rustls/server/
tls12.rs

1use alloc::boxed::Box;
2use alloc::string::ToString;
3use alloc::vec;
4use alloc::vec::Vec;
5
6pub(super) use client_hello::CompleteClientHelloHandling;
7use pki_types::UnixTime;
8use subtle::ConstantTimeEq;
9
10use super::common::ActiveCertifiedKey;
11use super::hs::{self, ServerContext};
12use super::server_conn::{ProducesTickets, ServerConfig, ServerConnectionData};
13use crate::check::inappropriate_message;
14use crate::common_state::{CommonState, HandshakeFlightTls12, HandshakeKind, Side, State};
15use crate::conn::ConnectionRandoms;
16use crate::conn::kernel::{Direction, KernelContext, KernelState};
17use crate::crypto::ActiveKeyExchange;
18use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
19use crate::error::{Error, PeerIncompatible, PeerMisbehaved};
20use crate::hash_hs::HandshakeHash;
21use crate::log::{debug, trace};
22use crate::msgs::base::Payload;
23use crate::msgs::ccs::ChangeCipherSpecPayload;
24use crate::msgs::codec::Codec;
25use crate::msgs::handshake::{
26    CertificateChain, ClientKeyExchangeParams, HandshakeMessagePayload, HandshakePayload,
27    NewSessionTicketPayload, NewSessionTicketPayloadTls13, SessionId,
28};
29use crate::msgs::message::{Message, MessagePayload};
30use crate::msgs::persist;
31use crate::suites::PartiallyExtractedSecrets;
32use crate::sync::Arc;
33use crate::tls12::{self, ConnectionSecrets, Tls12CipherSuite};
34use crate::{ConnectionTrafficSecrets, verify};
35
36mod client_hello {
37    use pki_types::CertificateDer;
38
39    use super::*;
40    use crate::common_state::KxState;
41    use crate::crypto::SupportedKxGroup;
42    use crate::enums::SignatureScheme;
43    use crate::msgs::enums::{ClientCertificateType, Compression, ECPointFormat};
44    use crate::msgs::handshake::{
45        CertificateRequestPayload, CertificateStatus, ClientExtension, ClientHelloPayload,
46        ClientSessionTicket, Random, ServerExtension, ServerHelloPayload, ServerKeyExchange,
47        ServerKeyExchangeParams, ServerKeyExchangePayload,
48    };
49    use crate::sign;
50    use crate::verify::DigitallySignedStruct;
51
52    pub(in crate::server) struct CompleteClientHelloHandling {
53        pub(in crate::server) config: Arc<ServerConfig>,
54        pub(in crate::server) transcript: HandshakeHash,
55        pub(in crate::server) session_id: SessionId,
56        pub(in crate::server) suite: &'static Tls12CipherSuite,
57        pub(in crate::server) using_ems: bool,
58        pub(in crate::server) randoms: ConnectionRandoms,
59        pub(in crate::server) send_ticket: bool,
60        pub(in crate::server) extra_exts: Vec<ServerExtension>,
61    }
62
63    impl CompleteClientHelloHandling {
64        pub(in crate::server) fn handle_client_hello(
65            mut self,
66            cx: &mut ServerContext<'_>,
67            server_key: ActiveCertifiedKey<'_>,
68            chm: &Message<'_>,
69            client_hello: &ClientHelloPayload,
70            selected_kxg: &'static dyn SupportedKxGroup,
71            sigschemes_ext: Vec<SignatureScheme>,
72            tls13_enabled: bool,
73        ) -> hs::NextStateOrError<'static> {
74            // -- TLS1.2 only from hereon in --
75            self.transcript.add_message(chm);
76
77            if client_hello.ems_support_offered() {
78                self.using_ems = true;
79            } else if self.config.require_ems {
80                return Err(cx.common.send_fatal_alert(
81                    AlertDescription::HandshakeFailure,
82                    PeerIncompatible::ExtendedMasterSecretExtensionRequired,
83                ));
84            }
85
86            // "RFC 4492 specified that if this extension is missing,
87            // it means that only the uncompressed point format is
88            // supported"
89            // - <https://datatracker.ietf.org/doc/html/rfc8422#section-5.1.2>
90            let ecpoints_ext = client_hello
91                .ecpoints_extension()
92                .unwrap_or(&[ECPointFormat::Uncompressed]);
93
94            trace!("ecpoints {ecpoints_ext:?}");
95
96            if !ecpoints_ext.contains(&ECPointFormat::Uncompressed) {
97                return Err(cx.common.send_fatal_alert(
98                    AlertDescription::IllegalParameter,
99                    PeerIncompatible::UncompressedEcPointsRequired,
100                ));
101            }
102
103            // -- If TLS1.3 is enabled, signal the downgrade in the server random
104            if tls13_enabled {
105                self.randoms.server[24..].copy_from_slice(&tls12::DOWNGRADE_SENTINEL);
106            }
107
108            // -- Check for resumption --
109            // We can do this either by (in order of preference):
110            // 1. receiving a ticket that decrypts
111            // 2. receiving a sessionid that is in our cache
112            //
113            // If we receive a ticket, the sessionid won't be in our
114            // cache, so don't check.
