1 use crate::check::{check_message, inappropriate_handshake_message, inappropriate_message};
2 use crate::conn::{CommonState, ConnectionRandoms, State};
3 use crate::error::Error;
4 use crate::hash_hs::{HandshakeHash, HandshakeHashBuffer};
5 use crate::kx;
6 #[cfg(feature = "logging")]
7 use crate::log::{debug, trace, warn};
8 use crate::msgs::base::{Payload, PayloadU8};
9 use crate::msgs::ccs::ChangeCipherSpecPayload;
10 use crate::msgs::codec::Codec;
11 use crate::msgs::enums::KeyUpdateRequest;
12 use crate::msgs::enums::{AlertDescription, NamedGroup, ProtocolVersion};
13 use crate::msgs::enums::{ContentType, ExtensionType, HandshakeType, SignatureScheme};
14 use crate::msgs::handshake::ClientExtension;
15 use crate::msgs::handshake::DigitallySignedStruct;
16 use crate::msgs::handshake::EncryptedExtensions;
17 use crate::msgs::handshake::NewSessionTicketPayloadTLS13;
18 use crate::msgs::handshake::{CertificateEntry, CertificatePayloadTLS13};
19 use crate::msgs::handshake::{HandshakeMessagePayload, HandshakePayload};
20 use crate::msgs::handshake::{HasServerExtensions, ServerHelloPayload};
21 use crate::msgs::handshake::{PresharedKeyIdentity, PresharedKeyOffer};
22 use crate::msgs::message::{Message, MessagePayload};
23 use crate::msgs::persist;
24 use crate::tls13::key_schedule::{
25 KeyScheduleEarly, KeyScheduleHandshake, KeyScheduleNonSecret, KeyScheduleTraffic,
26 };
27 use crate::tls13::Tls13CipherSuite;
28 use crate::verify;
29 #[cfg(feature = "quic")]
30 use crate::{conn::Protocol, msgs::base::PayloadU16, quic};
31 use crate::{sign, KeyLog};
32
33 use super::client_conn::ClientConnectionData;
34 use super::hs::ClientContext;
35 use crate::client::common::ServerCertDetails;
36 use crate::client::common::{ClientAuthDetails, ClientHelloDetails};
37 use crate::client::{hs, ClientConfig, ServerName};
38
39 use crate::ticketer::TimeBase;
40 use ring::constant_time;
41
42 use std::sync::Arc;
43
44 // Extensions we expect in plaintext in the ServerHello.
45 static ALLOWED_PLAINTEXT_EXTS: &[ExtensionType] = &[
46 ExtensionType::KeyShare,
47 ExtensionType::PreSharedKey,
48 ExtensionType::SupportedVersions,
49 ];
50
51 // Only the intersection of things we offer, and those disallowed
52 // in TLS1.3
53 static DISALLOWED_TLS13_EXTS: &[ExtensionType] = &[
54 ExtensionType::ECPointFormats,
55 ExtensionType::SessionTicket,
56 ExtensionType::RenegotiationInfo,
57 ExtensionType::ExtendedMasterSecret,
58 ];
59
handle_server_hello( config: Arc<ClientConfig>, cx: &mut ClientContext, server_hello: &ServerHelloPayload, mut resuming_session: Option<persist::Tls13ClientSessionValue>, server_name: ServerName, randoms: ConnectionRandoms, suite: &'static Tls13CipherSuite, transcript: HandshakeHash, early_key_schedule: Option<KeyScheduleEarly>, hello: ClientHelloDetails, our_key_share: kx::KeyExchange, mut sent_tls13_fake_ccs: bool, ) -> hs::NextStateOrError60 pub(super) fn handle_server_hello(
61 config: Arc<ClientConfig>,
62 cx: &mut ClientContext,
63 server_hello: &ServerHelloPayload,
64 mut resuming_session: Option<persist::Tls13ClientSessionValue>,
65 server_name: ServerName,
66 randoms: ConnectionRandoms,
67 suite: &'static Tls13CipherSuite,
68 transcript: HandshakeHash,
69 early_key_schedule: Option<KeyScheduleEarly>,
70 hello: ClientHelloDetails,
71 our_key_share: kx::KeyExchange,
72 mut sent_tls13_fake_ccs: bool,
73 ) -> hs::NextStateOrError {
74 validate_server_hello(cx.common, server_hello)?;
75
76 let their_key_share = server_hello
77 .get_key_share()
78 .ok_or_else(|| {
79 cx.common
80 .send_fatal_alert(AlertDescription::MissingExtension);
81 Error::PeerMisbehavedError("missing key share".to_string())
82 })?;
83
84 if our_key_share.group() != their_key_share.group {
85 return Err(cx
86 .common
87 .illegal_param("wrong group for key share"));
88 }
89
90 let shared = our_key_share
91 .complete(&their_key_share.payload.0)
92 .ok_or_else(|| Error::PeerMisbehavedError("key exchange failed".to_string()))?;
93
94 let key_schedule = if let (Some(selected_psk), Some(early_key_schedule)) =
95 (server_hello.get_psk_index(), early_key_schedule)
96 {
97 if let Some(ref resuming) = resuming_session {
98 let resuming_suite = match suite.can_resume_from(resuming.suite()) {
99 Some(resuming) => resuming,
100 None => {
101 return Err(cx
102 .common
103 .illegal_param("server resuming incompatible suite"));
104 }
105 };
106
107 // If the server varies the suite here, we will have encrypted early data with
108 // the wrong suite.
