1 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
2 use crate::msgs::enums::{AlertDescription, SignatureScheme, NamedGroup};
3 use crate::msgs::enums::{Compression, PSKKeyExchangeMode};
4 use crate::msgs::enums::KeyUpdateRequest;
5 use crate::msgs::message::{Message, MessagePayload};
6 use crate::msgs::handshake::HandshakePayload;
7 use crate::msgs::handshake::HandshakeMessagePayload;
8 use crate::msgs::handshake::NewSessionTicketPayloadTLS13;
9 use crate::msgs::handshake::CertificateEntry;
10 use crate::msgs::handshake::CertificateExtension;
11 use crate::msgs::handshake::CertificateStatus;
12 use crate::msgs::handshake::CertificatePayloadTLS13;
13 use crate::msgs::handshake::CertificateRequestPayloadTLS13;
14 use crate::msgs::handshake::CertReqExtension;
15 use crate::msgs::handshake::ClientHelloPayload;
16 use crate::msgs::handshake::HelloRetryRequest;
17 use crate::msgs::handshake::HelloRetryExtension;
18 use crate::msgs::handshake::ServerHelloPayload;
19 use crate::msgs::handshake::KeyShareEntry;
20 use crate::msgs::handshake::SessionID;
21 use crate::msgs::handshake::ServerExtension;
22 use crate::msgs::handshake::Random;
23 use crate::msgs::handshake::DigitallySignedStruct;
24 use crate::msgs::ccs::ChangeCipherSpecPayload;
25 use crate::msgs::base::{Payload, PayloadU8};
26 use crate::msgs::codec::Codec;
27 use crate::msgs::persist;
28 use crate::server::ServerSessionImpl;
29 use crate::key_schedule::{
30 KeyScheduleNonSecret,
31 KeyScheduleEarly,
32 KeyScheduleHandshake,
33 KeyScheduleTrafficWithClientFinishedPending,
34 KeyScheduleTraffic
35 };
36 use crate::cipher;
37 use crate::verify;
38 use crate::rand;
39 use crate::sign;
40 use crate::suites;
41 #[cfg(feature = "logging")]
42 use crate::log::{warn, trace, debug};
43 use crate::error::TLSError;
44 use crate::handshake::{check_handshake_message, check_message};
45 #[cfg(feature = "quic")]
46 use crate::{
47 quic,
48 msgs::handshake::NewSessionTicketExtension,
49 session::Protocol
50 };
51
52 use crate::server::common::{HandshakeDetails, ClientCertDetails};
53 use crate::server::hs;
54
55 use ring::constant_time;
56
57 pub struct CompleteClientHelloHandling {
58 pub handshake: HandshakeDetails,
59 pub done_retry: bool,
60 pub send_cert_status: bool,
61 pub send_sct: bool,
62 pub send_ticket: bool,
63 }
64
65 impl CompleteClientHelloHandling {
check_binder(&self, sess: &mut ServerSessionImpl, client_hello: &Message, psk: &[u8], binder: &[u8]) -> bool66 fn check_binder(&self,
67 sess: &mut ServerSessionImpl,
68 client_hello: &Message,
69 psk: &[u8],
70 binder: &[u8])
71 -> bool {
72 let binder_plaintext = match client_hello.payload {
73 MessagePayload::Handshake(ref hmp) => hmp.get_encoding_for_binder_signing(),
74 _ => unreachable!(),
75 };
76
77 let suite = sess.common.get_suite_assert();
78 let suite_hash = suite.get_hash();
79 let handshake_hash = self.handshake.transcript.get_hash_given(suite_hash, &binder_plaintext);
80
81 let key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, &psk);
82 let real_binder = key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
83
84 constant_time::verify_slices_are_equal(&real_binder, binder).is_ok()
85 }
86
into_expect_retried_client_hello(self) -> hs::NextState87 fn into_expect_retried_client_hello(self) -> hs::NextState {
88 Box::new(hs::ExpectClientHello {
89 handshake: self.handshake,
90 done_retry: true,
91 send_cert_status: self.send_cert_status,
92 send_sct: self.send_sct,
93 send_ticket: self.send_ticket,
94 })
95 }
96
into_expect_certificate(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState97 fn into_expect_certificate(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState {
98 Box::new(ExpectCertificate {
99 handshake: self.handshake,
100 key_schedule,
101 send_ticket: self.send_ticket,
102 })
103 }
104
into_expect_finished(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState105 fn into_expect_finished(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState {
106 Box::new(ExpectFinished {
107 handshake: self.handshake,
108 key_schedule,
109 send_ticket: self.send_ticket,
110 })
111 }
112
emit_server_hello(&mut self, sess: &mut ServerSessionImpl, session_id: &SessionID, share: &KeyShareEntry, chosen_psk_idx: Option<usize>, resuming_psk: Option<&[u8]>) -> Result<KeyScheduleHandshake, TLSError>113 fn emit_server_hello(&mut self,
114 sess: &mut ServerSessionImpl,
115 session_id: &SessionID,
