Source file src/crypto/tls/handshake_server.go

Documentation: crypto/tls

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"crypto"
     9  	"crypto/ecdsa"
    10  	"crypto/ed25519"
    11  	"crypto/rsa"
    12  	"crypto/subtle"
    13  	"crypto/x509"
    14  	"errors"
    15  	"fmt"
    16  	"io"
    17  	"sync/atomic"
    18  )
    19  
    20  // serverHandshakeState contains details of a server handshake in progress.
    21  // It's discarded once the handshake has completed.
    22  type serverHandshakeState struct {
    23  	c            *Conn
    24  	clientHello  *clientHelloMsg
    25  	hello        *serverHelloMsg
    26  	suite        *cipherSuite
    27  	ecdhOk       bool
    28  	ecSignOk     bool
    29  	rsaDecryptOk bool
    30  	rsaSignOk    bool
    31  	sessionState *sessionState
    32  	finishedHash finishedHash
    33  	masterSecret []byte
    34  	cert         *Certificate
    35  }
    36  
    37  // serverHandshake performs a TLS handshake as a server.
    38  func (c *Conn) serverHandshake() error {
    39  	// If this is the first server handshake, we generate a random key to
    40  	// encrypt the tickets with.
    41  	c.config.serverInitOnce.Do(func() { c.config.serverInit(nil) })
    42  
    43  	clientHello, err := c.readClientHello()
    44  	if err != nil {
    45  		return err
    46  	}
    47  
    48  	if c.vers == VersionTLS13 {
    49  		hs := serverHandshakeStateTLS13{
    50  			c:           c,
    51  			clientHello: clientHello,
    52  		}
    53  		return hs.handshake()
    54  	}
    55  
    56  	hs := serverHandshakeState{
    57  		c:           c,
    58  		clientHello: clientHello,
    59  	}
    60  	return hs.handshake()
    61  }
    62  
    63  func (hs *serverHandshakeState) handshake() error {
    64  	c := hs.c
    65  
    66  	if err := hs.processClientHello(); err != nil {
    67  		return err
    68  	}
    69  
    70  	// For an overview of TLS handshaking, see RFC 5246, Section 7.3.
    71  	c.buffering = true
    72  	if hs.checkForResumption() {
    73  		// The client has included a session ticket and so we do an abbreviated handshake.
    74  		if err := hs.doResumeHandshake(); err != nil {
    75  			return err
    76  		}
    77  		if err := hs.establishKeys(); err != nil {
    78  			return err
    79  		}
    80  		// ticketSupported is set in a resumption handshake if the
    81  		// ticket from the client was encrypted with an old session
    82  		// ticket key and thus a refreshed ticket should be sent.
    83  		if hs.hello.ticketSupported {
    84  			if err := hs.sendSessionTicket(); err != nil {
    85  				return err
    86  			}
    87  		}
    88  		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
    89  			return err
    90  		}
    91  		if _, err := c.flush(); err != nil {
    92  			return err
    93  		}
    94  		c.clientFinishedIsFirst = false
    95  		if err := hs.readFinished(nil); err != nil {
    96  			return err
    97  		}
    98  		c.didResume = true
    99  	} else {
   100  		// The client didn't include a session ticket, or it wasn't
   101  		// valid so we do a full handshake.
   102  		if err := hs.pickCipherSuite(); err != nil {
   103  			return err
   104  		}
   105  		if err := hs.doFullHandshake(); err != nil {
   106  			return err
   107  		}
   108  		if err := hs.establishKeys(); err != nil {
   109  			return err
   110  		}
   111  		if err := hs.readFinished(c.clientFinished[:]); err != nil {
   112  			return err
   113  		}
   114  		c.clientFinishedIsFirst = true
   115  		c.buffering = true
   116  		if err := hs.sendSessionTicket(); err != nil {
   117  			return err
   118  		}
   119  		if err := hs.sendFinished(nil); err != nil {
   120  			return err
   121  		}
   122  		if _, err := c.flush(); err != nil {
   123  			return err
   124  		}
   125  	}
   126  
   127  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
   128  	atomic.StoreUint32(&c.handshakeStatus, 1)
   129  
   130  	return nil
   131  }
   132  
   133  // readClientHello reads a ClientHello message and selects the protocol version.
