1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "crypto/subtle" 15 "crypto/x509" 16 "errors" 17 "fmt" 18 "io" 19 "math/big" 20 "time" 21) 22 23// serverHandshakeState contains details of a server handshake in progress. 24// It's discarded once the handshake has completed. 25type serverHandshakeState struct { 26 c *Conn 27 clientHello *clientHelloMsg 28 hello *serverHelloMsg 29 suite *cipherSuite 30 ellipticOk bool 31 ecdsaOk bool 32 sessionState *sessionState 33 finishedHash finishedHash 34 masterSecret []byte 35 certsFromClient [][]byte 36 cert *Certificate 37 finishedBytes []byte 38} 39 40// serverHandshake performs a TLS handshake as a server. 41func (c *Conn) serverHandshake() error { 42 config := c.config 43 44 // If this is the first server handshake, we generate a random key to 45 // encrypt the tickets with. 46 config.serverInitOnce.Do(config.serverInit) 47 48 c.sendHandshakeSeq = 0 49 c.recvHandshakeSeq = 0 50 51 hs := serverHandshakeState{ 52 c: c, 53 } 54 if err := hs.readClientHello(); err != nil { 55 return err 56 } 57 58 if c.vers >= VersionTLS13 { 59 if err := hs.doTLS13Handshake(); err != nil { 60 return err 61 } 62 } else { 63 isResume, err := hs.processClientHello() 64 if err != nil { 65 return err 66 } 67 68 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 69 if isResume { 70 // The client has included a session ticket and so we do an abbreviated handshake. 71 if err := hs.doResumeHandshake(); err != nil { 72 return err 73 } 74 if err := hs.establishKeys(); err != nil { 75 return err 76 } 77 if c.config.Bugs.RenewTicketOnResume { 78 if err := hs.sendSessionTicket(); err != nil { 79 return err 80 } 81 } 82 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 83 return err 84 } 85 // Most retransmits are triggered by a timeout, but the final 86 // leg of the handshake is retransmited upon re-receiving a 87 // Finished. 88 if err := c.simulatePacketLoss(func() { 89 c.sendHandshakeSeq-- 90 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 91 c.flushHandshake() 92 }); err != nil { 93 return err 94 } 95 if err := hs.readFinished(nil, isResume); err != nil { 96 return err 97 } 98 c.didResume = true 99 } else { 100 // The client didn't include a session ticket, or it wasn't 101 // valid so we do a full handshake. 102 if err := hs.doFullHandshake(); err != nil { 103 return err 104 } 105 if err := hs.establishKeys(); err != nil { 106 return err 107 } 108 if err := hs.readFinished(c.firstFinished[:], isResume); err != nil { 109 return err 110 } 111 if c.config.Bugs.AlertBeforeFalseStartTest != 0 { 112 c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest) 113 } 114 if c.config.Bugs.ExpectFalseStart { 115 if err := c.readRecord(recordTypeApplicationData); err != nil { 116 return fmt.Errorf("tls: peer did not false start: %s", err) 117 } 118 } 119 if err := hs.sendSessionTicket(); err != nil { 120 return err 121 } 122 if err := hs.sendFinished(nil, isResume); err != nil { 123 return err 124 } 125 } 126 127 c.exporterSecret = hs.masterSecret 128 } 129 c.handshakeComplete = true 130 copy(c.clientRandom[:], hs.clientHello.random) 131 copy(c.serverRandom[:], hs.hello.random) 132 133 return nil 134} 135 136// readClientHello reads a ClientHello message from the client and determines 137// the protocol version. 138func (hs *serverHandshakeState) readClientHello() error { 139 config := hs.c.config 140 c := hs.c 141 142 if err := c.simulatePacketLoss(nil); err != nil { 143 return err 144 } 145 msg, err := c.readHandshake() 146 if err != nil { 147 return err 148 } 149 var ok bool 150 hs.clientHello, ok = msg.(*clientHelloMsg) 151 if !ok { 152 c.sendAlert(alertUnexpectedMessage) 153 return unexpectedMessageError(hs.clientHello, msg) 154 } 155 if size := config.Bugs.RequireClientHelloSize; size != 0 && len(hs.clientHello.raw) != size { 156 return fmt.Errorf("tls: ClientHello record size is %d, but expected %d", len(hs.clientHello.raw), size) 157 } 158 159 if c.isDTLS && !config.Bugs.SkipHelloVerifyRequest { 160 // Per RFC 6347, the version field in HelloVerifyRequest SHOULD 161 // be always DTLS 1.0 162 helloVerifyRequest := &helloVerifyRequestMsg{ 163 vers: VersionDTLS10, 164 cookie: make([]byte, 32), 165 } 166 if _, err := io.ReadFull(c.config.rand(), helloVerifyRequest.cookie); err != nil { 167 c.sendAlert(alertInternalError) 168 return errors.New("dtls: short read from Rand: " + err.Error()) 169 } 170 c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal()) 171 c.flushHandshake() 172 173 if err := c.simulatePacketLoss(nil); err != nil { 174 return err 175 } 176 msg, err := c.readHandshake() 177 if err != nil { 178 return err 179 } 180 newClientHello, ok := msg.(*clientHelloMsg) 181 if !ok { 182 c.sendAlert(alertUnexpectedMessage) 183 return unexpectedMessageError(hs.clientHello, msg) 184 } 185 if !bytes.Equal(newClientHello.cookie, helloVerifyRequest.cookie) { 186 return errors.New("dtls: invalid cookie") 187 } 188 if err := checkClientHellosEqual(hs.clientHello.raw, newClientHello.raw, c.isDTLS, nil); err != nil { 189 return err 190 } 191 hs.clientHello = newClientHello 192 } 193 194 if config.Bugs.RequireSameRenegoClientVersion && c.clientVersion != 0 { 195 if c.clientVersion != hs.clientHello.vers { 196 return fmt.Errorf("tls: client offered different version on renego") 197 } 198 } 199 200 if config.Bugs.FailIfCECPQ2Offered { 201 for _, offeredCurve := range hs.clientHello.supportedCurves { 202 if isPqGroup(offeredCurve) { 203 return errors.New("tls: CECPQ2 was offered") 204 } 205 } 206 } 207 208 if expected := config.Bugs.ExpectedKeyShares; expected != nil { 209 if len(expected) != len(hs.clientHello.keyShares) { 210 return fmt.Errorf("tls: expected %d key shares, but found %d", len(expected), len(hs.clientHello.keyShares)) 211 } 212 213 for i, group := range expected { 214 if found := hs.clientHello.keyShares[i].group; found != group { 215 return fmt.Errorf("tls: key share #%d is for group %d, not %d", i, found, group) 216 } 217 } 218 } 219 220 c.clientVersion = hs.clientHello.vers 221 222 // Use the versions extension if supplied, otherwise use the legacy ClientHello version. 223 if len(hs.clientHello.supportedVersions) == 0 { 224 if c.isDTLS { 225 if hs.clientHello.vers <= VersionDTLS12 { 226 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS12) 227 } 228 if hs.clientHello.vers <= VersionDTLS10 { 229 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS10) 230 } 231 } else { 232 if hs.clientHello.vers >= VersionTLS12 { 233 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS12) 234 } 235 if hs.clientHello.vers >= VersionTLS11 { 236 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS11) 237 } 238 if hs.clientHello.vers >= VersionTLS10 { 239 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS10) 240 } 241 if hs.clientHello.vers >= VersionSSL30 { 242 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionSSL30) 243 } 244 } 245 } else if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.supportedVersions) { 246 return errors.New("tls: no GREASE version value found") 247 } 248 249 if !c.haveVers { 250 if config.Bugs.NegotiateVersion != 0 { 251 c.wireVersion = config.Bugs.NegotiateVersion 252 } else { 253 var found bool 254 for _, vers := range hs.clientHello.supportedVersions { 255 if _, ok := config.isSupportedVersion(vers, c.isDTLS); ok { 256 c.wireVersion = vers 257 found = true 258 break 259 } 260 } 261 if !found { 262 c.sendAlert(alertProtocolVersion) 263 return errors.New("tls: client did not offer any supported protocol versions") 264 } 265 } 266 } else if config.Bugs.NegotiateVersionOnRenego != 0 { 267 c.wireVersion = config.Bugs.NegotiateVersionOnRenego 268 } 269 270 c.vers, ok = wireToVersion(c.wireVersion, c.isDTLS) 271 if !ok { 272 panic("Could not map wire version") 273 } 274 c.haveVers = true 275 276 clientProtocol, ok := wireToVersion(c.clientVersion, c.isDTLS) 277 278 // Reject < 1.2 ClientHellos with signature_algorithms. 279 if ok && clientProtocol < VersionTLS12 && len(hs.clientHello.signatureAlgorithms) > 0 { 280 return fmt.Errorf("tls: client included signature_algorithms before TLS 1.2") 281 } 282 283 // Check the client cipher list is consistent with the version. 284 if ok && clientProtocol < VersionTLS12 { 285 for _, id := range hs.clientHello.cipherSuites { 286 if isTLS12Cipher(id) { 287 return fmt.Errorf("tls: client offered TLS 1.2 cipher before TLS 1.2") 288 } 289 } 290 } 291 292 if config.Bugs.MockQUICTransport != nil && len(hs.clientHello.sessionID) > 0 { 293 return fmt.Errorf("tls: QUIC client did not disable compatibility mode") 294 } 295 if config.Bugs.ExpectNoTLS12Session { 296 if len(hs.clientHello.sessionID) > 0 && c.vers >= VersionTLS13 { 297 return fmt.Errorf("tls: client offered an unexpected session ID") 298 } 299 if len(hs.clientHello.sessionTicket) > 0 { 300 return fmt.Errorf("tls: client offered an unexpected session ticket") 301 } 302 } 303 304 if config.Bugs.ExpectNoTLS13PSK && len(hs.clientHello.pskIdentities) > 0 { 305 return fmt.Errorf("tls: client offered unexpected PSK identities") 306 } 307 308 var scsvFound bool 309 for _, cipherSuite := range hs.clientHello.cipherSuites { 310 if cipherSuite == fallbackSCSV { 311 scsvFound = true 312 break 313 } 314 } 315 316 if !scsvFound && config.Bugs.FailIfNotFallbackSCSV { 317 return errors.New("tls: no fallback SCSV found when expected") 318 } else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV { 319 return errors.New("tls: fallback SCSV found when not expected") 320 } 321 322 if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.cipherSuites) { 323 return errors.New("tls: no GREASE cipher suite value found") 324 } 325 326 var greaseFound bool 327 for _, curve := range hs.clientHello.supportedCurves { 328 if isGREASEValue(uint16(curve)) { 329 greaseFound = true 330 break 331 } 332 } 333 334 if !greaseFound && config.Bugs.ExpectGREASE { 335 return errors.New("tls: no GREASE curve value found") 336 } 337 338 if len(hs.clientHello.keyShares) > 0 { 339 greaseFound = false 340 for _, keyShare := range hs.clientHello.keyShares { 341 if isGREASEValue(uint16(keyShare.group)) { 342 greaseFound = true 343 break 344 } 345 } 346 347 if !greaseFound && config.Bugs.ExpectGREASE { 348 return errors.New("tls: no GREASE curve value found") 349 } 350 } 351 352 applyBugsToClientHello(hs.clientHello, config) 353 354 return nil 355} 356 357func applyBugsToClientHello(clientHello *clientHelloMsg, config *Config) { 358 if config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 359 clientHello.signatureAlgorithms = config.signSignatureAlgorithms() 360 } 361 if config.Bugs.IgnorePeerCurvePreferences { 362 clientHello.supportedCurves = config.curvePreferences() 363 } 364 if config.Bugs.IgnorePeerCipherPreferences { 365 clientHello.cipherSuites = config.cipherSuites() 366 } 367} 368 369func (hs *serverHandshakeState) doTLS13Handshake() error { 370 c := hs.c 371 config := c.config 372 373 // We've read the ClientHello, so the next record must be preceded with ChangeCipherSpec. 