116 share: &KeyShareEntry,
117 chosen_psk_idx: Option<usize>,
118 resuming_psk: Option<&[u8]>)
119 -> Result<KeyScheduleHandshake, TLSError> {
120 let mut extensions = Vec::new();
121
122 // Do key exchange
123 let kxr = suites::KeyExchange::start_ecdhe(share.group)
124 .and_then(|kx| kx.complete(&share.payload.0))
125 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
126
127 let kse = KeyShareEntry::new(share.group, kxr.pubkey.as_ref());
128 extensions.push(ServerExtension::KeyShare(kse));
129 extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
130
131 if let Some(psk_idx) = chosen_psk_idx {
132 extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
133 }
134
135 let sh = Message {
136 typ: ContentType::Handshake,
137 version: ProtocolVersion::TLSv1_2,
138 payload: MessagePayload::Handshake(HandshakeMessagePayload {
139 typ: HandshakeType::ServerHello,
140 payload: HandshakePayload::ServerHello(ServerHelloPayload {
141 legacy_version: ProtocolVersion::TLSv1_2,
142 random: Random::from_slice(&self.handshake.randoms.server),
143 session_id: *session_id,
144 cipher_suite: sess.common.get_suite_assert().suite,
145 compression_method: Compression::Null,
146 extensions,
147 }),
148 }),
149 };
150
151 hs::check_aligned_handshake(sess)?;
152
153 #[cfg(feature = "quic")]
154 let client_hello_hash = self.handshake.transcript
155 .get_hash_given(sess.common.get_suite_assert().get_hash(), &[]);
156
157 trace!("sending server hello {:?}", sh);
158 self.handshake.transcript.add_message(&sh);
159 sess.common.send_msg(sh, false);
160
161 // Start key schedule
162 let suite = sess.common.get_suite_assert();
163 let mut key_schedule = if let Some(psk) = resuming_psk {
164 let early_key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, psk);
165
166 #[cfg(feature = "quic")] {
167 if sess.common.protocol == Protocol::Quic {
168 let client_early_traffic_secret = early_key_schedule
169 .client_early_traffic_secret(&client_hello_hash,
170 &*sess.config.key_log,
171 &self.handshake.randoms.client);
172 // If 0-RTT should be rejected, this will be clobbered by ExtensionProcessing
173 // before the application can see.
174 sess.common.quic.early_secret = Some(client_early_traffic_secret);
175 }
176 }
177
178 early_key_schedule
179 .into_handshake(&kxr.shared_secret)
180 } else {
181 KeyScheduleNonSecret::new(suite.hkdf_algorithm)
182 .into_handshake(&kxr.shared_secret)
183 };
184
185 let handshake_hash = self.handshake.transcript.get_current_hash();
186 let write_key = key_schedule
187 .server_handshake_traffic_secret(&handshake_hash,
188 &*sess.config.key_log,
189 &self.handshake.randoms.client);
190 sess.common
191 .record_layer
192 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
193
194 let read_key = key_schedule
195 .client_handshake_traffic_secret(&handshake_hash,
196 &*sess.config.key_log,
197 &self.handshake.randoms.client);
198 sess.common
199 .record_layer
200 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
201
202 #[cfg(feature = "quic")] {
203 sess.common.quic.hs_secrets = Some(quic::Secrets {
204 client: read_key,
205 server: write_key,
206 });
207 }
208
209 Ok(key_schedule)
210 }
211
emit_fake_ccs(&mut self, sess: &mut ServerSessionImpl)212 fn emit_fake_ccs(&mut self,
213 sess: &mut ServerSessionImpl) {
214 #[cfg(feature = "quic")] {
215 if let Protocol::Quic = sess.common.protocol { return; }
216 }
217 let m = Message {
218 typ: ContentType::ChangeCipherSpec,
219 version: ProtocolVersion::TLSv1_2,
220 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {})
221 };
222 sess.common.send_msg(m, false);
223 }
224
emit_hello_retry_request(&mut self, sess: &mut ServerSessionImpl, group: NamedGroup)225 fn emit_hello_retry_request(&mut self,
226 sess: &mut ServerSessionImpl,
227 group: NamedGroup) {
228 let mut req = HelloRetryRequest {
229 legacy_version: ProtocolVersion::TLSv1_2,
230 session_id: SessionID::empty(),
231 cipher_suite: sess.common.get_suite_assert().suite,
232 extensions: Vec::new(),
233 };
234
235 req.extensions.push(HelloRetryExtension::KeyShare(group));
236 req.extensions.push(HelloRetryExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
237
238 let m = Message {
239 typ: ContentType::Handshake,
240 version: ProtocolVersion::TLSv1_2,
241 payload: MessagePayload::Handshake(HandshakeMessagePayload {
242 typ: HandshakeType::HelloRetryRequest,
243 payload: HandshakePayload::HelloRetryRequest(req),
