blob: 83ac3a5c5416833ca7e1d0251481505d32ee813d [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -07001// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -07005package runner
Adam Langley95c29f32014-06-20 12:00:00 -07006
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -07009 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -070010 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -040011 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -070012 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -070015 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -040018 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -070019 "net"
20 "strconv"
Nick Harper0b3625b2016-07-25 16:16:28 -070021 "time"
Adam Langley95c29f32014-06-20 12:00:00 -070022)
23
24type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -050025 c *Conn
26 serverHello *serverHelloMsg
27 hello *clientHelloMsg
28 suite *cipherSuite
29 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -040030 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -050031 masterSecret []byte
32 session *ClientSessionState
33 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -070034}
35
36func (c *Conn) clientHandshake() error {
37 if c.config == nil {
38 c.config = defaultConfig()
39 }
40
41 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
42 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
43 }
44
David Benjamin83c0bc92014-08-04 01:23:53 -040045 c.sendHandshakeSeq = 0
46 c.recvHandshakeSeq = 0
47
David Benjaminfa055a22014-09-15 16:51:51 -040048 nextProtosLength := 0
49 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -070050 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -040051 return errors.New("tls: invalid NextProtos value")
52 } else {
53 nextProtosLength += 1 + l
54 }
55 }
56 if nextProtosLength > 0xffff {
57 return errors.New("tls: NextProtos values too large")
58 }
59
Steven Valdezfdd10992016-09-15 16:27:05 -040060 minVersion := c.config.minVersion(c.isDTLS)
David Benjamin3c6a1ea2016-09-26 18:30:05 -040061 maxVersion := c.config.maxVersion(c.isDTLS)
Adam Langley95c29f32014-06-20 12:00:00 -070062 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -050063 isDTLS: c.isDTLS,
David Benjamin3c6a1ea2016-09-26 18:30:05 -040064 vers: versionToWire(maxVersion, c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -050065 compressionMethods: []uint8{compressionNone},
66 random: make([]byte, 32),
David Benjamin53210cb2016-11-16 09:01:48 +090067 ocspStapling: !c.config.Bugs.NoOCSPStapling,
68 sctListSupported: !c.config.Bugs.NoSignedCertificateTimestamps,
David Benjaminca6c8262014-11-15 19:06:08 -050069 serverName: c.config.ServerName,
70 supportedCurves: c.config.curvePreferences(),
Steven Valdeza833c352016-11-01 13:39:36 -040071 pskKEModes: []byte{pskDHEKEMode},
David Benjaminca6c8262014-11-15 19:06:08 -050072 supportedPoints: []uint8{pointFormatUncompressed},
73 nextProtoNeg: len(c.config.NextProtos) > 0,
74 secureRenegotiation: []byte{},
75 alpnProtocols: c.config.NextProtos,
76 duplicateExtension: c.config.Bugs.DuplicateExtension,
77 channelIDSupported: c.config.ChannelID != nil,
Steven Valdeza833c352016-11-01 13:39:36 -040078 npnAfterAlpn: c.config.Bugs.SwapNPNAndALPN,
Steven Valdezfdd10992016-09-15 16:27:05 -040079 extendedMasterSecret: maxVersion >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -050080 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
81 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -070082 customExtension: c.config.Bugs.CustomExtension,
Steven Valdeza833c352016-11-01 13:39:36 -040083 pskBinderFirst: c.config.Bugs.PSKBinderFirst,
David Benjamin6f600d62016-12-21 16:06:54 -050084 shortHeaderSupported: c.config.Bugs.EnableShortHeader,
Adam Langley95c29f32014-06-20 12:00:00 -070085 }
86
David Benjamin163c9562016-08-29 23:14:17 -040087 disableEMS := c.config.Bugs.NoExtendedMasterSecret
88 if c.cipherSuite != nil {
89 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation
90 }
91
92 if disableEMS {
Adam Langley75712922014-10-10 16:23:43 -070093 hello.extendedMasterSecret = false
94 }
95
David Benjamin55a43642015-04-20 14:45:55 -040096 if c.config.Bugs.NoSupportedCurves {
97 hello.supportedCurves = nil
98 }
99
Steven Valdeza833c352016-11-01 13:39:36 -0400100 if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 {
101 hello.pskKEModes = c.config.Bugs.SendPSKKeyExchangeModes
102 }
103
David Benjaminc241d792016-09-09 10:34:20 -0400104 if c.config.Bugs.SendCompressionMethods != nil {
105 hello.compressionMethods = c.config.Bugs.SendCompressionMethods
106 }
107
David Benjamina81967b2016-12-22 09:16:57 -0500108 if c.config.Bugs.SendSupportedPointFormats != nil {
109 hello.supportedPoints = c.config.Bugs.SendSupportedPointFormats
110 }
111
Adam Langley2ae77d22014-10-28 17:29:33 -0700112 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
113 if c.config.Bugs.BadRenegotiationInfo {
114 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
115 hello.secureRenegotiation[0] ^= 0x80
116 } else {
117 hello.secureRenegotiation = c.clientVerify
118 }
119 }
120
David Benjamin3e052de2015-11-25 20:10:31 -0500121 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500122 hello.secureRenegotiation = nil
123 }
124
Nick Harperb41d2e42016-07-01 17:50:32 -0400125 var keyShares map[CurveID]ecdhCurve
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400126 if maxVersion >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400127 keyShares = make(map[CurveID]ecdhCurve)
Nick Harperdcfbc672016-07-16 17:47:31 +0200128 hello.hasKeyShares = true
David Benjamin7e1f9842016-09-20 19:24:40 -0400129 hello.trailingKeyShareData = c.config.Bugs.TrailingKeyShareData
Nick Harperdcfbc672016-07-16 17:47:31 +0200130 curvesToSend := c.config.defaultCurves()
Nick Harperb41d2e42016-07-01 17:50:32 -0400131 for _, curveID := range hello.supportedCurves {
Nick Harperdcfbc672016-07-16 17:47:31 +0200132 if !curvesToSend[curveID] {
133 continue
134 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400135 curve, ok := curveForCurveID(curveID)
136 if !ok {
137 continue
138 }
139 publicKey, err := curve.offer(c.config.rand())
140 if err != nil {
141 return err
142 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400143
144 if c.config.Bugs.SendCurve != 0 {
145 curveID = c.config.Bugs.SendCurve
146 }
147 if c.config.Bugs.InvalidECDHPoint {
148 publicKey[0] ^= 0xff
149 }
150
Nick Harperb41d2e42016-07-01 17:50:32 -0400151 hello.keyShares = append(hello.keyShares, keyShareEntry{
152 group: curveID,
153 keyExchange: publicKey,
154 })
155 keyShares[curveID] = curve
Steven Valdez143e8b32016-07-11 13:19:03 -0400156
157 if c.config.Bugs.DuplicateKeyShares {
158 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1])
159 }
160 }
161
162 if c.config.Bugs.MissingKeyShare {
Steven Valdez5440fe02016-07-18 12:40:30 -0400163 hello.hasKeyShares = false
Nick Harperb41d2e42016-07-01 17:50:32 -0400164 }
165 }
166
Adam Langley95c29f32014-06-20 12:00:00 -0700167 possibleCipherSuites := c.config.cipherSuites()
168 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
169
170NextCipherSuite:
171 for _, suiteId := range possibleCipherSuites {
172 for _, suite := range cipherSuites {
173 if suite.id != suiteId {
174 continue
175 }
David Benjamin5ecb88b2016-10-04 17:51:35 -0400176 // Don't advertise TLS 1.2-only cipher suites unless
177 // we're attempting TLS 1.2.
178 if maxVersion < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
179 continue
180 }
181 // Don't advertise non-DTLS cipher suites in DTLS.
182 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
183 continue
David Benjamin83c0bc92014-08-04 01:23:53 -0400184 }
Adam Langley95c29f32014-06-20 12:00:00 -0700185 hello.cipherSuites = append(hello.cipherSuites, suiteId)
186 continue NextCipherSuite
187 }
188 }
189
David Benjamin5ecb88b2016-10-04 17:51:35 -0400190 if c.config.Bugs.AdvertiseAllConfiguredCiphers {
191 hello.cipherSuites = possibleCipherSuites
192 }
193
Adam Langley5021b222015-06-12 18:27:58 -0700194 if c.config.Bugs.SendRenegotiationSCSV {
195 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
196 }
197
David Benjaminbef270a2014-08-02 04:22:02 -0400198 if c.config.Bugs.SendFallbackSCSV {
199 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
200 }
201
Adam Langley95c29f32014-06-20 12:00:00 -0700202 _, err := io.ReadFull(c.config.rand(), hello.random)
203 if err != nil {
204 c.sendAlert(alertInternalError)
205 return errors.New("tls: short read from Rand: " + err.Error())
206 }
207
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400208 if maxVersion >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700209 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700210 }
211
212 var session *ClientSessionState
213 var cacheKey string
214 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700215
216 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500217 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700218
219 // Try to resume a previously negotiated TLS session, if
220 // available.
221 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
Nick Harper0b3625b2016-07-25 16:16:28 -0700222 // TODO(nharper): Support storing more than one session
223 // ticket for TLS 1.3.
