rustls/client/ech.rs
1use alloc::boxed::Box;
2use alloc::vec;
3use alloc::vec::Vec;
4
5use pki_types::{DnsName, EchConfigListBytes, ServerName};
6use subtle::ConstantTimeEq;
7
8use crate::CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
9use crate::client::tls13;
10use crate::crypto::SecureRandom;
11use crate::crypto::hash::Hash;
12use crate::crypto::hpke::{EncapsulatedSecret, Hpke, HpkePublicKey, HpkeSealer, HpkeSuite};
13use crate::hash_hs::{HandshakeHash, HandshakeHashBuffer};
14use crate::log::{debug, trace, warn};
15use crate::msgs::base::{Payload, PayloadU16};
16use crate::msgs::codec::{Codec, Reader};
17use crate::msgs::enums::{ExtensionType, HpkeKem};
18use crate::msgs::handshake::{
19 ClientExtensions, ClientHelloPayload, EchConfigContents, EchConfigPayload, Encoding,
20 EncryptedClientHello, EncryptedClientHelloOuter, HandshakeMessagePayload, HandshakePayload,
21 HelloRetryRequest, HpkeKeyConfig, HpkeSymmetricCipherSuite, PresharedKeyBinder,
22 PresharedKeyOffer, Random, ServerHelloPayload, ServerNamePayload,
23};
24use crate::msgs::message::{Message, MessagePayload};
25use crate::msgs::persist;
26use crate::msgs::persist::Retrieved;
27use crate::tls13::key_schedule::{
28 KeyScheduleEarly, KeyScheduleHandshakeStart, server_ech_hrr_confirmation_secret,
29};
30use crate::{
31 AlertDescription, ClientConfig, CommonState, EncryptedClientHelloError, Error,
32 PeerIncompatible, PeerMisbehaved, ProtocolVersion, Tls13CipherSuite,
33};
34
35/// Controls how Encrypted Client Hello (ECH) is used in a client handshake.
36#[derive(Clone, Debug)]
37pub enum EchMode {
38 /// ECH is enabled and the ClientHello will be encrypted based on the provided
39 /// configuration.
40 Enable(EchConfig),
41
42 /// No ECH configuration is available but the client should act as though it were.
43 ///
44 /// This is an anti-ossification measure, sometimes referred to as "GREASE"[^0].
45 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
46 Grease(EchGreaseConfig),
47}
48
49impl EchMode {
50 /// Returns true if the ECH mode will use a FIPS approved HPKE suite.
51 pub fn fips(&self) -> bool {
52 match self {
53 Self::Enable(ech_config) => ech_config.suite.fips(),
54 Self::Grease(grease_config) => grease_config.suite.fips(),
55 }
56 }
57}
58
59impl From<EchConfig> for EchMode {
60 fn from(config: EchConfig) -> Self {
61 Self::Enable(config)
62 }
63}
64
65impl From<EchGreaseConfig> for EchMode {
66 fn from(config: EchGreaseConfig) -> Self {
67 Self::Grease(config)
68 }
69}
70
71/// Configuration for performing encrypted client hello.
72///
73/// Note: differs from the protocol-encoded EchConfig (`EchConfigMsg`).
74#[derive(Clone, Debug)]
75pub struct EchConfig {
76 /// The selected EchConfig.
77 pub(crate) config: EchConfigPayload,
78
79 /// An HPKE instance corresponding to a suite from the `config` we have selected as
80 /// a compatible choice.
81 pub(crate) suite: &'static dyn Hpke,
82}
83
84impl EchConfig {
85 /// Construct an EchConfig by selecting a ECH config from the provided bytes that is compatible
86 /// with one of the given HPKE suites.
87 ///
88 /// The config list bytes should be sourced from a DNS-over-HTTPS lookup resolving the `HTTPS`
89 /// resource record for the host name of the server you wish to connect via ECH,
90 /// and extracting the ECH configuration from the `ech` parameter. The extracted bytes should
91 /// be base64 decoded to yield the `EchConfigListBytes` you provide to rustls.
92 ///
93 /// One of the provided ECH configurations must be compatible with the HPKE provider's supported
94 /// suites or an error will be returned.
95 ///
96 /// See the [`ech-client.rs`] example for a complete example of fetching ECH configs from DNS.