374 c.expectTLS13ChangeCipherSpec = true 375 376 hs.hello = &serverHelloMsg{ 377 isDTLS: c.isDTLS, 378 vers: c.wireVersion, 379 sessionID: hs.clientHello.sessionID, 380 compressionMethod: config.Bugs.SendCompressionMethod, 381 versOverride: config.Bugs.SendServerHelloVersion, 382 supportedVersOverride: config.Bugs.SendServerSupportedVersionExtension, 383 omitSupportedVers: config.Bugs.OmitServerSupportedVersionExtension, 384 customExtension: config.Bugs.CustomUnencryptedExtension, 385 unencryptedALPN: config.Bugs.SendUnencryptedALPN, 386 } 387 388 hs.hello.random = make([]byte, 32) 389 if _, err := io.ReadFull(config.rand(), hs.hello.random); err != nil { 390 c.sendAlert(alertInternalError) 391 return err 392 } 393 394 // TLS 1.3 forbids clients from advertising any non-null compression. 395 if len(hs.clientHello.compressionMethods) != 1 || hs.clientHello.compressionMethods[0] != compressionNone { 396 return errors.New("tls: client sent compression method other than null for TLS 1.3") 397 } 398 399 // Prepare an EncryptedExtensions message, but do not send it yet. 400 encryptedExtensions := new(encryptedExtensionsMsg) 401 encryptedExtensions.empty = config.Bugs.EmptyEncryptedExtensions 402 if err := hs.processClientExtensions(&encryptedExtensions.extensions); err != nil { 403 return err 404 } 405 406 if config.Bugs.ExpectClientECH && hs.clientHello.clientECH == nil { 407 return errors.New("tls: expected client to send ClientECH") 408 } 409 410 if hs.clientHello.clientECH != nil && len(config.Bugs.SendECHRetryConfigs) > 0 { 411 encryptedExtensions.extensions.echRetryConfigs = config.Bugs.SendECHRetryConfigs 412 } 413 414 // Select the cipher suite. 415 var preferenceList, supportedList []uint16 416 if config.PreferServerCipherSuites { 417 preferenceList = config.cipherSuites() 418 supportedList = hs.clientHello.cipherSuites 419 } else { 420 preferenceList = hs.clientHello.cipherSuites 421 supportedList = config.cipherSuites() 422 } 423 424 for _, id := range preferenceList { 425 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, true, true); hs.suite != nil { 426 break 427 } 428 } 429 430 if hs.suite == nil { 431 c.sendAlert(alertHandshakeFailure) 432 return errors.New("tls: no cipher suite supported by both client and server") 433 } 434 435 hs.hello.cipherSuite = hs.suite.id 436 if c.config.Bugs.SendCipherSuite != 0 { 437 hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite 438 } 439 440 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 441 hs.finishedHash.discardHandshakeBuffer() 442 hs.writeClientHash(hs.clientHello.marshal()) 443 444 supportedCurve := false 445 var selectedCurve CurveID 446 preferredCurves := config.curvePreferences() 447Curves: 448 for _, curve := range hs.clientHello.supportedCurves { 449 for _, supported := range preferredCurves { 450 if supported == curve { 451 supportedCurve = true 452 selectedCurve = curve 453 break Curves 454 } 455 } 456 } 457 458 if !supportedCurve { 459 c.sendAlert(alertHandshakeFailure) 460 return errors.New("tls: no curve supported by both client and server") 461 } 462 463 pskIdentities := hs.clientHello.pskIdentities 464 pskKEModes := hs.clientHello.pskKEModes 465 466 var replacedPSKIdentities bool 467 if len(pskIdentities) == 0 && len(hs.clientHello.sessionTicket) > 0 && c.config.Bugs.AcceptAnySession { 468 // Pick up the ticket from the TLS 1.2 extension, to test the 469 // client does not get in a mixed up state. 470 psk := pskIdentity{ 471 ticket: hs.clientHello.sessionTicket, 472 } 473 pskIdentities = []pskIdentity{psk} 474 pskKEModes = []byte{pskDHEKEMode} 475 replacedPSKIdentities = true 476 } 477 478 var pskIndex int 479 foundKEMode := bytes.IndexByte(pskKEModes, pskDHEKEMode) >= 0 480 if foundKEMode && !config.SessionTicketsDisabled { 481 for i, pskIdentity := range pskIdentities { 482 // TODO(svaldez): Check the obfuscatedTicketAge before accepting 0-RTT. 483 sessionState, ok := c.decryptTicket(pskIdentity.ticket) 484 if !ok { 485 continue 486 } 487 488 if !config.Bugs.AcceptAnySession { 489 if sessionState.vers != c.vers { 490 continue 491 } 492 if sessionState.ticketExpiration.Before(c.config.time()) { 493 continue 494 } 495 sessionCipher := cipherSuiteFromID(sessionState.cipherSuite) 496 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 497 continue 498 } 499 } 500 501 clientTicketAge := time.Duration(uint32(pskIdentity.obfuscatedTicketAge-sessionState.ticketAgeAdd)) * time.Millisecond 502 if config.Bugs.ExpectTicketAge != 0 && clientTicketAge != config.Bugs.ExpectTicketAge { 503 c.sendAlert(alertHandshakeFailure) 504 return errors.New("tls: invalid ticket age") 505 } 506 507 if !replacedPSKIdentities { 508 binderToVerify := hs.clientHello.pskBinders[i] 509 if err := verifyPSKBinder(c.wireVersion, hs.clientHello, sessionState, binderToVerify, []byte{}, []byte{}); err != nil { 510 return err 511 } 512 } 513 514 hs.sessionState = sessionState 515 hs.hello.hasPSKIdentity = true 516 hs.hello.pskIdentity = uint16(i) 517 pskIndex = i 518 if config.Bugs.SelectPSKIdentityOnResume != 0 { 519 hs.hello.pskIdentity = config.Bugs.SelectPSKIdentityOnResume 520 } 521 c.didResume = true 522 break 523 } 524 } 525 526 if config.Bugs.AlwaysSelectPSKIdentity { 527 hs.hello.hasPSKIdentity = true 528 hs.hello.pskIdentity = 0 529 } 530 531 // Resolve PSK and compute the early secret. 532 if hs.sessionState != nil { 533 hs.finishedHash.addEntropy(hs.sessionState.masterSecret) 534 } else { 535 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 536 } 537 538 hs.hello.hasKeyShare = true 539 if hs.sessionState != nil && config.Bugs.NegotiatePSKResumption { 540 hs.hello.hasKeyShare = false 541 } 542 if config.Bugs.MissingKeyShare { 543 hs.hello.hasKeyShare = false 544 } 545 546 firstHelloRetryRequest := true 547 548ResendHelloRetryRequest: 549 var sendHelloRetryRequest bool 550 cipherSuite := hs.suite.id 551 if config.Bugs.SendHelloRetryRequestCipherSuite != 0 { 552 cipherSuite = config.Bugs.SendHelloRetryRequestCipherSuite 553 } 554 helloRetryRequest := &helloRetryRequestMsg{ 555 vers: c.wireVersion, 556 sessionID: hs.clientHello.sessionID, 557 cipherSuite: cipherSuite, 558 compressionMethod: config.Bugs.SendCompressionMethod, 559 duplicateExtensions: config.Bugs.DuplicateHelloRetryRequestExtensions, 560 } 561 562 if config.Bugs.AlwaysSendHelloRetryRequest { 563 sendHelloRetryRequest = true 564 } 565 566 if config.Bugs.SendHelloRetryRequestCookie != nil { 567 sendHelloRetryRequest = true 568 helloRetryRequest.cookie = config.Bugs.SendHelloRetryRequestCookie 569 } 570 571 if len(config.Bugs.CustomHelloRetryRequestExtension) > 0 { 572 sendHelloRetryRequest = true 573 helloRetryRequest.customExtension = config.Bugs.CustomHelloRetryRequestExtension 574 } 575 576 var selectedKeyShare *keyShareEntry 577 if hs.hello.hasKeyShare { 578 // Look for the key share corresponding to our selected curve. 579 for i := range hs.clientHello.keyShares { 580 if hs.clientHello.keyShares[i].group == selectedCurve { 581 selectedKeyShare = &hs.clientHello.keyShares[i] 582 break 583 } 584 } 585 586 if config.Bugs.ExpectMissingKeyShare && selectedKeyShare != nil { 587 return errors.New("tls: expected missing key share") 588 } 589 590 if selectedKeyShare == nil { 591 helloRetryRequest.hasSelectedGroup = true 592 helloRetryRequest.selectedGroup = selectedCurve 593 sendHelloRetryRequest = true 594 } 595 } 596 597 if config.Bugs.SendHelloRetryRequestCurve != 0 { 598 helloRetryRequest.hasSelectedGroup = true 599 helloRetryRequest.selectedGroup = config.Bugs.SendHelloRetryRequestCurve 600 sendHelloRetryRequest = true 601 } 602 603 if config.Bugs.SkipHelloRetryRequest { 604 sendHelloRetryRequest = false 605 } 606 607 if sendHelloRetryRequest { 608 if err := hs.finishedHash.UpdateForHelloRetryRequest(); err != nil { 609 return err 610 } 611 612 oldClientHelloBytes := hs.clientHello.marshal() 613 hs.writeServerHash(helloRetryRequest.marshal()) 614 if c.config.Bugs.PartialServerHelloWithHelloRetryRequest { 615 data := helloRetryRequest.marshal() 616 c.writeRecord(recordTypeHandshake, append(data[:len(data):len(data)], typeServerHello)) 617 } else { 618 c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()) 619 } 620 c.flushHandshake() 621 622 if !c.config.Bugs.SkipChangeCipherSpec { 623 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 624 } 625 626 if hs.clientHello.hasEarlyData { 627 c.setSkipEarlyData() 628 } 629 630 // Read new ClientHello. 631 newMsg, err := c.readHandshake() 632 if err != nil { 633 return err 634 } 635 newClientHello, ok := newMsg.(*clientHelloMsg) 636 if !ok { 637 c.sendAlert(alertUnexpectedMessage) 638 return unexpectedMessageError(newClientHello, newMsg) 639 } 640 hs.writeClientHash(newClientHello.marshal()) 641 642 if config.Bugs.ExpectNoTLS13PSKAfterHRR && len(newClientHello.pskIdentities) > 0 { 643 return fmt.Errorf("tls: client offered unexpected PSK identities after HelloRetryRequest") 644 } 645 646 applyBugsToClientHello(newClientHello, config) 647 648 // Check that the new ClientHello matches the old ClientHello, 649 // except for relevant modifications. See RFC 8446, section 4.1.2. 