1 use crate::check::check_message;
2 use crate::cipher;
3 use crate::error::TLSError;
4 use crate::key_schedule::{
5 KeyScheduleEarly, KeyScheduleHandshake, KeyScheduleNonSecret, KeyScheduleTraffic,
6 KeyScheduleTrafficWithClientFinishedPending,
7 };
8 #[cfg(feature = "logging")]
9 use crate::log::{debug, trace, warn};
10 use crate::msgs::base::{Payload, PayloadU8};
11 use crate::msgs::ccs::ChangeCipherSpecPayload;
12 use crate::msgs::codec::Codec;
13 use crate::msgs::enums::KeyUpdateRequest;
14 use crate::msgs::enums::{AlertDescription, NamedGroup, SignatureScheme};
15 use crate::msgs::enums::{Compression, PSKKeyExchangeMode};
16 use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
17 use crate::msgs::handshake::CertReqExtension;
18 use crate::msgs::handshake::CertificateEntry;
19 use crate::msgs::handshake::CertificateExtension;
20 use crate::msgs::handshake::CertificatePayloadTLS13;
21 use crate::msgs::handshake::CertificateRequestPayloadTLS13;
22 use crate::msgs::handshake::CertificateStatus;
23 use crate::msgs::handshake::ClientHelloPayload;
24 use crate::msgs::handshake::DigitallySignedStruct;
25 use crate::msgs::handshake::HandshakeMessagePayload;
26 use crate::msgs::handshake::HandshakePayload;
27 use crate::msgs::handshake::HelloRetryExtension;
28 use crate::msgs::handshake::HelloRetryRequest;
29 use crate::msgs::handshake::KeyShareEntry;
30 use crate::msgs::handshake::NewSessionTicketPayloadTLS13;
31 use crate::msgs::handshake::Random;
32 use crate::msgs::handshake::ServerExtension;
33 use crate::msgs::handshake::ServerHelloPayload;
34 use crate::msgs::handshake::SessionID;
35 use crate::msgs::message::{Message, MessagePayload};
36 use crate::msgs::persist;
37 use crate::rand;
38 use crate::server::ServerSessionImpl;
39 use crate::sign;
40 use crate::suites;
41 use crate::verify;
42 #[cfg(feature = "quic")]
43 use crate::{msgs::handshake::NewSessionTicketExtension, quic, session::Protocol};
44
45 use crate::server::common::{ClientCertDetails, HandshakeDetails};
46 use crate::server::hs;
47
48 use ring::constant_time;
49
50 pub struct CompleteClientHelloHandling {
51 pub handshake: HandshakeDetails,
52 pub done_retry: bool,
53 pub send_cert_status: bool,
54 pub send_sct: bool,
55 pub send_ticket: bool,
56 }
57
58 impl CompleteClientHelloHandling {
check_binder( &self, sess: &mut ServerSessionImpl, client_hello: &Message, psk: &[u8], binder: &[u8], ) -> bool59 fn check_binder(
60 &self,
61 sess: &mut ServerSessionImpl,
62 client_hello: &Message,
63 psk: &[u8],
64 binder: &[u8],
65 ) -> bool {
66 let binder_plaintext = match client_hello.payload {
67 MessagePayload::Handshake(ref hmp) => hmp.get_encoding_for_binder_signing(),
68 _ => unreachable!(),
69 };
70
71 let suite = sess.common.get_suite_assert();
72 let suite_hash = suite.get_hash();
73 let handshake_hash = self
74 .handshake
75 .transcript
76 .get_hash_given(suite_hash, &binder_plaintext);
77
78 let key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, &psk);
79 let real_binder =
80 key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
81
82 constant_time::verify_slices_are_equal(&real_binder, binder).is_ok()
83 }
84
into_expect_retried_client_hello(self) -> hs::NextState85 fn into_expect_retried_client_hello(self) -> hs::NextState {
86 Box::new(hs::ExpectClientHello {
87 handshake: self.handshake,
88 done_retry: true,
89 send_cert_status: self.send_cert_status,
90 send_sct: self.send_sct,
91 send_ticket: self.send_ticket,
92 })
93 }
94
into_expect_certificate( self, key_schedule: KeyScheduleTrafficWithClientFinishedPending, ) -> hs::NextState95 fn into_expect_certificate(
96 self,
97 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
98 ) -> hs::NextState {
99 Box::new(ExpectCertificate {
100 handshake: self.handshake,
101 key_schedule,
102 send_ticket: self.send_ticket,
103 })
104 }
105
into_expect_finished( self, key_schedule: KeyScheduleTrafficWithClientFinishedPending, ) -> hs::NextState106 fn into_expect_finished(
107 self,
108 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
109 ) -> hs::NextState {
110 Box::new(ExpectFinished {
111 handshake: self.handshake,
112 key_schedule,
113 send_ticket: self.send_ticket,
114 })
115 }
116
emit_server_hello( &mut self, sess: &mut ServerSessionImpl, session_id: &SessionID, share: &KeyShareEntry, chosen_psk_idx: Option<usize>, resuming_psk: Option<&[u8]>, ) -> Result<KeyScheduleHandshake, TLSError>117 fn emit_server_hello(
118 &mut self,
119 sess: &mut ServerSessionImpl,
120 session_id: &SessionID,
121 share: &KeyShareEntry,
122 chosen_psk_idx: Option<usize>,
123 resuming_psk: Option<&[u8]>,
124 ) -> Result<KeyScheduleHandshake, TLSError> {
125 let mut extensions = Vec::new();
126
127 // Do key exchange
128 let kxr = suites::KeyExchange::start_ecdhe(share.group)
