1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "crypto/subtle" 15 "crypto/x509" 16 "errors" 17 "fmt" 18 "io" 19 "math/big" 20 "net" 21 "time" 22) 23 24type clientHandshakeState struct { 25 c *Conn 26 serverHello *serverHelloMsg 27 hello *clientHelloMsg 28 suite *cipherSuite 29 finishedHash finishedHash 30 keyShares map[CurveID]ecdhCurve 31 masterSecret []byte 32 session *ClientSessionState 33 finishedBytes []byte 34 peerPublicKey crypto.PublicKey 35 skxAlgo signatureAlgorithm 36} 37 38func mapClientHelloVersion(vers uint16, isDTLS bool) uint16 { 39 if !isDTLS { 40 return vers 41 } 42 43 switch vers { 44 case VersionTLS12: 45 return VersionDTLS12 46 case VersionTLS10: 47 return VersionDTLS10 48 } 49 50 panic("Unknown ClientHello version.") 51} 52 53func fixClientHellos(hello *clientHelloMsg, in []byte) ([]byte, error) { 54 ret := append([]byte{}, in...) 55 newHello := new(clientHelloMsg) 56 if !newHello.unmarshal(ret) { 57 return nil, errors.New("tls: invalid ClientHello") 58 } 59 60 hello.random = newHello.random 61 hello.sessionId = newHello.sessionId 62 63 // Replace |ret|'s key shares with those of |hello|. For simplicity, we 64 // require their lengths match, which is satisfied by matching the 65 // DefaultCurves setting to the selection in the replacement 66 // ClientHello. 67 bb := newByteBuilder() 68 hello.marshalKeyShares(bb) 69 keyShares := bb.finish() 70 if len(keyShares) != len(newHello.keySharesRaw) { 71 return nil, errors.New("tls: ClientHello key share length is inconsistent with DefaultCurves setting") 72 } 73 // |newHello.keySharesRaw| aliases |ret|. 74 copy(newHello.keySharesRaw, keyShares) 75 76 return ret, nil 77} 78 79func (c *Conn) clientHandshake() error { 80 if c.config == nil { 81 c.config = defaultConfig() 82 } 83 84 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify { 85 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") 86 } 87 88 c.sendHandshakeSeq = 0 89 c.recvHandshakeSeq = 0 90 91 nextProtosLength := 0 92 for _, proto := range c.config.NextProtos { 93 if l := len(proto); l > 255 { 94 return errors.New("tls: invalid NextProtos value") 95 } else { 96 nextProtosLength += 1 + l 97 } 98 } 99 if nextProtosLength > 0xffff { 100 return errors.New("tls: NextProtos values too large") 101 } 102 103 minVersion := c.config.minVersion(c.isDTLS) 104 maxVersion := c.config.maxVersion(c.isDTLS) 105 hello := &clientHelloMsg{ 106 isDTLS: c.isDTLS, 107 compressionMethods: []uint8{compressionNone}, 108 random: make([]byte, 32), 109 ocspStapling: !c.config.Bugs.NoOCSPStapling, 110 sctListSupported: !c.config.Bugs.NoSignedCertificateTimestamps, 111 serverName: c.config.ServerName, 112 supportedCurves: c.config.curvePreferences(), 113 supportedPoints: []uint8{pointFormatUncompressed}, 114 nextProtoNeg: len(c.config.NextProtos) > 0, 115 secureRenegotiation: []byte{}, 116 alpnProtocols: c.config.NextProtos, 117 quicTransportParams: c.config.QUICTransportParams, 118 duplicateExtension: c.config.Bugs.DuplicateExtension, 119 channelIDSupported: c.config.ChannelID != nil, 120 tokenBindingParams: c.config.TokenBindingParams, 121 tokenBindingVersion: c.config.TokenBindingVersion, 122 npnAfterAlpn: c.config.Bugs.SwapNPNAndALPN, 123 extendedMasterSecret: maxVersion >= VersionTLS10, 124 srtpProtectionProfiles: c.config.SRTPProtectionProfiles, 125 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer, 126 customExtension: c.config.Bugs.CustomExtension, 127 pskBinderFirst: c.config.Bugs.PSKBinderFirst && !c.config.Bugs.OnlyCorruptSecondPSKBinder, 128 omitExtensions: c.config.Bugs.OmitExtensions, 129 emptyExtensions: c.config.Bugs.EmptyExtensions, 130 delegatedCredentials: !c.config.Bugs.DisableDelegatedCredentials, 131 pqExperimentSignal: c.config.PQExperimentSignal, 132 } 133 134 if maxVersion >= VersionTLS13 { 135 hello.vers = mapClientHelloVersion(VersionTLS12, c.isDTLS) 136 if !c.config.Bugs.OmitSupportedVersions { 137 hello.supportedVersions = c.config.supportedVersions(c.isDTLS) 138 } 139 hello.pskKEModes = []byte{pskDHEKEMode} 140 } else { 141 hello.vers = mapClientHelloVersion(maxVersion, c.isDTLS) 142 } 143 144 if c.config.Bugs.SendClientVersion != 0 { 145 hello.vers = c.config.Bugs.SendClientVersion 146 } 147 148 if len(c.config.Bugs.SendSupportedVersions) > 0 { 149 hello.supportedVersions = c.config.Bugs.SendSupportedVersions 150 } 151 152 disableEMS := c.config.Bugs.NoExtendedMasterSecret 153 if c.cipherSuite != nil { 154 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation 155 } 156 157 if disableEMS { 158 hello.extendedMasterSecret = false 159 } 160 161 if c.config.Bugs.NoSupportedCurves { 162 hello.supportedCurves = nil 163 } 164 165 if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 { 166 hello.pskKEModes = c.config.Bugs.SendPSKKeyExchangeModes 167 } 168 169 if c.config.Bugs.SendCompressionMethods != nil { 170 hello.compressionMethods = c.config.Bugs.SendCompressionMethods 171 } 172 173 if c.config.Bugs.SendSupportedPointFormats != nil { 174 hello.supportedPoints = c.config.Bugs.SendSupportedPointFormats 175 } 176 177 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 178 if c.config.Bugs.BadRenegotiationInfo { 179 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...) 180 hello.secureRenegotiation[0] ^= 0x80 181 } else { 182 hello.secureRenegotiation = c.clientVerify 183 } 184 } 185 186 if c.config.Bugs.DuplicateCompressedCertAlgs { 187 hello.compressedCertAlgs = []uint16{1, 1} 188 } else if len(c.config.CertCompressionAlgs) > 0 { 189 hello.compressedCertAlgs = make([]uint16, 0, len(c.config.CertCompressionAlgs)) 190 for id, _ := range c.config.CertCompressionAlgs { 191 hello.compressedCertAlgs = append(hello.compressedCertAlgs, uint16(id)) 192 } 193 } 194 195 if c.noRenegotiationInfo() { 196 hello.secureRenegotiation = nil 197 } 198 199 var keyShares map[CurveID]ecdhCurve 200 if maxVersion >= VersionTLS13 { 201 keyShares = make(map[CurveID]ecdhCurve) 202 hello.hasKeyShares = true 203 hello.trailingKeyShareData = c.config.Bugs.TrailingKeyShareData 204 curvesToSend := c.config.defaultCurves() 205 for _, curveID := range hello.supportedCurves { 206 if !curvesToSend[curveID] { 207 continue 208 } 209 curve, ok := curveForCurveID(curveID, c.config) 210 if !ok { 211 continue 212 } 213 publicKey, err := curve.offer(c.config.rand()) 214 if err != nil { 215 return err 216 } 217 218 if c.config.Bugs.SendCurve != 0 { 219 curveID = c.config.Bugs.SendCurve 220 } 221 if c.config.Bugs.InvalidECDHPoint { 222 publicKey[0] ^= 0xff 223 } 224 225 hello.keyShares = append(hello.keyShares, keyShareEntry{ 226 group: curveID, 227 keyExchange: publicKey, 228 }) 229 keyShares[curveID] = curve 230 231 if c.config.Bugs.DuplicateKeyShares { 232 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1]) 233 } 234 } 235 236 if c.config.Bugs.MissingKeyShare { 237 hello.hasKeyShares = false 238 } 239 } 240 241 possibleCipherSuites := c.config.cipherSuites() 242 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites)) 243 244NextCipherSuite: 245 for _, suiteId := range possibleCipherSuites { 246 for _, suite := range cipherSuites { 247 if suite.id != suiteId { 248 continue 249 } 250 // Don't advertise TLS 1.2-only cipher suites unless 251 // we're attempting TLS 1.2. 252 if maxVersion < VersionTLS12 && suite.flags&suiteTLS12 != 0 { 253 continue 254 } 255 hello.cipherSuites = append(hello.cipherSuites, suiteId) 256 continue NextCipherSuite 257 } 258 } 259 260 if c.config.Bugs.AdvertiseAllConfiguredCiphers { 261 hello.cipherSuites = possibleCipherSuites 262 } 263 264 if c.config.Bugs.SendRenegotiationSCSV { 265 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV) 266 } 267 268 if c.config.Bugs.SendFallbackSCSV { 269 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV) 270 } 271 272 _, err := io.ReadFull(c.config.rand(), hello.random) 273 if err != nil { 274 c.sendAlert(alertInternalError) 275 return errors.New("tls: short read from Rand: " + err.Error()) 276 } 277 278 if maxVersion >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms { 279 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms() 280 } 281 282 var session *ClientSessionState 283 var cacheKey string 284 sessionCache := c.config.ClientSessionCache 285 286 if sessionCache != nil { 287 hello.ticketSupported = !c.config.SessionTicketsDisabled 288 289 // Try to resume a previously negotiated TLS session, if 290 // available. 