Skip to content

Commit

Permalink
TLS 1.2 Client: Thread negotiated cipher suite through state machine.
Browse files Browse the repository at this point in the history 
Avoid using `get_suite_assert()`.
  • Loading branch information
@briansmith @djc
briansmith authored and djc committed Feb 16, 2021
1 parent c5bc060 commit d3c5ff6
Show file tree
Hide file tree
Showing 2 changed files with 25 additions and 8 deletions.
9 changes: 5 additions & 4 deletions rustls/src/client/hs.rs
View file
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#[cfg(feature = "logging")]
use crate::bs_debug;
use crate::check::check_message;
use crate::cipher;
use crate::{cipher, SupportedCipherSuite};
use crate::client::ClientSessionImpl;
use crate::error::TLSError;
use crate::key_schedule::{KeyScheduleEarly, KeyScheduleHandshake};
Expand Down Expand Up @@ -199,7 +199,7 @@ struct ExpectServerHelloOrHelloRetryRequest {

pub fn compatible_suite(
sess: &ClientSessionImpl,
resuming_suite: &suites::SupportedCipherSuite,
resuming_suite: &SupportedCipherSuite,
) -> bool {
match sess.common.get_suite() {
Some(suite) => suite.can_resume_to(&resuming_suite),
Expand Down Expand Up @@ -496,9 +496,10 @@ impl ExpectServerHello {
})
}

fn into_expect_tls12_certificate(self) -> NextState {
fn into_expect_tls12_certificate(self, suite: &'static SupportedCipherSuite) -> NextState {
Box::new(tls12::ExpectCertificate {
handshake: self.handshake,
suite,
server_cert: self.server_cert,
may_send_cert_status: self.may_send_cert_status,
must_issue_new_ticket: self.must_issue_new_ticket,
Expand Down Expand Up @@ -746,7 +747,7 @@ impl State for ExpectServerHello {
}
}

Ok(self.into_expect_tls12_certificate())
Ok(self.into_expect_tls12_certificate(scs))
}
}

Expand Down
24 changes: 20 additions & 4 deletions rustls/src/client/tls12.rs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ use crate::msgs::handshake::{HandshakeMessagePayload, HandshakePayload};
use crate::msgs::message::{Message, MessagePayload};
use crate::msgs::persist;
use crate::session::SessionSecrets;
use crate::suites;
use crate::{suites, SupportedCipherSuite};
use crate::ticketer;
use crate::verify;

Expand All @@ -28,6 +28,7 @@ use std::mem;

pub struct ExpectCertificate {
pub handshake: HandshakeDetails,
pub suite: &'static SupportedCipherSuite,
pub server_cert: ServerCertDetails,
pub may_send_cert_status: bool,
pub must_issue_new_ticket: bool,
Expand All @@ -37,6 +38,7 @@ impl ExpectCertificate {
fn into_expect_certificate_status_or_server_kx(self) -> hs::NextState {
Box::new(ExpectCertificateStatusOrServerKX {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
must_issue_new_ticket: self.must_issue_new_ticket,
})
Expand All @@ -45,6 +47,7 @@ impl ExpectCertificate {
fn into_expect_server_kx(self) -> hs::NextState {
Box::new(ExpectServerKX {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
must_issue_new_ticket: self.must_issue_new_ticket,
})
Expand Down Expand Up @@ -75,6 +78,7 @@ impl hs::State for ExpectCertificate {

struct ExpectCertificateStatus {
handshake: HandshakeDetails,
suite: &'static SupportedCipherSuite,
server_cert: ServerCertDetails,
must_issue_new_ticket: bool,
}
Expand All @@ -83,6 +87,7 @@ impl ExpectCertificateStatus {
fn into_expect_server_kx(self) -> hs::NextState {
Box::new(ExpectServerKX {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
must_issue_new_ticket: self.must_issue_new_ticket,
})
Expand Down Expand Up @@ -115,6 +120,7 @@ impl hs::State for ExpectCertificateStatus {

