rustls/client/ech.rs
1use alloc::boxed::Box;
2use alloc::vec;
3use alloc::vec::Vec;
4
5use pki_types::{DnsName, EchConfigListBytes, FipsStatus, ServerName};
6use subtle::ConstantTimeEq;
7
8use super::config::ClientConfig;
9use super::{Retrieved, Tls13Session, tls13};
10use crate::common_state::Protocol;
11use crate::crypto::cipher::Payload;
12use crate::crypto::hash::Hash;
13use crate::crypto::hpke::{
14 EncapsulatedSecret, Hpke, HpkeKem, HpkePublicKey, HpkeSealer, HpkeSuite,
15 HpkeSymmetricCipherSuite,
16};
17use crate::crypto::{CipherSuite, SecureRandom};
18use crate::enums::ProtocolVersion;
19use crate::error::{EncryptedClientHelloError, Error, PeerMisbehaved, RejectedEch};
20use crate::hash_hs::{HandshakeHash, HandshakeHashBuffer};
21use crate::log::{debug, trace, warn};
22use crate::msgs::{
23 ClientExtensions, ClientHelloPayload, Codec, EchConfigContents, EchConfigPayload, Encoding,
24 EncryptedClientHello, EncryptedClientHelloOuter, ExtensionType, HandshakeAlignedProof,
25 HandshakeMessagePayload, HandshakePayload, HelloRetryRequest, HpkeKeyConfig, Message,
26 MessagePayload, PresharedKeyBinder, PresharedKeyOffer, Random, Reader, ServerHelloPayload,
27 ServerNamePayload, SizedPayload,
28};
29use crate::tls13::Tls13CipherSuite;
30use crate::tls13::key_schedule::{
31 KeyScheduleEarlyClient, KeyScheduleHandshakeStart, server_ech_hrr_confirmation_secret,
32};
33
34/// Controls how Encrypted Client Hello (ECH) is used in a client handshake.
35#[non_exhaustive]
36#[derive(Clone, Debug)]
37pub enum EchMode {
38 /// ECH is enabled and the ClientHello will be encrypted based on the provided
39 /// configuration.
40 Enable(EchConfig),
41
42 /// No ECH configuration is available but the client should act as though it were.
43 ///
44 /// This is an anti-ossification measure, sometimes referred to as "GREASE"[^0].
45 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
46 Grease(EchGreaseConfig),
47}
48
49impl EchMode {
50 /// Returns true if the ECH mode will use a FIPS approved HPKE suite.
51 pub fn fips(&self) -> FipsStatus {
52 match self {
53 Self::Enable(ech_config) => ech_config.suite.fips(),
54 Self::Grease(grease_config) => grease_config.suite.fips(),
55 }
56 }
57}
58
59impl From<EchConfig> for EchMode {
60 fn from(config: EchConfig) -> Self {
61 Self::Enable(config)
62 }
63}
64
65impl From<EchGreaseConfig> for EchMode {
66 fn from(config: EchGreaseConfig) -> Self {
67 Self::Grease(config)
68 }
69}
70
71/// Configuration for performing encrypted client hello.
72///
73/// Note: differs from the protocol-encoded EchConfig (`EchConfigMsg`).
74#[derive(Clone, Debug)]
75pub struct EchConfig {
76 /// The selected EchConfig.
77 pub(crate) config: EchConfigPayload,
78
79 /// An HPKE instance corresponding to a suite from the `config` we have selected as
80 /// a compatible choice.
81 pub(crate) suite: &'static dyn Hpke,
82}
83
84impl EchConfig {
85 /// Construct an EchConfig by selecting a ECH config from the provided bytes that is compatible
86 /// with one of the given HPKE suites.
87 ///
88 /// The config list bytes should be sourced from a DNS-over-HTTPS lookup resolving the `HTTPS`
89 /// resource record for the host name of the server you wish to connect via ECH,
90 /// and extracting the ECH configuration from the `ech` parameter. The extracted bytes should
91 /// be base64 decoded to yield the `EchConfigListBytes` you provide to rustls.
92 ///
93 /// One of the provided ECH configurations must be compatible with the HPKE provider's supported
94 /// suites or an error will be returned.
95 ///
96 /// See the [`ech-client.rs`] example for a complete example of fetching ECH configs from DNS.