109 if cx.data.early_data.is_enabled() && resuming_suite != suite {
110 return Err(cx
111 .common
112 .illegal_param("server varied suite with early data"));
113 }
114
115 if selected_psk != 0 {
116 return Err(cx
117 .common
118 .illegal_param("server selected invalid psk"));
119 }
120
121 debug!("Resuming using PSK");
122 // The key schedule has been initialized and set in fill_in_psk_binder()
123 } else {
124 return Err(Error::PeerMisbehavedError(
125 "server selected unoffered psk".to_string(),
126 ));
127 }
128 early_key_schedule.into_handshake(&shared.shared_secret)
129 } else {
130 debug!("Not resuming");
131 // Discard the early data key schedule.
132 cx.data.early_data.rejected();
133 cx.common.early_traffic = false;
134 resuming_session.take();
135 KeyScheduleNonSecret::new(suite.hkdf_algorithm).into_handshake(&shared.shared_secret)
136 };
137
138 // Remember what KX group the server liked for next time.
139 save_kx_hint(&config, &server_name, their_key_share.group);
140
141 // If we change keying when a subsequent handshake message is being joined,
142 // the two halves will have different record layer protections. Disallow this.
143 cx.common.check_aligned_handshake()?;
144
145 let hash_at_client_recvd_server_hello = transcript.get_current_hash();
146
147 let (key_schedule, client_key, server_key) = key_schedule.derive_handshake_secrets(
148 hash_at_client_recvd_server_hello,
149 &*config.key_log,
150 &randoms.client,
151 );
152
153 // Decrypt with the peer's key, encrypt with our own key
154 cx.common
155 .record_layer
156 .set_message_decrypter(suite.derive_decrypter(&server_key));
157
158 if !cx.data.early_data.is_enabled() {
159 // Set the client encryption key for handshakes if early data is not used
160 cx.common
161 .record_layer
162 .set_message_encrypter(suite.derive_encrypter(&client_key));
163 }
164
165 #[cfg(feature = "quic")]
166 {
167 cx.common.quic.hs_secrets = Some(quic::Secrets::new(client_key, server_key, suite, true));
168 }
169
170 emit_fake_ccs(&mut sent_tls13_fake_ccs, cx.common);
171
172 Ok(Box::new(ExpectEncryptedExtensions {
173 config,
174 resuming_session,
175 server_name,
176 randoms,
177 suite,
178 transcript,
179 key_schedule,
180 hello,
181 }))
182 }
183
validate_server_hello( common: &mut CommonState, server_hello: &ServerHelloPayload, ) -> Result<(), Error>184 fn validate_server_hello(
185 common: &mut CommonState,
186 server_hello: &ServerHelloPayload,
187 ) -> Result<(), Error> {
188 for ext in &server_hello.extensions {
189 if !ALLOWED_PLAINTEXT_EXTS.contains(&ext.get_type()) {
190 common.send_fatal_alert(AlertDescription::UnsupportedExtension);
191 return Err(Error::PeerMisbehavedError(
192 "server sent unexpected cleartext ext".to_string(),
193 ));
194 }
195 }
196
197 Ok(())
198 }
199
initial_key_share( config: &ClientConfig, server_name: &ServerName, ) -> Result<kx::KeyExchange, Error>200 pub(super) fn initial_key_share(
201 config: &ClientConfig,
202 server_name: &ServerName,
203 ) -> Result<kx::KeyExchange, Error> {
204 let key = persist::ClientSessionKey::hint_for_server_name(server_name);
205 let key_buf = key.get_encoding();
206
207 let maybe_value = config.session_storage.get(&key_buf);
208
209 let group = maybe_value
210 .and_then(|enc| NamedGroup::read_bytes(&enc))
211 .and_then(|group| kx::KeyExchange::choose(group, &config.kx_groups))
212 .unwrap_or_else(|| {
213 config
214 .kx_groups
215 .first()
216 .expect("No kx groups configured")
217 });
218
219 kx::KeyExchange::start(group).ok_or(Error::FailedToGetRandomBytes)
220 }
221
save_kx_hint(config: &ClientConfig, server_name: &ServerName, group: NamedGroup)222 fn save_kx_hint(config: &ClientConfig, server_name: &ServerName, group: NamedGroup) {
223 let key = persist::ClientSessionKey::hint_for_server_name(server_name);
224
225 config
226 .session_storage
227 .put(key.get_encoding(), group.get_encoding());
228 }
229
230 /// This implements the horrifying TLS1.3 hack where PSK binders have a
231 /// data dependency on the message they are contained within.
fill_in_psk_binder( resuming: &persist::Tls13ClientSessionValue, transcript: &HandshakeHashBuffer, hmp: &mut HandshakeMessagePayload, ) -> KeyScheduleEarly232 pub(super) fn fill_in_psk_binder(
233 resuming: &persist::Tls13ClientSessionValue,
234 transcript: &HandshakeHashBuffer,
235 hmp: &mut HandshakeMessagePayload,
236 ) -> KeyScheduleEarly {
237 // We need to know the hash function of the suite we're trying to resume into.
238 let hkdf_alg = resuming.suite().hkdf_algorithm;
239 let suite_hash = resuming.suite().hash_algorithm();
240
241 // The binder is calculated over the clienthello, but doesn't include itself or its
242 // length, or the length of its container.
243 let binder_plaintext = hmp.get_encoding_for_binder_signing();
244 let handshake_hash = transcript.get_hash_given(suite_hash, &binder_plaintext);
245
246 // Run a fake key_schedule to simulate what the server will do if it chooses
247 // to resume.
