handshake_server_tls13.go

Documentation: crypto/tls

		 1  // Copyright 2018 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  package tls
		 6  
		 7  import (
		 8  	"bytes"
		 9  	"context"
		10  	"crypto"
		11  	"crypto/hmac"
		12  	"crypto/rsa"
		13  	"encoding/binary"
		14  	"errors"
		15  	"hash"
		16  	"io"
		17  	"sync/atomic"
		18  	"time"
		19  )
		20  
		21  // maxClientPSKIdentities is the number of client PSK identities the server will
		22  // attempt to validate. It will ignore the rest not to let cheap ClientHello
		23  // messages cause too much work in session ticket decryption attempts.
		24  const maxClientPSKIdentities = 5
		25  
		26  type serverHandshakeStateTLS13 struct {
		27  	c							 *Conn
		28  	ctx						 context.Context
		29  	clientHello		 *clientHelloMsg
		30  	hello					 *serverHelloMsg
		31  	sentDummyCCS		bool
		32  	usingPSK				bool
		33  	suite					 *cipherSuiteTLS13
		34  	cert						*Certificate
		35  	sigAlg					SignatureScheme
		36  	earlySecret		 []byte
		37  	sharedKey			 []byte
		38  	handshakeSecret []byte
		39  	masterSecret		[]byte
		40  	trafficSecret	 []byte // client_application_traffic_secret_0
		41  	transcript			hash.Hash
		42  	clientFinished	[]byte
		43  }
		44  
		45  func (hs *serverHandshakeStateTLS13) handshake() error {
		46  	c := hs.c
		47  
		48  	// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
		49  	if err := hs.processClientHello(); err != nil {
		50  		return err
		51  	}
		52  	if err := hs.checkForResumption(); err != nil {
		53  		return err
		54  	}
		55  	if err := hs.pickCertificate(); err != nil {
		56  		return err
		57  	}
		58  	c.buffering = true
		59  	if err := hs.sendServerParameters(); err != nil {
		60  		return err
		61  	}
		62  	if err := hs.sendServerCertificate(); err != nil {
		63  		return err
		64  	}
		65  	if err := hs.sendServerFinished(); err != nil {
		66  		return err
		67  	}
		68  	// Note that at this point we could start sending application data without
		69  	// waiting for the client's second flight, but the application might not
		70  	// expect the lack of replay protection of the ClientHello parameters.
		71  	if _, err := c.flush(); err != nil {
		72  		return err
		73  	}
		74  	if err := hs.readClientCertificate(); err != nil {
		75  		return err
		76  	}
		77  	if err := hs.readClientFinished(); err != nil {
		78  		return err
		79  	}
		80  
		81  	atomic.StoreUint32(&c.handshakeStatus, 1)
		82  
		83  	return nil
		84  }
		85  
		86  func (hs *serverHandshakeStateTLS13) processClientHello() error {
		87  	c := hs.c
		88  
		89  	hs.hello = new(serverHelloMsg)
		90  
		91  	// TLS 1.3 froze the ServerHello.legacy_version field, and uses
		92  	// supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1.
		93  	hs.hello.vers = VersionTLS12
		94  	hs.hello.supportedVersion = c.vers
		95  
		96  	if len(hs.clientHello.supportedVersions) == 0 {
		97  		c.sendAlert(alertIllegalParameter)
		98  		return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
		99  	}
	 100  
	 101  	// Abort if the client is doing a fallback and landing lower than what we
	 102  	// support. See RFC 7507, which however does not specify the interaction
	 103  	// with supported_versions. The only difference is that with
	 104  	// supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4]
	 105  	// handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case,
	 106  	// it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to
	 107  	// TLS 1.2, because a TLS 1.3 server would abort here. The situation before
	 108  	// supported_versions was not better because there was just no way to do a
	 109  	// TLS 1.4 handshake without risking the server selecting TLS 1.3.
	 110  	for _, id := range hs.clientHello.cipherSuites {
	 111  		if id == TLS_FALLBACK_SCSV {
	 112  			// Use c.vers instead of max(supported_versions) because an attacker
	 113  			// could defeat this by adding an arbitrary high version otherwise.
