Source file
src/crypto/tls/handshake_client_tls13.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "crypto"
10 "crypto/hmac"
11 "crypto/rsa"
12 "errors"
13 "hash"
14 "sync/atomic"
15 "time"
16 )
17
18 type clientHandshakeStateTLS13 struct {
19 c *Conn
20 serverHello *serverHelloMsg
21 hello *clientHelloMsg
22 ecdheParams ecdheParameters
23
24 session *ClientSessionState
25 earlySecret []byte
26 binderKey []byte
27
28 certReq *certificateRequestMsgTLS13
29 usingPSK bool
30 sentDummyCCS bool
31 suite *cipherSuiteTLS13
32 transcript hash.Hash
33 masterSecret []byte
34 trafficSecret []byte
35 }
36
37
38
39 func (hs *clientHandshakeStateTLS13) handshake() error {
40 c := hs.c
41
42
43
44 if c.handshakes > 0 {
45 c.sendAlert(alertProtocolVersion)
46 return errors.New("tls: server selected TLS 1.3 in a renegotiation")
47 }
48
49
50 if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
51 return c.sendAlert(alertInternalError)
52 }
53
54 if err := hs.checkServerHelloOrHRR(); err != nil {
55 return err
56 }
57
58 hs.transcript = hs.suite.hash.New()
59 hs.transcript.Write(hs.hello.marshal())
60
61 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
62 if err := hs.sendDummyChangeCipherSpec(); err != nil {
63 return err
64 }
65 if err := hs.processHelloRetryRequest(); err != nil {
66 return err
67 }
68 }
69
70 hs.transcript.Write(hs.serverHello.marshal())
71
72 c.buffering = true
73 if err := hs.processServerHello(); err != nil {
74 return err
75 }
76 if err := hs.sendDummyChangeCipherSpec(); err != nil {
77 return err
78 }
79 if err := hs.establishHandshakeKeys(); err != nil {
80 return err
81 }
82 if err := hs.readServerParameters(); err != nil {
83 return err
84 }
85 if err := hs.readServerCertificate(); err != nil {
86 return err
87 }
88 if err := hs.readServerFinished(); err != nil {
89 return err
90 }
91 if err := hs.sendClientCertificate(); err != nil {
92 return err
93 }
94 if err := hs.sendClientFinished(); err != nil {
95 return err
96 }
97 if _, err := c.flush(); err != nil {
98 return err
99 }
100
101 atomic.StoreUint32(&c.handshakeStatus, 1)
102
103 return nil
104 }
105
106
107
108 func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
109 c := hs.c
110
111 if hs.serverHello.supportedVersion == 0 {
112 c.sendAlert(alertMissingExtension)
113 return errors.New("tls: server selected TLS 1.3 using the legacy version field")
114 }
115
116 if hs.serverHello.supportedVersion != VersionTLS13 {
117 c.sendAlert(alertIllegalParameter)
118 return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
119 }
120
121 if hs.serverHello.vers != VersionTLS12 {
122 c.sendAlert(alertIllegalParameter)
123 return errors.New("tls: server sent an incorrect legacy version")
124 }
125
126 if hs.serverHello.ocspStapling ||
127 hs.serverHello.ticketSupported ||
128 hs.serverHello.secureRenegotiationSupported ||
129 len(hs.serverHello.secureRenegotiation) != 0 ||
130 len(hs.serverHello.alpnProtocol) != 0 ||
131 len(hs.serverHello.scts) != 0 {
132 c.sendAlert(alertUnsupportedExtension)
133 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
134 }
135
136 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
137 c.sendAlert(alertIllegalParameter)
138 return errors.New("tls: server did not echo the legacy session ID")
139 }
140
141 if hs.serverHello.compressionMethod != compressionNone {
142 c.sendAlert(alertIllegalParameter)
143 return errors.New("tls: server selected unsupported compression format")
144 }
145
146 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
147 if hs.suite != nil && selectedSuite != hs.suite {
148 c.sendAlert(alertIllegalParameter)
149 return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
150 }
151 if selectedSuite == nil {
152 c.sendAlert(alertIllegalParameter)
153 return errors.New("tls: server chose an unconfigured cipher suite")
154 }
155 hs.suite = selectedSuite
156 c.cipherSuite = hs.suite.id
157
158 return nil
159 }
160
161
162
163 func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
164 if hs.sentDummyCCS {
165 return nil
166 }
167 hs.sentDummyCCS = true
168
169 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
170 return err
171 }
172
173
174
175 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
176 c := hs.c
177
178
179
180
181 chHash := hs.transcript.Sum(nil)
182 hs.transcript.Reset()
183 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
184 hs.transcript.Write(chHash)
185 hs.transcript.Write(hs.serverHello.marshal())
186
187
188
189
190 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil {
191 c.sendAlert(alertIllegalParameter)
