1 use crate::check::check_message;
2 use crate::cipher;
3 use crate::client::ClientSessionImpl;
4 use crate::error::TLSError;
5 use crate::key_schedule::{
6 KeyScheduleEarly, KeyScheduleHandshake, KeyScheduleNonSecret, KeyScheduleTraffic,
7 KeyScheduleTrafficWithClientFinishedPending,
8 };
9 #[cfg(feature = "logging")]
10 use crate::log::{debug, trace, warn};
11 use crate::msgs::base::{Payload, PayloadU8};
12 use crate::msgs::ccs::ChangeCipherSpecPayload;
13 use crate::msgs::codec::Codec;
14 use crate::msgs::enums::KeyUpdateRequest;
15 use crate::msgs::enums::{AlertDescription, NamedGroup, ProtocolVersion};
16 use crate::msgs::enums::{ContentType, ExtensionType, HandshakeType, SignatureScheme};
17 use crate::msgs::handshake::DigitallySignedStruct;
18 use crate::msgs::handshake::EncryptedExtensions;
19 use crate::msgs::handshake::NewSessionTicketPayloadTLS13;
20 use crate::msgs::handshake::{CertificateEntry, CertificatePayloadTLS13};
21 use crate::msgs::handshake::{ClientExtension, HelloRetryRequest, KeyShareEntry};
22 use crate::msgs::handshake::{HandshakeMessagePayload, HandshakePayload};
23 use crate::msgs::handshake::{HasServerExtensions, ServerHelloPayload, SessionID};
24 use crate::msgs::handshake::{PresharedKeyIdentity, PresharedKeyOffer};
25 use crate::msgs::message::{Message, MessagePayload};
26 use crate::msgs::persist;
27 use crate::sign;
28 use crate::suites;
29 use crate::ticketer;
30 use crate::verify;
31 #[cfg(feature = "quic")]
32 use crate::{msgs::base::PayloadU16, quic, session::Protocol};
33
34 use crate::client::common::{ClientAuthDetails, ClientHelloDetails};
35 use crate::client::common::{HandshakeDetails, ServerCertDetails};
36 use crate::client::hs;
37
38 use ring::constant_time;
39 use webpki;
40
41 // Extensions we expect in plaintext in the ServerHello.
42 static ALLOWED_PLAINTEXT_EXTS: &[ExtensionType] = &[
43 ExtensionType::KeyShare,
44 ExtensionType::PreSharedKey,
45 ExtensionType::SupportedVersions,
46 ];
47
48 // Only the intersection of things we offer, and those disallowed
49 // in TLS1.3
50 static DISALLOWED_TLS13_EXTS: &[ExtensionType] = &[
51 ExtensionType::ECPointFormats,
52 ExtensionType::SessionTicket,
53 ExtensionType::RenegotiationInfo,
54 ExtensionType::ExtendedMasterSecret,
55 ];
56
validate_server_hello( sess: &mut ClientSessionImpl, server_hello: &ServerHelloPayload, ) -> Result<(), TLSError>57 pub fn validate_server_hello(
58 sess: &mut ClientSessionImpl,
59 server_hello: &ServerHelloPayload,
60 ) -> Result<(), TLSError> {
61 for ext in &server_hello.extensions {
62 if !ALLOWED_PLAINTEXT_EXTS.contains(&ext.get_type()) {
63 sess.common
64 .send_fatal_alert(AlertDescription::UnsupportedExtension);
65 return Err(TLSError::PeerMisbehavedError(
66 "server sent unexpected cleartext ext".to_string(),
67 ));
68 }
69 }
70
71 Ok(())
72 }
73
find_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef) -> Option<NamedGroup>74 fn find_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef) -> Option<NamedGroup> {
75 let key = persist::ClientSessionKey::hint_for_dns_name(dns_name);
76 let key_buf = key.get_encoding();
77
78 let maybe_value = sess
79 .config
80 .session_persistence
81 .get(&key_buf);
82 maybe_value.and_then(|enc| NamedGroup::read_bytes(&enc))
83 }
84
save_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef, group: NamedGroup)85 fn save_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef, group: NamedGroup) {
86 let key = persist::ClientSessionKey::hint_for_dns_name(dns_name);
87
88 sess.config
89 .session_persistence
90 .put(key.get_encoding(), group.get_encoding());
91 }
92
choose_kx_groups( sess: &mut ClientSessionImpl, exts: &mut Vec<ClientExtension>, hello: &mut ClientHelloDetails, handshake: &mut HandshakeDetails, retryreq: Option<&HelloRetryRequest>, )93 pub fn choose_kx_groups(
94 sess: &mut ClientSessionImpl,
95 exts: &mut Vec<ClientExtension>,
96 hello: &mut ClientHelloDetails,
97 handshake: &mut HandshakeDetails,
98 retryreq: Option<&HelloRetryRequest>,
99 ) {
100 // Choose our groups:
101 // - if we've been asked via HelloRetryRequest for a specific
102 // one, do that.
103 // - if not, we might have a hint of what the server supports
104 // - if not, send just X25519.
105 //
106 let groups = retryreq
107 .and_then(HelloRetryRequest::get_requested_key_share_group)
108 .or_else(|| find_kx_hint(sess, handshake.dns_name.as_ref()))
109 .or_else(|| Some(NamedGroup::X25519))
110 .map(|grp| vec![grp])
111 .unwrap();
112
113 let mut key_shares = vec![];
114
115 for group in groups {
116 // in reply to HelloRetryRequest, we must not alter any existing key
117 // shares
118 if let Some(already_offered_share) = hello.find_key_share(group) {
119 key_shares.push(KeyShareEntry::new(
120 group,
121 already_offered_share.pubkey.as_ref(),
122 ));
123 hello
124 .offered_key_shares
125 .push(already_offered_share);
126 continue;
127 }
128
129 if let Some(key_share) = suites::KeyExchange::start_ecdhe(group) {
130 key_shares.push(KeyShareEntry::new(group, key_share.pubkey.as_ref()));
131 hello.offered_key_shares.push(key_share);
132 }
133 }
134
135 exts.push(ClientExtension::KeyShare(key_shares));
136 }
137
138 /// This implements the horrifying TLS1.3 hack where PSK binders have a
139 /// data dependency on the message they are contained within.
fill_in_psk_binder( sess: &mut ClientSessionImpl, handshake: &mut HandshakeDetails, hmp: &mut HandshakeMessagePayload, ) -> KeyScheduleEarly140 pub fn fill_in_psk_binder(
141 sess: &mut ClientSessionImpl,
142 handshake: &mut HandshakeDetails,
143 hmp: &mut HandshakeMessagePayload,
144 ) -> KeyScheduleEarly {
145 // We need to know the hash function of the suite we're trying to resume into.