244 }),
245 };
246
247 trace!("Requesting retry {:?}", m);
248 self.handshake.transcript.rollup_for_hrr();
249 self.handshake.transcript.add_message(&m);
250 sess.common.send_msg(m, false);
251 }
252
emit_encrypted_extensions(&mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>) -> Result<(), TLSError>253 fn emit_encrypted_extensions(&mut self,
254 sess: &mut ServerSessionImpl,
255 server_key: &mut sign::CertifiedKey,
256 hello: &ClientHelloPayload,
257 resumedata: Option<&persist::ServerSessionValue>)
258 -> Result<(), TLSError> {
259 let mut ep = hs::ExtensionProcessing::new();
260 ep.process_common(sess, Some(server_key), hello, resumedata, &self.handshake)?;
261
262 self.send_cert_status = ep.send_cert_status;
263 self.send_sct = ep.send_sct;
264
265 let ee = Message {
266 typ: ContentType::Handshake,
267 version: ProtocolVersion::TLSv1_3,
268 payload: MessagePayload::Handshake(HandshakeMessagePayload {
269 typ: HandshakeType::EncryptedExtensions,
270 payload: HandshakePayload::EncryptedExtensions(ep.exts),
271 }),
272 };
273
274 trace!("sending encrypted extensions {:?}", ee);
275 self.handshake.transcript.add_message(&ee);
276 sess.common.send_msg(ee, true);
277 Ok(())
278 }
279
emit_certificate_req_tls13(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError>280 fn emit_certificate_req_tls13(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError> {
281 if !sess.config.verifier.offer_client_auth() {
282 return Ok(false);
283 }
284
285 let mut cr = CertificateRequestPayloadTLS13 {
286 context: PayloadU8::empty(),
287 extensions: Vec::new(),
288 };
289
290 let schemes = verify::supported_verify_schemes();
291 cr.extensions.push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
292
293 let names = sess.config.verifier.client_auth_root_subjects(sess.get_sni())
294 .ok_or_else(|| {
295 debug!("could not determine root subjects based on SNI");
296 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
297 TLSError::General("client rejected by client_auth_root_subjects".into())
298 })?;
299
300 if !names.is_empty() {
301 cr.extensions.push(CertReqExtension::AuthorityNames(names));
302 }
303
304 let m = Message {
305 typ: ContentType::Handshake,
306 version: ProtocolVersion::TLSv1_3,
307 payload: MessagePayload::Handshake(HandshakeMessagePayload {
308 typ: HandshakeType::CertificateRequest,
309 payload: HandshakePayload::CertificateRequestTLS13(cr),
310 }),
311 };
312
313 trace!("Sending CertificateRequest {:?}", m);
314 self.handshake.transcript.add_message(&m);
315 sess.common.send_msg(m, true);
316 Ok(true)
317 }
318
emit_certificate_tls13(&mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey)319 fn emit_certificate_tls13(&mut self,
320 sess: &mut ServerSessionImpl,
321 server_key: &mut sign::CertifiedKey) {
322 let mut cert_entries = vec![];
323 for cert in server_key.take_cert() {
324 let entry = CertificateEntry {
325 cert,
326 exts: Vec::new(),
327 };
328
329 cert_entries.push(entry);
330 }
331
332 if let Some(end_entity_cert) = cert_entries.first_mut() {
333 // Apply OCSP response to first certificate (we don't support OCSP
334 // except for leaf certs).
335 if self.send_cert_status {
336 if let Some(ocsp) = server_key.take_ocsp() {
337 let cst = CertificateStatus::new(ocsp);
338 end_entity_cert.exts.push(CertificateExtension::CertificateStatus(cst));
339 }
340 }
341
342 // Likewise, SCT
343 if self.send_sct {
344 if let Some(sct_list) = server_key.take_sct_list() {
345 end_entity_cert.exts.push(CertificateExtension::make_sct(sct_list));
346 }
347 }
348 }
349
350 let cert_body = CertificatePayloadTLS13::new(cert_entries);
351 let c = Message {
352 typ: ContentType::Handshake,
353 version: ProtocolVersion::TLSv1_3,
354 payload: MessagePayload::Handshake(HandshakeMessagePayload {
355 typ: HandshakeType::Certificate,
356 payload: HandshakePayload::CertificateTLS13(cert_body),
357 }),
358 };
359
360 trace!("sending certificate {:?}", c);
361 self.handshake.transcript.add_message(&c);
362 sess.common.send_msg(c, true);
363 }
364
emit_certificate_verify_tls13(&mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, schemes: &[SignatureScheme]) -> Result<(), TLSError>365 fn emit_certificate_verify_tls13(&mut self,
366 sess: &mut ServerSessionImpl,
367 server_key: &mut sign::CertifiedKey,
368 schemes: &[SignatureScheme])
369 -> Result<(), TLSError> {
370 let mut message = Vec::new();
371 message.resize(64, 0x20u8);
