rustls/server/
tls13.rs

1use alloc::boxed::Box;
2use alloc::vec;
3use alloc::vec::Vec;
4
5pub(super) use client_hello::CompleteClientHelloHandling;
6use pki_types::{CertificateDer, UnixTime};
7use subtle::ConstantTimeEq;
8
9use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
10use super::server_conn::ServerConnectionData;
11use crate::check::{inappropriate_handshake_message, inappropriate_message};
12use crate::common_state::{
13    CommonState, HandshakeFlightTls13, HandshakeKind, Protocol, Side, State,
14};
15use crate::conn::ConnectionRandoms;
16use crate::conn::kernel::{Direction, KernelContext, KernelState};
17use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
18use crate::error::{Error, InvalidMessage, PeerIncompatible, PeerMisbehaved};
19use crate::hash_hs::HandshakeHash;
20use crate::log::{debug, trace, warn};
21use crate::msgs::codec::{Codec, Reader};
22use crate::msgs::enums::KeyUpdateRequest;
23use crate::msgs::handshake::{
24    CERTIFICATE_MAX_SIZE_LIMIT, CertificateChain, CertificatePayloadTls13, HandshakeMessagePayload,
25    HandshakePayload, NewSessionTicketExtension, NewSessionTicketPayloadTls13,
26};
27use crate::msgs::message::{Message, MessagePayload};
28use crate::msgs::persist;
29use crate::server::ServerConfig;
30use crate::suites::PartiallyExtractedSecrets;
31use crate::sync::Arc;
32use crate::tls13::key_schedule::{
33    KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending, ResumptionSecret,
34};
35use crate::tls13::{
36    Tls13CipherSuite, construct_client_verify_message, construct_server_verify_message,
37};
38use crate::{ConnectionTrafficSecrets, compress, rand, verify};
39
40mod client_hello {
41    use super::*;
42    use crate::compress::CertCompressor;
43    use crate::crypto::SupportedKxGroup;
44    use crate::enums::SignatureScheme;
45    use crate::msgs::base::{Payload, PayloadU8};
46    use crate::msgs::ccs::ChangeCipherSpecPayload;
47    use crate::msgs::enums::{Compression, NamedGroup, PskKeyExchangeMode};
48    use crate::msgs::handshake::{
49        CertReqExtension, CertificatePayloadTls13, CertificateRequestPayloadTls13,
50        ClientHelloPayload, HelloRetryExtension, HelloRetryRequest, KeyShareEntry, Random,
51        ServerExtension, ServerHelloPayload, SessionId,
52    };
53    use crate::server::common::ActiveCertifiedKey;
54    use crate::sign;
55    use crate::tls13::key_schedule::{
56        KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake,
57    };
58    use crate::verify::DigitallySignedStruct;
59
60    #[derive(PartialEq)]
61    pub(super) enum EarlyDataDecision {
62        Disabled,
63        RequestedButRejected,
64        Accepted,
65    }
66
67    pub(in crate::server) struct CompleteClientHelloHandling {
68        pub(in crate::server) config: Arc<ServerConfig>,
69        pub(in crate::server) transcript: HandshakeHash,
70        pub(in crate::server) suite: &'static Tls13CipherSuite,
71        pub(in crate::server) randoms: ConnectionRandoms,
72        pub(in crate::server) done_retry: bool,
73        pub(in crate::server) send_tickets: usize,
74        pub(in crate::server) extra_exts: Vec<ServerExtension>,
75    }
76
77    fn max_early_data_size(configured: u32) -> usize {
78        if configured != 0 {
79            configured as usize
80        } else {
81            // The relevant max_early_data_size may in fact be unknowable: if
82            // we (the server) have turned off early_data but the client has
83            // a stale ticket from when we allowed early_data: we'll naturally
84            // reject early_data but need an upper bound on the amount of data
85            // to drop.
86            //
87            // Use a single maximum-sized message.
88            16384
89        }
90    }
91
92    impl CompleteClientHelloHandling {
93        fn check_binder(
94            &self,
95            suite: &'static Tls13CipherSuite,
96            client_hello: &Message<'_>,
97            psk: &[u8],
98            binder: &[u8],
99        ) -> bool {
100            let binder_plaintext = match &client_hello.payload {
101                MessagePayload::Handshake { parsed, encoded } => {
102                    &encoded.bytes()[..encoded.bytes().len() - parsed.total_binder_length()]
103                }
104                _ => unreachable!(),
105            };
106
107            let handshake_hash = self
108                .transcript
109                .hash_given(binder_plaintext);
110
111            let key_schedule = KeyScheduleEarly::new(suite, psk);
112            let real_binder =
113                key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
114
115            ConstantTimeEq::ct_eq(real_binder.as_ref(), binder).into()
116        }
117
118        fn attempt_tls13_ticket_decryption(
119            &mut self,
120            ticket: &[u8],
121        ) -> Option<persist::ServerSessionValue> {
122            if self.config.ticketer.enabled() {
123                self.config
124                    .ticketer
125                    .decrypt(ticket)
126                    .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
127            } else {
128                self.config
129                    .session_storage
130                    .take(ticket)
131                    .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
132            }
133        }
134
135        pub(in crate::server) fn handle_client_hello(
136            mut self,
137            cx: &mut ServerContext<'_>,
138            server_key: ActiveCertifiedKey<'_>,
139            chm: &Message<'_>,
140            client_hello: &ClientHelloPayload,
141            selected_kxg: &'static dyn SupportedKxGroup,
142            mut sigschemes_ext: Vec<SignatureScheme>,
143        ) -> hs::NextStateOrError<'static> {
144            if client_hello.compression_methods.len() != 1 {
145                return Err(cx.common.send_fatal_alert(
146                    AlertDescription::IllegalParameter,
147                    PeerMisbehaved::OfferedIncorrectCompressions,
148                ));
149            }
150
151            sigschemes_ext.retain(SignatureScheme::supported_in_tls13);
152
153            let shares_ext = client_hello
154                .keyshare_extension()
155                .ok_or_else(|| {
156                    cx.common.send_fatal_alert(
157                        AlertDescription::HandshakeFailure,
158                        PeerIncompatible::KeyShareExtensionRequired,
159                    )
160                })?;
161
162            if client_hello.has_keyshare_extension_with_duplicates() {
163                return Err(cx.common.send_fatal_alert(
164                    AlertDescription::IllegalParameter,
165                    PeerMisbehaved::OfferedDuplicateKeyShares,
166                ));
167            }
168
169            if client_hello.has_certificate_compression_extension_with_duplicates() {
170                return Err(cx.common.send_fatal_alert(
171                    AlertDescription::IllegalParameter,
172                    PeerMisbehaved::OfferedDuplicateCertificateCompressions,
173                ));
174            }
175
176            let cert_compressor = client_hello
177                .certificate_compression_extension()
178                .and_then(|offered|
179                    // prefer server order when choosing a compression: the client's
180                    // extension here does not denote any preference.
