rustls/client/ech.rs
1use alloc::boxed::Box;
2use alloc::vec;
3use alloc::vec::Vec;
4
5use pki_types::{DnsName, EchConfigListBytes, FipsStatus, ServerName};
6use subtle::ConstantTimeEq;
7
8use super::config::ClientConfig;
9use super::{Retrieved, Tls13ClientSessionValue, tls13};
10use crate::common_state::Protocol;
11use crate::crypto::CipherSuite::TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
12use crate::crypto::SecureRandom;
13use crate::crypto::cipher::Payload;
14use crate::crypto::hash::Hash;
15use crate::crypto::hpke::{
16 EncapsulatedSecret, Hpke, HpkeKem, HpkePublicKey, HpkeSealer, HpkeSuite,
17 HpkeSymmetricCipherSuite,
18};
19use crate::enums::ProtocolVersion;
20use crate::error::{EncryptedClientHelloError, Error, PeerMisbehaved, RejectedEch};
21use crate::hash_hs::{HandshakeHash, HandshakeHashBuffer};
22use crate::log::{debug, trace, warn};
23use crate::msgs::{
24 ClientExtensions, ClientHelloPayload, Codec, EchConfigContents, EchConfigPayload, Encoding,
25 EncryptedClientHello, EncryptedClientHelloOuter, ExtensionType, HandshakeAlignedProof,
26 HandshakeMessagePayload, HandshakePayload, HelloRetryRequest, HpkeKeyConfig, Message,
27 MessagePayload, PresharedKeyBinder, PresharedKeyOffer, Random, Reader, ServerHelloPayload,
28 ServerNamePayload, SizedPayload,
29};
30use crate::tls13::Tls13CipherSuite;
31use crate::tls13::key_schedule::{
32 KeyScheduleEarlyClient, KeyScheduleHandshakeStart, server_ech_hrr_confirmation_secret,
33};
34
35/// Controls how Encrypted Client Hello (ECH) is used in a client handshake.
36#[non_exhaustive]
37#[derive(Clone, Debug)]
38pub enum EchMode {
39 /// ECH is enabled and the ClientHello will be encrypted based on the provided
40 /// configuration.
41 Enable(EchConfig),
42
43 /// No ECH configuration is available but the client should act as though it were.
44 ///
45 /// This is an anti-ossification measure, sometimes referred to as "GREASE"[^0].
46 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
47 Grease(EchGreaseConfig),
48}
49
50impl EchMode {
51 /// Returns true if the ECH mode will use a FIPS approved HPKE suite.
52 pub fn fips(&self) -> FipsStatus {
53 match self {
54 Self::Enable(ech_config) => ech_config.suite.fips(),
55 Self::Grease(grease_config) => grease_config.suite.fips(),
56 }
57 }
58}
59
60impl From<EchConfig> for EchMode {
61 fn from(config: EchConfig) -> Self {
62 Self::Enable(config)
63 }
64}
65
66impl From<EchGreaseConfig> for EchMode {
67 fn from(config: EchGreaseConfig) -> Self {
68 Self::Grease(config)
69 }
70}
71
72/// Configuration for performing encrypted client hello.
73///
74/// Note: differs from the protocol-encoded EchConfig (`EchConfigMsg`).
75#[derive(Clone, Debug)]
76pub struct EchConfig {
77 /// The selected EchConfig.
78 pub(crate) config: EchConfigPayload,
79
80 /// An HPKE instance corresponding to a suite from the `config` we have selected as
81 /// a compatible choice.
82 pub(crate) suite: &'static dyn Hpke,
83}
84
85impl EchConfig {
86 /// Construct an EchConfig by selecting a ECH config from the provided bytes that is compatible
87 /// with one of the given HPKE suites.
88 ///
89 /// The config list bytes should be sourced from a DNS-over-HTTPS lookup resolving the `HTTPS`
90 /// resource record for the host name of the server you wish to connect via ECH,
91 /// and extracting the ECH configuration from the `ech` parameter. The extracted bytes should
92 /// be base64 decoded to yield the `EchConfigListBytes` you provide to rustls.
93 ///
94 /// One of the provided ECH configurations must be compatible with the HPKE provider's supported
95 /// suites or an error will be returned.
96 ///
97 /// See the [`ech-client.rs`] example for a complete example of fetching ECH configs from DNS.
