rustls/server/
tls13.rs

1use alloc::boxed::Box;
2use alloc::sync::Arc;
3use alloc::vec;
4use alloc::vec::Vec;
5
6pub(super) use client_hello::CompleteClientHelloHandling;
7use pki_types::{CertificateDer, UnixTime};
8use subtle::ConstantTimeEq;
9
10use super::hs::{self, HandshakeHashOrBuffer, ServerContext};
11use super::server_conn::ServerConnectionData;
12use crate::check::{inappropriate_handshake_message, inappropriate_message};
13use crate::common_state::{
14    CommonState, HandshakeFlightTls13, HandshakeKind, Protocol, Side, State,
15};
16use crate::conn::ConnectionRandoms;
17use crate::enums::{AlertDescription, ContentType, HandshakeType, ProtocolVersion};
18use crate::error::{Error, InvalidMessage, PeerIncompatible, PeerMisbehaved};
19use crate::hash_hs::HandshakeHash;
20use crate::log::{debug, trace, warn};
21use crate::msgs::codec::{Codec, Reader};
22use crate::msgs::enums::KeyUpdateRequest;
23use crate::msgs::handshake::{
24    CertificateChain, CertificatePayloadTls13, HandshakeMessagePayload, HandshakePayload,
25    NewSessionTicketExtension, NewSessionTicketPayloadTls13, CERTIFICATE_MAX_SIZE_LIMIT,
26};
27use crate::msgs::message::{Message, MessagePayload};
28use crate::msgs::persist;
29use crate::server::ServerConfig;
30use crate::suites::PartiallyExtractedSecrets;
31use crate::tls13::key_schedule::{
32    KeyScheduleTraffic, KeyScheduleTrafficWithClientFinishedPending, ResumptionSecret,
33};
34use crate::tls13::{
35    construct_client_verify_message, construct_server_verify_message, Tls13CipherSuite,
36};
37use crate::{compress, rand, verify};
38
39mod client_hello {
40    use super::*;
41    use crate::compress::CertCompressor;
42    use crate::crypto::SupportedKxGroup;
43    use crate::enums::SignatureScheme;
44    use crate::msgs::base::{Payload, PayloadU8};
45    use crate::msgs::ccs::ChangeCipherSpecPayload;
46    use crate::msgs::enums::{Compression, NamedGroup, PSKKeyExchangeMode};
47    use crate::msgs::handshake::{
48        CertReqExtension, CertificatePayloadTls13, CertificateRequestPayloadTls13,
49        ClientHelloPayload, HelloRetryExtension, HelloRetryRequest, KeyShareEntry, Random,
50        ServerExtension, ServerHelloPayload, SessionId,
51    };
52    use crate::server::common::ActiveCertifiedKey;
53    use crate::sign;
54    use crate::tls13::key_schedule::{
55        KeyScheduleEarly, KeyScheduleHandshake, KeySchedulePreHandshake,
56    };
57    use crate::verify::DigitallySignedStruct;
58
59    #[derive(PartialEq)]
60    pub(super) enum EarlyDataDecision {
61        Disabled,
62        RequestedButRejected,
63        Accepted,
64    }
65
66    pub(in crate::server) struct CompleteClientHelloHandling {
67        pub(in crate::server) config: Arc<ServerConfig>,
68        pub(in crate::server) transcript: HandshakeHash,
69        pub(in crate::server) suite: &'static Tls13CipherSuite,
70        pub(in crate::server) randoms: ConnectionRandoms,
71        pub(in crate::server) done_retry: bool,
72        pub(in crate::server) send_tickets: usize,
73        pub(in crate::server) extra_exts: Vec<ServerExtension>,
74    }
75
76    fn max_early_data_size(configured: u32) -> usize {
77        if configured != 0 {
78            configured as usize
79        } else {
80            // The relevant max_early_data_size may in fact be unknowable: if
81            // we (the server) have turned off early_data but the client has
82            // a stale ticket from when we allowed early_data: we'll naturally
83            // reject early_data but need an upper bound on the amount of data
84            // to drop.
85            //
86            // Use a single maximum-sized message.
87            16384
88        }
89    }
90
91    impl CompleteClientHelloHandling {
92        fn check_binder(
93            &self,
94            suite: &'static Tls13CipherSuite,
95            client_hello: &Message<'_>,
96            psk: &[u8],
97            binder: &[u8],
98        ) -> bool {
99            let binder_plaintext = match &client_hello.payload {
100                MessagePayload::Handshake { parsed, .. } => parsed.encoding_for_binder_signing(),
101                _ => unreachable!(),
102            };
103
104            let handshake_hash = self
105                .transcript
106                .hash_given(&binder_plaintext);
107
108            let key_schedule = KeyScheduleEarly::new(suite, psk);
109            let real_binder =
110                key_schedule.resumption_psk_binder_key_and_sign_verify_data(&handshake_hash);
111
112            ConstantTimeEq::ct_eq(real_binder.as_ref(), binder).into()
113        }
114
115        fn attempt_tls13_ticket_decryption(
116            &mut self,
117            ticket: &[u8],
118        ) -> Option<persist::ServerSessionValue> {
119            if self.config.ticketer.enabled() {
120                self.config
121                    .ticketer
122                    .decrypt(ticket)
123                    .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
124            } else {
125                self.config
126                    .session_storage
127                    .take(ticket)
128                    .and_then(|plain| persist::ServerSessionValue::read_bytes(&plain).ok())
129            }
130        }
131
132        pub(in crate::server) fn handle_client_hello(
133            mut self,
134            cx: &mut ServerContext<'_>,
135            server_key: ActiveCertifiedKey<'_>,
136            chm: &Message<'_>,
137            client_hello: &ClientHelloPayload,
138            selected_kxg: &'static dyn SupportedKxGroup,
139            mut sigschemes_ext: Vec<SignatureScheme>,
140        ) -> hs::NextStateOrError<'static> {
141            if client_hello.compression_methods.len() != 1 {
142                return Err(cx.common.send_fatal_alert(
143                    AlertDescription::IllegalParameter,
144                    PeerMisbehaved::OfferedIncorrectCompressions,
145                ));
146            }
147
148            sigschemes_ext.retain(SignatureScheme::supported_in_tls13);
149
150            let shares_ext = client_hello
151                .keyshare_extension()
152                .ok_or_else(|| {
153                    cx.common.send_fatal_alert(
154                        AlertDescription::HandshakeFailure,
155                        PeerIncompatible::KeyShareExtensionRequired,
156                    )
157                })?;
158
159            if client_hello.has_keyshare_extension_with_duplicates() {
160                return Err(cx.common.send_fatal_alert(
161                    AlertDescription::IllegalParameter,
162                    PeerMisbehaved::OfferedDuplicateKeyShares,
163                ));
164            }
165
166            if client_hello.has_certificate_compression_extension_with_duplicates() {
167                return Err(cx.common.send_fatal_alert(
168                    AlertDescription::IllegalParameter,
169                    PeerMisbehaved::OfferedDuplicateCertificateCompressions,
170                ));
171            }
172
173            let cert_compressor = client_hello
174                .certificate_compression_extension()
175                .and_then(|offered|
176                    // prefer server order when choosing a compression: the client's
177                    // extension here does not denote any preference.
