github.com/JimmyHuang454/JLS-go@v0.0.0-20230831150107-90d536585ba0/tls/handshake_client_tls13.go (about) 1 // Copyright 2018 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "context" 10 "crypto" 11 "crypto/ecdh" 12 "crypto/hmac" 13 "crypto/rsa" 14 "errors" 15 "hash" 16 "time" 17 ) 18 19 type clientHandshakeStateTLS13 struct { 20 c *Conn 21 ctx context.Context 22 serverHello *serverHelloMsg 23 hello *clientHelloMsg 24 ecdheKey *ecdh.PrivateKey 25 26 session *SessionState 27 earlySecret []byte 28 binderKey []byte 29 30 certReq *certificateRequestMsgTLS13 31 usingPSK bool 32 sentDummyCCS bool 33 suite *cipherSuiteTLS13 34 transcript hash.Hash 35 masterSecret []byte 36 trafficSecret []byte // client_application_traffic_secret_0 37 } 38 39 // handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheKey, and, 40 // optionally, hs.session, hs.earlySecret and hs.binderKey to be set. 41 func (hs *clientHandshakeStateTLS13) handshake() error { 42 c := hs.c 43 44 if needFIPS() { 45 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") 46 } 47 48 // The server must not select TLS 1.3 in a renegotiation. See RFC 8446, 49 // sections 4.1.2 and 4.1.3. 50 if c.handshakes > 0 { 51 c.sendAlert(alertProtocolVersion) 52 return errors.New("tls: server selected TLS 1.3 in a renegotiation") 53 } 54 55 // Consistency check on the presence of a keyShare and its parameters. 56 if hs.ecdheKey == nil || len(hs.hello.keyShares) != 1 { 57 return c.sendAlert(alertInternalError) 58 } 59 60 if err := hs.checkServerHelloOrHRR(); err != nil { 61 return err 62 } 63 64 hs.transcript = hs.suite.hash.New() 65 66 if err := transcriptMsg(hs.hello, hs.transcript); err != nil { 67 return err 68 } 69 70 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { 71 if err := hs.sendDummyChangeCipherSpec(); err != nil { 72 return err 73 } 74 if err := hs.processHelloRetryRequest(); err != nil { 75 return err 76 } 77 } 78 79 if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { 80 return err 81 } 82 83 c.buffering = true 84 if err := hs.processServerHello(); err != nil { 85 return err 86 } 87 if err := hs.sendDummyChangeCipherSpec(); err != nil { 88 return err 89 } 90 if err := hs.establishHandshakeKeys(); err != nil { 91 return err 92 } 93 if err := hs.readServerParameters(); err != nil { 94 return err 95 } 96 if err := hs.readServerCertificate(); err != nil { 97 return err 98 } 99 if err := hs.readServerFinished(); err != nil { 100 return err 101 } 102 if err := hs.sendClientCertificate(); err != nil { 103 return err 104 } 105 if err := hs.sendClientFinished(); err != nil { 106 return err 107 } 108 if _, err := c.flush(); err != nil { 109 return err 110 } 111 112 c.isHandshakeComplete.Store(true) 113 114 return nil 115 } 116 117 // checkServerHelloOrHRR does validity checks that apply to both ServerHello and 118 // HelloRetryRequest messages. It sets hs.suite. 119 func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error { 120 c := hs.c 121 122 if hs.serverHello.supportedVersion == 0 { 123 c.sendAlert(alertMissingExtension) 124 return errors.New("tls: server selected TLS 1.3 using the legacy version field") 125 } 126 127 if hs.serverHello.supportedVersion != VersionTLS13 { 128 c.sendAlert(alertIllegalParameter) 129 return errors.New("tls: server selected an invalid version after a HelloRetryRequest") 130 } 131 132 if hs.serverHello.vers != VersionTLS12 { 133 c.sendAlert(alertIllegalParameter) 134 return errors.New("tls: server sent an incorrect legacy version") 135 } 136 137 if hs.serverHello.ocspStapling || 138 hs.serverHello.ticketSupported || 139 hs.serverHello.extendedMasterSecret || 140 hs.serverHello.secureRenegotiationSupported || 141 len(hs.serverHello.secureRenegotiation) != 0 || 142 len(hs.serverHello.alpnProtocol) != 0 || 143 len(hs.serverHello.scts) != 0 { 144 c.sendAlert(alertUnsupportedExtension) 145 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3") 146 } 147 148 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { 