1 use crate::check::{check_message, inappropriate_message};
2 use crate::conn::{CommonState, ConnectionRandoms, State};
3 use crate::error::Error;
4 use crate::hash_hs::HandshakeHash;
5 #[cfg(feature = "logging")]
6 use crate::log::{debug, trace};
7 use crate::msgs::base::{Payload, PayloadU8};
8 use crate::msgs::ccs::ChangeCipherSpecPayload;
9 use crate::msgs::codec::Codec;
10 use crate::msgs::enums::{AlertDescription, ProtocolVersion};
11 use crate::msgs::enums::{ContentType, HandshakeType};
12 use crate::msgs::handshake::{CertificatePayload, DecomposedSignatureScheme, SCTList, SessionID};
13 use crate::msgs::handshake::{DigitallySignedStruct, ServerECDHParams};
14 use crate::msgs::handshake::{HandshakeMessagePayload, HandshakePayload, NewSessionTicketPayload};
15 use crate::msgs::message::{Message, MessagePayload};
16 use crate::msgs::persist;
17 use crate::suites::SupportedCipherSuite;
18 use crate::ticketer::TimeBase;
19 use crate::tls12::{self, ConnectionSecrets, Tls12CipherSuite};
20 use crate::{kx, verify};
21
22 use super::client_conn::ClientConnectionData;
23 use super::hs::ClientContext;
24 use crate::client::common::ClientAuthDetails;
25 use crate::client::common::ServerCertDetails;
26 use crate::client::{hs, ClientConfig, ServerName};
27
28 use ring::constant_time;
29
30 use std::sync::Arc;
31
32 pub(super) use server_hello::CompleteServerHelloHandling;
33
34 mod server_hello {
35 use crate::msgs::enums::ExtensionType;
36 use crate::msgs::handshake::HasServerExtensions;
37 use crate::msgs::handshake::ServerHelloPayload;
38
39 use super::*;
40
41 pub(in crate::client) struct CompleteServerHelloHandling {
42 pub(in crate::client) config: Arc<ClientConfig>,
43 pub(in crate::client) resuming_session: Option<persist::Tls12ClientSessionValue>,
44 pub(in crate::client) server_name: ServerName,
45 pub(in crate::client) randoms: ConnectionRandoms,
46 pub(in crate::client) using_ems: bool,
47 pub(in crate::client) transcript: HandshakeHash,
48 }
49
50 impl CompleteServerHelloHandling {
handle_server_hello( mut self, cx: &mut ClientContext, suite: &'static Tls12CipherSuite, server_hello: &ServerHelloPayload, tls13_supported: bool, ) -> hs::NextStateOrError51 pub(in crate::client) fn handle_server_hello(
52 mut self,
53 cx: &mut ClientContext,
54 suite: &'static Tls12CipherSuite,
55 server_hello: &ServerHelloPayload,
56 tls13_supported: bool,
57 ) -> hs::NextStateOrError {
58 server_hello
59 .random
60 .write_slice(&mut self.randoms.server);
61
62 // Look for TLS1.3 downgrade signal in server random
63 if tls13_supported
64 && self
65 .randoms
66 .has_tls12_downgrade_marker()
67 {
68 return Err(cx
69 .common
70 .illegal_param("downgrade to TLS1.2 when TLS1.3 is supported"));
71 }
72
73 // Doing EMS?
74 self.using_ems = server_hello.ems_support_acked();
75
76 // Might the server send a ticket?
77 let must_issue_new_ticket = if server_hello
78 .find_extension(ExtensionType::SessionTicket)
79 .is_some()
80 {
81 debug!("Server supports tickets");
82 true
83 } else {
84 false
85 };
86
87 // Might the server send a CertificateStatus between Certificate and
88 // ServerKeyExchange?
89 let may_send_cert_status = server_hello
90 .find_extension(ExtensionType::StatusRequest)
91 .is_some();
92 if may_send_cert_status {
93 debug!("Server may staple OCSP response");
94 }
95
96 // Save any sent SCTs for verification against the certificate.
97 let server_cert_sct_list = if let Some(sct_list) = server_hello.get_sct_list() {
98 debug!("Server sent {:?} SCTs", sct_list.len());
99
100 if hs::sct_list_is_invalid(sct_list) {
101 let error_msg = "server sent invalid SCT list".to_string();
102 return Err(Error::PeerMisbehavedError(error_msg));
103 }
104 Some(sct_list.clone())
105 } else {
106 None
107 };
108
109 // See if we're successfully resuming.
110 if let Some(ref resuming) = self.resuming_session {
111 if resuming.session_id == server_hello.session_id {
112 debug!("Server agreed to resume");
113
114 // Is the server telling lies about the ciphersuite?
115 if resuming.suite() != suite {
116 let error_msg =
117 "abbreviated handshake offered, but with varied cs".to_string();
118 return Err(Error::PeerMisbehavedError(error_msg));
119 }
120
121 // And about EMS support?