178                    self.config
179                        .cert_compressors
180                        .iter()
181                        .find(|compressor| offered.contains(&compressor.algorithm()))
182                        .cloned());
183
184            let early_data_requested = client_hello.early_data_extension_offered();
185
186            // EarlyData extension is illegal in second ClientHello
187            if self.done_retry && early_data_requested {
188                return Err({
189                    cx.common.send_fatal_alert(
190                        AlertDescription::IllegalParameter,
191                        PeerMisbehaved::EarlyDataAttemptedInSecondClientHello,
192                    )
193                });
194            }
195
196            // See if there is a KeyShare for the selected kx group.
197            let chosen_share_and_kxg = shares_ext.iter().find_map(|share| {
198                (share.group == selected_kxg.name()).then_some((share, selected_kxg))
199            });
200
201            let Some(chosen_share_and_kxg) = chosen_share_and_kxg else {
202                // We don't have a suitable key share.  Send a HelloRetryRequest
203                // for the mutually_preferred_group.
204                self.transcript.add_message(chm);
205
206                if self.done_retry {
207                    return Err(cx.common.send_fatal_alert(
208                        AlertDescription::IllegalParameter,
209                        PeerMisbehaved::RefusedToFollowHelloRetryRequest,
210                    ));
211                }
212
213                emit_hello_retry_request(
214                    &mut self.transcript,
215                    self.suite,
216                    client_hello.session_id,
217                    cx.common,
218                    selected_kxg.name(),
219                );
220                emit_fake_ccs(cx.common);
221
222                let skip_early_data = max_early_data_size(self.config.max_early_data_size);
223
224                let next = Box::new(hs::ExpectClientHello {
225                    config: self.config,
226                    transcript: HandshakeHashOrBuffer::Hash(self.transcript),
227                    #[cfg(feature = "tls12")]
228                    session_id: SessionId::empty(),
229                    #[cfg(feature = "tls12")]
230                    using_ems: false,
231                    done_retry: true,
232                    send_tickets: self.send_tickets,
233                    extra_exts: self.extra_exts,
234                });
235
236                return if early_data_requested {
237                    Ok(Box::new(ExpectAndSkipRejectedEarlyData {
238                        skip_data_left: skip_early_data,
239                        next,
240                    }))
241                } else {
242                    Ok(next)
243                };
244            };
245
246            let mut chosen_psk_index = None;
247            let mut resumedata = None;
248
249            if let Some(psk_offer) = client_hello.psk() {
250                if !client_hello.check_psk_ext_is_last() {
251                    return Err(cx.common.send_fatal_alert(
252                        AlertDescription::IllegalParameter,
253                        PeerMisbehaved::PskExtensionMustBeLast,
254                    ));
255                }
256
257                // "A client MUST provide a "psk_key_exchange_modes" extension if it
258                //  offers a "pre_shared_key" extension. If clients offer
259                //  "pre_shared_key" without a "psk_key_exchange_modes" extension,
260                //  servers MUST abort the handshake." - RFC8446 4.2.9
261                if client_hello.psk_modes().is_none() {
262                    return Err(cx.common.send_fatal_alert(
263                        AlertDescription::MissingExtension,
264                        PeerMisbehaved::MissingPskModesExtension,
265                    ));
266                }
267
268                if psk_offer.binders.is_empty() {
269                    return Err(cx.common.send_fatal_alert(
270                        AlertDescription::DecodeError,
271                        PeerMisbehaved::MissingBinderInPskExtension,
272                    ));
273                }
274
275                if psk_offer.binders.len() != psk_offer.identities.len() {
276                    return Err(cx.common.send_fatal_alert(
277                        AlertDescription::IllegalParameter,
278                        PeerMisbehaved::PskExtensionWithMismatchedIdsAndBinders,
279                    ));
280                }
281
282                let now = self.config.current_time()?;
283
284                for (i, psk_id) in psk_offer.identities.iter().enumerate() {
285                    let maybe_resume_data = self
286                        .attempt_tls13_ticket_decryption(&psk_id.identity.0)
287                        .map(|resumedata| {
288                            resumedata.set_freshness(psk_id.obfuscated_ticket_age, now)
289                        })
290                        .filter(|resumedata| {
291                            hs::can_resume(self.suite.into(), &cx.data.sni, false, resumedata)
292                        });
293
294                    let Some(resume) = maybe_resume_data else {
295                        continue;
296                    };
297
298                    if !self.check_binder(
299                        self.suite,
300                        chm,
301                        &resume.master_secret.0,
302                        psk_offer.binders[i].as_ref(),
303                    ) {
304                        return Err(cx.common.send_fatal_alert(
305                            AlertDescription::DecryptError,
306                            PeerMisbehaved::IncorrectBinder,
307                        ));
308                    }
309
310                    chosen_psk_index = Some(i);
311                    resumedata = Some(resume);
312                    break;
313                }
314            }
315
316            if !client_hello.psk_mode_offered(PSKKeyExchangeMode::PSK_DHE_KE) {
317                debug!("Client unwilling to resume, DHE_KE not offered");
318                self.send_tickets = 0;
319                chosen_psk_index = None;
320                resumedata = None;
321            } else {
322                self.send_tickets = self.config.send_tls13_tickets;
323            }
324
325            if let Some(ref resume) = resumedata {
326                cx.data.received_resumption_data = Some(resume.application_data.0.clone());
327                cx.common
328                    .peer_certificates
329                    .clone_from(&resume.client_cert_chain);
330            }
331
332            let full_handshake = resumedata.is_none();
333            self.transcript.add_message(chm);
334            let key_schedule = emit_server_hello(
335                &mut self.transcript,
336                &self.randoms,
337                self.suite,
338                cx,
339                &client_hello.session_id,
340                chosen_share_and_kxg,
341                chosen_psk_index,
342                resumedata
343                    .as_ref()
344                    .map(|x| &x.master_secret.0[..]),
345                &self.config,
346            )?;
347            if !self.done_retry {
348                emit_fake_ccs(cx.common);
349            }
350
351            if full_handshake {
352                cx.common
353                    .handshake_kind
354                    .get_or_insert(HandshakeKind::Full);
355            } else {
356                cx.common.handshake_kind = Some(HandshakeKind::Resumed);
357            }
358
359            let mut ocsp_response = server_key.get_ocsp();
360            let mut flight = HandshakeFlightTls13::new(&mut self.transcript);
361            let doing_early_data = emit_encrypted_extensions(
362                &mut flight,
363                self.suite,
364                cx,
365                &mut ocsp_response,
366                client_hello,
367                resumedata.as_ref(),
368                self.extra_exts,
369                &self.config,
370            )?;
371
372            let doing_client_auth = if full_handshake {
373                let client_auth = emit_certificate_req_tls13(&mut flight, &self.config)?;
374
375                if let Some(compressor) = cert_compressor {
376                    emit_compressed_certificate_tls13(
377                        &mut flight,
378                        &self.config,
379                        server_key.get_cert(),
380                        ocsp_response,
381                        compressor,
382                    );
383                } else {
384                    emit_certificate_tls13(&mut flight, server_key.get_cert(), ocsp_response);
385                }
386                emit_certificate_verify_tls13(
387                    &mut flight,
388                    cx.common,
389                    server_key.get_key(),
390                    &sigschemes_ext,
391                )?;
392                client_auth
393            } else {
394                false
395            };
396
397            // If we're not doing early data, then the next messages we receive
398            // are encrypted with the handshake keys.