98 ///
99 /// [`ech-client.rs`]: https://github.com/rustls/rustls/blob/main/examples/src/bin/ech-client.rs
100 pub fn new(
101 ech_config_list: EchConfigListBytes<'_>,
102 hpke_suites: &[&'static dyn Hpke],
103 ) -> Result<Self, Error> {
104 let ech_configs = Vec::<EchConfigPayload>::read(&mut Reader::init(&ech_config_list))
105 .map_err(|_| {
106 Error::InvalidEncryptedClientHello(EncryptedClientHelloError::InvalidConfigList)
107 })?;
108
109 Self::new_for_configs(ech_configs, hpke_suites)
110 }
111
112 /// Build an EchConfig for retrying ECH using a retry config from a server's previous rejection
113 ///
114 /// Returns an error if the server provided no retry configurations in `RejectedEch`, or if
115 /// none of the retry configurations are compatible with the supported `hpke_suites`.
116 pub fn for_retry(
117 rejection: RejectedEch,
118 hpke_suites: &[&'static dyn Hpke],
119 ) -> Result<Self, Error> {
120 let Some(configs) = rejection.retry_configs else {
121 return Err(EncryptedClientHelloError::NoCompatibleConfig.into());
122 };
123
124 Self::new_for_configs(configs, hpke_suites)
125 }
126
127 pub(super) fn state(
128 &self,
129 server_name: ServerName<'static>,
130 protocol: Protocol,
131 config: &ClientConfig,
132 ) -> Result<EchState, Error> {
133 EchState::new(
134 self,
135 server_name.clone(),
136 protocol,
137 !config
138 .resolver()
139 .supported_certificate_types()
140 .is_empty(),
141 config.provider().secure_random,
142 config.enable_sni,
143 )
144 }
145
146 /// Compute the HPKE `SetupBaseS` `info` parameter for this ECH configuration.
147 ///
148 /// See <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-17#section-6.1>.
149 pub(crate) fn hpke_info(&self) -> Vec<u8> {
150 let mut info = Vec::with_capacity(128);
151 // "tls ech" || 0x00 || ECHConfig
152 info.extend_from_slice(b"tls ech\0");
153 self.config.encode(&mut info);
154 info
155 }
156
157 fn new_for_configs(
158 ech_configs: Vec<EchConfigPayload>,
159 hpke_suites: &[&'static dyn Hpke],
160 ) -> Result<Self, Error> {
161 for (i, config) in ech_configs.iter().enumerate() {
162 let contents = match config {
163 EchConfigPayload::V18(contents) => contents,
164 EchConfigPayload::Unknown { version, .. } => {
165 warn!("ECH config {} has unsupported version {:?}", i + 1, version);
166 continue; // Unsupported version.
167 }
168 };
169
170 if contents.has_unknown_mandatory_extension() || contents.has_duplicate_extension() {
171 warn!("ECH config has duplicate, or unknown mandatory extensions: {contents:?}",);
172 continue; // Unsupported, or malformed extensions.
173 }
174
175 let key_config = &contents.key_config;
176 for cipher_suite in &key_config.symmetric_cipher_suites {
177 if cipher_suite.aead_id.tag_len().is_none() {
178 continue; // Unsupported EXPORT_ONLY AEAD cipher suite.
179 }
180
181 let suite = HpkeSuite {
182 kem: key_config.kem_id,
183 sym: *cipher_suite,
184 };
185 if let Some(hpke) = hpke_suites
186 .iter()
187 .find(|hpke| hpke.suite() == suite)
188 {
189 debug!(
190 "selected ECH config ID {:?} suite {:?} public_name {:?}",
191 key_config.config_id, suite, contents.public_name
192 );
193 return Ok(Self {
194 config: config.clone(),
195 suite: *hpke,
196 });
197 }
198 }
199 }
200
201 Err(EncryptedClientHelloError::NoCompatibleConfig.into())
202 }
203}
204
205/// Configuration for GREASE Encrypted Client Hello.
206#[derive(Clone, Debug)]
207pub struct EchGreaseConfig {
208 pub(crate) suite: &'static dyn Hpke,
209 pub(crate) placeholder_key: HpkePublicKey,
210}
211
212impl EchGreaseConfig {
213 /// Construct a GREASE ECH configuration.
214 ///
215 /// This configuration is used when the client wishes to offer ECH to prevent ossification,
216 /// but doesn't have a real ECH configuration to use for the remote server. In this case
217 /// a placeholder or "GREASE"[^0] extension is used.
218 ///
219 /// Returns an error if the HPKE provider does not support the given suite.
220 ///
221 /// [^0]: <https://www.rfc-editor.org/rfc/rfc8701>
222 pub fn new(suite: &'static dyn Hpke, placeholder_key: HpkePublicKey) -> Self {
223 Self {
224 suite,
225 placeholder_key,
226 }
227 }
228
229 /// Build a GREASE ECH extension based on the placeholder configuration.
230 ///
231 /// See <https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#name-grease-ech> for
232 /// more information.
