xref: /aosp_15_r20/external/boringssl/src/ssl/test/runner/handshake_server.go (revision 8fb009dc861624b67b6cdb62ea21f0f22d0c584b)
1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"bytes"
9	"crypto"
10	"crypto/ecdsa"
11	"crypto/ed25519"
12	"crypto/elliptic"
13	"crypto/rsa"
14	"crypto/subtle"
15	"crypto/x509"
16	"errors"
17	"fmt"
18	"io"
19	"math/big"
20	"time"
21
22	"boringssl.googlesource.com/boringssl/ssl/test/runner/hpke"
23	"golang.org/x/crypto/cryptobyte"
24)
25
26// serverHandshakeState contains details of a server handshake in progress.
27// It's discarded once the handshake has completed.
28type serverHandshakeState struct {
29	c               *Conn
30	clientHello     *clientHelloMsg
31	hello           *serverHelloMsg
32	suite           *cipherSuite
33	ellipticOk      bool
34	ecdsaOk         bool
35	sessionState    *sessionState
36	finishedHash    finishedHash
37	masterSecret    []byte
38	certsFromClient [][]byte
39	cert            *Credential
40	finishedBytes   []byte
41	echHPKEContext  *hpke.Context
42	echConfigID     uint8
43}
44
45// serverHandshake performs a TLS handshake as a server.
46func (c *Conn) serverHandshake() error {
47	config := c.config
48
49	// If this is the first server handshake, we generate a random key to
50	// encrypt the tickets with.
51	config.serverInitOnce.Do(config.serverInit)
52
53	c.sendHandshakeSeq = 0
54	c.recvHandshakeSeq = 0
55
56	hs := serverHandshakeState{
57		c: c,
58	}
59	if err := hs.readClientHello(); err != nil {
60		return err
61	}
62
63	if c.vers >= VersionTLS13 {
64		if err := hs.doTLS13Handshake(); err != nil {
65			return err
66		}
67	} else {
68		isResume, err := hs.processClientHello()
69		if err != nil {
70			return err
71		}
72
73		// We only implement enough of SSL 3.0 to test that the client doesn't:
74		// if negotiated (possibly with the NegotiateVersion bug), we send a
75		// ServerHello and look for the resulting client protocol_version alert.
76		if c.vers == VersionSSL30 {
77			c.writeRecord(recordTypeHandshake, hs.hello.marshal())
78			c.flushHandshake()
79			if _, err := c.readHandshake(); err != nil {
80				return err
81			}
82			return errors.New("tls: client did not reject an SSL 3.0 ServerHello")
83		}
84
85		// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3
86		if isResume {
87			// The client has included a session ticket and so we do an abbreviated handshake.
88			if err := hs.doResumeHandshake(); err != nil {
89				return err
90			}
91			if err := hs.establishKeys(); err != nil {
92				return err
93			}
94			if c.config.Bugs.RenewTicketOnResume {
95				if err := hs.sendSessionTicket(); err != nil {
96					return err
97				}
98			}
99			if err := hs.sendFinished(c.firstFinished[:], isResume); err != nil {
100				return err
101			}
102			// Most retransmits are triggered by a timeout, but the final
103			// leg of the handshake is retransmited upon re-receiving a
104			// Finished.
105			if err := c.simulatePacketLoss(func() {
106				c.sendHandshakeSeq--
107				c.writeRecord(recordTypeHandshake, hs.finishedBytes)
108				c.flushHandshake()
109			}); err != nil {
110				return err
111			}
112			if err := hs.readFinished(nil, isResume); err != nil {
113				return err
114			}
115			c.didResume = true
116		} else {
117			// The client didn't include a session ticket, or it wasn't
118			// valid so we do a full handshake.
119			if err := hs.doFullHandshake(); err != nil {
120				return err
121			}
122			if err := hs.establishKeys(); err != nil {
123				return err
124			}
125			if err := hs.readFinished(c.firstFinished[:], isResume); err != nil {
126				return err
127			}
128			if c.config.Bugs.AlertBeforeFalseStartTest != 0 {
129				c.sendAlert(c.config.Bugs.AlertBeforeFalseStartTest)
130			}
131			if c.config.Bugs.ExpectFalseStart {
132				if err := c.readRecord(recordTypeApplicationData); err != nil {
133					return fmt.Errorf("tls: peer did not false start: %s", err)
134				}
135			}
136			if err := hs.sendSessionTicket(); err != nil {
137				return err
138			}
139			if err := hs.sendFinished(nil, isResume); err != nil {
140				return err
141			}
142		}
143
144		c.exporterSecret = hs.masterSecret
145	}
146	c.handshakeComplete = true
147	copy(c.clientRandom[:], hs.clientHello.random)
148	copy(c.serverRandom[:], hs.hello.random)
149
150	return nil
151}
152
153// readClientHello reads a ClientHello message from the client and determines
154// the protocol version.
155func (hs *serverHandshakeState) readClientHello() error {
156	config := hs.c.config
157	c := hs.c
158
159	if err := c.simulatePacketLoss(nil); err != nil {
160		return err
161	}
162	msg, err := c.readHandshake()
163	if err != nil {
164		return err
165	}
166	var ok bool
167	hs.clientHello, ok = msg.(*clientHelloMsg)
168	if !ok {
169		c.sendAlert(alertUnexpectedMessage)
170		return unexpectedMessageError(hs.clientHello, msg)
171	}
172	if size := config.Bugs.RequireClientHelloSize; size != 0 && len(hs.clientHello.raw) != size {
173		return fmt.Errorf("tls: ClientHello record size is %d, but expected %d", len(hs.clientHello.raw), size)
174	}
175	if isAllZero(hs.clientHello.random) {
176		// If the client forgets to fill in the client random, it will likely be
177		// all zero.
178		return errors.New("tls: ClientHello random was all zero")
179	}
180
181	if expected := config.Bugs.ExpectOuterServerName; len(expected) != 0 && expected != hs.clientHello.serverName {
182		return fmt.Errorf("tls: unexpected ClientHelloOuter server name: wanted %q, got %q", expected, hs.clientHello.serverName)
183	}
184
185	// We check this both before and after decrypting ECH.
186	if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE {
187		return errors.New("tls: no GREASE extension found")
188	}
189
190	if config.Bugs.ExpectClientECH && hs.clientHello.echOuter == nil {
191		return errors.New("tls: expected client to offer ECH")
192	}
193	if config.Bugs.ExpectNoClientECH && hs.clientHello.echOuter != nil {
194		return errors.New("tls: expected client not to offer ECH")
195	}
196
197	if echOuter := hs.clientHello.echOuter; echOuter != nil {
198		for _, candidate := range config.ServerECHConfigs {
199			if candidate.ECHConfig.ConfigID != echOuter.configID {
200				continue
201			}
202			var found bool
203			for _, suite := range candidate.ECHConfig.CipherSuites {
204				if echOuter.kdfID == suite.KDF && echOuter.aeadID == suite.AEAD {
205					found = true
206					break
207				}
208			}
209			if !found {
210				continue
211			}
212			info := []byte("tls ech\x00")
213			info = append(info, candidate.ECHConfig.Raw...)
214			hs.echHPKEContext, err = hpke.SetupBaseReceiverX25519(echOuter.kdfID, echOuter.aeadID, echOuter.enc, candidate.Key, info)
215			if err != nil {
216				continue
217			}
218			clientHelloInner, err := hs.decryptClientHello(hs.clientHello)
219			if err != nil {
220				if _, ok := err.(*echDecryptError); ok {
221					continue
222				}
223				c.sendAlert(alertDecryptError)
224				return fmt.Errorf("tls: error decrypting ClientHello: %s", err)
225			}
226			if config.Bugs.UseInnerSessionWithClientHelloOuter {
227				hs.clientHello.pskIdentities = clientHelloInner.pskIdentities
228			} else {
229				c.echAccepted = true
230				hs.clientHello = clientHelloInner
231				hs.echConfigID = echOuter.configID
232			}
233		}
234	}
235
236	if c.isDTLS && !config.Bugs.SkipHelloVerifyRequest {
237		// Per RFC 6347, the version field in HelloVerifyRequest SHOULD
238		// be always DTLS 1.0
239		cookieLen := c.config.Bugs.HelloVerifyRequestCookieLength
240		if cookieLen == 0 {
241			cookieLen = 32
242		}
243		if c.config.Bugs.EmptyHelloVerifyRequestCookie {
244			cookieLen = 0
245		}
246		helloVerifyRequest := &helloVerifyRequestMsg{
247			vers:   VersionDTLS10,
248			cookie: make([]byte, cookieLen),
249		}
250		if _, err := io.ReadFull(c.config.rand(), helloVerifyRequest.cookie); err != nil {
251			c.sendAlert(alertInternalError)
252			return errors.New("dtls: short read from Rand: " + err.Error())
253		}
254		c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal())
255		c.flushHandshake()
256
257		if err := c.simulatePacketLoss(nil); err != nil {
258			return err
259		}
260		msg, err := c.readHandshake()
261		if err != nil {
262			return err
263		}
264		newClientHello, ok := msg.(*clientHelloMsg)
265		if !ok {
266			c.sendAlert(alertUnexpectedMessage)
267			return unexpectedMessageError(hs.clientHello, msg)
268		}
269		if !bytes.Equal(newClientHello.cookie, helloVerifyRequest.cookie) {
270			return errors.New("dtls: invalid cookie")
271		}
272		if err := checkClientHellosEqual(hs.clientHello.raw, newClientHello.raw, c.isDTLS, nil); err != nil {
273			return err
274		}
275		hs.clientHello = newClientHello
276	}
277
278	if config.Bugs.RequireSameRenegoClientVersion && c.clientVersion != 0 {
279		if c.clientVersion != hs.clientHello.vers {
280			return fmt.Errorf("tls: client offered different version on renego")
281		}
282	}
283
284	if config.Bugs.FailIfKyberOffered {
285		for _, offeredCurve := range hs.clientHello.supportedCurves {
286			if isPqGroup(offeredCurve) {
287				return errors.New("tls: X25519Kyber768 was offered")
288			}
289		}
290	}
291
292	if expected := config.Bugs.ExpectedKeyShares; expected != nil {
293		if len(expected) != len(hs.clientHello.keyShares) {
294			return fmt.Errorf("tls: expected %d key shares, but found %d", len(expected), len(hs.clientHello.keyShares))
295		}
296
297		for i, group := range expected {
298			if found := hs.clientHello.keyShares[i].group; found != group {
299				return fmt.Errorf("tls: key share #%d is for group %d, not %d", i, found, group)
300			}
301		}
302	}
303
304	c.clientVersion = hs.clientHello.vers
305
306	// Use the versions extension if supplied, otherwise use the legacy ClientHello version.
307	if len(hs.clientHello.supportedVersions) == 0 {
308		if c.isDTLS {
309			if hs.clientHello.vers <= VersionDTLS12 {
310				hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS12)
311			}
312			if hs.clientHello.vers <= VersionDTLS10 {
313				hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionDTLS10)
314			}
315		} else {
316			if hs.clientHello.vers >= VersionTLS12 {
317				hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS12)
318			}
319			if hs.clientHello.vers >= VersionTLS11 {
320				hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS11)
321			}
322			if hs.clientHello.vers >= VersionTLS10 {
323				hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionTLS10)
324			}
325			if hs.clientHello.vers >= VersionSSL30 {
326				hs.clientHello.supportedVersions = append(hs.clientHello.supportedVersions, VersionSSL30)
327			}
328		}
329	} else if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.supportedVersions) {
330		return errors.New("tls: no GREASE version value found")
331	}
332
333	if !c.haveVers {
334		if config.Bugs.NegotiateVersion != 0 {
335			c.wireVersion = config.Bugs.NegotiateVersion
336		} else {
337			var found bool
338			for _, vers := range hs.clientHello.supportedVersions {
339				if _, ok := config.isSupportedVersion(vers, c.isDTLS); ok {
340					c.wireVersion = vers
341					found = true
342					break
343				}
344			}
345			if !found {
346				c.sendAlert(alertProtocolVersion)
347				return errors.New("tls: client did not offer any supported protocol versions")
348			}
349		}
350	} else if config.Bugs.NegotiateVersionOnRenego != 0 {
351		c.wireVersion = config.Bugs.NegotiateVersionOnRenego
352	}
353
354	c.vers, ok = wireToVersion(c.wireVersion, c.isDTLS)
355	if !ok {
356		panic("Could not map wire version")
357	}
358	c.haveVers = true
359
360	clientProtocol, ok := wireToVersion(c.clientVersion, c.isDTLS)
361
362	// Reject < 1.2 ClientHellos with signature_algorithms.
363	if ok && clientProtocol < VersionTLS12 && len(hs.clientHello.signatureAlgorithms) > 0 {
364		return fmt.Errorf("tls: client included signature_algorithms before TLS 1.2")
365	}
366
367	// Check the client cipher list is consistent with the version.
