Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 163c95691a0e6f115d0b51db36325e77fae7f018 / . / ssl / test / runner / handshake_client.go
blob: 472185e55734cb7d13c2defdde159a262d5f88e1 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]21 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]22)
23
24type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]25 c *Conn
26 serverHello *serverHelloMsg
27 hello *clientHelloMsg
28 suite *cipherSuite
29 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]30 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]31 masterSecret []byte
32 session *ClientSessionState
33 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34}
35
36func (c *Conn) clientHandshake() error {
37 if c.config == nil {
38 c.config = defaultConfig()
39 }
40
41 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
42 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
43 }
44
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]45 c.sendHandshakeSeq = 0
46 c.recvHandshakeSeq = 0
47
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]48 nextProtosLength := 0
49 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]50 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]51 return errors.New("tls: invalid NextProtos value")
52 } else {
53 nextProtosLength += 1 + l
54 }
55 }
56 if nextProtosLength > 0xffff {
57 return errors.New("tls: NextProtos values too large")
58 }
59
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]60 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]61 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]62 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]63 compressionMethods: []uint8{compressionNone},
64 random: make([]byte, 32),
65 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]66 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]67 serverName: c.config.ServerName,
68 supportedCurves: c.config.curvePreferences(),
69 supportedPoints: []uint8{pointFormatUncompressed},
70 nextProtoNeg: len(c.config.NextProtos) > 0,
71 secureRenegotiation: []byte{},
72 alpnProtocols: c.config.NextProtos,
73 duplicateExtension: c.config.Bugs.DuplicateExtension,
74 channelIDSupported: c.config.ChannelID != nil,
75 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]76 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]77 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
78 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]79 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]80 }
81
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame^]82 disableEMS := c.config.Bugs.NoExtendedMasterSecret
83 if c.cipherSuite != nil {
84 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation
85 }
86
87 if disableEMS {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]88 hello.extendedMasterSecret = false
89 }
90
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]91 if c.config.Bugs.NoSupportedCurves {
92 hello.supportedCurves = nil
93 }
94
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]95 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
96 if c.config.Bugs.BadRenegotiationInfo {
97 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
98 hello.secureRenegotiation[0] ^= 0x80
99 } else {
100 hello.secureRenegotiation = c.clientVerify
101 }
102 }
103
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]104 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]105 hello.secureRenegotiation = nil
106 }
107
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]108 var keyShares map[CurveID]ecdhCurve
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]109 if hello.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]110 keyShares = make(map[CurveID]ecdhCurve)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]111 hello.hasKeyShares = true
112 curvesToSend := c.config.defaultCurves()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]113 for _, curveID := range hello.supportedCurves {
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]114 if !curvesToSend[curveID] {
115 continue
116 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]117 curve, ok := curveForCurveID(curveID)
118 if !ok {
119 continue
120 }
121 publicKey, err := curve.offer(c.config.rand())
122 if err != nil {
123 return err
124 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]125
126 if c.config.Bugs.SendCurve != 0 {
127 curveID = c.config.Bugs.SendCurve
128 }
129 if c.config.Bugs.InvalidECDHPoint {
130 publicKey[0] ^= 0xff
131 }
132
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]133 hello.keyShares = append(hello.keyShares, keyShareEntry{
134 group: curveID,
135 keyExchange: publicKey,
136 })
137 keyShares[curveID] = curve
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]138
139 if c.config.Bugs.DuplicateKeyShares {
140 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1])
141 }
142 }
143
144 if c.config.Bugs.MissingKeyShare {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]145 hello.hasKeyShares = false
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]146 }
147 }
148
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]149 possibleCipherSuites := c.config.cipherSuites()
150 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
151
152NextCipherSuite:
153 for _, suiteId := range possibleCipherSuites {
154 for _, suite := range cipherSuites {
155 if suite.id != suiteId {
156 continue
157 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]158 if !c.config.Bugs.EnableAllCiphers {
159 // Don't advertise TLS 1.2-only cipher suites unless
160 // we're attempting TLS 1.2.
161 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
162 continue
163 }
164 // Don't advertise non-DTLS cipher suites in DTLS.
165 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
166 continue
167 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]168 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]169 hello.cipherSuites = append(hello.cipherSuites, suiteId)
170 continue NextCipherSuite
171 }
172 }
173
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]174 if c.config.Bugs.SendRenegotiationSCSV {
175 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
176 }
177
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]178 if c.config.Bugs.SendFallbackSCSV {
179 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
180 }
181
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]182 _, err := io.ReadFull(c.config.rand(), hello.random)
183 if err != nil {
184 c.sendAlert(alertInternalError)
185 return errors.New("tls: short read from Rand: " + err.Error())
186 }
187
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]188 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]189 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]190 }
191
192 var session *ClientSessionState
193 var cacheKey string
194 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]195
196 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]197 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]198
199 // Try to resume a previously negotiated TLS session, if
200 // available.
201 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]202 // TODO(nharper): Support storing more than one session
203 // ticket for TLS 1.3.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]204 candidateSession, ok := sessionCache.Get(cacheKey)
205 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]206 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
207
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]208 // Check that the ciphersuite/version used for the
209 // previous session are still valid.
210 cipherSuiteOk := false
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]211 if candidateSession.vers >= VersionTLS13 {
212 // Account for ciphers changing on resumption.
213 //
214 // TODO(davidben): This will be gone with the
215 // new cipher negotiation scheme.
