1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "crypto/subtle" 15 "crypto/x509" 16 "errors" 17 "fmt" 18 "io" 19 "math/big" 20 "net" 21 "time" 22) 23 24type clientHandshakeState struct { 25 c *Conn 26 serverHello *serverHelloMsg 27 hello *clientHelloMsg 28 suite *cipherSuite 29 finishedHash finishedHash 30 keyShares map[CurveID]ecdhCurve 31 masterSecret []byte 32 session *ClientSessionState 33 finishedBytes []byte 34 peerPublicKey crypto.PublicKey 35 skxAlgo signatureAlgorithm 36} 37 38func mapClientHelloVersion(vers uint16, isDTLS bool) uint16 { 39 if !isDTLS { 40 return vers 41 } 42 43 switch vers { 44 case VersionTLS12: 45 return VersionDTLS12 46 case VersionTLS10: 47 return VersionDTLS10 48 } 49 50 panic("Unknown ClientHello version.") 51} 52 53func fixClientHellos(hello *clientHelloMsg, in []byte) ([]byte, error) { 54 ret := append([]byte{}, in...) 55 newHello := new(clientHelloMsg) 56 if !newHello.unmarshal(ret) { 57 return nil, errors.New("tls: invalid ClientHello") 58 } 59 60 hello.random = newHello.random 61 hello.sessionId = newHello.sessionId 62 63 // Replace |ret|'s key shares with those of |hello|. For simplicity, we 64 // require their lengths match, which is satisfied by matching the 65 // DefaultCurves setting to the selection in the replacement 66 // ClientHello. 67 bb := newByteBuilder() 68 hello.marshalKeyShares(bb) 69 keyShares := bb.finish() 70 if len(keyShares) != len(newHello.keySharesRaw) { 71 return nil, errors.New("tls: ClientHello key share length is inconsistent with DefaultCurves setting") 72 } 73 // |newHello.keySharesRaw| aliases |ret|. 74 copy(newHello.keySharesRaw, keyShares) 75 76 return ret, nil 77} 78 79func (c *Conn) clientHandshake() error { 80 if c.config == nil { 81 c.config = defaultConfig() 82 } 83 84 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify { 85 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") 86 } 87 88 c.sendHandshakeSeq = 0 89 c.recvHandshakeSeq = 0 90 91 nextProtosLength := 0 92 for _, proto := range c.config.NextProtos { 93 if l := len(proto); l > 255 { 94 return errors.New("tls: invalid NextProtos value") 95 } else { 96 nextProtosLength += 1 + l 97 } 98 } 99 if nextProtosLength > 0xffff { 100 return errors.New("tls: NextProtos values too large") 101 } 102 103 minVersion := c.config.minVersion(c.isDTLS) 104 maxVersion := c.config.maxVersion(c.isDTLS) 105 hello := &clientHelloMsg{ 106 isDTLS: c.isDTLS, 107 compressionMethods: []uint8{compressionNone}, 108 random: make([]byte, 32), 109 ocspStapling: !c.config.Bugs.NoOCSPStapling, 110 sctListSupported: !c.config.Bugs.NoSignedCertificateTimestamps, 111 serverName: c.config.ServerName, 112 supportedCurves: c.config.curvePreferences(), 113 supportedPoints: []uint8{pointFormatUncompressed}, 114 nextProtoNeg: len(c.config.NextProtos) > 0, 115 secureRenegotiation: []byte{}, 116 alpnProtocols: c.config.NextProtos, 117 quicTransportParams: c.config.QUICTransportParams, 118 duplicateExtension: c.config.Bugs.DuplicateExtension, 119 channelIDSupported: c.config.ChannelID != nil, 120 tokenBindingParams: c.config.TokenBindingParams, 121 tokenBindingVersion: c.config.TokenBindingVersion, 122 npnAfterAlpn: c.config.Bugs.SwapNPNAndALPN, 123 extendedMasterSecret: maxVersion >= VersionTLS10, 124 srtpProtectionProfiles: c.config.SRTPProtectionProfiles, 125 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer, 126 customExtension: c.config.Bugs.CustomExtension, 127 pskBinderFirst: c.config.Bugs.PSKBinderFirst && !c.config.Bugs.OnlyCorruptSecondPSKBinder, 128 omitExtensions: c.config.Bugs.OmitExtensions, 129 emptyExtensions: c.config.Bugs.EmptyExtensions, 130 delegatedCredentials: !c.config.Bugs.DisableDelegatedCredentials, 131 } 132 133 if maxVersion >= VersionTLS13 { 134 hello.vers = mapClientHelloVersion(VersionTLS12, c.isDTLS) 135 if !c.config.Bugs.OmitSupportedVersions { 136 hello.supportedVersions = c.config.supportedVersions(c.isDTLS) 137 } 138 hello.pskKEModes = []byte{pskDHEKEMode} 139 } else { 140 hello.vers = mapClientHelloVersion(maxVersion, c.isDTLS) 141 } 142 143 if c.config.Bugs.SendClientVersion != 0 { 144 hello.vers = c.config.Bugs.SendClientVersion 145 } 146 147 if len(c.config.Bugs.SendSupportedVersions) > 0 { 148 hello.supportedVersions = c.config.Bugs.SendSupportedVersions 149 } 150 151 disableEMS := c.config.Bugs.NoExtendedMasterSecret 152 if c.cipherSuite != nil { 153 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation 154 } 155 156 if disableEMS { 157 hello.extendedMasterSecret = false 158 } 159 160 if c.config.Bugs.NoSupportedCurves { 161 hello.supportedCurves = nil 162 } 163 164 if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 { 165 hello.pskKEModes = c.config.Bugs.SendPSKKeyExchangeModes 166 } 167 168 if c.config.Bugs.SendCompressionMethods != nil { 169 hello.compressionMethods = c.config.Bugs.SendCompressionMethods 170 } 171 172 if c.config.Bugs.SendSupportedPointFormats != nil { 173 hello.supportedPoints = c.config.Bugs.SendSupportedPointFormats 174 } 175 176 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 177 if c.config.Bugs.BadRenegotiationInfo { 178 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...) 179 hello.secureRenegotiation[0] ^= 0x80 180 } else { 181 hello.secureRenegotiation = c.clientVerify 182 } 183 } 184 185 if c.config.Bugs.DuplicateCompressedCertAlgs { 186 hello.compressedCertAlgs = []uint16{1, 1} 187 } else if len(c.config.CertCompressionAlgs) > 0 { 188 hello.compressedCertAlgs = make([]uint16, 0, len(c.config.CertCompressionAlgs)) 189 for id, _ := range c.config.CertCompressionAlgs { 190 hello.compressedCertAlgs = append(hello.compressedCertAlgs, uint16(id)) 191 } 192 } 193 194 if c.noRenegotiationInfo() { 195 hello.secureRenegotiation = nil 196 } 197 198 var keyShares map[CurveID]ecdhCurve 199 if maxVersion >= VersionTLS13 { 200 keyShares = make(map[CurveID]ecdhCurve) 201 hello.hasKeyShares = true 202 hello.trailingKeyShareData = c.config.Bugs.TrailingKeyShareData 203 curvesToSend := c.config.defaultCurves() 204 for _, curveID := range hello.supportedCurves { 205 if !curvesToSend[curveID] { 206 continue 207 } 208 curve, ok := curveForCurveID(curveID, c.config) 209 if !ok { 210 continue 211 } 212 publicKey, err := curve.offer(c.config.rand()) 213 if err != nil { 214 return err 215 } 216 217 if c.config.Bugs.SendCurve != 0 { 218 curveID = c.config.Bugs.SendCurve 219 } 220 if c.config.Bugs.InvalidECDHPoint { 221 publicKey[0] ^= 0xff 222 } 223 224 hello.keyShares = append(hello.keyShares, keyShareEntry{ 225 group: curveID, 226 keyExchange: publicKey, 227 }) 228 keyShares[curveID] = curve 229 230 if c.config.Bugs.DuplicateKeyShares { 231 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1]) 232 } 233 } 234 235 if c.config.Bugs.MissingKeyShare { 236 hello.hasKeyShares = false 237 } 238 } 239 240 possibleCipherSuites := c.config.cipherSuites() 241 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites)) 242 243NextCipherSuite: 244 for _, suiteId := range possibleCipherSuites { 245 for _, suite := range cipherSuites { 246 if suite.id != suiteId { 247 continue 248 } 249 // Don't advertise TLS 1.2-only cipher suites unless 250 // we're attempting TLS 1.2. 251 if maxVersion < VersionTLS12 && suite.flags&suiteTLS12 != 0 { 252 continue 253 } 254 hello.cipherSuites = append(hello.cipherSuites, suiteId) 255 continue NextCipherSuite 256 } 257 } 258 259 if c.config.Bugs.AdvertiseAllConfiguredCiphers { 260 hello.cipherSuites = possibleCipherSuites 261 } 262 263 if c.config.Bugs.SendRenegotiationSCSV { 264 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV) 265 } 266 267 if c.config.Bugs.SendFallbackSCSV { 268 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV) 269 } 270 271 _, err := io.ReadFull(c.config.rand(), hello.random) 272 if err != nil { 273 c.sendAlert(alertInternalError) 274 return errors.New("tls: short read from Rand: " + err.Error()) 275 } 276 277 if maxVersion >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms { 278 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms() 279 } 280 281 var session *ClientSessionState 282 var cacheKey string 283 sessionCache := c.config.ClientSessionCache 284 285 if sessionCache != nil { 286 hello.ticketSupported = !c.config.SessionTicketsDisabled 287 288 // Try to resume a previously negotiated TLS session, if 289 // available. 