650 ignoreExtensions := []uint16{extensionPadding} 651 652 if helloRetryRequest.hasSelectedGroup { 653 newKeyShares := newClientHello.keyShares 654 if len(newKeyShares) != 1 || newKeyShares[0].group != helloRetryRequest.selectedGroup { 655 return errors.New("tls: KeyShare from HelloRetryRequest not in new ClientHello") 656 } 657 selectedKeyShare = &newKeyShares[0] 658 ignoreExtensions = append(ignoreExtensions, extensionKeyShare) 659 } 660 661 if len(helloRetryRequest.cookie) > 0 { 662 if !bytes.Equal(newClientHello.tls13Cookie, helloRetryRequest.cookie) { 663 return errors.New("tls: cookie from HelloRetryRequest not present in new ClientHello") 664 } 665 ignoreExtensions = append(ignoreExtensions, extensionCookie) 666 } 667 668 // The second ClientHello refreshes binders, and may drop PSK identities 669 // that are no longer consistent with the cipher suite. 670 oldPSKIdentities := hs.clientHello.pskIdentities 671 for _, identity := range newClientHello.pskIdentities { 672 // Skip to the matching PSK identity in oldPSKIdentities. 673 for len(oldPSKIdentities) > 0 && !bytes.Equal(oldPSKIdentities[0].ticket, identity.ticket) { 674 oldPSKIdentities = oldPSKIdentities[1:] 675 } 676 // The identity now either matches, or oldPSKIdentities is empty. 677 if len(oldPSKIdentities) == 0 { 678 return errors.New("tls: unexpected PSK identity in second ClientHello") 679 } 680 oldPSKIdentities = oldPSKIdentities[1:] 681 } 682 ignoreExtensions = append(ignoreExtensions, extensionPreSharedKey) 683 684 // Update the index for the identity we resumed. The client may have 685 // dropped some entries. 686 if hs.sessionState != nil { 687 var found bool 688 ticket := hs.clientHello.pskIdentities[pskIndex].ticket 689 for i, identity := range newClientHello.pskIdentities { 690 if bytes.Equal(identity.ticket, ticket) { 691 found = true 692 pskIndex = i 693 break 694 } 695 } 696 if found { 697 binderToVerify := newClientHello.pskBinders[pskIndex] 698 if err := verifyPSKBinder(c.wireVersion, newClientHello, hs.sessionState, binderToVerify, oldClientHelloBytes, helloRetryRequest.marshal()); err != nil { 699 return err 700 } 701 } else if !config.Bugs.AcceptAnySession { 702 // If AcceptAnySession is set, the client may have already noticed 703 // the selected session is incompatible with the HelloRetryRequest 704 // and correctly dropped the PSK identity. We may also have 705 // attempted to resume a session from the TLS 1.2 extension. 706 return errors.New("tls: second ClientHello is missing selected session") 707 } 708 } 709 710 // The second ClientHello must stop offering early data. 711 if newClientHello.hasEarlyData { 712 return errors.New("tls: EarlyData sent in new ClientHello") 713 } 714 ignoreExtensions = append(ignoreExtensions, extensionEarlyData) 715 716 if err := checkClientHellosEqual(hs.clientHello.raw, newClientHello.raw, c.isDTLS, ignoreExtensions); err != nil { 717 return err 718 } 719 720 if firstHelloRetryRequest && config.Bugs.SecondHelloRetryRequest { 721 firstHelloRetryRequest = false 722 goto ResendHelloRetryRequest 723 } 724 } 725 726 // Decide whether or not to accept early data. 727 if !sendHelloRetryRequest && hs.clientHello.hasEarlyData { 728 if !config.Bugs.AlwaysRejectEarlyData && hs.sessionState != nil { 729 if hs.sessionState.cipherSuite == hs.suite.id && 730 c.clientProtocol == string(hs.sessionState.earlyALPN) && 731 c.hasApplicationSettings == hs.sessionState.hasApplicationSettings && 732 bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) { 733 encryptedExtensions.extensions.hasEarlyData = true 734 } 735 if config.Bugs.AlwaysAcceptEarlyData { 736 encryptedExtensions.extensions.hasEarlyData = true 737 } 738 } 739 if encryptedExtensions.extensions.hasEarlyData { 740 earlyTrafficSecret := hs.finishedHash.deriveSecret(earlyTrafficLabel) 741 c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabel) 742 743 // Applications are implicit with early data. 744 if !config.Bugs.SendApplicationSettingsWithEarlyData { 745 encryptedExtensions.extensions.hasApplicationSettings = false 746 encryptedExtensions.extensions.applicationSettings = nil 747 } 748 749 sessionCipher := cipherSuiteFromID(hs.sessionState.cipherSuite) 750 if err := c.useInTrafficSecret(encryptionEarlyData, c.wireVersion, sessionCipher, earlyTrafficSecret); err != nil { 751 return err 752 } 753 754 for _, expectedMsg := range config.Bugs.ExpectEarlyData { 755 if err := c.readRecord(recordTypeApplicationData); err != nil { 756 return err 757 } 758 msg := c.input.data[c.input.off:] 759 if !bytes.Equal(msg, expectedMsg) { 760 return fmt.Errorf("tls: got early data record %x, wanted %x", msg, expectedMsg) 761 } 762 c.in.freeBlock(c.input) 763 c.input = nil 764 } 765 } else { 766 c.setSkipEarlyData() 767 } 768 } 769 770 if config.Bugs.SendEarlyDataExtension { 771 encryptedExtensions.extensions.hasEarlyData = true 772 } 773 774 // Resolve ECDHE and compute the handshake secret. 775 if hs.hello.hasKeyShare { 776 // Once a curve has been selected and a key share identified, 777 // the server needs to generate a public value and send it in 778 // the ServerHello. 779 curve, ok := curveForCurveID(selectedCurve, config) 780 if !ok { 781 panic("tls: server failed to look up curve ID") 782 } 783 c.curveID = selectedCurve 784 785 var peerKey []byte 786 if config.Bugs.SkipHelloRetryRequest { 787 // If skipping HelloRetryRequest, use a random key to 788 // avoid crashing. 789 curve2, _ := curveForCurveID(selectedCurve, config) 790 var err error 791 peerKey, err = curve2.offer(config.rand()) 792 if err != nil { 793 return err 794 } 795 } else { 796 peerKey = selectedKeyShare.keyExchange 797 } 798 799 publicKey, ecdheSecret, err := curve.accept(config.rand(), peerKey) 800 if err != nil { 801 c.sendAlert(alertHandshakeFailure) 802 return err 803 } 804 hs.finishedHash.nextSecret() 805 hs.finishedHash.addEntropy(ecdheSecret) 806 hs.hello.hasKeyShare = true 807 808 curveID := selectedCurve 809 if c.config.Bugs.SendCurve != 0 { 810 curveID = config.Bugs.SendCurve 811 } 812 if c.config.Bugs.InvalidECDHPoint { 813 publicKey[0] ^= 0xff 814 } 815 816 hs.hello.keyShare = keyShareEntry{ 817 group: curveID, 818 keyExchange: publicKey, 819 } 820 821 if config.Bugs.EncryptedExtensionsWithKeyShare { 822 encryptedExtensions.extensions.hasKeyShare = true 823 encryptedExtensions.extensions.keyShare = keyShareEntry{ 824 group: curveID, 825 keyExchange: publicKey, 826 } 827 } 828 } else { 829 hs.finishedHash.nextSecret() 830 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 831 } 832 833 // Send unencrypted ServerHello. 834 helloBytes := hs.hello.marshal() 835 hs.writeServerHash(helloBytes) 836 if config.Bugs.PartialServerHelloWithHelloRetryRequest { 837 // The first byte has already been written. 838 helloBytes = helloBytes[1:] 839 } 840 if config.Bugs.PartialEncryptedExtensionsWithServerHello { 841 c.writeRecord(recordTypeHandshake, append(helloBytes[:len(helloBytes):len(helloBytes)], typeEncryptedExtensions)) 842 } else { 843 c.writeRecord(recordTypeHandshake, helloBytes) 844 } 845 c.flushHandshake() 846 847 if !c.config.Bugs.SkipChangeCipherSpec && !sendHelloRetryRequest { 848 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 849 } 850 851 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 852 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 853 } 854 855 // Switch to handshake traffic keys. 856 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 857 c.useOutTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, serverHandshakeTrafficSecret) 858 // Derive handshake traffic read key, but don't switch yet. 859 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 860 861 // Send EncryptedExtensions. 862 hs.writeServerHash(encryptedExtensions.marshal()) 863 if config.Bugs.PartialEncryptedExtensionsWithServerHello { 864 // The first byte has already been sent. 865 c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()[1:]) 866 } else { 867 c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()) 868 } 869 870 if hs.sessionState == nil { 871 if config.ClientAuth >= RequestClientCert { 872 // Request a client certificate 873 certReq := &certificateRequestMsg{ 874 vers: c.wireVersion, 875 hasSignatureAlgorithm: !config.Bugs.OmitCertificateRequestAlgorithms, 876 hasRequestContext: true, 877 requestContext: config.Bugs.SendRequestContext, 878 customExtension: config.Bugs.SendCustomCertificateRequest, 879 } 880 if !config.Bugs.NoSignatureAlgorithms { 881 certReq.signatureAlgorithms = config.verifySignatureAlgorithms() 882 } 883 884 // An empty list of certificateAuthorities signals to 885 // the client that it may send any certificate in response 886 // to our request. When we know the CAs we trust, then 887 // we can send them down, so that the client can choose 888 // an appropriate certificate to give to us. 889 if config.ClientCAs != nil { 890 certReq.certificateAuthorities = config.ClientCAs.Subjects() 891 } 892 hs.writeServerHash(certReq.marshal()) 893 c.writeRecord(recordTypeHandshake, certReq.marshal()) 894 } 895 896 certMsg := &certificateMsg{ 897 hasRequestContext: true, 898 } 899 if !config.Bugs.EmptyCertificateList { 900 for i, certData := range hs.cert.Certificate { 901 cert := certificateEntry{ 902 data: certData, 903 } 904 if i == 0 { 905 if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling { 906 cert.ocspResponse = hs.cert.OCSPStaple 907 } 908 if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps { 909 cert.sctList = hs.cert.SignedCertificateTimestampList 910 } 911 cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions 912 cert.extraExtension = config.Bugs.SendExtensionOnCertificate 913 } else { 914 if config.Bugs.SendOCSPOnIntermediates != nil { 915 cert.ocspResponse = config.Bugs.SendOCSPOnIntermediates 916 } 917 if config.Bugs.SendSCTOnIntermediates != nil { 918 cert.sctList = config.Bugs.SendSCTOnIntermediates 919 } 920 } 921 certMsg.certificates = append(certMsg.certificates, cert) 922 } 923 } 924 certMsgBytes := certMsg.marshal() 925 sentCompressedCertMsg := false 926 