1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "crypto/subtle" 15 "crypto/x509" 16 "errors" 17 "fmt" 18 "io" 19 "math/big" 20 "time" 21 22 "boringssl.googlesource.com/boringssl/ssl/test/runner/hpke" 23 "golang.org/x/crypto/cryptobyte" 24) 25 26// serverHandshakeState contains details of a server handshake in progress. 27// It's discarded once the handshake has completed. 28type serverHandshakeState struct { 29 c *Conn 30 clientHello *clientHelloMsg 31 hello *serverHelloMsg 32 suite *cipherSuite 33 ellipticOk bool 34 ecdsaOk bool 35 sessionState *sessionState 36 finishedHash finishedHash 37 masterSecret []byte 38 certsFromClient [][]byte 39 cert *Credential 40 finishedBytes []byte 41 echHPKEContext *hpke.Context 42 echConfigID uint8 43} 44 45// serverHandshake performs a TLS handshake as a server. 46func (c *Conn) serverHandshake() error { 47 config := c.config 48 49 // If this is the first server handshake, we generate a random key to 50 // encrypt the tickets with. 51 config.serverInitOnce.Do(config.serverInit) 52 53 c.sendHandshakeSeq = 0 54 c.recvHandshakeSeq = 0 55 56 hs := serverHandshakeState{ 57 c: c, 58 } 59 if err := hs.readClientHello(); err != nil { 60 return err 61 } 62 63 if c.vers >= VersionTLS13 { 64 if err := hs.doTLS13Handshake(); err != nil { 65 return err 66 } 67 } else { 68 isResume, err := hs.processClientHello() 69 if err != nil { 70 return err 71 } 72 73 // We only implement enough of SSL 3.0 to test that the client doesn't: 74 // if negotiated (possibly with the NegotiateVersion bug), we send a 75 // ServerHello and look for the resulting client protocol_version alert. 76 if c.vers == VersionSSL30 { 77 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 78 c.flushHandshake() 79 if _, err := c.readHandshake(); err != nil { 80 return err 81 } 82 return errors.New("tls: client did not reject an SSL 3.0 ServerHello") 83 } 84 85 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 86 if isResume { 87 // The client has included a session ticket and so we do an abbreviated handshake. 88 if err := hs.doResumeHandshake(); err != nil { 89 return err 90 } 91 if err := hs.establishKeys(); err != nil { 92 return err 93 } 94 if c.config.Bugs.RenewTicketOnResume { 95 if err := hs.sendSessionTicket(); err != nil { 96 return err 97 } 98 } 99 if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil { 100 return err 101 } 102 // Most retransmits are triggered by a timeout, but the final 103 // leg of the handshake is retransmited upon re-receiving a 104 // Finished. 105 if err := c.simulatePacketLoss(func() { 106 c.sendHandshakeSeq-- 107 c.writeRecord(recordTypeHandshake, hs.finishedBytes) 108 c.flushHandshake() 109 }); err != nil { 110 return err 111 } 112 if err := hs.readFinished(nil, isResume); err != nil { 113 return err 114 } 115 c.didResume = true 116 } else { 117 // The client didn't include a session ticket, or it wasn't 118 // valid so we do a full handshake. 119 if err := hs.doFullHandshake(); err != nil { 120 return err 121 } 122 if err := hs.establishKeys(); err != nil { 123 return err 124 } 125 if err := hs.readFinished(c.firstFinished[:], isResume); err != nil { 126 return err 127 } 128 if c.config.Bugs.AlertBeforeFalseStartTest != 0 { 129 c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest) 130 } 131 if c.config.Bugs.ExpectFalseStart { 132 if err := c.readRecord(recordTypeApplicationData); err != nil { 133 return fmt.Errorf("tls: peer did not false start: %s", err) 134 } 135 } 136 if err := hs.sendSessionTicket(); err != nil { 137 return err 138 } 139 if err := hs.sendFinished(nil, isResume); err != nil { 140 return err 141 } 142 } 143 144 c.exporterSecret = hs.masterSecret 145 } 146 c.handshakeComplete = true 147 copy(c.clientRandom[:], hs.clientHello.random) 148 copy(c.serverRandom[:], hs.hello.random) 149 150 return nil 151} 152 153// readClientHello reads a ClientHello message from the client and determines 154// the protocol version. 155func (hs *serverHandshakeState) readClientHello() error { 156 config := hs.c.config 157 c := hs.c 158 159 if err := c.simulatePacketLoss(nil); err != nil { 160 return err 161 } 162 msg, err := c.readHandshake() 163 if err != nil { 164 return err 165 } 166 var ok bool 167 hs.clientHello, ok = msg.(*clientHelloMsg) 168 if !ok { 169 c.sendAlert(alertUnexpectedMessage) 170 return unexpectedMessageError(hs.clientHello, msg) 171 } 172 if size := config.Bugs.RequireClientHelloSize; size != 0 && len(hs.clientHello.raw) != size { 173 return fmt.Errorf("tls: ClientHello record size is %d, but expected %d", len(hs.clientHello.raw), size) 174 } 175 if isAllZero(hs.clientHello.random) { 176 // If the client forgets to fill in the client random, it will likely be 177 // all zero. 178 return errors.New("tls: ClientHello random was all zero") 179 } 180 181 if expected := config.Bugs.ExpectOuterServerName; len(expected) != 0 && expected != hs.clientHello.serverName { 182 return fmt.Errorf("tls: unexpected ClientHelloOuter server name: wanted %q, got %q", expected, hs.clientHello.serverName) 183 } 184 185 // We check this both before and after decrypting ECH. 186 if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE { 187 return errors.New("tls: no GREASE extension found") 188 } 189 190 if config.Bugs.ExpectClientECH && hs.clientHello.echOuter == nil { 191 return errors.New("tls: expected client to offer ECH") 192 } 193 if config.Bugs.ExpectNoClientECH && hs.clientHello.echOuter != nil { 194 return errors.New("tls: expected client not to offer ECH") 195 } 196 197 if echOuter := hs.clientHello.echOuter; echOuter != nil { 198 for _, candidate := range config.ServerECHConfigs { 199 if candidate.ECHConfig.ConfigID != echOuter.configID { 200 continue 201 } 202 var found bool 203 for _, suite := range candidate.ECHConfig.CipherSuites { 204 if echOuter.kdfID == suite.KDF && echOuter.aeadID == suite.AEAD { 205 found = true 206 break 207 } 208 } 209 if !found { 210 continue 211 } 212 info := []byte("tls ech\x00") 213 info = append(info, candidate.ECHConfig.Raw...) 214 hs.echHPKEContext, err = hpke.SetupBaseReceiverX25519(echOuter.kdfID, echOuter.aeadID, echOuter.enc, candidate.Key, info) 215 if err != nil { 216 continue 217 } 218 clientHelloInner, err := hs.decryptClientHello(hs.clientHello) 219 if err != nil { 220 if _, ok := err.(*echDecryptError); ok { 221 continue 222 } 223 c.sendAlert(alertDecryptError) 224 return fmt.Errorf("tls: error decrypting ClientHello: %s", err) 225 } 226 if config.Bugs.UseInnerSessionWithClientHelloOuter { 227 hs.clientHello.pskIdentities = clientHelloInner.pskIdentities 228 } else { 229 c.echAccepted = true 230 hs.clientHello = clientHelloInner 231 hs.echConfigID = echOuter.configID 232 } 233 } 234 } 235 236 if c.isDTLS && !config.Bugs.SkipHelloVerifyRequest { 237 // Per RFC 6347, the version field in HelloVerifyRequest SHOULD 238 // be always DTLS 1.0 239 cookieLen := c.config.Bugs.HelloVerifyRequestCookieLength 240 if cookieLen == 0 { 241 cookieLen = 32 242 } 243 if c.config.Bugs.EmptyHelloVerifyRequestCookie { 244 cookieLen = 0 245 } 246 helloVerifyRequest := &helloVerifyRequestMsg{ 247 vers: VersionDTLS10, 248 cookie: make([]byte, cookieLen), 249 } 250 if _, err := io.ReadFull(c.config.rand(), helloVerifyRequest.cookie); err != nil { 251 c.sendAlert(alertInternalError) 252 return errors.New("dtls: short read from Rand: " + err.Error()) 253 } 254 c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal()) 255 c.flushHandshake() 256 257 if err := c.simulatePacketLoss(nil); err != nil { 258 return err 259 } 260 msg, err := c.readHandshake() 261 if err != nil { 262 return err 263 } 264 newClientHello, ok := msg.(*clientHelloMsg) 265 if !ok { 266 c.sendAlert(alertUnexpectedMessage) 267 return unexpectedMessageError(hs.clientHello, msg) 268 } 269 if !bytes.Equal(newClientHello.cookie, helloVerifyRequest.cookie) { 270 return errors.New("dtls: invalid cookie") 271 } 272 if err := checkClientHellosEqual(hs.clientHello.raw, newClientHello.raw, c.isDTLS, nil); err != nil { 273 return err 274 } 275 hs.clientHello = newClientHello 276 } 277 278 if config.Bugs.RequireSameRenegoClientVersion && c.clientVersion != 0 { 279 if c.clientVersion != hs.clientHello.vers { 280 return fmt.Errorf("tls: client offered different version on renego") 281 } 282 } 283 284 if config.Bugs.FailIfKyberOffered { 285 for _, offeredCurve := range hs.clientHello.supportedCurves { 286 if isPqGroup(offeredCurve) { 287 return errors.New("tls: X25519Kyber768 was offered") 288 } 289 } 290 } 291 292 if expected := config.Bugs.ExpectedKeyShares; expected != nil { 293 if len(expected) != len(hs.clientHello.keyShares) { 294 return fmt.Errorf("tls: expected %d key shares, but found %d", len(expected), len(hs.clientHello.keyShares)) 295 } 296 297 for i, group := range expected { 298 if found := hs.clientHello.keyShares[i].group; found != group { 299 return fmt.Errorf("tls: key share #%d is for group %d, not %d", i, found, group) 300 } 301 } 302 } 303 304 c.clientVersion = hs.clientHello.vers 305 306 // Use the versions extension if supplied, otherwise use the legacy ClientHello version. 307 if len(hs.clientHello.supportedVersions) == 0 { 308 if c.isDTLS { 309 if hs.clientHello.vers <= VersionDTLS12 { 310 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS12) 311 } 312 if hs.clientHello.vers <= VersionDTLS10 { 313 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS10) 314 } 315 } else { 316 if hs.clientHello.vers >= VersionTLS12 { 317 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS12) 318 } 319 if hs.clientHello.vers >= VersionTLS11 { 320 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS11) 321 } 322 if hs.clientHello.vers >= VersionTLS10 { 323 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS10) 324 } 325 if hs.clientHello.vers >= VersionSSL30 { 326 hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionSSL30) 327 } 328 } 329 } else if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.supportedVersions) { 330 return errors.New("tls: no GREASE version value found") 331 } 332 333 if !c.haveVers { 334 if config.Bugs.NegotiateVersion != 0 { 335 c.wireVersion = config.Bugs.NegotiateVersion 336 } else { 337 var found bool 338 for _, vers := range hs.clientHello.supportedVersions { 339 if _, ok := config.isSupportedVersion(vers, c.isDTLS); ok { 340 c.wireVersion = vers 341 found = true 342 break 343 } 344 } 345 if !found { 346 c.sendAlert(alertProtocolVersion) 347 return errors.New("tls: client did not offer any supported protocol versions") 348 } 349 } 350 } else if config.Bugs.NegotiateVersionOnRenego != 0 { 351 c.wireVersion = config.Bugs.NegotiateVersionOnRenego 352 } 353 354 c.vers, ok = wireToVersion(c.wireVersion, c.isDTLS) 355 if !ok { 356 panic("Could not map wire version") 357 } 358 c.haveVers = true 359 360 clientProtocol, ok := wireToVersion(c.clientVersion, c.isDTLS) 361 362 // Reject < 1.2 ClientHellos with signature_algorithms. 363 if ok && clientProtocol < VersionTLS12 && len(hs.clientHello.signatureAlgorithms) > 0 { 364 return fmt.Errorf("tls: client included signature_algorithms before TLS 1.2") 365 } 366 367 // Check the client cipher list is consistent with the version. 