Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 0b7ca7dc0098f329d6348a45e372bd884f92bc97 / . / ssl / test / runner / handshake_client.go
blob: 67609fcd6cd5f299ea35eb6b452862bc88395251 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
9 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]10 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]11 "crypto/rsa"
12 "crypto/subtle"
13 "crypto/x509"
14 "encoding/asn1"
15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
21)
22
23type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]24 c *Conn
25 serverHello *serverHelloMsg
26 hello *clientHelloMsg
27 suite *cipherSuite
28 finishedHash finishedHash
29 masterSecret []byte
30 session *ClientSessionState
31 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]32}
33
34func (c *Conn) clientHandshake() error {
35 if c.config == nil {
36 c.config = defaultConfig()
37 }
38
39 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
40 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
41 }
42
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]43 c.sendHandshakeSeq = 0
44 c.recvHandshakeSeq = 0
45
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]46 nextProtosLength := 0
47 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]48 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]49 return errors.New("tls: invalid NextProtos value")
50 } else {
51 nextProtosLength += 1 + l
52 }
53 }
54 if nextProtosLength > 0xffff {
55 return errors.New("tls: NextProtos values too large")
56 }
57
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]58 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]59 isDTLS: c.isDTLS,
60 vers: c.config.maxVersion(),
61 compressionMethods: []uint8{compressionNone},
62 random: make([]byte, 32),
63 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]64 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]65 serverName: c.config.ServerName,
66 supportedCurves: c.config.curvePreferences(),
67 supportedPoints: []uint8{pointFormatUncompressed},
68 nextProtoNeg: len(c.config.NextProtos) > 0,
69 secureRenegotiation: []byte{},
70 alpnProtocols: c.config.NextProtos,
71 duplicateExtension: c.config.Bugs.DuplicateExtension,
72 channelIDSupported: c.config.ChannelID != nil,
73 npnLast: c.config.Bugs.SwapNPNAndALPN,
74 extendedMasterSecret: c.config.maxVersion() >= VersionTLS10,
75 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
76 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]77 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]78 }
79
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]80 if c.config.Bugs.SendClientVersion != 0 {
81 hello.vers = c.config.Bugs.SendClientVersion
82 }
83
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]84 if c.config.Bugs.NoExtendedMasterSecret {
85 hello.extendedMasterSecret = false
86 }
87
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]88 if c.config.Bugs.NoSupportedCurves {
89 hello.supportedCurves = nil
90 }
91
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]92 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
93 if c.config.Bugs.BadRenegotiationInfo {
94 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
95 hello.secureRenegotiation[0] ^= 0x80
96 } else {
97 hello.secureRenegotiation = c.clientVerify
98 }
99 }
100
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]101 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]102 hello.secureRenegotiation = nil
103 }
104
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]105 possibleCipherSuites := c.config.cipherSuites()
106 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
107
108NextCipherSuite:
109 for _, suiteId := range possibleCipherSuites {
110 for _, suite := range cipherSuites {
111 if suite.id != suiteId {
112 continue
113 }
114 // Don't advertise TLS 1.2-only cipher suites unless
115 // we're attempting TLS 1.2.
116 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
117 continue
118 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]119 // Don't advertise non-DTLS cipher suites on DTLS.
David Benjamin0fa40122015-05-30 17:13:12 -0400[diff] [blame]120 if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]121 continue
122 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]123 hello.cipherSuites = append(hello.cipherSuites, suiteId)
124 continue NextCipherSuite
125 }
126 }
127
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]128 if c.config.Bugs.SendRenegotiationSCSV {
129 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
130 }
131
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]132 if c.config.Bugs.SendFallbackSCSV {
133 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
134 }
135
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]136 _, err := io.ReadFull(c.config.rand(), hello.random)
137 if err != nil {
138 c.sendAlert(alertInternalError)
139 return errors.New("tls: short read from Rand: " + err.Error())
140 }
141
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]142 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]143 hello.signatureAndHashes = c.config.signatureAndHashesForClient()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]144 }
145
146 var session *ClientSessionState
147 var cacheKey string
148 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149
150 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]151 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]152
153 // Try to resume a previously negotiated TLS session, if
154 // available.
155 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
156 candidateSession, ok := sessionCache.Get(cacheKey)
157 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]158 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
159
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]160 // Check that the ciphersuite/version used for the
161 // previous session are still valid.
