handshake_client.go

Documentation: crypto/tls

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/rsa"
    13  	"crypto/subtle"
    14  	"crypto/x509"
    15  	"errors"
    16  	"fmt"
    17  	"io"
    18  	"net"
    19  	"strings"
    20  	"sync/atomic"
    21  	"time"
    22  )
    23  
    24  type clientHandshakeState struct {
    25  	c            *Conn
    26  	serverHello  *serverHelloMsg
    27  	hello        *clientHelloMsg
    28  	suite        *cipherSuite
    29  	finishedHash finishedHash
    30  	masterSecret []byte
    31  	session      *ClientSessionState
    32  }
    33  
    34  func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
    35  	config := c.config
    36  	if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
    37  		return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
    38  	}
    39  
    40  	nextProtosLength := 0
    41  	for _, proto := range config.NextProtos {
    42  		if l := len(proto); l == 0 || l > 255 {
    43  			return nil, nil, errors.New("tls: invalid NextProtos value")
    44  		} else {
    45  			nextProtosLength += 1 + l
    46  		}
    47  	}
    48  	if nextProtosLength > 0xffff {
    49  		return nil, nil, errors.New("tls: NextProtos values too large")
    50  	}
    51  
    52  	supportedVersions := config.supportedVersions()
    53  	if len(supportedVersions) == 0 {
    54  		return nil, nil, errors.New("tls: no supported versions satisfy MinVersion and MaxVersion")
    55  	}
    56  
    57  	clientHelloVersion := supportedVersions[0]
    58  	// The version at the beginning of the ClientHello was capped at TLS 1.2
    59  	// for compatibility reasons. The supported_versions extension is used
    60  	// to negotiate versions now. See RFC 8446, Section 4.2.1.
    61  	if clientHelloVersion > VersionTLS12 {
    62  		clientHelloVersion = VersionTLS12
    63  	}
    64  
    65  	hello := &clientHelloMsg{
    66  		vers:                         clientHelloVersion,
    67  		compressionMethods:           []uint8{compressionNone},
    68  		random:                       make([]byte, 32),
    69  		sessionId:                    make([]byte, 32),
    70  		ocspStapling:                 true,
    71  		scts:                         true,
    72  		serverName:                   hostnameInSNI(config.ServerName),
    73  		supportedCurves:              config.curvePreferences(),
    74  		supportedPoints:              []uint8{pointFormatUncompressed},
    75  		secureRenegotiationSupported: true,
    76  		alpnProtocols:                config.NextProtos,
    77  		supportedVersions:            supportedVersions,
    78  	}
    79  
    80  	if c.handshakes > 0 {
    81  		hello.secureRenegotiation = c.clientFinished[:]
    82  	}
    83  
    84  	possibleCipherSuites := config.cipherSuites()
    85  	hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
    86  
    87  	for _, suiteId := range possibleCipherSuites {
    88  		for _, suite := range cipherSuites {
    89  			if suite.id != suiteId {
    90  				continue
    91  			}
    92  			// Don't advertise TLS 1.2-only cipher suites unless
    93  			// we're attempting TLS 1.2.
    94  			if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
    95  				break
    96  			}
    97  			hello.cipherSuites = append(hello.cipherSuites, suiteId)
    98  			break
    99  		}
   100  	}
   101  
   102  	_, err := io.ReadFull(config.rand(), hello.random)
   103  	if err != nil {
   104  		return nil, nil, errors.New("tls: short read from Rand: " + err.Error())
   105  	}
   106  
   107  	// A random session ID is used to detect when the server accepted a ticket
   108  	// and is resuming a session (see RFC 5077). In TLS 1.3, it's always set as
   109  	// a compatibility measure (see RFC 8446, Section 4.1.2).
   110  	if _, err := io.ReadFull(config.rand(), hello.sessionId); err != nil {
   111  		return nil, nil, errors.New("tls: short read from Rand: " + err.Error())
   112  	}
   113  
   114  	if hello.vers >= VersionTLS12 {
   115  		hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms
   116  	}
   117  
   118  	var params ecdheParameters
   119  	if hello.supportedVersions[0] == VersionTLS13 {
   120  		hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13()...)
   121  
   122  		curveID := config.curvePreferences()[0]
   123  		if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
   124  			return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
   125  		}
   126  		params, err = generateECDHEParameters(config.rand(), curveID)
   127  		if err != nil {
   128  			return nil, nil, err
   129  		}
   130  		hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
   131  	}
   132  
   133  	return hello, params, nil
   134  }
   135  
   136  func (c *Conn) clientHandshake() (err error) {
   137  	if c.config == nil {
   138  		c.config = defaultConfig()
   139  	}
   140  
   141  	// This may be a renegotiation handshake, in which case some fields
   142  	// need to be reset.
