Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 5440fe0cd10aab3c106eadf9873bb6d61344e29f / . / ssl / test / runner / handshake_client.go
blob: 50f3fa8271adf28b040619a628cec1f807f14f44 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
21)
22
23type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]24 c *Conn
25 serverHello *serverHelloMsg
26 hello *clientHelloMsg
27 suite *cipherSuite
28 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]29 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]30 masterSecret []byte
31 session *ClientSessionState
32 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33}
34
35func (c *Conn) clientHandshake() error {
36 if c.config == nil {
37 c.config = defaultConfig()
38 }
39
40 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
41 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
42 }
43
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]44 c.sendHandshakeSeq = 0
45 c.recvHandshakeSeq = 0
46
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]47 nextProtosLength := 0
48 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]49 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]50 return errors.New("tls: invalid NextProtos value")
51 } else {
52 nextProtosLength += 1 + l
53 }
54 }
55 if nextProtosLength > 0xffff {
56 return errors.New("tls: NextProtos values too large")
57 }
58
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]59 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]60 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]61 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]62 compressionMethods: []uint8{compressionNone},
63 random: make([]byte, 32),
64 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]65 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]66 serverName: c.config.ServerName,
67 supportedCurves: c.config.curvePreferences(),
68 supportedPoints: []uint8{pointFormatUncompressed},
69 nextProtoNeg: len(c.config.NextProtos) > 0,
70 secureRenegotiation: []byte{},
71 alpnProtocols: c.config.NextProtos,
72 duplicateExtension: c.config.Bugs.DuplicateExtension,
73 channelIDSupported: c.config.ChannelID != nil,
74 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]75 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]76 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
77 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]78 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]79 }
80
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]81 if c.config.Bugs.SendClientVersion != 0 {
82 hello.vers = c.config.Bugs.SendClientVersion
83 }
84
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]85 if c.config.Bugs.NoExtendedMasterSecret {
86 hello.extendedMasterSecret = false
87 }
88
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]89 if c.config.Bugs.NoSupportedCurves {
90 hello.supportedCurves = nil
91 }
92
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]93 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
94 if c.config.Bugs.BadRenegotiationInfo {
95 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
96 hello.secureRenegotiation[0] ^= 0x80
97 } else {
98 hello.secureRenegotiation = c.clientVerify
99 }
100 }
101
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]102 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]103 hello.secureRenegotiation = nil
104 }
105
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]106 var keyShares map[CurveID]ecdhCurve
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]107 if hello.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]108 keyShares = make(map[CurveID]ecdhCurve)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]109 hello.hasKeyShares = true
110 curvesToSend := c.config.defaultCurves()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]111 for _, curveID := range hello.supportedCurves {
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]112 if !curvesToSend[curveID] {
113 continue
114 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]115 curve, ok := curveForCurveID(curveID)
116 if !ok {
117 continue
118 }
119 publicKey, err := curve.offer(c.config.rand())
120 if err != nil {
121 return err
122 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]123
124 if c.config.Bugs.SendCurve != 0 {
125 curveID = c.config.Bugs.SendCurve
126 }
127 if c.config.Bugs.InvalidECDHPoint {
128 publicKey[0] ^= 0xff
129 }
130
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]131 hello.keyShares = append(hello.keyShares, keyShareEntry{
132 group: curveID,
133 keyExchange: publicKey,
134 })
135 keyShares[curveID] = curve
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]136
137 if c.config.Bugs.DuplicateKeyShares {
138 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1])
139 }
140 }
141
142 if c.config.Bugs.MissingKeyShare {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]143 hello.hasKeyShares = false
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]144 }
145 }
146
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]147 possibleCipherSuites := c.config.cipherSuites()
148 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
149
150NextCipherSuite:
151 for _, suiteId := range possibleCipherSuites {
152 for _, suite := range cipherSuites {
153 if suite.id != suiteId {
154 continue
155 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]156 if !c.config.Bugs.EnableAllCiphers {
157 // Don't advertise TLS 1.2-only cipher suites unless
158 // we're attempting TLS 1.2.
159 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
160 continue
161 }
162 // Don't advertise non-DTLS cipher suites in DTLS.
163 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
164 continue
165 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]166 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]167 hello.cipherSuites = append(hello.cipherSuites, suiteId)
168 continue NextCipherSuite
169 }
170 }
171
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]172 if c.config.Bugs.SendRenegotiationSCSV {
173 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
174 }
175
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]176 if c.config.Bugs.SendFallbackSCSV {
177 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
178 }
179
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]180 _, err := io.ReadFull(c.config.rand(), hello.random)
181 if err != nil {
182 c.sendAlert(alertInternalError)
183 return errors.New("tls: short read from Rand: " + err.Error())
184 }
185
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]186 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]187 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 }
189
190 var session *ClientSessionState
191 var cacheKey string
192 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]193
194 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]195 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]196
197 // Try to resume a previously negotiated TLS session, if
198 // available.
199 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
200 candidateSession, ok := sessionCache.Get(cacheKey)
201 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]202 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
203
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]204 // Check that the ciphersuite/version used for the
205 // previous session are still valid.