Adam Langley95c29f32014-06-20 12:00:00 -0700224 candidateSession, ok := sessionCache.Get(cacheKey)
225 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500226 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
227
Adam Langley95c29f32014-06-20 12:00:00 -0700228 // Check that the ciphersuite/version used for the
229 // previous session are still valid.
230 cipherSuiteOk := false
David Benjamin2b02f4b2016-11-16 16:11:47 +0900231 if candidateSession.vers <= VersionTLS12 {
232 for _, id := range hello.cipherSuites {
233 if id == candidateSession.cipherSuite {
234 cipherSuiteOk = true
235 break
236 }
Adam Langley95c29f32014-06-20 12:00:00 -0700237 }
David Benjamin2b02f4b2016-11-16 16:11:47 +0900238 } else {
239 // TLS 1.3 allows the cipher to change on
240 // resumption.
241 cipherSuiteOk = true
Adam Langley95c29f32014-06-20 12:00:00 -0700242 }
243
Steven Valdezfdd10992016-09-15 16:27:05 -0400244 versOk := candidateSession.vers >= minVersion &&
245 candidateSession.vers <= maxVersion
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500246 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700247 session = candidateSession
248 }
249 }
250 }
251
Steven Valdeza833c352016-11-01 13:39:36 -0400252 var pskCipherSuite *cipherSuite
Nick Harper0b3625b2016-07-25 16:16:28 -0700253 if session != nil && c.config.time().Before(session.ticketExpiration) {
David Benjamind5a4ecb2016-07-18 01:17:13 +0200254 ticket := session.sessionTicket
David Benjamin4199b0d2016-11-01 13:58:25 -0400255 if c.config.Bugs.FilterTicket != nil && len(ticket) > 0 {
256 // Copy the ticket so FilterTicket may act in-place.
David Benjamind5a4ecb2016-07-18 01:17:13 +0200257 ticket = make([]byte, len(session.sessionTicket))
258 copy(ticket, session.sessionTicket)
David Benjamin4199b0d2016-11-01 13:58:25 -0400259
260 ticket, err = c.config.Bugs.FilterTicket(ticket)
261 if err != nil {
262 return err
Adam Langley38311732014-10-16 19:04:35 -0700263 }
David Benjamind5a4ecb2016-07-18 01:17:13 +0200264 }
265
David Benjamin405da482016-08-08 17:25:07 -0400266 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets {
Steven Valdeza833c352016-11-01 13:39:36 -0400267 pskCipherSuite = cipherSuiteFromID(session.cipherSuite)
268 if pskCipherSuite == nil {
269 return errors.New("tls: client session cache has invalid cipher suite")
270 }
Nick Harper0b3625b2016-07-25 16:16:28 -0700271 // TODO(nharper): Support sending more
272 // than one PSK identity.
Steven Valdeza833c352016-11-01 13:39:36 -0400273 ticketAge := uint32(c.config.time().Sub(session.ticketCreationTime) / time.Millisecond)
Steven Valdez5b986082016-09-01 12:29:49 -0400274 psk := pskIdentity{
Steven Valdeza833c352016-11-01 13:39:36 -0400275 ticket: ticket,
276 obfuscatedTicketAge: session.ticketAgeAdd + ticketAge,
Nick Harper0b3625b2016-07-25 16:16:28 -0700277 }
Steven Valdez5b986082016-09-01 12:29:49 -0400278 hello.pskIdentities = []pskIdentity{psk}
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400279
280 if c.config.Bugs.ExtraPSKIdentity {
281 hello.pskIdentities = append(hello.pskIdentities, psk)
282 }
David Benjamin405da482016-08-08 17:25:07 -0400283 }
284
285 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets {
286 if ticket != nil {
287 hello.sessionTicket = ticket
288 // A random session ID is used to detect when the
289 // server accepted the ticket and is resuming a session
290 // (see RFC 5077).
291 sessionIdLen := 16
292 if c.config.Bugs.OversizedSessionId {
293 sessionIdLen = 33
294 }
295 hello.sessionId = make([]byte, sessionIdLen)
296 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
297 c.sendAlert(alertInternalError)
298 return errors.New("tls: short read from Rand: " + err.Error())
299 }
300 } else {
301 hello.sessionId = session.sessionId
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500302 }
Adam Langley95c29f32014-06-20 12:00:00 -0700303 }
304 }
305
Steven Valdezfdd10992016-09-15 16:27:05 -0400306 if maxVersion == VersionTLS13 && !c.config.Bugs.OmitSupportedVersions {
307 if hello.vers >= VersionTLS13 {
308 hello.vers = VersionTLS12
309 }
310 for version := maxVersion; version >= minVersion; version-- {
311 hello.supportedVersions = append(hello.supportedVersions, versionToWire(version, c.isDTLS))
312 }
313 }
314
315 if len(c.config.Bugs.SendSupportedVersions) > 0 {
316 hello.supportedVersions = c.config.Bugs.SendSupportedVersions
317 }
318
David Benjamineed24012016-08-13 19:26:00 -0400319 if c.config.Bugs.SendClientVersion != 0 {
320 hello.vers = c.config.Bugs.SendClientVersion
321 }
322
David Benjamin75f99142016-11-12 12:36:06 +0900323 if c.config.Bugs.SendCipherSuites != nil {
324 hello.cipherSuites = c.config.Bugs.SendCipherSuites
325 }
326
Nick Harperf2511f12016-12-06 16:02:31 -0800327 var sendEarlyData bool
328 if len(hello.pskIdentities) > 0 && session.maxEarlyDataSize > 0 && c.config.Bugs.SendEarlyData != nil {
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500329 hello.hasEarlyData = true
Nick Harperf2511f12016-12-06 16:02:31 -0800330 sendEarlyData = true
331 }
332 if c.config.Bugs.SendFakeEarlyDataLength > 0 {
333 hello.hasEarlyData = true
334 }
335 if c.config.Bugs.OmitEarlyDataExtension {
336 hello.hasEarlyData = false
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500337 }
338
David Benjamind86c7672014-08-02 04:07:12 -0400339 var helloBytes []byte
340 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500341 // Test that the peer left-pads random.
342 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400343 v2Hello := &v2ClientHelloMsg{
344 vers: hello.vers,
345 cipherSuites: hello.cipherSuites,
346 // No session resumption for V2ClientHello.
347 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500348 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400349 }
350 helloBytes = v2Hello.marshal()
351 c.writeV2Record(helloBytes)
352 } else {
Steven Valdeza833c352016-11-01 13:39:36 -0400353 if len(hello.pskIdentities) > 0 {
354 generatePSKBinders(hello, pskCipherSuite, session.masterSecret, []byte{}, c.config)
355 }
David Benjamind86c7672014-08-02 04:07:12 -0400356 helloBytes = hello.marshal()
Steven Valdeza833c352016-11-01 13:39:36 -0400357
David Benjamin7964b182016-07-14 23:36:30 -0400358 if c.config.Bugs.PartialClientFinishedWithClientHello {
359 // Include one byte of Finished. We can compute it
360 // without completing the handshake. This assumes we
361 // negotiate TLS 1.3 with no HelloRetryRequest or
362 // CertificateRequest.
363 toWrite := make([]byte, 0, len(helloBytes)+1)
364 toWrite = append(toWrite, helloBytes...)
365 toWrite = append(toWrite, typeFinished)
366 c.writeRecord(recordTypeHandshake, toWrite)
367 } else {
368 c.writeRecord(recordTypeHandshake, helloBytes)
369 }
David Benjamind86c7672014-08-02 04:07:12 -0400370 }
David Benjamin582ba042016-07-07 12:33:25 -0700371 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700372
David Benjamin83f90402015-01-27 01:09:43 -0500373 if err := c.simulatePacketLoss(nil); err != nil {
374 return err
375 }
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500376 if c.config.Bugs.SendEarlyAlert {
377 c.sendAlert(alertHandshakeFailure)
378 }
Nick Harperf2511f12016-12-06 16:02:31 -0800379 if c.config.Bugs.SendFakeEarlyDataLength > 0 {
380 c.sendFakeEarlyData(c.config.Bugs.SendFakeEarlyDataLength)
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500381 }
Nick Harperf2511f12016-12-06 16:02:31 -0800382
383 // Derive early write keys and set Conn state to allow early writes.
384 if sendEarlyData {
385 finishedHash := newFinishedHash(session.vers, pskCipherSuite)
386 finishedHash.addEntropy(session.masterSecret)
387 finishedHash.Write(helloBytes)
388 earlyTrafficSecret := finishedHash.deriveSecret(earlyTrafficLabel)
389 c.out.useTrafficSecret(session.vers, pskCipherSuite, earlyTrafficSecret, clientWrite)
390
391 for _, earlyData := range c.config.Bugs.SendEarlyData {
392 if _, err := c.writeRecord(recordTypeApplicationData, earlyData); err != nil {
393 return err
394 }
395 }
396 }
397
Adam Langley95c29f32014-06-20 12:00:00 -0700398 msg, err := c.readHandshake()
399 if err != nil {
400 return err
401 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400402
403 if c.isDTLS {
404 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
405 if ok {
David Benjaminda4789e2016-10-31 19:23:34 -0400406 if helloVerifyRequest.vers != versionToWire(VersionTLS10, c.isDTLS) {
David Benjamin8bc38f52014-08-16 12:07:27 -0400407 // Per RFC 6347, the version field in
408 // HelloVerifyRequest SHOULD be always DTLS
409 // 1.0. Enforce this for testing purposes.
