mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-23 22:27:38 -05:00
1201492222
* Updated lucas-clemente/quic-go for QUIC 39+ support * Update quic-go to latest
942 lines
34 KiB
Go
942 lines
34 KiB
Go
package mint
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"hash"
|
|
"time"
|
|
)
|
|
|
|
// Client State Machine
|
|
//
|
|
// START <----+
|
|
// Send ClientHello | | Recv HelloRetryRequest
|
|
// / v |
|
|
// | WAIT_SH ---+
|
|
// Can | | Recv ServerHello
|
|
// send | V
|
|
// early | WAIT_EE
|
|
// data | | Recv EncryptedExtensions
|
|
// | +--------+--------+
|
|
// | Using | | Using certificate
|
|
// | PSK | v
|
|
// | | WAIT_CERT_CR
|
|
// | | Recv | | Recv CertificateRequest
|
|
// | | Certificate | v
|
|
// | | | WAIT_CERT
|
|
// | | | | Recv Certificate
|
|
// | | v v
|
|
// | | WAIT_CV
|
|
// | | | Recv CertificateVerify
|
|
// | +> WAIT_FINISHED <+
|
|
// | | Recv Finished
|
|
// \ |
|
|
// | [Send EndOfEarlyData]
|
|
// | [Send Certificate [+ CertificateVerify]]
|
|
// | Send Finished
|
|
// Can send v
|
|
// app data --> CONNECTED
|
|
// after
|
|
// here
|
|
//
|
|
// State Instructions
|
|
// START Send(CH); [RekeyOut; SendEarlyData]
|
|
// WAIT_SH Send(CH) || RekeyIn
|
|
// WAIT_EE {}
|
|
// WAIT_CERT_CR {}
|
|
// WAIT_CERT {}
|
|
// WAIT_CV {}
|
|
// WAIT_FINISHED RekeyIn; [Send(EOED);] RekeyOut; [SendCert; SendCV;] SendFin; RekeyOut;
|
|
// CONNECTED StoreTicket || (RekeyIn; [RekeyOut])
|
|
|
|
type ClientStateStart struct {
|
|
Caps Capabilities
|
|
Opts ConnectionOptions
|
|
Params ConnectionParameters
|
|
|
|
cookie []byte
|
|
firstClientHello *HandshakeMessage
|
|
helloRetryRequest *HandshakeMessage
|
|
}
|
|
|
|
func (state ClientStateStart) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Unexpected non-nil message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
// key_shares
|
|
offeredDH := map[NamedGroup][]byte{}
|
|
ks := KeyShareExtension{
|
|
HandshakeType: HandshakeTypeClientHello,
|
|
Shares: make([]KeyShareEntry, len(state.Caps.Groups)),
|
|
}
|
|
for i, group := range state.Caps.Groups {
|
|
pub, priv, err := newKeyShare(group)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error generating key share [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
ks.Shares[i].Group = group
|
|
ks.Shares[i].KeyExchange = pub
|
|
offeredDH[group] = priv
|
|
}
|
|
|
|
logf(logTypeHandshake, "opts: %+v", state.Opts)
|
|
|
|
// supported_versions, supported_groups, signature_algorithms, server_name
|
|
sv := SupportedVersionsExtension{Versions: []uint16{supportedVersion}}
|
|
sni := ServerNameExtension(state.Opts.ServerName)
|
|
sg := SupportedGroupsExtension{Groups: state.Caps.Groups}
|
|
sa := SignatureAlgorithmsExtension{Algorithms: state.Caps.SignatureSchemes}
|
|
|
|
state.Params.ServerName = state.Opts.ServerName
|
|
|
|
// Application Layer Protocol Negotiation
|
|
var alpn *ALPNExtension
|
|
if (state.Opts.NextProtos != nil) && (len(state.Opts.NextProtos) > 0) {
|
|
alpn = &ALPNExtension{Protocols: state.Opts.NextProtos}
|
|
}
|
|
|
|
// Construct base ClientHello
|
|
ch := &ClientHelloBody{
|
|
CipherSuites: state.Caps.CipherSuites,
|
|
}
|
|
_, err := prng.Read(ch.Random[:])
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error creating ClientHello random [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
for _, ext := range []ExtensionBody{&sv, &sni, &ks, &sg, &sa} {
|
|
err := ch.Extensions.Add(ext)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error adding extension type=[%v] [%v]", ext.Type(), err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
// XXX: These optional extensions can't be folded into the above because Go
|
|
// interface-typed values are never reported as nil
|
|
if alpn != nil {
|
|
err := ch.Extensions.Add(alpn)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error adding ALPN extension [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
if state.cookie != nil {
|
|
err := ch.Extensions.Add(&CookieExtension{Cookie: state.cookie})
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error adding ALPN extension [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
// Run the external extension handler.
