mirror of https://github.com/ctz/rustls
759 lines
29 KiB
Rust
759 lines
29 KiB
Rust
use crate::msgs::enums::{ContentType, HandshakeType, ProtocolVersion};
|
|
use crate::msgs::enums::{Compression, NamedGroup, ECPointFormat, CipherSuite};
|
|
use crate::msgs::enums::{ExtensionType, AlertDescription};
|
|
use crate::msgs::enums::{ClientCertificateType, SignatureScheme};
|
|
use crate::msgs::message::{Message, MessagePayload};
|
|
use crate::msgs::handshake::{HandshakePayload, SupportedSignatureSchemes};
|
|
use crate::msgs::handshake::{HandshakeMessagePayload, ServerHelloPayload, Random};
|
|
use crate::msgs::handshake::{ClientHelloPayload, ServerExtension, SessionID};
|
|
use crate::msgs::handshake::{ConvertProtocolNameList, ConvertServerNameList};
|
|
use crate::msgs::handshake::ClientExtension;
|
|
use crate::msgs::handshake::{ECPointFormatList, SupportedPointFormats};
|
|
use crate::msgs::handshake::{ServerECDHParams, DigitallySignedStruct};
|
|
use crate::msgs::handshake::{ServerKeyExchangePayload, ECDHEServerKeyExchange};
|
|
use crate::msgs::handshake::CertificateRequestPayload;
|
|
use crate::msgs::handshake::CertificateStatus;
|
|
use crate::msgs::codec::Codec;
|
|
use crate::msgs::persist;
|
|
use crate::session::SessionSecrets;
|
|
use crate::server::{ServerSessionImpl, ServerConfig};
|
|
use crate::suites;
|
|
use crate::verify;
|
|
use crate::util;
|
|
use crate::rand;
|
|
use crate::sign;
|
|
#[cfg(feature = "logging")]
|
|
use crate::log::{trace, debug};
|
|
use crate::error::TLSError;
|
|
use crate::handshake::check_handshake_message;
|
|
use webpki;
|
|
#[cfg(feature = "quic")]
|
|
use crate::session::Protocol;
|
|
|
|
use crate::server::common::{HandshakeDetails, ServerKXDetails};
|
|
use crate::server::{tls12, tls13};
|
|
|
|
macro_rules! extract_handshake(
|
|
( $m:expr, $t:path ) => (
|
|
match $m.payload {
|
|
MessagePayload::Handshake(ref hsp) => match hsp.payload {
|
|
$t(ref hm) => Some(hm),
|
|
_ => None
|
|
},
|
|
_ => None
|
|
}
|
|
)
|
|
);
|
|
|
|
pub type CheckResult = Result<(), TLSError>;
|
|
pub type NextState = Box<dyn State + Send + Sync>;
|
|
pub type NextStateOrError = Result<NextState, TLSError>;
|
|
|
|
pub trait State {
|
|
fn check_message(&self, m: &Message) -> CheckResult;
|
|
fn handle(self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError;
|
|
}
|
|
|
|
pub fn incompatible(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
|
|
sess.common.send_fatal_alert(AlertDescription::HandshakeFailure);
|
|
TLSError::PeerIncompatibleError(why.to_string())
|
|
}
|
|
|
|
fn bad_version(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
|
|
sess.common.send_fatal_alert(AlertDescription::ProtocolVersion);
|
|
TLSError::PeerIncompatibleError(why.to_string())
|
|
}
|
|
|
|
pub fn illegal_param(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
|
|
sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
|
|
TLSError::PeerMisbehavedError(why.to_string())
|
|
}
|
|
|
|
pub fn decode_error(sess: &mut ServerSessionImpl, why: &str) -> TLSError {
|
|
sess.common.send_fatal_alert(AlertDescription::DecodeError);
|
|
TLSError::PeerMisbehavedError(why.to_string())
|
|
}
|
|
|
|
pub fn can_resume(sess: &ServerSessionImpl,
|
|
handshake: &HandshakeDetails,
|
|
resumedata: &Option<persist::ServerSessionValue>) -> bool {
|
|
// The RFCs underspecify what happens if we try to resume to
|
|
// an unoffered/varying suite. We merely don't resume in weird cases.