927 FindCertCompressionAlg: 928 for candidate, alg := range c.config.CertCompressionAlgs { 929 for _, id := range hs.clientHello.compressedCertAlgs { 930 if id == candidate { 931 if expected := config.Bugs.ExpectedCompressedCert; expected != 0 && expected != id { 932 return fmt.Errorf("expected to send compressed cert with alg %d, but picked %d", expected, id) 933 } 934 935 if override := config.Bugs.SendCertCompressionAlgID; override != 0 { 936 id = override 937 } 938 939 uncompressed := certMsgBytes[4:] 940 uncompressedLen := uint32(len(uncompressed)) 941 if override := config.Bugs.SendCertUncompressedLength; override != 0 { 942 uncompressedLen = override 943 } 944 945 compressedCertMsgBytes := (&compressedCertificateMsg{ 946 algID: id, 947 uncompressedLength: uncompressedLen, 948 compressed: alg.Compress(uncompressed), 949 }).marshal() 950 951 hs.writeServerHash(compressedCertMsgBytes) 952 c.writeRecord(recordTypeHandshake, compressedCertMsgBytes) 953 sentCompressedCertMsg = true 954 break FindCertCompressionAlg 955 } 956 } 957 } 958 959 if !sentCompressedCertMsg { 960 if config.Bugs.ExpectedCompressedCert != 0 { 961 return errors.New("unexpectedly sent uncompressed certificate") 962 } 963 hs.writeServerHash(certMsgBytes) 964 c.writeRecord(recordTypeHandshake, certMsgBytes) 965 } 966 967 certVerify := &certificateVerifyMsg{ 968 hasSignatureAlgorithm: true, 969 } 970 971 // Determine the hash to sign. 972 privKey := hs.cert.PrivateKey 973 974 var err error 975 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, config, hs.clientHello.signatureAlgorithms) 976 if err != nil { 977 c.sendAlert(alertInternalError) 978 return err 979 } 980 981 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 982 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 983 if err != nil { 984 c.sendAlert(alertInternalError) 985 return err 986 } 987 988 if config.Bugs.SendSignatureAlgorithm != 0 { 989 certVerify.signatureAlgorithm = config.Bugs.SendSignatureAlgorithm 990 } 991 992 if !config.Bugs.SkipCertificateVerify { 993 hs.writeServerHash(certVerify.marshal()) 994 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 995 } 996 } else if hs.sessionState != nil { 997 // Pick up certificates from the session instead. 998 if len(hs.sessionState.certificates) > 0 { 999 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 1000 return err 1001 } 1002 } 1003 } 1004 1005 finished := new(finishedMsg) 1006 finished.verifyData = hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 1007 if config.Bugs.BadFinished { 1008 finished.verifyData[0]++ 1009 } 1010 hs.writeServerHash(finished.marshal()) 1011 c.writeRecord(recordTypeHandshake, finished.marshal()) 1012 if c.config.Bugs.SendExtraFinished { 1013 c.writeRecord(recordTypeHandshake, finished.marshal()) 1014 } 1015 c.flushHandshake() 1016 1017 if encryptedExtensions.extensions.hasEarlyData && !c.shouldSkipEarlyData() { 1018 for _, expectedMsg := range config.Bugs.ExpectLateEarlyData { 1019 if err := c.readRecord(recordTypeApplicationData); err != nil { 1020 return err 1021 } 1022 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 1023 return errors.New("ExpectLateEarlyData: did not get expected message") 1024 } 1025 c.in.freeBlock(c.input) 1026 c.input = nil 1027 } 1028 } 1029 1030 // The various secrets do not incorporate the client's final leg, so 1031 // derive them now before updating the handshake context. 1032 hs.finishedHash.nextSecret() 1033 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 1034 1035 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 1036 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 1037 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 1038 1039 // Switch to application data keys on write. In particular, any alerts 1040 // from the client certificate are sent over these keys. 1041 c.useOutTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, serverTrafficSecret) 1042 1043 // Send 0.5-RTT messages. 1044 for _, halfRTTMsg := range config.Bugs.SendHalfRTTData { 1045 if _, err := c.writeRecord(recordTypeApplicationData, halfRTTMsg); err != nil { 1046 return err 1047 } 1048 } 1049 1050 // Read end_of_early_data. 1051 if encryptedExtensions.extensions.hasEarlyData && config.Bugs.MockQUICTransport == nil { 1052 msg, err := c.readHandshake() 1053 if err != nil { 1054 return err 1055 } 1056 1057 endOfEarlyData, ok := msg.(*endOfEarlyDataMsg) 1058 if !ok { 1059 c.sendAlert(alertUnexpectedMessage) 1060 return unexpectedMessageError(endOfEarlyData, msg) 1061 } 1062 hs.writeClientHash(endOfEarlyData.marshal()) 1063 } 1064 1065 // Switch input stream to handshake traffic keys. 1066 if err := c.useInTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, clientHandshakeTrafficSecret); err != nil { 1067 return err 1068 } 1069 1070 // If we sent an ALPS extension, the client must respond with one. 1071 if encryptedExtensions.extensions.hasApplicationSettings { 1072 msg, err := c.readHandshake() 1073 if err != nil { 1074 return err 1075 } 1076 clientEncryptedExtensions, ok := msg.(*clientEncryptedExtensionsMsg) 1077 if !ok { 1078 c.sendAlert(alertUnexpectedMessage) 1079 return unexpectedMessageError(clientEncryptedExtensions, msg) 1080 } 1081 hs.writeClientHash(clientEncryptedExtensions.marshal()) 1082 1083 if !clientEncryptedExtensions.hasApplicationSettings { 1084 c.sendAlert(alertMissingExtension) 1085 return errors.New("tls: client didn't provide application settings") 1086 } 1087 c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings 1088 } else if encryptedExtensions.extensions.hasEarlyData { 1089 // 0-RTT sessions carry application settings over. 1090 c.peerApplicationSettings = hs.sessionState.peerApplicationSettings 1091 } 1092 1093 // If we requested a client certificate, then the client must send a 1094 // certificate message, even if it's empty. 1095 if config.ClientAuth >= RequestClientCert { 1096 msg, err := c.readHandshake() 1097 if err != nil { 1098 return err 1099 } 1100 1101 certMsg, ok := msg.(*certificateMsg) 1102 if !ok { 1103 c.sendAlert(alertUnexpectedMessage) 1104 return unexpectedMessageError(certMsg, msg) 1105 } 1106 hs.writeClientHash(certMsg.marshal()) 1107 1108 if len(certMsg.certificates) == 0 { 1109 // The client didn't actually send a certificate 1110 switch config.ClientAuth { 1111 case RequireAnyClientCert, RequireAndVerifyClientCert: 1112 c.sendAlert(alertCertificateRequired) 1113 return errors.New("tls: client didn't provide a certificate") 1114 } 1115 } 1116 1117 var certs [][]byte 1118 for _, cert := range certMsg.certificates { 1119 certs = append(certs, cert.data) 1120 // OCSP responses and SCT lists are not negotiated in 1121 // client certificates. 1122 if cert.ocspResponse != nil || cert.sctList != nil { 1123 c.sendAlert(alertUnsupportedExtension) 1124 return errors.New("tls: unexpected extensions in the client certificate") 1125 } 1126 } 1127 pub, err := hs.processCertsFromClient(certs) 1128 if err != nil { 1129 return err 1130 } 1131 1132 if len(c.peerCertificates) > 0 { 1133 msg, err = c.readHandshake() 1134 if err != nil { 1135 return err 1136 } 1137 1138 certVerify, ok := msg.(*certificateVerifyMsg) 1139 if !ok { 1140 c.sendAlert(alertUnexpectedMessage) 1141 return unexpectedMessageError(certVerify, msg) 1142 } 1143 1144 c.peerSignatureAlgorithm = certVerify.signatureAlgorithm 1145 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1146 if err := verifyMessage(c.vers, pub, config, certVerify.signatureAlgorithm, input, certVerify.signature); err != nil { 1147 c.sendAlert(alertBadCertificate) 1148 return err 1149 } 1150 hs.writeClientHash(certVerify.marshal()) 1151 } 1152 } 1153 1154 if encryptedExtensions.extensions.channelIDRequested { 1155 msg, err := c.readHandshake() 1156 if err != nil { 1157 return err 1158 } 1159 channelIDMsg, ok := msg.(*channelIDMsg) 1160 if !ok { 1161 c.sendAlert(alertUnexpectedMessage) 1162 return unexpectedMessageError(channelIDMsg, msg) 1163 } 1164 channelIDHash := crypto.SHA256.New() 1165 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1166 channelID, err := verifyChannelIDMessage(channelIDMsg, channelIDHash.Sum(nil)) 1167 if err != nil { 1168 return err 1169 } 1170 c.channelID = channelID 1171 1172 hs.writeClientHash(channelIDMsg.marshal()) 1173 } 1174 1175 // Read the client Finished message. 1176 msg, err := c.readHandshake() 1177 if err != nil { 1178 return err 1179 } 1180 clientFinished, ok := msg.(*finishedMsg) 1181 if !ok { 1182 c.sendAlert(alertUnexpectedMessage) 1183 return unexpectedMessageError(clientFinished, msg) 1184 } 1185 1186 verify := hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1187 if len(verify) != len(clientFinished.verifyData) || 1188 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 1189 c.sendAlert(alertHandshakeFailure) 1190 return errors.New("tls: client's Finished message was incorrect") 1191 } 1192 hs.writeClientHash(clientFinished.marshal()) 1193 1194 // Switch to application data keys on read. 1195 if err := c.useInTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, clientTrafficSecret); err != nil { 1196 return err 1197 } 1198 1199 c.cipherSuite = hs.suite 1200 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1201 1202 // TODO(davidben): Allow configuring the number of tickets sent for 1203 // testing. 1204 if !c.config.SessionTicketsDisabled && foundKEMode { 1205 ticketCount := 2 1206 for i := 0; i < ticketCount; i++ { 1207 c.SendNewSessionTicket([]byte{byte(i)}) 1208 } 1209 } 1210 return nil 1211} 1212 1213// processClientHello processes the ClientHello message from the client and 1214// decides whether we will perform session resumption. 