129 .and_then(|kx| kx.complete(&share.payload.0))
130 .ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
131
132 let kse = KeyShareEntry::new(share.group, kxr.pubkey.as_ref());
133 extensions.push(ServerExtension::KeyShare(kse));
134 extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
135
136 if let Some(psk_idx) = chosen_psk_idx {
137 extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
138 }
139
140 let sh = Message {
141 typ: ContentType::Handshake,
142 version: ProtocolVersion::TLSv1_2,
143 payload: MessagePayload::Handshake(HandshakeMessagePayload {
144 typ: HandshakeType::ServerHello,
145 payload: HandshakePayload::ServerHello(ServerHelloPayload {
146 legacy_version: ProtocolVersion::TLSv1_2,
147 random: Random::from_slice(&self.handshake.randoms.server),
148 session_id: *session_id,
149 cipher_suite: sess.common.get_suite_assert().suite,
150 compression_method: Compression::Null,
151 extensions,
152 }),
153 }),
154 };
155
156 hs::check_aligned_handshake(sess)?;
157
158 #[cfg(feature = "quic")]
159 let client_hello_hash = self
160 .handshake
161 .transcript
162 .get_hash_given(
163 sess.common
164 .get_suite_assert()
165 .get_hash(),
166 &[],
167 );
168
169 trace!("sending server hello {:?}", sh);
170 self.handshake
171 .transcript
172 .add_message(&sh);
173 sess.common.send_msg(sh, false);
174
175 // Start key schedule
176 let suite = sess.common.get_suite_assert();
177 let mut key_schedule = if let Some(psk) = resuming_psk {
178 let early_key_schedule = KeyScheduleEarly::new(suite.hkdf_algorithm, psk);
179
180 #[cfg(feature = "quic")]
181 {
182 if sess.common.protocol == Protocol::Quic {
183 let client_early_traffic_secret = early_key_schedule
184 .client_early_traffic_secret(
185 &client_hello_hash,
186 &*sess.config.key_log,
187 &self.handshake.randoms.client,
188 );
189 // If 0-RTT should be rejected, this will be clobbered by ExtensionProcessing
190 // before the application can see.
191 sess.common.quic.early_secret = Some(client_early_traffic_secret);
192 }
193 }
194
195 early_key_schedule.into_handshake(&kxr.shared_secret)
196 } else {
197 KeyScheduleNonSecret::new(suite.hkdf_algorithm).into_handshake(&kxr.shared_secret)
198 };
199
200 let handshake_hash = self
201 .handshake
202 .transcript
203 .get_current_hash();
204 let write_key = key_schedule.server_handshake_traffic_secret(
205 &handshake_hash,
206 &*sess.config.key_log,
207 &self.handshake.randoms.client,
208 );
209 sess.common
210 .record_layer
211 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
212
213 let read_key = key_schedule.client_handshake_traffic_secret(
214 &handshake_hash,
215 &*sess.config.key_log,
216 &self.handshake.randoms.client,
217 );
218 sess.common
219 .record_layer
220 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
221
222 #[cfg(feature = "quic")]
223 {
224 sess.common.quic.hs_secrets = Some(quic::Secrets {
225 client: read_key,
226 server: write_key,
227 });
228 }
229
230 Ok(key_schedule)
231 }
232
emit_fake_ccs(&mut self, sess: &mut ServerSessionImpl)233 fn emit_fake_ccs(&mut self, sess: &mut ServerSessionImpl) {
234 if sess.common.is_quic() {
235 return;
236 }
237 let m = Message {
238 typ: ContentType::ChangeCipherSpec,
239 version: ProtocolVersion::TLSv1_2,
240 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
241 };
242 sess.common.send_msg(m, false);
243 }
244
emit_hello_retry_request(&mut self, sess: &mut ServerSessionImpl, group: NamedGroup)245 fn emit_hello_retry_request(&mut self, sess: &mut ServerSessionImpl, group: NamedGroup) {
246 let mut req = HelloRetryRequest {
247 legacy_version: ProtocolVersion::TLSv1_2,
248 session_id: SessionID::empty(),
249 cipher_suite: sess.common.get_suite_assert().suite,
250 extensions: Vec::new(),
251 };
252
253 req.extensions
254 .push(HelloRetryExtension::KeyShare(group));
255 req.extensions
256 .push(HelloRetryExtension::SupportedVersions(
257 ProtocolVersion::TLSv1_3,
258 ));
259
260 let m = Message {
261 typ: ContentType::Handshake,
262 version: ProtocolVersion::TLSv1_2,
263 payload: MessagePayload::Handshake(HandshakeMessagePayload {
264 typ: HandshakeType::HelloRetryRequest,
265 payload: HandshakePayload::HelloRetryRequest(req),
266 }),
267 };
268
269 trace!("Requesting retry {:?}", m);
270 self.handshake
271 .transcript
272 .rollup_for_hrr();
273 self.handshake
274 .transcript
275 .add_message(&m);
276 sess.common.send_msg(m, false);
277 }
278
emit_encrypted_extensions( &mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, hello: &ClientHelloPayload, resumedata: Option<&persist::ServerSessionValue>, ) -> Result<(), TLSError>279 fn emit_encrypted_extensions(
280 &mut self,
281 sess: &mut ServerSessionImpl,
282 server_key: &mut sign::CertifiedKey,
