blob: 76118b39ae21d7a029f840463594c85a17a9cfca [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -07005package runner
Adam Langley95c29f32014-06-20 12:00:00 -07006
7import (
8 "bytes"
9 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -040010 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -070011 "crypto/rsa"
12 "crypto/subtle"
13 "crypto/x509"
14 "encoding/asn1"
15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -040018 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -070019 "net"
20 "strconv"
21)
22
23type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -050024 c *Conn
25 serverHello *serverHelloMsg
26 hello *clientHelloMsg
27 suite *cipherSuite
28 finishedHash finishedHash
29 masterSecret []byte
30 session *ClientSessionState
31 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -070032}
33
34func (c *Conn) clientHandshake() error {
35 if c.config == nil {
36 c.config = defaultConfig()
37 }
38
39 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
40 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
41 }
42
David Benjamin83c0bc92014-08-04 01:23:53 -040043 c.sendHandshakeSeq = 0
44 c.recvHandshakeSeq = 0
45
David Benjaminfa055a22014-09-15 16:51:51 -040046 nextProtosLength := 0
47 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -070048 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -040049 return errors.New("tls: invalid NextProtos value")
50 } else {
51 nextProtosLength += 1 + l
52 }
53 }
54 if nextProtosLength > 0xffff {
55 return errors.New("tls: NextProtos values too large")
56 }
57
Adam Langley95c29f32014-06-20 12:00:00 -070058 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -050059 isDTLS: c.isDTLS,
60 vers: c.config.maxVersion(),
61 compressionMethods: []uint8{compressionNone},
62 random: make([]byte, 32),
63 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +010064 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -050065 serverName: c.config.ServerName,
66 supportedCurves: c.config.curvePreferences(),
67 supportedPoints: []uint8{pointFormatUncompressed},
68 nextProtoNeg: len(c.config.NextProtos) > 0,
69 secureRenegotiation: []byte{},
70 alpnProtocols: c.config.NextProtos,
71 duplicateExtension: c.config.Bugs.DuplicateExtension,
72 channelIDSupported: c.config.ChannelID != nil,
73 npnLast: c.config.Bugs.SwapNPNAndALPN,
74 extendedMasterSecret: c.config.maxVersion() >= VersionTLS10,
75 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
76 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -070077 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -070078 }
79
David Benjamin98e882e2014-08-08 13:24:34 -040080 if c.config.Bugs.SendClientVersion != 0 {
81 hello.vers = c.config.Bugs.SendClientVersion
82 }
83
Adam Langley75712922014-10-10 16:23:43 -070084 if c.config.Bugs.NoExtendedMasterSecret {
85 hello.extendedMasterSecret = false
86 }
87
David Benjamin55a43642015-04-20 14:45:55 -040088 if c.config.Bugs.NoSupportedCurves {
89 hello.supportedCurves = nil
90 }
91
Adam Langley2ae77d22014-10-28 17:29:33 -070092 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
93 if c.config.Bugs.BadRenegotiationInfo {
94 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
95 hello.secureRenegotiation[0] ^= 0x80
96 } else {
97 hello.secureRenegotiation = c.clientVerify
98 }
99 }
100
David Benjamin3e052de2015-11-25 20:10:31 -0500101 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500102 hello.secureRenegotiation = nil
103 }
104
Adam Langley95c29f32014-06-20 12:00:00 -0700105 possibleCipherSuites := c.config.cipherSuites()
106 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
107
108NextCipherSuite:
109 for _, suiteId := range possibleCipherSuites {
110 for _, suite := range cipherSuites {
111 if suite.id != suiteId {
112 continue
113 }
David Benjamin0407e762016-06-17 16:41:18 -0400114 if !c.config.Bugs.EnableAllCiphers {
115 // Don't advertise TLS 1.2-only cipher suites unless
116 // we're attempting TLS 1.2.
117 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
118 continue
119 }
120 // Don't advertise non-DTLS cipher suites in DTLS.
