Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / cea0ab43612e81966f80e209fc851340f56eff5a / . / ssl / test / runner / handshake_client.go
blob: bc8c1d0a6129399fcfe58ab4526a9cc5e33f5273 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
21)
22
23type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]24 c *Conn
25 serverHello *serverHelloMsg
26 hello *clientHelloMsg
27 suite *cipherSuite
28 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]29 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]30 masterSecret []byte
31 session *ClientSessionState
32 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]33}
34
35func (c *Conn) clientHandshake() error {
36 if c.config == nil {
37 c.config = defaultConfig()
38 }
39
40 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
41 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
42 }
43
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]44 c.sendHandshakeSeq = 0
45 c.recvHandshakeSeq = 0
46
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]47 nextProtosLength := 0
48 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]49 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]50 return errors.New("tls: invalid NextProtos value")
51 } else {
52 nextProtosLength += 1 + l
53 }
54 }
55 if nextProtosLength > 0xffff {
56 return errors.New("tls: NextProtos values too large")
57 }
58
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]59 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]60 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]61 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]62 compressionMethods: []uint8{compressionNone},
63 random: make([]byte, 32),
64 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]65 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]66 serverName: c.config.ServerName,
67 supportedCurves: c.config.curvePreferences(),
68 supportedPoints: []uint8{pointFormatUncompressed},
69 nextProtoNeg: len(c.config.NextProtos) > 0,
70 secureRenegotiation: []byte{},
71 alpnProtocols: c.config.NextProtos,
72 duplicateExtension: c.config.Bugs.DuplicateExtension,
73 channelIDSupported: c.config.ChannelID != nil,
74 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]75 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]76 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
77 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]78 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]79 }
80
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]81 if c.config.Bugs.SendClientVersion != 0 {
82 hello.vers = c.config.Bugs.SendClientVersion
83 }
84
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]85 if c.config.Bugs.NoExtendedMasterSecret {
86 hello.extendedMasterSecret = false
87 }
88
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]89 if c.config.Bugs.NoSupportedCurves {
90 hello.supportedCurves = nil
91 }
92
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]93 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
94 if c.config.Bugs.BadRenegotiationInfo {
95 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
96 hello.secureRenegotiation[0] ^= 0x80
97 } else {
98 hello.secureRenegotiation = c.clientVerify
99 }
100 }
101
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]102 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]103 hello.secureRenegotiation = nil
104 }
105
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]106 var keyShares map[CurveID]ecdhCurve
107 if hello.vers >= VersionTLS13 && enableTLS13Handshake {
108 // Offer every supported curve in the initial ClientHello.
109 //
110 // TODO(davidben): For real code, default to a more conservative
111 // set like P-256 and X25519. Make it configurable for tests to
112 // stress the HelloRetryRequest logic when implemented.
113 keyShares = make(map[CurveID]ecdhCurve)
114 for _, curveID := range hello.supportedCurves {
115 curve, ok := curveForCurveID(curveID)
116 if !ok {
117 continue
118 }
119 publicKey, err := curve.offer(c.config.rand())
120 if err != nil {
121 return err
122 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]123
124 if c.config.Bugs.SendCurve != 0 {
125 curveID = c.config.Bugs.SendCurve
126 }
127 if c.config.Bugs.InvalidECDHPoint {
128 publicKey[0] ^= 0xff
129 }
130
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]131 hello.keyShares = append(hello.keyShares, keyShareEntry{
132 group: curveID,
133 keyExchange: publicKey,
134 })
135 keyShares[curveID] = curve
136 }
137 }
138
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]139 possibleCipherSuites := c.config.cipherSuites()
140 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
141
142NextCipherSuite:
143 for _, suiteId := range possibleCipherSuites {
144 for _, suite := range cipherSuites {
145 if suite.id != suiteId {
146 continue
147 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]148 if !c.config.Bugs.EnableAllCiphers {
149 // Don't advertise TLS 1.2-only cipher suites unless
150 // we're attempting TLS 1.2.
151 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
152 continue
153 }
154 // Don't advertise non-DTLS cipher suites in DTLS.
155 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
156 continue
157 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]158 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]159 hello.cipherSuites = append(hello.cipherSuites, suiteId)
160 continue NextCipherSuite
161 }
162 }
163
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]164 if c.config.Bugs.SendRenegotiationSCSV {
165 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
166 }
167
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]168 if c.config.Bugs.SendFallbackSCSV {
169 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
170 }
171
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]172 _, err := io.ReadFull(c.config.rand(), hello.random)
173 if err != nil {
174 c.sendAlert(alertInternalError)
175 return errors.New("tls: short read from Rand: " + err.Error())
176 }
177
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]178 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]179 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]180 }
181
182 var session *ClientSessionState
183 var cacheKey string
184 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]185
186 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]187 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]188
189 // Try to resume a previously negotiated TLS session, if
190 // available.
