Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 97a0a0829331ca51d730adec5b74ec520c8b3ebd / . / ssl / test / runner / handshake_client.go
blob: 10c847e3418600d8e0fef52f93421dc8fa44030c [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
21)
22
23type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]24 c *Conn
25 serverHello *serverHelloMsg
26 hello *clientHelloMsg
27 suite *cipherSuite
28 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]29 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]30 masterSecret []byte
31 session *ClientSessionState
32 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33}
34
35func (c *Conn) clientHandshake() error {
36 if c.config == nil {
37 c.config = defaultConfig()
38 }
39
40 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
41 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
42 }
43
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]44 c.sendHandshakeSeq = 0
45 c.recvHandshakeSeq = 0
46
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]47 nextProtosLength := 0
48 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]49 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]50 return errors.New("tls: invalid NextProtos value")
51 } else {
52 nextProtosLength += 1 + l
53 }
54 }
55 if nextProtosLength > 0xffff {
56 return errors.New("tls: NextProtos values too large")
57 }
58
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]59 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]60 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]61 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]62 compressionMethods: []uint8{compressionNone},
63 random: make([]byte, 32),
64 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]65 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]66 serverName: c.config.ServerName,
67 supportedCurves: c.config.curvePreferences(),
68 supportedPoints: []uint8{pointFormatUncompressed},
69 nextProtoNeg: len(c.config.NextProtos) > 0,
70 secureRenegotiation: []byte{},
71 alpnProtocols: c.config.NextProtos,
72 duplicateExtension: c.config.Bugs.DuplicateExtension,
73 channelIDSupported: c.config.ChannelID != nil,
74 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]75 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]76 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
77 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]78 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]79 }
80
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]81 if c.config.Bugs.SendClientVersion != 0 {
82 hello.vers = c.config.Bugs.SendClientVersion
83 }
84
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]85 if c.config.Bugs.NoExtendedMasterSecret {
86 hello.extendedMasterSecret = false
87 }
88
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]89 if c.config.Bugs.NoSupportedCurves {
90 hello.supportedCurves = nil
91 }
92
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]93 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
94 if c.config.Bugs.BadRenegotiationInfo {
95 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
96 hello.secureRenegotiation[0] ^= 0x80
97 } else {
98 hello.secureRenegotiation = c.clientVerify
99 }
100 }
101
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]102 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]103 hello.secureRenegotiation = nil
104 }
105
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]106 var keyShares map[CurveID]ecdhCurve
107 if hello.vers >= VersionTLS13 && enableTLS13Handshake {
108 // Offer every supported curve in the initial ClientHello.
109 //
110 // TODO(davidben): For real code, default to a more conservative
111 // set like P-256 and X25519. Make it configurable for tests to
112 // stress the HelloRetryRequest logic when implemented.
113 keyShares = make(map[CurveID]ecdhCurve)
114 for _, curveID := range hello.supportedCurves {
115 curve, ok := curveForCurveID(curveID)
116 if !ok {
117 continue
118 }
119 publicKey, err := curve.offer(c.config.rand())
120 if err != nil {
121 return err
122 }
123 hello.keyShares = append(hello.keyShares, keyShareEntry{
124 group: curveID,
125 keyExchange: publicKey,
126 })
127 keyShares[curveID] = curve
128 }
129 }
130
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]131 possibleCipherSuites := c.config.cipherSuites()
132 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
133
134NextCipherSuite:
135 for _, suiteId := range possibleCipherSuites {
136 for _, suite := range cipherSuites {
137 if suite.id != suiteId {
138 continue
139 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]140 if !c.config.Bugs.EnableAllCiphers {
141 // Don't advertise TLS 1.2-only cipher suites unless
142 // we're attempting TLS 1.2.
143 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
144 continue
145 }
146 // Don't advertise non-DTLS cipher suites in DTLS.
147 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
148 continue
149 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]150 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]151 hello.cipherSuites = append(hello.cipherSuites, suiteId)
152 continue NextCipherSuite
153 }
154 }
155
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]156 if c.config.Bugs.SendRenegotiationSCSV {
157 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
158 }
159
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]160 if c.config.Bugs.SendFallbackSCSV {
161 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
162 }
163
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]164 _, err := io.ReadFull(c.config.rand(), hello.random)
165 if err != nil {
166 c.sendAlert(alertInternalError)
167 return errors.New("tls: short read from Rand: " + err.Error())
168 }
169
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]170 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]171 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172 }
173
174 var session *ClientSessionState
175 var cacheKey string
176 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]177
178 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]179 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]180
181 // Try to resume a previously negotiated TLS session, if
182 // available.
