1use alloc::boxed::Box;
2use alloc::vec;
3use alloc::vec::Vec;
4
5pub(super) use client_hello::CompleteClientHelloHandling;
6use pki_types::{CertificateDer, UnixTime};
7use subtle::ConstantTimeEq;
8
9use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
10use super::server_conn::ServerConnectionData;
11use crate::check::{inappropriate_handshake_message, inappropriate_message};
12use crate::common_state::{
13 CommonState, HandshakeFlightTls13, HandshakeKind, Protocol, Side, State,
14};
15use crate::conn::ConnectionRandoms;
16use crate::conn::kernel::{Direction, KernelContext, KernelState};
17use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
18use crate::error::{Error, InvalidMessage, PeerIncompatible, PeerMisbehaved};
19use crate::hash_hs::HandshakeHash;
20use crate::log::{debug, trace, warn};
21use crate::msgs::codec::{Codec, Reader};
22use crate::msgs::enums::KeyUpdateRequest;
23use crate::msgs::handshake::{
24 CERTIFICATE_MAX_SIZE_LIMIT, CertificateChain, CertificatePayloadTls13, HandshakeMessagePayload,
25 HandshakePayload, NewSessionTicketExtension, NewSessionTicketPayloadTls13,
26};
27use crate::msgs::message::{Message, MessagePayload};
28use crate::msgs::persist;
29use crate::server::ServerConfig;
30use crate::suites::PartiallyExtractedSecrets;
31use crate::sync::Arc;
32use crate::tls13::key_schedule::{
33 KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending, ResumptionSecret,
34};
35use crate::tls13::{
36 Tls13CipherSuite, construct_client_verify_message, construct_server_verify_message,
37};
38use crate::{ConnectionTrafficSecrets, compress, rand, verify};
39
40mod client_hello {
41 use super::*;
42 use crate::compress::CertCompressor;
43 use crate::crypto::SupportedKxGroup;
44 use crate::enums::SignatureScheme;
45 use crate::msgs::base::{Payload, PayloadU8};
46 use crate::msgs::ccs::ChangeCipherSpecPayload;
47 use crate::msgs::enums::{Compression, NamedGroup, PskKeyExchangeMode};
48 use crate::msgs::handshake::{
49 CertReqExtension, CertificatePayloadTls13, CertificateRequestPayloadTls13,
50 ClientHelloPayload, HelloRetryExtension, HelloRetryRequest, KeyShareEntry, Random,
51 ServerExtension, ServerHelloPayload, SessionId,
52 };
53 use crate::server::common::ActiveCertifiedKey;
54 use crate::sign;
55 use crate::tls13::key_schedule::{
56 KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake,
57 };
58 use crate::verify::DigitallySignedStruct;
59
60 #[derive(PartialEq)]
61 pub(super) enum EarlyDataDecision {
62 Disabled,
63 RequestedButRejected,
64 Accepted,
65 }
66
67 pub(in crate::server) struct CompleteClientHelloHandling {
68 pub(in crate::server) config: Arc<ServerConfig>,
69 pub(in crate::server) transcript: HandshakeHash,
70 pub(in crate::server) suite: &'static Tls13CipherSuite,
71 pub(in crate::server) randoms: ConnectionRandoms,
72 pub(in crate::server) done_retry: bool,
73 pub(in crate::server) send_tickets: usize,
74 pub(in crate::server) extra_exts: Vec<ServerExtension>,
75 }
76
77 fn max_early_data_size(configured: u32) -> usize {
78 if configured != 0 {
79 configured as usize
80 } else {
81 16384
89 }
90 }
91
92 impl CompleteClientHelloHandling {
93 fn check_binder(
94 &self,
95 suite: &'static Tls13CipherSuite,
96 client_hello: &Message<'_>,
97 psk: &[u8],
98 binder: &[u8],
99 ) -> bool {
100 let binder_plaintext = match &client_hello.payload {
101 MessagePayload::Handshake { parsed, encoded } => {
102 &encoded.bytes()[..encoded.bytes().len() - parsed.total_binder_length()]
103 }
104 _ => unreachable!(),
105 };
106
107 let handshake_hash = self
108 .transcript
109 .hash_given(binder_plaintext);
110
111 let key_schedule = KeyScheduleEarly::new(suite, psk);
112 let real_binder =
113 key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
114
115 ConstantTimeEq::ct_eq(real_binder.as_ref(), binder).into()
116 }
117
118 fn attempt_tls13_ticket_decryption(
119 &mut self,
120 ticket: &[u8],
121 ) -> Option<persist::ServerSessionValue> {
122 if self.config.ticketer.enabled() {
123 self.config
124 .ticketer
125 .decrypt(ticket)
126 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
127 } else {
128 self.config
129 .session_storage
130 .take(ticket)
131 .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
132 }
133 }
134
135 pub(in crate::server) fn handle_client_hello(
136 mut self,
137 cx: &mut ServerContext<'_>,
138 server_key: ActiveCertifiedKey<'_>,
139 chm: &Message<'_>,
140 client_hello: &ClientHelloPayload,
141 selected_kxg: &'static dyn SupportedKxGroup,
142 mut sigschemes_ext: Vec<SignatureScheme>,
143 ) -> hs::NextStateOrError<'static> {
144 if client_hello.compression_methods.len() != 1 {
145 return Err(cx.common.send_fatal_alert(
146 AlertDescription::IllegalParameter,
147 PeerMisbehaved::OfferedIncorrectCompressions,
148 ));
149 }
150
151 sigschemes_ext.retain(SignatureScheme::supported_in_tls13);
152
153 let shares_ext = client_hello
154 .keyshare_extension()
