1 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
2 use crate::msgs::enums::{Compression, NamedGroup, ECPointFormat, CipherSuite};
3 use crate::msgs::enums::{ExtensionType, AlertDescription};
4 use crate::msgs::enums::{ClientCertificateType, SignatureScheme};
5 use crate::msgs::message::{Message, MessagePayload};
6 use crate::msgs::handshake::{HandshakePayload, SupportedSignatureSchemes};
7 use crate::msgs::handshake::{HandshakeMessagePayload, ServerHelloPayload, Random};
8 use crate::msgs::handshake::{ClientHelloPayload, ServerExtension, SessionID};
9 use crate::msgs::handshake::{ConvertProtocolNameList, ConvertServerNameList};
10 use crate::msgs::handshake::ClientExtension;
11 use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
12 use crate::msgs::handshake::{ServerECDHParams, DigitallySignedStruct};
13 use crate::msgs::handshake::{ServerKeyExchangePayload, ECDHEServerKeyExchange};
14 use crate::msgs::handshake::CertificateRequestPayload;
15 use crate::msgs::handshake::CertificateStatus;
16 use crate::msgs::codec::Codec;
17 use crate::msgs::persist;
18 use crate::session::SessionSecrets;
19 use crate::server::{ServerSessionImpl, ServerConfig, ClientHello};
20 use crate::suites;
21 use crate::verify;
22 use crate::rand;
23 use crate::sign;
24 #[cfg(feature = "logging")]
25 use crate::log::{trace, debug};
26 use crate::error::TLSError;
27 use crate::handshake::check_handshake_message;
28 use webpki;
29 #[cfg(feature = "quic")]
30 use crate::session::Protocol;
31
32 use crate::server::common::{HandshakeDetails, ServerKXDetails};
33 use crate::server::{tls12, tls13};
34
35 macro_rules! extract_handshake(
36 ( $m:expr, $t:path ) => (
37 match $m.payload {
38 MessagePayload::Handshake(ref hsp) => match hsp.payload {
39 $t(ref hm) => Some(hm),
40 _ => None
41 },
42 _ => None
43 }
44 )
45 );
46
47 pub type CheckResult = Result<(), TLSError>;
48 pub type NextState = Box<dyn State + Send + Sync>;
49 pub type NextStateOrError = Result<NextState, TLSError>;
50
51 pub trait State {
check_message(&self, m: &Message) -> CheckResult52 fn check_message(&self, m: &Message) -> CheckResult;
handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError53 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError;
54
export_keying_material(&self, _output: &mut [u8], _label: &[u8], _context: Option<&[u8]>) -> Result<(), TLSError>55 fn export_keying_material(&self,
56 _output: &mut [u8],
57 _label: &[u8],
58 _context: Option<&[u8]>) -> Result<(), TLSError> {
59 Err(TLSError::HandshakeNotComplete)
60 }
61
perhaps_write_key_update(&mut self, _sess: &mut ServerSessionImpl)62 fn perhaps_write_key_update(&mut self, _sess: &mut ServerSessionImpl) {
63 }
64 }
65
incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError66 pub fn incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
67 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
68 TLSError::PeerIncompatibleError(why.to_string())
69 }
70
bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError71 fn bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
72 sess.common.send_fatal_alert(AlertDescription::ProtocolVersion);
73 TLSError::PeerIncompatibleError(why.to_string())
74 }
75
illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError76 pub fn illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
77 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
78 TLSError::PeerMisbehavedError(why.to_string())
79 }
80
decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError81 pub fn decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
82 sess.common.send_fatal_alert(AlertDescription::DecodeError);
83 TLSError::PeerMisbehavedError(why.to_string())
84 }
85
can_resume(sess: &ServerSessionImpl, handshake: &HandshakeDetails, resumedata: &Option<persist::ServerSessionValue>) -> bool86 pub fn can_resume(sess: &ServerSessionImpl,
87 handshake: &HandshakeDetails,
88 resumedata: &Option<persist::ServerSessionValue>) -> bool {
89 // The RFCs underspecify what happens if we try to resume to
90 // an unoffered/varying suite. We merely don't resume in weird cases.