206 cipherSuiteOk := false
207 for _, id := range hello.cipherSuites {
208 if id == candidateSession.cipherSuite {
209 cipherSuiteOk = true
210 break
211 }
212 }
213
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]214 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
215 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]216 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]217 session = candidateSession
218 }
219 }
220 }
221
222 if session != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]223 if session.sessionTicket != nil {
224 hello.sessionTicket = session.sessionTicket
225 if c.config.Bugs.CorruptTicket {
226 hello.sessionTicket = make([]byte, len(session.sessionTicket))
227 copy(hello.sessionTicket, session.sessionTicket)
228 if len(hello.sessionTicket) > 0 {
229 offset := 40
230 if offset > len(hello.sessionTicket) {
231 offset = len(hello.sessionTicket) - 1
232 }
233 hello.sessionTicket[offset] ^= 0x40
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]234 }
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]235 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]236 // A random session ID is used to detect when the
237 // server accepted the ticket and is resuming a session
238 // (see RFC 5077).
239 sessionIdLen := 16
240 if c.config.Bugs.OversizedSessionId {
241 sessionIdLen = 33
242 }
243 hello.sessionId = make([]byte, sessionIdLen)
244 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
245 c.sendAlert(alertInternalError)
246 return errors.New("tls: short read from Rand: " + err.Error())
247 }
248 } else {
249 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]250 }
251 }
252
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]253 var helloBytes []byte
254 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]255 // Test that the peer left-pads random.
256 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]257 v2Hello := &v2ClientHelloMsg{
258 vers: hello.vers,
259 cipherSuites: hello.cipherSuites,
260 // No session resumption for V2ClientHello.
261 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]262 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]263 }
264 helloBytes = v2Hello.marshal()
265 c.writeV2Record(helloBytes)
266 } else {
267 helloBytes = hello.marshal()
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]268 if c.config.Bugs.PartialClientFinishedWithClientHello {
269 // Include one byte of Finished. We can compute it
270 // without completing the handshake. This assumes we
271 // negotiate TLS 1.3 with no HelloRetryRequest or
272 // CertificateRequest.
273 toWrite := make([]byte, 0, len(helloBytes)+1)
274 toWrite = append(toWrite, helloBytes...)
275 toWrite = append(toWrite, typeFinished)
276 c.writeRecord(recordTypeHandshake, toWrite)
277 } else {
278 c.writeRecord(recordTypeHandshake, helloBytes)
279 }
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]280 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]281 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]282
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]283 if err := c.simulatePacketLoss(nil); err != nil {
284 return err
285 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]286 msg, err := c.readHandshake()
287 if err != nil {
288 return err
289 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]290
291 if c.isDTLS {
292 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
293 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]294 if helloVerifyRequest.vers != VersionTLS10 {
295 // Per RFC 6347, the version field in
296 // HelloVerifyRequest SHOULD be always DTLS
297 // 1.0. Enforce this for testing purposes.
298 return errors.New("dtls: bad HelloVerifyRequest version")
299 }
300
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]301 hello.raw = nil
302 hello.cookie = helloVerifyRequest.cookie
303 helloBytes = hello.marshal()
304 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]305 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]306
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]307 if err := c.simulatePacketLoss(nil); err != nil {
308 return err
309 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]310 msg, err = c.readHandshake()
311 if err != nil {
312 return err
313 }
314 }
315 }
316
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]317 var serverVersion uint16
318 switch m := msg.(type) {
319 case *helloRetryRequestMsg:
320 serverVersion = m.vers
321 case *serverHelloMsg:
322 serverVersion = m.vers
323 default:
324 c.sendAlert(alertUnexpectedMessage)
325 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
326 }
327
328 var ok bool
329 c.vers, ok = c.config.mutualVersion(serverVersion, c.isDTLS)
330 if !ok {
331 c.sendAlert(alertProtocolVersion)
332 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
333 }
334 c.haveVers = true
335
336 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg)
337 var secondHelloBytes []byte
338 if haveHelloRetryRequest {
339 var hrrCurveFound bool
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]340 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 {
341 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve
342 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]343 group := helloRetryRequest.selectedGroup
344 for _, curveID := range hello.supportedCurves {
345 if group == curveID {
346 hrrCurveFound = true
347 break
348 }
349 }
350 if !hrrCurveFound || keyShares[group] != nil {
351 c.sendAlert(alertHandshakeFailure)
352 return errors.New("tls: received invalid HelloRetryRequest")
353 }
354 curve, ok := curveForCurveID(group)
355 if !ok {
356 return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
357 }
358 publicKey, err := curve.offer(c.config.rand())
359 if err != nil {
360 return err
361 }
362 keyShares[group] = curve
363 hello.keyShares = append(hello.keyShares, keyShareEntry{
364 group: group,
365 keyExchange: publicKey,
366 })
367
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]368 if c.config.Bugs.SecondClientHelloMissingKeyShare {
369 hello.hasKeyShares = false
370 }
371
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]372 hello.hasEarlyData = false
373 hello.earlyDataContext = nil
374 hello.raw = nil
375
376 secondHelloBytes = hello.marshal()
377 c.writeRecord(recordTypeHandshake, secondHelloBytes)
378 c.flushHandshake()
379
380 msg, err = c.readHandshake()
381 if err != nil {
382 return err
383 }
384 }
385
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]386 serverHello, ok := msg.(*serverHelloMsg)
387 if !ok {
388 c.sendAlert(alertUnexpectedMessage)