181                    self.config
182                        .cert_compressors
183                        .iter()
184                        .find(|compressor| offered.contains(&compressor.algorithm()))
185                        .cloned());
186
187            let early_data_requested = client_hello.early_data_extension_offered();
188
189            // EarlyData extension is illegal in second ClientHello
190            if self.done_retry && early_data_requested {
191                return Err({
192                    cx.common.send_fatal_alert(
193                        AlertDescription::IllegalParameter,
194                        PeerMisbehaved::EarlyDataAttemptedInSecondClientHello,
195                    )
196                });
197            }
198
199            // See if there is a KeyShare for the selected kx group.
200            let chosen_share_and_kxg = shares_ext.iter().find_map(|share| {
201                (share.group == selected_kxg.name()).then_some((share, selected_kxg))
202            });
203
204            let Some(chosen_share_and_kxg) = chosen_share_and_kxg else {
205                // We don't have a suitable key share.  Send a HelloRetryRequest
206                // for the mutually_preferred_group.
207                self.transcript.add_message(chm);
208
209                if self.done_retry {
210                    return Err(cx.common.send_fatal_alert(
211                        AlertDescription::IllegalParameter,
212                        PeerMisbehaved::RefusedToFollowHelloRetryRequest,
213                    ));
214                }
215
216                emit_hello_retry_request(
217                    &mut self.transcript,
218                    self.suite,
219                    client_hello.session_id,
220                    cx.common,
221                    selected_kxg.name(),
222                );
223                emit_fake_ccs(cx.common);
224
225                let skip_early_data = max_early_data_size(self.config.max_early_data_size);
226
227                let next = Box::new(hs::ExpectClientHello {
228                    config: self.config,
229                    transcript: HandshakeHashOrBuffer::Hash(self.transcript),
230                    #[cfg(feature = "tls12")]
231                    session_id: SessionId::empty(),
232                    #[cfg(feature = "tls12")]
233                    using_ems: false,
234                    done_retry: true,
235                    send_tickets: self.send_tickets,
236                    extra_exts: self.extra_exts,
237                });
238
239                return if early_data_requested {
240                    Ok(Box::new(ExpectAndSkipRejectedEarlyData {
241                        skip_data_left: skip_early_data,
242                        next,
243                    }))
244                } else {
245                    Ok(next)
246                };
247            };
248
249            let mut chosen_psk_index = None;
250            let mut resumedata = None;
251
252            if let Some(psk_offer) = client_hello.psk() {
253                if !client_hello.check_psk_ext_is_last() {
254                    return Err(cx.common.send_fatal_alert(
255                        AlertDescription::IllegalParameter,
256                        PeerMisbehaved::PskExtensionMustBeLast,
257                    ));
258                }
259
260                // "A client MUST provide a "psk_key_exchange_modes" extension if it
261                //  offers a "pre_shared_key" extension. If clients offer
262                //  "pre_shared_key" without a "psk_key_exchange_modes" extension,
263                //  servers MUST abort the handshake." - RFC8446 4.2.9
264                if client_hello.psk_modes().is_none() {
265                    return Err(cx.common.send_fatal_alert(
266                        AlertDescription::MissingExtension,
267                        PeerMisbehaved::MissingPskModesExtension,
268                    ));
269                }
270
271                if psk_offer.binders.is_empty() {
272                    return Err(cx.common.send_fatal_alert(
273                        AlertDescription::DecodeError,
274                        PeerMisbehaved::MissingBinderInPskExtension,
275                    ));
276                }
277
278                if psk_offer.binders.len() != psk_offer.identities.len() {
279                    return Err(cx.common.send_fatal_alert(
280                        AlertDescription::IllegalParameter,
281                        PeerMisbehaved::PskExtensionWithMismatchedIdsAndBinders,
282                    ));
283                }
284
285                let now = self.config.current_time()?;
286
287                for (i, psk_id) in psk_offer.identities.iter().enumerate() {
288                    let maybe_resume_data = self
289                        .attempt_tls13_ticket_decryption(&psk_id.identity.0)
290                        .map(|resumedata| {
291                            resumedata.set_freshness(psk_id.obfuscated_ticket_age, now)
292                        })
293                        .filter(|resumedata| {
294                            hs::can_resume(self.suite.into(), &cx.data.sni, false, resumedata)
295                        });
296
297                    let Some(resume) = maybe_resume_data else {
298                        continue;
299                    };
300
301                    if !self.check_binder(
302                        self.suite,
303                        chm,
304                        &resume.master_secret.0,
305                        psk_offer.binders[i].as_ref(),
306                    ) {
307                        return Err(cx.common.send_fatal_alert(
308                            AlertDescription::DecryptError,
309                            PeerMisbehaved::IncorrectBinder,
310                        ));
311                    }
312
313                    chosen_psk_index = Some(i);
314                    resumedata = Some(resume);
315                    break;
316                }
317            }
318
319            if !client_hello.psk_mode_offered(PskKeyExchangeMode::PSK_DHE_KE) {
320                debug!("Client unwilling to resume, DHE_KE not offered");
321                self.send_tickets = 0;
322                chosen_psk_index = None;
323                resumedata = None;
324            } else {
325                self.send_tickets = self.config.send_tls13_tickets;
326            }
327
328            if let Some(resume) = &resumedata {
329                cx.data.received_resumption_data = Some(resume.application_data.0.clone());
330                cx.common
331                    .peer_certificates
332                    .clone_from(&resume.client_cert_chain);
333            }
334
335            let full_handshake = resumedata.is_none();
336            self.transcript.add_message(chm);
337            let key_schedule = emit_server_hello(
338                &mut self.transcript,
339                &self.randoms,
340                self.suite,
341                cx,
342                &client_hello.session_id,
343                chosen_share_and_kxg,
344                chosen_psk_index,
345                resumedata
346                    .as_ref()
347                    .map(|x| &x.master_secret.0[..]),
348                &self.config,
349            )?;
350            if !self.done_retry {
351                emit_fake_ccs(cx.common);
352            }
353
354            if full_handshake {
355                cx.common
356                    .handshake_kind
357                    .get_or_insert(HandshakeKind::Full);
358            } else {
359                cx.common.handshake_kind = Some(HandshakeKind::Resumed);
360            }
361
362            let mut ocsp_response = server_key.get_ocsp();
363            let mut flight = HandshakeFlightTls13::new(&mut self.transcript);
364            let doing_early_data = emit_encrypted_extensions(
365                &mut flight,
366                self.suite,
367                cx,
368                &mut ocsp_response,
369                client_hello,
370                resumedata.as_ref(),
371                self.extra_exts,
372                &self.config,
373            )?;
374
375            let doing_client_auth = if full_handshake {
376                let client_auth = emit_certificate_req_tls13(&mut flight, &self.config)?;
377
378                if let Some(compressor) = cert_compressor {
379                    emit_compressed_certificate_tls13(
380                        &mut flight,
381                        &self.config,
382                        server_key.get_cert(),
383                        ocsp_response,
384                        compressor,
385                    );
386                } else {
387                    emit_certificate_tls13(&mut flight, server_key.get_cert(), ocsp_response);
388                }
389                emit_certificate_verify_tls13(
390                    &mut flight,
391                    cx.common,
392                    server_key.get_key(),
393                    &sigschemes_ext,
394                )?;
395                client_auth
396            } else {
397                false
398            };
399
400            // If we're not doing early data, then the next messages we receive
401            // are encrypted with the handshake keys.