   143  	c.didResume = false
   144  
   145  	hello, ecdheParams, err := c.makeClientHello()
   146  	if err != nil {
   147  		return err
   148  	}
   149  
   150  	cacheKey, session, earlySecret, binderKey := c.loadSession(hello)
   151  	if cacheKey != "" && session != nil {
   152  		defer func() {
   153  			// If we got a handshake failure when resuming a session, throw away
   154  			// the session ticket. See RFC 5077, Section 3.2.
   155  			//
   156  			// RFC 8446 makes no mention of dropping tickets on failure, but it
   157  			// does require servers to abort on invalid binders, so we need to
   158  			// delete tickets to recover from a corrupted PSK.
   159  			if err != nil {
   160  				c.config.ClientSessionCache.Put(cacheKey, nil)
   161  			}
   162  		}()
   163  	}
   164  
   165  	if _, err := c.writeRecord(recordTypeHandshake, hello.marshal()); err != nil {
   166  		return err
   167  	}
   168  
   169  	msg, err := c.readHandshake()
   170  	if err != nil {
   171  		return err
   172  	}
   173  
   174  	serverHello, ok := msg.(*serverHelloMsg)
   175  	if !ok {
   176  		c.sendAlert(alertUnexpectedMessage)
   177  		return unexpectedMessageError(serverHello, msg)
   178  	}
   179  
   180  	if err := c.pickTLSVersion(serverHello); err != nil {
   181  		return err
   182  	}
   183  
   184  	if c.vers == VersionTLS13 {
   185  		hs := &clientHandshakeStateTLS13{
   186  			c:           c,
   187  			serverHello: serverHello,
   188  			hello:       hello,
   189  			ecdheParams: ecdheParams,
   190  			session:     session,
   191  			earlySecret: earlySecret,
   192  			binderKey:   binderKey,
   193  		}
   194  
   195  		// In TLS 1.3, session tickets are delivered after the handshake.
   196  		return hs.handshake()
   197  	}
   198  
   199  	hs := &clientHandshakeState{
   200  		c:           c,
   201  		serverHello: serverHello,
   202  		hello:       hello,
   203  		session:     session,
   204  	}
   205  
   206  	if err := hs.handshake(); err != nil {
   207  		return err
   208  	}
   209  
   210  	// If we had a successful handshake and hs.session is different from
   211  	// the one already cached - cache a new one.
   212  	if cacheKey != "" && hs.session != nil && session != hs.session {
   213  		c.config.ClientSessionCache.Put(cacheKey, hs.session)
   214  	}
   215  
   216  	return nil
   217  }
   218  
   219  func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string,
   220  	session *ClientSessionState, earlySecret, binderKey []byte) {
   221  	if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
   222  		return "", nil, nil, nil
   223  	}
   224  
   225  	hello.ticketSupported = true
   226  
   227  	if hello.supportedVersions[0] == VersionTLS13 {
   228  		// Require DHE on resumption as it guarantees forward secrecy against
   229  		// compromise of the session ticket key. See RFC 8446, Section 4.2.9.
   230  		hello.pskModes = []uint8{pskModeDHE}
   231  	}
   232  
   233  	// Session resumption is not allowed if renegotiating because
   234  	// renegotiation is primarily used to allow a client to send a client
   235  	// certificate, which would be skipped if session resumption occurred.
   236  	if c.handshakes != 0 {
   237  		return "", nil, nil, nil
   238  	}
   239  
   240  	// Try to resume a previously negotiated TLS session, if available.
   241  	cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
   242  	session, ok := c.config.ClientSessionCache.Get(cacheKey)
   243  	if !ok || session == nil {
   244  		return cacheKey, nil, nil, nil
   245  	}
   246  
   247  	// Check that version used for the previous session is still valid.
   248  	versOk := false
   249  	for _, v := range hello.supportedVersions {
   250  		if v == session.vers {
   251  			versOk = true
   252  			break
   253  		}
   254  	}
   255  	if !versOk {
   256  		return cacheKey, nil, nil, nil
   257  	}
   258  
   259  	// Check that the cached server certificate is not expired, and that it's
   260  	// valid for the ServerName. This should be ensured by the cache key, but
   261  	// protect the application from a faulty ClientSessionCache implementation.