97 ///
98 /// [`ech-client.rs`]: https://github.com/rustls/rustls/blob/main/examples/src/bin/ech-client.rs
99 pub fn new(
100 ech_config_list: EchConfigListBytes<'_>,
101 hpke_suites: &[&'static dyn Hpke],
102 ) -> Result<Self, Error> {
103 let ech_configs = Vec::<EchConfigPayload>::read(&mut Reader::init(&ech_config_list))
104 .map_err(|_| {
105 Error::InvalidEncryptedClientHello(EncryptedClientHelloError::InvalidConfigList)
106 })?;
107
108 // Note: we name the index var _i because if the log feature is disabled
109 // it is unused.
110 #[cfg_attr(not(feature = "log"), allow(clippy::unused_enumerate_index))]
111 for (_i, config) in ech_configs.iter().enumerate() {
112 let contents = match config {
113 EchConfigPayload::V18(contents) => contents,
114 EchConfigPayload::Unknown {
115 version: _version, ..
116 } => {
117 warn!(
118 "ECH config {} has unsupported version {:?}",
119 _i + 1,
120 _version
121 );
122 continue; // Unsupported version.
123 }
124 };
125
126 if contents.has_unknown_mandatory_extension() || contents.has_duplicate_extension() {
127 warn!("ECH config has duplicate, or unknown mandatory extensions: {contents:?}",);
128 continue; // Unsupported, or malformed extensions.
129 }
130
131 let key_config = &contents.key_config;
132 for cipher_suite in &key_config.symmetric_cipher_suites {
133 if cipher_suite.aead_id.tag_len().is_none() {
134 continue; // Unsupported EXPORT_ONLY AEAD cipher suite.
135 }
136
137 let suite = HpkeSuite {
138 kem: key_config.kem_id,
139 sym: *cipher_suite,
140 };
141 if let Some(hpke) = hpke_suites
142 .iter()
143 .find(|hpke| hpke.suite() == suite)
144 {
145 debug!(
146 "selected ECH config ID {:?} suite {:?} public_name {:?}",
147 key_config.config_id, suite, contents.public_name
148 );
149 return Ok(Self {
150 config: config.clone(),
151 suite: *hpke,
152 });
153 }
154 }
155 }
156
157 Err(EncryptedClientHelloError::NoCompatibleConfig.into())
158 }
159
160 pub(super) fn state(
161 &self,
162 server_name: ServerName<'static>,
163 config: &ClientConfig,
164 ) -> Result<EchState, Error> {
165 EchState::new(
166 self,
167 server_name.clone(),
168 config
169 .client_auth_cert_resolver
170 .has_certs(),
171 config.provider.secure_random,
172 config.enable_sni,
173 )
174 }
175
176 /// Compute the HPKE `SetupBaseS` `info` parameter for this ECH configuration.
177 ///
178 /// See <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.1>.
179 pub(crate) fn hpke_info(&self) -> Vec<u8> {
180 let mut info = Vec::with_capacity(128);
181 // "tls ech" || 0x00 || ECHConfig
182 info.extend_from_slice(b"tls ech\0");
183 self.config.encode(&mut info);
184 info
185 }
186}
187
188/// Configuration for GREASE Encrypted Client Hello.
189#[derive(Clone, Debug)]
190pub struct EchGreaseConfig {
191 pub(crate) suite: &'static dyn Hpke,
192 pub(crate) placeholder_key: HpkePublicKey,
193}
194
195impl EchGreaseConfig {
196 /// Construct a GREASE ECH configuration.
197 ///
198 /// This configuration is used when the client wishes to offer ECH to prevent ossification,
199 /// but doesn't have a real ECH configuration to use for the remote server. In this case
200 /// a placeholder or "GREASE"[^0] extension is used.
201 ///
202 /// Returns an error if the HPKE provider does not support the given suite.
203 ///
204 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
205 pub fn new(suite: &'static dyn Hpke, placeholder_key: HpkePublicKey) -> Self {
206 Self {
207 suite,
208 placeholder_key,
209 }
210 }
211
212 /// Build a GREASE ECH extension based on the placeholder configuration.
213 ///
214 /// See <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#name-grease-ech> for
215 /// more information.
216 pub(crate) fn grease_ext(
217 &self,
218 secure_random: &'static dyn SecureRandom,
219 inner_name: ServerName<'static>,
220 outer_hello: &ClientHelloPayload,
221 ) -> Result<EncryptedClientHello, Error> {
222 trace!("Preparing GREASE ECH extension");
223
224 // Pick a random config id.
225 let mut config_id: [u8; 1] = [0; 1];
226 secure_random.fill(&mut config_id[..])?;
227
228 let suite = self.suite.suite();
229
230 // Construct a dummy ECH state - we don't have a real ECH config from a server since
231 // this is for GREASE.