   134  func (c *Conn) readClientHello() (*clientHelloMsg, error) {
   135  	msg, err := c.readHandshake()
   136  	if err != nil {
   137  		return nil, err
   138  	}
   139  	clientHello, ok := msg.(*clientHelloMsg)
   140  	if !ok {
   141  		c.sendAlert(alertUnexpectedMessage)
   142  		return nil, unexpectedMessageError(clientHello, msg)
   143  	}
   144  
   145  	if c.config.GetConfigForClient != nil {
   146  		chi := clientHelloInfo(c, clientHello)
   147  		if newConfig, err := c.config.GetConfigForClient(chi); err != nil {
   148  			c.sendAlert(alertInternalError)
   149  			return nil, err
   150  		} else if newConfig != nil {
   151  			newConfig.serverInitOnce.Do(func() { newConfig.serverInit(c.config) })
   152  			c.config = newConfig
   153  		}
   154  	}
   155  
   156  	clientVersions := clientHello.supportedVersions
   157  	if len(clientHello.supportedVersions) == 0 {
   158  		clientVersions = supportedVersionsFromMax(clientHello.vers)
   159  	}
   160  	c.vers, ok = c.config.mutualVersion(false, clientVersions)
   161  	if !ok {
   162  		c.sendAlert(alertProtocolVersion)
   163  		return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
   164  	}
   165  	c.haveVers = true
   166  	c.in.version = c.vers
   167  	c.out.version = c.vers
   168  
   169  	return clientHello, nil
   170  }
   171  
   172  func (hs *serverHandshakeState) processClientHello() error {
   173  	c := hs.c
   174  
   175  	hs.hello = new(serverHelloMsg)
   176  	hs.hello.vers = c.vers
   177  
   178  	supportedCurve := false
   179  	preferredCurves := c.config.curvePreferences()
   180  Curves:
   181  	for _, curve := range hs.clientHello.supportedCurves {
   182  		for _, supported := range preferredCurves {
   183  			if supported == curve {
   184  				supportedCurve = true
   185  				break Curves
   186  			}
   187  		}
   188  	}
   189  
   190  	supportedPointFormat := false
   191  	for _, pointFormat := range hs.clientHello.supportedPoints {
   192  		if pointFormat == pointFormatUncompressed {
   193  			supportedPointFormat = true
   194  			break
   195  		}
   196  	}
   197  	hs.ecdhOk = supportedCurve && supportedPointFormat
   198  
   199  	foundCompression := false
   200  	// We only support null compression, so check that the client offered it.
   201  	for _, compression := range hs.clientHello.compressionMethods {
   202  		if compression == compressionNone {
   203  			foundCompression = true
   204  			break
   205  		}
   206  	}
   207  
   208  	if !foundCompression {
   209  		c.sendAlert(alertHandshakeFailure)
   210  		return errors.New("tls: client does not support uncompressed connections")
   211  	}
   212  
   213  	hs.hello.random = make([]byte, 32)
   214  	serverRandom := hs.hello.random
   215  	// Downgrade protection canaries. See RFC 8446, Section 4.1.3.
