kris
/
boringssl
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1673 Commits
12 Branches
38 MiB
 
 
 
 
 
 
Tree: b2d987b47c
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b2d987b47c'
${ noResults }
boringssl/ssl/test/runner/handshake_client.go

982 lines
28 KiB
Raw Blame History 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package main

  6. 

  7. import (

  8. 	"bytes"

  9. 	"crypto/ecdsa"

  10. 	"crypto/elliptic"

  11. 	"crypto/rsa"

  12. 	"crypto/subtle"

  13. 	"crypto/x509"

  14. 	"encoding/asn1"

  15. 	"errors"

  16. 	"fmt"

  17. 	"io"

  18. 	"math/big"

  19. 	"net"

  20. 	"strconv"

  21. )

  22. 

  23. type clientHandshakeState struct {

  24. 	c             *Conn

  25. 	serverHello   *serverHelloMsg

  26. 	hello         *clientHelloMsg

  27. 	suite         *cipherSuite

  28. 	finishedHash  finishedHash

  29. 	masterSecret  []byte

  30. 	session       *ClientSessionState

  31. 	finishedBytes []byte

  32. }

  33. 

  34. func (c *Conn) clientHandshake() error {

  35. 	if c.config == nil {

  36. 		c.config = defaultConfig()

  37. 	}

  38. 

  39. 	if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {

  40. 		return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")

  41. 	}

  42. 

  43. 	c.sendHandshakeSeq = 0

  44. 	c.recvHandshakeSeq = 0

  45. 

  46. 	nextProtosLength := 0

  47. 	for _, proto := range c.config.NextProtos {

  48. 		if l := len(proto); l > 255 {

  49. 			return errors.New("tls: invalid NextProtos value")

  50. 		} else {

  51. 			nextProtosLength += 1 + l

  52. 		}

  53. 	}

  54. 	if nextProtosLength > 0xffff {

  55. 		return errors.New("tls: NextProtos values too large")

  56. 	}

  57. 

  58. 	hello := &clientHelloMsg{

  59. 		isDTLS:                  c.isDTLS,

  60. 		vers:                    c.config.maxVersion(),

  61. 		compressionMethods:      []uint8{compressionNone},

  62. 		random:                  make([]byte, 32),

  63. 		ocspStapling:            true,

  64. 		serverName:              c.config.ServerName,

  65. 		supportedCurves:         c.config.curvePreferences(),

  66. 		supportedPoints:         []uint8{pointFormatUncompressed},

  67. 		nextProtoNeg:            len(c.config.NextProtos) > 0,

  68. 		secureRenegotiation:     []byte{},

  69. 		alpnProtocols:           c.config.NextProtos,

  70. 		duplicateExtension:      c.config.Bugs.DuplicateExtension,

  71. 		channelIDSupported:      c.config.ChannelID != nil,

  72. 		npnLast:                 c.config.Bugs.SwapNPNAndALPN,

  73. 		extendedMasterSecret:    c.config.maxVersion() >= VersionTLS10,

  74. 		srtpProtectionProfiles:  c.config.SRTPProtectionProfiles,

  75. 		srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,

  76. 		customExtension:         c.config.Bugs.CustomExtension,

  77. 	}

  78. 

  79. 	if c.config.Bugs.SendClientVersion != 0 {

  80. 		hello.vers = c.config.Bugs.SendClientVersion

  81. 	}

  82. 

  83. 	if c.config.Bugs.NoExtendedMasterSecret {

  84. 		hello.extendedMasterSecret = false

  85. 	}

  86. 

  87. 	if c.config.Bugs.NoSupportedCurves {

  88. 		hello.supportedCurves = nil

  89. 	}

  90. 

  91. 	if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {

  92. 		if c.config.Bugs.BadRenegotiationInfo {

  93. 			hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)

  94. 			hello.secureRenegotiation[0] ^= 0x80

  95. 		} else {

  96. 			hello.secureRenegotiation = c.clientVerify

  97. 		}

  98. 	}

  99. 

  100. 	if c.config.Bugs.NoRenegotiationInfo {

  101. 		hello.secureRenegotiation = nil

  102. 	}

  103. 

  104. 	possibleCipherSuites := c.config.cipherSuites()

  105. 	hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))

  106. 

  107. NextCipherSuite:

  108. 	for _, suiteId := range possibleCipherSuites {

  109. 		for _, suite := range cipherSuites {

  110. 			if suite.id != suiteId {

  111. 				continue

  112. 			}

  113. 			// Don't advertise TLS 1.2-only cipher suites unless

  114. 			// we're attempting TLS 1.2.

  115. 			if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {

  116. 				continue

  117. 			}

  118. 			// Don't advertise non-DTLS cipher suites on DTLS.

  119. 			if c.isDTLS && suite.flags&suiteNoDTLS != 0 && !c.config.Bugs.EnableAllCiphersInDTLS {

  120. 				continue

  121. 			}

  122. 			hello.cipherSuites = append(hello.cipherSuites, suiteId)

  123. 			continue NextCipherSuite

  124. 		}

  125. 	}

  126. 

