1 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
2 use crate::msgs::enums::{Compression, NamedGroup, ECPointFormat, CipherSuite};
3 use crate::msgs::enums::{ExtensionType, AlertDescription};
4 use crate::msgs::enums::{ClientCertificateType, SignatureScheme};
5 use crate::msgs::message::{Message, MessagePayload};
6 use crate::msgs::handshake::{HandshakePayload, SupportedSignatureSchemes};
7 use crate::msgs::handshake::{HandshakeMessagePayload, ServerHelloPayload, Random};
8 use crate::msgs::handshake::{ClientHelloPayload, ServerExtension, SessionID};
9 use crate::msgs::handshake::{ConvertProtocolNameList, ConvertServerNameList};
10 use crate::msgs::handshake::ClientExtension;
11 use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
12 use crate::msgs::handshake::{ServerECDHParams, DigitallySignedStruct};
13 use crate::msgs::handshake::{ServerKeyExchangePayload, ECDHEServerKeyExchange};
14 use crate::msgs::handshake::CertificateRequestPayload;
15 use crate::msgs::handshake::CertificateStatus;
16 use crate::msgs::codec::Codec;
17 use crate::msgs::persist;
18 use crate::session::SessionSecrets;
19 use crate::server::{ServerSessionImpl, ServerConfig, ClientHello};
20 use crate::suites;
21 use crate::rand;
22 use crate::sign;
23 #[cfg(feature = "logging")]
24 use crate::log::{trace, debug};
25 use crate::error::TLSError;
26 use webpki;
27 #[cfg(feature = "quic")]
28 use crate::session::Protocol;
29
30 use crate::server::common::{HandshakeDetails, ServerKXDetails};
31 use crate::server::{tls12, tls13};
32
33 pub type NextState = Box<dyn State + Send + Sync>;
34 pub type NextStateOrError = Result<NextState, TLSError>;
35
36 pub trait State {
handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError37 fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError;
38
export_keying_material(&self, _output: &mut [u8], _label: &[u8], _context: Option<&[u8]>) -> Result<(), TLSError>39 fn export_keying_material(&self,
40 _output: &mut [u8],
41 _label: &[u8],
42 _context: Option<&[u8]>) -> Result<(), TLSError> {
43 Err(TLSError::HandshakeNotComplete)
44 }
45
perhaps_write_key_update(&mut self, _sess: &mut ServerSessionImpl)46 fn perhaps_write_key_update(&mut self, _sess: &mut ServerSessionImpl) {
47 }
48 }
49
incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError50 pub fn incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
51 sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
52 TLSError::PeerIncompatibleError(why.to_string())
53 }
54
bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError55 fn bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
56 sess.common.send_fatal_alert(AlertDescription::ProtocolVersion);
57 TLSError::PeerIncompatibleError(why.to_string())
58 }
59
illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError60 pub fn illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
61 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
62 TLSError::PeerMisbehavedError(why.to_string())
63 }
64
decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError65 pub fn decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
66 sess.common.send_fatal_alert(AlertDescription::DecodeError);
67 TLSError::PeerMisbehavedError(why.to_string())
68 }
69
can_resume(sess: &ServerSessionImpl, handshake: &HandshakeDetails, resumedata: &Option<persist::ServerSessionValue>) -> bool70 pub fn can_resume(sess: &ServerSessionImpl,
71 handshake: &HandshakeDetails,
72 resumedata: &Option<persist::ServerSessionValue>) -> bool {
73 // The RFCs underspecify what happens if we try to resume to
74 // an unoffered/varying suite. We merely don't resume in weird cases.
75 //
76 // RFC 6066 says "A server that implements this extension MUST NOT accept
77 // the request to resume the session if the server_name extension contains
78 // a different name. Instead, it proceeds with a full handshake to
79 // establish a new session."
