1use alloc::boxed::Box;
2use alloc::string::ToString;
3use alloc::vec;
4use alloc::vec::Vec;
5
6pub(super) use client_hello::CompleteClientHelloHandling;
7use pki_types::UnixTime;
8use subtle::ConstantTimeEq;
9
10use super::common::ActiveCertifiedKey;
11use super::hs::{self, ServerContext};
12use super::server_conn::{ProducesTickets, ServerConfig, ServerConnectionData};
13use crate::check::inappropriate_message;
14use crate::common_state::{CommonState, HandshakeFlightTls12, HandshakeKind, Side, State};
15use crate::conn::ConnectionRandoms;
16use crate::conn::kernel::{Direction, KernelContext, KernelState};
17use crate::crypto::ActiveKeyExchange;
18use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
19use crate::error::{Error, PeerIncompatible, PeerMisbehaved};
20use crate::hash_hs::HandshakeHash;
21use crate::log::{debug, trace};
22use crate::msgs::base::Payload;
23use crate::msgs::ccs::ChangeCipherSpecPayload;
24use crate::msgs::codec::Codec;
25use crate::msgs::handshake::{
26 CertificateChain, ClientKeyExchangeParams, HandshakeMessagePayload, HandshakePayload,
27 NewSessionTicketPayload, NewSessionTicketPayloadTls13, SessionId,
28};
29use crate::msgs::message::{Message, MessagePayload};
30use crate::msgs::persist;
31use crate::suites::PartiallyExtractedSecrets;
32use crate::sync::Arc;
33use crate::tls12::{self, ConnectionSecrets, Tls12CipherSuite};
34use crate::{ConnectionTrafficSecrets, verify};
35
36mod client_hello {
37 use pki_types::CertificateDer;
38
39 use super::*;
40 use crate::common_state::KxState;
41 use crate::crypto::SupportedKxGroup;
42 use crate::enums::SignatureScheme;
43 use crate::msgs::enums::{ClientCertificateType, Compression, ECPointFormat};
44 use crate::msgs::handshake::{
45 CertificateRequestPayload, CertificateStatus, ClientExtension, ClientHelloPayload,
46 ClientSessionTicket, Random, ServerExtension, ServerHelloPayload, ServerKeyExchange,
47 ServerKeyExchangeParams, ServerKeyExchangePayload,
48 };
49 use crate::sign;
50 use crate::verify::DigitallySignedStruct;
51
52 pub(in crate::server) struct CompleteClientHelloHandling {
53 pub(in crate::server) config: Arc<ServerConfig>,
54 pub(in crate::server) transcript: HandshakeHash,
55 pub(in crate::server) session_id: SessionId,
56 pub(in crate::server) suite: &'static Tls12CipherSuite,
57 pub(in crate::server) using_ems: bool,
58 pub(in crate::server) randoms: ConnectionRandoms,
59 pub(in crate::server) send_ticket: bool,
60 pub(in crate::server) extra_exts: Vec<ServerExtension>,
61 }
62
63 impl CompleteClientHelloHandling {
64 pub(in crate::server) fn handle_client_hello(
65 mut self,
66 cx: &mut ServerContext<'_>,
67 server_key: ActiveCertifiedKey<'_>,
68 chm: &Message<'_>,
69 client_hello: &ClientHelloPayload,
70 selected_kxg: &'static dyn SupportedKxGroup,
71 sigschemes_ext: Vec<SignatureScheme>,
72 tls13_enabled: bool,
73 ) -> hs::NextStateOrError<'static> {
74 self.transcript.add_message(chm);
76
77 if client_hello.ems_support_offered() {
78 self.using_ems = true;
79 } else if self.config.require_ems {
80 return Err(cx.common.send_fatal_alert(
81 AlertDescription::HandshakeFailure,
82 PeerIncompatible::ExtendedMasterSecretExtensionRequired,
83 ));
84 }
85
