Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 46662482b898da0fee9ac49dea0b532eb60d84ef / . / ssl / test / runner / handshake_client.go
blob: e8e56d7a4eb8b75301930990d87eab7e0f6c9a5b [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]21 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]22)
23
24type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]25 c *Conn
26 serverHello *serverHelloMsg
27 hello *clientHelloMsg
28 suite *cipherSuite
29 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]30 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]31 masterSecret []byte
32 session *ClientSessionState
33 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34}
35
36func (c *Conn) clientHandshake() error {
37 if c.config == nil {
38 c.config = defaultConfig()
39 }
40
41 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
42 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
43 }
44
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]45 c.sendHandshakeSeq = 0
46 c.recvHandshakeSeq = 0
47
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]48 nextProtosLength := 0
49 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]50 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]51 return errors.New("tls: invalid NextProtos value")
52 } else {
53 nextProtosLength += 1 + l
54 }
55 }
56 if nextProtosLength > 0xffff {
57 return errors.New("tls: NextProtos values too large")
58 }
59
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]60 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]61 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]62 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]63 compressionMethods: []uint8{compressionNone},
64 random: make([]byte, 32),
65 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]66 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]67 serverName: c.config.ServerName,
68 supportedCurves: c.config.curvePreferences(),
69 supportedPoints: []uint8{pointFormatUncompressed},
70 nextProtoNeg: len(c.config.NextProtos) > 0,
71 secureRenegotiation: []byte{},
72 alpnProtocols: c.config.NextProtos,
73 duplicateExtension: c.config.Bugs.DuplicateExtension,
74 channelIDSupported: c.config.ChannelID != nil,
75 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]76 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]77 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
78 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]79 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]80 }
81
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]82 if c.config.Bugs.NoExtendedMasterSecret {
83 hello.extendedMasterSecret = false
84 }
85
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]86 if c.config.Bugs.NoSupportedCurves {
87 hello.supportedCurves = nil
88 }
89
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]90 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
91 if c.config.Bugs.BadRenegotiationInfo {
92 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
93 hello.secureRenegotiation[0] ^= 0x80
94 } else {
95 hello.secureRenegotiation = c.clientVerify
96 }
97 }
98
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]99 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]100 hello.secureRenegotiation = nil
101 }
102
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]103 var keyShares map[CurveID]ecdhCurve
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]104 if hello.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]105 keyShares = make(map[CurveID]ecdhCurve)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]106 hello.hasKeyShares = true
107 curvesToSend := c.config.defaultCurves()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]108 for _, curveID := range hello.supportedCurves {
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]109 if !curvesToSend[curveID] {
110 continue
111 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]112 curve, ok := curveForCurveID(curveID)
113 if !ok {
114 continue
115 }
116 publicKey, err := curve.offer(c.config.rand())
117 if err != nil {
118 return err
119 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]120
121 if c.config.Bugs.SendCurve != 0 {
122 curveID = c.config.Bugs.SendCurve
123 }
124 if c.config.Bugs.InvalidECDHPoint {
125 publicKey[0] ^= 0xff
126 }
127
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]128 hello.keyShares = append(hello.keyShares, keyShareEntry{
129 group: curveID,
130 keyExchange: publicKey,
131 })
132 keyShares[curveID] = curve
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]133
134 if c.config.Bugs.DuplicateKeyShares {
135 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1])
136 }
137 }
138
139 if c.config.Bugs.MissingKeyShare {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]140 hello.hasKeyShares = false
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]141 }
142 }
143
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]144 possibleCipherSuites := c.config.cipherSuites()
145 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
146
147NextCipherSuite:
148 for _, suiteId := range possibleCipherSuites {
149 for _, suite := range cipherSuites {
150 if suite.id != suiteId {
151 continue
152 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]153 if !c.config.Bugs.EnableAllCiphers {
154 // Don't advertise TLS 1.2-only cipher suites unless
155 // we're attempting TLS 1.2.
156 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
157 continue
158 }
159 // Don't advertise non-DTLS cipher suites in DTLS.
160 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
161 continue
162 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]163 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]164 hello.cipherSuites = append(hello.cipherSuites, suiteId)
165 continue NextCipherSuite
166 }
167 }
168
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]169 if c.config.Bugs.SendRenegotiationSCSV {
170 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
171 }
172
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]173 if c.config.Bugs.SendFallbackSCSV {
174 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
175 }
176
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]177 _, err := io.ReadFull(c.config.rand(), hello.random)
178 if err != nil {
179 c.sendAlert(alertInternalError)
180 return errors.New("tls: short read from Rand: " + err.Error())
181 }
182
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]183 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]184 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]185 }
186
187 var session *ClientSessionState
188 var cacheKey string
189 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]190
191 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]192 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]193
194 // Try to resume a previously negotiated TLS session, if
195 // available.
196 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]197 // TODO(nharper): Support storing more than one session
198 // ticket for TLS 1.3.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]199 candidateSession, ok := sessionCache.Get(cacheKey)
200 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]201 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
202
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]203 // Check that the ciphersuite/version used for the
204 // previous session are still valid.
205 cipherSuiteOk := false
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame^]206 if candidateSession.vers >= VersionTLS13 {
207 // Account for ciphers changing on resumption.
208 //
209 // TODO(davidben): This will be gone with the
210 // new cipher negotiation scheme.
