rustls/server/
tls13.rs

Help
1use crate::check::inappropriate_handshake_message;
2#[cfg(feature = "quic")]
3use crate::check::inappropriate_message;
4#[cfg(feature = "quic")]
5use crate::common_state::Protocol;
6#[cfg(feature = "secret_extraction")]
7use crate::common_state::Side;
8use crate::common_state::{CommonState, State};
9use crate::conn::ConnectionRandoms;
10use crate::enums::ProtocolVersion;
11use crate::enums::{AlertDescription, ContentType, HandshakeType};
12use crate::error::{Error, PeerIncompatible, PeerMisbehaved};
13use crate::hash_hs::HandshakeHash;
14use crate::key::Certificate;
15#[cfg(feature = "logging")]
16use crate::log::{debug, trace, warn};
17use crate::msgs::codec::Codec;
18use crate::msgs::enums::KeyUpdateRequest;
19use crate::msgs::handshake::HandshakeMessagePayload;
20use crate::msgs::handshake::HandshakePayload;
21use crate::msgs::handshake::{NewSessionTicketExtension, NewSessionTicketPayloadTLS13};
22use crate::msgs::message::{Message, MessagePayload};
23use crate::msgs::persist;
24use crate::rand;
25use crate::server::ServerConfig;
26#[cfg(feature = "secret_extraction")]
27use crate::suites::PartiallyExtractedSecrets;
28use crate::ticketer;
29use crate::tls13::key_schedule::{KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending};
30use crate::tls13::Tls13CipherSuite;
31use crate::verify;
32
33use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
34use super::server_conn::ServerConnectionData;
35
36use std::sync::Arc;
37
38use ring::constant_time;
39
40pub(super) use client_hello::CompleteClientHelloHandling;
41
42mod client_hello {
43    use crate::enums::SignatureScheme;
44    use crate::kx;
45    use crate::msgs::base::{Payload, PayloadU8};
46    use crate::msgs::ccs::ChangeCipherSpecPayload;
47    use crate::msgs::enums::NamedGroup;
48    use crate::msgs::enums::{Compression, PSKKeyExchangeMode};
49    use crate::msgs::handshake::CertReqExtension;
50    use crate::msgs::handshake::CertificateEntry;
51    use crate::msgs::handshake::CertificateExtension;
52    use crate::msgs::handshake::CertificatePayloadTLS13;
53    use crate::msgs::handshake::CertificateRequestPayloadTLS13;
54    use crate::msgs::handshake::CertificateStatus;
55    use crate::msgs::handshake::ClientHelloPayload;
56    use crate::msgs::handshake::HelloRetryExtension;
57    use crate::msgs::handshake::HelloRetryRequest;
58    use crate::msgs::handshake::KeyShareEntry;
59    use crate::msgs::handshake::Random;
60    use crate::msgs::handshake::ServerExtension;
61    use crate::msgs::handshake::ServerHelloPayload;
62    use crate::msgs::handshake::SessionId;
63    use crate::server::common::ActiveCertifiedKey;
64    use crate::sign;
65    use crate::tls13::key_schedule::{
66        KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake,
67    };
68    use crate::verify::DigitallySignedStruct;
69
70    use super::*;
71
72    #[derive(PartialEq)]
73    pub(super) enum EarlyDataDecision {
74        Disabled,
75        RequestedButRejected,
76        Accepted,
77    }
78
79    pub(in crate::server) struct CompleteClientHelloHandling {
80        pub(in crate::server) config: Arc<ServerConfig>,
81        pub(in crate::server) transcript: HandshakeHash,
82        pub(in crate::server) suite: &'static Tls13CipherSuite,
83        pub(in crate::server) randoms: ConnectionRandoms,
84        pub(in crate::server) done_retry: bool,
85        pub(in crate::server) send_tickets: usize,
86        pub(in crate::server) extra_exts: Vec<ServerExtension>,
87    }
88
89    fn max_early_data_size(configured: u32) -> usize {
90        if configured != 0 {
91            configured as usize
92        } else {
93            // The relevant max_early_data_size may in fact be unknowable: if
94            // we (the server) have turned off early_data but the client has
95            // a stale ticket from when we allowed early_data: we'll naturally
96            // reject early_data but need an upper bound on the amount of data
97            // to drop.
98            //
99            // Use a single maximum-sized message.