155 .ok_or_else(|| {
156 cx.common.send_fatal_alert(
157 AlertDescription::HandshakeFailure,
158 PeerIncompatible::KeyShareExtensionRequired,
159 )
160 })?;
161
162 if client_hello.has_keyshare_extension_with_duplicates() {
163 return Err(cx.common.send_fatal_alert(
164 AlertDescription::IllegalParameter,
165 PeerMisbehaved::OfferedDuplicateKeyShares,
166 ));
167 }
168
169 if client_hello.has_certificate_compression_extension_with_duplicates() {
170 return Err(cx.common.send_fatal_alert(
171 AlertDescription::IllegalParameter,
172 PeerMisbehaved::OfferedDuplicateCertificateCompressions,
173 ));
174 }
175
176 let cert_compressor = client_hello
177 .certificate_compression_extension()
178 .and_then(|offered|
179 self.config
182 .cert_compressors
183 .iter()
184 .find(|compressor| offered.contains(&compressor.algorithm()))
185 .cloned());
186
187 let early_data_requested = client_hello.early_data_extension_offered();
188
189 if self.done_retry && early_data_requested {
191 return Err({
192 cx.common.send_fatal_alert(
193 AlertDescription::IllegalParameter,
194 PeerMisbehaved::EarlyDataAttemptedInSecondClientHello,
195 )
196 });
197 }
198
199 let chosen_share_and_kxg = shares_ext.iter().find_map(|share| {
201 (share.group == selected_kxg.name()).then_some((share, selected_kxg))
202 });
203
204 let Some(chosen_share_and_kxg) = chosen_share_and_kxg else {
205 self.transcript.add_message(chm);
208
209 if self.done_retry {
210 return Err(cx.common.send_fatal_alert(
211 AlertDescription::IllegalParameter,
212 PeerMisbehaved::RefusedToFollowHelloRetryRequest,
213 ));
214 }
215
216 emit_hello_retry_request(
217 &mut self.transcript,
218 self.suite,
219 client_hello.session_id,
220 cx.common,
221 selected_kxg.name(),
222 );
223 emit_fake_ccs(cx.common);
224
225 let skip_early_data = max_early_data_size(self.config.max_early_data_size);
226
227 let next = Box::new(hs::ExpectClientHello {
228 config: self.config,
229 transcript: HandshakeHashOrBuffer::Hash(self.transcript),
230 #[cfg(feature = "tls12")]
231 session_id: SessionId::empty(),
232 #[cfg(feature = "tls12")]
233 using_ems: false,
234 done_retry: true,
235 send_tickets: self.send_tickets,
236 extra_exts: self.extra_exts,
237 });
238
239 return if early_data_requested {
240 Ok(Box::new(ExpectAndSkipRejectedEarlyData {
241 skip_data_left: skip_early_data,
242 next,
243 }))
244 } else {
245 Ok(next)
246 };
247 };
248
249 let mut chosen_psk_index = None;
250 let mut resumedata = None;
251
252 if let Some(psk_offer) = client_hello.psk() {
253 if !client_hello.check_psk_ext_is_last() {
254 return Err(cx.common.send_fatal_alert(
255 AlertDescription::IllegalParameter,
256 PeerMisbehaved::PskExtensionMustBeLast,
257 ));
258 }
259
260 if client_hello.psk_modes().is_none() {
265 return Err(cx.common.send_fatal_alert(
266 AlertDescription::MissingExtension,
267 PeerMisbehaved::MissingPskModesExtension,
268 ));
269 }
270
271 if psk_offer.binders.is_empty() {
272 return Err(cx.common.send_fatal_alert(
273 AlertDescription::DecodeError,
274 PeerMisbehaved::MissingBinderInPskExtension,
275 ));
276 }
277
278 if psk_offer.binders.len() != psk_offer.identities.len() {
279 return Err(cx.common.send_fatal_alert(
280 AlertDescription::IllegalParameter,
281 PeerMisbehaved::PskExtensionWithMismatchedIdsAndBinders,
282 ));
283 }
284
285 let now = self.config.current_time()?;
286
287 for (i, psk_id) in psk_offer.identities.iter().enumerate() {
288 let maybe_resume_data = self
289 .attempt_tls13_ticket_decryption(&psk_id.identity.0)
290 .map(|resumedata| {
291 resumedata.set_freshness(psk_id.obfuscated_ticket_age, now)
292 })
293 .filter(|resumedata| {
294 hs::can_resume(self.suite.into(), &cx.data.sni, false, resumedata)
295 });
296
297 let Some(resume) = maybe_resume_data else {
298 continue;
299 };
300
301 if !self.check_binder(
302 self.suite,
303 chm,
304 &resume.master_secret.0,
305 psk_offer.binders[i].as_ref(),
306 ) {
307 return Err(cx.common.send_fatal_alert(
308 AlertDescription::DecryptError,
309 PeerMisbehaved::IncorrectBinder,
310 ));
311 }
312
313 chosen_psk_index = Some(i);
314 resumedata = Some(resume);
315 break;
316 }
317 }
318
319 if !client_hello.psk_mode_offered(PskKeyExchangeMode::PSK_DHE_KE) {
320 debug!("Client unwilling to resume, DHE_KE not offered");
321 self.send_tickets = 0;
322 chosen_psk_index = None;
323 resumedata = None;
324 } else {
325 self.send_tickets = self.config.send_tls13_tickets;
326 }
327
328 if let Some(resume) = &resumedata {
329 cx.data.received_resumption_data = Some(resume.application_data.0.clone());
330 cx.common
331 .peer_certificates
332 .clone_from(&resume.client_cert_chain);
333 }
334
335 let full_handshake = resumedata.is_none();
336 self.transcript.add_message(chm);
337 let key_schedule = emit_server_hello(
338 &mut self.transcript,
339 &self.randoms,
340 self.suite,
341 cx,
342 &client_hello.session_id,
343 chosen_share_and_kxg,