368 if ok && clientProtocol < VersionTLS12 { 369 for _, id := range hs.clientHello.cipherSuites { 370 if isTLS12Cipher(id) { 371 return fmt.Errorf("tls: client offered TLS 1.2 cipher before TLS 1.2") 372 } 373 } 374 } 375 376 if config.Bugs.MockQUICTransport != nil && len(hs.clientHello.sessionID) > 0 { 377 return fmt.Errorf("tls: QUIC client did not disable compatibility mode") 378 } 379 if config.Bugs.ExpectNoSessionID && len(hs.clientHello.sessionID) > 0 { 380 return fmt.Errorf("tls: client offered an unexpected session ID") 381 } 382 if config.Bugs.ExpectNoTLS12Session { 383 if len(hs.clientHello.sessionID) > 0 { 384 if _, ok := config.ServerSessionCache.Get(string(hs.clientHello.sessionID)); ok { 385 return fmt.Errorf("tls: client offered an unexpected TLS 1.2 session") 386 } 387 } 388 if len(hs.clientHello.sessionTicket) > 0 { 389 return fmt.Errorf("tls: client offered an unexpected session ticket") 390 } 391 } 392 393 if config.Bugs.ExpectNoTLS13PSK && len(hs.clientHello.pskIdentities) > 0 { 394 return fmt.Errorf("tls: client offered unexpected PSK identities") 395 } 396 397 var scsvFound bool 398 for _, cipherSuite := range hs.clientHello.cipherSuites { 399 if cipherSuite == fallbackSCSV { 400 scsvFound = true 401 break 402 } 403 } 404 405 if !scsvFound && config.Bugs.FailIfNotFallbackSCSV { 406 return errors.New("tls: no fallback SCSV found when expected") 407 } else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV { 408 return errors.New("tls: fallback SCSV found when not expected") 409 } 410 411 if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.cipherSuites) { 412 return errors.New("tls: no GREASE cipher suite value found") 413 } 414 415 var greaseFound bool 416 for _, curve := range hs.clientHello.supportedCurves { 417 if isGREASEValue(uint16(curve)) { 418 greaseFound = true 419 break 420 } 421 } 422 423 if !greaseFound && config.Bugs.ExpectGREASE { 424 return errors.New("tls: no GREASE curve value found") 425 } 426 427 if len(hs.clientHello.keyShares) > 0 { 428 greaseFound = false 429 for _, keyShare := range hs.clientHello.keyShares { 430 if isGREASEValue(uint16(keyShare.group)) { 431 greaseFound = true 432 break 433 } 434 } 435 436 if !greaseFound && config.Bugs.ExpectGREASE { 437 return errors.New("tls: no GREASE curve value found") 438 } 439 } 440 441 if len(hs.clientHello.sessionID) == 0 && c.config.Bugs.ExpectClientHelloSessionID { 442 return errors.New("tls: expected non-empty session ID from client") 443 } 444 445 applyBugsToClientHello(hs.clientHello, config) 446 447 return nil 448} 449 450func applyBugsToClientHello(clientHello *clientHelloMsg, config *Config) { 451 if config.Bugs.IgnorePeerSignatureAlgorithmPreferences { 452 clientHello.signatureAlgorithms = config.Credential.signatureAlgorithms() 453 } 454 if config.Bugs.IgnorePeerCurvePreferences { 455 clientHello.supportedCurves = config.curvePreferences() 456 } 457 if config.Bugs.IgnorePeerCipherPreferences { 458 clientHello.cipherSuites = config.cipherSuites() 459 } 460} 461 462type echDecryptError struct { 463 error 464} 465 466func (hs *serverHandshakeState) decryptClientHello(helloOuter *clientHelloMsg) (helloInner *clientHelloMsg, err error) { 467 // ClientHelloOuterAAD is ClientHelloOuter with the payload replaced by 468 // zeros. See draft-ietf-tls-esni-13, section 5.2. 469 aad := make([]byte, len(helloOuter.raw)-4) 470 copy(aad, helloOuter.raw[4:helloOuter.echPayloadStart]) 471 copy(aad[helloOuter.echPayloadEnd-4:], helloOuter.raw[helloOuter.echPayloadEnd:]) 472 473 // In fuzzer mode, the payload is cleartext. 474 encoded := helloOuter.echOuter.payload 475 if !hs.c.config.Bugs.NullAllCiphers { 476 var err error 477 encoded, err = hs.echHPKEContext.Open(helloOuter.echOuter.payload, aad) 478 if err != nil { 479 // Wrap |err| so the caller can implement trial decryption. 480 return nil, &echDecryptError{err} 481 } 482 } 483 484 helloInner, err = decodeClientHelloInner(hs.c.config, encoded, helloOuter) 485 if err != nil { 486 return nil, err 487 } 488 489 if isAllZero(helloInner.random) { 490 // If the client forgets to fill in the client random, it will likely be 491 // all zero. 492 return nil, errors.New("tls: ClientHelloInner random was all zero") 493 } 494 if bytes.Equal(helloInner.random, helloOuter.random) { 495 return nil, errors.New("tls: ClientHelloOuter and ClientHelloInner have the same random values") 496 } 497 // ClientHelloInner should not offer TLS 1.2 and below. 498 if len(helloInner.supportedVersions) == 0 { 499 return nil, errors.New("tls: ClientHelloInner did not offer supported_versions") 500 } 501 for _, vers := range helloInner.supportedVersions { 502 switch vers { 503 case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionDTLS10, VersionDTLS12: 504 return nil, fmt.Errorf("tls: ClientHelloInner offered invalid version: %04x", vers) 505 } 506 } 507 // ClientHelloInner should omit TLS-1.2-only extensions. 508 if helloInner.nextProtoNeg || len(helloInner.supportedPoints) != 0 || helloInner.ticketSupported || helloInner.secureRenegotiation != nil || helloInner.extendedMasterSecret { 509 return nil, errors.New("tls: ClientHelloInner included a TLS-1.2-only extension") 510 } 511 if !helloInner.echInner { 512 return nil, errors.New("tls: ClientHelloInner missing inner encrypted_client_hello extension") 513 } 514 515 return helloInner, nil 516} 517 518func (hs *serverHandshakeState) doTLS13Handshake() error { 519 c := hs.c 520 config := c.config 521 522 // We've read the ClientHello, so the next record must be preceded with ChangeCipherSpec. 523 c.expectTLS13ChangeCipherSpec = true 524 525 hs.hello = &serverHelloMsg{ 526 isDTLS: c.isDTLS, 527 vers: c.wireVersion, 528 sessionID: hs.clientHello.sessionID, 529 compressionMethod: config.Bugs.SendCompressionMethod, 530 versOverride: config.Bugs.SendServerHelloVersion, 531 supportedVersOverride: config.Bugs.SendServerSupportedVersionExtension, 532 omitSupportedVers: config.Bugs.OmitServerSupportedVersionExtension, 533 customExtension: config.Bugs.CustomUnencryptedExtension, 534 unencryptedALPN: config.Bugs.SendUnencryptedALPN, 535 } 536 537 hs.hello.random = make([]byte, 32) 538 if _, err := io.ReadFull(config.rand(), hs.hello.random); err != nil { 539 c.sendAlert(alertInternalError) 540 return err 541 } 542 543 // TLS 1.3 forbids clients from advertising any non-null compression. 544 if len(hs.clientHello.compressionMethods) != 1 || hs.clientHello.compressionMethods[0] != compressionNone { 545 return errors.New("tls: client sent compression method other than null for TLS 1.3") 546 } 547 548 // Prepare an EncryptedExtensions message, but do not send it yet. 549 encryptedExtensions := new(encryptedExtensionsMsg) 550 encryptedExtensions.empty = config.Bugs.EmptyEncryptedExtensions 551 if err := hs.processClientExtensions(&encryptedExtensions.extensions); err != nil { 552 return err 553 } 554 555 // Select the cipher suite. 556 var preferenceList, supportedList []uint16 557 if config.PreferServerCipherSuites { 558 preferenceList = config.cipherSuites() 559 supportedList = hs.clientHello.cipherSuites 560 } else { 561 preferenceList = hs.clientHello.cipherSuites 562 supportedList = config.cipherSuites() 563 } 564 565 for _, id := range preferenceList { 566 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, true, true); hs.suite != nil { 567 break 568 } 569 } 570 571 if hs.suite == nil { 572 c.sendAlert(alertHandshakeFailure) 573 return errors.New("tls: no cipher suite supported by both client and server") 574 } 575 576 hs.hello.cipherSuite = hs.suite.id 577 if c.config.Bugs.SendCipherSuite != 0 { 578 hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite 579 } 580 581 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 582 hs.finishedHash.discardHandshakeBuffer() 583 hs.writeClientHash(hs.clientHello.marshal()) 584 585 supportedCurve := false 586 var selectedCurve CurveID 587 preferredCurves := config.curvePreferences() 588Curves: 589 for _, curve := range hs.clientHello.supportedCurves { 590 for _, supported := range preferredCurves { 591 if supported == curve { 592 supportedCurve = true 593 selectedCurve = curve 594 break Curves 595 } 596 } 597 } 598 599 if !supportedCurve { 600 c.sendAlert(alertHandshakeFailure) 601 return errors.New("tls: no curve supported by both client and server") 602 } 603 604 pskIdentities := hs.clientHello.pskIdentities 605 pskKEModes := hs.clientHello.pskKEModes 606 607 var replacedPSKIdentities bool 608 if len(pskIdentities) == 0 && len(hs.clientHello.sessionTicket) > 0 && c.config.Bugs.AcceptAnySession { 609 // Pick up the ticket from the TLS 1.2 extension, to test the 610 // client does not get in a mixed up state. 611 psk := pskIdentity{ 612 ticket: hs.clientHello.sessionTicket, 613 } 614 pskIdentities = []pskIdentity{psk} 615 pskKEModes = []byte{pskDHEKEMode} 616 replacedPSKIdentities = true 617 } 618 if config.Bugs.UseInnerSessionWithClientHelloOuter { 619 replacedPSKIdentities = true 620 } 621 622 var pskIndex int 623 foundKEMode := bytes.IndexByte(pskKEModes, pskDHEKEMode) >= 0 624 if foundKEMode && !config.SessionTicketsDisabled { 625 for i, pskIdentity := range pskIdentities { 626 // TODO(svaldez): Check the obfuscatedTicketAge before accepting 0-RTT. 627 sessionState, ok := c.decryptTicket(pskIdentity.ticket) 628 if !ok { 629 continue 630 } 631 632 if !config.Bugs.AcceptAnySession { 633 if sessionState.vers != c.vers { 634 continue 635 } 636 if sessionState.ticketExpiration.Before(c.config.time()) { 637 continue 638 } 639 sessionCipher := cipherSuiteFromID(sessionState.cipherSuite) 640 if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() { 641 continue 642 } 643 } 644 645 clientTicketAge := time.Duration(uint32(pskIdentity.obfuscatedTicketAge-sessionState.ticketAgeAdd)) * time.Millisecond 646 if config.Bugs.ExpectTicketAge != 0 && clientTicketAge != config.Bugs.ExpectTicketAge { 647 c.sendAlert(alertHandshakeFailure) 648 return errors.New("tls: invalid ticket age") 649 } 650 651 if !replacedPSKIdentities { 652 binderToVerify := hs.clientHello.pskBinders[i] 653 if err := verifyPSKBinder(c.wireVersion, hs.clientHello, sessionState, binderToVerify, []byte{}, []byte{}); err != nil { 654 return err 655 } 656 } 657 658 hs.sessionState = sessionState 659 hs.hello.hasPSKIdentity = true 660 hs.hello.pskIdentity = uint16(i) 661 pskIndex = i 662 if config.Bugs.SelectPSKIdentityOnResume != 0 { 663 hs.hello.pskIdentity = config.Bugs.SelectPSKIdentityOnResume 664 } 665 c.didResume = true 666 break 667 } 668 } 669 670 if config.Bugs.AlwaysSelectPSKIdentity { 671 hs.hello.hasPSKIdentity = true 672 hs.hello.pskIdentity = 0 673 } 674 675 // Resolve PSK and compute the early secret. 