399            match doing_early_data {
400                EarlyDataDecision::Disabled => {
401                    key_schedule.set_handshake_decrypter(None, cx.common);
402                    cx.data.early_data.reject();
403                }
404                EarlyDataDecision::RequestedButRejected => {
405                    debug!("Client requested early_data, but not accepted: switching to handshake keys with trial decryption");
406                    key_schedule.set_handshake_decrypter(
407                        Some(max_early_data_size(self.config.max_early_data_size)),
408                        cx.common,
409                    );
410                    cx.data.early_data.reject();
411                }
412                EarlyDataDecision::Accepted => {
413                    cx.data
414                        .early_data
415                        .accept(self.config.max_early_data_size as usize);
416                }
417            }
418
419            cx.common.check_aligned_handshake()?;
420            let key_schedule_traffic =
421                emit_finished_tls13(flight, &self.randoms, cx, key_schedule, &self.config);
422
423            if !doing_client_auth && self.config.send_half_rtt_data {
424                // Application data can be sent immediately after Finished, in one
425                // flight.  However, if client auth is enabled, we don't want to send
426                // application data to an unauthenticated peer.
427                cx.common
428                    .start_outgoing_traffic(&mut cx.sendable_plaintext);
429            }
430
431            if doing_client_auth {
432                if self
433                    .config
434                    .cert_decompressors
435                    .is_empty()
436                {
437                    Ok(Box::new(ExpectCertificate {
438                        config: self.config,
439                        transcript: self.transcript,
440                        suite: self.suite,
441                        key_schedule: key_schedule_traffic,
442                        send_tickets: self.send_tickets,
443                        message_already_in_transcript: false,
444                    }))
445                } else {
446                    Ok(Box::new(ExpectCertificateOrCompressedCertificate {
447                        config: self.config,
448                        transcript: self.transcript,
449                        suite: self.suite,
450                        key_schedule: key_schedule_traffic,
451                        send_tickets: self.send_tickets,
452                    }))
453                }
454            } else if doing_early_data == EarlyDataDecision::Accepted && !cx.common.is_quic() {
455                // Not used for QUIC: RFC 9001 ยง8.3: Clients MUST NOT send the EndOfEarlyData
456                // message. A server MUST treat receipt of a CRYPTO frame in a 0-RTT packet as a
457                // connection error of type PROTOCOL_VIOLATION.
458                Ok(Box::new(ExpectEarlyData {
459                    config: self.config,
460                    transcript: self.transcript,
461                    suite: self.suite,
462                    key_schedule: key_schedule_traffic,
463                    send_tickets: self.send_tickets,
464                }))
465            } else {
466                Ok(Box::new(ExpectFinished {
467                    config: self.config,
468                    transcript: self.transcript,
469                    suite: self.suite,
470                    key_schedule: key_schedule_traffic,
471                    send_tickets: self.send_tickets,
472                }))
473            }
474        }
475    }
476
477    fn emit_server_hello(
478        transcript: &mut HandshakeHash,
479        randoms: &ConnectionRandoms,
480        suite: &'static Tls13CipherSuite,
481        cx: &mut ServerContext<'_>,
482        session_id: &SessionId,
483        share_and_kxgroup: (&KeyShareEntry, &'static dyn SupportedKxGroup),
484        chosen_psk_idx: Option<usize>,
485        resuming_psk: Option<&[u8]>,
486        config: &ServerConfig,
487    ) -> Result<KeyScheduleHandshake, Error> {
488        let mut extensions = Vec::new();
489
490        // Prepare key exchange; the caller already found the matching SupportedKxGroup
491        let (share, kxgroup) = share_and_kxgroup;
492        debug_assert_eq!(kxgroup.name(), share.group);
493        let ckx = kxgroup
494            .start_and_complete(&share.payload.0)
495            .map_err(|err| {
496                cx.common
497                    .send_fatal_alert(AlertDescription::IllegalParameter, err)
498            })?;
499        cx.common.kx_state.complete();
500
501        extensions.push(ServerExtension::KeyShare(KeyShareEntry::new(
502            ckx.group,
503            ckx.pub_key,
504        )));
505        extensions.push(ServerExtension::SupportedVersions(ProtocolVersion::TLSv1_3));
506
507        if let Some(psk_idx) = chosen_psk_idx {
508            extensions.push(ServerExtension::PresharedKey(psk_idx as u16));
509        }
510
511        let sh = Message {
512            version: ProtocolVersion::TLSv1_2,
513            payload: MessagePayload::handshake(HandshakeMessagePayload {
514                typ: HandshakeType::ServerHello,
515                payload: HandshakePayload::ServerHello(ServerHelloPayload {
516                    legacy_version: ProtocolVersion::TLSv1_2,
517                    random: Random::from(randoms.server),
518                    session_id: *session_id,
519                    cipher_suite: suite.common.suite,
520                    compression_method: Compression::Null,
521                    extensions,
522                }),
523            }),
524        };
525
526        cx.common.check_aligned_handshake()?;
527
528        let client_hello_hash = transcript.hash_given(&[]);
529
530        trace!("sending server hello {:?}", sh);
531        transcript.add_message(&sh);
532        cx.common.send_msg(sh, false);
533
534        // Start key schedule
535        let key_schedule_pre_handshake = if let Some(psk) = resuming_psk {
536            let early_key_schedule = KeyScheduleEarly::new(suite, psk);
537            early_key_schedule.client_early_traffic_secret(
538                &client_hello_hash,
539                &*config.key_log,
540                &randoms.client,
541                cx.common,
542            );
543
544            KeySchedulePreHandshake::from(early_key_schedule)
545        } else {
546            KeySchedulePreHandshake::new(suite)
547        };
548
549        // Do key exchange
550        let key_schedule = key_schedule_pre_handshake.into_handshake(ckx.secret);
551
552        let handshake_hash = transcript.current_hash();
