rust/rustls
rust
/
rustls
mirror of https://github.com/ctz/rustls
1
0
Fork 0
Code Issues Releases Wiki Activity

Move handshake hashing into state machine 

hash_hs::HandshakerHash is a large type and is not needed after
the handshake.
This commit is contained in:
Joseph Birr-Pixton 2019-05-26 20:17:41 +01:00
parent c57a939653
commit 8aec7342fc
10 changed files with 158 additions and 138 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/client/common.rs
View File

@ -8,6 +8,7 @@ use crate::msgs::persist;
use crate::msgs::enums::ExtensionType;
use crate::msgs::enums::NamedGroup;
use crate::session::SessionRandoms;
use crate::hash_hs;
use crate::sign;
use crate::suites;
#[cfg(feature = "logging")]
@ -52,6 +53,7 @@ impl ServerKXDetails {
pub struct HandshakeDetails {
pub resuming_session: Option<persist::ClientSessionValue>,
pub transcript: hash_hs::HandshakeHash,
pub hash_at_client_recvd_server_hello: Vec<u8>,
pub randoms: SessionRandoms,
pub using_ems: bool,
@ -64,8 +66,9 @@ pub struct HandshakeDetails {
impl HandshakeDetails {
pub fn new(host_name: webpki::DNSName, extra_exts: Vec<ClientExtension>) -> HandshakeDetails {
HandshakeDetails {
hash_at_client_recvd_server_hello: Vec::new(),
resuming_session: None,
transcript: hash_hs::HandshakeHash::new(),
hash_at_client_recvd_server_hello: Vec::new(),
randoms: SessionRandoms::for_client(),
using_ems: false,
session_id: SessionID::empty(),

20
src/client/hs.rs
View File

@ -138,9 +138,9 @@ impl InitialState {
}
}
fn emit_initial_client_hello(self, sess: &mut ClientSessionImpl) -> NextState {
fn emit_initial_client_hello(mut self, sess: &mut ClientSessionImpl) -> NextState {
if sess.config.client_auth_cert_resolver.has_certs() {
sess.common.hs_transcript.set_client_auth_enabled();
self.handshake.transcript.set_client_auth_enabled();
}
let hello_details = ClientHelloDetails::new();
emit_client_hello_for_retry(sess, self.handshake, hello_details, None)
@ -314,7 +314,7 @@ fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl,
trace!("Sending ClientHello {:#?}", ch);
sess.common.hs_transcript.add_message(&ch);
handshake.transcript.add_message(&ch);
sess.common.send_msg(ch, false);
// Calculate the hash of ClientHello and use it to derive EarlyTrafficSecret
@ -327,7 +327,7 @@ fn emit_client_hello_for_retry(sess: &mut ClientSessionImpl,
.as_ref()
.and_then(|resume| sess.find_cipher_suite(resume.cipher_suite)).unwrap();
let client_hello_hash = sess.common.hs_transcript.get_hash_given(resuming_suite.get_hash(), &[]);
let client_hello_hash = handshake.transcript.get_hash_given(resuming_suite.get_hash(), &[]);
let client_early_traffic_secret = sess.common
.get_key_schedule()
.derive(SecretKind::ClientEarlyTrafficSecret, &client_hello_hash);
@ -517,8 +517,8 @@ impl State for ExpectServerHello {
// Start our handshake hash, and input the server-hello.
let starting_hash = sess.common.get_suite_assert().get_hash();
sess.common.hs_transcript.start_hash(starting_hash);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.start_hash(starting_hash);
self.handshake.transcript.add_message(&m);
// For TLS1.3, start message encryption using
// handshake_traffic_secret.
@ -623,7 +623,7 @@ impl ExpectServerHelloOrHelloRetryRequest {
Box::new(self.0)
}
fn handle_hello_retry_request(self, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
fn handle_hello_retry_request(mut self, sess: &mut ClientSessionImpl, m: Message) -> NextStateOrError {
check_handshake_message(&m, &[HandshakeType::HelloRetryRequest])?;
let hrr = extract_handshake!(m, HandshakePayload::HelloRetryRequest).unwrap();
@ -690,9 +690,9 @@ impl ExpectServerHelloOrHelloRetryRequest {
sess.common.set_suite(cs);
// This is the draft19 change where the transcript became a tree
sess.common.hs_transcript.start_hash(cs.get_hash());
sess.common.hs_transcript.rollup_for_hrr();
sess.common.hs_transcript.add_message(&m);
self.0.handshake.transcript.start_hash(cs.get_hash());
self.0.handshake.transcript.rollup_for_hrr();
self.0.handshake.transcript.add_message(&m);
// Early data is not alllowed after HelloRetryrequest
if sess.early_data.is_enabled() {

