInvalidMAC
+	}
+
+	macSize := mac.Size()
+	if len(body) < macSize {
+		return nil, errInvalidMAC
+	}
+
+	dataEnd := len(body) - macSize - paddingLen
+
+	expectedMAC := body[dataEnd : dataEnd+macSize]
+	actualMAC, err := c.hmac(h.Epoch, h.SequenceNumber, h.ContentType, h.Version, body[:dataEnd], c.readMac, c.h)
+
+	// Compute Local MAC and compare
+	if err != nil || !hmac.Equal(actualMAC, expectedMAC) {
+		return nil, errInvalidMAC
+	}
+
+	return append(in[:recordlayer.HeaderSize], body[:dataEnd]...), nil
+}
+
+func (c *CBC) hmac(epoch uint16, sequenceNumber uint64, contentType protocol.ContentType, protocolVersion protocol.Version, payload []byte, key []byte, hf func() hash.Hash) ([]byte, error) {
+	h := hmac.New(hf, key)
+
+	msg := make([]byte, 13)
+
+	binary.BigEndian.PutUint16(msg, epoch)
+	util.PutBigEndianUint48(msg[2:], sequenceNumber)
+	msg[8] = byte(contentType)
+	msg[9] = protocolVersion.Major
+	msg[10] = protocolVersion.Minor
+	binary.BigEndian.PutUint16(msg[11:], uint16(len(payload)))
+
+	if _, err := h.Write(msg); err != nil {
+		return nil, err
+	} else if _, err := h.Write(payload); err != nil {
+		return nil, err
+	}
+
+	return h.Sum(nil), nil
+}
--- a/dtls-2.0.9/pkg/crypto/ciphersuite/ccm.go
+++ b/dtls-2.0.9/pkg/crypto/ciphersuite/ccm.go
@@ -0,0 +1,104 @@
+package ciphersuite
+
+import (
+	"crypto/aes"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/pion/dtls/v2/pkg/crypto/ccm"
+	"github.com/pion/dtls/v2/pkg/protocol"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+// CCMTagLen is the length of Authentication Tag
+type CCMTagLen int
+
+// CCM Enums
+const (
+	CCMTagLength8  CCMTagLen = 8
+	CCMTagLength   CCMTagLen = 16
+	ccmNonceLength           = 12
+)
+
+// CCM Provides an API to Encrypt/Decrypt DTLS 1.2 Packets
+type CCM struct {
+	localCCM, remoteCCM         ccm.CCM
+	localWriteIV, remoteWriteIV []byte
+	tagLen                      CCMTagLen
+}
+
+// NewCCM creates a DTLS GCM Cipher
+func NewCCM(tagLen CCMTagLen, localKey, localWriteIV, remoteKey, remoteWriteIV []byte) (*CCM, error) {
+	localBlock, err := aes.NewCipher(localKey)
+	if err != nil {
+		return nil, err
+	}
+	localCCM, err := ccm.NewCCM(localBlock, int(tagLen), ccmNonceLength)
+	if err != nil {
+		return nil, err
+	}
+
+	remoteBlock, err := aes.NewCipher(remoteKey)
+	if err != nil {
+		return nil, err
+	}
+	remoteCCM, err := ccm.NewCCM(remoteBlock, int(tagLen), ccmNonceLength)
+	if err != nil {
+		return nil, err
+	}
+
+	return &CCM{
+		localCCM:      localCCM,
+		localWriteIV:  localWriteIV,
+		remoteCCM:     remoteCCM,
+		remoteWriteIV: remoteWriteIV,
+		tagLen:        tagLen,
+	}, nil
+}
+
+// Encrypt encrypt a DTLS RecordLayer message
+func (c *CCM) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	payload := raw[recordlayer.HeaderSize:]
+	raw = raw[:recordlayer.HeaderSize]
+
+	nonce := append(append([]byte{}, c.localWriteIV[:4]...), make([]byte, 8)...)
+	if _, err := rand.Read(nonce[4:]); err != nil {
+		return nil, err
+	}
+
+	additionalData := generateAEADAdditionalData(&pkt.Header, len(payload))
+	encryptedPayload := c.localCCM.Seal(nil, nonce, payload, additionalData)
+
+	encryptedPayload = append(nonce[4:], encryptedPayload...)
+	raw = append(raw, encryptedPayload...)