291 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 292 // TODO(nharper): Support storing more than one session 293 // ticket for TLS 1.3. 294 candidateSession, ok := sessionCache.Get(cacheKey) 295 if ok { 296 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil 297 298 // Check that the ciphersuite/version used for the 299 // previous session are still valid. 300 cipherSuiteOk := false 301 if candidateSession.vers <= VersionTLS12 { 302 for _, id := range hello.cipherSuites { 303 if id == candidateSession.cipherSuite { 304 cipherSuiteOk = true 305 break 306 } 307 } 308 } else { 309 // TLS 1.3 allows the cipher to change on 310 // resumption. 311 cipherSuiteOk = true 312 } 313 314 versOk := candidateSession.vers >= minVersion && 315 candidateSession.vers <= maxVersion 316 if ticketOk && versOk && cipherSuiteOk { 317 session = candidateSession 318 } 319 } 320 } 321 322 var pskCipherSuite *cipherSuite 323 if session != nil && c.config.time().Before(session.ticketExpiration) { 324 ticket := session.sessionTicket 325 if c.config.Bugs.FilterTicket != nil && len(ticket) > 0 { 326 // Copy the ticket so FilterTicket may act in-place. 327 ticket = make([]byte, len(session.sessionTicket)) 328 copy(ticket, session.sessionTicket) 329 330 ticket, err = c.config.Bugs.FilterTicket(ticket) 331 if err != nil { 332 return err 333 } 334 } 335 336 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets { 337 pskCipherSuite = cipherSuiteFromID(session.cipherSuite) 338 if pskCipherSuite == nil { 339 return errors.New("tls: client session cache has invalid cipher suite") 340 } 341 // TODO(nharper): Support sending more 342 // than one PSK identity. 343 ticketAge := uint32(c.config.time().Sub(session.ticketCreationTime) / time.Millisecond) 344 if c.config.Bugs.SendTicketAge != 0 { 345 ticketAge = uint32(c.config.Bugs.SendTicketAge / time.Millisecond) 346 } 347 psk := pskIdentity{ 348 ticket: ticket, 349 obfuscatedTicketAge: session.ticketAgeAdd + ticketAge, 350 } 351 hello.pskIdentities = []pskIdentity{psk} 352 353 if c.config.Bugs.ExtraPSKIdentity { 354 hello.pskIdentities = append(hello.pskIdentities, psk) 355 } 356 } 357 358 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets { 359 if ticket != nil { 360 hello.sessionTicket = ticket 361 // A random session ID is used to detect when the 362 // server accepted the ticket and is resuming a session 363 // (see RFC 5077). 364 sessionIdLen := 16 365 if c.config.Bugs.TicketSessionIDLength != 0 { 366 sessionIdLen = c.config.Bugs.TicketSessionIDLength 367 } 368 if c.config.Bugs.EmptyTicketSessionID { 369 sessionIdLen = 0 370 } 371 hello.sessionId = make([]byte, sessionIdLen) 372 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 373 c.sendAlert(alertInternalError) 374 return errors.New("tls: short read from Rand: " + err.Error()) 375 } 376 } else { 377 hello.sessionId = session.sessionId 378 } 379 } 380 } 381 382 // Request compatibility mode from the client by sending a fake session 383 // ID. Although BoringSSL always enables compatibility mode, other 384 // implementations make it conditional on the ClientHello. We test 385 // BoringSSL's expected behavior with SendClientHelloSessionID. 386 if len(hello.sessionId) == 0 && maxVersion >= VersionTLS13 { 387 hello.sessionId = make([]byte, 32) 388 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 389 c.sendAlert(alertInternalError) 390 return errors.New("tls: short read from Rand: " + err.Error()) 391 } 392 } 393 394 if c.config.Bugs.SendCipherSuites != nil { 395 hello.cipherSuites = c.config.Bugs.SendCipherSuites 396 } 397 398 var sendEarlyData bool 399 if len(hello.pskIdentities) > 0 && c.config.Bugs.SendEarlyData != nil { 400 hello.hasEarlyData = true 401 sendEarlyData = true 402 } 403 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 404 hello.hasEarlyData = true 405 } 406 if c.config.Bugs.OmitEarlyDataExtension { 407 hello.hasEarlyData = false 408 } 409 if c.config.Bugs.SendClientHelloSessionID != nil { 410 hello.sessionId = c.config.Bugs.SendClientHelloSessionID 411 } 412 413 var helloBytes []byte 414 if c.config.Bugs.SendV2ClientHello { 415 // Test that the peer left-pads random. 416 hello.random[0] = 0 417 v2Hello := &v2ClientHelloMsg{ 418 vers: hello.vers, 419 cipherSuites: hello.cipherSuites, 420 // No session resumption for V2ClientHello. 421 sessionId: nil, 422 challenge: hello.random[1:], 423 } 424 helloBytes = v2Hello.marshal() 425 c.writeV2Record(helloBytes) 426 } else { 427 if len(hello.pskIdentities) > 0 { 428 version := session.wireVersion 429 // We may have a pre-1.3 session if SendBothTickets is 430 // set. 431 if session.vers < VersionTLS13 { 432 version = VersionTLS13 433 } 434 generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config) 435 } 436 if c.config.Bugs.SendClientHelloWithFixes != nil { 437 helloBytes, err = fixClientHellos(hello, c.config.Bugs.SendClientHelloWithFixes) 438 if err != nil { 439 return err 440 } 441 } else { 442 helloBytes = hello.marshal() 443 } 444 445 if c.config.Bugs.PartialClientFinishedWithClientHello { 446 // Include one byte of Finished. We can compute it 447 // without completing the handshake. This assumes we 448 // negotiate TLS 1.3 with no HelloRetryRequest or 449 // CertificateRequest. 450 toWrite := make([]byte, 0, len(helloBytes)+1) 451 toWrite = append(toWrite, helloBytes...) 452 toWrite = append(toWrite, typeFinished) 453 c.writeRecord(recordTypeHandshake, toWrite) 454 } else { 455 c.writeRecord(recordTypeHandshake, helloBytes) 456 } 457 } 458 c.flushHandshake() 459 460 if err := c.simulatePacketLoss(nil); err != nil { 461 return err 462 } 463 if c.config.Bugs.SendEarlyAlert { 464 c.sendAlert(alertHandshakeFailure) 465 } 466 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 467 c.sendFakeEarlyData(c.config.Bugs.SendFakeEarlyDataLength) 468 } 469 470 // Derive early write keys and set Conn state to allow early writes. 471 if sendEarlyData { 472 finishedHash := newFinishedHash(session.wireVersion, c.isDTLS, pskCipherSuite) 473 finishedHash.addEntropy(session.masterSecret) 474 finishedHash.Write(helloBytes) 475 476 if !c.config.Bugs.SkipChangeCipherSpec { 477 c.wireVersion = session.wireVersion 478 c.vers = VersionTLS13 479 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 480 c.wireVersion = 0 481 c.vers = 0 482 } 483 484 earlyTrafficSecret := finishedHash.deriveSecret(earlyTrafficLabel) 485 c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabel) 486 487 c.useOutTrafficSecret(session.wireVersion, pskCipherSuite, earlyTrafficSecret) 488 for _, earlyData := range c.config.Bugs.SendEarlyData { 489 if _, err := c.writeRecord(recordTypeApplicationData, earlyData); err != nil { 490 return err 491 } 492 } 493 } 494 495 msg, err := c.readHandshake() 496 if err != nil { 497 return err 498 } 499 500 if c.isDTLS { 501 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg) 502 if ok { 503 if helloVerifyRequest.vers != VersionDTLS10 { 504 // Per RFC 6347, the version field in 505 // HelloVerifyRequest SHOULD be always DTLS 506 // 1.0. Enforce this for testing purposes. 507 return errors.New("dtls: bad HelloVerifyRequest version") 508 } 509 510 hello.raw = nil 511 hello.cookie = helloVerifyRequest.cookie 512 helloBytes = hello.marshal() 513 c.writeRecord(recordTypeHandshake, helloBytes) 514 c.flushHandshake() 515 516 if err := c.simulatePacketLoss(nil); err != nil { 517 return err 518 } 519 msg, err = c.readHandshake() 520 if err != nil { 521 return err 522 } 523 } 524 } 525 526 var serverWireVersion uint16 527 switch m := msg.(type) { 528 case *helloRetryRequestMsg: 529 serverWireVersion = m.vers 530 case *serverHelloMsg: 531 serverWireVersion = m.vers 532 default: 533 c.sendAlert(alertUnexpectedMessage) 534 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg) 535 } 536 537 serverVersion, ok := c.config.isSupportedVersion(serverWireVersion, c.isDTLS) 538 if !ok { 539 c.sendAlert(alertProtocolVersion) 540 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers) 541 } 542 c.wireVersion = serverWireVersion 543 c.vers = serverVersion 544 c.haveVers = true 545 546 if c.vers >= VersionTLS13 { 547 // The first server message must be followed by a ChangeCipherSpec. 