|
|
//
|
|
// RFC 6066 says "A server that implements this extension MUST NOT accept
|
|
// the request to resume the session if the server_name extension contains
|
|
// a different name. Instead, it proceeds with a full handshake to
|
|
// establish a new session."
|
|
|
|
if let Some(ref resume) = *resumedata {
|
|
resume.cipher_suite == sess.common.get_suite_assert().suite &&
|
|
(resume.extended_ms == handshake.using_ems ||
|
|
(resume.extended_ms && !handshake.using_ems)) &&
|
|
same_dns_name_or_both_none(resume.sni.as_ref(), sess.sni.as_ref())
|
|
} else {
|
|
false
|
|
}
|
|
}
|
|
|
|
// Require an exact match for the purpose of comparing SNI DNS Names from two
|
|
// client hellos, even though a case-insensitive comparison might also be OK.
|
|
fn same_dns_name_or_both_none(a: Option<&webpki::DNSName>,
|
|
b: Option<&webpki::DNSName>) -> bool {
|
|
match (a, b) {
|
|
(Some(a), Some(b)) => {
|
|
let a: &str = a.as_ref().into();
|
|
let b: &str = b.as_ref().into();
|
|
a == b
|
|
},
|
|
(None, None) => true,
|
|
_ => false,
|
|
}
|
|
}
|
|
|
|
// Changing the keys must not span any fragmented handshake
|
|
// messages. Otherwise the defragmented messages will have
|
|
// been protected with two different record layer protections,
|
|
// which is illegal. Not mentioned in RFC.
|
|
pub fn check_aligned_handshake(sess: &mut ServerSessionImpl) -> Result<(), TLSError> {
|
|
if !sess.common.handshake_joiner.is_empty() {
|
|
Err(illegal_param(sess, "keys changed with pending hs fragment"))
|
|
} else {
|
|
Ok(())
|
|
}
|
|
}
|
|
|
|
pub fn save_sni(sess: &mut ServerSessionImpl,
|
|
sni: Option<webpki::DNSName>) {
|
|
if let Some(sni) = sni {
|
|
// Save the SNI into the session.
|
|
sess.set_sni(sni);
|
|
}
|
|
}
|
|
|
|
#[derive(Default)]
|
|
pub struct ExtensionProcessing {
|
|
// extensions to reply with
|
|
pub exts: Vec<ServerExtension>,
|
|
|
|
// effects on later handshake steps
|
|
pub send_cert_status: bool,
|
|
pub send_sct: bool,
|
|
pub send_ticket: bool,
|
|
}
|
|
|
|
impl ExtensionProcessing {
|
|
pub fn new() -> Self { Default::default() }
|
|
|
|
pub fn process_common(&mut self,
|
|
sess: &mut ServerSessionImpl,
|
|
server_key: Option<&mut sign::CertifiedKey>,
|
|
hello: &ClientHelloPayload,
|
|
resumedata: Option<&persist::ServerSessionValue>,
|
|
handshake: &HandshakeDetails)
|
|
-> Result<(), TLSError> {
|
|
// ALPN
|
|
let our_protocols = &sess.config.alpn_protocols;
|
|
let maybe_their_protocols = hello.get_alpn_extension();
|
|
if let Some(their_protocols) = maybe_their_protocols {
|
|
let their_proto_vecs = their_protocols.to_vecs();
|
|
|
|
if their_proto_vecs.iter().any(Vec::is_empty) {
|
|
return Err(TLSError::PeerMisbehavedError("client offered empty ALPN protocol"
|
|
.to_string()));
|
|
}
|
|
|
|
sess.alpn_protocol = util::first_in_both(our_protocols, &their_proto_vecs);
|
|
if let Some(ref selected_protocol) = sess.alpn_protocol {
|
|
debug!("Chosen ALPN protocol {:?}", selected_protocol);
|
|
self.exts.push(ServerExtension::make_alpn(&[selected_protocol]));
|
|
}
|
|
}
|
|
|
|
#[cfg(feature = "quic")] {
|
|
if sess.common.protocol == Protocol::Quic {
|
|
if let Some(params) = hello.get_quic_params_extension() {
|
|
sess.common.quic.params = Some(params);
|
|
}
|
|
|
|
if let Some(resume) = resumedata {
|
|
if sess.config.max_early_data_size > 0
|
|
&& hello.early_data_extension_offered()
|
|
&& resume.version == sess.common.negotiated_version.unwrap()
|
|
&& resume.cipher_suite == sess.common.get_suite_assert().suite
|
|
&& resume.alpn.as_ref().map(|x| &x.0) == sess.alpn_protocol.as_ref()
|
|
{
|
|
self.exts.push(ServerExtension::EarlyData);
|
|
} else {
|
|
// Clobber value set in tls13::emit_server_hello
|
|
sess.common.quic.early_secret = None;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
let for_resume = resumedata.is_some();
|
|
// SNI
|
|
if !for_resume && hello.get_sni_extension().is_some() {
|
|
self.exts.push(ServerExtension::ServerNameAck);
|
|
}
|
|
|
|
// Send status_request response if we have one. This is not allowed
|
|
// if we're resuming, and is only triggered if we have an OCSP response
|
|
// to send.