402            match doing_early_data {
403                EarlyDataDecision::Disabled => {
404                    key_schedule.set_handshake_decrypter(None, cx.common);
405                    cx.data.early_data.reject();
406                }
407                EarlyDataDecision::RequestedButRejected => {
408                    debug!(
409                        "Client requested early_data, but not accepted: switching to handshake keys with trial decryption"
410                    );
411                    key_schedule.set_handshake_decrypter(
412                        Some(max_early_data_size(self.config.max_early_data_size)),
413                        cx.common,
414                    );
415                    cx.data.early_data.reject();
416                }
417                EarlyDataDecision::Accepted => {
418                    cx.data
419                        .early_data
420                        .accept(self.config.max_early_data_size as usize);
421                }
422            }
423
424            cx.common.check_aligned_handshake()?;
425            let key_schedule_traffic =
426                emit_finished_tls13(flight, &self.randoms, cx, key_schedule, &self.config);
427
428            if !doing_client_auth && self.config.send_half_rtt_data {
429                // Application data can be sent immediately after Finished, in one
430                // flight.  However, if client auth is enabled, we don't want to send
431                // application data to an unauthenticated peer.
432                cx.common
433                    .start_outgoing_traffic(&mut cx.sendable_plaintext);
434            }
435
436            if doing_client_auth {
437                if self
438                    .config
439                    .cert_decompressors
440                    .is_empty()
441                {
442                    Ok(Box::new(ExpectCertificate {
443                        config: self.config,
444                        transcript: self.transcript,
445                        suite: self.suite,
446                        key_schedule: key_schedule_traffic,
447                        send_tickets: self.send_tickets,
448                        message_already_in_transcript: false,
449                    }))
450                } else {
451                    Ok(Box::new(ExpectCertificateOrCompressedCertificate {
452                        config: self.config,
453                        transcript: self.transcript,
454                        suite: self.suite,
455                        key_schedule: key_schedule_traffic,
456                        send_tickets: self.send_tickets,
457                    }))
458                }
459            } else if doing_early_data == EarlyDataDecision::Accepted && !cx.common.is_quic() {
460                // Not used for QUIC: RFC 9001 §8.3: Clients MUST NOT send the EndOfEarlyData
461                // message. A server MUST treat receipt of a CRYPTO frame in a 0-RTT packet as a
462                // connection error of type PROTOCOL_VIOLATION.
463                Ok(Box::new(ExpectEarlyData {
464                    config: self.config,
465                    transcript: self.transcript,
466                    suite: self.suite,
467                    key_schedule: key_schedule_traffic,
468                    send_tickets: self.send_tickets,
469                }))
470            } else {
471                Ok(Box::new(ExpectFinished {
472                    config: self.config,
473                    transcript: self.transcript,
474                    suite: self.suite,
475                    key_schedule: key_schedule_traffic,
476                    send_tickets: self.send_tickets,
477                }))
478            }
479        }
480    }
481
482    fn emit_server_hello(
483        transcript: &mut HandshakeHash,
484        randoms: &ConnectionRandoms,
485        suite: &'static Tls13CipherSuite,
486        cx: &mut ServerContext<'_>,
487        session_id: &SessionId,
488        share_and_kxgroup: (&KeyShareEntry, &'static dyn SupportedKxGroup),
489        chosen_psk_idx: Option<usize>,
490        resuming_psk: Option<&[u8]>,
491        config: &ServerConfig,
492    ) -> Result<KeyScheduleHandshake, Error> {
493        let mut extensions = Vec::new();
494
495        // Prepare key exchange; the caller already found the matching SupportedKxGroup
496        let (share, kxgroup) = share_and_kxgroup;
497        debug_assert_eq!(kxgroup.name(), share.group);
498        let ckx = kxgroup
499            .start_and_complete(&share.payload.0)
500            .map_err(|err| {
501                cx.common
502                    .send_fatal_alert(AlertDescription::IllegalParameter, err)
503            })?;
504        cx.common.kx_state.complete();
505
506        extensions.push(ServerExtension::KeyShare(KeyShareEntry::new(
507            ckx.group,
508            ckx.pub_key,
509        )));
510        extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
511
512        if let Some(psk_idx) = chosen_psk_idx {
513            extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
514        }
515
516        let sh = Message {
517            version: ProtocolVersion::TLSv1_2,
518            payload: MessagePayload::handshake(HandshakeMessagePayload(
519                HandshakePayload::ServerHello(ServerHelloPayload {
520                    legacy_version: ProtocolVersion::TLSv1_2,
521                    random: Random::from(randoms.server),
522                    session_id: *session_id,
523                    cipher_suite: suite.common.suite,
524                    compression_method: Compression::Null,
525                    extensions,
526                }),
527            )),
528        };
529
530        cx.common.check_aligned_handshake()?;
531
532        let client_hello_hash = transcript.hash_given(&[]);
533
534        trace!("sending server hello {sh:?}");
535        transcript.add_message(&sh);
536        cx.common.send_msg(sh, false);
537
538        // Start key schedule
539        let key_schedule_pre_handshake = if let Some(psk) = resuming_psk {
540            let early_key_schedule = KeyScheduleEarly::new(suite, psk);
541            early_key_schedule.client_early_traffic_secret(
542                &client_hello_hash,
543                &*config.key_log,
544                &randoms.client,
545                cx.common,
546            );
547
548            KeySchedulePreHandshake::from(early_key_schedule)
549        } else {