   262  	if !c.config.InsecureSkipVerify {
   263  		if len(session.verifiedChains) == 0 {
   264  			// The original connection had InsecureSkipVerify, while this doesn't.
   265  			return cacheKey, nil, nil, nil
   266  		}
   267  		serverCert := session.serverCertificates[0]
   268  		if c.config.time().After(serverCert.NotAfter) {
   269  			// Expired certificate, delete the entry.
   270  			c.config.ClientSessionCache.Put(cacheKey, nil)
   271  			return cacheKey, nil, nil, nil
   272  		}
   273  		if err := serverCert.VerifyHostname(c.config.ServerName); err != nil {
   274  			return cacheKey, nil, nil, nil
   275  		}
   276  	}
   277  
   278  	if session.vers != VersionTLS13 {
   279  		// In TLS 1.2 the cipher suite must match the resumed session. Ensure we
   280  		// are still offering it.
   281  		if mutualCipherSuite(hello.cipherSuites, session.cipherSuite) == nil {
   282  			return cacheKey, nil, nil, nil
   283  		}
   284  
   285  		hello.sessionTicket = session.sessionTicket
   286  		return
   287  	}
   288  
   289  	// Check that the session ticket is not expired.
   290  	if c.config.time().After(session.useBy) {
   291  		c.config.ClientSessionCache.Put(cacheKey, nil)
   292  		return cacheKey, nil, nil, nil
   293  	}
   294  
   295  	// In TLS 1.3 the KDF hash must match the resumed session. Ensure we
   296  	// offer at least one cipher suite with that hash.
   297  	cipherSuite := cipherSuiteTLS13ByID(session.cipherSuite)
   298  	if cipherSuite == nil {
   299  		return cacheKey, nil, nil, nil
   300  	}
   301  	cipherSuiteOk := false
   302  	for _, offeredID := range hello.cipherSuites {
   303  		offeredSuite := cipherSuiteTLS13ByID(offeredID)
   304  		if offeredSuite != nil && offeredSuite.hash == cipherSuite.hash {
   305  			cipherSuiteOk = true
   306  			break
   307  		}
   308  	}
   309  	if !cipherSuiteOk {
   310  		return cacheKey, nil, nil, nil
   311  	}
   312  
   313  	// Set the pre_shared_key extension. See RFC 8446, Section 4.2.11.1.
   314  	ticketAge := uint32(c.config.time().Sub(session.receivedAt) / time.Millisecond)
   315  	identity := pskIdentity{
   316  		label:               session.sessionTicket,
   317  		obfuscatedTicketAge: ticketAge + session.ageAdd,
   318  	}
   319  	hello.pskIdentities = []pskIdentity{identity}
   320  	hello.pskBinders = [][]byte{make([]byte, cipherSuite.hash.Size())}
   321  
   322  	// Compute the PSK binders. See RFC 8446, Section 4.2.11.2.
   323  	psk := cipherSuite.expandLabel(session.masterSecret, "resumption",
   324  		session.nonce, cipherSuite.hash.Size())
   325  	earlySecret = cipherSuite.extract(psk, nil)
   326  	binderKey = cipherSuite.deriveSecret(earlySecret, resumptionBinderLabel, nil)
   327  	transcript := cipherSuite.hash.New()
   328  	transcript.Write(hello.marshalWithoutBinders())
   329  	pskBinders := [][]byte{cipherSuite.finishedHash(binderKey, transcript)}
   330  	hello.updateBinders(pskBinders)
   331  
   332  	return
   333  }
   334  
   335  func (c *Conn) pickTLSVersion(serverHello *serverHelloMsg) error {
   336  	peerVersion := serverHello.vers
   337  	if serverHello.supportedVersion != 0 {
   338  		peerVersion = serverHello.supportedVersion
   339  	}
   340  
   341  	vers, ok := c.config.mutualVersion([]uint16{peerVersion})
   342  	if !ok {
   343  		c.sendAlert(alertProtocolVersion)
   344  		return fmt.Errorf("tls: server selected unsupported protocol version %x", peerVersion)
   345  	}
   346  
   347  	c.vers = vers
   348  	c.haveVers = true
   349  	c.in.version = vers
   350  	c.out.version = vers
   351  
   352  	return nil
   353  }
   354  
   355  // Does the handshake, either a full one or resumes old session. Requires hs.c,
   356  // hs.hello, hs.serverHello, and, optionally, hs.session to be set.
