1 use crate::msgs::enums::{ContentType, HandshakeType};
2 use crate::msgs::enums::{ProtocolVersion, AlertDescription};
3 use crate::msgs::message::{Message, MessagePayload};
4 use crate::msgs::base::{Payload, PayloadU8};
5 use crate::msgs::handshake::{HandshakePayload, HandshakeMessagePayload};
6 use crate::msgs::handshake::DecomposedSignatureScheme;
7 use crate::msgs::handshake::ServerKeyExchangePayload;
8 use crate::msgs::handshake::DigitallySignedStruct;
9 use crate::msgs::codec::Codec;
10 use crate::msgs::persist;
11 use crate::msgs::ccs::ChangeCipherSpecPayload;
12 use crate::client::ClientSessionImpl;
13 use crate::session::SessionSecrets;
14 use crate::suites;
15 use crate::verify;
16 use crate::ticketer;
17 #[cfg(feature = "logging")]
18 use crate::log::{debug, trace};
19 use crate::error::TLSError;
20 use crate::check::check_message;
21
22 use crate::client::common::{ServerCertDetails, ServerKXDetails, HandshakeDetails};
23 use crate::client::common::{ReceivedTicketDetails, ClientAuthDetails};
24 use crate::client::hs;
25
26 use std::mem;
27 use ring::constant_time;
28
29 pub struct ExpectCertificate {
30 pub handshake: HandshakeDetails,
31 pub server_cert: ServerCertDetails,
32 pub may_send_cert_status: bool,
33 pub must_issue_new_ticket: bool,
34 }
35
36 impl ExpectCertificate {
into_expect_certificate_status_or_server_kx(self) -> hs::NextState37 fn into_expect_certificate_status_or_server_kx(self) -> hs::NextState {
38 Box::new(ExpectCertificateStatusOrServerKX {
39 handshake: self.handshake,
40 server_cert: self.server_cert,
41 must_issue_new_ticket: self.must_issue_new_ticket,
42 })
43 }
44
into_expect_server_kx(self) -> hs::NextState45 fn into_expect_server_kx(self) -> hs::NextState {
46 Box::new(ExpectServerKX {
47 handshake: self.handshake,
48 server_cert: self.server_cert,
49 must_issue_new_ticket: self.must_issue_new_ticket,
50 })
51 }
52 }
53
54 impl hs::State for ExpectCertificate {
handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError55 fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
56 let cert_chain = require_handshake_msg!(m, HandshakeType::Certificate, HandshakePayload::Certificate)?;
57 self.handshake.transcript.add_message(&m);
58
59 self.server_cert.cert_chain = cert_chain.clone();
60
61 if self.may_send_cert_status {
62 Ok(self.into_expect_certificate_status_or_server_kx())
63 } else {
64 Ok(self.into_expect_server_kx())
65 }
66 }
67 }
68
69 struct ExpectCertificateStatus {
70 handshake: HandshakeDetails,
71 server_cert: ServerCertDetails,
72 must_issue_new_ticket: bool,
73 }
74
75 impl ExpectCertificateStatus {
into_expect_server_kx(self) -> hs::NextState76 fn into_expect_server_kx(self) -> hs::NextState {
77 Box::new(ExpectServerKX {
78 handshake: self.handshake,
79 server_cert: self.server_cert,
80 must_issue_new_ticket: self.must_issue_new_ticket,
81 })
82 }
83 }
84
85 impl hs::State for ExpectCertificateStatus {
handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError86 fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
87 self.handshake.transcript.add_message(&m);
88 let mut status = require_handshake_msg_mut!(m, HandshakeType::CertificateStatus, HandshakePayload::CertificateStatus)?;
89
90 self.server_cert.ocsp_response = status.take_ocsp_response();
91 trace!("Server stapled OCSP response is {:?}", self.server_cert.ocsp_response);
92 Ok(self.into_expect_server_kx())
93 }
94 }
95
96 struct ExpectCertificateStatusOrServerKX {
97 handshake: HandshakeDetails,
98 server_cert: ServerCertDetails,
99 must_issue_new_ticket: bool,
100 }
101
102 impl ExpectCertificateStatusOrServerKX {
into_expect_server_kx(self) -> hs::NextState103 fn into_expect_server_kx(self) -> hs::NextState {
104 Box::new(ExpectServerKX {
105 handshake: self.handshake,