|
|
if !for_resume &&
|
|
hello.find_extension(ExtensionType::StatusRequest).is_some() &&
|
|
server_key.is_some() &&
|
|
server_key.as_ref().unwrap().has_ocsp() {
|
|
self.send_cert_status = true;
|
|
|
|
if !sess.common.is_tls13() {
|
|
// Only TLS1.2 sends confirmation in ServerHello
|
|
self.exts.push(ServerExtension::CertificateStatusAck);
|
|
}
|
|
}
|
|
|
|
if !for_resume &&
|
|
hello.find_extension(ExtensionType::SCT).is_some() &&
|
|
server_key.is_some() &&
|
|
server_key.as_ref().unwrap().has_sct_list() {
|
|
self.send_sct = true;
|
|
|
|
if !sess.common.is_tls13() {
|
|
let sct_list = server_key
|
|
.unwrap()
|
|
.take_sct_list()
|
|
.unwrap();
|
|
self.exts.push(ServerExtension::make_sct(sct_list));
|
|
}
|
|
}
|
|
|
|
if !sess.common.is_tls13() {
|
|
}
|
|
|
|
self.exts.extend(handshake.extra_exts.iter().cloned());
|
|
|
|
Ok(())
|
|
}
|
|
|
|
fn process_tls12(&mut self, sess: &ServerSessionImpl, hello: &ClientHelloPayload,
|
|
handshake: &HandshakeDetails) {
|
|
// Renegotiation.
|
|
// (We don't do reneg at all, but would support the secure version if we did.)
|
|
let secure_reneg_offered =
|
|
hello.find_extension(ExtensionType::RenegotiationInfo).is_some() ||
|
|
hello.cipher_suites.contains(&CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV);
|
|
|
|
if secure_reneg_offered {
|
|
self.exts.push(ServerExtension::make_empty_renegotiation_info());
|
|
}
|
|
|
|
// Tickets:
|
|
// If we get any SessionTicket extension and have tickets enabled,
|
|
// we send an ack.
|
|
if hello.find_extension(ExtensionType::SessionTicket).is_some() &&
|
|
sess.config.ticketer.enabled() {
|
|
self.send_ticket = true;
|
|
self.exts.push(ServerExtension::SessionTicketAck);
|
|
}
|
|
|
|
// Confirm use of EMS if offered.
