1 use crate::msgs::enums::{ContentType, HandshakeType, ExtensionType};
2 use crate::msgs::enums::{Compression, ProtocolVersion, AlertDescription};
3 use crate::msgs::message::{Message, MessagePayload};
4 use crate::msgs::base::Payload;
5 use crate::msgs::handshake::{HandshakePayload, HandshakeMessagePayload, ClientHelloPayload};
6 use crate::msgs::handshake::{SessionID, Random};
7 use crate::msgs::handshake::{ClientExtension, HasServerExtensions};
8 use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
9 use crate::msgs::handshake::{ProtocolNameList, ConvertProtocolNameList};
10 use crate::msgs::handshake::HelloRetryRequest;
11 use crate::msgs::handshake::{CertificateStatusRequest, SCTList};
12 use crate::msgs::enums::{PSKKeyExchangeMode, ECPointFormat};
13 use crate::msgs::codec::{Codec, Reader};
14 use crate::msgs::persist;
15 use crate::client::ClientSessionImpl;
16 use crate::session::SessionSecrets;
17 use crate::key_schedule::{KeyScheduleEarly, KeyScheduleHandshake};
18 use crate::cipher;
19 use crate::suites;
20 use crate::verify;
21 use crate::rand;
22 use crate::ticketer;
23 #[cfg(feature = "logging")]
24 use crate::log::{debug, trace};
25 use crate::error::TLSError;
26 use crate::handshake::check_handshake_message;
27 #[cfg(feature = "quic")]
28 use crate::{
29 msgs::base::PayloadU16,
30 session::Protocol
31 };
32
33 use crate::client::common::{ServerCertDetails, HandshakeDetails};
34 use crate::client::common::{ClientHelloDetails, ReceivedTicketDetails};
35 use crate::client::{tls12, tls13};
36
37 use webpki;
38
39 macro_rules! extract_handshake(
40 ( $m:expr, $t:path ) => (
41 match $m.payload {
42 MessagePayload::Handshake(ref hsp) => match hsp.payload {
43 $t(ref hm) => Some(hm),
44 _ => None
45 },
46 _ => None
47 }
48 )
49 );
50
51 macro_rules! extract_handshake_mut(
52 ( $m:expr, $t:path ) => (
53 match $m.payload {
54 MessagePayload::Handshake(hsp) => match hsp.payload {
55 $t(hm) => Some(hm),
56 _ => None
57 },
58 _ => None
59 }
60 )
61 );
62
63 pub type CheckResult = Result<(), TLSError>;
64 pub type NextState = Box<dyn State + Send + Sync>;
65 pub type NextStateOrError = Result<NextState, TLSError>;
66
67 pub trait State {
check_message(&self, m: &Message) -> CheckResult68 fn check_message(&self, m: &Message) -> CheckResult;
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError69 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError;
70
export_keying_material(&self, _output: &mut [u8], _label: &[u8], _context: Option<&[u8]>) -> Result<(), TLSError>71 fn export_keying_material(&self,
72 _output: &mut [u8],
73 _label: &[u8],
74 _context: Option<&[u8]>) -> Result<(), TLSError> {
75 Err(TLSError::HandshakeNotComplete)
76 }
77
perhaps_write_key_update(&mut self, _sess: &mut ClientSessionImpl)78 fn perhaps_write_key_update(&mut self, _sess: &mut ClientSessionImpl) {
79 }
80 }
81
illegal_param(sess: &mut ClientSessionImpl, why: &str) -> TLSError82 pub fn illegal_param(sess: &mut ClientSessionImpl, why: &str) -> TLSError {
83 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
84 TLSError::PeerMisbehavedError(why.to_string())
85 }
86
check_aligned_handshake(sess: &mut ClientSessionImpl) -> Result<(), TLSError>87 pub fn check_aligned_handshake(sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
88 if !sess.common.handshake_joiner.is_empty() {
89 Err(illegal_param(sess, "keys changed with pending hs fragment"))
90 } else {
91 Ok(())
92 }
93 }
94
find_session(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef) -> Option<persist::ClientSessionValue>95 fn find_session(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef)
96 -> Option<persist::ClientSessionValue> {
97 let key = persist::ClientSessionKey::session_for_dns_name(dns_name);
98 let key_buf = key.get_encoding();
99
100 let maybe_value = sess.config.session_persistence.get(&key_buf);
101
102 if maybe_value.is_none() {
103 debug!("No cached session for {:?}", dns_name);
104 return None;
105 }
106
107 let value = maybe_value.unwrap();
108 let mut reader = Reader::init(&value[..]);
109 if let Some(result) = persist::ClientSessionValue::read(&mut reader) {
110 if result.has_expired(ticketer::timebase()) {
111 None
112 } else {
113 #[cfg(feature = "quic")] {
114 if sess.common.protocol == Protocol::Quic {
115 let params = PayloadU16::read(&mut reader)?;
116 sess.common.quic.params = Some(params.0);
117 }
118 }
119 Some(result)
120 }
121 } else {
122 None
123 }
124 }
125
random_sessionid() -> SessionID126 fn random_sessionid() -> SessionID {
127 let mut random_id = [0u8; 32];
128 rand::fill_random(&mut random_id);
129 SessionID::new(&random_id)
130 }
131
132 /// If we have a ticket, we use the sessionid as a signal that we're
133 /// doing an abbreviated handshake. See section 3.4 in RFC5077.
