1 #[cfg(feature = "quic")]
2 use crate::check::check_message;
3 use crate::check::{inappropriate_handshake_message, inappropriate_message};
4 use crate::conn::{CommonState, ConnectionRandoms, State};
5 use crate::error::Error;
6 use crate::hash_hs::HandshakeHash;
7 use crate::key::Certificate;
8 #[cfg(feature = "logging")]
9 use crate::log::{debug, trace, warn};
10 use crate::msgs::codec::Codec;
11 use crate::msgs::enums::{AlertDescription, KeyUpdateRequest};
12 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
13 use crate::msgs::handshake::HandshakeMessagePayload;
14 use crate::msgs::handshake::HandshakePayload;
15 use crate::msgs::handshake::NewSessionTicketPayloadTLS13;
16 use crate::msgs::message::{Message, MessagePayload};
17 use crate::msgs::persist;
18 use crate::rand;
19 use crate::server::ServerConfig;
20 use crate::tls13::key_schedule::{KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending};
21 use crate::tls13::Tls13CipherSuite;
22 use crate::verify;
23 #[cfg(feature = "quic")]
24 use crate::{conn::Protocol, msgs::handshake::NewSessionTicketExtension};
25
26 use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
27 use super::server_conn::ServerConnectionData;
28
29 use std::sync::Arc;
30
31 use ring::constant_time;
32
33 pub(super) use client_hello::CompleteClientHelloHandling;
34
35 mod client_hello {
36 use crate::kx;
37 use crate::msgs::base::{Payload, PayloadU8};
38 use crate::msgs::ccs::ChangeCipherSpecPayload;
39 use crate::msgs::enums::{Compression, PSKKeyExchangeMode};
40 use crate::msgs::enums::{NamedGroup, SignatureScheme};
41 use crate::msgs::handshake::CertReqExtension;
42 use crate::msgs::handshake::CertificateEntry;
43 use crate::msgs::handshake::CertificateExtension;
44 use crate::msgs::handshake::CertificatePayloadTLS13;
45 use crate::msgs::handshake::CertificateRequestPayloadTLS13;
46 use crate::msgs::handshake::CertificateStatus;
47 use crate::msgs::handshake::ClientHelloPayload;
48 use crate::msgs::handshake::DigitallySignedStruct;
49 use crate::msgs::handshake::HelloRetryExtension;
50 use crate::msgs::handshake::HelloRetryRequest;
51 use crate::msgs::handshake::KeyShareEntry;
52 use crate::msgs::handshake::Random;
53 use crate::msgs::handshake::ServerExtension;
54 use crate::msgs::handshake::ServerHelloPayload;
55 use crate::msgs::handshake::SessionID;
56 #[cfg(feature = "quic")]
57 use crate::quic;
58 use crate::server::common::ActiveCertifiedKey;
59 use crate::sign;
60 use crate::tls13::key_schedule::{
61 KeyScheduleEarly, KeyScheduleHandshake, KeyScheduleNonSecret,
62 };
63
64 use super::*;
65
66 pub(in crate::server) struct CompleteClientHelloHandling {
67 pub(in crate::server) config: Arc<ServerConfig>,
68 pub(in crate::server) transcript: HandshakeHash,
69 pub(in crate::server) suite: &'static Tls13CipherSuite,
70 pub(in crate::server) randoms: ConnectionRandoms,
71 pub(in crate::server) done_retry: bool,
72 pub(in crate::server) send_ticket: bool,
73 pub(in crate::server) extra_exts: Vec<ServerExtension>,
74 }
75
76 impl CompleteClientHelloHandling {
check_binder( &self, suite: &'static Tls13CipherSuite, client_hello: &Message, psk: &[u8], binder: &[u8], ) -> bool77 fn check_binder(
78 &self,
79 suite: &'static Tls13CipherSuite,
80 client_hello: &Message,
81 psk: &[u8],
82 binder: &[u8],
83 ) -> bool {
84 let binder_plaintext = match client_hello.payload {
85 MessagePayload::Handshake(ref hmp) => hmp.get_encoding_for_binder_signing(),
86 _ => unreachable!(),
87 };
88
89 let handshake_hash = self
90 .transcript
91 .get_hash_given(&binder_plaintext);
92
93 let key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, psk);
94 let real_binder =
95 key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
96
97 constant_time::verify_slices_are_equal(real_binder.as_ref(), binder).is_ok()
98 }
99
attempt_tls13_ticket_decryption( &mut self, ticket: &[u8], ) -> Option<persist::ServerSessionValue>100 fn attempt_tls13_ticket_decryption(
101 &mut self,
102 ticket: &[u8],
103 ) -> Option<persist::ServerSessionValue> {
104 if self.config.ticketer.enabled() {
105 self.config
106 .ticketer
107 .decrypt(ticket)
108 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
109 } else {
110 self.config
111 .session_storage
112 .take(ticket)
113 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
114 }
115 }
116
