1 // Copyright 2018 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
20 // maxClientPSKIdentities is the number of client PSK identities the server will
21 // attempt to validate. It will ignore the rest not to let cheap ClientHello
22 // messages cause too much work in session ticket decryption attempts.
23 const maxClientPSKIdentities = 5
25 type serverHandshakeStateTLS13 struct {
28 clientHello *clientHelloMsg
32 suite *cipherSuiteTLS13
34 sigAlg SignatureScheme
37 handshakeSecret []byte
39 trafficSecret []byte // client_application_traffic_secret_0
44 func (hs *serverHandshakeStateTLS13) handshake() error {
48 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
51 // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
52 if err := hs.processClientHello(); err != nil {
55 if err := hs.checkForResumption(); err != nil {
58 if err := hs.pickCertificate(); err != nil {
62 if err := hs.sendServerParameters(); err != nil {
65 if err := hs.sendServerCertificate(); err != nil {
68 if err := hs.sendServerFinished(); err != nil {
71 // Note that at this point we could start sending application data without
72 // waiting for the client's second flight, but the application might not
73 // expect the lack of replay protection of the ClientHello parameters.
74 if _, err := c.flush(); err != nil {
77 if err := hs.readClientCertificate(); err != nil {
80 if err := hs.readClientFinished(); err != nil {
84 c.isHandshakeComplete.Store(true)
89 func (hs *serverHandshakeStateTLS13) processClientHello() error {
92 hs.hello = new(serverHelloMsg)
94 // TLS 1.3 froze the ServerHello.legacy_version field, and uses
95 // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1.
96 hs.hello.vers = VersionTLS12
97 hs.hello.supportedVersion = c.vers
99 if len(hs.clientHello.supportedVersions) == 0 {
100 c.sendAlert(alertIllegalParameter)
101 return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
104 // Abort if the client is doing a fallback and landing lower than what we
105 // support. See RFC 7507, which however does not specify the interaction
106 // with supported_versions. The only difference is that with
107 // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4]
108 // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case,
109 // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to
110 // TLS 1.2, because a TLS 1.3 server would abort here. The situation before
111 // supported_versions was not better because there was just no way to do a
112 // TLS 1.4 handshake without risking the server selecting TLS 1.3.
113 for _, id := range hs.clientHello.cipherSuites {
114 if id == TLS_FALLBACK_SCSV {
115 // Use c.vers instead of max(supported_versions) because an attacker
116 // could defeat this by adding an arbitrary high version otherwise.
117 if c.vers < c.config.maxSupportedVersion(roleServer) {
118 c.sendAlert(alertInappropriateFallback)
119 return errors.New("tls: client using inappropriate protocol fallback")
125 if len(hs.clientHello.compressionMethods) != 1 ||
126 hs.clientHello.compressionMethods[0] != compressionNone {
127 c.sendAlert(alertIllegalParameter)
128 return errors.New("tls: TLS 1.3 client supports illegal compression methods")
131 hs.hello.random = make([]byte, 32)
132 if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
133 c.sendAlert(alertInternalError)
137 if len(hs.clientHello.secureRenegotiation) != 0 {
138 c.sendAlert(alertHandshakeFailure)
139 return errors.New("tls: initial handshake had non-empty renegotiation extension")
142 if hs.clientHello.earlyData {
143 // See RFC 8446, Section 4.2.10 for the complicated behavior required
144 // here. The scenario is that a different server at our address offered
145 // to accept early data in the past, which we can't handle. For now, all
146 // 0-RTT enabled session tickets need to expire before a Go server can
147 // replace a server or join a pool. That's the same requirement that
148 // applies to mixing or replacing with any TLS 1.2 server.
149 c.sendAlert(alertUnsupportedExtension)
150 return errors.New("tls: client sent unexpected early data")
153 hs.hello.sessionId = hs.clientHello.sessionId
154 hs.hello.compressionMethod = compressionNone
156 preferenceList := defaultCipherSuitesTLS13
157 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
158 preferenceList = defaultCipherSuitesTLS13NoAES
160 for _, suiteID := range preferenceList {
161 hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID)
167 c.sendAlert(alertHandshakeFailure)
168 return errors.New("tls: no cipher suite supported by both client and server")
170 c.cipherSuite = hs.suite.id
171 hs.hello.cipherSuite = hs.suite.id
172 hs.transcript = hs.suite.hash.New()
174 // Pick the ECDHE group in server preference order, but give priority to
175 // groups with a key share, to avoid a HelloRetryRequest round-trip.