146 let resuming = handshake
147 .resuming_session
148 .as_ref()
149 .unwrap();
150 let suite = sess
151 .find_cipher_suite(resuming.cipher_suite)
152 .unwrap();
153 let hkdf_alg = suite.hkdf_algorithm;
154 let suite_hash = suite.get_hash();
155
156 // The binder is calculated over the clienthello, but doesn't include itself or its
157 // length, or the length of its container.
158 let binder_plaintext = hmp.get_encoding_for_binder_signing();
159 let handshake_hash = handshake
160 .transcript
161 .get_hash_given(suite_hash, &binder_plaintext);
162
163 // Run a fake key_schedule to simulate what the server will do if it choses
164 // to resume.
165 let key_schedule = KeyScheduleEarly::new(hkdf_alg, &resuming.master_secret.0);
166 let real_binder = key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
167
168 if let HandshakePayload::ClientHello(ref mut ch) = hmp.payload {
169 ch.set_psk_binder(real_binder);
170 };
171
172 key_schedule
173 }
174
start_handshake_traffic( sess: &mut ClientSessionImpl, early_key_schedule: Option<KeyScheduleEarly>, server_hello: &ServerHelloPayload, handshake: &mut HandshakeDetails, hello: &mut ClientHelloDetails, ) -> Result<KeyScheduleHandshake, TLSError>175 pub fn start_handshake_traffic(
176 sess: &mut ClientSessionImpl,
177 early_key_schedule: Option<KeyScheduleEarly>,
178 server_hello: &ServerHelloPayload,
179 handshake: &mut HandshakeDetails,
180 hello: &mut ClientHelloDetails,
181 ) -> Result<KeyScheduleHandshake, TLSError> {
182 let suite = sess.common.get_suite_assert();
183
184 let their_key_share = server_hello
185 .get_key_share()
186 .ok_or_else(|| {
187 sess.common
188 .send_fatal_alert(AlertDescription::MissingExtension);
189 TLSError::PeerMisbehavedError("missing key share".to_string())
190 })?;
191
192 let our_key_share = hello
193 .find_key_share_and_discard_others(their_key_share.group)
194 .ok_or_else(|| hs::illegal_param(sess, "wrong group for key share"))?;
195 let shared = our_key_share
196 .complete(&their_key_share.payload.0)
197 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
198
199 let mut key_schedule = if let Some(selected_psk) = server_hello.get_psk_index() {
200 if let Some(ref resuming) = handshake.resuming_session {
201 let resume_from_suite = sess
202 .find_cipher_suite(resuming.cipher_suite)
203 .unwrap();
204 if !resume_from_suite.can_resume_to(suite) {
205 return Err(hs::illegal_param(
206 sess,
207 "server resuming incompatible suite",
208 ));
209 }
210
211 // If the server varies the suite here, we will have encrypted early data with
212 // the wrong suite.
213 if sess.early_data.is_enabled() && resume_from_suite != suite {
214 return Err(hs::illegal_param(
215 sess,
216 "server varied suite with early data",
217 ));
218 }
219
220 if selected_psk != 0 {
221 return Err(hs::illegal_param(sess, "server selected invalid psk"));
222 }
223
224 debug!("Resuming using PSK");
225 // The key schedule has been initialized and set in fill_in_psk_binder()
226 } else {
227 return Err(TLSError::PeerMisbehavedError(
228 "server selected unoffered psk".to_string(),
229 ));
230 }
231 early_key_schedule
232 .unwrap()
233 .into_handshake(&shared.shared_secret)
234 } else {
235 debug!("Not resuming");
236 // Discard the early data key schedule.
237 sess.early_data.rejected();
238 sess.common.early_traffic = false;
239 handshake.resuming_session.take();
240 KeyScheduleNonSecret::new(suite.hkdf_algorithm).into_handshake(&shared.shared_secret)
241 };
242
243 // Remember what KX group the server liked for next time.
244 save_kx_hint(sess, handshake.dns_name.as_ref(), their_key_share.group);
245
246 // If we change keying when a subsequent handshake message is being joined,
247 // the two halves will have different record layer protections. Disallow this.
248 hs::check_aligned_handshake(sess)?;
249
250 handshake.hash_at_client_recvd_server_hello = handshake.transcript.get_current_hash();
251
252 let _maybe_write_key = if !sess.early_data.is_enabled() {
253 // Set the client encryption key for handshakes if early data is not used
254 let write_key = key_schedule.client_handshake_traffic_secret(
255 &handshake.hash_at_client_recvd_server_hello,
256 &*sess.config.key_log,
257 &handshake.randoms.client,
258 );
259 sess.common
260 .record_layer
261 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
262 Some(write_key)
263 } else {
264 None
265 };
266
267 let read_key = key_schedule.server_handshake_traffic_secret(
268 &handshake.hash_at_client_recvd_server_hello,
269 &*sess.config.key_log,
270 &handshake.randoms.client,
271 );
272 sess.common
273 .record_layer
274 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
275
276 #[cfg(feature = "quic")]
277 {
278 let write_key = if sess.early_data.is_enabled() {
279 // Traffic secret wasn't computed and stored above, so do it here.
