1 use crate::error::TLSError;
2 #[cfg(feature = "logging")]
3 use crate::log::{debug, trace};
4 use crate::msgs::codec::Codec;
5 use crate::msgs::enums::{AlertDescription, ExtensionType};
6 use crate::msgs::enums::{CipherSuite, Compression, ECPointFormat, NamedGroup};
7 use crate::msgs::enums::{ClientCertificateType, SignatureScheme};
8 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
9 use crate::msgs::handshake::CertificateRequestPayload;
10 use crate::msgs::handshake::CertificateStatus;
11 use crate::msgs::handshake::ClientExtension;
12 use crate::msgs::handshake::{ClientHelloPayload, ServerExtension, SessionID};
13 use crate::msgs::handshake::{ConvertProtocolNameList, ConvertServerNameList};
14 use crate::msgs::handshake::{DigitallySignedStruct, ServerECDHParams};
15 use crate::msgs::handshake::{ECDHEServerKeyExchange, ServerKeyExchangePayload};
16 use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
17 use crate::msgs::handshake::{HandshakeMessagePayload, Random, ServerHelloPayload};
18 use crate::msgs::handshake::{HandshakePayload, SupportedSignatureSchemes};
19 use crate::msgs::message::{Message, MessagePayload};
20 use crate::msgs::persist;
21 use crate::rand;
22 use crate::server::{ClientHello, ServerConfig, ServerSessionImpl};
23 #[cfg(feature = "quic")]
24 use crate::session::Protocol;
25 use crate::session::SessionSecrets;
26 use crate::sign;
27 use crate::suites;
28 use webpki;
29
30 use crate::server::common::{HandshakeDetails, ServerKXDetails};
31 use crate::server::{tls12, tls13};
32
33 pub type NextState = Box<dyn State + Send + Sync>;
34 pub type NextStateOrError = Result<NextState, TLSError>;
35
36 pub trait State {
handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError37 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError;
38
export_keying_material( &self, _output: &mut [u8], _label: &[u8], _context: Option<&[u8]>, ) -> Result<(), TLSError>39 fn export_keying_material(
40 &self,
41 _output: &mut [u8],
42 _label: &[u8],
43 _context: Option<&[u8]>,
44 ) -> Result<(), TLSError> {
45 Err(TLSError::HandshakeNotComplete)
46 }
47
perhaps_write_key_update(&mut self, _sess: &mut ServerSessionImpl)48 fn perhaps_write_key_update(&mut self, _sess: &mut ServerSessionImpl) {}
49 }
50
incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError51 pub fn incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
52 sess.common
53 .send_fatal_alert(AlertDescription::HandshakeFailure);
54 TLSError::PeerIncompatibleError(why.to_string())
55 }
56
bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError57 fn bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
58 sess.common
59 .send_fatal_alert(AlertDescription::ProtocolVersion);
60 TLSError::PeerIncompatibleError(why.to_string())
61 }
62
illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError63 pub fn illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
64 sess.common
65 .send_fatal_alert(AlertDescription::IllegalParameter);
66 TLSError::PeerMisbehavedError(why.to_string())
67 }
68
decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError69 pub fn decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
70 sess.common
71 .send_fatal_alert(AlertDescription::DecodeError);
72 TLSError::PeerMisbehavedError(why.to_string())
73 }
74
can_resume( sess: &ServerSessionImpl, handshake: &HandshakeDetails, resumedata: &Option<persist::ServerSessionValue>, ) -> bool75 pub fn can_resume(
76 sess: &ServerSessionImpl,
77 handshake: &HandshakeDetails,
78 resumedata: &Option<persist::ServerSessionValue>,
79 ) -> bool {
80 // The RFCs underspecify what happens if we try to resume to
81 // an unoffered/varying suite. We merely don't resume in weird cases.
82 //
83 // RFC 6066 says "A server that implements this extension MUST NOT accept
84 // the request to resume the session if the server_name extension contains
85 // a different name. Instead, it proceeds with a full handshake to
86 // establish a new session."
