1 use crate::check::check_message;
2 use crate::client::ClientSessionImpl;
3 use crate::error::TLSError;
4 #[cfg(feature = "logging")]
5 use crate::log::{debug, trace};
6 use crate::msgs::base::{Payload, PayloadU8};
7 use crate::msgs::ccs::ChangeCipherSpecPayload;
8 use crate::msgs::codec::Codec;
9 use crate::msgs::enums::{AlertDescription, ProtocolVersion};
10 use crate::msgs::enums::{ContentType, HandshakeType};
11 use crate::msgs::handshake::DecomposedSignatureScheme;
12 use crate::msgs::handshake::DigitallySignedStruct;
13 use crate::msgs::handshake::ServerKeyExchangePayload;
14 use crate::msgs::handshake::{HandshakeMessagePayload, HandshakePayload};
15 use crate::msgs::message::{Message, MessagePayload};
16 use crate::msgs::persist;
17 use crate::session::SessionSecrets;
18 use crate::suites;
19 use crate::ticketer;
20 use crate::verify;
21
22 use crate::client::common::{ClientAuthDetails, ReceivedTicketDetails};
23 use crate::client::common::{HandshakeDetails, ServerCertDetails, ServerKXDetails};
24 use crate::client::hs;
25
26 use ring::constant_time;
27 use std::mem;
28
29 pub struct ExpectCertificate {
30 pub handshake: HandshakeDetails,
31 pub server_cert: ServerCertDetails,
32 pub may_send_cert_status: bool,
33 pub must_issue_new_ticket: bool,
34 }
35
36 impl ExpectCertificate {
into_expect_certificate_status_or_server_kx(self) -> hs::NextState37 fn into_expect_certificate_status_or_server_kx(self) -> hs::NextState {
38 Box::new(ExpectCertificateStatusOrServerKX {
39 handshake: self.handshake,
40 server_cert: self.server_cert,
41 must_issue_new_ticket: self.must_issue_new_ticket,
42 })
43 }
44
into_expect_server_kx(self) -> hs::NextState45 fn into_expect_server_kx(self) -> hs::NextState {
46 Box::new(ExpectServerKX {
47 handshake: self.handshake,
48 server_cert: self.server_cert,
49 must_issue_new_ticket: self.must_issue_new_ticket,
50 })
51 }
52 }
53
54 impl hs::State for ExpectCertificate {
handle( mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError55 fn handle(
56 mut self: Box<Self>,
57 _sess: &mut ClientSessionImpl,
58 m: Message,
59 ) -> hs::NextStateOrError {
60 let cert_chain =
61 require_handshake_msg!(m, HandshakeType::Certificate, HandshakePayload::Certificate)?;
62 self.handshake
63 .transcript
64 .add_message(&m);
65
66 self.server_cert.cert_chain = cert_chain.clone();
67
68 if self.may_send_cert_status {
69 Ok(self.into_expect_certificate_status_or_server_kx())
70 } else {
71 Ok(self.into_expect_server_kx())
72 }
73 }
74 }
75
76 struct ExpectCertificateStatus {
77 handshake: HandshakeDetails,
78 server_cert: ServerCertDetails,
79 must_issue_new_ticket: bool,
80 }
81
82 impl ExpectCertificateStatus {
into_expect_server_kx(self) -> hs::NextState83 fn into_expect_server_kx(self) -> hs::NextState {
84 Box::new(ExpectServerKX {
85 handshake: self.handshake,
86 server_cert: self.server_cert,
87 must_issue_new_ticket: self.must_issue_new_ticket,
88 })
89 }
90 }
91
92 impl hs::State for ExpectCertificateStatus {
handle( mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError93 fn handle(
94 mut self: Box<Self>,
95 _sess: &mut ClientSessionImpl,
96 m: Message,
97 ) -> hs::NextStateOrError {
98 self.handshake
99 .transcript
100 .add_message(&m);
101 let mut status = require_handshake_msg_mut!(
102 m,
103 HandshakeType::CertificateStatus,
104 HandshakePayload::CertificateStatus
105 )?;
106
107 self.server_cert.ocsp_response = status.take_ocsp_response();
108 trace!(
109 "Server stapled OCSP response is {:?}",
110 self.server_cert.ocsp_response
111 );
112 Ok(self.into_expect_server_kx())
113 }
114 }
115
116 struct ExpectCertificateStatusOrServerKX {
117 handshake: HandshakeDetails,
118 server_cert: ServerCertDetails,
119 must_issue_new_ticket: bool,
120 }
121
122 impl ExpectCertificateStatusOrServerKX {
into_expect_server_kx(self) -> hs::NextState123 fn into_expect_server_kx(self) -> hs::NextState {