|
|
if handshake.using_ems {
|
|
self.exts.push(ServerExtension::ExtendedMasterSecretAck);
|
|
}
|
|
}
|
|
}
|
|
|
|
pub struct ExpectClientHello {
|
|
pub handshake: HandshakeDetails,
|
|
pub done_retry: bool,
|
|
pub send_cert_status: bool,
|
|
pub send_sct: bool,
|
|
pub send_ticket: bool,
|
|
}
|
|
|
|
impl ExpectClientHello {
|
|
pub fn new(server_config: &ServerConfig, extra_exts: Vec<ServerExtension>) -> ExpectClientHello {
|
|
let mut ech = ExpectClientHello {
|
|
handshake: HandshakeDetails::new(extra_exts),
|
|
done_retry: false,
|
|
send_cert_status: false,
|
|
send_sct: false,
|
|
send_ticket: false,
|
|
};
|
|
|
|
if server_config.verifier.offer_client_auth() {
|
|
ech.handshake.transcript.set_client_auth_enabled();
|
|
}
|
|
|
|
ech
|
|
}
|
|
|
|
fn into_expect_tls12_ccs(self) -> NextState {
|
|
Box::new(tls12::ExpectCCS {
|
|
handshake: self.handshake,
|
|
resuming: true,
|
|
send_ticket: self.send_ticket,
|
|
})
|
|
}
|
|
|
|
fn into_complete_tls13_client_hello_handling(self) -> tls13::CompleteClientHelloHandling {
|
|
tls13::CompleteClientHelloHandling {
|
|
handshake: self.handshake,
|
|
done_retry: self.done_retry,
|
|
send_cert_status: self.send_cert_status,
|
|
send_sct: self.send_sct,
|
|
send_ticket: self.send_ticket,
|
|
}
|
|
}
|
|
|
|
fn into_expect_tls12_certificate(self, kx: suites::KeyExchange) -> NextState {
|
|
Box::new(tls12::ExpectCertificate {
|
|
handshake: self.handshake,
|
|
server_kx: ServerKXDetails::new(kx),
|
|
send_ticket: self.send_ticket,
|
|
})
|
|
}
|
|
|
|
fn into_expect_tls12_client_kx(self, kx: suites::KeyExchange) -> NextState {
|
|
Box::new(tls12::ExpectClientKX {
|
|
handshake: self.handshake,
|
|
server_kx: ServerKXDetails::new(kx),
|
|
client_cert: None,
|
|
send_ticket: self.send_ticket,
|
|
})
|
|
}
|
|
|
|
fn emit_server_hello(&mut self,
|
|
sess: &mut ServerSessionImpl,
|
|
server_key: Option<&mut sign::CertifiedKey>,
|
|
hello: &ClientHelloPayload,
|
|
resumedata: Option<&persist::ServerSessionValue>)
|
|
-> Result<(), TLSError> {
|
|
let mut ep = ExtensionProcessing::new();
|
|
ep.process_common(sess, server_key, hello, resumedata, &self.handshake)?;
|
|
ep.process_tls12(sess, hello, &self.handshake);
|
|
|
|
self.send_ticket = ep.send_ticket;
|
|
self.send_cert_status = ep.send_cert_status;
|
|
self.send_sct = ep.send_sct;
|
|
|
|
let sh = Message {
|
|
typ: ContentType::Handshake,
|
|
version: ProtocolVersion::TLSv1_2,
|
|
payload: MessagePayload::Handshake(HandshakeMessagePayload {
|
|
typ: HandshakeType::ServerHello,
|
|
payload: HandshakePayload::ServerHello(ServerHelloPayload {
|
|
legacy_version: ProtocolVersion::TLSv1_2,
|
|
random: Random::from_slice(&self.handshake.randoms.server),
|
|
session_id: self.handshake.session_id,
|
|
cipher_suite: sess.common.get_suite_assert().suite,
|
|
compression_method: Compression::Null,
|
|
extensions: ep.exts,
|
|
}),
|
|
}),
|
|
};
|
|
|
|
trace!("sending server hello {:?}", sh);
|
|
self.handshake.transcript.add_message(&sh);
|
|
sess.common.send_msg(sh, false);
|
|
Ok(())
|
|
}
|
|
|
|
fn emit_certificate(&mut self,
|
|
sess: &mut ServerSessionImpl,
|
|
server_certkey: &mut sign::CertifiedKey) {
|
|
let cert_chain = server_certkey.take_cert();
|
|
|
|
let c = Message {
|
|
typ: ContentType::Handshake,
|
|
version: ProtocolVersion::TLSv1_2,
|
|
payload: MessagePayload::Handshake(HandshakeMessagePayload {
|
|
typ: HandshakeType::Certificate,
|
|
payload: HandshakePayload::Certificate(cert_chain),
|
|
}),
|
|
};
|
|
|
|