176 var selectedGroup CurveID
177 var clientKeyShare *keyShare
179 for _, preferredGroup := range c.config.curvePreferences() {
180 for _, ks := range hs.clientHello.keyShares {
181 if ks.group == preferredGroup {
182 selectedGroup = ks.group
187 if selectedGroup != 0 {
190 for _, group := range hs.clientHello.supportedCurves {
191 if group == preferredGroup {
192 selectedGroup = group
197 if selectedGroup == 0 {
198 c.sendAlert(alertHandshakeFailure)
199 return errors.New("tls: no ECDHE curve supported by both client and server")
201 if clientKeyShare == nil {
202 if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
205 clientKeyShare = &hs.clientHello.keyShares[0]
208 if _, ok := curveForCurveID(selectedGroup); !ok {
209 c.sendAlert(alertInternalError)
210 return errors.New("tls: CurvePreferences includes unsupported curve")
212 key, err := generateECDHEKey(c.config.rand(), selectedGroup)
214 c.sendAlert(alertInternalError)
217 hs.hello.serverShare = keyShare{group: selectedGroup, data: key.PublicKey().Bytes()}
218 peerKey, err := key.Curve().NewPublicKey(clientKeyShare.data)
220 c.sendAlert(alertIllegalParameter)
221 return errors.New("tls: invalid client key share")
223 hs.sharedKey, err = key.ECDH(peerKey)
225 c.sendAlert(alertIllegalParameter)
226 return errors.New("tls: invalid client key share")
230 if hs.clientHello.quicTransportParameters == nil {
231 // RFC 9001 Section 8.2.
232 c.sendAlert(alertMissingExtension)
233 return errors.New("tls: client did not send a quic_transport_parameters extension")
235 c.quicSetTransportParameters(hs.clientHello.quicTransportParameters)
237 if hs.clientHello.quicTransportParameters != nil {
238 c.sendAlert(alertUnsupportedExtension)
239 return errors.New("tls: client sent an unexpected quic_transport_parameters extension")
243 c.serverName = hs.clientHello.serverName
247 func (hs *serverHandshakeStateTLS13) checkForResumption() error {
250 if c.config.SessionTicketsDisabled {
255 for _, mode := range hs.clientHello.pskModes {
256 if mode == pskModeDHE {
265 if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) {
266 c.sendAlert(alertIllegalParameter)
267 return errors.New("tls: invalid or missing PSK binders")
269 if len(hs.clientHello.pskIdentities) == 0 {
273 for i, identity := range hs.clientHello.pskIdentities {
274 if i >= maxClientPSKIdentities {
278 plaintext := c.decryptTicket(identity.label)
279 if plaintext == nil {
282 sessionState := new(sessionStateTLS13)
283 if ok := sessionState.unmarshal(plaintext); !ok {
287 createdAt := time.Unix(int64(sessionState.createdAt), 0)
288 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
292 // We don't check the obfuscated ticket age because it's affected by
293 // clock skew and it's only a freshness signal useful for shrinking the
294 // window for replay attacks, which don't affect us as we don't do 0-RTT.
296 pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite)
297 if pskSuite == nil || pskSuite.hash != hs.suite.hash {
301 // PSK connections don't re-establish client certificates, but carry
302 // them over in the session ticket. Ensure the presence of client certs
303 // in the ticket is consistent with the configured requirements.
304 sessionHasClientCerts := len(sessionState.certificate.Certificate) != 0
305 needClientCerts := requiresClientCert(c.config.ClientAuth)
306 if needClientCerts && !sessionHasClientCerts {
309 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
313 psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption",
314 nil, hs.suite.hash.Size())
315 hs.earlySecret = hs.suite.extract(psk, nil)
316 binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
317 // Clone the transcript in case a HelloRetryRequest was recorded.
318 transcript := cloneHash(hs.transcript, hs.suite.hash)
319 if transcript == nil {
320 c.sendAlert(alertInternalError)
321 return errors.New("tls: internal error: failed to clone hash")
323 clientHelloBytes, err := hs.clientHello.marshalWithoutBinders()
325 c.sendAlert(alertInternalError)
328 transcript.Write(clientHelloBytes)
329 pskBinder := hs.suite.finishedHash(binderKey, transcript)
330 if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) {
331 c.sendAlert(alertDecryptError)
332 return errors.New("tls: invalid PSK binder")
336 if err := c.processCertsFromClient(sessionState.certificate); err != nil {
340 hs.hello.selectedIdentityPresent = true
341 hs.hello.selectedIdentity = uint16(i)
349 // cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler
350 // interfaces implemented by standard library hashes to clone the state of in
351 // to a new instance of h. It returns nil if the operation fails.