372 message.extend_from_slice(b"TLS 1.3, server CertificateVerify\x00");
373 message.extend_from_slice(&self.handshake.transcript.get_current_hash());
374
375 let signing_key = &server_key.key;
376 let signer = signing_key.choose_scheme(schemes)
377 .ok_or_else(|| hs::incompatible(sess, "no overlapping sigschemes"))?;
378
379 let scheme = signer.get_scheme();
380 let sig = signer.sign(&message)?;
381
382 let cv = DigitallySignedStruct::new(scheme, sig);
383
384 let m = Message {
385 typ: ContentType::Handshake,
386 version: ProtocolVersion::TLSv1_3,
387 payload: MessagePayload::Handshake(HandshakeMessagePayload {
388 typ: HandshakeType::CertificateVerify,
389 payload: HandshakePayload::CertificateVerify(cv),
390 }),
391 };
392
393 trace!("sending certificate-verify {:?}", m);
394 self.handshake.transcript.add_message(&m);
395 sess.common.send_msg(m, true);
396 Ok(())
397 }
398
emit_finished_tls13(&mut self, sess: &mut ServerSessionImpl, key_schedule: KeyScheduleHandshake) -> KeyScheduleTrafficWithClientFinishedPending399 fn emit_finished_tls13(&mut self, sess: &mut ServerSessionImpl,
400 key_schedule: KeyScheduleHandshake) -> KeyScheduleTrafficWithClientFinishedPending {
401 let handshake_hash = self.handshake.transcript.get_current_hash();
402 let verify_data = key_schedule.sign_server_finish(&handshake_hash);
403 let verify_data_payload = Payload::new(verify_data);
404
405 let m = Message {
406 typ: ContentType::Handshake,
407 version: ProtocolVersion::TLSv1_3,
408 payload: MessagePayload::Handshake(HandshakeMessagePayload {
409 typ: HandshakeType::Finished,
410 payload: HandshakePayload::Finished(verify_data_payload),
411 }),
412 };
413
414 trace!("sending finished {:?}", m);
415 self.handshake.transcript.add_message(&m);
416 self.handshake.hash_at_server_fin = self.handshake.transcript.get_current_hash();
417 sess.common.send_msg(m, true);
418
419 // Now move to application data keys. Read key change is deferred until
420 // the Finish message is received & validated.
421 let mut key_schedule_traffic = key_schedule.into_traffic_with_client_finished_pending();
422 let suite = sess.common.get_suite_assert();
423 let write_key = key_schedule_traffic
424 .server_application_traffic_secret(&self.handshake.hash_at_server_fin,
425 &*sess.config.key_log,
426 &self.handshake.randoms.client);
427 sess.common
428 .record_layer
429 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
430
431 key_schedule_traffic
432 .exporter_master_secret(&self.handshake.hash_at_server_fin,
433 &*sess.config.key_log,
434 &self.handshake.randoms.client);
435
436 let _read_key = key_schedule_traffic
437 .client_application_traffic_secret(&self.handshake.hash_at_server_fin,
438 &*sess.config.key_log,
439 &self.handshake.randoms.client);
440
441 #[cfg(feature = "quic")] {
442 sess.common.quic.traffic_secrets = Some(quic::Secrets {
443 client: _read_key,
444 server: write_key,
445 });
446 }
447
448 key_schedule_traffic
449 }
450
attempt_tls13_ticket_decryption(&mut self, sess: &mut ServerSessionImpl, ticket: &[u8]) -> Option<persist::ServerSessionValue>451 fn attempt_tls13_ticket_decryption(&mut self,
452 sess: &mut ServerSessionImpl,
453 ticket: &[u8]) -> Option<persist::ServerSessionValue> {
454 if sess.config.ticketer.enabled() {
455 sess.config
456 .ticketer
457 .decrypt(ticket)
458 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
459 } else {
460 sess.config
461 .session_storage
462 .take(ticket)
463 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
464 }
465 }
466
handle_client_hello(mut self, sess: &mut ServerSessionImpl, sni: Option<webpki::DNSName>, mut server_key: sign::CertifiedKey, chm: &Message) -> hs::NextStateOrError467 pub fn handle_client_hello(mut self,
468 sess: &mut ServerSessionImpl,
469 sni: Option<webpki::DNSName>,
470 mut server_key: sign::CertifiedKey,
471 chm: &Message) -> hs::NextStateOrError {
472 let client_hello = extract_handshake!(chm, HandshakePayload::ClientHello).unwrap();
473
474 if client_hello.compression_methods.len() != 1 {
475 return Err(hs::illegal_param(sess, "client offered wrong compressions"));
476 }
477
478 let groups_ext = client_hello.get_namedgroups_extension()
479 .ok_or_else(|| hs::incompatible(sess, "client didn't describe groups"))?;
480
481 let mut sigschemes_ext = client_hello.get_sigalgs_extension()
482 .ok_or_else(|| hs::incompatible(sess, "client didn't describe sigschemes"))?