290 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 291 // TODO(nharper): Support storing more than one session 292 // ticket for TLS 1.3. 293 candidateSession, ok := sessionCache.Get(cacheKey) 294 if ok { 295 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil 296 297 // Check that the ciphersuite/version used for the 298 // previous session are still valid. 299 cipherSuiteOk := false 300 if candidateSession.vers <= VersionTLS12 { 301 for _, id := range hello.cipherSuites { 302 if id == candidateSession.cipherSuite { 303 cipherSuiteOk = true 304 break 305 } 306 } 307 } else { 308 // TLS 1.3 allows the cipher to change on 309 // resumption. 310 cipherSuiteOk = true 311 } 312 313 versOk := candidateSession.vers >= minVersion && 314 candidateSession.vers <= maxVersion 315 if ticketOk && versOk && cipherSuiteOk { 316 session = candidateSession 317 } 318 } 319 } 320 321 var pskCipherSuite *cipherSuite 322 if session != nil && c.config.time().Before(session.ticketExpiration) { 323 ticket := session.sessionTicket 324 if c.config.Bugs.FilterTicket != nil && len(ticket) > 0 { 325 // Copy the ticket so FilterTicket may act in-place. 326 ticket = make([]byte, len(session.sessionTicket)) 327 copy(ticket, session.sessionTicket) 328 329 ticket, err = c.config.Bugs.FilterTicket(ticket) 330 if err != nil { 331 return err 332 } 333 } 334 335 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets { 336 pskCipherSuite = cipherSuiteFromID(session.cipherSuite) 337 if pskCipherSuite == nil { 338 return errors.New("tls: client session cache has invalid cipher suite") 339 } 340 // TODO(nharper): Support sending more 341 // than one PSK identity. 342 ticketAge := uint32(c.config.time().Sub(session.ticketCreationTime) / time.Millisecond) 343 if c.config.Bugs.SendTicketAge != 0 { 344 ticketAge = uint32(c.config.Bugs.SendTicketAge / time.Millisecond) 345 } 346 psk := pskIdentity{ 347 ticket: ticket, 348 obfuscatedTicketAge: session.ticketAgeAdd + ticketAge, 349 } 350 hello.pskIdentities = []pskIdentity{psk} 351 352 if c.config.Bugs.ExtraPSKIdentity { 353 hello.pskIdentities = append(hello.pskIdentities, psk) 354 } 355 } 356 357 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets { 358 if ticket != nil { 359 hello.sessionTicket = ticket 360 // A random session ID is used to detect when the 361 // server accepted the ticket and is resuming a session 362 // (see RFC 5077). 363 sessionIdLen := 16 364 if c.config.Bugs.TicketSessionIDLength != 0 { 365 sessionIdLen = c.config.Bugs.TicketSessionIDLength 366 } 367 if c.config.Bugs.EmptyTicketSessionID { 368 sessionIdLen = 0 369 } 370 hello.sessionId = make([]byte, sessionIdLen) 371 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 372 c.sendAlert(alertInternalError) 373 return errors.New("tls: short read from Rand: " + err.Error()) 374 } 375 } else { 376 hello.sessionId = session.sessionId 377 } 378 } 379 } 380 381 // Request compatibility mode from the client by sending a fake session 382 // ID. Although BoringSSL always enables compatibility mode, other 383 // implementations make it conditional on the ClientHello. We test 384 // BoringSSL's expected behavior with SendClientHelloSessionID. 385 if len(hello.sessionId) == 0 && maxVersion >= VersionTLS13 { 386 hello.sessionId = make([]byte, 32) 387 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 388 c.sendAlert(alertInternalError) 389 return errors.New("tls: short read from Rand: " + err.Error()) 390 } 391 } 392 393 if c.config.Bugs.SendCipherSuites != nil { 394 hello.cipherSuites = c.config.Bugs.SendCipherSuites 395 } 396 397 var sendEarlyData bool 398 if len(hello.pskIdentities) > 0 && c.config.Bugs.SendEarlyData != nil { 399 hello.hasEarlyData = true 400 sendEarlyData = true 401 } 402 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 403 hello.hasEarlyData = true 404 } 405 if c.config.Bugs.OmitEarlyDataExtension { 406 hello.hasEarlyData = false 407 } 408 if c.config.Bugs.SendClientHelloSessionID != nil { 409 hello.sessionId = c.config.Bugs.SendClientHelloSessionID 410 } 411 412 var helloBytes []byte 413 if c.config.Bugs.SendV2ClientHello { 414 // Test that the peer left-pads random. 415 hello.random[0] = 0 416 v2Hello := &v2ClientHelloMsg{ 417 vers: hello.vers, 418 cipherSuites: hello.cipherSuites, 419 // No session resumption for V2ClientHello. 420 sessionId: nil, 421 challenge: hello.random[1:], 422 } 423 helloBytes = v2Hello.marshal() 424 c.writeV2Record(helloBytes) 425 } else { 426 if len(hello.pskIdentities) > 0 { 427 version := session.wireVersion 428 // We may have a pre-1.3 session if SendBothTickets is 429 // set. 430 if session.vers < VersionTLS13 { 431 version = VersionTLS13 432 } 433 generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config) 434 } 435 if c.config.Bugs.SendClientHelloWithFixes != nil { 436 helloBytes, err = fixClientHellos(hello, c.config.Bugs.SendClientHelloWithFixes) 437 if err != nil { 438 return err 439 } 440 } else { 441 helloBytes = hello.marshal() 442 } 443 444 var appendToHello byte 445 if c.config.Bugs.PartialClientFinishedWithClientHello { 446 appendToHello = typeFinished 447 } else if c.config.Bugs.PartialEndOfEarlyDataWithClientHello { 448 appendToHello = typeEndOfEarlyData 449 } else if c.config.Bugs.PartialSecondClientHelloAfterFirst { 450 appendToHello = typeClientHello 451 } else if c.config.Bugs.PartialClientKeyExchangeWithClientHello { 452 appendToHello = typeClientKeyExchange 453 } 454 if appendToHello != 0 { 455 c.writeRecord(recordTypeHandshake, append(helloBytes[:len(helloBytes):len(helloBytes)], appendToHello)) 456 } else { 457 c.writeRecord(recordTypeHandshake, helloBytes) 458 } 459 } 460 c.flushHandshake() 461 462 if err := c.simulatePacketLoss(nil); err != nil { 463 return err 464 } 465 if c.config.Bugs.SendEarlyAlert { 466 c.sendAlert(alertHandshakeFailure) 467 } 468 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 469 c.sendFakeEarlyData(c.config.Bugs.SendFakeEarlyDataLength) 470 } 471 472 // Derive early write keys and set Conn state to allow early writes. 473 if sendEarlyData { 474 finishedHash := newFinishedHash(session.wireVersion, c.isDTLS, pskCipherSuite) 475 finishedHash.addEntropy(session.masterSecret) 476 finishedHash.Write(helloBytes) 477 478 if !c.config.Bugs.SkipChangeCipherSpec { 479 c.wireVersion = session.wireVersion 480 c.vers = VersionTLS13 481 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 482 c.wireVersion = 0 483 c.vers = 0 484 } 485 486 earlyTrafficSecret := finishedHash.deriveSecret(earlyTrafficLabel) 487 c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabel) 488 489 c.useOutTrafficSecret(session.wireVersion, pskCipherSuite, earlyTrafficSecret) 490 for _, earlyData := range c.config.Bugs.SendEarlyData { 491 if _, err := c.writeRecord(recordTypeApplicationData, earlyData); err != nil { 492 return err 493 } 494 } 495 } 496 497 msg, err := c.readHandshake() 498 if err != nil { 499 return err 500 } 501 502 if c.isDTLS { 503 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg) 504 if ok { 505 if helloVerifyRequest.vers != VersionDTLS10 { 506 // Per RFC 6347, the version field in 507 // HelloVerifyRequest SHOULD be always DTLS 508 // 1.0. Enforce this for testing purposes. 509 return errors.New("dtls: bad HelloVerifyRequest version") 510 } 511 512 hello.raw = nil 513 hello.cookie = helloVerifyRequest.cookie 514 helloBytes = hello.marshal() 515 c.writeRecord(recordTypeHandshake, helloBytes) 516 c.flushHandshake() 517 518 if err := c.simulatePacketLoss(nil); err != nil { 519 return err 520 } 521 msg, err = c.readHandshake() 522 if err != nil { 523 return err 524 } 525 } 526 } 527 528 var serverWireVersion uint16 529 switch m := msg.(type) { 530 case *helloRetryRequestMsg: 531 serverWireVersion = m.vers 532 case *serverHelloMsg: 533 serverWireVersion = m.vers 534 default: 535 c.sendAlert(alertUnexpectedMessage) 536 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg) 537 } 538 539 serverVersion, ok := c.config.isSupportedVersion(serverWireVersion, c.isDTLS) 540 if !ok { 541 c.sendAlert(alertProtocolVersion) 542 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers) 543 } 544 c.wireVersion = serverWireVersion 545 c.vers = serverVersion 546 c.haveVers = true 547 548 if c.vers >= VersionTLS13 { 549 // The first server message must be followed by a ChangeCipherSpec. 