1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto/ecdsa" 10 "crypto/elliptic" 11 "crypto/rsa" 12 "crypto/subtle" 13 "crypto/x509" 14 "encoding/asn1" 15 "errors" 16 "fmt" 17 "io" 18 "math/big" 19 "net" 20 "strconv" 21) 22 23type clientHandshakeState struct { 24 c *Conn 25 serverHello *serverHelloMsg 26 hello *clientHelloMsg 27 suite *cipherSuite 28 finishedHash finishedHash 29 masterSecret []byte 30 session *ClientSessionState 31 finishedBytes []byte 32} 33 34func (c *Conn) clientHandshake() error { 35 if c.config == nil { 36 c.config = defaultConfig() 37 } 38 39 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify { 40 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") 41 } 42 43 c.sendHandshakeSeq = 0 44 c.recvHandshakeSeq = 0 45 46 nextProtosLength := 0 47 for _, proto := range c.config.NextProtos { 48 if l := len(proto); l > 255 { 49 return errors.New("tls: invalid NextProtos value") 50 } else { 51 nextProtosLength += 1 + l 52 } 53 } 54 if nextProtosLength > 0xffff { 55 return errors.New("tls: NextProtos values too large") 56 } 57 58 hello := &clientHelloMsg{ 59 isDTLS: c.isDTLS, 60 vers: c.config.maxVersion(), 61 compressionMethods: []uint8{compressionNone}, 62 random: make([]byte, 32), 63 ocspStapling: true, 64 sctListSupported: true, 65 serverName: c.config.ServerName, 66 supportedCurves: c.config.curvePreferences(), 67 supportedPoints: []uint8{pointFormatUncompressed}, 68 nextProtoNeg: len(c.config.NextProtos) > 0, 69 secureRenegotiation: []byte{}, 70 alpnProtocols: c.config.NextProtos, 71 duplicateExtension: c.config.Bugs.DuplicateExtension, 72 channelIDSupported: c.config.ChannelID != nil, 73 npnLast: c.config.Bugs.SwapNPNAndALPN, 74 extendedMasterSecret: c.config.maxVersion() >= VersionTLS10, 75 srtpProtectionProfiles: c.config.SRTPProtectionProfiles, 76 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer, 77 customExtension: c.config.Bugs.CustomExtension, 78 } 79 80 if c.config.Bugs.SendClientVersion != 0 { 81 hello.vers = c.config.Bugs.SendClientVersion 82 } 83 84 if c.config.Bugs.NoExtendedMasterSecret { 85 hello.extendedMasterSecret = false 86 } 87 88 if c.config.Bugs.NoSupportedCurves { 89 hello.supportedCurves = nil 90 } 91 92 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 93 if c.config.Bugs.BadRenegotiationInfo { 94 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...) 95 hello.secureRenegotiation[0] ^= 0x80 96 } else { 97 hello.secureRenegotiation = c.clientVerify 98 } 99 } 100 101 if c.noRenegotiationInfo() { 102 hello.secureRenegotiation = nil 103 } 104 105 possibleCipherSuites := c.config.cipherSuites() 106 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites)) 107 108NextCipherSuite: 109 for _, suiteId := range possibleCipherSuites { 110 for _, suite := range cipherSuites { 111 if suite.id != suiteId { 112 continue 113 } 114 // Don't advertise TLS 1.2-only cipher suites unless 115 // we're attempting TLS 1.2. 116 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 { 117 continue 118 } 119 // Don't advertise non-DTLS cipher suites on DTLS. 120 if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS { 121 continue 122 } 123 hello.cipherSuites = append(hello.cipherSuites, suiteId) 124 continue NextCipherSuite 125 } 126 } 127 128 if c.config.Bugs.SendRenegotiationSCSV { 129 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV) 130 } 131 132 if c.config.Bugs.SendFallbackSCSV { 133 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV) 134 } 135 136 _, err := io.ReadFull(c.config.rand(), hello.random) 137 if err != nil { 138 c.sendAlert(alertInternalError) 139 return errors.New("tls: short read from Rand: " + err.Error()) 140 } 141 142 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes { 143 hello.signatureAndHashes = c.config.signatureAndHashesForClient() 144 } 145 146 var session *ClientSessionState 147 var cacheKey string 148 sessionCache := c.config.ClientSessionCache 149 150 if sessionCache != nil { 151 hello.ticketSupported = !c.config.SessionTicketsDisabled 152 153 // Try to resume a previously negotiated TLS session, if 154 // available. 