87
88 if let Some(ref resume) = *resumedata {
89 resume.cipher_suite == sess.common.get_suite_assert().suite
90 && (resume.extended_ms == handshake.using_ems
91 || (resume.extended_ms && !handshake.using_ems))
92 && same_dns_name_or_both_none(resume.sni.as_ref(), sess.sni.as_ref())
93 } else {
94 false
95 }
96 }
97
98 // Require an exact match for the purpose of comparing SNI DNS Names from two
99 // client hellos, even though a case-insensitive comparison might also be OK.
same_dns_name_or_both_none(a: Option<&webpki::DNSName>, b: Option<&webpki::DNSName>) -> bool100 fn same_dns_name_or_both_none(a: Option<&webpki::DNSName>, b: Option<&webpki::DNSName>) -> bool {
101 match (a, b) {
102 (Some(a), Some(b)) => {
103 let a: &str = a.as_ref().into();
104 let b: &str = b.as_ref().into();
105 a == b
106 }
107 (None, None) => true,
108 _ => false,
109 }
110 }
111
112 // Changing the keys must not span any fragmented handshake
113 // messages. Otherwise the defragmented messages will have
114 // been protected with two different record layer protections,
115 // which is illegal. Not mentioned in RFC.
check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError>116 pub fn check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError> {
117 if !sess.common.handshake_joiner.is_empty() {
118 sess.common
119 .send_fatal_alert(AlertDescription::UnexpectedMessage);
120 Err(TLSError::PeerMisbehavedError(
121 "key epoch or handshake flight with pending fragment".to_string(),
122 ))
123 } else {
124 Ok(())
125 }
126 }
127
save_sni(sess: &mut ServerSessionImpl, sni: Option<webpki::DNSName>)128 pub fn save_sni(sess: &mut ServerSessionImpl, sni: Option<webpki::DNSName>) {
129 if let Some(sni) = sni {
130 // Save the SNI into the session.
131 sess.set_sni(sni);
132 }
133 }
134
135 #[derive(Default)]
136 pub struct ExtensionProcessing {
137 // extensions to reply with
138 pub exts: Vec<ServerExtension>,
139
140 // effects on later handshake steps
141 pub send_cert_status: bool,
142 pub send_sct: bool,
143 pub send_ticket: bool,
144 }
145
146 impl ExtensionProcessing {
new() -> Self147 pub fn new() -> Self {
148 Default::default()
149 }
150
process_common( &mut self, sess: &mut ServerSessionImpl, server_key: Option<&mut sign::CertifiedKey>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>, handshake: &HandshakeDetails, ) -> Result<(), TLSError>151 pub fn process_common(
152 &mut self,
153 sess: &mut ServerSessionImpl,
154 server_key: Option<&mut sign::CertifiedKey>,
155 hello: &ClientHelloPayload,
156 resumedata: Option<&persist::ServerSessionValue>,
157 handshake: &HandshakeDetails,
158 ) -> Result<(), TLSError> {
159 // ALPN
160 let our_protocols = &sess.config.alpn_protocols;
161 let maybe_their_protocols = hello.get_alpn_extension();
162 if let Some(their_protocols) = maybe_their_protocols {
163 let their_protocols = their_protocols.to_slices();
164
165 if their_protocols
166 .iter()
167 .any(|protocol| protocol.is_empty())
168 {
169 return Err(TLSError::PeerMisbehavedError(
170 "client offered empty ALPN protocol".to_string(),
171 ));
172 }
173
174 sess.alpn_protocol = our_protocols
175 .iter()
176 .filter(|protocol| their_protocols.contains(&protocol.as_slice()))
177 .nth(0)
178 .cloned();
179 if let Some(ref selected_protocol) = sess.alpn_protocol {
180 debug!("Chosen ALPN protocol {:?}", selected_protocol);
181 self.exts
182 .push(ServerExtension::make_alpn(&[selected_protocol]));
183 } else {
184 // For compatibility, strict ALPN validation is not employed unless targeting QUIC
185 #[cfg(feature = "quic")]
186 {
187 if sess.common.protocol == Protocol::Quic && !our_protocols.is_empty() {
188 sess.common
189 .send_fatal_alert(AlertDescription::NoApplicationProtocol);
190 return Err(TLSError::NoApplicationProtocol);
191 }
192 }
193 }
194 }
195
196 #[cfg(feature = "quic")]
197 {
198 if sess.common.protocol == Protocol::Quic {
199 if let Some(params) = hello.get_quic_params_extension() {
200 sess.common.quic.params = Some(params);
201 }
202
203 if let Some(resume) = resumedata {
204 if sess.config.max_early_data_size > 0
205 && hello.early_data_extension_offered()
206 && resume.version == sess.common.negotiated_version.unwrap()
207 && resume.cipher_suite == sess.common.get_suite_assert().suite
208 && resume.alpn.as_ref().map(|x| &x.0) == sess.alpn_protocol.as_ref()
209 && !sess.reject_early_data
210 {
211 self.exts
212 .push(ServerExtension::EarlyData);
213 } else {
214 // Clobber value set in tls13::emit_server_hello
215 sess.common.quic.early_secret = None;
216 }
217 }
218 }
219 }
220
221 let for_resume = resumedata.is_some();
222 // SNI
223 if !for_resume && hello.get_sni_extension().is_some() {
224 self.exts
225 .push(ServerExtension::ServerNameAck);
226 }
227
228 if let Some(server_key) = server_key {
229 // Send status_request response if we have one. This is not allowed
230 // if we're resuming, and is only triggered if we have an OCSP response
231 // to send.