216 resumeCipher := ecdhePSKSuite(candidateSession.cipherSuite)
217 for _, id := range hello.cipherSuites {
218 if ecdhePSKSuite(id) == resumeCipher {
219 cipherSuiteOk = true
220 break
221 }
222 }
223 } else {
224 for _, id := range hello.cipherSuites {
225 if id == candidateSession.cipherSuite {
226 cipherSuiteOk = true
227 break
228 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]229 }
230 }
231
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]232 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
233 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]234 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]235 session = candidateSession
236 }
237 }
238 }
239
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]240 if session != nil && c.config.time().Before(session.ticketExpiration) {
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]241 ticket := session.sessionTicket
242 if c.config.Bugs.CorruptTicket && len(ticket) > 0 {
243 ticket = make([]byte, len(session.sessionTicket))
244 copy(ticket, session.sessionTicket)
245 offset := 40
246 if offset >= len(ticket) {
247 offset = len(ticket) - 1
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]248 }
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]249 ticket[offset] ^= 0x40
250 }
251
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]252 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets {
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]253 // TODO(nharper): Support sending more
254 // than one PSK identity.
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]255 if session.ticketFlags&ticketAllowDHEResumption != 0 || c.config.Bugs.SendBothTickets {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]256 hello.pskIdentities = [][]uint8{ticket}
257 hello.cipherSuites = append(hello.cipherSuites, ecdhePSKSuite(session.cipherSuite))
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]258 }
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]259 }
260
261 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets {
262 if ticket != nil {
263 hello.sessionTicket = ticket
264 // A random session ID is used to detect when the
265 // server accepted the ticket and is resuming a session
266 // (see RFC 5077).
267 sessionIdLen := 16
268 if c.config.Bugs.OversizedSessionId {
269 sessionIdLen = 33
270 }
271 hello.sessionId = make([]byte, sessionIdLen)
272 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
273 c.sendAlert(alertInternalError)
274 return errors.New("tls: short read from Rand: " + err.Error())
275 }
276 } else {
277 hello.sessionId = session.sessionId
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]278 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]279 }
280 }
281
David Benjamineed24012016-08-13 19:26:00 -0400[diff] [blame]282 if c.config.Bugs.SendClientVersion != 0 {
283 hello.vers = c.config.Bugs.SendClientVersion
284 }
285
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]286 var helloBytes []byte
287 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]288 // Test that the peer left-pads random.
289 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]290 v2Hello := &v2ClientHelloMsg{
291 vers: hello.vers,
292 cipherSuites: hello.cipherSuites,
293 // No session resumption for V2ClientHello.
294 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]295 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]296 }
297 helloBytes = v2Hello.marshal()
298 c.writeV2Record(helloBytes)
299 } else {
300 helloBytes = hello.marshal()
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]301 if c.config.Bugs.PartialClientFinishedWithClientHello {
302 // Include one byte of Finished. We can compute it
303 // without completing the handshake. This assumes we
304 // negotiate TLS 1.3 with no HelloRetryRequest or
305 // CertificateRequest.
306 toWrite := make([]byte, 0, len(helloBytes)+1)
307 toWrite = append(toWrite, helloBytes...)
308 toWrite = append(toWrite, typeFinished)
309 c.writeRecord(recordTypeHandshake, toWrite)
310 } else {
311 c.writeRecord(recordTypeHandshake, helloBytes)
312 }
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]313 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]314 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]315
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]316 if err := c.simulatePacketLoss(nil); err != nil {
317 return err
318 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]319 msg, err := c.readHandshake()
320 if err != nil {
321 return err
322 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]323
324 if c.isDTLS {
325 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
326 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]327 if helloVerifyRequest.vers != VersionTLS10 {
328 // Per RFC 6347, the version field in
329 // HelloVerifyRequest SHOULD be always DTLS
330 // 1.0. Enforce this for testing purposes.