233 pub(crate) fn grease_ext(
234 &self,
235 secure_random: &'static dyn SecureRandom,
236 protocol: Protocol,
237 inner_name: ServerName<'static>,
238 outer_hello: &ClientHelloPayload,
239 ) -> Result<EncryptedClientHello, Error> {
240 trace!("Preparing GREASE ECH extension");
241
242 // Pick a random config id.
243 let mut config_id: [u8; 1] = [0; 1];
244 secure_random.fill(&mut config_id[..])?;
245
246 let suite = self.suite.suite();
247
248 // Construct a dummy ECH state - we don't have a real ECH config from a server since
249 // this is for GREASE.
250 let mut grease_state = EchState::new(
251 &EchConfig {
252 config: EchConfigPayload::V18(EchConfigContents {
253 key_config: HpkeKeyConfig {
254 config_id: config_id[0],
255 kem_id: HpkeKem::DHKEM_P256_HKDF_SHA256,
256 public_key: SizedPayload::from(self.placeholder_key.0.clone()),
257 symmetric_cipher_suites: vec![suite.sym],
258 },
259 maximum_name_length: 0,
260 public_name: DnsName::try_from("filler").unwrap(),
261 extensions: Vec::default(),
262 }),
263 suite: self.suite,
264 },
265 inner_name,
266 protocol,
267 false,
268 secure_random,
269 false, // Does not matter if we enable/disable SNI here. Inner hello is not used.
270 )?;
271
272 // Construct an inner hello using the outer hello - this allows us to know the size of
273 // dummy payload we should use for the GREASE extension.
274 let encoded_inner_hello = grease_state.encode_inner_hello(outer_hello, None, None);
275
276 // Generate a payload of random data equivalent in length to a real inner hello.
277 let payload_len = encoded_inner_hello.len()
278 + suite
279 .sym
280 .aead_id
281 .tag_len()
282 // Safety: we have confirmed the AEAD is supported when building the config. All
283 // supported AEADs have a tag length.
284 .unwrap();
285 let mut payload = vec![0; payload_len];
286 secure_random.fill(&mut payload)?;
287
288 // Return the GREASE extension.
289 Ok(EncryptedClientHello::Outer(EncryptedClientHelloOuter {
290 cipher_suite: suite.sym,
291 config_id: config_id[0],
292 enc: SizedPayload::from(Payload::new(grease_state.enc.0)),
293 payload: SizedPayload::from(Payload::new(payload)),
294 }))
295 }
296}
297
298/// An enum representing ECH offer status.
299#[non_exhaustive]
300#[derive(Debug, Default, Clone, Copy, Eq, PartialEq)]
301pub enum EchStatus {
302 /// ECH was not offered - it is a normal TLS handshake.
303 #[default]
304 NotOffered,
305 /// GREASE ECH was sent. This is not considered offering ECH.
306 Grease,
307 /// ECH was offered but we do not yet know whether the offer was accepted or rejected.
308 Offered,
309 /// ECH was offered and the server accepted.
310 Accepted,
311 /// ECH was offered and the server rejected.
312 Rejected,
313}
314
315/// Contextual data for a TLS client handshake that has offered encrypted client hello (ECH).
316pub(crate) struct EchState {
317 // The public DNS name from the ECH configuration we've chosen - this is included as the SNI
318 // value for the "outer" client hello. It can only be a DnsName, not an IP address.
319 pub(crate) outer_name: DnsName<'static>,
320 // If we're resuming in the inner hello, this is the early key schedule to use for encrypting
321 // early data if the ECH offer is accepted.
322 pub(crate) early_data_key_schedule: Option<KeyScheduleEarlyClient>,
323 // A random value we use for the inner hello.
324 pub(crate) inner_hello_random: Random,
325 // A transcript buffer maintained for the inner hello. Once ECH is confirmed we switch to
326 // using this transcript for the handshake.
327 pub(crate) inner_hello_transcript: HandshakeHashBuffer,
328 // A source of secure random data.
329 secure_random: &'static dyn SecureRandom,
330 // The top level protocol
331 protocol: Protocol,
332 // An HPKE sealer context that can be used for encrypting ECH data.
333 sender: Box<dyn HpkeSealer>,
334 // The ID of the ECH configuration we've chosen - this is included in the outer ECH extension.
335 config_id: u8,
336 // The private server name we'll use for the inner protected hello.
337 inner_name: ServerName<'static>,
338 // The advertised maximum name length from the ECH configuration we've chosen - this is used
339 // for padding calculations.
340 maximum_name_length: u8,
341 // A supported symmetric cipher suite from the ECH configuration we've chosen - this is
342 // included in the outer ECH extension.