280 key_schedule.client_handshake_traffic_secret(
281 &handshake.hash_at_client_recvd_server_hello,
282 &*sess.config.key_log,
283 &handshake.randoms.client,
284 )
285 } else {
286 _maybe_write_key.unwrap()
287 };
288 sess.common.quic.hs_secrets = Some(quic::Secrets {
289 client: write_key,
290 server: read_key,
291 });
292 }
293
294 Ok(key_schedule)
295 }
296
prepare_resumption( sess: &mut ClientSessionImpl, ticket: Vec<u8>, handshake: &HandshakeDetails, exts: &mut Vec<ClientExtension>, doing_retry: bool, ) -> bool297 pub fn prepare_resumption(
298 sess: &mut ClientSessionImpl,
299 ticket: Vec<u8>,
300 handshake: &HandshakeDetails,
301 exts: &mut Vec<ClientExtension>,
302 doing_retry: bool,
303 ) -> bool {
304 let resuming_suite = handshake
305 .resuming_session
306 .as_ref()
307 .and_then(|resume| sess.find_cipher_suite(resume.cipher_suite));
308
309 if hs::compatible_suite(sess, resuming_suite) {
310 sess.resumption_ciphersuite = resuming_suite;
311 // The EarlyData extension MUST be supplied together with the
312 // PreSharedKey extension.
313 let max_early_data_size = handshake
314 .resuming_session
315 .as_ref()
316 .map_or(0, |resume| resume.max_early_data_size);
317 if sess.config.enable_early_data && max_early_data_size > 0 && !doing_retry {
318 sess.early_data
319 .enable(max_early_data_size as usize);
320 exts.push(ClientExtension::EarlyData);
321 }
322
323 // Finally, and only for TLS1.3 with a ticket resumption, include a binder
324 // for our ticket. This must go last.
325 //
326 // Include an empty binder. It gets filled in below because it depends on
327 // the message it's contained in (!!!).
328 let (obfuscated_ticket_age, suite) = {
329 let resuming = handshake
330 .resuming_session
331 .as_ref()
332 .unwrap();
333 (
334 resuming.get_obfuscated_ticket_age(ticketer::timebase()),
335 resuming.cipher_suite,
336 )
337 };
338
339 let binder_len = sess
340 .find_cipher_suite(suite)
341 .unwrap()
342 .get_hash()
343 .output_len;
344 let binder = vec![0u8; binder_len];
345
346 let psk_identity = PresharedKeyIdentity::new(ticket, obfuscated_ticket_age);
347 let psk_ext = PresharedKeyOffer::new(psk_identity, binder);
348 exts.push(ClientExtension::PresharedKey(psk_ext));
349 true
350 } else {
351 false
352 }
353 }
354
emit_fake_ccs(hs: &mut HandshakeDetails, sess: &mut ClientSessionImpl)355 pub fn emit_fake_ccs(hs: &mut HandshakeDetails, sess: &mut ClientSessionImpl) {
356 if sess.common.is_quic() {
357 return;
358 }
359
360 if hs.sent_tls13_fake_ccs {
361 return;
362 }
363
364 let m = Message {
365 typ: ContentType::ChangeCipherSpec,
366 version: ProtocolVersion::TLSv1_2,
367 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
368 };
369 sess.common.send_msg(m, false);
370 hs.sent_tls13_fake_ccs = true;
371 }
372
validate_encrypted_extensions( sess: &mut ClientSessionImpl, hello: &ClientHelloDetails, exts: &EncryptedExtensions, ) -> Result<(), TLSError>373 fn validate_encrypted_extensions(
374 sess: &mut ClientSessionImpl,
375 hello: &ClientHelloDetails,
376 exts: &EncryptedExtensions,
377 ) -> Result<(), TLSError> {
378 if exts.has_duplicate_extension() {
379 sess.common
380 .send_fatal_alert(AlertDescription::DecodeError);
381 return Err(TLSError::PeerMisbehavedError(
382 "server sent duplicate encrypted extensions".to_string(),
383 ));
384 }
385
386 if hello.server_sent_unsolicited_extensions(exts, &[]) {
387 sess.common
388 .send_fatal_alert(AlertDescription::UnsupportedExtension);
389 let msg = "server sent unsolicited encrypted extension".to_string();
390 return Err(TLSError::PeerMisbehavedError(msg));
391 }
392
393 for ext in exts {
394 if ALLOWED_PLAINTEXT_EXTS.contains(&ext.get_type())
395 || DISALLOWED_TLS13_EXTS.contains(&ext.get_type())
396 {
397 sess.common
398 .send_fatal_alert(AlertDescription::UnsupportedExtension);
399 let msg = "server sent inappropriate encrypted extension".to_string();
400 return Err(TLSError::PeerMisbehavedError(msg));
401 }
402 }
403
404 Ok(())
405 }
406
407 pub struct ExpectEncryptedExtensions {
408 pub handshake: HandshakeDetails,
409 pub key_schedule: KeyScheduleHandshake,
410 pub server_cert: ServerCertDetails,
411 pub hello: ClientHelloDetails,
412 }
413
414 impl ExpectEncryptedExtensions {
into_expect_finished_resume( self, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid, ) -> hs::NextState415 fn into_expect_finished_resume(
416 self,
417 certv: verify::ServerCertVerified,
418 sigv: verify::HandshakeSignatureValid,
419 ) -> hs::NextState {
420 Box::new(ExpectFinished {
421 handshake: self.handshake,
422 key_schedule: self.key_schedule,
423 client_auth: None,
424 cert_verified: certv,
425 sig_verified: sigv,
426 })
427 }
428
into_expect_certificate_or_certreq(self) -> hs::NextState429 fn into_expect_certificate_or_certreq(self) -> hs::NextState {
430 Box::new(ExpectCertificateOrCertReq {
431 handshake: self.handshake,
432 key_schedule: self.key_schedule,
433 server_cert: self.server_cert,
434 })
435 }
436 }
437
438 impl hs::State for ExpectEncryptedExtensions {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError439 fn handle(