331 return errors.New("dtls: bad HelloVerifyRequest version")
332 }
333
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]334 hello.raw = nil
335 hello.cookie = helloVerifyRequest.cookie
336 helloBytes = hello.marshal()
337 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]338 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]339
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]340 if err := c.simulatePacketLoss(nil); err != nil {
341 return err
342 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]343 msg, err = c.readHandshake()
344 if err != nil {
345 return err
346 }
347 }
348 }
349
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]350 var serverVersion uint16
351 switch m := msg.(type) {
352 case *helloRetryRequestMsg:
353 serverVersion = m.vers
354 case *serverHelloMsg:
355 serverVersion = m.vers
356 default:
357 c.sendAlert(alertUnexpectedMessage)
358 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
359 }
360
361 var ok bool
362 c.vers, ok = c.config.mutualVersion(serverVersion, c.isDTLS)
363 if !ok {
364 c.sendAlert(alertProtocolVersion)
365 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
366 }
367 c.haveVers = true
368
369 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg)
370 var secondHelloBytes []byte
371 if haveHelloRetryRequest {
372 var hrrCurveFound bool
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]373 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 {
374 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve
375 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]376 group := helloRetryRequest.selectedGroup
377 for _, curveID := range hello.supportedCurves {
378 if group == curveID {
379 hrrCurveFound = true
380 break
381 }
382 }
383 if !hrrCurveFound || keyShares[group] != nil {
384 c.sendAlert(alertHandshakeFailure)
385 return errors.New("tls: received invalid HelloRetryRequest")
386 }
387 curve, ok := curveForCurveID(group)
388 if !ok {
389 return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
390 }
391 publicKey, err := curve.offer(c.config.rand())
392 if err != nil {
393 return err
394 }
395 keyShares[group] = curve
396 hello.keyShares = append(hello.keyShares, keyShareEntry{
397 group: group,
398 keyExchange: publicKey,
399 })
400
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]401 if c.config.Bugs.SecondClientHelloMissingKeyShare {
402 hello.hasKeyShares = false
403 }
404
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]405 hello.hasEarlyData = false
406 hello.earlyDataContext = nil
407 hello.raw = nil
408
409 secondHelloBytes = hello.marshal()
410 c.writeRecord(recordTypeHandshake, secondHelloBytes)
411 c.flushHandshake()
412
413 msg, err = c.readHandshake()
414 if err != nil {
415 return err
416 }
417 }
418
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]419 serverHello, ok := msg.(*serverHelloMsg)
420 if !ok {
421 c.sendAlert(alertUnexpectedMessage)
422 return unexpectedMessageError(serverHello, msg)
423 }
424
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]425 if c.vers != serverHello.vers {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]426 c.sendAlert(alertProtocolVersion)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]427 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverHello.vers, c.vers)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]428 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]429
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]430 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]431 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]432 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]433 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]434 c.sendAlert(alertProtocolVersion)
435 return errors.New("tls: downgrade from TLS 1.3 detected")
436 }
437 }
438 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]439 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]440 c.sendAlert(alertProtocolVersion)
441 return errors.New("tls: downgrade from TLS 1.2 detected")
442 }
443 }
444
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]445 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]446 if suite == nil {
447 c.sendAlert(alertHandshakeFailure)
448 return fmt.Errorf("tls: server selected an unsupported cipher suite")
449 }
450
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]451 if haveHelloRetryRequest && (helloRetryRequest.cipherSuite != serverHello.cipherSuite || helloRetryRequest.selectedGroup != serverHello.keyShare.group) {
452 c.sendAlert(alertHandshakeFailure)
453 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
454 }
455
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]456 hs := &clientHandshakeState{
457 c: c,
458 serverHello: serverHello,
459 hello: hello,
460 suite: suite,
461 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]462 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]463 session: session,
464 }
465
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]466 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]467 if haveHelloRetryRequest {
468 hs.writeServerHash(helloRetryRequest.marshal())
469 hs.writeClientHash(secondHelloBytes)
470 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]471 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]472
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]473 if c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]474 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]475 return err
476 }
477 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]478 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
479 hs.establishKeys()
480 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
481 }
482
483 if hs.serverHello.compressionMethod != compressionNone {
484 c.sendAlert(alertUnexpectedMessage)
485 return errors.New("tls: server selected unsupported compression format")
486 }
487
488 err = hs.processServerExtensions(&serverHello.extensions)
489 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]490 return err
491 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]492
493 isResume, err := hs.processServerHello()
494 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]495 return err
496 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]497
498 if isResume {
499 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
500 if err := hs.establishKeys(); err != nil {
501 return err
502 }
503 }
504 if err := hs.readSessionTicket(); err != nil {
505 return err
506 }
507 if err := hs.readFinished(c.firstFinished[:]); err != nil {
508 return err
509 }
510 if err := hs.sendFinished(nil, isResume); err != nil {
511 return err
512 }
513 } else {
514 if err := hs.doFullHandshake(); err != nil {
515 return err
516 }
517 if err := hs.establishKeys(); err != nil {
518 return err
519 }
520 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
521 return err
522 }
523 // Most retransmits are triggered by a timeout, but the final
524 // leg of the handshake is retransmited upon re-receiving a
525 // Finished.
526 if err := c.simulatePacketLoss(func() {
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]527 c.sendHandshakeSeq--
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]528 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
529 c.flushHandshake()
530 }); err != nil {
531 return err
532 }
533 if err := hs.readSessionTicket(); err != nil {
534 return err
535 }
536 if err := hs.readFinished(nil); err != nil {
537 return err
538 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]539 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]540
541 if sessionCache != nil && hs.session != nil && session != hs.session {
542 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
543 return errors.New("tls: new session used session IDs instead of tickets")
544 }
545 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]546 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]547
548 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]549 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]550 }
551
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]552 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]553 c.cipherSuite = suite
554 copy(c.clientRandom[:], hs.hello.random)
555 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]556
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]557 return nil
558}
559
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]560func (hs *clientHandshakeState) doTLS13Handshake() error {
561 c := hs.c
562
563 // Once the PRF hash is known, TLS 1.3 does not require a handshake
564 // buffer.
565 hs.finishedHash.discardHandshakeBuffer()
566
567 zeroSecret := hs.finishedHash.zeroSecret()
568
569 // Resolve PSK and compute the early secret.
570 //
571 // TODO(davidben): This will need to be handled slightly earlier once
572 // 0-RTT is implemented.
573 var psk []byte
574 if hs.suite.flags&suitePSK != 0 {
575 if !hs.serverHello.hasPSKIdentity {
576 c.sendAlert(alertMissingExtension)
577 return errors.New("tls: server omitted the PSK identity extension")
578 }
579
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]580 // We send at most one PSK identity.
