1 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
2 use crate::msgs::enums::AlertDescription;
3 use crate::msgs::message::{Message, MessagePayload};
4 use crate::msgs::base::Payload;
5 use crate::msgs::handshake::HandshakePayload;
6 use crate::msgs::handshake::HandshakeMessagePayload;
7 use crate::msgs::handshake::NewSessionTicketPayload;
8 use crate::msgs::ccs::ChangeCipherSpecPayload;
9 use crate::msgs::codec::Codec;
10 use crate::msgs::persist;
11 use crate::session::SessionSecrets;
12 use crate::server::ServerSessionImpl;
13 use crate::verify;
14 #[cfg(feature = "logging")]
15 use crate::log::{warn, trace, debug};
16 use crate::error::TLSError;
17 use crate::handshake::{check_handshake_message, check_message};
18
19 use crate::server::common::{HandshakeDetails, ServerKXDetails, ClientCertDetails};
20 use crate::server::hs;
21
22 use ring::constant_time;
23
24 // --- Process client's Certificate for client auth ---
25 pub struct ExpectCertificate {
26 pub handshake: HandshakeDetails,
27 pub server_kx: ServerKXDetails,
28 pub send_ticket: bool,
29 }
30
31 impl ExpectCertificate {
into_expect_tls12_client_kx(self, cert: Option<ClientCertDetails>) -> hs::NextState32 fn into_expect_tls12_client_kx(self, cert: Option<ClientCertDetails>) -> hs::NextState {
33 Box::new(ExpectClientKX {
34 handshake: self.handshake,
35 server_kx: self.server_kx,
36 client_cert: cert,
37 send_ticket: self.send_ticket,
38 })
39 }
40 }
41
42 impl hs::State for ExpectCertificate {
check_message(&self, m: &Message) -> hs::CheckResult43 fn check_message(&self, m: &Message) -> hs::CheckResult {
44 check_handshake_message(m, &[HandshakeType::Certificate])
45 }
46
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError47 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
48 let cert_chain = extract_handshake!(m, HandshakePayload::Certificate).unwrap();
49 self.handshake.transcript.add_message(&m);
50
51 // If we can't determine if the auth is mandatory, abort
52 let mandatory = sess.config.verifier.client_auth_mandatory(sess.get_sni())
53 .ok_or_else(|| {
54 debug!("could not determine if client auth is mandatory based on SNI");
55 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
56 TLSError::General("client rejected by client_auth_mandatory".into())
57 })?;
58
59 if cert_chain.is_empty() {
60 if !mandatory {
61 debug!("client auth requested but no certificate supplied");
62 self.handshake.transcript.abandon_client_auth();
63 return Ok(self.into_expect_tls12_client_kx(None));
64 }
65 sess.common.send_fatal_alert(AlertDescription::CertificateRequired);
66 return Err(TLSError::NoCertificatesPresented);
67 }
68
69 trace!("certs {:?}", cert_chain);
70
71 sess.config.verifier.verify_client_cert(cert_chain, sess.get_sni())
72 .or_else(|err| {
73 hs::incompatible(sess, "certificate invalid");
74 Err(err)
75 })?;
76
77 let cert = ClientCertDetails::new(cert_chain.clone());
78 Ok(self.into_expect_tls12_client_kx(Some(cert)))
79 }
80 }
81
82 // --- Process client's KeyExchange ---
83 pub struct ExpectClientKX {
84 pub handshake: HandshakeDetails,
85 pub server_kx: ServerKXDetails,
86 pub client_cert: Option<ClientCertDetails>,
87 pub send_ticket: bool,
88 }
89
90 impl ExpectClientKX {
into_expect_tls12_certificate_verify(self, secrets: SessionSecrets) -> hs::NextState91 fn into_expect_tls12_certificate_verify(self, secrets: SessionSecrets) -> hs::NextState {
92 Box::new(ExpectCertificateVerify {
93 secrets,
94 handshake: self.handshake,
95 client_cert: self.client_cert.unwrap(),
96 send_ticket: self.send_ticket,
97 })
98 }
99
into_expect_tls12_ccs(self, secrets: SessionSecrets) -> hs::NextState100 fn into_expect_tls12_ccs(self, secrets: SessionSecrets) -> hs::NextState {
101 Box::new(ExpectCCS {
102 secrets,
103 handshake: self.handshake,
104 resuming: false,
105 send_ticket: self.send_ticket,
106 })
107 }
108 }
109
110 impl hs::State for ExpectClientKX {
check_message(&self, m: &Message) -> hs::CheckResult111 fn check_message(&self, m: &Message) -> hs::CheckResult {
112 check_handshake_message(m, &[HandshakeType::ClientKeyExchange])
113 }
114
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError115 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
116 let client_kx = extract_handshake!(m, HandshakePayload::ClientKeyExchange).unwrap();
117 self.handshake.transcript.add_message(&m);
118
119 // Complete key agreement, and set up encryption with the
120 // resulting premaster secret.