550            KeySchedulePreHandshake::new(suite)
551        };
552
553        // Do key exchange
554        let key_schedule = key_schedule_pre_handshake.into_handshake(ckx.secret);
555
556        let handshake_hash = transcript.current_hash();
557        let key_schedule = key_schedule.derive_server_handshake_secrets(
558            handshake_hash,
559            &*config.key_log,
560            &randoms.client,
561            cx.common,
562        );
563
564        Ok(key_schedule)
565    }
566
567    fn emit_fake_ccs(common: &mut CommonState) {
568        if common.is_quic() {
569            return;
570        }
571        let m = Message {
572            version: ProtocolVersion::TLSv1_2,
573            payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
574        };
575        common.send_msg(m, false);
576    }
577
578    fn emit_hello_retry_request(
579        transcript: &mut HandshakeHash,
580        suite: &'static Tls13CipherSuite,
581        session_id: SessionId,
582        common: &mut CommonState,
583        group: NamedGroup,
584    ) {
585        let mut req = HelloRetryRequest {
586            legacy_version: ProtocolVersion::TLSv1_2,
587            session_id,
588            cipher_suite: suite.common.suite,
589            extensions: Vec::new(),
590        };
591
592        req.extensions
593            .push(HelloRetryExtension::KeyShare(group));
594        req.extensions
595            .push(HelloRetryExtension::SupportedVersions(
596                ProtocolVersion::TLSv1_3,
597            ));
598
599        let m = Message {
600            version: ProtocolVersion::TLSv1_2,
601            payload: MessagePayload::handshake(HandshakeMessagePayload(
602                HandshakePayload::HelloRetryRequest(req),
603            )),
604        };
605
606        trace!("Requesting retry {m:?}");
607        transcript.rollup_for_hrr();
608        transcript.add_message(&m);
609        common.send_msg(m, false);
610        common.handshake_kind = Some(HandshakeKind::FullWithHelloRetryRequest);
611    }
612
613    fn decide_if_early_data_allowed(
614        cx: &mut ServerContext<'_>,
615        client_hello: &ClientHelloPayload,
616        resumedata: Option<&persist::ServerSessionValue>,
617        suite: &'static Tls13CipherSuite,
618        config: &ServerConfig,
619    ) -> EarlyDataDecision {
620        let early_data_requested = client_hello.early_data_extension_offered();
621        let rejected_or_disabled = match early_data_requested {
622            true => EarlyDataDecision::RequestedButRejected,
623            false => EarlyDataDecision::Disabled,
624        };
625
626        let Some(resume) = resumedata else {
627            // never any early data if not resuming.
628            return rejected_or_disabled;
629        };
630
631        /* Non-zero max_early_data_size controls whether early_data is allowed at all.
632         * We also require stateful resumption. */
633        let early_data_configured = config.max_early_data_size > 0 && !config.ticketer.enabled();
634
635        /* "For PSKs provisioned via NewSessionTicket, a server MUST validate
636         *  that the ticket age for the selected PSK identity (computed by
637         *  subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age
638         *  modulo 2^32) is within a small tolerance of the time since the ticket
639         *  was issued (see Section 8)." -- this is implemented in ServerSessionValue::set_freshness()
640         *  and related.
641         *
642         * "In order to accept early data, the server [...] MUST verify that the
643         *  following values are the same as those associated with the
644         *  selected PSK:
645         *
646         *  - The TLS version number
647         *  - The selected cipher suite
648         *  - The selected ALPN [RFC7301] protocol, if any"
649         *
650         * (RFC8446, 4.2.10) */
651        let early_data_possible = early_data_requested
652            && resume.is_fresh()
653            && Some(resume.version) == cx.common.negotiated_version
654            && resume.cipher_suite == suite.common.suite
655            && resume.alpn.as_ref().map(|p| &p.0[..]) == cx.common.alpn_protocol.as_deref();
656
657        if early_data_configured && early_data_possible && !cx.data.early_data.was_rejected() {
658            EarlyDataDecision::Accepted
659        } else {
660            if cx.common.is_quic() {
661                // Clobber value set in tls13::emit_server_hello
662                cx.common.quic.early_secret = None;
663            }
664
665            rejected_or_disabled
666        }
667    }
668
669    fn emit_encrypted_extensions(
670        flight: &mut HandshakeFlightTls13<'_>,
671        suite: &'static Tls13CipherSuite,
672        cx: &mut ServerContext<'_>,
673        ocsp_response: &mut Option<&[u8]>,
674        hello: &ClientHelloPayload,
675        resumedata: Option<&persist::ServerSessionValue>,
676        extra_exts: Vec<ServerExtension>,
677        config: &ServerConfig,
678    ) -> Result<EarlyDataDecision, Error> {
679        let mut ep = hs::ExtensionProcessing::new();
680        ep.process_common(config, cx, ocsp_response, hello, resumedata, extra_exts)?;
681
682        let early_data = decide_if_early_data_allowed(cx, hello, resumedata, suite, config);
683        if early_data == EarlyDataDecision::Accepted {
684            ep.exts.push(ServerExtension::EarlyData);
685        }
686
687        let ee = HandshakeMessagePayload(HandshakePayload::EncryptedExtensions(ep.exts));
688
689        trace!("sending encrypted extensions {ee:?}");
690        flight.add(ee);
691        Ok(early_data)
692    }
693
694    fn emit_certificate_req_tls13(
695        flight: &mut HandshakeFlightTls13<'_>,
696        config: &ServerConfig,
697    ) -> Result<bool, Error> {
698        if !config.verifier.offer_client_auth() {
699            return Ok(false);
700        }
701
702        let mut cr = CertificateRequestPayloadTls13 {
703            context: PayloadU8::empty(),
704            extensions: Vec::new(),
705        };
706
707        let schemes = config
708            .verifier
709            .supported_verify_schemes();
710        cr.extensions
711            .push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
712
713        if !config.cert_decompressors.is_empty() {
714            cr.extensions
715                .push(CertReqExtension::CertificateCompressionAlgorithms(
716                    config
717                        .cert_decompressors