70
src/client/tls12.rs
View File

@ -57,9 +57,9 @@ impl hs::State for ExpectCertificate {
check_handshake_message(m, &[HandshakeType::Certificate])
}
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let cert_chain = extract_handshake!(m, HandshakePayload::Certificate).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
self.server_cert.cert_chain = cert_chain.clone();
@ -92,8 +92,8 @@ impl hs::State for ExpectCertificateStatus {
check_handshake_message(m, &[HandshakeType::CertificateStatus])
}
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
sess.common.hs_transcript.add_message(&m);
fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
self.handshake.transcript.add_message(&m);
let mut status = extract_handshake_mut!(m, HandshakePayload::CertificateStatus).unwrap();
self.server_cert.ocsp_response = status.take_ocsp_response();
@ -164,10 +164,10 @@ impl hs::State for ExpectServerKX {
check_handshake_message(m, &[HandshakeType::ServerKeyExchange])
}
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let opaque_kx = extract_handshake!(m, HandshakePayload::ServerKeyExchange).unwrap();
let maybe_decoded_kx = opaque_kx.unwrap_given_kxa(&sess.common.get_suite_assert().kx);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
if maybe_decoded_kx.is_none() {
sess.common.send_fatal_alert(AlertDescription::DecodeError);
@ -192,7 +192,8 @@ impl hs::State for ExpectServerKX {
}
}
fn emit_certificate(client_auth: &mut ClientAuthDetails,
fn emit_certificate(handshake: &mut HandshakeDetails,
client_auth: &mut ClientAuthDetails,
sess: &mut ClientSessionImpl) {
let chosen_cert = client_auth.cert.take();
@ -205,11 +206,12 @@ fn emit_certificate(client_auth: &mut ClientAuthDetails,
}),
};
sess.common.hs_transcript.add_message(&cert);
handshake.transcript.add_message(&cert);
sess.common.send_msg(cert, false);
}
fn emit_clientkx(sess: &mut ClientSessionImpl,
fn emit_clientkx(handshake: &mut HandshakeDetails,
sess: &mut ClientSessionImpl,
kxd: &suites::KeyExchangeResult) {
let mut buf = Vec::new();
let ecpoint = PayloadU8::new(Vec::from(kxd.pubkey.as_ref()));
@ -225,19 +227,20 @@ fn emit_clientkx(sess: &mut ClientSessionImpl,
}),
};
sess.common.hs_transcript.add_message(&ckx);
handshake.transcript.add_message(&ckx);
sess.common.send_msg(ckx, false);
}
fn emit_certverify(client_auth: &mut ClientAuthDetails,
fn emit_certverify(handshake: &mut HandshakeDetails,
client_auth: &mut ClientAuthDetails,
sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
if client_auth.signer.is_none() {
trace!("Not sending CertificateVerify, no key");
sess.common.hs_transcript.abandon_client_auth();
handshake.transcript.abandon_client_auth();
return Ok(());
}
let message = sess.common.hs_transcript.take_handshake_buf();
let message = handshake.transcript.take_handshake_buf();
let signer = client_auth.signer.take().unwrap();
let scheme = signer.get_scheme();
let sig = signer.sign(&message)?;
@ -252,7 +255,7 @@ fn emit_certverify(client_auth: &mut ClientAuthDetails,
}),
};
sess.common.hs_transcript.add_message(&m);
handshake.transcript.add_message(&m);
sess.common.send_msg(m, false);
Ok(())
}
@ -268,8 +271,9 @@ fn emit_ccs(sess: &mut ClientSessionImpl) {
sess.common.we_now_encrypting();
}
fn emit_finished(sess: &mut ClientSessionImpl) {
let vh = sess.common.hs_transcript.get_current_hash();
fn emit_finished(handshake: &mut HandshakeDetails,
sess: &mut ClientSessionImpl) {
let vh = handshake.transcript.get_current_hash();
let verify_data = sess.common.secrets
.as_ref()
.unwrap()
@ -285,7 +289,7 @@ fn emit_finished(sess: &mut ClientSessionImpl) {
}),
};
sess.common.hs_transcript.add_message(&f);
handshake.transcript.add_message(&f);
sess.common.send_msg(f, true);
}
@ -316,9 +320,9 @@ impl hs::State for ExpectCertificateRequest {
check_handshake_message(m, &[HandshakeType::CertificateRequest])
}
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let certreq = extract_handshake!(m, HandshakePayload::CertificateRequest).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
debug!("Got CertificateRequest {:?}", certreq);
let mut client_auth = ClientAuthDetails::new();
@ -388,11 +392,11 @@ impl hs::State for ExpectServerDoneOrCertReq {
HandshakeType::ServerHelloDone])
}
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
if extract_handshake!(m, HandshakePayload::CertificateRequest).is_some() {
self.into_expect_certificate_req().handle(sess, m)
} else {
sess.common.hs_transcript.abandon_client_auth();
self.handshake.transcript.abandon_client_auth();
self.into_expect_server_done().handle(sess, m)
}
}
@ -439,7 +443,7 @@ impl hs::State for ExpectServerDone {
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let mut st = *self;
sess.common.hs_transcript.add_message(&m);
st.handshake.transcript.add_message(&m);
debug!("Server cert is {:?}", st.server_cert.cert_chain);
debug!("Server DNS name is {:?}", st.handshake.dns_name);
@ -507,7 +511,8 @@ impl hs::State for ExpectServerDone {
// 4.
if st.client_auth.is_some() {
emit_certificate(st.client_auth.as_mut().unwrap(),
emit_certificate(&mut st.handshake,
st.client_auth.as_mut().unwrap(),
sess);
}
@ -517,13 +522,14 @@ impl hs::State for ExpectServerDone {
.ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
// 5b.
emit_clientkx(sess, &kxd);
emit_clientkx(&mut st.handshake, sess, &kxd);
// nb. EMS handshake hash only runs up to ClientKeyExchange.
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = st.handshake.transcript.get_current_hash();
// 5c.
if st.client_auth.is_some() {
emit_certverify(st.client_auth.as_mut().unwrap(),
emit_certverify(&mut st.handshake,
st.client_auth.as_mut().unwrap(),
sess)?;
}
@ -548,7 +554,7 @@ impl hs::State for ExpectServerDone {
sess.common.start_encryption_tls12(secrets);
// 6.
emit_finished(sess);
emit_finished(&mut st.handshake, sess);
if st.must_issue_new_ticket {
Ok(st.into_expect_new_ticket(certv, sigv))
@ -626,8 +632,8 @@ impl hs::State for ExpectNewTicket {
check_handshake_message(m, &[HandshakeType::NewSessionTicket])
}
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
sess.common.hs_transcript.add_message(&m);
fn handle(mut self: Box<Self>, _sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
self.handshake.transcript.add_message(&m);
let nst = extract_handshake_mut!(m, HandshakePayload::NewSessionTicket).unwrap();
let recvd = ReceivedTicketDetails::from(nst.ticket.0, nst.lifetime_hint);
@ -706,7 +712,7 @@ impl hs::State for ExpectFinished {
let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
// Work out what verify_data we expect.
let vh = sess.common.hs_transcript.get_current_hash();
let vh = st.handshake.transcript.get_current_hash();
let expect_verify_data = sess.common.secrets
.as_ref()
.unwrap()
@ -722,7 +728,7 @@ impl hs::State for ExpectFinished {
.map(|_| verify::FinishedMessageVerified::assertion())?;
// Hash this message too.
sess.common.hs_transcript.add_message(&m);
st.handshake.transcript.add_message(&m);
save_session(&mut st.handshake,
&mut st.ticket,
@ -730,7 +736,7 @@ impl hs::State for ExpectFinished {
if st.resuming {
emit_ccs(sess);
emit_finished(sess);
emit_finished(&mut st.handshake, sess);
}
sess.common.we_now_encrypting();