+
+	// Update recordLayer size to include explicit nonce
+	binary.BigEndian.PutUint16(raw[recordlayer.HeaderSize-2:], uint16(len(raw)-recordlayer.HeaderSize))
+	return raw, nil
+}
+
+// Decrypt decrypts a DTLS RecordLayer message
+func (c *CCM) Decrypt(in []byte) ([]byte, error) {
+	var h recordlayer.Header
+	err := h.Unmarshal(in)
+	switch {
+	case err != nil:
+		return nil, err
+	case h.ContentType == protocol.ContentTypeChangeCipherSpec:
+		// Nothing to encrypt with ChangeCipherSpec
+		return in, nil
+	case len(in) <= (8 + recordlayer.HeaderSize):
+		return nil, errNotEnoughRoomForNonce
+	}
+
+	nonce := append(append([]byte{}, c.remoteWriteIV[:4]...), in[recordlayer.HeaderSize:recordlayer.HeaderSize+8]...)
+	out := in[recordlayer.HeaderSize+8:]
+
+	additionalData := generateAEADAdditionalData(&h, len(out)-int(c.tagLen))
+	out, err = c.remoteCCM.Open(out[:0], nonce, out, additionalData)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", errDecryptPacket, err)
+	}
+	return append(in[:recordlayer.HeaderSize], out...), nil
+}
--- a/dtls-2.0.9/pkg/crypto/ciphersuite/ciphersuite.go
+++ b/dtls-2.0.9/pkg/crypto/ciphersuite/ciphersuite.go
@@ -0,0 +1,72 @@
+// Package ciphersuite provides the crypto operations needed for a DTLS CipherSuite
+package ciphersuite
+
+import (
+	"encoding/binary"
+	"errors"
+
+	"github.com/pion/dtls/v2/pkg/protocol"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+var (
+	errNotEnoughRoomForNonce = &protocol.InternalError{Err: errors.New("buffer not long enough to contain nonce")} //nolint:goerr113
+	errDecryptPacket         = &protocol.TemporaryError{Err: errors.New("failed to decrypt packet")}               //nolint:goerr113
+	errInvalidMAC            = &protocol.TemporaryError{Err: errors.New("invalid mac")}                            //nolint:goerr113
+)
+
+func generateAEADAdditionalData(h *recordlayer.Header, payloadLen int) []byte {
+	var additionalData [13]byte
+	// SequenceNumber MUST be set first
+	// we only want uint48, clobbering an extra 2 (using uint64, Golang doesn't have uint48)
+	binary.BigEndian.PutUint64(additionalData[:], h.SequenceNumber)
+	binary.BigEndian.PutUint16(additionalData[:], h.Epoch)
+	additionalData[8] = byte(h.ContentType)
+	additionalData[9] = h.Version.Major
+	additionalData[10] = h.Version.Minor
+	binary.BigEndian.PutUint16(additionalData[len(additionalData)-2:], uint16(payloadLen))
+
+	return additionalData[:]
+}
+
+// examinePadding returns, in constant time, the length of the padding to remove
+// from the end of payload. It also returns a byte which is equal to 255 if the
+// padding was valid and 0 otherwise. See RFC 2246, Section 6.2.3.2.
+//
+// https://github.com/golang/go/blob/039c2081d1178f90a8fa2f4e6958693129f8de33/src/crypto/tls/conn.go#L245
+func examinePadding(payload []byte) (toRemove int, good byte) {
+	if len(payload) < 1 {
+		return 0, 0
+	}
+
+	paddingLen := payload[len(payload)-1]
+	t := uint(len(payload)-1) - uint(paddingLen)
+	// if len(payload) >= (paddingLen - 1) then the MSB of t is zero
+	good = byte(int32(^t) >> 31)
+
+	// The maximum possible padding length plus the actual length field
+	toCheck := 256
+	// The length of the padded data is public, so we can use an if here
+	if toCheck > len(payload) {
+		toCheck = len(payload)
+	}
+
+	for i := 0; i < toCheck; i++ {
+		t := uint(paddingLen) - uint(i)
+		// if i <= paddingLen then the MSB of t is zero
+		mask := byte(int32(^t) >> 31)
+		b := payload[len(payload)-1-i]
+		good &^= mask&paddingLen ^ mask&b
+	}
+
+	// We AND together the bits of good and replicate the result across
+	// all the bits.