91 //
92 // RFC 6066 says "A server that implements this extension MUST NOT accept
93 // the request to resume the session if the server_name extension contains
94 // a different name. Instead, it proceeds with a full handshake to
95 // establish a new session."
96
97 if let Some(ref resume) = *resumedata {
98 resume.cipher_suite == sess.common.get_suite_assert().suite &&
99 (resume.extended_ms == handshake.using_ems ||
100 (resume.extended_ms && !handshake.using_ems)) &&
101 same_dns_name_or_both_none(resume.sni.as_ref(), sess.sni.as_ref())
102 } else {
103 false
104 }
105 }
106
107 // Require an exact match for the purpose of comparing SNI DNS Names from two
108 // client hellos, even though a case-insensitive comparison might also be OK.
same_dns_name_or_both_none(a: Option<&webpki::DNSName>, b: Option<&webpki::DNSName>) -> bool109 fn same_dns_name_or_both_none(a: Option<&webpki::DNSName>,
110 b: Option<&webpki::DNSName>) -> bool {
111 match (a, b) {
112 (Some(a), Some(b)) => {
113 let a: &str = a.as_ref().into();
114 let b: &str = b.as_ref().into();
115 a == b
116 },
117 (None, None) => true,
118 _ => false,
119 }
120 }
121
122 // Changing the keys must not span any fragmented handshake
123 // messages. Otherwise the defragmented messages will have
124 // been protected with two different record layer protections,
125 // which is illegal. Not mentioned in RFC.
check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError>126 pub fn check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError> {
127 if !sess.common.handshake_joiner.is_empty() {
128 Err(illegal_param(sess, "keys changed with pending hs fragment"))
129 } else {
130 Ok(())
131 }
132 }
133
save_sni(sess: &mut ServerSessionImpl, sni: Option<webpki::DNSName>)134 pub fn save_sni(sess: &mut ServerSessionImpl,
135 sni: Option<webpki::DNSName>) {
136 if let Some(sni) = sni {
137 // Save the SNI into the session.
138 sess.set_sni(sni);
139 }
140 }
141
142 #[derive(Default)]
143 pub struct ExtensionProcessing {
144 // extensions to reply with
145 pub exts: Vec<ServerExtension>,
146
147 // effects on later handshake steps
148 pub send_cert_status: bool,
149 pub send_sct: bool,
150 pub send_ticket: bool,
151 }
152
153 impl ExtensionProcessing {
new() -> Self154 pub fn new() -> Self { Default::default() }
155
process_common(&mut self, sess: &mut ServerSessionImpl, server_key: Option<&mut sign::CertifiedKey>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>, handshake: &HandshakeDetails) -> Result<(), TLSError>156 pub fn process_common(&mut self,
157 sess: &mut ServerSessionImpl,
158 server_key: Option<&mut sign::CertifiedKey>,
159 hello: &ClientHelloPayload,
160 resumedata: Option<&persist::ServerSessionValue>,
161 handshake: &HandshakeDetails)
162 -> Result<(), TLSError> {
163 // ALPN
164 let our_protocols = &sess.config.alpn_protocols;
165 let maybe_their_protocols = hello.get_alpn_extension();
166 if let Some(their_protocols) = maybe_their_protocols {
167 let their_protocols = their_protocols.to_slices();
168
169 if their_protocols.iter().any(|protocol| protocol.is_empty()) {
170 return Err(TLSError::PeerMisbehavedError("client offered empty ALPN protocol"
171 .to_string()));
172 }
173
174 sess.alpn_protocol = our_protocols.iter()
175 .filter(|protocol| their_protocols.contains(&protocol.as_slice()))
176 .nth(0)
177 .cloned();
178 if let Some(ref selected_protocol) = sess.alpn_protocol {