106 server_cert: self.server_cert,
107 must_issue_new_ticket: self.must_issue_new_ticket,
108 })
109 }
110
into_expect_certificate_status(self) -> hs::NextState111 fn into_expect_certificate_status(self) -> hs::NextState {
112 Box::new(ExpectCertificateStatus {
113 handshake: self.handshake,
114 server_cert: self.server_cert,
115 must_issue_new_ticket: self.must_issue_new_ticket,
116 })
117 }
118 }
119
120 impl hs::State for ExpectCertificateStatusOrServerKX {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError121 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
122 check_message(&m,
123 &[ContentType::Handshake],
124 &[HandshakeType::ServerKeyExchange, HandshakeType::CertificateStatus])?;
125 if m.is_handshake_type(HandshakeType::ServerKeyExchange) {
126 self.into_expect_server_kx().handle(sess, m)
127 } else {
128 self.into_expect_certificate_status().handle(sess, m)
129 }
130 }
131 }
132
133 struct ExpectServerKX {
134 handshake: HandshakeDetails,
135 server_cert: ServerCertDetails,
136 must_issue_new_ticket: bool,
137 }
138
139 impl ExpectServerKX {
into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState140 fn into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState {
141 Box::new(ExpectServerDoneOrCertReq {
142 handshake: self.handshake,
143 server_cert: self.server_cert,
144 server_kx: skx,
145 must_issue_new_ticket: self.must_issue_new_ticket,
146 })
147 }
148 }
149
150 impl hs::State for ExpectServerKX {
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError151 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
152 let opaque_kx = require_handshake_msg!(m, HandshakeType::ServerKeyExchange, HandshakePayload::ServerKeyExchange)?;
153 let maybe_decoded_kx = opaque_kx.unwrap_given_kxa(&sess.common.get_suite_assert().kx);
154 self.handshake.transcript.add_message(&m);
155
156 if maybe_decoded_kx.is_none() {
157 sess.common.send_fatal_alert(AlertDescription::DecodeError);
158 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
159 }
160
161 let decoded_kx = maybe_decoded_kx.unwrap();
162
163 // Save the signature and signed parameters for later verification.
164 let mut kx_params = Vec::new();
165 decoded_kx.encode_params(&mut kx_params);
166 let skx = ServerKXDetails::new(kx_params, decoded_kx.get_sig().unwrap());
167
168 #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
169 {
170 if let ServerKeyExchangePayload::ECDHE(ecdhe) = decoded_kx {
171 debug!("ECDHE curve is {:?}", ecdhe.params.curve_params);
172 }
173 }
174
175 Ok(self.into_expect_server_done_or_certreq(skx))
176 }
177 }
178
emit_certificate(handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl)179 fn emit_certificate(handshake: &mut HandshakeDetails,
180 client_auth: &mut ClientAuthDetails,
181 sess: &mut ClientSessionImpl) {
182 let chosen_cert = client_auth.cert.take();
183
184 let cert = Message {
185 typ: ContentType::Handshake,
186 version: ProtocolVersion::TLSv1_2,
187 payload: MessagePayload::Handshake(HandshakeMessagePayload {
188 typ: HandshakeType::Certificate,
189 payload: HandshakePayload::Certificate(chosen_cert.unwrap_or_else(Vec::new)),
190 }),
191 };
192
193 handshake.transcript.add_message(&cert);
194 sess.common.send_msg(cert, false);
195 }
196
emit_clientkx(handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl, kxd: &suites::KeyExchangeResult)197 fn emit_clientkx(handshake: &mut HandshakeDetails,
198 sess: &mut ClientSessionImpl,
199 kxd: &suites::KeyExchangeResult) {
200 let mut buf = Vec::new();
201 let ecpoint = PayloadU8::new(Vec::from(kxd.pubkey.as_ref()));
202 ecpoint.encode(&mut buf);
203 let pubkey = Payload::new(buf);
204
205 let ckx = Message {
206 typ: ContentType::Handshake,
207 version: ProtocolVersion::TLSv1_2,
208 payload: MessagePayload::Handshake(HandshakeMessagePayload {
