kris
/
boringssl
1
0
Форкнуть 0
Код Задачи 0 Pull Request'ы 0 Релизы 0 Вики Активность
Вы не можете выбрать более 25 тем Темы должны начинаться с буквы или цифры, могут содержать дефисы(-) и должны содержать не более 35 символов.
887 коммитов
12 Ветки
38 MiB
 
 
 
 
 
 
Дерево: d660b57208
Ветки Теги
${ item.name }
Создать ветку ${ searchTerm }
из 'd660b57208'
${ noResults }
boringssl/ssl/test/runner/handshake_client.go

924 строки
26 KiB
Исходник Вина История 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package main

  6. 

  7. import (

  8. 	"bytes"

  9. 	"crypto"

  10. 	"crypto/ecdsa"

  11. 	"crypto/elliptic"

  12. 	"crypto/rsa"

  13. 	"crypto/subtle"

  14. 	"crypto/x509"

  15. 	"encoding/asn1"

  16. 	"errors"

  17. 	"fmt"

  18. 	"io"

  19. 	"math/big"

  20. 	"net"

  21. 	"strconv"

  22. )

  23. 

  24. type clientHandshakeState struct {

  25. 	c             *Conn

  26. 	serverHello   *serverHelloMsg

  27. 	hello         *clientHelloMsg

  28. 	suite         *cipherSuite

  29. 	finishedHash  finishedHash

  30. 	masterSecret  []byte

  31. 	session       *ClientSessionState

  32. 	finishedBytes []byte

  33. }

  34. 

  35. func (c *Conn) clientHandshake() error {

  36. 	if c.config == nil {

  37. 		c.config = defaultConfig()

  38. 	}

  39. 

  40. 	if len(c.config.ServerName) == 0 && !c.config.InsecureSkipVerify {

  41. 		return errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")

  42. 	}

  43. 

  44. 	c.sendHandshakeSeq = 0

  45. 	c.recvHandshakeSeq = 0

  46. 

  47. 	nextProtosLength := 0

  48. 	for _, proto := range c.config.NextProtos {

  49. 		if l := len(proto); l == 0 || l > 255 {

  50. 			return errors.New("tls: invalid NextProtos value")

  51. 		} else {

  52. 			nextProtosLength += 1 + l

  53. 		}

  54. 	}

  55. 	if nextProtosLength > 0xffff {

  56. 		return errors.New("tls: NextProtos values too large")

  57. 	}

  58. 

  59. 	hello := &clientHelloMsg{

  60. 		isDTLS:                  c.isDTLS,

  61. 		vers:                    c.config.maxVersion(),

  62. 		compressionMethods:      []uint8{compressionNone},

  63. 		random:                  make([]byte, 32),

  64. 		ocspStapling:            true,

  65. 		serverName:              c.config.ServerName,

  66. 		supportedCurves:         c.config.curvePreferences(),

  67. 		supportedPoints:         []uint8{pointFormatUncompressed},

  68. 		nextProtoNeg:            len(c.config.NextProtos) > 0,

  69. 		secureRenegotiation:     []byte{},

  70. 		alpnProtocols:           c.config.NextProtos,

  71. 		duplicateExtension:      c.config.Bugs.DuplicateExtension,

  72. 		channelIDSupported:      c.config.ChannelID != nil,

  73. 		npnLast:                 c.config.Bugs.SwapNPNAndALPN,

  74. 		extendedMasterSecret:    c.config.maxVersion() >= VersionTLS10,

  75. 		srtpProtectionProfiles:  c.config.SRTPProtectionProfiles,

  76. 		srtpMasterKeyIdentifier: c.config.Bugs.SRTPMasterKeyIdentifer,

  77. 	}

  78. 

  79. 	if c.config.Bugs.SendClientVersion != 0 {

  80. 		hello.vers = c.config.Bugs.SendClientVersion

  81. 	}

  82. 

  83. 	if c.config.Bugs.NoExtendedMasterSecret {

  84. 		hello.extendedMasterSecret = false

  85. 	}

  86. 

  87. 	if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {

  88. 		if c.config.Bugs.BadRenegotiationInfo {

  89. 			hello.secureRenegotiation = append(hello.secureRenegotiation, c.clientVerify...)

  90. 			hello.secureRenegotiation[0] ^= 0x80

  91. 		} else {

  92. 			hello.secureRenegotiation = c.clientVerify

  93. 		}

  94. 	}

  95. 

  96. 	if c.config.Bugs.NoRenegotiationInfo {

  97. 		hello.secureRenegotiation = nil

  98. 	}

  99. 

  100. 	possibleCipherSuites := c.config.cipherSuites()

  101. 	hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))

  102. 

