Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / eed2401cac6816e7b46395372e60f76d117b4036 / . / ssl / test / runner / handshake_client.go
blob: 84625dc665056e0527a820f4798e958da91a3375 [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]5package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]6
7import (
8 "bytes"
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]9 "crypto"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10 "crypto/ecdsa"
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]11 "crypto/elliptic"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]15 "errors"
16 "fmt"
17 "io"
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]18 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]19 "net"
20 "strconv"
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]21 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]22)
23
24type clientHandshakeState struct {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]25 c *Conn
26 serverHello *serverHelloMsg
27 hello *clientHelloMsg
28 suite *cipherSuite
29 finishedHash finishedHash
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]30 keyShares map[CurveID]ecdhCurve
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]31 masterSecret []byte
32 session *ClientSessionState
33 finishedBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34}
35
36func (c *Conn) clientHandshake() error {
37 if c.config == nil {
38 c.config = defaultConfig()
39 }
40
41 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {
42 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
43 }
44
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]45 c.sendHandshakeSeq = 0
46 c.recvHandshakeSeq = 0
47
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]48 nextProtosLength := 0
49 for _, proto := range c.config.NextProtos {
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]50 if l := len(proto); l > 255 {
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]51 return errors.New("tls: invalid NextProtos value")
52 } else {
53 nextProtosLength += 1 + l
54 }
55 }
56 if nextProtosLength > 0xffff {
57 return errors.New("tls: NextProtos values too large")
58 }
59
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]60 hello := &clientHelloMsg{
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]61 isDTLS: c.isDTLS,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]62 vers: c.config.maxVersion(c.isDTLS),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]63 compressionMethods: []uint8{compressionNone},
64 random: make([]byte, 32),
65 ocspStapling: true,
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]66 sctListSupported: true,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]67 serverName: c.config.ServerName,
68 supportedCurves: c.config.curvePreferences(),
69 supportedPoints: []uint8{pointFormatUncompressed},
70 nextProtoNeg: len(c.config.NextProtos) > 0,
71 secureRenegotiation: []byte{},
72 alpnProtocols: c.config.NextProtos,
73 duplicateExtension: c.config.Bugs.DuplicateExtension,
74 channelIDSupported: c.config.ChannelID != nil,
75 npnLast: c.config.Bugs.SwapNPNAndALPN,
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]76 extendedMasterSecret: c.config.maxVersion(c.isDTLS) >= VersionTLS10,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]77 srtpProtectionProfiles: c.config.SRTPProtectionProfiles,
78 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]79 customExtension: c.config.Bugs.CustomExtension,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]80 }
81
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]82 if c.config.Bugs.NoExtendedMasterSecret {
83 hello.extendedMasterSecret = false
84 }
85
David Benjamin55a43642015-04-20 14:45:55 -0400[diff] [blame]86 if c.config.Bugs.NoSupportedCurves {
87 hello.supportedCurves = nil
88 }
89
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]90 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
91 if c.config.Bugs.BadRenegotiationInfo {
92 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)
93 hello.secureRenegotiation[0] ^= 0x80
94 } else {
95 hello.secureRenegotiation = c.clientVerify
96 }
97 }
98
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]99 if c.noRenegotiationInfo() {
David Benjaminca6554b2014-11-08 12:31:52 -0500[diff] [blame]100 hello.secureRenegotiation = nil
101 }
102
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]103 var keyShares map[CurveID]ecdhCurve
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]104 if hello.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]105 keyShares = make(map[CurveID]ecdhCurve)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]106 hello.hasKeyShares = true
107 curvesToSend := c.config.defaultCurves()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]108 for _, curveID := range hello.supportedCurves {
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]109 if !curvesToSend[curveID] {
110 continue
111 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]112 curve, ok := curveForCurveID(curveID)
113 if !ok {
114 continue
115 }
116 publicKey, err := curve.offer(c.config.rand())
117 if err != nil {
118 return err
119 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]120
121 if c.config.Bugs.SendCurve != 0 {
122 curveID = c.config.Bugs.SendCurve
123 }
124 if c.config.Bugs.InvalidECDHPoint {
125 publicKey[0] ^= 0xff
126 }
127
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]128 hello.keyShares = append(hello.keyShares, keyShareEntry{
129 group: curveID,
130 keyExchange: publicKey,
131 })
132 keyShares[curveID] = curve
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]133
134 if c.config.Bugs.DuplicateKeyShares {
135 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1])
136 }
137 }
138
139 if c.config.Bugs.MissingKeyShare {
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]140 hello.hasKeyShares = false
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]141 }
142 }
143
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]144 possibleCipherSuites := c.config.cipherSuites()
145 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
146
147NextCipherSuite:
148 for _, suiteId := range possibleCipherSuites {
149 for _, suite := range cipherSuites {
150 if suite.id != suiteId {
151 continue
152 }
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]153 if !c.config.Bugs.EnableAllCiphers {
154 // Don't advertise TLS 1.2-only cipher suites unless
155 // we're attempting TLS 1.2.
156 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
157 continue
158 }
159 // Don't advertise non-DTLS cipher suites in DTLS.
160 if c.isDTLS && suite.flags&suiteNoDTLS != 0 {
161 continue
162 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]163 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]164 hello.cipherSuites = append(hello.cipherSuites, suiteId)
165 continue NextCipherSuite
166 }
167 }
168
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]169 if c.config.Bugs.SendRenegotiationSCSV {
170 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)
171 }
172
David Benjaminbef270a2014-08-02 04:22:02 -0400[diff] [blame]173 if c.config.Bugs.SendFallbackSCSV {
174 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)
175 }
176
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]177 _, err := io.ReadFull(c.config.rand(), hello.random)
178 if err != nil {
179 c.sendAlert(alertInternalError)
180 return errors.New("tls: short read from Rand: " + err.Error())
181 }
182
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]183 if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms {
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]184 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]185 }
186
187 var session *ClientSessionState
188 var cacheKey string
189 sessionCache := c.config.ClientSessionCache
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]190
191 if sessionCache != nil {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]192 hello.ticketSupported = !c.config.SessionTicketsDisabled
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]193
194 // Try to resume a previously negotiated TLS session, if
195 // available.
196 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]197 // TODO(nharper): Support storing more than one session
198 // ticket for TLS 1.3.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]199 candidateSession, ok := sessionCache.Get(cacheKey)
200 if ok {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]201 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil
202
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]203 // Check that the ciphersuite/version used for the
204 // previous session are still valid.