86 let ecpoints_ext = client_hello
91 .ecpoints_extension()
92 .unwrap_or(&[ECPointFormat::Uncompressed]);
93
94 trace!("ecpoints {ecpoints_ext:?}");
95
96 if !ecpoints_ext.contains(&ECPointFormat::Uncompressed) {
97 return Err(cx.common.send_fatal_alert(
98 AlertDescription::IllegalParameter,
99 PeerIncompatible::UncompressedEcPointsRequired,
100 ));
101 }
102
103 if tls13_enabled {
105 self.randoms.server[24..].copy_from_slice(&tls12::DOWNGRADE_SENTINEL);
106 }
107
108 let mut ticket_received = false;
121 let resume_data = client_hello
122 .ticket_extension()
123 .and_then(|ticket_ext| match ticket_ext {
124 ClientExtension::SessionTicket(ClientSessionTicket::Offer(ticket)) => {
125 Some(ticket)
126 }
127 _ => None,
128 })
129 .and_then(|ticket| {
130 ticket_received = true;
131 debug!("Ticket received");
132 let data = self
133 .config
134 .ticketer
135 .decrypt(ticket.bytes());
136 if data.is_none() {
137 debug!("Ticket didn't decrypt");
138 }
139 data
140 })
141 .or_else(|| {
142 if client_hello.session_id.is_empty() || ticket_received {
145 return None;
146 }
147
148 self.config
149 .session_storage
150 .get(client_hello.session_id.as_ref())
151 })
152 .and_then(|x| persist::ServerSessionValue::read_bytes(&x).ok())
153 .filter(|resumedata| {
154 hs::can_resume(self.suite.into(), &cx.data.sni, self.using_ems, resumedata)
155 });
156
157 if let Some(data) = resume_data {
158 return self.start_resumption(cx, client_hello, &client_hello.session_id, data);
159 }
160
161 let sigschemes = self
163 .suite
164 .resolve_sig_schemes(&sigschemes_ext);
165
166 if sigschemes.is_empty() {
167 return Err(cx.common.send_fatal_alert(
168 AlertDescription::HandshakeFailure,
169 PeerIncompatible::NoSignatureSchemesInCommon,
170 ));
171 }
172
173 let ecpoint = ECPointFormat::SUPPORTED
174 .iter()
175 .find(|format| ecpoints_ext.contains(format))
176 .cloned()
177 .ok_or_else(|| {
178 cx.common.send_fatal_alert(
179 AlertDescription::HandshakeFailure,
180 PeerIncompatible::NoEcPointFormatsInCommon,
181 )
182 })?;
183
184 debug_assert_eq!(ecpoint, ECPointFormat::Uncompressed);
185
186 let mut ocsp_response = server_key.get_ocsp();
187
188 if !self.config.session_storage.can_cache() {
190 self.session_id = SessionId::empty();
191 } else if self.session_id.is_empty() && !ticket_received {
192 self.session_id = SessionId::random(self.config.provider.secure_random)?;
193 }
194
195 cx.common.kx_state = KxState::Start(selected_kxg);
196 cx.common.handshake_kind = Some(HandshakeKind::Full);
197
198 let mut flight = HandshakeFlightTls12::new(&mut self.transcript);
199
200 self.send_ticket = emit_server_hello(
201 &mut flight,
202 &self.config,
203 cx,
204 self.session_id,
205 self.suite,
206 self.using_ems,
207 &mut ocsp_response,
208 client_hello,
209 None,
210 &self.randoms,
211 self.extra_exts,
212 )?;
213 emit_certificate(&mut flight, server_key.get_cert());
214 if let Some(ocsp_response) = ocsp_response {
215 emit_cert_status(&mut flight, ocsp_response);
216 }
217 let server_kx = emit_server_kx(
218 &mut flight,
219 sigschemes,
220 selected_kxg,
221 server_key.get_key(),
222 &self.randoms,
223 )?;
224 let doing_client_auth = emit_certificate_req(&mut flight, &self.config)?;