100            16384
101        }
102    }
103
104    impl CompleteClientHelloHandling {
105        fn check_binder(
106            &self,
107            suite: &'static Tls13CipherSuite,
108            client_hello: &Message,
109            psk: &[u8],
110            binder: &[u8],
111        ) -> bool {
112            let binder_plaintext = match &client_hello.payload {
113                MessagePayload::Handshake { parsed, .. } => {
114                    parsed.get_encoding_for_binder_signing()
115                }
116                _ => unreachable!(),
117            };
118
119            let handshake_hash = self
120                .transcript
121                .get_hash_given(&binder_plaintext);
122
123            let key_schedule = KeyScheduleEarly::new(suite, psk);
124            let real_binder =
125                key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
126
127            constant_time::verify_slices_are_equal(real_binder.as_ref(), binder).is_ok()
128        }
129
130        fn attempt_tls13_ticket_decryption(
131            &mut self,
132            ticket: &[u8],
133        ) -> Option<persist::ServerSessionValue> {
134            if self.config.ticketer.enabled() {
135                self.config
136                    .ticketer
137                    .decrypt(ticket)
138                    .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
139            } else {
140                self.config
141                    .session_storage
142                    .take(ticket)
143                    .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
144            }
145        }
146
147        pub(in crate::server) fn handle_client_hello(
148            mut self,
149            cx: &mut ServerContext<'_>,
150            server_key: ActiveCertifiedKey,
151            chm: &Message,
152            client_hello: &ClientHelloPayload,
153            mut sigschemes_ext: Vec<SignatureScheme>,
154        ) -> hs::NextStateOrError {
155            if client_hello.compression_methods.len() != 1 {
156                return Err(cx.common.send_fatal_alert(
157                    AlertDescription::IllegalParameter,
158                    PeerMisbehaved::OfferedIncorrectCompressions,
159                ));
160            }
161
162            let groups_ext = client_hello
163                .get_namedgroups_extension()
164                .ok_or_else(|| {
165                    cx.common.send_fatal_alert(
166                        AlertDescription::HandshakeFailure,
167                        PeerIncompatible::NamedGroupsExtensionRequired,
168                    )
169                })?;
170
171            let tls13_schemes = sign::supported_sign_tls13();
172            sigschemes_ext.retain(|scheme| tls13_schemes.contains(scheme));
173
174            let shares_ext = client_hello
175                .get_keyshare_extension()
176                .ok_or_else(|| {
177                    cx.common.send_fatal_alert(
178                        AlertDescription::HandshakeFailure,
179                        PeerIncompatible::KeyShareExtensionRequired,
180                    )
181                })?;
182
183            if client_hello.has_keyshare_extension_with_duplicates() {
184                return Err(cx.common.send_fatal_alert(
185                    AlertDescription::IllegalParameter,
186                    PeerMisbehaved::OfferedDuplicateKeyShares,
187                ));
188            }
189
190            let early_data_requested = client_hello.early_data_extension_offered();
191
192            // EarlyData extension is illegal in second ClientHello
193            if self.done_retry && early_data_requested {
194                return Err({
195                    cx.common.send_fatal_alert(
196                        AlertDescription::IllegalParameter,
197                        PeerMisbehaved::EarlyDataAttemptedInSecondClientHello,
198                    )
199                });
200            }
201
202            // choose a share that we support
203            let chosen_share = self
204                .config
205                .kx_groups
206                .iter()
207                .find_map(|group| {
208                    shares_ext
209                        .iter()
210                        .find(|share| share.group == group.name)
211                });
212
213            let chosen_share = match chosen_share {
214                Some(s) => s,
215                None => {
216                    // We don't have a suitable key share.  Choose a suitable group and
217                    // send a HelloRetryRequest.
218                    let retry_group_maybe = self
219                        .config
220                        .kx_groups
221                        .iter()
222                        .find(|group| groups_ext.contains(&group.name))
223                        .cloned();
224
225                    self.transcript.add_message(chm);
226
227                    if let Some(group) = retry_group_maybe {
228                        if self.done_retry {
229                            return Err(cx.common.send_fatal_alert(
230                                AlertDescription::IllegalParameter,
231                                PeerMisbehaved::RefusedToFollowHelloRetryRequest,
232                            ));
233                        }
234
235                        emit_hello_retry_request(
236                            &mut self.transcript,
237                            self.suite,
238                            client_hello.session_id,
239                            cx.common,
240                            group.name,
241                        );
242                        emit_fake_ccs(cx.common);
243
244                        let skip_early_data = max_early_data_size(self.config.max_early_data_size);
245
246                        let next = Box::new(hs::ExpectClientHello {
247                            config: self.config,
248                            transcript: HandshakeHashOrBuffer::Hash(self.transcript),
249                            #[cfg(feature = "tls12")]
250                            session_id: SessionId::empty(),
251                            #[cfg(feature = "tls12")]
252                            using_ems: false,
253                            done_retry: true,
254                            send_tickets: self.send_tickets,
255                            extra_exts: self.extra_exts,
256                        });
257
258                        return if early_data_requested {
259                            Ok(Box::new(ExpectAndSkipRejectedEarlyData {
260                                skip_data_left: skip_early_data,
261                                next,
262                            }))
263                        } else {
264                            Ok(next)
265                        };
266                    }
267
268                    return Err(cx.common.send_fatal_alert(
269                        AlertDescription::HandshakeFailure,
270                        PeerIncompatible::NoKxGroupsInCommon,
271                    ));
272                }
273            };
274
275            let mut chosen_psk_index = None;
276            let mut resumedata = None;
277            let time_now = ticketer::TimeBase::now()?;
278
279            if let Some(psk_offer) = client_hello.get_psk() {
280                if !client_hello.check_psk_ext_is_last() {
281                    return Err(cx.common.send_fatal_alert(
282                        AlertDescription::IllegalParameter,
283                        PeerMisbehaved::PskExtensionMustBeLast,
284                    ));
285                }
286
287                // "A client MUST provide a "psk_key_exchange_modes" extension if it
