1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "crypto/subtle" 15 "crypto/x509" 16 "errors" 17 "fmt" 18 "io" 19 "math/big" 20 "net" 21 "time" 22) 23 24type clientHandshakeState struct { 25 c *Conn 26 serverHello *serverHelloMsg 27 hello *clientHelloMsg 28 suite *cipherSuite 29 finishedHash finishedHash 30 keyShares map[CurveID]ecdhCurve 31 masterSecret []byte 32 session *ClientSessionState 33 finishedBytes []byte 34 peerPublicKey crypto.PublicKey 35 skxAlgo signatureAlgorithm 36} 37 38func mapClientHelloVersion(vers uint16, isDTLS bool) uint16 { 39 if !isDTLS { 40 return vers 41 } 42 43 switch vers { 44 case VersionTLS12: 45 return VersionDTLS12 46 case VersionTLS10: 47 return VersionDTLS10 48 } 49 50 panic("Unknown ClientHello version.") 51} 52 53func fixClientHellos(hello *clientHelloMsg, in []byte) ([]byte, error) { 54 ret := append([]byte{}, in...) 55 newHello := new(clientHelloMsg) 56 if !newHello.unmarshal(ret) { 57 return nil, errors.New("tls: invalid ClientHello") 58 } 59 60 hello.random = newHello.random 61 hello.sessionId = newHello.sessionId 62 63 // Replace |ret|'s key shares with those of |hello|. For simplicity, we 64 // require their lengths match, which is satisfied by matching the 65 // DefaultCurves setting to the selection in the replacement 66 // ClientHello. 67 bb := newByteBuilder() 68 hello.marshalKeyShares(bb) 69 keyShares := bb.finish() 70 if len(keyShares) != len(newHello.keySharesRaw) { 71 return nil, errors.New("tls: ClientHello key share length is inconsistent with DefaultCurves setting") 72 } 73 // |newHello.keySharesRaw| aliases |ret|. 74 copy(newHello.keySharesRaw, keyShares) 75 76 return ret, nil 77} 78 79func (c *Conn) clientHandshake() error { 80 if c.config == nil { 81 c.config = defaultConfig() 82 } 83 84 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify { 85 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") 86 } 87 88 c.sendHandshakeSeq = 0 89 c.recvHandshakeSeq = 0 90 91 nextProtosLength := 0 92 for _, proto := range c.config.NextProtos { 93 if l := len(proto); l > 255 { 94 return errors.New("tls: invalid NextProtos value") 95 } else { 96 nextProtosLength += 1 + l 97 } 98 } 99 if nextProtosLength > 0xffff { 100 return errors.New("tls: NextProtos values too large") 101 } 102 103 // Translate the bugs that modify ClientHello extension order into a 104 // list of prefix extensions. The marshal function will try these 105 // extensions before any others, followed by any remaining extensions in 106 // the default order. 107 var prefixExtensions []uint16 108 if c.config.Bugs.PSKBinderFirst && !c.config.Bugs.OnlyCorruptSecondPSKBinder { 109 prefixExtensions = append(prefixExtensions, extensionPreSharedKey) 110 } 111 if c.config.Bugs.SwapNPNAndALPN { 112 prefixExtensions = append(prefixExtensions, extensionALPN) 113 prefixExtensions = append(prefixExtensions, extensionNextProtoNeg) 114 } 115 116 minVersion := c.config.minVersion(c.isDTLS) 117 maxVersion := c.config.maxVersion(c.isDTLS) 118 hello := &clientHelloMsg{ 119 isDTLS: c.isDTLS, 120 compressionMethods: []uint8{compressionNone}, 121 random: make([]byte, 32), 122 ocspStapling: !c.config.Bugs.NoOCSPStapling, 123 sctListSupported: !c.config.Bugs.NoSignedCertificateTimestamps, 124 serverName: c.config.ServerName, 125 supportedCurves: c.config.curvePreferences(), 126 supportedPoints: []uint8{pointFormatUncompressed}, 127 nextProtoNeg: len(c.config.NextProtos) > 0, 128 secureRenegotiation: []byte{}, 129 alpnProtocols: c.config.NextProtos, 130 quicTransportParams: c.config.QUICTransportParams, 131 duplicateExtension: c.config.Bugs.DuplicateExtension, 132 channelIDSupported: c.config.ChannelID != nil, 133 tokenBindingParams: c.config.TokenBindingParams, 134 tokenBindingVersion: c.config.TokenBindingVersion, 135 extendedMasterSecret: maxVersion >= VersionTLS10, 136 srtpProtectionProfiles: c.config.SRTPProtectionProfiles, 137 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer, 138 customExtension: c.config.Bugs.CustomExtension, 139 omitExtensions: c.config.Bugs.OmitExtensions, 140 emptyExtensions: c.config.Bugs.EmptyExtensions, 141 delegatedCredentials: !c.config.Bugs.DisableDelegatedCredentials, 142 prefixExtensions: prefixExtensions, 143 } 144 145 if maxVersion >= VersionTLS13 { 146 hello.vers = mapClientHelloVersion(VersionTLS12, c.isDTLS) 147 if !c.config.Bugs.OmitSupportedVersions { 148 hello.supportedVersions = c.config.supportedVersions(c.isDTLS) 149 } 150 hello.pskKEModes = []byte{pskDHEKEMode} 151 } else { 152 hello.vers = mapClientHelloVersion(maxVersion, c.isDTLS) 153 } 154 155 if c.config.Bugs.SendClientVersion != 0 { 156 hello.vers = c.config.Bugs.SendClientVersion 157 } 158 159 if len(c.config.Bugs.SendSupportedVersions) > 0 { 160 hello.supportedVersions = c.config.Bugs.SendSupportedVersions 161 } 162 163 disableEMS := c.config.Bugs.NoExtendedMasterSecret 164 if c.cipherSuite != nil { 165 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation 166 } 167 168 if disableEMS { 169 hello.extendedMasterSecret = false 170 } 171 172 if c.config.Bugs.NoSupportedCurves { 173 hello.supportedCurves = nil 174 } 175 176 if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 { 177 hello.pskKEModes = c.config.Bugs.SendPSKKeyExchangeModes 178 } 179 180 if c.config.Bugs.SendCompressionMethods != nil { 181 hello.compressionMethods = c.config.Bugs.SendCompressionMethods 182 } 183 184 if c.config.Bugs.SendSupportedPointFormats != nil { 185 hello.supportedPoints = c.config.Bugs.SendSupportedPointFormats 186 } 187 188 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 189 if c.config.Bugs.BadRenegotiationInfo { 190 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...) 191 hello.secureRenegotiation[0] ^= 0x80 192 } else { 193 hello.secureRenegotiation = c.clientVerify 194 } 195 } 196 197 if c.config.Bugs.DuplicateCompressedCertAlgs { 198 hello.compressedCertAlgs = []uint16{1, 1} 199 } else if len(c.config.CertCompressionAlgs) > 0 { 200 hello.compressedCertAlgs = make([]uint16, 0, len(c.config.CertCompressionAlgs)) 201 for id, _ := range c.config.CertCompressionAlgs { 202 hello.compressedCertAlgs = append(hello.compressedCertAlgs, uint16(id)) 203 } 204 } 205 206 if c.noRenegotiationInfo() { 207 hello.secureRenegotiation = nil 208 } 209 210 for protocol, _ := range c.config.ApplicationSettings { 211 hello.alpsProtocols = append(hello.alpsProtocols, protocol) 212 } 213 214 var keyShares map[CurveID]ecdhCurve 215 if maxVersion >= VersionTLS13 { 216 keyShares = make(map[CurveID]ecdhCurve) 217 hello.hasKeyShares = true 218 hello.trailingKeyShareData = c.config.Bugs.TrailingKeyShareData 219 curvesToSend := c.config.defaultCurves() 220 for _, curveID := range hello.supportedCurves { 221 if !curvesToSend[curveID] { 222 continue 223 } 224 curve, ok := curveForCurveID(curveID, c.config) 225 if !ok { 226 continue 227 } 228 publicKey, err := curve.offer(c.config.rand()) 229 if err != nil { 230 return err 231 } 232 233 if c.config.Bugs.SendCurve != 0 { 234 curveID = c.config.Bugs.SendCurve 235 } 236 if c.config.Bugs.InvalidECDHPoint { 237 publicKey[0] ^= 0xff 238 } 239 240 hello.keyShares = append(hello.keyShares, keyShareEntry{ 241 group: curveID, 242 keyExchange: publicKey, 243 }) 244 keyShares[curveID] = curve 245 246 if c.config.Bugs.DuplicateKeyShares { 247 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1]) 248 } 249 } 250 251 if c.config.Bugs.MissingKeyShare { 252 hello.hasKeyShares = false 253 } 254 } 255 256 possibleCipherSuites := c.config.cipherSuites() 257 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites)) 258 259NextCipherSuite: 260 for _, suiteId := range possibleCipherSuites { 261 for _, suite := range cipherSuites { 262 if suite.id != suiteId { 263 continue 264 } 265 // Don't advertise TLS 1.2-only cipher suites unless 266 // we're attempting TLS 1.2. 267 if maxVersion < VersionTLS12 && suite.flags&suiteTLS12 != 0 { 268 continue 269 } 270 hello.cipherSuites = append(hello.cipherSuites, suiteId) 271 continue NextCipherSuite 272 } 273 } 274 275 if c.config.Bugs.AdvertiseAllConfiguredCiphers { 276 hello.cipherSuites = possibleCipherSuites 277 } 278 279 if c.config.Bugs.SendRenegotiationSCSV { 280 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV) 281 } 282 283 if c.config.Bugs.SendFallbackSCSV { 284 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV) 285 } 286 287 _, err := io.ReadFull(c.config.rand(), hello.random) 288 if err != nil { 289 c.sendAlert(alertInternalError) 290 return errors.New("tls: short read from Rand: " + err.Error()) 291 } 292 293 if maxVersion >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms { 294 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms() 295 } 296 297 var session *ClientSessionState 298 var cacheKey string 299 sessionCache := c.config.ClientSessionCache 300 301 if sessionCache != nil { 302 hello.ticketSupported = !c.config.SessionTicketsDisabled 303 304 // Try to resume a previously negotiated TLS session, if 305 // available. 