1 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
2 use crate::msgs::enums::{AlertDescription, SignatureScheme, NamedGroup};
3 use crate::msgs::enums::{Compression, PSKKeyExchangeMode};
4 use crate::msgs::enums::KeyUpdateRequest;
5 use crate::msgs::message::{Message, MessagePayload};
6 use crate::msgs::handshake::HandshakePayload;
7 use crate::msgs::handshake::HandshakeMessagePayload;
8 use crate::msgs::handshake::NewSessionTicketPayloadTLS13;
9 use crate::msgs::handshake::CertificateEntry;
10 use crate::msgs::handshake::CertificateExtension;
11 use crate::msgs::handshake::CertificateStatus;
12 use crate::msgs::handshake::CertificatePayloadTLS13;
13 use crate::msgs::handshake::CertificateRequestPayloadTLS13;
14 use crate::msgs::handshake::CertReqExtension;
15 use crate::msgs::handshake::ClientHelloPayload;
16 use crate::msgs::handshake::HelloRetryRequest;
17 use crate::msgs::handshake::HelloRetryExtension;
18 use crate::msgs::handshake::ServerHelloPayload;
19 use crate::msgs::handshake::KeyShareEntry;
20 use crate::msgs::handshake::SessionID;
21 use crate::msgs::handshake::ServerExtension;
22 use crate::msgs::handshake::Random;
23 use crate::msgs::handshake::DigitallySignedStruct;
24 use crate::msgs::ccs::ChangeCipherSpecPayload;
25 use crate::msgs::base::{Payload, PayloadU8};
26 use crate::msgs::codec::Codec;
27 use crate::msgs::persist;
28 use crate::server::ServerSessionImpl;
29 use crate::key_schedule::{
30 KeyScheduleNonSecret,
31 KeyScheduleEarly,
32 KeyScheduleHandshake,
33 KeyScheduleTrafficWithClientFinishedPending,
34 KeyScheduleTraffic
35 };
36 use crate::cipher;
37 use crate::verify;
38 use crate::rand;
39 use crate::sign;
40 use crate::suites;
41 #[cfg(feature = "logging")]
42 use crate::log::{warn, trace, debug};
43 use crate::error::TLSError;
44 use crate::check::check_message;
45 #[cfg(feature = "quic")]
46 use crate::{
47 quic,
48 msgs::handshake::NewSessionTicketExtension,
49 session::Protocol
50 };
51
52 use crate::server::common::{HandshakeDetails, ClientCertDetails};
53 use crate::server::hs;
54
55 use ring::constant_time;
56
57 pub struct CompleteClientHelloHandling {
58 pub handshake: HandshakeDetails,
59 pub done_retry: bool,
60 pub send_cert_status: bool,
61 pub send_sct: bool,
62 pub send_ticket: bool,
63 }
64
65 impl CompleteClientHelloHandling {
check_binder(&self, sess: &mut ServerSessionImpl, client_hello: &Message, psk: &[u8], binder: &[u8]) -> bool66 fn check_binder(&self,
67 sess: &mut ServerSessionImpl,
68 client_hello: &Message,
69 psk: &[u8],
70 binder: &[u8])
71 -> bool {
72 let binder_plaintext = match client_hello.payload {
73 MessagePayload::Handshake(ref hmp) => hmp.get_encoding_for_binder_signing(),
74 _ => unreachable!(),
75 };
76
77 let suite = sess.common.get_suite_assert();
78 let suite_hash = suite.get_hash();
79 let handshake_hash = self.handshake.transcript.get_hash_given(suite_hash, &binder_plaintext);
80
81 let key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, &psk);
82 let real_binder = key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
83
84 constant_time::verify_slices_are_equal(&real_binder, binder).is_ok()
85 }
86
into_expect_retried_client_hello(self) -> hs::NextState87 fn into_expect_retried_client_hello(self) -> hs::NextState {
88 Box::new(hs::ExpectClientHello {
89 handshake: self.handshake,
90 done_retry: true,
91 send_cert_status: self.send_cert_status,
92 send_sct: self.send_sct,
93 send_ticket: self.send_ticket,
94 })
95 }
96
into_expect_certificate(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState97 fn into_expect_certificate(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState {
98 Box::new(ExpectCertificate {
99 handshake: self.handshake,
100 key_schedule,
101 send_ticket: self.send_ticket,
102 })
103 }
104
into_expect_finished(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState105 fn into_expect_finished(self, key_schedule: KeyScheduleTrafficWithClientFinishedPending) -> hs::NextState {