1215func (hs *serverHandshakeState) processClientHello() (isResume bool, err error) { 1216 config := hs.c.config 1217 c := hs.c 1218 1219 hs.hello = &serverHelloMsg{ 1220 isDTLS: c.isDTLS, 1221 vers: c.wireVersion, 1222 versOverride: config.Bugs.SendServerHelloVersion, 1223 compressionMethod: config.Bugs.SendCompressionMethod, 1224 extensions: serverExtensions{ 1225 supportedVersion: config.Bugs.SendServerSupportedVersionExtension, 1226 }, 1227 omitExtensions: config.Bugs.OmitExtensions, 1228 emptyExtensions: config.Bugs.EmptyExtensions, 1229 } 1230 1231 hs.hello.random = make([]byte, 32) 1232 _, err = io.ReadFull(config.rand(), hs.hello.random) 1233 if err != nil { 1234 c.sendAlert(alertInternalError) 1235 return false, err 1236 } 1237 1238 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) 1239 1240 // Signal downgrades in the server random, per RFC 8446, section 4.1.3. 1241 if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom { 1242 if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 { 1243 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13) 1244 } 1245 if c.vers <= VersionTLS11 && config.maxVersion(c.isDTLS) == VersionTLS12 { 1246 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12) 1247 } 1248 } 1249 if config.Bugs.SendJDK11DowngradeRandom { 1250 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeJDK11) 1251 } 1252 1253 if len(hs.clientHello.sessionID) == 0 && c.config.Bugs.ExpectClientHelloSessionID { 1254 return false, errors.New("tls: expected non-empty session ID from client") 1255 } 1256 1257 foundCompression := false 1258 // We only support null compression, so check that the client offered it. 1259 for _, compression := range hs.clientHello.compressionMethods { 1260 if compression == compressionNone { 1261 foundCompression = true 1262 break 1263 } 1264 } 1265 1266 if !foundCompression { 1267 c.sendAlert(alertHandshakeFailure) 1268 return false, errors.New("tls: client does not support uncompressed connections") 1269 } 1270 1271 if err := hs.processClientExtensions(&hs.hello.extensions); err != nil { 1272 return false, err 1273 } 1274 1275 supportedCurve := false 1276 preferredCurves := config.curvePreferences() 1277Curves: 1278 for _, curve := range hs.clientHello.supportedCurves { 1279 if isPqGroup(curve) && c.vers < VersionTLS13 { 1280 // CECPQ2 is TLS 1.3-only. 1281 continue 1282 } 1283 1284 for _, supported := range preferredCurves { 1285 if supported == curve { 1286 supportedCurve = true 1287 break Curves 1288 } 1289 } 1290 } 1291 1292 supportedPointFormat := false 1293 for _, pointFormat := range hs.clientHello.supportedPoints { 1294 if pointFormat == pointFormatUncompressed { 1295 supportedPointFormat = true 1296 break 1297 } 1298 } 1299 hs.ellipticOk = supportedCurve && supportedPointFormat 1300 1301 _, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey) 1302 // Ed25519 also uses ECDSA certificates. 1303 _, ed25519Ok := hs.cert.PrivateKey.(ed25519.PrivateKey) 1304 hs.ecdsaOk = hs.ecdsaOk || ed25519Ok 1305 1306 // For test purposes, check that the peer never offers a session when 1307 // renegotiating. 1308 if c.cipherSuite != nil && len(hs.clientHello.sessionID) > 0 && c.config.Bugs.FailIfResumeOnRenego { 1309 return false, errors.New("tls: offered resumption on renegotiation") 1310 } 1311 1312 if c.config.Bugs.FailIfSessionOffered && (len(hs.clientHello.sessionTicket) > 0 || len(hs.clientHello.sessionID) > 0) { 1313 return false, errors.New("tls: client offered a session ticket or ID") 1314 } 1315 1316 if hs.checkForResumption() { 1317 return true, nil 1318 } 1319 1320 var preferenceList, supportedList []uint16 1321 if c.config.PreferServerCipherSuites { 1322 preferenceList = c.config.cipherSuites() 1323 supportedList = hs.clientHello.cipherSuites 1324 } else { 1325 preferenceList = hs.clientHello.cipherSuites 1326 supportedList = c.config.cipherSuites() 1327 } 1328 1329 for _, id := range preferenceList { 1330 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil { 1331 break 1332 } 1333 } 1334 1335 if hs.suite == nil { 1336 c.sendAlert(alertHandshakeFailure) 1337 return false, errors.New("tls: no cipher suite supported by both client and server") 1338 } 1339 1340 return false, nil 1341} 1342 1343// processClientExtensions processes all ClientHello extensions not directly 1344// related to cipher suite negotiation and writes responses in serverExtensions. 1345func (hs *serverHandshakeState) processClientExtensions(serverExtensions *serverExtensions) error { 1346 config := hs.c.config 1347 c := hs.c 1348 1349 if c.vers < VersionTLS13 || config.Bugs.NegotiateRenegotiationInfoAtAllVersions { 1350 if !bytes.Equal(c.clientVerify, hs.clientHello.secureRenegotiation) { 1351 c.sendAlert(alertHandshakeFailure) 1352 return errors.New("tls: renegotiation mismatch") 1353 } 1354 1355 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 1356 serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.clientVerify...) 1357 serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.serverVerify...) 1358 if c.config.Bugs.BadRenegotiationInfo { 1359 serverExtensions.secureRenegotiation[0] ^= 0x80 1360 } 1361 if c.config.Bugs.BadRenegotiationInfoEnd { 1362 serverExtensions.secureRenegotiation[len(serverExtensions.secureRenegotiation)-1] ^= 0x80 1363 } 1364 } else { 1365 serverExtensions.secureRenegotiation = hs.clientHello.secureRenegotiation 1366 } 1367 1368 if c.noRenegotiationInfo() { 1369 serverExtensions.secureRenegotiation = nil 1370 } 1371 } 1372 1373 serverExtensions.duplicateExtension = c.config.Bugs.DuplicateExtension 1374 1375 if len(hs.clientHello.serverName) > 0 { 1376 c.serverName = hs.clientHello.serverName 1377 } 1378 if len(config.Certificates) == 0 { 1379 c.sendAlert(alertInternalError) 1380 return errors.New("tls: no certificates configured") 1381 } 1382 hs.cert = &config.Certificates[0] 1383 if len(hs.clientHello.serverName) > 0 { 1384 hs.cert = config.getCertificateForName(hs.clientHello.serverName) 1385 } 1386 if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName { 1387 return errors.New("tls: unexpected server name") 1388 } 1389 1390 if cert := config.Bugs.RenegotiationCertificate; c.cipherSuite != nil && cert != nil { 1391 hs.cert = cert 1392 } 1393 1394 if len(hs.clientHello.alpnProtocols) > 0 { 1395 // We will never offer ALPN as a client on renegotiation 1396 // handshakes. 1397 if len(c.clientVerify) > 0 { 1398 return errors.New("tls: offered ALPN on renegotiation") 1399 } 1400 if proto := c.config.Bugs.ALPNProtocol; proto != nil { 1401 serverExtensions.alpnProtocol = *proto 1402 serverExtensions.alpnProtocolEmpty = len(*proto) == 0 1403 c.clientProtocol = *proto 1404 c.usedALPN = true 1405 } else if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 1406 serverExtensions.alpnProtocol = selectedProto 1407 c.clientProtocol = selectedProto 1408 c.usedALPN = true 1409 } 1410 1411 var alpsAllowed bool 1412 if c.vers >= VersionTLS13 { 1413 for _, proto := range hs.clientHello.alpsProtocols { 1414 if proto == c.clientProtocol { 1415 alpsAllowed = true 1416 break 1417 } 1418 } 1419 } 1420 if c.config.Bugs.AlwaysNegotiateApplicationSettings { 1421 alpsAllowed = true 1422 } 1423 if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowed { 1424 c.hasApplicationSettings = true 1425 c.localApplicationSettings = settings 1426 // Note these fields may later be cleared we accept 0-RTT. 1427 serverExtensions.hasApplicationSettings = true 1428 serverExtensions.applicationSettings = settings 1429 } 1430 } 1431 1432 if len(c.config.Bugs.SendALPN) > 0 { 1433 serverExtensions.alpnProtocol = c.config.Bugs.SendALPN 1434 } 1435 1436 if c.vers < VersionTLS13 || config.Bugs.NegotiateNPNAtAllVersions { 1437 if len(hs.clientHello.alpnProtocols) == 0 || c.config.Bugs.NegotiateALPNAndNPN { 1438 // Although sending an empty NPN extension is reasonable, Firefox has 1439 // had a bug around this. Best to send nothing at all if 1440 // config.NextProtos is empty. See 1441 // https://code.google.com/p/go/issues/detail?id=5445. 1442 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 { 1443 serverExtensions.nextProtoNeg = true 1444 serverExtensions.nextProtos = config.NextProtos 1445 serverExtensions.npnAfterAlpn = config.Bugs.SwapNPNAndALPN 1446 } 1447 } 1448 } 1449 1450 if len(hs.clientHello.quicTransportParams) > 0 { 1451 c.quicTransportParams = hs.clientHello.quicTransportParams 1452 } 1453 if c.config.QUICTransportParamsUseLegacyCodepoint.IncludeStandard() { 1454 serverExtensions.quicTransportParams = c.config.QUICTransportParams 1455 } 1456 1457 if len(hs.clientHello.quicTransportParamsLegacy) > 0 { 1458 c.quicTransportParamsLegacy = hs.clientHello.quicTransportParamsLegacy 1459 } 1460 if c.config.QUICTransportParamsUseLegacyCodepoint.IncludeLegacy() { 1461 serverExtensions.quicTransportParamsLegacy = c.config.QUICTransportParams 1462 } 1463 1464 if c.vers < VersionTLS13 || config.Bugs.NegotiateEMSAtAllVersions { 1465 disableEMS := config.Bugs.NoExtendedMasterSecret 1466 if c.cipherSuite != nil { 1467 disableEMS = config.Bugs.NoExtendedMasterSecretOnRenegotiation 1468 } 1469 serverExtensions.extendedMasterSecret = c.vers >= VersionTLS10 && hs.clientHello.extendedMasterSecret && !disableEMS 1470 } 1471 1472 if hs.clientHello.channelIDSupported && config.RequestChannelID { 1473 serverExtensions.channelIDRequested = true 1474 } 1475 1476 if config.TokenBindingParams != nil { 1477 if !bytes.Equal(config.ExpectTokenBindingParams, hs.clientHello.tokenBindingParams) { 1478 return errors.New("client did not send expected token binding params") 1479 } 1480 1481 // For testing, blindly send whatever is set in config, even if 1482 // it is invalid. 