1 use crate::msgs::enums::{ContentType, HandshakeType, ExtensionType};
2 use crate::msgs::enums::{Compression, ProtocolVersion, AlertDescription};
3 use crate::msgs::message::{Message, MessagePayload};
4 use crate::msgs::base::Payload;
5 use crate::msgs::handshake::{HandshakePayload, HandshakeMessagePayload, ClientHelloPayload};
6 use crate::msgs::handshake::{SessionID, Random};
7 use crate::msgs::handshake::{ClientExtension, HasServerExtensions};
8 use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
9 use crate::msgs::handshake::{ProtocolNameList, ConvertProtocolNameList};
10 use crate::msgs::handshake::HelloRetryRequest;
11 use crate::msgs::handshake::{CertificateStatusRequest, SCTList};
12 use crate::msgs::enums::{PSKKeyExchangeMode, ECPointFormat};
13 use crate::msgs::codec::{Codec, Reader};
14 use crate::msgs::persist;
15 use crate::client::ClientSessionImpl;
16 use crate::session::SessionSecrets;
17 use crate::key_schedule::{KeyScheduleEarly, KeyScheduleHandshake};
18 use crate::cipher;
19 use crate::suites;
20 use crate::verify;
21 use crate::rand;
22 use crate::ticketer;
23 #[cfg(feature = "logging")]
24 use crate::log::{debug, trace};
25 use crate::check::check_message;
26 use crate::error::TLSError;
27 #[cfg(feature = "quic")]
28 use crate::msgs::base::PayloadU16;
29
30 use crate::client::common::{ServerCertDetails, HandshakeDetails};
31 use crate::client::common::{ClientHelloDetails, ReceivedTicketDetails};
32 use crate::client::{tls12, tls13};
33
34 use webpki;
35
36 pub type NextState = Box<dyn State + Send + Sync>;
37 pub type NextStateOrError = Result<NextState, TLSError>;
38
39 pub trait State {
40 /// Each handle() implementation consumes a whole TLS message, and returns
41 /// either an error or the next state.
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError42 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError;
43
export_keying_material(&self, _output: &mut [u8], _label: &[u8], _context: Option<&[u8]>) -> Result<(), TLSError>44 fn export_keying_material(&self,
45 _output: &mut [u8],
46 _label: &[u8],
47 _context: Option<&[u8]>) -> Result<(), TLSError> {
48 Err(TLSError::HandshakeNotComplete)
49 }
50
perhaps_write_key_update(&mut self, _sess: &mut ClientSessionImpl)51 fn perhaps_write_key_update(&mut self, _sess: &mut ClientSessionImpl) {
52 }
53 }
54
illegal_param(sess: &mut ClientSessionImpl, why: &str) -> TLSError55 pub fn illegal_param(sess: &mut ClientSessionImpl, why: &str) -> TLSError {
56 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
57 TLSError::PeerMisbehavedError(why.to_string())
58 }
59
check_aligned_handshake(sess: &mut ClientSessionImpl) -> Result<(), TLSError>60 pub fn check_aligned_handshake(sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
61 if !sess.common.handshake_joiner.is_empty() {
62 sess.common.send_fatal_alert(AlertDescription::UnexpectedMessage);
63 Err(TLSError::PeerMisbehavedError("key epoch or handshake flight with pending fragment".to_string()))
64 } else {
65 Ok(())
66 }
67 }
68
find_session(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef) -> Option<persist::ClientSessionValue>69 fn find_session(sess: &mut ClientSessionImpl, dns_name: webpki::DNSNameRef)
70 -> Option<persist::ClientSessionValue> {
71 let key = persist::ClientSessionKey::session_for_dns_name(dns_name);
72 let key_buf = key.get_encoding();
73
74 let maybe_value = sess.config.session_persistence.get(&key_buf);
75
76 if maybe_value.is_none() {
77 debug!("No cached session for {:?}", dns_name);
78 return None;
79 }
80
81 let value = maybe_value.unwrap();
82 let mut reader = Reader::init(&value[..]);
83 if let Some(result) = persist::ClientSessionValue::read(&mut reader) {
84 if result.has_expired(ticketer::timebase()) {
85 None
86 } else {
87 #[cfg(feature = "quic")] {
88 if sess.common.is_quic() {
89 let params = PayloadU16::read(&mut reader)?;
90 sess.common.quic.params = Some(params.0);
91 }
92 }
93 Some(result)
94 }
95 } else {
96 None
97 }
98 }
99
random_sessionid() -> SessionID100 fn random_sessionid() -> SessionID {
101 let mut random_id = [0u8; 32];
102 rand::fill_random(&mut random_id);
103 SessionID::new(&random_id)
104 }
105
106 /// If we have a ticket, we use the sessionid as a signal that we're
107 /// doing an abbreviated handshake. See section 3.4 in RFC5077.
