1 // Copyright 2018 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
19 type clientHandshakeStateTLS13 struct {
22 serverHello *serverHelloMsg
24 ecdheKey *ecdh.PrivateKey
26 session *ClientSessionState
30 certReq *certificateRequestMsgTLS13
33 suite *cipherSuiteTLS13
36 trafficSecret []byte // client_application_traffic_secret_0
39 // handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheKey, and,
40 // optionally, hs.session, hs.earlySecret and hs.binderKey to be set.
41 func (hs *clientHandshakeStateTLS13) handshake() error {
45 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
48 // The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
49 // sections 4.1.2 and 4.1.3.
51 c.sendAlert(alertProtocolVersion)
52 return errors.New("tls: server selected TLS 1.3 in a renegotiation")
55 // Consistency check on the presence of a keyShare and its parameters.
56 if hs.ecdheKey == nil || len(hs.hello.keyShares) != 1 {
57 return c.sendAlert(alertInternalError)
60 if err := hs.checkServerHelloOrHRR(); err != nil {
64 hs.transcript = hs.suite.hash.New()
66 if err := transcriptMsg(hs.hello, hs.transcript); err != nil {
70 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
71 if err := hs.sendDummyChangeCipherSpec(); err != nil {
74 if err := hs.processHelloRetryRequest(); err != nil {
79 if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil {
84 if err := hs.processServerHello(); err != nil {
87 if err := hs.sendDummyChangeCipherSpec(); err != nil {
90 if err := hs.establishHandshakeKeys(); err != nil {
93 if err := hs.readServerParameters(); err != nil {
96 if err := hs.readServerCertificate(); err != nil {
99 if err := hs.readServerFinished(); err != nil {
102 if err := hs.sendClientCertificate(); err != nil {
105 if err := hs.sendClientFinished(); err != nil {
108 if _, err := c.flush(); err != nil {
112 c.isHandshakeComplete.Store(true)
117 // checkServerHelloOrHRR does validity checks that apply to both ServerHello and
118 // HelloRetryRequest messages. It sets hs.suite.
119 func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
122 if hs.serverHello.supportedVersion == 0 {
123 c.sendAlert(alertMissingExtension)
124 return errors.New("tls: server selected TLS 1.3 using the legacy version field")
127 if hs.serverHello.supportedVersion != VersionTLS13 {
128 c.sendAlert(alertIllegalParameter)
129 return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
132 if hs.serverHello.vers != VersionTLS12 {
133 c.sendAlert(alertIllegalParameter)
134 return errors.New("tls: server sent an incorrect legacy version")
137 if hs.serverHello.ocspStapling ||
138 hs.serverHello.ticketSupported ||
139 hs.serverHello.secureRenegotiationSupported ||
140 len(hs.serverHello.secureRenegotiation) != 0 ||
141 len(hs.serverHello.alpnProtocol) != 0 ||
142 len(hs.serverHello.scts) != 0 {
143 c.sendAlert(alertUnsupportedExtension)
144 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
147 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
148 c.sendAlert(alertIllegalParameter)
149 return errors.New("tls: server did not echo the legacy session ID")
152 if hs.serverHello.compressionMethod != compressionNone {
153 c.sendAlert(alertIllegalParameter)
154 return errors.New("tls: server selected unsupported compression format")
157 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
158 if hs.suite != nil && selectedSuite != hs.suite {
159 c.sendAlert(alertIllegalParameter)
160 return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
162 if selectedSuite == nil {
163 c.sendAlert(alertIllegalParameter)
164 return errors.New("tls: server chose an unconfigured cipher suite")
166 hs.suite = selectedSuite
167 c.cipherSuite = hs.suite.id
172 // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
173 // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
174 func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
178 hs.sentDummyCCS = true
180 return hs.c.writeChangeCipherRecord()
183 // processHelloRetryRequest handles the HRR in hs.serverHello, modifies and
184 // resends hs.hello, and reads the new ServerHello into hs.serverHello.
