rustls/client/ech.rs
1use alloc::boxed::Box;
2use alloc::vec;
3use alloc::vec::Vec;
4
5use pki_types::{DnsName, EchConfigListBytes, ServerName};
6use subtle::ConstantTimeEq;
7
8use super::config::ClientConfig;
9use super::tls13;
10use crate::Tls13CipherSuite;
11use crate::crypto::CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
12use crate::crypto::SecureRandom;
13use crate::crypto::cipher::Payload;
14use crate::crypto::hash::Hash;
15use crate::crypto::hpke::{
16 EncapsulatedSecret, Hpke, HpkeKem, HpkePublicKey, HpkeSealer, HpkeSuite,
17 HpkeSymmetricCipherSuite,
18};
19use crate::enums::ProtocolVersion;
20use crate::error::{EncryptedClientHelloError, Error, PeerMisbehaved, RejectedEch};
21use crate::hash_hs::{HandshakeHash, HandshakeHashBuffer};
22use crate::log::{debug, trace, warn};
23use crate::msgs::base::PayloadU16;
24use crate::msgs::codec::{Codec, Reader};
25use crate::msgs::deframer::HandshakeAlignedProof;
26use crate::msgs::enums::ExtensionType;
27use crate::msgs::handshake::{
28 ClientExtensions, ClientHelloPayload, EchConfigContents, EchConfigPayload, Encoding,
29 EncryptedClientHello, EncryptedClientHelloOuter, HandshakeMessagePayload, HandshakePayload,
30 HelloRetryRequest, HpkeKeyConfig, PresharedKeyBinder, PresharedKeyOffer, Random,
31 ServerHelloPayload, ServerNamePayload,
32};
33use crate::msgs::message::{Message, MessagePayload};
34use crate::msgs::persist;
35use crate::msgs::persist::Retrieved;
36use crate::tls13::key_schedule::{
37 KeyScheduleEarly, KeyScheduleHandshakeStart, server_ech_hrr_confirmation_secret,
38};
39
40/// Controls how Encrypted Client Hello (ECH) is used in a client handshake.
41#[non_exhaustive]
42#[derive(Clone, Debug)]
43pub enum EchMode {
44 /// ECH is enabled and the ClientHello will be encrypted based on the provided
45 /// configuration.
46 Enable(EchConfig),
47
48 /// No ECH configuration is available but the client should act as though it were.
49 ///
50 /// This is an anti-ossification measure, sometimes referred to as "GREASE"[^0].
51 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
52 Grease(EchGreaseConfig),
53}
54
55impl EchMode {
56 /// Returns true if the ECH mode will use a FIPS approved HPKE suite.
57 pub fn fips(&self) -> bool {
58 match self {
59 Self::Enable(ech_config) => ech_config.suite.fips(),
60 Self::Grease(grease_config) => grease_config.suite.fips(),
61 }
62 }
63}
64
65impl From<EchConfig> for EchMode {
66 fn from(config: EchConfig) -> Self {
67 Self::Enable(config)
68 }
69}
70
71impl From<EchGreaseConfig> for EchMode {
72 fn from(config: EchGreaseConfig) -> Self {
73 Self::Grease(config)
74 }
75}
76
77/// Configuration for performing encrypted client hello.
78///
79/// Note: differs from the protocol-encoded EchConfig (`EchConfigMsg`).
80#[derive(Clone, Debug)]
81pub struct EchConfig {
82 /// The selected EchConfig.
83 pub(crate) config: EchConfigPayload,
84
85 /// An HPKE instance corresponding to a suite from the `config` we have selected as
86 /// a compatible choice.
87 pub(crate) suite: &'static dyn Hpke,
88}
89
90impl EchConfig {
91 /// Construct an EchConfig by selecting a ECH config from the provided bytes that is compatible
92 /// with one of the given HPKE suites.
93 ///
94 /// The config list bytes should be sourced from a DNS-over-HTTPS lookup resolving the `HTTPS`
95 /// resource record for the host name of the server you wish to connect via ECH,
96 /// and extracting the ECH configuration from the `ech` parameter. The extracted bytes should
97 /// be base64 decoded to yield the `EchConfigListBytes` you provide to rustls.
98 ///
99 /// One of the provided ECH configurations must be compatible with the HPKE provider's supported
100 /// suites or an error will be returned.
101 ///
102 /// See the [`ech-client.rs`] example for a complete example of fetching ECH configs from DNS.