97 ///
98 /// [`ech-client.rs`]: https://github.com/rustls/rustls/blob/main/examples/src/bin/ech-client.rs
99 pub fn new(
100 ech_config_list: EchConfigListBytes<'_>,
101 hpke_suites: &[&'static dyn Hpke],
102 ) -> Result<Self, Error> {
103 let ech_configs = Vec::<EchConfigPayload>::read(&mut Reader::new(&ech_config_list))
104 .map_err(|_| {
105 Error::InvalidEncryptedClientHello(EncryptedClientHelloError::InvalidConfigList)
106 })?;
107
108 Self::new_for_configs(ech_configs, hpke_suites)
109 }
110
111 /// Build an EchConfig for retrying ECH using a retry config from a server's previous rejection
112 ///
113 /// Returns an error if the server provided no retry configurations in `RejectedEch`, or if
114 /// none of the retry configurations are compatible with the supported `hpke_suites`.
115 pub fn for_retry(
116 rejection: RejectedEch,
117 hpke_suites: &[&'static dyn Hpke],
118 ) -> Result<Self, Error> {
119 let Some(configs) = rejection.retry_configs else {
120 return Err(EncryptedClientHelloError::NoCompatibleConfig.into());
121 };
122
123 Self::new_for_configs(configs, hpke_suites)
124 }
125
126 pub(super) fn state(
127 &self,
128 server_name: ServerName<'static>,
129 protocol: Protocol,
130 config: &ClientConfig,
131 ) -> Result<EchState, Error> {
132 EchState::new(
133 self,
134 server_name.clone(),
135 protocol,
136 !config
137 .resolver()
138 .supported_certificate_types()
139 .is_empty(),
140 config.provider().secure_random,
141 config.enable_sni,
142 )
143 }
144
145 /// Compute the HPKE `SetupBaseS` `info` parameter for this ECH configuration.
146 ///
147 /// See <https://datatracker.ietf.org/doc/html/rfc9849#section-6.1>.
148 pub(crate) fn hpke_info(&self) -> Vec<u8> {
149 let mut info = Vec::with_capacity(128);
150 // "tls ech" || 0x00 || ECHConfig
151 info.extend_from_slice(b"tls ech\0");
152 self.config.encode(&mut info);
153 info
154 }
155
156 fn new_for_configs(
157 ech_configs: Vec<EchConfigPayload>,
158 hpke_suites: &[&'static dyn Hpke],
159 ) -> Result<Self, Error> {
160 for (i, config) in ech_configs.iter().enumerate() {
161 let contents = match config {
162 EchConfigPayload::V18(contents) => contents,
163 EchConfigPayload::Unknown { version, .. } => {
164 warn!("ECH config {} has unsupported version {:?}", i + 1, version);
165 continue; // Unsupported version.
166 }
167 };
168
169 if contents.has_unknown_mandatory_extension() || contents.has_duplicate_extension() {
170 warn!("ECH config has duplicate, or unknown mandatory extensions: {contents:?}",);
171 continue; // Unsupported, or malformed extensions.
172 }
173
174 let key_config = &contents.key_config;
175 for cipher_suite in &key_config.symmetric_cipher_suites {
176 if cipher_suite.aead_id.tag_len().is_none() {
177 continue; // Unsupported EXPORT_ONLY AEAD cipher suite.
178 }
179
180 let suite = HpkeSuite {
181 kem: key_config.kem_id,
182 sym: *cipher_suite,
183 };
184 if let Some(hpke) = hpke_suites
185 .iter()
186 .find(|hpke| hpke.suite() == suite)
187 {
188 debug!(
189 "selected ECH config ID {:?} suite {:?} public_name {:?}",
190 key_config.config_id, suite, contents.public_name
191 );
192 return Ok(Self {
193 config: config.clone(),
194 suite: *hpke,
195 });
196 }
197 }
198 }
199
200 Err(EncryptedClientHelloError::NoCompatibleConfig.into())
201 }
202}
203
204/// Configuration for GREASE Encrypted Client Hello.
205#[derive(Clone, Debug)]
206pub struct EchGreaseConfig {
207 pub(crate) suite: &'static dyn Hpke,
208 pub(crate) placeholder_key: HpkePublicKey,
209}
210
211impl EchGreaseConfig {
212 /// Construct a GREASE ECH configuration.
213 ///
214 /// This configuration is used when the client wishes to offer ECH to prevent ossification,
215 /// but doesn't have a real ECH configuration to use for the remote server. In this case
216 /// a placeholder or "GREASE"[^0] extension is used.
217 ///
218 /// Returns an error if the HPKE provider does not support the given suite.
219 ///
220 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
221 pub fn new(suite: &'static dyn Hpke, placeholder_key: HpkePublicKey) -> Self {
222 Self {
223 suite,
224 placeholder_key,
225 }
226 }
227
228 /// Build a GREASE ECH extension based on the placeholder configuration.
229 ///
230 /// See <https://datatracker.ietf.org/doc/html/rfc9849#name-grease-ech> for
231 /// more information.
