Source file src/pkg/crypto/tls/handshake_client_tls13.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "crypto"
10 "crypto/hmac"
11 "crypto/rsa"
12 "errors"
13 "hash"
14 "sync/atomic"
15 "time"
16 )
17
18 type clientHandshakeStateTLS13 struct {
19 c *Conn
20 serverHello *serverHelloMsg
21 hello *clientHelloMsg
22 ecdheParams ecdheParameters
23
24 session *ClientSessionState
25 earlySecret []byte
26 binderKey []byte
27
28 certReq *certificateRequestMsgTLS13
29 usingPSK bool
30 sentDummyCCS bool
31 suite *cipherSuiteTLS13
32 transcript hash.Hash
33 masterSecret []byte
34 trafficSecret []byte
35 }
36
37
38
39 func (hs *clientHandshakeStateTLS13) handshake() error {
40 c := hs.c
41
42
43
44 if c.handshakes > 0 {
45 c.sendAlert(alertProtocolVersion)
46 return errors.New("tls: server selected TLS 1.3 in a renegotiation")
47 }
48
49
50 if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
51 return c.sendAlert(alertInternalError)
52 }
53
54 if err := hs.checkServerHelloOrHRR(); err != nil {
55 return err
56 }
57
58 hs.transcript = hs.suite.hash.New()
59 hs.transcript.Write(hs.hello.marshal())
60
61 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
62 if err := hs.sendDummyChangeCipherSpec(); err != nil {
63 return err
64 }
65 if err := hs.processHelloRetryRequest(); err != nil {
66 return err
67 }
68 }
69
70 hs.transcript.Write(hs.serverHello.marshal())
71
72 c.buffering = true
73 if err := hs.processServerHello(); err != nil {
74 return err
75 }
76 if err := hs.sendDummyChangeCipherSpec(); err != nil {
77 return err
78 }
79 if err := hs.establishHandshakeKeys(); err != nil {
80 return err
81 }
82 if err := hs.readServerParameters(); err != nil {
83 return err
84 }
85 if err := hs.readServerCertificate(); err != nil {
86 return err
87 }
88 if err := hs.readServerFinished(); err != nil {
89 return err
90 }
91 if err := hs.sendClientCertificate(); err != nil {
92 return err
93 }
94 if err := hs.sendClientFinished(); err != nil {
95 return err
96 }
97 if _, err := c.flush(); err != nil {
98 return err
99 }
100
101 atomic.StoreUint32(&c.handshakeStatus, 1)
102
103 return nil
104 }
105
106
107
108 func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
109 c := hs.c
110
111 if hs.serverHello.supportedVersion == 0 {
112 c.sendAlert(alertMissingExtension)
113 return errors.New("tls: server selected TLS 1.3 using the legacy version field")
114 }
115
116 if hs.serverHello.supportedVersion != VersionTLS13 {
117 c.sendAlert(alertIllegalParameter)
118 return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
119 }
120
121 if hs.serverHello.vers != VersionTLS12 {
122 c.sendAlert(alertIllegalParameter)
123 return errors.New("tls: server sent an incorrect legacy version")
124 }
125
126 if hs.serverHello.nextProtoNeg ||
127 len(hs.serverHello.nextProtos) != 0 ||
128 hs.serverHello.ocspStapling ||
129 hs.serverHello.ticketSupported ||
130 hs.serverHello.secureRenegotiationSupported ||
131 len(hs.serverHello.secureRenegotiation) != 0 ||
132 len(hs.serverHello.alpnProtocol) != 0 ||
133 len(hs.serverHello.scts) != 0 {
134 c.sendAlert(alertUnsupportedExtension)
135 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
136 }
137
138 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
139 c.sendAlert(alertIllegalParameter)
140 return errors.New("tls: server did not echo the legacy session ID")
141 }
142
143 if hs.serverHello.compressionMethod != compressionNone {
144 c.sendAlert(alertIllegalParameter)
145 return errors.New("tls: server selected unsupported compression format")
146 }
147
148 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
149 if hs.suite != nil && selectedSuite != hs.suite {
150 c.sendAlert(alertIllegalParameter)
151 return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
152 }
153 if selectedSuite == nil {
154 c.sendAlert(alertIllegalParameter)
155 return errors.New("tls: server chose an unconfigured cipher suite")
156 }
157 hs.suite = selectedSuite
158 c.cipherSuite = hs.suite.id
159
160 return nil
161 }
162
163
164
165 func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
166 if hs.sentDummyCCS {
167 return nil
168 }
169 hs.sentDummyCCS = true
170
171 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
172 return err
173 }
174
175
176
177 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
178 c := hs.c
179
180
181
182 chHash := hs.transcript.Sum(nil)
183 hs.transcript.Reset()
184 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
185 hs.transcript.Write(chHash)
186 hs.transcript.Write(hs.serverHello.marshal())
187
188 if hs.serverHello.serverShare.group != 0 {