122 if resuming.extended_ms() != self.using_ems {
123 let error_msg = "server varied ems support over resume".to_string();
124 return Err(Error::PeerMisbehavedError(error_msg));
125 }
126
127 let secrets =
128 ConnectionSecrets::new_resume(&self.randoms, suite, resuming.secret());
129 self.config.key_log.log(
130 "CLIENT_RANDOM",
131 &secrets.randoms.client,
132 &secrets.master_secret,
133 );
134 cx.common
135 .start_encryption_tls12(&secrets);
136
137 // Since we're resuming, we verified the certificate and
138 // proof of possession in the prior session.
139 cx.common.peer_certificates = Some(resuming.server_cert_chain().to_vec());
140 let cert_verified = verify::ServerCertVerified::assertion();
141 let sig_verified = verify::HandshakeSignatureValid::assertion();
142
143 return if must_issue_new_ticket {
144 Ok(Box::new(ExpectNewTicket {
145 config: self.config,
146 secrets,
147 resuming_session: self.resuming_session,
148 session_id: server_hello.session_id,
149 server_name: self.server_name,
150 using_ems: self.using_ems,
151 transcript: self.transcript,
152 resuming: true,
153 cert_verified,
154 sig_verified,
155 }))
156 } else {
157 Ok(Box::new(ExpectCcs {
158 config: self.config,
159 secrets,
160 resuming_session: self.resuming_session,
161 session_id: server_hello.session_id,
162 server_name: self.server_name,
163 using_ems: self.using_ems,
164 transcript: self.transcript,
165 ticket: None,
166 resuming: true,
167 cert_verified,
168 sig_verified,
169 }))
170 };
171 }
172 }
173
174 Ok(Box::new(ExpectCertificate {
175 config: self.config,
176 resuming_session: self.resuming_session,
177 session_id: server_hello.session_id,
178 server_name: self.server_name,
179 randoms: self.randoms,
180 using_ems: self.using_ems,
181 transcript: self.transcript,
182 suite,
183 may_send_cert_status,
184 must_issue_new_ticket,
185 server_cert_sct_list,
186 }))
187 }
188 }
189 }
190
191 struct ExpectCertificate {
192 config: Arc<ClientConfig>,
193 resuming_session: Option<persist::Tls12ClientSessionValue>,
194 session_id: SessionID,
195 server_name: ServerName,
196 randoms: ConnectionRandoms,
197 using_ems: bool,
198 transcript: HandshakeHash,
199 pub(super) suite: &'static Tls12CipherSuite,
200 may_send_cert_status: bool,
201 must_issue_new_ticket: bool,
202 server_cert_sct_list: Option<SCTList>,
203 }
204
205 impl State<ClientConnectionData> for ExpectCertificate {
handle( mut self: Box<Self>, _cx: &mut ClientContext<'_>, m: Message, ) -> hs::NextStateOrError206 fn handle(
207 mut self: Box<Self>,
208 _cx: &mut ClientContext<'_>,
209 m: Message,
210 ) -> hs::NextStateOrError {
211 self.transcript.add_message(&m);
212 let server_cert_chain = require_handshake_msg_move!(
213 m,
214 HandshakeType::Certificate,
215 HandshakePayload::Certificate
216 )?;
217
218 if self.may_send_cert_status {
219 Ok(Box::new(ExpectCertificateStatusOrServerKx {
220 config: self.config,
221 resuming_session: self.resuming_session,
222 session_id: self.session_id,
223 server_name: self.server_name,
224 randoms: self.randoms,
225 using_ems: self.using_ems,
226 transcript: self.transcript,
227 suite: self.suite,
228 server_cert_sct_list: self.server_cert_sct_list,
229 server_cert_chain,
230 must_issue_new_ticket: self.must_issue_new_ticket,
231 }))
232 } else {
233 let server_cert =
234 ServerCertDetails::new(server_cert_chain, vec![], self.server_cert_sct_list);
235
236 Ok(Box::new(ExpectServerKx {
237 config: self.config,
238 resuming_session: self.resuming_session,
239 session_id: self.session_id,
240 server_name: self.server_name,
241 randoms: self.randoms,
242 using_ems: self.using_ems,
243 transcript: self.transcript,
244 suite: self.suite,
245 server_cert,
246 must_issue_new_ticket: self.must_issue_new_ticket,
247 }))
248 }
249 }
250 }
251
252 struct ExpectCertificateStatusOrServerKx {
253 config: Arc<ClientConfig>,
254 resuming_session: Option<persist::Tls12ClientSessionValue>,
255 session_id: SessionID,
256 server_name: ServerName,
257 randoms: ConnectionRandoms,
258 using_ems: bool,
259 transcript: HandshakeHash,
260 suite: &'static Tls12CipherSuite,