581 if hs.session == nil || hs.serverHello.pskIdentity != 0 {
582 c.sendAlert(alertUnknownPSKIdentity)
583 return errors.New("tls: server sent unknown PSK identity")
584 }
585 if ecdhePSKSuite(hs.session.cipherSuite) != hs.suite.id {
586 c.sendAlert(alertHandshakeFailure)
587 return errors.New("tls: server sent invalid cipher suite for PSK")
588 }
589 psk = deriveResumptionPSK(hs.suite, hs.session.masterSecret)
590 hs.finishedHash.setResumptionContext(deriveResumptionContext(hs.suite, hs.session.masterSecret))
591 c.didResume = true
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]592 } else {
593 if hs.serverHello.hasPSKIdentity {
594 c.sendAlert(alertUnsupportedExtension)
595 return errors.New("tls: server sent unexpected PSK identity")
596 }
597
598 psk = zeroSecret
599 hs.finishedHash.setResumptionContext(zeroSecret)
600 }
601
602 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
603
604 // Resolve ECDHE and compute the handshake secret.
605 var ecdheSecret []byte
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]606 if hs.suite.flags&suiteECDHE != 0 && !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]607 if !hs.serverHello.hasKeyShare {
608 c.sendAlert(alertMissingExtension)
609 return errors.New("tls: server omitted the key share extension")
610 }
611
612 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
613 if !ok {
614 c.sendAlert(alertHandshakeFailure)
615 return errors.New("tls: server selected an unsupported group")
616 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]617 c.curveID = hs.serverHello.keyShare.group
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]618
619 var err error
620 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
621 if err != nil {
622 return err
623 }
624 } else {
625 if hs.serverHello.hasKeyShare {
626 c.sendAlert(alertUnsupportedExtension)
627 return errors.New("tls: server sent unexpected key share extension")
628 }
629
630 ecdheSecret = zeroSecret
631 }
632
633 // Compute the handshake secret.
634 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
635
636 // Switch to handshake traffic keys.
637 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
David Benjamin21c00282016-07-18 21:56:23 +0200[diff] [blame]638 c.out.useTrafficSecret(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite)
639 c.in.useTrafficSecret(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]640
641 msg, err := c.readHandshake()
642 if err != nil {
643 return err
644 }
645
646 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
647 if !ok {
648 c.sendAlert(alertUnexpectedMessage)
649 return unexpectedMessageError(encryptedExtensions, msg)
650 }
651 hs.writeServerHash(encryptedExtensions.marshal())
652
653 err = hs.processServerExtensions(&encryptedExtensions.extensions)
654 if err != nil {
655 return err
656 }
657
658 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]659 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]660 if hs.suite.flags&suitePSK != 0 {
661 if encryptedExtensions.extensions.ocspResponse != nil {
662 c.sendAlert(alertUnsupportedExtension)
663 return errors.New("tls: server sent OCSP response without a certificate")
664 }
665 if encryptedExtensions.extensions.sctList != nil {
666 c.sendAlert(alertUnsupportedExtension)
667 return errors.New("tls: server sent SCT list without a certificate")
668 }
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]669
670 // Copy over authentication from the session.
671 c.peerCertificates = hs.session.serverCertificates
672 c.sctList = hs.session.sctList
673 c.ocspResponse = hs.session.ocspResponse
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]674 } else {
675 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
676 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]677
678 msg, err := c.readHandshake()
679 if err != nil {
680 return err
681 }
682
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]683 var ok bool
684 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]685 if ok {
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]686 if len(certReq.requestContext) != 0 {
687 return errors.New("tls: non-empty certificate request context sent in handshake")
688 }
689
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]690 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
691 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
692 }
693
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]694 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]695
696 chainToSend, err = selectClientCertificate(c, certReq)
697 if err != nil {
698 return err
699 }
700
701 msg, err = c.readHandshake()
702 if err != nil {
703 return err
704 }
705 }
706
707 certMsg, ok := msg.(*certificateMsg)
708 if !ok {
709 c.sendAlert(alertUnexpectedMessage)
710 return unexpectedMessageError(certMsg, msg)
711 }
712 hs.writeServerHash(certMsg.marshal())
713
714 if err := hs.verifyCertificates(certMsg); err != nil {
715 return err
716 }
717 leaf := c.peerCertificates[0]
718
719 msg, err = c.readHandshake()
720 if err != nil {
721 return err
722 }
723 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
724 if !ok {
725 c.sendAlert(alertUnexpectedMessage)
726 return unexpectedMessageError(certVerifyMsg, msg)
727 }
728
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]729 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]730 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]731 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]732 if err != nil {
733 return err
734 }
735
736 hs.writeServerHash(certVerifyMsg.marshal())
737 }
738
739 msg, err = c.readHandshake()
740 if err != nil {
741 return err
742 }
743 serverFinished, ok := msg.(*finishedMsg)
744 if !ok {
745 c.sendAlert(alertUnexpectedMessage)
746 return unexpectedMessageError(serverFinished, msg)
747 }
748
749 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
750 if len(verify) != len(serverFinished.verifyData) ||
751 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
752 c.sendAlert(alertHandshakeFailure)
753 return errors.New("tls: server's Finished message was incorrect")
754 }
755
756 hs.writeServerHash(serverFinished.marshal())
757
758 // The various secrets do not incorporate the client's final leg, so
759 // derive them now before updating the handshake context.