225 emit_server_hello_done(&mut flight);
226
227 flight.finish(cx.common);
228
229 if doing_client_auth {
230 Ok(Box::new(ExpectCertificate {
231 config: self.config,
232 transcript: self.transcript,
233 randoms: self.randoms,
234 session_id: self.session_id,
235 suite: self.suite,
236 using_ems: self.using_ems,
237 server_kx,
238 send_ticket: self.send_ticket,
239 }))
240 } else {
241 Ok(Box::new(ExpectClientKx {
242 config: self.config,
243 transcript: self.transcript,
244 randoms: self.randoms,
245 session_id: self.session_id,
246 suite: self.suite,
247 using_ems: self.using_ems,
248 server_kx,
249 client_cert: None,
250 send_ticket: self.send_ticket,
251 }))
252 }
253 }
254
255 fn start_resumption(
256 mut self,
257 cx: &mut ServerContext<'_>,
258 client_hello: &ClientHelloPayload,
259 id: &SessionId,
260 resumedata: persist::ServerSessionValue,
261 ) -> hs::NextStateOrError<'static> {
262 debug!("Resuming connection");
263
264 if resumedata.extended_ms && !self.using_ems {
265 return Err(cx.common.send_fatal_alert(
266 AlertDescription::IllegalParameter,
267 PeerMisbehaved::ResumptionAttemptedWithVariedEms,
268 ));
269 }
270
271 self.session_id = *id;
272 let mut flight = HandshakeFlightTls12::new(&mut self.transcript);
273 self.send_ticket = emit_server_hello(
274 &mut flight,
275 &self.config,
276 cx,
277 self.session_id,
278 self.suite,
279 self.using_ems,
280 &mut None,
281 client_hello,
282 Some(&resumedata),
283 &self.randoms,
284 self.extra_exts,
285 )?;
286 flight.finish(cx.common);
287
288 let secrets = ConnectionSecrets::new_resume(
289 self.randoms,
290 self.suite,
291 &resumedata.master_secret.0,
292 );
293 self.config.key_log.log(
294 "CLIENT_RANDOM",
295 &secrets.randoms.client,
296 &secrets.master_secret,
297 );
298 cx.common
299 .start_encryption_tls12(&secrets, Side::Server);
300 cx.common.peer_certificates = resumedata.client_cert_chain;
301 cx.common.handshake_kind = Some(HandshakeKind::Resumed);
302
303 if self.send_ticket {
304 let now = self.config.current_time()?;
305
306 emit_ticket(
307 &secrets,
308 &mut self.transcript,
309 self.using_ems,
310 cx,
311 &*self.config.ticketer,
312 now,
313 )?;
314 }
315 emit_ccs(cx.common);
316 cx.common
317 .record_layer
318 .start_encrypting();
319 emit_finished(&secrets, &mut self.transcript, cx.common);
320
321 Ok(Box::new(ExpectCcs {
322 config: self.config,
323 secrets,
324 transcript: self.transcript,
325 session_id: self.session_id,
326 using_ems: self.using_ems,
327 resuming: true,
328 send_ticket: self.send_ticket,
329 }))
330 }
331 }
332
333 fn emit_server_hello(
334 flight: &mut HandshakeFlightTls12<'_>,
335 config: &ServerConfig,
336 cx: &mut ServerContext<'_>,
337 session_id: SessionId,
338 suite: &'static Tls12CipherSuite,
339 using_ems: bool,
340 ocsp_response: &mut Option<&[u8]>,
341 hello: &ClientHelloPayload,
342 resumedata: Option<&persist::ServerSessionValue>,
343 randoms: &ConnectionRandoms,
344 extra_exts: Vec<ServerExtension>,
345 ) -> Result<bool, Error> {
346 let mut ep = hs::ExtensionProcessing::new();
347 ep.process_common(config, cx, ocsp_response, hello, resumedata, extra_exts)?;
348 ep.process_tls12(config, hello, using_ems);
349