343 cipher_suite: HpkeSymmetricCipherSuite,
344 // A secret encapsulated to the public key of the remote server. This is included in the
345 // outer ECH extension for non-retry outer hello messages.
346 enc: EncapsulatedSecret,
347 // Whether the inner client hello should contain a server name indication (SNI) extension.
348 enable_sni: bool,
349 // The extensions sent in the inner hello.
350 sent_extensions: Vec<ExtensionType>,
351}
352
353impl EchState {
354 pub(crate) fn new(
355 config: &EchConfig,
356 inner_name: ServerName<'static>,
357 protocol: Protocol,
358 client_auth_enabled: bool,
359 secure_random: &'static dyn SecureRandom,
360 enable_sni: bool,
361 ) -> Result<Self, Error> {
362 let EchConfigPayload::V18(config_contents) = &config.config else {
363 // the public EchConfig::new() constructor ensures we only have supported
364 // configurations.
365 unreachable!("ECH config version mismatch");
366 };
367 let key_config = &config_contents.key_config;
368
369 // Encapsulate a secret for the server's public key, and set up a sender context
370 // we can use to seal messages.
371 let (enc, sender) = config.suite.setup_sealer(
372 &config.hpke_info(),
373 &HpkePublicKey(key_config.public_key.to_vec()),
374 )?;
375
376 // Start a new transcript buffer for the inner hello.
377 let mut inner_hello_transcript = HandshakeHashBuffer::new();
378 if client_auth_enabled {
379 inner_hello_transcript.set_client_auth_enabled();
380 }
381
382 Ok(Self {
383 outer_name: config_contents.public_name.clone(),
384 early_data_key_schedule: None,
385 inner_hello_random: Random::new(secure_random)?,
386 inner_hello_transcript,
387 secure_random,
388 sender,
389 config_id: key_config.config_id,
390 inner_name,
391 maximum_name_length: config_contents.maximum_name_length,
392 cipher_suite: config.suite.suite().sym,
393 protocol,
394 enc,
395 enable_sni,
396 sent_extensions: Vec::new(),
397 })
398 }
399
400 /// Construct a ClientHelloPayload offering ECH.
401 ///
402 /// An outer hello, with a protected inner hello for the `inner_name` will be returned, and the
403 /// ECH context will be updated to reflect the inner hello that was offered.
404 ///
405 /// If `retry_req` is `Some`, then the outer hello will be constructed for a hello retry request.
406 ///
407 /// If `resuming` is `Some`, then the inner hello will be constructed for a resumption handshake.
408 pub(crate) fn ech_hello(
409 &mut self,
410 mut outer_hello: ClientHelloPayload,
411 retry_req: Option<&HelloRetryRequest>,
412 resuming: Option<&Retrieved<&Tls13ClientSessionValue>>,
413 ) -> Result<ClientHelloPayload, Error> {
414 trace!(
415 "Preparing ECH offer {}",
416 if retry_req.is_some() { "for retry" } else { "" }
417 );
418
419 // Construct the encoded inner hello and update the transcript.
420 let encoded_inner_hello = self.encode_inner_hello(&outer_hello, retry_req, resuming);
421
422 // Complete the ClientHelloOuterAAD with an ech extension, the payload should be a placeholder
423 // of size L, all zeroes. L == length of encrypting encoded client hello inner w/ the selected
424 // HPKE AEAD. (sum of plaintext + tag length, typically).
425 let payload_len = encoded_inner_hello.len()
426 + self
427 .cipher_suite
428 .aead_id
429 .tag_len()
430 // Safety: we've already verified this AEAD is supported when loading the config
431 // that was used to create the ECH context. All supported AEADs have a tag length.
432 .unwrap();
433
434 // Outer hello's created in response to a hello retry request omit the enc value.
435 let enc = match retry_req.is_some() {
436 true => Vec::default(),
437 false => self.enc.0.clone(),
438 };
439
440 fn outer_hello_ext(ctx: &EchState, enc: Vec<u8>, payload: Vec<u8>) -> EncryptedClientHello {
441 EncryptedClientHello::Outer(EncryptedClientHelloOuter {
442 cipher_suite: ctx.cipher_suite,
443 config_id: ctx.config_id,
444 enc: SizedPayload::from(Payload::new(enc)),
445 payload: SizedPayload::from(Payload::new(payload)),
446 })
447 }
448
449 // The outer handshake is not permitted to resume a session. If we're resuming in the
450 // inner handshake we remove the PSK extension from the outer hello, replacing it
451 // with a GREASE PSK to implement the "ClientHello Malleability Mitigation" mentioned
452 // in 10.12.3.
453 if let Some(psk_offer) = outer_hello.preshared_key_offer.as_mut() {
454 self.grease_psk(psk_offer)?;
455 }
456
457 // To compute the encoded AAD we add a placeholder extension with an empty payload.