162 cipherSuiteOk := false
163 for _, id := range hello.cipherSuites {
164 if id == candidateSession.cipherSuite {
165 cipherSuiteOk = true
166 break
167 }
168 }
169
170 versOk := candidateSession.vers >= c.config.minVersion() &&
171 candidateSession.vers <= c.config.maxVersion()
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]172 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]173 session = candidateSession
174 }
175 }
176 }
177
178 if session != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]179 if session.sessionTicket != nil {
180 hello.sessionTicket = session.sessionTicket
181 if c.config.Bugs.CorruptTicket {
182 hello.sessionTicket = make([]byte, len(session.sessionTicket))
183 copy(hello.sessionTicket, session.sessionTicket)
184 if len(hello.sessionTicket) > 0 {
185 offset := 40
186 if offset > len(hello.sessionTicket) {
187 offset = len(hello.sessionTicket) - 1
188 }
189 hello.sessionTicket[offset] ^= 0x40
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]190 }
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]191 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]192 // A random session ID is used to detect when the
193 // server accepted the ticket and is resuming a session
194 // (see RFC 5077).
195 sessionIdLen := 16
196 if c.config.Bugs.OversizedSessionId {
197 sessionIdLen = 33
198 }
199 hello.sessionId = make([]byte, sessionIdLen)
200 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
201 c.sendAlert(alertInternalError)
202 return errors.New("tls: short read from Rand: " + err.Error())
203 }
204 } else {
205 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]206 }
207 }
208
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]209 var helloBytes []byte
210 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]211 // Test that the peer left-pads random.
212 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]213 v2Hello := &v2ClientHelloMsg{
214 vers: hello.vers,
215 cipherSuites: hello.cipherSuites,
216 // No session resumption for V2ClientHello.
217 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]218 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]219 }
220 helloBytes = v2Hello.marshal()
221 c.writeV2Record(helloBytes)
222 } else {
223 helloBytes = hello.marshal()
224 c.writeRecord(recordTypeHandshake, helloBytes)
225 }
David Benjamina4e6d482015-03-02 19:10:53 -0500[diff] [blame]226 c.dtlsFlushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]227
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]228 if err := c.simulatePacketLoss(nil); err != nil {
229 return err
230 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]231 msg, err := c.readHandshake()
232 if err != nil {
233 return err
234 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]235
236 if c.isDTLS {
237 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
238 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]239 if helloVerifyRequest.vers != VersionTLS10 {
240 // Per RFC 6347, the version field in
241 // HelloVerifyRequest SHOULD be always DTLS
242 // 1.0. Enforce this for testing purposes.
243 return errors.New("dtls: bad HelloVerifyRequest version")
244 }
245
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]246 hello.raw = nil
247 hello.cookie = helloVerifyRequest.cookie
248 helloBytes = hello.marshal()
249 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamina4e6d482015-03-02 19:10:53 -0500[diff] [blame]250 c.dtlsFlushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]251
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]252 if err := c.simulatePacketLoss(nil); err != nil {
253 return err
254 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]255 msg, err = c.readHandshake()
256 if err != nil {
257 return err
258 }
259 }
260 }
261
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]262 serverHello, ok := msg.(*serverHelloMsg)
263 if !ok {
264 c.sendAlert(alertUnexpectedMessage)
265 return unexpectedMessageError(serverHello, msg)
266 }
267
David Benjamin76d8abe2014-08-14 16:25:34 -0400[diff] [blame]268 c.vers, ok = c.config.mutualVersion(serverHello.vers)
269 if !ok {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]270 c.sendAlert(alertProtocolVersion)
271 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)
272 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]273 c.haveVers = true
274
275 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
276 if suite == nil {
277 c.sendAlert(alertHandshakeFailure)
278 return fmt.Errorf("tls: server selected an unsupported cipher suite")
279 }
280
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]281 if c.config.Bugs.RequireRenegotiationInfo && serverHello.secureRenegotiation == nil {
282 return errors.New("tls: renegotiation extension missing")
283 }
284
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]285 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]286 var expectedRenegInfo []byte
287 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
288 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
289 if !bytes.Equal(serverHello.secureRenegotiation, expectedRenegInfo) {
290 c.sendAlert(alertHandshakeFailure)
291 return fmt.Errorf("tls: renegotiation mismatch")
292 }
293 }
294
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]295 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
296 if serverHello.customExtension != *expected {
297 return fmt.Errorf("tls: bad custom extension contents %q", serverHello.customExtension)
298 }
299 }
300
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301 hs := &clientHandshakeState{
302 c: c,
303 serverHello: serverHello,
304 hello: hello,
305 suite: suite,
306 finishedHash: newFinishedHash(c.vers, suite),
307 session: session,
308 }
309
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]310 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
311 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]312
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]313 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
314 hs.establishKeys()
315 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
316 }
317
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]318 isResume, err := hs.processServerHello()
319 if err != nil {
320 return err
321 }
322