1483 serverExtensions.tokenBindingParams = config.TokenBindingParams 1484 serverExtensions.tokenBindingVersion = config.TokenBindingVersion 1485 } 1486 1487 if c.vers < VersionTLS13 && len(hs.clientHello.tokenBindingParams) > 0 && (!hs.clientHello.extendedMasterSecret || hs.clientHello.secureRenegotiation == nil) { 1488 return errors.New("client sent Token Binding without EMS and/or RI") 1489 } 1490 1491 if hs.clientHello.srtpProtectionProfiles != nil { 1492 SRTPLoop: 1493 for _, p1 := range c.config.SRTPProtectionProfiles { 1494 for _, p2 := range hs.clientHello.srtpProtectionProfiles { 1495 if p1 == p2 { 1496 serverExtensions.srtpProtectionProfile = p1 1497 c.srtpProtectionProfile = p1 1498 break SRTPLoop 1499 } 1500 } 1501 } 1502 } 1503 1504 if c.config.Bugs.SendSRTPProtectionProfile != 0 { 1505 serverExtensions.srtpProtectionProfile = c.config.Bugs.SendSRTPProtectionProfile 1506 } 1507 1508 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1509 if hs.clientHello.customExtension != *expected { 1510 return fmt.Errorf("tls: bad custom extension contents %q", hs.clientHello.customExtension) 1511 } 1512 } 1513 serverExtensions.customExtension = config.Bugs.CustomExtension 1514 1515 if c.config.Bugs.AdvertiseTicketExtension { 1516 serverExtensions.ticketSupported = true 1517 } 1518 1519 if c.config.Bugs.SendSupportedPointFormats != nil { 1520 serverExtensions.supportedPoints = c.config.Bugs.SendSupportedPointFormats 1521 } 1522 1523 if c.config.Bugs.SendServerSupportedCurves { 1524 serverExtensions.supportedCurves = c.config.curvePreferences() 1525 } 1526 1527 if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE { 1528 return errors.New("tls: no GREASE extension found") 1529 } 1530 1531 serverExtensions.serverNameAck = c.config.Bugs.SendServerNameAck 1532 1533 return nil 1534} 1535 1536// checkForResumption returns true if we should perform resumption on this connection. 1537func (hs *serverHandshakeState) checkForResumption() bool { 1538 c := hs.c 1539 1540 ticket := hs.clientHello.sessionTicket 1541 if len(ticket) == 0 && len(hs.clientHello.pskIdentities) > 0 && c.config.Bugs.AcceptAnySession { 1542 ticket = hs.clientHello.pskIdentities[0].ticket 1543 } 1544 if len(ticket) > 0 { 1545 if c.config.SessionTicketsDisabled { 1546 return false 1547 } 1548 1549 var ok bool 1550 if hs.sessionState, ok = c.decryptTicket(ticket); !ok { 1551 return false 1552 } 1553 } else { 1554 if c.config.ServerSessionCache == nil { 1555 return false 1556 } 1557 1558 var ok bool 1559 sessionID := string(hs.clientHello.sessionID) 1560 if hs.sessionState, ok = c.config.ServerSessionCache.Get(sessionID); !ok { 1561 return false 1562 } 1563 } 1564 1565 if c.config.Bugs.AcceptAnySession { 1566 // Replace the cipher suite with one known to work, to test 1567 // cross-version resumption attempts. 1568 hs.sessionState.cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA 1569 } else { 1570 // Never resume a session for a different SSL version. 1571 if c.vers != hs.sessionState.vers { 1572 return false 1573 } 1574 1575 cipherSuiteOk := false 1576 // Check that the client is still offering the ciphersuite in the session. 1577 for _, id := range hs.clientHello.cipherSuites { 1578 if id == hs.sessionState.cipherSuite { 1579 cipherSuiteOk = true 1580 break 1581 } 1582 } 1583 if !cipherSuiteOk { 1584 return false 1585 } 1586 } 1587 1588 // Check that we also support the ciphersuite from the session. 1589 hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), c.vers, hs.ellipticOk, hs.ecdsaOk) 1590 1591 if hs.suite == nil { 1592 return false 1593 } 1594 1595 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 1596 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 1597 if needClientCerts && !sessionHasClientCerts { 1598 return false 1599 } 1600 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 1601 return false 1602 } 1603 1604 return true 1605} 1606 1607func (hs *serverHandshakeState) doResumeHandshake() error { 1608 c := hs.c 1609 1610 hs.hello.cipherSuite = hs.suite.id 1611 if c.config.Bugs.SendCipherSuite != 0 { 1612 hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite 1613 } 1614 // We echo the client's session ID in the ServerHello to let it know 1615 // that we're doing a resumption. 1616 hs.hello.sessionID = hs.clientHello.sessionID 1617 hs.hello.extensions.ticketSupported = c.config.Bugs.RenewTicketOnResume 1618 1619 if c.config.Bugs.SendSCTListOnResume != nil { 1620 hs.hello.extensions.sctList = c.config.Bugs.SendSCTListOnResume 1621 } 1622 1623 if c.config.Bugs.SendOCSPResponseOnResume != nil { 1624 // There is no way, syntactically, to send an OCSP response on a 1625 // resumption handshake. 1626 hs.hello.extensions.ocspStapling = true 1627 } 1628 1629 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 1630 hs.finishedHash.discardHandshakeBuffer() 1631 hs.writeClientHash(hs.clientHello.marshal()) 1632 hs.writeServerHash(hs.hello.marshal()) 1633 1634 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 1635 1636 if len(hs.sessionState.certificates) > 0 { 1637 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 1638 return err 1639 } 1640 } 1641 1642 hs.masterSecret = hs.sessionState.masterSecret 1643 c.extendedMasterSecret = hs.sessionState.extendedMasterSecret 1644 1645 return nil 1646} 1647 1648func (hs *serverHandshakeState) doFullHandshake() error { 1649 config := hs.c.config 1650 c := hs.c 1651 1652 isPSK := hs.suite.flags&suitePSK != 0 1653 if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling { 1654 hs.hello.extensions.ocspStapling = true 1655 } 1656 1657 if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps { 1658 hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList 1659 } 1660 1661 if len(c.clientVerify) > 0 && config.Bugs.SendSCTListOnRenegotiation != nil { 1662 hs.hello.extensions.sctList = config.Bugs.SendSCTListOnRenegotiation 1663 } 1664 1665 hs.hello.extensions.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled && c.vers > VersionSSL30 1666 hs.hello.cipherSuite = hs.suite.id 1667 if config.Bugs.SendCipherSuite != 0 { 1668 hs.hello.cipherSuite = config.Bugs.SendCipherSuite 1669 } 1670 c.extendedMasterSecret = hs.hello.extensions.extendedMasterSecret 1671 1672 // Generate a session ID if we're to save the session. 1673 if !hs.hello.extensions.ticketSupported && config.ServerSessionCache != nil { 1674 hs.hello.sessionID = make([]byte, 32) 1675 if _, err := io.ReadFull(config.rand(), hs.hello.sessionID); err != nil { 1676 c.sendAlert(alertInternalError) 1677 return errors.New("tls: short read from Rand: " + err.Error()) 1678 } 1679 } 1680 if config.Bugs.EchoSessionIDInFullHandshake { 1681 hs.hello.sessionID = hs.clientHello.sessionID 1682 } 1683 1684 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 1685 hs.writeClientHash(hs.clientHello.marshal()) 1686 hs.writeServerHash(hs.hello.marshal()) 1687 1688 if config.Bugs.SendSNIWarningAlert { 1689 c.SendAlert(alertLevelWarning, alertUnrecognizedName) 1690 } 1691 1692 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 1693 1694 if !isPSK { 1695 certMsg := new(certificateMsg) 1696 if !config.Bugs.EmptyCertificateList { 1697 for _, certData := range hs.cert.Certificate { 1698 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1699 data: certData, 1700 }) 1701 } 1702 } 1703 if !config.Bugs.UnauthenticatedECDH { 1704 certMsgBytes := certMsg.marshal() 1705 hs.writeServerHash(certMsgBytes) 1706 c.writeRecord(recordTypeHandshake, certMsgBytes) 1707 } 1708 } 1709 1710 if hs.hello.extensions.ocspStapling && !c.config.Bugs.SkipCertificateStatus { 1711 certStatus := new(certificateStatusMsg) 1712 certStatus.statusType = statusTypeOCSP 1713 certStatus.response = hs.cert.OCSPStaple 1714 if len(c.clientVerify) > 0 && config.Bugs.SendOCSPResponseOnRenegotiation != nil { 1715 certStatus.response = config.Bugs.SendOCSPResponseOnRenegotiation 1716 } 1717 hs.writeServerHash(certStatus.marshal()) 1718 c.writeRecord(recordTypeHandshake, certStatus.marshal()) 1719 } 1720 1721 keyAgreement := hs.suite.ka(c.vers) 1722 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello, c.vers) 1723 if err != nil { 1724 c.sendAlert(alertHandshakeFailure) 1725 return err 1726 } 1727 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1728 c.curveID = ecdhe.curveID 1729 } 1730 if skx != nil && !config.Bugs.SkipServerKeyExchange { 1731 hs.writeServerHash(skx.marshal()) 1732 c.writeRecord(recordTypeHandshake, skx.marshal()) 1733 } 1734 1735 if config.ClientAuth >= RequestClientCert { 1736 // Request a client certificate 1737 certReq := &certificateRequestMsg{ 1738 vers: c.wireVersion, 1739 certificateTypes: config.ClientCertificateTypes, 1740 } 1741 if certReq.certificateTypes == nil { 1742 certReq.certificateTypes = []byte{ 1743 byte(CertTypeRSASign), 1744 byte(CertTypeECDSASign), 1745 } 1746 } 1747 if c.vers >= VersionTLS12 { 1748 certReq.hasSignatureAlgorithm = true 1749 if !config.Bugs.NoSignatureAlgorithms { 1750 certReq.signatureAlgorithms = config.verifySignatureAlgorithms() 1751 } 1752 } 1753 1754 // An empty list of certificateAuthorities signals to 1755 // the client that it may send any certificate in response 1756 // to our request. When we know the CAs we trust, then 1757 // we can send them down, so that the client can choose 1758 // an appropriate certificate to give to us. 1759 if config.ClientCAs != nil { 1760 certReq.certificateAuthorities = config.ClientCAs.Subjects() 1761 } 1762 hs.writeServerHash(certReq.marshal()) 1763 c.writeRecord(recordTypeHandshake, certReq.marshal()) 1764 } 1765 1766 helloDone := new(serverHelloDoneMsg) 1767 helloDoneBytes := helloDone.marshal() 1768 hs.writeServerHash(helloDoneBytes) 1769 var toAppend byte 1770 if config.Bugs.PartialNewSessionTicketWithServerHelloDone { 1771 toAppend = typeNewSessionTicket 1772 } else if config.Bugs.PartialFinishedWithServerHelloDone { 1773 toAppend = typeFinished 1774 } 1775 if toAppend != 0 { 1776 c.writeRecord(recordTypeHandshake, append(helloDoneBytes[:len(helloDoneBytes):len(helloDoneBytes)], toAppend)) 1777 } else { 1778 c.writeRecord(recordTypeHandshake, helloDoneBytes) 1779 } 1780 c.flushHandshake() 1781 1782 var pub crypto.PublicKey // public key for client auth, if any 1783 1784 if err := c.simulatePacketLoss(nil); err != nil { 1785 return err 1786 } 1787 msg, err := c.readHandshake() 1788 if err != nil { 1789 return err 1790 } 1791 1792 var ok bool 1793 // If we requested a client certificate, then the client must send a 1794 // certificate message, even if it's empty. 1795 if config.ClientAuth >= RequestClientCert { 1796 var certMsg *certificateMsg 1797 var certificates [][]byte 1798 if certMsg, ok = msg.