handle_client_hello( mut self, cx: &mut ServerContext<'_>, server_key: ActiveCertifiedKey, chm: &Message, client_hello: &ClientHelloPayload, mut sigschemes_ext: Vec<SignatureScheme>, ) -> hs::NextStateOrError117 pub(in crate::server) fn handle_client_hello(
118 mut self,
119 cx: &mut ServerContext<'_>,
120 server_key: ActiveCertifiedKey,
121 chm: &Message,
122 client_hello: &ClientHelloPayload,
123 mut sigschemes_ext: Vec<SignatureScheme>,
124 ) -> hs::NextStateOrError {
125 if client_hello.compression_methods.len() != 1 {
126 return Err(cx
127 .common
128 .illegal_param("client offered wrong compressions"));
129 }
130
131 let groups_ext = client_hello
132 .get_namedgroups_extension()
133 .ok_or_else(|| hs::incompatible(&mut cx.common, "client didn't describe groups"))?;
134
135 let tls13_schemes = sign::supported_sign_tls13();
136 sigschemes_ext.retain(|scheme| tls13_schemes.contains(scheme));
137
138 let shares_ext = client_hello
139 .get_keyshare_extension()
140 .ok_or_else(|| hs::incompatible(&mut cx.common, "client didn't send keyshares"))?;
141
142 if client_hello.has_keyshare_extension_with_duplicates() {
143 return Err(cx
144 .common
145 .illegal_param("client sent duplicate keyshares"));
146 }
147
148 // choose a share that we support
149 let chosen_share = self
150 .config
151 .kx_groups
152 .iter()
153 .find_map(|group| {
154 shares_ext
155 .iter()
156 .find(|share| share.group == group.name)
157 });
158
159 let chosen_share = match chosen_share {
160 Some(s) => s,
161 None => {
162 // We don't have a suitable key share. Choose a suitable group and
163 // send a HelloRetryRequest.
164 let retry_group_maybe = self
165 .config
166 .kx_groups
167 .iter()
168 .find(|group| groups_ext.contains(&group.name))
169 .cloned();
170
171 self.transcript.add_message(chm);
172
173 if let Some(group) = retry_group_maybe {
174 if self.done_retry {
175 return Err(cx
176 .common
177 .illegal_param("did not follow retry request"));
178 }
179
180 emit_hello_retry_request(
181 &mut self.transcript,
182 self.suite,
183 &mut cx.common,
184 group.name,
185 );
186 emit_fake_ccs(&mut cx.common);
187 return Ok(Box::new(hs::ExpectClientHello {
188 config: self.config,
189 transcript: HandshakeHashOrBuffer::Hash(self.transcript),
190 #[cfg(feature = "tls12")]
191 session_id: SessionID::empty(),
192 #[cfg(feature = "tls12")]
193 using_ems: false,
194 done_retry: true,
195 send_ticket: self.send_ticket,
196 extra_exts: self.extra_exts,
197 }));
198 }
199
200 return Err(hs::incompatible(
201 &mut cx.common,
202 "no kx group overlap with client",
203 ));
204 }
205 };
206
207 let mut chosen_psk_index = None;
208 let mut resumedata = None;
209 if let Some(psk_offer) = client_hello.get_psk() {
210 if !client_hello.check_psk_ext_is_last() {
211 return Err(cx
212 .common
213 .illegal_param("psk extension in wrong position"));
214 }
215
216 if psk_offer.binders.is_empty() {
217 return Err(hs::decode_error(
218 &mut cx.common,
219 "psk extension missing binder",
220 ));
221 }
222
223 if psk_offer.binders.len() != psk_offer.identities.len() {
224 return Err(cx
225 .common
226 .illegal_param("psk extension mismatched ids/binders"));
227 }
228
229 for (i, psk_id) in psk_offer.identities.iter().enumerate() {
230 let resume = match self
231 .attempt_tls13_ticket_decryption(&psk_id.identity.0)
232 .filter(|resumedata| {
233 hs::can_resume(self.suite.into(), &cx.data.sni, false, resumedata)
234 }) {
235 Some(resume) => resume,
236 None => continue,
237 };
238
239 if !self.check_binder(
240 self.suite,
241 chm,
242 &resume.master_secret.0,
243 &psk_offer.binders[i].0,
244 ) {
245 cx.common
246 .send_fatal_alert(AlertDescription::DecryptError);
247 return Err(Error::PeerMisbehavedError(
248 "client sent wrong binder".to_string(),
249 ));
250 }
251
252 chosen_psk_index = Some(i);
253 resumedata = Some(resume);
254 break;
255 }
256 }
257
258 if !client_hello.psk_mode_offered(PSKKeyExchangeMode::PSK_DHE_KE) {
259 debug!("Client unwilling to resume, DHE_KE not offered");
260 self.send_ticket = false;
261 chosen_psk_index = None;
262 resumedata = None;
263 } else {
264 self.send_ticket = true;
265 }
266
267 if let Some(ref resume) = resumedata {
268 cx.data.received_resumption_data = Some(resume.application_data.0.clone());
269 cx.common.peer_certificates = resume.client_cert_chain.clone();
270 }
271
272 let full_handshake = resumedata.is_none();
273 self.transcript.add_message(chm);