232 if !for_resume
233 && hello
234 .find_extension(ExtensionType::StatusRequest)
235 .is_some()
236 && server_key.has_ocsp()
237 {
238 self.send_cert_status = true;
239
240 if !sess.common.is_tls13() {
241 // Only TLS1.2 sends confirmation in ServerHello
242 self.exts
243 .push(ServerExtension::CertificateStatusAck);
244 }
245 }
246
247 if !for_resume
248 && hello
249 .find_extension(ExtensionType::SCT)
250 .is_some()
251 && server_key.has_sct_list()
252 {
253 self.send_sct = true;
254
255 if !sess.common.is_tls13() {
256 let sct_list = server_key.take_sct_list().unwrap();
257 self.exts
258 .push(ServerExtension::make_sct(sct_list));
259 }
260 }
261 }
262
263 if !sess.common.is_tls13() {}
264
265 self.exts
266 .extend(handshake.extra_exts.iter().cloned());
267
268 Ok(())
269 }
270
process_tls12( &mut self, sess: &ServerSessionImpl, hello: &ClientHelloPayload, handshake: &HandshakeDetails, )271 fn process_tls12(
272 &mut self,
273 sess: &ServerSessionImpl,
274 hello: &ClientHelloPayload,
275 handshake: &HandshakeDetails,
276 ) {
277 // Renegotiation.
278 // (We don't do reneg at all, but would support the secure version if we did.)
279 let secure_reneg_offered = hello
280 .find_extension(ExtensionType::RenegotiationInfo)
281 .is_some()
282 || hello
283 .cipher_suites
284 .contains(&CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
285
286 if secure_reneg_offered {
287 self.exts
288 .push(ServerExtension::make_empty_renegotiation_info());
289 }
290
291 // Tickets:
292 // If we get any SessionTicket extension and have tickets enabled,
293 // we send an ack.
294 if hello
295 .find_extension(ExtensionType::SessionTicket)
296 .is_some()
297 && sess.config.ticketer.enabled()
298 {
299 self.send_ticket = true;
300 self.exts
301 .push(ServerExtension::SessionTicketAck);
302 }
303
304 // Confirm use of EMS if offered.
305 if handshake.using_ems {
306 self.exts
307 .push(ServerExtension::ExtendedMasterSecretAck);
308 }
309 }
310 }
311
312 pub struct ExpectClientHello {
313 pub handshake: HandshakeDetails,
314 pub done_retry: bool,
315 pub send_cert_status: bool,
316 pub send_sct: bool,
317 pub send_ticket: bool,
318 }
319
320 impl ExpectClientHello {
new( server_config: &ServerConfig, extra_exts: Vec<ServerExtension>, ) -> ExpectClientHello321 pub fn new(
322 server_config: &ServerConfig,
323 extra_exts: Vec<ServerExtension>,
324 ) -> ExpectClientHello {
325 let mut ech = ExpectClientHello {
326 handshake: HandshakeDetails::new(extra_exts),
327 done_retry: false,
328 send_cert_status: false,
329 send_sct: false,
330 send_ticket: false,
331 };
332
333 if server_config
334 .verifier
335 .offer_client_auth()
336 {
337 ech.handshake
338 .transcript
339 .set_client_auth_enabled();
340 }
341
342 ech
343 }
344
into_expect_tls12_ccs(self, secrets: SessionSecrets) -> NextState345 fn into_expect_tls12_ccs(self, secrets: SessionSecrets) -> NextState {
346 Box::new(tls12::ExpectCCS {
347 secrets,
348 handshake: self.handshake,
349 resuming: true,
350 send_ticket: self.send_ticket,
351 })
352 }
353
into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling354 fn into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling {
355 tls13::CompleteClientHelloHandling {
356 handshake: self.handshake,
357 done_retry: self.done_retry,
358 send_cert_status: self.send_cert_status,
359 send_sct: self.send_sct,
360 send_ticket: self.send_ticket,
361 }
362 }
363
into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState364 fn into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState {
365 Box::new(tls12::ExpectCertificate {
366 handshake: self.handshake,
367 server_kx: ServerKXDetails::new(kx),
368 send_ticket: self.send_ticket,
369 })
370 }
371