232 let mut grease_state = EchState::new(
233 &EchConfig {
234 config: EchConfigPayload::V18(EchConfigContents {
235 key_config: HpkeKeyConfig {
236 config_id: config_id[0],
237 kem_id: HpkeKem::DHKEM_P256_HKDF_SHA256,
238 public_key: PayloadU16::new(self.placeholder_key.0.clone()),
239 symmetric_cipher_suites: vec![suite.sym],
240 },
241 maximum_name_length: 0,
242 public_name: DnsName::try_from("filler").unwrap(),
243 extensions: Vec::default(),
244 }),
245 suite: self.suite,
246 },
247 inner_name,
248 false,
249 secure_random,
250 false, // Does not matter if we enable/disable SNI here. Inner hello is not used.
251 )?;
252
253 // Construct an inner hello using the outer hello - this allows us to know the size of
254 // dummy payload we should use for the GREASE extension.
255 let encoded_inner_hello = grease_state.encode_inner_hello(outer_hello, None, &None);
256
257 // Generate a payload of random data equivalent in length to a real inner hello.
258 let payload_len = encoded_inner_hello.len()
259 + suite
260 .sym
261 .aead_id
262 .tag_len()
263 // Safety: we have confirmed the AEAD is supported when building the config. All
264 // supported AEADs have a tag length.
265 .unwrap();
266 let mut payload = vec![0; payload_len];
267 secure_random.fill(&mut payload)?;
268
269 // Return the GREASE extension.
270 Ok(EncryptedClientHello::Outer(EncryptedClientHelloOuter {
271 cipher_suite: suite.sym,
272 config_id: config_id[0],
273 enc: PayloadU16::new(grease_state.enc.0),
274 payload: PayloadU16::new(payload),
275 }))
276 }
277}
278
279/// An enum representing ECH offer status.
280#[derive(Debug, Clone, Copy, Eq, PartialEq)]
281pub enum EchStatus {
282 /// ECH was not offered - it is a normal TLS handshake.
283 NotOffered,
284 /// GREASE ECH was sent. This is not considered offering ECH.
285 Grease,
286 /// ECH was offered but we do not yet know whether the offer was accepted or rejected.
287 Offered,
288 /// ECH was offered and the server accepted.
289 Accepted,
290 /// ECH was offered and the server rejected.
291 Rejected,
292}
293
294/// Contextual data for a TLS client handshake that has offered encrypted client hello (ECH).
295pub(crate) struct EchState {
296 // The public DNS name from the ECH configuration we've chosen - this is included as the SNI
297 // value for the "outer" client hello. It can only be a DnsName, not an IP address.
298 pub(crate) outer_name: DnsName<'static>,
299 // If we're resuming in the inner hello, this is the early key schedule to use for encrypting
300 // early data if the ECH offer is accepted.
301 pub(crate) early_data_key_schedule: Option<KeyScheduleEarly>,
302 // A random value we use for the inner hello.
303 pub(crate) inner_hello_random: Random,
304 // A transcript buffer maintained for the inner hello. Once ECH is confirmed we switch to
305 // using this transcript for the handshake.
306 pub(crate) inner_hello_transcript: HandshakeHashBuffer,
307 // A source of secure random data.
308 secure_random: &'static dyn SecureRandom,
309 // An HPKE sealer context that can be used for encrypting ECH data.
310 sender: Box<dyn HpkeSealer>,
311 // The ID of the ECH configuration we've chosen - this is included in the outer ECH extension.
312 config_id: u8,
313 // The private server name we'll use for the inner protected hello.
314 inner_name: ServerName<'static>,
315 // The advertised maximum name length from the ECH configuration we've chosen - this is used
316 // for padding calculations.
317 maximum_name_length: u8,
318 // A supported symmetric cipher suite from the ECH configuration we've chosen - this is
319 // included in the outer ECH extension.
320 cipher_suite: HpkeSymmetricCipherSuite,
321 // A secret encapsulated to the public key of the remote server. This is included in the
322 // outer ECH extension for non-retry outer hello messages.
323 enc: EncapsulatedSecret,
324 // Whether the inner client hello should contain a server name indication (SNI) extension.
325 enable_sni: bool,
326 // The extensions sent in the inner hello.
327 sent_extensions: Vec<ExtensionType>,
328}
329
330impl EchState {
331 pub(crate) fn new(
332 config: &EchConfig,
333 inner_name: ServerName<'static>,
334 client_auth_enabled: bool,
335 secure_random: &'static dyn SecureRandom,
336 enable_sni: bool,
337 ) -> Result<Self, Error> {
338 let EchConfigPayload::V18(config_contents) = &config.config else {
339 // the public EchConfig::new() constructor ensures we only have supported
340 // configurations.