183 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
184 candidateSession, ok := sessionCache.Get(cacheKey)
185 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]186 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
187
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188 // Check that the ciphersuite/version used for the
189 // previous session are still valid.
190 cipherSuiteOk := false
191 for _, id := range hello.cipherSuites {
192 if id == candidateSession.cipherSuite {
193 cipherSuiteOk = true
194 break
195 }
196 }
197
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]198 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
199 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]200 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]201 session = candidateSession
202 }
203 }
204 }
205
206 if session != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]207 if session.sessionTicket != nil {
208 hello.sessionTicket = session.sessionTicket
209 if c.config.Bugs.CorruptTicket {
210 hello.sessionTicket = make([]byte, len(session.sessionTicket))
211 copy(hello.sessionTicket, session.sessionTicket)
212 if len(hello.sessionTicket) > 0 {
213 offset := 40
214 if offset > len(hello.sessionTicket) {
215 offset = len(hello.sessionTicket) - 1
216 }
217 hello.sessionTicket[offset] ^= 0x40
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]218 }
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]219 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]220 // A random session ID is used to detect when the
221 // server accepted the ticket and is resuming a session
222 // (see RFC 5077).
223 sessionIdLen := 16
224 if c.config.Bugs.OversizedSessionId {
225 sessionIdLen = 33
226 }
227 hello.sessionId = make([]byte, sessionIdLen)
228 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
229 c.sendAlert(alertInternalError)
230 return errors.New("tls: short read from Rand: " + err.Error())
231 }
232 } else {
233 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]234 }
235 }
236
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]237 var helloBytes []byte
238 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]239 // Test that the peer left-pads random.
240 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]241 v2Hello := &v2ClientHelloMsg{
242 vers: hello.vers,
243 cipherSuites: hello.cipherSuites,
244 // No session resumption for V2ClientHello.
245 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]246 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]247 }
248 helloBytes = v2Hello.marshal()
249 c.writeV2Record(helloBytes)
250 } else {
251 helloBytes = hello.marshal()
252 c.writeRecord(recordTypeHandshake, helloBytes)
253 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]254 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]255
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]256 if err := c.simulatePacketLoss(nil); err != nil {
257 return err
258 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]259 msg, err := c.readHandshake()
260 if err != nil {
261 return err
262 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]263
264 if c.isDTLS {
265 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
266 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]267 if helloVerifyRequest.vers != VersionTLS10 {
268 // Per RFC 6347, the version field in
269 // HelloVerifyRequest SHOULD be always DTLS
270 // 1.0. Enforce this for testing purposes.
271 return errors.New("dtls: bad HelloVerifyRequest version")
272 }
273
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]274 hello.raw = nil
275 hello.cookie = helloVerifyRequest.cookie
276 helloBytes = hello.marshal()
277 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]278 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]279
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]280 if err := c.simulatePacketLoss(nil); err != nil {
281 return err
282 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]283 msg, err = c.readHandshake()
284 if err != nil {
285 return err
286 }
287 }
288 }
289
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]290 // TODO(davidben): Handle HelloRetryRequest.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]291 serverHello, ok := msg.(*serverHelloMsg)
292 if !ok {
293 c.sendAlert(alertUnexpectedMessage)
294 return unexpectedMessageError(serverHello, msg)
295 }
296
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]297 c.vers, ok = c.config.mutualVersion(serverHello.vers, c.isDTLS)
David Benjamin76d8abe2014-08-14 16:25:34 -0400[diff] [blame]298 if !ok {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299 c.sendAlert(alertProtocolVersion)
300 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)
301 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]302 c.haveVers = true
303
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]304 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]305 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]306 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]307 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]308 c.sendAlert(alertProtocolVersion)
309 return errors.New("tls: downgrade from TLS 1.3 detected")
310 }
311 }
312 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]313 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]314 c.sendAlert(alertProtocolVersion)
315 return errors.New("tls: downgrade from TLS 1.2 detected")
316 }
317 }
318
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]319 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
320 if suite == nil {
321 c.sendAlert(alertHandshakeFailure)
322 return fmt.Errorf("tls: server selected an unsupported cipher suite")
323 }
324
325 hs := &clientHandshakeState{
326 c: c,
327 serverHello: serverHello,
328 hello: hello,
329 suite: suite,
330 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]331 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]332 session: session,
333 }
334
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]335 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
336 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]337
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]338 if c.vers >= VersionTLS13 && enableTLS13Handshake {
339 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]340 return err
341 }
342 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]343 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
344 hs.establishKeys()
345 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
346 }
347
348 if hs.serverHello.compressionMethod != compressionNone {
349 c.sendAlert(alertUnexpectedMessage)
350 return errors.New("tls: server selected unsupported compression format")
351 }
352
353 err = hs.processServerExtensions(&serverHello.extensions)
354 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]355 return err
356 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]357
358 isResume, err := hs.processServerHello()
359 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]360 return err
361 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]362
363 if isResume {
364 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
365 if err := hs.establishKeys(); err != nil {
366 return err
367 }
368 }
369 if err := hs.readSessionTicket(); err != nil {
370 return err
371 }
372 if err := hs.readFinished(c.firstFinished[:]); err != nil {
373 return err
374 }
375 if err := hs.sendFinished(nil, isResume); err != nil {
376 return err
377 }
378 } else {
379 if err := hs.doFullHandshake(); err != nil {
380 return err
381 }
382 if err := hs.establishKeys(); err != nil {
383 return err
384 }
385 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
386 return err
387 }
388 // Most retransmits are triggered by a timeout, but the final
389 // leg of the handshake is retransmited upon re-receiving a
390 // Finished.