410 return errors.New("dtls: bad HelloVerifyRequest version")
411 }
412
David Benjamin83c0bc92014-08-04 01:23:53 -0400413 hello.raw = nil
414 hello.cookie = helloVerifyRequest.cookie
415 helloBytes = hello.marshal()
416 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700417 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400418
David Benjamin83f90402015-01-27 01:09:43 -0500419 if err := c.simulatePacketLoss(nil); err != nil {
420 return err
421 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400422 msg, err = c.readHandshake()
423 if err != nil {
424 return err
425 }
426 }
427 }
428
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400429 var serverWireVersion uint16
Nick Harperdcfbc672016-07-16 17:47:31 +0200430 switch m := msg.(type) {
431 case *helloRetryRequestMsg:
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400432 serverWireVersion = m.vers
Nick Harperdcfbc672016-07-16 17:47:31 +0200433 case *serverHelloMsg:
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400434 serverWireVersion = m.vers
Nick Harperdcfbc672016-07-16 17:47:31 +0200435 default:
436 c.sendAlert(alertUnexpectedMessage)
437 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
438 }
439
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400440 serverVersion, ok := wireToVersion(serverWireVersion, c.isDTLS)
441 if ok {
Steven Valdezfdd10992016-09-15 16:27:05 -0400442 ok = c.config.isSupportedVersion(serverVersion, c.isDTLS)
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400443 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200444 if !ok {
445 c.sendAlert(alertProtocolVersion)
446 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
447 }
Steven Valdezfdd10992016-09-15 16:27:05 -0400448 c.vers = serverVersion
Nick Harperdcfbc672016-07-16 17:47:31 +0200449 c.haveVers = true
450
451 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg)
452 var secondHelloBytes []byte
453 if haveHelloRetryRequest {
Nick Harperf2511f12016-12-06 16:02:31 -0800454 c.out.resetCipher()
David Benjamin3baa6e12016-10-07 21:10:38 -0400455 if len(helloRetryRequest.cookie) > 0 {
456 hello.tls13Cookie = helloRetryRequest.cookie
457 }
458
Steven Valdez5440fe02016-07-18 12:40:30 -0400459 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 {
David Benjamin3baa6e12016-10-07 21:10:38 -0400460 helloRetryRequest.hasSelectedGroup = true
Steven Valdez5440fe02016-07-18 12:40:30 -0400461 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve
462 }
David Benjamin3baa6e12016-10-07 21:10:38 -0400463 if helloRetryRequest.hasSelectedGroup {
464 var hrrCurveFound bool
465 group := helloRetryRequest.selectedGroup
466 for _, curveID := range hello.supportedCurves {
467 if group == curveID {
468 hrrCurveFound = true
469 break
470 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200471 }
David Benjamin3baa6e12016-10-07 21:10:38 -0400472 if !hrrCurveFound || keyShares[group] != nil {
473 c.sendAlert(alertHandshakeFailure)
474 return errors.New("tls: received invalid HelloRetryRequest")
475 }
476 curve, ok := curveForCurveID(group)
477 if !ok {
478 return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
479 }
480 publicKey, err := curve.offer(c.config.rand())
481 if err != nil {
482 return err
483 }
484 keyShares[group] = curve
Steven Valdeza833c352016-11-01 13:39:36 -0400485 hello.keyShares = []keyShareEntry{{
David Benjamin3baa6e12016-10-07 21:10:38 -0400486 group: group,
487 keyExchange: publicKey,
Steven Valdeza833c352016-11-01 13:39:36 -0400488 }}
Nick Harperdcfbc672016-07-16 17:47:31 +0200489 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200490
Steven Valdez5440fe02016-07-18 12:40:30 -0400491 if c.config.Bugs.SecondClientHelloMissingKeyShare {
492 hello.hasKeyShares = false
493 }
494
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500495 hello.hasEarlyData = c.config.Bugs.SendEarlyDataOnSecondClientHello
Nick Harperdcfbc672016-07-16 17:47:31 +0200496 hello.raw = nil
497
Steven Valdeza833c352016-11-01 13:39:36 -0400498 if len(hello.pskIdentities) > 0 {
499 generatePSKBinders(hello, pskCipherSuite, session.masterSecret, append(helloBytes, helloRetryRequest.marshal()...), c.config)
500 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200501 secondHelloBytes = hello.marshal()
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500502
503 if c.config.Bugs.InterleaveEarlyData {
504 c.sendFakeEarlyData(4)
505 c.writeRecord(recordTypeHandshake, secondHelloBytes[:16])
506 c.sendFakeEarlyData(4)
507 c.writeRecord(recordTypeHandshake, secondHelloBytes[16:])
508 } else {
509 c.writeRecord(recordTypeHandshake, secondHelloBytes)
510 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200511 c.flushHandshake()
512
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500513 if c.config.Bugs.SendEarlyDataOnSecondClientHello {
514 c.sendFakeEarlyData(4)
515 }
516
Nick Harperdcfbc672016-07-16 17:47:31 +0200517 msg, err = c.readHandshake()
518 if err != nil {
519 return err
520 }
521 }
522
Adam Langley95c29f32014-06-20 12:00:00 -0700523 serverHello, ok := msg.(*serverHelloMsg)
524 if !ok {
525 c.sendAlert(alertUnexpectedMessage)
526 return unexpectedMessageError(serverHello, msg)
527 }
528
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400529 if serverWireVersion != serverHello.vers {
Adam Langley95c29f32014-06-20 12:00:00 -0700530 c.sendAlert(alertProtocolVersion)
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400531 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers)
Adam Langley95c29f32014-06-20 12:00:00 -0700532 }
Adam Langley95c29f32014-06-20 12:00:00 -0700533
Nick Harper85f20c22016-07-04 10:11:59 -0700534 // Check for downgrade signals in the server random, per
David Benjamina128a552016-10-13 14:26:33 -0400535 // draft-ietf-tls-tls13-16, section 4.1.3.
Nick Harper85f20c22016-07-04 10:11:59 -0700536 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400537 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700538 c.sendAlert(alertProtocolVersion)
539 return errors.New("tls: downgrade from TLS 1.3 detected")
540 }
541 }
542 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400543 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700544 c.sendAlert(alertProtocolVersion)
545 return errors.New("tls: downgrade from TLS 1.2 detected")
546 }
547 }
548
Nick Harper0b3625b2016-07-25 16:16:28 -0700549 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
Adam Langley95c29f32014-06-20 12:00:00 -0700550 if suite == nil {
551 c.sendAlert(alertHandshakeFailure)
552 return fmt.Errorf("tls: server selected an unsupported cipher suite")
553 }
554
David Benjamin3baa6e12016-10-07 21:10:38 -0400555 if haveHelloRetryRequest && helloRetryRequest.hasSelectedGroup && helloRetryRequest.selectedGroup != serverHello.keyShare.group {
Nick Harperdcfbc672016-07-16 17:47:31 +0200556 c.sendAlert(alertHandshakeFailure)
557 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
558 }
559
Adam Langley95c29f32014-06-20 12:00:00 -0700560 hs := &clientHandshakeState{
561 c: c,
562 serverHello: serverHello,
563 hello: hello,
564 suite: suite,
565 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400566 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700567 session: session,
568 }
569
David Benjamin83c0bc92014-08-04 01:23:53 -0400570 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
Nick Harperdcfbc672016-07-16 17:47:31 +0200571 if haveHelloRetryRequest {
572 hs.writeServerHash(helloRetryRequest.marshal())
573 hs.writeClientHash(secondHelloBytes)
574 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400575 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700576
David Benjamin8d315d72016-07-18 01:03:18 +0200577 if c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400578 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700579 return err
580 }
581 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400582 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
583 hs.establishKeys()
584 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
585 }
586
587 if hs.serverHello.compressionMethod != compressionNone {
588 c.sendAlert(alertUnexpectedMessage)
589 return errors.New("tls: server selected unsupported compression format")
590 }
591
592 err = hs.processServerExtensions(&serverHello.extensions)
593 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700594 return err
595 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400596
597 isResume, err := hs.processServerHello()
598 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700599 return err
600 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400601
602 if isResume {
603 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
604 if err := hs.establishKeys(); err != nil {
605 return err
606 }
607 }
608 if err := hs.readSessionTicket(); err != nil {
609 return err
610 }
611 if err := hs.readFinished(c.firstFinished[:]); err != nil {
612 return err
613 }
614 if err := hs.sendFinished(nil, isResume); err != nil {
615 return err
616 }
617 } else {
618 if err := hs.doFullHandshake(); err != nil {
619 return err
620 }
621 if err := hs.establishKeys(); err != nil {
622 return err
623 }
624 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
625 return err
626 }
627 // Most retransmits are triggered by a timeout, but the final
628 // leg of the handshake is retransmited upon re-receiving a
629 // Finished.