350 let sh = HandshakeMessagePayload(HandshakePayload::ServerHello(ServerHelloPayload {
351 legacy_version: ProtocolVersion::TLSv1_2,
352 random: Random::from(randoms.server),
353 session_id,
354 cipher_suite: suite.common.suite,
355 compression_method: Compression::Null,
356 extensions: ep.exts,
357 }));
358 trace!("sending server hello {sh:?}");
359 flight.add(sh);
360
361 Ok(ep.send_ticket)
362 }
363
364 fn emit_certificate(
365 flight: &mut HandshakeFlightTls12<'_>,
366 cert_chain: &[CertificateDer<'static>],
367 ) {
368 flight.add(HandshakeMessagePayload(HandshakePayload::Certificate(
369 CertificateChain(cert_chain.to_vec()),
370 )));
371 }
372
373 fn emit_cert_status(flight: &mut HandshakeFlightTls12<'_>, ocsp: &[u8]) {
374 flight.add(HandshakeMessagePayload(
375 HandshakePayload::CertificateStatus(CertificateStatus::new(ocsp)),
376 ));
377 }
378
379 fn emit_server_kx(
380 flight: &mut HandshakeFlightTls12<'_>,
381 sigschemes: Vec<SignatureScheme>,
382 selected_group: &'static dyn SupportedKxGroup,
383 signing_key: &dyn sign::SigningKey,
384 randoms: &ConnectionRandoms,
385 ) -> Result<Box<dyn ActiveKeyExchange>, Error> {
386 let kx = selected_group.start()?;
387 let kx_params = ServerKeyExchangeParams::new(&*kx);
388
389 let mut msg = Vec::new();
390 msg.extend(randoms.client);
391 msg.extend(randoms.server);
392 kx_params.encode(&mut msg);
393
394 let signer = signing_key
395 .choose_scheme(&sigschemes)
396 .ok_or_else(|| Error::General("incompatible signing key".to_string()))?;
397 let sigscheme = signer.scheme();
398 let sig = signer.sign(&msg)?;
399
400 let skx = ServerKeyExchangePayload::from(ServerKeyExchange {
401 params: kx_params,
402 dss: DigitallySignedStruct::new(sigscheme, sig),
403 });
404
405 flight.add(HandshakeMessagePayload(
406 HandshakePayload::ServerKeyExchange(skx),
407 ));
408 Ok(kx)
409 }
410
411 fn emit_certificate_req(
412 flight: &mut HandshakeFlightTls12<'_>,
413 config: &ServerConfig,
414 ) -> Result<bool, Error> {
415 let client_auth = &config.verifier;
416
417 if !client_auth.offer_client_auth() {
418 return Ok(false);
419 }
420
421 let verify_schemes = client_auth.supported_verify_schemes();
422
423 let names = config
424 .verifier
425 .root_hint_subjects()
426 .to_vec();
427
428 let cr = CertificateRequestPayload {
429 certtypes: vec![
430 ClientCertificateType::RSASign,
431 ClientCertificateType::ECDSASign,
432 ],
433 sigschemes: verify_schemes,
434 canames: names,
435 };
436
437 let creq = HandshakeMessagePayload(HandshakePayload::CertificateRequest(cr));
438
439 trace!("Sending CertificateRequest {creq:?}");
440 flight.add(creq);
441 Ok(true)
442 }
443
444 fn emit_server_hello_done(flight: &mut HandshakeFlightTls12<'_>) {
445 flight.add(HandshakeMessagePayload(HandshakePayload::ServerHelloDone));
446 }
447}
448
449struct ExpectCertificate {
451 config: Arc<ServerConfig>,
452 transcript: HandshakeHash,
453 randoms: ConnectionRandoms,
454 session_id: SessionId,
455 suite: &'static Tls12CipherSuite,
456 using_ems: bool,
457 server_kx: Box<dyn ActiveKeyExchange>,
458 send_ticket: bool,
459}
460
461impl State<ServerConnectionData> for ExpectCertificate {
462 fn handle<'m>(
463 mut self: Box<Self>,
464 cx: &mut ServerContext<'_>,
