Source file src/crypto/tls/handshake_server_tls13.go

     1  // Copyright 2018 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"crypto"
    11  	"crypto/hmac"
    12  	"crypto/rsa"
    13  	"encoding/binary"
    14  	"errors"
    15  	"hash"
    16  	"io"
    17  	"time"
    18  )
    19  
    20  // maxClientPSKIdentities is the number of client PSK identities the server will
    21  // attempt to validate. It will ignore the rest not to let cheap ClientHello
    22  // messages cause too much work in session ticket decryption attempts.
    23  const maxClientPSKIdentities = 5
    24  
    25  type serverHandshakeStateTLS13 struct {
    26  	c               *Conn
    27  	ctx             context.Context
    28  	clientHello     *clientHelloMsg
    29  	hello           *serverHelloMsg
    30  	sentDummyCCS    bool
    31  	usingPSK        bool
    32  	earlyData       bool
    33  	suite           *cipherSuiteTLS13
    34  	cert            *Certificate
    35  	sigAlg          SignatureScheme
    36  	earlySecret     []byte
    37  	sharedKey       []byte
    38  	handshakeSecret []byte
    39  	masterSecret    []byte
    40  	trafficSecret   []byte // client_application_traffic_secret_0
    41  	transcript      hash.Hash
    42  	clientFinished  []byte
    43  }
    44  
    45  func (hs *serverHandshakeStateTLS13) handshake() error {
    46  	c := hs.c
    47  
    48  	if needFIPS() {
    49  		return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
    50  	}
    51  
    52  	// For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
    53  	if err := hs.processClientHello(); err != nil {
    54  		return err
    55  	}
    56  	if err := hs.checkForResumption(); err != nil {
    57  		return err
    58  	}
    59  	if err := hs.pickCertificate(); err != nil {
    60  		return err
    61  	}
    62  	c.buffering = true
    63  	if err := hs.sendServerParameters(); err != nil {
    64  		return err
    65  	}
    66  	if err := hs.sendServerCertificate(); err != nil {
    67  		return err
    68  	}
    69  	if err := hs.sendServerFinished(); err != nil {
    70  		return err
    71  	}
    72  	// Note that at this point we could start sending application data without
    73  	// waiting for the client's second flight, but the application might not
    74  	// expect the lack of replay protection of the ClientHello parameters.
    75  	if _, err := c.flush(); err != nil {
    76  		return err
    77  	}
    78  	if err := hs.readClientCertificate(); err != nil {
    79  		return err
    80  	}
    81  	if err := hs.readClientFinished(); err != nil {
    82  		return err
    83  	}
    84  
    85  	c.isHandshakeComplete.Store(true)
    86  
    87  	return nil
    88  }
    89  
    90  func (hs *serverHandshakeStateTLS13) processClientHello() error {
    91  	c := hs.c
    92  
    93  	hs.hello = new(serverHelloMsg)
    94  
    95  	// TLS 1.3 froze the ServerHello.legacy_version field, and uses
    96  	// supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1.
    97  	hs.hello.vers = VersionTLS12
    98  	hs.hello.supportedVersion = c.vers
    99  
   100  	if len(hs.clientHello.supportedVersions) == 0 {
   101  		c.sendAlert(alertIllegalParameter)
   102  		return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
   103  	}
   104  
   105  	// Abort if the client is doing a fallback and landing lower than what we
   106  	// support. See RFC 7507, which however does not specify the interaction
   107  	// with supported_versions. The only difference is that with
   108  	// supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4]
   109  	// handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case,
   110  	// it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to
   111  	// TLS 1.2, because a TLS 1.3 server would abort here. The situation before
   112  	// supported_versions was not better because there was just no way to do a
   113  	// TLS 1.4 handshake without risking the server selecting TLS 1.3.
   114  	for _, id := range hs.clientHello.cipherSuites {
   115  		if id == TLS_FALLBACK_SCSV {
   116  			// Use c.vers instead of max(supported_versions) because an attacker
   117  			// could defeat this by adding an arbitrary high version otherwise.