630 if err := c.simulatePacketLoss(func() {
David Benjamin02edcd02016-07-27 17:40:37 -0400631 c.sendHandshakeSeq--
Nick Harperb41d2e42016-07-01 17:50:32 -0400632 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
633 c.flushHandshake()
634 }); err != nil {
635 return err
636 }
637 if err := hs.readSessionTicket(); err != nil {
638 return err
639 }
640 if err := hs.readFinished(nil); err != nil {
641 return err
642 }
Adam Langley95c29f32014-06-20 12:00:00 -0700643 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400644
645 if sessionCache != nil && hs.session != nil && session != hs.session {
646 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
647 return errors.New("tls: new session used session IDs instead of tickets")
648 }
649 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500650 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400651
652 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400653 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700654 }
655
Adam Langley95c29f32014-06-20 12:00:00 -0700656 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400657 c.cipherSuite = suite
658 copy(c.clientRandom[:], hs.hello.random)
659 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100660
Adam Langley95c29f32014-06-20 12:00:00 -0700661 return nil
662}
663
Nick Harperb41d2e42016-07-01 17:50:32 -0400664func (hs *clientHandshakeState) doTLS13Handshake() error {
665 c := hs.c
666
667 // Once the PRF hash is known, TLS 1.3 does not require a handshake
668 // buffer.
669 hs.finishedHash.discardHandshakeBuffer()
670
671 zeroSecret := hs.finishedHash.zeroSecret()
672
673 // Resolve PSK and compute the early secret.
674 //
675 // TODO(davidben): This will need to be handled slightly earlier once
676 // 0-RTT is implemented.
Steven Valdez803c77a2016-09-06 14:13:43 -0400677 if hs.serverHello.hasPSKIdentity {
Nick Harper0b3625b2016-07-25 16:16:28 -0700678 // We send at most one PSK identity.
679 if hs.session == nil || hs.serverHello.pskIdentity != 0 {
680 c.sendAlert(alertUnknownPSKIdentity)
681 return errors.New("tls: server sent unknown PSK identity")
682 }
David Benjamin2b02f4b2016-11-16 16:11:47 +0900683 sessionCipher := cipherSuiteFromID(hs.session.cipherSuite)
684 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() {
Nick Harper0b3625b2016-07-25 16:16:28 -0700685 c.sendAlert(alertHandshakeFailure)
David Benjamin2b02f4b2016-11-16 16:11:47 +0900686 return errors.New("tls: server resumed an invalid session for the cipher suite")
Nick Harper0b3625b2016-07-25 16:16:28 -0700687 }
David Benjamin48891ad2016-12-04 00:02:43 -0500688 hs.finishedHash.addEntropy(hs.session.masterSecret)
Nick Harper0b3625b2016-07-25 16:16:28 -0700689 c.didResume = true
Nick Harperb41d2e42016-07-01 17:50:32 -0400690 } else {
David Benjamin48891ad2016-12-04 00:02:43 -0500691 hs.finishedHash.addEntropy(zeroSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400692 }
693
Steven Valdeza833c352016-11-01 13:39:36 -0400694 if !hs.serverHello.hasKeyShare {
695 c.sendAlert(alertUnsupportedExtension)
696 return errors.New("tls: server omitted KeyShare on resumption.")
697 }
698
Nick Harperb41d2e42016-07-01 17:50:32 -0400699 // Resolve ECDHE and compute the handshake secret.
Steven Valdez803c77a2016-09-06 14:13:43 -0400700 if !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare {
Nick Harperb41d2e42016-07-01 17:50:32 -0400701 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
702 if !ok {
703 c.sendAlert(alertHandshakeFailure)
704 return errors.New("tls: server selected an unsupported group")
705 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400706 c.curveID = hs.serverHello.keyShare.group
Nick Harperb41d2e42016-07-01 17:50:32 -0400707
David Benjamin48891ad2016-12-04 00:02:43 -0500708 ecdheSecret, err := curve.finish(hs.serverHello.keyShare.keyExchange)
Nick Harperb41d2e42016-07-01 17:50:32 -0400709 if err != nil {
710 return err
711 }
David Benjamin48891ad2016-12-04 00:02:43 -0500712 hs.finishedHash.addEntropy(ecdheSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400713 } else {
David Benjamin48891ad2016-12-04 00:02:43 -0500714 hs.finishedHash.addEntropy(zeroSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400715 }
716
David Benjamin6f600d62016-12-21 16:06:54 -0500717 if hs.serverHello.shortHeader && !hs.hello.shortHeaderSupported {
718 return errors.New("tls: server sent unsolicited short header extension")
719 }
720
721 if hs.serverHello.shortHeader && hs.hello.hasEarlyData {
722 return errors.New("tls: server sent short header extension in response to early data")
723 }
724
725 if hs.serverHello.shortHeader {
726 c.setShortHeader()
727 }
728
Nick Harperf2511f12016-12-06 16:02:31 -0800729 // Derive handshake traffic keys and switch read key to handshake
730 // traffic key.
David Benjamin48891ad2016-12-04 00:02:43 -0500731 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel)
David Benjamin48891ad2016-12-04 00:02:43 -0500732 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel)
Steven Valdeza833c352016-11-01 13:39:36 -0400733 c.in.useTrafficSecret(c.vers, hs.suite, serverHandshakeTrafficSecret, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400734
735 msg, err := c.readHandshake()
736 if err != nil {
737 return err
738 }
739
740 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
741 if !ok {
742 c.sendAlert(alertUnexpectedMessage)
743 return unexpectedMessageError(encryptedExtensions, msg)
744 }
745 hs.writeServerHash(encryptedExtensions.marshal())
746
747 err = hs.processServerExtensions(&encryptedExtensions.extensions)
748 if err != nil {
749 return err
750 }
751
752 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700753 var certReq *certificateRequestMsg
Steven Valdeza833c352016-11-01 13:39:36 -0400754 if c.didResume {
Nick Harper0b3625b2016-07-25 16:16:28 -0700755 // Copy over authentication from the session.
756 c.peerCertificates = hs.session.serverCertificates
757 c.sctList = hs.session.sctList
758 c.ocspResponse = hs.session.ocspResponse
David Benjamin44b33bc2016-07-01 22:40:23 -0400759 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400760 msg, err := c.readHandshake()
761 if err != nil {
762 return err
763 }
764
David Benjamin8d343b42016-07-09 14:26:01 -0700765 var ok bool
766 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400767 if ok {
David Benjamin8a8349b2016-08-18 02:32:23 -0400768 if len(certReq.requestContext) != 0 {
769 return errors.New("tls: non-empty certificate request context sent in handshake")
770 }
771
David Benjaminb62d2872016-07-18 14:55:02 +0200772 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
773 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
774 }
775
Nick Harperb41d2e42016-07-01 17:50:32 -0400776 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400777
778 chainToSend, err = selectClientCertificate(c, certReq)
779 if err != nil {
780 return err
781 }
782
783 msg, err = c.readHandshake()
784 if err != nil {
785 return err
786 }
787 }
788
789 certMsg, ok := msg.(*certificateMsg)
790 if !ok {
791 c.sendAlert(alertUnexpectedMessage)
792 return unexpectedMessageError(certMsg, msg)
793 }
794 hs.writeServerHash(certMsg.marshal())
795
David Benjamin53210cb2016-11-16 09:01:48 +0900796 // Check for unsolicited extensions.
797 for i, cert := range certMsg.certificates {
798 if c.config.Bugs.NoOCSPStapling && cert.ocspResponse != nil {
799 c.sendAlert(alertUnsupportedExtension)
800 return errors.New("tls: unexpected OCSP response in the server certificate")
801 }
802 if c.config.Bugs.NoSignedCertificateTimestamps && cert.sctList != nil {
803 c.sendAlert(alertUnsupportedExtension)
804 return errors.New("tls: unexpected SCT list in the server certificate")
805 }
806 if i > 0 && c.config.Bugs.ExpectNoExtensionsOnIntermediate && (cert.ocspResponse != nil || cert.sctList != nil) {
807 c.sendAlert(alertUnsupportedExtension)
808 return errors.New("tls: unexpected extensions in the server certificate")
809 }
810 }
811
Nick Harperb41d2e42016-07-01 17:50:32 -0400812 if err := hs.verifyCertificates(certMsg); err != nil {
813 return err
814 }
815 leaf := c.peerCertificates[0]
Steven Valdeza833c352016-11-01 13:39:36 -0400816 c.ocspResponse = certMsg.certificates[0].ocspResponse
817 c.sctList = certMsg.certificates[0].sctList
818
Nick Harperb41d2e42016-07-01 17:50:32 -0400819 msg, err = c.readHandshake()
820 if err != nil {
821 return err
822 }
823 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
824 if !ok {
825 c.sendAlert(alertUnexpectedMessage)
826 return unexpectedMessageError(certVerifyMsg, msg)
827 }
828
David Benjaminf74ec792016-07-13 21:18:49 -0400829 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400830 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700831 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400832 if err != nil {
833 return err
834 }
835
836 hs.writeServerHash(certVerifyMsg.marshal())
837 }
838
839 msg, err = c.readHandshake()
840 if err != nil {
841 return err
842 }
843 serverFinished, ok := msg.(*finishedMsg)
844 if !ok {
845 c.sendAlert(alertUnexpectedMessage)
846 return unexpectedMessageError(serverFinished, msg)
847 }
848
Steven Valdezc4aa7272016-10-03 12:25:56 -0400849 verify := hs.finishedHash.serverSum(serverHandshakeTrafficSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400850 if len(verify) != len(serverFinished.verifyData) ||
851 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
852 c.sendAlert(alertHandshakeFailure)
853 return errors.New("tls: server's Finished message was incorrect")
854 }
855
856 hs.writeServerHash(serverFinished.marshal())
857
858 // The various secrets do not incorporate the client's final leg, so
859 // derive them now before updating the handshake context.