   216  	maxVers := c.config.maxSupportedVersion(false)
   217  	if maxVers >= VersionTLS12 && c.vers < maxVers {
   218  		if c.vers == VersionTLS12 {
   219  			copy(serverRandom[24:], downgradeCanaryTLS12)
   220  		} else {
   221  			copy(serverRandom[24:], downgradeCanaryTLS11)
   222  		}
   223  		serverRandom = serverRandom[:24]
   224  	}
   225  	_, err := io.ReadFull(c.config.rand(), serverRandom)
   226  	if err != nil {
   227  		c.sendAlert(alertInternalError)
   228  		return err
   229  	}
   230  
   231  	if len(hs.clientHello.secureRenegotiation) != 0 {
   232  		c.sendAlert(alertHandshakeFailure)
   233  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   234  	}
   235  
   236  	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
   237  	hs.hello.compressionMethod = compressionNone
   238  	if len(hs.clientHello.serverName) > 0 {
   239  		c.serverName = hs.clientHello.serverName
   240  	}
   241  
   242  	if len(hs.clientHello.alpnProtocols) > 0 {
   243  		if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
   244  			hs.hello.alpnProtocol = selectedProto
   245  			c.clientProtocol = selectedProto
   246  		}
   247  	} else {
   248  		// Although sending an empty NPN extension is reasonable, Firefox has
   249  		// had a bug around this. Best to send nothing at all if
   250  		// c.config.NextProtos is empty. See
   251  		// https://golang.org/issue/5445.
   252  		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 {
   253  			hs.hello.nextProtoNeg = true
   254  			hs.hello.nextProtos = c.config.NextProtos
   255  		}
   256  	}
   257  
   258  	hs.cert, err = c.config.getCertificate(clientHelloInfo(c, hs.clientHello))
   259  	if err != nil {
   260  		c.sendAlert(alertInternalError)
   261  		return err
   262  	}
   263  	if hs.clientHello.scts {
   264  		hs.hello.scts = hs.cert.SignedCertificateTimestamps
   265  	}
   266  
   267  	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
   268  		switch priv.Public().(type) {
   269  		case *ecdsa.PublicKey:
   270  			hs.ecSignOk = true
   271  		case ed25519.PublicKey:
   272  			hs.ecSignOk = true
   273  		case *rsa.PublicKey:
   274  			hs.rsaSignOk = true
   275  		default:
   276  			c.sendAlert(alertInternalError)
   277  			return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
   278  		}
   279  	}
   280  	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
   281  		switch priv.Public().(type) {
   282  		case *rsa.PublicKey:
   283  			hs.rsaDecryptOk = true
   284  		default:
   285  			c.sendAlert(alertInternalError)
   286  			return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
   287  		}
   288  	}
   289  
   290  	return nil
   291  }
   292  
   293  func (hs *serverHandshakeState) pickCipherSuite() error {
   294  	c := hs.c
   295  
   296  	var preferenceList, supportedList []uint16
   297  	if c.config.PreferServerCipherSuites {
   298  		preferenceList = c.config.cipherSuites()
   299  		supportedList = hs.clientHello.cipherSuites
   300  	} else {
   301  		preferenceList = hs.clientHello.cipherSuites
   302  		supportedList = c.config.cipherSuites()
   303  	}
   304  
   305  	for _, id := range preferenceList {
   306  		if hs.setCipherSuite(id, supportedList, c.vers) {
   307  			break
   308  		}
   309  	}
   310  
   311  	if hs.suite == nil {
   312  		c.sendAlert(alertHandshakeFailure)
   313  		return errors.New("tls: no cipher suite supported by both client and server")
   314  	}
   315  
   316  	for _, id := range hs.clientHello.cipherSuites {
   317  		if id == TLS_FALLBACK_SCSV {
   318  			// The client is doing a fallback connection. See RFC 7507.
   319  			if hs.clientHello.vers < c.config.maxSupportedVersion(false) {
   320  				c.sendAlert(alertInappropriateFallback)
   321  				return errors.New("tls: client using inappropriate protocol fallback")
   322  			}
   323  			break
   324  		}
   325  	}
   326  
   327  	return nil
   328  }
   329  
   330  // checkForResumption reports whether we should perform resumption on this connection.
   331  func (hs *serverHandshakeState) checkForResumption() bool {
   332  	c := hs.c
   333  
   334  	if c.config.SessionTicketsDisabled {
   335  		return false
   336  	}
   337  
   338  	plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket)
   339  	if plaintext == nil {
   340  		return false
   341  	}
   342  	hs.sessionState = &sessionState{usedOldKey: usedOldKey}
   343  	ok := hs.sessionState.unmarshal(plaintext)
   344  	if !ok {
   345  		return false
   346  	}
   347  
   348  	// Never resume a session for a different TLS version.