341 unreachable!("ECH config version mismatch");
342 };
343 let key_config = &config_contents.key_config;
344
345 // Encapsulate a secret for the server's public key, and set up a sender context
346 // we can use to seal messages.
347 let (enc, sender) = config.suite.setup_sealer(
348 &config.hpke_info(),
349 &HpkePublicKey(key_config.public_key.0.clone()),
350 )?;
351
352 // Start a new transcript buffer for the inner hello.
353 let mut inner_hello_transcript = HandshakeHashBuffer::new();
354 if client_auth_enabled {
355 inner_hello_transcript.set_client_auth_enabled();
356 }
357
358 Ok(Self {
359 secure_random,
360 sender,
361 config_id: key_config.config_id,
362 inner_name,
363 outer_name: config_contents.public_name.clone(),
364 maximum_name_length: config_contents.maximum_name_length,
365 cipher_suite: config.suite.suite().sym,
366 enc,
367 inner_hello_random: Random::new(secure_random)?,
368 inner_hello_transcript,
369 early_data_key_schedule: None,
370 enable_sni,
371 sent_extensions: Vec::new(),
372 })
373 }
374
375 /// Construct a ClientHelloPayload offering ECH.
376 ///
377 /// An outer hello, with a protected inner hello for the `inner_name` will be returned, and the
378 /// ECH context will be updated to reflect the inner hello that was offered.
379 ///
380 /// If `retry_req` is `Some`, then the outer hello will be constructed for a hello retry request.
381 ///
382 /// If `resuming` is `Some`, then the inner hello will be constructed for a resumption handshake.
383 pub(crate) fn ech_hello(
384 &mut self,
385 mut outer_hello: ClientHelloPayload,
386 retry_req: Option<&HelloRetryRequest>,
387 resuming: &Option<Retrieved<&persist::Tls13ClientSessionValue>>,
388 ) -> Result<ClientHelloPayload, Error> {
389 trace!(
390 "Preparing ECH offer {}",
391 if retry_req.is_some() { "for retry" } else { "" }
392 );
393
394 // Construct the encoded inner hello and update the transcript.
395 let encoded_inner_hello = self.encode_inner_hello(&outer_hello, retry_req, resuming);
396
397 // Complete the ClientHelloOuterAAD with an ech extension, the payload should be a placeholder
398 // of size L, all zeroes. L == length of encrypting encoded client hello inner w/ the selected
399 // HPKE AEAD. (sum of plaintext + tag length, typically).
400 let payload_len = encoded_inner_hello.len()
401 + self
402 .cipher_suite
403 .aead_id
404 .tag_len()
405 // Safety: we've already verified this AEAD is supported when loading the config
406 // that was used to create the ECH context. All supported AEADs have a tag length.
407 .unwrap();
408
409 // Outer hello's created in response to a hello retry request omit the enc value.
410 let enc = match retry_req.is_some() {
411 true => Vec::default(),
412 false => self.enc.0.clone(),
413 };
414
415 fn outer_hello_ext(ctx: &EchState, enc: Vec<u8>, payload: Vec<u8>) -> EncryptedClientHello {
416 EncryptedClientHello::Outer(EncryptedClientHelloOuter {
417 cipher_suite: ctx.cipher_suite,
418 config_id: ctx.config_id,
419 enc: PayloadU16::new(enc),
420 payload: PayloadU16::new(payload),
421 })
422 }
423
424 // The outer handshake is not permitted to resume a session. If we're resuming in the
425 // inner handshake we remove the PSK extension from the outer hello, replacing it
426 // with a GREASE PSK to implement the "ClientHello Malleability Mitigation" mentioned
427 // in 10.12.3.
428 if let Some(psk_offer) = outer_hello.preshared_key_offer.as_mut() {
429 self.grease_psk(psk_offer)?;
430 }
431
432 // To compute the encoded AAD we add a placeholder extension with an empty payload.
433 outer_hello.encrypted_client_hello =
434 Some(outer_hello_ext(self, enc.clone(), vec![0; payload_len]));
435
436 // Next we compute the proper extension payload.
437 let payload = self
438 .sender
439 .seal(&outer_hello.get_encoding(), &encoded_inner_hello)?;
440
441 // And then we replace the placeholder extension with the real one.
442 outer_hello.encrypted_client_hello = Some(outer_hello_ext(self, enc, payload));
443
444 Ok(outer_hello)
445 }
446
447 /// Confirm whether an ECH offer was accepted based on examining the server hello.
