handshake_client_tls13.go

Documentation: crypto/tls

     1  // Copyright 2018 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"context"
    10  	"crypto"
    11  	"crypto/hmac"
    12  	"crypto/rsa"
    13  	"errors"
    14  	"hash"
    15  	"sync/atomic"
    16  	"time"
    17  )
    18  
    19  type clientHandshakeStateTLS13 struct {
    20  	c           *Conn
    21  	ctx         context.Context
    22  	serverHello *serverHelloMsg
    23  	hello       *clientHelloMsg
    24  	ecdheParams ecdheParameters
    25  
    26  	session     *ClientSessionState
    27  	earlySecret []byte
    28  	binderKey   []byte
    29  
    30  	certReq       *certificateRequestMsgTLS13
    31  	usingPSK      bool
    32  	sentDummyCCS  bool
    33  	suite         *cipherSuiteTLS13
    34  	transcript    hash.Hash
    35  	masterSecret  []byte
    36  	trafficSecret []byte // client_application_traffic_secret_0
    37  }
    38  
    39  // handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and,
    40  // optionally, hs.session, hs.earlySecret and hs.binderKey to be set.
    41  func (hs *clientHandshakeStateTLS13) handshake() error {
    42  	c := hs.c
    43  
    44  	// The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
    45  	// sections 4.1.2 and 4.1.3.
    46  	if c.handshakes > 0 {
    47  		c.sendAlert(alertProtocolVersion)
    48  		return errors.New("tls: server selected TLS 1.3 in a renegotiation")
    49  	}
    50  
    51  	// Consistency check on the presence of a keyShare and its parameters.
    52  	if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
    53  		return c.sendAlert(alertInternalError)
    54  	}
    55  
    56  	if err := hs.checkServerHelloOrHRR(); err != nil {
    57  		return err
    58  	}
    59  
    60  	hs.transcript = hs.suite.hash.New()
    61  	hs.transcript.Write(hs.hello.marshal())
    62  
    63  	if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
    64  		if err := hs.sendDummyChangeCipherSpec(); err != nil {
    65  			return err
    66  		}
    67  		if err := hs.processHelloRetryRequest(); err != nil {
    68  			return err
    69  		}
    70  	}
    71  
    72  	hs.transcript.Write(hs.serverHello.marshal())
    73  
    74  	c.buffering = true
    75  	if err := hs.processServerHello(); err != nil {
    76  		return err
    77  	}
    78  	if err := hs.sendDummyChangeCipherSpec(); err != nil {
    79  		return err
    80  	}
    81  	if err := hs.establishHandshakeKeys(); err != nil {
    82  		return err
    83  	}
    84  	if err := hs.readServerParameters(); err != nil {
    85  		return err
    86  	}
    87  	if err := hs.readServerCertificate(); err != nil {
    88  		return err
    89  	}
    90  	if err := hs.readServerFinished(); err != nil {
    91  		return err
    92  	}
    93  	if err := hs.sendClientCertificate(); err != nil {
    94  		return err
    95  	}
    96  	if err := hs.sendClientFinished(); err != nil {
    97  		return err
    98  	}
    99  	if _, err := c.flush(); err != nil {
   100  		return err
   101  	}
   102  
   103  	atomic.StoreUint32(&c.handshakeStatus, 1)
   104  
   105  	return nil
   106  }
   107  
   108  // checkServerHelloOrHRR does validity checks that apply to both ServerHello and
   109  // HelloRetryRequest messages. It sets hs.suite.