344 chosen_psk_index,
345 resumedata
346 .as_ref()
347 .map(|x| &x.master_secret.0[..]),
348 &self.config,
349 )?;
350 if !self.done_retry {
351 emit_fake_ccs(cx.common);
352 }
353
354 if full_handshake {
355 cx.common
356 .handshake_kind
357 .get_or_insert(HandshakeKind::Full);
358 } else {
359 cx.common.handshake_kind = Some(HandshakeKind::Resumed);
360 }
361
362 let mut ocsp_response = server_key.get_ocsp();
363 let mut flight = HandshakeFlightTls13::new(&mut self.transcript);
364 let doing_early_data = emit_encrypted_extensions(
365 &mut flight,
366 self.suite,
367 cx,
368 &mut ocsp_response,
369 client_hello,
370 resumedata.as_ref(),
371 self.extra_exts,
372 &self.config,
373 )?;
374
375 let doing_client_auth = if full_handshake {
376 let client_auth = emit_certificate_req_tls13(&mut flight, &self.config)?;
377
378 if let Some(compressor) = cert_compressor {
379 emit_compressed_certificate_tls13(
380 &mut flight,
381 &self.config,
382 server_key.get_cert(),
383 ocsp_response,
384 compressor,
385 );
386 } else {
387 emit_certificate_tls13(&mut flight, server_key.get_cert(), ocsp_response);
388 }
389 emit_certificate_verify_tls13(
390 &mut flight,
391 cx.common,
392 server_key.get_key(),
393 &sigschemes_ext,
394 )?;
395 client_auth
396 } else {
397 false
398 };
399
400 match doing_early_data {
403 EarlyDataDecision::Disabled => {
404 key_schedule.set_handshake_decrypter(None, cx.common);
405 cx.data.early_data.reject();
406 }
407 EarlyDataDecision::RequestedButRejected => {
408 debug!(
409 "Client requested early_data, but not accepted: switching to handshake keys with trial decryption"
410 );
411 key_schedule.set_handshake_decrypter(
412 Some(max_early_data_size(self.config.max_early_data_size)),
413 cx.common,
414 );
415 cx.data.early_data.reject();
416 }
417 EarlyDataDecision::Accepted => {
418 cx.data
419 .early_data
420 .accept(self.config.max_early_data_size as usize);
421 }
422 }
423
424 cx.common.check_aligned_handshake()?;
425 let key_schedule_traffic =
426 emit_finished_tls13(flight, &self.randoms, cx, key_schedule, &self.config);
427
428 if !doing_client_auth && self.config.send_half_rtt_data {
429 cx.common
433 .start_outgoing_traffic(&mut cx.sendable_plaintext);
434 }
435
436 if doing_client_auth {
437 if self
438 .config
439 .cert_decompressors
440 .is_empty()
441 {
442 Ok(Box::new(ExpectCertificate {
443 config: self.config,
444 transcript: self.transcript,
445 suite: self.suite,
446 key_schedule: key_schedule_traffic,
447 send_tickets: self.send_tickets,
448 message_already_in_transcript: false,
449 }))
450 } else {
451 Ok(Box::new(ExpectCertificateOrCompressedCertificate {
452 config: self.config,
453 transcript: self.transcript,
454 suite: self.suite,
455 key_schedule: key_schedule_traffic,
456 send_tickets: self.send_tickets,
457 }))
458 }
459 } else if doing_early_data == EarlyDataDecision::Accepted && !cx.common.is_quic() {
460 Ok(Box::new(ExpectEarlyData {
464 config: self.config,
465 transcript: self.transcript,
466 suite: self.suite,
467 key_schedule: key_schedule_traffic,
468 send_tickets: self.send_tickets,
469 }))
470 } else {
471 Ok(Box::new(ExpectFinished {
472 config: self.config,
473 transcript: self.transcript,
474 suite: self.suite,
475 key_schedule: key_schedule_traffic,
476 send_tickets: self.send_tickets,
477 }))
478 }
479 }
480 }
481
482 fn emit_server_hello(
483 transcript: &mut HandshakeHash,
484 randoms: &ConnectionRandoms,
485 suite: &'static Tls13CipherSuite,
486 cx: &mut ServerContext<'_>,
487 session_id: &SessionId,
488 share_and_kxgroup: (&KeyShareEntry, &'static dyn SupportedKxGroup),
489 chosen_psk_idx: Option<usize>,
490 resuming_psk: Option<&[u8]>,
491 config: &ServerConfig,
492 ) -> Result<KeyScheduleHandshake, Error> {
493 let mut extensions = Vec::new();
494
495 let (share, kxgroup) = share_and_kxgroup;
497 debug_assert_eq!(kxgroup.name(), share.group);
498 let ckx = kxgroup
499 .start_and_complete(&share.payload.0)
500 .map_err(|err| {
501 cx.common
502 .send_fatal_alert(AlertDescription::IllegalParameter, err)
503 })?;
504 cx.common.kx_state.complete();
505
506 extensions.push(ServerExtension::KeyShare(KeyShareEntry::new(
507 ckx.group,
508 ckx.pub_key,
509 )));
510 extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
511
512 if let Some(psk_idx) = chosen_psk_idx {
513 extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
514 }
515
516 let sh = Message {
517 version: ProtocolVersion::TLSv1_2,
518 payload: MessagePayload::handshake(HandshakeMessagePayload(
519 HandshakePayload::ServerHello(ServerHelloPayload {
520 legacy_version: ProtocolVersion::TLSv1_2,
521 random: Random::from(randoms.server),
522 session_id: *session_id,
523 cipher_suite: suite.common.suite,
524 compression_method: Compression::Null,
525 extensions,
526 }),
527 )),
528 };
529
530 cx.common.check_aligned_handshake()?;
531
532 let client_hello_hash = transcript.hash_given(&[]);
533