self.handshake.transcript.add_message(&c);
|
|
sess.common.send_msg(c, false);
|
|
}
|
|
|
|
fn emit_cert_status(&mut self,
|
|
sess: &mut ServerSessionImpl,
|
|
server_certkey: &mut sign::CertifiedKey) {
|
|
if !self.send_cert_status ||
|
|
!server_certkey.has_ocsp() {
|
|
return;
|
|
}
|
|
|
|
let ocsp = server_certkey.take_ocsp();
|
|
let st = CertificateStatus::new(ocsp.unwrap());
|
|
|
|
let c = Message {
|
|
typ: ContentType::Handshake,
|
|
version: ProtocolVersion::TLSv1_2,
|
|
payload: MessagePayload::Handshake(HandshakeMessagePayload {
|
|
typ: HandshakeType::CertificateStatus,
|
|
payload: HandshakePayload::CertificateStatus(st)
|
|
}),
|
|
};
|
|
|
|
self.handshake.transcript.add_message(&c);
|
|
sess.common.send_msg(c, false);
|
|
}
|
|
|
|
fn emit_server_kx(&mut self,
|
|
sess: &mut ServerSessionImpl,
|
|
sigschemes: Vec<SignatureScheme>,
|
|
group: NamedGroup,
|
|
server_certkey: &mut sign::CertifiedKey)
|
|
-> Result<suites::KeyExchange, TLSError> {
|
|
let kx = sess.common.get_suite_assert()
|
|
.start_server_kx(group)
|
|
.ok_or_else(|| TLSError::PeerMisbehavedError("key exchange failed".to_string()))?;
|
|
let secdh = ServerECDHParams::new(group, kx.pubkey.as_ref());
|
|
|
|
let mut msg = Vec::new();
|
|
msg.extend(&self.handshake.randoms.client);
|
|
msg.extend(&self.handshake.randoms.server);
|
|
secdh.encode(&mut msg);
|
|
|
|
let signing_key = &server_certkey.key;
|
|
let signer = signing_key.choose_scheme(&sigschemes)
|
|
.ok_or_else(|| TLSError::General("incompatible signing key".to_string()))?;
|
|
let sigscheme = signer.get_scheme();
|
|
let sig = signer.sign(&msg)?;
|
|
|
|
let skx = ServerKeyExchangePayload::ECDHE(ECDHEServerKeyExchange {
|
|
params: secdh,
|
|
dss: DigitallySignedStruct::new(sigscheme, sig),
|
|
});
|
|
|
|
let m = Message {
|
|
typ: ContentType::Handshake,
|
|
version: ProtocolVersion::TLSv1_2,
|
|
payload: MessagePayload::Handshake(HandshakeMessagePayload {
|
|
typ: HandshakeType::ServerKeyExchange,
|
|
payload: HandshakePayload::ServerKeyExchange(skx),
|
|
}),
|
|
};
|
|
|
|
self.handshake.transcript.add_message(&m);
|
|
sess.common.send_msg(m, false);
|
|
Ok(kx)
|
|
}
|
|
|
|
fn emit_certificate_req(&mut self, sess: &mut ServerSessionImpl) -> bool {
|
|
let client_auth = &sess.config.verifier;
|
|
|
|
if !client_auth.offer_client_auth() {
|
|
return false;
|
|
}
|
|
|
|
let names = client_auth.client_auth_root_subjects();
|
|
|
|
let cr = CertificateRequestPayload {
|
|
certtypes: vec![ ClientCertificateType::RSASign,
|
|
ClientCertificateType::ECDSASign ],
|
|
sigschemes: verify::supported_verify_schemes().to_vec(),
|
|
canames: names,
|
|
};
|
|
|
|
let m = Message {
|
|
typ: ContentType::Handshake,
|
|
version: ProtocolVersion::TLSv1_2,
|
|
payload: MessagePayload::Handshake(HandshakeMessagePayload {
|
|
typ: HandshakeType::CertificateRequest,
|
|
payload: HandshakePayload::CertificateRequest(cr),
|
|
}),
|
|
};
|
|
|
|
trace!("Sending CertificateRequest {:?}", m);
|
|
self.handshake.transcript.add_message(&m);
|
|
sess.common.send_msg(m, false);
|
|
true
|
|
}
|
|
|
|
fn emit_server_hello_done(&mut self, sess: &mut ServerSessionImpl) {
|
|
let m = Message {
|
|
typ: ContentType::Handshake,
|
|
version: ProtocolVersion::TLSv1_2,
|
|
payload: MessagePayload::Handshake(HandshakeMessagePayload {
|
|
typ: HandshakeType::ServerHelloDone,
|
|
payload: HandshakePayload::ServerHelloDone,
|
|
}),
|
|
};
|
|
|
|
self.handshake.transcript.add_message(&m);
|
|
sess.common.send_msg(m, false);
|
|
}
|
