handshake_server.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"context"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/rsa"
    13  	"crypto/subtle"
    14  	"crypto/x509"
    15  	"errors"
    16  	"fmt"
    17  	"hash"
    18  	"io"
    19  	"time"
    20  )
    21  
    22  // serverHandshakeState contains details of a server handshake in progress.
    23  // It's discarded once the handshake has completed.
    24  type serverHandshakeState struct {
    25  	c            *Conn
    26  	ctx          context.Context
    27  	clientHello  *clientHelloMsg
    28  	hello        *serverHelloMsg
    29  	suite        *cipherSuite
    30  	ecdheOk      bool
    31  	ecSignOk     bool
    32  	rsaDecryptOk bool
    33  	rsaSignOk    bool
    34  	sessionState *sessionState
    35  	finishedHash finishedHash
    36  	masterSecret []byte
    37  	cert         *Certificate
    38  }
    39  
    40  // serverHandshake performs a TLS handshake as a server.
    41  func (c *Conn) serverHandshake(ctx context.Context) error {
    42  	clientHello, err := c.readClientHello(ctx)
    43  	if err != nil {
    44  		return err
    45  	}
    46  
    47  	if c.vers == VersionTLS13 {
    48  		hs := serverHandshakeStateTLS13{
    49  			c:           c,
    50  			ctx:         ctx,
    51  			clientHello: clientHello,
    52  		}
    53  		return hs.handshake()
    54  	}
    55  
    56  	hs := serverHandshakeState{
    57  		c:           c,
    58  		ctx:         ctx,
    59  		clientHello: clientHello,
    60  	}
    61  	return hs.handshake()
    62  }
    63  
    64  func (hs *serverHandshakeState) handshake() error {
    65  	c := hs.c
    66  
    67  	if err := hs.processClientHello(); err != nil {
    68  		return err
    69  	}
    70  
    71  	// For an overview of TLS handshaking, see RFC 5246, Section 7.3.
    72  	c.buffering = true
    73  	if hs.checkForResumption() {
    74  		// The client has included a session ticket and so we do an abbreviated handshake.
    75  		c.didResume = true
    76  		if err := hs.doResumeHandshake(); err != nil {
    77  			return err
    78  		}
    79  		if err := hs.establishKeys(); err != nil {
    80  			return err
    81  		}
    82  		if err := hs.sendSessionTicket(); err != nil {
    83  			return err
    84  		}
    85  		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
    86  			return err
    87  		}
    88  		if _, err := c.flush(); err != nil {
    89  			return err
    90  		}
    91  		c.clientFinishedIsFirst = false
    92  		if err := hs.readFinished(nil); err != nil {
    93  			return err
    94  		}
    95  	} else {
    96  		// The client didn't include a session ticket, or it wasn't
    97  		// valid so we do a full handshake.
    98  		if err := hs.pickCipherSuite(); err != nil {
    99  			return err
   100  		}
   101  		if err := hs.doFullHandshake(); err != nil {
   102  			return err
   103  		}
   104  		if err := hs.establishKeys(); err != nil {
   105  			return err
   106  		}
   107  		if err := hs.readFinished(c.clientFinished[:]); err != nil {
   108  			return err
   109  		}
   110  		c.clientFinishedIsFirst = true
   111  		c.buffering = true
   112  		if err := hs.sendSessionTicket(); err != nil {
   113  			return err
   114  		}
   115  		if err := hs.sendFinished(nil); err != nil {
   116  			return err
   117  		}
   118  		if _, err := c.flush(); err != nil {
   119  			return err
   120  		}
   121  	}
   122  
   123  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
   124  	c.isHandshakeComplete.Store(true)
   125  
   126  	return nil
   127  }
   128  
   129  // readClientHello reads a ClientHello message and selects the protocol version.
   130  func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
   131  	// clientHelloMsg is included in the transcript, but we haven't initialized
   132  	// it yet. The respective handshake functions will record it themselves.