389 return unexpectedMessageError(serverHello, msg)
390 }
391
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]392 if c.vers != serverHello.vers {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]393 c.sendAlert(alertProtocolVersion)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]394 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverHello.vers, c.vers)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]395 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]396
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]397 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]398 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]399 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]400 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]401 c.sendAlert(alertProtocolVersion)
402 return errors.New("tls: downgrade from TLS 1.3 detected")
403 }
404 }
405 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]406 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]407 c.sendAlert(alertProtocolVersion)
408 return errors.New("tls: downgrade from TLS 1.2 detected")
409 }
410 }
411
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]412 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
413 if suite == nil {
414 c.sendAlert(alertHandshakeFailure)
415 return fmt.Errorf("tls: server selected an unsupported cipher suite")
416 }
417
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]418 if haveHelloRetryRequest && (helloRetryRequest.cipherSuite != serverHello.cipherSuite || helloRetryRequest.selectedGroup != serverHello.keyShare.group) {
419 c.sendAlert(alertHandshakeFailure)
420 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
421 }
422
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]423 hs := &clientHandshakeState{
424 c: c,
425 serverHello: serverHello,
426 hello: hello,
427 suite: suite,
428 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]429 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]430 session: session,
431 }
432
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]433 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]434 if haveHelloRetryRequest {
435 hs.writeServerHash(helloRetryRequest.marshal())
436 hs.writeClientHash(secondHelloBytes)
437 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]438 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]439
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]440 if c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]441 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]442 return err
443 }
444 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]445 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
446 hs.establishKeys()
447 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
448 }
449
450 if hs.serverHello.compressionMethod != compressionNone {
451 c.sendAlert(alertUnexpectedMessage)
452 return errors.New("tls: server selected unsupported compression format")
453 }
454
455 err = hs.processServerExtensions(&serverHello.extensions)
456 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]457 return err
458 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]459
460 isResume, err := hs.processServerHello()
461 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]462 return err
463 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]464
465 if isResume {
466 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
467 if err := hs.establishKeys(); err != nil {
468 return err
469 }
470 }
471 if err := hs.readSessionTicket(); err != nil {
472 return err
473 }
474 if err := hs.readFinished(c.firstFinished[:]); err != nil {
475 return err
476 }
477 if err := hs.sendFinished(nil, isResume); err != nil {
478 return err
479 }
480 } else {
481 if err := hs.doFullHandshake(); err != nil {
482 return err
483 }
484 if err := hs.establishKeys(); err != nil {
485 return err
486 }
487 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
488 return err
489 }
490 // Most retransmits are triggered by a timeout, but the final
491 // leg of the handshake is retransmited upon re-receiving a
492 // Finished.
493 if err := c.simulatePacketLoss(func() {
494 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
495 c.flushHandshake()
496 }); err != nil {
497 return err
498 }
499 if err := hs.readSessionTicket(); err != nil {
500 return err
501 }
502 if err := hs.readFinished(nil); err != nil {
503 return err
504 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]505 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]506
507 if sessionCache != nil && hs.session != nil && session != hs.session {
508 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
509 return errors.New("tls: new session used session IDs instead of tickets")
510 }
511 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]512 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]513
514 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]515 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]516 }
517
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]518 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]519 c.cipherSuite = suite
520 copy(c.clientRandom[:], hs.hello.random)
521 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]522
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]523 return nil
524}
525
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]526func (hs *clientHandshakeState) doTLS13Handshake() error {
527 c := hs.c
528
529 // Once the PRF hash is known, TLS 1.3 does not require a handshake
530 // buffer.
531 hs.finishedHash.discardHandshakeBuffer()
532
533 zeroSecret := hs.finishedHash.zeroSecret()
534
535 // Resolve PSK and compute the early secret.
536 //
537 // TODO(davidben): This will need to be handled slightly earlier once
538 // 0-RTT is implemented.
539 var psk []byte
540 if hs.suite.flags&suitePSK != 0 {
541 if !hs.serverHello.hasPSKIdentity {
542 c.sendAlert(alertMissingExtension)
543 return errors.New("tls: server omitted the PSK identity extension")
544 }
545
546 // TODO(davidben): Support PSK ciphers and PSK resumption. Set
547 // the resumption context appropriately if resuming.
548 return errors.New("tls: PSK ciphers not implemented for TLS 1.3")
549 } else {
550 if hs.serverHello.hasPSKIdentity {
551 c.sendAlert(alertUnsupportedExtension)
552 return errors.New("tls: server sent unexpected PSK identity")
553 }
554
555 psk = zeroSecret
556 hs.finishedHash.setResumptionContext(zeroSecret)
557 }
558
559 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
560
561 // Resolve ECDHE and compute the handshake secret.