448 pub(crate) fn confirm_acceptance(
449 self,
450 ks: &mut KeyScheduleHandshakeStart,
451 server_hello: &ServerHelloPayload,
452 server_hello_encoded: &Payload<'_>,
453 hash: &'static dyn Hash,
454 ) -> Result<Option<EchAccepted>, Error> {
455 // Start the inner transcript hash now that we know the hash algorithm to use.
456 let inner_transcript = self
457 .inner_hello_transcript
458 .start_hash(hash);
459
460 // Fork the transcript that we've started with the inner hello to use for a confirmation step.
461 // We need to preserve the original inner_transcript to use if this confirmation succeeds.
462 let mut confirmation_transcript = inner_transcript.clone();
463
464 // Add the server hello confirmation - this is computed by altering the received
465 // encoding rather than reencoding it.
466 confirmation_transcript
467 .add_message(&Self::server_hello_conf(server_hello, server_hello_encoded));
468
469 // Derive a confirmation secret from the inner hello random and the confirmation transcript.
470 let derived = ks.server_ech_confirmation_secret(
471 self.inner_hello_random.0.as_ref(),
472 confirmation_transcript.current_hash(),
473 );
474
475 // Check that first 8 digits of the derived secret match the last 8 digits of the original
476 // server random. This match signals that the server accepted the ECH offer.
477 // Indexing safety: Random is [0; 32] by construction.
478
479 match ConstantTimeEq::ct_eq(derived.as_ref(), server_hello.random.0[24..].as_ref()).into() {
480 true => {
481 trace!("ECH accepted by server");
482 Ok(Some(EchAccepted {
483 transcript: inner_transcript,
484 random: self.inner_hello_random,
485 sent_extensions: self.sent_extensions,
486 }))
487 }
488 false => {
489 trace!("ECH rejected by server");
490 Ok(None)
491 }
492 }
493 }
494
495 pub(crate) fn confirm_hrr_acceptance(
496 &self,
497 hrr: &HelloRetryRequest,
498 cs: &Tls13CipherSuite,
499 common: &mut CommonState,
500 ) -> Result<bool, Error> {
501 // The client checks for the "encrypted_client_hello" extension.
502 let ech_conf = match &hrr.encrypted_client_hello {
503 // If none is found, the server has implicitly rejected ECH.
504 None => return Ok(false),
505 // Otherwise, if it has a length other than 8, the client aborts the
506 // handshake with a "decode_error" alert.
507 Some(ech_conf) if ech_conf.bytes().len() != 8 => {
508 return Err({
509 common.send_fatal_alert(
510 AlertDescription::DecodeError,
511 PeerMisbehaved::IllegalHelloRetryRequestWithInvalidEch,
512 )
513 });
514 }
515 Some(ech_conf) => ech_conf,
516 };
517
518 // Otherwise the client computes hrr_accept_confirmation as described in Section
519 // 7.2.1
520 let confirmation_transcript = self.inner_hello_transcript.clone();
521 let mut confirmation_transcript =
522 confirmation_transcript.start_hash(cs.common.hash_provider);
523 confirmation_transcript.rollup_for_hrr();
524 confirmation_transcript.add_message(&Self::hello_retry_request_conf(hrr));
525
526 let derived = server_ech_hrr_confirmation_secret(
527 cs.hkdf_provider,
528 &self.inner_hello_random.0,
529 confirmation_transcript.current_hash(),
530 );
531
532 match ConstantTimeEq::ct_eq(derived.as_ref(), ech_conf.bytes()).into() {
533 true => {
534 trace!("ECH accepted by server in hello retry request");
535 Ok(true)
536 }
537 false => {
538 trace!("ECH rejected by server in hello retry request");
539 Ok(false)
540 }
541 }
542 }
543
544 /// Update the ECH context inner hello transcript based on a received hello retry request message.
545 ///
546 /// This will start the in-progress transcript using the given `hash`, convert it into an HRR
547 /// buffer, and then add the hello retry message `m`.
548 pub(crate) fn transcript_hrr_update(&mut self, hash: &'static dyn Hash, m: &Message<'_>) {
549 trace!("Updating ECH inner transcript for HRR");
550
551 let inner_transcript = self
552 .inner_hello_transcript
553 .clone()
554 .start_hash(hash);
555
556 let mut inner_transcript_buffer = inner_transcript.into_hrr_buffer();
557 inner_transcript_buffer.add_message(m);
558 self.inner_hello_transcript = inner_transcript_buffer;
559 }
560
561 // 5.1 "Encoding the ClientHelloInner"
562 fn encode_inner_hello(
563 &mut self,
564 outer_hello: &ClientHelloPayload,
565 retryreq: Option<&HelloRetryRequest>,
566 resuming: &Option<Retrieved<&persist::Tls13ClientSessionValue>>,
567 ) -> Vec<u8> {
568 // Start building an inner hello using the outer_hello as a template.
