-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathsession-wire.go
102 lines (84 loc) · 2.22 KB
/
session-wire.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
package jess
import (
"errors"
"fmt"
"github.com/safing/jess/tools"
)
const (
wireStateInit uint8 = iota
wireStateIdle
wireStateSendKey
wireStateAwaitKey
wireStateSendApply
wireStatsAwaitApply
)
var (
// Re-exchange keys every x messages.
// At 10_000_000 msgs with 1500 bytes per msg, this would result in
// re-exchanging keys every 15 GB.
wireReKeyAfterMsgs uint64 = 10_000_000
requiredWireSessionRequirements = NewRequirements().Remove(SenderAuthentication)
)
// WireSession holds session information specific to communication over a network connection.
type WireSession struct { //nolint:maligned // TODO
session *Session
server bool
msgNo uint64
lastReKeyAtMsgNo uint64
sendKeyCarryover []byte
recvKeyCarryover []byte
// key mgmt state
eKXSignets []*kxPair
eKESignets []*kePair
handshakeState uint8
newKeyMaterial [][]byte
}
// kxPair is key exchange pair.
type kxPair struct {
tool tools.ToolLogic
signet *Signet
peer *Signet
}
// kePair is key encapsulation "pair".
type kePair struct {
tool tools.ToolLogic
signet *Signet
seal *Seal
}
// initWireSession is called after newSession() to make a wire session from a regular one.
func (s *Session) initWireSession() error {
// check required requirements
err := s.toolRequirements.CheckComplianceTo(requiredWireSessionRequirements)
if err != nil {
return err
}
// check for currently unsupported features
for _, tool := range s.all {
switch tool.Info().Purpose {
case tools.PurposePassDerivation,
tools.PurposeSigning:
return fmt.Errorf("wire sessions currently do not support %s", tool.Info().Name)
}
}
// check for static pre shared keys
err = s.envelope.LoopSecrets(SignetSchemeKey, func(signet *Signet) error {
return errors.New("wire sessions currently do not support pre-shared keys")
})
if err != nil {
return err
}
s.wire = &WireSession{
session: s,
}
return nil
}
// Server marks a wire session as being in the role of the server, rather than the client.
func (s *Session) Server() {
if s.wire != nil {
s.wire.server = true
}
}
// reKeyNeeded returns whether rekeying is needed.
func (w *WireSession) reKeyNeeded() bool {
return w.msgNo-w.lastReKeyAtMsgNo > wireReKeyAfterMsgs
}