1 use crate::msgs::enums::{ContentType, HandshakeType, ExtensionType, SignatureScheme};
2 use crate::msgs::enums::{ProtocolVersion, AlertDescription, NamedGroup};
3 use crate::msgs::enums::KeyUpdateRequest;
4 use crate::msgs::message::{Message, MessagePayload};
5 use crate::msgs::base::{Payload, PayloadU8};
6 use crate::msgs::handshake::{HandshakePayload, HandshakeMessagePayload};
7 use crate::msgs::handshake::{SessionID, ServerHelloPayload, HasServerExtensions};
8 use crate::msgs::handshake::{ClientExtension, HelloRetryRequest, KeyShareEntry};
9 use crate::msgs::handshake::EncryptedExtensions;
10 use crate::msgs::handshake::{CertificatePayloadTLS13, CertificateEntry};
11 use crate::msgs::handshake::{PresharedKeyIdentity, PresharedKeyOffer};
12 use crate::msgs::handshake::DigitallySignedStruct;
13 use crate::msgs::ccs::ChangeCipherSpecPayload;
14 use crate::msgs::codec::Codec;
15 use crate::msgs::persist;
16 use crate::client::ClientSessionImpl;
17 use crate::key_schedule::{
18 KeyScheduleEarly,
19 KeyScheduleNonSecret,
20 KeyScheduleHandshake,
21 KeyScheduleTrafficWithClientFinishedPending,
22 KeyScheduleTraffic
23 };
24 use crate::cipher;
25 use crate::verify;
26 use crate::sign;
27 use crate::suites;
28 use crate::ticketer;
29 #[cfg(feature = "logging")]
30 use crate::log::{debug, warn};
31 use crate::error::TLSError;
32 use crate::handshake::{check_message, check_handshake_message};
33 #[cfg(feature = "quic")]
34 use crate::{
35 quic,
36 msgs::base::PayloadU16,
37 session::Protocol
38 };
39
40 use crate::client::common::{ServerCertDetails, HandshakeDetails};
41 use crate::client::common::{ClientHelloDetails, ClientAuthDetails};
42 use crate::client::hs;
43
44 use ring::constant_time;
45 use webpki;
46
47 // Extensions we expect in plaintext in the ServerHello.
48 static ALLOWED_PLAINTEXT_EXTS: &[ExtensionType] = &[
49 ExtensionType::KeyShare,
50 ExtensionType::PreSharedKey,
51 ExtensionType::SupportedVersions,
52 ];
53
54 // Only the intersection of things we offer, and those disallowed
55 // in TLS1.3
56 static DISALLOWED_TLS13_EXTS: &[ExtensionType] = &[
57 ExtensionType::ECPointFormats,
58 ExtensionType::SessionTicket,
59 ExtensionType::RenegotiationInfo,
60 ExtensionType::ExtendedMasterSecret,
61 ];
62
validate_server_hello(sess: &mut ClientSessionImpl, server_hello: &ServerHelloPayload) -> Result<(), TLSError>63 pub fn validate_server_hello(sess: &mut ClientSessionImpl,
64 server_hello: &ServerHelloPayload) -> Result<(), TLSError> {
65 for ext in &server_hello.extensions {
66 if !ALLOWED_PLAINTEXT_EXTS.contains(&ext.get_type()) {
67 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
68 return Err(TLSError::PeerMisbehavedError("server sent unexpected cleartext ext"
69 .to_string()));
70 }
71 }
72
73 Ok(())
74 }
75
find_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef) -> Option<NamedGroup>76 fn find_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef) -> Option<NamedGroup> {
77 let key = persist::ClientSessionKey::hint_for_dns_name(dns_name);
78 let key_buf = key.get_encoding();
79
80 let maybe_value = sess.config.session_persistence.get(&key_buf);
81 maybe_value.and_then(|enc| NamedGroup::read_bytes(&enc))
82 }
83
save_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef, group: NamedGroup)84 fn save_kx_hint(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef, group: NamedGroup) {
85 let key = persist::ClientSessionKey::hint_for_dns_name(dns_name);
86
87 sess.config.session_persistence.put(key.get_encoding(), group.get_encoding());
88 }
89
choose_kx_groups(sess: &mut ClientSessionImpl, exts: &mut Vec<ClientExtension>, hello: &mut ClientHelloDetails, handshake: &mut HandshakeDetails, retryreq: Option<&HelloRetryRequest>)90 pub fn choose_kx_groups(sess: &mut ClientSessionImpl,
91 exts: &mut Vec<ClientExtension>,
92 hello: &mut ClientHelloDetails,
93 handshake: &mut HandshakeDetails,
94 retryreq: Option<&HelloRetryRequest>) {
95 // Choose our groups:
96 // - if we've been asked via HelloRetryRequest for a specific
97 // one, do that.
98 // - if not, we might have a hint of what the server supports
99 // - if not, send just X25519.