   118  			if c.vers < c.config.maxSupportedVersion(roleServer) {
   119  				c.sendAlert(alertInappropriateFallback)
   120  				return errors.New("tls: client using inappropriate protocol fallback")
   121  			}
   122  			break
   123  		}
   124  	}
   125  
   126  	if len(hs.clientHello.compressionMethods) != 1 ||
   127  		hs.clientHello.compressionMethods[0] != compressionNone {
   128  		c.sendAlert(alertIllegalParameter)
   129  		return errors.New("tls: TLS 1.3 client supports illegal compression methods")
   130  	}
   131  
   132  	hs.hello.random = make([]byte, 32)
   133  	if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
   134  		c.sendAlert(alertInternalError)
   135  		return err
   136  	}
   137  
   138  	if len(hs.clientHello.secureRenegotiation) != 0 {
   139  		c.sendAlert(alertHandshakeFailure)
   140  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   141  	}
   142  
   143  	if hs.clientHello.earlyData && c.quic != nil {
   144  		if len(hs.clientHello.pskIdentities) == 0 {
   145  			c.sendAlert(alertIllegalParameter)
   146  			return errors.New("tls: early_data without pre_shared_key")
   147  		}
   148  	} else if hs.clientHello.earlyData {
   149  		// See RFC 8446, Section 4.2.10 for the complicated behavior required
   150  		// here. The scenario is that a different server at our address offered
   151  		// to accept early data in the past, which we can't handle. For now, all
   152  		// 0-RTT enabled session tickets need to expire before a Go server can
   153  		// replace a server or join a pool. That's the same requirement that
   154  		// applies to mixing or replacing with any TLS 1.2 server.
   155  		c.sendAlert(alertUnsupportedExtension)
   156  		return errors.New("tls: client sent unexpected early data")
   157  	}
   158  
   159  	hs.hello.sessionId = hs.clientHello.sessionId
   160  	hs.hello.compressionMethod = compressionNone
   161  
   162  	preferenceList := defaultCipherSuitesTLS13
   163  	if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
   164  		preferenceList = defaultCipherSuitesTLS13NoAES
   165  	}
   166  	for _, suiteID := range preferenceList {
   167  		hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID)
   168  		if hs.suite != nil {
   169  			break
   170  		}
   171  	}
   172  	if hs.suite == nil {
   173  		c.sendAlert(alertHandshakeFailure)
   174  		return errors.New("tls: no cipher suite supported by both client and server")
   175  	}
   176  	c.cipherSuite = hs.suite.id
   177  	hs.hello.cipherSuite = hs.suite.id
   178  	hs.transcript = hs.suite.hash.New()
   179  
   180  	// Pick the ECDHE group in server preference order, but give priority to
   181  	// groups with a key share, to avoid a HelloRetryRequest round-trip.
   182  	var selectedGroup CurveID
   183  	var clientKeyShare *keyShare
   184  GroupSelection:
   185  	for _, preferredGroup := range c.config.curvePreferences() {
   186  		for _, ks := range hs.clientHello.keyShares {
   187  			if ks.group == preferredGroup {
   188  				selectedGroup = ks.group
   189  				clientKeyShare = &ks
   190  				break GroupSelection
   191  			}
   192  		}
   193  		if selectedGroup != 0 {
   194  			continue
   195  		}
   196  		for _, group := range hs.clientHello.supportedCurves {
   197  			if group == preferredGroup {
   198  				selectedGroup = group
   199  				break
   200  			}
   201  		}
   202  	}
   203  	if selectedGroup == 0 {
   204  		c.sendAlert(alertHandshakeFailure)
   205  		return errors.New("tls: no ECDHE curve supported by both client and server")
   206  	}
   207  	if clientKeyShare == nil {
   208  		if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
   209  			return err
   210  		}
   211  		clientKeyShare = &hs.clientHello.keyShares[0]
   212  	}
   213  
   214  	if _, ok := curveForCurveID(selectedGroup); !ok {
   215  		c.sendAlert(alertInternalError)
   216  		return errors.New("tls: CurvePreferences includes unsupported curve")
   217  	}
   218  	key, err := generateECDHEKey(c.config.rand(), selectedGroup)
   219  	if err != nil {
   220  		c.sendAlert(alertInternalError)
   221  		return err
   222  	}
   223  	hs.hello.serverShare = keyShare{group: selectedGroup, data: key.PublicKey().Bytes()}
   224  	peerKey, err := key.Curve().NewPublicKey(clientKeyShare.data)
   225  	if err != nil {
   226  		c.sendAlert(alertIllegalParameter)
   227  		return errors.New("tls: invalid client key share")
   228  	}
   229  	hs.sharedKey, err = key.ECDH(peerKey)
   230  	if err != nil {
   231  		c.sendAlert(alertIllegalParameter)
   232  		return errors.New("tls: invalid client key share")
   233  	}
   234  
   235  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil)
   236  	if err != nil {
   237  		c.sendAlert(alertNoApplicationProtocol)
   238  		return err
   239  	}
   240  	c.clientProtocol = selectedProto
   241  
   242  	if c.quic != nil {
   243  		// RFC 9001 Section 4.2: Clients MUST NOT offer TLS versions older than 1.3.