323 if isResume {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]324 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
325 if err := hs.establishKeys(); err != nil {
326 return err
327 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]328 }
329 if err := hs.readSessionTicket(); err != nil {
330 return err
331 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]332 if err := hs.readFinished(c.firstFinished[:]); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]333 return err
334 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]335 if err := hs.sendFinished(nil, isResume); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]336 return err
337 }
338 } else {
339 if err := hs.doFullHandshake(); err != nil {
340 return err
341 }
342 if err := hs.establishKeys(); err != nil {
343 return err
344 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]345 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]346 return err
347 }
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]348 // Most retransmits are triggered by a timeout, but the final
349 // leg of the handshake is retransmited upon re-receiving a
350 // Finished.
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]351 if err := c.simulatePacketLoss(func() {
352 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
David Benjamina4e6d482015-03-02 19:10:53 -0500[diff] [blame]353 c.dtlsFlushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]354 }); err != nil {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]355 return err
356 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]357 if err := hs.readSessionTicket(); err != nil {
358 return err
359 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]360 if err := hs.readFinished(nil); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]361 return err
362 }
363 }
364
365 if sessionCache != nil && hs.session != nil && session != hs.session {
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]366 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
367 return errors.New("tls: new session used session IDs instead of tickets")
368 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]369 sessionCache.Put(cacheKey, hs.session)
370 }
371
372 c.didResume = isResume
373 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]374 c.cipherSuite = suite
375 copy(c.clientRandom[:], hs.hello.random)
376 copy(c.serverRandom[:], hs.serverHello.random)
377 copy(c.masterSecret[:], hs.masterSecret)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]378
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]379 return nil
380}
381
382func (hs *clientHandshakeState) doFullHandshake() error {
383 c := hs.c
384
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]385 var leaf *x509.Certificate
386 if hs.suite.flags&suitePSK == 0 {
387 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]388 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]389 return err
390 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]391
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]392 certMsg, ok := msg.(*certificateMsg)
393 if !ok || len(certMsg.certificates) == 0 {
394 c.sendAlert(alertUnexpectedMessage)
395 return unexpectedMessageError(certMsg, msg)
396 }
397 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]398
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]399 certs := make([]*x509.Certificate, len(certMsg.certificates))
400 for i, asn1Data := range certMsg.certificates {
401 cert, err := x509.ParseCertificate(asn1Data)
402 if err != nil {
403 c.sendAlert(alertBadCertificate)
404 return errors.New("tls: failed to parse certificate from server: " + err.Error())
405 }
406 certs[i] = cert
407 }
408 leaf = certs[0]
409
410 if !c.config.InsecureSkipVerify {
411 opts := x509.VerifyOptions{
412 Roots: c.config.RootCAs,
413 CurrentTime: c.config.time(),
414 DNSName: c.config.ServerName,
415 Intermediates: x509.NewCertPool(),
416 }
417
418 for i, cert := range certs {
419 if i == 0 {
420 continue
421 }
422 opts.Intermediates.AddCert(cert)
423 }
424 c.verifiedChains, err = leaf.Verify(opts)
425 if err != nil {
426 c.sendAlert(alertBadCertificate)
427 return err
428 }
429 }
430
431 switch leaf.PublicKey.(type) {
432 case *rsa.PublicKey, *ecdsa.PublicKey:
433 break
434 default:
435 c.sendAlert(alertUnsupportedCertificate)
436 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leaf.PublicKey)
437 }
438
439 c.peerCertificates = certs
440 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]441
442 if hs.serverHello.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]443 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]444 if err != nil {
445 return err
446 }
447 cs, ok := msg.(*certificateStatusMsg)
448 if !ok {
449 c.sendAlert(alertUnexpectedMessage)
450 return unexpectedMessageError(cs, msg)
451 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]452 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]453
454 if cs.statusType == statusTypeOCSP {
455 c.ocspResponse = cs.response
456 }
457 }
458
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]459 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]460 if err != nil {
461 return err
462 }
463
464 keyAgreement := hs.suite.ka(c.vers)
465
466 skx, ok := msg.(*serverKeyExchangeMsg)
467 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]468 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]469 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]470 if err != nil {
471 c.sendAlert(alertUnexpectedMessage)
472 return err
473 }
474
475 msg, err = c.readHandshake()
476 if err != nil {
477 return err
478 }
479 }
480
481 var chainToSend *Certificate
482 var certRequested bool
483 certReq, ok := msg.(*certificateRequestMsg)
484 if ok {
485 certRequested = true
486
487 // RFC 4346 on the certificateAuthorities field:
488 // A list of the distinguished names of acceptable certificate
489 // authorities. These distinguished names may specify a desired
490 // distinguished name for a root CA or for a subordinate CA;
491 // thus, this message can be used to describe both known roots
492 // and a desired authorization space. If the
493 // certificate_authorities list is empty then the client MAY
494 // send any certificate of the appropriate
495 // ClientCertificateType, unless there is some external
496 // arrangement to the contrary.