103 ///
104 /// [`ech-client.rs`]: https://github.com/rustls/rustls/blob/main/examples/src/bin/ech-client.rs
105 pub fn new(
106 ech_config_list: EchConfigListBytes<'_>,
107 hpke_suites: &[&'static dyn Hpke],
108 ) -> Result<Self, Error> {
109 let ech_configs = Vec::<EchConfigPayload>::read(&mut Reader::init(&ech_config_list))
110 .map_err(|_| {
111 Error::InvalidEncryptedClientHello(EncryptedClientHelloError::InvalidConfigList)
112 })?;
113
114 Self::new_for_configs(ech_configs, hpke_suites)
115 }
116
117 /// Build an EchConfig for retrying ECH using a retry config from a server's previous rejection
118 ///
119 /// Returns an error if the server provided no retry configurations in `RejectedEch`, or if
120 /// none of the retry configurations are compatible with the supported `hpke_suites`.
121 pub fn for_retry(
122 rejection: RejectedEch,
123 hpke_suites: &[&'static dyn Hpke],
124 ) -> Result<Self, Error> {
125 let Some(configs) = rejection.retry_configs else {
126 return Err(EncryptedClientHelloError::NoCompatibleConfig.into());
127 };
128
129 Self::new_for_configs(configs, hpke_suites)
130 }
131
132 pub(super) fn state(
133 &self,
134 server_name: ServerName<'static>,
135 config: &ClientConfig,
136 ) -> Result<EchState, Error> {
137 EchState::new(
138 self,
139 server_name.clone(),
140 !config
141 .resolver()
142 .supported_certificate_types()
143 .is_empty(),
144 config.provider().secure_random,
145 config.enable_sni,
146 )
147 }
148
149 /// Compute the HPKE `SetupBaseS` `info` parameter for this ECH configuration.
150 ///
151 /// See <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.1>.
152 pub(crate) fn hpke_info(&self) -> Vec<u8> {
153 let mut info = Vec::with_capacity(128);
154 // "tls ech" || 0x00 || ECHConfig
155 info.extend_from_slice(b"tls ech\0");
156 self.config.encode(&mut info);
157 info
158 }
159
160 fn new_for_configs(
161 ech_configs: Vec<EchConfigPayload>,
162 hpke_suites: &[&'static dyn Hpke],
163 ) -> Result<Self, Error> {
164 for (i, config) in ech_configs.iter().enumerate() {
165 let contents = match config {
166 EchConfigPayload::V18(contents) => contents,
167 EchConfigPayload::Unknown { version, .. } => {
168 warn!("ECH config {} has unsupported version {:?}", i + 1, version);
169 continue; // Unsupported version.
170 }
171 };
172
173 if contents.has_unknown_mandatory_extension() || contents.has_duplicate_extension() {
174 warn!("ECH config has duplicate, or unknown mandatory extensions: {contents:?}",);
175 continue; // Unsupported, or malformed extensions.
176 }
177
178 let key_config = &contents.key_config;
179 for cipher_suite in &key_config.symmetric_cipher_suites {
180 if cipher_suite.aead_id.tag_len().is_none() {
181 continue; // Unsupported EXPORT_ONLY AEAD cipher suite.
182 }
183
184 let suite = HpkeSuite {
185 kem: key_config.kem_id,
186 sym: *cipher_suite,
187 };
188 if let Some(hpke) = hpke_suites
189 .iter()
190 .find(|hpke| hpke.suite() == suite)
191 {
192 debug!(
193 "selected ECH config ID {:?} suite {:?} public_name {:?}",
194 key_config.config_id, suite, contents.public_name
195 );
196 return Ok(Self {
197 config: config.clone(),
198 suite: *hpke,
199 });
200 }
201 }
202 }
203
204 Err(EncryptedClientHelloError::NoCompatibleConfig.into())
205 }
206}
207
208/// Configuration for GREASE Encrypted Client Hello.
209#[derive(Clone, Debug)]
210pub struct EchGreaseConfig {
211 pub(crate) suite: &'static dyn Hpke,
212 pub(crate) placeholder_key: HpkePublicKey,
213}
214
215impl EchGreaseConfig {
216 /// Construct a GREASE ECH configuration.
217 ///
218 /// This configuration is used when the client wishes to offer ECH to prevent ossification,
219 /// but doesn't have a real ECH configuration to use for the remote server. In this case
220 /// a placeholder or "GREASE"[^0] extension is used.
221 ///
222 /// Returns an error if the HPKE provider does not support the given suite.
223 ///
224 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
225 pub fn new(suite: &'static dyn Hpke, placeholder_key: HpkePublicKey) -> Self {
226 Self {
227 suite,
228 placeholder_key,
229 }
230 }
231
232 /// Build a GREASE ECH extension based on the placeholder configuration.
