1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "crypto/subtle" 15 "crypto/x509" 16 "errors" 17 "fmt" 18 "io" 19 "math/big" 20 "net" 21 "time" 22 23 "boringssl.googlesource.com/boringssl/ssl/test/runner/hpke" 24) 25 26type clientHandshakeState struct { 27 c *Conn 28 serverHello *serverHelloMsg 29 hello *clientHelloMsg 30 suite *cipherSuite 31 finishedHash finishedHash 32 keyShares map[CurveID]ecdhCurve 33 masterSecret []byte 34 session *ClientSessionState 35 finishedBytes []byte 36 peerPublicKey crypto.PublicKey 37 skxAlgo signatureAlgorithm 38} 39 40func mapClientHelloVersion(vers uint16, isDTLS bool) uint16 { 41 if !isDTLS { 42 return vers 43 } 44 45 switch vers { 46 case VersionTLS12: 47 return VersionDTLS12 48 case VersionTLS10: 49 return VersionDTLS10 50 } 51 52 panic("Unknown ClientHello version.") 53} 54 55func fixClientHellos(hello *clientHelloMsg, in []byte) ([]byte, error) { 56 ret := append([]byte{}, in...) 57 newHello := new(clientHelloMsg) 58 if !newHello.unmarshal(ret) { 59 return nil, errors.New("tls: invalid ClientHello") 60 } 61 62 hello.random = newHello.random 63 hello.sessionID = newHello.sessionID 64 65 // Replace |ret|'s key shares with those of |hello|. For simplicity, we 66 // require their lengths match, which is satisfied by matching the 67 // DefaultCurves setting to the selection in the replacement 68 // ClientHello. 69 bb := newByteBuilder() 70 hello.marshalKeyShares(bb) 71 keyShares := bb.finish() 72 if len(keyShares) != len(newHello.keySharesRaw) { 73 return nil, errors.New("tls: ClientHello key share length is inconsistent with DefaultCurves setting") 74 } 75 // |newHello.keySharesRaw| aliases |ret|. 76 copy(newHello.keySharesRaw, keyShares) 77 78 return ret, nil 79} 80 81func (c *Conn) clientHandshake() error { 82 if c.config == nil { 83 c.config = defaultConfig() 84 } 85 86 if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify { 87 return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") 88 } 89 90 c.sendHandshakeSeq = 0 91 c.recvHandshakeSeq = 0 92 93 nextProtosLength := 0 94 for _, proto := range c.config.NextProtos { 95 if l := len(proto); l > 255 { 96 return errors.New("tls: invalid NextProtos value") 97 } else { 98 nextProtosLength += 1 + l 99 } 100 } 101 if nextProtosLength > 0xffff { 102 return errors.New("tls: NextProtos values too large") 103 } 104 105 // Translate the bugs that modify ClientHello extension order into a 106 // list of prefix extensions. The marshal function will try these 107 // extensions before any others, followed by any remaining extensions in 108 // the default order. 109 var prefixExtensions []uint16 110 if c.config.Bugs.PSKBinderFirst && !c.config.Bugs.OnlyCorruptSecondPSKBinder { 111 prefixExtensions = append(prefixExtensions, extensionPreSharedKey) 112 } 113 if c.config.Bugs.SwapNPNAndALPN { 114 prefixExtensions = append(prefixExtensions, extensionALPN) 115 prefixExtensions = append(prefixExtensions, extensionNextProtoNeg) 116 } 117 118 quicTransportParams := c.config.QUICTransportParams 119 quicTransportParamsLegacy := c.config.QUICTransportParams 120 if !c.config.QUICTransportParamsUseLegacyCodepoint.IncludeStandard() { 121 quicTransportParams = nil 122 } 123 if !c.config.QUICTransportParamsUseLegacyCodepoint.IncludeLegacy() { 124 quicTransportParamsLegacy = nil 125 } 126 127 minVersion := c.config.minVersion(c.isDTLS) 128 maxVersion := c.config.maxVersion(c.isDTLS) 129 hello := &clientHelloMsg{ 130 isDTLS: c.isDTLS, 131 compressionMethods: []uint8{compressionNone}, 132 random: make([]byte, 32), 133 ocspStapling: !c.config.Bugs.NoOCSPStapling, 134 sctListSupported: !c.config.Bugs.NoSignedCertificateTimestamps, 135 serverName: c.config.ServerName, 136 echIsInner: c.config.Bugs.SendECHIsInner, 137 supportedCurves: c.config.curvePreferences(), 138 supportedPoints: []uint8{pointFormatUncompressed}, 139 nextProtoNeg: len(c.config.NextProtos) > 0, 140 secureRenegotiation: []byte{}, 141 alpnProtocols: c.config.NextProtos, 142 quicTransportParams: quicTransportParams, 143 quicTransportParamsLegacy: quicTransportParamsLegacy, 144 duplicateExtension: c.config.Bugs.DuplicateExtension, 145 channelIDSupported: c.config.ChannelID != nil, 146 tokenBindingParams: c.config.TokenBindingParams, 147 tokenBindingVersion: c.config.TokenBindingVersion, 148 extendedMasterSecret: maxVersion >= VersionTLS10, 149 srtpProtectionProfiles: c.config.SRTPProtectionProfiles, 150 srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer, 151 customExtension: c.config.Bugs.CustomExtension, 152 omitExtensions: c.config.Bugs.OmitExtensions, 153 emptyExtensions: c.config.Bugs.EmptyExtensions, 154 delegatedCredentials: !c.config.Bugs.DisableDelegatedCredentials, 155 prefixExtensions: prefixExtensions, 156 } 157 158 if maxVersion >= VersionTLS13 { 159 hello.vers = mapClientHelloVersion(VersionTLS12, c.isDTLS) 160 if !c.config.Bugs.OmitSupportedVersions { 161 hello.supportedVersions = c.config.supportedVersions(c.isDTLS) 162 } 163 hello.pskKEModes = []byte{pskDHEKEMode} 164 } else { 165 hello.vers = mapClientHelloVersion(maxVersion, c.isDTLS) 166 } 167 168 if c.config.Bugs.SendClientVersion != 0 { 169 hello.vers = c.config.Bugs.SendClientVersion 170 } 171 172 if len(c.config.Bugs.SendSupportedVersions) > 0 { 173 hello.supportedVersions = c.config.Bugs.SendSupportedVersions 174 } 175 176 disableEMS := c.config.Bugs.NoExtendedMasterSecret 177 if c.cipherSuite != nil { 178 disableEMS = c.config.Bugs.NoExtendedMasterSecretOnRenegotiation 179 } 180 181 if disableEMS { 182 hello.extendedMasterSecret = false 183 } 184 185 if c.config.Bugs.NoSupportedCurves { 186 hello.supportedCurves = nil 187 } 188 189 if len(c.config.Bugs.SendPSKKeyExchangeModes) != 0 { 190 hello.pskKEModes = c.config.Bugs.SendPSKKeyExchangeModes 191 } 192 193 if c.config.Bugs.SendCompressionMethods != nil { 194 hello.compressionMethods = c.config.Bugs.SendCompressionMethods 195 } 196 197 if c.config.Bugs.SendSupportedPointFormats != nil { 198 hello.supportedPoints = c.config.Bugs.SendSupportedPointFormats 199 } 200 201 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 202 if c.config.Bugs.BadRenegotiationInfo { 203 hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...) 204 hello.secureRenegotiation[0] ^= 0x80 205 } else { 206 hello.secureRenegotiation = c.clientVerify 207 } 208 } 209 210 if c.config.Bugs.DuplicateCompressedCertAlgs { 211 hello.compressedCertAlgs = []uint16{1, 1} 212 } else if len(c.config.CertCompressionAlgs) > 0 { 213 hello.compressedCertAlgs = make([]uint16, 0, len(c.config.CertCompressionAlgs)) 214 for id, _ := range c.config.CertCompressionAlgs { 215 hello.compressedCertAlgs = append(hello.compressedCertAlgs, uint16(id)) 216 } 217 } 218 219 if c.noRenegotiationInfo() { 220 hello.secureRenegotiation = nil 221 } 222 223 for protocol, _ := range c.config.ApplicationSettings { 224 hello.alpsProtocols = append(hello.alpsProtocols, protocol) 225 } 226 227 if c.config.Bugs.SendPlaceholderEncryptedClientHello { 228 hello.clientECH = &clientECH{ 229 hpkeKDF: hpke.HKDFSHA256, 230 hpkeAEAD: hpke.AES128GCM, 231 configID: []byte{0x02, 0x0d, 0xe8, 0xae, 0xf5, 0x8b, 0x59, 0xb5}, 232 enc: []byte{0xe2, 0xf0, 0x96, 0x64, 0x18, 0x35, 0x10, 0xb3}, 233 payload: []byte{0xa8, 0x53, 0x3a, 0x8d, 0xe8, 0x5f, 0x7c, 0xd7}, 234 } 235 } 236 237 var keyShares map[CurveID]ecdhCurve 238 if maxVersion >= VersionTLS13 { 239 keyShares = make(map[CurveID]ecdhCurve) 240 hello.hasKeyShares = true 241 hello.trailingKeyShareData = c.config.Bugs.TrailingKeyShareData 242 curvesToSend := c.config.defaultCurves() 243 for _, curveID := range hello.supportedCurves { 244 if !curvesToSend[curveID] { 245 continue 246 } 247 curve, ok := curveForCurveID(curveID, c.config) 248 if !ok { 249 continue 250 } 251 publicKey, err := curve.offer(c.config.rand()) 252 if err != nil { 253 return err 254 } 255 256 if c.config.Bugs.SendCurve != 0 { 257 curveID = c.config.Bugs.SendCurve 258 } 259 if c.config.Bugs.InvalidECDHPoint { 260 publicKey[0] ^= 0xff 261 } 262 263 hello.keyShares = append(hello.keyShares, keyShareEntry{ 264 group: curveID, 265 keyExchange: publicKey, 266 }) 267 keyShares[curveID] = curve 268 269 if c.config.Bugs.DuplicateKeyShares { 270 hello.keyShares = append(hello.keyShares, hello.keyShares[len(hello.keyShares)-1]) 271 } 272 } 273 274 if c.config.Bugs.MissingKeyShare { 275 hello.hasKeyShares = false 276 } 277 } 278 279 possibleCipherSuites := c.config.cipherSuites() 280 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites)) 281 282NextCipherSuite: 283 for _, suiteID := range possibleCipherSuites { 284 for _, suite := range cipherSuites { 285 if suite.id != suiteID { 286 continue 287 } 288 // Don't advertise TLS 1.2-only cipher suites unless 289 // we're attempting TLS 1.2. 