465 m: Message<'m>,
466 ) -> hs::NextStateOrError<'m>
467 where
468 Self: 'm,
469 {
470 self.transcript.add_message(&m);
471 let cert_chain = require_handshake_msg_move!(
472 m,
473 HandshakeType::Certificate,
474 HandshakePayload::Certificate
475 )?;
476
477 let mandatory = self
479 .config
480 .verifier
481 .client_auth_mandatory();
482
483 trace!("certs {cert_chain:?}");
484
485 let client_cert = match cert_chain.split_first() {
486 None if mandatory => {
487 return Err(cx.common.send_fatal_alert(
488 AlertDescription::CertificateRequired,
489 Error::NoCertificatesPresented,
490 ));
491 }
492 None => {
493 debug!("client auth requested but no certificate supplied");
494 self.transcript.abandon_client_auth();
495 None
496 }
497 Some((end_entity, intermediates)) => {
498 let now = self.config.current_time()?;
499
500 self.config
501 .verifier
502 .verify_client_cert(end_entity, intermediates, now)
503 .map_err(|err| {
504 cx.common
505 .send_cert_verify_error_alert(err)
506 })?;
507
508 Some(cert_chain)
509 }
510 };
511
512 Ok(Box::new(ExpectClientKx {
513 config: self.config,
514 transcript: self.transcript,
515 randoms: self.randoms,
516 session_id: self.session_id,
517 suite: self.suite,
518 using_ems: self.using_ems,
519 server_kx: self.server_kx,
520 client_cert,
521 send_ticket: self.send_ticket,
522 }))
523 }
524
525 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
526 self
527 }
528}
529
530struct ExpectClientKx<'a> {
532 config: Arc<ServerConfig>,
533 transcript: HandshakeHash,
534 randoms: ConnectionRandoms,
535 session_id: SessionId,
536 suite: &'static Tls12CipherSuite,
537 using_ems: bool,
538 server_kx: Box<dyn ActiveKeyExchange>,
539 client_cert: Option<CertificateChain<'a>>,
540 send_ticket: bool,
541}
542
543impl State<ServerConnectionData> for ExpectClientKx<'_> {
544 fn handle<'m>(
545 mut self: Box<Self>,
546 cx: &mut ServerContext<'_>,
547 m: Message<'m>,
548 ) -> hs::NextStateOrError<'m>
549 where
550 Self: 'm,
551 {
552 let client_kx = require_handshake_msg!(
553 m,
554 HandshakeType::ClientKeyExchange,
555 HandshakePayload::ClientKeyExchange
556 )?;
557 self.transcript.add_message(&m);
558 let ems_seed = self
559 .using_ems
560 .then(|| self.transcript.current_hash());
561
562 let peer_kx_params = tls12::decode_kx_params::<ClientKeyExchangeParams>(
565 self.suite.kx,
566 cx.common,
567 client_kx.bytes(),
568 )?;
569 let secrets = ConnectionSecrets::from_key_exchange(
570 self.server_kx,
571 peer_kx_params.pub_key(),
572 ems_seed,
573 self.randoms,
574 self.suite,
575 )
576 .map_err(|err| {
577 cx.common
578 .send_fatal_alert(AlertDescription::IllegalParameter, err)
579 })?;
580 cx.common.kx_state.complete();
581
582 self.config.key_log.log(
583 "CLIENT_RANDOM",
584 &secrets.randoms.client,
585 &secrets.master_secret,
586 );
587 cx.common
588 .start_encryption_tls12(&secrets, Side::Server);
589
590 match self.client_cert {
591 Some(client_cert) => Ok(Box::new(ExpectCertificateVerify {
592 config: self.config,
593 secrets,
594 transcript: self.transcript,
595 session_id: self.session_id,
596 using_ems: self.using_ems,
597 client_cert,
598 send_ticket: self.send_ticket,
599 })),
600 _ => Ok(Box::new(ExpectCcs {
601 config: self.config,