553        let key_schedule = key_schedule.derive_server_handshake_secrets(
554            handshake_hash,
555            &*config.key_log,
556            &randoms.client,
557            cx.common,
558        );
559
560        Ok(key_schedule)
561    }
562
563    fn emit_fake_ccs(common: &mut CommonState) {
564        if common.is_quic() {
565            return;
566        }
567        let m = Message {
568            version: ProtocolVersion::TLSv1_2,
569            payload: MessagePayload::ChangeCipherSpec(ChangeCipherSpecPayload {}),
570        };
571        common.send_msg(m, false);
572    }
573
574    fn emit_hello_retry_request(
575        transcript: &mut HandshakeHash,
576        suite: &'static Tls13CipherSuite,
577        session_id: SessionId,
578        common: &mut CommonState,
579        group: NamedGroup,
580    ) {
581        let mut req = HelloRetryRequest {
582            legacy_version: ProtocolVersion::TLSv1_2,
583            session_id,
584            cipher_suite: suite.common.suite,
585            extensions: Vec::new(),
586        };
587
588        req.extensions
589            .push(HelloRetryExtension::KeyShare(group));
590        req.extensions
591            .push(HelloRetryExtension::SupportedVersions(
592                ProtocolVersion::TLSv1_3,
593            ));
594
595        let m = Message {
596            version: ProtocolVersion::TLSv1_2,
597            payload: MessagePayload::handshake(HandshakeMessagePayload {
598                typ: HandshakeType::HelloRetryRequest,
599                payload: HandshakePayload::HelloRetryRequest(req),
600            }),
601        };
602
603        trace!("Requesting retry {:?}", m);
604        transcript.rollup_for_hrr();
605        transcript.add_message(&m);
606        common.send_msg(m, false);
607        common.handshake_kind = Some(HandshakeKind::FullWithHelloRetryRequest);
608    }
609
610    fn decide_if_early_data_allowed(
611        cx: &mut ServerContext<'_>,
612        client_hello: &ClientHelloPayload,
613        resumedata: Option<&persist::ServerSessionValue>,
614        suite: &'static Tls13CipherSuite,
615        config: &ServerConfig,
616    ) -> EarlyDataDecision {
617        let early_data_requested = client_hello.early_data_extension_offered();
618        let rejected_or_disabled = match early_data_requested {
619            true => EarlyDataDecision::RequestedButRejected,
620            false => EarlyDataDecision::Disabled,
621        };
622
623        let Some(resume) = resumedata else {
624            // never any early data if not resuming.
625            return rejected_or_disabled;
626        };
627
628        /* Non-zero max_early_data_size controls whether early_data is allowed at all.
629         * We also require stateful resumption. */
630        let early_data_configured = config.max_early_data_size > 0 && !config.ticketer.enabled();
631
632        /* "For PSKs provisioned via NewSessionTicket, a server MUST validate
633         *  that the ticket age for the selected PSK identity (computed by
634         *  subtracting ticket_age_add from PskIdentity.obfuscated_ticket_age
635         *  modulo 2^32) is within a small tolerance of the time since the ticket
636         *  was issued (see Section 8)." -- this is implemented in ServerSessionValue::set_freshness()
637         *  and related.
638         *
639         * "In order to accept early data, the server [...] MUST verify that the
640         *  following values are the same as those associated with the
641         *  selected PSK:
642         *
643         *  - The TLS version number
644         *  - The selected cipher suite
645         *  - The selected ALPN [RFC7301] protocol, if any"
646         *
647         * (RFC8446, 4.2.10) */
648        let early_data_possible = early_data_requested
649            && resume.is_fresh()
650            && Some(resume.version) == cx.common.negotiated_version
651            && resume.cipher_suite == suite.common.suite
652            && resume.alpn.as_ref().map(|x| &x.0) == cx.common.alpn_protocol.as_ref();
653
654        if early_data_configured && early_data_possible && !cx.data.early_data.was_rejected() {
655            EarlyDataDecision::Accepted
656        } else {
657            if cx.common.is_quic() {
658                // Clobber value set in tls13::emit_server_hello
659                cx.common.quic.early_secret = None;
660            }
661
662            rejected_or_disabled
663        }
664    }
665
666    fn emit_encrypted_extensions(
667        flight: &mut HandshakeFlightTls13<'_>,
668        suite: &'static Tls13CipherSuite,
669        cx: &mut ServerContext<'_>,
670        ocsp_response: &mut Option<&[u8]>,
671        hello: &ClientHelloPayload,
672        resumedata: Option<&persist::ServerSessionValue>,
673        extra_exts: Vec<ServerExtension>,
674        config: &ServerConfig,
675    ) -> Result<EarlyDataDecision, Error> {
676        let mut ep = hs::ExtensionProcessing::new();
677        ep.process_common(config, cx, ocsp_response, hello, resumedata, extra_exts)?;
678
679        let early_data = decide_if_early_data_allowed(cx, hello, resumedata, suite, config);
680        if early_data == EarlyDataDecision::Accepted {
681            ep.exts.push(ServerExtension::EarlyData);
682        }
683
684        let ee = HandshakeMessagePayload {
685            typ: HandshakeType::EncryptedExtensions,
686            payload: HandshakePayload::EncryptedExtensions(ep.exts),
687        };
688
689        trace!("sending encrypted extensions {:?}", ee);
690        flight.add(ee);
691        Ok(early_data)
692    }
693
694    fn emit_certificate_req_tls13(
695        flight: &mut HandshakeFlightTls13<'_>,
696        config: &ServerConfig,
697    ) -> Result<bool, Error> {
698        if !config.verifier.offer_client_auth() {
699            return Ok(false);
700        }
701
702        let mut cr = CertificateRequestPayloadTls13 {
703            context: PayloadU8::empty(),
704            extensions: Vec::new(),
705        };
706
707        let schemes = config
708            .verifier
709            .supported_verify_schemes();
710        cr.extensions
711            .push(CertReqExtension::SignatureAlgorithms(schemes.to_vec()));
712
713        if !config.cert_decompressors.is_empty() {
714            cr.extensions
715                .push(CertReqExtension::CertificateCompressionAlgorithms(
716                    config
717                        .cert_decompressors
718                        .iter()
719                        .map(|decomp| decomp.algorithm())
720                        .collect(),
721                ));
722        }
723
724        let authorities = config.verifier.root_hint_subjects();
725        if !authorities.is_empty() {
726            cr.extensions
727                .push(CertReqExtension::AuthorityNames(authorities.to_vec()));