   244  		for _, v := range hs.clientHello.supportedVersions {
   245  			if v < VersionTLS13 {
   246  				c.sendAlert(alertProtocolVersion)
   247  				return errors.New("tls: client offered TLS version older than TLS 1.3")
   248  			}
   249  		}
   250  		// RFC 9001 Section 8.2.
   251  		if hs.clientHello.quicTransportParameters == nil {
   252  			c.sendAlert(alertMissingExtension)
   253  			return errors.New("tls: client did not send a quic_transport_parameters extension")
   254  		}
   255  		c.quicSetTransportParameters(hs.clientHello.quicTransportParameters)
   256  	} else {
   257  		if hs.clientHello.quicTransportParameters != nil {
   258  			c.sendAlert(alertUnsupportedExtension)
   259  			return errors.New("tls: client sent an unexpected quic_transport_parameters extension")
   260  		}
   261  	}
   262  
   263  	c.serverName = hs.clientHello.serverName
   264  	return nil
   265  }
   266  
   267  func (hs *serverHandshakeStateTLS13) checkForResumption() error {
   268  	c := hs.c
   269  
   270  	if c.config.SessionTicketsDisabled {
   271  		return nil
   272  	}
   273  
   274  	modeOK := false
   275  	for _, mode := range hs.clientHello.pskModes {
   276  		if mode == pskModeDHE {
   277  			modeOK = true
   278  			break
   279  		}
   280  	}
   281  	if !modeOK {
   282  		return nil
   283  	}
   284  
   285  	if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) {
   286  		c.sendAlert(alertIllegalParameter)
   287  		return errors.New("tls: invalid or missing PSK binders")
   288  	}
   289  	if len(hs.clientHello.pskIdentities) == 0 {
   290  		return nil
   291  	}
   292  
   293  	for i, identity := range hs.clientHello.pskIdentities {
   294  		if i >= maxClientPSKIdentities {
   295  			break
   296  		}
   297  
   298  		var sessionState *SessionState
   299  		if c.config.UnwrapSession != nil {
   300  			var err error
   301  			sessionState, err = c.config.UnwrapSession(identity.label, c.connectionStateLocked())
   302  			if err != nil {
   303  				return err
   304  			}
   305  			if sessionState == nil {
   306  				continue
   307  			}
   308  		} else {
   309  			plaintext := c.config.decryptTicket(identity.label, c.ticketKeys)
   310  			if plaintext == nil {
   311  				continue
   312  			}
   313  			var err error
   314  			sessionState, err = ParseSessionState(plaintext)
   315  			if err != nil {
   316  				continue
   317  			}
   318  		}
   319  
   320  		if sessionState.version != VersionTLS13 {
   321  			continue
   322  		}
   323  
   324  		createdAt := time.Unix(int64(sessionState.createdAt), 0)
   325  		if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
   326  			continue
   327  		}
   328  
   329  		pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite)
   330  		if pskSuite == nil || pskSuite.hash != hs.suite.hash {
   331  			continue
   332  		}
   333  
   334  		// PSK connections don't re-establish client certificates, but carry
   335  		// them over in the session ticket. Ensure the presence of client certs
   336  		// in the ticket is consistent with the configured requirements.
   337  		sessionHasClientCerts := len(sessionState.peerCertificates) != 0
   338  		needClientCerts := requiresClientCert(c.config.ClientAuth)
   339  		if needClientCerts && !sessionHasClientCerts {
   340  			continue
   341  		}
   342  		if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   343  			continue
   344  		}
   345  		if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
   346  			continue
   347  		}
   348  		if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
   349  			len(sessionState.verifiedChains) == 0 {
   350  			continue
   351  		}
   352  
   353  		hs.earlySecret = hs.suite.extract(sessionState.secret, nil)
   354  		binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
   355  		// Clone the transcript in case a HelloRetryRequest was recorded.
