1 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
2 use crate::msgs::enums::AlertDescription;
3 use crate::msgs::message::{Message, MessagePayload};
4 use crate::msgs::base::Payload;
5 use crate::msgs::handshake::HandshakePayload;
6 use crate::msgs::handshake::HandshakeMessagePayload;
7 use crate::msgs::handshake::NewSessionTicketPayload;
8 use crate::msgs::ccs::ChangeCipherSpecPayload;
9 use crate::msgs::codec::Codec;
10 use crate::msgs::persist;
11 use crate::session::SessionSecrets;
12 use crate::server::ServerSessionImpl;
13 use crate::verify;
14 #[cfg(feature = "logging")]
15 use crate::log::{trace, debug};
16 use crate::error::TLSError;
17 use crate::check::check_message;
18
19 use crate::server::common::{HandshakeDetails, ServerKXDetails, ClientCertDetails};
20 use crate::server::hs;
21
22 use ring::constant_time;
23
24 // --- Process client's Certificate for client auth ---
25 pub struct ExpectCertificate {
26 pub handshake: HandshakeDetails,
27 pub server_kx: ServerKXDetails,
28 pub send_ticket: bool,
29 }
30
31 impl ExpectCertificate {
into_expect_tls12_client_kx(self, cert: Option<ClientCertDetails>) -> hs::NextState32 fn into_expect_tls12_client_kx(self, cert: Option<ClientCertDetails>) -> hs::NextState {
33 Box::new(ExpectClientKX {
34 handshake: self.handshake,
35 server_kx: self.server_kx,
36 client_cert: cert,
37 send_ticket: self.send_ticket,
38 })
39 }
40 }
41
42 impl hs::State for ExpectCertificate {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError43 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
44 let cert_chain = require_handshake_msg!(m, HandshakeType::Certificate, HandshakePayload::Certificate)?;
45 self.handshake.transcript.add_message(&m);
46
47 // If we can't determine if the auth is mandatory, abort
48 let mandatory = sess.config.verifier.client_auth_mandatory(sess.get_sni())
49 .ok_or_else(|| {
50 debug!("could not determine if client auth is mandatory based on SNI");
51 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
52 TLSError::General("client rejected by client_auth_mandatory".into())
53 })?;
54
55 if cert_chain.is_empty() {
56 if !mandatory {
57 debug!("client auth requested but no certificate supplied");
58 self.handshake.transcript.abandon_client_auth();
59 return Ok(self.into_expect_tls12_client_kx(None));
60 }
61 sess.common.send_fatal_alert(AlertDescription::CertificateRequired);
62 return Err(TLSError::NoCertificatesPresented);
63 }
64
65 trace!("certs {:?}", cert_chain);
66
67 sess.config.verifier.verify_client_cert(cert_chain, sess.get_sni())
68 .or_else(|err| {
69 hs::incompatible(sess, "certificate invalid");
70 Err(err)
71 })?;
72
73 let cert = ClientCertDetails::new(cert_chain.clone());
74 Ok(self.into_expect_tls12_client_kx(Some(cert)))
75 }
76 }
77
78 // --- Process client's KeyExchange ---
79 pub struct ExpectClientKX {
80 pub handshake: HandshakeDetails,
81 pub server_kx: ServerKXDetails,
82 pub client_cert: Option<ClientCertDetails>,
83 pub send_ticket: bool,
84 }
85
86 impl ExpectClientKX {
into_expect_tls12_certificate_verify(self, secrets: SessionSecrets) -> hs::NextState87 fn into_expect_tls12_certificate_verify(self, secrets: SessionSecrets) -> hs::NextState {
88 Box::new(ExpectCertificateVerify {
89 secrets,
90 handshake: self.handshake,
91 client_cert: self.client_cert.unwrap(),
92 send_ticket: self.send_ticket,
93 })
94 }
95
into_expect_tls12_ccs(self, secrets: SessionSecrets) -> hs::NextState96 fn into_expect_tls12_ccs(self, secrets: SessionSecrets) -> hs::NextState {
97 Box::new(ExpectCCS {
98 secrets,
99 handshake: self.handshake,
100 resuming: false,
101 send_ticket: self.send_ticket,
102 })
103 }
104 }
105
106 impl hs::State for ExpectClientKX {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError107 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
108 let client_kx = require_handshake_msg!(m, HandshakeType::ClientKeyExchange, HandshakePayload::ClientKeyExchange)?;
109 self.handshake.transcript.add_message(&m);
110
111 // Complete key agreement, and set up encryption with the
112 // resulting premaster secret.