261 server_cert_sct_list: Option<SCTList>,
262 server_cert_chain: CertificatePayload,
263 must_issue_new_ticket: bool,
264 }
265
266 impl State<ClientConnectionData> for ExpectCertificateStatusOrServerKx {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError267 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
268 check_message(
269 &m,
270 &[ContentType::Handshake],
271 &[
272 HandshakeType::ServerKeyExchange,
273 HandshakeType::CertificateStatus,
274 ],
275 )?;
276
277 if m.is_handshake_type(HandshakeType::ServerKeyExchange) {
278 Box::new(ExpectServerKx {
279 config: self.config,
280 resuming_session: self.resuming_session,
281 session_id: self.session_id,
282 server_name: self.server_name,
283 randoms: self.randoms,
284 using_ems: self.using_ems,
285 transcript: self.transcript,
286 suite: self.suite,
287 server_cert: ServerCertDetails::new(
288 self.server_cert_chain,
289 vec![],
290 self.server_cert_sct_list,
291 ),
292 must_issue_new_ticket: self.must_issue_new_ticket,
293 })
294 .handle(cx, m)
295 } else {
296 Box::new(ExpectCertificateStatus {
297 config: self.config,
298 resuming_session: self.resuming_session,
299 session_id: self.session_id,
300 server_name: self.server_name,
301 randoms: self.randoms,
302 using_ems: self.using_ems,
303 transcript: self.transcript,
304 suite: self.suite,
305 server_cert_sct_list: self.server_cert_sct_list,
306 server_cert_chain: self.server_cert_chain,
307 must_issue_new_ticket: self.must_issue_new_ticket,
308 })
309 .handle(cx, m)
310 }
311 }
312 }
313
314 struct ExpectCertificateStatus {
315 config: Arc<ClientConfig>,
316 resuming_session: Option<persist::Tls12ClientSessionValue>,
317 session_id: SessionID,
318 server_name: ServerName,
319 randoms: ConnectionRandoms,
320 using_ems: bool,
321 transcript: HandshakeHash,
322 suite: &'static Tls12CipherSuite,
323 server_cert_sct_list: Option<SCTList>,
324 server_cert_chain: CertificatePayload,
325 must_issue_new_ticket: bool,
326 }
327
328 impl State<ClientConnectionData> for ExpectCertificateStatus {
handle( mut self: Box<Self>, _cx: &mut ClientContext<'_>, m: Message, ) -> hs::NextStateOrError329 fn handle(
330 mut self: Box<Self>,
331 _cx: &mut ClientContext<'_>,
332 m: Message,
333 ) -> hs::NextStateOrError {
334 self.transcript.add_message(&m);
335 let server_cert_ocsp_response = require_handshake_msg_move!(
336 m,
337 HandshakeType::CertificateStatus,
338 HandshakePayload::CertificateStatus
339 )?
340 .into_inner();
341
342 trace!(
343 "Server stapled OCSP response is {:?}",
344 &server_cert_ocsp_response
345 );
346
347 let server_cert = ServerCertDetails::new(
348 self.server_cert_chain,
349 server_cert_ocsp_response,
350 self.server_cert_sct_list,
351 );
352
353 Ok(Box::new(ExpectServerKx {
354 config: self.config,
355 resuming_session: self.resuming_session,
356 session_id: self.session_id,
357 server_name: self.server_name,
358 randoms: self.randoms,
359 using_ems: self.using_ems,
360 transcript: self.transcript,
361 suite: self.suite,
362 server_cert,
363 must_issue_new_ticket: self.must_issue_new_ticket,
364 }))
365 }
366 }
367
368 struct ExpectServerKx {
369 config: Arc<ClientConfig>,
370 resuming_session: Option<persist::Tls12ClientSessionValue>,
371 session_id: SessionID,
372 server_name: ServerName,
373 randoms: ConnectionRandoms,
374 using_ems: bool,
375 transcript: HandshakeHash,
376 suite: &'static Tls12CipherSuite,
377 server_cert: ServerCertDetails,
378 must_issue_new_ticket: bool,
379 }
380
381 impl State<ClientConnectionData> for ExpectServerKx {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError382 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
383 let opaque_kx = require_handshake_msg!(
384 m,
385 HandshakeType::ServerKeyExchange,
386 HandshakePayload::ServerKeyExchange
387 )?;
388 self.transcript.add_message(&m);
389
390 let ecdhe = opaque_kx
391 .unwrap_given_kxa(&self.suite.kx)
392 .ok_or_else(|| {
393 cx.common
394 .send_fatal_alert(AlertDescription::DecodeError);
395 Error::CorruptMessagePayload(ContentType::Handshake)
396 })?;
397
398 // Save the signature and signed parameters for later verification.
