1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package runner 6 7 import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/elliptic" 12 "crypto/rsa" 13 "crypto/subtle" 14 "crypto/x509" 15 "errors" 16 "fmt" 17 "io" 18 "math/big" 19 "time" 20 21 "./ed25519" 22 ) 23 24 // serverHandshakeState contains details of a server handshake in progress. 25 // It's discarded once the handshake has completed. 26 type serverHandshakeState struct { 27 c *Conn 28 clientHello *clientHelloMsg 29 hello *serverHelloMsg 30 suite *cipherSuite 31 ellipticOk bool 32 ecdsaOk bool 33 sessionState *sessionState 34 finishedHash finishedHash 35 masterSecret []byte 36 certsFromClient [][]byte 37 cert *Certificate 38 finishedBytes []byte 39 } 40 41 // serverHandshake performs a TLS handshake as a server. 42 func (c *Conn) serverHandshake() error { 43 config := c.config 44 45 // If this is the first server handshake, we generate a random key to 46 // encrypt the tickets with. 47 config.serverInitOnce.Do(config.serverInit) 48 49 c.sendHandshakeSeq = 0 50 c.recvHandshakeSeq = 0 51 52 hs := serverHandshakeState{ 53 c: c, 54 } 55 if err := hs.readClientHello(); err != nil { 56 return err 57 } 58 59 if c.vers >= VersionTLS13 { 60 if err := hs.doTLS13Handshake(); err != nil { 61 return err 62 } 63 } else { 64 isResume, err := hs.processClientHello() 65 if err != nil { 66 return err 67 } 68 69 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 70 if isResume { 71 // The client has included a session ticket and so we do an abbreviated handshake. 72 if err := hs.doResumeHandshake(); err != nil { 73 return err 74 } 75 if err := hs.establishKeys(); err != nil { 76 return err 77 } 78 if c.config.Bugs.RenewTicketOnResume { 79 if err := hs.sendSessionTicket(); err != nil { 80 return err 81 } 82 } 83 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 84 return err 85 } 86 // Most retransmits are triggered by a timeout, but the final 87 // leg of the handshake is retransmited upon re-receiving a 88 // Finished. 89 if err := c.simulatePacketLoss(func() { 90 c.sendHandshakeSeq-- 91 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 92 c.flushHandshake() 93 }); err != nil { 94 return err 95 } 96 if err := hs.readFinished(nil, isResume); err != nil { 97 return err 98 } 99 c.didResume = true 100 } else { 101 // The client didn't include a session ticket, or it wasn't 102 // valid so we do a full handshake. 103 if err := hs.doFullHandshake(); err != nil { 104 return err 105 } 106 if err := hs.establishKeys(); err != nil { 107 return err 108 } 109 if err := hs.readFinished(c.firstFinished[:], isResume); err != nil { 110 return err 111 } 112 if c.config.Bugs.AlertBeforeFalseStartTest != 0 { 113 c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest) 114 } 115 if c.config.Bugs.ExpectFalseStart { 116 if err := c.readRecord(recordTypeApplicationData); err != nil { 117 return fmt.Errorf("tls: peer did not false start: %s", err) 118 } 119 } 120 if err := hs.sendSessionTicket(); err != nil { 121 return err 122 } 123 if err := hs.sendFinished(nil, isResume); err != nil { 124 return err 125 } 126 } 127 128 c.exporterSecret = hs.masterSecret 129 } 130 c.handshakeComplete = true 131 copy(c.clientRandom[:], hs.clientHello.random) 132 copy(c.serverRandom[:], hs.hello.random) 133 134 return nil 135 } 136 137 // readClientHello reads a ClientHello message from the client and determines 138 // the protocol version. 139 func (hs *serverHandshakeState) readClientHello() error { 140 config := hs.c.config 141 c := hs.c 142 143 if err := c.simulatePacketLoss(nil); err != nil { 144 return err 145 } 146 msg, err := c.readHandshake() 147 if err != nil { 148 return err 149 } 150 var ok bool 151 hs.clientHello, ok = msg.(*clientHelloMsg) 152 if !ok { 153 c.sendAlert(alertUnexpectedMessage) 154 return unexpectedMessageError(hs.clientHello, msg) 155 } 156 if size := config.Bugs.RequireClientHelloSize; size != 0 && len(hs.clientHello.raw) != size { 157 return fmt.Errorf("tls: ClientHello record size is %d, but expected %d", len(hs.clientHello.raw), size) 158 } 159 160 if c.isDTLS && !config.Bugs.SkipHelloVerifyRequest { 161 // Per RFC 6347, the version field in HelloVerifyRequest SHOULD 162 // be always DTLS 1.0 163 helloVerifyRequest := &helloVerifyRequestMsg{ 164 vers: VersionDTLS10, 165 cookie: make([]byte, 32), 166 } 167 if _, err := io.ReadFull(c.config.rand(), helloVerifyRequest.cookie); err != nil { 168 c.sendAlert(alertInternalError) 169 return errors.New("dtls: short read from Rand: " + err.Error()) 170 } 171 c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal()) 172 c.flushHandshake() 173 174 if err := c.simulatePacketLoss(nil); err != nil { 175 return err 176 } 177 msg, err := c.readHandshake() 178 if err != nil { 179 return err 180 } 181 newClientHello, ok := msg.(*clientHelloMsg) 182 if !ok { 183 c.sendAlert(alertUnexpectedMessage) 184 return unexpectedMessageError(hs.clientHello, msg) 185 } 186 if !bytes.Equal(newClientHello.cookie, helloVerifyRequest.cookie) { 187 return errors.New("dtls: invalid cookie") 188 } 189 190 // Apart from the cookie, the two ClientHellos must 191 // match. Note that clientHello.equal compares the 192 // serialization, so we make a copy. 193 oldClientHelloCopy := *hs.clientHello 194 oldClientHelloCopy.raw = nil 195 oldClientHelloCopy.cookie = nil 196 newClientHelloCopy := *newClientHello 197 newClientHelloCopy.raw = nil 198 newClientHelloCopy.cookie = nil 199 if !oldClientHelloCopy.equal(&newClientHelloCopy) { 200 return errors.New("dtls: retransmitted ClientHello does not match") 201 } 202 hs.clientHello = newClientHello 203 } 204 205 if config.Bugs.RequireSameRenegoClientVersion && c.clientVersion != 0 { 206 if c.clientVersion != hs.clientHello.vers { 207 return fmt.Errorf("tls: client offered different version on renego") 208 } 209 } 210 211 c.clientVersion = hs.clientHello.vers 212 213 // Use the versions extension if supplied, otherwise use the legacy ClientHello version. 214 if len(hs.clientHello.supportedVersions) == 0 { 215 if c.isDTLS { 216 if hs.clientHello.vers <= VersionDTLS12 { 217 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS12) 218 } 219 if hs.clientHello.vers <= VersionDTLS10 { 220 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS10) 221 } 222 } else { 223 if hs.clientHello.vers >= VersionTLS12 { 224 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS12) 225 } 226 if hs.clientHello.vers >= VersionTLS11 { 227 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS11) 228 } 229 if hs.clientHello.vers >= VersionTLS10 { 230 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS10) 231 } 232 if hs.clientHello.vers >= VersionSSL30 { 233 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionSSL30) 234 } 235 } 236 } else if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.supportedVersions) { 237 return errors.New("tls: no GREASE version value found") 238 } 239 240 if !c.haveVers { 241 if config.Bugs.NegotiateVersion != 0 { 242 c.wireVersion = config.Bugs.NegotiateVersion 243 } else { 244 var found bool 245 for _, vers := range hs.clientHello.supportedVersions { 246 if _, ok := config.isSupportedVersion(vers, c.isDTLS); ok { 247 c.wireVersion = vers 248 found = true 249 break 250 } 251 } 252 if !found { 253 c.sendAlert(alertProtocolVersion) 254 return errors.New("tls: client did not offer any supported protocol versions") 255 } 256 } 257 } else if config.Bugs.NegotiateVersionOnRenego != 0 { 258 c.wireVersion = config.Bugs.NegotiateVersionOnRenego 259 } 260 261 c.vers, ok = wireToVersion(c.wireVersion, c.isDTLS) 262 if !ok { 263 panic("Could not map wire version") 264 } 265 c.haveVers = true 266 267 clientProtocol, ok := wireToVersion(c.clientVersion, c.isDTLS) 268 269 // Reject < 1.2 ClientHellos with signature_algorithms. 270 if ok && clientProtocol < VersionTLS12 && len(hs.clientHello.signatureAlgorithms) > 0 { 271 return fmt.Errorf("tls: client included signature_algorithms before TLS 1.2") 272 } 273 274 // Check the client cipher list is consistent with the version. 