288                //  offers a "pre_shared_key" extension. If clients offer
289                //  "pre_shared_key" without a "psk_key_exchange_modes" extension,
290                //  servers MUST abort the handshake." - RFC8446 4.2.9
291                if client_hello.get_psk_modes().is_none() {
292                    return Err(cx.common.send_fatal_alert(
293                        AlertDescription::MissingExtension,
294                        PeerMisbehaved::MissingPskModesExtension,
295                    ));
296                }
297
298                if psk_offer.binders.is_empty() {
299                    return Err(cx.common.send_fatal_alert(
300                        AlertDescription::DecodeError,
301                        PeerMisbehaved::MissingBinderInPskExtension,
302                    ));
303                }
304
305                if psk_offer.binders.len() != psk_offer.identities.len() {
306                    return Err(cx.common.send_fatal_alert(
307                        AlertDescription::IllegalParameter,
308                        PeerMisbehaved::PskExtensionWithMismatchedIdsAndBinders,
309                    ));
310                }
311
312                for (i, psk_id) in psk_offer.identities.iter().enumerate() {
313                    let resume = match self
314                        .attempt_tls13_ticket_decryption(&psk_id.identity.0)
315                        .map(|resumedata| {
316                            resumedata.set_freshness(psk_id.obfuscated_ticket_age, time_now)
317                        })
318                        .filter(|resumedata| {
319                            hs::can_resume(self.suite.into(), &cx.data.sni, false, resumedata)
320                        }) {
321                        Some(resume) => resume,
322                        None => continue,
323                    };
324
325                    if !self.check_binder(
326                        self.suite,
327                        chm,
328                        &resume.master_secret.0,
329                        psk_offer.binders[i].as_ref(),
330                    ) {
331                        return Err(cx.common.send_fatal_alert(
332                            AlertDescription::DecryptError,
333                            PeerMisbehaved::IncorrectBinder,
334                        ));
335                    }
336
337                    chosen_psk_index = Some(i);
338                    resumedata = Some(resume);
339                    break;
340                }
341            }
342
343            if !client_hello.psk_mode_offered(PSKKeyExchangeMode::PSK_DHE_KE) {
344                debug!("Client unwilling to resume, DHE_KE not offered");
345                self.send_tickets = 0;
346                chosen_psk_index = None;
347                resumedata = None;
348            } else {
349                self.send_tickets = self.config.send_tls13_tickets;
350            }
351
352            if let Some(ref resume) = resumedata {
353                cx.data.received_resumption_data = Some(resume.application_data.0.clone());
354                cx.common
355                    .peer_certificates
356                    .clone_from(&resume.client_cert_chain);
357            }
358
359            let full_handshake = resumedata.is_none();
360            self.transcript.add_message(chm);
361            let key_schedule = emit_server_hello(
362                &mut self.transcript,
363                &self.randoms,
364                self.suite,
365                cx,
366                &client_hello.session_id,
367                chosen_share,
368                chosen_psk_index,
369                resumedata
370                    .as_ref()
371                    .map(|x| &x.master_secret.0[..]),
372                &self.config,
373            )?;
374            if !self.done_retry {
375                emit_fake_ccs(cx.common);
376            }
377
378            let (mut ocsp_response, mut sct_list) =
379                (server_key.get_ocsp(), server_key.get_sct_list());
380            let doing_early_data = emit_encrypted_extensions(
381                &mut self.transcript,
382                self.suite,
383                cx,
384                &mut ocsp_response,
385                &mut sct_list,
386                client_hello,
387                resumedata.as_ref(),
388                self.extra_exts,
389                &self.config,
390            )?;
391
392            let doing_client_auth = if full_handshake {
393                let client_auth =
394                    emit_certificate_req_tls13(&mut self.transcript, cx, &self.config)?;
395                emit_certificate_tls13(
396                    &mut self.transcript,
397                    cx.common,
398                    server_key.get_cert(),
399                    ocsp_response,
400                    sct_list,
401                );
402                emit_certificate_verify_tls13(
403                    &mut self.transcript,
404                    cx.common,
405                    server_key.get_key(),
406                    &sigschemes_ext,
407                )?;
408                client_auth
409            } else {
410                false
411            };
412
413            // If we're not doing early data, then the next messages we receive
414            // are encrypted with the handshake keys.
415            match doing_early_data {
416                EarlyDataDecision::Disabled => {
417                    key_schedule.set_handshake_decrypter(None, cx.common);
418                    cx.data.early_data.reject();
419                }
420                EarlyDataDecision::RequestedButRejected => {
421                    debug!("Client requested early_data, but not accepted: switching to handshake keys with trial decryption");
422                    key_schedule.set_handshake_decrypter(
423                        Some(max_early_data_size(self.config.max_early_data_size)),
424                        cx.common,
425                    );
426                    cx.data.early_data.reject();
427                }
428                EarlyDataDecision::Accepted => {
429                    cx.data
430                        .early_data
431                        .accept(self.config.max_early_data_size as usize);
432                }
433            }
434
435            cx.common.check_aligned_handshake()?;
436            let key_schedule_traffic = emit_finished_tls13(
437                &mut self.transcript,
438                &self.randoms,
439                cx,
440                key_schedule,
441                &self.config,
442            );
443
444            if !doing_client_auth && self.config.send_half_rtt_data {
445                // Application data can be sent immediately after Finished, in one
446                // flight.  However, if client auth is enabled, we don't want to send
447                // application data to an unauthenticated peer.
448                cx.common.start_outgoing_traffic();
449            }
450
451            if doing_client_auth {
452                Ok(Box::new(ExpectCertificate {
453                    config: self.config,
454                    transcript: self.transcript,
455                    suite: self.suite,
456                    key_schedule: key_schedule_traffic,
457                    send_tickets: self.send_tickets,
458                }))
459            } else if doing_early_data == EarlyDataDecision::Accepted && !cx.common.is_quic() {
460                // Not used for QUIC: RFC 9001 §8.3: Clients MUST NOT send the EndOfEarlyData
461                // message. A server MUST treat receipt of a CRYPTO frame in a 0-RTT packet as a
462                // connection error of type PROTOCOL_VIOLATION.