211 resumeCipher := ecdhePSKSuite(candidateSession.cipherSuite)
212 for _, id := range hello.cipherSuites {
213 if ecdhePSKSuite(id) == resumeCipher {
214 cipherSuiteOk = true
215 break
216 }
217 }
218 } else {
219 for _, id := range hello.cipherSuites {
220 if id == candidateSession.cipherSuite {
221 cipherSuiteOk = true
222 break
223 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]224 }
225 }
226
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]227 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
228 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]229 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]230 session = candidateSession
231 }
232 }
233 }
234
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]235 if session != nil && c.config.time().Before(session.ticketExpiration) {
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]236 ticket := session.sessionTicket
237 if c.config.Bugs.CorruptTicket && len(ticket) > 0 {
238 ticket = make([]byte, len(session.sessionTicket))
239 copy(ticket, session.sessionTicket)
240 offset := 40
241 if offset >= len(ticket) {
242 offset = len(ticket) - 1
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]243 }
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]244 ticket[offset] ^= 0x40
245 }
246
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]247 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets {
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]248 // TODO(nharper): Support sending more
249 // than one PSK identity.
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]250 if session.ticketFlags&ticketAllowDHEResumption != 0 || c.config.Bugs.SendBothTickets {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame^]251 hello.pskIdentities = [][]uint8{ticket}
252 hello.cipherSuites = append(hello.cipherSuites, ecdhePSKSuite(session.cipherSuite))
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]253 }
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]254 }
255
256 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets {
257 if ticket != nil {
258 hello.sessionTicket = ticket
259 // A random session ID is used to detect when the
260 // server accepted the ticket and is resuming a session
261 // (see RFC 5077).
262 sessionIdLen := 16
263 if c.config.Bugs.OversizedSessionId {
264 sessionIdLen = 33
265 }
266 hello.sessionId = make([]byte, sessionIdLen)
267 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
268 c.sendAlert(alertInternalError)
269 return errors.New("tls: short read from Rand: " + err.Error())
270 }
271 } else {
272 hello.sessionId = session.sessionId
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]273 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]274 }
275 }
276
David Benjamineed24012016-08-13 19:26:00 -0400[diff] [blame]277 if c.config.Bugs.SendClientVersion != 0 {
278 hello.vers = c.config.Bugs.SendClientVersion
279 }
280
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]281 var helloBytes []byte
282 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]283 // Test that the peer left-pads random.
284 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]285 v2Hello := &v2ClientHelloMsg{
286 vers: hello.vers,
287 cipherSuites: hello.cipherSuites,
288 // No session resumption for V2ClientHello.
289 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]290 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]291 }
292 helloBytes = v2Hello.marshal()
293 c.writeV2Record(helloBytes)
294 } else {
295 helloBytes = hello.marshal()
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]296 if c.config.Bugs.PartialClientFinishedWithClientHello {
297 // Include one byte of Finished. We can compute it
298 // without completing the handshake. This assumes we
299 // negotiate TLS 1.3 with no HelloRetryRequest or
300 // CertificateRequest.
301 toWrite := make([]byte, 0, len(helloBytes)+1)
302 toWrite = append(toWrite, helloBytes...)
303 toWrite = append(toWrite, typeFinished)
304 c.writeRecord(recordTypeHandshake, toWrite)
305 } else {
306 c.writeRecord(recordTypeHandshake, helloBytes)
307 }
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]308 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]309 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]310
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]311 if err := c.simulatePacketLoss(nil); err != nil {
312 return err
313 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]314 msg, err := c.readHandshake()
315 if err != nil {
316 return err
317 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]318
319 if c.isDTLS {
320 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
321 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]322 if helloVerifyRequest.vers != VersionTLS10 {
323 // Per RFC 6347, the version field in
324 // HelloVerifyRequest SHOULD be always DTLS
325 // 1.0. Enforce this for testing purposes.