   357  func (hs *clientHandshakeState) handshake() error {
   358  	c := hs.c
   359  
   360  	isResume, err := hs.processServerHello()
   361  	if err != nil {
   362  		return err
   363  	}
   364  
   365  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   366  
   367  	// No signatures of the handshake are needed in a resumption.
   368  	// Otherwise, in a full handshake, if we don't have any certificates
   369  	// configured then we will never send a CertificateVerify message and
   370  	// thus no signatures are needed in that case either.
   371  	if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
   372  		hs.finishedHash.discardHandshakeBuffer()
   373  	}
   374  
   375  	hs.finishedHash.Write(hs.hello.marshal())
   376  	hs.finishedHash.Write(hs.serverHello.marshal())
   377  
   378  	c.buffering = true
   379  	if isResume {
   380  		if err := hs.establishKeys(); err != nil {
   381  			return err
   382  		}
   383  		if err := hs.readSessionTicket(); err != nil {
   384  			return err
   385  		}
   386  		if err := hs.readFinished(c.serverFinished[:]); err != nil {
   387  			return err
   388  		}
   389  		c.clientFinishedIsFirst = false
   390  		if err := hs.sendFinished(c.clientFinished[:]); err != nil {
   391  			return err
   392  		}
   393  		if _, err := c.flush(); err != nil {
   394  			return err
   395  		}
   396  	} else {
   397  		if err := hs.doFullHandshake(); err != nil {
   398  			return err
   399  		}
   400  		if err := hs.establishKeys(); err != nil {
   401  			return err
   402  		}
   403  		if err := hs.sendFinished(c.clientFinished[:]); err != nil {
   404  			return err
   405  		}
   406  		if _, err := c.flush(); err != nil {
   407  			return err
   408  		}
   409  		c.clientFinishedIsFirst = true
   410  		if err := hs.readSessionTicket(); err != nil {
   411  			return err
   412  		}
   413  		if err := hs.readFinished(c.serverFinished[:]); err != nil {
   414  			return err
   415  		}
   416  	}
   417  
   418  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random)
   419  	c.didResume = isResume
   420  	atomic.StoreUint32(&c.handshakeStatus, 1)
   421  
   422  	return nil
   423  }
   424  
   425  func (hs *clientHandshakeState) pickCipherSuite() error {
   426  	if hs.suite = mutualCipherSuite(hs.hello.cipherSuites, hs.serverHello.cipherSuite); hs.suite == nil {
   427  		hs.c.sendAlert(alertHandshakeFailure)
   428  		return errors.New("tls: server chose an unconfigured cipher suite")
   429  	}
   430  
   431  	hs.c.cipherSuite = hs.suite.id
   432  	return nil
   433  }
   434  
   435  func (hs *clientHandshakeState) doFullHandshake() error {
   436  	c := hs.c
   437  
   438  	msg, err := c.readHandshake()
   439  	if err != nil {
   440  		return err
   441  	}
   442  	certMsg, ok := msg.(*certificateMsg)
   443  	if !ok || len(certMsg.certificates) == 0 {
   444  		c.sendAlert(alertUnexpectedMessage)
   445  		return unexpectedMessageError(certMsg, msg)
   446  	}
   447  	hs.finishedHash.Write(certMsg.marshal())
   448  
   449  	if c.handshakes == 0 {
   450  		// If this is the first handshake on a connection, process and
   451  		// (optionally) verify the server's certificates.
   452  		if err := c.verifyServerCertificate(certMsg.certificates); err != nil {
   453  			return err
   454  		}
   455  	} else {
   456  		// This is a renegotiation handshake. We require that the
   457  		// server's identity (i.e. leaf certificate) is unchanged and
   458  		// thus any previous trust decision is still valid.
   459  		//
   460  		// See https://mitls.org/pages/attacks/3SHAKE for the
   461  		// motivation behind this requirement.
   462  		if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) {
   463  			c.sendAlert(alertBadCertificate)
   464  			return errors.New("tls: server's identity changed during renegotiation")
   465  		}
   466  	}
   467  
   468  	msg, err = c.readHandshake()
   469  	if err != nil {
   470  		return err
   471  	}
   472  
   473  	cs, ok := msg.(*certificateStatusMsg)
   474  	if ok {
   475  		// RFC4366 on Certificate Status Request:
   476  		// The server MAY return a "certificate_status" message.
   477  
   478  		if !hs.serverHello.ocspStapling {
   479  			// If a server returns a "CertificateStatus" message, then the
   480  			// server MUST have included an extension of type "status_request"
   481  			// with empty "extension_data" in the extended server hello.