602 secrets,
603 transcript: self.transcript,
604 session_id: self.session_id,
605 using_ems: self.using_ems,
606 resuming: false,
607 send_ticket: self.send_ticket,
608 })),
609 }
610 }
611
612 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
613 Box::new(ExpectClientKx {
614 config: self.config,
615 transcript: self.transcript,
616 randoms: self.randoms,
617 session_id: self.session_id,
618 suite: self.suite,
619 using_ems: self.using_ems,
620 server_kx: self.server_kx,
621 client_cert: self
622 .client_cert
623 .map(|cert| cert.into_owned()),
624 send_ticket: self.send_ticket,
625 })
626 }
627}
628
629struct ExpectCertificateVerify<'a> {
631 config: Arc<ServerConfig>,
632 secrets: ConnectionSecrets,
633 transcript: HandshakeHash,
634 session_id: SessionId,
635 using_ems: bool,
636 client_cert: CertificateChain<'a>,
637 send_ticket: bool,
638}
639
640impl State<ServerConnectionData> for ExpectCertificateVerify<'_> {
641 fn handle<'m>(
642 mut self: Box<Self>,
643 cx: &mut ServerContext<'_>,
644 m: Message<'m>,
645 ) -> hs::NextStateOrError<'m>
646 where
647 Self: 'm,
648 {
649 let rc = {
650 let sig = require_handshake_msg!(
651 m,
652 HandshakeType::CertificateVerify,
653 HandshakePayload::CertificateVerify
654 )?;
655
656 match self.transcript.take_handshake_buf() {
657 Some(msgs) => {
658 let certs = &self.client_cert;
659 self.config
660 .verifier
661 .verify_tls12_signature(&msgs, &certs[0], sig)
662 }
663 None => {
664 return Err(cx.common.send_fatal_alert(
670 AlertDescription::AccessDenied,
671 Error::General("client authentication not set up".into()),
672 ));
673 }
674 }
675 };
676
677 if let Err(e) = rc {
678 return Err(cx
679 .common
680 .send_cert_verify_error_alert(e));
681 }
682
683 trace!("client CertificateVerify OK");
684 cx.common.peer_certificates = Some(self.client_cert.into_owned());
685
686 self.transcript.add_message(&m);
687 Ok(Box::new(ExpectCcs {
688 config: self.config,
689 secrets: self.secrets,
690 transcript: self.transcript,
691 session_id: self.session_id,
692 using_ems: self.using_ems,
693 resuming: false,
694 send_ticket: self.send_ticket,
695 }))
696 }
697
698 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
699 Box::new(ExpectCertificateVerify {
700 config: self.config,
701 secrets: self.secrets,
702 transcript: self.transcript,
703 session_id: self.session_id,
704 using_ems: self.using_ems,
705 client_cert: self.client_cert.into_owned(),
706 send_ticket: self.send_ticket,
707 })
708 }
709}
710
711struct ExpectCcs {
713 config: Arc<ServerConfig>,
714 secrets: ConnectionSecrets,
715 transcript: HandshakeHash,
716 session_id: SessionId,
717 using_ems: bool,
718 resuming: bool,
719 send_ticket: bool,
720}
721
722impl State<ServerConnectionData> for ExpectCcs {
723 fn handle<'m>(
724 self: Box<Self>,
725 cx: &mut ServerContext<'_>,
726 m: Message<'m>,
727 ) -> hs::NextStateOrError<'m>
728 where
729 Self: 'm,
730 {
731 match m.payload {
732 MessagePayload::ChangeCipherSpec(..) => {}
733 payload => {
734 return Err(inappropriate_message(
735 &payload,
736 &[ContentType::ChangeCipherSpec],
737 ));
738 }
739 }
740
741 cx.common.check_aligned_handshake()?;
744
745 cx.common
746 .record_layer