106 Box::new(ExpectFinished {
107 handshake: self.handshake,
108 key_schedule,
109 send_ticket: self.send_ticket,
110 })
111 }
112
emit_server_hello(&mut self, sess: &mut ServerSessionImpl, session_id: &SessionID, share: &KeyShareEntry, chosen_psk_idx: Option<usize>, resuming_psk: Option<&[u8]>) -> Result<KeyScheduleHandshake, TLSError>113 fn emit_server_hello(&mut self,
114 sess: &mut ServerSessionImpl,
115 session_id: &SessionID,
116 share: &KeyShareEntry,
117 chosen_psk_idx: Option<usize>,
118 resuming_psk: Option<&[u8]>)
119 -> Result<KeyScheduleHandshake, TLSError> {
120 let mut extensions = Vec::new();
121
122 // Do key exchange
123 let kxr = suites::KeyExchange::start_ecdhe(share.group)
124 .and_then(|kx| kx.complete(&share.payload.0))
125 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
126
127 let kse = KeyShareEntry::new(share.group, kxr.pubkey.as_ref());
128 extensions.push(ServerExtension::KeyShare(kse));
129 extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
130
131 if let Some(psk_idx) = chosen_psk_idx {
132 extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
133 }
134
135 let sh = Message {
136 typ: ContentType::Handshake,
137 version: ProtocolVersion::TLSv1_2,
138 payload: MessagePayload::Handshake(HandshakeMessagePayload {
139 typ: HandshakeType::ServerHello,
140 payload: HandshakePayload::ServerHello(ServerHelloPayload {
141 legacy_version: ProtocolVersion::TLSv1_2,
142 random: Random::from_slice(&self.handshake.randoms.server),
143 session_id: *session_id,
144 cipher_suite: sess.common.get_suite_assert().suite,
145 compression_method: Compression::Null,
146 extensions,
147 }),
148 }),
149 };
150
151 hs::check_aligned_handshake(sess)?;
152
153 #[cfg(feature = "quic")]
154 let client_hello_hash = self.handshake.transcript
155 .get_hash_given(sess.common.get_suite_assert().get_hash(), &[]);
156
157 trace!("sending server hello {:?}", sh);
158 self.handshake.transcript.add_message(&sh);
159 sess.common.send_msg(sh, false);
160
161 // Start key schedule
162 let suite = sess.common.get_suite_assert();
163 let mut key_schedule = if let Some(psk) = resuming_psk {
164 let early_key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, psk);
165
166 #[cfg(feature = "quic")] {
167 if sess.common.protocol == Protocol::Quic {
168 let client_early_traffic_secret = early_key_schedule
169 .client_early_traffic_secret(&client_hello_hash,
170 &*sess.config.key_log,
171 &self.handshake.randoms.client);
172 // If 0-RTT should be rejected, this will be clobbered by ExtensionProcessing
173 // before the application can see.
174 sess.common.quic.early_secret = Some(client_early_traffic_secret);
175 }
176 }
177
178 early_key_schedule
179 .into_handshake(&kxr.shared_secret)
180 } else {
181 KeyScheduleNonSecret::new(suite.hkdf_algorithm)
182 .into_handshake(&kxr.shared_secret)
183 };
184
185 let handshake_hash = self.handshake.transcript.get_current_hash();
186 let write_key = key_schedule
187 .server_handshake_traffic_secret(&handshake_hash,
188 &*sess.config.key_log,
189 &self.handshake.randoms.client);
190 sess.common
191 .record_layer
192 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
193
194 let read_key = key_schedule
195 .client_handshake_traffic_secret(&handshake_hash,
196 &*sess.config.key_log,
197 &self.handshake.randoms.client);
198 sess.common
199 .record_layer
200 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
201
202 #[cfg(feature = "quic")] {
203 sess.common.quic.hs_secrets = Some(quic::Secrets {
204 client: read_key,
205 server: write_key,
206 });
207 }
208
209 Ok(key_schedule)
210 }
211
emit_fake_ccs(&mut self, sess: &mut ServerSessionImpl)212 fn emit_fake_ccs(&mut self,
213 sess: &mut ServerSessionImpl) {
214 if sess.common.is_quic() { return; }
215 let m = Message {
216 typ: ContentType::ChangeCipherSpec,
217 version: ProtocolVersion::TLSv1_2,
218 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {})
219 };
220 sess.common.send_msg(m, false);
221 }
222