80
81 if let Some(ref resume) = *resumedata {
82 resume.cipher_suite == sess.common.get_suite_assert().suite &&
83 (resume.extended_ms == handshake.using_ems ||
84 (resume.extended_ms && !handshake.using_ems)) &&
85 same_dns_name_or_both_none(resume.sni.as_ref(), sess.sni.as_ref())
86 } else {
87 false
88 }
89 }
90
91 // Require an exact match for the purpose of comparing SNI DNS Names from two
92 // client hellos, even though a case-insensitive comparison might also be OK.
same_dns_name_or_both_none(a: Option<&webpki::DNSName>, b: Option<&webpki::DNSName>) -> bool93 fn same_dns_name_or_both_none(a: Option<&webpki::DNSName>,
94 b: Option<&webpki::DNSName>) -> bool {
95 match (a, b) {
96 (Some(a), Some(b)) => {
97 let a: &str = a.as_ref().into();
98 let b: &str = b.as_ref().into();
99 a == b
100 },
101 (None, None) => true,
102 _ => false,
103 }
104 }
105
106 // Changing the keys must not span any fragmented handshake
107 // messages. Otherwise the defragmented messages will have
108 // been protected with two different record layer protections,
109 // which is illegal. Not mentioned in RFC.
check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError>110 pub fn check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError> {
111 if !sess.common.handshake_joiner.is_empty() {
112 sess.common.send_fatal_alert(AlertDescription::UnexpectedMessage);
113 Err(TLSError::PeerMisbehavedError("key epoch or handshake flight with pending fragment".to_string()))
114 } else {
115 Ok(())
116 }
117 }
118
save_sni(sess: &mut ServerSessionImpl, sni: Option<webpki::DNSName>)119 pub fn save_sni(sess: &mut ServerSessionImpl,
120 sni: Option<webpki::DNSName>) {
121 if let Some(sni) = sni {
122 // Save the SNI into the session.
123 sess.set_sni(sni);
124 }
125 }
126
127 #[derive(Default)]
128 pub struct ExtensionProcessing {
129 // extensions to reply with
130 pub exts: Vec<ServerExtension>,
131
132 // effects on later handshake steps
133 pub send_cert_status: bool,
134 pub send_sct: bool,
135 pub send_ticket: bool,
136 }
137
138 impl ExtensionProcessing {
new() -> Self139 pub fn new() -> Self { Default::default() }
140
process_common(&mut self, sess: &mut ServerSessionImpl, server_key: Option<&mut sign::CertifiedKey>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>, handshake: &HandshakeDetails) -> Result<(), TLSError>141 pub fn process_common(&mut self,
142 sess: &mut ServerSessionImpl,
143 server_key: Option<&mut sign::CertifiedKey>,
144 hello: &ClientHelloPayload,
145 resumedata: Option<&persist::ServerSessionValue>,
146 handshake: &HandshakeDetails)
147 -> Result<(), TLSError> {
148 // ALPN
149 let our_protocols = &sess.config.alpn_protocols;
150 let maybe_their_protocols = hello.get_alpn_extension();
151 if let Some(their_protocols) = maybe_their_protocols {
152 let their_protocols = their_protocols.to_slices();
153
154 if their_protocols.iter().any(|protocol| protocol.is_empty()) {
155 return Err(TLSError::PeerMisbehavedError("client offered empty ALPN protocol"
156 .to_string()));
157 }
158
159 sess.alpn_protocol = our_protocols.iter()
160 .filter(|protocol| their_protocols.contains(&protocol.as_slice()))
161 .nth(0)
162 .cloned();
163 if let Some(ref selected_protocol) = sess.alpn_protocol {
164 debug!("Chosen ALPN protocol {:?}", selected_protocol);
165 self.exts.push(ServerExtension::make_alpn(&[selected_protocol]));
166 } else {
167 // For compatibility, strict ALPN validation is not employed unless targeting QUIC
168 #[cfg(feature = "quic")] {
169 if sess.common.protocol == Protocol::Quic && !our_protocols.is_empty() {
170 sess.common.send_fatal_alert(AlertDescription::NoApplicationProtocol);
171 return Err(TLSError::NoApplicationProtocol);
172 }
173 }
174 }
175 }
176
177 #[cfg(feature = "quic")] {
178 if sess.common.protocol == Protocol::Quic {
179 if let Some(params) = hello.get_quic_params_extension() {
180 sess.common.quic.params = Some(params);
181 }
182
183 if let Some(resume) = resumedata {
184 if sess.config.max_early_data_size > 0
185 && hello.early_data_extension_offered()
186 && resume.version == sess.common.negotiated_version.unwrap()
187 && resume.cipher_suite == sess.common.get_suite_assert().suite
188 && resume.alpn.as_ref().map(|x| &x.0) == sess.alpn_protocol.as_ref()
189 && !sess.reject_early_data
190 {
191 self.exts.push(ServerExtension::EarlyData);
192 } else {
193 // Clobber value set in tls13::emit_server_hello
194 sess.common.quic.early_secret = None;
195 }
196 }
197 }
198 }
199
200 let for_resume = resumedata.is_some();
201 // SNI
202 if !for_resume && hello.get_sni_extension().is_some() {
203 self.exts.push(ServerExtension::ServerNameAck);
204 }
205
206 if let Some(server_key) = server_key {
207 // Send status_request response if we have one. This is not allowed
208 // if we're resuming, and is only triggered if we have an OCSP response
209 // to send.