149 c.sendAlert(alertIllegalParameter) 150 return errors.New("tls: server did not echo the legacy session ID") 151 } 152 153 if hs.serverHello.compressionMethod != compressionNone { 154 c.sendAlert(alertIllegalParameter) 155 return errors.New("tls: server selected unsupported compression format") 156 } 157 158 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite) 159 if hs.suite != nil && selectedSuite != hs.suite { 160 c.sendAlert(alertIllegalParameter) 161 return errors.New("tls: server changed cipher suite after a HelloRetryRequest") 162 } 163 if selectedSuite == nil { 164 c.sendAlert(alertIllegalParameter) 165 return errors.New("tls: server chose an unconfigured cipher suite") 166 } 167 hs.suite = selectedSuite 168 c.cipherSuite = hs.suite.id 169 170 return nil 171 } 172 173 // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility 174 // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4. 175 func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error { 176 if hs.c.quic != nil { 177 return nil 178 } 179 if hs.sentDummyCCS { 180 return nil 181 } 182 hs.sentDummyCCS = true 183 184 return hs.c.writeChangeCipherRecord() 185 } 186 187 // processHelloRetryRequest handles the HRR in hs.serverHello, modifies and 188 // resends hs.hello, and reads the new ServerHello into hs.serverHello. 189 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { 190 c := hs.c 191 192 // The first ClientHello gets double-hashed into the transcript upon a 193 // HelloRetryRequest. (The idea is that the server might offload transcript 194 // storage to the client in the cookie.) See RFC 8446, Section 4.4.1. 195 chHash := hs.transcript.Sum(nil) 196 hs.transcript.Reset() 197 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 198 hs.transcript.Write(chHash) 199 if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { 200 return err 201 } 202 203 // The only HelloRetryRequest extensions we support are key_share and 204 // cookie, and clients must abort the handshake if the HRR would not result 205 // in any change in the ClientHello. 206 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil { 207 c.sendAlert(alertIllegalParameter) 208 return errors.New("tls: server sent an unnecessary HelloRetryRequest message") 209 } 210 211 if hs.serverHello.cookie != nil { 212 hs.hello.cookie = hs.serverHello.cookie 213 } 214 215 if hs.serverHello.serverShare.group != 0 { 216 c.sendAlert(alertDecodeError) 217 return errors.New("tls: received malformed key_share extension") 218 } 219 220 // If the server sent a key_share extension selecting a group, ensure it's 221 // a group we advertised but did not send a key share for, and send a key 222 // share for it this time. 223 if curveID := hs.serverHello.selectedGroup; curveID != 0 { 224 curveOK := false 225 for _, id := range hs.hello.supportedCurves { 226 if id == curveID { 227 curveOK = true 228 break 229 } 230 } 231 if !curveOK { 232 c.sendAlert(alertIllegalParameter) 233 return errors.New("tls: server selected unsupported group") 234 } 235 if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); sentID == curveID { 236 c.sendAlert(alertIllegalParameter) 237 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share") 238 } 239 if _, ok := curveForCurveID(curveID); !ok { 240 c.sendAlert(alertInternalError) 241 return errors.New("tls: CurvePreferences includes unsupported curve") 242 } 243 key, err := generateECDHEKey(c.config.rand(), curveID) 244 if err != nil { 245 c.sendAlert(alertInternalError) 246 return err 247 } 248 hs.ecdheKey = key 249 hs.hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}} 250 } 251 252 hs.hello.raw = nil 253 if len(hs.hello.pskIdentities) > 0 { 254 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) 255 if pskSuite == nil { 256 return c.sendAlert(alertInternalError) 257 } 258 if pskSuite.hash == hs.suite.hash { 259 // Update binders and obfuscated_ticket_age. 260 ticketAge := c.config.time().Sub(time.Unix(int64(hs.session.createdAt), 0)) 261 hs.hello.pskIdentities[0].obfuscatedTicketAge = uint32(ticketAge/time.Millisecond) + hs.session.ageAdd 262 263 transcript := hs.suite.hash.New() 264 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 265 transcript.Write(chHash) 266 if err := transcriptMsg(hs.serverHello, transcript); err != nil { 267 return err 268 } 269 helloBytes, err := hs.hello.marshalWithoutBinders() 270 if err != nil { 271 return err 272 } 273 transcript.Write(helloBytes) 274 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)} 275 if err := hs.hello.updateBinders(pskBinders); err != nil { 276 return err 277 } 278 } else { 279 // Server selected a cipher suite incompatible with the PSK. 280 hs.hello.pskIdentities = nil 281 hs.hello.pskBinders = nil 282 } 283 } 284 285 if hs.hello.earlyData { 286 hs.hello.earlyData = false 287 c.quicRejectedEarlyData() 288 } 289 290 if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { 291 return err 292 } 293 294 // serverHelloMsg is not included in the transcript 295 msg, err := c.readHandshake(nil) 296 if err != nil { 297 return err 298 } 299 300 serverHello, ok := msg.(*serverHelloMsg) 301 if !ok { 302 c.sendAlert(alertUnexpectedMessage) 303 return unexpectedMessageError(serverHello, msg) 304 } 305 hs.serverHello = serverHello 306 307 if err := hs.checkServerHelloOrHRR(); err != nil { 308 return err 309 } 310 311 return nil 312 } 313 314 func (hs *clientHandshakeStateTLS13) processServerHello() error { 315 c := hs.c 316 317 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { 318 c.sendAlert(alertUnexpectedMessage) 319 return errors.New("tls: server sent two HelloRetryRequest messages") 320 } 321 322 if len(hs.serverHello.cookie) != 0 { 323 c.sendAlert(alertUnsupportedExtension) 324 return errors.New("tls: server sent a cookie in a normal ServerHello") 325 } 326 327 if hs.serverHello.selectedGroup != 0 { 328 c.sendAlert(alertDecodeError) 329 return errors.New("tls: malformed key_share extension") 330 } 331 332 if hs.serverHello.serverShare.group == 0 { 333 c.sendAlert(alertIllegalParameter) 334 return errors.New("tls: server did not send a key share") 335 } 336 if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); hs.serverHello.serverShare.group != sentID { 337 c.sendAlert(alertIllegalParameter) 338 return errors.New("tls: server selected unsupported group") 339 } 340 341 if !hs.serverHello.selectedIdentityPresent { 342 return nil 343 } 344 345 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) { 346 c.sendAlert(alertIllegalParameter) 347 return errors.New("tls: server selected an invalid PSK") 348 } 349 350 if len(hs.hello.pskIdentities) != 1 || hs.session == nil { 351 return c.sendAlert(alertInternalError) 352 } 353 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) 354 if pskSuite == nil { 355 return c.sendAlert(alertInternalError) 356 } 357 if pskSuite.hash != hs.suite.hash { 358 c.sendAlert(alertIllegalParameter) 359 return errors.New("tls: server selected an invalid PSK and cipher suite pair") 360 } 361 362 hs.usingPSK = true 363 c.didResume = true 364 c.peerCertificates = hs.session.peerCertificates 365 c.activeCertHandles = hs.session.activeCertHandles 366 c.verifiedChains = hs.session.verifiedChains 367 c.ocspResponse = hs.session.ocspResponse 368 c.scts = hs.session.scts 369 return nil 370 } 371 372 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { 373 c := hs.c 374 375 peerKey, err := hs.ecdheKey.Curve().NewPublicKey(hs.serverHello.serverShare.data) 376 if err != nil { 377 c.sendAlert(alertIllegalParameter) 378 return errors.New("tls: invalid server key share") 379 } 380 sharedKey, err := hs.ecdheKey.ECDH(peerKey) 381 if err != nil { 382 c.sendAlert(alertIllegalParameter) 383 return errors.New("tls: invalid server key share") 384 } 385 386 earlySecret := hs.earlySecret 387 if !hs.usingPSK { 388 earlySecret = hs.suite.extract(nil, nil) 389 } 390 391 handshakeSecret := hs.suite.extract(sharedKey, 