121 let kx = self.server_kx.take_kx();
122 if !kx.check_client_params(&client_kx.0) {
123 sess.common.send_fatal_alert(AlertDescription::DecodeError);
124 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
125 }
126
127 let kxd = kx.server_complete(&client_kx.0)
128 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange completion failed"
129 .to_string()))?;
130
131 let hashalg = sess.common.get_suite_assert().get_hash();
132 let secrets = if self.handshake.using_ems {
133 let handshake_hash = self.handshake.transcript.get_current_hash();
134 SessionSecrets::new_ems(&self.handshake.randoms,
135 &handshake_hash,
136 hashalg,
137 &kxd.shared_secret)
138 } else {
139 SessionSecrets::new(&self.handshake.randoms,
140 hashalg,
141 &kxd.shared_secret)
142 };
143 sess.config.key_log.log("CLIENT_RANDOM",
144 &secrets.randoms.client,
145 &secrets.master_secret);
146 sess.common.start_encryption_tls12(&secrets);
147
148 if self.client_cert.is_some() {
149 Ok(self.into_expect_tls12_certificate_verify(secrets))
150 } else {
151 Ok(self.into_expect_tls12_ccs(secrets))
152 }
153 }
154 }
155
156 // --- Process client's certificate proof ---
157 pub struct ExpectCertificateVerify {
158 secrets: SessionSecrets,
159 handshake: HandshakeDetails,
160 client_cert: ClientCertDetails,
161 send_ticket: bool,
162 }
163
164 impl ExpectCertificateVerify {
into_expect_tls12_ccs(self) -> hs::NextState165 fn into_expect_tls12_ccs(self) -> hs::NextState {
166 Box::new(ExpectCCS {
167 secrets: self.secrets,
168 handshake: self.handshake,
169 resuming: false,
170 send_ticket: self.send_ticket,
171 })
172 }
173 }
174
175 impl hs::State for ExpectCertificateVerify {
check_message(&self, m: &Message) -> hs::CheckResult176 fn check_message(&self, m: &Message) -> hs::CheckResult {
177 check_handshake_message(m, &[HandshakeType::CertificateVerify])
178 }
179
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError180 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
181 let rc = {
182 let sig = extract_handshake!(m, HandshakePayload::CertificateVerify).unwrap();
183 let handshake_msgs = self.handshake.transcript.take_handshake_buf();
184 let certs = &self.client_cert.cert_chain;
185
186 verify::verify_signed_struct(&handshake_msgs, &certs[0], sig)
187 };
188
189 if let Err(e) = rc {
190 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
191 return Err(e);
192 }
193
194 trace!("client CertificateVerify OK");
195 sess.client_cert_chain = Some(self.client_cert.take_chain());
196
197 self.handshake.transcript.add_message(&m);
198 Ok(self.into_expect_tls12_ccs())
199 }
200 }
201
202 // --- Process client's ChangeCipherSpec ---
203 pub struct ExpectCCS {
204 pub secrets: SessionSecrets,
205 pub handshake: HandshakeDetails,
206 pub resuming: bool,
207 pub send_ticket: bool,
208 }
209
210 impl ExpectCCS {
into_expect_tls12_finished(self) -> hs::NextState211 fn into_expect_tls12_finished(self) -> hs::NextState {
212 Box::new(ExpectFinished {
213 secrets: self.secrets,
214 handshake: self.handshake,
215 resuming: self.resuming,
216 send_ticket: self.send_ticket,
217 })
218 }
219 }
220
221 impl hs::State for ExpectCCS {
check_message(&self, m: &Message) -> hs::CheckResult222 fn check_message(&self, m: &Message) -> hs::CheckResult {
223 check_message(m, &[ContentType::ChangeCipherSpec], &[])
224 }
225
handle(self: Box<Self>, sess: &mut ServerSessionImpl, _m: Message) -> hs::NextStateOrError226 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, _m: Message) -> hs::NextStateOrError {
227 // CCS should not be received interleaved with fragmented handshake-level
228 // message.