   110  func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
   111  	c := hs.c
   112  
   113  	if hs.serverHello.supportedVersion == 0 {
   114  		c.sendAlert(alertMissingExtension)
   115  		return errors.New("tls: server selected TLS 1.3 using the legacy version field")
   116  	}
   117  
   118  	if hs.serverHello.supportedVersion != VersionTLS13 {
   119  		c.sendAlert(alertIllegalParameter)
   120  		return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
   121  	}
   122  
   123  	if hs.serverHello.vers != VersionTLS12 {
   124  		c.sendAlert(alertIllegalParameter)
   125  		return errors.New("tls: server sent an incorrect legacy version")
   126  	}
   127  
   128  	if hs.serverHello.ocspStapling ||
   129  		hs.serverHello.ticketSupported ||
   130  		hs.serverHello.secureRenegotiationSupported ||
   131  		len(hs.serverHello.secureRenegotiation) != 0 ||
   132  		len(hs.serverHello.alpnProtocol) != 0 ||
   133  		len(hs.serverHello.scts) != 0 {
   134  		c.sendAlert(alertUnsupportedExtension)
   135  		return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
   136  	}
   137  
   138  	if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
   139  		c.sendAlert(alertIllegalParameter)
   140  		return errors.New("tls: server did not echo the legacy session ID")
   141  	}
   142  
   143  	if hs.serverHello.compressionMethod != compressionNone {
   144  		c.sendAlert(alertIllegalParameter)
   145  		return errors.New("tls: server selected unsupported compression format")
   146  	}
   147  
   148  	selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
   149  	if hs.suite != nil && selectedSuite != hs.suite {
   150  		c.sendAlert(alertIllegalParameter)
   151  		return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
   152  	}
   153  	if selectedSuite == nil {
   154  		c.sendAlert(alertIllegalParameter)
   155  		return errors.New("tls: server chose an unconfigured cipher suite")
   156  	}
   157  	hs.suite = selectedSuite
   158  	c.cipherSuite = hs.suite.id
   159  
   160  	return nil
   161  }
   162  
   163  // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
   164  // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
   165  func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
   166  	if hs.sentDummyCCS {
   167  		return nil
   168  	}
   169  	hs.sentDummyCCS = true
   170  
   171  	_, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
   172  	return err
   173  }
   174  
   175  // processHelloRetryRequest handles the HRR in hs.serverHello, modifies and
   176  // resends hs.hello, and reads the new ServerHello into hs.serverHello.
   177  func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
   178  	c := hs.c
   179  
   180  	// The first ClientHello gets double-hashed into the transcript upon a
   181  	// HelloRetryRequest. (The idea is that the server might offload transcript
   182  	// storage to the client in the cookie.) See RFC 8446, Section 4.4.1.
   183  	chHash := hs.transcript.Sum(nil)
   184  	hs.transcript.Reset()
   185  	hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
   186  	hs.transcript.Write(chHash)
   187  	hs.transcript.Write(hs.serverHello.marshal())
   188  
   189  	// The only HelloRetryRequest extensions we support are key_share and
   190  	// cookie, and clients must abort the handshake if the HRR would not result
   191  	// in any change in the ClientHello.
   192  	if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil {
   193  		c.sendAlert(alertIllegalParameter)
   194  		return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
   195  	}
   196  
   197  	if hs.serverHello.cookie != nil {
   198  		hs.hello.cookie = hs.serverHello.cookie
   199  	}
   200  
   201  	if hs.serverHello.serverShare.group != 0 {
   202  		c.sendAlert(alertDecodeError)
   203  		return errors.New("tls: received malformed key_share extension")
   204  	}
   205  
   206  	// If the server sent a key_share extension selecting a group, ensure it's
   207  	// a group we advertised but did not send a key share for, and send a key
   208  	// share for it this time.