124 Box::new(ExpectServerKX {
125 handshake: self.handshake,
126 server_cert: self.server_cert,
127 must_issue_new_ticket: self.must_issue_new_ticket,
128 })
129 }
130
into_expect_certificate_status(self) -> hs::NextState131 fn into_expect_certificate_status(self) -> hs::NextState {
132 Box::new(ExpectCertificateStatus {
133 handshake: self.handshake,
134 server_cert: self.server_cert,
135 must_issue_new_ticket: self.must_issue_new_ticket,
136 })
137 }
138 }
139
140 impl hs::State for ExpectCertificateStatusOrServerKX {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError141 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
142 check_message(
143 &m,
144 &[ContentType::Handshake],
145 &[
146 HandshakeType::ServerKeyExchange,
147 HandshakeType::CertificateStatus,
148 ],
149 )?;
150 if m.is_handshake_type(HandshakeType::ServerKeyExchange) {
151 self.into_expect_server_kx()
152 .handle(sess, m)
153 } else {
154 self.into_expect_certificate_status()
155 .handle(sess, m)
156 }
157 }
158 }
159
160 struct ExpectServerKX {
161 handshake: HandshakeDetails,
162 server_cert: ServerCertDetails,
163 must_issue_new_ticket: bool,
164 }
165
166 impl ExpectServerKX {
into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState167 fn into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState {
168 Box::new(ExpectServerDoneOrCertReq {
169 handshake: self.handshake,
170 server_cert: self.server_cert,
171 server_kx: skx,
172 must_issue_new_ticket: self.must_issue_new_ticket,
173 })
174 }
175 }
176
177 impl hs::State for ExpectServerKX {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError178 fn handle(
179 mut self: Box<Self>,
180 sess: &mut ClientSessionImpl,
181 m: Message,
182 ) -> hs::NextStateOrError {
183 let opaque_kx = require_handshake_msg!(
184 m,
185 HandshakeType::ServerKeyExchange,
186 HandshakePayload::ServerKeyExchange
187 )?;
188 let maybe_decoded_kx = opaque_kx.unwrap_given_kxa(&sess.common.get_suite_assert().kx);
189 self.handshake
190 .transcript
191 .add_message(&m);
192
193 if maybe_decoded_kx.is_none() {
194 sess.common
195 .send_fatal_alert(AlertDescription::DecodeError);
196 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
197 }
198
199 let decoded_kx = maybe_decoded_kx.unwrap();
200
201 // Save the signature and signed parameters for later verification.
202 let mut kx_params = Vec::new();
203 decoded_kx.encode_params(&mut kx_params);
204 let skx = ServerKXDetails::new(kx_params, decoded_kx.get_sig().unwrap());
205
206 #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
207 {
208 if let ServerKeyExchangePayload::ECDHE(ecdhe) = decoded_kx {
209 debug!("ECDHE curve is {:?}", ecdhe.params.curve_params);
210 }
211 }
212
213 Ok(self.into_expect_server_done_or_certreq(skx))
214 }
215 }
216
emit_certificate( handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl, )217 fn emit_certificate(
218 handshake: &mut HandshakeDetails,
219 client_auth: &mut ClientAuthDetails,
220 sess: &mut ClientSessionImpl,
221 ) {
222 let chosen_cert = client_auth.cert.take();
223
224 let cert = Message {
225 typ: ContentType::Handshake,
226 version: ProtocolVersion::TLSv1_2,
227 payload: MessagePayload::Handshake(HandshakeMessagePayload {
228 typ: HandshakeType::Certificate,
229 payload: HandshakePayload::Certificate(chosen_cert.unwrap_or_else(Vec::new)),
230 }),
231 };
232
233 handshake.transcript.add_message(&cert);
234 sess.common.send_msg(cert, false);
235 }
236
emit_clientkx( handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl, kxd: &suites::KeyExchangeResult, )237 fn emit_clientkx(
238 handshake: &mut HandshakeDetails,
239 sess: &mut ClientSessionImpl,
240 kxd: &suites::KeyExchangeResult,
241 ) {
242 let mut buf = Vec::new();
243 let ecpoint = PayloadU8::new(Vec::from(kxd.pubkey.as_ref()));
244 ecpoint.encode(&mut buf);
245 let pubkey = Payload::new(buf);
246
247 let ckx = Message {
248 typ: ContentType::Handshake,
