1 // Copyright 2018 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "crypto" 10 "crypto/hmac" 11 "crypto/rsa" 12 "errors" 13 "hash" 14 "io" 15 "sync/atomic" 16 "time" 17 ) 18 19 // maxClientPSKIdentities is the number of client PSK identities the server will 20 // attempt to validate. It will ignore the rest not to let cheap ClientHello 21 // messages cause too much work in session ticket decryption attempts. 22 const maxClientPSKIdentities = 5 23 24 type serverHandshakeStateTLS13 struct { 25 c *Conn 26 clientHello *clientHelloMsg 27 hello *serverHelloMsg 28 sentDummyCCS bool 29 usingPSK bool 30 suite *cipherSuiteTLS13 31 cert *Certificate 32 sigAlg SignatureScheme 33 earlySecret []byte 34 sharedKey []byte 35 handshakeSecret []byte 36 masterSecret []byte 37 trafficSecret []byte // client_application_traffic_secret_0 38 transcript hash.Hash 39 clientFinished []byte 40 } 41 42 func (hs *serverHandshakeStateTLS13) handshake() error { 43 c := hs.c 44 45 // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. 46 if err := hs.processClientHello(); err != nil { 47 return err 48 } 49 if err := hs.checkForResumption(); err != nil { 50 return err 51 } 52 if err := hs.pickCertificate(); err != nil { 53 return err 54 } 55 c.buffering = true 56 if err := hs.sendServerParameters(); err != nil { 57 return err 58 } 59 if err := hs.sendServerCertificate(); err != nil { 60 return err 61 } 62 if err := hs.sendServerFinished(); err != nil { 63 return err 64 } 65 // Note that at this point we could start sending application data without 66 // waiting for the client's second flight, but the application might not 67 // expect the lack of replay protection of the ClientHello parameters. 68 if _, err := c.flush(); err != nil { 69 return err 70 } 71 if err := hs.readClientCertificate(); err != nil { 72 return err 73 } 74 if err := hs.readClientFinished(); err != nil { 75 return err 76 } 77 78 atomic.StoreUint32(&c.handshakeStatus, 1) 79 80 return nil 81 } 82 83 func (hs *serverHandshakeStateTLS13) processClientHello() error { 84 c := hs.c 85 86 hs.hello = new(serverHelloMsg) 87 88 // TLS 1.3 froze the ServerHello.legacy_version field, and uses 89 // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1. 90 hs.hello.vers = VersionTLS12 91 hs.hello.supportedVersion = c.vers 92 93 if len(hs.clientHello.supportedVersions) == 0 { 94 c.sendAlert(alertIllegalParameter) 95 return errors.New("tls: client used the legacy version field to negotiate TLS 1.3") 96 } 97 98 // Abort if the client is doing a fallback and landing lower than what we 99 // support. See RFC 7507, which however does not specify the interaction 100 // with supported_versions. The only difference is that with 101 // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4] 102 // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case, 103 // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to 104 // TLS 1.2, because a TLS 1.3 server would abort here. The situation before 105 // supported_versions was not better because there was just no way to do a 106 // TLS 1.4 handshake without risking the server selecting TLS 1.3. 107 for _, id := range hs.clientHello.cipherSuites { 108 if id == TLS_FALLBACK_SCSV { 109 // Use c.vers instead of max(supported_versions) because an attacker 110 // could defeat this by adding an arbitrary high version otherwise. 