  103. NextCipherSuite:

  104. 	for _, suiteId := range possibleCipherSuites {

  105. 		for _, suite := range cipherSuites {

  106. 			if suite.id != suiteId {

  107. 				continue

  108. 			}

  109. 			// Don't advertise TLS 1.2-only cipher suites unless

  110. 			// we're attempting TLS 1.2.

  111. 			if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {

  112. 				continue

  113. 			}

  114. 			// Don't advertise non-DTLS cipher suites on DTLS.

  115. 			if c.isDTLS && suite.flags&suiteNoDTLS != 0 {

  116. 				continue

  117. 			}

  118. 			hello.cipherSuites = append(hello.cipherSuites, suiteId)

  119. 			continue NextCipherSuite

  120. 		}

  121. 	}

  122. 

  123. 	if c.config.Bugs.SendFallbackSCSV {

  124. 		hello.cipherSuites = append(hello.cipherSuites, fallbackSCSV)

  125. 	}

  126. 

  127. 	_, err := io.ReadFull(c.config.rand(), hello.random)

  128. 	if err != nil {

  129. 		c.sendAlert(alertInternalError)

  130. 		return errors.New("tls: short read from Rand: " + err.Error())

  131. 	}

  132. 

  133. 	if hello.vers >= VersionTLS12 && !c.config.Bugs.NoSignatureAndHashes {

  134. 		hello.signatureAndHashes = c.config.signatureAndHashesForClient()

  135. 	}

  136. 

  137. 	var session *ClientSessionState

  138. 	var cacheKey string

  139. 	sessionCache := c.config.ClientSessionCache

  140. 

  141. 	if sessionCache != nil {

  142. 		hello.ticketSupported = !c.config.SessionTicketsDisabled

  143. 

  144. 		// Try to resume a previously negotiated TLS session, if

  145. 		// available.

  146. 		cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)

  147. 		candidateSession, ok := sessionCache.Get(cacheKey)

  148. 		if ok {

  149. 			ticketOk := !c.config.SessionTicketsDisabled || candidateSession.sessionTicket == nil

  150. 

  151. 			// Check that the ciphersuite/version used for the

  152. 			// previous session are still valid.

  153. 			cipherSuiteOk := false

  154. 			for _, id := range hello.cipherSuites {

  155. 				if id == candidateSession.cipherSuite {

  156. 					cipherSuiteOk = true

  157. 					break

  158. 				}

  159. 			}

  160. 

  161. 			versOk := candidateSession.vers >= c.config.minVersion() &&

  162. 				candidateSession.vers <= c.config.maxVersion()

  163. 			if ticketOk && versOk && cipherSuiteOk {

  164. 				session = candidateSession

  165. 			}

  166. 		}

  167. 	}

  168. 

  169. 	if session != nil {

  170. 		if session.sessionTicket != nil {

  171. 			hello.sessionTicket = session.sessionTicket

  172. 			if c.config.Bugs.CorruptTicket {

  173. 				hello.sessionTicket = make([]byte, len(session.sessionTicket))

  174. 				copy(hello.sessionTicket, session.sessionTicket)

  175. 				if len(hello.sessionTicket) > 0 {

  176. 					offset := 40

  177. 					if offset > len(hello.sessionTicket) {

  178. 						offset = len(hello.sessionTicket) - 1

  179. 					}

  180. 					hello.sessionTicket[offset] ^= 0x40

  181. 				}

  182. 			}

  183. 			// A random session ID is used to detect when the

  184. 			// server accepted the ticket and is resuming a session

  185. 			// (see RFC 5077).

  186. 			sessionIdLen := 16

  187. 			if c.config.Bugs.OversizedSessionId {

  188. 				sessionIdLen = 33

  189. 			}

  190. 			hello.sessionId = make([]byte, sessionIdLen)

  191. 			if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {

  192. 				c.sendAlert(alertInternalError)

  193. 				return errors.New("tls: short read from Rand: " + err.Error())

  194. 			}

  195. 		} else {

  196. 			hello.sessionId = session.sessionId

  197. 		}

  198. 	}

  199. 

  200. 	var helloBytes []byte

  201. 	if c.config.Bugs.SendV2ClientHello {

  202. 		// Test that the peer left-pads random.

  203. 		hello.random[0] = 0

  204. 		v2Hello := &v2ClientHelloMsg{

  205. 			vers:         hello.vers,

  206. 			cipherSuites: hello.cipherSuites,

  207. 			// No session resumption for V2ClientHello.

  208. 			sessionId: nil,

  209. 			challenge: hello.random[1:],

  210. 		}

  211. 		helloBytes = v2Hello.marshal()

  212. 		c.writeV2Record(helloBytes)

  213. 	} else {

  214. 		helloBytes = hello.marshal()

  215. 		c.writeRecord(recordTypeHandshake, helloBytes)

  216. 	}

  217. 

