Source file
src/crypto/tls/handshake_server.go
1
2
3
4
5 package tls
6
7 import (
8 "context"
9 "crypto"
10 "crypto/ecdsa"
11 "crypto/ed25519"
12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
15 "errors"
16 "fmt"
17 "hash"
18 "internal/byteorder"
19 "io"
20 "time"
21 )
22
23
24
25 type serverHandshakeState struct {
26 c *Conn
27 ctx context.Context
28 clientHello *clientHelloMsg
29 hello *serverHelloMsg
30 suite *cipherSuite
31 ecdheOk bool
32 ecSignOk bool
33 rsaDecryptOk bool
34 rsaSignOk bool
35 sessionState *SessionState
36 finishedHash finishedHash
37 masterSecret []byte
38 cert *Certificate
39 }
40
41
42 func (c *Conn) serverHandshake(ctx context.Context) error {
43 clientHello, err := c.readClientHello(ctx)
44 if err != nil {
45 return err
46 }
47
48 if c.vers == VersionTLS13 {
49 hs := serverHandshakeStateTLS13{
50 c: c,
51 ctx: ctx,
52 clientHello: clientHello,
53 }
54 return hs.handshake()
55 }
56
57 hs := serverHandshakeState{
58 c: c,
59 ctx: ctx,
60 clientHello: clientHello,
61 }
62 return hs.handshake()
63 }
64
65 func (hs *serverHandshakeState) handshake() error {
66 c := hs.c
67
68 if err := hs.processClientHello(); err != nil {
69 return err
70 }
71
72
73 c.buffering = true
74 if err := hs.checkForResumption(); err != nil {
75 return err
76 }
77 if hs.sessionState != nil {
78
79 if err := hs.doResumeHandshake(); err != nil {
80 return err
81 }
82 if err := hs.establishKeys(); err != nil {
83 return err
84 }
85 if err := hs.sendSessionTicket(); err != nil {
86 return err
87 }
88 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
89 return err
90 }
91 if _, err := c.flush(); err != nil {
92 return err
93 }
94 c.clientFinishedIsFirst = false
95 if err := hs.readFinished(nil); err != nil {
96 return err
97 }
98 } else {
99
100
101 if err := hs.pickCipherSuite(); err != nil {
102 return err
103 }
104 if err := hs.doFullHandshake(); err != nil {
105 return err
106 }
107 if err := hs.establishKeys(); err != nil {
108 return err
109 }
110 if err := hs.readFinished(c.clientFinished[:]); err != nil {
111 return err
112 }
113 c.clientFinishedIsFirst = true
114 c.buffering = true
115 if err := hs.sendSessionTicket(); err != nil {
116 return err
117 }
118 if err := hs.sendFinished(nil); err != nil {
119 return err
120 }
121 if _, err := c.flush(); err != nil {
122 return err
123 }
124 }
125
126 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
127 c.isHandshakeComplete.Store(true)
128
129 return nil
130 }
131
132
133 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
134
135
136 msg, err := c.readHandshake(nil)
137 if err != nil {
138 return nil, err
139 }
140 clientHello, ok := msg.(*clientHelloMsg)
141 if !ok {
142 c.sendAlert(alertUnexpectedMessage)
143 return nil, unexpectedMessageError(clientHello, msg)
144 }
145
146 var configForClient *Config
147 originalConfig := c.config
148 if c.config.GetConfigForClient != nil {
149 chi := clientHelloInfo(ctx, c, clientHello)
150 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
151 c.sendAlert(alertInternalError)
152 return nil, err
153 } else if configForClient != nil {
154 c.config = configForClient
155 }
156 }
157 c.ticketKeys = originalConfig.ticketKeys(configForClient)
158
159 clientVersions := clientHello.supportedVersions
160 if len(clientHello.supportedVersions) == 0 {
161 clientVersions = supportedVersionsFromMax(clientHello.vers)
162 }
163 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
164 if !ok {
165 c.sendAlert(alertProtocolVersion)
166 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
167 }
168 c.haveVers = true
169 c.in.version = c.vers
170 c.out.version = c.vers
171
172 if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
173 tls10server.Value()
174 tls10server.IncNonDefault()
175 }
176
177 return clientHello, nil
178 }
179
180 func (hs *serverHandshakeState) processClientHello() error {
181 c := hs.c
182
183 hs.hello = new(serverHelloMsg)
184 hs.hello.vers = c.vers
185