random_sessionid_for_ticket(csv: &mut persist::ClientSessionValue)134 fn random_sessionid_for_ticket(csv: &mut persist::ClientSessionValue) {
135 if !csv.ticket.0.is_empty() {
136 csv.session_id = random_sessionid();
137 }
138 }
139
140 struct InitialState {
141 handshake: HandshakeDetails,
142 }
143
144 impl InitialState {
new(host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> InitialState145 fn new(host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> InitialState {
146 InitialState {
147 handshake: HandshakeDetails::new(host_name, extra_exts),
148 }
149 }
150
emit_initial_client_hello(mut self, sess: &mut ClientSessionImpl) -> NextState151 fn emit_initial_client_hello(mut self, sess: &mut ClientSessionImpl) -> NextState {
152 if sess.config.client_auth_cert_resolver.has_certs() {
153 self.handshake.transcript.set_client_auth_enabled();
154 }
155 let hello_details = ClientHelloDetails::new();
156 emit_client_hello_for_retry(sess, self.handshake, hello_details, None)
157 }
158 }
159
160
start_handshake(sess: &mut ClientSessionImpl, host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> NextState161 pub fn start_handshake(sess: &mut ClientSessionImpl, host_name: webpki::DNSName,
162 extra_exts: Vec<ClientExtension>) -> NextState {
163 InitialState::new(host_name, extra_exts)
164 .emit_initial_client_hello(sess)
165 }
166
167 struct ExpectServerHello {
168 handshake: HandshakeDetails,
169 early_key_schedule: Option<KeyScheduleEarly>,
170 hello: ClientHelloDetails,
171 server_cert: ServerCertDetails,
172 may_send_cert_status: bool,
173 must_issue_new_ticket: bool,
174 }
175
176 struct ExpectServerHelloOrHelloRetryRequest(ExpectServerHello);
177
compatible_suite(sess: &ClientSessionImpl, resuming_suite: Option<&suites::SupportedCipherSuite>) -> bool178 pub fn compatible_suite(sess: &ClientSessionImpl,
179 resuming_suite: Option<&suites::SupportedCipherSuite>) -> bool {
180 match resuming_suite {
181 Some(resuming_suite) => {
182 if let Some(suite) = sess.common.get_suite() {
183 suite.can_resume_to(&resuming_suite)
184 } else {
185 true
186 }
187 }
188 None => false
189 }
190 }
191
emit_client_hello_for_retry(sess: &mut ClientSessionImpl, mut handshake: HandshakeDetails, mut hello: ClientHelloDetails, retryreq: Option<&HelloRetryRequest>) -> NextState192 fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl,
193 mut handshake: HandshakeDetails,
194 mut hello: ClientHelloDetails,
195 retryreq: Option<&HelloRetryRequest>) -> NextState {
196 // Do we have a SessionID or ticket cached for this host?