115            //
116            // If either works, we end up with a ServerConnectionValue
117            // which is passed to start_resumption and concludes
118            // our handling of the ClientHello.
119            //
120            let mut ticket_received = false;
121            let resume_data = client_hello
122                .ticket_extension()
123                .and_then(|ticket_ext| match ticket_ext {
124                    ClientExtension::SessionTicket(ClientSessionTicket::Offer(ticket)) => {
125                        Some(ticket)
126                    }
127                    _ => None,
128                })
129                .and_then(|ticket| {
130                    ticket_received = true;
131                    debug!("Ticket received");
132                    let data = self
133                        .config
134                        .ticketer
135                        .decrypt(ticket.bytes());
136                    if data.is_none() {
137                        debug!("Ticket didn't decrypt");
138                    }
139                    data
140                })
141                .or_else(|| {
142                    // Perhaps resume?  If we received a ticket, the sessionid
143                    // does not correspond to a real session.
144                    if client_hello.session_id.is_empty() || ticket_received {
145                        return None;
146                    }
147
148                    self.config
149                        .session_storage
150                        .get(client_hello.session_id.as_ref())
151                })
152                .and_then(|x| persist::ServerSessionValue::read_bytes(&x).ok())
153                .filter(|resumedata| {
154                    hs::can_resume(self.suite.into(), &cx.data.sni, self.using_ems, resumedata)
155                });
156
157            if let Some(data) = resume_data {
158                return self.start_resumption(cx, client_hello, &client_hello.session_id, data);
159            }
160
161            // Now we have chosen a ciphersuite, we can make kx decisions.
162            let sigschemes = self
163                .suite
164                .resolve_sig_schemes(&sigschemes_ext);
165
166            if sigschemes.is_empty() {
167                return Err(cx.common.send_fatal_alert(
168                    AlertDescription::HandshakeFailure,
169                    PeerIncompatible::NoSignatureSchemesInCommon,
170                ));
171            }
172
173            let ecpoint = ECPointFormat::SUPPORTED
174                .iter()
175                .find(|format| ecpoints_ext.contains(format))
176                .cloned()
177                .ok_or_else(|| {
178                    cx.common.send_fatal_alert(
179                        AlertDescription::HandshakeFailure,
180                        PeerIncompatible::NoEcPointFormatsInCommon,
181                    )
182                })?;
183
184            debug_assert_eq!(ecpoint, ECPointFormat::Uncompressed);
185
186            let mut ocsp_response = server_key.get_ocsp();
187
188            // If we're not offered a ticket or a potential session ID, allocate a session ID.