   482  
   483  			c.sendAlert(alertUnexpectedMessage)
   484  			return errors.New("tls: received unexpected CertificateStatus message")
   485  		}
   486  		hs.finishedHash.Write(cs.marshal())
   487  
   488  		c.ocspResponse = cs.response
   489  
   490  		msg, err = c.readHandshake()
   491  		if err != nil {
   492  			return err
   493  		}
   494  	}
   495  
   496  	keyAgreement := hs.suite.ka(c.vers)
   497  
   498  	skx, ok := msg.(*serverKeyExchangeMsg)
   499  	if ok {
   500  		hs.finishedHash.Write(skx.marshal())
   501  		err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx)
   502  		if err != nil {
   503  			c.sendAlert(alertUnexpectedMessage)
   504  			return err
   505  		}
   506  
   507  		msg, err = c.readHandshake()
   508  		if err != nil {
   509  			return err
   510  		}
   511  	}
   512  
   513  	var chainToSend *Certificate
   514  	var certRequested bool
   515  	certReq, ok := msg.(*certificateRequestMsg)
   516  	if ok {
   517  		certRequested = true
   518  		hs.finishedHash.Write(certReq.marshal())
   519  
   520  		cri := certificateRequestInfoFromMsg(c.vers, certReq)
   521  		if chainToSend, err = c.getClientCertificate(cri); err != nil {
   522  			c.sendAlert(alertInternalError)
   523  			return err
   524  		}
   525  
   526  		msg, err = c.readHandshake()
   527  		if err != nil {
   528  			return err
   529  		}
   530  	}
   531  
   532  	shd, ok := msg.(*serverHelloDoneMsg)
   533  	if !ok {
   534  		c.sendAlert(alertUnexpectedMessage)
   535  		return unexpectedMessageError(shd, msg)
   536  	}
   537  	hs.finishedHash.Write(shd.marshal())
   538  
   539  	// If the server requested a certificate then we have to send a
   540  	// Certificate message, even if it's empty because we don't have a
   541  	// certificate to send.
   542  	if certRequested {
   543  		certMsg = new(certificateMsg)
   544  		certMsg.certificates = chainToSend.Certificate
   545  		hs.finishedHash.Write(certMsg.marshal())
   546  		if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
   547  			return err
   548  		}
   549  	}
   550  
   551  	preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, c.peerCertificates[0])
   552  	if err != nil {
   553  		c.sendAlert(alertInternalError)
   554  		return err
   555  	}
   556  	if ckx != nil {
   557  		hs.finishedHash.Write(ckx.marshal())
   558  		if _, err := c.writeRecord(recordTypeHandshake, ckx.marshal()); err != nil {
   559  			return err
   560  		}
   561  	}
   562  
   563  	if chainToSend != nil && len(chainToSend.Certificate) > 0 {
   564  		certVerify := &certificateVerifyMsg{}
   565  
   566  		key, ok := chainToSend.PrivateKey.(crypto.Signer)
   567  		if !ok {
   568  			c.sendAlert(alertInternalError)
   569  			return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey)
   570  		}
   571  
   572  		var sigType uint8
   573  		var sigHash crypto.Hash
   574  		if c.vers >= VersionTLS12 {
   575  			signatureAlgorithm, err := selectSignatureScheme(c.vers, chainToSend, certReq.supportedSignatureAlgorithms)
   576  			if err != nil {
   577  				c.sendAlert(alertIllegalParameter)
   578  				return err
   579  			}
   580  			sigType, sigHash, err = typeAndHashFromSignatureScheme(signatureAlgorithm)
   581  			if err != nil {
   582  				return c.sendAlert(alertInternalError)
   583  			}
   584  			certVerify.hasSignatureAlgorithm = true
   585  			certVerify.signatureAlgorithm = signatureAlgorithm
   586  		} else {
   587  			sigType, sigHash, err = legacyTypeAndHashFromPublicKey(key.Public())
   588  			if err != nil {
   589  				c.sendAlert(alertIllegalParameter)
   590  				return err
   591  			}
   592  		}
   593  
   594  		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret)
   595  		signOpts := crypto.SignerOpts(sigHash)
   596  		if sigType == signatureRSAPSS {
   597  			signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
   598  		}
   599  		certVerify.signature, err = key.Sign(c.config.rand(), signed, signOpts)
   600  		if err != nil {
   601  			c.sendAlert(alertInternalError)
   602  			return err
   603  		}
   604  
   605  		hs.finishedHash.Write(certVerify.marshal())
   606  		if _, err := c.writeRecord(recordTypeHandshake, certVerify.marshal()); err != nil {
   607  			return err
   608  		}
   609  	}
   610  
   611  	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
   612  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.hello.random, hs.masterSecret); err != nil {
