Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / a833c357edae4eb7f47b9808bf744bd9bb0df18d / . / ssl / test / runner / handshake_client.go
blob: f8cf1247ec5f3fa059a5cc77dfb1e486b500b56e [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]21 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]22)
23
24type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]25 c *Conn
26 serverHello *serverHelloMsg
27 hello *clientHelloMsg
28 suite *cipherSuite
29 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]30 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]31 masterSecret []byte
32 session *ClientSessionState
33 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34}
35
36func (c *Conn) clientHandshake() error {
37 if c.config == nil {
38 c.config = defaultConfig()
39 }
40
41 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
42 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
43 }
44
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]45 c.sendHandshakeSeq = 0
46 c.recvHandshakeSeq = 0
47
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]48 nextProtosLength := 0
49 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]50 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]51 return errors.New("tls: invalid NextProtos value")
52 } else {
53 nextProtosLength += 1 + l
54 }
55 }
56 if nextProtosLength > 0xffff {
57 return errors.New("tls: NextProtos values too large")
58 }
59
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]60 minVersion := c.config.minVersion(c.isDTLS)
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]61 maxVersion := c.config.maxVersion(c.isDTLS)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]62 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]63 isDTLS: c.isDTLS,
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]64 vers: versionToWire(maxVersion, c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]65 compressionMethods: []uint8{compressionNone},
66 random: make([]byte, 32),
67 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]68 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]69 serverName: c.config.ServerName,
70 supportedCurves: c.config.curvePreferences(),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]71 pskKEModes: []byte{pskDHEKEMode},
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]72 supportedPoints: []uint8{pointFormatUncompressed},
73 nextProtoNeg: len(c.config.NextProtos) > 0,
74 secureRenegotiation: []byte{},
75 alpnProtocols: c.config.NextProtos,
76 duplicateExtension: c.config.Bugs.DuplicateExtension,
77 channelIDSupported: c.config.ChannelID != nil,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]78 npnAfterAlpn: c.config.Bugs.SwapNPNAndALPN,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]79 extendedMasterSecret: maxVersion >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]80 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
81 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]82 customExtension: c.config.Bugs.CustomExtension,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]83 pskBinderFirst: c.config.Bugs.PSKBinderFirst,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]84 }
85
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]86 disableEMS := c.config.Bugs.NoExtendedMasterSecret
87 if c.cipherSuite != nil {
88 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation
89 }
90
91 if disableEMS {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]92 hello.extendedMasterSecret = false
93 }
94
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]95 if c.config.Bugs.NoSupportedCurves {
96 hello.supportedCurves = nil
97 }
98
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]99 if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 {
100 hello.pskKEModes = c.config.Bugs.SendPSKKeyExchangeModes
101 }
102
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]103 if c.config.Bugs.SendCompressionMethods != nil {
104 hello.compressionMethods = c.config.Bugs.SendCompressionMethods
105 }
106
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]107 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
108 if c.config.Bugs.BadRenegotiationInfo {
109 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
110 hello.secureRenegotiation[0] ^= 0x80
111 } else {
112 hello.secureRenegotiation = c.clientVerify
113 }
114 }
115
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]116 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]117 hello.secureRenegotiation = nil
118 }
119
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]120 var keyShares map[CurveID]ecdhCurve
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]121 if maxVersion >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]122 keyShares = make(map[CurveID]ecdhCurve)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]123 hello.hasKeyShares = true
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]124 hello.trailingKeyShareData = c.config.Bugs.TrailingKeyShareData
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]125 curvesToSend := c.config.defaultCurves()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]126 for _, curveID := range hello.supportedCurves {
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]127 if !curvesToSend[curveID] {
128 continue
129 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]130 curve, ok := curveForCurveID(curveID)
131 if !ok {
132 continue
133 }
134 publicKey, err := curve.offer(c.config.rand())
135 if err != nil {
136 return err
137 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]138
139 if c.config.Bugs.SendCurve != 0 {
140 curveID = c.config.Bugs.SendCurve
141 }
142 if c.config.Bugs.InvalidECDHPoint {
143 publicKey[0] ^= 0xff
144 }
145
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]146 hello.keyShares = append(hello.keyShares, keyShareEntry{
147 group: curveID,
148 keyExchange: publicKey,
149 })
150 keyShares[curveID] = curve
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]151
152 if c.config.Bugs.DuplicateKeyShares {
153 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1])
154 }
155 }
156
157 if c.config.Bugs.MissingKeyShare {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]158 hello.hasKeyShares = false
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]159 }
160 }
161
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]162 possibleCipherSuites := c.config.cipherSuites()
163 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
164
165NextCipherSuite:
166 for _, suiteId := range possibleCipherSuites {
167 for _, suite := range cipherSuites {
168 if suite.id != suiteId {
169 continue
170 }
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]171 // Don't advertise TLS 1.2-only cipher suites unless
172 // we're attempting TLS 1.2.
173 if maxVersion < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
174 continue
175 }
176 // Don't advertise non-DTLS cipher suites in DTLS.
177 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
178 continue
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]179 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]180 hello.cipherSuites = append(hello.cipherSuites, suiteId)
181 continue NextCipherSuite
182 }
183 }
184
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]185 if c.config.Bugs.AdvertiseAllConfiguredCiphers {
186 hello.cipherSuites = possibleCipherSuites
187 }
188
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]189 if c.config.Bugs.SendRenegotiationSCSV {
190 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
191 }
192
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]193 if c.config.Bugs.SendFallbackSCSV {
194 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
195 }
196
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]197 _, err := io.ReadFull(c.config.rand(), hello.random)
198 if err != nil {
199 c.sendAlert(alertInternalError)
200 return errors.New("tls: short read from Rand: " + err.Error())
201 }
202
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]203 if maxVersion >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]204 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]205 }
206
207 var session *ClientSessionState
208 var cacheKey string
209 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]210
211 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]212 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]213
214 // Try to resume a previously negotiated TLS session, if
215 // available.
216 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]217 // TODO(nharper): Support storing more than one session
218 // ticket for TLS 1.3.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]219 candidateSession, ok := sessionCache.Get(cacheKey)
220 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]221 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
222
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]223 // Check that the ciphersuite/version used for the
224 // previous session are still valid.