399 let mut kx_params = Vec::new();
400 ecdhe.params.encode(&mut kx_params);
401 let server_kx = ServerKxDetails::new(kx_params, ecdhe.dss);
402
403 #[cfg_attr(not(feature = "logging"), allow(unused_variables))]
404 {
405 debug!("ECDHE curve is {:?}", ecdhe.params.curve_params);
406 }
407
408 Ok(Box::new(ExpectServerDoneOrCertReq {
409 config: self.config,
410 resuming_session: self.resuming_session,
411 session_id: self.session_id,
412 server_name: self.server_name,
413 randoms: self.randoms,
414 using_ems: self.using_ems,
415 transcript: self.transcript,
416 suite: self.suite,
417 server_cert: self.server_cert,
418 server_kx,
419 must_issue_new_ticket: self.must_issue_new_ticket,
420 }))
421 }
422 }
423
emit_certificate( transcript: &mut HandshakeHash, cert_chain: CertificatePayload, common: &mut CommonState, )424 fn emit_certificate(
425 transcript: &mut HandshakeHash,
426 cert_chain: CertificatePayload,
427 common: &mut CommonState,
428 ) {
429 let cert = Message {
430 version: ProtocolVersion::TLSv1_2,
431 payload: MessagePayload::Handshake(HandshakeMessagePayload {
432 typ: HandshakeType::Certificate,
433 payload: HandshakePayload::Certificate(cert_chain),
434 }),
435 };
436
437 transcript.add_message(&cert);
438 common.send_msg(cert, false);
439 }
440
emit_clientkx( transcript: &mut HandshakeHash, common: &mut CommonState, kxd: &kx::KeyExchangeResult, )441 fn emit_clientkx(
442 transcript: &mut HandshakeHash,
443 common: &mut CommonState,
444 kxd: &kx::KeyExchangeResult,
445 ) {
446 let mut buf = Vec::new();
447 let ecpoint = PayloadU8::new(Vec::from(kxd.pubkey.as_ref()));
448 ecpoint.encode(&mut buf);
449 let pubkey = Payload::new(buf);
450
451 let ckx = Message {
452 version: ProtocolVersion::TLSv1_2,
453 payload: MessagePayload::Handshake(HandshakeMessagePayload {
454 typ: HandshakeType::ClientKeyExchange,
455 payload: HandshakePayload::ClientKeyExchange(pubkey),
456 }),
457 };
458
459 transcript.add_message(&ckx);
460 common.send_msg(ckx, false);
461 }
462
emit_certverify( transcript: &mut HandshakeHash, client_auth: &mut ClientAuthDetails, common: &mut CommonState, ) -> Result<(), Error>463 fn emit_certverify(
464 transcript: &mut HandshakeHash,
465 client_auth: &mut ClientAuthDetails,
466 common: &mut CommonState,
467 ) -> Result<(), Error> {
468 let (signer, message) = match (client_auth.signer.take(), transcript.take_handshake_buf()) {
469 (Some(signer), Some(msg)) => (signer, msg),
470 (None, _) => {
471 trace!("Not sending CertificateVerify, no key");
472 transcript.abandon_client_auth();
473 return Ok(());
474 }
475 (_, None) => {
476 trace!("Not sending CertificateVerify, no transcript");
477 return Ok(());
478 }
479 };
480
481 let scheme = signer.scheme();
482 let sig = signer.sign(&message)?;
483 let body = DigitallySignedStruct::new(scheme, sig);
484
485 let m = Message {
486 version: ProtocolVersion::TLSv1_2,
487 payload: MessagePayload::Handshake(HandshakeMessagePayload {
488 typ: HandshakeType::CertificateVerify,
489 payload: HandshakePayload::CertificateVerify(body),
490 }),
491 };
492
493 transcript.add_message(&m);
494 common.send_msg(m, false);
495 Ok(())
496 }
497
emit_ccs(common: &mut CommonState)498 fn emit_ccs(common: &mut CommonState) {
499 let ccs = Message {
500 version: ProtocolVersion::TLSv1_2,
501 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
502 };
503
504 common.send_msg(ccs, false);
505 }
506
emit_finished( secrets: &ConnectionSecrets, transcript: &mut HandshakeHash, common: &mut CommonState, )507 fn emit_finished(
508 secrets: &ConnectionSecrets,
509 transcript: &mut HandshakeHash,
510 common: &mut CommonState,
511 ) {
512 let vh = transcript.get_current_hash();
513 let verify_data = secrets.client_verify_data(&vh);
514 let verify_data_payload = Payload::new(verify_data);
515
516 let f = Message {
517 version: ProtocolVersion::TLSv1_2,
518 payload: MessagePayload::Handshake(HandshakeMessagePayload {
519 typ: HandshakeType::Finished,
520 payload: HandshakePayload::Finished(verify_data_payload),
521 }),
522 };
523
524 transcript.add_message(&f);
525 common.send_msg(f, true);
526 }
527
528 struct ServerKxDetails {
529 kx_params: Vec<u8>,
530 kx_sig: DigitallySignedStruct,
531 }
532
533 impl ServerKxDetails {
new(params: Vec<u8>, sig: DigitallySignedStruct) -> Self534 fn new(params: Vec<u8>, sig: DigitallySignedStruct) -> Self {
535 Self {
536 kx_params: params,
537 kx_sig: sig,
538 }
539 }
540 }
541
542 // --- Either a CertificateRequest, or a ServerHelloDone. ---
543 // Existence of the CertificateRequest tells us the server is asking for
544 // client auth. Otherwise we go straight to ServerHelloDone.