into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState372 fn into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState {
373 Box::new(tls12::ExpectClientKX {
374 handshake: self.handshake,
375 server_kx: ServerKXDetails::new(kx),
376 client_cert: None,
377 send_ticket: self.send_ticket,
378 })
379 }
380
emit_server_hello( &mut self, sess: &mut ServerSessionImpl, server_key: Option<&mut sign::CertifiedKey>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>, ) -> Result<(), TLSError>381 fn emit_server_hello(
382 &mut self,
383 sess: &mut ServerSessionImpl,
384 server_key: Option<&mut sign::CertifiedKey>,
385 hello: &ClientHelloPayload,
386 resumedata: Option<&persist::ServerSessionValue>,
387 ) -> Result<(), TLSError> {
388 let mut ep = ExtensionProcessing::new();
389 ep.process_common(sess, server_key, hello, resumedata, &self.handshake)?;
390 ep.process_tls12(sess, hello, &self.handshake);
391
392 self.send_ticket = ep.send_ticket;
393 self.send_cert_status = ep.send_cert_status;
394 self.send_sct = ep.send_sct;
395
396 let sh = Message {
397 typ: ContentType::Handshake,
398 version: ProtocolVersion::TLSv1_2,
399 payload: MessagePayload::Handshake(HandshakeMessagePayload {
400 typ: HandshakeType::ServerHello,
401 payload: HandshakePayload::ServerHello(ServerHelloPayload {
402 legacy_version: ProtocolVersion::TLSv1_2,
403 random: Random::from_slice(&self.handshake.randoms.server),
404 session_id: self.handshake.session_id,
405 cipher_suite: sess.common.get_suite_assert().suite,
406 compression_method: Compression::Null,
407 extensions: ep.exts,
408 }),
409 }),
410 };
411
412 trace!("sending server hello {:?}", sh);
413 self.handshake
414 .transcript
415 .add_message(&sh);
416 sess.common.send_msg(sh, false);
417 Ok(())
418 }
419
emit_certificate( &mut self, sess: &mut ServerSessionImpl, server_certkey: &mut sign::CertifiedKey, )420 fn emit_certificate(
421 &mut self,
422 sess: &mut ServerSessionImpl,
423 server_certkey: &mut sign::CertifiedKey,
424 ) {
425 let cert_chain = server_certkey.take_cert();
426
427 let c = Message {
428 typ: ContentType::Handshake,
429 version: ProtocolVersion::TLSv1_2,
430 payload: MessagePayload::Handshake(HandshakeMessagePayload {
431 typ: HandshakeType::Certificate,
432 payload: HandshakePayload::Certificate(cert_chain),
433 }),
434 };
435
436 self.handshake
437 .transcript
438 .add_message(&c);
439 sess.common.send_msg(c, false);
440 }
441
emit_cert_status( &mut self, sess: &mut ServerSessionImpl, server_certkey: &mut sign::CertifiedKey, )442 fn emit_cert_status(
443 &mut self,
444 sess: &mut ServerSessionImpl,
445 server_certkey: &mut sign::CertifiedKey,
446 ) {
447 if !self.send_cert_status || !server_certkey.has_ocsp() {
448 return;
449 }
450
451 let ocsp = server_certkey.take_ocsp();
452 let st = CertificateStatus::new(ocsp.unwrap());
453
454 let c = Message {
455 typ: ContentType::Handshake,
456 version: ProtocolVersion::TLSv1_2,
457 payload: MessagePayload::Handshake(HandshakeMessagePayload {
458 typ: HandshakeType::CertificateStatus,
459 payload: HandshakePayload::CertificateStatus(st),
460 }),
461 };
462
463 self.handshake
464 .transcript
465 .add_message(&c);
466 sess.common.send_msg(c, false);
467 }
468
emit_server_kx( &mut self, sess: &mut ServerSessionImpl, sigschemes: Vec<SignatureScheme>, group: NamedGroup, server_certkey: &mut sign::CertifiedKey, ) -> Result<suites::KeyExchange, TLSError>469 fn emit_server_kx(
470 &mut self,
471 sess: &mut ServerSessionImpl,
472 sigschemes: Vec<SignatureScheme>,
473 group: NamedGroup,
474 server_certkey: &mut sign::CertifiedKey,
475 ) -> Result<suites::KeyExchange, TLSError> {
476 let kx = sess
477 .common
478 .get_suite_assert()
479 .start_server_kx(group)
480 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