189            if !self.config.session_storage.can_cache() {
190                self.session_id = SessionId::empty();
191            } else if self.session_id.is_empty() && !ticket_received {
192                self.session_id = SessionId::random(self.config.provider.secure_random)?;
193            }
194
195            cx.common.kx_state = KxState::Start(selected_kxg);
196            cx.common.handshake_kind = Some(HandshakeKind::Full);
197
198            let mut flight = HandshakeFlightTls12::new(&mut self.transcript);
199
200            self.send_ticket = emit_server_hello(
201                &mut flight,
202                &self.config,
203                cx,
204                self.session_id,
205                self.suite,
206                self.using_ems,
207                &mut ocsp_response,
208                client_hello,
209                None,
210                &self.randoms,
211                self.extra_exts,
212            )?;
213            emit_certificate(&mut flight, server_key.get_cert());
214            if let Some(ocsp_response) = ocsp_response {
215                emit_cert_status(&mut flight, ocsp_response);
216            }
217            let server_kx = emit_server_kx(
218                &mut flight,
219                sigschemes,
220                selected_kxg,
221                server_key.get_key(),
222                &self.randoms,
223            )?;
224            let doing_client_auth = emit_certificate_req(&mut flight, &self.config)?;
225            emit_server_hello_done(&mut flight);
226
227            flight.finish(cx.common);
228
229            if doing_client_auth {
230                Ok(Box::new(ExpectCertificate {
231                    config: self.config,
232                    transcript: self.transcript,
233                    randoms: self.randoms,
234                    session_id: self.session_id,
235                    suite: self.suite,
236                    using_ems: self.using_ems,
237                    server_kx,
238                    send_ticket: self.send_ticket,
239                }))
240            } else {
241                Ok(Box::new(ExpectClientKx {
242                    config: self.config,
243                    transcript: self.transcript,
244                    randoms: self.randoms,
245                    session_id: self.session_id,
246                    suite: self.suite,
247                    using_ems: self.using_ems,
248                    server_kx,
249                    client_cert: None,
250                    send_ticket: self.send_ticket,
251                }))
252            }
253        }
254
255        fn start_resumption(
256            mut self,
257            cx: &mut ServerContext<'_>,
258            client_hello: &ClientHelloPayload,
259            id: &SessionId,
260            resumedata: persist::ServerSessionValue,
261        ) -> hs::NextStateOrError<'static> {
262            debug!("Resuming connection");
263
264            if resumedata.extended_ms && !self.using_ems {
265                return Err(cx.common.send_fatal_alert(
266                    AlertDescription::IllegalParameter,
267                    PeerMisbehaved::ResumptionAttemptedWithVariedEms,
268                ));
269            }
270
271            self.session_id = *id;
272            let mut flight = HandshakeFlightTls12::new(&mut self.transcript);
273            self.send_ticket = emit_server_hello(
274                &mut flight,
275                &self.config,
276                cx,
277                self.session_id,
278                self.suite,
279                self.using_ems,
280                &mut None,
281                client_hello,
282                Some(&resumedata),
283                &self.randoms,
284                self.extra_exts,
285            )?;
286            flight.finish(cx.common);
287
288            let secrets = ConnectionSecrets::new_resume(
289                self.randoms,
290                self.suite,
291                &resumedata.master_secret.0,
292            );
293            self.config.key_log.log(
294                "CLIENT_RANDOM",
295                &secrets.randoms.client,
296                &secrets.master_secret,
297            );
298            cx.common
299                .start_encryption_tls12(&secrets, Side::Server);
300            cx.common.peer_certificates = resumedata.client_cert_chain;
301            cx.common.handshake_kind = Some(HandshakeKind::Resumed);