545 struct ExpectServerDoneOrCertReq {
546 config: Arc<ClientConfig>,
547 resuming_session: Option<persist::Tls12ClientSessionValue>,
548 session_id: SessionID,
549 server_name: ServerName,
550 randoms: ConnectionRandoms,
551 using_ems: bool,
552 transcript: HandshakeHash,
553 suite: &'static Tls12CipherSuite,
554 server_cert: ServerCertDetails,
555 server_kx: ServerKxDetails,
556 must_issue_new_ticket: bool,
557 }
558
559 impl State<ClientConnectionData> for ExpectServerDoneOrCertReq {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError560 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
561 if require_handshake_msg!(
562 m,
563 HandshakeType::CertificateRequest,
564 HandshakePayload::CertificateRequest
565 )
566 .is_ok()
567 {
568 Box::new(ExpectCertificateRequest {
569 config: self.config,
570 resuming_session: self.resuming_session,
571 session_id: self.session_id,
572 server_name: self.server_name,
573 randoms: self.randoms,
574 using_ems: self.using_ems,
575 transcript: self.transcript,
576 suite: self.suite,
577 server_cert: self.server_cert,
578 server_kx: self.server_kx,
579 must_issue_new_ticket: self.must_issue_new_ticket,
580 })
581 .handle(cx, m)
582 } else {
583 self.transcript.abandon_client_auth();
584
585 Box::new(ExpectServerDone {
586 config: self.config,
587 resuming_session: self.resuming_session,
588 session_id: self.session_id,
589 server_name: self.server_name,
590 randoms: self.randoms,
591 using_ems: self.using_ems,
592 transcript: self.transcript,
593 suite: self.suite,
594 server_cert: self.server_cert,
595 server_kx: self.server_kx,
596 client_auth: None,
597 must_issue_new_ticket: self.must_issue_new_ticket,
598 })
599 .handle(cx, m)
600 }
601 }
602 }
603
604 struct ExpectCertificateRequest {
605 config: Arc<ClientConfig>,
606 resuming_session: Option<persist::Tls12ClientSessionValue>,
607 session_id: SessionID,
608 server_name: ServerName,
609 randoms: ConnectionRandoms,
610 using_ems: bool,
611 transcript: HandshakeHash,
612 suite: &'static Tls12CipherSuite,
613 server_cert: ServerCertDetails,
614 server_kx: ServerKxDetails,
615 must_issue_new_ticket: bool,
616 }
617
618 impl State<ClientConnectionData> for ExpectCertificateRequest {
handle( mut self: Box<Self>, _cx: &mut ClientContext<'_>, m: Message, ) -> hs::NextStateOrError619 fn handle(
620 mut self: Box<Self>,
621 _cx: &mut ClientContext<'_>,
622 m: Message,
623 ) -> hs::NextStateOrError {
624 let certreq = require_handshake_msg!(
625 m,
626 HandshakeType::CertificateRequest,
627 HandshakePayload::CertificateRequest
628 )?;
629 self.transcript.add_message(&m);
630 debug!("Got CertificateRequest {:?}", certreq);
631
632 let mut client_auth = ClientAuthDetails::new();
633
634 // The RFC jovially describes the design here as 'somewhat complicated'
635 // and 'somewhat underspecified'. So thanks for that.
636 //
637 // We ignore certreq.certtypes as a result, since the information it contains
638 // is entirely duplicated in certreq.sigschemes.
