ddn.net.dtls.server13

DTLS 1.3 server handshake state machine (RFC 9147).

Drives the DTLS 1.3 server handshake as a resumable state machine. The server handles handshakes from a single client, identified by their DatagramEndpoint. The server:

  • Receives ClientHello and optionally performs HelloRetryRequest
  • Sends ServerHello, EncryptedExtensions, Certificate, CertificateVerify, Finished
  • All messages after ServerHello are encrypted with handshake traffic keys
  • Receives client Finished and derives application traffic keys

Uses Tls13KeySchedule for cryptographic key derivation, DtlsTranscriptHash for transcript hashing, and Dtls13ServerKeySchedule for the "dtls13 " HKDF label prefix.

var DTLS_1_3_RECORD_VERSION
class Dtls13Server Dtls13ServerKeySchedule

Types 2

classDtls13ServerKeySchedule : Tls13KeySchedule

DTLS 1.3 key schedule with "dtls13 " HKDF label prefix.

Overrides hkdfExpandLabel to use "dtls13 " instead of "tls13 " per RFC 9147 §5.

Fields
HKDF hkdf13_
size_t hashLen13_
Methods
void setCipherSuite(ushort cipherSuite)Reconfigures the hash algorithm based on the negotiated cipher suite.
ubyte[] hkdfExpandLabel(const(ubyte)[] secret, string label, const(ubyte)[] context, size_t length)HKDF-Expand-Label with "dtls13 " prefix for DTLS 1.3.
Constructors
this()Constructs a DTLS 1.3 key schedule.
classDtls13Server

DTLS 1.3 server handshake engine.

Drives the server side of a DTLS 1.3 handshake over a datagram transport for a single peer. Uses flight-based retransmission with exponential backoff and supports the HelloRetryRequest cookie exchange for DoS mitigation.

Call processDatagram() when data arrives from a client. The server will advance its state machine and send responses as needed.