676 if hs.sessionState != nil { 677 hs.finishedHash.addEntropy(hs.sessionState.secret) 678 } else { 679 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 680 } 681 682 hs.hello.hasKeyShare = true 683 if hs.sessionState != nil && config.Bugs.NegotiatePSKResumption { 684 hs.hello.hasKeyShare = false 685 } 686 if config.Bugs.MissingKeyShare { 687 hs.hello.hasKeyShare = false 688 } 689 690 firstHelloRetryRequest := true 691 692ResendHelloRetryRequest: 693 var sendHelloRetryRequest bool 694 cipherSuite := hs.suite.id 695 if config.Bugs.SendHelloRetryRequestCipherSuite != 0 { 696 cipherSuite = config.Bugs.SendHelloRetryRequestCipherSuite 697 } 698 helloRetryRequest := &helloRetryRequestMsg{ 699 vers: c.wireVersion, 700 sessionID: hs.clientHello.sessionID, 701 cipherSuite: cipherSuite, 702 compressionMethod: config.Bugs.SendCompressionMethod, 703 duplicateExtensions: config.Bugs.DuplicateHelloRetryRequestExtensions, 704 } 705 706 if config.Bugs.AlwaysSendHelloRetryRequest { 707 sendHelloRetryRequest = true 708 } 709 710 if config.Bugs.SendHelloRetryRequestCookie != nil { 711 sendHelloRetryRequest = true 712 helloRetryRequest.cookie = config.Bugs.SendHelloRetryRequestCookie 713 } 714 715 if len(config.Bugs.CustomHelloRetryRequestExtension) > 0 { 716 sendHelloRetryRequest = true 717 helloRetryRequest.customExtension = config.Bugs.CustomHelloRetryRequestExtension 718 } 719 720 var selectedKeyShare *keyShareEntry 721 if hs.hello.hasKeyShare { 722 // Look for the key share corresponding to our selected curve. 723 for i := range hs.clientHello.keyShares { 724 if hs.clientHello.keyShares[i].group == selectedCurve { 725 selectedKeyShare = &hs.clientHello.keyShares[i] 726 break 727 } 728 } 729 730 if config.Bugs.ExpectMissingKeyShare && selectedKeyShare != nil { 731 return errors.New("tls: expected missing key share") 732 } 733 734 if selectedKeyShare == nil { 735 helloRetryRequest.hasSelectedGroup = true 736 helloRetryRequest.selectedGroup = selectedCurve 737 sendHelloRetryRequest = true 738 } 739 } 740 741 if config.Bugs.SendHelloRetryRequestCurve != 0 { 742 helloRetryRequest.hasSelectedGroup = true 743 helloRetryRequest.selectedGroup = config.Bugs.SendHelloRetryRequestCurve 744 sendHelloRetryRequest = true 745 } 746 747 if config.Bugs.SkipHelloRetryRequest { 748 sendHelloRetryRequest = false 749 } 750 751 if sendHelloRetryRequest { 752 hs.finishedHash.UpdateForHelloRetryRequest() 753 754 // Emit the ECH confirmation signal when requested. 755 if hs.clientHello.echInner { 756 helloRetryRequest.echConfirmation = make([]byte, 8) 757 helloRetryRequest.echConfirmation = hs.finishedHash.echAcceptConfirmation(hs.clientHello.random, echAcceptConfirmationHRRLabel, helloRetryRequest.marshal()) 758 helloRetryRequest.raw = nil 759 } else if config.Bugs.AlwaysSendECHHelloRetryRequest { 760 // When solicited, a random ECH confirmation string should be ignored. 761 helloRetryRequest.echConfirmation = make([]byte, 8) 762 if _, err := io.ReadFull(config.rand(), helloRetryRequest.echConfirmation); err != nil { 763 c.sendAlert(alertInternalError) 764 return fmt.Errorf("tls: short read from Rand: %s", err) 765 } 766 } 767 768 hs.writeServerHash(helloRetryRequest.marshal()) 769 if c.config.Bugs.PartialServerHelloWithHelloRetryRequest { 770 data := helloRetryRequest.marshal() 771 c.writeRecord(recordTypeHandshake, append(data[:len(data):len(data)], typeServerHello)) 772 } else { 773 c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()) 774 } 775 c.flushHandshake() 776 777 if !c.config.Bugs.SkipChangeCipherSpec { 778 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 779 } 780 781 if hs.clientHello.hasEarlyData { 782 c.setSkipEarlyData() 783 } 784 785 // Read new ClientHello. 786 newMsg, err := c.readHandshake() 787 if err != nil { 788 return err 789 } 790 newClientHello, ok := newMsg.(*clientHelloMsg) 791 if !ok { 792 c.sendAlert(alertUnexpectedMessage) 793 return unexpectedMessageError(newClientHello, newMsg) 794 } 795 796 if expected := config.Bugs.ExpectOuterServerName; len(expected) != 0 && expected != newClientHello.serverName { 797 return fmt.Errorf("tls: unexpected ClientHelloOuter server name: wanted %q, got %q", expected, newClientHello.serverName) 798 } 799 800 if c.echAccepted { 801 if newClientHello.echOuter == nil { 802 c.sendAlert(alertMissingExtension) 803 return errors.New("tls: second ClientHelloOuter had no encrypted_client_hello extension") 804 } 805 if newClientHello.echOuter.configID != hs.echConfigID || 806 newClientHello.echOuter.kdfID != hs.echHPKEContext.KDF() || 807 newClientHello.echOuter.aeadID != hs.echHPKEContext.AEAD() { 808 c.sendAlert(alertIllegalParameter) 809 return errors.New("tls: ECH parameters changed in second ClientHelloOuter") 810 } 811 if len(newClientHello.echOuter.enc) != 0 { 812 c.sendAlert(alertIllegalParameter) 813 return errors.New("tls: second ClientHelloOuter had non-empty ECH enc") 814 } 815 newClientHello, err = hs.decryptClientHello(newClientHello) 816 if err != nil { 817 c.sendAlert(alertDecryptError) 818 return fmt.Errorf("tls: error decrypting ClientHello: %s", err) 819 } 820 } 821 822 hs.writeClientHash(newClientHello.marshal()) 823 824 if config.Bugs.ExpectNoTLS13PSKAfterHRR && len(newClientHello.pskIdentities) > 0 { 825 return fmt.Errorf("tls: client offered unexpected PSK identities after HelloRetryRequest") 826 } 827 828 applyBugsToClientHello(newClientHello, config) 829 830 // Check that the new ClientHello matches the old ClientHello, 831 // except for relevant modifications. See RFC 8446, section 4.1.2. 832 ignoreExtensions := []uint16{extensionPadding} 833 834 if helloRetryRequest.hasSelectedGroup { 835 newKeyShares := newClientHello.keyShares 836 if len(newKeyShares) != 1 || newKeyShares[0].group != helloRetryRequest.selectedGroup { 837 return errors.New("tls: KeyShare from HelloRetryRequest not in new ClientHello") 838 } 839 selectedKeyShare = &newKeyShares[0] 840 ignoreExtensions = append(ignoreExtensions, extensionKeyShare) 841 } 842 843 if len(helloRetryRequest.cookie) > 0 { 844 if !bytes.Equal(newClientHello.tls13Cookie, helloRetryRequest.cookie) { 845 return errors.New("tls: cookie from HelloRetryRequest not present in new ClientHello") 846 } 847 ignoreExtensions = append(ignoreExtensions, extensionCookie) 848 } 849 850 // The second ClientHello refreshes binders, and may drop PSK identities 851 // that are no longer consistent with the cipher suite. 852 oldPSKIdentities := hs.clientHello.pskIdentities 853 for _, identity := range newClientHello.pskIdentities { 854 // Skip to the matching PSK identity in oldPSKIdentities. 855 for len(oldPSKIdentities) > 0 && !bytes.Equal(oldPSKIdentities[0].ticket, identity.ticket) { 856 oldPSKIdentities = oldPSKIdentities[1:] 857 } 858 // The identity now either matches, or oldPSKIdentities is empty. 859 if len(oldPSKIdentities) == 0 { 860 return errors.New("tls: unexpected PSK identity in second ClientHello") 861 } 862 oldPSKIdentities = oldPSKIdentities[1:] 863 } 864 ignoreExtensions = append(ignoreExtensions, extensionPreSharedKey) 865 866 // Update the index for the identity we resumed. The client may have 867 // dropped some entries. 868 if hs.sessionState != nil { 869 var found bool 870 ticket := hs.clientHello.pskIdentities[pskIndex].ticket 871 for i, identity := range newClientHello.pskIdentities { 872 if bytes.Equal(identity.ticket, ticket) { 873 found = true 874 pskIndex = i 875 break 876 } 877 } 878 if found { 879 binderToVerify := newClientHello.pskBinders[pskIndex] 880 if err := verifyPSKBinder(c.wireVersion, newClientHello, hs.sessionState, binderToVerify, hs.clientHello.marshal(), helloRetryRequest.marshal()); err != nil { 881 return err 882 } 883 } else if !config.Bugs.AcceptAnySession { 884 // If AcceptAnySession is set, the client may have already noticed 885 // the selected session is incompatible with the HelloRetryRequest 886 // and correctly dropped the PSK identity. We may also have 887 // attempted to resume a session from the TLS 1.2 extension. 888 return errors.New("tls: second ClientHello is missing selected session") 889 } 890 } 891 892 // The second ClientHello must stop offering early data. 893 if newClientHello.hasEarlyData { 894 return errors.New("tls: EarlyData sent in new ClientHello") 895 } 896 ignoreExtensions = append(ignoreExtensions, extensionEarlyData) 897 898 if err := checkClientHellosEqual(hs.clientHello.raw, newClientHello.raw, c.isDTLS, ignoreExtensions); err != nil { 899 return err 900 } 901 902 if firstHelloRetryRequest && config.Bugs.SecondHelloRetryRequest { 903 firstHelloRetryRequest = false 904 goto ResendHelloRetryRequest 905 } 906 } 907 908 // Decide whether or not to accept early data. 909 if !sendHelloRetryRequest && hs.clientHello.hasEarlyData { 910 if !config.Bugs.AlwaysRejectEarlyData && hs.sessionState != nil { 911 if hs.sessionState.cipherSuite == hs.suite.id && 912 c.clientProtocol == string(hs.sessionState.earlyALPN) && 913 c.hasApplicationSettings == hs.sessionState.hasApplicationSettings && 914 bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) && 915 c.hasApplicationSettingsOld == hs.sessionState.hasApplicationSettingsOld && 916 bytes.Equal(c.localApplicationSettingsOld, hs.sessionState.localApplicationSettingsOld) { 917 encryptedExtensions.extensions.hasEarlyData = true 918 } 919 if config.Bugs.AlwaysAcceptEarlyData { 920 encryptedExtensions.extensions.hasEarlyData = true 921 } 922 } 923 if encryptedExtensions.extensions.hasEarlyData { 924 earlyTrafficSecret := hs.finishedHash.deriveSecret(earlyTrafficLabel) 925 c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabel) 926 927 // Applications are implicit with early data. 928 if !config.Bugs.SendApplicationSettingsWithEarlyData { 929 encryptedExtensions.extensions.hasApplicationSettings = false 930 encryptedExtensions.extensions.applicationSettings = nil 931 encryptedExtensions.extensions.hasApplicationSettingsOld = false 932 encryptedExtensions.extensions.applicationSettingsOld = nil 933 } 934 935 sessionCipher := cipherSuiteFromID(hs.sessionState.cipherSuite) 936 if err := c.useInTrafficSecret(encryptionEarlyData, c.wireVersion, sessionCipher, earlyTrafficSecret); err != nil { 937 return err 938 } 939 940 for _, expectedMsg := range config.Bugs.ExpectEarlyData { 941 if err := c.readRecord(recordTypeApplicationData); err != nil { 942 return err 943 } 944 msg := c.input.data[c.input.off:] 945 if !bytes.Equal(msg, expectedMsg) { 946 return fmt.Errorf("tls: got early data record %x, wanted %x", msg, expectedMsg) 947 } 948 c.in.freeBlock(c.input) 949 c.input = nil 950 } 951 } else { 952 c.setSkipEarlyData() 953 } 954 } 955 956 if config.Bugs.SendEarlyDataExtension { 957 encryptedExtensions.extensions.hasEarlyData = true 958 } 959 960 // Resolve ECDHE and compute the handshake secret. 961 if hs.hello.hasKeyShare { 962 // Once a curve has been selected and a key share identified, 963 // the server needs to generate a public value and send it in 964 // the ServerHello. 965 kem, ok := kemForCurveID(selectedCurve, config) 966 if !ok { 967 panic("tls: server failed to look up curve ID") 968 } 969 c.curveID = selectedCurve 970 971 var peerKey []byte 972 if config.Bugs.SkipHelloRetryRequest { 973 // If skipping HelloRetryRequest, use a random key to 974 // avoid crashing. 