326 return errors.New("dtls: bad HelloVerifyRequest version")
327 }
328
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]329 hello.raw = nil
330 hello.cookie = helloVerifyRequest.cookie
331 helloBytes = hello.marshal()
332 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]333 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]334
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]335 if err := c.simulatePacketLoss(nil); err != nil {
336 return err
337 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]338 msg, err = c.readHandshake()
339 if err != nil {
340 return err
341 }
342 }
343 }
344
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]345 var serverVersion uint16
346 switch m := msg.(type) {
347 case *helloRetryRequestMsg:
348 serverVersion = m.vers
349 case *serverHelloMsg:
350 serverVersion = m.vers
351 default:
352 c.sendAlert(alertUnexpectedMessage)
353 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
354 }
355
356 var ok bool
357 c.vers, ok = c.config.mutualVersion(serverVersion, c.isDTLS)
358 if !ok {
359 c.sendAlert(alertProtocolVersion)
360 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
361 }
362 c.haveVers = true
363
364 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg)
365 var secondHelloBytes []byte
366 if haveHelloRetryRequest {
367 var hrrCurveFound bool
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]368 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 {
369 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve
370 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]371 group := helloRetryRequest.selectedGroup
372 for _, curveID := range hello.supportedCurves {
373 if group == curveID {
374 hrrCurveFound = true
375 break
376 }
377 }
378 if !hrrCurveFound || keyShares[group] != nil {
379 c.sendAlert(alertHandshakeFailure)
380 return errors.New("tls: received invalid HelloRetryRequest")
381 }
382 curve, ok := curveForCurveID(group)
383 if !ok {
384 return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
385 }
386 publicKey, err := curve.offer(c.config.rand())
387 if err != nil {
388 return err
389 }
390 keyShares[group] = curve
391 hello.keyShares = append(hello.keyShares, keyShareEntry{
392 group: group,
393 keyExchange: publicKey,
394 })
395
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]396 if c.config.Bugs.SecondClientHelloMissingKeyShare {
397 hello.hasKeyShares = false
398 }
399
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]400 hello.hasEarlyData = false
401 hello.earlyDataContext = nil
402 hello.raw = nil
403
404 secondHelloBytes = hello.marshal()
405 c.writeRecord(recordTypeHandshake, secondHelloBytes)
406 c.flushHandshake()
407
408 msg, err = c.readHandshake()
409 if err != nil {
410 return err
411 }
412 }
413
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]414 serverHello, ok := msg.(*serverHelloMsg)
415 if !ok {
416 c.sendAlert(alertUnexpectedMessage)
417 return unexpectedMessageError(serverHello, msg)
418 }
419
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]420 if c.vers != serverHello.vers {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]421 c.sendAlert(alertProtocolVersion)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]422 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverHello.vers, c.vers)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]423 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]424
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]425 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]426 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]427 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]428 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]429 c.sendAlert(alertProtocolVersion)
430 return errors.New("tls: downgrade from TLS 1.3 detected")
431 }
432 }
433 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]434 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]435 c.sendAlert(alertProtocolVersion)
436 return errors.New("tls: downgrade from TLS 1.2 detected")
437 }
438 }
439
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]440 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]441 if suite == nil {
442 c.sendAlert(alertHandshakeFailure)
443 return fmt.Errorf("tls: server selected an unsupported cipher suite")
444 }
445
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]446 if haveHelloRetryRequest && (helloRetryRequest.cipherSuite != serverHello.cipherSuite || helloRetryRequest.selectedGroup != serverHello.keyShare.group) {
447 c.sendAlert(alertHandshakeFailure)
448 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
449 }
450
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]451 hs := &clientHandshakeState{
452 c: c,
453 serverHello: serverHello,
454 hello: hello,
455 suite: suite,
456 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]457 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]458 session: session,
459 }
460
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]461 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]462 if haveHelloRetryRequest {
463 hs.writeServerHash(helloRetryRequest.marshal())
464 hs.writeClientHash(secondHelloBytes)
465 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]466 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]467
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]468 if c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]469 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]470 return err
471 }
472 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]473 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
474 hs.establishKeys()
475 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
476 }
477
478 if hs.serverHello.compressionMethod != compressionNone {
479 c.sendAlert(alertUnexpectedMessage)
480 return errors.New("tls: server selected unsupported compression format")
481 }
482
483 err = hs.processServerExtensions(&serverHello.extensions)
484 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]485 return err
486 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]487
488 isResume, err := hs.processServerHello()
489 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]490 return err
491 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]492
493 if isResume {
494 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
495 if err := hs.establishKeys(); err != nil {
496 return err
497 }
498 }
499 if err := hs.readSessionTicket(); err != nil {
500 return err
501 }
502 if err := hs.readFinished(c.firstFinished[:]); err != nil {
503 return err
504 }
505 if err := hs.sendFinished(nil, isResume); err != nil {
506 return err
507 }
508 } else {
509 if err := hs.doFullHandshake(); err != nil {
510 return err
511 }
512 if err := hs.establishKeys(); err != nil {
513 return err
514 }
515 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
516 return err
517 }
518 // Most retransmits are triggered by a timeout, but the final
519 // leg of the handshake is retransmited upon re-receiving a
520 // Finished.
521 if err := c.simulatePacketLoss(func() {
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]522 c.sendHandshakeSeq--
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]523 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
524 c.flushHandshake()
525 }); err != nil {
526 return err
527 }
528 if err := hs.readSessionTicket(); err != nil {
529 return err
530 }
531 if err := hs.readFinished(nil); err != nil {
532 return err
533 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]534 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]535
536 if sessionCache != nil && hs.session != nil && session != hs.session {
537 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
538 return errors.New("tls: new session used session IDs instead of tickets")
539 }
540 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]541 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]542
543 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]544 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]545 }
546
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]547 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]548 c.cipherSuite = suite
549 copy(c.clientRandom[:], hs.hello.random)
550 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]551
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]552 return nil
553}
554
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]555func (hs *clientHandshakeState) doTLS13Handshake() error {
556 c := hs.c
557
558 // Once the PRF hash is known, TLS 1.3 does not require a handshake
559 // buffer.
560 hs.finishedHash.discardHandshakeBuffer()
561
562 zeroSecret := hs.finishedHash.zeroSecret()
563
564 // Resolve PSK and compute the early secret.
565 //
566 // TODO(davidben): This will need to be handled slightly earlier once
567 // 0-RTT is implemented.
568 var psk []byte
569 if hs.suite.flags&suitePSK != 0 {
570 if !hs.serverHello.hasPSKIdentity {
571 c.sendAlert(alertMissingExtension)
572 return errors.New("tls: server omitted the PSK identity extension")
573 }
574
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]575 // We send at most one PSK identity.