random_sessionid_for_ticket(csv: &mut persist::ClientSessionValue)108 fn random_sessionid_for_ticket(csv: &mut persist::ClientSessionValue) {
109 if !csv.ticket.0.is_empty() {
110 csv.session_id = random_sessionid();
111 }
112 }
113
114 struct InitialState {
115 handshake: HandshakeDetails,
116 }
117
118 impl InitialState {
new(host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> InitialState119 fn new(host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> InitialState {
120 InitialState {
121 handshake: HandshakeDetails::new(host_name, extra_exts),
122 }
123 }
124
emit_initial_client_hello(mut self, sess: &mut ClientSessionImpl) -> NextState125 fn emit_initial_client_hello(mut self, sess: &mut ClientSessionImpl) -> NextState {
126 if sess.config.client_auth_cert_resolver.has_certs() {
127 self.handshake.transcript.set_client_auth_enabled();
128 }
129 let hello_details = ClientHelloDetails::new();
130 emit_client_hello_for_retry(sess, self.handshake, hello_details, None)
131 }
132 }
133
134
start_handshake(sess: &mut ClientSessionImpl, host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> NextState135 pub fn start_handshake(sess: &mut ClientSessionImpl, host_name: webpki::DNSName,
136 extra_exts: Vec<ClientExtension>) -> NextState {
137 InitialState::new(host_name, extra_exts)
138 .emit_initial_client_hello(sess)
139 }
140
141 struct ExpectServerHello {
142 handshake: HandshakeDetails,
143 early_key_schedule: Option<KeyScheduleEarly>,
144 hello: ClientHelloDetails,
145 server_cert: ServerCertDetails,
146 may_send_cert_status: bool,
147 must_issue_new_ticket: bool,
148 }
149
150 struct ExpectServerHelloOrHelloRetryRequest(ExpectServerHello);
151
compatible_suite(sess: &ClientSessionImpl, resuming_suite: Option<&suites::SupportedCipherSuite>) -> bool152 pub fn compatible_suite(sess: &ClientSessionImpl,
153 resuming_suite: Option<&suites::SupportedCipherSuite>) -> bool {
154 match resuming_suite {
155 Some(resuming_suite) => {
156 if let Some(suite) = sess.common.get_suite() {
157 suite.can_resume_to(&resuming_suite)
158 } else {
159 true
160 }
161 }
162 None => false
163 }
164 }
165
emit_client_hello_for_retry(sess: &mut ClientSessionImpl, mut handshake: HandshakeDetails, mut hello: ClientHelloDetails, retryreq: Option<&HelloRetryRequest>) -> NextState166 fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl,
167 mut handshake: HandshakeDetails,
168 mut hello: ClientHelloDetails,
169 retryreq: Option<&HelloRetryRequest>) -> NextState {
170 // Do we have a SessionID or ticket cached for this host?