	 114  			if c.vers < c.config.maxSupportedVersion() {
	 115  				c.sendAlert(alertInappropriateFallback)
	 116  				return errors.New("tls: client using inappropriate protocol fallback")
	 117  			}
	 118  			break
	 119  		}
	 120  	}
	 121  
	 122  	if len(hs.clientHello.compressionMethods) != 1 ||
	 123  		hs.clientHello.compressionMethods[0] != compressionNone {
	 124  		c.sendAlert(alertIllegalParameter)
	 125  		return errors.New("tls: TLS 1.3 client supports illegal compression methods")
	 126  	}
	 127  
	 128  	hs.hello.random = make([]byte, 32)
	 129  	if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
	 130  		c.sendAlert(alertInternalError)
	 131  		return err
	 132  	}
	 133  
	 134  	if len(hs.clientHello.secureRenegotiation) != 0 {
	 135  		c.sendAlert(alertHandshakeFailure)
	 136  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
	 137  	}
	 138  
	 139  	if hs.clientHello.earlyData {
	 140  		// See RFC 8446, Section 4.2.10 for the complicated behavior required
	 141  		// here. The scenario is that a different server at our address offered
	 142  		// to accept early data in the past, which we can't handle. For now, all
	 143  		// 0-RTT enabled session tickets need to expire before a Go server can
	 144  		// replace a server or join a pool. That's the same requirement that
	 145  		// applies to mixing or replacing with any TLS 1.2 server.
	 146  		c.sendAlert(alertUnsupportedExtension)
	 147  		return errors.New("tls: client sent unexpected early data")
	 148  	}
	 149  
	 150  	hs.hello.sessionId = hs.clientHello.sessionId
	 151  	hs.hello.compressionMethod = compressionNone
	 152  
	 153  	preferenceList := defaultCipherSuitesTLS13
	 154  	if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
	 155  		preferenceList = defaultCipherSuitesTLS13NoAES
	 156  	}
	 157  	for _, suiteID := range preferenceList {
	 158  		hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID)
	 159  		if hs.suite != nil {
	 160  			break
	 161  		}
	 162  	}
	 163  	if hs.suite == nil {
	 164  		c.sendAlert(alertHandshakeFailure)
	 165  		return errors.New("tls: no cipher suite supported by both client and server")
	 166  	}
	 167  	c.cipherSuite = hs.suite.id
	 168  	hs.hello.cipherSuite = hs.suite.id
	 169  	hs.transcript = hs.suite.hash.New()
	 170  
	 171  	// Pick the ECDHE group in server preference order, but give priority to
	 172  	// groups with a key share, to avoid a HelloRetryRequest round-trip.
	 173  	var selectedGroup CurveID
	 174  	var clientKeyShare *keyShare
	 175  GroupSelection:
	 176  	for _, preferredGroup := range c.config.curvePreferences() {
	 177  		for _, ks := range hs.clientHello.keyShares {
	 178  			if ks.group == preferredGroup {
	 179  				selectedGroup = ks.group
	 180  				clientKeyShare = &ks
	 181  				break GroupSelection
	 182  			}
	 183  		}
	 184  		if selectedGroup != 0 {
	 185  			continue
	 186  		}
	 187  		for _, group := range hs.clientHello.supportedCurves {
	 188  			if group == preferredGroup {
	 189  				selectedGroup = group
	 190  				break
	 191  			}
	 192  		}
	 193  	}
	 194  	if selectedGroup == 0 {
	 195  		c.sendAlert(alertHandshakeFailure)
	 196  		return errors.New("tls: no ECDHE curve supported by both client and server")
	 197  	}
	 198  	if clientKeyShare == nil {
	 199  		if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
	 200  			return err
	 201  		}
	 202  		clientKeyShare = &hs.clientHello.keyShares[0]
	 203  	}
	 204  
	 205  	if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && !ok {
	 206  		c.sendAlert(alertInternalError)
	 207  		return errors.New("tls: CurvePreferences includes unsupported curve")
	 208  	}
	 209  	params, err := generateECDHEParameters(c.config.rand(), selectedGroup)
	 210  	if err != nil {
	 211  		c.sendAlert(alertInternalError)
	 212  		return err
	 213  	}
	 214  	hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()}