111 if c.vers < c.config.maxSupportedVersion(false) { 112 c.sendAlert(alertInappropriateFallback) 113 return errors.New("tls: client using inappropriate protocol fallback") 114 } 115 break 116 } 117 } 118 119 if len(hs.clientHello.compressionMethods) != 1 || 120 hs.clientHello.compressionMethods[0] != compressionNone { 121 c.sendAlert(alertIllegalParameter) 122 return errors.New("tls: TLS 1.3 client supports illegal compression methods") 123 } 124 125 hs.hello.random = make([]byte, 32) 126 if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil { 127 c.sendAlert(alertInternalError) 128 return err 129 } 130 131 if len(hs.clientHello.secureRenegotiation) != 0 { 132 c.sendAlert(alertHandshakeFailure) 133 return errors.New("tls: initial handshake had non-empty renegotiation extension") 134 } 135 136 if hs.clientHello.earlyData { 137 // See RFC 8446, Section 4.2.10 for the complicated behavior required 138 // here. The scenario is that a different server at our address offered 139 // to accept early data in the past, which we can't handle. For now, all 140 // 0-RTT enabled session tickets need to expire before a Go server can 141 // replace a server or join a pool. That's the same requirement that 142 // applies to mixing or replacing with any TLS 1.2 server. 143 c.sendAlert(alertUnsupportedExtension) 144 return errors.New("tls: client sent unexpected early data") 145 } 146 147 hs.hello.sessionId = hs.clientHello.sessionId 148 hs.hello.compressionMethod = compressionNone 149 150 var preferenceList, supportedList []uint16 151 if c.config.PreferServerCipherSuites { 152 preferenceList = defaultCipherSuitesTLS13() 153 supportedList = hs.clientHello.cipherSuites 154 } else { 155 preferenceList = hs.clientHello.cipherSuites 156 supportedList = defaultCipherSuitesTLS13() 157 } 158 for _, suiteID := range preferenceList { 159 hs.suite = mutualCipherSuiteTLS13(supportedList, suiteID) 160 if hs.suite != nil { 161 break 162 } 163 } 164 if hs.suite == nil { 165 c.sendAlert(alertHandshakeFailure) 166 return errors.New("tls: no cipher suite supported by both client and server") 167 } 168 c.cipherSuite = hs.suite.id 169 hs.hello.cipherSuite = hs.suite.id 170 hs.transcript = hs.suite.hash.New() 171 172 // Pick the ECDHE group in server preference order, but give priority to 173 // groups with a key share, to avoid a HelloRetryRequest round-trip. 174 var selectedGroup CurveID 175 var clientKeyShare *keyShare 176 GroupSelection: 177 for _, preferredGroup := range c.config.curvePreferences() { 178 for _, ks := range hs.clientHello.keyShares { 179 if ks.group == preferredGroup { 180 selectedGroup = ks.group 181 clientKeyShare = &ks 182 break GroupSelection 183 } 184 } 185 if selectedGroup != 0 { 186 continue 187 } 188 for _, group := range hs.clientHello.supportedCurves { 189 if group == preferredGroup { 190 selectedGroup = group 191 break 192 } 193 } 194 } 195 if selectedGroup == 0 { 196 c.sendAlert(alertHandshakeFailure) 197 return errors.New("tls: no ECDHE curve supported by both client and server") 198 } 199 if clientKeyShare == nil { 200 if err := hs.doHelloRetryRequest(selectedGroup); err != nil { 201 return err 202 } 203 clientKeyShare = &hs.clientHello.keyShares[0] 204 } 205 206 if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && !ok { 207 c.sendAlert(alertInternalError) 208 return errors.New("tls: CurvePreferences includes unsupported curve") 209 } 210 params, err := generateECDHEParameters(c.config.rand(), selectedGroup) 211 if err != nil { 212 c.sendAlert(alertInternalError) 213 return err 214 } 215 hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()} 216 hs.sharedKey = params.SharedKey(clientKeyShare.data) 217 if hs.sharedKey == nil { 218 c.sendAlert(alertIllegalParameter) 219 return errors.New("tls: invalid client key share") 220 } 221 222 c.serverName = hs.clientHello.serverName 223 return nil 224 } 225 226 func (hs *serverHandshakeStateTLS13) checkForResumption() error { 227 c := hs.c 228 229 if c.config.SessionTicketsDisabled { 230 return nil 231 } 232 233 modeOK := false 234 for _, mode := range hs.clientHello.pskModes { 235 if mode == pskModeDHE { 236 modeOK = true 237 break 238 } 239 } 240 if !modeOK { 241 return nil 242 } 243 244 if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) { 245 c.sendAlert(alertIllegalParameter) 246 return