171 handshake.resuming_session = find_session(sess, handshake.dns_name.as_ref());
172 let (session_id, ticket, resume_version) = if handshake.resuming_session.is_some() {
173 let resuming = handshake.resuming_session.as_mut().unwrap();
174 if resuming.version == ProtocolVersion::TLSv1_2 {
175 random_sessionid_for_ticket(resuming);
176 }
177 debug!("Resuming session");
178 (resuming.session_id, resuming.ticket.0.clone(), resuming.version)
179 } else {
180 debug!("Not resuming any session");
181 if handshake.session_id.is_empty() && !sess.common.is_quic() {
182 handshake.session_id = random_sessionid();
183 }
184 (handshake.session_id, Vec::new(), ProtocolVersion::Unknown(0))
185 };
186
187 let support_tls12 = sess.config.supports_version(ProtocolVersion::TLSv1_2);
188 let support_tls13 = sess.config.supports_version(ProtocolVersion::TLSv1_3);
189
190 let mut supported_versions = Vec::new();
191 if support_tls13 {
192 supported_versions.push(ProtocolVersion::TLSv1_3);
193 }
194
195 if support_tls12 {
196 supported_versions.push(ProtocolVersion::TLSv1_2);
197 }
198
199 let mut exts = Vec::new();
200 if !supported_versions.is_empty() {
201 exts.push(ClientExtension::SupportedVersions(supported_versions));
202 }
203 if sess.config.enable_sni {
204 exts.push(ClientExtension::make_sni(handshake.dns_name.as_ref()));
205 }
206 exts.push(ClientExtension::ECPointFormats(ECPointFormatList::supported()));
207 exts.push(ClientExtension::NamedGroups(suites::KeyExchange::supported_groups().to_vec()));
208 exts.push(ClientExtension::SignatureAlgorithms(sess.config.get_verifier().supported_verify_schemes()));
209 exts.push(ClientExtension::ExtendedMasterSecretRequest);
210 exts.push(ClientExtension::CertificateStatusRequest(CertificateStatusRequest::build_ocsp()));
211
212 if sess.config.ct_logs.is_some() {
213 exts.push(ClientExtension::SignedCertificateTimestampRequest);
214 }
215
216 if support_tls13 {
217 tls13::choose_kx_groups(sess, &mut exts, &mut hello, &mut handshake, retryreq);
218 }
219
220 if let Some(cookie) = retryreq.and_then(HelloRetryRequest::get_cookie) {
221 exts.push(ClientExtension::Cookie(cookie.clone()));
222 }
223
224 if support_tls13 && sess.config.enable_tickets {
225 // We could support PSK_KE here too. Such connections don't
226 // have forward secrecy, and are similar to TLS1.2 resumption.
227 let psk_modes = vec![ PSKKeyExchangeMode::PSK_DHE_KE ];
228 exts.push(ClientExtension::PresharedKeyModes(psk_modes));
229 }
230
231 if !sess.config.alpn_protocols.is_empty() {
232 exts.push(ClientExtension::Protocols(ProtocolNameList::from_slices(&sess.config
233 .alpn_protocols
234 .iter()
235 .map(|proto| &proto[..])
236 .collect::<Vec<_>>()
237 )));
238 }
239
240 // Extra extensions must be placed before the PSK extension
241 exts.extend(handshake.extra_exts.iter().cloned());
242
243 let fill_in_binder = if support_tls13 && sess.config.enable_tickets &&
244 resume_version == ProtocolVersion::TLSv1_3 &&
245 !ticket.is_empty() {
246 tls13::prepare_resumption(sess, ticket, &handshake, &mut exts,
247 retryreq.is_some())
248 } else if sess.config.enable_tickets {
249 // If we have a ticket, include it. Otherwise, request one.
250 if ticket.is_empty() {
251 exts.push(ClientExtension::SessionTicketRequest);
252 } else {
253 exts.push(ClientExtension::SessionTicketOffer(Payload::new(ticket)));
254 }
255 false
256 } else {
257 false
258 };
259
260 // Note what extensions we sent.
261 hello.sent_extensions = exts.iter()
262 .map(ClientExtension::get_type)
263 .collect();
264
265 let mut chp = HandshakeMessagePayload {
266 typ: HandshakeType::ClientHello,
267 payload: HandshakePayload::ClientHello(ClientHelloPayload {
268 client_version: ProtocolVersion::TLSv1_2,
269 random: Random::from_slice(&handshake.randoms.client),
270 session_id,
271 cipher_suites: sess.get_cipher_suites(),
272 compression_methods: vec![Compression::Null],
273 extensions: exts,
274 }),
275 };
276
277 let early_key_schedule = if fill_in_binder {
278 Some(tls13::fill_in_psk_binder(sess, &mut handshake, &mut chp))
279 } else {
280 None
281 };
282
283 let ch = Message {
284 typ: ContentType::Handshake,
285 // "This value MUST be set to 0x0303 for all records generated
286 // by a TLS 1.3 implementation other than an initial ClientHello
287 // (i.e., one not generated after a HelloRetryRequest)"
288 version: if retryreq.is_some() {
289 ProtocolVersion::TLSv1_2
290 } else {
291 ProtocolVersion::TLSv1_0
292 },
293 payload: MessagePayload::Handshake(chp),
294 };
295
296 if retryreq.is_some() {
297 // send dummy CCS to fool middleboxes prior
298 // to second client hello
299 tls13::emit_fake_ccs(&mut handshake, sess);
300 }
301
302 trace!("Sending ClientHello {:#?}", ch);
303
304 handshake.transcript.add_message(&ch);
305 sess.common.send_msg(ch, false);
306
307 // Calculate the hash of ClientHello and use it to derive EarlyTrafficSecret
308 if sess.early_data.is_enabled() {
309 // For middlebox compatibility
310 tls13::emit_fake_ccs(&mut handshake, sess);
311
312 // It is safe to call unwrap() because fill_in_binder is true.