185 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
188 // The first ClientHello gets double-hashed into the transcript upon a
189 // HelloRetryRequest. (The idea is that the server might offload transcript
190 // storage to the client in the cookie.) See RFC 8446, Section 4.4.1.
191 chHash := hs.transcript.Sum(nil)
192 hs.transcript.Reset()
193 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
194 hs.transcript.Write(chHash)
195 if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil {
199 // The only HelloRetryRequest extensions we support are key_share and
200 // cookie, and clients must abort the handshake if the HRR would not result
201 // in any change in the ClientHello.
202 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil {
203 c.sendAlert(alertIllegalParameter)
204 return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
207 if hs.serverHello.cookie != nil {
208 hs.hello.cookie = hs.serverHello.cookie
211 if hs.serverHello.serverShare.group != 0 {
212 c.sendAlert(alertDecodeError)
213 return errors.New("tls: received malformed key_share extension")
216 // If the server sent a key_share extension selecting a group, ensure it's
217 // a group we advertised but did not send a key share for, and send a key
218 // share for it this time.
219 if curveID := hs.serverHello.selectedGroup; curveID != 0 {
221 for _, id := range hs.hello.supportedCurves {
228 c.sendAlert(alertIllegalParameter)
229 return errors.New("tls: server selected unsupported group")
231 if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); sentID == curveID {
232 c.sendAlert(alertIllegalParameter)
233 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
235 if _, ok := curveForCurveID(curveID); !ok {
236 c.sendAlert(alertInternalError)
237 return errors.New("tls: CurvePreferences includes unsupported curve")
239 key, err := generateECDHEKey(c.config.rand(), curveID)
241 c.sendAlert(alertInternalError)
245 hs.hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
249 if len(hs.hello.pskIdentities) > 0 {
250 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
252 return c.sendAlert(alertInternalError)
254 if pskSuite.hash == hs.suite.hash {
255 // Update binders and obfuscated_ticket_age.
256 ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond)
257 hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd
259 transcript := hs.suite.hash.New()
260 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
261 transcript.Write(chHash)
262 if err := transcriptMsg(hs.serverHello, transcript); err != nil {
265 helloBytes, err := hs.hello.marshalWithoutBinders()
269 transcript.Write(helloBytes)
270 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
271 if err := hs.hello.updateBinders(pskBinders); err != nil {
275 // Server selected a cipher suite incompatible with the PSK.
276 hs.hello.pskIdentities = nil
277 hs.hello.pskBinders = nil
281 if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil {
285 // serverHelloMsg is not included in the transcript
286 msg, err := c.readHandshake(nil)
291 serverHello, ok := msg.(*serverHelloMsg)
293 c.sendAlert(alertUnexpectedMessage)
294 return unexpectedMessageError(serverHello, msg)
296 hs.serverHello = serverHello
298 if err := hs.checkServerHelloOrHRR(); err != nil {
305 func (hs *clientHandshakeStateTLS13) processServerHello() error {
308 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
309 c.sendAlert(alertUnexpectedMessage)
310 return errors.New("tls: server sent two HelloRetryRequest messages")
313 if len(hs.serverHello.cookie) != 0 {
314 c.sendAlert(alertUnsupportedExtension)
315 return errors.New("tls: server sent a cookie in a normal ServerHello")
318 if hs.serverHello.selectedGroup != 0 {
319 c.sendAlert(alertDecodeError)
320 return errors.New("tls: malformed key_share extension")
323 if hs.serverHello.serverShare.group == 0 {
324 c.sendAlert(alertIllegalParameter)
325 return errors.New("tls: server did not send a key share")
327 if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); hs.serverHello.serverShare.group != sentID {