283 hello: &ClientHelloPayload,
284 resumedata: Option<&persist::ServerSessionValue>,
285 ) -> Result<(), TLSError> {
286 let mut ep = hs::ExtensionProcessing::new();
287 ep.process_common(sess, Some(server_key), hello, resumedata, &self.handshake)?;
288
289 self.send_cert_status = ep.send_cert_status;
290 self.send_sct = ep.send_sct;
291
292 let ee = Message {
293 typ: ContentType::Handshake,
294 version: ProtocolVersion::TLSv1_3,
295 payload: MessagePayload::Handshake(HandshakeMessagePayload {
296 typ: HandshakeType::EncryptedExtensions,
297 payload: HandshakePayload::EncryptedExtensions(ep.exts),
298 }),
299 };
300
301 trace!("sending encrypted extensions {:?}", ee);
302 self.handshake
303 .transcript
304 .add_message(&ee);
305 sess.common.send_msg(ee, true);
306 Ok(())
307 }
308
emit_certificate_req_tls13( &mut self, sess: &mut ServerSessionImpl, ) -> Result<bool, TLSError>309 fn emit_certificate_req_tls13(
310 &mut self,
311 sess: &mut ServerSessionImpl,
312 ) -> Result<bool, TLSError> {
313 if !sess.config.verifier.offer_client_auth() {
314 return Ok(false);
315 }
316
317 let mut cr = CertificateRequestPayloadTLS13 {
318 context: PayloadU8::empty(),
319 extensions: Vec::new(),
320 };
321
322 let schemes = sess
323 .config
324 .get_verifier()
325 .supported_verify_schemes();
326 cr.extensions
327 .push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
328
329 let names = sess
330 .config
331 .verifier
332 .client_auth_root_subjects(sess.get_sni())
333 .ok_or_else(|| {
334 debug!("could not determine root subjects based on SNI");
335 sess.common
336 .send_fatal_alert(AlertDescription::AccessDenied);
337 TLSError::General("client rejected by client_auth_root_subjects".into())
338 })?;
339
340 if !names.is_empty() {
341 cr.extensions
342 .push(CertReqExtension::AuthorityNames(names));
343 }
344
345 let m = Message {
346 typ: ContentType::Handshake,
347 version: ProtocolVersion::TLSv1_3,
348 payload: MessagePayload::Handshake(HandshakeMessagePayload {
349 typ: HandshakeType::CertificateRequest,
350 payload: HandshakePayload::CertificateRequestTLS13(cr),
351 }),
352 };
353
354 trace!("Sending CertificateRequest {:?}", m);
355 self.handshake
356 .transcript
357 .add_message(&m);
358 sess.common.send_msg(m, true);
359 Ok(true)
360 }
361
emit_certificate_tls13( &mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, )362 fn emit_certificate_tls13(
363 &mut self,
364 sess: &mut ServerSessionImpl,
365 server_key: &mut sign::CertifiedKey,
366 ) {
367 let mut cert_entries = vec![];
368 for cert in server_key.take_cert() {
369 let entry = CertificateEntry {
370 cert,
371 exts: Vec::new(),
372 };
373
374 cert_entries.push(entry);
375 }
376
377 if let Some(end_entity_cert) = cert_entries.first_mut() {
378 // Apply OCSP response to first certificate (we don't support OCSP
379 // except for leaf certs).
380 if self.send_cert_status {
381 if let Some(ocsp) = server_key.take_ocsp() {
382 let cst = CertificateStatus::new(ocsp);
383 end_entity_cert
384 .exts
385 .push(CertificateExtension::CertificateStatus(cst));
386 }
387 }
388
389 // Likewise, SCT
390 if self.send_sct {
391 if let Some(sct_list) = server_key.take_sct_list() {
392 end_entity_cert
393 .exts
394 .push(CertificateExtension::make_sct(sct_list));
395 }
396 }
397 }
398
399 let cert_body = CertificatePayloadTLS13::new(cert_entries);
400 let c = Message {
401 typ: ContentType::Handshake,
402 version: ProtocolVersion::TLSv1_3,
403 payload: MessagePayload::Handshake(HandshakeMessagePayload {
404 typ: HandshakeType::Certificate,
405 payload: HandshakePayload::CertificateTLS13(cert_body),
406 }),
407 };
408
409 trace!("sending certificate {:?}", c);
410 self.handshake
411 .transcript
412 .add_message(&c);
413 sess.common.send_msg(c, true);
414 }
415
emit_certificate_verify_tls13( &mut self, sess: &mut ServerSessionImpl, server_key: &mut sign::CertifiedKey, schemes: &[SignatureScheme], ) -> Result<(), TLSError>416 fn emit_certificate_verify_tls13(
417 &mut self,
418 sess: &mut ServerSessionImpl,
419 server_key: &mut sign::CertifiedKey,
420 schemes: &[SignatureScheme],
421 ) -> Result<(), TLSError> {
422 let message = verify::construct_tls13_server_verify_message(
423 &self
424 .handshake
425 .transcript
426 .get_current_hash(),
427 );
428
429 let signing_key = &server_key.key;
430 let signer = signing_key
431 .choose_scheme(schemes)
432 .ok_or_else(|| hs::incompatible(sess, "no overlapping sigschemes"))?;
433
434 let scheme = signer.get_scheme();
435 let sig = signer.sign(&message)?;
436
437 let cv = DigitallySignedStruct::new(scheme, sig);
438
439 let m = Message {
440 typ: ContentType::Handshake,
441 version: ProtocolVersion::TLSv1_3,
442 payload: MessagePayload::Handshake(HandshakeMessagePayload {
443 typ: HandshakeType::CertificateVerify,