232 pub(crate) fn grease_ext(
233 &self,
234 secure_random: &'static dyn SecureRandom,
235 protocol: Protocol,
236 inner_name: ServerName<'static>,
237 outer_hello: &ClientHelloPayload,
238 ) -> Result<EncryptedClientHello, Error> {
239 trace!("Preparing GREASE ECH extension");
240
241 // Pick a random config id.
242 let mut config_id: [u8; 1] = [0; 1];
243 secure_random.fill(&mut config_id[..])?;
244
245 let suite = self.suite.suite();
246
247 // Construct a dummy ECH state - we don't have a real ECH config from a server since
248 // this is for GREASE.
249 let mut grease_state = EchState::new(
250 &EchConfig {
251 config: EchConfigPayload::V18(EchConfigContents {
252 key_config: HpkeKeyConfig {
253 config_id: config_id[0],
254 kem_id: HpkeKem::DHKEM_P256_HKDF_SHA256,
255 public_key: SizedPayload::from(self.placeholder_key.0.clone()),
256 symmetric_cipher_suites: vec![suite.sym],
257 },
258 maximum_name_length: 0,
259 public_name: DnsName::try_from("filler").unwrap(),
260 extensions: Vec::default(),
261 }),
262 suite: self.suite,
263 },
264 inner_name,
265 protocol,
266 false,
267 secure_random,
268 false, // Does not matter if we enable/disable SNI here. Inner hello is not used.
269 )?;
270
271 // Construct an inner hello using the outer hello - this allows us to know the size of
272 // dummy payload we should use for the GREASE extension.
273 let encoded_inner_hello = grease_state.encode_inner_hello(outer_hello, None, None);
274
275 // Generate a payload of random data equivalent in length to a real inner hello.
276 let payload_len = encoded_inner_hello.len()
277 + suite
278 .sym
279 .aead_id
280 .tag_len()
281 // Safety: we have confirmed the AEAD is supported when building the config. All
282 // supported AEADs have a tag length.
283 .unwrap();
284 let mut payload = vec![0; payload_len];
285 secure_random.fill(&mut payload)?;
286
287 // Return the GREASE extension.
288 Ok(EncryptedClientHello::Outer(EncryptedClientHelloOuter {
289 cipher_suite: suite.sym,
290 config_id: config_id[0],
291 enc: SizedPayload::from(Payload::new(grease_state.enc.0)),
292 payload: SizedPayload::from(Payload::new(payload)),
293 }))
294 }
295}
296
297/// An enum representing ECH offer status.
298#[non_exhaustive]
299#[derive(Debug, Default, Clone, Copy, Eq, PartialEq)]
300pub enum EchStatus {
301 /// ECH was not offered - it is a normal TLS handshake.
302 #[default]
303 NotOffered,
304 /// GREASE ECH was sent. This is not considered offering ECH.
305 Grease,
306 /// ECH was offered but we do not yet know whether the offer was accepted or rejected.
307 Offered,
308 /// ECH was offered and the server accepted.
309 Accepted,
310 /// ECH was offered and the server rejected.
311 Rejected,
312}
313
314/// Contextual data for a TLS client handshake that has offered encrypted client hello (ECH).
315pub(crate) struct EchState {
316 // The public DNS name from the ECH configuration we've chosen - this is included as the SNI
317 // value for the "outer" client hello. It can only be a DnsName, not an IP address.
318 pub(crate) outer_name: DnsName<'static>,
319 // If we're resuming in the inner hello, this is the early key schedule to use for encrypting
320 // early data if the ECH offer is accepted.
321 pub(crate) early_data_key_schedule: Option<KeyScheduleEarlyClient>,
322 // A random value we use for the inner hello.
323 pub(crate) inner_hello_random: Random,
324 // A transcript buffer maintained for the inner hello. Once ECH is confirmed we switch to
325 // using this transcript for the handshake.
326 pub(crate) inner_hello_transcript: HandshakeHashBuffer,
327 // A source of secure random data.
328 secure_random: &'static dyn SecureRandom,
329 // The top level protocol
330 protocol: Protocol,
331 // An HPKE sealer context that can be used for encrypting ECH data.
332 sender: Box<dyn HpkeSealer>,
333 // The ID of the ECH configuration we've chosen - this is included in the outer ECH extension.
334 config_id: u8,
335 // The private server name we'll use for the inner protected hello.
336 inner_name: ServerName<'static>,
337 // The advertised maximum name length from the ECH configuration we've chosen - this is used
338 // for padding calculations.
339 maximum_name_length: u8,
340 // A supported symmetric cipher suite from the ECH configuration we've chosen - this is
341 // included in the outer ECH extension.
