Source file
src/crypto/tls/handshake_client_tls13.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "context"
10 "crypto"
11 "crypto/hmac"
12 "crypto/rsa"
13 "errors"
14 "hash"
15 "sync/atomic"
16 "time"
17 )
18
19 type clientHandshakeStateTLS13 struct {
20 c *Conn
21 ctx context.Context
22 serverHello *serverHelloMsg
23 hello *clientHelloMsg
24 ecdheParams ecdheParameters
25
26 session *ClientSessionState
27 earlySecret []byte
28 binderKey []byte
29
30 certReq *certificateRequestMsgTLS13
31 usingPSK bool
32 sentDummyCCS bool
33 suite *cipherSuiteTLS13
34 transcript hash.Hash
35 masterSecret []byte
36 trafficSecret []byte
37 }
38
39
40
41 func (hs *clientHandshakeStateTLS13) handshake() error {
42 c := hs.c
43
44 if needFIPS() {
45 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
46 }
47
48
49
50 if c.handshakes > 0 {
51 c.sendAlert(alertProtocolVersion)
52 return errors.New("tls: server selected TLS 1.3 in a renegotiation")
53 }
54
55
56 if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
57 return c.sendAlert(alertInternalError)
58 }
59
60 if err := hs.checkServerHelloOrHRR(); err != nil {
61 return err
62 }
63
64 hs.transcript = hs.suite.hash.New()
65 hs.transcript.Write(hs.hello.marshal())
66
67 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
68 if err := hs.sendDummyChangeCipherSpec(); err != nil {
69 return err
70 }
71 if err := hs.processHelloRetryRequest(); err != nil {
72 return err
73 }
74 }
75
76 hs.transcript.Write(hs.serverHello.marshal())
77
78 c.buffering = true
79 if err := hs.processServerHello(); err != nil {
80 return err
81 }
82 if err := hs.sendDummyChangeCipherSpec(); err != nil {
83 return err
84 }
85 if err := hs.establishHandshakeKeys(); err != nil {
86 return err
87 }
88 if err := hs.readServerParameters(); err != nil {
89 return err
90 }
91 if err := hs.readServerCertificate(); err != nil {
92 return err
93 }
94 if err := hs.readServerFinished(); err != nil {
95 return err
96 }
97 if err := hs.sendClientCertificate(); err != nil {
98 return err
99 }
100 if err := hs.sendClientFinished(); err != nil {
101 return err
102 }
103 if _, err := c.flush(); err != nil {
104 return err
105 }
106
107 atomic.StoreUint32(&c.handshakeStatus, 1)
108
109 return nil
110 }
111
112
113
114 func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
115 c := hs.c
116
117 if hs.serverHello.supportedVersion == 0 {
118 c.sendAlert(alertMissingExtension)
119 return errors.New("tls: server selected TLS 1.3 using the legacy version field")
120 }
121
122 if hs.serverHello.supportedVersion != VersionTLS13 {
123 c.sendAlert(alertIllegalParameter)
124 return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
125 }
126
127 if hs.serverHello.vers != VersionTLS12 {
128 c.sendAlert(alertIllegalParameter)
129 return errors.New("tls: server sent an incorrect legacy version")
130 }
131
132 if hs.serverHello.ocspStapling ||
133 hs.serverHello.ticketSupported ||
134 hs.serverHello.secureRenegotiationSupported ||
135 len(hs.serverHello.secureRenegotiation) != 0 ||
136 len(hs.serverHello.alpnProtocol) != 0 ||
137 len(hs.serverHello.scts) != 0 {
138 c.sendAlert(alertUnsupportedExtension)
139 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
140 }
141
142 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
143 c.sendAlert(alertIllegalParameter)
144 return errors.New("tls: server did not echo the legacy session ID")
145 }
146
147 if hs.serverHello.compressionMethod != compressionNone {
148 c.sendAlert(alertIllegalParameter)
149 return errors.New("tls: server selected unsupported compression format")
150 }
151
152 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
153 if hs.suite != nil && selectedSuite != hs.suite {
154 c.sendAlert(alertIllegalParameter)
155 return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
156 }
157 if selectedSuite == nil {
158 c.sendAlert(alertIllegalParameter)
159 return errors.New("tls: server chose an unconfigured cipher suite")
160 }
161 hs.suite = selectedSuite
162 c.cipherSuite = hs.suite.id
163
164 return nil
165 }
166
167
168
169 func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
170 if hs.sentDummyCCS {
171 return nil
172 }
173 hs.sentDummyCCS = true
174
175 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
176 return err
177 }
178
179
180
181 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
182 c := hs.c
183
184
185
186
187 chHash := hs.transcript.Sum(nil)
188 hs.transcript.Reset()
189 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