497
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]498 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]499
500 var rsaAvail, ecdsaAvail bool
501 for _, certType := range certReq.certificateTypes {
502 switch certType {
David Benjamin7b030512014-07-08 17:30:11 -0400[diff] [blame]503 case CertTypeRSASign:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]504 rsaAvail = true
David Benjamin7b030512014-07-08 17:30:11 -0400[diff] [blame]505 case CertTypeECDSASign:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]506 ecdsaAvail = true
507 }
508 }
509
510 // We need to search our list of client certs for one
511 // where SignatureAlgorithm is RSA and the Issuer is in
512 // certReq.certificateAuthorities
513 findCert:
514 for i, chain := range c.config.Certificates {
515 if !rsaAvail && !ecdsaAvail {
516 continue
517 }
518
519 for j, cert := range chain.Certificate {
520 x509Cert := chain.Leaf
521 // parse the certificate if this isn't the leaf
522 // node, or if chain.Leaf was nil
523 if j != 0 || x509Cert == nil {
524 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
525 c.sendAlert(alertInternalError)
526 return errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
527 }
528 }
529
530 switch {
531 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
532 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
533 default:
534 continue findCert
535 }
536
537 if len(certReq.certificateAuthorities) == 0 {
538 // they gave us an empty list, so just take the
539 // first RSA cert from c.config.Certificates
540 chainToSend = &chain
541 break findCert
542 }
543
544 for _, ca := range certReq.certificateAuthorities {
545 if bytes.Equal(x509Cert.RawIssuer, ca) {
546 chainToSend = &chain
547 break findCert
548 }
549 }
550 }
551 }
552
553 msg, err = c.readHandshake()
554 if err != nil {
555 return err
556 }
557 }
558
559 shd, ok := msg.(*serverHelloDoneMsg)
560 if !ok {
561 c.sendAlert(alertUnexpectedMessage)
562 return unexpectedMessageError(shd, msg)
563 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]564 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]565
566 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame^]567 // Certificate message in TLS, even if it's empty because we don't have
568 // a certificate to send. In SSL 3.0, skip the message and send a
569 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]570 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame^]571 if c.vers == VersionSSL30 && chainToSend == nil {
572 c.sendAlert(alertNoCertficate)
573 } else if !c.config.Bugs.SkipClientCertificate {
574 certMsg := new(certificateMsg)
575 if chainToSend != nil {
576 certMsg.certificates = chainToSend.Certificate
577 }
578 hs.writeClientHash(certMsg.marshal())
579 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]580 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]581 }
582
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]583 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]584 if err != nil {
585 c.sendAlert(alertInternalError)
586 return err
587 }
588 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]589 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]590 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]591 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]592 c.writeRecord(recordTypeHandshake, ckx.marshal())
593 }
594
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]595 if hs.serverHello.extendedMasterSecret && c.vers >= VersionTLS10 {
596 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
597 c.extendedMasterSecret = true
598 } else {
599 if c.config.Bugs.RequireExtendedMasterSecret {
600 return errors.New("tls: extended master secret required but not supported by peer")
601 }
602 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
603 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]604
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]605 if chainToSend != nil {
606 var signed []byte
607 certVerify := &certificateVerifyMsg{
608 hasSignatureAndHash: c.vers >= VersionTLS12,
609 }
610
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]611 // Determine the hash to sign.