760 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
761 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
762
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]763 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]764 certMsg := &certificateMsg{
765 hasRequestContext: true,
766 requestContext: certReq.requestContext,
767 }
768 if chainToSend != nil {
769 certMsg.certificates = chainToSend.Certificate
770 }
771 hs.writeClientHash(certMsg.marshal())
772 c.writeRecord(recordTypeHandshake, certMsg.marshal())
773
774 if chainToSend != nil {
775 certVerify := &certificateVerifyMsg{
776 hasSignatureAlgorithm: true,
777 }
778
779 // Determine the hash to sign.
780 privKey := chainToSend.PrivateKey
781
782 var err error
783 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
784 if err != nil {
785 c.sendAlert(alertInternalError)
786 return err
787 }
788
789 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
790 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
791 if err != nil {
792 c.sendAlert(alertInternalError)
793 return err
794 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]795 if c.config.Bugs.SendSignatureAlgorithm != 0 {
796 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
797 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]798
799 hs.writeClientHash(certVerify.marshal())
800 c.writeRecord(recordTypeHandshake, certVerify.marshal())
801 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]802 }
803
804 // Send a client Finished message.
805 finished := new(finishedMsg)
806 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
807 if c.config.Bugs.BadFinished {
808 finished.verifyData[0]++
809 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]810 hs.writeClientHash(finished.marshal())
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]811 if c.config.Bugs.PartialClientFinishedWithClientHello {
812 // The first byte has already been sent.
813 c.writeRecord(recordTypeHandshake, finished.marshal()[1:])
814 } else {
815 c.writeRecord(recordTypeHandshake, finished.marshal())
816 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]817 if c.config.Bugs.SendExtraFinished {
818 c.writeRecord(recordTypeHandshake, finished.marshal())
819 }
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]820 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]821
822 // Switch to application data keys.
David Benjamin21c00282016-07-18 21:56:23 +0200[diff] [blame]823 c.out.useTrafficSecret(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite)
824 c.in.useTrafficSecret(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]825
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]826 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]827 c.resumptionSecret = hs.finishedHash.deriveSecret(masterSecret, resumptionLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]828 return nil
829}
830
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]831func (hs *clientHandshakeState) doFullHandshake() error {
832 c := hs.c
833
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]834 var leaf *x509.Certificate
835 if hs.suite.flags&suitePSK == 0 {
836 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]837 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838 return err
839 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]840
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]841 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]842 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]843 c.sendAlert(alertUnexpectedMessage)
844 return unexpectedMessageError(certMsg, msg)
845 }
846 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]847
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]848 if err := hs.verifyCertificates(certMsg); err != nil {
849 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]850 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]851 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]852 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]853
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]854 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]855 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]856 if err != nil {
857 return err
858 }
859 cs, ok := msg.(*certificateStatusMsg)
860 if !ok {
861 c.sendAlert(alertUnexpectedMessage)
862 return unexpectedMessageError(cs, msg)
863 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]864 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]865
866 if cs.statusType == statusTypeOCSP {
867 c.ocspResponse = cs.response
868 }
869 }
870
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]871 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]872 if err != nil {
873 return err
874 }
875
876 keyAgreement := hs.suite.ka(c.vers)
877
878 skx, ok := msg.(*serverKeyExchangeMsg)
879 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]880 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]881 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]882 if err != nil {
883 c.sendAlert(alertUnexpectedMessage)
884 return err
885 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]886 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
887 c.curveID = ecdhe.curveID
888 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]889
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]890 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
891
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]892 msg, err = c.readHandshake()
893 if err != nil {
894 return err
895 }
896 }
897
898 var chainToSend *Certificate
899 var certRequested bool
900 certReq, ok := msg.(*certificateRequestMsg)
901 if ok {
902 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]903 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
904 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
905 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]906
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]907 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]908
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]909 chainToSend, err = selectClientCertificate(c, certReq)
910 if err != nil {
911 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]912 }
913
914 msg, err = c.readHandshake()
915 if err != nil {
916 return err
917 }
918 }
919
920 shd, ok := msg.(*serverHelloDoneMsg)
921 if !ok {
922 c.sendAlert(alertUnexpectedMessage)
923 return unexpectedMessageError(shd, msg)
924 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]925 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]926
927 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]928 // Certificate message in TLS, even if it's empty because we don't have
929 // a certificate to send. In SSL 3.0, skip the message and send a
930 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]931 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]932 if c.vers == VersionSSL30 && chainToSend == nil {
933 c.sendAlert(alertNoCertficate)
934 } else if !c.config.Bugs.SkipClientCertificate {
935 certMsg := new(certificateMsg)
936 if chainToSend != nil {
937 certMsg.certificates = chainToSend.Certificate
938 }
939 hs.writeClientHash(certMsg.marshal())
940 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]941 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]942 }
943
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]944 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]945 if err != nil {
946 c.sendAlert(alertInternalError)
947 return err
948 }
949 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]950 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]951 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]952 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953 c.writeRecord(recordTypeHandshake, ckx.marshal())
954 }
955
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]956 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]957 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
958 c.extendedMasterSecret = true
959 } else {
960 if c.config.Bugs.RequireExtendedMasterSecret {
961 return errors.New("tls: extended master secret required but not supported by peer")
962 }
963 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
964 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]965
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]966 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]967 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]968 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]969 }
970
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]971 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]972 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]973
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]974 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]975 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]976 if err != nil {
977 c.sendAlert(alertInternalError)
978 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]979 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]980 }
981
982 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]983 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]984 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
985 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
986 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]987 } else {
988 // SSL 3.0's client certificate construction is
989 // incompatible with signatureAlgorithm.