197 handshake.resuming_session = find_session(sess, handshake.dns_name.as_ref());
198 let (session_id, ticket, resume_version) = if handshake.resuming_session.is_some() {
199 let resuming = handshake.resuming_session.as_mut().unwrap();
200 if resuming.version == ProtocolVersion::TLSv1_2 {
201 random_sessionid_for_ticket(resuming);
202 }
203 debug!("Resuming session");
204 (resuming.session_id, resuming.ticket.0.clone(), resuming.version)
205 } else {
206 debug!("Not resuming any session");
207 if handshake.session_id.is_empty() {
208 handshake.session_id = random_sessionid();
209 }
210 (handshake.session_id, Vec::new(), ProtocolVersion::Unknown(0))
211 };
212
213 let support_tls12 = sess.config.supports_version(ProtocolVersion::TLSv1_2);
214 let support_tls13 = sess.config.supports_version(ProtocolVersion::TLSv1_3);
215
216 let mut supported_versions = Vec::new();
217 if support_tls13 {
218 supported_versions.push(ProtocolVersion::TLSv1_3);
219 }
220
221 if support_tls12 {
222 supported_versions.push(ProtocolVersion::TLSv1_2);
223 }
224
225 let mut exts = Vec::new();
226 if !supported_versions.is_empty() {
227 exts.push(ClientExtension::SupportedVersions(supported_versions));
228 }
229 if sess.config.enable_sni {
230 exts.push(ClientExtension::make_sni(handshake.dns_name.as_ref()));
231 }
232 exts.push(ClientExtension::ECPointFormats(ECPointFormatList::supported()));
233 exts.push(ClientExtension::NamedGroups(suites::KeyExchange::supported_groups().to_vec()));
234 exts.push(ClientExtension::SignatureAlgorithms(verify::supported_verify_schemes().to_vec()));
235 exts.push(ClientExtension::ExtendedMasterSecretRequest);
236 exts.push(ClientExtension::CertificateStatusRequest(CertificateStatusRequest::build_ocsp()));
237
238 if sess.config.ct_logs.is_some() {
239 exts.push(ClientExtension::SignedCertificateTimestampRequest);
240 }
241
242 if support_tls13 {
243 tls13::choose_kx_groups(sess, &mut exts, &mut hello, &mut handshake, retryreq);
244 }
245
246 if let Some(cookie) = retryreq.and_then(HelloRetryRequest::get_cookie) {
247 exts.push(ClientExtension::Cookie(cookie.clone()));
248 }
249
250 if support_tls13 && sess.config.enable_tickets {
251 // We could support PSK_KE here too. Such connections don't
252 // have forward secrecy, and are similar to TLS1.2 resumption.
253 let psk_modes = vec![ PSKKeyExchangeMode::PSK_DHE_KE ];
254 exts.push(ClientExtension::PresharedKeyModes(psk_modes));
255 }
256
257 if !sess.config.alpn_protocols.is_empty() {
258 exts.push(ClientExtension::Protocols(ProtocolNameList::from_slices(&sess.config
259 .alpn_protocols
260 .iter()
261 .map(|proto| &proto[..])
262 .collect::<Vec<_>>()
263 )));
264 }
265
266 // Extra extensions must be placed before the PSK extension
267 exts.extend(handshake.extra_exts.iter().cloned());
268
269 let fill_in_binder = if support_tls13 && sess.config.enable_tickets &&
270 resume_version == ProtocolVersion::TLSv1_3 &&
271 !ticket.is_empty() {
272 tls13::prepare_resumption(sess, ticket, &handshake, &mut exts,
273 retryreq.is_some())
274 } else if sess.config.enable_tickets {
275 // If we have a ticket, include it. Otherwise, request one.
276 if ticket.is_empty() {
277 exts.push(ClientExtension::SessionTicketRequest);
278 } else {
279 exts.push(ClientExtension::SessionTicketOffer(Payload::new(ticket)));
280 }
281 false
282 } else {
283 false
284 };
285
286 // Note what extensions we sent.