229 if !sess.common.handshake_joiner.is_empty() {
230 warn!("CCS received interleaved with fragmented handshake");
231 return Err(TLSError::InappropriateMessage {
232 expect_types: vec![ ContentType::Handshake ],
233 got_type: ContentType::ChangeCipherSpec,
234 });
235 }
236
237 sess.common
238 .record_layer
239 .start_decrypting();
240 Ok(self.into_expect_tls12_finished())
241 }
242 }
243
244 // --- Process client's Finished ---
get_server_session_value_tls12(secrets: &SessionSecrets, handshake: &HandshakeDetails, sess: &ServerSessionImpl) -> persist::ServerSessionValue245 fn get_server_session_value_tls12(secrets: &SessionSecrets,
246 handshake: &HandshakeDetails,
247 sess: &ServerSessionImpl) -> persist::ServerSessionValue {
248 let scs = sess.common.get_suite_assert();
249 let version = ProtocolVersion::TLSv1_2;
250 let secret = secrets.get_master_secret();
251
252 let mut v = persist::ServerSessionValue::new(
253 sess.get_sni(), version,
254 scs.suite, secret,
255 &sess.client_cert_chain,
256 sess.alpn_protocol.clone(),
257 sess.resumption_data.clone(),
258 );
259
260 if handshake.using_ems {
261 v.set_extended_ms_used();
262 }
263
264 v
265 }
266
emit_ticket(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl)267 pub fn emit_ticket(secrets: &SessionSecrets,
268 handshake: &mut HandshakeDetails,
269 sess: &mut ServerSessionImpl) {
270 // If we can't produce a ticket for some reason, we can't
271 // report an error. Send an empty one.