209 typ: HandshakeType::ClientKeyExchange,
210 payload: HandshakePayload::ClientKeyExchange(pubkey),
211 }),
212 };
213
214 handshake.transcript.add_message(&ckx);
215 sess.common.send_msg(ckx, false);
216 }
217
emit_certverify(handshake: &mut HandshakeDetails, client_auth: &mut ClientAuthDetails, sess: &mut ClientSessionImpl) -> Result<(), TLSError>218 fn emit_certverify(handshake: &mut HandshakeDetails,
219 client_auth: &mut ClientAuthDetails,
220 sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
221 if client_auth.signer.is_none() {
222 trace!("Not sending CertificateVerify, no key");
223 handshake.transcript.abandon_client_auth();
224 return Ok(());
225 }
226
227 let message = handshake.transcript.take_handshake_buf();
228 let signer = client_auth.signer.take().unwrap();
229 let scheme = signer.get_scheme();
230 let sig = signer.sign(&message)?;
231 let body = DigitallySignedStruct::new(scheme, sig);
232
233 let m = Message {
234 typ: ContentType::Handshake,
235 version: ProtocolVersion::TLSv1_2,
236 payload: MessagePayload::Handshake(HandshakeMessagePayload {
237 typ: HandshakeType::CertificateVerify,
238 payload: HandshakePayload::CertificateVerify(body),
239 }),
240 };
241
242 handshake.transcript.add_message(&m);
243 sess.common.send_msg(m, false);
244 Ok(())
245 }
246
emit_ccs(sess: &mut ClientSessionImpl)247 fn emit_ccs(sess: &mut ClientSessionImpl) {
248 let ccs = Message {
249 typ: ContentType::ChangeCipherSpec,
250 version: ProtocolVersion::TLSv1_2,
251 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
252 };
253
254 sess.common.send_msg(ccs, false);
255 }
256
emit_finished(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, sess: &mut ClientSessionImpl)257 fn emit_finished(secrets: &SessionSecrets,
258 handshake: &mut HandshakeDetails,
259 sess: &mut ClientSessionImpl) {
260 let vh = handshake.transcript.get_current_hash();
261 let verify_data = secrets.client_verify_data(&vh);
262 let verify_data_payload = Payload::new(verify_data);
263
264 let f = Message {
265 typ: ContentType::Handshake,
266 version: ProtocolVersion::TLSv1_2,
267 payload: MessagePayload::Handshake(HandshakeMessagePayload {
268 typ: HandshakeType::Finished,
269 payload: HandshakePayload::Finished(verify_data_payload),
270 }),
271 };
272
273 handshake.transcript.add_message(&f);
274 sess.common.send_msg(f, true);
275 }
276
277 // --- Either a CertificateRequest, or a ServerHelloDone. ---
278 // Existence of the CertificateRequest tells us the server is asking for
279 // client auth. Otherwise we go straight to ServerHelloDone.
280 struct ExpectCertificateRequest {
281 handshake: HandshakeDetails,
282 server_cert: ServerCertDetails,
283 server_kx: ServerKXDetails,
284 must_issue_new_ticket: bool,
285 }
286
287 impl ExpectCertificateRequest {
into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState288 fn into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState {
289 Box::new(ExpectServerDone {
290 handshake: self.handshake,
291 server_cert: self.server_cert,
292 server_kx: self.server_kx,
293 client_auth: Some(client_auth),
294 must_issue_new_ticket: self.must_issue_new_ticket,
295 })
296 }
297 }
298
299 impl hs::State for ExpectCertificateRequest {
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError300 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
301 let certreq = require_handshake_msg!(m, HandshakeType::CertificateRequest, HandshakePayload::CertificateRequest)?;
302 self.handshake.transcript.add_message(&m);
303 debug!("Got CertificateRequest {:?}", certreq);
304
305 let mut client_auth = ClientAuthDetails::new();
306
307 // The RFC jovially describes the design here as 'somewhat complicated'
308 // and 'somewhat underspecified'. So thanks for that.