534 trace!("sending server hello {sh:?}");
535 transcript.add_message(&sh);
536 cx.common.send_msg(sh, false);
537
538 let key_schedule_pre_handshake = if let Some(psk) = resuming_psk {
540 let early_key_schedule = KeyScheduleEarly::new(suite, psk);
541 early_key_schedule.client_early_traffic_secret(
542 &client_hello_hash,
543 &*config.key_log,
544 &randoms.client,
545 cx.common,
546 );
547
548 KeySchedulePreHandshake::from(early_key_schedule)
549 } else {
550 KeySchedulePreHandshake::new(suite)
551 };
552
553 let key_schedule = key_schedule_pre_handshake.into_handshake(ckx.secret);
555
556 let handshake_hash = transcript.current_hash();
557 let key_schedule = key_schedule.derive_server_handshake_secrets(
558 handshake_hash,
559 &*config.key_log,
560 &randoms.client,
561 cx.common,
562 );
563
564 Ok(key_schedule)
565 }
566
567 fn emit_fake_ccs(common: &mut CommonState) {
568 if common.is_quic() {
569 return;
570 }
571 let m = Message {
572 version: ProtocolVersion::TLSv1_2,
573 payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
574 };
575 common.send_msg(m, false);
576 }
577
578 fn emit_hello_retry_request(
579 transcript: &mut HandshakeHash,
580 suite: &'static Tls13CipherSuite,
581 session_id: SessionId,
582 common: &mut CommonState,
583 group: NamedGroup,
584 ) {
585 let mut req = HelloRetryRequest {
586 legacy_version: ProtocolVersion::TLSv1_2,
587 session_id,
588 cipher_suite: suite.common.suite,
589 extensions: Vec::new(),
590 };
591
592 req.extensions
593 .push(HelloRetryExtension::KeyShare(group));
594 req.extensions
595 .push(HelloRetryExtension::SupportedVersions(
596 ProtocolVersion::TLSv1_3,
597 ));
598
599 let m = Message {
600 version: ProtocolVersion::TLSv1_2,
601 payload: MessagePayload::handshake(HandshakeMessagePayload(
602 HandshakePayload::HelloRetryRequest(req),
603 )),
604 };
605
606 trace!("Requesting retry {m:?}");
607 transcript.rollup_for_hrr();
608 transcript.add_message(&m);
609 common.send_msg(m, false);
610 common.handshake_kind = Some(HandshakeKind::FullWithHelloRetryRequest);
611 }
612
613 fn decide_if_early_data_allowed(
614 cx: &mut ServerContext<'_>,
615 client_hello: &ClientHelloPayload,
616 resumedata: Option<&persist::ServerSessionValue>,
617 suite: &'static Tls13CipherSuite,
618 config: &ServerConfig,
619 ) -> EarlyDataDecision {
620 let early_data_requested = client_hello.early_data_extension_offered();
621 let rejected_or_disabled = match early_data_requested {
622 true => EarlyDataDecision::RequestedButRejected,
623 false => EarlyDataDecision::Disabled,
624 };
625
626 let Some(resume) = resumedata else {
627 return rejected_or_disabled;
629 };
630
631 let early_data_configured = config.max_early_data_size > 0 && !config.ticketer.enabled();
634
635 let early_data_possible = early_data_requested
652 && resume.is_fresh()
653 && Some(resume.version) == cx.common.negotiated_version
654 && resume.cipher_suite == suite.common.suite
655 && resume.alpn.as_ref().map(|p| &p.0[..]) == cx.common.alpn_protocol.as_deref();
656
657 if early_data_configured && early_data_possible && !cx.data.early_data.was_rejected() {
658 EarlyDataDecision::Accepted
659 } else {
660 if cx.common.is_quic() {
661 cx.common.quic.early_secret = None;
663 }
664
665 rejected_or_disabled
666 }
667 }
668
669 fn emit_encrypted_extensions(
670 flight: &mut HandshakeFlightTls13<'_>,
671 suite: &'static Tls13CipherSuite,
672 cx: &mut ServerContext<'_>,
673 ocsp_response: &mut Option<&[u8]>,
674 hello: &ClientHelloPayload,
675 resumedata: Option<&persist::ServerSessionValue>,
676 extra_exts: Vec<ServerExtension>,
677 config: &ServerConfig,
678 ) -> Result<EarlyDataDecision, Error> {
679 let mut ep = hs::ExtensionProcessing::new();
680 ep.process_common(config, cx, ocsp_response, hello, resumedata, extra_exts)?;
681
682 let early_data = decide_if_early_data_allowed(cx, hello, resumedata, suite, config);
683 if early_data == EarlyDataDecision::Accepted {
684 ep.exts.push(ServerExtension::EarlyData);
685 }
686
687 let ee = HandshakeMessagePayload(HandshakePayload::EncryptedExtensions(ep.exts));
688
689 trace!("sending encrypted extensions {ee:?}");
690 flight.add(ee);
691 Ok(early_data)
692 }
693
694 fn emit_certificate_req_tls13(
695 flight: &mut HandshakeFlightTls13<'_>,
696 config: &ServerConfig,
697 ) -> Result<bool, Error> {
698 if !config.verifier.offer_client_auth() {
699 return Ok(false);
700 }
701
702 let mut cr = CertificateRequestPayloadTls13 {
703 context: PayloadU8::empty(),
704 extensions: Vec::new(),
705 };
706
707 let schemes = config
708 .verifier
709 .supported_verify_schemes();
710 cr.extensions
711 .push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
712
713 if !config.cert_decompressors.is_empty() {
714 cr.extensions
715 .push(CertReqExtension::CertificateCompressionAlgorithms(
716 config
717 .cert_decompressors
718 .iter()
719 .map(|decomp| decomp.algorithm())
720 .collect(),
721 ));
722 }