179 debug!("Chosen ALPN protocol {:?}", selected_protocol);
180 self.exts.push(ServerExtension::make_alpn(&[selected_protocol]));
181 } else {
182 // For compatibility, strict ALPN validation is not employed unless targeting QUIC
183 #[cfg(feature = "quic")] {
184 if sess.common.protocol == Protocol::Quic && !our_protocols.is_empty() {
185 sess.common.send_fatal_alert(AlertDescription::NoApplicationProtocol);
186 return Err(TLSError::NoApplicationProtocol);
187 }
188 }
189 }
190 }
191
192 #[cfg(feature = "quic")] {
193 if sess.common.protocol == Protocol::Quic {
194 if let Some(params) = hello.get_quic_params_extension() {
195 sess.common.quic.params = Some(params);
196 }
197
198 if let Some(resume) = resumedata {
199 if sess.config.max_early_data_size > 0
200 && hello.early_data_extension_offered()
201 && resume.version == sess.common.negotiated_version.unwrap()
202 && resume.cipher_suite == sess.common.get_suite_assert().suite
203 && resume.alpn.as_ref().map(|x| &x.0) == sess.alpn_protocol.as_ref()
204 && !sess.reject_early_data
205 {
206 self.exts.push(ServerExtension::EarlyData);
207 } else {
208 // Clobber value set in tls13::emit_server_hello
209 sess.common.quic.early_secret = None;
210 }
211 }
212 }
213 }
214
215 let for_resume = resumedata.is_some();
216 // SNI
217 if !for_resume && hello.get_sni_extension().is_some() {
218 self.exts.push(ServerExtension::ServerNameAck);
219 }
220
221 if let Some(server_key) = server_key {
222 // Send status_request response if we have one. This is not allowed
223 // if we're resuming, and is only triggered if we have an OCSP response
224 // to send.
225 if !for_resume &&
226 hello.find_extension(ExtensionType::StatusRequest).is_some() &&
227 server_key.has_ocsp() {
228 self.send_cert_status = true;
229
230 if !sess.common.is_tls13() {
231 // Only TLS1.2 sends confirmation in ServerHello
232 self.exts.push(ServerExtension::CertificateStatusAck);
233 }
234 }
235
236 if !for_resume &&
237 hello.find_extension(ExtensionType::SCT).is_some() &&
238 server_key.has_sct_list() {
239 self.send_sct = true;
240
241 if !sess.common.is_tls13() {
242 let sct_list = server_key
243 .take_sct_list()
244 .unwrap();
245 self.exts.push(ServerExtension::make_sct(sct_list));
246 }
247 }
248 }
249
250 if !sess.common.is_tls13() {
251 }
252
253 self.exts.extend(handshake.extra_exts.iter().cloned());
254
255 Ok(())
256 }
257
process_tls12(&mut self, sess: &ServerSessionImpl, hello: &ClientHelloPayload, handshake: &HandshakeDetails)258 fn process_tls12(&mut self, sess: &ServerSessionImpl, hello: &ClientHelloPayload,
259 handshake: &HandshakeDetails) {
260 // Renegotiation.
261 // (We don't do reneg at all, but would support the secure version if we did.)
262 let secure_reneg_offered =
263 hello.find_extension(ExtensionType::RenegotiationInfo).is_some() ||
264 hello.cipher_suites.contains(&CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
265
266 if secure_reneg_offered {
267 self.exts.push(ServerExtension::make_empty_renegotiation_info());
268 }
269
270 // Tickets:
271 // If we get any SessionTicket extension and have tickets enabled,
272 // we send an ack.
273 if hello.find_extension(ExtensionType::SessionTicket).is_some() &&
274 sess.config.ticketer.enabled() {
275 self.send_ticket = true;
276 self.exts.push(ServerExtension::SessionTicketAck);
277 }
278
279 // Confirm use of EMS if offered.