210 if !for_resume &&
211 hello.find_extension(ExtensionType::StatusRequest).is_some() &&
212 server_key.has_ocsp() {
213 self.send_cert_status = true;
214
215 if !sess.common.is_tls13() {
216 // Only TLS1.2 sends confirmation in ServerHello
217 self.exts.push(ServerExtension::CertificateStatusAck);
218 }
219 }
220
221 if !for_resume &&
222 hello.find_extension(ExtensionType::SCT).is_some() &&
223 server_key.has_sct_list() {
224 self.send_sct = true;
225
226 if !sess.common.is_tls13() {
227 let sct_list = server_key
228 .take_sct_list()
229 .unwrap();
230 self.exts.push(ServerExtension::make_sct(sct_list));
231 }
232 }
233 }
234
235 if !sess.common.is_tls13() {
236 }
237
238 self.exts.extend(handshake.extra_exts.iter().cloned());
239
240 Ok(())
241 }
242
process_tls12(&mut self, sess: &ServerSessionImpl, hello: &ClientHelloPayload, handshake: &HandshakeDetails)243 fn process_tls12(&mut self, sess: &ServerSessionImpl, hello: &ClientHelloPayload,
244 handshake: &HandshakeDetails) {
245 // Renegotiation.
246 // (We don't do reneg at all, but would support the secure version if we did.)
247 let secure_reneg_offered =
248 hello.find_extension(ExtensionType::RenegotiationInfo).is_some() ||
249 hello.cipher_suites.contains(&CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
250
251 if secure_reneg_offered {
252 self.exts.push(ServerExtension::make_empty_renegotiation_info());
253 }
254
255 // Tickets:
256 // If we get any SessionTicket extension and have tickets enabled,
257 // we send an ack.
258 if hello.find_extension(ExtensionType::SessionTicket).is_some() &&
259 sess.config.ticketer.enabled() {
260 self.send_ticket = true;
261 self.exts.push(ServerExtension::SessionTicketAck);
262 }
263
264 // Confirm use of EMS if offered.