60
src/client/tls13.rs
View File

@ -131,7 +131,7 @@ pub fn fill_in_psk_binder(sess: &mut ClientSessionImpl,
// length, or the length of its container.
let binder_plaintext = hmp.get_encoding_for_binder_signing();
let handshake_hash =
sess.common.hs_transcript.get_hash_given(suite_hash, &binder_plaintext);
handshake.transcript.get_hash_given(suite_hash, &binder_plaintext);
let mut empty_hash_ctx = hash_hs::HandshakeHash::new();
empty_hash_ctx.start_hash(suite_hash);
@ -207,7 +207,7 @@ pub fn start_handshake_traffic(sess: &mut ClientSessionImpl,
hs::check_aligned_handshake(sess)?;
handshake.hash_at_client_recvd_server_hello =
sess.common.hs_transcript.get_current_hash();
handshake.transcript.get_current_hash();
if !sess.early_data.is_enabled() {
// Set the client encryption key for handshakes if early data is not used
@ -370,10 +370,10 @@ impl hs::State for ExpectEncryptedExtensions {
check_handshake_message(m, &[HandshakeType::EncryptedExtensions])
}
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let exts = extract_handshake!(m, HandshakePayload::EncryptedExtensions).unwrap();
debug!("TLS1.3 encrypted extensions: {:?}", exts);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
validate_encrypted_extensions(sess, &self.hello, exts)?;
hs::process_alpn_protocol(sess, exts.get_alpn_protocol())?;
@ -445,7 +445,7 @@ impl hs::State for ExpectCertificate {
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let cert_chain = extract_handshake!(m, HandshakePayload::CertificateTLS13).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
// This is only non-empty for client auth.
if !cert_chain.context.0.is_empty() {
@ -579,7 +579,7 @@ impl hs::State for ExpectCertificateVerify {
.map_err(|err| send_cert_error_alert(sess, err))?;
// 2. Verify their signature on the handshake.
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = self.handshake.transcript.get_current_hash();
let sigv = verify::verify_tls13(&self.server_cert.cert_chain[0],
cert_verify,
&handshake_hash,
@ -597,7 +597,7 @@ impl hs::State for ExpectCertificateVerify {
}
sess.server_cert_chain = self.server_cert.take_chain();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
Ok(self.into_expect_finished(certv, sigv))
}
@ -626,9 +626,9 @@ impl hs::State for ExpectCertificateRequest {
check_handshake_message(m, &[HandshakeType::CertificateRequest])
}
fn handle(self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ClientSessionImpl, m: Message) -> hs::NextStateOrError {
let certreq = &extract_handshake!(m, HandshakePayload::CertificateRequestTLS13).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
debug!("Got CertificateRequest {:?}", certreq);
// Fortunately the problems here in TLS1.2 and prior are corrected in
@ -679,7 +679,8 @@ impl hs::State for ExpectCertificateRequest {
}
}
fn emit_certificate_tls13(client_auth: &mut ClientAuthDetails,
fn emit_certificate_tls13(handshake: &mut HandshakeDetails,
client_auth: &mut ClientAuthDetails,
sess: &mut ClientSessionImpl) {
let context = client_auth.auth_context
.take()
@ -704,11 +705,12 @@ fn emit_certificate_tls13(client_auth: &mut ClientAuthDetails,
payload: HandshakePayload::CertificateTLS13(cert_payload),
}),
};
sess.common.hs_transcript.add_message(&m);
handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
}
fn emit_certverify_tls13(client_auth: &mut ClientAuthDetails,
fn emit_certverify_tls13(handshake: &mut HandshakeDetails,
client_auth: &mut ClientAuthDetails,
sess: &mut ClientSessionImpl) -> Result<(), TLSError> {
if client_auth.signer.is_none() {
debug!("Skipping certverify message (no client scheme/key)");
@ -718,7 +720,7 @@ fn emit_certverify_tls13(client_auth: &mut ClientAuthDetails,
let mut message = Vec::new();
message.resize(64, 0x20u8);
message.extend_from_slice(b"TLS 1.3, client CertificateVerify\x00");