David Benjamin48891ad2016-12-04 00:02:43 -0500860 hs.finishedHash.addEntropy(zeroSecret)
861 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel)
862 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel)
David Benjamincdb6fe92017-02-07 16:06:48 -0500863 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel)
864
865 // Switch to application data keys on read. In particular, any alerts
866 // from the client certificate are read over these keys.
Nick Harper7cd0a972016-12-02 11:08:40 -0800867 c.in.useTrafficSecret(c.vers, hs.suite, serverTrafficSecret, serverWrite)
868
869 // If we're expecting 0.5-RTT messages from the server, read them
870 // now.
871 for _, expectedMsg := range c.config.Bugs.ExpectHalfRTTData {
872 if err := c.readRecord(recordTypeApplicationData); err != nil {
873 return err
874 }
875 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) {
876 return errors.New("ExpectHalfRTTData: did not get expected message")
877 }
878 c.in.freeBlock(c.input)
879 c.input = nil
880 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400881
Nick Harperf2511f12016-12-06 16:02:31 -0800882 // Send EndOfEarlyData and then switch write key to handshake
883 // traffic key.
884 if c.out.cipher != nil {
885 c.sendAlert(alertEndOfEarlyData)
886 }
887 c.out.useTrafficSecret(c.vers, hs.suite, clientHandshakeTrafficSecret, clientWrite)
888
Steven Valdez0ee2e112016-07-15 06:51:15 -0400889 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700890 certMsg := &certificateMsg{
891 hasRequestContext: true,
892 requestContext: certReq.requestContext,
893 }
894 if chainToSend != nil {
Steven Valdeza833c352016-11-01 13:39:36 -0400895 for _, certData := range chainToSend.Certificate {
896 certMsg.certificates = append(certMsg.certificates, certificateEntry{
897 data: certData,
898 extraExtension: c.config.Bugs.SendExtensionOnCertificate,
899 })
900 }
David Benjamin8d343b42016-07-09 14:26:01 -0700901 }
902 hs.writeClientHash(certMsg.marshal())
903 c.writeRecord(recordTypeHandshake, certMsg.marshal())
904
905 if chainToSend != nil {
906 certVerify := &certificateVerifyMsg{
907 hasSignatureAlgorithm: true,
908 }
909
910 // Determine the hash to sign.
911 privKey := chainToSend.PrivateKey
912
913 var err error
914 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
915 if err != nil {
916 c.sendAlert(alertInternalError)
917 return err
918 }
919
920 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
921 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
922 if err != nil {
923 c.sendAlert(alertInternalError)
924 return err
925 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400926 if c.config.Bugs.SendSignatureAlgorithm != 0 {
927 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
928 }
David Benjamin8d343b42016-07-09 14:26:01 -0700929
930 hs.writeClientHash(certVerify.marshal())
931 c.writeRecord(recordTypeHandshake, certVerify.marshal())
932 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400933 }
934
Nick Harper60a85cb2016-09-23 16:25:11 -0700935 if encryptedExtensions.extensions.channelIDRequested {
936 channelIDHash := crypto.SHA256.New()
937 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13))
938 channelIDMsgBytes, err := hs.writeChannelIDMessage(channelIDHash.Sum(nil))
939 if err != nil {
940 return err
941 }
942 hs.writeClientHash(channelIDMsgBytes)
943 c.writeRecord(recordTypeHandshake, channelIDMsgBytes)
944 }
945
Nick Harperb41d2e42016-07-01 17:50:32 -0400946 // Send a client Finished message.
947 finished := new(finishedMsg)
Steven Valdezc4aa7272016-10-03 12:25:56 -0400948 finished.verifyData = hs.finishedHash.clientSum(clientHandshakeTrafficSecret)
Nick Harperb41d2e42016-07-01 17:50:32 -0400949 if c.config.Bugs.BadFinished {
950 finished.verifyData[0]++
951 }
David Benjamin97a0a082016-07-13 17:57:35 -0400952 hs.writeClientHash(finished.marshal())
David Benjamin7964b182016-07-14 23:36:30 -0400953 if c.config.Bugs.PartialClientFinishedWithClientHello {
954 // The first byte has already been sent.
955 c.writeRecord(recordTypeHandshake, finished.marshal()[1:])
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500956 } else if c.config.Bugs.InterleaveEarlyData {
957 finishedBytes := finished.marshal()
958 c.sendFakeEarlyData(4)
959 c.writeRecord(recordTypeHandshake, finishedBytes[:1])
960 c.sendFakeEarlyData(4)
961 c.writeRecord(recordTypeHandshake, finishedBytes[1:])
David Benjamin7964b182016-07-14 23:36:30 -0400962 } else {
963 c.writeRecord(recordTypeHandshake, finished.marshal())
964 }
David Benjamin02edcd02016-07-27 17:40:37 -0400965 if c.config.Bugs.SendExtraFinished {
966 c.writeRecord(recordTypeHandshake, finished.marshal())
967 }
David Benjaminee51a222016-07-07 18:34:12 -0700968 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400969
970 // Switch to application data keys.
Steven Valdeza833c352016-11-01 13:39:36 -0400971 c.out.useTrafficSecret(c.vers, hs.suite, clientTrafficSecret, clientWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400972
David Benjamin48891ad2016-12-04 00:02:43 -0500973 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400974 return nil
975}
976
Adam Langley95c29f32014-06-20 12:00:00 -0700977func (hs *clientHandshakeState) doFullHandshake() error {
978 c := hs.c
979
David Benjamin48cae082014-10-27 01:06:24 -0400980 var leaf *x509.Certificate
981 if hs.suite.flags&suitePSK == 0 {
982 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700983 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700984 return err
985 }
Adam Langley95c29f32014-06-20 12:00:00 -0700986
David Benjamin48cae082014-10-27 01:06:24 -0400987 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400988 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400989 c.sendAlert(alertUnexpectedMessage)
990 return unexpectedMessageError(certMsg, msg)
991 }
992 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700993
David Benjamin75051442016-07-01 18:58:51 -0400994 if err := hs.verifyCertificates(certMsg); err != nil {
995 return err
David Benjamin48cae082014-10-27 01:06:24 -0400996 }
David Benjamin75051442016-07-01 18:58:51 -0400997 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400998 }
Adam Langley95c29f32014-06-20 12:00:00 -0700999
Nick Harperb3d51be2016-07-01 11:43:18 -04001000 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -04001001 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -07001002 if err != nil {
1003 return err
1004 }
1005 cs, ok := msg.(*certificateStatusMsg)
1006 if !ok {
1007 c.sendAlert(alertUnexpectedMessage)
1008 return unexpectedMessageError(cs, msg)
1009 }
David Benjamin83c0bc92014-08-04 01:23:53 -04001010 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -07001011
1012 if cs.statusType == statusTypeOCSP {
1013 c.ocspResponse = cs.response
1014 }
1015 }
1016
David Benjamin48cae082014-10-27 01:06:24 -04001017 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -07001018 if err != nil {
1019 return err
1020 }
1021
1022 keyAgreement := hs.suite.ka(c.vers)
1023
1024 skx, ok := msg.(*serverKeyExchangeMsg)
1025 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -04001026 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -04001027 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -07001028 if err != nil {
1029 c.sendAlert(alertUnexpectedMessage)
1030 return err
1031 }
Steven Valdez5440fe02016-07-18 12:40:30 -04001032 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
1033 c.curveID = ecdhe.curveID
1034 }
Adam Langley95c29f32014-06-20 12:00:00 -07001035
Nick Harper60edffd2016-06-21 15:19:24 -07001036 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
1037
Adam Langley95c29f32014-06-20 12:00:00 -07001038 msg, err = c.readHandshake()
1039 if err != nil {
1040 return err
1041 }
1042 }
1043
1044 var chainToSend *Certificate
1045 var certRequested bool
1046 certReq, ok := msg.(*certificateRequestMsg)
1047 if ok {
1048 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -07001049 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
1050 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
1051 }
Adam Langley95c29f32014-06-20 12:00:00 -07001052
David Benjamin83c0bc92014-08-04 01:23:53 -04001053 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -07001054
David Benjamina6f82632016-07-01 18:44:02 -04001055 chainToSend, err = selectClientCertificate(c, certReq)
1056 if err != nil {
1057 return err
Adam Langley95c29f32014-06-20 12:00:00 -07001058 }
1059
1060 msg, err = c.readHandshake()
1061 if err != nil {
1062 return err
1063 }
1064 }
1065
1066 shd, ok := msg.(*serverHelloDoneMsg)
1067 if !ok {
1068 c.sendAlert(alertUnexpectedMessage)
1069 return unexpectedMessageError(shd, msg)
1070 }
David Benjamin83c0bc92014-08-04 01:23:53 -04001071 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -07001072
1073 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -05001074 // Certificate message in TLS, even if it's empty because we don't have
1075 // a certificate to send. In SSL 3.0, skip the message and send a
1076 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -07001077 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -05001078 if c.vers == VersionSSL30 && chainToSend == nil {
David Benjamin053fee92017-01-02 08:30:36 -05001079 c.sendAlert(alertNoCertificate)
David Benjamin0b7ca7d2016-03-10 15:44:22 -05001080 } else if !c.config.Bugs.SkipClientCertificate {
1081 certMsg := new(certificateMsg)
1082 if chainToSend != nil {
Steven Valdeza833c352016-11-01 13:39:36 -04001083 for _, certData := range chainToSend.Certificate {
1084 certMsg.certificates = append(certMsg.certificates, certificateEntry{
1085 data: certData,
1086 })
1087 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -05001088 }
1089 hs.writeClientHash(certMsg.marshal())
1090 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -07001091 }
Adam Langley95c29f32014-06-20 12:00:00 -07001092 }
1093
David Benjamin48cae082014-10-27 01:06:24 -04001094 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -07001095 if err != nil {
1096 c.sendAlert(alertInternalError)
1097 return err
1098 }
1099 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -04001100 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -04001101 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -04001102 }