265 if handshake.using_ems {
266 self.exts.push(ServerExtension::ExtendedMasterSecretAck);
267 }
268 }
269 }
270
271 pub struct ExpectClientHello {
272 pub handshake: HandshakeDetails,
273 pub done_retry: bool,
274 pub send_cert_status: bool,
275 pub send_sct: bool,
276 pub send_ticket: bool,
277 }
278
279 impl ExpectClientHello {
new(server_config: &ServerConfig, extra_exts: Vec<ServerExtension>) -> ExpectClientHello280 pub fn new(server_config: &ServerConfig, extra_exts: Vec<ServerExtension>) -> ExpectClientHello {
281 let mut ech = ExpectClientHello {
282 handshake: HandshakeDetails::new(extra_exts),
283 done_retry: false,
284 send_cert_status: false,
285 send_sct: false,
286 send_ticket: false,
287 };
288
289 if server_config.verifier.offer_client_auth() {
290 ech.handshake.transcript.set_client_auth_enabled();
291 }
292
293 ech
294 }
295
into_expect_tls12_ccs(self, secrets: SessionSecrets) -> NextState296 fn into_expect_tls12_ccs(self, secrets: SessionSecrets) -> NextState {
297 Box::new(tls12::ExpectCCS {
298 secrets,
299 handshake: self.handshake,
300 resuming: true,
301 send_ticket: self.send_ticket,
302 })
303 }
304
into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling305 fn into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling {
306 tls13::CompleteClientHelloHandling {
307 handshake: self.handshake,
308 done_retry: self.done_retry,
309 send_cert_status: self.send_cert_status,
310 send_sct: self.send_sct,
311 send_ticket: self.send_ticket,
312 }
313 }
314
into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState315 fn into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState {
316 Box::new(tls12::ExpectCertificate {
317 handshake: self.handshake,
318 server_kx: ServerKXDetails::new(kx),
319 send_ticket: self.send_ticket,
320 })
321 }
322
into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState323 fn into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState {
324 Box::new(tls12::ExpectClientKX {
325 handshake: self.handshake,
326 server_kx: ServerKXDetails::new(kx),
327 client_cert: None,
328 send_ticket: self.send_ticket,
329 })
330 }
331
emit_server_hello(&mut self, sess: &mut ServerSessionImpl, server_key: Option<&mut sign::CertifiedKey>, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>) -> Result<(), TLSError>332 fn emit_server_hello(&mut self,
333 sess: &mut ServerSessionImpl,
334 server_key: Option<&mut sign::CertifiedKey>,
335 hello: &ClientHelloPayload,
336 resumedata: Option<&persist::ServerSessionValue>)
337 -> Result<(), TLSError> {
338 let mut ep = ExtensionProcessing::new();
339 ep.process_common(sess, server_key, hello, resumedata, &self.handshake)?;
340 ep.process_tls12(sess, hello, &self.handshake);
341
342 self.send_ticket = ep.send_ticket;
343 self.send_cert_status = ep.send_cert_status;
344 self.send_sct = ep.send_sct;
345
346 let sh = Message {
347 typ: ContentType::Handshake,
348 version: ProtocolVersion::TLSv1_2,
349 payload: MessagePayload::Handshake(HandshakeMessagePayload {
350 typ: HandshakeType::ServerHello,
351 payload: HandshakePayload::ServerHello(ServerHelloPayload {
352 legacy_version: ProtocolVersion::TLSv1_2,
353 random: Random::from_slice(&self.handshake.randoms.server),
354 session_id: self.handshake.session_id,
355 cipher_suite: sess.common.get_suite_assert().suite,
356 compression_method: Compression::Null,
357 extensions: ep.exts,
358 }),
359 }),
360 };
361
362 trace!("sending server hello {:?}", sh);
363 self.handshake.transcript.add_message(&sh);
364 sess.common.send_msg(sh, false);
365 Ok(())
366 }
367
emit_certificate(&mut self, sess: &mut ServerSessionImpl, server_certkey: &mut sign::CertifiedKey)368 fn emit_certificate(&mut self,
369 sess: &mut ServerSessionImpl,
370 server_certkey: &mut sign::CertifiedKey) {
371 let cert_chain = server_certkey.take_cert();
372
373 let c = Message {
374 typ: ContentType::Handshake,
375 version: ProtocolVersion::TLSv1_2,
376 payload: MessagePayload::Handshake(HandshakeMessagePayload {