287 hello.sent_extensions = exts.iter()
288 .map(ClientExtension::get_type)
289 .collect();
290
291 let mut chp = HandshakeMessagePayload {
292 typ: HandshakeType::ClientHello,
293 payload: HandshakePayload::ClientHello(ClientHelloPayload {
294 client_version: ProtocolVersion::TLSv1_2,
295 random: Random::from_slice(&handshake.randoms.client),
296 session_id,
297 cipher_suites: sess.get_cipher_suites(),
298 compression_methods: vec![Compression::Null],
299 extensions: exts,
300 }),
301 };
302
303 let early_key_schedule = if fill_in_binder {
304 Some(tls13::fill_in_psk_binder(sess, &mut handshake, &mut chp))
305 } else {
306 None
307 };
308
309 let ch = Message {
310 typ: ContentType::Handshake,
311 // "This value MUST be set to 0x0303 for all records generated
312 // by a TLS 1.3 implementation other than an initial ClientHello
313 // (i.e., one not generated after a HelloRetryRequest)"
314 version: if retryreq.is_some() {
315 ProtocolVersion::TLSv1_2
316 } else {
317 ProtocolVersion::TLSv1_0
318 },
319 payload: MessagePayload::Handshake(chp),
320 };
321
322 if retryreq.is_some() {
323 // send dummy CCS to fool middleboxes prior
324 // to second client hello
325 tls13::emit_fake_ccs(&mut handshake, sess);
326 }
327
328 trace!("Sending ClientHello {:#?}", ch);
329
330 handshake.transcript.add_message(&ch);
331 sess.common.send_msg(ch, false);
332
333 // Calculate the hash of ClientHello and use it to derive EarlyTrafficSecret
334 if sess.early_data.is_enabled() {
335 // For middlebox compatibility
336 tls13::emit_fake_ccs(&mut handshake, sess);
337
338 // It is safe to call unwrap() because fill_in_binder is true.
339 let resuming_suite = handshake.resuming_session
340 .as_ref()
341 .and_then(|resume| sess.find_cipher_suite(resume.cipher_suite)).unwrap();
342
343 let client_hello_hash = handshake.transcript.get_hash_given(resuming_suite.get_hash(), &[]);
344 let client_early_traffic_secret = early_key_schedule
345 .as_ref()
346 .unwrap()
347 .client_early_traffic_secret(&client_hello_hash,
348 &*sess.config.key_log,
349 &handshake.randoms.client);
350 // Set early data encryption key
351 sess.common
352 .record_layer
353 .set_message_encrypter(cipher::new_tls13_write(resuming_suite, &client_early_traffic_secret));
354
355 #[cfg(feature = "quic")]
356 {
357 sess.common.quic.early_secret = Some(client_early_traffic_secret);
358 }
359
360 // Now the client can send encrypted early data
361 sess.common.early_traffic = true;
362 trace!("Starting early data traffic");
363 }
364
365 let next = ExpectServerHello {
366 handshake,
367 hello,
368 early_key_schedule,
369 server_cert: ServerCertDetails::new(),
370 may_send_cert_status: false,
371 must_issue_new_ticket: false,
372 };
373
374 if support_tls13 && retryreq.is_none() {
375 Box::new(ExpectServerHelloOrHelloRetryRequest(next))
376 } else {
377 Box::new(next)
378 }
379 }
380
process_alpn_protocol(sess: &mut ClientSessionImpl, proto: Option<&[u8]>) -> Result<(), TLSError>381 pub fn process_alpn_protocol(sess: &mut ClientSessionImpl,
382 proto: Option<&[u8]>)
383 -> Result<(), TLSError> {
384 sess.alpn_protocol = proto.map(ToOwned::to_owned);
385 if sess.alpn_protocol.is_some() &&
386 !sess.config.alpn_protocols.contains(sess.alpn_protocol.as_ref().unwrap()) {
387 return Err(illegal_param(sess, "server sent non-offered ALPN protocol"));
388 }
389 debug!("ALPN protocol is {:?}", sess.alpn_protocol);
390 Ok(())
391 }
392
sct_list_is_invalid(scts: &SCTList) -> bool393 pub fn sct_list_is_invalid(scts: &SCTList) -> bool {
394 scts.is_empty() ||
395 scts.iter().any(|sct| sct.0.is_empty())
396 }
397
398 impl ExpectServerHello {
into_expect_tls13_encrypted_extensions(self, key_schedule: KeyScheduleHandshake) -> NextState399 fn into_expect_tls13_encrypted_extensions(self, key_schedule: KeyScheduleHandshake) -> NextState {
400 Box::new(tls13::ExpectEncryptedExtensions {
401 handshake: self.handshake,
402 key_schedule,
403 server_cert: self.server_cert,
404 hello: self.hello,
405 })
406 }
407
into_expect_tls12_new_ticket_resume(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> NextState408 fn into_expect_tls12_new_ticket_resume(self,
409 secrets: SessionSecrets,
410 certv: verify::ServerCertVerified,
411 sigv: verify::HandshakeSignatureValid) -> NextState {
412 Box::new(tls12::ExpectNewTicket {
413 secrets,
414 handshake: self.handshake,
415 resuming: true,
416 cert_verified: certv,
417 sig_verified: sigv,
418 })
419 }
420