548 c.expectTLS13ChangeCipherSpec = true 549 } 550 551 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg) 552 var secondHelloBytes []byte 553 if haveHelloRetryRequest { 554 if c.config.Bugs.FailIfHelloRetryRequested { 555 return errors.New("tls: unexpected HelloRetryRequest") 556 } 557 // Explicitly read the ChangeCipherSpec now; it should 558 // be attached to the first flight, not the second flight. 559 if err := c.readTLS13ChangeCipherSpec(); err != nil { 560 return err 561 } 562 563 c.out.resetCipher() 564 if len(helloRetryRequest.cookie) > 0 { 565 hello.tls13Cookie = helloRetryRequest.cookie 566 } 567 568 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 { 569 helloRetryRequest.hasSelectedGroup = true 570 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve 571 } 572 if helloRetryRequest.hasSelectedGroup { 573 var hrrCurveFound bool 574 group := helloRetryRequest.selectedGroup 575 for _, curveID := range hello.supportedCurves { 576 if group == curveID { 577 hrrCurveFound = true 578 break 579 } 580 } 581 if !hrrCurveFound || keyShares[group] != nil { 582 c.sendAlert(alertHandshakeFailure) 583 return errors.New("tls: received invalid HelloRetryRequest") 584 } 585 curve, ok := curveForCurveID(group, c.config) 586 if !ok { 587 return errors.New("tls: Unable to get curve requested in HelloRetryRequest") 588 } 589 publicKey, err := curve.offer(c.config.rand()) 590 if err != nil { 591 return err 592 } 593 keyShares[group] = curve 594 hello.keyShares = []keyShareEntry{{ 595 group: group, 596 keyExchange: publicKey, 597 }} 598 } 599 600 if c.config.Bugs.SecondClientHelloMissingKeyShare { 601 hello.hasKeyShares = false 602 } 603 604 hello.hasEarlyData = c.config.Bugs.SendEarlyDataOnSecondClientHello 605 // The first ClientHello may have skipped this due to OnlyCorruptSecondPSKBinder. 606 hello.pskBinderFirst = c.config.Bugs.PSKBinderFirst 607 if c.config.Bugs.OmitPSKsOnSecondClientHello { 608 hello.pskIdentities = nil 609 hello.pskBinders = nil 610 } 611 hello.raw = nil 612 613 if len(hello.pskIdentities) > 0 { 614 generatePSKBinders(c.wireVersion, hello, pskCipherSuite, session.masterSecret, helloBytes, helloRetryRequest.marshal(), c.config) 615 } 616 secondHelloBytes = hello.marshal() 617 618 if c.config.Bugs.InterleaveEarlyData { 619 c.sendFakeEarlyData(4) 620 c.writeRecord(recordTypeHandshake, secondHelloBytes[:16]) 621 c.sendFakeEarlyData(4) 622 c.writeRecord(recordTypeHandshake, secondHelloBytes[16:]) 623 } else { 624 c.writeRecord(recordTypeHandshake, secondHelloBytes) 625 } 626 c.flushHandshake() 627 628 if c.config.Bugs.SendEarlyDataOnSecondClientHello { 629 c.sendFakeEarlyData(4) 630 } 631 632 msg, err = c.readHandshake() 633 if err != nil { 634 return err 635 } 636 } 637 638 serverHello, ok := msg.(*serverHelloMsg) 639 if !ok { 640 c.sendAlert(alertUnexpectedMessage) 641 return unexpectedMessageError(serverHello, msg) 642 } 643 644 if serverWireVersion != serverHello.vers { 645 c.sendAlert(alertIllegalParameter) 646 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers) 647 } 648 649 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) 650 // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3. 651 gotDowngrade := serverHello.random[len(serverHello.random)-8:] 652 if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom { 653 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { 654 if bytes.Equal(gotDowngrade, downgradeTLS13) { 655 c.sendAlert(alertProtocolVersion) 656 return errors.New("tls: downgrade from TLS 1.3 detected") 657 } 658 } 659 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 { 660 if bytes.Equal(gotDowngrade, downgradeTLS12) { 661 c.sendAlert(alertProtocolVersion) 662 return errors.New("tls: downgrade from TLS 1.2 detected") 663 } 664 } 665 } 666 667 if bytes.Equal(gotDowngrade, downgradeJDK11) != c.config.Bugs.ExpectJDK11DowngradeRandom { 668 c.sendAlert(alertProtocolVersion) 669 if c.config.Bugs.ExpectJDK11DowngradeRandom { 670 return errors.New("tls: server did not send a JDK 11 downgrade signal") 671 } 672 return errors.New("tls: server sent an unexpected JDK 11 downgrade signal") 673 } 674 675 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite) 676 if suite == nil { 677 c.sendAlert(alertHandshakeFailure) 678 return fmt.Errorf("tls: server selected an unsupported cipher suite") 679 } 680 681 if haveHelloRetryRequest && helloRetryRequest.hasSelectedGroup && helloRetryRequest.selectedGroup != serverHello.keyShare.group { 682 c.sendAlert(alertHandshakeFailure) 683 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest") 684 } 685 686 if c.config.Bugs.ExpectOmitExtensions && !serverHello.omitExtensions { 687 return errors.New("tls: ServerHello did not omit extensions") 688 } 689 690 hs := &clientHandshakeState{ 691 c: c, 692 serverHello: serverHello, 693 hello: hello, 694 suite: suite, 695 finishedHash: newFinishedHash(c.wireVersion, c.isDTLS, suite), 696 keyShares: keyShares, 697 session: session, 698 } 699 700 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1) 701 if haveHelloRetryRequest { 702 err = hs.finishedHash.UpdateForHelloRetryRequest() 703 if err != nil { 704 return err 705 } 706 hs.writeServerHash(helloRetryRequest.marshal()) 707 hs.writeClientHash(secondHelloBytes) 708 } 709 hs.writeServerHash(hs.serverHello.marshal()) 710 711 if c.vers >= VersionTLS13 { 712 if err := hs.doTLS13Handshake(); err != nil { 713 return err 714 } 715 } else { 716 if c.config.Bugs.EarlyChangeCipherSpec > 0 { 717 hs.establishKeys() 718 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 719 } 720 721 if hs.serverHello.compressionMethod != compressionNone { 722 c.sendAlert(alertUnexpectedMessage) 723 return errors.New("tls: server selected unsupported compression format") 724 } 725 726 err = hs.processServerExtensions(&serverHello.extensions) 727 if err != nil { 728 return err 729 } 730 731 isResume, err := hs.processServerHello() 732 if err != nil { 733 return err 734 } 735 736 if isResume { 737 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 738 if err := hs.establishKeys(); err != nil { 739 return err 740 } 741 } 742 if err := hs.readSessionTicket(); err != nil { 743 return err 744 } 745 if err := hs.readFinished(c.firstFinished[:]); err != nil { 746 return err 747 } 748 if err := hs.sendFinished(nil, isResume); err != nil { 749 return err 750 } 751 } else { 752 if err := hs.doFullHandshake(); err != nil { 753 return err 754 } 755 if err := hs.establishKeys(); err != nil { 756 return err 757 } 758 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 759 return err 760 } 761 // Most retransmits are triggered by a timeout, but the final 762 // leg of the handshake is retransmited upon re-receiving a 763 // Finished. 764 if err := c.simulatePacketLoss(func() { 765 c.sendHandshakeSeq-- 766 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 767 c.flushHandshake() 768 }); err != nil { 769 return err 770 } 771 if err := hs.readSessionTicket(); err != nil { 772 return err 773 } 774 if err := hs.readFinished(nil); err != nil { 775 return err 776 } 777 } 778 779 if sessionCache != nil && hs.session != nil && session != hs.session { 780 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 { 781 return errors.New("tls: new session used session IDs instead of tickets") 782 } 783 if c.config.Bugs.RequireSessionIDs && len(hs.session.sessionId) == 0 { 784 return errors.New("tls: new session used session tickets instead of IDs") 785 } 786 sessionCache.Put(cacheKey, hs.session) 787 } 788 789 c.didResume = isResume 790 c.exporterSecret = hs.masterSecret 791 } 792 793 c.handshakeComplete = true 794 c.cipherSuite = suite 795 copy(c.clientRandom[:], hs.hello.random) 796 copy(c.serverRandom[:], hs.serverHello.random) 797 798 return nil 799} 800 801func (hs *clientHandshakeState) doTLS13Handshake() error { 802 c := hs.c 803 804 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { 805 return errors.New("tls: session IDs did not match.") 806 } 807 808 // Once the PRF hash is known, TLS 1.3 does not require a handshake 809 // buffer. 810 hs.finishedHash.discardHandshakeBuffer() 811 812 zeroSecret := hs.finishedHash.zeroSecret() 813 814 // Resolve PSK and compute the early secret. 