249 version: ProtocolVersion::TLSv1_2,
250 payload: MessagePayload::Handshake(HandshakeMessagePayload {
251 typ: HandshakeType::ClientKeyExchange,
252 payload: HandshakePayload::ClientKeyExchange(pubkey),
253 }),
254 };
255
256 handshake.transcript.add_message(&ckx);
257 sess.common.send_msg(ckx, false);
258 }
259
emit_certverify( handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl, ) -> Result<(), TLSError>260 fn emit_certverify(
261 handshake: &mut HandshakeDetails,
262 client_auth: &mut ClientAuthDetails,
263 sess: &mut ClientSessionImpl,
264 ) -> Result<(), TLSError> {
265 if client_auth.signer.is_none() {
266 trace!("Not sending CertificateVerify, no key");
267 handshake
268 .transcript
269 .abandon_client_auth();
270 return Ok(());
271 }
272
273 let message = handshake
274 .transcript
275 .take_handshake_buf();
276 let signer = client_auth.signer.take().unwrap();
277 let scheme = signer.get_scheme();
278 let sig = signer.sign(&message)?;
279 let body = DigitallySignedStruct::new(scheme, sig);
280
281 let m = Message {
282 typ: ContentType::Handshake,
283 version: ProtocolVersion::TLSv1_2,
284 payload: MessagePayload::Handshake(HandshakeMessagePayload {
285 typ: HandshakeType::CertificateVerify,
286 payload: HandshakePayload::CertificateVerify(body),
287 }),
288 };
289
290 handshake.transcript.add_message(&m);
291 sess.common.send_msg(m, false);
292 Ok(())
293 }
294
emit_ccs(sess: &mut ClientSessionImpl)295 fn emit_ccs(sess: &mut ClientSessionImpl) {
296 let ccs = Message {
297 typ: ContentType::ChangeCipherSpec,
298 version: ProtocolVersion::TLSv1_2,
299 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
300 };
301
302 sess.common.send_msg(ccs, false);
303 }
304
emit_finished( secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl, )305 fn emit_finished(
306 secrets: &SessionSecrets,
307 handshake: &mut HandshakeDetails,
308 sess: &mut ClientSessionImpl,
309 ) {
310 let vh = handshake.transcript.get_current_hash();
311 let verify_data = secrets.client_verify_data(&vh);
312 let verify_data_payload = Payload::new(verify_data);
313
314 let f = Message {
315 typ: ContentType::Handshake,
316 version: ProtocolVersion::TLSv1_2,
317 payload: MessagePayload::Handshake(HandshakeMessagePayload {
318 typ: HandshakeType::Finished,
319 payload: HandshakePayload::Finished(verify_data_payload),
320 }),
321 };
322
323 handshake.transcript.add_message(&f);
324 sess.common.send_msg(f, true);
325 }
326
327 // --- Either a CertificateRequest, or a ServerHelloDone. ---
328 // Existence of the CertificateRequest tells us the server is asking for
329 // client auth. Otherwise we go straight to ServerHelloDone.
330 struct ExpectCertificateRequest {
331 handshake: HandshakeDetails,
332 server_cert: ServerCertDetails,
333 server_kx: ServerKXDetails,
334 must_issue_new_ticket: bool,
335 }
336
337 impl ExpectCertificateRequest {
into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState338 fn into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState {
339 Box::new(ExpectServerDone {
340 handshake: self.handshake,
341 server_cert: self.server_cert,
342 server_kx: self.server_kx,
343 client_auth: Some(client_auth),
344 must_issue_new_ticket: self.must_issue_new_ticket,
345 })
346 }
347 }
348
349 impl hs::State for ExpectCertificateRequest {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError350 fn handle(
351 mut self: Box<Self>,
352 sess: &mut ClientSessionImpl,
353 m: Message,
354 ) -> hs::NextStateOrError {
355 let certreq = require_handshake_msg!(
356 m,
357 HandshakeType::CertificateRequest,
358 HandshakePayload::CertificateRequest
359 )?;
360 self.handshake
361 .transcript
362 .add_message(&m);
363 debug!("Got CertificateRequest {:?}", certreq);
364
365 let mut client_auth = ClientAuthDetails::new();
366
367 // The RFC jovially describes the design here as 'somewhat complicated'
368 // and 'somewhat underspecified'. So thanks for that.