975 kem2, _ := kemForCurveID(selectedCurve, config) 976 var err error 977 peerKey, err = kem2.generate(config.rand()) 978 if err != nil { 979 return err 980 } 981 } else { 982 peerKey = selectedKeyShare.keyExchange 983 } 984 985 ciphertext, ecdheSecret, err := kem.encap(config.rand(), peerKey) 986 if err != nil { 987 c.sendAlert(alertHandshakeFailure) 988 return err 989 } 990 hs.finishedHash.nextSecret() 991 hs.finishedHash.addEntropy(ecdheSecret) 992 hs.hello.hasKeyShare = true 993 994 curveID := selectedCurve 995 if c.config.Bugs.SendCurve != 0 { 996 curveID = config.Bugs.SendCurve 997 } 998 if c.config.Bugs.InvalidECDHPoint { 999 ciphertext[0] ^= 0xff 1000 } 1001 1002 hs.hello.keyShare = keyShareEntry{ 1003 group: curveID, 1004 keyExchange: ciphertext, 1005 } 1006 1007 if config.Bugs.EncryptedExtensionsWithKeyShare { 1008 encryptedExtensions.extensions.hasKeyShare = true 1009 encryptedExtensions.extensions.keyShare = keyShareEntry{ 1010 group: curveID, 1011 keyExchange: ciphertext, 1012 } 1013 } 1014 } else { 1015 hs.finishedHash.nextSecret() 1016 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 1017 } 1018 1019 // Emit the ECH confirmation signal when requested. 1020 if hs.clientHello.echInner && !config.Bugs.OmitServerHelloECHConfirmation { 1021 randomSuffix := hs.hello.random[len(hs.hello.random)-echAcceptConfirmationLength:] 1022 for i := range randomSuffix { 1023 randomSuffix[i] = 0 1024 } 1025 copy(randomSuffix, hs.finishedHash.echAcceptConfirmation(hs.clientHello.random, echAcceptConfirmationLabel, hs.hello.marshal())) 1026 hs.hello.raw = nil 1027 } 1028 1029 // Send unencrypted ServerHello. 1030 helloBytes := hs.hello.marshal() 1031 hs.writeServerHash(helloBytes) 1032 if config.Bugs.PartialServerHelloWithHelloRetryRequest { 1033 // The first byte has already been written. 1034 helloBytes = helloBytes[1:] 1035 } 1036 if config.Bugs.PartialEncryptedExtensionsWithServerHello { 1037 c.writeRecord(recordTypeHandshake, append(helloBytes[:len(helloBytes):len(helloBytes)], typeEncryptedExtensions)) 1038 } else { 1039 c.writeRecord(recordTypeHandshake, helloBytes) 1040 } 1041 c.flushHandshake() 1042 1043 if !c.config.Bugs.SkipChangeCipherSpec && !sendHelloRetryRequest { 1044 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1045 } 1046 1047 for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ { 1048 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 1049 } 1050 1051 // Switch to handshake traffic keys. 1052 serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel) 1053 c.useOutTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, serverHandshakeTrafficSecret) 1054 // Derive handshake traffic read key, but don't switch yet. 1055 clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel) 1056 1057 // Send EncryptedExtensions. 1058 hs.writeServerHash(encryptedExtensions.marshal()) 1059 if config.Bugs.PartialEncryptedExtensionsWithServerHello { 1060 // The first byte has already been sent. 1061 c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()[1:]) 1062 } else { 1063 c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()) 1064 } 1065 1066 if hs.sessionState == nil { 1067 if config.ClientAuth >= RequestClientCert { 1068 // Request a client certificate 1069 certReq := &certificateRequestMsg{ 1070 vers: c.wireVersion, 1071 hasSignatureAlgorithm: !config.Bugs.OmitCertificateRequestAlgorithms, 1072 hasRequestContext: true, 1073 requestContext: config.Bugs.SendRequestContext, 1074 customExtension: config.Bugs.SendCustomCertificateRequest, 1075 } 1076 if !config.Bugs.NoSignatureAlgorithms { 1077 certReq.signatureAlgorithms = config.verifySignatureAlgorithms() 1078 } 1079 1080 // An empty list of certificateAuthorities signals to 1081 // the client that it may send any certificate in response 1082 // to our request. When we know the CAs we trust, then 1083 // we can send them down, so that the client can choose 1084 // an appropriate certificate to give to us. 1085 if config.ClientCAs != nil { 1086 certReq.certificateAuthorities = config.ClientCAs.Subjects() 1087 } 1088 hs.writeServerHash(certReq.marshal()) 1089 c.writeRecord(recordTypeHandshake, certReq.marshal()) 1090 } 1091 1092 certMsg := &certificateMsg{ 1093 hasRequestContext: true, 1094 } 1095 if !config.Bugs.EmptyCertificateList { 1096 for i, certData := range hs.cert.Certificate { 1097 cert := certificateEntry{ 1098 data: certData, 1099 } 1100 if i == 0 { 1101 if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling { 1102 cert.ocspResponse = hs.cert.OCSPStaple 1103 } 1104 if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps { 1105 cert.sctList = hs.cert.SignedCertificateTimestampList 1106 } 1107 cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions 1108 cert.extraExtension = config.Bugs.SendExtensionOnCertificate 1109 } else { 1110 if config.Bugs.SendOCSPOnIntermediates != nil { 1111 cert.ocspResponse = config.Bugs.SendOCSPOnIntermediates 1112 } 1113 if config.Bugs.SendSCTOnIntermediates != nil { 1114 cert.sctList = config.Bugs.SendSCTOnIntermediates 1115 } 1116 } 1117 certMsg.certificates = append(certMsg.certificates, cert) 1118 } 1119 } 1120 certMsgBytes := certMsg.marshal() 1121 sentCompressedCertMsg := false 1122 1123 FindCertCompressionAlg: 1124 for candidate, alg := range c.config.CertCompressionAlgs { 1125 for _, id := range hs.clientHello.compressedCertAlgs { 1126 if id == candidate { 1127 if expected := config.Bugs.ExpectedCompressedCert; expected != 0 && expected != id { 1128 return fmt.Errorf("tls: expected to send compressed cert with alg %d, but picked %d", expected, id) 1129 } 1130 if config.Bugs.ExpectUncompressedCert { 1131 return errors.New("tls: expected to send uncompressed cert") 1132 } 1133 1134 if override := config.Bugs.SendCertCompressionAlgID; override != 0 { 1135 id = override 1136 } 1137 1138 uncompressed := certMsgBytes[4:] 1139 uncompressedLen := uint32(len(uncompressed)) 1140 if override := config.Bugs.SendCertUncompressedLength; override != 0 { 1141 uncompressedLen = override 1142 } 1143 1144 compressedCertMsgBytes := (&compressedCertificateMsg{ 1145 algID: id, 1146 uncompressedLength: uncompressedLen, 1147 compressed: alg.Compress(uncompressed), 1148 }).marshal() 1149 1150 hs.writeServerHash(compressedCertMsgBytes) 1151 c.writeRecord(recordTypeHandshake, compressedCertMsgBytes) 1152 sentCompressedCertMsg = true 1153 break FindCertCompressionAlg 1154 } 1155 } 1156 } 1157 1158 if !sentCompressedCertMsg { 1159 if config.Bugs.ExpectedCompressedCert != 0 { 1160 return errors.New("tls: unexpectedly sent uncompressed certificate") 1161 } 1162 hs.writeServerHash(certMsgBytes) 1163 c.writeRecord(recordTypeHandshake, certMsgBytes) 1164 } 1165 1166 certVerify := &certificateVerifyMsg{ 1167 hasSignatureAlgorithm: true, 1168 } 1169 1170 // Determine the hash to sign. 1171 var err error 1172 certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.isClient, c.vers, hs.cert, config, hs.clientHello.signatureAlgorithms) 1173 if err != nil { 1174 c.sendAlert(alertInternalError) 1175 return err 1176 } 1177 1178 privKey := hs.cert.PrivateKey 1179 input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13) 1180 certVerify.signature, err = signMessage(c.isClient, c.vers, privKey, c.config, certVerify.signatureAlgorithm, input) 1181 if err != nil { 1182 c.sendAlert(alertInternalError) 1183 return err 1184 } 1185 1186 if config.Bugs.SendSignatureAlgorithm != 0 { 1187 certVerify.signatureAlgorithm = config.Bugs.SendSignatureAlgorithm 1188 } 1189 1190 if !config.Bugs.SkipCertificateVerify { 1191 hs.writeServerHash(certVerify.marshal()) 1192 c.writeRecord(recordTypeHandshake, certVerify.marshal()) 1193 } 1194 } else if hs.sessionState != nil { 1195 // Pick up certificates from the session instead. 1196 if len(hs.sessionState.certificates) > 0 { 1197 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 1198 return err 1199 } 1200 } 1201 } 1202 1203 finished := new(finishedMsg) 1204 finished.verifyData = hs.finishedHash.serverSum(serverHandshakeTrafficSecret) 1205 if config.Bugs.BadFinished { 1206 finished.verifyData[0]++ 1207 } 1208 hs.writeServerHash(finished.marshal()) 1209 c.writeRecord(recordTypeHandshake, finished.marshal()) 1210 if c.config.Bugs.SendExtraFinished { 1211 c.writeRecord(recordTypeHandshake, finished.marshal()) 1212 } 1213 c.flushHandshake() 1214 1215 if encryptedExtensions.extensions.hasEarlyData && !c.shouldSkipEarlyData() { 1216 for _, expectedMsg := range config.Bugs.ExpectLateEarlyData { 1217 if err := c.readRecord(recordTypeApplicationData); err != nil { 1218 return err 1219 } 1220 if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) { 1221 return errors.New("ExpectLateEarlyData: did not get expected message") 1222 } 1223 c.in.freeBlock(c.input) 1224 c.input = nil 1225 } 1226 } 1227 1228 // The various secrets do not incorporate the client's final leg, so 1229 // derive them now before updating the handshake context. 1230 hs.finishedHash.nextSecret() 1231 hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret()) 1232 1233 clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel) 1234 serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel) 1235 c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel) 1236 1237 // Switch to application data keys on write. In particular, any alerts 1238 // from the client certificate are sent over these keys. 1239 c.useOutTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, serverTrafficSecret) 1240 1241 // Send 0.5-RTT messages. 1242 for _, halfRTTMsg := range config.Bugs.SendHalfRTTData { 1243 if _, err := c.writeRecord(recordTypeApplicationData, halfRTTMsg); err != nil { 1244 return err 1245 } 1246 } 1247 1248 // Read end_of_early_data. 1249 if encryptedExtensions.extensions.hasEarlyData && config.Bugs.MockQUICTransport == nil { 1250 msg, err := c.readHandshake() 1251 if err != nil { 1252 return err 1253 } 1254 1255 endOfEarlyData, ok := msg.(*endOfEarlyDataMsg) 1256 if !ok { 1257 c.sendAlert(alertUnexpectedMessage) 1258 return unexpectedMessageError(endOfEarlyData, msg) 1259 } 1260 hs.writeClientHash(endOfEarlyData.marshal()) 1261 } 1262 1263 // Switch input stream to handshake traffic keys. 1264 if err := c.useInTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, clientHandshakeTrafficSecret); err != nil { 1265 return err 1266 } 1267 1268 // If we sent an ALPS extension, the client must respond with a single EncryptedExtensions. 1269 if encryptedExtensions.extensions.hasApplicationSettings || encryptedExtensions.extensions.hasApplicationSettingsOld { 1270 msg, err := c.readHandshake() 1271 if err != nil { 1272 return err 1273 } 1274 clientEncryptedExtensions, ok := msg.