444 payload: HandshakePayload::CertificateVerify(cv),
445 }),
446 };
447
448 trace!("sending certificate-verify {:?}", m);
449 self.handshake
450 .transcript
451 .add_message(&m);
452 sess.common.send_msg(m, true);
453 Ok(())
454 }
455
emit_finished_tls13( &mut self, sess: &mut ServerSessionImpl, key_schedule: KeyScheduleHandshake, ) -> KeyScheduleTrafficWithClientFinishedPending456 fn emit_finished_tls13(
457 &mut self,
458 sess: &mut ServerSessionImpl,
459 key_schedule: KeyScheduleHandshake,
460 ) -> KeyScheduleTrafficWithClientFinishedPending {
461 let handshake_hash = self
462 .handshake
463 .transcript
464 .get_current_hash();
465 let verify_data = key_schedule.sign_server_finish(&handshake_hash);
466 let verify_data_payload = Payload::new(verify_data);
467
468 let m = Message {
469 typ: ContentType::Handshake,
470 version: ProtocolVersion::TLSv1_3,
471 payload: MessagePayload::Handshake(HandshakeMessagePayload {
472 typ: HandshakeType::Finished,
473 payload: HandshakePayload::Finished(verify_data_payload),
474 }),
475 };
476
477 trace!("sending finished {:?}", m);
478 self.handshake
479 .transcript
480 .add_message(&m);
481 self.handshake.hash_at_server_fin = self
482 .handshake
483 .transcript
484 .get_current_hash();
485 sess.common.send_msg(m, true);
486
487 // Now move to application data keys. Read key change is deferred until
488 // the Finish message is received & validated.
489 let mut key_schedule_traffic = key_schedule.into_traffic_with_client_finished_pending();
490 let suite = sess.common.get_suite_assert();
491 let write_key = key_schedule_traffic.server_application_traffic_secret(
492 &self.handshake.hash_at_server_fin,
493 &*sess.config.key_log,
494 &self.handshake.randoms.client,
495 );
496 sess.common
497 .record_layer
498 .set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
499
500 key_schedule_traffic.exporter_master_secret(
501 &self.handshake.hash_at_server_fin,
502 &*sess.config.key_log,
503 &self.handshake.randoms.client,
504 );
505
506 let _read_key = key_schedule_traffic.client_application_traffic_secret(
507 &self.handshake.hash_at_server_fin,
508 &*sess.config.key_log,
509 &self.handshake.randoms.client,
510 );
511
512 #[cfg(feature = "quic")]
513 {
514 sess.common.quic.traffic_secrets = Some(quic::Secrets {
515 client: _read_key,
516 server: write_key,
517 });
518 }
519
520 key_schedule_traffic
521 }
522
attempt_tls13_ticket_decryption( &mut self, sess: &mut ServerSessionImpl, ticket: &[u8], ) -> Option<persist::ServerSessionValue>523 fn attempt_tls13_ticket_decryption(
524 &mut self,
525 sess: &mut ServerSessionImpl,
526 ticket: &[u8],
527 ) -> Option<persist::ServerSessionValue> {
528 if sess.config.ticketer.enabled() {
529 sess.config
530 .ticketer
531 .decrypt(ticket)
532 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
533 } else {
534 sess.config
535 .session_storage
536 .take(ticket)
537 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain))
538 }
539 }
540
handle_client_hello( mut self, sess: &mut ServerSessionImpl, mut server_key: sign::CertifiedKey, chm: &Message, ) -> hs::NextStateOrError541 pub fn handle_client_hello(
542 mut self,
543 sess: &mut ServerSessionImpl,
544 mut server_key: sign::CertifiedKey,
545 chm: &Message,
546 ) -> hs::NextStateOrError {
547 let client_hello = require_handshake_msg!(
548 chm,
549 HandshakeType::ClientHello,
550 HandshakePayload::ClientHello
551 )?;
552
553 if client_hello.compression_methods.len() != 1 {
554 return Err(hs::illegal_param(sess, "client offered wrong compressions"));
555 }
556
557 let groups_ext = client_hello
558 .get_namedgroups_extension()
559 .ok_or_else(|| hs::incompatible(sess, "client didn't describe groups"))?;
560
561 let mut sigschemes_ext = client_hello
562 .get_sigalgs_extension()
563 .ok_or_else(|| hs::incompatible(sess, "client didn't describe sigschemes"))?
564 .clone();
565
566 let tls13_schemes = sign::supported_sign_tls13();
567 sigschemes_ext.retain(|scheme| tls13_schemes.contains(scheme));
568
569 let shares_ext = client_hello
570 .get_keyshare_extension()
571 .ok_or_else(|| hs::incompatible(sess, "client didn't send keyshares"))?;
572
573 if client_hello.has_keyshare_extension_with_duplicates() {
574 return Err(hs::illegal_param(sess, "client sent duplicate keyshares"));
575 }
576
577 let share_groups: Vec<NamedGroup> = shares_ext
578 .iter()
579 .map(|share| share.group)
580 .collect();
581
582 let supported_groups = suites::KeyExchange::supported_groups();
583 let chosen_group = supported_groups
584 .iter()
585 .filter(|group| share_groups.contains(group))
586 .nth(0)
587 .cloned();
588
589 if chosen_group.is_none() {
590 // We don't have a suitable key share. Choose a suitable group and
591 // send a HelloRetryRequest.