369 //
370 // We ignore certreq.certtypes as a result, since the information it contains
371 // is entirely duplicated in certreq.sigschemes.
372
373 let canames = certreq
374 .canames
375 .iter()
376 .map(|p| p.0.as_slice())
377 .collect::<Vec<&[u8]>>();
378 let maybe_certkey = sess
379 .config
380 .client_auth_cert_resolver
381 .resolve(&canames, &certreq.sigschemes);
382
383 if let Some(mut certkey) = maybe_certkey {
384 let maybe_signer = certkey
385 .key
386 .choose_scheme(&certreq.sigschemes);
387
388 if let Some(_) = &maybe_signer {
389 debug!("Attempting client auth");
390 client_auth.cert = Some(certkey.take_cert());
391 }
392 client_auth.signer = maybe_signer;
393 } else {
394 debug!("Client auth requested but no cert/sigscheme available");
395 }
396
397 Ok(self.into_expect_server_done(client_auth))
398 }
399 }
400
401 struct ExpectServerDoneOrCertReq {
402 handshake: HandshakeDetails,
403 server_cert: ServerCertDetails,
404 server_kx: ServerKXDetails,
405 must_issue_new_ticket: bool,
406 }
407
408 impl ExpectServerDoneOrCertReq {
into_expect_certificate_req(self) -> hs::NextState409 fn into_expect_certificate_req(self) -> hs::NextState {
410 Box::new(ExpectCertificateRequest {
411 handshake: self.handshake,
412 server_cert: self.server_cert,
413 server_kx: self.server_kx,
414 must_issue_new_ticket: self.must_issue_new_ticket,
415 })
416 }
417
into_expect_server_done(self) -> hs::NextState418 fn into_expect_server_done(self) -> hs::NextState {
419 Box::new(ExpectServerDone {
420 handshake: self.handshake,
421 server_cert: self.server_cert,
422 server_kx: self.server_kx,
423 client_auth: None,
424 must_issue_new_ticket: self.must_issue_new_ticket,
425 })
426 }
427 }
428
429 impl hs::State for ExpectServerDoneOrCertReq {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError430 fn handle(
431 mut self: Box<Self>,
432 sess: &mut ClientSessionImpl,
433 m: Message,
434 ) -> hs::NextStateOrError {
435 if require_handshake_msg!(
436 m,
437 HandshakeType::CertificateRequest,
438 HandshakePayload::CertificateRequest
439 )
440 .is_ok()
441 {
442 self.into_expect_certificate_req()
443 .handle(sess, m)
444 } else {
445 self.handshake
446 .transcript
447 .abandon_client_auth();
448 self.into_expect_server_done()
449 .handle(sess, m)
450 }
451 }
452 }
453
454 struct ExpectServerDone {
455 handshake: HandshakeDetails,
456 server_cert: ServerCertDetails,
457 server_kx: ServerKXDetails,
458 client_auth: Option<ClientAuthDetails>,
459 must_issue_new_ticket: bool,
460 }
461
462 impl ExpectServerDone {
into_expect_new_ticket( self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid, ) -> hs::NextState463 fn into_expect_new_ticket(
464 self,
465 secrets: SessionSecrets,
466 certv: verify::ServerCertVerified,
467 sigv: verify::HandshakeSignatureValid,
468 ) -> hs::NextState {
469 Box::new(ExpectNewTicket {
470 secrets,
471 handshake: self.handshake,
472 resuming: false,
473 cert_verified: certv,
474 sig_verified: sigv,
475 })
476 }
477
into_expect_ccs( self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid, ) -> hs::NextState478 fn into_expect_ccs(
479 self,
480 secrets: SessionSecrets,
481 certv: verify::ServerCertVerified,
482 sigv: verify::HandshakeSignatureValid,
483 ) -> hs::NextState {
484 Box::new(ExpectCCS {
485 secrets,
486 handshake: self.handshake,
487 ticket: ReceivedTicketDetails::new(),
488 resuming: false,
489 cert_verified: certv,
490 sig_verified: sigv,
491 })
492 }
493 }
494
495 impl hs::State for ExpectServerDone {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError496 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
497 let mut st = *self;
498 check_message(
499 &m,
500 &[ContentType::Handshake],
501 &[HandshakeType::ServerHelloDone],
502 )?;
503 st.handshake.transcript.add_message(&m);
504
505 hs::check_aligned_handshake(sess)?;
506
507 trace!("Server cert is {:?}", st.server_cert.cert_chain);
508 debug!("Server DNS name is {:?}", st.handshake.dns_name);
509
510 // 1. Verify the cert chain.