   133  	msg, err := c.readHandshake(nil)
   134  	if err != nil {
   135  		return nil, err
   136  	}
   137  	clientHello, ok := msg.(*clientHelloMsg)
   138  	if !ok {
   139  		c.sendAlert(alertUnexpectedMessage)
   140  		return nil, unexpectedMessageError(clientHello, msg)
   141  	}
   142  
   143  	var configForClient *Config
   144  	originalConfig := c.config
   145  	if c.config.GetConfigForClient != nil {
   146  		chi := clientHelloInfo(ctx, c, clientHello)
   147  		if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
   148  			c.sendAlert(alertInternalError)
   149  			return nil, err
   150  		} else if configForClient != nil {
   151  			c.config = configForClient
   152  		}
   153  	}
   154  	c.ticketKeys = originalConfig.ticketKeys(configForClient)
   155  
   156  	clientVersions := clientHello.supportedVersions
   157  	if len(clientHello.supportedVersions) == 0 {
   158  		clientVersions = supportedVersionsFromMax(clientHello.vers)
   159  	}
   160  	c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
   161  	if !ok {
   162  		c.sendAlert(alertProtocolVersion)
   163  		return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
   164  	}
   165  	c.haveVers = true
   166  	c.in.version = c.vers
   167  	c.out.version = c.vers
   168  
   169  	return clientHello, nil
   170  }
   171  
   172  func (hs *serverHandshakeState) processClientHello() error {
   173  	c := hs.c
   174  
   175  	hs.hello = new(serverHelloMsg)
   176  	hs.hello.vers = c.vers
   177  
   178  	foundCompression := false
   179  	// We only support null compression, so check that the client offered it.
   180  	for _, compression := range hs.clientHello.compressionMethods {
   181  		if compression == compressionNone {
   182  			foundCompression = true
   183  			break
   184  		}
   185  	}
   186  
   187  	if !foundCompression {
   188  		c.sendAlert(alertHandshakeFailure)
   189  		return errors.New("tls: client does not support uncompressed connections")
   190  	}
   191  
   192  	hs.hello.random = make([]byte, 32)
   193  	serverRandom := hs.hello.random
   194  	// Downgrade protection canaries. See RFC 8446, Section 4.1.3.
   195  	maxVers := c.config.maxSupportedVersion(roleServer)
   196  	if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
   197  		if c.vers == VersionTLS12 {
   198  			copy(serverRandom[24:], downgradeCanaryTLS12)
   199  		} else {
   200  			copy(serverRandom[24:], downgradeCanaryTLS11)
   201  		}
   202  		serverRandom = serverRandom[:24]
   203  	}
   204  	_, err := io.ReadFull(c.config.rand(), serverRandom)
   205  	if err != nil {
   206  		c.sendAlert(alertInternalError)
   207  		return err
   208  	}
   209  
   210  	if len(hs.clientHello.secureRenegotiation) != 0 {
   211  		c.sendAlert(alertHandshakeFailure)
   212  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   213  	}
   214  
   215  	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
   216  	hs.hello.compressionMethod = compressionNone
   217  	if len(hs.clientHello.serverName) > 0 {
   218  		c.serverName = hs.clientHello.serverName
   219  	}
   220  
   221  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
   222  	if err != nil {
   223  		c.sendAlert(alertNoApplicationProtocol)
   224  		return err
   225  	}
   226  	hs.hello.alpnProtocol = selectedProto
   227  	c.clientProtocol = selectedProto
   228  
   229  	hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
   230  	if err != nil {
   231  		if err == errNoCertificates {
   232  			c.sendAlert(alertUnrecognizedName)
   233  		} else {
   234  			c.sendAlert(alertInternalError)
   235  		}
   236  		return err
   237  	}
   238  	if hs.clientHello.scts {
   239  		hs.hello.scts = hs.cert.SignedCertificateTimestamps
   240  	}
   241  
   242  	hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
   243  
   244  	if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
   245  		// Although omitting the ec_point_formats extension is permitted, some
   246  		// old OpenSSL version will refuse to handshake if not present.
   247  		//
   248  		// Per RFC 4492, section 5.1.2, implementations MUST support the
   249  		// uncompressed point format. See golang.org/issue/31943.