205 cipherSuiteOk := false
206 for _, id := range hello.cipherSuites {
207 if id == candidateSession.cipherSuite {
208 cipherSuiteOk = true
209 break
210 }
211 }
212
David Benjamincecee272016-06-30 13:33:47 -0400[diff] [blame]213 versOk := candidateSession.vers >= c.config.minVersion(c.isDTLS) &&
214 candidateSession.vers <= c.config.maxVersion(c.isDTLS)
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]215 if ticketOk && versOk && cipherSuiteOk {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]216 session = candidateSession
217 }
218 }
219 }
220
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]221 if session != nil && c.config.time().Before(session.ticketExpiration) {
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]222 ticket := session.sessionTicket
223 if c.config.Bugs.CorruptTicket && len(ticket) > 0 {
224 ticket = make([]byte, len(session.sessionTicket))
225 copy(ticket, session.sessionTicket)
226 offset := 40
227 if offset >= len(ticket) {
228 offset = len(ticket) - 1
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]229 }
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]230 ticket[offset] ^= 0x40
231 }
232
233 if session.vers >= VersionTLS13 {
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]234 // TODO(nharper): Support sending more
235 // than one PSK identity.
236 if session.ticketFlags&ticketAllowDHEResumption != 0 {
237 var found bool
238 for _, id := range hello.cipherSuites {
239 if id == session.cipherSuite {
240 found = true
241 break
242 }
243 }
244 if found {
245 hello.pskIdentities = [][]uint8{ticket}
246 hello.cipherSuites = append(hello.cipherSuites, ecdhePSKSuite(session.cipherSuite))
247 }
248 }
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]249 } else if ticket != nil {
250 hello.sessionTicket = ticket
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]251 // A random session ID is used to detect when the
252 // server accepted the ticket and is resuming a session
253 // (see RFC 5077).
254 sessionIdLen := 16
255 if c.config.Bugs.OversizedSessionId {
256 sessionIdLen = 33
257 }
258 hello.sessionId = make([]byte, sessionIdLen)
259 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
260 c.sendAlert(alertInternalError)
261 return errors.New("tls: short read from Rand: " + err.Error())
262 }
263 } else {
264 hello.sessionId = session.sessionId
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]265 }
266 }
267
David Benjamineed24012016-08-13 19:26:00 -0400[diff] [blame^]268 if c.config.Bugs.SendClientVersion != 0 {
269 hello.vers = c.config.Bugs.SendClientVersion
270 }
271
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]272 var helloBytes []byte
273 if c.config.Bugs.SendV2ClientHello {
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]274 // Test that the peer left-pads random.
275 hello.random[0] = 0
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]276 v2Hello := &v2ClientHelloMsg{
277 vers: hello.vers,
278 cipherSuites: hello.cipherSuites,
279 // No session resumption for V2ClientHello.
280 sessionId: nil,
David Benjamin94d701b2014-11-30 13:54:41 -0500[diff] [blame]281 challenge: hello.random[1:],
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]282 }
283 helloBytes = v2Hello.marshal()
284 c.writeV2Record(helloBytes)
285 } else {
286 helloBytes = hello.marshal()
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]287 if c.config.Bugs.PartialClientFinishedWithClientHello {
288 // Include one byte of Finished. We can compute it
289 // without completing the handshake. This assumes we
290 // negotiate TLS 1.3 with no HelloRetryRequest or
291 // CertificateRequest.
292 toWrite := make([]byte, 0, len(helloBytes)+1)
293 toWrite = append(toWrite, helloBytes...)
294 toWrite = append(toWrite, typeFinished)
295 c.writeRecord(recordTypeHandshake, toWrite)
296 } else {
297 c.writeRecord(recordTypeHandshake, helloBytes)
298 }
David Benjamind86c7672014-08-02 04:07:12 -0400[diff] [blame]299 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]300 c.flushHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]301
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]302 if err := c.simulatePacketLoss(nil); err != nil {
303 return err
304 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]305 msg, err := c.readHandshake()
306 if err != nil {
307 return err
308 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]309
310 if c.isDTLS {
311 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)
312 if ok {
David Benjamin8bc38f52014-08-16 12:07:27 -0400[diff] [blame]313 if helloVerifyRequest.vers != VersionTLS10 {
314 // Per RFC 6347, the version field in
315 // HelloVerifyRequest SHOULD be always DTLS
316 // 1.0. Enforce this for testing purposes.
317 return errors.New("dtls: bad HelloVerifyRequest version")
318 }
319
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]320 hello.raw = nil
321 hello.cookie = helloVerifyRequest.cookie
322 helloBytes = hello.marshal()
323 c.writeRecord(recordTypeHandshake, helloBytes)
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]324 c.flushHandshake()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]325
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]326 if err := c.simulatePacketLoss(nil); err != nil {
327 return err
328 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]329 msg, err = c.readHandshake()
330 if err != nil {
331 return err
332 }
333 }
334 }
335
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]336 var serverVersion uint16
337 switch m := msg.(type) {
338 case *helloRetryRequestMsg:
339 serverVersion = m.vers
340 case *serverHelloMsg:
341 serverVersion = m.vers
342 default:
343 c.sendAlert(alertUnexpectedMessage)
344 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg)
345 }
346
347 var ok bool
348 c.vers, ok = c.config.mutualVersion(serverVersion, c.isDTLS)
349 if !ok {
350 c.sendAlert(alertProtocolVersion)
351 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers)
352 }
353 c.haveVers = true
354
355 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg)
356 var secondHelloBytes []byte
357 if haveHelloRetryRequest {
358 var hrrCurveFound bool
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]359 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 {
360 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve
361 }
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]362 group := helloRetryRequest.selectedGroup
363 for _, curveID := range hello.supportedCurves {
364 if group == curveID {
365 hrrCurveFound = true
366 break
367 }
368 }
369 if !hrrCurveFound || keyShares[group] != nil {
370 c.sendAlert(alertHandshakeFailure)
371 return errors.New("tls: received invalid HelloRetryRequest")
372 }
373 curve, ok := curveForCurveID(group)
374 if !ok {
375 return errors.New("tls: Unable to get curve requested in HelloRetryRequest")
376 }
377 publicKey, err := curve.offer(c.config.rand())
378 if err != nil {
379 return err
380 }
381 keyShares[group] = curve
382 hello.keyShares = append(hello.keyShares, keyShareEntry{
383 group: group,
384 keyExchange: publicKey,
385 })
386
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]387 if c.config.Bugs.SecondClientHelloMissingKeyShare {
388 hello.hasKeyShares = false
389 }
390
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]391 hello.hasEarlyData = false
392 hello.earlyDataContext = nil
393 hello.raw = nil
394
395 secondHelloBytes = hello.marshal()
396 c.writeRecord(recordTypeHandshake, secondHelloBytes)
397 c.flushHandshake()
398
399 msg, err = c.readHandshake()
400 if err != nil {
401 return err
402 }
403 }
404
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]405 serverHello, ok := msg.(*serverHelloMsg)
406 if !ok {
407 c.sendAlert(alertUnexpectedMessage)
408 return unexpectedMessageError(serverHello, msg)
409 }
410
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]411 if c.vers != serverHello.vers {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]412 c.sendAlert(alertProtocolVersion)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]413 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverHello.vers, c.vers)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]414 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]415
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]416 // Check for downgrade signals in the server random, per
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]417 // draft-ietf-tls-tls13-14, section 6.3.1.2.