emit_hello_retry_request(&mut self, sess: &mut ServerSessionImpl, group: NamedGroup)223 fn emit_hello_retry_request(&mut self,
224 sess: &mut ServerSessionImpl,
225 group: NamedGroup) {
226 let mut req = HelloRetryRequest {
227 legacy_version: ProtocolVersion::TLSv1_2,
228 session_id: SessionID::empty(),
229 cipher_suite: sess.common.get_suite_assert().suite,
230 extensions: Vec::new(),
231 };
232
233 req.extensions.push(HelloRetryExtension::KeyShare(group));
234 req.extensions.push(HelloRetryExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
235
236 let m = Message {
237 typ: ContentType::Handshake,
238 version: ProtocolVersion::TLSv1_2,
239 payload: MessagePayload::Handshake(HandshakeMessagePayload {
240 typ: HandshakeType::HelloRetryRequest,
241 payload: HandshakePayload::HelloRetryRequest(req),
242 }),
243 };
244
245 trace!("Requesting retry {:?}", m);
246 self.handshake.transcript.rollup_for_hrr();
247 self.handshake.transcript.add_message(&m);
248 sess.common.send_msg(m, false);
249 }
250
emit_encrypted_extensions(&mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>) -> Result<(), TLSError>251 fn emit_encrypted_extensions(&mut self,
252 sess: &mut ServerSessionImpl,
253 server_key: &mut sign::CertifiedKey,
254 hello: &ClientHelloPayload,
255 resumedata: Option<&persist::ServerSessionValue>)
256 -> Result<(), TLSError> {
257 let mut ep = hs::ExtensionProcessing::new();
258 ep.process_common(sess, Some(server_key), hello, resumedata, &self.handshake)?;
259
260 self.send_cert_status = ep.send_cert_status;
261 self.send_sct = ep.send_sct;
262
263 let ee = Message {
264 typ: ContentType::Handshake,
265 version: ProtocolVersion::TLSv1_3,
266 payload: MessagePayload::Handshake(HandshakeMessagePayload {
267 typ: HandshakeType::EncryptedExtensions,
268 payload: HandshakePayload::EncryptedExtensions(ep.exts),
269 }),
270 };
271
272 trace!("sending encrypted extensions {:?}", ee);
273 self.handshake.transcript.add_message(&ee);
274 sess.common.send_msg(ee, true);
275 Ok(())
276 }
277
emit_certificate_req_tls13(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError>278 fn emit_certificate_req_tls13(&mut self, sess: &mut ServerSessionImpl) -> Result<bool, TLSError> {
279 if !sess.config.verifier.offer_client_auth() {
280 return Ok(false);
281 }
282
283 let mut cr = CertificateRequestPayloadTLS13 {
284 context: PayloadU8::empty(),
285 extensions: Vec::new(),
286 };
287
288 let schemes = sess.config.get_verifier()
289 .supported_verify_schemes();
290 cr.extensions.push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
291
292 let names = sess.config.verifier.client_auth_root_subjects(sess.get_sni())
293 .ok_or_else(|| {
294 debug!("could not determine root subjects based on SNI");
295 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
296 TLSError::General("client rejected by client_auth_root_subjects".into())
297 })?;
298
299 if !names.is_empty() {
300 cr.extensions.push(CertReqExtension::AuthorityNames(names));
301 }
302
303 let m = Message {
304 typ: ContentType::Handshake,
305 version: ProtocolVersion::TLSv1_3,
306 payload: MessagePayload::Handshake(HandshakeMessagePayload {
307 typ: HandshakeType::CertificateRequest,
308 payload: HandshakePayload::CertificateRequestTLS13(cr),
309 }),
310 };
311
312 trace!("Sending CertificateRequest {:?}", m);
313 self.handshake.transcript.add_message(&m);
314 sess.common.send_msg(m, true);
315 Ok(true)
316 }
317
emit_certificate_tls13(&mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey)318 fn emit_certificate_tls13(&mut self,
319 sess: &mut ServerSessionImpl,
320 server_key: &mut sign::CertifiedKey) {
321 let mut cert_entries = vec![];
322 for cert in server_key.take_cert() {
323 let entry = CertificateEntry {
324 cert,
325 exts: Vec::new(),
326 };
327
328 cert_entries.push(entry);
329 }
330
331 if let Some(end_entity_cert) = cert_entries.first_mut() {
332 // Apply OCSP response to first certificate (we don't support OCSP
333 // except for leaf certs).
