1 use crate::msgs::enums::{ContentType, HandshakeType};
2 use crate::msgs::enums::{ProtocolVersion, AlertDescription};
3 use crate::msgs::message::{Message, MessagePayload};
4 use crate::msgs::base::{Payload, PayloadU8};
5 use crate::msgs::handshake::{HandshakePayload, HandshakeMessagePayload};
6 use crate::msgs::handshake::DecomposedSignatureScheme;
7 use crate::msgs::handshake::ServerKeyExchangePayload;
8 use crate::msgs::handshake::DigitallySignedStruct;
9 use crate::msgs::enums::ClientCertificateType;
10 use crate::msgs::codec::Codec;
11 use crate::msgs::persist;
12 use crate::msgs::ccs::ChangeCipherSpecPayload;
13 use crate::client::ClientSessionImpl;
14 use crate::session::SessionSecrets;
15 use crate::suites;
16 use crate::verify;
17 use crate::ticketer;
18 #[cfg(feature = "logging")]
19 use crate::log::{debug, trace, warn};
20 use crate::error::TLSError;
21 use crate::handshake::{check_message, check_handshake_message};
22
23 use crate::client::common::{ServerCertDetails, ServerKXDetails, HandshakeDetails};
24 use crate::client::common::{ReceivedTicketDetails, ClientAuthDetails};
25 use crate::client::hs;
26
27 use std::mem;
28 use ring::constant_time;
29
30 pub struct ExpectCertificate {
31 pub handshake: HandshakeDetails,
32 pub server_cert: ServerCertDetails,
33 pub may_send_cert_status: bool,
34 pub must_issue_new_ticket: bool,
35 }
36
37 impl ExpectCertificate {
into_expect_certificate_status_or_server_kx(self) -> hs::NextState38 fn into_expect_certificate_status_or_server_kx(self) -> hs::NextState {
39 Box::new(ExpectCertificateStatusOrServerKX {
40 handshake: self.handshake,
41 server_cert: self.server_cert,
42 must_issue_new_ticket: self.must_issue_new_ticket,
43 })
44 }
45
into_expect_server_kx(self) -> hs::NextState46 fn into_expect_server_kx(self) -> hs::NextState {
47 Box::new(ExpectServerKX {
48 handshake: self.handshake,
49 server_cert: self.server_cert,
50 must_issue_new_ticket: self.must_issue_new_ticket,
51 })
52 }
53 }
54
55 impl hs::State for ExpectCertificate {
check_message(&self, m: &Message) -> Result<(), TLSError>56 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
57 check_handshake_message(m, &[HandshakeType::Certificate])
58 }
59
handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError60 fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
61 let cert_chain = extract_handshake!(m, HandshakePayload::Certificate).unwrap();
62 self.handshake.transcript.add_message(&m);
63
64 self.server_cert.cert_chain = cert_chain.clone();
65
66 if self.may_send_cert_status {
67 Ok(self.into_expect_certificate_status_or_server_kx())
68 } else {
69 Ok(self.into_expect_server_kx())
70 }
71 }
72 }
73
74 struct ExpectCertificateStatus {
75 handshake: HandshakeDetails,
76 server_cert: ServerCertDetails,
77 must_issue_new_ticket: bool,
78 }
79
80 impl ExpectCertificateStatus {
into_expect_server_kx(self) -> hs::NextState81 fn into_expect_server_kx(self) -> hs::NextState {
82 Box::new(ExpectServerKX {
83 handshake: self.handshake,
84 server_cert: self.server_cert,
85 must_issue_new_ticket: self.must_issue_new_ticket,
86 })
87 }
88 }
89
90 impl hs::State for ExpectCertificateStatus {
check_message(&self, m: &Message) -> Result<(), TLSError>91 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
92 check_handshake_message(m, &[HandshakeType::CertificateStatus])
93 }
94
handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError95 fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
96 self.handshake.transcript.add_message(&m);
97 let mut status = extract_handshake_mut!(m, HandshakePayload::CertificateStatus).unwrap();
98
99 self.server_cert.ocsp_response = status.take_ocsp_response();
100 debug!("Server stapled OCSP response is {:?}", self.server_cert.ocsp_response);
101 Ok(self.into_expect_server_kx())
102 }
103 }
104
105 struct ExpectCertificateStatusOrServerKX {
106 handshake: HandshakeDetails,
107 server_cert: ServerCertDetails,
108 must_issue_new_ticket: bool,
109 }
110
111 impl ExpectCertificateStatusOrServerKX {