225 cipherSuiteOk := false
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]226 for _, id := range hello.cipherSuites {
227 if id == candidateSession.cipherSuite {
228 cipherSuiteOk = true
229 break
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]230 }
231 }
232
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]233 versOk := candidateSession.vers >= minVersion &&
234 candidateSession.vers <= maxVersion
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]235 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]236 session = candidateSession
237 }
238 }
239 }
240
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]241 var pskCipherSuite *cipherSuite
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]242 if session != nil && c.config.time().Before(session.ticketExpiration) {
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]243 ticket := session.sessionTicket
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]244 if c.config.Bugs.FilterTicket != nil && len(ticket) > 0 {
245 // Copy the ticket so FilterTicket may act in-place.
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]246 ticket = make([]byte, len(session.sessionTicket))
247 copy(ticket, session.sessionTicket)
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]248
249 ticket, err = c.config.Bugs.FilterTicket(ticket)
250 if err != nil {
251 return err
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]252 }
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]253 }
254
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]255 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]256 pskCipherSuite = cipherSuiteFromID(session.cipherSuite)
257 if pskCipherSuite == nil {
258 return errors.New("tls: client session cache has invalid cipher suite")
259 }
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]260 // TODO(nharper): Support sending more
261 // than one PSK identity.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]262 ticketAge := uint32(c.config.time().Sub(session.ticketCreationTime) / time.Millisecond)
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]263 psk := pskIdentity{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]264 ticket: ticket,
265 obfuscatedTicketAge: session.ticketAgeAdd + ticketAge,
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]266 }
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]267 hello.pskIdentities = []pskIdentity{psk}
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]268
269 if c.config.Bugs.ExtraPSKIdentity {
270 hello.pskIdentities = append(hello.pskIdentities, psk)
271 }
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]272 }
273
274 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets {
275 if ticket != nil {
276 hello.sessionTicket = ticket
277 // A random session ID is used to detect when the
278 // server accepted the ticket and is resuming a session
279 // (see RFC 5077).
280 sessionIdLen := 16
281 if c.config.Bugs.OversizedSessionId {
282 sessionIdLen = 33
283 }
284 hello.sessionId = make([]byte, sessionIdLen)
285 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
286 c.sendAlert(alertInternalError)
287 return errors.New("tls: short read from Rand: " + err.Error())
288 }
289 } else {
290 hello.sessionId = session.sessionId
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]291 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]292 }
293 }
294
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]295 if maxVersion == VersionTLS13 && !c.config.Bugs.OmitSupportedVersions {
296 if hello.vers >= VersionTLS13 {
297 hello.vers = VersionTLS12
298 }
299 for version := maxVersion; version >= minVersion; version-- {
300 hello.supportedVersions = append(hello.supportedVersions, versionToWire(version, c.isDTLS))
301 }
302 }
303
304 if len(c.config.Bugs.SendSupportedVersions) > 0 {
305 hello.supportedVersions = c.config.Bugs.SendSupportedVersions
306 }
307
David Benjamineed24012016-08-13 19:26:00 -0400[diff] [blame]308 if c.config.Bugs.SendClientVersion != 0 {
309 hello.vers = c.config.Bugs.SendClientVersion
310 }
311
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]312 var helloBytes []byte
313 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]314 // Test that the peer left-pads random.
315 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]316 v2Hello := &v2ClientHelloMsg{
317 vers: hello.vers,
318 cipherSuites: hello.cipherSuites,
319 // No session resumption for V2ClientHello.
320 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]321 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]322 }
323 helloBytes = v2Hello.marshal()
324 c.writeV2Record(helloBytes)
325 } else {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]326 if len(hello.pskIdentities) > 0 {
327 generatePSKBinders(hello, pskCipherSuite, session.masterSecret, []byte{}, c.config)
328 }
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]329 helloBytes = hello.marshal()
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]330
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]331 if c.config.Bugs.PartialClientFinishedWithClientHello {
332 // Include one byte of Finished. We can compute it
333 // without completing the handshake. This assumes we
334 // negotiate TLS 1.3 with no HelloRetryRequest or
335 // CertificateRequest.
336 toWrite := make([]byte, 0, len(helloBytes)+1)
337 toWrite = append(toWrite, helloBytes...)
338 toWrite = append(toWrite, typeFinished)
339 c.writeRecord(recordTypeHandshake, toWrite)
340 } else {
341 c.writeRecord(recordTypeHandshake, helloBytes)
342 }
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]343 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]344 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]345
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]346 if err := c.simulatePacketLoss(nil); err != nil {
347 return err
348 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]349 msg, err := c.readHandshake()
350 if err != nil {
351 return err
352 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]353
354 if c.isDTLS {
355 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
356 if ok {
David Benjaminda4789e2016-10-31 19:23:34 -0400[diff] [blame]357 if helloVerifyRequest.vers != versionToWire(VersionTLS10, c.isDTLS) {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]358 // Per RFC 6347, the version field in
359 // HelloVerifyRequest SHOULD be always DTLS
360 // 1.0. Enforce this for testing purposes.