190 hs.transcript.Write(chHash)
191 hs.transcript.Write(hs.serverHello.marshal())
192
193
194
195
196 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil {
197 c.sendAlert(alertIllegalParameter)
198 return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
199 }
200
201 if hs.serverHello.cookie != nil {
202 hs.hello.cookie = hs.serverHello.cookie
203 }
204
205 if hs.serverHello.serverShare.group != 0 {
206 c.sendAlert(alertDecodeError)
207 return errors.New("tls: received malformed key_share extension")
208 }
209
210
211
212
213 if curveID := hs.serverHello.selectedGroup; curveID != 0 {
214 curveOK := false
215 for _, id := range hs.hello.supportedCurves {
216 if id == curveID {
217 curveOK = true
218 break
219 }
220 }
221 if !curveOK {
222 c.sendAlert(alertIllegalParameter)
223 return errors.New("tls: server selected unsupported group")
224 }
225 if hs.ecdheParams.CurveID() == curveID {
226 c.sendAlert(alertIllegalParameter)
227 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
228 }
229 if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
230 c.sendAlert(alertInternalError)
231 return errors.New("tls: CurvePreferences includes unsupported curve")
232 }
233 params, err := generateECDHEParameters(c.config.rand(), curveID)
234 if err != nil {
235 c.sendAlert(alertInternalError)
236 return err
237 }
238 hs.ecdheParams = params
239 hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
240 }
241
242 hs.hello.raw = nil
243 if len(hs.hello.pskIdentities) > 0 {
244 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
245 if pskSuite == nil {
246 return c.sendAlert(alertInternalError)
247 }
248 if pskSuite.hash == hs.suite.hash {
249
250 ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond)
251 hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd
252
253 transcript := hs.suite.hash.New()
254 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
255 transcript.Write(chHash)
256 transcript.Write(hs.serverHello.marshal())
257 transcript.Write(hs.hello.marshalWithoutBinders())
258 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
259 hs.hello.updateBinders(pskBinders)
260 } else {
261
262 hs.hello.pskIdentities = nil
263 hs.hello.pskBinders = nil
264 }
265 }
266
267 hs.transcript.Write(hs.hello.marshal())
268 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
269 return err
270 }
271
272 msg, err := c.readHandshake()
273 if err != nil {
274 return err
275 }
276
277 serverHello, ok := msg.(*serverHelloMsg)
278 if !ok {
279 c.sendAlert(alertUnexpectedMessage)
280 return unexpectedMessageError(serverHello, msg)
281 }
282 hs.serverHello = serverHello
283
284 if err := hs.checkServerHelloOrHRR(); err != nil {
285 return err
286 }
287
288 return nil
289 }
290
291 func (hs *clientHandshakeStateTLS13) processServerHello() error {
292 c := hs.c
293
294 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
295 c.sendAlert(alertUnexpectedMessage)
296 return errors.New("tls: server sent two HelloRetryRequest messages")
297 }
298
299 if len(hs.serverHello.cookie) != 0 {
300 c.sendAlert(alertUnsupportedExtension)
301 return errors.New("tls: server sent a cookie in a normal ServerHello")
302 }
303
304 if hs.serverHello.selectedGroup != 0 {
305 c.sendAlert(alertDecodeError)
306 return errors.New("tls: malformed key_share extension")
307 }
308
309 if hs.serverHello.serverShare.group == 0 {
310 c.sendAlert(alertIllegalParameter)
311 return errors.New("tls: server did not send a key share")
312 }
313 if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() {
314 c.sendAlert(alertIllegalParameter)
315 return errors.New("tls: server selected unsupported group")
316 }
317
318 if !hs.serverHello.selectedIdentityPresent {
319 return nil
320 }
321
322 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
323 c.sendAlert(alertIllegalParameter)
324 return errors.New("tls: server selected an invalid PSK")
325 }
326
327 if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
328 return c.sendAlert(alertInternalError)
329 }
330 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
331 if pskSuite == nil {
332 return c.sendAlert(alertInternalError)
333 }
334 if pskSuite.hash != hs.suite.hash {
335 c.sendAlert(alertIllegalParameter)
336 return errors.New("tls: server selected an invalid PSK and cipher suite pair")
337 }
338
339 hs.usingPSK = true
340 c.didResume = true
341 c.peerCertificates = hs.session.serverCertificates
342 c.verifiedChains = hs.session.verifiedChains
343 c.ocspResponse = hs.session.ocspResponse
344 c.scts = hs.session.scts