718                        .iter()
719                        .map(|decomp| decomp.algorithm())
720                        .collect(),
721                ));
722        }
723
724        let authorities = config.verifier.root_hint_subjects();
725        if !authorities.is_empty() {
726            cr.extensions
727                .push(CertReqExtension::AuthorityNames(authorities.to_vec()));
728        }
729
730        let creq = HandshakeMessagePayload(HandshakePayload::CertificateRequestTls13(cr));
731
732        trace!("Sending CertificateRequest {creq:?}");
733        flight.add(creq);
734        Ok(true)
735    }
736
737    fn emit_certificate_tls13(
738        flight: &mut HandshakeFlightTls13<'_>,
739        cert_chain: &[CertificateDer<'static>],
740        ocsp_response: Option<&[u8]>,
741    ) {
742        let cert = HandshakeMessagePayload(HandshakePayload::CertificateTls13(
743            CertificatePayloadTls13::new(cert_chain.iter(), ocsp_response),
744        ));
745
746        trace!("sending certificate {cert:?}");
747        flight.add(cert);
748    }
749
750    fn emit_compressed_certificate_tls13(
751        flight: &mut HandshakeFlightTls13<'_>,
752        config: &ServerConfig,
753        cert_chain: &[CertificateDer<'static>],
754        ocsp_response: Option<&[u8]>,
755        cert_compressor: &'static dyn CertCompressor,
756    ) {
757        let payload = CertificatePayloadTls13::new(cert_chain.iter(), ocsp_response);
758
759        let Ok(entry) = config
760            .cert_compression_cache
761            .compression_for(cert_compressor, &payload)
762        else {
763            return emit_certificate_tls13(flight, cert_chain, ocsp_response);
764        };
765
766        let c = HandshakeMessagePayload(HandshakePayload::CompressedCertificate(
767            entry.compressed_cert_payload(),
768        ));
769
770        trace!("sending compressed certificate {c:?}");
771        flight.add(c);
772    }
773
774    fn emit_certificate_verify_tls13(
775        flight: &mut HandshakeFlightTls13<'_>,
776        common: &mut CommonState,
777        signing_key: &dyn sign::SigningKey,
778        schemes: &[SignatureScheme],
779    ) -> Result<(), Error> {
780        let message = construct_server_verify_message(&flight.transcript.current_hash());
781
782        let signer = signing_key
783            .choose_scheme(schemes)
784            .ok_or_else(|| {
785                common.send_fatal_alert(
786                    AlertDescription::HandshakeFailure,
787                    PeerIncompatible::NoSignatureSchemesInCommon,
788                )
789            })?;
790
791        let scheme = signer.scheme();
792        let sig = signer.sign(message.as_ref())?;
793
794        let cv = DigitallySignedStruct::new(scheme, sig);
795
796        let cv = HandshakeMessagePayload(HandshakePayload::CertificateVerify(cv));
797
798        trace!("sending certificate-verify {cv:?}");
799        flight.add(cv);
800        Ok(())
801    }
802
803    fn emit_finished_tls13(
804        mut flight: HandshakeFlightTls13<'_>,
805        randoms: &ConnectionRandoms,
806        cx: &mut ServerContext<'_>,
807        key_schedule: KeyScheduleHandshake,
808        config: &ServerConfig,
809    ) -> KeyScheduleTrafficWithClientFinishedPending {
810        let handshake_hash = flight.transcript.current_hash();
811        let verify_data = key_schedule.sign_server_finish(&handshake_hash);
812        let verify_data_payload = Payload::new(verify_data.as_ref());
813
814        let fin = HandshakeMessagePayload(HandshakePayload::Finished(verify_data_payload));
815
816        trace!("sending finished {fin:?}");
817        flight.add(fin);
818        let hash_at_server_fin = flight.transcript.current_hash();
819        flight.finish(cx.common);
820
821        // Now move to application data keys.  Read key change is deferred until
822        // the Finish message is received & validated.
823        key_schedule.into_traffic_with_client_finished_pending(
824            hash_at_server_fin,
825            &*config.key_log,
826            &randoms.client,
827            cx.common,
828        )
829    }
830}
831
832struct ExpectAndSkipRejectedEarlyData {
833    skip_data_left: usize,
834    next: Box<hs::ExpectClientHello>,
835}
836
837impl State<ServerConnectionData> for ExpectAndSkipRejectedEarlyData {
838    fn handle<'m>(
839        mut self: Box<Self>,
840        cx: &mut ServerContext<'_>,
841        m: Message<'m>,
842    ) -> hs::NextStateOrError<'m>
843    where
844        Self: 'm,
845    {
846        /* "The server then ignores early data by skipping all records with an external
847         *  content type of "application_data" (indicating that they are encrypted),
848         *  up to the configured max_early_data_size."
849         * (RFC8446, 14.2.10) */
850        if let MessagePayload::ApplicationData(skip_data) = &m.payload {
851            if skip_data.bytes().len() <= self.skip_data_left {
852                self.skip_data_left -= skip_data.bytes().len();
853                return Ok(self);
854            }
855        }
856
857        self.next.handle(cx, m)
858    }
859
860    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
861        self
862    }
863}
864
865struct ExpectCertificateOrCompressedCertificate {
866    config: Arc<ServerConfig>,
867    transcript: HandshakeHash,
868    suite: &'static Tls13CipherSuite,
869    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
870    send_tickets: usize,
871}
872
873impl State<ServerConnectionData> for ExpectCertificateOrCompressedCertificate {
874    fn handle<'m>(
875        self: Box<Self>,
876        cx: &mut ServerContext<'_>,
877        m: Message<'m>,
878    ) -> hs::NextStateOrError<'m>
879    where
880        Self: 'm,
881    {
882        match m.payload {
883            MessagePayload::Handshake {
884                parsed: HandshakeMessagePayload(HandshakePayload::CertificateTls13(..)),
885                ..
886            } => Box::new(ExpectCertificate {
887                config: self.config,
888                transcript: self.transcript,
889                suite: self.suite,
890                key_schedule: self.key_schedule,
891                send_tickets: self.send_tickets,
892                message_already_in_transcript: false,
893            })
894            .handle(cx, m),
895
896            MessagePayload::Handshake {
897                parsed: HandshakeMessagePayload(HandshakePayload::CompressedCertificate(..)),
898                ..