191 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
192 candidateSession, ok := sessionCache.Get(cacheKey)
193 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]194 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
195
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]196 // Check that the ciphersuite/version used for the
197 // previous session are still valid.
198 cipherSuiteOk := false
199 for _, id := range hello.cipherSuites {
200 if id == candidateSession.cipherSuite {
201 cipherSuiteOk = true
202 break
203 }
204 }
205
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]206 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
207 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]208 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]209 session = candidateSession
210 }
211 }
212 }
213
214 if session != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]215 if session.sessionTicket != nil {
216 hello.sessionTicket = session.sessionTicket
217 if c.config.Bugs.CorruptTicket {
218 hello.sessionTicket = make([]byte, len(session.sessionTicket))
219 copy(hello.sessionTicket, session.sessionTicket)
220 if len(hello.sessionTicket) > 0 {
221 offset := 40
222 if offset > len(hello.sessionTicket) {
223 offset = len(hello.sessionTicket) - 1
224 }
225 hello.sessionTicket[offset] ^= 0x40
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]226 }
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]227 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]228 // A random session ID is used to detect when the
229 // server accepted the ticket and is resuming a session
230 // (see RFC 5077).
231 sessionIdLen := 16
232 if c.config.Bugs.OversizedSessionId {
233 sessionIdLen = 33
234 }
235 hello.sessionId = make([]byte, sessionIdLen)
236 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
237 c.sendAlert(alertInternalError)
238 return errors.New("tls: short read from Rand: " + err.Error())
239 }
240 } else {
241 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]242 }
243 }
244
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]245 var helloBytes []byte
246 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]247 // Test that the peer left-pads random.
248 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]249 v2Hello := &v2ClientHelloMsg{
250 vers: hello.vers,
251 cipherSuites: hello.cipherSuites,
252 // No session resumption for V2ClientHello.
253 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]254 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]255 }
256 helloBytes = v2Hello.marshal()
257 c.writeV2Record(helloBytes)
258 } else {
259 helloBytes = hello.marshal()
260 c.writeRecord(recordTypeHandshake, helloBytes)
261 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]262 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]263
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]264 if err := c.simulatePacketLoss(nil); err != nil {
265 return err
266 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]267 msg, err := c.readHandshake()
268 if err != nil {
269 return err
270 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]271
272 if c.isDTLS {
273 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
274 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]275 if helloVerifyRequest.vers != VersionTLS10 {
276 // Per RFC 6347, the version field in
277 // HelloVerifyRequest SHOULD be always DTLS
278 // 1.0. Enforce this for testing purposes.
279 return errors.New("dtls: bad HelloVerifyRequest version")
280 }
281
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]282 hello.raw = nil
283 hello.cookie = helloVerifyRequest.cookie
284 helloBytes = hello.marshal()
285 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]286 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]287
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]288 if err := c.simulatePacketLoss(nil); err != nil {
289 return err
290 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]291 msg, err = c.readHandshake()
292 if err != nil {
293 return err
294 }
295 }
296 }
297
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]298 // TODO(davidben): Handle HelloRetryRequest.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]299 serverHello, ok := msg.(*serverHelloMsg)
300 if !ok {
301 c.sendAlert(alertUnexpectedMessage)
302 return unexpectedMessageError(serverHello, msg)
303 }
304
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]305 c.vers, ok = c.config.mutualVersion(serverHello.vers, c.isDTLS)
David Benjamin76d8abe2014-08-14 16:25:34 -0400[diff] [blame]306 if !ok {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]307 c.sendAlert(alertProtocolVersion)
308 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)
309 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]310 c.haveVers = true
311
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]312 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]313 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]314 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]315 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]316 c.sendAlert(alertProtocolVersion)
317 return errors.New("tls: downgrade from TLS 1.3 detected")
318 }
319 }
320 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]321 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]322 c.sendAlert(alertProtocolVersion)
323 return errors.New("tls: downgrade from TLS 1.2 detected")
324 }
325 }
326
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]327 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
328 if suite == nil {
329 c.sendAlert(alertHandshakeFailure)
330 return fmt.Errorf("tls: server selected an unsupported cipher suite")
331 }
332
333 hs := &clientHandshakeState{
334 c: c,
335 serverHello: serverHello,
336 hello: hello,
337 suite: suite,
338 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]339 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]340 session: session,
341 }
342
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]343 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
344 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]345
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]346 if c.vers >= VersionTLS13 && enableTLS13Handshake {
347 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]348 return err
349 }
350 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]351 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
352 hs.establishKeys()
353 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
354 }
355
356 if hs.serverHello.compressionMethod != compressionNone {
357 c.sendAlert(alertUnexpectedMessage)
358 return errors.New("tls: server selected unsupported compression format")
359 }
360
361 err = hs.processServerExtensions(&serverHello.extensions)
362 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]363 return err
364 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]365
366 isResume, err := hs.processServerHello()
367 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]368 return err
369 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]370
371 if isResume {
372 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
373 if err := hs.establishKeys(); err != nil {
374 return err
375 }
376 }
377 if err := hs.readSessionTicket(); err != nil {
378 return err
379 }
380 if err := hs.readFinished(c.firstFinished[:]); err != nil {
381 return err
382 }
383 if err := hs.sendFinished(nil, isResume); err != nil {
384 return err
385 }
386 } else {
387 if err := hs.doFullHandshake(); err != nil {
388 return err
389 }
390 if err := hs.establishKeys(); err != nil {
391 return err
392 }
393 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
394 return err
395 }
396 // Most retransmits are triggered by a timeout, but the final
397 // leg of the handshake is retransmited upon re-receiving a
398 // Finished.