483 .clone();
484
485 let tls13_schemes = sign::supported_sign_tls13();
486 sigschemes_ext.retain(|scheme| tls13_schemes.contains(scheme));
487
488 let shares_ext = client_hello.get_keyshare_extension()
489 .ok_or_else(|| hs::incompatible(sess, "client didn't send keyshares"))?;
490
491 if client_hello.has_keyshare_extension_with_duplicates() {
492 return Err(hs::illegal_param(sess, "client sent duplicate keyshares"));
493 }
494
495 let share_groups: Vec<NamedGroup> = shares_ext.iter()
496 .map(|share| share.group)
497 .collect();
498
499 let supported_groups = suites::KeyExchange::supported_groups();
500 let chosen_group = supported_groups
501 .iter()
502 .filter(|group| share_groups.contains(group))
503 .nth(0)
504 .cloned();
505
506 if chosen_group.is_none() {
507 // We don't have a suitable key share. Choose a suitable group and
508 // send a HelloRetryRequest.
509 let retry_group_maybe = supported_groups
510 .iter()
511 .filter(|group| groups_ext.contains(group))
512 .nth(0)
513 .cloned();
514 self.handshake.transcript.add_message(chm);
515
516 if let Some(group) = retry_group_maybe {
517 if self.done_retry {
518 return Err(hs::illegal_param(sess, "did not follow retry request"));
519 }
520
521 self.emit_hello_retry_request(sess, group);
522 self.emit_fake_ccs(sess);
523 return Ok(self.into_expect_retried_client_hello());
524 }
525
526 return Err(hs::incompatible(sess, "no kx group overlap with client"));
527 }
528
529 hs::save_sni(sess, sni);
530
531 let chosen_group = chosen_group.unwrap();
532 let chosen_share = shares_ext.iter()
533 .find(|share| share.group == chosen_group)
534 .unwrap();
535
536 let mut chosen_psk_index = None;
537 let mut resumedata = None;
538 if let Some(psk_offer) = client_hello.get_psk() {
539 if !client_hello.check_psk_ext_is_last() {
540 return Err(hs::illegal_param(sess, "psk extension in wrong position"));
541 }
542
543 if psk_offer.binders.is_empty() {
544 return Err(hs::decode_error(sess, "psk extension missing binder"));
545 }
546
547 if psk_offer.binders.len() != psk_offer.identities.len() {
548 return Err(hs::illegal_param(sess, "psk extension mismatched ids/binders"));
549 }
550
551 for (i, psk_id) in psk_offer.identities.iter().enumerate() {
552 let maybe_resume = self.attempt_tls13_ticket_decryption(sess, &psk_id.identity.0);
553
554 if !hs::can_resume(sess, &self.handshake, &maybe_resume) {
555 continue;
556 }
557
558 let resume = maybe_resume.unwrap();
559
560 if !self.check_binder(sess, chm, &resume.master_secret.0, &psk_offer.binders[i].0) {
561 sess.common.send_fatal_alert(AlertDescription::DecryptError);
562 return Err(TLSError::PeerMisbehavedError("client sent wrong binder".to_string()));
563 }
564
565 chosen_psk_index = Some(i);
566 resumedata = Some(resume);
567 break;
568 }
569 }
570
571 if !client_hello.psk_mode_offered(PSKKeyExchangeMode::PSK_DHE_KE) {
572 warn!("Resumption ignored, DHE_KE not offered");
573 self.send_ticket = false;
574 chosen_psk_index = None;
575 resumedata = None;
576 } else {
577 self.send_ticket = true;
578 }
579
580 if let Some(ref resume) = resumedata {
581 sess.received_resumption_data = Some(resume.application_data.0.clone());
582 }
583
584 let full_handshake = resumedata.is_none();
585 self.handshake.transcript.add_message(chm);
586 let key_schedule = self.emit_server_hello(sess, &client_hello.session_id,
587 chosen_share, chosen_psk_index,
588 resumedata.as_ref().map(|x| &x.master_secret.0[..]))?;
589 if !self.done_retry {
590 self.emit_fake_ccs(sess);
591 }
592 self.emit_encrypted_extensions(sess, &mut server_key, client_hello, resumedata.as_ref())?;
593
594 let doing_client_auth = if full_handshake {
595 let client_auth = self.emit_certificate_req_tls13(sess)?;
596 self.emit_certificate_tls13(sess, &mut server_key);
597 self.emit_certificate_verify_tls13(sess, &mut server_key, &sigschemes_ext)?;
598 client_auth
599 } else {
600 false
601 };
602
603 hs::check_aligned_handshake(sess)?;
604 let key_schedule_traffic = self.emit_finished_tls13(sess, key_schedule);
605
606 if doing_client_auth {
607 Ok(self.into_expect_certificate(key_schedule_traffic))
608 } else {
609 Ok(self.into_expect_finished(key_schedule_traffic))
610 }
611 }
612 }
613
614 pub struct ExpectCertificate {
615 pub handshake: HandshakeDetails,
616 pub key_schedule: KeyScheduleTrafficWithClientFinishedPending,
617 pub send_ticket: bool,
618 }
619
620 impl ExpectCertificate {
into_expect_finished(self) -> hs::NextState621 fn into_expect_finished(self) -> hs::NextState {
622 Box::new(ExpectFinished {
623 key_schedule: self.key_schedule,
624 handshake: self.handshake,
625 send_ticket: self.send_ticket,
626 })
627 }
628
into_expect_certificate_verify(self, cert: ClientCertDetails) -> hs::NextState629 fn into_expect_certificate_verify(self,
630 cert: ClientCertDetails) -> hs::NextState {
631 Box::new(ExpectCertificateVerify {
632 handshake: self.handshake,
633 key_schedule: self.key_schedule,
634 client_cert: cert,
635 send_ticket: self.send_ticket,
636 })
637 }
638 }
639
640 impl hs::State for ExpectCertificate {
check_message(&self, m: &Message) -> hs::CheckResult641 fn check_message(&self, m: &Message) -> hs::CheckResult {
642 check_handshake_message(m, &[HandshakeType::Certificate])
643 }
644
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError645 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
646 let certp = extract_handshake!(m, HandshakePayload::CertificateTLS13).unwrap();
647 self.handshake.transcript.add_message(&m);
648
649 // We don't send any CertificateRequest extensions, so any extensions
650 // here are illegal.