+	good &= good << 4
+	good &= good << 2
+	good &= good << 1
+	good = uint8(int8(good) >> 7)
+
+	toRemove = int(paddingLen) + 1
+
+	return toRemove, good
+}
--- a/dtls-2.0.9/pkg/crypto/ciphersuite/gcm.go
+++ b/dtls-2.0.9/pkg/crypto/ciphersuite/gcm.go
@@ -0,0 +1,100 @@
+package ciphersuite
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/binary"
+	"fmt"
+
+	"github.com/pion/dtls/v2/pkg/protocol"
+	"github.com/pion/dtls/v2/pkg/protocol/recordlayer"
+)
+
+const (
+	gcmTagLength   = 16
+	gcmNonceLength = 12
+)
+
+// GCM Provides an API to Encrypt/Decrypt DTLS 1.2 Packets
+type GCM struct {
+	localGCM, remoteGCM         cipher.AEAD
+	localWriteIV, remoteWriteIV []byte
+}
+
+// NewGCM creates a DTLS GCM Cipher
+func NewGCM(localKey, localWriteIV, remoteKey, remoteWriteIV []byte) (*GCM, error) {
+	localBlock, err := aes.NewCipher(localKey)
+	if err != nil {
+		return nil, err
+	}
+	localGCM, err := cipher.NewGCM(localBlock)
+	if err != nil {
+		return nil, err
+	}
+
+	remoteBlock, err := aes.NewCipher(remoteKey)
+	if err != nil {
+		return nil, err
+	}
+	remoteGCM, err := cipher.NewGCM(remoteBlock)
+	if err != nil {
+		return nil, err
+	}
+
+	return &GCM{
+		localGCM:      localGCM,
+		localWriteIV:  localWriteIV,
+		remoteGCM:     remoteGCM,
+		remoteWriteIV: remoteWriteIV,
+	}, nil
+}
+
+// Encrypt encrypt a DTLS RecordLayer message
+func (g *GCM) Encrypt(pkt *recordlayer.RecordLayer, raw []byte) ([]byte, error) {
+	payload := raw[recordlayer.HeaderSize:]
+	raw = raw[:recordlayer.HeaderSize]
+
+	nonce := make([]byte, gcmNonceLength)
+	copy(nonce, g.localWriteIV[:4])
+	if _, err := rand.Read(nonce[4:]); err != nil {
+		return nil, err
+	}
+
+	additionalData := generateAEADAdditionalData(&pkt.Header, len(payload))
+	encryptedPayload := g.localGCM.Seal(nil, nonce, payload, additionalData)
+	r := make([]byte, len(raw)+len(nonce[4:])+len(encryptedPayload))
+	copy(r, raw)
+	copy(r[len(raw):], nonce[4:])
+	copy(r[len(raw)+len(nonce[4:]):], encryptedPayload)
+
+	// Update recordLayer size to include explicit nonce
+	binary.BigEndian.PutUint16(r[recordlayer.HeaderSize-2:], uint16(len(r)-recordlayer.HeaderSize))
+	return r, nil
+}
+
+// Decrypt decrypts a DTLS RecordLayer message
+func (g *GCM) Decrypt(in []byte) ([]byte, error) {
+	var h recordlayer.Header
+	err := h.Unmarshal(in)
+	switch {
+	case err != nil:
+		return nil, err
+	case h.ContentType == protocol.ContentTypeChangeCipherSpec:
+		// Nothing to encrypt with ChangeCipherSpec
+		return in, nil
+	case len(in) <= (8 + recordlayer.HeaderSize):
+		return nil, errNotEnoughRoomForNonce
+	}
+
+	nonce := make([]byte, 0, gcmNonceLength)
+	nonce = append(append(nonce, g.remoteWriteIV[:4]...), in[recordlayer.HeaderSize:recordlayer.HeaderSize+8]...)
+	out := in[recordlayer.HeaderSize+8:]
+
+	additionalData := generateAEADAdditionalData(&h, len(out)-gcmTagLength)
+	out, err = g.remoteGCM.Open(out[:0], nonce, out, additionalData)
+	if err != nil {
+		return nil, fmt.Errorf("%w: %v", errDecryptPacket, err)
+	}
+	return append(in[:recordlayer.HeaderSize], out...), nil
+}