   209  	if curveID := hs.serverHello.selectedGroup; curveID != 0 {
   210  		curveOK := false
   211  		for _, id := range hs.hello.supportedCurves {
   212  			if id == curveID {
   213  				curveOK = true
   214  				break
   215  			}
   216  		}
   217  		if !curveOK {
   218  			c.sendAlert(alertIllegalParameter)
   219  			return errors.New("tls: server selected unsupported group")
   220  		}
   221  		if hs.ecdheParams.CurveID() == curveID {
   222  			c.sendAlert(alertIllegalParameter)
   223  			return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
   224  		}
   225  		if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
   226  			c.sendAlert(alertInternalError)
   227  			return errors.New("tls: CurvePreferences includes unsupported curve")
   228  		}
   229  		params, err := generateECDHEParameters(c.config.rand(), curveID)
   230  		if err != nil {
   231  			c.sendAlert(alertInternalError)
   232  			return err
   233  		}
   234  		hs.ecdheParams = params
   235  		hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
   236  	}
   237  
   238  	hs.hello.raw = nil
   239  	if len(hs.hello.pskIdentities) > 0 {
   240  		pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
   241  		if pskSuite == nil {
   242  			return c.sendAlert(alertInternalError)
   243  		}
   244  		if pskSuite.hash == hs.suite.hash {
   245  			// Update binders and obfuscated_ticket_age.
   246  			ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond)
   247  			hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd
   248  
   249  			transcript := hs.suite.hash.New()
   250  			transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
   251  			transcript.Write(chHash)
   252  			transcript.Write(hs.serverHello.marshal())
   253  			transcript.Write(hs.hello.marshalWithoutBinders())
   254  			pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
   255  			hs.hello.updateBinders(pskBinders)
   256  		} else {
   257  			// Server selected a cipher suite incompatible with the PSK.
   258  			hs.hello.pskIdentities = nil
   259  			hs.hello.pskBinders = nil
   260  		}
   261  	}
   262  
   263  	hs.transcript.Write(hs.hello.marshal())
   264  	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
   265  		return err
   266  	}
   267  
   268  	msg, err := c.readHandshake()
   269  	if err != nil {
   270  		return err
   271  	}
   272  
   273  	serverHello, ok := msg.(*serverHelloMsg)
   274  	if !ok {
   275  		c.sendAlert(alertUnexpectedMessage)
   276  		return unexpectedMessageError(serverHello, msg)
   277  	}
   278  	hs.serverHello = serverHello
   279  
   280  	if err := hs.checkServerHelloOrHRR(); err != nil {
   281  		return err
   282  	}
   283  
   284  	return nil
   285  }
   286  
   287  func (hs *clientHandshakeStateTLS13) processServerHello() error {
   288  	c := hs.c
   289  
   290  	if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
   291  		c.sendAlert(alertUnexpectedMessage)
   292  		return errors.New("tls: server sent two HelloRetryRequest messages")
   293  	}
   294  
   295  	if len(hs.serverHello.cookie) != 0 {
   296  		c.sendAlert(alertUnsupportedExtension)
   297  		return errors.New("tls: server sent a cookie in a normal ServerHello")
   298  	}
   299  
   300  	if hs.serverHello.selectedGroup != 0 {
   301  		c.sendAlert(alertDecodeError)
   302  		return errors.New("tls: malformed key_share extension")
   303  	}
   304  
   305  	if hs.serverHello.serverShare.group == 0 {
   306  		c.sendAlert(alertIllegalParameter)
   307  		return errors.New("tls: server did not send a key share")
   308  	}
   309  	if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() {
   310  		c.sendAlert(alertIllegalParameter)