|
|
if state.Caps.ExtensionHandler != nil {
|
|
err := state.Caps.ExtensionHandler.Send(HandshakeTypeClientHello, &ch.Extensions)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error running external extension sender [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
// Handle PSK and EarlyData just before transmitting, so that we can
|
|
// calculate the PSK binder value
|
|
var psk *PreSharedKeyExtension
|
|
var ed *EarlyDataExtension
|
|
var offeredPSK PreSharedKey
|
|
var earlyHash crypto.Hash
|
|
var earlySecret []byte
|
|
var clientEarlyTrafficKeys keySet
|
|
var clientHello *HandshakeMessage
|
|
if key, ok := state.Caps.PSKs.Get(state.Opts.ServerName); ok {
|
|
offeredPSK = key
|
|
|
|
// Narrow ciphersuites to ones that match PSK hash
|
|
params, ok := cipherSuiteMap[key.CipherSuite]
|
|
if !ok {
|
|
logf(logTypeHandshake, "[ClientStateStart] PSK for unknown ciphersuite")
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
compatibleSuites := []CipherSuite{}
|
|
for _, suite := range ch.CipherSuites {
|
|
if cipherSuiteMap[suite].Hash == params.Hash {
|
|
compatibleSuites = append(compatibleSuites, suite)
|
|
}
|
|
}
|
|
ch.CipherSuites = compatibleSuites
|
|
|
|
// Signal early data if we're going to do it
|
|
if len(state.Opts.EarlyData) > 0 {
|
|
state.Params.ClientSendingEarlyData = true
|
|
ed = &EarlyDataExtension{}
|
|
err = ch.Extensions.Add(ed)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "Error adding early data extension: %v", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
// Signal supported PSK key exchange modes
|
|
if len(state.Caps.PSKModes) == 0 {
|
|
logf(logTypeHandshake, "PSK selected, but no PSKModes")
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
kem := &PSKKeyExchangeModesExtension{KEModes: state.Caps.PSKModes}
|
|
err = ch.Extensions.Add(kem)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "Error adding PSKKeyExchangeModes extension: %v", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
// Add the shim PSK extension to the ClientHello
|
|
logf(logTypeHandshake, "Adding PSK extension with id = %x", key.Identity)
|
|
psk = &PreSharedKeyExtension{
|
|
HandshakeType: HandshakeTypeClientHello,
|
|
Identities: []PSKIdentity{
|
|
{
|
|
Identity: key.Identity,
|
|
ObfuscatedTicketAge: uint32(time.Since(key.ReceivedAt)/time.Millisecond) + key.TicketAgeAdd,
|
|
},
|
|
},
|
|
Binders: []PSKBinderEntry{
|
|
// Note: Stub to get the length fields right
|
|
{Binder: bytes.Repeat([]byte{0x00}, params.Hash.Size())},
|
|
},
|
|
}
|
|
ch.Extensions.Add(psk)
|
|
|
|
// Compute the binder key
|
|
h0 := params.Hash.New().Sum(nil)
|
|
zero := bytes.Repeat([]byte{0}, params.Hash.Size())
|
|
|
|
earlyHash = params.Hash
|
|
earlySecret = HkdfExtract(params.Hash, zero, key.Key)
|
|
logf(logTypeCrypto, "early secret: [%d] %x", len(earlySecret), earlySecret)
|
|
|
|
binderLabel := labelExternalBinder
|
|
if key.IsResumption {
|
|
binderLabel = labelResumptionBinder
|
|
}
|
|
binderKey := deriveSecret(params, earlySecret, binderLabel, h0)
|
|
logf(logTypeCrypto, "binder key: [%d] %x", len(binderKey), binderKey)
|
|
|
|
// Compute the binder value
|
|
trunc, err := ch.Truncated()
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error marshaling truncated ClientHello [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
truncHash := params.Hash.New()
|
|
truncHash.Write(trunc)
|
|
|
|
binder := computeFinishedData(params, binderKey, truncHash.Sum(nil))
|
|
|
|
// Replace the PSK extension
|
|
psk.Binders[0].Binder = binder
|
|
ch.Extensions.Add(psk)
|
|
|
|
// If we got here, the earlier marshal succeeded (in ch.Truncated()), so
|
|
// this one should too.