errors.New("tls: invalid or missing PSK binders") 247 } 248 if len(hs.clientHello.pskIdentities) == 0 { 249 return nil 250 } 251 252 for i, identity := range hs.clientHello.pskIdentities { 253 if i >= maxClientPSKIdentities { 254 break 255 } 256 257 plaintext, _ := c.decryptTicket(identity.label) 258 if plaintext == nil { 259 continue 260 } 261 sessionState := new(sessionStateTLS13) 262 if ok := sessionState.unmarshal(plaintext); !ok { 263 continue 264 } 265 266 createdAt := time.Unix(int64(sessionState.createdAt), 0) 267 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime { 268 continue 269 } 270 271 // We don't check the obfuscated ticket age because it's affected by 272 // clock skew and it's only a freshness signal useful for shrinking the 273 // window for replay attacks, which don't affect us as we don't do 0-RTT. 274 275 pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite) 276 if pskSuite == nil || pskSuite.hash != hs.suite.hash { 277 continue 278 } 279 280 // PSK connections don't re-establish client certificates, but carry 281 // them over in the session ticket. Ensure the presence of client certs 282 // in the ticket is consistent with the configured requirements. 283 sessionHasClientCerts := len(sessionState.certificate.Certificate) != 0 284 needClientCerts := requiresClientCert(c.config.ClientAuth) 285 if needClientCerts && !sessionHasClientCerts { 286 continue 287 } 288 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 289 continue 290 } 291 292 psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption", 293 nil, hs.suite.hash.Size()) 294 hs.earlySecret = hs.suite.extract(psk, nil) 295 binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil) 296 // Clone the transcript in case a HelloRetryRequest was recorded. 297 transcript := cloneHash(hs.transcript, hs.suite.hash) 298 if transcript == nil { 299 c.sendAlert(alertInternalError) 300 return errors.New("tls: internal error: failed to clone hash") 301 } 302 transcript.Write(hs.clientHello.marshalWithoutBinders()) 303 pskBinder := hs.suite.finishedHash(binderKey, transcript) 304 if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) { 305 c.sendAlert(alertDecryptError) 306 return errors.New("tls: invalid PSK binder") 307 } 308 309 if err := c.processCertsFromClient(sessionState.certificate); err != nil { 310 return err 311 } 312 313 hs.hello.selectedIdentityPresent = true 314 hs.hello.selectedIdentity = uint16(i) 315 hs.usingPSK = true 316 c.didResume = true 317 return nil 318 } 319 320 return nil 321 } 322 323 // cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler 324 // interfaces implemented by standard library hashes to clone the state of in 325 // to a new instance of h. It returns nil if the operation fails. 326 func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash { 327 // Recreate the interface to avoid importing encoding. 328 type binaryMarshaler interface { 329 MarshalBinary() (data []byte, err error) 330 UnmarshalBinary(data []byte) error 331 } 332 marshaler, ok := in.(binaryMarshaler) 333 if !ok { 334 return nil 335 } 336 state, err := marshaler.MarshalBinary() 337 if err != nil { 338 return nil 339 } 340 out := h.New() 341 unmarshaler, ok := out.(binaryMarshaler) 342 if !ok { 343 return nil 344 } 345 if err := unmarshaler.UnmarshalBinary(state); err != nil { 346 return nil 347 } 348 return out 349 } 350 351 func (hs *serverHandshakeStateTLS13) pickCertificate() error { 352 c := hs.c 353 354 // Only one of PSK and certificates are used at a time. 355 if hs.usingPSK { 356 return nil 357 } 358 359 // This implements a very simplistic certificate selection strategy for now: 360 // getCertificate delegates to the application Config.GetCertificate, or 361 // selects based on the server_name only. If the selected certificate's 362 // public key does not match the client signature_algorithms, the handshake 363 // is aborted. No attention is given to signature_algorithms_cert, and it is 364 // not passed to the application Config.GetCertificate. This will need to 365 // improve according to RFC 8446, sections 4.4.2.2 and 4.2.3. 