  218. 	if err := c.simulatePacketLoss(nil); err != nil {

  219. 		return err

  220. 	}

  221. 	msg, err := c.readHandshake()

  222. 	if err != nil {

  223. 		return err

  224. 	}

  225. 

  226. 	if c.isDTLS {

  227. 		helloVerifyRequest, ok := msg.(*helloVerifyRequestMsg)

  228. 		if ok {

  229. 			if helloVerifyRequest.vers != VersionTLS10 {

  230. 				// Per RFC 6347, the version field in

  231. 				// HelloVerifyRequest SHOULD be always DTLS

  232. 				// 1.0. Enforce this for testing purposes.

  233. 				return errors.New("dtls: bad HelloVerifyRequest version")

  234. 			}

  235. 

  236. 			hello.raw = nil

  237. 			hello.cookie = helloVerifyRequest.cookie

  238. 			helloBytes = hello.marshal()

  239. 			c.writeRecord(recordTypeHandshake, helloBytes)

  240. 

  241. 			if err := c.simulatePacketLoss(nil); err != nil {

  242. 				return err

  243. 			}

  244. 			msg, err = c.readHandshake()

  245. 			if err != nil {

  246. 				return err

  247. 			}

  248. 		}

  249. 	}

  250. 

  251. 	serverHello, ok := msg.(*serverHelloMsg)

  252. 	if !ok {

  253. 		c.sendAlert(alertUnexpectedMessage)

  254. 		return unexpectedMessageError(serverHello, msg)

  255. 	}

  256. 

  257. 	c.vers, ok = c.config.mutualVersion(serverHello.vers)

  258. 	if !ok {

  259. 		c.sendAlert(alertProtocolVersion)

  260. 		return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)

  261. 	}

  262. 	c.haveVers = true

  263. 

  264. 	suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)

  265. 	if suite == nil {

  266. 		c.sendAlert(alertHandshakeFailure)

  267. 		return fmt.Errorf("tls: server selected an unsupported cipher suite")

  268. 	}

  269. 

  270. 	if len(c.clientVerify) > 0 && !c.config.Bugs.NoRenegotiationInfo {

  271. 		var expectedRenegInfo []byte

  272. 		expectedRenegInfo = append(expectedRenegInfo, c.clientVerify...)

  273. 		expectedRenegInfo = append(expectedRenegInfo, c.serverVerify...)

  274. 		if !bytes.Equal(serverHello.secureRenegotiation, expectedRenegInfo) {

  275. 			c.sendAlert(alertHandshakeFailure)

  276. 			return fmt.Errorf("tls: renegotiation mismatch")

  277. 		}

  278. 	}

  279. 

  280. 	hs := &clientHandshakeState{

  281. 		c:            c,

  282. 		serverHello:  serverHello,

  283. 		hello:        hello,

  284. 		suite:        suite,

  285. 		finishedHash: newFinishedHash(c.vers, suite),

  286. 		session:      session,

  287. 	}

  288. 

  289. 	hs.writeHash(helloBytes, hs.c.sendHandshakeSeq-1)

  290. 	hs.writeServerHash(hs.serverHello.marshal())

  291. 

  292. 	if c.config.Bugs.EarlyChangeCipherSpec > 0 {

  293. 		hs.establishKeys()

  294. 		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})

  295. 	}

  296. 

  297. 	isResume, err := hs.processServerHello()

  298. 	if err != nil {

  299. 		return err

  300. 	}

  301. 

  302. 	if isResume {

  303. 		if c.config.Bugs.EarlyChangeCipherSpec == 0 {

  304. 			if err := hs.establishKeys(); err != nil {

  305. 				return err

  306. 			}

  307. 		}

  308. 		if err := hs.readSessionTicket(); err != nil {

  309. 			return err

  310. 		}

  311. 		if err := hs.readFinished(); err != nil {

  312. 			return err

  313. 		}

  314. 		if err := hs.sendFinished(isResume); err != nil {

  315. 			return err

  316. 		}

  317. 	} else {

  318. 		if err := hs.doFullHandshake(); err != nil {

  319. 			return err

  320. 		}

  321. 		if err := hs.establishKeys(); err != nil {

  322. 			return err

  323. 		}

  324. 		if err := hs.sendFinished(isResume); err != nil {

  325. 			return err

  326. 		}

  327. 		// Most retransmits are triggered by a timeout, but the final

  328. 		// leg of the handshake is retransmited upon re-receiving a

  329. 		// Finished.

  330. 		if err := c.simulatePacketLoss(func() { c.writeRecord(recordTypeHandshake, hs.finishedBytes) }); err != nil {

  331. 			return err

  332. 		}

  333. 		if err := hs.readSessionTicket(); err != nil {

  334. 			return err

  335. 		}

  336. 		if err := hs.readFinished(); err != nil {

  337. 			return err

  338. 		}

  339. 	}

  340. 