592 let retry_group_maybe = supported_groups
593 .iter()
594 .filter(|group| groups_ext.contains(group))
595 .nth(0)
596 .cloned();
597 self.handshake
598 .transcript
599 .add_message(chm);
600
601 if let Some(group) = retry_group_maybe {
602 if self.done_retry {
603 return Err(hs::illegal_param(sess, "did not follow retry request"));
604 }
605
606 self.emit_hello_retry_request(sess, group);
607 self.emit_fake_ccs(sess);
608 return Ok(self.into_expect_retried_client_hello());
609 }
610
611 return Err(hs::incompatible(sess, "no kx group overlap with client"));
612 }
613
614 let chosen_group = chosen_group.unwrap();
615 let chosen_share = shares_ext
616 .iter()
617 .find(|share| share.group == chosen_group)
618 .unwrap();
619
620 let mut chosen_psk_index = None;
621 let mut resumedata = None;
622 if let Some(psk_offer) = client_hello.get_psk() {
623 if !client_hello.check_psk_ext_is_last() {
624 return Err(hs::illegal_param(sess, "psk extension in wrong position"));
625 }
626
627 if psk_offer.binders.is_empty() {
628 return Err(hs::decode_error(sess, "psk extension missing binder"));
629 }
630
631 if psk_offer.binders.len() != psk_offer.identities.len() {
632 return Err(hs::illegal_param(
633 sess,
634 "psk extension mismatched ids/binders",
635 ));
636 }
637
638 for (i, psk_id) in psk_offer.identities.iter().enumerate() {
639 let maybe_resume = self.attempt_tls13_ticket_decryption(sess, &psk_id.identity.0);
640
641 if !hs::can_resume(sess, &self.handshake, &maybe_resume) {
642 continue;
643 }
644
645 let resume = maybe_resume.unwrap();
646
647 if !self.check_binder(sess, chm, &resume.master_secret.0, &psk_offer.binders[i].0) {
648 sess.common
649 .send_fatal_alert(AlertDescription::DecryptError);
650 return Err(TLSError::PeerMisbehavedError(
651 "client sent wrong binder".to_string(),
652 ));
653 }
654
655 chosen_psk_index = Some(i);
656 resumedata = Some(resume);
657 break;
658 }
659 }
660
661 if !client_hello.psk_mode_offered(PSKKeyExchangeMode::PSK_DHE_KE) {
662 debug!("Client unwilling to resume, DHE_KE not offered");
663 self.send_ticket = false;
664 chosen_psk_index = None;
665 resumedata = None;
666 } else {
667 self.send_ticket = true;
668 }
669
670 if let Some(ref resume) = resumedata {
671 sess.received_resumption_data = Some(resume.application_data.0.clone());
672 sess.client_cert_chain = resume.client_cert_chain.clone();
673 }
674
675 let full_handshake = resumedata.is_none();
676 self.handshake
677 .transcript
678 .add_message(chm);
679 let key_schedule = self.emit_server_hello(
680 sess,
681 &client_hello.session_id,
682 chosen_share,
683 chosen_psk_index,
684 resumedata
685 .as_ref()
686 .map(|x| &x.master_secret.0[..]),
687 )?;
688 if !self.done_retry {
689 self.emit_fake_ccs(sess);
690 }
691 self.emit_encrypted_extensions(sess, &mut server_key, client_hello, resumedata.as_ref())?;
692
693 let doing_client_auth = if full_handshake {
694 let client_auth = self.emit_certificate_req_tls13(sess)?;
695 self.emit_certificate_tls13(sess, &mut server_key);
696 self.emit_certificate_verify_tls13(sess, &mut server_key, &sigschemes_ext)?;
697 client_auth
698 } else {
699 false
700 };
701
702 hs::check_aligned_handshake(sess)?;
703 let key_schedule_traffic = self.emit_finished_tls13(sess, key_schedule);
704
705 if doing_client_auth {
706 Ok(self.into_expect_certificate(key_schedule_traffic))
707 } else {
708 Ok(self.into_expect_finished(key_schedule_traffic))
709 }
710 }
711 }
712
713 pub struct ExpectCertificate {
714 pub handshake: HandshakeDetails,
715 pub key_schedule: KeyScheduleTrafficWithClientFinishedPending,
716 pub send_ticket: bool,
717 }
718
719 impl ExpectCertificate {
into_expect_finished(self) -> hs::NextState720 fn into_expect_finished(self) -> hs::NextState {
721 Box::new(ExpectFinished {
722 key_schedule: self.key_schedule,
723 handshake: self.handshake,
724 send_ticket: self.send_ticket,
725 })
726 }
727
into_expect_certificate_verify(self, cert: ClientCertDetails) -> hs::NextState728 fn into_expect_certificate_verify(self, cert: ClientCertDetails) -> hs::NextState {
729 Box::new(ExpectCertificateVerify {
730 handshake: self.handshake,
731 key_schedule: self.key_schedule,
732 client_cert: cert,
733 send_ticket: self.send_ticket,
734 })
735 }
736 }
737
738 impl hs::State for ExpectCertificate {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError739 fn handle(
740 mut self: Box<Self>,
741 sess: &mut ServerSessionImpl,
742 m: Message,
743 ) -> hs::NextStateOrError {
744 let certp = require_handshake_msg!(
745 m,
746 HandshakeType::Certificate,
747 HandshakePayload::CertificateTLS13
748 )?;
749 self.handshake
750 .transcript
751 .add_message(&m);
752
753 // We don't send any CertificateRequest extensions, so any extensions
754 // here are illegal.