into_expect_tls12_ccs_resume(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> NextState421 fn into_expect_tls12_ccs_resume(self,
422 secrets: SessionSecrets,
423 certv: verify::ServerCertVerified,
424 sigv: verify::HandshakeSignatureValid) -> NextState {
425 Box::new(tls12::ExpectCCS {
426 secrets,
427 handshake: self.handshake,
428 ticket: ReceivedTicketDetails::new(),
429 resuming: true,
430 cert_verified: certv,
431 sig_verified: sigv,
432 })
433 }
434
into_expect_tls12_certificate(self) -> NextState435 fn into_expect_tls12_certificate(self) -> NextState {
436 Box::new(tls12::ExpectCertificate {
437 handshake: self.handshake,
438 server_cert: self.server_cert,
439 may_send_cert_status: self.may_send_cert_status,
440 must_issue_new_ticket: self.must_issue_new_ticket,
441 })
442 }
443 }
444
445 impl State for ExpectServerHello {
check_message(&self, m: &Message) -> CheckResult446 fn check_message(&self, m: &Message) -> CheckResult {
447 check_handshake_message(m, &[HandshakeType::ServerHello])
448 }
449
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError450 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
451 let server_hello = extract_handshake!(m, HandshakePayload::ServerHello).unwrap();
452 trace!("We got ServerHello {:#?}", server_hello);
453
454 use crate::ProtocolVersion::{TLSv1_2, TLSv1_3};
455 let tls13_supported = sess.config.supports_version(TLSv1_3);
456
457 let server_version = if server_hello.legacy_version == TLSv1_2 {
458 server_hello.get_supported_versions()
459 .unwrap_or(server_hello.legacy_version)
460 } else {
461 server_hello.legacy_version
462 };
463
464 match server_version {
465 TLSv1_3 if tls13_supported => {
466 sess.common.negotiated_version = Some(TLSv1_3);
467 }
468 TLSv1_2 if sess.config.supports_version(TLSv1_2) => {
469 if sess.early_data.is_enabled() && sess.common.early_traffic {
470 // The client must fail with a dedicated error code if the server
471 // responds with TLS 1.2 when offering 0-RTT.
472 return Err(TLSError::PeerMisbehavedError("server chose v1.2 when offering 0-rtt"
473 .to_string()));
474 }
475 sess.common.negotiated_version = Some(TLSv1_2);
476
477 if server_hello.get_supported_versions().is_some() {
478 return Err(illegal_param(sess, "server chose v1.2 using v1.3 extension"));
479 }
480 }
481 _ => {
482 sess.common.send_fatal_alert(AlertDescription::ProtocolVersion);
483 return Err(TLSError::PeerIncompatibleError("server does not support TLS v1.2/v1.3"
484 .to_string()));
485 }
486 };
487
488 if server_hello.compression_method != Compression::Null {
489 return Err(illegal_param(sess, "server chose non-Null compression"));
490 }
491
492 if server_hello.has_duplicate_extension() {
493 sess.common.send_fatal_alert(AlertDescription::DecodeError);
494 return Err(TLSError::PeerMisbehavedError("server sent duplicate extensions".to_string()));
495 }
496
497 let allowed_unsolicited = [ ExtensionType::RenegotiationInfo ];
498 if self.hello.server_sent_unsolicited_extensions(&server_hello.extensions,
499 &allowed_unsolicited) {
500 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
501 return Err(TLSError::PeerMisbehavedError("server sent unsolicited extension".to_string()));
502 }
503
504 // Extract ALPN protocol
505 if !sess.common.is_tls13() {
506 process_alpn_protocol(sess, server_hello.get_alpn_protocol())?;
507 }
508
509 // If ECPointFormats extension is supplied by the server, it must contain
510 // Uncompressed. But it's allowed to be omitted.
511 if let Some(point_fmts) = server_hello.get_ecpoints_extension() {
512 if !point_fmts.contains(&ECPointFormat::Uncompressed) {
513 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
514 return Err(TLSError::PeerMisbehavedError("server does not support uncompressed points"
515 .to_string()));
516 }
517 }
518
519 let scs = sess.find_cipher_suite(server_hello.cipher_suite);
520
521 if scs.is_none() {
522 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
523 return Err(TLSError::PeerMisbehavedError("server chose non-offered ciphersuite"
524 .to_string()));
525 }
526
527 debug!("Using ciphersuite {:?}", server_hello.cipher_suite);
528 if !sess.common.set_suite(scs.unwrap()) {
529 return Err(illegal_param(sess, "server varied selected ciphersuite"));
530 }
531
532 let version = sess.common.negotiated_version.unwrap();
533 if !sess.common.get_suite_assert().usable_for_version(version) {
534 return Err(illegal_param(sess, "server chose unusable ciphersuite for version"));
535 }
536
537 // Start our handshake hash, and input the server-hello.