990 rsaKey, ok := privKey.(*rsa.PrivateKey)
991 if !ok {
992 err = errors.New("unsupported signature type for client certificate")
993 } else {
994 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]995 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]996 digest[0] ^= 0x80
997 }
998 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
999 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1000 }
1001 if err != nil {
1002 c.sendAlert(alertInternalError)
1003 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
1004 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1005
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1006 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1007 c.writeRecord(recordTypeHandshake, certVerify.marshal())
1008 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]1009 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1010
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1011 hs.finishedHash.discardHandshakeBuffer()
1012
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1013 return nil
1014}
1015
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]1016func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
1017 c := hs.c
1018
1019 if len(certMsg.certificates) == 0 {
1020 c.sendAlert(alertIllegalParameter)
1021 return errors.New("tls: no certificates sent")
1022 }
1023
1024 certs := make([]*x509.Certificate, len(certMsg.certificates))
1025 for i, asn1Data := range certMsg.certificates {
1026 cert, err := x509.ParseCertificate(asn1Data)
1027 if err != nil {
1028 c.sendAlert(alertBadCertificate)
1029 return errors.New("tls: failed to parse certificate from server: " + err.Error())
1030 }
1031 certs[i] = cert
1032 }
1033
1034 if !c.config.InsecureSkipVerify {
1035 opts := x509.VerifyOptions{
1036 Roots: c.config.RootCAs,
1037 CurrentTime: c.config.time(),
1038 DNSName: c.config.ServerName,
1039 Intermediates: x509.NewCertPool(),
1040 }
1041
1042 for i, cert := range certs {
1043 if i == 0 {
1044 continue
1045 }
1046 opts.Intermediates.AddCert(cert)
1047 }
1048 var err error
1049 c.verifiedChains, err = certs[0].Verify(opts)
1050 if err != nil {
1051 c.sendAlert(alertBadCertificate)
1052 return err
1053 }
1054 }
1055
1056 switch certs[0].PublicKey.(type) {
1057 case *rsa.PublicKey, *ecdsa.PublicKey:
1058 break
1059 default:
1060 c.sendAlert(alertUnsupportedCertificate)
1061 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
1062 }
1063
1064 c.peerCertificates = certs
1065 return nil
1066}
1067
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1068func (hs *clientHandshakeState) establishKeys() error {
1069 c := hs.c
1070
1071 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1072 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1073 var clientCipher, serverCipher interface{}
1074 var clientHash, serverHash macFunction
1075 if hs.suite.cipher != nil {
1076 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
1077 clientHash = hs.suite.mac(c.vers, clientMAC)
1078 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
1079 serverHash = hs.suite.mac(c.vers, serverMAC)
1080 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1081 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
1082 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1083 }
1084
1085 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
1086 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
1087 return nil
1088}
1089
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1090func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
1091 c := hs.c
1092
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1093 if c.vers < VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1094 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
1095 return errors.New("tls: renegotiation extension missing")
1096 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1097
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1098 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
1099 var expectedRenegInfo []byte
1100 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
1101 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
1102 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
1103 c.sendAlert(alertHandshakeFailure)
1104 return fmt.Errorf("tls: renegotiation mismatch")
1105 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1106 }
David Benjamincea0ab42016-07-14 12:33:14 -0400[diff] [blame]1107 } else if serverExtensions.secureRenegotiation != nil {
1108 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1109 }
1110
1111 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1112 if serverExtensions.customExtension != *expected {
1113 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
1114 }
1115 }
1116
1117 clientDidNPN := hs.hello.nextProtoNeg
1118 clientDidALPN := len(hs.hello.alpnProtocols) > 0
1119 serverHasNPN := serverExtensions.nextProtoNeg
1120 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
1121
1122 if !clientDidNPN && serverHasNPN {
1123 c.sendAlert(alertHandshakeFailure)
1124 return errors.New("server advertised unrequested NPN extension")
1125 }
1126
1127 if !clientDidALPN && serverHasALPN {
1128 c.sendAlert(alertHandshakeFailure)
1129 return errors.New("server advertised unrequested ALPN extension")
1130 }
1131
1132 if serverHasNPN && serverHasALPN {
1133 c.sendAlert(alertHandshakeFailure)
1134 return errors.New("server advertised both NPN and ALPN extensions")
1135 }
1136
1137 if serverHasALPN {
1138 c.clientProtocol = serverExtensions.alpnProtocol
1139 c.clientProtocolFallback = false
1140 c.usedALPN = true
1141 }
1142
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1143 if serverHasNPN && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1144 c.sendAlert(alertHandshakeFailure)
1145 return errors.New("server advertised NPN over TLS 1.3")
1146 }
1147
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1148 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
1149 c.sendAlert(alertHandshakeFailure)
1150 return errors.New("server advertised unrequested Channel ID extension")
1151 }
1152
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1153 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1154 c.sendAlert(alertHandshakeFailure)
1155 return errors.New("server advertised Channel ID over TLS 1.3")
1156 }
1157
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1158 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 {
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]1159 return errors.New("tls: server advertised extended master secret over TLS 1.3")
1160 }
1161
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1162 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1163 return errors.New("tls: server advertised ticket extension over TLS 1.3")
1164 }
1165
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1166 if serverExtensions.srtpProtectionProfile != 0 {
1167 if serverExtensions.srtpMasterKeyIdentifier != "" {
1168 return errors.New("tls: server selected SRTP MKI value")
1169 }
1170
1171 found := false
1172 for _, p := range c.config.SRTPProtectionProfiles {
1173 if p == serverExtensions.srtpProtectionProfile {
1174 found = true
1175 break
1176 }
1177 }
1178 if !found {
1179 return errors.New("tls: server advertised unsupported SRTP profile")
1180 }
1181
1182 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1183 }
1184
1185 return nil
1186}
1187
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1188func (hs *clientHandshakeState) serverResumedSession() bool {
1189 // If the server responded with the same sessionId then it means the
1190 // sessionTicket is being used to resume a TLS session.