463                Ok(Box::new(ExpectEarlyData {
464                    config: self.config,
465                    transcript: self.transcript,
466                    suite: self.suite,
467                    key_schedule: key_schedule_traffic,
468                    send_tickets: self.send_tickets,
469                }))
470            } else {
471                Ok(Box::new(ExpectFinished {
472                    config: self.config,
473                    transcript: self.transcript,
474                    suite: self.suite,
475                    key_schedule: key_schedule_traffic,
476                    send_tickets: self.send_tickets,
477                }))
478            }
479        }
480    }
481
482    fn emit_server_hello(
483        transcript: &mut HandshakeHash,
484        randoms: &ConnectionRandoms,
485        suite: &'static Tls13CipherSuite,
486        cx: &mut ServerContext<'_>,
487        session_id: &SessionId,
488        share: &KeyShareEntry,
489        chosen_psk_idx: Option<usize>,
490        resuming_psk: Option<&[u8]>,
491        config: &ServerConfig,
492    ) -> Result<KeyScheduleHandshake, Error> {
493        let mut extensions = Vec::new();
494
495        // Prepare key exchange
496        let kx = kx::KeyExchange::choose(share.group, &config.kx_groups)
497            .and_then(kx::KeyExchange::start)
498            .ok_or(Error::FailedToGetRandomBytes)?;
499
500        let kse = KeyShareEntry::new(share.group, kx.pubkey.as_ref());
501        extensions.push(ServerExtension::KeyShare(kse));
502        extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
503
504        if let Some(psk_idx) = chosen_psk_idx {
505            extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
506        }
507
508        let sh = Message {
509            version: ProtocolVersion::TLSv1_2,
510            payload: MessagePayload::handshake(HandshakeMessagePayload {
511                typ: HandshakeType::ServerHello,
512                payload: HandshakePayload::ServerHello(ServerHelloPayload {
513                    legacy_version: ProtocolVersion::TLSv1_2,
514                    random: Random::from(randoms.server),
515                    session_id: *session_id,
516                    cipher_suite: suite.common.suite,
517                    compression_method: Compression::Null,
518                    extensions,
519                }),
520            }),
521        };
522
523        cx.common.check_aligned_handshake()?;
524
525        let client_hello_hash = transcript.get_hash_given(&[]);
526
527        trace!("sending server hello {:?}", sh);
528        transcript.add_message(&sh);
529        cx.common.send_msg(sh, false);
530
531        // Start key schedule
532        let key_schedule_pre_handshake = if let Some(psk) = resuming_psk {
533            let early_key_schedule = KeyScheduleEarly::new(suite, psk);
534            early_key_schedule.client_early_traffic_secret(
535                &client_hello_hash,
536                &*config.key_log,
537                &randoms.client,
538                cx.common,
539            );
540
541            KeySchedulePreHandshake::from(early_key_schedule)
542        } else {
543            KeySchedulePreHandshake::new(suite)
544        };
545
546        // Do key exchange
547        let key_schedule = kx.complete(&share.payload.0, |secret| {
548            key_schedule_pre_handshake.into_handshake(secret)
549        })?;
550
551        let handshake_hash = transcript.get_current_hash();
552        let key_schedule = key_schedule.derive_server_handshake_secrets(
553            handshake_hash,
554            &*config.key_log,
555            &randoms.client,
556            cx.common,
557        );
558
559        Ok(key_schedule)
560    }
561
562    fn emit_fake_ccs(common: &mut CommonState) {
563        if common.is_quic() {
564            return;
565        }
566        let m = Message {
567            version: ProtocolVersion::TLSv1_2,
568            payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
569        };
570        common.send_msg(m, false);
571    }
572
573    fn emit_hello_retry_request(
574        transcript: &mut HandshakeHash,
575        suite: &'static Tls13CipherSuite,
576        session_id: SessionId,
577        common: &mut CommonState,
578        group: NamedGroup,
579    ) {
580        let mut req = HelloRetryRequest {
581            legacy_version: ProtocolVersion::TLSv1_2,
582            session_id,
583            cipher_suite: suite.common.suite,
584            extensions: Vec::new(),
585        };
586
587        req.extensions
588            .push(HelloRetryExtension::KeyShare(group));
589        req.extensions
590            .push(HelloRetryExtension::SupportedVersions(
591                ProtocolVersion::TLSv1_3,
592            ));
593
594        let m = Message {
595            version: ProtocolVersion::TLSv1_2,
596            payload: MessagePayload::handshake(HandshakeMessagePayload {
597                typ: HandshakeType::HelloRetryRequest,
598                payload: HandshakePayload::HelloRetryRequest(req),
599            }),
600        };
601
602        trace!("Requesting retry {:?}", m);
603        transcript.rollup_for_hrr();
604        transcript.add_message(&m);
605        common.send_msg(m, false);
606    }
607
608    #[cfg_attr(not(feature = "quic"), allow(clippy::needless_pass_by_ref_mut))]
609    fn decide_if_early_data_allowed(
610        cx: &mut ServerContext<'_>,
611        client_hello: &ClientHelloPayload,
612        resumedata: Option<&persist::ServerSessionValue>,
613        suite: &'static Tls13CipherSuite,
614        config: &ServerConfig,
615    ) -> EarlyDataDecision {
616        let early_data_requested = client_hello.early_data_extension_offered();
617        let rejected_or_disabled = match early_data_requested {
618            true => EarlyDataDecision::RequestedButRejected,
619            false => EarlyDataDecision::Disabled,
620        };
621
622        let resume = match resumedata {
623            Some(resume) => resume,
624            None => {
625                // never any early data if not resuming.
626                return rejected_or_disabled;
627            }
628        };
629
630        /* Non-zero max_early_data_size controls whether early_data is allowed at all.
631         * We also require stateful resumption. */
632        let early_data_configured = config.max_early_data_size > 0 && !config.ticketer.enabled();
633
634        /* "For PSKs provisioned via NewSessionTicket, a server MUST validate
635         *  that the ticket age for the selected PSK identity (computed by
636         *  subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age
637         *  modulo 2^32) is within a small tolerance of the time since the ticket
638         *  was issued (see Section 8)." -- this is implemented in ServerSessionValue::set_freshness()
639         *  and related.