	 215  	hs.sharedKey = params.SharedKey(clientKeyShare.data)
	 216  	if hs.sharedKey == nil {
	 217  		c.sendAlert(alertIllegalParameter)
	 218  		return errors.New("tls: invalid client key share")
	 219  	}
	 220  
	 221  	c.serverName = hs.clientHello.serverName
	 222  	return nil
	 223  }
	 224  
	 225  func (hs *serverHandshakeStateTLS13) checkForResumption() error {
	 226  	c := hs.c
	 227  
	 228  	if c.config.SessionTicketsDisabled {
	 229  		return nil
	 230  	}
	 231  
	 232  	modeOK := false
	 233  	for _, mode := range hs.clientHello.pskModes {
	 234  		if mode == pskModeDHE {
	 235  			modeOK = true
	 236  			break
	 237  		}
	 238  	}
	 239  	if !modeOK {
	 240  		return nil
	 241  	}
	 242  
	 243  	if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) {
	 244  		c.sendAlert(alertIllegalParameter)
	 245  		return errors.New("tls: invalid or missing PSK binders")
	 246  	}
	 247  	if len(hs.clientHello.pskIdentities) == 0 {
	 248  		return nil
	 249  	}
	 250  
	 251  	for i, identity := range hs.clientHello.pskIdentities {
	 252  		if i >= maxClientPSKIdentities {
	 253  			break
	 254  		}
	 255  
	 256  		plaintext, _ := c.decryptTicket(identity.label)
	 257  		if plaintext == nil {
	 258  			continue
	 259  		}
	 260  		sessionState := new(sessionStateTLS13)
	 261  		if ok := sessionState.unmarshal(plaintext); !ok {
	 262  			continue
	 263  		}
	 264  
	 265  		createdAt := time.Unix(int64(sessionState.createdAt), 0)
	 266  		if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
	 267  			continue
	 268  		}
	 269  
	 270  		// We don't check the obfuscated ticket age because it's affected by
	 271  		// clock skew and it's only a freshness signal useful for shrinking the
	 272  		// window for replay attacks, which don't affect us as we don't do 0-RTT.
	 273  
	 274  		pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite)
	 275  		if pskSuite == nil || pskSuite.hash != hs.suite.hash {
	 276  			continue
	 277  		}
	 278  
	 279  		// PSK connections don't re-establish client certificates, but carry
	 280  		// them over in the session ticket. Ensure the presence of client certs
	 281  		// in the ticket is consistent with the configured requirements.
	 282  		sessionHasClientCerts := len(sessionState.certificate.Certificate) != 0
	 283  		needClientCerts := requiresClientCert(c.config.ClientAuth)
	 284  		if needClientCerts && !sessionHasClientCerts {
	 285  			continue
	 286  		}
	 287  		if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
	 288  			continue
	 289  		}
	 290  
	 291  		psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption",
	 292  			nil, hs.suite.hash.Size())
	 293  		hs.earlySecret = hs.suite.extract(psk, nil)
	 294  		binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
	 295  		// Clone the transcript in case a HelloRetryRequest was recorded.
	 296  		transcript := cloneHash(hs.transcript, hs.suite.hash)
	 297  		if transcript == nil {
	 298  			c.sendAlert(alertInternalError)
	 299  			return errors.New("tls: internal error: failed to clone hash")
	 300  		}
	 301  		transcript.Write(hs.clientHello.marshalWithoutBinders())
	 302  		pskBinder := hs.suite.finishedHash(binderKey, transcript)
	 303  		if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) {
	 304  			c.sendAlert(alertDecryptError)
	 305  			return errors.New("tls: invalid PSK binder")
	 306  		}
	 307  
	 308  		c.didResume = true
	 309  		if err := c.processCertsFromClient(sessionState.certificate); err != nil {
	 310  			return err
	 311  		}
	 312  
	 313  		hs.hello.selectedIdentityPresent = true
	 314  		hs.hello.selectedIdentity = uint16(i)
	 315  		hs.usingPSK = true
	 316  		return nil
	 317  	}
	 318  
	 319  	return nil
	 320  }
	 321  
	 322  // cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler
	 323  // interfaces implemented by standard library hashes to clone the state of in
	 324  // to a new instance of h. It returns nil if the operation fails.