361 return errors.New("dtls: bad HelloVerifyRequest version")
362 }
363
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]364 hello.raw = nil
365 hello.cookie = helloVerifyRequest.cookie
366 helloBytes = hello.marshal()
367 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]368 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]369
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]370 if err := c.simulatePacketLoss(nil); err != nil {
371 return err
372 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]373 msg, err = c.readHandshake()
374 if err != nil {
375 return err
376 }
377 }
378 }
379
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]380 var serverWireVersion uint16
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]381 switch m := msg.(type) {
382 case *helloRetryRequestMsg:
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]383 serverWireVersion = m.vers
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]384 case *serverHelloMsg:
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]385 serverWireVersion = m.vers
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]386 default:
387 c.sendAlert(alertUnexpectedMessage)
388 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
389 }
390
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]391 serverVersion, ok := wireToVersion(serverWireVersion, c.isDTLS)
392 if ok {
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]393 ok = c.config.isSupportedVersion(serverVersion, c.isDTLS)
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]394 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]395 if !ok {
396 c.sendAlert(alertProtocolVersion)
397 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
398 }
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]399 c.vers = serverVersion
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]400 c.haveVers = true
401
402 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg)
403 var secondHelloBytes []byte
404 if haveHelloRetryRequest {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]405 if len(helloRetryRequest.cookie) > 0 {
406 hello.tls13Cookie = helloRetryRequest.cookie
407 }
408
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]409 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 {
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]410 helloRetryRequest.hasSelectedGroup = true
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]411 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve
412 }
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]413 if helloRetryRequest.hasSelectedGroup {
414 var hrrCurveFound bool
415 group := helloRetryRequest.selectedGroup
416 for _, curveID := range hello.supportedCurves {
417 if group == curveID {
418 hrrCurveFound = true
419 break
420 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]421 }
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]422 if !hrrCurveFound || keyShares[group] != nil {
423 c.sendAlert(alertHandshakeFailure)
424 return errors.New("tls: received invalid HelloRetryRequest")
425 }
426 curve, ok := curveForCurveID(group)
427 if !ok {
428 return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
429 }
430 publicKey, err := curve.offer(c.config.rand())
431 if err != nil {
432 return err
433 }
434 keyShares[group] = curve
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]435 hello.keyShares = []keyShareEntry{{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]436 group: group,
437 keyExchange: publicKey,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]438 }}
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]439 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]440
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]441 if c.config.Bugs.SecondClientHelloMissingKeyShare {
442 hello.hasKeyShares = false
443 }
444
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]445 hello.hasEarlyData = false
446 hello.earlyDataContext = nil
447 hello.raw = nil
448
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]449 if len(hello.pskIdentities) > 0 {
450 generatePSKBinders(hello, pskCipherSuite, session.masterSecret, append(helloBytes, helloRetryRequest.marshal()...), c.config)
451 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]452 secondHelloBytes = hello.marshal()
453 c.writeRecord(recordTypeHandshake, secondHelloBytes)
454 c.flushHandshake()
455
456 msg, err = c.readHandshake()
457 if err != nil {
458 return err
459 }
460 }
461
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]462 serverHello, ok := msg.(*serverHelloMsg)
463 if !ok {
464 c.sendAlert(alertUnexpectedMessage)
465 return unexpectedMessageError(serverHello, msg)
466 }
467
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]468 if serverWireVersion != serverHello.vers {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]469 c.sendAlert(alertProtocolVersion)
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]470 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]471 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]472
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]473 // Check for downgrade signals in the server random, per
David Benjamina128a552016-10-13 14:26:33 -0400[diff] [blame]474 // draft-ietf-tls-tls13-16, section 4.1.3.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]475 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]476 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]477 c.sendAlert(alertProtocolVersion)
478 return errors.New("tls: downgrade from TLS 1.3 detected")
479 }
480 }
481 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]482 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]483 c.sendAlert(alertProtocolVersion)
484 return errors.New("tls: downgrade from TLS 1.2 detected")
485 }
486 }
487
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]488 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]489 if suite == nil {
490 c.sendAlert(alertHandshakeFailure)
491 return fmt.Errorf("tls: server selected an unsupported cipher suite")
492 }
493
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]494 if haveHelloRetryRequest && helloRetryRequest.hasSelectedGroup && helloRetryRequest.selectedGroup != serverHello.keyShare.group {
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]495 c.sendAlert(alertHandshakeFailure)
496 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
497 }
498
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]499 hs := &clientHandshakeState{
500 c: c,
501 serverHello: serverHello,
502 hello: hello,
503 suite: suite,
504 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]505 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]506 session: session,
507 }
508
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]509 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]510 if haveHelloRetryRequest {
511 hs.writeServerHash(helloRetryRequest.marshal())
512 hs.writeClientHash(secondHelloBytes)
513 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]514 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]515
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]516 if c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]517 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]518 return err
519 }
520 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]521 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
522 hs.establishKeys()
523 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
524 }
525
526 if hs.serverHello.compressionMethod != compressionNone {
527 c.sendAlert(alertUnexpectedMessage)
528 return errors.New("tls: server selected unsupported compression format")
529 }
530
531 err = hs.processServerExtensions(&serverHello.extensions)
532 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]533 return err
534 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]535
536 isResume, err := hs.processServerHello()
537 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]538 return err
539 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]540
541 if isResume {
542 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
543 if err := hs.establishKeys(); err != nil {
544 return err
545 }
546 }
547 if err := hs.readSessionTicket(); err != nil {
548 return err
549 }
550 if err := hs.readFinished(c.firstFinished[:]); err != nil {
551 return err
552 }
553 if err := hs.sendFinished(nil, isResume); err != nil {
554 return err
555 }
556 } else {
557 if err := hs.doFullHandshake(); err != nil {
558 return err
559 }
560 if err := hs.establishKeys(); err != nil {
561 return err
562 }
563 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
564 return err
565 }
566 // Most retransmits are triggered by a timeout, but the final
567 // leg of the handshake is retransmited upon re-receiving a
568 // Finished.
569 if err := c.simulatePacketLoss(func() {
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]570 c.sendHandshakeSeq--
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]571 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
572 c.flushHandshake()
573 }); err != nil {
574 return err
575 }
576 if err := hs.readSessionTicket(); err != nil {
577 return err
578 }
579 if err := hs.readFinished(nil); err != nil {
580 return err
581 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]582 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]583
584 if sessionCache != nil && hs.session != nil && session != hs.session {
585 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
586 return errors.New("tls: new session used session IDs instead of tickets")
587 }
588 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]589 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]590
591 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]592 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]593 }
594
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]595 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]596 c.cipherSuite = suite
597 copy(c.clientRandom[:], hs.hello.random)
598 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]599
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]600 return nil
601}
602
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]603func (hs *clientHandshakeState) doTLS13Handshake() error {
604 c := hs.c
605
606 // Once the PRF hash is known, TLS 1.3 does not require a handshake
607 // buffer.