440 mut self: Box<Self>,
441 sess: &mut ClientSessionImpl,
442 m: Message,
443 ) -> hs::NextStateOrError {
444 let exts = require_handshake_msg!(
445 m,
446 HandshakeType::EncryptedExtensions,
447 HandshakePayload::EncryptedExtensions
448 )?;
449 debug!("TLS1.3 encrypted extensions: {:?}", exts);
450 self.handshake
451 .transcript
452 .add_message(&m);
453
454 validate_encrypted_extensions(sess, &self.hello, &exts)?;
455 hs::process_alpn_protocol(sess, exts.get_alpn_protocol())?;
456
457 #[cfg(feature = "quic")]
458 {
459 // QUIC transport parameters
460 if let Some(params) = exts.get_quic_params_extension() {
461 sess.common.quic.params = Some(params);
462 }
463 }
464
465 if let Some(resuming_session) = &self.handshake.resuming_session {
466 let was_early_traffic = sess.common.early_traffic;
467 if was_early_traffic {
468 if exts.early_data_extension_offered() {
469 sess.early_data.accepted();
470 } else {
471 sess.early_data.rejected();
472 sess.common.early_traffic = false;
473 }
474 }
475
476 if was_early_traffic && !sess.common.early_traffic {
477 // If no early traffic, set the encryption key for handshakes
478 let suite = sess.common.get_suite_assert();
479 let write_key = self
480 .key_schedule
481 .client_handshake_traffic_secret(
482 &self
483 .handshake
484 .hash_at_client_recvd_server_hello,
485 &*sess.config.key_log,
486 &self.handshake.randoms.client,
487 );
488 sess.common
489 .record_layer
490 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
491 }
492
493 sess.server_cert_chain = resuming_session
494 .server_cert_chain
495 .clone();
496
497 // We *don't* reverify the certificate chain here: resumption is a
498 // continuation of the previous session in terms of security policy.
499 let certv = verify::ServerCertVerified::assertion();
500 let sigv = verify::HandshakeSignatureValid::assertion();
501 Ok(self.into_expect_finished_resume(certv, sigv))
502 } else {
503 if exts.early_data_extension_offered() {
504 let msg = "server sent early data extension without resumption".to_string();
505 return Err(TLSError::PeerMisbehavedError(msg));
506 }
507 Ok(self.into_expect_certificate_or_certreq())
508 }
509 }
510 }
511
512 struct ExpectCertificate {
513 handshake: HandshakeDetails,
514 key_schedule: KeyScheduleHandshake,
515 server_cert: ServerCertDetails,
516 client_auth: Option<ClientAuthDetails>,
517 }
518
519 impl ExpectCertificate {
into_expect_certificate_verify(self) -> hs::NextState520 fn into_expect_certificate_verify(self) -> hs::NextState {
521 Box::new(ExpectCertificateVerify {
522 handshake: self.handshake,
523 key_schedule: self.key_schedule,
524 server_cert: self.server_cert,
525 client_auth: self.client_auth,
526 })
527 }
528 }
529
530 impl hs::State for ExpectCertificate {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError531 fn handle(
532 mut self: Box<Self>,
533 sess: &mut ClientSessionImpl,
534 m: Message,
535 ) -> hs::NextStateOrError {
536 let cert_chain = require_handshake_msg!(
537 m,
538 HandshakeType::Certificate,
539 HandshakePayload::CertificateTLS13
540 )?;
541 self.handshake
542 .transcript
543 .add_message(&m);
544
545 // This is only non-empty for client auth.
546 if !cert_chain.context.0.is_empty() {
547 warn!("certificate with non-empty context during handshake");
548 sess.common
549 .send_fatal_alert(AlertDescription::DecodeError);
550 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
551 }
552
553 if cert_chain.any_entry_has_duplicate_extension()
554 || cert_chain.any_entry_has_unknown_extension()
555 {
556 warn!("certificate chain contains unsolicited/unknown extension");
557 sess.common
558 .send_fatal_alert(AlertDescription::UnsupportedExtension);
559 return Err(TLSError::PeerMisbehavedError(
560 "bad cert chain extensions".to_string(),
561 ));
562 }
563
564 self.server_cert.ocsp_response = cert_chain.get_end_entity_ocsp();
565 self.server_cert.scts = cert_chain.get_end_entity_scts();
566 self.server_cert.cert_chain = cert_chain.convert();
567
568 if let Some(sct_list) = self.server_cert.scts.as_ref() {
569 if hs::sct_list_is_invalid(sct_list) {
570 let error_msg = "server sent invalid SCT list".to_string();
571 return Err(TLSError::PeerMisbehavedError(error_msg));
572 }
573
574 if sess.config.ct_logs.is_none() {
575 let error_msg = "server sent unsolicited SCT list".to_string();
576 return Err(TLSError::PeerMisbehavedError(error_msg));
577 }
578 }
579
580 Ok(self.into_expect_certificate_verify())
581 }
582 }
583
584 struct ExpectCertificateOrCertReq {
585 handshake: HandshakeDetails,
586 key_schedule: KeyScheduleHandshake,
587 server_cert: ServerCertDetails,
588 }
589
590 impl ExpectCertificateOrCertReq {
into_expect_certificate(self) -> hs::NextState591 fn into_expect_certificate(self) -> hs::NextState {
592 Box::new(ExpectCertificate {
593 handshake: self.handshake,
594 key_schedule: self.key_schedule,
595 server_cert: self.server_cert,
596 client_auth: None,
597 })
598 }
599
into_expect_certificate_req(self) -> hs::NextState600 fn into_expect_certificate_req(self) -> hs::NextState {