121 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
122 continue
123 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400124 }
Adam Langley95c29f32014-06-20 12:00:00 -0700125 hello.cipherSuites = append(hello.cipherSuites, suiteId)
126 continue NextCipherSuite
127 }
128 }
129
Adam Langley5021b222015-06-12 18:27:58 -0700130 if c.config.Bugs.SendRenegotiationSCSV {
131 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
132 }
133
David Benjaminbef270a2014-08-02 04:22:02 -0400134 if c.config.Bugs.SendFallbackSCSV {
135 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
136 }
137
Adam Langley95c29f32014-06-20 12:00:00 -0700138 _, err := io.ReadFull(c.config.rand(), hello.random)
139 if err != nil {
140 c.sendAlert(alertInternalError)
141 return errors.New("tls: short read from Rand: " + err.Error())
142 }
143
David Benjamin44d3eed2015-05-21 01:29:55 -0400144 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes {
David Benjamin000800a2014-11-14 01:43:59 -0500145 hello.signatureAndHashes = c.config.signatureAndHashesForClient()
Adam Langley95c29f32014-06-20 12:00:00 -0700146 }
147
148 var session *ClientSessionState
149 var cacheKey string
150 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700151
152 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500153 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700154
155 // Try to resume a previously negotiated TLS session, if
156 // available.
157 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
158 candidateSession, ok := sessionCache.Get(cacheKey)
159 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500160 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
161
Adam Langley95c29f32014-06-20 12:00:00 -0700162 // Check that the ciphersuite/version used for the
163 // previous session are still valid.
164 cipherSuiteOk := false
165 for _, id := range hello.cipherSuites {
166 if id == candidateSession.cipherSuite {
167 cipherSuiteOk = true
168 break
169 }
170 }
171
172 versOk := candidateSession.vers >= c.config.minVersion() &&
173 candidateSession.vers <= c.config.maxVersion()
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500174 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700175 session = candidateSession
176 }
177 }
178 }
179
180 if session != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500181 if session.sessionTicket != nil {
182 hello.sessionTicket = session.sessionTicket
183 if c.config.Bugs.CorruptTicket {
184 hello.sessionTicket = make([]byte, len(session.sessionTicket))
185 copy(hello.sessionTicket, session.sessionTicket)
186 if len(hello.sessionTicket) > 0 {
187 offset := 40
188 if offset > len(hello.sessionTicket) {
189 offset = len(hello.sessionTicket) - 1
190 }
191 hello.sessionTicket[offset] ^= 0x40
Adam Langley38311732014-10-16 19:04:35 -0700192 }
Adam Langley38311732014-10-16 19:04:35 -0700193 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500194 // A random session ID is used to detect when the
195 // server accepted the ticket and is resuming a session
196 // (see RFC 5077).
197 sessionIdLen := 16
198 if c.config.Bugs.OversizedSessionId {
199 sessionIdLen = 33
200 }
201 hello.sessionId = make([]byte, sessionIdLen)
202 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
203 c.sendAlert(alertInternalError)
204 return errors.New("tls: short read from Rand: " + err.Error())
205 }
206 } else {
207 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700208 }
209 }
210
David Benjamind86c7672014-08-02 04:07:12 -0400211 var helloBytes []byte
212 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500213 // Test that the peer left-pads random.
214 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400215 v2Hello := &v2ClientHelloMsg{
216 vers: hello.vers,
217 cipherSuites: hello.cipherSuites,
218 // No session resumption for V2ClientHello.
219 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500220 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400221 }
222 helloBytes = v2Hello.marshal()
223 c.writeV2Record(helloBytes)
224 } else {
225 helloBytes = hello.marshal()
226 c.writeRecord(recordTypeHandshake, helloBytes)
227 }
David Benjamina4e6d482015-03-02 19:10:53 -0500228 c.dtlsFlushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700229
David Benjamin83f90402015-01-27 01:09:43 -0500230 if err := c.simulatePacketLoss(nil); err != nil {
231 return err
232 }
Adam Langley95c29f32014-06-20 12:00:00 -0700233 msg, err := c.readHandshake()
234 if err != nil {
235 return err
236 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400237
238 if c.isDTLS {
239 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
240 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400241 if helloVerifyRequest.vers != VersionTLS10 {
242 // Per RFC 6347, the version field in
243 // HelloVerifyRequest SHOULD be always DTLS
244 // 1.0. Enforce this for testing purposes.