   349  	if c.vers != hs.sessionState.vers {
   350  		return false
   351  	}
   352  
   353  	cipherSuiteOk := false
   354  	// Check that the client is still offering the ciphersuite in the session.
   355  	for _, id := range hs.clientHello.cipherSuites {
   356  		if id == hs.sessionState.cipherSuite {
   357  			cipherSuiteOk = true
   358  			break
   359  		}
   360  	}
   361  	if !cipherSuiteOk {
   362  		return false
   363  	}
   364  
   365  	// Check that we also support the ciphersuite from the session.
   366  	if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {
   367  		return false
   368  	}
   369  
   370  	sessionHasClientCerts := len(hs.sessionState.certificates) != 0
   371  	needClientCerts := requiresClientCert(c.config.ClientAuth)
   372  	if needClientCerts && !sessionHasClientCerts {
   373  		return false
   374  	}
   375  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   376  		return false
   377  	}
   378  
   379  	return true
   380  }
   381  
   382  func (hs *serverHandshakeState) doResumeHandshake() error {
   383  	c := hs.c
   384  
   385  	hs.hello.cipherSuite = hs.suite.id
   386  	// We echo the client's session ID in the ServerHello to let it know
   387  	// that we're doing a resumption.
   388  	hs.hello.sessionId = hs.clientHello.sessionId
   389  	hs.hello.ticketSupported = hs.sessionState.usedOldKey
   390  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   391  	hs.finishedHash.discardHandshakeBuffer()
   392  	hs.finishedHash.Write(hs.clientHello.marshal())
   393  	hs.finishedHash.Write(hs.hello.marshal())
   394  	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
   395  		return err
   396  	}
   397  
   398  	if err := c.processCertsFromClient(Certificate{
   399  		Certificate: hs.sessionState.certificates,
   400  	}); err != nil {
   401  		return err
   402  	}
   403  
   404  	hs.masterSecret = hs.sessionState.masterSecret
   405  
   406  	return nil
   407  }
   408  
   409  func (hs *serverHandshakeState) doFullHandshake() error {
   410  	c := hs.c
   411  
   412  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   413  		hs.hello.ocspStapling = true
   414  	}
   415  
   416  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   417  	hs.hello.cipherSuite = hs.suite.id
   418  
   419  	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
   420  	if c.config.ClientAuth == NoClientCert {
   421  		// No need to keep a full record of the handshake if client
   422  		// certificates won't be used.
   423  		hs.finishedHash.discardHandshakeBuffer()
   424  	}
   425  	hs.finishedHash.Write(hs.clientHello.marshal())
   426  	hs.finishedHash.Write(hs.hello.marshal())
   427  	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
   428  		return err
   429  	}
   430  
   431  	certMsg := new(certificateMsg)
   432  	certMsg.certificates = hs.cert.Certificate
   433  	hs.finishedHash.Write(certMsg.marshal())
   434  	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
   435  		return err
   436  	}
   437  
   438  	if hs.hello.ocspStapling {
   439  		certStatus := new(certificateStatusMsg)
   440  		certStatus.response = hs.cert.OCSPStaple
   441  		hs.finishedHash.Write(certStatus.marshal())
   442  		if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {
   443  			return err
   444  		}
   445  	}
   446  
   447  	keyAgreement := hs.suite.ka(c.vers)
   448  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   449  	if err != nil {
   450  		c.sendAlert(alertHandshakeFailure)
   451  		return err
   452  	}
   453  	if skx != nil {
   454  		hs.finishedHash.Write(skx.marshal())
   455  		if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {
   456  			return err
   457  		}
   458  	}
   459  
   460  	var certReq *certificateRequestMsg
   461  	if c.config.ClientAuth >= RequestClientCert {
   462  		// Request a client certificate
   463  		certReq = new(certificateRequestMsg)
   464  		certReq.certificateTypes = []byte{
   465  			byte(certTypeRSASign),
   466  			byte(certTypeECDSASign),
   467  		}
   468  		if c.vers >= VersionTLS12 {
   469  			certReq.hasSignatureAlgorithm = true
   470  			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithmsTLS12
   471  		}
   472  
   473  		// An empty list of certificateAuthorities signals to
   474  		// the client that it may send any certificate in response
   475  		// to our request. When we know the CAs we trust, then
   476  		// we can send them down, so that the client can choose
   477  		// an appropriate certificate to give to us.