290 if maxVersion < VersionTLS12 && suite.flags&suiteTLS12 != 0 { 291 continue 292 } 293 hello.cipherSuites = append(hello.cipherSuites, suiteID) 294 continue NextCipherSuite 295 } 296 } 297 298 if c.config.Bugs.AdvertiseAllConfiguredCiphers { 299 hello.cipherSuites = possibleCipherSuites 300 } 301 302 if c.config.Bugs.SendRenegotiationSCSV { 303 hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV) 304 } 305 306 if c.config.Bugs.SendFallbackSCSV { 307 hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV) 308 } 309 310 _, err := io.ReadFull(c.config.rand(), hello.random) 311 if err != nil { 312 c.sendAlert(alertInternalError) 313 return errors.New("tls: short read from Rand: " + err.Error()) 314 } 315 316 if maxVersion >= VersionTLS12 && !c.config.Bugs.NoSignatureAlgorithms { 317 hello.signatureAlgorithms = c.config.verifySignatureAlgorithms() 318 } 319 320 var session *ClientSessionState 321 var cacheKey string 322 sessionCache := c.config.ClientSessionCache 323 324 if sessionCache != nil { 325 hello.ticketSupported = !c.config.SessionTicketsDisabled 326 327 // Try to resume a previously negotiated TLS session, if 328 // available. 329 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 330 // TODO(nharper): Support storing more than one session 331 // ticket for TLS 1.3. 332 candidateSession, ok := sessionCache.Get(cacheKey) 333 if ok { 334 ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil 335 336 // Check that the ciphersuite/version used for the 337 // previous session are still valid. 338 cipherSuiteOk := false 339 if candidateSession.vers <= VersionTLS12 { 340 for _, id := range hello.cipherSuites { 341 if id == candidateSession.cipherSuite { 342 cipherSuiteOk = true 343 break 344 } 345 } 346 } else { 347 // TLS 1.3 allows the cipher to change on 348 // resumption. 349 cipherSuiteOk = true 350 } 351 352 versOk := candidateSession.vers >= minVersion && 353 candidateSession.vers <= maxVersion 354 if ticketOk && versOk && cipherSuiteOk { 355 session = candidateSession 356 } 357 } 358 } 359 360 var pskCipherSuite *cipherSuite 361 if session != nil && c.config.time().Before(session.ticketExpiration) { 362 ticket := session.sessionTicket 363 if c.config.Bugs.FilterTicket != nil && len(ticket) > 0 { 364 // Copy the ticket so FilterTicket may act in-place. 365 ticket = make([]byte, len(session.sessionTicket)) 366 copy(ticket, session.sessionTicket) 367 368 ticket, err = c.config.Bugs.FilterTicket(ticket) 369 if err != nil { 370 return err 371 } 372 } 373 374 if session.vers >= VersionTLS13 || c.config.Bugs.SendBothTickets { 375 pskCipherSuite = cipherSuiteFromID(session.cipherSuite) 376 if pskCipherSuite == nil { 377 return errors.New("tls: client session cache has invalid cipher suite") 378 } 379 // TODO(nharper): Support sending more 380 // than one PSK identity. 381 ticketAge := uint32(c.config.time().Sub(session.ticketCreationTime) / time.Millisecond) 382 if c.config.Bugs.SendTicketAge != 0 { 383 ticketAge = uint32(c.config.Bugs.SendTicketAge / time.Millisecond) 384 } 385 psk := pskIdentity{ 386 ticket: ticket, 387 obfuscatedTicketAge: session.ticketAgeAdd + ticketAge, 388 } 389 hello.pskIdentities = []pskIdentity{psk} 390 391 if c.config.Bugs.ExtraPSKIdentity { 392 hello.pskIdentities = append(hello.pskIdentities, psk) 393 } 394 } 395 396 if session.vers < VersionTLS13 || c.config.Bugs.SendBothTickets { 397 if ticket != nil { 398 hello.sessionTicket = ticket 399 // A random session ID is used to detect when the 400 // server accepted the ticket and is resuming a session 401 // (see RFC 5077). 402 sessionIDLen := 16 403 if c.config.Bugs.TicketSessionIDLength != 0 { 404 sessionIDLen = c.config.Bugs.TicketSessionIDLength 405 } 406 if c.config.Bugs.EmptyTicketSessionID { 407 sessionIDLen = 0 408 } 409 hello.sessionID = make([]byte, sessionIDLen) 410 if _, err := io.ReadFull(c.config.rand(), hello.sessionID); err != nil { 411 c.sendAlert(alertInternalError) 412 return errors.New("tls: short read from Rand: " + err.Error()) 413 } 414 } else { 415 hello.sessionID = session.sessionID 416 } 417 } 418 } 419 420 // Request compatibility mode from the client by sending a fake session 421 // ID. Although BoringSSL always enables compatibility mode, other 422 // implementations make it conditional on the ClientHello. We test 423 // BoringSSL's expected behavior with SendClientHelloSessionID. 424 if len(hello.sessionID) == 0 && maxVersion >= VersionTLS13 { 425 hello.sessionID = make([]byte, 32) 426 if _, err := io.ReadFull(c.config.rand(), hello.sessionID); err != nil { 427 c.sendAlert(alertInternalError) 428 return errors.New("tls: short read from Rand: " + err.Error()) 429 } 430 } 431 if c.config.Bugs.MockQUICTransport != nil && !c.config.Bugs.CompatModeWithQUIC { 432 hello.sessionID = []byte{} 433 } 434 435 if c.config.Bugs.SendCipherSuites != nil { 436 hello.cipherSuites = c.config.Bugs.SendCipherSuites 437 } 438 439 var sendEarlyData bool 440 if len(hello.pskIdentities) > 0 && c.config.Bugs.SendEarlyData != nil { 441 hello.hasEarlyData = true 442 sendEarlyData = true 443 } 444 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 445 hello.hasEarlyData = true 446 } 447 if c.config.Bugs.OmitEarlyDataExtension { 448 hello.hasEarlyData = false 449 } 450 if c.config.Bugs.SendClientHelloSessionID != nil { 451 hello.sessionID = c.config.Bugs.SendClientHelloSessionID 452 } 453 454 var helloBytes []byte 455 if c.config.Bugs.SendV2ClientHello { 456 // Test that the peer left-pads random. 457 hello.random[0] = 0 458 v2Hello := &v2ClientHelloMsg{ 459 vers: hello.vers, 460 cipherSuites: hello.cipherSuites, 461 // No session resumption for V2ClientHello. 462 sessionID: nil, 463 challenge: hello.random[1:], 464 } 465 helloBytes = v2Hello.marshal() 466 c.writeV2Record(helloBytes) 467 } else { 468 if len(hello.pskIdentities) > 0 { 469 version := session.wireVersion 470 // We may have a pre-1.3 session if SendBothTickets is 471 // set. 472 if session.vers < VersionTLS13 { 473 version = VersionTLS13 474 } 475 generatePSKBinders(version, hello, pskCipherSuite, session.masterSecret, []byte{}, []byte{}, c.config) 476 } 477 if c.config.Bugs.SendClientHelloWithFixes != nil { 478 helloBytes, err = fixClientHellos(hello, c.config.Bugs.SendClientHelloWithFixes) 479 if err != nil { 480 return err 481 } 482 } else { 483 helloBytes = hello.marshal() 484 } 485 486 var appendToHello byte 487 if c.config.Bugs.PartialClientFinishedWithClientHello { 488 appendToHello = typeFinished 489 } else if c.config.Bugs.PartialEndOfEarlyDataWithClientHello { 490 appendToHello = typeEndOfEarlyData 491 } else if c.config.Bugs.PartialSecondClientHelloAfterFirst { 492 appendToHello = typeClientHello 493 } else if c.config.Bugs.PartialClientKeyExchangeWithClientHello { 494 appendToHello = typeClientKeyExchange 495 } 496 if appendToHello != 0 { 497 c.writeRecord(recordTypeHandshake, append(helloBytes[:len(helloBytes):len(helloBytes)], appendToHello)) 498 } else { 499 c.writeRecord(recordTypeHandshake, helloBytes) 500 } 501 } 502 c.flushHandshake() 503 504 if err := c.simulatePacketLoss(nil); err != nil { 505 return err 506 } 507 if c.config.Bugs.SendEarlyAlert { 508 c.sendAlert(alertHandshakeFailure) 509 } 510 if c.config.Bugs.SendFakeEarlyDataLength > 0 { 511 c.sendFakeEarlyData(c.config.Bugs.SendFakeEarlyDataLength) 512 } 513 514 // Derive early write keys and set Conn state to allow early writes. 515 if sendEarlyData { 516 finishedHash := newFinishedHash(session.wireVersion, c.isDTLS, pskCipherSuite) 517 finishedHash.addEntropy(session.masterSecret) 518 finishedHash.Write(helloBytes) 519 520 if !c.config.Bugs.SkipChangeCipherSpec { 521 c.wireVersion = session.wireVersion 522 c.vers = VersionTLS13 523 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 524 c.wireVersion = 0 525 c.vers = 0 526 } 527 528 earlyTrafficSecret := finishedHash.deriveSecret(earlyTrafficLabel) 529 c.earlyExporterSecret = finishedHash.deriveSecret(earlyExporterLabel) 530 531 c.useOutTrafficSecret(encryptionEarlyData, session.wireVersion, pskCipherSuite, earlyTrafficSecret) 532 for _, earlyData := range c.config.Bugs.SendEarlyData { 533 if _, err := c.writeRecord(recordTypeApplicationData, earlyData); err != nil { 534 return err 535 } 536 } 537 } 538 539 msg, err := c.readHandshake() 540 if err != nil { 541 return err 542 } 543 544 if c.isDTLS { 545 helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg) 546 if ok { 547 if helloVerifyRequest.vers != VersionDTLS10 { 548 // Per RFC 6347, the version field in 549 // HelloVerifyRequest SHOULD be always DTLS 550 // 1.0. Enforce this for testing purposes. 551 return errors.New("dtls: bad HelloVerifyRequest version") 552 } 553 554 hello.raw = nil 555 hello.cookie = helloVerifyRequest.cookie 556 helloBytes = hello.marshal() 557 c.writeRecord(recordTypeHandshake, helloBytes) 558 c.flushHandshake() 559 560 if err := c.simulatePacketLoss(nil); err != nil { 561 return err 562 } 563 msg, err = c.readHandshake() 564 if err != nil { 565 return err 566 } 567 } 568 } 569 570 var serverWireVersion uint16 571 switch m := msg.(type) { 572 case *helloRetryRequestMsg: 573 serverWireVersion = m.vers 574 case *serverHelloMsg: 575 serverWireVersion = m.vers 576 default: 577 c.sendAlert(alertUnexpectedMessage) 578 return fmt.Errorf("tls: received unexpected message of type %T when waiting for HelloRetryRequest or ServerHello", msg) 579 } 580 581 serverVersion, ok := c.config.isSupportedVersion(serverWireVersion, c.isDTLS) 582 if !ok { 583 c.sendAlert(alertProtocolVersion) 584 return fmt.Errorf("tls: server selected unsupported protocol version %x", c.vers) 585 } 586 c.wireVersion = serverWireVersion 587 c.vers = serverVersion 588 c.haveVers = true 589 590 if c.vers >= VersionTLS13 { 591 // The first server message must be followed by a ChangeCipherSpec. 