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]418 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]419 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS13) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]420 c.sendAlert(alertProtocolVersion)
421 return errors.New("tls: downgrade from TLS 1.3 detected")
422 }
423 }
424 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 {
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]425 if bytes.Equal(serverHello.random[len(serverHello.random)-8:], downgradeTLS12) {
Nick Harper85f20c22016-07-04 10:11:59 -0700[diff] [blame]426 c.sendAlert(alertProtocolVersion)
427 return errors.New("tls: downgrade from TLS 1.2 detected")
428 }
429 }
430
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]431 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]432 if suite == nil {
433 c.sendAlert(alertHandshakeFailure)
434 return fmt.Errorf("tls: server selected an unsupported cipher suite")
435 }
436
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]437 if haveHelloRetryRequest && (helloRetryRequest.cipherSuite != serverHello.cipherSuite || helloRetryRequest.selectedGroup != serverHello.keyShare.group) {
438 c.sendAlert(alertHandshakeFailure)
439 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest")
440 }
441
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]442 hs := &clientHandshakeState{
443 c: c,
444 serverHello: serverHello,
445 hello: hello,
446 suite: suite,
447 finishedHash: newFinishedHash(c.vers, suite),
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]448 keyShares: keyShares,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]449 session: session,
450 }
451
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]452 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)
Nick Harperdcfbc672016-07-16 17:47:31 +0200[diff] [blame]453 if haveHelloRetryRequest {
454 hs.writeServerHash(helloRetryRequest.marshal())
455 hs.writeClientHash(secondHelloBytes)
456 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]457 hs.writeServerHash(hs.serverHello.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]458
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]459 if c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]460 if err := hs.doTLS13Handshake(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]461 return err
462 }
463 } else {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]464 if c.config.Bugs.EarlyChangeCipherSpec > 0 {
465 hs.establishKeys()
466 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
467 }
468
469 if hs.serverHello.compressionMethod != compressionNone {
470 c.sendAlert(alertUnexpectedMessage)
471 return errors.New("tls: server selected unsupported compression format")
472 }
473
474 err = hs.processServerExtensions(&serverHello.extensions)
475 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]476 return err
477 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]478
479 isResume, err := hs.processServerHello()
480 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]481 return err
482 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]483
484 if isResume {
485 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
486 if err := hs.establishKeys(); err != nil {
487 return err
488 }
489 }
490 if err := hs.readSessionTicket(); err != nil {
491 return err
492 }
493 if err := hs.readFinished(c.firstFinished[:]); err != nil {
494 return err
495 }
496 if err := hs.sendFinished(nil, isResume); err != nil {
497 return err
498 }
499 } else {
500 if err := hs.doFullHandshake(); err != nil {
501 return err
502 }
503 if err := hs.establishKeys(); err != nil {
504 return err
505 }
506 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
507 return err
508 }
509 // Most retransmits are triggered by a timeout, but the final
510 // leg of the handshake is retransmited upon re-receiving a
511 // Finished.
512 if err := c.simulatePacketLoss(func() {
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]513 c.sendHandshakeSeq--
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]514 c.writeRecord(recordTypeHandshake, hs.finishedBytes)
515 c.flushHandshake()
516 }); err != nil {
517 return err
518 }
519 if err := hs.readSessionTicket(); err != nil {
520 return err
521 }
522 if err := hs.readFinished(nil); err != nil {
523 return err
524 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]525 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]526
527 if sessionCache != nil && hs.session != nil && session != hs.session {
528 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 {
529 return errors.New("tls: new session used session IDs instead of tickets")
530 }
531 sessionCache.Put(cacheKey, hs.session)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]532 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]533
534 c.didResume = isResume
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]535 c.exporterSecret = hs.masterSecret
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]536 }
537
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]538 c.handshakeComplete = true
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]539 c.cipherSuite = suite
540 copy(c.clientRandom[:], hs.hello.random)
541 copy(c.serverRandom[:], hs.serverHello.random)
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]542
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]543 return nil
544}
545
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]546func (hs *clientHandshakeState) doTLS13Handshake() error {
547 c := hs.c
548
549 // Once the PRF hash is known, TLS 1.3 does not require a handshake
550 // buffer.
551 hs.finishedHash.discardHandshakeBuffer()
552
553 zeroSecret := hs.finishedHash.zeroSecret()
554
555 // Resolve PSK and compute the early secret.
556 //
557 // TODO(davidben): This will need to be handled slightly earlier once
558 // 0-RTT is implemented.
559 var psk []byte
560 if hs.suite.flags&suitePSK != 0 {
561 if !hs.serverHello.hasPSKIdentity {
562 c.sendAlert(alertMissingExtension)
563 return errors.New("tls: server omitted the PSK identity extension")
564 }
565
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]566 // We send at most one PSK identity.
567 if hs.session == nil || hs.serverHello.pskIdentity != 0 {
568 c.sendAlert(alertUnknownPSKIdentity)
569 return errors.New("tls: server sent unknown PSK identity")
570 }
571 if ecdhePSKSuite(hs.session.cipherSuite) != hs.suite.id {
572 c.sendAlert(alertHandshakeFailure)
573 return errors.New("tls: server sent invalid cipher suite for PSK")
574 }
575 psk = deriveResumptionPSK(hs.suite, hs.session.masterSecret)
576 hs.finishedHash.setResumptionContext(deriveResumptionContext(hs.suite, hs.session.masterSecret))
577 c.didResume = true
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]578 } else {
579 if hs.serverHello.hasPSKIdentity {
580 c.sendAlert(alertUnsupportedExtension)
581 return errors.New("tls: server sent unexpected PSK identity")
582 }
583
584 psk = zeroSecret
585 hs.finishedHash.setResumptionContext(zeroSecret)
586 }
587
588 earlySecret := hs.finishedHash.extractKey(zeroSecret, psk)
589
590 // Resolve ECDHE and compute the handshake secret.