399 if err := c.simulatePacketLoss(func() {
400 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
401 c.flushHandshake()
402 }); err != nil {
403 return err
404 }
405 if err := hs.readSessionTicket(); err != nil {
406 return err
407 }
408 if err := hs.readFinished(nil); err != nil {
409 return err
410 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]411 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]412
413 if sessionCache != nil && hs.session != nil && session != hs.session {
414 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
415 return errors.New("tls: new session used session IDs instead of tickets")
416 }
417 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]418 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]419
420 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]421 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]422 }
423
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]424 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]425 c.cipherSuite = suite
426 copy(c.clientRandom[:], hs.hello.random)
427 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]428
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]429 return nil
430}
431
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]432func (hs *clientHandshakeState) doTLS13Handshake() error {
433 c := hs.c
434
435 // Once the PRF hash is known, TLS 1.3 does not require a handshake
436 // buffer.
437 hs.finishedHash.discardHandshakeBuffer()
438
439 zeroSecret := hs.finishedHash.zeroSecret()
440
441 // Resolve PSK and compute the early secret.
442 //
443 // TODO(davidben): This will need to be handled slightly earlier once
444 // 0-RTT is implemented.
445 var psk []byte
446 if hs.suite.flags&suitePSK != 0 {
447 if !hs.serverHello.hasPSKIdentity {
448 c.sendAlert(alertMissingExtension)
449 return errors.New("tls: server omitted the PSK identity extension")
450 }
451
452 // TODO(davidben): Support PSK ciphers and PSK resumption. Set
453 // the resumption context appropriately if resuming.
454 return errors.New("tls: PSK ciphers not implemented for TLS 1.3")
455 } else {
456 if hs.serverHello.hasPSKIdentity {
457 c.sendAlert(alertUnsupportedExtension)
458 return errors.New("tls: server sent unexpected PSK identity")
459 }
460
461 psk = zeroSecret
462 hs.finishedHash.setResumptionContext(zeroSecret)
463 }
464
465 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
466
467 // Resolve ECDHE and compute the handshake secret.
468 var ecdheSecret []byte
469 if hs.suite.flags&suiteECDHE != 0 {
470 if !hs.serverHello.hasKeyShare {
471 c.sendAlert(alertMissingExtension)
472 return errors.New("tls: server omitted the key share extension")
473 }
474
475 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
476 if !ok {
477 c.sendAlert(alertHandshakeFailure)
478 return errors.New("tls: server selected an unsupported group")
479 }
480
481 var err error
482 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
483 if err != nil {
484 return err
485 }
486 } else {
487 if hs.serverHello.hasKeyShare {
488 c.sendAlert(alertUnsupportedExtension)
489 return errors.New("tls: server sent unexpected key share extension")
490 }
491
492 ecdheSecret = zeroSecret
493 }
494
495 // Compute the handshake secret.
496 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
497
498 // Switch to handshake traffic keys.