309 //
310 // We ignore certreq.certtypes as a result, since the information it contains
311 // is entirely duplicated in certreq.sigschemes.
312
313 let canames = certreq.canames
314 .iter()
315 .map(|p| p.0.as_slice())
316 .collect::<Vec<&[u8]>>();
317 let maybe_certkey =
318 sess.config.client_auth_cert_resolver.resolve(&canames, &certreq.sigschemes);
319
320 if let Some(mut certkey) = maybe_certkey {
321 let maybe_signer = certkey.key.choose_scheme(&certreq.sigschemes);
322
323 if let Some(_) = &maybe_signer {
324 debug!("Attempting client auth");
325 client_auth.cert = Some(certkey.take_cert());
326 }
327 client_auth.signer = maybe_signer;
328 } else {
329 debug!("Client auth requested but no cert/sigscheme available");
330 }
331
332 Ok(self.into_expect_server_done(client_auth))
333 }
334 }
335
336 struct ExpectServerDoneOrCertReq {
337 handshake: HandshakeDetails,
338 server_cert: ServerCertDetails,
339 server_kx: ServerKXDetails,
340 must_issue_new_ticket: bool,
341 }
342
343 impl ExpectServerDoneOrCertReq {
into_expect_certificate_req(self) -> hs::NextState344 fn into_expect_certificate_req(self) -> hs::NextState {
345 Box::new(ExpectCertificateRequest {
346 handshake: self.handshake,
347 server_cert: self.server_cert,
348 server_kx: self.server_kx,
349 must_issue_new_ticket: self.must_issue_new_ticket,
350 })
351 }
352
into_expect_server_done(self) -> hs::NextState353 fn into_expect_server_done(self) -> hs::NextState {
354 Box::new(ExpectServerDone {
355 handshake: self.handshake,
356 server_cert: self.server_cert,
357 server_kx: self.server_kx,
358 client_auth: None,
359 must_issue_new_ticket: self.must_issue_new_ticket,
360 })
361 }
362 }
363
364 impl hs::State for ExpectServerDoneOrCertReq {
handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError365 fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
366 if require_handshake_msg!(m, HandshakeType::CertificateRequest, HandshakePayload::CertificateRequest).is_ok() {
367 self.into_expect_certificate_req().handle(sess, m)
368 } else {
369 self.handshake.transcript.abandon_client_auth();
370 self.into_expect_server_done().handle(sess, m)
371 }
372 }
373 }
374
375
376 struct ExpectServerDone {
377 handshake: HandshakeDetails,
378 server_cert: ServerCertDetails,
379 server_kx: ServerKXDetails,
380 client_auth: Option<ClientAuthDetails>,
381 must_issue_new_ticket: bool,
382 }
383
384 impl ExpectServerDone {
into_expect_new_ticket(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> hs::NextState385 fn into_expect_new_ticket(self,
386 secrets: SessionSecrets,
387 certv: verify::ServerCertVerified,
388 sigv: verify::HandshakeSignatureValid) -> hs::NextState {
389 Box::new(ExpectNewTicket {
390 secrets,
391 handshake: self.handshake,
392 resuming: false,
393 cert_verified: certv,
394 sig_verified: sigv,
395 })
396 }
397
into_expect_ccs(self, secrets: SessionSecrets, certv: verify::ServerCertVerified, sigv: verify::HandshakeSignatureValid) -> hs::NextState398 fn into_expect_ccs(self,
399 secrets: SessionSecrets,
400 certv: verify::ServerCertVerified,
401 sigv: verify::HandshakeSignatureValid) -> hs::NextState {
402 Box::new(ExpectCCS {
403 secrets,
404 handshake: self.handshake,
405 ticket: ReceivedTicketDetails::new(),
406 resuming: false,
407 cert_verified: certv,
408 sig_verified: sigv,
409 })
410 }
411 }
412
413 impl hs::State for ExpectServerDone {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError414 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
415 let mut st = *self;
416 check_message(&m, &[ContentType::Handshake], &[HandshakeType::ServerHelloDone])?;
417 st.handshake.transcript.add_message(&m);
418
419 hs::check_aligned_handshake(sess)?;
420
421 trace!("Server cert is {:?}", st.server_cert.cert_chain);
422 debug!("Server DNS name is {:?}", st.handshake.dns_name);
423
424 // 1. Verify the cert chain.