280 if handshake.using_ems {
281 self.exts.push(ServerExtension::ExtendedMasterSecretAck);
282 }
283 }
284 }
285
286 pub struct ExpectClientHello {
287 pub handshake: HandshakeDetails,
288 pub done_retry: bool,
289 pub send_cert_status: bool,
290 pub send_sct: bool,
291 pub send_ticket: bool,
292 }
293
294 impl ExpectClientHello {
new(server_config: &ServerConfig, extra_exts: Vec<ServerExtension>) -> ExpectClientHello295 pub fn new(server_config: &ServerConfig, extra_exts: Vec<ServerExtension>) -> ExpectClientHello {
296 let mut ech = ExpectClientHello {
297 handshake: HandshakeDetails::new(extra_exts),
298 done_retry: false,
299 send_cert_status: false,
300 send_sct: false,
301 send_ticket: false,
302 };
303
304 if server_config.verifier.offer_client_auth() {
305 ech.handshake.transcript.set_client_auth_enabled();
306 }
307
308 ech
309 }
310
into_expect_tls12_ccs(self, secrets: SessionSecrets) -> NextState311 fn into_expect_tls12_ccs(self, secrets: SessionSecrets) -> NextState {
312 Box::new(tls12::ExpectCCS {
313 secrets,
314 handshake: self.handshake,
315 resuming: true,
316 send_ticket: self.send_ticket,
317 })
318 }
319
into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling320 fn into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling {
321 tls13::CompleteClientHelloHandling {
322 handshake: self.handshake,
323 done_retry: self.done_retry,
324 send_cert_status: self.send_cert_status,
325 send_sct: self.send_sct,
326 send_ticket: self.send_ticket,
327 }
328 }
329
into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState330 fn into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState {
331 Box::new(tls12::ExpectCertificate {
332 handshake: self.handshake,
333 server_kx: ServerKXDetails::new(kx),
334 send_ticket: self.send_ticket,
335 })
336 }
337
into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState338 fn into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState {
339 Box::new(tls12::ExpectClientKX {
340 handshake: self.handshake,
341 server_kx: ServerKXDetails::new(kx),
342 client_cert: None,
343 send_ticket: self.send_ticket,
344 })
345 }
346
emit_server_hello(&mut self, sess: &mut ServerSessionImpl, server_key: Option<&mut sign::CertifiedKey>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>) -> Result<(), TLSError>347 fn emit_server_hello(&mut self,
348 sess: &mut ServerSessionImpl,
349 server_key: Option<&mut sign::CertifiedKey>,
350 hello: &ClientHelloPayload,
351 resumedata: Option<&persist::ServerSessionValue>)
352 -> Result<(), TLSError> {
353 let mut ep = ExtensionProcessing::new();
354 ep.process_common(sess, server_key, hello, resumedata, &self.handshake)?;
355 ep.process_tls12(sess, hello, &self.handshake);
356
357 self.send_ticket = ep.send_ticket;
358 self.send_cert_status = ep.send_cert_status;
359 self.send_sct = ep.send_sct;
360
361 let sh = Message {
362 typ: ContentType::Handshake,
363 version: ProtocolVersion::TLSv1_2,
364 payload: MessagePayload::Handshake(HandshakeMessagePayload {
365 typ: HandshakeType::ServerHello,
366 payload: HandshakePayload::ServerHello(ServerHelloPayload {
367 legacy_version: ProtocolVersion::TLSv1_2,
368 random: Random::from_slice(&self.handshake.randoms.server),
369 session_id: self.handshake.session_id,
370 cipher_suite: sess.common.get_suite_assert().suite,
371 compression_method: Compression::Null,
372 extensions: ep.exts,
373 }),
374 }),
375 };
376
377 trace!("sending server hello {:?}", sh);
378 self.handshake.transcript.add_message(&sh);
379 sess.common.send_msg(sh, false);
380 Ok(())
381 }
382
emit_certificate(&mut self, sess: &mut ServerSessionImpl, server_certkey: &mut sign::CertifiedKey)383 fn emit_certificate(&mut self,
384 sess: &mut ServerSessionImpl,
385 server_certkey: &mut sign::CertifiedKey) {
386 let cert_chain = server_certkey.take_cert();
387
388 let c = Message {
389 typ: ContentType::Handshake,
390 version: ProtocolVersion::TLSv1_2,
391 payload: MessagePayload::Handshake(HandshakeMessagePayload {