377 typ: HandshakeType::Certificate,
378 payload: HandshakePayload::Certificate(cert_chain),
379 }),
380 };
381
382 self.handshake.transcript.add_message(&c);
383 sess.common.send_msg(c, false);
384 }
385
emit_cert_status(&mut self, sess: &mut ServerSessionImpl, server_certkey: &mut sign::CertifiedKey)386 fn emit_cert_status(&mut self,
387 sess: &mut ServerSessionImpl,
388 server_certkey: &mut sign::CertifiedKey) {
389 if !self.send_cert_status ||
390 !server_certkey.has_ocsp() {
391 return;
392 }
393
394 let ocsp = server_certkey.take_ocsp();
395 let st = CertificateStatus::new(ocsp.unwrap());
396
397 let c = Message {
398 typ: ContentType::Handshake,
399 version: ProtocolVersion::TLSv1_2,
400 payload: MessagePayload::Handshake(HandshakeMessagePayload {
401 typ: HandshakeType::CertificateStatus,
402 payload: HandshakePayload::CertificateStatus(st)
403 }),
404 };
405
406 self.handshake.transcript.add_message(&c);
407 sess.common.send_msg(c, false);
408 }
409
emit_server_kx(&mut self, sess: &mut ServerSessionImpl, sigschemes: Vec<SignatureScheme>, group: NamedGroup, server_certkey: &mut sign::CertifiedKey) -> Result<suites::KeyExchange, TLSError>410 fn emit_server_kx(&mut self,
411 sess: &mut ServerSessionImpl,
412 sigschemes: Vec<SignatureScheme>,
413 group: NamedGroup,
414 server_certkey: &mut sign::CertifiedKey)
415 -> Result<suites::KeyExchange, TLSError> {
416 let kx = sess.common.get_suite_assert()
417 .start_server_kx(group)
418 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
419 let secdh = ServerECDHParams::new(group, kx.pubkey.as_ref());
420
421 let mut msg = Vec::new();
422 msg.extend(&self.handshake.randoms.client);
423 msg.extend(&self.handshake.randoms.server);
424 secdh.encode(&mut msg);
425
426 let signing_key = &server_certkey.key;
427 let signer = signing_key.choose_scheme(&sigschemes)
428 .ok_or_else(|| TLSError::General("incompatible signing key".to_string()))?;
429 let sigscheme = signer.get_scheme();
430 let sig = signer.sign(&msg)?;
431
432 let skx = ServerKeyExchangePayload::ECDHE(ECDHEServerKeyExchange {
433 params: secdh,
434 dss: DigitallySignedStruct::new(sigscheme, sig),
435 });
436
437 let m = Message {
438 typ: ContentType::Handshake,
439 version: ProtocolVersion::TLSv1_2,
440 payload: MessagePayload::Handshake(HandshakeMessagePayload {
441 typ: HandshakeType::ServerKeyExchange,
442 payload: HandshakePayload::ServerKeyExchange(skx),
443 }),
444 };
445
446 self.handshake.transcript.add_message(&m);
447 sess.common.send_msg(m, false);
448 Ok(kx)
449 }
450
emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError>451 fn emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError> {
452 let client_auth = sess.config.get_verifier();
453
454 if !client_auth.offer_client_auth() {
455 return Ok(false);
456 }
457
458 let verify_schemes = client_auth.supported_verify_schemes();
459
460 let names = client_auth.client_auth_root_subjects(sess.get_sni())
461 .ok_or_else(|| {
462 debug!("could not determine root subjects based on SNI");
463 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
464 TLSError::General("client rejected by client_auth_root_subjects".into())
465 })?;
466
467 let cr = CertificateRequestPayload {
468 certtypes: vec![ ClientCertificateType::RSASign,
469 ClientCertificateType::ECDSASign ],
470 sigschemes: verify_schemes,
471 canames: names,
472 };
473
474 let m = Message {
475 typ: ContentType::Handshake,
476 version: ProtocolVersion::TLSv1_2,
477 payload: MessagePayload::Handshake(HandshakeMessagePayload {
478 typ: HandshakeType::CertificateRequest,
479 payload: HandshakePayload::CertificateRequest(cr),
480 }),
481 };
482
483 trace!("Sending CertificateRequest {:?}", m);
484 self.handshake.transcript.add_message(&m);
485 sess.common.send_msg(m, false);
486 Ok(true)
487 }
488
emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl)489 fn emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl) {
490 let m = Message {
491 typ: ContentType::Handshake,
492 version: ProtocolVersion::TLSv1_2,