message.extend_from_slice(&sess.common.hs_transcript.get_current_hash());
message.extend_from_slice(&handshake.transcript.get_current_hash());
let signer = client_auth.signer.take().unwrap();
let scheme = signer.get_scheme();
@ -734,13 +736,14 @@ fn emit_certverify_tls13(client_auth: &mut ClientAuthDetails,
}),
};
sess.common.hs_transcript.add_message(&m);
handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
Ok(())
}
fn emit_finished_tls13(sess: &mut ClientSessionImpl) {
let handshake_hash = sess.common.hs_transcript.get_current_hash();
fn emit_finished_tls13(handshake: &mut HandshakeDetails,
sess: &mut ClientSessionImpl) {
let handshake_hash = handshake.transcript.get_current_hash();
let verify_data = sess.common
.get_key_schedule()
.sign_finish(SecretKind::ClientHandshakeTrafficSecret, &handshake_hash);
@ -755,11 +758,12 @@ fn emit_finished_tls13(sess: &mut ClientSessionImpl) {
}),
};
sess.common.hs_transcript.add_message(&m);
handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
}
fn emit_end_of_early_data_tls13(sess: &mut ClientSessionImpl) {
fn emit_end_of_early_data_tls13(handshake: &mut HandshakeDetails,
sess: &mut ClientSessionImpl) {
#[cfg(feature = "quic")]
{
if let Protocol::Quic = sess.common.protocol { return; }
@ -774,7 +778,7 @@ fn emit_end_of_early_data_tls13(sess: &mut ClientSessionImpl) {
}),
};
sess.common.hs_transcript.add_message(&m);
handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
}
@ -806,7 +810,7 @@ impl hs::State for ExpectFinished {
let mut st = *self;
let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = st.handshake.transcript.get_current_hash();
let expect_verify_data = sess.common
.get_key_schedule()
.sign_finish(SecretKind::ServerHandshakeTrafficSecret, &handshake_hash);
@ -830,13 +834,13 @@ impl hs::State for ExpectFinished {
None
};
sess.common.hs_transcript.add_message(&m);
st.handshake.transcript.add_message(&m);
/* Transition to application data */
sess.common.get_mut_key_schedule().input_empty();
/* Traffic from server is now decrypted with application data keys. */
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = st.handshake.transcript.get_current_hash();
let read_key = sess.common
.get_key_schedule()
.derive(SecretKind::ServerApplicationTrafficSecret, &handshake_hash);
@ -861,7 +865,7 @@ impl hs::State for ExpectFinished {
/* The EndOfEarlyData message to server is still encrypted with early data keys,
* but appears in the transcript after the server Finished. */
if let Some(write_key) = maybe_write_key {
emit_end_of_early_data_tls13(sess);
emit_end_of_early_data_tls13(&mut st.handshake, sess);
sess.common.early_traffic = false;
sess.early_data.finished();
sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
@ -874,13 +878,15 @@ impl hs::State for ExpectFinished {
/* Send our authentication/finished messages. These are still encrypted
* with our handshake keys. */
if st.client_auth.is_some() {
emit_certificate_tls13(st.client_auth.as_mut().unwrap(),
emit_certificate_tls13(&mut st.handshake,
st.client_auth.as_mut().unwrap(),
sess);
emit_certverify_tls13(st.client_auth.as_mut().unwrap(),
emit_certverify_tls13(&mut st.handshake,
st.client_auth.as_mut().unwrap(),
sess)?;
}
emit_finished_tls13(sess);
emit_finished_tls13(&mut st.handshake, sess);
/* Now move to our application traffic keys. */
hs::check_aligned_handshake(sess)?;
@ -927,7 +933,7 @@ struct ExpectTraffic {
impl ExpectTraffic {
fn handle_new_ticket_tls13(&mut self, sess: &mut ClientSessionImpl, m: Message) -> Result<(), TLSError> {
let nst = extract_handshake!(m, HandshakePayload::NewSessionTicketTLS13).unwrap();
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = self.handshake.transcript.get_current_hash();
let resumption_master_secret = sess.common
.get_key_schedule()
.derive(SecretKind::ResumptionMasterSecret, &handshake_hash);