into_expect_server_kx(self) -> hs::NextState112 fn into_expect_server_kx(self) -> hs::NextState {
113 Box::new(ExpectServerKX {
114 handshake: self.handshake,
115 server_cert: self.server_cert,
116 must_issue_new_ticket: self.must_issue_new_ticket,
117 })
118 }
119
into_expect_certificate_status(self) -> hs::NextState120 fn into_expect_certificate_status(self) -> hs::NextState {
121 Box::new(ExpectCertificateStatus {
122 handshake: self.handshake,
123 server_cert: self.server_cert,
124 must_issue_new_ticket: self.must_issue_new_ticket,
125 })
126 }
127 }
128
129 impl hs::State for ExpectCertificateStatusOrServerKX {
check_message(&self, m: &Message) -> Result<(), TLSError>130 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
131 check_handshake_message(m,
132 &[HandshakeType::ServerKeyExchange,
133 HandshakeType::CertificateStatus])
134 }
135
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError136 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
137 if m.is_handshake_type(HandshakeType::ServerKeyExchange) {
138 self.into_expect_server_kx().handle(sess, m)
139 } else {
140 self.into_expect_certificate_status().handle(sess, m)
141 }
142 }
143 }
144
145 struct ExpectServerKX {
146 handshake: HandshakeDetails,
147 server_cert: ServerCertDetails,
148 must_issue_new_ticket: bool,
149 }
150
151 impl ExpectServerKX {
into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState152 fn into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState {
153 Box::new(ExpectServerDoneOrCertReq {
154 handshake: self.handshake,
155 server_cert: self.server_cert,
156 server_kx: skx,
157 must_issue_new_ticket: self.must_issue_new_ticket,
158 })
159 }
160 }
161
162 impl hs::State for ExpectServerKX {
check_message(&self, m: &Message) -> Result<(), TLSError>163 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
164 check_handshake_message(m, &[HandshakeType::ServerKeyExchange])
165 }
166
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError167 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
168 let opaque_kx = extract_handshake!(m, HandshakePayload::ServerKeyExchange).unwrap();
169 let maybe_decoded_kx = opaque_kx.unwrap_given_kxa(&sess.common.get_suite_assert().kx);
170 self.handshake.transcript.add_message(&m);
171
172 if maybe_decoded_kx.is_none() {
173 sess.common.send_fatal_alert(AlertDescription::DecodeError);
174 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
175 }
176
177 let decoded_kx = maybe_decoded_kx.unwrap();
178
179 // Save the signature and signed parameters for later verification.
180 let mut kx_params = Vec::new();
181 decoded_kx.encode_params(&mut kx_params);
182 let skx = ServerKXDetails::new(kx_params, decoded_kx.get_sig().unwrap());
183
184 #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
185 {
186 if let ServerKeyExchangePayload::ECDHE(ecdhe) = decoded_kx {
187 debug!("ECDHE curve is {:?}", ecdhe.params.curve_params);
188 }
189 }
190
191 Ok(self.into_expect_server_done_or_certreq(skx))
192 }
193 }
194
emit_certificate(handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl)195 fn emit_certificate(handshake: &mut HandshakeDetails,
196 client_auth: &mut ClientAuthDetails,
197 sess: &mut ClientSessionImpl) {
198 let chosen_cert = client_auth.cert.take();
199
200 let cert = Message {
201 typ: ContentType::Handshake,
202 version: ProtocolVersion::TLSv1_2,
203 payload: MessagePayload::Handshake(HandshakeMessagePayload {
204 typ: HandshakeType::Certificate,
205 payload: HandshakePayload::Certificate(chosen_cert.unwrap_or_else(Vec::new)),
206 }),
207 };
208
209 handshake.transcript.add_message(&cert);
210 sess.common.send_msg(cert, false);
211 }
212
emit_clientkx(handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl, kxd: &suites::KeyExchangeResult)213 fn emit_clientkx(handshake: &mut HandshakeDetails,
214 sess: &mut ClientSessionImpl,
215 kxd: &suites::KeyExchangeResult) {
216 let mut buf = Vec::new();
217 let ecpoint = PayloadU8::new(Vec::from(kxd.pubkey.as_ref()));
218 ecpoint.encode(&mut buf);