|
|
|
fn start_resumption(mut self,
|
|
sess: &mut ServerSessionImpl,
|
|
client_hello: &ClientHelloPayload,
|
|
sni: Option<&webpki::DNSName>,
|
|
id: &SessionID,
|
|
resumedata: persist::ServerSessionValue)
|
|
-> NextStateOrError {
|
|
debug!("Resuming session");
|
|
|
|
if resumedata.extended_ms && !self.handshake.using_ems {
|
|
return Err(illegal_param(sess, "refusing to resume without ems"));
|
|
}
|
|
|
|
self.handshake.session_id = *id;
|
|
self.emit_server_hello(sess, None, client_hello, Some(&resumedata))?;
|
|
|
|
let hashalg = sess.common.get_suite_assert().get_hash();
|
|
let secrets = SessionSecrets::new_resume(&self.handshake.randoms,
|
|
hashalg,
|
|
&resumedata.master_secret.0);
|
|
sess.config.key_log.log("CLIENT_RANDOM",
|
|
&secrets.randoms.client,
|
|
&secrets.master_secret);
|
|
sess.common.start_encryption_tls12(secrets);
|
|
sess.client_cert_chain = resumedata.client_cert_chain;
|
|
|
|
if self.send_ticket {
|
|
tls12::emit_ticket(&mut self.handshake, sess);
|
|
}
|
|
tls12::emit_ccs(sess);
|
|
tls12::emit_finished(&mut self.handshake, sess);
|
|
|
|
assert!(same_dns_name_or_both_none(sni, sess.get_sni()));
|
|
|
|
Ok(self.into_expect_tls12_ccs())
|
|
}
|
|
|
|
}
|
|
|
|
impl State for ExpectClientHello {
|
|
fn check_message(&self, m: &Message) -> CheckResult {
|
|
check_handshake_message(m, &[HandshakeType::ClientHello])
|
|
}
|
|
|
|
fn handle(mut self: Box<Self>, sess: &mut ServerSessionImpl, m: Message) -> NextStateOrError {
|
|
let client_hello = extract_handshake!(m, HandshakePayload::ClientHello).unwrap();
|
|
let tls13_enabled = sess.config.supports_version(ProtocolVersion::TLSv1_3);
|
|
let tls12_enabled = sess.config.supports_version(ProtocolVersion::TLSv1_2);
|
|
trace!("we got a clienthello {:?}", client_hello);
|
|
|
|
if !client_hello.compression_methods.contains(&Compression::Null) {
|
|
sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
|
|
return Err(TLSError::PeerIncompatibleError("client did not offer Null compression"
|
|
.to_string()));
|
|
}
|
|
|
|
if client_hello.has_duplicate_extension() {
|
|
return Err(decode_error(sess, "client sent duplicate extensions"));
|
|
}
|
|
|
|
// Are we doing TLS1.3?
|
|
let maybe_versions_ext = client_hello.get_versions_extension();
|
|
if let Some(versions) = maybe_versions_ext {
|
|
if versions.contains(&ProtocolVersion::TLSv1_3) && tls13_enabled {
|
|
sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_3);
|
|
} else if !versions.contains(&ProtocolVersion::TLSv1_2) || !tls12_enabled {
|
|
return Err(bad_version(sess, "TLS1.2 not offered/enabled"));
|
|
}
|
|
} else if client_hello.client_version.get_u16() < ProtocolVersion::TLSv1_2.get_u16() {
|
|
return Err(bad_version(sess, "Client does not support TLSv1_2"));
|
|
} else if !tls12_enabled && tls13_enabled {
|
|
return Err(bad_version(sess, "Server requires TLS1.3, but client omitted versions ext"));
|
|
}
|
|
|
|
if sess.common.negotiated_version == None {
|
|
sess.common.negotiated_version = Some(ProtocolVersion::TLSv1_2);
|
|
}
|
|
|
|
// Common to TLS1.2 and TLS1.3: ciphersuite and certificate selection.
|
|
let default_sigschemes_ext = SupportedSignatureSchemes::default();
|
|
|
|
// Extract and validate the SNI DNS name, if any, before giving it to
|
|
// the cert resolver. In particular, if it is invalid then we should
|
|
// send an Illegal Parameter alert instead of the Internal Error alert
|
|
// (or whatever) that we'd send if this were checked later or in a
|
|
// different way.