499 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
500 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite), c.vers)
501 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite), c.vers)
502
503 msg, err := c.readHandshake()
504 if err != nil {
505 return err
506 }
507
508 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
509 if !ok {
510 c.sendAlert(alertUnexpectedMessage)
511 return unexpectedMessageError(encryptedExtensions, msg)
512 }
513 hs.writeServerHash(encryptedExtensions.marshal())
514
515 err = hs.processServerExtensions(&encryptedExtensions.extensions)
516 if err != nil {
517 return err
518 }
519
520 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]521 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]522 if hs.suite.flags&suitePSK != 0 {
523 if encryptedExtensions.extensions.ocspResponse != nil {
524 c.sendAlert(alertUnsupportedExtension)
525 return errors.New("tls: server sent OCSP response without a certificate")
526 }
527 if encryptedExtensions.extensions.sctList != nil {
528 c.sendAlert(alertUnsupportedExtension)
529 return errors.New("tls: server sent SCT list without a certificate")
530 }
531 } else {
532 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
533 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]534
535 msg, err := c.readHandshake()
536 if err != nil {
537 return err
538 }
539
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]540 var ok bool
541 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]542 if ok {
543 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]544
545 chainToSend, err = selectClientCertificate(c, certReq)
546 if err != nil {
547 return err
548 }
549
550 msg, err = c.readHandshake()
551 if err != nil {
552 return err
553 }
554 }
555
556 certMsg, ok := msg.(*certificateMsg)
557 if !ok {
558 c.sendAlert(alertUnexpectedMessage)
559 return unexpectedMessageError(certMsg, msg)
560 }
561 hs.writeServerHash(certMsg.marshal())
562
563 if err := hs.verifyCertificates(certMsg); err != nil {
564 return err
565 }
566 leaf := c.peerCertificates[0]
567
568 msg, err = c.readHandshake()
569 if err != nil {
570 return err
571 }
572 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
573 if !ok {
574 c.sendAlert(alertUnexpectedMessage)
575 return unexpectedMessageError(certVerifyMsg, msg)
576 }
577
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]578 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]579 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]580 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]581 if err != nil {
582 return err
583 }
584
585 hs.writeServerHash(certVerifyMsg.marshal())
586 }
587
588 msg, err = c.readHandshake()
589 if err != nil {
590 return err
591 }
592 serverFinished, ok := msg.(*finishedMsg)
593 if !ok {
594 c.sendAlert(alertUnexpectedMessage)
595 return unexpectedMessageError(serverFinished, msg)
596 }
597
598 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
599 if len(verify) != len(serverFinished.verifyData) ||
600 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
601 c.sendAlert(alertHandshakeFailure)
602 return errors.New("tls: server's Finished message was incorrect")
603 }
604
605 hs.writeServerHash(serverFinished.marshal())
606
607 // The various secrets do not incorporate the client's final leg, so
608 // derive them now before updating the handshake context.
609 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
610 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
611
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]612 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]613 certMsg := &certificateMsg{
614 hasRequestContext: true,
615 requestContext: certReq.requestContext,
616 }
617 if chainToSend != nil {
618 certMsg.certificates = chainToSend.Certificate
619 }
620 hs.writeClientHash(certMsg.marshal())
621 c.writeRecord(recordTypeHandshake, certMsg.marshal())
622
623 if chainToSend != nil {
624 certVerify := &certificateVerifyMsg{
625 hasSignatureAlgorithm: true,
626 }
627
628 // Determine the hash to sign.
629 privKey := chainToSend.PrivateKey
630
631 var err error
632 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
633 if err != nil {
634 c.sendAlert(alertInternalError)
635 return err
636 }
637
638 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
639 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
640 if err != nil {
641 c.sendAlert(alertInternalError)
642 return err
643 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]644 if c.config.Bugs.SendSignatureAlgorithm != 0 {
645 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
646 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]647
648 hs.writeClientHash(certVerify.marshal())
649 c.writeRecord(recordTypeHandshake, certVerify.marshal())
650 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]651 }
652
653 // Send a client Finished message.
654 finished := new(finishedMsg)
655 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
656 if c.config.Bugs.BadFinished {
657 finished.verifyData[0]++
658 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]659 hs.writeClientHash(finished.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]660 c.writeRecord(recordTypeHandshake, finished.marshal())
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]661 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]662
663 // Switch to application data keys.
664 c.out.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite), c.vers)
665 c.in.updateKeys(deriveTrafficAEAD(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite), c.vers)
666
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]667 // TODO(davidben): Derive and save the resumption master secret for receiving tickets.
668 // TODO(davidben): Save the traffic secret for KeyUpdate.