219 let pubkey = Payload::new(buf);
220
221 let ckx = Message {
222 typ: ContentType::Handshake,
223 version: ProtocolVersion::TLSv1_2,
224 payload: MessagePayload::Handshake(HandshakeMessagePayload {
225 typ: HandshakeType::ClientKeyExchange,
226 payload: HandshakePayload::ClientKeyExchange(pubkey),
227 }),
228 };
229
230 handshake.transcript.add_message(&ckx);
231 sess.common.send_msg(ckx, false);
232 }
233
emit_certverify(handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl) -> Result<(), TLSError>234 fn emit_certverify(handshake: &mut HandshakeDetails,
235 client_auth: &mut ClientAuthDetails,
236 sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
237 if client_auth.signer.is_none() {
238 trace!("Not sending CertificateVerify, no key");
239 handshake.transcript.abandon_client_auth();
240 return Ok(());
241 }
242
243 let message = handshake.transcript.take_handshake_buf();
244 let signer = client_auth.signer.take().unwrap();
245 let scheme = signer.get_scheme();
246 let sig = signer.sign(&message)?;
247 let body = DigitallySignedStruct::new(scheme, sig);
248
249 let m = Message {
250 typ: ContentType::Handshake,
251 version: ProtocolVersion::TLSv1_2,
252 payload: MessagePayload::Handshake(HandshakeMessagePayload {
253 typ: HandshakeType::CertificateVerify,
254 payload: HandshakePayload::CertificateVerify(body),
255 }),
256 };
257
258 handshake.transcript.add_message(&m);
259 sess.common.send_msg(m, false);
260 Ok(())
261 }
262
emit_ccs(sess: &mut ClientSessionImpl)263 fn emit_ccs(sess: &mut ClientSessionImpl) {
264 let ccs = Message {
265 typ: ContentType::ChangeCipherSpec,
266 version: ProtocolVersion::TLSv1_2,
267 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
268 };
269
270 sess.common.send_msg(ccs, false);
271 }
272
emit_finished(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl)273 fn emit_finished(secrets: &SessionSecrets,
274 handshake: &mut HandshakeDetails,
275 sess: &mut ClientSessionImpl) {
276 let vh = handshake.transcript.get_current_hash();
277 let verify_data = secrets.client_verify_data(&vh);
278 let verify_data_payload = Payload::new(verify_data);
279
280 let f = Message {
281 typ: ContentType::Handshake,
282 version: ProtocolVersion::TLSv1_2,
283 payload: MessagePayload::Handshake(HandshakeMessagePayload {
284 typ: HandshakeType::Finished,
285 payload: HandshakePayload::Finished(verify_data_payload),
286 }),
287 };
288
289 handshake.transcript.add_message(&f);
290 sess.common.send_msg(f, true);
291 }
292
293 // --- Either a CertificateRequest, or a ServerHelloDone. ---
294 // Existence of the CertificateRequest tells us the server is asking for
295 // client auth. Otherwise we go straight to ServerHelloDone.
296 struct ExpectCertificateRequest {
297 handshake: HandshakeDetails,
298 server_cert: ServerCertDetails,
299 server_kx: ServerKXDetails,
300 must_issue_new_ticket: bool,
301 }
302
303 impl ExpectCertificateRequest {
into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState304 fn into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState {
305 Box::new(ExpectServerDone {
306 handshake: self.handshake,
307 server_cert: self.server_cert,
308 server_kx: self.server_kx,
309 client_auth: Some(client_auth),
310 must_issue_new_ticket: self.must_issue_new_ticket,
311 })
312 }
313 }
314
315 impl hs::State for ExpectCertificateRequest {
check_message(&self, m: &Message) -> Result<(), TLSError>316 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
317 check_handshake_message(m, &[HandshakeType::CertificateRequest])
318 }
319
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError320 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
321 let certreq = extract_handshake!(m, HandshakePayload::CertificateRequest).unwrap();
322 self.handshake.transcript.add_message(&m);
323 debug!("Got CertificateRequest {:?}", certreq);
324
325 let mut client_auth = ClientAuthDetails::new();
326
327 // The RFC jovially describes the design here as 'somewhat complicated'
328 // and 'somewhat underspecified'. So thanks for that.