366 certificate, err := c.config.getCertificate(clientHelloInfo(c, hs.clientHello)) 367 if err != nil { 368 c.sendAlert(alertInternalError) 369 return err 370 } 371 supportedAlgs := signatureSchemesForCertificate(c.vers, certificate) 372 if supportedAlgs == nil { 373 c.sendAlert(alertInternalError) 374 return unsupportedCertificateError(certificate) 375 } 376 // Pick signature scheme in client preference order, as the server 377 // preference order is not configurable. 378 for _, preferredAlg := range hs.clientHello.supportedSignatureAlgorithms { 379 if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) { 380 hs.sigAlg = preferredAlg 381 break 382 } 383 } 384 if hs.sigAlg == 0 { 385 // getCertificate returned a certificate incompatible with the 386 // ClientHello supported signature algorithms. 387 c.sendAlert(alertHandshakeFailure) 388 return errors.New("tls: client doesn't support selected certificate") 389 } 390 hs.cert = certificate 391 392 return nil 393 } 394 395 // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility 396 // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4. 397 func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error { 398 if hs.sentDummyCCS { 399 return nil 400 } 401 hs.sentDummyCCS = true 402 403 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 404 return err 405 } 406 407 func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error { 408 c := hs.c 409 410 // The first ClientHello gets double-hashed into the transcript upon a 411 // HelloRetryRequest. See RFC 8446, Section 4.4.1. 412 hs.transcript.Write(hs.clientHello.marshal()) 413 chHash := hs.transcript.Sum(nil) 414 hs.transcript.Reset() 415 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 416 hs.transcript.Write(chHash) 417 418 helloRetryRequest := &serverHelloMsg{ 419 vers: hs.hello.vers, 420 random: helloRetryRequestRandom, 421 sessionId: hs.hello.sessionId, 422 cipherSuite: hs.hello.cipherSuite, 423 compressionMethod: hs.hello.compressionMethod, 424 supportedVersion: hs.hello.supportedVersion, 425 selectedGroup: selectedGroup, 426 } 427 428 hs.transcript.Write(helloRetryRequest.marshal()) 429 if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil { 430 return err 431 } 432 433 if err := hs.sendDummyChangeCipherSpec(); err != nil { 434 return err 435 } 436 437 msg, err := c.readHandshake() 438 if err != nil { 439 return err 440 } 441 442 clientHello, ok := msg.(*clientHelloMsg) 443 if !ok { 444 c.sendAlert(alertUnexpectedMessage) 445 return unexpectedMessageError(clientHello, msg) 446 } 447 448 if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup { 449 c.sendAlert(alertIllegalParameter) 450 return errors.New("tls: client sent invalid key share in second ClientHello") 451 } 452 453 if clientHello.earlyData { 454 c.sendAlert(alertIllegalParameter) 455 return errors.New("tls: client indicated early data in second ClientHello") 456 } 457 458 if illegalClientHelloChange(clientHello, hs.clientHello) { 459 c.sendAlert(alertIllegalParameter) 460 return errors.New("tls: client illegally modified second ClientHello") 461 } 462 463 hs.clientHello = clientHello 464 return nil 465 } 466 467 // illegalClientHelloChange reports whether the two ClientHello messages are 468 // different, with the exception of the changes allowed before and after a 469 // HelloRetryRequest. See RFC 8446, Section 4.1.2. 