728        }
729
730        let creq = HandshakeMessagePayload {
731            typ: HandshakeType::CertificateRequest,
732            payload: HandshakePayload::CertificateRequestTls13(cr),
733        };
734
735        trace!("Sending CertificateRequest {:?}", creq);
736        flight.add(creq);
737        Ok(true)
738    }
739
740    fn emit_certificate_tls13(
741        flight: &mut HandshakeFlightTls13<'_>,
742        cert_chain: &[CertificateDer<'static>],
743        ocsp_response: Option<&[u8]>,
744    ) {
745        let cert = HandshakeMessagePayload {
746            typ: HandshakeType::Certificate,
747            payload: HandshakePayload::CertificateTls13(CertificatePayloadTls13::new(
748                cert_chain.iter(),
749                ocsp_response,
750            )),
751        };
752
753        trace!("sending certificate {:?}", cert);
754        flight.add(cert);
755    }
756
757    fn emit_compressed_certificate_tls13(
758        flight: &mut HandshakeFlightTls13<'_>,
759        config: &ServerConfig,
760        cert_chain: &[CertificateDer<'static>],
761        ocsp_response: Option<&[u8]>,
762        cert_compressor: &'static dyn CertCompressor,
763    ) {
764        let payload = CertificatePayloadTls13::new(cert_chain.iter(), ocsp_response);
765
766        let Ok(entry) = config
767            .cert_compression_cache
768            .compression_for(cert_compressor, &payload)
769        else {
770            return emit_certificate_tls13(flight, cert_chain, ocsp_response);
771        };
772
773        let c = HandshakeMessagePayload {
774            typ: HandshakeType::CompressedCertificate,
775            payload: HandshakePayload::CompressedCertificate(entry.compressed_cert_payload()),
776        };
777
778        trace!("sending compressed certificate {:?}", c);
779        flight.add(c);
780    }
781
782    fn emit_certificate_verify_tls13(
783        flight: &mut HandshakeFlightTls13<'_>,
784        common: &mut CommonState,
785        signing_key: &dyn sign::SigningKey,
786        schemes: &[SignatureScheme],
787    ) -> Result<(), Error> {
788        let message = construct_server_verify_message(&flight.transcript.current_hash());
789
790        let signer = signing_key
791            .choose_scheme(schemes)
792            .ok_or_else(|| {
793                common.send_fatal_alert(
794                    AlertDescription::HandshakeFailure,
795                    PeerIncompatible::NoSignatureSchemesInCommon,
796                )
797            })?;
798
799        let scheme = signer.scheme();
800        let sig = signer.sign(message.as_ref())?;
801
802        let cv = DigitallySignedStruct::new(scheme, sig);
803
804        let cv = HandshakeMessagePayload {
805            typ: HandshakeType::CertificateVerify,
806            payload: HandshakePayload::CertificateVerify(cv),
807        };
808
809        trace!("sending certificate-verify {:?}", cv);
810        flight.add(cv);
811        Ok(())
812    }
813
814    fn emit_finished_tls13(
815        mut flight: HandshakeFlightTls13<'_>,
816        randoms: &ConnectionRandoms,
817        cx: &mut ServerContext<'_>,
818        key_schedule: KeyScheduleHandshake,
819        config: &ServerConfig,
820    ) -> KeyScheduleTrafficWithClientFinishedPending {
821        let handshake_hash = flight.transcript.current_hash();
822        let verify_data = key_schedule.sign_server_finish(&handshake_hash);
823        let verify_data_payload = Payload::new(verify_data.as_ref());
824
825        let fin = HandshakeMessagePayload {
826            typ: HandshakeType::Finished,
827            payload: HandshakePayload::Finished(verify_data_payload),
828        };
829
830        trace!("sending finished {:?}", fin);
831        flight.add(fin);
832        let hash_at_server_fin = flight.transcript.current_hash();
833        flight.finish(cx.common);
834
835        // Now move to application data keys.  Read key change is deferred until
836        // the Finish message is received & validated.
837        key_schedule.into_traffic_with_client_finished_pending(
838            hash_at_server_fin,
839            &*config.key_log,
840            &randoms.client,
841            cx.common,
842        )
843    }
844}
845
846struct ExpectAndSkipRejectedEarlyData {
847    skip_data_left: usize,
848    next: Box<hs::ExpectClientHello>,
849}
850
851impl State<ServerConnectionData> for ExpectAndSkipRejectedEarlyData {
852    fn handle<'m>(
853        mut self: Box<Self>,
854        cx: &mut ServerContext<'_>,
855        m: Message<'m>,
856    ) -> hs::NextStateOrError<'m>
857    where
858        Self: 'm,
859    {
860        /* "The server then ignores early data by skipping all records with an external
861         *  content type of "application_data" (indicating that they are encrypted),
862         *  up to the configured max_early_data_size."
863         * (RFC8446, 14.2.10) */
864        if let MessagePayload::ApplicationData(ref skip_data) = m.payload {
865            if skip_data.bytes().len() <= self.skip_data_left {
866                self.skip_data_left -= skip_data.bytes().len();
867                return Ok(self);
868            }
869        }
870
871        self.next.handle(cx, m)
872    }
873
874    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
875        self
876    }
877}
878
879struct ExpectCertificateOrCompressedCertificate {
880    config: Arc<ServerConfig>,
881    transcript: HandshakeHash,
882    suite: &'static Tls13CipherSuite,
883    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
884    send_tickets: usize,
885}
886
887impl State<ServerConnectionData> for ExpectCertificateOrCompressedCertificate {
888    fn handle<'m>(
889        self: Box<Self>,
890        cx: &mut ServerContext<'_>,
891        m: Message<'m>,
892    ) -> hs::NextStateOrError<'m>
893    where
894        Self: 'm,
895    {
896        match m.payload {
897            MessagePayload::Handshake {
898                parsed:
899                    HandshakeMessagePayload {
900                        payload: HandshakePayload::CertificateTls13(..),
901                        ..
902                    },
903                ..
904            } => Box::new(ExpectCertificate {
905                config: self.config,
906                transcript: self.transcript,
907                suite: self.suite,
908                key_schedule: self.key_schedule,
909                send_tickets: self.send_tickets,
910                message_already_in_transcript: false,
911            })
912            .handle(cx, m),
913
914            MessagePayload::Handshake {
915                parsed:
916                    HandshakeMessagePayload {
917                        payload: HandshakePayload::CompressedCertificate(..),
918                        ..