747 .start_decrypting();
748 Ok(Box::new(ExpectFinished {
749 config: self.config,
750 secrets: self.secrets,
751 transcript: self.transcript,
752 session_id: self.session_id,
753 using_ems: self.using_ems,
754 resuming: self.resuming,
755 send_ticket: self.send_ticket,
756 }))
757 }
758
759 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
760 self
761 }
762}
763
764fn get_server_connection_value_tls12(
766 secrets: &ConnectionSecrets,
767 using_ems: bool,
768 cx: &ServerContext<'_>,
769 time_now: UnixTime,
770) -> persist::ServerSessionValue {
771 let version = ProtocolVersion::TLSv1_2;
772
773 let mut v = persist::ServerSessionValue::new(
774 cx.data.sni.as_ref(),
775 version,
776 secrets.suite().common.suite,
777 secrets.master_secret(),
778 cx.common.peer_certificates.clone(),
779 cx.common.alpn_protocol.clone(),
780 cx.data.resumption_data.clone(),
781 time_now,
782 0,
783 );
784
785 if using_ems {
786 v.set_extended_ms_used();
787 }
788
789 v
790}
791
792fn emit_ticket(
793 secrets: &ConnectionSecrets,
794 transcript: &mut HandshakeHash,
795 using_ems: bool,
796 cx: &mut ServerContext<'_>,
797 ticketer: &dyn ProducesTickets,
798 now: UnixTime,
799) -> Result<(), Error> {
800 let plain = get_server_connection_value_tls12(secrets, using_ems, cx, now).get_encoding();
801
802 let ticket = ticketer
805 .encrypt(&plain)
806 .unwrap_or_default();
807 let ticket_lifetime = ticketer.lifetime();
808
809 let m = Message {
810 version: ProtocolVersion::TLSv1_2,
811 payload: MessagePayload::handshake(HandshakeMessagePayload(
812 HandshakePayload::NewSessionTicket(NewSessionTicketPayload::new(
813 ticket_lifetime,
814 ticket,
815 )),
816 )),
817 };
818
819 transcript.add_message(&m);
820 cx.common.send_msg(m, false);
821 Ok(())
822}
823
824fn emit_ccs(common: &mut CommonState) {
825 let m = Message {
826 version: ProtocolVersion::TLSv1_2,
827 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
828 };
829
830 common.send_msg(m, false);
831}
832
833fn emit_finished(
834 secrets: &ConnectionSecrets,
835 transcript: &mut HandshakeHash,
836 common: &mut CommonState,
837) {
838 let vh = transcript.current_hash();
839 let verify_data = secrets.server_verify_data(&vh);
840 let verify_data_payload = Payload::new(verify_data);
841
842 let f = Message {
843 version: ProtocolVersion::TLSv1_2,
844 payload: MessagePayload::handshake(HandshakeMessagePayload(HandshakePayload::Finished(
845 verify_data_payload,
846 ))),
847 };
848
849 transcript.add_message(&f);
850 common.send_msg(f, true);
851}
852
853struct ExpectFinished {
854 config: Arc<ServerConfig>,
855 secrets: ConnectionSecrets,
856 transcript: HandshakeHash,
857 session_id: SessionId,
858 using_ems: bool,
859 resuming: bool,
860 send_ticket: bool,
861}
862
863impl State<ServerConnectionData> for ExpectFinished {
864 fn handle<'m>(
865 mut self: Box<Self>,
866 cx: &mut ServerContext<'_>,
867 m: Message<'m>,
868 ) -> hs::NextStateOrError<'m>
869 where
870 Self: 'm,
871 {
872 let finished =
873 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
874
875 cx.common.check_aligned_handshake()?;
876
877 let vh = self.transcript.current_hash();
878 let expect_verify_data = self.secrets.client_verify_data(&vh);
879