576 if hs.session == nil || hs.serverHello.pskIdentity != 0 {
577 c.sendAlert(alertUnknownPSKIdentity)
578 return errors.New("tls: server sent unknown PSK identity")
579 }
580 if ecdhePSKSuite(hs.session.cipherSuite) != hs.suite.id {
581 c.sendAlert(alertHandshakeFailure)
582 return errors.New("tls: server sent invalid cipher suite for PSK")
583 }
584 psk = deriveResumptionPSK(hs.suite, hs.session.masterSecret)
585 hs.finishedHash.setResumptionContext(deriveResumptionContext(hs.suite, hs.session.masterSecret))
586 c.didResume = true
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]587 } else {
588 if hs.serverHello.hasPSKIdentity {
589 c.sendAlert(alertUnsupportedExtension)
590 return errors.New("tls: server sent unexpected PSK identity")
591 }
592
593 psk = zeroSecret
594 hs.finishedHash.setResumptionContext(zeroSecret)
595 }
596
597 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
598
599 // Resolve ECDHE and compute the handshake secret.
600 var ecdheSecret []byte
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]601 if hs.suite.flags&suiteECDHE != 0 && !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]602 if !hs.serverHello.hasKeyShare {
603 c.sendAlert(alertMissingExtension)
604 return errors.New("tls: server omitted the key share extension")
605 }
606
607 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
608 if !ok {
609 c.sendAlert(alertHandshakeFailure)
610 return errors.New("tls: server selected an unsupported group")
611 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]612 c.curveID = hs.serverHello.keyShare.group
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]613
614 var err error
615 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
616 if err != nil {
617 return err
618 }
619 } else {
620 if hs.serverHello.hasKeyShare {
621 c.sendAlert(alertUnsupportedExtension)
622 return errors.New("tls: server sent unexpected key share extension")
623 }
624
625 ecdheSecret = zeroSecret
626 }
627
628 // Compute the handshake secret.
629 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
630
631 // Switch to handshake traffic keys.
632 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
David Benjamin21c00282016-07-18 21:56:23 +0200[diff] [blame]633 c.out.useTrafficSecret(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite)
634 c.in.useTrafficSecret(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]635
636 msg, err := c.readHandshake()
637 if err != nil {
638 return err
639 }
640
641 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
642 if !ok {
643 c.sendAlert(alertUnexpectedMessage)
644 return unexpectedMessageError(encryptedExtensions, msg)
645 }
646 hs.writeServerHash(encryptedExtensions.marshal())
647
648 err = hs.processServerExtensions(&encryptedExtensions.extensions)
649 if err != nil {
650 return err
651 }
652
653 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]654 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]655 if hs.suite.flags&suitePSK != 0 {
656 if encryptedExtensions.extensions.ocspResponse != nil {
657 c.sendAlert(alertUnsupportedExtension)
658 return errors.New("tls: server sent OCSP response without a certificate")
659 }
660 if encryptedExtensions.extensions.sctList != nil {
661 c.sendAlert(alertUnsupportedExtension)
662 return errors.New("tls: server sent SCT list without a certificate")
663 }
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]664
665 // Copy over authentication from the session.
666 c.peerCertificates = hs.session.serverCertificates
667 c.sctList = hs.session.sctList
668 c.ocspResponse = hs.session.ocspResponse
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]669 } else {
670 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
671 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]672
673 msg, err := c.readHandshake()
674 if err != nil {
675 return err
676 }
677
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]678 var ok bool
679 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]680 if ok {
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]681 if len(certReq.requestContext) != 0 {
682 return errors.New("tls: non-empty certificate request context sent in handshake")
683 }
684
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]685 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
686 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
687 }
688
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]689 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]690
691 chainToSend, err = selectClientCertificate(c, certReq)
692 if err != nil {
693 return err
694 }
695
696 msg, err = c.readHandshake()
697 if err != nil {
698 return err
699 }
700 }
701
702 certMsg, ok := msg.(*certificateMsg)
703 if !ok {
704 c.sendAlert(alertUnexpectedMessage)
705 return unexpectedMessageError(certMsg, msg)
706 }
707 hs.writeServerHash(certMsg.marshal())
708
709 if err := hs.verifyCertificates(certMsg); err != nil {
710 return err
711 }
712 leaf := c.peerCertificates[0]
713
714 msg, err = c.readHandshake()
715 if err != nil {
716 return err
717 }
718 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
719 if !ok {
720 c.sendAlert(alertUnexpectedMessage)
721 return unexpectedMessageError(certVerifyMsg, msg)
722 }
723
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]724 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]725 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]726 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]727 if err != nil {
728 return err
729 }
730
731 hs.writeServerHash(certVerifyMsg.marshal())
732 }
733
734 msg, err = c.readHandshake()
735 if err != nil {
736 return err
737 }
738 serverFinished, ok := msg.(*finishedMsg)
739 if !ok {
740 c.sendAlert(alertUnexpectedMessage)
741 return unexpectedMessageError(serverFinished, msg)
742 }
743
744 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
745 if len(verify) != len(serverFinished.verifyData) ||
746 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
747 c.sendAlert(alertHandshakeFailure)
748 return errors.New("tls: server's Finished message was incorrect")
749 }
750
751 hs.writeServerHash(serverFinished.marshal())
752
753 // The various secrets do not incorporate the client's final leg, so
754 // derive them now before updating the handshake context.