(*clientEncryptedExtensionsMsg) 1275 if !ok { 1276 c.sendAlert(alertUnexpectedMessage) 1277 return unexpectedMessageError(clientEncryptedExtensions, msg) 1278 } 1279 hs.writeClientHash(clientEncryptedExtensions.marshal()) 1280 1281 // Expect client send new application settings not old. 1282 if encryptedExtensions.extensions.hasApplicationSettings { 1283 if !clientEncryptedExtensions.hasApplicationSettings { 1284 c.sendAlert(alertMissingExtension) 1285 return errors.New("tls: client didn't provide new application settings") 1286 } 1287 if clientEncryptedExtensions.hasApplicationSettingsOld { 1288 c.sendAlert(alertUnsupportedExtension) 1289 return errors.New("tls: client shouldn't provide old application settings") 1290 } 1291 c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings 1292 } 1293 1294 // Expect client send old application settings not new. 1295 if encryptedExtensions.extensions.hasApplicationSettingsOld { 1296 if !clientEncryptedExtensions.hasApplicationSettingsOld { 1297 c.sendAlert(alertMissingExtension) 1298 return errors.New("tls: client didn't provide old application settings") 1299 } 1300 if clientEncryptedExtensions.hasApplicationSettings { 1301 c.sendAlert(alertUnsupportedExtension) 1302 return errors.New("tls: client shouldn't provide new application settings") 1303 } 1304 c.peerApplicationSettingsOld = clientEncryptedExtensions.applicationSettingsOld 1305 } 1306 } else if encryptedExtensions.extensions.hasEarlyData { 1307 // 0-RTT sessions carry application settings over. 1308 c.peerApplicationSettings = hs.sessionState.peerApplicationSettings 1309 c.peerApplicationSettingsOld = hs.sessionState.peerApplicationSettingsOld 1310 } 1311 1312 // If we requested a client certificate, then the client must send a 1313 // certificate message, even if it's empty. 1314 if config.ClientAuth >= RequestClientCert { 1315 msg, err := c.readHandshake() 1316 if err != nil { 1317 return err 1318 } 1319 1320 certMsg, ok := msg.(*certificateMsg) 1321 if !ok { 1322 c.sendAlert(alertUnexpectedMessage) 1323 return unexpectedMessageError(certMsg, msg) 1324 } 1325 hs.writeClientHash(certMsg.marshal()) 1326 1327 if len(certMsg.certificates) == 0 { 1328 // The client didn't actually send a certificate 1329 switch config.ClientAuth { 1330 case RequireAnyClientCert, RequireAndVerifyClientCert: 1331 c.sendAlert(alertCertificateRequired) 1332 return errors.New("tls: client didn't provide a certificate") 1333 } 1334 } 1335 1336 var certs [][]byte 1337 for _, cert := range certMsg.certificates { 1338 certs = append(certs, cert.data) 1339 // OCSP responses and SCT lists are not negotiated in 1340 // client certificates. 1341 if cert.ocspResponse != nil || cert.sctList != nil { 1342 c.sendAlert(alertUnsupportedExtension) 1343 return errors.New("tls: unexpected extensions in the client certificate") 1344 } 1345 } 1346 pub, err := hs.processCertsFromClient(certs) 1347 if err != nil { 1348 return err 1349 } 1350 1351 if len(c.peerCertificates) > 0 { 1352 msg, err = c.readHandshake() 1353 if err != nil { 1354 return err 1355 } 1356 1357 certVerify, ok := msg.(*certificateVerifyMsg) 1358 if !ok { 1359 c.sendAlert(alertUnexpectedMessage) 1360 return unexpectedMessageError(certVerify, msg) 1361 } 1362 1363 c.peerSignatureAlgorithm = certVerify.signatureAlgorithm 1364 input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13) 1365 if err := verifyMessage(c.isClient, c.vers, pub, config, certVerify.signatureAlgorithm, input, certVerify.signature); err != nil { 1366 c.sendAlert(alertBadCertificate) 1367 return err 1368 } 1369 hs.writeClientHash(certVerify.marshal()) 1370 } 1371 } 1372 1373 if encryptedExtensions.extensions.channelIDRequested { 1374 msg, err := c.readHandshake() 1375 if err != nil { 1376 return err 1377 } 1378 channelIDMsg, ok := msg.(*channelIDMsg) 1379 if !ok { 1380 c.sendAlert(alertUnexpectedMessage) 1381 return unexpectedMessageError(channelIDMsg, msg) 1382 } 1383 channelIDHash := crypto.SHA256.New() 1384 channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13)) 1385 channelID, err := verifyChannelIDMessage(channelIDMsg, channelIDHash.Sum(nil)) 1386 if err != nil { 1387 return err 1388 } 1389 c.channelID = channelID 1390 1391 hs.writeClientHash(channelIDMsg.marshal()) 1392 } 1393 1394 // Read the client Finished message. 1395 msg, err := c.readHandshake() 1396 if err != nil { 1397 return err 1398 } 1399 clientFinished, ok := msg.(*finishedMsg) 1400 if !ok { 1401 c.sendAlert(alertUnexpectedMessage) 1402 return unexpectedMessageError(clientFinished, msg) 1403 } 1404 1405 verify := hs.finishedHash.clientSum(clientHandshakeTrafficSecret) 1406 if len(verify) != len(clientFinished.verifyData) || 1407 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 1408 c.sendAlert(alertHandshakeFailure) 1409 return errors.New("tls: client's Finished message was incorrect") 1410 } 1411 hs.writeClientHash(clientFinished.marshal()) 1412 1413 // Switch to application data keys on read. 1414 if err := c.useInTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, clientTrafficSecret); err != nil { 1415 return err 1416 } 1417 1418 c.cipherSuite = hs.suite 1419 c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel) 1420 1421 // TODO(davidben): Allow configuring the number of tickets sent for 1422 // testing. 1423 if !c.config.SessionTicketsDisabled && foundKEMode { 1424 ticketCount := 2 1425 for i := 0; i < ticketCount; i++ { 1426 c.SendNewSessionTicket([]byte{byte(i)}) 1427 } 1428 } 1429 return nil 1430} 1431 1432// processClientHello processes the ClientHello message from the client and 1433// decides whether we will perform session resumption. 1434func (hs *serverHandshakeState) processClientHello() (isResume bool, err error) { 1435 config := hs.c.config 1436 c := hs.c 1437 1438 hs.hello = &serverHelloMsg{ 1439 isDTLS: c.isDTLS, 1440 vers: c.wireVersion, 1441 versOverride: config.Bugs.SendServerHelloVersion, 1442 compressionMethod: config.Bugs.SendCompressionMethod, 1443 extensions: serverExtensions{ 1444 supportedVersion: config.Bugs.SendServerSupportedVersionExtension, 1445 }, 1446 omitExtensions: config.Bugs.OmitExtensions, 1447 emptyExtensions: config.Bugs.EmptyExtensions, 1448 } 1449 1450 hs.hello.random = make([]byte, 32) 1451 _, err = io.ReadFull(config.rand(), hs.hello.random) 1452 if err != nil { 1453 c.sendAlert(alertInternalError) 1454 return false, err 1455 } 1456 1457 _, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false) 1458 1459 // Signal downgrades in the server random, per RFC 8446, section 4.1.3. 1460 if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom { 1461 if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 { 1462 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13) 1463 } 1464 if c.vers <= VersionTLS11 && config.maxVersion(c.isDTLS) == VersionTLS12 { 1465 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12) 1466 } 1467 } 1468 if config.Bugs.SendJDK11DowngradeRandom { 1469 copy(hs.hello.random[len(hs.hello.random)-8:], downgradeJDK11) 1470 } 1471 1472 foundCompression := false 1473 // We only support null compression, so check that the client offered it. 1474 for _, compression := range hs.clientHello.compressionMethods { 1475 if compression == compressionNone { 1476 foundCompression = true 1477 break 1478 } 1479 } 1480 1481 if !foundCompression { 1482 c.sendAlert(alertHandshakeFailure) 1483 return false, errors.New("tls: client does not support uncompressed connections") 1484 } 1485 1486 if err := hs.processClientExtensions(&hs.hello.extensions); err != nil { 1487 return false, err 1488 } 1489 1490 supportedCurve := false 1491 preferredCurves := config.curvePreferences() 1492Curves: 1493 for _, curve := range hs.clientHello.supportedCurves { 1494 if isPqGroup(curve) && c.vers < VersionTLS13 { 1495 // Post-quantum is TLS 1.3 only. 1496 continue 1497 } 1498 1499 for _, supported := range preferredCurves { 1500 if supported == curve { 1501 supportedCurve = true 1502 break Curves 1503 } 1504 } 1505 } 1506 1507 supportedPointFormat := false 1508 for _, pointFormat := range hs.clientHello.supportedPoints { 1509 if pointFormat == pointFormatUncompressed { 1510 supportedPointFormat = true 1511 break 1512 } 1513 } 1514 hs.ellipticOk = supportedCurve && supportedPointFormat 1515 1516 _, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey) 1517 // Ed25519 also uses ECDSA certificates. 1518 _, ed25519Ok := hs.cert.PrivateKey.(ed25519.PrivateKey) 1519 hs.ecdsaOk = hs.ecdsaOk || ed25519Ok 1520 1521 // For test purposes, check that the peer never offers a session when 1522 // renegotiating. 1523 if c.cipherSuite != nil && len(hs.clientHello.sessionID) > 0 && c.config.Bugs.FailIfResumeOnRenego { 1524 return false, errors.New("tls: offered resumption on renegotiation") 1525 } 1526 1527 if hs.checkForResumption() { 1528 return true, nil 1529 } 1530 1531 var preferenceList, supportedList []uint16 1532 if c.config.PreferServerCipherSuites { 1533 preferenceList = c.config.cipherSuites() 1534 supportedList = hs.clientHello.cipherSuites 1535 } else { 1536 preferenceList = hs.clientHello.cipherSuites 1537 supportedList = c.config.cipherSuites() 1538 } 1539 1540 for _, id := range preferenceList { 1541 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil { 1542 break 1543 } 1544 } 1545 1546 if hs.suite == nil { 1547 c.sendAlert(alertHandshakeFailure) 1548 return false, errors.New("tls: no cipher suite supported by both client and server") 1549 } 1550 1551 return false, nil 1552} 1553 1554// processClientExtensions processes all ClientHello extensions not directly 1555// related to cipher suite negotiation and writes responses in serverExtensions. 1556func (hs *serverHandshakeState) processClientExtensions(serverExtensions *serverExtensions) error { 1557 config := hs.c.config 1558 c := hs.c 1559 1560 if c.vers < VersionTLS13 || config.Bugs.NegotiateRenegotiationInfoAtAllVersions { 1561 if !bytes.Equal(c.clientVerify, hs.clientHello.secureRenegotiation) { 1562 c.sendAlert(alertHandshakeFailure) 1563 return errors.New("tls: renegotiation mismatch") 1564 } 1565 1566 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo { 1567 serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.clientVerify...) 1568 serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.serverVerify...) 1569 if c.config.Bugs.BadRenegotiationInfo { 1570 serverExtensions.secureRenegotiation[0] ^= 0x80 1571 } 1572 if c.config.Bugs.BadRenegotiationInfoEnd { 1573 serverExtensions.secureRenegotiation[len(serverExtensions.secureRenegotiation)-1] ^= 0x80 1574 } 1575 } else { 1576 serverExtensions.secureRenegotiation = hs.clientHello.secureRenegotiation 1577 } 1578 1579 if c.noRenegotiationInfo() { 1580 serverExtensions.secureRenegotiation = nil 1581 } 1582 } 1583 1584 serverExtensions.duplicateExtension = c.config.Bugs.DuplicateExtension 1585 1586 if len(hs.clientHello.serverName) > 0 { 1587 c.serverName = hs.clientHello.serverName 1588 } 1589 if config.Credential == nil { 1590 c.sendAlert(alertInternalError) 1591 return errors.New("tls: no certificates configured") 1592 } 1593 hs.cert = config.Credential 1594 if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName { 1595 return fmt.Errorf("tls: unexpected server name: wanted %q, got %q", expected, hs.clientHello.serverName) 1596 } 1597 1598 if cert := config.Bugs.RenegotiationCertificate; c.cipherSuite != nil && cert != nil { 1599 hs.cert = cert 1600 } 1601 1602 if len(hs.clientHello.alpnProtocols) > 0 { 1603 // We will never offer ALPN as a client on renegotiation 1604 // handshakes. 