334 if self.send_cert_status {
335 if let Some(ocsp) = server_key.take_ocsp() {
336 let cst = CertificateStatus::new(ocsp);
337 end_entity_cert.exts.push(CertificateExtension::CertificateStatus(cst));
338 }
339 }
340
341 // Likewise, SCT
342 if self.send_sct {
343 if let Some(sct_list) = server_key.take_sct_list() {
344 end_entity_cert.exts.push(CertificateExtension::make_sct(sct_list));
345 }
346 }
347 }
348
349 let cert_body = CertificatePayloadTLS13::new(cert_entries);
350 let c = Message {
351 typ: ContentType::Handshake,
352 version: ProtocolVersion::TLSv1_3,
353 payload: MessagePayload::Handshake(HandshakeMessagePayload {
354 typ: HandshakeType::Certificate,
355 payload: HandshakePayload::CertificateTLS13(cert_body),
356 }),
357 };
358
359 trace!("sending certificate {:?}", c);
360 self.handshake.transcript.add_message(&c);
361 sess.common.send_msg(c, true);
362 }
363
emit_certificate_verify_tls13(&mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, schemes: &[SignatureScheme]) -> Result<(), TLSError>364 fn emit_certificate_verify_tls13(&mut self,
365 sess: &mut ServerSessionImpl,
366 server_key: &mut sign::CertifiedKey,
367 schemes: &[SignatureScheme])
368 -> Result<(), TLSError> {
369 let message = verify::construct_tls13_server_verify_message(
370 &self.handshake.transcript.get_current_hash()
371 );
372
373 let signing_key = &server_key.key;
374 let signer = signing_key.choose_scheme(schemes)
375 .ok_or_else(|| hs::incompatible(sess, "no overlapping sigschemes"))?;
376
377 let scheme = signer.get_scheme();
378 let sig = signer.sign(&message)?;
379
380 let cv = DigitallySignedStruct::new(scheme, sig);
381
382 let m = Message {
383 typ: ContentType::Handshake,
384 version: ProtocolVersion::TLSv1_3,
385 payload: MessagePayload::Handshake(HandshakeMessagePayload {
386 typ: HandshakeType::CertificateVerify,
387 payload: HandshakePayload::CertificateVerify(cv),
388 }),
389 };
390
391 trace!("sending certificate-verify {:?}", m);
392 self.handshake.transcript.add_message(&m);
393 sess.common.send_msg(m, true);
394 Ok(())
395 }
396
emit_finished_tls13(&mut self, sess: &mut ServerSessionImpl, key_schedule: KeyScheduleHandshake) -> KeyScheduleTrafficWithClientFinishedPending397 fn emit_finished_tls13(&mut self, sess: &mut ServerSessionImpl,
398 key_schedule: KeyScheduleHandshake) -> KeyScheduleTrafficWithClientFinishedPending {
399 let handshake_hash = self.handshake.transcript.get_current_hash();
400 let verify_data = key_schedule.sign_server_finish(&handshake_hash);
401 let verify_data_payload = Payload::new(verify_data);
402
403 let m = Message {
404 typ: ContentType::Handshake,
405 version: ProtocolVersion::TLSv1_3,
406 payload: MessagePayload::Handshake(HandshakeMessagePayload {
407 typ: HandshakeType::Finished,
408 payload: HandshakePayload::Finished(verify_data_payload),
409 }),
410 };
411
412 trace!("sending finished {:?}", m);
413 self.handshake.transcript.add_message(&m);
414 self.handshake.hash_at_server_fin = self.handshake.transcript.get_current_hash();
415 sess.common.send_msg(m, true);
416
417 // Now move to application data keys. Read key change is deferred until
418 // the Finish message is received & validated.
419 let mut key_schedule_traffic = key_schedule.into_traffic_with_client_finished_pending();
420 let suite = sess.common.get_suite_assert();
421 let write_key = key_schedule_traffic
422 .server_application_traffic_secret(&self.handshake.hash_at_server_fin,
423 &*sess.config.key_log,
424 &self.handshake.randoms.client);
425 sess.common
426 .record_layer
427 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
428
429 key_schedule_traffic
430 .exporter_master_secret(&self.handshake.hash_at_server_fin,
431 &*sess.config.key_log,
432 &self.handshake.randoms.client);
433
434 let _read_key = key_schedule_traffic
435 .client_application_traffic_secret(&self.handshake.hash_at_server_fin,
436 &*sess.config.key_log,
437 &self.handshake.randoms.client);
438
439 #[cfg(feature = "quic")] {
440 sess.common.quic.traffic_secrets = Some(quic::Secrets {
441 client: _read_key,
442 server: write_key,
443 });
444 }
445
446 key_schedule_traffic
447 }
448
attempt_tls13_ticket_decryption(&mut self, sess: &mut ServerSessionImpl, ticket: &[u8]) -> Option<persist::ServerSessionValue>449 fn attempt_tls13_ticket_decryption(&mut self,
450 sess: &mut ServerSessionImpl,
451 ticket: &[u8]) -> Option<persist::ServerSessionValue> {
452 if sess.config.ticketer.enabled() {
453 sess.config
454 .ticketer
455 .decrypt(ticket)
456 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
457 } else {
458 sess.config
459 .session_storage
460 .take(ticket)
461 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
462 }
463 }
464
handle_client_hello(mut self, sess: &mut ServerSessionImpl, mut server_key: sign::CertifiedKey, chm: &Message) -> hs::NextStateOrError465 pub fn handle_client_hello(mut self,
466 sess: &mut ServerSessionImpl,
467 mut server_key: sign::CertifiedKey,
468 chm: &Message) -> hs::NextStateOrError {
469 let client_hello = require_handshake_msg!(chm, HandshakeType::ClientHello, HandshakePayload::ClientHello)?;
470
471 if client_hello.compression_methods.len() != 1 {
472 return Err(hs::illegal_param(sess, "client offered wrong compressions"));
473 }
474
475 let groups_ext = client_hello.get_namedgroups_extension()
476 .ok_or_else(|| hs::incompatible(sess, "client didn't describe groups"))?;
477
478 let mut sigschemes_ext = client_hello.get_sigalgs_extension()
479 .ok_or_else(|| hs::incompatible(sess, "client didn't describe sigschemes"))?