425 // 2. Verify any SCTs provided with the certificate.
426 // 3. Verify that the top certificate signed their kx.
427 // 4. If doing client auth, send our Certificate.
428 // 5. Complete the key exchange:
429 // a) generate our kx pair
430 // b) emit a ClientKeyExchange containing it
431 // c) if doing client auth, emit a CertificateVerify
432 // d) emit a CCS
433 // e) derive the shared keys, and start encryption
434 // 6. emit a Finished, our first encrypted message under the new keys.
435
436 // 1.
437 if st.server_cert.cert_chain.is_empty() {
438 return Err(TLSError::NoCertificatesPresented);
439 }
440
441 let certv = sess.config
442 .get_verifier()
443 .verify_server_cert(&sess.config.root_store,
444 &st.server_cert.cert_chain,
445 st.handshake.dns_name.as_ref(),
446 &st.server_cert.ocsp_response)
447 .map_err(|err| hs::send_cert_error_alert(sess, err))?;
448
449 // 2. Verify any included SCTs.
450 match (st.server_cert.scts.as_ref(), sess.config.ct_logs) {
451 (Some(scts), Some(logs)) => {
452 verify::verify_scts(&st.server_cert.cert_chain[0],
453 scts,
454 logs)?;
455 }
456 (_, _) => {}
457 }
458
459 // 3.
460 // Build up the contents of the signed message.
461 // It's ClientHello.random || ServerHello.random || ServerKeyExchange.params
462 let sigv = {
463 let mut message = Vec::new();
464 message.extend_from_slice(&st.handshake.randoms.client);
465 message.extend_from_slice(&st.handshake.randoms.server);
466 message.extend_from_slice(&st.server_kx.kx_params);
467
468 // Check the signature is compatible with the ciphersuite.
469 let sig = &st.server_kx.kx_sig;
470 let scs = sess.common.get_suite_assert();
471 if !scs.usable_for_sigalg(sig.scheme.sign()) {
472 let error_message =
473 format!("peer signed kx with wrong algorithm (got {:?} expect {:?})",
474 sig.scheme.sign(), scs.sign);
475 return Err(TLSError::PeerMisbehavedError(error_message));
476 }
477
478 sess.config
479 .get_verifier()
480 .verify_tls12_signature(&message,
481 &st.server_cert.cert_chain[0],
482 sig)
483 .map_err(|err| hs::send_cert_error_alert(sess, err))?
484 };
485 sess.server_cert_chain = st.server_cert.take_chain();
486
487 // 4.
488 if st.client_auth.is_some() {
489 emit_certificate(&mut st.handshake,
490 st.client_auth.as_mut().unwrap(),
491 sess);
492 }
493
494 // 5a.
495 let kxd = sess.common.get_suite_assert()
496 .do_client_kx(&st.server_kx.kx_params)
497 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
498
499 // 5b.
500 emit_clientkx(&mut st.handshake, sess, &kxd);
501 // nb. EMS handshake hash only runs up to ClientKeyExchange.
502 let handshake_hash = st.handshake.transcript.get_current_hash();
503
504 // 5c.
505 if st.client_auth.is_some() {
506 emit_certverify(&mut st.handshake,
507 st.client_auth.as_mut().unwrap(),
508 sess)?;
509 }
510
511 // 5d.
512 emit_ccs(sess);
513
514 // 5e. Now commit secrets.