  127. 	if c.config.Bugs.SendRenegotiationSCSV {

  128. 		hello.cipherSuites = append(hello.cipherSuites, renegotiationSCSV)

  129. 	}

  130. 

  131. 	if c.config.Bugs.SendFallbackSCSV {

  132. 		hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)

  133. 	}

  134. 

  135. 	_, err := io.ReadFull(c.config.rand(), hello.random)

  136. 	if err != nil {

  137. 		c.sendAlert(alertInternalError)

  138. 		return errors.New("tls: short read from Rand: " + err.Error())

  139. 	}

  140. 

  141. 	if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes {

  142. 		hello.signatureAndHashes = c.config.signatureAndHashesForClient()

  143. 	}

  144. 

  145. 	var session *ClientSessionState

  146. 	var cacheKey string

  147. 	sessionCache := c.config.ClientSessionCache

  148. 

  149. 	if sessionCache != nil {

  150. 		hello.ticketSupported = !c.config.SessionTicketsDisabled

  151. 

  152. 		// Try to resume a previously negotiated TLS session, if

  153. 		// available.

  154. 		cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)

  155. 		candidateSession, ok := sessionCache.Get(cacheKey)

  156. 		if ok {

  157. 			ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil

  158. 

  159. 			// Check that the ciphersuite/version used for the

  160. 			// previous session are still valid.

  161. 			cipherSuiteOk := false

  162. 			for _, id := range hello.cipherSuites {

  163. 				if id == candidateSession.cipherSuite {

  164. 					cipherSuiteOk = true

  165. 					break

  166. 				}

  167. 			}

  168. 

  169. 			versOk := candidateSession.vers >= c.config.minVersion() &&

  170. 				candidateSession.vers <= c.config.maxVersion()

  171. 			if ticketOk && versOk && cipherSuiteOk {

  172. 				session = candidateSession

  173. 			}

  174. 		}

  175. 	}

  176. 

  177. 	if session != nil {

  178. 		if session.sessionTicket != nil {

  179. 			hello.sessionTicket = session.sessionTicket

  180. 			if c.config.Bugs.CorruptTicket {

  181. 				hello.sessionTicket = make([]byte, len(session.sessionTicket))

  182. 				copy(hello.sessionTicket, session.sessionTicket)

  183. 				if len(hello.sessionTicket) > 0 {

  184. 					offset := 40

  185. 					if offset > len(hello.sessionTicket) {

  186. 						offset = len(hello.sessionTicket) - 1

  187. 					}

  188. 					hello.sessionTicket[offset] ^= 0x40

  189. 				}

  190. 			}

  191. 			// A random session ID is used to detect when the

  192. 			// server accepted the ticket and is resuming a session

  193. 			// (see RFC 5077).

  194. 			sessionIdLen := 16

  195. 			if c.config.Bugs.OversizedSessionId {

  196. 				sessionIdLen = 33

  197. 			}

  198. 			hello.sessionId = make([]byte, sessionIdLen)

  199. 			if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {

  200. 				c.sendAlert(alertInternalError)

  201. 				return errors.New("tls: short read from Rand: " + err.Error())

  202. 			}

  203. 		} else {

  204. 			hello.sessionId = session.sessionId

  205. 		}

  206. 	}

  207. 

  208. 	var helloBytes []byte

  209. 	if c.config.Bugs.SendV2ClientHello {

  210. 		// Test that the peer left-pads random.

  211. 		hello.random[0] = 0

  212. 		v2Hello := &v2ClientHelloMsg{

  213. 			vers:         hello.vers,

  214. 			cipherSuites: hello.cipherSuites,

  215. 			// No session resumption for V2ClientHello.

  216. 			sessionId: nil,

  217. 			challenge: hello.random[1:],

  218. 		}

  219. 		helloBytes = v2Hello.marshal()

  220. 		c.writeV2Record(helloBytes)

  221. 	} else {

  222. 		helloBytes = hello.marshal()

  223. 		c.writeRecord(recordTypeHandshake, helloBytes)

  224. 	}

  225. 	c.dtlsFlushHandshake()

  226. 

  227. 	if err := c.simulatePacketLoss(nil); err != nil {

  228. 		return err

  229. 	}

  230. 	msg, err := c.readHandshake()

  231. 	if err != nil {

  232. 		return err

  233. 	}

  234. 

  235. 	if c.isDTLS {

  236. 		helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)

  237. 		if ok {

  238. 			if helloVerifyRequest.vers != VersionTLS10 {

  239. 				// Per RFC 6347, the version field in

  240. 				// HelloVerifyRequest SHOULD be always DTLS

  241. 				// 1.0. Enforce this for testing purposes.

  242. 				return errors.New("dtls: bad HelloVerifyRequest version")

  243. 			}

  244. 