275 if ok && clientProtocol < VersionTLS12 { 276 for _, id := range hs.clientHello.cipherSuites { 277 if isTLS12Cipher(id) { 278 return fmt.Errorf("tls: client offered TLS 1.2 cipher before TLS 1.2") 279 } 280 } 281 } 282 283 if config.Bugs.ExpectNoTLS12Session { 284 if len(hs.clientHello.sessionId) > 0 && c.vers >= VersionTLS13 { 285 return fmt.Errorf("tls: client offered an unexpected session ID") 286 } 287 if len(hs.clientHello.sessionTicket) > 0 { 288 return fmt.Errorf("tls: client offered an unexpected session ticket") 289 } 290 } 291 292 if config.Bugs.ExpectNoTLS13PSK && len(hs.clientHello.pskIdentities) > 0 { 293 return fmt.Errorf("tls: client offered unexpected PSK identities") 294 } 295 296 var scsvFound bool 297 for _, cipherSuite := range hs.clientHello.cipherSuites { 298 if cipherSuite == fallbackSCSV { 299 scsvFound = true 300 break 301 } 302 } 303 304 if !scsvFound && config.Bugs.FailIfNotFallbackSCSV { 305 return errors.New("tls: no fallback SCSV found when expected") 306 } else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV { 307 return errors.New("tls: fallback SCSV found when not expected") 308 } 309 310 if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.cipherSuites) { 311 return errors.New("tls: no GREASE cipher suite value found") 312 } 313 314 var greaseFound bool 315 for _, curve := range hs.clientHello.supportedCurves { 316 if isGREASEValue(uint16(curve)) { 317 greaseFound = true 318 break 319 } 320 } 321 322 if !greaseFound && config.Bugs.ExpectGREASE { 323 return errors.New("tls: no GREASE curve value found") 324 } 325 326 if len(hs.clientHello.keyShares) > 0 { 327 greaseFound = false 328 for _, keyShare := range hs.clientHello.keyShares { 329 if isGREASEValue(uint16(keyShare.group)) { 330 greaseFound = true 331 break 332 } 333 } 334 335 if !greaseFound && config.Bugs.ExpectGREASE { 336 return errors.New("tls: no GREASE curve value found") 337 } 338 } 339 340 if expected := hs.clientHello.dummyPQPaddingLen; expected != config.Bugs.ExpectDummyPQPaddingLength { 341 return fmt.Errorf("tls: expected dummy PQ padding extension of length %d, but got one of length %d", expected, config.Bugs.ExpectDummyPQPaddingLength) 342 } 343 344 applyBugsToClientHello(hs.clientHello, config) 345 346 return nil 347 } 348 349 func applyBugsToClientHello(clientHello *clientHelloMsg, config *Config) { 350 if config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 351 clientHello.signatureAlgorithms = config.signSignatureAlgorithms() 352 } 353 if config.Bugs.IgnorePeerCurvePreferences { 354 clientHello.supportedCurves = config.curvePreferences() 355 } 356 if config.Bugs.IgnorePeerCipherPreferences { 357 clientHello.cipherSuites = config.cipherSuites() 358 } 359 } 360 361 func (hs *serverHandshakeState) doTLS13Handshake() error { 362 c := hs.c 363 config := c.config 364 365 // We've read the ClientHello, so the next record must be preceded with ChangeCipherSpec. 366 c.expectTLS13ChangeCipherSpec = true 367 368 hs.hello = &serverHelloMsg{ 369 isDTLS: c.isDTLS, 370 vers: c.wireVersion, 371 sessionId: hs.clientHello.sessionId, 372 compressionMethod: config.Bugs.SendCompressionMethod, 373 versOverride: config.Bugs.SendServerHelloVersion, 374 supportedVersOverride: config.Bugs.SendServerSupportedExtensionVersion, 375 customExtension: config.Bugs.CustomUnencryptedExtension, 376 unencryptedALPN: config.Bugs.SendUnencryptedALPN, 377 } 378 379 hs.hello.random = make([]byte, 32) 380 if _, err := io.ReadFull(config.rand(), hs.hello.random); err != nil { 381 c.sendAlert(alertInternalError) 382 return err 383 } 384 385 // TLS 1.3 forbids clients from advertising any non-null compression. 386 if len(hs.clientHello.compressionMethods) != 1 || hs.clientHello.compressionMethods[0] != compressionNone { 387 return errors.New("tls: client sent compression method other than null for TLS 1.3") 388 } 389 390 // Prepare an EncryptedExtensions message, but do not send it yet. 391 encryptedExtensions := new(encryptedExtensionsMsg) 392 encryptedExtensions.empty = config.Bugs.EmptyEncryptedExtensions 393 if err := hs.processClientExtensions(&encryptedExtensions.extensions); err != nil { 394 return err 395 } 396 397 // Select the cipher suite. 398 var preferenceList, supportedList []uint16 399 if config.PreferServerCipherSuites { 400 preferenceList = config.cipherSuites() 401 supportedList = hs.clientHello.cipherSuites 402 } else { 403 preferenceList = hs.clientHello.cipherSuites 404 supportedList = config.cipherSuites() 405 } 406 407 for _, id := range preferenceList { 408 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, true, true); hs.suite != nil { 409 break 410 } 411 } 412 413 if hs.suite == nil { 414 c.sendAlert(alertHandshakeFailure) 415 return errors.New("tls: no cipher suite supported by both client and server") 416 } 417 418 hs.hello.cipherSuite = hs.suite.id 419 if c.config.Bugs.SendCipherSuite != 0 { 420 hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite 421 } 422 423 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 424 hs.finishedHash.discardHandshakeBuffer() 425 hs.writeClientHash(hs.clientHello.marshal()) 426 427 supportedCurve := false 428 var selectedCurve CurveID 429 preferredCurves := config.curvePreferences() 430 Curves: 431 for _, curve := range hs.clientHello.supportedCurves { 432 for _, supported := range preferredCurves { 433 if supported == curve { 434 supportedCurve = true 435 selectedCurve = curve 436 break Curves 437 } 438 } 439 } 440 441 if !supportedCurve { 442 c.sendAlert(alertHandshakeFailure) 443 return errors.New("tls: no curve supported by both client and server") 444 } 445 446 pskIdentities := hs.clientHello.pskIdentities 447 pskKEModes := hs.clientHello.pskKEModes 448 449 if len(pskIdentities) == 0 && len(hs.clientHello.sessionTicket) > 0 && c.config.Bugs.AcceptAnySession { 450 psk := pskIdentity{ 451 ticket: hs.clientHello.sessionTicket, 452 } 453 pskIdentities = []pskIdentity{psk} 454 pskKEModes = []byte{pskDHEKEMode} 455 } 456 457 var pskIndex int 458 foundKEMode := bytes.IndexByte(pskKEModes, pskDHEKEMode) >= 0 459 if foundKEMode && !config.SessionTicketsDisabled { 460 for i, pskIdentity := range pskIdentities { 461 // TODO(svaldez): Check the obfuscatedTicketAge before accepting 0-RTT. 462 sessionState, ok := c.decryptTicket(pskIdentity.ticket) 463 if !ok { 464 continue 465 } 466 467 if !config.Bugs.AcceptAnySession { 468 if sessionState.vers != c.vers { 469 continue 470 } 471 if sessionState.ticketExpiration.Before(c.config.time()) { 472 continue 473 } 474 sessionCipher := cipherSuiteFromID(sessionState.cipherSuite) 475 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 476 continue 477 } 478 } 479 480 clientTicketAge := time.Duration(uint32(pskIdentity.obfuscatedTicketAge-sessionState.ticketAgeAdd)) * time.Millisecond 481 if config.Bugs.ExpectTicketAge != 0 && clientTicketAge != config.Bugs.ExpectTicketAge { 482 c.sendAlert(alertHandshakeFailure) 483 return errors.New("tls: invalid ticket age") 484 } 485 486 hs.sessionState = sessionState 487 hs.hello.hasPSKIdentity = true 488 hs.hello.pskIdentity = uint16(i) 489 pskIndex = i 490 if config.Bugs.SelectPSKIdentityOnResume != 0 { 491 hs.hello.pskIdentity = config.Bugs.SelectPSKIdentityOnResume 492 } 493 c.didResume = true 494 break 495 } 496 } 497 498 if config.Bugs.AlwaysSelectPSKIdentity { 499 hs.hello.hasPSKIdentity = true 500 hs.hello.pskIdentity = 0 501 } 502 503 // Verify the PSK binder. Note there may not be a PSK binder if 504 // AcceptAnyBinder is set. See https://crbug.com/boringssl/115. 505 if hs.sessionState != nil && !config.Bugs.AcceptAnySession { 506 binderToVerify := hs.clientHello.pskBinders[pskIndex] 507 if err := verifyPSKBinder(c.wireVersion, hs.clientHello, hs.sessionState, binderToVerify, []byte{}, []byte{}); err != nil { 508 return err 509 } 510 } 511 512 // Resolve PSK and compute the early secret. 513 if hs.sessionState != nil { 514 hs.finishedHash.addEntropy(hs.sessionState.masterSecret) 515 } else { 516 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 517 } 518 519 hs.hello.hasKeyShare = true 520 if hs.sessionState != nil && config.Bugs.NegotiatePSKResumption { 521 hs.hello.hasKeyShare = false 522 } 523 if config.Bugs.MissingKeyShare { 524 hs.hello.hasKeyShare = false 525 } 526 527 firstHelloRetryRequest := true 528 529 ResendHelloRetryRequest: 530 var sendHelloRetryRequest bool 531 cipherSuite := hs.suite.id 532 if config.Bugs.SendHelloRetryRequestCipherSuite != 0 { 533 cipherSuite = config.Bugs.SendHelloRetryRequestCipherSuite 534 } 535 helloRetryRequest := &helloRetryRequestMsg{ 536 vers: c.wireVersion, 537 sessionId: hs.clientHello.sessionId, 538 cipherSuite: cipherSuite, 539 compressionMethod: config.Bugs.SendCompressionMethod, 540 duplicateExtensions: config.Bugs.DuplicateHelloRetryRequestExtensions, 541 } 542 543 if config.Bugs.AlwaysSendHelloRetryRequest { 544 sendHelloRetryRequest = true 545 } 546 547 if config.Bugs.SendHelloRetryRequestCookie != nil { 548 sendHelloRetryRequest = true 549 helloRetryRequest.cookie = config.Bugs.SendHelloRetryRequestCookie 550 } 551 552 if len(config.Bugs.CustomHelloRetryRequestExtension) > 0 { 553 sendHelloRetryRequest = true 554 helloRetryRequest.customExtension = config.Bugs.CustomHelloRetryRequestExtension 555 } 556 557 var selectedKeyShare *keyShareEntry 558 if hs.hello.hasKeyShare { 559 // Look for the key share corresponding to our selected curve. 