274 let key_schedule = emit_server_hello(
275 &mut self.transcript,
276 &self.randoms,
277 self.suite,
278 cx,
279 &client_hello.session_id,
280 chosen_share,
281 chosen_psk_index,
282 resumedata
283 .as_ref()
284 .map(|x| &x.master_secret.0[..]),
285 &self.config,
286 )?;
287 if !self.done_retry {
288 emit_fake_ccs(&mut cx.common);
289 }
290
291 let (mut ocsp_response, mut sct_list) =
292 (server_key.get_ocsp(), server_key.get_sct_list());
293 emit_encrypted_extensions(
294 &mut self.transcript,
295 self.suite,
296 cx,
297 &mut ocsp_response,
298 &mut sct_list,
299 client_hello,
300 resumedata.as_ref(),
301 self.extra_exts,
302 &self.config,
303 )?;
304
305 let doing_client_auth = if full_handshake {
306 let client_auth =
307 emit_certificate_req_tls13(&mut self.transcript, cx, &self.config)?;
308 emit_certificate_tls13(
309 &mut self.transcript,
310 &mut cx.common,
311 server_key.get_cert(),
312 ocsp_response,
313 sct_list,
314 );
315 emit_certificate_verify_tls13(
316 &mut self.transcript,
317 &mut cx.common,
318 server_key.get_key(),
319 &sigschemes_ext,
320 )?;
321 client_auth
322 } else {
323 false
324 };
325
326 cx.common.check_aligned_handshake()?;
327 let key_schedule_traffic = emit_finished_tls13(
328 &mut self.transcript,
329 self.suite,
330 &self.randoms,
331 cx,
332 key_schedule,
333 &self.config,
334 );
335
336 if doing_client_auth {
337 Ok(Box::new(ExpectCertificate {
338 config: self.config,
339 transcript: self.transcript,
340 suite: self.suite,
341 key_schedule: key_schedule_traffic,
342 send_ticket: self.send_ticket,
343 }))
344 } else {
345 Ok(Box::new(ExpectFinished {
346 config: self.config,
347 transcript: self.transcript,
348 suite: self.suite,
349 key_schedule: key_schedule_traffic,
350 send_ticket: self.send_ticket,
351 }))
352 }
353 }
354 }
355
emit_server_hello( transcript: &mut HandshakeHash, randoms: &ConnectionRandoms, suite: &'static Tls13CipherSuite, cx: &mut ServerContext<'_>, session_id: &SessionID, share: &KeyShareEntry, chosen_psk_idx: Option<usize>, resuming_psk: Option<&[u8]>, config: &ServerConfig, ) -> Result<KeyScheduleHandshake, Error>356 fn emit_server_hello(
357 transcript: &mut HandshakeHash,
358 randoms: &ConnectionRandoms,
359 suite: &'static Tls13CipherSuite,
360 cx: &mut ServerContext<'_>,
361 session_id: &SessionID,
362 share: &KeyShareEntry,
363 chosen_psk_idx: Option<usize>,
364 resuming_psk: Option<&[u8]>,
365 config: &ServerConfig,
366 ) -> Result<KeyScheduleHandshake, Error> {
367 let mut extensions = Vec::new();
368
369 // Do key exchange
370 let kxr = kx::KeyExchange::choose(share.group, &config.kx_groups)
371 .and_then(kx::KeyExchange::start)
372 .ok_or(Error::FailedToGetRandomBytes)?
373 .complete(&share.payload.0)
374 .ok_or_else(|| Error::PeerMisbehavedError("key exchange failed".to_string()))?;
375
376 let kse = KeyShareEntry::new(share.group, kxr.pubkey.as_ref());
377 extensions.push(ServerExtension::KeyShare(kse));
378 extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
379
380 if let Some(psk_idx) = chosen_psk_idx {
381 extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
382 }
383
384 let sh = Message {
385 version: ProtocolVersion::TLSv1_2,
386 payload: MessagePayload::Handshake(HandshakeMessagePayload {
387 typ: HandshakeType::ServerHello,
388 payload: HandshakePayload::ServerHello(ServerHelloPayload {
389 legacy_version: ProtocolVersion::TLSv1_2,
390 random: Random::from(randoms.server),
391 session_id: *session_id,
392 cipher_suite: suite.common.suite,
393 compression_method: Compression::Null,
394 extensions,
395 }),
396 }),
397 };
398
399 cx.common.check_aligned_handshake()?;
400
401 #[cfg(feature = "quic")]
402 let client_hello_hash = transcript.get_hash_given(&[]);
403
404 trace!("sending server hello {:?}", sh);
405 transcript.add_message(&sh);
406 cx.common.send_msg(sh, false);
407
408 // Start key schedule
409 let key_schedule = if let Some(psk) = resuming_psk {
410 let early_key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, psk);
411
412 #[cfg(feature = "quic")]
413 {
414 if cx.common.protocol == Protocol::Quic {
415 let client_early_traffic_secret = early_key_schedule
416 .client_early_traffic_secret(
417 &client_hello_hash,
418 &*config.key_log,
419 &randoms.client,
420 );
421 // If 0-RTT should be rejected, this will be clobbered by ExtensionProcessing
422 // before the application can see.