   613  		c.sendAlert(alertInternalError)
   614  		return errors.New("tls: failed to write to key log: " + err.Error())
   615  	}
   616  
   617  	hs.finishedHash.discardHandshakeBuffer()
   618  
   619  	return nil
   620  }
   621  
   622  func (hs *clientHandshakeState) establishKeys() error {
   623  	c := hs.c
   624  
   625  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   626  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   627  	var clientCipher, serverCipher interface{}
   628  	var clientHash, serverHash macFunction
   629  	if hs.suite.cipher != nil {
   630  		clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
   631  		clientHash = hs.suite.mac(c.vers, clientMAC)
   632  		serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
   633  		serverHash = hs.suite.mac(c.vers, serverMAC)
   634  	} else {
   635  		clientCipher = hs.suite.aead(clientKey, clientIV)
   636  		serverCipher = hs.suite.aead(serverKey, serverIV)
   637  	}
   638  
   639  	c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
   640  	c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
   641  	return nil
   642  }
   643  
   644  func (hs *clientHandshakeState) serverResumedSession() bool {
   645  	// If the server responded with the same sessionId then it means the
   646  	// sessionTicket is being used to resume a TLS session.
   647  	return hs.session != nil && hs.hello.sessionId != nil &&
   648  		bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
   649  }
   650  
   651  func (hs *clientHandshakeState) processServerHello() (bool, error) {
   652  	c := hs.c
   653  
   654  	if err := hs.pickCipherSuite(); err != nil {
   655  		return false, err
   656  	}
   657  
   658  	if hs.serverHello.compressionMethod != compressionNone {
   659  		c.sendAlert(alertUnexpectedMessage)
   660  		return false, errors.New("tls: server selected unsupported compression format")
   661  	}
   662  
   663  	if c.handshakes == 0 && hs.serverHello.secureRenegotiationSupported {
   664  		c.secureRenegotiation = true
   665  		if len(hs.serverHello.secureRenegotiation) != 0 {
   666  			c.sendAlert(alertHandshakeFailure)
   667  			return false, errors.New("tls: initial handshake had non-empty renegotiation extension")
   668  		}
   669  	}
   670  
   671  	if c.handshakes > 0 && c.secureRenegotiation {
   672  		var expectedSecureRenegotiation [24]byte
   673  		copy(expectedSecureRenegotiation[:], c.clientFinished[:])
   674  		copy(expectedSecureRenegotiation[12:], c.serverFinished[:])
   675  		if !bytes.Equal(hs.serverHello.secureRenegotiation, expectedSecureRenegotiation[:]) {
   676  			c.sendAlert(alertHandshakeFailure)
   677  			return false, errors.New("tls: incorrect renegotiation extension contents")
   678  		}
   679  	}
   680  
   681  	clientDidALPN := len(hs.hello.alpnProtocols) > 0
   682  	serverHasALPN := len(hs.serverHello.alpnProtocol) > 0
   683  
   684  	if !clientDidALPN && serverHasALPN {
   685  		c.sendAlert(alertHandshakeFailure)
   686  		return false, errors.New("tls: server advertised unrequested ALPN extension")
   687  	}
   688  
   689  	if serverHasALPN {
   690  		c.clientProtocol = hs.serverHello.alpnProtocol
   691  		c.clientProtocolFallback = false
   692  	}
   693  	c.scts = hs.serverHello.scts
   694  
   695  	if !hs.serverResumedSession() {
   696  		return false, nil
   697  	}
   698  
   699  	if hs.session.vers != c.vers {
   700  		c.sendAlert(alertHandshakeFailure)
   701  		return false, errors.New("tls: server resumed a session with a different version")
   702  	}
   703  
   704  	if hs.session.cipherSuite != hs.suite.id {
   705  		c.sendAlert(alertHandshakeFailure)
   706  		return false, errors.New("tls: server resumed a session with a different cipher suite")
   707  	}
   708  
   709  	// Restore masterSecret and peerCerts from previous state
   710  	hs.masterSecret = hs.session.masterSecret
   711  	c.peerCertificates = hs.session.serverCertificates
   712  	c.verifiedChains = hs.session.verifiedChains
   713  	return true, nil
   714  }
   715  
   716  func (hs *clientHandshakeState) readFinished(out []byte) error {
   717  	c := hs.c
   718  
   719  	if err := c.readChangeCipherSpec(); err != nil {
   720  		return err
   721  	}
   722  
   723  	msg, err := c.readHandshake()
   724  	if err != nil {
   725  		return err
   726  	}
   727  	serverFinished, ok := msg.(*finishedMsg)