511 // 2. Verify any SCTs provided with the certificate.
512 // 3. Verify that the top certificate signed their kx.
513 // 4. If doing client auth, send our Certificate.
514 // 5. Complete the key exchange:
515 // a) generate our kx pair
516 // b) emit a ClientKeyExchange containing it
517 // c) if doing client auth, emit a CertificateVerify
518 // d) emit a CCS
519 // e) derive the shared keys, and start encryption
520 // 6. emit a Finished, our first encrypted message under the new keys.
521
522 // 1.
523 if st.server_cert.cert_chain.is_empty() {
524 return Err(TLSError::NoCertificatesPresented);
525 }
526
527 let certv = sess
528 .config
529 .get_verifier()
530 .verify_server_cert(
531 &sess.config.root_store,
532 &st.server_cert.cert_chain,
533 st.handshake.dns_name.as_ref(),
534 &st.server_cert.ocsp_response,
535 )
536 .map_err(|err| hs::send_cert_error_alert(sess, err))?;
537
538 // 2. Verify any included SCTs.
539 match (st.server_cert.scts.as_ref(), sess.config.ct_logs) {
540 (Some(scts), Some(logs)) => {
541 verify::verify_scts(&st.server_cert.cert_chain[0], scts, logs)?;
542 }
543 (_, _) => {}
544 }
545
546 // 3.
547 // Build up the contents of the signed message.
548 // It's ClientHello.random || ServerHello.random || ServerKeyExchange.params
549 let sigv = {
550 let mut message = Vec::new();
551 message.extend_from_slice(&st.handshake.randoms.client);
552 message.extend_from_slice(&st.handshake.randoms.server);
553 message.extend_from_slice(&st.server_kx.kx_params);
554
555 // Check the signature is compatible with the ciphersuite.
556 let sig = &st.server_kx.kx_sig;
557 let scs = sess.common.get_suite_assert();
558 if !scs.usable_for_sigalg(sig.scheme.sign()) {
559 let error_message = format!(
560 "peer signed kx with wrong algorithm (got {:?} expect {:?})",
561 sig.scheme.sign(),
562 scs.sign
563 );
564 return Err(TLSError::PeerMisbehavedError(error_message));
565 }
566
567 sess.config
568 .get_verifier()
569 .verify_tls12_signature(&message, &st.server_cert.cert_chain[0], sig)
570 .map_err(|err| hs::send_cert_error_alert(sess, err))?
571 };
572 sess.server_cert_chain = st.server_cert.take_chain();
573
574 // 4.
575 if st.client_auth.is_some() {
576 emit_certificate(&mut st.handshake, st.client_auth.as_mut().unwrap(), sess);
577 }
578
579 // 5a.
580 let kxd = sess
581 .common
582 .get_suite_assert()
583 .do_client_kx(&st.server_kx.kx_params)
584 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
585
586 // 5b.
587 emit_clientkx(&mut st.handshake, sess, &kxd);
588 // nb. EMS handshake hash only runs up to ClientKeyExchange.
589 let handshake_hash = st
590 .handshake
591 .transcript
592 .get_current_hash();
593
594 // 5c.
595 if st.client_auth.is_some() {
596 emit_certverify(&mut st.handshake, st.client_auth.as_mut().unwrap(), sess)?;
597 }
598
599 // 5d.
600 emit_ccs(sess);
601
602 // 5e. Now commit secrets.