	 325  func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
	 326  	// Recreate the interface to avoid importing encoding.
	 327  	type binaryMarshaler interface {
	 328  		MarshalBinary() (data []byte, err error)
	 329  		UnmarshalBinary(data []byte) error
	 330  	}
	 331  	marshaler, ok := in.(binaryMarshaler)
	 332  	if !ok {
	 333  		return nil
	 334  	}
	 335  	state, err := marshaler.MarshalBinary()
	 336  	if err != nil {
	 337  		return nil
	 338  	}
	 339  	out := h.New()
	 340  	unmarshaler, ok := out.(binaryMarshaler)
	 341  	if !ok {
	 342  		return nil
	 343  	}
	 344  	if err := unmarshaler.UnmarshalBinary(state); err != nil {
	 345  		return nil
	 346  	}
	 347  	return out
	 348  }
	 349  
	 350  func (hs *serverHandshakeStateTLS13) pickCertificate() error {
	 351  	c := hs.c
	 352  
	 353  	// Only one of PSK and certificates are used at a time.
	 354  	if hs.usingPSK {
	 355  		return nil
	 356  	}
	 357  
	 358  	// signature_algorithms is required in TLS 1.3. See RFC 8446, Section 4.2.3.
	 359  	if len(hs.clientHello.supportedSignatureAlgorithms) == 0 {
	 360  		return c.sendAlert(alertMissingExtension)
	 361  	}
	 362  
	 363  	certificate, err := c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
	 364  	if err != nil {
	 365  		if err == errNoCertificates {
	 366  			c.sendAlert(alertUnrecognizedName)
	 367  		} else {
	 368  			c.sendAlert(alertInternalError)
	 369  		}
	 370  		return err
	 371  	}
	 372  	hs.sigAlg, err = selectSignatureScheme(c.vers, certificate, hs.clientHello.supportedSignatureAlgorithms)
	 373  	if err != nil {
	 374  		// getCertificate returned a certificate that is unsupported or
	 375  		// incompatible with the client's signature algorithms.
	 376  		c.sendAlert(alertHandshakeFailure)
	 377  		return err
	 378  	}
	 379  	hs.cert = certificate
	 380  
	 381  	return nil
	 382  }
	 383  
	 384  // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
	 385  // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
	 386  func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
	 387  	if hs.sentDummyCCS {
	 388  		return nil
	 389  	}
	 390  	hs.sentDummyCCS = true
	 391  
	 392  	_, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
	 393  	return err
	 394  }
	 395  
	 396  func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
	 397  	c := hs.c
	 398  
	 399  	// The first ClientHello gets double-hashed into the transcript upon a
	 400  	// HelloRetryRequest. See RFC 8446, Section 4.4.1.