723
724 let authorities = config.verifier.root_hint_subjects();
725 if !authorities.is_empty() {
726 cr.extensions
727 .push(CertReqExtension::AuthorityNames(authorities.to_vec()));
728 }
729
730 let creq = HandshakeMessagePayload(HandshakePayload::CertificateRequestTls13(cr));
731
732 trace!("Sending CertificateRequest {creq:?}");
733 flight.add(creq);
734 Ok(true)
735 }
736
737 fn emit_certificate_tls13(
738 flight: &mut HandshakeFlightTls13<'_>,
739 cert_chain: &[CertificateDer<'static>],
740 ocsp_response: Option<&[u8]>,
741 ) {
742 let cert = HandshakeMessagePayload(HandshakePayload::CertificateTls13(
743 CertificatePayloadTls13::new(cert_chain.iter(), ocsp_response),
744 ));
745
746 trace!("sending certificate {cert:?}");
747 flight.add(cert);
748 }
749
750 fn emit_compressed_certificate_tls13(
751 flight: &mut HandshakeFlightTls13<'_>,
752 config: &ServerConfig,
753 cert_chain: &[CertificateDer<'static>],
754 ocsp_response: Option<&[u8]>,
755 cert_compressor: &'static dyn CertCompressor,
756 ) {
757 let payload = CertificatePayloadTls13::new(cert_chain.iter(), ocsp_response);
758
759 let Ok(entry) = config
760 .cert_compression_cache
761 .compression_for(cert_compressor, &payload)
762 else {
763 return emit_certificate_tls13(flight, cert_chain, ocsp_response);
764 };
765
766 let c = HandshakeMessagePayload(HandshakePayload::CompressedCertificate(
767 entry.compressed_cert_payload(),
768 ));
769
770 trace!("sending compressed certificate {c:?}");
771 flight.add(c);
772 }
773
774 fn emit_certificate_verify_tls13(
775 flight: &mut HandshakeFlightTls13<'_>,
776 common: &mut CommonState,
777 signing_key: &dyn sign::SigningKey,
778 schemes: &[SignatureScheme],
779 ) -> Result<(), Error> {
780 let message = construct_server_verify_message(&flight.transcript.current_hash());
781
782 let signer = signing_key
783 .choose_scheme(schemes)
784 .ok_or_else(|| {
785 common.send_fatal_alert(
786 AlertDescription::HandshakeFailure,
787 PeerIncompatible::NoSignatureSchemesInCommon,
788 )
789 })?;
790
791 let scheme = signer.scheme();
792 let sig = signer.sign(message.as_ref())?;
793
794 let cv = DigitallySignedStruct::new(scheme, sig);
795
796 let cv = HandshakeMessagePayload(HandshakePayload::CertificateVerify(cv));
797
798 trace!("sending certificate-verify {cv:?}");
799 flight.add(cv);
800 Ok(())
801 }
802
803 fn emit_finished_tls13(
804 mut flight: HandshakeFlightTls13<'_>,
805 randoms: &ConnectionRandoms,
806 cx: &mut ServerContext<'_>,
807 key_schedule: KeyScheduleHandshake,
808 config: &ServerConfig,
809 ) -> KeyScheduleTrafficWithClientFinishedPending {
810 let handshake_hash = flight.transcript.current_hash();
811 let verify_data = key_schedule.sign_server_finish(&handshake_hash);
812 let verify_data_payload = Payload::new(verify_data.as_ref());
813
814 let fin = HandshakeMessagePayload(HandshakePayload::Finished(verify_data_payload));
815
816 trace!("sending finished {fin:?}");
817 flight.add(fin);
818 let hash_at_server_fin = flight.transcript.current_hash();
819 flight.finish(cx.common);
820
821 key_schedule.into_traffic_with_client_finished_pending(
824 hash_at_server_fin,
825 &*config.key_log,
826 &randoms.client,
827 cx.common,
828 )
829 }
830}
831
832struct ExpectAndSkipRejectedEarlyData {
833 skip_data_left: usize,
834 next: Box<hs::ExpectClientHello>,
835}
836
837impl State<ServerConnectionData> for ExpectAndSkipRejectedEarlyData {
838 fn handle<'m>(
839 mut self: Box<Self>,
840 cx: &mut ServerContext<'_>,
841 m: Message<'m>,
842 ) -> hs::NextStateOrError<'m>
843 where
844 Self: 'm,
845 {
846 if let MessagePayload::ApplicationData(skip_data) = &m.payload {
851 if skip_data.bytes().len() <= self.skip_data_left {
852 self.skip_data_left -= skip_data.bytes().len();
853 return Ok(self);
854 }
855 }
856
857 self.next.handle(cx, m)
858 }
859
860 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
861 self
862 }
863}
864
865struct ExpectCertificateOrCompressedCertificate {
866 config: Arc<ServerConfig>,
867 transcript: HandshakeHash,
868 suite: &'static Tls13CipherSuite,
869 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
870 send_tickets: usize,
871}
872
873impl State<ServerConnectionData> for ExpectCertificateOrCompressedCertificate {
874 fn handle<'m>(
875 self: Box<Self>,
876 cx: &mut ServerContext<'_>,
877 m: Message<'m>,
878 ) -> hs::NextStateOrError<'m>
879 where
880 Self: 'm,
881 {
882 match m.payload {
883 MessagePayload::Handshake {
884 parsed: HandshakeMessagePayload(HandshakePayload::CertificateTls13(..)),
885 ..
886 } => Box::new(ExpectCertificate {
887 config: self.config,
888 transcript: self.transcript,
889 suite: self.suite,
890 key_schedule: self.key_schedule,
891 send_tickets: self.send_tickets,
892 message_already_in_transcript: false,
893 })
894 .handle(cx, m),
895
896 MessagePayload::Handshake {
897 parsed: HandshakeMessagePayload(HandshakePayload::CompressedCertificate(..)),
898 ..