   311  		return errors.New("tls: server selected unsupported group")
   312  	}
   313  
   314  	if !hs.serverHello.selectedIdentityPresent {
   315  		return nil
   316  	}
   317  
   318  	if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
   319  		c.sendAlert(alertIllegalParameter)
   320  		return errors.New("tls: server selected an invalid PSK")
   321  	}
   322  
   323  	if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
   324  		return c.sendAlert(alertInternalError)
   325  	}
   326  	pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
   327  	if pskSuite == nil {
   328  		return c.sendAlert(alertInternalError)
   329  	}
   330  	if pskSuite.hash != hs.suite.hash {
   331  		c.sendAlert(alertIllegalParameter)
   332  		return errors.New("tls: server selected an invalid PSK and cipher suite pair")
   333  	}
   334  
   335  	hs.usingPSK = true
   336  	c.didResume = true
   337  	c.peerCertificates = hs.session.serverCertificates
   338  	c.verifiedChains = hs.session.verifiedChains
   339  	c.ocspResponse = hs.session.ocspResponse
   340  	c.scts = hs.session.scts
   341  	return nil
   342  }
   343  
   344  func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
   345  	c := hs.c
   346  
   347  	sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data)
   348  	if sharedKey == nil {
   349  		c.sendAlert(alertIllegalParameter)
   350  		return errors.New("tls: invalid server key share")
   351  	}
   352  
   353  	earlySecret := hs.earlySecret
   354  	if !hs.usingPSK {
   355  		earlySecret = hs.suite.extract(nil, nil)
   356  	}
   357  	handshakeSecret := hs.suite.extract(sharedKey,
   358  		hs.suite.deriveSecret(earlySecret, "derived", nil))
   359  
   360  	clientSecret := hs.suite.deriveSecret(handshakeSecret,
   361  		clientHandshakeTrafficLabel, hs.transcript)
   362  	c.out.setTrafficSecret(hs.suite, clientSecret)
   363  	serverSecret := hs.suite.deriveSecret(handshakeSecret,
   364  		serverHandshakeTrafficLabel, hs.transcript)
   365  	c.in.setTrafficSecret(hs.suite, serverSecret)
   366  
   367  	err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
   368  	if err != nil {
   369  		c.sendAlert(alertInternalError)
   370  		return err
   371  	}
   372  	err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
   373  	if err != nil {
   374  		c.sendAlert(alertInternalError)
   375  		return err
   376  	}
   377  
   378  	hs.masterSecret = hs.suite.extract(nil,
   379  		hs.suite.deriveSecret(handshakeSecret, "derived", nil))
   380  
   381  	return nil
   382  }
   383  
   384  func (hs *clientHandshakeStateTLS13) readServerParameters() error {
   385  	c := hs.c
   386  
   387  	msg, err := c.readHandshake()
   388  	if err != nil {
   389  		return err
   390  	}
   391  
   392  	encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
   393  	if !ok {
   394  		c.sendAlert(alertUnexpectedMessage)
   395  		return unexpectedMessageError(encryptedExtensions, msg)
   396  	}
   397  	hs.transcript.Write(encryptedExtensions.marshal())
   398  
   399  	if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil {
   400  		c.sendAlert(alertUnsupportedExtension)
   401  		return err
   402  	}
   403  	c.clientProtocol = encryptedExtensions.alpnProtocol
   404  
   405  	return nil
   406  }
   407  
   408  func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
   409  	c := hs.c
   410  
   411  	// Either a PSK or a certificate is always used, but not both.
   412  	// See RFC 8446, Section 4.1.1.
   413  	if hs.usingPSK {
   414  		// Make sure the connection is still being verified whether or not this
   415  		// is a resumption. Resumptions currently don't reverify certificates so
   416  		// they don't call verifyServerCertificate. See Issue 31641.