562 var ecdheSecret []byte
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]563 if hs.suite.flags&suiteECDHE != 0 && !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]564 if !hs.serverHello.hasKeyShare {
565 c.sendAlert(alertMissingExtension)
566 return errors.New("tls: server omitted the key share extension")
567 }
568
569 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
570 if !ok {
571 c.sendAlert(alertHandshakeFailure)
572 return errors.New("tls: server selected an unsupported group")
573 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]574 c.curveID = hs.serverHello.keyShare.group
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]575
576 var err error
577 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
578 if err != nil {
579 return err
580 }
581 } else {
582 if hs.serverHello.hasKeyShare {
583 c.sendAlert(alertUnsupportedExtension)
584 return errors.New("tls: server sent unexpected key share extension")
585 }
586
587 ecdheSecret = zeroSecret
588 }
589
590 // Compute the handshake secret.
591 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
592
593 // Switch to handshake traffic keys.
594 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
595 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite), c.vers)
596 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite), c.vers)
597
598 msg, err := c.readHandshake()
599 if err != nil {
600 return err
601 }
602
603 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
604 if !ok {
605 c.sendAlert(alertUnexpectedMessage)
606 return unexpectedMessageError(encryptedExtensions, msg)
607 }
608 hs.writeServerHash(encryptedExtensions.marshal())
609
610 err = hs.processServerExtensions(&encryptedExtensions.extensions)
611 if err != nil {
612 return err
613 }
614
615 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]616 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]617 if hs.suite.flags&suitePSK != 0 {
618 if encryptedExtensions.extensions.ocspResponse != nil {
619 c.sendAlert(alertUnsupportedExtension)
620 return errors.New("tls: server sent OCSP response without a certificate")
621 }
622 if encryptedExtensions.extensions.sctList != nil {
623 c.sendAlert(alertUnsupportedExtension)
624 return errors.New("tls: server sent SCT list without a certificate")
625 }
626 } else {
627 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
628 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]629
630 msg, err := c.readHandshake()
631 if err != nil {
632 return err
633 }
634
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]635 var ok bool
636 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]637 if ok {
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]638 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
639 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
640 }
641
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]642 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]643
644 chainToSend, err = selectClientCertificate(c, certReq)
645 if err != nil {
646 return err
647 }
648
649 msg, err = c.readHandshake()
650 if err != nil {
651 return err
652 }
653 }
654
655 certMsg, ok := msg.(*certificateMsg)
656 if !ok {
657 c.sendAlert(alertUnexpectedMessage)
658 return unexpectedMessageError(certMsg, msg)
659 }
660 hs.writeServerHash(certMsg.marshal())
661
662 if err := hs.verifyCertificates(certMsg); err != nil {
663 return err
664 }
665 leaf := c.peerCertificates[0]
666
667 msg, err = c.readHandshake()
668 if err != nil {
669 return err
670 }
671 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
672 if !ok {
673 c.sendAlert(alertUnexpectedMessage)
674 return unexpectedMessageError(certVerifyMsg, msg)
675 }
676
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]677 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]678 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]679 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]680 if err != nil {
681 return err
682 }
683
684 hs.writeServerHash(certVerifyMsg.marshal())
685 }
686
687 msg, err = c.readHandshake()
688 if err != nil {
689 return err
690 }
691 serverFinished, ok := msg.(*finishedMsg)
692 if !ok {
693 c.sendAlert(alertUnexpectedMessage)
694 return unexpectedMessageError(serverFinished, msg)
695 }
696
697 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
698 if len(verify) != len(serverFinished.verifyData) ||
699 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
700 c.sendAlert(alertHandshakeFailure)
701 return errors.New("tls: server's Finished message was incorrect")
702 }
703
704 hs.writeServerHash(serverFinished.marshal())
705
706 // The various secrets do not incorporate the client's final leg, so
707 // derive them now before updating the handshake context.
708 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
709 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
710
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]711 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]712 certMsg := &certificateMsg{
713 hasRequestContext: true,
714 requestContext: certReq.requestContext,
715 }
716 if chainToSend != nil {
717 certMsg.certificates = chainToSend.Certificate
718 }
719 hs.writeClientHash(certMsg.marshal())
720 c.writeRecord(recordTypeHandshake, certMsg.marshal())
721
722 if chainToSend != nil {
723 certVerify := &certificateVerifyMsg{
724 hasSignatureAlgorithm: true,
725 }
726
727 // Determine the hash to sign.
728 privKey := chainToSend.PrivateKey
729
730 var err error
731 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
732 if err != nil {
733 c.sendAlert(alertInternalError)
734 return err
735 }
736
737 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
738 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
739 if err != nil {
740 c.sendAlert(alertInternalError)
741 return err
742 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]743 if c.config.Bugs.SendSignatureAlgorithm != 0 {
744 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
745 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]746
747 hs.writeClientHash(certVerify.marshal())
748 c.writeRecord(recordTypeHandshake, certVerify.marshal())
749 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]750 }
751
752 // Send a client Finished message.