	 401  	hs.transcript.Write(hs.clientHello.marshal())
	 402  	chHash := hs.transcript.Sum(nil)
	 403  	hs.transcript.Reset()
	 404  	hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
	 405  	hs.transcript.Write(chHash)
	 406  
	 407  	helloRetryRequest := &serverHelloMsg{
	 408  		vers:							hs.hello.vers,
	 409  		random:						helloRetryRequestRandom,
	 410  		sessionId:				 hs.hello.sessionId,
	 411  		cipherSuite:			 hs.hello.cipherSuite,
	 412  		compressionMethod: hs.hello.compressionMethod,
	 413  		supportedVersion:	hs.hello.supportedVersion,
	 414  		selectedGroup:		 selectedGroup,
	 415  	}
	 416  
	 417  	hs.transcript.Write(helloRetryRequest.marshal())
	 418  	if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil {
	 419  		return err
	 420  	}
	 421  
	 422  	if err := hs.sendDummyChangeCipherSpec(); err != nil {
	 423  		return err
	 424  	}
	 425  
	 426  	msg, err := c.readHandshake()
	 427  	if err != nil {
	 428  		return err
	 429  	}
	 430  
	 431  	clientHello, ok := msg.(*clientHelloMsg)
	 432  	if !ok {
	 433  		c.sendAlert(alertUnexpectedMessage)
	 434  		return unexpectedMessageError(clientHello, msg)
	 435  	}
	 436  
	 437  	if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup {
	 438  		c.sendAlert(alertIllegalParameter)
	 439  		return errors.New("tls: client sent invalid key share in second ClientHello")
	 440  	}
	 441  
	 442  	if clientHello.earlyData {
	 443  		c.sendAlert(alertIllegalParameter)
	 444  		return errors.New("tls: client indicated early data in second ClientHello")
	 445  	}
	 446  
	 447  	if illegalClientHelloChange(clientHello, hs.clientHello) {
	 448  		c.sendAlert(alertIllegalParameter)
	 449  		return errors.New("tls: client illegally modified second ClientHello")
	 450  	}
	 451  
	 452  	hs.clientHello = clientHello
	 453  	return nil
	 454  }
	 455  
	 456  // illegalClientHelloChange reports whether the two ClientHello messages are
	 457  // different, with the exception of the changes allowed before and after a
	 458  // HelloRetryRequest. See RFC 8446, Section 4.1.2.
	 459  func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool {
	 460  	if len(ch.supportedVersions) != len(ch1.supportedVersions) ||
	 461  		len(ch.cipherSuites) != len(ch1.cipherSuites) ||
	 462  		len(ch.supportedCurves) != len(ch1.supportedCurves) ||
	 463  		len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) ||
	 464  		len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) ||
	 465  		len(ch.alpnProtocols) != len(ch1.alpnProtocols) {
	 466  		return true
	 467  	}
	 468  	for i := range ch.supportedVersions {
	 469  		if ch.supportedVersions[i] != ch1.supportedVersions[i] {
	 470  			return true
	 471  		}
	 472  	}
	 473  	for i := range ch.cipherSuites {
	 474  		if ch.cipherSuites[i] != ch1.cipherSuites[i] {
	 475  			return true
	 476  		}
	 477  	}
	 478  	for i := range ch.supportedCurves {
	 479  		if ch.supportedCurves[i] != ch1.supportedCurves[i] {
	 480  			return true
	 481  		}
	 482  	}
	 483  	for i := range ch.supportedSignatureAlgorithms {
	 484  		if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] {
	 485  			return true
	 486  		}
	 487  	}
	 488  	for i := range ch.supportedSignatureAlgorithmsCert {
	 489  		if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] {
	 490  			return true
	 491  		}
	 492  	}
	 493  	for i := range ch.alpnProtocols {
	 494  		if ch.alpnProtocols[i] != ch1.alpnProtocols[i] {
	 495  			return true
	 496  		}
	 497  	}
	 498  	return ch.vers != ch1.vers ||
	 499  		!bytes.Equal(ch.random, ch1.random) ||
	 500  		!bytes.Equal(ch.sessionId, ch1.sessionId) ||
	 501  		!bytes.Equal(ch.compressionMethods, ch1.compressionMethods) ||
	 502  		ch.serverName != ch1.serverName ||
	 503  		ch.ocspStapling != ch1.ocspStapling ||
	 504  		!bytes.Equal(ch.supportedPoints, ch1.supportedPoints) ||
	 505  		ch.ticketSupported != ch1.ticketSupported ||
	 506  		!bytes.Equal(ch.sessionTicket, ch1.sessionTicket) ||
	 507  		ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported ||
	 508  		!bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) ||
	 509  		ch.scts != ch1.scts ||
	 510  		!bytes.Equal(ch.cookie, ch1.cookie) ||
	 511  		!bytes.Equal(ch.pskModes, ch1.pskModes)
	 512  }
	 513  
	 514  func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
	 515  	c := hs.c
	 516  
	 517  	hs.transcript.Write(hs.clientHello.marshal())
	 518  	hs.transcript.Write(hs.hello.marshal())
	 519  	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
	 520  		return err
	 521  	}
	 522  