  245. 			hello.raw = nil

  246. 			hello.cookie = helloVerifyRequest.cookie

  247. 			helloBytes = hello.marshal()

  248. 			c.writeRecord(recordTypeHandshake, helloBytes)

  249. 			c.dtlsFlushHandshake()

  250. 

  251. 			if err := c.simulatePacketLoss(nil); err != nil {

  252. 				return err

  253. 			}

  254. 			msg, err = c.readHandshake()

  255. 			if err != nil {

  256. 				return err

  257. 			}

  258. 		}

  259. 	}

  260. 

  261. 	serverHello, ok := msg.(*serverHelloMsg)

  262. 	if !ok {

  263. 		c.sendAlert(alertUnexpectedMessage)

  264. 		return unexpectedMessageError(serverHello, msg)

  265. 	}

  266. 

  267. 	c.vers, ok = c.config.mutualVersion(serverHello.vers)

  268. 	if !ok {

  269. 		c.sendAlert(alertProtocolVersion)

  270. 		return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)

  271. 	}

  272. 	c.haveVers = true

  273. 

  274. 	suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)

  275. 	if suite == nil {

  276. 		c.sendAlert(alertHandshakeFailure)

  277. 		return fmt.Errorf("tls: server selected an unsupported cipher suite")

  278. 	}

  279. 

  280. 	if c.config.Bugs.RequireRenegotiationInfo && serverHello.secureRenegotiation == nil {

  281. 		return errors.New("tls: renegotiation extension missing")

  282. 	}

  283. 

  284. 	if len(c.clientVerify) > 0 && !c.config.Bugs.NoRenegotiationInfo {

  285. 		var expectedRenegInfo []byte

  286. 		expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)

  287. 		expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)

  288. 		if !bytes.Equal(serverHello.secureRenegotiation, expectedRenegInfo) {

  289. 			c.sendAlert(alertHandshakeFailure)

  290. 			return fmt.Errorf("tls: renegotiation mismatch")

  291. 		}

  292. 	}

  293. 

  294. 	if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {

  295. 		if serverHello.customExtension != *expected {

  296. 			return fmt.Errorf("tls: bad custom extension contents %q", serverHello.customExtension)

  297. 		}

  298. 	}

  299. 

  300. 	hs := &clientHandshakeState{

  301. 		c:            c,

  302. 		serverHello:  serverHello,

  303. 		hello:        hello,

  304. 		suite:        suite,

  305. 		finishedHash: newFinishedHash(c.vers, suite),

  306. 		session:      session,

  307. 	}

  308. 

  309. 	hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)

  310. 	hs.writeServerHash(hs.serverHello.marshal())

  311. 

  312. 	if c.config.Bugs.EarlyChangeCipherSpec > 0 {

  313. 		hs.establishKeys()

  314. 		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})

  315. 	}

  316. 

  317. 	isResume, err := hs.processServerHello()

  318. 	if err != nil {

  319. 		return err

  320. 	}

  321. 

  322. 	if isResume {

  323. 		if c.config.Bugs.EarlyChangeCipherSpec == 0 {

  324. 			if err := hs.establishKeys(); err != nil {

  325. 				return err

  326. 			}

  327. 		}

  328. 		if err := hs.readSessionTicket(); err != nil {

  329. 			return err

  330. 		}

  331. 		if err := hs.readFinished(c.firstFinished[:]); err != nil {

  332. 			return err

  333. 		}

  334. 		if err := hs.sendFinished(nil, isResume); err != nil {

  335. 			return err

  336. 		}

  337. 	} else {

  338. 		if err := hs.doFullHandshake(); err != nil {

  339. 			return err

  340. 		}

  341. 		if err := hs.establishKeys(); err != nil {

  342. 			return err

  343. 		}

  344. 		if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {

  345. 			return err

  346. 		}

  347. 		// Most retransmits are triggered by a timeout, but the final

  348. 		// leg of the handshake is retransmited upon re-receiving a

  349. 		// Finished.

  350. 		if err := c.simulatePacketLoss(func() {

  351. 			c.writeRecord(recordTypeHandshake, hs.finishedBytes)

  352. 			c.dtlsFlushHandshake()

  353. 		}); err != nil {

  354. 			return err

  355. 		}

  356. 		if err := hs.readSessionTicket(); err != nil {

  357. 			return err

  358. 		}

  359. 		if err := hs.readFinished(nil); err != nil {

  360. 			return err

  361. 		}

  362. 	}

  363. 

  364. 	if sessionCache != nil && hs.session != nil && session != hs.session {

  365. 		sessionCache.Put(cacheKey, hs.session)

  366. 	}

  367. 

  368. 	c.didResume = isResume

  369. 	c.handshakeComplete = true

  370. 	c.cipherSuite = suite

  371. 	copy(c.clientRandom[:], hs.hello.random)

  372. 	copy(c.serverRandom[:], hs.serverHello.random)

  373. 	copy(c.masterSecret[:], hs.masterSecret)

  374. 	return nil

  375. }

  376. 