480 .clone();
481
482 let tls13_schemes = sign::supported_sign_tls13();
483 sigschemes_ext.retain(|scheme| tls13_schemes.contains(scheme));
484
485 let shares_ext = client_hello.get_keyshare_extension()
486 .ok_or_else(|| hs::incompatible(sess, "client didn't send keyshares"))?;
487
488 if client_hello.has_keyshare_extension_with_duplicates() {
489 return Err(hs::illegal_param(sess, "client sent duplicate keyshares"));
490 }
491
492 let share_groups: Vec<NamedGroup> = shares_ext.iter()
493 .map(|share| share.group)
494 .collect();
495
496 let supported_groups = suites::KeyExchange::supported_groups();
497 let chosen_group = supported_groups
498 .iter()
499 .filter(|group| share_groups.contains(group))
500 .nth(0)
501 .cloned();
502
503 if chosen_group.is_none() {
504 // We don't have a suitable key share. Choose a suitable group and
505 // send a HelloRetryRequest.
506 let retry_group_maybe = supported_groups
507 .iter()
508 .filter(|group| groups_ext.contains(group))
509 .nth(0)
510 .cloned();
511 self.handshake.transcript.add_message(chm);
512
513 if let Some(group) = retry_group_maybe {
514 if self.done_retry {
515 return Err(hs::illegal_param(sess, "did not follow retry request"));
516 }
517
518 self.emit_hello_retry_request(sess, group);
519 self.emit_fake_ccs(sess);
520 return Ok(self.into_expect_retried_client_hello());
521 }
522
523 return Err(hs::incompatible(sess, "no kx group overlap with client"));
524 }
525
526 let chosen_group = chosen_group.unwrap();
527 let chosen_share = shares_ext.iter()
528 .find(|share| share.group == chosen_group)
529 .unwrap();
530
531 let mut chosen_psk_index = None;
532 let mut resumedata = None;
533 if let Some(psk_offer) = client_hello.get_psk() {
534 if !client_hello.check_psk_ext_is_last() {
535 return Err(hs::illegal_param(sess, "psk extension in wrong position"));
536 }
537
538 if psk_offer.binders.is_empty() {
539 return Err(hs::decode_error(sess, "psk extension missing binder"));
540 }
541
542 if psk_offer.binders.len() != psk_offer.identities.len() {
543 return Err(hs::illegal_param(sess, "psk extension mismatched ids/binders"));
544 }
545
546 for (i, psk_id) in psk_offer.identities.iter().enumerate() {
547 let maybe_resume = self.attempt_tls13_ticket_decryption(sess, &psk_id.identity.0);
548
549 if !hs::can_resume(sess, &self.handshake, &maybe_resume) {
550 continue;
551 }
552
553 let resume = maybe_resume.unwrap();
554
555 if !self.check_binder(sess, chm, &resume.master_secret.0, &psk_offer.binders[i].0) {
556 sess.common.send_fatal_alert(AlertDescription::DecryptError);
557 return Err(TLSError::PeerMisbehavedError("client sent wrong binder".to_string()));
558 }
559
560 chosen_psk_index = Some(i);
561 resumedata = Some(resume);
562 break;
563 }
564 }
565
566 if !client_hello.psk_mode_offered(PSKKeyExchangeMode::PSK_DHE_KE) {
567 warn!("Resumption ignored, DHE_KE not offered");
568 self.send_ticket = false;
569 chosen_psk_index = None;
570 resumedata = None;
571 } else {
572 self.send_ticket = true;
573 }
574
575 if let Some(ref resume) = resumedata {
576 sess.received_resumption_data = Some(resume.application_data.0.clone());
577 }
578
579 let full_handshake = resumedata.is_none();
580 self.handshake.transcript.add_message(chm);
581 let key_schedule = self.emit_server_hello(sess, &client_hello.session_id,
582 chosen_share, chosen_psk_index,
583 resumedata.as_ref().map(|x| &x.master_secret.0[..]))?;
584 if !self.done_retry {
585 self.emit_fake_ccs(sess);
586 }
587 self.emit_encrypted_extensions(sess, &mut server_key, client_hello, resumedata.as_ref())?;
588
589 let doing_client_auth = if full_handshake {
590 let client_auth = self.emit_certificate_req_tls13(sess)?;
591 self.emit_certificate_tls13(sess, &mut server_key);
592 self.emit_certificate_verify_tls13(sess, &mut server_key, &sigschemes_ext)?;
593 client_auth
594 } else {
595 false
596 };
597
598 hs::check_aligned_handshake(sess)?;
599 let key_schedule_traffic = self.emit_finished_tls13(sess, key_schedule);
600
601 if doing_client_auth {
602 Ok(self.into_expect_certificate(key_schedule_traffic))
603 } else {
604 Ok(self.into_expect_finished(key_schedule_traffic))
605 }
606 }
607 }
608
609 pub struct ExpectCertificate {
610 pub handshake: HandshakeDetails,
611 pub key_schedule: KeyScheduleTrafficWithClientFinishedPending,
612 pub send_ticket: bool,
613 }
614
615 impl ExpectCertificate {
into_expect_finished(self) -> hs::NextState616 fn into_expect_finished(self) -> hs::NextState {
617 Box::new(ExpectFinished {
618 key_schedule: self.key_schedule,
619 handshake: self.handshake,
620 send_ticket: self.send_ticket,
621 })
622 }
623
into_expect_certificate_verify(self, cert: ClientCertDetails) -> hs::NextState624 fn into_expect_certificate_verify(self,
625 cert: ClientCertDetails) -> hs::NextState {
626 Box::new(ExpectCertificateVerify {
627 handshake: self.handshake,
628 key_schedule: self.key_schedule,
629 client_cert: cert,
630 send_ticket: self.send_ticket,
631 })
632 }
633 }
634
635 impl hs::State for ExpectCertificate {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError636 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
637 let certp = require_handshake_msg!(m, HandshakeType::Certificate, HandshakePayload::CertificateTLS13)?;
638 self.handshake.transcript.add_message(&m);
639
640 // We don't send any CertificateRequest extensions, so any extensions
641 // here are illegal.