899            } => Box::new(ExpectCompressedCertificate {
900                config: self.config,
901                transcript: self.transcript,
902                suite: self.suite,
903                key_schedule: self.key_schedule,
904                send_tickets: self.send_tickets,
905            })
906            .handle(cx, m),
907
908            payload => Err(inappropriate_handshake_message(
909                &payload,
910                &[ContentType::Handshake],
911                &[
912                    HandshakeType::Certificate,
913                    HandshakeType::CompressedCertificate,
914                ],
915            )),
916        }
917    }
918
919    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
920        self
921    }
922}
923
924struct ExpectCompressedCertificate {
925    config: Arc<ServerConfig>,
926    transcript: HandshakeHash,
927    suite: &'static Tls13CipherSuite,
928    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
929    send_tickets: usize,
930}
931
932impl State<ServerConnectionData> for ExpectCompressedCertificate {
933    fn handle<'m>(
934        mut self: Box<Self>,
935        cx: &mut ServerContext<'_>,
936        m: Message<'m>,
937    ) -> hs::NextStateOrError<'m>
938    where
939        Self: 'm,
940    {
941        self.transcript.add_message(&m);
942        let compressed_cert = require_handshake_msg_move!(
943            m,
944            HandshakeType::CompressedCertificate,
945            HandshakePayload::CompressedCertificate
946        )?;
947
948        let selected_decompressor = self
949            .config
950            .cert_decompressors
951            .iter()
952            .find(|item| item.algorithm() == compressed_cert.alg);
953
954        let Some(decompressor) = selected_decompressor else {
955            return Err(cx.common.send_fatal_alert(
956                AlertDescription::BadCertificate,
957                PeerMisbehaved::SelectedUnofferedCertCompression,
958            ));
959        };
960
961        if compressed_cert.uncompressed_len as usize > CERTIFICATE_MAX_SIZE_LIMIT {
962            return Err(cx.common.send_fatal_alert(
963                AlertDescription::BadCertificate,
964                InvalidMessage::MessageTooLarge,
965            ));
966        }
967
968        let mut decompress_buffer = vec![0u8; compressed_cert.uncompressed_len as usize];
969        if let Err(compress::DecompressionFailed) =
970            decompressor.decompress(compressed_cert.compressed.0.bytes(), &mut decompress_buffer)
971        {
972            return Err(cx.common.send_fatal_alert(
973                AlertDescription::BadCertificate,
974                PeerMisbehaved::InvalidCertCompression,
975            ));
976        }
977
978        let cert_payload =
979            match CertificatePayloadTls13::read(&mut Reader::init(&decompress_buffer)) {
980                Ok(cm) => cm,
981                Err(err) => {
982                    return Err(cx
983                        .common
984                        .send_fatal_alert(AlertDescription::BadCertificate, err));
985                }
986            };
987        trace!(
988            "Client certificate decompressed using {:?} ({} bytes -> {})",
989            compressed_cert.alg,
990            compressed_cert
991                .compressed
992                .0
993                .bytes()
994                .len(),
995            compressed_cert.uncompressed_len,
996        );
997
998        let m = Message {
999            version: ProtocolVersion::TLSv1_3,
1000            payload: MessagePayload::handshake(HandshakeMessagePayload(
1001                HandshakePayload::CertificateTls13(cert_payload.into_owned()),
1002            )),
1003        };
1004
1005        Box::new(ExpectCertificate {
1006            config: self.config,
1007            transcript: self.transcript,
1008            suite: self.suite,
1009            key_schedule: self.key_schedule,
1010            send_tickets: self.send_tickets,
1011            message_already_in_transcript: true,
1012        })
1013        .handle(cx, m)
1014    }
1015
1016    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1017        self
1018    }
1019}
1020
1021struct ExpectCertificate {
1022    config: Arc<ServerConfig>,
1023    transcript: HandshakeHash,
1024    suite: &'static Tls13CipherSuite,
1025    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1026    send_tickets: usize,
1027    message_already_in_transcript: bool,
1028}
1029
1030impl State<ServerConnectionData> for ExpectCertificate {
1031    fn handle<'m>(
1032        mut self: Box<Self>,
1033        cx: &mut ServerContext<'_>,
1034        m: Message<'m>,
1035    ) -> hs::NextStateOrError<'m>
1036    where
1037        Self: 'm,
1038    {
1039        if !self.message_already_in_transcript {
1040            self.transcript.add_message(&m);
1041        }
1042        let certp = require_handshake_msg_move!(
1043            m,
1044            HandshakeType::Certificate,
1045            HandshakePayload::CertificateTls13
1046        )?;
1047
1048        // We don't send any CertificateRequest extensions, so any extensions
1049        // here are illegal.
1050        if certp.any_entry_has_extension() {
1051            return Err(PeerMisbehaved::UnsolicitedCertExtension.into());
1052        }
1053
1054        let client_cert = certp.into_certificate_chain();
1055
1056        let mandatory = self
1057            .config
1058            .verifier
1059            .client_auth_mandatory();
1060
1061        let Some((end_entity, intermediates)) = client_cert.split_first() else {
1062            if !mandatory {
1063                debug!("client auth requested but no certificate supplied");
1064                self.transcript.abandon_client_auth();
1065                return Ok(Box::new(ExpectFinished {
1066                    config: self.config,
1067                    suite: self.suite,
1068                    key_schedule: self.key_schedule,
1069                    transcript: self.transcript,
1070                    send_tickets: self.send_tickets,
1071                }));
1072            }
1073
1074            return Err(cx.common.send_fatal_alert(
1075                AlertDescription::CertificateRequired,
1076                Error::NoCertificatesPresented,
1077            ));
1078        };
1079
1080        let now = self.config.current_time()?;
1081
1082        self.config
1083            .verifier
1084            .verify_client_cert(end_entity, intermediates, now)
1085            .map_err(|err| {
1086                cx.common
1087                    .send_cert_verify_error_alert(err)
1088            })?;
1089
1090        Ok(Box::new(ExpectCertificateVerify {
1091            config: self.config,
1092            suite: self.suite,
1093            transcript: self.transcript,
1094            key_schedule: self.key_schedule,
1095            client_cert: client_cert.into_owned(),
1096            send_tickets: self.send_tickets,
1097        }))
1098    }
1099
1100    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1101        self
1102    }
1103}
1104
1105struct ExpectCertificateVerify {
1106    config: Arc<ServerConfig>,
1107    transcript: HandshakeHash,
1108    suite: &'static Tls13CipherSuite,
1109    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1110    client_cert: CertificateChain<'static>,
1111    send_tickets: usize,
1112}
1113
1114impl State<ServerConnectionData> for ExpectCertificateVerify {
1115    fn handle<'m>(
1116        mut self: Box<Self>,
1117        cx: &mut ServerContext<'_>,
1118        m: Message<'m>,
1119    ) -> hs::NextStateOrError<'m>
1120    where
1121        Self: 'm,
1122    {
1123        let rc = {
1124            let sig = require_handshake_msg!(
1125                m,
1126                HandshakeType::CertificateVerify,
1127                HandshakePayload::CertificateVerify
1128            )?;
1129            let handshake_hash = self.transcript.current_hash();
1130            self.transcript.abandon_client_auth();
1131            let certs = &self.client_cert;
1132            let msg = construct_client_verify_message(&handshake_hash);
1133
1134            self.config
1135                .verifier
1136                .verify_tls13_signature(msg.as_ref(), &certs[0], sig)
1137        };
1138
1139        if let Err(e) = rc {
1140            return Err(cx
1141                .common
1142                .send_cert_verify_error_alert(e));
1143        }
1144
1145        trace!("client CertificateVerify OK");
1146        cx.common.peer_certificates = Some(self.client_cert);
1147
1148        self.transcript.add_message(&m);
1149        Ok(Box::new(ExpectFinished {
1150            config: self.config,
1151            suite: self.suite,
1152            key_schedule: self.key_schedule,
1153            transcript: self.transcript,
1154            send_tickets: self.send_tickets,
1155        }))
1156    }
1157
1158    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1159        self
1160    }
1161}
1162
1163// --- Process (any number of) early ApplicationData messages,
1164//     followed by a terminating handshake EndOfEarlyData message ---
1165
1166struct ExpectEarlyData {
1167    config: Arc<ServerConfig>,
1168    transcript: HandshakeHash,
1169    suite: &'static Tls13CipherSuite,
1170    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1171    send_tickets: usize,
1172}
1173
1174impl State<ServerConnectionData> for ExpectEarlyData {
1175    fn handle<'m>(
1176        mut self: Box<Self>,
1177        cx: &mut ServerContext<'_>,
1178        m: Message<'m>,
1179    ) -> hs::NextStateOrError<'m>
1180    where
1181        Self: 'm,
1182    {
1183        match m.payload {
1184            MessagePayload::ApplicationData(payload) => {
1185                match cx
1186                    .data
1187                    .early_data
1188                    .take_received_plaintext(payload)
1189                {
1190                    true => Ok(self),
1191                    false => Err(cx.common.send_fatal_alert(
1192                        AlertDescription::UnexpectedMessage,
1193                        PeerMisbehaved::TooMuchEarlyDataReceived,
1194                    )),
1195                }
1196            }
1197            MessagePayload::Handshake {
1198                parsed: HandshakeMessagePayload(HandshakePayload::EndOfEarlyData),
1199                ..