  341. 	if sessionCache != nil && hs.session != nil && session != hs.session {

  342. 		sessionCache.Put(cacheKey, hs.session)

  343. 	}

  344. 

  345. 	c.didResume = isResume

  346. 	c.handshakeComplete = true

  347. 	c.cipherSuite = suite.id

  348. 	return nil

  349. }

  350. 

  351. func (hs *clientHandshakeState) doFullHandshake() error {

  352. 	c := hs.c

  353. 

  354. 	var leaf *x509.Certificate

  355. 	if hs.suite.flags&suitePSK == 0 {

  356. 		msg, err := c.readHandshake()

  357. 		if err != nil {

  358. 			return err

  359. 		}

  360. 

  361. 		certMsg, ok := msg.(*certificateMsg)

  362. 		if !ok || len(certMsg.certificates) == 0 {

  363. 			c.sendAlert(alertUnexpectedMessage)

  364. 			return unexpectedMessageError(certMsg, msg)

  365. 		}

  366. 		hs.writeServerHash(certMsg.marshal())

  367. 

  368. 		certs := make([]*x509.Certificate, len(certMsg.certificates))

  369. 		for i, asn1Data := range certMsg.certificates {

  370. 			cert, err := x509.ParseCertificate(asn1Data)

  371. 			if err != nil {

  372. 				c.sendAlert(alertBadCertificate)

  373. 				return errors.New("tls: failed to parse certificate from server: " + err.Error())

  374. 			}

  375. 			certs[i] = cert

  376. 		}

  377. 		leaf = certs[0]

  378. 

  379. 		if !c.config.InsecureSkipVerify {

  380. 			opts := x509.VerifyOptions{

  381. 				Roots:         c.config.RootCAs,

  382. 				CurrentTime:   c.config.time(),

  383. 				DNSName:       c.config.ServerName,

  384. 				Intermediates: x509.NewCertPool(),

  385. 			}

  386. 

  387. 			for i, cert := range certs {

  388. 				if i == 0 {

  389. 					continue

  390. 				}

  391. 				opts.Intermediates.AddCert(cert)

  392. 			}

  393. 			c.verifiedChains, err = leaf.Verify(opts)

  394. 			if err != nil {

  395. 				c.sendAlert(alertBadCertificate)

  396. 				return err

  397. 			}

  398. 		}

  399. 

  400. 		switch leaf.PublicKey.(type) {

  401. 		case *rsa.PublicKey, *ecdsa.PublicKey:

  402. 			break

  403. 		default:

  404. 			c.sendAlert(alertUnsupportedCertificate)

  405. 			return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leaf.PublicKey)

  406. 		}

  407. 

  408. 		c.peerCertificates = certs

  409. 	}

  410. 

  411. 	if hs.serverHello.ocspStapling {

  412. 		msg, err := c.readHandshake()

  413. 		if err != nil {

  414. 			return err

  415. 		}

  416. 		cs, ok := msg.(*certificateStatusMsg)

  417. 		if !ok {

  418. 			c.sendAlert(alertUnexpectedMessage)

  419. 			return unexpectedMessageError(cs, msg)

  420. 		}

  421. 		hs.writeServerHash(cs.marshal())

  422. 

  423. 		if cs.statusType == statusTypeOCSP {

  424. 			c.ocspResponse = cs.response

  425. 		}

  426. 	}

  427. 

  428. 	msg, err := c.readHandshake()

  429. 	if err != nil {

  430. 		return err

  431. 	}

  432. 

  433. 	keyAgreement := hs.suite.ka(c.vers)

  434. 

  435. 	skx, ok := msg.(*serverKeyExchangeMsg)

  436. 	if ok {

  437. 		hs.writeServerHash(skx.marshal())

  438. 		err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, leaf, skx)

  439. 		if err != nil {

  440. 			c.sendAlert(alertUnexpectedMessage)

  441. 			return err

  442. 		}

  443. 

  444. 		msg, err = c.readHandshake()

  445. 		if err != nil {

  446. 			return err

  447. 		}

  448. 	}

  449. 

  450. 	var chainToSend *Certificate

  451. 	var certRequested bool

  452. 	certReq, ok := msg.(*certificateRequestMsg)

  453. 	if ok {

  454. 		certRequested = true

  455. 

  456. 		// RFC 4346 on the certificateAuthorities field:

  457. 		// A list of the distinguished names of acceptable certificate

  458. 		// authorities. These distinguished names may specify a desired

  459. 		// distinguished name for a root CA or for a subordinate CA;

  460. 		// thus, this message can be used to describe both known roots

  461. 		// and a desired authorization space. If the

  462. 		// certificate_authorities list is empty then the client MAY

  463. 		// send any certificate of the appropriate

  464. 		// ClientCertificateType, unless there is some external

  465. 		// arrangement to the contrary.