560 for i := range hs.clientHello.keyShares { 561 if hs.clientHello.keyShares[i].group == selectedCurve { 562 selectedKeyShare = &hs.clientHello.keyShares[i] 563 break 564 } 565 } 566 567 if config.Bugs.ExpectMissingKeyShare && selectedKeyShare != nil { 568 return errors.New("tls: expected missing key share") 569 } 570 571 if selectedKeyShare == nil { 572 helloRetryRequest.hasSelectedGroup = true 573 helloRetryRequest.selectedGroup = selectedCurve 574 sendHelloRetryRequest = true 575 } 576 } 577 578 if config.Bugs.SendHelloRetryRequestCurve != 0 { 579 helloRetryRequest.hasSelectedGroup = true 580 helloRetryRequest.selectedGroup = config.Bugs.SendHelloRetryRequestCurve 581 sendHelloRetryRequest = true 582 } 583 584 if config.Bugs.SkipHelloRetryRequest { 585 sendHelloRetryRequest = false 586 } 587 588 if sendHelloRetryRequest { 589 if err := hs.finishedHash.UpdateForHelloRetryRequest(); err != nil { 590 return err 591 } 592 593 oldClientHelloBytes := hs.clientHello.marshal() 594 hs.writeServerHash(helloRetryRequest.marshal()) 595 c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()) 596 c.flushHandshake() 597 598 if !c.config.Bugs.SkipChangeCipherSpec { 599 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 600 } 601 602 if hs.clientHello.hasEarlyData { 603 c.skipEarlyData = true 604 } 605 606 // Read new ClientHello. 607 newMsg, err := c.readHandshake() 608 if err != nil { 609 return err 610 } 611 newClientHello, ok := newMsg.(*clientHelloMsg) 612 if !ok { 613 c.sendAlert(alertUnexpectedMessage) 614 return unexpectedMessageError(newClientHello, newMsg) 615 } 616 hs.writeClientHash(newClientHello.marshal()) 617 618 if config.Bugs.ExpectNoTLS13PSKAfterHRR && len(newClientHello.pskIdentities) > 0 { 619 return fmt.Errorf("tls: client offered unexpected PSK identities after HelloRetryRequest") 620 } 621 622 if newClientHello.hasEarlyData { 623 return errors.New("tls: EarlyData sent in new ClientHello") 624 } 625 626 applyBugsToClientHello(newClientHello, config) 627 628 // Check that the new ClientHello matches the old ClientHello, 629 // except for relevant modifications. 630 // 631 // TODO(davidben): Make this check more precise. 632 oldClientHelloCopy := *hs.clientHello 633 oldClientHelloCopy.raw = nil 634 oldClientHelloCopy.hasEarlyData = false 635 newClientHelloCopy := *newClientHello 636 newClientHelloCopy.raw = nil 637 638 if helloRetryRequest.hasSelectedGroup { 639 newKeyShares := newClientHelloCopy.keyShares 640 if len(newKeyShares) != 1 || newKeyShares[0].group != helloRetryRequest.selectedGroup { 641 return errors.New("tls: KeyShare from HelloRetryRequest not in new ClientHello") 642 } 643 selectedKeyShare = &newKeyShares[0] 644 newClientHelloCopy.keyShares = oldClientHelloCopy.keyShares 645 } 646 647 if len(helloRetryRequest.cookie) > 0 { 648 if !bytes.Equal(newClientHelloCopy.tls13Cookie, helloRetryRequest.cookie) { 649 return errors.New("tls: cookie from HelloRetryRequest not present in new ClientHello") 650 } 651 newClientHelloCopy.tls13Cookie = nil 652 } 653 654 // PSK binders and obfuscated ticket age are both updated in the 655 // second ClientHello. 656 if len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) { 657 newClientHelloCopy.pskIdentities = oldClientHelloCopy.pskIdentities 658 } else { 659 if len(oldClientHelloCopy.pskIdentities) != len(newClientHelloCopy.pskIdentities) { 660 return errors.New("tls: PSK identity count from old and new ClientHello do not match") 661 } 662 for i, identity := range oldClientHelloCopy.pskIdentities { 663 newClientHelloCopy.pskIdentities[i].obfuscatedTicketAge = identity.obfuscatedTicketAge 664 } 665 } 666 newClientHelloCopy.pskBinders = oldClientHelloCopy.pskBinders 667 newClientHelloCopy.hasEarlyData = oldClientHelloCopy.hasEarlyData 668 669 if !oldClientHelloCopy.equal(&newClientHelloCopy) { 670 return errors.New("tls: new ClientHello does not match") 671 } 672 673 if firstHelloRetryRequest && config.Bugs.SecondHelloRetryRequest { 674 firstHelloRetryRequest = false 675 goto ResendHelloRetryRequest 676 } 677 678 // Verify the PSK binder. Note there may not be a PSK binder if 679 // AcceptAnyBinder is set. See https://crbug.com/115. 680 if hs.sessionState != nil && !config.Bugs.AcceptAnySession { 681 binderToVerify := newClientHello.pskBinders[pskIndex] 682 if err := verifyPSKBinder(c.wireVersion, newClientHello, hs.sessionState, binderToVerify, oldClientHelloBytes, helloRetryRequest.marshal()); err != nil { 683 return err 684 } 685 } 686 } 687 688 // Decide whether or not to accept early data. 689 if !sendHelloRetryRequest && hs.clientHello.hasEarlyData { 690 if !config.Bugs.AlwaysRejectEarlyData && hs.sessionState != nil { 691 if c.clientProtocol == string(hs.sessionState.earlyALPN) || config.Bugs.AlwaysAcceptEarlyData { 692 encryptedExtensions.extensions.hasEarlyData = true 693 } 694 } 695 if encryptedExtensions.extensions.hasEarlyData { 696 earlyTrafficSecret := hs.finishedHash.deriveSecret(earlyTrafficLabel) 697 c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabel) 698 699 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, earlyTrafficSecret); err != nil { 700 return err 701 } 702 703 c.earlyCipherSuite = hs.suite 704 expectEarlyData := config.Bugs.ExpectEarlyData 705 if n := config.Bugs.ExpectEarlyKeyingMaterial; n > 0 { 706 exporter, err := c.ExportEarlyKeyingMaterial(n, []byte(config.Bugs.ExpectEarlyKeyingLabel), []byte(config.Bugs.ExpectEarlyKeyingContext)) 707 if err != nil { 708 return err 709 } 710 expectEarlyData = append([][]byte{exporter}, expectEarlyData...) 711 } 712 713 for _, expectedMsg := range expectEarlyData { 714 if err := c.readRecord(recordTypeApplicationData); err != nil { 715 return err 716 } 717 msg := c.input.data[c.input.off:] 718 if !bytes.Equal(msg, expectedMsg) { 719 return fmt.Errorf("tls: got early data record %x, wanted %x", msg, expectedMsg) 720 } 721 c.in.freeBlock(c.input) 722 c.input = nil 723 } 724 } else { 725 c.skipEarlyData = true 726 } 727 } 728 729 if config.Bugs.SendEarlyDataExtension { 730 encryptedExtensions.extensions.hasEarlyData = true 731 } 732 733 // Resolve ECDHE and compute the handshake secret. 734 if hs.hello.hasKeyShare { 735 // Once a curve has been selected and a key share identified, 736 // the server needs to generate a public value and send it in 737 // the ServerHello. 738 curve, ok := curveForCurveID(selectedCurve) 739 if !ok { 740 panic("tls: server failed to look up curve ID") 741 } 742 c.curveID = selectedCurve 743 744 var peerKey []byte 745 if config.Bugs.SkipHelloRetryRequest { 746 // If skipping HelloRetryRequest, use a random key to 747 // avoid crashing. 748 curve2, _ := curveForCurveID(selectedCurve) 749 var err error 750 peerKey, err = curve2.offer(config.rand()) 751 if err != nil { 752 return err 753 } 754 } else { 755 peerKey = selectedKeyShare.keyExchange 756 } 757 758 publicKey, ecdheSecret, err := curve.accept(config.rand(), peerKey) 759 if err != nil { 760 c.sendAlert(alertHandshakeFailure) 761 return err 762 } 763 hs.finishedHash.nextSecret() 764 hs.finishedHash.addEntropy(ecdheSecret) 765 hs.hello.hasKeyShare = true 766 767 curveID := selectedCurve 768 if c.config.Bugs.SendCurve != 0 { 769 curveID = config.Bugs.SendCurve 770 } 771 if c.config.Bugs.InvalidECDHPoint { 772 publicKey[0] ^= 0xff 773 } 774 775 hs.hello.keyShare = keyShareEntry{ 776 group: curveID, 777 keyExchange: publicKey, 778 } 779 780 if config.Bugs.EncryptedExtensionsWithKeyShare { 781 encryptedExtensions.extensions.hasKeyShare = true 782 encryptedExtensions.extensions.keyShare = keyShareEntry{ 783 group: curveID, 784 keyExchange: publicKey, 785 } 786 } 787 } else { 788 hs.finishedHash.nextSecret() 789 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 790 } 791 792 // Send unencrypted ServerHello. 793 hs.writeServerHash(hs.hello.marshal()) 794 if config.Bugs.PartialEncryptedExtensionsWithServerHello { 795 helloBytes := hs.hello.marshal() 796 toWrite := make([]byte, 0, len(helloBytes)+1) 797 toWrite = append(toWrite, helloBytes...) 798 toWrite = append(toWrite, typeEncryptedExtensions) 799 c.writeRecord(recordTypeHandshake, toWrite) 800 } else { 801 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 802 } 803 c.flushHandshake() 804 805 if !c.config.Bugs.SkipChangeCipherSpec && !sendHelloRetryRequest { 806 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 807 } 808 809 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 810 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 811 } 812 813 // Switch to handshake traffic keys. 814 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 815 c.useOutTrafficSecret(c.wireVersion, hs.suite, serverHandshakeTrafficSecret) 816 // Derive handshake traffic read key, but don't switch yet. 817 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 818 819 // Send EncryptedExtensions. 