815 // 816 // TODO(davidben): This will need to be handled slightly earlier once 817 // 0-RTT is implemented. 818 if hs.serverHello.hasPSKIdentity { 819 // We send at most one PSK identity. 820 if hs.session == nil || hs.serverHello.pskIdentity != 0 { 821 c.sendAlert(alertUnknownPSKIdentity) 822 return errors.New("tls: server sent unknown PSK identity") 823 } 824 sessionCipher := cipherSuiteFromID(hs.session.cipherSuite) 825 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 826 c.sendAlert(alertHandshakeFailure) 827 return errors.New("tls: server resumed an invalid session for the cipher suite") 828 } 829 hs.finishedHash.addEntropy(hs.session.masterSecret) 830 c.didResume = true 831 } else { 832 hs.finishedHash.addEntropy(zeroSecret) 833 } 834 835 if !hs.serverHello.hasKeyShare { 836 c.sendAlert(alertUnsupportedExtension) 837 return errors.New("tls: server omitted KeyShare on resumption.") 838 } 839 840 // Resolve ECDHE and compute the handshake secret. 841 if !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare { 842 curve, ok := hs.keyShares[hs.serverHello.keyShare.group] 843 if !ok { 844 c.sendAlert(alertHandshakeFailure) 845 return errors.New("tls: server selected an unsupported group") 846 } 847 c.curveID = hs.serverHello.keyShare.group 848 849 ecdheSecret, err := curve.finish(hs.serverHello.keyShare.keyExchange) 850 if err != nil { 851 return err 852 } 853 hs.finishedHash.nextSecret() 854 hs.finishedHash.addEntropy(ecdheSecret) 855 } else { 856 hs.finishedHash.nextSecret() 857 hs.finishedHash.addEntropy(zeroSecret) 858 } 859 860 // Derive handshake traffic keys and switch read key to handshake 861 // traffic key. 862 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 863 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 864 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, serverHandshakeTrafficSecret); err != nil { 865 return err 866 } 867 868 msg, err := c.readHandshake() 869 if err != nil { 870 return err 871 } 872 873 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 874 if !ok { 875 c.sendAlert(alertUnexpectedMessage) 876 return unexpectedMessageError(encryptedExtensions, msg) 877 } 878 hs.writeServerHash(encryptedExtensions.marshal()) 879 880 err = hs.processServerExtensions(&encryptedExtensions.extensions) 881 if err != nil { 882 return err 883 } 884 885 var chainToSend *Certificate 886 var certReq *certificateRequestMsg 887 if c.didResume { 888 // Copy over authentication from the session. 889 c.peerCertificates = hs.session.serverCertificates 890 c.sctList = hs.session.sctList 891 c.ocspResponse = hs.session.ocspResponse 892 } else { 893 msg, err := c.readHandshake() 894 if err != nil { 895 return err 896 } 897 898 var ok bool 899 certReq, ok = msg.(*certificateRequestMsg) 900 if ok { 901 if len(certReq.requestContext) != 0 { 902 return errors.New("tls: non-empty certificate request context sent in handshake") 903 } 904 905 if c.config.Bugs.ExpectNoCertificateAuthoritiesExtension && certReq.hasCAExtension { 906 return errors.New("tls: expected no certificate_authorities extension") 907 } 908 909 if err := checkRSAPSSSupport(c.config.Bugs.ExpectRSAPSSSupport, certReq.signatureAlgorithms, certReq.signatureAlgorithmsCert); err != nil { 910 return err 911 } 912 913 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 914 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 915 } 916 917 hs.writeServerHash(certReq.marshal()) 918 919 chainToSend, err = selectClientCertificate(c, certReq) 920 if err != nil { 921 return err 922 } 923 924 msg, err = c.readHandshake() 925 if err != nil { 926 return err 927 } 928 } 929 930 var certMsg *certificateMsg 931 932 if compressedCertMsg, ok := msg.(*compressedCertificateMsg); ok { 933 hs.writeServerHash(compressedCertMsg.marshal()) 934 935 alg, ok := c.config.CertCompressionAlgs[compressedCertMsg.algID] 936 if !ok { 937 c.sendAlert(alertBadCertificate) 938 return fmt.Errorf("tls: received certificate compressed with unknown algorithm %x", compressedCertMsg.algID) 939 } 940 941 decompressed := make([]byte, 4+int(compressedCertMsg.uncompressedLength)) 942 if !alg.Decompress(decompressed[4:], compressedCertMsg.compressed) { 943 c.sendAlert(alertBadCertificate) 944 return fmt.Errorf("tls: failed to decompress certificate with algorithm %x", compressedCertMsg.algID) 945 } 946 947 certMsg = &certificateMsg{ 948 hasRequestContext: true, 949 } 950 951 if !certMsg.unmarshal(decompressed) { 952 c.sendAlert(alertBadCertificate) 953 return errors.New("tls: failed to parse decompressed certificate") 954 } 955 956 if expected := c.config.Bugs.ExpectedCompressedCert; expected != 0 && expected != compressedCertMsg.algID { 957 return fmt.Errorf("tls: expected certificate compressed with algorithm %x, but message used %x", expected, compressedCertMsg.algID) 958 } 959 } else { 960 if certMsg, ok = msg.(*certificateMsg); !ok { 961 c.sendAlert(alertUnexpectedMessage) 962 return unexpectedMessageError(certMsg, msg) 963 } 964 hs.writeServerHash(certMsg.marshal()) 965 966 if c.config.Bugs.ExpectedCompressedCert != 0 { 967 return errors.New("tls: uncompressed certificate received") 968 } 969 } 970 971 // Check for unsolicited extensions. 972 for i, cert := range certMsg.certificates { 973 if c.config.Bugs.NoOCSPStapling && cert.ocspResponse != nil { 974 c.sendAlert(alertUnsupportedExtension) 975 return errors.New("tls: unexpected OCSP response in the server certificate") 976 } 977 if c.config.Bugs.NoSignedCertificateTimestamps && cert.sctList != nil { 978 c.sendAlert(alertUnsupportedExtension) 979 return errors.New("tls: unexpected SCT list in the server certificate") 980 } 981 if i > 0 && c.config.Bugs.ExpectNoExtensionsOnIntermediate && (cert.ocspResponse != nil || cert.sctList != nil) { 982 c.sendAlert(alertUnsupportedExtension) 983 return errors.New("tls: unexpected extensions in the server certificate") 984 } 985 } 986 987 if err := hs.verifyCertificates(certMsg); err != nil { 988 return err 989 } 990 c.ocspResponse = certMsg.certificates[0].ocspResponse 991 c.sctList = certMsg.certificates[0].sctList 992 993 msg, err = c.readHandshake() 994 if err != nil { 995 return err 996 } 997 certVerifyMsg, ok := msg.(*certificateVerifyMsg) 998 if !ok { 999 c.sendAlert(alertUnexpectedMessage) 1000 return unexpectedMessageError(certVerifyMsg, msg) 1001 } 1002 1003 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm 1004 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 1005 err = verifyMessage(c.vers, hs.peerPublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature) 1006 if err != nil { 1007 return err 1008 } 1009 1010 hs.writeServerHash(certVerifyMsg.marshal()) 1011 } 1012 1013 msg, err = c.readHandshake() 1014 if err != nil { 1015 return err 1016 } 1017 serverFinished, ok := msg.(*finishedMsg) 1018 if !ok { 1019 c.sendAlert(alertUnexpectedMessage) 1020 return unexpectedMessageError(serverFinished, msg) 1021 } 1022 1023 verify := hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 1024 if len(verify) != len(serverFinished.verifyData) || 1025 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1026 c.sendAlert(alertHandshakeFailure) 1027 return errors.New("tls: server's Finished message was incorrect") 1028 } 1029 1030 hs.writeServerHash(serverFinished.marshal()) 1031 1032 // The various secrets do not incorporate the client's final leg, so 1033 // derive them now before updating the handshake context. 1034 hs.finishedHash.nextSecret() 1035 hs.finishedHash.addEntropy(zeroSecret) 1036 1037 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 1038 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 1039 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 1040 1041 // Switch to application data keys on read. In particular, any alerts 1042 // from the client certificate are read over these keys. 1043 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, serverTrafficSecret); err != nil { 1044 return err 1045 } 1046 1047 // If we're expecting 0.5-RTT messages from the server, read them now. 1048 var deferredTickets []*newSessionTicketMsg 1049 if encryptedExtensions.extensions.hasEarlyData { 1050 // BoringSSL will always send two tickets half-RTT when 1051 // negotiating 0-RTT. 1052 for i := 0; i < shimConfig.HalfRTTTickets; i++ { 1053 msg, err := c.readHandshake() 1054 if err != nil { 1055 return fmt.Errorf("tls: error reading half-RTT ticket: %s", err) 1056 } 1057 newSessionTicket, ok := msg.