306 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 307 // TODO(nharper): Support storing more than one session 308 // ticket for TLS 1.3. 309 candidateSession, ok := sessionCache.Get(cacheKey) 310 if ok { 311 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil 312 313 // Check that the ciphersuite/version used for the 314 // previous session are still valid. 315 cipherSuiteOk := false 316 if candidateSession.vers <= VersionTLS12 { 317 for _, id := range hello.cipherSuites { 318 if id == candidateSession.cipherSuite { 319 cipherSuiteOk = true 320 break 321 } 322 } 323 } else { 324 // TLS 1.3 allows the cipher to change on 325 // resumption. 326 cipherSuiteOk = true 327 } 328 329 versOk := candidateSession.vers >= minVersion && 330 candidateSession.vers <= maxVersion 331 if ticketOk && versOk && cipherSuiteOk { 332 session = candidateSession 333 } 334 } 335 } 336 337 var pskCipherSuite *cipherSuite 338 if session != nil && c.config.time().Before(session.ticketExpiration) { 339 ticket := session.sessionTicket 340 if c.config.Bugs.FilterTicket != nil && len(ticket) > 0 { 341 // Copy the ticket so FilterTicket may act in-place. 342 ticket = make([]byte, len(session.sessionTicket)) 343 copy(ticket, session.sessionTicket) 344 345 ticket, err = c.config.Bugs.FilterTicket(ticket) 346 if err != nil { 347 return err 348 } 349 } 350 351 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets { 352 pskCipherSuite = cipherSuiteFromID(session.cipherSuite) 353 if pskCipherSuite == nil { 354 return errors.New("tls: client session cache has invalid cipher suite") 355 } 356 // TODO(nharper): Support sending more 357 // than one PSK identity. 358 ticketAge := uint32(c.config.time().Sub(session.ticketCreationTime) / time.Millisecond) 359 if c.config.Bugs.SendTicketAge != 0 { 360 ticketAge = uint32(c.config.Bugs.SendTicketAge / time.Millisecond) 361 } 362 psk := pskIdentity{ 363 ticket: ticket, 364 obfuscatedTicketAge: session.ticketAgeAdd + ticketAge, 365 } 366 hello.pskIdentities = []pskIdentity{psk} 367 368 if c.config.Bugs.ExtraPSKIdentity { 369 hello.pskIdentities = append(hello.pskIdentities, psk) 370 } 371 } 372 373 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets { 374 if ticket != nil { 375 hello.sessionTicket = ticket 376 // A random session ID is used to detect when the 377 // server accepted the ticket and is resuming a session 378 // (see RFC 5077). 379 sessionIdLen := 16 380 if c.config.Bugs.TicketSessionIDLength != 0 { 381 sessionIdLen = c.config.Bugs.TicketSessionIDLength 382 } 383 if c.config.Bugs.EmptyTicketSessionID { 384 sessionIdLen = 0 385 } 386 hello.sessionId = make([]byte, sessionIdLen) 387 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 388 c.sendAlert(alertInternalError) 389 return errors.New("tls: short read from Rand: " + err.Error()) 390 } 391 } else { 392 hello.sessionId = session.sessionId 393 } 394 } 395 } 396 397 // Request compatibility mode from the client by sending a fake session 398 // ID. Although BoringSSL always enables compatibility mode, other 399 // implementations make it conditional on the ClientHello. We test 400 // BoringSSL's expected behavior with SendClientHelloSessionID. 401 if len(hello.sessionId) == 0 && maxVersion >= VersionTLS13 { 402 hello.sessionId = make([]byte, 32) 403 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 404 c.sendAlert(alertInternalError) 405 return errors.New("tls: short read from Rand: " + err.Error()) 406 } 407 } 408 if c.config.Bugs.MockQUICTransport != nil && !c.config.Bugs.CompatModeWithQUIC { 409 hello.sessionId = []byte{} 410 } 411 412 if c.config.Bugs.SendCipherSuites != nil { 413 hello.cipherSuites = c.config.Bugs.SendCipherSuites 414 } 415 416 var sendEarlyData bool 417 if len(hello.pskIdentities) > 0 && c.config.Bugs.SendEarlyData != nil { 418 hello.hasEarlyData = true 419 sendEarlyData = true 420 } 421 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 422 hello.hasEarlyData = true 423 } 424 if c.config.Bugs.OmitEarlyDataExtension { 425 hello.hasEarlyData = false 426 } 427 if c.config.Bugs.SendClientHelloSessionID != nil { 428 hello.sessionId = c.config.Bugs.SendClientHelloSessionID 429 } 430 431 var helloBytes []byte 432 if c.config.Bugs.SendV2ClientHello { 433 // Test that the peer left-pads random. 434 hello.random[0] = 0 435 v2Hello := &v2ClientHelloMsg{ 436 vers: hello.vers, 437 cipherSuites: hello.cipherSuites, 438 // No session resumption for V2ClientHello. 439 sessionId: nil, 440 challenge: hello.random[1:], 441 } 442 helloBytes = v2Hello.marshal() 443 c.writeV2Record(helloBytes) 444 } else { 445 if len(hello.pskIdentities) > 0 { 446 version := session.wireVersion 447 // We may have a pre-1.3 session if SendBothTickets is 448 // set. 449 if session.vers < VersionTLS13 { 450 version = VersionTLS13 451 } 452 generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config) 453 } 454 if c.config.Bugs.SendClientHelloWithFixes != nil { 455 helloBytes, err = fixClientHellos(hello, c.config.Bugs.SendClientHelloWithFixes) 456 if err != nil { 457 return err 458 } 459 } else { 460 helloBytes = hello.marshal() 461 } 462 463 var appendToHello byte 464 if c.config.Bugs.PartialClientFinishedWithClientHello { 465 appendToHello = typeFinished 466 } else if c.config.Bugs.PartialEndOfEarlyDataWithClientHello { 467 appendToHello = typeEndOfEarlyData 468 } else if c.config.Bugs.PartialSecondClientHelloAfterFirst { 469 appendToHello = typeClientHello 470 } else if c.config.Bugs.PartialClientKeyExchangeWithClientHello { 471 appendToHello = typeClientKeyExchange 472 } 473 if appendToHello != 0 { 474 c.writeRecord(recordTypeHandshake, append(helloBytes[:len(helloBytes):len(helloBytes)], appendToHello)) 475 } else { 476 c.writeRecord(recordTypeHandshake, helloBytes) 477 } 478 } 479 c.flushHandshake() 480 481 if err := c.simulatePacketLoss(nil); err != nil { 482 return err 483 } 484 if c.config.Bugs.SendEarlyAlert { 485 c.sendAlert(alertHandshakeFailure) 486 } 487 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 488 c.sendFakeEarlyData(c.config.Bugs.SendFakeEarlyDataLength) 489 } 490 491 // Derive early write keys and set Conn state to allow early writes. 492 if sendEarlyData { 493 finishedHash := newFinishedHash(session.wireVersion, c.isDTLS, pskCipherSuite) 494 finishedHash.addEntropy(session.masterSecret) 495 finishedHash.Write(helloBytes) 496 497 if !c.config.Bugs.SkipChangeCipherSpec { 498 c.wireVersion = session.wireVersion 499 c.vers = VersionTLS13 500 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 501 c.wireVersion = 0 502 c.vers = 0 503 } 504 505 earlyTrafficSecret := finishedHash.deriveSecret(earlyTrafficLabel) 506 c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabel) 507 508 c.useOutTrafficSecret(session.wireVersion, pskCipherSuite, earlyTrafficSecret) 509 for _, earlyData := range c.config.Bugs.SendEarlyData { 510 if _, err := c.writeRecord(recordTypeApplicationData, earlyData); err != nil { 511 return err 512 } 513 } 514 } 515 516 msg, err := c.readHandshake() 517 if err != nil { 518 return err 519 } 520 521 if c.isDTLS { 522 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg) 523 if ok { 524 if helloVerifyRequest.vers != VersionDTLS10 { 525 // Per RFC 6347, the version field in 526 // HelloVerifyRequest SHOULD be always DTLS 527 // 1.0. Enforce this for testing purposes. 528 return errors.New("dtls: bad HelloVerifyRequest version") 529 } 530 531 hello.raw = nil 532 hello.cookie = helloVerifyRequest.cookie 533 helloBytes = hello.marshal() 534 c.writeRecord(recordTypeHandshake, helloBytes) 535 c.flushHandshake() 536 537 if err := c.simulatePacketLoss(nil); err != nil { 538 return err 539 } 540 msg, err = c.readHandshake() 541 if err != nil { 542 return err 543 } 544 } 545 } 546 547 var serverWireVersion uint16 548 switch m := msg.(type) { 549 case *helloRetryRequestMsg: 550 serverWireVersion = m.vers 551 case *serverHelloMsg: 552 serverWireVersion = m.vers 553 default: 554 c.sendAlert(alertUnexpectedMessage) 555 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg) 556 } 557 558 serverVersion, ok := c.config.isSupportedVersion(serverWireVersion, c.isDTLS) 559 if !ok { 560 c.sendAlert(alertProtocolVersion) 561 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers) 562 } 563 c.wireVersion = serverWireVersion 564 c.vers = serverVersion 565 c.haveVers = true 566 567 if c.vers >= VersionTLS13 { 568 // The first server message must be followed by a ChangeCipherSpec. 