755 if certp.any_entry_has_extension() {
756 return Err(TLSError::PeerMisbehavedError(
757 "client sent unsolicited cert extension".to_string(),
758 ));
759 }
760
761 let cert_chain = certp.convert();
762
763 let mandatory = sess
764 .config
765 .verifier
766 .client_auth_mandatory(sess.get_sni())
767 .ok_or_else(|| {
768 debug!("could not determine if client auth is mandatory based on SNI");
769 sess.common
770 .send_fatal_alert(AlertDescription::AccessDenied);
771 TLSError::General("client rejected by client_auth_mandatory".into())
772 })?;
773
774 if cert_chain.is_empty() {
775 if !mandatory {
776 debug!("client auth requested but no certificate supplied");
777 self.handshake
778 .transcript
779 .abandon_client_auth();
780 return Ok(self.into_expect_finished());
781 }
782
783 sess.common
784 .send_fatal_alert(AlertDescription::CertificateRequired);
785 return Err(TLSError::NoCertificatesPresented);
786 }
787
788 sess.config
789 .get_verifier()
790 .verify_client_cert(&cert_chain, sess.get_sni())
791 .or_else(|err| {
792 hs::incompatible(sess, "certificate invalid");
793 Err(err)
794 })?;
795
796 let cert = ClientCertDetails::new(cert_chain);
797 Ok(self.into_expect_certificate_verify(cert))
798 }
799 }
800
801 pub struct ExpectCertificateVerify {
802 handshake: HandshakeDetails,
803 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
804 client_cert: ClientCertDetails,
805 send_ticket: bool,
806 }
807
808 impl ExpectCertificateVerify {
into_expect_finished(self) -> hs::NextState809 fn into_expect_finished(self) -> hs::NextState {
810 Box::new(ExpectFinished {
811 key_schedule: self.key_schedule,
812 handshake: self.handshake,
813 send_ticket: self.send_ticket,
814 })
815 }
816 }
817
818 impl hs::State for ExpectCertificateVerify {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError819 fn handle(
820 mut self: Box<Self>,
821 sess: &mut ServerSessionImpl,
822 m: Message,
823 ) -> hs::NextStateOrError {
824 let rc = {
825 let sig = require_handshake_msg!(
826 m,
827 HandshakeType::CertificateVerify,
828 HandshakePayload::CertificateVerify
829 )?;
830 let handshake_hash = self
831 .handshake
832 .transcript
833 .get_current_hash();
834 self.handshake
835 .transcript
836 .abandon_client_auth();
837 let certs = &self.client_cert.cert_chain;
838 let msg = verify::construct_tls13_client_verify_message(&handshake_hash);
839
840 sess.config
841 .get_verifier()
842 .verify_tls13_signature(&msg, &certs[0], sig)
843 };
844
845 if let Err(e) = rc {
846 sess.common
847 .send_fatal_alert(AlertDescription::AccessDenied);
848 return Err(e);
849 }
850
851 trace!("client CertificateVerify OK");
852 sess.client_cert_chain = Some(self.client_cert.take_chain());
853
854 self.handshake
855 .transcript
856 .add_message(&m);
857 Ok(self.into_expect_finished())
858 }
859 }
860
861 // --- Process client's Finished ---
get_server_session_value( handshake: &mut HandshakeDetails, key_schedule: &KeyScheduleTraffic, sess: &ServerSessionImpl, nonce: &[u8], ) -> persist::ServerSessionValue862 fn get_server_session_value(
863 handshake: &mut HandshakeDetails,
864 key_schedule: &KeyScheduleTraffic,
865 sess: &ServerSessionImpl,
866 nonce: &[u8],
867 ) -> persist::ServerSessionValue {
868 let scs = sess.common.get_suite_assert();
869 let version = ProtocolVersion::TLSv1_3;
870
871 let handshake_hash = handshake.transcript.get_current_hash();
872 let secret =
873 key_schedule.resumption_master_secret_and_derive_ticket_psk(&handshake_hash, nonce);
874
875 persist::ServerSessionValue::new(
876 sess.get_sni(),
877 version,
878 scs.suite,
879 secret,
880 &sess.client_cert_chain,
881 sess.alpn_protocol.clone(),
882 sess.resumption_data.clone(),
883 )
884 }
885
886 pub struct ExpectFinished {
887 pub handshake: HandshakeDetails,
888 pub key_schedule: KeyScheduleTrafficWithClientFinishedPending,
889 pub send_ticket: bool,
890 }
891
892 impl ExpectFinished {
into_expect_traffic( fin: verify::FinishedMessageVerified, ks: KeyScheduleTraffic, ) -> hs::NextState893 fn into_expect_traffic(
894 fin: verify::FinishedMessageVerified,
895 ks: KeyScheduleTraffic,
896 ) -> hs::NextState {
897 Box::new(ExpectTraffic {
898 key_schedule: ks,