   417  		if c.config.VerifyConnection != nil {
   418  			if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   419  				c.sendAlert(alertBadCertificate)
   420  				return err
   421  			}
   422  		}
   423  		return nil
   424  	}
   425  
   426  	msg, err := c.readHandshake()
   427  	if err != nil {
   428  		return err
   429  	}
   430  
   431  	certReq, ok := msg.(*certificateRequestMsgTLS13)
   432  	if ok {
   433  		hs.transcript.Write(certReq.marshal())
   434  
   435  		hs.certReq = certReq
   436  
   437  		msg, err = c.readHandshake()
   438  		if err != nil {
   439  			return err
   440  		}
   441  	}
   442  
   443  	certMsg, ok := msg.(*certificateMsgTLS13)
   444  	if !ok {
   445  		c.sendAlert(alertUnexpectedMessage)
   446  		return unexpectedMessageError(certMsg, msg)
   447  	}
   448  	if len(certMsg.certificate.Certificate) == 0 {
   449  		c.sendAlert(alertDecodeError)
   450  		return errors.New("tls: received empty certificates message")
   451  	}
   452  	hs.transcript.Write(certMsg.marshal())
   453  
   454  	c.scts = certMsg.certificate.SignedCertificateTimestamps
   455  	c.ocspResponse = certMsg.certificate.OCSPStaple
   456  
   457  	if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
   458  		return err
   459  	}
   460  
   461  	msg, err = c.readHandshake()
   462  	if err != nil {
   463  		return err
   464  	}
   465  
   466  	certVerify, ok := msg.(*certificateVerifyMsg)
   467  	if !ok {
   468  		c.sendAlert(alertUnexpectedMessage)
   469  		return unexpectedMessageError(certVerify, msg)
   470  	}
   471  
   472  	// See RFC 8446, Section 4.4.3.
   473  	if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) {
   474  		c.sendAlert(alertIllegalParameter)
   475  		return errors.New("tls: certificate used with invalid signature algorithm")
   476  	}
   477  	sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   478  	if err != nil {
   479  		return c.sendAlert(alertInternalError)
   480  	}
   481  	if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
   482  		c.sendAlert(alertIllegalParameter)
   483  		return errors.New("tls: certificate used with invalid signature algorithm")
   484  	}
   485  	signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
   486  	if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
   487  		sigHash, signed, certVerify.signature); err != nil {
   488  		c.sendAlert(alertDecryptError)
   489  		return errors.New("tls: invalid signature by the server certificate: " + err.Error())
   490  	}
   491  
   492  	hs.transcript.Write(certVerify.marshal())
   493  
   494  	return nil
   495  }
   496  
   497  func (hs *clientHandshakeStateTLS13) readServerFinished() error {
   498  	c := hs.c
   499  
   500  	msg, err := c.readHandshake()
   501  	if err != nil {
   502  		return err
   503  	}
   504  
   505  	finished, ok := msg.(*finishedMsg)
   506  	if !ok {
   507  		c.sendAlert(alertUnexpectedMessage)
   508  		return unexpectedMessageError(finished, msg)
   509  	}
   510  
   511  	expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
   512  	if !hmac.Equal(expectedMAC, finished.verifyData) {
   513  		c.sendAlert(alertDecryptError)
   514  		return errors.New("tls: invalid server finished hash")
   515  	}
   516  
   517  	hs.transcript.Write(finished.marshal())
   518  
   519  	// Derive secrets that take context through the server Finished.
   520  
   521  	hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
   522  		clientApplicationTrafficLabel, hs.transcript)
   523  	serverSecret := hs.suite.deriveSecret(hs.masterSecret,
   524  		serverApplicationTrafficLabel, hs.transcript)
   525  	c.in.setTrafficSecret(hs.suite, serverSecret)
   526  
   527  	err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
   528  	if err != nil {
   529  		c.sendAlert(alertInternalError)
   530  		return err
   531  	}
   532  	err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
   533  	if err != nil {
   534  		c.sendAlert(alertInternalError)
   535  		return err
   536  	}
   537  
   538  	c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
   539  
   540  	return nil
   541  }
   542  
   543  func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
   544  	c := hs.c
   545  
   546  	if hs.certReq == nil {
   547  		return nil
   548  	}
   549  
   550  	cert, err := c.getClientCertificate(&CertificateRequestInfo{
   551  		AcceptableCAs:    hs.certReq.certificateAuthorities,
   552  		SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
   553  		Version:          c.vers,
   554  		ctx:              hs.ctx,
   555  	})
   556  	if err != nil {
   557  		return err
   558  	}
   559  
   560  	certMsg := new(certificateMsgTLS13)
   561  
   562  	certMsg.certificate = *cert
   563  	certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
   564  	certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
   565  
   566  	hs.transcript.Write(certMsg.marshal())
   567  	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
   568  		return err
   569  	}
   570  
   571  	// If we sent an empty certificate message, skip the CertificateVerify.