569 c.expectTLS13ChangeCipherSpec = true 570 } 571 572 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg) 573 var secondHelloBytes []byte 574 if haveHelloRetryRequest { 575 if c.config.Bugs.FailIfHelloRetryRequested { 576 return errors.New("tls: unexpected HelloRetryRequest") 577 } 578 // Explicitly read the ChangeCipherSpec now; it should 579 // be attached to the first flight, not the second flight. 580 if err := c.readTLS13ChangeCipherSpec(); err != nil { 581 return err 582 } 583 584 c.out.resetCipher() 585 if len(helloRetryRequest.cookie) > 0 { 586 hello.tls13Cookie = helloRetryRequest.cookie 587 } 588 589 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 { 590 helloRetryRequest.hasSelectedGroup = true 591 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve 592 } 593 if helloRetryRequest.hasSelectedGroup { 594 var hrrCurveFound bool 595 group := helloRetryRequest.selectedGroup 596 for _, curveID := range hello.supportedCurves { 597 if group == curveID { 598 hrrCurveFound = true 599 break 600 } 601 } 602 if !hrrCurveFound || keyShares[group] != nil { 603 c.sendAlert(alertHandshakeFailure) 604 return errors.New("tls: received invalid HelloRetryRequest") 605 } 606 curve, ok := curveForCurveID(group, c.config) 607 if !ok { 608 return errors.New("tls: Unable to get curve requested in HelloRetryRequest") 609 } 610 publicKey, err := curve.offer(c.config.rand()) 611 if err != nil { 612 return err 613 } 614 keyShares[group] = curve 615 hello.keyShares = []keyShareEntry{{ 616 group: group, 617 keyExchange: publicKey, 618 }} 619 } 620 621 if c.config.Bugs.SecondClientHelloMissingKeyShare { 622 hello.hasKeyShares = false 623 } 624 625 hello.hasEarlyData = c.config.Bugs.SendEarlyDataOnSecondClientHello 626 // The first ClientHello may have skipped this due to OnlyCorruptSecondPSKBinder. 627 if c.config.Bugs.PSKBinderFirst && c.config.Bugs.OnlyCorruptSecondPSKBinder { 628 hello.prefixExtensions = append(hello.prefixExtensions, extensionPreSharedKey) 629 } 630 if c.config.Bugs.OmitPSKsOnSecondClientHello { 631 hello.pskIdentities = nil 632 hello.pskBinders = nil 633 } 634 hello.raw = nil 635 636 if len(hello.pskIdentities) > 0 { 637 generatePSKBinders(c.wireVersion, hello, pskCipherSuite, session.masterSecret, helloBytes, helloRetryRequest.marshal(), c.config) 638 } 639 secondHelloBytes = hello.marshal() 640 secondHelloBytesToWrite := secondHelloBytes 641 642 if c.config.Bugs.PartialSecondClientHelloAfterFirst { 643 // The first byte has already been sent. 644 secondHelloBytesToWrite = secondHelloBytesToWrite[1:] 645 } 646 647 if c.config.Bugs.InterleaveEarlyData { 648 c.sendFakeEarlyData(4) 649 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite[:16]) 650 c.sendFakeEarlyData(4) 651 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite[16:]) 652 } else if c.config.Bugs.PartialClientFinishedWithSecondClientHello { 653 toWrite := make([]byte, len(secondHelloBytesToWrite)+1) 654 copy(toWrite, secondHelloBytesToWrite) 655 toWrite[len(secondHelloBytesToWrite)] = typeFinished 656 c.writeRecord(recordTypeHandshake, toWrite) 657 } else { 658 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite) 659 } 660 c.flushHandshake() 661 662 if c.config.Bugs.SendEarlyDataOnSecondClientHello { 663 c.sendFakeEarlyData(4) 664 } 665 666 msg, err = c.readHandshake() 667 if err != nil { 668 return err 669 } 670 } 671 672 serverHello, ok := msg.(*serverHelloMsg) 673 if !ok { 674 c.sendAlert(alertUnexpectedMessage) 675 return unexpectedMessageError(serverHello, msg) 676 } 677 678 if serverWireVersion != serverHello.vers { 679 c.sendAlert(alertIllegalParameter) 680 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers) 681 } 682 683 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) 684 // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3. 685 gotDowngrade := serverHello.random[len(serverHello.random)-8:] 686 if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom { 687 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { 688 if bytes.Equal(gotDowngrade, downgradeTLS13) { 689 c.sendAlert(alertProtocolVersion) 690 return errors.New("tls: downgrade from TLS 1.3 detected") 691 } 692 } 693 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 { 694 if bytes.Equal(gotDowngrade, downgradeTLS12) { 695 c.sendAlert(alertProtocolVersion) 696 return errors.New("tls: downgrade from TLS 1.2 detected") 697 } 698 } 699 } 700 701 if bytes.Equal(gotDowngrade, downgradeJDK11) != c.config.Bugs.ExpectJDK11DowngradeRandom { 702 c.sendAlert(alertProtocolVersion) 703 if c.config.Bugs.ExpectJDK11DowngradeRandom { 704 return errors.New("tls: server did not send a JDK 11 downgrade signal") 705 } 706 return errors.New("tls: server sent an unexpected JDK 11 downgrade signal") 707 } 708 709 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite) 710 if suite == nil { 711 c.sendAlert(alertHandshakeFailure) 712 return fmt.Errorf("tls: server selected an unsupported cipher suite") 713 } 714 715 if haveHelloRetryRequest && helloRetryRequest.hasSelectedGroup && helloRetryRequest.selectedGroup != serverHello.keyShare.group { 716 c.sendAlert(alertHandshakeFailure) 717 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest") 718 } 719 720 if c.config.Bugs.ExpectOmitExtensions && !serverHello.omitExtensions { 721 return errors.New("tls: ServerHello did not omit extensions") 722 } 723 724 hs := &clientHandshakeState{ 725 c: c, 726 serverHello: serverHello, 727 hello: hello, 728 suite: suite, 729 finishedHash: newFinishedHash(c.wireVersion, c.isDTLS, suite), 730 keyShares: keyShares, 731 session: session, 732 } 733 734 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1) 735 if haveHelloRetryRequest { 736 err = hs.finishedHash.UpdateForHelloRetryRequest() 737 if err != nil { 738 return err 739 } 740 hs.writeServerHash(helloRetryRequest.marshal()) 741 hs.writeClientHash(secondHelloBytes) 742 } 743 hs.writeServerHash(hs.serverHello.marshal()) 744 745 if c.vers >= VersionTLS13 { 746 if err := hs.doTLS13Handshake(); err != nil { 747 return err 748 } 749 } else { 750 if c.config.Bugs.EarlyChangeCipherSpec > 0 { 751 hs.establishKeys() 752 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 753 } 754 755 if hs.serverHello.compressionMethod != compressionNone { 756 c.sendAlert(alertUnexpectedMessage) 757 return errors.New("tls: server selected unsupported compression format") 758 } 759 760 err = hs.processServerExtensions(&serverHello.extensions) 761 if err != nil { 762 return err 763 } 764 765 isResume, err := hs.processServerHello() 766 if err != nil { 767 return err 768 } 769 770 if isResume { 771 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 772 if err := hs.establishKeys(); err != nil { 773 return err 774 } 775 } 776 if err := hs.readSessionTicket(); err != nil { 777 return err 778 } 779 if err := hs.readFinished(c.firstFinished[:]); err != nil { 780 return err 781 } 782 if err := hs.sendFinished(nil, isResume); err != nil { 783 return err 784 } 785 } else { 786 if err := hs.doFullHandshake(); err != nil { 787 return err 788 } 789 if err := hs.establishKeys(); err != nil { 790 return err 791 } 792 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 793 return err 794 } 795 // Most retransmits are triggered by a timeout, but the final 796 // leg of the handshake is retransmited upon re-receiving a 797 // Finished. 798 if err := c.simulatePacketLoss(func() { 799 c.sendHandshakeSeq-- 800 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 801 c.flushHandshake() 802 }); err != nil { 803 return err 804 } 805 if err := hs.readSessionTicket(); err != nil { 806 return err 807 } 808 if err := hs.readFinished(nil); err != nil { 809 return err 810 } 811 } 812 813 if sessionCache != nil && hs.session != nil && session != hs.session { 814 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 { 815 return errors.New("tls: new session used session IDs instead of tickets") 816 } 817 if c.config.Bugs.RequireSessionIDs && len(hs.session.sessionId) == 0 { 818 return errors.New("tls: new session used session tickets instead of IDs") 819 } 820 sessionCache.Put(cacheKey, hs.session) 821 } 822 823 c.didResume = isResume 824 c.exporterSecret = hs.masterSecret 825 } 826 827 c.handshakeComplete = true 828 c.cipherSuite = suite 829 copy(c.clientRandom[:], hs.hello.random) 830 copy(c.serverRandom[:], hs.serverHello.random) 831 832 return nil 833} 834 835func (hs *clientHandshakeState) doTLS13Handshake() error { 836 c := hs.c 837 838 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { 839 return errors.New("tls: session IDs did not match.") 840 } 841 842 // Once the PRF hash is known, TLS 1.3 does not require a handshake 843 // buffer. 844 hs.finishedHash.discardHandshakeBuffer() 845 846 zeroSecret := hs.finishedHash.zeroSecret() 847 848 // Resolve PSK and compute the early secret. 