820 hs.writeServerHash(encryptedExtensions.marshal()) 821 if config.Bugs.PartialEncryptedExtensionsWithServerHello { 822 // The first byte has already been sent. 823 c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()[1:]) 824 } else { 825 c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()) 826 } 827 828 if hs.sessionState == nil { 829 if config.ClientAuth >= RequestClientCert { 830 // Request a client certificate 831 certReq := &certificateRequestMsg{ 832 vers: c.wireVersion, 833 hasSignatureAlgorithm: !config.Bugs.OmitCertificateRequestAlgorithms, 834 hasRequestContext: true, 835 requestContext: config.Bugs.SendRequestContext, 836 customExtension: config.Bugs.SendCustomCertificateRequest, 837 } 838 if !config.Bugs.NoSignatureAlgorithms { 839 certReq.signatureAlgorithms = config.verifySignatureAlgorithms() 840 } 841 842 // An empty list of certificateAuthorities signals to 843 // the client that it may send any certificate in response 844 // to our request. When we know the CAs we trust, then 845 // we can send them down, so that the client can choose 846 // an appropriate certificate to give to us. 847 if config.ClientCAs != nil { 848 certReq.certificateAuthorities = config.ClientCAs.Subjects() 849 } 850 hs.writeServerHash(certReq.marshal()) 851 c.writeRecord(recordTypeHandshake, certReq.marshal()) 852 } 853 854 certMsg := &certificateMsg{ 855 hasRequestContext: true, 856 } 857 if !config.Bugs.EmptyCertificateList { 858 for i, certData := range hs.cert.Certificate { 859 cert := certificateEntry{ 860 data: certData, 861 } 862 if i == 0 { 863 if hs.clientHello.ocspStapling { 864 cert.ocspResponse = hs.cert.OCSPStaple 865 } 866 if hs.clientHello.sctListSupported { 867 cert.sctList = hs.cert.SignedCertificateTimestampList 868 } 869 cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions 870 cert.extraExtension = config.Bugs.SendExtensionOnCertificate 871 } else { 872 if config.Bugs.SendOCSPOnIntermediates != nil { 873 cert.ocspResponse = config.Bugs.SendOCSPOnIntermediates 874 } 875 if config.Bugs.SendSCTOnIntermediates != nil { 876 cert.sctList = config.Bugs.SendSCTOnIntermediates 877 } 878 } 879 certMsg.certificates = append(certMsg.certificates, cert) 880 } 881 } 882 certMsgBytes := certMsg.marshal() 883 hs.writeServerHash(certMsgBytes) 884 c.writeRecord(recordTypeHandshake, certMsgBytes) 885 886 certVerify := &certificateVerifyMsg{ 887 hasSignatureAlgorithm: true, 888 } 889 890 // Determine the hash to sign. 891 privKey := hs.cert.PrivateKey 892 893 var err error 894 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, config, hs.clientHello.signatureAlgorithms) 895 if err != nil { 896 c.sendAlert(alertInternalError) 897 return err 898 } 899 900 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 901 certVerify.signature, err = signMessage(c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 902 if err != nil { 903 c.sendAlert(alertInternalError) 904 return err 905 } 906 907 if config.Bugs.SendSignatureAlgorithm != 0 { 908 certVerify.signatureAlgorithm = config.Bugs.SendSignatureAlgorithm 909 } 910 911 if !config.Bugs.SkipCertificateVerify { 912 hs.writeServerHash(certVerify.marshal()) 913 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 914 } 915 } else if hs.sessionState != nil { 916 // Pick up certificates from the session instead. 917 if len(hs.sessionState.certificates) > 0 { 918 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 919 return err 920 } 921 } 922 } 923 924 finished := new(finishedMsg) 925 finished.verifyData = hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 926 if config.Bugs.BadFinished { 927 finished.verifyData[0]++ 928 } 929 hs.writeServerHash(finished.marshal()) 930 c.writeRecord(recordTypeHandshake, finished.marshal()) 931 if c.config.Bugs.SendExtraFinished { 932 c.writeRecord(recordTypeHandshake, finished.marshal()) 933 } 934 c.flushHandshake() 935 936 if encryptedExtensions.extensions.hasEarlyData && !c.skipEarlyData { 937 for _, expectedMsg := range config.Bugs.ExpectLateEarlyData { 938 if err := c.readRecord(recordTypeApplicationData); err != nil { 939 return err 940 } 941 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 942 return errors.New("ExpectLateEarlyData: did not get expected message") 943 } 944 c.in.freeBlock(c.input) 945 c.input = nil 946 } 947 } 948 949 // The various secrets do not incorporate the client's final leg, so 950 // derive them now before updating the handshake context. 951 hs.finishedHash.nextSecret() 952 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 953 954 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 955 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 956 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 957 958 // Switch to application data keys on write. In particular, any alerts 959 // from the client certificate are sent over these keys. 960 c.useOutTrafficSecret(c.wireVersion, hs.suite, serverTrafficSecret) 961 962 // Send 0.5-RTT messages. 963 for _, halfRTTMsg := range config.Bugs.SendHalfRTTData { 964 if _, err := c.writeRecord(recordTypeApplicationData, halfRTTMsg); err != nil { 965 return err 966 } 967 } 968 969 // Read end_of_early_data. 970 if encryptedExtensions.extensions.hasEarlyData { 971 msg, err := c.readHandshake() 972 if err != nil { 973 return err 974 } 975 976 endOfEarlyData, ok := msg.(*endOfEarlyDataMsg) 977 if !ok { 978 c.sendAlert(alertUnexpectedMessage) 979 return unexpectedMessageError(endOfEarlyData, msg) 980 } 981 hs.writeClientHash(endOfEarlyData.marshal()) 982 } 983 984 // Switch input stream to handshake traffic keys. 985 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, clientHandshakeTrafficSecret); err != nil { 986 return err 987 } 988 989 // If we requested a client certificate, then the client must send a 990 // certificate message, even if it's empty. 991 if config.ClientAuth >= RequestClientCert { 992 msg, err := c.readHandshake() 993 if err != nil { 994 return err 995 } 996 997 certMsg, ok := msg.(*certificateMsg) 998 if !ok { 999 c.sendAlert(alertUnexpectedMessage) 1000 return unexpectedMessageError(certMsg, msg) 1001 } 1002 hs.writeClientHash(certMsg.marshal()) 1003 1004 if len(certMsg.certificates) == 0 { 1005 // The client didn't actually send a certificate 1006 switch config.ClientAuth { 1007 case RequireAnyClientCert, RequireAndVerifyClientCert: 1008 c.sendAlert(alertCertificateRequired) 1009 return errors.New("tls: client didn't provide a certificate") 1010 } 1011 } 1012 1013 var certs [][]byte 1014 for _, cert := range certMsg.certificates { 1015 certs = append(certs, cert.data) 1016 // OCSP responses and SCT lists are not negotiated in 1017 // client certificates. 1018 if cert.ocspResponse != nil || cert.sctList != nil { 1019 c.sendAlert(alertUnsupportedExtension) 1020 return errors.New("tls: unexpected extensions in the client certificate") 1021 } 1022 } 1023 pub, err := hs.processCertsFromClient(certs) 1024 if err != nil { 1025 return err 1026 } 1027 1028 if len(c.peerCertificates) > 0 { 1029 msg, err = c.readHandshake() 1030 if err != nil { 1031 return err 1032 } 1033 1034 certVerify, ok := msg.(*certificateVerifyMsg) 1035 if !ok { 1036 c.sendAlert(alertUnexpectedMessage) 1037 return unexpectedMessageError(certVerify, msg) 1038 } 1039 1040 c.peerSignatureAlgorithm = certVerify.signatureAlgorithm 1041 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1042 if err := verifyMessage(c.vers, pub, config, certVerify.signatureAlgorithm, input, certVerify.signature); err != nil { 1043 c.sendAlert(alertBadCertificate) 1044 return err 1045 } 1046 hs.writeClientHash(certVerify.marshal()) 1047 } 1048 } 1049 1050 if encryptedExtensions.extensions.channelIDRequested { 1051 msg, err := c.readHandshake() 1052 if err != nil { 1053 return err 1054 } 1055 channelIDMsg, ok := msg.(*channelIDMsg) 1056 if !ok { 1057 c.sendAlert(alertUnexpectedMessage) 1058 return unexpectedMessageError(channelIDMsg, msg) 1059 } 1060 channelIDHash := crypto.SHA256.New() 1061 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1062 channelID, err := verifyChannelIDMessage(channelIDMsg, channelIDHash.Sum(nil)) 1063 if err != nil { 1064 return err 1065 } 1066 c.channelID = channelID 1067 1068 hs.writeClientHash(channelIDMsg.marshal()) 1069 } 1070 1071 // Read the client Finished message. 1072 msg, err := c.readHandshake() 1073 if err != nil { 1074 return err 1075 } 1076 clientFinished, ok := msg.