391 if err := c.simulatePacketLoss(func() {
392 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
393 c.flushHandshake()
394 }); err != nil {
395 return err
396 }
397 if err := hs.readSessionTicket(); err != nil {
398 return err
399 }
400 if err := hs.readFinished(nil); err != nil {
401 return err
402 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]403 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]404
405 if sessionCache != nil && hs.session != nil && session != hs.session {
406 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
407 return errors.New("tls: new session used session IDs instead of tickets")
408 }
409 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]410 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]411
412 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame^]413 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]414 }
415
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]416 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]417 c.cipherSuite = suite
418 copy(c.clientRandom[:], hs.hello.random)
419 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]420
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]421 return nil
422}
423
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]424func (hs *clientHandshakeState) doTLS13Handshake() error {
425 c := hs.c
426
427 // Once the PRF hash is known, TLS 1.3 does not require a handshake
428 // buffer.
429 hs.finishedHash.discardHandshakeBuffer()
430
431 zeroSecret := hs.finishedHash.zeroSecret()
432
433 // Resolve PSK and compute the early secret.
434 //
435 // TODO(davidben): This will need to be handled slightly earlier once
436 // 0-RTT is implemented.
437 var psk []byte
438 if hs.suite.flags&suitePSK != 0 {
439 if !hs.serverHello.hasPSKIdentity {
440 c.sendAlert(alertMissingExtension)
441 return errors.New("tls: server omitted the PSK identity extension")
442 }
443
444 // TODO(davidben): Support PSK ciphers and PSK resumption. Set
445 // the resumption context appropriately if resuming.
446 return errors.New("tls: PSK ciphers not implemented for TLS 1.3")
447 } else {
448 if hs.serverHello.hasPSKIdentity {
449 c.sendAlert(alertUnsupportedExtension)
450 return errors.New("tls: server sent unexpected PSK identity")
451 }
452
453 psk = zeroSecret
454 hs.finishedHash.setResumptionContext(zeroSecret)
455 }
456
457 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
458
459 // Resolve ECDHE and compute the handshake secret.
460 var ecdheSecret []byte
461 if hs.suite.flags&suiteECDHE != 0 {
462 if !hs.serverHello.hasKeyShare {
463 c.sendAlert(alertMissingExtension)
464 return errors.New("tls: server omitted the key share extension")
465 }
466
467 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
468 if !ok {
469 c.sendAlert(alertHandshakeFailure)
470 return errors.New("tls: server selected an unsupported group")
471 }
472
473 var err error
474 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
475 if err != nil {
476 return err
477 }
478 } else {
479 if hs.serverHello.hasKeyShare {
480 c.sendAlert(alertUnsupportedExtension)
481 return errors.New("tls: server sent unexpected key share extension")
482 }
483
484 ecdheSecret = zeroSecret
485 }
486
487 // Compute the handshake secret.
488 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
489
490 // Switch to handshake traffic keys.