481 let secdh = ServerECDHParams::new(group, kx.pubkey.as_ref());
482
483 let mut msg = Vec::new();
484 msg.extend(&self.handshake.randoms.client);
485 msg.extend(&self.handshake.randoms.server);
486 secdh.encode(&mut msg);
487
488 let signing_key = &server_certkey.key;
489 let signer = signing_key
490 .choose_scheme(&sigschemes)
491 .ok_or_else(|| TLSError::General("incompatible signing key".to_string()))?;
492 let sigscheme = signer.get_scheme();
493 let sig = signer.sign(&msg)?;
494
495 let skx = ServerKeyExchangePayload::ECDHE(ECDHEServerKeyExchange {
496 params: secdh,
497 dss: DigitallySignedStruct::new(sigscheme, sig),
498 });
499
500 let m = Message {
501 typ: ContentType::Handshake,
502 version: ProtocolVersion::TLSv1_2,
503 payload: MessagePayload::Handshake(HandshakeMessagePayload {
504 typ: HandshakeType::ServerKeyExchange,
505 payload: HandshakePayload::ServerKeyExchange(skx),
506 }),
507 };
508
509 self.handshake
510 .transcript
511 .add_message(&m);
512 sess.common.send_msg(m, false);
513 Ok(kx)
514 }
515
emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError>516 fn emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError> {
517 let client_auth = sess.config.get_verifier();
518
519 if !client_auth.offer_client_auth() {
520 return Ok(false);
521 }
522
523 let verify_schemes = client_auth.supported_verify_schemes();
524
525 let names = client_auth
526 .client_auth_root_subjects(sess.get_sni())
527 .ok_or_else(|| {
528 debug!("could not determine root subjects based on SNI");
529 sess.common
530 .send_fatal_alert(AlertDescription::AccessDenied);
531 TLSError::General("client rejected by client_auth_root_subjects".into())
532 })?;
533
534 let cr = CertificateRequestPayload {
535 certtypes: vec![
536 ClientCertificateType::RSASign,
537 ClientCertificateType::ECDSASign,
538 ],
539 sigschemes: verify_schemes,
540 canames: names,
541 };
542
543 let m = Message {
544 typ: ContentType::Handshake,
545 version: ProtocolVersion::TLSv1_2,
546 payload: MessagePayload::Handshake(HandshakeMessagePayload {
547 typ: HandshakeType::CertificateRequest,
548 payload: HandshakePayload::CertificateRequest(cr),
549 }),
550 };
551
552 trace!("Sending CertificateRequest {:?}", m);
553 self.handshake
554 .transcript
555 .add_message(&m);
556 sess.common.send_msg(m, false);
557 Ok(true)
558 }
559
emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl)560 fn emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl) {
561 let m = Message {
562 typ: ContentType::Handshake,
563 version: ProtocolVersion::TLSv1_2,
564 payload: MessagePayload::Handshake(HandshakeMessagePayload {
565 typ: HandshakeType::ServerHelloDone,
566 payload: HandshakePayload::ServerHelloDone,
567 }),
568 };
569
570 self.handshake
571 .transcript
572 .add_message(&m);
573 sess.common.send_msg(m, false);
574 }
575
start_resumption( mut self, sess: &mut ServerSessionImpl, client_hello: &ClientHelloPayload, sni: Option<&webpki::DNSName>, id: &SessionID, resumedata: persist::ServerSessionValue, ) -> NextStateOrError576 fn start_resumption(
577 mut self,
578 sess: &mut ServerSessionImpl,
579 client_hello: &ClientHelloPayload,
580 sni: Option<&webpki::DNSName>,
581 id: &SessionID,
582 resumedata: persist::ServerSessionValue,
583 ) -> NextStateOrError {
584 debug!("Resuming session");
585
586 if resumedata.extended_ms && !self.handshake.using_ems {
587 return Err(illegal_param(sess, "refusing to resume without ems"));
588 }
589
590 self.handshake.session_id = *id;
591 self.emit_server_hello(sess, None, client_hello, Some(&resumedata))?;
592
593 let hashalg = sess
594 .common
595 .get_suite_assert()
596 .get_hash();
597 let secrets = SessionSecrets::new_resume(
598 &self.handshake.randoms,
599 hashalg,
600 &resumedata.master_secret.0,