601 Box::new(ExpectCertificateRequest {
602 handshake: self.handshake,
603 key_schedule: self.key_schedule,
604 server_cert: self.server_cert,
605 })
606 }
607 }
608
609 impl hs::State for ExpectCertificateOrCertReq {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError610 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
611 check_message(
612 &m,
613 &[ContentType::Handshake],
614 &[
615 HandshakeType::Certificate,
616 HandshakeType::CertificateRequest,
617 ],
618 )?;
619 if m.is_handshake_type(HandshakeType::Certificate) {
620 self.into_expect_certificate()
621 .handle(sess, m)
622 } else {
623 self.into_expect_certificate_req()
624 .handle(sess, m)
625 }
626 }
627 }
628
629 // --- TLS1.3 CertificateVerify ---
630 struct ExpectCertificateVerify {
631 handshake: HandshakeDetails,
632 key_schedule: KeyScheduleHandshake,
633 server_cert: ServerCertDetails,
634 client_auth: Option<ClientAuthDetails>,
635 }
636
637 impl ExpectCertificateVerify {
into_expect_finished( self, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid, ) -> hs::NextState638 fn into_expect_finished(
639 self,
640 certv: verify::ServerCertVerified,
641 sigv: verify::HandshakeSignatureValid,
642 ) -> hs::NextState {
643 Box::new(ExpectFinished {
644 handshake: self.handshake,
645 key_schedule: self.key_schedule,
646 client_auth: self.client_auth,
647 cert_verified: certv,
648 sig_verified: sigv,
649 })
650 }
651 }
652
send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError653 fn send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError {
654 match err {
655 TLSError::WebPKIError(webpki::Error::BadDER) => {
656 sess.common
657 .send_fatal_alert(AlertDescription::DecodeError);
658 }
659 TLSError::PeerMisbehavedError(_) => {
660 sess.common
661 .send_fatal_alert(AlertDescription::IllegalParameter);
662 }
663 _ => {
664 sess.common
665 .send_fatal_alert(AlertDescription::BadCertificate);
666 }
667 };
668
669 err
670 }
671
672 impl hs::State for ExpectCertificateVerify {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError673 fn handle(
674 mut self: Box<Self>,
675 sess: &mut ClientSessionImpl,
676 m: Message,
677 ) -> hs::NextStateOrError {
678 let cert_verify = require_handshake_msg!(
679 m,
680 HandshakeType::CertificateVerify,
681 HandshakePayload::CertificateVerify
682 )?;
683
684 trace!("Server cert is {:?}", self.server_cert.cert_chain);
685
686 // 1. Verify the certificate chain.
687 if self.server_cert.cert_chain.is_empty() {
688 return Err(TLSError::NoCertificatesPresented);
689 }
690
691 let certv = sess
692 .config
693 .get_verifier()
694 .verify_server_cert(
695 &sess.config.root_store,
696 &self.server_cert.cert_chain,
697 self.handshake.dns_name.as_ref(),
698 &self.server_cert.ocsp_response,
699 )
700 .map_err(|err| send_cert_error_alert(sess, err))?;
701
702 // 2. Verify their signature on the handshake.
703 let handshake_hash = self
704 .handshake
705 .transcript
706 .get_current_hash();
707 let sigv = sess
708 .config
709 .get_verifier()
710 .verify_tls13_signature(
711 &verify::construct_tls13_server_verify_message(&handshake_hash),
712 &self.server_cert.cert_chain[0],
713 &cert_verify,
714 )
715 .map_err(|err| send_cert_error_alert(sess, err))?;
716
717 // 3. Verify any included SCTs.
718 match (self.server_cert.scts.as_ref(), sess.config.ct_logs) {
719 (Some(scts), Some(logs)) => {
720 verify::verify_scts(&self.server_cert.cert_chain[0], scts, logs)?;
721 }
722 (_, _) => {}
723 }
724
725 sess.server_cert_chain = self.server_cert.take_chain();
726 self.handshake
727 .transcript
728 .add_message(&m);
729
730 Ok(self.into_expect_finished(certv, sigv))
731 }
732 }
733
734 // TLS1.3 version of CertificateRequest handling. We then move to expecting the server
735 // Certificate. Unfortunately the CertificateRequest type changed in an annoying way
736 // in TLS1.3.
737 struct ExpectCertificateRequest {
738 handshake: HandshakeDetails,
739 key_schedule: KeyScheduleHandshake,
740 server_cert: ServerCertDetails,
741 }
742
743 impl ExpectCertificateRequest {
into_expect_certificate(self, client_auth: ClientAuthDetails) -> hs::NextState744 fn into_expect_certificate(self, client_auth: ClientAuthDetails) -> hs::NextState {
745 Box::new(ExpectCertificate {
746 handshake: self.handshake,
747 key_schedule: self.key_schedule,
748 server_cert: self.server_cert,
749 client_auth: Some(client_auth),
750 })
751 }
752 }
753
754 impl hs::State for ExpectCertificateRequest {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError755 fn handle(
756 mut self: Box<Self>,
757 sess: &mut ClientSessionImpl,
758 m: Message,
759 ) -> hs::NextStateOrError {
760 let certreq = &require_handshake_msg!(
761 m,
762 HandshakeType::CertificateRequest,
763 HandshakePayload::CertificateRequestTLS13
764 )?;
765 self.handshake
766 .transcript
767 .add_message(&m);
768 debug!("Got CertificateRequest {:?}", certreq);
769
770 // Fortunately the problems here in TLS1.2 and prior are corrected in
771 // TLS1.3.
772
773 // Must be empty during handshake.