591 var ecdheSecret []byte
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]592 if hs.suite.flags&suiteECDHE != 0 && !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]593 if !hs.serverHello.hasKeyShare {
594 c.sendAlert(alertMissingExtension)
595 return errors.New("tls: server omitted the key share extension")
596 }
597
598 curve, ok := hs.keyShares[hs.serverHello.keyShare.group]
599 if !ok {
600 c.sendAlert(alertHandshakeFailure)
601 return errors.New("tls: server selected an unsupported group")
602 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]603 c.curveID = hs.serverHello.keyShare.group
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]604
605 var err error
606 ecdheSecret, err = curve.finish(hs.serverHello.keyShare.keyExchange)
607 if err != nil {
608 return err
609 }
610 } else {
611 if hs.serverHello.hasKeyShare {
612 c.sendAlert(alertUnsupportedExtension)
613 return errors.New("tls: server sent unexpected key share extension")
614 }
615
616 ecdheSecret = zeroSecret
617 }
618
619 // Compute the handshake secret.
620 handshakeSecret := hs.finishedHash.extractKey(earlySecret, ecdheSecret)
621
622 // Switch to handshake traffic keys.
623 handshakeTrafficSecret := hs.finishedHash.deriveSecret(handshakeSecret, handshakeTrafficLabel)
David Benjamin21c00282016-07-18 21:56:23 +0200[diff] [blame]624 c.out.useTrafficSecret(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, clientWrite)
625 c.in.useTrafficSecret(c.vers, hs.suite, handshakeTrafficSecret, handshakePhase, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]626
627 msg, err := c.readHandshake()
628 if err != nil {
629 return err
630 }
631
632 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
633 if !ok {
634 c.sendAlert(alertUnexpectedMessage)
635 return unexpectedMessageError(encryptedExtensions, msg)
636 }
637 hs.writeServerHash(encryptedExtensions.marshal())
638
639 err = hs.processServerExtensions(&encryptedExtensions.extensions)
640 if err != nil {
641 return err
642 }
643
644 var chainToSend *Certificate
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]645 var certReq *certificateRequestMsg
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]646 if hs.suite.flags&suitePSK != 0 {
647 if encryptedExtensions.extensions.ocspResponse != nil {
648 c.sendAlert(alertUnsupportedExtension)
649 return errors.New("tls: server sent OCSP response without a certificate")
650 }
651 if encryptedExtensions.extensions.sctList != nil {
652 c.sendAlert(alertUnsupportedExtension)
653 return errors.New("tls: server sent SCT list without a certificate")
654 }
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]655
656 // Copy over authentication from the session.
657 c.peerCertificates = hs.session.serverCertificates
658 c.sctList = hs.session.sctList
659 c.ocspResponse = hs.session.ocspResponse
David Benjamin44b33bc2016-07-01 22:40:23 -0400[diff] [blame]660 } else {
661 c.ocspResponse = encryptedExtensions.extensions.ocspResponse
662 c.sctList = encryptedExtensions.extensions.sctList
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]663
664 msg, err := c.readHandshake()
665 if err != nil {
666 return err
667 }
668
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]669 var ok bool
670 certReq, ok = msg.(*certificateRequestMsg)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]671 if ok {
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]672 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
673 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
674 }
675
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]676 hs.writeServerHash(certReq.marshal())
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]677
678 chainToSend, err = selectClientCertificate(c, certReq)
679 if err != nil {
680 return err
681 }
682
683 msg, err = c.readHandshake()
684 if err != nil {
685 return err
686 }
687 }
688
689 certMsg, ok := msg.(*certificateMsg)
690 if !ok {
691 c.sendAlert(alertUnexpectedMessage)
692 return unexpectedMessageError(certMsg, msg)
693 }
694 hs.writeServerHash(certMsg.marshal())
695
696 if err := hs.verifyCertificates(certMsg); err != nil {
697 return err
698 }
699 leaf := c.peerCertificates[0]
700
701 msg, err = c.readHandshake()
702 if err != nil {
703 return err
704 }
705 certVerifyMsg, ok := msg.(*certificateVerifyMsg)
706 if !ok {
707 c.sendAlert(alertUnexpectedMessage)
708 return unexpectedMessageError(certVerifyMsg, msg)
709 }
710
David Benjaminf74ec792016-07-13 21:18:49 -0400[diff] [blame]711 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]712 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]713 err = verifyMessage(c.vers, leaf.PublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]714 if err != nil {
715 return err
716 }
717
718 hs.writeServerHash(certVerifyMsg.marshal())
719 }
720
721 msg, err = c.readHandshake()
722 if err != nil {
723 return err
724 }
725 serverFinished, ok := msg.(*finishedMsg)
726 if !ok {
727 c.sendAlert(alertUnexpectedMessage)
728 return unexpectedMessageError(serverFinished, msg)
729 }
730
731 verify := hs.finishedHash.serverSum(handshakeTrafficSecret)
732 if len(verify) != len(serverFinished.verifyData) ||
733 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
734 c.sendAlert(alertHandshakeFailure)
735 return errors.New("tls: server's Finished message was incorrect")
736 }
737
738 hs.writeServerHash(serverFinished.marshal())
739
740 // The various secrets do not incorporate the client's final leg, so
741 // derive them now before updating the handshake context.
742 masterSecret := hs.finishedHash.extractKey(handshakeSecret, zeroSecret)
743 trafficSecret := hs.finishedHash.deriveSecret(masterSecret, applicationTrafficLabel)
744
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]745 if certReq != nil && !c.config.Bugs.SkipClientCertificate {
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]746 certMsg := &certificateMsg{
747 hasRequestContext: true,
748 requestContext: certReq.requestContext,
749 }
750 if chainToSend != nil {
751 certMsg.certificates = chainToSend.Certificate
752 }
753 hs.writeClientHash(certMsg.marshal())
754 c.writeRecord(recordTypeHandshake, certMsg.marshal())
755
756 if chainToSend != nil {
757 certVerify := &certificateVerifyMsg{
758 hasSignatureAlgorithm: true,
759 }
760
761 // Determine the hash to sign.
762 privKey := chainToSend.PrivateKey
763
764 var err error
765 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
766 if err != nil {
767 c.sendAlert(alertInternalError)
768 return err
769 }
770
771 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
772 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
773 if err != nil {
774 c.sendAlert(alertInternalError)
775 return err
776 }
Steven Valdez0ee2e112016-07-15 06:51:15 -0400[diff] [blame]777 if c.config.Bugs.SendSignatureAlgorithm != 0 {
778 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
779 }
David Benjamin8d343b42016-07-09 14:26:01 -0700[diff] [blame]780
781 hs.writeClientHash(certVerify.marshal())
782 c.writeRecord(recordTypeHandshake, certVerify.marshal())
783 }
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]784 }
785
786 // Send a client Finished message.