1605 if len(c.clientVerify) > 0 { 1606 return errors.New("tls: offered ALPN on renegotiation") 1607 } 1608 if proto := c.config.Bugs.ALPNProtocol; proto != nil { 1609 serverExtensions.alpnProtocol = *proto 1610 serverExtensions.alpnProtocolEmpty = len(*proto) == 0 1611 c.clientProtocol = *proto 1612 c.usedALPN = true 1613 } else if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 1614 serverExtensions.alpnProtocol = selectedProto 1615 c.clientProtocol = selectedProto 1616 c.usedALPN = true 1617 } 1618 1619 var alpsAllowed, alpsAllowedOld bool 1620 if c.vers >= VersionTLS13 { 1621 for _, proto := range hs.clientHello.alpsProtocols { 1622 if proto == c.clientProtocol { 1623 alpsAllowed = true 1624 break 1625 } 1626 } 1627 for _, proto := range hs.clientHello.alpsProtocolsOld { 1628 if proto == c.clientProtocol { 1629 alpsAllowedOld = true 1630 break 1631 } 1632 } 1633 } 1634 1635 if c.config.Bugs.AlwaysNegotiateApplicationSettingsBoth { 1636 alpsAllowed = true 1637 alpsAllowedOld = true 1638 } 1639 if c.config.Bugs.AlwaysNegotiateApplicationSettingsNew { 1640 alpsAllowed = true 1641 } 1642 if c.config.Bugs.AlwaysNegotiateApplicationSettingsOld { 1643 alpsAllowedOld = true 1644 } 1645 if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowed { 1646 c.hasApplicationSettings = true 1647 c.localApplicationSettings = settings 1648 // Note these fields may later be cleared we accept 0-RTT. 1649 serverExtensions.hasApplicationSettings = true 1650 serverExtensions.applicationSettings = settings 1651 } 1652 if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowedOld { 1653 c.hasApplicationSettingsOld = true 1654 c.localApplicationSettingsOld = settings 1655 // Note these fields may later be cleared we accept 0-RTT. 1656 serverExtensions.hasApplicationSettingsOld = true 1657 serverExtensions.applicationSettingsOld = settings 1658 } 1659 } 1660 1661 if len(c.config.Bugs.SendALPN) > 0 { 1662 serverExtensions.alpnProtocol = c.config.Bugs.SendALPN 1663 } 1664 1665 if c.vers < VersionTLS13 || config.Bugs.NegotiateNPNAtAllVersions { 1666 if len(hs.clientHello.alpnProtocols) == 0 || c.config.Bugs.NegotiateALPNAndNPN { 1667 if hs.clientHello.nextProtoNeg && (len(config.NextProtos) > 0 || config.NegotiateNPNWithNoProtos) { 1668 serverExtensions.nextProtoNeg = true 1669 serverExtensions.nextProtos = config.NextProtos 1670 serverExtensions.npnAfterAlpn = config.Bugs.SwapNPNAndALPN 1671 } 1672 } 1673 } 1674 1675 if len(hs.clientHello.quicTransportParams) > 0 { 1676 c.quicTransportParams = hs.clientHello.quicTransportParams 1677 } 1678 if c.config.QUICTransportParamsUseLegacyCodepoint.IncludeStandard() { 1679 serverExtensions.quicTransportParams = c.config.QUICTransportParams 1680 } 1681 1682 if len(hs.clientHello.quicTransportParamsLegacy) > 0 { 1683 c.quicTransportParamsLegacy = hs.clientHello.quicTransportParamsLegacy 1684 } 1685 if c.config.QUICTransportParamsUseLegacyCodepoint.IncludeLegacy() { 1686 serverExtensions.quicTransportParamsLegacy = c.config.QUICTransportParams 1687 } 1688 1689 if c.vers < VersionTLS13 || config.Bugs.NegotiateEMSAtAllVersions { 1690 disableEMS := config.Bugs.NoExtendedMasterSecret 1691 if c.cipherSuite != nil { 1692 disableEMS = config.Bugs.NoExtendedMasterSecretOnRenegotiation 1693 } 1694 serverExtensions.extendedMasterSecret = hs.clientHello.extendedMasterSecret && !disableEMS 1695 } 1696 1697 if config.Bugs.AlwaysNegotiateChannelID || (hs.clientHello.channelIDSupported && config.RequestChannelID) { 1698 serverExtensions.channelIDRequested = true 1699 } 1700 1701 if hs.clientHello.srtpProtectionProfiles != nil { 1702 SRTPLoop: 1703 for _, p1 := range c.config.SRTPProtectionProfiles { 1704 for _, p2 := range hs.clientHello.srtpProtectionProfiles { 1705 if p1 == p2 { 1706 serverExtensions.srtpProtectionProfile = p1 1707 c.srtpProtectionProfile = p1 1708 break SRTPLoop 1709 } 1710 } 1711 } 1712 } 1713 1714 if c.config.Bugs.SendSRTPProtectionProfile != 0 { 1715 serverExtensions.srtpProtectionProfile = c.config.Bugs.SendSRTPProtectionProfile 1716 } 1717 1718 if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil { 1719 if hs.clientHello.customExtension != *expected { 1720 return fmt.Errorf("tls: bad custom extension contents %q", hs.clientHello.customExtension) 1721 } 1722 } 1723 serverExtensions.customExtension = config.Bugs.CustomExtension 1724 1725 if c.config.Bugs.AdvertiseTicketExtension { 1726 serverExtensions.ticketSupported = true 1727 } 1728 1729 if c.config.Bugs.SendSupportedPointFormats != nil { 1730 serverExtensions.supportedPoints = c.config.Bugs.SendSupportedPointFormats 1731 } 1732 1733 if c.config.Bugs.SendServerSupportedCurves { 1734 serverExtensions.supportedCurves = c.config.curvePreferences() 1735 } 1736 1737 if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE { 1738 return errors.New("tls: no GREASE extension found") 1739 } 1740 1741 serverExtensions.serverNameAck = c.config.Bugs.SendServerNameAck 1742 1743 if (c.vers >= VersionTLS13 && hs.clientHello.echOuter != nil) || c.config.Bugs.AlwaysSendECHRetryConfigs { 1744 if len(config.Bugs.SendECHRetryConfigs) > 0 { 1745 serverExtensions.echRetryConfigs = config.Bugs.SendECHRetryConfigs 1746 } else if len(config.ServerECHConfigs) > 0 { 1747 echConfigs := make([][]byte, len(config.ServerECHConfigs)) 1748 for i, echConfig := range config.ServerECHConfigs { 1749 echConfigs[i] = echConfig.ECHConfig.Raw 1750 } 1751 serverExtensions.echRetryConfigs = CreateECHConfigList(echConfigs...) 1752 } 1753 } 1754 1755 return nil 1756} 1757 1758// checkForResumption returns true if we should perform resumption on this connection. 1759func (hs *serverHandshakeState) checkForResumption() bool { 1760 c := hs.c 1761 1762 ticket := hs.clientHello.sessionTicket 1763 if len(ticket) == 0 && len(hs.clientHello.pskIdentities) > 0 && c.config.Bugs.AcceptAnySession { 1764 ticket = hs.clientHello.pskIdentities[0].ticket 1765 } 1766 if len(ticket) > 0 { 1767 if c.config.SessionTicketsDisabled { 1768 return false 1769 } 1770 1771 var ok bool 1772 if hs.sessionState, ok = c.decryptTicket(ticket); !ok { 1773 return false 1774 } 1775 } else { 1776 if c.config.ServerSessionCache == nil { 1777 return false 1778 } 1779 1780 var ok bool 1781 sessionID := string(hs.clientHello.sessionID) 1782 if hs.sessionState, ok = c.config.ServerSessionCache.Get(sessionID); !ok { 1783 return false 1784 } 1785 } 1786 1787 if c.config.Bugs.AcceptAnySession { 1788 // Replace the cipher suite with one known to work, to test 1789 // cross-version resumption attempts. 1790 hs.sessionState.cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA 1791 } else { 1792 // Never resume a session for a different SSL version. 1793 if c.vers != hs.sessionState.vers { 1794 return false 1795 } 1796 1797 cipherSuiteOk := false 1798 // Check that the client is still offering the ciphersuite in the session. 1799 for _, id := range hs.clientHello.cipherSuites { 1800 if id == hs.sessionState.cipherSuite { 1801 cipherSuiteOk = true 1802 break 1803 } 1804 } 1805 if !cipherSuiteOk { 1806 return false 1807 } 1808 } 1809 1810 // Check that we also support the ciphersuite from the session. 1811 hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), c.vers, hs.ellipticOk, hs.ecdsaOk) 1812 1813 if hs.suite == nil { 1814 return false 1815 } 1816 1817 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 1818 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 1819 if needClientCerts && !sessionHasClientCerts { 1820 return false 1821 } 1822 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 1823 return false 1824 } 1825 1826 return true 1827} 1828 1829func (hs *serverHandshakeState) doResumeHandshake() error { 1830 c := hs.c 1831 1832 hs.hello.cipherSuite = hs.suite.id 1833 if c.config.Bugs.SendCipherSuite != 0 { 1834 hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite 1835 } 1836 // We echo the client's session ID in the ServerHello to let it know 1837 // that we're doing a resumption. 1838 hs.hello.sessionID = hs.clientHello.sessionID 1839 hs.hello.extensions.ticketSupported = c.config.Bugs.RenewTicketOnResume 1840 1841 if c.config.Bugs.SendSCTListOnResume != nil { 1842 hs.hello.extensions.sctList = c.config.Bugs.SendSCTListOnResume 1843 } 1844 1845 if c.config.Bugs.SendOCSPResponseOnResume != nil { 1846 // There is no way, syntactically, to send an OCSP response on a 1847 // resumption handshake. 1848 hs.hello.extensions.ocspStapling = true 1849 } 1850 1851 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 1852 hs.finishedHash.discardHandshakeBuffer() 1853 hs.writeClientHash(hs.clientHello.marshal()) 1854 hs.writeServerHash(hs.hello.marshal()) 1855 1856 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 1857 1858 if len(hs.sessionState.certificates) > 0 { 1859 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 1860 return err 1861 } 1862 } 1863 1864 hs.masterSecret = hs.sessionState.secret 1865 c.extendedMasterSecret = hs.sessionState.extendedMasterSecret 1866 1867 return nil 1868} 1869 1870func (hs *serverHandshakeState) doFullHandshake() error { 1871 config := hs.c.config 1872 c := hs.c 1873 1874 isPSK := hs.suite.flags&suitePSK != 0 1875 if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling { 1876 hs.hello.extensions.ocspStapling = true 1877 } 1878 1879 if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps { 1880 hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList 1881 } 1882 1883 if len(c.clientVerify) > 0 && config.Bugs.SendSCTListOnRenegotiation != nil { 1884 hs.hello.extensions.sctList = config.Bugs.SendSCTListOnRenegotiation 1885 } 1886 1887 hs.hello.extensions.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled 1888 hs.hello.cipherSuite = hs.suite.id 1889 if config.Bugs.SendCipherSuite != 0 { 1890 hs.hello.cipherSuite = config.Bugs.SendCipherSuite 1891 } 1892 c.extendedMasterSecret = hs.hello.extensions.extendedMasterSecret 1893 1894 // Generate a session ID if we're to save the session. 