155 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 156 candidateSession, ok := sessionCache.Get(cacheKey) 157 if ok { 158 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil 159 160 // Check that the ciphersuite/version used for the 161 // previous session are still valid. 162 cipherSuiteOk := false 163 for _, id := range hello.cipherSuites { 164 if id == candidateSession.cipherSuite { 165 cipherSuiteOk = true 166 break 167 } 168 } 169 170 versOk := candidateSession.vers >= c.config.minVersion() && 171 candidateSession.vers <= c.config.maxVersion() 172 if ticketOk && versOk && cipherSuiteOk { 173 session = candidateSession 174 } 175 } 176 } 177 178 if session != nil { 179 if session.sessionTicket != nil { 180 hello.sessionTicket = session.sessionTicket 181 if c.config.Bugs.CorruptTicket { 182 hello.sessionTicket = make([]byte, len(session.sessionTicket)) 183 copy(hello.sessionTicket, session.sessionTicket) 184 if len(hello.sessionTicket) > 0 { 185 offset := 40 186 if offset > len(hello.sessionTicket) { 187 offset = len(hello.sessionTicket) - 1 188 } 189 hello.sessionTicket[offset] ^= 0x40 190 } 191 } 192 // A random session ID is used to detect when the 193 // server accepted the ticket and is resuming a session 194 // (see RFC 5077). 195 sessionIdLen := 16 196 if c.config.Bugs.OversizedSessionId { 197 sessionIdLen = 33 198 } 199 hello.sessionId = make([]byte, sessionIdLen) 200 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 201 c.sendAlert(alertInternalError) 202 return errors.New("tls: short read from Rand: " + err.Error()) 203 } 204 } else { 205 hello.sessionId = session.sessionId 206 } 207 } 208 209 var helloBytes []byte 210 if c.config.Bugs.SendV2ClientHello { 211 // Test that the peer left-pads random. 212 hello.random[0] = 0 213 v2Hello := &v2ClientHelloMsg{ 214 vers: hello.vers, 215 cipherSuites: hello.cipherSuites, 216 // No session resumption for V2ClientHello. 217 sessionId: nil, 218 challenge: hello.random[1:], 219 } 220 helloBytes = v2Hello.marshal() 221 c.writeV2Record(helloBytes) 222 } else { 223 helloBytes = hello.marshal() 224 c.writeRecord(recordTypeHandshake, helloBytes) 225 } 226 c.dtlsFlushHandshake() 227 228 if err := c.simulatePacketLoss(nil); err != nil { 229 return err 230 } 231 msg, err := c.readHandshake() 232 if err != nil { 233 return err 234 } 235 236 if c.isDTLS { 237 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg) 238 if ok { 239 if helloVerifyRequest.vers != VersionTLS10 { 240 // Per RFC 6347, the version field in 241 // HelloVerifyRequest SHOULD be always DTLS 242 // 1.0. Enforce this for testing purposes. 243 return errors.New("dtls: bad HelloVerifyRequest version") 244 } 245 246 hello.raw = nil 247 hello.cookie = helloVerifyRequest.cookie 248 helloBytes = hello.marshal() 249 c.writeRecord(recordTypeHandshake, helloBytes) 250 c.dtlsFlushHandshake() 251 252 if err := c.simulatePacketLoss(nil); err != nil { 253 return err 254 } 255 msg, err = c.readHandshake() 256 if err != nil { 257 return err 258 } 259 } 260 } 261 262 serverHello, ok := msg.