899 } => Box::new(ExpectCompressedCertificate {
900 config: self.config,
901 transcript: self.transcript,
902 suite: self.suite,
903 key_schedule: self.key_schedule,
904 send_tickets: self.send_tickets,
905 })
906 .handle(cx, m),
907
908 payload => Err(inappropriate_handshake_message(
909 &payload,
910 &[ContentType::Handshake],
911 &[
912 HandshakeType::Certificate,
913 HandshakeType::CompressedCertificate,
914 ],
915 )),
916 }
917 }
918
919 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
920 self
921 }
922}
923
924struct ExpectCompressedCertificate {
925 config: Arc<ServerConfig>,
926 transcript: HandshakeHash,
927 suite: &'static Tls13CipherSuite,
928 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
929 send_tickets: usize,
930}
931
932impl State<ServerConnectionData> for ExpectCompressedCertificate {
933 fn handle<'m>(
934 mut self: Box<Self>,
935 cx: &mut ServerContext<'_>,
936 m: Message<'m>,
937 ) -> hs::NextStateOrError<'m>
938 where
939 Self: 'm,
940 {
941 self.transcript.add_message(&m);
942 let compressed_cert = require_handshake_msg_move!(
943 m,
944 HandshakeType::CompressedCertificate,
945 HandshakePayload::CompressedCertificate
946 )?;
947
948 let selected_decompressor = self
949 .config
950 .cert_decompressors
951 .iter()
952 .find(|item| item.algorithm() == compressed_cert.alg);
953
954 let Some(decompressor) = selected_decompressor else {
955 return Err(cx.common.send_fatal_alert(
956 AlertDescription::BadCertificate,
957 PeerMisbehaved::SelectedUnofferedCertCompression,
958 ));
959 };
960
961 if compressed_cert.uncompressed_len as usize > CERTIFICATE_MAX_SIZE_LIMIT {
962 return Err(cx.common.send_fatal_alert(
963 AlertDescription::BadCertificate,
964 InvalidMessage::MessageTooLarge,
965 ));
966 }
967
968 let mut decompress_buffer = vec![0u8; compressed_cert.uncompressed_len as usize];
969 if let Err(compress::DecompressionFailed) =
970 decompressor.decompress(compressed_cert.compressed.0.bytes(), &mut decompress_buffer)
971 {
972 return Err(cx.common.send_fatal_alert(
973 AlertDescription::BadCertificate,
974 PeerMisbehaved::InvalidCertCompression,
975 ));
976 }
977
978 let cert_payload =
979 match CertificatePayloadTls13::read(&mut Reader::init(&decompress_buffer)) {
980 Ok(cm) => cm,
981 Err(err) => {
982 return Err(cx
983 .common
984 .send_fatal_alert(AlertDescription::BadCertificate, err));
985 }
986 };
987 trace!(
988 "Client certificate decompressed using {:?} ({} bytes -> {})",
989 compressed_cert.alg,
990 compressed_cert
991 .compressed
992 .0
993 .bytes()
994 .len(),
995 compressed_cert.uncompressed_len,
996 );
997
998 let m = Message {
999 version: ProtocolVersion::TLSv1_3,
1000 payload: MessagePayload::handshake(HandshakeMessagePayload(
1001 HandshakePayload::CertificateTls13(cert_payload.into_owned()),
1002 )),
1003 };
1004
1005 Box::new(ExpectCertificate {
1006 config: self.config,
1007 transcript: self.transcript,
1008 suite: self.suite,
1009 key_schedule: self.key_schedule,
1010 send_tickets: self.send_tickets,
1011 message_already_in_transcript: true,
1012 })
1013 .handle(cx, m)
1014 }
1015
1016 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1017 self
1018 }
1019}
1020
1021struct ExpectCertificate {
1022 config: Arc<ServerConfig>,
1023 transcript: HandshakeHash,
1024 suite: &'static Tls13CipherSuite,
1025 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1026 send_tickets: usize,
1027 message_already_in_transcript: bool,
1028}
1029
1030impl State<ServerConnectionData> for ExpectCertificate {
1031 fn handle<'m>(
1032 mut self: Box<Self>,
1033 cx: &mut ServerContext<'_>,
1034 m: Message<'m>,
1035 ) -> hs::NextStateOrError<'m>
1036 where
1037 Self: 'm,
1038 {
1039 if !self.message_already_in_transcript {
1040 self.transcript.add_message(&m);
1041 }
1042 let certp = require_handshake_msg_move!(
1043 m,
1044 HandshakeType::Certificate,
1045 HandshakePayload::CertificateTls13
1046 )?;
1047
1048 if certp.any_entry_has_extension() {
1051 return Err(PeerMisbehaved::UnsolicitedCertExtension.into());
1052 }
1053
1054 let client_cert = certp.into_certificate_chain();
1055
1056 let mandatory = self
1057 .config
1058 .verifier
1059 .client_auth_mandatory();
1060
1061 let Some((end_entity, intermediates)) = client_cert.split_first() else {
1062 if !mandatory {
1063 debug!("client auth requested but no certificate supplied");
1064 self.transcript.abandon_client_auth();
1065 return Ok(Box::new(ExpectFinished {
1066 config: self.config,
1067 suite: self.suite,
1068 key_schedule: self.key_schedule,
1069 transcript: self.transcript,
1070 send_tickets: self.send_tickets,
1071 }));
1072 }
1073
1074 return Err(cx.common.send_fatal_alert(
1075 AlertDescription::CertificateRequired,
1076 Error::NoCertificatesPresented,
1077 ));
1078 };
1079
1080 let now = self.config.current_time()?;
1081
1082 self.config
1083 .verifier
1084 .verify_client_cert(end_entity, intermediates, now)
1085 .map_err(|err| {
1086 cx.common
1087 .send_cert_verify_error_alert(err)
1088 })?;
1089
1090 Ok(Box::new(ExpectCertificateVerify {
1091 config: self.config,
1092 suite: self.suite,
1093 transcript: self.transcript,
1094 key_schedule: self.key_schedule,
1095 client_cert: client_cert.into_owned(),
1096 send_tickets: self.send_tickets,
1097 }))
1098 }
1099
1100 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1101 self
1102 }
1103}
1104
1105struct ExpectCertificateVerify {
1106 config: Arc<ServerConfig>,
1107 transcript: HandshakeHash,
1108 suite: &'static Tls13CipherSuite,
1109 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1110 client_cert: CertificateChain<'static>,
1111 send_tickets: usize,
1112}
1113
1114impl State<ServerConnectionData> for ExpectCertificateVerify {
1115 fn handle<'m>(
1116 mut self: Box<Self>,
1117 cx: &mut ServerContext<'_>,
1118 m: Message<'m>,
1119 ) -> hs::NextStateOrError<'m>
1120 where
1121 Self: 'm,
1122 {
1123 let rc = {
1124 let sig = require_handshake_msg!(
1125 m,
1126 HandshakeType::CertificateVerify,
1127 HandshakePayload::CertificateVerify
1128 )?;
1129 let handshake_hash = self.transcript.current_hash();
1130 self.transcript.abandon_client_auth();
1131 let certs = &self.client_cert;
1132 let msg = construct_client_verify_message(&handshake_hash);
1133
1134 self.config
1135 .verifier
1136 .verify_tls13_signature(msg.as_ref(), &certs[0], sig)
1137 };
1138
1139 if let Err(e) = rc {
1140 return Err(cx
1141 .common
1142 .send_cert_verify_error_alert(e));
1143 }
1144
1145 trace!("client CertificateVerify OK");
1146 cx.common.peer_certificates = Some(self.client_cert);
1147
1148 self.transcript.add_message(&m);
1149 Ok(Box::new(ExpectFinished {
1150 config: self.config,
1151 suite: self.suite,
1152 key_schedule: self.key_schedule,
1153 transcript: self.transcript,
1154 send_tickets: self.send_tickets,
1155 }))
1156 }
1157
1158 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1159 self
1160 }
1161}
1162
1163struct ExpectEarlyData {
1167 config: Arc<ServerConfig>,
1168 transcript: HandshakeHash,
1169 suite: &'static Tls13CipherSuite,
1170 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1171 send_tickets: usize,
1172}
1173
1174impl State<ServerConnectionData> for ExpectEarlyData {
1175 fn handle<'m>(
1176 mut self: Box<Self>,
1177 cx: &mut ServerContext<'_>,
1178 m: Message<'m>,
1179 ) -> hs::NextStateOrError<'m>
1180 where
1181 Self: 'm,
1182 {
1183 match m.payload {
1184 MessagePayload::ApplicationData(payload) => {
1185 match cx
1186 .data
1187 .early_data
1188 .take_received_plaintext(payload)
1189 {
1190 true => Ok(self),
1191 false => Err(cx.common.send_fatal_alert(
1192 AlertDescription::UnexpectedMessage,
1193 PeerMisbehaved::TooMuchEarlyDataReceived,
1194 )),
1195 }
1196 }
1197 MessagePayload::Handshake {
1198 parsed: HandshakeMessagePayload(HandshakePayload::EndOfEarlyData),
1199 ..