423 cx.common.quic.early_secret = Some(client_early_traffic_secret);
424 }
425 }
426
427 early_key_schedule.into_handshake(&kxr.shared_secret)
428 } else {
429 KeyScheduleNonSecret::new(suite.hkdf_algorithm).into_handshake(&kxr.shared_secret)
430 };
431
432 let handshake_hash = transcript.get_current_hash();
433 let (key_schedule, client_key, server_key) = key_schedule.derive_handshake_secrets(
434 handshake_hash,
435 &*config.key_log,
436 &randoms.client,
437 );
438
439 // Encrypt with our own key, decrypt with the peer's key
440 cx.common
441 .record_layer
442 .set_message_encrypter(suite.derive_encrypter(&server_key));
443 cx.common
444 .record_layer
445 .set_message_decrypter(suite.derive_decrypter(&client_key));
446
447 #[cfg(feature = "quic")]
448 {
449 cx.common.quic.hs_secrets =
450 Some(quic::Secrets::new(client_key, server_key, suite, false));
451 }
452
453 Ok(key_schedule)
454 }
455
emit_fake_ccs(common: &mut CommonState)456 fn emit_fake_ccs(common: &mut CommonState) {
457 if common.is_quic() {
458 return;
459 }
460 let m = Message {
461 version: ProtocolVersion::TLSv1_2,
462 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
463 };
464 common.send_msg(m, false);
465 }
466
emit_hello_retry_request( transcript: &mut HandshakeHash, suite: &'static Tls13CipherSuite, common: &mut CommonState, group: NamedGroup, )467 fn emit_hello_retry_request(
468 transcript: &mut HandshakeHash,
469 suite: &'static Tls13CipherSuite,
470 common: &mut CommonState,
471 group: NamedGroup,
472 ) {
473 let mut req = HelloRetryRequest {
474 legacy_version: ProtocolVersion::TLSv1_2,
475 session_id: SessionID::empty(),
476 cipher_suite: suite.common.suite,
477 extensions: Vec::new(),
478 };
479
480 req.extensions
481 .push(HelloRetryExtension::KeyShare(group));
482 req.extensions
483 .push(HelloRetryExtension::SupportedVersions(
484 ProtocolVersion::TLSv1_3,
485 ));
486
487 let m = Message {
488 version: ProtocolVersion::TLSv1_2,
489 payload: MessagePayload::Handshake(HandshakeMessagePayload {
490 typ: HandshakeType::HelloRetryRequest,
491 payload: HandshakePayload::HelloRetryRequest(req),
492 }),
493 };
494
495 trace!("Requesting retry {:?}", m);
496 transcript.rollup_for_hrr();
497 transcript.add_message(&m);
498 common.send_msg(m, false);
499 }
500
emit_encrypted_extensions( transcript: &mut HandshakeHash, suite: &'static Tls13CipherSuite, cx: &mut ServerContext<'_>, ocsp_response: &mut Option<&[u8]>, sct_list: &mut Option<&[u8]>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>, extra_exts: Vec<ServerExtension>, config: &ServerConfig, ) -> Result<(), Error>501 fn emit_encrypted_extensions(
502 transcript: &mut HandshakeHash,
503 suite: &'static Tls13CipherSuite,
504 cx: &mut ServerContext<'_>,
505 ocsp_response: &mut Option<&[u8]>,
506 sct_list: &mut Option<&[u8]>,
507 hello: &ClientHelloPayload,
508 resumedata: Option<&persist::ServerSessionValue>,
509 extra_exts: Vec<ServerExtension>,
510 config: &ServerConfig,
511 ) -> Result<(), Error> {
512 let mut ep = hs::ExtensionProcessing::new();
513 ep.process_common(
514 config,
515 cx,
516 suite.into(),
517 ocsp_response,
518 sct_list,
519 hello,
520 resumedata,
521 extra_exts,
522 )?;
523
524 let ee = Message {
525 version: ProtocolVersion::TLSv1_3,
526 payload: MessagePayload::Handshake(HandshakeMessagePayload {
527 typ: HandshakeType::EncryptedExtensions,
528 payload: HandshakePayload::EncryptedExtensions(ep.exts),
529 }),
530 };
531
532 trace!("sending encrypted extensions {:?}", ee);
533 transcript.add_message(&ee);
534 cx.common.send_msg(ee, true);
535 Ok(())
536 }
537
emit_certificate_req_tls13( transcript: &mut HandshakeHash, cx: &mut ServerContext<'_>, config: &ServerConfig, ) -> Result<bool, Error>538 fn emit_certificate_req_tls13(
539 transcript: &mut HandshakeHash,
540 cx: &mut ServerContext<'_>,
541 config: &ServerConfig,
542 ) -> Result<bool, Error> {
543 if !config.verifier.offer_client_auth() {
544 return Ok(false);
545 }
546
547 let mut cr = CertificateRequestPayloadTLS13 {
548 context: PayloadU8::empty(),
549 extensions: Vec::new(),
550 };
551
552 let schemes = config
553 .verifier
554 .supported_verify_schemes();
555 cr.extensions
556 .push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
557
558 let names = config
559 .verifier
560 .client_auth_root_subjects()
561 .ok_or_else(|| {
562 debug!("could not determine root subjects based on SNI");
563 cx.common
564 .send_fatal_alert(AlertDescription::AccessDenied);
