handshake_client_tls13.go

Documentation: crypto/tls

		 1  // Copyright 2018 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  package tls
		 6  
		 7  import (
		 8  	"bytes"
		 9  	"context"
		10  	"crypto"
		11  	"crypto/hmac"
		12  	"crypto/rsa"
		13  	"errors"
		14  	"hash"
		15  	"sync/atomic"
		16  	"time"
		17  )
		18  
		19  type clientHandshakeStateTLS13 struct {
		20  	c					 *Conn
		21  	ctx				 context.Context
		22  	serverHello *serverHelloMsg
		23  	hello			 *clientHelloMsg
		24  	ecdheParams ecdheParameters
		25  
		26  	session		 *ClientSessionState
		27  	earlySecret []byte
		28  	binderKey	 []byte
		29  
		30  	certReq			 *certificateRequestMsgTLS13
		31  	usingPSK			bool
		32  	sentDummyCCS	bool
		33  	suite				 *cipherSuiteTLS13
		34  	transcript		hash.Hash
		35  	masterSecret	[]byte
		36  	trafficSecret []byte // client_application_traffic_secret_0
		37  }
		38  
		39  // handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and,
		40  // optionally, hs.session, hs.earlySecret and hs.binderKey to be set.
		41  func (hs *clientHandshakeStateTLS13) handshake() error {
		42  	c := hs.c
		43  
		44  	// The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
		45  	// sections 4.1.2 and 4.1.3.
		46  	if c.handshakes > 0 {
		47  		c.sendAlert(alertProtocolVersion)
		48  		return errors.New("tls: server selected TLS 1.3 in a renegotiation")
		49  	}
		50  
		51  	// Consistency check on the presence of a keyShare and its parameters.
		52  	if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
		53  		return c.sendAlert(alertInternalError)
		54  	}
		55  
		56  	if err := hs.checkServerHelloOrHRR(); err != nil {
		57  		return err
		58  	}
		59  
		60  	hs.transcript = hs.suite.hash.New()
		61  	hs.transcript.Write(hs.hello.marshal())
		62  
		63  	if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
		64  		if err := hs.sendDummyChangeCipherSpec(); err != nil {
		65  			return err
		66  		}
		67  		if err := hs.processHelloRetryRequest(); err != nil {
		68  			return err
		69  		}
		70  	}
		71  
		72  	hs.transcript.Write(hs.serverHello.marshal())
		73  
		74  	c.buffering = true
		75  	if err := hs.processServerHello(); err != nil {
		76  		return err
		77  	}
		78  	if err := hs.sendDummyChangeCipherSpec(); err != nil {
		79  		return err
		80  	}
		81  	if err := hs.establishHandshakeKeys(); err != nil {
		82  		return err
		83  	}
		84  	if err := hs.readServerParameters(); err != nil {
		85  		return err
		86  	}
		87  	if err := hs.readServerCertificate(); err != nil {
		88  		return err
		89  	}
		90  	if err := hs.readServerFinished(); err != nil {
		91  		return err
		92  	}
		93  	if err := hs.sendClientCertificate(); err != nil {
		94  		return err
		95  	}
		96  	if err := hs.sendClientFinished(); err != nil {
		97  		return err
		98  	}
		99  	if _, err := c.flush(); err != nil {
	 100  		return err
	 101  	}
	 102  
	 103  	atomic.StoreUint32(&c.handshakeStatus, 1)
	 104  
	 105  	return nil
	 106  }
	 107  
	 108  // checkServerHelloOrHRR does validity checks that apply to both ServerHello and
	 109  // HelloRetryRequest messages. It sets hs.suite.
