rustls/conn/
kernel.rs

1//! Kernel connection API.
2//!
3//! This module gives you the bare minimum you need to implement a TLS connection
4//! that does its own encryption and decryption while still using rustls to manage
5//! connection secrets and session tickets. It is intended for use cases like kTLS
6//! where you want to use rustls to establish the connection but want to use
7//! something else to do the encryption/decryption after that.
8//!
9//! There are only two things that [`KernelConnection`] is able to do:
10//! 1. Compute new traffic secrets when a key update occurs.
11//! 2. Save received session tickets sent by a server peer.
12//!
13//! That's it. Everything else you will need to implement yourself.
14//!
15//! # Entry Point
16//! The entry points into this API are
17//! [`UnbufferedClientConnection::dangerous_into_kernel_connection`][client-into]
18//! and
19//! [`UnbufferedServerConnection::dangerous_into_kernel_connection`][server-into].
20//!
21//! In order to actually create an [`KernelConnection`] all of the following
22//! must be true:
23//! - the connection must have completed its handshake,
24//! - the connection must have no buffered TLS data waiting to be sent, and,
25//! - the config used to create the connection must have `enable_extract_secrets`
26//!   set to true.
27//!
28//! This sounds fairly complicated to achieve at first glance. However, if you
29//! drive an unbuffered connection through the handshake until it returns
30//! [`WriteTraffic`] then it will end up in an appropriate state to convert
31//! into an external connection.
32//!
33//! [client-into]: crate::client::UnbufferedClientConnection::dangerous_into_kernel_connection
34//! [server-into]: crate::server::UnbufferedServerConnection::dangerous_into_kernel_connection
35//! [`WriteTraffic`]: crate::unbuffered::ConnectionState::WriteTraffic
36//!
37//! # Cipher Suite Confidentiality Limits
38//! Some cipher suites (notably AES-GCM) have vulnerabilities where they are no
39//! longer secure once a certain number of messages have been sent. Normally,
40//! rustls tracks how many messages have been written or read and will
41//! automatically either refresh keys or emit an error when approaching the
42//! confidentiality limit of the cipher suite.
43//!
44//! [`KernelConnection`] has no way to track this. It is the responsibility
45//! of the user of the API to track approximately how many messages have been
46//! sent and either refresh the traffic keys or abort the connection before the
47//! confidentiality limit is reached.
48//!
49//! You can find the current confidentiality limit by looking at
50//! [`CipherSuiteCommon::confidentiality_limit`] for the cipher suite selected
51//! by the connection.
52//!
53//! [`CipherSuiteCommon::confidentiality_limit`]: crate::CipherSuiteCommon::confidentiality_limit
54//! [`KernelConnection`]: crate::kernel::KernelConnection
55
56use alloc::boxed::Box;
57use core::marker::PhantomData;
58
59use crate::client::ClientConnectionData;
60use crate::common_state::Protocol;
61use crate::msgs::codec::Codec;
62use crate::msgs::handshake::{CertificateChain, NewSessionTicketPayloadTls13};
63use crate::quic::Quic;
64use crate::{CommonState, ConnectionTrafficSecrets, Error, ProtocolVersion, SupportedCipherSuite};
65
66/// A kernel connection.
67///
68/// This does not directly wrap a kernel connection, rather it gives you the
69/// minimal interfaces you need to implement a well-behaved TLS connection on
70/// top of kTLS.
71///
72/// See the [`crate::kernel`] module docs for more details.
73pub struct KernelConnection<Data> {
74    state: Box<dyn KernelState>,
75
76    peer_certificates: Option<CertificateChain<'static>>,
77    quic: Quic,
78
79    negotiated_version: ProtocolVersion,
80    protocol: Protocol,
81    suite: SupportedCipherSuite,
82
83    _data: PhantomData<Data>,
84}
85
86impl<Data> KernelConnection<Data> {
87    pub(crate) fn new(state: Box<dyn KernelState>, common: CommonState) -> Result<Self, Error> {
88        Ok(Self {
89            state,
90
91            peer_certificates: common.peer_certificates,
92            quic: common.quic,
93            negotiated_version: common
94                .negotiated_version
95                .ok_or(Error::HandshakeNotComplete)?,
96            protocol: common.protocol,
97            suite: common
98                .suite
99                .ok_or(Error::HandshakeNotComplete)?,
100
101            _data: PhantomData,
102        })
103    }
104
105    /// Retrieves the ciphersuite agreed with the peer.
106    pub fn negotiated_cipher_suite(&self) -> SupportedCipherSuite {
107        self.suite
108    }
109
110    /// Retrieves the protocol version agreed with the peer.
111    pub fn protocol_version(&self) -> ProtocolVersion {
112        self.negotiated_version
113    }
114
115    /// Update the traffic secret used for encrypting messages sent to the peer.
116    ///
117    /// Returns the new traffic secret and initial sequence number to use.
118    ///
119    /// In order to use the new secret you should send a TLS 1.3 key update to
120    /// the peer and then use the new traffic secrets to encrypt any future
121    /// messages.
122    ///
123    /// Note that it is only possible to update the traffic secrets on a TLS 1.3
124    /// connection. Attempting to do so on a non-TLS 1.3 connection will result
125    /// in an error.
126    pub fn update_tx_secret(&mut self) -> Result<(u64, ConnectionTrafficSecrets), Error> {
127        // The sequence number always starts at 0 after a key update.
128        self.state
129            .update_secrets(Direction::Transmit)
130            .map(|secret| (0, secret))
131    }
132
133    /// Update the traffic secret used for decrypting messages received from the
134    /// peer.