491 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
492 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite), c.vers)
493 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite), c.vers)
494
495 msg, err := c.readHandshake()
496 if err != nil {
497 return err
498 }
499
500 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
501 if !ok {
502 c.sendAlert(alertUnexpectedMessage)
503 return unexpectedMessageError(encryptedExtensions, msg)
504 }
505 hs.writeServerHash(encryptedExtensions.marshal())
506
507 err = hs.processServerExtensions(&encryptedExtensions.extensions)
508 if err != nil {
509 return err
510 }
511
512 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]513 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]514 if hs.suite.flags&suitePSK != 0 {
515 if encryptedExtensions.extensions.ocspResponse != nil {
516 c.sendAlert(alertUnsupportedExtension)
517 return errors.New("tls: server sent OCSP response without a certificate")
518 }
519 if encryptedExtensions.extensions.sctList != nil {
520 c.sendAlert(alertUnsupportedExtension)
521 return errors.New("tls: server sent SCT list without a certificate")
522 }
523 } else {
524 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
525 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]526
527 msg, err := c.readHandshake()
528 if err != nil {
529 return err
530 }
531
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]532 var ok bool
533 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]534 if ok {
535 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]536
537 chainToSend, err = selectClientCertificate(c, certReq)
538 if err != nil {
539 return err
540 }
541
542 msg, err = c.readHandshake()
543 if err != nil {
544 return err
545 }
546 }
547
548 certMsg, ok := msg.(*certificateMsg)
549 if !ok {
550 c.sendAlert(alertUnexpectedMessage)
551 return unexpectedMessageError(certMsg, msg)
552 }
553 hs.writeServerHash(certMsg.marshal())
554
555 if err := hs.verifyCertificates(certMsg); err != nil {
556 return err
557 }
558 leaf := c.peerCertificates[0]
559
560 msg, err = c.readHandshake()
561 if err != nil {
562 return err
563 }
564 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
565 if !ok {
566 c.sendAlert(alertUnexpectedMessage)
567 return unexpectedMessageError(certVerifyMsg, msg)
568 }
569
570 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]571 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]572 if err != nil {
573 return err
574 }
575
576 hs.writeServerHash(certVerifyMsg.marshal())
577 }
578
579 msg, err = c.readHandshake()
580 if err != nil {
581 return err
582 }
583 serverFinished, ok := msg.(*finishedMsg)
584 if !ok {
585 c.sendAlert(alertUnexpectedMessage)
586 return unexpectedMessageError(serverFinished, msg)
587 }
588
589 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
590 if len(verify) != len(serverFinished.verifyData) ||
591 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
592 c.sendAlert(alertHandshakeFailure)
593 return errors.New("tls: server's Finished message was incorrect")
594 }
595
596 hs.writeServerHash(serverFinished.marshal())
597
598 // The various secrets do not incorporate the client's final leg, so
599 // derive them now before updating the handshake context.
600 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
601 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
602
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]603 if certReq != nil {
604 certMsg := &certificateMsg{
605 hasRequestContext: true,
606 requestContext: certReq.requestContext,
607 }
608 if chainToSend != nil {
609 certMsg.certificates = chainToSend.Certificate
610 }
611 hs.writeClientHash(certMsg.marshal())
612 c.writeRecord(recordTypeHandshake, certMsg.marshal())
613
614 if chainToSend != nil {
615 certVerify := &certificateVerifyMsg{
616 hasSignatureAlgorithm: true,
617 }
618
619 // Determine the hash to sign.
620 privKey := chainToSend.PrivateKey
621
622 var err error
623 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
624 if err != nil {
625 c.sendAlert(alertInternalError)
626 return err
627 }
628
629 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
630 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
631 if err != nil {
632 c.sendAlert(alertInternalError)
633 return err
634 }
635
636 hs.writeClientHash(certVerify.marshal())
637 c.writeRecord(recordTypeHandshake, certVerify.marshal())
638 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]639 }
640
641 // Send a client Finished message.
642 finished := new(finishedMsg)
643 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
644 if c.config.Bugs.BadFinished {
645 finished.verifyData[0]++
646 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame^]647 hs.writeClientHash(finished.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]648 c.writeRecord(recordTypeHandshake, finished.marshal())
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]649 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]650
651 // Switch to application data keys.
652 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers)
653 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
654
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]655 // TODO(davidben): Derive and save the resumption master secret for receiving tickets.
656 // TODO(davidben): Save the traffic secret for KeyUpdate.