(*serverHelloMsg) 263 if !ok { 264 c.sendAlert(alertUnexpectedMessage) 265 return unexpectedMessageError(serverHello, msg) 266 } 267 268 c.vers, ok = c.config.mutualVersion(serverHello.vers) 269 if !ok { 270 c.sendAlert(alertProtocolVersion) 271 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers) 272 } 273 c.haveVers = true 274 275 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite) 276 if suite == nil { 277 c.sendAlert(alertHandshakeFailure) 278 return fmt.Errorf("tls: server selected an unsupported cipher suite") 279 } 280 281 if c.config.Bugs.RequireRenegotiationInfo && serverHello.secureRenegotiation == nil { 282 return errors.New("tls: renegotiation extension missing") 283 } 284 285 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() { 286 var expectedRenegInfo []byte 287 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...) 288 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...) 289 if !bytes.Equal(serverHello.secureRenegotiation, expectedRenegInfo) { 290 c.sendAlert(alertHandshakeFailure) 291 return fmt.Errorf("tls: renegotiation mismatch") 292 } 293 } 294 295 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 296 if serverHello.customExtension != *expected { 297 return fmt.Errorf("tls: bad custom extension contents %q", serverHello.customExtension) 298 } 299 } 300 301 hs := &clientHandshakeState{ 302 c: c, 303 serverHello: serverHello, 304 hello: hello, 305 suite: suite, 306 finishedHash: newFinishedHash(c.vers, suite), 307 session: session, 308 } 309 310 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1) 311 hs.writeServerHash(hs.serverHello.marshal()) 312 313 if c.config.Bugs.EarlyChangeCipherSpec > 0 { 314 hs.establishKeys() 315 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 316 } 317 318 isResume, err := hs.processServerHello() 319 if err != nil { 320 return err 321 } 322 323 if isResume { 324 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 325 if err := hs.establishKeys(); err != nil { 326 return err 327 } 328 } 329 if err := hs.readSessionTicket(); err != nil { 330 return err 331 } 332 if err := hs.readFinished(c.firstFinished[:]); err != nil { 333 return err 334 } 335 if err := hs.sendFinished(nil, isResume); err != nil { 336 return err 337 } 338 } else { 339 if err := hs.doFullHandshake(); err != nil { 340 return err 341 } 342 if err := hs.establishKeys(); err != nil { 343 return err 344 } 345 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 346 return err 347 } 348 // Most retransmits are triggered by a timeout, but the final 349 // leg of the handshake is retransmited upon re-receiving a 350 // Finished. 351 if err := c.simulatePacketLoss(func() { 352 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 353 c.dtlsFlushHandshake() 354 }); err != nil { 355 return err 356 } 357 if err := hs.readSessionTicket(); err != nil { 358 return err 359 } 360 if err := hs.readFinished(nil); err != nil { 361 return err 362 } 363 } 364 365 if sessionCache != nil && hs.session != nil && session != hs.session { 366 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 { 367 return errors.New("tls: new session used session IDs instead of tickets") 368 } 369 sessionCache.Put(cacheKey, hs.session) 370 } 371 372 c.didResume = isResume 373 c.handshakeComplete = true 374 c.cipherSuite = suite 375 copy(c.clientRandom[:], hs.hello.random) 376 copy(c.serverRandom[:], hs.serverHello.random) 377 copy(c.masterSecret[:], hs.masterSecret) 378 379 return nil 380} 381 382func (hs *clientHandshakeState) doFullHandshake() error { 383 c := hs.c 384 385 var leaf *x509.Certificate 386 if hs.suite.flags&suitePSK == 0 { 387 msg, err := c.readHandshake() 388 if err != nil { 389 return err 390 } 391 392 certMsg, ok := msg.