755 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
756 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
757
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]758 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]759 certMsg := &certificateMsg{
760 hasRequestContext: true,
761 requestContext: certReq.requestContext,
762 }
763 if chainToSend != nil {
764 certMsg.certificates = chainToSend.Certificate
765 }
766 hs.writeClientHash(certMsg.marshal())
767 c.writeRecord(recordTypeHandshake, certMsg.marshal())
768
769 if chainToSend != nil {
770 certVerify := &certificateVerifyMsg{
771 hasSignatureAlgorithm: true,
772 }
773
774 // Determine the hash to sign.
775 privKey := chainToSend.PrivateKey
776
777 var err error
778 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
779 if err != nil {
780 c.sendAlert(alertInternalError)
781 return err
782 }
783
784 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
785 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
786 if err != nil {
787 c.sendAlert(alertInternalError)
788 return err
789 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]790 if c.config.Bugs.SendSignatureAlgorithm != 0 {
791 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
792 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]793
794 hs.writeClientHash(certVerify.marshal())
795 c.writeRecord(recordTypeHandshake, certVerify.marshal())
796 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]797 }
798
799 // Send a client Finished message.
800 finished := new(finishedMsg)
801 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
802 if c.config.Bugs.BadFinished {
803 finished.verifyData[0]++
804 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]805 hs.writeClientHash(finished.marshal())
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]806 if c.config.Bugs.PartialClientFinishedWithClientHello {
807 // The first byte has already been sent.
808 c.writeRecord(recordTypeHandshake, finished.marshal()[1:])
809 } else {
810 c.writeRecord(recordTypeHandshake, finished.marshal())
811 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]812 if c.config.Bugs.SendExtraFinished {
813 c.writeRecord(recordTypeHandshake, finished.marshal())
814 }
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]815 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]816
817 // Switch to application data keys.
David Benjamin21c00282016-07-18 21:56:23 +0200[diff] [blame]818 c.out.useTrafficSecret(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite)
819 c.in.useTrafficSecret(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]820
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]821 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]822 c.resumptionSecret = hs.finishedHash.deriveSecret(masterSecret, resumptionLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]823 return nil
824}
825
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]826func (hs *clientHandshakeState) doFullHandshake() error {
827 c := hs.c
828
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]829 var leaf *x509.Certificate
830 if hs.suite.flags&suitePSK == 0 {
831 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]832 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]833 return err
834 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]836 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]837 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]838 c.sendAlert(alertUnexpectedMessage)
839 return unexpectedMessageError(certMsg, msg)
840 }
841 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]842
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]843 if err := hs.verifyCertificates(certMsg); err != nil {
844 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]845 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]846 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]847 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]848
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]849 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]850 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]851 if err != nil {
852 return err
853 }
854 cs, ok := msg.(*certificateStatusMsg)
855 if !ok {
856 c.sendAlert(alertUnexpectedMessage)
857 return unexpectedMessageError(cs, msg)
858 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]859 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]860
861 if cs.statusType == statusTypeOCSP {
862 c.ocspResponse = cs.response
863 }
864 }
865
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]866 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]867 if err != nil {
868 return err
869 }
870
871 keyAgreement := hs.suite.ka(c.vers)
872
873 skx, ok := msg.(*serverKeyExchangeMsg)
874 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]875 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]876 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]877 if err != nil {
878 c.sendAlert(alertUnexpectedMessage)
879 return err
880 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]881 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
882 c.curveID = ecdhe.curveID
883 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]884
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]885 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
886
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]887 msg, err = c.readHandshake()
888 if err != nil {
889 return err
890 }
891 }
892
893 var chainToSend *Certificate
894 var certRequested bool
895 certReq, ok := msg.(*certificateRequestMsg)
896 if ok {
897 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]898 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
899 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
900 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]901
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]902 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]903
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]904 chainToSend, err = selectClientCertificate(c, certReq)
905 if err != nil {
906 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]907 }
908
909 msg, err = c.readHandshake()
910 if err != nil {
911 return err
912 }
913 }
914
915 shd, ok := msg.(*serverHelloDoneMsg)
916 if !ok {
917 c.sendAlert(alertUnexpectedMessage)
918 return unexpectedMessageError(shd, msg)
919 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]920 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]921
922 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]923 // Certificate message in TLS, even if it's empty because we don't have
924 // a certificate to send. In SSL 3.0, skip the message and send a
925 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]926 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]927 if c.vers == VersionSSL30 && chainToSend == nil {
928 c.sendAlert(alertNoCertficate)
929 } else if !c.config.Bugs.SkipClientCertificate {
930 certMsg := new(certificateMsg)
931 if chainToSend != nil {
932 certMsg.certificates = chainToSend.Certificate
933 }
934 hs.writeClientHash(certMsg.marshal())
935 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]936 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]937 }
938
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]939 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]940 if err != nil {
941 c.sendAlert(alertInternalError)
942 return err
943 }
944 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]945 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]946 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]947 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]948 c.writeRecord(recordTypeHandshake, ckx.marshal())
949 }
950
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]951 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]952 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
953 c.extendedMasterSecret = true
954 } else {
955 if c.config.Bugs.RequireExtendedMasterSecret {
956 return errors.New("tls: extended master secret required but not supported by peer")
957 }
958 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
959 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]960
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]961 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]962 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]963 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]964 }
965
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]966 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]967 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]968
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]969 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]970 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]971 if err != nil {
972 c.sendAlert(alertInternalError)
973 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]974 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]975 }
976
977 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]978 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]979 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
980 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
981 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]982 } else {
983 // SSL 3.0's client certificate construction is
984 // incompatible with signatureAlgorithm.