640         *
641         * "In order to accept early data, the server [...] MUST verify that the
642         *  following values are the same as those associated with the
643         *  selected PSK:
644         *
645         *  - The TLS version number
646         *  - The selected cipher suite
647         *  - The selected ALPN [RFC7301] protocol, if any"
648         *
649         * (RFC8446, 4.2.10) */
650        let early_data_possible = early_data_requested
651            && resume.is_fresh()
652            && Some(resume.version) == cx.common.negotiated_version
653            && resume.cipher_suite == suite.common.suite
654            && resume.alpn.as_ref().map(|x| &x.0) == cx.common.alpn_protocol.as_ref();
655
656        if early_data_configured && early_data_possible && !cx.data.early_data.was_rejected() {
657            EarlyDataDecision::Accepted
658        } else {
659            #[cfg(feature = "quic")]
660            if cx.common.is_quic() {
661                // Clobber value set in tls13::emit_server_hello
662                cx.common.quic.early_secret = None;
663            }
664
665            rejected_or_disabled
666        }
667    }
668
669    fn emit_encrypted_extensions(
670        transcript: &mut HandshakeHash,
671        suite: &'static Tls13CipherSuite,
672        cx: &mut ServerContext<'_>,
673        ocsp_response: &mut Option<&[u8]>,
674        sct_list: &mut Option<&[u8]>,
675        hello: &ClientHelloPayload,
676        resumedata: Option<&persist::ServerSessionValue>,
677        extra_exts: Vec<ServerExtension>,
678        config: &ServerConfig,
679    ) -> Result<EarlyDataDecision, Error> {
680        let mut ep = hs::ExtensionProcessing::new();
681        ep.process_common(
682            config,
683            cx,
684            ocsp_response,
685            sct_list,
686            hello,
687            resumedata,
688            extra_exts,
689        )?;
690
691        let early_data = decide_if_early_data_allowed(cx, hello, resumedata, suite, config);
692        if early_data == EarlyDataDecision::Accepted {
693            ep.exts.push(ServerExtension::EarlyData);
694        }
695
696        let ee = Message {
697            version: ProtocolVersion::TLSv1_3,
698            payload: MessagePayload::handshake(HandshakeMessagePayload {
699                typ: HandshakeType::EncryptedExtensions,
700                payload: HandshakePayload::EncryptedExtensions(ep.exts),
701            }),
702        };
703
704        trace!("sending encrypted extensions {:?}", ee);
705        transcript.add_message(&ee);
706        cx.common.send_msg(ee, true);
707        Ok(early_data)
708    }
709
710    fn emit_certificate_req_tls13(
711        transcript: &mut HandshakeHash,
712        cx: &mut ServerContext<'_>,
713        config: &ServerConfig,
714    ) -> Result<bool, Error> {
715        if !config.verifier.offer_client_auth() {
716            return Ok(false);
717        }
718
719        let mut cr = CertificateRequestPayloadTLS13 {
720            context: PayloadU8::empty(),
721            extensions: Vec::new(),
722        };
723
724        let schemes = config
725            .verifier
726            .supported_verify_schemes();
727        cr.extensions
728            .push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
729
730        let names = config
731            .verifier
732            .client_auth_root_subjects()
733            .to_vec();
734
735        if !names.is_empty() {
736            cr.extensions
737                .push(CertReqExtension::AuthorityNames(names));
738        }
739
740        let m = Message {
741            version: ProtocolVersion::TLSv1_3,
742            payload: MessagePayload::handshake(HandshakeMessagePayload {
743                typ: HandshakeType::CertificateRequest,
744                payload: HandshakePayload::CertificateRequestTLS13(cr),
745            }),
746        };
747
748        trace!("Sending CertificateRequest {:?}", m);
749        transcript.add_message(&m);
750        cx.common.send_msg(m, true);
751        Ok(true)
752    }
753
754    fn emit_certificate_tls13(
755        transcript: &mut HandshakeHash,
756        common: &mut CommonState,
757        cert_chain: &[Certificate],
758        ocsp_response: Option<&[u8]>,
759        sct_list: Option<&[u8]>,
760    ) {
761        let mut cert_entries = vec![];
762        for cert in cert_chain {
763            let entry = CertificateEntry {
764                cert: cert.to_owned(),
765                exts: Vec::new(),
766            };
767
768            cert_entries.push(entry);
769        }
770
771        if let Some(end_entity_cert) = cert_entries.first_mut() {
772            // Apply OCSP response to first certificate (we don't support OCSP
773            // except for leaf certs).