(*newSessionTicketMsg) 1058 if !ok { 1059 return errors.New("tls: expected half-RTT ticket") 1060 } 1061 // Defer processing until the resumption secret is computed. 1062 deferredTickets = append(deferredTickets, newSessionTicket) 1063 } 1064 for _, expectedMsg := range c.config.Bugs.ExpectHalfRTTData { 1065 if err := c.readRecord(recordTypeApplicationData); err != nil { 1066 return err 1067 } 1068 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 1069 return errors.New("ExpectHalfRTTData: did not get expected message") 1070 } 1071 c.in.freeBlock(c.input) 1072 c.input = nil 1073 } 1074 } 1075 1076 // Send EndOfEarlyData and then switch write key to handshake 1077 // traffic key. 1078 if encryptedExtensions.extensions.hasEarlyData && c.out.cipher != nil && !c.config.Bugs.SkipEndOfEarlyData { 1079 if c.config.Bugs.SendStrayEarlyHandshake { 1080 helloRequest := new(helloRequestMsg) 1081 c.writeRecord(recordTypeHandshake, helloRequest.marshal()) 1082 } 1083 endOfEarlyData := new(endOfEarlyDataMsg) 1084 endOfEarlyData.nonEmpty = c.config.Bugs.NonEmptyEndOfEarlyData 1085 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()) 1086 hs.writeClientHash(endOfEarlyData.marshal()) 1087 } 1088 1089 if !c.config.Bugs.SkipChangeCipherSpec && !hs.hello.hasEarlyData { 1090 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1091 } 1092 1093 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 1094 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1095 } 1096 1097 c.useOutTrafficSecret(c.wireVersion, hs.suite, clientHandshakeTrafficSecret) 1098 1099 if certReq != nil && !c.config.Bugs.SkipClientCertificate { 1100 certMsg := &certificateMsg{ 1101 hasRequestContext: true, 1102 requestContext: certReq.requestContext, 1103 } 1104 if chainToSend != nil { 1105 for _, certData := range chainToSend.Certificate { 1106 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1107 data: certData, 1108 extraExtension: c.config.Bugs.SendExtensionOnCertificate, 1109 }) 1110 } 1111 } 1112 hs.writeClientHash(certMsg.marshal()) 1113 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1114 1115 if chainToSend != nil { 1116 certVerify := &certificateVerifyMsg{ 1117 hasSignatureAlgorithm: true, 1118 } 1119 1120 // Determine the hash to sign. 1121 privKey := chainToSend.PrivateKey 1122 1123 var err error 1124 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1125 if err != nil { 1126 c.sendAlert(alertInternalError) 1127 return err 1128 } 1129 1130 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1131 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 1132 if err != nil { 1133 c.sendAlert(alertInternalError) 1134 return err 1135 } 1136 if c.config.Bugs.SendSignatureAlgorithm != 0 { 1137 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1138 } 1139 1140 if !c.config.Bugs.SkipCertificateVerify { 1141 hs.writeClientHash(certVerify.marshal()) 1142 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1143 } 1144 } 1145 } 1146 1147 if encryptedExtensions.extensions.channelIDRequested { 1148 channelIDHash := crypto.SHA256.New() 1149 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1150 channelIDMsgBytes, err := hs.writeChannelIDMessage(channelIDHash.Sum(nil)) 1151 if err != nil { 1152 return err 1153 } 1154 hs.writeClientHash(channelIDMsgBytes) 1155 c.writeRecord(recordTypeHandshake, channelIDMsgBytes) 1156 } 1157 1158 // Send a client Finished message. 1159 finished := new(finishedMsg) 1160 finished.verifyData = hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1161 if c.config.Bugs.BadFinished { 1162 finished.verifyData[0]++ 1163 } 1164 hs.writeClientHash(finished.marshal()) 1165 if c.config.Bugs.PartialClientFinishedWithClientHello { 1166 // The first byte has already been sent. 1167 c.writeRecord(recordTypeHandshake, finished.marshal()[1:]) 1168 } else if c.config.Bugs.InterleaveEarlyData { 1169 finishedBytes := finished.marshal() 1170 c.sendFakeEarlyData(4) 1171 c.writeRecord(recordTypeHandshake, finishedBytes[:1]) 1172 c.sendFakeEarlyData(4) 1173 c.writeRecord(recordTypeHandshake, finishedBytes[1:]) 1174 } else { 1175 c.writeRecord(recordTypeHandshake, finished.marshal()) 1176 } 1177 if c.config.Bugs.SendExtraFinished { 1178 c.writeRecord(recordTypeHandshake, finished.marshal()) 1179 } 1180 c.flushHandshake() 1181 1182 // Switch to application data keys. 1183 c.useOutTrafficSecret(c.wireVersion, hs.suite, clientTrafficSecret) 1184 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1185 for _, ticket := range deferredTickets { 1186 if err := c.processTLS13NewSessionTicket(ticket, hs.suite); err != nil { 1187 return err 1188 } 1189 } 1190 1191 return nil 1192} 1193 1194func (hs *clientHandshakeState) doFullHandshake() error { 1195 c := hs.c 1196 1197 var leaf *x509.Certificate 1198 if hs.suite.flags&suitePSK == 0 { 1199 msg, err := c.readHandshake() 1200 if err != nil { 1201 return err 1202 } 1203 1204 certMsg, ok := msg.(*certificateMsg) 1205 if !ok { 1206 c.sendAlert(alertUnexpectedMessage) 1207 return unexpectedMessageError(certMsg, msg) 1208 } 1209 hs.writeServerHash(certMsg.marshal()) 1210 1211 if err := hs.verifyCertificates(certMsg); err != nil { 1212 return err 1213 } 1214 leaf = c.peerCertificates[0] 1215 } 1216 1217 if hs.serverHello.extensions.ocspStapling { 1218 msg, err := c.readHandshake() 1219 if err != nil { 1220 return err 1221 } 1222 cs, ok := msg.(*certificateStatusMsg) 1223 if !ok { 1224 c.sendAlert(alertUnexpectedMessage) 1225 return unexpectedMessageError(cs, msg) 1226 } 1227 hs.writeServerHash(cs.marshal()) 1228 1229 if cs.statusType == statusTypeOCSP { 1230 c.ocspResponse = cs.response 1231 } 1232 } 1233 1234 msg, err := c.readHandshake() 1235 if err != nil { 1236 return err 1237 } 1238 1239 keyAgreement := hs.suite.ka(c.vers) 1240 1241 skx, ok := msg.(*serverKeyExchangeMsg) 1242 if ok { 1243 hs.writeServerHash(skx.marshal()) 1244 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, hs.peerPublicKey, skx) 1245 if err != nil { 1246 c.sendAlert(alertUnexpectedMessage) 1247 return err 1248 } 1249 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1250 c.curveID = ecdhe.curveID 1251 } 1252 1253 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm() 1254 1255 msg, err = c.readHandshake() 1256 if err != nil { 1257 return err 1258 } 1259 } 1260 1261 var chainToSend *Certificate 1262 var certRequested bool 1263 certReq, ok := msg.(*certificateRequestMsg) 1264 if ok { 1265 certRequested = true 1266 if err := checkRSAPSSSupport(c.config.Bugs.ExpectRSAPSSSupport, certReq.signatureAlgorithms, certReq.signatureAlgorithmsCert); err != nil { 1267 return err 1268 } 1269 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 1270 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 1271 } 1272 1273 hs.writeServerHash(certReq.marshal()) 1274 1275 chainToSend, err = selectClientCertificate(c, certReq) 1276 if err != nil { 1277 return err 1278 } 1279 1280 msg, err = c.readHandshake() 1281 if err != nil { 1282 return err 1283 } 1284 } 1285 1286 shd, ok := msg.(*serverHelloDoneMsg) 1287 if !ok { 1288 c.sendAlert(alertUnexpectedMessage) 1289 return unexpectedMessageError(shd, msg) 1290 } 1291 hs.writeServerHash(shd.marshal()) 1292 1293 // If the server requested a certificate then we have to send a 1294 // Certificate message in TLS, even if it's empty because we don't have 1295 // a certificate to send. In SSL 3.0, skip the message and send a 1296 // no_certificate warning alert. 