|
|
let sni: Option<webpki::DNSName> = match client_hello.get_sni_extension() {
|
|
Some(sni) => {
|
|
match sni.get_hostname() {
|
|
Some(sni) => Some(sni.into()),
|
|
None => {
|
|
return Err(illegal_param(sess,
|
|
"ClientHello SNI did not contain a hostname."));
|
|
},
|
|
}
|
|
},
|
|
None => None,
|
|
};
|
|
|
|
let sigschemes_ext = client_hello.get_sigalgs_extension()
|
|
.unwrap_or(&default_sigschemes_ext);
|
|
|
|
// Choose a certificate.
|
|
let mut certkey = {
|
|
let sni_ref = sni.as_ref().map(webpki::DNSName::as_ref);
|
|
trace!("sni {:?}", sni_ref);
|
|
trace!("sig schemes {:?}", sigschemes_ext);
|
|
let certkey = sess.config.cert_resolver.resolve(sni_ref, sigschemes_ext);
|
|
certkey.ok_or_else(|| {
|
|
sess.common.send_fatal_alert(AlertDescription::AccessDenied);
|
|
TLSError::General("no server certificate chain resolved".to_string())
|
|
})?
|
|
};
|
|
|
|
// Reduce our supported ciphersuites by the certificate.
|
|
// (no-op for TLS1.3)
|
|
let suitable_suites = suites::reduce_given_sigalg(&sess.config.ciphersuites,
|
|
certkey.key.algorithm());
|
|
|
|
// And version
|
|
let protocol_version = sess.common.negotiated_version.unwrap();
|
|
let suitable_suites = suites::reduce_given_version(&suitable_suites, protocol_version);
|
|
|
|
let maybe_ciphersuite = if sess.config.ignore_client_order {
|
|
suites::choose_ciphersuite_preferring_server(&client_hello.cipher_suites, &suitable_suites)
|
|
} else {
|
|
suites::choose_ciphersuite_preferring_client(&client_hello.cipher_suites, &suitable_suites)
|
|
};
|
|
|
|
if maybe_ciphersuite.is_none() {
|
|
return Err(incompatible(sess, "no ciphersuites in common"));
|
|
}
|
|
|
|
debug!("decided upon suite {:?}", maybe_ciphersuite.as_ref().unwrap());
|
|
sess.common.set_suite(maybe_ciphersuite.unwrap());
|
|
|
|
// Start handshake hash.
|
|
let starting_hash = sess.common.get_suite_assert().get_hash();
|
|
if !self.handshake.transcript.start_hash(starting_hash) {
|
|
sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
|
|
return Err(TLSError::PeerIncompatibleError("hash differed on retry"
|
|
.to_string()));
|
|
}
|
|
|
|
// Save their Random.
|
|
client_hello.random.write_slice(&mut self.handshake.randoms.client);
|
|
|
|
if sess.common.is_tls13() {
|
|
return self.into_complete_tls13_client_hello_handling()
|
|
.handle_client_hello(sess, sni, certkey, &m);
|
|
}
|
|
|
|
// -- TLS1.2 only from hereon in --
|
|
save_sni(sess, sni.clone());
|
|
self.handshake.transcript.add_message(&m);
|
|
|
|
if client_hello.ems_support_offered() {
|
|
self.handshake.using_ems = true;
|
|
}
|
|
|
|
let groups_ext = client_hello.get_namedgroups_extension()
|
|
.ok_or_else(|| incompatible(sess, "client didn't describe groups"))?;
|
|
let ecpoints_ext = client_hello.get_ecpoints_extension()
|
|
.ok_or_else(|| incompatible(sess, "client didn't describe ec points"))?;
|
|
|
|
trace!("namedgroups {:?}", groups_ext);
|
|
trace!("ecpoints {:?}", ecpoints_ext);
|
|
|
|
if !ecpoints_ext.contains(&ECPointFormat::Uncompressed) {
|
|
sess.common.send_fatal_alert(AlertDescription::IllegalParameter);
|
|
return Err(TLSError::PeerIncompatibleError("client didn't support uncompressed ec points"
|
|
.to_string()));
|
|
}
|
|
|
|
// -- If TLS1.3 is enabled, signal the downgrade in the server random
|
|
if tls13_enabled {
|
|
self.handshake.randoms.set_tls12_downgrade_marker();
|
|
}
|
|
|
|
// -- Check for resumption --
|
|
// We can do this either by (in order of preference):
|
|
// 1. receiving a ticket that decrypts
|
|
// 2. receiving a sessionid that is in our cache
|
|
//
|
|
// If we receive a ticket, the sessionid won't be in our
|
|
// cache, so don't check.