302
303            if self.send_ticket {
304                let now = self.config.current_time()?;
305
306                emit_ticket(
307                    &secrets,
308                    &mut self.transcript,
309                    self.using_ems,
310                    cx,
311                    &*self.config.ticketer,
312                    now,
313                )?;
314            }
315            emit_ccs(cx.common);
316            cx.common
317                .record_layer
318                .start_encrypting();
319            emit_finished(&secrets, &mut self.transcript, cx.common);
320
321            Ok(Box::new(ExpectCcs {
322                config: self.config,
323                secrets,
324                transcript: self.transcript,
325                session_id: self.session_id,
326                using_ems: self.using_ems,
327                resuming: true,
328                send_ticket: self.send_ticket,
329            }))
330        }
331    }
332
333    fn emit_server_hello(
334        flight: &mut HandshakeFlightTls12<'_>,
335        config: &ServerConfig,
336        cx: &mut ServerContext<'_>,
337        session_id: SessionId,
338        suite: &'static Tls12CipherSuite,
339        using_ems: bool,
340        ocsp_response: &mut Option<&[u8]>,
341        hello: &ClientHelloPayload,
342        resumedata: Option<&persist::ServerSessionValue>,
343        randoms: &ConnectionRandoms,
344        extra_exts: Vec<ServerExtension>,
345    ) -> Result<bool, Error> {
346        let mut ep = hs::ExtensionProcessing::new();
347        ep.process_common(config, cx, ocsp_response, hello, resumedata, extra_exts)?;
348        ep.process_tls12(config, hello, using_ems);
349
350        let sh = HandshakeMessagePayload(HandshakePayload::ServerHello(ServerHelloPayload {
351            legacy_version: ProtocolVersion::TLSv1_2,
352            random: Random::from(randoms.server),
353            session_id,
354            cipher_suite: suite.common.suite,
355            compression_method: Compression::Null,
356            extensions: ep.exts,
357        }));
358        trace!("sending server hello {sh:?}");
359        flight.add(sh);
360
361        Ok(ep.send_ticket)
362    }
363
364    fn emit_certificate(
365        flight: &mut HandshakeFlightTls12<'_>,
366        cert_chain: &[CertificateDer<'static>],
367    ) {
368        flight.add(HandshakeMessagePayload(HandshakePayload::Certificate(
369            CertificateChain(cert_chain.to_vec()),
370        )));
371    }
372
373    fn emit_cert_status(flight: &mut HandshakeFlightTls12<'_>, ocsp: &[u8]) {
374        flight.add(HandshakeMessagePayload(
375            HandshakePayload::CertificateStatus(CertificateStatus::new(ocsp)),
376        ));
377    }
378
379    fn emit_server_kx(
380        flight: &mut HandshakeFlightTls12<'_>,
381        sigschemes: Vec<SignatureScheme>,
382        selected_group: &'static dyn SupportedKxGroup,
383        signing_key: &dyn sign::SigningKey,
384        randoms: &ConnectionRandoms,
385    ) -> Result<Box<dyn ActiveKeyExchange>, Error> {
386        let kx = selected_group.start()?;
387        let kx_params = ServerKeyExchangeParams::new(&*kx);
388
389        let mut msg = Vec::new();
390        msg.extend(randoms.client);
391        msg.extend(randoms.server);
392        kx_params.encode(&mut msg);
393
394        let signer = signing_key
395            .choose_scheme(&sigschemes)
396            .ok_or_else(|| Error::General("incompatible signing key".to_string()))?;
397        let sigscheme = signer.scheme();
398        let sig = signer.sign(&msg)?;
399
400        let skx = ServerKeyExchangePayload::from(ServerKeyExchange {
401            params: kx_params,
402            dss: DigitallySignedStruct::new(sigscheme, sig),
403        });
404
405        flight.add(HandshakeMessagePayload(
406            HandshakePayload::ServerKeyExchange(skx),
407        ));
408        Ok(kx)
409    }
410
411    fn emit_certificate_req(
412        flight: &mut HandshakeFlightTls12<'_>,
413        config: &ServerConfig,
414    ) -> Result<bool, Error> {
415        let client_auth = &config.verifier;
416
417        if !client_auth.offer_client_auth() {
418            return Ok(false);
419        }
420
421        let verify_schemes = client_auth.supported_verify_schemes();
422
423        let names = config
424            .verifier
425            .root_hint_subjects()
426            .to_vec();