392 hs.suite.deriveSecret(earlySecret, "derived", nil)) 393 394 clientSecret := hs.suite.deriveSecret(handshakeSecret, 395 clientHandshakeTrafficLabel, hs.transcript) 396 c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret) 397 serverSecret := hs.suite.deriveSecret(handshakeSecret, 398 serverHandshakeTrafficLabel, hs.transcript) 399 c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret) 400 401 if c.quic != nil { 402 if c.hand.Len() != 0 { 403 c.sendAlert(alertUnexpectedMessage) 404 } 405 c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret) 406 c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret) 407 } 408 409 err = c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret) 410 if err != nil { 411 c.sendAlert(alertInternalError) 412 return err 413 } 414 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret) 415 if err != nil { 416 c.sendAlert(alertInternalError) 417 return err 418 } 419 420 hs.masterSecret = hs.suite.extract(nil, 421 hs.suite.deriveSecret(handshakeSecret, "derived", nil)) 422 423 return nil 424 } 425 426 func (hs *clientHandshakeStateTLS13) readServerParameters() error { 427 c := hs.c 428 429 msg, err := c.readHandshake(hs.transcript) 430 if err != nil { 431 return err 432 } 433 434 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 435 if !ok { 436 c.sendAlert(alertUnexpectedMessage) 437 return unexpectedMessageError(encryptedExtensions, msg) 438 } 439 440 if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol, c.quic != nil); err != nil { 441 // RFC 8446 specifies that no_application_protocol is sent by servers, but 442 // does not specify how clients handle the selection of an incompatible protocol. 443 // RFC 9001 Section 8.1 specifies that QUIC clients send no_application_protocol 444 // in this case. Always sending no_application_protocol seems reasonable. 445 c.sendAlert(alertNoApplicationProtocol) 446 return err 447 } 448 c.clientProtocol = encryptedExtensions.alpnProtocol 449 450 if c.quic != nil { 451 if encryptedExtensions.quicTransportParameters == nil { 452 // RFC 9001 Section 8.2. 453 c.sendAlert(alertMissingExtension) 454 return errors.New("tls: server did not send a quic_transport_parameters extension") 455 } 456 c.quicSetTransportParameters(encryptedExtensions.quicTransportParameters) 457 } else { 458 if encryptedExtensions.quicTransportParameters != nil { 459 c.sendAlert(alertUnsupportedExtension) 460 return errors.New("tls: server sent an unexpected quic_transport_parameters extension") 461 } 462 } 463 464 if !hs.hello.earlyData && encryptedExtensions.earlyData { 465 c.sendAlert(alertUnsupportedExtension) 466 return errors.New("tls: server sent an unexpected early_data extension") 467 } 468 if hs.hello.earlyData && !encryptedExtensions.earlyData { 469 c.quicRejectedEarlyData() 470 } 471 if encryptedExtensions.earlyData { 472 if hs.session.cipherSuite != c.cipherSuite { 473 c.sendAlert(alertHandshakeFailure) 474 return errors.New("tls: server accepted 0-RTT with the wrong cipher suite") 475 } 476 if hs.session.alpnProtocol != c.clientProtocol { 477 c.sendAlert(alertHandshakeFailure) 478 return errors.New("tls: server accepted 0-RTT with the wrong ALPN") 479 } 480 } 481 482 return nil 483 } 484 485 func (hs *clientHandshakeStateTLS13) readServerCertificate() error { 486 c := hs.c 487 488 // Either a PSK or a certificate is always used, but not both. 489 // See RFC 8446, Section 4.1.1. 490 if hs.usingPSK { 491 // Make sure the connection is still being verified whether or not this 492 // is a resumption. Resumptions currently don't reverify certificates so 493 // they don't call verifyServerCertificate. See Issue 31641. 494 if c.config.VerifyConnection != nil { 495 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 496 c.sendAlert(alertBadCertificate) 497 return err 498 } 499 } 500 return nil 501 } 502 503 msg, err := c.readHandshake(hs.transcript) 504 if err != nil { 505 return err 506 } 507 508 certReq, ok := msg.