Adam Langley95c29f32014-06-20 12:00:00 -07001103 c.writeRecord(recordTypeHandshake, ckx.marshal())
1104 }
1105
Nick Harperb3d51be2016-07-01 11:43:18 -04001106 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -07001107 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
1108 c.extendedMasterSecret = true
1109 } else {
1110 if c.config.Bugs.RequireExtendedMasterSecret {
1111 return errors.New("tls: extended master secret required but not supported by peer")
1112 }
1113 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
1114 }
David Benjamine098ec22014-08-27 23:13:20 -04001115
Adam Langley95c29f32014-06-20 12:00:00 -07001116 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -07001117 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -07001118 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -07001119 }
1120
David Benjamin72dc7832015-03-16 17:49:43 -04001121 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -07001122 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -04001123
Nick Harper60edffd2016-06-21 15:19:24 -07001124 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -07001125 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -07001126 if err != nil {
1127 c.sendAlert(alertInternalError)
1128 return err
Adam Langley95c29f32014-06-20 12:00:00 -07001129 }
Nick Harper60edffd2016-06-21 15:19:24 -07001130 }
1131
1132 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -04001133 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -07001134 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
1135 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
1136 }
Nick Harper60edffd2016-06-21 15:19:24 -07001137 } else {
1138 // SSL 3.0's client certificate construction is
1139 // incompatible with signatureAlgorithm.
1140 rsaKey, ok := privKey.(*rsa.PrivateKey)
1141 if !ok {
1142 err = errors.New("unsupported signature type for client certificate")
1143 } else {
1144 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -04001145 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -07001146 digest[0] ^= 0x80
1147 }
1148 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
1149 }
Adam Langley95c29f32014-06-20 12:00:00 -07001150 }
1151 if err != nil {
1152 c.sendAlert(alertInternalError)
1153 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
1154 }
Adam Langley95c29f32014-06-20 12:00:00 -07001155
David Benjamin83c0bc92014-08-04 01:23:53 -04001156 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -07001157 c.writeRecord(recordTypeHandshake, certVerify.marshal())
1158 }
David Benjamin82261be2016-07-07 14:32:50 -07001159 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -07001160
David Benjamine098ec22014-08-27 23:13:20 -04001161 hs.finishedHash.discardHandshakeBuffer()
1162
Adam Langley95c29f32014-06-20 12:00:00 -07001163 return nil
1164}
1165
David Benjamin75051442016-07-01 18:58:51 -04001166func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
1167 c := hs.c
1168
1169 if len(certMsg.certificates) == 0 {
1170 c.sendAlert(alertIllegalParameter)
1171 return errors.New("tls: no certificates sent")
1172 }
1173
1174 certs := make([]*x509.Certificate, len(certMsg.certificates))
Steven Valdeza833c352016-11-01 13:39:36 -04001175 for i, certEntry := range certMsg.certificates {
1176 cert, err := x509.ParseCertificate(certEntry.data)
David Benjamin75051442016-07-01 18:58:51 -04001177 if err != nil {
1178 c.sendAlert(alertBadCertificate)
1179 return errors.New("tls: failed to parse certificate from server: " + err.Error())
1180 }
1181 certs[i] = cert
1182 }
1183
1184 if !c.config.InsecureSkipVerify {
1185 opts := x509.VerifyOptions{
1186 Roots: c.config.RootCAs,
1187 CurrentTime: c.config.time(),
1188 DNSName: c.config.ServerName,
1189 Intermediates: x509.NewCertPool(),
1190 }
1191
1192 for i, cert := range certs {
1193 if i == 0 {
1194 continue
1195 }
1196 opts.Intermediates.AddCert(cert)
1197 }
1198 var err error
1199 c.verifiedChains, err = certs[0].Verify(opts)
1200 if err != nil {
1201 c.sendAlert(alertBadCertificate)
1202 return err
1203 }
1204 }
1205
1206 switch certs[0].PublicKey.(type) {
1207 case *rsa.PublicKey, *ecdsa.PublicKey:
1208 break
1209 default:
1210 c.sendAlert(alertUnsupportedCertificate)
1211 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
1212 }
1213
1214 c.peerCertificates = certs
1215 return nil
1216}
1217
Adam Langley95c29f32014-06-20 12:00:00 -07001218func (hs *clientHandshakeState) establishKeys() error {
1219 c := hs.c
1220
1221 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -07001222 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -07001223 var clientCipher, serverCipher interface{}
1224 var clientHash, serverHash macFunction
1225 if hs.suite.cipher != nil {
1226 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
1227 clientHash = hs.suite.mac(c.vers, clientMAC)
1228 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
1229 serverHash = hs.suite.mac(c.vers, serverMAC)
1230 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -07001231 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
1232 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -07001233 }
1234
1235 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
1236 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
1237 return nil
1238}
1239
David Benjamin75101402016-07-01 13:40:23 -04001240func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
1241 c := hs.c
1242
David Benjamin8d315d72016-07-18 01:03:18 +02001243 if c.vers < VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -04001244 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
1245 return errors.New("tls: renegotiation extension missing")
1246 }
David Benjamin75101402016-07-01 13:40:23 -04001247
Nick Harperb41d2e42016-07-01 17:50:32 -04001248 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
1249 var expectedRenegInfo []byte
1250 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
1251 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
1252 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
1253 c.sendAlert(alertHandshakeFailure)
1254 return fmt.Errorf("tls: renegotiation mismatch")
1255 }
David Benjamin75101402016-07-01 13:40:23 -04001256 }
David Benjamincea0ab42016-07-14 12:33:14 -04001257 } else if serverExtensions.secureRenegotiation != nil {
1258 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -04001259 }
1260
1261 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1262 if serverExtensions.customExtension != *expected {
1263 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
1264 }
1265 }
1266
1267 clientDidNPN := hs.hello.nextProtoNeg
1268 clientDidALPN := len(hs.hello.alpnProtocols) > 0
1269 serverHasNPN := serverExtensions.nextProtoNeg
1270 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
1271
1272 if !clientDidNPN && serverHasNPN {
1273 c.sendAlert(alertHandshakeFailure)
1274 return errors.New("server advertised unrequested NPN extension")
1275 }
1276
1277 if !clientDidALPN && serverHasALPN {
1278 c.sendAlert(alertHandshakeFailure)
1279 return errors.New("server advertised unrequested ALPN extension")
1280 }
1281
1282 if serverHasNPN && serverHasALPN {
1283 c.sendAlert(alertHandshakeFailure)
1284 return errors.New("server advertised both NPN and ALPN extensions")
1285 }
1286
1287 if serverHasALPN {
1288 c.clientProtocol = serverExtensions.alpnProtocol
1289 c.clientProtocolFallback = false
1290 c.usedALPN = true
1291 }
1292
David Benjamin8d315d72016-07-18 01:03:18 +02001293 if serverHasNPN && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -04001294 c.sendAlert(alertHandshakeFailure)
1295 return errors.New("server advertised NPN over TLS 1.3")
1296 }
1297
David Benjamin75101402016-07-01 13:40:23 -04001298 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
1299 c.sendAlert(alertHandshakeFailure)
1300 return errors.New("server advertised unrequested Channel ID extension")
1301 }
1302
David Benjamin8d315d72016-07-18 01:03:18 +02001303 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 {
David Benjamine9077652016-07-13 21:02:08 -04001304 return errors.New("tls: server advertised extended master secret over TLS 1.3")
1305 }
1306
David Benjamin8d315d72016-07-18 01:03:18 +02001307 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 {
Steven Valdez143e8b32016-07-11 13:19:03 -04001308 return errors.New("tls: server advertised ticket extension over TLS 1.3")
1309 }
1310
Steven Valdeza833c352016-11-01 13:39:36 -04001311 if serverExtensions.ocspStapling && c.vers >= VersionTLS13 {
1312 return errors.New("tls: server advertised OCSP in ServerHello over TLS 1.3")
1313 }
1314
David Benjamin53210cb2016-11-16 09:01:48 +09001315 if serverExtensions.ocspStapling && c.config.Bugs.NoOCSPStapling {
1316 return errors.New("tls: server advertised unrequested OCSP extension")
1317 }
1318
Steven Valdeza833c352016-11-01 13:39:36 -04001319 if len(serverExtensions.sctList) > 0 && c.vers >= VersionTLS13 {
1320 return errors.New("tls: server advertised SCTs in ServerHello over TLS 1.3")
1321 }
1322
David Benjamin53210cb2016-11-16 09:01:48 +09001323 if len(serverExtensions.sctList) > 0 && c.config.Bugs.NoSignedCertificateTimestamps {
1324 return errors.New("tls: server advertised unrequested SCTs")
1325 }
1326
David Benjamin75101402016-07-01 13:40:23 -04001327 if serverExtensions.srtpProtectionProfile != 0 {
1328 if serverExtensions.srtpMasterKeyIdentifier != "" {
1329 return errors.New("tls: server selected SRTP MKI value")
1330 }
1331
1332 found := false
1333 for _, p := range c.config.SRTPProtectionProfiles {
1334 if p == serverExtensions.srtpProtectionProfile {
1335 found = true
1336 break
1337 }
1338 }
1339 if !found {
1340 return errors.New("tls: server advertised unsupported SRTP profile")
1341 }
1342
1343 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1344 }
1345
1346 return nil
1347}
1348
Adam Langley95c29f32014-06-20 12:00:00 -07001349func (hs *clientHandshakeState) serverResumedSession() bool {
1350 // If the server responded with the same sessionId then it means the
1351 // sessionTicket is being used to resume a TLS session.