100 //
101 let groups = retryreq.and_then(HelloRetryRequest::get_requested_key_share_group)
102 .or_else(|| find_kx_hint(sess, handshake.dns_name.as_ref()))
103 .or_else(|| Some(NamedGroup::X25519))
104 .map(|grp| vec![ grp ])
105 .unwrap();
106
107 let mut key_shares = vec![];
108
109 for group in groups {
110 // in reply to HelloRetryRequest, we must not alter any existing key
111 // shares
112 if let Some(already_offered_share) = hello.find_key_share(group) {
113 key_shares.push(KeyShareEntry::new(group, already_offered_share.pubkey.as_ref()));
114 hello.offered_key_shares.push(already_offered_share);
115 continue;
116 }
117
118 if let Some(key_share) = suites::KeyExchange::start_ecdhe(group) {
119 key_shares.push(KeyShareEntry::new(group, key_share.pubkey.as_ref()));
120 hello.offered_key_shares.push(key_share);
121 }
122 }
123
124 exts.push(ClientExtension::KeyShare(key_shares));
125 }
126
127 /// This implements the horrifying TLS1.3 hack where PSK binders have a
128 /// data dependency on the message they are contained within.
fill_in_psk_binder(sess: &mut ClientSessionImpl, handshake: &mut HandshakeDetails, hmp: &mut HandshakeMessagePayload) -> KeyScheduleEarly129 pub fn fill_in_psk_binder(sess: &mut ClientSessionImpl,
130 handshake: &mut HandshakeDetails,
131 hmp: &mut HandshakeMessagePayload) -> KeyScheduleEarly {
132 // We need to know the hash function of the suite we're trying to resume into.
133 let resuming = handshake.resuming_session.as_ref().unwrap();
134 let suite = sess.find_cipher_suite(resuming.cipher_suite).unwrap();
135 let hkdf_alg = suite.hkdf_algorithm;
136 let suite_hash = suite.get_hash();
137
138 // The binder is calculated over the clienthello, but doesn't include itself or its
139 // length, or the length of its container.
140 let binder_plaintext = hmp.get_encoding_for_binder_signing();
141 let handshake_hash =
142 handshake.transcript.get_hash_given(suite_hash, &binder_plaintext);
143
144 // Run a fake key_schedule to simulate what the server will do if it choses
145 // to resume.
146 let key_schedule = KeyScheduleEarly::new(hkdf_alg, &resuming.master_secret.0);
147 let real_binder = key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
148
149 if let HandshakePayload::ClientHello(ref mut ch) = hmp.payload {
150 ch.set_psk_binder(real_binder);
151 };
152
153 key_schedule
154 }
155
start_handshake_traffic(sess: &mut ClientSessionImpl, early_key_schedule: Option<KeyScheduleEarly>, server_hello: &ServerHelloPayload, handshake: &mut HandshakeDetails, hello: &mut ClientHelloDetails) -> Result<KeyScheduleHandshake, TLSError>156 pub fn start_handshake_traffic(sess: &mut ClientSessionImpl,
157 early_key_schedule: Option<KeyScheduleEarly>,
158 server_hello: &ServerHelloPayload,
159 handshake: &mut HandshakeDetails,
160 hello: &mut ClientHelloDetails)
161 -> Result<KeyScheduleHandshake, TLSError> {
162 let suite = sess.common.get_suite_assert();
163
164 let their_key_share = server_hello.get_key_share()
165 .ok_or_else(|| {
166 sess.common.send_fatal_alert(AlertDescription::MissingExtension);
167 TLSError::PeerMisbehavedError("missing key share".to_string())
168 })?;
169
170 let our_key_share = hello.find_key_share_and_discard_others(their_key_share.group)
171 .ok_or_else(|| hs::illegal_param(sess, "wrong group for key share"))?;
172 let shared = our_key_share.complete(&their_key_share.payload.0)
173 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed"
174 .to_string()))?;
175
176 let mut key_schedule = if let Some(selected_psk) = server_hello.get_psk_index() {
177 if let Some(ref resuming) = handshake.resuming_session {
178 let resume_from_suite = sess.find_cipher_suite(resuming.cipher_suite).unwrap();
179 if !resume_from_suite.can_resume_to(suite) {
180 return Err(TLSError::PeerMisbehavedError("server resuming incompatible suite"
181 .to_string()));
182 }
183
184 if selected_psk != 0 {
185 return Err(TLSError::PeerMisbehavedError("server selected invalid psk"
186 .to_string()));
187 }
188
189 debug!("Resuming using PSK");
190 // The key schedule has been initialized and set in fill_in_psk_binder()
191 } else {
192 return Err(TLSError::PeerMisbehavedError("server selected unoffered psk".to_string()));
193 }
194 early_key_schedule.unwrap()
195 .into_handshake(&shared.shared_secret)
196 } else {
197 debug!("Not resuming");
198 // Discard the early data key schedule.
199 sess.early_data.rejected();
200 sess.common.early_traffic = false;
201 handshake.resuming_session.take();
202 KeyScheduleNonSecret::new(suite.hkdf_algorithm)
203 .into_handshake(&shared.shared_secret)
204 };
205
206 // Remember what KX group the server liked for next time.
207 save_kx_hint(sess, handshake.dns_name.as_ref(), their_key_share.group);
208
209 // If we change keying when a subsequent handshake message is being joined,
210 // the two halves will have different record layer protections. Disallow this.
211 hs::check_aligned_handshake(sess)?;
212
213 handshake.hash_at_client_recvd_server_hello =
214 handshake.transcript.get_current_hash();
215
216 let _maybe_write_key = if !sess.early_data.is_enabled() {
217 // Set the client encryption key for handshakes if early data is not used
218 let write_key = key_schedule
219 .client_handshake_traffic_secret(&handshake.hash_at_client_recvd_server_hello,
220 &*sess.config.key_log,
221 &handshake.randoms.client);
222 sess.common
223 .record_layer
224 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
225 Some(write_key)
226 } else {
227 None
228 };
229
230 let read_key = key_schedule
231 .server_handshake_traffic_secret(&handshake.hash_at_client_recvd_server_hello,
232 &*sess.config.key_log,
233 &handshake.randoms.client);
234 sess.common
235 .record_layer
236 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
237
238 #[cfg(feature = "quic")] {
239 let write_key = if sess.early_data.is_enabled() {
240 // Traffic secret wasn't computed and stored above, so do it here.