642 if certp.any_entry_has_extension() {
643 return Err(TLSError::PeerMisbehavedError("client sent unsolicited cert extension"
644 .to_string()));
645 }
646
647 let cert_chain = certp.convert();
648
649 let mandatory = sess.config.verifier.client_auth_mandatory(sess.get_sni())
650 .ok_or_else(|| {
651 debug!("could not determine if client auth is mandatory based on SNI");
652 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
653 TLSError::General("client rejected by client_auth_mandatory".into())
654 })?;
655
656 if cert_chain.is_empty() {
657 if !mandatory {
658 debug!("client auth requested but no certificate supplied");
659 self.handshake.transcript.abandon_client_auth();
660 return Ok(self.into_expect_finished());
661 }
662
663 sess.common.send_fatal_alert(AlertDescription::CertificateRequired);
664 return Err(TLSError::NoCertificatesPresented);
665 }
666
667 sess.config.get_verifier().verify_client_cert(&cert_chain, sess.get_sni())
668 .or_else(|err| {
669 hs::incompatible(sess, "certificate invalid");
670 Err(err)
671 })?;
672
673 let cert = ClientCertDetails::new(cert_chain);
674 Ok(self.into_expect_certificate_verify(cert))
675 }
676 }
677
678 pub struct ExpectCertificateVerify {
679 handshake: HandshakeDetails,
680 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
681 client_cert: ClientCertDetails,
682 send_ticket: bool,
683 }
684
685 impl ExpectCertificateVerify {
into_expect_finished(self) -> hs::NextState686 fn into_expect_finished(self) -> hs::NextState {
687 Box::new(ExpectFinished {
688 key_schedule: self.key_schedule,
689 handshake: self.handshake,
690 send_ticket: self.send_ticket,
691 })
692 }
693 }
694
695 impl hs::State for ExpectCertificateVerify {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError696 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
697 let rc = {
698 let sig = require_handshake_msg!(m, HandshakeType::CertificateVerify, HandshakePayload::CertificateVerify)?;
699 let handshake_hash = self.handshake.transcript.get_current_hash();
700 self.handshake.transcript.abandon_client_auth();
701 let certs = &self.client_cert.cert_chain;
702 let msg = verify::construct_tls13_client_verify_message(&handshake_hash);
703
704 sess.config
705 .get_verifier()
706 .verify_tls13_signature(&msg,
707 &certs[0],
708 sig)
709 };
710
711 if let Err(e) = rc {
712 sess.common.send_fatal_alert(AlertDescription::AccessDenied);
713 return Err(e);
714 }
715
716 trace!("client CertificateVerify OK");
717 sess.client_cert_chain = Some(self.client_cert.take_chain());
718
719 self.handshake.transcript.add_message(&m);
720 Ok(self.into_expect_finished())
721 }
722 }
723
724 // --- Process client's Finished ---
get_server_session_value(handshake: &mut HandshakeDetails, key_schedule: &KeyScheduleTraffic, sess: &ServerSessionImpl, nonce: &[u8]) -> persist::ServerSessionValue725 fn get_server_session_value(handshake: &mut HandshakeDetails,
726 key_schedule: &KeyScheduleTraffic,
727 sess: &ServerSessionImpl,
728 nonce: &[u8]) -> persist::ServerSessionValue {
729 let scs = sess.common.get_suite_assert();
730 let version = ProtocolVersion::TLSv1_3;
731
732 let handshake_hash = handshake
733 .transcript
734 .get_current_hash();
735 let secret = key_schedule
736 .resumption_master_secret_and_derive_ticket_psk(&handshake_hash, nonce);
737
738 persist::ServerSessionValue::new(
739 sess.get_sni(), version,
740 scs.suite, secret,
741 &sess.client_cert_chain,
742 sess.alpn_protocol.clone(),
743 sess.resumption_data.clone(),
744 )
745 }
746
747 pub struct ExpectFinished {
748 pub handshake: HandshakeDetails,
749 pub key_schedule: KeyScheduleTrafficWithClientFinishedPending,
750 pub send_ticket: bool,
751 }
752
753 impl ExpectFinished {
into_expect_traffic(fin: verify::FinishedMessageVerified, ks: KeyScheduleTraffic) -> hs::NextState754 fn into_expect_traffic(fin: verify::FinishedMessageVerified, ks: KeyScheduleTraffic) -> hs::NextState {
755 Box::new(ExpectTraffic {
756 key_schedule: ks,