233 ///
234 /// See <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#name-grease-ech> for
235 /// more information.
236 pub(crate) fn grease_ext(
237 &self,
238 secure_random: &'static dyn SecureRandom,
239 inner_name: ServerName<'static>,
240 outer_hello: &ClientHelloPayload,
241 ) -> Result<EncryptedClientHello, Error> {
242 trace!("Preparing GREASE ECH extension");
243
244 // Pick a random config id.
245 let mut config_id: [u8; 1] = [0; 1];
246 secure_random.fill(&mut config_id[..])?;
247
248 let suite = self.suite.suite();
249
250 // Construct a dummy ECH state - we don't have a real ECH config from a server since
251 // this is for GREASE.
252 let mut grease_state = EchState::new(
253 &EchConfig {
254 config: EchConfigPayload::V18(EchConfigContents {
255 key_config: HpkeKeyConfig {
256 config_id: config_id[0],
257 kem_id: HpkeKem::DHKEM_P256_HKDF_SHA256,
258 public_key: PayloadU16::new(self.placeholder_key.0.clone()),
259 symmetric_cipher_suites: vec![suite.sym],
260 },
261 maximum_name_length: 0,
262 public_name: DnsName::try_from("filler").unwrap(),
263 extensions: Vec::default(),
264 }),
265 suite: self.suite,
266 },
267 inner_name,
268 false,
269 secure_random,
270 false, // Does not matter if we enable/disable SNI here. Inner hello is not used.
271 )?;
272
273 // Construct an inner hello using the outer hello - this allows us to know the size of
274 // dummy payload we should use for the GREASE extension.
275 let encoded_inner_hello = grease_state.encode_inner_hello(outer_hello, None, &None);
276
277 // Generate a payload of random data equivalent in length to a real inner hello.
278 let payload_len = encoded_inner_hello.len()
279 + suite
280 .sym
281 .aead_id
282 .tag_len()
283 // Safety: we have confirmed the AEAD is supported when building the config. All
284 // supported AEADs have a tag length.
285 .unwrap();
286 let mut payload = vec![0; payload_len];
287 secure_random.fill(&mut payload)?;
288
289 // Return the GREASE extension.
290 Ok(EncryptedClientHello::Outer(EncryptedClientHelloOuter {
291 cipher_suite: suite.sym,
292 config_id: config_id[0],
293 enc: PayloadU16::new(grease_state.enc.0),
294 payload: PayloadU16::new(payload),
295 }))
296 }
297}
298
299/// An enum representing ECH offer status.
300#[non_exhaustive]
301#[derive(Debug, Clone, Copy, Eq, PartialEq)]
302pub enum EchStatus {
303 /// ECH was not offered - it is a normal TLS handshake.
304 NotOffered,
305 /// GREASE ECH was sent. This is not considered offering ECH.
306 Grease,
307 /// ECH was offered but we do not yet know whether the offer was accepted or rejected.
308 Offered,
309 /// ECH was offered and the server accepted.
310 Accepted,
311 /// ECH was offered and the server rejected.
312 Rejected,
313}
314
315/// Contextual data for a TLS client handshake that has offered encrypted client hello (ECH).
316pub(crate) struct EchState {
317 // The public DNS name from the ECH configuration we've chosen - this is included as the SNI
318 // value for the "outer" client hello. It can only be a DnsName, not an IP address.
319 pub(crate) outer_name: DnsName<'static>,
320 // If we're resuming in the inner hello, this is the early key schedule to use for encrypting
321 // early data if the ECH offer is accepted.
322 pub(crate) early_data_key_schedule: Option<KeyScheduleEarly>,
323 // A random value we use for the inner hello.
324 pub(crate) inner_hello_random: Random,
325 // A transcript buffer maintained for the inner hello. Once ECH is confirmed we switch to
326 // using this transcript for the handshake.
327 pub(crate) inner_hello_transcript: HandshakeHashBuffer,
328 // A source of secure random data.
329 secure_random: &'static dyn SecureRandom,
330 // An HPKE sealer context that can be used for encrypting ECH data.
331 sender: Box<dyn HpkeSealer>,
332 // The ID of the ECH configuration we've chosen - this is included in the outer ECH extension.
333 config_id: u8,
334 // The private server name we'll use for the inner protected hello.
335 inner_name: ServerName<'static>,
336 // The advertised maximum name length from the ECH configuration we've chosen - this is used
337 // for padding calculations.
338 maximum_name_length: u8,
339 // A supported symmetric cipher suite from the ECH configuration we've chosen - this is
340 // included in the outer ECH extension.