	 110  func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
	 111  	c := hs.c
	 112  
	 113  	if hs.serverHello.supportedVersion == 0 {
	 114  		c.sendAlert(alertMissingExtension)
	 115  		return errors.New("tls: server selected TLS 1.3 using the legacy version field")
	 116  	}
	 117  
	 118  	if hs.serverHello.supportedVersion != VersionTLS13 {
	 119  		c.sendAlert(alertIllegalParameter)
	 120  		return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
	 121  	}
	 122  
	 123  	if hs.serverHello.vers != VersionTLS12 {
	 124  		c.sendAlert(alertIllegalParameter)
	 125  		return errors.New("tls: server sent an incorrect legacy version")
	 126  	}
	 127  
	 128  	if hs.serverHello.ocspStapling ||
	 129  		hs.serverHello.ticketSupported ||
	 130  		hs.serverHello.secureRenegotiationSupported ||
	 131  		len(hs.serverHello.secureRenegotiation) != 0 ||
	 132  		len(hs.serverHello.alpnProtocol) != 0 ||
	 133  		len(hs.serverHello.scts) != 0 {
	 134  		c.sendAlert(alertUnsupportedExtension)
	 135  		return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
	 136  	}
	 137  
	 138  	if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
	 139  		c.sendAlert(alertIllegalParameter)
	 140  		return errors.New("tls: server did not echo the legacy session ID")
	 141  	}
	 142  
	 143  	if hs.serverHello.compressionMethod != compressionNone {
	 144  		c.sendAlert(alertIllegalParameter)
	 145  		return errors.New("tls: server selected unsupported compression format")
	 146  	}
	 147  
	 148  	selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
	 149  	if hs.suite != nil && selectedSuite != hs.suite {
	 150  		c.sendAlert(alertIllegalParameter)
	 151  		return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
	 152  	}
	 153  	if selectedSuite == nil {
	 154  		c.sendAlert(alertIllegalParameter)
	 155  		return errors.New("tls: server chose an unconfigured cipher suite")
	 156  	}
	 157  	hs.suite = selectedSuite
	 158  	c.cipherSuite = hs.suite.id
	 159  
	 160  	return nil
	 161  }
	 162  
	 163  // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
	 164  // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
	 165  func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
	 166  	if hs.sentDummyCCS {
	 167  		return nil
	 168  	}
	 169  	hs.sentDummyCCS = true
	 170  
	 171  	_, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
	 172  	return err
	 173  }
	 174  
	 175  // processHelloRetryRequest handles the HRR in hs.serverHello, modifies and
	 176  // resends hs.hello, and reads the new ServerHello into hs.serverHello.
	 177  func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
	 178  	c := hs.c
	 179  
	 180  	// The first ClientHello gets double-hashed into the transcript upon a
	 181  	// HelloRetryRequest. (The idea is that the server might offload transcript
	 182  	// storage to the client in the cookie.) See RFC 8446, Section 4.4.1.
	 183  	chHash := hs.transcript.Sum(nil)
	 184  	hs.transcript.Reset()
	 185  	hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
	 186  	hs.transcript.Write(chHash)
	 187  	hs.transcript.Write(hs.serverHello.marshal())
	 188  
	 189  	// The only HelloRetryRequest extensions we support are key_share and
	 190  	// cookie, and clients must abort the handshake if the HRR would not result
	 191  	// in any change in the ClientHello.
	 192  	if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil {
	 193  		c.sendAlert(alertIllegalParameter)
	 194  		return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
	 195  	}
	 196  
	 197  	if hs.serverHello.cookie != nil {
	 198  		hs.hello.cookie = hs.serverHello.cookie
	 199  	}
	 200  
	 201  	if hs.serverHello.serverShare.group != 0 {
	 202  		c.sendAlert(alertDecodeError)
	 203  		return errors.New("tls: received malformed key_share extension")
	 204  	}
	 205  
	 206  	// If the server sent a key_share extension selecting a group, ensure it's
	 207  	// a group we advertised but did not send a key share for, and send a key
	 208  	// share for it this time.