241 key_schedule
242 .client_handshake_traffic_secret(&handshake.hash_at_client_recvd_server_hello,
243 &*sess.config.key_log,
244 &handshake.randoms.client)
245 } else {
246 _maybe_write_key.unwrap()
247 };
248 sess.common.quic.hs_secrets = Some(quic::Secrets {
249 client: write_key,
250 server: read_key,
251 });
252 }
253
254 Ok(key_schedule)
255 }
256
prepare_resumption(sess: &mut ClientSessionImpl, ticket: Vec<u8>, handshake: &HandshakeDetails, exts: &mut Vec<ClientExtension>, doing_retry: bool) -> bool257 pub fn prepare_resumption(sess: &mut ClientSessionImpl,
258 ticket: Vec<u8>,
259 handshake: &HandshakeDetails,
260 exts: &mut Vec<ClientExtension>,
261 doing_retry: bool) -> bool {
262 let resuming_suite = handshake.resuming_session
263 .as_ref()
264 .and_then(|resume| sess.find_cipher_suite(resume.cipher_suite));
265
266 if hs::compatible_suite(sess, resuming_suite) {
267 sess.resumption_ciphersuite = resuming_suite;
268 // The EarlyData extension MUST be supplied together with the
269 // PreSharedKey extension.
270 let max_early_data_size = handshake
271 .resuming_session
272 .as_ref()
273 .map_or(0, |resume| resume.max_early_data_size);
274 if sess.config.enable_early_data && max_early_data_size > 0 && !doing_retry {
275 sess.early_data.enable(max_early_data_size as usize);
276 exts.push(ClientExtension::EarlyData);
277 }
278
279 // Finally, and only for TLS1.3 with a ticket resumption, include a binder
280 // for our ticket. This must go last.
281 //
282 // Include an empty binder. It gets filled in below because it depends on
283 // the message it's contained in (!!!).
284 let (obfuscated_ticket_age, suite) = {
285 let resuming = handshake.resuming_session
286 .as_ref()
287 .unwrap();
288 (resuming.get_obfuscated_ticket_age(ticketer::timebase()), resuming.cipher_suite)
289 };
290
291 let binder_len = sess.find_cipher_suite(suite).unwrap().get_hash().output_len;
292 let binder = vec![0u8; binder_len];
293
294 let psk_identity = PresharedKeyIdentity::new(ticket, obfuscated_ticket_age);
295 let psk_ext = PresharedKeyOffer::new(psk_identity, binder);
296 exts.push(ClientExtension::PresharedKey(psk_ext));
297 true
298 } else {
299 false
300 }
301 }
302
emit_fake_ccs(hs: &mut HandshakeDetails, sess: &mut ClientSessionImpl)303 pub fn emit_fake_ccs(hs: &mut HandshakeDetails, sess: &mut ClientSessionImpl) {
304 #[cfg(feature = "quic")] {
305 if let Protocol::Quic = sess.common.protocol { return; }
306 }
307
308 if hs.sent_tls13_fake_ccs {
309 return;
310 }
311
312 let m = Message {
313 typ: ContentType::ChangeCipherSpec,
314 version: ProtocolVersion::TLSv1_2,
315 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {})
316 };
317 sess.common.send_msg(m, false);
318 hs.sent_tls13_fake_ccs = true;
319 }
320
validate_encrypted_extensions(sess: &mut ClientSessionImpl, hello: &ClientHelloDetails, exts: &EncryptedExtensions) -> Result<(), TLSError>321 fn validate_encrypted_extensions(sess: &mut ClientSessionImpl,
322 hello: &ClientHelloDetails,
323 exts: &EncryptedExtensions) -> Result<(), TLSError> {
324 if exts.has_duplicate_extension() {
325 sess.common.send_fatal_alert(AlertDescription::DecodeError);
326 return Err(TLSError::PeerMisbehavedError("server sent duplicate encrypted extensions"
327 .to_string()));
328 }
329
330 if hello.server_sent_unsolicited_extensions(exts, &[]) {
331 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
332 let msg = "server sent unsolicited encrypted extension".to_string();
333 return Err(TLSError::PeerMisbehavedError(msg));
334 }
335
336 for ext in exts {
337 if ALLOWED_PLAINTEXT_EXTS.contains(&ext.get_type()) ||
338 DISALLOWED_TLS13_EXTS.contains(&ext.get_type()) {
339 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
340 let msg = "server sent inappropriate encrypted extension".to_string();
341 return Err(TLSError::PeerMisbehavedError(msg));
342 }
343 }
344
345 Ok(())
346 }
347
348 pub struct ExpectEncryptedExtensions {
349 pub handshake: HandshakeDetails,
350 pub key_schedule: KeyScheduleHandshake,
351 pub server_cert: ServerCertDetails,
352 pub hello: ClientHelloDetails,
353 }
354
355 impl ExpectEncryptedExtensions {
into_expect_finished_resume(self, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> hs::NextState356 fn into_expect_finished_resume(self,
357 certv: verify::ServerCertVerified,
358 sigv: verify::HandshakeSignatureValid) -> hs::NextState {
359 Box::new(ExpectFinished {
360 handshake: self.handshake,
361 key_schedule: self.key_schedule,
362 client_auth: None,
363 cert_verified: certv,
364 sig_verified: sigv,
365 })
366 }
367
into_expect_certificate_or_certreq(self) -> hs::NextState368 fn into_expect_certificate_or_certreq(self) -> hs::NextState {
369 Box::new(ExpectCertificateOrCertReq {
370 handshake: self.handshake,
371 key_schedule: self.key_schedule,
372 server_cert: self.server_cert,
373 })
374 }
375 }
376
377 impl hs::State for ExpectEncryptedExtensions {
check_message(&self, m: &Message) -> Result<(), TLSError>378 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