245 return errors.New("dtls: bad HelloVerifyRequest version")
246 }
247
David Benjamin83c0bc92014-08-04 01:23:53 -0400248 hello.raw = nil
249 hello.cookie = helloVerifyRequest.cookie
250 helloBytes = hello.marshal()
251 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamina4e6d482015-03-02 19:10:53 -0500252 c.dtlsFlushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400253
David Benjamin83f90402015-01-27 01:09:43 -0500254 if err := c.simulatePacketLoss(nil); err != nil {
255 return err
256 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400257 msg, err = c.readHandshake()
258 if err != nil {
259 return err
260 }
261 }
262 }
263
Adam Langley95c29f32014-06-20 12:00:00 -0700264 serverHello, ok := msg.(*serverHelloMsg)
265 if !ok {
266 c.sendAlert(alertUnexpectedMessage)
267 return unexpectedMessageError(serverHello, msg)
268 }
269
David Benjamin76d8abe2014-08-14 16:25:34 -0400270 c.vers, ok = c.config.mutualVersion(serverHello.vers)
271 if !ok {
Adam Langley95c29f32014-06-20 12:00:00 -0700272 c.sendAlert(alertProtocolVersion)
273 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)
274 }
Adam Langley95c29f32014-06-20 12:00:00 -0700275 c.haveVers = true
276
277 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
278 if suite == nil {
279 c.sendAlert(alertHandshakeFailure)
280 return fmt.Errorf("tls: server selected an unsupported cipher suite")
281 }
282
Adam Langley5021b222015-06-12 18:27:58 -0700283 if c.config.Bugs.RequireRenegotiationInfo && serverHello.secureRenegotiation == nil {
284 return errors.New("tls: renegotiation extension missing")
285 }
286
David Benjamin3e052de2015-11-25 20:10:31 -0500287 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
Adam Langley2ae77d22014-10-28 17:29:33 -0700288 var expectedRenegInfo []byte
289 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
290 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
291 if !bytes.Equal(serverHello.secureRenegotiation, expectedRenegInfo) {
292 c.sendAlert(alertHandshakeFailure)
293 return fmt.Errorf("tls: renegotiation mismatch")
294 }
295 }
296
Adam Langley09505632015-07-30 18:10:13 -0700297 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
298 if serverHello.customExtension != *expected {
299 return fmt.Errorf("tls: bad custom extension contents %q", serverHello.customExtension)
300 }
301 }
302
Adam Langley95c29f32014-06-20 12:00:00 -0700303 hs := &clientHandshakeState{
304 c: c,
305 serverHello: serverHello,
306 hello: hello,
307 suite: suite,
308 finishedHash: newFinishedHash(c.vers, suite),
309 session: session,
310 }
311
David Benjamin83c0bc92014-08-04 01:23:53 -0400312 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
313 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700314
David Benjaminf3ec83d2014-07-21 22:42:34 -0400315 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
316 hs.establishKeys()
317 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
318 }
319
Adam Langley95c29f32014-06-20 12:00:00 -0700320 isResume, err := hs.processServerHello()
321 if err != nil {
322 return err
323 }
324
325 if isResume {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400326 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
327 if err := hs.establishKeys(); err != nil {
328 return err
329 }
Adam Langley95c29f32014-06-20 12:00:00 -0700330 }
331 if err := hs.readSessionTicket(); err != nil {
332 return err
333 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700334 if err := hs.readFinished(c.firstFinished[:]); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700335 return err
336 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700337 if err := hs.sendFinished(nil, isResume); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700338 return err
339 }
340 } else {
341 if err := hs.doFullHandshake(); err != nil {
342 return err
343 }
344 if err := hs.establishKeys(); err != nil {
345 return err
346 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700347 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700348 return err
349 }
David Benjamin83f90402015-01-27 01:09:43 -0500350 // Most retransmits are triggered by a timeout, but the final
351 // leg of the handshake is retransmited upon re-receiving a
352 // Finished.
David Benjaminb3774b92015-01-31 17:16:01 -0500353 if err := c.simulatePacketLoss(func() {
354 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
David Benjamina4e6d482015-03-02 19:10:53 -0500355 c.dtlsFlushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500356 }); err != nil {
David Benjamin83f90402015-01-27 01:09:43 -0500357 return err
358 }
Adam Langley95c29f32014-06-20 12:00:00 -0700359 if err := hs.readSessionTicket(); err != nil {