612 var signatureType uint8
613 switch c.config.Certificates[0].PrivateKey.(type) {
614 case *ecdsa.PrivateKey:
615 signatureType = signatureECDSA
616 case *rsa.PrivateKey:
617 signatureType = signatureRSA
618 default:
619 c.sendAlert(alertInternalError)
620 return errors.New("unknown private key type")
621 }
622 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
623 certReq.signatureAndHashes = c.config.signatureAndHashesForClient()
624 }
625 certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, c.config.signatureAndHashesForClient(), signatureType)
626 if err != nil {
627 c.sendAlert(alertInternalError)
628 return err
629 }
630 digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)
631 if err != nil {
632 c.sendAlert(alertInternalError)
633 return err
634 }
David Benjamin6de0e532015-07-28 22:43:19 -0400[diff] [blame]635 if c.config.Bugs.InvalidCertVerifySignature {
636 digest[0] ^= 0x80
637 }
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]638
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]639 switch key := c.config.Certificates[0].PrivateKey.(type) {
640 case *ecdsa.PrivateKey:
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]641 var r, s *big.Int
642 r, s, err = ecdsa.Sign(c.config.rand(), key, digest)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]643 if err == nil {
644 signed, err = asn1.Marshal(ecdsaSignature{r, s})
645 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]646 case *rsa.PrivateKey:
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]647 signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]648 default:
649 err = errors.New("unknown private key type")
650 }
651 if err != nil {
652 c.sendAlert(alertInternalError)
653 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
654 }
655 certVerify.signature = signed
656
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]657 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]658 c.writeRecord(recordTypeHandshake, certVerify.marshal())
659 }
David Benjamina4e6d482015-03-02 19:10:53 -0500[diff] [blame]660 c.dtlsFlushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]661
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]662 hs.finishedHash.discardHandshakeBuffer()
663
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]664 return nil
665}
666
667func (hs *clientHandshakeState) establishKeys() error {
668 c := hs.c
669
670 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
671 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
672 var clientCipher, serverCipher interface{}
673 var clientHash, serverHash macFunction
674 if hs.suite.cipher != nil {
675 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
676 clientHash = hs.suite.mac(c.vers, clientMAC)
677 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
678 serverHash = hs.suite.mac(c.vers, serverMAC)
679 } else {
680 clientCipher = hs.suite.aead(clientKey, clientIV)
681 serverCipher = hs.suite.aead(serverKey, serverIV)
682 }
683
684 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
685 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
686 return nil
687}
688
689func (hs *clientHandshakeState) serverResumedSession() bool {
690 // If the server responded with the same sessionId then it means the
691 // sessionTicket is being used to resume a TLS session.
692 return hs.session != nil && hs.hello.sessionId != nil &&
693 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
694}
695
696func (hs *clientHandshakeState) processServerHello() (bool, error) {
697 c := hs.c
698
699 if hs.serverHello.compressionMethod != compressionNone {
700 c.sendAlert(alertUnexpectedMessage)
701 return false, errors.New("tls: server selected unsupported compression format")
702 }
703
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]704 clientDidNPN := hs.hello.nextProtoNeg
705 clientDidALPN := len(hs.hello.alpnProtocols) > 0
706 serverHasNPN := hs.serverHello.nextProtoNeg
707 serverHasALPN := len(hs.serverHello.alpnProtocol) > 0
708
709 if !clientDidNPN && serverHasNPN {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]710 c.sendAlert(alertHandshakeFailure)
711 return false, errors.New("server advertised unrequested NPN extension")
712 }
713
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]714 if !clientDidALPN && serverHasALPN {
715 c.sendAlert(alertHandshakeFailure)
716 return false, errors.New("server advertised unrequested ALPN extension")
717 }
718
719 if serverHasNPN && serverHasALPN {
720 c.sendAlert(alertHandshakeFailure)
721 return false, errors.New("server advertised both NPN and ALPN extensions")
722 }
723
724 if serverHasALPN {
725 c.clientProtocol = hs.serverHello.alpnProtocol
726 c.clientProtocolFallback = false
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]727 c.usedALPN = true
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]728 }
729
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]730 if !hs.hello.channelIDSupported && hs.serverHello.channelIDRequested {
731 c.sendAlert(alertHandshakeFailure)
732 return false, errors.New("server advertised unrequested Channel ID extension")
733 }
734
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]735 if hs.serverHello.srtpProtectionProfile != 0 {
736 if hs.serverHello.srtpMasterKeyIdentifier != "" {
737 return false, errors.New("tls: server selected SRTP MKI value")
738 }
739
740 found := false
741 for _, p := range c.config.SRTPProtectionProfiles {
742 if p == hs.serverHello.srtpProtectionProfile {
743 found = true
744 break
745 }
746 }
747 if !found {
748 return false, errors.New("tls: server advertised unsupported SRTP profile")
749 }
750
751 c.srtpProtectionProfile = hs.serverHello.srtpProtectionProfile
752 }
753
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]754 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]755 // For test purposes, assert that the server never accepts the
756 // resumption offer on renegotiation.