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]669 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]670 return nil
671}
672
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]673func (hs *clientHandshakeState) doFullHandshake() error {
674 c := hs.c
675
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]676 var leaf *x509.Certificate
677 if hs.suite.flags&suitePSK == 0 {
678 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]679 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]680 return err
681 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]682
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]683 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]684 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]685 c.sendAlert(alertUnexpectedMessage)
686 return unexpectedMessageError(certMsg, msg)
687 }
688 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]689
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]690 if err := hs.verifyCertificates(certMsg); err != nil {
691 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]692 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]693 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]694 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]695
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]696 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]697 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]698 if err != nil {
699 return err
700 }
701 cs, ok := msg.(*certificateStatusMsg)
702 if !ok {
703 c.sendAlert(alertUnexpectedMessage)
704 return unexpectedMessageError(cs, msg)
705 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]706 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]707
708 if cs.statusType == statusTypeOCSP {
709 c.ocspResponse = cs.response
710 }
711 }
712
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]713 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]714 if err != nil {
715 return err
716 }
717
718 keyAgreement := hs.suite.ka(c.vers)
719
720 skx, ok := msg.(*serverKeyExchangeMsg)
721 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]722 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]723 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]724 if err != nil {
725 c.sendAlert(alertUnexpectedMessage)
726 return err
727 }
728
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]729 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
730
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]731 msg, err = c.readHandshake()
732 if err != nil {
733 return err
734 }
735 }
736
737 var chainToSend *Certificate
738 var certRequested bool
739 certReq, ok := msg.(*certificateRequestMsg)
740 if ok {
741 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]742 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
743 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
744 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]745
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]746 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]747
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]748 chainToSend, err = selectClientCertificate(c, certReq)
749 if err != nil {
750 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]751 }
752
753 msg, err = c.readHandshake()
754 if err != nil {
755 return err
756 }
757 }
758
759 shd, ok := msg.(*serverHelloDoneMsg)
760 if !ok {
761 c.sendAlert(alertUnexpectedMessage)
762 return unexpectedMessageError(shd, msg)
763 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]764 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]765
766 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]767 // Certificate message in TLS, even if it's empty because we don't have
768 // a certificate to send. In SSL 3.0, skip the message and send a
769 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]770 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]771 if c.vers == VersionSSL30 && chainToSend == nil {
772 c.sendAlert(alertNoCertficate)
773 } else if !c.config.Bugs.SkipClientCertificate {
774 certMsg := new(certificateMsg)
775 if chainToSend != nil {
776 certMsg.certificates = chainToSend.Certificate
777 }
778 hs.writeClientHash(certMsg.marshal())
779 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]780 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]781 }
782
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]783 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]784 if err != nil {
785 c.sendAlert(alertInternalError)
786 return err
787 }
788 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]789 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]790 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]791 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]792 c.writeRecord(recordTypeHandshake, ckx.marshal())
793 }
794
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]795 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]796 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
797 c.extendedMasterSecret = true
798 } else {
799 if c.config.Bugs.RequireExtendedMasterSecret {
800 return errors.New("tls: extended master secret required but not supported by peer")
801 }
802 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
803 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]804
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]805 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]806 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]807 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]808 }
809
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]810 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]811 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]812
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]813 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]814 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]815 if err != nil {
816 c.sendAlert(alertInternalError)
817 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]818 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]819 }
820
821 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]822 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]823 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
824 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
825 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]826 } else {
827 // SSL 3.0's client certificate construction is
828 // incompatible with signatureAlgorithm.
829 rsaKey, ok := privKey.(*rsa.PrivateKey)
830 if !ok {
831 err = errors.New("unsupported signature type for client certificate")
832 } else {
833 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]834 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]835 digest[0] ^= 0x80
836 }
837 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
838 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]839 }
840 if err != nil {
841 c.sendAlert(alertInternalError)
842 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
843 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]844