368	if ok && clientProtocol < VersionTLS12 {
369		for _, id := range hs.clientHello.cipherSuites {
370			if isTLS12Cipher(id) {
371				return fmt.Errorf("tls: client offered TLS 1.2 cipher before TLS 1.2")
372			}
373		}
374	}
375
376	if config.Bugs.MockQUICTransport != nil && len(hs.clientHello.sessionID) > 0 {
377		return fmt.Errorf("tls: QUIC client did not disable compatibility mode")
378	}
379	if config.Bugs.ExpectNoSessionID && len(hs.clientHello.sessionID) > 0 {
380		return fmt.Errorf("tls: client offered an unexpected session ID")
381	}
382	if config.Bugs.ExpectNoTLS12Session {
383		if len(hs.clientHello.sessionID) > 0 {
384			if _, ok := config.ServerSessionCache.Get(string(hs.clientHello.sessionID)); ok {
385				return fmt.Errorf("tls: client offered an unexpected TLS 1.2 session")
386			}
387		}
388		if len(hs.clientHello.sessionTicket) > 0 {
389			return fmt.Errorf("tls: client offered an unexpected session ticket")
390		}
391	}
392
393	if config.Bugs.ExpectNoTLS13PSK && len(hs.clientHello.pskIdentities) > 0 {
394		return fmt.Errorf("tls: client offered unexpected PSK identities")
395	}
396
397	var scsvFound bool
398	for _, cipherSuite := range hs.clientHello.cipherSuites {
399		if cipherSuite == fallbackSCSV {
400			scsvFound = true
401			break
402		}
403	}
404
405	if !scsvFound && config.Bugs.FailIfNotFallbackSCSV {
406		return errors.New("tls: no fallback SCSV found when expected")
407	} else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV {
408		return errors.New("tls: fallback SCSV found when not expected")
409	}
410
411	if config.Bugs.ExpectGREASE && !containsGREASE(hs.clientHello.cipherSuites) {
412		return errors.New("tls: no GREASE cipher suite value found")
413	}
414
415	var greaseFound bool
416	for _, curve := range hs.clientHello.supportedCurves {
417		if isGREASEValue(uint16(curve)) {
418			greaseFound = true
419			break
420		}
421	}
422
423	if !greaseFound && config.Bugs.ExpectGREASE {
424		return errors.New("tls: no GREASE curve value found")
425	}
426
427	if len(hs.clientHello.keyShares) > 0 {
428		greaseFound = false
429		for _, keyShare := range hs.clientHello.keyShares {
430			if isGREASEValue(uint16(keyShare.group)) {
431				greaseFound = true
432				break
433			}
434		}
435
436		if !greaseFound && config.Bugs.ExpectGREASE {
437			return errors.New("tls: no GREASE curve value found")
438		}
439	}
440
441	if len(hs.clientHello.sessionID) == 0 && c.config.Bugs.ExpectClientHelloSessionID {
442		return errors.New("tls: expected non-empty session ID from client")
443	}
444
445	applyBugsToClientHello(hs.clientHello, config)
446
447	return nil
448}
449
450func applyBugsToClientHello(clientHello *clientHelloMsg, config *Config) {
451	if config.Bugs.IgnorePeerSignatureAlgorithmPreferences {
452		clientHello.signatureAlgorithms = config.Credential.signatureAlgorithms()
453	}
454	if config.Bugs.IgnorePeerCurvePreferences {
455		clientHello.supportedCurves = config.curvePreferences()
456	}
457	if config.Bugs.IgnorePeerCipherPreferences {
458		clientHello.cipherSuites = config.cipherSuites()
459	}
460}
461
462type echDecryptError struct {
463	error
464}
465
466func (hs *serverHandshakeState) decryptClientHello(helloOuter *clientHelloMsg) (helloInner *clientHelloMsg, err error) {
467	// ClientHelloOuterAAD is ClientHelloOuter with the payload replaced by
468	// zeros. See draft-ietf-tls-esni-13, section 5.2.
469	aad := make([]byte, len(helloOuter.raw)-4)
470	copy(aad, helloOuter.raw[4:helloOuter.echPayloadStart])
471	copy(aad[helloOuter.echPayloadEnd-4:], helloOuter.raw[helloOuter.echPayloadEnd:])
472
473	// In fuzzer mode, the payload is cleartext.
474	encoded := helloOuter.echOuter.payload
475	if !hs.c.config.Bugs.NullAllCiphers {
476		var err error
477		encoded, err = hs.echHPKEContext.Open(helloOuter.echOuter.payload, aad)
478		if err != nil {
479			// Wrap |err| so the caller can implement trial decryption.
480			return nil, &echDecryptError{err}
481		}
482	}
483
484	helloInner, err = decodeClientHelloInner(hs.c.config, encoded, helloOuter)
485	if err != nil {
486		return nil, err
487	}
488
489	if isAllZero(helloInner.random) {
490		// If the client forgets to fill in the client random, it will likely be
491		// all zero.
492		return nil, errors.New("tls: ClientHelloInner random was all zero")
493	}
494	if bytes.Equal(helloInner.random, helloOuter.random) {
495		return nil, errors.New("tls: ClientHelloOuter and ClientHelloInner have the same random values")
496	}
497	// ClientHelloInner should not offer TLS 1.2 and below.
498	if len(helloInner.supportedVersions) == 0 {
499		return nil, errors.New("tls: ClientHelloInner did not offer supported_versions")
500	}
501	for _, vers := range helloInner.supportedVersions {
502		switch vers {
503		case VersionSSL30, VersionTLS10, VersionTLS11, VersionTLS12, VersionDTLS10, VersionDTLS12:
504			return nil, fmt.Errorf("tls: ClientHelloInner offered invalid version: %04x", vers)
505		}
506	}
507	// ClientHelloInner should omit TLS-1.2-only extensions.
508	if helloInner.nextProtoNeg || len(helloInner.supportedPoints) != 0 || helloInner.ticketSupported || helloInner.secureRenegotiation != nil || helloInner.extendedMasterSecret {
509		return nil, errors.New("tls: ClientHelloInner included a TLS-1.2-only extension")
510	}
511	if !helloInner.echInner {
512		return nil, errors.New("tls: ClientHelloInner missing inner encrypted_client_hello extension")
513	}
514
515	return helloInner, nil
516}
517
518func (hs *serverHandshakeState) doTLS13Handshake() error {
519	c := hs.c
520	config := c.config
521
522	// We've read the ClientHello, so the next record must be preceded with ChangeCipherSpec.
523	c.expectTLS13ChangeCipherSpec = true
524
525	hs.hello = &serverHelloMsg{
526		isDTLS:                c.isDTLS,
527		vers:                  c.wireVersion,
528		sessionID:             hs.clientHello.sessionID,
529		compressionMethod:     config.Bugs.SendCompressionMethod,
530		versOverride:          config.Bugs.SendServerHelloVersion,
531		supportedVersOverride: config.Bugs.SendServerSupportedVersionExtension,
532		omitSupportedVers:     config.Bugs.OmitServerSupportedVersionExtension,
533		customExtension:       config.Bugs.CustomUnencryptedExtension,
534		unencryptedALPN:       config.Bugs.SendUnencryptedALPN,
535	}
536
537	hs.hello.random = make([]byte, 32)
538	if _, err := io.ReadFull(config.rand(), hs.hello.random); err != nil {
539		c.sendAlert(alertInternalError)
540		return err
541	}
542
543	// TLS 1.3 forbids clients from advertising any non-null compression.
544	if len(hs.clientHello.compressionMethods) != 1 || hs.clientHello.compressionMethods[0] != compressionNone {
545		return errors.New("tls: client sent compression method other than null for TLS 1.3")
546	}
547
548	// Prepare an EncryptedExtensions message, but do not send it yet.
549	encryptedExtensions := new(encryptedExtensionsMsg)
550	encryptedExtensions.empty = config.Bugs.EmptyEncryptedExtensions
551	if err := hs.processClientExtensions(&encryptedExtensions.extensions); err != nil {
552		return err
553	}
554
555	// Select the cipher suite.
556	var preferenceList, supportedList []uint16
557	if config.PreferServerCipherSuites {
558		preferenceList = config.cipherSuites()
559		supportedList = hs.clientHello.cipherSuites
560	} else {
561		preferenceList = hs.clientHello.cipherSuites
562		supportedList = config.cipherSuites()
563	}
564
565	for _, id := range preferenceList {
566		if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, true, true); hs.suite != nil {
567			break
568		}
569	}
570
571	if hs.suite == nil {
572		c.sendAlert(alertHandshakeFailure)
573		return errors.New("tls: no cipher suite supported by both client and server")
574	}
575
576	hs.hello.cipherSuite = hs.suite.id
577	if c.config.Bugs.SendCipherSuite != 0 {
578		hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite
579	}
580
581	hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite)
582	hs.finishedHash.discardHandshakeBuffer()
583	hs.writeClientHash(hs.clientHello.marshal())
584
585	supportedCurve := false
586	var selectedCurve CurveID
587	preferredCurves := config.curvePreferences()
588Curves:
589	for _, curve := range hs.clientHello.supportedCurves {
590		for _, supported := range preferredCurves {
591			if supported == curve {
592				supportedCurve = true
593				selectedCurve = curve
594				break Curves
595			}
596		}
597	}
598
599	if !supportedCurve {
600		c.sendAlert(alertHandshakeFailure)
601		return errors.New("tls: no curve supported by both client and server")
602	}
603
604	pskIdentities := hs.clientHello.pskIdentities
605	pskKEModes := hs.clientHello.pskKEModes
606
607	var replacedPSKIdentities bool
608	if len(pskIdentities) == 0 && len(hs.clientHello.sessionTicket) > 0 && c.config.Bugs.AcceptAnySession {
609		// Pick up the ticket from the TLS 1.2 extension, to test the
610		// client does not get in a mixed up state.
611		psk := pskIdentity{
612			ticket: hs.clientHello.sessionTicket,
613		}
614		pskIdentities = []pskIdentity{psk}
615		pskKEModes = []byte{pskDHEKEMode}
616		replacedPSKIdentities = true
617	}
618	if config.Bugs.UseInnerSessionWithClientHelloOuter {
619		replacedPSKIdentities = true
620	}
621
622	var pskIndex int
623	foundKEMode := bytes.IndexByte(pskKEModes, pskDHEKEMode) >= 0
624	if foundKEMode && !config.SessionTicketsDisabled {
625		for i, pskIdentity := range pskIdentities {
626			// TODO(svaldez): Check the obfuscatedTicketAge before accepting 0-RTT.
627			sessionState, ok := c.decryptTicket(pskIdentity.ticket)
628			if !ok {
629				continue
630			}
631
632			if !config.Bugs.AcceptAnySession {
633				if sessionState.vers != c.vers {
634					continue
635				}
636				if sessionState.ticketExpiration.Before(c.config.time()) {
637					continue
638				}
639				sessionCipher := cipherSuiteFromID(sessionState.cipherSuite)
640				if sessionCipher == nil || sessionCipher.hash() != hs.suite.hash() {
641					continue
642				}
643			}
644
645			clientTicketAge := time.Duration(uint32(pskIdentity.obfuscatedTicketAge-sessionState.ticketAgeAdd)) * time.Millisecond
646			if config.Bugs.ExpectTicketAge != 0 && clientTicketAge != config.Bugs.ExpectTicketAge {
647				c.sendAlert(alertHandshakeFailure)
648				return errors.New("tls: invalid ticket age")
649			}
650
651			if !replacedPSKIdentities {
652				binderToVerify := hs.clientHello.pskBinders[i]
653				if err := verifyPSKBinder(c.wireVersion, hs.clientHello, sessionState, binderToVerify, []byte{}, []byte{}); err != nil {
654					return err
655				}
656			}
657
658			hs.sessionState = sessionState
659			hs.hello.hasPSKIdentity = true
660			hs.hello.pskIdentity = uint16(i)
661			pskIndex = i
662			if config.Bugs.SelectPSKIdentityOnResume != 0 {
663				hs.hello.pskIdentity = config.Bugs.SelectPSKIdentityOnResume
664			}
665			c.didResume = true
666			break
667		}
668	}
669
670	if config.Bugs.AlwaysSelectPSKIdentity {
671		hs.hello.hasPSKIdentity = true
672		hs.hello.pskIdentity = 0
673	}
674
675	// Resolve PSK and compute the early secret.