515 let hashalg = sess.common.get_suite_assert().get_hash();
516 let secrets = if st.handshake.using_ems {
517 SessionSecrets::new_ems(&st.handshake.randoms,
518 &handshake_hash,
519 hashalg,
520 &kxd.shared_secret)
521 } else {
522 SessionSecrets::new(&st.handshake.randoms,
523 hashalg,
524 &kxd.shared_secret)
525 };
526 sess.config.key_log.log("CLIENT_RANDOM",
527 &secrets.randoms.client,
528 &secrets.master_secret);
529 sess.common.start_encryption_tls12(&secrets);
530 sess.common
531 .record_layer
532 .start_encrypting();
533
534 // 6.
535 emit_finished(&secrets, &mut st.handshake, sess);
536
537 if st.must_issue_new_ticket {
538 Ok(st.into_expect_new_ticket(secrets, certv, sigv))
539 } else {
540 Ok(st.into_expect_ccs(secrets, certv, sigv))
541 }
542 }
543 }
544
545 // -- Waiting for their CCS --
546 pub struct ExpectCCS {
547 pub secrets: SessionSecrets,
548 pub handshake: HandshakeDetails,
549 pub ticket: ReceivedTicketDetails,
550 pub resuming: bool,
551 pub cert_verified: verify::ServerCertVerified,
552 pub sig_verified: verify::HandshakeSignatureValid,
553 }
554
555 impl ExpectCCS {
into_expect_finished(self) -> hs::NextState556 fn into_expect_finished(self) -> hs::NextState {
557 Box::new(ExpectFinished {
558 secrets: self.secrets,
559 handshake: self.handshake,
560 ticket: self.ticket,
561 resuming: self.resuming,
562 cert_verified: self.cert_verified,
563 sig_verified: self.sig_verified,
564 })
565 }
566 }
567
568 impl hs::State for ExpectCCS {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError569 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
570 check_message(&m, &[ContentType::ChangeCipherSpec], &[])?;
571 // CCS should not be received interleaved with fragmented handshake-level
572 // message.
573 hs::check_aligned_handshake(sess)?;
574
575 // nb. msgs layer validates trivial contents of CCS
576 sess.common
577 .record_layer
578 .start_decrypting();
579
580 Ok(self.into_expect_finished())
581 }
582 }
583
584 pub struct ExpectNewTicket {
585 pub secrets: SessionSecrets,
586 pub handshake: HandshakeDetails,
587 pub resuming: bool,
588 pub cert_verified: verify::ServerCertVerified,
589 pub sig_verified: verify::HandshakeSignatureValid,
590 }
591
592 impl ExpectNewTicket {
into_expect_ccs(self, ticket: ReceivedTicketDetails) -> hs::NextState593 fn into_expect_ccs(self, ticket: ReceivedTicketDetails) -> hs::NextState {
594 Box::new(ExpectCCS {
595 secrets: self.secrets,
596 handshake: self.handshake,
597 ticket,
598 resuming: self.resuming,
599 cert_verified: self.cert_verified,
600 sig_verified: self.sig_verified,
601 })
602 }
603 }
604
605 impl hs::State for ExpectNewTicket {
handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError606 fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
607 self.handshake.transcript.add_message(&m);
608
609 let nst = require_handshake_msg_mut!(m, HandshakeType::NewSessionTicket, HandshakePayload::NewSessionTicket)?;
610 let recvd = ReceivedTicketDetails::from(nst.ticket.0, nst.lifetime_hint);
611 Ok(self.into_expect_ccs(recvd))
612 }
613 }
614
615 // -- Waiting for their finished --
save_session(secrets: &SessionSecrets, handshake: &mut HandshakeDetails, recvd_ticket: &mut ReceivedTicketDetails, sess: &mut ClientSessionImpl)616 fn save_session(secrets: &SessionSecrets,
617 handshake: &mut HandshakeDetails,
618 recvd_ticket: &mut ReceivedTicketDetails,
619 sess: &mut ClientSessionImpl) {
620 // Save a ticket. If we got a new ticket, save that. Otherwise, save the
621 // original ticket again.