470 func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool { 471 if len(ch.supportedVersions) != len(ch1.supportedVersions) || 472 len(ch.cipherSuites) != len(ch1.cipherSuites) || 473 len(ch.supportedCurves) != len(ch1.supportedCurves) || 474 len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) || 475 len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) || 476 len(ch.alpnProtocols) != len(ch1.alpnProtocols) { 477 return true 478 } 479 for i := range ch.supportedVersions { 480 if ch.supportedVersions[i] != ch1.supportedVersions[i] { 481 return true 482 } 483 } 484 for i := range ch.cipherSuites { 485 if ch.cipherSuites[i] != ch1.cipherSuites[i] { 486 return true 487 } 488 } 489 for i := range ch.supportedCurves { 490 if ch.supportedCurves[i] != ch1.supportedCurves[i] { 491 return true 492 } 493 } 494 for i := range ch.supportedSignatureAlgorithms { 495 if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] { 496 return true 497 } 498 } 499 for i := range ch.supportedSignatureAlgorithmsCert { 500 if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] { 501 return true 502 } 503 } 504 for i := range ch.alpnProtocols { 505 if ch.alpnProtocols[i] != ch1.alpnProtocols[i] { 506 return true 507 } 508 } 509 return ch.vers != ch1.vers || 510 !bytes.Equal(ch.random, ch1.random) || 511 !bytes.Equal(ch.sessionId, ch1.sessionId) || 512 !bytes.Equal(ch.compressionMethods, ch1.compressionMethods) || 513 ch.nextProtoNeg != ch1.nextProtoNeg || 514 ch.serverName != ch1.serverName || 515 ch.ocspStapling != ch1.ocspStapling || 516 !bytes.Equal(ch.supportedPoints, ch1.supportedPoints) || 517 ch.ticketSupported != ch1.ticketSupported || 518 !bytes.Equal(ch.sessionTicket, ch1.sessionTicket) || 519 ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported || 520 !bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) || 521 ch.scts != ch1.scts || 522 !bytes.Equal(ch.cookie, ch1.cookie) || 523 !bytes.Equal(ch.pskModes, ch1.pskModes) 524 } 525 526 func (hs *serverHandshakeStateTLS13) sendServerParameters() error { 527 c := hs.c 528 529 hs.transcript.Write(hs.clientHello.marshal()) 530 hs.transcript.Write(hs.hello.marshal()) 531 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 532 return err 533 } 534 535 if err := hs.sendDummyChangeCipherSpec(); err != nil { 536 return err 537 } 538 539 earlySecret := hs.earlySecret 540 if earlySecret == nil { 541 earlySecret = hs.suite.extract(nil, nil) 542 } 543 hs.handshakeSecret = hs.suite.extract(hs.sharedKey, 544 hs.suite.deriveSecret(earlySecret, "derived", nil)) 545 546 clientSecret := hs.suite.deriveSecret(hs.handshakeSecret, 547 clientHandshakeTrafficLabel, hs.transcript) 548 c.in.setTrafficSecret(hs.suite, clientSecret) 549 serverSecret := hs.suite.deriveSecret(hs.handshakeSecret, 550 serverHandshakeTrafficLabel, hs.transcript) 551 c.out.setTrafficSecret(hs.suite, serverSecret) 552 553 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret) 554 if err != nil { 555 c.sendAlert(alertInternalError) 556 return err 557 } 558 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret) 559 if err != nil { 560 c.sendAlert(alertInternalError) 561 return err 562 } 563 564 encryptedExtensions := new(encryptedExtensionsMsg) 565 566 if len(hs.clientHello.alpnProtocols) > 0 { 567 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 568 encryptedExtensions.alpnProtocol = selectedProto 569 c.clientProtocol = selectedProto 570 } 571 } 572 573 hs.transcript.Write(encryptedExtensions.marshal()) 574 if _, err := c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()); err != nil { 575 return err 576 } 577 578 return nil 579 } 580 581 func (hs *serverHandshakeStateTLS13) requestClientCert() bool { 582 return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK 583 } 584 585 func (hs *serverHandshakeStateTLS13) sendServerCertificate() error { 586 c := hs.c 587 588 // Only one of PSK and certificates are used at a time. 589 if hs.usingPSK { 590 return nil 591 } 592 593 if hs.requestClientCert() { 594 // Request a client certificate 595 certReq := new(certificateRequestMsgTLS13) 596 certReq.ocspStapling = true 597 certReq.scts = true 598 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms 599 if c.config.ClientCAs != nil { 600 certReq.certificateAuthorities = c.config.ClientCAs.Subjects() 601 } 602 603 hs.transcript.Write(certReq.marshal()) 604 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { 605 return err 606 } 607 } 608 609 certMsg := new(certificateMsgTLS13) 610 611 certMsg.certificate = *hs.cert 612 certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0 613 certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 614 615 hs.transcript.Write(certMsg.marshal()) 616 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 617 return err 618 } 619 620 certVerifyMsg := new(certificateVerifyMsg) 621 certVerifyMsg.hasSignatureAlgorithm = true 622 certVerifyMsg.signatureAlgorithm = hs.sigAlg 623 624 sigType := signatureFromSignatureScheme(hs.sigAlg) 625 sigHash, err := hashFromSignatureScheme(hs.sigAlg) 626 if sigType == 0 || err != nil { 627 return c.sendAlert(alertInternalError) 628 } 629 630 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) 631 signOpts := crypto.SignerOpts(sigHash) 632 if sigType == signatureRSAPSS { 633 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} 634 } 635 sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) 636 if err != nil { 637 public := hs.cert.PrivateKey.(crypto.Signer).Public() 638 if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS && 639 rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS 640 c.sendAlert(alertHandshakeFailure) 641 } else { 642 c.sendAlert(alertInternalError) 643 } 644 return errors.New("tls: failed to sign handshake: " + err.Error()) 645 } 646 certVerifyMsg.signature = sig 647 648 hs.transcript.Write(certVerifyMsg.marshal()) 649 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { 650 return err 651 } 652 653 return nil 654 } 655 656 func (hs *serverHandshakeStateTLS13) sendServerFinished() error { 657 c := hs.c 658 659 finished := &finishedMsg{ 660 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), 661 } 662 663 hs.transcript.Write(finished.marshal()) 664 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 665 return err 666 } 667 668 // Derive secrets that take context through the server Finished. 669 670 hs.masterSecret = hs.suite.extract(nil, 671 hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil)) 672 673 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, 674 clientApplicationTrafficLabel, hs.transcript) 675 serverSecret := hs.suite.deriveSecret(hs.masterSecret, 676 serverApplicationTrafficLabel, hs.transcript) 677 c.out.setTrafficSecret(hs.suite, serverSecret) 678 679 err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret) 680 if err != nil { 681 c.sendAlert(alertInternalError) 682 return err 683 } 684 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret) 685 if err != nil { 686 c.sendAlert(alertInternalError) 687 return err 688 } 689 690 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) 691 692 // If we did not request client certificates, at this point we can 693 // precompute the client finished and roll the transcript forward to send 694 // session tickets in our first flight. 695 if !hs.requestClientCert() { 696 if err := hs.sendSessionTickets(); err != nil { 697 return err 698 } 699 } 700 701 return nil 702 } 703 704 func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool { 705 if hs.c.config.SessionTicketsDisabled { 706 return false 707 } 708 709 // Don't send tickets the client wouldn't use. See RFC 8446, Section 4.2.9. 