341 cipher_suite: HpkeSymmetricCipherSuite,
342 // A secret encapsulated to the public key of the remote server. This is included in the
343 // outer ECH extension for non-retry outer hello messages.
344 enc: EncapsulatedSecret,
345 // Whether the inner client hello should contain a server name indication (SNI) extension.
346 enable_sni: bool,
347 // The extensions sent in the inner hello.
348 sent_extensions: Vec<ExtensionType>,
349}
350
351impl EchState {
352 pub(crate) fn new(
353 config: &EchConfig,
354 inner_name: ServerName<'static>,
355 client_auth_enabled: bool,
356 secure_random: &'static dyn SecureRandom,
357 enable_sni: bool,
358 ) -> Result<Self, Error> {
359 let EchConfigPayload::V18(config_contents) = &config.config else {
360 // the public EchConfig::new() constructor ensures we only have supported
361 // configurations.
362 unreachable!("ECH config version mismatch");
363 };
364 let key_config = &config_contents.key_config;
365
366 // Encapsulate a secret for the server's public key, and set up a sender context
367 // we can use to seal messages.
368 let (enc, sender) = config.suite.setup_sealer(
369 &config.hpke_info(),
370 &HpkePublicKey(key_config.public_key.0.clone()),
371 )?;
372
373 // Start a new transcript buffer for the inner hello.
374 let mut inner_hello_transcript = HandshakeHashBuffer::new();
375 if client_auth_enabled {
376 inner_hello_transcript.set_client_auth_enabled();
377 }
378
379 Ok(Self {
380 secure_random,
381 sender,
382 config_id: key_config.config_id,
383 inner_name,
384 outer_name: config_contents.public_name.clone(),
385 maximum_name_length: config_contents.maximum_name_length,
386 cipher_suite: config.suite.suite().sym,
387 enc,
388 inner_hello_random: Random::new(secure_random)?,
389 inner_hello_transcript,
390 early_data_key_schedule: None,
391 enable_sni,
392 sent_extensions: Vec::new(),
393 })
394 }
395
396 /// Construct a ClientHelloPayload offering ECH.
397 ///
398 /// An outer hello, with a protected inner hello for the `inner_name` will be returned, and the
399 /// ECH context will be updated to reflect the inner hello that was offered.
400 ///
401 /// If `retry_req` is `Some`, then the outer hello will be constructed for a hello retry request.
402 ///
403 /// If `resuming` is `Some`, then the inner hello will be constructed for a resumption handshake.
404 pub(crate) fn ech_hello(
405 &mut self,
406 mut outer_hello: ClientHelloPayload,
407 retry_req: Option<&HelloRetryRequest>,
408 resuming: &Option<Retrieved<&persist::Tls13ClientSessionValue>>,
409 ) -> Result<ClientHelloPayload, Error> {
410 trace!(
411 "Preparing ECH offer {}",
412 if retry_req.is_some() { "for retry" } else { "" }
413 );
414
415 // Construct the encoded inner hello and update the transcript.
416 let encoded_inner_hello = self.encode_inner_hello(&outer_hello, retry_req, resuming);
417
418 // Complete the ClientHelloOuterAAD with an ech extension, the payload should be a placeholder
419 // of size L, all zeroes. L == length of encrypting encoded client hello inner w/ the selected
420 // HPKE AEAD. (sum of plaintext + tag length, typically).
421 let payload_len = encoded_inner_hello.len()
422 + self
423 .cipher_suite
424 .aead_id
425 .tag_len()
426 // Safety: we've already verified this AEAD is supported when loading the config
427 // that was used to create the ECH context. All supported AEADs have a tag length.
428 .unwrap();
429
430 // Outer hello's created in response to a hello retry request omit the enc value.
431 let enc = match retry_req.is_some() {
432 true => Vec::default(),
433 false => self.enc.0.clone(),
434 };
435
436 fn outer_hello_ext(ctx: &EchState, enc: Vec<u8>, payload: Vec<u8>) -> EncryptedClientHello {
437 EncryptedClientHello::Outer(EncryptedClientHelloOuter {
438 cipher_suite: ctx.cipher_suite,
439 config_id: ctx.config_id,
440 enc: PayloadU16::new(enc),
441 payload: PayloadU16::new(payload),
442 })
443 }
444
445 // The outer handshake is not permitted to resume a session. If we're resuming in the
446 // inner handshake we remove the PSK extension from the outer hello, replacing it
447 // with a GREASE PSK to implement the "ClientHello Malleability Mitigation" mentioned
448 // in 10.12.3.