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]845 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]846 c.writeRecord(recordTypeHandshake, certVerify.marshal())
847 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]848 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]849
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]850 hs.finishedHash.discardHandshakeBuffer()
851
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]852 return nil
853}
854
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]855func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
856 c := hs.c
857
858 if len(certMsg.certificates) == 0 {
859 c.sendAlert(alertIllegalParameter)
860 return errors.New("tls: no certificates sent")
861 }
862
863 certs := make([]*x509.Certificate, len(certMsg.certificates))
864 for i, asn1Data := range certMsg.certificates {
865 cert, err := x509.ParseCertificate(asn1Data)
866 if err != nil {
867 c.sendAlert(alertBadCertificate)
868 return errors.New("tls: failed to parse certificate from server: " + err.Error())
869 }
870 certs[i] = cert
871 }
872
873 if !c.config.InsecureSkipVerify {
874 opts := x509.VerifyOptions{
875 Roots: c.config.RootCAs,
876 CurrentTime: c.config.time(),
877 DNSName: c.config.ServerName,
878 Intermediates: x509.NewCertPool(),
879 }
880
881 for i, cert := range certs {
882 if i == 0 {
883 continue
884 }
885 opts.Intermediates.AddCert(cert)
886 }
887 var err error
888 c.verifiedChains, err = certs[0].Verify(opts)
889 if err != nil {
890 c.sendAlert(alertBadCertificate)
891 return err
892 }
893 }
894
895 switch certs[0].PublicKey.(type) {
896 case *rsa.PublicKey, *ecdsa.PublicKey:
897 break
898 default:
899 c.sendAlert(alertUnsupportedCertificate)
900 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
901 }
902
903 c.peerCertificates = certs
904 return nil
905}
906
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]907func (hs *clientHandshakeState) establishKeys() error {
908 c := hs.c
909
910 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]911 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]912 var clientCipher, serverCipher interface{}
913 var clientHash, serverHash macFunction
914 if hs.suite.cipher != nil {
915 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
916 clientHash = hs.suite.mac(c.vers, clientMAC)
917 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
918 serverHash = hs.suite.mac(c.vers, serverMAC)
919 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]920 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
921 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]922 }
923
924 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
925 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
926 return nil
927}
928
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]929func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
930 c := hs.c
931
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]932 if c.vers < VersionTLS13 || !enableTLS13Handshake {
933 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
934 return errors.New("tls: renegotiation extension missing")
935 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]936
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]937 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
938 var expectedRenegInfo []byte
939 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
940 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
941 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
942 c.sendAlert(alertHandshakeFailure)
943 return fmt.Errorf("tls: renegotiation mismatch")
944 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]945 }
David Benjamincea0ab42016-07-14 12:33:14 -0400[diff] [blame^]946 } else if serverExtensions.secureRenegotiation != nil {
947 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]948 }
949
950 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
951 if serverExtensions.customExtension != *expected {
952 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
953 }
954 }
955
956 clientDidNPN := hs.hello.nextProtoNeg
957 clientDidALPN := len(hs.hello.alpnProtocols) > 0
958 serverHasNPN := serverExtensions.nextProtoNeg
959 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
960
961 if !clientDidNPN && serverHasNPN {
962 c.sendAlert(alertHandshakeFailure)
963 return errors.New("server advertised unrequested NPN extension")
964 }
965
966 if !clientDidALPN && serverHasALPN {
967 c.sendAlert(alertHandshakeFailure)
968 return errors.New("server advertised unrequested ALPN extension")
969 }
970
971 if serverHasNPN && serverHasALPN {
972 c.sendAlert(alertHandshakeFailure)
973 return errors.New("server advertised both NPN and ALPN extensions")
974 }
975
976 if serverHasALPN {
977 c.clientProtocol = serverExtensions.alpnProtocol
978 c.clientProtocolFallback = false
979 c.usedALPN = true
980 }
981
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]982 if serverHasNPN && c.vers >= VersionTLS13 && enableTLS13Handshake {
983 c.sendAlert(alertHandshakeFailure)
984 return errors.New("server advertised NPN over TLS 1.3")
985 }
986
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]987 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
988 c.sendAlert(alertHandshakeFailure)
989 return errors.New("server advertised unrequested Channel ID extension")
990 }
991
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]992 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 && enableTLS13Handshake {
993 c.sendAlert(alertHandshakeFailure)
994 return errors.New("server advertised Channel ID over TLS 1.3")
995 }
996
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]997 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 && enableTLS13Handshake {
998 return errors.New("tls: server advertised extended master secret over TLS 1.3")
999 }
1000
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1001 if serverExtensions.srtpProtectionProfile != 0 {
1002 if serverExtensions.srtpMasterKeyIdentifier != "" {
1003 return errors.New("tls: server selected SRTP MKI value")
1004 }
1005
1006 found := false
1007 for _, p := range c.config.SRTPProtectionProfiles {
1008 if p == serverExtensions.srtpProtectionProfile {
1009 found = true
1010 break
1011 }
1012 }
1013 if !found {
1014 return errors.New("tls: server advertised unsupported SRTP profile")
1015 }
1016
1017 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1018 }
1019
1020 return nil
1021}
1022
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1023func (hs *clientHandshakeState) serverResumedSession() bool {
1024 // If the server responded with the same sessionId then it means the
1025 // sessionTicket is being used to resume a TLS session.
1026 return hs.session != nil && hs.hello.sessionId != nil &&
1027 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1028}
1029
1030func (hs *clientHandshakeState) processServerHello() (bool, error) {
1031 c := hs.c
1032
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1033 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1034 // For test purposes, assert that the server never accepts the
1035 // resumption offer on renegotiation.