379 check_handshake_message(m, &[HandshakeType::EncryptedExtensions])
380 }
381
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError382 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
383 let exts = extract_handshake!(m, HandshakePayload::EncryptedExtensions).unwrap();
384 debug!("TLS1.3 encrypted extensions: {:?}", exts);
385 self.handshake.transcript.add_message(&m);
386
387 validate_encrypted_extensions(sess, &self.hello, exts)?;
388 hs::process_alpn_protocol(sess, exts.get_alpn_protocol())?;
389
390 #[cfg(feature = "quic")] {
391 // QUIC transport parameters
392 if let Some(params) = exts.get_quic_params_extension() {
393 sess.common.quic.params = Some(params);
394 }
395 }
396
397 if self.handshake.resuming_session.is_some() {
398 let was_early_traffic = sess.common.early_traffic;
399 if was_early_traffic {
400 if exts.early_data_extension_offered() {
401 sess.early_data.accepted();
402 } else {
403 sess.early_data.rejected();
404 sess.common.early_traffic = false;
405 }
406 }
407
408 if was_early_traffic && !sess.common.early_traffic {
409 // If no early traffic, set the encryption key for handshakes
410 let suite = sess.common.get_suite_assert();
411 let write_key = self.key_schedule
412 .client_handshake_traffic_secret(
413 &self.handshake.hash_at_client_recvd_server_hello,
414 &*sess.config.key_log,
415 &self.handshake.randoms.client);
416 sess.common
417 .record_layer
418 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
419 }
420 let certv = verify::ServerCertVerified::assertion();
421 let sigv = verify::HandshakeSignatureValid::assertion();
422 Ok(self.into_expect_finished_resume(certv, sigv))
423 } else {
424 if exts.early_data_extension_offered() {
425 let msg = "server sent early data extension without resumption".to_string();
426 return Err(TLSError::PeerMisbehavedError(msg));
427 }
428 Ok(self.into_expect_certificate_or_certreq())
429 }
430 }
431 }
432
433 struct ExpectCertificate {
434 handshake: HandshakeDetails,
435 key_schedule: KeyScheduleHandshake,
436 server_cert: ServerCertDetails,
437 client_auth: Option<ClientAuthDetails>,
438 }
439
440 impl ExpectCertificate {
into_expect_certificate_verify(self) -> hs::NextState441 fn into_expect_certificate_verify(self) -> hs::NextState {
442 Box::new(ExpectCertificateVerify {
443 handshake: self.handshake,
444 key_schedule: self.key_schedule,
445 server_cert: self.server_cert,
446 client_auth: self.client_auth,
447 })
448 }
449 }
450
451 impl hs::State for ExpectCertificate {
check_message(&self, m: &Message) -> Result<(), TLSError>452 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
453 check_handshake_message(m, &[HandshakeType::Certificate])
454 }
455
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError456 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
457 let cert_chain = extract_handshake!(m, HandshakePayload::CertificateTLS13).unwrap();
458 self.handshake.transcript.add_message(&m);
459
460 // This is only non-empty for client auth.
461 if !cert_chain.context.0.is_empty() {
462 warn!("certificate with non-empty context during handshake");
463 sess.common.send_fatal_alert(AlertDescription::DecodeError);
464 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
465 }
466
467 if cert_chain.any_entry_has_duplicate_extension() ||
468 cert_chain.any_entry_has_unknown_extension() {
469 warn!("certificate chain contains unsolicited/unknown extension");
470 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
471 return Err(TLSError::PeerMisbehavedError("bad cert chain extensions".to_string()));
472 }
473
474 self.server_cert.ocsp_response = cert_chain.get_end_entity_ocsp();
475 self.server_cert.scts = cert_chain.get_end_entity_scts();
476 self.server_cert.cert_chain = cert_chain.convert();
477
478 if let Some(sct_list) = self.server_cert.scts.as_ref() {
479 if hs::sct_list_is_invalid(sct_list) {
480 let error_msg = "server sent invalid SCT list".to_string();
481 return Err(TLSError::PeerMisbehavedError(error_msg));
482 }
483
484 if sess.config.ct_logs.is_none() {
485 let error_msg = "server sent unsolicited SCT list".to_string();
486 return Err(TLSError::PeerMisbehavedError(error_msg));
487 }
488 }
489
490 Ok(self.into_expect_certificate_verify())
491 }
492 }
493
494 struct ExpectCertificateOrCertReq {
495 handshake: HandshakeDetails,
496 key_schedule: KeyScheduleHandshake,
497 server_cert: ServerCertDetails,
498 }
499
500 impl ExpectCertificateOrCertReq {
into_expect_certificate(self) -> hs::NextState501 fn into_expect_certificate(self) -> hs::NextState {
502 Box::new(ExpectCertificate {
503 handshake: self.handshake,
504 key_schedule: self.key_schedule,
505 server_cert: self.server_cert,
506 client_auth: None,
507 })
508 }
509
into_expect_certificate_req(self) -> hs::NextState510 fn into_expect_certificate_req(self) -> hs::NextState {
511 Box::new(ExpectCertificateRequest {
512 handshake: self.handshake,
513 key_schedule: self.key_schedule,