538 let starting_hash = sess.common.get_suite_assert().get_hash();
539 self.handshake.transcript.start_hash(starting_hash);
540 self.handshake.transcript.add_message(&m);
541
542 // For TLS1.3, start message encryption using
543 // handshake_traffic_secret.
544 if sess.common.is_tls13() {
545 tls13::validate_server_hello(sess, server_hello)?;
546 let key_schedule = tls13::start_handshake_traffic(sess,
547 self.early_key_schedule.take(),
548 server_hello,
549 &mut self.handshake,
550 &mut self.hello)?;
551 tls13::emit_fake_ccs(&mut self.handshake, sess);
552 return Ok(self.into_expect_tls13_encrypted_extensions(key_schedule));
553 }
554
555 // TLS1.2 only from here-on
556
557 // Save ServerRandom and SessionID
558 server_hello.random.write_slice(&mut self.handshake.randoms.server);
559 self.handshake.session_id = server_hello.session_id;
560
561 // Look for TLS1.3 downgrade signal in server random
562 if tls13_supported && self.handshake.randoms.has_tls12_downgrade_marker() {
563 return Err(illegal_param(sess, "downgrade to TLS1.2 when TLS1.3 is supported"));
564 }
565
566 // Doing EMS?
567 if server_hello.ems_support_acked() {
568 self.handshake.using_ems = true;
569 }
570
571 // Might the server send a ticket?
572 let with_tickets = if server_hello.find_extension(ExtensionType::SessionTicket).is_some() {
573 debug!("Server supports tickets");
574 true
575 } else {
576 false
577 };
578 self.must_issue_new_ticket = with_tickets;
579
580 // Might the server send a CertificateStatus between Certificate and
581 // ServerKeyExchange?
582 if server_hello.find_extension(ExtensionType::StatusRequest).is_some() {
583 debug!("Server may staple OCSP response");
584 self.may_send_cert_status = true;
585 }
586
587 // Save any sent SCTs for verification against the certificate.
588 if let Some(sct_list) = server_hello.get_sct_list() {
589 debug!("Server sent {:?} SCTs", sct_list.len());
590
591 if sct_list_is_invalid(sct_list) {
592 let error_msg = "server sent invalid SCT list".to_string();
593 return Err(TLSError::PeerMisbehavedError(error_msg));
594 }
595 self.server_cert.scts = Some(sct_list.clone());
596 }
597
598 // See if we're successfully resuming.
599 if let Some(ref resuming) = self.handshake.resuming_session {
600 if resuming.session_id == self.handshake.session_id {
601 debug!("Server agreed to resume");
602
603 // Is the server telling lies about the ciphersuite?
604 if resuming.cipher_suite != scs.unwrap().suite {
605 let error_msg = "abbreviated handshake offered, but with varied cs".to_string();
606 return Err(TLSError::PeerMisbehavedError(error_msg));
607 }
608
609 // And about EMS support?
610 if resuming.extended_ms != self.handshake.using_ems {
611 let error_msg = "server varied ems support over resume".to_string();
612 return Err(TLSError::PeerMisbehavedError(error_msg));
613 }
614
615 let secrets = SessionSecrets::new_resume(&self.handshake.randoms,
616 scs.unwrap().get_hash(),
617 &resuming.master_secret.0);
618 sess.config.key_log.log("CLIENT_RANDOM",
619 &secrets.randoms.client,
620 &secrets.master_secret);
621 sess.common.start_encryption_tls12(&secrets);
622
623 // Since we're resuming, we verified the certificate and
624 // proof of possession in the prior session.