392 typ: HandshakeType::Certificate,
393 payload: HandshakePayload::Certificate(cert_chain),
394 }),
395 };
396
397 self.handshake.transcript.add_message(&c);
398 sess.common.send_msg(c, false);
399 }
400
emit_cert_status(&mut self, sess: &mut ServerSessionImpl, server_certkey: &mut sign::CertifiedKey)401 fn emit_cert_status(&mut self,
402 sess: &mut ServerSessionImpl,
403 server_certkey: &mut sign::CertifiedKey) {
404 if !self.send_cert_status ||
405 !server_certkey.has_ocsp() {
406 return;
407 }
408
409 let ocsp = server_certkey.take_ocsp();
410 let st = CertificateStatus::new(ocsp.unwrap());
411
412 let c = Message {
413 typ: ContentType::Handshake,
414 version: ProtocolVersion::TLSv1_2,
415 payload: MessagePayload::Handshake(HandshakeMessagePayload {
416 typ: HandshakeType::CertificateStatus,
417 payload: HandshakePayload::CertificateStatus(st)
418 }),
419 };
420
421 self.handshake.transcript.add_message(&c);
422 sess.common.send_msg(c, false);
423 }
424
emit_server_kx(&mut self, sess: &mut ServerSessionImpl, sigschemes: Vec<SignatureScheme>, group: NamedGroup, server_certkey: &mut sign::CertifiedKey) -> Result<suites::KeyExchange, TLSError>425 fn emit_server_kx(&mut self,
426 sess: &mut ServerSessionImpl,
427 sigschemes: Vec<SignatureScheme>,
428 group: NamedGroup,
429 server_certkey: &mut sign::CertifiedKey)
430 -> Result<suites::KeyExchange, TLSError> {
431 let kx = sess.common.get_suite_assert()
432 .start_server_kx(group)
433 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
434 let secdh = ServerECDHParams::new(group, kx.pubkey.as_ref());
435
436 let mut msg = Vec::new();
437 msg.extend(&self.handshake.randoms.client);
438 msg.extend(&self.handshake.randoms.server);
439 secdh.encode(&mut msg);
440
441 let signing_key = &server_certkey.key;
442 let signer = signing_key.choose_scheme(&sigschemes)
443 .ok_or_else(|| TLSError::General("incompatible signing key".to_string()))?;
444 let sigscheme = signer.get_scheme();
445 let sig = signer.sign(&msg)?;
446
447 let skx = ServerKeyExchangePayload::ECDHE(ECDHEServerKeyExchange {
448 params: secdh,
449 dss: DigitallySignedStruct::new(sigscheme, sig),
450 });
451
452 let m = Message {
453 typ: ContentType::Handshake,
454 version: ProtocolVersion::TLSv1_2,
455 payload: MessagePayload::Handshake(HandshakeMessagePayload {
456 typ: HandshakeType::ServerKeyExchange,
457 payload: HandshakePayload::ServerKeyExchange(skx),
458 }),
459 };
460
461 self.handshake.transcript.add_message(&m);
462 sess.common.send_msg(m, false);
463 Ok(kx)
464 }
465
emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError>466 fn emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError> {
467 let client_auth = &sess.config.verifier;
468
469 if !client_auth.offer_client_auth() {
470 return Ok(false);
471 }
472
473 let names = client_auth.client_auth_root_subjects(sess.get_sni())
474 .ok_or_else(|| {
475 debug!("could not determine root subjects based on SNI");
476 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
477 TLSError::General("client rejected by client_auth_root_subjects".into())
478 })?;
479
480 let cr = CertificateRequestPayload {
481 certtypes: vec![ ClientCertificateType::RSASign,
482 ClientCertificateType::ECDSASign ],
483 sigschemes: verify::supported_verify_schemes().to_vec(),
484 canames: names,
485 };
486
487 let m = Message {
488 typ: ContentType::Handshake,
489 version: ProtocolVersion::TLSv1_2,
490 payload: MessagePayload::Handshake(HandshakeMessagePayload {
491 typ: HandshakeType::CertificateRequest,
492 payload: HandshakePayload::CertificateRequest(cr),
493 }),
494 };
495
496 trace!("Sending CertificateRequest {:?}", m);
497 self.handshake.transcript.add_message(&m);
498 sess.common.send_msg(m, false);
499 Ok(true)
500 }
501
emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl)502 fn emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl) {
503 let m = Message {
504 typ: ContentType::Handshake,
505 version: ProtocolVersion::TLSv1_2,
506 payload: MessagePayload::Handshake(HandshakeMessagePayload {