352 func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
353 // Recreate the interface to avoid importing encoding.
354 type binaryMarshaler interface {
355 MarshalBinary() (data []byte, err error)
356 UnmarshalBinary(data []byte) error
358 marshaler, ok := in.(binaryMarshaler)
362 state, err := marshaler.MarshalBinary()
367 unmarshaler, ok := out.(binaryMarshaler)
371 if err := unmarshaler.UnmarshalBinary(state); err != nil {
377 func (hs *serverHandshakeStateTLS13) pickCertificate() error {
380 // Only one of PSK and certificates are used at a time.
385 // signature_algorithms is required in TLS 1.3. See RFC 8446, Section 4.2.3.
386 if len(hs.clientHello.supportedSignatureAlgorithms) == 0 {
387 return c.sendAlert(alertMissingExtension)
390 certificate, err := c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
392 if err == errNoCertificates {
393 c.sendAlert(alertUnrecognizedName)
395 c.sendAlert(alertInternalError)
399 hs.sigAlg, err = selectSignatureScheme(c.vers, certificate, hs.clientHello.supportedSignatureAlgorithms)
401 // getCertificate returned a certificate that is unsupported or
402 // incompatible with the client's signature algorithms.
403 c.sendAlert(alertHandshakeFailure)
406 hs.cert = certificate
411 // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
412 // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
413 func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
414 if hs.c.quic != nil {
420 hs.sentDummyCCS = true
422 return hs.c.writeChangeCipherRecord()
425 func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
428 // The first ClientHello gets double-hashed into the transcript upon a
429 // HelloRetryRequest. See RFC 8446, Section 4.4.1.
430 if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
433 chHash := hs.transcript.Sum(nil)
434 hs.transcript.Reset()
435 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
436 hs.transcript.Write(chHash)
438 helloRetryRequest := &serverHelloMsg{
440 random: helloRetryRequestRandom,
441 sessionId: hs.hello.sessionId,
442 cipherSuite: hs.hello.cipherSuite,
443 compressionMethod: hs.hello.compressionMethod,
444 supportedVersion: hs.hello.supportedVersion,
445 selectedGroup: selectedGroup,
448 if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil {
452 if err := hs.sendDummyChangeCipherSpec(); err != nil {
456 // clientHelloMsg is not included in the transcript.
457 msg, err := c.readHandshake(nil)
462 clientHello, ok := msg.(*clientHelloMsg)
464 c.sendAlert(alertUnexpectedMessage)
465 return unexpectedMessageError(clientHello, msg)
468 if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup {
469 c.sendAlert(alertIllegalParameter)
470 return errors.New("tls: client sent invalid key share in second ClientHello")
473 if clientHello.earlyData {
474 c.sendAlert(alertIllegalParameter)
475 return errors.New("tls: client indicated early data in second ClientHello")
478 if illegalClientHelloChange(clientHello, hs.clientHello) {
479 c.sendAlert(alertIllegalParameter)
480 return errors.New("tls: client illegally modified second ClientHello")
483 hs.clientHello = clientHello
487 // illegalClientHelloChange reports whether the two ClientHello messages are
488 // different, with the exception of the changes allowed before and after a
489 // HelloRetryRequest. See RFC 8446, Section 4.1.2.