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame^]657 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]658 return nil
659}
660
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]661func (hs *clientHandshakeState) doFullHandshake() error {
662 c := hs.c
663
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]664 var leaf *x509.Certificate
665 if hs.suite.flags&suitePSK == 0 {
666 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]667 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]668 return err
669 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]670
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]671 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]672 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]673 c.sendAlert(alertUnexpectedMessage)
674 return unexpectedMessageError(certMsg, msg)
675 }
676 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]677
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]678 if err := hs.verifyCertificates(certMsg); err != nil {
679 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]680 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]681 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]682 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]683
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]684 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]685 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]686 if err != nil {
687 return err
688 }
689 cs, ok := msg.(*certificateStatusMsg)
690 if !ok {
691 c.sendAlert(alertUnexpectedMessage)
692 return unexpectedMessageError(cs, msg)
693 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]694 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]695
696 if cs.statusType == statusTypeOCSP {
697 c.ocspResponse = cs.response
698 }
699 }
700
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]701 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]702 if err != nil {
703 return err
704 }
705
706 keyAgreement := hs.suite.ka(c.vers)
707
708 skx, ok := msg.(*serverKeyExchangeMsg)
709 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]710 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]711 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]712 if err != nil {
713 c.sendAlert(alertUnexpectedMessage)
714 return err
715 }
716
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]717 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
718
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]719 msg, err = c.readHandshake()
720 if err != nil {
721 return err
722 }
723 }
724
725 var chainToSend *Certificate
726 var certRequested bool
727 certReq, ok := msg.(*certificateRequestMsg)
728 if ok {
729 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]730 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
731 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
732 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]733
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]734 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]735
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]736 chainToSend, err = selectClientCertificate(c, certReq)
737 if err != nil {
738 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]739 }
740
741 msg, err = c.readHandshake()
742 if err != nil {
743 return err
744 }
745 }
746
747 shd, ok := msg.(*serverHelloDoneMsg)
748 if !ok {
749 c.sendAlert(alertUnexpectedMessage)
750 return unexpectedMessageError(shd, msg)
751 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]752 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]753
754 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]755 // Certificate message in TLS, even if it's empty because we don't have
756 // a certificate to send. In SSL 3.0, skip the message and send a
757 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]758 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]759 if c.vers == VersionSSL30 && chainToSend == nil {
760 c.sendAlert(alertNoCertficate)
761 } else if !c.config.Bugs.SkipClientCertificate {
762 certMsg := new(certificateMsg)
763 if chainToSend != nil {
764 certMsg.certificates = chainToSend.Certificate
765 }
766 hs.writeClientHash(certMsg.marshal())
767 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]768 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]769 }
770
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]771 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]772 if err != nil {
773 c.sendAlert(alertInternalError)
774 return err
775 }
776 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]777 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]778 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]779 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]780 c.writeRecord(recordTypeHandshake, ckx.marshal())
781 }
782
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]783 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]784 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
785 c.extendedMasterSecret = true
786 } else {
787 if c.config.Bugs.RequireExtendedMasterSecret {
788 return errors.New("tls: extended master secret required but not supported by peer")
789 }
790 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
791 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]792
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]793 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]794 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]795 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]796 }
797
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]798 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]799 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]800
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]801 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]802 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]803 if err != nil {
804 c.sendAlert(alertInternalError)
805 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]806 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]807 }
808
809 if c.vers > VersionSSL30 {
810 msg := hs.finishedHash.buffer
811 if c.config.Bugs.InvalidCertVerifySignature {
812 msg = make([]byte, len(hs.finishedHash.buffer))
813 copy(msg, hs.finishedHash.buffer)
814 msg[0] ^= 0x80
815 }
816 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, msg)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]817 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
818 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
819 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]820 } else {
821 // SSL 3.0's client certificate construction is
822 // incompatible with signatureAlgorithm.
823 rsaKey, ok := privKey.(*rsa.PrivateKey)
824 if !ok {
825 err = errors.New("unsupported signature type for client certificate")
826 } else {
827 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
828 if c.config.Bugs.InvalidCertVerifySignature {