493 payload: MessagePayload::Handshake(HandshakeMessagePayload {
494 typ: HandshakeType::ServerHelloDone,
495 payload: HandshakePayload::ServerHelloDone,
496 }),
497 };
498
499 self.handshake.transcript.add_message(&m);
500 sess.common.send_msg(m, false);
501 }
502
start_resumption(mut self, sess: &mut ServerSessionImpl, client_hello: &ClientHelloPayload, sni: Option<&webpki::DNSName>, id: &SessionID, resumedata: persist::ServerSessionValue) -> NextStateOrError503 fn start_resumption(mut self,
504 sess: &mut ServerSessionImpl,
505 client_hello: &ClientHelloPayload,
506 sni: Option<&webpki::DNSName>,
507 id: &SessionID,
508 resumedata: persist::ServerSessionValue)
509 -> NextStateOrError {
510 debug!("Resuming session");
511
512 if resumedata.extended_ms && !self.handshake.using_ems {
513 return Err(illegal_param(sess, "refusing to resume without ems"));
514 }
515
516 self.handshake.session_id = *id;
517 self.emit_server_hello(sess, None, client_hello, Some(&resumedata))?;
518
519 let hashalg = sess.common.get_suite_assert().get_hash();
520 let secrets = SessionSecrets::new_resume(&self.handshake.randoms,
521 hashalg,
522 &resumedata.master_secret.0);
523 sess.config.key_log.log("CLIENT_RANDOM",
524 &secrets.randoms.client,
525 &secrets.master_secret);
526 sess.common.start_encryption_tls12(&secrets);
527 sess.client_cert_chain = resumedata.client_cert_chain;
528
529 if self.send_ticket {
530 tls12::emit_ticket(&secrets, &mut self.handshake, sess);
531 }
532 tls12::emit_ccs(sess);
533 sess.common
534 .record_layer
535 .start_encrypting();
536 tls12::emit_finished(&secrets, &mut self.handshake, sess);
537
538 assert!(same_dns_name_or_both_none(sni, sess.get_sni()));
539
540 Ok(self.into_expect_tls12_ccs(secrets))
541 }
542
543 }
544
545 impl State for ExpectClientHello {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError546 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError {
547 let client_hello = require_handshake_msg!(m, HandshakeType::ClientHello, HandshakePayload::ClientHello)?;
548 let tls13_enabled = sess.config.supports_version(ProtocolVersion::TLSv1_3);
549 let tls12_enabled = sess.config.supports_version(ProtocolVersion::TLSv1_2);
550 trace!("we got a clienthello {:?}", client_hello);
551
552 if !client_hello.compression_methods.contains(&Compression::Null) {
553 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
554 return Err(TLSError::PeerIncompatibleError("client did not offer Null compression"
555 .to_string()));
556 }
557
558 if client_hello.has_duplicate_extension() {
559 return Err(decode_error(sess, "client sent duplicate extensions"));
560 }
561
562 // No handshake messages should follow this one in this flight.
563 check_aligned_handshake(sess)?;
564
565 // Are we doing TLS1.3?
566 let maybe_versions_ext = client_hello.get_versions_extension();
567 if let Some(versions) = maybe_versions_ext {
568 if versions.contains(&ProtocolVersion::TLSv1_3) && tls13_enabled {
569 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_3);
570 } else if !versions.contains(&ProtocolVersion::TLSv1_2) || !tls12_enabled {
571 return Err(bad_version(sess, "TLS1.2 not offered/enabled"));
572 }
573 } else if client_hello.client_version.get_u16() < ProtocolVersion::TLSv1_2.get_u16() {
574 return Err(bad_version(sess, "Client does not support TLSv1_2"));
575 } else if !tls12_enabled && tls13_enabled {
576 return Err(bad_version(sess, "Server requires TLS1.3, but client omitted versions ext"));
577 }
578
579 if sess.common.negotiated_version == None {
580 sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_2);
581 }
582
583 // --- Common to TLS1.2 and TLS1.3: ciphersuite and certificate selection.
584
585 // Extract and validate the SNI DNS name, if any, before giving it to
586 // the cert resolver. In particular, if it is invalid then we should
587 // send an Illegal Parameter alert instead of the Internal Error alert
588 // (or whatever) that we'd send if this were checked later or in a
589 // different way.