(*certificateMsg) 393 if !ok || len(certMsg.certificates) == 0 { 394 c.sendAlert(alertUnexpectedMessage) 395 return unexpectedMessageError(certMsg, msg) 396 } 397 hs.writeServerHash(certMsg.marshal()) 398 399 certs := make([]*x509.Certificate, len(certMsg.certificates)) 400 for i, asn1Data := range certMsg.certificates { 401 cert, err := x509.ParseCertificate(asn1Data) 402 if err != nil { 403 c.sendAlert(alertBadCertificate) 404 return errors.New("tls: failed to parse certificate from server: " + err.Error()) 405 } 406 certs[i] = cert 407 } 408 leaf = certs[0] 409 410 if !c.config.InsecureSkipVerify { 411 opts := x509.VerifyOptions{ 412 Roots: c.config.RootCAs, 413 CurrentTime: c.config.time(), 414 DNSName: c.config.ServerName, 415 Intermediates: x509.NewCertPool(), 416 } 417 418 for i, cert := range certs { 419 if i == 0 { 420 continue 421 } 422 opts.Intermediates.AddCert(cert) 423 } 424 c.verifiedChains, err = leaf.Verify(opts) 425 if err != nil { 426 c.sendAlert(alertBadCertificate) 427 return err 428 } 429 } 430 431 switch leaf.PublicKey.(type) { 432 case *rsa.PublicKey, *ecdsa.PublicKey: 433 break 434 default: 435 c.sendAlert(alertUnsupportedCertificate) 436 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leaf.PublicKey) 437 } 438 439 c.peerCertificates = certs 440 } 441 442 if hs.serverHello.ocspStapling { 443 msg, err := c.readHandshake() 444 if err != nil { 445 return err 446 } 447 cs, ok := msg.(*certificateStatusMsg) 448 if !ok { 449 c.sendAlert(alertUnexpectedMessage) 450 return unexpectedMessageError(cs, msg) 451 } 452 hs.writeServerHash(cs.marshal()) 453 454 if cs.statusType == statusTypeOCSP { 455 c.ocspResponse = cs.response 456 } 457 } 458 459 msg, err := c.readHandshake() 460 if err != nil { 461 return err 462 } 463 464 keyAgreement := hs.suite.ka(c.vers) 465 466 skx, ok := msg.(*serverKeyExchangeMsg) 467 if ok { 468 hs.writeServerHash(skx.marshal()) 469 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx) 470 if err != nil { 471 c.sendAlert(alertUnexpectedMessage) 472 return err 473 } 474 475 msg, err = c.readHandshake() 476 if err != nil { 477 return err 478 } 479 } 480 481 var chainToSend *Certificate 482 var certRequested bool 483 certReq, ok := msg.(*certificateRequestMsg) 484 if ok { 485 certRequested = true 486 487 // RFC 4346 on the certificateAuthorities field: 488 // A list of the distinguished names of acceptable certificate 489 // authorities. These distinguished names may specify a desired 490 // distinguished name for a root CA or for a subordinate CA; 491 // thus, this message can be used to describe both known roots 492 // and a desired authorization space. If the 493 // certificate_authorities list is empty then the client MAY 494 // send any certificate of the appropriate 495 // ClientCertificateType, unless there is some external 496 // arrangement to the contrary. 497 498 hs.writeServerHash(certReq.marshal()) 499 500 var rsaAvail, ecdsaAvail bool 501 for _, certType := range certReq.certificateTypes { 502 switch certType { 503 case CertTypeRSASign: 504 rsaAvail = true 505 case CertTypeECDSASign: 506 ecdsaAvail = true 507 } 508 } 509 510 // We need to search our list of client certs for one 511 // where SignatureAlgorithm is RSA and the Issuer is in 512 // certReq.certificateAuthorities 513 findCert: 514 for i, chain := range c.config.Certificates { 515 if !rsaAvail && !ecdsaAvail { 516 continue 517 } 518 519 for j, cert := range chain.Certificate { 520 x509Cert := chain.Leaf 521 // parse the certificate if this isn't the leaf 522 // node, or if chain.Leaf was nil 523 if j != 0 || x509Cert == nil { 524 if x509Cert, err = x509.ParseCertificate(cert); err != nil { 525 c.sendAlert(alertInternalError) 526 return errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error()) 527 } 528 } 529 530 switch { 531 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA: 532 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA: 533 default: 534 continue findCert 535 } 536 537 if len(certReq.certificateAuthorities) == 0 { 538 // they gave us an empty list, so just take the 539 // first RSA cert from c.config.Certificates 540 chainToSend = &chain 541 break findCert 542 } 543 544 for _, ca := range certReq.certificateAuthorities { 545 if bytes.Equal(x509Cert.RawIssuer, ca) { 546 chainToSend = &chain 547 break findCert 548 } 549 } 550 } 551 } 552 553 msg, err = c.readHandshake() 554 if err != nil { 555 return err 556 } 557 } 558 559 shd, ok := msg.