(*finishedMsg) 1077 if !ok { 1078 c.sendAlert(alertUnexpectedMessage) 1079 return unexpectedMessageError(clientFinished, msg) 1080 } 1081 1082 verify := hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1083 if len(verify) != len(clientFinished.verifyData) || 1084 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 1085 c.sendAlert(alertHandshakeFailure) 1086 return errors.New("tls: client's Finished message was incorrect") 1087 } 1088 hs.writeClientHash(clientFinished.marshal()) 1089 1090 // Switch to application data keys on read. 1091 if err := c.useInTrafficSecret(c.wireVersion, hs.suite, clientTrafficSecret); err != nil { 1092 return err 1093 } 1094 1095 c.cipherSuite = hs.suite 1096 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1097 1098 // TODO(davidben): Allow configuring the number of tickets sent for 1099 // testing. 1100 if !c.config.SessionTicketsDisabled && foundKEMode { 1101 ticketCount := 2 1102 for i := 0; i < ticketCount; i++ { 1103 c.SendNewSessionTicket([]byte{byte(i)}) 1104 } 1105 } 1106 return nil 1107 } 1108 1109 // processClientHello processes the ClientHello message from the client and 1110 // decides whether we will perform session resumption. 1111 func (hs *serverHandshakeState) processClientHello() (isResume bool, err error) { 1112 config := hs.c.config 1113 c := hs.c 1114 1115 hs.hello = &serverHelloMsg{ 1116 isDTLS: c.isDTLS, 1117 vers: c.wireVersion, 1118 versOverride: config.Bugs.SendServerHelloVersion, 1119 compressionMethod: config.Bugs.SendCompressionMethod, 1120 extensions: serverExtensions{ 1121 supportedVersion: config.Bugs.SendServerSupportedExtensionVersion, 1122 }, 1123 omitExtensions: config.Bugs.OmitExtensions, 1124 emptyExtensions: config.Bugs.EmptyExtensions, 1125 } 1126 1127 hs.hello.random = make([]byte, 32) 1128 _, err = io.ReadFull(config.rand(), hs.hello.random) 1129 if err != nil { 1130 c.sendAlert(alertInternalError) 1131 return false, err 1132 } 1133 // Signal downgrades in the server random, per draft-ietf-tls-tls13-16, 1134 // section 4.1.3. 1135 if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 { 1136 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13) 1137 } 1138 if c.vers <= VersionTLS11 && config.maxVersion(c.isDTLS) == VersionTLS12 { 1139 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12) 1140 } 1141 if config.Bugs.SendDraftTLS13DowngradeRandom { 1142 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13Draft) 1143 } 1144 1145 if len(hs.clientHello.sessionId) == 0 && c.config.Bugs.ExpectClientHelloSessionID { 1146 return false, errors.New("tls: expected non-empty session ID from client") 1147 } 1148 1149 foundCompression := false 1150 // We only support null compression, so check that the client offered it. 1151 for _, compression := range hs.clientHello.compressionMethods { 1152 if compression == compressionNone { 1153 foundCompression = true 1154 break 1155 } 1156 } 1157 1158 if !foundCompression { 1159 c.sendAlert(alertHandshakeFailure) 1160 return false, errors.New("tls: client does not support uncompressed connections") 1161 } 1162 1163 if err := hs.processClientExtensions(&hs.hello.extensions); err != nil { 1164 return false, err 1165 } 1166 1167 supportedCurve := false 1168 preferredCurves := config.curvePreferences() 1169 Curves: 1170 for _, curve := range hs.clientHello.supportedCurves { 1171 for _, supported := range preferredCurves { 1172 if supported == curve { 1173 supportedCurve = true 1174 break Curves 1175 } 1176 } 1177 } 1178 1179 supportedPointFormat := false 1180 for _, pointFormat := range hs.clientHello.supportedPoints { 1181 if pointFormat == pointFormatUncompressed { 1182 supportedPointFormat = true 1183 break 1184 } 1185 } 1186 hs.ellipticOk = supportedCurve && supportedPointFormat 1187 1188 _, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey) 1189 // Ed25519 also uses ECDSA certificates. 1190 _, ed25519Ok := hs.cert.PrivateKey.(ed25519.PrivateKey) 1191 hs.ecdsaOk = hs.ecdsaOk || ed25519Ok 1192 1193 // For test purposes, check that the peer never offers a session when 1194 // renegotiating. 1195 if c.cipherSuite != nil && len(hs.clientHello.sessionId) > 0 && c.config.Bugs.FailIfResumeOnRenego { 1196 return false, errors.New("tls: offered resumption on renegotiation") 1197 } 1198 1199 if c.config.Bugs.FailIfSessionOffered && (len(hs.clientHello.sessionTicket) > 0 || len(hs.clientHello.sessionId) > 0) { 1200 return false, errors.New("tls: client offered a session ticket or ID") 1201 } 1202 1203 if hs.checkForResumption() { 1204 return true, nil 1205 } 1206 1207 var preferenceList, supportedList []uint16 1208 if c.config.PreferServerCipherSuites { 1209 preferenceList = c.config.cipherSuites() 1210 supportedList = hs.clientHello.cipherSuites 1211 } else { 1212 preferenceList = hs.clientHello.cipherSuites 1213 supportedList = c.config.cipherSuites() 1214 } 1215 1216 for _, id := range preferenceList { 1217 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil { 1218 break 1219 } 1220 } 1221 1222 if hs.suite == nil { 1223 c.sendAlert(alertHandshakeFailure) 1224 return false, errors.New("tls: no cipher suite supported by both client and server") 1225 } 1226 1227 return false, nil 1228 } 1229 1230 // processClientExtensions processes all ClientHello extensions not directly 1231 // related to cipher suite negotiation and writes responses in serverExtensions. 1232 func (hs *serverHandshakeState) processClientExtensions(serverExtensions *serverExtensions) error { 1233 config := hs.c.config 1234 c := hs.c 1235 1236 if c.vers < VersionTLS13 || config.Bugs.NegotiateRenegotiationInfoAtAllVersions { 1237 if !bytes.Equal(c.clientVerify, hs.clientHello.secureRenegotiation) { 1238 c.sendAlert(alertHandshakeFailure) 1239 return errors.New("tls: renegotiation mismatch") 1240 } 1241 1242 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 1243 serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.clientVerify...) 1244 serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.serverVerify...) 1245 if c.config.Bugs.BadRenegotiationInfo { 1246 serverExtensions.secureRenegotiation[0] ^= 0x80 1247 } 1248 if c.config.Bugs.BadRenegotiationInfoEnd { 1249 serverExtensions.secureRenegotiation[len(serverExtensions.secureRenegotiation)-1] ^= 0x80 1250 } 1251 } else { 1252 serverExtensions.secureRenegotiation = hs.clientHello.secureRenegotiation 1253 } 1254 1255 if c.noRenegotiationInfo() { 1256 serverExtensions.secureRenegotiation = nil 1257 } 1258 } 1259 1260 serverExtensions.duplicateExtension = c.config.Bugs.DuplicateExtension 1261 1262 if len(hs.clientHello.serverName) > 0 { 1263 c.serverName = hs.clientHello.serverName 1264 } 1265 if len(config.Certificates) == 0 { 1266 c.sendAlert(alertInternalError) 1267 return errors.New("tls: no certificates configured") 1268 } 1269 hs.cert = &config.Certificates[0] 1270 if len(hs.clientHello.serverName) > 0 { 1271 hs.cert = config.getCertificateForName(hs.clientHello.serverName) 1272 } 1273 if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName { 1274 return errors.New("tls: unexpected server name") 1275 } 1276 1277 if cert := config.Bugs.RenegotiationCertificate; c.cipherSuite != nil && cert != nil { 1278 hs.cert = cert 1279 } 1280 1281 if len(hs.clientHello.alpnProtocols) > 0 { 1282 // We will never offer ALPN as a client on renegotiation 1283 // handshakes. 1284 if len(c.clientVerify) > 0 { 1285 return errors.New("tls: offered ALPN on renegotiation") 1286 } 1287 if proto := c.config.Bugs.ALPNProtocol; proto != nil { 1288 serverExtensions.alpnProtocol = *proto 1289 serverExtensions.alpnProtocolEmpty = len(*proto) == 0 1290 c.clientProtocol = *proto 1291 c.usedALPN = true 1292 } else if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 1293 serverExtensions.alpnProtocol = selectedProto 1294 c.clientProtocol = selectedProto 1295 c.usedALPN = true 1296 } 1297 } 1298 1299 if len(c.config.Bugs.SendALPN) > 0 { 1300 serverExtensions.alpnProtocol = c.config.Bugs.SendALPN 1301 } 1302 1303 if c.vers < VersionTLS13 || config.Bugs.NegotiateNPNAtAllVersions { 1304 if len(hs.clientHello.alpnProtocols) == 0 || c.config.Bugs.NegotiateALPNAndNPN { 1305 // Although sending an empty NPN extension is reasonable, Firefox has 1306 // had a bug around this. Best to send nothing at all if 1307 // config.NextProtos is empty. See 1308 // https://code.google.com/p/go/issues/detail?id=5445. 1309 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 { 1310 serverExtensions.nextProtoNeg = true 1311 serverExtensions.nextProtos = config.NextProtos 1312 serverExtensions.npnAfterAlpn = config.Bugs.SwapNPNAndALPN 1313 } 1314 } 1315 } 1316 1317 if len(hs.clientHello.quicTransportParams) > 0 { 1318 c.quicTransportParams = hs.clientHello.quicTransportParams 1319 serverExtensions.quicTransportParams = c.config.QUICTransportParams 1320 } 1321 1322 if c.vers < VersionTLS13 || config.Bugs.NegotiateEMSAtAllVersions { 1323 disableEMS := config.Bugs.NoExtendedMasterSecret 1324 if c.cipherSuite != nil { 1325 disableEMS = config.Bugs.NoExtendedMasterSecretOnRenegotiation 1326 } 1327 serverExtensions.extendedMasterSecret = c.vers >= VersionTLS10 && hs.clientHello.extendedMasterSecret && !disableEMS 1328 } 1329 1330 if hs.clientHello.channelIDSupported && config.RequestChannelID { 1331 serverExtensions.channelIDRequested = true 1332 } 1333 1334 if config.TokenBindingParams != nil { 1335 if !bytes.Equal(config.ExpectTokenBindingParams, hs.clientHello.tokenBindingParams) { 1336 return errors.New("client did not send expected token binding params") 1337 } 1338 1339 // For testing, blindly send whatever is set in config, even if 1340 // it is invalid. 