565 Error::General("client rejected by client_auth_root_subjects".into())
566 })?;
567
568 if !names.is_empty() {
569 cr.extensions
570 .push(CertReqExtension::AuthorityNames(names));
571 }
572
573 let m = Message {
574 version: ProtocolVersion::TLSv1_3,
575 payload: MessagePayload::Handshake(HandshakeMessagePayload {
576 typ: HandshakeType::CertificateRequest,
577 payload: HandshakePayload::CertificateRequestTLS13(cr),
578 }),
579 };
580
581 trace!("Sending CertificateRequest {:?}", m);
582 transcript.add_message(&m);
583 cx.common.send_msg(m, true);
584 Ok(true)
585 }
586
emit_certificate_tls13( transcript: &mut HandshakeHash, common: &mut CommonState, cert_chain: &[Certificate], ocsp_response: Option<&[u8]>, sct_list: Option<&[u8]>, )587 fn emit_certificate_tls13(
588 transcript: &mut HandshakeHash,
589 common: &mut CommonState,
590 cert_chain: &[Certificate],
591 ocsp_response: Option<&[u8]>,
592 sct_list: Option<&[u8]>,
593 ) {
594 let mut cert_entries = vec![];
595 for cert in cert_chain {
596 let entry = CertificateEntry {
597 cert: cert.to_owned(),
598 exts: Vec::new(),
599 };
600
601 cert_entries.push(entry);
602 }
603
604 if let Some(end_entity_cert) = cert_entries.first_mut() {
605 // Apply OCSP response to first certificate (we don't support OCSP
606 // except for leaf certs).
607 if let Some(ocsp) = ocsp_response {
608 let cst = CertificateStatus::new(ocsp.to_owned());
609 end_entity_cert
610 .exts
611 .push(CertificateExtension::CertificateStatus(cst));
612 }
613
614 // Likewise, SCT
615 if let Some(sct_list) = sct_list {
616 end_entity_cert
617 .exts
618 .push(CertificateExtension::make_sct(sct_list.to_owned()));
619 }
620 }
621
622 let cert_body = CertificatePayloadTLS13::new(cert_entries);
623 let c = Message {
624 version: ProtocolVersion::TLSv1_3,
625 payload: MessagePayload::Handshake(HandshakeMessagePayload {
626 typ: HandshakeType::Certificate,
627 payload: HandshakePayload::CertificateTLS13(cert_body),
628 }),
629 };
630
631 trace!("sending certificate {:?}", c);
632 transcript.add_message(&c);
633 common.send_msg(c, true);
634 }
635
emit_certificate_verify_tls13( transcript: &mut HandshakeHash, common: &mut CommonState, signing_key: &dyn sign::SigningKey, schemes: &[SignatureScheme], ) -> Result<(), Error>636 fn emit_certificate_verify_tls13(
637 transcript: &mut HandshakeHash,
638 common: &mut CommonState,
639 signing_key: &dyn sign::SigningKey,
640 schemes: &[SignatureScheme],
641 ) -> Result<(), Error> {
642 let message = verify::construct_tls13_server_verify_message(&transcript.get_current_hash());
643
644 let signer = signing_key
645 .choose_scheme(schemes)
646 .ok_or_else(|| hs::incompatible(common, "no overlapping sigschemes"))?;
647
648 let scheme = signer.scheme();
649 let sig = signer.sign(&message)?;
650
651 let cv = DigitallySignedStruct::new(scheme, sig);
652
653 let m = Message {
654 version: ProtocolVersion::TLSv1_3,
655 payload: MessagePayload::Handshake(HandshakeMessagePayload {
656 typ: HandshakeType::CertificateVerify,
657 payload: HandshakePayload::CertificateVerify(cv),
658 }),
659 };
660
661 trace!("sending certificate-verify {:?}", m);
662 transcript.add_message(&m);
663 common.send_msg(m, true);
664 Ok(())
665 }
666
emit_finished_tls13( transcript: &mut HandshakeHash, suite: &'static Tls13CipherSuite, randoms: &ConnectionRandoms, cx: &mut ServerContext<'_>, key_schedule: KeyScheduleHandshake, config: &ServerConfig, ) -> KeyScheduleTrafficWithClientFinishedPending667 fn emit_finished_tls13(
668 transcript: &mut HandshakeHash,
669 suite: &'static Tls13CipherSuite,
670 randoms: &ConnectionRandoms,
671 cx: &mut ServerContext<'_>,
672 key_schedule: KeyScheduleHandshake,
673 config: &ServerConfig,
674 ) -> KeyScheduleTrafficWithClientFinishedPending {
675 let handshake_hash = transcript.get_current_hash();
676 let verify_data = key_schedule.sign_server_finish(&handshake_hash);
677 let verify_data_payload = Payload::new(verify_data.as_ref());
678
679 let m = Message {
680 version: ProtocolVersion::TLSv1_3,
681 payload: MessagePayload::Handshake(HandshakeMessagePayload {
682 typ: HandshakeType::Finished,
683 payload: HandshakePayload::Finished(verify_data_payload),
684 }),
685 };
686
687 trace!("sending finished {:?}", m);
688 transcript.add_message(&m);
689 let hash_at_server_fin = transcript.get_current_hash();
690 cx.common.send_msg(m, true);
691
692 // Now move to application data keys. Read key change is deferred until
693 // the Finish message is received & validated.