313 let resuming_suite = handshake.resuming_session
314 .as_ref()
315 .and_then(|resume| sess.find_cipher_suite(resume.cipher_suite)).unwrap();
316
317 let client_hello_hash = handshake.transcript.get_hash_given(resuming_suite.get_hash(), &[]);
318 let client_early_traffic_secret = early_key_schedule
319 .as_ref()
320 .unwrap()
321 .client_early_traffic_secret(&client_hello_hash,
322 &*sess.config.key_log,
323 &handshake.randoms.client);
324 // Set early data encryption key
325 sess.common
326 .record_layer
327 .set_message_encrypter(cipher::new_tls13_write(resuming_suite, &client_early_traffic_secret));
328
329 #[cfg(feature = "quic")]
330 {
331 sess.common.quic.early_secret = Some(client_early_traffic_secret);
332 }
333
334 // Now the client can send encrypted early data
335 sess.common.early_traffic = true;
336 trace!("Starting early data traffic");
337 }
338
339 let next = ExpectServerHello {
340 handshake,
341 hello,
342 early_key_schedule,
343 server_cert: ServerCertDetails::new(),
344 may_send_cert_status: false,
345 must_issue_new_ticket: false,
346 };
347
348 if support_tls13 && retryreq.is_none() {
349 Box::new(ExpectServerHelloOrHelloRetryRequest(next))
350 } else {
351 Box::new(next)
352 }
353 }
354
process_alpn_protocol(sess: &mut ClientSessionImpl, proto: Option<&[u8]>) -> Result<(), TLSError>355 pub fn process_alpn_protocol(sess: &mut ClientSessionImpl,
356 proto: Option<&[u8]>)
357 -> Result<(), TLSError> {
358 sess.alpn_protocol = proto.map(ToOwned::to_owned);
359 if sess.alpn_protocol.is_some() &&
360 !sess.config.alpn_protocols.contains(sess.alpn_protocol.as_ref().unwrap()) {
361 return Err(illegal_param(sess, "server sent non-offered ALPN protocol"));
362 }
363 debug!("ALPN protocol is {:?}", sess.alpn_protocol);
364 Ok(())
365 }
366
sct_list_is_invalid(scts: &SCTList) -> bool367 pub fn sct_list_is_invalid(scts: &SCTList) -> bool {
368 scts.is_empty() ||
369 scts.iter().any(|sct| sct.0.is_empty())
370 }
371
372 impl ExpectServerHello {
into_expect_tls13_encrypted_extensions(self, key_schedule: KeyScheduleHandshake) -> NextState373 fn into_expect_tls13_encrypted_extensions(self, key_schedule: KeyScheduleHandshake) -> NextState {
374 Box::new(tls13::ExpectEncryptedExtensions {
375 handshake: self.handshake,
376 key_schedule,
377 server_cert: self.server_cert,
378 hello: self.hello,
379 })
380 }
381
into_expect_tls12_new_ticket_resume(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> NextState382 fn into_expect_tls12_new_ticket_resume(self,
383 secrets: SessionSecrets,
384 certv: verify::ServerCertVerified,
385 sigv: verify::HandshakeSignatureValid) -> NextState {
386 Box::new(tls12::ExpectNewTicket {
387 secrets,
388 handshake: self.handshake,
389 resuming: true,
390 cert_verified: certv,
391 sig_verified: sigv,
392 })
393 }
394
into_expect_tls12_ccs_resume(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> NextState395 fn into_expect_tls12_ccs_resume(self,
396 secrets: SessionSecrets,
397 certv: verify::ServerCertVerified,
398 sigv: verify::HandshakeSignatureValid) -> NextState {
399 Box::new(tls12::ExpectCCS {
400 secrets,
401 handshake: self.handshake,
402 ticket: ReceivedTicketDetails::new(),
403 resuming: true,
404 cert_verified: certv,
405 sig_verified: sigv,
406 })
407 }
408
into_expect_tls12_certificate(self) -> NextState409 fn into_expect_tls12_certificate(self) -> NextState {
410 Box::new(tls12::ExpectCertificate {
411 handshake: self.handshake,
412 server_cert: self.server_cert,
413 may_send_cert_status: self.may_send_cert_status,
414 must_issue_new_ticket: self.must_issue_new_ticket,
415 })