(*certificateRequestMsgTLS13) 509 if ok { 510 hs.certReq = certReq 511 512 msg, err = c.readHandshake(hs.transcript) 513 if err != nil { 514 return err 515 } 516 } 517 518 certMsg, ok := msg.(*certificateMsgTLS13) 519 if !ok { 520 c.sendAlert(alertUnexpectedMessage) 521 return unexpectedMessageError(certMsg, msg) 522 } 523 if len(certMsg.certificate.Certificate) == 0 { 524 c.sendAlert(alertDecodeError) 525 return errors.New("tls: received empty certificates message") 526 } 527 528 c.scts = certMsg.certificate.SignedCertificateTimestamps 529 c.ocspResponse = certMsg.certificate.OCSPStaple 530 531 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil { 532 return err 533 } 534 535 // certificateVerifyMsg is included in the transcript, but not until 536 // after we verify the handshake signature, since the state before 537 // this message was sent is used. 538 msg, err = c.readHandshake(nil) 539 if err != nil { 540 return err 541 } 542 543 certVerify, ok := msg.(*certificateVerifyMsg) 544 if !ok { 545 c.sendAlert(alertUnexpectedMessage) 546 return unexpectedMessageError(certVerify, msg) 547 } 548 549 // See RFC 8446, Section 4.4.3. 550 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) { 551 c.sendAlert(alertIllegalParameter) 552 return errors.New("tls: certificate used with invalid signature algorithm") 553 } 554 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) 555 if err != nil { 556 return c.sendAlert(alertInternalError) 557 } 558 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 { 559 c.sendAlert(alertIllegalParameter) 560 return errors.New("tls: certificate used with invalid signature algorithm") 561 } 562 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) 563 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey, 564 sigHash, signed, certVerify.signature); err != nil { 565 c.sendAlert(alertDecryptError) 566 return errors.New("tls: invalid signature by the server certificate: " + err.Error()) 567 } 568 569 if err := transcriptMsg(certVerify, hs.transcript); err != nil { 570 return err 571 } 572 573 return nil 574 } 575 576 func (hs *clientHandshakeStateTLS13) readServerFinished() error { 577 c := hs.c 578 579 // finishedMsg is included in the transcript, but not until after we 580 // check the client version, since the state before this message was 581 // sent is used during verification. 582 msg, err := c.readHandshake(nil) 583 if err != nil { 584 return err 585 } 586 587 finished, ok := msg.(*finishedMsg) 588 if !ok { 589 c.sendAlert(alertUnexpectedMessage) 590 return unexpectedMessageError(finished, msg) 591 } 592 593 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript) 594 if !hmac.Equal(expectedMAC, finished.verifyData) { 595 c.sendAlert(alertDecryptError) 596 return errors.New("tls: invalid server finished hash") 597 } 598 599 if err := transcriptMsg(finished, hs.transcript); err != nil { 600 return err 601 } 602 603 // Derive secrets that take context through the server Finished. 604 605 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, 606 clientApplicationTrafficLabel, hs.transcript) 607 serverSecret := hs.suite.deriveSecret(hs.masterSecret, 608 serverApplicationTrafficLabel, hs.transcript) 609 c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret) 610 611 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret) 612 if err != nil { 613 c.sendAlert(alertInternalError) 614 return err 615 } 616 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret) 617 if err != nil { 618 c.sendAlert(alertInternalError) 619 return err 620 } 621 622 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) 623 624 return nil 625 } 626 627 func (hs *clientHandshakeStateTLS13) sendClientCertificate() error { 628 c := hs.c 629 630 if hs.certReq == nil { 631 return nil 632 } 633 634 cert, err := c.getClientCertificate(&CertificateRequestInfo{ 635 AcceptableCAs: hs.certReq.certificateAuthorities, 636 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms, 637 Version: c.vers, 638 ctx: hs.ctx, 639 }) 640 if err != nil { 641 return err 642 } 643 644 certMsg := new(certificateMsgTLS13) 645 646 certMsg.certificate = *cert 647 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0 648 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0 649 650 if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { 651 return err 652 } 653 654 // If we sent an empty certificate message, skip the CertificateVerify. 