787 finished := new(finishedMsg)
788 finished.verifyData = hs.finishedHash.clientSum(handshakeTrafficSecret)
789 if c.config.Bugs.BadFinished {
790 finished.verifyData[0]++
791 }
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]792 hs.writeClientHash(finished.marshal())
David Benjamin7964b182016-07-14 23:36:30 -0400[diff] [blame]793 if c.config.Bugs.PartialClientFinishedWithClientHello {
794 // The first byte has already been sent.
795 c.writeRecord(recordTypeHandshake, finished.marshal()[1:])
796 } else {
797 c.writeRecord(recordTypeHandshake, finished.marshal())
798 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]799 if c.config.Bugs.SendExtraFinished {
800 c.writeRecord(recordTypeHandshake, finished.marshal())
801 }
David Benjaminee51a222016-07-07 18:34:12 -0700[diff] [blame]802 c.flushHandshake()
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]803
804 // Switch to application data keys.
David Benjamin21c00282016-07-18 21:56:23 +0200[diff] [blame]805 c.out.useTrafficSecret(c.vers, hs.suite, trafficSecret, applicationPhase, clientWrite)
806 c.in.useTrafficSecret(c.vers, hs.suite, trafficSecret, applicationPhase, serverWrite)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]807
David Benjamin97a0a082016-07-13 17:57:35 -0400[diff] [blame]808 c.exporterSecret = hs.finishedHash.deriveSecret(masterSecret, exporterLabel)
David Benjamind5a4ecb2016-07-18 01:17:13 +0200[diff] [blame]809 c.resumptionSecret = hs.finishedHash.deriveSecret(masterSecret, resumptionLabel)
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]810 return nil
811}
812
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]813func (hs *clientHandshakeState) doFullHandshake() error {
814 c := hs.c
815
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]816 var leaf *x509.Certificate
817 if hs.suite.flags&suitePSK == 0 {
818 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]819 if err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]820 return err
821 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]822
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]823 certMsg, ok := msg.(*certificateMsg)
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]824 if !ok {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]825 c.sendAlert(alertUnexpectedMessage)
826 return unexpectedMessageError(certMsg, msg)
827 }
828 hs.writeServerHash(certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]829
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]830 if err := hs.verifyCertificates(certMsg); err != nil {
831 return err
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]832 }
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]833 leaf = c.peerCertificates[0]
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]834 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]835
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]836 if hs.serverHello.extensions.ocspStapling {
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]837 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]838 if err != nil {
839 return err
840 }
841 cs, ok := msg.(*certificateStatusMsg)
842 if !ok {
843 c.sendAlert(alertUnexpectedMessage)
844 return unexpectedMessageError(cs, msg)
845 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]846 hs.writeServerHash(cs.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]847
848 if cs.statusType == statusTypeOCSP {
849 c.ocspResponse = cs.response
850 }
851 }
852
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]853 msg, err := c.readHandshake()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]854 if err != nil {
855 return err
856 }
857
858 keyAgreement := hs.suite.ka(c.vers)
859
860 skx, ok := msg.(*serverKeyExchangeMsg)
861 if ok {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]862 hs.writeServerHash(skx.marshal())
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]863 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]864 if err != nil {
865 c.sendAlert(alertUnexpectedMessage)
866 return err
867 }
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]868 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
869 c.curveID = ecdhe.curveID
870 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]871
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]872 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm()
873
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]874 msg, err = c.readHandshake()
875 if err != nil {
876 return err
877 }
878 }
879
880 var chainToSend *Certificate
881 var certRequested bool
882 certReq, ok := msg.(*certificateRequestMsg)
883 if ok {
884 certRequested = true
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]885 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
886 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms()
887 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]888
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]889 hs.writeServerHash(certReq.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]890
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]891 chainToSend, err = selectClientCertificate(c, certReq)
892 if err != nil {
893 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]894 }
895
896 msg, err = c.readHandshake()
897 if err != nil {
898 return err
899 }
900 }
901
902 shd, ok := msg.(*serverHelloDoneMsg)
903 if !ok {
904 c.sendAlert(alertUnexpectedMessage)
905 return unexpectedMessageError(shd, msg)
906 }
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]907 hs.writeServerHash(shd.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]908
909 // If the server requested a certificate then we have to send a
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]910 // Certificate message in TLS, even if it's empty because we don't have
911 // a certificate to send. In SSL 3.0, skip the message and send a
912 // no_certificate warning alert.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]913 if certRequested {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]914 if c.vers == VersionSSL30 && chainToSend == nil {
915 c.sendAlert(alertNoCertficate)
916 } else if !c.config.Bugs.SkipClientCertificate {
917 certMsg := new(certificateMsg)
918 if chainToSend != nil {
919 certMsg.certificates = chainToSend.Certificate
920 }
921 hs.writeClientHash(certMsg.marshal())
922 c.writeRecord(recordTypeHandshake, certMsg.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]923 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]924 }
925
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]926 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]927 if err != nil {
928 c.sendAlert(alertInternalError)
929 return err
930 }
931 if ckx != nil {
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]932 if c.config.Bugs.EarlyChangeCipherSpec < 2 {
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]933 hs.writeClientHash(ckx.marshal())
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]934 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]935 c.writeRecord(recordTypeHandshake, ckx.marshal())
936 }
937
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]938 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 {
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]939 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
940 c.extendedMasterSecret = true
941 } else {
942 if c.config.Bugs.RequireExtendedMasterSecret {
943 return errors.New("tls: extended master secret required but not supported by peer")
944 }
945 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
946 }
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]947
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]948 if chainToSend != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]949 certVerify := &certificateVerifyMsg{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]950 hasSignatureAlgorithm: c.vers >= VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]951 }
952
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]953 // Determine the hash to sign.
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]954 privKey := c.config.Certificates[0].PrivateKey
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]955
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]956 if certVerify.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]957 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]958 if err != nil {
959 c.sendAlert(alertInternalError)
960 return err
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]961 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]962 }
963
964 if c.vers > VersionSSL30 {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]965 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer)
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]966 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 {
967 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm
968 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]969 } else {
970 // SSL 3.0's client certificate construction is
971 // incompatible with signatureAlgorithm.
972 rsaKey, ok := privKey.(*rsa.PrivateKey)
973 if !ok {
974 err = errors.New("unsupported signature type for client certificate")
975 } else {
976 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]977 if c.config.Bugs.InvalidSignature {
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]978 digest[0] ^= 0x80
979 }
980 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest)
981 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]982 }
983 if err != nil {
984 c.sendAlert(alertInternalError)
985 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
986 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]987
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]988 hs.writeClientHash(certVerify.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]989 c.writeRecord(recordTypeHandshake, certVerify.marshal())
990 }
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]991 // flushHandshake will be called in sendFinished.