757 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
758 return false, errors.New("tls: server resumed session on renegotiation")
759 }
760
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]761 if hs.serverHello.sctList != nil {
762 return false, errors.New("tls: server sent SCT extension on session resumption")
763 }
764
765 if hs.serverHello.ocspStapling {
766 return false, errors.New("tls: server sent OCSP extension on session resumption")
767 }
768
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]769 // Restore masterSecret and peerCerts from previous state
770 hs.masterSecret = hs.session.masterSecret
771 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]772 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]773 c.sctList = hs.session.sctList
774 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]775 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]776 return true, nil
777 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]778
779 if hs.serverHello.sctList != nil {
780 c.sctList = hs.serverHello.sctList
781 }
782
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]783 return false, nil
784}
785
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]786func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]787 c := hs.c
788
789 c.readRecord(recordTypeChangeCipherSpec)
790 if err := c.in.error(); err != nil {
791 return err
792 }
793
794 msg, err := c.readHandshake()
795 if err != nil {
796 return err
797 }
798 serverFinished, ok := msg.(*finishedMsg)
799 if !ok {
800 c.sendAlert(alertUnexpectedMessage)
801 return unexpectedMessageError(serverFinished, msg)
802 }
803
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]804 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
805 verify := hs.finishedHash.serverSum(hs.masterSecret)
806 if len(verify) != len(serverFinished.verifyData) ||
807 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
808 c.sendAlert(alertHandshakeFailure)
809 return errors.New("tls: server's Finished message was incorrect")
810 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]811 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]812 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]813 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]814 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]815 return nil
816}
817
818func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]819 c := hs.c
820
821 // Create a session with no server identifier. Either a
822 // session ID or session ticket will be attached.
823 session := &ClientSessionState{
824 vers: c.vers,
825 cipherSuite: hs.suite.id,
826 masterSecret: hs.masterSecret,
827 handshakeHash: hs.finishedHash.server.Sum(nil),
828 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]829 sctList: c.sctList,
830 ocspResponse: c.ocspResponse,
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]831 }
832
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]833 if !hs.serverHello.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]834 if c.config.Bugs.ExpectNewTicket {
835 return errors.New("tls: expected new ticket")
836 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]837 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
838 session.sessionId = hs.serverHello.sessionId
839 hs.session = session
840 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]841 return nil
842 }
843
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]844 if c.vers == VersionSSL30 {
845 return errors.New("tls: negotiated session tickets in SSL 3.0")
846 }
847
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]848 msg, err := c.readHandshake()
849 if err != nil {
850 return err
851 }
852 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
853 if !ok {
854 c.sendAlert(alertUnexpectedMessage)
855 return unexpectedMessageError(sessionTicketMsg, msg)
856 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]857
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]858 session.sessionTicket = sessionTicketMsg.ticket
859 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]860
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]861 hs.writeServerHash(sessionTicketMsg.marshal())
862
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]863 return nil
864}
865
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]866func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867 c := hs.c
868
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]869 var postCCSBytes []byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]870 seqno := hs.c.sendHandshakeSeq
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]871 if hs.serverHello.nextProtoNeg {
872 nextProto := new(nextProtoMsg)
873 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)
874 nextProto.proto = proto
875 c.clientProtocol = proto
876 c.clientProtocolFallback = fallback
877
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]878 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]879 hs.writeHash(nextProtoBytes, seqno)
880 seqno++
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]881 postCCSBytes = append(postCCSBytes, nextProtoBytes...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]882 }
883
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]884 if hs.serverHello.channelIDRequested {
885 encryptedExtensions := new(encryptedExtensionsMsg)
886 if c.config.ChannelID.Curve != elliptic.P256() {
887 return fmt.Errorf("tls: Channel ID is not on P-256.")