603 let hashalg = sess
604 .common
605 .get_suite_assert()
606 .get_hash();
607 let secrets = if st.handshake.using_ems {
608 SessionSecrets::new_ems(
609 &st.handshake.randoms,
610 &handshake_hash,
611 hashalg,
612 &kxd.shared_secret,
613 )
614 } else {
615 SessionSecrets::new(&st.handshake.randoms, hashalg, &kxd.shared_secret)
616 };
617 sess.config.key_log.log(
618 "CLIENT_RANDOM",
619 &secrets.randoms.client,
620 &secrets.master_secret,
621 );
622 sess.common
623 .start_encryption_tls12(&secrets);
624 sess.common
625 .record_layer
626 .start_encrypting();
627
628 // 6.
629 emit_finished(&secrets, &mut st.handshake, sess);
630
631 if st.must_issue_new_ticket {
632 Ok(st.into_expect_new_ticket(secrets, certv, sigv))
633 } else {
634 Ok(st.into_expect_ccs(secrets, certv, sigv))
635 }
636 }
637 }
638
639 // -- Waiting for their CCS --
640 pub struct ExpectCCS {
641 pub secrets: SessionSecrets,
642 pub handshake: HandshakeDetails,
643 pub ticket: ReceivedTicketDetails,
644 pub resuming: bool,
645 pub cert_verified: verify::ServerCertVerified,
646 pub sig_verified: verify::HandshakeSignatureValid,
647 }
648
649 impl ExpectCCS {
into_expect_finished(self) -> hs::NextState650 fn into_expect_finished(self) -> hs::NextState {
651 Box::new(ExpectFinished {
652 secrets: self.secrets,
653 handshake: self.handshake,
654 ticket: self.ticket,
655 resuming: self.resuming,
656 cert_verified: self.cert_verified,
657 sig_verified: self.sig_verified,
658 })
659 }
660 }
661
662 impl hs::State for ExpectCCS {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError663 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
664 check_message(&m, &[ContentType::ChangeCipherSpec], &[])?;
665 // CCS should not be received interleaved with fragmented handshake-level
666 // message.
667 hs::check_aligned_handshake(sess)?;
668
669 // nb. msgs layer validates trivial contents of CCS
670 sess.common
671 .record_layer
672 .start_decrypting();
673
674 Ok(self.into_expect_finished())
675 }
676 }
677
678 pub struct ExpectNewTicket {
679 pub secrets: SessionSecrets,
680 pub handshake: HandshakeDetails,
681 pub resuming: bool,
682 pub cert_verified: verify::ServerCertVerified,
683 pub sig_verified: verify::HandshakeSignatureValid,
684 }
685
686 impl ExpectNewTicket {
into_expect_ccs(self, ticket: ReceivedTicketDetails) -> hs::NextState687 fn into_expect_ccs(self, ticket: ReceivedTicketDetails) -> hs::NextState {
688 Box::new(ExpectCCS {
689 secrets: self.secrets,
690 handshake: self.handshake,
691 ticket,
692 resuming: self.resuming,
693 cert_verified: self.cert_verified,
694 sig_verified: self.sig_verified,
695 })
696 }
697 }
698
699 impl hs::State for ExpectNewTicket {
handle( mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError700 fn handle(
701 mut self: Box<Self>,
702 _sess: &mut ClientSessionImpl,
703 m: Message,
704 ) -> hs::NextStateOrError {
705 self.handshake
706 .transcript
707 .add_message(&m);
708
709 let nst = require_handshake_msg_mut!(
710 m,
711 HandshakeType::NewSessionTicket,
712 HandshakePayload::NewSessionTicket
713 )?;
714 let recvd = ReceivedTicketDetails::from(nst.ticket.0, nst.lifetime_hint);
715 Ok(self.into_expect_ccs(recvd))
716 }
717 }
718
719 // -- Waiting for their finished --
save_session( secrets: &SessionSecrets, handshake: &mut HandshakeDetails, recvd_ticket: &mut ReceivedTicketDetails, sess: &mut ClientSessionImpl, )720 fn save_session(
721 secrets: &SessionSecrets,
722 handshake: &mut HandshakeDetails,
723 recvd_ticket: &mut ReceivedTicketDetails,
724 sess: &mut ClientSessionImpl,
725 ) {
726 // Save a ticket. If we got a new ticket, save that. Otherwise, save the
727 // original ticket again.