1200            } => {
1201                self.key_schedule
1202                    .update_decrypter(cx.common);
1203                self.transcript.add_message(&m);
1204                Ok(Box::new(ExpectFinished {
1205                    config: self.config,
1206                    suite: self.suite,
1207                    key_schedule: self.key_schedule,
1208                    transcript: self.transcript,
1209                    send_tickets: self.send_tickets,
1210                }))
1211            }
1212            payload => Err(inappropriate_handshake_message(
1213                &payload,
1214                &[ContentType::ApplicationData, ContentType::Handshake],
1215                &[HandshakeType::EndOfEarlyData],
1216            )),
1217        }
1218    }
1219
1220    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1221        self
1222    }
1223}
1224
1225// --- Process client's Finished ---
1226fn get_server_session_value(
1227    suite: &'static Tls13CipherSuite,
1228    secret: &ResumptionSecret<'_>,
1229    cx: &ServerContext<'_>,
1230    nonce: &[u8],
1231    time_now: UnixTime,
1232    age_obfuscation_offset: u32,
1233) -> persist::ServerSessionValue {
1234    let version = ProtocolVersion::TLSv1_3;
1235
1236    let secret = secret.derive_ticket_psk(nonce);
1237
1238    persist::ServerSessionValue::new(
1239        cx.data.sni.as_ref(),
1240        version,
1241        suite.common.suite,
1242        secret.as_ref(),
1243        cx.common.peer_certificates.clone(),
1244        cx.common.alpn_protocol.clone(),
1245        cx.data.resumption_data.clone(),
1246        time_now,
1247        age_obfuscation_offset,
1248    )
1249}
1250
1251struct ExpectFinished {
1252    config: Arc<ServerConfig>,
1253    transcript: HandshakeHash,
1254    suite: &'static Tls13CipherSuite,
1255    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1256    send_tickets: usize,
1257}
1258
1259impl ExpectFinished {
1260    fn emit_ticket(
1261        flight: &mut HandshakeFlightTls13<'_>,
1262        suite: &'static Tls13CipherSuite,
1263        cx: &ServerContext<'_>,
1264        secret: &ResumptionSecret<'_>,
1265        config: &ServerConfig,
1266    ) -> Result<(), Error> {
1267        let secure_random = config.provider.secure_random;
1268        let nonce = rand::random_vec(secure_random, 32)?;
1269        let age_add = rand::random_u32(secure_random)?;
1270
1271        let now = config.current_time()?;
1272
1273        let plain =
1274            get_server_session_value(suite, secret, cx, &nonce, now, age_add).get_encoding();
1275
1276        let stateless = config.ticketer.enabled();
1277        let (ticket, lifetime) = if stateless {
1278            let Some(ticket) = config.ticketer.encrypt(&plain) else {
1279                return Ok(());
1280            };
1281            (ticket, config.ticketer.lifetime())
1282        } else {
1283            let id = rand::random_vec(secure_random, 32)?;
1284            let stored = config
1285                .session_storage
1286                .put(id.clone(), plain);
1287            if !stored {
1288                trace!("resumption not available; not issuing ticket");
1289                return Ok(());
1290            }
1291            let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
1292            (id, stateful_lifetime)
1293        };
1294
1295        let mut payload = NewSessionTicketPayloadTls13::new(lifetime, age_add, nonce, ticket);
1296
1297        if config.max_early_data_size > 0 {
1298            if !stateless {
1299                payload
1300                    .exts
1301                    .push(NewSessionTicketExtension::EarlyData(
1302                        config.max_early_data_size,
1303                    ));
1304            } else {
1305                // We implement RFC8446 section 8.1: by enforcing that 0-RTT is
1306                // only possible if using stateful resumption
1307                warn!("early_data with stateless resumption is not allowed");
1308            }
1309        }
1310
1311        let t = HandshakeMessagePayload(HandshakePayload::NewSessionTicketTls13(payload));
1312        trace!("sending new ticket {t:?} (stateless: {stateless})");
1313        flight.add(t);
1314
1315        Ok(())
1316    }
1317}
1318
1319impl State<ServerConnectionData> for ExpectFinished {
1320    fn handle<'m>(
1321        mut self: Box<Self>,
1322        cx: &mut ServerContext<'_>,
1323        m: Message<'m>,
1324    ) -> hs::NextStateOrError<'m>
1325    where
1326        Self: 'm,
1327    {
1328        let finished =
1329            require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
1330
1331        let handshake_hash = self.transcript.current_hash();
1332        let (key_schedule_traffic, expect_verify_data) = self
1333            .key_schedule
1334            .sign_client_finish(&handshake_hash, cx.common);
1335
1336        let fin = match ConstantTimeEq::ct_eq(expect_verify_data.as_ref(), finished.bytes()).into()
1337        {
1338            true => verify::FinishedMessageVerified::assertion(),
1339            false => {
1340                return Err(cx
1341                    .common
1342                    .send_fatal_alert(AlertDescription::DecryptError, Error::DecryptError));
1343            }
1344        };
1345
1346        // Note: future derivations include Client Finished, but not the
1347        // main application data keying.