189 c.sendAlert(alertDecodeError)
190 return errors.New("tls: received malformed key_share extension")
191 }
192
193 curveID := hs.serverHello.selectedGroup
194 if curveID == 0 {
195 c.sendAlert(alertMissingExtension)
196 return errors.New("tls: received HelloRetryRequest without selected group")
197 }
198 curveOK := false
199 for _, id := range hs.hello.supportedCurves {
200 if id == curveID {
201 curveOK = true
202 break
203 }
204 }
205 if !curveOK {
206 c.sendAlert(alertIllegalParameter)
207 return errors.New("tls: server selected unsupported group")
208 }
209 if hs.ecdheParams.CurveID() == curveID {
210 c.sendAlert(alertIllegalParameter)
211 return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
212 }
213 if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
214 c.sendAlert(alertInternalError)
215 return errors.New("tls: CurvePreferences includes unsupported curve")
216 }
217 params, err := generateECDHEParameters(c.config.rand(), curveID)
218 if err != nil {
219 c.sendAlert(alertInternalError)
220 return err
221 }
222 hs.ecdheParams = params
223 hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
224
225 hs.hello.cookie = hs.serverHello.cookie
226
227 hs.hello.raw = nil
228 if len(hs.hello.pskIdentities) > 0 {
229 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
230 if pskSuite == nil {
231 return c.sendAlert(alertInternalError)
232 }
233 if pskSuite.hash == hs.suite.hash {
234
235 ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond)
236 hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd
237
238 transcript := hs.suite.hash.New()
239 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
240 transcript.Write(chHash)
241 transcript.Write(hs.serverHello.marshal())
242 transcript.Write(hs.hello.marshalWithoutBinders())
243 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
244 hs.hello.updateBinders(pskBinders)
245 } else {
246
247 hs.hello.pskIdentities = nil
248 hs.hello.pskBinders = nil
249 }
250 }
251
252 hs.transcript.Write(hs.hello.marshal())
253 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
254 return err
255 }
256
257 msg, err := c.readHandshake()
258 if err != nil {
259 return err
260 }
261
262 serverHello, ok := msg.(*serverHelloMsg)
263 if !ok {
264 c.sendAlert(alertUnexpectedMessage)
265 return unexpectedMessageError(serverHello, msg)
266 }
267 hs.serverHello = serverHello
268
269 if err := hs.checkServerHelloOrHRR(); err != nil {
270 return err
271 }
272
273 return nil
274 }
275
276 func (hs *clientHandshakeStateTLS13) processServerHello() error {
277 c := hs.c
278
279 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
280 c.sendAlert(alertUnexpectedMessage)
281 return errors.New("tls: server sent two HelloRetryRequest messages")
282 }
283
284 if len(hs.serverHello.cookie) != 0 {
285 c.sendAlert(alertUnsupportedExtension)
286 return errors.New("tls: server sent a cookie in a normal ServerHello")
287 }
288
289 if hs.serverHello.selectedGroup != 0 {
290 c.sendAlert(alertDecodeError)
291 return errors.New("tls: malformed key_share extension")
292 }
293
294 if hs.serverHello.serverShare.group == 0 {
295 c.sendAlert(alertIllegalParameter)
296 return errors.New("tls: server did not send a key share")
297 }
298 if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() {
299 c.sendAlert(alertIllegalParameter)
300 return errors.New("tls: server selected unsupported group")
301 }
302
303 if !hs.serverHello.selectedIdentityPresent {
304 return nil
305 }
306
307 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
308 c.sendAlert(alertIllegalParameter)
309 return errors.New("tls: server selected an invalid PSK")
310 }
311
312 if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
313 return c.sendAlert(alertInternalError)
314 }
315 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
316 if pskSuite == nil {
317 return c.sendAlert(alertInternalError)
318 }
319 if pskSuite.hash != hs.suite.hash {
320 c.sendAlert(alertIllegalParameter)
321 return errors.New("tls: server selected an invalid PSK and cipher suite pair")
322 }
323
324 hs.usingPSK = true
325 c.didResume = true
326 c.peerCertificates = hs.session.serverCertificates
327 c.verifiedChains = hs.session.verifiedChains
328 return nil
329 }
330
331 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
332 c := hs.c
333
334 sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data)
335 if sharedKey == nil {
336 c.sendAlert(alertIllegalParameter)
337 return errors.New("tls: invalid server key share")
338 }
339
340 earlySecret := hs.earlySecret