1352 return hs.session != nil && hs.hello.sessionId != nil &&
1353 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1354}
1355
1356func (hs *clientHandshakeState) processServerHello() (bool, error) {
1357 c := hs.c
1358
David Benjamin6f600d62016-12-21 16:06:54 -05001359 if hs.serverHello.shortHeader {
1360 return false, errors.New("tls: short header extension sent before TLS 1.3")
1361 }
1362
Adam Langley95c29f32014-06-20 12:00:00 -07001363 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -04001364 // For test purposes, assert that the server never accepts the
1365 // resumption offer on renegotiation.
1366 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1367 return false, errors.New("tls: server resumed session on renegotiation")
1368 }
1369
Nick Harperb3d51be2016-07-01 11:43:18 -04001370 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +01001371 return false, errors.New("tls: server sent SCT extension on session resumption")
1372 }
1373
Nick Harperb3d51be2016-07-01 11:43:18 -04001374 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +01001375 return false, errors.New("tls: server sent OCSP extension on session resumption")
1376 }
1377
Adam Langley95c29f32014-06-20 12:00:00 -07001378 // Restore masterSecret and peerCerts from previous state
1379 hs.masterSecret = hs.session.masterSecret
1380 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -07001381 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +01001382 c.sctList = hs.session.sctList
1383 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -04001384 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -07001385 return true, nil
1386 }
Paul Lietar62be8ac2015-09-16 10:03:30 +01001387
Nick Harperb3d51be2016-07-01 11:43:18 -04001388 if hs.serverHello.extensions.sctList != nil {
1389 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +01001390 }
1391
Adam Langley95c29f32014-06-20 12:00:00 -07001392 return false, nil
1393}
1394
Adam Langleyaf0e32c2015-06-03 09:57:23 -07001395func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -07001396 c := hs.c
1397
1398 c.readRecord(recordTypeChangeCipherSpec)
1399 if err := c.in.error(); err != nil {
1400 return err
1401 }
1402
1403 msg, err := c.readHandshake()
1404 if err != nil {
1405 return err
1406 }
1407 serverFinished, ok := msg.(*finishedMsg)
1408 if !ok {
1409 c.sendAlert(alertUnexpectedMessage)
1410 return unexpectedMessageError(serverFinished, msg)
1411 }
1412
David Benjaminf3ec83d2014-07-21 22:42:34 -04001413 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1414 verify := hs.finishedHash.serverSum(hs.masterSecret)
1415 if len(verify) != len(serverFinished.verifyData) ||
1416 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1417 c.sendAlert(alertHandshakeFailure)
1418 return errors.New("tls: server's Finished message was incorrect")
1419 }
Adam Langley95c29f32014-06-20 12:00:00 -07001420 }
Adam Langley2ae77d22014-10-28 17:29:33 -07001421 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -07001422 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -04001423 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -07001424 return nil
1425}
1426
1427func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -05001428 c := hs.c
1429
1430 // Create a session with no server identifier. Either a
1431 // session ID or session ticket will be attached.
1432 session := &ClientSessionState{
1433 vers: c.vers,
1434 cipherSuite: hs.suite.id,
1435 masterSecret: hs.masterSecret,
Nick Harperc9846112016-10-17 15:05:35 -07001436 handshakeHash: hs.finishedHash.Sum(),
David Benjaminfe8eb9a2014-11-17 03:19:02 -05001437 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +01001438 sctList: c.sctList,
1439 ocspResponse: c.ocspResponse,
Nick Harper0b3625b2016-07-25 16:16:28 -07001440 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)),
David Benjaminfe8eb9a2014-11-17 03:19:02 -05001441 }
1442
Nick Harperb3d51be2016-07-01 11:43:18 -04001443 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -04001444 if c.config.Bugs.ExpectNewTicket {
1445 return errors.New("tls: expected new ticket")
1446 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -05001447 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1448 session.sessionId = hs.serverHello.sessionId
1449 hs.session = session
1450 }
Adam Langley95c29f32014-06-20 12:00:00 -07001451 return nil
1452 }
1453
David Benjaminc7ce9772015-10-09 19:32:41 -04001454 if c.vers == VersionSSL30 {
1455 return errors.New("tls: negotiated session tickets in SSL 3.0")
1456 }
1457
Adam Langley95c29f32014-06-20 12:00:00 -07001458 msg, err := c.readHandshake()
1459 if err != nil {
1460 return err
1461 }
1462 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1463 if !ok {
1464 c.sendAlert(alertUnexpectedMessage)
1465 return unexpectedMessageError(sessionTicketMsg, msg)
1466 }
Adam Langley95c29f32014-06-20 12:00:00 -07001467
David Benjaminfe8eb9a2014-11-17 03:19:02 -05001468 session.sessionTicket = sessionTicketMsg.ticket
1469 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -07001470
David Benjamind30a9902014-08-24 01:44:23 -04001471 hs.writeServerHash(sessionTicketMsg.marshal())
1472
Adam Langley95c29f32014-06-20 12:00:00 -07001473 return nil
1474}
1475
Adam Langleyaf0e32c2015-06-03 09:57:23 -07001476func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -07001477 c := hs.c
1478
David Benjamin0b8d5da2016-07-15 00:39:56 -04001479 var postCCSMsgs [][]byte
David Benjamin83c0bc92014-08-04 01:23:53 -04001480 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -04001481 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -07001482 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -04001483 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -07001484 nextProto.proto = proto
1485 c.clientProtocol = proto
1486 c.clientProtocolFallback = fallback
1487
David Benjamin86271ee2014-07-21 16:14:03 -04001488 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -04001489 hs.writeHash(nextProtoBytes, seqno)
1490 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -04001491 postCCSMsgs = append(postCCSMsgs, nextProtoBytes)
Adam Langley95c29f32014-06-20 12:00:00 -07001492 }
1493
Nick Harperb3d51be2016-07-01 11:43:18 -04001494 if hs.serverHello.extensions.channelIDRequested {
David Benjamind30a9902014-08-24 01:44:23 -04001495 var resumeHash []byte
1496 if isResume {
1497 resumeHash = hs.session.handshakeHash
1498 }
Nick Harper60a85cb2016-09-23 16:25:11 -07001499 channelIDMsgBytes, err := hs.writeChannelIDMessage(hs.finishedHash.hashForChannelID(resumeHash))
David Benjamind30a9902014-08-24 01:44:23 -04001500 if err != nil {
1501 return err
1502 }
David Benjamin24599a82016-06-30 18:56:53 -04001503 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -04001504 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -04001505 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes)
David Benjamind30a9902014-08-24 01:44:23 -04001506 }
1507
Adam Langley95c29f32014-06-20 12:00:00 -07001508 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -04001509 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1510 finished.verifyData = hs.finishedHash.clientSum(nil)
1511 } else {
1512 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1513 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -07001514 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -04001515 if c.config.Bugs.BadFinished {
1516 finished.verifyData[0]++
1517 }
Adam Langley2ae77d22014-10-28 17:29:33 -07001518 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -05001519 hs.finishedBytes = finished.marshal()
1520 hs.writeHash(hs.finishedBytes, seqno)
David Benjamin0b8d5da2016-07-15 00:39:56 -04001521 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes)
David Benjamin86271ee2014-07-21 16:14:03 -04001522
1523 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
David Benjamin0b8d5da2016-07-15 00:39:56 -04001524 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5])
1525 postCCSMsgs[0] = postCCSMsgs[0][5:]
David Benjamin61672812016-07-14 23:10:43 -04001526 } else if c.config.Bugs.SendUnencryptedFinished {
David Benjamin0b8d5da2016-07-15 00:39:56 -04001527 c.writeRecord(recordTypeHandshake, postCCSMsgs[0])
1528 postCCSMsgs = postCCSMsgs[1:]
David Benjamin86271ee2014-07-21 16:14:03 -04001529 }
David Benjamin582ba042016-07-07 12:33:25 -07001530 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -04001531
1532 if !c.config.Bugs.SkipChangeCipherSpec &&
1533 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -05001534 ccs := []byte{1}
1535 if c.config.Bugs.BadChangeCipherSpec != nil {
1536 ccs = c.config.Bugs.BadChangeCipherSpec
1537 }
1538 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -04001539 }
1540
David Benjamin4189bd92015-01-25 23:52:39 -05001541 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1542 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1543 }
David Benjamindc3da932015-03-12 15:09:02 -04001544 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1545 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1546 return errors.New("tls: simulating post-CCS alert")
1547 }
David Benjamin4189bd92015-01-25 23:52:39 -05001548
David Benjamin0b8d5da2016-07-15 00:39:56 -04001549 if !c.config.Bugs.SkipFinished {
1550 for _, msg := range postCCSMsgs {
1551 c.writeRecord(recordTypeHandshake, msg)
1552 }
David Benjamin02edcd02016-07-27 17:40:37 -04001553
1554 if c.config.Bugs.SendExtraFinished {
1555 c.writeRecord(recordTypeHandshake, finished.marshal())
1556 }
1557
David Benjamin582ba042016-07-07 12:33:25 -07001558 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -05001559 }
Adam Langley95c29f32014-06-20 12:00:00 -07001560 return nil
1561}
1562
Nick Harper60a85cb2016-09-23 16:25:11 -07001563func (hs *clientHandshakeState) writeChannelIDMessage(channelIDHash []byte) ([]byte, error) {
1564 c := hs.c
1565 channelIDMsg := new(channelIDMsg)
1566 if c.config.ChannelID.Curve != elliptic.P256() {
1567 return nil, fmt.Errorf("tls: Channel ID is not on P-256.")