329
330 // We only support RSA signing at the moment. If you don't support that,
331 // we're not doing client auth.
332 if !certreq.certtypes.contains(&ClientCertificateType::RSASign) {
333 warn!("Server asked for client auth but without RSASign");
334 return Ok(self.into_expect_server_done(client_auth));
335 }
336
337 let canames = certreq.canames
338 .iter()
339 .map(|p| p.0.as_slice())
340 .collect::<Vec<&[u8]>>();
341 let maybe_certkey =
342 sess.config.client_auth_cert_resolver.resolve(&canames, &certreq.sigschemes);
343
344 if let Some(mut certkey) = maybe_certkey {
345 debug!("Attempting client auth");
346 let maybe_signer = certkey.key.choose_scheme(&certreq.sigschemes);
347 client_auth.cert = Some(certkey.take_cert());
348 client_auth.signer = maybe_signer;
349 } else {
350 debug!("Client auth requested but no cert/sigscheme available");
351 }
352
353 Ok(self.into_expect_server_done(client_auth))
354 }
355 }
356
357 struct ExpectServerDoneOrCertReq {
358 handshake: HandshakeDetails,
359 server_cert: ServerCertDetails,
360 server_kx: ServerKXDetails,
361 must_issue_new_ticket: bool,
362 }
363
364 impl ExpectServerDoneOrCertReq {
into_expect_certificate_req(self) -> hs::NextState365 fn into_expect_certificate_req(self) -> hs::NextState {
366 Box::new(ExpectCertificateRequest {
367 handshake: self.handshake,
368 server_cert: self.server_cert,
369 server_kx: self.server_kx,
370 must_issue_new_ticket: self.must_issue_new_ticket,
371 })
372 }
373
into_expect_server_done(self) -> hs::NextState374 fn into_expect_server_done(self) -> hs::NextState {
375 Box::new(ExpectServerDone {
376 handshake: self.handshake,
377 server_cert: self.server_cert,
378 server_kx: self.server_kx,
379 client_auth: None,
380 must_issue_new_ticket: self.must_issue_new_ticket,
381 })
382 }
383 }
384
385 impl hs::State for ExpectServerDoneOrCertReq {
check_message(&self, m: &Message) -> Result<(), TLSError>386 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
387 check_handshake_message(m,
388 &[HandshakeType::CertificateRequest,
389 HandshakeType::ServerHelloDone])
390 }
391
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError392 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
393 if extract_handshake!(m, HandshakePayload::CertificateRequest).is_some() {
394 self.into_expect_certificate_req().handle(sess, m)
395 } else {
396 self.handshake.transcript.abandon_client_auth();
397 self.into_expect_server_done().handle(sess, m)
398 }
399 }
400 }
401
402
403 struct ExpectServerDone {
404 handshake: HandshakeDetails,
405 server_cert: ServerCertDetails,
406 server_kx: ServerKXDetails,
407 client_auth: Option<ClientAuthDetails>,
408 must_issue_new_ticket: bool,
409 }
410
411 impl ExpectServerDone {
into_expect_new_ticket(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> hs::NextState412 fn into_expect_new_ticket(self,
413 secrets: SessionSecrets,
414 certv: verify::ServerCertVerified,
415 sigv: verify::HandshakeSignatureValid) -> hs::NextState {
416 Box::new(ExpectNewTicket {
417 secrets,
418 handshake: self.handshake,
419 resuming: false,
420 cert_verified: certv,
421 sig_verified: sigv,
422 })
423 }
424
into_expect_ccs(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> hs::NextState425 fn into_expect_ccs(self,
426 secrets: SessionSecrets,
427 certv: verify::ServerCertVerified,
428 sigv: verify::HandshakeSignatureValid) -> hs::NextState {
429 Box::new(ExpectCCS {
430 secrets,
431 handshake: self.handshake,
432 ticket: ReceivedTicketDetails::new(),
433 resuming: false,
434 cert_verified: certv,
435 sig_verified: sigv,
436 })
437 }
438 }
439
440 impl hs::State for ExpectServerDone {
check_message(&self, m: &Message) -> Result<(), TLSError>441 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
442 check_handshake_message(m, &[HandshakeType::ServerHelloDone])
443 }
444
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError445 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
446 let mut st = *self;
447 st.handshake.transcript.add_message(&m);
448
449 debug!("Server cert is {:?}", st.server_cert.cert_chain);
450 debug!("Server DNS name is {:?}", st.handshake.dns_name);
451
452 // 1. Verify the cert chain.