272 let plain = get_server_session_value_tls12(secrets, handshake, sess)
273 .get_encoding();
274 let ticket = sess.config
275 .ticketer
276 .encrypt(&plain)
277 .unwrap_or_else(Vec::new);
278 let ticket_lifetime = sess.config.ticketer.get_lifetime();
279
280 let m = Message {
281 typ: ContentType::Handshake,
282 version: ProtocolVersion::TLSv1_2,
283 payload: MessagePayload::Handshake(HandshakeMessagePayload {
284 typ: HandshakeType::NewSessionTicket,
285 payload:
286 HandshakePayload::NewSessionTicket(NewSessionTicketPayload::new(ticket_lifetime,
287 ticket)),
288 }),
289 };
290
291 handshake.transcript.add_message(&m);
292 sess.common.send_msg(m, false);
293 }
294
emit_ccs(sess: &mut ServerSessionImpl)295 pub fn emit_ccs(sess: &mut ServerSessionImpl) {
296 let m = Message {
297 typ: ContentType::ChangeCipherSpec,
298 version: ProtocolVersion::TLSv1_2,
299 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
300 };
301
302 sess.common.send_msg(m, false);
303 }
304
emit_finished(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl)305 pub fn emit_finished(secrets: &SessionSecrets,
306 handshake: &mut HandshakeDetails,
307 sess: &mut ServerSessionImpl) {
308 let vh = handshake.transcript.get_current_hash();
309 let verify_data = secrets.server_verify_data(&vh);
310 let verify_data_payload = Payload::new(verify_data);
311
312 let f = Message {
313 typ: ContentType::Handshake,
314 version: ProtocolVersion::TLSv1_2,
315 payload: MessagePayload::Handshake(HandshakeMessagePayload {
316 typ: HandshakeType::Finished,
317 payload: HandshakePayload::Finished(verify_data_payload),
318 }),
319 };
320
321 handshake.transcript.add_message(&f);
322 sess.common.send_msg(f, true);
323 }
324
325 pub struct ExpectFinished {
326 secrets: SessionSecrets,
327 handshake: HandshakeDetails,
328 resuming: bool,
329 send_ticket: bool,
330 }
331
332 impl ExpectFinished {
into_expect_tls12_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState333 fn into_expect_tls12_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState {
334 Box::new(ExpectTraffic {
335 secrets: self.secrets,
336 _fin_verified: fin,
337 })
338 }
339 }
340
341 impl hs::State for ExpectFinished {
check_message(&self, m: &Message) -> hs::CheckResult342 fn check_message(&self, m: &Message) -> hs::CheckResult {
343 check_handshake_message(m, &[HandshakeType::Finished])
344 }
345
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError346 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
347 let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
348
349 let vh = self.handshake.transcript.get_current_hash();
350 let expect_verify_data = self.secrets.client_verify_data(&vh);
351
352 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
353 .map_err(|_| {
354 sess.common.send_fatal_alert(AlertDescription::DecryptError);
355 TLSError::DecryptError
356 })
357 .map(|_| verify::FinishedMessageVerified::assertion())?;
358
359 // Save session, perhaps
360 if !self.resuming && !self.handshake.session_id.is_empty() {
361 let value = get_server_session_value_tls12(&self.secrets, &self.handshake, sess);
362
363 let worked = sess.config.session_storage
364 .put(self.handshake.session_id.get_encoding(), value.get_encoding());
365 if worked {
366 debug!("Session saved");
367 } else {
368 debug!("Session not saved");
369 }
370 }
371
372 // Send our CCS and Finished.
373 self.handshake.transcript.add_message(&m);
374 if !self.resuming {
375 if self.send_ticket {
376 emit_ticket(&self.secrets,
377 &mut self.handshake,
378 sess);
379 }
380 emit_ccs(sess);
381 sess.common
382 .record_layer
383 .start_encrypting();
384 emit_finished(&self.secrets, &mut self.handshake, sess);
385 }
386
387 sess.common.start_traffic();
388 Ok(self.into_expect_tls12_traffic(fin))
389 }
390 }
391
392 // --- Process traffic ---
393 pub struct ExpectTraffic {
394 secrets: SessionSecrets,
395 _fin_verified: verify::FinishedMessageVerified,
396 }
397
398 impl ExpectTraffic {
399 }
400
401 impl hs::State for ExpectTraffic {
check_message(&self, m: &Message) -> hs::CheckResult402 fn check_message(&self, m: &Message) -> hs::CheckResult {
403 check_message(m, &[ContentType::ApplicationData], &[])
404 }
405
handle(self: Box<Self>, sess: &mut ServerSessionImpl, mut m: Message) -> hs::NextStateOrError406 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, mut m: Message) -> hs::NextStateOrError {
407 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
408 Ok(self)
409 }
410
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>411 fn export_keying_material(&self,
412 output: &mut [u8],
413 label: &[u8],
414 context: Option<&[u8]>) -> Result<(), TLSError> {
415 self.secrets.export_keying_material(output, label, context);
416 Ok(())
417 }
418 }
419