3
src/server/common.rs
View File

@ -2,10 +2,12 @@ use crate::session::SessionRandoms;
use crate::msgs::handshake::{ServerExtension, SessionID};
use crate::suites;
use crate::key;
use crate::hash_hs;
use std::mem;
pub struct HandshakeDetails {
pub transcript: hash_hs::HandshakeHash,
pub hash_at_server_fin: Vec<u8>,
pub session_id: SessionID,
pub randoms: SessionRandoms,
@ -16,6 +18,7 @@ pub struct HandshakeDetails {
impl HandshakeDetails {
pub fn new(extra_exts: Vec<ServerExtension>) -> HandshakeDetails {
HandshakeDetails {
transcript: hash_hs::HandshakeHash::new(),
hash_at_server_fin: Vec::new(),
session_id: SessionID::empty(),
randoms: SessionRandoms::for_server(),

30
src/server/hs.rs
View File

@ -16,7 +16,7 @@ use crate::msgs::handshake::CertificateStatus;
use crate::msgs::codec::Codec;
use crate::msgs::persist;
use crate::session::SessionSecrets;
use crate::server::ServerSessionImpl;
use crate::server::{ServerSessionImpl, ServerConfig};
use crate::suites;
use crate::verify;
use crate::util;
@ -272,14 +272,20 @@ pub struct ExpectClientHello {
}
impl ExpectClientHello {
pub fn new(extra_exts: Vec<ServerExtension>) -> ExpectClientHello {
ExpectClientHello {
pub fn new(server_config: &ServerConfig, extra_exts: Vec<ServerExtension>) -> ExpectClientHello {
let mut ech = ExpectClientHello {
handshake: HandshakeDetails::new(extra_exts),
done_retry: false,
send_cert_status: false,
send_sct: false,
send_ticket: false,
};
if server_config.verifier.offer_client_auth() {
ech.handshake.transcript.set_client_auth_enabled();
}
ech
}
fn into_expect_tls12_ccs(self) -> NextState {
@ -348,7 +354,7 @@ impl ExpectClientHello {
};
trace!("sending server hello {:?}", sh);
sess.common.hs_transcript.add_message(&sh);
self.handshake.transcript.add_message(&sh);
sess.common.send_msg(sh, false);
Ok(())
}
@ -367,7 +373,7 @@ impl ExpectClientHello {
}),
};
sess.common.hs_transcript.add_message(&c);
self.handshake.transcript.add_message(&c);
sess.common.send_msg(c, false);
}
@ -391,7 +397,7 @@ impl ExpectClientHello {
}),
};
sess.common.hs_transcript.add_message(&c);
self.handshake.transcript.add_message(&c);
sess.common.send_msg(c, false);
}
@ -431,7 +437,7 @@ impl ExpectClientHello {
}),
};
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, false);
Ok(kx)
}
@ -462,7 +468,7 @@ impl ExpectClientHello {
};
trace!("Sending CertificateRequest {:?}", m);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, false);
true
}
@ -477,7 +483,7 @@ impl ExpectClientHello {
}),
};
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, false);
}
@ -511,7 +517,7 @@ impl ExpectClientHello {
tls12::emit_ticket(&mut self.handshake, sess);
}
tls12::emit_ccs(sess);
tls12::emit_finished(sess);
tls12::emit_finished(&mut self.handshake, sess);
assert!(same_dns_name_or_both_none(sni, sess.get_sni()));
@ -619,7 +625,7 @@ impl State for ExpectClientHello {
// Start handshake hash.
let starting_hash = sess.common.get_suite_assert().get_hash();
if !sess.common.hs_transcript.start_hash(starting_hash) {
if !self.handshake.transcript.start_hash(starting_hash) {
sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
return Err(TLSError::PeerIncompatibleError("hash differed on retry"
.to_string()));
@ -635,7 +641,7 @@ impl State for ExpectClientHello {
// -- TLS1.2 only from hereon in --
save_sni(sess, sni.clone());
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
if client_hello.ems_support_offered() {
self.handshake.using_ems = true;