880 let _fin_verified =
881 match ConstantTimeEq::ct_eq(&expect_verify_data[..], finished.bytes()).into() {
882 true => verify::FinishedMessageVerified::assertion(),
883 false => {
884 return Err(cx
885 .common
886 .send_fatal_alert(AlertDescription::DecryptError, Error::DecryptError));
887 }
888 };
889
890 if !self.resuming && !self.session_id.is_empty() {
892 let now = self.config.current_time()?;
893
894 let value = get_server_connection_value_tls12(&self.secrets, self.using_ems, cx, now);
895
896 let worked = self
897 .config
898 .session_storage
899 .put(self.session_id.as_ref().to_vec(), value.get_encoding());
900 #[cfg_attr(not(feature = "logging"), allow(clippy::if_same_then_else))]
901 if worked {
902 debug!("Session saved");
903 } else {
904 debug!("Session not saved");
905 }
906 }
907
908 self.transcript.add_message(&m);
910 if !self.resuming {
911 if self.send_ticket {
912 let now = self.config.current_time()?;
913 emit_ticket(
914 &self.secrets,
915 &mut self.transcript,
916 self.using_ems,
917 cx,
918 &*self.config.ticketer,
919 now,
920 )?;
921 }
922 emit_ccs(cx.common);
923 cx.common
924 .record_layer
925 .start_encrypting();
926 emit_finished(&self.secrets, &mut self.transcript, cx.common);
927 }
928
929 cx.common
930 .start_traffic(&mut cx.sendable_plaintext);
931 Ok(Box::new(ExpectTraffic {
932 secrets: self.secrets,
933 _fin_verified,
934 }))
935 }
936
937 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
938 self
939 }
940}
941
942struct ExpectTraffic {
944 secrets: ConnectionSecrets,
945 _fin_verified: verify::FinishedMessageVerified,
946}
947
948impl ExpectTraffic {}
949
950impl State<ServerConnectionData> for ExpectTraffic {
951 fn handle<'m>(
952 self: Box<Self>,
953 cx: &mut ServerContext<'_>,
954 m: Message<'m>,
955 ) -> hs::NextStateOrError<'m>
956 where
957 Self: 'm,
958 {
959 match m.payload {
960 MessagePayload::ApplicationData(payload) => cx
961 .common
962 .take_received_plaintext(payload),
963 payload => {
964 return Err(inappropriate_message(
965 &payload,
966 &[ContentType::ApplicationData],
967 ));
968 }
969 }
970 Ok(self)
971 }
972
973 fn export_keying_material(
974 &self,
975 output: &mut [u8],
976 label: &[u8],
977 context: Option<&[u8]>,
978 ) -> Result<(), Error> {
979 self.secrets
980 .export_keying_material(output, label, context);
981 Ok(())
982 }
983
984 fn extract_secrets(&self) -> Result<PartiallyExtractedSecrets, Error> {
985 self.secrets
986 .extract_secrets(Side::Server)
987 }
988
989 fn into_external_state(self: Box<Self>) -> Result<Box<dyn KernelState + 'static>, Error> {
990 Ok(self)
991 }
992
993 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
994 self
995 }
996}
997
998impl KernelState for ExpectTraffic {
999 fn update_secrets(&mut self, _: Direction) -> Result<ConnectionTrafficSecrets, Error> {
1000 Err(Error::General(
1001 "TLS 1.2 connections do not support traffic secret updates".into(),
1002 ))
1003 }
1004
1005 fn handle_new_session_ticket(
1006 &mut self,
1007 _cx: &mut KernelContext<'_>,
1008 _message: &NewSessionTicketPayloadTls13,
1009 ) -> Result<(), Error> {
1010 unreachable!(
1011 "server connections should never have handle_new_session_ticket called on them"
1012 )
1013 }
1014}