1341 serverExtensions.tokenBindingParams = config.TokenBindingParams 1342 serverExtensions.tokenBindingVersion = config.TokenBindingVersion 1343 } 1344 1345 if len(hs.clientHello.tokenBindingParams) > 0 && (!hs.clientHello.extendedMasterSecret || hs.clientHello.secureRenegotiation == nil) { 1346 return errors.New("client sent Token Binding without EMS and/or RI") 1347 } 1348 1349 if hs.clientHello.srtpProtectionProfiles != nil { 1350 SRTPLoop: 1351 for _, p1 := range c.config.SRTPProtectionProfiles { 1352 for _, p2 := range hs.clientHello.srtpProtectionProfiles { 1353 if p1 == p2 { 1354 serverExtensions.srtpProtectionProfile = p1 1355 c.srtpProtectionProfile = p1 1356 break SRTPLoop 1357 } 1358 } 1359 } 1360 } 1361 1362 if c.config.Bugs.SendSRTPProtectionProfile != 0 { 1363 serverExtensions.srtpProtectionProfile = c.config.Bugs.SendSRTPProtectionProfile 1364 } 1365 1366 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1367 if hs.clientHello.customExtension != *expected { 1368 return fmt.Errorf("tls: bad custom extension contents %q", hs.clientHello.customExtension) 1369 } 1370 } 1371 serverExtensions.customExtension = config.Bugs.CustomExtension 1372 1373 if c.config.Bugs.AdvertiseTicketExtension { 1374 serverExtensions.ticketSupported = true 1375 } 1376 1377 if c.config.Bugs.SendSupportedPointFormats != nil { 1378 serverExtensions.supportedPoints = c.config.Bugs.SendSupportedPointFormats 1379 } 1380 1381 if c.config.Bugs.SendServerSupportedCurves { 1382 serverExtensions.supportedCurves = c.config.curvePreferences() 1383 } 1384 1385 if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE { 1386 return errors.New("tls: no GREASE extension found") 1387 } 1388 1389 serverExtensions.serverNameAck = c.config.Bugs.SendServerNameAck 1390 1391 return nil 1392 } 1393 1394 // checkForResumption returns true if we should perform resumption on this connection. 1395 func (hs *serverHandshakeState) checkForResumption() bool { 1396 c := hs.c 1397 1398 ticket := hs.clientHello.sessionTicket 1399 if len(ticket) == 0 && len(hs.clientHello.pskIdentities) > 0 && c.config.Bugs.AcceptAnySession { 1400 ticket = hs.clientHello.pskIdentities[0].ticket 1401 } 1402 if len(ticket) > 0 { 1403 if c.config.SessionTicketsDisabled { 1404 return false 1405 } 1406 1407 var ok bool 1408 if hs.sessionState, ok = c.decryptTicket(ticket); !ok { 1409 return false 1410 } 1411 } else { 1412 if c.config.ServerSessionCache == nil { 1413 return false 1414 } 1415 1416 var ok bool 1417 sessionId := string(hs.clientHello.sessionId) 1418 if hs.sessionState, ok = c.config.ServerSessionCache.Get(sessionId); !ok { 1419 return false 1420 } 1421 } 1422 1423 if c.config.Bugs.AcceptAnySession { 1424 // Replace the cipher suite with one known to work, to test 1425 // cross-version resumption attempts. 1426 hs.sessionState.cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA 1427 } else { 1428 // Never resume a session for a different SSL version. 1429 if c.vers != hs.sessionState.vers { 1430 return false 1431 } 1432 1433 cipherSuiteOk := false 1434 // Check that the client is still offering the ciphersuite in the session. 1435 for _, id := range hs.clientHello.cipherSuites { 1436 if id == hs.sessionState.cipherSuite { 1437 cipherSuiteOk = true 1438 break 1439 } 1440 } 1441 if !cipherSuiteOk { 1442 return false 1443 } 1444 } 1445 1446 // Check that we also support the ciphersuite from the session. 1447 hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), c.vers, hs.ellipticOk, hs.ecdsaOk) 1448 1449 if hs.suite == nil { 1450 return false 1451 } 1452 1453 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 1454 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 1455 if needClientCerts && !sessionHasClientCerts { 1456 return false 1457 } 1458 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 1459 return false 1460 } 1461 1462 return true 1463 } 1464 1465 func (hs *serverHandshakeState) doResumeHandshake() error { 1466 c := hs.c 1467 1468 hs.hello.cipherSuite = hs.suite.id 1469 if c.config.Bugs.SendCipherSuite != 0 { 1470 hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite 1471 } 1472 // We echo the client's session ID in the ServerHello to let it know 1473 // that we're doing a resumption. 1474 hs.hello.sessionId = hs.clientHello.sessionId 1475 hs.hello.extensions.ticketSupported = c.config.Bugs.RenewTicketOnResume 1476 1477 if c.config.Bugs.SendSCTListOnResume != nil { 1478 hs.hello.extensions.sctList = c.config.Bugs.SendSCTListOnResume 1479 } 1480 1481 if c.config.Bugs.SendOCSPResponseOnResume != nil { 1482 // There is no way, syntactically, to send an OCSP response on a 1483 // resumption handshake. 1484 hs.hello.extensions.ocspStapling = true 1485 } 1486 1487 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 1488 hs.finishedHash.discardHandshakeBuffer() 1489 hs.writeClientHash(hs.clientHello.marshal()) 1490 hs.writeServerHash(hs.hello.marshal()) 1491 1492 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 1493 1494 if len(hs.sessionState.certificates) > 0 { 1495 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 1496 return err 1497 } 1498 } 1499 1500 hs.masterSecret = hs.sessionState.masterSecret 1501 c.extendedMasterSecret = hs.sessionState.extendedMasterSecret 1502 1503 return nil 1504 } 1505 1506 func (hs *serverHandshakeState) doFullHandshake() error { 1507 config := hs.c.config 1508 c := hs.c 1509 1510 isPSK := hs.suite.flags&suitePSK != 0 1511 if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 1512 hs.hello.extensions.ocspStapling = true 1513 } 1514 1515 if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 { 1516 hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList 1517 } 1518 1519 if len(c.clientVerify) > 0 && config.Bugs.SendSCTListOnRenegotiation != nil { 1520 hs.hello.extensions.sctList = config.Bugs.SendSCTListOnRenegotiation 1521 } 1522 1523 hs.hello.extensions.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled && c.vers > VersionSSL30 1524 hs.hello.cipherSuite = hs.suite.id 1525 if config.Bugs.SendCipherSuite != 0 { 1526 hs.hello.cipherSuite = config.Bugs.SendCipherSuite 1527 } 1528 c.extendedMasterSecret = hs.hello.extensions.extendedMasterSecret 1529 1530 // Generate a session ID if we're to save the session. 1531 if !hs.hello.extensions.ticketSupported && config.ServerSessionCache != nil { 1532 hs.hello.sessionId = make([]byte, 32) 1533 if _, err := io.ReadFull(config.rand(), hs.hello.sessionId); err != nil { 1534 c.sendAlert(alertInternalError) 1535 return errors.New("tls: short read from Rand: " + err.Error()) 1536 } 1537 } 1538 if config.Bugs.EchoSessionIDInFullHandshake { 1539 hs.hello.sessionId = hs.clientHello.sessionId 1540 } 1541 1542 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 1543 hs.writeClientHash(hs.clientHello.marshal()) 1544 hs.writeServerHash(hs.hello.marshal()) 1545 1546 if config.Bugs.SendSNIWarningAlert { 1547 c.SendAlert(alertLevelWarning, alertUnrecognizedName) 1548 } 1549 1550 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 1551 1552 if !isPSK { 1553 certMsg := new(certificateMsg) 1554 if !config.Bugs.EmptyCertificateList { 1555 for _, certData := range hs.cert.Certificate { 1556 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1557 data: certData, 1558 }) 1559 } 1560 } 1561 if !config.Bugs.UnauthenticatedECDH { 1562 certMsgBytes := certMsg.marshal() 1563 hs.writeServerHash(certMsgBytes) 1564 c.writeRecord(recordTypeHandshake, certMsgBytes) 1565 } 1566 } 1567 1568 if hs.hello.extensions.ocspStapling && !c.config.Bugs.SkipCertificateStatus { 1569 certStatus := new(certificateStatusMsg) 1570 certStatus.statusType = statusTypeOCSP 1571 certStatus.response = hs.cert.OCSPStaple 1572 if len(c.clientVerify) > 0 && config.Bugs.SendOCSPResponseOnRenegotiation != nil { 1573 certStatus.response = config.Bugs.SendOCSPResponseOnRenegotiation 1574 } 1575 hs.writeServerHash(certStatus.marshal()) 1576 c.writeRecord(recordTypeHandshake, certStatus.marshal()) 1577 } 1578 1579 keyAgreement := hs.suite.ka(c.vers) 1580 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello) 1581 if err != nil { 1582 c.sendAlert(alertHandshakeFailure) 1583 return err 1584 } 1585 