342 cipher_suite: HpkeSymmetricCipherSuite,
343 // A secret encapsulated to the public key of the remote server. This is included in the
344 // outer ECH extension for non-retry outer hello messages.
345 enc: EncapsulatedSecret,
346 // Whether the inner client hello should contain a server name indication (SNI) extension.
347 enable_sni: bool,
348 // The extensions sent in the inner hello.
349 sent_extensions: Vec<ExtensionType>,
350}
351
352impl EchState {
353 pub(crate) fn new(
354 config: &EchConfig,
355 inner_name: ServerName<'static>,
356 protocol: Protocol,
357 client_auth_enabled: bool,
358 secure_random: &'static dyn SecureRandom,
359 enable_sni: bool,
360 ) -> Result<Self, Error> {
361 let EchConfigPayload::V18(config_contents) = &config.config else {
362 // the public EchConfig::new() constructor ensures we only have supported
363 // configurations.
364 unreachable!("ECH config version mismatch");
365 };
366 let key_config = &config_contents.key_config;
367
368 // Encapsulate a secret for the server's public key, and set up a sender context
369 // we can use to seal messages.
370 let (enc, sender) = config.suite.setup_sealer(
371 &config.hpke_info(),
372 &HpkePublicKey(key_config.public_key.to_vec()),
373 )?;
374
375 // Start a new transcript buffer for the inner hello.
376 let mut inner_hello_transcript = HandshakeHashBuffer::new();
377 if client_auth_enabled {
378 inner_hello_transcript.set_client_auth_enabled();
379 }
380
381 Ok(Self {
382 outer_name: config_contents.public_name.clone(),
383 early_data_key_schedule: None,
384 inner_hello_random: Random::new(secure_random)?,
385 inner_hello_transcript,
386 secure_random,
387 sender,
388 config_id: key_config.config_id,
389 inner_name,
390 maximum_name_length: config_contents.maximum_name_length,
391 cipher_suite: config.suite.suite().sym,
392 protocol,
393 enc,
394 enable_sni,
395 sent_extensions: Vec::new(),
396 })
397 }
398
399 /// Construct a ClientHelloPayload offering ECH.
400 ///
401 /// An outer hello, with a protected inner hello for the `inner_name` will be returned, and the
402 /// ECH context will be updated to reflect the inner hello that was offered.
403 ///
404 /// If `retry_req` is `Some`, then the outer hello will be constructed for a hello retry request.
405 ///
406 /// If `resuming` is `Some`, then the inner hello will be constructed for a resumption handshake.
407 pub(crate) fn ech_hello(
408 &mut self,
409 mut outer_hello: ClientHelloPayload,
410 retry_req: Option<&HelloRetryRequest>,
411 resuming: Option<&Retrieved<&Tls13Session>>,
412 ) -> Result<ClientHelloPayload, Error> {
413 trace!(
414 "Preparing ECH offer {}",
415 if retry_req.is_some() { "for retry" } else { "" }
416 );
417
418 // Construct the encoded inner hello and update the transcript.
419 let encoded_inner_hello = self.encode_inner_hello(&outer_hello, retry_req, resuming);
420
421 // Complete the ClientHelloOuterAAD with an ech extension, the payload should be a placeholder
422 // of size L, all zeroes. L == length of encrypting encoded client hello inner w/ the selected
423 // HPKE AEAD. (sum of plaintext + tag length, typically).
424 let payload_len = encoded_inner_hello.len()
425 + self
426 .cipher_suite
427 .aead_id
428 .tag_len()
429 // Safety: we've already verified this AEAD is supported when loading the config
430 // that was used to create the ECH context. All supported AEADs have a tag length.
431 .unwrap();
432
433 // Outer hello's created in response to a hello retry request omit the enc value.
434 let enc = match retry_req.is_some() {
435 true => Vec::default(),
436 false => self.enc.0.clone(),
437 };
438
439 fn outer_hello_ext(ctx: &EchState, enc: Vec<u8>, payload: Vec<u8>) -> EncryptedClientHello {
440 EncryptedClientHello::Outer(EncryptedClientHelloOuter {
441 cipher_suite: ctx.cipher_suite,
442 config_id: ctx.config_id,
443 enc: SizedPayload::from(Payload::new(enc)),
444 payload: SizedPayload::from(Payload::new(payload)),
445 })
446 }
447
448 // The outer handshake is not permitted to resume a session. If we're resuming in the
449 // inner handshake we remove the PSK extension from the outer hello, replacing it
450 // with a GREASE PSK to implement the "ClientHello Malleability Mitigation" mentioned
451 // in 10.12.3.