985 rsaKey, ok := privKey.(*rsa.PrivateKey)
986 if !ok {
987 err = errors.New("unsupported signature type for client certificate")
988 } else {
989 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]990 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]991 digest[0] ^= 0x80
992 }
993 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
994 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]995 }
996 if err != nil {
997 c.sendAlert(alertInternalError)
998 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
999 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1000
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1001 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1002 c.writeRecord(recordTypeHandshake, certVerify.marshal())
1003 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]1004 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1005
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1006 hs.finishedHash.discardHandshakeBuffer()
1007
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1008 return nil
1009}
1010
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]1011func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
1012 c := hs.c
1013
1014 if len(certMsg.certificates) == 0 {
1015 c.sendAlert(alertIllegalParameter)
1016 return errors.New("tls: no certificates sent")
1017 }
1018
1019 certs := make([]*x509.Certificate, len(certMsg.certificates))
1020 for i, asn1Data := range certMsg.certificates {
1021 cert, err := x509.ParseCertificate(asn1Data)
1022 if err != nil {
1023 c.sendAlert(alertBadCertificate)
1024 return errors.New("tls: failed to parse certificate from server: " + err.Error())
1025 }
1026 certs[i] = cert
1027 }
1028
1029 if !c.config.InsecureSkipVerify {
1030 opts := x509.VerifyOptions{
1031 Roots: c.config.RootCAs,
1032 CurrentTime: c.config.time(),
1033 DNSName: c.config.ServerName,
1034 Intermediates: x509.NewCertPool(),
1035 }
1036
1037 for i, cert := range certs {
1038 if i == 0 {
1039 continue
1040 }
1041 opts.Intermediates.AddCert(cert)
1042 }
1043 var err error
1044 c.verifiedChains, err = certs[0].Verify(opts)
1045 if err != nil {
1046 c.sendAlert(alertBadCertificate)
1047 return err
1048 }
1049 }
1050
1051 switch certs[0].PublicKey.(type) {
1052 case *rsa.PublicKey, *ecdsa.PublicKey:
1053 break
1054 default:
1055 c.sendAlert(alertUnsupportedCertificate)
1056 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
1057 }
1058
1059 c.peerCertificates = certs
1060 return nil
1061}
1062
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1063func (hs *clientHandshakeState) establishKeys() error {
1064 c := hs.c
1065
1066 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1067 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1068 var clientCipher, serverCipher interface{}
1069 var clientHash, serverHash macFunction
1070 if hs.suite.cipher != nil {
1071 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
1072 clientHash = hs.suite.mac(c.vers, clientMAC)
1073 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
1074 serverHash = hs.suite.mac(c.vers, serverMAC)
1075 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1076 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
1077 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078 }
1079
1080 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
1081 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
1082 return nil
1083}
1084
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1085func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
1086 c := hs.c
1087
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1088 if c.vers < VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1089 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
1090 return errors.New("tls: renegotiation extension missing")
1091 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1092
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1093 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
1094 var expectedRenegInfo []byte
1095 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
1096 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
1097 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
1098 c.sendAlert(alertHandshakeFailure)
1099 return fmt.Errorf("tls: renegotiation mismatch")
1100 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1101 }
David Benjamincea0ab42016-07-14 12:33:14 -0400[diff] [blame]1102 } else if serverExtensions.secureRenegotiation != nil {
1103 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1104 }
1105
1106 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1107 if serverExtensions.customExtension != *expected {
1108 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
1109 }
1110 }
1111
1112 clientDidNPN := hs.hello.nextProtoNeg
1113 clientDidALPN := len(hs.hello.alpnProtocols) > 0
1114 serverHasNPN := serverExtensions.nextProtoNeg
1115 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
1116
1117 if !clientDidNPN && serverHasNPN {
1118 c.sendAlert(alertHandshakeFailure)
1119 return errors.New("server advertised unrequested NPN extension")
1120 }
1121
1122 if !clientDidALPN && serverHasALPN {
1123 c.sendAlert(alertHandshakeFailure)
1124 return errors.New("server advertised unrequested ALPN extension")
1125 }
1126
1127 if serverHasNPN && serverHasALPN {
1128 c.sendAlert(alertHandshakeFailure)
1129 return errors.New("server advertised both NPN and ALPN extensions")
1130 }
1131
1132 if serverHasALPN {
1133 c.clientProtocol = serverExtensions.alpnProtocol
1134 c.clientProtocolFallback = false
1135 c.usedALPN = true
1136 }
1137
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1138 if serverHasNPN && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1139 c.sendAlert(alertHandshakeFailure)
1140 return errors.New("server advertised NPN over TLS 1.3")
1141 }
1142
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1143 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
1144 c.sendAlert(alertHandshakeFailure)
1145 return errors.New("server advertised unrequested Channel ID extension")
1146 }
1147
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1148 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1149 c.sendAlert(alertHandshakeFailure)
1150 return errors.New("server advertised Channel ID over TLS 1.3")
1151 }
1152
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1153 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 {
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]1154 return errors.New("tls: server advertised extended master secret over TLS 1.3")
1155 }
1156
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1157 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1158 return errors.New("tls: server advertised ticket extension over TLS 1.3")
1159 }
1160
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1161 if serverExtensions.srtpProtectionProfile != 0 {
1162 if serverExtensions.srtpMasterKeyIdentifier != "" {
1163 return errors.New("tls: server selected SRTP MKI value")
1164 }
1165
1166 found := false
1167 for _, p := range c.config.SRTPProtectionProfiles {
1168 if p == serverExtensions.srtpProtectionProfile {
1169 found = true
1170 break
1171 }
1172 }
1173 if !found {
1174 return errors.New("tls: server advertised unsupported SRTP profile")
1175 }
1176
1177 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1178 }
1179
1180 return nil
1181}
1182
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1183func (hs *clientHandshakeState) serverResumedSession() bool {
1184 // If the server responded with the same sessionId then it means the
1185 // sessionTicket is being used to resume a TLS session.