   356  		transcript := cloneHash(hs.transcript, hs.suite.hash)
   357  		if transcript == nil {
   358  			c.sendAlert(alertInternalError)
   359  			return errors.New("tls: internal error: failed to clone hash")
   360  		}
   361  		clientHelloBytes, err := hs.clientHello.marshalWithoutBinders()
   362  		if err != nil {
   363  			c.sendAlert(alertInternalError)
   364  			return err
   365  		}
   366  		transcript.Write(clientHelloBytes)
   367  		pskBinder := hs.suite.finishedHash(binderKey, transcript)
   368  		if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) {
   369  			c.sendAlert(alertDecryptError)
   370  			return errors.New("tls: invalid PSK binder")
   371  		}
   372  
   373  		if c.quic != nil && hs.clientHello.earlyData && i == 0 &&
   374  			sessionState.EarlyData && sessionState.cipherSuite == hs.suite.id &&
   375  			sessionState.alpnProtocol == c.clientProtocol {
   376  			hs.earlyData = true
   377  
   378  			transcript := hs.suite.hash.New()
   379  			if err := transcriptMsg(hs.clientHello, transcript); err != nil {
   380  				return err
   381  			}
   382  			earlyTrafficSecret := hs.suite.deriveSecret(hs.earlySecret, clientEarlyTrafficLabel, transcript)
   383  			c.quicSetReadSecret(QUICEncryptionLevelEarly, hs.suite.id, earlyTrafficSecret)
   384  		}
   385  
   386  		c.didResume = true
   387  		c.peerCertificates = sessionState.peerCertificates
   388  		c.ocspResponse = sessionState.ocspResponse
   389  		c.scts = sessionState.scts
   390  		c.verifiedChains = sessionState.verifiedChains
   391  
   392  		hs.hello.selectedIdentityPresent = true
   393  		hs.hello.selectedIdentity = uint16(i)
   394  		hs.usingPSK = true
   395  		return nil
   396  	}
   397  
   398  	return nil
   399  }
   400  
   401  // cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler
   402  // interfaces implemented by standard library hashes to clone the state of in
   403  // to a new instance of h. It returns nil if the operation fails.
   404  func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
   405  	// Recreate the interface to avoid importing encoding.
   406  	type binaryMarshaler interface {
   407  		MarshalBinary() (data []byte, err error)
   408  		UnmarshalBinary(data []byte) error
   409  	}
   410  	marshaler, ok := in.(binaryMarshaler)
   411  	if !ok {
   412  		return nil
   413  	}
   414  	state, err := marshaler.MarshalBinary()
   415  	if err != nil {
   416  		return nil
   417  	}
   418  	out := h.New()
   419  	unmarshaler, ok := out.(binaryMarshaler)
   420  	if !ok {
   421  		return nil
   422  	}
   423  	if err := unmarshaler.UnmarshalBinary(state); err != nil {
   424  		return nil
   425  	}
   426  	return out
   427  }
   428  
   429  func (hs *serverHandshakeStateTLS13) pickCertificate() error {
   430  	c := hs.c
   431  
   432  	// Only one of PSK and certificates are used at a time.
   433  	if hs.usingPSK {
   434  		return nil
   435  	}
   436  
   437  	// signature_algorithms is required in TLS 1.3. See RFC 8446, Section 4.2.3.
   438  	if len(hs.clientHello.supportedSignatureAlgorithms) == 0 {
   439  		return c.sendAlert(alertMissingExtension)
   440  	}
   441  
   442  	certificate, err := c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
   443  	if err != nil {
   444  		if err == errNoCertificates {
   445  			c.sendAlert(alertUnrecognizedName)
   446  		} else {
   447  			c.sendAlert(alertInternalError)
   448  		}
   449  		return err
   450  	}
   451  	hs.sigAlg, err = selectSignatureScheme(c.vers, certificate, hs.clientHello.supportedSignatureAlgorithms)
   452  	if err != nil {
   453  		// getCertificate returned a certificate that is unsupported or
   454  		// incompatible with the client's signature algorithms.