592 c.expectTLS13ChangeCipherSpec = true 593 } 594 595 helloRetryRequest, haveHelloRetryRequest := msg.(*helloRetryRequestMsg) 596 var secondHelloBytes []byte 597 if haveHelloRetryRequest { 598 if c.config.Bugs.FailIfHelloRetryRequested { 599 return errors.New("tls: unexpected HelloRetryRequest") 600 } 601 // Explicitly read the ChangeCipherSpec now; it should 602 // be attached to the first flight, not the second flight. 603 if err := c.readTLS13ChangeCipherSpec(); err != nil { 604 return err 605 } 606 607 c.out.resetCipher() 608 if len(helloRetryRequest.cookie) > 0 { 609 hello.tls13Cookie = helloRetryRequest.cookie 610 } 611 612 if c.config.Bugs.MisinterpretHelloRetryRequestCurve != 0 { 613 helloRetryRequest.hasSelectedGroup = true 614 helloRetryRequest.selectedGroup = c.config.Bugs.MisinterpretHelloRetryRequestCurve 615 } 616 if helloRetryRequest.hasSelectedGroup { 617 var hrrCurveFound bool 618 group := helloRetryRequest.selectedGroup 619 for _, curveID := range hello.supportedCurves { 620 if group == curveID { 621 hrrCurveFound = true 622 break 623 } 624 } 625 if !hrrCurveFound || keyShares[group] != nil { 626 c.sendAlert(alertHandshakeFailure) 627 return errors.New("tls: received invalid HelloRetryRequest") 628 } 629 curve, ok := curveForCurveID(group, c.config) 630 if !ok { 631 return errors.New("tls: Unable to get curve requested in HelloRetryRequest") 632 } 633 publicKey, err := curve.offer(c.config.rand()) 634 if err != nil { 635 return err 636 } 637 keyShares[group] = curve 638 hello.keyShares = []keyShareEntry{{ 639 group: group, 640 keyExchange: publicKey, 641 }} 642 } 643 644 if c.config.Bugs.SecondClientHelloMissingKeyShare { 645 hello.hasKeyShares = false 646 } 647 648 hello.hasEarlyData = c.config.Bugs.SendEarlyDataOnSecondClientHello 649 // The first ClientHello may have skipped this due to OnlyCorruptSecondPSKBinder. 650 if c.config.Bugs.PSKBinderFirst && c.config.Bugs.OnlyCorruptSecondPSKBinder { 651 hello.prefixExtensions = append(hello.prefixExtensions, extensionPreSharedKey) 652 } 653 if c.config.Bugs.OmitPSKsOnSecondClientHello { 654 hello.pskIdentities = nil 655 hello.pskBinders = nil 656 } 657 hello.raw = nil 658 659 if len(hello.pskIdentities) > 0 { 660 generatePSKBinders(c.wireVersion, hello, pskCipherSuite, session.masterSecret, helloBytes, helloRetryRequest.marshal(), c.config) 661 } 662 secondHelloBytes = hello.marshal() 663 secondHelloBytesToWrite := secondHelloBytes 664 665 if c.config.Bugs.PartialSecondClientHelloAfterFirst { 666 // The first byte has already been sent. 667 secondHelloBytesToWrite = secondHelloBytesToWrite[1:] 668 } 669 670 if c.config.Bugs.InterleaveEarlyData { 671 c.sendFakeEarlyData(4) 672 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite[:16]) 673 c.sendFakeEarlyData(4) 674 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite[16:]) 675 } else if c.config.Bugs.PartialClientFinishedWithSecondClientHello { 676 toWrite := make([]byte, len(secondHelloBytesToWrite)+1) 677 copy(toWrite, secondHelloBytesToWrite) 678 toWrite[len(secondHelloBytesToWrite)] = typeFinished 679 c.writeRecord(recordTypeHandshake, toWrite) 680 } else { 681 c.writeRecord(recordTypeHandshake, secondHelloBytesToWrite) 682 } 683 c.flushHandshake() 684 685 if c.config.Bugs.SendEarlyDataOnSecondClientHello { 686 c.sendFakeEarlyData(4) 687 } 688 689 msg, err = c.readHandshake() 690 if err != nil { 691 return err 692 } 693 } 694 695 serverHello, ok := msg.(*serverHelloMsg) 696 if !ok { 697 c.sendAlert(alertUnexpectedMessage) 698 return unexpectedMessageError(serverHello, msg) 699 } 700 701 if serverWireVersion != serverHello.vers { 702 c.sendAlert(alertIllegalParameter) 703 return fmt.Errorf("tls: server sent non-matching version %x vs %x", serverWireVersion, serverHello.vers) 704 } 705 706 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) 707 // Check for downgrade signals in the server random, per RFC 8446, section 4.1.3. 708 gotDowngrade := serverHello.random[len(serverHello.random)-8:] 709 if (supportsTLS13 || c.config.Bugs.CheckTLS13DowngradeRandom) && !c.config.Bugs.IgnoreTLS13DowngradeRandom { 710 if c.vers <= VersionTLS12 && c.config.maxVersion(c.isDTLS) >= VersionTLS13 { 711 if bytes.Equal(gotDowngrade, downgradeTLS13) { 712 c.sendAlert(alertProtocolVersion) 713 return errors.New("tls: downgrade from TLS 1.3 detected") 714 } 715 } 716 if c.vers <= VersionTLS11 && c.config.maxVersion(c.isDTLS) >= VersionTLS12 { 717 if bytes.Equal(gotDowngrade, downgradeTLS12) { 718 c.sendAlert(alertProtocolVersion) 719 return errors.New("tls: downgrade from TLS 1.2 detected") 720 } 721 } 722 } 723 724 if bytes.Equal(gotDowngrade, downgradeJDK11) != c.config.Bugs.ExpectJDK11DowngradeRandom { 725 c.sendAlert(alertProtocolVersion) 726 if c.config.Bugs.ExpectJDK11DowngradeRandom { 727 return errors.New("tls: server did not send a JDK 11 downgrade signal") 728 } 729 return errors.New("tls: server sent an unexpected JDK 11 downgrade signal") 730 } 731 732 suite := mutualCipherSuite(hello.cipherSuites, serverHello.cipherSuite) 733 if suite == nil { 734 c.sendAlert(alertHandshakeFailure) 735 return fmt.Errorf("tls: server selected an unsupported cipher suite") 736 } 737 738 if haveHelloRetryRequest && helloRetryRequest.hasSelectedGroup && helloRetryRequest.selectedGroup != serverHello.keyShare.group { 739 c.sendAlert(alertHandshakeFailure) 740 return errors.New("tls: ServerHello parameters did not match HelloRetryRequest") 741 } 742 743 if c.config.Bugs.ExpectOmitExtensions && !serverHello.omitExtensions { 744 return errors.New("tls: ServerHello did not omit extensions") 745 } 746 747 hs := &clientHandshakeState{ 748 c: c, 749 serverHello: serverHello, 750 hello: hello, 751 suite: suite, 752 finishedHash: newFinishedHash(c.wireVersion, c.isDTLS, suite), 753 keyShares: keyShares, 754 session: session, 755 } 756 757 hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1) 758 if haveHelloRetryRequest { 759 err = hs.finishedHash.UpdateForHelloRetryRequest() 760 if err != nil { 761 return err 762 } 763 hs.writeServerHash(helloRetryRequest.marshal()) 764 hs.writeClientHash(secondHelloBytes) 765 } 766 767 if c.vers >= VersionTLS13 { 768 if err := hs.doTLS13Handshake(); err != nil { 769 return err 770 } 771 } else { 772 hs.writeServerHash(hs.serverHello.marshal()) 773 if c.config.Bugs.EarlyChangeCipherSpec > 0 { 774 hs.establishKeys() 775 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 776 } 777 778 if hs.serverHello.compressionMethod != compressionNone { 779 c.sendAlert(alertUnexpectedMessage) 780 return errors.New("tls: server selected unsupported compression format") 781 } 782 783 err = hs.processServerExtensions(&serverHello.extensions) 784 if err != nil { 785 return err 786 } 787 788 isResume, err := hs.processServerHello() 789 if err != nil { 790 return err 791 } 792 793 if isResume { 794 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 795 if err := hs.establishKeys(); err != nil { 796 return err 797 } 798 } 799 if err := hs.readSessionTicket(); err != nil { 800 return err 801 } 802 if err := hs.readFinished(c.firstFinished[:]); err != nil { 803 return err 804 } 805 if err := hs.sendFinished(nil, isResume); err != nil { 806 return err 807 } 808 } else { 809 if err := hs.doFullHandshake(); err != nil { 810 return err 811 } 812 if err := hs.establishKeys(); err != nil { 813 return err 814 } 815 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 816 return err 817 } 818 // Most retransmits are triggered by a timeout, but the final 819 // leg of the handshake is retransmited upon re-receiving a 820 // Finished. 821 if err := c.simulatePacketLoss(func() { 822 c.sendHandshakeSeq-- 823 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 824 c.flushHandshake() 825 }); err != nil { 826 return err 827 } 828 if err := hs.readSessionTicket(); err != nil { 829 return err 830 } 831 if err := hs.readFinished(nil); err != nil { 832 return err 833 } 834 } 835 836 if sessionCache != nil && hs.session != nil && session != hs.session { 837 if c.config.Bugs.RequireSessionTickets && len(hs.session.sessionTicket) == 0 { 838 return errors.New("tls: new session used session IDs instead of tickets") 839 } 840 if c.config.Bugs.RequireSessionIDs && len(hs.session.sessionID) == 0 { 841 return errors.New("tls: new session used session tickets instead of IDs") 842 } 843 sessionCache.Put(cacheKey, hs.session) 844 } 845 846 c.didResume = isResume 847 c.exporterSecret = hs.masterSecret 848 } 849 850 c.handshakeComplete = true 851 c.cipherSuite = suite 852 copy(c.clientRandom[:], hs.hello.random) 853 copy(c.serverRandom[:], hs.serverHello.random) 854 855 return nil 856} 857 858func (hs *clientHandshakeState) doTLS13Handshake() error { 859 c := hs.c 860 861 if !bytes.Equal(hs.hello.sessionID, hs.serverHello.sessionID) { 862 return errors.New("tls: session IDs did not match.") 