(*serverHelloDoneMsg) 560 if !ok { 561 c.sendAlert(alertUnexpectedMessage) 562 return unexpectedMessageError(shd, msg) 563 } 564 hs.writeServerHash(shd.marshal()) 565 566 // If the server requested a certificate then we have to send a 567 // Certificate message in TLS, even if it's empty because we don't have 568 // a certificate to send. In SSL 3.0, skip the message and send a 569 // no_certificate warning alert. 570 if certRequested { 571 if c.vers == VersionSSL30 && chainToSend == nil { 572 c.sendAlert(alertNoCertficate) 573 } else if !c.config.Bugs.SkipClientCertificate { 574 certMsg := new(certificateMsg) 575 if chainToSend != nil { 576 certMsg.certificates = chainToSend.Certificate 577 } 578 hs.writeClientHash(certMsg.marshal()) 579 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 580 } 581 } 582 583 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf) 584 if err != nil { 585 c.sendAlert(alertInternalError) 586 return err 587 } 588 if ckx != nil { 589 if c.config.Bugs.EarlyChangeCipherSpec < 2 { 590 hs.writeClientHash(ckx.marshal()) 591 } 592 c.writeRecord(recordTypeHandshake, ckx.marshal()) 593 } 594 595 if hs.serverHello.extendedMasterSecret && c.vers >= VersionTLS10 { 596 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 597 c.extendedMasterSecret = true 598 } else { 599 if c.config.Bugs.RequireExtendedMasterSecret { 600 return errors.New("tls: extended master secret required but not supported by peer") 601 } 602 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) 603 } 604 605 if chainToSend != nil { 606 var signed []byte 607 certVerify := &certificateVerifyMsg{ 608 hasSignatureAndHash: c.vers >= VersionTLS12, 609 } 610 611 // Determine the hash to sign. 612 var signatureType uint8 613 switch c.config.Certificates[0].PrivateKey.(type) { 614 case *ecdsa.PrivateKey: 615 signatureType = signatureECDSA 616 case *rsa.PrivateKey: 617 signatureType = signatureRSA 618 default: 619 c.sendAlert(alertInternalError) 620 return errors.New("unknown private key type") 621 } 622 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 623 certReq.signatureAndHashes = c.config.signatureAndHashesForClient() 624 } 625 certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, c.config.signatureAndHashesForClient(), signatureType) 626 if err != nil { 627 c.sendAlert(alertInternalError) 628 return err 629 } 630 digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret) 631 if err != nil { 632 c.sendAlert(alertInternalError) 633 return err 634 } 635 if c.config.Bugs.InvalidCertVerifySignature { 636 digest[0] ^= 0x80 637 } 638 639 switch key := c.config.Certificates[0].PrivateKey.(type) { 640 case *ecdsa.PrivateKey: 641 var r, s *big.Int 642 r, s, err = ecdsa.Sign(c.config.rand(), key, digest) 643 if err == nil { 644 signed, err = asn1.Marshal(ecdsaSignature{r, s}) 645 } 646 case *rsa.PrivateKey: 647 signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest) 648 default: 649 err = errors.New("unknown private key type") 650 } 651 if err != nil { 652 c.sendAlert(alertInternalError) 653 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error()) 654 } 655 certVerify.signature = signed 656 657 hs.writeClientHash(certVerify.marshal()) 658 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 659 } 660 c.dtlsFlushHandshake() 661 662 hs.finishedHash.discardHandshakeBuffer() 663 664 return nil 665} 666 667func (hs *clientHandshakeState) establishKeys() error { 668 c := hs.c 669 670 