341 if !hs.usingPSK {
342 earlySecret = hs.suite.extract(nil, nil)
343 }
344 handshakeSecret := hs.suite.extract(sharedKey,
345 hs.suite.deriveSecret(earlySecret, "derived", nil))
346
347 clientSecret := hs.suite.deriveSecret(handshakeSecret,
348 clientHandshakeTrafficLabel, hs.transcript)
349 c.out.setTrafficSecret(hs.suite, clientSecret)
350 serverSecret := hs.suite.deriveSecret(handshakeSecret,
351 serverHandshakeTrafficLabel, hs.transcript)
352 c.in.setTrafficSecret(hs.suite, serverSecret)
353
354 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
355 if err != nil {
356 c.sendAlert(alertInternalError)
357 return err
358 }
359 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
360 if err != nil {
361 c.sendAlert(alertInternalError)
362 return err
363 }
364
365 hs.masterSecret = hs.suite.extract(nil,
366 hs.suite.deriveSecret(handshakeSecret, "derived", nil))
367
368 return nil
369 }
370
371 func (hs *clientHandshakeStateTLS13) readServerParameters() error {
372 c := hs.c
373
374 msg, err := c.readHandshake()
375 if err != nil {
376 return err
377 }
378
379 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
380 if !ok {
381 c.sendAlert(alertUnexpectedMessage)
382 return unexpectedMessageError(encryptedExtensions, msg)
383 }
384 hs.transcript.Write(encryptedExtensions.marshal())
385
386 if len(encryptedExtensions.alpnProtocol) != 0 && len(hs.hello.alpnProtocols) == 0 {
387 c.sendAlert(alertUnsupportedExtension)
388 return errors.New("tls: server advertised unrequested ALPN extension")
389 }
390 c.clientProtocol = encryptedExtensions.alpnProtocol
391
392 return nil
393 }
394
395 func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
396 c := hs.c
397
398
399
400 if hs.usingPSK {
401 return nil
402 }
403
404 msg, err := c.readHandshake()
405 if err != nil {
406 return err
407 }
408
409 certReq, ok := msg.(*certificateRequestMsgTLS13)
410 if ok {
411 hs.transcript.Write(certReq.marshal())
412
413 hs.certReq = certReq
414
415 msg, err = c.readHandshake()
416 if err != nil {
417 return err
418 }
419 }
420
421 certMsg, ok := msg.(*certificateMsgTLS13)
422 if !ok {
423 c.sendAlert(alertUnexpectedMessage)
424 return unexpectedMessageError(certMsg, msg)
425 }
426 if len(certMsg.certificate.Certificate) == 0 {
427 c.sendAlert(alertDecodeError)
428 return errors.New("tls: received empty certificates message")
429 }
430 hs.transcript.Write(certMsg.marshal())
431
432 c.scts = certMsg.certificate.SignedCertificateTimestamps
433 c.ocspResponse = certMsg.certificate.OCSPStaple
434
435 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
436 return err
437 }
438
439 msg, err = c.readHandshake()
440 if err != nil {
441 return err
442 }
443
444 certVerify, ok := msg.(*certificateVerifyMsg)
445 if !ok {
446 c.sendAlert(alertUnexpectedMessage)
447 return unexpectedMessageError(certVerify, msg)
448 }
449
450
451 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) {
452 c.sendAlert(alertIllegalParameter)
453 return errors.New("tls: invalid certificate signature algorithm")
454 }
455 sigType := signatureFromSignatureScheme(certVerify.signatureAlgorithm)
456 sigHash, err := hashFromSignatureScheme(certVerify.signatureAlgorithm)
457 if sigType == 0 || err != nil {
458 c.sendAlert(alertInternalError)
459 return err
460 }
461 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
462 c.sendAlert(alertIllegalParameter)
463 return errors.New("tls: invalid certificate signature algorithm")
464 }
465 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
466 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
467 sigHash, signed, certVerify.signature); err != nil {
468 c.sendAlert(alertDecryptError)
469 return errors.New("tls: invalid certificate signature")
470 }
471
472 hs.transcript.Write(certVerify.marshal())
473
474 return nil
475 }
476
477 func (hs *clientHandshakeStateTLS13) readServerFinished() error {
478 c := hs.c
479
480 msg, err := c.readHandshake()
481 if err != nil {
482 return err
483 }
484
485 finished, ok := msg.(*finishedMsg)
486 if !ok {
487 c.sendAlert(alertUnexpectedMessage)
488 return unexpectedMessageError(finished, msg)
489 }
490
491 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
492 if !hmac.Equal(expectedMAC, finished.verifyData) {
493 c.sendAlert(alertDecryptError)
494 return errors.New("tls: invalid server finished hash")
495 }
496
497 hs.transcript.Write(finished.marshal())
498
499
500
501 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
502 clientApplicationTrafficLabel, hs.transcript)
503 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
