Add parsing of flight 0

Author: theodorsm

conn.go

@@ -311,7 +311,7 @@ func (c *Conn) HandshakeContext(ctx context.Context) error { //nolint:cyclop
 	c.closeLock.Unlock()
 
 	if c.isVersion13Enabled() {
-		c.state.version = protocol.Version1_3
+		c.state.localVersion = protocol.Version1_3
 		var initialFlight flightVal
 		if c.state.isClient {
 			initialFlight = flightVal(flight13_1)
@@ -327,7 +327,7 @@ func (c *Conn) HandshakeContext(ctx context.Context) error { //nolint:cyclop
 
 		return nil
 	}
-	c.state.version = protocol.Version1_2
+	c.state.localVersion = protocol.Version1_2
 
 	// rfc5246#section-7.4.3
 	// In addition, the hash and signature algorithms MUST be compatible
@@ -1178,7 +1178,7 @@ func (c *Conn) recvHandshake() <-chan recvHandshakeState {
 
 func (c *Conn) notify(ctx context.Context, level alert.Level, desc alert.Description) error {
 	if level == alert.Fatal && len(c.state.SessionID) > 0 { //nolint:nestif
-		if c.state.version == protocol.Version1_2 {
+		if c.state.localVersion == protocol.Version1_2 {
 			// According to the RFC, we need to delete the stored session.
 			// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
 			if ss := c.fsm.(*handshakeFSM12).cfg.sessionStore; ss != nil { //nolint:forcetypeassert
@@ -1224,7 +1224,7 @@ func (c *Conn) handshake(
 	initialState handshakeState,
 ) error {
 	done := make(chan struct{})
-	if c.state.version == protocol.Version1_3 {
+	if c.state.localVersion == protocol.Version1_3 {
 		c.fsm = &handshakeFSM13{
 			currentFlight:      flightVal13(initialFlight),
 			state:              &c.state,
@@ -1455,7 +1455,7 @@ func (c *Conn) sessionKey() []byte {
 		// As ServerName can be like 0.example.com, it's better to add
 		// delimiter character which is not allowed to be in
 		// neither address or domain name.
-		if c.state.version == protocol.Version1_3 {
+		if c.state.localVersion == protocol.Version1_3 {
 			return []byte(c.rAddr.String() + "_" + c.fsm.(*handshakeFSM13).cfg.serverName) //nolint:forcetypeassert
 		}
 

errors.go

@@ -108,6 +108,8 @@ var (
 	//nolint:err113
 	errUnsupportedProtocolVersion = &FatalError{Err: errors.New("unsupported protocol version")}
 	//nolint:err113
+	errInvalidProtocolVersionState = &FatalError{Err: errors.New("invalid protocol version in state")}
+	//nolint:err113
 	errPSKAndIdentityMustBeSetForClient = &FatalError{
 		Err: errors.New("PSK and PSK Identity Hint must both be set for client"),
 	}
@@ -219,6 +221,10 @@ var (
 	errNilOnConnectionAttempt = &FatalError{
 		Err: errors.New("on connection attempt option requires a non-nil callback"),
 	}
+	//nolint:err113
+	errInvalidGroupInKeyShare = &FatalError{
+		Err: errors.New("groups offered in the key share extension must be included in the supported groups extension"),
+	}
 )
 
 // FatalError indicates that the DTLS connection is no longer available.

flighthandler_13.go

@@ -23,14 +23,19 @@ type flightGenerator13 func(flightConn, *State, *handshakeCache, *handshakeConfi
 
 //nolint:unused
 func (f flightVal13) getFlightParser13() (flightParser13, error) {
-	return nil, errFlightUnimplemented13
+	switch f {
+	case flight13_0:
+		return flight13_0Parse, nil
+	default:
+		return nil, errFlightUnimplemented13
+	}
 }
 
 //nolint:unused
 func (f flightVal13) getFlightGenerator13() (gen flightGenerator13, retransmit bool, err error) {
 	switch f {
 	case flight13_0:
-		return flight13_0Generate, true, nil
+		return flight0Generate, true, nil
 	case flight13_1:
 		return flight13_1Generate, true, nil
 	default:

flighthandlers_client_13.go

@@ -41,8 +41,8 @@ func flight13_1Generate(
 	_ *handshakeCache,
 	cfg *handshakeConfig,
 ) ([]*packet, *alert.Alert, error) {
-	if state.version != protocol.Version1_3 {
-		return nil, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, errUnsupportedProtocolVersion
+	if state.localVersion != protocol.Version1_3 {
+		return nil, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, errInvalidProtocolVersionState
 	}
 	var zeroEpoch uint16
 	state.localEpoch.Store(zeroEpoch)

flighthandlers_server_13.go

@@ -4,9 +4,14 @@
 package dtls
 
 import (
-	"crypto/rand"
+	"context"
+	"slices"
 