(*certificateMsg); ok { 1799 if c.vers == VersionSSL30 && len(certMsg.certificates) == 0 { 1800 return errors.New("tls: empty certificate message in SSL 3.0") 1801 } 1802 1803 hs.writeClientHash(certMsg.marshal()) 1804 for _, cert := range certMsg.certificates { 1805 certificates = append(certificates, cert.data) 1806 } 1807 } else if c.vers == VersionSSL30 { 1808 // In SSL 3.0, no certificate is signaled by a warning 1809 // alert which we translate to ssl3NoCertificateMsg. 1810 if _, ok := msg.(*ssl3NoCertificateMsg); !ok { 1811 return errors.New("tls: client provided neither a certificate nor no_certificate warning alert") 1812 } 1813 } else { 1814 // In TLS, the Certificate message is required. In SSL 1815 // 3.0, the peer skips it when sending no certificates. 1816 c.sendAlert(alertUnexpectedMessage) 1817 return unexpectedMessageError(certMsg, msg) 1818 } 1819 1820 if len(certificates) == 0 { 1821 // The client didn't actually send a certificate 1822 switch config.ClientAuth { 1823 case RequireAnyClientCert, RequireAndVerifyClientCert: 1824 c.sendAlert(alertBadCertificate) 1825 return errors.New("tls: client didn't provide a certificate") 1826 } 1827 } 1828 1829 pub, err = hs.processCertsFromClient(certificates) 1830 if err != nil { 1831 return err 1832 } 1833 1834 msg, err = c.readHandshake() 1835 if err != nil { 1836 return err 1837 } 1838 } 1839 1840 // Get client key exchange 1841 ckx, ok := msg.(*clientKeyExchangeMsg) 1842 if !ok { 1843 c.sendAlert(alertUnexpectedMessage) 1844 return unexpectedMessageError(ckx, msg) 1845 } 1846 hs.writeClientHash(ckx.marshal()) 1847 1848 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers) 1849 if err != nil { 1850 c.sendAlert(alertHandshakeFailure) 1851 return err 1852 } 1853 if c.extendedMasterSecret { 1854 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 1855 } else { 1856 if c.config.Bugs.RequireExtendedMasterSecret { 1857 return errors.New("tls: extended master secret required but not supported by peer") 1858 } 1859 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 1860 } 1861 1862 // If we received a client cert in response to our certificate request message, 1863 // the client will send us a certificateVerifyMsg immediately after the 1864 // clientKeyExchangeMsg. This message is a digest of all preceding 1865 // handshake-layer messages that is signed using the private key corresponding 1866 // to the client's certificate. This allows us to verify that the client is in 1867 // possession of the private key of the certificate. 1868 if len(c.peerCertificates) > 0 { 1869 msg, err = c.readHandshake() 1870 if err != nil { 1871 return err 1872 } 1873 certVerify, ok := msg.(*certificateVerifyMsg) 1874 if !ok { 1875 c.sendAlert(alertUnexpectedMessage) 1876 return unexpectedMessageError(certVerify, msg) 1877 } 1878 1879 // Determine the signature type. 1880 var sigAlg signatureAlgorithm 1881 if certVerify.hasSignatureAlgorithm { 1882 sigAlg = certVerify.signatureAlgorithm 1883 c.peerSignatureAlgorithm = sigAlg 1884 } 1885 1886 if c.vers > VersionSSL30 { 1887 err = verifyMessage(c.vers, pub, c.config, sigAlg, hs.finishedHash.buffer, certVerify.signature) 1888 } else { 1889 // SSL 3.0's client certificate construction is 1890 // incompatible with signatureAlgorithm. 1891 rsaPub, ok := pub.(*rsa.PublicKey) 1892 if !ok { 1893 err = errors.New("unsupported key type for client certificate") 1894 } else { 1895 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret) 1896 err = rsa.VerifyPKCS1v15(rsaPub, crypto.MD5SHA1, digest, certVerify.signature) 1897 } 1898 } 1899 if err != nil { 1900 c.sendAlert(alertBadCertificate) 1901 return errors.New("could not validate signature of connection nonces: " + err.Error()) 1902 } 1903 1904 hs.writeClientHash(certVerify.marshal()) 1905 } 1906 1907 hs.finishedHash.discardHandshakeBuffer() 1908 1909 return nil 1910} 1911 1912func (hs *serverHandshakeState) establishKeys() error { 1913 c := hs.c 1914 1915 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 1916 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 1917 1918 var clientCipher, serverCipher interface{} 1919 var clientHash, serverHash macFunction 1920 1921 if hs.suite.aead == nil { 1922 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 1923 clientHash = hs.suite.mac(c.vers, clientMAC) 1924 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 1925 serverHash = hs.suite.mac(c.vers, serverMAC) 1926 } else { 1927 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 1928 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 1929 } 1930 1931 c.in.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 1932 c.out.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 1933 1934 return nil 1935} 1936 1937func (hs *serverHandshakeState) readFinished(out []byte, isResume bool) error { 1938 c := hs.c 1939 1940 c.readRecord(recordTypeChangeCipherSpec) 1941 if err := c.in.error(); err != nil { 1942 return err 1943 } 1944 1945 if hs.hello.extensions.nextProtoNeg { 1946 msg, err := c.readHandshake() 1947 if err != nil { 1948 return err 1949 } 1950 nextProto, ok := msg.(*nextProtoMsg) 1951 if !ok { 1952 c.sendAlert(alertUnexpectedMessage) 1953 return unexpectedMessageError(nextProto, msg) 1954 } 1955 hs.writeClientHash(nextProto.marshal()) 1956 c.clientProtocol = nextProto.proto 1957 } 1958 1959 if hs.hello.extensions.channelIDRequested { 1960 msg, err := c.readHandshake() 1961 if err != nil { 1962 return err 1963 } 1964 channelIDMsg, ok := msg.(*channelIDMsg) 1965 if !ok { 1966 c.sendAlert(alertUnexpectedMessage) 1967 return unexpectedMessageError(channelIDMsg, msg) 1968 } 1969 var resumeHash []byte 1970 if isResume { 1971 resumeHash = hs.sessionState.handshakeHash 1972 } 1973 channelID, err := verifyChannelIDMessage(channelIDMsg, hs.finishedHash.hashForChannelID(resumeHash)) 1974 if err != nil { 1975 return err 1976 } 1977 c.channelID = channelID 1978 1979 hs.writeClientHash(channelIDMsg.marshal()) 1980 } 1981 1982 msg, err := c.readHandshake() 1983 if err != nil { 1984 return err 1985 } 1986 clientFinished, ok := msg.(*finishedMsg) 1987 if !ok { 1988 c.sendAlert(alertUnexpectedMessage) 1989 return unexpectedMessageError(clientFinished, msg) 1990 } 1991 1992 verify := hs.finishedHash.clientSum(hs.masterSecret) 1993 if len(verify) != len(clientFinished.verifyData) || 1994 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 1995 c.sendAlert(alertHandshakeFailure) 1996 return errors.New("tls: client's Finished message is incorrect") 1997 } 1998 c.clientVerify = append(c.clientVerify[:0], clientFinished.verifyData...) 1999 copy(out, clientFinished.verifyData) 2000 2001 hs.writeClientHash(clientFinished.marshal()) 2002 return nil 2003} 2004 2005func (hs *serverHandshakeState) sendSessionTicket() error { 2006 c := hs.c 2007 state := sessionState{ 2008 vers: c.vers, 2009 cipherSuite: hs.suite.id, 2010 masterSecret: hs.masterSecret, 2011 certificates: hs.certsFromClient, 2012 handshakeHash: hs.finishedHash.Sum(), 2013 } 2014 2015 if !hs.hello.extensions.ticketSupported || hs.c.config.Bugs.SkipNewSessionTicket { 2016 if c.config.ServerSessionCache != nil && len(hs.hello.sessionID) != 0 { 2017 c.config.ServerSessionCache.Put(string(hs.hello.sessionID), &state) 2018 } 2019 return nil 2020 } 2021 2022 m := new(newSessionTicketMsg) 2023 m.vers = c.wireVersion 2024 m.isDTLS = c.isDTLS 2025 if c.config.Bugs.SendTicketLifetime != 0 { 2026 m.ticketLifetime = uint32(c.config.Bugs.SendTicketLifetime / time.Second) 2027 } 2028 2029 if !c.config.Bugs.SendEmptySessionTicket { 2030 var err error 2031 m.ticket, err = c.encryptTicket(&state) 2032 if err != nil { 2033 return err 2034 } 2035 } 2036 2037 hs.writeServerHash(m.marshal()) 2038 if c.config.Bugs.PartialNewSessionTicketWithServerHelloDone { 2039 // The first byte was already sent. 2040 c.writeRecord(recordTypeHandshake, m.marshal()[1:]) 2041 } else { 2042 c.writeRecord(recordTypeHandshake, m.marshal()) 2043 } 2044 2045 return nil 2046} 2047 2048func (hs *serverHandshakeState) sendFinished(out []byte, isResume bool) error { 2049 c := hs.c 2050 2051 finished := new(finishedMsg) 2052 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 2053 copy(out, finished.verifyData) 2054 if c.config.Bugs.BadFinished { 2055 finished.verifyData[0]++ 2056 } 2057 c.serverVerify = append(c.serverVerify[:0], finished.verifyData...) 2058 hs.finishedBytes = finished.marshal() 2059 hs.writeServerHash(hs.finishedBytes) 2060 postCCSBytes := hs.finishedBytes 2061 if c.config.Bugs.PartialFinishedWithServerHelloDone { 2062 // The first byte has already been sent. 2063 postCCSBytes = postCCSBytes[1:] 2064 } 2065 2066 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 2067 c.writeRecord(recordTypeHandshake, postCCSBytes[:5]) 2068 postCCSBytes = postCCSBytes[5:] 2069 } else if c.config.Bugs.SendUnencryptedFinished { 2070 c.writeRecord(recordTypeHandshake, postCCSBytes) 2071 postCCSBytes = nil 2072 } 2073 2074 if !c.config.Bugs.SkipChangeCipherSpec { 2075 ccs := []byte{1} 2076 if c.config.Bugs.BadChangeCipherSpec != nil { 2077 ccs = c.config.Bugs.BadChangeCipherSpec 2078 } 2079 c.writeRecord(recordTypeChangeCipherSpec, ccs) 2080 } 2081 2082 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 2083 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 2084 } 2085 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 2086 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 2087 return errors.New("tls: simulating post-CCS alert") 2088 } 2089 2090 if !c.config.Bugs.SkipFinished && len(postCCSBytes) > 0 { 2091 c.writeRecord(recordTypeHandshake, postCCSBytes) 2092 if c.config.Bugs.SendExtraFinished { 2093 c.writeRecord(recordTypeHandshake, finished.marshal()) 2094 } 2095 } 2096 2097 if isResume || (!c.config.Bugs.PackHelloRequestWithFinished && !c.config.Bugs.PackAppDataWithHandshake) { 2098 // Defer flushing until Renegotiate() or Write(). 2099 c.flushHandshake() 2100 } 2101 2102 c.cipherSuite = hs.suite 2103 2104 return nil 2105} 2106 2107// processCertsFromClient takes a chain of client certificates either from a 2108// Certificates message or from a sessionState and verifies them. It returns 2109// the public key of the leaf certificate. 