608 hs.finishedHash.discardHandshakeBuffer()
609
610 zeroSecret := hs.finishedHash.zeroSecret()
611
612 // Resolve PSK and compute the early secret.
613 //
614 // TODO(davidben): This will need to be handled slightly earlier once
615 // 0-RTT is implemented.
616 var psk []byte
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]617 if hs.serverHello.hasPSKIdentity {
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]618 // We send at most one PSK identity.
619 if hs.session == nil || hs.serverHello.pskIdentity != 0 {
620 c.sendAlert(alertUnknownPSKIdentity)
621 return errors.New("tls: server sent unknown PSK identity")
622 }
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]623 if hs.session.cipherSuite != hs.suite.id {
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]624 c.sendAlert(alertHandshakeFailure)
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]625 return errors.New("tls: server sent invalid cipher suite")
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]626 }
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]627 psk = hs.session.masterSecret
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]628 c.didResume = true
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]629 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]630 psk = zeroSecret
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]631 }
632
633 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
634
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]635 if !hs.serverHello.hasKeyShare {
636 c.sendAlert(alertUnsupportedExtension)
637 return errors.New("tls: server omitted KeyShare on resumption.")
638 }
639
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]640 // Resolve ECDHE and compute the handshake secret.
641 var ecdheSecret []byte
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]642 if !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]643 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
644 if !ok {
645 c.sendAlert(alertHandshakeFailure)
646 return errors.New("tls: server selected an unsupported group")
647 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]648 c.curveID = hs.serverHello.keyShare.group
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]649
650 var err error
651 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
652 if err != nil {
653 return err
654 }
655 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]656 ecdheSecret = zeroSecret
657 }
658
659 // Compute the handshake secret.
660 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
661
662 // Switch to handshake traffic keys.
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]663 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, clientHandshakeTrafficLabel)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]664 c.out.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]665 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, serverHandshakeTrafficLabel)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]666 c.in.useTrafficSecret(c.vers, hs.suite, serverHandshakeTrafficSecret, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]667
668 msg, err := c.readHandshake()
669 if err != nil {
670 return err
671 }
672
673 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
674 if !ok {
675 c.sendAlert(alertUnexpectedMessage)
676 return unexpectedMessageError(encryptedExtensions, msg)
677 }
678 hs.writeServerHash(encryptedExtensions.marshal())
679
680 err = hs.processServerExtensions(&encryptedExtensions.extensions)
681 if err != nil {
682 return err
683 }
684
685 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]686 var certReq *certificateRequestMsg
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]687 if c.didResume {
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]688 // Copy over authentication from the session.
689 c.peerCertificates = hs.session.serverCertificates
690 c.sctList = hs.session.sctList
691 c.ocspResponse = hs.session.ocspResponse
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]692 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]693 msg, err := c.readHandshake()
694 if err != nil {
695 return err
696 }
697
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]698 var ok bool
699 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]700 if ok {
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]701 if len(certReq.requestContext) != 0 {
702 return errors.New("tls: non-empty certificate request context sent in handshake")
703 }
704
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]705 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
706 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
707 }
708
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]709 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]710
711 chainToSend, err = selectClientCertificate(c, certReq)
712 if err != nil {
713 return err
714 }
715
716 msg, err = c.readHandshake()
717 if err != nil {
718 return err
719 }
720 }
721
722 certMsg, ok := msg.(*certificateMsg)
723 if !ok {
724 c.sendAlert(alertUnexpectedMessage)
725 return unexpectedMessageError(certMsg, msg)
726 }
727 hs.writeServerHash(certMsg.marshal())
728
729 if err := hs.verifyCertificates(certMsg); err != nil {
730 return err
731 }
732 leaf := c.peerCertificates[0]
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]733 c.ocspResponse = certMsg.certificates[0].ocspResponse
734 c.sctList = certMsg.certificates[0].sctList
735
736 if c.config.Bugs.ExpectNoExtensionsOnIntermediate {
737 for _, cert := range certMsg.certificates[1:] {
738 if cert.ocspResponse != nil || cert.sctList != nil {
739 c.sendAlert(alertUnsupportedExtension)
740 return errors.New("tls: unexpected extensions in the client certificate")
741 }
742 }
743 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]744
745 msg, err = c.readHandshake()
746 if err != nil {
747 return err
748 }
749 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
750 if !ok {
751 c.sendAlert(alertUnexpectedMessage)
752 return unexpectedMessageError(certVerifyMsg, msg)
753 }
754
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]755 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]756 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]757 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]758 if err != nil {
759 return err
760 }
761
762 hs.writeServerHash(certVerifyMsg.marshal())
763 }
764
765 msg, err = c.readHandshake()
766 if err != nil {
767 return err
768 }
769 serverFinished, ok := msg.(*finishedMsg)
770 if !ok {
771 c.sendAlert(alertUnexpectedMessage)
772 return unexpectedMessageError(serverFinished, msg)
773 }
774
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]775 verify := hs.finishedHash.serverSum(serverHandshakeTrafficSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]776 if len(verify) != len(serverFinished.verifyData) ||
777 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
778 c.sendAlert(alertHandshakeFailure)
779 return errors.New("tls: server's Finished message was incorrect")
780 }
781
782 hs.writeServerHash(serverFinished.marshal())
783
784 // The various secrets do not incorporate the client's final leg, so
785 // derive them now before updating the handshake context.
786 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]787 clientTrafficSecret := hs.finishedHash.deriveSecret(masterSecret, clientApplicationTrafficLabel)
788 serverTrafficSecret := hs.finishedHash.deriveSecret(masterSecret, serverApplicationTrafficLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]789
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]790 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]791 certMsg := &certificateMsg{
792 hasRequestContext: true,
793 requestContext: certReq.requestContext,
794 }
795 if chainToSend != nil {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]796 for _, certData := range chainToSend.Certificate {
797 certMsg.certificates = append(certMsg.certificates, certificateEntry{
798 data: certData,
799 extraExtension: c.config.Bugs.SendExtensionOnCertificate,
800 })
801 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]802 }
803 hs.writeClientHash(certMsg.marshal())
804 c.writeRecord(recordTypeHandshake, certMsg.marshal())
805
806 if chainToSend != nil {
807 certVerify := &certificateVerifyMsg{
808 hasSignatureAlgorithm: true,
809 }
810
811 // Determine the hash to sign.