+	"github.com/pion/dtls/v3/pkg/crypto/elliptic"
+	"github.com/pion/dtls/v3/pkg/protocol"
 	"github.com/pion/dtls/v3/pkg/protocol/alert"
+	"github.com/pion/dtls/v3/pkg/protocol/extension"
+	"github.com/pion/dtls/v3/pkg/protocol/handshake"
 )
 
 // we'll add the flight handlers for the DTLS 1.3 server here.
@@ -33,31 +38,144 @@ import (
 // | Flight 4c |
 // +-----------+
 
-func flight13_0Generate(
+//nolint:cyclop,gocognit
+func flight13_0Parse(
+	_ context.Context,
 	_ flightConn,
 	state *State,
-	_ *handshakeCache,
+	cache *handshakeCache,
 	cfg *handshakeConfig,
-) ([]*packet, *alert.Alert, error) { //nolint:unparam
-	// Initialize
-	if !cfg.insecureSkipHelloVerify {
-		state.cookie = make([]byte, cookieLength)
-		if _, err := rand.Read(state.cookie); err != nil {
-			return nil, nil, err
+) (flightVal13, *alert.Alert, error) {
+	if state.localVersion != protocol.Version1_3 {
+		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, errInvalidProtocolVersionState
+	}
+	seq, msgs, ok := cache.fullPullMap(0, state.cipherSuite,
+		handshakeCachePullRule{handshake.TypeClientHello, cfg.initialEpoch, true, false},
+	)
+	if !ok {
+		// No valid message received. Keep reading
+		return 0, nil, nil
+	}
+
+	// Connection Identifiers must be negotiated afresh on session resumption.
+	// https://datatracker.ietf.org/doc/html/rfc9146#name-the-connection_id-extension
+	state.setLocalConnectionID(nil)
+	state.remoteConnectionID = nil
+
+	state.handshakeRecvSequence = seq
+
+	var clientHello *handshake.MessageClientHello
+
+	// Validate type
+	if clientHello, ok = msgs[handshake.TypeClientHello].(*handshake.MessageClientHello); !ok {
+		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, nil
+	}
+
+	if !clientHello.Version.Equal(protocol.Version1_2) {
+		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.ProtocolVersion}, errUnsupportedProtocolVersion
+	}
+
+	state.remoteRandom = clientHello.Random
+
+	cipherSuites := []CipherSuite{}
+	for _, id := range clientHello.CipherSuiteIDs {
+		if id == renegotiationInfoSCSV {
+			state.remoteSupportsRenegotiation = true
+
+			continue
 		}
+		if c := cipherSuiteForID(CipherSuiteID(id), cfg.customCipherSuites); c != nil {
+			cipherSuites = append(cipherSuites, c)
+		}
+	}
+
+	// Check for DTLS 1.3 cipher suites?
+	if state.cipherSuite, ok = findMatchingCipherSuite(cipherSuites, cfg.localCipherSuites); !ok {
+		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InsufficientSecurity}, errCipherSuiteNoIntersection
 	}
 