504 serverApplicationTrafficLabel, hs.transcript)
505 c.in.setTrafficSecret(hs.suite, serverSecret)
506
507 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
508 if err != nil {
509 c.sendAlert(alertInternalError)
510 return err
511 }
512 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
513 if err != nil {
514 c.sendAlert(alertInternalError)
515 return err
516 }
517
518 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
519
520 return nil
521 }
522
523 func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
524 c := hs.c
525
526 if hs.certReq == nil {
527 return nil
528 }
529
530 cert, err := c.getClientCertificate(&CertificateRequestInfo{
531 AcceptableCAs: hs.certReq.certificateAuthorities,
532 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
533 })
534 if err != nil {
535 return err
536 }
537
538 certMsg := new(certificateMsgTLS13)
539
540 certMsg.certificate = *cert
541 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
542 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
543
544 hs.transcript.Write(certMsg.marshal())
545 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
546 return err
547 }
548
549
550 if len(cert.Certificate) == 0 {
551 return nil
552 }
553
554 certVerifyMsg := new(certificateVerifyMsg)
555 certVerifyMsg.hasSignatureAlgorithm = true
556
557 supportedAlgs := signatureSchemesForCertificate(c.vers, cert)
558 if supportedAlgs == nil {
559 c.sendAlert(alertInternalError)
560 return unsupportedCertificateError(cert)
561 }
562
563
564 for _, preferredAlg := range hs.certReq.supportedSignatureAlgorithms {
565 if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
566 certVerifyMsg.signatureAlgorithm = preferredAlg
567 break
568 }
569 }
570 if certVerifyMsg.signatureAlgorithm == 0 {
571
572
573 c.sendAlert(alertHandshakeFailure)
574 return errors.New("tls: server doesn't support selected certificate")
575 }
576
577 sigType := signatureFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
578 sigHash, err := hashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
579 if sigType == 0 || err != nil {
580 return c.sendAlert(alertInternalError)
581 }
582
583 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
584 signOpts := crypto.SignerOpts(sigHash)
585 if sigType == signatureRSAPSS {
586 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
587 }
588 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
589 if err != nil {
590 c.sendAlert(alertInternalError)
591 return errors.New("tls: failed to sign handshake: " + err.Error())
592 }
593 certVerifyMsg.signature = sig
594
595 hs.transcript.Write(certVerifyMsg.marshal())
596 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
597 return err
598 }
599
600 return nil
601 }
602
603 func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
604 c := hs.c
605
606 finished := &finishedMsg{
607 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
608 }
609
610 hs.transcript.Write(finished.marshal())
611 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
612 return err
613 }
614
615 c.out.setTrafficSecret(hs.suite, hs.trafficSecret)
616
617 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
618 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
619 resumptionLabel, hs.transcript)
620 }
621
622 return nil
623 }
624
625 func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
626 if !c.isClient {
627 c.sendAlert(alertUnexpectedMessage)
628 return errors.New("tls: received new session ticket from a client")
629 }
630
631 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
632 return nil
633 }
634
635
636 if msg.lifetime == 0 {
637 return nil
638 }
639 lifetime := time.Duration(msg.lifetime) * time.Second
640 if lifetime > maxSessionTicketLifetime {
641 c.sendAlert(alertIllegalParameter)
642 return errors.New("tls: received a session ticket with invalid lifetime")
643 }
644
645 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
646 if cipherSuite == nil || c.resumptionSecret == nil {
647 return c.sendAlert(alertInternalError)
648 }
649
650
651
652
653
654 session := &ClientSessionState{
655 sessionTicket: msg.label,
656 vers: c.vers,
657 cipherSuite: c.cipherSuite,
658 masterSecret: c.resumptionSecret,
659 serverCertificates: c.peerCertificates,
660 verifiedChains: c.verifiedChains,
661 receivedAt: c.config.time(),
662 nonce: msg.nonce,
663 useBy: c.config.time().Add(lifetime),
664 ageAdd: msg.ageAdd,
665 }
666
667 cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
668 c.config.ClientSessionCache.Put(cacheKey, session)
669
670 return nil
671 }
672
View as plain text