676	if hs.sessionState != nil {
677		hs.finishedHash.addEntropy(hs.sessionState.secret)
678	} else {
679		hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret())
680	}
681
682	hs.hello.hasKeyShare = true
683	if hs.sessionState != nil && config.Bugs.NegotiatePSKResumption {
684		hs.hello.hasKeyShare = false
685	}
686	if config.Bugs.MissingKeyShare {
687		hs.hello.hasKeyShare = false
688	}
689
690	firstHelloRetryRequest := true
691
692ResendHelloRetryRequest:
693	var sendHelloRetryRequest bool
694	cipherSuite := hs.suite.id
695	if config.Bugs.SendHelloRetryRequestCipherSuite != 0 {
696		cipherSuite = config.Bugs.SendHelloRetryRequestCipherSuite
697	}
698	helloRetryRequest := &helloRetryRequestMsg{
699		vers:                c.wireVersion,
700		sessionID:           hs.clientHello.sessionID,
701		cipherSuite:         cipherSuite,
702		compressionMethod:   config.Bugs.SendCompressionMethod,
703		duplicateExtensions: config.Bugs.DuplicateHelloRetryRequestExtensions,
704	}
705
706	if config.Bugs.AlwaysSendHelloRetryRequest {
707		sendHelloRetryRequest = true
708	}
709
710	if config.Bugs.SendHelloRetryRequestCookie != nil {
711		sendHelloRetryRequest = true
712		helloRetryRequest.cookie = config.Bugs.SendHelloRetryRequestCookie
713	}
714
715	if len(config.Bugs.CustomHelloRetryRequestExtension) > 0 {
716		sendHelloRetryRequest = true
717		helloRetryRequest.customExtension = config.Bugs.CustomHelloRetryRequestExtension
718	}
719
720	var selectedKeyShare *keyShareEntry
721	if hs.hello.hasKeyShare {
722		// Look for the key share corresponding to our selected curve.
723		for i := range hs.clientHello.keyShares {
724			if hs.clientHello.keyShares[i].group == selectedCurve {
725				selectedKeyShare = &hs.clientHello.keyShares[i]
726				break
727			}
728		}
729
730		if config.Bugs.ExpectMissingKeyShare && selectedKeyShare != nil {
731			return errors.New("tls: expected missing key share")
732		}
733
734		if selectedKeyShare == nil {
735			helloRetryRequest.hasSelectedGroup = true
736			helloRetryRequest.selectedGroup = selectedCurve
737			sendHelloRetryRequest = true
738		}
739	}
740
741	if config.Bugs.SendHelloRetryRequestCurve != 0 {
742		helloRetryRequest.hasSelectedGroup = true
743		helloRetryRequest.selectedGroup = config.Bugs.SendHelloRetryRequestCurve
744		sendHelloRetryRequest = true
745	}
746
747	if config.Bugs.SkipHelloRetryRequest {
748		sendHelloRetryRequest = false
749	}
750
751	if sendHelloRetryRequest {
752		hs.finishedHash.UpdateForHelloRetryRequest()
753
754		// Emit the ECH confirmation signal when requested.
755		if hs.clientHello.echInner {
756			helloRetryRequest.echConfirmation = make([]byte, 8)
757			helloRetryRequest.echConfirmation = hs.finishedHash.echAcceptConfirmation(hs.clientHello.random, echAcceptConfirmationHRRLabel, helloRetryRequest.marshal())
758			helloRetryRequest.raw = nil
759		} else if config.Bugs.AlwaysSendECHHelloRetryRequest {
760			// When solicited, a random ECH confirmation string should be ignored.
761			helloRetryRequest.echConfirmation = make([]byte, 8)
762			if _, err := io.ReadFull(config.rand(), helloRetryRequest.echConfirmation); err != nil {
763				c.sendAlert(alertInternalError)
764				return fmt.Errorf("tls: short read from Rand: %s", err)
765			}
766		}
767
768		hs.writeServerHash(helloRetryRequest.marshal())
769		if c.config.Bugs.PartialServerHelloWithHelloRetryRequest {
770			data := helloRetryRequest.marshal()
771			c.writeRecord(recordTypeHandshake, append(data[:len(data):len(data)], typeServerHello))
772		} else {
773			c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal())
774		}
775		c.flushHandshake()
776
777		if !c.config.Bugs.SkipChangeCipherSpec {
778			c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
779		}
780
781		if hs.clientHello.hasEarlyData {
782			c.setSkipEarlyData()
783		}
784
785		// Read new ClientHello.
786		newMsg, err := c.readHandshake()
787		if err != nil {
788			return err
789		}
790		newClientHello, ok := newMsg.(*clientHelloMsg)
791		if !ok {
792			c.sendAlert(alertUnexpectedMessage)
793			return unexpectedMessageError(newClientHello, newMsg)
794		}
795
796		if expected := config.Bugs.ExpectOuterServerName; len(expected) != 0 && expected != newClientHello.serverName {
797			return fmt.Errorf("tls: unexpected ClientHelloOuter server name: wanted %q, got %q", expected, newClientHello.serverName)
798		}
799
800		if c.echAccepted {
801			if newClientHello.echOuter == nil {
802				c.sendAlert(alertMissingExtension)
803				return errors.New("tls: second ClientHelloOuter had no encrypted_client_hello extension")
804			}
805			if newClientHello.echOuter.configID != hs.echConfigID ||
806				newClientHello.echOuter.kdfID != hs.echHPKEContext.KDF() ||
807				newClientHello.echOuter.aeadID != hs.echHPKEContext.AEAD() {
808				c.sendAlert(alertIllegalParameter)
809				return errors.New("tls: ECH parameters changed in second ClientHelloOuter")
810			}
811			if len(newClientHello.echOuter.enc) != 0 {
812				c.sendAlert(alertIllegalParameter)
813				return errors.New("tls: second ClientHelloOuter had non-empty ECH enc")
814			}
815			newClientHello, err = hs.decryptClientHello(newClientHello)
816			if err != nil {
817				c.sendAlert(alertDecryptError)
818				return fmt.Errorf("tls: error decrypting ClientHello: %s", err)
819			}
820		}
821
822		hs.writeClientHash(newClientHello.marshal())
823
824		if config.Bugs.ExpectNoTLS13PSKAfterHRR && len(newClientHello.pskIdentities) > 0 {
825			return fmt.Errorf("tls: client offered unexpected PSK identities after HelloRetryRequest")
826		}
827
828		applyBugsToClientHello(newClientHello, config)
829
830		// Check that the new ClientHello matches the old ClientHello,
831		// except for relevant modifications. See RFC 8446, section 4.1.2.
832		ignoreExtensions := []uint16{extensionPadding}
833
834		if helloRetryRequest.hasSelectedGroup {
835			newKeyShares := newClientHello.keyShares
836			if len(newKeyShares) != 1 || newKeyShares[0].group != helloRetryRequest.selectedGroup {
837				return errors.New("tls: KeyShare from HelloRetryRequest not in new ClientHello")
838			}
839			selectedKeyShare = &newKeyShares[0]
840			ignoreExtensions = append(ignoreExtensions, extensionKeyShare)
841		}
842
843		if len(helloRetryRequest.cookie) > 0 {
844			if !bytes.Equal(newClientHello.tls13Cookie, helloRetryRequest.cookie) {
845				return errors.New("tls: cookie from HelloRetryRequest not present in new ClientHello")
846			}
847			ignoreExtensions = append(ignoreExtensions, extensionCookie)
848		}
849
850		// The second ClientHello refreshes binders, and may drop PSK identities
851		// that are no longer consistent with the cipher suite.
852		oldPSKIdentities := hs.clientHello.pskIdentities
853		for _, identity := range newClientHello.pskIdentities {
854			// Skip to the matching PSK identity in oldPSKIdentities.
855			for len(oldPSKIdentities) > 0 && !bytes.Equal(oldPSKIdentities[0].ticket, identity.ticket) {
856				oldPSKIdentities = oldPSKIdentities[1:]
857			}
858			// The identity now either matches, or oldPSKIdentities is empty.
859			if len(oldPSKIdentities) == 0 {
860				return errors.New("tls: unexpected PSK identity in second ClientHello")
861			}
862			oldPSKIdentities = oldPSKIdentities[1:]
863		}
864		ignoreExtensions = append(ignoreExtensions, extensionPreSharedKey)
865
866		// Update the index for the identity we resumed. The client may have
867		// dropped some entries.
868		if hs.sessionState != nil {
869			var found bool
870			ticket := hs.clientHello.pskIdentities[pskIndex].ticket
871			for i, identity := range newClientHello.pskIdentities {
872				if bytes.Equal(identity.ticket, ticket) {
873					found = true
874					pskIndex = i
875					break
876				}
877			}
878			if found {
879				binderToVerify := newClientHello.pskBinders[pskIndex]
880				if err := verifyPSKBinder(c.wireVersion, newClientHello, hs.sessionState, binderToVerify, hs.clientHello.marshal(), helloRetryRequest.marshal()); err != nil {
881					return err
882				}
883			} else if !config.Bugs.AcceptAnySession {
884				// If AcceptAnySession is set, the client may have already noticed
885				// the selected session is incompatible with the HelloRetryRequest
886				// and correctly dropped the PSK identity. We may also have
887				// attempted to resume a session from the TLS 1.2 extension.
888				return errors.New("tls: second ClientHello is missing selected session")
889			}
890		}
891
892		// The second ClientHello must stop offering early data.
893		if newClientHello.hasEarlyData {
894			return errors.New("tls: EarlyData sent in new ClientHello")
895		}
896		ignoreExtensions = append(ignoreExtensions, extensionEarlyData)
897
898		if err := checkClientHellosEqual(hs.clientHello.raw, newClientHello.raw, c.isDTLS, ignoreExtensions); err != nil {
899			return err
900		}
901
902		if firstHelloRetryRequest && config.Bugs.SecondHelloRetryRequest {
903			firstHelloRetryRequest = false
904			goto ResendHelloRetryRequest
905		}
906	}
907
908	// Decide whether or not to accept early data.
909	if !sendHelloRetryRequest && hs.clientHello.hasEarlyData {
910		if !config.Bugs.AlwaysRejectEarlyData && hs.sessionState != nil {
911			if hs.sessionState.cipherSuite == hs.suite.id &&
912				c.clientProtocol == string(hs.sessionState.earlyALPN) &&
913				c.hasApplicationSettings == hs.sessionState.hasApplicationSettings &&
914				bytes.Equal(c.localApplicationSettings, hs.sessionState.localApplicationSettings) &&
915				c.hasApplicationSettingsOld == hs.sessionState.hasApplicationSettingsOld &&
916				bytes.Equal(c.localApplicationSettingsOld, hs.sessionState.localApplicationSettingsOld) {
917				encryptedExtensions.extensions.hasEarlyData = true
918			}
919			if config.Bugs.AlwaysAcceptEarlyData {
920				encryptedExtensions.extensions.hasEarlyData = true
921			}
922		}
923		if encryptedExtensions.extensions.hasEarlyData {
924			earlyTrafficSecret := hs.finishedHash.deriveSecret(earlyTrafficLabel)
925			c.earlyExporterSecret = hs.finishedHash.deriveSecret(earlyExporterLabel)
926
927			// Applications are implicit with early data.
928			if !config.Bugs.SendApplicationSettingsWithEarlyData {
929				encryptedExtensions.extensions.hasApplicationSettings = false
930				encryptedExtensions.extensions.applicationSettings = nil
931				encryptedExtensions.extensions.hasApplicationSettingsOld = false
932				encryptedExtensions.extensions.applicationSettingsOld = nil
933			}
934
935			sessionCipher := cipherSuiteFromID(hs.sessionState.cipherSuite)
936			if err := c.useInTrafficSecret(encryptionEarlyData, c.wireVersion, sessionCipher, earlyTrafficSecret); err != nil {
937				return err
938			}
939
940			for _, expectedMsg := range config.Bugs.ExpectEarlyData {
941				if err := c.readRecord(recordTypeApplicationData); err != nil {
942					return err
943				}
944				msg := c.input.data[c.input.off:]
945				if !bytes.Equal(msg, expectedMsg) {
946					return fmt.Errorf("tls: got early data record %x, wanted %x", msg, expectedMsg)
947				}
948				c.in.freeBlock(c.input)
949				c.input = nil
950			}
951		} else {
952			c.setSkipEarlyData()
953		}
954	}
955
956	if config.Bugs.SendEarlyDataExtension {
957		encryptedExtensions.extensions.hasEarlyData = true
958	}
959
960	// Resolve ECDHE and compute the handshake secret.
961	if hs.hello.hasKeyShare {
962		// Once a curve has been selected and a key share identified,
963		// the server needs to generate a public value and send it in
964		// the ServerHello.
965		kem, ok := kemForCurveID(selectedCurve, config)
966		if !ok {
967			panic("tls: server failed to look up curve ID")
968		}
969		c.curveID = selectedCurve
970
971		var peerKey []byte
972		if config.Bugs.SkipHelloRetryRequest {
973			// If skipping HelloRetryRequest, use a random key to
974			// avoid crashing.