849 // 850 // TODO(davidben): This will need to be handled slightly earlier once 851 // 0-RTT is implemented. 852 if hs.serverHello.hasPSKIdentity { 853 // We send at most one PSK identity. 854 if hs.session == nil || hs.serverHello.pskIdentity != 0 { 855 c.sendAlert(alertUnknownPSKIdentity) 856 return errors.New("tls: server sent unknown PSK identity") 857 } 858 sessionCipher := cipherSuiteFromID(hs.session.cipherSuite) 859 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 860 c.sendAlert(alertHandshakeFailure) 861 return errors.New("tls: server resumed an invalid session for the cipher suite") 862 } 863 hs.finishedHash.addEntropy(hs.session.masterSecret) 864 c.didResume = true 865 } else { 866 hs.finishedHash.addEntropy(zeroSecret) 867 } 868 869 if !hs.serverHello.hasKeyShare { 870 c.sendAlert(alertUnsupportedExtension) 871 return errors.New("tls: server omitted KeyShare on resumption.") 872 } 873 874 // Resolve ECDHE and compute the handshake secret. 875 if !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare { 876 curve, ok := hs.keyShares[hs.serverHello.keyShare.group] 877 if !ok { 878 c.sendAlert(alertHandshakeFailure) 879 return errors.New("tls: server selected an unsupported group") 880 } 881 c.curveID = hs.serverHello.keyShare.group 882 883 ecdheSecret, err := curve.finish(hs.serverHello.keyShare.keyExchange) 884 if err != nil { 885 return err 886 } 887 hs.finishedHash.nextSecret() 888 hs.finishedHash.addEntropy(ecdheSecret) 889 } else { 890 hs.finishedHash.nextSecret() 891 hs.finishedHash.addEntropy(zeroSecret) 892 } 893 894 // Derive handshake traffic keys and switch read key to handshake 895 // traffic key. 896 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 897 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 898 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, serverHandshakeTrafficSecret); err != nil { 899 return err 900 } 901 902 msg, err := c.readHandshake() 903 if err != nil { 904 return err 905 } 906 907 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 908 if !ok { 909 c.sendAlert(alertUnexpectedMessage) 910 return unexpectedMessageError(encryptedExtensions, msg) 911 } 912 hs.writeServerHash(encryptedExtensions.marshal()) 913 914 err = hs.processServerExtensions(&encryptedExtensions.extensions) 915 if err != nil { 916 return err 917 } 918 919 var chainToSend *Certificate 920 var certReq *certificateRequestMsg 921 if c.didResume { 922 // Copy over authentication from the session. 923 c.peerCertificates = hs.session.serverCertificates 924 c.sctList = hs.session.sctList 925 c.ocspResponse = hs.session.ocspResponse 926 } else { 927 msg, err := c.readHandshake() 928 if err != nil { 929 return err 930 } 931 932 var ok bool 933 certReq, ok = msg.(*certificateRequestMsg) 934 if ok { 935 if len(certReq.requestContext) != 0 { 936 return errors.New("tls: non-empty certificate request context sent in handshake") 937 } 938 939 if c.config.Bugs.ExpectNoCertificateAuthoritiesExtension && certReq.hasCAExtension { 940 return errors.New("tls: expected no certificate_authorities extension") 941 } 942 943 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 944 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 945 } 946 947 hs.writeServerHash(certReq.marshal()) 948 949 chainToSend, err = selectClientCertificate(c, certReq) 950 if err != nil { 951 return err 952 } 953 954 msg, err = c.readHandshake() 955 if err != nil { 956 return err 957 } 958 } 959 960 var certMsg *certificateMsg 961 962 if compressedCertMsg, ok := msg.(*compressedCertificateMsg); ok { 963 hs.writeServerHash(compressedCertMsg.marshal()) 964 965 alg, ok := c.config.CertCompressionAlgs[compressedCertMsg.algID] 966 if !ok { 967 c.sendAlert(alertBadCertificate) 968 return fmt.Errorf("tls: received certificate compressed with unknown algorithm %x", compressedCertMsg.algID) 969 } 970 971 decompressed := make([]byte, 4+int(compressedCertMsg.uncompressedLength)) 972 if !alg.Decompress(decompressed[4:], compressedCertMsg.compressed) { 973 c.sendAlert(alertBadCertificate) 974 return fmt.Errorf("tls: failed to decompress certificate with algorithm %x", compressedCertMsg.algID) 975 } 976 977 certMsg = &certificateMsg{ 978 hasRequestContext: true, 979 } 980 981 if !certMsg.unmarshal(decompressed) { 982 c.sendAlert(alertBadCertificate) 983 return errors.New("tls: failed to parse decompressed certificate") 984 } 985 986 if expected := c.config.Bugs.ExpectedCompressedCert; expected != 0 && expected != compressedCertMsg.algID { 987 return fmt.Errorf("tls: expected certificate compressed with algorithm %x, but message used %x", expected, compressedCertMsg.algID) 988 } 989 } else { 990 if certMsg, ok = msg.(*certificateMsg); !ok { 991 c.sendAlert(alertUnexpectedMessage) 992 return unexpectedMessageError(certMsg, msg) 993 } 994 hs.writeServerHash(certMsg.marshal()) 995 996 if c.config.Bugs.ExpectedCompressedCert != 0 { 997 return errors.New("tls: uncompressed certificate received") 998 } 999 } 1000 1001 // Check for unsolicited extensions. 1002 for i, cert := range certMsg.certificates { 1003 if c.config.Bugs.NoOCSPStapling && cert.ocspResponse != nil { 1004 c.sendAlert(alertUnsupportedExtension) 1005 return errors.New("tls: unexpected OCSP response in the server certificate") 1006 } 1007 if c.config.Bugs.NoSignedCertificateTimestamps && cert.sctList != nil { 1008 c.sendAlert(alertUnsupportedExtension) 1009 return errors.New("tls: unexpected SCT list in the server certificate") 1010 } 1011 if i > 0 && c.config.Bugs.ExpectNoExtensionsOnIntermediate && (cert.ocspResponse != nil || cert.sctList != nil) { 1012 c.sendAlert(alertUnsupportedExtension) 1013 return errors.New("tls: unexpected extensions in the server certificate") 1014 } 1015 } 1016 1017 if err := hs.verifyCertificates(certMsg); err != nil { 1018 return err 1019 } 1020 c.ocspResponse = certMsg.certificates[0].ocspResponse 1021 c.sctList = certMsg.certificates[0].sctList 1022 1023 msg, err = c.readHandshake() 1024 if err != nil { 1025 return err 1026 } 1027 certVerifyMsg, ok := msg.(*certificateVerifyMsg) 1028 if !ok { 1029 c.sendAlert(alertUnexpectedMessage) 1030 return unexpectedMessageError(certVerifyMsg, msg) 1031 } 1032 1033 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm 1034 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 1035 err = verifyMessage(c.vers, hs.peerPublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature) 1036 if err != nil { 1037 return err 1038 } 1039 1040 hs.writeServerHash(certVerifyMsg.marshal()) 1041 } 1042 1043 msg, err = c.readHandshake() 1044 if err != nil { 1045 return err 1046 } 1047 serverFinished, ok := msg.(*finishedMsg) 1048 if !ok { 1049 c.sendAlert(alertUnexpectedMessage) 1050 return unexpectedMessageError(serverFinished, msg) 1051 } 1052 1053 verify := hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 1054 if len(verify) != len(serverFinished.verifyData) || 1055 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1056 c.sendAlert(alertHandshakeFailure) 1057 return errors.New("tls: server's Finished message was incorrect") 1058 } 1059 1060 hs.writeServerHash(serverFinished.marshal()) 1061 1062 // The various secrets do not incorporate the client's final leg, so 1063 // derive them now before updating the handshake context. 1064 hs.finishedHash.nextSecret() 1065 hs.finishedHash.addEntropy(zeroSecret) 1066 1067 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 1068 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 1069 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 1070 1071 // Switch to application data keys on read. In particular, any alerts 1072 // from the client certificate are read over these keys. 1073 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, serverTrafficSecret); err != nil { 1074 return err 1075 } 1076 1077 // If we're expecting 0.5-RTT messages from the server, read them now. 1078 var deferredTickets []*newSessionTicketMsg 1079 if encryptedExtensions.extensions.hasEarlyData { 1080 // BoringSSL will always send two tickets half-RTT when 1081 // negotiating 0-RTT. 1082 for i := 0; i < shimConfig.HalfRTTTickets; i++ { 1083 msg, err := c.readHandshake() 1084 if err != nil { 1085 return fmt.Errorf("tls: error reading half-RTT ticket: %s", err) 1086 } 1087 newSessionTicket, ok := msg.(*newSessionTicketMsg) 1088 if !ok { 1089 return errors.New("tls: expected half-RTT ticket") 1090 } 1091 // Defer processing until the resumption secret is computed. 