	 209  	if curveID := hs.serverHello.selectedGroup; curveID != 0 {
	 210  		curveOK := false
	 211  		for _, id := range hs.hello.supportedCurves {
	 212  			if id == curveID {
	 213  				curveOK = true
	 214  				break
	 215  			}
	 216  		}
	 217  		if !curveOK {
	 218  			c.sendAlert(alertIllegalParameter)
	 219  			return errors.New("tls: server selected unsupported group")
	 220  		}
	 221  		if hs.ecdheParams.CurveID() == curveID {
	 222  			c.sendAlert(alertIllegalParameter)
	 223  			return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
	 224  		}
	 225  		if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
	 226  			c.sendAlert(alertInternalError)
	 227  			return errors.New("tls: CurvePreferences includes unsupported curve")
	 228  		}
	 229  		params, err := generateECDHEParameters(c.config.rand(), curveID)
	 230  		if err != nil {
	 231  			c.sendAlert(alertInternalError)
	 232  			return err
	 233  		}
	 234  		hs.ecdheParams = params
	 235  		hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
	 236  	}
	 237  
	 238  	hs.hello.raw = nil
	 239  	if len(hs.hello.pskIdentities) > 0 {
	 240  		pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
	 241  		if pskSuite == nil {
	 242  			return c.sendAlert(alertInternalError)
	 243  		}
	 244  		if pskSuite.hash == hs.suite.hash {
	 245  			// Update binders and obfuscated_ticket_age.
	 246  			ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond)
	 247  			hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd
	 248  
	 249  			transcript := hs.suite.hash.New()
	 250  			transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
	 251  			transcript.Write(chHash)
	 252  			transcript.Write(hs.serverHello.marshal())
	 253  			transcript.Write(hs.hello.marshalWithoutBinders())
	 254  			pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
	 255  			hs.hello.updateBinders(pskBinders)
	 256  		} else {
	 257  			// Server selected a cipher suite incompatible with the PSK.
	 258  			hs.hello.pskIdentities = nil
	 259  			hs.hello.pskBinders = nil
	 260  		}
	 261  	}
	 262  
	 263  	hs.transcript.Write(hs.hello.marshal())
	 264  	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
	 265  		return err
	 266  	}
	 267  
	 268  	msg, err := c.readHandshake()
	 269  	if err != nil {
	 270  		return err
	 271  	}
	 272  
	 273  	serverHello, ok := msg.(*serverHelloMsg)
	 274  	if !ok {
	 275  		c.sendAlert(alertUnexpectedMessage)
	 276  		return unexpectedMessageError(serverHello, msg)
	 277  	}
	 278  	hs.serverHello = serverHello
	 279  
	 280  	if err := hs.checkServerHelloOrHRR(); err != nil {
	 281  		return err
	 282  	}
	 283  
	 284  	return nil
	 285  }
	 286  
	 287  func (hs *clientHandshakeStateTLS13) processServerHello() error {
	 288  	c := hs.c
	 289  
	 290  	if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
	 291  		c.sendAlert(alertUnexpectedMessage)
	 292  		return errors.New("tls: server sent two HelloRetryRequest messages")
	 293  	}
	 294  
	 295  	if len(hs.serverHello.cookie) != 0 {
	 296  		c.sendAlert(alertUnsupportedExtension)
	 297  		return errors.New("tls: server sent a cookie in a normal ServerHello")
	 298  	}
	 299  
	 300  	if hs.serverHello.selectedGroup != 0 {
	 301  		c.sendAlert(alertDecodeError)
	 302  		return errors.New("tls: malformed key_share extension")
	 303  	}
	 304  
	 305  	if hs.serverHello.serverShare.group == 0 {
	 306  		c.sendAlert(alertIllegalParameter)
	 307  		return errors.New("tls: server did not send a key share")
	 308  	}
	 309  	if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() {
	 310  		c.sendAlert(alertIllegalParameter)
	 311  		return errors.New("tls: server selected unsupported group")
	 312  	}
	 313  
	 314  	if !hs.serverHello.selectedIdentityPresent {
	 315  		return nil
	 316  	}
	 317  
	 318  	if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
	 319  		c.sendAlert(alertIllegalParameter)
	 320  		return errors.New("tls: server selected an invalid PSK")
	 321  	}
	 322  
	 323  	if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
	 324  		return c.sendAlert(alertInternalError)
	 325  	}
	 326  	pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
	 327  	if pskSuite == nil {
	 328  		return c.sendAlert(alertInternalError)
	 329  	}
	 330  	if pskSuite.hash != hs.suite.hash {
	 331  		c.sendAlert(alertIllegalParameter)
	 332  		return errors.New("tls: server selected an invalid PSK and cipher suite pair")