490 func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool {
491 if len(ch.supportedVersions) != len(ch1.supportedVersions) ||
492 len(ch.cipherSuites) != len(ch1.cipherSuites) ||
493 len(ch.supportedCurves) != len(ch1.supportedCurves) ||
494 len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) ||
495 len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) ||
496 len(ch.alpnProtocols) != len(ch1.alpnProtocols) {
499 for i := range ch.supportedVersions {
500 if ch.supportedVersions[i] != ch1.supportedVersions[i] {
504 for i := range ch.cipherSuites {
505 if ch.cipherSuites[i] != ch1.cipherSuites[i] {
509 for i := range ch.supportedCurves {
510 if ch.supportedCurves[i] != ch1.supportedCurves[i] {
514 for i := range ch.supportedSignatureAlgorithms {
515 if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] {
519 for i := range ch.supportedSignatureAlgorithmsCert {
520 if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] {
524 for i := range ch.alpnProtocols {
525 if ch.alpnProtocols[i] != ch1.alpnProtocols[i] {
529 return ch.vers != ch1.vers ||
530 !bytes.Equal(ch.random, ch1.random) ||
531 !bytes.Equal(ch.sessionId, ch1.sessionId) ||
532 !bytes.Equal(ch.compressionMethods, ch1.compressionMethods) ||
533 ch.serverName != ch1.serverName ||
534 ch.ocspStapling != ch1.ocspStapling ||
535 !bytes.Equal(ch.supportedPoints, ch1.supportedPoints) ||
536 ch.ticketSupported != ch1.ticketSupported ||
537 !bytes.Equal(ch.sessionTicket, ch1.sessionTicket) ||
538 ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported ||
539 !bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) ||
540 ch.scts != ch1.scts ||
541 !bytes.Equal(ch.cookie, ch1.cookie) ||
542 !bytes.Equal(ch.pskModes, ch1.pskModes)
545 func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
548 if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
551 if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil {
555 if err := hs.sendDummyChangeCipherSpec(); err != nil {
559 earlySecret := hs.earlySecret
560 if earlySecret == nil {
561 earlySecret = hs.suite.extract(nil, nil)
563 hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
564 hs.suite.deriveSecret(earlySecret, "derived", nil))
566 clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
567 clientHandshakeTrafficLabel, hs.transcript)
568 c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
569 serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
570 serverHandshakeTrafficLabel, hs.transcript)
571 c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
574 if c.hand.Len() != 0 {
575 c.sendAlert(alertUnexpectedMessage)
577 c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
578 c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
581 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
583 c.sendAlert(alertInternalError)
586 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret)
588 c.sendAlert(alertInternalError)
592 encryptedExtensions := new(encryptedExtensionsMsg)
594 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil)
596 c.sendAlert(alertNoApplicationProtocol)
599 encryptedExtensions.alpnProtocol = selectedProto
600 c.clientProtocol = selectedProto
603 p, err := c.quicGetTransportParameters()
607 encryptedExtensions.quicTransportParameters = p
610 if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil {
617 func (hs *serverHandshakeStateTLS13) requestClientCert() bool {
618 return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK
621 func (hs *serverHandshakeStateTLS13) sendServerCertificate() error {
624 // Only one of PSK and certificates are used at a time.
629 if hs.requestClientCert() {
630 // Request a client certificate
631 certReq := new(certificateRequestMsgTLS13)
632 certReq.ocspStapling = true
634 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
635 if c.config.ClientCAs != nil {
636 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
639 if _, err := hs.c.writeHandshakeRecord(certReq, hs.transcript); err != nil {
644 certMsg := new(certificateMsgTLS13)
646 certMsg.certificate = *hs.cert
647 certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0
648 certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0
650 if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil {
654 certVerifyMsg := new(certificateVerifyMsg)
655 certVerifyMsg.hasSignatureAlgorithm = true
656 certVerifyMsg.signatureAlgorithm = hs.sigAlg
658 sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg)
660 return c.sendAlert(alertInternalError)
663 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
664 signOpts := crypto.SignerOpts(sigHash)
665 if sigType == signatureRSAPSS {
666 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
668 sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
670 public := hs.cert.PrivateKey.(crypto.Signer).Public()
671 if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS &&
672 rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS
673 c.sendAlert(alertHandshakeFailure)
675 c.sendAlert(alertInternalError)
677 return errors.New("tls: failed to sign handshake: " + err.Error())
679 certVerifyMsg.signature = sig
681 if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil {
688 func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
691 finished := &finishedMsg{
692 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
695 if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil {
699 // Derive secrets that take context through the server Finished.
701 hs.masterSecret = hs.suite.extract(nil,
702 hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil))
704 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
705 clientApplicationTrafficLabel, hs.transcript)
706 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
707 serverApplicationTrafficLabel, hs.transcript)
708 c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
711 if c.hand.Len() != 0 {
712 // TODO: Handle this in setTrafficSecret?
713 c.sendAlert(alertUnexpectedMessage)
715 c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, serverSecret)
718 err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret)
720 c.sendAlert(alertInternalError)
723 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret)
725 c.sendAlert(alertInternalError)
729 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
731 // If we did not request client certificates, at this point we can
732 // precompute the client finished and roll the transcript forward to send
733 // session tickets in our first flight.