863 } 864 865 zeroSecret := hs.finishedHash.zeroSecret() 866 867 // Resolve PSK and compute the early secret. 868 // 869 // TODO(davidben): This will need to be handled slightly earlier once 870 // 0-RTT is implemented. 871 if hs.serverHello.hasPSKIdentity { 872 // We send at most one PSK identity. 873 if hs.session == nil || hs.serverHello.pskIdentity != 0 { 874 c.sendAlert(alertUnknownPSKIdentity) 875 return errors.New("tls: server sent unknown PSK identity") 876 } 877 sessionCipher := cipherSuiteFromID(hs.session.cipherSuite) 878 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 879 c.sendAlert(alertHandshakeFailure) 880 return errors.New("tls: server resumed an invalid session for the cipher suite") 881 } 882 hs.finishedHash.addEntropy(hs.session.masterSecret) 883 c.didResume = true 884 } else { 885 hs.finishedHash.addEntropy(zeroSecret) 886 } 887 888 if !hs.serverHello.hasKeyShare { 889 c.sendAlert(alertUnsupportedExtension) 890 return errors.New("tls: server omitted KeyShare on resumption.") 891 } 892 893 // Resolve ECDHE and compute the handshake secret. 894 if !c.config.Bugs.MissingKeyShare && !c.config.Bugs.SecondClientHelloMissingKeyShare { 895 curve, ok := hs.keyShares[hs.serverHello.keyShare.group] 896 if !ok { 897 c.sendAlert(alertHandshakeFailure) 898 return errors.New("tls: server selected an unsupported group") 899 } 900 c.curveID = hs.serverHello.keyShare.group 901 902 ecdheSecret, err := curve.finish(hs.serverHello.keyShare.keyExchange) 903 if err != nil { 904 return err 905 } 906 hs.finishedHash.nextSecret() 907 hs.finishedHash.addEntropy(ecdheSecret) 908 } else { 909 hs.finishedHash.nextSecret() 910 hs.finishedHash.addEntropy(zeroSecret) 911 } 912 913 // Determine whether the server indicated ECH acceptance. 914 915 // Generate ServerHelloECHConf, which is identical to the ServerHello except 916 // that the last 8 bytes of the random value are zeroes. 917 echAcceptConfirmation := hs.finishedHash.deriveSecretPeek([]byte("ech accept confirmation"), hs.serverHello.marshalForECHConf()) 918 serverAcceptedECH := bytes.Equal(echAcceptConfirmation[:8], hs.serverHello.random[24:]) 919 if c.config.Bugs.ExpectServerAcceptECH && !serverAcceptedECH { 920 return errors.New("tls: server did not indicate ECH acceptance") 921 } 922 if !c.config.Bugs.ExpectServerAcceptECH && serverAcceptedECH { 923 return errors.New("tls: server indicated ECH acceptance") 924 } 925 926 // Once the PRF hash is known, TLS 1.3 does not require a handshake 927 // buffer. 928 hs.finishedHash.discardHandshakeBuffer() 929 930 hs.writeServerHash(hs.serverHello.marshal()) 931 932 // Derive handshake traffic keys and switch read key to handshake 933 // traffic key. 934 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 935 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 936 if err := c.useInTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, serverHandshakeTrafficSecret); err != nil { 937 return err 938 } 939 940 msg, err := c.readHandshake() 941 if err != nil { 942 return err 943 } 944 945 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 946 if !ok { 947 c.sendAlert(alertUnexpectedMessage) 948 return unexpectedMessageError(encryptedExtensions, msg) 949 } 950 hs.writeServerHash(encryptedExtensions.marshal()) 951 952 err = hs.processServerExtensions(&encryptedExtensions.extensions) 953 if err != nil { 954 return err 955 } 956 957 var chainToSend *Certificate 958 var certReq *certificateRequestMsg 959 if c.didResume { 960 // Copy over authentication from the session. 961 c.peerCertificates = hs.session.serverCertificates 962 c.sctList = hs.session.sctList 963 c.ocspResponse = hs.session.ocspResponse 964 } else { 965 msg, err := c.readHandshake() 966 if err != nil { 967 return err 968 } 969 970 var ok bool 971 certReq, ok = msg.(*certificateRequestMsg) 972 if ok { 973 if len(certReq.requestContext) != 0 { 974 return errors.New("tls: non-empty certificate request context sent in handshake") 975 } 976 977 if c.config.Bugs.ExpectNoCertificateAuthoritiesExtension && certReq.hasCAExtension { 978 return errors.New("tls: expected no certificate_authorities extension") 979 } 980 981 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 982 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 983 } 984 985 hs.writeServerHash(certReq.marshal()) 986 987 chainToSend, err = selectClientCertificate(c, certReq) 988 if err != nil { 989 return err 990 } 991 992 msg, err = c.readHandshake() 993 if err != nil { 994 return err 995 } 996 } 997 998 var certMsg *certificateMsg 999 1000 if compressedCertMsg, ok := msg.(*compressedCertificateMsg); ok { 1001 hs.writeServerHash(compressedCertMsg.marshal()) 1002 1003 alg, ok := c.config.CertCompressionAlgs[compressedCertMsg.algID] 1004 if !ok { 1005 c.sendAlert(alertBadCertificate) 1006 return fmt.Errorf("tls: received certificate compressed with unknown algorithm %x", compressedCertMsg.algID) 1007 } 1008 1009 decompressed := make([]byte, 4+int(compressedCertMsg.uncompressedLength)) 1010 if !alg.Decompress(decompressed[4:], compressedCertMsg.compressed) { 1011 c.sendAlert(alertBadCertificate) 1012 return fmt.Errorf("tls: failed to decompress certificate with algorithm %x", compressedCertMsg.algID) 1013 } 1014 1015 certMsg = &certificateMsg{ 1016 hasRequestContext: true, 1017 } 1018 1019 if !certMsg.unmarshal(decompressed) { 1020 c.sendAlert(alertBadCertificate) 1021 return errors.New("tls: failed to parse decompressed certificate") 1022 } 1023 1024 if expected := c.config.Bugs.ExpectedCompressedCert; expected != 0 && expected != compressedCertMsg.algID { 1025 return fmt.Errorf("tls: expected certificate compressed with algorithm %x, but message used %x", expected, compressedCertMsg.algID) 1026 } 1027 } else { 1028 if certMsg, ok = msg.(*certificateMsg); !ok { 1029 c.sendAlert(alertUnexpectedMessage) 1030 return unexpectedMessageError(certMsg, msg) 1031 } 1032 hs.writeServerHash(certMsg.marshal()) 1033 1034 if c.config.Bugs.ExpectedCompressedCert != 0 { 1035 return errors.New("tls: uncompressed certificate received") 1036 } 1037 } 1038 1039 // Check for unsolicited extensions. 1040 for i, cert := range certMsg.certificates { 1041 if c.config.Bugs.NoOCSPStapling && cert.ocspResponse != nil { 1042 c.sendAlert(alertUnsupportedExtension) 1043 return errors.New("tls: unexpected OCSP response in the server certificate") 1044 } 1045 if c.config.Bugs.NoSignedCertificateTimestamps && cert.sctList != nil { 1046 c.sendAlert(alertUnsupportedExtension) 1047 return errors.New("tls: unexpected SCT list in the server certificate") 1048 } 1049 if i > 0 && c.config.Bugs.ExpectNoExtensionsOnIntermediate && (cert.ocspResponse != nil || cert.sctList != nil) { 1050 c.sendAlert(alertUnsupportedExtension) 1051 return errors.New("tls: unexpected extensions in the server certificate") 1052 } 1053 } 1054 1055 if err := hs.verifyCertificates(certMsg); err != nil { 1056 return err 1057 } 1058 c.ocspResponse = certMsg.certificates[0].ocspResponse 1059 c.sctList = certMsg.certificates[0].sctList 1060 1061 msg, err = c.readHandshake() 1062 if err != nil { 1063 return err 1064 } 1065 certVerifyMsg, ok := msg.(*certificateVerifyMsg) 1066 if !ok { 1067 c.sendAlert(alertUnexpectedMessage) 1068 return unexpectedMessageError(certVerifyMsg, msg) 1069 } 1070 1071 c.peerSignatureAlgorithm = certVerifyMsg.signatureAlgorithm 1072 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 1073 err = verifyMessage(c.vers, hs.peerPublicKey, c.config, certVerifyMsg.signatureAlgorithm, input, certVerifyMsg.signature) 1074 if err != nil { 1075 return err 1076 } 1077 1078 hs.writeServerHash(certVerifyMsg.marshal()) 1079 } 1080 1081 msg, err = c.readHandshake() 1082 if err != nil { 1083 return err 1084 } 1085 serverFinished, ok := msg.(*finishedMsg) 1086 if !ok { 1087 c.sendAlert(alertUnexpectedMessage) 1088 return unexpectedMessageError(serverFinished, msg) 1089 } 1090 1091 verify := hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 1092 if len(verify) != len(serverFinished.verifyData) || 1093 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1094 c.sendAlert(alertHandshakeFailure) 1095 return errors.New("tls: server's Finished message was incorrect") 1096 } 1097 1098 hs.writeServerHash(serverFinished.marshal()) 1099 1100 // The various secrets do not incorporate the client's final leg, so 1101 // derive them now before updating the handshake context. 1102 hs.finishedHash.nextSecret() 1103 hs.finishedHash.addEntropy(zeroSecret) 1104 1105 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 1106 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 1107 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 1108 1109 // Switch to application data keys on read. In particular, any alerts 1110 // from the client certificate are read over these keys. 1111 if err := c.useInTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, serverTrafficSecret); err != nil { 1112 return err 1113 } 1114 1115 // If we're expecting 0.5-RTT messages from the server, read them now. 1116 var deferredTickets []*newSessionTicketMsg 1117 if encryptedExtensions.extensions.hasEarlyData { 1118 // BoringSSL will always send two tickets half-RTT when 1119 // negotiating 0-RTT. 1120 for i := 0; i < shimConfig.HalfRTTTickets; i++ { 1121 msg, err := c.readHandshake() 1122 if err != nil { 1123 return fmt.Errorf("tls: error reading half-RTT ticket: %s", err) 1124 } 1125 newSessionTicket, ok := msg.