1297 if certRequested { 1298 if c.vers == VersionSSL30 && chainToSend == nil { 1299 c.sendAlert(alertNoCertificate) 1300 } else if !c.config.Bugs.SkipClientCertificate { 1301 certMsg := new(certificateMsg) 1302 if chainToSend != nil { 1303 for _, certData := range chainToSend.Certificate { 1304 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1305 data: certData, 1306 }) 1307 } 1308 } 1309 hs.writeClientHash(certMsg.marshal()) 1310 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1311 } 1312 } 1313 1314 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf) 1315 if err != nil { 1316 c.sendAlert(alertInternalError) 1317 return err 1318 } 1319 if ckx != nil { 1320 if c.config.Bugs.EarlyChangeCipherSpec < 2 { 1321 hs.writeClientHash(ckx.marshal()) 1322 } 1323 c.writeRecord(recordTypeHandshake, ckx.marshal()) 1324 } 1325 1326 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 { 1327 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 1328 c.extendedMasterSecret = true 1329 } else { 1330 if c.config.Bugs.RequireExtendedMasterSecret { 1331 return errors.New("tls: extended master secret required but not supported by peer") 1332 } 1333 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) 1334 } 1335 1336 if chainToSend != nil { 1337 certVerify := &certificateVerifyMsg{ 1338 hasSignatureAlgorithm: c.vers >= VersionTLS12, 1339 } 1340 1341 // Determine the hash to sign. 1342 privKey := c.config.Certificates[0].PrivateKey 1343 1344 if certVerify.hasSignatureAlgorithm { 1345 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1346 if err != nil { 1347 c.sendAlert(alertInternalError) 1348 return err 1349 } 1350 } 1351 1352 if c.vers > VersionSSL30 { 1353 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer) 1354 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 { 1355 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1356 } 1357 } else { 1358 // SSL 3.0's client certificate construction is 1359 // incompatible with signatureAlgorithm. 1360 rsaKey, ok := privKey.(*rsa.PrivateKey) 1361 if !ok { 1362 err = errors.New("unsupported signature type for client certificate") 1363 } else { 1364 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret) 1365 if c.config.Bugs.InvalidSignature { 1366 digest[0] ^= 0x80 1367 } 1368 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest) 1369 } 1370 } 1371 if err != nil { 1372 c.sendAlert(alertInternalError) 1373 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error()) 1374 } 1375 1376 if !c.config.Bugs.SkipCertificateVerify { 1377 hs.writeClientHash(certVerify.marshal()) 1378 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1379 } 1380 } 1381 // flushHandshake will be called in sendFinished. 1382 1383 hs.finishedHash.discardHandshakeBuffer() 1384 1385 return nil 1386} 1387 1388// delegatedCredentialSignedMessage returns the bytes that are signed in order 1389// to authenticate a delegated credential. 1390func delegatedCredentialSignedMessage(credBytes []byte, algorithm signatureAlgorithm, leafDER []byte) []byte { 1391 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1392 ret := make([]byte, 64, 128) 1393 for i := range ret { 1394 ret[i] = 0x20 1395 } 1396 1397 ret = append(ret, []byte("TLS, server delegated credentials\x00")...) 1398 ret = append(ret, leafDER...) 1399 ret = append(ret, byte(algorithm>>8), byte(algorithm)) 1400 ret = append(ret, credBytes...) 1401 1402 return ret 1403} 1404 1405func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error { 1406 c := hs.c 1407 1408 if len(certMsg.certificates) == 0 { 1409 c.sendAlert(alertIllegalParameter) 1410 return errors.New("tls: no certificates sent") 1411 } 1412 1413 var dc *delegatedCredential 1414 certs := make([]*x509.Certificate, len(certMsg.certificates)) 1415 for i, certEntry := range certMsg.certificates { 1416 cert, err := x509.ParseCertificate(certEntry.data) 1417 if err != nil { 1418 c.sendAlert(alertBadCertificate) 1419 return errors.New("tls: failed to parse certificate from server: " + err.Error()) 1420 } 1421 certs[i] = cert 1422 1423 if certEntry.delegatedCredential != nil { 1424 if c.config.Bugs.FailIfDelegatedCredentials { 1425 c.sendAlert(alertIllegalParameter) 1426 return errors.New("tls: unexpected delegated credential") 1427 } 1428 if i != 0 { 1429 c.sendAlert(alertIllegalParameter) 1430 return errors.New("tls: non-leaf certificate has a delegated credential") 1431 } 1432 if c.config.Bugs.DisableDelegatedCredentials { 1433 c.sendAlert(alertIllegalParameter) 1434 return errors.New("tls: server sent delegated credential without it being requested") 1435 } 1436 dc = certEntry.delegatedCredential 1437 } 1438 } 1439 1440 if !c.config.InsecureSkipVerify { 1441 opts := x509.VerifyOptions{ 1442 Roots: c.config.RootCAs, 1443 CurrentTime: c.config.time(), 1444 DNSName: c.config.ServerName, 1445 Intermediates: x509.NewCertPool(), 1446 } 1447 1448 for i, cert := range certs { 1449 if i == 0 { 1450 continue 1451 } 1452 opts.Intermediates.AddCert(cert) 1453 } 1454 var err error 1455 c.verifiedChains, err = certs[0].Verify(opts) 1456 if err != nil { 1457 c.sendAlert(alertBadCertificate) 1458 return err 1459 } 1460 } 1461 1462 leafPublicKey := certs[0].PublicKey 1463 switch leafPublicKey.(type) { 1464 case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey: 1465 break 1466 default: 1467 c.sendAlert(alertUnsupportedCertificate) 1468 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leafPublicKey) 1469 } 1470 1471 c.peerCertificates = certs 1472 1473 if dc != nil { 1474 // Note that this doesn't check a) the delegated credential temporal 1475 // validity nor b) that the certificate has the special OID asserted. 1476 hs.skxAlgo = dc.expectedCertVerifyAlgo 1477 1478 var err error 1479 if hs.peerPublicKey, err = x509.ParsePKIXPublicKey(dc.pkixPublicKey); err != nil { 1480 c.sendAlert(alertBadCertificate) 1481 return errors.New("tls: failed to parse public key from delegated credential: " + err.Error()) 1482 } 1483 1484 verifier, err := getSigner(c.vers, hs.peerPublicKey, c.config, dc.algorithm, true) 1485 if err != nil { 1486 c.sendAlert(alertBadCertificate) 1487 return errors.New("tls: failed to get verifier for delegated credential: " + err.Error()) 1488 } 1489 1490 if err := verifier.verifyMessage(leafPublicKey, delegatedCredentialSignedMessage(dc.signedBytes, dc.algorithm, certs[0].Raw), dc.signature); err != nil { 1491 c.sendAlert(alertBadCertificate) 1492 return errors.New("tls: failed to verify delegated credential: " + err.Error()) 1493 } 1494 } else if c.config.Bugs.ExpectDelegatedCredentials { 1495 c.sendAlert(alertInternalError) 1496 return errors.New("tls: delegated credentials missing") 1497 } else { 1498 hs.peerPublicKey = leafPublicKey 1499 } 1500 1501 return nil 1502} 1503 1504func (hs *clientHandshakeState) establishKeys() error { 1505 c := hs.c 1506 1507 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 1508 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 1509 var clientCipher, serverCipher interface{} 1510 var clientHash, serverHash macFunction 1511 if hs.suite.cipher != nil { 1512 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) 1513 clientHash = hs.suite.mac(c.vers, clientMAC) 1514 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) 1515 serverHash = hs.suite.mac(c.vers, serverMAC) 1516 } else { 1517 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 1518 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 1519 } 1520 1521 c.in.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 1522 c.out.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 1523 return nil 1524} 1525 1526func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error { 1527 c := hs.c 1528 1529 if c.vers < VersionTLS13 { 1530 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil { 1531 return errors.New("tls: renegotiation extension missing") 1532 } 1533 1534 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() { 1535 var expectedRenegInfo []byte 1536 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...) 1537 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...) 