919                    },
920                ..
921            } => Box::new(ExpectCompressedCertificate {
922                config: self.config,
923                transcript: self.transcript,
924                suite: self.suite,
925                key_schedule: self.key_schedule,
926                send_tickets: self.send_tickets,
927            })
928            .handle(cx, m),
929
930            payload => Err(inappropriate_handshake_message(
931                &payload,
932                &[ContentType::Handshake],
933                &[
934                    HandshakeType::Certificate,
935                    HandshakeType::CompressedCertificate,
936                ],
937            )),
938        }
939    }
940
941    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
942        self
943    }
944}
945
946struct ExpectCompressedCertificate {
947    config: Arc<ServerConfig>,
948    transcript: HandshakeHash,
949    suite: &'static Tls13CipherSuite,
950    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
951    send_tickets: usize,
952}
953
954impl State<ServerConnectionData> for ExpectCompressedCertificate {
955    fn handle<'m>(
956        mut self: Box<Self>,
957        cx: &mut ServerContext<'_>,
958        m: Message<'m>,
959    ) -> hs::NextStateOrError<'m>
960    where
961        Self: 'm,
962    {
963        self.transcript.add_message(&m);
964        let compressed_cert = require_handshake_msg_move!(
965            m,
966            HandshakeType::CompressedCertificate,
967            HandshakePayload::CompressedCertificate
968        )?;
969
970        let selected_decompressor = self
971            .config
972            .cert_decompressors
973            .iter()
974            .find(|item| item.algorithm() == compressed_cert.alg);
975
976        let Some(decompressor) = selected_decompressor else {
977            return Err(cx.common.send_fatal_alert(
978                AlertDescription::BadCertificate,
979                PeerMisbehaved::SelectedUnofferedCertCompression,
980            ));
981        };
982
983        if compressed_cert.uncompressed_len as usize > CERTIFICATE_MAX_SIZE_LIMIT {
984            return Err(cx.common.send_fatal_alert(
985                AlertDescription::BadCertificate,
986                InvalidMessage::MessageTooLarge,
987            ));
988        }
989
990        let mut decompress_buffer = vec![0u8; compressed_cert.uncompressed_len as usize];
991        if let Err(compress::DecompressionFailed) =
992            decompressor.decompress(compressed_cert.compressed.0.bytes(), &mut decompress_buffer)
993        {
994            return Err(cx.common.send_fatal_alert(
995                AlertDescription::BadCertificate,
996                PeerMisbehaved::InvalidCertCompression,
997            ));
998        }
999
1000        let cert_payload =
1001            match CertificatePayloadTls13::read(&mut Reader::init(&decompress_buffer)) {
1002                Ok(cm) => cm,
1003                Err(err) => {
1004                    return Err(cx
1005                        .common
1006                        .send_fatal_alert(AlertDescription::BadCertificate, err));
1007                }
1008            };
1009        trace!(
1010            "Client certificate decompressed using {:?} ({} bytes -> {})",
1011            compressed_cert.alg,
1012            compressed_cert
1013                .compressed
1014                .0
1015                .bytes()
1016                .len(),
1017            compressed_cert.uncompressed_len,
1018        );
1019
1020        let m = Message {
1021            version: ProtocolVersion::TLSv1_3,
1022            payload: MessagePayload::handshake(HandshakeMessagePayload {
1023                typ: HandshakeType::Certificate,
1024                payload: HandshakePayload::CertificateTls13(cert_payload.into_owned()),
1025            }),
1026        };
1027
1028        Box::new(ExpectCertificate {
1029            config: self.config,
1030            transcript: self.transcript,
1031            suite: self.suite,
1032            key_schedule: self.key_schedule,
1033            send_tickets: self.send_tickets,
1034            message_already_in_transcript: true,
1035        })
1036        .handle(cx, m)
1037    }
1038
1039    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1040        self
1041    }
1042}
1043
1044struct ExpectCertificate {
1045    config: Arc<ServerConfig>,
1046    transcript: HandshakeHash,
1047    suite: &'static Tls13CipherSuite,
1048    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1049    send_tickets: usize,
1050    message_already_in_transcript: bool,
1051}
1052
1053impl State<ServerConnectionData> for ExpectCertificate {
1054    fn handle<'m>(
1055        mut self: Box<Self>,
1056        cx: &mut ServerContext<'_>,
1057        m: Message<'m>,
1058    ) -> hs::NextStateOrError<'m>
1059    where
1060        Self: 'm,
1061    {
1062        if !self.message_already_in_transcript {
1063            self.transcript.add_message(&m);
1064        }
1065        let certp = require_handshake_msg_move!(
1066            m,
1067            HandshakeType::Certificate,
1068            HandshakePayload::CertificateTls13
1069        )?;
1070
1071        // We don't send any CertificateRequest extensions, so any extensions
1072        // here are illegal.