757 want_write_key_update: false,
758 _fin_verified: fin,
759 })
760 }
761
emit_stateless_ticket(handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, key_schedule: &KeyScheduleTraffic)762 fn emit_stateless_ticket(handshake: &mut HandshakeDetails,
763 sess: &mut ServerSessionImpl,
764 key_schedule: &KeyScheduleTraffic) {
765 let nonce = rand::random_vec(32);
766 let plain = get_server_session_value(handshake,
767 key_schedule,
768 sess, &nonce)
769 .get_encoding();
770 let maybe_ticket = sess.config
771 .ticketer
772 .encrypt(&plain);
773 let ticket_lifetime = sess.config.ticketer.get_lifetime();
774
775 if maybe_ticket.is_none() {
776 return;
777 }
778
779 let ticket = maybe_ticket.unwrap();
780 let age_add = rand::random_u32(); // nb, we don't do 0-RTT data, so whatever
781 #[allow(unused_mut)]
782 let mut payload = NewSessionTicketPayloadTLS13::new(ticket_lifetime, age_add, nonce, ticket);
783 #[cfg(feature = "quic")] {
784 if sess.config.max_early_data_size > 0 && sess.common.protocol == Protocol::Quic {
785 payload.exts.push(NewSessionTicketExtension::EarlyData(sess.config.max_early_data_size));
786 }
787 }
788 let m = Message {
789 typ: ContentType::Handshake,
790 version: ProtocolVersion::TLSv1_3,
791 payload: MessagePayload::Handshake(HandshakeMessagePayload {
792 typ: HandshakeType::NewSessionTicket,
793 payload: HandshakePayload::NewSessionTicketTLS13(payload),
794 }),
795 };
796
797 trace!("sending new ticket {:?}", m);
798 handshake.transcript.add_message(&m);
799 sess.common.send_msg(m, true);
800 }
801
emit_stateful_ticket(handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, key_schedule: &KeyScheduleTraffic)802 fn emit_stateful_ticket(handshake: &mut HandshakeDetails,
803 sess: &mut ServerSessionImpl,
804 key_schedule: &KeyScheduleTraffic) {
805 let nonce = rand::random_vec(32);
806 let id = rand::random_vec(32);
807 let plain = get_server_session_value(handshake,
808 key_schedule,
809 sess, &nonce)
810 .get_encoding();
811
812 if sess.config.session_storage.put(id.clone(), plain) {
813 let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
814 let age_add = rand::random_u32();
815 #[allow(unused_mut)]
816 let mut payload = NewSessionTicketPayloadTLS13::new(stateful_lifetime, age_add, nonce, id);
817 #[cfg(feature = "quic")] {
818 if sess.config.max_early_data_size > 0 && sess.common.protocol == Protocol::Quic {
819 payload.exts.push(NewSessionTicketExtension::EarlyData(sess.config.max_early_data_size));
820 }
821 }
822 let m = Message {
823 typ: ContentType::Handshake,
824 version: ProtocolVersion::TLSv1_3,
825 payload: MessagePayload::Handshake(HandshakeMessagePayload {
826 typ: HandshakeType::NewSessionTicket,
827 payload: HandshakePayload::NewSessionTicketTLS13(payload),
828 }),
829 };
830
831 trace!("sending new stateful ticket {:?}", m);
832 handshake.transcript.add_message(&m);
833 sess.common.send_msg(m, true);
834 } else {
835 trace!("resumption not available; not issuing ticket");
836 }
837 }
838 }
839
840 impl hs::State for ExpectFinished {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError841 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
842 let finished = require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
843
844 let handshake_hash = self.handshake.transcript.get_current_hash();
845 let expect_verify_data = self.key_schedule.sign_client_finish(&handshake_hash);
846
847 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
848 .map_err(|_| {
849 sess.common.send_fatal_alert(AlertDescription::DecryptError);
850 warn!("Finished wrong");
851 TLSError::DecryptError
852 })
853 .map(|_| verify::FinishedMessageVerified::assertion())?;
854
855 // nb. future derivations include Client Finished, but not the
856 // main application data keying.
857 self.handshake.transcript.add_message(&m);
858
859 hs::check_aligned_handshake(sess)?;
860
861 let suite = sess.common.get_suite_assert();
862
863 // Install keying to read future messages.