   478  		if c.config.ClientCAs != nil {
   479  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   480  		}
   481  		hs.finishedHash.Write(certReq.marshal())
   482  		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
   483  			return err
   484  		}
   485  	}
   486  
   487  	helloDone := new(serverHelloDoneMsg)
   488  	hs.finishedHash.Write(helloDone.marshal())
   489  	if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {
   490  		return err
   491  	}
   492  
   493  	if _, err := c.flush(); err != nil {
   494  		return err
   495  	}
   496  
   497  	var pub crypto.PublicKey // public key for client auth, if any
   498  
   499  	msg, err := c.readHandshake()
   500  	if err != nil {
   501  		return err
   502  	}
   503  
   504  	// If we requested a client certificate, then the client must send a
   505  	// certificate message, even if it's empty.
   506  	if c.config.ClientAuth >= RequestClientCert {
   507  		certMsg, ok := msg.(*certificateMsg)
   508  		if !ok {
   509  			c.sendAlert(alertUnexpectedMessage)
   510  			return unexpectedMessageError(certMsg, msg)
   511  		}
   512  		hs.finishedHash.Write(certMsg.marshal())
   513  
   514  		if err := c.processCertsFromClient(Certificate{
   515  			Certificate: certMsg.certificates,
   516  		}); err != nil {
   517  			return err
   518  		}
   519  		if len(certMsg.certificates) != 0 {
   520  			pub = c.peerCertificates[0].PublicKey
   521  		}
   522  
   523  		msg, err = c.readHandshake()
   524  		if err != nil {
   525  			return err
   526  		}
   527  	}
   528  
   529  	// Get client key exchange
   530  	ckx, ok := msg.(*clientKeyExchangeMsg)
   531  	if !ok {
   532  		c.sendAlert(alertUnexpectedMessage)
   533  		return unexpectedMessageError(ckx, msg)
   534  	}
   535  	hs.finishedHash.Write(ckx.marshal())
   536  
   537  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
   538  	if err != nil {
   539  		c.sendAlert(alertHandshakeFailure)
   540  		return err
   541  	}
   542  	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
   543  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
   544  		c.sendAlert(alertInternalError)
   545  		return err
   546  	}
   547  
   548  	// If we received a client cert in response to our certificate request message,
   549  	// the client will send us a certificateVerifyMsg immediately after the
   550  	// clientKeyExchangeMsg. This message is a digest of all preceding
   551  	// handshake-layer messages that is signed using the private key corresponding
   552  	// to the client's certificate. This allows us to verify that the client is in
   553  	// possession of the private key of the certificate.
   554  	if len(c.peerCertificates) > 0 {
   555  		msg, err = c.readHandshake()
   556  		if err != nil {
   557  			return err
   558  		}
   559  		certVerify, ok := msg.(*certificateVerifyMsg)
   560  		if !ok {
   561  			c.sendAlert(alertUnexpectedMessage)
   562  			return unexpectedMessageError(certVerify, msg)
   563  		}
   564  
   565  		// Determine the signature type.