345 return nil
346 }
347
348 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
349 c := hs.c
350
351 sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data)
352 if sharedKey == nil {
353 c.sendAlert(alertIllegalParameter)
354 return errors.New("tls: invalid server key share")
355 }
356
357 earlySecret := hs.earlySecret
358 if !hs.usingPSK {
359 earlySecret = hs.suite.extract(nil, nil)
360 }
361 handshakeSecret := hs.suite.extract(sharedKey,
362 hs.suite.deriveSecret(earlySecret, "derived", nil))
363
364 clientSecret := hs.suite.deriveSecret(handshakeSecret,
365 clientHandshakeTrafficLabel, hs.transcript)
366 c.out.setTrafficSecret(hs.suite, clientSecret)
367 serverSecret := hs.suite.deriveSecret(handshakeSecret,
368 serverHandshakeTrafficLabel, hs.transcript)
369 c.in.setTrafficSecret(hs.suite, serverSecret)
370
371 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
372 if err != nil {
373 c.sendAlert(alertInternalError)
374 return err
375 }
376 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
377 if err != nil {
378 c.sendAlert(alertInternalError)
379 return err
380 }
381
382 hs.masterSecret = hs.suite.extract(nil,
383 hs.suite.deriveSecret(handshakeSecret, "derived", nil))
384
385 return nil
386 }
387
388 func (hs *clientHandshakeStateTLS13) readServerParameters() error {
389 c := hs.c
390
391 msg, err := c.readHandshake()
392 if err != nil {
393 return err
394 }
395
396 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
397 if !ok {
398 c.sendAlert(alertUnexpectedMessage)
399 return unexpectedMessageError(encryptedExtensions, msg)
400 }
401 hs.transcript.Write(encryptedExtensions.marshal())
402
403 if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil {
404 c.sendAlert(alertUnsupportedExtension)
405 return err
406 }
407 c.clientProtocol = encryptedExtensions.alpnProtocol
408
409 return nil
410 }
411
412 func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
413 c := hs.c
414
415
416
417 if hs.usingPSK {
418
419
420
421 if c.config.VerifyConnection != nil {
422 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
423 c.sendAlert(alertBadCertificate)
424 return err
425 }
426 }
427 return nil
428 }
429
430 msg, err := c.readHandshake()
431 if err != nil {
432 return err
433 }
434
435 certReq, ok := msg.(*certificateRequestMsgTLS13)
436 if ok {
437 hs.transcript.Write(certReq.marshal())
438
439 hs.certReq = certReq
440
441 msg, err = c.readHandshake()
442 if err != nil {
443 return err
444 }
445 }
446
447 certMsg, ok := msg.(*certificateMsgTLS13)
448 if !ok {
449 c.sendAlert(alertUnexpectedMessage)
450 return unexpectedMessageError(certMsg, msg)
451 }
452 if len(certMsg.certificate.Certificate) == 0 {
453 c.sendAlert(alertDecodeError)
454 return errors.New("tls: received empty certificates message")
455 }
456 hs.transcript.Write(certMsg.marshal())
457
458 c.scts = certMsg.certificate.SignedCertificateTimestamps
459 c.ocspResponse = certMsg.certificate.OCSPStaple
460
461 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
462 return err
463 }
464
465 msg, err = c.readHandshake()
466 if err != nil {
467 return err
468 }
469
470 certVerify, ok := msg.(*certificateVerifyMsg)
471 if !ok {
472 c.sendAlert(alertUnexpectedMessage)
473 return unexpectedMessageError(certVerify, msg)
474 }
475
476
477 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
478 c.sendAlert(alertIllegalParameter)
479 return errors.New("tls: certificate used with invalid signature algorithm")
480 }
481 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
482 if err != nil {
483 return c.sendAlert(alertInternalError)
484 }
485 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
486 c.sendAlert(alertIllegalParameter)
487 return errors.New("tls: certificate used with invalid signature algorithm")
488 }
489 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
490 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
491 sigHash, signed, certVerify.signature); err != nil {
492 c.sendAlert(alertDecryptError)
493 return errors.New("tls: invalid signature by the server certificate: " + err.Error())
494 }
495
496 hs.transcript.Write(certVerify.marshal())
497
498 return nil
499 }
500
501 func (hs *clientHandshakeStateTLS13) readServerFinished() error {
502 c := hs.c
503
504 msg, err := c.readHandshake()
505 if err != nil {
506 return err
507 }
508
509 finished, ok := msg.(*finishedMsg)
510 if !ok {
511 c.sendAlert(alertUnexpectedMessage)
512 return unexpectedMessageError(finished, msg)
513 }
514
515 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