590 let sni: Option<webpki::DNSName> = match client_hello.get_sni_extension() {
591 Some(sni) => {
592 if sni.has_duplicate_names_for_type() {
593 return Err(decode_error(sess, "ClientHello SNI contains duplicate name types"));
594 }
595
596 if let Some(hostname) = sni.get_single_hostname() {
597 Some(hostname.into())
598 } else {
599 return Err(illegal_param(sess, "ClientHello SNI did not contain a hostname"));
600 }
601 },
602 None => None,
603 };
604
605 if !self.done_retry {
606 // save only the first SNI
607 save_sni(sess, sni.clone());
608 }
609
610 // We communicate to the upper layer what kind of key they should choose
611 // via the sigschemes value. Clients tend to treat this extension
612 // orthogonally to offered ciphersuites (even though, in TLS1.2 it is not).
613 // So: reduce the offered sigschemes to those compatible with the
614 // intersection of ciphersuites.
615 let mut common_suites = sess.config.ciphersuites.clone();
616 common_suites.retain(|scs| client_hello.cipher_suites.contains(&scs.suite));
617
618 let mut sigschemes_ext = client_hello.get_sigalgs_extension()
619 .cloned()
620 .unwrap_or_else(SupportedSignatureSchemes::default);
621 sigschemes_ext.retain(|scheme| suites::compatible_sigscheme_for_suites(*scheme, &common_suites));
622
623 let alpn_protocols = client_hello.get_alpn_extension()
624 .map(|protos| protos.to_slices());
625
626 // Choose a certificate.
627 let mut certkey = {
628 let sni_ref = sni.as_ref().map(webpki::DNSName::as_ref);
629 trace!("sni {:?}", sni_ref);
630 trace!("sig schemes {:?}", sigschemes_ext);
631 trace!("alpn protocols {:?}", alpn_protocols);
632
633 let alpn_slices = match alpn_protocols {
634 Some(ref vec) => Some(vec.as_slice()),
635 None => None,
636 };
637
638 let client_hello = ClientHello::new(sni_ref, &sigschemes_ext, alpn_slices);
639
640 let certkey = sess.config.cert_resolver.resolve(client_hello);
641 certkey.ok_or_else(|| {
642 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
643 TLSError::General("no server certificate chain resolved".to_string())
644 })?
645 };
646
647 // Reduce our supported ciphersuites by the certificate.
648 // (no-op for TLS1.3)
649 let suitable_suites = suites::reduce_given_sigalg(&sess.config.ciphersuites,
650 certkey.key.algorithm());
651
652 // And version
653 let protocol_version = sess.common.negotiated_version.unwrap();
654 let suitable_suites = suites::reduce_given_version(&suitable_suites, protocol_version);
655
656 let maybe_ciphersuite = if sess.config.ignore_client_order {
657 suites::choose_ciphersuite_preferring_server(&client_hello.cipher_suites, &suitable_suites)
658 } else {
659 suites::choose_ciphersuite_preferring_client(&client_hello.cipher_suites, &suitable_suites)
660 };
661
662 if maybe_ciphersuite.is_none() {
663 return Err(incompatible(sess, "no ciphersuites in common"));
664 }
665
666 debug!("decided upon suite {:?}", maybe_ciphersuite.as_ref().unwrap());
667 sess.common.set_suite(maybe_ciphersuite.unwrap());
668
669 // Start handshake hash.
670 let starting_hash = sess.common.get_suite_assert().get_hash();
671 if !self.handshake.transcript.start_hash(starting_hash) {
672 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
673 return Err(TLSError::PeerIncompatibleError("hash differed on retry"
674 .to_string()));
675 }
676
677 // Save their Random.