774 if !certreq.context.0.is_empty() {
775 warn!("Server sent non-empty certreq context");
776 sess.common
777 .send_fatal_alert(AlertDescription::DecodeError);
778 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
779 }
780
781 let tls13_sign_schemes = sign::supported_sign_tls13();
782 let no_sigschemes = Vec::new();
783 let compat_sigschemes = certreq
784 .get_sigalgs_extension()
785 .unwrap_or(&no_sigschemes)
786 .iter()
787 .cloned()
788 .filter(|scheme| tls13_sign_schemes.contains(scheme))
789 .collect::<Vec<SignatureScheme>>();
790
791 if compat_sigschemes.is_empty() {
792 sess.common
793 .send_fatal_alert(AlertDescription::HandshakeFailure);
794 return Err(TLSError::PeerIncompatibleError(
795 "server sent bad certreq schemes".to_string(),
796 ));
797 }
798
799 let no_canames = Vec::new();
800 let canames = certreq
801 .get_authorities_extension()
802 .unwrap_or(&no_canames)
803 .iter()
804 .map(|p| p.0.as_slice())
805 .collect::<Vec<&[u8]>>();
806 let maybe_certkey = sess
807 .config
808 .client_auth_cert_resolver
809 .resolve(&canames, &compat_sigschemes);
810
811 let mut client_auth = ClientAuthDetails::new();
812 if let Some(mut certkey) = maybe_certkey {
813 debug!("Attempting client auth");
814 let maybe_signer = certkey
815 .key
816 .choose_scheme(&compat_sigschemes);
817 client_auth.cert = Some(certkey.take_cert());
818 client_auth.signer = maybe_signer;
819 client_auth.auth_context = Some(certreq.context.0.clone());
820 } else {
821 debug!("Client auth requested but no cert selected");
822 }
823
824 Ok(self.into_expect_certificate(client_auth))
825 }
826 }
827
emit_certificate_tls13( handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl, )828 fn emit_certificate_tls13(
829 handshake: &mut HandshakeDetails,
830 client_auth: &mut ClientAuthDetails,
831 sess: &mut ClientSessionImpl,
832 ) {
833 let context = client_auth
834 .auth_context
835 .take()
836 .unwrap_or_else(Vec::new);
837
838 let mut cert_payload = CertificatePayloadTLS13 {
839 context: PayloadU8::new(context),
840 entries: Vec::new(),
841 };
842
843 if let Some(cert_chain) = client_auth.cert.take() {
844 for cert in cert_chain {
845 cert_payload
846 .entries
847 .push(CertificateEntry::new(cert));
848 }
849 }
850
851 let m = Message {
852 typ: ContentType::Handshake,
853 version: ProtocolVersion::TLSv1_3,
854 payload: MessagePayload::Handshake(HandshakeMessagePayload {
855 typ: HandshakeType::Certificate,
856 payload: HandshakePayload::CertificateTLS13(cert_payload),
857 }),
858 };
859 handshake.transcript.add_message(&m);
860 sess.common.send_msg(m, true);
861 }
862
emit_certverify_tls13( handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl, ) -> Result<(), TLSError>863 fn emit_certverify_tls13(
864 handshake: &mut HandshakeDetails,
865 client_auth: &mut ClientAuthDetails,
866 sess: &mut ClientSessionImpl,
867 ) -> Result<(), TLSError> {
868 if client_auth.signer.is_none() {
869 debug!("Skipping certverify message (no client scheme/key)");
870 return Ok(());
871 }
872
873 let message =
874 verify::construct_tls13_client_verify_message(&handshake.transcript.get_current_hash());
875
876 let signer = client_auth.signer.take().unwrap();
877 let scheme = signer.get_scheme();
878 let sig = signer.sign(&message)?;
879 let dss = DigitallySignedStruct::new(scheme, sig);
880
881 let m = Message {
882 typ: ContentType::Handshake,
883 version: ProtocolVersion::TLSv1_3,
884 payload: MessagePayload::Handshake(HandshakeMessagePayload {
885 typ: HandshakeType::CertificateVerify,
886 payload: HandshakePayload::CertificateVerify(dss),
887 }),
888 };
889
890 handshake.transcript.add_message(&m);
891 sess.common.send_msg(m, true);
892 Ok(())
893 }
894
emit_finished_tls13( handshake: &mut HandshakeDetails, key_schedule: &KeyScheduleTrafficWithClientFinishedPending, sess: &mut ClientSessionImpl, )895 fn emit_finished_tls13(
896 handshake: &mut HandshakeDetails,
897 key_schedule: &KeyScheduleTrafficWithClientFinishedPending,
898 sess: &mut ClientSessionImpl,
899 ) {
900 let handshake_hash = handshake.transcript.get_current_hash();
901 let verify_data = key_schedule.sign_client_finish(&handshake_hash);
902 let verify_data_payload = Payload::new(verify_data);
903
904 let m = Message {
905 typ: ContentType::Handshake,
906 version: ProtocolVersion::TLSv1_3,
907 payload: MessagePayload::Handshake(HandshakeMessagePayload {
908 typ: HandshakeType::Finished,
909 payload: HandshakePayload::Finished(verify_data_payload),
910 }),
911 };
912
913 handshake.transcript.add_message(&m);
914 sess.common.send_msg(m, true);
915 }
916
emit_end_of_early_data_tls13(handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl)917 fn emit_end_of_early_data_tls13(handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl) {
918 if sess.common.is_quic() {
919 return;
920 }
921
922 let m = Message {
923 typ: ContentType::Handshake,
924 version: ProtocolVersion::TLSv1_3,
925 payload: MessagePayload::Handshake(HandshakeMessagePayload {
926 typ: HandshakeType::EndOfEarlyData,