Fields
DtlsTransport transport_
DtlsTimerSink timer_
DatagramEndpoint clientAddr_
Dtls13ServerPhase phase_
ushort messageSeq_
ushort epoch_
ulong recordSeq_
SecureRandom rng_
DtlsFlight pendingFlight_
int retryCount_
ubyte[32] clientRandom_
ubyte[32] serverRandom_
ubyte[] sharedSecret_
ubyte[] receivedCookie_
X25519PrivateKey ecdhePrivate_
NamedGroup selectedGroup_
DtlsVersion minVersion_
DtlsVersion maxVersion_
string[] alpnProtocols_
SrtpProfile[] srtpProfiles_
string negotiatedAlpn_
CipherSuiteId negotiatedCipher_
DtlsVersion negotiatedVersion_
SrtpProfile negotiatedSrtpProfile_
bool cidEnabled_
ubyte localCidLength_
DtlsConnectionId localCid_
DtlsConnectionId peerCid_
bool cidNegotiated_
const(ubyte)[][] certChainDer_
string privateKeyPem_
Dtls13ServerKeySchedule keySchedule_
DtlsTranscriptHash transcript_
TlsAead writeAead_
TlsAead readAead_
ubyte[] cookieSecret_
DtlsFragmentBuffer reassembly_
ubyte[] pendingDatagram_
bool sessionResumptionEnabled_
uint ticketLifetimeSeconds_
size_t maxEarlyDataSize_
DtlsSessionCallback onSessionTicket_
DtlsEarlyDataCallback onEarlyData_
DtlsTicketKeyManager ticketKeyMgr_
ubyte[] receivedPskTicket_
ubyte[] receivedPskBinder_
bool pskValid_
ubyte[] pskFromTicket_
TlsAead earlyDataAead_
bool earlyDataReceived_
size_t earlyDataBytesReceived_
const(ubyte)[] chBody_
Methods
void setMinVersion(DtlsVersion ver) @safe pure nothrow @nogcSets the minimum DTLS version.
void setMaxVersion(DtlsVersion ver) @safe pure nothrow @nogcSets the maximum DTLS version.
void setAlpnProtocols(string[] protocols) @safe pure nothrowSets the ALPN protocols.
void setSrtpProfiles(SrtpProfile[] profiles) @safe pure nothrow
void setCidConfig(bool enabled, ubyte cidLength = DtlsCidConstants.DEFAULT_CID_LENGTH) @safe pure nothrow @nogcEnables Connection ID and sets the local CID length.
DtlsConnectionId localCid() @property @safe pure nothrow @nogcReturns: The local Connection ID.
DtlsConnectionId peerCid() @property @safe pure nothrow @nogcReturns: The peer's Connection ID.
bool cidNegotiated() @property const @safe pure nothrow @nogcReturns: true if CID was negotiated.
void setSessionResumption(bool enable) @safe pure nothrow @nogcEnables session resumption.
void setTicketLifetime(uint seconds) @safe pure nothrow @nogcSets the session ticket lifetime.
void setMaxEarlyDataSize(size_t bytes) @safe pure nothrow @nogcSets the maximum early data size.
void setOnSessionTicket(DtlsSessionCallback callback) @safe pure nothrowSets the callback for issued session tickets.
bool sessionResumptionEnabled() @property const @safe pure nothrow @nogcReturns: Whether session resumption is enabled.
TlsProgress processDatagram(const(ubyte)[] data) @trustedProcess a received datagram and advance the handshake.
bool processClientHello(const(ubyte)[] datagram)Process a ClientHello datagram.
bool parseClientHelloPayload(const(ubyte)[] payload)Parse a ClientHello handshake payload.
void selectCipherSuite(const(ubyte)[] cipherSuites)Select a cipher suite from the client's offered list.
void parseClientHelloExtensions(const(ubyte)[] extData)Parse extensions from a ClientHello.
void parsePskExtension(const(ubyte)[] data)Parses the presharedkey extension from ClientHello.
bool validatePskBinder(const(ubyte)[] clientHelloBody)Validates the PSK binder against the ClientHello transcript.
bool pskValid() @property const @safe pure nothrow @nogcReturns: Whether a valid PSK was received from the client.
void setTicketKeyManager(DtlsTicketKeyManager mgr) @safe pure nothrowSets the ticket key manager for session resumption.
void setOnEarlyData(DtlsEarlyDataCallback callback) @safe pure nothrowSets the early data callback.
void initEarlyDataKeys()Initializes early traffic keys from the validated PSK.
bool processEarlyDataRecord(const(ubyte)[] recordData, DtlsReplayCache replayCache = null)Attempts to decrypt an early data record.
bool earlyDataReceived() @property const @safe pure nothrow @nogcReturns: true if early data was received.
size_t earlyDataBytesReceived() @property const @safe pure nothrow @nogcReturns: total bytes of early data received.
void negotiateAlpn(const(ubyte)[] alpnData)Negotiate ALPN from the client's extension data.
void parseSupportedGroups(const(ubyte)[] groupsData)Parse supported groups extension to select ECDHE group.
void parseKeyShare(const(ubyte)[] ksData)Parse key_share extension to extract client's ephemeral public key.
void parseSupportedVersions(const(ubyte)[] svData)Parse supported_versions extension to confirm DTLS 1.3 support.
ubyte[] buildHelloRetryRequest(DtlsVersion dtlsVer, ushort msgSeq, const(ubyte)[] cookie)Build a HelloRetryRequest handshake message.
ubyte[] buildServerHello()Build a ServerHello handshake message.
ubyte[] buildEncryptedExtensions()Build an EncryptedExtensions handshake message.
ubyte[] buildCertificate()Build a Certificate handshake message.
ubyte[] buildCertificateVerify()Build a CertificateVerify handshake message.
ubyte[] signCertificateVerify(const(ubyte)[] message)Sign the CertificateVerify message content.
ubyte[] buildFinished()Build a Finished handshake message.
ubyte[] buildNewSessionTicket(DtlsTicketKeyManager ticketKeyMgr)Builds a NewSessionTicket message for session resumption.
bool sendNewSessionTicket(DtlsTicketKeyManager ticketKeyMgr)Builds, encrypts, and sends a NewSessionTicket to the client.
bool processClientFinished(const(ubyte)[] datagram)Process a client Finished datagram.
ubyte[] decryptRecordPayload(const(ubyte)[] payload, DtlsRecordHeader header)Decrypt a record payload using the read AEAD.
bool processClientFinishedPayload(const(ubyte)[] payload)Process a decrypted client Finished payload.
void generateEphemeralKey(NamedGroup group, ref ubyte[] pubKeyBytes)Generate an ephemeral ECDHE key pair.
void performKeyExchange(NamedGroup group, const(ubyte)[] peerPubKey)Perform ECDHE key exchange with the client's public key.
void deriveHandshakeKeys()Derives handshake traffic keys from the shared secret.
void deriveAppKeys()Derives application traffic keys.
size_t cipherKeyLength(CipherSuiteId cs) @safe pure nothrow @nogcReturns the AEAD key length for the given cipher suite.
ubyte[] wrapHandshakeMessage(HandshakeType msgType, const(ubyte)[] body)Wraps a handshake message body in a DTLS handshake header.
ubyte[] wrapInRecord(ContentType contentType, const(ubyte)[] payload)Wraps a handshake message in a DTLS record.
ubyte[] buildDtlsRecord(ContentType contentType, const(ubyte)[] payload)Builds a complete DTLS record with 13-byte header.
ubyte[] encryptRecord(ContentType contentType, const(ubyte)[] plaintext)Encrypts a record payload using the current write AEAD.
const(ubyte)[] receiveDatagram()Receive a datagram from pending buffer or transport.
void sendDatagram(const(ubyte)[] data)Send a datagram via the transport.
void sendFlight(ubyte[][] records)Send a flight of records as a single datagram.
void scheduleRetransmit()Schedule retransmission timer for the current flight.
void retransmitFlight()Retransmit the pending flight.
Dtls13ServerPhase phase() @property const @safe pure nothrow @nogcReturns: The current handshake phase.
CipherSuiteId negotiatedCipher() @property const @safe pure nothrow @nogcReturns: The negotiated cipher suite.
DtlsVersion negotiatedVersion() @property const @safe pure nothrow @nogcReturns: The negotiated DTLS version.
string alpnProtocol() @property const @safe pure nothrowReturns: The negotiated ALPN protocol.
ushort epoch() @property const @safe pure nothrow @nogcReturns: The current epoch.
SrtpProfile negotiatedSrtpProfile() @property const @safe pure nothrow @nogc
ubyte[] srtpMasterSecret() @property @trusted
ubyte[] srtpClientRandom() @property @safe pure nothrow @nogc
ubyte[] srtpServerRandom() @property @safe pure nothrow @nogc
TlsAead writeAead() @propertyReturns: The write AEAD cipher (after key derivation).
TlsAead readAead() @propertyReturns: The read AEAD cipher (after key derivation).
Constructors
this(DtlsTransport transport, DtlsTimerSink timer, DatagramEndpoint clientAddr, const(ubyte)[] cookieSecret, const(ubyte)[][] certChainDer, string privateKeyPem)Constructs a DTLS 1.3 server handshake engine.

Variables 1

enumvarDTLS_1_3_RECORD_VERSION = [0xFE, 0xFD]

DTLS 1.3 record version used on the wire.

DTLS 1.3 uses the same record layer version as DTLS 1.2 (0xFEFD) for backwards compatibility per RFC 9147.