186 foundCompression := false
187
188 for _, compression := range hs.clientHello.compressionMethods {
189 if compression == compressionNone {
190 foundCompression = true
191 break
192 }
193 }
194
195 if !foundCompression {
196 c.sendAlert(alertHandshakeFailure)
197 return errors.New("tls: client does not support uncompressed connections")
198 }
199
200 hs.hello.random = make([]byte, 32)
201 serverRandom := hs.hello.random
202
203 maxVers := c.config.maxSupportedVersion(roleServer)
204 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
205 if c.vers == VersionTLS12 {
206 copy(serverRandom[24:], downgradeCanaryTLS12)
207 } else {
208 copy(serverRandom[24:], downgradeCanaryTLS11)
209 }
210 serverRandom = serverRandom[:24]
211 }
212 _, err := io.ReadFull(c.config.rand(), serverRandom)
213 if err != nil {
214 c.sendAlert(alertInternalError)
215 return err
216 }
217
218 if len(hs.clientHello.secureRenegotiation) != 0 {
219 c.sendAlert(alertHandshakeFailure)
220 return errors.New("tls: initial handshake had non-empty renegotiation extension")
221 }
222
223 hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
224 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
225 hs.hello.compressionMethod = compressionNone
226 if len(hs.clientHello.serverName) > 0 {
227 c.serverName = hs.clientHello.serverName
228 }
229
230 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
231 if err != nil {
232 c.sendAlert(alertNoApplicationProtocol)
233 return err
234 }
235 hs.hello.alpnProtocol = selectedProto
236 c.clientProtocol = selectedProto
237
238 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
239 if err != nil {
240 if err == errNoCertificates {
241 c.sendAlert(alertUnrecognizedName)
242 } else {
243 c.sendAlert(alertInternalError)
244 }
245 return err
246 }
247 if hs.clientHello.scts {
248 hs.hello.scts = hs.cert.SignedCertificateTimestamps
249 }
250
251 hs.ecdheOk = supportsECDHE(c.config, c.vers, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
252
253 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
254
255
256
257
258
259 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
260 }
261
262 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
263 switch priv.Public().(type) {
264 case *ecdsa.PublicKey:
265 hs.ecSignOk = true
266 case ed25519.PublicKey:
267 hs.ecSignOk = true
268 case *rsa.PublicKey:
269 hs.rsaSignOk = true
270 default:
271 c.sendAlert(alertInternalError)
272 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
273 }
274 }
275 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
276 switch priv.Public().(type) {
277 case *rsa.PublicKey:
278 hs.rsaDecryptOk = true
279 default:
280 c.sendAlert(alertInternalError)
281 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
282 }
283 }
284
285 return nil
286 }
287
288
289
290
291 func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
292 if len(serverProtos) == 0 || len(clientProtos) == 0 {
293 if quic && len(serverProtos) != 0 {
294
295 return "", fmt.Errorf("tls: client did not request an application protocol")
296 }
297 return "", nil
298 }
299 var http11fallback bool
300 for _, s := range serverProtos {
301 for _, c := range clientProtos {
302 if s == c {
303 return s, nil
304 }
305 if s == "h2" && c == "http/1.1" {
306 http11fallback = true
307 }
308 }
309 }
310
311
312
313
314 if http11fallback {
315 return "", nil
316 }
317 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
318 }
319
320
321
322 func supportsECDHE(c *Config, version uint16, supportedCurves []CurveID, supportedPoints []uint8) bool {
323 supportsCurve := false
324 for _, curve := range supportedCurves {
325 if c.supportsCurve(version, curve) {
326 supportsCurve = true
327 break
328 }
329 }
330
331 supportsPointFormat := false
332 for _, pointFormat := range supportedPoints {
333 if pointFormat == pointFormatUncompressed {
334 supportsPointFormat = true
335 break
336 }
337 }
338
339
340
341
342 if len(supportedPoints) == 0 {
343 supportsPointFormat = true