   566  		_, sigType, hashFunc, err := pickSignatureAlgorithm(pub, []SignatureScheme{certVerify.signatureAlgorithm}, certReq.supportedSignatureAlgorithms, c.vers)
   567  		if err != nil {
   568  			c.sendAlert(alertIllegalParameter)
   569  			return err
   570  		}
   571  
   572  		signed, err := hs.finishedHash.hashForClientCertificate(sigType, hashFunc, hs.masterSecret)
   573  		if err == nil {
   574  			err = verifyHandshakeSignature(sigType, pub, hashFunc, signed, certVerify.signature)
   575  		}
   576  		if err != nil {
   577  			c.sendAlert(alertBadCertificate)
   578  			return errors.New("tls: could not validate signature of connection nonces: " + err.Error())
   579  		}
   580  
   581  		hs.finishedHash.Write(certVerify.marshal())
   582  	}
   583  
   584  	hs.finishedHash.discardHandshakeBuffer()
   585  
   586  	return nil
   587  }
   588  
   589  func (hs *serverHandshakeState) establishKeys() error {
   590  	c := hs.c
   591  
   592  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   593  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   594  
   595  	var clientCipher, serverCipher interface{}
   596  	var clientHash, serverHash macFunction
   597  
   598  	if hs.suite.aead == nil {
   599  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   600  		clientHash = hs.suite.mac(c.vers, clientMAC)
   601  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   602  		serverHash = hs.suite.mac(c.vers, serverMAC)
   603  	} else {
   604  		clientCipher = hs.suite.aead(clientKey, clientIV)
   605  		serverCipher = hs.suite.aead(serverKey, serverIV)
   606  	}
   607  
   608  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   609  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   610  
   611  	return nil
   612  }
   613  
   614  func (hs *serverHandshakeState) readFinished(out []byte) error {
   615  	c := hs.c
   616  
   617  	if err := c.readChangeCipherSpec(); err != nil {
   618  		return err
   619  	}
   620  
   621  	if hs.hello.nextProtoNeg {
   622  		msg, err := c.readHandshake()
   623  		if err != nil {
   624  			return err
   625  		}
   626  		nextProto, ok := msg.(*nextProtoMsg)
   627  		if !ok {
   628  			c.sendAlert(alertUnexpectedMessage)
   629  			return unexpectedMessageError(nextProto, msg)
   630  		}
   631  		hs.finishedHash.Write(nextProto.marshal())
   632  		c.clientProtocol = nextProto.proto
   633  	}
   634  
   635  	msg, err := c.readHandshake()
   636  	if err != nil {
   637  		return err
   638  	}
   639  	clientFinished, ok := msg.(*finishedMsg)
   640  	if !ok {
   641  		c.sendAlert(alertUnexpectedMessage)
   642  		return unexpectedMessageError(clientFinished, msg)
   643  	}
   644  
   645  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   646  	if len(verify) != len(clientFinished.verifyData) ||
   647  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   648  		c.sendAlert(alertHandshakeFailure)
   649  		return errors.New("tls: client's Finished message is incorrect")
   650  	}
   651  
   652  	hs.finishedHash.Write(clientFinished.marshal())
   653  	copy(out, verify)
   654  	return nil
   655  }
   656  
   657  func (hs *serverHandshakeState) sendSessionTicket() error {
   658  	if !hs.hello.ticketSupported {
   659  		return nil
   660  	}
   661  
   662  	c := hs.c
   663  	m := new(newSessionTicketMsg)
   664  
   665  	var certsFromClient [][]byte
   666  	for _, cert := range c.peerCertificates {
   667  		certsFromClient = append(certsFromClient, cert.Raw)
   668  	}
   669  	state := sessionState{
   670  		vers:         c.vers,
   671  		cipherSuite:  hs.suite.id,
   672  		masterSecret: hs.masterSecret,
   673  		certificates: certsFromClient,
   674  	}
   675  	var err error
   676  	m.ticket, err = c.encryptTicket(state.marshal())
   677  	if err != nil {
   678  		return err
   679  	}
   680  
   681  	hs.finishedHash.Write(m.marshal())
   682  	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
   683  		return err
   684  	}
   685  
   686  	return nil
   687  }
   688  
   689  func (hs *serverHandshakeState) sendFinished(out []byte) error {
   690  	c := hs.c
   691  
   692  	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
   693  		return err
   694  	}
   695  
   696  	finished := new(finishedMsg)
   697  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   698  	hs.finishedHash.Write(finished.marshal())
   699  	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
   700  		return err
   701  	}
   702  
   703  	c.cipherSuite = hs.suite.id
   704  	copy(out, finished.verifyData)
   705  
   706  	return nil
   707  }
   708  
   709  // processCertsFromClient takes a chain of client certificates either from a
   710  // Certificates message or from a sessionState and verifies them. It returns
   711  // the public key of the leaf certificate.