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]992
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]993 hs.finishedHash.discardHandshakeBuffer()
994
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]995 return nil
996}
997
David Benjamin75051442016-07-01 18:58:51 -0400[diff] [blame]998func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
999 c := hs.c
1000
1001 if len(certMsg.certificates) == 0 {
1002 c.sendAlert(alertIllegalParameter)
1003 return errors.New("tls: no certificates sent")
1004 }
1005
1006 certs := make([]*x509.Certificate, len(certMsg.certificates))
1007 for i, asn1Data := range certMsg.certificates {
1008 cert, err := x509.ParseCertificate(asn1Data)
1009 if err != nil {
1010 c.sendAlert(alertBadCertificate)
1011 return errors.New("tls: failed to parse certificate from server: " + err.Error())
1012 }
1013 certs[i] = cert
1014 }
1015
1016 if !c.config.InsecureSkipVerify {
1017 opts := x509.VerifyOptions{
1018 Roots: c.config.RootCAs,
1019 CurrentTime: c.config.time(),
1020 DNSName: c.config.ServerName,
1021 Intermediates: x509.NewCertPool(),
1022 }
1023
1024 for i, cert := range certs {
1025 if i == 0 {
1026 continue
1027 }
1028 opts.Intermediates.AddCert(cert)
1029 }
1030 var err error
1031 c.verifiedChains, err = certs[0].Verify(opts)
1032 if err != nil {
1033 c.sendAlert(alertBadCertificate)
1034 return err
1035 }
1036 }
1037
1038 switch certs[0].PublicKey.(type) {
1039 case *rsa.PublicKey, *ecdsa.PublicKey:
1040 break
1041 default:
1042 c.sendAlert(alertUnsupportedCertificate)
1043 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
1044 }
1045
1046 c.peerCertificates = certs
1047 return nil
1048}
1049
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1050func (hs *clientHandshakeState) establishKeys() error {
1051 c := hs.c
1052
1053 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1054 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1055 var clientCipher, serverCipher interface{}
1056 var clientHash, serverHash macFunction
1057 if hs.suite.cipher != nil {
1058 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
1059 clientHash = hs.suite.mac(c.vers, clientMAC)
1060 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
1061 serverHash = hs.suite.mac(c.vers, serverMAC)
1062 } else {
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1063 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
1064 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1065 }
1066
1067 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
1068 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
1069 return nil
1070}
1071
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1072func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error {
1073 c := hs.c
1074
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1075 if c.vers < VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1076 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil {
1077 return errors.New("tls: renegotiation extension missing")
1078 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1079
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1080 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() {
1081 var expectedRenegInfo []byte
1082 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)
1083 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)
1084 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) {
1085 c.sendAlert(alertHandshakeFailure)
1086 return fmt.Errorf("tls: renegotiation mismatch")
1087 }
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1088 }
David Benjamincea0ab42016-07-14 12:33:14 -0400[diff] [blame]1089 } else if serverExtensions.secureRenegotiation != nil {
1090 return errors.New("tls: renegotiation info sent in TLS 1.3")
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1091 }
1092
1093 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1094 if serverExtensions.customExtension != *expected {
1095 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension)
1096 }
1097 }
1098
1099 clientDidNPN := hs.hello.nextProtoNeg
1100 clientDidALPN := len(hs.hello.alpnProtocols) > 0
1101 serverHasNPN := serverExtensions.nextProtoNeg
1102 serverHasALPN := len(serverExtensions.alpnProtocol) > 0
1103
1104 if !clientDidNPN && serverHasNPN {
1105 c.sendAlert(alertHandshakeFailure)
1106 return errors.New("server advertised unrequested NPN extension")
1107 }
1108
1109 if !clientDidALPN && serverHasALPN {
1110 c.sendAlert(alertHandshakeFailure)
1111 return errors.New("server advertised unrequested ALPN extension")
1112 }
1113
1114 if serverHasNPN && serverHasALPN {
1115 c.sendAlert(alertHandshakeFailure)
1116 return errors.New("server advertised both NPN and ALPN extensions")
1117 }
1118
1119 if serverHasALPN {
1120 c.clientProtocol = serverExtensions.alpnProtocol
1121 c.clientProtocolFallback = false
1122 c.usedALPN = true
1123 }
1124
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1125 if serverHasNPN && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1126 c.sendAlert(alertHandshakeFailure)
1127 return errors.New("server advertised NPN over TLS 1.3")
1128 }
1129
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1130 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested {
1131 c.sendAlert(alertHandshakeFailure)
1132 return errors.New("server advertised unrequested Channel ID extension")
1133 }
1134
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1135 if serverExtensions.channelIDRequested && c.vers >= VersionTLS13 {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1136 c.sendAlert(alertHandshakeFailure)
1137 return errors.New("server advertised Channel ID over TLS 1.3")
1138 }
1139
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1140 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 {
David Benjamine9077652016-07-13 21:02:08 -0400[diff] [blame]1141 return errors.New("tls: server advertised extended master secret over TLS 1.3")
1142 }
1143
David Benjamin8d315d72016-07-18 01:03:18 +0200[diff] [blame]1144 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1145 return errors.New("tls: server advertised ticket extension over TLS 1.3")
1146 }
1147
David Benjamin75101402016-07-01 13:40:23 -0400[diff] [blame]1148 if serverExtensions.srtpProtectionProfile != 0 {
1149 if serverExtensions.srtpMasterKeyIdentifier != "" {
1150 return errors.New("tls: server selected SRTP MKI value")
1151 }
1152
1153 found := false
1154 for _, p := range c.config.SRTPProtectionProfiles {
1155 if p == serverExtensions.srtpProtectionProfile {
1156 found = true
1157 break
1158 }
1159 }
1160 if !found {
1161 return errors.New("tls: server advertised unsupported SRTP profile")
1162 }
1163
1164 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile
1165 }
1166
1167 return nil
1168}
1169
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1170func (hs *clientHandshakeState) serverResumedSession() bool {
1171 // If the server responded with the same sessionId then it means the
1172 // sessionTicket is being used to resume a TLS session.
1173 return hs.session != nil && hs.hello.sessionId != nil &&
1174 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
1175}
1176
1177func (hs *clientHandshakeState) processServerHello() (bool, error) {
1178 c := hs.c
1179
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1180 if hs.serverResumedSession() {
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]1181 // For test purposes, assert that the server never accepts the
1182 // resumption offer on renegotiation.