975			kem2, _ := kemForCurveID(selectedCurve, config)
976			var err error
977			peerKey, err = kem2.generate(config.rand())
978			if err != nil {
979				return err
980			}
981		} else {
982			peerKey = selectedKeyShare.keyExchange
983		}
984
985		ciphertext, ecdheSecret, err := kem.encap(config.rand(), peerKey)
986		if err != nil {
987			c.sendAlert(alertHandshakeFailure)
988			return err
989		}
990		hs.finishedHash.nextSecret()
991		hs.finishedHash.addEntropy(ecdheSecret)
992		hs.hello.hasKeyShare = true
993
994		curveID := selectedCurve
995		if c.config.Bugs.SendCurve != 0 {
996			curveID = config.Bugs.SendCurve
997		}
998		if c.config.Bugs.InvalidECDHPoint {
999			ciphertext[0] ^= 0xff
1000		}
1001
1002		hs.hello.keyShare = keyShareEntry{
1003			group:       curveID,
1004			keyExchange: ciphertext,
1005		}
1006
1007		if config.Bugs.EncryptedExtensionsWithKeyShare {
1008			encryptedExtensions.extensions.hasKeyShare = true
1009			encryptedExtensions.extensions.keyShare = keyShareEntry{
1010				group:       curveID,
1011				keyExchange: ciphertext,
1012			}
1013		}
1014	} else {
1015		hs.finishedHash.nextSecret()
1016		hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret())
1017	}
1018
1019	// Emit the ECH confirmation signal when requested.
1020	if hs.clientHello.echInner && !config.Bugs.OmitServerHelloECHConfirmation {
1021		randomSuffix := hs.hello.random[len(hs.hello.random)-echAcceptConfirmationLength:]
1022		for i := range randomSuffix {
1023			randomSuffix[i] = 0
1024		}
1025		copy(randomSuffix, hs.finishedHash.echAcceptConfirmation(hs.clientHello.random, echAcceptConfirmationLabel, hs.hello.marshal()))
1026		hs.hello.raw = nil
1027	}
1028
1029	// Send unencrypted ServerHello.
1030	helloBytes := hs.hello.marshal()
1031	hs.writeServerHash(helloBytes)
1032	if config.Bugs.PartialServerHelloWithHelloRetryRequest {
1033		// The first byte has already been written.
1034		helloBytes = helloBytes[1:]
1035	}
1036	if config.Bugs.PartialEncryptedExtensionsWithServerHello {
1037		c.writeRecord(recordTypeHandshake, append(helloBytes[:len(helloBytes):len(helloBytes)], typeEncryptedExtensions))
1038	} else {
1039		c.writeRecord(recordTypeHandshake, helloBytes)
1040	}
1041	c.flushHandshake()
1042
1043	if !c.config.Bugs.SkipChangeCipherSpec && !sendHelloRetryRequest {
1044		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
1045	}
1046
1047	for i := 0; i < c.config.Bugs.SendExtraChangeCipherSpec; i++ {
1048		c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
1049	}
1050
1051	// Switch to handshake traffic keys.
1052	serverHandshakeTrafficSecret := hs.finishedHash.deriveSecret(serverHandshakeTrafficLabel)
1053	c.useOutTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, serverHandshakeTrafficSecret)
1054	// Derive handshake traffic read key, but don't switch yet.
1055	clientHandshakeTrafficSecret := hs.finishedHash.deriveSecret(clientHandshakeTrafficLabel)
1056
1057	// Send EncryptedExtensions.
1058	hs.writeServerHash(encryptedExtensions.marshal())
1059	if config.Bugs.PartialEncryptedExtensionsWithServerHello {
1060		// The first byte has already been sent.
1061		c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()[1:])
1062	} else {
1063		c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal())
1064	}
1065
1066	if hs.sessionState == nil {
1067		if config.ClientAuth >= RequestClientCert {
1068			// Request a client certificate
1069			certReq := &certificateRequestMsg{
1070				vers:                  c.wireVersion,
1071				hasSignatureAlgorithm: !config.Bugs.OmitCertificateRequestAlgorithms,
1072				hasRequestContext:     true,
1073				requestContext:        config.Bugs.SendRequestContext,
1074				customExtension:       config.Bugs.SendCustomCertificateRequest,
1075			}
1076			if !config.Bugs.NoSignatureAlgorithms {
1077				certReq.signatureAlgorithms = config.verifySignatureAlgorithms()
1078			}
1079
1080			// An empty list of certificateAuthorities signals to
1081			// the client that it may send any certificate in response
1082			// to our request. When we know the CAs we trust, then
1083			// we can send them down, so that the client can choose
1084			// an appropriate certificate to give to us.
1085			if config.ClientCAs != nil {
1086				certReq.certificateAuthorities = config.ClientCAs.Subjects()
1087			}
1088			hs.writeServerHash(certReq.marshal())
1089			c.writeRecord(recordTypeHandshake, certReq.marshal())
1090		}
1091
1092		certMsg := &certificateMsg{
1093			hasRequestContext: true,
1094		}
1095		if !config.Bugs.EmptyCertificateList {
1096			for i, certData := range hs.cert.Certificate {
1097				cert := certificateEntry{
1098					data: certData,
1099				}
1100				if i == 0 {
1101					if hs.clientHello.ocspStapling && !c.config.Bugs.NoOCSPStapling {
1102						cert.ocspResponse = hs.cert.OCSPStaple
1103					}
1104					if hs.clientHello.sctListSupported && !c.config.Bugs.NoSignedCertificateTimestamps {
1105						cert.sctList = hs.cert.SignedCertificateTimestampList
1106					}
1107					cert.duplicateExtensions = config.Bugs.SendDuplicateCertExtensions
1108					cert.extraExtension = config.Bugs.SendExtensionOnCertificate
1109				} else {
1110					if config.Bugs.SendOCSPOnIntermediates != nil {
1111						cert.ocspResponse = config.Bugs.SendOCSPOnIntermediates
1112					}
1113					if config.Bugs.SendSCTOnIntermediates != nil {
1114						cert.sctList = config.Bugs.SendSCTOnIntermediates
1115					}
1116				}
1117				certMsg.certificates = append(certMsg.certificates, cert)
1118			}
1119		}
1120		certMsgBytes := certMsg.marshal()
1121		sentCompressedCertMsg := false
1122
1123	FindCertCompressionAlg:
1124		for candidate, alg := range c.config.CertCompressionAlgs {
1125			for _, id := range hs.clientHello.compressedCertAlgs {
1126				if id == candidate {
1127					if expected := config.Bugs.ExpectedCompressedCert; expected != 0 && expected != id {
1128						return fmt.Errorf("tls: expected to send compressed cert with alg %d, but picked %d", expected, id)
1129					}
1130					if config.Bugs.ExpectUncompressedCert {
1131						return errors.New("tls: expected to send uncompressed cert")
1132					}
1133
1134					if override := config.Bugs.SendCertCompressionAlgID; override != 0 {
1135						id = override
1136					}
1137
1138					uncompressed := certMsgBytes[4:]
1139					uncompressedLen := uint32(len(uncompressed))
1140					if override := config.Bugs.SendCertUncompressedLength; override != 0 {
1141						uncompressedLen = override
1142					}
1143
1144					compressedCertMsgBytes := (&compressedCertificateMsg{
1145						algID:              id,
1146						uncompressedLength: uncompressedLen,
1147						compressed:         alg.Compress(uncompressed),
1148					}).marshal()
1149
1150					hs.writeServerHash(compressedCertMsgBytes)
1151					c.writeRecord(recordTypeHandshake, compressedCertMsgBytes)
1152					sentCompressedCertMsg = true
1153					break FindCertCompressionAlg
1154				}
1155			}
1156		}
1157
1158		if !sentCompressedCertMsg {
1159			if config.Bugs.ExpectedCompressedCert != 0 {
1160				return errors.New("tls: unexpectedly sent uncompressed certificate")
1161			}
1162			hs.writeServerHash(certMsgBytes)
1163			c.writeRecord(recordTypeHandshake, certMsgBytes)
1164		}
1165
1166		certVerify := &certificateVerifyMsg{
1167			hasSignatureAlgorithm: true,
1168		}
1169
1170		// Determine the hash to sign.
1171		var err error
1172		certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.isClient, c.vers, hs.cert, config, hs.clientHello.signatureAlgorithms)
1173		if err != nil {
1174			c.sendAlert(alertInternalError)
1175			return err
1176		}
1177
1178		privKey := hs.cert.PrivateKey
1179		input := hs.finishedHash.certificateVerifyInput(serverCertificateVerifyContextTLS13)
1180		certVerify.signature, err = signMessage(c.isClient, c.vers, privKey, c.config, certVerify.signatureAlgorithm, input)
1181		if err != nil {
1182			c.sendAlert(alertInternalError)
1183			return err
1184		}
1185
1186		if config.Bugs.SendSignatureAlgorithm != 0 {
1187			certVerify.signatureAlgorithm = config.Bugs.SendSignatureAlgorithm
1188		}
1189
1190		if !config.Bugs.SkipCertificateVerify {
1191			hs.writeServerHash(certVerify.marshal())
1192			c.writeRecord(recordTypeHandshake, certVerify.marshal())
1193		}
1194	} else if hs.sessionState != nil {
1195		// Pick up certificates from the session instead.
1196		if len(hs.sessionState.certificates) > 0 {
1197			if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
1198				return err
1199			}
1200		}
1201	}
1202
1203	finished := new(finishedMsg)
1204	finished.verifyData = hs.finishedHash.serverSum(serverHandshakeTrafficSecret)
1205	if config.Bugs.BadFinished {
1206		finished.verifyData[0]++
1207	}
1208	hs.writeServerHash(finished.marshal())
1209	c.writeRecord(recordTypeHandshake, finished.marshal())
1210	if c.config.Bugs.SendExtraFinished {
1211		c.writeRecord(recordTypeHandshake, finished.marshal())
1212	}
1213	c.flushHandshake()
1214
1215	if encryptedExtensions.extensions.hasEarlyData && !c.shouldSkipEarlyData() {
1216		for _, expectedMsg := range config.Bugs.ExpectLateEarlyData {
1217			if err := c.readRecord(recordTypeApplicationData); err != nil {
1218				return err
1219			}
1220			if !bytes.Equal(c.input.data[c.input.off:], expectedMsg) {
1221				return errors.New("ExpectLateEarlyData: did not get expected message")
1222			}
1223			c.in.freeBlock(c.input)
1224			c.input = nil
1225		}
1226	}
1227
1228	// The various secrets do not incorporate the client's final leg, so
1229	// derive them now before updating the handshake context.
1230	hs.finishedHash.nextSecret()
1231	hs.finishedHash.addEntropy(hs.finishedHash.zeroSecret())
1232
1233	clientTrafficSecret := hs.finishedHash.deriveSecret(clientApplicationTrafficLabel)
1234	serverTrafficSecret := hs.finishedHash.deriveSecret(serverApplicationTrafficLabel)
1235	c.exporterSecret = hs.finishedHash.deriveSecret(exporterLabel)
1236
1237	// Switch to application data keys on write. In particular, any alerts
1238	// from the client certificate are sent over these keys.
1239	c.useOutTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, serverTrafficSecret)
1240
1241	// Send 0.5-RTT messages.
1242	for _, halfRTTMsg := range config.Bugs.SendHalfRTTData {
1243		if _, err := c.writeRecord(recordTypeApplicationData, halfRTTMsg); err != nil {
1244			return err
1245		}
1246	}
1247
1248	// Read end_of_early_data.
1249	if encryptedExtensions.extensions.hasEarlyData && config.Bugs.MockQUICTransport == nil {
1250		msg, err := c.readHandshake()
1251		if err != nil {
1252			return err
1253		}
1254
1255		endOfEarlyData, ok := msg.(*endOfEarlyDataMsg)
1256		if !ok {
1257			c.sendAlert(alertUnexpectedMessage)
1258			return unexpectedMessageError(endOfEarlyData, msg)
1259		}
1260		hs.writeClientHash(endOfEarlyData.marshal())
1261	}
1262
1263	// Switch input stream to handshake traffic keys.
1264	if err := c.useInTrafficSecret(encryptionHandshake, c.wireVersion, hs.suite, clientHandshakeTrafficSecret); err != nil {
1265		return err
1266	}
1267
1268	// If we sent an ALPS extension, the client must respond with a single EncryptedExtensions.
1269	if encryptedExtensions.extensions.hasApplicationSettings || encryptedExtensions.extensions.hasApplicationSettingsOld {
1270		msg, err := c.readHandshake()
1271		if err != nil {
1272			return err
1273		}
1274		clientEncryptedExtensions, ok := msg.(*clientEncryptedExtensionsMsg)
1275		if !ok {
1276			c.sendAlert(alertUnexpectedMessage)
1277			return unexpectedMessageError(clientEncryptedExtensions, msg)
1278		}
1279		hs.writeClientHash(clientEncryptedExtensions.marshal())
1280
1281		// Expect client send new application settings not old.
1282		if encryptedExtensions.extensions.hasApplicationSettings {
1283			if !clientEncryptedExtensions.hasApplicationSettings {
1284				c.sendAlert(alertMissingExtension)
1285				return errors.New("tls: client didn't provide new application settings")
1286			}
1287			if clientEncryptedExtensions.hasApplicationSettingsOld {
1288				c.sendAlert(alertUnsupportedExtension)
1289				return errors.New("tls: client shouldn't provide old application settings")
1290			}
1291			c.peerApplicationSettings = clientEncryptedExtensions.applicationSettings
1292		}
1293
1294		// Expect client send old application settings not new.