360 return err
361 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700362 if err := hs.readFinished(nil); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700363 return err
364 }
365 }
366
367 if sessionCache != nil && hs.session != nil && session != hs.session {
David Benjaminef1b0092015-11-21 14:05:44 -0500368 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
369 return errors.New("tls: new session used session IDs instead of tickets")
370 }
Adam Langley95c29f32014-06-20 12:00:00 -0700371 sessionCache.Put(cacheKey, hs.session)
372 }
373
374 c.didResume = isResume
375 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400376 c.cipherSuite = suite
377 copy(c.clientRandom[:], hs.hello.random)
378 copy(c.serverRandom[:], hs.serverHello.random)
379 copy(c.masterSecret[:], hs.masterSecret)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100380
Adam Langley95c29f32014-06-20 12:00:00 -0700381 return nil
382}
383
384func (hs *clientHandshakeState) doFullHandshake() error {
385 c := hs.c
386
David Benjamin48cae082014-10-27 01:06:24 -0400387 var leaf *x509.Certificate
388 if hs.suite.flags&suitePSK == 0 {
389 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700390 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700391 return err
392 }
Adam Langley95c29f32014-06-20 12:00:00 -0700393
David Benjamin48cae082014-10-27 01:06:24 -0400394 certMsg, ok := msg.(*certificateMsg)
395 if !ok || len(certMsg.certificates) == 0 {
396 c.sendAlert(alertUnexpectedMessage)
397 return unexpectedMessageError(certMsg, msg)
398 }
399 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700400
David Benjamin48cae082014-10-27 01:06:24 -0400401 certs := make([]*x509.Certificate, len(certMsg.certificates))
402 for i, asn1Data := range certMsg.certificates {
403 cert, err := x509.ParseCertificate(asn1Data)
404 if err != nil {
405 c.sendAlert(alertBadCertificate)
406 return errors.New("tls: failed to parse certificate from server: " + err.Error())
407 }
408 certs[i] = cert
409 }
410 leaf = certs[0]
411
412 if !c.config.InsecureSkipVerify {
413 opts := x509.VerifyOptions{
414 Roots: c.config.RootCAs,
415 CurrentTime: c.config.time(),
416 DNSName: c.config.ServerName,
417 Intermediates: x509.NewCertPool(),
418 }
419
420 for i, cert := range certs {
421 if i == 0 {
422 continue
423 }
424 opts.Intermediates.AddCert(cert)
425 }
426 c.verifiedChains, err = leaf.Verify(opts)
427 if err != nil {
428 c.sendAlert(alertBadCertificate)
429 return err
430 }
431 }
432
433 switch leaf.PublicKey.(type) {
434 case *rsa.PublicKey, *ecdsa.PublicKey:
435 break
436 default:
437 c.sendAlert(alertUnsupportedCertificate)
438 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leaf.PublicKey)
439 }
440
441 c.peerCertificates = certs
442 }
Adam Langley95c29f32014-06-20 12:00:00 -0700443
444 if hs.serverHello.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400445 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700446 if err != nil {
447 return err
448 }
449 cs, ok := msg.(*certificateStatusMsg)
450 if !ok {
451 c.sendAlert(alertUnexpectedMessage)
452 return unexpectedMessageError(cs, msg)
453 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400454 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700455
456 if cs.statusType == statusTypeOCSP {
457 c.ocspResponse = cs.response
458 }
459 }
460
David Benjamin48cae082014-10-27 01:06:24 -0400461 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700462 if err != nil {
463 return err
464 }
465
466 keyAgreement := hs.suite.ka(c.vers)
467
468 skx, ok := msg.(*serverKeyExchangeMsg)
469 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400470 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400471 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700472 if err != nil {
473 c.sendAlert(alertUnexpectedMessage)
474 return err
475 }
476
477 msg, err = c.readHandshake()
478 if err != nil {
479 return err
480 }
481 }
482
483 var chainToSend *Certificate
484 var certRequested bool
485 certReq, ok := msg.(*certificateRequestMsg)
486 if ok {
487 certRequested = true
488
489 // RFC 4346 on the certificateAuthorities field:
490 // A list of the distinguished names of acceptable certificate
491 // authorities. These distinguished names may specify a desired
492 // distinguished name for a root CA or for a subordinate CA;
493 // thus, this message can be used to describe both known roots
494 // and a desired authorization space. If the
495 // certificate_authorities list is empty then the client MAY
496 // send any certificate of the appropriate
497 // ClientCertificateType, unless there is some external
498 // arrangement to the contrary.