569 let mut inner_hello = ClientHelloPayload {
570 // Some information is copied over as-is.
571 client_version: outer_hello.client_version,
572 session_id: outer_hello.session_id,
573 compression_methods: outer_hello.compression_methods.clone(),
574
575 // We will build up the included extensions ourselves.
576 extensions: Box::new(ClientExtensions::default()),
577
578 // Set the inner hello random to the one we generated when creating the ECH state.
579 // We hold on to the inner_hello_random in the ECH state to use later for confirming
580 // whether ECH was accepted or not.
581 random: self.inner_hello_random,
582
583 // We remove the empty renegotiation info SCSV from the outer hello's ciphersuite.
584 // Similar to the TLS 1.2 specific extensions we will filter out, this is seen as a
585 // TLS 1.2 only feature by bogo.
586 cipher_suites: outer_hello
587 .cipher_suites
588 .iter()
589 .filter(|cs| **cs != TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
590 .cloned()
591 .collect(),
592 };
593
594 inner_hello.order_seed = outer_hello.order_seed;
595
596 // The inner hello will always have an inner variant of the ECH extension added.
597 // See Section 6.1 rule 4.
598 inner_hello.encrypted_client_hello = Some(EncryptedClientHello::Inner);
599
600 let inner_sni = match &self.inner_name {
601 // The inner hello only gets a SNI value if enable_sni is true and the inner name
602 // is a domain name (not an IP address).
603 ServerName::DnsName(dns_name) if self.enable_sni => Some(dns_name),
604 _ => None,
605 };
606
607 // Now we consider each of the outer hello's extensions - we can either:
608 // 1. Omit the extension if it isn't appropriate (e.g. is a TLS 1.2 extension).
609 // 2. Add the extension to the inner hello as-is.
610 // 3. Compress the extension, by collecting it into a list of to-be-compressed
611 // extensions we'll handle separately.
612 let outer_extensions = outer_hello.used_extensions_in_encoding_order();
613 let mut compressed_exts = Vec::with_capacity(outer_extensions.len());
614 for ext in outer_extensions {
615 // Some outer hello extensions are only useful in the context where a TLS 1.3
616 // connection allows TLS 1.2. This isn't the case for ECH so we skip adding them
617 // to the inner hello.
618 if matches!(
619 ext,
620 ExtensionType::ExtendedMasterSecret
621 | ExtensionType::SessionTicket
622 | ExtensionType::ECPointFormats
623 ) {
624 continue;
625 }
626
627 if ext == ExtensionType::ServerName {
628 // We may want to replace the outer hello SNI with our own inner hello specific SNI.
629 if let Some(sni_value) = inner_sni {
630 inner_hello.server_name = Some(ServerNamePayload::from(sni_value));
631 }
632 // We don't want to add, or compress, the SNI from the outer hello.
633 continue;
634 }
635
636 // Compressed extensions need to be put aside to include in one contiguous block.
637 // Uncompressed extensions get added directly to the inner hello.
638 if ext.ech_compress() {
639 compressed_exts.push(ext);
640 }
641
642 inner_hello.clone_one(outer_hello, ext);
643 }
644
645 // We've added all the uncompressed extensions. Now we need to add the contiguous
646 // block of to-be-compressed extensions.
647 inner_hello.contiguous_extensions = compressed_exts.clone();
648
649 // Note which extensions we're sending in the inner hello. This may differ from
650 // the outer hello (e.g. the inner hello may omit SNI while the outer hello will
651 // always have the ECH cover name in SNI).
652 self.sent_extensions = inner_hello.collect_used();
653
654 // If we're resuming, we need to update the PSK binder in the inner hello.
655 if let Some(resuming) = resuming.as_ref() {
656 let mut chp = HandshakeMessagePayload(HandshakePayload::ClientHello(inner_hello));
657
658 // Retain the early key schedule we get from processing the binder.
659 self.early_data_key_schedule = Some(tls13::fill_in_psk_binder(
660 resuming,
661 &self.inner_hello_transcript,
662 &mut chp,
663 ));
664
665 // fill_in_psk_binder works on an owned HandshakeMessagePayload, so we need to
666 // extract our inner hello back out of it to retain ownership.