328 c.sendAlert(alertIllegalParameter)
329 return errors.New("tls: server selected unsupported group")
332 if !hs.serverHello.selectedIdentityPresent {
336 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
337 c.sendAlert(alertIllegalParameter)
338 return errors.New("tls: server selected an invalid PSK")
341 if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
342 return c.sendAlert(alertInternalError)
344 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
346 return c.sendAlert(alertInternalError)
348 if pskSuite.hash != hs.suite.hash {
349 c.sendAlert(alertIllegalParameter)
350 return errors.New("tls: server selected an invalid PSK and cipher suite pair")
355 c.peerCertificates = hs.session.serverCertificates
356 c.verifiedChains = hs.session.verifiedChains
357 c.ocspResponse = hs.session.ocspResponse
358 c.scts = hs.session.scts
362 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
365 peerKey, err := hs.ecdheKey.Curve().NewPublicKey(hs.serverHello.serverShare.data)
367 c.sendAlert(alertIllegalParameter)
368 return errors.New("tls: invalid server key share")
370 sharedKey, err := hs.ecdheKey.ECDH(peerKey)
372 c.sendAlert(alertIllegalParameter)
373 return errors.New("tls: invalid server key share")
376 earlySecret := hs.earlySecret
378 earlySecret = hs.suite.extract(nil, nil)
381 handshakeSecret := hs.suite.extract(sharedKey,
382 hs.suite.deriveSecret(earlySecret, "derived", nil))
384 clientSecret := hs.suite.deriveSecret(handshakeSecret,
385 clientHandshakeTrafficLabel, hs.transcript)
386 c.out.setTrafficSecret(hs.suite, clientSecret)
387 serverSecret := hs.suite.deriveSecret(handshakeSecret,
388 serverHandshakeTrafficLabel, hs.transcript)
389 c.in.setTrafficSecret(hs.suite, serverSecret)
391 err = c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
393 c.sendAlert(alertInternalError)
396 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
398 c.sendAlert(alertInternalError)
402 hs.masterSecret = hs.suite.extract(nil,
403 hs.suite.deriveSecret(handshakeSecret, "derived", nil))
408 func (hs *clientHandshakeStateTLS13) readServerParameters() error {
411 msg, err := c.readHandshake(hs.transcript)
416 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
418 c.sendAlert(alertUnexpectedMessage)
419 return unexpectedMessageError(encryptedExtensions, msg)
422 if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil {
423 c.sendAlert(alertUnsupportedExtension)
426 c.clientProtocol = encryptedExtensions.alpnProtocol
431 func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
434 // Either a PSK or a certificate is always used, but not both.
435 // See RFC 8446, Section 4.1.1.
437 // Make sure the connection is still being verified whether or not this
438 // is a resumption. Resumptions currently don't reverify certificates so
439 // they don't call verifyServerCertificate. See Issue 31641.
440 if c.config.VerifyConnection != nil {
441 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
442 c.sendAlert(alertBadCertificate)
449 msg, err := c.readHandshake(hs.transcript)
454 certReq, ok := msg.(*certificateRequestMsgTLS13)
458 msg, err = c.readHandshake(hs.transcript)
464 certMsg, ok := msg.(*certificateMsgTLS13)
466 c.sendAlert(alertUnexpectedMessage)
467 return unexpectedMessageError(certMsg, msg)
469 if len(certMsg.certificate.Certificate) == 0 {
470 c.sendAlert(alertDecodeError)
471 return errors.New("tls: received empty certificates message")
474 c.scts = certMsg.certificate.SignedCertificateTimestamps
475 c.ocspResponse = certMsg.certificate.OCSPStaple
477 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
481 // certificateVerifyMsg is included in the transcript, but not until
482 // after we verify the handshake signature, since the state before
483 // this message was sent is used.
484 msg, err = c.readHandshake(nil)
489 certVerify, ok := msg.(*certificateVerifyMsg)
491 c.sendAlert(alertUnexpectedMessage)
492 return unexpectedMessageError(certVerify, msg)
495 // See RFC 8446, Section 4.4.3.