struct ExpectCertificateStatusOrServerKX {
handshake: HandshakeDetails,
suite: &'static SupportedCipherSuite,
server_cert: ServerCertDetails,
must_issue_new_ticket: bool,
}
Expand All @@ -123,6 +129,7 @@ impl ExpectCertificateStatusOrServerKX {
fn into_expect_server_kx(self) -> hs::NextState {
Box::new(ExpectServerKX {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
must_issue_new_ticket: self.must_issue_new_ticket,
})
Expand All @@ -131,6 +138,7 @@ impl ExpectCertificateStatusOrServerKX {
fn into_expect_certificate_status(self) -> hs::NextState {
Box::new(ExpectCertificateStatus {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
must_issue_new_ticket: self.must_issue_new_ticket,
})
Expand Down Expand Up @@ -159,6 +167,7 @@ impl hs::State for ExpectCertificateStatusOrServerKX {

struct ExpectServerKX {
handshake: HandshakeDetails,
suite: &'static SupportedCipherSuite,
server_cert: ServerCertDetails,
must_issue_new_ticket: bool,
}
Expand All @@ -167,6 +176,7 @@ impl ExpectServerKX {
fn into_expect_server_done_or_certreq(self, skx: ServerKXDetails) -> hs::NextState {
Box::new(ExpectServerDoneOrCertReq {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
server_kx: skx,
must_issue_new_ticket: self.must_issue_new_ticket,
Expand All @@ -189,7 +199,7 @@ impl hs::State for ExpectServerKX {
.transcript
.add_message(&m);

let decoded_kx = opaque_kx.unwrap_given_kxa(&sess.common.get_suite_assert().kx)
let decoded_kx = opaque_kx.unwrap_given_kxa(&self.suite.kx)
.ok_or_else(|| {
sess.common
.send_fatal_alert(AlertDescription::DecodeError);
Expand Down Expand Up @@ -331,6 +341,7 @@ fn emit_finished(
// client auth. Otherwise we go straight to ServerHelloDone.
struct ExpectCertificateRequest {
handshake: HandshakeDetails,
suite: &'static SupportedCipherSuite,
server_cert: ServerCertDetails,
server_kx: ServerKXDetails,
must_issue_new_ticket: bool,
Expand All @@ -340,6 +351,7 @@ impl ExpectCertificateRequest {
fn into_expect_server_done(self, client_auth: ClientAuthDetails) -> hs::NextState {
Box::new(ExpectServerDone {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
server_kx: self.server_kx,
client_auth: Some(client_auth),
Expand Down Expand Up @@ -402,6 +414,7 @@ impl hs::State for ExpectCertificateRequest {

struct ExpectServerDoneOrCertReq {
handshake: HandshakeDetails,
suite: &'static SupportedCipherSuite,
server_cert: ServerCertDetails,
server_kx: ServerKXDetails,
must_issue_new_ticket: bool,
Expand All @@ -411,6 +424,7 @@ impl ExpectServerDoneOrCertReq {
fn into_expect_certificate_req(self) -> hs::NextState {
Box::new(ExpectCertificateRequest {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
server_kx: self.server_kx,
must_issue_new_ticket: self.must_issue_new_ticket,
Expand All @@ -420,6 +434,7 @@ impl ExpectServerDoneOrCertReq {
fn into_expect_server_done(self) -> hs::NextState {
Box::new(ExpectServerDone {
handshake: self.handshake,
suite: self.suite,
server_cert: self.server_cert,
server_kx: self.server_kx,
client_auth: None,
Expand Down Expand Up @@ -455,6 +470,7 @@ impl hs::State for ExpectServerDoneOrCertReq {

struct ExpectServerDone {
handshake: HandshakeDetails,
suite: &'static SupportedCipherSuite,
server_cert: ServerCertDetails,
server_kx: ServerKXDetails,
client_auth: Option<ClientAuthDetails>,
Expand Down Expand Up @@ -509,7 +525,7 @@ impl hs::State for ExpectServerDone {
trace!("Server cert is {:?}", st.server_cert.cert_chain);
debug!("Server DNS name is {:?}", st.handshake.dns_name);

let suite = sess.common.get_suite_assert();
let suite = st.suite;

// 1. Verify the cert chain.
// 2. Verify any SCTs provided with the certificate.
Expand Down Expand Up @@ -613,7 +629,7 @@ impl hs::State for ExpectServerDone {
&kxd.shared_secret,
)
} else {
SessionSecrets::new(&st.handshake.randoms, suite, &kxd.shared_secret)
SessionSecrets::new(&st.handshake.randoms, suite, &kxd.shared_secret)
};
sess.config.key_log.log(
"CLIENT_RANDOM",
Expand Down

0 comments on commit d3c5ff6

Please sign in to comment.