550 c.expectTLS13ChangeCipherSpec = true 551 } 552 553 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg) 554 var secondHelloBytes []byte 555 if haveHelloRetryRequest { 556 if c.config.Bugs.FailIfHelloRetryRequested { 557 return errors.New("tls: unexpected HelloRetryRequest") 558 } 559 // Explicitly read the ChangeCipherSpec now; it should 560 // be attached to the first flight, not the second flight. 561 if err := c.readTLS13ChangeCipherSpec(); err != nil { 562 return err 563 } 564 565 c.out.resetCipher() 566 if len(helloRetryRequest.cookie) > 0 { 567 hello.tls13Cookie = helloRetryRequest.cookie 568 } 569 570 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 { 571 helloRetryRequest.hasSelectedGroup = true 572 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve 573 } 574 if helloRetryRequest.hasSelectedGroup { 575 var hrrCurveFound bool 576 group := helloRetryRequest.selectedGroup 577 for _, curveID := range hello.supportedCurves { 578 if group == curveID { 579 hrrCurveFound = true 580 break 581 } 582 } 583 if !hrrCurveFound || keyShares[group] != nil { 584 c.sendAlert(alertHandshakeFailure) 585 return errors.New("tls: received invalid HelloRetryRequest") 586 } 587 curve, ok := curveForCurveID(group, c.config) 588 if !ok { 589 return errors.New("tls: Unable to get curve requested in HelloRetryRequest") 590 } 591 publicKey, err := curve.offer(c.config.rand()) 592 if err != nil { 593 return err 594 } 595 keyShares[group] = curve 596 hello.keyShares = []keyShareEntry{{ 597 group: group, 598 keyExchange: publicKey, 599 }} 600 } 601 602 if c.config.Bugs.SecondClientHelloMissingKeyShare { 603 hello.hasKeyShares = false 604 } 605 606 hello.hasEarlyData = c.config.Bugs.SendEarlyDataOnSecondClientHello 607 // The first ClientHello may have skipped this due to OnlyCorruptSecondPSKBinder. 608 hello.pskBinderFirst = c.config.Bugs.PSKBinderFirst 609 if c.config.Bugs.OmitPSKsOnSecondClientHello { 610 hello.pskIdentities = nil 611 hello.pskBinders = nil 612 } 613 hello.raw = nil 614 615 if len(hello.pskIdentities) > 0 { 616 generatePSKBinders(c.wireVersion, hello, pskCipherSuite, session.masterSecret, helloBytes, helloRetryRequest.marshal(), c.config) 617 } 618 secondHelloBytes = hello.marshal() 619 secondHelloBytesToWrite := secondHelloBytes 620 621 if c.config.Bugs.PartialSecondClientHelloAfterFirst { 622 // The first byte has already been sent. 623 secondHelloBytesToWrite = secondHelloBytesToWrite[1:] 624 } 625 626 if c.config.Bugs.InterleaveEarlyData { 627 c.sendFakeEarlyData(4) 628 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite[:16]) 629 c.sendFakeEarlyData(4) 630 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite[16:]) 631 } else if c.config.Bugs.PartialClientFinishedWithSecondClientHello { 632 toWrite := make([]byte, len(secondHelloBytesToWrite)+1) 633 copy(toWrite, secondHelloBytesToWrite) 634 toWrite[len(secondHelloBytesToWrite)] = typeFinished 635 c.writeRecord(recordTypeHandshake, toWrite) 636 } else { 637 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite) 638 } 639 c.flushHandshake() 640 641 if c.config.Bugs.SendEarlyDataOnSecondClientHello { 642 c.sendFakeEarlyData(4) 643 } 644 645 msg, err = c.readHandshake() 646 if err != nil { 647 return err 648 } 649 } 650 651 serverHello, ok := msg.(*serverHelloMsg) 652 if !ok { 653 c.sendAlert(alertUnexpectedMessage) 654 return unexpectedMessageError(serverHello, msg) 655 } 656 657 if serverWireVersion != serverHello.vers { 658 c.sendAlert(alertIllegalParameter) 659 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers) 660 } 661 662 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) 663 // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3. 664 gotDowngrade := serverHello.random[len(serverHello.random)-8:] 665 if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom { 666 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { 667 if bytes.Equal(gotDowngrade, downgradeTLS13) { 668 c.sendAlert(alertProtocolVersion) 669 return errors.New("tls: downgrade from TLS 1.3 detected") 670 } 671 } 672 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 { 673 if bytes.Equal(gotDowngrade, downgradeTLS12) { 674 c.sendAlert(alertProtocolVersion) 675 return errors.New("tls: downgrade from TLS 1.2 detected") 676 } 677 } 678 } 679 680 if bytes.Equal(gotDowngrade, downgradeJDK11) != c.config.Bugs.ExpectJDK11DowngradeRandom { 681 c.sendAlert(alertProtocolVersion) 682 if c.config.Bugs.ExpectJDK11DowngradeRandom { 683 return errors.New("tls: server did not send a JDK 11 downgrade signal") 684 } 685 return errors.New("tls: server sent an unexpected JDK 11 downgrade signal") 686 } 687 688 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite) 689 if suite == nil { 690 c.sendAlert(alertHandshakeFailure) 691 return fmt.Errorf("tls: server selected an unsupported cipher suite") 692 } 693 694 if haveHelloRetryRequest && helloRetryRequest.hasSelectedGroup && helloRetryRequest.selectedGroup != serverHello.keyShare.group { 695 c.sendAlert(alertHandshakeFailure) 696 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest") 697 } 698 699 if c.config.Bugs.ExpectOmitExtensions && !serverHello.omitExtensions { 700 return errors.New("tls: ServerHello did not omit extensions") 701 } 702 703 hs := &clientHandshakeState{ 704 c: c, 705 serverHello: serverHello, 706 hello: hello, 707 suite: suite, 708 finishedHash: newFinishedHash(c.wireVersion, c.isDTLS, suite), 709 keyShares: keyShares, 710 session: session, 711 } 712 713 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1) 714 if haveHelloRetryRequest { 715 err = hs.finishedHash.UpdateForHelloRetryRequest() 716 if err != nil { 717 return err 718 } 719 hs.writeServerHash(helloRetryRequest.marshal()) 720 hs.writeClientHash(secondHelloBytes) 721 } 722 hs.writeServerHash(hs.serverHello.marshal()) 723 724 if c.vers >= VersionTLS13 { 725 if err := hs.doTLS13Handshake(); err != nil { 726 return err 727 } 728 } else { 729 if c.config.Bugs.EarlyChangeCipherSpec > 0 { 730 hs.establishKeys() 731 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 732 } 733 734 if hs.serverHello.compressionMethod != compressionNone { 735 c.sendAlert(alertUnexpectedMessage) 736 return errors.New("tls: server selected unsupported compression format") 737 } 738 739 err = hs.processServerExtensions(&serverHello.extensions) 740 if err != nil { 741 return err 742 } 743 744 isResume, err := hs.processServerHello() 745 if err != nil { 746 return err 747 } 748 749 if isResume { 750 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 751 if err := hs.establishKeys(); err != nil { 752 return err 753 } 754 } 755 if err := hs.readSessionTicket(); err != nil { 756 return err 757 } 758 if err := hs.readFinished(c.firstFinished[:]); err != nil { 759 return err 760 } 761 if err := hs.sendFinished(nil, isResume); err != nil { 762 return err 763 } 764 } else { 765 if err := hs.doFullHandshake(); err != nil { 766 return err 767 } 768 if err := hs.establishKeys(); err != nil { 769 return err 770 } 771 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 772 return err 773 } 774 // Most retransmits are triggered by a timeout, but the final 775 // leg of the handshake is retransmited upon re-receiving a 776 // Finished. 777 if err := c.simulatePacketLoss(func() { 778 c.sendHandshakeSeq-- 779 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 780 c.flushHandshake() 781 }); err != nil { 782 return err 783 } 784 if err := hs.readSessionTicket(); err != nil { 785 return err 786 } 787 if err := hs.readFinished(nil); err != nil { 788 return err 789 } 790 } 791 792 if sessionCache != nil && hs.session != nil && session != hs.session { 793 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 { 794 return errors.New("tls: new session used session IDs instead of tickets") 795 } 796 if c.config.Bugs.RequireSessionIDs && len(hs.session.sessionId) == 0 { 797 return errors.New("tls: new session used session tickets instead of IDs") 798 } 799 sessionCache.Put(cacheKey, hs.session) 800 } 801 802 c.didResume = isResume 803 c.exporterSecret = hs.masterSecret 804 } 805 806 c.handshakeComplete = true 807 c.cipherSuite = suite 808 copy(c.clientRandom[:], hs.hello.random) 809 copy(c.serverRandom[:], hs.serverHello.random) 810 811 return nil 812} 813 814func (hs *clientHandshakeState) doTLS13Handshake() error { 815 c := hs.c 816 817 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { 818 return errors.New("tls: session IDs did not match.") 