514 server_cert: self.server_cert,
515 })
516 }
517 }
518
519 impl hs::State for ExpectCertificateOrCertReq {
check_message(&self, m: &Message) -> Result<(), TLSError>520 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
521 check_handshake_message(m,
522 &[HandshakeType::Certificate,
523 HandshakeType::CertificateRequest])
524 }
525
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError526 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
527 if m.is_handshake_type(HandshakeType::Certificate) {
528 self.into_expect_certificate().handle(sess, m)
529 } else {
530 self.into_expect_certificate_req().handle(sess, m)
531 }
532 }
533 }
534
535 // --- TLS1.3 CertificateVerify ---
536 struct ExpectCertificateVerify {
537 handshake: HandshakeDetails,
538 key_schedule: KeyScheduleHandshake,
539 server_cert: ServerCertDetails,
540 client_auth: Option<ClientAuthDetails>,
541 }
542
543 impl ExpectCertificateVerify {
into_expect_finished(self, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> hs::NextState544 fn into_expect_finished(self,
545 certv: verify::ServerCertVerified,
546 sigv: verify::HandshakeSignatureValid) -> hs::NextState {
547 Box::new(ExpectFinished {
548 handshake: self.handshake,
549 key_schedule: self.key_schedule,
550 client_auth: self.client_auth,
551 cert_verified: certv,
552 sig_verified: sigv,
553 })
554 }
555 }
556
send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError557 fn send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError {
558 match err {
559 TLSError::WebPKIError(webpki::Error::BadDER) => {
560 sess.common.send_fatal_alert(AlertDescription::DecodeError);
561 }
562 TLSError::PeerMisbehavedError(_) => {
563 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
564 }
565 _ => {
566 sess.common.send_fatal_alert(AlertDescription::BadCertificate);
567 }
568 };
569
570 err
571 }
572
573 impl hs::State for ExpectCertificateVerify {
check_message(&self, m: &Message) -> Result<(), TLSError>574 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
575 check_handshake_message(m, &[HandshakeType::CertificateVerify])
576 }
577
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError578 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
579 let cert_verify = extract_handshake!(m, HandshakePayload::CertificateVerify).unwrap();
580
581 debug!("Server cert is {:?}", self.server_cert.cert_chain);
582
583 // 1. Verify the certificate chain.
584 if self.server_cert.cert_chain.is_empty() {
585 return Err(TLSError::NoCertificatesPresented);
586 }
587
588 let certv = sess.config
589 .get_verifier()
590 .verify_server_cert(&sess.config.root_store,
591 &self.server_cert.cert_chain,
592 self.handshake.dns_name.as_ref(),
593 &self.server_cert.ocsp_response)
594 .map_err(|err| send_cert_error_alert(sess, err))?;
595
596 // 2. Verify their signature on the handshake.
597 let handshake_hash = self.handshake.transcript.get_current_hash();
598 let sigv = verify::verify_tls13(&self.server_cert.cert_chain[0],
599 cert_verify,
600 &handshake_hash,
601 b"TLS 1.3, server CertificateVerify\x00")
602 .map_err(|err| send_cert_error_alert(sess, err))?;
603
604 // 3. Verify any included SCTs.
605 match (self.server_cert.scts.as_ref(), sess.config.ct_logs) {
606 (Some(scts), Some(logs)) => {
607 verify::verify_scts(&self.server_cert.cert_chain[0],
608 scts,
609 logs)?;
610 }
611 (_, _) => {}
612 }
613
614 sess.server_cert_chain = self.server_cert.take_chain();
615 self.handshake.transcript.add_message(&m);
616
617 Ok(self.into_expect_finished(certv, sigv))
618 }
619 }
620
621 // TLS1.3 version of CertificateRequest handling. We then move to expecting the server
622 // Certificate. Unfortunately the CertificateRequest type changed in an annoying way
623 // in TLS1.3.
624 struct ExpectCertificateRequest {
625 handshake: HandshakeDetails,
626 key_schedule: KeyScheduleHandshake,
627 server_cert: ServerCertDetails,
628 }
629
630 impl ExpectCertificateRequest {
into_expect_certificate(self, client_auth: ClientAuthDetails) -> hs::NextState631 fn into_expect_certificate(self, client_auth: ClientAuthDetails) -> hs::NextState {
632 Box::new(ExpectCertificate {
633 handshake: self.handshake,
634 key_schedule: self.key_schedule,
635 server_cert: self.server_cert,
636 client_auth: Some(client_auth),
637 })
638 }
639 }
640
641 impl hs::State for ExpectCertificateRequest {
check_message(&self, m: &Message) -> Result<(), TLSError>642 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
643 check_handshake_message(m, &[HandshakeType::CertificateRequest])
644 }
645
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError646 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
647 let certreq = &extract_handshake!(m, HandshakePayload::CertificateRequestTLS13).unwrap();
648 self.handshake.transcript.add_message(&m);
649 debug!("Got CertificateRequest {:?}", certreq);
650
651 // Fortunately the problems here in TLS1.2 and prior are corrected in
652 // TLS1.3.
653
654 // Must be empty during handshake.