1092 deferredTickets = append(deferredTickets, newSessionTicket) 1093 } 1094 for _, expectedMsg := range c.config.Bugs.ExpectHalfRTTData { 1095 if err := c.readRecord(recordTypeApplicationData); err != nil { 1096 return err 1097 } 1098 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 1099 return errors.New("ExpectHalfRTTData: did not get expected message") 1100 } 1101 c.in.freeBlock(c.input) 1102 c.input = nil 1103 } 1104 } 1105 1106 // Send EndOfEarlyData and then switch write key to handshake 1107 // traffic key. 1108 if encryptedExtensions.extensions.hasEarlyData && c.out.cipher != nil && !c.config.Bugs.SkipEndOfEarlyData { 1109 if c.config.Bugs.SendStrayEarlyHandshake { 1110 helloRequest := new(helloRequestMsg) 1111 c.writeRecord(recordTypeHandshake, helloRequest.marshal()) 1112 } 1113 endOfEarlyData := new(endOfEarlyDataMsg) 1114 endOfEarlyData.nonEmpty = c.config.Bugs.NonEmptyEndOfEarlyData 1115 if c.config.Bugs.PartialEndOfEarlyDataWithClientHello { 1116 // The first byte has already been sent. 1117 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()[1:]) 1118 } else { 1119 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()) 1120 } 1121 hs.writeClientHash(endOfEarlyData.marshal()) 1122 } 1123 1124 if !c.config.Bugs.SkipChangeCipherSpec && !hs.hello.hasEarlyData { 1125 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1126 } 1127 1128 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 1129 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1130 } 1131 1132 c.useOutTrafficSecret(c.wireVersion, hs.suite, clientHandshakeTrafficSecret) 1133 1134 // The client EncryptedExtensions message is sent if some extension uses it. 1135 // (Currently only ALPS does.) 1136 hasEncryptedExtensions := c.config.Bugs.AlwaysSendClientEncryptedExtensions 1137 clientEncryptedExtensions := new(clientEncryptedExtensionsMsg) 1138 if encryptedExtensions.extensions.hasApplicationSettings || (c.config.Bugs.SendApplicationSettingsWithEarlyData && c.hasApplicationSettings) { 1139 hasEncryptedExtensions = true 1140 if !c.config.Bugs.OmitClientApplicationSettings { 1141 clientEncryptedExtensions.hasApplicationSettings = true 1142 clientEncryptedExtensions.applicationSettings = c.localApplicationSettings 1143 } 1144 } 1145 if c.config.Bugs.SendExtraClientEncryptedExtension { 1146 hasEncryptedExtensions = true 1147 clientEncryptedExtensions.customExtension = []byte{0} 1148 } 1149 if hasEncryptedExtensions && !c.config.Bugs.OmitClientEncryptedExtensions { 1150 hs.writeClientHash(clientEncryptedExtensions.marshal()) 1151 c.writeRecord(recordTypeHandshake, clientEncryptedExtensions.marshal()) 1152 } 1153 1154 if certReq != nil && !c.config.Bugs.SkipClientCertificate { 1155 certMsg := &certificateMsg{ 1156 hasRequestContext: true, 1157 requestContext: certReq.requestContext, 1158 } 1159 if chainToSend != nil { 1160 for _, certData := range chainToSend.Certificate { 1161 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1162 data: certData, 1163 extraExtension: c.config.Bugs.SendExtensionOnCertificate, 1164 }) 1165 } 1166 } 1167 hs.writeClientHash(certMsg.marshal()) 1168 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1169 1170 if chainToSend != nil { 1171 certVerify := &certificateVerifyMsg{ 1172 hasSignatureAlgorithm: true, 1173 } 1174 1175 // Determine the hash to sign. 1176 privKey := chainToSend.PrivateKey 1177 1178 var err error 1179 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1180 if err != nil { 1181 c.sendAlert(alertInternalError) 1182 return err 1183 } 1184 1185 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1186 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 1187 if err != nil { 1188 c.sendAlert(alertInternalError) 1189 return err 1190 } 1191 if c.config.Bugs.SendSignatureAlgorithm != 0 { 1192 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1193 } 1194 1195 if !c.config.Bugs.SkipCertificateVerify { 1196 hs.writeClientHash(certVerify.marshal()) 1197 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1198 } 1199 } 1200 } 1201 1202 if encryptedExtensions.extensions.channelIDRequested { 1203 channelIDHash := crypto.SHA256.New() 1204 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1205 channelIDMsgBytes, err := hs.writeChannelIDMessage(channelIDHash.Sum(nil)) 1206 if err != nil { 1207 return err 1208 } 1209 hs.writeClientHash(channelIDMsgBytes) 1210 c.writeRecord(recordTypeHandshake, channelIDMsgBytes) 1211 } 1212 1213 // Send a client Finished message. 1214 finished := new(finishedMsg) 1215 finished.verifyData = hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1216 if c.config.Bugs.BadFinished { 1217 finished.verifyData[0]++ 1218 } 1219 hs.writeClientHash(finished.marshal()) 1220 if c.config.Bugs.PartialClientFinishedWithClientHello { 1221 // The first byte has already been sent. 1222 c.writeRecord(recordTypeHandshake, finished.marshal()[1:]) 1223 } else if c.config.Bugs.InterleaveEarlyData { 1224 finishedBytes := finished.marshal() 1225 c.sendFakeEarlyData(4) 1226 c.writeRecord(recordTypeHandshake, finishedBytes[:1]) 1227 c.sendFakeEarlyData(4) 1228 c.writeRecord(recordTypeHandshake, finishedBytes[1:]) 1229 } else { 1230 c.writeRecord(recordTypeHandshake, finished.marshal()) 1231 } 1232 if c.config.Bugs.SendExtraFinished { 1233 c.writeRecord(recordTypeHandshake, finished.marshal()) 1234 } 1235 c.flushHandshake() 1236 1237 // Switch to application data keys. 1238 c.useOutTrafficSecret(c.wireVersion, hs.suite, clientTrafficSecret) 1239 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1240 for _, ticket := range deferredTickets { 1241 if err := c.processTLS13NewSessionTicket(ticket, hs.suite); err != nil { 1242 return err 1243 } 1244 } 1245 1246 return nil 1247} 1248 1249func (hs *clientHandshakeState) doFullHandshake() error { 1250 c := hs.c 1251 1252 var leaf *x509.Certificate 1253 if hs.suite.flags&suitePSK == 0 { 1254 msg, err := c.readHandshake() 1255 if err != nil { 1256 return err 1257 } 1258 1259 certMsg, ok := msg.(*certificateMsg) 1260 if !ok { 1261 c.sendAlert(alertUnexpectedMessage) 1262 return unexpectedMessageError(certMsg, msg) 1263 } 1264 hs.writeServerHash(certMsg.marshal()) 1265 1266 if err := hs.verifyCertificates(certMsg); err != nil { 1267 return err 1268 } 1269 leaf = c.peerCertificates[0] 1270 } 1271 1272 if hs.serverHello.extensions.ocspStapling { 1273 msg, err := c.readHandshake() 1274 if err != nil { 1275 return err 1276 } 1277 cs, ok := msg.(*certificateStatusMsg) 1278 if !ok { 1279 c.sendAlert(alertUnexpectedMessage) 1280 return unexpectedMessageError(cs, msg) 1281 } 1282 hs.writeServerHash(cs.marshal()) 1283 1284 if cs.statusType == statusTypeOCSP { 1285 c.ocspResponse = cs.response 1286 } 1287 } 1288 1289 msg, err := c.readHandshake() 1290 if err != nil { 1291 return err 1292 } 1293 1294 keyAgreement := hs.suite.ka(c.vers) 1295 1296 skx, ok := msg.(*serverKeyExchangeMsg) 1297 if ok { 1298 hs.writeServerHash(skx.marshal()) 1299 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, hs.peerPublicKey, skx) 1300 if err != nil { 1301 c.sendAlert(alertUnexpectedMessage) 1302 return err 1303 } 1304 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1305 c.curveID = ecdhe.curveID 1306 } 1307 1308 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm() 1309 1310 msg, err = c.readHandshake() 1311 if err != nil { 1312 return err 1313 } 1314 } 1315 1316 var chainToSend *Certificate 1317 var certRequested bool 1318 certReq, ok := msg.(*certificateRequestMsg) 1319 if ok { 1320 certRequested = true 1321 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 1322 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 1323 } 1324 1325 hs.writeServerHash(certReq.marshal()) 1326 1327 chainToSend, err = selectClientCertificate(c, certReq) 1328 if err != nil { 1329 return err 1330 } 1331 1332 msg, err = c.readHandshake() 1333 if err != nil { 1334 return err 1335 } 1336 } 1337 1338 shd, ok := msg.(*serverHelloDoneMsg) 1339 if !ok { 1340 c.sendAlert(alertUnexpectedMessage) 1341 return unexpectedMessageError(shd, msg) 1342 } 1343 hs.writeServerHash(shd.marshal()) 1344 1345 // If the server requested a certificate then we have to send a 1346 // Certificate message in TLS, even if it's empty because we don't have 1347 // a certificate to send. In SSL 3.0, skip the message and send a 1348 // no_certificate warning alert. 1349 if certRequested { 1350 if c.vers == VersionSSL30 && chainToSend == nil { 1351 c.sendAlert(alertNoCertificate) 1352 } else if !c.config.Bugs.SkipClientCertificate { 1353 certMsg := new(certificateMsg) 1354 if chainToSend != nil { 1355 for _, certData := range chainToSend.Certificate { 1356 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1357 data: certData, 1358 }) 1359 } 1360 } 1361 hs.writeClientHash(certMsg.marshal()) 1362 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1363 } 1364 } 1365 1366 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf) 1367 if err != nil { 1368 c.sendAlert(alertInternalError) 1369 return err 1370 } 1371 if ckx != nil { 1372 if c.config.Bugs.EarlyChangeCipherSpec < 2 { 1373 hs.writeClientHash(ckx.marshal()) 1374 } 1375 if c.config.Bugs.PartialClientKeyExchangeWithClientHello { 1376 // The first byte was already written. 