(*newSessionTicketMsg) 1126 if !ok { 1127 return errors.New("tls: expected half-RTT ticket") 1128 } 1129 // Defer processing until the resumption secret is computed. 1130 deferredTickets = append(deferredTickets, newSessionTicket) 1131 } 1132 for _, expectedMsg := range c.config.Bugs.ExpectHalfRTTData { 1133 if err := c.readRecord(recordTypeApplicationData); err != nil { 1134 return err 1135 } 1136 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 1137 return errors.New("ExpectHalfRTTData: did not get expected message") 1138 } 1139 c.in.freeBlock(c.input) 1140 c.input = nil 1141 } 1142 } 1143 1144 // Send EndOfEarlyData and then switch write key to handshake 1145 // traffic key. 1146 if encryptedExtensions.extensions.hasEarlyData && !c.config.Bugs.SkipEndOfEarlyData && c.config.Bugs.MockQUICTransport == nil { 1147 if c.config.Bugs.SendStrayEarlyHandshake { 1148 helloRequest := new(helloRequestMsg) 1149 c.writeRecord(recordTypeHandshake, helloRequest.marshal()) 1150 } 1151 endOfEarlyData := new(endOfEarlyDataMsg) 1152 endOfEarlyData.nonEmpty = c.config.Bugs.NonEmptyEndOfEarlyData 1153 if c.config.Bugs.PartialEndOfEarlyDataWithClientHello { 1154 // The first byte has already been sent. 1155 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()[1:]) 1156 } else { 1157 c.writeRecord(recordTypeHandshake, endOfEarlyData.marshal()) 1158 } 1159 hs.writeClientHash(endOfEarlyData.marshal()) 1160 } 1161 1162 if !c.config.Bugs.SkipChangeCipherSpec && !hs.hello.hasEarlyData { 1163 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1164 } 1165 1166 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 1167 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1168 } 1169 1170 c.useOutTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, clientHandshakeTrafficSecret) 1171 1172 // The client EncryptedExtensions message is sent if some extension uses it. 1173 // (Currently only ALPS does.) 1174 hasEncryptedExtensions := c.config.Bugs.AlwaysSendClientEncryptedExtensions 1175 clientEncryptedExtensions := new(clientEncryptedExtensionsMsg) 1176 if encryptedExtensions.extensions.hasApplicationSettings || (c.config.Bugs.SendApplicationSettingsWithEarlyData && c.hasApplicationSettings) { 1177 hasEncryptedExtensions = true 1178 if !c.config.Bugs.OmitClientApplicationSettings { 1179 clientEncryptedExtensions.hasApplicationSettings = true 1180 clientEncryptedExtensions.applicationSettings = c.localApplicationSettings 1181 } 1182 } 1183 if c.config.Bugs.SendExtraClientEncryptedExtension { 1184 hasEncryptedExtensions = true 1185 clientEncryptedExtensions.customExtension = []byte{0} 1186 } 1187 if hasEncryptedExtensions && !c.config.Bugs.OmitClientEncryptedExtensions { 1188 hs.writeClientHash(clientEncryptedExtensions.marshal()) 1189 c.writeRecord(recordTypeHandshake, clientEncryptedExtensions.marshal()) 1190 } 1191 1192 if certReq != nil && !c.config.Bugs.SkipClientCertificate { 1193 certMsg := &certificateMsg{ 1194 hasRequestContext: true, 1195 requestContext: certReq.requestContext, 1196 } 1197 if chainToSend != nil { 1198 for _, certData := range chainToSend.Certificate { 1199 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1200 data: certData, 1201 extraExtension: c.config.Bugs.SendExtensionOnCertificate, 1202 }) 1203 } 1204 } 1205 hs.writeClientHash(certMsg.marshal()) 1206 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1207 1208 if chainToSend != nil { 1209 certVerify := &certificateVerifyMsg{ 1210 hasSignatureAlgorithm: true, 1211 } 1212 1213 // Determine the hash to sign. 1214 privKey := chainToSend.PrivateKey 1215 1216 var err error 1217 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1218 if err != nil { 1219 c.sendAlert(alertInternalError) 1220 return err 1221 } 1222 1223 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1224 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 1225 if err != nil { 1226 c.sendAlert(alertInternalError) 1227 return err 1228 } 1229 if c.config.Bugs.SendSignatureAlgorithm != 0 { 1230 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1231 } 1232 1233 if !c.config.Bugs.SkipCertificateVerify { 1234 hs.writeClientHash(certVerify.marshal()) 1235 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1236 } 1237 } 1238 } 1239 1240 if encryptedExtensions.extensions.channelIDRequested { 1241 channelIDHash := crypto.SHA256.New() 1242 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1243 channelIDMsgBytes, err := hs.writeChannelIDMessage(channelIDHash.Sum(nil)) 1244 if err != nil { 1245 return err 1246 } 1247 hs.writeClientHash(channelIDMsgBytes) 1248 c.writeRecord(recordTypeHandshake, channelIDMsgBytes) 1249 } 1250 1251 // Send a client Finished message. 1252 finished := new(finishedMsg) 1253 finished.verifyData = hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1254 if c.config.Bugs.BadFinished { 1255 finished.verifyData[0]++ 1256 } 1257 hs.writeClientHash(finished.marshal()) 1258 if c.config.Bugs.PartialClientFinishedWithClientHello { 1259 // The first byte has already been sent. 1260 c.writeRecord(recordTypeHandshake, finished.marshal()[1:]) 1261 } else if c.config.Bugs.InterleaveEarlyData { 1262 finishedBytes := finished.marshal() 1263 c.sendFakeEarlyData(4) 1264 c.writeRecord(recordTypeHandshake, finishedBytes[:1]) 1265 c.sendFakeEarlyData(4) 1266 c.writeRecord(recordTypeHandshake, finishedBytes[1:]) 1267 } else { 1268 c.writeRecord(recordTypeHandshake, finished.marshal()) 1269 } 1270 if c.config.Bugs.SendExtraFinished { 1271 c.writeRecord(recordTypeHandshake, finished.marshal()) 1272 } 1273 c.flushHandshake() 1274 1275 // Switch to application data keys. 1276 c.useOutTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, clientTrafficSecret) 1277 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1278 for _, ticket := range deferredTickets { 1279 if err := c.processTLS13NewSessionTicket(ticket, hs.suite); err != nil { 1280 return err 1281 } 1282 } 1283 1284 return nil 1285} 1286 1287func (hs *clientHandshakeState) doFullHandshake() error { 1288 c := hs.c 1289 1290 var leaf *x509.Certificate 1291 if hs.suite.flags&suitePSK == 0 { 1292 msg, err := c.readHandshake() 1293 if err != nil { 1294 return err 1295 } 1296 1297 certMsg, ok := msg.(*certificateMsg) 1298 if !ok { 1299 c.sendAlert(alertUnexpectedMessage) 1300 return unexpectedMessageError(certMsg, msg) 1301 } 1302 hs.writeServerHash(certMsg.marshal()) 1303 1304 if err := hs.verifyCertificates(certMsg); err != nil { 1305 return err 1306 } 1307 leaf = c.peerCertificates[0] 1308 } 1309 1310 if hs.serverHello.extensions.ocspStapling { 1311 msg, err := c.readHandshake() 1312 if err != nil { 1313 return err 1314 } 1315 cs, ok := msg.(*certificateStatusMsg) 1316 if !ok { 1317 c.sendAlert(alertUnexpectedMessage) 1318 return unexpectedMessageError(cs, msg) 1319 } 1320 hs.writeServerHash(cs.marshal()) 1321 1322 if cs.statusType == statusTypeOCSP { 1323 c.ocspResponse = cs.response 1324 } 1325 } 1326 1327 msg, err := c.readHandshake() 1328 if err != nil { 1329 return err 1330 } 1331 1332 keyAgreement := hs.suite.ka(c.vers) 1333 1334 skx, ok := msg.(*serverKeyExchangeMsg) 1335 if ok { 1336 hs.writeServerHash(skx.marshal()) 1337 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, hs.peerPublicKey, skx) 1338 if err != nil { 1339 c.sendAlert(alertUnexpectedMessage) 1340 return err 1341 } 1342 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1343 c.curveID = ecdhe.curveID 1344 } 1345 1346 c.peerSignatureAlgorithm = keyAgreement.peerSignatureAlgorithm() 1347 1348 msg, err = c.readHandshake() 1349 if err != nil { 1350 return err 1351 } 1352 } 1353 1354 var chainToSend *Certificate 1355 var certRequested bool 1356 certReq, ok := msg.(*certificateRequestMsg) 1357 if ok { 1358 certRequested = true 1359 if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 1360 certReq.signatureAlgorithms = c.config.signSignatureAlgorithms() 1361 } 1362 1363 hs.writeServerHash(certReq.marshal()) 1364 1365 chainToSend, err = selectClientCertificate(c, certReq) 1366 if err != nil { 1367 return err 1368 } 1369 1370 msg, err = c.readHandshake() 1371 if err != nil { 1372 return err 1373 } 1374 } 1375 1376 shd, ok := msg.(*serverHelloDoneMsg) 1377 if !ok { 1378 c.sendAlert(alertUnexpectedMessage) 1379 return unexpectedMessageError(shd, msg) 1380 } 1381 hs.writeServerHash(shd.marshal()) 1382 1383 // If the server requested a certificate then we have to send a 1384 // Certificate message in TLS, even if it's empty because we don't have 1385 // a certificate to send. In SSL 3.0, skip the message and send a 1386 // no_certificate warning alert. 