248 let key_schedule = KeyScheduleEarly::new(hkdf_alg, resuming.secret());
249 let real_binder = key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
250
251 if let HandshakePayload::ClientHello(ref mut ch) = hmp.payload {
252 ch.set_psk_binder(real_binder.as_ref());
253 };
254
255 key_schedule
256 }
257
prepare_resumption( config: &ClientConfig, cx: &mut ClientContext<'_>, ticket: Vec<u8>, resuming_session: &persist::Retrieved<&persist::Tls13ClientSessionValue>, exts: &mut Vec<ClientExtension>, doing_retry: bool, )258 pub(super) fn prepare_resumption(
259 config: &ClientConfig,
260 cx: &mut ClientContext<'_>,
261 ticket: Vec<u8>,
262 resuming_session: &persist::Retrieved<&persist::Tls13ClientSessionValue>,
263 exts: &mut Vec<ClientExtension>,
264 doing_retry: bool,
265 ) {
266 let resuming_suite = resuming_session.suite();
267 cx.common.suite = Some(resuming_suite.into());
268 cx.data.resumption_ciphersuite = Some(resuming_suite.into());
269 // The EarlyData extension MUST be supplied together with the
270 // PreSharedKey extension.
271 let max_early_data_size = resuming_session.max_early_data_size();
272 if config.enable_early_data && max_early_data_size > 0 && !doing_retry {
273 cx.data
274 .early_data
275 .enable(max_early_data_size as usize);
276 exts.push(ClientExtension::EarlyData);
277 }
278
279 // Finally, and only for TLS1.3 with a ticket resumption, include a binder
280 // for our ticket. This must go last.
281 //
282 // Include an empty binder. It gets filled in below because it depends on
283 // the message it's contained in (!!!).
284 let obfuscated_ticket_age = resuming_session.obfuscated_ticket_age();
285
286 let binder_len = resuming_suite
287 .hash_algorithm()
288 .output_len;
289 let binder = vec![0u8; binder_len];
290
291 let psk_identity = PresharedKeyIdentity::new(ticket, obfuscated_ticket_age);
292 let psk_ext = PresharedKeyOffer::new(psk_identity, binder);
293 exts.push(ClientExtension::PresharedKey(psk_ext));
294 }
295
derive_early_traffic_secret( key_log: &dyn KeyLog, cx: &mut ClientContext<'_>, resuming_suite: &'static Tls13CipherSuite, early_key_schedule: &KeyScheduleEarly, sent_tls13_fake_ccs: &mut bool, transcript_buffer: &HandshakeHashBuffer, client_random: &[u8; 32], )296 pub(super) fn derive_early_traffic_secret(
297 key_log: &dyn KeyLog,
298 cx: &mut ClientContext<'_>,
299 resuming_suite: &'static Tls13CipherSuite,
300 early_key_schedule: &KeyScheduleEarly,
301 sent_tls13_fake_ccs: &mut bool,
302 transcript_buffer: &HandshakeHashBuffer,
303 client_random: &[u8; 32],
304 ) {
305 // For middlebox compatibility
306 emit_fake_ccs(sent_tls13_fake_ccs, cx.common);
307
308 let client_hello_hash = transcript_buffer.get_hash_given(resuming_suite.hash_algorithm(), &[]);
309 let client_early_traffic_secret =
310 early_key_schedule.client_early_traffic_secret(&client_hello_hash, key_log, client_random);
311 // Set early data encryption key
312 cx.common
313 .record_layer
314 .set_message_encrypter(resuming_suite.derive_encrypter(&client_early_traffic_secret));
315
316 #[cfg(feature = "quic")]
317 {
318 cx.common.quic.early_secret = Some(client_early_traffic_secret);
319 }
320
321 // Now the client can send encrypted early data
322 cx.common.early_traffic = true;
323 trace!("Starting early data traffic");
324 }
325
emit_fake_ccs(sent_tls13_fake_ccs: &mut bool, common: &mut CommonState)326 pub(super) fn emit_fake_ccs(sent_tls13_fake_ccs: &mut bool, common: &mut CommonState) {
327 if common.is_quic() {
328 return;
329 }
330
331 if std::mem::replace(sent_tls13_fake_ccs, true) {
332 return;
333 }
334
335 let m = Message {
336 version: ProtocolVersion::TLSv1_2,
337 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
338 };
339 common.send_msg(m, false);
340 }
341
validate_encrypted_extensions( common: &mut CommonState, hello: &ClientHelloDetails, exts: &EncryptedExtensions, ) -> Result<(), Error>342 fn validate_encrypted_extensions(
343 common: &mut CommonState,
344 hello: &ClientHelloDetails,
345 exts: &EncryptedExtensions,
346 ) -> Result<(), Error> {
347 if exts.has_duplicate_extension() {
348 common.send_fatal_alert(AlertDescription::DecodeError);
349 return Err(Error::PeerMisbehavedError(
350 "server sent duplicate encrypted extensions".to_string(),
351 ));
352 }
353
354 if hello.server_sent_unsolicited_extensions(exts, &[]) {
355 common.send_fatal_alert(AlertDescription::UnsupportedExtension);
356 let msg = "server sent unsolicited encrypted extension".to_string();
357 return Err(Error::PeerMisbehavedError(msg));
358 }
359
360 for ext in exts {
361 if ALLOWED_PLAINTEXT_EXTS.contains(&ext.get_type())
362 || DISALLOWED_TLS13_EXTS.contains(&ext.get_type())
363 {
364 common.send_fatal_alert(AlertDescription::UnsupportedExtension);
365 let msg = "server sent inappropriate encrypted extension".to_string();
366 return Err(Error::PeerMisbehavedError(msg));
367 }
368 }
369
370 Ok(())
371 }
372
373 struct ExpectEncryptedExtensions {
374 config: Arc<ClientConfig>,
375 resuming_session: Option<persist::Tls13ClientSessionValue>,
376 server_name: ServerName,
377 randoms: ConnectionRandoms,