655 if !certreq.context.0.is_empty() {
656 warn!("Server sent non-empty certreq context");
657 sess.common.send_fatal_alert(AlertDescription::DecodeError);
658 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
659 }
660
661 let tls13_sign_schemes = sign::supported_sign_tls13();
662 let no_sigschemes = Vec::new();
663 let compat_sigschemes = certreq.get_sigalgs_extension()
664 .unwrap_or(&no_sigschemes)
665 .iter()
666 .cloned()
667 .filter(|scheme| tls13_sign_schemes.contains(scheme))
668 .collect::<Vec<SignatureScheme>>();
669
670 if compat_sigschemes.is_empty() {
671 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
672 return Err(TLSError::PeerIncompatibleError("server sent bad certreq schemes".to_string()));
673 }
674
675 let no_canames = Vec::new();
676 let canames = certreq.get_authorities_extension()
677 .unwrap_or(&no_canames)
678 .iter()
679 .map(|p| p.0.as_slice())
680 .collect::<Vec<&[u8]>>();
681 let maybe_certkey =
682 sess.config.client_auth_cert_resolver.resolve(&canames, &compat_sigschemes);
683
684 let mut client_auth = ClientAuthDetails::new();
685 if let Some(mut certkey) = maybe_certkey {
686 debug!("Attempting client auth");
687 let maybe_signer = certkey.key.choose_scheme(&compat_sigschemes);
688 client_auth.cert = Some(certkey.take_cert());
689 client_auth.signer = maybe_signer;
690 client_auth.auth_context = Some(certreq.context.0.clone());
691 } else {
692 debug!("Client auth requested but no cert selected");
693 }
694
695 Ok(self.into_expect_certificate(client_auth))
696 }
697 }
698
emit_certificate_tls13(handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl)699 fn emit_certificate_tls13(handshake: &mut HandshakeDetails,
700 client_auth: &mut ClientAuthDetails,
701 sess: &mut ClientSessionImpl) {
702 let context = client_auth.auth_context
703 .take()
704 .unwrap_or_else(Vec::new);
705
706 let mut cert_payload = CertificatePayloadTLS13 {
707 context: PayloadU8::new(context),
708 entries: Vec::new(),
709 };
710
711 if let Some(cert_chain) = client_auth.cert.take() {
712 for cert in cert_chain {
713 cert_payload.entries.push(CertificateEntry::new(cert));
714 }
715 }
716
717 let m = Message {
718 typ: ContentType::Handshake,
719 version: ProtocolVersion::TLSv1_3,
720 payload: MessagePayload::Handshake(HandshakeMessagePayload {
721 typ: HandshakeType::Certificate,
722 payload: HandshakePayload::CertificateTLS13(cert_payload),
723 }),
724 };
725 handshake.transcript.add_message(&m);
726 sess.common.send_msg(m, true);
727 }
728
emit_certverify_tls13(handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl) -> Result<(), TLSError>729 fn emit_certverify_tls13(handshake: &mut HandshakeDetails,
730 client_auth: &mut ClientAuthDetails,
731 sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
732 if client_auth.signer.is_none() {
733 debug!("Skipping certverify message (no client scheme/key)");
734 return Ok(());
735 }
736
737 let mut message = Vec::new();
738 message.resize(64, 0x20u8);
739 message.extend_from_slice(b"TLS 1.3, client CertificateVerify\x00");
740 message.extend_from_slice(&handshake.transcript.get_current_hash());
741
742 let signer = client_auth.signer.take().unwrap();
743 let scheme = signer.get_scheme();
744 let sig = signer.sign(&message)?;
745 let dss = DigitallySignedStruct::new(scheme, sig);
746
747 let m = Message {
748 typ: ContentType::Handshake,
749 version: ProtocolVersion::TLSv1_3,
750 payload: MessagePayload::Handshake(HandshakeMessagePayload {
751 typ: HandshakeType::CertificateVerify,
752 payload: HandshakePayload::CertificateVerify(dss),
753 }),
754 };
755
756 handshake.transcript.add_message(&m);
757 sess.common.send_msg(m, true);
758 Ok(())
759 }
760
emit_finished_tls13(handshake: &mut HandshakeDetails, key_schedule: &KeyScheduleTrafficWithClientFinishedPending, sess: &mut ClientSessionImpl)761 fn emit_finished_tls13(handshake: &mut HandshakeDetails,
762 key_schedule: &KeyScheduleTrafficWithClientFinishedPending,
763 sess: &mut ClientSessionImpl) {
764 let handshake_hash = handshake.transcript.get_current_hash();
765 let verify_data = key_schedule.sign_client_finish(&handshake_hash);
766 let verify_data_payload = Payload::new(verify_data);
767
768 let m = Message {
769 typ: ContentType::Handshake,
770 version: ProtocolVersion::TLSv1_3,
771 payload: MessagePayload::Handshake(HandshakeMessagePayload {
772 typ: HandshakeType::Finished,
773 payload: HandshakePayload::Finished(verify_data_payload),
774 }),
775 };
776
777 handshake.transcript.add_message(&m);
778 sess.common.send_msg(m, true);
779 }
780
emit_end_of_early_data_tls13(handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl)781 fn emit_end_of_early_data_tls13(handshake: &mut HandshakeDetails,
782 sess: &mut ClientSessionImpl) {
783 #[cfg(feature = "quic")]
784 {
785 if let Protocol::Quic = sess.common.protocol { return; }
786 }
787
788 let m = Message {
789 typ: ContentType::Handshake,
790 version: ProtocolVersion::TLSv1_3,
791 payload: MessagePayload::Handshake(HandshakeMessagePayload {