427
428        let cr = CertificateRequestPayload {
429            certtypes: vec![
430                ClientCertificateType::RSASign,
431                ClientCertificateType::ECDSASign,
432            ],
433            sigschemes: verify_schemes,
434            canames: names,
435        };
436
437        let creq = HandshakeMessagePayload(HandshakePayload::CertificateRequest(cr));
438
439        trace!("Sending CertificateRequest {creq:?}");
440        flight.add(creq);
441        Ok(true)
442    }
443
444    fn emit_server_hello_done(flight: &mut HandshakeFlightTls12<'_>) {
445        flight.add(HandshakeMessagePayload(HandshakePayload::ServerHelloDone));
446    }
447}
448
449// --- Process client's Certificate for client auth ---
450struct ExpectCertificate {
451    config: Arc<ServerConfig>,
452    transcript: HandshakeHash,
453    randoms: ConnectionRandoms,
454    session_id: SessionId,
455    suite: &'static Tls12CipherSuite,
456    using_ems: bool,
457    server_kx: Box<dyn ActiveKeyExchange>,
458    send_ticket: bool,
459}
460
461impl State<ServerConnectionData> for ExpectCertificate {
462    fn handle<'m>(
463        mut self: Box<Self>,
464        cx: &mut ServerContext<'_>,
465        m: Message<'m>,
466    ) -> hs::NextStateOrError<'m>
467    where
468        Self: 'm,
469    {
470        self.transcript.add_message(&m);
471        let cert_chain = require_handshake_msg_move!(
472            m,
473            HandshakeType::Certificate,
474            HandshakePayload::Certificate
475        )?;
476
477        // If we can't determine if the auth is mandatory, abort
478        let mandatory = self
479            .config
480            .verifier
481            .client_auth_mandatory();
482
483        trace!("certs {cert_chain:?}");
484
485        let client_cert = match cert_chain.split_first() {
486            None if mandatory => {
487                return Err(cx.common.send_fatal_alert(
488                    AlertDescription::CertificateRequired,
489                    Error::NoCertificatesPresented,
490                ));
491            }
492            None => {
493                debug!("client auth requested but no certificate supplied");
494                self.transcript.abandon_client_auth();
495                None
496            }
497            Some((end_entity, intermediates)) => {
498                let now = self.config.current_time()?;
499
500                self.config
501                    .verifier
502                    .verify_client_cert(end_entity, intermediates, now)
503                    .map_err(|err| {
504                        cx.common
505                            .send_cert_verify_error_alert(err)
506                    })?;
507
508                Some(cert_chain)
509            }
510        };
511
512        Ok(Box::new(ExpectClientKx {
513            config: self.config,
514            transcript: self.transcript,
515            randoms: self.randoms,
516            session_id: self.session_id,
517            suite: self.suite,
518            using_ems: self.using_ems,
519            server_kx: self.server_kx,
520            client_cert,
521            send_ticket: self.send_ticket,
522        }))
523    }
524
525    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
526        self
527    }
528}
529
530// --- Process client's KeyExchange ---
531struct ExpectClientKx<'a> {
532    config: Arc<ServerConfig>,
533    transcript: HandshakeHash,
534    randoms: ConnectionRandoms,
535    session_id: SessionId,
536    suite: &'static Tls12CipherSuite,
537    using_ems: bool,
538    server_kx: Box<dyn ActiveKeyExchange>,
539    client_cert: Option<CertificateChain<'a>>,
540    send_ticket: bool,
541}
542
543impl State<ServerConnectionData> for ExpectClientKx<'_> {
544    fn handle<'m>(
545        mut self: Box<Self>,
546        cx: &mut ServerContext<'_>,
547        m: Message<'m>,
548    ) -> hs::NextStateOrError<'m>
549    where
550        Self: 'm,
551    {
552        let client_kx = require_handshake_msg!(
553            m,
554            HandshakeType::ClientKeyExchange,
555            HandshakePayload::ClientKeyExchange
556        )?;
557        self.transcript.add_message(&m);
558        let ems_seed = self
559            .using_ems
560            .then(|| self.transcript.current_hash());
561
562        // Complete key agreement, and set up encryption with the
563        // resulting premaster secret.