458 outer_hello.encrypted_client_hello =
459 Some(outer_hello_ext(self, enc.clone(), vec![0; payload_len]));
460
461 // Next we compute the proper extension payload.
462 let payload = self
463 .sender
464 .seal(&outer_hello.get_encoding(), &encoded_inner_hello)?;
465
466 // And then we replace the placeholder extension with the real one.
467 outer_hello.encrypted_client_hello = Some(outer_hello_ext(self, enc, payload));
468
469 Ok(outer_hello)
470 }
471
472 /// Confirm whether an ECH offer was accepted based on examining the server hello.
473 pub(crate) fn confirm_acceptance(
474 self,
475 ks: &KeyScheduleHandshakeStart,
476 server_hello: &ServerHelloPayload,
477 server_hello_encoded: &Payload<'_>,
478 hash: &'static dyn Hash,
479 ) -> Result<Option<EchAccepted>, Error> {
480 // Start the inner transcript hash now that we know the hash algorithm to use.
481 let inner_transcript = self
482 .inner_hello_transcript
483 .start_hash(hash);
484
485 // Fork the transcript that we've started with the inner hello to use for a confirmation step.
486 // We need to preserve the original inner_transcript to use if this confirmation succeeds.
487 let mut confirmation_transcript = inner_transcript.clone();
488
489 // Add the server hello confirmation - this is computed by altering the received
490 // encoding rather than reencoding it.
491 confirmation_transcript
492 .add_message(&Self::server_hello_conf(server_hello, server_hello_encoded));
493
494 // Derive a confirmation secret from the inner hello random and the confirmation transcript.
495 let derived = ks.server_ech_confirmation_secret(
496 self.inner_hello_random.0.as_ref(),
497 confirmation_transcript.current_hash(),
498 );
499
500 // Check that first 8 digits of the derived secret match the last 8 digits of the original
501 // server random. This match signals that the server accepted the ECH offer.
502 // Indexing safety: Random is [0; 32] by construction.
503
504 match ConstantTimeEq::ct_eq(derived.as_ref(), server_hello.random.0[24..].as_ref()).into() {
505 true => {
506 trace!("ECH accepted by server");
507 Ok(Some(EchAccepted {
508 transcript: inner_transcript,
509 random: self.inner_hello_random,
510 sent_extensions: self.sent_extensions,
511 }))
512 }
513 false => {
514 trace!("ECH rejected by server");
515 Ok(None)
516 }
517 }
518 }
519
520 pub(crate) fn confirm_hrr_acceptance(
521 &self,
522 hrr: &HelloRetryRequest,
523 cs: &Tls13CipherSuite,
524 ) -> Result<bool, Error> {
525 // The client checks for the "encrypted_client_hello" extension.
526 let ech_conf = match &hrr.encrypted_client_hello {
527 // If none is found, the server has implicitly rejected ECH.
528 None => return Ok(false),
529 // Otherwise, if it has a length other than 8, the client aborts the
530 // handshake with a "decode_error" alert.
531 Some(ech_conf) if ech_conf.bytes().len() != 8 => {
532 return Err(PeerMisbehaved::IllegalHelloRetryRequestWithInvalidEch.into());
533 }
534 Some(ech_conf) => ech_conf,
535 };
536
537 // Otherwise the client computes hrr_accept_confirmation as described in Section
538 // 7.2.1
539 let confirmation_transcript = self.inner_hello_transcript.clone();
540 let mut confirmation_transcript =
541 confirmation_transcript.start_hash(cs.common.hash_provider);
542 confirmation_transcript.rollup_for_hrr();
543 confirmation_transcript.add_message(&Self::hello_retry_request_conf(hrr));
544
545 let derived = server_ech_hrr_confirmation_secret(
546 cs.hkdf_provider,
547 &self.inner_hello_random.0,
548 confirmation_transcript.current_hash(),
549 );
550
551 match ConstantTimeEq::ct_eq(derived.as_ref(), ech_conf.bytes()).into() {
552 true => {
553 trace!("ECH accepted by server in hello retry request");
554 Ok(true)
555 }
556 false => {
557 trace!("ECH rejected by server in hello retry request");
558 Ok(false)
559 }
560 }
561 }
562
563 /// Update the ECH context inner hello transcript based on a received hello retry request message.
564 ///
565 /// This will start the in-progress transcript using the given `hash`, convert it into an HRR
566 /// buffer, and then add the hello retry message `m`.