888 }
889 var resumeHash []byte
890 if isResume {
891 resumeHash = hs.session.handshakeHash
892 }
893 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
894 if err != nil {
895 return err
896 }
897 channelID := make([]byte, 128)
898 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
899 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
900 writeIntPadded(channelID[64:96], r)
901 writeIntPadded(channelID[96:128], s)
902 encryptedExtensions.channelID = channelID
903
904 c.channelID = &c.config.ChannelID.PublicKey
905
906 encryptedExtensionsBytes := encryptedExtensions.marshal()
907 hs.writeHash(encryptedExtensionsBytes, seqno)
908 seqno++
909 postCCSBytes = append(postCCSBytes, encryptedExtensionsBytes...)
910 }
911
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]912 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]913 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
914 finished.verifyData = hs.finishedHash.clientSum(nil)
915 } else {
916 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
917 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]918 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]919 if c.config.Bugs.BadFinished {
920 finished.verifyData[0]++
921 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]922 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]923 hs.finishedBytes = finished.marshal()
924 hs.writeHash(hs.finishedBytes, seqno)
925 postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]926
927 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
928 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
929 postCCSBytes = postCCSBytes[5:]
930 }
David Benjamina4e6d482015-03-02 19:10:53 -0500[diff] [blame]931 c.dtlsFlushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]932
933 if !c.config.Bugs.SkipChangeCipherSpec &&
934 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]935 ccs := []byte{1}
936 if c.config.Bugs.BadChangeCipherSpec != nil {
937 ccs = c.config.Bugs.BadChangeCipherSpec
938 }
939 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]940 }
941
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]942 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
943 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
944 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]945 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
946 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
947 return errors.New("tls: simulating post-CCS alert")
948 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]949
David Benjaminb80168e2015-02-08 18:30:14 -0500[diff] [blame]950 if !c.config.Bugs.SkipFinished {
951 c.writeRecord(recordTypeHandshake, postCCSBytes)
David Benjamina4e6d482015-03-02 19:10:53 -0500[diff] [blame]952 c.dtlsFlushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]953 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]954 return nil
955}
956
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]957func (hs *clientHandshakeState) writeClientHash(msg []byte) {
958 // writeClientHash is called before writeRecord.
959 hs.writeHash(msg, hs.c.sendHandshakeSeq)
960}
961
962func (hs *clientHandshakeState) writeServerHash(msg []byte) {
963 // writeServerHash is called after readHandshake.
964 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
965}
966
967func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
968 if hs.c.isDTLS {
969 // This is somewhat hacky. DTLS hashes a slightly different format.
970 // First, the TLS header.
971 hs.finishedHash.Write(msg[:4])
972 // Then the sequence number and reassembled fragment offset (always 0).
973 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
974 // Then the reassembled fragment (always equal to the message length).
975 hs.finishedHash.Write(msg[1:4])
976 // And then the message body.
977 hs.finishedHash.Write(msg[4:])
978 } else {
979 hs.finishedHash.Write(msg)
980 }
981}
982
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]983// clientSessionCacheKey returns a key used to cache sessionTickets that could
984// be used to resume previously negotiated TLS sessions with a server.
985func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
986 if len(config.ServerName) > 0 {
987 return config.ServerName
988 }
989 return serverAddr.String()
990}
991
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]992// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
993// given list of possible protocols and a list of the preference order. The
994// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]995// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]996func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
997 for _, s := range preferenceProtos {
998 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]999 if s == c {
1000 return s, false
1001 }
1002 }
1003 }
1004
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1005 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1006}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1007
1008// writeIntPadded writes x into b, padded up with leading zeros as
1009// needed.
1010func writeIntPadded(b []byte, x *big.Int) {
1011 for i := range b {
1012 b[i] = 0
1013 }
1014 xb := x.Bytes()
1015 copy(b[len(b)-len(xb):], xb)
1016}