344 }
345
346 return supportsCurve && supportsPointFormat
347 }
348
349 func (hs *serverHandshakeState) pickCipherSuite() error {
350 c := hs.c
351
352 preferenceOrder := cipherSuitesPreferenceOrder
353 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
354 preferenceOrder = cipherSuitesPreferenceOrderNoAES
355 }
356
357 configCipherSuites := c.config.cipherSuites()
358 preferenceList := make([]uint16, 0, len(configCipherSuites))
359 for _, suiteID := range preferenceOrder {
360 for _, id := range configCipherSuites {
361 if id == suiteID {
362 preferenceList = append(preferenceList, id)
363 break
364 }
365 }
366 }
367
368 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
369 if hs.suite == nil {
370 c.sendAlert(alertHandshakeFailure)
371 return errors.New("tls: no cipher suite supported by both client and server")
372 }
373 c.cipherSuite = hs.suite.id
374
375 if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
376 tlsrsakex.Value()
377 tlsrsakex.IncNonDefault()
378 }
379 if c.config.CipherSuites == nil && !needFIPS() && tdesCiphers[hs.suite.id] {
380 tls3des.Value()
381 tls3des.IncNonDefault()
382 }
383
384 for _, id := range hs.clientHello.cipherSuites {
385 if id == TLS_FALLBACK_SCSV {
386
387 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
388 c.sendAlert(alertInappropriateFallback)
389 return errors.New("tls: client using inappropriate protocol fallback")
390 }
391 break
392 }
393 }
394
395 return nil
396 }
397
398 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
399 if c.flags&suiteECDHE != 0 {
400 if !hs.ecdheOk {
401 return false
402 }
403 if c.flags&suiteECSign != 0 {
404 if !hs.ecSignOk {
405 return false
406 }
407 } else if !hs.rsaSignOk {
408 return false
409 }
410 } else if !hs.rsaDecryptOk {
411 return false
412 }
413 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
414 return false
415 }
416 return true
417 }
418
419
420 func (hs *serverHandshakeState) checkForResumption() error {
421 c := hs.c
422
423 if c.config.SessionTicketsDisabled {
424 return nil
425 }
426
427 var sessionState *SessionState
428 if c.config.UnwrapSession != nil {
429 ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
430 if err != nil {
431 return err
432 }
433 if ss == nil {
434 return nil
435 }
436 sessionState = ss
437 } else {
438 plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
439 if plaintext == nil {
440 return nil
441 }
442 ss, err := ParseSessionState(plaintext)
443 if err != nil {
444 return nil
445 }
446 sessionState = ss
447 }
448
449
450
451
452 createdAt := time.Unix(int64(sessionState.createdAt), 0)
453 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
454 return nil
455 }
456
457
458 if c.vers != sessionState.version {
459 return nil
460 }
461
462 cipherSuiteOk := false
463
464 for _, id := range hs.clientHello.cipherSuites {
465 if id == sessionState.cipherSuite {
466 cipherSuiteOk = true
467 break
468 }
469 }
470 if !cipherSuiteOk {
471 return nil
472 }
473
474
475 suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
476 c.config.cipherSuites(), hs.cipherSuiteOk)
477 if suite == nil {
478 return nil
479 }
480
481 sessionHasClientCerts := len(sessionState.peerCertificates) != 0
482 needClientCerts := requiresClientCert(c.config.ClientAuth)
483 if needClientCerts && !sessionHasClientCerts {
484 return nil
485 }
486 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
487 return nil
488 }
489 if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
490 return nil
491 }
492 if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
493 len(sessionState.verifiedChains) == 0 {
494 return nil
495 }
496
497
498 if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
499 return nil
500 }
501 if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
502
503
504 return errors.New("tls: session supported extended_master_secret but client does not")
505 }
506
507 c.peerCertificates = sessionState.peerCertificates
508 c.ocspResponse = sessionState.ocspResponse