625 let certv = verify::ServerCertVerified::assertion();
626 let sigv = verify::HandshakeSignatureValid::assertion();
627
628 return if self.must_issue_new_ticket {
629 Ok(self.into_expect_tls12_new_ticket_resume(secrets, certv, sigv))
630 } else {
631 Ok(self.into_expect_tls12_ccs_resume(secrets, certv, sigv))
632 };
633 }
634 }
635
636 Ok(self.into_expect_tls12_certificate())
637 }
638 }
639
640 impl ExpectServerHelloOrHelloRetryRequest {
into_expect_server_hello(self) -> NextState641 fn into_expect_server_hello(self) -> NextState {
642 Box::new(self.0)
643 }
644
handle_hello_retry_request(mut self, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError645 fn handle_hello_retry_request(mut self, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
646 check_handshake_message(&m, &[HandshakeType::HelloRetryRequest])?;
647
648 let hrr = extract_handshake!(m, HandshakePayload::HelloRetryRequest).unwrap();
649 trace!("Got HRR {:?}", hrr);
650
651 let has_cookie = hrr.get_cookie().is_some();
652 let req_group = hrr.get_requested_key_share_group();
653
654 // A retry request is illegal if it contains no cookie and asks for
655 // retry of a group we already sent.
656 if !has_cookie && req_group.map(|g| self.0.hello.has_key_share(g)).unwrap_or(false) {
657 return Err(illegal_param(sess, "server requested hrr with our group"));
658 }
659
660 // Or asks for us to retry on an unsupported group.
661 if let Some(group) = req_group {
662 if !suites::KeyExchange::supported_groups().contains(&group) {
663 return Err(illegal_param(sess, "server requested hrr with bad group"));
664 }
665 }
666
667 // Or has an empty cookie.
668 if has_cookie && hrr.get_cookie().unwrap().0.is_empty() {
669 return Err(illegal_param(sess, "server requested hrr with empty cookie"));
670 }
671
672 // Or has something unrecognised
673 if hrr.has_unknown_extension() {
674 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
675 return Err(TLSError::PeerIncompatibleError("server sent hrr with unhandled extension"
676 .to_string()));
677 }
678
679 // Or has the same extensions more than once
680 if hrr.has_duplicate_extension() {
681 return Err(illegal_param(sess, "server send duplicate hrr extensions"));
682 }
683
684 // Or asks us to change nothing.
685 if !has_cookie && req_group.is_none() {
686 return Err(illegal_param(sess, "server requested hrr with no changes"));
687 }
688
689 // Or asks us to talk a protocol we didn't offer, or doesn't support HRR at all.
690 match hrr.get_supported_versions() {
691 Some(ProtocolVersion::TLSv1_3) => {
692 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_3);
693 }
694 _ => {
695 return Err(illegal_param(sess, "server requested unsupported version in hrr"));
696 }
697 }
698
699 // Or asks us to use a ciphersuite we didn't offer.
700 let maybe_cs = sess.find_cipher_suite(hrr.cipher_suite);
701 let cs = match maybe_cs {
702 Some(cs) => cs,
703 None => {
704 return Err(illegal_param(sess, "server requested unsupported cs in hrr"));
705 }
706 };
707
708 // HRR selects the ciphersuite.
709 sess.common.set_suite(cs);
710
711 // This is the draft19 change where the transcript became a tree
712 self.0.handshake.transcript.start_hash(cs.get_hash());
713 self.0.handshake.transcript.rollup_for_hrr();
714 self.0.handshake.transcript.add_message(&m);
715
716 // Early data is not alllowed after HelloRetryrequest
717 if sess.early_data.is_enabled() {
718 sess.early_data.rejected();
719 }
720
721 Ok(emit_client_hello_for_retry(sess,
722 self.0.handshake,
723 self.0.hello,
724 Some(hrr)))
725 }
726 }
727
728 impl State for ExpectServerHelloOrHelloRetryRequest {
check_message(&self, m: &Message) -> CheckResult729 fn check_message(&self, m: &Message) -> CheckResult {
730 check_handshake_message(m,
731 &[HandshakeType::ServerHello,
732 HandshakeType::HelloRetryRequest])
733 }
734
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError735 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
736 if m.is_handshake_type(HandshakeType::ServerHello) {
737 self.into_expect_server_hello().handle(sess, m)
738 } else {
739 self.handle_hello_retry_request(sess, m)
740 }
741 }
742 }
743
send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError744 pub fn send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError {
745 match err {
746 TLSError::WebPKIError(webpki::Error::BadDER) => {
747 sess.common.send_fatal_alert(AlertDescription::DecodeError);
748 }
749 TLSError::PeerMisbehavedError(_) => {
750 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
751 }
752 _ => {
753 sess.common.send_fatal_alert(AlertDescription::BadCertificate);
754 }
755 };
756
757 err
758 }
759