927 payload: HandshakePayload::EndOfEarlyData,
928 }),
929 };
930
931 handshake.transcript.add_message(&m);
932 sess.common.send_msg(m, true);
933 }
934
935 struct ExpectFinished {
936 handshake: HandshakeDetails,
937 key_schedule: KeyScheduleHandshake,
938 client_auth: Option<ClientAuthDetails>,
939 cert_verified: verify::ServerCertVerified,
940 sig_verified: verify::HandshakeSignatureValid,
941 }
942
943 impl ExpectFinished {
into_expect_traffic( handshake: HandshakeDetails, key_schedule: KeyScheduleTraffic, cert_verified: verify::ServerCertVerified, sig_verified: verify::HandshakeSignatureValid, fin_verified: verify::FinishedMessageVerified, ) -> ExpectTraffic944 fn into_expect_traffic(
945 handshake: HandshakeDetails,
946 key_schedule: KeyScheduleTraffic,
947 cert_verified: verify::ServerCertVerified,
948 sig_verified: verify::HandshakeSignatureValid,
949 fin_verified: verify::FinishedMessageVerified,
950 ) -> ExpectTraffic {
951 ExpectTraffic {
952 handshake,
953 key_schedule,
954 want_write_key_update: false,
955 _cert_verified: cert_verified,
956 _sig_verified: sig_verified,
957 _fin_verified: fin_verified,
958 }
959 }
960 }
961
962 impl hs::State for ExpectFinished {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError963 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
964 let mut st = *self;
965 let finished =
966 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
967
968 let handshake_hash = st
969 .handshake
970 .transcript
971 .get_current_hash();
972 let expect_verify_data = st
973 .key_schedule
974 .sign_server_finish(&handshake_hash);
975
976 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
977 .map_err(|_| {
978 sess.common
979 .send_fatal_alert(AlertDescription::DecryptError);
980 TLSError::DecryptError
981 })
982 .map(|_| verify::FinishedMessageVerified::assertion())?;
983
984 let suite = sess.common.get_suite_assert();
985 let maybe_write_key = if sess.common.early_traffic {
986 /* Derive the client-to-server encryption key before key schedule update */
987 let key = st
988 .key_schedule
989 .client_handshake_traffic_secret(
990 &st.handshake
991 .hash_at_client_recvd_server_hello,
992 &*sess.config.key_log,
993 &st.handshake.randoms.client,
994 );
995 Some(key)
996 } else {
997 None
998 };
999
1000 st.handshake.transcript.add_message(&m);
1001
1002 let hash_after_handshake = st
1003 .handshake
1004 .transcript
1005 .get_current_hash();
1006
1007 /* The EndOfEarlyData message to server is still encrypted with early data keys,
1008 * but appears in the transcript after the server Finished. */
1009 if let Some(write_key) = maybe_write_key {
1010 emit_end_of_early_data_tls13(&mut st.handshake, sess);
1011 sess.common.early_traffic = false;
1012 sess.early_data.finished();
1013 sess.common
1014 .record_layer
1015 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
1016 }
1017
1018 /* Send our authentication/finished messages. These are still encrypted
1019 * with our handshake keys. */
1020 if st.client_auth.is_some() {
1021 emit_certificate_tls13(&mut st.handshake, st.client_auth.as_mut().unwrap(), sess);
1022 emit_certverify_tls13(&mut st.handshake, st.client_auth.as_mut().unwrap(), sess)?;
1023 }
1024
1025 let mut key_schedule_finished = st
1026 .key_schedule
1027 .into_traffic_with_client_finished_pending();
1028 emit_finished_tls13(&mut st.handshake, &key_schedule_finished, sess);
1029
1030 /* Now move to our application traffic keys. */
1031 hs::check_aligned_handshake(sess)?;
1032
1033 /* Traffic from server is now decrypted with application data keys. */
1034 let read_key = key_schedule_finished.server_application_traffic_secret(
1035 &hash_after_handshake,
1036 &*sess.config.key_log,
1037 &st.handshake.randoms.client,
1038 );
1039 sess.common
1040 .record_layer
1041 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
1042
1043 key_schedule_finished.exporter_master_secret(
1044 &hash_after_handshake,
1045 &*sess.config.key_log,
1046 &st.handshake.randoms.client,
1047 );
1048
1049 let write_key = key_schedule_finished.client_application_traffic_secret(
1050 &hash_after_handshake,
1051 &*sess.config.key_log,
1052 &st.handshake.randoms.client,
1053 );
1054 sess.common
1055 .record_layer
1056 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
1057
1058 let key_schedule_traffic = key_schedule_finished.into_traffic();
1059 sess.common.start_traffic();
1060
1061 let st = Self::into_expect_traffic(
1062 st.handshake,
1063 key_schedule_traffic,
1064 st.cert_verified,
1065 st.sig_verified,
1066 fin,
1067 );
1068 #[cfg(feature = "quic")]
1069 {
1070 if sess.common.protocol == Protocol::Quic {
1071 sess.common.quic.traffic_secrets = Some(quic::Secrets {
1072 client: write_key,
1073 server: read_key,
1074 });
1075 return Ok(Box::new(ExpectQUICTraffic(st)));
1076 }
1077 }
1078
1079 Ok(Box::new(st))
1080 }
1081 }
1082
1083 // -- Traffic transit state (TLS1.3) --
1084 // In this state we can be sent tickets, keyupdates,
1085 // and application data.