639
640 let canames = certreq
641 .canames
642 .iter()
643 .map(|p| p.0.as_slice())
644 .collect::<Vec<&[u8]>>();
645 let maybe_certkey = self
646 .config
647 .client_auth_cert_resolver
648 .resolve(&canames, &certreq.sigschemes);
649
650 if let Some(certkey) = maybe_certkey {
651 let maybe_signer = certkey
652 .key
653 .choose_scheme(&certreq.sigschemes);
654
655 if maybe_signer.is_some() {
656 debug!("Attempting client auth");
657 client_auth.certkey = Some(certkey);
658 }
659 client_auth.signer = maybe_signer;
660 } else {
661 debug!("Client auth requested but no cert/sigscheme available");
662 }
663
664 Ok(Box::new(ExpectServerDone {
665 config: self.config,
666 resuming_session: self.resuming_session,
667 session_id: self.session_id,
668 server_name: self.server_name,
669 randoms: self.randoms,
670 using_ems: self.using_ems,
671 transcript: self.transcript,
672 suite: self.suite,
673 server_cert: self.server_cert,
674 server_kx: self.server_kx,
675 client_auth: Some(client_auth),
676 must_issue_new_ticket: self.must_issue_new_ticket,
677 }))
678 }
679 }
680
681 struct ExpectServerDone {
682 config: Arc<ClientConfig>,
683 resuming_session: Option<persist::Tls12ClientSessionValue>,
684 session_id: SessionID,
685 server_name: ServerName,
686 randoms: ConnectionRandoms,
687 using_ems: bool,
688 transcript: HandshakeHash,
689 suite: &'static Tls12CipherSuite,
690 server_cert: ServerCertDetails,
691 server_kx: ServerKxDetails,
692 client_auth: Option<ClientAuthDetails>,
693 must_issue_new_ticket: bool,
694 }
695
696 impl State<ClientConnectionData> for ExpectServerDone {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError697 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
698 let mut st = *self;
699 check_message(
700 &m,
701 &[ContentType::Handshake],
702 &[HandshakeType::ServerHelloDone],
703 )?;
704 st.transcript.add_message(&m);
705
706 cx.common.check_aligned_handshake()?;
707
708 trace!("Server cert is {:?}", st.server_cert.cert_chain);
709 debug!("Server DNS name is {:?}", st.server_name);
710
711 let suite = st.suite;
712
713 // 1. Verify the cert chain.
714 // 2. Verify any SCTs provided with the certificate.
715 // 3. Verify that the top certificate signed their kx.
716 // 4. If doing client auth, send our Certificate.
717 // 5. Complete the key exchange:
718 // a) generate our kx pair
719 // b) emit a ClientKeyExchange containing it
720 // c) if doing client auth, emit a CertificateVerify
721 // d) emit a CCS
722 // e) derive the shared keys, and start encryption
723 // 6. emit a Finished, our first encrypted message under the new keys.
724
725 // 1.
726 let (end_entity, intermediates) = st
727 .server_cert
728 .cert_chain
729 .split_first()
730 .ok_or(Error::NoCertificatesPresented)?;
731 let now = std::time::SystemTime::now();
732 let cert_verified = st
733 .config
734 .verifier
735 .verify_server_cert(
736 end_entity,
737 intermediates,
738 &st.server_name,
739 &mut st.server_cert.scts(),
740 &st.server_cert.ocsp_response,
741 now,
742 )
743 .map_err(|err| hs::send_cert_error_alert(cx.common, err))?;
744
745 // 3.
746 // Build up the contents of the signed message.
747 // It's ClientHello.random || ServerHello.random || ServerKeyExchange.params
748 let sig_verified = {
749 let mut message = Vec::new();
750 message.extend_from_slice(&st.randoms.client);
751 message.extend_from_slice(&st.randoms.server);
752 message.extend_from_slice(&st.server_kx.kx_params);
753
754 // Check the signature is compatible with the ciphersuite.
755 let sig = &st.server_kx.kx_sig;
756 if !SupportedCipherSuite::from(suite).usable_for_signature_algorithm(sig.scheme.sign())
757 {
758 let error_message = format!(
759 "peer signed kx with wrong algorithm (got {:?} expect {:?})",
760 sig.scheme.sign(),
761 suite.sign
762 );
763 return Err(Error::PeerMisbehavedError(error_message));
764 }
765
766 st.config
767 .verifier
768 .verify_tls12_signature(&message, &st.server_cert.cert_chain[0], sig)
769 .map_err(|err| hs::send_cert_error_alert(cx.common, err))?
770 };
771 cx.common.peer_certificates = Some(st.server_cert.cert_chain);
772
773 // 4.
774 if let Some(client_auth) = &mut st.client_auth {
775 if let Some(cert_key) = &client_auth.certkey {
776 emit_certificate(&mut st.transcript, cert_key.cert.clone(), cx.common);
777 } else {
778 emit_certificate(&mut st.transcript, Vec::new(), cx.common);
779 }
780 }
781
782 // 5a.
783 let ecdh_params =
784 tls12::decode_ecdh_params::<ServerECDHParams>(cx.common, &st.server_kx.kx_params)?;
785 let group =
786 kx::KeyExchange::choose(ecdh_params.curve_params.named_group, &st.config.kx_groups)
787 .ok_or_else(|| {
788 Error::PeerMisbehavedError("peer chose an unsupported group".to_string())
789 })?;
790 let kx = kx::KeyExchange::start(group).ok_or(Error::FailedToGetRandomBytes)?;
791 let kxd = tls12::complete_ecdh(kx, &ecdh_params.public.0)?;
792
793 // 5b.
794 emit_clientkx(&mut st.transcript, cx.common, &kxd);
795 // nb. EMS handshake hash only runs up to ClientKeyExchange.