1895 if !hs.hello.extensions.ticketSupported && config.ServerSessionCache != nil { 1896 l := config.Bugs.NewSessionIDLength 1897 if l == 0 { 1898 l = 32 1899 } 1900 hs.hello.sessionID = make([]byte, l) 1901 if _, err := io.ReadFull(config.rand(), hs.hello.sessionID); err != nil { 1902 c.sendAlert(alertInternalError) 1903 return errors.New("tls: short read from Rand: " + err.Error()) 1904 } 1905 } 1906 if config.Bugs.EchoSessionIDInFullHandshake { 1907 hs.hello.sessionID = hs.clientHello.sessionID 1908 } 1909 1910 hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite) 1911 hs.writeClientHash(hs.clientHello.marshal()) 1912 hs.writeServerHash(hs.hello.marshal()) 1913 1914 if config.Bugs.SendSNIWarningAlert { 1915 c.SendAlert(alertLevelWarning, alertUnrecognizedName) 1916 } 1917 1918 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 1919 1920 if !isPSK { 1921 certMsg := new(certificateMsg) 1922 if !config.Bugs.EmptyCertificateList { 1923 for _, certData := range hs.cert.Certificate { 1924 certMsg.certificates = append(certMsg.certificates, certificateEntry{ 1925 data: certData, 1926 }) 1927 } 1928 } 1929 if !config.Bugs.UnauthenticatedECDH { 1930 certMsgBytes := certMsg.marshal() 1931 hs.writeServerHash(certMsgBytes) 1932 c.writeRecord(recordTypeHandshake, certMsgBytes) 1933 } 1934 } 1935 1936 if hs.hello.extensions.ocspStapling && !c.config.Bugs.SkipCertificateStatus { 1937 certStatus := new(certificateStatusMsg) 1938 certStatus.statusType = statusTypeOCSP 1939 certStatus.response = hs.cert.OCSPStaple 1940 if len(c.clientVerify) > 0 && config.Bugs.SendOCSPResponseOnRenegotiation != nil { 1941 certStatus.response = config.Bugs.SendOCSPResponseOnRenegotiation 1942 } 1943 hs.writeServerHash(certStatus.marshal()) 1944 c.writeRecord(recordTypeHandshake, certStatus.marshal()) 1945 } 1946 1947 keyAgreement := hs.suite.ka(c.vers) 1948 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello, c.vers) 1949 if err != nil { 1950 c.sendAlert(alertHandshakeFailure) 1951 return err 1952 } 1953 if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok { 1954 c.curveID = ecdhe.curveID 1955 } 1956 if skx != nil && !config.Bugs.SkipServerKeyExchange { 1957 hs.writeServerHash(skx.marshal()) 1958 c.writeRecord(recordTypeHandshake, skx.marshal()) 1959 } 1960 1961 if config.ClientAuth >= RequestClientCert { 1962 // Request a client certificate 1963 certReq := &certificateRequestMsg{ 1964 vers: c.wireVersion, 1965 certificateTypes: config.ClientCertificateTypes, 1966 } 1967 if certReq.certificateTypes == nil { 1968 certReq.certificateTypes = []byte{CertTypeRSASign, CertTypeECDSASign} 1969 } 1970 if c.vers >= VersionTLS12 { 1971 certReq.hasSignatureAlgorithm = true 1972 if !config.Bugs.NoSignatureAlgorithms { 1973 certReq.signatureAlgorithms = config.verifySignatureAlgorithms() 1974 } 1975 } 1976 1977 // An empty list of certificateAuthorities signals to 1978 // the client that it may send any certificate in response 1979 // to our request. When we know the CAs we trust, then 1980 // we can send them down, so that the client can choose 1981 // an appropriate certificate to give to us. 1982 if config.ClientCAs != nil { 1983 certReq.certificateAuthorities = config.ClientCAs.Subjects() 1984 } 1985 hs.writeServerHash(certReq.marshal()) 1986 c.writeRecord(recordTypeHandshake, certReq.marshal()) 1987 } 1988 1989 helloDone := new(serverHelloDoneMsg) 1990 helloDoneBytes := helloDone.marshal() 1991 hs.writeServerHash(helloDoneBytes) 1992 var toAppend byte 1993 if config.Bugs.PartialNewSessionTicketWithServerHelloDone { 1994 toAppend = typeNewSessionTicket 1995 } else if config.Bugs.PartialFinishedWithServerHelloDone { 1996 toAppend = typeFinished 1997 } 1998 if toAppend != 0 { 1999 c.writeRecord(recordTypeHandshake, append(helloDoneBytes[:len(helloDoneBytes):len(helloDoneBytes)], toAppend)) 2000 } else { 2001 c.writeRecord(recordTypeHandshake, helloDoneBytes) 2002 } 2003 c.flushHandshake() 2004 2005 var pub crypto.PublicKey // public key for client auth, if any 2006 2007 if err := c.simulatePacketLoss(nil); err != nil { 2008 return err 2009 } 2010 msg, err := c.readHandshake() 2011 if err != nil { 2012 return err 2013 } 2014 2015 // If we requested a client certificate, then the client must send a 2016 // certificate message, even if it's empty. 2017 if config.ClientAuth >= RequestClientCert { 2018 certMsg, ok := msg.(*certificateMsg) 2019 if !ok { 2020 c.sendAlert(alertUnexpectedMessage) 2021 return unexpectedMessageError(certMsg, msg) 2022 } 2023 hs.writeClientHash(certMsg.marshal()) 2024 2025 if len(certMsg.certificates) == 0 { 2026 // The client didn't actually send a certificate 2027 switch config.ClientAuth { 2028 case RequireAnyClientCert, RequireAndVerifyClientCert: 2029 c.sendAlert(alertBadCertificate) 2030 return errors.New("tls: client didn't provide a certificate") 2031 } 2032 } 2033 2034 var certificates [][]byte 2035 for _, cert := range certMsg.certificates { 2036 certificates = append(certificates, cert.data) 2037 } 2038 2039 pub, err = hs.processCertsFromClient(certificates) 2040 if err != nil { 2041 return err 2042 } 2043 2044 msg, err = c.readHandshake() 2045 if err != nil { 2046 return err 2047 } 2048 } 2049 2050 // Get client key exchange 2051 ckx, ok := msg.(*clientKeyExchangeMsg) 2052 if !ok { 2053 c.sendAlert(alertUnexpectedMessage) 2054 return unexpectedMessageError(ckx, msg) 2055 } 2056 hs.writeClientHash(ckx.marshal()) 2057 2058 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers) 2059 if err != nil { 2060 c.sendAlert(alertHandshakeFailure) 2061 return err 2062 } 2063 if c.extendedMasterSecret { 2064 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 2065 } else { 2066 if c.config.Bugs.RequireExtendedMasterSecret { 2067 return errors.New("tls: extended master secret required but not supported by peer") 2068 } 2069 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 2070 } 2071 2072 // If we received a client cert in response to our certificate request message, 2073 // the client will send us a certificateVerifyMsg immediately after the 2074 // clientKeyExchangeMsg. This message is a digest of all preceding 2075 // handshake-layer messages that is signed using the private key corresponding 2076 // to the client's certificate. This allows us to verify that the client is in 2077 // possession of the private key of the certificate. 2078 if len(c.peerCertificates) > 0 { 2079 msg, err = c.readHandshake() 2080 if err != nil { 2081 return err 2082 } 2083 certVerify, ok := msg.(*certificateVerifyMsg) 2084 if !ok { 2085 c.sendAlert(alertUnexpectedMessage) 2086 return unexpectedMessageError(certVerify, msg) 2087 } 2088 2089 // Determine the signature type. 2090 var sigAlg signatureAlgorithm 2091 if certVerify.hasSignatureAlgorithm { 2092 sigAlg = certVerify.signatureAlgorithm 2093 c.peerSignatureAlgorithm = sigAlg 2094 } 2095 2096 if err := verifyMessage(c.isClient, c.vers, pub, c.config, sigAlg, hs.finishedHash.buffer, certVerify.signature); err != nil { 2097 c.sendAlert(alertBadCertificate) 2098 return errors.New("could not validate signature of connection nonces: " + err.Error()) 2099 } 2100 2101 hs.writeClientHash(certVerify.marshal()) 2102 } 2103 2104 hs.finishedHash.discardHandshakeBuffer() 2105 2106 return nil 2107} 2108 2109func (hs *serverHandshakeState) establishKeys() error { 2110 c := hs.c 2111 2112 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 2113 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers)) 2114 2115 var clientCipher, serverCipher any 2116 var clientHash, serverHash macFunction 2117 2118 if hs.suite.aead == nil { 2119 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 2120 clientHash = hs.suite.mac(c.vers, clientMAC) 2121 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 2122 serverHash = hs.suite.mac(c.vers, serverMAC) 2123 } else { 2124 clientCipher = hs.suite.aead(c.vers, clientKey, clientIV) 2125 serverCipher = hs.suite.aead(c.vers, serverKey, serverIV) 2126 } 2127 2128 c.in.prepareCipherSpec(c.wireVersion, clientCipher, clientHash) 2129 c.out.prepareCipherSpec(c.wireVersion, serverCipher, serverHash) 2130 2131 return nil 2132} 2133 2134func (hs *serverHandshakeState) readFinished(out []byte, isResume bool) error { 2135 c := hs.c 2136 2137 c.readRecord(recordTypeChangeCipherSpec) 2138 if err := c.in.error(); err != nil { 2139 return err 2140 } 2141 2142 if hs.hello.extensions.nextProtoNeg { 2143 msg, err := c.readHandshake() 2144 if err != nil { 2145 return err 2146 } 2147 nextProto, ok := msg.(*nextProtoMsg) 2148 if !ok { 2149 c.sendAlert(alertUnexpectedMessage) 2150 return unexpectedMessageError(nextProto, msg) 2151 } 2152 hs.writeClientHash(nextProto.marshal()) 2153 c.clientProtocol = nextProto.proto 2154 } 2155 2156 if hs.hello.extensions.channelIDRequested { 2157 msg, err := c.readHandshake() 2158 if err != nil { 2159 return err 2160 } 2161 channelIDMsg, ok := msg.(*channelIDMsg) 2162 if !ok { 2163 c.sendAlert(alertUnexpectedMessage) 2164 return unexpectedMessageError(channelIDMsg, msg) 2165 } 2166 var resumeHash []byte 2167 if isResume { 2168 resumeHash = hs.sessionState.handshakeHash 2169 } 2170 channelID, err := verifyChannelIDMessage(channelIDMsg, hs.finishedHash.hashForChannelID(resumeHash)) 2171 if err != nil { 2172 return err 2173 } 2174 c.channelID = channelID 2175 2176 hs.writeClientHash(channelIDMsg.marshal()) 2177 } 2178 2179 msg, err := c.readHandshake() 2180 if err != nil { 2181 return err 2182 } 2183 clientFinished, ok := msg.(*finishedMsg) 2184 if !ok { 2185 c.sendAlert(alertUnexpectedMessage) 2186 return unexpectedMessageError(clientFinished, msg) 2187 } 2188 2189 verify := hs.finishedHash.clientSum(hs.masterSecret) 2190 if len(verify) != len(clientFinished.verifyData) || 2191 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 2192 c.sendAlert(alertHandshakeFailure) 2193 return errors.New("tls: client's Finished message is incorrect") 2194 } 2195 c.clientVerify = append(c.clientVerify[:0], clientFinished.verifyData...) 2196 copy(out, clientFinished.verifyData) 2197 2198 hs.writeClientHash(clientFinished.marshal()) 2199 return nil 2200} 2201 2202func (hs *serverHandshakeState) sendSessionTicket() error { 2203 c := hs.c 2204 state := sessionState{ 2205 vers: c.vers, 2206 cipherSuite: hs.suite.id, 2207 secret: hs.masterSecret, 2208 certificates: hs.certsFromClient, 2209 handshakeHash: hs.finishedHash.Sum(), 2210 } 2211 2212 if !hs.hello.extensions.ticketSupported || hs.c.config.Bugs.SkipNewSessionTicket { 2213 if c.config.ServerSessionCache != nil && len(hs.hello.sessionID) != 0 { 2214 c.config.ServerSessionCache.Put(string(hs.hello.sessionID), &state) 2215 } 2216 return nil 2217 } 2218 2219 m := new(newSessionTicketMsg) 2220 m.vers = c.wireVersion 2221 m.isDTLS = c.isDTLS 2222 if c.config.Bugs.SendTicketLifetime != 0 { 2223 m.ticketLifetime = uint32(c.config.Bugs.SendTicketLifetime / time.Second) 2224 } 2225 2226 if !c.config.Bugs.SendEmptySessionTicket { 2227 var err error 2228 m.ticket, err = c.encryptTicket(&state) 2229 if err != nil { 2230 return err 2231 } 2232 } 2233 2234 hs.writeServerHash(m.marshal()) 2235 if c.config.Bugs.PartialNewSessionTicketWithServerHelloDone { 2236 // The first byte was already sent. 2237 c.writeRecord(recordTypeHandshake, m.marshal()[1:]) 2238 } else { 2239 c.writeRecord(recordTypeHandshake, m.marshal()) 2240 } 2241 2242 return nil 2243} 2244 2245func (hs *serverHandshakeState) sendFinished(out []byte, isResume bool) error { 2246 c := hs.c 2247 2248 finished := new(finishedMsg) 2249 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 2250 copy(out, finished.verifyData) 2251 if c.config.Bugs.BadFinished { 2252 finished.verifyData[0]++ 2253 } 2254 c.serverVerify = append(c.serverVerify[:0], finished.verifyData...) 