507 typ: HandshakeType::ServerHelloDone,
508 payload: HandshakePayload::ServerHelloDone,
509 }),
510 };
511
512 self.handshake.transcript.add_message(&m);
513 sess.common.send_msg(m, false);
514 }
515
start_resumption(mut self, sess: &mut ServerSessionImpl, client_hello: &ClientHelloPayload, sni: Option<&webpki::DNSName>, id: &SessionID, resumedata: persist::ServerSessionValue) -> NextStateOrError516 fn start_resumption(mut self,
517 sess: &mut ServerSessionImpl,
518 client_hello: &ClientHelloPayload,
519 sni: Option<&webpki::DNSName>,
520 id: &SessionID,
521 resumedata: persist::ServerSessionValue)
522 -> NextStateOrError {
523 debug!("Resuming session");
524
525 if resumedata.extended_ms && !self.handshake.using_ems {
526 return Err(illegal_param(sess, "refusing to resume without ems"));
527 }
528
529 self.handshake.session_id = *id;
530 self.emit_server_hello(sess, None, client_hello, Some(&resumedata))?;
531
532 let hashalg = sess.common.get_suite_assert().get_hash();
533 let secrets = SessionSecrets::new_resume(&self.handshake.randoms,
534 hashalg,
535 &resumedata.master_secret.0);
536 sess.config.key_log.log("CLIENT_RANDOM",
537 &secrets.randoms.client,
538 &secrets.master_secret);
539 sess.common.start_encryption_tls12(&secrets);
540 sess.client_cert_chain = resumedata.client_cert_chain;
541
542 if self.send_ticket {
543 tls12::emit_ticket(&secrets, &mut self.handshake, sess);
544 }
545 tls12::emit_ccs(sess);
546 sess.common
547 .record_layer
548 .start_encrypting();
549 tls12::emit_finished(&secrets, &mut self.handshake, sess);
550
551 assert!(same_dns_name_or_both_none(sni, sess.get_sni()));
552
553 Ok(self.into_expect_tls12_ccs(secrets))
554 }
555
556 }
557
558 impl State for ExpectClientHello {
check_message(&self, m: &Message) -> CheckResult559 fn check_message(&self, m: &Message) -> CheckResult {
560 check_handshake_message(m, &[HandshakeType::ClientHello])
561 }
562
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError563 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError {
564 let client_hello = extract_handshake!(m, HandshakePayload::ClientHello).unwrap();
565 let tls13_enabled = sess.config.supports_version(ProtocolVersion::TLSv1_3);
566 let tls12_enabled = sess.config.supports_version(ProtocolVersion::TLSv1_2);
567 trace!("we got a clienthello {:?}", client_hello);
568
569 if !client_hello.compression_methods.contains(&Compression::Null) {
570 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
571 return Err(TLSError::PeerIncompatibleError("client did not offer Null compression"
572 .to_string()));
573 }
574
575 if client_hello.has_duplicate_extension() {
576 return Err(decode_error(sess, "client sent duplicate extensions"));
577 }
578
579 // Are we doing TLS1.3?
580 let maybe_versions_ext = client_hello.get_versions_extension();
581 if let Some(versions) = maybe_versions_ext {
582 if versions.contains(&ProtocolVersion::TLSv1_3) && tls13_enabled {
583 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_3);
584 } else if !versions.contains(&ProtocolVersion::TLSv1_2) || !tls12_enabled {
585 return Err(bad_version(sess, "TLS1.2 not offered/enabled"));
586 }
587 } else if client_hello.client_version.get_u16() < ProtocolVersion::TLSv1_2.get_u16() {
588 return Err(bad_version(sess, "Client does not support TLSv1_2"));
589 } else if !tls12_enabled && tls13_enabled {
590 return Err(bad_version(sess, "Server requires TLS1.3, but client omitted versions ext"));
591 }
592
593 if sess.common.negotiated_version == None {
594 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_2);
595 }
596
597 // --- Common to TLS1.2 and TLS1.3: ciphersuite and certificate selection.
598
599 // Extract and validate the SNI DNS name, if any, before giving it to
600 // the cert resolver. In particular, if it is invalid then we should
601 // send an Illegal Parameter alert instead of the Internal Error alert
602 // (or whatever) that we'd send if this were checked later or in a
603 // different way.