509 c.scts = sessionState.scts
510 c.verifiedChains = sessionState.verifiedChains
511 c.extMasterSecret = sessionState.extMasterSecret
512 hs.sessionState = sessionState
513 hs.suite = suite
514 c.didResume = true
515 return nil
516 }
517
518 func (hs *serverHandshakeState) doResumeHandshake() error {
519 c := hs.c
520
521 hs.hello.cipherSuite = hs.suite.id
522 c.cipherSuite = hs.suite.id
523
524
525 hs.hello.sessionId = hs.clientHello.sessionId
526
527
528
529 hs.hello.ticketSupported = true
530 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
531 hs.finishedHash.discardHandshakeBuffer()
532 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
533 return err
534 }
535 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
536 return err
537 }
538
539 if c.config.VerifyConnection != nil {
540 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
541 c.sendAlert(alertBadCertificate)
542 return err
543 }
544 }
545
546 hs.masterSecret = hs.sessionState.secret
547
548 return nil
549 }
550
551 func (hs *serverHandshakeState) doFullHandshake() error {
552 c := hs.c
553
554 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
555 hs.hello.ocspStapling = true
556 }
557
558 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
559 hs.hello.cipherSuite = hs.suite.id
560
561 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
562 if c.config.ClientAuth == NoClientCert {
563
564
565 hs.finishedHash.discardHandshakeBuffer()
566 }
567 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
568 return err
569 }
570 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
571 return err
572 }
573
574 certMsg := new(certificateMsg)
575 certMsg.certificates = hs.cert.Certificate
576 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
577 return err
578 }
579
580 if hs.hello.ocspStapling {
581 certStatus := new(certificateStatusMsg)
582 certStatus.response = hs.cert.OCSPStaple
583 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
584 return err
585 }
586 }
587
588 keyAgreement := hs.suite.ka(c.vers)
589 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
590 if err != nil {
591 c.sendAlert(alertHandshakeFailure)
592 return err
593 }
594 if skx != nil {
595 if len(skx.key) >= 3 && skx.key[0] == 3 {
596 c.curveID = CurveID(byteorder.BeUint16(skx.key[1:]))
597 }
598 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
599 return err
600 }
601 }
602
603 var certReq *certificateRequestMsg
604 if c.config.ClientAuth >= RequestClientCert {
605
606 certReq = new(certificateRequestMsg)
607 certReq.certificateTypes = []byte{
608 byte(certTypeRSASign),
609 byte(certTypeECDSASign),
610 }
611 if c.vers >= VersionTLS12 {
612 certReq.hasSignatureAlgorithm = true
613 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
614 }
615
616
617
618
619
620
621 if c.config.ClientCAs != nil {
622 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
623 }
624 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
625 return err
626 }
627 }
628
629 helloDone := new(serverHelloDoneMsg)
630 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
631 return err
632 }
633
634 if _, err := c.flush(); err != nil {
635 return err
636 }
637
638 var pub crypto.PublicKey
639
640 msg, err := c.readHandshake(&hs.finishedHash)
641 if err != nil {
642 return err
643 }
644
645
646
647 if c.config.ClientAuth >= RequestClientCert {
648 certMsg, ok := msg.(*certificateMsg)
649 if !ok {
650 c.sendAlert(alertUnexpectedMessage)
651 return unexpectedMessageError(certMsg, msg)
652 }
653
654 if err := c.processCertsFromClient(Certificate{
655 Certificate: certMsg.certificates,
656 }); err != nil {
657 return err
658 }
659 if len(certMsg.certificates) != 0 {
660 pub = c.peerCertificates[0].PublicKey
661 }
662
663 msg, err = c.readHandshake(&hs.finishedHash)
664 if err != nil {
665 return err
666 }
667 }
668 if c.config.VerifyConnection != nil {
669 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
670 c.sendAlert(alertBadCertificate)