1036 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1037 return false, errors.New("tls: server resumed session on renegotiation")
1038 }
1039
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1040 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1041 return false, errors.New("tls: server sent SCT extension on session resumption")
1042 }
1043
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1044 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1045 return false, errors.New("tls: server sent OCSP extension on session resumption")
1046 }
1047
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1048 // Restore masterSecret and peerCerts from previous state
1049 hs.masterSecret = hs.session.masterSecret
1050 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1051 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1052 c.sctList = hs.session.sctList
1053 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1054 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1055 return true, nil
1056 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1057
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1058 if hs.serverHello.extensions.sctList != nil {
1059 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1060 }
1061
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1062 return false, nil
1063}
1064
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1065func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 c := hs.c
1067
1068 c.readRecord(recordTypeChangeCipherSpec)
1069 if err := c.in.error(); err != nil {
1070 return err
1071 }
1072
1073 msg, err := c.readHandshake()
1074 if err != nil {
1075 return err
1076 }
1077 serverFinished, ok := msg.(*finishedMsg)
1078 if !ok {
1079 c.sendAlert(alertUnexpectedMessage)
1080 return unexpectedMessageError(serverFinished, msg)
1081 }
1082
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1083 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1084 verify := hs.finishedHash.serverSum(hs.masterSecret)
1085 if len(verify) != len(serverFinished.verifyData) ||
1086 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1087 c.sendAlert(alertHandshakeFailure)
1088 return errors.New("tls: server's Finished message was incorrect")
1089 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1090 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1091 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1092 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1093 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1094 return nil
1095}
1096
1097func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1098 c := hs.c
1099
1100 // Create a session with no server identifier. Either a
1101 // session ID or session ticket will be attached.
1102 session := &ClientSessionState{
1103 vers: c.vers,
1104 cipherSuite: hs.suite.id,
1105 masterSecret: hs.masterSecret,
1106 handshakeHash: hs.finishedHash.server.Sum(nil),
1107 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1108 sctList: c.sctList,
1109 ocspResponse: c.ocspResponse,
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1110 }
1111
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1112 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1113 if c.config.Bugs.ExpectNewTicket {
1114 return errors.New("tls: expected new ticket")
1115 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1116 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1117 session.sessionId = hs.serverHello.sessionId
1118 hs.session = session
1119 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120 return nil
1121 }
1122
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1123 if c.vers == VersionSSL30 {
1124 return errors.New("tls: negotiated session tickets in SSL 3.0")
1125 }
1126
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1127 msg, err := c.readHandshake()
1128 if err != nil {
1129 return err
1130 }
1131 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1132 if !ok {
1133 c.sendAlert(alertUnexpectedMessage)
1134 return unexpectedMessageError(sessionTicketMsg, msg)
1135 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1136
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1137 session.sessionTicket = sessionTicketMsg.ticket
1138 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1139
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1140 hs.writeServerHash(sessionTicketMsg.marshal())
1141
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1142 return nil
1143}
1144
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1145func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1146 c := hs.c
1147
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1148 var postCCSBytes []byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1149 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1150 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1151 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1152 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1153 nextProto.proto = proto
1154 c.clientProtocol = proto
1155 c.clientProtocolFallback = fallback
1156
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1157 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1158 hs.writeHash(nextProtoBytes, seqno)
1159 seqno++
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1160 postCCSBytes = append(postCCSBytes, nextProtoBytes...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1161 }
1162
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1163 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1164 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1165 if c.config.ChannelID.Curve != elliptic.P256() {
1166 return fmt.Errorf("tls: Channel ID is not on P-256.")
1167 }
1168 var resumeHash []byte
1169 if isResume {
1170 resumeHash = hs.session.handshakeHash
1171 }
1172 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1173 if err != nil {
1174 return err
1175 }
1176 channelID := make([]byte, 128)
1177 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1178 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1179 writeIntPadded(channelID[64:96], r)
1180 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1181 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1182
1183 c.channelID = &c.config.ChannelID.PublicKey
1184
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1185 channelIDMsgBytes := channelIDMsg.marshal()
1186 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1187 seqno++
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1188 postCCSBytes = append(postCCSBytes, channelIDMsgBytes...)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1189 }
1190
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1191 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1192 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1193 finished.verifyData = hs.finishedHash.clientSum(nil)
1194 } else {
1195 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1196 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1197 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1198 if c.config.Bugs.BadFinished {
1199 finished.verifyData[0]++
1200 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1201 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1202 hs.finishedBytes = finished.marshal()
1203 hs.writeHash(hs.finishedBytes, seqno)
1204 postCCSBytes = append(postCCSBytes, hs.finishedBytes...)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1205
1206 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
1207 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
1208 postCCSBytes = postCCSBytes[5:]
1209 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1210 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1211
1212 if !c.config.Bugs.SkipChangeCipherSpec &&
1213 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1214 ccs := []byte{1}
1215 if c.config.Bugs.BadChangeCipherSpec != nil {
1216 ccs = c.config.Bugs.BadChangeCipherSpec
1217 }
1218 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1219 }
1220
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1221 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1222 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1223 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1224 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1225 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1226 return errors.New("tls: simulating post-CCS alert")
1227 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1228
David Benjaminb80168e2015-02-08 18:30:14 -0500[diff] [blame]1229 if !c.config.Bugs.SkipFinished {
1230 c.writeRecord(recordTypeHandshake, postCCSBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1231 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1232 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1233 return nil
1234}
1235
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1236func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1237 // writeClientHash is called before writeRecord.