667 inner_hello = match chp.0 {
668 HandshakePayload::ClientHello(chp) => chp,
669 // Safety: we construct the HMP above and know its type unconditionally.
670 _ => unreachable!(),
671 };
672 }
673
674 trace!("ECH Inner Hello: {inner_hello:#?}");
675
676 // Encode the inner hello according to the rules required for ECH. This differs
677 // from the standard encoding in several ways. Notably this is where we will
678 // replace the block of contiguous to-be-compressed extensions with a marker.
679 let mut encoded_hello = inner_hello.ech_inner_encoding(compressed_exts);
680
681 // Calculate padding
682 // max_name_len = L
683 let max_name_len = self.maximum_name_length;
684 let max_name_len = if max_name_len > 0 { max_name_len } else { 255 };
685
686 let padding_len = match &self.inner_name {
687 ServerName::DnsName(name) => {
688 // name.len() = D
689 // max(0, L - D)
690 core::cmp::max(
691 0,
692 max_name_len.saturating_sub(name.as_ref().len() as u8) as usize,
693 )
694 }
695 _ => {
696 // L + 9
697 // "This is the length of a "server_name" extension with an L-byte name."
698 // We widen to usize here to avoid overflowing u8 + u8.
699 max_name_len as usize + 9
700 }
701 };
702
703 // Let L be the length of the EncodedClientHelloInner with all the padding computed so far
704 // Let N = 31 - ((L - 1) % 32) and add N bytes of padding.
705 let padding_len = 31 - ((encoded_hello.len() + padding_len - 1) % 32);
706 encoded_hello.extend(vec![0; padding_len]);
707
708 // Construct the inner hello message that will be used for the transcript.
709 let inner_hello_msg = Message {
710 version: match retryreq {
711 // <https://datatracker.ietf.org/doc/html/rfc8446#section-5.1>:
712 // "This value MUST be set to 0x0303 for all records generated
713 // by a TLS 1.3 implementation ..."
714 Some(_) => ProtocolVersion::TLSv1_2,
715 // "... other than an initial ClientHello (i.e., one not
716 // generated after a HelloRetryRequest), where it MAY also be
717 // 0x0301 for compatibility purposes"
718 //
719 // (retryreq == None means we're in the "initial ClientHello" case)
720 None => ProtocolVersion::TLSv1_0,
721 },
722 payload: MessagePayload::handshake(HandshakeMessagePayload(
723 HandshakePayload::ClientHello(inner_hello),
724 )),
725 };
726
727 // Update the inner transcript buffer with the inner hello message.
728 self.inner_hello_transcript
729 .add_message(&inner_hello_msg);
730
731 encoded_hello
732 }
733
734 // See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#name-grease-psk
735 fn grease_psk(&self, psk_offer: &mut PresharedKeyOffer) -> Result<(), Error> {
736 for ident in psk_offer.identities.iter_mut() {
737 // "For each PSK identity advertised in the ClientHelloInner, the
738 // client generates a random PSK identity with the same length."
739 self.secure_random
740 .fill(&mut ident.identity.0)?;
741 // "It also generates a random, 32-bit, unsigned integer to use as
742 // the obfuscated_ticket_age."
743 let mut ticket_age = [0_u8; 4];
744 self.secure_random
745 .fill(&mut ticket_age)?;
746 ident.obfuscated_ticket_age = u32::from_be_bytes(ticket_age);
747 }
748
749 // "Likewise, for each inner PSK binder, the client generates a random string
750 // of the same length."
751 psk_offer.binders = psk_offer
752 .binders
753 .iter()
754 .map(|old_binder| {
755 // We can't access the wrapped binder PresharedKeyBinder's PayloadU8 mutably,
756 // so we construct new PresharedKeyBinder's from scratch with the same length.
757 let mut new_binder = vec![0; old_binder.as_ref().len()];
758 self.secure_random
759 .fill(&mut new_binder)?;
760 Ok::<PresharedKeyBinder, Error>(PresharedKeyBinder::from(new_binder))
761 })
762 .collect::<Result<_, _>>()?;
763 Ok(())
764 }
765
766 fn server_hello_conf(
767 server_hello: &ServerHelloPayload,
768 server_hello_encoded: &Payload<'_>,
769 ) -> Message<'static> {
770 // The confirmation is computed over the server hello, which has had
771 // its `random` field altered to zero the final 8 bytes.
772 //
773 // nb. we don't require that we can round-trip a `ServerHelloPayload`, to
774 // allow for efficiency in its in-memory representation. That means
775 // we operate here on the received encoding, as the confirmation needs
776 // to be computed on that.