416 }
417 }
418
419 impl State for ExpectServerHello {
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError420 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
421 let server_hello = require_handshake_msg!(m, HandshakeType::ServerHello, HandshakePayload::ServerHello)?;
422 trace!("We got ServerHello {:#?}", server_hello);
423
424 use crate::ProtocolVersion::{TLSv1_2, TLSv1_3};
425 let tls13_supported = sess.config.supports_version(TLSv1_3);
426
427 let server_version = if server_hello.legacy_version == TLSv1_2 {
428 server_hello.get_supported_versions()
429 .unwrap_or(server_hello.legacy_version)
430 } else {
431 server_hello.legacy_version
432 };
433
434 match server_version {
435 TLSv1_3 if tls13_supported => {
436 sess.common.negotiated_version = Some(TLSv1_3);
437 }
438 TLSv1_2 if sess.config.supports_version(TLSv1_2) => {
439 if sess.early_data.is_enabled() && sess.common.early_traffic {
440 // The client must fail with a dedicated error code if the server
441 // responds with TLS 1.2 when offering 0-RTT.
442 return Err(TLSError::PeerMisbehavedError("server chose v1.2 when offering 0-rtt"
443 .to_string()));
444 }
445 sess.common.negotiated_version = Some(TLSv1_2);
446
447 if server_hello.get_supported_versions().is_some() {
448 return Err(illegal_param(sess, "server chose v1.2 using v1.3 extension"));
449 }
450 }
451 _ => {
452 sess.common.send_fatal_alert(AlertDescription::ProtocolVersion);
453 return Err(TLSError::PeerIncompatibleError("server does not support TLS v1.2/v1.3"
454 .to_string()));
455 }
456 };
457
458 if server_hello.compression_method != Compression::Null {
459 return Err(illegal_param(sess, "server chose non-Null compression"));
460 }
461
462 if server_hello.has_duplicate_extension() {
463 sess.common.send_fatal_alert(AlertDescription::DecodeError);
464 return Err(TLSError::PeerMisbehavedError("server sent duplicate extensions".to_string()));
465 }
466
467 let allowed_unsolicited = [ ExtensionType::RenegotiationInfo ];
468 if self.hello.server_sent_unsolicited_extensions(&server_hello.extensions,
469 &allowed_unsolicited) {
470 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
471 return Err(TLSError::PeerMisbehavedError("server sent unsolicited extension".to_string()));
472 }
473
474 // Extract ALPN protocol
475 if !sess.common.is_tls13() {
476 process_alpn_protocol(sess, server_hello.get_alpn_protocol())?;
477 }
478
479 // If ECPointFormats extension is supplied by the server, it must contain
480 // Uncompressed. But it's allowed to be omitted.
481 if let Some(point_fmts) = server_hello.get_ecpoints_extension() {
482 if !point_fmts.contains(&ECPointFormat::Uncompressed) {
483 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
484 return Err(TLSError::PeerMisbehavedError("server does not support uncompressed points"
485 .to_string()));
486 }
487 }
488
489 let scs = sess.find_cipher_suite(server_hello.cipher_suite);
490
491 if scs.is_none() {
492 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
493 return Err(TLSError::PeerMisbehavedError("server chose non-offered ciphersuite"
494 .to_string()));
495 }
496
497 debug!("Using ciphersuite {:?}", server_hello.cipher_suite);
498 if !sess.common.set_suite(scs.unwrap()) {
499 return Err(illegal_param(sess, "server varied selected ciphersuite"));
500 }
501
502 let version = sess.common.negotiated_version.unwrap();
503 if !sess.common.get_suite_assert().usable_for_version(version) {
504 return Err(illegal_param(sess, "server chose unusable ciphersuite for version"));
505 }
506
507 // Start our handshake hash, and input the server-hello.