651 if certp.any_entry_has_extension() {
652 return Err(TLSError::PeerMisbehavedError("client sent unsolicited cert extension"
653 .to_string()));
654 }
655
656 let cert_chain = certp.convert();
657
658 let mandatory = sess.config.verifier.client_auth_mandatory(sess.get_sni())
659 .ok_or_else(|| {
660 debug!("could not determine if client auth is mandatory based on SNI");
661 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
662 TLSError::General("client rejected by client_auth_mandatory".into())
663 })?;
664
665 if cert_chain.is_empty() {
666 if !mandatory {
667 debug!("client auth requested but no certificate supplied");
668 self.handshake.transcript.abandon_client_auth();
669 return Ok(self.into_expect_finished());
670 }
671
672 sess.common.send_fatal_alert(AlertDescription::CertificateRequired);
673 return Err(TLSError::NoCertificatesPresented);
674 }
675
676 sess.config.get_verifier().verify_client_cert(&cert_chain, sess.get_sni())
677 .or_else(|err| {
678 hs::incompatible(sess, "certificate invalid");
679 Err(err)
680 })?;
681
682 let cert = ClientCertDetails::new(cert_chain);
683 Ok(self.into_expect_certificate_verify(cert))
684 }
685 }
686
687 pub struct ExpectCertificateVerify {
688 handshake: HandshakeDetails,
689 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
690 client_cert: ClientCertDetails,
691 send_ticket: bool,
692 }
693
694 impl ExpectCertificateVerify {
into_expect_finished(self) -> hs::NextState695 fn into_expect_finished(self) -> hs::NextState {
696 Box::new(ExpectFinished {
697 key_schedule: self.key_schedule,
698 handshake: self.handshake,
699 send_ticket: self.send_ticket,
700 })
701 }
702 }
703
704 impl hs::State for ExpectCertificateVerify {
check_message(&self, m: &Message) -> hs::CheckResult705 fn check_message(&self, m: &Message) -> hs::CheckResult {
706 check_handshake_message(m, &[HandshakeType::CertificateVerify])
707 }
708
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError709 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
710 let rc = {
711 let sig = extract_handshake!(m, HandshakePayload::CertificateVerify).unwrap();
712 let handshake_hash = self.handshake.transcript.get_current_hash();
713 self.handshake.transcript.abandon_client_auth();
714 let certs = &self.client_cert.cert_chain;
715
716 verify::verify_tls13(&certs[0],
717 sig,
718 &handshake_hash,
719 b"TLS 1.3, client CertificateVerify\x00")
720 };
721
722 if let Err(e) = rc {
723 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
724 return Err(e);
725 }
726
727 trace!("client CertificateVerify OK");
728 sess.client_cert_chain = Some(self.client_cert.take_chain());
729
730 self.handshake.transcript.add_message(&m);
731 Ok(self.into_expect_finished())
732 }
733 }
734
735 // --- Process client's Finished ---
get_server_session_value(handshake: &mut HandshakeDetails, key_schedule: &KeyScheduleTraffic, sess: &ServerSessionImpl, nonce: &[u8]) -> persist::ServerSessionValue736 fn get_server_session_value(handshake: &mut HandshakeDetails,
737 key_schedule: &KeyScheduleTraffic,
738 sess: &ServerSessionImpl,
739 nonce: &[u8]) -> persist::ServerSessionValue {
740 let scs = sess.common.get_suite_assert();
741 let version = ProtocolVersion::TLSv1_3;
742
743 let handshake_hash = handshake
744 .transcript
745 .get_current_hash();
746 let secret = key_schedule
747 .resumption_master_secret_and_derive_ticket_psk(&handshake_hash, nonce);
748
749 persist::ServerSessionValue::new(
750 sess.get_sni(), version,
751 scs.suite, secret,
752 &sess.client_cert_chain,
753 sess.alpn_protocol.clone(),
754 sess.resumption_data.clone(),
755 )
756 }
757
758 pub struct ExpectFinished {
759 pub handshake: HandshakeDetails,
760 pub key_schedule: KeyScheduleTrafficWithClientFinishedPending,
761 pub send_ticket: bool,
762 }
763
764 impl ExpectFinished {
into_expect_traffic(fin: verify::FinishedMessageVerified, ks: KeyScheduleTraffic) -> hs::NextState765 fn into_expect_traffic(fin: verify::FinishedMessageVerified, ks: KeyScheduleTraffic) -> hs::NextState {
766 Box::new(ExpectTraffic {
767 key_schedule: ks,
768 want_write_key_update: false,