899 want_write_key_update: false,
900 _fin_verified: fin,
901 })
902 }
903
emit_stateless_ticket( handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, key_schedule: &KeyScheduleTraffic, )904 fn emit_stateless_ticket(
905 handshake: &mut HandshakeDetails,
906 sess: &mut ServerSessionImpl,
907 key_schedule: &KeyScheduleTraffic,
908 ) {
909 let nonce = rand::random_vec(32);
910 let plain = get_server_session_value(handshake, key_schedule, sess, &nonce).get_encoding();
911 let maybe_ticket = sess.config.ticketer.encrypt(&plain);
912 let ticket_lifetime = sess.config.ticketer.get_lifetime();
913
914 if maybe_ticket.is_none() {
915 return;
916 }
917
918 let ticket = maybe_ticket.unwrap();
919 let age_add = rand::random_u32(); // nb, we don't do 0-RTT data, so whatever
920 #[allow(unused_mut)]
921 let mut payload =
922 NewSessionTicketPayloadTLS13::new(ticket_lifetime, age_add, nonce, ticket);
923 #[cfg(feature = "quic")]
924 {
925 if sess.config.max_early_data_size > 0 && sess.common.protocol == Protocol::Quic {
926 payload
927 .exts
928 .push(NewSessionTicketExtension::EarlyData(
929 sess.config.max_early_data_size,
930 ));
931 }
932 }
933 let m = Message {
934 typ: ContentType::Handshake,
935 version: ProtocolVersion::TLSv1_3,
936 payload: MessagePayload::Handshake(HandshakeMessagePayload {
937 typ: HandshakeType::NewSessionTicket,
938 payload: HandshakePayload::NewSessionTicketTLS13(payload),
939 }),
940 };
941
942 trace!("sending new ticket {:?}", m);
943 handshake.transcript.add_message(&m);
944 sess.common.send_msg(m, true);
945 }
946
emit_stateful_ticket( handshake: &mut HandshakeDetails, sess: &mut ServerSessionImpl, key_schedule: &KeyScheduleTraffic, )947 fn emit_stateful_ticket(
948 handshake: &mut HandshakeDetails,
949 sess: &mut ServerSessionImpl,
950 key_schedule: &KeyScheduleTraffic,
951 ) {
952 let nonce = rand::random_vec(32);
953 let id = rand::random_vec(32);
954 let plain = get_server_session_value(handshake, key_schedule, sess, &nonce).get_encoding();
955
956 if sess
957 .config
958 .session_storage
959 .put(id.clone(), plain)
960 {
961 let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
962 let age_add = rand::random_u32();
963 #[allow(unused_mut)]
964 let mut payload =
965 NewSessionTicketPayloadTLS13::new(stateful_lifetime, age_add, nonce, id);
966 #[cfg(feature = "quic")]
967 {
968 if sess.config.max_early_data_size > 0 && sess.common.protocol == Protocol::Quic {
969 payload
970 .exts
971 .push(NewSessionTicketExtension::EarlyData(
972 sess.config.max_early_data_size,
973 ));
974 }
975 }
976 let m = Message {
977 typ: ContentType::Handshake,
978 version: ProtocolVersion::TLSv1_3,
979 payload: MessagePayload::Handshake(HandshakeMessagePayload {
980 typ: HandshakeType::NewSessionTicket,
981 payload: HandshakePayload::NewSessionTicketTLS13(payload),
982 }),
983 };
984
985 trace!("sending new stateful ticket {:?}", m);
986 handshake.transcript.add_message(&m);
987 sess.common.send_msg(m, true);
988 } else {
989 trace!("resumption not available; not issuing ticket");
990 }
991 }
992 }
993
994 impl hs::State for ExpectFinished {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError995 fn handle(
996 mut self: Box<Self>,
997 sess: &mut ServerSessionImpl,
998 m: Message,
999 ) -> hs::NextStateOrError {
1000 let finished =
1001 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
1002
1003 let handshake_hash = self
1004 .handshake
1005 .transcript
1006 .get_current_hash();
1007 let expect_verify_data = self
1008 .key_schedule
1009 .sign_client_finish(&handshake_hash);
1010
1011 let fin = constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
1012 .map_err(|_| {
1013 sess.common
1014 .send_fatal_alert(AlertDescription::DecryptError);
1015 warn!("Finished wrong");
1016 TLSError::DecryptError
1017 })
1018 .map(|_| verify::FinishedMessageVerified::assertion())?;
1019
1020 // nb. future derivations include Client Finished, but not the
1021 // main application data keying.
1022 self.handshake
1023 .transcript
1024 .add_message(&m);
1025
1026 hs::check_aligned_handshake(sess)?;
1027
1028 let suite = sess.common.get_suite_assert();
1029
1030 // Install keying to read future messages.