671 return err
672 }
673 }
674
675
676 ckx, ok := msg.(*clientKeyExchangeMsg)
677 if !ok {
678 c.sendAlert(alertUnexpectedMessage)
679 return unexpectedMessageError(ckx, msg)
680 }
681
682 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
683 if err != nil {
684 c.sendAlert(alertHandshakeFailure)
685 return err
686 }
687 if hs.hello.extendedMasterSecret {
688 c.extMasterSecret = true
689 hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
690 hs.finishedHash.Sum())
691 } else {
692 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
693 hs.clientHello.random, hs.hello.random)
694 }
695 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
696 c.sendAlert(alertInternalError)
697 return err
698 }
699
700
701
702
703
704
705
706 if len(c.peerCertificates) > 0 {
707
708
709
710 msg, err = c.readHandshake(nil)
711 if err != nil {
712 return err
713 }
714 certVerify, ok := msg.(*certificateVerifyMsg)
715 if !ok {
716 c.sendAlert(alertUnexpectedMessage)
717 return unexpectedMessageError(certVerify, msg)
718 }
719
720 var sigType uint8
721 var sigHash crypto.Hash
722 if c.vers >= VersionTLS12 {
723 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
724 c.sendAlert(alertIllegalParameter)
725 return errors.New("tls: client certificate used with invalid signature algorithm")
726 }
727 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
728 if err != nil {
729 return c.sendAlert(alertInternalError)
730 }
731 } else {
732 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
733 if err != nil {
734 c.sendAlert(alertIllegalParameter)
735 return err
736 }
737 }
738
739 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
740 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
741 c.sendAlert(alertDecryptError)
742 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
743 }
744
745 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
746 return err
747 }
748 }
749
750 hs.finishedHash.discardHandshakeBuffer()
751
752 return nil
753 }
754
755 func (hs *serverHandshakeState) establishKeys() error {
756 c := hs.c
757
758 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
759 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
760
761 var clientCipher, serverCipher any
762 var clientHash, serverHash hash.Hash
763
764 if hs.suite.aead == nil {
765 clientCipher = hs.suite.cipher(clientKey, clientIV, true )
766 clientHash = hs.suite.mac(clientMAC)
767 serverCipher = hs.suite.cipher(serverKey, serverIV, false )
768 serverHash = hs.suite.mac(serverMAC)
769 } else {
770 clientCipher = hs.suite.aead(clientKey, clientIV)
771 serverCipher = hs.suite.aead(serverKey, serverIV)
772 }
773
774 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
775 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
776
777 return nil
778 }
779
780 func (hs *serverHandshakeState) readFinished(out []byte) error {
781 c := hs.c
782
783 if err := c.readChangeCipherSpec(); err != nil {
784 return err
785 }
786
787
788
789
790 msg, err := c.readHandshake(nil)
791 if err != nil {
792 return err
793 }
794 clientFinished, ok := msg.(*finishedMsg)
795 if !ok {
796 c.sendAlert(alertUnexpectedMessage)
797 return unexpectedMessageError(clientFinished, msg)
798 }
799
800 verify := hs.finishedHash.clientSum(hs.masterSecret)
801 if len(verify) != len(clientFinished.verifyData) ||
802 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
803 c.sendAlert(alertHandshakeFailure)
804 return errors.New("tls: client's Finished message is incorrect")
805 }
806
807 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
808 return err
809 }
810
811 copy(out, verify)
812 return nil
813 }
814
815 func (hs *serverHandshakeState) sendSessionTicket() error {
816 if !hs.hello.ticketSupported {
817 return nil
818 }
819
820 c := hs.c
821 m := new(newSessionTicketMsg)
822
823 state := c.sessionState()
824 state.secret = hs.masterSecret
825 if hs.sessionState != nil {
826
827
828 state.createdAt = hs.sessionState.createdAt
829 }