1348        self.transcript.add_message(&m);
1349
1350        cx.common.check_aligned_handshake()?;
1351
1352        let handshake_hash = self.transcript.current_hash();
1353        let resumption = ResumptionSecret::new(&key_schedule_traffic, &handshake_hash);
1354
1355        let mut flight = HandshakeFlightTls13::new(&mut self.transcript);
1356        for _ in 0..self.send_tickets {
1357            Self::emit_ticket(&mut flight, self.suite, cx, &resumption, &self.config)?;
1358        }
1359        flight.finish(cx.common);
1360
1361        // Application data may now flow, even if we have client auth enabled.
1362        cx.common
1363            .start_traffic(&mut cx.sendable_plaintext);
1364
1365        Ok(match cx.common.is_quic() {
1366            true => Box::new(ExpectQuicTraffic {
1367                key_schedule: key_schedule_traffic,
1368                _fin_verified: fin,
1369            }),
1370            false => Box::new(ExpectTraffic {
1371                key_schedule: key_schedule_traffic,
1372                _fin_verified: fin,
1373            }),
1374        })
1375    }
1376
1377    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1378        self
1379    }
1380}
1381
1382// --- Process traffic ---
1383struct ExpectTraffic {
1384    key_schedule: KeyScheduleTraffic,
1385    _fin_verified: verify::FinishedMessageVerified,
1386}
1387
1388impl ExpectTraffic {
1389    fn handle_key_update(
1390        &mut self,
1391        common: &mut CommonState,
1392        key_update_request: &KeyUpdateRequest,
1393    ) -> Result<(), Error> {
1394        if let Protocol::Quic = common.protocol {
1395            return Err(common.send_fatal_alert(
1396                AlertDescription::UnexpectedMessage,
1397                PeerMisbehaved::KeyUpdateReceivedInQuicConnection,
1398            ));
1399        }
1400
1401        common.check_aligned_handshake()?;
1402
1403        if common.should_update_key(key_update_request)? {
1404            self.key_schedule
1405                .update_encrypter_and_notify(common);
1406        }
1407
1408        // Update our read-side keys.
1409        self.key_schedule
1410            .update_decrypter(common);
1411        Ok(())
1412    }
1413}
1414
1415impl State<ServerConnectionData> for ExpectTraffic {
1416    fn handle<'m>(
1417        mut self: Box<Self>,
1418        cx: &mut ServerContext<'_>,
1419        m: Message<'m>,
1420    ) -> hs::NextStateOrError<'m>
1421    where
1422        Self: 'm,
1423    {
1424        match m.payload {
1425            MessagePayload::ApplicationData(payload) => cx
1426                .common
1427                .take_received_plaintext(payload),
1428            MessagePayload::Handshake {
1429                parsed: HandshakeMessagePayload(HandshakePayload::KeyUpdate(key_update)),
1430                ..
1431            } => self.handle_key_update(cx.common, &key_update)?,
1432            payload => {
1433                return Err(inappropriate_handshake_message(
1434                    &payload,
1435                    &[ContentType::ApplicationData, ContentType::Handshake],
1436                    &[HandshakeType::KeyUpdate],
1437                ));
1438            }
1439        }
1440
1441        Ok(self)
1442    }
1443
1444    fn export_keying_material(
1445        &self,
1446        output: &mut [u8],
1447        label: &[u8],
1448        context: Option<&[u8]>,
1449    ) -> Result<(), Error> {
1450        self.key_schedule
1451            .export_keying_material(output, label, context)
1452    }
1453
1454    fn extract_secrets(&self) -> Result<PartiallyExtractedSecrets, Error> {
1455        self.key_schedule
1456            .extract_secrets(Side::Server)
1457    }
1458
1459    fn send_key_update_request(&mut self, common: &mut CommonState) -> Result<(), Error> {
1460        self.key_schedule
1461            .request_key_update_and_update_encrypter(common)
1462    }
1463
1464    fn into_external_state(self: Box<Self>) -> Result<Box<dyn KernelState + 'static>, Error> {
1465        Ok(self)
1466    }
1467
1468    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1469        self
1470    }
1471}
1472
1473impl KernelState for ExpectTraffic {
1474    fn update_secrets(&mut self, dir: Direction) -> Result<ConnectionTrafficSecrets, Error> {
1475        self.key_schedule
1476            .refresh_traffic_secret(match dir {
1477                Direction::Transmit => Side::Server,
1478                Direction::Receive => Side::Client,
1479            })
1480    }
1481
1482    fn handle_new_session_ticket(
1483        &mut self,
1484        _cx: &mut KernelContext<'_>,
1485        _message: &NewSessionTicketPayloadTls13,
1486    ) -> Result<(), Error> {
1487        unreachable!(
1488            "server connections should never have handle_new_session_ticket called on them"
1489        )
1490    }
1491}
1492
1493struct ExpectQuicTraffic {
1494    key_schedule: KeyScheduleTraffic,
1495    _fin_verified: verify::FinishedMessageVerified,
1496}
1497
1498impl State<ServerConnectionData> for ExpectQuicTraffic {
1499    fn handle<'m>(
1500        self: Box<Self>,
1501        _cx: &mut ServerContext<'_>,
1502        m: Message<'m>,
1503    ) -> hs::NextStateOrError<'m>
1504    where
1505        Self: 'm,
1506    {
1507        // reject all messages
1508        Err(inappropriate_message(&m.payload, &[]))
1509    }
1510
1511    fn export_keying_material(
1512        &self,
1513        output: &mut [u8],
1514        label: &[u8],
1515        context: Option<&[u8]>,
1516    ) -> Result<(), Error> {
1517        self.key_schedule
1518            .export_keying_material(output, label, context)
1519    }
1520
1521    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1522        self
1523    }
1524}
1525
1526impl KernelState for ExpectQuicTraffic {
1527    fn update_secrets(&mut self, _: Direction) -> Result<ConnectionTrafficSecrets, Error> {
1528        Err(Error::General(
1529            "QUIC connections do not support key updates".into(),
1530        ))
1531    }
1532
1533    fn handle_new_session_ticket(
1534        &mut self,
1535        _cx: &mut KernelContext<'_>,
1536        _message: &NewSessionTicketPayloadTls13,
1537    ) -> Result<(), Error> {
1538        unreachable!("handle_new_session_ticket should not be called for server-side connections")
1539    }
1540}