	 333  	}
	 334  
	 335  	hs.usingPSK = true
	 336  	c.didResume = true
	 337  	c.peerCertificates = hs.session.serverCertificates
	 338  	c.verifiedChains = hs.session.verifiedChains
	 339  	c.ocspResponse = hs.session.ocspResponse
	 340  	c.scts = hs.session.scts
	 341  	return nil
	 342  }
	 343  
	 344  func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
	 345  	c := hs.c
	 346  
	 347  	sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data)
	 348  	if sharedKey == nil {
	 349  		c.sendAlert(alertIllegalParameter)
	 350  		return errors.New("tls: invalid server key share")
	 351  	}
	 352  
	 353  	earlySecret := hs.earlySecret
	 354  	if !hs.usingPSK {
	 355  		earlySecret = hs.suite.extract(nil, nil)
	 356  	}
	 357  	handshakeSecret := hs.suite.extract(sharedKey,
	 358  		hs.suite.deriveSecret(earlySecret, "derived", nil))
	 359  
	 360  	clientSecret := hs.suite.deriveSecret(handshakeSecret,
	 361  		clientHandshakeTrafficLabel, hs.transcript)
	 362  	c.out.setTrafficSecret(hs.suite, clientSecret)
	 363  	serverSecret := hs.suite.deriveSecret(handshakeSecret,
	 364  		serverHandshakeTrafficLabel, hs.transcript)
	 365  	c.in.setTrafficSecret(hs.suite, serverSecret)
	 366  
	 367  	err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
	 368  	if err != nil {
	 369  		c.sendAlert(alertInternalError)
	 370  		return err
	 371  	}
	 372  	err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
	 373  	if err != nil {
	 374  		c.sendAlert(alertInternalError)
	 375  		return err
	 376  	}
	 377  
	 378  	hs.masterSecret = hs.suite.extract(nil,
	 379  		hs.suite.deriveSecret(handshakeSecret, "derived", nil))
	 380  
	 381  	return nil
	 382  }
	 383  
	 384  func (hs *clientHandshakeStateTLS13) readServerParameters() error {
	 385  	c := hs.c
	 386  
	 387  	msg, err := c.readHandshake()
	 388  	if err != nil {
	 389  		return err
	 390  	}
	 391  
	 392  	encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
	 393  	if !ok {
	 394  		c.sendAlert(alertUnexpectedMessage)
	 395  		return unexpectedMessageError(encryptedExtensions, msg)
	 396  	}
	 397  	hs.transcript.Write(encryptedExtensions.marshal())
	 398  
	 399  	if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil {
	 400  		c.sendAlert(alertUnsupportedExtension)
	 401  		return err
	 402  	}
	 403  	c.clientProtocol = encryptedExtensions.alpnProtocol
	 404  
	 405  	return nil
	 406  }
	 407  
	 408  func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
	 409  	c := hs.c
	 410  
	 411  	// Either a PSK or a certificate is always used, but not both.
	 412  	// See RFC 8446, Section 4.1.1.
	 413  	if hs.usingPSK {
	 414  		// Make sure the connection is still being verified whether or not this
	 415  		// is a resumption. Resumptions currently don't reverify certificates so
	 416  		// they don't call verifyServerCertificate. See Issue 31641.
	 417  		if c.config.VerifyConnection != nil {
	 418  			if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
	 419  				c.sendAlert(alertBadCertificate)
	 420  				return err
	 421  			}
	 422  		}
	 423  		return nil
	 424  	}
	 425  
	 426  	msg, err := c.readHandshake()
	 427  	if err != nil {
	 428  		return err
	 429  	}
	 430  
	 431  	certReq, ok := msg.(*certificateRequestMsgTLS13)
	 432  	if ok {
	 433  		hs.transcript.Write(certReq.marshal())
	 434  
	 435  		hs.certReq = certReq
	 436  
	 437  		msg, err = c.readHandshake()
	 438  		if err != nil {
	 439  			return err
	 440  		}
	 441  	}
	 442  
	 443  	certMsg, ok := msg.(*certificateMsgTLS13)
	 444  	if !ok {
	 445  		c.sendAlert(alertUnexpectedMessage)
	 446  		return unexpectedMessageError(certMsg, msg)
	 447  	}
	 448  	if len(certMsg.certificate.Certificate) == 0 {
	 449  		c.sendAlert(alertDecodeError)
	 450  		return errors.New("tls: received empty certificates message")
	 451  	}
	 452  	hs.transcript.Write(certMsg.marshal())
	 453  
	 454  	c.scts = certMsg.certificate.SignedCertificateTimestamps
	 455  	c.ocspResponse = certMsg.certificate.OCSPStaple
	 456  
	 457  	if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
	 458  		return err
	 459  	}
	 460  
	 461  	msg, err = c.readHandshake()
	 462  	if err != nil {
	 463  		return err
	 464  	}
	 465  
	 466  	certVerify, ok := msg.(*certificateVerifyMsg)
	 467  	if !ok {
	 468  		c.sendAlert(alertUnexpectedMessage)
	 469  		return unexpectedMessageError(certVerify, msg)
	 470  	}
	 471  
	 472  	// See RFC 8446, Section 4.4.3.