378 suite: &'static Tls13CipherSuite,
379 transcript: HandshakeHash,
380 key_schedule: KeyScheduleHandshake,
381 hello: ClientHelloDetails,
382 }
383
384 impl State<ClientConnectionData> for ExpectEncryptedExtensions {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError385 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
386 let exts = require_handshake_msg!(
387 m,
388 HandshakeType::EncryptedExtensions,
389 HandshakePayload::EncryptedExtensions
390 )?;
391 debug!("TLS1.3 encrypted extensions: {:?}", exts);
392 self.transcript.add_message(&m);
393
394 validate_encrypted_extensions(cx.common, &self.hello, exts)?;
395 hs::process_alpn_protocol(cx, &self.config, exts.get_alpn_protocol())?;
396
397 #[cfg(feature = "quic")]
398 {
399 // QUIC transport parameters
400 if cx.common.is_quic() {
401 match exts.get_quic_params_extension() {
402 Some(params) => cx.common.quic.params = Some(params),
403 None => {
404 return Err(cx
405 .common
406 .missing_extension("QUIC transport parameters not found"));
407 }
408 }
409 }
410 }
411
412 if let Some(resuming_session) = self.resuming_session {
413 let was_early_traffic = cx.common.early_traffic;
414 if was_early_traffic {
415 if exts.early_data_extension_offered() {
416 cx.data.early_data.accepted();
417 } else {
418 cx.data.early_data.rejected();
419 cx.common.early_traffic = false;
420 }
421 }
422
423 if was_early_traffic && !cx.common.early_traffic {
424 // If no early traffic, set the encryption key for handshakes
425 cx.common
426 .record_layer
427 .set_message_encrypter(
428 self.suite
429 .derive_encrypter(self.key_schedule.client_key()),
430 );
431 }
432
433 cx.common.peer_certificates = Some(
434 resuming_session
435 .server_cert_chain()
436 .to_vec(),
437 );
438
439 // We *don't* reverify the certificate chain here: resumption is a
440 // continuation of the previous session in terms of security policy.
441 let cert_verified = verify::ServerCertVerified::assertion();
442 let sig_verified = verify::HandshakeSignatureValid::assertion();
443 Ok(Box::new(ExpectFinished {
444 config: self.config,
445 server_name: self.server_name,
446 randoms: self.randoms,
447 suite: self.suite,
448 transcript: self.transcript,
449 key_schedule: self.key_schedule,
450 client_auth: None,
451 cert_verified,
452 sig_verified,
453 }))
454 } else {
455 if exts.early_data_extension_offered() {
456 let msg = "server sent early data extension without resumption".to_string();
457 return Err(Error::PeerMisbehavedError(msg));
458 }
459 Ok(Box::new(ExpectCertificateOrCertReq {
460 config: self.config,
461 server_name: self.server_name,
462 randoms: self.randoms,
463 suite: self.suite,
464 transcript: self.transcript,
465 key_schedule: self.key_schedule,
466 may_send_sct_list: self.hello.server_may_send_sct_list(),
467 }))
468 }
469 }
470 }
471
472 struct ExpectCertificateOrCertReq {
473 config: Arc<ClientConfig>,
474 server_name: ServerName,
475 randoms: ConnectionRandoms,
476 suite: &'static Tls13CipherSuite,
477 transcript: HandshakeHash,
478 key_schedule: KeyScheduleHandshake,
479 may_send_sct_list: bool,
480 }
481
482 impl State<ClientConnectionData> for ExpectCertificateOrCertReq {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError483 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
484 check_message(
485 &m,
486 &[ContentType::Handshake],
487 &[
488 HandshakeType::Certificate,
489 HandshakeType::CertificateRequest,
490 ],
491 )?;
492 if m.is_handshake_type(HandshakeType::Certificate) {
493 Box::new(ExpectCertificate {
494 config: self.config,
495 server_name: self.server_name,
496 randoms: self.randoms,
497 suite: self.suite,
498 transcript: self.transcript,
499 key_schedule: self.key_schedule,
500 may_send_sct_list: self.may_send_sct_list,
501 client_auth: None,
502 })
503 .handle(cx, m)
504 } else {
505 Box::new(ExpectCertificateRequest {
506 config: self.config,
507 server_name: self.server_name,
508 randoms: self.randoms,
509 suite: self.suite,
510 transcript: self.transcript,
511 key_schedule: self.key_schedule,
512 may_send_sct_list: self.may_send_sct_list,
513 })
514 .handle(cx, m)
515 }
516 }
517 }
518
519 // TLS1.3 version of CertificateRequest handling. We then move to expecting the server
520 // Certificate. Unfortunately the CertificateRequest type changed in an annoying way
521 // in TLS1.3.
522 struct ExpectCertificateRequest {
523 config: Arc<ClientConfig>,
524 server_name: ServerName,
525 randoms: ConnectionRandoms,
526 suite: &'static Tls13CipherSuite,
527 transcript: HandshakeHash,
528 key_schedule: KeyScheduleHandshake,
529 may_send_sct_list: bool,
530 }
531
532 impl State<ClientConnectionData> for ExpectCertificateRequest {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError533 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
534 let certreq = &require_handshake_msg!(
535 m,
536 HandshakeType::CertificateRequest,
537 HandshakePayload::CertificateRequestTLS13
538 )?;
539 self.transcript.add_message(&m);
540 debug!("Got CertificateRequest {:?}", certreq);
541
542 // Fortunately the problems here in TLS1.2 and prior are corrected in
543 // TLS1.3.