-	var zeroEpoch uint16
-	state.localEpoch.Store(zeroEpoch)
-	state.remoteEpoch.Store(zeroEpoch)
-	if len(cfg.ellipticCurves) < 1 {
-		return nil, nil, errEmptyEllipticCurves
+	for _, val := range clientHello.Extensions {
+		switch ext := val.(type) {
+		case *extension.SupportedEllipticCurves:
+			if len(ext.EllipticCurves) == 0 {
+				return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InsufficientSecurity}, errNoSupportedEllipticCurves
+			}
+			state.remoteGroups = ext.EllipticCurves
+		case *extension.UseSRTP:
+			profile, ok := findMatchingSRTPProfile(cfg.localSRTPProtectionProfiles, ext.ProtectionProfiles)
+			if !ok {
+				return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InsufficientSecurity}, errServerNoMatchingSRTPProfile
+			}
+			state.setSRTPProtectionProfile(profile)
+			state.remoteSRTPMasterKeyIdentifier = ext.MasterKeyIdentifier
+		case *extension.UseExtendedMasterSecret:
+			if cfg.extendedMasterSecret != DisableExtendedMasterSecret {
+				state.extendedMasterSecret = true
+			}
+		case *extension.ServerName:
+			state.serverName = ext.ServerName // remote server name
+		case *extension.RenegotiationInfo:
+			state.remoteSupportsRenegotiation = true
+		case *extension.ALPN:
+			state.peerSupportedProtocols = ext.ProtocolNameList
+		case *extension.ConnectionID:
+			// Only set connection ID to be sent if server supports connection
+			// IDs.
+			if cfg.connectionIDGenerator != nil {
+				state.remoteConnectionID = ext.CID
+			}
+		case *extension.SignatureAlgorithmsCert:
+			// Store the client's certificate signature schemes for later validation
+			state.remoteCertSignatureSchemes = ext.SignatureHashAlgorithms
+		case *extension.SupportedVersions:
+			state.remoteVersions = ext.Versions
+		case *extension.KeyShare:
+			state.remoteKeyEntries = ext.ClientShares
+		}
+	}
+
+	if !slices.Contains(state.remoteVersions, protocol.Version1_3) {
+		// nolint:godox
+		// TODO: This should actually handover the state machine to DTLS 1.2
+		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, errInvalidProtocolVersionState
+	}
+
+	// If the client doesn't support connection IDs, the server should not
+	// expect one to be sent.
+	if state.remoteConnectionID == nil {
+		state.setLocalConnectionID(nil)
+	}
+
+	if cfg.extendedMasterSecret == RequireExtendedMasterSecret && !state.extendedMasterSecret {
+		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InsufficientSecurity}, errServerRequiredButNoClientEMS
+	}
+
+	if state.localKeypair == nil {
+		var err error
+		state.localKeypair, err = elliptic.GenerateKeypair(state.namedCurve)
+		if err != nil {
+			return 0, &alert.Alert{Level: alert.Fatal, Description: alert.IllegalParameter}, err
+		}
+	}
+
+	nextFlight := flight13_2
+
+	var groups []elliptic.Curve
+	for _, entry := range state.remoteKeyEntries {
+		// Clients MUST NOT offer any KeyShareEntry values
+		// for groups not listed in the client's "supported_groups" extension.
+		// Servers MAY check for violations of these rules and abort the
+		// handshake with an "illegal_parameter" alert if one is violated.
+		if !slices.Contains(state.remoteGroups, entry.Group) {
+			return 0, &alert.Alert{Level: alert.Fatal, Description: alert.IllegalParameter}, errInvalidGroupInKeyShare
+		}
+		groups = append(groups, entry.Group)
 	}
-	state.namedCurve = cfg.ellipticCurves[0]
+	state.namedCurve, _ = findMatchingGroup(groups, cfg.ellipticCurves)
 
-	if err := state.localRandom.Populate(); err != nil {
-		return nil, nil, err
+	if cfg.insecureSkipHelloVerify {
+		nextFlight = flight13_4
 	}
 
-	return nil, nil, nil
+	return nextFlight, nil, nil
 }

state.go

@@ -75,9 +75,11 @@ type State struct {
 	peerSupportedProtocols []string
 	NegotiatedProtocol     string
 
-	version          protocol.Version
+	localVersion     protocol.Version
+	remoteVersions   []protocol.Version
 	localKeyEntries  []extension.KeyShareEntry
 	remoteKeyEntries []extension.KeyShareEntry //nolint:unused
+	remoteGroups     []elliptic.Curve
 }
 
 type serializedState struct {
@@ -123,7 +125,7 @@ func (s *State) serialize() (*serializedState, error) {
 	remoteRnd := s.remoteRandom.MarshalFixed()
 
 	epoch := s.getLocalEpoch()
-	version := uint16(s.version.Major)<<8 + uint16(s.version.Minor)
+	version := uint16(s.localVersion.Major)<<8 + uint16(s.localVersion.Minor)
 
 	return &serializedState{
 		LocalEpoch:            s.getLocalEpoch(),
@@ -191,7 +193,7 @@ func (s *State) deserialize(serialized serializedState) {
 
 	major := uint8((serialized.version & 0xff00) >> 8) //nolint:gosec
 	minor := uint8(serialized.version & 0xff)          //nolint:gosec
-	s.version = protocol.Version{Major: major, Minor: minor}
+	s.localVersion = protocol.Version{Major: major, Minor: minor}
 }
 
 func (s *State) initCipherSuite() error {

util.go

@@ -3,7 +3,11 @@
 
 package dtls
 
-import "slices"
+import (
+	"slices"
+
+	"github.com/pion/dtls/v3/pkg/crypto/elliptic"
+)
 
 func findMatchingSRTPProfile(a, b []SRTPProtectionProfile) (SRTPProtectionProfile, bool) {
 	for _, aProfile := range a {
@@ -15,6 +19,18 @@ func findMatchingSRTPProfile(a, b []SRTPProtectionProfile) (SRTPProtectionProfil
 	return 0, false
 }
 
+func findMatchingGroup(a, b []elliptic.Curve) (elliptic.Curve, bool) {
+	for _, aGroup := range a {
+		for _, bGroup := range b {
+			if aGroup == bGroup {
+				return aGroup, true
+			}
+		}
+	}
+
+	return 0, false
+}
+
 func findMatchingCipherSuite(a, b []CipherSuite) (CipherSuite, bool) {
 	for _, aSuite := range a {
 		for _, bSuite := range b {