496 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
497 c.sendAlert(alertIllegalParameter)
498 return errors.New("tls: certificate used with invalid signature algorithm")
500 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
502 return c.sendAlert(alertInternalError)
504 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
505 c.sendAlert(alertIllegalParameter)
506 return errors.New("tls: certificate used with invalid signature algorithm")
508 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
509 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
510 sigHash, signed, certVerify.signature); err != nil {
511 c.sendAlert(alertDecryptError)
512 return errors.New("tls: invalid signature by the server certificate: " + err.Error())
515 if err := transcriptMsg(certVerify, hs.transcript); err != nil {
522 func (hs *clientHandshakeStateTLS13) readServerFinished() error {
525 // finishedMsg is included in the transcript, but not until after we
526 // check the client version, since the state before this message was
527 // sent is used during verification.
528 msg, err := c.readHandshake(nil)
533 finished, ok := msg.(*finishedMsg)
535 c.sendAlert(alertUnexpectedMessage)
536 return unexpectedMessageError(finished, msg)
539 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
540 if !hmac.Equal(expectedMAC, finished.verifyData) {
541 c.sendAlert(alertDecryptError)
542 return errors.New("tls: invalid server finished hash")
545 if err := transcriptMsg(finished, hs.transcript); err != nil {
549 // Derive secrets that take context through the server Finished.
551 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
552 clientApplicationTrafficLabel, hs.transcript)
553 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
554 serverApplicationTrafficLabel, hs.transcript)
555 c.in.setTrafficSecret(hs.suite, serverSecret)
557 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
559 c.sendAlert(alertInternalError)
562 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
564 c.sendAlert(alertInternalError)
568 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
573 func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
576 if hs.certReq == nil {
580 cert, err := c.getClientCertificate(&CertificateRequestInfo{
581 AcceptableCAs: hs.certReq.certificateAuthorities,
582 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
590 certMsg := new(certificateMsgTLS13)
592 certMsg.certificate = *cert
593 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
594 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
596 if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil {
600 // If we sent an empty certificate message, skip the CertificateVerify.
601 if len(cert.Certificate) == 0 {
605 certVerifyMsg := new(certificateVerifyMsg)
606 certVerifyMsg.hasSignatureAlgorithm = true
608 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
610 // getClientCertificate returned a certificate incompatible with the
611 // CertificateRequestInfo supported signature algorithms.
612 c.sendAlert(alertHandshakeFailure)
616 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
618 return c.sendAlert(alertInternalError)
621 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
622 signOpts := crypto.SignerOpts(sigHash)
623 if sigType == signatureRSAPSS {
624 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
626 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
628 c.sendAlert(alertInternalError)
629 return errors.New("tls: failed to sign handshake: " + err.Error())
631 certVerifyMsg.signature = sig
633 if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil {
640 func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
643 finished := &finishedMsg{
644 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
647 if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil {
651 c.out.setTrafficSecret(hs.suite, hs.trafficSecret)
653 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
654 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
655 resumptionLabel, hs.transcript)
661 func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
663 c.sendAlert(alertUnexpectedMessage)
664 return errors.New("tls: received new session ticket from a client")
667 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
671 // See RFC 8446, Section 4.6.1.
672 if msg.lifetime == 0 {
675 lifetime := time.Duration(msg.lifetime) * time.Second
676 if lifetime > maxSessionTicketLifetime {
677 c.sendAlert(alertIllegalParameter)
678 return errors.New("tls: received a session ticket with invalid lifetime")
681 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
682 if cipherSuite == nil || c.resumptionSecret == nil {
683 return c.sendAlert(alertInternalError)
686 // Save the resumption_master_secret and nonce instead of deriving the PSK
687 // to do the least amount of work on NewSessionTicket messages before we
688 // know if the ticket will be used. Forward secrecy of resumed connections
689 // is guaranteed by the requirement for pskModeDHE.
690 session := &ClientSessionState{
691 sessionTicket: msg.label,
693 cipherSuite: c.cipherSuite,
694 masterSecret: c.resumptionSecret,
695 serverCertificates: c.peerCertificates,
696 verifiedChains: c.verifiedChains,
697 receivedAt: c.config.time(),
699 useBy: c.config.time().Add(lifetime),
701 ocspResponse: c.ocspResponse,
705 cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
706 c.config.ClientSessionCache.Put(cacheKey, session)