1238 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1239}
1240
1241func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1242 // writeServerHash is called after readHandshake.
1243 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1244}
1245
1246func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1247 if hs.c.isDTLS {
1248 // This is somewhat hacky. DTLS hashes a slightly different format.
1249 // First, the TLS header.
1250 hs.finishedHash.Write(msg[:4])
1251 // Then the sequence number and reassembled fragment offset (always 0).
1252 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1253 // Then the reassembled fragment (always equal to the message length).
1254 hs.finishedHash.Write(msg[1:4])
1255 // And then the message body.
1256 hs.finishedHash.Write(msg[4:])
1257 } else {
1258 hs.finishedHash.Write(msg)
1259 }
1260}
1261
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1262// selectClientCertificate selects a certificate for use with the given
1263// certificate, or none if none match. It may return a particular certificate or
1264// nil on success, or an error on internal error.
1265func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1266 // RFC 4346 on the certificateAuthorities field:
1267 // A list of the distinguished names of acceptable certificate
1268 // authorities. These distinguished names may specify a desired
1269 // distinguished name for a root CA or for a subordinate CA; thus, this
1270 // message can be used to describe both known roots and a desired
1271 // authorization space. If the certificate_authorities list is empty
1272 // then the client MAY send any certificate of the appropriate
1273 // ClientCertificateType, unless there is some external arrangement to
1274 // the contrary.
1275
1276 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1277 if !certReq.hasRequestContext {
1278 for _, certType := range certReq.certificateTypes {
1279 switch certType {
1280 case CertTypeRSASign:
1281 rsaAvail = true
1282 case CertTypeECDSASign:
1283 ecdsaAvail = true
1284 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1285 }
1286 }
1287
1288 // We need to search our list of client certs for one
1289 // where SignatureAlgorithm is RSA and the Issuer is in
1290 // certReq.certificateAuthorities
1291findCert:
1292 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1293 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1294 continue
1295 }
1296
1297 // Ensure the private key supports one of the advertised
1298 // signature algorithms.
1299 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1300 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1301 continue
1302 }
1303 }
1304
1305 for j, cert := range chain.Certificate {
1306 x509Cert := chain.Leaf
1307 // parse the certificate if this isn't the leaf
1308 // node, or if chain.Leaf was nil
1309 if j != 0 || x509Cert == nil {
1310 var err error
1311 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1312 c.sendAlert(alertInternalError)
1313 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1314 }
1315 }
1316
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1317 if !certReq.hasRequestContext {
1318 switch {
1319 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1320 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1321 default:
1322 continue findCert
1323 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1324 }
1325
1326 if len(certReq.certificateAuthorities) == 0 {
1327 // They gave us an empty list, so just take the
1328 // first certificate of valid type from
1329 // c.config.Certificates.
1330 return &chain, nil
1331 }
1332
1333 for _, ca := range certReq.certificateAuthorities {
1334 if bytes.Equal(x509Cert.RawIssuer, ca) {
1335 return &chain, nil
1336 }
1337 }
1338 }
1339 }
1340
1341 return nil, nil
1342}
1343
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1344// clientSessionCacheKey returns a key used to cache sessionTickets that could
1345// be used to resume previously negotiated TLS sessions with a server.
1346func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1347 if len(config.ServerName) > 0 {
1348 return config.ServerName
1349 }
1350 return serverAddr.String()
1351}
1352
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1353// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1354// given list of possible protocols and a list of the preference order. The
1355// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1356// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1357func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1358 for _, s := range preferenceProtos {
1359 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1360 if s == c {
1361 return s, false
1362 }
1363 }
1364 }
1365
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1366 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1367}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1368
1369// writeIntPadded writes x into b, padded up with leading zeros as
1370// needed.
1371func writeIntPadded(b []byte, x *big.Int) {
1372 for i := range b {
1373 b[i] = 0
1374 }
1375 xb := x.Bytes()
1376 copy(b[len(b)-len(xb):], xb)
1377}