812 privKey := chainToSend.PrivateKey
813
814 var err error
815 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
816 if err != nil {
817 c.sendAlert(alertInternalError)
818 return err
819 }
820
821 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
822 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
823 if err != nil {
824 c.sendAlert(alertInternalError)
825 return err
826 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]827 if c.config.Bugs.SendSignatureAlgorithm != 0 {
828 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
829 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]830
831 hs.writeClientHash(certVerify.marshal())
832 c.writeRecord(recordTypeHandshake, certVerify.marshal())
833 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]834 }
835
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]836 if encryptedExtensions.extensions.channelIDRequested {
837 channelIDHash := crypto.SHA256.New()
838 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13))
839 channelIDMsgBytes, err := hs.writeChannelIDMessage(channelIDHash.Sum(nil))
840 if err != nil {
841 return err
842 }
843 hs.writeClientHash(channelIDMsgBytes)
844 c.writeRecord(recordTypeHandshake, channelIDMsgBytes)
845 }
846
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]847 // Send a client Finished message.
848 finished := new(finishedMsg)
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]849 finished.verifyData = hs.finishedHash.clientSum(clientHandshakeTrafficSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]850 if c.config.Bugs.BadFinished {
851 finished.verifyData[0]++
852 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]853 hs.writeClientHash(finished.marshal())
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]854 if c.config.Bugs.PartialClientFinishedWithClientHello {
855 // The first byte has already been sent.
856 c.writeRecord(recordTypeHandshake, finished.marshal()[1:])
857 } else {
858 c.writeRecord(recordTypeHandshake, finished.marshal())
859 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]860 if c.config.Bugs.SendExtraFinished {
861 c.writeRecord(recordTypeHandshake, finished.marshal())
862 }
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]863 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]864
865 // Switch to application data keys.
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]866 c.out.useTrafficSecret(c.vers, hs.suite, clientTrafficSecret, clientWrite)
867 c.in.useTrafficSecret(c.vers, hs.suite, serverTrafficSecret, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]868
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]869 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]870 c.resumptionSecret = hs.finishedHash.deriveSecret(masterSecret, resumptionLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]871 return nil
872}
873
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]874func (hs *clientHandshakeState) doFullHandshake() error {
875 c := hs.c
876
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]877 var leaf *x509.Certificate
878 if hs.suite.flags&suitePSK == 0 {
879 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]880 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]881 return err
882 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]883
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]884 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]885 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]886 c.sendAlert(alertUnexpectedMessage)
887 return unexpectedMessageError(certMsg, msg)
888 }
889 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]890
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]891 if err := hs.verifyCertificates(certMsg); err != nil {
892 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]893 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]894 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]895 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]896
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]897 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]898 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]899 if err != nil {
900 return err
901 }
902 cs, ok := msg.(*certificateStatusMsg)
903 if !ok {
904 c.sendAlert(alertUnexpectedMessage)
905 return unexpectedMessageError(cs, msg)
906 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]907 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]908
909 if cs.statusType == statusTypeOCSP {
910 c.ocspResponse = cs.response
911 }
912 }
913
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]914 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]915 if err != nil {
916 return err
917 }
918
919 keyAgreement := hs.suite.ka(c.vers)
920
921 skx, ok := msg.(*serverKeyExchangeMsg)
922 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]923 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]924 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]925 if err != nil {
926 c.sendAlert(alertUnexpectedMessage)
927 return err
928 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]929 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
930 c.curveID = ecdhe.curveID
931 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]932
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]933 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
934
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]935 msg, err = c.readHandshake()
936 if err != nil {
937 return err
938 }
939 }
940
941 var chainToSend *Certificate
942 var certRequested bool
943 certReq, ok := msg.(*certificateRequestMsg)
944 if ok {
945 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]946 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
947 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
948 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]949
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]950 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]951
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]952 chainToSend, err = selectClientCertificate(c, certReq)
953 if err != nil {
954 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]955 }
956
957 msg, err = c.readHandshake()
958 if err != nil {
959 return err
960 }
961 }
962
963 shd, ok := msg.(*serverHelloDoneMsg)
964 if !ok {
965 c.sendAlert(alertUnexpectedMessage)
966 return unexpectedMessageError(shd, msg)
967 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]968 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]969
970 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]971 // Certificate message in TLS, even if it's empty because we don't have
972 // a certificate to send. In SSL 3.0, skip the message and send a
973 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]974 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]975 if c.vers == VersionSSL30 && chainToSend == nil {
976 c.sendAlert(alertNoCertficate)
977 } else if !c.config.Bugs.SkipClientCertificate {
978 certMsg := new(certificateMsg)
979 if chainToSend != nil {
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]980 for _, certData := range chainToSend.Certificate {
981 certMsg.certificates = append(certMsg.certificates, certificateEntry{
982 data: certData,
983 })
984 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]985 }
986 hs.writeClientHash(certMsg.marshal())
987 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]988 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]989 }
990
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]991 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]992 if err != nil {
993 c.sendAlert(alertInternalError)
994 return err
995 }
996 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]997 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]998 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]999 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1000 c.writeRecord(recordTypeHandshake, ckx.marshal())
1001 }
1002
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1003 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1004 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
1005 c.extendedMasterSecret = true
1006 } else {
1007 if c.config.Bugs.RequireExtendedMasterSecret {
1008 return errors.New("tls: extended master secret required but not supported by peer")
1009 }
1010 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
1011 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1012
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1013 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1014 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1015 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1016 }
1017
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]1018 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1019 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]1020
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1021 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1022 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1023 if err != nil {
1024 c.sendAlert(alertInternalError)
1025 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1026 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1027 }
1028
1029 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]1030 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]1031 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
1032 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
1033 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1034 } else {
1035 // SSL 3.0's client certificate construction is
1036 // incompatible with signatureAlgorithm.