  466. 

  467. 		hs.writeServerHash(certReq.marshal())

  468. 

  469. 		var rsaAvail, ecdsaAvail bool

  470. 		for _, certType := range certReq.certificateTypes {

  471. 			switch certType {

  472. 			case CertTypeRSASign:

  473. 				rsaAvail = true

  474. 			case CertTypeECDSASign:

  475. 				ecdsaAvail = true

  476. 			}

  477. 		}

  478. 

  479. 		// We need to search our list of client certs for one

  480. 		// where SignatureAlgorithm is RSA and the Issuer is in

  481. 		// certReq.certificateAuthorities

  482. 	findCert:

  483. 		for i, chain := range c.config.Certificates {

  484. 			if !rsaAvail && !ecdsaAvail {

  485. 				continue

  486. 			}

  487. 

  488. 			for j, cert := range chain.Certificate {

  489. 				x509Cert := chain.Leaf

  490. 				// parse the certificate if this isn't the leaf

  491. 				// node, or if chain.Leaf was nil

  492. 				if j != 0 || x509Cert == nil {

  493. 					if x509Cert, err = x509.ParseCertificate(cert); err != nil {

  494. 						c.sendAlert(alertInternalError)

  495. 						return errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())

  496. 					}

  497. 				}

  498. 

  499. 				switch {

  500. 				case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:

  501. 				case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:

  502. 				default:

  503. 					continue findCert

  504. 				}

  505. 

  506. 				if len(certReq.certificateAuthorities) == 0 {

  507. 					// they gave us an empty list, so just take the

  508. 					// first RSA cert from c.config.Certificates

  509. 					chainToSend = &chain

  510. 					break findCert

  511. 				}

  512. 

  513. 				for _, ca := range certReq.certificateAuthorities {

  514. 					if bytes.Equal(x509Cert.RawIssuer, ca) {

  515. 						chainToSend = &chain

  516. 						break findCert

  517. 					}

  518. 				}

  519. 			}

  520. 		}

  521. 

  522. 		msg, err = c.readHandshake()

  523. 		if err != nil {

  524. 			return err

  525. 		}

  526. 	}

  527. 

  528. 	shd, ok := msg.(*serverHelloDoneMsg)

  529. 	if !ok {

  530. 		c.sendAlert(alertUnexpectedMessage)

  531. 		return unexpectedMessageError(shd, msg)

  532. 	}

  533. 	hs.writeServerHash(shd.marshal())

  534. 

  535. 	// If the server requested a certificate then we have to send a

  536. 	// Certificate message, even if it's empty because we don't have a

  537. 	// certificate to send.

  538. 	if certRequested {

  539. 		certMsg := new(certificateMsg)

  540. 		if chainToSend != nil {

  541. 			certMsg.certificates = chainToSend.Certificate

  542. 		}

  543. 		hs.writeClientHash(certMsg.marshal())

  544. 		c.writeRecord(recordTypeHandshake, certMsg.marshal())

  545. 	}

  546. 

  547. 	preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, leaf)

  548. 	if err != nil {

  549. 		c.sendAlert(alertInternalError)

  550. 		return err

  551. 	}

  552. 	if ckx != nil {

  553. 		if c.config.Bugs.EarlyChangeCipherSpec < 2 {

  554. 			hs.writeClientHash(ckx.marshal())

  555. 		}

  556. 		c.writeRecord(recordTypeHandshake, ckx.marshal())

  557. 	}

  558. 

  559. 	if hs.serverHello.extendedMasterSecret && c.vers >= VersionTLS10 {

  560. 		hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)

  561. 		c.extendedMasterSecret = true

  562. 	} else {

  563. 		if c.config.Bugs.RequireExtendedMasterSecret {

  564. 			return errors.New("tls: extended master secret required but not supported by peer")

  565. 		}

  566. 		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)

  567. 	}

  568. 

  569. 	if chainToSend != nil {

  570. 		var signed []byte

  571. 		certVerify := &certificateVerifyMsg{

  572. 			hasSignatureAndHash: c.vers >= VersionTLS12,

  573. 		}

  574. 