1568 }
1569 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, channelIDHash)
1570 if err != nil {
1571 return nil, err
1572 }
1573 channelID := make([]byte, 128)
1574 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1575 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1576 writeIntPadded(channelID[64:96], r)
1577 writeIntPadded(channelID[96:128], s)
1578 if c.config.Bugs.InvalidChannelIDSignature {
1579 channelID[64] ^= 1
1580 }
1581 channelIDMsg.channelID = channelID
1582
1583 c.channelID = &c.config.ChannelID.PublicKey
1584
1585 return channelIDMsg.marshal(), nil
1586}
1587
David Benjamin83c0bc92014-08-04 01:23:53 -04001588func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1589 // writeClientHash is called before writeRecord.
1590 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1591}
1592
1593func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1594 // writeServerHash is called after readHandshake.
1595 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1596}
1597
1598func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1599 if hs.c.isDTLS {
1600 // This is somewhat hacky. DTLS hashes a slightly different format.
1601 // First, the TLS header.
1602 hs.finishedHash.Write(msg[:4])
1603 // Then the sequence number and reassembled fragment offset (always 0).
1604 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1605 // Then the reassembled fragment (always equal to the message length).
1606 hs.finishedHash.Write(msg[1:4])
1607 // And then the message body.
1608 hs.finishedHash.Write(msg[4:])
1609 } else {
1610 hs.finishedHash.Write(msg)
1611 }
1612}
1613
David Benjamina6f82632016-07-01 18:44:02 -04001614// selectClientCertificate selects a certificate for use with the given
1615// certificate, or none if none match. It may return a particular certificate or
1616// nil on success, or an error on internal error.
1617func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1618 // RFC 4346 on the certificateAuthorities field:
1619 // A list of the distinguished names of acceptable certificate
1620 // authorities. These distinguished names may specify a desired
1621 // distinguished name for a root CA or for a subordinate CA; thus, this
1622 // message can be used to describe both known roots and a desired
1623 // authorization space. If the certificate_authorities list is empty
1624 // then the client MAY send any certificate of the appropriate
1625 // ClientCertificateType, unless there is some external arrangement to
1626 // the contrary.
1627
1628 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -04001629 if !certReq.hasRequestContext {
1630 for _, certType := range certReq.certificateTypes {
1631 switch certType {
1632 case CertTypeRSASign:
1633 rsaAvail = true
1634 case CertTypeECDSASign:
1635 ecdsaAvail = true
1636 }
David Benjamina6f82632016-07-01 18:44:02 -04001637 }
1638 }
1639
1640 // We need to search our list of client certs for one
1641 // where SignatureAlgorithm is RSA and the Issuer is in
1642 // certReq.certificateAuthorities
1643findCert:
1644 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -04001645 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -04001646 continue
1647 }
1648
1649 // Ensure the private key supports one of the advertised
1650 // signature algorithms.
1651 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -07001652 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -04001653 continue
1654 }
1655 }
1656
1657 for j, cert := range chain.Certificate {
1658 x509Cert := chain.Leaf
1659 // parse the certificate if this isn't the leaf
1660 // node, or if chain.Leaf was nil
1661 if j != 0 || x509Cert == nil {
1662 var err error
1663 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1664 c.sendAlert(alertInternalError)
1665 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1666 }
1667 }
1668
Nick Harperb41d2e42016-07-01 17:50:32 -04001669 if !certReq.hasRequestContext {
1670 switch {
1671 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1672 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1673 default:
1674 continue findCert
1675 }
David Benjamina6f82632016-07-01 18:44:02 -04001676 }
1677
1678 if len(certReq.certificateAuthorities) == 0 {
1679 // They gave us an empty list, so just take the
1680 // first certificate of valid type from
1681 // c.config.Certificates.
1682 return &chain, nil
1683 }
1684
1685 for _, ca := range certReq.certificateAuthorities {
1686 if bytes.Equal(x509Cert.RawIssuer, ca) {
1687 return &chain, nil
1688 }
1689 }
1690 }
1691 }
1692
1693 return nil, nil
1694}
1695
Adam Langley95c29f32014-06-20 12:00:00 -07001696// clientSessionCacheKey returns a key used to cache sessionTickets that could
1697// be used to resume previously negotiated TLS sessions with a server.
1698func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1699 if len(config.ServerName) > 0 {
1700 return config.ServerName
1701 }
1702 return serverAddr.String()
1703}
1704
David Benjaminfa055a22014-09-15 16:51:51 -04001705// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1706// given list of possible protocols and a list of the preference order. The
1707// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -07001708// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -04001709func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1710 for _, s := range preferenceProtos {
1711 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -07001712 if s == c {
1713 return s, false
1714 }
1715 }
1716 }
1717
David Benjaminfa055a22014-09-15 16:51:51 -04001718 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -07001719}
David Benjamind30a9902014-08-24 01:44:23 -04001720
1721// writeIntPadded writes x into b, padded up with leading zeros as
1722// needed.
1723func writeIntPadded(b []byte, x *big.Int) {
1724 for i := range b {
1725 b[i] = 0
1726 }
1727 xb := x.Bytes()
1728 copy(b[len(b)-len(xb):], xb)
1729}
Steven Valdeza833c352016-11-01 13:39:36 -04001730
1731func generatePSKBinders(hello *clientHelloMsg, pskCipherSuite *cipherSuite, psk, transcript []byte, config *Config) {
1732 if config.Bugs.SendNoPSKBinder {
1733 return
1734 }
1735
1736 binderLen := pskCipherSuite.hash().Size()
1737 if config.Bugs.SendShortPSKBinder {
1738 binderLen--
1739 }
1740
David Benjaminaedf3032016-12-01 16:47:56 -05001741 numBinders := 1
1742 if config.Bugs.SendExtraPSKBinder {
1743 numBinders++
1744 }
1745
Steven Valdeza833c352016-11-01 13:39:36 -04001746 // Fill hello.pskBinders with appropriate length arrays of zeros so the
1747 // length prefixes are correct when computing the binder over the truncated
1748 // ClientHello message.
David Benjaminaedf3032016-12-01 16:47:56 -05001749 hello.pskBinders = make([][]byte, numBinders)
1750 for i := range hello.pskBinders {
Steven Valdeza833c352016-11-01 13:39:36 -04001751 hello.pskBinders[i] = make([]byte, binderLen)
1752 }
1753
1754 helloBytes := hello.marshal()
1755 binderSize := len(hello.pskBinders)*(binderLen+1) + 2
1756 truncatedHello := helloBytes[:len(helloBytes)-binderSize]
1757 binder := computePSKBinder(psk, resumptionPSKBinderLabel, pskCipherSuite, transcript, truncatedHello)
1758 if config.Bugs.SendShortPSKBinder {
1759 binder = binder[:binderLen]
1760 }
1761 if config.Bugs.SendInvalidPSKBinder {
1762 binder[0] ^= 1
1763 }
1764
1765 for i := range hello.pskBinders {
1766 hello.pskBinders[i] = binder
1767 }
1768
1769 hello.raw = nil
1770}