1186 return hs.session != nil && hs.hello.sessionId != nil &&
1187 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1188}
1189
1190func (hs *clientHandshakeState) processServerHello() (bool, error) {
1191 c := hs.c
1192
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1193 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1194 // For test purposes, assert that the server never accepts the
1195 // resumption offer on renegotiation.
1196 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1197 return false, errors.New("tls: server resumed session on renegotiation")
1198 }
1199
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1200 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1201 return false, errors.New("tls: server sent SCT extension on session resumption")
1202 }
1203
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1204 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1205 return false, errors.New("tls: server sent OCSP extension on session resumption")
1206 }
1207
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1208 // Restore masterSecret and peerCerts from previous state
1209 hs.masterSecret = hs.session.masterSecret
1210 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1211 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1212 c.sctList = hs.session.sctList
1213 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1214 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1215 return true, nil
1216 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1217
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1218 if hs.serverHello.extensions.sctList != nil {
1219 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1220 }
1221
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1222 return false, nil
1223}
1224
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1225func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1226 c := hs.c
1227
1228 c.readRecord(recordTypeChangeCipherSpec)
1229 if err := c.in.error(); err != nil {
1230 return err
1231 }
1232
1233 msg, err := c.readHandshake()
1234 if err != nil {
1235 return err
1236 }
1237 serverFinished, ok := msg.(*finishedMsg)
1238 if !ok {
1239 c.sendAlert(alertUnexpectedMessage)
1240 return unexpectedMessageError(serverFinished, msg)
1241 }
1242
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1243 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1244 verify := hs.finishedHash.serverSum(hs.masterSecret)
1245 if len(verify) != len(serverFinished.verifyData) ||
1246 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1247 c.sendAlert(alertHandshakeFailure)
1248 return errors.New("tls: server's Finished message was incorrect")
1249 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1250 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1251 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1252 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1253 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1254 return nil
1255}
1256
1257func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1258 c := hs.c
1259
1260 // Create a session with no server identifier. Either a
1261 // session ID or session ticket will be attached.
1262 session := &ClientSessionState{
1263 vers: c.vers,
1264 cipherSuite: hs.suite.id,
1265 masterSecret: hs.masterSecret,
1266 handshakeHash: hs.finishedHash.server.Sum(nil),
1267 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1268 sctList: c.sctList,
1269 ocspResponse: c.ocspResponse,
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]1270 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)),
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1271 }
1272
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1273 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1274 if c.config.Bugs.ExpectNewTicket {
1275 return errors.New("tls: expected new ticket")
1276 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1277 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1278 session.sessionId = hs.serverHello.sessionId
1279 hs.session = session
1280 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1281 return nil
1282 }
1283
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1284 if c.vers == VersionSSL30 {
1285 return errors.New("tls: negotiated session tickets in SSL 3.0")
1286 }
1287
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1288 msg, err := c.readHandshake()
1289 if err != nil {
1290 return err
1291 }
1292 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1293 if !ok {
1294 c.sendAlert(alertUnexpectedMessage)
1295 return unexpectedMessageError(sessionTicketMsg, msg)
1296 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1297
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1298 session.sessionTicket = sessionTicketMsg.ticket
1299 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1300
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1301 hs.writeServerHash(sessionTicketMsg.marshal())
1302
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1303 return nil
1304}
1305
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1306func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1307 c := hs.c
1308
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1309 var postCCSMsgs [][]byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1310 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1311 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1312 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1313 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1314 nextProto.proto = proto
1315 c.clientProtocol = proto
1316 c.clientProtocolFallback = fallback
1317
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1318 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1319 hs.writeHash(nextProtoBytes, seqno)
1320 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1321 postCCSMsgs = append(postCCSMsgs, nextProtoBytes)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1322 }
1323
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1324 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1325 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1326 if c.config.ChannelID.Curve != elliptic.P256() {
1327 return fmt.Errorf("tls: Channel ID is not on P-256.")