567 pub(crate) fn transcript_hrr_update(
568 &mut self,
569 hash: &'static dyn Hash,
570 m: &Message<'_>,
571 proof: &HandshakeAlignedProof,
572 ) {
573 trace!("Updating ECH inner transcript for HRR");
574
575 let inner_transcript = self
576 .inner_hello_transcript
577 .clone()
578 .start_hash(hash);
579
580 let mut inner_transcript_buffer = inner_transcript.into_hrr_buffer(proof);
581 inner_transcript_buffer.add_message(m);
582 self.inner_hello_transcript = inner_transcript_buffer;
583 }
584
585 // 5.1 "Encoding the ClientHelloInner"
586 fn encode_inner_hello(
587 &mut self,
588 outer_hello: &ClientHelloPayload,
589 retryreq: Option<&HelloRetryRequest>,
590 resuming: Option<&Retrieved<&Tls13ClientSessionValue>>,
591 ) -> Vec<u8> {
592 // Start building an inner hello using the outer_hello as a template.
593 let mut inner_hello = ClientHelloPayload {
594 // Some information is copied over as-is.
595 client_version: outer_hello.client_version,
596
597 // Set the inner hello random to the one we generated when creating the ECH state.
598 // We hold on to the inner_hello_random in the ECH state to use later for confirming
599 // whether ECH was accepted or not.
600 random: self.inner_hello_random,
601 session_id: outer_hello.session_id,
602
603 // We remove the empty renegotiation info SCSV from the outer hello's ciphersuite.
604 // Similar to the TLS 1.2 specific extensions we will filter out, this is seen as a
605 // TLS 1.2 only feature by bogo.
606 cipher_suites: outer_hello
607 .cipher_suites
608 .iter()
609 .filter(|cs| **cs != TLS_EMPTY_RENEGOTIATION_INFO_SCSV)
610 .copied()
611 .collect(),
612 compression_methods: outer_hello.compression_methods.clone(),
613
614 // We will build up the included extensions ourselves.
615 extensions: Box::new(ClientExtensions::default()),
616 };
617
618 inner_hello.order_seed = outer_hello.order_seed;
619
620 // The inner hello will always have an inner variant of the ECH extension added.
621 // See Section 6.1 rule 4.
622 inner_hello.encrypted_client_hello = Some(EncryptedClientHello::Inner);
623
624 let inner_sni = match &self.inner_name {
625 // The inner hello only gets a SNI value if enable_sni is true and the inner name
626 // is a domain name (not an IP address).
627 ServerName::DnsName(dns_name) if self.enable_sni => Some(dns_name),
628 _ => None,
629 };
630
631 // Now we consider each of the outer hello's extensions - we can either:
632 // 1. Omit the extension if it isn't appropriate (e.g. is a TLS 1.2 extension).
633 // 2. Add the extension to the inner hello as-is.
634 // 3. Compress the extension, by collecting it into a list of to-be-compressed
635 // extensions we'll handle separately.
636 let outer_extensions = outer_hello.used_extensions_in_encoding_order();
637 let mut compressed_exts = Vec::with_capacity(outer_extensions.len());
638 for ext in outer_extensions {
639 // Some outer hello extensions are only useful in the context where a TLS 1.3
640 // connection allows TLS 1.2. This isn't the case for ECH so we skip adding them
641 // to the inner hello.
642 if matches!(
643 ext,
644 ExtensionType::ExtendedMasterSecret
645 | ExtensionType::SessionTicket
646 | ExtensionType::ECPointFormats
647 ) {
648 continue;
649 }
650
651 if ext == ExtensionType::ServerName {
652 // We may want to replace the outer hello SNI with our own inner hello specific SNI.
653 if let Some(sni_value) = inner_sni {
654 inner_hello.server_name = Some(ServerNamePayload::from(sni_value));
655 }
656 // We don't want to add, or compress, the SNI from the outer hello.
657 continue;
658 }
659
660 // Compressed extensions need to be put aside to include in one contiguous block.
661 // Uncompressed extensions get added directly to the inner hello.
662 if ext.ech_compress() {
663 compressed_exts.push(ext);
664 }
665
666 inner_hello.clone_one(outer_hello, ext);
667 }
668
669 // We've added all the uncompressed extensions. Now we need to add the contiguous
670 // block of to-be-compressed extensions.
671 inner_hello.contiguous_extensions = compressed_exts.clone();
672
673 // Note which extensions we're sending in the inner hello. This may differ from
674 // the outer hello (e.g. the inner hello may omit SNI while the outer hello will
675 // always have the ECH cover name in SNI).
676 self.sent_extensions = inner_hello.collect_used();
677
678 // If we're resuming, we need to update the PSK binder in the inner hello.