|
|
clientHello, _ = HandshakeMessageFromBody(ch)
|
|
|
|
// Compute early traffic keys
|
|
h := params.Hash.New()
|
|
h.Write(clientHello.Marshal())
|
|
chHash := h.Sum(nil)
|
|
|
|
earlyTrafficSecret := deriveSecret(params, earlySecret, labelEarlyTrafficSecret, chHash)
|
|
logf(logTypeCrypto, "early traffic secret: [%d] %x", len(earlyTrafficSecret), earlyTrafficSecret)
|
|
clientEarlyTrafficKeys = makeTrafficKeys(params, earlyTrafficSecret)
|
|
} else if len(state.Opts.EarlyData) > 0 {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Early data without PSK")
|
|
return nil, nil, AlertInternalError
|
|
} else {
|
|
clientHello, err = HandshakeMessageFromBody(ch)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateStart] Error marshaling ClientHello [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
logf(logTypeHandshake, "[ClientStateStart] -> [ClientStateWaitSH]")
|
|
nextState := ClientStateWaitSH{
|
|
Caps: state.Caps,
|
|
Opts: state.Opts,
|
|
Params: state.Params,
|
|
OfferedDH: offeredDH,
|
|
OfferedPSK: offeredPSK,
|
|
|
|
earlySecret: earlySecret,
|
|
earlyHash: earlyHash,
|
|
|
|
firstClientHello: state.firstClientHello,
|
|
helloRetryRequest: state.helloRetryRequest,
|
|
clientHello: clientHello,
|
|
}
|
|
|
|
toSend := []HandshakeAction{
|
|
SendHandshakeMessage{clientHello},
|
|
}
|
|
if state.Params.ClientSendingEarlyData {
|
|
toSend = append(toSend, []HandshakeAction{
|
|
RekeyOut{Label: "early", KeySet: clientEarlyTrafficKeys},
|
|
SendEarlyData{},
|
|
}...)
|
|
}
|
|
|
|
return nextState, toSend, AlertNoAlert
|
|
}
|
|
|
|
type ClientStateWaitSH struct {
|
|
Caps Capabilities
|
|
Opts ConnectionOptions
|
|
Params ConnectionParameters
|
|
OfferedDH map[NamedGroup][]byte
|
|
OfferedPSK PreSharedKey
|
|
PSK []byte
|
|
|
|
earlySecret []byte
|
|
earlyHash crypto.Hash
|
|
|
|
firstClientHello *HandshakeMessage
|
|
helloRetryRequest *HandshakeMessage
|
|
clientHello *HandshakeMessage
|
|
}
|
|
|
|
func (state ClientStateWaitSH) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm == nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Unexpected nil message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
bodyGeneric, err := hm.ToBody()
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Error decoding message: %v", err)
|
|
return nil, nil, AlertDecodeError
|
|
}
|
|
|
|
switch body := bodyGeneric.(type) {
|
|
case *HelloRetryRequestBody:
|
|
hrr := body
|
|
|
|
if state.helloRetryRequest != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Received a second HelloRetryRequest")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
// Check that the version sent by the server is the one we support
|
|
if hrr.Version != supportedVersion {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Unsupported version [%v]", hrr.Version)
|
|
return nil, nil, AlertProtocolVersion
|
|
}
|
|
|
|
// Check that the server provided a supported ciphersuite
|
|
supportedCipherSuite := false
|
|
for _, suite := range state.Caps.CipherSuites {
|
|
supportedCipherSuite = supportedCipherSuite || (suite == hrr.CipherSuite)
|
|
}
|
|
if !supportedCipherSuite {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Unsupported ciphersuite [%04x]", hrr.CipherSuite)
|
|
return nil, nil, AlertHandshakeFailure
|
|
}
|
|
|
|
// Narrow the supported ciphersuites to the server-provided one
|
|
state.Caps.CipherSuites = []CipherSuite{hrr.CipherSuite}
|
|
|
|
// Handle external extensions.
|
|
if state.Caps.ExtensionHandler != nil {
|
|
err := state.Caps.ExtensionHandler.Receive(HandshakeTypeHelloRetryRequest, &hrr.Extensions)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientWaitSH] Error running external extension handler [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
// The only thing we know how to respond to in an HRR is the Cookie
|
|
// extension, so if there is either no Cookie extension or anything other
|
|
// than a Cookie extension, we have to fail.
|
|
serverCookie := new(CookieExtension)
|
|
foundCookie := hrr.Extensions.Find(serverCookie)
|
|
if !foundCookie || len(hrr.Extensions) != 1 {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] No Cookie or extra extensions [%v] [%d]", foundCookie, len(hrr.Extensions))
|
|
return nil, nil, AlertIllegalParameter
|
|
}
|
|
|
|
// Hash the body into a pseudo-message
|
|
// XXX: Ignoring some errors here
|
|
params := cipherSuiteMap[hrr.CipherSuite]
|
|
h := params.Hash.New()
|
|
h.Write(state.clientHello.Marshal())
|
|
firstClientHello := &HandshakeMessage{
|
|
msgType: HandshakeTypeMessageHash,
|
|
body: h.Sum(nil),
|
|
}
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateStart]")
|
|
return ClientStateStart{
|
|
Caps: state.Caps,
|
|
Opts: state.Opts,
|
|
cookie: serverCookie.Cookie,
|
|
firstClientHello: firstClientHello,
|
|
helloRetryRequest: hm,
|
|
}.Next(nil)
|
|
|
|
case *ServerHelloBody:
|
|
sh := body
|
|
|
|
// Check that the version sent by the server is the one we support
|
|
if sh.Version != supportedVersion {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Unsupported version [%v]", sh.Version)
|
|
return nil, nil, AlertProtocolVersion
|
|
}
|
|
|
|
// Check that the server provided a supported ciphersuite
|
|
supportedCipherSuite := false
|
|
for _, suite := range state.Caps.CipherSuites {
|
|
supportedCipherSuite = supportedCipherSuite || (suite == sh.CipherSuite)
|
|
}
|
|
if !supportedCipherSuite {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Unsupported ciphersuite [%04x]", sh.CipherSuite)
|
|
return nil, nil, AlertHandshakeFailure
|
|
}
|
|
|
|
// Handle external extensions.