753 finished := new(finishedMsg)
754 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
755 if c.config.Bugs.BadFinished {
756 finished.verifyData[0]++
757 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]758 hs.writeClientHash(finished.marshal())
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]759 if c.config.Bugs.PartialClientFinishedWithClientHello {
760 // The first byte has already been sent.
761 c.writeRecord(recordTypeHandshake, finished.marshal()[1:])
762 } else {
763 c.writeRecord(recordTypeHandshake, finished.marshal())
764 }
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]765 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]766
767 // Switch to application data keys.
768 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers)
769 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
770
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]771 // TODO(davidben): Derive and save the resumption master secret for receiving tickets.
772 // TODO(davidben): Save the traffic secret for KeyUpdate.
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]773 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]774 return nil
775}
776
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]777func (hs *clientHandshakeState) doFullHandshake() error {
778 c := hs.c
779
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]780 var leaf *x509.Certificate
781 if hs.suite.flags&suitePSK == 0 {
782 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]783 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]784 return err
785 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]786
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]787 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]788 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]789 c.sendAlert(alertUnexpectedMessage)
790 return unexpectedMessageError(certMsg, msg)
791 }
792 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]793
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]794 if err := hs.verifyCertificates(certMsg); err != nil {
795 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]796 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]797 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]798 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]799
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]800 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]801 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]802 if err != nil {
803 return err
804 }
805 cs, ok := msg.(*certificateStatusMsg)
806 if !ok {
807 c.sendAlert(alertUnexpectedMessage)
808 return unexpectedMessageError(cs, msg)
809 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]810 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]811
812 if cs.statusType == statusTypeOCSP {
813 c.ocspResponse = cs.response
814 }
815 }
816
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]817 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]818 if err != nil {
819 return err
820 }
821
822 keyAgreement := hs.suite.ka(c.vers)
823
824 skx, ok := msg.(*serverKeyExchangeMsg)
825 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]826 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]827 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]828 if err != nil {
829 c.sendAlert(alertUnexpectedMessage)
830 return err
831 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame^]832 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
833 c.curveID = ecdhe.curveID
834 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]836 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
837
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838 msg, err = c.readHandshake()
839 if err != nil {
840 return err
841 }
842 }
843
844 var chainToSend *Certificate
845 var certRequested bool
846 certReq, ok := msg.(*certificateRequestMsg)
847 if ok {
848 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]849 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
850 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
851 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]852
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]853 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]854
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]855 chainToSend, err = selectClientCertificate(c, certReq)
856 if err != nil {
857 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]858 }
859
860 msg, err = c.readHandshake()
861 if err != nil {
862 return err
863 }
864 }
865
866 shd, ok := msg.(*serverHelloDoneMsg)
867 if !ok {
868 c.sendAlert(alertUnexpectedMessage)
869 return unexpectedMessageError(shd, msg)
870 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]871 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]872
873 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]874 // Certificate message in TLS, even if it's empty because we don't have
875 // a certificate to send. In SSL 3.0, skip the message and send a
876 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]877 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]878 if c.vers == VersionSSL30 && chainToSend == nil {
879 c.sendAlert(alertNoCertficate)
880 } else if !c.config.Bugs.SkipClientCertificate {
881 certMsg := new(certificateMsg)
882 if chainToSend != nil {
883 certMsg.certificates = chainToSend.Certificate
884 }
885 hs.writeClientHash(certMsg.marshal())
886 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]887 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]888 }
889
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]890 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]891 if err != nil {
892 c.sendAlert(alertInternalError)
893 return err
894 }
895 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]896 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]897 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]898 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]899 c.writeRecord(recordTypeHandshake, ckx.marshal())
900 }
901
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]902 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]903 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
904 c.extendedMasterSecret = true
905 } else {
906 if c.config.Bugs.RequireExtendedMasterSecret {
907 return errors.New("tls: extended master secret required but not supported by peer")
908 }
909 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
910 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]911
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]912 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]913 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]914 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]915 }
916
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]917 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]918 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]919
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]920 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]921 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]922 if err != nil {
923 c.sendAlert(alertInternalError)
924 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]925 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]926 }
927
928 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]929 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]930 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
931 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
932 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]933 } else {
934 // SSL 3.0's client certificate construction is
935 // incompatible with signatureAlgorithm.