449 if let Some(psk_offer) = outer_hello.preshared_key_offer.as_mut() {
450 self.grease_psk(psk_offer)?;
451 }
452
453 // To compute the encoded AAD we add a placeholder extension with an empty payload.
454 outer_hello.encrypted_client_hello =
455 Some(outer_hello_ext(self, enc.clone(), vec![0; payload_len]));
456
457 // Next we compute the proper extension payload.
458 let payload = self
459 .sender
460 .seal(&outer_hello.get_encoding(), &encoded_inner_hello)?;
461
462 // And then we replace the placeholder extension with the real one.
463 outer_hello.encrypted_client_hello = Some(outer_hello_ext(self, enc, payload));
464
465 Ok(outer_hello)
466 }
467
468 /// Confirm whether an ECH offer was accepted based on examining the server hello.
469 pub(crate) fn confirm_acceptance(
470 self,
471 ks: &mut KeyScheduleHandshakeStart,
472 server_hello: &ServerHelloPayload,
473 server_hello_encoded: &Payload<'_>,
474 hash: &'static dyn Hash,
475 ) -> Result<Option<EchAccepted>, Error> {
476 // Start the inner transcript hash now that we know the hash algorithm to use.
477 let inner_transcript = self
478 .inner_hello_transcript
479 .start_hash(hash);
480
481 // Fork the transcript that we've started with the inner hello to use for a confirmation step.
482 // We need to preserve the original inner_transcript to use if this confirmation succeeds.
483 let mut confirmation_transcript = inner_transcript.clone();
484
485 // Add the server hello confirmation - this is computed by altering the received
486 // encoding rather than reencoding it.
487 confirmation_transcript
488 .add_message(&Self::server_hello_conf(server_hello, server_hello_encoded));
489
490 // Derive a confirmation secret from the inner hello random and the confirmation transcript.
491 let derived = ks.server_ech_confirmation_secret(
492 self.inner_hello_random.0.as_ref(),
493 confirmation_transcript.current_hash(),
494 );
495
496 // Check that first 8 digits of the derived secret match the last 8 digits of the original
497 // server random. This match signals that the server accepted the ECH offer.
498 // Indexing safety: Random is [0; 32] by construction.
499
500 match ConstantTimeEq::ct_eq(derived.as_ref(), server_hello.random.0[24..].as_ref()).into() {
501 true => {
502 trace!("ECH accepted by server");
503 Ok(Some(EchAccepted {
504 transcript: inner_transcript,
505 random: self.inner_hello_random,
506 sent_extensions: self.sent_extensions,
507 }))
508 }
509 false => {
510 trace!("ECH rejected by server");
511 Ok(None)
512 }
513 }
514 }
515
516 pub(crate) fn confirm_hrr_acceptance(
517 &self,
518 hrr: &HelloRetryRequest,
519 cs: &Tls13CipherSuite,
520 ) -> Result<bool, Error> {
521 // The client checks for the "encrypted_client_hello" extension.
522 let ech_conf = match &hrr.encrypted_client_hello {
523 // If none is found, the server has implicitly rejected ECH.
524 None => return Ok(false),
525 // Otherwise, if it has a length other than 8, the client aborts the
526 // handshake with a "decode_error" alert.
527 Some(ech_conf) if ech_conf.bytes().len() != 8 => {
528 return Err(PeerMisbehaved::IllegalHelloRetryRequestWithInvalidEch.into());
529 }
530 Some(ech_conf) => ech_conf,
531 };
532
533 // Otherwise the client computes hrr_accept_confirmation as described in Section
534 // 7.2.1
535 let confirmation_transcript = self.inner_hello_transcript.clone();
536 let mut confirmation_transcript =
537 confirmation_transcript.start_hash(cs.common.hash_provider);
538 confirmation_transcript.rollup_for_hrr();
539 confirmation_transcript.add_message(&Self::hello_retry_request_conf(hrr));
540
541 let derived = server_ech_hrr_confirmation_secret(
542 cs.hkdf_provider,
543 &self.inner_hello_random.0,
544 confirmation_transcript.current_hash(),
545 );
546
547 match ConstantTimeEq::ct_eq(derived.as_ref(), ech_conf.bytes()).into() {
548 true => {
549 trace!("ECH accepted by server in hello retry request");
550 Ok(true)
551 }
552 false => {
553 trace!("ECH rejected by server in hello retry request");
554 Ok(false)
555 }
556 }
557 }
558
559 /// Update the ECH context inner hello transcript based on a received hello retry request message.
560 ///
561 /// This will start the in-progress transcript using the given `hash`, convert it into an HRR
562 /// buffer, and then add the hello retry message `m`.