453 // 2. Verify any SCTs provided with the certificate.
454 // 3. Verify that the top certificate signed their kx.
455 // 4. If doing client auth, send our Certificate.
456 // 5. Complete the key exchange:
457 // a) generate our kx pair
458 // b) emit a ClientKeyExchange containing it
459 // c) if doing client auth, emit a CertificateVerify
460 // d) emit a CCS
461 // e) derive the shared keys, and start encryption
462 // 6. emit a Finished, our first encrypted message under the new keys.
463
464 // 1.
465 if st.server_cert.cert_chain.is_empty() {
466 return Err(TLSError::NoCertificatesPresented);
467 }
468
469 let certv = sess.config
470 .get_verifier()
471 .verify_server_cert(&sess.config.root_store,
472 &st.server_cert.cert_chain,
473 st.handshake.dns_name.as_ref(),
474 &st.server_cert.ocsp_response)
475 .map_err(|err| hs::send_cert_error_alert(sess, err))?;
476
477 // 2. Verify any included SCTs.
478 match (st.server_cert.scts.as_ref(), sess.config.ct_logs) {
479 (Some(scts), Some(logs)) => {
480 verify::verify_scts(&st.server_cert.cert_chain[0],
481 scts,
482 logs)?;
483 }
484 (_, _) => {}
485 }
486
487 // 3.
488 // Build up the contents of the signed message.
489 // It's ClientHello.random || ServerHello.random || ServerKeyExchange.params
490 let sigv = {
491 let mut message = Vec::new();
492 message.extend_from_slice(&st.handshake.randoms.client);
493 message.extend_from_slice(&st.handshake.randoms.server);
494 message.extend_from_slice(&st.server_kx.kx_params);
495
496 // Check the signature is compatible with the ciphersuite.
497 let sig = &st.server_kx.kx_sig;
498 let scs = sess.common.get_suite_assert();
499 if scs.sign != sig.scheme.sign() {
500 let error_message =
501 format!("peer signed kx with wrong algorithm (got {:?} expect {:?})",
502 sig.scheme.sign(), scs.sign);
503 return Err(TLSError::PeerMisbehavedError(error_message));
504 }
505
506 verify::verify_signed_struct(&message,
507 &st.server_cert.cert_chain[0],
508 sig)
509 .map_err(|err| hs::send_cert_error_alert(sess, err))?
510 };
511 sess.server_cert_chain = st.server_cert.take_chain();
512
513 // 4.
514 if st.client_auth.is_some() {
515 emit_certificate(&mut st.handshake,
516 st.client_auth.as_mut().unwrap(),
517 sess);
518 }
519
520 // 5a.
521 let kxd = sess.common.get_suite_assert()
522 .do_client_kx(&st.server_kx.kx_params)
523 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
524
525 // 5b.
526 emit_clientkx(&mut st.handshake, sess, &kxd);
527 // nb. EMS handshake hash only runs up to ClientKeyExchange.
528 let handshake_hash = st.handshake.transcript.get_current_hash();
529
530 // 5c.
531 if st.client_auth.is_some() {
532 emit_certverify(&mut st.handshake,
533 st.client_auth.as_mut().unwrap(),
534 sess)?;
535 }
536
537 // 5d.
538 emit_ccs(sess);
539
540 // 5e. Now commit secrets.