	 523  	if err := hs.sendDummyChangeCipherSpec(); err != nil {
	 524  		return err
	 525  	}
	 526  
	 527  	earlySecret := hs.earlySecret
	 528  	if earlySecret == nil {
	 529  		earlySecret = hs.suite.extract(nil, nil)
	 530  	}
	 531  	hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
	 532  		hs.suite.deriveSecret(earlySecret, "derived", nil))
	 533  
	 534  	clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
	 535  		clientHandshakeTrafficLabel, hs.transcript)
	 536  	c.in.setTrafficSecret(hs.suite, clientSecret)
	 537  	serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
	 538  		serverHandshakeTrafficLabel, hs.transcript)
	 539  	c.out.setTrafficSecret(hs.suite, serverSecret)
	 540  
	 541  	err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
	 542  	if err != nil {
	 543  		c.sendAlert(alertInternalError)
	 544  		return err
	 545  	}
	 546  	err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret)
	 547  	if err != nil {
	 548  		c.sendAlert(alertInternalError)
	 549  		return err
	 550  	}
	 551  
	 552  	encryptedExtensions := new(encryptedExtensionsMsg)
	 553  
	 554  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
	 555  	if err != nil {
	 556  		c.sendAlert(alertNoApplicationProtocol)
	 557  		return err
	 558  	}
	 559  	encryptedExtensions.alpnProtocol = selectedProto
	 560  	c.clientProtocol = selectedProto
	 561  
	 562  	hs.transcript.Write(encryptedExtensions.marshal())
	 563  	if _, err := c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()); err != nil {
	 564  		return err
	 565  	}
	 566  
	 567  	return nil
	 568  }
	 569  
	 570  func (hs *serverHandshakeStateTLS13) requestClientCert() bool {
	 571  	return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK
	 572  }
	 573  
	 574  func (hs *serverHandshakeStateTLS13) sendServerCertificate() error {
	 575  	c := hs.c
	 576  
	 577  	// Only one of PSK and certificates are used at a time.
	 578  	if hs.usingPSK {
	 579  		return nil
	 580  	}
	 581  
	 582  	if hs.requestClientCert() {
	 583  		// Request a client certificate
	 584  		certReq := new(certificateRequestMsgTLS13)
	 585  		certReq.ocspStapling = true
	 586  		certReq.scts = true
	 587  		certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
	 588  		if c.config.ClientCAs != nil {
	 589  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
	 590  		}
	 591  
	 592  		hs.transcript.Write(certReq.marshal())
	 593  		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
	 594  			return err
	 595  		}
	 596  	}
	 597  
	 598  	certMsg := new(certificateMsgTLS13)
	 599  
	 600  	certMsg.certificate = *hs.cert
	 601  	certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0
	 602  	certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0
	 603  
	 604  	hs.transcript.Write(certMsg.marshal())
	 605  	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
	 606  		return err
	 607  	}
	 608  
	 609  	certVerifyMsg := new(certificateVerifyMsg)
	 610  	certVerifyMsg.hasSignatureAlgorithm = true
	 611  	certVerifyMsg.signatureAlgorithm = hs.sigAlg
	 612  
	 613  	sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg)
	 614  	if err != nil {
	 615  		return c.sendAlert(alertInternalError)
	 616  	}
	 617  
	 618  	signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
	 619  	signOpts := crypto.SignerOpts(sigHash)
	 620  	if sigType == signatureRSAPSS {
	 621  		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
	 622  	}
	 623  	sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
	 624  	if err != nil {
	 625  		public := hs.cert.PrivateKey.(crypto.Signer).Public()
	 626  		if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS &&
	 627  			rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS
	 628  			c.sendAlert(alertHandshakeFailure)
	 629  		} else {
	 630  			c.sendAlert(alertInternalError)
	 631  		}
	 632  		return errors.New("tls: failed to sign handshake: " + err.Error())
	 633  	}
	 634  	certVerifyMsg.signature = sig
	 635  
	 636  	hs.transcript.Write(certVerifyMsg.marshal())
	 637  	if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
	 638  		return err
	 639  	}
	 640  
	 641  	return nil
	 642  }
	 643  
	 644  func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
	 645  	c := hs.c
	 646  
	 647  	finished := &finishedMsg{
	 648  		verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
	 649  	}
	 650  
	 651  	hs.transcript.Write(finished.marshal())
	 652  	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
	 653  		return err
	 654  	}
	 655  
	 656  	// Derive secrets that take context through the server Finished.