1037 rsaKey, ok := privKey.(*rsa.PrivateKey)
1038 if !ok {
1039 err = errors.New("unsupported signature type for client certificate")
1040 } else {
1041 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]1042 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]1043 digest[0] ^= 0x80
1044 }
1045 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
1046 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1047 }
1048 if err != nil {
1049 c.sendAlert(alertInternalError)
1050 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
1051 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1052
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1053 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1054 c.writeRecord(recordTypeHandshake, certVerify.marshal())
1055 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]1056 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1057
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1058 hs.finishedHash.discardHandshakeBuffer()
1059
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1060 return nil
1061}
1062
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]1063func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
1064 c := hs.c
1065
1066 if len(certMsg.certificates) == 0 {
1067 c.sendAlert(alertIllegalParameter)
1068 return errors.New("tls: no certificates sent")
1069 }
1070
1071 certs := make([]*x509.Certificate, len(certMsg.certificates))
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]1072 for i, certEntry := range certMsg.certificates {
1073 cert, err := x509.ParseCertificate(certEntry.data)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]1074 if err != nil {
1075 c.sendAlert(alertBadCertificate)
1076 return errors.New("tls: failed to parse certificate from server: " + err.Error())
1077 }
1078 certs[i] = cert
1079 }
1080
1081 if !c.config.InsecureSkipVerify {
1082 opts := x509.VerifyOptions{
1083 Roots: c.config.RootCAs,
1084 CurrentTime: c.config.time(),
1085 DNSName: c.config.ServerName,
1086 Intermediates: x509.NewCertPool(),
1087 }
1088
1089 for i, cert := range certs {
1090 if i == 0 {
1091 continue
1092 }
1093 opts.Intermediates.AddCert(cert)
1094 }
1095 var err error
1096 c.verifiedChains, err = certs[0].Verify(opts)
1097 if err != nil {
1098 c.sendAlert(alertBadCertificate)
1099 return err
1100 }
1101 }
1102
1103 switch certs[0].PublicKey.(type) {
1104 case *rsa.PublicKey, *ecdsa.PublicKey:
1105 break
1106 default:
1107 c.sendAlert(alertUnsupportedCertificate)
1108 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
1109 }
1110
1111 c.peerCertificates = certs
1112 return nil
1113}
1114
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1115func (hs *clientHandshakeState) establishKeys() error {
1116 c := hs.c
1117
1118 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1119 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120 var clientCipher, serverCipher interface{}
1121 var clientHash, serverHash macFunction
1122 if hs.suite.cipher != nil {
1123 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
1124 clientHash = hs.suite.mac(c.vers, clientMAC)
1125 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
1126 serverHash = hs.suite.mac(c.vers, serverMAC)
1127 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1128 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
1129 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1130 }
1131
1132 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
1133 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
1134 return nil
1135}
1136
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1137func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
1138 c := hs.c
1139
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1140 if c.vers < VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1141 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
1142 return errors.New("tls: renegotiation extension missing")
1143 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1144
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1145 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
1146 var expectedRenegInfo []byte
1147 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
1148 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
1149 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
1150 c.sendAlert(alertHandshakeFailure)
1151 return fmt.Errorf("tls: renegotiation mismatch")
1152 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1153 }
David Benjamincea0ab42016-07-14 12:33:14 -0400[diff] [blame]1154 } else if serverExtensions.secureRenegotiation != nil {
1155 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1156 }
1157
1158 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1159 if serverExtensions.customExtension != *expected {
1160 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
1161 }
1162 }
1163
1164 clientDidNPN := hs.hello.nextProtoNeg
1165 clientDidALPN := len(hs.hello.alpnProtocols) > 0
1166 serverHasNPN := serverExtensions.nextProtoNeg
1167 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
1168
1169 if !clientDidNPN && serverHasNPN {
1170 c.sendAlert(alertHandshakeFailure)
1171 return errors.New("server advertised unrequested NPN extension")
1172 }
1173
1174 if !clientDidALPN && serverHasALPN {
1175 c.sendAlert(alertHandshakeFailure)
1176 return errors.New("server advertised unrequested ALPN extension")
1177 }
1178
1179 if serverHasNPN && serverHasALPN {
1180 c.sendAlert(alertHandshakeFailure)
1181 return errors.New("server advertised both NPN and ALPN extensions")
1182 }
1183
1184 if serverHasALPN {
1185 c.clientProtocol = serverExtensions.alpnProtocol
1186 c.clientProtocolFallback = false
1187 c.usedALPN = true
1188 }
1189
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1190 if serverHasNPN && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1191 c.sendAlert(alertHandshakeFailure)
1192 return errors.New("server advertised NPN over TLS 1.3")
1193 }
1194
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1195 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
1196 c.sendAlert(alertHandshakeFailure)
1197 return errors.New("server advertised unrequested Channel ID extension")
1198 }
1199
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1200 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 {
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]1201 return errors.New("tls: server advertised extended master secret over TLS 1.3")
1202 }
1203
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1204 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1205 return errors.New("tls: server advertised ticket extension over TLS 1.3")
1206 }
1207
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]1208 if serverExtensions.ocspStapling && c.vers >= VersionTLS13 {
1209 return errors.New("tls: server advertised OCSP in ServerHello over TLS 1.3")
1210 }
1211
1212 if len(serverExtensions.sctList) > 0 && c.vers >= VersionTLS13 {
1213 return errors.New("tls: server advertised SCTs in ServerHello over TLS 1.3")
1214 }
1215
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1216 if serverExtensions.srtpProtectionProfile != 0 {
1217 if serverExtensions.srtpMasterKeyIdentifier != "" {
1218 return errors.New("tls: server selected SRTP MKI value")
1219 }
1220
1221 found := false
1222 for _, p := range c.config.SRTPProtectionProfiles {
1223 if p == serverExtensions.srtpProtectionProfile {
1224 found = true
1225 break
1226 }
1227 }
1228 if !found {
1229 return errors.New("tls: server advertised unsupported SRTP profile")
1230 }
1231
1232 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1233 }
1234
1235 return nil
1236}
1237
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1238func (hs *clientHandshakeState) serverResumedSession() bool {
1239 // If the server responded with the same sessionId then it means the
1240 // sessionTicket is being used to resume a TLS session.