192 return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
193 }
194
195 if hs.serverHello.cookie != nil {
196 hs.hello.cookie = hs.serverHello.cookie
197 }
198
199 if hs.serverHello.serverShare.group != 0 {
200 c.sendAlert(alertDecodeError)
201 return errors.New("tls: received malformed key_share extension")
202 }
203
204
205
206
207 if curveID := hs.serverHello.selectedGroup; curveID != 0 {
208 curveOK := false
209 for _, id := range hs.hello.supportedCurves {
210 if id == curveID {
211 curveOK = true
212 break
213 }
214 }
215 if !curveOK {
216 c.sendAlert(alertIllegalParameter)
217 return errors.New("tls: server selected unsupported group")
218 }
219 if hs.ecdheParams.CurveID() == curveID {
220 c.sendAlert(alertIllegalParameter)
221 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
222 }
223 if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
224 c.sendAlert(alertInternalError)
225 return errors.New("tls: CurvePreferences includes unsupported curve")
226 }
227 params, err := generateECDHEParameters(c.config.rand(), curveID)
228 if err != nil {
229 c.sendAlert(alertInternalError)
230 return err
231 }
232 hs.ecdheParams = params
233 hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
234 }
235
236 hs.hello.raw = nil
237 if len(hs.hello.pskIdentities) > 0 {
238 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
239 if pskSuite == nil {
240 return c.sendAlert(alertInternalError)
241 }
242 if pskSuite.hash == hs.suite.hash {
243
244 ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond)
245 hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd
246
247 transcript := hs.suite.hash.New()
248 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
249 transcript.Write(chHash)
250 transcript.Write(hs.serverHello.marshal())
251 transcript.Write(hs.hello.marshalWithoutBinders())
252 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
253 hs.hello.updateBinders(pskBinders)
254 } else {
255
256 hs.hello.pskIdentities = nil
257 hs.hello.pskBinders = nil
258 }
259 }
260
261 hs.transcript.Write(hs.hello.marshal())
262 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
263 return err
264 }
265
266 msg, err := c.readHandshake()
267 if err != nil {
268 return err
269 }
270
271 serverHello, ok := msg.(*serverHelloMsg)
272 if !ok {
273 c.sendAlert(alertUnexpectedMessage)
274 return unexpectedMessageError(serverHello, msg)
275 }
276 hs.serverHello = serverHello
277
278 if err := hs.checkServerHelloOrHRR(); err != nil {
279 return err
280 }
281
282 return nil
283 }
284
285 func (hs *clientHandshakeStateTLS13) processServerHello() error {
286 c := hs.c
287
288 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
289 c.sendAlert(alertUnexpectedMessage)
290 return errors.New("tls: server sent two HelloRetryRequest messages")
291 }
292
293 if len(hs.serverHello.cookie) != 0 {
294 c.sendAlert(alertUnsupportedExtension)
295 return errors.New("tls: server sent a cookie in a normal ServerHello")
296 }
297
298 if hs.serverHello.selectedGroup != 0 {
299 c.sendAlert(alertDecodeError)
300 return errors.New("tls: malformed key_share extension")
301 }
302
303 if hs.serverHello.serverShare.group == 0 {
304 c.sendAlert(alertIllegalParameter)
305 return errors.New("tls: server did not send a key share")
306 }
307 if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() {
308 c.sendAlert(alertIllegalParameter)
309 return errors.New("tls: server selected unsupported group")
310 }
311
312 if !hs.serverHello.selectedIdentityPresent {
313 return nil
314 }
315
316 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
317 c.sendAlert(alertIllegalParameter)
318 return errors.New("tls: server selected an invalid PSK")
319 }
320
321 if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
322 return c.sendAlert(alertInternalError)
323 }
324 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
325 if pskSuite == nil {
326 return c.sendAlert(alertInternalError)
327 }
328 if pskSuite.hash != hs.suite.hash {
329 c.sendAlert(alertIllegalParameter)
330 return errors.New("tls: server selected an invalid PSK and cipher suite pair")
331 }
332
333 hs.usingPSK = true
334 c.didResume = true
335 c.peerCertificates = hs.session.serverCertificates
336 c.verifiedChains = hs.session.verifiedChains
337 c.ocspResponse = hs.session.ocspResponse
338 c.scts = hs.session.scts
339 return nil
340 }
341
342 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
343 c := hs.c
344
345 sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data)
346 if sharedKey == nil {
347 c.sendAlert(alertIllegalParameter)