1200 } => {
1201 self.key_schedule
1202 .update_decrypter(cx.common);
1203 self.transcript.add_message(&m);
1204 Ok(Box::new(ExpectFinished {
1205 config: self.config,
1206 suite: self.suite,
1207 key_schedule: self.key_schedule,
1208 transcript: self.transcript,
1209 send_tickets: self.send_tickets,
1210 }))
1211 }
1212 payload => Err(inappropriate_handshake_message(
1213 &payload,
1214 &[ContentType::ApplicationData, ContentType::Handshake],
1215 &[HandshakeType::EndOfEarlyData],
1216 )),
1217 }
1218 }
1219
1220 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1221 self
1222 }
1223}
1224
1225fn get_server_session_value(
1227 suite: &'static Tls13CipherSuite,
1228 secret: &ResumptionSecret<'_>,
1229 cx: &ServerContext<'_>,
1230 nonce: &[u8],
1231 time_now: UnixTime,
1232 age_obfuscation_offset: u32,
1233) -> persist::ServerSessionValue {
1234 let version = ProtocolVersion::TLSv1_3;
1235
1236 let secret = secret.derive_ticket_psk(nonce);
1237
1238 persist::ServerSessionValue::new(
1239 cx.data.sni.as_ref(),
1240 version,
1241 suite.common.suite,
1242 secret.as_ref(),
1243 cx.common.peer_certificates.clone(),
1244 cx.common.alpn_protocol.clone(),
1245 cx.data.resumption_data.clone(),
1246 time_now,
1247 age_obfuscation_offset,
1248 )
1249}
1250
1251struct ExpectFinished {
1252 config: Arc<ServerConfig>,
1253 transcript: HandshakeHash,
1254 suite: &'static Tls13CipherSuite,
1255 key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1256 send_tickets: usize,
1257}
1258
1259impl ExpectFinished {
1260 fn emit_ticket(
1261 flight: &mut HandshakeFlightTls13<'_>,
1262 suite: &'static Tls13CipherSuite,
1263 cx: &ServerContext<'_>,
1264 secret: &ResumptionSecret<'_>,
1265 config: &ServerConfig,
1266 ) -> Result<(), Error> {
1267 let secure_random = config.provider.secure_random;
1268 let nonce = rand::random_vec(secure_random, 32)?;
1269 let age_add = rand::random_u32(secure_random)?;
1270
1271 let now = config.current_time()?;
1272
1273 let plain =
1274 get_server_session_value(suite, secret, cx, &nonce, now, age_add).get_encoding();
1275
1276 let stateless = config.ticketer.enabled();
1277 let (ticket, lifetime) = if stateless {
1278 let Some(ticket) = config.ticketer.encrypt(&plain) else {
1279 return Ok(());
1280 };
1281 (ticket, config.ticketer.lifetime())
1282 } else {
1283 let id = rand::random_vec(secure_random, 32)?;
1284 let stored = config
1285 .session_storage
1286 .put(id.clone(), plain);
1287 if !stored {
1288 trace!("resumption not available; not issuing ticket");
1289 return Ok(());
1290 }
1291 let stateful_lifetime = 24 * 60 * 60; (id, stateful_lifetime)
1293 };
1294
1295 let mut payload = NewSessionTicketPayloadTls13::new(lifetime, age_add, nonce, ticket);
1296
1297 if config.max_early_data_size > 0 {
1298 if !stateless {
1299 payload
1300 .exts
1301 .push(NewSessionTicketExtension::EarlyData(
1302 config.max_early_data_size,
1303 ));
1304 } else {
1305 warn!("early_data with stateless resumption is not allowed");
1308 }
1309 }
1310
1311 let t = HandshakeMessagePayload(HandshakePayload::NewSessionTicketTls13(payload));
1312 trace!("sending new ticket {t:?} (stateless: {stateless})");
1313 flight.add(t);
1314
1315 Ok(())
1316 }
1317}
1318
1319impl State<ServerConnectionData> for ExpectFinished {
1320 fn handle<'m>(
1321 mut self: Box<Self>,
1322 cx: &mut ServerContext<'_>,
1323 m: Message<'m>,
1324 ) -> hs::NextStateOrError<'m>
1325 where
1326 Self: 'm,
1327 {
1328 let finished =
1329 require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
1330
1331 let handshake_hash = self.transcript.current_hash();
1332 let (key_schedule_traffic, expect_verify_data) = self
1333 .key_schedule
1334 .sign_client_finish(&handshake_hash, cx.common);
1335
1336 let fin = match ConstantTimeEq::ct_eq(expect_verify_data.as_ref(), finished.bytes()).into()
1337 {
1338 true => verify::FinishedMessageVerified::assertion(),
1339 false => {
1340 return Err(cx
1341 .common
1342 .send_fatal_alert(AlertDescription::DecryptError, Error::DecryptError));
1343 }
1344 };
1345
1346 self.transcript.add_message(&m);
1349
1350 cx.common.check_aligned_handshake()?;
1351
1352 let handshake_hash = self.transcript.current_hash();
1353 let resumption = ResumptionSecret::new(&key_schedule_traffic, &handshake_hash);
1354
1355 let mut flight = HandshakeFlightTls13::new(&mut self.transcript);
1356 for _ in 0..self.send_tickets {
1357 Self::emit_ticket(&mut flight, self.suite, cx, &resumption, &self.config)?;
1358 }
1359 flight.finish(cx.common);
1360
1361 cx.common
1363 .start_traffic(&mut cx.sendable_plaintext);