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 671 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 672 var clientCipher, serverCipher interface{} 673 var clientHash, serverHash macFunction 674 if hs.suite.cipher != nil { 675 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) 676 clientHash = hs.suite.mac(c.vers, clientMAC) 677 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) 678 serverHash = hs.suite.mac(c.vers, serverMAC) 679 } else { 680 clientCipher = hs.suite.aead(clientKey, clientIV) 681 serverCipher = hs.suite.aead(serverKey, serverIV) 682 } 683 684 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash) 685 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash) 686 return nil 687} 688 689func (hs *clientHandshakeState) serverResumedSession() bool { 690 // If the server responded with the same sessionId then it means the 691 // sessionTicket is being used to resume a TLS session. 692 return hs.session != nil && hs.hello.sessionId != nil && 693 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId) 694} 695 696func (hs *clientHandshakeState) processServerHello() (bool, error) { 697 c := hs.c 698 699 if hs.serverHello.compressionMethod != compressionNone { 700 c.sendAlert(alertUnexpectedMessage) 701 return false, errors.New("tls: server selected unsupported compression format") 702 } 703 704 clientDidNPN := hs.hello.nextProtoNeg 705 clientDidALPN := len(hs.hello.alpnProtocols) > 0 706 serverHasNPN := hs.serverHello.nextProtoNeg 707 serverHasALPN := len(hs.serverHello.alpnProtocol) > 0 708 709 if !clientDidNPN && serverHasNPN { 710 c.sendAlert(alertHandshakeFailure) 711 return false, errors.New("server advertised unrequested NPN extension") 712 } 713 714 if !clientDidALPN && serverHasALPN { 715 c.sendAlert(alertHandshakeFailure) 716 return false, errors.New("server advertised unrequested ALPN extension") 717 } 718 719 if serverHasNPN && serverHasALPN { 720 c.sendAlert(alertHandshakeFailure) 721 return false, errors.New("server advertised both NPN and ALPN extensions") 722 } 723 724 if serverHasALPN { 725 c.clientProtocol = hs.serverHello.alpnProtocol 726 c.clientProtocolFallback = false 727 c.usedALPN = true 728 } 729 730 if !hs.hello.channelIDSupported && hs.serverHello.channelIDRequested { 731 c.sendAlert(alertHandshakeFailure) 732 return false, errors.New("server advertised unrequested Channel ID extension") 733 } 734 735 if hs.serverHello.srtpProtectionProfile != 0 { 736 if hs.serverHello.srtpMasterKeyIdentifier != "" { 737 return false, errors.New("tls: server selected SRTP MKI value") 738 } 739 740 found := false 741 for _, p := range c.config.SRTPProtectionProfiles { 742 if p == hs.serverHello.srtpProtectionProfile { 743 found = true 744 break 745 } 746 } 747 if !found { 748 return false, errors.New("tls: server advertised unsupported SRTP profile") 749 } 750 751 c.srtpProtectionProfile = hs.serverHello.srtpProtectionProfile 752 } 753 754 if hs.serverResumedSession() { 755 // For test purposes, assert that the server never accepts the 756 // resumption offer on renegotiation. 757 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego { 758 return false, errors.New("tls: server resumed session on renegotiation") 759 } 760 761 if hs.serverHello.sctList != nil { 762 return false, errors.New("tls: server sent SCT extension on session resumption") 763 } 764 765 if hs.serverHello.ocspStapling { 766 return false, errors.New("tls: server sent OCSP extension on session resumption") 767 } 768 769 // Restore masterSecret and peerCerts from previous state 770 hs.masterSecret = hs.session.masterSecret 771 c.peerCertificates = hs.session.serverCertificates 772 c.extendedMasterSecret = hs.session.extendedMasterSecret 773 c.sctList = hs.session.sctList 774 c.ocspResponse = hs.session.ocspResponse 775 hs.finishedHash.discardHandshakeBuffer() 776 return true, nil 777 } 778 779 if hs.serverHello.sctList != nil { 780 c.sctList = hs.serverHello.sctList 781 } 782 783 return false, nil 784} 785 786func (hs *clientHandshakeState) readFinished(out []byte) error { 787 c := hs.c 788 789 c.readRecord(recordTypeChangeCipherSpec) 790 if err := c.in.error(); err != nil { 791 return err 792 } 793 794 msg, err := c.readHandshake() 795 if err != nil { 796 return err 797 } 798 serverFinished, ok := msg.