452 if let Some(psk_offer) = outer_hello.preshared_key_offer.as_mut() {
453 self.grease_psk(psk_offer)?;
454 }
455
456 // To compute the encoded AAD we add a placeholder extension with an empty payload.
457 outer_hello.encrypted_client_hello =
458 Some(outer_hello_ext(self, enc.clone(), vec![0; payload_len]));
459
460 // Next we compute the proper extension payload.
461 let payload = self
462 .sender
463 .seal(&outer_hello.get_encoding(), &encoded_inner_hello)?;
464
465 // And then we replace the placeholder extension with the real one.
466 outer_hello.encrypted_client_hello = Some(outer_hello_ext(self, enc, payload));
467
468 Ok(outer_hello)
469 }
470
471 /// Confirm whether an ECH offer was accepted based on examining the server hello.
472 pub(crate) fn confirm_acceptance(
473 self,
474 ks: &KeyScheduleHandshakeStart,
475 server_hello: &ServerHelloPayload,
476 server_hello_encoded: &Payload<'_>,
477 hash: &'static dyn Hash,
478 ) -> Result<Option<EchAccepted>, Error> {
479 // Start the inner transcript hash now that we know the hash algorithm to use.
480 let inner_transcript = self
481 .inner_hello_transcript
482 .start_hash(hash);
483
484 // Fork the transcript that we've started with the inner hello to use for a confirmation step.
485 // We need to preserve the original inner_transcript to use if this confirmation succeeds.
486 let mut confirmation_transcript = inner_transcript.clone();
487
488 // Add the server hello confirmation - this is computed by altering the received
489 // encoding rather than reencoding it.
490 confirmation_transcript
491 .add_message(&Self::server_hello_conf(server_hello, server_hello_encoded));
492
493 // Derive a confirmation secret from the inner hello random and the confirmation transcript.
494 let derived = ks.server_ech_confirmation_secret(
495 self.inner_hello_random.0.as_ref(),
496 confirmation_transcript.current_hash(),
497 );
498
499 // Check that first 8 digits of the derived secret match the last 8 digits of the original
500 // server random. This match signals that the server accepted the ECH offer.
501 // Indexing safety: Random is [0; 32] by construction.
502
503 match ConstantTimeEq::ct_eq(derived.as_ref(), server_hello.random.0[24..].as_ref()).into() {
504 true => {
505 trace!("ECH accepted by server");
506 Ok(Some(EchAccepted {
507 transcript: inner_transcript,
508 random: self.inner_hello_random,
509 sent_extensions: self.sent_extensions,
510 }))
511 }
512 false => {
513 trace!("ECH rejected by server");
514 Ok(None)
515 }
516 }
517 }
518
519 pub(crate) fn confirm_hrr_acceptance(
520 &self,
521 hrr: &HelloRetryRequest,
522 cs: &Tls13CipherSuite,
523 ) -> Result<bool, Error> {
524 // The client checks for the "encrypted_client_hello" extension.
525 let ech_conf = match &hrr.encrypted_client_hello {
526 // If none is found, the server has implicitly rejected ECH.
527 None => return Ok(false),
528 // Otherwise, if it has a length other than 8, the client aborts the
529 // handshake with a "decode_error" alert.
530 Some(ech_conf) if ech_conf.bytes().len() != 8 => {
531 return Err(PeerMisbehaved::IllegalHelloRetryRequestWithInvalidEch.into());
532 }
533 Some(ech_conf) => ech_conf,
534 };
535
536 // Otherwise the client computes hrr_accept_confirmation as described in Section
537 // 7.2.1
538 let confirmation_transcript = self.inner_hello_transcript.clone();
539 let mut confirmation_transcript =
540 confirmation_transcript.start_hash(cs.common.hash_provider);
541 confirmation_transcript.rollup_for_hrr();
542 confirmation_transcript.add_message(&Self::hello_retry_request_conf(hrr));
543
544 let derived = server_ech_hrr_confirmation_secret(
545 cs.hkdf_provider,
546 &self.inner_hello_random.0,
547 confirmation_transcript.current_hash(),
548 );
549
550 match ConstantTimeEq::ct_eq(derived.as_ref(), ech_conf.bytes()).into() {
551 true => {
552 trace!("ECH accepted by server in hello retry request");
553 Ok(true)
554 }
555 false => {
556 trace!("ECH rejected by server in hello retry request");
557 Ok(false)
558 }
559 }
560 }
561
562 /// Update the ECH context inner hello transcript based on a received hello retry request message.
563 ///
564 /// This will start the in-progress transcript using the given `hash`, convert it into an HRR
565 /// buffer, and then add the hello retry message `m`.