   455  		c.sendAlert(alertHandshakeFailure)
   456  		return err
   457  	}
   458  	hs.cert = certificate
   459  
   460  	return nil
   461  }
   462  
   463  // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
   464  // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
   465  func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
   466  	if hs.c.quic != nil {
   467  		return nil
   468  	}
   469  	if hs.sentDummyCCS {
   470  		return nil
   471  	}
   472  	hs.sentDummyCCS = true
   473  
   474  	return hs.c.writeChangeCipherRecord()
   475  }
   476  
   477  func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
   478  	c := hs.c
   479  
   480  	// The first ClientHello gets double-hashed into the transcript upon a
   481  	// HelloRetryRequest. See RFC 8446, Section 4.4.1.
   482  	if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
   483  		return err
   484  	}
   485  	chHash := hs.transcript.Sum(nil)
   486  	hs.transcript.Reset()
   487  	hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
   488  	hs.transcript.Write(chHash)
   489  
   490  	helloRetryRequest := &serverHelloMsg{
   491  		vers:              hs.hello.vers,
   492  		random:            helloRetryRequestRandom,
   493  		sessionId:         hs.hello.sessionId,
   494  		cipherSuite:       hs.hello.cipherSuite,
   495  		compressionMethod: hs.hello.compressionMethod,
   496  		supportedVersion:  hs.hello.supportedVersion,
   497  		selectedGroup:     selectedGroup,
   498  	}
   499  
   500  	if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil {
   501  		return err
   502  	}
   503  
   504  	if err := hs.sendDummyChangeCipherSpec(); err != nil {
   505  		return err
   506  	}
   507  
   508  	// clientHelloMsg is not included in the transcript.
   509  	msg, err := c.readHandshake(nil)
   510  	if err != nil {
   511  		return err
   512  	}
   513  
   514  	clientHello, ok := msg.(*clientHelloMsg)
   515  	if !ok {
   516  		c.sendAlert(alertUnexpectedMessage)
   517  		return unexpectedMessageError(clientHello, msg)
   518  	}
   519  
   520  	if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup {
   521  		c.sendAlert(alertIllegalParameter)
   522  		return errors.New("tls: client sent invalid key share in second ClientHello")
   523  	}
   524  
   525  	if clientHello.earlyData {
   526  		c.sendAlert(alertIllegalParameter)
   527  		return errors.New("tls: client indicated early data in second ClientHello")
   528  	}
   529  
   530  	if illegalClientHelloChange(clientHello, hs.clientHello) {
   531  		c.sendAlert(alertIllegalParameter)
   532  		return errors.New("tls: client illegally modified second ClientHello")
   533  	}
   534  
   535  	hs.clientHello = clientHello
   536  	return nil
   537  }
   538  
   539  // illegalClientHelloChange reports whether the two ClientHello messages are
   540  // different, with the exception of the changes allowed before and after a
   541  // HelloRetryRequest. See RFC 8446, Section 4.1.2.
   542  func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool {
   543  	if len(ch.supportedVersions) != len(ch1.supportedVersions) ||
   544  		len(ch.cipherSuites) != len(ch1.cipherSuites) ||
   545  		len(ch.supportedCurves) != len(ch1.supportedCurves) ||
   546  		len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) ||
   547  		len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) ||
   548  		len(ch.alpnProtocols) != len(ch1.alpnProtocols) {
   549  		return true
   550  	}
   551  	for i := range ch.supportedVersions {
   552  		if ch.supportedVersions[i] != ch1.supportedVersions[i] {
   553  			return true
   554  		}
   555  	}
   556  	for i := range ch.cipherSuites {
   557  		if ch.cipherSuites[i] != ch1.cipherSuites[i] {
   558  			return true
   559  		}
   560  	}
   561  	for i := range ch.supportedCurves {
   562  		if ch.supportedCurves[i] != ch1.supportedCurves[i] {
   563  			return true
   564  		}
   565  	}
   566  	for i := range ch.supportedSignatureAlgorithms {
   567  		if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] {
   568  			return true
   569  		}
   570  	}
   571  	for i := range ch.supportedSignatureAlgorithmsCert {
   572  		if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] {
   573  			return true
   574  		}
   575  	}
   576  	for i := range ch.alpnProtocols {
   577  		if ch.alpnProtocols[i] != ch1.alpnProtocols[i] {
   578  			return true
   579  		}
   580  	}
   581  	return ch.vers != ch1.vers ||
   582  		!bytes.Equal(ch.random, ch1.random) ||
   583  		!bytes.Equal(ch.sessionId, ch1.sessionId) ||
   584  		!bytes.Equal(ch.compressionMethods, ch1.compressionMethods) ||
   585  		ch.serverName != ch1.serverName ||
   586  		ch.ocspStapling != ch1.ocspStapling ||
   587  		!bytes.Equal(ch.supportedPoints, ch1.supportedPoints) ||
   588  		ch.ticketSupported != ch1.ticketSupported ||
   589  		!bytes.Equal(ch.sessionTicket, ch1.sessionTicket) ||
   590  		ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported ||
   591  		!bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) ||
   592  		ch.scts != ch1.scts ||
   593  		!bytes.Equal(ch.cookie, ch1.cookie) ||