864 let read_key = self.key_schedule
865 .client_application_traffic_secret(&self.handshake.hash_at_server_fin,
866 &*sess.config.key_log,
867 &self.handshake.randoms.client);
868 sess.common
869 .record_layer
870 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
871
872 let key_schedule_traffic = self.key_schedule.into_traffic();
873
874 if self.send_ticket {
875 if sess.config.ticketer.enabled() {
876 Self::emit_stateless_ticket(&mut self.handshake, sess, &key_schedule_traffic);
877 } else {
878 Self::emit_stateful_ticket(&mut self.handshake, sess, &key_schedule_traffic);
879 }
880 }
881
882 sess.common.start_traffic();
883
884 #[cfg(feature = "quic")] {
885 if sess.common.protocol == Protocol::Quic {
886 return Ok(Box::new(ExpectQUICTraffic { _fin_verified: fin }));
887 }
888 }
889
890 Ok(Self::into_expect_traffic(fin, key_schedule_traffic))
891 }
892 }
893
894 // --- Process traffic ---
895 pub struct ExpectTraffic {
896 key_schedule: KeyScheduleTraffic,
897 want_write_key_update: bool,
898 _fin_verified: verify::FinishedMessageVerified,
899 }
900
901 impl ExpectTraffic {
handle_traffic(&self, sess: &mut ServerSessionImpl, mut m: Message) -> Result<(), TLSError>902 fn handle_traffic(&self, sess: &mut ServerSessionImpl, mut m: Message) -> Result<(), TLSError> {
903 sess.common.take_received_plaintext(m.take_opaque_payload().unwrap());
904 Ok(())
905 }
906
handle_key_update(&mut self, sess: &mut ServerSessionImpl, kur: &KeyUpdateRequest) -> Result<(), TLSError>907 fn handle_key_update(&mut self, sess: &mut ServerSessionImpl, kur: &KeyUpdateRequest) -> Result<(), TLSError> {
908 #[cfg(feature = "quic")]
909 {
910 if let Protocol::Quic = sess.common.protocol {
911 sess.common.send_fatal_alert(AlertDescription::UnexpectedMessage);
912 let msg = "KeyUpdate received in QUIC connection".to_string();
913 warn!("{}", msg);
914 return Err(TLSError::PeerMisbehavedError(msg));
915 }
916 }
917
918 hs::check_aligned_handshake(sess)?;
919
920 match kur {
921 KeyUpdateRequest::UpdateNotRequested => {}
922 KeyUpdateRequest::UpdateRequested => {
923 self.want_write_key_update = true;
924 }
925 _ => {
926 sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
927 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
928 }
929 }
930
931 // Update our read-side keys.
932 let new_read_key = self.key_schedule.next_client_application_traffic_secret();
933 let suite = sess.common.get_suite_assert();
934 sess.common.record_layer.set_message_decrypter(cipher::new_tls13_read(suite, &new_read_key));
935
936 Ok(())
937 }
938 }
939
940 impl hs::State for ExpectTraffic {
handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError941 fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
942 if m.is_content_type(ContentType::ApplicationData) {
943 self.handle_traffic(sess, m)?;
944 } else if let Ok(key_update) = require_handshake_msg!(m, HandshakeType::KeyUpdate, HandshakePayload::KeyUpdate) {
945 self.handle_key_update(sess, key_update)?;
946 } else {
947 check_message(&m,
948 &[ContentType::ApplicationData, ContentType::Handshake],
949 &[HandshakeType::KeyUpdate])?;
950 }
951
952 Ok(self)
953 }
954
export_keying_material(&self, output: &mut [u8], label: &[u8], context: Option<&[u8]>) -> Result<(), TLSError>955 fn export_keying_material(&self,
956 output: &mut [u8],
957 label: &[u8],
958 context: Option<&[u8]>) -> Result<(), TLSError> {
959 self.key_schedule.export_keying_material(output, label, context)
960 }
961
perhaps_write_key_update(&mut self, sess: &mut ServerSessionImpl)962 fn perhaps_write_key_update(&mut self, sess: &mut ServerSessionImpl) {
963 if self.want_write_key_update {
964 self.want_write_key_update = false;
965 sess.common.send_msg_encrypt(Message::build_key_update_notify());
966
967 let write_key = self.key_schedule.next_server_application_traffic_secret();
968 let scs = sess.common.get_suite_assert();
969 sess.common.record_layer.set_message_encrypter(cipher::new_tls13_write(scs, &write_key));
970 }
971 }
972 }
973
974 #[cfg(feature = "quic")]
975 pub struct ExpectQUICTraffic {
976 _fin_verified: verify::FinishedMessageVerified,
977 }
978
979 #[cfg(feature = "quic")]
980 impl hs::State for ExpectQUICTraffic {
handle(self: Box<Self>, _: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError981 fn handle(self: Box<Self>, _: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
982 // reject all messages
983 check_message(&m, &[], &[])?;
984 unreachable!();
985 }
986 }
987