  377. func (hs *clientHandshakeState) doFullHandshake() error {

  378. 	c := hs.c

  379. 

  380. 	var leaf *x509.Certificate

  381. 	if hs.suite.flags&suitePSK == 0 {

  382. 		msg, err := c.readHandshake()

  383. 		if err != nil {

  384. 			return err

  385. 		}

  386. 

  387. 		certMsg, ok := msg.(*certificateMsg)

  388. 		if !ok || len(certMsg.certificates) == 0 {

  389. 			c.sendAlert(alertUnexpectedMessage)

  390. 			return unexpectedMessageError(certMsg, msg)

  391. 		}

  392. 		hs.writeServerHash(certMsg.marshal())

  393. 

  394. 		certs := make([]*x509.Certificate, len(certMsg.certificates))

  395. 		for i, asn1Data := range certMsg.certificates {

  396. 			cert, err := x509.ParseCertificate(asn1Data)

  397. 			if err != nil {

  398. 				c.sendAlert(alertBadCertificate)

  399. 				return errors.New("tls: failed to parse certificate from server: " + err.Error())

  400. 			}

  401. 			certs[i] = cert

  402. 		}

  403. 		leaf = certs[0]

  404. 

  405. 		if !c.config.InsecureSkipVerify {

  406. 			opts := x509.VerifyOptions{

  407. 				Roots:         c.config.RootCAs,

  408. 				CurrentTime:   c.config.time(),

  409. 				DNSName:       c.config.ServerName,

  410. 				Intermediates: x509.NewCertPool(),

  411. 			}

  412. 

  413. 			for i, cert := range certs {

  414. 				if i == 0 {

  415. 					continue

  416. 				}

  417. 				opts.Intermediates.AddCert(cert)

  418. 			}

  419. 			c.verifiedChains, err = leaf.Verify(opts)

  420. 			if err != nil {

  421. 				c.sendAlert(alertBadCertificate)

  422. 				return err

  423. 			}

  424. 		}

  425. 

  426. 		switch leaf.PublicKey.(type) {

  427. 		case *rsa.PublicKey, *ecdsa.PublicKey:

  428. 			break

  429. 		default:

  430. 			c.sendAlert(alertUnsupportedCertificate)

  431. 			return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leaf.PublicKey)

  432. 		}

  433. 

  434. 		c.peerCertificates = certs

  435. 	}

  436. 

  437. 	if hs.serverHello.ocspStapling {

  438. 		msg, err := c.readHandshake()

  439. 		if err != nil {

  440. 			return err

  441. 		}

  442. 		cs, ok := msg.(*certificateStatusMsg)

  443. 		if !ok {

  444. 			c.sendAlert(alertUnexpectedMessage)

  445. 			return unexpectedMessageError(cs, msg)

  446. 		}

  447. 		hs.writeServerHash(cs.marshal())

  448. 

  449. 		if cs.statusType == statusTypeOCSP {

  450. 			c.ocspResponse = cs.response

  451. 		}

  452. 	}

  453. 

  454. 	msg, err := c.readHandshake()

  455. 	if err != nil {

  456. 		return err

  457. 	}

  458. 

  459. 	keyAgreement := hs.suite.ka(c.vers)

  460. 

  461. 	skx, ok := msg.(*serverKeyExchangeMsg)

  462. 	if ok {

  463. 		hs.writeServerHash(skx.marshal())

  464. 		err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)

  465. 		if err != nil {

  466. 			c.sendAlert(alertUnexpectedMessage)

  467. 			return err

  468. 		}

  469. 

  470. 		msg, err = c.readHandshake()

  471. 		if err != nil {

  472. 			return err

  473. 		}

  474. 	}

  475. 

  476. 	var chainToSend *Certificate

  477. 	var certRequested bool

  478. 	certReq, ok := msg.(*certificateRequestMsg)

  479. 	if ok {

  480. 		certRequested = true

  481. 

  482. 		// RFC 4346 on the certificateAuthorities field:

  483. 		// A list of the distinguished names of acceptable certificate

  484. 		// authorities. These distinguished names may specify a desired

  485. 		// distinguished name for a root CA or for a subordinate CA;

  486. 		// thus, this message can be used to describe both known roots

  487. 		// and a desired authorization space. If the

  488. 		// certificate_authorities list is empty then the client MAY

  489. 		// send any certificate of the appropriate

  490. 		// ClientCertificateType, unless there is some external

  491. 		// arrangement to the contrary.

  492. 

  493. 		hs.writeServerHash(certReq.marshal())

  494. 

  495. 		var rsaAvail, ecdsaAvail bool

  496. 		for _, certType := range certReq.certificateTypes {

  497. 			switch certType {

  498. 			case CertTypeRSASign:

  499. 				rsaAvail = true

  500. 			case CertTypeECDSASign:

  501. 				ecdsaAvail = true

  502. 			}

  503. 		}

  504. 