|
|
if state.Caps.ExtensionHandler != nil {
|
|
err := state.Caps.ExtensionHandler.Receive(HandshakeTypeServerHello, &sh.Extensions)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientWaitSH] Error running external extension handler [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
// Do PSK or key agreement depending on extensions
|
|
serverPSK := PreSharedKeyExtension{HandshakeType: HandshakeTypeServerHello}
|
|
serverKeyShare := KeyShareExtension{HandshakeType: HandshakeTypeServerHello}
|
|
|
|
foundPSK := sh.Extensions.Find(&serverPSK)
|
|
foundKeyShare := sh.Extensions.Find(&serverKeyShare)
|
|
|
|
if foundPSK && (serverPSK.SelectedIdentity == 0) {
|
|
state.Params.UsingPSK = true
|
|
}
|
|
|
|
var dhSecret []byte
|
|
if foundKeyShare {
|
|
sks := serverKeyShare.Shares[0]
|
|
priv, ok := state.OfferedDH[sks.Group]
|
|
if !ok {
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Key share for unknown group")
|
|
return nil, nil, AlertIllegalParameter
|
|
}
|
|
|
|
state.Params.UsingDH = true
|
|
dhSecret, _ = keyAgreement(sks.Group, sks.KeyExchange, priv)
|
|
}
|
|
|
|
suite := sh.CipherSuite
|
|
state.Params.CipherSuite = suite
|
|
|
|
params, ok := cipherSuiteMap[suite]
|
|
if !ok {
|
|
logf(logTypeCrypto, "Unsupported ciphersuite [%04x]", suite)
|
|
return nil, nil, AlertHandshakeFailure
|
|
}
|
|
|
|
// Start up the handshake hash
|
|
handshakeHash := params.Hash.New()
|
|
handshakeHash.Write(state.firstClientHello.Marshal())
|
|
handshakeHash.Write(state.helloRetryRequest.Marshal())
|
|
handshakeHash.Write(state.clientHello.Marshal())
|
|
handshakeHash.Write(hm.Marshal())
|
|
|
|
// Compute handshake secrets
|
|
zero := bytes.Repeat([]byte{0}, params.Hash.Size())
|
|
|
|
var earlySecret []byte
|
|
if state.Params.UsingPSK {
|
|
if params.Hash != state.earlyHash {
|
|
logf(logTypeCrypto, "Change of hash between early and normal init early=[%02x] suite=[%04x] hash=[%02x]",
|
|
state.earlyHash, suite, params.Hash)
|
|
}
|
|
|
|
earlySecret = state.earlySecret
|
|
} else {
|
|
earlySecret = HkdfExtract(params.Hash, zero, zero)
|
|
}
|
|
|
|
if dhSecret == nil {
|
|
dhSecret = zero
|
|
}
|
|
|
|
h0 := params.Hash.New().Sum(nil)
|
|
h2 := handshakeHash.Sum(nil)
|
|
preHandshakeSecret := deriveSecret(params, earlySecret, labelDerived, h0)
|
|
handshakeSecret := HkdfExtract(params.Hash, preHandshakeSecret, dhSecret)
|
|
clientHandshakeTrafficSecret := deriveSecret(params, handshakeSecret, labelClientHandshakeTrafficSecret, h2)
|
|
serverHandshakeTrafficSecret := deriveSecret(params, handshakeSecret, labelServerHandshakeTrafficSecret, h2)
|
|
preMasterSecret := deriveSecret(params, handshakeSecret, labelDerived, h0)
|
|
masterSecret := HkdfExtract(params.Hash, preMasterSecret, zero)
|
|
|
|
logf(logTypeCrypto, "early secret: [%d] %x", len(earlySecret), earlySecret)
|
|
logf(logTypeCrypto, "handshake secret: [%d] %x", len(handshakeSecret), handshakeSecret)
|
|
logf(logTypeCrypto, "client handshake traffic secret: [%d] %x", len(clientHandshakeTrafficSecret), clientHandshakeTrafficSecret)
|
|
logf(logTypeCrypto, "server handshake traffic secret: [%d] %x", len(serverHandshakeTrafficSecret), serverHandshakeTrafficSecret)
|
|
logf(logTypeCrypto, "master secret: [%d] %x", len(masterSecret), masterSecret)
|
|
|
|
serverHandshakeKeys := makeTrafficKeys(params, serverHandshakeTrafficSecret)
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] -> [ClientStateWaitEE]")
|
|
nextState := ClientStateWaitEE{
|
|
Caps: state.Caps,
|
|
Params: state.Params,
|
|
cryptoParams: params,
|
|
handshakeHash: handshakeHash,
|
|
certificates: state.Caps.Certificates,
|
|
masterSecret: masterSecret,
|
|
clientHandshakeTrafficSecret: clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: serverHandshakeTrafficSecret,
|
|
}
|
|
toSend := []HandshakeAction{
|
|
RekeyIn{Label: "handshake", KeySet: serverHandshakeKeys},
|
|
}
|
|