796 let handshake_hash = st.transcript.get_current_hash();
797
798 // 5c.
799 if let Some(client_auth) = &mut st.client_auth {
800 emit_certverify(&mut st.transcript, client_auth, cx.common)?;
801 }
802
803 // 5d.
804 emit_ccs(cx.common);
805
806 // 5e. Now commit secrets.
807 let secrets = if st.using_ems {
808 ConnectionSecrets::new_ems(&st.randoms, &handshake_hash, suite, &kxd.shared_secret)
809 } else {
810 ConnectionSecrets::new(&st.randoms, suite, &kxd.shared_secret)
811 };
812 st.config.key_log.log(
813 "CLIENT_RANDOM",
814 &secrets.randoms.client,
815 &secrets.master_secret,
816 );
817 cx.common
818 .start_encryption_tls12(&secrets);
819 cx.common
820 .record_layer
821 .start_encrypting();
822
823 // 6.
824 emit_finished(&secrets, &mut st.transcript, cx.common);
825
826 if st.must_issue_new_ticket {
827 Ok(Box::new(ExpectNewTicket {
828 config: st.config,
829 secrets,
830 resuming_session: st.resuming_session,
831 session_id: st.session_id,
832 server_name: st.server_name,
833 using_ems: st.using_ems,
834 transcript: st.transcript,
835 resuming: false,
836 cert_verified,
837 sig_verified,
838 }))
839 } else {
840 Ok(Box::new(ExpectCcs {
841 config: st.config,
842 secrets,
843 resuming_session: st.resuming_session,
844 session_id: st.session_id,
845 server_name: st.server_name,
846 using_ems: st.using_ems,
847 transcript: st.transcript,
848 ticket: None,
849 resuming: false,
850 cert_verified,
851 sig_verified,
852 }))
853 }
854 }
855 }
856
857 struct ExpectNewTicket {
858 config: Arc<ClientConfig>,
859 secrets: ConnectionSecrets,
860 resuming_session: Option<persist::Tls12ClientSessionValue>,
861 session_id: SessionID,
862 server_name: ServerName,
863 using_ems: bool,
864 transcript: HandshakeHash,
865 resuming: bool,
866 cert_verified: verify::ServerCertVerified,
867 sig_verified: verify::HandshakeSignatureValid,
868 }
869
870 impl State<ClientConnectionData> for ExpectNewTicket {
handle( mut self: Box<Self>, _cx: &mut ClientContext<'_>, m: Message, ) -> hs::NextStateOrError871 fn handle(
872 mut self: Box<Self>,
873 _cx: &mut ClientContext<'_>,
874 m: Message,
875 ) -> hs::NextStateOrError {
876 self.transcript.add_message(&m);
877
878 let nst = require_handshake_msg_move!(
879 m,
880 HandshakeType::NewSessionTicket,
881 HandshakePayload::NewSessionTicket
882 )?;
883
884 Ok(Box::new(ExpectCcs {
885 config: self.config,
886 secrets: self.secrets,
887 resuming_session: self.resuming_session,
888 session_id: self.session_id,
889 server_name: self.server_name,
890 using_ems: self.using_ems,
891 transcript: self.transcript,
892 ticket: Some(nst),
893 resuming: self.resuming,
894 cert_verified: self.cert_verified,
895 sig_verified: self.sig_verified,
896 }))
897 }
898 }
899
900 // -- Waiting for their CCS --
901 struct ExpectCcs {
902 config: Arc<ClientConfig>,
903 secrets: ConnectionSecrets,
904 resuming_session: Option<persist::Tls12ClientSessionValue>,
905 session_id: SessionID,
906 server_name: ServerName,
907 using_ems: bool,
908 transcript: HandshakeHash,
909 ticket: Option<NewSessionTicketPayload>,
910 resuming: bool,
911 cert_verified: verify::ServerCertVerified,
912 sig_verified: verify::HandshakeSignatureValid,
913 }
914
915 impl State<ClientConnectionData> for ExpectCcs {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError916 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
917 check_message(&m, &[ContentType::ChangeCipherSpec], &[])?;
918 // CCS should not be received interleaved with fragmented handshake-level
919 // message.