  575. 		switch key := c.config.Certificates[0].PrivateKey.(type) {

  576. 		case *ecdsa.PrivateKey:

  577. 			certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureECDSA)

  578. 			if err != nil {

  579. 				break

  580. 			}

  581. 			var digest []byte

  582. 			digest, _, err = hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)

  583. 			if err != nil {

  584. 				break

  585. 			}

  586. 			var r, s *big.Int

  587. 			r, s, err = ecdsa.Sign(c.config.rand(), key, digest)

  588. 			if err == nil {

  589. 				signed, err = asn1.Marshal(ecdsaSignature{r, s})

  590. 			}

  591. 		case *rsa.PrivateKey:

  592. 			certVerify.signatureAndHash, err = hs.finishedHash.selectClientCertSignatureAlgorithm(certReq.signatureAndHashes, signatureRSA)

  593. 			if err != nil {

  594. 				break

  595. 			}

  596. 			var digest []byte

  597. 			var hashFunc crypto.Hash

  598. 			digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(certVerify.signatureAndHash, hs.masterSecret)

  599. 			if err != nil {

  600. 				break

  601. 			}

  602. 			signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)

  603. 		default:

  604. 			err = errors.New("unknown private key type")

  605. 		}

  606. 		if err != nil {

  607. 			c.sendAlert(alertInternalError)

  608. 			return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())

  609. 		}

  610. 		certVerify.signature = signed

  611. 

  612. 		hs.writeClientHash(certVerify.marshal())

  613. 		c.writeRecord(recordTypeHandshake, certVerify.marshal())

  614. 	}

  615. 

  616. 	hs.finishedHash.discardHandshakeBuffer()

  617. 

  618. 	return nil

  619. }

  620. 

  621. func (hs *clientHandshakeState) establishKeys() error {

  622. 	c := hs.c

  623. 

  624. 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=

  625. 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)

  626. 	var clientCipher, serverCipher interface{}

  627. 	var clientHash, serverHash macFunction

  628. 	if hs.suite.cipher != nil {

  629. 		clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)

  630. 		clientHash = hs.suite.mac(c.vers, clientMAC)

  631. 		serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)

  632. 		serverHash = hs.suite.mac(c.vers, serverMAC)

  633. 	} else {

  634. 		clientCipher = hs.suite.aead(clientKey, clientIV)

  635. 		serverCipher = hs.suite.aead(serverKey, serverIV)

  636. 	}

  637. 

  638. 	c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)

  639. 	c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)

  640. 	return nil

  641. }

  642. 

  643. func (hs *clientHandshakeState) serverResumedSession() bool {

  644. 	// If the server responded with the same sessionId then it means the

  645. 	// sessionTicket is being used to resume a TLS session.

  646. 	return hs.session != nil && hs.hello.sessionId != nil &&

  647. 		bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)

  648. }

  649. 

  650. func (hs *clientHandshakeState) processServerHello() (bool, error) {

  651. 	c := hs.c

  652. 

  653. 	if hs.serverHello.compressionMethod != compressionNone {

  654. 		c.sendAlert(alertUnexpectedMessage)

  655. 		return false, errors.New("tls: server selected unsupported compression format")

  656. 	}

  657. 

  658. 	clientDidNPN := hs.hello.nextProtoNeg

  659. 	clientDidALPN := len(hs.hello.alpnProtocols) > 0

  660. 	serverHasNPN := hs.serverHello.nextProtoNeg

  661. 	serverHasALPN := len(hs.serverHello.alpnProtocol) > 0

  662. 

  663. 	if !clientDidNPN && serverHasNPN {

  664. 		c.sendAlert(alertHandshakeFailure)

  665. 		return false, errors.New("server advertised unrequested NPN extension")

  666. 	}

  667. 

  668. 	if !clientDidALPN && serverHasALPN {

  669. 		c.sendAlert(alertHandshakeFailure)

  670. 		return false, errors.New("server advertised unrequested ALPN extension")

  671. 	}

  672. 

  673. 	if serverHasNPN && serverHasALPN {

  674. 		c.sendAlert(alertHandshakeFailure)

  675. 		return false, errors.New("server advertised both NPN and ALPN extensions")

  676. 	}

  677. 

  678. 	if serverHasALPN {

  679. 		c.clientProtocol = hs.serverHello.alpnProtocol

  680. 		c.clientProtocolFallback = false

  681. 		c.usedALPN = true

  682. 	}

  683. 

  684. 	if !hs.hello.channelIDSupported && hs.serverHello.channelIDRequested {

  685. 		c.sendAlert(alertHandshakeFailure)

  686. 		return false, errors.New("server advertised unrequested Channel ID extension")

  687. 	}

  688. 

  689. 	if hs.serverHello.srtpProtectionProfile != 0 {

  690. 		if hs.serverHello.srtpMasterKeyIdentifier != "" {

  691. 			return false, errors.New("tls: server selected SRTP MKI value")

  692. 		}

  693. 

  694. 		found := false

  695. 		for _, p := range c.config.SRTPProtectionProfiles {

  696. 			if p == hs.serverHello.srtpProtectionProfile {

  697. 				found = true

  698. 				break

  699. 			}

  700. 		}

  701. 		if !found {

  702. 			return false, errors.New("tls: server advertised unsupported SRTP profile")

  703. 		}

  704. 