936 rsaKey, ok := privKey.(*rsa.PrivateKey)
937 if !ok {
938 err = errors.New("unsupported signature type for client certificate")
939 } else {
940 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]941 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]942 digest[0] ^= 0x80
943 }
944 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
945 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]946 }
947 if err != nil {
948 c.sendAlert(alertInternalError)
949 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
950 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]951
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]952 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]953 c.writeRecord(recordTypeHandshake, certVerify.marshal())
954 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]955 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]956
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]957 hs.finishedHash.discardHandshakeBuffer()
958
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]959 return nil
960}
961
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]962func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
963 c := hs.c
964
965 if len(certMsg.certificates) == 0 {
966 c.sendAlert(alertIllegalParameter)
967 return errors.New("tls: no certificates sent")
968 }
969
970 certs := make([]*x509.Certificate, len(certMsg.certificates))
971 for i, asn1Data := range certMsg.certificates {
972 cert, err := x509.ParseCertificate(asn1Data)
973 if err != nil {
974 c.sendAlert(alertBadCertificate)
975 return errors.New("tls: failed to parse certificate from server: " + err.Error())
976 }
977 certs[i] = cert
978 }
979
980 if !c.config.InsecureSkipVerify {
981 opts := x509.VerifyOptions{
982 Roots: c.config.RootCAs,
983 CurrentTime: c.config.time(),
984 DNSName: c.config.ServerName,
985 Intermediates: x509.NewCertPool(),
986 }
987
988 for i, cert := range certs {
989 if i == 0 {
990 continue
991 }
992 opts.Intermediates.AddCert(cert)
993 }
994 var err error
995 c.verifiedChains, err = certs[0].Verify(opts)
996 if err != nil {
997 c.sendAlert(alertBadCertificate)
998 return err
999 }
1000 }
1001
1002 switch certs[0].PublicKey.(type) {
1003 case *rsa.PublicKey, *ecdsa.PublicKey:
1004 break
1005 default:
1006 c.sendAlert(alertUnsupportedCertificate)
1007 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
1008 }
1009
1010 c.peerCertificates = certs
1011 return nil
1012}
1013
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1014func (hs *clientHandshakeState) establishKeys() error {
1015 c := hs.c
1016
1017 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1018 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1019 var clientCipher, serverCipher interface{}
1020 var clientHash, serverHash macFunction
1021 if hs.suite.cipher != nil {
1022 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
1023 clientHash = hs.suite.mac(c.vers, clientMAC)
1024 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
1025 serverHash = hs.suite.mac(c.vers, serverMAC)
1026 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1027 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
1028 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1029 }
1030
1031 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
1032 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
1033 return nil
1034}
1035
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1036func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
1037 c := hs.c
1038
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1039 if c.vers < VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1040 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
1041 return errors.New("tls: renegotiation extension missing")
1042 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1043
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1044 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
1045 var expectedRenegInfo []byte
1046 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
1047 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
1048 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
1049 c.sendAlert(alertHandshakeFailure)
1050 return fmt.Errorf("tls: renegotiation mismatch")
1051 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1052 }
David Benjamincea0ab42016-07-14 12:33:14 -0400[diff] [blame]1053 } else if serverExtensions.secureRenegotiation != nil {
1054 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1055 }
1056
1057 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1058 if serverExtensions.customExtension != *expected {
1059 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
1060 }
1061 }
1062
1063 clientDidNPN := hs.hello.nextProtoNeg
1064 clientDidALPN := len(hs.hello.alpnProtocols) > 0
1065 serverHasNPN := serverExtensions.nextProtoNeg
1066 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
1067
1068 if !clientDidNPN && serverHasNPN {
1069 c.sendAlert(alertHandshakeFailure)
1070 return errors.New("server advertised unrequested NPN extension")
1071 }
1072
1073 if !clientDidALPN && serverHasALPN {
1074 c.sendAlert(alertHandshakeFailure)
1075 return errors.New("server advertised unrequested ALPN extension")
1076 }
1077
1078 if serverHasNPN && serverHasALPN {
1079 c.sendAlert(alertHandshakeFailure)
1080 return errors.New("server advertised both NPN and ALPN extensions")
1081 }
1082
1083 if serverHasALPN {
1084 c.clientProtocol = serverExtensions.alpnProtocol
1085 c.clientProtocolFallback = false
1086 c.usedALPN = true
1087 }
1088
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1089 if serverHasNPN && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1090 c.sendAlert(alertHandshakeFailure)
1091 return errors.New("server advertised NPN over TLS 1.3")
1092 }
1093
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1094 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
1095 c.sendAlert(alertHandshakeFailure)
1096 return errors.New("server advertised unrequested Channel ID extension")
1097 }
1098
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1099 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1100 c.sendAlert(alertHandshakeFailure)
1101 return errors.New("server advertised Channel ID over TLS 1.3")
1102 }
1103
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1104 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 {
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]1105 return errors.New("tls: server advertised extended master secret over TLS 1.3")
1106 }
1107
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1108 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1109 return errors.New("tls: server advertised ticket extension over TLS 1.3")
1110 }
1111
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1112 if serverExtensions.srtpProtectionProfile != 0 {
1113 if serverExtensions.srtpMasterKeyIdentifier != "" {
1114 return errors.New("tls: server selected SRTP MKI value")
1115 }
1116
1117 found := false
1118 for _, p := range c.config.SRTPProtectionProfiles {
1119 if p == serverExtensions.srtpProtectionProfile {
1120 found = true
1121 break
1122 }
1123 }
1124 if !found {
1125 return errors.New("tls: server advertised unsupported SRTP profile")
1126 }
1127
1128 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1129 }
1130
1131 return nil
1132}
1133
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1134func (hs *clientHandshakeState) serverResumedSession() bool {
1135 // If the server responded with the same sessionId then it means the
1136 // sessionTicket is being used to resume a TLS session.