544
545 // Must be empty during handshake.
546 if !certreq.context.0.is_empty() {
547 warn!("Server sent non-empty certreq context");
548 cx.common
549 .send_fatal_alert(AlertDescription::DecodeError);
550 return Err(Error::CorruptMessagePayload(ContentType::Handshake));
551 }
552
553 let tls13_sign_schemes = sign::supported_sign_tls13();
554 let no_sigschemes = Vec::new();
555 let compat_sigschemes = certreq
556 .get_sigalgs_extension()
557 .unwrap_or(&no_sigschemes)
558 .iter()
559 .cloned()
560 .filter(|scheme| tls13_sign_schemes.contains(scheme))
561 .collect::<Vec<SignatureScheme>>();
562
563 if compat_sigschemes.is_empty() {
564 cx.common
565 .send_fatal_alert(AlertDescription::HandshakeFailure);
566 return Err(Error::PeerIncompatibleError(
567 "server sent bad certreq schemes".to_string(),
568 ));
569 }
570
571 let no_canames = Vec::new();
572 let canames = certreq
573 .get_authorities_extension()
574 .unwrap_or(&no_canames)
575 .iter()
576 .map(|p| p.0.as_slice())
577 .collect::<Vec<&[u8]>>();
578 let maybe_certkey = self
579 .config
580 .client_auth_cert_resolver
581 .resolve(&canames, &compat_sigschemes);
582
583 let mut client_auth = ClientAuthDetails::new();
584 if let Some(certkey) = maybe_certkey {
585 debug!("Attempting client auth");
586 let maybe_signer = certkey
587 .key
588 .choose_scheme(&compat_sigschemes);
589 client_auth.certkey = Some(certkey);
590 client_auth.signer = maybe_signer;
591 client_auth.auth_context = Some(certreq.context.0.clone());
592 } else {
593 debug!("Client auth requested but no cert selected");
594 }
595
596 Ok(Box::new(ExpectCertificate {
597 config: self.config,
598 server_name: self.server_name,
599 randoms: self.randoms,
600 suite: self.suite,
601 transcript: self.transcript,
602 key_schedule: self.key_schedule,
603 may_send_sct_list: self.may_send_sct_list,
604 client_auth: Some(client_auth),
605 }))
606 }
607 }
608
609 struct ExpectCertificate {
610 config: Arc<ClientConfig>,
611 server_name: ServerName,
612 randoms: ConnectionRandoms,
613 suite: &'static Tls13CipherSuite,
614 transcript: HandshakeHash,
615 key_schedule: KeyScheduleHandshake,
616 may_send_sct_list: bool,
617 client_auth: Option<ClientAuthDetails>,
618 }
619
620 impl State<ClientConnectionData> for ExpectCertificate {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError621 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
622 let cert_chain = require_handshake_msg!(
623 m,
624 HandshakeType::Certificate,
625 HandshakePayload::CertificateTLS13
626 )?;
627 self.transcript.add_message(&m);
628
629 // This is only non-empty for client auth.
630 if !cert_chain.context.0.is_empty() {
631 warn!("certificate with non-empty context during handshake");
632 cx.common
633 .send_fatal_alert(AlertDescription::DecodeError);
634 return Err(Error::CorruptMessagePayload(ContentType::Handshake));
635 }
636
637 if cert_chain.any_entry_has_duplicate_extension()
638 || cert_chain.any_entry_has_unknown_extension()
639 {
640 warn!("certificate chain contains unsolicited/unknown extension");
641 cx.common
642 .send_fatal_alert(AlertDescription::UnsupportedExtension);
643 return Err(Error::PeerMisbehavedError(
644 "bad cert chain extensions".to_string(),
645 ));
646 }
647
648 let server_cert = ServerCertDetails::new(
649 cert_chain.convert(),
650 cert_chain.get_end_entity_ocsp(),
651 cert_chain.get_end_entity_scts(),
652 );
653
654 if let Some(sct_list) = server_cert.scts.as_ref() {
655 if hs::sct_list_is_invalid(sct_list) {
656 let error_msg = "server sent invalid SCT list".to_string();
657 return Err(Error::PeerMisbehavedError(error_msg));
658 }
659
660 if !self.may_send_sct_list {
661 let error_msg = "server sent unsolicited SCT list".to_string();
662 return Err(Error::PeerMisbehavedError(error_msg));
663 }
664 }
665
666 Ok(Box::new(ExpectCertificateVerify {
667 config: self.config,
668 server_name: self.server_name,
669 randoms: self.randoms,
670 suite: self.suite,
671 transcript: self.transcript,
672 key_schedule: self.key_schedule,
673 server_cert,
674 client_auth: self.client_auth,
675 }))
676 }
677 }
678
679 // --- TLS1.3 CertificateVerify ---
680 struct ExpectCertificateVerify {
681 config: Arc<ClientConfig>,
682 server_name: ServerName,
683 randoms: ConnectionRandoms,
684 suite: &'static Tls13CipherSuite,
685 transcript: HandshakeHash,
686 key_schedule: KeyScheduleHandshake,
687 server_cert: ServerCertDetails,
688 client_auth: Option<ClientAuthDetails>,
689 }
690
691 impl State<ClientConnectionData> for ExpectCertificateVerify {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError692 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
693 let cert_verify = require_handshake_msg!(
694 m,
695 HandshakeType::CertificateVerify,
696 HandshakePayload::CertificateVerify
697 )?;
698
699 trace!("Server cert is {:?}", self.server_cert.cert_chain);
700
701 // 1. Verify the certificate chain.