710 for _, pskMode := range hs.clientHello.pskModes { 711 if pskMode == pskModeDHE { 712 return true 713 } 714 } 715 return false 716 } 717 718 func (hs *serverHandshakeStateTLS13) sendSessionTickets() error { 719 c := hs.c 720 721 hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript) 722 finishedMsg := &finishedMsg{ 723 verifyData: hs.clientFinished, 724 } 725 hs.transcript.Write(finishedMsg.marshal()) 726 727 if !hs.shouldSendSessionTickets() { 728 return nil 729 } 730 731 resumptionSecret := hs.suite.deriveSecret(hs.masterSecret, 732 resumptionLabel, hs.transcript) 733 734 m := new(newSessionTicketMsgTLS13) 735 736 var certsFromClient [][]byte 737 for _, cert := range c.peerCertificates { 738 certsFromClient = append(certsFromClient, cert.Raw) 739 } 740 state := sessionStateTLS13{ 741 cipherSuite: hs.suite.id, 742 createdAt: uint64(c.config.time().Unix()), 743 resumptionSecret: resumptionSecret, 744 certificate: Certificate{ 745 Certificate: certsFromClient, 746 OCSPStaple: c.ocspResponse, 747 SignedCertificateTimestamps: c.scts, 748 }, 749 } 750 var err error 751 m.label, err = c.encryptTicket(state.marshal()) 752 if err != nil { 753 return err 754 } 755 m.lifetime = uint32(maxSessionTicketLifetime / time.Second) 756 757 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { 758 return err 759 } 760 761 return nil 762 } 763 764 func (hs *serverHandshakeStateTLS13) readClientCertificate() error { 765 c := hs.c 766 767 if !hs.requestClientCert() { 768 return nil 769 } 770 771 // If we requested a client certificate, then the client must send a 772 // certificate message. If it's empty, no CertificateVerify is sent. 773 774 msg, err := c.readHandshake() 775 if err != nil { 776 return err 777 } 778 779 certMsg, ok := msg.(*certificateMsgTLS13) 780 if !ok { 781 c.sendAlert(alertUnexpectedMessage) 782 return unexpectedMessageError(certMsg, msg) 783 } 784 hs.transcript.Write(certMsg.marshal()) 785 786 if err := c.processCertsFromClient(certMsg.certificate); err != nil { 787 return err 788 } 789 790 if len(certMsg.certificate.Certificate) != 0 { 791 msg, err = c.readHandshake() 792 if err != nil { 793 return err 794 } 795 796 certVerify, ok := msg.(*certificateVerifyMsg) 797 if !ok { 798 c.sendAlert(alertUnexpectedMessage) 799 return unexpectedMessageError(certVerify, msg) 800 } 801 802 // See RFC 8446, Section 4.4.3. 803 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) { 804 c.sendAlert(alertIllegalParameter) 805 return errors.New("tls: invalid certificate signature algorithm") 806 } 807 sigType := signatureFromSignatureScheme(certVerify.signatureAlgorithm) 808 sigHash, err := hashFromSignatureScheme(certVerify.signatureAlgorithm) 809 if sigType == 0 || err != nil { 810 c.sendAlert(alertInternalError) 811 return err 812 } 813 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 { 814 c.sendAlert(alertIllegalParameter) 815 return errors.New("tls: invalid certificate signature algorithm") 816 } 817 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript) 818 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey, 819 sigHash, signed, certVerify.signature); err != nil { 820 c.sendAlert(alertDecryptError) 821 return errors.New("tls: invalid certificate signature") 822 } 823 824 hs.transcript.Write(certVerify.marshal()) 825 } 826 827 // If we waited until the client certificates to send session tickets, we 828 // are ready to do it now. 829 if err := hs.sendSessionTickets(); err != nil { 830 return err 831 } 832 833 return nil 834 } 835 836 func (hs *serverHandshakeStateTLS13) readClientFinished() error { 837 c := hs.c 838 839 msg, err := c.readHandshake() 840 if err != nil { 841 return err 842 } 843 844 finished, ok := msg.(*finishedMsg) 845 if !ok { 846 c.sendAlert(alertUnexpectedMessage) 847 return unexpectedMessageError(finished, msg) 848 } 849 850 if !hmac.Equal(hs.clientFinished, finished.verifyData) { 851 c.sendAlert(alertDecryptError) 852 return errors.New("tls: invalid client finished hash") 853 } 854 855 c.in.setTrafficSecret(hs.suite, hs.trafficSecret) 856 857 return nil 858 } 859
View as plain text