	 473  	if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) {
	 474  		c.sendAlert(alertIllegalParameter)
	 475  		return errors.New("tls: certificate used with invalid signature algorithm")
	 476  	}
	 477  	sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
	 478  	if err != nil {
	 479  		return c.sendAlert(alertInternalError)
	 480  	}
	 481  	if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
	 482  		c.sendAlert(alertIllegalParameter)
	 483  		return errors.New("tls: certificate used with invalid signature algorithm")
	 484  	}
	 485  	signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
	 486  	if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
	 487  		sigHash, signed, certVerify.signature); err != nil {
	 488  		c.sendAlert(alertDecryptError)
	 489  		return errors.New("tls: invalid signature by the server certificate: " + err.Error())
	 490  	}
	 491  
	 492  	hs.transcript.Write(certVerify.marshal())
	 493  
	 494  	return nil
	 495  }
	 496  
	 497  func (hs *clientHandshakeStateTLS13) readServerFinished() error {
	 498  	c := hs.c
	 499  
	 500  	msg, err := c.readHandshake()
	 501  	if err != nil {
	 502  		return err
	 503  	}
	 504  
	 505  	finished, ok := msg.(*finishedMsg)
	 506  	if !ok {
	 507  		c.sendAlert(alertUnexpectedMessage)
	 508  		return unexpectedMessageError(finished, msg)
	 509  	}
	 510  
	 511  	expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
	 512  	if !hmac.Equal(expectedMAC, finished.verifyData) {
	 513  		c.sendAlert(alertDecryptError)
	 514  		return errors.New("tls: invalid server finished hash")
	 515  	}
	 516  
	 517  	hs.transcript.Write(finished.marshal())
	 518  
	 519  	// Derive secrets that take context through the server Finished.
	 520  
	 521  	hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
	 522  		clientApplicationTrafficLabel, hs.transcript)
	 523  	serverSecret := hs.suite.deriveSecret(hs.masterSecret,
	 524  		serverApplicationTrafficLabel, hs.transcript)
	 525  	c.in.setTrafficSecret(hs.suite, serverSecret)
	 526  
	 527  	err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
	 528  	if err != nil {
	 529  		c.sendAlert(alertInternalError)
	 530  		return err
	 531  	}
	 532  	err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
	 533  	if err != nil {
	 534  		c.sendAlert(alertInternalError)
	 535  		return err
	 536  	}
	 537  
	 538  	c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
	 539  
	 540  	return nil
	 541  }
	 542  
	 543  func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
	 544  	c := hs.c
	 545  
	 546  	if hs.certReq == nil {
	 547  		return nil
	 548  	}
	 549  
	 550  	cert, err := c.getClientCertificate(&CertificateRequestInfo{
	 551  		AcceptableCAs:		hs.certReq.certificateAuthorities,
	 552  		SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
	 553  		Version:					c.vers,
	 554  		ctx:							hs.ctx,
	 555  	})
	 556  	if err != nil {
	 557  		return err
	 558  	}
	 559  
	 560  	certMsg := new(certificateMsgTLS13)
	 561  
	 562  	certMsg.certificate = *cert
	 563  	certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
	 564  	certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
	 565  
	 566  	hs.transcript.Write(certMsg.marshal())
	 567  	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
	 568  		return err
	 569  	}
	 570  
	 571  	// If we sent an empty certificate message, skip the CertificateVerify.