1295		if encryptedExtensions.extensions.hasApplicationSettingsOld {
1296			if !clientEncryptedExtensions.hasApplicationSettingsOld {
1297				c.sendAlert(alertMissingExtension)
1298				return errors.New("tls: client didn't provide old application settings")
1299			}
1300			if clientEncryptedExtensions.hasApplicationSettings {
1301				c.sendAlert(alertUnsupportedExtension)
1302				return errors.New("tls: client shouldn't provide new application settings")
1303			}
1304			c.peerApplicationSettingsOld = clientEncryptedExtensions.applicationSettingsOld
1305		}
1306	} else if encryptedExtensions.extensions.hasEarlyData {
1307		// 0-RTT sessions carry application settings over.
1308		c.peerApplicationSettings = hs.sessionState.peerApplicationSettings
1309		c.peerApplicationSettingsOld = hs.sessionState.peerApplicationSettingsOld
1310	}
1311
1312	// If we requested a client certificate, then the client must send a
1313	// certificate message, even if it's empty.
1314	if config.ClientAuth >= RequestClientCert {
1315		msg, err := c.readHandshake()
1316		if err != nil {
1317			return err
1318		}
1319
1320		certMsg, ok := msg.(*certificateMsg)
1321		if !ok {
1322			c.sendAlert(alertUnexpectedMessage)
1323			return unexpectedMessageError(certMsg, msg)
1324		}
1325		hs.writeClientHash(certMsg.marshal())
1326
1327		if len(certMsg.certificates) == 0 {
1328			// The client didn't actually send a certificate
1329			switch config.ClientAuth {
1330			case RequireAnyClientCert, RequireAndVerifyClientCert:
1331				c.sendAlert(alertCertificateRequired)
1332				return errors.New("tls: client didn't provide a certificate")
1333			}
1334		}
1335
1336		var certs [][]byte
1337		for _, cert := range certMsg.certificates {
1338			certs = append(certs, cert.data)
1339			// OCSP responses and SCT lists are not negotiated in
1340			// client certificates.
1341			if cert.ocspResponse != nil || cert.sctList != nil {
1342				c.sendAlert(alertUnsupportedExtension)
1343				return errors.New("tls: unexpected extensions in the client certificate")
1344			}
1345		}
1346		pub, err := hs.processCertsFromClient(certs)
1347		if err != nil {
1348			return err
1349		}
1350
1351		if len(c.peerCertificates) > 0 {
1352			msg, err = c.readHandshake()
1353			if err != nil {
1354				return err
1355			}
1356
1357			certVerify, ok := msg.(*certificateVerifyMsg)
1358			if !ok {
1359				c.sendAlert(alertUnexpectedMessage)
1360				return unexpectedMessageError(certVerify, msg)
1361			}
1362
1363			c.peerSignatureAlgorithm = certVerify.signatureAlgorithm
1364			input := hs.finishedHash.certificateVerifyInput(clientCertificateVerifyContextTLS13)
1365			if err := verifyMessage(c.isClient, c.vers, pub, config, certVerify.signatureAlgorithm, input, certVerify.signature); err != nil {
1366				c.sendAlert(alertBadCertificate)
1367				return err
1368			}
1369			hs.writeClientHash(certVerify.marshal())
1370		}
1371	}
1372
1373	if encryptedExtensions.extensions.channelIDRequested {
1374		msg, err := c.readHandshake()
1375		if err != nil {
1376			return err
1377		}
1378		channelIDMsg, ok := msg.(*channelIDMsg)
1379		if !ok {
1380			c.sendAlert(alertUnexpectedMessage)
1381			return unexpectedMessageError(channelIDMsg, msg)
1382		}
1383		channelIDHash := crypto.SHA256.New()
1384		channelIDHash.Write(hs.finishedHash.certificateVerifyInput(channelIDContextTLS13))
1385		channelID, err := verifyChannelIDMessage(channelIDMsg, channelIDHash.Sum(nil))
1386		if err != nil {
1387			return err
1388		}
1389		c.channelID = channelID
1390
1391		hs.writeClientHash(channelIDMsg.marshal())
1392	}
1393
1394	// Read the client Finished message.
1395	msg, err := c.readHandshake()
1396	if err != nil {
1397		return err
1398	}
1399	clientFinished, ok := msg.(*finishedMsg)
1400	if !ok {
1401		c.sendAlert(alertUnexpectedMessage)
1402		return unexpectedMessageError(clientFinished, msg)
1403	}
1404
1405	verify := hs.finishedHash.clientSum(clientHandshakeTrafficSecret)
1406	if len(verify) != len(clientFinished.verifyData) ||
1407		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
1408		c.sendAlert(alertHandshakeFailure)
1409		return errors.New("tls: client's Finished message was incorrect")
1410	}
1411	hs.writeClientHash(clientFinished.marshal())
1412
1413	// Switch to application data keys on read.
1414	if err := c.useInTrafficSecret(encryptionApplication, c.wireVersion, hs.suite, clientTrafficSecret); err != nil {
1415		return err
1416	}
1417
1418	c.cipherSuite = hs.suite
1419	c.resumptionSecret = hs.finishedHash.deriveSecret(resumptionLabel)
1420
1421	// TODO(davidben): Allow configuring the number of tickets sent for
1422	// testing.
1423	if !c.config.SessionTicketsDisabled && foundKEMode {
1424		ticketCount := 2
1425		for i := 0; i < ticketCount; i++ {
1426			c.SendNewSessionTicket([]byte{byte(i)})
1427		}
1428	}
1429	return nil
1430}
1431
1432// processClientHello processes the ClientHello message from the client and
1433// decides whether we will perform session resumption.
1434func (hs *serverHandshakeState) processClientHello() (isResume bool, err error) {
1435	config := hs.c.config
1436	c := hs.c
1437
1438	hs.hello = &serverHelloMsg{
1439		isDTLS:            c.isDTLS,
1440		vers:              c.wireVersion,
1441		versOverride:      config.Bugs.SendServerHelloVersion,
1442		compressionMethod: config.Bugs.SendCompressionMethod,
1443		extensions: serverExtensions{
1444			supportedVersion: config.Bugs.SendServerSupportedVersionExtension,
1445		},
1446		omitExtensions:  config.Bugs.OmitExtensions,
1447		emptyExtensions: config.Bugs.EmptyExtensions,
1448	}
1449
1450	hs.hello.random = make([]byte, 32)
1451	_, err = io.ReadFull(config.rand(), hs.hello.random)
1452	if err != nil {
1453		c.sendAlert(alertInternalError)
1454		return false, err
1455	}
1456
1457	_, supportsTLS13 := c.config.isSupportedVersion(VersionTLS13, false)
1458
1459	// Signal downgrades in the server random, per RFC 8446, section 4.1.3.
1460	if supportsTLS13 || config.Bugs.SendTLS13DowngradeRandom {
1461		if c.vers <= VersionTLS12 && config.maxVersion(c.isDTLS) >= VersionTLS13 {
1462			copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS13)
1463		}
1464		if c.vers <= VersionTLS11 && config.maxVersion(c.isDTLS) == VersionTLS12 {
1465			copy(hs.hello.random[len(hs.hello.random)-8:], downgradeTLS12)
1466		}
1467	}
1468	if config.Bugs.SendJDK11DowngradeRandom {
1469		copy(hs.hello.random[len(hs.hello.random)-8:], downgradeJDK11)
1470	}
1471
1472	foundCompression := false
1473	// We only support null compression, so check that the client offered it.
1474	for _, compression := range hs.clientHello.compressionMethods {
1475		if compression == compressionNone {
1476			foundCompression = true
1477			break
1478		}
1479	}
1480
1481	if !foundCompression {
1482		c.sendAlert(alertHandshakeFailure)
1483		return false, errors.New("tls: client does not support uncompressed connections")
1484	}
1485
1486	if err := hs.processClientExtensions(&hs.hello.extensions); err != nil {
1487		return false, err
1488	}
1489
1490	supportedCurve := false
1491	preferredCurves := config.curvePreferences()
1492Curves:
1493	for _, curve := range hs.clientHello.supportedCurves {
1494		if isPqGroup(curve) && c.vers < VersionTLS13 {
1495			// Post-quantum is TLS 1.3 only.
1496			continue
1497		}
1498
1499		for _, supported := range preferredCurves {
1500			if supported == curve {
1501				supportedCurve = true
1502				break Curves
1503			}
1504		}
1505	}
1506
1507	supportedPointFormat := false
1508	for _, pointFormat := range hs.clientHello.supportedPoints {
1509		if pointFormat == pointFormatUncompressed {
1510			supportedPointFormat = true
1511			break
1512		}
1513	}
1514	hs.ellipticOk = supportedCurve && supportedPointFormat
1515
1516	_, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey)
1517	// Ed25519 also uses ECDSA certificates.
1518	_, ed25519Ok := hs.cert.PrivateKey.(ed25519.PrivateKey)
1519	hs.ecdsaOk = hs.ecdsaOk || ed25519Ok
1520
1521	// For test purposes, check that the peer never offers a session when
1522	// renegotiating.
1523	if c.cipherSuite != nil && len(hs.clientHello.sessionID) > 0 && c.config.Bugs.FailIfResumeOnRenego {
1524		return false, errors.New("tls: offered resumption on renegotiation")
1525	}
1526
1527	if hs.checkForResumption() {
1528		return true, nil
1529	}
1530
1531	var preferenceList, supportedList []uint16
1532	if c.config.PreferServerCipherSuites {
1533		preferenceList = c.config.cipherSuites()
1534		supportedList = hs.clientHello.cipherSuites
1535	} else {
1536		preferenceList = hs.clientHello.cipherSuites
1537		supportedList = c.config.cipherSuites()
1538	}
1539
1540	for _, id := range preferenceList {
1541		if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil {
1542			break
1543		}
1544	}
1545
1546	if hs.suite == nil {
1547		c.sendAlert(alertHandshakeFailure)
1548		return false, errors.New("tls: no cipher suite supported by both client and server")
1549	}
1550
1551	return false, nil
1552}
1553
1554// processClientExtensions processes all ClientHello extensions not directly
1555// related to cipher suite negotiation and writes responses in serverExtensions.
1556func (hs *serverHandshakeState) processClientExtensions(serverExtensions *serverExtensions) error {
1557	config := hs.c.config
1558	c := hs.c
1559
1560	if c.vers < VersionTLS13 || config.Bugs.NegotiateRenegotiationInfoAtAllVersions {
1561		if !bytes.Equal(c.clientVerify, hs.clientHello.secureRenegotiation) {
1562			c.sendAlert(alertHandshakeFailure)
1563			return errors.New("tls: renegotiation mismatch")
1564		}
1565
1566		if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
1567			serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.clientVerify...)
1568			serverExtensions.secureRenegotiation = append(serverExtensions.secureRenegotiation, c.serverVerify...)
1569			if c.config.Bugs.BadRenegotiationInfo {
1570				serverExtensions.secureRenegotiation[0] ^= 0x80
1571			}
1572			if c.config.Bugs.BadRenegotiationInfoEnd {
1573				serverExtensions.secureRenegotiation[len(serverExtensions.secureRenegotiation)-1] ^= 0x80
1574			}
1575		} else {
1576			serverExtensions.secureRenegotiation = hs.clientHello.secureRenegotiation
1577		}
1578
1579		if c.noRenegotiationInfo() {
1580			serverExtensions.secureRenegotiation = nil
1581		}
1582	}
1583
1584	serverExtensions.duplicateExtension = c.config.Bugs.DuplicateExtension
1585
1586	if len(hs.clientHello.serverName) > 0 {
1587		c.serverName = hs.clientHello.serverName
1588	}
1589	if config.Credential == nil {
1590		c.sendAlert(alertInternalError)
1591		return errors.New("tls: no certificates configured")
1592	}
1593	hs.cert = config.Credential
1594	if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName {
1595		return fmt.Errorf("tls: unexpected server name: wanted %q, got %q", expected, hs.clientHello.serverName)
1596	}
1597
1598	if cert := config.Bugs.RenegotiationCertificate; c.cipherSuite != nil && cert != nil {
1599		hs.cert = cert
1600	}
1601
1602	if len(hs.clientHello.alpnProtocols) > 0 {
1603		// We will never offer ALPN as a client on renegotiation
1604		// handshakes.