499
David Benjamin83c0bc92014-08-04 01:23:53 -0400500 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700501
502 var rsaAvail, ecdsaAvail bool
503 for _, certType := range certReq.certificateTypes {
504 switch certType {
David Benjamin7b030512014-07-08 17:30:11 -0400505 case CertTypeRSASign:
Adam Langley95c29f32014-06-20 12:00:00 -0700506 rsaAvail = true
David Benjamin7b030512014-07-08 17:30:11 -0400507 case CertTypeECDSASign:
Adam Langley95c29f32014-06-20 12:00:00 -0700508 ecdsaAvail = true
509 }
510 }
511
512 // We need to search our list of client certs for one
513 // where SignatureAlgorithm is RSA and the Issuer is in
514 // certReq.certificateAuthorities
515 findCert:
516 for i, chain := range c.config.Certificates {
517 if !rsaAvail && !ecdsaAvail {
518 continue
519 }
520
521 for j, cert := range chain.Certificate {
522 x509Cert := chain.Leaf
523 // parse the certificate if this isn't the leaf
524 // node, or if chain.Leaf was nil
525 if j != 0 || x509Cert == nil {
526 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
527 c.sendAlert(alertInternalError)
528 return errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
529 }
530 }
531
532 switch {
533 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
534 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
535 default:
536 continue findCert
537 }
538
539 if len(certReq.certificateAuthorities) == 0 {
540 // they gave us an empty list, so just take the
541 // first RSA cert from c.config.Certificates
542 chainToSend = &chain
543 break findCert
544 }
545
546 for _, ca := range certReq.certificateAuthorities {
547 if bytes.Equal(x509Cert.RawIssuer, ca) {
548 chainToSend = &chain
549 break findCert
550 }
551 }
552 }
553 }
554
555 msg, err = c.readHandshake()
556 if err != nil {
557 return err
558 }
559 }
560
561 shd, ok := msg.(*serverHelloDoneMsg)
562 if !ok {
563 c.sendAlert(alertUnexpectedMessage)
564 return unexpectedMessageError(shd, msg)
565 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400566 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700567
568 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500569 // Certificate message in TLS, even if it's empty because we don't have
570 // a certificate to send. In SSL 3.0, skip the message and send a
571 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700572 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500573 if c.vers == VersionSSL30 && chainToSend == nil {
574 c.sendAlert(alertNoCertficate)
575 } else if !c.config.Bugs.SkipClientCertificate {
576 certMsg := new(certificateMsg)
577 if chainToSend != nil {
578 certMsg.certificates = chainToSend.Certificate
579 }
580 hs.writeClientHash(certMsg.marshal())
581 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700582 }
Adam Langley95c29f32014-06-20 12:00:00 -0700583 }
584
David Benjamin48cae082014-10-27 01:06:24 -0400585 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700586 if err != nil {
587 c.sendAlert(alertInternalError)
588 return err
589 }
590 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400591 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400592 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400593 }
Adam Langley95c29f32014-06-20 12:00:00 -0700594 c.writeRecord(recordTypeHandshake, ckx.marshal())
595 }
596
Adam Langley75712922014-10-10 16:23:43 -0700597 if hs.serverHello.extendedMasterSecret && c.vers >= VersionTLS10 {
598 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
599 c.extendedMasterSecret = true
600 } else {
601 if c.config.Bugs.RequireExtendedMasterSecret {
602 return errors.New("tls: extended master secret required but not supported by peer")
603 }
604 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
605 }
David Benjamine098ec22014-08-27 23:13:20 -0400606
Adam Langley95c29f32014-06-20 12:00:00 -0700607 if chainToSend != nil {
608 var signed []byte
609 certVerify := &certificateVerifyMsg{
610 hasSignatureAndHash: c.vers >= VersionTLS12,
611 }
612
David Benjamin72dc7832015-03-16 17:49:43 -0400613 // Determine the hash to sign.
614 var signatureType uint8
615 switch c.config.Certificates[0].PrivateKey.(type) {
616 case *ecdsa.PrivateKey:
617 signatureType = signatureECDSA
618 case *rsa.PrivateKey:
619 signatureType = signatureRSA
620 default:
621 c.sendAlert(alertInternalError)
622 return errors.New("unknown private key type")
623 }
624 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
625 certReq.signatureAndHashes = c.config.signatureAndHashesForClient()
626 }
627 certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, c.config.signatureAndHashesForClient(), signatureType)
628 if err != nil {
629 c.sendAlert(alertInternalError)
630 return err
631 }
632 digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
633 if err != nil {
634 c.sendAlert(alertInternalError)
635 return err
636 }
David Benjamin6de0e532015-07-28 22:43:19 -0400637 if c.config.Bugs.InvalidCertVerifySignature {