702 let (end_entity, intermediates) = self
703 .server_cert
704 .cert_chain
705 .split_first()
706 .ok_or(Error::NoCertificatesPresented)?;
707 let now = std::time::SystemTime::now();
708 let cert_verified = self
709 .config
710 .verifier
711 .verify_server_cert(
712 end_entity,
713 intermediates,
714 &self.server_name,
715 &mut self.server_cert.scts(),
716 &self.server_cert.ocsp_response,
717 now,
718 )
719 .map_err(|err| hs::send_cert_error_alert(cx.common, err))?;
720
721 // 2. Verify their signature on the handshake.
722 let handshake_hash = self.transcript.get_current_hash();
723 let sig_verified = self
724 .config
725 .verifier
726 .verify_tls13_signature(
727 &verify::construct_tls13_server_verify_message(&handshake_hash),
728 &self.server_cert.cert_chain[0],
729 cert_verify,
730 )
731 .map_err(|err| hs::send_cert_error_alert(cx.common, err))?;
732
733 cx.common.peer_certificates = Some(self.server_cert.cert_chain);
734 self.transcript.add_message(&m);
735
736 Ok(Box::new(ExpectFinished {
737 config: self.config,
738 server_name: self.server_name,
739 randoms: self.randoms,
740 suite: self.suite,
741 transcript: self.transcript,
742 key_schedule: self.key_schedule,
743 client_auth: self.client_auth,
744 cert_verified,
745 sig_verified,
746 }))
747 }
748 }
749
emit_certificate_tls13( transcript: &mut HandshakeHash, client_auth: &mut ClientAuthDetails, common: &mut CommonState, )750 fn emit_certificate_tls13(
751 transcript: &mut HandshakeHash,
752 client_auth: &mut ClientAuthDetails,
753 common: &mut CommonState,
754 ) {
755 let context = client_auth
756 .auth_context
757 .take()
758 .unwrap_or_else(Vec::new);
759
760 let mut cert_payload = CertificatePayloadTLS13 {
761 context: PayloadU8::new(context),
762 entries: Vec::new(),
763 };
764
765 if let Some(cert_key) = &client_auth.certkey {
766 for cert in &cert_key.cert {
767 cert_payload
768 .entries
769 .push(CertificateEntry::new(cert.clone()));
770 }
771 }
772
773 let m = Message {
774 version: ProtocolVersion::TLSv1_3,
775 payload: MessagePayload::Handshake(HandshakeMessagePayload {
776 typ: HandshakeType::Certificate,
777 payload: HandshakePayload::CertificateTLS13(cert_payload),
778 }),
779 };
780 transcript.add_message(&m);
781 common.send_msg(m, true);
782 }
783
emit_certverify_tls13( transcript: &mut HandshakeHash, client_auth: &mut ClientAuthDetails, common: &mut CommonState, ) -> Result<(), Error>784 fn emit_certverify_tls13(
785 transcript: &mut HandshakeHash,
786 client_auth: &mut ClientAuthDetails,
787 common: &mut CommonState,
788 ) -> Result<(), Error> {
789 let signer = match client_auth.signer.take() {
790 Some(s) => s,
791 None => {
792 debug!("Skipping certverify message (no client scheme/key)");
793 return Ok(());
794 }
795 };
796
797 let message = verify::construct_tls13_client_verify_message(&transcript.get_current_hash());
798
799 let scheme = signer.scheme();
800 let sig = signer.sign(&message)?;
801 let dss = DigitallySignedStruct::new(scheme, sig);
802
803 let m = Message {
804 version: ProtocolVersion::TLSv1_3,
805 payload: MessagePayload::Handshake(HandshakeMessagePayload {
806 typ: HandshakeType::CertificateVerify,
807 payload: HandshakePayload::CertificateVerify(dss),
808 }),
809 };
810
811 transcript.add_message(&m);
812 common.send_msg(m, true);
813 Ok(())
814 }
815
emit_finished_tls13( transcript: &mut HandshakeHash, verify_data: ring::hmac::Tag, common: &mut CommonState, )816 fn emit_finished_tls13(
817 transcript: &mut HandshakeHash,
818 verify_data: ring::hmac::Tag,
819 common: &mut CommonState,
820 ) {
821 let verify_data_payload = Payload::new(verify_data.as_ref());
822
823 let m = Message {
824 version: ProtocolVersion::TLSv1_3,
825 payload: MessagePayload::Handshake(HandshakeMessagePayload {
826 typ: HandshakeType::Finished,
827 payload: HandshakePayload::Finished(verify_data_payload),
828 }),
829 };
830
831 transcript.add_message(&m);
832 common.send_msg(m, true);
833 }
834
emit_end_of_early_data_tls13(transcript: &mut HandshakeHash, common: &mut CommonState)835 fn emit_end_of_early_data_tls13(transcript: &mut HandshakeHash, common: &mut CommonState) {
836 if common.is_quic() {
837 return;
838 }
839
840 let m = Message {
841 version: ProtocolVersion::TLSv1_3,
842 payload: MessagePayload::Handshake(HandshakeMessagePayload {
843 typ: HandshakeType::EndOfEarlyData,
844 payload: HandshakePayload::EndOfEarlyData,
845 }),
846 };
847
848 transcript.add_message(&m);
849 common.send_msg(m, true);
850 }
851
852 struct ExpectFinished {
853 config: Arc<ClientConfig>,
854 server_name: ServerName,
855 randoms: ConnectionRandoms,
856 suite: &'static Tls13CipherSuite,
857 transcript: HandshakeHash,
858 key_schedule: KeyScheduleHandshake,
859 client_auth: Option<ClientAuthDetails>,