   250  		hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
   251  	}
   252  
   253  	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
   254  		switch priv.Public().(type) {
   255  		case *ecdsa.PublicKey:
   256  			hs.ecSignOk = true
   257  		case ed25519.PublicKey:
   258  			hs.ecSignOk = true
   259  		case *rsa.PublicKey:
   260  			hs.rsaSignOk = true
   261  		default:
   262  			c.sendAlert(alertInternalError)
   263  			return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
   264  		}
   265  	}
   266  	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
   267  		switch priv.Public().(type) {
   268  		case *rsa.PublicKey:
   269  			hs.rsaDecryptOk = true
   270  		default:
   271  			c.sendAlert(alertInternalError)
   272  			return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
   273  		}
   274  	}
   275  
   276  	return nil
   277  }
   278  
   279  // negotiateALPN picks a shared ALPN protocol that both sides support in server
   280  // preference order. If ALPN is not configured or the peer doesn't support it,
   281  // it returns "" and no error.
   282  func negotiateALPN(serverProtos, clientProtos []string) (string, error) {
   283  	if len(serverProtos) == 0 || len(clientProtos) == 0 {
   284  		return "", nil
   285  	}
   286  	var http11fallback bool
   287  	for _, s := range serverProtos {
   288  		for _, c := range clientProtos {
   289  			if s == c {
   290  				return s, nil
   291  			}
   292  			if s == "h2" && c == "http/1.1" {
   293  				http11fallback = true
   294  			}
   295  		}
   296  	}
   297  	// As a special case, let http/1.1 clients connect to h2 servers as if they
   298  	// didn't support ALPN. We used not to enforce protocol overlap, so over
   299  	// time a number of HTTP servers were configured with only "h2", but
   300  	// expected to accept connections from "http/1.1" clients. See Issue 46310.
   301  	if http11fallback {
   302  		return "", nil
   303  	}
   304  	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
   305  }
   306  
   307  // supportsECDHE returns whether ECDHE key exchanges can be used with this
   308  // pre-TLS 1.3 client.
   309  func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
   310  	supportsCurve := false
   311  	for _, curve := range supportedCurves {
   312  		if c.supportsCurve(curve) {
   313  			supportsCurve = true
   314  			break
   315  		}
   316  	}
   317  
   318  	supportsPointFormat := false
   319  	for _, pointFormat := range supportedPoints {
   320  		if pointFormat == pointFormatUncompressed {
   321  			supportsPointFormat = true
   322  			break
   323  		}
   324  	}
   325  	// Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is
   326  	// missing, uncompressed points are supported. If supportedPoints is empty,
   327  	// the extension must be missing, as an empty extension body is rejected by
   328  	// the parser. See https://go.dev/issue/49126.
   329  	if len(supportedPoints) == 0 {
   330  		supportsPointFormat = true
   331  	}
   332  
   333  	return supportsCurve && supportsPointFormat
   334  }
   335  
   336  func (hs *serverHandshakeState) pickCipherSuite() error {
   337  	c := hs.c
   338  
   339  	preferenceOrder := cipherSuitesPreferenceOrder
   340  	if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
   341  		preferenceOrder = cipherSuitesPreferenceOrderNoAES
   342  	}
   343  
   344  	configCipherSuites := c.config.cipherSuites()
   345  	preferenceList := make([]uint16, 0, len(configCipherSuites))
   346  	for _, suiteID := range preferenceOrder {
   347  		for _, id := range configCipherSuites {
   348  			if id == suiteID {
   349  				preferenceList = append(preferenceList, id)
   350  				break
   351  			}
   352  		}
   353  	}
   354  
   355  	hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
   356  	if hs.suite == nil {
   357  		c.sendAlert(alertHandshakeFailure)
   358  		return errors.New("tls: no cipher suite supported by both client and server")
   359  	}
   360  	c.cipherSuite = hs.suite.id
   361  
   362  	for _, id := range hs.clientHello.cipherSuites {
   363  		if id == TLS_FALLBACK_SCSV {
   364  			// The client is doing a fallback connection. See RFC 7507.