601 );
602 sess.config.key_log.log(
603 "CLIENT_RANDOM",
604 &secrets.randoms.client,
605 &secrets.master_secret,
606 );
607 sess.common
608 .start_encryption_tls12(&secrets);
609 sess.client_cert_chain = resumedata.client_cert_chain;
610
611 if self.send_ticket {
612 tls12::emit_ticket(&secrets, &mut self.handshake, sess);
613 }
614 tls12::emit_ccs(sess);
615 sess.common
616 .record_layer
617 .start_encrypting();
618 tls12::emit_finished(&secrets, &mut self.handshake, sess);
619
620 assert!(same_dns_name_or_both_none(sni, sess.get_sni()));
621
622 Ok(self.into_expect_tls12_ccs(secrets))
623 }
624 }
625
626 impl State for ExpectClientHello {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError627 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError {
628 let client_hello =
629 require_handshake_msg!(m, HandshakeType::ClientHello, HandshakePayload::ClientHello)?;
630 let tls13_enabled = sess
631 .config
632 .supports_version(ProtocolVersion::TLSv1_3);
633 let tls12_enabled = sess
634 .config
635 .supports_version(ProtocolVersion::TLSv1_2);
636 trace!("we got a clienthello {:?}", client_hello);
637
638 if !client_hello
639 .compression_methods
640 .contains(&Compression::Null)
641 {
642 sess.common
643 .send_fatal_alert(AlertDescription::IllegalParameter);
644 return Err(TLSError::PeerIncompatibleError(
645 "client did not offer Null compression".to_string(),
646 ));
647 }
648
649 if client_hello.has_duplicate_extension() {
650 return Err(decode_error(sess, "client sent duplicate extensions"));
651 }
652
653 // No handshake messages should follow this one in this flight.
654 check_aligned_handshake(sess)?;
655
656 // Are we doing TLS1.3?
657 let maybe_versions_ext = client_hello.get_versions_extension();
658 if let Some(versions) = maybe_versions_ext {
659 if versions.contains(&ProtocolVersion::TLSv1_3) && tls13_enabled {
660 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_3);
661 } else if !versions.contains(&ProtocolVersion::TLSv1_2) || !tls12_enabled {
662 return Err(bad_version(sess, "TLS1.2 not offered/enabled"));
663 }
664 } else if client_hello.client_version.get_u16() < ProtocolVersion::TLSv1_2.get_u16() {
665 return Err(bad_version(sess, "Client does not support TLSv1_2"));
666 } else if !tls12_enabled && tls13_enabled {
667 return Err(bad_version(
668 sess,
669 "Server requires TLS1.3, but client omitted versions ext",
670 ));
671 }
672
673 if sess.common.negotiated_version == None {
674 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_2);
675 }
676
677 // --- Common to TLS1.2 and TLS1.3: ciphersuite and certificate selection.
678
679 // Extract and validate the SNI DNS name, if any, before giving it to
680 // the cert resolver. In particular, if it is invalid then we should
681 // send an Illegal Parameter alert instead of the Internal Error alert
682 // (or whatever) that we'd send if this were checked later or in a
683 // different way.
684 let sni: Option<webpki::DNSName> = match client_hello.get_sni_extension() {
685 Some(sni) => {
686 if sni.has_duplicate_names_for_type() {
687 return Err(decode_error(
688 sess,
689 "ClientHello SNI contains duplicate name types",
690 ));
691 }
692
693 if let Some(hostname) = sni.get_single_hostname() {
694 Some(hostname.into())
695 } else {
696 return Err(illegal_param(
697 sess,
698 "ClientHello SNI did not contain a hostname",
699 ));
700 }
701 }
702 None => None,
703 };
704
705 if !self.done_retry {
706 // save only the first SNI
707 save_sni(sess, sni.clone());
708 }
709
710 // We communicate to the upper layer what kind of key they should choose
711 // via the sigschemes value. Clients tend to treat this extension
712 // orthogonally to offered ciphersuites (even though, in TLS1.2 it is not).