1387 if certRequested { 1388 if c.vers == VersionSSL30 && chainToSend == nil { 1389 c.sendAlert(alertNoCertificate) 1390 } else if !c.config.Bugs.SkipClientCertificate { 1391 certMsg := new(certificateMsg) 1392 if chainToSend != nil { 1393 for _, certData := range chainToSend.Certificate { 1394 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1395 data: certData, 1396 }) 1397 } 1398 } 1399 hs.writeClientHash(certMsg.marshal()) 1400 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 1401 } 1402 } 1403 1404 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf) 1405 if err != nil { 1406 c.sendAlert(alertInternalError) 1407 return err 1408 } 1409 if ckx != nil { 1410 if c.config.Bugs.EarlyChangeCipherSpec < 2 { 1411 hs.writeClientHash(ckx.marshal()) 1412 } 1413 if c.config.Bugs.PartialClientKeyExchangeWithClientHello { 1414 // The first byte was already written. 1415 c.writeRecord(recordTypeHandshake, ckx.marshal()[1:]) 1416 } else { 1417 c.writeRecord(recordTypeHandshake, ckx.marshal()) 1418 } 1419 } 1420 1421 if hs.serverHello.extensions.extendedMasterSecret && c.vers >= VersionTLS10 { 1422 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 1423 c.extendedMasterSecret = true 1424 } else { 1425 if c.config.Bugs.RequireExtendedMasterSecret { 1426 return errors.New("tls: extended master secret required but not supported by peer") 1427 } 1428 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) 1429 } 1430 1431 if chainToSend != nil { 1432 certVerify := &certificateVerifyMsg{ 1433 hasSignatureAlgorithm: c.vers >= VersionTLS12, 1434 } 1435 1436 // Determine the hash to sign. 1437 privKey := c.config.Certificates[0].PrivateKey 1438 1439 if certVerify.hasSignatureAlgorithm { 1440 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) 1441 if err != nil { 1442 c.sendAlert(alertInternalError) 1443 return err 1444 } 1445 } 1446 1447 if c.vers > VersionSSL30 { 1448 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, hs.finishedHash.buffer) 1449 if err == nil && c.config.Bugs.SendSignatureAlgorithm != 0 { 1450 certVerify.signatureAlgorithm = c.config.Bugs.SendSignatureAlgorithm 1451 } 1452 } else { 1453 // SSL 3.0's client certificate construction is 1454 // incompatible with signatureAlgorithm. 1455 rsaKey, ok := privKey.(*rsa.PrivateKey) 1456 if !ok { 1457 err = errors.New("unsupported signature type for client certificate") 1458 } else { 1459 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret) 1460 if c.config.Bugs.InvalidSignature { 1461 digest[0] ^= 0x80 1462 } 1463 certVerify.signature, err = rsa.SignPKCS1v15(c.config.rand(), rsaKey, crypto.MD5SHA1, digest) 1464 } 1465 } 1466 if err != nil { 1467 c.sendAlert(alertInternalError) 1468 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error()) 1469 } 1470 1471 if !c.config.Bugs.SkipCertificateVerify { 1472 hs.writeClientHash(certVerify.marshal()) 1473 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1474 } 1475 } 1476 // flushHandshake will be called in sendFinished. 1477 1478 hs.finishedHash.discardHandshakeBuffer() 1479 1480 return nil 1481} 1482 1483// delegatedCredentialSignedMessage returns the bytes that are signed in order 1484// to authenticate a delegated credential. 1485func delegatedCredentialSignedMessage(credBytes []byte, algorithm signatureAlgorithm, leafDER []byte) []byte { 1486 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1487 ret := make([]byte, 64, 128) 1488 for i := range ret { 1489 ret[i] = 0x20 1490 } 1491 1492 ret = append(ret, []byte("TLS, server delegated credentials\x00")...) 1493 ret = append(ret, leafDER...) 1494 ret = append(ret, byte(algorithm>>8), byte(algorithm)) 1495 ret = append(ret, credBytes...) 1496 1497 return ret 1498} 1499 1500func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error { 1501 c := hs.c 1502 1503 if len(certMsg.certificates) == 0 { 1504 c.sendAlert(alertIllegalParameter) 1505 return errors.New("tls: no certificates sent") 1506 } 1507 1508 var dc *delegatedCredential 1509 certs := make([]*x509.Certificate, len(certMsg.certificates)) 1510 for i, certEntry := range certMsg.certificates { 1511 cert, err := x509.ParseCertificate(certEntry.data) 1512 if err != nil { 1513 c.sendAlert(alertBadCertificate) 1514 return errors.New("tls: failed to parse certificate from server: " + err.Error()) 1515 } 1516 certs[i] = cert 1517 1518 if certEntry.delegatedCredential != nil { 1519 if c.config.Bugs.FailIfDelegatedCredentials { 1520 c.sendAlert(alertIllegalParameter) 1521 return errors.New("tls: unexpected delegated credential") 1522 } 1523 if i != 0 { 1524 c.sendAlert(alertIllegalParameter) 1525 return errors.New("tls: non-leaf certificate has a delegated credential") 1526 } 1527 if c.config.Bugs.DisableDelegatedCredentials { 1528 c.sendAlert(alertIllegalParameter) 1529 return errors.New("tls: server sent delegated credential without it being requested") 1530 } 1531 dc = certEntry.delegatedCredential 1532 } 1533 } 1534 1535 if !c.config.InsecureSkipVerify { 1536 opts := x509.VerifyOptions{ 1537 Roots: c.config.RootCAs, 1538 CurrentTime: c.config.time(), 1539 DNSName: c.config.ServerName, 1540 Intermediates: x509.NewCertPool(), 1541 } 1542 1543 for i, cert := range certs { 1544 if i == 0 { 1545 continue 1546 } 1547 opts.Intermediates.AddCert(cert) 1548 } 1549 var err error 1550 c.verifiedChains, err = certs[0].Verify(opts) 1551 if err != nil { 1552 c.sendAlert(alertBadCertificate) 1553 return err 1554 } 1555 } 1556 1557 leafPublicKey := certs[0].PublicKey 1558 switch leafPublicKey.(type) { 1559 case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey: 1560 break 1561 default: 1562 c.sendAlert(alertUnsupportedCertificate) 1563 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leafPublicKey) 1564 } 1565 1566 c.peerCertificates = certs 1567 1568 if dc != nil { 1569 // Note that this doesn't check a) the delegated credential temporal 1570 // validity nor b) that the certificate has the special OID asserted. 1571 hs.skxAlgo = dc.expectedCertVerifyAlgo 1572 1573 var err error 1574 if hs.peerPublicKey, err = x509.ParsePKIXPublicKey(dc.pkixPublicKey); err != nil { 1575 c.sendAlert(alertBadCertificate) 1576 return errors.New("tls: failed to parse public key from delegated credential: " + err.Error()) 1577 } 1578 1579 verifier, err := getSigner(c.vers, hs.peerPublicKey, c.config, dc.algorithm, true) 1580 if err != nil { 1581 c.sendAlert(alertBadCertificate) 1582 return errors.New("tls: failed to get verifier for delegated credential: " + err.Error()) 1583 } 1584 1585 if err := verifier.verifyMessage(leafPublicKey, delegatedCredentialSignedMessage(dc.signedBytes, dc.algorithm, certs[0].Raw), dc.signature); err != nil { 1586 c.sendAlert(alertBadCertificate) 1587 return errors.New("tls: failed to verify delegated credential: " + err.Error()) 1588 } 1589 } else if c.config.Bugs.ExpectDelegatedCredentials { 1590 c.sendAlert(alertInternalError) 1591 return errors.New("tls: delegated credentials missing") 1592 } else { 1593 hs.peerPublicKey = leafPublicKey 1594 } 1595 1596 return nil 1597} 1598 1599func (hs *clientHandshakeState) establishKeys() error { 1600 c := hs.c 1601 1602 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 1603 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 1604 var clientCipher, serverCipher interface{} 1605 var clientHash, serverHash macFunction 1606 if hs.suite.cipher != nil { 1607 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) 1608 clientHash = hs.suite.mac(c.vers, clientMAC) 1609 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) 1610 serverHash = hs.suite.mac(c.vers, serverMAC) 1611 } else { 1612 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 1613 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 1614 } 1615 1616 c.in.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 1617 c.out.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 1618 return nil 1619} 1620 1621func (hs *clientHandshakeState) processServerExtensions(serverExtensions *serverExtensions) error { 1622 c := hs.c 1623 1624 if c.vers < VersionTLS13 { 1625 if c.config.Bugs.RequireRenegotiationInfo && serverExtensions.secureRenegotiation == nil { 1626 return errors.New("tls: renegotiation extension missing") 1627 } 1628 1629 if len(c.clientVerify) > 0 && !c.noRenegotiationInfo() { 1630 var expectedRenegInfo []byte 1631 expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...) 1632 expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...) 