655 if len(cert.Certificate) == 0 { 656 return nil 657 } 658 659 certVerifyMsg := new(certificateVerifyMsg) 660 certVerifyMsg.hasSignatureAlgorithm = true 661 662 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms) 663 if err != nil { 664 // getClientCertificate returned a certificate incompatible with the 665 // CertificateRequestInfo supported signature algorithms. 666 c.sendAlert(alertHandshakeFailure) 667 return err 668 } 669 670 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm) 671 if err != nil { 672 return c.sendAlert(alertInternalError) 673 } 674 675 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript) 676 signOpts := crypto.SignerOpts(sigHash) 677 if sigType == signatureRSAPSS { 678 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} 679 } 680 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) 681 if err != nil { 682 c.sendAlert(alertInternalError) 683 return errors.New("tls: failed to sign handshake: " + err.Error()) 684 } 685 certVerifyMsg.signature = sig 686 687 if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { 688 return err 689 } 690 691 return nil 692 } 693 694 func (hs *clientHandshakeStateTLS13) sendClientFinished() error { 695 c := hs.c 696 697 finished := &finishedMsg{ 698 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), 699 } 700 701 if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { 702 return err 703 } 704 705 c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret) 706 707 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil { 708 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret, 709 resumptionLabel, hs.transcript) 710 } 711 712 if c.quic != nil { 713 if c.hand.Len() != 0 { 714 c.sendAlert(alertUnexpectedMessage) 715 } 716 c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, hs.trafficSecret) 717 } 718 719 return nil 720 } 721 722 func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error { 723 if !c.isClient { 724 c.sendAlert(alertUnexpectedMessage) 725 return errors.New("tls: received new session ticket from a client") 726 } 727 728 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { 729 return nil 730 } 731 732 // See RFC 8446, Section 4.6.1. 733 if msg.lifetime == 0 { 734 return nil 735 } 736 lifetime := time.Duration(msg.lifetime) * time.Second 737 if lifetime > maxSessionTicketLifetime { 738 c.sendAlert(alertIllegalParameter) 739 return errors.New("tls: received a session ticket with invalid lifetime") 740 } 741 742 // RFC 9001, Section 4.6.1 743 if c.quic != nil && msg.maxEarlyData != 0 && msg.maxEarlyData != 0xffffffff { 744 c.sendAlert(alertIllegalParameter) 745 return errors.New("tls: invalid early data for QUIC connection") 746 } 747 748 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite) 749 if cipherSuite == nil || c.resumptionSecret == nil { 750 return c.sendAlert(alertInternalError) 751 } 752 753 psk := cipherSuite.expandLabel(c.resumptionSecret, "resumption", 754 msg.nonce, cipherSuite.hash.Size()) 755 756 session, err := c.sessionState() 757 if err != nil { 758 c.sendAlert(alertInternalError) 759 return err 760 } 761 session.secret = psk 762 session.useBy = uint64(c.config.time().Add(lifetime).Unix()) 763 session.ageAdd = msg.ageAdd 764 session.EarlyData = c.quic != nil && msg.maxEarlyData == 0xffffffff // RFC 9001, Section 4.6.1 765 cs := &ClientSessionState{ticket: msg.label, session: session} 766 767 if cacheKey := c.clientSessionCacheKey(); cacheKey != "" { 768 c.config.ClientSessionCache.Put(cacheKey, cs) 769 } 770 771 return nil 772 }