   594  		!bytes.Equal(ch.pskModes, ch1.pskModes)
   595  }
   596  
   597  func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
   598  	c := hs.c
   599  
   600  	if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
   601  		return err
   602  	}
   603  	if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil {
   604  		return err
   605  	}
   606  
   607  	if err := hs.sendDummyChangeCipherSpec(); err != nil {
   608  		return err
   609  	}
   610  
   611  	earlySecret := hs.earlySecret
   612  	if earlySecret == nil {
   613  		earlySecret = hs.suite.extract(nil, nil)
   614  	}
   615  	hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
   616  		hs.suite.deriveSecret(earlySecret, "derived", nil))
   617  
   618  	clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
   619  		clientHandshakeTrafficLabel, hs.transcript)
   620  	c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
   621  	serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
   622  		serverHandshakeTrafficLabel, hs.transcript)
   623  	c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
   624  
   625  	if c.quic != nil {
   626  		if c.hand.Len() != 0 {
   627  			c.sendAlert(alertUnexpectedMessage)
   628  		}
   629  		c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
   630  		c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
   631  	}
   632  
   633  	err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
   634  	if err != nil {
   635  		c.sendAlert(alertInternalError)
   636  		return err
   637  	}
   638  	err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret)
   639  	if err != nil {
   640  		c.sendAlert(alertInternalError)
   641  		return err
   642  	}
   643  
   644  	encryptedExtensions := new(encryptedExtensionsMsg)
   645  	encryptedExtensions.alpnProtocol = c.clientProtocol
   646  
   647  	if c.quic != nil {
   648  		p, err := c.quicGetTransportParameters()
   649  		if err != nil {
   650  			return err
   651  		}
   652  		encryptedExtensions.quicTransportParameters = p
   653  		encryptedExtensions.earlyData = hs.earlyData
   654  	}
   655  
   656  	if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil {
   657  		return err
   658  	}
   659  
   660  	return nil
   661  }
   662  
   663  func (hs *serverHandshakeStateTLS13) requestClientCert() bool {
   664  	return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK
   665  }
   666  
   667  func (hs *serverHandshakeStateTLS13) sendServerCertificate() error {
   668  	c := hs.c
   669  
   670  	// Only one of PSK and certificates are used at a time.
   671  	if hs.usingPSK {
   672  		return nil
   673  	}
   674  
   675  	if hs.requestClientCert() {
   676  		// Request a client certificate
   677  		certReq := new(certificateRequestMsgTLS13)
   678  		certReq.ocspStapling = true
   679  		certReq.scts = true
   680  		certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
   681  		if c.config.ClientCAs != nil {
   682  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   683  		}
   684  
   685  		if _, err := hs.c.writeHandshakeRecord(certReq, hs.transcript); err != nil {
   686  			return err
   687  		}
   688  	}
   689  
   690  	certMsg := new(certificateMsgTLS13)
   691  
   692  	certMsg.certificate = *hs.cert
   693  	certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0
   694  	certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0
   695  
   696  	if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil {
   697  		return err
   698  	}
   699  
   700  	certVerifyMsg := new(certificateVerifyMsg)
   701  	certVerifyMsg.hasSignatureAlgorithm = true
   702  	certVerifyMsg.signatureAlgorithm = hs.sigAlg
   703  
   704  	sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg)
   705  	if err != nil {
   706  		return c.sendAlert(alertInternalError)
   707  	}
   708  
   709  	signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
   710  	signOpts := crypto.SignerOpts(sigHash)
   711  	if sigType == signatureRSAPSS {
   712  		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
   713  	}
   714  	sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
   715  	if err != nil {
   716  		public := hs.cert.PrivateKey.(crypto.Signer).Public()
   717  		if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS &&
   718  			rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS
   719  			c.sendAlert(alertHandshakeFailure)
   720  		} else {
   721  			c.sendAlert(alertInternalError)
   722  		}
   723  		return errors.New("tls: failed to sign handshake: " + err.Error())
   724  	}
   725  	certVerifyMsg.signature = sig
   726  
   727  	if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil {
   728  		return err
   729  	}
   730  
   731  	return nil
   732  }
   733  
   734  func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
   735  	c := hs.c
   736  
   737  	finished := &finishedMsg{
   738  		verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
   739  	}
   740  
   741  	if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil {
   742  		return err
   743  	}
   744  
   745  	// Derive secrets that take context through the server Finished.