728 let mut ticket = mem::replace(&mut recvd_ticket.new_ticket, Vec::new());
729 if ticket.is_empty() && handshake.resuming_session.is_some() {
730 ticket = handshake
731 .resuming_session
732 .as_mut()
733 .unwrap()
734 .take_ticket();
735 }
736
737 if handshake.session_id.is_empty() && ticket.is_empty() {
738 debug!("Session not saved: server didn't allocate id or ticket");
739 return;
740 }
741
742 let key = persist::ClientSessionKey::session_for_dns_name(handshake.dns_name.as_ref());
743
744 let scs = sess.common.get_suite_assert();
745 let master_secret = secrets.get_master_secret();
746 let version = sess.get_protocol_version().unwrap();
747 let mut value = persist::ClientSessionValue::new(
748 version,
749 scs.suite,
750 &handshake.session_id,
751 ticket,
752 master_secret,
753 &sess.server_cert_chain,
754 );
755 value.set_times(ticketer::timebase(), recvd_ticket.new_ticket_lifetime, 0);
756 if handshake.using_ems {
757 value.set_extended_ms_used();
758 }
759
760 let worked = sess
761 .config
762 .session_persistence
763 .put(key.get_encoding(), value.get_encoding());
764
765 if worked {
766 debug!("Session saved");
767 } else {
768 debug!("Session not saved");
769 }
770 }
771
772 struct ExpectFinished {
773 handshake: HandshakeDetails,
774 ticket: ReceivedTicketDetails,
775 secrets: SessionSecrets,
776 resuming: bool,
777 cert_verified: verify::ServerCertVerified,
778 sig_verified: verify::HandshakeSignatureValid,
779 }
780
781 impl ExpectFinished {
into_expect_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState782 fn into_expect_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState {
783 Box::new(ExpectTraffic {
784 secrets: self.secrets,
785 _cert_verified: self.cert_verified,
786 _sig_verified: self.sig_verified,
787 _fin_verified: fin,
788 })
789 }
790 }
791
792 impl hs::State for ExpectFinished {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError793 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
794 let mut st = *self;
795 let finished =
796 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
797
798 hs::check_aligned_handshake(sess)?;
799
800 // Work out what verify_data we expect.
801 let vh = st
802 .handshake
803 .transcript
804 .get_current_hash();
805 let expect_verify_data = st.secrets.server_verify_data(&vh);
806
807 // Constant-time verification of this is relatively unimportant: they only
808 // get one chance. But it can't hurt.
809 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
810 .map_err(|_| {
811 sess.common
812 .send_fatal_alert(AlertDescription::DecryptError);
813 TLSError::DecryptError
814 })
815 .map(|_| verify::FinishedMessageVerified::assertion())?;
816
817 // Hash this message too.
818 st.handshake.transcript.add_message(&m);
819
820 save_session(&st.secrets, &mut st.handshake, &mut st.ticket, sess);
821
822 if st.resuming {
823 emit_ccs(sess);
824 sess.common
825 .record_layer
826 .start_encrypting();
827 emit_finished(&st.secrets, &mut st.handshake, sess);
828 }
829
830 sess.common.start_traffic();
831 Ok(st.into_expect_traffic(fin))
832 }
833 }
834
835 // -- Traffic transit state --
836 struct ExpectTraffic {
837 secrets: SessionSecrets,
838 _cert_verified: verify::ServerCertVerified,
839 _sig_verified: verify::HandshakeSignatureValid,
840 _fin_verified: verify::FinishedMessageVerified,
841 }
842
843 impl hs::State for ExpectTraffic {
handle( self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message, ) -> hs::NextStateOrError844 fn handle(
845 self: Box<Self>,
846 sess: &mut ClientSessionImpl,
847 mut m: Message,
848 ) -> hs::NextStateOrError {
849 check_message(&m, &[ContentType::ApplicationData], &[])?;
850 sess.common
851 .take_received_plaintext(m.take_opaque_payload().unwrap());
852 Ok(self)
853 }
854
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), TLSError>855 fn export_keying_material(
856 &self,
857 output: &mut [u8],
858 label: &[u8],
859 context: Option<&[u8]>,
860 ) -> Result<(), TLSError> {
861 self.secrets
862 .export_keying_material(output, label, context);
863 Ok(())
864 }
865 }
866