1183 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {
1184 return false, errors.New("tls: server resumed session on renegotiation")
1185 }
1186
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1187 if hs.serverHello.extensions.sctList != nil {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1188 return false, errors.New("tls: server sent SCT extension on session resumption")
1189 }
1190
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1191 if hs.serverHello.extensions.ocspStapling {
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1192 return false, errors.New("tls: server sent OCSP extension on session resumption")
1193 }
1194
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1195 // Restore masterSecret and peerCerts from previous state
1196 hs.masterSecret = hs.session.masterSecret
1197 c.peerCertificates = hs.session.serverCertificates
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]1198 c.extendedMasterSecret = hs.session.extendedMasterSecret
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1199 c.sctList = hs.session.sctList
1200 c.ocspResponse = hs.session.ocspResponse
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]1201 hs.finishedHash.discardHandshakeBuffer()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1202 return true, nil
1203 }
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1204
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1205 if hs.serverHello.extensions.sctList != nil {
1206 c.sctList = hs.serverHello.extensions.sctList
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1207 }
1208
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1209 return false, nil
1210}
1211
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1212func (hs *clientHandshakeState) readFinished(out []byte) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1213 c := hs.c
1214
1215 c.readRecord(recordTypeChangeCipherSpec)
1216 if err := c.in.error(); err != nil {
1217 return err
1218 }
1219
1220 msg, err := c.readHandshake()
1221 if err != nil {
1222 return err
1223 }
1224 serverFinished, ok := msg.(*finishedMsg)
1225 if !ok {
1226 c.sendAlert(alertUnexpectedMessage)
1227 return unexpectedMessageError(serverFinished, msg)
1228 }
1229
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1230 if c.config.Bugs.EarlyChangeCipherSpec == 0 {
1231 verify := hs.finishedHash.serverSum(hs.masterSecret)
1232 if len(verify) != len(serverFinished.verifyData) ||
1233 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
1234 c.sendAlert(alertHandshakeFailure)
1235 return errors.New("tls: server's Finished message was incorrect")
1236 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1237 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1238 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1239 copy(out, serverFinished.verifyData)
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1240 hs.writeServerHash(serverFinished.marshal())
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1241 return nil
1242}
1243
1244func (hs *clientHandshakeState) readSessionTicket() error {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1245 c := hs.c
1246
1247 // Create a session with no server identifier. Either a
1248 // session ID or session ticket will be attached.
1249 session := &ClientSessionState{
1250 vers: c.vers,
1251 cipherSuite: hs.suite.id,
1252 masterSecret: hs.masterSecret,
1253 handshakeHash: hs.finishedHash.server.Sum(nil),
1254 serverCertificates: c.peerCertificates,
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]1255 sctList: c.sctList,
1256 ocspResponse: c.ocspResponse,
Nick Harper0b3625b2016-07-25 16:16:28 -0700[diff] [blame]1257 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)),
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1258 }
1259
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1260 if !hs.serverHello.extensions.ticketSupported {
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]1261 if c.config.Bugs.ExpectNewTicket {
1262 return errors.New("tls: expected new ticket")
1263 }
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1264 if hs.session == nil && len(hs.serverHello.sessionId) > 0 {
1265 session.sessionId = hs.serverHello.sessionId
1266 hs.session = session
1267 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1268 return nil
1269 }
1270
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]1271 if c.vers == VersionSSL30 {
1272 return errors.New("tls: negotiated session tickets in SSL 3.0")
1273 }
1274
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1275 msg, err := c.readHandshake()
1276 if err != nil {
1277 return err
1278 }
1279 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
1280 if !ok {
1281 c.sendAlert(alertUnexpectedMessage)
1282 return unexpectedMessageError(sessionTicketMsg, msg)
1283 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1284
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]1285 session.sessionTicket = sessionTicketMsg.ticket
1286 hs.session = session
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1287
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1288 hs.writeServerHash(sessionTicketMsg.marshal())
1289
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1290 return nil
1291}
1292
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1293func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1294 c := hs.c
1295
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1296 var postCCSMsgs [][]byte
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1297 seqno := hs.c.sendHandshakeSeq
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1298 if hs.serverHello.extensions.nextProtoNeg {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1299 nextProto := new(nextProtoMsg)
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1300 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1301 nextProto.proto = proto
1302 c.clientProtocol = proto
1303 c.clientProtocolFallback = fallback
1304
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1305 nextProtoBytes := nextProto.marshal()
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1306 hs.writeHash(nextProtoBytes, seqno)
1307 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1308 postCCSMsgs = append(postCCSMsgs, nextProtoBytes)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1309 }
1310
Nick Harperb3d51be2016-07-01 11:43:18 -0400[diff] [blame]1311 if hs.serverHello.extensions.channelIDRequested {
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1312 channelIDMsg := new(channelIDMsg)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1313 if c.config.ChannelID.Curve != elliptic.P256() {
1314 return fmt.Errorf("tls: Channel ID is not on P-256.")
1315 }
1316 var resumeHash []byte
1317 if isResume {
1318 resumeHash = hs.session.handshakeHash
1319 }
1320 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))
1321 if err != nil {
1322 return err
1323 }
1324 channelID := make([]byte, 128)
1325 writeIntPadded(channelID[0:32], c.config.ChannelID.X)
1326 writeIntPadded(channelID[32:64], c.config.ChannelID.Y)
1327 writeIntPadded(channelID[64:96], r)
1328 writeIntPadded(channelID[96:128], s)
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1329 channelIDMsg.channelID = channelID
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1330
1331 c.channelID = &c.config.ChannelID.PublicKey
1332
David Benjamin24599a82016-06-30 18:56:53 -0400[diff] [blame]1333 channelIDMsgBytes := channelIDMsg.marshal()
1334 hs.writeHash(channelIDMsgBytes, seqno)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1335 seqno++
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1336 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes)
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1337 }
1338
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1339 finished := new(finishedMsg)
David Benjaminf3ec83d2014-07-21 22:42:34 -0400[diff] [blame]1340 if c.config.Bugs.EarlyChangeCipherSpec == 2 {
1341 finished.verifyData = hs.finishedHash.clientSum(nil)
1342 } else {
1343 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
1344 }
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]1345 copy(out, finished.verifyData)
David Benjamin513f0ea2015-04-02 19:33:31 -0400[diff] [blame]1346 if c.config.Bugs.BadFinished {
1347 finished.verifyData[0]++
1348 }
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]1349 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]1350 hs.finishedBytes = finished.marshal()
1351 hs.writeHash(hs.finishedBytes, seqno)
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1352 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1353
1354 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1355 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5])
1356 postCCSMsgs[0] = postCCSMsgs[0][5:]
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]1357 } else if c.config.Bugs.SendUnencryptedFinished {
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1358 c.writeRecord(recordTypeHandshake, postCCSMsgs[0])
1359 postCCSMsgs = postCCSMsgs[1:]
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1360 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1361 c.flushHandshake()
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1362
1363 if !c.config.Bugs.SkipChangeCipherSpec &&
1364 c.config.Bugs.EarlyChangeCipherSpec == 0 {
David Benjamin8411b242015-11-26 12:07:28 -0500[diff] [blame]1365 ccs := []byte{1}
1366 if c.config.Bugs.BadChangeCipherSpec != nil {
1367 ccs = c.config.Bugs.BadChangeCipherSpec
1368 }
1369 c.writeRecord(recordTypeChangeCipherSpec, ccs)
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame]1370 }
1371
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1372 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
1373 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
1374 }
David Benjamindc3da932015-03-12 15:09:02 -0400[diff] [blame]1375 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
1376 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
1377 return errors.New("tls: simulating post-CCS alert")
1378 }
David Benjamin4189bd92015-01-25 23:52:39 -0500[diff] [blame]1379
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]1380 if !c.config.Bugs.SkipFinished {
1381 for _, msg := range postCCSMsgs {
1382 c.writeRecord(recordTypeHandshake, msg)
1383 }
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]1384
1385 if c.config.Bugs.SendExtraFinished {
1386 c.writeRecord(recordTypeHandshake, finished.marshal())
1387 }
1388
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]1389 c.flushHandshake()
David Benjaminb3774b92015-01-31 17:16:01 -0500[diff] [blame]1390 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1391 return nil
1392}
1393
David Benjamin83c0bc92014-08-04 01:23:53 -0400[diff] [blame]1394func (hs *clientHandshakeState) writeClientHash(msg []byte) {
1395 // writeClientHash is called before writeRecord.