  505. 		// We need to search our list of client certs for one

  506. 		// where SignatureAlgorithm is RSA and the Issuer is in

  507. 		// certReq.certificateAuthorities

  508. 	findCert:

  509. 		for i, chain := range c.config.Certificates {

  510. 			if !rsaAvail && !ecdsaAvail {

  511. 				continue

  512. 			}

  513. 

  514. 			for j, cert := range chain.Certificate {

  515. 				x509Cert := chain.Leaf

  516. 				// parse the certificate if this isn't the leaf

  517. 				// node, or if chain.Leaf was nil

  518. 				if j != 0 || x509Cert == nil {

  519. 					if x509Cert, err = x509.ParseCertificate(cert); err != nil {

  520. 						c.sendAlert(alertInternalError)

  521. 						return errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())

  522. 					}

  523. 				}

  524. 

  525. 				switch {

  526. 				case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:

  527. 				case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:

  528. 				default:

  529. 					continue findCert

  530. 				}

  531. 

  532. 				if len(certReq.certificateAuthorities) == 0 {

  533. 					// they gave us an empty list, so just take the

  534. 					// first RSA cert from c.config.Certificates

  535. 					chainToSend = &chain

  536. 					break findCert

  537. 				}

  538. 

  539. 				for _, ca := range certReq.certificateAuthorities {

  540. 					if bytes.Equal(x509Cert.RawIssuer, ca) {

  541. 						chainToSend = &chain

  542. 						break findCert

  543. 					}

  544. 				}

  545. 			}

  546. 		}

  547. 

  548. 		msg, err = c.readHandshake()

  549. 		if err != nil {

  550. 			return err

  551. 		}

  552. 	}

  553. 

  554. 	shd, ok := msg.(*serverHelloDoneMsg)

  555. 	if !ok {

  556. 		c.sendAlert(alertUnexpectedMessage)

  557. 		return unexpectedMessageError(shd, msg)

  558. 	}

  559. 	hs.writeServerHash(shd.marshal())

  560. 

  561. 	// If the server requested a certificate then we have to send a

  562. 	// Certificate message, even if it's empty because we don't have a

  563. 	// certificate to send.

  564. 	if certRequested {

  565. 		certMsg := new(certificateMsg)

  566. 		if chainToSend != nil {

  567. 			certMsg.certificates = chainToSend.Certificate

  568. 		}

  569. 		hs.writeClientHash(certMsg.marshal())

  570. 		c.writeRecord(recordTypeHandshake, certMsg.marshal())

  571. 	}

  572. 

  573. 	preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)

  574. 	if err != nil {

  575. 		c.sendAlert(alertInternalError)

  576. 		return err

  577. 	}

  578. 	if ckx != nil {

  579. 		if c.config.Bugs.EarlyChangeCipherSpec < 2 {

  580. 			hs.writeClientHash(ckx.marshal())

  581. 		}

  582. 		c.writeRecord(recordTypeHandshake, ckx.marshal())

  583. 	}

  584. 

  585. 	if hs.serverHello.extendedMasterSecret && c.vers >= VersionTLS10 {

  586. 		hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)

  587. 		c.extendedMasterSecret = true

  588. 	} else {

  589. 		if c.config.Bugs.RequireExtendedMasterSecret {

  590. 			return errors.New("tls: extended master secret required but not supported by peer")

  591. 		}

  592. 		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)

  593. 	}

  594. 

  595. 	if chainToSend != nil {

  596. 		var signed []byte

  597. 		certVerify := &certificateVerifyMsg{

  598. 			hasSignatureAndHash: c.vers >= VersionTLS12,

  599. 		}

  600. 

  601. 		// Determine the hash to sign.

  602. 		var signatureType uint8

  603. 		switch c.config.Certificates[0].PrivateKey.(type) {

  604. 		case *ecdsa.PrivateKey:

  605. 			signatureType = signatureECDSA

  606. 		case *rsa.PrivateKey:

  607. 			signatureType = signatureRSA

  608. 		default:

  609. 			c.sendAlert(alertInternalError)

  610. 			return errors.New("unknown private key type")

  611. 		}

  612. 		if c.config.Bugs.IgnorePeerSignatureAlgorithmPreferences {

  613. 			certReq.signatureAndHashes = c.config.signatureAndHashesForClient()

  614. 		}

  615. 		certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, c.config.signatureAndHashesForClient(), signatureType)

  616. 		if err != nil {

  617. 			c.sendAlert(alertInternalError)

  618. 			return err

  619. 		}

  620. 		digest, hashFunc, err := hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)

  621. 		if err != nil {

  622. 			c.sendAlert(alertInternalError)

  623. 			return err

  624. 		}

  625. 		if c.config.Bugs.InvalidCertVerifySignature {

  626. 			digest[0] ^= 0x80

  627. 		}

  628. 