638 digest[0] ^= 0x80
639 }
David Benjamin72dc7832015-03-16 17:49:43 -0400640
Adam Langley95c29f32014-06-20 12:00:00 -0700641 switch key := c.config.Certificates[0].PrivateKey.(type) {
642 case *ecdsa.PrivateKey:
David Benjaminde620d92014-07-18 15:03:41 -0400643 var r, s *big.Int
644 r, s, err = ecdsa.Sign(c.config.rand(), key, digest)
Adam Langley95c29f32014-06-20 12:00:00 -0700645 if err == nil {
646 signed, err = asn1.Marshal(ecdsaSignature{r, s})
647 }
Adam Langley95c29f32014-06-20 12:00:00 -0700648 case *rsa.PrivateKey:
Adam Langley95c29f32014-06-20 12:00:00 -0700649 signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)
Adam Langley95c29f32014-06-20 12:00:00 -0700650 default:
651 err = errors.New("unknown private key type")
652 }
653 if err != nil {
654 c.sendAlert(alertInternalError)
655 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
656 }
657 certVerify.signature = signed
658
David Benjamin83c0bc92014-08-04 01:23:53 -0400659 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700660 c.writeRecord(recordTypeHandshake, certVerify.marshal())
661 }
David Benjamina4e6d482015-03-02 19:10:53 -0500662 c.dtlsFlushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700663
David Benjamine098ec22014-08-27 23:13:20 -0400664 hs.finishedHash.discardHandshakeBuffer()
665
Adam Langley95c29f32014-06-20 12:00:00 -0700666 return nil
667}
668
669func (hs *clientHandshakeState) establishKeys() error {
670 c := hs.c
671
672 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
673 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
674 var clientCipher, serverCipher interface{}
675 var clientHash, serverHash macFunction
676 if hs.suite.cipher != nil {
677 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
678 clientHash = hs.suite.mac(c.vers, clientMAC)
679 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
680 serverHash = hs.suite.mac(c.vers, serverMAC)
681 } else {
682 clientCipher = hs.suite.aead(clientKey, clientIV)
683 serverCipher = hs.suite.aead(serverKey, serverIV)
684 }
685
686 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
687 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
688 return nil
689}
690
691func (hs *clientHandshakeState) serverResumedSession() bool {
692 // If the server responded with the same sessionId then it means the
693 // sessionTicket is being used to resume a TLS session.
694 return hs.session != nil && hs.hello.sessionId != nil &&
695 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
696}
697
698func (hs *clientHandshakeState) processServerHello() (bool, error) {
699 c := hs.c
700
701 if hs.serverHello.compressionMethod != compressionNone {
702 c.sendAlert(alertUnexpectedMessage)
703 return false, errors.New("tls: server selected unsupported compression format")
704 }
705
David Benjaminfa055a22014-09-15 16:51:51 -0400706 clientDidNPN := hs.hello.nextProtoNeg
707 clientDidALPN := len(hs.hello.alpnProtocols) > 0
708 serverHasNPN := hs.serverHello.nextProtoNeg
709 serverHasALPN := len(hs.serverHello.alpnProtocol) > 0
710
711 if !clientDidNPN && serverHasNPN {
Adam Langley95c29f32014-06-20 12:00:00 -0700712 c.sendAlert(alertHandshakeFailure)
713 return false, errors.New("server advertised unrequested NPN extension")
714 }
715
David Benjaminfa055a22014-09-15 16:51:51 -0400716 if !clientDidALPN && serverHasALPN {
717 c.sendAlert(alertHandshakeFailure)
718 return false, errors.New("server advertised unrequested ALPN extension")
719 }
720
721 if serverHasNPN && serverHasALPN {
722 c.sendAlert(alertHandshakeFailure)
723 return false, errors.New("server advertised both NPN and ALPN extensions")
724 }
725
726 if serverHasALPN {
727 c.clientProtocol = hs.serverHello.alpnProtocol
728 c.clientProtocolFallback = false
David Benjaminfc7b0862014-09-06 13:21:53 -0400729 c.usedALPN = true
David Benjaminfa055a22014-09-15 16:51:51 -0400730 }
731
David Benjamind30a9902014-08-24 01:44:23 -0400732 if !hs.hello.channelIDSupported && hs.serverHello.channelIDRequested {
733 c.sendAlert(alertHandshakeFailure)
734 return false, errors.New("server advertised unrequested Channel ID extension")
735 }
736
David Benjaminca6c8262014-11-15 19:06:08 -0500737 if hs.serverHello.srtpProtectionProfile != 0 {
738 if hs.serverHello.srtpMasterKeyIdentifier != "" {
739 return false, errors.New("tls: server selected SRTP MKI value")
740 }
741
742 found := false
743 for _, p := range c.config.SRTPProtectionProfiles {
744 if p == hs.serverHello.srtpProtectionProfile {
745 found = true
746 break
747 }
748 }
749 if !found {
750 return false, errors.New("tls: server advertised unsupported SRTP profile")
751 }
752
753 c.srtpProtectionProfile = hs.serverHello.srtpProtectionProfile
754 }
755
Adam Langley95c29f32014-06-20 12:00:00 -0700756 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400757 // For test purposes, assert that the server never accepts the
758 // resumption offer on renegotiation.