679 if let Some(resuming) = resuming.as_ref() {
680 let mut chp = HandshakeMessagePayload(HandshakePayload::ClientHello(inner_hello));
681
682 let key_schedule =
683 KeyScheduleEarlyClient::new(self.protocol, resuming.suite(), resuming.secret());
684 tls13::fill_in_psk_binder(&key_schedule, &self.inner_hello_transcript, &mut chp);
685 self.early_data_key_schedule = Some(key_schedule);
686
687 // fill_in_psk_binder works on an owned HandshakeMessagePayload, so we need to
688 // extract our inner hello back out of it to retain ownership.
689 inner_hello = match chp.0 {
690 HandshakePayload::ClientHello(chp) => chp,
691 // Safety: we construct the HMP above and know its type unconditionally.
692 _ => unreachable!(),
693 };
694 }
695
696 trace!("ECH Inner Hello: {inner_hello:#?}");
697
698 // Encode the inner hello according to the rules required for ECH. This differs
699 // from the standard encoding in several ways. Notably this is where we will
700 // replace the block of contiguous to-be-compressed extensions with a marker.
701 let mut encoded_hello = inner_hello.ech_inner_encoding(compressed_exts);
702
703 // Calculate padding
704 // max_name_len = L
705 let max_name_len = self.maximum_name_length;
706 let max_name_len = if max_name_len > 0 { max_name_len } else { 255 };
707
708 let padding_len = match &self.inner_name {
709 ServerName::DnsName(name) => {
710 // name.len() = D
711 // max(0, L - D)
712 core::cmp::max(
713 0,
714 max_name_len.saturating_sub(name.as_ref().len() as u8) as usize,
715 )
716 }
717 _ => {
718 // L + 9
719 // "This is the length of a "server_name" extension with an L-byte name."
720 // We widen to usize here to avoid overflowing u8 + u8.
721 max_name_len as usize + 9
722 }
723 };
724
725 // Let L be the length of the EncodedClientHelloInner with all the padding computed so far
726 // Let N = 31 - ((L - 1) % 32) and add N bytes of padding.
727 let padding_len = 31 - ((encoded_hello.len() + padding_len - 1) % 32);
728 encoded_hello.extend(vec![0; padding_len]);
729
730 // Construct the inner hello message that will be used for the transcript.
731 let inner_hello_msg = Message {
732 version: match retryreq {
733 // <https://datatracker.ietf.org/doc/html/rfc8446#section-5.1>:
734 // "This value MUST be set to 0x0303 for all records generated
735 // by a TLS 1.3 implementation ..."
736 Some(_) => ProtocolVersion::TLSv1_2,
737 // "... other than an initial ClientHello (i.e., one not
738 // generated after a HelloRetryRequest), where it MAY also be
739 // 0x0301 for compatibility purposes"
740 //
741 // (retryreq == None means we're in the "initial ClientHello" case)
742 None => ProtocolVersion::TLSv1_0,
743 },
744 payload: MessagePayload::handshake(HandshakeMessagePayload(
745 HandshakePayload::ClientHello(inner_hello),
746 )),
747 };
748
749 // Update the inner transcript buffer with the inner hello message.
750 self.inner_hello_transcript
751 .add_message(&inner_hello_msg);
752
753 encoded_hello
754 }
755
756 // See https://datatracker.ietf.org/doc/html/draft-ietf-tls-esni-18#name-grease-psk
757 fn grease_psk(&self, psk_offer: &mut PresharedKeyOffer) -> Result<(), Error> {
758 for ident in psk_offer.identities.iter_mut() {
759 // "For each PSK identity advertised in the ClientHelloInner, the
760 // client generates a random PSK identity with the same length."
761 match ident.identity.as_mut() {
762 Some(ident) => self.secure_random.fill(ident)?,
763 None => unreachable!(),
764 }
765
766 // "It also generates a random, 32-bit, unsigned integer to use as
767 // the obfuscated_ticket_age."
768 let mut ticket_age = [0_u8; 4];
769 self.secure_random
770 .fill(&mut ticket_age)?;
771 ident.obfuscated_ticket_age = u32::from_be_bytes(ticket_age);
772 }
773
774 // "Likewise, for each inner PSK binder, the client generates a random string
775 // of the same length."
776 psk_offer.binders = psk_offer
777 .binders
778 .iter()
779 .map(|old_binder| {
780 // We can't access the wrapped binder PresharedKeyBinder's PayloadU8 mutably,
781 // so we construct new PresharedKeyBinder's from scratch with the same length.