819 } 820 821 // Once the PRF hash is known, TLS 1.3 does not require a handshake 822 // buffer. 823 hs.finishedHash.discardHandshakeBuffer() 824 825 zeroSecret := hs.finishedHash.zeroSecret() 826 827 // Resolve PSK and compute the early secret. 828 // 829 // TODO(davidben): This will need to be handled slightly earlier once 830 // 0-RTT is implemented. 831 if hs.serverHello.hasPSKIdentity { 832 // We send at most one PSK identity. 833 if hs.session == nil || hs.serverHello.pskIdentity != 0 { 834 c.sendAlert(alertUnknownPSKIdentity) 835 return errors.New("tls: server sent unknown PSK identity") 836 } 837 sessionCipher := cipherSuiteFromID(hs.session.cipherSuite) 838 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 839 c.sendAlert(alertHandshakeFailure) 840 return errors.New("tls: server resumed an invalid session for the cipher suite") 841 } 842 hs.finishedHash.addEntropy(hs.session.masterSecret) 843 c.didResume = true 844 } else { 845 hs.finishedHash.addEntropy(zeroSecret) 846 } 847 848 if !hs.serverHello.hasKeyShare { 849 c.sendAlert(alertUnsupportedExtension) 850 return errors.New("tls: server omitted KeyShare on resumption.") 851 } 852 853 // Resolve ECDHE and compute the handshake secret. 854 if !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare { 855 curve, ok := hs.keyShares[hs.serverHello.keyShare.group] 856 if !ok { 857 c.sendAlert(alertHandshakeFailure) 858 return errors.New("tls: server selected an unsupported group") 859 } 860 c.curveID = hs.serverHello.keyShare.group 861 862 ecdheSecret, err := curve.finish(hs.serverHello.keyShare.keyExchange) 863 if err != nil { 864 return err 865 } 866 hs.finishedHash.nextSecret() 867 hs.finishedHash.addEntropy(ecdheSecret) 868 } else { 869 hs.finishedHash.nextSecret() 870 hs.finishedHash.addEntropy(zeroSecret) 871 } 872 873 // Derive handshake traffic keys and switch read key to handshake 874 // traffic key. 875 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 876 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 877 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, serverHandshakeTrafficSecret); err != nil { 878 return err 879 } 880 881 msg, err := c.readHandshake() 882 if err != nil { 883 return err 884 } 885 886 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 887 if !ok { 888 c.sendAlert(alertUnexpectedMessage) 889 return unexpectedMessageError(encryptedExtensions, msg) 890 } 891 hs.writeServerHash(encryptedExtensions.marshal()) 892 893 err = hs.processServerExtensions(&encryptedExtensions.extensions) 894 if err != nil { 895 return err 896 } 897 898 var chainToSend *Certificate 899 var certReq *certificateRequestMsg 900 if c.didResume { 901 // Copy over authentication from the session. 902 c.peerCertificates = hs.session.serverCertificates 903 c.sctList = hs.session.sctList 904 c.ocspResponse = hs.session.ocspResponse 905 } else { 906 msg, err := c.readHandshake() 907 if err != nil { 908 return err 909 } 910 911 var ok bool 912 certReq, ok = msg.(*certificateRequestMsg) 913 if ok { 914 if len(certReq.requestContext) != 0 { 915 return errors.New("tls: non-empty certificate request context sent in handshake") 916 } 917 918 if c.config.Bugs.ExpectNoCertificateAuthoritiesExtension && certReq.hasCAExtension { 919 return errors.New("tls: expected no certificate_authorities extension") 920 } 921 922 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 923 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 924 } 925 926 hs.writeServerHash(certReq.marshal()) 927 928 chainToSend, err = selectClientCertificate(c, certReq) 929 if err != nil { 930 return err 931 } 932 933 msg, err = c.readHandshake() 934 if err != nil { 935 return err 936 } 937 } 938 939 var certMsg *certificateMsg 940 941 if compressedCertMsg, ok := msg.(*compressedCertificateMsg); ok { 942 hs.writeServerHash(compressedCertMsg.marshal()) 943 944 alg, ok := c.config.CertCompressionAlgs[compressedCertMsg.algID] 945 if !ok { 946 c.sendAlert(alertBadCertificate) 947 return fmt.Errorf("tls: received certificate compressed with unknown algorithm %x", compressedCertMsg.algID) 948 } 949 950 decompressed := make([]byte, 4+int(compressedCertMsg.uncompressedLength)) 951 if !alg.Decompress(decompressed[4:], compressedCertMsg.compressed) { 952 c.sendAlert(alertBadCertificate) 953 return fmt.Errorf("tls: failed to decompress certificate with algorithm %x", compressedCertMsg.algID) 954 } 955 956 certMsg = &certificateMsg{ 957 hasRequestContext: true, 958 } 959 960 if !certMsg.unmarshal(decompressed) { 961 c.sendAlert(alertBadCertificate) 962 return errors.New("tls: failed to parse decompressed certificate") 963 } 964 965 if expected := c.config.Bugs.ExpectedCompressedCert; expected != 0 && expected != compressedCertMsg.algID { 966 return fmt.Errorf("tls: expected certificate compressed with algorithm %x, but message used %x", expected, compressedCertMsg.algID) 967 } 968 } else { 969 if certMsg, ok = msg.(*certificateMsg); !ok { 970 c.sendAlert(alertUnexpectedMessage) 971 return unexpectedMessageError(certMsg, msg) 972 } 973 hs.writeServerHash(certMsg.marshal()) 974 975 if c.config.Bugs.ExpectedCompressedCert != 0 { 976 return errors.New("tls: uncompressed certificate received") 977 } 978 } 979 980 // Check for unsolicited extensions. 981 for i, cert := range certMsg.certificates { 982 if c.config.Bugs.NoOCSPStapling && cert.ocspResponse != nil { 983 c.sendAlert(alertUnsupportedExtension) 984 return errors.New("tls: unexpected OCSP response in the server certificate") 985 } 986 if c.config.Bugs.NoSignedCertificateTimestamps && cert.sctList != nil { 987 c.sendAlert(alertUnsupportedExtension) 988 return errors.New("tls: unexpected SCT list in the server certificate") 989 } 990 if i > 0 && c.config.Bugs.ExpectNoExtensionsOnIntermediate && (cert.ocspResponse != nil || cert.sctList != nil) { 991 c.sendAlert(alertUnsupportedExtension) 992 return errors.New("tls: unexpected extensions in the server certificate") 993 } 994 } 995 996 if err := hs.verifyCertificates(certMsg); err != nil { 997 return err 998 } 999 c.ocspResponse = certMsg.certificates[0].ocspResponse 1000 c.sctList = certMsg.certificates[0].sctList 1001 1002 msg, err = c.readHandshake() 1003 if err != nil { 1004 return err 1005 } 1006 certVerifyMsg, ok := msg.(*certificateVerifyMsg) 1007 if !ok { 1008 c.sendAlert(alertUnexpectedMessage) 1009 return unexpectedMessageError(certVerifyMsg, msg) 1010 } 1011 1012 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm 1013 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 1014 err = verifyMessage(c.vers, hs.peerPublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature) 1015 if err != nil { 1016 return err 1017 } 1018 1019 hs.writeServerHash(certVerifyMsg.marshal()) 1020 } 1021 1022 msg, err = c.readHandshake() 1023 if err != nil { 1024 return err 1025 } 1026 serverFinished, ok := msg.(*finishedMsg) 1027 if !ok { 1028 c.sendAlert(alertUnexpectedMessage) 1029 return unexpectedMessageError(serverFinished, msg) 1030 } 1031 1032 verify := hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 1033 if len(verify) != len(serverFinished.verifyData) || 1034 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1035 c.sendAlert(alertHandshakeFailure) 1036 return errors.New("tls: server's Finished message was incorrect") 1037 } 1038 1039 hs.writeServerHash(serverFinished.marshal()) 1040 1041 // The various secrets do not incorporate the client's final leg, so 1042 // derive them now before updating the handshake context. 1043 hs.finishedHash.nextSecret() 1044 hs.finishedHash.addEntropy(zeroSecret) 1045 1046 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 1047 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 1048 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 1049 1050 // Switch to application data keys on read. In particular, any alerts 1051 // from the client certificate are read over these keys. 1052 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, serverTrafficSecret); err != nil { 1053 return err 1054 } 1055 1056 // If we're expecting 0.5-RTT messages from the server, read them now. 1057 var deferredTickets []*newSessionTicketMsg 1058 if encryptedExtensions.extensions.hasEarlyData { 1059 // BoringSSL will always send two tickets half-RTT when 1060 // negotiating 0-RTT. 1061 for i := 0; i < shimConfig.HalfRTTTickets; i++ { 1062 msg, err := c.readHandshake() 1063 if err != nil { 1064 return fmt.Errorf("tls: error reading half-RTT ticket: %s", err) 1065 } 1066 newSessionTicket, ok := msg.