  629. 		switch key := c.config.Certificates[0].PrivateKey.(type) {

  630. 		case *ecdsa.PrivateKey:

  631. 			var r, s *big.Int

  632. 			r, s, err = ecdsa.Sign(c.config.rand(), key, digest)

  633. 			if err == nil {

  634. 				signed, err = asn1.Marshal(ecdsaSignature{r, s})

  635. 			}

  636. 		case *rsa.PrivateKey:

  637. 			signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)

  638. 		default:

  639. 			err = errors.New("unknown private key type")

  640. 		}

  641. 		if err != nil {

  642. 			c.sendAlert(alertInternalError)

  643. 			return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())

  644. 		}

  645. 		certVerify.signature = signed

  646. 

  647. 		hs.writeClientHash(certVerify.marshal())

  648. 		c.writeRecord(recordTypeHandshake, certVerify.marshal())

  649. 	}

  650. 	c.dtlsFlushHandshake()

  651. 

  652. 	hs.finishedHash.discardHandshakeBuffer()

  653. 

  654. 	return nil

  655. }

  656. 

  657. func (hs *clientHandshakeState) establishKeys() error {

  658. 	c := hs.c

  659. 

  660. 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=

  661. 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)

  662. 	var clientCipher, serverCipher interface{}

  663. 	var clientHash, serverHash macFunction

  664. 	if hs.suite.cipher != nil {

  665. 		clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)

  666. 		clientHash = hs.suite.mac(c.vers, clientMAC)

  667. 		serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)

  668. 		serverHash = hs.suite.mac(c.vers, serverMAC)

  669. 	} else {

  670. 		clientCipher = hs.suite.aead(clientKey, clientIV)

  671. 		serverCipher = hs.suite.aead(serverKey, serverIV)

  672. 	}

  673. 

  674. 	c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)

  675. 	c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)

  676. 	return nil

  677. }

  678. 

  679. func (hs *clientHandshakeState) serverResumedSession() bool {

  680. 	// If the server responded with the same sessionId then it means the

  681. 	// sessionTicket is being used to resume a TLS session.

  682. 	return hs.session != nil && hs.hello.sessionId != nil &&

  683. 		bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)

  684. }

  685. 

  686. func (hs *clientHandshakeState) processServerHello() (bool, error) {

  687. 	c := hs.c

  688. 

  689. 	if hs.serverHello.compressionMethod != compressionNone {

  690. 		c.sendAlert(alertUnexpectedMessage)

  691. 		return false, errors.New("tls: server selected unsupported compression format")

  692. 	}

  693. 

  694. 	clientDidNPN := hs.hello.nextProtoNeg

  695. 	clientDidALPN := len(hs.hello.alpnProtocols) > 0

  696. 	serverHasNPN := hs.serverHello.nextProtoNeg

  697. 	serverHasALPN := len(hs.serverHello.alpnProtocol) > 0

  698. 

  699. 	if !clientDidNPN && serverHasNPN {

  700. 		c.sendAlert(alertHandshakeFailure)

  701. 		return false, errors.New("server advertised unrequested NPN extension")

  702. 	}

  703. 

  704. 	if !clientDidALPN && serverHasALPN {

  705. 		c.sendAlert(alertHandshakeFailure)

  706. 		return false, errors.New("server advertised unrequested ALPN extension")

  707. 	}

  708. 

  709. 	if serverHasNPN && serverHasALPN {

  710. 		c.sendAlert(alertHandshakeFailure)

  711. 		return false, errors.New("server advertised both NPN and ALPN extensions")

  712. 	}

  713. 

  714. 	if serverHasALPN {

  715. 		c.clientProtocol = hs.serverHello.alpnProtocol

  716. 		c.clientProtocolFallback = false

  717. 		c.usedALPN = true

  718. 	}

  719. 

  720. 	if !hs.hello.channelIDSupported && hs.serverHello.channelIDRequested {

  721. 		c.sendAlert(alertHandshakeFailure)

  722. 		return false, errors.New("server advertised unrequested Channel ID extension")

  723. 	}

  724. 

  725. 	if hs.serverHello.srtpProtectionProfile != 0 {

  726. 		if hs.serverHello.srtpMasterKeyIdentifier != "" {

  727. 			return false, errors.New("tls: server selected SRTP MKI value")

  728. 		}

  729. 

  730. 		found := false

  731. 		for _, p := range c.config.SRTPProtectionProfiles {

  732. 			if p == hs.serverHello.srtpProtectionProfile {

  733. 				found = true

  734. 				break

  735. 			}

  736. 		}

  737. 		if !found {

  738. 			return false, errors.New("tls: server advertised unsupported SRTP profile")

  739. 		}

  740. 

  741. 		c.srtpProtectionProfile = hs.serverHello.srtpProtectionProfile

  742. 	}

  743. 

  744. 	if hs.serverResumedSession() {

  745. 		// For test purposes, assert that the server never accepts the

  746. 		// resumption offer on renegotiation.