792 typ: HandshakeType::EndOfEarlyData,
793 payload: HandshakePayload::EndOfEarlyData,
794 }),
795 };
796
797 handshake.transcript.add_message(&m);
798 sess.common.send_msg(m, true);
799 }
800
801 struct ExpectFinished {
802 handshake: HandshakeDetails,
803 key_schedule: KeyScheduleHandshake,
804 client_auth: Option<ClientAuthDetails>,
805 cert_verified: verify::ServerCertVerified,
806 sig_verified: verify::HandshakeSignatureValid,
807 }
808
809 impl ExpectFinished {
into_expect_traffic(handshake: HandshakeDetails, key_schedule: KeyScheduleTraffic, cert_verified: verify::ServerCertVerified, sig_verified: verify::HandshakeSignatureValid, fin_verified: verify::FinishedMessageVerified) -> ExpectTraffic810 fn into_expect_traffic(handshake: HandshakeDetails,
811 key_schedule: KeyScheduleTraffic,
812 cert_verified: verify::ServerCertVerified,
813 sig_verified: verify::HandshakeSignatureValid,
814 fin_verified: verify::FinishedMessageVerified) -> ExpectTraffic {
815 ExpectTraffic {
816 handshake,
817 key_schedule,
818 want_write_key_update: false,
819 _cert_verified: cert_verified,
820 _sig_verified: sig_verified,
821 _fin_verified: fin_verified,
822 }
823 }
824 }
825
826 impl hs::State for ExpectFinished {
check_message(&self, m: &Message) -> hs::CheckResult827 fn check_message(&self, m: &Message) -> hs::CheckResult {
828 check_handshake_message(m, &[HandshakeType::Finished])
829 }
830
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError831 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
832 let mut st = *self;
833 let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
834
835 let handshake_hash = st.handshake.transcript.get_current_hash();
836 let expect_verify_data = st.key_schedule.sign_server_finish(&handshake_hash);
837
838 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
839 .map_err(|_| {
840 sess.common.send_fatal_alert(AlertDescription::DecryptError);
841 TLSError::DecryptError
842 })
843 .map(|_| verify::FinishedMessageVerified::assertion())?;
844
845 let suite = sess.common.get_suite_assert();
846 let maybe_write_key = if sess.common.early_traffic {
847 /* Derive the client-to-server encryption key before key schedule update */
848 let key = st.key_schedule
849 .client_handshake_traffic_secret(&st.handshake.hash_at_client_recvd_server_hello,
850 &*sess.config.key_log,
851 &st.handshake.randoms.client);
852 Some(key)
853 } else {
854 None
855 };
856
857 st.handshake.transcript.add_message(&m);
858
859 let hash_after_handshake = st.handshake.transcript.get_current_hash();
860
861 /* The EndOfEarlyData message to server is still encrypted with early data keys,
862 * but appears in the transcript after the server Finished. */
863 if let Some(write_key) = maybe_write_key {
864 emit_end_of_early_data_tls13(&mut st.handshake, sess);
865 sess.common.early_traffic = false;
866 sess.early_data.finished();
867 sess.common
868 .record_layer
869 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
870 }
871
872 /* Send our authentication/finished messages. These are still encrypted
873 * with our handshake keys. */
874 if st.client_auth.is_some() {
875 emit_certificate_tls13(&mut st.handshake,
876 st.client_auth.as_mut().unwrap(),
877 sess);
878 emit_certverify_tls13(&mut st.handshake,
879 st.client_auth.as_mut().unwrap(),
880 sess)?;
881 }
882
883 let mut key_schedule_finished = st.key_schedule.into_traffic_with_client_finished_pending();
884 emit_finished_tls13(&mut st.handshake, &key_schedule_finished, sess);
885
886 /* Now move to our application traffic keys. */
887 hs::check_aligned_handshake(sess)?;
888
889 /* Traffic from server is now decrypted with application data keys. */
890 let read_key = key_schedule_finished
891 .server_application_traffic_secret(
892 &hash_after_handshake,
893 &*sess.config.key_log,
894 &st.handshake.randoms.client);
895 sess.common
896 .record_layer
897 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
898
899 key_schedule_finished.exporter_master_secret(&hash_after_handshake,
900 &*sess.config.key_log,
901 &st.handshake.randoms.client);
902
903 let write_key = key_schedule_finished
904 .client_application_traffic_secret(&hash_after_handshake,
905 &*sess.config.key_log,
906 &st.handshake.randoms.client);
907 sess.common
908 .record_layer
909 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
910
911 let key_schedule_traffic = key_schedule_finished.into_traffic();
912 sess.common.start_traffic();
913
914 let st = Self::into_expect_traffic(st.handshake,
915 key_schedule_traffic,
916 st.cert_verified,
917 st.sig_verified,
918 fin);
919 #[cfg(feature = "quic")] {
920 if sess.common.protocol == Protocol::Quic {
921 sess.common.quic.traffic_secrets = Some(quic::Secrets {
922 client: write_key,
923 server: read_key,
924 });
925 return Ok(Box::new(ExpectQUICTraffic(st)));
926 }
927 }
928
929 Ok(Box::new(st))
930 }
931 }
932
933 // -- Traffic transit state (TLS1.3) --
934 // In this state we can be sent tickets, keyupdates,
935 // and application data.