566 pub(crate) fn transcript_hrr_update(
567 &mut self,
568 hash: &'static dyn Hash,
569 m: &Message<'_>,
570 proof: &HandshakeAlignedProof,
571 ) {
572 trace!("Updating ECH inner transcript for HRR");
573
574 let inner_transcript = self
575 .inner_hello_transcript
576 .clone()
577 .start_hash(hash);
578
579 let mut inner_transcript_buffer = inner_transcript.into_hrr_buffer(proof);
580 inner_transcript_buffer.add_message(m);
581 self.inner_hello_transcript = inner_transcript_buffer;
582 }
583
584 // 5.1 "Encoding the ClientHelloInner"
585 fn encode_inner_hello(
586 &mut self,
587 outer_hello: &ClientHelloPayload,
588 retryreq: Option<&HelloRetryRequest>,
589 resuming: Option<&Retrieved<&Tls13Session>>,
590 ) -> Vec<u8> {
591 // Start building an inner hello using the outer_hello as a template.
592 let mut inner_hello = ClientHelloPayload {
593 // Some information is copied over as-is.
594 client_version: outer_hello.client_version,
595
596 // Set the inner hello random to the one we generated when creating the ECH state.
597 // We hold on to the inner_hello_random in the ECH state to use later for confirming
598 // whether ECH was accepted or not.
599 random: self.inner_hello_random,
600 session_id: outer_hello.session_id,
601
602 // We remove the empty renegotiation info SCSV from the outer hello's ciphersuite.
603 // Similar to the TLS 1.2 specific extensions we will filter out, this is seen as a
604 // TLS 1.2 only feature by bogo.
605 cipher_suites: outer_hello
606 .cipher_suites
607 .iter()
608 .filter(|cs| **cs != CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
609 .copied()
610 .collect(),
611 compression_methods: outer_hello.compression_methods.clone(),
612
613 // We will build up the included extensions ourselves.
614 extensions: Box::new(ClientExtensions::default()),
615 };
616
617 inner_hello.order_seed = outer_hello.order_seed;
618
619 // The inner hello will always have an inner variant of the ECH extension added.
620 // See Section 6.1 rule 4.
621 inner_hello.encrypted_client_hello = Some(EncryptedClientHello::Inner);
622
623 let inner_sni = match &self.inner_name {
624 // The inner hello only gets a SNI value if enable_sni is true and the inner name
625 // is a domain name (not an IP address).
626 ServerName::DnsName(dns_name) if self.enable_sni => Some(dns_name),
627 _ => None,
628 };
629
630 // Now we consider each of the outer hello's extensions - we can either:
631 // 1. Omit the extension if it isn't appropriate (e.g. is a TLS 1.2 extension).
632 // 2. Add the extension to the inner hello as-is.
633 // 3. Compress the extension, by collecting it into a list of to-be-compressed
634 // extensions we'll handle separately.
635 let outer_extensions = outer_hello.used_extensions_in_encoding_order();
636 let mut compressed_exts = Vec::with_capacity(outer_extensions.len());
637 for ext in outer_extensions {
638 // Some outer hello extensions are only useful in the context where a TLS 1.3
639 // connection allows TLS 1.2. This isn't the case for ECH so we skip adding them
640 // to the inner hello.
641 if matches!(
642 ext,
643 ExtensionType::ExtendedMasterSecret
644 | ExtensionType::SessionTicket
645 | ExtensionType::ECPointFormats
646 ) {
647 continue;
648 }
649
650 if ext == ExtensionType::ServerName {
651 // We may want to replace the outer hello SNI with our own inner hello specific SNI.
652 if let Some(sni_value) = inner_sni {
653 inner_hello.server_name = Some(ServerNamePayload::from(sni_value));
654 }
655 // We don't want to add, or compress, the SNI from the outer hello.
656 continue;
657 }
658
659 // Compressed extensions need to be put aside to include in one contiguous block.
660 // Uncompressed extensions get added directly to the inner hello.
661 if ext.ech_compress() {
662 compressed_exts.push(ext);
663 }
664
665 inner_hello.clone_one(outer_hello, ext);
666 }
667
668 // We've added all the uncompressed extensions. Now we need to add the contiguous
669 // block of to-be-compressed extensions.
670 inner_hello.contiguous_extensions = compressed_exts.clone();
671
672 // Note which extensions we're sending in the inner hello. This may differ from
673 // the outer hello (e.g. the inner hello may omit SNI while the outer hello will
674 // always have the ECH cover name in SNI).
675 self.sent_extensions = inner_hello.collect_used();
676
677 // If we're resuming, we need to update the PSK binder in the inner hello.