   572  	if len(cert.Certificate) == 0 {
   573  		return nil
   574  	}
   575  
   576  	certVerifyMsg := new(certificateVerifyMsg)
   577  	certVerifyMsg.hasSignatureAlgorithm = true
   578  
   579  	certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
   580  	if err != nil {
   581  		// getClientCertificate returned a certificate incompatible with the
   582  		// CertificateRequestInfo supported signature algorithms.
   583  		c.sendAlert(alertHandshakeFailure)
   584  		return err
   585  	}
   586  
   587  	sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
   588  	if err != nil {
   589  		return c.sendAlert(alertInternalError)
   590  	}
   591  
   592  	signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
   593  	signOpts := crypto.SignerOpts(sigHash)
   594  	if sigType == signatureRSAPSS {
   595  		signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
   596  	}
   597  	sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
   598  	if err != nil {
   599  		c.sendAlert(alertInternalError)
   600  		return errors.New("tls: failed to sign handshake: " + err.Error())
   601  	}
   602  	certVerifyMsg.signature = sig
   603  
   604  	hs.transcript.Write(certVerifyMsg.marshal())
   605  	if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
   606  		return err
   607  	}
   608  
   609  	return nil
   610  }
   611  
   612  func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
   613  	c := hs.c
   614  
   615  	finished := &finishedMsg{
   616  		verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
   617  	}
   618  
   619  	hs.transcript.Write(finished.marshal())
   620  	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
   621  		return err
   622  	}
   623  
   624  	c.out.setTrafficSecret(hs.suite, hs.trafficSecret)
   625  
   626  	if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
   627  		c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
   628  			resumptionLabel, hs.transcript)
   629  	}
   630  
   631  	return nil
   632  }
   633  
   634  func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
   635  	if !c.isClient {
   636  		c.sendAlert(alertUnexpectedMessage)
   637  		return errors.New("tls: received new session ticket from a client")
   638  	}
   639  
   640  	if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
   641  		return nil
   642  	}
   643  
   644  	// See RFC 8446, Section 4.6.1.
   645  	if msg.lifetime == 0 {
   646  		return nil
   647  	}
   648  	lifetime := time.Duration(msg.lifetime) * time.Second
   649  	if lifetime > maxSessionTicketLifetime {
   650  		c.sendAlert(alertIllegalParameter)
   651  		return errors.New("tls: received a session ticket with invalid lifetime")
   652  	}
   653  
   654  	cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
   655  	if cipherSuite == nil || c.resumptionSecret == nil {
   656  		return c.sendAlert(alertInternalError)
   657  	}
   658  
   659  	// Save the resumption_master_secret and nonce instead of deriving the PSK
   660  	// to do the least amount of work on NewSessionTicket messages before we
   661  	// know if the ticket will be used. Forward secrecy of resumed connections
   662  	// is guaranteed by the requirement for pskModeDHE.
   663  	session := &ClientSessionState{
   664  		sessionTicket:      msg.label,
   665  		vers:               c.vers,
   666  		cipherSuite:        c.cipherSuite,
   667  		masterSecret:       c.resumptionSecret,
   668  		serverCertificates: c.peerCertificates,
   669  		verifiedChains:     c.verifiedChains,
   670  		receivedAt:         c.config.time(),
   671  		nonce:              msg.nonce,
   672  		useBy:              c.config.time().Add(lifetime),
   673  		ageAdd:             msg.ageAdd,
   674  		ocspResponse:       c.ocspResponse,
   675  		scts:               c.scts,
   676  	}
   677  
   678  	cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
   679  	c.config.ClientSessionCache.Put(cacheKey, session)
   680  
   681  	return nil
   682  }
   683
View as plain text