return nextState, toSend, AlertNoAlert
|
|
}
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitSH] Unexpected message [%d]", hm.msgType)
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
type ClientStateWaitEE struct {
|
|
Caps Capabilities
|
|
AuthCertificate func(chain []CertificateEntry) error
|
|
Params ConnectionParameters
|
|
cryptoParams CipherSuiteParams
|
|
handshakeHash hash.Hash
|
|
certificates []*Certificate
|
|
masterSecret []byte
|
|
clientHandshakeTrafficSecret []byte
|
|
serverHandshakeTrafficSecret []byte
|
|
}
|
|
|
|
func (state ClientStateWaitEE) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm == nil || hm.msgType != HandshakeTypeEncryptedExtensions {
|
|
logf(logTypeHandshake, "[ClientStateWaitEE] Unexpected message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
ee := EncryptedExtensionsBody{}
|
|
_, err := ee.Unmarshal(hm.body)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitEE] Error decoding message: %v", err)
|
|
return nil, nil, AlertDecodeError
|
|
}
|
|
|
|
// Handle external extensions.
|
|
if state.Caps.ExtensionHandler != nil {
|
|
err := state.Caps.ExtensionHandler.Receive(HandshakeTypeEncryptedExtensions, &ee.Extensions)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientWaitStateEE] Error running external extension handler [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
}
|
|
|
|
serverALPN := ALPNExtension{}
|
|
serverEarlyData := EarlyDataExtension{}
|
|
|
|
gotALPN := ee.Extensions.Find(&serverALPN)
|
|
state.Params.UsingEarlyData = ee.Extensions.Find(&serverEarlyData)
|
|
|
|
if gotALPN && len(serverALPN.Protocols) > 0 {
|
|
state.Params.NextProto = serverALPN.Protocols[0]
|
|
}
|
|
|
|
state.handshakeHash.Write(hm.Marshal())
|
|
|
|
if state.Params.UsingPSK {
|
|
logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitFinished]")
|
|
nextState := ClientStateWaitFinished{
|
|
Params: state.Params,
|
|
cryptoParams: state.cryptoParams,
|
|
handshakeHash: state.handshakeHash,
|
|
certificates: state.certificates,
|
|
masterSecret: state.masterSecret,
|
|
clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
|
|
}
|
|
return nextState, nil, AlertNoAlert
|
|
}
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitEE] -> [ClientStateWaitCertCR]")
|
|
nextState := ClientStateWaitCertCR{
|
|
AuthCertificate: state.AuthCertificate,
|
|
Params: state.Params,
|
|
cryptoParams: state.cryptoParams,
|
|
handshakeHash: state.handshakeHash,
|
|
certificates: state.certificates,
|
|
masterSecret: state.masterSecret,
|
|
clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
|
|
}
|
|
return nextState, nil, AlertNoAlert
|
|
}
|
|
|
|
type ClientStateWaitCertCR struct {
|
|
AuthCertificate func(chain []CertificateEntry) error
|
|
Params ConnectionParameters
|
|
cryptoParams CipherSuiteParams
|
|
handshakeHash hash.Hash
|
|
certificates []*Certificate
|
|
masterSecret []byte
|
|
clientHandshakeTrafficSecret []byte
|
|
serverHandshakeTrafficSecret []byte
|
|
}
|
|
|
|
func (state ClientStateWaitCertCR) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm == nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitCertCR] Unexpected message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
bodyGeneric, err := hm.ToBody()
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitCertCR] Error decoding message: %v", err)
|
|
return nil, nil, AlertDecodeError
|
|
}
|
|
|
|
state.handshakeHash.Write(hm.Marshal())
|
|
|
|
switch body := bodyGeneric.(type) {
|
|
case *CertificateBody:
|
|
logf(logTypeHandshake, "[ClientStateWaitCertCR] -> [ClientStateWaitCV]")
|
|
nextState := ClientStateWaitCV{
|
|
AuthCertificate: state.AuthCertificate,
|
|
Params: state.Params,
|
|
cryptoParams: state.cryptoParams,
|
|
handshakeHash: state.handshakeHash,
|
|
certificates: state.certificates,
|
|
serverCertificate: body,
|
|
masterSecret: state.masterSecret,
|
|
clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