678 if let Some(resuming) = resuming.as_ref() {
679 let mut chp = HandshakeMessagePayload(HandshakePayload::ClientHello(inner_hello));
680
681 let key_schedule =
682 KeyScheduleEarlyClient::new(self.protocol, resuming.suite, resuming.secret.bytes());
683 tls13::fill_in_psk_binder(&key_schedule, &self.inner_hello_transcript, &mut chp);
684 self.early_data_key_schedule = Some(key_schedule);
685
686 // fill_in_psk_binder works on an owned HandshakeMessagePayload, so we need to
687 // extract our inner hello back out of it to retain ownership.
688 inner_hello = match chp.0 {
689 HandshakePayload::ClientHello(chp) => chp,
690 // Safety: we construct the HMP above and know its type unconditionally.
691 _ => unreachable!(),
692 };
693 }
694
695 trace!("ECH Inner Hello: {inner_hello:#?}");
696
697 // Encode the inner hello according to the rules required for ECH. This differs
698 // from the standard encoding in several ways. Notably this is where we will
699 // replace the block of contiguous to-be-compressed extensions with a marker.
700 let mut encoded_hello = inner_hello.ech_inner_encoding(compressed_exts);
701
702 // Calculate padding
703 // max_name_len = L
704 let max_name_len = self.maximum_name_length;
705 let max_name_len = if max_name_len > 0 { max_name_len } else { 255 };
706
707 let padding_len = match &self.inner_name {
708 ServerName::DnsName(name) => {
709 // name.len() = D
710 // max(0, L - D)
711 core::cmp::max(
712 0,
713 max_name_len.saturating_sub(name.as_ref().len() as u8) as usize,
714 )
715 }
716 _ => {
717 // L + 9
718 // "This is the length of a "server_name" extension with an L-byte name."
719 // We widen to usize here to avoid overflowing u8 + u8.
720 max_name_len as usize + 9
721 }
722 };
723
724 // Let L be the length of the EncodedClientHelloInner with all the padding computed so far
725 // Let N = 31 - ((L - 1) % 32) and add N bytes of padding.
726 let padding_len = 31 - ((encoded_hello.len() + padding_len - 1) % 32);
727 encoded_hello.extend(vec![0; padding_len]);
728
729 // Construct the inner hello message that will be used for the transcript.
730 let inner_hello_msg = Message {
731 version: match retryreq {
732 // <https://datatracker.ietf.org/doc/html/rfc8446#section-5.1>:
733 // "This value MUST be set to 0x0303 for all records generated
734 // by a TLS 1.3 implementation ..."
735 Some(_) => ProtocolVersion::TLSv1_2,
736 // "... other than an initial ClientHello (i.e., one not
737 // generated after a HelloRetryRequest), where it MAY also be
738 // 0x0301 for compatibility purposes"
739 //
740 // (retryreq == None means we're in the "initial ClientHello" case)
741 None => ProtocolVersion::TLSv1_0,
742 },
743 payload: MessagePayload::handshake(HandshakeMessagePayload(
744 HandshakePayload::ClientHello(inner_hello),
745 )),
746 };
747
748 // Update the inner transcript buffer with the inner hello message.
749 self.inner_hello_transcript
750 .add_message(&inner_hello_msg);
751
752 encoded_hello
753 }
754
755 // See https://datatracker.ietf.org/doc/html/rfc9849#name-grease-psk
756 fn grease_psk(&self, psk_offer: &mut PresharedKeyOffer) -> Result<(), Error> {
757 for ident in psk_offer.identities.iter_mut() {
758 // "For each PSK identity advertised in the ClientHelloInner, the
759 // client generates a random PSK identity with the same length."
760 match ident.identity.as_mut() {
761 Some(ident) => self.secure_random.fill(ident)?,
762 None => unreachable!(),
763 }
764
765 // "It also generates a random, 32-bit, unsigned integer to use as
766 // the obfuscated_ticket_age."
767 let mut ticket_age = [0_u8; 4];
768 self.secure_random
769 .fill(&mut ticket_age)?;
770 ident.obfuscated_ticket_age = u32::from_be_bytes(ticket_age);
771 }
772
773 // "Likewise, for each inner PSK binder, the client generates a random string
774 // of the same length."
775 psk_offer.binders = psk_offer
776 .binders
777 .iter()
778 .map(|old_binder| {
779 // We can't access the wrapped binder PresharedKeyBinder's PayloadU8 mutably,
780 // so we construct new PresharedKeyBinder's from scratch with the same length.