9
src/server/mod.rs
View File

@ -278,19 +278,14 @@ impl fmt::Debug for ServerSessionImpl {
impl ServerSessionImpl {
pub fn new(server_config: &Arc<ServerConfig>, extra_exts: Vec<ServerExtension>)
-> ServerSessionImpl {
let mut common = SessionCommon::new(server_config.mtu, false);
if server_config.verifier.offer_client_auth() {
common.hs_transcript.set_client_auth_enabled();
}
ServerSessionImpl {
config: server_config.clone(),
common,
common: SessionCommon::new(server_config.mtu, false),
sni: None,
alpn_protocol: None,
quic_params: None,
error: None,
state: Some(Box::new(hs::ExpectClientHello::new(extra_exts))),
state: Some(Box::new(hs::ExpectClientHello::new(server_config, extra_exts))),
client_cert_chain: None,
}
}

29
src/server/tls12.rs
View File

@ -44,14 +44,14 @@ impl hs::State for ExpectCertificate {
check_handshake_message(m, &[HandshakeType::Certificate])
}
fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let cert_chain = extract_handshake!(m, HandshakePayload::Certificate).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
if cert_chain.is_empty() &&
!sess.config.verifier.client_auth_mandatory() {
debug!("client auth requested but no certificate supplied");
sess.common.hs_transcript.abandon_client_auth();
self.handshake.transcript.abandon_client_auth();
return Ok(self.into_expect_tls12_client_kx(None));
}
@ -101,7 +101,7 @@ impl hs::State for ExpectClientKX {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let client_kx = extract_handshake!(m, HandshakePayload::ClientKeyExchange).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
// Complete key agreement, and set up encryption with the
// resulting premaster secret.
@ -117,7 +117,7 @@ impl hs::State for ExpectClientKX {
let hashalg = sess.common.get_suite_assert().get_hash();
let secrets = if self.handshake.using_ems {
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = self.handshake.transcript.get_current_hash();
SessionSecrets::new_ems(&self.handshake.randoms,
&handshake_hash,
hashalg,
@ -165,7 +165,7 @@ impl hs::State for ExpectCertificateVerify {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let rc = {
let sig = extract_handshake!(m, HandshakePayload::CertificateVerify).unwrap();
let handshake_msgs = sess.common.hs_transcript.take_handshake_buf();
let handshake_msgs = self.handshake.transcript.take_handshake_buf();
let certs = &self.client_cert.cert_chain;
verify::verify_signed_struct(&handshake_msgs, &certs[0], sig)
@ -179,7 +179,7 @@ impl hs::State for ExpectCertificateVerify {
trace!("client CertificateVerify OK");
sess.client_cert_chain = Some(self.client_cert.take_chain());
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
Ok(self.into_expect_tls12_ccs())
}
}
@ -268,7 +268,7 @@ pub fn emit_ticket(handshake: &mut HandshakeDetails,
}),
};
sess.common.hs_transcript.add_message(&m);
handshake.transcript.add_message(&m);
sess.common.send_msg(m, false);
}
@ -283,8 +283,9 @@ pub fn emit_ccs(sess: &mut ServerSessionImpl) {
sess.common.we_now_encrypting();
}
pub fn emit_finished(sess: &mut ServerSessionImpl) {
let vh = sess.common.hs_transcript.get_current_hash();
pub fn emit_finished(handshake: &mut HandshakeDetails,
sess: &mut ServerSessionImpl) {
let vh = handshake.transcript.get_current_hash();
let verify_data = sess.common.secrets
.as_ref()
.unwrap()
@ -300,7 +301,7 @@ pub fn emit_finished(sess: &mut ServerSessionImpl) {
}),
};
sess.common.hs_transcript.add_message(&f);
handshake.transcript.add_message(&f);
sess.common.send_msg(f, true);
}
@ -326,7 +327,7 @@ impl hs::State for ExpectFinished {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
let vh = sess.common.hs_transcript.get_current_hash();
let vh = self.handshake.transcript.get_current_hash();
let expect_verify_data = sess.common.secrets
.as_ref()
.unwrap()
@ -353,14 +354,14 @@ impl hs::State for ExpectFinished {
}
// Send our CCS and Finished.
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
if !self.resuming {
if self.send_ticket {
emit_ticket(&mut self.handshake,
sess);
}
emit_ccs(sess);
emit_finished(sess);
emit_finished(&mut self.handshake, sess);
}
sess.common.we_now_encrypting();