|
|
//
|
|
// If either works, we end up with a ServerSessionValue
|
|
// which is passed to start_resumption and concludes
|
|
// our handling of the ClientHello.
|
|
//
|
|
let mut ticket_received = false;
|
|
|
|
if let Some(ticket_ext) = client_hello.get_ticket_extension() {
|
|
if let ClientExtension::SessionTicketOffer(ref ticket) = *ticket_ext {
|
|
ticket_received = true;
|
|
debug!("Ticket received");
|
|
|
|
let maybe_resume = sess.config
|
|
.ticketer
|
|
.decrypt(&ticket.0)
|
|
.and_then(|plain| persist::ServerSessionValue::read_bytes(&plain));
|
|
|
|
if can_resume(sess, &self.handshake, &maybe_resume) {
|
|
return self.start_resumption(sess,
|
|
client_hello, sni.as_ref(),
|
|
&client_hello.session_id,
|
|
maybe_resume.unwrap());
|
|
} else {
|
|
debug!("Ticket didn't decrypt");
|
|
}
|
|
}
|
|
}
|
|
|
|
// If we're not offered a ticket or a potential session ID,
|
|
// allocate a session ID.
|
|
if self.handshake.session_id.is_empty() && !ticket_received {
|
|
let mut bytes = [0u8; 32];
|
|
rand::fill_random(&mut bytes);
|
|
self.handshake.session_id = SessionID::new(&bytes);
|
|
}
|
|
|
|
// Perhaps resume? If we received a ticket, the sessionid
|
|
// does not correspond to a real session.
|
|
if !client_hello.session_id.is_empty() && !ticket_received {
|
|
let maybe_resume = sess.config.session_storage
|
|
.get(&client_hello.session_id.get_encoding())
|
|
.and_then(|x| persist::ServerSessionValue::read_bytes(&x));
|
|
|
|
if can_resume(sess, &self.handshake, &maybe_resume) {
|
|
return self.start_resumption(sess,
|
|
client_hello, sni.as_ref(),
|
|
&client_hello.session_id,
|
|
maybe_resume.unwrap());
|
|
}
|
|
}
|
|
|
|
// Now we have chosen a ciphersuite, we can make kx decisions.
|
|
let sigschemes = sess.common.get_suite_assert()
|
|
.resolve_sig_schemes(sigschemes_ext);
|
|
|
|
if sigschemes.is_empty() {
|
|
return Err(incompatible(sess, "no supported sig scheme"));
|
|
}
|
|
|
|
let group = util::first_in_both(suites::KeyExchange::supported_groups(),
|
|
groups_ext.as_slice())
|
|
.ok_or_else(|| incompatible(sess, "no supported group"))?;
|
|
|
|
let ecpoint = util::first_in_both(ECPointFormatList::supported().as_slice(),
|
|
ecpoints_ext.as_slice())
|
|
.ok_or_else(|| incompatible(sess, "no supported point format"))?;
|
|
|
|
debug_assert_eq!(ecpoint, ECPointFormat::Uncompressed);
|
|
|
|
self.emit_server_hello(sess, Some(&mut certkey), client_hello, None)?;
|
|
self.emit_certificate(sess, &mut certkey);
|
|
self.emit_cert_status(sess, &mut certkey);
|
|
let kx = self.emit_server_kx(sess, sigschemes, group, &mut certkey)?;
|
|
let doing_client_auth = self.emit_certificate_req(sess);
|
|
self.emit_server_hello_done(sess);
|
|
|
|
if doing_client_auth {
|
|
Ok(self.into_expect_tls12_certificate(kx))
|
|
} else {
|
|
Ok(self.into_expect_tls12_client_kx(kx))
|
|
}
|
|
}
|
|
}
|