1137 return hs.session != nil && hs.hello.sessionId != nil &&
1138 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1139}
1140
1141func (hs *clientHandshakeState) processServerHello() (bool, error) {
1142 c := hs.c
1143
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1144 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1145 // For test purposes, assert that the server never accepts the
1146 // resumption offer on renegotiation.
1147 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1148 return false, errors.New("tls: server resumed session on renegotiation")
1149 }
1150
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1151 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1152 return false, errors.New("tls: server sent SCT extension on session resumption")
1153 }
1154
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1155 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1156 return false, errors.New("tls: server sent OCSP extension on session resumption")
1157 }
1158
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1159 // Restore masterSecret and peerCerts from previous state
1160 hs.masterSecret = hs.session.masterSecret
1161 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1162 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1163 c.sctList = hs.session.sctList
1164 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1165 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1166 return true, nil
1167 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1168
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1169 if hs.serverHello.extensions.sctList != nil {
1170 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1171 }
1172
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1173 return false, nil
1174}
1175
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1176func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1177 c := hs.c
1178
1179 c.readRecord(recordTypeChangeCipherSpec)
1180 if err := c.in.error(); err != nil {
1181 return err
1182 }
1183
1184 msg, err := c.readHandshake()
1185 if err != nil {
1186 return err
1187 }
1188 serverFinished, ok := msg.(*finishedMsg)
1189 if !ok {
1190 c.sendAlert(alertUnexpectedMessage)
1191 return unexpectedMessageError(serverFinished, msg)
1192 }
1193
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1194 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1195 verify := hs.finishedHash.serverSum(hs.masterSecret)
1196 if len(verify) != len(serverFinished.verifyData) ||
1197 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1198 c.sendAlert(alertHandshakeFailure)
1199 return errors.New("tls: server's Finished message was incorrect")
1200 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1201 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1202 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1203 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1204 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1205 return nil
1206}
1207
1208func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1209 c := hs.c
1210
1211 // Create a session with no server identifier. Either a
1212 // session ID or session ticket will be attached.
1213 session := &ClientSessionState{
1214 vers: c.vers,
1215 cipherSuite: hs.suite.id,
1216 masterSecret: hs.masterSecret,
1217 handshakeHash: hs.finishedHash.server.Sum(nil),
1218 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1219 sctList: c.sctList,
1220 ocspResponse: c.ocspResponse,
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1221 }
1222
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1223 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1224 if c.config.Bugs.ExpectNewTicket {
1225 return errors.New("tls: expected new ticket")
1226 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1227 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1228 session.sessionId = hs.serverHello.sessionId
1229 hs.session = session
1230 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1231 return nil
1232 }
1233
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1234 if c.vers == VersionSSL30 {
1235 return errors.New("tls: negotiated session tickets in SSL 3.0")
1236 }
1237
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1238 msg, err := c.readHandshake()
1239 if err != nil {
1240 return err
1241 }
1242 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1243 if !ok {
1244 c.sendAlert(alertUnexpectedMessage)
1245 return unexpectedMessageError(sessionTicketMsg, msg)
1246 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1247
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1248 session.sessionTicket = sessionTicketMsg.ticket
1249 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1250
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1251 hs.writeServerHash(sessionTicketMsg.marshal())
1252
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1253 return nil
1254}
1255
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1256func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1257 c := hs.c
1258
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1259 var postCCSMsgs [][]byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1260 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1261 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1262 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1263 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1264 nextProto.proto = proto
1265 c.clientProtocol = proto
1266 c.clientProtocolFallback = fallback
1267
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1268 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1269 hs.writeHash(nextProtoBytes, seqno)
1270 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1271 postCCSMsgs = append(postCCSMsgs, nextProtoBytes)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1272 }
1273
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1274 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1275 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1276 if c.config.ChannelID.Curve != elliptic.P256() {
1277 return fmt.Errorf("tls: Channel ID is not on P-256.")