936 struct ExpectTraffic {
937 handshake: HandshakeDetails,
938 key_schedule: KeyScheduleTraffic,
939 want_write_key_update: bool,
940 _cert_verified: verify::ServerCertVerified,
941 _sig_verified: verify::HandshakeSignatureValid,
942 _fin_verified: verify::FinishedMessageVerified,
943 }
944
945 impl ExpectTraffic {
handle_new_ticket_tls13(&mut self, sess: &mut ClientSessionImpl, m: Message) -> Result<(), TLSError>946 fn handle_new_ticket_tls13(&mut self, sess: &mut ClientSessionImpl, m: Message) -> Result<(), TLSError> {
947 let nst = extract_handshake!(m, HandshakePayload::NewSessionTicketTLS13).unwrap();
948 let handshake_hash = self.handshake.transcript.get_current_hash();
949 let secret = self.key_schedule
950 .resumption_master_secret_and_derive_ticket_psk(&handshake_hash, &nst.nonce.0);
951
952 let mut value = persist::ClientSessionValue::new(ProtocolVersion::TLSv1_3,
953 sess.common.get_suite_assert().suite,
954 &SessionID::empty(),
955 nst.ticket.0.clone(),
956 secret);
957 value.set_times(ticketer::timebase(),
958 nst.lifetime,
959 nst.age_add);
960
961 if let Some(sz) = nst.get_max_early_data_size() {
962 value.set_max_early_data_size(sz);
963 #[cfg(feature = "quic")] {
964 if sess.common.protocol == Protocol::Quic {
965 if sz != 0 && sz != 0xffff_ffff {
966 return Err(TLSError::PeerMisbehavedError("invalid max_early_data_size".into()));
967 }
968 }
969 }
970 }
971
972 let key = persist::ClientSessionKey::session_for_dns_name(self.handshake.dns_name.as_ref());
973 #[allow(unused_mut)]
974 let mut ticket = value.get_encoding();
975
976 #[cfg(feature = "quic")] {
977 if sess.common.protocol == Protocol::Quic {
978 PayloadU16::encode_slice(sess.common.quic.params.as_ref().unwrap(), &mut ticket);
979 }
980 }
981
982 let worked = sess.config.session_persistence.put(key.get_encoding(),
983 ticket);
984
985 if worked {
986 debug!("Ticket saved");
987 } else {
988 debug!("Ticket not saved");
989 }
990 Ok(())
991 }
992
handle_key_update(&mut self, sess: &mut ClientSessionImpl, m: Message) -> Result<(), TLSError>993 fn handle_key_update(&mut self, sess: &mut ClientSessionImpl, m: Message) -> Result<(), TLSError> {
994 let kur = extract_handshake!(m, HandshakePayload::KeyUpdate).unwrap();
995
996 #[cfg(feature = "quic")]
997 {
998 if let Protocol::Quic = sess.common.protocol {
999 sess.common.send_fatal_alert(AlertDescription::UnexpectedMessage);
1000 let msg = "KeyUpdate received in QUIC connection".to_string();
1001 warn!("{}", msg);
1002 return Err(TLSError::PeerMisbehavedError(msg));
1003 }
1004 }
1005
1006 // Mustn't be interleaved with other handshake messages.
1007 hs::check_aligned_handshake(sess)?;
1008
1009 match kur {
1010 KeyUpdateRequest::UpdateNotRequested => {}
1011 KeyUpdateRequest::UpdateRequested => {
1012 self.want_write_key_update = true;
1013 }
1014 _ => {
1015 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
1016 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
1017 }
1018 }
1019
1020 // Update our read-side keys.
1021 let new_read_key = self.key_schedule.next_server_application_traffic_secret();
1022 let suite = sess.common.get_suite_assert();
1023 sess.common.record_layer.set_message_decrypter(cipher::new_tls13_read(suite, &new_read_key));
1024
1025 Ok(())
1026 }
1027 }
1028
1029 impl hs::State for ExpectTraffic {
check_message(&self, m: &Message) -> Result<(), TLSError>1030 fn check_message(&self, m: &Message) -> Result<(), TLSError> {
1031 check_message(m,
1032 &[ContentType::ApplicationData, ContentType::Handshake],
1033 &[HandshakeType::NewSessionTicket, HandshakeType::KeyUpdate])
1034 }
1035
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message) -> hs::NextStateOrError1036 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message) -> hs::NextStateOrError {
1037 if m.is_content_type(ContentType::ApplicationData) {
1038 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
1039 } else if m.is_handshake_type(HandshakeType::NewSessionTicket) {
1040 self.handle_new_ticket_tls13(sess, m)?;
1041 } else if m.is_handshake_type(HandshakeType::KeyUpdate) {
1042 self.handle_key_update(sess, m)?;
1043 }
1044
1045 Ok(self)
1046 }
1047
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>1048 fn export_keying_material(&self,
1049 output: &mut [u8],
1050 label: &[u8],
1051 context: Option<&[u8]>) -> Result<(), TLSError> {
1052 self.key_schedule.export_keying_material(output, label, context)
1053 }
1054
perhaps_write_key_update(&mut self, sess: &mut ClientSessionImpl)1055 fn perhaps_write_key_update(&mut self, sess: &mut ClientSessionImpl) {
1056 if self.want_write_key_update {
1057 self.want_write_key_update = false;
1058 sess.common.send_msg_encrypt(Message::build_key_update_notify());
1059
1060 let write_key = self.key_schedule.next_client_application_traffic_secret();
1061 let scs = sess.common.get_suite_assert();
1062 sess.common.record_layer.set_message_encrypter(cipher::new_tls13_write(scs, &write_key));
1063 }
1064 }
1065 }
1066
1067 #[cfg(feature = "quic")]
1068 pub struct ExpectQUICTraffic(ExpectTraffic);
1069
1070 #[cfg(feature = "quic")]
1071 impl hs::State for ExpectQUICTraffic {
check_message(&self, m: &Message) -> hs::CheckResult1072 fn check_message(&self, m: &Message) -> hs::CheckResult {
1073 check_message(m, &[ContentType::Handshake], &[HandshakeType::NewSessionTicket])
1074 }
1075
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError1076 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
1077 self.0.handle_new_ticket_tls13(sess, m)?;
1078 Ok(self)
1079 }
1080 }
1081