135    ///
136    /// Returns the new traffic secret and initial sequence number to use.
137    ///
138    /// You should call this method once you receive a TLS 1.3 key update message
139    /// from the peer.
140    ///
141    /// Note that it is only possible to update the traffic secrets on a TLS 1.3
142    /// connection. Attempting to do so on a non-TLS 1.3 connection will result
143    /// in an error.
144    pub fn update_rx_secret(&mut self) -> Result<(u64, ConnectionTrafficSecrets), Error> {
145        // The sequence number always starts at 0 after a key update.
146        self.state
147            .update_secrets(Direction::Receive)
148            .map(|secret| (0, secret))
149    }
150}
151
152impl KernelConnection<ClientConnectionData> {
153    /// Handle a `new_session_ticket` message from the peer.
154    ///
155    /// This will register the session ticket within with rustls so that it can
156    /// be used to establish future TLS connections.
157    ///
158    /// # Getting the right payload
159    ///
160    /// This method expects to be passed the inner payload of the handshake
161    /// message. This means that you will need to parse the header of the
162    /// handshake message in order to determine the correct payload to pass in.
163    /// The message format is described in [RFC 8446 section 4][0]. `payload`
164    /// should not include the `msg_type` or `length` fields.
165    ///
166    /// Code to parse out the payload should look something like this
167    /// ```no_run
168    /// use rustls::{ContentType, HandshakeType};
169    /// use rustls::kernel::KernelConnection;
170    /// use rustls::client::ClientConnectionData;
171    ///
172    /// # fn doctest(conn: &mut KernelConnection<ClientConnectionData>, typ: ContentType, message: &[u8]) -> Result<(), rustls::Error> {
173    /// let conn: &mut KernelConnection<ClientConnectionData> = // ...
174    /// #   conn;
175    /// let typ: ContentType = // ...
176    /// #   typ;
177    /// let mut message: &[u8] = // ...
178    /// #   message;
179    ///
180    /// // Processing for other messages not included in this example
181    /// assert_eq!(typ, ContentType::Handshake);
182    ///
183    /// // There may be multiple handshake payloads within a single handshake message.
184    /// while !message.is_empty() {
185    ///     let (typ, len, rest) = match message {
186    ///         &[typ, a, b, c, ref rest @ ..] => (
187    ///             HandshakeType::from(typ),
188    ///             u32::from_be_bytes([0, a, b, c]) as usize,
189    ///             rest
190    ///         ),
191    ///         _ => panic!("error handling not included in this example")
192    ///     };
193    ///
194    ///     // Processing for other messages not included in this example.
195    ///     assert_eq!(typ, HandshakeType::NewSessionTicket);
196    ///     assert!(rest.len() >= len, "invalid handshake message");
197    ///
198    ///     let (payload, rest) = rest.split_at(len);
199    ///     message = rest;
200    ///
201    ///     conn.handle_new_session_ticket(payload)?;
202    /// }
203    /// # Ok(())
204    /// # }
205    /// ```
206    ///
207    /// # Errors
208    /// This method will return an error if:
209    /// - This connection is not a TLS 1.3 connection (in TLS 1.2 session tickets
210    ///   are sent as part of the handshake).
211    /// - The provided payload is not a valid `new_session_ticket` payload or has
212    ///   extra unparsed trailing data.
213    /// - An error occurs while the connection updates the session ticket store.
214    ///
215    /// [0]: https://datatracker.ietf.org/doc/html/rfc8446#section-4
216    pub fn handle_new_session_ticket(&mut self, payload: &[u8]) -> Result<(), Error> {
217        // We want to return a more specific error here first if this is called
218        // on a non-TLS 1.3 connection since a parsing error isn't the real issue
219        // here.
220        if self.protocol_version() != ProtocolVersion::TLSv1_3 {
221            return Err(Error::General(
222                "TLS 1.2 session tickets may not be sent once the handshake has completed".into(),
223            ));
224        }
225
226        let nst = NewSessionTicketPayloadTls13::read_bytes(payload)?;
227        let mut cx = KernelContext {
228            peer_certificates: self.peer_certificates.as_ref(),
229            protocol: self.protocol,
230            quic: &self.quic,
231        };
232        self.state
233            .handle_new_session_ticket(&mut cx, &nst)
234    }
235}
236
237pub(crate) trait KernelState: Send + Sync {
238    /// Update the traffic secret for the specified direction on the connection.
239    fn update_secrets(&mut self, dir: Direction) -> Result<ConnectionTrafficSecrets, Error>;
240
241    /// Handle a new session ticket.
242    ///
243    /// This will only ever be called for client connections, as [`KernelConnection`]
244    /// only exposes the relevant API for client connections.
245    fn handle_new_session_ticket(
246        &mut self,
247        cx: &mut KernelContext<'_>,
248        message: &NewSessionTicketPayloadTls13,
249    ) -> Result<(), Error>;
250}
251
252pub(crate) struct KernelContext<'a> {
253    pub(crate) peer_certificates: Option<&'a CertificateChain<'static>>,
254    pub(crate) protocol: Protocol,
255    pub(crate) quic: &'a Quic,
256}
257
258impl KernelContext<'_> {
259    pub(crate) fn is_quic(&self) -> bool {
260        self.protocol == Protocol::Quic
261    }
262}
263
264#[derive(Copy, Clone, Debug, Eq, PartialEq)]
265pub(crate) enum Direction {
266    Transmit,
267    Receive,
268}