1538 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) { 1539 c.sendAlert(alertHandshakeFailure) 1540 return fmt.Errorf("tls: renegotiation mismatch") 1541 } 1542 } 1543 } else if serverExtensions.secureRenegotiation != nil { 1544 return errors.New("tls: renegotiation info sent in TLS 1.3") 1545 } 1546 1547 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1548 if serverExtensions.customExtension != *expected { 1549 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension) 1550 } 1551 } 1552 1553 clientDidNPN := hs.hello.nextProtoNeg 1554 clientDidALPN := len(hs.hello.alpnProtocols) > 0 1555 serverHasNPN := serverExtensions.nextProtoNeg 1556 serverHasALPN := len(serverExtensions.alpnProtocol) > 0 1557 1558 if !clientDidNPN && serverHasNPN { 1559 c.sendAlert(alertHandshakeFailure) 1560 return errors.New("server advertised unrequested NPN extension") 1561 } 1562 1563 if !clientDidALPN && serverHasALPN { 1564 c.sendAlert(alertHandshakeFailure) 1565 return errors.New("server advertised unrequested ALPN extension") 1566 } 1567 1568 if serverHasNPN && serverHasALPN { 1569 c.sendAlert(alertHandshakeFailure) 1570 return errors.New("server advertised both NPN and ALPN extensions") 1571 } 1572 1573 if serverHasALPN { 1574 c.clientProtocol = serverExtensions.alpnProtocol 1575 c.clientProtocolFallback = false 1576 c.usedALPN = true 1577 } 1578 1579 if serverHasNPN && c.vers >= VersionTLS13 { 1580 c.sendAlert(alertHandshakeFailure) 1581 return errors.New("server advertised NPN over TLS 1.3") 1582 } 1583 1584 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested { 1585 c.sendAlert(alertHandshakeFailure) 1586 return errors.New("server advertised unrequested Channel ID extension") 1587 } 1588 1589 if len(serverExtensions.tokenBindingParams) == 1 { 1590 found := false 1591 for _, p := range c.config.TokenBindingParams { 1592 if p == serverExtensions.tokenBindingParams[0] { 1593 c.tokenBindingParam = p 1594 found = true 1595 break 1596 } 1597 } 1598 if !found { 1599 return errors.New("tls: server advertised unsupported Token Binding key param") 1600 } 1601 if serverExtensions.tokenBindingVersion > c.config.TokenBindingVersion { 1602 return errors.New("tls: server's Token Binding version is too new") 1603 } 1604 if c.vers < VersionTLS13 { 1605 if !serverExtensions.extendedMasterSecret || serverExtensions.secureRenegotiation == nil { 1606 return errors.New("server sent Token Binding without EMS or RI") 1607 } 1608 } 1609 c.tokenBindingNegotiated = true 1610 } 1611 1612 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 { 1613 return errors.New("tls: server advertised extended master secret over TLS 1.3") 1614 } 1615 1616 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 { 1617 return errors.New("tls: server advertised ticket extension over TLS 1.3") 1618 } 1619 1620 if serverExtensions.ocspStapling && c.vers >= VersionTLS13 { 1621 return errors.New("tls: server advertised OCSP in ServerHello over TLS 1.3") 1622 } 1623 1624 if serverExtensions.ocspStapling && c.config.Bugs.NoOCSPStapling { 1625 return errors.New("tls: server advertised unrequested OCSP extension") 1626 } 1627 1628 if len(serverExtensions.sctList) > 0 && c.vers >= VersionTLS13 { 1629 return errors.New("tls: server advertised SCTs in ServerHello over TLS 1.3") 1630 } 1631 1632 if len(serverExtensions.sctList) > 0 && c.config.Bugs.NoSignedCertificateTimestamps { 1633 return errors.New("tls: server advertised unrequested SCTs") 1634 } 1635 1636 if serverExtensions.srtpProtectionProfile != 0 { 1637 if serverExtensions.srtpMasterKeyIdentifier != "" { 1638 return errors.New("tls: server selected SRTP MKI value") 1639 } 1640 1641 found := false 1642 for _, p := range c.config.SRTPProtectionProfiles { 1643 if p == serverExtensions.srtpProtectionProfile { 1644 found = true 1645 break 1646 } 1647 } 1648 if !found { 1649 return errors.New("tls: server advertised unsupported SRTP profile") 1650 } 1651 1652 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile 1653 } 1654 1655 if c.vers >= VersionTLS13 && c.didResume { 1656 if c.config.Bugs.ExpectEarlyDataAccepted && !serverExtensions.hasEarlyData { 1657 c.sendAlert(alertHandshakeFailure) 1658 return errors.New("tls: server did not accept early data when expected") 1659 } 1660 1661 if !c.config.Bugs.ExpectEarlyDataAccepted && serverExtensions.hasEarlyData { 1662 c.sendAlert(alertHandshakeFailure) 1663 return errors.New("tls: server accepted early data when not expected") 1664 } 1665 } 1666 1667 if len(serverExtensions.quicTransportParams) > 0 { 1668 if c.vers < VersionTLS13 { 1669 c.sendAlert(alertHandshakeFailure) 1670 return errors.New("tls: server sent QUIC transport params for TLS version less than 1.3") 1671 } 1672 c.quicTransportParams = serverExtensions.quicTransportParams 1673 } 1674 1675 if c.config.Bugs.ExpectPQExperimentSignal != serverExtensions.pqExperimentSignal { 1676 return fmt.Errorf("tls: PQ experiment signal presence (%t) was not what was expected", serverExtensions.pqExperimentSignal) 1677 } 1678 1679 return nil 1680} 1681 1682func (hs *clientHandshakeState) serverResumedSession() bool { 1683 // If the server responded with the same sessionId then it means the 1684 // sessionTicket is being used to resume a TLS session. 1685 // 1686 // Note that, if hs.hello.sessionId is a non-nil empty array, this will 1687 // accept an empty session ID from the server as resumption. See 1688 // EmptyTicketSessionID. 1689 return hs.session != nil && hs.hello.sessionId != nil && 1690 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId) 1691} 1692 1693func (hs *clientHandshakeState) processServerHello() (bool, error) { 1694 c := hs.c 1695 1696 if hs.serverResumedSession() { 1697 // For test purposes, assert that the server never accepts the 1698 // resumption offer on renegotiation. 1699 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego { 1700 return false, errors.New("tls: server resumed session on renegotiation") 1701 } 1702 1703 if hs.serverHello.extensions.sctList != nil { 1704 return false, errors.New("tls: server sent SCT extension on session resumption") 1705 } 1706 1707 if hs.serverHello.extensions.ocspStapling { 1708 return false, errors.New("tls: server sent OCSP extension on session resumption") 1709 } 1710 1711 // Restore masterSecret and peerCerts from previous state 1712 hs.masterSecret = hs.session.masterSecret 1713 c.peerCertificates = hs.session.serverCertificates 1714 c.extendedMasterSecret = hs.session.extendedMasterSecret 1715 c.sctList = hs.session.sctList 1716 c.ocspResponse = hs.session.ocspResponse 1717 hs.finishedHash.discardHandshakeBuffer() 1718 return true, nil 1719 } 1720 1721 if hs.serverHello.extensions.sctList != nil { 1722 c.sctList = hs.serverHello.extensions.sctList 1723 } 1724 1725 return false, nil 1726} 1727 1728func (hs *clientHandshakeState) readFinished(out []byte) error { 1729 c := hs.c 1730 1731 c.readRecord(recordTypeChangeCipherSpec) 1732 if err := c.in.error(); err != nil { 1733 return err 1734 } 1735 1736 msg, err := c.readHandshake() 1737 if err != nil { 1738 return err 1739 } 1740 serverFinished, ok := msg.(*finishedMsg) 1741 if !ok { 1742 c.sendAlert(alertUnexpectedMessage) 1743 return unexpectedMessageError(serverFinished, msg) 1744 } 1745 1746 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 1747 verify := hs.finishedHash.serverSum(hs.masterSecret) 1748 if len(verify) != len(serverFinished.verifyData) || 1749 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1750 c.sendAlert(alertHandshakeFailure) 1751 return errors.New("tls: server's Finished message was incorrect") 1752 } 1753 } 1754 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...) 1755 copy(out, serverFinished.verifyData) 1756 hs.writeServerHash(serverFinished.marshal()) 1757 return nil 1758} 1759 1760func (hs *clientHandshakeState) readSessionTicket() error { 1761 c := hs.c 1762 1763 // Create a session with no server identifier. Either a 1764 // session ID or session ticket will be attached. 1765 session := &ClientSessionState{ 1766 vers: c.vers, 1767 wireVersion: c.wireVersion, 1768 cipherSuite: hs.suite.id, 1769 masterSecret: hs.masterSecret, 1770 handshakeHash: hs.finishedHash.Sum(), 1771 serverCertificates: c.peerCertificates, 1772 sctList: c.sctList, 1773 ocspResponse: c.ocspResponse, 1774 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)), 1775 } 1776 1777 if !hs.serverHello.extensions.ticketSupported { 1778 if c.config.Bugs.ExpectNewTicket { 1779 return errors.New("tls: expected new ticket") 1780 } 1781 if hs.session == nil && len(hs.serverHello.sessionId) > 0 { 1782 session.sessionId = hs.serverHello.sessionId 1783 hs.session = session 1784 } 1785 return nil 1786 } 1787 1788 if c.vers == VersionSSL30 { 1789 return errors.New("tls: negotiated session tickets in SSL 3.0") 1790 } 1791 if c.config.Bugs.ExpectNoNewSessionTicket { 1792 return errors.New("tls: received unexpected NewSessionTicket") 1793 } 1794 1795 msg, err := c.readHandshake() 1796 if err != nil { 1797 return err 1798 } 1799 sessionTicketMsg, ok := msg.