829 digest[0] ^= 0x80
830 }
831 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
832 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]833 }
834 if err != nil {
835 c.sendAlert(alertInternalError)
836 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
837 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]839 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]840 c.writeRecord(recordTypeHandshake, certVerify.marshal())
841 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]842 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]843
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]844 hs.finishedHash.discardHandshakeBuffer()
845
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]846 return nil
847}
848
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]849func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
850 c := hs.c
851
852 if len(certMsg.certificates) == 0 {
853 c.sendAlert(alertIllegalParameter)
854 return errors.New("tls: no certificates sent")
855 }
856
857 certs := make([]*x509.Certificate, len(certMsg.certificates))
858 for i, asn1Data := range certMsg.certificates {
859 cert, err := x509.ParseCertificate(asn1Data)
860 if err != nil {
861 c.sendAlert(alertBadCertificate)
862 return errors.New("tls: failed to parse certificate from server: " + err.Error())
863 }
864 certs[i] = cert
865 }
866
867 if !c.config.InsecureSkipVerify {
868 opts := x509.VerifyOptions{
869 Roots: c.config.RootCAs,
870 CurrentTime: c.config.time(),
871 DNSName: c.config.ServerName,
872 Intermediates: x509.NewCertPool(),
873 }
874
875 for i, cert := range certs {
876 if i == 0 {
877 continue
878 }
879 opts.Intermediates.AddCert(cert)
880 }
881 var err error
882 c.verifiedChains, err = certs[0].Verify(opts)
883 if err != nil {
884 c.sendAlert(alertBadCertificate)
885 return err
886 }
887 }
888
889 switch certs[0].PublicKey.(type) {
890 case *rsa.PublicKey, *ecdsa.PublicKey:
891 break
892 default:
893 c.sendAlert(alertUnsupportedCertificate)
894 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
895 }
896
897 c.peerCertificates = certs
898 return nil
899}
900
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]901func (hs *clientHandshakeState) establishKeys() error {
902 c := hs.c
903
904 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]905 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]906 var clientCipher, serverCipher interface{}
907 var clientHash, serverHash macFunction
908 if hs.suite.cipher != nil {
909 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
910 clientHash = hs.suite.mac(c.vers, clientMAC)
911 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
912 serverHash = hs.suite.mac(c.vers, serverMAC)
913 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]914 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
915 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]916 }
917
918 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
919 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
920 return nil
921}
922
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]923func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
924 c := hs.c
925
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]926 if c.vers < VersionTLS13 || !enableTLS13Handshake {
927 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
928 return errors.New("tls: renegotiation extension missing")
929 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]930
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]931 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
932 var expectedRenegInfo []byte
933 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
934 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
935 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
936 c.sendAlert(alertHandshakeFailure)
937 return fmt.Errorf("tls: renegotiation mismatch")
938 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]939 }
940 }
941
942 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
943 if serverExtensions.customExtension != *expected {
944 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
945 }
946 }
947
948 clientDidNPN := hs.hello.nextProtoNeg
949 clientDidALPN := len(hs.hello.alpnProtocols) > 0
950 serverHasNPN := serverExtensions.nextProtoNeg
951 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
952
953 if !clientDidNPN && serverHasNPN {
954 c.sendAlert(alertHandshakeFailure)
955 return errors.New("server advertised unrequested NPN extension")
956 }
957
958 if !clientDidALPN && serverHasALPN {
959 c.sendAlert(alertHandshakeFailure)
960 return errors.New("server advertised unrequested ALPN extension")
961 }
962
963 if serverHasNPN && serverHasALPN {
964 c.sendAlert(alertHandshakeFailure)
965 return errors.New("server advertised both NPN and ALPN extensions")
966 }
967
968 if serverHasALPN {
969 c.clientProtocol = serverExtensions.alpnProtocol
970 c.clientProtocolFallback = false
971 c.usedALPN = true
972 }
973
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]974 if serverHasNPN && c.vers >= VersionTLS13 && enableTLS13Handshake {
975 c.sendAlert(alertHandshakeFailure)
976 return errors.New("server advertised NPN over TLS 1.3")
977 }
978
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]979 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
980 c.sendAlert(alertHandshakeFailure)
981 return errors.New("server advertised unrequested Channel ID extension")
982 }
983
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]984 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 && enableTLS13Handshake {
985 c.sendAlert(alertHandshakeFailure)
986 return errors.New("server advertised Channel ID over TLS 1.3")
987 }
988
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]989 if serverExtensions.srtpProtectionProfile != 0 {
990 if serverExtensions.srtpMasterKeyIdentifier != "" {
991 return errors.New("tls: server selected SRTP MKI value")
992 }
993
994 found := false
995 for _, p := range c.config.SRTPProtectionProfiles {
996 if p == serverExtensions.srtpProtectionProfile {
997 found = true
998 break
999 }
1000 }
1001 if !found {
1002 return errors.New("tls: server advertised unsupported SRTP profile")
1003 }
1004
1005 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1006 }
1007
1008 return nil
1009}
1010
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1011func (hs *clientHandshakeState) serverResumedSession() bool {
1012 // If the server responded with the same sessionId then it means the
1013 // sessionTicket is being used to resume a TLS session.
1014 return hs.session != nil && hs.hello.sessionId != nil &&
1015 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1016}
1017
1018func (hs *clientHandshakeState) processServerHello() (bool, error) {
1019 c := hs.c
1020
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1021 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1022 // For test purposes, assert that the server never accepts the
1023 // resumption offer on renegotiation.