678 client_hello.random.write_slice(&mut self.handshake.randoms.client);
679
680 if sess.common.is_tls13() {
681 return self.into_complete_tls13_client_hello_handling()
682 .handle_client_hello(sess, certkey, &m);
683 }
684
685 // -- TLS1.2 only from hereon in --
686 self.handshake.transcript.add_message(&m);
687
688 if client_hello.ems_support_offered() {
689 self.handshake.using_ems = true;
690 }
691
692 let groups_ext = client_hello.get_namedgroups_extension()
693 .ok_or_else(|| incompatible(sess, "client didn't describe groups"))?;
694 let ecpoints_ext = client_hello.get_ecpoints_extension()
695 .ok_or_else(|| incompatible(sess, "client didn't describe ec points"))?;
696
697 trace!("namedgroups {:?}", groups_ext);
698 trace!("ecpoints {:?}", ecpoints_ext);
699
700 if !ecpoints_ext.contains(&ECPointFormat::Uncompressed) {
701 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
702 return Err(TLSError::PeerIncompatibleError("client didn't support uncompressed ec points"
703 .to_string()));
704 }
705
706 // -- If TLS1.3 is enabled, signal the downgrade in the server random
707 if tls13_enabled {
708 self.handshake.randoms.set_tls12_downgrade_marker();
709 }
710
711 // -- Check for resumption --
712 // We can do this either by (in order of preference):
713 // 1. receiving a ticket that decrypts
714 // 2. receiving a sessionid that is in our cache
715 //
716 // If we receive a ticket, the sessionid won't be in our
717 // cache, so don't check.
718 //
719 // If either works, we end up with a ServerSessionValue
720 // which is passed to start_resumption and concludes
721 // our handling of the ClientHello.
722 //
723 let mut ticket_received = false;
724
725 if let Some(ticket_ext) = client_hello.get_ticket_extension() {
726 if let ClientExtension::SessionTicketOffer(ref ticket) = *ticket_ext {
727 ticket_received = true;
728 debug!("Ticket received");
729
730 let maybe_resume = sess.config
731 .ticketer
732 .decrypt(&ticket.0)
733 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain));
734
735 if can_resume(sess, &self.handshake, &maybe_resume) {
736 return self.start_resumption(sess,
737 client_hello, sni.as_ref(),
738 &client_hello.session_id,
739 maybe_resume.unwrap());
740 } else {
741 debug!("Ticket didn't decrypt");
742 }
743 }
744 }
745
746 // If we're not offered a ticket or a potential session ID,
747 // allocate a session ID.
748 if self.handshake.session_id.is_empty() && !ticket_received {
749 let mut bytes = [0u8; 32];
750 rand::fill_random(&mut bytes);
751 self.handshake.session_id = SessionID::new(&bytes);
752 }
753
754 // Perhaps resume? If we received a ticket, the sessionid
755 // does not correspond to a real session.
756 if !client_hello.session_id.is_empty() && !ticket_received {
757 let maybe_resume = sess.config.session_storage
758 .get(&client_hello.session_id.get_encoding())
759 .and_then(|x| persist::ServerSessionValue::read_bytes(&x));
760
761 if can_resume(sess, &self.handshake, &maybe_resume) {
762 return self.start_resumption(sess,
763 client_hello, sni.as_ref(),
764 &client_hello.session_id,
765 maybe_resume.unwrap());
766 }
767 }
768
769 // Now we have chosen a ciphersuite, we can make kx decisions.
770 let sigschemes = sess.common.get_suite_assert()
771 .resolve_sig_schemes(&sigschemes_ext);
772
773 if sigschemes.is_empty() {
774 return Err(incompatible(sess, "no supported sig scheme"));
775 }
776
777 let group = suites::KeyExchange::supported_groups()
778 .iter()
779 .filter(|group| groups_ext.contains(group))
780 .nth(0)
781 .cloned()
782 .ok_or_else(|| incompatible(sess, "no supported group"))?;
783
784 let ecpoint = ECPointFormatList::supported()
785 .iter()
786 .filter(|format| ecpoints_ext.contains(format))
787 .nth(0)
788 .cloned()
789 .ok_or_else(|| incompatible(sess, "no supported point format"))?;
790
791 debug_assert_eq!(ecpoint, ECPointFormat::Uncompressed);
792
793 self.emit_server_hello(sess, Some(&mut certkey), client_hello, None)?;
794 self.emit_certificate(sess, &mut certkey);
795 self.emit_cert_status(sess, &mut certkey);
796 let kx = self.emit_server_kx(sess, sigschemes, group, &mut certkey)?;
797 let doing_client_auth = self.emit_certificate_req(sess)?;
798 self.emit_server_hello_done(sess);
799
800 if doing_client_auth {
801 Ok(self.into_expect_tls12_certificate(kx))
802 } else {
803 Ok(self.into_expect_tls12_client_kx(kx))
804 }
805 }
806 }
807