1073        if certp.any_entry_has_extension() {
1074            return Err(PeerMisbehaved::UnsolicitedCertExtension.into());
1075        }
1076
1077        let client_cert = certp.into_certificate_chain();
1078
1079        let mandatory = self
1080            .config
1081            .verifier
1082            .client_auth_mandatory();
1083
1084        let Some((end_entity, intermediates)) = client_cert.split_first() else {
1085            if !mandatory {
1086                debug!("client auth requested but no certificate supplied");
1087                self.transcript.abandon_client_auth();
1088                return Ok(Box::new(ExpectFinished {
1089                    config: self.config,
1090                    suite: self.suite,
1091                    key_schedule: self.key_schedule,
1092                    transcript: self.transcript,
1093                    send_tickets: self.send_tickets,
1094                }));
1095            }
1096
1097            return Err(cx.common.send_fatal_alert(
1098                AlertDescription::CertificateRequired,
1099                Error::NoCertificatesPresented,
1100            ));
1101        };
1102
1103        let now = self.config.current_time()?;
1104
1105        self.config
1106            .verifier
1107            .verify_client_cert(end_entity, intermediates, now)
1108            .map_err(|err| {
1109                cx.common
1110                    .send_cert_verify_error_alert(err)
1111            })?;
1112
1113        Ok(Box::new(ExpectCertificateVerify {
1114            config: self.config,
1115            suite: self.suite,
1116            transcript: self.transcript,
1117            key_schedule: self.key_schedule,
1118            client_cert: client_cert.into_owned(),
1119            send_tickets: self.send_tickets,
1120        }))
1121    }
1122
1123    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1124        self
1125    }
1126}
1127
1128struct ExpectCertificateVerify {
1129    config: Arc<ServerConfig>,
1130    transcript: HandshakeHash,
1131    suite: &'static Tls13CipherSuite,
1132    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1133    client_cert: CertificateChain<'static>,
1134    send_tickets: usize,
1135}
1136
1137impl State<ServerConnectionData> for ExpectCertificateVerify {
1138    fn handle<'m>(
1139        mut self: Box<Self>,
1140        cx: &mut ServerContext<'_>,
1141        m: Message<'m>,
1142    ) -> hs::NextStateOrError<'m>
1143    where
1144        Self: 'm,
1145    {
1146        let rc = {
1147            let sig = require_handshake_msg!(
1148                m,
1149                HandshakeType::CertificateVerify,
1150                HandshakePayload::CertificateVerify
1151            )?;
1152            let handshake_hash = self.transcript.current_hash();
1153            self.transcript.abandon_client_auth();
1154            let certs = &self.client_cert;
1155            let msg = construct_client_verify_message(&handshake_hash);
1156
1157            self.config
1158                .verifier
1159                .verify_tls13_signature(msg.as_ref(), &certs[0], sig)
1160        };
1161
1162        if let Err(e) = rc {
1163            return Err(cx
1164                .common
1165                .send_cert_verify_error_alert(e));
1166        }
1167
1168        trace!("client CertificateVerify OK");
1169        cx.common.peer_certificates = Some(self.client_cert);
1170
1171        self.transcript.add_message(&m);
1172        Ok(Box::new(ExpectFinished {
1173            config: self.config,
1174            suite: self.suite,
1175            key_schedule: self.key_schedule,
1176            transcript: self.transcript,
1177            send_tickets: self.send_tickets,
1178        }))
1179    }
1180
1181    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1182        self
1183    }
1184}
1185
1186// --- Process (any number of) early ApplicationData messages,
1187//     followed by a terminating handshake EndOfEarlyData message ---
1188
1189struct ExpectEarlyData {
1190    config: Arc<ServerConfig>,
1191    transcript: HandshakeHash,
1192    suite: &'static Tls13CipherSuite,
1193    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1194    send_tickets: usize,
1195}
1196
1197impl State<ServerConnectionData> for ExpectEarlyData {
1198    fn handle<'m>(
1199        mut self: Box<Self>,
1200        cx: &mut ServerContext<'_>,
1201        m: Message<'m>,
1202    ) -> hs::NextStateOrError<'m>
1203    where
1204        Self: 'm,
1205    {
1206        match m.payload {
1207            MessagePayload::ApplicationData(payload) => {
1208                match cx
1209                    .data
1210                    .early_data
1211                    .take_received_plaintext(payload)
1212                {
1213                    true => Ok(self),
1214                    false => Err(cx.common.send_fatal_alert(
1215                        AlertDescription::UnexpectedMessage,
1216                        PeerMisbehaved::TooMuchEarlyDataReceived,
1217                    )),
1218                }
1219            }
1220            MessagePayload::Handshake {
1221                parsed:
1222                    HandshakeMessagePayload {
1223                        typ: HandshakeType::EndOfEarlyData,
1224                        payload: HandshakePayload::EndOfEarlyData,
1225                    },
1226                ..
1227            } => {
1228                self.key_schedule
1229                    .update_decrypter(cx.common);
1230                self.transcript.add_message(&m);
1231                Ok(Box::new(ExpectFinished {
1232                    config: self.config,
1233                    suite: self.suite,
1234                    key_schedule: self.key_schedule,
1235                    transcript: self.transcript,
1236                    send_tickets: self.send_tickets,
1237                }))
1238            }
1239            payload => Err(inappropriate_handshake_message(
1240                &payload,
1241                &[ContentType::ApplicationData, ContentType::Handshake],
1242                &[HandshakeType::EndOfEarlyData],
1243            )),
1244        }
1245    }
1246
1247    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1248        self
1249    }
1250}
1251
1252// --- Process client's Finished ---
1253fn get_server_session_value(
1254    suite: &'static Tls13CipherSuite,
1255    secret: &ResumptionSecret<'_>,
1256    cx: &ServerContext<'_>,
1257    nonce: &[u8],
1258    time_now: UnixTime,
1259    age_obfuscation_offset: u32,
1260) -> persist::ServerSessionValue {
1261    let version = ProtocolVersion::TLSv1_3;
1262
1263    let secret = secret.derive_ticket_psk(nonce);
1264
1265    persist::ServerSessionValue::new(
1266        cx.data.sni.as_ref(),
1267        version,
1268        suite.common.suite,
1269        secret.as_ref(),
1270        cx.common.peer_certificates.clone(),
1271        cx.common.alpn_protocol.clone(),
1272        cx.data.resumption_data.clone(),
1273        time_now,
1274        age_obfuscation_offset,
1275    )
1276}
1277
1278struct ExpectFinished {
1279    config: Arc<ServerConfig>,
1280    transcript: HandshakeHash,
1281    suite: &'static Tls13CipherSuite,
1282    key_schedule: KeyScheduleTrafficWithClientFinishedPending,
1283    send_tickets: usize,
1284}
1285
1286impl ExpectFinished {
1287    fn emit_ticket(
1288        flight: &mut HandshakeFlightTls13<'_>,
1289        suite: &'static Tls13CipherSuite,
1290        cx: &ServerContext<'_>,
1291        secret: &ResumptionSecret<'_>,
1292        config: &ServerConfig,
1293    ) -> Result<(), Error> {
1294        let secure_random = config.provider.secure_random;
1295        let nonce = rand::random_vec(secure_random, 32)?;
1296        let age_add = rand::random_u32(secure_random)?;
1297
1298        let now = config.current_time()?;
1299
1300        let plain =
1301            get_server_session_value(suite, secret, cx, &nonce, now, age_add).get_encoding();
1302
1303        let stateless = config.ticketer.enabled();
1304        let (ticket, lifetime) = if stateless {
1305            let Some(ticket) = config.ticketer.encrypt(&plain) else {
1306                return Ok(());
1307            };
1308            (ticket, config.ticketer.lifetime())
1309        } else {
1310            let id = rand::random_vec(secure_random, 32)?;
1311            let stored = config
1312                .session_storage
1313                .put(id.clone(), plain);
1314            if !stored {
1315                trace!("resumption not available; not issuing ticket");
1316                return Ok(());
1317            }
1318            let stateful_lifetime = 24 * 60 * 60; // this is a bit of a punt
1319            (id, stateful_lifetime)
1320        };
1321
1322        let mut payload = NewSessionTicketPayloadTls13::new(lifetime, age_add, nonce, ticket);
1323
1324        if config.max_early_data_size > 0 {
1325            if !stateless {
1326                payload
1327                    .exts
1328                    .push(NewSessionTicketExtension::EarlyData(
1329                        config.max_early_data_size,
1330                    ));
1331            } else {
1332                // We implement RFC8446 section 8.1: by enforcing that 0-RTT is
1333                // only possible if using stateful resumption
1334                warn!("early_data with stateless resumption is not allowed");
1335            }
1336        }
1337
1338        let t = HandshakeMessagePayload {
1339            typ: HandshakeType::NewSessionTicket,
1340            payload: HandshakePayload::NewSessionTicketTls13(payload),
1341        };
1342        trace!("sending new ticket {:?} (stateless: {})", t, stateless);
1343        flight.add(t);
1344
1345        Ok(())
1346    }
1347}
1348
1349impl State<ServerConnectionData> for ExpectFinished {
1350    fn handle<'m>(
1351        mut self: Box<Self>,
1352        cx: &mut ServerContext<'_>,
1353        m: Message<'m>,
1354    ) -> hs::NextStateOrError<'m>
1355    where
1356        Self: 'm,
1357    {
1358        let finished =
1359            require_handshake_msg!(m, HandshakeType::Finished, HandshakePayload::Finished)?;
1360
1361        let handshake_hash = self.transcript.current_hash();
1362        let (key_schedule_traffic, expect_verify_data) = self
1363            .key_schedule
1364            .sign_client_finish(&handshake_hash, cx.common);
1365
1366        let fin = match ConstantTimeEq::ct_eq(expect_verify_data.as_ref(), finished.bytes()).into()
1367        {
1368            true => verify::FinishedMessageVerified::assertion(),
1369            false => {
1370                return Err(cx
1371                    .common
1372                    .send_fatal_alert(AlertDescription::DecryptError, Error::DecryptError));
1373            }
1374        };
1375
1376        // Note: future derivations include Client Finished, but not the
1377        // main application data keying.