508 let starting_hash = sess.common.get_suite_assert().get_hash();
509 self.handshake.transcript.start_hash(starting_hash);
510 self.handshake.transcript.add_message(&m);
511
512 // For TLS1.3, start message encryption using
513 // handshake_traffic_secret.
514 if sess.common.is_tls13() {
515 tls13::validate_server_hello(sess, &server_hello)?;
516 let key_schedule = tls13::start_handshake_traffic(sess,
517 self.early_key_schedule.take(),
518 &server_hello,
519 &mut self.handshake,
520 &mut self.hello)?;
521 tls13::emit_fake_ccs(&mut self.handshake, sess);
522 return Ok(self.into_expect_tls13_encrypted_extensions(key_schedule));
523 }
524
525 // TLS1.2 only from here-on
526
527 // Save ServerRandom and SessionID
528 server_hello.random.write_slice(&mut self.handshake.randoms.server);
529 self.handshake.session_id = server_hello.session_id;
530
531 // Look for TLS1.3 downgrade signal in server random
532 if tls13_supported && self.handshake.randoms.has_tls12_downgrade_marker() {
533 return Err(illegal_param(sess, "downgrade to TLS1.2 when TLS1.3 is supported"));
534 }
535
536 // Doing EMS?
537 if server_hello.ems_support_acked() {
538 self.handshake.using_ems = true;
539 }
540
541 // Might the server send a ticket?
542 let with_tickets = if server_hello.find_extension(ExtensionType::SessionTicket).is_some() {
543 debug!("Server supports tickets");
544 true
545 } else {
546 false
547 };
548 self.must_issue_new_ticket = with_tickets;
549
550 // Might the server send a CertificateStatus between Certificate and
551 // ServerKeyExchange?
552 if server_hello.find_extension(ExtensionType::StatusRequest).is_some() {
553 debug!("Server may staple OCSP response");
554 self.may_send_cert_status = true;
555 }
556
557 // Save any sent SCTs for verification against the certificate.
558 if let Some(sct_list) = server_hello.get_sct_list() {
559 debug!("Server sent {:?} SCTs", sct_list.len());
560
561 if sct_list_is_invalid(sct_list) {
562 let error_msg = "server sent invalid SCT list".to_string();
563 return Err(TLSError::PeerMisbehavedError(error_msg));
564 }
565 self.server_cert.scts = Some(sct_list.clone());
566 }
567
568 // See if we're successfully resuming.
569 if let Some(ref resuming) = self.handshake.resuming_session {
570 if resuming.session_id == self.handshake.session_id {
571 debug!("Server agreed to resume");
572
573 // Is the server telling lies about the ciphersuite?
574 if resuming.cipher_suite != scs.unwrap().suite {
575 let error_msg = "abbreviated handshake offered, but with varied cs".to_string();
576 return Err(TLSError::PeerMisbehavedError(error_msg));
577 }
578
579 // And about EMS support?
580 if resuming.extended_ms != self.handshake.using_ems {
581 let error_msg = "server varied ems support over resume".to_string();
582 return Err(TLSError::PeerMisbehavedError(error_msg));
583 }
584
585 let secrets = SessionSecrets::new_resume(&self.handshake.randoms,
586 scs.unwrap().get_hash(),
587 &resuming.master_secret.0);
588 sess.config.key_log.log("CLIENT_RANDOM",
589 &secrets.randoms.client,
590 &secrets.master_secret);
591 sess.common.start_encryption_tls12(&secrets);
592
593 // Since we're resuming, we verified the certificate and
594 // proof of possession in the prior session.