(*newSessionTicketMsg) 1067 if !ok { 1068 return errors.New("tls: expected half-RTT ticket") 1069 } 1070 // Defer processing until the resumption secret is computed. 1071 deferredTickets = append(deferredTickets, newSessionTicket) 1072 } 1073 for _, expectedMsg := range c.config.Bugs.ExpectHalfRTTData { 1074 if err := c.readRecord(recordTypeApplicationData); err != nil { 1075 return err 1076 } 1077 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 1078 return errors.New("ExpectHalfRTTData: did not get expected message") 1079 } 1080 c.in.freeBlock(c.input) 1081 c.input = nil 1082 } 1083 } 1084 1085 // Send EndOfEarlyData and then switch write key to handshake 1086 // traffic key. 1087 if encryptedExtensions.extensions.hasEarlyData && c.out.cipher != nil && !c.config.Bugs.SkipEndOfEarlyData { 1088 if c.config.Bugs.SendStrayEarlyHandshake { 1089 helloRequest := new(helloRequestMsg) 1090 c.writeRecord(recordTypeHandshake, helloRequest.marshal()) 1091 } 1092 endOfEarlyData := new(endOfEarlyDataMsg) 1093 endOfEarlyData.nonEmpty = c.config.Bugs.NonEmptyEndOfEarlyData 1094 if c.config.Bugs.PartialEndOfEarlyDataWithClientHello { 1095 // The first byte has already been sent. 1096 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()[1:]) 1097 } else { 1098 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()) 1099 } 1100 hs.writeClientHash(endOfEarlyData.marshal()) 1101 } 1102 1103 if !c.config.Bugs.SkipChangeCipherSpec && !hs.hello.hasEarlyData { 1104 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1105 } 1106 1107 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 1108 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1109 } 1110 1111 c.useOutTrafficSecret(c.wireVersion, hs.suite, clientHandshakeTrafficSecret) 1112 1113 if certReq != nil && !c.config.Bugs.SkipClientCertificate { 1114 certMsg := &certificateMsg{ 1115 hasRequestContext: true, 1116 requestContext: certReq.requestContext, 1117 } 1118 if chainToSend != nil { 1119 for _, certData := range chainToSend.Certificate { 1120 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1121 data: certData, 1122 extraExtension: c.config.Bugs.SendExtensionOnCertificate, 1123 }) 1124 } 1125 } 1126 hs.writeClientHash(certMsg.marshal()) 1127 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1128 1129 if chainToSend != nil { 1130 certVerify := &certificateVerifyMsg{ 1131 hasSignatureAlgorithm: true, 1132 } 1133 1134 // Determine the hash to sign. 1135 privKey := chainToSend.PrivateKey 1136 1137 var err error 1138 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1139 if err != nil { 1140 c.sendAlert(alertInternalError) 1141 return err 1142 } 1143 1144 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1145 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 1146 if err != nil { 1147 c.sendAlert(alertInternalError) 1148 return err 1149 } 1150 if c.config.Bugs.SendSignatureAlgorithm != 0 { 1151 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1152 } 1153 1154 if !c.config.Bugs.SkipCertificateVerify { 1155 hs.writeClientHash(certVerify.marshal()) 1156 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1157 } 1158 } 1159 } 1160 1161 if encryptedExtensions.extensions.channelIDRequested { 1162 channelIDHash := crypto.SHA256.New() 1163 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1164 channelIDMsgBytes, err := hs.writeChannelIDMessage(channelIDHash.Sum(nil)) 1165 if err != nil { 1166 return err 1167 } 1168 hs.writeClientHash(channelIDMsgBytes) 1169 c.writeRecord(recordTypeHandshake, channelIDMsgBytes) 1170 } 1171 1172 // Send a client Finished message. 1173 finished := new(finishedMsg) 1174 finished.verifyData = hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1175 if c.config.Bugs.BadFinished { 1176 finished.verifyData[0]++ 1177 } 1178 hs.writeClientHash(finished.marshal()) 1179 if c.config.Bugs.PartialClientFinishedWithClientHello { 1180 // The first byte has already been sent. 1181 c.writeRecord(recordTypeHandshake, finished.marshal()[1:]) 1182 } else if c.config.Bugs.InterleaveEarlyData { 1183 finishedBytes := finished.marshal() 1184 c.sendFakeEarlyData(4) 1185 c.writeRecord(recordTypeHandshake, finishedBytes[:1]) 1186 c.sendFakeEarlyData(4) 1187 c.writeRecord(recordTypeHandshake, finishedBytes[1:]) 1188 } else { 1189 c.writeRecord(recordTypeHandshake, finished.marshal()) 1190 } 1191 if c.config.Bugs.SendExtraFinished { 1192 c.writeRecord(recordTypeHandshake, finished.marshal()) 1193 } 1194 c.flushHandshake() 1195 1196 // Switch to application data keys. 1197 c.useOutTrafficSecret(c.wireVersion, hs.suite, clientTrafficSecret) 1198 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1199 for _, ticket := range deferredTickets { 1200 if err := c.processTLS13NewSessionTicket(ticket, hs.suite); err != nil { 1201 return err 1202 } 1203 } 1204 1205 return nil 1206} 1207 1208func (hs *clientHandshakeState) doFullHandshake() error { 1209 c := hs.c 1210 1211 var leaf *x509.Certificate 1212 if hs.suite.flags&suitePSK == 0 { 1213 msg, err := c.readHandshake() 1214 if err != nil { 1215 return err 1216 } 1217 1218 certMsg, ok := msg.(*certificateMsg) 1219 if !ok { 1220 c.sendAlert(alertUnexpectedMessage) 1221 return unexpectedMessageError(certMsg, msg) 1222 } 1223 hs.writeServerHash(certMsg.marshal()) 1224 1225 if err := hs.verifyCertificates(certMsg); err != nil { 1226 return err 1227 } 1228 leaf = c.peerCertificates[0] 1229 } 1230 1231 if hs.serverHello.extensions.ocspStapling { 1232 msg, err := c.readHandshake() 1233 if err != nil { 1234 return err 1235 } 1236 cs, ok := msg.(*certificateStatusMsg) 1237 if !ok { 1238 c.sendAlert(alertUnexpectedMessage) 1239 return unexpectedMessageError(cs, msg) 1240 } 1241 hs.writeServerHash(cs.marshal()) 1242 1243 if cs.statusType == statusTypeOCSP { 1244 c.ocspResponse = cs.response 1245 } 1246 } 1247 1248 msg, err := c.readHandshake() 1249 if err != nil { 1250 return err 1251 } 1252 1253 keyAgreement := hs.suite.ka(c.vers) 1254 1255 skx, ok := msg.(*serverKeyExchangeMsg) 1256 if ok { 1257 hs.writeServerHash(skx.marshal()) 1258 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, hs.peerPublicKey, skx) 1259 if err != nil { 1260 c.sendAlert(alertUnexpectedMessage) 1261 return err 1262 } 1263 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1264 c.curveID = ecdhe.curveID 1265 } 1266 1267 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm() 1268 1269 msg, err = c.readHandshake() 1270 if err != nil { 1271 return err 1272 } 1273 } 1274 1275 var chainToSend *Certificate 1276 var certRequested bool 1277 certReq, ok := msg.(*certificateRequestMsg) 1278 if ok { 1279 certRequested = true 1280 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 1281 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 1282 } 1283 1284 hs.writeServerHash(certReq.marshal()) 1285 1286 chainToSend, err = selectClientCertificate(c, certReq) 1287 if err != nil { 1288 return err 1289 } 1290 1291 msg, err = c.readHandshake() 1292 if err != nil { 1293 return err 1294 } 1295 } 1296 1297 shd, ok := msg.(*serverHelloDoneMsg) 1298 if !ok { 1299 c.sendAlert(alertUnexpectedMessage) 1300 return unexpectedMessageError(shd, msg) 1301 } 1302 hs.writeServerHash(shd.marshal()) 1303 1304 // If the server requested a certificate then we have to send a 1305 // Certificate message in TLS, even if it's empty because we don't have 1306 // a certificate to send. In SSL 3.0, skip the message and send a 1307 // no_certificate warning alert. 1308 if certRequested { 1309 if c.vers == VersionSSL30 && chainToSend == nil { 1310 c.sendAlert(alertNoCertificate) 1311 } else if !c.config.Bugs.SkipClientCertificate { 1312 certMsg := new(certificateMsg) 1313 if chainToSend != nil { 1314 for _, certData := range chainToSend.Certificate { 1315 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1316 data: certData, 1317 }) 1318 } 1319 } 1320 hs.writeClientHash(certMsg.marshal()) 1321 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1322 } 1323 } 1324 1325 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf) 1326 if err != nil { 1327 c.sendAlert(alertInternalError) 1328 return err 1329 } 1330 if ckx != nil { 1331 if c.config.Bugs.EarlyChangeCipherSpec < 2 { 1332 hs.writeClientHash(ckx.marshal()) 1333 } 1334 if c.config.Bugs.PartialClientKeyExchangeWithClientHello { 1335 // The first byte was already written. 