1024 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1025 return false, errors.New("tls: server resumed session on renegotiation")
1026 }
1027
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1028 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1029 return false, errors.New("tls: server sent SCT extension on session resumption")
1030 }
1031
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1032 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1033 return false, errors.New("tls: server sent OCSP extension on session resumption")
1034 }
1035
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1036 // Restore masterSecret and peerCerts from previous state
1037 hs.masterSecret = hs.session.masterSecret
1038 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1039 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1040 c.sctList = hs.session.sctList
1041 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1042 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1043 return true, nil
1044 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1045
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1046 if hs.serverHello.extensions.sctList != nil {
1047 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1048 }
1049
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1050 return false, nil
1051}
1052
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1053func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1054 c := hs.c
1055
1056 c.readRecord(recordTypeChangeCipherSpec)
1057 if err := c.in.error(); err != nil {
1058 return err
1059 }
1060
1061 msg, err := c.readHandshake()
1062 if err != nil {
1063 return err
1064 }
1065 serverFinished, ok := msg.(*finishedMsg)
1066 if !ok {
1067 c.sendAlert(alertUnexpectedMessage)
1068 return unexpectedMessageError(serverFinished, msg)
1069 }
1070
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1071 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1072 verify := hs.finishedHash.serverSum(hs.masterSecret)
1073 if len(verify) != len(serverFinished.verifyData) ||
1074 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1075 c.sendAlert(alertHandshakeFailure)
1076 return errors.New("tls: server's Finished message was incorrect")
1077 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1078 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1079 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1080 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1081 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1082 return nil
1083}
1084
1085func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1086 c := hs.c
1087
1088 // Create a session with no server identifier. Either a
1089 // session ID or session ticket will be attached.
1090 session := &ClientSessionState{
1091 vers: c.vers,
1092 cipherSuite: hs.suite.id,
1093 masterSecret: hs.masterSecret,
1094 handshakeHash: hs.finishedHash.server.Sum(nil),
1095 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1096 sctList: c.sctList,
1097 ocspResponse: c.ocspResponse,
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1098 }
1099
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1100 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1101 if c.config.Bugs.ExpectNewTicket {
1102 return errors.New("tls: expected new ticket")
1103 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1104 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1105 session.sessionId = hs.serverHello.sessionId
1106 hs.session = session
1107 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1108 return nil
1109 }
1110
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1111 if c.vers == VersionSSL30 {
1112 return errors.New("tls: negotiated session tickets in SSL 3.0")
1113 }
1114
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1115 msg, err := c.readHandshake()
1116 if err != nil {
1117 return err
1118 }
1119 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1120 if !ok {
1121 c.sendAlert(alertUnexpectedMessage)
1122 return unexpectedMessageError(sessionTicketMsg, msg)
1123 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1124
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1125 session.sessionTicket = sessionTicketMsg.ticket
1126 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1127
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1128 hs.writeServerHash(sessionTicketMsg.marshal())
1129
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1130 return nil
1131}
1132
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1133func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1134 c := hs.c
1135
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1136 var postCCSBytes []byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1137 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1138 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1139 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1140 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1141 nextProto.proto = proto
1142 c.clientProtocol = proto
1143 c.clientProtocolFallback = fallback
1144
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1145 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1146 hs.writeHash(nextProtoBytes, seqno)
1147 seqno++
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1148 postCCSBytes = append(postCCSBytes, nextProtoBytes...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1149 }
1150
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1151 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1152 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1153 if c.config.ChannelID.Curve != elliptic.P256() {
1154 return fmt.Errorf("tls: Channel ID is not on P-256.")
1155 }
1156 var resumeHash []byte
1157 if isResume {
1158 resumeHash = hs.session.handshakeHash
1159 }
1160 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1161 if err != nil {
1162 return err
1163 }
1164 channelID := make([]byte, 128)
1165 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1166 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1167 writeIntPadded(channelID[64:96], r)
1168 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1169 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1170
1171 c.channelID = &c.config.ChannelID.PublicKey
1172
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1173 channelIDMsgBytes := channelIDMsg.marshal()
1174 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1175 seqno++
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1176 postCCSBytes = append(postCCSBytes, channelIDMsgBytes...)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1177 }
1178
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1179 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1180 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1181 finished.verifyData = hs.finishedHash.clientSum(nil)
1182 } else {
1183 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1184 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1185 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1186 if c.config.Bugs.BadFinished {
1187 finished.verifyData[0]++
1188 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1189 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1190 hs.finishedBytes = finished.marshal()
1191 hs.writeHash(hs.finishedBytes, seqno)
1192 postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1193
1194 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
1195 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
1196 postCCSBytes = postCCSBytes[5:]
1197 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1198 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1199
1200 if !c.config.Bugs.SkipChangeCipherSpec &&
1201 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1202 ccs := []byte{1}
1203 if c.config.Bugs.BadChangeCipherSpec != nil {
1204 ccs = c.config.Bugs.BadChangeCipherSpec
1205 }
1206 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1207 }
1208
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1209 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1210 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1211 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1212 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1213 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1214 return errors.New("tls: simulating post-CCS alert")
1215 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1216
David Benjaminb80168e2015-02-08 18:30:14 -0500[diff] [blame]1217 if !c.config.Bugs.SkipFinished {
1218 c.writeRecord(recordTypeHandshake, postCCSBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1219 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1220 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1221 return nil
1222}
1223
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1224func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1225 // writeClientHash is called before writeRecord.