774            if let Some(ocsp) = ocsp_response {
775                let cst = CertificateStatus::new(ocsp.to_owned());
776                end_entity_cert
777                    .exts
778                    .push(CertificateExtension::CertificateStatus(cst));
779            }
780
781            // Likewise, SCT
782            if let Some(sct_list) = sct_list {
783                end_entity_cert
784                    .exts
785                    .push(CertificateExtension::make_sct(sct_list.to_owned()));
786            }
787        }
788
789        let cert_body = CertificatePayloadTLS13::new(cert_entries);
790        let c = Message {
791            version: ProtocolVersion::TLSv1_3,
792            payload: MessagePayload::handshake(HandshakeMessagePayload {
793                typ: HandshakeType::Certificate,
794                payload: HandshakePayload::CertificateTLS13(cert_body),
795            }),
796        };
797
798        trace!("sending certificate {:?}", c);
799        transcript.add_message(&c);
800        common.send_msg(c, true);
801    }
802
803    fn emit_certificate_verify_tls13(
804        transcript: &mut HandshakeHash,
805        common: &mut CommonState,
806        signing_key: &dyn sign::SigningKey,
807        schemes: &[SignatureScheme],
808    ) -> Result<(), Error> {
809        let message = verify::construct_tls13_server_verify_message(&transcript.get_current_hash());
810
811        let signer = signing_key
812            .choose_scheme(schemes)
813            .ok_or_else(|| {
814                common.send_fatal_alert(
815                    AlertDescription::HandshakeFailure,
816                    PeerIncompatible::NoSignatureSchemesInCommon,
817                )
818            })?;
819
820        let scheme = signer.scheme();
821        let sig = signer.sign(&message)?;
822
823        let cv = DigitallySignedStruct::new(scheme, sig);
824
825        let m = Message {
826            version: ProtocolVersion::TLSv1_3,
827            payload: MessagePayload::handshake(HandshakeMessagePayload {
828                typ: HandshakeType::CertificateVerify,
829                payload: HandshakePayload::CertificateVerify(cv),
830            }),
831        };
832
833        trace!("sending certificate-verify {:?}", m);
834        transcript.add_message(&m);
835        common.send_msg(m, true);
836        Ok(())
837    }
838
839    fn emit_finished_tls13(
840        transcript: &mut HandshakeHash,
841        randoms: &ConnectionRandoms,
842        cx: &mut ServerContext<'_>,
843        key_schedule: KeyScheduleHandshake,
844        config: &ServerConfig,
845    ) -> KeyScheduleTrafficWithClientFinishedPending {
846        let handshake_hash = transcript.get_current_hash();
847        let verify_data = key_schedule.sign_server_finish(&handshake_hash);
848        let verify_data_payload = Payload::new(verify_data.as_ref());
849
850        let m = Message {
851            version: ProtocolVersion::TLSv1_3,
852            payload: MessagePayload::handshake(HandshakeMessagePayload {
853                typ: HandshakeType::Finished,
854                payload: HandshakePayload::Finished(verify_data_payload),
855            }),
856        };
857
858        trace!("sending finished {:?}", m);
859        transcript.add_message(&m);
860        let hash_at_server_fin = transcript.get_current_hash();
861        cx.common.send_msg(m, true);
862
863        // Now move to application data keys.  Read key change is deferred until
864        // the Finish message is received & validated.
865        key_schedule.into_traffic_with_client_finished_pending(
866            hash_at_server_fin,
867            &*config.key_log,
868            &randoms.client,
869            cx.common,
870        )
871    }
872}
873
874struct ExpectAndSkipRejectedEarlyData {
875    skip_data_left: usize,
876    next: Box<hs::ExpectClientHello>,
877}
878
879impl State<ServerConnectionData> for ExpectAndSkipRejectedEarlyData {
880    fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
881        /* "The server then ignores early data by skipping all records with an external
882         *  content type of "application_data" (indicating that they are encrypted),
883         *  up to the configured max_early_data_size."
884         * (RFC8446, 14.2.10) */
885        if let MessagePayload::ApplicationData(ref skip_data) = m.payload {
886            if skip_data.0.len() <= self.skip_data_left {
887                self.skip_data_left -= skip_data.0.len();
888                return Ok(self);
889            }
890        }
891
892        self.next.handle(cx, m)
893    }
894}
895
896struct ExpectCertificate {
897    config: Arc<ServerConfig>,
898    transcript: HandshakeHash,
899    suite: &'static Tls13CipherSuite,
900    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
901    send_tickets: usize,
902}
903
904impl State<ServerConnectionData> for ExpectCertificate {
905    fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
906        let certp = require_handshake_msg!(
907            m,
908            HandshakeType::Certificate,
909            HandshakePayload::CertificateTLS13
910        )?;
911        self.transcript.add_message(&m);
912
913        // We don't send any CertificateRequest extensions, so any extensions
914        // here are illegal.
915        if certp.any_entry_has_extension() {
916            return Err(PeerMisbehaved::UnsolicitedCertExtension.into());
917        }
918
919        let client_cert = certp.convert();
920
921        let mandatory = self
922            .config
923            .verifier
924            .client_auth_mandatory();
925
926        let (end_entity, intermediates) = match client_cert.split_first() {
927            None => {
928                if !mandatory {
929                    debug!("client auth requested but no certificate supplied");
930                    self.transcript.abandon_client_auth();
931                    return Ok(Box::new(ExpectFinished {
932                        config: self.config,
933                        suite: self.suite,
934                        key_schedule: self.key_schedule,
935                        transcript: self.transcript,
936                        send_tickets: self.send_tickets,
937                    }));
938                }
939
940                return Err(cx.common.send_fatal_alert(
941                    AlertDescription::CertificateRequired,
942                    Error::NoCertificatesPresented,
943                ));
944            }
945            Some(chain) => chain,
946        };
947
948        let now = std::time::SystemTime::now();
949        self.config
950            .verifier
951            .verify_client_cert(end_entity, intermediates, now)
952            .map_err(|err| {
953                cx.common
954                    .send_cert_verify_error_alert(err)
955            })?;
956
957        Ok(Box::new(ExpectCertificateVerify {
958            config: self.config,
959            suite: self.suite,
960            transcript: self.transcript,
961            key_schedule: self.key_schedule,
962            client_cert,
963            send_tickets: self.send_tickets,
964        }))
965    }
966}
967
968struct ExpectCertificateVerify {
969    config: Arc<ServerConfig>,
970    transcript: HandshakeHash,
971    suite: &'static Tls13CipherSuite,
972    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
973    client_cert: Vec<Certificate>,
974    send_tickets: usize,
975}
976
977impl State<ServerConnectionData> for ExpectCertificateVerify {
978    fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
979        let rc = {
980            let sig = require_handshake_msg!(
981                m,
982                HandshakeType::CertificateVerify,
983                HandshakePayload::CertificateVerify
984            )?;
985            let handshake_hash = self.transcript.get_current_hash();