1336 c.writeRecord(recordTypeHandshake, ckx.marshal()[1:]) 1337 } else { 1338 c.writeRecord(recordTypeHandshake, ckx.marshal()) 1339 } 1340 } 1341 1342 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 { 1343 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 1344 c.extendedMasterSecret = true 1345 } else { 1346 if c.config.Bugs.RequireExtendedMasterSecret { 1347 return errors.New("tls: extended master secret required but not supported by peer") 1348 } 1349 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) 1350 } 1351 1352 if chainToSend != nil { 1353 certVerify := &certificateVerifyMsg{ 1354 hasSignatureAlgorithm: c.vers >= VersionTLS12, 1355 } 1356 1357 // Determine the hash to sign. 1358 privKey := c.config.Certificates[0].PrivateKey 1359 1360 if certVerify.hasSignatureAlgorithm { 1361 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1362 if err != nil { 1363 c.sendAlert(alertInternalError) 1364 return err 1365 } 1366 } 1367 1368 if c.vers > VersionSSL30 { 1369 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer) 1370 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 { 1371 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1372 } 1373 } else { 1374 // SSL 3.0's client certificate construction is 1375 // incompatible with signatureAlgorithm. 1376 rsaKey, ok := privKey.(*rsa.PrivateKey) 1377 if !ok { 1378 err = errors.New("unsupported signature type for client certificate") 1379 } else { 1380 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret) 1381 if c.config.Bugs.InvalidSignature { 1382 digest[0] ^= 0x80 1383 } 1384 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest) 1385 } 1386 } 1387 if err != nil { 1388 c.sendAlert(alertInternalError) 1389 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error()) 1390 } 1391 1392 if !c.config.Bugs.SkipCertificateVerify { 1393 hs.writeClientHash(certVerify.marshal()) 1394 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1395 } 1396 } 1397 // flushHandshake will be called in sendFinished. 1398 1399 hs.finishedHash.discardHandshakeBuffer() 1400 1401 return nil 1402} 1403 1404// delegatedCredentialSignedMessage returns the bytes that are signed in order 1405// to authenticate a delegated credential. 1406func delegatedCredentialSignedMessage(credBytes []byte, algorithm signatureAlgorithm, leafDER []byte) []byte { 1407 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1408 ret := make([]byte, 64, 128) 1409 for i := range ret { 1410 ret[i] = 0x20 1411 } 1412 1413 ret = append(ret, []byte("TLS, server delegated credentials\x00")...) 1414 ret = append(ret, leafDER...) 1415 ret = append(ret, byte(algorithm>>8), byte(algorithm)) 1416 ret = append(ret, credBytes...) 1417 1418 return ret 1419} 1420 1421func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error { 1422 c := hs.c 1423 1424 if len(certMsg.certificates) == 0 { 1425 c.sendAlert(alertIllegalParameter) 1426 return errors.New("tls: no certificates sent") 1427 } 1428 1429 var dc *delegatedCredential 1430 certs := make([]*x509.Certificate, len(certMsg.certificates)) 1431 for i, certEntry := range certMsg.certificates { 1432 cert, err := x509.ParseCertificate(certEntry.data) 1433 if err != nil { 1434 c.sendAlert(alertBadCertificate) 1435 return errors.New("tls: failed to parse certificate from server: " + err.Error()) 1436 } 1437 certs[i] = cert 1438 1439 if certEntry.delegatedCredential != nil { 1440 if c.config.Bugs.FailIfDelegatedCredentials { 1441 c.sendAlert(alertIllegalParameter) 1442 return errors.New("tls: unexpected delegated credential") 1443 } 1444 if i != 0 { 1445 c.sendAlert(alertIllegalParameter) 1446 return errors.New("tls: non-leaf certificate has a delegated credential") 1447 } 1448 if c.config.Bugs.DisableDelegatedCredentials { 1449 c.sendAlert(alertIllegalParameter) 1450 return errors.New("tls: server sent delegated credential without it being requested") 1451 } 1452 dc = certEntry.delegatedCredential 1453 } 1454 } 1455 1456 if !c.config.InsecureSkipVerify { 1457 opts := x509.VerifyOptions{ 1458 Roots: c.config.RootCAs, 1459 CurrentTime: c.config.time(), 1460 DNSName: c.config.ServerName, 1461 Intermediates: x509.NewCertPool(), 1462 } 1463 1464 for i, cert := range certs { 1465 if i == 0 { 1466 continue 1467 } 1468 opts.Intermediates.AddCert(cert) 1469 } 1470 var err error 1471 c.verifiedChains, err = certs[0].Verify(opts) 1472 if err != nil { 1473 c.sendAlert(alertBadCertificate) 1474 return err 1475 } 1476 } 1477 1478 leafPublicKey := certs[0].PublicKey 1479 switch leafPublicKey.(type) { 1480 case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey: 1481 break 1482 default: 1483 c.sendAlert(alertUnsupportedCertificate) 1484 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leafPublicKey) 1485 } 1486 1487 c.peerCertificates = certs 1488 1489 if dc != nil { 1490 // Note that this doesn't check a) the delegated credential temporal 1491 // validity nor b) that the certificate has the special OID asserted. 1492 hs.skxAlgo = dc.expectedCertVerifyAlgo 1493 1494 var err error 1495 if hs.peerPublicKey, err = x509.ParsePKIXPublicKey(dc.pkixPublicKey); err != nil { 1496 c.sendAlert(alertBadCertificate) 1497 return errors.New("tls: failed to parse public key from delegated credential: " + err.Error()) 1498 } 1499 1500 verifier, err := getSigner(c.vers, hs.peerPublicKey, c.config, dc.algorithm, true) 1501 if err != nil { 1502 c.sendAlert(alertBadCertificate) 1503 return errors.New("tls: failed to get verifier for delegated credential: " + err.Error()) 1504 } 1505 1506 if err := verifier.verifyMessage(leafPublicKey, delegatedCredentialSignedMessage(dc.signedBytes, dc.algorithm, certs[0].Raw), dc.signature); err != nil { 1507 c.sendAlert(alertBadCertificate) 1508 return errors.New("tls: failed to verify delegated credential: " + err.Error()) 1509 } 1510 } else if c.config.Bugs.ExpectDelegatedCredentials { 1511 c.sendAlert(alertInternalError) 1512 return errors.New("tls: delegated credentials missing") 1513 } else { 1514 hs.peerPublicKey = leafPublicKey 1515 } 1516 1517 return nil 1518} 1519 1520func (hs *clientHandshakeState) establishKeys() error { 1521 c := hs.c 1522 1523 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 1524 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 1525 var clientCipher, serverCipher interface{} 1526 var clientHash, serverHash macFunction 1527 if hs.suite.cipher != nil { 1528 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) 1529 clientHash = hs.suite.mac(c.vers, clientMAC) 1530 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) 1531 serverHash = hs.suite.mac(c.vers, serverMAC) 1532 } else { 1533 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 1534 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 1535 } 1536 1537 c.in.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 1538 c.out.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 1539 return nil 1540} 1541 1542func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error { 1543 c := hs.c 1544 1545 if c.vers < VersionTLS13 { 1546 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil { 1547 return errors.New("tls: renegotiation extension missing") 1548 } 1549 1550 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() { 1551 var expectedRenegInfo []byte 1552 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...) 1553 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...) 