713 // So: reduce the offered sigschemes to those compatible with the
714 // intersection of ciphersuites.
715 let mut common_suites = sess.config.ciphersuites.clone();
716 common_suites.retain(|scs| {
717 client_hello
718 .cipher_suites
719 .contains(&scs.suite)
720 });
721
722 let mut sigschemes_ext = client_hello
723 .get_sigalgs_extension()
724 .cloned()
725 .unwrap_or_else(SupportedSignatureSchemes::default);
726 sigschemes_ext
727 .retain(|scheme| suites::compatible_sigscheme_for_suites(*scheme, &common_suites));
728
729 let alpn_protocols = client_hello
730 .get_alpn_extension()
731 .map(|protos| protos.to_slices());
732
733 // Choose a certificate.
734 let mut certkey = {
735 let sni_ref = sni
736 .as_ref()
737 .map(webpki::DNSName::as_ref);
738 trace!("sni {:?}", sni_ref);
739 trace!("sig schemes {:?}", sigschemes_ext);
740 trace!("alpn protocols {:?}", alpn_protocols);
741
742 let alpn_slices = match alpn_protocols {
743 Some(ref vec) => Some(vec.as_slice()),
744 None => None,
745 };
746
747 let client_hello = ClientHello::new(sni_ref, &sigschemes_ext, alpn_slices);
748
749 let certkey = sess
750 .config
751 .cert_resolver
752 .resolve(client_hello);
753 certkey.ok_or_else(|| {
754 sess.common
755 .send_fatal_alert(AlertDescription::AccessDenied);
756 TLSError::General("no server certificate chain resolved".to_string())
757 })?
758 };
759
760 // Reduce our supported ciphersuites by the certificate.
761 // (no-op for TLS1.3)
762 let suitable_suites =
763 suites::reduce_given_sigalg(&sess.config.ciphersuites, certkey.key.algorithm());
764
765 // And version
766 let protocol_version = sess.common.negotiated_version.unwrap();
767 let suitable_suites = suites::reduce_given_version(&suitable_suites, protocol_version);
768
769 let maybe_ciphersuite = if sess.config.ignore_client_order {
770 suites::choose_ciphersuite_preferring_server(
771 &client_hello.cipher_suites,
772 &suitable_suites,
773 )
774 } else {
775 suites::choose_ciphersuite_preferring_client(
776 &client_hello.cipher_suites,
777 &suitable_suites,
778 )
779 };
780
781 if maybe_ciphersuite.is_none() {
782 return Err(incompatible(sess, "no ciphersuites in common"));
783 }
784
785 debug!(
786 "decided upon suite {:?}",
787 maybe_ciphersuite.as_ref().unwrap()
788 );
789 sess.common
790 .set_suite(maybe_ciphersuite.unwrap());
791
792 // Start handshake hash.
793 let starting_hash = sess
794 .common
795 .get_suite_assert()
796 .get_hash();
797 if !self
798 .handshake
799 .transcript
800 .start_hash(starting_hash)
801 {
802 sess.common
803 .send_fatal_alert(AlertDescription::IllegalParameter);
804 return Err(TLSError::PeerIncompatibleError(
805 "hash differed on retry".to_string(),
806 ));
807 }
808
809 // Save their Random.