   746  
   747  	hs.masterSecret = hs.suite.extract(nil,
   748  		hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil))
   749  
   750  	hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
   751  		clientApplicationTrafficLabel, hs.transcript)
   752  	serverSecret := hs.suite.deriveSecret(hs.masterSecret,
   753  		serverApplicationTrafficLabel, hs.transcript)
   754  	c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
   755  
   756  	if c.quic != nil {
   757  		if c.hand.Len() != 0 {
   758  			// TODO: Handle this in setTrafficSecret?
   759  			c.sendAlert(alertUnexpectedMessage)
   760  		}
   761  		c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, serverSecret)
   762  	}
   763  
   764  	err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret)
   765  	if err != nil {
   766  		c.sendAlert(alertInternalError)
   767  		return err
   768  	}
   769  	err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret)
   770  	if err != nil {
   771  		c.sendAlert(alertInternalError)
   772  		return err
   773  	}
   774  
   775  	c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
   776  
   777  	// If we did not request client certificates, at this point we can
   778  	// precompute the client finished and roll the transcript forward to send
   779  	// session tickets in our first flight.
   780  	if !hs.requestClientCert() {
   781  		if err := hs.sendSessionTickets(); err != nil {
   782  			return err
   783  		}
   784  	}
   785  
   786  	return nil
   787  }
   788  
   789  func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool {
   790  	if hs.c.config.SessionTicketsDisabled {
   791  		return false
   792  	}
   793  
   794  	// QUIC tickets are sent by QUICConn.SendSessionTicket, not automatically.
   795  	if hs.c.quic != nil {
   796  		return false
   797  	}
   798  
   799  	// Don't send tickets the client wouldn't use. See RFC 8446, Section 4.2.9.
   800  	for _, pskMode := range hs.clientHello.pskModes {
   801  		if pskMode == pskModeDHE {
   802  			return true
   803  		}
   804  	}
   805  	return false
   806  }
   807  
   808  func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
   809  	c := hs.c
   810  
   811  	hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
   812  	finishedMsg := &finishedMsg{
   813  		verifyData: hs.clientFinished,
   814  	}
   815  	if err := transcriptMsg(finishedMsg, hs.transcript); err != nil {
   816  		return err
   817  	}
   818  
   819  	c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
   820  		resumptionLabel, hs.transcript)
   821  
   822  	if !hs.shouldSendSessionTickets() {
   823  		return nil
   824  	}
   825  	return c.sendSessionTicket(false)
   826  }
   827  
   828  func (c *Conn) sendSessionTicket(earlyData bool) error {
   829  	suite := cipherSuiteTLS13ByID(c.cipherSuite)
   830  	if suite == nil {
   831  		return errors.New("tls: internal error: unknown cipher suite")
   832  	}
   833  	// ticket_nonce, which must be unique per connection, is always left at
   834  	// zero because we only ever send one ticket per connection.
   835  	psk := suite.expandLabel(c.resumptionSecret, "resumption",
   836  		nil, suite.hash.Size())
   837  
   838  	m := new(newSessionTicketMsgTLS13)
   839  
   840  	state, err := c.sessionState()
   841  	if err != nil {
   842  		return err
   843  	}
   844  	state.secret = psk
   845  	state.EarlyData = earlyData
   846  	if c.config.WrapSession != nil {
   847  		m.label, err = c.config.WrapSession(c.connectionStateLocked(), state)
   848  		if err != nil {
   849  			return err
   850  		}
   851  	} else {
   852  		stateBytes, err := state.Bytes()
   853  		if err != nil {
   854  			c.sendAlert(alertInternalError)
   855  			return err
   856  		}
   857  		m.label, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
   858  		if err != nil {
   859  			return err
   860  		}
   861  	}
   862  	m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
   863  
   864  	// ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1
   865  	// The value is not stored anywhere; we never need to check the ticket age
   866  	// because 0-RTT is not supported.