348 return errors.New("tls: invalid server key share")
349 }
350
351 earlySecret := hs.earlySecret
352 if !hs.usingPSK {
353 earlySecret = hs.suite.extract(nil, nil)
354 }
355 handshakeSecret := hs.suite.extract(sharedKey,
356 hs.suite.deriveSecret(earlySecret, "derived", nil))
357
358 clientSecret := hs.suite.deriveSecret(handshakeSecret,
359 clientHandshakeTrafficLabel, hs.transcript)
360 c.out.setTrafficSecret(hs.suite, clientSecret)
361 serverSecret := hs.suite.deriveSecret(handshakeSecret,
362 serverHandshakeTrafficLabel, hs.transcript)
363 c.in.setTrafficSecret(hs.suite, serverSecret)
364
365 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
366 if err != nil {
367 c.sendAlert(alertInternalError)
368 return err
369 }
370 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
371 if err != nil {
372 c.sendAlert(alertInternalError)
373 return err
374 }
375
376 hs.masterSecret = hs.suite.extract(nil,
377 hs.suite.deriveSecret(handshakeSecret, "derived", nil))
378
379 return nil
380 }
381
382 func (hs *clientHandshakeStateTLS13) readServerParameters() error {
383 c := hs.c
384
385 msg, err := c.readHandshake()
386 if err != nil {
387 return err
388 }
389
390 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
391 if !ok {
392 c.sendAlert(alertUnexpectedMessage)
393 return unexpectedMessageError(encryptedExtensions, msg)
394 }
395 hs.transcript.Write(encryptedExtensions.marshal())
396
397 if encryptedExtensions.alpnProtocol != "" {
398 if len(hs.hello.alpnProtocols) == 0 {
399 c.sendAlert(alertUnsupportedExtension)
400 return errors.New("tls: server advertised unrequested ALPN extension")
401 }
402 if mutualProtocol([]string{encryptedExtensions.alpnProtocol}, hs.hello.alpnProtocols) == "" {
403 c.sendAlert(alertUnsupportedExtension)
404 return errors.New("tls: server selected unadvertised ALPN protocol")
405 }
406 c.clientProtocol = encryptedExtensions.alpnProtocol
407 }
408
409 return nil
410 }
411
412 func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
413 c := hs.c
414
415
416
417 if hs.usingPSK {
418
419
420
421 if c.config.VerifyConnection != nil {
422 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
423 c.sendAlert(alertBadCertificate)
424 return err
425 }
426 }
427 return nil
428 }
429
430 msg, err := c.readHandshake()
431 if err != nil {
432 return err
433 }
434
435 certReq, ok := msg.(*certificateRequestMsgTLS13)
436 if ok {
437 hs.transcript.Write(certReq.marshal())
438
439 hs.certReq = certReq
440
441 msg, err = c.readHandshake()
442 if err != nil {
443 return err
444 }
445 }
446
447 certMsg, ok := msg.(*certificateMsgTLS13)
448 if !ok {
449 c.sendAlert(alertUnexpectedMessage)
450 return unexpectedMessageError(certMsg, msg)
451 }
452 if len(certMsg.certificate.Certificate) == 0 {
453 c.sendAlert(alertDecodeError)
454 return errors.New("tls: received empty certificates message")
455 }
456 hs.transcript.Write(certMsg.marshal())
457
458 c.scts = certMsg.certificate.SignedCertificateTimestamps
459 c.ocspResponse = certMsg.certificate.OCSPStaple
460
461 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
462 return err
463 }
464
465 msg, err = c.readHandshake()
466 if err != nil {
467 return err
468 }
469
470 certVerify, ok := msg.(*certificateVerifyMsg)
471 if !ok {
472 c.sendAlert(alertUnexpectedMessage)
473 return unexpectedMessageError(certVerify, msg)
474 }
475
476
477 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) {
478 c.sendAlert(alertIllegalParameter)
479 return errors.New("tls: certificate used with invalid signature algorithm")
480 }
481 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
482 if err != nil {
483 return c.sendAlert(alertInternalError)
484 }
485 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
486 c.sendAlert(alertIllegalParameter)
487 return errors.New("tls: certificate used with invalid signature algorithm")
488 }
489 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
490 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
491 sigHash, signed, certVerify.signature); err != nil {
492 c.sendAlert(alertDecryptError)
493 return errors.New("tls: invalid signature by the server certificate: " + err.Error())
494 }
495
496 hs.transcript.Write(certVerify.marshal())
497
498 return nil
499 }
500
501 func (hs *clientHandshakeStateTLS13) readServerFinished() error {
502 c := hs.c
503
504 msg, err := c.readHandshake()
505 if err != nil {
506 return err
507 }
508
509 finished, ok := msg.(*finishedMsg)
510 if !ok {
511 c.sendAlert(alertUnexpectedMessage)
512 return unexpectedMessageError(finished, msg)