541 let hashalg = sess.common.get_suite_assert().get_hash();
542 let secrets = if st.handshake.using_ems {
543 SessionSecrets::new_ems(&st.handshake.randoms,
544 &handshake_hash,
545 hashalg,
546 &kxd.shared_secret)
547 } else {
548 SessionSecrets::new(&st.handshake.randoms,
549 hashalg,
550 &kxd.shared_secret)
551 };
552 sess.config.key_log.log("CLIENT_RANDOM",
553 &secrets.randoms.client,
554 &secrets.master_secret);
555 sess.common.start_encryption_tls12(&secrets);
556 sess.common
557 .record_layer
558 .start_encrypting();
559
560 // 6.
561 emit_finished(&secrets, &mut st.handshake, sess);
562
563 if st.must_issue_new_ticket {
564 Ok(st.into_expect_new_ticket(secrets, certv, sigv))
565 } else {
566 Ok(st.into_expect_ccs(secrets, certv, sigv))
567 }
568 }
569 }
570
571 // -- Waiting for their CCS --
572 pub struct ExpectCCS {
573 pub secrets: SessionSecrets,
574 pub handshake: HandshakeDetails,
575 pub ticket: ReceivedTicketDetails,
576 pub resuming: bool,
577 pub cert_verified: verify::ServerCertVerified,
578 pub sig_verified: verify::HandshakeSignatureValid,
579 }
580
581 impl ExpectCCS {
into_expect_finished(self) -> hs::NextState582 fn into_expect_finished(self) -> hs::NextState {
583 Box::new(ExpectFinished {
584 secrets: self.secrets,
585 handshake: self.handshake,
586 ticket: self.ticket,
587 resuming: self.resuming,
588 cert_verified: self.cert_verified,
589 sig_verified: self.sig_verified,
590 })
591 }
592 }
593
594 impl hs::State for ExpectCCS {
check_message(&self, m: &Message) -> Result<(), TLSError>595 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
596 check_message(m, &[ContentType::ChangeCipherSpec], &[])
597 }
598
handle(self: Box<Self>, sess: &mut ClientSessionImpl, _m: Message) -> hs::NextStateOrError599 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, _m: Message) -> hs::NextStateOrError {
600 // CCS should not be received interleaved with fragmented handshake-level
601 // message.
602 if !sess.common.handshake_joiner.is_empty() {
603 warn!("CCS received interleaved with fragmented handshake");
604 return Err(TLSError::InappropriateMessage {
605 expect_types: vec![ ContentType::Handshake ],
606 got_type: ContentType::ChangeCipherSpec,
607 });
608 }
609
610 // nb. msgs layer validates trivial contents of CCS
611 sess.common
612 .record_layer
613 .start_decrypting();
614
615 Ok(self.into_expect_finished())
616 }
617 }
618
619 pub struct ExpectNewTicket {
620 pub secrets: SessionSecrets,
621 pub handshake: HandshakeDetails,
622 pub resuming: bool,
623 pub cert_verified: verify::ServerCertVerified,
624 pub sig_verified: verify::HandshakeSignatureValid,
625 }
626
627 impl ExpectNewTicket {
into_expect_ccs(self, ticket: ReceivedTicketDetails) -> hs::NextState628 fn into_expect_ccs(self, ticket: ReceivedTicketDetails) -> hs::NextState {
629 Box::new(ExpectCCS {
630 secrets: self.secrets,
631 handshake: self.handshake,
632 ticket,
633 resuming: self.resuming,
634 cert_verified: self.cert_verified,
635 sig_verified: self.sig_verified,
636 })
637 }
638 }
639
640 impl hs::State for ExpectNewTicket {
check_message(&self, m: &Message) -> Result<(), TLSError>641 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
642 check_handshake_message(m, &[HandshakeType::NewSessionTicket])
643 }
644
handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError645 fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
646 self.handshake.transcript.add_message(&m);
647
648 let nst = extract_handshake_mut!(m, HandshakePayload::NewSessionTicket).unwrap();
649 let recvd = ReceivedTicketDetails::from(nst.ticket.0, nst.lifetime_hint);
650 Ok(self.into_expect_ccs(recvd))
651 }
652 }
653
654 // -- Waiting for their finished --
save_session(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, recvd_ticket: &mut ReceivedTicketDetails, sess: &mut ClientSessionImpl)655 fn save_session(secrets: &SessionSecrets,
656 handshake: &mut HandshakeDetails,
657 recvd_ticket: &mut ReceivedTicketDetails,
658 sess: &mut ClientSessionImpl) {
659 // Save a ticket. If we got a new ticket, save that. Otherwise, save the
660 // original ticket again.