759 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
760 return false, errors.New("tls: server resumed session on renegotiation")
761 }
762
Paul Lietar62be8ac2015-09-16 10:03:30 +0100763 if hs.serverHello.sctList != nil {
764 return false, errors.New("tls: server sent SCT extension on session resumption")
765 }
766
767 if hs.serverHello.ocspStapling {
768 return false, errors.New("tls: server sent OCSP extension on session resumption")
769 }
770
Adam Langley95c29f32014-06-20 12:00:00 -0700771 // Restore masterSecret and peerCerts from previous state
772 hs.masterSecret = hs.session.masterSecret
773 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700774 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100775 c.sctList = hs.session.sctList
776 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400777 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700778 return true, nil
779 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100780
781 if hs.serverHello.sctList != nil {
782 c.sctList = hs.serverHello.sctList
783 }
784
Adam Langley95c29f32014-06-20 12:00:00 -0700785 return false, nil
786}
787
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700788func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700789 c := hs.c
790
791 c.readRecord(recordTypeChangeCipherSpec)
792 if err := c.in.error(); err != nil {
793 return err
794 }
795
796 msg, err := c.readHandshake()
797 if err != nil {
798 return err
799 }
800 serverFinished, ok := msg.(*finishedMsg)
801 if !ok {
802 c.sendAlert(alertUnexpectedMessage)
803 return unexpectedMessageError(serverFinished, msg)
804 }
805
David Benjaminf3ec83d2014-07-21 22:42:34 -0400806 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
807 verify := hs.finishedHash.serverSum(hs.masterSecret)
808 if len(verify) != len(serverFinished.verifyData) ||
809 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
810 c.sendAlert(alertHandshakeFailure)
811 return errors.New("tls: server's Finished message was incorrect")
812 }
Adam Langley95c29f32014-06-20 12:00:00 -0700813 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700814 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700815 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400816 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700817 return nil
818}
819
820func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500821 c := hs.c
822
823 // Create a session with no server identifier. Either a
824 // session ID or session ticket will be attached.
825 session := &ClientSessionState{
826 vers: c.vers,
827 cipherSuite: hs.suite.id,
828 masterSecret: hs.masterSecret,
829 handshakeHash: hs.finishedHash.server.Sum(nil),
830 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100831 sctList: c.sctList,
832 ocspResponse: c.ocspResponse,
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500833 }
834
Adam Langley95c29f32014-06-20 12:00:00 -0700835 if !hs.serverHello.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400836 if c.config.Bugs.ExpectNewTicket {
837 return errors.New("tls: expected new ticket")
838 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500839 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
840 session.sessionId = hs.serverHello.sessionId
841 hs.session = session
842 }
Adam Langley95c29f32014-06-20 12:00:00 -0700843 return nil
844 }
845
David Benjaminc7ce9772015-10-09 19:32:41 -0400846 if c.vers == VersionSSL30 {
847 return errors.New("tls: negotiated session tickets in SSL 3.0")
848 }
849
Adam Langley95c29f32014-06-20 12:00:00 -0700850 msg, err := c.readHandshake()
851 if err != nil {
852 return err
853 }
854 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
855 if !ok {
856 c.sendAlert(alertUnexpectedMessage)
857 return unexpectedMessageError(sessionTicketMsg, msg)
858 }
Adam Langley95c29f32014-06-20 12:00:00 -0700859
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500860 session.sessionTicket = sessionTicketMsg.ticket
861 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700862
David Benjamind30a9902014-08-24 01:44:23 -0400863 hs.writeServerHash(sessionTicketMsg.marshal())
864
Adam Langley95c29f32014-06-20 12:00:00 -0700865 return nil
866}
867
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700868func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700869 c := hs.c
870
David Benjamin86271ee2014-07-21 16:14:03 -0400871 var postCCSBytes []byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400872 seqno := hs.c.sendHandshakeSeq
Adam Langley95c29f32014-06-20 12:00:00 -0700873 if hs.serverHello.nextProtoNeg {
874 nextProto := new(nextProtoMsg)
875 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)
876 nextProto.proto = proto
877 c.clientProtocol = proto
878 c.clientProtocolFallback = fallback
879
David Benjamin86271ee2014-07-21 16:14:03 -0400880 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400881 hs.writeHash(nextProtoBytes, seqno)
882 seqno++
David Benjamin86271ee2014-07-21 16:14:03 -0400883 postCCSBytes = append(postCCSBytes, nextProtoBytes...)
Adam Langley95c29f32014-06-20 12:00:00 -0700884 }
885
David Benjamind30a9902014-08-24 01:44:23 -0400886 if hs.serverHello.channelIDRequested {
887 encryptedExtensions := new(encryptedExtensionsMsg)
888 if c.config.ChannelID.Curve != elliptic.P256() {
889 return fmt.Errorf("tls: Channel ID is not on P-256.")