734 if !hs.requestClientCert() {
735 if err := hs.sendSessionTickets(); err != nil {
743 func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool {
744 if hs.c.config.SessionTicketsDisabled {
748 // Don't send tickets the client wouldn't use. See RFC 8446, Section 4.2.9.
749 for _, pskMode := range hs.clientHello.pskModes {
750 if pskMode == pskModeDHE {
757 func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
760 hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
761 finishedMsg := &finishedMsg{
762 verifyData: hs.clientFinished,
764 if err := transcriptMsg(finishedMsg, hs.transcript); err != nil {
768 if !hs.shouldSendSessionTickets() {
772 resumptionSecret := hs.suite.deriveSecret(hs.masterSecret,
773 resumptionLabel, hs.transcript)
775 m := new(newSessionTicketMsgTLS13)
777 var certsFromClient [][]byte
778 for _, cert := range c.peerCertificates {
779 certsFromClient = append(certsFromClient, cert.Raw)
781 state := sessionStateTLS13{
782 cipherSuite: hs.suite.id,
783 createdAt: uint64(c.config.time().Unix()),
784 resumptionSecret: resumptionSecret,
785 certificate: Certificate{
786 Certificate: certsFromClient,
787 OCSPStaple: c.ocspResponse,
788 SignedCertificateTimestamps: c.scts,
791 stateBytes, err := state.marshal()
793 c.sendAlert(alertInternalError)
796 m.label, err = c.encryptTicket(stateBytes)
800 m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
802 // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
803 // The value is not stored anywhere; we never need to check the ticket age
804 // because 0-RTT is not supported.
805 ageAdd := make([]byte, 4)
806 _, err = hs.c.config.rand().Read(ageAdd)
810 m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
812 // ticket_nonce, which must be unique per connection, is always left at
813 // zero because we only ever send one ticket per connection.
815 if _, err := c.writeHandshakeRecord(m, nil); err != nil {
822 func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
825 if !hs.requestClientCert() {
826 // Make sure the connection is still being verified whether or not
827 // the server requested a client certificate.
828 if c.config.VerifyConnection != nil {
829 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
830 c.sendAlert(alertBadCertificate)
837 // If we requested a client certificate, then the client must send a
838 // certificate message. If it's empty, no CertificateVerify is sent.
840 msg, err := c.readHandshake(hs.transcript)
845 certMsg, ok := msg.(*certificateMsgTLS13)
847 c.sendAlert(alertUnexpectedMessage)
848 return unexpectedMessageError(certMsg, msg)
851 if err := c.processCertsFromClient(certMsg.certificate); err != nil {
855 if c.config.VerifyConnection != nil {
856 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
857 c.sendAlert(alertBadCertificate)
862 if len(certMsg.certificate.Certificate) != 0 {
863 // certificateVerifyMsg is included in the transcript, but not until
864 // after we verify the handshake signature, since the state before
865 // this message was sent is used.
866 msg, err = c.readHandshake(nil)
871 certVerify, ok := msg.(*certificateVerifyMsg)
873 c.sendAlert(alertUnexpectedMessage)
874 return unexpectedMessageError(certVerify, msg)
877 // See RFC 8446, Section 4.4.3.
878 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
879 c.sendAlert(alertIllegalParameter)
880 return errors.New("tls: client certificate used with invalid signature algorithm")
882 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
884 return c.sendAlert(alertInternalError)
886 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
887 c.sendAlert(alertIllegalParameter)
888 return errors.New("tls: client certificate used with invalid signature algorithm")
890 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
891 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
892 sigHash, signed, certVerify.signature); err != nil {
893 c.sendAlert(alertDecryptError)
894 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
897 if err := transcriptMsg(certVerify, hs.transcript); err != nil {
902 // If we waited until the client certificates to send session tickets, we
903 // are ready to do it now.
904 if err := hs.sendSessionTickets(); err != nil {
911 func (hs *serverHandshakeStateTLS13) readClientFinished() error {
914 // finishedMsg is not included in the transcript.
915 msg, err := c.readHandshake(nil)
920 finished, ok := msg.(*finishedMsg)
922 c.sendAlert(alertUnexpectedMessage)
923 return unexpectedMessageError(finished, msg)
926 if !hmac.Equal(hs.clientFinished, finished.verifyData) {
927 c.sendAlert(alertDecryptError)
928 return errors.New("tls: invalid client finished hash")
931 c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)