1377 c.writeRecord(recordTypeHandshake, ckx.marshal()[1:]) 1378 } else { 1379 c.writeRecord(recordTypeHandshake, ckx.marshal()) 1380 } 1381 } 1382 1383 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 { 1384 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 1385 c.extendedMasterSecret = true 1386 } else { 1387 if c.config.Bugs.RequireExtendedMasterSecret { 1388 return errors.New("tls: extended master secret required but not supported by peer") 1389 } 1390 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) 1391 } 1392 1393 if chainToSend != nil { 1394 certVerify := &certificateVerifyMsg{ 1395 hasSignatureAlgorithm: c.vers >= VersionTLS12, 1396 } 1397 1398 // Determine the hash to sign. 1399 privKey := c.config.Certificates[0].PrivateKey 1400 1401 if certVerify.hasSignatureAlgorithm { 1402 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1403 if err != nil { 1404 c.sendAlert(alertInternalError) 1405 return err 1406 } 1407 } 1408 1409 if c.vers > VersionSSL30 { 1410 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer) 1411 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 { 1412 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1413 } 1414 } else { 1415 // SSL 3.0's client certificate construction is 1416 // incompatible with signatureAlgorithm. 1417 rsaKey, ok := privKey.(*rsa.PrivateKey) 1418 if !ok { 1419 err = errors.New("unsupported signature type for client certificate") 1420 } else { 1421 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret) 1422 if c.config.Bugs.InvalidSignature { 1423 digest[0] ^= 0x80 1424 } 1425 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest) 1426 } 1427 } 1428 if err != nil { 1429 c.sendAlert(alertInternalError) 1430 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error()) 1431 } 1432 1433 if !c.config.Bugs.SkipCertificateVerify { 1434 hs.writeClientHash(certVerify.marshal()) 1435 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1436 } 1437 } 1438 // flushHandshake will be called in sendFinished. 1439 1440 hs.finishedHash.discardHandshakeBuffer() 1441 1442 return nil 1443} 1444 1445// delegatedCredentialSignedMessage returns the bytes that are signed in order 1446// to authenticate a delegated credential. 1447func delegatedCredentialSignedMessage(credBytes []byte, algorithm signatureAlgorithm, leafDER []byte) []byte { 1448 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1449 ret := make([]byte, 64, 128) 1450 for i := range ret { 1451 ret[i] = 0x20 1452 } 1453 1454 ret = append(ret, []byte("TLS, server delegated credentials\x00")...) 1455 ret = append(ret, leafDER...) 1456 ret = append(ret, byte(algorithm>>8), byte(algorithm)) 1457 ret = append(ret, credBytes...) 1458 1459 return ret 1460} 1461 1462func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error { 1463 c := hs.c 1464 1465 if len(certMsg.certificates) == 0 { 1466 c.sendAlert(alertIllegalParameter) 1467 return errors.New("tls: no certificates sent") 1468 } 1469 1470 var dc *delegatedCredential 1471 certs := make([]*x509.Certificate, len(certMsg.certificates)) 1472 for i, certEntry := range certMsg.certificates { 1473 cert, err := x509.ParseCertificate(certEntry.data) 1474 if err != nil { 1475 c.sendAlert(alertBadCertificate) 1476 return errors.New("tls: failed to parse certificate from server: " + err.Error()) 1477 } 1478 certs[i] = cert 1479 1480 if certEntry.delegatedCredential != nil { 1481 if c.config.Bugs.FailIfDelegatedCredentials { 1482 c.sendAlert(alertIllegalParameter) 1483 return errors.New("tls: unexpected delegated credential") 1484 } 1485 if i != 0 { 1486 c.sendAlert(alertIllegalParameter) 1487 return errors.New("tls: non-leaf certificate has a delegated credential") 1488 } 1489 if c.config.Bugs.DisableDelegatedCredentials { 1490 c.sendAlert(alertIllegalParameter) 1491 return errors.New("tls: server sent delegated credential without it being requested") 1492 } 1493 dc = certEntry.delegatedCredential 1494 } 1495 } 1496 1497 if !c.config.InsecureSkipVerify { 1498 opts := x509.VerifyOptions{ 1499 Roots: c.config.RootCAs, 1500 CurrentTime: c.config.time(), 1501 DNSName: c.config.ServerName, 1502 Intermediates: x509.NewCertPool(), 1503 } 1504 1505 for i, cert := range certs { 1506 if i == 0 { 1507 continue 1508 } 1509 opts.Intermediates.AddCert(cert) 1510 } 1511 var err error 1512 c.verifiedChains, err = certs[0].Verify(opts) 1513 if err != nil { 1514 c.sendAlert(alertBadCertificate) 1515 return err 1516 } 1517 } 1518 1519 leafPublicKey := certs[0].PublicKey 1520 switch leafPublicKey.(type) { 1521 case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey: 1522 break 1523 default: 1524 c.sendAlert(alertUnsupportedCertificate) 1525 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leafPublicKey) 1526 } 1527 1528 c.peerCertificates = certs 1529 1530 if dc != nil { 1531 // Note that this doesn't check a) the delegated credential temporal 1532 // validity nor b) that the certificate has the special OID asserted. 1533 hs.skxAlgo = dc.expectedCertVerifyAlgo 1534 1535 var err error 1536 if hs.peerPublicKey, err = x509.ParsePKIXPublicKey(dc.pkixPublicKey); err != nil { 1537 c.sendAlert(alertBadCertificate) 1538 return errors.New("tls: failed to parse public key from delegated credential: " + err.Error()) 1539 } 1540 1541 verifier, err := getSigner(c.vers, hs.peerPublicKey, c.config, dc.algorithm, true) 1542 if err != nil { 1543 c.sendAlert(alertBadCertificate) 1544 return errors.New("tls: failed to get verifier for delegated credential: " + err.Error()) 1545 } 1546 1547 if err := verifier.verifyMessage(leafPublicKey, delegatedCredentialSignedMessage(dc.signedBytes, dc.algorithm, certs[0].Raw), dc.signature); err != nil { 1548 c.sendAlert(alertBadCertificate) 1549 return errors.New("tls: failed to verify delegated credential: " + err.Error()) 1550 } 1551 } else if c.config.Bugs.ExpectDelegatedCredentials { 1552 c.sendAlert(alertInternalError) 1553 return errors.New("tls: delegated credentials missing") 1554 } else { 1555 hs.peerPublicKey = leafPublicKey 1556 } 1557 1558 return nil 1559} 1560 1561func (hs *clientHandshakeState) establishKeys() error { 1562 c := hs.c 1563 1564 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 1565 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 1566 var clientCipher, serverCipher interface{} 1567 var clientHash, serverHash macFunction 1568 if hs.suite.cipher != nil { 1569 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) 1570 clientHash = hs.suite.mac(c.vers, clientMAC) 1571 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) 1572 serverHash = hs.suite.mac(c.vers, serverMAC) 1573 } else { 1574 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 1575 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 1576 } 1577 1578 c.in.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 1579 c.out.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 1580 return nil 1581} 1582 1583func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error { 1584 c := hs.c 1585 1586 if c.vers < VersionTLS13 { 1587 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil { 1588 return errors.New("tls: renegotiation extension missing") 1589 } 1590 1591 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() { 1592 var expectedRenegInfo []byte 1593 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...) 1594 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...) 