595 let certv = verify::ServerCertVerified::assertion();
596 let sigv = verify::HandshakeSignatureValid::assertion();
597
598 return if self.must_issue_new_ticket {
599 Ok(self.into_expect_tls12_new_ticket_resume(secrets, certv, sigv))
600 } else {
601 Ok(self.into_expect_tls12_ccs_resume(secrets, certv, sigv))
602 };
603 }
604 }
605
606 Ok(self.into_expect_tls12_certificate())
607 }
608 }
609
610 impl ExpectServerHelloOrHelloRetryRequest {
into_expect_server_hello(self) -> NextState611 fn into_expect_server_hello(self) -> NextState {
612 Box::new(self.0)
613 }
614
handle_hello_retry_request(mut self, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError615 fn handle_hello_retry_request(mut self, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
616 let hrr = require_handshake_msg!(m, HandshakeType::HelloRetryRequest, HandshakePayload::HelloRetryRequest)?;
617 trace!("Got HRR {:?}", hrr);
618
619 check_aligned_handshake(sess)?;
620
621 let has_cookie = hrr.get_cookie().is_some();
622 let req_group = hrr.get_requested_key_share_group();
623
624 // A retry request is illegal if it contains no cookie and asks for
625 // retry of a group we already sent.
626 if !has_cookie && req_group.map(|g| self.0.hello.has_key_share(g)).unwrap_or(false) {
627 return Err(illegal_param(sess, "server requested hrr with our group"));
628 }
629
630 // Or asks for us to retry on an unsupported group.
631 if let Some(group) = req_group {
632 if !suites::KeyExchange::supported_groups().contains(&group) {
633 return Err(illegal_param(sess, "server requested hrr with bad group"));
634 }
635 }
636
637 // Or has an empty cookie.
638 if has_cookie && hrr.get_cookie().unwrap().0.is_empty() {
639 return Err(illegal_param(sess, "server requested hrr with empty cookie"));
640 }
641
642 // Or has something unrecognised
643 if hrr.has_unknown_extension() {
644 sess.common.send_fatal_alert(AlertDescription::UnsupportedExtension);
645 return Err(TLSError::PeerIncompatibleError("server sent hrr with unhandled extension"
646 .to_string()));
647 }
648
649 // Or has the same extensions more than once
650 if hrr.has_duplicate_extension() {
651 return Err(illegal_param(sess, "server send duplicate hrr extensions"));
652 }
653
654 // Or asks us to change nothing.
655 if !has_cookie && req_group.is_none() {
656 return Err(illegal_param(sess, "server requested hrr with no changes"));
657 }
658
659 // Or asks us to talk a protocol we didn't offer, or doesn't support HRR at all.
660 match hrr.get_supported_versions() {
661 Some(ProtocolVersion::TLSv1_3) => {
662 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_3);
663 }
664 _ => {
665 return Err(illegal_param(sess, "server requested unsupported version in hrr"));
666 }
667 }
668
669 // Or asks us to use a ciphersuite we didn't offer.
670 let maybe_cs = sess.find_cipher_suite(hrr.cipher_suite);
671 let cs = match maybe_cs {
672 Some(cs) => cs,
673 None => {
674 return Err(illegal_param(sess, "server requested unsupported cs in hrr"));
675 }
676 };
677
678 // HRR selects the ciphersuite.
679 sess.common.set_suite(cs);
680
681 // This is the draft19 change where the transcript became a tree
682 self.0.handshake.transcript.start_hash(cs.get_hash());
683 self.0.handshake.transcript.rollup_for_hrr();
684 self.0.handshake.transcript.add_message(&m);
685
686 // Early data is not alllowed after HelloRetryrequest
687 if sess.early_data.is_enabled() {
688 sess.early_data.rejected();
689 }
690
691 Ok(emit_client_hello_for_retry(sess,
692 self.0.handshake,
693 self.0.hello,
694 Some(&hrr)))
695 }
696 }
697
698 impl State for ExpectServerHelloOrHelloRetryRequest {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError699 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
700 check_message(&m,
701 &[ContentType::Handshake],
702 &[HandshakeType::ServerHello, HandshakeType::HelloRetryRequest])?;
703 if m.is_handshake_type(HandshakeType::ServerHello) {
704 self.into_expect_server_hello().handle(sess, m)
705 } else {
706 self.handle_hello_retry_request(sess, m)
707 }
708 }
709 }
710
send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError711 pub fn send_cert_error_alert(sess: &mut ClientSessionImpl, err: TLSError) -> TLSError {
712 match err {
713 TLSError::WebPKIError(webpki::Error::BadDER) => {
714 sess.common.send_fatal_alert(AlertDescription::DecodeError);
715 }
716 TLSError::PeerMisbehavedError(_) => {
717 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
718 }
719 _ => {
720 sess.common.send_fatal_alert(AlertDescription::BadCertificate);
721 }
722 };
723
724 err
725 }
726