1633 if !bytes.Equal(serverExtensions.secureRenegotiation, expectedRenegInfo) { 1634 c.sendAlert(alertHandshakeFailure) 1635 return fmt.Errorf("tls: renegotiation mismatch") 1636 } 1637 } 1638 } else if serverExtensions.secureRenegotiation != nil { 1639 return errors.New("tls: renegotiation info sent in TLS 1.3") 1640 } 1641 1642 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1643 if serverExtensions.customExtension != *expected { 1644 return fmt.Errorf("tls: bad custom extension contents %q", serverExtensions.customExtension) 1645 } 1646 } 1647 1648 clientDidNPN := hs.hello.nextProtoNeg 1649 clientDidALPN := len(hs.hello.alpnProtocols) > 0 1650 serverHasNPN := serverExtensions.nextProtoNeg 1651 serverHasALPN := len(serverExtensions.alpnProtocol) > 0 1652 1653 if !clientDidNPN && serverHasNPN { 1654 c.sendAlert(alertHandshakeFailure) 1655 return errors.New("server advertised unrequested NPN extension") 1656 } 1657 1658 if !clientDidALPN && serverHasALPN { 1659 c.sendAlert(alertHandshakeFailure) 1660 return errors.New("server advertised unrequested ALPN extension") 1661 } 1662 1663 if serverHasNPN && serverHasALPN { 1664 c.sendAlert(alertHandshakeFailure) 1665 return errors.New("server advertised both NPN and ALPN extensions") 1666 } 1667 1668 if serverHasALPN { 1669 c.clientProtocol = serverExtensions.alpnProtocol 1670 c.clientProtocolFallback = false 1671 c.usedALPN = true 1672 } 1673 1674 if serverHasNPN && c.vers >= VersionTLS13 { 1675 c.sendAlert(alertHandshakeFailure) 1676 return errors.New("server advertised NPN over TLS 1.3") 1677 } 1678 1679 if !hs.hello.channelIDSupported && serverExtensions.channelIDRequested { 1680 c.sendAlert(alertHandshakeFailure) 1681 return errors.New("server advertised unrequested Channel ID extension") 1682 } 1683 1684 if len(serverExtensions.tokenBindingParams) == 1 { 1685 found := false 1686 for _, p := range c.config.TokenBindingParams { 1687 if p == serverExtensions.tokenBindingParams[0] { 1688 c.tokenBindingParam = p 1689 found = true 1690 break 1691 } 1692 } 1693 if !found { 1694 return errors.New("tls: server advertised unsupported Token Binding key param") 1695 } 1696 if serverExtensions.tokenBindingVersion > c.config.TokenBindingVersion { 1697 return errors.New("tls: server's Token Binding version is too new") 1698 } 1699 if c.vers < VersionTLS13 { 1700 if !serverExtensions.extendedMasterSecret || serverExtensions.secureRenegotiation == nil { 1701 return errors.New("server sent Token Binding without EMS or RI") 1702 } 1703 } 1704 c.tokenBindingNegotiated = true 1705 } 1706 1707 if serverExtensions.extendedMasterSecret && c.vers >= VersionTLS13 { 1708 return errors.New("tls: server advertised extended master secret over TLS 1.3") 1709 } 1710 1711 if serverExtensions.ticketSupported && c.vers >= VersionTLS13 { 1712 return errors.New("tls: server advertised ticket extension over TLS 1.3") 1713 } 1714 1715 if serverExtensions.ocspStapling && c.vers >= VersionTLS13 { 1716 return errors.New("tls: server advertised OCSP in ServerHello over TLS 1.3") 1717 } 1718 1719 if serverExtensions.ocspStapling && c.config.Bugs.NoOCSPStapling { 1720 return errors.New("tls: server advertised unrequested OCSP extension") 1721 } 1722 1723 if len(serverExtensions.sctList) > 0 && c.vers >= VersionTLS13 { 1724 return errors.New("tls: server advertised SCTs in ServerHello over TLS 1.3") 1725 } 1726 1727 if len(serverExtensions.sctList) > 0 && c.config.Bugs.NoSignedCertificateTimestamps { 1728 return errors.New("tls: server advertised unrequested SCTs") 1729 } 1730 1731 if serverExtensions.srtpProtectionProfile != 0 { 1732 if serverExtensions.srtpMasterKeyIdentifier != "" { 1733 return errors.New("tls: server selected SRTP MKI value") 1734 } 1735 1736 found := false 1737 for _, p := range c.config.SRTPProtectionProfiles { 1738 if p == serverExtensions.srtpProtectionProfile { 1739 found = true 1740 break 1741 } 1742 } 1743 if !found { 1744 return errors.New("tls: server advertised unsupported SRTP profile") 1745 } 1746 1747 c.srtpProtectionProfile = serverExtensions.srtpProtectionProfile 1748 } 1749 1750 if c.vers >= VersionTLS13 && c.didResume { 1751 if c.config.Bugs.ExpectEarlyDataAccepted && !serverExtensions.hasEarlyData { 1752 c.sendAlert(alertHandshakeFailure) 1753 return errors.New("tls: server did not accept early data when expected") 1754 } 1755 1756 if !c.config.Bugs.ExpectEarlyDataAccepted && serverExtensions.hasEarlyData { 1757 c.sendAlert(alertHandshakeFailure) 1758 return errors.New("tls: server accepted early data when not expected") 1759 } 1760 } else if serverExtensions.hasEarlyData { 1761 return errors.New("tls: server accepted early data when not resuming") 1762 } 1763 1764 if len(serverExtensions.quicTransportParams) > 0 { 1765 if c.vers < VersionTLS13 { 1766 c.sendAlert(alertHandshakeFailure) 1767 return errors.New("tls: server sent QUIC transport params for TLS version less than 1.3") 1768 } 1769 c.quicTransportParams = serverExtensions.quicTransportParams 1770 } 1771 1772 if len(serverExtensions.quicTransportParamsLegacy) > 0 { 1773 if c.vers < VersionTLS13 { 1774 c.sendAlert(alertHandshakeFailure) 1775 return errors.New("tls: server sent QUIC transport params for TLS version less than 1.3") 1776 } 1777 c.quicTransportParamsLegacy = serverExtensions.quicTransportParamsLegacy 1778 } 1779 1780 if serverExtensions.hasApplicationSettings { 1781 if c.vers < VersionTLS13 { 1782 return errors.New("tls: server sent application settings at invalid version") 1783 } 1784 if serverExtensions.hasEarlyData { 1785 return errors.New("tls: server sent application settings with 0-RTT") 1786 } 1787 if !serverHasALPN { 1788 return errors.New("tls: server sent application settings without ALPN") 1789 } 1790 settings, ok := c.config.ApplicationSettings[serverExtensions.alpnProtocol] 1791 if !ok { 1792 return errors.New("tls: server sent application settings for invalid protocol") 1793 } 1794 c.hasApplicationSettings = true 1795 c.localApplicationSettings = settings 1796 c.peerApplicationSettings = serverExtensions.applicationSettings 1797 } else if serverExtensions.hasEarlyData { 1798 // 0-RTT connections inherit application settings from the session. 1799 c.hasApplicationSettings = hs.session.hasApplicationSettings 1800 c.localApplicationSettings = hs.session.localApplicationSettings 1801 c.peerApplicationSettings = hs.session.peerApplicationSettings 1802 } 1803 1804 return nil 1805} 1806 1807func (hs *clientHandshakeState) serverResumedSession() bool { 1808 // If the server responded with the same sessionID then it means the 1809 // sessionTicket is being used to resume a TLS session. 1810 // 1811 // Note that, if hs.hello.sessionID is a non-nil empty array, this will 1812 // accept an empty session ID from the server as resumption. See 1813 // EmptyTicketSessionID. 1814 return hs.session != nil && hs.hello.sessionID != nil && 1815 bytes.Equal(hs.serverHello.sessionID, hs.hello.sessionID) 1816} 1817 1818func (hs *clientHandshakeState) processServerHello() (bool, error) { 1819 c := hs.c 1820 1821 if hs.serverResumedSession() { 1822 // For test purposes, assert that the server never accepts the 1823 // resumption offer on renegotiation. 1824 if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego { 1825 return false, errors.New("tls: server resumed session on renegotiation") 1826 } 1827 1828 if hs.serverHello.extensions.sctList != nil { 1829 return false, errors.New("tls: server sent SCT extension on session resumption") 1830 } 1831 1832 if hs.serverHello.extensions.ocspStapling { 1833 return false, errors.New("tls: server sent OCSP extension on session resumption") 1834 } 1835 1836 // Restore masterSecret and peerCerts from previous state 1837 hs.masterSecret = hs.session.masterSecret 1838 c.peerCertificates = hs.session.serverCertificates 1839 c.extendedMasterSecret = hs.session.extendedMasterSecret 1840 c.sctList = hs.session.sctList 1841 c.ocspResponse = hs.session.ocspResponse 1842 hs.finishedHash.discardHandshakeBuffer() 1843 return true, nil 1844 } 1845 1846 if hs.serverHello.extensions.sctList != nil { 1847 c.sctList = hs.serverHello.extensions.sctList 1848 } 1849 1850 return false, nil 1851} 1852 1853func (hs *clientHandshakeState) readFinished(out []byte) error { 1854 c := hs.c 1855 1856 c.readRecord(recordTypeChangeCipherSpec) 1857 if err := c.in.error(); err != nil { 1858 return err 1859 } 1860 1861 msg, err := c.readHandshake() 1862 if err != nil { 1863 return err 1864 } 1865 serverFinished, ok := msg.(*finishedMsg) 1866 if !ok { 1867 c.sendAlert(alertUnexpectedMessage) 1868 return unexpectedMessageError(serverFinished, msg) 1869 } 1870 1871 if c.config.Bugs.EarlyChangeCipherSpec == 0 { 1872 verify := hs.finishedHash.serverSum(hs.masterSecret) 1873 if len(verify) != len(serverFinished.verifyData) || 1874 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 1875 c.sendAlert(alertHandshakeFailure) 1876 return errors.New("tls: server's Finished message was incorrect") 1877 } 1878 } 1879 c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...) 1880 copy(out, serverFinished.verifyData) 1881 hs.writeServerHash(serverFinished.marshal()) 1882 return nil 1883} 1884 1885func (hs *clientHandshakeState) readSessionTicket() error { 1886 c := hs.c 1887 1888 // Create a session with no server identifier. Either a 1889 // session ID or session ticket will be attached. 1890 session := &ClientSessionState{ 1891 vers: c.vers, 1892 wireVersion: c.wireVersion, 1893 cipherSuite: hs.suite.id, 1894 masterSecret: hs.masterSecret, 1895 handshakeHash: hs.finishedHash.Sum(), 1896 serverCertificates: c.peerCertificates, 1897 sctList: c.sctList, 1898 ocspResponse: c.ocspResponse, 1899 ticketExpiration: c.config.time().Add(time.Duration(7 * 24 * time.Hour)), 1900 } 1901 1902 if !hs.serverHello.extensions.ticketSupported { 1903 if c.config.Bugs.ExpectNewTicket { 1904 return errors.New("tls: expected new ticket") 1905 } 1906 if hs.session == nil && len(hs.serverHello.sessionID) > 0 { 1907 session.sessionID = hs.serverHello.sessionID 1908 hs.session = session 1909 } 1910 return nil 1911 } 1912 1913 if c.vers == VersionSSL30 { 1914 return errors.New("tls: negotiated session tickets in SSL 3.0") 1915 } 1916 if c.config.Bugs.ExpectNoNewSessionTicket { 1917 return errors.New("tls: received unexpected NewSessionTicket") 1918 } 1919 1920 msg, err := c.readHandshake() 1921 if err != nil { 1922 return err 1923 } 1924 sessionTicketMsg, ok := msg.