2110func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 2111 c := hs.c 2112 2113 hs.certsFromClient = certificates 2114 certs := make([]*x509.Certificate, len(certificates)) 2115 var err error 2116 for i, asn1Data := range certificates { 2117 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 2118 c.sendAlert(alertBadCertificate) 2119 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 2120 } 2121 } 2122 2123 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 2124 opts := x509.VerifyOptions{ 2125 Roots: c.config.ClientCAs, 2126 CurrentTime: c.config.time(), 2127 Intermediates: x509.NewCertPool(), 2128 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 2129 } 2130 2131 for _, cert := range certs[1:] { 2132 opts.Intermediates.AddCert(cert) 2133 } 2134 2135 chains, err := certs[0].Verify(opts) 2136 if err != nil { 2137 c.sendAlert(alertBadCertificate) 2138 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 2139 } 2140 2141 ok := false 2142 for _, ku := range certs[0].ExtKeyUsage { 2143 if ku == x509.ExtKeyUsageClientAuth { 2144 ok = true 2145 break 2146 } 2147 } 2148 if !ok { 2149 c.sendAlert(alertHandshakeFailure) 2150 return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication") 2151 } 2152 2153 c.verifiedChains = chains 2154 } 2155 2156 if len(certs) > 0 { 2157 pub := certs[0].PublicKey 2158 switch pub.(type) { 2159 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: 2160 break 2161 default: 2162 c.sendAlert(alertUnsupportedCertificate) 2163 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", pub) 2164 } 2165 c.peerCertificates = certs 2166 return pub, nil 2167 } 2168 2169 return nil, nil 2170} 2171 2172func verifyChannelIDMessage(channelIDMsg *channelIDMsg, channelIDHash []byte) (*ecdsa.PublicKey, error) { 2173 x := new(big.Int).SetBytes(channelIDMsg.channelID[0:32]) 2174 y := new(big.Int).SetBytes(channelIDMsg.channelID[32:64]) 2175 r := new(big.Int).SetBytes(channelIDMsg.channelID[64:96]) 2176 s := new(big.Int).SetBytes(channelIDMsg.channelID[96:128]) 2177 if !elliptic.P256().IsOnCurve(x, y) { 2178 return nil, errors.New("tls: invalid channel ID public key") 2179 } 2180 channelID := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y} 2181 if !ecdsa.Verify(channelID, channelIDHash, r, s) { 2182 return nil, errors.New("tls: invalid channel ID signature") 2183 } 2184 return channelID, nil 2185} 2186 2187func (hs *serverHandshakeState) writeServerHash(msg []byte) { 2188 // writeServerHash is called before writeRecord. 2189 hs.writeHash(msg, hs.c.sendHandshakeSeq) 2190} 2191 2192func (hs *serverHandshakeState) writeClientHash(msg []byte) { 2193 // writeClientHash is called after readHandshake. 2194 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 2195} 2196 2197func (hs *serverHandshakeState) writeHash(msg []byte, seqno uint16) { 2198 if hs.c.isDTLS { 2199 // This is somewhat hacky. DTLS hashes a slightly different format. 2200 // First, the TLS header. 2201 hs.finishedHash.Write(msg[:4]) 2202 // Then the sequence number and reassembled fragment offset (always 0). 2203 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 2204 // Then the reassembled fragment (always equal to the message length). 2205 hs.finishedHash.Write(msg[1:4]) 2206 // And then the message body. 2207 hs.finishedHash.Write(msg[4:]) 2208 } else { 2209 hs.finishedHash.Write(msg) 2210 } 2211} 2212 2213// tryCipherSuite returns a cipherSuite with the given id if that cipher suite 2214// is acceptable to use. 2215func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite { 2216 for _, supported := range supportedCipherSuites { 2217 if id == supported { 2218 var candidate *cipherSuite 2219 2220 for _, s := range cipherSuites { 2221 if s.id == id { 2222 candidate = s 2223 break 2224 } 2225 } 2226 if candidate == nil { 2227 continue 2228 } 2229 2230 // Don't select a ciphersuite which we can't 2231 // support for this client. 2232 if version >= VersionTLS13 || candidate.flags&suiteTLS13 != 0 { 2233 if version < VersionTLS13 || candidate.flags&suiteTLS13 == 0 { 2234 continue 2235 } 2236 return candidate 2237 } 2238 if (candidate.flags&suiteECDHE != 0) && !ellipticOk { 2239 continue 2240 } 2241 if (candidate.flags&suiteECDSA != 0) != ecdsaOk { 2242 continue 2243 } 2244 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 2245 continue 2246 } 2247 return candidate 2248 } 2249 } 2250 2251 return nil 2252} 2253 2254func isTLS12Cipher(id uint16) bool { 2255 for _, cipher := range cipherSuites { 2256 if cipher.id != id { 2257 continue 2258 } 2259 return cipher.flags&suiteTLS12 != 0 2260 } 2261 // Unknown cipher. 2262 return false 2263} 2264 2265func isGREASEValue(val uint16) bool { 2266 return val&0x0f0f == 0x0a0a && val&0xff == val>>8 2267} 2268 2269func verifyPSKBinder(version uint16, clientHello *clientHelloMsg, sessionState *sessionState, binderToVerify, firstClientHello, helloRetryRequest []byte) error { 2270 binderLen := 2 2271 for _, binder := range clientHello.pskBinders { 2272 binderLen += 1 + len(binder) 2273 } 2274 2275 truncatedHello := clientHello.marshal() 2276 truncatedHello = truncatedHello[:len(truncatedHello)-binderLen] 2277 pskCipherSuite := cipherSuiteFromID(sessionState.cipherSuite) 2278 if pskCipherSuite == nil { 2279 return errors.New("tls: Unknown cipher suite for PSK in session") 2280 } 2281 2282 binder := computePSKBinder(sessionState.masterSecret, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2283 if !bytes.Equal(binder, binderToVerify) { 2284 return errors.New("tls: PSK binder does not verify") 2285 } 2286 2287 return nil 2288} 2289 2290// checkClientHellosEqual checks whether a and b are equal ClientHello 2291// messages. If isDTLS is true, the ClientHellos are parsed as DTLS and any 2292// differences in the cookie field are ignored. Extensions listed in 2293// ignoreExtensions may change or be removed between the two ClientHellos. 2294func checkClientHellosEqual(a, b []byte, isDTLS bool, ignoreExtensions []uint16) error { 2295 ignoreExtensionsSet := make(map[uint16]struct{}) 2296 for _, ext := range ignoreExtensions { 2297 ignoreExtensionsSet[ext] = struct{}{} 2298 } 2299 2300 // Skip the handshake message header. 2301 aReader := byteReader(a[4:]) 2302 bReader := byteReader(b[4:]) 2303 2304 var aVers, bVers uint16 2305 var aRandom, bRandom []byte 2306 var aSessionID, bSessionID []byte 2307 if !aReader.readU16(&aVers) || 2308 !bReader.readU16(&bVers) || 2309 !aReader.readBytes(&aRandom, 32) || 2310 !bReader.readBytes(&bRandom, 32) || 2311 !aReader.readU8LengthPrefixedBytes(&aSessionID) || 2312 !bReader.readU8LengthPrefixedBytes(&bSessionID) { 2313 return errors.New("tls: could not parse ClientHello") 2314 } 2315 2316 if aVers != bVers { 2317 return errors.New("tls: second ClientHello version did not match") 2318 } 2319 if !bytes.Equal(aRandom, bRandom) { 2320 return errors.New("tls: second ClientHello random did not match") 2321 } 2322 if !bytes.Equal(aSessionID, bSessionID) { 2323 return errors.New("tls: second ClientHello session ID did not match") 2324 } 2325 2326 if isDTLS { 2327 // DTLS 1.2 checks two ClientHellos match after a HelloVerifyRequest, 2328 // where we expect the cookies to change. DTLS 1.3 forbids the legacy 2329 // cookie altogether. If we implement DTLS 1.3, we'll need to ensure 2330 // that parsing logic above this function rejects this cookie. 2331 var aCookie, bCookie []byte 2332 if !aReader.readU8LengthPrefixedBytes(&aCookie) || 2333 !bReader.readU8LengthPrefixedBytes(&bCookie) { 2334 return errors.New("tls: could not parse ClientHello") 2335 } 2336 } 2337 2338 var aCipherSuites, bCipherSuites, aCompressionMethods, bCompressionMethods []byte 2339 if !aReader.readU16LengthPrefixedBytes(&aCipherSuites) || 2340 !bReader.readU16LengthPrefixedBytes(&bCipherSuites) || 2341 !aReader.readU8LengthPrefixedBytes(&aCompressionMethods) || 2342 !bReader.readU8LengthPrefixedBytes(&bCompressionMethods) { 2343 return errors.New("tls: could not parse ClientHello") 2344 } 2345 if !bytes.Equal(aCipherSuites, bCipherSuites) { 2346 return errors.New("tls: second ClientHello cipher suites did not match") 2347 } 2348 if !bytes.Equal(aCompressionMethods, bCompressionMethods) { 2349 return errors.New("tls: second ClientHello compression methods did not match") 2350 } 2351 2352 if len(aReader) == 0 && len(bReader) == 0 { 2353 // Both ClientHellos omit the extensions block. 2354 return nil 2355 } 2356 2357 var aExtensions, bExtensions byteReader 2358 if !aReader.readU16LengthPrefixed(&aExtensions) || 2359 !bReader.readU16LengthPrefixed(&bExtensions) || 2360 len(aReader) != 0 || 2361 len(bReader) != 0 { 2362 return errors.New("tls: could not parse ClientHello") 2363 } 2364 2365 for len(aExtensions) != 0 { 2366 var aID uint16 2367 var aBody []byte 2368 if !aExtensions.readU16(&aID) || 2369 !aExtensions.readU16LengthPrefixedBytes(&aBody) { 2370 return errors.New("tls: could not parse ClientHello") 2371 } 2372 if _, ok := ignoreExtensionsSet[aID]; ok { 2373 continue 2374 } 2375 2376 for { 2377 if len(bExtensions) == 0 { 2378 return fmt.Errorf("tls: second ClientHello missing extension %d", aID) 2379 } 2380 var bID uint16 2381 var bBody []byte 2382 if !bExtensions.readU16(&bID) || 2383 !bExtensions.readU16LengthPrefixedBytes(&bBody) { 2384 return errors.New("tls: could not parse ClientHello") 2385 } 2386 if _, ok := ignoreExtensionsSet[bID]; ok { 2387 continue 2388 } 2389 if aID != bID { 2390 return fmt.Errorf("tls: unexpected extension %d in second ClientHello (wanted %d)", bID, aID) 2391 } 2392 if !bytes.Equal(aBody, bBody) { 2393 return fmt.Errorf("tls: extension %d in second ClientHello unexpectedly changed", aID) 2394 } 2395 break 2396 } 2397 } 2398 2399 // Any remaining extensions in the second ClientHello must be in the 2400 // ignored set. 2401 for len(bExtensions) != 0 { 2402 var id uint16 2403 var body []byte 2404 if !bExtensions.readU16(&id) || 2405 !bExtensions.readU16LengthPrefixedBytes(&body) { 2406 return errors.New("tls: could not parse ClientHello") 2407 } 2408 if _, ok := ignoreExtensionsSet[id]; !ok { 2409 return fmt.Errorf("tls: unexpected extension %d in second ClientHello", id) 2410 } 2411 } 2412 2413 return nil 2414} 2415