(*finishedMsg) 799 if !ok { 800 c.sendAlert(alertUnexpectedMessage) 801 return unexpectedMessageError(serverFinished, msg) 802 } 803 804 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 805 verify := hs.finishedHash.serverSum(hs.masterSecret) 806 if len(verify) != len(serverFinished.verifyData) || 807 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 808 c.sendAlert(alertHandshakeFailure) 809 return errors.New("tls: server's Finished message was incorrect") 810 } 811 } 812 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...) 813 copy(out, serverFinished.verifyData) 814 hs.writeServerHash(serverFinished.marshal()) 815 return nil 816} 817 818func (hs *clientHandshakeState) readSessionTicket() error { 819 c := hs.c 820 821 // Create a session with no server identifier. Either a 822 // session ID or session ticket will be attached. 823 session := &ClientSessionState{ 824 vers: c.vers, 825 cipherSuite: hs.suite.id, 826 masterSecret: hs.masterSecret, 827 handshakeHash: hs.finishedHash.server.Sum(nil), 828 serverCertificates: c.peerCertificates, 829 sctList: c.sctList, 830 ocspResponse: c.ocspResponse, 831 } 832 833 if !hs.serverHello.ticketSupported { 834 if c.config.Bugs.ExpectNewTicket { 835 return errors.New("tls: expected new ticket") 836 } 837 if hs.session == nil && len(hs.serverHello.sessionId) > 0 { 838 session.sessionId = hs.serverHello.sessionId 839 hs.session = session 840 } 841 return nil 842 } 843 844 if c.vers == VersionSSL30 { 845 return errors.New("tls: negotiated session tickets in SSL 3.0") 846 } 847 848 msg, err := c.readHandshake() 849 if err != nil { 850 return err 851 } 852 sessionTicketMsg, ok := msg.(*newSessionTicketMsg) 853 if !ok { 854 c.sendAlert(alertUnexpectedMessage) 855 return unexpectedMessageError(sessionTicketMsg, msg) 856 } 857 858 session.sessionTicket = sessionTicketMsg.ticket 859 hs.session = session 860 861 hs.writeServerHash(sessionTicketMsg.marshal()) 862 863 return nil 864} 865 866func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error { 867 c := hs.c 868 869 var postCCSBytes []byte 870 seqno := hs.c.sendHandshakeSeq 871 if hs.serverHello.nextProtoNeg { 872 nextProto := new(nextProtoMsg) 873 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos) 874 nextProto.proto = proto 875 c.clientProtocol = proto 876 c.clientProtocolFallback = fallback 877 878 nextProtoBytes := nextProto.marshal() 879 hs.writeHash(nextProtoBytes, seqno) 880 seqno++ 881 postCCSBytes = append(postCCSBytes, nextProtoBytes...) 882 } 883 884 if hs.serverHello.channelIDRequested { 885 encryptedExtensions := new(encryptedExtensionsMsg) 886 if c.config.ChannelID.Curve != elliptic.P256() { 887 return fmt.Errorf("tls: Channel ID is not on P-256.") 888 } 889 var resumeHash []byte 890 if isResume { 891 resumeHash = hs.session.handshakeHash 892 } 893 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash)) 894 if err != nil { 895 return err 896 } 897 channelID := make([]byte, 128) 898 writeIntPadded(channelID[0:32], c.config.ChannelID.X) 899 writeIntPadded(channelID[32:64], c.config.ChannelID.Y) 900 writeIntPadded(channelID[64:96], r) 901 writeIntPadded(channelID[96:128], s) 902 encryptedExtensions.channelID = channelID 903 904 c.channelID = &c.config.ChannelID.PublicKey 905 906 encryptedExtensionsBytes := encryptedExtensions.marshal() 907 hs.writeHash(encryptedExtensionsBytes, seqno) 908 seqno++ 909 postCCSBytes = append(postCCSBytes, encryptedExtensionsBytes...) 