781 let mut new_binder = vec![0; old_binder.as_ref().len()];
782 self.secure_random
783 .fill(&mut new_binder)?;
784 Ok::<PresharedKeyBinder, Error>(PresharedKeyBinder::from(new_binder))
785 })
786 .collect::<Result<_, _>>()?;
787 Ok(())
788 }
789
790 fn server_hello_conf(
791 server_hello: &ServerHelloPayload,
792 server_hello_encoded: &Payload<'_>,
793 ) -> Message<'static> {
794 // The confirmation is computed over the server hello, which has had
795 // its `random` field altered to zero the final 8 bytes.
796 //
797 // nb. we don't require that we can round-trip a `ServerHelloPayload`, to
798 // allow for efficiency in its in-memory representation. That means
799 // we operate here on the received encoding, as the confirmation needs
800 // to be computed on that.
801 let mut encoded = server_hello_encoded.clone().into_vec();
802 encoded[SERVER_HELLO_ECH_CONFIRMATION_SPAN].fill(0x00);
803
804 Message {
805 version: ProtocolVersion::TLSv1_3,
806 payload: MessagePayload::Handshake {
807 encoded: Payload::Owned(encoded),
808 parsed: HandshakeMessagePayload(HandshakePayload::ServerHello(
809 server_hello.clone(),
810 )),
811 },
812 }
813 }
814
815 fn hello_retry_request_conf(retry_req: &HelloRetryRequest) -> Message<'_> {
816 Self::ech_conf_message(HandshakeMessagePayload(
817 HandshakePayload::HelloRetryRequest(retry_req.clone()),
818 ))
819 }
820
821 fn ech_conf_message(hmp: HandshakeMessagePayload<'_>) -> Message<'_> {
822 let mut hmp_encoded = Vec::new();
823 hmp.payload_encode(&mut hmp_encoded, Encoding::EchConfirmation);
824 Message {
825 version: ProtocolVersion::TLSv1_3,
826 payload: MessagePayload::Handshake {
827 encoded: Payload::new(hmp_encoded),
828 parsed: hmp,
829 },
830 }
831 }
832}
833
834/// The last eight bytes of the ServerHello's random, taken from a Handshake message containing it.
835///
836/// This has:
837/// - a HandshakeType (1 byte),
838/// - an exterior length (3 bytes),
839/// - the legacy_version (2 bytes), and
840/// - the balance of the random field (24 bytes).
841const SERVER_HELLO_ECH_CONFIRMATION_SPAN: core::ops::Range<usize> =
842 (1 + 3 + 2 + 24)..(1 + 3 + 2 + 32);
843
844/// Returned from EchState::check_acceptance when the server has accepted the ECH offer.
845///
846/// Holds the state required to continue the handshake with the inner hello from the ECH offer.
847pub(crate) struct EchAccepted {
848 pub(crate) transcript: HandshakeHash,
849 pub(crate) random: Random,
850 pub(crate) sent_extensions: Vec<ExtensionType>,
851}
852
853#[cfg(test)]
854mod tests {
855 use super::*;
856 use crate::crypto::CipherSuite;
857 use crate::msgs::{Compression, Random, ServerExtensions, SessionId};
858
859 #[test]
860 fn server_hello_conf_alters_server_hello_random() {
861 let server_hello = ServerHelloPayload {
862 legacy_version: ProtocolVersion::TLSv1_2,
863 random: Random([0xffu8; 32]),
864 session_id: SessionId::empty(),
865 cipher_suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
866 compression_method: Compression::Null,
867 extensions: Box::new(ServerExtensions::default()),
868 };
869 let message = Message {
870 version: ProtocolVersion::TLSv1_3,
871 payload: MessagePayload::handshake(HandshakeMessagePayload(
872 HandshakePayload::ServerHello(server_hello.clone()),
873 )),
874 };
875 let Message {
876 payload:
877 MessagePayload::Handshake {
878 encoded: server_hello_encoded_before,
879 ..
880 },
881 ..
882 } = &message
883 else {
884 unreachable!("ServerHello is a handshake message");
885 };
886
887 let message = EchState::server_hello_conf(&server_hello, server_hello_encoded_before);
888
889 let Message {
890 payload:
891 MessagePayload::Handshake {
892 encoded: server_hello_encoded_after,
893 ..
894 },
895 ..
896 } = &message
897 else {
898 unreachable!("ServerHello is a handshake message");
899 };
900
901 assert_eq!(
902 std::format!("{server_hello_encoded_before:x?}"),
903 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff001302000000",
904 "beforehand eight bytes at end of Random should be 0xff here ^^^^^^^^^^^^^^^^ "
905 );
906 assert_eq!(
907 std::format!("{server_hello_encoded_after:x?}"),
908 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000001302000000",
909 " afterwards those bytes are zeroed ^^^^^^^^^^^^^^^^ "
910 );
911 }
912}