   728  	if !ok {
   729  		c.sendAlert(alertUnexpectedMessage)
   730  		return unexpectedMessageError(serverFinished, msg)
   731  	}
   732  
   733  	verify := hs.finishedHash.serverSum(hs.masterSecret)
   734  	if len(verify) != len(serverFinished.verifyData) ||
   735  		subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
   736  		c.sendAlert(alertHandshakeFailure)
   737  		return errors.New("tls: server's Finished message was incorrect")
   738  	}
   739  	hs.finishedHash.Write(serverFinished.marshal())
   740  	copy(out, verify)
   741  	return nil
   742  }
   743  
   744  func (hs *clientHandshakeState) readSessionTicket() error {
   745  	if !hs.serverHello.ticketSupported {
   746  		return nil
   747  	}
   748  
   749  	c := hs.c
   750  	msg, err := c.readHandshake()
   751  	if err != nil {
   752  		return err
   753  	}
   754  	sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
   755  	if !ok {
   756  		c.sendAlert(alertUnexpectedMessage)
   757  		return unexpectedMessageError(sessionTicketMsg, msg)
   758  	}
   759  	hs.finishedHash.Write(sessionTicketMsg.marshal())
   760  
   761  	hs.session = &ClientSessionState{
   762  		sessionTicket:      sessionTicketMsg.ticket,
   763  		vers:               c.vers,
   764  		cipherSuite:        hs.suite.id,
   765  		masterSecret:       hs.masterSecret,
   766  		serverCertificates: c.peerCertificates,
   767  		verifiedChains:     c.verifiedChains,
   768  		receivedAt:         c.config.time(),
   769  	}
   770  
   771  	return nil
   772  }
   773  
   774  func (hs *clientHandshakeState) sendFinished(out []byte) error {
   775  	c := hs.c
   776  
   777  	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
   778  		return err
   779  	}
   780  
   781  	finished := new(finishedMsg)
   782  	finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
   783  	hs.finishedHash.Write(finished.marshal())
   784  	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
   785  		return err
   786  	}
   787  	copy(out, finished.verifyData)
   788  	return nil
   789  }
   790  
   791  // verifyServerCertificate parses and verifies the provided chain, setting
   792  // c.verifiedChains and c.peerCertificates or sending the appropriate alert.
   793  func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
   794  	certs := make([]*x509.Certificate, len(certificates))
   795  	for i, asn1Data := range certificates {
   796  		cert, err := x509.ParseCertificate(asn1Data)
   797  		if err != nil {
   798  			c.sendAlert(alertBadCertificate)
   799  			return errors.New("tls: failed to parse certificate from server: " + err.Error())
   800  		}
   801  		certs[i] = cert
   802  	}
   803  
   804  	if !c.config.InsecureSkipVerify {
   805  		opts := x509.VerifyOptions{
   806  			Roots:         c.config.RootCAs,
   807  			CurrentTime:   c.config.time(),
   808  			DNSName:       c.config.ServerName,
   809  			Intermediates: x509.NewCertPool(),
   810  		}
   811  		for _, cert := range certs[1:] {
   812  			opts.Intermediates.AddCert(cert)
   813  		}
   814  		var err error
   815  		c.verifiedChains, err = certs[0].Verify(opts)
   816  		if err != nil {
   817  			c.sendAlert(alertBadCertificate)
   818  			return err
   819  		}
   820  	}
   821  
   822  	if c.config.VerifyPeerCertificate != nil {
   823  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
   824  			c.sendAlert(alertBadCertificate)
   825  			return err
   826  		}
   827  	}
   828  
   829  	switch certs[0].PublicKey.(type) {
   830  	case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:
   831  		break
   832  	default:
   833  		c.sendAlert(alertUnsupportedCertificate)
   834  		return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
   835  	}
   836  
   837  	c.peerCertificates = certs
   838  
   839  	return nil
   840  }
   841  
   842  // tls11SignatureSchemes contains the signature schemes that we synthesise for
   843  // a TLS <= 1.1 connection, based on the supported certificate types.
   844  var (
   845  	tls11SignatureSchemes      = []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1}
   846  	tls11SignatureSchemesECDSA = tls11SignatureSchemes[:3]
   847  	tls11SignatureSchemesRSA   = tls11SignatureSchemes[3:]
   848  )
   849  
   850  // certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS
   851  // <= 1.2 CertificateRequest, making an effort to fill in missing information.