910 } 911 912 finished := new(finishedMsg) 913 if c.config.Bugs.EarlyChangeCipherSpec == 2 { 914 finished.verifyData = hs.finishedHash.clientSum(nil) 915 } else { 916 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) 917 } 918 copy(out, finished.verifyData) 919 if c.config.Bugs.BadFinished { 920 finished.verifyData[0]++ 921 } 922 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...) 923 hs.finishedBytes = finished.marshal() 924 hs.writeHash(hs.finishedBytes, seqno) 925 postCCSBytes = append(postCCSBytes, hs.finishedBytes...) 926 927 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 928 c.writeRecord(recordTypeHandshake, postCCSBytes[:5]) 929 postCCSBytes = postCCSBytes[5:] 930 } 931 c.dtlsFlushHandshake() 932 933 if !c.config.Bugs.SkipChangeCipherSpec && 934 c.config.Bugs.EarlyChangeCipherSpec == 0 { 935 ccs := []byte{1} 936 if c.config.Bugs.BadChangeCipherSpec != nil { 937 ccs = c.config.Bugs.BadChangeCipherSpec 938 } 939 c.writeRecord(recordTypeChangeCipherSpec, ccs) 940 } 941 942 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 943 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 944 } 945 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 946 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 947 return errors.New("tls: simulating post-CCS alert") 948 } 949 950 if !c.config.Bugs.SkipFinished { 951 c.writeRecord(recordTypeHandshake, postCCSBytes) 952 c.dtlsFlushHandshake() 953 } 954 return nil 955} 956 957func (hs *clientHandshakeState) writeClientHash(msg []byte) { 958 // writeClientHash is called before writeRecord. 959 hs.writeHash(msg, hs.c.sendHandshakeSeq) 960} 961 962func (hs *clientHandshakeState) writeServerHash(msg []byte) { 963 // writeServerHash is called after readHandshake. 964 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 965} 966 967func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) { 968 if hs.c.isDTLS { 969 // This is somewhat hacky. DTLS hashes a slightly different format. 970 // First, the TLS header. 971 hs.finishedHash.Write(msg[:4]) 972 // Then the sequence number and reassembled fragment offset (always 0). 973 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 974 // Then the reassembled fragment (always equal to the message length). 975 hs.finishedHash.Write(msg[1:4]) 976 // And then the message body. 977 hs.finishedHash.Write(msg[4:]) 978 } else { 979 hs.finishedHash.Write(msg) 980 } 981} 982 983// clientSessionCacheKey returns a key used to cache sessionTickets that could 984// be used to resume previously negotiated TLS sessions with a server. 985func clientSessionCacheKey(serverAddr net.Addr, config *Config) string { 986 if len(config.ServerName) > 0 { 987 return config.ServerName 988 } 989 return serverAddr.String() 990} 991 992// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol 993// given list of possible protocols and a list of the preference order. The 994// first list must not be empty. It returns the resulting protocol and flag 995// indicating if the fallback case was reached. 996func mutualProtocol(protos, preferenceProtos []string) (string, bool) { 997 for _, s := range preferenceProtos { 998 for _, c := range protos { 999 if s == c { 1000 return s, false 1001 } 1002 } 1003 } 1004 1005 return protos[0], true 1006} 1007 1008// writeIntPadded writes x into b, padded up with leading zeros as 1009// needed. 1010func writeIntPadded(b []byte, x *big.Int) { 1011 for i := range b { 1012 b[i] = 0 1013 } 1014 xb := x.Bytes() 1015 copy(b[len(b)-len(xb):], xb) 1016} 1017