  747. 		if c.cipherSuite != nil && c.config.Bugs.FailIfResumeOnRenego {

  748. 			return false, errors.New("tls: server resumed session on renegotiation")

  749. 		}

  750. 

  751. 		// Restore masterSecret and peerCerts from previous state

  752. 		hs.masterSecret = hs.session.masterSecret

  753. 		c.peerCertificates = hs.session.serverCertificates

  754. 		c.extendedMasterSecret = hs.session.extendedMasterSecret

  755. 		hs.finishedHash.discardHandshakeBuffer()

  756. 		return true, nil

  757. 	}

  758. 	return false, nil

  759. }

  760. 

  761. func (hs *clientHandshakeState) readFinished(out []byte) error {

  762. 	c := hs.c

  763. 

  764. 	c.readRecord(recordTypeChangeCipherSpec)

  765. 	if err := c.in.error(); err != nil {

  766. 		return err

  767. 	}

  768. 

  769. 	msg, err := c.readHandshake()

  770. 	if err != nil {

  771. 		return err

  772. 	}

  773. 	serverFinished, ok := msg.(*finishedMsg)

  774. 	if !ok {

  775. 		c.sendAlert(alertUnexpectedMessage)

  776. 		return unexpectedMessageError(serverFinished, msg)

  777. 	}

  778. 

  779. 	if c.config.Bugs.EarlyChangeCipherSpec == 0 {

  780. 		verify := hs.finishedHash.serverSum(hs.masterSecret)

  781. 		if len(verify) != len(serverFinished.verifyData) ||

  782. 			subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {

  783. 			c.sendAlert(alertHandshakeFailure)

  784. 			return errors.New("tls: server's Finished message was incorrect")

  785. 		}

  786. 	}

  787. 	c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)

  788. 	copy(out, serverFinished.verifyData)

  789. 	hs.writeServerHash(serverFinished.marshal())

  790. 	return nil

  791. }

  792. 

  793. func (hs *clientHandshakeState) readSessionTicket() error {

  794. 	c := hs.c

  795. 

  796. 	// Create a session with no server identifier. Either a

  797. 	// session ID or session ticket will be attached.

  798. 	session := &ClientSessionState{

  799. 		vers:               c.vers,

  800. 		cipherSuite:        hs.suite.id,

  801. 		masterSecret:       hs.masterSecret,

  802. 		handshakeHash:      hs.finishedHash.server.Sum(nil),

  803. 		serverCertificates: c.peerCertificates,

  804. 	}

  805. 

  806. 	if !hs.serverHello.ticketSupported {

  807. 		if c.config.Bugs.ExpectNewTicket {

  808. 			return errors.New("tls: expected new ticket")

  809. 		}

  810. 		if hs.session == nil && len(hs.serverHello.sessionId) > 0 {

  811. 			session.sessionId = hs.serverHello.sessionId

  812. 			hs.session = session

  813. 		}

  814. 		return nil

  815. 	}

  816. 

  817. 	msg, err := c.readHandshake()

  818. 	if err != nil {

  819. 		return err

  820. 	}

  821. 	sessionTicketMsg, ok := msg.(*newSessionTicketMsg)

  822. 	if !ok {

  823. 		c.sendAlert(alertUnexpectedMessage)

  824. 		return unexpectedMessageError(sessionTicketMsg, msg)

  825. 	}

  826. 

  827. 	session.sessionTicket = sessionTicketMsg.ticket

  828. 	hs.session = session

  829. 

  830. 	hs.writeServerHash(sessionTicketMsg.marshal())

  831. 

  832. 	return nil

  833. }

  834. 

  835. func (hs *clientHandshakeState) sendFinished(out []byte, isResume bool) error {

  836. 	c := hs.c

  837. 

  838. 	var postCCSBytes []byte

  839. 	seqno := hs.c.sendHandshakeSeq

  840. 	if hs.serverHello.nextProtoNeg {

  841. 		nextProto := new(nextProtoMsg)

  842. 		proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)

  843. 		nextProto.proto = proto

  844. 		c.clientProtocol = proto

  845. 		c.clientProtocolFallback = fallback

  846. 

  847. 		nextProtoBytes := nextProto.marshal()

  848. 		hs.writeHash(nextProtoBytes, seqno)

  849. 		seqno++

  850. 		postCCSBytes = append(postCCSBytes, nextProtoBytes...)

  851. 	}

  852. 

  853. 	if hs.serverHello.channelIDRequested {

  854. 		encryptedExtensions := new(encryptedExtensionsMsg)

  855. 		if c.config.ChannelID.Curve != elliptic.P256() {

  856. 			return fmt.Errorf("tls: Channel ID is not on P-256.")