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1586 c.curveID = ecdhe.curveID 1587 } 1588 if skx != nil && !config.Bugs.SkipServerKeyExchange { 1589 hs.writeServerHash(skx.marshal()) 1590 c.writeRecord(recordTypeHandshake, skx.marshal()) 1591 } 1592 1593 if config.ClientAuth >= RequestClientCert { 1594 // Request a client certificate 1595 certReq := &certificateRequestMsg{ 1596 vers: c.wireVersion, 1597 certificateTypes: config.ClientCertificateTypes, 1598 } 1599 if certReq.certificateTypes == nil { 1600 certReq.certificateTypes = []byte{ 1601 byte(CertTypeRSASign), 1602 byte(CertTypeECDSASign), 1603 } 1604 } 1605 if c.vers >= VersionTLS12 { 1606 certReq.hasSignatureAlgorithm = true 1607 if !config.Bugs.NoSignatureAlgorithms { 1608 certReq.signatureAlgorithms = config.verifySignatureAlgorithms() 1609 } 1610 } 1611 1612 // An empty list of certificateAuthorities signals to 1613 // the client that it may send any certificate in response 1614 // to our request. When we know the CAs we trust, then 1615 // we can send them down, so that the client can choose 1616 // an appropriate certificate to give to us. 1617 if config.ClientCAs != nil { 1618 certReq.certificateAuthorities = config.ClientCAs.Subjects() 1619 } 1620 hs.writeServerHash(certReq.marshal()) 1621 c.writeRecord(recordTypeHandshake, certReq.marshal()) 1622 } 1623 1624 helloDone := new(serverHelloDoneMsg) 1625 hs.writeServerHash(helloDone.marshal()) 1626 c.writeRecord(recordTypeHandshake, helloDone.marshal()) 1627 c.flushHandshake() 1628 1629 var pub crypto.PublicKey // public key for client auth, if any 1630 1631 if err := c.simulatePacketLoss(nil); err != nil { 1632 return err 1633 } 1634 msg, err := c.readHandshake() 1635 if err != nil { 1636 return err 1637 } 1638 1639 var ok bool 1640 // If we requested a client certificate, then the client must send a 1641 // certificate message, even if it's empty. 1642 if config.ClientAuth >= RequestClientCert { 1643 var certMsg *certificateMsg 1644 var certificates [][]byte 1645 if certMsg, ok = msg.(*certificateMsg); ok { 1646 if c.vers == VersionSSL30 && len(certMsg.certificates) == 0 { 1647 return errors.New("tls: empty certificate message in SSL 3.0") 1648 } 1649 1650 hs.writeClientHash(certMsg.marshal()) 1651 for _, cert := range certMsg.certificates { 1652 certificates = append(certificates, cert.data) 1653 } 1654 } else if c.vers == VersionSSL30 { 1655 // In SSL 3.0, no certificate is signaled by a warning 1656 // alert which we translate to ssl3NoCertificateMsg. 1657 if _, ok := msg.(*ssl3NoCertificateMsg); !ok { 1658 return errors.New("tls: client provided neither a certificate nor no_certificate warning alert") 1659 } 1660 } else { 1661 // In TLS, the Certificate message is required. In SSL 1662 // 3.0, the peer skips it when sending no certificates. 1663 c.sendAlert(alertUnexpectedMessage) 1664 return unexpectedMessageError(certMsg, msg) 1665 } 1666 1667 if len(certificates) == 0 { 1668 // The client didn't actually send a certificate 1669 switch config.ClientAuth { 1670 case RequireAnyClientCert, RequireAndVerifyClientCert: 1671 c.sendAlert(alertBadCertificate) 1672 return errors.New("tls: client didn't provide a certificate") 1673 } 1674 } 1675 1676 pub, err = hs.processCertsFromClient(certificates) 1677 if err != nil { 1678 return err 1679 } 1680 1681 msg, err = c.readHandshake() 1682 if err != nil { 1683 return err 1684 } 1685 } 1686 1687 // Get client key exchange 1688 ckx, ok := msg.(*clientKeyExchangeMsg) 1689 if !ok { 1690 c.sendAlert(alertUnexpectedMessage) 1691 return unexpectedMessageError(ckx, msg) 1692 } 1693 hs.writeClientHash(ckx.marshal()) 1694 1695 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers) 1696 if err != nil { 1697 c.sendAlert(alertHandshakeFailure) 1698 return err 1699 } 1700 if c.extendedMasterSecret { 1701 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 1702 } else { 1703 if c.config.Bugs.RequireExtendedMasterSecret { 1704 return errors.New("tls: extended master secret required but not supported by peer") 1705 } 1706 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 1707 } 1708 1709 // If we received a client cert in response to our certificate request message, 1710 // the client will send us a certificateVerifyMsg immediately after the 1711 // clientKeyExchangeMsg. This message is a digest of all preceding 1712 // handshake-layer messages that is signed using the private key corresponding 1713 // to the client's certificate. This allows us to verify that the client is in 1714 // possession of the private key of the certificate. 1715 if len(c.peerCertificates) > 0 { 1716 msg, err = c.readHandshake() 1717 if err != nil { 1718 return err 1719 } 1720 certVerify, ok := msg.(*certificateVerifyMsg) 1721 if !ok { 1722 c.sendAlert(alertUnexpectedMessage) 1723 return unexpectedMessageError(certVerify, msg) 1724 } 1725 1726 // Determine the signature type. 1727 var sigAlg signatureAlgorithm 1728 if certVerify.hasSignatureAlgorithm { 1729 sigAlg = certVerify.signatureAlgorithm 1730 c.peerSignatureAlgorithm = sigAlg 1731 } 1732 1733 if c.vers > VersionSSL30 { 1734 err = verifyMessage(c.vers, pub, c.config, sigAlg, hs.finishedHash.buffer, certVerify.signature) 1735 } else { 1736 // SSL 3.0's client certificate construction is 1737 // incompatible with signatureAlgorithm. 1738 rsaPub, ok := pub.(*rsa.PublicKey) 1739 if !ok { 1740 err = errors.New("unsupported key type for client certificate") 1741 } else { 1742 digest := hs.finishedHash.hashForClientCertificateSSL3(hs.masterSecret) 1743 err = rsa.VerifyPKCS1v15(rsaPub, crypto.MD5SHA1, digest, certVerify.signature) 1744 } 1745 } 1746 if err != nil { 1747 c.sendAlert(alertBadCertificate) 1748 return errors.New("could not validate signature of connection nonces: " + err.Error()) 1749 } 1750 1751 hs.writeClientHash(certVerify.marshal()) 1752 } 1753 1754 hs.finishedHash.discardHandshakeBuffer() 1755 1756 return nil 1757 } 1758 1759 func (hs *serverHandshakeState) establishKeys() error { 1760 c := hs.c 1761 1762 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 1763 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 1764 1765 var clientCipher, serverCipher interface{} 1766 var clientHash, serverHash macFunction 1767 1768 if hs.suite.aead == nil { 1769 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 1770 clientHash = hs.suite.mac(c.vers, clientMAC) 1771 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 1772 serverHash = hs.suite.mac(c.vers, serverMAC) 1773 } else { 1774 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 1775 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 1776 } 1777 1778 c.in.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 1779 c.out.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 1780 1781 return nil 1782 } 1783 1784 func (hs *serverHandshakeState) readFinished(out []byte, isResume bool) error { 1785 c := hs.c 1786 1787 c.readRecord(recordTypeChangeCipherSpec) 1788 if err := c.in.error(); err != nil { 1789 return err 1790 } 1791 1792 if hs.hello.extensions.nextProtoNeg { 1793 msg, err := c.readHandshake() 1794 if err != nil { 1795 return err 1796 } 1797 nextProto, ok := msg.(*nextProtoMsg) 1798 if !ok { 1799 c.sendAlert(alertUnexpectedMessage) 1800 return unexpectedMessageError(nextProto, msg) 1801 } 1802 hs.writeClientHash(nextProto.marshal()) 1803 c.clientProtocol = nextProto.proto 1804 } 1805 1806 if hs.hello.extensions.channelIDRequested { 1807 msg, err := c.readHandshake() 1808 if err != nil { 1809 return err 1810 } 1811 channelIDMsg, ok := msg.(*channelIDMsg) 1812 if !ok { 1813 c.sendAlert(alertUnexpectedMessage) 1814 return unexpectedMessageError(channelIDMsg, msg) 1815 } 1816 var resumeHash []byte 1817 if isResume { 1818 resumeHash = hs.sessionState.handshakeHash 1819 } 1820 channelID, err := verifyChannelIDMessage(channelIDMsg, hs.finishedHash.hashForChannelID(resumeHash)) 1821 if err != nil { 1822 return err 1823 } 1824 c.channelID = channelID 1825 1826 hs.writeClientHash(channelIDMsg.marshal()) 1827 } 1828 1829 msg, err := c.readHandshake() 1830 if err != nil { 1831 return err 1832 } 1833 clientFinished, ok := msg.(*finishedMsg) 1834 if !ok { 1835 c.sendAlert(alertUnexpectedMessage) 1836 return unexpectedMessageError(clientFinished, msg) 1837 } 1838 1839 verify := hs.finishedHash.clientSum(hs.masterSecret) 1840 if len(verify) != len(clientFinished.verifyData) || 1841 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 1842 c.sendAlert(alertHandshakeFailure) 1843 return errors.New("tls: client's Finished message is incorrect") 1844 } 1845 c.clientVerify = append(c.clientVerify[:0], clientFinished.verifyData...) 