   852  func certificateRequestInfoFromMsg(vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo {
   853  	cri := &CertificateRequestInfo{
   854  		AcceptableCAs: certReq.certificateAuthorities,
   855  		Version:       vers,
   856  	}
   857  
   858  	var rsaAvail, ecAvail bool
   859  	for _, certType := range certReq.certificateTypes {
   860  		switch certType {
   861  		case certTypeRSASign:
   862  			rsaAvail = true
   863  		case certTypeECDSASign:
   864  			ecAvail = true
   865  		}
   866  	}
   867  
   868  	if !certReq.hasSignatureAlgorithm {
   869  		// Prior to TLS 1.2, the signature schemes were not
   870  		// included in the certificate request message. In this
   871  		// case we use a plausible list based on the acceptable
   872  		// certificate types.
   873  		switch {
   874  		case rsaAvail && ecAvail:
   875  			cri.SignatureSchemes = tls11SignatureSchemes
   876  		case rsaAvail:
   877  			cri.SignatureSchemes = tls11SignatureSchemesRSA
   878  		case ecAvail:
   879  			cri.SignatureSchemes = tls11SignatureSchemesECDSA
   880  		}
   881  		return cri
   882  	}
   883  
   884  	// Filter the signature schemes based on the certificate types.
   885  	// See RFC 5246, Section 7.4.4 (where it calls this "somewhat complicated").
   886  	cri.SignatureSchemes = make([]SignatureScheme, 0, len(certReq.supportedSignatureAlgorithms))
   887  	for _, sigScheme := range certReq.supportedSignatureAlgorithms {
   888  		sigType, _, err := typeAndHashFromSignatureScheme(sigScheme)
   889  		if err != nil {
   890  			continue
   891  		}
   892  		switch sigType {
   893  		case signatureECDSA, signatureEd25519:
   894  			if ecAvail {
   895  				cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme)
   896  			}
   897  		case signatureRSAPSS, signaturePKCS1v15:
   898  			if rsaAvail {
   899  				cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme)
   900  			}
   901  		}
   902  	}
   903  
   904  	return cri
   905  }
   906  
   907  func (c *Conn) getClientCertificate(cri *CertificateRequestInfo) (*Certificate, error) {
   908  	if c.config.GetClientCertificate != nil {
   909  		return c.config.GetClientCertificate(cri)
   910  	}
   911  
   912  	for _, chain := range c.config.Certificates {
   913  		if err := cri.SupportsCertificate(&chain); err != nil {
   914  			continue
   915  		}
   916  		return &chain, nil
   917  	}
   918  
   919  	// No acceptable certificate found. Don't send a certificate.
   920  	return new(Certificate), nil
   921  }
   922  
   923  // clientSessionCacheKey returns a key used to cache sessionTickets that could
   924  // be used to resume previously negotiated TLS sessions with a server.
   925  func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
   926  	if len(config.ServerName) > 0 {
   927  		return config.ServerName
   928  	}
   929  	return serverAddr.String()
   930  }
   931  
   932  // mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol
   933  // given list of possible protocols and a list of the preference order. The
   934  // first list must not be empty. It returns the resulting protocol and flag
   935  // indicating if the fallback case was reached.
   936  func mutualProtocol(protos, preferenceProtos []string) (string, bool) {
   937  	for _, s := range preferenceProtos {
   938  		for _, c := range protos {
   939  			if s == c {
   940  				return s, false
   941  			}
   942  		}
   943  	}
   944  
   945  	return protos[0], true
   946  }
   947  
   948  // hostnameInSNI converts name into an appropriate hostname for SNI.
   949  // Literal IP addresses and absolute FQDNs are not permitted as SNI values.
   950  // See RFC 6066, Section 3.
   951  func hostnameInSNI(name string) string {
   952  	host := name
   953  	if len(host) > 0 && host[0] == '[' && host[len(host)-1] == ']' {
   954  		host = host[1 : len(host)-1]
   955  	}
   956  	if i := strings.LastIndex(host, "%"); i > 0 {
   957  		host = host[:i]
   958  	}
   959  	if net.ParseIP(host) != nil {
   960  		return ""
   961  	}
   962  	for len(name) > 0 && name[len(name)-1] == '.' {
   963  		name = name[:len(name)-1]
   964  	}
   965  	return name
   966  }
   967
View as plain text