1378        self.transcript.add_message(&m);
1379
1380        cx.common.check_aligned_handshake()?;
1381
1382        let handshake_hash = self.transcript.current_hash();
1383        let resumption = ResumptionSecret::new(&key_schedule_traffic, &handshake_hash);
1384
1385        let mut flight = HandshakeFlightTls13::new(&mut self.transcript);
1386        for _ in 0..self.send_tickets {
1387            Self::emit_ticket(&mut flight, self.suite, cx, &resumption, &self.config)?;
1388        }
1389        flight.finish(cx.common);
1390
1391        // Application data may now flow, even if we have client auth enabled.
1392        cx.common
1393            .start_traffic(&mut cx.sendable_plaintext);
1394
1395        Ok(match cx.common.is_quic() {
1396            true => Box::new(ExpectQuicTraffic {
1397                key_schedule: key_schedule_traffic,
1398                _fin_verified: fin,
1399            }),
1400            false => Box::new(ExpectTraffic {
1401                key_schedule: key_schedule_traffic,
1402                _fin_verified: fin,
1403            }),
1404        })
1405    }
1406
1407    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1408        self
1409    }
1410}
1411
1412// --- Process traffic ---
1413struct ExpectTraffic {
1414    key_schedule: KeyScheduleTraffic,
1415    _fin_verified: verify::FinishedMessageVerified,
1416}
1417
1418impl ExpectTraffic {
1419    fn handle_key_update(
1420        &mut self,
1421        common: &mut CommonState,
1422        key_update_request: &KeyUpdateRequest,
1423    ) -> Result<(), Error> {
1424        if let Protocol::Quic = common.protocol {
1425            return Err(common.send_fatal_alert(
1426                AlertDescription::UnexpectedMessage,
1427                PeerMisbehaved::KeyUpdateReceivedInQuicConnection,
1428            ));
1429        }
1430
1431        common.check_aligned_handshake()?;
1432
1433        if common.should_update_key(key_update_request)? {
1434            self.key_schedule
1435                .update_encrypter_and_notify(common);
1436        }
1437
1438        // Update our read-side keys.
1439        self.key_schedule
1440            .update_decrypter(common);
1441        Ok(())
1442    }
1443}
1444
1445impl State<ServerConnectionData> for ExpectTraffic {
1446    fn handle<'m>(
1447        mut self: Box<Self>,
1448        cx: &mut ServerContext<'_>,
1449        m: Message<'m>,
1450    ) -> hs::NextStateOrError<'m>
1451    where
1452        Self: 'm,
1453    {
1454        match m.payload {
1455            MessagePayload::ApplicationData(payload) => cx
1456                .common
1457                .take_received_plaintext(payload),
1458            MessagePayload::Handshake {
1459                parsed:
1460                    HandshakeMessagePayload {
1461                        payload: HandshakePayload::KeyUpdate(key_update),
1462                        ..
1463                    },
1464                ..
1465            } => self.handle_key_update(cx.common, &key_update)?,
1466            payload => {
1467                return Err(inappropriate_handshake_message(
1468                    &payload,
1469                    &[ContentType::ApplicationData, ContentType::Handshake],
1470                    &[HandshakeType::KeyUpdate],
1471                ));
1472            }
1473        }
1474
1475        Ok(self)
1476    }
1477
1478    fn export_keying_material(
1479        &self,
1480        output: &mut [u8],
1481        label: &[u8],
1482        context: Option<&[u8]>,
1483    ) -> Result<(), Error> {
1484        self.key_schedule
1485            .export_keying_material(output, label, context)
1486    }
1487
1488    fn extract_secrets(&self) -> Result<PartiallyExtractedSecrets, Error> {
1489        self.key_schedule
1490            .extract_secrets(Side::Server)
1491    }
1492
1493    fn send_key_update_request(&mut self, common: &mut CommonState) -> Result<(), Error> {
1494        self.key_schedule
1495            .request_key_update_and_update_encrypter(common)
1496    }
1497
1498    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1499        self
1500    }
1501}
1502
1503struct ExpectQuicTraffic {
1504    key_schedule: KeyScheduleTraffic,
1505    _fin_verified: verify::FinishedMessageVerified,
1506}
1507
1508impl State<ServerConnectionData> for ExpectQuicTraffic {
1509    fn handle<'m>(
1510        self: Box<Self>,
1511        _cx: &mut ServerContext<'_>,
1512        m: Message<'m>,
1513    ) -> hs::NextStateOrError<'m>
1514    where
1515        Self: 'm,
1516    {
1517        // reject all messages
1518        Err(inappropriate_message(&m.payload, &[]))
1519    }
1520
1521    fn export_keying_material(
1522        &self,
1523        output: &mut [u8],
1524        label: &[u8],
1525        context: Option<&[u8]>,
1526    ) -> Result<(), Error> {
1527        self.key_schedule
1528            .export_keying_material(output, label, context)
1529    }
1530
1531    fn into_owned(self: Box<Self>) -> hs::NextState<'static> {
1532        self
1533    }
1534}