694 let (key_schedule_traffic, _client_key, server_key) = key_schedule
695 .into_traffic_with_client_finished_pending(
696 hash_at_server_fin,
697 &*config.key_log,
698 &randoms.client,
699 );
700 cx.common
701 .record_layer
702 .set_message_encrypter(suite.derive_encrypter(&server_key));
703
704 #[cfg(feature = "quic")]
705 {
706 cx.common.quic.traffic_secrets =
707 Some(quic::Secrets::new(_client_key, server_key, suite, false));
708 }
709
710 key_schedule_traffic
711 }
712 }
713
714 struct ExpectCertificate {
715 config: Arc<ServerConfig>,
716 transcript: HandshakeHash,
717 suite: &'static Tls13CipherSuite,
718 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
719 send_ticket: bool,
720 }
721
722 impl State<ServerConnectionData> for ExpectCertificate {
handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError723 fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
724 let certp = require_handshake_msg!(
725 m,
726 HandshakeType::Certificate,
727 HandshakePayload::CertificateTLS13
728 )?;
729 self.transcript.add_message(&m);
730
731 // We don't send any CertificateRequest extensions, so any extensions
732 // here are illegal.
733 if certp.any_entry_has_extension() {
734 return Err(Error::PeerMisbehavedError(
735 "client sent unsolicited cert extension".to_string(),
736 ));
737 }
738
739 let client_cert = certp.convert();
740
741 let mandatory = self
742 .config
743 .verifier
744 .client_auth_mandatory()
745 .ok_or_else(|| {
746 debug!("could not determine if client auth is mandatory based on SNI");
747 cx.common
748 .send_fatal_alert(AlertDescription::AccessDenied);
749 Error::General("client rejected by client_auth_mandatory".into())
750 })?;
751
752 let (end_entity, intermediates) = match client_cert.split_first() {
753 None => {
754 if !mandatory {
755 debug!("client auth requested but no certificate supplied");
756 self.transcript.abandon_client_auth();
757 return Ok(Box::new(ExpectFinished {
758 config: self.config,
759 suite: self.suite,
760 key_schedule: self.key_schedule,
761 transcript: self.transcript,
762 send_ticket: self.send_ticket,
763 }));
764 }
765
766 cx.common
767 .send_fatal_alert(AlertDescription::CertificateRequired);
768 return Err(Error::NoCertificatesPresented);
769 }
770 Some(chain) => chain,
771 };
772
773 let now = std::time::SystemTime::now();
774 self.config
775 .verifier
776 .verify_client_cert(end_entity, intermediates, now)
777 .map_err(|err| {
778 hs::incompatible(&mut cx.common, "certificate invalid");
779 err
780 })?;
781
782 Ok(Box::new(ExpectCertificateVerify {
783 config: self.config,
784 suite: self.suite,
785 transcript: self.transcript,
786 key_schedule: self.key_schedule,
787 client_cert,
788 send_ticket: self.send_ticket,
789 }))
790 }
791 }
792
793 struct ExpectCertificateVerify {
794 config: Arc<ServerConfig>,
795 transcript: HandshakeHash,
796 suite: &'static Tls13CipherSuite,
797 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
798 client_cert: Vec<Certificate>,
799 send_ticket: bool,
800 }
801
802 impl State<ServerConnectionData> for ExpectCertificateVerify {
handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError803 fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
804 let rc = {
805 let sig = require_handshake_msg!(
806 m,
807 HandshakeType::CertificateVerify,
808 HandshakePayload::CertificateVerify
809 )?;
810 let handshake_hash = self.transcript.get_current_hash();
811 self.transcript.abandon_client_auth();
812 let certs = &self.client_cert;
813 let msg = verify::construct_tls13_client_verify_message(&handshake_hash);
814
815 self.config
816 .verifier
817 .verify_tls13_signature(&msg, &certs[0], sig)
818 };
819
820 if let Err(e) = rc {
821 cx.common
822 .send_fatal_alert(AlertDescription::AccessDenied);
823 return Err(e);
824 }
825
826 trace!("client CertificateVerify OK");
827 cx.common.peer_certificates = Some(self.client_cert);
828
829 self.transcript.add_message(&m);
830 Ok(Box::new(ExpectFinished {
831 config: self.config,
832 suite: self.suite,
833 key_schedule: self.key_schedule,
834 transcript: self.transcript,
835 send_ticket: self.send_ticket,
836 }))
837 }
838 }
839