564        let peer_kx_params = tls12::decode_kx_params::<ClientKeyExchangeParams>(
565            self.suite.kx,
566            cx.common,
567            client_kx.bytes(),
568        )?;
569        let secrets = ConnectionSecrets::from_key_exchange(
570            self.server_kx,
571            peer_kx_params.pub_key(),
572            ems_seed,
573            self.randoms,
574            self.suite,
575        )
576        .map_err(|err| {
577            cx.common
578                .send_fatal_alert(AlertDescription::IllegalParameter, err)
579        })?;
580        cx.common.kx_state.complete();
581
582        self.config.key_log.log(
583            "CLIENT_RANDOM",
584            &secrets.randoms.client,
585            &secrets.master_secret,
586        );
587        cx.common
588            .start_encryption_tls12(&secrets, Side::Server);
589
590        match self.client_cert {
591            Some(client_cert) => Ok(Box::new(ExpectCertificateVerify {
592                config: self.config,
593                secrets,
594                transcript: self.transcript,
595                session_id: self.session_id,
596                using_ems: self.using_ems,
597                client_cert,
598                send_ticket: self.send_ticket,
599            })),
600            _ => Ok(Box::new(ExpectCcs {
601                config: self.config,
602                secrets,
603                transcript: self.transcript,
604                session_id: self.session_id,
605                using_ems: self.using_ems,
606                resuming: false,
607                send_ticket: self.send_ticket,
608            })),
609        }
610    }
611
612    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
613        Box::new(ExpectClientKx {
614            config: self.config,
615            transcript: self.transcript,
616            randoms: self.randoms,
617            session_id: self.session_id,
618            suite: self.suite,
619            using_ems: self.using_ems,
620            server_kx: self.server_kx,
621            client_cert: self
622                .client_cert
623                .map(|cert| cert.into_owned()),
624            send_ticket: self.send_ticket,
625        })
626    }
627}
628
629// --- Process client's certificate proof ---
630struct ExpectCertificateVerify<'a> {
631    config: Arc<ServerConfig>,
632    secrets: ConnectionSecrets,
633    transcript: HandshakeHash,
634    session_id: SessionId,
635    using_ems: bool,
636    client_cert: CertificateChain<'a>,
637    send_ticket: bool,
638}
639
640impl State<ServerConnectionData> for ExpectCertificateVerify<'_> {
641    fn handle<'m>(
642        mut self: Box<Self>,
643        cx: &mut ServerContext<'_>,
644        m: Message<'m>,
645    ) -> hs::NextStateOrError<'m>
646    where
647        Self: 'm,
648    {
649        let rc = {
650            let sig = require_handshake_msg!(
651                m,
652                HandshakeType::CertificateVerify,
653                HandshakePayload::CertificateVerify
654            )?;
655
656            match self.transcript.take_handshake_buf() {
657                Some(msgs) => {
658                    let certs = &self.client_cert;
659                    self.config
660                        .verifier
661                        .verify_tls12_signature(&msgs, &certs[0], sig)
662                }
663                None => {
664                    // This should be unreachable; the handshake buffer was initialized with
665                    // client authentication if the verifier wants to offer it.
666                    // `transcript.abandon_client_auth()` can extract it, but its only caller in
667                    // this flow will also set `ExpectClientKx::client_cert` to `None`, making it
668                    // impossible to reach this state.
669                    return Err(cx.common.send_fatal_alert(
670                        AlertDescription::AccessDenied,
671                        Error::General("client authentication not set up".into()),
672                    ));
673                }
674            }
675        };
676
677        if let Err(e) = rc {
678            return Err(cx
679                .common
680                .send_cert_verify_error_alert(e));
681        }
682
683        trace!("client CertificateVerify OK");
684        cx.common.peer_certificates = Some(self.client_cert.into_owned());
685
686        self.transcript.add_message(&m);
687        Ok(Box::new(ExpectCcs {
688            config: self.config,
689            secrets: self.secrets,
690            transcript: self.transcript,
691            session_id: self.session_id,
692            using_ems: self.using_ems,
693            resuming: false,
694            send_ticket: self.send_ticket,
695        }))
696    }
697
698    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
699        Box::new(ExpectCertificateVerify {
700            config: self.config,
701            secrets: self.secrets,
702            transcript: self.transcript,
703            session_id: self.session_id,
704            using_ems: self.using_ems,
705            client_cert: self.client_cert.into_owned(),
706            send_ticket: self.send_ticket,
707        })
708    }
709}
710
711// --- Process client's ChangeCipherSpec ---
712struct ExpectCcs {
713    config: Arc<ServerConfig>,
714    secrets: ConnectionSecrets,
715    transcript: HandshakeHash,
716    session_id: SessionId,
717    using_ems: bool,
718    resuming: bool,
719    send_ticket: bool,
720}
721
722impl State<ServerConnectionData> for ExpectCcs {
723    fn handle<'m>(
724        self: Box<Self>,
725        cx: &mut ServerContext<'_>,
726        m: Message<'m>,
727    ) -> hs::NextStateOrError<'m>
728    where
729        Self: 'm,
730    {
731        match m.payload {
732            MessagePayload::ChangeCipherSpec(..) => {}
733            payload => {
734                return Err(inappropriate_message(
735                    &payload,
736                    &[ContentType::ChangeCipherSpec],
737                ));
738            }
739        }
740
741        // CCS should not be received interleaved with fragmented handshake-level
742        // message.