622 let mut ticket = mem::replace(&mut recvd_ticket.new_ticket, Vec::new());
623 if ticket.is_empty() && handshake.resuming_session.is_some() {
624 ticket = handshake.resuming_session.as_mut().unwrap().take_ticket();
625 }
626
627 if handshake.session_id.is_empty() && ticket.is_empty() {
628 debug!("Session not saved: server didn't allocate id or ticket");
629 return;
630 }
631
632 let key = persist::ClientSessionKey::session_for_dns_name(handshake.dns_name.as_ref());
633
634 let scs = sess.common.get_suite_assert();
635 let master_secret = secrets.get_master_secret();
636 let version = sess.get_protocol_version().unwrap();
637 let mut value = persist::ClientSessionValue::new(version,
638 scs.suite,
639 &handshake.session_id,
640 ticket,
641 master_secret);
642 value.set_times(ticketer::timebase(),
643 recvd_ticket.new_ticket_lifetime,
644 0);
645 if handshake.using_ems {
646 value.set_extended_ms_used();
647 }
648
649 let worked = sess.config.session_persistence.put(key.get_encoding(),
650 value.get_encoding());
651
652 if worked {
653 debug!("Session saved");
654 } else {
655 debug!("Session not saved");
656 }
657 }
658
659 struct ExpectFinished {
660 handshake: HandshakeDetails,
661 ticket: ReceivedTicketDetails,
662 secrets: SessionSecrets,
663 resuming: bool,
664 cert_verified: verify::ServerCertVerified,
665 sig_verified: verify::HandshakeSignatureValid,
666 }
667
668 impl ExpectFinished {
into_expect_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState669 fn into_expect_traffic(self, fin: verify::FinishedMessageVerified) -> hs::NextState {
670 Box::new(ExpectTraffic {
671 secrets: self.secrets,
672 _cert_verified: self.cert_verified,
673 _sig_verified: self.sig_verified,
674 _fin_verified: fin,
675 })
676 }
677 }
678
679 impl hs::State for ExpectFinished {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError680 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
681 let mut st = *self;
682 let finished = require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
683
684 hs::check_aligned_handshake(sess)?;
685
686 // Work out what verify_data we expect.
687 let vh = st.handshake.transcript.get_current_hash();
688 let expect_verify_data = st.secrets
689 .server_verify_data(&vh);
690
691 // Constant-time verification of this is relatively unimportant: they only
692 // get one chance. But it can't hurt.
693 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
694 .map_err(|_| {
695 sess.common.send_fatal_alert(AlertDescription::DecryptError);
696 TLSError::DecryptError
697 })
698 .map(|_| verify::FinishedMessageVerified::assertion())?;
699
700 // Hash this message too.
701 st.handshake.transcript.add_message(&m);
702
703 save_session(&st.secrets,
704 &mut st.handshake,
705 &mut st.ticket,
706 sess);
707
708 if st.resuming {
709 emit_ccs(sess);
710 sess.common
711 .record_layer
712 .start_encrypting();
713 emit_finished(&st.secrets, &mut st.handshake, sess);
714 }
715
716 sess.common.start_traffic();
717 Ok(st.into_expect_traffic(fin))
718 }
719 }
720
721 // -- Traffic transit state --
722 struct ExpectTraffic {
723 secrets: SessionSecrets,
724 _cert_verified: verify::ServerCertVerified,
725 _sig_verified: verify::HandshakeSignatureValid,
726 _fin_verified: verify::FinishedMessageVerified,
727 }
728
729 impl hs::State for ExpectTraffic {
handle(self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message) -> hs::NextStateOrError730 fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, mut m: Message) -> hs::NextStateOrError {
731 check_message(&m, &[ContentType::ApplicationData], &[])?;
732 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
733 Ok(self)
734 }
735
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>736 fn export_keying_material(&self,
737 output: &mut [u8],
738 label: &[u8],
739 context: Option<&[u8]>) -> Result<(), TLSError> {
740 self.secrets.export_keying_material(output, label, context);
741 Ok(())
742 }
743 }
744