  705. 		c.srtpProtectionProfile = hs.serverHello.srtpProtectionProfile

  706. 	}

  707. 

  708. 	if hs.serverResumedSession() {

  709. 		// Restore masterSecret and peerCerts from previous state

  710. 		hs.masterSecret = hs.session.masterSecret

  711. 		c.peerCertificates = hs.session.serverCertificates

  712. 		c.extendedMasterSecret = hs.session.extendedMasterSecret

  713. 		hs.finishedHash.discardHandshakeBuffer()

  714. 		return true, nil

  715. 	}

  716. 	return false, nil

  717. }

  718. 

  719. func (hs *clientHandshakeState) readFinished() error {

  720. 	c := hs.c

  721. 

  722. 	c.readRecord(recordTypeChangeCipherSpec)

  723. 	if err := c.in.error(); err != nil {

  724. 		return err

  725. 	}

  726. 

  727. 	msg, err := c.readHandshake()

  728. 	if err != nil {

  729. 		return err

  730. 	}

  731. 	serverFinished, ok := msg.(*finishedMsg)

  732. 	if !ok {

  733. 		c.sendAlert(alertUnexpectedMessage)

  734. 		return unexpectedMessageError(serverFinished, msg)

  735. 	}

  736. 

  737. 	if c.config.Bugs.EarlyChangeCipherSpec == 0 {

  738. 		verify := hs.finishedHash.serverSum(hs.masterSecret)

  739. 		if len(verify) != len(serverFinished.verifyData) ||

  740. 			subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {

  741. 			c.sendAlert(alertHandshakeFailure)

  742. 			return errors.New("tls: server's Finished message was incorrect")

  743. 		}

  744. 	}

  745. 	c.serverVerify = append(c.serverVerify[:0], serverFinished.verifyData...)

  746. 	hs.writeServerHash(serverFinished.marshal())

  747. 	return nil

  748. }

  749. 

  750. func (hs *clientHandshakeState) readSessionTicket() error {

  751. 	c := hs.c

  752. 

  753. 	// Create a session with no server identifier. Either a

  754. 	// session ID or session ticket will be attached.

  755. 	session := &ClientSessionState{

  756. 		vers:               c.vers,

  757. 		cipherSuite:        hs.suite.id,

  758. 		masterSecret:       hs.masterSecret,

  759. 		handshakeHash:      hs.finishedHash.server.Sum(nil),

  760. 		serverCertificates: c.peerCertificates,

  761. 	}

  762. 

  763. 	if !hs.serverHello.ticketSupported {

  764. 		if hs.session == nil && len(hs.serverHello.sessionId) > 0 {

  765. 			session.sessionId = hs.serverHello.sessionId

  766. 			hs.session = session

  767. 		}

  768. 		return nil

  769. 	}

  770. 

  771. 	msg, err := c.readHandshake()

  772. 	if err != nil {

  773. 		return err

  774. 	}

  775. 	sessionTicketMsg, ok := msg.(*newSessionTicketMsg)

  776. 	if !ok {

  777. 		c.sendAlert(alertUnexpectedMessage)

  778. 		return unexpectedMessageError(sessionTicketMsg, msg)

  779. 	}

  780. 

  781. 	session.sessionTicket = sessionTicketMsg.ticket

  782. 	hs.session = session

  783. 

  784. 	hs.writeServerHash(sessionTicketMsg.marshal())

  785. 

  786. 	return nil

  787. }

  788. 

  789. func (hs *clientHandshakeState) sendFinished(isResume bool) error {

  790. 	c := hs.c

  791. 

  792. 	var postCCSBytes []byte

  793. 	seqno := hs.c.sendHandshakeSeq

  794. 	if hs.serverHello.nextProtoNeg {

  795. 		nextProto := new(nextProtoMsg)

  796. 		proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)

  797. 		nextProto.proto = proto

  798. 		c.clientProtocol = proto

  799. 		c.clientProtocolFallback = fallback

  800. 

  801. 		nextProtoBytes := nextProto.marshal()

  802. 		hs.writeHash(nextProtoBytes, seqno)

  803. 		seqno++

  804. 		postCCSBytes = append(postCCSBytes, nextProtoBytes...)

  805. 	}

  806. 

  807. 	if hs.serverHello.channelIDRequested {

  808. 		encryptedExtensions := new(encryptedExtensionsMsg)

  809. 		if c.config.ChannelID.Curve != elliptic.P256() {

  810. 			return fmt.Errorf("tls: Channel ID is not on P-256.")