777 let mut encoded = server_hello_encoded.clone().into_vec();
778 encoded[SERVER_HELLO_ECH_CONFIRMATION_SPAN].fill(0x00);
779
780 Message {
781 version: ProtocolVersion::TLSv1_3,
782 payload: MessagePayload::Handshake {
783 encoded: Payload::Owned(encoded),
784 parsed: HandshakeMessagePayload(HandshakePayload::ServerHello(
785 server_hello.clone(),
786 )),
787 },
788 }
789 }
790
791 fn hello_retry_request_conf(retry_req: &HelloRetryRequest) -> Message<'_> {
792 Self::ech_conf_message(HandshakeMessagePayload(
793 HandshakePayload::HelloRetryRequest(retry_req.clone()),
794 ))
795 }
796
797 fn ech_conf_message(hmp: HandshakeMessagePayload<'_>) -> Message<'_> {
798 let mut hmp_encoded = Vec::new();
799 hmp.payload_encode(&mut hmp_encoded, Encoding::EchConfirmation);
800 Message {
801 version: ProtocolVersion::TLSv1_3,
802 payload: MessagePayload::Handshake {
803 encoded: Payload::new(hmp_encoded),
804 parsed: hmp,
805 },
806 }
807 }
808}
809
810/// The last eight bytes of the ServerHello's random, taken from a Handshake message containing it.
811///
812/// This has:
813/// - a HandshakeType (1 byte),
814/// - an exterior length (3 bytes),
815/// - the legacy_version (2 bytes), and
816/// - the balance of the random field (24 bytes).
817const SERVER_HELLO_ECH_CONFIRMATION_SPAN: core::ops::Range<usize> =
818 (1 + 3 + 2 + 24)..(1 + 3 + 2 + 32);
819
820/// Returned from EchState::check_acceptance when the server has accepted the ECH offer.
821///
822/// Holds the state required to continue the handshake with the inner hello from the ECH offer.
823pub(crate) struct EchAccepted {
824 pub(crate) transcript: HandshakeHash,
825 pub(crate) random: Random,
826 pub(crate) sent_extensions: Vec<ExtensionType>,
827}
828
829pub(crate) fn fatal_alert_required(
830 retry_configs: Option<Vec<EchConfigPayload>>,
831 common: &mut CommonState,
832) -> Error {
833 common.send_fatal_alert(
834 AlertDescription::EncryptedClientHelloRequired,
835 PeerIncompatible::ServerRejectedEncryptedClientHello(retry_configs),
836 )
837}
838
839#[cfg(test)]
840mod tests {
841 use crate::enums::CipherSuite;
842 use crate::msgs::handshake::{Random, ServerExtensions, SessionId};
843
844 use super::*;
845
846 #[test]
847 fn server_hello_conf_alters_server_hello_random() {
848 let server_hello = ServerHelloPayload {
849 legacy_version: ProtocolVersion::TLSv1_2,
850 random: Random([0xffu8; 32]),
851 session_id: SessionId::empty(),
852 cipher_suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
853 compression_method: crate::msgs::enums::Compression::Null,
854 extensions: Box::new(ServerExtensions::default()),
855 };
856 let message = Message {
857 version: ProtocolVersion::TLSv1_3,
858 payload: MessagePayload::handshake(HandshakeMessagePayload(
859 HandshakePayload::ServerHello(server_hello.clone()),
860 )),
861 };
862 let Message {
863 payload:
864 MessagePayload::Handshake {
865 encoded: server_hello_encoded_before,
866 ..
867 },
868 ..
869 } = &message
870 else {
871 unreachable!("ServerHello is a handshake message");
872 };
873
874 let message = EchState::server_hello_conf(&server_hello, server_hello_encoded_before);
875
876 let Message {
877 payload:
878 MessagePayload::Handshake {
879 encoded: server_hello_encoded_after,
880 ..
881 },
882 ..
883 } = &message
884 else {
885 unreachable!("ServerHello is a handshake message");
886 };
887
888 assert_eq!(
889 std::format!("{server_hello_encoded_before:x?}"),
890 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff001302000000",
891 "beforehand eight bytes at end of Random should be 0xff here ^^^^^^^^^^^^^^^^ "
892 );
893 assert_eq!(
894 std::format!("{server_hello_encoded_after:x?}"),
895 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000001302000000",
896 " afterwards those bytes are zeroed ^^^^^^^^^^^^^^^^ "
897 );
898 }
899}