1595 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) { 1596 c.sendAlert(alertHandshakeFailure) 1597 return fmt.Errorf("tls: renegotiation mismatch") 1598 } 1599 } 1600 } else if serverExtensions.secureRenegotiation != nil { 1601 return errors.New("tls: renegotiation info sent in TLS 1.3") 1602 } 1603 1604 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1605 if serverExtensions.customExtension != *expected { 1606 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension) 1607 } 1608 } 1609 1610 clientDidNPN := hs.hello.nextProtoNeg 1611 clientDidALPN := len(hs.hello.alpnProtocols) > 0 1612 serverHasNPN := serverExtensions.nextProtoNeg 1613 serverHasALPN := len(serverExtensions.alpnProtocol) > 0 1614 1615 if !clientDidNPN && serverHasNPN { 1616 c.sendAlert(alertHandshakeFailure) 1617 return errors.New("server advertised unrequested NPN extension") 1618 } 1619 1620 if !clientDidALPN && serverHasALPN { 1621 c.sendAlert(alertHandshakeFailure) 1622 return errors.New("server advertised unrequested ALPN extension") 1623 } 1624 1625 if serverHasNPN && serverHasALPN { 1626 c.sendAlert(alertHandshakeFailure) 1627 return errors.New("server advertised both NPN and ALPN extensions") 1628 } 1629 1630 if serverHasALPN { 1631 c.clientProtocol = serverExtensions.alpnProtocol 1632 c.clientProtocolFallback = false 1633 c.usedALPN = true 1634 } 1635 1636 if serverHasNPN && c.vers >= VersionTLS13 { 1637 c.sendAlert(alertHandshakeFailure) 1638 return errors.New("server advertised NPN over TLS 1.3") 1639 } 1640 1641 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested { 1642 c.sendAlert(alertHandshakeFailure) 1643 return errors.New("server advertised unrequested Channel ID extension") 1644 } 1645 1646 if len(serverExtensions.tokenBindingParams) == 1 { 1647 found := false 1648 for _, p := range c.config.TokenBindingParams { 1649 if p == serverExtensions.tokenBindingParams[0] { 1650 c.tokenBindingParam = p 1651 found = true 1652 break 1653 } 1654 } 1655 if !found { 1656 return errors.New("tls: server advertised unsupported Token Binding key param") 1657 } 1658 if serverExtensions.tokenBindingVersion > c.config.TokenBindingVersion { 1659 return errors.New("tls: server's Token Binding version is too new") 1660 } 1661 if c.vers < VersionTLS13 { 1662 if !serverExtensions.extendedMasterSecret || serverExtensions.secureRenegotiation == nil { 1663 return errors.New("server sent Token Binding without EMS or RI") 1664 } 1665 } 1666 c.tokenBindingNegotiated = true 1667 } 1668 1669 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 { 1670 return errors.New("tls: server advertised extended master secret over TLS 1.3") 1671 } 1672 1673 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 { 1674 return errors.New("tls: server advertised ticket extension over TLS 1.3") 1675 } 1676 1677 if serverExtensions.ocspStapling && c.vers >= VersionTLS13 { 1678 return errors.New("tls: server advertised OCSP in ServerHello over TLS 1.3") 1679 } 1680 1681 if serverExtensions.ocspStapling && c.config.Bugs.NoOCSPStapling { 1682 return errors.New("tls: server advertised unrequested OCSP extension") 1683 } 1684 1685 if len(serverExtensions.sctList) > 0 && c.vers >= VersionTLS13 { 1686 return errors.New("tls: server advertised SCTs in ServerHello over TLS 1.3") 1687 } 1688 1689 if len(serverExtensions.sctList) > 0 && c.config.Bugs.NoSignedCertificateTimestamps { 1690 return errors.New("tls: server advertised unrequested SCTs") 1691 } 1692 1693 if serverExtensions.srtpProtectionProfile != 0 { 1694 if serverExtensions.srtpMasterKeyIdentifier != "" { 1695 return errors.New("tls: server selected SRTP MKI value") 1696 } 1697 1698 found := false 1699 for _, p := range c.config.SRTPProtectionProfiles { 1700 if p == serverExtensions.srtpProtectionProfile { 1701 found = true 1702 break 1703 } 1704 } 1705 if !found { 1706 return errors.New("tls: server advertised unsupported SRTP profile") 1707 } 1708 1709 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile 1710 } 1711 1712 if c.vers >= VersionTLS13 && c.didResume { 1713 if c.config.Bugs.ExpectEarlyDataAccepted && !serverExtensions.hasEarlyData { 1714 c.sendAlert(alertHandshakeFailure) 1715 return errors.New("tls: server did not accept early data when expected") 1716 } 1717 1718 if !c.config.Bugs.ExpectEarlyDataAccepted && serverExtensions.hasEarlyData { 1719 c.sendAlert(alertHandshakeFailure) 1720 return errors.New("tls: server accepted early data when not expected") 1721 } 1722 } else if serverExtensions.hasEarlyData { 1723 return errors.New("tls: server accepted early data when not resuming") 1724 } 1725 1726 if len(serverExtensions.quicTransportParams) > 0 { 1727 if c.vers < VersionTLS13 { 1728 c.sendAlert(alertHandshakeFailure) 1729 return errors.New("tls: server sent QUIC transport params for TLS version less than 1.3") 1730 } 1731 c.quicTransportParams = serverExtensions.quicTransportParams 1732 } 1733 1734 if serverExtensions.hasApplicationSettings { 1735 if c.vers < VersionTLS13 { 1736 return errors.New("tls: server sent application settings at invalid version") 1737 } 1738 if serverExtensions.hasEarlyData { 1739 return errors.New("tls: server sent application settings with 0-RTT") 1740 } 1741 if !serverHasALPN { 1742 return errors.New("tls: server sent application settings without ALPN") 1743 } 1744 settings, ok := c.config.ApplicationSettings[serverExtensions.alpnProtocol] 1745 if !ok { 1746 return errors.New("tls: server sent application settings for invalid protocol") 1747 } 1748 c.hasApplicationSettings = true 1749 c.localApplicationSettings = settings 1750 c.peerApplicationSettings = serverExtensions.applicationSettings 1751 } else if serverExtensions.hasEarlyData { 1752 // 0-RTT connections inherit application settings from the session. 1753 c.hasApplicationSettings = hs.session.hasApplicationSettings 1754 c.localApplicationSettings = hs.session.localApplicationSettings 1755 c.peerApplicationSettings = hs.session.peerApplicationSettings 1756 } 1757 1758 return nil 1759} 1760 1761func (hs *clientHandshakeState) serverResumedSession() bool { 1762 // If the server responded with the same sessionId then it means the 1763 // sessionTicket is being used to resume a TLS session. 1764 // 1765 // Note that, if hs.hello.sessionId is a non-nil empty array, this will 1766 // accept an empty session ID from the server as resumption. See 1767 // EmptyTicketSessionID. 1768 return hs.session != nil && hs.hello.sessionId != nil && 1769 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId) 1770} 1771 1772func (hs *clientHandshakeState) processServerHello() (bool, error) { 1773 c := hs.c 1774 1775 if hs.serverResumedSession() { 1776 // For test purposes, assert that the server never accepts the 1777 // resumption offer on renegotiation. 1778 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego { 1779 return false, errors.New("tls: server resumed session on renegotiation") 1780 } 1781 1782 if hs.serverHello.extensions.sctList != nil { 1783 return false, errors.New("tls: server sent SCT extension on session resumption") 1784 } 1785 1786 if hs.serverHello.extensions.ocspStapling { 1787 return false, errors.New("tls: server sent OCSP extension on session resumption") 1788 } 1789 1790 // Restore masterSecret and peerCerts from previous state 1791 hs.masterSecret = hs.session.masterSecret 1792 c.peerCertificates = hs.session.serverCertificates 1793 c.extendedMasterSecret = hs.session.extendedMasterSecret 1794 c.sctList = hs.session.sctList 1795 c.ocspResponse = hs.session.ocspResponse 1796 hs.finishedHash.discardHandshakeBuffer() 1797 return true, nil 1798 } 1799 1800 if hs.serverHello.extensions.sctList != nil { 1801 c.sctList = hs.serverHello.extensions.sctList 1802 } 1803 1804 return false, nil 1805} 1806 1807func (hs *clientHandshakeState) readFinished(out []byte) error { 1808 c := hs.c 1809 1810 c.readRecord(recordTypeChangeCipherSpec) 1811 if err := c.in.error(); err != nil { 1812 return err 1813 } 1814 1815 msg, err := c.readHandshake() 1816 if err != nil { 1817 return err 1818 } 1819 serverFinished, ok := msg.(*finishedMsg) 1820 if !ok { 1821 c.sendAlert(alertUnexpectedMessage) 1822 return unexpectedMessageError(serverFinished, msg) 1823 } 1824 1825 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 1826 verify := hs.finishedHash.serverSum(hs.masterSecret) 1827 if len(verify) != len(serverFinished.verifyData) || 1828 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1829 c.sendAlert(alertHandshakeFailure) 1830 return errors.New("tls: server's Finished message was incorrect") 1831 } 1832 } 1833 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...) 1834 copy(out, serverFinished.verifyData) 1835 hs.writeServerHash(serverFinished.marshal()) 1836 return nil 1837} 1838 1839func (hs *clientHandshakeState) readSessionTicket() error { 1840 c := hs.c 1841 1842 // Create a session with no server identifier. Either a 1843 // session ID or session ticket will be attached. 1844 session := &ClientSessionState{ 1845 vers: c.vers, 1846 wireVersion: c.wireVersion, 1847 cipherSuite: hs.suite.id, 1848 masterSecret: hs.masterSecret, 1849 handshakeHash: hs.finishedHash.Sum(), 1850 serverCertificates: c.peerCertificates, 1851 sctList: c.sctList, 1852 ocspResponse: c.ocspResponse, 1853 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)), 1854 } 1855 1856 if !hs.serverHello.extensions.ticketSupported { 1857 if c.config.Bugs.ExpectNewTicket { 1858 return errors.New("tls: expected new ticket") 1859 } 1860 if hs.session == nil && len(hs.serverHello.sessionId) > 0 { 1861 session.sessionId = hs.serverHello.sessionId 1862 hs.session = session 1863 } 1864 return nil 1865 } 1866 1867 if c.vers == VersionSSL30 { 1868 return errors.New("tls: negotiated session tickets in SSL 3.0") 1869 } 1870 if c.config.Bugs.ExpectNoNewSessionTicket { 1871 return errors.New("tls: received unexpected NewSessionTicket") 1872 } 1873 1874 msg, err := c.readHandshake() 1875 if err != nil { 1876 return err 1877 } 1878 sessionTicketMsg, ok := msg.