890 }
891 var resumeHash []byte
892 if isResume {
893 resumeHash = hs.session.handshakeHash
894 }
895 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
896 if err != nil {
897 return err
898 }
899 channelID := make([]byte, 128)
900 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
901 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
902 writeIntPadded(channelID[64:96], r)
903 writeIntPadded(channelID[96:128], s)
904 encryptedExtensions.channelID = channelID
905
906 c.channelID = &c.config.ChannelID.PublicKey
907
908 encryptedExtensionsBytes := encryptedExtensions.marshal()
909 hs.writeHash(encryptedExtensionsBytes, seqno)
910 seqno++
911 postCCSBytes = append(postCCSBytes, encryptedExtensionsBytes...)
912 }
913
Adam Langley95c29f32014-06-20 12:00:00 -0700914 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400915 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
916 finished.verifyData = hs.finishedHash.clientSum(nil)
917 } else {
918 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
919 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700920 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400921 if c.config.Bugs.BadFinished {
922 finished.verifyData[0]++
923 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700924 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500925 hs.finishedBytes = finished.marshal()
926 hs.writeHash(hs.finishedBytes, seqno)
927 postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
David Benjamin86271ee2014-07-21 16:14:03 -0400928
929 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
930 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
931 postCCSBytes = postCCSBytes[5:]
932 }
David Benjamina4e6d482015-03-02 19:10:53 -0500933 c.dtlsFlushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400934
935 if !c.config.Bugs.SkipChangeCipherSpec &&
936 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500937 ccs := []byte{1}
938 if c.config.Bugs.BadChangeCipherSpec != nil {
939 ccs = c.config.Bugs.BadChangeCipherSpec
940 }
941 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400942 }
943
David Benjamin4189bd92015-01-25 23:52:39 -0500944 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
945 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
946 }
David Benjamindc3da932015-03-12 15:09:02 -0400947 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
948 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
949 return errors.New("tls: simulating post-CCS alert")
950 }
David Benjamin4189bd92015-01-25 23:52:39 -0500951
David Benjaminb80168e2015-02-08 18:30:14 -0500952 if !c.config.Bugs.SkipFinished {
953 c.writeRecord(recordTypeHandshake, postCCSBytes)
David Benjamina4e6d482015-03-02 19:10:53 -0500954 c.dtlsFlushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500955 }
Adam Langley95c29f32014-06-20 12:00:00 -0700956 return nil
957}
958
David Benjamin83c0bc92014-08-04 01:23:53 -0400959func (hs *clientHandshakeState) writeClientHash(msg []byte) {
960 // writeClientHash is called before writeRecord.
961 hs.writeHash(msg, hs.c.sendHandshakeSeq)
962}
963
964func (hs *clientHandshakeState) writeServerHash(msg []byte) {
965 // writeServerHash is called after readHandshake.
966 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
967}
968
969func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
970 if hs.c.isDTLS {
971 // This is somewhat hacky. DTLS hashes a slightly different format.
972 // First, the TLS header.
973 hs.finishedHash.Write(msg[:4])
974 // Then the sequence number and reassembled fragment offset (always 0).
975 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
976 // Then the reassembled fragment (always equal to the message length).
977 hs.finishedHash.Write(msg[1:4])
978 // And then the message body.
979 hs.finishedHash.Write(msg[4:])
980 } else {
981 hs.finishedHash.Write(msg)
982 }
983}
984
Adam Langley95c29f32014-06-20 12:00:00 -0700985// clientSessionCacheKey returns a key used to cache sessionTickets that could
986// be used to resume previously negotiated TLS sessions with a server.
987func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
988 if len(config.ServerName) > 0 {
989 return config.ServerName
990 }
991 return serverAddr.String()
992}
993
David Benjaminfa055a22014-09-15 16:51:51 -0400994// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
995// given list of possible protocols and a list of the preference order. The
996// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700997// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400998func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
999 for _, s := range preferenceProtos {
1000 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -07001001 if s == c {
1002 return s, false
1003 }
1004 }
1005 }
1006
David Benjaminfa055a22014-09-15 16:51:51 -04001007 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -07001008}
David Benjamind30a9902014-08-24 01:44:23 -04001009
1010// writeIntPadded writes x into b, padded up with leading zeros as
1011// needed.
1012func writeIntPadded(b []byte, x *big.Int) {
1013 for i := range b {
1014 b[i] = 0
1015 }
1016 xb := x.Bytes()
1017 copy(b[len(b)-len(xb):], xb)
1018}