67
src/server/tls13.rs
View File

@ -69,7 +69,7 @@ impl CompleteClientHelloHandling {
};
let suite_hash = sess.common.get_suite_assert().get_hash();
let handshake_hash = sess.common.hs_transcript.get_hash_given(suite_hash, &binder_plaintext);
let handshake_hash = self.handshake.transcript.get_hash_given(suite_hash, &binder_plaintext);
let mut key_schedule = KeySchedule::new(suite_hash);
key_schedule.input_secret(psk);
@ -145,11 +145,11 @@ impl CompleteClientHelloHandling {
hs::check_aligned_handshake(sess)?;
#[cfg(feature = "quic")]
let client_hello_hash = sess.common.hs_transcript
let client_hello_hash = self.handshake.transcript
.get_hash_given(sess.common.get_suite_assert().get_hash(), &[]);
trace!("sending server hello {:?}", sh);
sess.common.hs_transcript.add_message(&sh);
self.handshake.transcript.add_message(&sh);
sess.common.send_msg(sh, false);
// Start key schedule
@ -175,7 +175,7 @@ impl CompleteClientHelloHandling {
}
key_schedule.input_secret(&kxr.premaster_secret);
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = self.handshake.transcript.get_current_hash();
let write_key = key_schedule.derive(SecretKind::ServerHandshakeTrafficSecret, &handshake_hash);
let read_key = key_schedule.derive(SecretKind::ClientHandshakeTrafficSecret, &handshake_hash);
sess.common.set_message_encrypter(cipher::new_tls13_write(suite, &write_key));
@ -237,8 +237,8 @@ impl CompleteClientHelloHandling {
};
trace!("Requesting retry {:?}", m);
sess.common.hs_transcript.rollup_for_hrr();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.rollup_for_hrr();
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, false);
}
@ -264,7 +264,7 @@ impl CompleteClientHelloHandling {
};
trace!("sending encrypted extensions {:?}", ee);
sess.common.hs_transcript.add_message(&ee);
self.handshake.transcript.add_message(&ee);
sess.common.send_msg(ee, true);
Ok(())
}
@ -297,7 +297,7 @@ impl CompleteClientHelloHandling {
};
trace!("Sending CertificateRequest {:?}", m);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
true
}
@ -344,7 +344,7 @@ impl CompleteClientHelloHandling {
};
trace!("sending certificate {:?}", c);
sess.common.hs_transcript.add_message(&c);
self.handshake.transcript.add_message(&c);
sess.common.send_msg(c, true);
}
@ -356,7 +356,7 @@ impl CompleteClientHelloHandling {
let mut message = Vec::new();
message.resize(64, 0x20u8);
message.extend_from_slice(b"TLS 1.3, server CertificateVerify\x00");
message.extend_from_slice(&sess.common.hs_transcript.get_current_hash());
message.extend_from_slice(&self.handshake.transcript.get_current_hash());
let signing_key = &server_key.key;
let signer = signing_key.choose_scheme(schemes)
@ -377,13 +377,13 @@ impl CompleteClientHelloHandling {
};
trace!("sending certificate-verify {:?}", m);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
Ok(())
}
fn emit_finished_tls13(&mut self, sess: &mut ServerSessionImpl) {
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = self.handshake.transcript.get_current_hash();
let verify_data = sess.common
.get_key_schedule()
.sign_finish(SecretKind::ServerHandshakeTrafficSecret, &handshake_hash);
@ -399,8 +399,8 @@ impl CompleteClientHelloHandling {
};
trace!("sending finished {:?}", m);
sess.common.hs_transcript.add_message(&m);
self.handshake.hash_at_server_fin = sess.common.hs_transcript.get_current_hash();
self.handshake.transcript.add_message(&m);
self.handshake.hash_at_server_fin = self.handshake.transcript.get_current_hash();
sess.common.send_msg(m, true);
// Now move to application data keys.
@ -497,7 +497,7 @@ impl CompleteClientHelloHandling {
// We don't have a suitable key share. Choose a suitable group and
// send a HelloRetryRequest.
let retry_group_maybe = util::first_in_both(supported_groups, groups_ext);
sess.common.hs_transcript.add_message(chm);
self.handshake.transcript.add_message(chm);
if let Some(group) = retry_group_maybe {
if self.done_retry {
@ -564,7 +564,7 @@ impl CompleteClientHelloHandling {
}
let full_handshake = resumedata.is_none();
sess.common.hs_transcript.add_message(chm);
self.handshake.transcript.add_message(chm);
self.emit_server_hello(sess, &client_hello.session_id,
chosen_share, chosen_psk_index,
resumedata.as_ref().map(|x| &x.master_secret.0[..]))?;
@ -621,9 +621,9 @@ impl hs::State for ExpectCertificate {
check_handshake_message(m, &[HandshakeType::Certificate])
}
fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let certp = extract_handshake!(m, HandshakePayload::CertificateTLS13).unwrap();