986            self.transcript.abandon_client_auth();
987            let certs = &self.client_cert;
988            let msg = verify::construct_tls13_client_verify_message(&handshake_hash);
989
990            self.config
991                .verifier
992                .verify_tls13_signature(&msg, &certs[0], sig)
993        };
994
995        if let Err(e) = rc {
996            return Err(cx
997                .common
998                .send_cert_verify_error_alert(e));
999        }
1000
1001        trace!("client CertificateVerify OK");
1002        cx.common.peer_certificates = Some(self.client_cert);
1003
1004        self.transcript.add_message(&m);
1005        Ok(Box::new(ExpectFinished {
1006            config: self.config,
1007            suite: self.suite,
1008            key_schedule: self.key_schedule,
1009            transcript: self.transcript,
1010            send_tickets: self.send_tickets,
1011        }))
1012    }
1013}
1014
1015// --- Process (any number of) early ApplicationData messages,
1016//     followed by a terminating handshake EndOfEarlyData message ---
1017
1018struct ExpectEarlyData {
1019    config: Arc<ServerConfig>,
1020    transcript: HandshakeHash,
1021    suite: &'static Tls13CipherSuite,
1022    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1023    send_tickets: usize,
1024}
1025
1026impl State<ServerConnectionData> for ExpectEarlyData {
1027    fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
1028        match m.payload {
1029            MessagePayload::ApplicationData(payload) => {
1030                match cx
1031                    .data
1032                    .early_data
1033                    .take_received_plaintext(payload)
1034                {
1035                    true => Ok(self),
1036                    false => Err(cx.common.send_fatal_alert(
1037                        AlertDescription::UnexpectedMessage,
1038                        PeerMisbehaved::TooMuchEarlyDataReceived,
1039                    )),
1040                }
1041            }
1042            MessagePayload::Handshake {
1043                parsed:
1044                    HandshakeMessagePayload {
1045                        typ: HandshakeType::EndOfEarlyData,
1046                        payload: HandshakePayload::EndOfEarlyData,
1047                    },
1048                ..
1049            } => {
1050                self.key_schedule
1051                    .update_decrypter(cx.common);
1052                self.transcript.add_message(&m);
1053                Ok(Box::new(ExpectFinished {
1054                    config: self.config,
1055                    suite: self.suite,
1056                    key_schedule: self.key_schedule,
1057                    transcript: self.transcript,
1058                    send_tickets: self.send_tickets,
1059                }))
1060            }
1061            payload => Err(inappropriate_handshake_message(
1062                &payload,
1063                &[ContentType::ApplicationData, ContentType::Handshake],
1064                &[HandshakeType::EndOfEarlyData],
1065            )),
1066        }
1067    }
1068}
1069
1070// --- Process client's Finished ---
1071fn get_server_session_value(
1072    transcript: &HandshakeHash,
1073    suite: &'static Tls13CipherSuite,
1074    key_schedule: &KeyScheduleTraffic,
1075    cx: &ServerContext<'_>,
1076    nonce: &[u8],
1077    time_now: ticketer::TimeBase,
1078    age_obfuscation_offset: u32,
1079) -> persist::ServerSessionValue {
1080    let version = ProtocolVersion::TLSv1_3;
1081
1082    let handshake_hash = transcript.get_current_hash();
1083    let secret =
1084        key_schedule.resumption_master_secret_and_derive_ticket_psk(&handshake_hash, nonce);
1085
1086    persist::ServerSessionValue::new(
1087        cx.data.sni.as_ref(),
1088        version,
1089        suite.common.suite,
1090        secret,
1091        cx.common.peer_certificates.clone(),
1092        cx.common.alpn_protocol.clone(),
1093        cx.data.resumption_data.clone(),
1094        time_now,
1095        age_obfuscation_offset,
1096    )
1097}
1098
1099struct ExpectFinished {
1100    config: Arc<ServerConfig>,
1101    transcript: HandshakeHash,
1102    suite: &'static Tls13CipherSuite,
1103    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1104    send_tickets: usize,
1105}
1106
1107impl ExpectFinished {
1108    fn emit_ticket(
1109        transcript: &HandshakeHash,
1110        suite: &'static Tls13CipherSuite,
1111        cx: &mut ServerContext<'_>,
1112        key_schedule: &KeyScheduleTraffic,
1113        config: &ServerConfig,
1114    ) -> Result<(), Error> {
1115        let nonce = rand::random_vec(32)?;
1116        let now = ticketer::TimeBase::now()?;
1117        let age_add = rand::random_u32()?;
1118        let plain =
1119            get_server_session_value(transcript, suite, key_schedule, cx, &nonce, now, age_add)
1120                .get_encoding();
1121
1122        let stateless = config.ticketer.enabled();
1123        let (ticket, lifetime) = if stateless {
1124            let ticket = match config.ticketer.encrypt(&plain) {
1125                Some(t) => t,
1126                None => return Ok(()),
1127            };
1128            (ticket, config.ticketer.lifetime())
1129        } else {
1130            let id = rand::random_vec(32)?;
1131            let stored = config
1132                .session_storage
1133                .put(id.clone(), plain);
1134            if !stored {
1135                trace!("resumption not available; not issuing ticket");
1136                return Ok(());
1137            }
1138            let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
1139            (id, stateful_lifetime)
1140        };
1141
1142        let mut payload = NewSessionTicketPayloadTLS13::new(lifetime, age_add, nonce, ticket);
1143
1144        if config.max_early_data_size > 0 {
1145            if !stateless {
1146                payload
1147                    .exts
1148                    .push(NewSessionTicketExtension::EarlyData(
1149                        config.max_early_data_size,
1150                    ));
1151            } else {
1152                // We implement RFC8446 section 8.1: by enforcing that 0-RTT is
1153                // only possible if using stateful resumption
1154                warn!("early_data with stateless resumption is not allowed");
1155            }
1156        }
1157
1158        let m = Message {
1159            version: ProtocolVersion::TLSv1_3,
1160            payload: MessagePayload::handshake(HandshakeMessagePayload {
1161                typ: HandshakeType::NewSessionTicket,
1162                payload: HandshakePayload::NewSessionTicketTLS13(payload),
1163            }),
1164        };
1165
1166        trace!("sending new ticket {:?} (stateless: {})", m, stateless);
1167        cx.common.send_msg(m, true);
1168        Ok(())
1169    }
1170}
1171
1172impl State<ServerConnectionData> for ExpectFinished {
1173    fn handle(mut self: Box<Self>, cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
1174        let finished =
1175            require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
1176
1177        let handshake_hash = self.transcript.get_current_hash();
1178        let (key_schedule_traffic, expect_verify_data) = self
1179            .key_schedule
1180            .sign_client_finish(&handshake_hash, cx.common);
1181
1182        let fin = constant_time::verify_slices_are_equal(expect_verify_data.as_ref(), &finished.0)
1183            .map_err(|_| {
1184                warn!("Finished wrong");
1185                cx.common
1186                    .send_fatal_alert(AlertDescription::DecryptError, Error::DecryptError)
1187            })
1188            .map(|_| verify::FinishedMessageVerified::assertion())?;
1189
1190        // nb. future derivations include Client Finished, but not the
1191        // main application data keying.