604 let sni: Option<webpki::DNSName> = match client_hello.get_sni_extension() {
605 Some(sni) => {
606 if sni.has_duplicate_names_for_type() {
607 return Err(decode_error(sess, "ClientHello SNI contains duplicate name types"));
608 }
609
610 if let Some(hostname) = sni.get_single_hostname() {
611 Some(hostname.into())
612 } else {
613 return Err(illegal_param(sess, "ClientHello SNI did not contain a hostname"));
614 }
615 },
616 None => None,
617 };
618
619 // We communicate to the upper layer what kind of key they should choose
620 // via the sigschemes value. Clients tend to treat this extension
621 // orthogonally to offered ciphersuites (even though, in TLS1.2 it is not).
622 // So: reduce the offered sigschemes to those compatible with the
623 // intersection of ciphersuites.
624 let mut common_suites = sess.config.ciphersuites.clone();
625 common_suites.retain(|scs| client_hello.cipher_suites.contains(&scs.suite));
626
627 let mut sigschemes_ext = client_hello.get_sigalgs_extension()
628 .cloned()
629 .unwrap_or_else(SupportedSignatureSchemes::default);
630 sigschemes_ext.retain(|scheme| suites::compatible_sigscheme_for_suites(*scheme, &common_suites));
631
632 let alpn_protocols = client_hello.get_alpn_extension()
633 .map(|protos| protos.to_slices());
634
635 // Choose a certificate.
636 let mut certkey = {
637 let sni_ref = sni.as_ref().map(webpki::DNSName::as_ref);
638 trace!("sni {:?}", sni_ref);
639 trace!("sig schemes {:?}", sigschemes_ext);
640 trace!("alpn protocols {:?}", alpn_protocols);
641
642 let alpn_slices = match alpn_protocols {
643 Some(ref vec) => Some(vec.as_slice()),
644 None => None,
645 };
646
647 let client_hello = ClientHello::new(sni_ref, &sigschemes_ext, alpn_slices);
648
649 let certkey = sess.config.cert_resolver.resolve(client_hello);
650 certkey.ok_or_else(|| {
651 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
652 TLSError::General("no server certificate chain resolved".to_string())
653 })?
654 };
655
656 // Reduce our supported ciphersuites by the certificate.
657 // (no-op for TLS1.3)
658 let suitable_suites = suites::reduce_given_sigalg(&sess.config.ciphersuites,
659 certkey.key.algorithm());
660
661 // And version
662 let protocol_version = sess.common.negotiated_version.unwrap();
663 let suitable_suites = suites::reduce_given_version(&suitable_suites, protocol_version);
664
665 let maybe_ciphersuite = if sess.config.ignore_client_order {
666 suites::choose_ciphersuite_preferring_server(&client_hello.cipher_suites, &suitable_suites)
667 } else {
668 suites::choose_ciphersuite_preferring_client(&client_hello.cipher_suites, &suitable_suites)
669 };
670
671 if maybe_ciphersuite.is_none() {
672 return Err(incompatible(sess, "no ciphersuites in common"));
673 }
674
675 debug!("decided upon suite {:?}", maybe_ciphersuite.as_ref().unwrap());
676 sess.common.set_suite(maybe_ciphersuite.unwrap());
677
678 // Start handshake hash.
679 let starting_hash = sess.common.get_suite_assert().get_hash();
680 if !self.handshake.transcript.start_hash(starting_hash) {
681 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
682 return Err(TLSError::PeerIncompatibleError("hash differed on retry"
683 .to_string()));
684 }
685
686 // Save their Random.