1241 return hs.session != nil && hs.hello.sessionId != nil &&
1242 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1243}
1244
1245func (hs *clientHandshakeState) processServerHello() (bool, error) {
1246 c := hs.c
1247
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1248 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1249 // For test purposes, assert that the server never accepts the
1250 // resumption offer on renegotiation.
1251 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1252 return false, errors.New("tls: server resumed session on renegotiation")
1253 }
1254
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1255 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1256 return false, errors.New("tls: server sent SCT extension on session resumption")
1257 }
1258
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1259 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1260 return false, errors.New("tls: server sent OCSP extension on session resumption")
1261 }
1262
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1263 // Restore masterSecret and peerCerts from previous state
1264 hs.masterSecret = hs.session.masterSecret
1265 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1266 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1267 c.sctList = hs.session.sctList
1268 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1269 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1270 return true, nil
1271 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1272
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1273 if hs.serverHello.extensions.sctList != nil {
1274 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1275 }
1276
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1277 return false, nil
1278}
1279
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1280func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1281 c := hs.c
1282
1283 c.readRecord(recordTypeChangeCipherSpec)
1284 if err := c.in.error(); err != nil {
1285 return err
1286 }
1287
1288 msg, err := c.readHandshake()
1289 if err != nil {
1290 return err
1291 }
1292 serverFinished, ok := msg.(*finishedMsg)
1293 if !ok {
1294 c.sendAlert(alertUnexpectedMessage)
1295 return unexpectedMessageError(serverFinished, msg)
1296 }
1297
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1298 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1299 verify := hs.finishedHash.serverSum(hs.masterSecret)
1300 if len(verify) != len(serverFinished.verifyData) ||
1301 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1302 c.sendAlert(alertHandshakeFailure)
1303 return errors.New("tls: server's Finished message was incorrect")
1304 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1305 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1306 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1307 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1308 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1309 return nil
1310}
1311
1312func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1313 c := hs.c
1314
1315 // Create a session with no server identifier. Either a
1316 // session ID or session ticket will be attached.
1317 session := &ClientSessionState{
1318 vers: c.vers,
1319 cipherSuite: hs.suite.id,
1320 masterSecret: hs.masterSecret,
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]1321 handshakeHash: hs.finishedHash.Sum(),
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1322 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1323 sctList: c.sctList,
1324 ocspResponse: c.ocspResponse,
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]1325 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)),
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1326 }
1327
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1328 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1329 if c.config.Bugs.ExpectNewTicket {
1330 return errors.New("tls: expected new ticket")
1331 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1332 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1333 session.sessionId = hs.serverHello.sessionId
1334 hs.session = session
1335 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1336 return nil
1337 }
1338
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1339 if c.vers == VersionSSL30 {
1340 return errors.New("tls: negotiated session tickets in SSL 3.0")
1341 }
1342
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1343 msg, err := c.readHandshake()
1344 if err != nil {
1345 return err
1346 }
1347 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1348 if !ok {
1349 c.sendAlert(alertUnexpectedMessage)
1350 return unexpectedMessageError(sessionTicketMsg, msg)
1351 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1352
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1353 session.sessionTicket = sessionTicketMsg.ticket
1354 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1355
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1356 hs.writeServerHash(sessionTicketMsg.marshal())
1357
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1358 return nil
1359}
1360
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1361func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1362 c := hs.c
1363
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1364 var postCCSMsgs [][]byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1365 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1366 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1367 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1368 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1369 nextProto.proto = proto
1370 c.clientProtocol = proto
1371 c.clientProtocolFallback = fallback
1372
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1373 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1374 hs.writeHash(nextProtoBytes, seqno)
1375 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1376 postCCSMsgs = append(postCCSMsgs, nextProtoBytes)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1377 }
1378
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1379 if hs.serverHello.extensions.channelIDRequested {
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1380 var resumeHash []byte
1381 if isResume {
1382 resumeHash = hs.session.handshakeHash
1383 }
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]1384 channelIDMsgBytes, err := hs.writeChannelIDMessage(hs.finishedHash.hashForChannelID(resumeHash))
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1385 if err != nil {
1386 return err
1387 }
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1388 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1389 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1390 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1391 }
1392
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1393 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1394 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1395 finished.verifyData = hs.finishedHash.clientSum(nil)
1396 } else {
1397 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1398 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1399 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1400 if c.config.Bugs.BadFinished {
1401 finished.verifyData[0]++
1402 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1403 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1404 hs.finishedBytes = finished.marshal()
1405 hs.writeHash(hs.finishedBytes, seqno)
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1406 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1407
1408 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1409 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5])
1410 postCCSMsgs[0] = postCCSMsgs[0][5:]
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]1411 } else if c.config.Bugs.SendUnencryptedFinished {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1412 c.writeRecord(recordTypeHandshake, postCCSMsgs[0])
1413 postCCSMsgs = postCCSMsgs[1:]
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1414 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1415 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1416
1417 if !c.config.Bugs.SkipChangeCipherSpec &&
1418 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1419 ccs := []byte{1}
1420 if c.config.Bugs.BadChangeCipherSpec != nil {
1421 ccs = c.config.Bugs.BadChangeCipherSpec
1422 }
1423 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1424 }
1425
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1426 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1427 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1428 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1429 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1430 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1431 return errors.New("tls: simulating post-CCS alert")
1432 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1433
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1434 if !c.config.Bugs.SkipFinished {
1435 for _, msg := range postCCSMsgs {
1436 c.writeRecord(recordTypeHandshake, msg)
1437 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]1438
1439 if c.config.Bugs.SendExtraFinished {
1440 c.writeRecord(recordTypeHandshake, finished.marshal())
1441 }
1442
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1443 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1444 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1445 return nil
1446}
1447
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]1448func (hs *clientHandshakeState) writeChannelIDMessage(channelIDHash []byte) ([]byte, error) {
1449 c := hs.c
1450 channelIDMsg := new(channelIDMsg)
1451 if c.config.ChannelID.Curve != elliptic.P256() {
1452 return nil, fmt.Errorf("tls: Channel ID is not on P-256.")