1605		if len(c.clientVerify) > 0 {
1606			return errors.New("tls: offered ALPN on renegotiation")
1607		}
1608		if proto := c.config.Bugs.ALPNProtocol; proto != nil {
1609			serverExtensions.alpnProtocol = *proto
1610			serverExtensions.alpnProtocolEmpty = len(*proto) == 0
1611			c.clientProtocol = *proto
1612			c.usedALPN = true
1613		} else if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
1614			serverExtensions.alpnProtocol = selectedProto
1615			c.clientProtocol = selectedProto
1616			c.usedALPN = true
1617		}
1618
1619		var alpsAllowed, alpsAllowedOld bool
1620		if c.vers >= VersionTLS13 {
1621			for _, proto := range hs.clientHello.alpsProtocols {
1622				if proto == c.clientProtocol {
1623					alpsAllowed = true
1624					break
1625				}
1626			}
1627			for _, proto := range hs.clientHello.alpsProtocolsOld {
1628				if proto == c.clientProtocol {
1629					alpsAllowedOld = true
1630					break
1631				}
1632			}
1633		}
1634
1635		if c.config.Bugs.AlwaysNegotiateApplicationSettingsBoth {
1636			alpsAllowed = true
1637			alpsAllowedOld = true
1638		}
1639		if c.config.Bugs.AlwaysNegotiateApplicationSettingsNew {
1640			alpsAllowed = true
1641		}
1642		if c.config.Bugs.AlwaysNegotiateApplicationSettingsOld {
1643			alpsAllowedOld = true
1644		}
1645		if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowed {
1646			c.hasApplicationSettings = true
1647			c.localApplicationSettings = settings
1648			// Note these fields may later be cleared we accept 0-RTT.
1649			serverExtensions.hasApplicationSettings = true
1650			serverExtensions.applicationSettings = settings
1651		}
1652		if settings, ok := c.config.ApplicationSettings[c.clientProtocol]; ok && alpsAllowedOld {
1653			c.hasApplicationSettingsOld = true
1654			c.localApplicationSettingsOld = settings
1655			// Note these fields may later be cleared we accept 0-RTT.
1656			serverExtensions.hasApplicationSettingsOld = true
1657			serverExtensions.applicationSettingsOld = settings
1658		}
1659	}
1660
1661	if len(c.config.Bugs.SendALPN) > 0 {
1662		serverExtensions.alpnProtocol = c.config.Bugs.SendALPN
1663	}
1664
1665	if c.vers < VersionTLS13 || config.Bugs.NegotiateNPNAtAllVersions {
1666		if len(hs.clientHello.alpnProtocols) == 0 || c.config.Bugs.NegotiateALPNAndNPN {
1667			if hs.clientHello.nextProtoNeg && (len(config.NextProtos) > 0 || config.NegotiateNPNWithNoProtos) {
1668				serverExtensions.nextProtoNeg = true
1669				serverExtensions.nextProtos = config.NextProtos
1670				serverExtensions.npnAfterAlpn = config.Bugs.SwapNPNAndALPN
1671			}
1672		}
1673	}
1674
1675	if len(hs.clientHello.quicTransportParams) > 0 {
1676		c.quicTransportParams = hs.clientHello.quicTransportParams
1677	}
1678	if c.config.QUICTransportParamsUseLegacyCodepoint.IncludeStandard() {
1679		serverExtensions.quicTransportParams = c.config.QUICTransportParams
1680	}
1681
1682	if len(hs.clientHello.quicTransportParamsLegacy) > 0 {
1683		c.quicTransportParamsLegacy = hs.clientHello.quicTransportParamsLegacy
1684	}
1685	if c.config.QUICTransportParamsUseLegacyCodepoint.IncludeLegacy() {
1686		serverExtensions.quicTransportParamsLegacy = c.config.QUICTransportParams
1687	}
1688
1689	if c.vers < VersionTLS13 || config.Bugs.NegotiateEMSAtAllVersions {
1690		disableEMS := config.Bugs.NoExtendedMasterSecret
1691		if c.cipherSuite != nil {
1692			disableEMS = config.Bugs.NoExtendedMasterSecretOnRenegotiation
1693		}
1694		serverExtensions.extendedMasterSecret = hs.clientHello.extendedMasterSecret && !disableEMS
1695	}
1696
1697	if config.Bugs.AlwaysNegotiateChannelID || (hs.clientHello.channelIDSupported && config.RequestChannelID) {
1698		serverExtensions.channelIDRequested = true
1699	}
1700
1701	if hs.clientHello.srtpProtectionProfiles != nil {
1702	SRTPLoop:
1703		for _, p1 := range c.config.SRTPProtectionProfiles {
1704			for _, p2 := range hs.clientHello.srtpProtectionProfiles {
1705				if p1 == p2 {
1706					serverExtensions.srtpProtectionProfile = p1
1707					c.srtpProtectionProfile = p1
1708					break SRTPLoop
1709				}
1710			}
1711		}
1712	}
1713
1714	if c.config.Bugs.SendSRTPProtectionProfile != 0 {
1715		serverExtensions.srtpProtectionProfile = c.config.Bugs.SendSRTPProtectionProfile
1716	}
1717
1718	if expected := c.config.Bugs.ExpectedCustomExtension; expected != nil {
1719		if hs.clientHello.customExtension != *expected {
1720			return fmt.Errorf("tls: bad custom extension contents %q", hs.clientHello.customExtension)
1721		}
1722	}
1723	serverExtensions.customExtension = config.Bugs.CustomExtension
1724
1725	if c.config.Bugs.AdvertiseTicketExtension {
1726		serverExtensions.ticketSupported = true
1727	}
1728
1729	if c.config.Bugs.SendSupportedPointFormats != nil {
1730		serverExtensions.supportedPoints = c.config.Bugs.SendSupportedPointFormats
1731	}
1732
1733	if c.config.Bugs.SendServerSupportedCurves {
1734		serverExtensions.supportedCurves = c.config.curvePreferences()
1735	}
1736
1737	if !hs.clientHello.hasGREASEExtension && config.Bugs.ExpectGREASE {
1738		return errors.New("tls: no GREASE extension found")
1739	}
1740
1741	serverExtensions.serverNameAck = c.config.Bugs.SendServerNameAck
1742
1743	if (c.vers >= VersionTLS13 && hs.clientHello.echOuter != nil) || c.config.Bugs.AlwaysSendECHRetryConfigs {
1744		if len(config.Bugs.SendECHRetryConfigs) > 0 {
1745			serverExtensions.echRetryConfigs = config.Bugs.SendECHRetryConfigs
1746		} else if len(config.ServerECHConfigs) > 0 {
1747			echConfigs := make([][]byte, len(config.ServerECHConfigs))
1748			for i, echConfig := range config.ServerECHConfigs {
1749				echConfigs[i] = echConfig.ECHConfig.Raw
1750			}
1751			serverExtensions.echRetryConfigs = CreateECHConfigList(echConfigs...)
1752		}
1753	}
1754
1755	return nil
1756}
1757
1758// checkForResumption returns true if we should perform resumption on this connection.
1759func (hs *serverHandshakeState) checkForResumption() bool {
1760	c := hs.c
1761
1762	ticket := hs.clientHello.sessionTicket
1763	if len(ticket) == 0 && len(hs.clientHello.pskIdentities) > 0 && c.config.Bugs.AcceptAnySession {
1764		ticket = hs.clientHello.pskIdentities[0].ticket
1765	}
1766	if len(ticket) > 0 {
1767		if c.config.SessionTicketsDisabled {
1768			return false
1769		}
1770
1771		var ok bool
1772		if hs.sessionState, ok = c.decryptTicket(ticket); !ok {
1773			return false
1774		}
1775	} else {
1776		if c.config.ServerSessionCache == nil {
1777			return false
1778		}
1779
1780		var ok bool
1781		sessionID := string(hs.clientHello.sessionID)
1782		if hs.sessionState, ok = c.config.ServerSessionCache.Get(sessionID); !ok {
1783			return false
1784		}
1785	}
1786
1787	if c.config.Bugs.AcceptAnySession {
1788		// Replace the cipher suite with one known to work, to test
1789		// cross-version resumption attempts.
1790		hs.sessionState.cipherSuite = TLS_RSA_WITH_AES_128_CBC_SHA
1791	} else {
1792		// Never resume a session for a different SSL version.
1793		if c.vers != hs.sessionState.vers {
1794			return false
1795		}
1796
1797		cipherSuiteOk := false
1798		// Check that the client is still offering the ciphersuite in the session.
1799		for _, id := range hs.clientHello.cipherSuites {
1800			if id == hs.sessionState.cipherSuite {
1801				cipherSuiteOk = true
1802				break
1803			}
1804		}
1805		if !cipherSuiteOk {
1806			return false
1807		}
1808	}
1809
1810	// Check that we also support the ciphersuite from the session.
1811	hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), c.vers, hs.ellipticOk, hs.ecdsaOk)
1812
1813	if hs.suite == nil {
1814		return false
1815	}
1816
1817	sessionHasClientCerts := len(hs.sessionState.certificates) != 0
1818	needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert
1819	if needClientCerts && !sessionHasClientCerts {
1820		return false
1821	}
1822	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
1823		return false
1824	}
1825
1826	return true
1827}
1828
1829func (hs *serverHandshakeState) doResumeHandshake() error {
1830	c := hs.c
1831
1832	hs.hello.cipherSuite = hs.suite.id
1833	if c.config.Bugs.SendCipherSuite != 0 {
1834		hs.hello.cipherSuite = c.config.Bugs.SendCipherSuite
1835	}
1836	// We echo the client's session ID in the ServerHello to let it know
1837	// that we're doing a resumption.
1838	hs.hello.sessionID = hs.clientHello.sessionID
1839	hs.hello.extensions.ticketSupported = c.config.Bugs.RenewTicketOnResume
1840
1841	if c.config.Bugs.SendSCTListOnResume != nil {
1842		hs.hello.extensions.sctList = c.config.Bugs.SendSCTListOnResume
1843	}
1844
1845	if c.config.Bugs.SendOCSPResponseOnResume != nil {
1846		// There is no way, syntactically, to send an OCSP response on a
1847		// resumption handshake.
1848		hs.hello.extensions.ocspStapling = true
1849	}
1850
1851	hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite)
1852	hs.finishedHash.discardHandshakeBuffer()
1853	hs.writeClientHash(hs.clientHello.marshal())
1854	hs.writeServerHash(hs.hello.marshal())
1855
1856	c.writeRecord(recordTypeHandshake, hs.hello.marshal())
1857
1858	if len(hs.sessionState.certificates) > 0 {
1859		if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
1860			return err
1861		}
1862	}
1863
1864	hs.masterSecret = hs.sessionState.secret
1865	c.extendedMasterSecret = hs.sessionState.extendedMasterSecret
1866
1867	return nil
1868}
1869
1870func (hs *serverHandshakeState) doFullHandshake() error {
1871	config := hs.c.config
1872	c := hs.c
1873
1874	isPSK := hs.suite.flags&suitePSK != 0
1875	if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 && !c.config.Bugs.NoOCSPStapling {
1876		hs.hello.extensions.ocspStapling = true
1877	}
1878
1879	if hs.clientHello.sctListSupported && len(hs.cert.SignedCertificateTimestampList) > 0 && !c.config.Bugs.NoSignedCertificateTimestamps {
1880		hs.hello.extensions.sctList = hs.cert.SignedCertificateTimestampList
1881	}
1882
1883	if len(c.clientVerify) > 0 && config.Bugs.SendSCTListOnRenegotiation != nil {
1884		hs.hello.extensions.sctList = config.Bugs.SendSCTListOnRenegotiation
1885	}
1886
1887	hs.hello.extensions.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled
1888	hs.hello.cipherSuite = hs.suite.id
1889	if config.Bugs.SendCipherSuite != 0 {
1890		hs.hello.cipherSuite = config.Bugs.SendCipherSuite
1891	}
1892	c.extendedMasterSecret = hs.hello.extensions.extendedMasterSecret
1893
1894	// Generate a session ID if we're to save the session.