769 _fin_verified: fin,
770 })
771 }
772
emit_stateless_ticket(handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, key_schedule: &KeyScheduleTraffic)773 fn emit_stateless_ticket(handshake: &mut HandshakeDetails,
774 sess: &mut ServerSessionImpl,
775 key_schedule: &KeyScheduleTraffic) {
776 let nonce = rand::random_vec(32);
777 let plain = get_server_session_value(handshake,
778 key_schedule,
779 sess, &nonce)
780 .get_encoding();
781 let maybe_ticket = sess.config
782 .ticketer
783 .encrypt(&plain);
784 let ticket_lifetime = sess.config.ticketer.get_lifetime();
785
786 if maybe_ticket.is_none() {
787 return;
788 }
789
790 let ticket = maybe_ticket.unwrap();
791 let age_add = rand::random_u32(); // nb, we don't do 0-RTT data, so whatever
792 #[allow(unused_mut)]
793 let mut payload = NewSessionTicketPayloadTLS13::new(ticket_lifetime, age_add, nonce, ticket);
794 #[cfg(feature = "quic")] {
795 if sess.config.max_early_data_size > 0 && sess.common.protocol == Protocol::Quic {
796 payload.exts.push(NewSessionTicketExtension::EarlyData(sess.config.max_early_data_size));
797 }
798 }
799 let m = Message {
800 typ: ContentType::Handshake,
801 version: ProtocolVersion::TLSv1_3,
802 payload: MessagePayload::Handshake(HandshakeMessagePayload {
803 typ: HandshakeType::NewSessionTicket,
804 payload: HandshakePayload::NewSessionTicketTLS13(payload),
805 }),
806 };
807
808 trace!("sending new ticket {:?}", m);
809 handshake.transcript.add_message(&m);
810 sess.common.send_msg(m, true);
811 }
812
emit_stateful_ticket(handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, key_schedule: &KeyScheduleTraffic)813 fn emit_stateful_ticket(handshake: &mut HandshakeDetails,
814 sess: &mut ServerSessionImpl,
815 key_schedule: &KeyScheduleTraffic) {
816 let nonce = rand::random_vec(32);
817 let id = rand::random_vec(32);
818 let plain = get_server_session_value(handshake,
819 key_schedule,
820 sess, &nonce)
821 .get_encoding();
822
823 if sess.config.session_storage.put(id.clone(), plain) {
824 let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
825 let age_add = rand::random_u32();
826 #[allow(unused_mut)]
827 let mut payload = NewSessionTicketPayloadTLS13::new(stateful_lifetime, age_add, nonce, id);
828 #[cfg(feature = "quic")] {
829 if sess.config.max_early_data_size > 0 && sess.common.protocol == Protocol::Quic {
830 payload.exts.push(NewSessionTicketExtension::EarlyData(sess.config.max_early_data_size));
831 }
832 }
833 let m = Message {
834 typ: ContentType::Handshake,
835 version: ProtocolVersion::TLSv1_3,
836 payload: MessagePayload::Handshake(HandshakeMessagePayload {
837 typ: HandshakeType::NewSessionTicket,
838 payload: HandshakePayload::NewSessionTicketTLS13(payload),
839 }),
840 };
841
842 trace!("sending new stateful ticket {:?}", m);
843 handshake.transcript.add_message(&m);
844 sess.common.send_msg(m, true);
845 } else {
846 trace!("resumption not available; not issuing ticket");
847 }
848 }
849 }
850
851 impl hs::State for ExpectFinished {
check_message(&self, m: &Message) -> hs::CheckResult852 fn check_message(&self, m: &Message) -> hs::CheckResult {
853 check_handshake_message(m, &[HandshakeType::Finished])
854 }
855
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError856 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
857 let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
858
859 let handshake_hash = self.handshake.transcript.get_current_hash();
860 let expect_verify_data = self.key_schedule.sign_client_finish(&handshake_hash);
861
862 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
863 .map_err(|_| {
864 sess.common.send_fatal_alert(AlertDescription::DecryptError);
865 warn!("Finished wrong");
866 TLSError::DecryptError
867 })
868 .map(|_| verify::FinishedMessageVerified::assertion())?;
869
870 // nb. future derivations include Client Finished, but not the
871 // main application data keying.
872 self.handshake.transcript.add_message(&m);
873
874 hs::check_aligned_handshake(sess)?;
875
876 let suite = sess.common.get_suite_assert();
877
878 // Install keying to read future messages.