661 let mut ticket = mem::replace(&mut recvd_ticket.new_ticket, Vec::new());
662 if ticket.is_empty() && handshake.resuming_session.is_some() {
663 ticket = handshake.resuming_session.as_mut().unwrap().take_ticket();
664 }
665
666 if handshake.session_id.is_empty() && ticket.is_empty() {
667 debug!("Session not saved: server didn't allocate id or ticket");
668 return;
669 }
670
671 let key = persist::ClientSessionKey::session_for_dns_name(handshake.dns_name.as_ref());
672
673 let scs = sess.common.get_suite_assert();
674 let master_secret = secrets.get_master_secret();
675 let version = sess.get_protocol_version().unwrap();
676 let mut value = persist::ClientSessionValue::new(version,
677 scs.suite,
678 &handshake.session_id,
679 ticket,
680 master_secret);
681 value.set_times(ticketer::timebase(),
682 recvd_ticket.new_ticket_lifetime,
683 0);
684 if handshake.using_ems {
685 value.set_extended_ms_used();
686 }
687
688 let worked = sess.config.session_persistence.put(key.get_encoding(),
689 value.get_encoding());
690
691 if worked {
692 debug!("Session saved");
693 } else {
694 debug!("Session not saved");
695 }
696 }
697
698 struct ExpectFinished {
699 handshake: HandshakeDetails,
700 ticket: ReceivedTicketDetails,
701 secrets: SessionSecrets,
702 resuming: bool,
703 cert_verified: verify::ServerCertVerified,
704 sig_verified: verify::HandshakeSignatureValid,
705 }
706
707 impl ExpectFinished {
into_expect_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState708 fn into_expect_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState {
709 Box::new(ExpectTraffic {
710 secrets: self.secrets,
711 _cert_verified: self.cert_verified,
712 _sig_verified: self.sig_verified,
713 _fin_verified: fin,
714 })
715 }
716 }
717
718 impl hs::State for ExpectFinished {
check_message(&self, m: &Message) -> Result<(), TLSError>719 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
720 check_handshake_message(m, &[HandshakeType::Finished])
721 }
722
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError723 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
724 let mut st = *self;
725 let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
726
727 // Work out what verify_data we expect.
728 let vh = st.handshake.transcript.get_current_hash();
729 let expect_verify_data = st.secrets
730 .server_verify_data(&vh);
731
732 // Constant-time verification of this is relatively unimportant: they only
733 // get one chance. But it can't hurt.
734 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
735 .map_err(|_| {
736 sess.common.send_fatal_alert(AlertDescription::DecryptError);
737 TLSError::DecryptError
738 })
739 .map(|_| verify::FinishedMessageVerified::assertion())?;
740
741 // Hash this message too.
742 st.handshake.transcript.add_message(&m);
743
744 save_session(&st.secrets,
745 &mut st.handshake,
746 &mut st.ticket,
747 sess);
748
749 if st.resuming {
750 emit_ccs(sess);
751 sess.common
752 .record_layer
753 .start_encrypting();
754 emit_finished(&st.secrets, &mut st.handshake, sess);
755 }
756
757 sess.common.start_traffic();
758 Ok(st.into_expect_traffic(fin))
759 }
760 }
761
762 // -- Traffic transit state --
763 struct ExpectTraffic {
764 secrets: SessionSecrets,
765 _cert_verified: verify::ServerCertVerified,
766 _sig_verified: verify::HandshakeSignatureValid,
767 _fin_verified: verify::FinishedMessageVerified,
768 }
769
770 impl hs::State for ExpectTraffic {
check_message(&self, m: &Message) -> Result<(), TLSError>771 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
772 check_message(m, &[ContentType::ApplicationData], &[])
773 }
774
handle(self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message) -> hs::NextStateOrError775 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message) -> hs::NextStateOrError {
776 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
777 Ok(self)
778 }
779
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>780 fn export_keying_material(&self,
781 output: &mut [u8],
782 label: &[u8],
783 context: Option<&[u8]>) -> Result<(), TLSError> {
784 self.secrets.export_keying_material(output, label, context);
785 Ok(())
786 }
787 }
788