	 657  
	 658  	hs.masterSecret = hs.suite.extract(nil,
	 659  		hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil))
	 660  
	 661  	hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
	 662  		clientApplicationTrafficLabel, hs.transcript)
	 663  	serverSecret := hs.suite.deriveSecret(hs.masterSecret,
	 664  		serverApplicationTrafficLabel, hs.transcript)
	 665  	c.out.setTrafficSecret(hs.suite, serverSecret)
	 666  
	 667  	err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret)
	 668  	if err != nil {
	 669  		c.sendAlert(alertInternalError)
	 670  		return err
	 671  	}
	 672  	err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret)
	 673  	if err != nil {
	 674  		c.sendAlert(alertInternalError)
	 675  		return err
	 676  	}
	 677  
	 678  	c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
	 679  
	 680  	// If we did not request client certificates, at this point we can
	 681  	// precompute the client finished and roll the transcript forward to send
	 682  	// session tickets in our first flight.
	 683  	if !hs.requestClientCert() {
	 684  		if err := hs.sendSessionTickets(); err != nil {
	 685  			return err
	 686  		}
	 687  	}
	 688  
	 689  	return nil
	 690  }
	 691  
	 692  func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool {
	 693  	if hs.c.config.SessionTicketsDisabled {
	 694  		return false
	 695  	}
	 696  
	 697  	// Don't send tickets the client wouldn't use. See RFC 8446, Section 4.2.9.
	 698  	for _, pskMode := range hs.clientHello.pskModes {
	 699  		if pskMode == pskModeDHE {
	 700  			return true
	 701  		}
	 702  	}
	 703  	return false
	 704  }
	 705  
	 706  func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
	 707  	c := hs.c
	 708  
	 709  	hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
	 710  	finishedMsg := &finishedMsg{
	 711  		verifyData: hs.clientFinished,
	 712  	}
	 713  	hs.transcript.Write(finishedMsg.marshal())
	 714  
	 715  	if !hs.shouldSendSessionTickets() {
	 716  		return nil
	 717  	}
	 718  
	 719  	resumptionSecret := hs.suite.deriveSecret(hs.masterSecret,
	 720  		resumptionLabel, hs.transcript)
	 721  
	 722  	m := new(newSessionTicketMsgTLS13)
	 723  
	 724  	var certsFromClient [][]byte
	 725  	for _, cert := range c.peerCertificates {
	 726  		certsFromClient = append(certsFromClient, cert.Raw)
	 727  	}
	 728  	state := sessionStateTLS13{
	 729  		cipherSuite:			hs.suite.id,
	 730  		createdAt:				uint64(c.config.time().Unix()),
	 731  		resumptionSecret: resumptionSecret,
	 732  		certificate: Certificate{
	 733  			Certificate:								 certsFromClient,
	 734  			OCSPStaple:									c.ocspResponse,
	 735  			SignedCertificateTimestamps: c.scts,
	 736  		},
	 737  	}
	 738  	var err error
	 739  	m.label, err = c.encryptTicket(state.marshal())
	 740  	if err != nil {
	 741  		return err
	 742  	}
	 743  	m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
	 744  
	 745  	// ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
	 746  	// The value is not stored anywhere; we never need to check the ticket age
	 747  	// because 0-RTT is not supported.
	 748  	ageAdd := make([]byte, 4)
	 749  	_, err = hs.c.config.rand().Read(ageAdd)
	 750  	if err != nil {
	 751  		return err
	 752  	}
	 753  	m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
	 754  
	 755  	// ticket_nonce, which must be unique per connection, is always left at
	 756  	// zero because we only ever send one ticket per connection.