(*newSessionTicketMsg) 1800 if !ok { 1801 c.sendAlert(alertUnexpectedMessage) 1802 return unexpectedMessageError(sessionTicketMsg, msg) 1803 } 1804 1805 session.sessionTicket = sessionTicketMsg.ticket 1806 hs.session = session 1807 1808 hs.writeServerHash(sessionTicketMsg.marshal()) 1809 1810 return nil 1811} 1812 1813func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error { 1814 c := hs.c 1815 1816 var postCCSMsgs [][]byte 1817 seqno := hs.c.sendHandshakeSeq 1818 if hs.serverHello.extensions.nextProtoNeg { 1819 nextProto := new(nextProtoMsg) 1820 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos) 1821 nextProto.proto = proto 1822 c.clientProtocol = proto 1823 c.clientProtocolFallback = fallback 1824 1825 nextProtoBytes := nextProto.marshal() 1826 hs.writeHash(nextProtoBytes, seqno) 1827 seqno++ 1828 postCCSMsgs = append(postCCSMsgs, nextProtoBytes) 1829 } 1830 1831 if hs.serverHello.extensions.channelIDRequested { 1832 var resumeHash []byte 1833 if isResume { 1834 resumeHash = hs.session.handshakeHash 1835 } 1836 channelIDMsgBytes, err := hs.writeChannelIDMessage(hs.finishedHash.hashForChannelID(resumeHash)) 1837 if err != nil { 1838 return err 1839 } 1840 hs.writeHash(channelIDMsgBytes, seqno) 1841 seqno++ 1842 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes) 1843 } 1844 1845 finished := new(finishedMsg) 1846 if c.config.Bugs.EarlyChangeCipherSpec == 2 { 1847 finished.verifyData = hs.finishedHash.clientSum(nil) 1848 } else { 1849 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) 1850 } 1851 copy(out, finished.verifyData) 1852 if c.config.Bugs.BadFinished { 1853 finished.verifyData[0]++ 1854 } 1855 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...) 1856 hs.finishedBytes = finished.marshal() 1857 hs.writeHash(hs.finishedBytes, seqno) 1858 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes) 1859 1860 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 1861 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5]) 1862 postCCSMsgs[0] = postCCSMsgs[0][5:] 1863 } else if c.config.Bugs.SendUnencryptedFinished { 1864 c.writeRecord(recordTypeHandshake, postCCSMsgs[0]) 1865 postCCSMsgs = postCCSMsgs[1:] 1866 } 1867 1868 if !c.config.Bugs.SkipChangeCipherSpec && 1869 c.config.Bugs.EarlyChangeCipherSpec == 0 { 1870 ccs := []byte{1} 1871 if c.config.Bugs.BadChangeCipherSpec != nil { 1872 ccs = c.config.Bugs.BadChangeCipherSpec 1873 } 1874 c.writeRecord(recordTypeChangeCipherSpec, ccs) 1875 } 1876 1877 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 1878 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 1879 } 1880 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 1881 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 1882 return errors.New("tls: simulating post-CCS alert") 1883 } 1884 1885 if !c.config.Bugs.SkipFinished { 1886 for _, msg := range postCCSMsgs { 1887 c.writeRecord(recordTypeHandshake, msg) 1888 } 1889 1890 if c.config.Bugs.SendExtraFinished { 1891 c.writeRecord(recordTypeHandshake, finished.marshal()) 1892 } 1893 } 1894 1895 if !isResume || !c.config.Bugs.PackAppDataWithHandshake { 1896 c.flushHandshake() 1897 } 1898 return nil 1899} 1900 1901func (hs *clientHandshakeState) writeChannelIDMessage(channelIDHash []byte) ([]byte, error) { 1902 c := hs.c 1903 channelIDMsg := new(channelIDMsg) 1904 if c.config.ChannelID.Curve != elliptic.P256() { 1905 return nil, fmt.Errorf("tls: Channel ID is not on P-256.") 1906 } 1907 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, channelIDHash) 1908 if err != nil { 1909 return nil, err 1910 } 1911 channelID := make([]byte, 128) 1912 writeIntPadded(channelID[0:32], c.config.ChannelID.X) 1913 writeIntPadded(channelID[32:64], c.config.ChannelID.Y) 1914 writeIntPadded(channelID[64:96], r) 1915 writeIntPadded(channelID[96:128], s) 1916 if c.config.Bugs.InvalidChannelIDSignature { 1917 channelID[64] ^= 1 1918 } 1919 channelIDMsg.channelID = channelID 1920 1921 c.channelID = &c.config.ChannelID.PublicKey 1922 1923 return channelIDMsg.marshal(), nil 1924} 1925 1926func (hs *clientHandshakeState) writeClientHash(msg []byte) { 1927 // writeClientHash is called before writeRecord. 1928 hs.writeHash(msg, hs.c.sendHandshakeSeq) 1929} 1930 1931func (hs *clientHandshakeState) writeServerHash(msg []byte) { 1932 // writeServerHash is called after readHandshake. 1933 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 1934} 1935 1936func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) { 1937 if hs.c.isDTLS { 1938 // This is somewhat hacky. DTLS hashes a slightly different format. 1939 // First, the TLS header. 1940 hs.finishedHash.Write(msg[:4]) 1941 // Then the sequence number and reassembled fragment offset (always 0). 1942 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 1943 // Then the reassembled fragment (always equal to the message length). 1944 hs.finishedHash.Write(msg[1:4]) 1945 // And then the message body. 1946 hs.finishedHash.Write(msg[4:]) 1947 } else { 1948 hs.finishedHash.Write(msg) 1949 } 1950} 1951 1952// selectClientCertificate selects a certificate for use with the given 1953// certificate, or none if none match. It may return a particular certificate or 1954// nil on success, or an error on internal error. 1955func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) { 1956 if len(c.config.Certificates) == 0 { 1957 return nil, nil 1958 } 1959 1960 // The test is assumed to have configured the certificate it meant to 1961 // send. 1962 if len(c.config.Certificates) > 1 { 1963 return nil, errors.New("tls: multiple certificates configured") 1964 } 1965 1966 return &c.config.Certificates[0], nil 1967} 1968 1969// clientSessionCacheKey returns a key used to cache sessionTickets that could 1970// be used to resume previously negotiated TLS sessions with a server. 1971func clientSessionCacheKey(serverAddr net.Addr, config *Config) string { 1972 if len(config.ServerName) > 0 { 1973 return config.ServerName 1974 } 1975 return serverAddr.String() 1976} 1977 1978// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol 1979// given list of possible protocols and a list of the preference order. The 1980// first list must not be empty. It returns the resulting protocol and flag 1981// indicating if the fallback case was reached. 1982func mutualProtocol(protos, preferenceProtos []string) (string, bool) { 1983 for _, s := range preferenceProtos { 1984 for _, c := range protos { 1985 if s == c { 1986 return s, false 1987 } 1988 } 1989 } 1990 1991 return protos[0], true 1992} 1993 1994// writeIntPadded writes x into b, padded up with leading zeros as 1995// needed. 1996func writeIntPadded(b []byte, x *big.Int) { 1997 for i := range b { 1998 b[i] = 0 1999 } 2000 xb := x.Bytes() 2001 copy(b[len(b)-len(xb):], xb) 2002} 2003 2004func generatePSKBinders(version uint16, hello *clientHelloMsg, pskCipherSuite *cipherSuite, psk, firstClientHello, helloRetryRequest []byte, config *Config) { 2005 maybeCorruptBinder := !config.Bugs.OnlyCorruptSecondPSKBinder || len(firstClientHello) > 0 2006 binderLen := pskCipherSuite.hash().Size() 2007 numBinders := 1 2008 if maybeCorruptBinder { 2009 if config.Bugs.SendNoPSKBinder { 2010 // The binders may have been set from the previous 2011 // ClientHello. 2012 hello.pskBinders = nil 2013 return 2014 } 2015 2016 if config.Bugs.SendShortPSKBinder { 2017 binderLen-- 2018 } 2019 2020 if config.Bugs.SendExtraPSKBinder { 2021 numBinders++ 2022 } 2023 } 2024 2025 // Fill hello.pskBinders with appropriate length arrays of zeros so the 2026 // length prefixes are correct when computing the binder over the truncated 2027 // ClientHello message. 2028 hello.pskBinders = make([][]byte, numBinders) 2029 for i := range hello.pskBinders { 2030 hello.pskBinders[i] = make([]byte, binderLen) 2031 } 2032 2033 helloBytes := hello.marshal() 2034 binderSize := len(hello.pskBinders)*(binderLen+1) + 2 2035 truncatedHello := helloBytes[:len(helloBytes)-binderSize] 2036 binder := computePSKBinder(psk, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2037 if maybeCorruptBinder { 2038 if config.Bugs.SendShortPSKBinder { 2039 binder = binder[:binderLen] 2040 } 2041 if config.Bugs.SendInvalidPSKBinder { 2042 binder[0] ^= 1 2043 } 2044 } 2045 2046 for i := range hello.pskBinders { 2047 hello.pskBinders[i] = binder 2048 } 2049 2050 hello.raw = nil 2051} 2052