1895	if !hs.hello.extensions.ticketSupported && config.ServerSessionCache != nil {
1896		l := config.Bugs.NewSessionIDLength
1897		if l == 0 {
1898			l = 32
1899		}
1900		hs.hello.sessionID = make([]byte, l)
1901		if _, err := io.ReadFull(config.rand(), hs.hello.sessionID); err != nil {
1902			c.sendAlert(alertInternalError)
1903			return errors.New("tls: short read from Rand: " + err.Error())
1904		}
1905	}
1906	if config.Bugs.EchoSessionIDInFullHandshake {
1907		hs.hello.sessionID = hs.clientHello.sessionID
1908	}
1909
1910	hs.finishedHash = newFinishedHash(c.wireVersion, c.isDTLS, hs.suite)
1911	hs.writeClientHash(hs.clientHello.marshal())
1912	hs.writeServerHash(hs.hello.marshal())
1913
1914	if config.Bugs.SendSNIWarningAlert {
1915		c.SendAlert(alertLevelWarning, alertUnrecognizedName)
1916	}
1917
1918	c.writeRecord(recordTypeHandshake, hs.hello.marshal())
1919
1920	if !isPSK {
1921		certMsg := new(certificateMsg)
1922		if !config.Bugs.EmptyCertificateList {
1923			for _, certData := range hs.cert.Certificate {
1924				certMsg.certificates = append(certMsg.certificates, certificateEntry{
1925					data: certData,
1926				})
1927			}
1928		}
1929		if !config.Bugs.UnauthenticatedECDH {
1930			certMsgBytes := certMsg.marshal()
1931			hs.writeServerHash(certMsgBytes)
1932			c.writeRecord(recordTypeHandshake, certMsgBytes)
1933		}
1934	}
1935
1936	if hs.hello.extensions.ocspStapling && !c.config.Bugs.SkipCertificateStatus {
1937		certStatus := new(certificateStatusMsg)
1938		certStatus.statusType = statusTypeOCSP
1939		certStatus.response = hs.cert.OCSPStaple
1940		if len(c.clientVerify) > 0 && config.Bugs.SendOCSPResponseOnRenegotiation != nil {
1941			certStatus.response = config.Bugs.SendOCSPResponseOnRenegotiation
1942		}
1943		hs.writeServerHash(certStatus.marshal())
1944		c.writeRecord(recordTypeHandshake, certStatus.marshal())
1945	}
1946
1947	keyAgreement := hs.suite.ka(c.vers)
1948	skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello, c.vers)
1949	if err != nil {
1950		c.sendAlert(alertHandshakeFailure)
1951		return err
1952	}
1953	if ecdhe, ok := keyAgreement.(*ecdheKeyAgreement); ok {
1954		c.curveID = ecdhe.curveID
1955	}
1956	if skx != nil && !config.Bugs.SkipServerKeyExchange {
1957		hs.writeServerHash(skx.marshal())
1958		c.writeRecord(recordTypeHandshake, skx.marshal())
1959	}
1960
1961	if config.ClientAuth >= RequestClientCert {
1962		// Request a client certificate
1963		certReq := &certificateRequestMsg{
1964			vers:             c.wireVersion,
1965			certificateTypes: config.ClientCertificateTypes,
1966		}
1967		if certReq.certificateTypes == nil {
1968			certReq.certificateTypes = []byte{CertTypeRSASign, CertTypeECDSASign}
1969		}
1970		if c.vers >= VersionTLS12 {
1971			certReq.hasSignatureAlgorithm = true
1972			if !config.Bugs.NoSignatureAlgorithms {
1973				certReq.signatureAlgorithms = config.verifySignatureAlgorithms()
1974			}
1975		}
1976
1977		// An empty list of certificateAuthorities signals to
1978		// the client that it may send any certificate in response
1979		// to our request. When we know the CAs we trust, then
1980		// we can send them down, so that the client can choose
1981		// an appropriate certificate to give to us.
1982		if config.ClientCAs != nil {
1983			certReq.certificateAuthorities = config.ClientCAs.Subjects()
1984		}
1985		hs.writeServerHash(certReq.marshal())
1986		c.writeRecord(recordTypeHandshake, certReq.marshal())
1987	}
1988
1989	helloDone := new(serverHelloDoneMsg)
1990	helloDoneBytes := helloDone.marshal()
1991	hs.writeServerHash(helloDoneBytes)
1992	var toAppend byte
1993	if config.Bugs.PartialNewSessionTicketWithServerHelloDone {
1994		toAppend = typeNewSessionTicket
1995	} else if config.Bugs.PartialFinishedWithServerHelloDone {
1996		toAppend = typeFinished
1997	}
1998	if toAppend != 0 {
1999		c.writeRecord(recordTypeHandshake, append(helloDoneBytes[:len(helloDoneBytes):len(helloDoneBytes)], toAppend))
2000	} else {
2001		c.writeRecord(recordTypeHandshake, helloDoneBytes)
2002	}
2003	c.flushHandshake()
2004
2005	var pub crypto.PublicKey // public key for client auth, if any
2006
2007	if err := c.simulatePacketLoss(nil); err != nil {
2008		return err
2009	}
2010	msg, err := c.readHandshake()
2011	if err != nil {
2012		return err
2013	}
2014
2015	// If we requested a client certificate, then the client must send a
2016	// certificate message, even if it's empty.
2017	if config.ClientAuth >= RequestClientCert {
2018		certMsg, ok := msg.(*certificateMsg)
2019		if !ok {
2020			c.sendAlert(alertUnexpectedMessage)
2021			return unexpectedMessageError(certMsg, msg)
2022		}
2023		hs.writeClientHash(certMsg.marshal())
2024
2025		if len(certMsg.certificates) == 0 {
2026			// The client didn't actually send a certificate
2027			switch config.ClientAuth {
2028			case RequireAnyClientCert, RequireAndVerifyClientCert:
2029				c.sendAlert(alertBadCertificate)
2030				return errors.New("tls: client didn't provide a certificate")
2031			}
2032		}
2033
2034		var certificates [][]byte
2035		for _, cert := range certMsg.certificates {
2036			certificates = append(certificates, cert.data)
2037		}
2038
2039		pub, err = hs.processCertsFromClient(certificates)
2040		if err != nil {
2041			return err
2042		}
2043
2044		msg, err = c.readHandshake()
2045		if err != nil {
2046			return err
2047		}
2048	}
2049
2050	// Get client key exchange
2051	ckx, ok := msg.(*clientKeyExchangeMsg)
2052	if !ok {
2053		c.sendAlert(alertUnexpectedMessage)
2054		return unexpectedMessageError(ckx, msg)
2055	}
2056	hs.writeClientHash(ckx.marshal())
2057
2058	preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers)
2059	if err != nil {
2060		c.sendAlert(alertHandshakeFailure)
2061		return err
2062	}
2063	if c.extendedMasterSecret {
2064		hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
2065	} else {
2066		if c.config.Bugs.RequireExtendedMasterSecret {
2067			return errors.New("tls: extended master secret required but not supported by peer")
2068		}
2069		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
2070	}
2071
2072	// If we received a client cert in response to our certificate request message,
2073	// the client will send us a certificateVerifyMsg immediately after the
2074	// clientKeyExchangeMsg.  This message is a digest of all preceding
2075	// handshake-layer messages that is signed using the private key corresponding
2076	// to the client's certificate. This allows us to verify that the client is in
2077	// possession of the private key of the certificate.
2078	if len(c.peerCertificates) > 0 {
2079		msg, err = c.readHandshake()
2080		if err != nil {
2081			return err
2082		}
2083		certVerify, ok := msg.(*certificateVerifyMsg)
2084		if !ok {
2085			c.sendAlert(alertUnexpectedMessage)
2086			return unexpectedMessageError(certVerify, msg)
2087		}
2088
2089		// Determine the signature type.
2090		var sigAlg signatureAlgorithm
2091		if certVerify.hasSignatureAlgorithm {
2092			sigAlg = certVerify.signatureAlgorithm
2093			c.peerSignatureAlgorithm = sigAlg
2094		}
2095
2096		if err := verifyMessage(c.isClient, c.vers, pub, c.config, sigAlg, hs.finishedHash.buffer, certVerify.signature); err != nil {
2097			c.sendAlert(alertBadCertificate)
2098			return errors.New("could not validate signature of connection nonces: " + err.Error())
2099		}
2100
2101		hs.writeClientHash(certVerify.marshal())
2102	}
2103
2104	hs.finishedHash.discardHandshakeBuffer()
2105
2106	return nil
2107}
2108
2109func (hs *serverHandshakeState) establishKeys() error {
2110	c := hs.c
2111
2112	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
2113		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen(c.vers))
2114
2115	var clientCipher, serverCipher any
2116	var clientHash, serverHash macFunction
2117
2118	if hs.suite.aead == nil {
2119		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
2120		clientHash = hs.suite.mac(c.vers, clientMAC)
2121		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
2122		serverHash = hs.suite.mac(c.vers, serverMAC)
2123	} else {
2124		clientCipher = hs.suite.aead(c.vers, clientKey, clientIV)
2125		serverCipher = hs.suite.aead(c.vers, serverKey, serverIV)
2126	}
2127
2128	c.in.prepareCipherSpec(c.wireVersion, clientCipher, clientHash)
2129	c.out.prepareCipherSpec(c.wireVersion, serverCipher, serverHash)
2130
2131	return nil
2132}
2133
2134func (hs *serverHandshakeState) readFinished(out []byte, isResume bool) error {
2135	c := hs.c
2136
2137	c.readRecord(recordTypeChangeCipherSpec)
2138	if err := c.in.error(); err != nil {
2139		return err
2140	}
2141
2142	if hs.hello.extensions.nextProtoNeg {
2143		msg, err := c.readHandshake()
2144		if err != nil {
2145			return err
2146		}
2147		nextProto, ok := msg.(*nextProtoMsg)
2148		if !ok {
2149			c.sendAlert(alertUnexpectedMessage)
2150			return unexpectedMessageError(nextProto, msg)
2151		}
2152		hs.writeClientHash(nextProto.marshal())
2153		c.clientProtocol = nextProto.proto
2154	}
2155
2156	if hs.hello.extensions.channelIDRequested {
2157		msg, err := c.readHandshake()
2158		if err != nil {
2159			return err
2160		}
2161		channelIDMsg, ok := msg.(*channelIDMsg)
2162		if !ok {
2163			c.sendAlert(alertUnexpectedMessage)
2164			return unexpectedMessageError(channelIDMsg, msg)
2165		}
2166		var resumeHash []byte
2167		if isResume {
2168			resumeHash = hs.sessionState.handshakeHash
2169		}
2170		channelID, err := verifyChannelIDMessage(channelIDMsg, hs.finishedHash.hashForChannelID(resumeHash))
2171		if err != nil {
2172			return err
2173		}
2174		c.channelID = channelID
2175
2176		hs.writeClientHash(channelIDMsg.marshal())
2177	}
2178
2179	msg, err := c.readHandshake()
2180	if err != nil {
2181		return err
2182	}
2183	clientFinished, ok := msg.(*finishedMsg)
2184	if !ok {
2185		c.sendAlert(alertUnexpectedMessage)
2186		return unexpectedMessageError(clientFinished, msg)
2187	}
2188
2189	verify := hs.finishedHash.clientSum(hs.masterSecret)
2190	if len(verify) != len(clientFinished.verifyData) ||
2191		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
2192		c.sendAlert(alertHandshakeFailure)
2193		return errors.New("tls: client's Finished message is incorrect")
2194	}
2195	c.clientVerify = append(c.clientVerify[:0], clientFinished.verifyData...)
2196	copy(out, clientFinished.verifyData)
2197
2198	hs.writeClientHash(clientFinished.marshal())
2199	return nil
2200}
2201
2202func (hs *serverHandshakeState) sendSessionTicket() error {
2203	c := hs.c
2204	state := sessionState{
2205		vers:          c.vers,
2206		cipherSuite:   hs.suite.id,
2207		secret:        hs.masterSecret,
2208		certificates:  hs.certsFromClient,
2209		handshakeHash: hs.finishedHash.Sum(),
2210	}
2211
2212	if !hs.hello.extensions.ticketSupported || hs.c.config.Bugs.SkipNewSessionTicket {
2213		if c.config.ServerSessionCache != nil && len(hs.hello.sessionID) != 0 {
2214			c.config.ServerSessionCache.Put(string(hs.hello.sessionID), &state)
2215		}
2216		return nil
2217	}
2218
2219	m := new(newSessionTicketMsg)
2220	m.vers = c.wireVersion
2221	m.isDTLS = c.isDTLS
2222	if c.config.Bugs.SendTicketLifetime != 0 {
2223		m.ticketLifetime = uint32(c.config.Bugs.SendTicketLifetime / time.Second)
2224	}
2225
2226	if !c.config.Bugs.SendEmptySessionTicket {
2227		var err error
2228		m.ticket, err = c.encryptTicket(&state)
2229		if err != nil {
2230			return err
2231		}
2232	}
2233
2234	hs.writeServerHash(m.marshal())
2235	if c.config.Bugs.PartialNewSessionTicketWithServerHelloDone {
2236		// The first byte was already sent.
2237		c.writeRecord(recordTypeHandshake, m.marshal()[1:])
2238	} else {
2239		c.writeRecord(recordTypeHandshake, m.marshal())
2240	}
2241
2242	return nil
2243}
2244
2245func (hs *serverHandshakeState) sendFinished(out []byte, isResume bool) error {
2246	c := hs.c
2247
2248	finished := new(finishedMsg)
2249	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
2250	copy(out, finished.verifyData)
2251	if c.config.Bugs.BadFinished {
2252		finished.verifyData[0]++
2253	}
2254	c.serverVerify = append(c.serverVerify[:0], finished.verifyData...)
2255	hs.finishedBytes = finished.marshal()
2256	hs.writeServerHash(hs.finishedBytes)
2257	postCCSBytes := hs.finishedBytes
2258	if c.config.Bugs.PartialFinishedWithServerHelloDone {
2259		// The first byte has already been sent.