1226 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1227}
1228
1229func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1230 // writeServerHash is called after readHandshake.
1231 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1232}
1233
1234func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1235 if hs.c.isDTLS {
1236 // This is somewhat hacky. DTLS hashes a slightly different format.
1237 // First, the TLS header.
1238 hs.finishedHash.Write(msg[:4])
1239 // Then the sequence number and reassembled fragment offset (always 0).
1240 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1241 // Then the reassembled fragment (always equal to the message length).
1242 hs.finishedHash.Write(msg[1:4])
1243 // And then the message body.
1244 hs.finishedHash.Write(msg[4:])
1245 } else {
1246 hs.finishedHash.Write(msg)
1247 }
1248}
1249
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1250// selectClientCertificate selects a certificate for use with the given
1251// certificate, or none if none match. It may return a particular certificate or
1252// nil on success, or an error on internal error.
1253func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1254 // RFC 4346 on the certificateAuthorities field:
1255 // A list of the distinguished names of acceptable certificate
1256 // authorities. These distinguished names may specify a desired
1257 // distinguished name for a root CA or for a subordinate CA; thus, this
1258 // message can be used to describe both known roots and a desired
1259 // authorization space. If the certificate_authorities list is empty
1260 // then the client MAY send any certificate of the appropriate
1261 // ClientCertificateType, unless there is some external arrangement to
1262 // the contrary.
1263
1264 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1265 if !certReq.hasRequestContext {
1266 for _, certType := range certReq.certificateTypes {
1267 switch certType {
1268 case CertTypeRSASign:
1269 rsaAvail = true
1270 case CertTypeECDSASign:
1271 ecdsaAvail = true
1272 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1273 }
1274 }
1275
1276 // We need to search our list of client certs for one
1277 // where SignatureAlgorithm is RSA and the Issuer is in
1278 // certReq.certificateAuthorities
1279findCert:
1280 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1281 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1282 continue
1283 }
1284
1285 // Ensure the private key supports one of the advertised
1286 // signature algorithms.
1287 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1288 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1289 continue
1290 }
1291 }
1292
1293 for j, cert := range chain.Certificate {
1294 x509Cert := chain.Leaf
1295 // parse the certificate if this isn't the leaf
1296 // node, or if chain.Leaf was nil
1297 if j != 0 || x509Cert == nil {
1298 var err error
1299 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1300 c.sendAlert(alertInternalError)
1301 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1302 }
1303 }
1304
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1305 if !certReq.hasRequestContext {
1306 switch {
1307 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1308 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1309 default:
1310 continue findCert
1311 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1312 }
1313
1314 if len(certReq.certificateAuthorities) == 0 {
1315 // They gave us an empty list, so just take the
1316 // first certificate of valid type from
1317 // c.config.Certificates.
1318 return &chain, nil
1319 }
1320
1321 for _, ca := range certReq.certificateAuthorities {
1322 if bytes.Equal(x509Cert.RawIssuer, ca) {
1323 return &chain, nil
1324 }
1325 }
1326 }
1327 }
1328
1329 return nil, nil
1330}
1331
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1332// clientSessionCacheKey returns a key used to cache sessionTickets that could
1333// be used to resume previously negotiated TLS sessions with a server.
1334func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1335 if len(config.ServerName) > 0 {
1336 return config.ServerName
1337 }
1338 return serverAddr.String()
1339}
1340
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1341// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1342// given list of possible protocols and a list of the preference order. The
1343// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1344// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1345func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1346 for _, s := range preferenceProtos {
1347 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1348 if s == c {
1349 return s, false
1350 }
1351 }
1352 }
1353
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1354 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1355}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1356
1357// writeIntPadded writes x into b, padded up with leading zeros as
1358// needed.
1359func writeIntPadded(b []byte, x *big.Int) {
1360 for i := range b {
1361 b[i] = 0
1362 }
1363 xb := x.Bytes()
1364 copy(b[len(b)-len(xb):], xb)
1365}