513 }
514
515 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
516 if !hmac.Equal(expectedMAC, finished.verifyData) {
517 c.sendAlert(alertDecryptError)
518 return errors.New("tls: invalid server finished hash")
519 }
520
521 hs.transcript.Write(finished.marshal())
522
523
524
525 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
526 clientApplicationTrafficLabel, hs.transcript)
527 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
528 serverApplicationTrafficLabel, hs.transcript)
529 c.in.setTrafficSecret(hs.suite, serverSecret)
530
531 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
532 if err != nil {
533 c.sendAlert(alertInternalError)
534 return err
535 }
536 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
537 if err != nil {
538 c.sendAlert(alertInternalError)
539 return err
540 }
541
542 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
543
544 return nil
545 }
546
547 func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
548 c := hs.c
549
550 if hs.certReq == nil {
551 return nil
552 }
553
554 cert, err := c.getClientCertificate(&CertificateRequestInfo{
555 AcceptableCAs: hs.certReq.certificateAuthorities,
556 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
557 Version: c.vers,
558 })
559 if err != nil {
560 return err
561 }
562
563 certMsg := new(certificateMsgTLS13)
564
565 certMsg.certificate = *cert
566 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
567 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
568
569 hs.transcript.Write(certMsg.marshal())
570 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
571 return err
572 }
573
574
575 if len(cert.Certificate) == 0 {
576 return nil
577 }
578
579 certVerifyMsg := new(certificateVerifyMsg)
580 certVerifyMsg.hasSignatureAlgorithm = true
581
582 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
583 if err != nil {
584
585
586 c.sendAlert(alertHandshakeFailure)
587 return err
588 }
589
590 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
591 if err != nil {
592 return c.sendAlert(alertInternalError)
593 }
594
595 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
596 signOpts := crypto.SignerOpts(sigHash)
597 if sigType == signatureRSAPSS {
598 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
599 }
600 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
601 if err != nil {
602 c.sendAlert(alertInternalError)
603 return errors.New("tls: failed to sign handshake: " + err.Error())
604 }
605 certVerifyMsg.signature = sig
606
607 hs.transcript.Write(certVerifyMsg.marshal())
608 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
609 return err
610 }
611
612 return nil
613 }
614
615 func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
616 c := hs.c
617
618 finished := &finishedMsg{
619 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
620 }
621
622 hs.transcript.Write(finished.marshal())
623 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
624 return err
625 }
626
627 c.out.setTrafficSecret(hs.suite, hs.trafficSecret)
628
629 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
630 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
631 resumptionLabel, hs.transcript)
632 }
633
634 return nil
635 }
636
637 func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
638 if !c.isClient {
639 c.sendAlert(alertUnexpectedMessage)
640 return errors.New("tls: received new session ticket from a client")
641 }
642
643 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
644 return nil
645 }
646
647
648 if msg.lifetime == 0 {
649 return nil
650 }
651 lifetime := time.Duration(msg.lifetime) * time.Second
652 if lifetime > maxSessionTicketLifetime {
653 c.sendAlert(alertIllegalParameter)
654 return errors.New("tls: received a session ticket with invalid lifetime")
655 }
656
657 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
658 if cipherSuite == nil || c.resumptionSecret == nil {
659 return c.sendAlert(alertInternalError)
660 }
661
662
663
664
665
666 session := &ClientSessionState{
667 sessionTicket: msg.label,
668 vers: c.vers,
669 cipherSuite: c.cipherSuite,
670 masterSecret: c.resumptionSecret,
671 serverCertificates: c.peerCertificates,
672 verifiedChains: c.verifiedChains,
673 receivedAt: c.config.time(),
674 nonce: msg.nonce,
675 useBy: c.config.time().Add(lifetime),
676 ageAdd: msg.ageAdd,
677 ocspResponse: c.ocspResponse,
678 scts: c.scts,
679 }
680
681 cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
682 c.config.ClientSessionCache.Put(cacheKey, session)
683
684 return nil
685 }
686
View as plain text