113 let kx = self.server_kx.take_kx();
114 if !kx.check_client_params(&client_kx.0) {
115 sess.common.send_fatal_alert(AlertDescription::DecodeError);
116 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
117 }
118
119 let kxd = kx.server_complete(&client_kx.0)
120 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange completion failed"
121 .to_string()))?;
122
123 let hashalg = sess.common.get_suite_assert().get_hash();
124 let secrets = if self.handshake.using_ems {
125 let handshake_hash = self.handshake.transcript.get_current_hash();
126 SessionSecrets::new_ems(&self.handshake.randoms,
127 &handshake_hash,
128 hashalg,
129 &kxd.shared_secret)
130 } else {
131 SessionSecrets::new(&self.handshake.randoms,
132 hashalg,
133 &kxd.shared_secret)
134 };
135 sess.config.key_log.log("CLIENT_RANDOM",
136 &secrets.randoms.client,
137 &secrets.master_secret);
138 sess.common.start_encryption_tls12(&secrets);
139
140 if self.client_cert.is_some() {
141 Ok(self.into_expect_tls12_certificate_verify(secrets))
142 } else {
143 Ok(self.into_expect_tls12_ccs(secrets))
144 }
145 }
146 }
147
148 // --- Process client's certificate proof ---
149 pub struct ExpectCertificateVerify {
150 secrets: SessionSecrets,
151 handshake: HandshakeDetails,
152 client_cert: ClientCertDetails,
153 send_ticket: bool,
154 }
155
156 impl ExpectCertificateVerify {
into_expect_tls12_ccs(self) -> hs::NextState157 fn into_expect_tls12_ccs(self) -> hs::NextState {
158 Box::new(ExpectCCS {
159 secrets: self.secrets,
160 handshake: self.handshake,
161 resuming: false,
162 send_ticket: self.send_ticket,
163 })
164 }
165 }
166
167 impl hs::State for ExpectCertificateVerify {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError168 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
169 let rc = {
170 let sig = require_handshake_msg!(m, HandshakeType::CertificateVerify, HandshakePayload::CertificateVerify)?;
171 let handshake_msgs = self.handshake.transcript.take_handshake_buf();
172 let certs = &self.client_cert.cert_chain;
173
174 sess.config
175 .get_verifier()
176 .verify_tls12_signature(&handshake_msgs, &certs[0], sig)
177 };
178
179 if let Err(e) = rc {
180 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
181 return Err(e);
182 }
183
184 trace!("client CertificateVerify OK");
185 sess.client_cert_chain = Some(self.client_cert.take_chain());
186
187 self.handshake.transcript.add_message(&m);
188 Ok(self.into_expect_tls12_ccs())
189 }
190 }
191
192 // --- Process client's ChangeCipherSpec ---
193 pub struct ExpectCCS {
194 pub secrets: SessionSecrets,
195 pub handshake: HandshakeDetails,
196 pub resuming: bool,
197 pub send_ticket: bool,
198 }
199
200 impl ExpectCCS {
into_expect_tls12_finished(self) -> hs::NextState201 fn into_expect_tls12_finished(self) -> hs::NextState {
202 Box::new(ExpectFinished {
203 secrets: self.secrets,
204 handshake: self.handshake,
205 resuming: self.resuming,
206 send_ticket: self.send_ticket,
207 })
208 }
209 }
210
211 impl hs::State for ExpectCCS {
handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError212 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
213 check_message(&m, &[ContentType::ChangeCipherSpec], &[])?;
214
215 // CCS should not be received interleaved with fragmented handshake-level
216 // message.
217 hs::check_aligned_handshake(sess)?;
218
219 sess.common
220 .record_layer
221 .start_decrypting();
222 Ok(self.into_expect_tls12_finished())
223 }
224 }
225
226 // --- Process client's Finished ---
get_server_session_value_tls12(secrets: &SessionSecrets, handshake: &HandshakeDetails, sess: &ServerSessionImpl) -> persist::ServerSessionValue227 fn get_server_session_value_tls12(secrets: &SessionSecrets,
228 handshake: &HandshakeDetails,
229 sess: &ServerSessionImpl) -> persist::ServerSessionValue {
230 let scs = sess.common.get_suite_assert();
231 let version = ProtocolVersion::TLSv1_2;
232 let secret = secrets.get_master_secret();
233
234 let mut v = persist::ServerSessionValue::new(
235 sess.get_sni(), version,
236 scs.suite, secret,
237 &sess.client_cert_chain,
238 sess.alpn_protocol.clone(),
239 sess.resumption_data.clone(),
240 );
241
242 if handshake.using_ems {
243 v.set_extended_ms_used();
244 }
245
246 v
247 }
248
emit_ticket(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl)249 pub fn emit_ticket(secrets: &SessionSecrets,
250 handshake: &mut HandshakeDetails,
251 sess: &mut ServerSessionImpl) {
252 // If we can't produce a ticket for some reason, we can't
253 // report an error. Send an empty one.