(*newSessionTicketMsg) 1879 if !ok { 1880 c.sendAlert(alertUnexpectedMessage) 1881 return unexpectedMessageError(sessionTicketMsg, msg) 1882 } 1883 1884 session.sessionTicket = sessionTicketMsg.ticket 1885 hs.session = session 1886 1887 hs.writeServerHash(sessionTicketMsg.marshal()) 1888 1889 return nil 1890} 1891 1892func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error { 1893 c := hs.c 1894 1895 var postCCSMsgs [][]byte 1896 seqno := hs.c.sendHandshakeSeq 1897 if hs.serverHello.extensions.nextProtoNeg { 1898 nextProto := new(nextProtoMsg) 1899 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos) 1900 nextProto.proto = proto 1901 c.clientProtocol = proto 1902 c.clientProtocolFallback = fallback 1903 1904 nextProtoBytes := nextProto.marshal() 1905 hs.writeHash(nextProtoBytes, seqno) 1906 seqno++ 1907 postCCSMsgs = append(postCCSMsgs, nextProtoBytes) 1908 } 1909 1910 if hs.serverHello.extensions.channelIDRequested { 1911 var resumeHash []byte 1912 if isResume { 1913 resumeHash = hs.session.handshakeHash 1914 } 1915 channelIDMsgBytes, err := hs.writeChannelIDMessage(hs.finishedHash.hashForChannelID(resumeHash)) 1916 if err != nil { 1917 return err 1918 } 1919 hs.writeHash(channelIDMsgBytes, seqno) 1920 seqno++ 1921 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes) 1922 } 1923 1924 finished := new(finishedMsg) 1925 if c.config.Bugs.EarlyChangeCipherSpec == 2 { 1926 finished.verifyData = hs.finishedHash.clientSum(nil) 1927 } else { 1928 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) 1929 } 1930 copy(out, finished.verifyData) 1931 if c.config.Bugs.BadFinished { 1932 finished.verifyData[0]++ 1933 } 1934 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...) 1935 hs.finishedBytes = finished.marshal() 1936 hs.writeHash(hs.finishedBytes, seqno) 1937 if c.config.Bugs.PartialClientFinishedWithClientHello { 1938 // The first byte has already been written. 1939 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes[1:]) 1940 } else { 1941 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes) 1942 } 1943 1944 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 1945 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5]) 1946 postCCSMsgs[0] = postCCSMsgs[0][5:] 1947 } else if c.config.Bugs.SendUnencryptedFinished { 1948 c.writeRecord(recordTypeHandshake, postCCSMsgs[0]) 1949 postCCSMsgs = postCCSMsgs[1:] 1950 } 1951 1952 if !c.config.Bugs.SkipChangeCipherSpec && 1953 c.config.Bugs.EarlyChangeCipherSpec == 0 { 1954 ccs := []byte{1} 1955 if c.config.Bugs.BadChangeCipherSpec != nil { 1956 ccs = c.config.Bugs.BadChangeCipherSpec 1957 } 1958 c.writeRecord(recordTypeChangeCipherSpec, ccs) 1959 } 1960 1961 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 1962 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 1963 } 1964 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 1965 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 1966 return errors.New("tls: simulating post-CCS alert") 1967 } 1968 1969 if !c.config.Bugs.SkipFinished { 1970 for _, msg := range postCCSMsgs { 1971 c.writeRecord(recordTypeHandshake, msg) 1972 } 1973 1974 if c.config.Bugs.SendExtraFinished { 1975 c.writeRecord(recordTypeHandshake, finished.marshal()) 1976 } 1977 } 1978 1979 if !isResume || !c.config.Bugs.PackAppDataWithHandshake { 1980 c.flushHandshake() 1981 } 1982 return nil 1983} 1984 1985func (hs *clientHandshakeState) writeChannelIDMessage(channelIDHash []byte) ([]byte, error) { 1986 c := hs.c 1987 channelIDMsg := new(channelIDMsg) 1988 if c.config.ChannelID.Curve != elliptic.P256() { 1989 return nil, fmt.Errorf("tls: Channel ID is not on P-256.") 1990 } 1991 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, channelIDHash) 1992 if err != nil { 1993 return nil, err 1994 } 1995 channelID := make([]byte, 128) 1996 writeIntPadded(channelID[0:32], c.config.ChannelID.X) 1997 writeIntPadded(channelID[32:64], c.config.ChannelID.Y) 1998 writeIntPadded(channelID[64:96], r) 1999 writeIntPadded(channelID[96:128], s) 2000 if c.config.Bugs.InvalidChannelIDSignature { 2001 channelID[64] ^= 1 2002 } 2003 channelIDMsg.channelID = channelID 2004 2005 c.channelID = &c.config.ChannelID.PublicKey 2006 2007 return channelIDMsg.marshal(), nil 2008} 2009 2010func (hs *clientHandshakeState) writeClientHash(msg []byte) { 2011 // writeClientHash is called before writeRecord. 2012 hs.writeHash(msg, hs.c.sendHandshakeSeq) 2013} 2014 2015func (hs *clientHandshakeState) writeServerHash(msg []byte) { 2016 // writeServerHash is called after readHandshake. 2017 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 2018} 2019 2020func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) { 2021 if hs.c.isDTLS { 2022 // This is somewhat hacky. DTLS hashes a slightly different format. 2023 // First, the TLS header. 2024 hs.finishedHash.Write(msg[:4]) 2025 // Then the sequence number and reassembled fragment offset (always 0). 2026 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 2027 // Then the reassembled fragment (always equal to the message length). 2028 hs.finishedHash.Write(msg[1:4]) 2029 // And then the message body. 2030 hs.finishedHash.Write(msg[4:]) 2031 } else { 2032 hs.finishedHash.Write(msg) 2033 } 2034} 2035 2036// selectClientCertificate selects a certificate for use with the given 2037// certificate, or none if none match. It may return a particular certificate or 2038// nil on success, or an error on internal error. 2039func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) { 2040 if len(c.config.Certificates) == 0 { 2041 return nil, nil 2042 } 2043 2044 // The test is assumed to have configured the certificate it meant to 2045 // send. 2046 if len(c.config.Certificates) > 1 { 2047 return nil, errors.New("tls: multiple certificates configured") 2048 } 2049 2050 return &c.config.Certificates[0], nil 2051} 2052 2053// clientSessionCacheKey returns a key used to cache sessionTickets that could 2054// be used to resume previously negotiated TLS sessions with a server. 2055func clientSessionCacheKey(serverAddr net.Addr, config *Config) string { 2056 if len(config.ServerName) > 0 { 2057 return config.ServerName 2058 } 2059 return serverAddr.String() 2060} 2061 2062// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol 2063// given list of possible protocols and a list of the preference order. The 2064// first list must not be empty. It returns the resulting protocol and flag 2065// indicating if the fallback case was reached. 2066func mutualProtocol(protos, preferenceProtos []string) (string, bool) { 2067 for _, s := range preferenceProtos { 2068 for _, c := range protos { 2069 if s == c { 2070 return s, false 2071 } 2072 } 2073 } 2074 2075 return protos[0], true 2076} 2077 2078// writeIntPadded writes x into b, padded up with leading zeros as 2079// needed. 2080func writeIntPadded(b []byte, x *big.Int) { 2081 for i := range b { 2082 b[i] = 0 2083 } 2084 xb := x.Bytes() 2085 copy(b[len(b)-len(xb):], xb) 2086} 2087 2088func generatePSKBinders(version uint16, hello *clientHelloMsg, pskCipherSuite *cipherSuite, psk, firstClientHello, helloRetryRequest []byte, config *Config) { 2089 maybeCorruptBinder := !config.Bugs.OnlyCorruptSecondPSKBinder || len(firstClientHello) > 0 2090 binderLen := pskCipherSuite.hash().Size() 2091 numBinders := 1 2092 if maybeCorruptBinder { 2093 if config.Bugs.SendNoPSKBinder { 2094 // The binders may have been set from the previous 2095 // ClientHello. 2096 hello.pskBinders = nil 2097 return 2098 } 2099 2100 if config.Bugs.SendShortPSKBinder { 2101 binderLen-- 2102 } 2103 2104 if config.Bugs.SendExtraPSKBinder { 2105 numBinders++ 2106 } 2107 } 2108 2109 // Fill hello.pskBinders with appropriate length arrays of zeros so the 2110 // length prefixes are correct when computing the binder over the truncated 2111 // ClientHello message. 2112 hello.pskBinders = make([][]byte, numBinders) 2113 for i := range hello.pskBinders { 2114 hello.pskBinders[i] = make([]byte, binderLen) 2115 } 2116 2117 helloBytes := hello.marshal() 2118 binderSize := len(hello.pskBinders)*(binderLen+1) + 2 2119 truncatedHello := helloBytes[:len(helloBytes)-binderSize] 2120 binder := computePSKBinder(psk, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2121 if maybeCorruptBinder { 2122 if config.Bugs.SendShortPSKBinder { 2123 binder = binder[:binderLen] 2124 } 2125 if config.Bugs.SendInvalidPSKBinder { 2126 binder[0] ^= 1 2127 } 2128 } 2129 2130 for i := range hello.pskBinders { 2131 hello.pskBinders[i] = binder 2132 } 2133 2134 hello.raw = nil 2135} 2136