1396 hs.writeHash(msg, hs.c.sendHandshakeSeq)
1397}
1398
1399func (hs *clientHandshakeState) writeServerHash(msg []byte) {
1400 // writeServerHash is called after readHandshake.
1401 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
1402}
1403
1404func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {
1405 if hs.c.isDTLS {
1406 // This is somewhat hacky. DTLS hashes a slightly different format.
1407 // First, the TLS header.
1408 hs.finishedHash.Write(msg[:4])
1409 // Then the sequence number and reassembled fragment offset (always 0).
1410 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
1411 // Then the reassembled fragment (always equal to the message length).
1412 hs.finishedHash.Write(msg[1:4])
1413 // And then the message body.
1414 hs.finishedHash.Write(msg[4:])
1415 } else {
1416 hs.finishedHash.Write(msg)
1417 }
1418}
1419
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1420// selectClientCertificate selects a certificate for use with the given
1421// certificate, or none if none match. It may return a particular certificate or
1422// nil on success, or an error on internal error.
1423func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) {
1424 // RFC 4346 on the certificateAuthorities field:
1425 // A list of the distinguished names of acceptable certificate
1426 // authorities. These distinguished names may specify a desired
1427 // distinguished name for a root CA or for a subordinate CA; thus, this
1428 // message can be used to describe both known roots and a desired
1429 // authorization space. If the certificate_authorities list is empty
1430 // then the client MAY send any certificate of the appropriate
1431 // ClientCertificateType, unless there is some external arrangement to
1432 // the contrary.
1433
1434 var rsaAvail, ecdsaAvail bool
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1435 if !certReq.hasRequestContext {
1436 for _, certType := range certReq.certificateTypes {
1437 switch certType {
1438 case CertTypeRSASign:
1439 rsaAvail = true
1440 case CertTypeECDSASign:
1441 ecdsaAvail = true
1442 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1443 }
1444 }
1445
1446 // We need to search our list of client certs for one
1447 // where SignatureAlgorithm is RSA and the Issuer is in
1448 // certReq.certificateAuthorities
1449findCert:
1450 for i, chain := range c.config.Certificates {
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1451 if !certReq.hasRequestContext && !rsaAvail && !ecdsaAvail {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1452 continue
1453 }
1454
1455 // Ensure the private key supports one of the advertised
1456 // signature algorithms.
1457 if certReq.hasSignatureAlgorithm {
David Benjamin0a8deb22016-07-09 21:02:01 -0700[diff] [blame]1458 if _, err := selectSignatureAlgorithm(c.vers, chain.PrivateKey, c.config, certReq.signatureAlgorithms); err != nil {
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1459 continue
1460 }
1461 }
1462
1463 for j, cert := range chain.Certificate {
1464 x509Cert := chain.Leaf
1465 // parse the certificate if this isn't the leaf
1466 // node, or if chain.Leaf was nil
1467 if j != 0 || x509Cert == nil {
1468 var err error
1469 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
1470 c.sendAlert(alertInternalError)
1471 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
1472 }
1473 }
1474
Nick Harperb41d2e42016-07-01 17:50:32 -0400[diff] [blame]1475 if !certReq.hasRequestContext {
1476 switch {
1477 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
1478 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
1479 default:
1480 continue findCert
1481 }
David Benjamina6f82632016-07-01 18:44:02 -0400[diff] [blame]1482 }
1483
1484 if len(certReq.certificateAuthorities) == 0 {
1485 // They gave us an empty list, so just take the
1486 // first certificate of valid type from
1487 // c.config.Certificates.
1488 return &chain, nil
1489 }
1490
1491 for _, ca := range certReq.certificateAuthorities {
1492 if bytes.Equal(x509Cert.RawIssuer, ca) {
1493 return &chain, nil
1494 }
1495 }
1496 }
1497 }
1498
1499 return nil, nil
1500}
1501
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1502// clientSessionCacheKey returns a key used to cache sessionTickets that could
1503// be used to resume previously negotiated TLS sessions with a server.
1504func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
1505 if len(config.ServerName) > 0 {
1506 return config.ServerName
1507 }
1508 return serverAddr.String()
1509}
1510
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1511// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
1512// given list of possible protocols and a list of the preference order. The
1513// first list must not be empty. It returns the resulting protocol and flag
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1514// indicating if the fallback case was reached.
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1515func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
1516 for _, s := range preferenceProtos {
1517 for _, c := range protos {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1518 if s == c {
1519 return s, false
1520 }
1521 }
1522 }
1523
David Benjaminfa055a22014-09-15 16:51:51 -0400[diff] [blame]1524 return protos[0], true
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1525}
David Benjamind30a9902014-08-24 01:44:23 -0400[diff] [blame]1526
1527// writeIntPadded writes x into b, padded up with leading zeros as
1528// needed.
1529func writeIntPadded(b []byte, x *big.Int) {
1530 for i := range b {
1531 b[i] = 0
1532 }
1533 xb := x.Bytes()
1534 copy(b[len(b)-len(xb):], xb)
1535}