   867  	ageAdd := make([]byte, 4)
   868  	_, err = c.config.rand().Read(ageAdd)
   869  	if err != nil {
   870  		return err
   871  	}
   872  	m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
   873  
   874  	if earlyData {
   875  		// RFC 9001, Section 4.6.1
   876  		m.maxEarlyData = 0xffffffff
   877  	}
   878  
   879  	if _, err := c.writeHandshakeRecord(m, nil); err != nil {
   880  		return err
   881  	}
   882  
   883  	return nil
   884  }
   885  
   886  func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
   887  	c := hs.c
   888  
   889  	if !hs.requestClientCert() {
   890  		// Make sure the connection is still being verified whether or not
   891  		// the server requested a client certificate.
   892  		if c.config.VerifyConnection != nil {
   893  			if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   894  				c.sendAlert(alertBadCertificate)
   895  				return err
   896  			}
   897  		}
   898  		return nil
   899  	}
   900  
   901  	// If we requested a client certificate, then the client must send a
   902  	// certificate message. If it's empty, no CertificateVerify is sent.
   903  
   904  	msg, err := c.readHandshake(hs.transcript)
   905  	if err != nil {
   906  		return err
   907  	}
   908  
   909  	certMsg, ok := msg.(*certificateMsgTLS13)
   910  	if !ok {
   911  		c.sendAlert(alertUnexpectedMessage)
   912  		return unexpectedMessageError(certMsg, msg)
   913  	}
   914  
   915  	if err := c.processCertsFromClient(certMsg.certificate); err != nil {
   916  		return err
   917  	}
   918  
   919  	if c.config.VerifyConnection != nil {
   920  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   921  			c.sendAlert(alertBadCertificate)
   922  			return err
   923  		}
   924  	}
   925  
   926  	if len(certMsg.certificate.Certificate) != 0 {
   927  		// certificateVerifyMsg is included in the transcript, but not until
   928  		// after we verify the handshake signature, since the state before
   929  		// this message was sent is used.
   930  		msg, err = c.readHandshake(nil)
   931  		if err != nil {
   932  			return err
   933  		}
   934  
   935  		certVerify, ok := msg.(*certificateVerifyMsg)
   936  		if !ok {
   937  			c.sendAlert(alertUnexpectedMessage)
   938  			return unexpectedMessageError(certVerify, msg)
   939  		}
   940  
   941  		// See RFC 8446, Section 4.4.3.
   942  		if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
   943  			c.sendAlert(alertIllegalParameter)
   944  			return errors.New("tls: client certificate used with invalid signature algorithm")
   945  		}
   946  		sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   947  		if err != nil {
   948  			return c.sendAlert(alertInternalError)
   949  		}
   950  		if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
   951  			c.sendAlert(alertIllegalParameter)
   952  			return errors.New("tls: client certificate used with invalid signature algorithm")
   953  		}
   954  		signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
   955  		if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
   956  			sigHash, signed, certVerify.signature); err != nil {
   957  			c.sendAlert(alertDecryptError)
   958  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
   959  		}
   960  
   961  		if err := transcriptMsg(certVerify, hs.transcript); err != nil {
   962  			return err
   963  		}
   964  	}
   965  
   966  	// If we waited until the client certificates to send session tickets, we
   967  	// are ready to do it now.
   968  	if err := hs.sendSessionTickets(); err != nil {
   969  		return err
   970  	}
   971  
   972  	return nil
   973  }
   974  
   975  func (hs *serverHandshakeStateTLS13) readClientFinished() error {
   976  	c := hs.c
   977  
   978  	// finishedMsg is not included in the transcript.
   979  	msg, err := c.readHandshake(nil)
   980  	if err != nil {
   981  		return err
   982  	}
   983  
   984  	finished, ok := msg.(*finishedMsg)
   985  	if !ok {
   986  		c.sendAlert(alertUnexpectedMessage)
   987  		return unexpectedMessageError(finished, msg)
   988  	}
   989  
   990  	if !hmac.Equal(hs.clientFinished, finished.verifyData) {
   991  		c.sendAlert(alertDecryptError)
   992  		return errors.New("tls: invalid client finished hash")
   993  	}
   994  
   995  	c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
   996  
   997  	return nil
   998  }
   999  

View as plain text