1031 let read_key = self
1032 .key_schedule
1033 .client_application_traffic_secret(
1034 &self.handshake.hash_at_server_fin,
1035 &*sess.config.key_log,
1036 &self.handshake.randoms.client,
1037 );
1038 sess.common
1039 .record_layer
1040 .set_message_decrypter(cipher::new_tls13_read(suite, &read_key));
1041
1042 let key_schedule_traffic = self.key_schedule.into_traffic();
1043
1044 if self.send_ticket {
1045 if sess.config.ticketer.enabled() {
1046 Self::emit_stateless_ticket(&mut self.handshake, sess, &key_schedule_traffic);
1047 } else {
1048 Self::emit_stateful_ticket(&mut self.handshake, sess, &key_schedule_traffic);
1049 }
1050 }
1051
1052 sess.common.start_traffic();
1053
1054 #[cfg(feature = "quic")]
1055 {
1056 if sess.common.protocol == Protocol::Quic {
1057 return Ok(Box::new(ExpectQUICTraffic {
1058 key_schedule: key_schedule_traffic,
1059 _fin_verified: fin,
1060 }));
1061 }
1062 }
1063
1064 Ok(Self::into_expect_traffic(fin, key_schedule_traffic))
1065 }
1066 }
1067
1068 // --- Process traffic ---
1069 pub struct ExpectTraffic {
1070 key_schedule: KeyScheduleTraffic,
1071 want_write_key_update: bool,
1072 _fin_verified: verify::FinishedMessageVerified,
1073 }
1074
1075 impl ExpectTraffic {
handle_traffic(&self, sess: &mut ServerSessionImpl, mut m: Message) -> Result<(), TLSError>1076 fn handle_traffic(&self, sess: &mut ServerSessionImpl, mut m: Message) -> Result<(), TLSError> {
1077 sess.common
1078 .take_received_plaintext(m.take_opaque_payload().unwrap());
1079 Ok(())
1080 }
1081
handle_key_update( &mut self, sess: &mut ServerSessionImpl, kur: &KeyUpdateRequest, ) -> Result<(), TLSError>1082 fn handle_key_update(
1083 &mut self,
1084 sess: &mut ServerSessionImpl,
1085 kur: &KeyUpdateRequest,
1086 ) -> Result<(), TLSError> {
1087 #[cfg(feature = "quic")]
1088 {
1089 if let Protocol::Quic = sess.common.protocol {
1090 sess.common
1091 .send_fatal_alert(AlertDescription::UnexpectedMessage);
1092 let msg = "KeyUpdate received in QUIC connection".to_string();
1093 warn!("{}", msg);
1094 return Err(TLSError::PeerMisbehavedError(msg));
1095 }
1096 }
1097
1098 hs::check_aligned_handshake(sess)?;
1099
1100 match kur {
1101 KeyUpdateRequest::UpdateNotRequested => {}
1102 KeyUpdateRequest::UpdateRequested => {
1103 self.want_write_key_update = true;
1104 }
1105 _ => {
1106 sess.common
1107 .send_fatal_alert(AlertDescription::IllegalParameter);
1108 return Err(TLSError::CorruptMessagePayload(ContentType::Handshake));
1109 }
1110 }
1111
1112 // Update our read-side keys.
1113 let new_read_key = self
1114 .key_schedule
1115 .next_client_application_traffic_secret();
1116 let suite = sess.common.get_suite_assert();
1117 sess.common
1118 .record_layer
1119 .set_message_decrypter(cipher::new_tls13_read(suite, &new_read_key));
1120
1121 Ok(())
1122 }
1123 }
1124
1125 impl hs::State for ExpectTraffic {
handle( mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message, ) -> hs::NextStateOrError1126 fn handle(
1127 mut self: Box<Self>,
1128 sess: &mut ServerSessionImpl,
1129 m: Message,
1130 ) -> hs::NextStateOrError {
1131 if m.is_content_type(ContentType::ApplicationData) {
1132 self.handle_traffic(sess, m)?;
1133 } else if let Ok(key_update) =
1134 require_handshake_msg!(m, HandshakeType::KeyUpdate, HandshakePayload::KeyUpdate)
1135 {
1136 self.handle_key_update(sess, key_update)?;
1137 } else {
1138 check_message(
1139 &m,
1140 &[ContentType::ApplicationData, ContentType::Handshake],
1141 &[HandshakeType::KeyUpdate],
1142 )?;
1143 }
1144
1145 Ok(self)
1146 }
1147
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), TLSError>1148 fn export_keying_material(
1149 &self,
1150 output: &mut [u8],
1151 label: &[u8],
1152 context: Option<&[u8]>,
1153 ) -> Result<(), TLSError> {
1154 self.key_schedule
1155 .export_keying_material(output, label, context)
1156 }
1157
perhaps_write_key_update(&mut self, sess: &mut ServerSessionImpl)1158 fn perhaps_write_key_update(&mut self, sess: &mut ServerSessionImpl) {
1159 if self.want_write_key_update {
1160 self.want_write_key_update = false;
1161 sess.common
1162 .send_msg_encrypt(Message::build_key_update_notify());
1163
1164 let write_key = self
1165 .key_schedule
1166 .next_server_application_traffic_secret();
1167 let scs = sess.common.get_suite_assert();
1168 sess.common
1169 .record_layer
1170 .set_message_encrypter(cipher::new_tls13_write(scs, &write_key));
1171 }
1172 }
1173 }
1174
1175 #[cfg(feature = "quic")]
1176 pub struct ExpectQUICTraffic {
1177 key_schedule: KeyScheduleTraffic,
1178 _fin_verified: verify::FinishedMessageVerified,
1179 }
1180
1181 #[cfg(feature = "quic")]
1182 impl hs::State for ExpectQUICTraffic {
handle(self: Box<Self>, _: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError1183 fn handle(self: Box<Self>, _: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
1184 // reject all messages
1185 check_message(&m, &[], &[])?;
1186 unreachable!();
1187 }
1188
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), TLSError>1189 fn export_keying_material(
1190 &self,
1191 output: &mut [u8],
1192 label: &[u8],
1193 context: Option<&[u8]>,
1194 ) -> Result<(), TLSError> {
1195 self.key_schedule
1196 .export_keying_material(output, label, context)
1197 }
1198 }
1199