879 let read_key = self.key_schedule
880 .client_application_traffic_secret(&self.handshake.hash_at_server_fin,
881 &*sess.config.key_log,
882 &self.handshake.randoms.client);
883 sess.common
884 .record_layer
885 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
886
887 let key_schedule_traffic = self.key_schedule.into_traffic();
888
889 if self.send_ticket {
890 if sess.config.ticketer.enabled() {
891 Self::emit_stateless_ticket(&mut self.handshake, sess, &key_schedule_traffic);
892 } else {
893 Self::emit_stateful_ticket(&mut self.handshake, sess, &key_schedule_traffic);
894 }
895 }
896
897 sess.common.start_traffic();
898
899 #[cfg(feature = "quic")] {
900 if sess.common.protocol == Protocol::Quic {
901 return Ok(Box::new(ExpectQUICTraffic { _fin_verified: fin }));
902 }
903 }
904
905 Ok(Self::into_expect_traffic(fin, key_schedule_traffic))
906 }
907 }
908
909 // --- Process traffic ---
910 pub struct ExpectTraffic {
911 key_schedule: KeyScheduleTraffic,
912 want_write_key_update: bool,
913 _fin_verified: verify::FinishedMessageVerified,
914 }
915
916 impl ExpectTraffic {
handle_traffic(&self, sess: &mut ServerSessionImpl, mut m: Message) -> Result<(), TLSError>917 fn handle_traffic(&self, sess: &mut ServerSessionImpl, mut m: Message) -> Result<(), TLSError> {
918 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
919 Ok(())
920 }
921
handle_key_update(&mut self, sess: &mut ServerSessionImpl, m: Message) -> Result<(), TLSError>922 fn handle_key_update(&mut self, sess: &mut ServerSessionImpl, m: Message) -> Result<(), TLSError> {
923 let kur = extract_handshake!(m, HandshakePayload::KeyUpdate).unwrap();
924
925 #[cfg(feature = "quic")]
926 {
927 if let Protocol::Quic = sess.common.protocol {
928 sess.common.send_fatal_alert(AlertDescription::UnexpectedMessage);
929 let msg = "KeyUpdate received in QUIC connection".to_string();
930 warn!("{}", msg);
931 return Err(TLSError::PeerMisbehavedError(msg));
932 }
933 }
934
935 hs::check_aligned_handshake(sess)?;
936
937 match kur {
938 KeyUpdateRequest::UpdateNotRequested => {}
939 KeyUpdateRequest::UpdateRequested => {
940 self.want_write_key_update = true;
941 }
942 _ => {
943 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
944 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
945 }
946 }
947
948 // Update our read-side keys.
949 let new_read_key = self.key_schedule.next_client_application_traffic_secret();
950 let suite = sess.common.get_suite_assert();
951 sess.common.record_layer.set_message_decrypter(cipher::new_tls13_read(suite, &new_read_key));
952
953 Ok(())
954 }
955 }
956
957 impl hs::State for ExpectTraffic {
check_message(&self, m: &Message) -> hs::CheckResult958 fn check_message(&self, m: &Message) -> hs::CheckResult {
959 check_message(m,
960 &[ContentType::ApplicationData, ContentType::Handshake],
961 &[HandshakeType::KeyUpdate])
962 }
963
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError964 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
965 if m.is_content_type(ContentType::ApplicationData) {
966 self.handle_traffic(sess, m)?;
967 } else if m.is_handshake_type(HandshakeType::KeyUpdate) {
968 self.handle_key_update(sess, m)?;
969 }
970
971 Ok(self)
972 }
973
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>974 fn export_keying_material(&self,
975 output: &mut [u8],
976 label: &[u8],
977 context: Option<&[u8]>) -> Result<(), TLSError> {
978 self.key_schedule.export_keying_material(output, label, context)
979 }
980
perhaps_write_key_update(&mut self, sess: &mut ServerSessionImpl)981 fn perhaps_write_key_update(&mut self, sess: &mut ServerSessionImpl) {
982 if self.want_write_key_update {
983 self.want_write_key_update = false;
984 sess.common.send_msg_encrypt(Message::build_key_update_notify());
985
986 let write_key = self.key_schedule.next_server_application_traffic_secret();
987 let scs = sess.common.get_suite_assert();
988 sess.common.record_layer.set_message_encrypter(cipher::new_tls13_write(scs, &write_key));
989 }
990 }
991 }
992
993 #[cfg(feature = "quic")]
994 pub struct ExpectQUICTraffic {
995 _fin_verified: verify::FinishedMessageVerified,
996 }
997
998 #[cfg(feature = "quic")]
999 impl hs::State for ExpectQUICTraffic {
check_message(&self, m: &Message) -> hs::CheckResult1000 fn check_message(&self, m: &Message) -> hs::CheckResult {
1001 Err(TLSError::InappropriateMessage {
1002 expect_types: Vec::new(),
1003 got_type: m.typ,
1004 })
1005 }
1006
handle(self: Box<Self>, _: &mut ServerSessionImpl, _: Message) -> hs::NextStateOrError1007 fn handle(self: Box<Self>, _: &mut ServerSessionImpl, _: Message) -> hs::NextStateOrError {
1008 unreachable!("check_message always fails");
1009 }
1010 }
1011