810 client_hello
811 .random
812 .write_slice(&mut self.handshake.randoms.client);
813
814 if sess.common.is_tls13() {
815 return self
816 .into_complete_tls13_client_hello_handling()
817 .handle_client_hello(sess, certkey, &m);
818 }
819
820 // -- TLS1.2 only from hereon in --
821 self.handshake
822 .transcript
823 .add_message(&m);
824
825 if client_hello.ems_support_offered() {
826 self.handshake.using_ems = true;
827 }
828
829 let groups_ext = client_hello
830 .get_namedgroups_extension()
831 .ok_or_else(|| incompatible(sess, "client didn't describe groups"))?;
832 let ecpoints_ext = client_hello
833 .get_ecpoints_extension()
834 .ok_or_else(|| incompatible(sess, "client didn't describe ec points"))?;
835
836 trace!("namedgroups {:?}", groups_ext);
837 trace!("ecpoints {:?}", ecpoints_ext);
838
839 if !ecpoints_ext.contains(&ECPointFormat::Uncompressed) {
840 sess.common
841 .send_fatal_alert(AlertDescription::IllegalParameter);
842 return Err(TLSError::PeerIncompatibleError(
843 "client didn't support uncompressed ec points".to_string(),
844 ));
845 }
846
847 // -- If TLS1.3 is enabled, signal the downgrade in the server random
848 if tls13_enabled {
849 self.handshake
850 .randoms
851 .set_tls12_downgrade_marker();
852 }
853
854 // -- Check for resumption --
855 // We can do this either by (in order of preference):
856 // 1. receiving a ticket that decrypts
857 // 2. receiving a sessionid that is in our cache
858 //
859 // If we receive a ticket, the sessionid won't be in our
860 // cache, so don't check.
861 //
862 // If either works, we end up with a ServerSessionValue
863 // which is passed to start_resumption and concludes
864 // our handling of the ClientHello.
865 //
866 let mut ticket_received = false;
867
868 if let Some(ticket_ext) = client_hello.get_ticket_extension() {
869 if let ClientExtension::SessionTicketOffer(ref ticket) = *ticket_ext {
870 ticket_received = true;
871 debug!("Ticket received");
872
873 let maybe_resume = sess
874 .config
875 .ticketer
876 .decrypt(&ticket.0)
877 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain));
878
879 if can_resume(sess, &self.handshake, &maybe_resume) {
880 return self.start_resumption(
881 sess,
882 client_hello,
883 sni.as_ref(),
884 &client_hello.session_id,
885 maybe_resume.unwrap(),
886 );
887 } else {
888 debug!("Ticket didn't decrypt");
889 }
890 }
891 }
892
893 // If we're not offered a ticket or a potential session ID,
894 // allocate a session ID.
895 if self.handshake.session_id.is_empty() && !ticket_received {
896 let mut bytes = [0u8; 32];
897 rand::fill_random(&mut bytes);
898 self.handshake.session_id = SessionID::new(&bytes);
899 }
900
901 // Perhaps resume? If we received a ticket, the sessionid
902 // does not correspond to a real session.
903 if !client_hello.session_id.is_empty() && !ticket_received {
904 let maybe_resume = sess
905 .config
906 .session_storage
907 .get(&client_hello.session_id.get_encoding())
908 .and_then(|x| persist::ServerSessionValue::read_bytes(&x));
909
910 if can_resume(sess, &self.handshake, &maybe_resume) {
911 return self.start_resumption(
912 sess,
913 client_hello,
914 sni.as_ref(),
915 &client_hello.session_id,
916 maybe_resume.unwrap(),
917 );
918 }
919 }
920
921 // Now we have chosen a ciphersuite, we can make kx decisions.
922 let sigschemes = sess
923 .common
924 .get_suite_assert()
925 .resolve_sig_schemes(&sigschemes_ext);
926
927 if sigschemes.is_empty() {
928 return Err(incompatible(sess, "no supported sig scheme"));
929 }
930
931 let group = suites::KeyExchange::supported_groups()
932 .iter()
933 .filter(|group| groups_ext.contains(group))
934 .nth(0)
935 .cloned()
936 .ok_or_else(|| incompatible(sess, "no supported group"))?;
937
938 let ecpoint = ECPointFormatList::supported()
939 .iter()
940 .filter(|format| ecpoints_ext.contains(format))
941 .nth(0)
942 .cloned()
943 .ok_or_else(|| incompatible(sess, "no supported point format"))?;
944
945 debug_assert_eq!(ecpoint, ECPointFormat::Uncompressed);
946
947 self.emit_server_hello(sess, Some(&mut certkey), client_hello, None)?;
948 self.emit_certificate(sess, &mut certkey);
949 self.emit_cert_status(sess, &mut certkey);
950 let kx = self.emit_server_kx(sess, sigschemes, group, &mut certkey)?;
951 let doing_client_auth = self.emit_certificate_req(sess)?;
952 self.emit_server_hello_done(sess);
953
954 if doing_client_auth {
955 Ok(self.into_expect_tls12_certificate(kx))
956 } else {
957 Ok(self.into_expect_tls12_client_kx(kx))
958 }
959 }
960 }
961