1328 }
1329 var resumeHash []byte
1330 if isResume {
1331 resumeHash = hs.session.handshakeHash
1332 }
1333 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1334 if err != nil {
1335 return err
1336 }
1337 channelID := make([]byte, 128)
1338 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1339 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1340 writeIntPadded(channelID[64:96], r)
1341 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1342 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1343
1344 c.channelID = &c.config.ChannelID.PublicKey
1345
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1346 channelIDMsgBytes := channelIDMsg.marshal()
1347 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1348 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1349 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1350 }
1351
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1352 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1353 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1354 finished.verifyData = hs.finishedHash.clientSum(nil)
1355 } else {
1356 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1357 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1358 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1359 if c.config.Bugs.BadFinished {
1360 finished.verifyData[0]++
1361 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1362 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1363 hs.finishedBytes = finished.marshal()
1364 hs.writeHash(hs.finishedBytes, seqno)
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1365 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1366
1367 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1368 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5])
1369 postCCSMsgs[0] = postCCSMsgs[0][5:]
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]1370 } else if c.config.Bugs.SendUnencryptedFinished {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1371 c.writeRecord(recordTypeHandshake, postCCSMsgs[0])
1372 postCCSMsgs = postCCSMsgs[1:]
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1373 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1374 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1375
1376 if !c.config.Bugs.SkipChangeCipherSpec &&
1377 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1378 ccs := []byte{1}
1379 if c.config.Bugs.BadChangeCipherSpec != nil {
1380 ccs = c.config.Bugs.BadChangeCipherSpec
1381 }
1382 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1383 }
1384
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1385 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1386 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1387 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1388 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1389 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1390 return errors.New("tls: simulating post-CCS alert")
1391 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1392
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1393 if !c.config.Bugs.SkipFinished {
1394 for _, msg := range postCCSMsgs {
1395 c.writeRecord(recordTypeHandshake, msg)
1396 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]1397
1398 if c.config.Bugs.SendExtraFinished {
1399 c.writeRecord(recordTypeHandshake, finished.marshal())
1400 }
1401
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1402 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1403 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1404 return nil
1405}
1406
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1407func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1408 // writeClientHash is called before writeRecord.
1409 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1410}
1411
1412func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1413 // writeServerHash is called after readHandshake.
1414 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1415}
1416
1417func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1418 if hs.c.isDTLS {
1419 // This is somewhat hacky. DTLS hashes a slightly different format.
1420 // First, the TLS header.
1421 hs.finishedHash.Write(msg[:4])
1422 // Then the sequence number and reassembled fragment offset (always 0).
1423 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1424 // Then the reassembled fragment (always equal to the message length).
1425 hs.finishedHash.Write(msg[1:4])
1426 // And then the message body.
1427 hs.finishedHash.Write(msg[4:])
1428 } else {
1429 hs.finishedHash.Write(msg)
1430 }
1431}
1432
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1433// selectClientCertificate selects a certificate for use with the given
1434// certificate, or none if none match. It may return a particular certificate or
1435// nil on success, or an error on internal error.
1436func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1437 // RFC 4346 on the certificateAuthorities field:
1438 // A list of the distinguished names of acceptable certificate
1439 // authorities. These distinguished names may specify a desired
1440 // distinguished name for a root CA or for a subordinate CA; thus, this
1441 // message can be used to describe both known roots and a desired
1442 // authorization space. If the certificate_authorities list is empty
1443 // then the client MAY send any certificate of the appropriate
1444 // ClientCertificateType, unless there is some external arrangement to
1445 // the contrary.
1446
1447 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1448 if !certReq.hasRequestContext {
1449 for _, certType := range certReq.certificateTypes {
1450 switch certType {
1451 case CertTypeRSASign:
1452 rsaAvail = true
1453 case CertTypeECDSASign:
1454 ecdsaAvail = true
1455 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1456 }
1457 }
1458
1459 // We need to search our list of client certs for one
1460 // where SignatureAlgorithm is RSA and the Issuer is in
1461 // certReq.certificateAuthorities
1462findCert:
1463 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1464 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1465 continue
1466 }
1467
1468 // Ensure the private key supports one of the advertised
1469 // signature algorithms.
1470 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1471 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1472 continue
1473 }
1474 }
1475
1476 for j, cert := range chain.Certificate {
1477 x509Cert := chain.Leaf
1478 // parse the certificate if this isn't the leaf
1479 // node, or if chain.Leaf was nil
1480 if j != 0 || x509Cert == nil {
1481 var err error
1482 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1483 c.sendAlert(alertInternalError)
1484 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1485 }
1486 }
1487
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1488 if !certReq.hasRequestContext {
1489 switch {
1490 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1491 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1492 default:
1493 continue findCert
1494 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1495 }
1496
1497 if len(certReq.certificateAuthorities) == 0 {
1498 // They gave us an empty list, so just take the
1499 // first certificate of valid type from
1500 // c.config.Certificates.
1501 return &chain, nil
1502 }
1503
1504 for _, ca := range certReq.certificateAuthorities {
1505 if bytes.Equal(x509Cert.RawIssuer, ca) {
1506 return &chain, nil
1507 }
1508 }
1509 }
1510 }
1511
1512 return nil, nil
1513}
1514
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1515// clientSessionCacheKey returns a key used to cache sessionTickets that could
1516// be used to resume previously negotiated TLS sessions with a server.
1517func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1518 if len(config.ServerName) > 0 {
1519 return config.ServerName
1520 }
1521 return serverAddr.String()
1522}
1523
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1524// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1525// given list of possible protocols and a list of the preference order. The
1526// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1527// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1528func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1529 for _, s := range preferenceProtos {
1530 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1531 if s == c {
1532 return s, false
1533 }
1534 }
1535 }
1536
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1537 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1538}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1539
1540// writeIntPadded writes x into b, padded up with leading zeros as
1541// needed.
1542func writeIntPadded(b []byte, x *big.Int) {
1543 for i := range b {
1544 b[i] = 0
1545 }
1546 xb := x.Bytes()
1547 copy(b[len(b)-len(xb):], xb)
1548}