1846 copy(out, clientFinished.verifyData) 1847 1848 hs.writeClientHash(clientFinished.marshal()) 1849 return nil 1850 } 1851 1852 func (hs *serverHandshakeState) sendSessionTicket() error { 1853 c := hs.c 1854 state := sessionState{ 1855 vers: c.vers, 1856 cipherSuite: hs.suite.id, 1857 masterSecret: hs.masterSecret, 1858 certificates: hs.certsFromClient, 1859 handshakeHash: hs.finishedHash.Sum(), 1860 } 1861 1862 if !hs.hello.extensions.ticketSupported || hs.c.config.Bugs.SkipNewSessionTicket { 1863 if c.config.ServerSessionCache != nil && len(hs.hello.sessionId) != 0 { 1864 c.config.ServerSessionCache.Put(string(hs.hello.sessionId), &state) 1865 } 1866 return nil 1867 } 1868 1869 m := new(newSessionTicketMsg) 1870 m.vers = c.wireVersion 1871 m.isDTLS = c.isDTLS 1872 if c.config.Bugs.SendTicketLifetime != 0 { 1873 m.ticketLifetime = uint32(c.config.Bugs.SendTicketLifetime / time.Second) 1874 } 1875 1876 if !c.config.Bugs.SendEmptySessionTicket { 1877 var err error 1878 m.ticket, err = c.encryptTicket(&state) 1879 if err != nil { 1880 return err 1881 } 1882 } 1883 1884 hs.writeServerHash(m.marshal()) 1885 c.writeRecord(recordTypeHandshake, m.marshal()) 1886 1887 return nil 1888 } 1889 1890 func (hs *serverHandshakeState) sendFinished(out []byte, isResume bool) error { 1891 c := hs.c 1892 1893 finished := new(finishedMsg) 1894 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 1895 copy(out, finished.verifyData) 1896 if c.config.Bugs.BadFinished { 1897 finished.verifyData[0]++ 1898 } 1899 c.serverVerify = append(c.serverVerify[:0], finished.verifyData...) 1900 hs.finishedBytes = finished.marshal() 1901 hs.writeServerHash(hs.finishedBytes) 1902 postCCSBytes := hs.finishedBytes 1903 1904 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 1905 c.writeRecord(recordTypeHandshake, postCCSBytes[:5]) 1906 postCCSBytes = postCCSBytes[5:] 1907 } else if c.config.Bugs.SendUnencryptedFinished { 1908 c.writeRecord(recordTypeHandshake, postCCSBytes) 1909 postCCSBytes = nil 1910 } 1911 1912 if !c.config.Bugs.SkipChangeCipherSpec { 1913 ccs := []byte{1} 1914 if c.config.Bugs.BadChangeCipherSpec != nil { 1915 ccs = c.config.Bugs.BadChangeCipherSpec 1916 } 1917 c.writeRecord(recordTypeChangeCipherSpec, ccs) 1918 } 1919 1920 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 1921 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 1922 } 1923 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 1924 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 1925 return errors.New("tls: simulating post-CCS alert") 1926 } 1927 1928 if !c.config.Bugs.SkipFinished && len(postCCSBytes) > 0 { 1929 c.writeRecord(recordTypeHandshake, postCCSBytes) 1930 if c.config.Bugs.SendExtraFinished { 1931 c.writeRecord(recordTypeHandshake, finished.marshal()) 1932 } 1933 } 1934 1935 if isResume || (!c.config.Bugs.PackHelloRequestWithFinished && !c.config.Bugs.PackAppDataWithHandshake) { 1936 // Defer flushing until Renegotiate() or Write(). 1937 c.flushHandshake() 1938 } 1939 1940 c.cipherSuite = hs.suite 1941 1942 return nil 1943 } 1944 1945 // processCertsFromClient takes a chain of client certificates either from a 1946 // Certificates message or from a sessionState and verifies them. It returns 1947 // the public key of the leaf certificate. 1948 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 1949 c := hs.c 1950 1951 hs.certsFromClient = certificates 1952 certs := make([]*x509.Certificate, len(certificates)) 1953 var err error 1954 for i, asn1Data := range certificates { 1955 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 1956 c.sendAlert(alertBadCertificate) 1957 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 1958 } 1959 } 1960 1961 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 1962 opts := x509.VerifyOptions{ 1963 Roots: c.config.ClientCAs, 1964 CurrentTime: c.config.time(), 1965 Intermediates: x509.NewCertPool(), 1966 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 1967 } 1968 1969 for _, cert := range certs[1:] { 1970 opts.Intermediates.AddCert(cert) 1971 } 1972 1973 chains, err := certs[0].Verify(opts) 1974 if err != nil { 1975 c.sendAlert(alertBadCertificate) 1976 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 1977 } 1978 1979 ok := false 1980 for _, ku := range certs[0].ExtKeyUsage { 1981 if ku == x509.ExtKeyUsageClientAuth { 1982 ok = true 1983 break 1984 } 1985 } 1986 if !ok { 1987 c.sendAlert(alertHandshakeFailure) 1988 return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication") 1989 } 1990 1991 c.verifiedChains = chains 1992 } 1993 1994 if len(certs) > 0 { 1995 pub := getCertificatePublicKey(certs[0]) 1996 switch pub.(type) { 1997 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: 1998 break 1999 default: 2000 c.sendAlert(alertUnsupportedCertificate) 2001 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", pub) 2002 } 2003 c.peerCertificates = certs 2004 return pub, nil 2005 } 2006 2007 return nil, nil 2008 } 2009 2010 func verifyChannelIDMessage(channelIDMsg *channelIDMsg, channelIDHash []byte) (*ecdsa.PublicKey, error) { 2011 x := new(big.Int).SetBytes(channelIDMsg.channelID[0:32]) 2012 y := new(big.Int).SetBytes(channelIDMsg.channelID[32:64]) 2013 r := new(big.Int).SetBytes(channelIDMsg.channelID[64:96]) 2014 s := new(big.Int).SetBytes(channelIDMsg.channelID[96:128]) 2015 if !elliptic.P256().IsOnCurve(x, y) { 2016 return nil, errors.New("tls: invalid channel ID public key") 2017 } 2018 channelID := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y} 2019 if !ecdsa.Verify(channelID, channelIDHash, r, s) { 2020 return nil, errors.New("tls: invalid channel ID signature") 2021 } 2022 return channelID, nil 2023 } 2024 2025 func (hs *serverHandshakeState) writeServerHash(msg []byte) { 2026 // writeServerHash is called before writeRecord. 2027 hs.writeHash(msg, hs.c.sendHandshakeSeq) 2028 } 2029 2030 func (hs *serverHandshakeState) writeClientHash(msg []byte) { 2031 // writeClientHash is called after readHandshake. 2032 hs.writeHash(msg, hs.c.recvHandshakeSeq-1) 2033 } 2034 2035 func (hs *serverHandshakeState) writeHash(msg []byte, seqno uint16) { 2036 if hs.c.isDTLS { 2037 // This is somewhat hacky. DTLS hashes a slightly different format. 2038 // First, the TLS header. 2039 hs.finishedHash.Write(msg[:4]) 2040 // Then the sequence number and reassembled fragment offset (always 0). 2041 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0}) 2042 // Then the reassembled fragment (always equal to the message length). 2043 hs.finishedHash.Write(msg[1:4]) 2044 // And then the message body. 2045 hs.finishedHash.Write(msg[4:]) 2046 } else { 2047 hs.finishedHash.Write(msg) 2048 } 2049 } 2050 2051 // tryCipherSuite returns a cipherSuite with the given id if that cipher suite 2052 // is acceptable to use. 2053 func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite { 2054 for _, supported := range supportedCipherSuites { 2055 if id == supported { 2056 var candidate *cipherSuite 2057 2058 for _, s := range cipherSuites { 2059 if s.id == id { 2060 candidate = s 2061 break 2062 } 2063 } 2064 if candidate == nil { 2065 continue 2066 } 2067 2068 // Don't select a ciphersuite which we can't 2069 // support for this client. 2070 if version >= VersionTLS13 || candidate.flags&suiteTLS13 != 0 { 2071 if version < VersionTLS13 || candidate.flags&suiteTLS13 == 0 { 2072 continue 2073 } 2074 return candidate 2075 } 2076 if (candidate.flags&suiteECDHE != 0) && !ellipticOk { 2077 continue 2078 } 2079 if (candidate.flags&suiteECDSA != 0) != ecdsaOk { 2080 continue 2081 } 2082 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 2083 continue 2084 } 2085 return candidate 2086 } 2087 } 2088 2089 return nil 2090 } 2091 2092 func isTLS12Cipher(id uint16) bool { 2093 for _, cipher := range cipherSuites { 2094 if cipher.id != id { 2095 continue 2096 } 2097 return cipher.flags&suiteTLS12 != 0 2098 } 2099 // Unknown cipher. 2100 return false 2101 } 2102 2103 func isGREASEValue(val uint16) bool { 2104 return val&0x0f0f == 0x0a0a && val&0xff == val>>8 2105 } 2106 2107 func verifyPSKBinder(version uint16, clientHello *clientHelloMsg, sessionState *sessionState, binderToVerify, firstClientHello, helloRetryRequest []byte) error { 2108 binderLen := 2 2109 for _, binder := range clientHello.pskBinders { 2110 binderLen += 1 + len(binder) 2111 } 2112 2113 truncatedHello := clientHello.marshal() 2114 truncatedHello = truncatedHello[:len(truncatedHello)-binderLen] 2115 pskCipherSuite := cipherSuiteFromID(sessionState.cipherSuite) 2116 if pskCipherSuite == nil { 2117 return errors.New("tls: Unknown cipher suite for PSK in session") 2118 } 2119 2120 binder := computePSKBinder(sessionState.masterSecret, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2121 if !bytes.Equal(binder, binderToVerify) { 2122 return errors.New("tls: PSK binder does not verify") 2123 } 2124 2125 return nil 2126 } 2127