|
|
}
|
|
return nextState, nil, AlertNoAlert
|
|
|
|
case *CertificateRequestBody:
|
|
// A certificate request in the handshake should have a zero-length context
|
|
if len(body.CertificateRequestContext) > 0 {
|
|
logf(logTypeHandshake, "[ClientStateWaitCertCR] Certificate request with non-empty context: %v", err)
|
|
return nil, nil, AlertIllegalParameter
|
|
}
|
|
|
|
state.Params.UsingClientAuth = true
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitCertCR] -> [ClientStateWaitCert]")
|
|
nextState := ClientStateWaitCert{
|
|
AuthCertificate: state.AuthCertificate,
|
|
Params: state.Params,
|
|
cryptoParams: state.cryptoParams,
|
|
handshakeHash: state.handshakeHash,
|
|
certificates: state.certificates,
|
|
serverCertificateRequest: body,
|
|
masterSecret: state.masterSecret,
|
|
clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
|
|
}
|
|
return nextState, nil, AlertNoAlert
|
|
}
|
|
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
type ClientStateWaitCert struct {
|
|
AuthCertificate func(chain []CertificateEntry) error
|
|
Params ConnectionParameters
|
|
cryptoParams CipherSuiteParams
|
|
handshakeHash hash.Hash
|
|
|
|
certificates []*Certificate
|
|
serverCertificateRequest *CertificateRequestBody
|
|
|
|
masterSecret []byte
|
|
clientHandshakeTrafficSecret []byte
|
|
serverHandshakeTrafficSecret []byte
|
|
}
|
|
|
|
func (state ClientStateWaitCert) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm == nil || hm.msgType != HandshakeTypeCertificate {
|
|
logf(logTypeHandshake, "[ClientStateWaitCert] Unexpected message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
cert := &CertificateBody{}
|
|
_, err := cert.Unmarshal(hm.body)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitCert] Error decoding message: %v", err)
|
|
return nil, nil, AlertDecodeError
|
|
}
|
|
|
|
state.handshakeHash.Write(hm.Marshal())
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitCert] -> [ClientStateWaitCV]")
|
|
nextState := ClientStateWaitCV{
|
|
AuthCertificate: state.AuthCertificate,
|
|
Params: state.Params,
|
|
cryptoParams: state.cryptoParams,
|
|
handshakeHash: state.handshakeHash,
|
|
certificates: state.certificates,
|
|
serverCertificate: cert,
|
|
serverCertificateRequest: state.serverCertificateRequest,
|
|
masterSecret: state.masterSecret,
|
|
clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
|
|
}
|
|
return nextState, nil, AlertNoAlert
|
|
}
|
|
|
|
type ClientStateWaitCV struct {
|
|
AuthCertificate func(chain []CertificateEntry) error
|
|
Params ConnectionParameters
|
|
cryptoParams CipherSuiteParams
|
|
handshakeHash hash.Hash
|
|
|
|
certificates []*Certificate
|
|
serverCertificate *CertificateBody
|
|
serverCertificateRequest *CertificateRequestBody
|
|
|
|
masterSecret []byte
|
|
clientHandshakeTrafficSecret []byte
|
|
serverHandshakeTrafficSecret []byte
|
|
}
|
|
|
|
func (state ClientStateWaitCV) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm == nil || hm.msgType != HandshakeTypeCertificateVerify {
|
|
logf(logTypeHandshake, "[ClientStateWaitCV] Unexpected message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
certVerify := CertificateVerifyBody{}
|
|
_, err := certVerify.Unmarshal(hm.body)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitCV] Error decoding message: %v", err)
|
|
return nil, nil, AlertDecodeError
|
|
}
|
|
|
|
hcv := state.handshakeHash.Sum(nil)
|
|
logf(logTypeHandshake, "Handshake Hash to be verified: [%d] %x", len(hcv), hcv)
|
|
|
|
serverPublicKey := state.serverCertificate.CertificateList[0].CertData.PublicKey
|
|
if err := certVerify.Verify(serverPublicKey, hcv); err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitCV] Server signature failed to verify")
|
|
return nil, nil, AlertHandshakeFailure
|
|
}
|
|
|
|
if state.AuthCertificate != nil {
|
|