840 // --- Process client's Finished ---
get_server_session_value( transcript: &mut HandshakeHash, suite: &'static Tls13CipherSuite, key_schedule: &KeyScheduleTraffic, cx: &ServerContext<'_>, nonce: &[u8], ) -> persist::ServerSessionValue841 fn get_server_session_value(
842 transcript: &mut HandshakeHash,
843 suite: &'static Tls13CipherSuite,
844 key_schedule: &KeyScheduleTraffic,
845 cx: &ServerContext<'_>,
846 nonce: &[u8],
847 ) -> persist::ServerSessionValue {
848 let version = ProtocolVersion::TLSv1_3;
849
850 let handshake_hash = transcript.get_current_hash();
851 let secret =
852 key_schedule.resumption_master_secret_and_derive_ticket_psk(&handshake_hash, nonce);
853
854 persist::ServerSessionValue::new(
855 cx.data.sni.as_ref(),
856 version,
857 suite.common.suite,
858 secret,
859 cx.common.peer_certificates.clone(),
860 cx.common.alpn_protocol.clone(),
861 cx.data.resumption_data.clone(),
862 )
863 }
864
865 struct ExpectFinished {
866 config: Arc<ServerConfig>,
867 transcript: HandshakeHash,
868 suite: &'static Tls13CipherSuite,
869 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
870 send_ticket: bool,
871 }
872
873 impl ExpectFinished {
emit_ticket( transcript: &mut HandshakeHash, suite: &'static Tls13CipherSuite, cx: &mut ServerContext<'_>, key_schedule: &KeyScheduleTraffic, config: &ServerConfig, ) -> Result<(), rand::GetRandomFailed>874 fn emit_ticket(
875 transcript: &mut HandshakeHash,
876 suite: &'static Tls13CipherSuite,
877 cx: &mut ServerContext<'_>,
878 key_schedule: &KeyScheduleTraffic,
879 config: &ServerConfig,
880 ) -> Result<(), rand::GetRandomFailed> {
881 let nonce = rand::random_vec(32)?;
882 let plain =
883 get_server_session_value(transcript, suite, key_schedule, cx, &nonce).get_encoding();
884
885 let stateless = config.ticketer.enabled();
886 let (ticket, lifetime) = if stateless {
887 let ticket = match config.ticketer.encrypt(&plain) {
888 Some(t) => t,
889 None => return Ok(()),
890 };
891 (ticket, config.ticketer.lifetime())
892 } else {
893 let id = rand::random_vec(32)?;
894 let stored = config
895 .session_storage
896 .put(id.clone(), plain);
897 if !stored {
898 trace!("resumption not available; not issuing ticket");
899 return Ok(());
900 }
901 let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
902 (id, stateful_lifetime)
903 };
904
905 let age_add = rand::random_u32()?; // nb, we don't do 0-RTT data, so whatever
906 #[allow(unused_mut)]
907 let mut payload = NewSessionTicketPayloadTLS13::new(lifetime, age_add, nonce, ticket);
908 #[cfg(feature = "quic")]
909 {
910 if config.max_early_data_size > 0 && cx.common.protocol == Protocol::Quic {
911 payload
912 .exts
913 .push(NewSessionTicketExtension::EarlyData(
914 config.max_early_data_size,
915 ));
916 }
917 }
918 let m = Message {
919 version: ProtocolVersion::TLSv1_3,
920 payload: MessagePayload::Handshake(HandshakeMessagePayload {
921 typ: HandshakeType::NewSessionTicket,
922 payload: HandshakePayload::NewSessionTicketTLS13(payload),
923 }),
924 };
925
926 trace!("sending new ticket {:?} (stateless: {})", m, stateless);
927 transcript.add_message(&m);
928 cx.common.send_msg(m, true);
929 Ok(())
930 }
931 }
932
933 impl State<ServerConnectionData> for ExpectFinished {
handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError934 fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
935 let finished =
936 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
937
938 let handshake_hash = self.transcript.get_current_hash();
939 let (key_schedule_traffic, expect_verify_data, client_key) = self
940 .key_schedule
941 .sign_client_finish(&handshake_hash);
942
943 let fin = constant_time::verify_slices_are_equal(expect_verify_data.as_ref(), &finished.0)
944 .map_err(|_| {
945 cx.common
946 .send_fatal_alert(AlertDescription::DecryptError);
947 warn!("Finished wrong");
948 Error::DecryptError
949 })
950 .map(|_| verify::FinishedMessageVerified::assertion())?;
951
952 // nb. future derivations include Client Finished, but not the
953 // main application data keying.
954 self.transcript.add_message(&m);
955
956 cx.common.check_aligned_handshake()?;
957
958 // Install keying to read future messages.