920 cx.common.check_aligned_handshake()?;
921
922 // nb. msgs layer validates trivial contents of CCS
923 cx.common
924 .record_layer
925 .start_decrypting();
926
927 Ok(Box::new(ExpectFinished {
928 config: self.config,
929 secrets: self.secrets,
930 resuming_session: self.resuming_session,
931 session_id: self.session_id,
932 server_name: self.server_name,
933 using_ems: self.using_ems,
934 transcript: self.transcript,
935 ticket: self.ticket,
936 resuming: self.resuming,
937 cert_verified: self.cert_verified,
938 sig_verified: self.sig_verified,
939 }))
940 }
941 }
942
943 struct ExpectFinished {
944 config: Arc<ClientConfig>,
945 resuming_session: Option<persist::Tls12ClientSessionValue>,
946 session_id: SessionID,
947 server_name: ServerName,
948 using_ems: bool,
949 transcript: HandshakeHash,
950 ticket: Option<NewSessionTicketPayload>,
951 secrets: ConnectionSecrets,
952 resuming: bool,
953 cert_verified: verify::ServerCertVerified,
954 sig_verified: verify::HandshakeSignatureValid,
955 }
956
957 impl ExpectFinished {
958 // -- Waiting for their finished --
save_session(&mut self, cx: &mut ClientContext<'_>)959 fn save_session(&mut self, cx: &mut ClientContext<'_>) {
960 // Save a ticket. If we got a new ticket, save that. Otherwise, save the
961 // original ticket again.
962 let (mut ticket, lifetime) = match self.ticket.take() {
963 Some(nst) => (nst.ticket.0, nst.lifetime_hint),
964 None => (Vec::new(), 0),
965 };
966
967 if ticket.is_empty() {
968 if let Some(resuming_session) = &mut self.resuming_session {
969 ticket = resuming_session.take_ticket();
970 }
971 }
972
973 if self.session_id.is_empty() && ticket.is_empty() {
974 debug!("Session not saved: server didn't allocate id or ticket");
975 return;
976 }
977
978 let time_now = match TimeBase::now() {
979 Ok(time_now) => time_now,
980 Err(e) => {
981 debug!("Session not saved: {}", e);
982 return;
983 }
984 };
985
986 let key = persist::ClientSessionKey::session_for_server_name(&self.server_name);
987 let value = persist::Tls12ClientSessionValue::new(
988 self.secrets.suite(),
989 self.session_id,
990 ticket,
991 self.secrets.get_master_secret(),
992 cx.common
993 .peer_certificates
994 .clone()
995 .unwrap_or_default(),
996 time_now,
997 lifetime,
998 self.using_ems,
999 );
1000
1001 let worked = self
1002 .config
1003 .session_storage
1004 .put(key.get_encoding(), value.get_encoding());
1005
1006 if worked {
1007 debug!("Session saved");
1008 } else {
1009 debug!("Session not saved");
1010 }
1011 }
1012 }
1013
1014 impl State<ClientConnectionData> for ExpectFinished {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError1015 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
1016 let mut st = *self;
1017 let finished =
1018 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
1019
1020 cx.common.check_aligned_handshake()?;
1021
1022 // Work out what verify_data we expect.
1023 let vh = st.transcript.get_current_hash();
1024 let expect_verify_data = st.secrets.server_verify_data(&vh);
1025
1026 // Constant-time verification of this is relatively unimportant: they only
1027 // get one chance. But it can't hurt.
1028 let _fin_verified =
1029 constant_time::verify_slices_are_equal(&expect_verify_data, &finished.0)
1030 .map_err(|_| {
1031 cx.common
1032 .send_fatal_alert(AlertDescription::DecryptError);
1033 Error::DecryptError
1034 })
1035 .map(|_| verify::FinishedMessageVerified::assertion())?;
1036
1037 // Hash this message too.
1038 st.transcript.add_message(&m);
1039
1040 st.save_session(cx);
1041
1042 if st.resuming {
1043 emit_ccs(cx.common);
1044 cx.common
1045 .record_layer
1046 .start_encrypting();
1047 emit_finished(&st.secrets, &mut st.transcript, cx.common);
1048 }
1049
1050 cx.common.start_traffic();
1051 Ok(Box::new(ExpectTraffic {
1052 secrets: st.secrets,
1053 _cert_verified: st.cert_verified,
1054 _sig_verified: st.sig_verified,
1055 _fin_verified,
1056 }))
1057 }
1058 }
1059
1060 // -- Traffic transit state --
1061 struct ExpectTraffic {
1062 secrets: ConnectionSecrets,
1063 _cert_verified: verify::ServerCertVerified,
1064 _sig_verified: verify::HandshakeSignatureValid,
1065 _fin_verified: verify::FinishedMessageVerified,
1066 }
1067
1068 impl State<ClientConnectionData> for ExpectTraffic {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError1069 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
1070 match m.payload {
1071 MessagePayload::ApplicationData(payload) => cx
1072 .common
1073 .take_received_plaintext(payload),
1074 _ => {
1075 return Err(inappropriate_message(&m, &[ContentType::ApplicationData]));
1076 }
1077 }
1078 Ok(self)
1079 }
1080
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), Error>1081 fn export_keying_material(
1082 &self,
1083 output: &mut [u8],
1084 label: &[u8],
1085 context: Option<&[u8]>,
1086 ) -> Result<(), Error> {
1087 self.secrets
1088 .export_keying_material(output, label, context);
1089 Ok(())
1090 }
1091 }
1092