err := state.AuthCertificate(state.serverCertificate.CertificateList)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitCV] Application rejected server certificate")
|
|
return nil, nil, AlertBadCertificate
|
|
}
|
|
} else {
|
|
logf(logTypeHandshake, "[ClientStateWaitCV] WARNING: No verification of server certificate")
|
|
}
|
|
|
|
state.handshakeHash.Write(hm.Marshal())
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitCV] -> [ClientStateWaitFinished]")
|
|
nextState := ClientStateWaitFinished{
|
|
Params: state.Params,
|
|
cryptoParams: state.cryptoParams,
|
|
handshakeHash: state.handshakeHash,
|
|
certificates: state.certificates,
|
|
serverCertificateRequest: state.serverCertificateRequest,
|
|
masterSecret: state.masterSecret,
|
|
clientHandshakeTrafficSecret: state.clientHandshakeTrafficSecret,
|
|
serverHandshakeTrafficSecret: state.serverHandshakeTrafficSecret,
|
|
}
|
|
return nextState, nil, AlertNoAlert
|
|
}
|
|
|
|
type ClientStateWaitFinished struct {
|
|
Params ConnectionParameters
|
|
cryptoParams CipherSuiteParams
|
|
handshakeHash hash.Hash
|
|
|
|
certificates []*Certificate
|
|
serverCertificateRequest *CertificateRequestBody
|
|
|
|
masterSecret []byte
|
|
clientHandshakeTrafficSecret []byte
|
|
serverHandshakeTrafficSecret []byte
|
|
}
|
|
|
|
func (state ClientStateWaitFinished) Next(hm *HandshakeMessage) (HandshakeState, []HandshakeAction, Alert) {
|
|
if hm == nil || hm.msgType != HandshakeTypeFinished {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Unexpected message")
|
|
return nil, nil, AlertUnexpectedMessage
|
|
}
|
|
|
|
// Verify server's Finished
|
|
h3 := state.handshakeHash.Sum(nil)
|
|
logf(logTypeCrypto, "handshake hash 3 [%d] %x", len(h3), h3)
|
|
logf(logTypeCrypto, "handshake hash for server Finished: [%d] %x", len(h3), h3)
|
|
|
|
serverFinishedData := computeFinishedData(state.cryptoParams, state.serverHandshakeTrafficSecret, h3)
|
|
logf(logTypeCrypto, "server finished data: [%d] %x", len(serverFinishedData), serverFinishedData)
|
|
|
|
fin := &FinishedBody{VerifyDataLen: len(serverFinishedData)}
|
|
_, err := fin.Unmarshal(hm.body)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Error decoding message: %v", err)
|
|
return nil, nil, AlertDecodeError
|
|
}
|
|
|
|
if !bytes.Equal(fin.VerifyData, serverFinishedData) {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Server's Finished failed to verify [%x] != [%x]",
|
|
fin.VerifyData, serverFinishedData)
|
|
return nil, nil, AlertHandshakeFailure
|
|
}
|
|
|
|
// Update the handshake hash with the Finished
|
|
state.handshakeHash.Write(hm.Marshal())
|
|
logf(logTypeCrypto, "input to handshake hash [%d]: %x", len(hm.Marshal()), hm.Marshal())
|
|
h4 := state.handshakeHash.Sum(nil)
|
|
logf(logTypeCrypto, "handshake hash 4 [%d]: %x", len(h4), h4)
|
|
|
|
// Compute traffic secrets and keys
|
|
clientTrafficSecret := deriveSecret(state.cryptoParams, state.masterSecret, labelClientApplicationTrafficSecret, h4)
|
|
serverTrafficSecret := deriveSecret(state.cryptoParams, state.masterSecret, labelServerApplicationTrafficSecret, h4)
|
|
logf(logTypeCrypto, "client traffic secret: [%d] %x", len(clientTrafficSecret), clientTrafficSecret)
|
|
logf(logTypeCrypto, "server traffic secret: [%d] %x", len(serverTrafficSecret), serverTrafficSecret)
|
|
|
|
clientTrafficKeys := makeTrafficKeys(state.cryptoParams, clientTrafficSecret)
|
|
serverTrafficKeys := makeTrafficKeys(state.cryptoParams, serverTrafficSecret)
|
|
|
|
exporterSecret := deriveSecret(state.cryptoParams, state.masterSecret, labelExporterSecret, h4)
|
|
logf(logTypeCrypto, "client exporter secret: [%d] %x", len(exporterSecret), exporterSecret)
|
|
|
|
// Assemble client's second flight
|
|
toSend := []HandshakeAction{}
|
|
|
|
if state.Params.UsingEarlyData {
|
|
// Note: We only send EOED if the server is actually going to use the early
|
|
// data. Otherwise, it will never see it, and the transcripts will
|
|
// mismatch.