959 cx.common
960 .record_layer
961 .set_message_decrypter(self.suite.derive_decrypter(&client_key));
962
963 if self.send_ticket {
964 Self::emit_ticket(
965 &mut self.transcript,
966 self.suite,
967 cx,
968 &key_schedule_traffic,
969 &self.config,
970 )?;
971 }
972
973 cx.common.start_traffic();
974
975 #[cfg(feature = "quic")]
976 {
977 if cx.common.protocol == Protocol::Quic {
978 return Ok(Box::new(ExpectQuicTraffic {
979 key_schedule: key_schedule_traffic,
980 _fin_verified: fin,
981 }));
982 }
983 }
984
985 Ok(Box::new(ExpectTraffic {
986 suite: self.suite,
987 key_schedule: key_schedule_traffic,
988 want_write_key_update: false,
989 _fin_verified: fin,
990 }))
991 }
992 }
993
994 // --- Process traffic ---
995 struct ExpectTraffic {
996 suite: &'static Tls13CipherSuite,
997 key_schedule: KeyScheduleTraffic,
998 want_write_key_update: bool,
999 _fin_verified: verify::FinishedMessageVerified,
1000 }
1001
1002 impl ExpectTraffic {
handle_key_update( &mut self, common: &mut CommonState, kur: &KeyUpdateRequest, ) -> Result<(), Error>1003 fn handle_key_update(
1004 &mut self,
1005 common: &mut CommonState,
1006 kur: &KeyUpdateRequest,
1007 ) -> Result<(), Error> {
1008 #[cfg(feature = "quic")]
1009 {
1010 if let Protocol::Quic = common.protocol {
1011 common.send_fatal_alert(AlertDescription::UnexpectedMessage);
1012 let msg = "KeyUpdate received in QUIC connection".to_string();
1013 warn!("{}", msg);
1014 return Err(Error::PeerMisbehavedError(msg));
1015 }
1016 }
1017
1018 common.check_aligned_handshake()?;
1019
1020 match kur {
1021 KeyUpdateRequest::UpdateNotRequested => {}
1022 KeyUpdateRequest::UpdateRequested => {
1023 self.want_write_key_update = true;
1024 }
1025 _ => {
1026 common.send_fatal_alert(AlertDescription::IllegalParameter);
1027 return Err(Error::CorruptMessagePayload(ContentType::Handshake));
1028 }
1029 }
1030
1031 // Update our read-side keys.
1032 let new_read_key = self
1033 .key_schedule
1034 .next_client_application_traffic_secret();
1035 common
1036 .record_layer
1037 .set_message_decrypter(
1038 self.suite
1039 .derive_decrypter(&new_read_key),
1040 );
1041
1042 Ok(())
1043 }
1044 }
1045
1046 impl State<ServerConnectionData> for ExpectTraffic {
handle(mut self: Box<Self>, cx: &mut ServerContext, m: Message) -> hs::NextStateOrError1047 fn handle(mut self: Box<Self>, cx: &mut ServerContext, m: Message) -> hs::NextStateOrError {
1048 match m.payload {
1049 MessagePayload::ApplicationData(payload) => cx
1050 .common
1051 .take_received_plaintext(payload),
1052 MessagePayload::Handshake(payload) => match payload.payload {
1053 HandshakePayload::KeyUpdate(key_update) => {
1054 self.handle_key_update(cx.common, &key_update)?
1055 }
1056 _ => {
1057 return Err(inappropriate_handshake_message(
1058 &payload,
1059 &[HandshakeType::KeyUpdate],
1060 ));
1061 }
1062 },
1063 _ => {
1064 return Err(inappropriate_message(
1065 &m,
1066 &[ContentType::ApplicationData, ContentType::Handshake],
1067 ));
1068 }
1069 }
1070
1071 Ok(self)
1072 }
1073
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), Error>1074 fn export_keying_material(
1075 &self,
1076 output: &mut [u8],
1077 label: &[u8],
1078 context: Option<&[u8]>,
1079 ) -> Result<(), Error> {
1080 self.key_schedule
1081 .export_keying_material(output, label, context)
1082 }
1083
perhaps_write_key_update(&mut self, common: &mut CommonState)1084 fn perhaps_write_key_update(&mut self, common: &mut CommonState) {
1085 if self.want_write_key_update {
1086 self.want_write_key_update = false;
1087 common.send_msg_encrypt(Message::build_key_update_notify().into());
1088
1089 let write_key = self
1090 .key_schedule
1091 .next_server_application_traffic_secret();
1092 common
1093 .record_layer
1094 .set_message_encrypter(self.suite.derive_encrypter(&write_key));
1095 }
1096 }
1097 }
1098
1099 #[cfg(feature = "quic")]
1100 struct ExpectQuicTraffic {
1101 key_schedule: KeyScheduleTraffic,
1102 _fin_verified: verify::FinishedMessageVerified,
1103 }
1104
1105 #[cfg(feature = "quic")]
1106 impl State<ServerConnectionData> for ExpectQuicTraffic {
handle(self: Box<Self>, _cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError1107 fn handle(self: Box<Self>, _cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
1108 // reject all messages
1109 check_message(&m, &[], &[])?;
1110 unreachable!();
1111 }
1112
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), Error>1113 fn export_keying_material(
1114 &self,
1115 output: &mut [u8],
1116 label: &[u8],
1117 context: Option<&[u8]>,
1118 ) -> Result<(), Error> {
1119 self.key_schedule
1120 .export_keying_material(output, label, context)
1121 }
1122 }
1123