1554 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) { 1555 c.sendAlert(alertHandshakeFailure) 1556 return fmt.Errorf("tls: renegotiation mismatch") 1557 } 1558 } 1559 } else if serverExtensions.secureRenegotiation != nil { 1560 return errors.New("tls: renegotiation info sent in TLS 1.3") 1561 } 1562 1563 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1564 if serverExtensions.customExtension != *expected { 1565 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension) 1566 } 1567 } 1568 1569 clientDidNPN := hs.hello.nextProtoNeg 1570 clientDidALPN := len(hs.hello.alpnProtocols) > 0 1571 serverHasNPN := serverExtensions.nextProtoNeg 1572 serverHasALPN := len(serverExtensions.alpnProtocol) > 0 1573 1574 if !clientDidNPN && serverHasNPN { 1575 c.sendAlert(alertHandshakeFailure) 1576 return errors.New("server advertised unrequested NPN extension") 1577 } 1578 1579 if !clientDidALPN && serverHasALPN { 1580 c.sendAlert(alertHandshakeFailure) 1581 return errors.New("server advertised unrequested ALPN extension") 1582 } 1583 1584 if serverHasNPN && serverHasALPN { 1585 c.sendAlert(alertHandshakeFailure) 1586 return errors.New("server advertised both NPN and ALPN extensions") 1587 } 1588 1589 if serverHasALPN { 1590 c.clientProtocol = serverExtensions.alpnProtocol 1591 c.clientProtocolFallback = false 1592 c.usedALPN = true 1593 } 1594 1595 if serverHasNPN && c.vers >= VersionTLS13 { 1596 c.sendAlert(alertHandshakeFailure) 1597 return errors.New("server advertised NPN over TLS 1.3") 1598 } 1599 1600 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested { 1601 c.sendAlert(alertHandshakeFailure) 1602 return errors.New("server advertised unrequested Channel ID extension") 1603 } 1604 1605 if len(serverExtensions.tokenBindingParams) == 1 { 1606 found := false 1607 for _, p := range c.config.TokenBindingParams { 1608 if p == serverExtensions.tokenBindingParams[0] { 1609 c.tokenBindingParam = p 1610 found = true 1611 break 1612 } 1613 } 1614 if !found { 1615 return errors.New("tls: server advertised unsupported Token Binding key param") 1616 } 1617 if serverExtensions.tokenBindingVersion > c.config.TokenBindingVersion { 1618 return errors.New("tls: server's Token Binding version is too new") 1619 } 1620 if c.vers < VersionTLS13 { 1621 if !serverExtensions.extendedMasterSecret || serverExtensions.secureRenegotiation == nil { 1622 return errors.New("server sent Token Binding without EMS or RI") 1623 } 1624 } 1625 c.tokenBindingNegotiated = true 1626 } 1627 1628 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 { 1629 return errors.New("tls: server advertised extended master secret over TLS 1.3") 1630 } 1631 1632 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 { 1633 return errors.New("tls: server advertised ticket extension over TLS 1.3") 1634 } 1635 1636 if serverExtensions.ocspStapling && c.vers >= VersionTLS13 { 1637 return errors.New("tls: server advertised OCSP in ServerHello over TLS 1.3") 1638 } 1639 1640 if serverExtensions.ocspStapling && c.config.Bugs.NoOCSPStapling { 1641 return errors.New("tls: server advertised unrequested OCSP extension") 1642 } 1643 1644 if len(serverExtensions.sctList) > 0 && c.vers >= VersionTLS13 { 1645 return errors.New("tls: server advertised SCTs in ServerHello over TLS 1.3") 1646 } 1647 1648 if len(serverExtensions.sctList) > 0 && c.config.Bugs.NoSignedCertificateTimestamps { 1649 return errors.New("tls: server advertised unrequested SCTs") 1650 } 1651 1652 if serverExtensions.srtpProtectionProfile != 0 { 1653 if serverExtensions.srtpMasterKeyIdentifier != "" { 1654 return errors.New("tls: server selected SRTP MKI value") 1655 } 1656 1657 found := false 1658 for _, p := range c.config.SRTPProtectionProfiles { 1659 if p == serverExtensions.srtpProtectionProfile { 1660 found = true 1661 break 1662 } 1663 } 1664 if !found { 1665 return errors.New("tls: server advertised unsupported SRTP profile") 1666 } 1667 1668 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile 1669 } 1670 1671 if c.vers >= VersionTLS13 && c.didResume { 1672 if c.config.Bugs.ExpectEarlyDataAccepted && !serverExtensions.hasEarlyData { 1673 c.sendAlert(alertHandshakeFailure) 1674 return errors.New("tls: server did not accept early data when expected") 1675 } 1676 1677 if !c.config.Bugs.ExpectEarlyDataAccepted && serverExtensions.hasEarlyData { 1678 c.sendAlert(alertHandshakeFailure) 1679 return errors.New("tls: server accepted early data when not expected") 1680 } 1681 } 1682 1683 if len(serverExtensions.quicTransportParams) > 0 { 1684 if c.vers < VersionTLS13 { 1685 c.sendAlert(alertHandshakeFailure) 1686 return errors.New("tls: server sent QUIC transport params for TLS version less than 1.3") 1687 } 1688 c.quicTransportParams = serverExtensions.quicTransportParams 1689 } 1690 1691 return nil 1692} 1693 1694func (hs *clientHandshakeState) serverResumedSession() bool { 1695 // If the server responded with the same sessionId then it means the 1696 // sessionTicket is being used to resume a TLS session. 1697 // 1698 // Note that, if hs.hello.sessionId is a non-nil empty array, this will 1699 // accept an empty session ID from the server as resumption. See 1700 // EmptyTicketSessionID. 1701 return hs.session != nil && hs.hello.sessionId != nil && 1702 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId) 1703} 1704 1705func (hs *clientHandshakeState) processServerHello() (bool, error) { 1706 c := hs.c 1707 1708 if hs.serverResumedSession() { 1709 // For test purposes, assert that the server never accepts the 1710 // resumption offer on renegotiation. 1711 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego { 1712 return false, errors.New("tls: server resumed session on renegotiation") 1713 } 1714 1715 if hs.serverHello.extensions.sctList != nil { 1716 return false, errors.New("tls: server sent SCT extension on session resumption") 1717 } 1718 1719 if hs.serverHello.extensions.ocspStapling { 1720 return false, errors.New("tls: server sent OCSP extension on session resumption") 1721 } 1722 1723 // Restore masterSecret and peerCerts from previous state 1724 hs.masterSecret = hs.session.masterSecret 1725 c.peerCertificates = hs.session.serverCertificates 1726 c.extendedMasterSecret = hs.session.extendedMasterSecret 1727 c.sctList = hs.session.sctList 1728 c.ocspResponse = hs.session.ocspResponse 1729 hs.finishedHash.discardHandshakeBuffer() 1730 return true, nil 1731 } 1732 1733 if hs.serverHello.extensions.sctList != nil { 1734 c.sctList = hs.serverHello.extensions.sctList 1735 } 1736 1737 return false, nil 1738} 1739 1740func (hs *clientHandshakeState) readFinished(out []byte) error { 1741 c := hs.c 1742 1743 c.readRecord(recordTypeChangeCipherSpec) 1744 if err := c.in.error(); err != nil { 1745 return err 1746 } 1747 1748 msg, err := c.readHandshake() 1749 if err != nil { 1750 return err 1751 } 1752 serverFinished, ok := msg.(*finishedMsg) 1753 if !ok { 1754 c.sendAlert(alertUnexpectedMessage) 1755 return unexpectedMessageError(serverFinished, msg) 1756 } 1757 1758 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 1759 verify := hs.finishedHash.serverSum(hs.masterSecret) 1760 if len(verify) != len(serverFinished.verifyData) || 1761 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1762 c.sendAlert(alertHandshakeFailure) 1763 return errors.New("tls: server's Finished message was incorrect") 1764 } 1765 } 1766 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...) 1767 copy(out, serverFinished.verifyData) 1768 hs.writeServerHash(serverFinished.marshal()) 1769 return nil 1770} 1771 1772func (hs *clientHandshakeState) readSessionTicket() error { 1773 c := hs.c 1774 1775 // Create a session with no server identifier. Either a 1776 // session ID or session ticket will be attached. 1777 session := &ClientSessionState{ 1778 vers: c.vers, 1779 wireVersion: c.wireVersion, 1780 cipherSuite: hs.suite.id, 1781 masterSecret: hs.masterSecret, 1782 handshakeHash: hs.finishedHash.Sum(), 1783 serverCertificates: c.peerCertificates, 1784 sctList: c.sctList, 1785 ocspResponse: c.ocspResponse, 1786 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)), 1787 } 1788 1789 if !hs.serverHello.extensions.ticketSupported { 1790 if c.config.Bugs.ExpectNewTicket { 1791 return errors.New("tls: expected new ticket") 1792 } 1793 if hs.session == nil && len(hs.serverHello.sessionId) > 0 { 1794 session.sessionId = hs.serverHello.sessionId 1795 hs.session = session 1796 } 1797 return nil 1798 } 1799 1800 if c.vers == VersionSSL30 { 1801 return errors.New("tls: negotiated session tickets in SSL 3.0") 1802 } 1803 if c.config.Bugs.ExpectNoNewSessionTicket { 1804 return errors.New("tls: received unexpected NewSessionTicket") 1805 } 1806 1807 msg, err := c.readHandshake() 1808 if err != nil { 1809 return err 1810 } 1811 sessionTicketMsg, ok := msg.