2255 hs.finishedBytes = finished.marshal() 2256 hs.writeServerHash(hs.finishedBytes) 2257 postCCSBytes := hs.finishedBytes 2258 if c.config.Bugs.PartialFinishedWithServerHelloDone { 2259 // The first byte has already been sent. 2260 postCCSBytes = postCCSBytes[1:] 2261 } 2262 2263 if c.config.Bugs.FragmentAcrossChangeCipherSpec { 2264 c.writeRecord(recordTypeHandshake, postCCSBytes[:5]) 2265 postCCSBytes = postCCSBytes[5:] 2266 } else if c.config.Bugs.SendUnencryptedFinished { 2267 c.writeRecord(recordTypeHandshake, postCCSBytes) 2268 postCCSBytes = nil 2269 } 2270 2271 if !c.config.Bugs.SkipChangeCipherSpec { 2272 ccs := []byte{1} 2273 if c.config.Bugs.BadChangeCipherSpec != nil { 2274 ccs = c.config.Bugs.BadChangeCipherSpec 2275 } 2276 c.writeRecord(recordTypeChangeCipherSpec, ccs) 2277 } 2278 2279 if c.config.Bugs.AppDataAfterChangeCipherSpec != nil { 2280 c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec) 2281 } 2282 if c.config.Bugs.AlertAfterChangeCipherSpec != 0 { 2283 c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec) 2284 return errors.New("tls: simulating post-CCS alert") 2285 } 2286 2287 if !c.config.Bugs.SkipFinished && len(postCCSBytes) > 0 { 2288 c.writeRecord(recordTypeHandshake, postCCSBytes) 2289 if c.config.Bugs.SendExtraFinished { 2290 c.writeRecord(recordTypeHandshake, finished.marshal()) 2291 } 2292 } 2293 2294 if isResume || (!c.config.Bugs.PackHelloRequestWithFinished && !c.config.Bugs.PackAppDataWithHandshake) { 2295 // Defer flushing until Renegotiate() or Write(). 2296 c.flushHandshake() 2297 } 2298 2299 c.cipherSuite = hs.suite 2300 2301 return nil 2302} 2303 2304// processCertsFromClient takes a chain of client certificates either from a 2305// Certificates message or from a sessionState and verifies them. It returns 2306// the public key of the leaf certificate. 2307func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 2308 c := hs.c 2309 2310 hs.certsFromClient = certificates 2311 certs := make([]*x509.Certificate, len(certificates)) 2312 var err error 2313 for i, asn1Data := range certificates { 2314 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 2315 c.sendAlert(alertBadCertificate) 2316 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 2317 } 2318 } 2319 2320 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 2321 opts := x509.VerifyOptions{ 2322 Roots: c.config.ClientCAs, 2323 CurrentTime: c.config.time(), 2324 Intermediates: x509.NewCertPool(), 2325 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 2326 } 2327 2328 for _, cert := range certs[1:] { 2329 opts.Intermediates.AddCert(cert) 2330 } 2331 2332 chains, err := certs[0].Verify(opts) 2333 if err != nil { 2334 c.sendAlert(alertBadCertificate) 2335 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 2336 } 2337 2338 ok := false 2339 for _, ku := range certs[0].ExtKeyUsage { 2340 if ku == x509.ExtKeyUsageClientAuth { 2341 ok = true 2342 break 2343 } 2344 } 2345 if !ok { 2346 c.sendAlert(alertHandshakeFailure) 2347 return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication") 2348 } 2349 2350 c.verifiedChains = chains 2351 } 2352 2353 if len(certs) > 0 { 2354 pub := certs[0].PublicKey 2355 switch pub.(type) { 2356 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: 2357 break 2358 default: 2359 c.sendAlert(alertUnsupportedCertificate) 2360 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", pub) 2361 } 2362 c.peerCertificates = certs 2363 return pub, nil 2364 } 2365 2366 return nil, nil 2367} 2368 2369func verifyChannelIDMessage(channelIDMsg *channelIDMsg, channelIDHash []byte) (*ecdsa.PublicKey, error) { 2370 x := new(big.Int).SetBytes(channelIDMsg.channelID[0:32]) 2371 y := new(big.Int).SetBytes(channelIDMsg.channelID[32:64]) 2372 r := new(big.Int).SetBytes(channelIDMsg.channelID[64:96]) 2373 s := new(big.Int).SetBytes(channelIDMsg.channelID[96:128]) 2374 if !elliptic.P256().IsOnCurve(x, y) { 2375 return nil, errors.New("tls: invalid channel ID public key") 2376 } 2377 channelID := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y} 2378 if !ecdsa.Verify(channelID, channelIDHash, r, s) { 2379 return nil, errors.New("tls: invalid channel ID signature") 2380 } 2381 return channelID, nil 2382} 2383 2384func (hs *serverHandshakeState) writeServerHash(msg []byte) { 2385 // writeServerHash is called before writeRecord. 2386 hs.finishedHash.WriteHandshake(msg, hs.c.sendHandshakeSeq) 2387} 2388 2389func (hs *serverHandshakeState) writeClientHash(msg []byte) { 2390 // writeClientHash is called after readHandshake. 2391 hs.finishedHash.WriteHandshake(msg, hs.c.recvHandshakeSeq-1) 2392} 2393 2394// tryCipherSuite returns a cipherSuite with the given id if that cipher suite 2395// is acceptable to use. 2396func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite { 2397 for _, supported := range supportedCipherSuites { 2398 if id == supported { 2399 var candidate *cipherSuite 2400 2401 for _, s := range cipherSuites { 2402 if s.id == id { 2403 candidate = s 2404 break 2405 } 2406 } 2407 if candidate == nil { 2408 continue 2409 } 2410 2411 // Don't select a ciphersuite which we can't 2412 // support for this client. 2413 if version >= VersionTLS13 || candidate.flags&suiteTLS13 != 0 { 2414 if version < VersionTLS13 || candidate.flags&suiteTLS13 == 0 { 2415 continue 2416 } 2417 return candidate 2418 } 2419 if (candidate.flags&suiteECDHE != 0) && !ellipticOk { 2420 continue 2421 } 2422 if (candidate.flags&suiteECDSA != 0) != ecdsaOk { 2423 continue 2424 } 2425 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 2426 continue 2427 } 2428 return candidate 2429 } 2430 } 2431 2432 return nil 2433} 2434 2435func isTLS12Cipher(id uint16) bool { 2436 for _, cipher := range cipherSuites { 2437 if cipher.id != id { 2438 continue 2439 } 2440 return cipher.flags&suiteTLS12 != 0 2441 } 2442 // Unknown cipher. 2443 return false 2444} 2445 2446func isGREASEValue(val uint16) bool { 2447 return val&0x0f0f == 0x0a0a && val&0xff == val>>8 2448} 2449 2450func verifyPSKBinder(version uint16, clientHello *clientHelloMsg, sessionState *sessionState, binderToVerify, firstClientHello, helloRetryRequest []byte) error { 2451 binderLen := 2 2452 for _, binder := range clientHello.pskBinders { 2453 binderLen += 1 + len(binder) 2454 } 2455 2456 truncatedHello := clientHello.marshal() 2457 truncatedHello = truncatedHello[:len(truncatedHello)-binderLen] 2458 pskCipherSuite := cipherSuiteFromID(sessionState.cipherSuite) 2459 if pskCipherSuite == nil { 2460 return errors.New("tls: Unknown cipher suite for PSK in session") 2461 } 2462 2463 binder := computePSKBinder(sessionState.secret, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello) 2464 if !bytes.Equal(binder, binderToVerify) { 2465 return errors.New("tls: PSK binder does not verify") 2466 } 2467 2468 return nil 2469} 2470 2471// checkClientHellosEqual checks whether a and b are equal ClientHello 2472// messages. If isDTLS is true, the ClientHellos are parsed as DTLS and any 2473// differences in the cookie field are ignored. Extensions listed in 2474// ignoreExtensions may change or be removed between the two ClientHellos. 2475func checkClientHellosEqual(a, b []byte, isDTLS bool, ignoreExtensions []uint16) error { 2476 ignoreExtensionsSet := make(map[uint16]struct{}) 2477 for _, ext := range ignoreExtensions { 2478 ignoreExtensionsSet[ext] = struct{}{} 2479 } 2480 2481 // Skip the handshake message header. 2482 aReader := cryptobyte.String(a[4:]) 2483 bReader := cryptobyte.String(b[4:]) 2484 2485 var aVers, bVers uint16 2486 var aRandom, bRandom []byte 2487 var aSessionID, bSessionID []byte 2488 if !aReader.ReadUint16(&aVers) || 2489 !bReader.ReadUint16(&bVers) || 2490 !aReader.ReadBytes(&aRandom, 32) || 2491 !bReader.ReadBytes(&bRandom, 32) || 2492 !readUint8LengthPrefixedBytes(&aReader, &aSessionID) || 2493 !readUint8LengthPrefixedBytes(&bReader, &bSessionID) { 2494 return errors.New("tls: could not parse ClientHello") 2495 } 2496 2497 if aVers != bVers { 2498 return errors.New("tls: second ClientHello version did not match") 2499 } 2500 if !bytes.Equal(aRandom, bRandom) { 2501 return errors.New("tls: second ClientHello random did not match") 2502 } 2503 if !bytes.Equal(aSessionID, bSessionID) { 2504 return errors.New("tls: second ClientHello session ID did not match") 2505 } 2506 2507 if isDTLS { 2508 // DTLS 1.2 checks two ClientHellos match after a HelloVerifyRequest, 2509 // where we expect the cookies to change. DTLS 1.3 forbids the legacy 2510 // cookie altogether. If we implement DTLS 1.3, we'll need to ensure 2511 // that parsing logic above this function rejects this cookie. 2512 var aCookie, bCookie []byte 2513 if !readUint8LengthPrefixedBytes(&aReader, &aCookie) || 2514 !readUint8LengthPrefixedBytes(&bReader, &bCookie) { 2515 return errors.New("tls: could not parse ClientHello") 2516 } 2517 } 2518 2519 var aCipherSuites, bCipherSuites, aCompressionMethods, bCompressionMethods []byte 2520 if !readUint16LengthPrefixedBytes(&aReader, &aCipherSuites) || 2521 !readUint16LengthPrefixedBytes(&bReader, &bCipherSuites) || 2522 !readUint8LengthPrefixedBytes(&aReader, &aCompressionMethods) || 2523 !readUint8LengthPrefixedBytes(&bReader, &bCompressionMethods) { 2524 return errors.New("tls: could not parse ClientHello") 2525 } 2526 if !bytes.Equal(aCipherSuites, bCipherSuites) { 2527 return errors.New("tls: second ClientHello cipher suites did not match") 2528 } 2529 if !bytes.Equal(aCompressionMethods, bCompressionMethods) { 2530 return errors.New("tls: second ClientHello compression methods did not match") 2531 } 2532 2533 if len(aReader) == 0 && len(bReader) == 0 { 2534 // Both ClientHellos omit the extensions block. 2535 return nil 2536 } 2537 2538 var aExtensions, bExtensions cryptobyte.String 2539 if !aReader.ReadUint16LengthPrefixed(&aExtensions) || 2540 !bReader.ReadUint16LengthPrefixed(&bExtensions) || 2541 len(aReader) != 0 || 2542 len(bReader) != 0 { 2543 return errors.New("tls: could not parse ClientHello") 2544 } 2545 2546 for len(aExtensions) != 0 { 2547 var aID uint16 2548 var aBody []byte 2549 if !aExtensions.ReadUint16(&aID) || 2550 !readUint16LengthPrefixedBytes(&aExtensions, &aBody) { 2551 return errors.New("tls: could not parse ClientHello") 2552 } 2553 if _, ok := ignoreExtensionsSet[aID]; ok { 2554 continue 2555 } 2556 2557 for { 2558 if len(bExtensions) == 0 { 2559 return fmt.Errorf("tls: second ClientHello missing extension %d", aID) 2560 } 2561 var bID uint16 2562 var bBody []byte 2563 if !bExtensions.ReadUint16(&bID) || 2564 !readUint16LengthPrefixedBytes(&bExtensions, &bBody) { 2565 return errors.New("tls: could not parse ClientHello") 2566 } 2567 if _, ok := ignoreExtensionsSet[bID]; ok { 2568 continue 2569 } 2570 if aID != bID { 2571 return fmt.Errorf("tls: unexpected extension %d in second ClientHello (wanted %d)", bID, aID) 2572 } 2573 if !bytes.Equal(aBody, bBody) { 2574 return fmt.Errorf("tls: extension %d in second ClientHello unexpectedly changed", aID) 2575 } 2576 break 2577 } 2578 } 2579 2580 // Any remaining extensions in the second ClientHello must be in the 2581 // ignored set. 2582 for len(bExtensions) != 0 { 2583 var id uint16 2584 var body []byte 2585 if !bExtensions.ReadUint16(&id) || 2586 !readUint16LengthPrefixedBytes(&bExtensions, &body) { 2587 return errors.New("tls: could not parse ClientHello") 2588 } 2589 if _, ok := ignoreExtensionsSet[id]; !ok { 2590 return fmt.Errorf("tls: unexpected extension %d in second ClientHello", id) 2591 } 2592 } 2593 2594 return nil 2595} 2596