1191 return hs.session != nil && hs.hello.sessionId != nil &&
1192 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1193}
1194
1195func (hs *clientHandshakeState) processServerHello() (bool, error) {
1196 c := hs.c
1197
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1198 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1199 // For test purposes, assert that the server never accepts the
1200 // resumption offer on renegotiation.
1201 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1202 return false, errors.New("tls: server resumed session on renegotiation")
1203 }
1204
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1205 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1206 return false, errors.New("tls: server sent SCT extension on session resumption")
1207 }
1208
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1209 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1210 return false, errors.New("tls: server sent OCSP extension on session resumption")
1211 }
1212
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1213 // Restore masterSecret and peerCerts from previous state
1214 hs.masterSecret = hs.session.masterSecret
1215 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1216 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1217 c.sctList = hs.session.sctList
1218 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1219 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1220 return true, nil
1221 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1222
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1223 if hs.serverHello.extensions.sctList != nil {
1224 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1225 }
1226
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1227 return false, nil
1228}
1229
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1230func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1231 c := hs.c
1232
1233 c.readRecord(recordTypeChangeCipherSpec)
1234 if err := c.in.error(); err != nil {
1235 return err
1236 }
1237
1238 msg, err := c.readHandshake()
1239 if err != nil {
1240 return err
1241 }
1242 serverFinished, ok := msg.(*finishedMsg)
1243 if !ok {
1244 c.sendAlert(alertUnexpectedMessage)
1245 return unexpectedMessageError(serverFinished, msg)
1246 }
1247
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1248 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1249 verify := hs.finishedHash.serverSum(hs.masterSecret)
1250 if len(verify) != len(serverFinished.verifyData) ||
1251 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1252 c.sendAlert(alertHandshakeFailure)
1253 return errors.New("tls: server's Finished message was incorrect")
1254 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1255 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1256 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1257 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1258 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1259 return nil
1260}
1261
1262func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1263 c := hs.c
1264
1265 // Create a session with no server identifier. Either a
1266 // session ID or session ticket will be attached.
1267 session := &ClientSessionState{
1268 vers: c.vers,
1269 cipherSuite: hs.suite.id,
1270 masterSecret: hs.masterSecret,
1271 handshakeHash: hs.finishedHash.server.Sum(nil),
1272 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1273 sctList: c.sctList,
1274 ocspResponse: c.ocspResponse,
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]1275 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)),
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1276 }
1277
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1278 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1279 if c.config.Bugs.ExpectNewTicket {
1280 return errors.New("tls: expected new ticket")
1281 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1282 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1283 session.sessionId = hs.serverHello.sessionId
1284 hs.session = session
1285 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1286 return nil
1287 }
1288
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1289 if c.vers == VersionSSL30 {
1290 return errors.New("tls: negotiated session tickets in SSL 3.0")
1291 }
1292
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1293 msg, err := c.readHandshake()
1294 if err != nil {
1295 return err
1296 }
1297 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1298 if !ok {
1299 c.sendAlert(alertUnexpectedMessage)
1300 return unexpectedMessageError(sessionTicketMsg, msg)
1301 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1302
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1303 session.sessionTicket = sessionTicketMsg.ticket
1304 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1305
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1306 hs.writeServerHash(sessionTicketMsg.marshal())
1307
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1308 return nil
1309}
1310
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1311func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1312 c := hs.c
1313
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1314 var postCCSMsgs [][]byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1315 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1316 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1317 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1318 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1319 nextProto.proto = proto
1320 c.clientProtocol = proto
1321 c.clientProtocolFallback = fallback
1322
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1323 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1324 hs.writeHash(nextProtoBytes, seqno)
1325 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1326 postCCSMsgs = append(postCCSMsgs, nextProtoBytes)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1327 }
1328
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1329 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1330 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1331 if c.config.ChannelID.Curve != elliptic.P256() {
1332 return fmt.Errorf("tls: Channel ID is not on P-256.")