687 client_hello.random.write_slice(&mut self.handshake.randoms.client);
688
689 if sess.common.is_tls13() {
690 return self.into_complete_tls13_client_hello_handling()
691 .handle_client_hello(sess, sni, certkey, &m);
692 }
693
694 // -- TLS1.2 only from hereon in --
695 save_sni(sess, sni.clone());
696 self.handshake.transcript.add_message(&m);
697
698 if client_hello.ems_support_offered() {
699 self.handshake.using_ems = true;
700 }
701
702 let groups_ext = client_hello.get_namedgroups_extension()
703 .ok_or_else(|| incompatible(sess, "client didn't describe groups"))?;
704 let ecpoints_ext = client_hello.get_ecpoints_extension()
705 .ok_or_else(|| incompatible(sess, "client didn't describe ec points"))?;
706
707 trace!("namedgroups {:?}", groups_ext);
708 trace!("ecpoints {:?}", ecpoints_ext);
709
710 if !ecpoints_ext.contains(&ECPointFormat::Uncompressed) {
711 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
712 return Err(TLSError::PeerIncompatibleError("client didn't support uncompressed ec points"
713 .to_string()));
714 }
715
716 // -- If TLS1.3 is enabled, signal the downgrade in the server random
717 if tls13_enabled {
718 self.handshake.randoms.set_tls12_downgrade_marker();
719 }
720
721 // -- Check for resumption --
722 // We can do this either by (in order of preference):
723 // 1. receiving a ticket that decrypts
724 // 2. receiving a sessionid that is in our cache
725 //
726 // If we receive a ticket, the sessionid won't be in our
727 // cache, so don't check.
728 //
729 // If either works, we end up with a ServerSessionValue
730 // which is passed to start_resumption and concludes
731 // our handling of the ClientHello.
732 //
733 let mut ticket_received = false;
734
735 if let Some(ticket_ext) = client_hello.get_ticket_extension() {
736 if let ClientExtension::SessionTicketOffer(ref ticket) = *ticket_ext {
737 ticket_received = true;
738 debug!("Ticket received");
739
740 let maybe_resume = sess.config
741 .ticketer
742 .decrypt(&ticket.0)
743 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain));
744
745 if can_resume(sess, &self.handshake, &maybe_resume) {
746 return self.start_resumption(sess,
747 client_hello, sni.as_ref(),
748 &client_hello.session_id,
749 maybe_resume.unwrap());
750 } else {
751 debug!("Ticket didn't decrypt");
752 }
753 }
754 }
755
756 // If we're not offered a ticket or a potential session ID,
757 // allocate a session ID.
758 if self.handshake.session_id.is_empty() && !ticket_received {
759 let mut bytes = [0u8; 32];
760 rand::fill_random(&mut bytes);
761 self.handshake.session_id = SessionID::new(&bytes);
762 }
763
764 // Perhaps resume? If we received a ticket, the sessionid
765 // does not correspond to a real session.
766 if !client_hello.session_id.is_empty() && !ticket_received {
767 let maybe_resume = sess.config.session_storage
768 .get(&client_hello.session_id.get_encoding())
769 .and_then(|x| persist::ServerSessionValue::read_bytes(&x));
770
771 if can_resume(sess, &self.handshake, &maybe_resume) {
772 return self.start_resumption(sess,
773 client_hello, sni.as_ref(),
774 &client_hello.session_id,
775 maybe_resume.unwrap());
776 }
777 }
778
779 // Now we have chosen a ciphersuite, we can make kx decisions.
780 let sigschemes = sess.common.get_suite_assert()
781 .resolve_sig_schemes(&sigschemes_ext);
782
783 if sigschemes.is_empty() {
784 return Err(incompatible(sess, "no supported sig scheme"));
785 }
786
787 let group = suites::KeyExchange::supported_groups()
788 .iter()
789 .filter(|group| groups_ext.contains(group))
790 .nth(0)
791 .cloned()
792 .ok_or_else(|| incompatible(sess, "no supported group"))?;
793
794 let ecpoint = ECPointFormatList::supported()
795 .iter()
796 .filter(|format| ecpoints_ext.contains(format))
797 .nth(0)
798 .cloned()
799 .ok_or_else(|| incompatible(sess, "no supported point format"))?;
800
801 debug_assert_eq!(ecpoint, ECPointFormat::Uncompressed);
802
803 self.emit_server_hello(sess, Some(&mut certkey), client_hello, None)?;
804 self.emit_certificate(sess, &mut certkey);
805 self.emit_cert_status(sess, &mut certkey);
806 let kx = self.emit_server_kx(sess, sigschemes, group, &mut certkey)?;
807 let doing_client_auth = self.emit_certificate_req(sess)?;
808 self.emit_server_hello_done(sess);
809
810 if doing_client_auth {
811 Ok(self.into_expect_tls12_certificate(kx))
812 } else {
813 Ok(self.into_expect_tls12_client_kx(kx))
814 }
815 }
816 }
817