1453 }
1454 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, channelIDHash)
1455 if err != nil {
1456 return nil, err
1457 }
1458 channelID := make([]byte, 128)
1459 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1460 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1461 writeIntPadded(channelID[64:96], r)
1462 writeIntPadded(channelID[96:128], s)
1463 if c.config.Bugs.InvalidChannelIDSignature {
1464 channelID[64] ^= 1
1465 }
1466 channelIDMsg.channelID = channelID
1467
1468 c.channelID = &c.config.ChannelID.PublicKey
1469
1470 return channelIDMsg.marshal(), nil
1471}
1472
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1473func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1474 // writeClientHash is called before writeRecord.
1475 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1476}
1477
1478func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1479 // writeServerHash is called after readHandshake.
1480 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1481}
1482
1483func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1484 if hs.c.isDTLS {
1485 // This is somewhat hacky. DTLS hashes a slightly different format.
1486 // First, the TLS header.
1487 hs.finishedHash.Write(msg[:4])
1488 // Then the sequence number and reassembled fragment offset (always 0).
1489 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1490 // Then the reassembled fragment (always equal to the message length).
1491 hs.finishedHash.Write(msg[1:4])
1492 // And then the message body.
1493 hs.finishedHash.Write(msg[4:])
1494 } else {
1495 hs.finishedHash.Write(msg)
1496 }
1497}
1498
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1499// selectClientCertificate selects a certificate for use with the given
1500// certificate, or none if none match. It may return a particular certificate or
1501// nil on success, or an error on internal error.
1502func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1503 // RFC 4346 on the certificateAuthorities field:
1504 // A list of the distinguished names of acceptable certificate
1505 // authorities. These distinguished names may specify a desired
1506 // distinguished name for a root CA or for a subordinate CA; thus, this
1507 // message can be used to describe both known roots and a desired
1508 // authorization space. If the certificate_authorities list is empty
1509 // then the client MAY send any certificate of the appropriate
1510 // ClientCertificateType, unless there is some external arrangement to
1511 // the contrary.
1512
1513 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1514 if !certReq.hasRequestContext {
1515 for _, certType := range certReq.certificateTypes {
1516 switch certType {
1517 case CertTypeRSASign:
1518 rsaAvail = true
1519 case CertTypeECDSASign:
1520 ecdsaAvail = true
1521 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1522 }
1523 }
1524
1525 // We need to search our list of client certs for one
1526 // where SignatureAlgorithm is RSA and the Issuer is in
1527 // certReq.certificateAuthorities
1528findCert:
1529 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1530 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1531 continue
1532 }
1533
1534 // Ensure the private key supports one of the advertised
1535 // signature algorithms.
1536 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1537 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1538 continue
1539 }
1540 }
1541
1542 for j, cert := range chain.Certificate {
1543 x509Cert := chain.Leaf
1544 // parse the certificate if this isn't the leaf
1545 // node, or if chain.Leaf was nil
1546 if j != 0 || x509Cert == nil {
1547 var err error
1548 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1549 c.sendAlert(alertInternalError)
1550 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1551 }
1552 }
1553
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1554 if !certReq.hasRequestContext {
1555 switch {
1556 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1557 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1558 default:
1559 continue findCert
1560 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1561 }
1562
1563 if len(certReq.certificateAuthorities) == 0 {
1564 // They gave us an empty list, so just take the
1565 // first certificate of valid type from
1566 // c.config.Certificates.
1567 return &chain, nil
1568 }
1569
1570 for _, ca := range certReq.certificateAuthorities {
1571 if bytes.Equal(x509Cert.RawIssuer, ca) {
1572 return &chain, nil
1573 }
1574 }
1575 }
1576 }
1577
1578 return nil, nil
1579}
1580
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1581// clientSessionCacheKey returns a key used to cache sessionTickets that could
1582// be used to resume previously negotiated TLS sessions with a server.
1583func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1584 if len(config.ServerName) > 0 {
1585 return config.ServerName
1586 }
1587 return serverAddr.String()
1588}
1589
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1590// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1591// given list of possible protocols and a list of the preference order. The
1592// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1593// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1594func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1595 for _, s := range preferenceProtos {
1596 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1597 if s == c {
1598 return s, false
1599 }
1600 }
1601 }
1602
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1603 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1604}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1605
1606// writeIntPadded writes x into b, padded up with leading zeros as
1607// needed.
1608func writeIntPadded(b []byte, x *big.Int) {
1609 for i := range b {
1610 b[i] = 0
1611 }
1612 xb := x.Bytes()
1613 copy(b[len(b)-len(xb):], xb)
1614}
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame^]1615
1616func generatePSKBinders(hello *clientHelloMsg, pskCipherSuite *cipherSuite, psk, transcript []byte, config *Config) {
1617 if config.Bugs.SendNoPSKBinder {
1618 return
1619 }
1620
1621 binderLen := pskCipherSuite.hash().Size()
1622 if config.Bugs.SendShortPSKBinder {
1623 binderLen--
1624 }
1625
1626 // Fill hello.pskBinders with appropriate length arrays of zeros so the
1627 // length prefixes are correct when computing the binder over the truncated
1628 // ClientHello message.
1629 hello.pskBinders = make([][]byte, len(hello.pskIdentities))
1630 for i := range hello.pskIdentities {
1631 hello.pskBinders[i] = make([]byte, binderLen)
1632 }
1633
1634 helloBytes := hello.marshal()
1635 binderSize := len(hello.pskBinders)*(binderLen+1) + 2
1636 truncatedHello := helloBytes[:len(helloBytes)-binderSize]
1637 binder := computePSKBinder(psk, resumptionPSKBinderLabel, pskCipherSuite, transcript, truncatedHello)
1638 if config.Bugs.SendShortPSKBinder {
1639 binder = binder[:binderLen]
1640 }
1641 if config.Bugs.SendInvalidPSKBinder {
1642 binder[0] ^= 1
1643 }
1644
1645 for i := range hello.pskBinders {
1646 hello.pskBinders[i] = binder
1647 }
1648
1649 hello.raw = nil
1650}