563 pub(crate) fn transcript_hrr_update(
564 &mut self,
565 hash: &'static dyn Hash,
566 m: &Message<'_>,
567 proof: &HandshakeAlignedProof,
568 ) {
569 trace!("Updating ECH inner transcript for HRR");
570
571 let inner_transcript = self
572 .inner_hello_transcript
573 .clone()
574 .start_hash(hash);
575
576 let mut inner_transcript_buffer = inner_transcript.into_hrr_buffer(proof);
577 inner_transcript_buffer.add_message(m);
578 self.inner_hello_transcript = inner_transcript_buffer;
579 }
580
581 // 5.1 "Encoding the ClientHelloInner"
582 fn encode_inner_hello(
583 &mut self,
584 outer_hello: &ClientHelloPayload,
585 retryreq: Option<&HelloRetryRequest>,
586 resuming: &Option<Retrieved<&persist::Tls13ClientSessionValue>>,
587 ) -> Vec<u8> {
588 // Start building an inner hello using the outer_hello as a template.
589 let mut inner_hello = ClientHelloPayload {
590 // Some information is copied over as-is.
591 client_version: outer_hello.client_version,
592 session_id: outer_hello.session_id,
593 compression_methods: outer_hello.compression_methods.clone(),
594
595 // We will build up the included extensions ourselves.
596 extensions: Box::new(ClientExtensions::default()),
597
598 // Set the inner hello random to the one we generated when creating the ECH state.
599 // We hold on to the inner_hello_random in the ECH state to use later for confirming
600 // whether ECH was accepted or not.
601 random: self.inner_hello_random,
602
603 // We remove the empty renegotiation info SCSV from the outer hello's ciphersuite.
604 // Similar to the TLS 1.2 specific extensions we will filter out, this is seen as a
605 // TLS 1.2 only feature by bogo.
606 cipher_suites: outer_hello
607 .cipher_suites
608 .iter()
609 .filter(|cs| **cs != TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
610 .copied()
611 .collect(),
612 };
613
614 inner_hello.order_seed = outer_hello.order_seed;
615
616 // The inner hello will always have an inner variant of the ECH extension added.
617 // See Section 6.1 rule 4.
618 inner_hello.encrypted_client_hello = Some(EncryptedClientHello::Inner);
619
620 let inner_sni = match &self.inner_name {
621 // The inner hello only gets a SNI value if enable_sni is true and the inner name
622 // is a domain name (not an IP address).
623 ServerName::DnsName(dns_name) if self.enable_sni => Some(dns_name),
624 _ => None,
625 };
626
627 // Now we consider each of the outer hello's extensions - we can either:
628 // 1. Omit the extension if it isn't appropriate (e.g. is a TLS 1.2 extension).
629 // 2. Add the extension to the inner hello as-is.
630 // 3. Compress the extension, by collecting it into a list of to-be-compressed
631 // extensions we'll handle separately.
632 let outer_extensions = outer_hello.used_extensions_in_encoding_order();
633 let mut compressed_exts = Vec::with_capacity(outer_extensions.len());
634 for ext in outer_extensions {
635 // Some outer hello extensions are only useful in the context where a TLS 1.3
636 // connection allows TLS 1.2. This isn't the case for ECH so we skip adding them
637 // to the inner hello.
638 if matches!(
639 ext,
640 ExtensionType::ExtendedMasterSecret
641 | ExtensionType::SessionTicket
642 | ExtensionType::ECPointFormats
643 ) {
644 continue;
645 }
646
647 if ext == ExtensionType::ServerName {
648 // We may want to replace the outer hello SNI with our own inner hello specific SNI.
649 if let Some(sni_value) = inner_sni {
650 inner_hello.server_name = Some(ServerNamePayload::from(sni_value));
651 }
652 // We don't want to add, or compress, the SNI from the outer hello.
653 continue;
654 }
655
656 // Compressed extensions need to be put aside to include in one contiguous block.
657 // Uncompressed extensions get added directly to the inner hello.
658 if ext.ech_compress() {
659 compressed_exts.push(ext);
660 }
661
662 inner_hello.clone_one(outer_hello, ext);
663 }
664
665 // We've added all the uncompressed extensions. Now we need to add the contiguous
666 // block of to-be-compressed extensions.
667 inner_hello.contiguous_extensions = compressed_exts.clone();
668
669 // Note which extensions we're sending in the inner hello. This may differ from
670 // the outer hello (e.g. the inner hello may omit SNI while the outer hello will
671 // always have the ECH cover name in SNI).
672 self.sent_extensions = inner_hello.collect_used();
673
674 // If we're resuming, we need to update the PSK binder in the inner hello.