860 cert_verified: verify::ServerCertVerified,
861 sig_verified: verify::HandshakeSignatureValid,
862 }
863
864 impl State<ClientConnectionData> for ExpectFinished {
handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError865 fn handle(self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
866 let mut st = *self;
867 let finished =
868 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
869
870 let handshake_hash = st.transcript.get_current_hash();
871 let expect_verify_data = st
872 .key_schedule
873 .sign_server_finish(&handshake_hash);
874
875 let fin = constant_time::verify_slices_are_equal(expect_verify_data.as_ref(), &finished.0)
876 .map_err(|_| {
877 cx.common
878 .send_fatal_alert(AlertDescription::DecryptError);
879 Error::DecryptError
880 })
881 .map(|_| verify::FinishedMessageVerified::assertion())?;
882
883 st.transcript.add_message(&m);
884
885 let hash_after_handshake = st.transcript.get_current_hash();
886 /* The EndOfEarlyData message to server is still encrypted with early data keys,
887 * but appears in the transcript after the server Finished. */
888 if cx.common.early_traffic {
889 emit_end_of_early_data_tls13(&mut st.transcript, cx.common);
890 cx.common.early_traffic = false;
891 cx.data.early_data.finished();
892 cx.common
893 .record_layer
894 .set_message_encrypter(
895 st.suite
896 .derive_encrypter(st.key_schedule.client_key()),
897 );
898 }
899
900 /* Send our authentication/finished messages. These are still encrypted
901 * with our handshake keys. */
902 if let Some(client_auth) = &mut st.client_auth {
903 emit_certificate_tls13(&mut st.transcript, client_auth, cx.common);
904 emit_certverify_tls13(&mut st.transcript, client_auth, cx.common)?;
905 }
906
907 let (key_schedule_finished, client_key, server_key) = st
908 .key_schedule
909 .into_traffic_with_client_finished_pending(
910 hash_after_handshake,
911 &*st.config.key_log,
912 &st.randoms.client,
913 );
914 let handshake_hash = st.transcript.get_current_hash();
915 let (key_schedule_traffic, verify_data, _) =
916 key_schedule_finished.sign_client_finish(&handshake_hash);
917 emit_finished_tls13(&mut st.transcript, verify_data, cx.common);
918
919 /* Now move to our application traffic keys. */
920 cx.common.check_aligned_handshake()?;
921
922 cx.common
923 .record_layer
924 .set_message_decrypter(st.suite.derive_decrypter(&server_key));
925
926 cx.common
927 .record_layer
928 .set_message_encrypter(st.suite.derive_encrypter(&client_key));
929
930 cx.common.start_traffic();
931
932 let st = ExpectTraffic {
933 config: st.config,
934 server_name: st.server_name,
935 suite: st.suite,
936 transcript: st.transcript,
937 key_schedule: key_schedule_traffic,
938 want_write_key_update: false,
939 _cert_verified: st.cert_verified,
940 _sig_verified: st.sig_verified,
941 _fin_verified: fin,
942 };
943
944 #[cfg(feature = "quic")]
945 {
946 if cx.common.protocol == Protocol::Quic {
947 cx.common.quic.traffic_secrets =
948 Some(quic::Secrets::new(client_key, server_key, st.suite, true));
949 return Ok(Box::new(ExpectQuicTraffic(st)));
950 }
951 }
952
953 Ok(Box::new(st))
954 }
955 }
956
957 // -- Traffic transit state (TLS1.3) --
958 // In this state we can be sent tickets, key updates,
959 // and application data.
960 struct ExpectTraffic {
961 config: Arc<ClientConfig>,
962 server_name: ServerName,
963 suite: &'static Tls13CipherSuite,
964 transcript: HandshakeHash,
965 key_schedule: KeyScheduleTraffic,
966 want_write_key_update: bool,
967 _cert_verified: verify::ServerCertVerified,
968 _sig_verified: verify::HandshakeSignatureValid,
969 _fin_verified: verify::FinishedMessageVerified,
970 }
971
972 impl ExpectTraffic {
973 #[allow(clippy::unnecessary_wraps)] // returns Err for #[cfg(feature = "quic")]
handle_new_ticket_tls13( &mut self, cx: &mut ClientContext<'_>, nst: &NewSessionTicketPayloadTLS13, ) -> Result<(), Error>974 fn handle_new_ticket_tls13(
975 &mut self,
976 cx: &mut ClientContext<'_>,
977 nst: &NewSessionTicketPayloadTLS13,
978 ) -> Result<(), Error> {
979 let handshake_hash = self.transcript.get_current_hash();
980 let secret = self
981 .key_schedule
982 .resumption_master_secret_and_derive_ticket_psk(&handshake_hash, &nst.nonce.0);
983
984 let time_now = match TimeBase::now() {
985 Ok(t) => t,
986 #[allow(unused_variables)]
987 Err(e) => {
988 debug!("Session not saved: {}", e);
989 return Ok(());
990 }
991 };
992
993 let value = persist::Tls13ClientSessionValue::new(
994 self.suite,
995 nst.ticket.0.clone(),
996 secret,
997 cx.common
998 .peer_certificates
999 .clone()
1000 .unwrap_or_default(),
1001 time_now,
1002 nst.lifetime,
1003 nst.age_add,
1004 nst.get_max_early_data_size()
1005 .unwrap_or_default(),
1006 );
1007
1008 #[cfg(feature = "quic")]