1192        self.transcript.add_message(&m);
1193
1194        cx.common.check_aligned_handshake()?;
1195
1196        for _ in 0..self.send_tickets {
1197            Self::emit_ticket(
1198                &self.transcript,
1199                self.suite,
1200                cx,
1201                &key_schedule_traffic,
1202                &self.config,
1203            )?;
1204        }
1205
1206        // Application data may now flow, even if we have client auth enabled.
1207        cx.common.start_traffic();
1208
1209        #[cfg(feature = "quic")]
1210        {
1211            if cx.common.protocol == Protocol::Quic {
1212                return Ok(Box::new(ExpectQuicTraffic {
1213                    key_schedule: key_schedule_traffic,
1214                    _fin_verified: fin,
1215                }));
1216            }
1217        }
1218
1219        Ok(Box::new(ExpectTraffic {
1220            key_schedule: key_schedule_traffic,
1221            _fin_verified: fin,
1222        }))
1223    }
1224}
1225
1226// --- Process traffic ---
1227struct ExpectTraffic {
1228    key_schedule: KeyScheduleTraffic,
1229    _fin_verified: verify::FinishedMessageVerified,
1230}
1231
1232impl ExpectTraffic {
1233    fn handle_key_update(
1234        &mut self,
1235        common: &mut CommonState,
1236        key_update_request: &KeyUpdateRequest,
1237    ) -> Result<(), Error> {
1238        #[cfg(feature = "quic")]
1239        {
1240            if let Protocol::Quic = common.protocol {
1241                return Err(common.send_fatal_alert(
1242                    AlertDescription::UnexpectedMessage,
1243                    PeerMisbehaved::KeyUpdateReceivedInQuicConnection,
1244                ));
1245            }
1246        }
1247
1248        common.check_aligned_handshake()?;
1249
1250        if common.should_update_key(key_update_request)? {
1251            self.key_schedule
1252                .update_encrypter_and_notify(common);
1253        }
1254
1255        // Update our read-side keys.
1256        self.key_schedule
1257            .update_decrypter(common);
1258        Ok(())
1259    }
1260}
1261
1262impl State<ServerConnectionData> for ExpectTraffic {
1263    fn handle(mut self: Box<Self>, cx: &mut ServerContext, m: Message) -> hs::NextStateOrError {
1264        match m.payload {
1265            MessagePayload::ApplicationData(payload) => cx
1266                .common
1267                .take_received_plaintext(payload),
1268            MessagePayload::Handshake {
1269                parsed:
1270                    HandshakeMessagePayload {
1271                        payload: HandshakePayload::KeyUpdate(key_update),
1272                        ..
1273                    },
1274                ..
1275            } => self.handle_key_update(cx.common, &key_update)?,
1276            payload => {
1277                return Err(inappropriate_handshake_message(
1278                    &payload,
1279                    &[ContentType::ApplicationData, ContentType::Handshake],
1280                    &[HandshakeType::KeyUpdate],
1281                ));
1282            }
1283        }
1284
1285        Ok(self)
1286    }
1287
1288    fn export_keying_material(
1289        &self,
1290        output: &mut [u8],
1291        label: &[u8],
1292        context: Option<&[u8]>,
1293    ) -> Result<(), Error> {
1294        self.key_schedule
1295            .export_keying_material(output, label, context)
1296    }
1297
1298    #[cfg(feature = "secret_extraction")]
1299    fn extract_secrets(&self) -> Result<PartiallyExtractedSecrets, Error> {
1300        self.key_schedule
1301            .extract_secrets(Side::Server)
1302    }
1303}
1304
1305#[cfg(feature = "quic")]
1306struct ExpectQuicTraffic {
1307    key_schedule: KeyScheduleTraffic,
1308    _fin_verified: verify::FinishedMessageVerified,
1309}
1310
1311#[cfg(feature = "quic")]
1312impl State<ServerConnectionData> for ExpectQuicTraffic {
1313    fn handle(self: Box<Self>, _cx: &mut ServerContext<'_>, m: Message) -> hs::NextStateOrError {
1314        // reject all messages
1315        Err(inappropriate_message(&m.payload, &[]))
1316    }
1317
1318    fn export_keying_material(
1319        &self,
1320        output: &mut [u8],
1321        label: &[u8],
1322        context: Option<&[u8]>,
1323    ) -> Result<(), Error> {
1324        self.key_schedule
1325            .export_keying_material(output, label, context)
1326    }
1327}
rustls/server/tls13.rs

rustls/server/
tls13.rs