516 if !hmac.Equal(expectedMAC, finished.verifyData) {
517 c.sendAlert(alertDecryptError)
518 return errors.New("tls: invalid server finished hash")
519 }
520
521 hs.transcript.Write(finished.marshal())
522
523
524
525 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
526 clientApplicationTrafficLabel, hs.transcript)
527 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
528 serverApplicationTrafficLabel, hs.transcript)
529 c.in.setTrafficSecret(hs.suite, serverSecret)
530
531 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
532 if err != nil {
533 c.sendAlert(alertInternalError)
534 return err
535 }
536 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
537 if err != nil {
538 c.sendAlert(alertInternalError)
539 return err
540 }
541
542 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
543
544 return nil
545 }
546
547 func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
548 c := hs.c
549
550 if hs.certReq == nil {
551 return nil
552 }
553
554 cert, err := c.getClientCertificate(&CertificateRequestInfo{
555 AcceptableCAs: hs.certReq.certificateAuthorities,
556 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
557 Version: c.vers,
558 ctx: hs.ctx,
559 })
560 if err != nil {
561 return err
562 }
563
564 certMsg := new(certificateMsgTLS13)
565
566 certMsg.certificate = *cert
567 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
568 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
569
570 hs.transcript.Write(certMsg.marshal())
571 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
572 return err
573 }
574
575
576 if len(cert.Certificate) == 0 {
577 return nil
578 }
579
580 certVerifyMsg := new(certificateVerifyMsg)
581 certVerifyMsg.hasSignatureAlgorithm = true
582
583 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
584 if err != nil {
585
586
587 c.sendAlert(alertHandshakeFailure)
588 return err
589 }
590
591 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
592 if err != nil {
593 return c.sendAlert(alertInternalError)
594 }
595
596 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
597 signOpts := crypto.SignerOpts(sigHash)
598 if sigType == signatureRSAPSS {
599 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
600 }
601 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
602 if err != nil {
603 c.sendAlert(alertInternalError)
604 return errors.New("tls: failed to sign handshake: " + err.Error())
605 }
606 certVerifyMsg.signature = sig
607
608 hs.transcript.Write(certVerifyMsg.marshal())
609 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
610 return err
611 }
612
613 return nil
614 }
615
616 func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
617 c := hs.c
618
619 finished := &finishedMsg{
620 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
621 }
622
623 hs.transcript.Write(finished.marshal())
624 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
625 return err
626 }
627
628 c.out.setTrafficSecret(hs.suite, hs.trafficSecret)
629
630 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
631 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
632 resumptionLabel, hs.transcript)
633 }
634
635 return nil
636 }
637
638 func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
639 if !c.isClient {
640 c.sendAlert(alertUnexpectedMessage)
641 return errors.New("tls: received new session ticket from a client")
642 }
643
644 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
645 return nil
646 }
647
648
649 if msg.lifetime == 0 {
650 return nil
651 }
652 lifetime := time.Duration(msg.lifetime) * time.Second
653 if lifetime > maxSessionTicketLifetime {
654 c.sendAlert(alertIllegalParameter)
655 return errors.New("tls: received a session ticket with invalid lifetime")
656 }
657
658 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
659 if cipherSuite == nil || c.resumptionSecret == nil {
660 return c.sendAlert(alertInternalError)
661 }
662
663
664
665
666
667 session := &ClientSessionState{
668 sessionTicket: msg.label,
669 vers: c.vers,
670 cipherSuite: c.cipherSuite,
671 masterSecret: c.resumptionSecret,
672 serverCertificates: c.peerCertificates,
673 verifiedChains: c.verifiedChains,
674 receivedAt: c.config.time(),
675 nonce: msg.nonce,
676 useBy: c.config.time().Add(lifetime),
677 ageAdd: msg.ageAdd,
678 ocspResponse: c.ocspResponse,
679 scts: c.scts,
680 }
681
682 cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
683 c.config.ClientSessionCache.Put(cacheKey, session)
684
685 return nil
686 }
687
View as plain text