1278 }
1279 var resumeHash []byte
1280 if isResume {
1281 resumeHash = hs.session.handshakeHash
1282 }
1283 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1284 if err != nil {
1285 return err
1286 }
1287 channelID := make([]byte, 128)
1288 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1289 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1290 writeIntPadded(channelID[64:96], r)
1291 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1292 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1293
1294 c.channelID = &c.config.ChannelID.PublicKey
1295
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1296 channelIDMsgBytes := channelIDMsg.marshal()
1297 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1298 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1299 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1300 }
1301
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1302 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1303 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1304 finished.verifyData = hs.finishedHash.clientSum(nil)
1305 } else {
1306 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1307 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1308 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1309 if c.config.Bugs.BadFinished {
1310 finished.verifyData[0]++
1311 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1312 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1313 hs.finishedBytes = finished.marshal()
1314 hs.writeHash(hs.finishedBytes, seqno)
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1315 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1316
1317 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1318 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5])
1319 postCCSMsgs[0] = postCCSMsgs[0][5:]
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]1320 } else if c.config.Bugs.SendUnencryptedFinished {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1321 c.writeRecord(recordTypeHandshake, postCCSMsgs[0])
1322 postCCSMsgs = postCCSMsgs[1:]
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1323 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1324 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1325
1326 if !c.config.Bugs.SkipChangeCipherSpec &&
1327 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1328 ccs := []byte{1}
1329 if c.config.Bugs.BadChangeCipherSpec != nil {
1330 ccs = c.config.Bugs.BadChangeCipherSpec
1331 }
1332 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1333 }
1334
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1335 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1336 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1337 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1338 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1339 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1340 return errors.New("tls: simulating post-CCS alert")
1341 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1342
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1343 if !c.config.Bugs.SkipFinished {
1344 for _, msg := range postCCSMsgs {
1345 c.writeRecord(recordTypeHandshake, msg)
1346 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1347 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1348 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1349 return nil
1350}
1351
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1352func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1353 // writeClientHash is called before writeRecord.
1354 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1355}
1356
1357func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1358 // writeServerHash is called after readHandshake.
1359 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1360}
1361
1362func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1363 if hs.c.isDTLS {
1364 // This is somewhat hacky. DTLS hashes a slightly different format.
1365 // First, the TLS header.
1366 hs.finishedHash.Write(msg[:4])
1367 // Then the sequence number and reassembled fragment offset (always 0).
1368 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1369 // Then the reassembled fragment (always equal to the message length).
1370 hs.finishedHash.Write(msg[1:4])
1371 // And then the message body.
1372 hs.finishedHash.Write(msg[4:])
1373 } else {
1374 hs.finishedHash.Write(msg)
1375 }
1376}
1377
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1378// selectClientCertificate selects a certificate for use with the given
1379// certificate, or none if none match. It may return a particular certificate or
1380// nil on success, or an error on internal error.
1381func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1382 // RFC 4346 on the certificateAuthorities field:
1383 // A list of the distinguished names of acceptable certificate
1384 // authorities. These distinguished names may specify a desired
1385 // distinguished name for a root CA or for a subordinate CA; thus, this
1386 // message can be used to describe both known roots and a desired
1387 // authorization space. If the certificate_authorities list is empty
1388 // then the client MAY send any certificate of the appropriate
1389 // ClientCertificateType, unless there is some external arrangement to
1390 // the contrary.
1391
1392 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1393 if !certReq.hasRequestContext {
1394 for _, certType := range certReq.certificateTypes {
1395 switch certType {
1396 case CertTypeRSASign:
1397 rsaAvail = true
1398 case CertTypeECDSASign:
1399 ecdsaAvail = true
1400 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1401 }
1402 }
1403
1404 // We need to search our list of client certs for one
1405 // where SignatureAlgorithm is RSA and the Issuer is in
1406 // certReq.certificateAuthorities
1407findCert:
1408 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1409 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1410 continue
1411 }
1412
1413 // Ensure the private key supports one of the advertised
1414 // signature algorithms.
1415 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1416 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1417 continue
1418 }
1419 }
1420
1421 for j, cert := range chain.Certificate {
1422 x509Cert := chain.Leaf
1423 // parse the certificate if this isn't the leaf
1424 // node, or if chain.Leaf was nil
1425 if j != 0 || x509Cert == nil {
1426 var err error
1427 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1428 c.sendAlert(alertInternalError)
1429 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1430 }
1431 }
1432
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1433 if !certReq.hasRequestContext {
1434 switch {
1435 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1436 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1437 default:
1438 continue findCert
1439 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1440 }
1441
1442 if len(certReq.certificateAuthorities) == 0 {
1443 // They gave us an empty list, so just take the
1444 // first certificate of valid type from
1445 // c.config.Certificates.
1446 return &chain, nil
1447 }
1448
1449 for _, ca := range certReq.certificateAuthorities {
1450 if bytes.Equal(x509Cert.RawIssuer, ca) {
1451 return &chain, nil
1452 }
1453 }
1454 }
1455 }
1456
1457 return nil, nil
1458}
1459
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1460// clientSessionCacheKey returns a key used to cache sessionTickets that could
1461// be used to resume previously negotiated TLS sessions with a server.
1462func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1463 if len(config.ServerName) > 0 {
1464 return config.ServerName
1465 }
1466 return serverAddr.String()
1467}
1468
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1469// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1470// given list of possible protocols and a list of the preference order. The
1471// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1472// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1473func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1474 for _, s := range preferenceProtos {
1475 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1476 if s == c {
1477 return s, false
1478 }
1479 }
1480 }
1481
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1482 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1483}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1484
1485// writeIntPadded writes x into b, padded up with leading zeros as
1486// needed.
1487func writeIntPadded(b []byte, x *big.Int) {
1488 for i := range b {
1489 b[i] = 0
1490 }
1491 xb := x.Bytes()
1492 copy(b[len(b)-len(xb):], xb)
1493}