1086 struct ExpectTraffic {
1087 handshake: HandshakeDetails,
1088 key_schedule: KeyScheduleTraffic,
1089 want_write_key_update: bool,
1090 _cert_verified: verify::ServerCertVerified,
1091 _sig_verified: verify::HandshakeSignatureValid,
1092 _fin_verified: verify::FinishedMessageVerified,
1093 }
1094
1095 impl ExpectTraffic {
handle_new_ticket_tls13( &mut self, sess: &mut ClientSessionImpl, nst: &NewSessionTicketPayloadTLS13, ) -> Result<(), TLSError>1096 fn handle_new_ticket_tls13(
1097 &mut self,
1098 sess: &mut ClientSessionImpl,
1099 nst: &NewSessionTicketPayloadTLS13,
1100 ) -> Result<(), TLSError> {
1101 let handshake_hash = self
1102 .handshake
1103 .transcript
1104 .get_current_hash();
1105 let secret = self
1106 .key_schedule
1107 .resumption_master_secret_and_derive_ticket_psk(&handshake_hash, &nst.nonce.0);
1108
1109 let mut value = persist::ClientSessionValue::new(
1110 ProtocolVersion::TLSv1_3,
1111 sess.common.get_suite_assert().suite,
1112 &SessionID::empty(),
1113 nst.ticket.0.clone(),
1114 secret,
1115 &sess.server_cert_chain,
1116 );
1117 value.set_times(ticketer::timebase(), nst.lifetime, nst.age_add);
1118
1119 if let Some(sz) = nst.get_max_early_data_size() {
1120 value.set_max_early_data_size(sz);
1121 #[cfg(feature = "quic")]
1122 {
1123 if sess.common.protocol == Protocol::Quic {
1124 if sz != 0 && sz != 0xffff_ffff {
1125 return Err(TLSError::PeerMisbehavedError(
1126 "invalid max_early_data_size".into(),
1127 ));
1128 }
1129 }
1130 }
1131 }
1132
1133 let key = persist::ClientSessionKey::session_for_dns_name(self.handshake.dns_name.as_ref());
1134 #[allow(unused_mut)]
1135 let mut ticket = value.get_encoding();
1136
1137 #[cfg(feature = "quic")]
1138 {
1139 if sess.common.protocol == Protocol::Quic {
1140 PayloadU16::encode_slice(
1141 sess.common
1142 .quic
1143 .params
1144 .as_ref()
1145 .unwrap(),
1146 &mut ticket,
1147 );
1148 }
1149 }
1150
1151 let worked = sess
1152 .config
1153 .session_persistence
1154 .put(key.get_encoding(), ticket);
1155
1156 if worked {
1157 debug!("Ticket saved");
1158 } else {
1159 debug!("Ticket not saved");
1160 }
1161 Ok(())
1162 }
1163
handle_key_update( &mut self, sess: &mut ClientSessionImpl, kur: &KeyUpdateRequest, ) -> Result<(), TLSError>1164 fn handle_key_update(
1165 &mut self,
1166 sess: &mut ClientSessionImpl,
1167 kur: &KeyUpdateRequest,
1168 ) -> Result<(), TLSError> {
1169 #[cfg(feature = "quic")]
1170 {
1171 if let Protocol::Quic = sess.common.protocol {
1172 sess.common
1173 .send_fatal_alert(AlertDescription::UnexpectedMessage);
1174 let msg = "KeyUpdate received in QUIC connection".to_string();
1175 warn!("{}", msg);
1176 return Err(TLSError::PeerMisbehavedError(msg));
1177 }
1178 }
1179
1180 // Mustn't be interleaved with other handshake messages.
1181 hs::check_aligned_handshake(sess)?;
1182
1183 match kur {
1184 KeyUpdateRequest::UpdateNotRequested => {}
1185 KeyUpdateRequest::UpdateRequested => {
1186 self.want_write_key_update = true;
1187 }
1188 _ => {
1189 sess.common
1190 .send_fatal_alert(AlertDescription::IllegalParameter);
1191 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
1192 }
1193 }
1194
1195 // Update our read-side keys.
1196 let new_read_key = self
1197 .key_schedule
1198 .next_server_application_traffic_secret();
1199 let suite = sess.common.get_suite_assert();
1200 sess.common
1201 .record_layer
1202 .set_message_decrypter(cipher::new_tls13_read(suite, &new_read_key));
1203
1204 Ok(())
1205 }
1206 }
1207
1208 impl hs::State for ExpectTraffic {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message, ) -> hs::NextStateOrError1209 fn handle(
1210 mut self: Box<Self>,
1211 sess: &mut ClientSessionImpl,
1212 mut m: Message,
1213 ) -> hs::NextStateOrError {
1214 if m.is_content_type(ContentType::ApplicationData) {
1215 sess.common
1216 .take_received_plaintext(m.take_opaque_payload().unwrap());
1217 } else if let Ok(ref new_ticket) = require_handshake_msg!(
1218 m,
1219 HandshakeType::NewSessionTicket,
1220 HandshakePayload::NewSessionTicketTLS13
1221 ) {
1222 self.handle_new_ticket_tls13(sess, new_ticket)?;
1223 } else if let Ok(ref key_update) =
1224 require_handshake_msg!(m, HandshakeType::KeyUpdate, HandshakePayload::KeyUpdate)
1225 {
1226 self.handle_key_update(sess, key_update)?;
1227 } else {
1228 check_message(
1229 &m,
1230 &[ContentType::ApplicationData, ContentType::Handshake],
1231 &[HandshakeType::NewSessionTicket, HandshakeType::KeyUpdate],
1232 )?;
1233 }
1234
1235 Ok(self)
1236 }
1237
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), TLSError>1238 fn export_keying_material(
1239 &self,
1240 output: &mut [u8],
1241 label: &[u8],
1242 context: Option<&[u8]>,
1243 ) -> Result<(), TLSError> {
1244 self.key_schedule
1245 .export_keying_material(output, label, context)
1246 }
1247
perhaps_write_key_update(&mut self, sess: &mut ClientSessionImpl)1248 fn perhaps_write_key_update(&mut self, sess: &mut ClientSessionImpl) {
1249 if self.want_write_key_update {
1250 self.want_write_key_update = false;
1251 sess.common
1252 .send_msg_encrypt(Message::build_key_update_notify());
1253
1254 let write_key = self
1255 .key_schedule
1256 .next_client_application_traffic_secret();
1257 let scs = sess.common.get_suite_assert();
1258 sess.common
1259 .record_layer
1260 .set_message_encrypter(cipher::new_tls13_write(scs, &write_key));
1261 }
1262 }
1263 }
1264
1265 #[cfg(feature = "quic")]
1266 pub struct ExpectQUICTraffic(ExpectTraffic);
1267
1268 #[cfg(feature = "quic")]
1269 impl hs::State for ExpectQUICTraffic {
handle( mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message, ) -> hs::NextStateOrError1270 fn handle(
1271 mut self: Box<Self>,
1272 sess: &mut ClientSessionImpl,
1273 m: Message,
1274 ) -> hs::NextStateOrError {
1275 let nst = require_handshake_msg!(
1276 m,
1277 HandshakeType::NewSessionTicket,
1278 HandshakePayload::NewSessionTicketTLS13
1279 )?;
1280 self.0
1281 .handle_new_ticket_tls13(sess, nst)?;
1282 Ok(self)
1283 }
1284
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), TLSError>1285 fn export_keying_material(
1286 &self,
1287 output: &mut [u8],
1288 label: &[u8],
1289 context: Option<&[u8]>,
1290 ) -> Result<(), TLSError> {
1291 self.0
1292 .export_keying_material(output, label, context)
1293 }
1294 }
1295