|
|
// EOED marshal is infallible
|
|
eoedm, _ := HandshakeMessageFromBody(&EndOfEarlyDataBody{})
|
|
toSend = append(toSend, SendHandshakeMessage{eoedm})
|
|
state.handshakeHash.Write(eoedm.Marshal())
|
|
logf(logTypeCrypto, "input to handshake hash [%d]: %x", len(eoedm.Marshal()), eoedm.Marshal())
|
|
}
|
|
|
|
clientHandshakeKeys := makeTrafficKeys(state.cryptoParams, state.clientHandshakeTrafficSecret)
|
|
toSend = append(toSend, RekeyOut{Label: "handshake", KeySet: clientHandshakeKeys})
|
|
|
|
if state.Params.UsingClientAuth {
|
|
// Extract constraints from certicateRequest
|
|
schemes := SignatureAlgorithmsExtension{}
|
|
gotSchemes := state.serverCertificateRequest.Extensions.Find(&schemes)
|
|
if !gotSchemes {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] WARNING no appropriate certificate found [%v]", err)
|
|
return nil, nil, AlertIllegalParameter
|
|
}
|
|
|
|
// Select a certificate
|
|
cert, certScheme, err := CertificateSelection(nil, schemes.Algorithms, state.certificates)
|
|
if err != nil {
|
|
// XXX: Signal this to the application layer?
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] WARNING no appropriate certificate found [%v]", err)
|
|
|
|
certificate := &CertificateBody{}
|
|
certm, err := HandshakeMessageFromBody(certificate)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Error marshaling Certificate [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
toSend = append(toSend, SendHandshakeMessage{certm})
|
|
state.handshakeHash.Write(certm.Marshal())
|
|
} else {
|
|
// Create and send Certificate, CertificateVerify
|
|
certificate := &CertificateBody{
|
|
CertificateList: make([]CertificateEntry, len(cert.Chain)),
|
|
}
|
|
for i, entry := range cert.Chain {
|
|
certificate.CertificateList[i] = CertificateEntry{CertData: entry}
|
|
}
|
|
certm, err := HandshakeMessageFromBody(certificate)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Error marshaling Certificate [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
toSend = append(toSend, SendHandshakeMessage{certm})
|
|
state.handshakeHash.Write(certm.Marshal())
|
|
|
|
hcv := state.handshakeHash.Sum(nil)
|
|
logf(logTypeHandshake, "Handshake Hash to be verified: [%d] %x", len(hcv), hcv)
|
|
|
|
certificateVerify := &CertificateVerifyBody{Algorithm: certScheme}
|
|
logf(logTypeHandshake, "Creating CertVerify: %04x %v", certScheme, state.cryptoParams.Hash)
|
|
|
|
err = certificateVerify.Sign(cert.PrivateKey, hcv)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Error signing CertificateVerify [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
certvm, err := HandshakeMessageFromBody(certificateVerify)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Error marshaling CertificateVerify [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
toSend = append(toSend, SendHandshakeMessage{certvm})
|
|
state.handshakeHash.Write(certvm.Marshal())
|
|
}
|
|
}
|
|
|
|
// Compute the client's Finished message
|
|
h5 := state.handshakeHash.Sum(nil)
|
|
logf(logTypeCrypto, "handshake hash for client Finished: [%d] %x", len(h5), h5)
|
|
|
|
clientFinishedData := computeFinishedData(state.cryptoParams, state.clientHandshakeTrafficSecret, h5)
|
|
logf(logTypeCrypto, "client Finished data: [%d] %x", len(clientFinishedData), clientFinishedData)
|
|
|
|
fin = &FinishedBody{
|
|
VerifyDataLen: len(clientFinishedData),
|
|
VerifyData: clientFinishedData,
|
|
}
|
|
finm, err := HandshakeMessageFromBody(fin)
|
|
if err != nil {
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] Error marshaling client Finished [%v]", err)
|
|
return nil, nil, AlertInternalError
|
|
}
|
|
|
|
// Compute the resumption secret
|
|
state.handshakeHash.Write(finm.Marshal())
|
|
h6 := state.handshakeHash.Sum(nil)
|
|
|
|
resumptionSecret := deriveSecret(state.cryptoParams, state.masterSecret, labelResumptionSecret, h6)
|
|
logf(logTypeCrypto, "resumption secret: [%d] %x", len(resumptionSecret), resumptionSecret)
|
|
|
|
toSend = append(toSend, []HandshakeAction{
|
|
SendHandshakeMessage{finm},
|
|
RekeyIn{Label: "application", KeySet: serverTrafficKeys},
|
|
RekeyOut{Label: "application", KeySet: clientTrafficKeys},
|
|
}...)
|
|
|
|
logf(logTypeHandshake, "[ClientStateWaitFinished] -> [StateConnected]")
|
|
nextState := StateConnected{
|
|
Params: state.Params,
|
|
isClient: true,
|
|
cryptoParams: state.cryptoParams,
|
|
resumptionSecret: resumptionSecret,
|
|
clientTrafficSecret: clientTrafficSecret,
|
|
serverTrafficSecret: serverTrafficSecret,
|
|
exporterSecret: exporterSecret,
|
|
}
|
|
return nextState, toSend, AlertNoAlert
|
|
}
|