2260		postCCSBytes = postCCSBytes[1:]
2261	}
2262
2263	if c.config.Bugs.FragmentAcrossChangeCipherSpec {
2264		c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
2265		postCCSBytes = postCCSBytes[5:]
2266	} else if c.config.Bugs.SendUnencryptedFinished {
2267		c.writeRecord(recordTypeHandshake, postCCSBytes)
2268		postCCSBytes = nil
2269	}
2270
2271	if !c.config.Bugs.SkipChangeCipherSpec {
2272		ccs := []byte{1}
2273		if c.config.Bugs.BadChangeCipherSpec != nil {
2274			ccs = c.config.Bugs.BadChangeCipherSpec
2275		}
2276		c.writeRecord(recordTypeChangeCipherSpec, ccs)
2277	}
2278
2279	if c.config.Bugs.AppDataAfterChangeCipherSpec != nil {
2280		c.writeRecord(recordTypeApplicationData, c.config.Bugs.AppDataAfterChangeCipherSpec)
2281	}
2282	if c.config.Bugs.AlertAfterChangeCipherSpec != 0 {
2283		c.sendAlert(c.config.Bugs.AlertAfterChangeCipherSpec)
2284		return errors.New("tls: simulating post-CCS alert")
2285	}
2286
2287	if !c.config.Bugs.SkipFinished && len(postCCSBytes) > 0 {
2288		c.writeRecord(recordTypeHandshake, postCCSBytes)
2289		if c.config.Bugs.SendExtraFinished {
2290			c.writeRecord(recordTypeHandshake, finished.marshal())
2291		}
2292	}
2293
2294	if isResume || (!c.config.Bugs.PackHelloRequestWithFinished && !c.config.Bugs.PackAppDataWithHandshake) {
2295		// Defer flushing until Renegotiate() or Write().
2296		c.flushHandshake()
2297	}
2298
2299	c.cipherSuite = hs.suite
2300
2301	return nil
2302}
2303
2304// processCertsFromClient takes a chain of client certificates either from a
2305// Certificates message or from a sessionState and verifies them. It returns
2306// the public key of the leaf certificate.
2307func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
2308	c := hs.c
2309
2310	hs.certsFromClient = certificates
2311	certs := make([]*x509.Certificate, len(certificates))
2312	var err error
2313	for i, asn1Data := range certificates {
2314		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
2315			c.sendAlert(alertBadCertificate)
2316			return nil, errors.New("tls: failed to parse client certificate: " + err.Error())
2317		}
2318	}
2319
2320	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
2321		opts := x509.VerifyOptions{
2322			Roots:         c.config.ClientCAs,
2323			CurrentTime:   c.config.time(),
2324			Intermediates: x509.NewCertPool(),
2325			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
2326		}
2327
2328		for _, cert := range certs[1:] {
2329			opts.Intermediates.AddCert(cert)
2330		}
2331
2332		chains, err := certs[0].Verify(opts)
2333		if err != nil {
2334			c.sendAlert(alertBadCertificate)
2335			return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())
2336		}
2337
2338		ok := false
2339		for _, ku := range certs[0].ExtKeyUsage {
2340			if ku == x509.ExtKeyUsageClientAuth {
2341				ok = true
2342				break
2343			}
2344		}
2345		if !ok {
2346			c.sendAlert(alertHandshakeFailure)
2347			return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication")
2348		}
2349
2350		c.verifiedChains = chains
2351	}
2352
2353	if len(certs) > 0 {
2354		pub := certs[0].PublicKey
2355		switch pub.(type) {
2356		case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
2357			break
2358		default:
2359			c.sendAlert(alertUnsupportedCertificate)
2360			return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", pub)
2361		}
2362		c.peerCertificates = certs
2363		return pub, nil
2364	}
2365
2366	return nil, nil
2367}
2368
2369func verifyChannelIDMessage(channelIDMsg *channelIDMsg, channelIDHash []byte) (*ecdsa.PublicKey, error) {
2370	x := new(big.Int).SetBytes(channelIDMsg.channelID[0:32])
2371	y := new(big.Int).SetBytes(channelIDMsg.channelID[32:64])
2372	r := new(big.Int).SetBytes(channelIDMsg.channelID[64:96])
2373	s := new(big.Int).SetBytes(channelIDMsg.channelID[96:128])
2374	if !elliptic.P256().IsOnCurve(x, y) {
2375		return nil, errors.New("tls: invalid channel ID public key")
2376	}
2377	channelID := &ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}
2378	if !ecdsa.Verify(channelID, channelIDHash, r, s) {
2379		return nil, errors.New("tls: invalid channel ID signature")
2380	}
2381	return channelID, nil
2382}
2383
2384func (hs *serverHandshakeState) writeServerHash(msg []byte) {
2385	// writeServerHash is called before writeRecord.
2386	hs.finishedHash.WriteHandshake(msg, hs.c.sendHandshakeSeq)
2387}
2388
2389func (hs *serverHandshakeState) writeClientHash(msg []byte) {
2390	// writeClientHash is called after readHandshake.
2391	hs.finishedHash.WriteHandshake(msg, hs.c.recvHandshakeSeq-1)
2392}
2393
2394// tryCipherSuite returns a cipherSuite with the given id if that cipher suite
2395// is acceptable to use.
2396func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite {
2397	for _, supported := range supportedCipherSuites {
2398		if id == supported {
2399			var candidate *cipherSuite
2400
2401			for _, s := range cipherSuites {
2402				if s.id == id {
2403					candidate = s
2404					break
2405				}
2406			}
2407			if candidate == nil {
2408				continue
2409			}
2410
2411			// Don't select a ciphersuite which we can't
2412			// support for this client.
2413			if version >= VersionTLS13 || candidate.flags&suiteTLS13 != 0 {
2414				if version < VersionTLS13 || candidate.flags&suiteTLS13 == 0 {
2415					continue
2416				}
2417				return candidate
2418			}
2419			if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
2420				continue
2421			}
2422			if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
2423				continue
2424			}
2425			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
2426				continue
2427			}
2428			return candidate
2429		}
2430	}
2431
2432	return nil
2433}
2434
2435func isTLS12Cipher(id uint16) bool {
2436	for _, cipher := range cipherSuites {
2437		if cipher.id != id {
2438			continue
2439		}
2440		return cipher.flags&suiteTLS12 != 0
2441	}
2442	// Unknown cipher.
2443	return false
2444}
2445
2446func isGREASEValue(val uint16) bool {
2447	return val&0x0f0f == 0x0a0a && val&0xff == val>>8
2448}
2449
2450func verifyPSKBinder(version uint16, clientHello *clientHelloMsg, sessionState *sessionState, binderToVerify, firstClientHello, helloRetryRequest []byte) error {
2451	binderLen := 2
2452	for _, binder := range clientHello.pskBinders {
2453		binderLen += 1 + len(binder)
2454	}
2455
2456	truncatedHello := clientHello.marshal()
2457	truncatedHello = truncatedHello[:len(truncatedHello)-binderLen]
2458	pskCipherSuite := cipherSuiteFromID(sessionState.cipherSuite)
2459	if pskCipherSuite == nil {
2460		return errors.New("tls: Unknown cipher suite for PSK in session")
2461	}
2462
2463	binder := computePSKBinder(sessionState.secret, version, resumptionPSKBinderLabel, pskCipherSuite, firstClientHello, helloRetryRequest, truncatedHello)
2464	if !bytes.Equal(binder, binderToVerify) {
2465		return errors.New("tls: PSK binder does not verify")
2466	}
2467
2468	return nil
2469}
2470
2471// checkClientHellosEqual checks whether a and b are equal ClientHello
2472// messages. If isDTLS is true, the ClientHellos are parsed as DTLS and any
2473// differences in the cookie field are ignored. Extensions listed in
2474// ignoreExtensions may change or be removed between the two ClientHellos.
2475func checkClientHellosEqual(a, b []byte, isDTLS bool, ignoreExtensions []uint16) error {
2476	ignoreExtensionsSet := make(map[uint16]struct{})
2477	for _, ext := range ignoreExtensions {
2478		ignoreExtensionsSet[ext] = struct{}{}
2479	}
2480
2481	// Skip the handshake message header.
2482	aReader := cryptobyte.String(a[4:])
2483	bReader := cryptobyte.String(b[4:])
2484
2485	var aVers, bVers uint16
2486	var aRandom, bRandom []byte
2487	var aSessionID, bSessionID []byte
2488	if !aReader.ReadUint16(&aVers) ||
2489		!bReader.ReadUint16(&bVers) ||
2490		!aReader.ReadBytes(&aRandom, 32) ||
2491		!bReader.ReadBytes(&bRandom, 32) ||
2492		!readUint8LengthPrefixedBytes(&aReader, &aSessionID) ||
2493		!readUint8LengthPrefixedBytes(&bReader, &bSessionID) {
2494		return errors.New("tls: could not parse ClientHello")
2495	}
2496
2497	if aVers != bVers {
2498		return errors.New("tls: second ClientHello version did not match")
2499	}
2500	if !bytes.Equal(aRandom, bRandom) {
2501		return errors.New("tls: second ClientHello random did not match")
2502	}
2503	if !bytes.Equal(aSessionID, bSessionID) {
2504		return errors.New("tls: second ClientHello session ID did not match")
2505	}
2506
2507	if isDTLS {
2508		// DTLS 1.2 checks two ClientHellos match after a HelloVerifyRequest,
2509		// where we expect the cookies to change. DTLS 1.3 forbids the legacy
2510		// cookie altogether. If we implement DTLS 1.3, we'll need to ensure
2511		// that parsing logic above this function rejects this cookie.
2512		var aCookie, bCookie []byte
2513		if !readUint8LengthPrefixedBytes(&aReader, &aCookie) ||
2514			!readUint8LengthPrefixedBytes(&bReader, &bCookie) {
2515			return errors.New("tls: could not parse ClientHello")
2516		}
2517	}
2518
2519	var aCipherSuites, bCipherSuites, aCompressionMethods, bCompressionMethods []byte
2520	if !readUint16LengthPrefixedBytes(&aReader, &aCipherSuites) ||
2521		!readUint16LengthPrefixedBytes(&bReader, &bCipherSuites) ||
2522		!readUint8LengthPrefixedBytes(&aReader, &aCompressionMethods) ||
2523		!readUint8LengthPrefixedBytes(&bReader, &bCompressionMethods) {
2524		return errors.New("tls: could not parse ClientHello")
2525	}
2526	if !bytes.Equal(aCipherSuites, bCipherSuites) {
2527		return errors.New("tls: second ClientHello cipher suites did not match")
2528	}
2529	if !bytes.Equal(aCompressionMethods, bCompressionMethods) {
2530		return errors.New("tls: second ClientHello compression methods did not match")
2531	}
2532
2533	if len(aReader) == 0 && len(bReader) == 0 {
2534		// Both ClientHellos omit the extensions block.
2535		return nil
2536	}
2537
2538	var aExtensions, bExtensions cryptobyte.String
2539	if !aReader.ReadUint16LengthPrefixed(&aExtensions) ||
2540		!bReader.ReadUint16LengthPrefixed(&bExtensions) ||
2541		len(aReader) != 0 ||
2542		len(bReader) != 0 {
2543		return errors.New("tls: could not parse ClientHello")
2544	}
2545
2546	for len(aExtensions) != 0 {
2547		var aID uint16
2548		var aBody []byte
2549		if !aExtensions.ReadUint16(&aID) ||
2550			!readUint16LengthPrefixedBytes(&aExtensions, &aBody) {
2551			return errors.New("tls: could not parse ClientHello")
2552		}
2553		if _, ok := ignoreExtensionsSet[aID]; ok {
2554			continue
2555		}
2556
2557		for {
2558			if len(bExtensions) == 0 {
2559				return fmt.Errorf("tls: second ClientHello missing extension %d", aID)
2560			}
2561			var bID uint16
2562			var bBody []byte
2563			if !bExtensions.ReadUint16(&bID) ||
2564				!readUint16LengthPrefixedBytes(&bExtensions, &bBody) {
2565				return errors.New("tls: could not parse ClientHello")
2566			}
2567			if _, ok := ignoreExtensionsSet[bID]; ok {
2568				continue
2569			}
2570			if aID != bID {
2571				return fmt.Errorf("tls: unexpected extension %d in second ClientHello (wanted %d)", bID, aID)
2572			}
2573			if !bytes.Equal(aBody, bBody) {
2574				return fmt.Errorf("tls: extension %d in second ClientHello unexpectedly changed", aID)
2575			}
2576			break
2577		}
2578	}
2579
2580	// Any remaining extensions in the second ClientHello must be in the
2581	// ignored set.
2582	for len(bExtensions) != 0 {
2583		var id uint16
2584		var body []byte
2585		if !bExtensions.ReadUint16(&id) ||
2586			!readUint16LengthPrefixedBytes(&bExtensions, &body) {
2587			return errors.New("tls: could not parse ClientHello")
2588		}
2589		if _, ok := ignoreExtensionsSet[id]; !ok {
2590			return fmt.Errorf("tls: unexpected extension %d in second ClientHello", id)
2591		}
2592	}
2593
2594	return nil
2595}
2596