1364
1365 Ok(match cx.common.is_quic() {
1366 true => Box::new(ExpectQuicTraffic {
1367 key_schedule: key_schedule_traffic,
1368 _fin_verified: fin,
1369 }),
1370 false => Box::new(ExpectTraffic {
1371 key_schedule: key_schedule_traffic,
1372 _fin_verified: fin,
1373 }),
1374 })
1375 }
1376
1377 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1378 self
1379 }
1380}
1381
1382struct ExpectTraffic {
1384 key_schedule: KeyScheduleTraffic,
1385 _fin_verified: verify::FinishedMessageVerified,
1386}
1387
1388impl ExpectTraffic {
1389 fn handle_key_update(
1390 &mut self,
1391 common: &mut CommonState,
1392 key_update_request: &KeyUpdateRequest,
1393 ) -> Result<(), Error> {
1394 if let Protocol::Quic = common.protocol {
1395 return Err(common.send_fatal_alert(
1396 AlertDescription::UnexpectedMessage,
1397 PeerMisbehaved::KeyUpdateReceivedInQuicConnection,
1398 ));
1399 }
1400
1401 common.check_aligned_handshake()?;
1402
1403 if common.should_update_key(key_update_request)? {
1404 self.key_schedule
1405 .update_encrypter_and_notify(common);
1406 }
1407
1408 self.key_schedule
1410 .update_decrypter(common);
1411 Ok(())
1412 }
1413}
1414
1415impl State<ServerConnectionData> for ExpectTraffic {
1416 fn handle<'m>(
1417 mut self: Box<Self>,
1418 cx: &mut ServerContext<'_>,
1419 m: Message<'m>,
1420 ) -> hs::NextStateOrError<'m>
1421 where
1422 Self: 'm,
1423 {
1424 match m.payload {
1425 MessagePayload::ApplicationData(payload) => cx
1426 .common
1427 .take_received_plaintext(payload),
1428 MessagePayload::Handshake {
1429 parsed: HandshakeMessagePayload(HandshakePayload::KeyUpdate(key_update)),
1430 ..
1431 } => self.handle_key_update(cx.common, &key_update)?,
1432 payload => {
1433 return Err(inappropriate_handshake_message(
1434 &payload,
1435 &[ContentType::ApplicationData, ContentType::Handshake],
1436 &[HandshakeType::KeyUpdate],
1437 ));
1438 }
1439 }
1440
1441 Ok(self)
1442 }
1443
1444 fn export_keying_material(
1445 &self,
1446 output: &mut [u8],
1447 label: &[u8],
1448 context: Option<&[u8]>,
1449 ) -> Result<(), Error> {
1450 self.key_schedule
1451 .export_keying_material(output, label, context)
1452 }
1453
1454 fn extract_secrets(&self) -> Result<PartiallyExtractedSecrets, Error> {
1455 self.key_schedule
1456 .extract_secrets(Side::Server)
1457 }
1458
1459 fn send_key_update_request(&mut self, common: &mut CommonState) -> Result<(), Error> {
1460 self.key_schedule
1461 .request_key_update_and_update_encrypter(common)
1462 }
1463
1464 fn into_external_state(self: Box<Self>) -> Result<Box<dyn KernelState + 'static>, Error> {
1465 Ok(self)
1466 }
1467
1468 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1469 self
1470 }
1471}
1472
1473impl KernelState for ExpectTraffic {
1474 fn update_secrets(&mut self, dir: Direction) -> Result<ConnectionTrafficSecrets, Error> {
1475 self.key_schedule
1476 .refresh_traffic_secret(match dir {
1477 Direction::Transmit => Side::Server,
1478 Direction::Receive => Side::Client,
1479 })
1480 }
1481
1482 fn handle_new_session_ticket(
1483 &mut self,
1484 _cx: &mut KernelContext<'_>,
1485 _message: &NewSessionTicketPayloadTls13,
1486 ) -> Result<(), Error> {
1487 unreachable!(
1488 "server connections should never have handle_new_session_ticket called on them"
1489 )
1490 }
1491}
1492
1493struct ExpectQuicTraffic {
1494 key_schedule: KeyScheduleTraffic,
1495 _fin_verified: verify::FinishedMessageVerified,
1496}
1497
1498impl State<ServerConnectionData> for ExpectQuicTraffic {
1499 fn handle<'m>(
1500 self: Box<Self>,
1501 _cx: &mut ServerContext<'_>,
1502 m: Message<'m>,
1503 ) -> hs::NextStateOrError<'m>
1504 where
1505 Self: 'm,
1506 {
1507 Err(inappropriate_message(&m.payload, &[]))
1509 }
1510
1511 fn export_keying_material(
1512 &self,
1513 output: &mut [u8],
1514 label: &[u8],
1515 context: Option<&[u8]>,
1516 ) -> Result<(), Error> {
1517 self.key_schedule
1518 .export_keying_material(output, label, context)
1519 }
1520
1521 fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1522 self
1523 }
1524}
1525
1526impl KernelState for ExpectQuicTraffic {
1527 fn update_secrets(&mut self, _: Direction) -> Result<ConnectionTrafficSecrets, Error> {
1528 Err(Error::General(
1529 "QUIC connections do not support key updates".into(),
1530 ))
1531 }
1532
1533 fn handle_new_session_ticket(
1534 &mut self,
1535 _cx: &mut KernelContext<'_>,
1536 _message: &NewSessionTicketPayloadTls13,
1537 ) -> Result<(), Error> {
1538 unreachable!("handle_new_session_ticket should not be called for server-side connections")
1539 }
1540}