1333 }
1334 var resumeHash []byte
1335 if isResume {
1336 resumeHash = hs.session.handshakeHash
1337 }
1338 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1339 if err != nil {
1340 return err
1341 }
1342 channelID := make([]byte, 128)
1343 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1344 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1345 writeIntPadded(channelID[64:96], r)
1346 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1347 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1348
1349 c.channelID = &c.config.ChannelID.PublicKey
1350
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1351 channelIDMsgBytes := channelIDMsg.marshal()
1352 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1353 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1354 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1355 }
1356
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1357 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1358 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1359 finished.verifyData = hs.finishedHash.clientSum(nil)
1360 } else {
1361 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1362 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1363 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1364 if c.config.Bugs.BadFinished {
1365 finished.verifyData[0]++
1366 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1367 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1368 hs.finishedBytes = finished.marshal()
1369 hs.writeHash(hs.finishedBytes, seqno)
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1370 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1371
1372 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1373 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5])
1374 postCCSMsgs[0] = postCCSMsgs[0][5:]
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]1375 } else if c.config.Bugs.SendUnencryptedFinished {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1376 c.writeRecord(recordTypeHandshake, postCCSMsgs[0])
1377 postCCSMsgs = postCCSMsgs[1:]
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1378 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1379 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1380
1381 if !c.config.Bugs.SkipChangeCipherSpec &&
1382 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1383 ccs := []byte{1}
1384 if c.config.Bugs.BadChangeCipherSpec != nil {
1385 ccs = c.config.Bugs.BadChangeCipherSpec
1386 }
1387 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1388 }
1389
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1390 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1391 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1392 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1393 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1394 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1395 return errors.New("tls: simulating post-CCS alert")
1396 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1397
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1398 if !c.config.Bugs.SkipFinished {
1399 for _, msg := range postCCSMsgs {
1400 c.writeRecord(recordTypeHandshake, msg)
1401 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]1402
1403 if c.config.Bugs.SendExtraFinished {
1404 c.writeRecord(recordTypeHandshake, finished.marshal())
1405 }
1406
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1407 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1408 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1409 return nil
1410}
1411
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1412func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1413 // writeClientHash is called before writeRecord.
1414 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1415}
1416
1417func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1418 // writeServerHash is called after readHandshake.
1419 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1420}
1421
1422func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1423 if hs.c.isDTLS {
1424 // This is somewhat hacky. DTLS hashes a slightly different format.
1425 // First, the TLS header.
1426 hs.finishedHash.Write(msg[:4])
1427 // Then the sequence number and reassembled fragment offset (always 0).
1428 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1429 // Then the reassembled fragment (always equal to the message length).
1430 hs.finishedHash.Write(msg[1:4])
1431 // And then the message body.
1432 hs.finishedHash.Write(msg[4:])
1433 } else {
1434 hs.finishedHash.Write(msg)
1435 }
1436}
1437
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1438// selectClientCertificate selects a certificate for use with the given
1439// certificate, or none if none match. It may return a particular certificate or
1440// nil on success, or an error on internal error.
1441func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1442 // RFC 4346 on the certificateAuthorities field:
1443 // A list of the distinguished names of acceptable certificate
1444 // authorities. These distinguished names may specify a desired
1445 // distinguished name for a root CA or for a subordinate CA; thus, this
1446 // message can be used to describe both known roots and a desired
1447 // authorization space. If the certificate_authorities list is empty
1448 // then the client MAY send any certificate of the appropriate
1449 // ClientCertificateType, unless there is some external arrangement to
1450 // the contrary.
1451
1452 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1453 if !certReq.hasRequestContext {
1454 for _, certType := range certReq.certificateTypes {
1455 switch certType {
1456 case CertTypeRSASign:
1457 rsaAvail = true
1458 case CertTypeECDSASign:
1459 ecdsaAvail = true
1460 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1461 }
1462 }
1463
1464 // We need to search our list of client certs for one
1465 // where SignatureAlgorithm is RSA and the Issuer is in
1466 // certReq.certificateAuthorities
1467findCert:
1468 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1469 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1470 continue
1471 }
1472
1473 // Ensure the private key supports one of the advertised
1474 // signature algorithms.
1475 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1476 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1477 continue
1478 }
1479 }
1480
1481 for j, cert := range chain.Certificate {
1482 x509Cert := chain.Leaf
1483 // parse the certificate if this isn't the leaf
1484 // node, or if chain.Leaf was nil
1485 if j != 0 || x509Cert == nil {
1486 var err error
1487 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1488 c.sendAlert(alertInternalError)
1489 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1490 }
1491 }
1492
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1493 if !certReq.hasRequestContext {
1494 switch {
1495 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1496 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1497 default:
1498 continue findCert
1499 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1500 }
1501
1502 if len(certReq.certificateAuthorities) == 0 {
1503 // They gave us an empty list, so just take the
1504 // first certificate of valid type from
1505 // c.config.Certificates.
1506 return &chain, nil
1507 }
1508
1509 for _, ca := range certReq.certificateAuthorities {
1510 if bytes.Equal(x509Cert.RawIssuer, ca) {
1511 return &chain, nil
1512 }
1513 }
1514 }
1515 }
1516
1517 return nil, nil
1518}
1519
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1520// clientSessionCacheKey returns a key used to cache sessionTickets that could
1521// be used to resume previously negotiated TLS sessions with a server.
1522func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1523 if len(config.ServerName) > 0 {
1524 return config.ServerName
1525 }
1526 return serverAddr.String()
1527}
1528
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1529// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1530// given list of possible protocols and a list of the preference order. The
1531// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1532// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1533func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1534 for _, s := range preferenceProtos {
1535 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1536 if s == c {
1537 return s, false
1538 }
1539 }
1540 }
1541
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1542 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1543}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1544
1545// writeIntPadded writes x into b, padded up with leading zeros as
1546// needed.
1547func writeIntPadded(b []byte, x *big.Int) {
1548 for i := range b {
1549 b[i] = 0
1550 }
1551 xb := x.Bytes()
1552 copy(b[len(b)-len(xb):], xb)
1553}