743        cx.common.check_aligned_handshake()?;
744
745        cx.common
746            .record_layer
747            .start_decrypting();
748        Ok(Box::new(ExpectFinished {
749            config: self.config,
750            secrets: self.secrets,
751            transcript: self.transcript,
752            session_id: self.session_id,
753            using_ems: self.using_ems,
754            resuming: self.resuming,
755            send_ticket: self.send_ticket,
756        }))
757    }
758
759    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
760        self
761    }
762}
763
764// --- Process client's Finished ---
765fn get_server_connection_value_tls12(
766    secrets: &ConnectionSecrets,
767    using_ems: bool,
768    cx: &ServerContext<'_>,
769    time_now: UnixTime,
770) -> persist::ServerSessionValue {
771    let version = ProtocolVersion::TLSv1_2;
772
773    let mut v = persist::ServerSessionValue::new(
774        cx.data.sni.as_ref(),
775        version,
776        secrets.suite().common.suite,
777        secrets.master_secret(),
778        cx.common.peer_certificates.clone(),
779        cx.common.alpn_protocol.clone(),
780        cx.data.resumption_data.clone(),
781        time_now,
782        0,
783    );
784
785    if using_ems {
786        v.set_extended_ms_used();
787    }
788
789    v
790}
791
792fn emit_ticket(
793    secrets: &ConnectionSecrets,
794    transcript: &mut HandshakeHash,
795    using_ems: bool,
796    cx: &mut ServerContext<'_>,
797    ticketer: &dyn ProducesTickets,
798    now: UnixTime,
799) -> Result<(), Error> {
800    let plain = get_server_connection_value_tls12(secrets, using_ems, cx, now).get_encoding();
801
802    // If we can't produce a ticket for some reason, we can't
803    // report an error. Send an empty one.
804    let ticket = ticketer
805        .encrypt(&plain)
806        .unwrap_or_default();
807    let ticket_lifetime = ticketer.lifetime();
808
809    let m = Message {
810        version: ProtocolVersion::TLSv1_2,
811        payload: MessagePayload::handshake(HandshakeMessagePayload(
812            HandshakePayload::NewSessionTicket(NewSessionTicketPayload::new(
813                ticket_lifetime,
814                ticket,
815            )),
816        )),
817    };
818
819    transcript.add_message(&m);
820    cx.common.send_msg(m, false);
821    Ok(())
822}
823
824fn emit_ccs(common: &mut CommonState) {
825    let m = Message {
826        version: ProtocolVersion::TLSv1_2,
827        payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
828    };
829
830    common.send_msg(m, false);
831}
832
833fn emit_finished(
834    secrets: &ConnectionSecrets,
835    transcript: &mut HandshakeHash,
836    common: &mut CommonState,
837) {
838    let vh = transcript.current_hash();
839    let verify_data = secrets.server_verify_data(&vh);
840    let verify_data_payload = Payload::new(verify_data);
841
842    let f = Message {
843        version: ProtocolVersion::TLSv1_2,
844        payload: MessagePayload::handshake(HandshakeMessagePayload(HandshakePayload::Finished(
845            verify_data_payload,
846        ))),
847    };
848
849    transcript.add_message(&f);
850    common.send_msg(f, true);
851}
852
853struct ExpectFinished {
854    config: Arc<ServerConfig>,
855    secrets: ConnectionSecrets,
856    transcript: HandshakeHash,
857    session_id: SessionId,
858    using_ems: bool,
859    resuming: bool,
860    send_ticket: bool,
861}
862
863impl State<ServerConnectionData> for ExpectFinished {
864    fn handle<'m>(
865        mut self: Box<Self>,
866        cx: &mut ServerContext<'_>,
867        m: Message<'m>,
868    ) -> hs::NextStateOrError<'m>
869    where
870        Self: 'm,
871    {
872        let finished =
873            require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
874
875        cx.common.check_aligned_handshake()?;
876
877        let vh = self.transcript.current_hash();
878        let expect_verify_data = self.secrets.client_verify_data(&vh);
879
880        let _fin_verified =
881            match ConstantTimeEq::ct_eq(&expect_verify_data[..], finished.bytes()).into() {
882                true => verify::FinishedMessageVerified::assertion(),
883                false => {
884                    return Err(cx
885                        .common
886                        .send_fatal_alert(AlertDescription::DecryptError, Error::DecryptError));
887                }
888            };
889
890        // Save connection, perhaps
891        if !self.resuming && !self.session_id.is_empty() {
892            let now = self.config.current_time()?;
893
894            let value = get_server_connection_value_tls12(&self.secrets, self.using_ems, cx, now);
895
896            let worked = self
897                .config
898                .session_storage
899                .put(self.session_id.as_ref().to_vec(), value.get_encoding());
900            #[cfg_attr(not(feature = "logging"), allow(clippy::if_same_then_else))]
901            if worked {
902                debug!("Session saved");
903            } else {
904                debug!("Session not saved");
905            }
906        }
907
908        // Send our CCS and Finished.