830 if c.config.WrapSession != nil {
831 var err error
832 m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
833 if err != nil {
834 return err
835 }
836 } else {
837 stateBytes, err := state.Bytes()
838 if err != nil {
839 return err
840 }
841 m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
842 if err != nil {
843 return err
844 }
845 }
846
847 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
848 return err
849 }
850
851 return nil
852 }
853
854 func (hs *serverHandshakeState) sendFinished(out []byte) error {
855 c := hs.c
856
857 if err := c.writeChangeCipherRecord(); err != nil {
858 return err
859 }
860
861 finished := new(finishedMsg)
862 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
863 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
864 return err
865 }
866
867 copy(out, finished.verifyData)
868
869 return nil
870 }
871
872
873
874 func (c *Conn) processCertsFromClient(certificate Certificate) error {
875 certificates := certificate.Certificate
876 certs := make([]*x509.Certificate, len(certificates))
877 var err error
878 for i, asn1Data := range certificates {
879 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
880 c.sendAlert(alertBadCertificate)
881 return errors.New("tls: failed to parse client certificate: " + err.Error())
882 }
883 if certs[i].PublicKeyAlgorithm == x509.RSA {
884 n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
885 if max, ok := checkKeySize(n); !ok {
886 c.sendAlert(alertBadCertificate)
887 return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
888 }
889 }
890 }
891
892 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
893 if c.vers == VersionTLS13 {
894 c.sendAlert(alertCertificateRequired)
895 } else {
896 c.sendAlert(alertBadCertificate)
897 }
898 return errors.New("tls: client didn't provide a certificate")
899 }
900
901 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
902 opts := x509.VerifyOptions{
903 Roots: c.config.ClientCAs,
904 CurrentTime: c.config.time(),
905 Intermediates: x509.NewCertPool(),
906 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
907 }
908
909 for _, cert := range certs[1:] {
910 opts.Intermediates.AddCert(cert)
911 }
912
913 chains, err := certs[0].Verify(opts)
914 if err != nil {
915 var errCertificateInvalid x509.CertificateInvalidError
916 if errors.As(err, &x509.UnknownAuthorityError{}) {
917 c.sendAlert(alertUnknownCA)
918 } else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
919 c.sendAlert(alertCertificateExpired)
920 } else {
921 c.sendAlert(alertBadCertificate)
922 }
923 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
924 }
925
926 c.verifiedChains = chains
927 }
928
929 c.peerCertificates = certs
930 c.ocspResponse = certificate.OCSPStaple
931 c.scts = certificate.SignedCertificateTimestamps
932
933 if len(certs) > 0 {
934 switch certs[0].PublicKey.(type) {
935 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
936 default:
937 c.sendAlert(alertUnsupportedCertificate)
938 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
939 }
940 }
941
942 if c.config.VerifyPeerCertificate != nil {
943 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
944 c.sendAlert(alertBadCertificate)
945 return err
946 }
947 }
948
949 return nil
950 }
951
952 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
953 supportedVersions := clientHello.supportedVersions
954 if len(clientHello.supportedVersions) == 0 {
955 supportedVersions = supportedVersionsFromMax(clientHello.vers)
956 }
957
958 return &ClientHelloInfo{
959 CipherSuites: clientHello.cipherSuites,
960 ServerName: clientHello.serverName,
961 SupportedCurves: clientHello.supportedCurves,
962 SupportedPoints: clientHello.supportedPoints,
963 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
964 SupportedProtos: clientHello.alpnProtocols,
965 SupportedVersions: supportedVersions,
966 Extensions: clientHello.extensions,
967 Conn: c.conn,
968 config: c.config,
969 ctx: ctx,
970 }
971 }
972
View as plain text