   712  func (c *Conn) processCertsFromClient(certificate Certificate) error {
   713  	certificates := certificate.Certificate
   714  	certs := make([]*x509.Certificate, len(certificates))
   715  	var err error
   716  	for i, asn1Data := range certificates {
   717  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   718  			c.sendAlert(alertBadCertificate)
   719  			return errors.New("tls: failed to parse client certificate: " + err.Error())
   720  		}
   721  	}
   722  
   723  	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
   724  		c.sendAlert(alertBadCertificate)
   725  		return errors.New("tls: client didn't provide a certificate")
   726  	}
   727  
   728  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   729  		opts := x509.VerifyOptions{
   730  			Roots:         c.config.ClientCAs,
   731  			CurrentTime:   c.config.time(),
   732  			Intermediates: x509.NewCertPool(),
   733  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   734  		}
   735  
   736  		for _, cert := range certs[1:] {
   737  			opts.Intermediates.AddCert(cert)
   738  		}
   739  
   740  		chains, err := certs[0].Verify(opts)
   741  		if err != nil {
   742  			c.sendAlert(alertBadCertificate)
   743  			return errors.New("tls: failed to verify client's certificate: " + err.Error())
   744  		}
   745  
   746  		c.verifiedChains = chains
   747  	}
   748  
   749  	if c.config.VerifyPeerCertificate != nil {
   750  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
   751  			c.sendAlert(alertBadCertificate)
   752  			return err
   753  		}
   754  	}
   755  
   756  	if len(certs) == 0 {
   757  		return nil
   758  	}
   759  
   760  	switch certs[0].PublicKey.(type) {
   761  	case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
   762  	default:
   763  		c.sendAlert(alertUnsupportedCertificate)
   764  		return fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
   765  	}
   766  
   767  	c.peerCertificates = certs
   768  	c.ocspResponse = certificate.OCSPStaple
   769  	c.scts = certificate.SignedCertificateTimestamps
   770  	return nil
   771  }
   772  
   773  // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState
   774  // suite if that cipher suite is acceptable to use.
   775  // It returns a bool indicating if the suite was set.
   776  func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {
   777  	for _, supported := range supportedCipherSuites {
   778  		if id != supported {
   779  			continue
   780  		}
   781  		candidate := cipherSuiteByID(id)
   782  		if candidate == nil {
   783  			continue
   784  		}
   785  		// Don't select a ciphersuite which we can't
   786  		// support for this client.
   787  		if candidate.flags&suiteECDHE != 0 {
   788  			if !hs.ecdhOk {
   789  				continue
   790  			}
   791  			if candidate.flags&suiteECSign != 0 {
   792  				if !hs.ecSignOk {
   793  					continue
   794  				}
   795  			} else if !hs.rsaSignOk {
   796  				continue
   797  			}
   798  		} else if !hs.rsaDecryptOk {
   799  			continue
   800  		}
   801  		if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
   802  			continue
   803  		}
   804  		hs.suite = candidate
   805  		return true
   806  	}
   807  	return false
   808  }
   809  
   810  func clientHelloInfo(c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
   811  	supportedVersions := clientHello.supportedVersions
   812  	if len(clientHello.supportedVersions) == 0 {
   813  		supportedVersions = supportedVersionsFromMax(clientHello.vers)
   814  	}
   815  
   816  	return &ClientHelloInfo{
   817  		CipherSuites:      clientHello.cipherSuites,
   818  		ServerName:        clientHello.serverName,
   819  		SupportedCurves:   clientHello.supportedCurves,
   820  		SupportedPoints:   clientHello.supportedPoints,
   821  		SignatureSchemes:  clientHello.supportedSignatureAlgorithms,
   822  		SupportedProtos:   clientHello.alpnProtocols,
   823  		SupportedVersions: supportedVersions,
   824  		Conn:              c.conn,
   825  	}
   826  }
   827  

View as plain text