  857. 		}

  858. 		var resumeHash []byte

  859. 		if isResume {

  860. 			resumeHash = hs.session.handshakeHash

  861. 		}

  862. 		r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))

  863. 		if err != nil {

  864. 			return err

  865. 		}

  866. 		channelID := make([]byte, 128)

  867. 		writeIntPadded(channelID[0:32], c.config.ChannelID.X)

  868. 		writeIntPadded(channelID[32:64], c.config.ChannelID.Y)

  869. 		writeIntPadded(channelID[64:96], r)

  870. 		writeIntPadded(channelID[96:128], s)

  871. 		encryptedExtensions.channelID = channelID

  872. 

  873. 		c.channelID = &c.config.ChannelID.PublicKey

  874. 

  875. 		encryptedExtensionsBytes := encryptedExtensions.marshal()

  876. 		hs.writeHash(encryptedExtensionsBytes, seqno)

  877. 		seqno++

  878. 		postCCSBytes = append(postCCSBytes, encryptedExtensionsBytes...)

  879. 	}

  880. 

  881. 	finished := new(finishedMsg)

  882. 	if c.config.Bugs.EarlyChangeCipherSpec == 2 {

  883. 		finished.verifyData = hs.finishedHash.clientSum(nil)

  884. 	} else {

  885. 		finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)

  886. 	}

  887. 	copy(out, finished.verifyData)

  888. 	if c.config.Bugs.BadFinished {

  889. 		finished.verifyData[0]++

  890. 	}

  891. 	c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)

  892. 	hs.finishedBytes = finished.marshal()

  893. 	hs.writeHash(hs.finishedBytes, seqno)

  894. 	postCCSBytes = append(postCCSBytes, hs.finishedBytes...)

  895. 

  896. 	if c.config.Bugs.FragmentAcrossChangeCipherSpec {

  897. 		c.writeRecord(recordTypeHandshake, postCCSBytes[:5])

  898. 		postCCSBytes = postCCSBytes[5:]

  899. 	}

  900. 	c.dtlsFlushHandshake()

  901. 

  902. 	if !c.config.Bugs.SkipChangeCipherSpec &&

  903. 		c.config.Bugs.EarlyChangeCipherSpec == 0 {

  904. 		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})

  905. 	}

  906. 

  907. 	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {

  908. 		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)

  909. 	}

  910. 	if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {

  911. 		c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)

  912. 		return errors.New("tls: simulating post-CCS alert")

  913. 	}

  914. 

  915. 	if !c.config.Bugs.SkipFinished {

  916. 		c.writeRecord(recordTypeHandshake, postCCSBytes)

  917. 		c.dtlsFlushHandshake()

  918. 	}

  919. 	return nil

  920. }

  921. 

  922. func (hs *clientHandshakeState) writeClientHash(msg []byte) {

  923. 	// writeClientHash is called before writeRecord.

  924. 	hs.writeHash(msg, hs.c.sendHandshakeSeq)

  925. }

  926. 

  927. func (hs *clientHandshakeState) writeServerHash(msg []byte) {

  928. 	// writeServerHash is called after readHandshake.

  929. 	hs.writeHash(msg, hs.c.recvHandshakeSeq-1)

  930. }

  931. 

  932. func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {

  933. 	if hs.c.isDTLS {

  934. 		// This is somewhat hacky. DTLS hashes a slightly different format.

  935. 		// First, the TLS header.

  936. 		hs.finishedHash.Write(msg[:4])

  937. 		// Then the sequence number and reassembled fragment offset (always 0).

  938. 		hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})

  939. 		// Then the reassembled fragment (always equal to the message length).

  940. 		hs.finishedHash.Write(msg[1:4])

  941. 		// And then the message body.

  942. 		hs.finishedHash.Write(msg[4:])

  943. 	} else {

  944. 		hs.finishedHash.Write(msg)

  945. 	}

  946. }

  947. 

  948. // clientSessionCacheKey returns a key used to cache sessionTickets that could

  949. // be used to resume previously negotiated TLS sessions with a server.

  950. func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {

  951. 	if len(config.ServerName) > 0 {

  952. 		return config.ServerName

  953. 	}

  954. 	return serverAddr.String()

  955. }

  956. 

  957. // mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol

  958. // given list of possible protocols and a list of the preference order. The

  959. // first list must not be empty. It returns the resulting protocol and flag

  960. // indicating if the fallback case was reached.

  961. func mutualProtocol(protos, preferenceProtos []string) (string, bool) {

  962. 	for _, s := range preferenceProtos {

  963. 		for _, c := range protos {

  964. 			if s == c {

  965. 				return s, false

  966. 			}

  967. 		}

  968. 	}

  969. 

  970. 	return protos[0], true

  971. }

  972. 

  973. // writeIntPadded writes x into b, padded up with leading zeros as

  974. // needed.

  975. func writeIntPadded(b []byte, x *big.Int) {

  976. 	for i := range b {

  977. 		b[i] = 0

  978. 	}

  979. 	xb := x.Bytes()

  980. 	copy(b[len(b)-len(xb):], xb)

  981. }