(*newSessionTicketMsg) 1925 if !ok { 1926 c.sendAlert(alertUnexpectedMessage) 1927 return unexpectedMessageError(sessionTicketMsg, msg) 1928 } 1929 1930 session.sessionTicket = sessionTicketMsg.ticket 1931 hs.session = session 1932 1933 hs.writeServerHash(sessionTicketMsg.marshal()) 1934 1935 return nil 1936} 1937 1938func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error { 1939 c := hs.c 1940 1941 var postCCSMsgs [][]byte 1942 seqno := hs.c.sendHandshakeSeq 1943 if hs.serverHello.extensions.nextProtoNeg { 1944 nextProto := new(nextProtoMsg) 1945 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.extensions.nextProtos) 1946 nextProto.proto = proto 1947 c.clientProtocol = proto 1948 c.clientProtocolFallback = fallback 1949 1950 nextProtoBytes := nextProto.marshal() 1951 hs.writeHash(nextProtoBytes, seqno) 1952 seqno++ 1953 postCCSMsgs = append(postCCSMsgs, nextProtoBytes) 1954 } 1955 1956 if hs.serverHello.extensions.channelIDRequested { 1957 var resumeHash []byte 1958 if isResume { 1959 resumeHash = hs.session.handshakeHash 1960 } 1961 channelIDMsgBytes, err := hs.writeChannelIDMessage(hs.finishedHash.hashForChannelID(resumeHash)) 1962 if err != nil { 1963 return err 1964 } 1965 hs.writeHash(channelIDMsgBytes, seqno) 1966 seqno++ 1967 postCCSMsgs = append(postCCSMsgs, channelIDMsgBytes) 1968 } 1969 1970 finished := new(finishedMsg) 1971 if c.config.Bugs.EarlyChangeCipherSpec == 2 { 1972 finished.verifyData = hs.finishedHash.clientSum(nil) 1973 } else { 1974 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) 1975 } 1976 copy(out, finished.verifyData) 1977 if c.config.Bugs.BadFinished { 1978 finished.verifyData[0]++ 1979 } 1980 c.clientVerify = append(c.clientVerify[:0], finished.verifyData...) 1981 hs.finishedBytes = finished.marshal() 1982 hs.writeHash(hs.finishedBytes, seqno) 1983 if c.config.Bugs.PartialClientFinishedWithClientHello { 1984 // The first byte has already been written. 1985 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes[1:]) 1986 } else { 1987 postCCSMsgs = append(postCCSMsgs, hs.finishedBytes) 1988 } 1989 1990 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 1991 c.writeRecord(recordTypeHandshake, postCCSMsgs[0][:5]) 1992 postCCSMsgs[0] = postCCSMsgs[0][5:] 1993 } else if c.config.Bugs.SendUnencryptedFinished { 1994 c.writeRecord(recordTypeHandshake, postCCSMsgs[0]) 1995 postCCSMsgs = postCCSMsgs[1:] 1996 } 1997 1998 if !c.config.Bugs.SkipChangeCipherSpec && 1999 c.config.Bugs.EarlyChangeCipherSpec == 0 { 2000 ccs := []byte{1} 2001 if c.config.Bugs.BadChangeCipherSpec != nil { 2002 ccs = c.config.Bugs.BadChangeCipherSpec 2003 } 2004 c.writeRecord(recordTypeChangeCipherSpec, ccs) 2005 } 2006 2007 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 2008 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 2009 } 2010 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 2011 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 2012 return errors.New("tls: simulating post-CCS alert") 2013 } 2014 2015 if !c.config.Bugs.SkipFinished { 2016 for _, msg := range postCCSMsgs { 2017 c.writeRecord(recordTypeHandshake, msg) 2018 } 2019 2020 if c.config.Bugs.SendExtraFinished { 2021 c.writeRecord(recordTypeHandshake, finished.marshal()) 2022 } 2023 } 2024 2025 if !isResume || !c.config.Bugs.PackAppDataWithHandshake { 2026 c.flushHandshake() 2027 } 2028 return nil 2029} 2030 2031func (hs *clientHandshakeState) writeChannelIDMessage(channelIDHash []byte) ([]byte, error) { 2032 c := hs.c 2033 channelIDMsg := new(channelIDMsg) 2034 if c.config.ChannelID.Curve != elliptic.P256() { 2035 return nil, fmt.Errorf("tls: Channel ID is not on P-256.") 2036 } 2037 r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, channelIDHash) 2038 if err != nil { 2039 return nil, err 2040 } 2041 channelID := make([]byte, 128) 2042 writeIntPadded(channelID[0:32], c.config.ChannelID.X) 2043 writeIntPadded(channelID[32:64], c.config.ChannelID.Y) 2044 writeIntPadded(channelID[64:96], r) 2045 writeIntPadded(channelID[96:128], s) 2046 if c.config.Bugs.InvalidChannelIDSignature { 2047 channelID[64] ^= 1 2048 } 2049 channelIDMsg.channelID = channelID 2050 2051 c.channelID = &c.config.ChannelID.PublicKey 2052 2053 return channelIDMsg.marshal(), nil 2054} 2055 2056func (hs *clientHandshakeState) writeClientHash(msg []byte) { 2057 // writeClientHash is called before writeRecord. 2058 hs.writeHash(msg, hs.c.sendHandshakeSeq) 2059} 2060 2061func (hs *clientHandshakeState) writeServerHash(msg []byte) { 2062 // writeServerHash is called after readHandshake. 2063 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 2064} 2065 2066func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) { 2067 if hs.c.isDTLS { 2068 // This is somewhat hacky. DTLS hashes a slightly different format. 2069 // First, the TLS header. 2070 hs.finishedHash.Write(msg[:4]) 2071 // Then the sequence number and reassembled fragment offset (always 0). 2072 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 2073 // Then the reassembled fragment (always equal to the message length). 2074 hs.finishedHash.Write(msg[1:4]) 2075 // And then the message body. 2076 hs.finishedHash.Write(msg[4:]) 2077 } else { 2078 hs.finishedHash.Write(msg) 2079 } 2080} 2081 2082// selectClientCertificate selects a certificate for use with the given 2083// certificate, or none if none match. It may return a particular certificate or 2084// nil on success, or an error on internal error. 2085func selectClientCertificate(c *Conn, certReq *certificateRequestMsg) (*Certificate, error) { 2086 if len(c.config.Certificates) == 0 { 2087 return nil, nil 2088 } 2089 2090 // The test is assumed to have configured the certificate it meant to 2091 // send. 2092 if len(c.config.Certificates) > 1 { 2093 return nil, errors.New("tls: multiple certificates configured") 2094 } 2095 2096 return &c.config.Certificates[0], nil 2097} 2098 2099// clientSessionCacheKey returns a key used to cache sessionTickets that could 2100// be used to resume previously negotiated TLS sessions with a server. 2101func clientSessionCacheKey(serverAddr net.Addr, config *Config) string { 2102 if len(config.ServerName) > 0 { 2103 return config.ServerName 2104 } 2105 return serverAddr.String() 2106} 2107 2108// mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol 2109// given list of possible protocols and a list of the preference order. The 2110// first list must not be empty. It returns the resulting protocol and flag 2111// indicating if the fallback case was reached. 2112func mutualProtocol(protos, preferenceProtos []string) (string, bool) { 2113 for _, s := range preferenceProtos { 2114 for _, c := range protos { 2115 if s == c { 2116 return s, false 2117 } 2118 } 2119 } 2120 2121 return protos[0], true 2122} 2123 2124// writeIntPadded writes x into b, padded up with leading zeros as 2125// needed. 2126func writeIntPadded(b []byte, x *big.Int) { 2127 for i := range b { 2128 b[i] = 0 2129 } 2130 xb := x.Bytes() 2131 copy(b[len(b)-len(xb):], xb) 2132} 2133 2134func generatePSKBinders(version uint16, hello *clientHelloMsg, pskCipherSuite *cipherSuite, psk, firstClientHello, helloRetryRequest []byte, config *Config) { 2135 maybeCorruptBinder := !config.Bugs.OnlyCorruptSecondPSKBinder || len(firstClientHello) > 0 2136 binderLen := pskCipherSuite.hash().Size() 2137 numBinders := 1 2138 if maybeCorruptBinder { 2139 if config.Bugs.SendNoPSKBinder { 2140 // The binders may have been set from the previous 2141 // ClientHello. 2142 hello.pskBinders = nil 2143 return 2144 } 2145 2146 if config.Bugs.SendShortPSKBinder { 2147 binderLen-- 2148 } 2149 2150 if config.Bugs.SendExtraPSKBinder { 2151 numBinders++ 2152 } 2153 } 2154 2155 // Fill hello.pskBinders with appropriate length arrays of zeros so the 2156 // length prefixes are correct when computing the binder over the truncated 2157 // ClientHello message. 2158 hello.pskBinders = make([][]byte, numBinders) 2159 for i := range hello.pskBinders { 2160 hello.pskBinders[i] = make([]byte, binderLen) 2161 } 2162 2163 helloBytes := hello.marshal() 2164 binderSize := len(hello.pskBinders)*(binderLen+1) + 2 2165 truncatedHello := helloBytes[:len(helloBytes)-binderSize] 2166 binder := computePSKBinder(psk, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2167 if maybeCorruptBinder { 2168 if config.Bugs.SendShortPSKBinder { 2169 binder = binder[:binderLen] 2170 } 2171 if config.Bugs.SendInvalidPSKBinder { 2172 binder[0] ^= 1 2173 } 2174 } 2175 2176 for i := range hello.pskBinders { 2177 hello.pskBinders[i] = binder 2178 } 2179 2180 hello.raw = nil 2181} 2182