	 757  
	 758  	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
	 759  		return err
	 760  	}
	 761  
	 762  	return nil
	 763  }
	 764  
	 765  func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
	 766  	c := hs.c
	 767  
	 768  	if !hs.requestClientCert() {
	 769  		// Make sure the connection is still being verified whether or not
	 770  		// the server requested a client certificate.
	 771  		if c.config.VerifyConnection != nil {
	 772  			if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
	 773  				c.sendAlert(alertBadCertificate)
	 774  				return err
	 775  			}
	 776  		}
	 777  		return nil
	 778  	}
	 779  
	 780  	// If we requested a client certificate, then the client must send a
	 781  	// certificate message. If it's empty, no CertificateVerify is sent.
	 782  
	 783  	msg, err := c.readHandshake()
	 784  	if err != nil {
	 785  		return err
	 786  	}
	 787  
	 788  	certMsg, ok := msg.(*certificateMsgTLS13)
	 789  	if !ok {
	 790  		c.sendAlert(alertUnexpectedMessage)
	 791  		return unexpectedMessageError(certMsg, msg)
	 792  	}
	 793  	hs.transcript.Write(certMsg.marshal())
	 794  
	 795  	if err := c.processCertsFromClient(certMsg.certificate); err != nil {
	 796  		return err
	 797  	}
	 798  
	 799  	if c.config.VerifyConnection != nil {
	 800  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
	 801  			c.sendAlert(alertBadCertificate)
	 802  			return err
	 803  		}
	 804  	}
	 805  
	 806  	if len(certMsg.certificate.Certificate) != 0 {
	 807  		msg, err = c.readHandshake()
	 808  		if err != nil {
	 809  			return err
	 810  		}
	 811  
	 812  		certVerify, ok := msg.(*certificateVerifyMsg)
	 813  		if !ok {
	 814  			c.sendAlert(alertUnexpectedMessage)
	 815  			return unexpectedMessageError(certVerify, msg)
	 816  		}
	 817  
	 818  		// See RFC 8446, Section 4.4.3.
	 819  		if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) {
	 820  			c.sendAlert(alertIllegalParameter)
	 821  			return errors.New("tls: client certificate used with invalid signature algorithm")
	 822  		}
	 823  		sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
	 824  		if err != nil {
	 825  			return c.sendAlert(alertInternalError)
	 826  		}
	 827  		if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
	 828  			c.sendAlert(alertIllegalParameter)
	 829  			return errors.New("tls: client certificate used with invalid signature algorithm")
	 830  		}
	 831  		signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
	 832  		if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
	 833  			sigHash, signed, certVerify.signature); err != nil {
	 834  			c.sendAlert(alertDecryptError)
	 835  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
	 836  		}
	 837  
	 838  		hs.transcript.Write(certVerify.marshal())
	 839  	}
	 840  
	 841  	// If we waited until the client certificates to send session tickets, we
	 842  	// are ready to do it now.
	 843  	if err := hs.sendSessionTickets(); err != nil {
	 844  		return err
	 845  	}
	 846  
	 847  	return nil
	 848  }
	 849  
	 850  func (hs *serverHandshakeStateTLS13) readClientFinished() error {
	 851  	c := hs.c
	 852  
	 853  	msg, err := c.readHandshake()
	 854  	if err != nil {
	 855  		return err
	 856  	}
	 857  
	 858  	finished, ok := msg.(*finishedMsg)
	 859  	if !ok {
	 860  		c.sendAlert(alertUnexpectedMessage)
	 861  		return unexpectedMessageError(finished, msg)
	 862  	}
	 863  
	 864  	if !hmac.Equal(hs.clientFinished, finished.verifyData) {
	 865  		c.sendAlert(alertDecryptError)
	 866  		return errors.New("tls: invalid client finished hash")
	 867  	}
	 868  
	 869  	c.in.setTrafficSecret(hs.suite, hs.trafficSecret)
	 870  
	 871  	return nil
	 872  }
	 873
View as plain text