  811. 		}

  812. 		var resumeHash []byte

  813. 		if isResume {

  814. 			resumeHash = hs.session.handshakeHash

  815. 		}

  816. 		r, s, err := ecdsa.Sign(c.config.rand(), c.config.ChannelID, hs.finishedHash.hashForChannelID(resumeHash))

  817. 		if err != nil {

  818. 			return err

  819. 		}

  820. 		channelID := make([]byte, 128)

  821. 		writeIntPadded(channelID[0:32], c.config.ChannelID.X)

  822. 		writeIntPadded(channelID[32:64], c.config.ChannelID.Y)

  823. 		writeIntPadded(channelID[64:96], r)

  824. 		writeIntPadded(channelID[96:128], s)

  825. 		encryptedExtensions.channelID = channelID

  826. 

  827. 		c.channelID = &c.config.ChannelID.PublicKey

  828. 

  829. 		encryptedExtensionsBytes := encryptedExtensions.marshal()

  830. 		hs.writeHash(encryptedExtensionsBytes, seqno)

  831. 		seqno++

  832. 		postCCSBytes = append(postCCSBytes, encryptedExtensionsBytes...)

  833. 	}

  834. 

  835. 	finished := new(finishedMsg)

  836. 	if c.config.Bugs.EarlyChangeCipherSpec == 2 {

  837. 		finished.verifyData = hs.finishedHash.clientSum(nil)

  838. 	} else {

  839. 		finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)

  840. 	}

  841. 	c.clientVerify = append(c.clientVerify[:0], finished.verifyData...)

  842. 	hs.finishedBytes = finished.marshal()

  843. 	hs.writeHash(hs.finishedBytes, seqno)

  844. 	postCCSBytes = append(postCCSBytes, hs.finishedBytes...)

  845. 

  846. 	if c.config.Bugs.FragmentAcrossChangeCipherSpec {

  847. 		c.writeRecord(recordTypeHandshake, postCCSBytes[:5])

  848. 		postCCSBytes = postCCSBytes[5:]

  849. 	}

  850. 

  851. 	if !c.config.Bugs.SkipChangeCipherSpec &&

  852. 		c.config.Bugs.EarlyChangeCipherSpec == 0 {

  853. 		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})

  854. 	}

  855. 

  856. 	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {

  857. 		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)

  858. 	}

  859. 

  860. 	c.writeRecord(recordTypeHandshake, postCCSBytes)

  861. 	return nil

  862. }

  863. 

  864. func (hs *clientHandshakeState) writeClientHash(msg []byte) {

  865. 	// writeClientHash is called before writeRecord.

  866. 	hs.writeHash(msg, hs.c.sendHandshakeSeq)

  867. }

  868. 

  869. func (hs *clientHandshakeState) writeServerHash(msg []byte) {

  870. 	// writeServerHash is called after readHandshake.

  871. 	hs.writeHash(msg, hs.c.recvHandshakeSeq-1)

  872. }

  873. 

  874. func (hs *clientHandshakeState) writeHash(msg []byte, seqno uint16) {

  875. 	if hs.c.isDTLS {

  876. 		// This is somewhat hacky. DTLS hashes a slightly different format.

  877. 		// First, the TLS header.

  878. 		hs.finishedHash.Write(msg[:4])

  879. 		// Then the sequence number and reassembled fragment offset (always 0).

  880. 		hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})

  881. 		// Then the reassembled fragment (always equal to the message length).

  882. 		hs.finishedHash.Write(msg[1:4])

  883. 		// And then the message body.

  884. 		hs.finishedHash.Write(msg[4:])

  885. 	} else {

  886. 		hs.finishedHash.Write(msg)

  887. 	}

  888. }

  889. 

  890. // clientSessionCacheKey returns a key used to cache sessionTickets that could

  891. // be used to resume previously negotiated TLS sessions with a server.

  892. func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {

  893. 	if len(config.ServerName) > 0 {

  894. 		return config.ServerName

  895. 	}

  896. 	return serverAddr.String()

  897. }

  898. 

  899. // mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol

  900. // given list of possible protocols and a list of the preference order. The

  901. // first list must not be empty. It returns the resulting protocol and flag

  902. // indicating if the fallback case was reached.

  903. func mutualProtocol(protos, preferenceProtos []string) (string, bool) {

  904. 	for _, s := range preferenceProtos {

  905. 		for _, c := range protos {

  906. 			if s == c {

  907. 				return s, false

  908. 			}

  909. 		}

  910. 	}

  911. 

  912. 	return protos[0], true

  913. }

  914. 

  915. // writeIntPadded writes x into b, padded up with leading zeros as

  916. // needed.

  917. func writeIntPadded(b []byte, x *big.Int) {

  918. 	for i := range b {

  919. 		b[i] = 0

  920. 	}

  921. 	xb := x.Bytes()

  922. 	copy(b[len(b)-len(xb):], xb)

  923. }