675 if let Some(resuming) = resuming.as_ref() {
676 let mut chp = HandshakeMessagePayload(HandshakePayload::ClientHello(inner_hello));
677
678 // Retain the early key schedule we get from processing the binder.
679 self.early_data_key_schedule = Some(tls13::fill_in_psk_binder(
680 resuming,
681 &self.inner_hello_transcript,
682 &mut chp,
683 ));
684
685 // fill_in_psk_binder works on an owned HandshakeMessagePayload, so we need to
686 // extract our inner hello back out of it to retain ownership.
687 inner_hello = match chp.0 {
688 HandshakePayload::ClientHello(chp) => chp,
689 // Safety: we construct the HMP above and know its type unconditionally.
690 _ => unreachable!(),
691 };
692 }
693
694 trace!("ECH Inner Hello: {inner_hello:#?}");
695
696 // Encode the inner hello according to the rules required for ECH. This differs
697 // from the standard encoding in several ways. Notably this is where we will
698 // replace the block of contiguous to-be-compressed extensions with a marker.
699 let mut encoded_hello = inner_hello.ech_inner_encoding(compressed_exts);
700
701 // Calculate padding
702 // max_name_len = L
703 let max_name_len = self.maximum_name_length;
704 let max_name_len = if max_name_len > 0 { max_name_len } else { 255 };
705
706 let padding_len = match &self.inner_name {
707 ServerName::DnsName(name) => {
708 // name.len() = D
709 // max(0, L - D)
710 core::cmp::max(
711 0,
712 max_name_len.saturating_sub(name.as_ref().len() as u8) as usize,
713 )
714 }
715 _ => {
716 // L + 9
717 // "This is the length of a "server_name" extension with an L-byte name."
718 // We widen to usize here to avoid overflowing u8 + u8.
719 max_name_len as usize + 9
720 }
721 };
722
723 // Let L be the length of the EncodedClientHelloInner with all the padding computed so far
724 // Let N = 31 - ((L - 1) % 32) and add N bytes of padding.
725 let padding_len = 31 - ((encoded_hello.len() + padding_len - 1) % 32);
726 encoded_hello.extend(vec![0; padding_len]);
727
728 // Construct the inner hello message that will be used for the transcript.
729 let inner_hello_msg = Message {
730 version: match retryreq {
731 // <https://datatracker.ietf.org/doc/html/rfc8446#section-5.1>:
732 // "This value MUST be set to 0x0303 for all records generated
733 // by a TLS 1.3 implementation ..."
734 Some(_) => ProtocolVersion::TLSv1_2,
735 // "... other than an initial ClientHello (i.e., one not
736 // generated after a HelloRetryRequest), where it MAY also be
737 // 0x0301 for compatibility purposes"
738 //
739 // (retryreq == None means we're in the "initial ClientHello" case)
740 None => ProtocolVersion::TLSv1_0,
741 },
742 payload: MessagePayload::handshake(HandshakeMessagePayload(
743 HandshakePayload::ClientHello(inner_hello),
744 )),
745 };
746
747 // Update the inner transcript buffer with the inner hello message.
748 self.inner_hello_transcript
749 .add_message(&inner_hello_msg);
750
751 encoded_hello
752 }
753
754 // See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#name-grease-psk
755 fn grease_psk(&self, psk_offer: &mut PresharedKeyOffer) -> Result<(), Error> {
756 for ident in psk_offer.identities.iter_mut() {
757 // "For each PSK identity advertised in the ClientHelloInner, the
758 // client generates a random PSK identity with the same length."
759 self.secure_random
760 .fill(&mut ident.identity.0)?;
761 // "It also generates a random, 32-bit, unsigned integer to use as
762 // the obfuscated_ticket_age."
763 let mut ticket_age = [0_u8; 4];
764 self.secure_random
765 .fill(&mut ticket_age)?;
766 ident.obfuscated_ticket_age = u32::from_be_bytes(ticket_age);
767 }
768
769 // "Likewise, for each inner PSK binder, the client generates a random string
770 // of the same length."
771 psk_offer.binders = psk_offer
772 .binders
773 .iter()
774 .map(|old_binder| {
775 // We can't access the wrapped binder PresharedKeyBinder's PayloadU8 mutably,
776 // so we construct new PresharedKeyBinder's from scratch with the same length.