1009 if let Some(sz) = nst.get_max_early_data_size() {
1010 if cx.common.protocol == Protocol::Quic && sz != 0 && sz != 0xffff_ffff {
1011 return Err(Error::PeerMisbehavedError(
1012 "invalid max_early_data_size".into(),
1013 ));
1014 }
1015 }
1016
1017 let key = persist::ClientSessionKey::session_for_server_name(&self.server_name);
1018 #[allow(unused_mut)]
1019 let mut ticket = value.get_encoding();
1020
1021 #[cfg(feature = "quic")]
1022 if let (Protocol::Quic, Some(ref quic_params)) =
1023 (cx.common.protocol, &cx.common.quic.params)
1024 {
1025 PayloadU16::encode_slice(quic_params, &mut ticket);
1026 }
1027
1028 let worked = self
1029 .config
1030 .session_storage
1031 .put(key.get_encoding(), ticket);
1032
1033 if worked {
1034 debug!("Ticket saved");
1035 } else {
1036 debug!("Ticket not saved");
1037 }
1038 Ok(())
1039 }
1040
handle_key_update( &mut self, common: &mut CommonState, kur: &KeyUpdateRequest, ) -> Result<(), Error>1041 fn handle_key_update(
1042 &mut self,
1043 common: &mut CommonState,
1044 kur: &KeyUpdateRequest,
1045 ) -> Result<(), Error> {
1046 #[cfg(feature = "quic")]
1047 {
1048 if let Protocol::Quic = common.protocol {
1049 common.send_fatal_alert(AlertDescription::UnexpectedMessage);
1050 let msg = "KeyUpdate received in QUIC connection".to_string();
1051 warn!("{}", msg);
1052 return Err(Error::PeerMisbehavedError(msg));
1053 }
1054 }
1055
1056 // Mustn't be interleaved with other handshake messages.
1057 common.check_aligned_handshake()?;
1058
1059 match kur {
1060 KeyUpdateRequest::UpdateNotRequested => {}
1061 KeyUpdateRequest::UpdateRequested => {
1062 self.want_write_key_update = true;
1063 }
1064 _ => {
1065 common.send_fatal_alert(AlertDescription::IllegalParameter);
1066 return Err(Error::CorruptMessagePayload(ContentType::Handshake));
1067 }
1068 }
1069
1070 // Update our read-side keys.
1071 let new_read_key = self
1072 .key_schedule
1073 .next_server_application_traffic_secret();
1074 common
1075 .record_layer
1076 .set_message_decrypter(
1077 self.suite
1078 .derive_decrypter(&new_read_key),
1079 );
1080
1081 Ok(())
1082 }
1083 }
1084
1085 impl State<ClientConnectionData> for ExpectTraffic {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError1086 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
1087 match m.payload {
1088 MessagePayload::ApplicationData(payload) => cx
1089 .common
1090 .take_received_plaintext(payload),
1091 MessagePayload::Handshake(payload) => match payload.payload {
1092 HandshakePayload::NewSessionTicketTLS13(new_ticket) => {
1093 self.handle_new_ticket_tls13(cx, &new_ticket)?
1094 }
1095 HandshakePayload::KeyUpdate(key_update) => {
1096 self.handle_key_update(cx.common, &key_update)?
1097 }
1098 _ => {
1099 return Err(inappropriate_handshake_message(
1100 &payload,
1101 &[HandshakeType::NewSessionTicket, HandshakeType::KeyUpdate],
1102 ));
1103 }
1104 },
1105 _ => {
1106 return Err(inappropriate_message(
1107 &m,
1108 &[ContentType::ApplicationData, ContentType::Handshake],
1109 ));
1110 }
1111 }
1112
1113 Ok(self)
1114 }
1115
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), Error>1116 fn export_keying_material(
1117 &self,
1118 output: &mut [u8],
1119 label: &[u8],
1120 context: Option<&[u8]>,
1121 ) -> Result<(), Error> {
1122 self.key_schedule
1123 .export_keying_material(output, label, context)
1124 }
1125
perhaps_write_key_update(&mut self, common: &mut CommonState)1126 fn perhaps_write_key_update(&mut self, common: &mut CommonState) {
1127 if self.want_write_key_update {
1128 self.want_write_key_update = false;
1129 common.send_msg_encrypt(Message::build_key_update_notify().into());
1130
1131 let write_key = self
1132 .key_schedule
1133 .next_client_application_traffic_secret();
1134 common
1135 .record_layer
1136 .set_message_encrypter(self.suite.derive_encrypter(&write_key));
1137 }
1138 }
1139 }
1140
1141 #[cfg(feature = "quic")]
1142 struct ExpectQuicTraffic(ExpectTraffic);
1143
1144 #[cfg(feature = "quic")]
1145 impl State<ClientConnectionData> for ExpectQuicTraffic {
handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError1146 fn handle(mut self: Box<Self>, cx: &mut ClientContext<'_>, m: Message) -> hs::NextStateOrError {
1147 let nst = require_handshake_msg!(
1148 m,
1149 HandshakeType::NewSessionTicket,
1150 HandshakePayload::NewSessionTicketTLS13
1151 )?;
1152 self.0
1153 .handle_new_ticket_tls13(cx, nst)?;
1154 Ok(self)
1155 }
1156
export_keying_material( &self, output: &mut [u8], label: &[u8], context: Option<&[u8]>, ) -> Result<(), Error>1157 fn export_keying_material(
1158 &self,
1159 output: &mut [u8],
1160 label: &[u8],
1161 context: Option<&[u8]>,
1162 ) -> Result<(), Error> {
1163 self.0
1164 .export_keying_material(output, label, context)
1165 }
1166 }
1167