	 572  	if len(cert.Certificate) == 0 {
	 573  		return nil
	 574  	}
	 575  
	 576  	certVerifyMsg := new(certificateVerifyMsg)
	 577  	certVerifyMsg.hasSignatureAlgorithm = true
	 578  
	 579  	certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
	 580  	if err != nil {
	 581  		// getClientCertificate returned a certificate incompatible with the
	 582  		// CertificateRequestInfo supported signature algorithms.
	 583  		c.sendAlert(alertHandshakeFailure)
	 584  		return err
	 585  	}
	 586  
	 587  	sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
	 588  	if err != nil {
	 589  		return c.sendAlert(alertInternalError)
	 590  	}
	 591  
	 592  	signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
	 593  	signOpts := crypto.SignerOpts(sigHash)
	 594  	if sigType == signatureRSAPSS {
	 595  		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
	 596  	}
	 597  	sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
	 598  	if err != nil {
	 599  		c.sendAlert(alertInternalError)
	 600  		return errors.New("tls: failed to sign handshake: " + err.Error())
	 601  	}
	 602  	certVerifyMsg.signature = sig
	 603  
	 604  	hs.transcript.Write(certVerifyMsg.marshal())
	 605  	if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
	 606  		return err
	 607  	}
	 608  
	 609  	return nil
	 610  }
	 611  
	 612  func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
	 613  	c := hs.c
	 614  
	 615  	finished := &finishedMsg{
	 616  		verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
	 617  	}
	 618  
	 619  	hs.transcript.Write(finished.marshal())
	 620  	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
	 621  		return err
	 622  	}
	 623  
	 624  	c.out.setTrafficSecret(hs.suite, hs.trafficSecret)
	 625  
	 626  	if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
	 627  		c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
	 628  			resumptionLabel, hs.transcript)
	 629  	}
	 630  
	 631  	return nil
	 632  }
	 633  
	 634  func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
	 635  	if !c.isClient {
	 636  		c.sendAlert(alertUnexpectedMessage)
	 637  		return errors.New("tls: received new session ticket from a client")
	 638  	}
	 639  
	 640  	if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
	 641  		return nil
	 642  	}
	 643  
	 644  	// See RFC 8446, Section 4.6.1.
	 645  	if msg.lifetime == 0 {
	 646  		return nil
	 647  	}
	 648  	lifetime := time.Duration(msg.lifetime) * time.Second
	 649  	if lifetime > maxSessionTicketLifetime {
	 650  		c.sendAlert(alertIllegalParameter)
	 651  		return errors.New("tls: received a session ticket with invalid lifetime")
	 652  	}
	 653  
	 654  	cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
	 655  	if cipherSuite == nil || c.resumptionSecret == nil {
	 656  		return c.sendAlert(alertInternalError)
	 657  	}
	 658  
	 659  	// Save the resumption_master_secret and nonce instead of deriving the PSK
	 660  	// to do the least amount of work on NewSessionTicket messages before we
	 661  	// know if the ticket will be used. Forward secrecy of resumed connections
	 662  	// is guaranteed by the requirement for pskModeDHE.
	 663  	session := &ClientSessionState{
	 664  		sessionTicket:			msg.label,
	 665  		vers:							 c.vers,
	 666  		cipherSuite:				c.cipherSuite,
	 667  		masterSecret:			 c.resumptionSecret,
	 668  		serverCertificates: c.peerCertificates,
	 669  		verifiedChains:		 c.verifiedChains,
	 670  		receivedAt:				 c.config.time(),
	 671  		nonce:							msg.nonce,
	 672  		useBy:							c.config.time().Add(lifetime),
	 673  		ageAdd:						 msg.ageAdd,
	 674  		ocspResponse:			 c.ocspResponse,
	 675  		scts:							 c.scts,
	 676  	}
	 677  
	 678  	cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
	 679  	c.config.ClientSessionCache.Put(cacheKey, session)
	 680  
	 681  	return nil
	 682  }
	 683
View as plain text