777 let mut new_binder = vec![0; old_binder.as_ref().len()];
778 self.secure_random
779 .fill(&mut new_binder)?;
780 Ok::<PresharedKeyBinder, Error>(PresharedKeyBinder::from(new_binder))
781 })
782 .collect::<Result<_, _>>()?;
783 Ok(())
784 }
785
786 fn server_hello_conf(
787 server_hello: &ServerHelloPayload,
788 server_hello_encoded: &Payload<'_>,
789 ) -> Message<'static> {
790 // The confirmation is computed over the server hello, which has had
791 // its `random` field altered to zero the final 8 bytes.
792 //
793 // nb. we don't require that we can round-trip a `ServerHelloPayload`, to
794 // allow for efficiency in its in-memory representation. That means
795 // we operate here on the received encoding, as the confirmation needs
796 // to be computed on that.
797 let mut encoded = server_hello_encoded.clone().into_vec();
798 encoded[SERVER_HELLO_ECH_CONFIRMATION_SPAN].fill(0x00);
799
800 Message {
801 version: ProtocolVersion::TLSv1_3,
802 payload: MessagePayload::Handshake {
803 encoded: Payload::Owned(encoded),
804 parsed: HandshakeMessagePayload(HandshakePayload::ServerHello(
805 server_hello.clone(),
806 )),
807 },
808 }
809 }
810
811 fn hello_retry_request_conf(retry_req: &HelloRetryRequest) -> Message<'_> {
812 Self::ech_conf_message(HandshakeMessagePayload(
813 HandshakePayload::HelloRetryRequest(retry_req.clone()),
814 ))
815 }
816
817 fn ech_conf_message(hmp: HandshakeMessagePayload<'_>) -> Message<'_> {
818 let mut hmp_encoded = Vec::new();
819 hmp.payload_encode(&mut hmp_encoded, Encoding::EchConfirmation);
820 Message {
821 version: ProtocolVersion::TLSv1_3,
822 payload: MessagePayload::Handshake {
823 encoded: Payload::new(hmp_encoded),
824 parsed: hmp,
825 },
826 }
827 }
828}
829
830/// The last eight bytes of the ServerHello's random, taken from a Handshake message containing it.
831///
832/// This has:
833/// - a HandshakeType (1 byte),
834/// - an exterior length (3 bytes),
835/// - the legacy_version (2 bytes), and
836/// - the balance of the random field (24 bytes).
837const SERVER_HELLO_ECH_CONFIRMATION_SPAN: core::ops::Range<usize> =
838 (1 + 3 + 2 + 24)..(1 + 3 + 2 + 32);
839
840/// Returned from EchState::check_acceptance when the server has accepted the ECH offer.
841///
842/// Holds the state required to continue the handshake with the inner hello from the ECH offer.
843pub(crate) struct EchAccepted {
844 pub(crate) transcript: HandshakeHash,
845 pub(crate) random: Random,
846 pub(crate) sent_extensions: Vec<ExtensionType>,
847}
848
849#[cfg(test)]
850mod tests {
851 use super::*;
852 use crate::crypto::CipherSuite;
853 use crate::msgs::handshake::{Random, ServerExtensions, SessionId};
854
855 #[test]
856 fn server_hello_conf_alters_server_hello_random() {
857 let server_hello = ServerHelloPayload {
858 legacy_version: ProtocolVersion::TLSv1_2,
859 random: Random([0xffu8; 32]),
860 session_id: SessionId::empty(),
861 cipher_suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
862 compression_method: crate::msgs::enums::Compression::Null,
863 extensions: Box::new(ServerExtensions::default()),
864 };
865 let message = Message {
866 version: ProtocolVersion::TLSv1_3,
867 payload: MessagePayload::handshake(HandshakeMessagePayload(
868 HandshakePayload::ServerHello(server_hello.clone()),
869 )),
870 };
871 let Message {
872 payload:
873 MessagePayload::Handshake {
874 encoded: server_hello_encoded_before,
875 ..
876 },
877 ..
878 } = &message
879 else {
880 unreachable!("ServerHello is a handshake message");
881 };
882
883 let message = EchState::server_hello_conf(&server_hello, server_hello_encoded_before);
884
885 let Message {
886 payload:
887 MessagePayload::Handshake {
888 encoded: server_hello_encoded_after,
889 ..
890 },
891 ..
892 } = &message
893 else {
894 unreachable!("ServerHello is a handshake message");
895 };
896
897 assert_eq!(
898 std::format!("{server_hello_encoded_before:x?}"),
899 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff001302000000",
900 "beforehand eight bytes at end of Random should be 0xff here ^^^^^^^^^^^^^^^^ "
901 );
902 assert_eq!(
903 std::format!("{server_hello_encoded_after:x?}"),
904 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000001302000000",
905 " afterwards those bytes are zeroed ^^^^^^^^^^^^^^^^ "
906 );
907 }
908}