909        self.transcript.add_message(&m);
910        if !self.resuming {
911            if self.send_ticket {
912                let now = self.config.current_time()?;
913                emit_ticket(
914                    &self.secrets,
915                    &mut self.transcript,
916                    self.using_ems,
917                    cx,
918                    &*self.config.ticketer,
919                    now,
920                )?;
921            }
922            emit_ccs(cx.common);
923            cx.common
924                .record_layer
925                .start_encrypting();
926            emit_finished(&self.secrets, &mut self.transcript, cx.common);
927        }
928
929        cx.common
930            .start_traffic(&mut cx.sendable_plaintext);
931        Ok(Box::new(ExpectTraffic {
932            secrets: self.secrets,
933            _fin_verified,
934        }))
935    }
936
937    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
938        self
939    }
940}
941
942// --- Process traffic ---
943struct ExpectTraffic {
944    secrets: ConnectionSecrets,
945    _fin_verified: verify::FinishedMessageVerified,
946}
947
948impl ExpectTraffic {}
949
950impl State<ServerConnectionData> for ExpectTraffic {
951    fn handle<'m>(
952        self: Box<Self>,
953        cx: &mut ServerContext<'_>,
954        m: Message<'m>,
955    ) -> hs::NextStateOrError<'m>
956    where
957        Self: 'm,
958    {
959        match m.payload {
960            MessagePayload::ApplicationData(payload) => cx
961                .common
962                .take_received_plaintext(payload),
963            payload => {
964                return Err(inappropriate_message(
965                    &payload,
966                    &[ContentType::ApplicationData],
967                ));
968            }
969        }
970        Ok(self)
971    }
972
973    fn export_keying_material(
974        &self,
975        output: &mut [u8],
976        label: &[u8],
977        context: Option<&[u8]>,
978    ) -> Result<(), Error> {
979        self.secrets
980            .export_keying_material(output, label, context);
981        Ok(())
982    }
983
984    fn extract_secrets(&self) -> Result<PartiallyExtractedSecrets, Error> {
985        self.secrets
986            .extract_secrets(Side::Server)
987    }
988
989    fn into_external_state(self: Box<Self>) -> Result<Box<dyn KernelState + 'static>, Error> {
990        Ok(self)
991    }
992
993    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
994        self
995    }
996}
997
998impl KernelState for ExpectTraffic {
999    fn update_secrets(&mut self, _: Direction) -> Result<ConnectionTrafficSecrets, Error> {
1000        Err(Error::General(
1001            "TLS 1.2 connections do not support traffic secret updates".into(),
1002        ))
1003    }
1004
1005    fn handle_new_session_ticket(
1006        &mut self,
1007        _cx: &mut KernelContext<'_>,
1008        _message: &NewSessionTicketPayloadTls13,
1009    ) -> Result<(), Error> {
1010        unreachable!(
1011            "server connections should never have handle_new_session_ticket called on them"
1012        )
1013    }
1014}