254 let plain = get_server_session_value_tls12(secrets, handshake, sess)
255 .get_encoding();
256 let ticket = sess.config
257 .ticketer
258 .encrypt(&plain)
259 .unwrap_or_else(Vec::new);
260 let ticket_lifetime = sess.config.ticketer.get_lifetime();
261
262 let m = Message {
263 typ: ContentType::Handshake,
264 version: ProtocolVersion::TLSv1_2,
265 payload: MessagePayload::Handshake(HandshakeMessagePayload {
266 typ: HandshakeType::NewSessionTicket,
267 payload:
268 HandshakePayload::NewSessionTicket(NewSessionTicketPayload::new(ticket_lifetime,
269 ticket)),
270 }),
271 };
272
273 handshake.transcript.add_message(&m);
274 sess.common.send_msg(m, false);
275 }
276
emit_ccs(sess: &mut ServerSessionImpl)277 pub fn emit_ccs(sess: &mut ServerSessionImpl) {
278 let m = Message {
279 typ: ContentType::ChangeCipherSpec,
280 version: ProtocolVersion::TLSv1_2,
281 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
282 };
283
284 sess.common.send_msg(m, false);
285 }
286
emit_finished(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl)287 pub fn emit_finished(secrets: &SessionSecrets,
288 handshake: &mut HandshakeDetails,
289 sess: &mut ServerSessionImpl) {
290 let vh = handshake.transcript.get_current_hash();
291 let verify_data = secrets.server_verify_data(&vh);
292 let verify_data_payload = Payload::new(verify_data);
293
294 let f = Message {
295 typ: ContentType::Handshake,
296 version: ProtocolVersion::TLSv1_2,
297 payload: MessagePayload::Handshake(HandshakeMessagePayload {
298 typ: HandshakeType::Finished,
299 payload: HandshakePayload::Finished(verify_data_payload),
300 }),
301 };
302
303 handshake.transcript.add_message(&f);
304 sess.common.send_msg(f, true);
305 }
306
307 pub struct ExpectFinished {
308 secrets: SessionSecrets,
309 handshake: HandshakeDetails,
310 resuming: bool,
311 send_ticket: bool,
312 }
313
314 impl ExpectFinished {
into_expect_tls12_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState315 fn into_expect_tls12_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState {
316 Box::new(ExpectTraffic {
317 secrets: self.secrets,
318 _fin_verified: fin,
319 })
320 }
321 }
322
323 impl hs::State for ExpectFinished {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError324 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
325 let finished = require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
326
327 hs::check_aligned_handshake(sess)?;
328
329 let vh = self.handshake.transcript.get_current_hash();
330 let expect_verify_data = self.secrets.client_verify_data(&vh);
331
332 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
333 .map_err(|_| {
334 sess.common.send_fatal_alert(AlertDescription::DecryptError);
335 TLSError::DecryptError
336 })
337 .map(|_| verify::FinishedMessageVerified::assertion())?;
338
339 // Save session, perhaps
340 if !self.resuming && !self.handshake.session_id.is_empty() {
341 let value = get_server_session_value_tls12(&self.secrets, &self.handshake, sess);
342
343 let worked = sess.config.session_storage
344 .put(self.handshake.session_id.get_encoding(), value.get_encoding());
345 if worked {
346 debug!("Session saved");
347 } else {
348 debug!("Session not saved");
349 }
350 }
351
352 // Send our CCS and Finished.
353 self.handshake.transcript.add_message(&m);
354 if !self.resuming {
355 if self.send_ticket {
356 emit_ticket(&self.secrets,
357 &mut self.handshake,
358 sess);
359 }
360 emit_ccs(sess);
361 sess.common
362 .record_layer
363 .start_encrypting();
364 emit_finished(&self.secrets, &mut self.handshake, sess);
365 }
366
367 sess.common.start_traffic();
368 Ok(self.into_expect_tls12_traffic(fin))
369 }
370 }
371
372 // --- Process traffic ---
373 pub struct ExpectTraffic {
374 secrets: SessionSecrets,
375 _fin_verified: verify::FinishedMessageVerified,
376 }
377
378 impl ExpectTraffic {
379 }
380
381 impl hs::State for ExpectTraffic {
handle(self: Box<Self>, sess: &mut ServerSessionImpl, mut m: Message) -> hs::NextStateOrError382 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, mut m: Message) -> hs::NextStateOrError {
383 check_message(&m, &[ContentType::ApplicationData], &[])?;
384 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
385 Ok(self)
386 }
387
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>388 fn export_keying_material(&self,
389 output: &mut [u8],
390 label: &[u8],
391 context: Option<&[u8]>) -> Result<(), TLSError> {
392 self.secrets.export_keying_material(output, label, context);
393 Ok(())
394 }
395 }
396