782 let mut new_binder = vec![0; old_binder.as_ref().len()];
783 self.secure_random
784 .fill(&mut new_binder)?;
785 Ok::<PresharedKeyBinder, Error>(PresharedKeyBinder::from(new_binder))
786 })
787 .collect::<Result<_, _>>()?;
788 Ok(())
789 }
790
791 fn server_hello_conf(
792 server_hello: &ServerHelloPayload,
793 server_hello_encoded: &Payload<'_>,
794 ) -> Message<'static> {
795 // The confirmation is computed over the server hello, which has had
796 // its `random` field altered to zero the final 8 bytes.
797 //
798 // nb. we don't require that we can round-trip a `ServerHelloPayload`, to
799 // allow for efficiency in its in-memory representation. That means
800 // we operate here on the received encoding, as the confirmation needs
801 // to be computed on that.
802 let mut encoded = server_hello_encoded.clone().into_vec();
803 encoded[SERVER_HELLO_ECH_CONFIRMATION_SPAN].fill(0x00);
804
805 Message {
806 version: ProtocolVersion::TLSv1_3,
807 payload: MessagePayload::Handshake {
808 encoded: Payload::Owned(encoded),
809 parsed: HandshakeMessagePayload(HandshakePayload::ServerHello(
810 server_hello.clone(),
811 )),
812 },
813 }
814 }
815
816 fn hello_retry_request_conf(retry_req: &HelloRetryRequest) -> Message<'_> {
817 Self::ech_conf_message(HandshakeMessagePayload(
818 HandshakePayload::HelloRetryRequest(retry_req.clone()),
819 ))
820 }
821
822 fn ech_conf_message(hmp: HandshakeMessagePayload<'_>) -> Message<'_> {
823 let mut hmp_encoded = Vec::new();
824 hmp.payload_encode(&mut hmp_encoded, Encoding::EchConfirmation);
825 Message {
826 version: ProtocolVersion::TLSv1_3,
827 payload: MessagePayload::Handshake {
828 encoded: Payload::new(hmp_encoded),
829 parsed: hmp,
830 },
831 }
832 }
833}
834
835/// The last eight bytes of the ServerHello's random, taken from a Handshake message containing it.
836///
837/// This has:
838/// - a HandshakeType (1 byte),
839/// - an exterior length (3 bytes),
840/// - the legacy_version (2 bytes), and
841/// - the balance of the random field (24 bytes).
842const SERVER_HELLO_ECH_CONFIRMATION_SPAN: core::ops::Range<usize> =
843 (1 + 3 + 2 + 24)..(1 + 3 + 2 + 32);
844
845/// Returned from EchState::check_acceptance when the server has accepted the ECH offer.
846///
847/// Holds the state required to continue the handshake with the inner hello from the ECH offer.
848pub(crate) struct EchAccepted {
849 pub(crate) transcript: HandshakeHash,
850 pub(crate) random: Random,
851 pub(crate) sent_extensions: Vec<ExtensionType>,
852}
853
854#[cfg(test)]
855mod tests {
856 use super::*;
857 use crate::crypto::CipherSuite;
858 use crate::msgs::{Compression, Random, ServerExtensions, SessionId};
859
860 #[test]
861 fn server_hello_conf_alters_server_hello_random() {
862 let server_hello = ServerHelloPayload {
863 legacy_version: ProtocolVersion::TLSv1_2,
864 random: Random([0xffu8; 32]),
865 session_id: SessionId::empty(),
866 cipher_suite: CipherSuite::TLS13_AES_256_GCM_SHA384,
867 compression_method: Compression::Null,
868 extensions: Box::new(ServerExtensions::default()),
869 };
870 let message = Message {
871 version: ProtocolVersion::TLSv1_3,
872 payload: MessagePayload::handshake(HandshakeMessagePayload(
873 HandshakePayload::ServerHello(server_hello.clone()),
874 )),
875 };
876 let Message {
877 payload:
878 MessagePayload::Handshake {
879 encoded: server_hello_encoded_before,
880 ..
881 },
882 ..
883 } = &message
884 else {
885 unreachable!("ServerHello is a handshake message");
886 };
887
888 let message = EchState::server_hello_conf(&server_hello, server_hello_encoded_before);
889
890 let Message {
891 payload:
892 MessagePayload::Handshake {
893 encoded: server_hello_encoded_after,
894 ..
895 },
896 ..
897 } = &message
898 else {
899 unreachable!("ServerHello is a handshake message");
900 };
901
902 assert_eq!(
903 std::format!("{server_hello_encoded_before:x?}"),
904 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff001302000000",
905 "beforehand eight bytes at end of Random should be 0xff here ^^^^^^^^^^^^^^^^ "
906 );
907 assert_eq!(
908 std::format!("{server_hello_encoded_after:x?}"),
909 "020000280303ffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000001302000000",
910 " afterwards those bytes are zeroed ^^^^^^^^^^^^^^^^ "
911 );
912 }
913}