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
// We don't send any CertificateRequest extensions, so any extensions
// here are illegal.
@ -637,7 +637,7 @@ impl hs::State for ExpectCertificate {
if cert_chain.is_empty() {
if !sess.config.verifier.client_auth_mandatory() {
debug!("client auth requested but no certificate supplied");
sess.common.hs_transcript.abandon_client_auth();
self.handshake.transcript.abandon_client_auth();
return Ok(self.into_expect_finished());
}
@ -679,8 +679,8 @@ impl hs::State for ExpectCertificateVerify {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let rc = {
let sig = extract_handshake!(m, HandshakePayload::CertificateVerify).unwrap();
let handshake_hash = sess.common.hs_transcript.get_current_hash();
sess.common.hs_transcript.abandon_client_auth();
let handshake_hash = self.handshake.transcript.get_current_hash();
self.handshake.transcript.abandon_client_auth();
let certs = &self.client_cert.cert_chain;
verify::verify_tls13(&certs[0],
@ -697,19 +697,20 @@ impl hs::State for ExpectCertificateVerify {
trace!("client CertificateVerify OK");
sess.client_cert_chain = Some(self.client_cert.take_chain());
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
Ok(self.into_expect_finished())
}
}
// --- Process client's Finished ---
fn get_server_session_value(sess: &ServerSessionImpl,
nonce: &[u8]) -> persist::ServerSessionValue {
fn get_server_session_value(handshake: &mut HandshakeDetails,
sess: &ServerSessionImpl,
nonce: &[u8]) -> persist::ServerSessionValue {
let scs = sess.common.get_suite_assert();
let version = ProtocolVersion::TLSv1_3;
let handshake_hash = sess.common
.hs_transcript
let handshake_hash = handshake
.transcript
.get_current_hash();
let resumption_master_secret = sess.common
.get_key_schedule()
@ -740,7 +741,8 @@ impl ExpectFinished {
fn emit_stateless_ticket(&mut self, sess: &mut ServerSessionImpl) {
debug_assert!(self.send_ticket);
let nonce = rand::random_vec(32);
let plain = get_server_session_value(sess, &nonce)
let plain = get_server_session_value(&mut self.handshake,
sess, &nonce)
.get_encoding();
let maybe_ticket = sess.config
.ticketer
@ -770,7 +772,7 @@ impl ExpectFinished {
};
trace!("sending new ticket {:?}", m);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
}
@ -778,7 +780,8 @@ impl ExpectFinished {
debug_assert!(self.send_ticket);
let nonce = rand::random_vec(32);
let id = rand::random_vec(32);
let plain = get_server_session_value(sess, &nonce)
let plain = get_server_session_value(&mut self.handshake,
sess, &nonce)
.get_encoding();
if sess.config.session_storage.put(id.clone(), plain) {
@ -801,7 +804,7 @@ impl ExpectFinished {
};
trace!("sending new stateful ticket {:?}", m);
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
sess.common.send_msg(m, true);
} else {
trace!("resumption not available; not issuing ticket");
@ -817,7 +820,7 @@ impl hs::State for ExpectFinished {
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> hs::NextStateOrError {
let finished = extract_handshake!(m, HandshakePayload::Finished).unwrap();
let handshake_hash = sess.common.hs_transcript.get_current_hash();
let handshake_hash = self.handshake.transcript.get_current_hash();
let expect_verify_data = sess.common
.get_key_schedule()
.sign_finish(SecretKind::ClientHandshakeTrafficSecret, &handshake_hash);
@ -832,7 +835,7 @@ impl hs::State for ExpectFinished {
// nb. future derivations include Client Finished, but not the
// main application data keying.
sess.common.hs_transcript.add_message(&m);
self.handshake.transcript.add_message(&m);
// Now move to using application data keys for client traffic.
// Server traffic is already done.

3
src/session.rs
View File

@ -17,7 +17,6 @@ use crate::key_schedule::{SecretKind, KeySchedule};
use crate::prf;
use crate::rand;
use crate::quic;
use crate::hash_hs;
#[cfg(feature = "logging")]
use crate::log::{warn, debug, error};
@ -456,7 +455,6 @@ pub struct SessionCommon {
received_plaintext: ChunkVecBuffer,
sendable_plaintext: ChunkVecBuffer,
pub sendable_tls: ChunkVecBuffer,
pub hs_transcript: hash_hs::HandshakeHash,
/// Protocol whose key schedule should be used. Unused for TLS < 1.3.
pub protocol: Protocol,
#[cfg(feature = "quic")]
@ -487,7 +485,6 @@ impl SessionCommon {
received_plaintext: ChunkVecBuffer::new(),
sendable_plaintext: ChunkVecBuffer::new(),
sendable_tls: ChunkVecBuffer::new(),
hs_transcript: hash_hs::HandshakeHash::new(),
protocol: Protocol::Tls13,
#[cfg(feature = "quic")]
quic: Quic::new(),