(*newSessionTicketMsg) 1812 if !ok { 1813 c.sendAlert(alertUnexpectedMessage) 1814 return unexpectedMessageError(sessionTicketMsg, msg) 1815 } 1816 1817 session.sessionTicket = sessionTicketMsg.ticket 1818 hs.session = session 1819 1820 hs.writeServerHash(sessionTicketMsg.marshal()) 1821 1822 return nil 1823} 1824 1825func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error { 1826 c := hs.c 1827 1828 var postCCSMsgs [][]byte 1829 seqno := hs.c.sendHandshakeSeq 1830 if hs.serverHello.extensions.nextProtoNeg { 1831 nextProto := new(nextProtoMsg) 1832 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos) 1833 nextProto.proto = proto 1834 c.clientProtocol = proto 1835 c.clientProtocolFallback = fallback 1836 1837 nextProtoBytes := nextProto.marshal() 1838 hs.writeHash(nextProtoBytes, seqno) 1839 seqno++ 1840 postCCSMsgs = append(postCCSMsgs, nextProtoBytes) 1841 } 1842 1843 if hs.serverHello.extensions.channelIDRequested { 1844 var resumeHash []byte 1845 if isResume { 1846 resumeHash = hs.session.handshakeHash 1847 } 1848 channelIDMsgBytes, err := hs.writeChannelIDMessage(hs.finishedHash.hashForChannelID(resumeHash)) 1849 if err != nil { 1850 return err 1851 } 1852 hs.writeHash(channelIDMsgBytes, seqno) 1853 seqno++ 1854 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes) 1855 } 1856 1857 finished := new(finishedMsg) 1858 if c.config.Bugs.EarlyChangeCipherSpec == 2 { 1859 finished.verifyData = hs.finishedHash.clientSum(nil) 1860 } else { 1861 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) 1862 } 1863 copy(out, finished.verifyData) 1864 if c.config.Bugs.BadFinished { 1865 finished.verifyData[0]++ 1866 } 1867 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...) 1868 hs.finishedBytes = finished.marshal() 1869 hs.writeHash(hs.finishedBytes, seqno) 1870 if c.config.Bugs.PartialClientFinishedWithClientHello { 1871 // The first byte has already been written. 1872 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes[1:]) 1873 } else { 1874 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes) 1875 } 1876 1877 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 1878 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5]) 1879 postCCSMsgs[0] = postCCSMsgs[0][5:] 1880 } else if c.config.Bugs.SendUnencryptedFinished { 1881 c.writeRecord(recordTypeHandshake, postCCSMsgs[0]) 1882 postCCSMsgs = postCCSMsgs[1:] 1883 } 1884 1885 if !c.config.Bugs.SkipChangeCipherSpec && 1886 c.config.Bugs.EarlyChangeCipherSpec == 0 { 1887 ccs := []byte{1} 1888 if c.config.Bugs.BadChangeCipherSpec != nil { 1889 ccs = c.config.Bugs.BadChangeCipherSpec 1890 } 1891 c.writeRecord(recordTypeChangeCipherSpec, ccs) 1892 } 1893 1894 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 1895 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 1896 } 1897 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 1898 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 1899 return errors.New("tls: simulating post-CCS alert") 1900 } 1901 1902 if !c.config.Bugs.SkipFinished { 1903 for _, msg := range postCCSMsgs { 1904 c.writeRecord(recordTypeHandshake, msg) 1905 } 1906 1907 if c.config.Bugs.SendExtraFinished { 1908 c.writeRecord(recordTypeHandshake, finished.marshal()) 1909 } 1910 } 1911 1912 if !isResume || !c.config.Bugs.PackAppDataWithHandshake { 1913 c.flushHandshake() 1914 } 1915 return nil 1916} 1917 1918func (hs *clientHandshakeState) writeChannelIDMessage(channelIDHash []byte) ([]byte, error) { 1919 c := hs.c 1920 channelIDMsg := new(channelIDMsg) 1921 if c.config.ChannelID.Curve != elliptic.P256() { 1922 return nil, fmt.Errorf("tls: Channel ID is not on P-256.") 1923 } 1924 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, channelIDHash) 1925 if err != nil { 1926 return nil, err 1927 } 1928 channelID := make([]byte, 128) 1929 writeIntPadded(channelID[0:32], c.config.ChannelID.X) 1930 writeIntPadded(channelID[32:64], c.config.ChannelID.Y) 1931 writeIntPadded(channelID[64:96], r) 1932 writeIntPadded(channelID[96:128], s) 1933 if c.config.Bugs.InvalidChannelIDSignature { 1934 channelID[64] ^= 1 1935 } 1936 channelIDMsg.channelID = channelID 1937 1938 c.channelID = &c.config.ChannelID.PublicKey 1939 1940 return channelIDMsg.marshal(), nil 1941} 1942 1943func (hs *clientHandshakeState) writeClientHash(msg []byte) { 1944 // writeClientHash is called before writeRecord. 1945 hs.writeHash(msg, hs.c.sendHandshakeSeq) 1946} 1947 1948func (hs *clientHandshakeState) writeServerHash(msg []byte) { 1949 // writeServerHash is called after readHandshake. 1950 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 1951} 1952 1953func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) { 1954 if hs.c.isDTLS { 1955 // This is somewhat hacky. DTLS hashes a slightly different format. 1956 // First, the TLS header. 1957 hs.finishedHash.Write(msg[:4]) 1958 // Then the sequence number and reassembled fragment offset (always 0). 1959 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 1960 // Then the reassembled fragment (always equal to the message length). 1961 hs.finishedHash.Write(msg[1:4]) 1962 // And then the message body. 1963 hs.finishedHash.Write(msg[4:]) 1964 } else { 1965 hs.finishedHash.Write(msg) 1966 } 1967} 1968 1969// selectClientCertificate selects a certificate for use with the given 1970// certificate, or none if none match. It may return a particular certificate or 1971// nil on success, or an error on internal error. 1972func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) { 1973 if len(c.config.Certificates) == 0 { 1974 return nil, nil 1975 } 1976 1977 // The test is assumed to have configured the certificate it meant to 1978 // send. 1979 if len(c.config.Certificates) > 1 { 1980 return nil, errors.New("tls: multiple certificates configured") 1981 } 1982 1983 return &c.config.Certificates[0], nil 1984} 1985 1986// clientSessionCacheKey returns a key used to cache sessionTickets that could 1987// be used to resume previously negotiated TLS sessions with a server. 1988func clientSessionCacheKey(serverAddr net.Addr, config *Config) string { 1989 if len(config.ServerName) > 0 { 1990 return config.ServerName 1991 } 1992 return serverAddr.String() 1993} 1994 1995// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol 1996// given list of possible protocols and a list of the preference order. The 1997// first list must not be empty. It returns the resulting protocol and flag 1998// indicating if the fallback case was reached. 1999func mutualProtocol(protos, preferenceProtos []string) (string, bool) { 2000 for _, s := range preferenceProtos { 2001 for _, c := range protos { 2002 if s == c { 2003 return s, false 2004 } 2005 } 2006 } 2007 2008 return protos[0], true 2009} 2010 2011// writeIntPadded writes x into b, padded up with leading zeros as 2012// needed. 2013func writeIntPadded(b []byte, x *big.Int) { 2014 for i := range b { 2015 b[i] = 0 2016 } 2017 xb := x.Bytes() 2018 copy(b[len(b)-len(xb):], xb) 2019} 2020 2021func generatePSKBinders(version uint16, hello *clientHelloMsg, pskCipherSuite *cipherSuite, psk, firstClientHello, helloRetryRequest []byte, config *Config) { 2022 maybeCorruptBinder := !config.Bugs.OnlyCorruptSecondPSKBinder || len(firstClientHello) > 0 2023 binderLen := pskCipherSuite.hash().Size() 2024 numBinders := 1 2025 if maybeCorruptBinder { 2026 if config.Bugs.SendNoPSKBinder { 2027 // The binders may have been set from the previous 2028 // ClientHello. 2029 hello.pskBinders = nil 2030 return 2031 } 2032 2033 if config.Bugs.SendShortPSKBinder { 2034 binderLen-- 2035 } 2036 2037 if config.Bugs.SendExtraPSKBinder { 2038 numBinders++ 2039 } 2040 } 2041 2042 // Fill hello.pskBinders with appropriate length arrays of zeros so the 2043 // length prefixes are correct when computing the binder over the truncated 2044 // ClientHello message. 2045 hello.pskBinders = make([][]byte, numBinders) 2046 for i := range hello.pskBinders { 2047 hello.pskBinders[i] = make([]byte, binderLen) 2048 } 2049 2050 helloBytes := hello.marshal() 2051 binderSize := len(hello.pskBinders)*(binderLen+1) + 2 2052 truncatedHello := helloBytes[:len(helloBytes)-binderSize] 2053 binder := computePSKBinder(psk, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2054 if maybeCorruptBinder { 2055 if config.Bugs.SendShortPSKBinder { 2056 binder = binder[:binderLen] 2057 } 2058 if config.Bugs.SendInvalidPSKBinder { 2059 binder[0] ^= 1 2060 } 2061 } 2062 2063 for i := range hello.pskBinders { 2064 hello.pskBinders[i] = binder 2065 } 2066 2067 hello.raw = nil 2068} 2069