   365  			if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
   366  				c.sendAlert(alertInappropriateFallback)
   367  				return errors.New("tls: client using inappropriate protocol fallback")
   368  			}
   369  			break
   370  		}
   371  	}
   372  
   373  	return nil
   374  }
   375  
   376  func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
   377  	if c.flags&suiteECDHE != 0 {
   378  		if !hs.ecdheOk {
   379  			return false
   380  		}
   381  		if c.flags&suiteECSign != 0 {
   382  			if !hs.ecSignOk {
   383  				return false
   384  			}
   385  		} else if !hs.rsaSignOk {
   386  			return false
   387  		}
   388  	} else if !hs.rsaDecryptOk {
   389  		return false
   390  	}
   391  	if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
   392  		return false
   393  	}
   394  	return true
   395  }
   396  
   397  // checkForResumption reports whether we should perform resumption on this connection.
   398  func (hs *serverHandshakeState) checkForResumption() bool {
   399  	c := hs.c
   400  
   401  	if c.config.SessionTicketsDisabled {
   402  		return false
   403  	}
   404  
   405  	plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket)
   406  	if plaintext == nil {
   407  		return false
   408  	}
   409  	hs.sessionState = &sessionState{usedOldKey: usedOldKey}
   410  	ok := hs.sessionState.unmarshal(plaintext)
   411  	if !ok {
   412  		return false
   413  	}
   414  
   415  	createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
   416  	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
   417  		return false
   418  	}
   419  
   420  	// Never resume a session for a different TLS version.
   421  	if c.vers != hs.sessionState.vers {
   422  		return false
   423  	}
   424  
   425  	cipherSuiteOk := false
   426  	// Check that the client is still offering the ciphersuite in the session.
   427  	for _, id := range hs.clientHello.cipherSuites {
   428  		if id == hs.sessionState.cipherSuite {
   429  			cipherSuiteOk = true
   430  			break
   431  		}
   432  	}
   433  	if !cipherSuiteOk {
   434  		return false
   435  	}
   436  
   437  	// Check that we also support the ciphersuite from the session.
   438  	hs.suite = selectCipherSuite([]uint16{hs.sessionState.cipherSuite},
   439  		c.config.cipherSuites(), hs.cipherSuiteOk)
   440  	if hs.suite == nil {
   441  		return false
   442  	}
   443  
   444  	sessionHasClientCerts := len(hs.sessionState.certificates) != 0
   445  	needClientCerts := requiresClientCert(c.config.ClientAuth)
   446  	if needClientCerts && !sessionHasClientCerts {
   447  		return false
   448  	}
   449  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   450  		return false
   451  	}
   452  
   453  	return true
   454  }
   455  
   456  func (hs *serverHandshakeState) doResumeHandshake() error {
   457  	c := hs.c
   458  
   459  	hs.hello.cipherSuite = hs.suite.id
   460  	c.cipherSuite = hs.suite.id
   461  	// We echo the client's session ID in the ServerHello to let it know
   462  	// that we're doing a resumption.
   463  	hs.hello.sessionId = hs.clientHello.sessionId
   464  	hs.hello.ticketSupported = hs.sessionState.usedOldKey
   465  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   466  	hs.finishedHash.discardHandshakeBuffer()
   467  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   468  		return err
   469  	}
   470  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   471  		return err
   472  	}
   473  
   474  	if err := c.processCertsFromClient(Certificate{
   475  		Certificate: hs.sessionState.certificates,
   476  	}); err != nil {
   477  		return err
   478  	}
   479  
   480  	if c.config.VerifyConnection != nil {
   481  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   482  			c.sendAlert(alertBadCertificate)
   483  			return err
   484  		}
   485  	}
   486  
   487  	hs.masterSecret = hs.sessionState.masterSecret
   488  
   489  	return nil
   490  }
   491  
   492  func (hs *serverHandshakeState) doFullHandshake() error {
   493  	c := hs.c
   494  
   495  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   496  		hs.hello.ocspStapling = true
   497  	}
   498  
   499  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   500  	hs.hello.cipherSuite = hs.suite.id
   501  
   502  	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
   503  	if c.config.ClientAuth == NoClientCert {
   504  		// No need to keep a full record of the handshake if client
   505  		// certificates won't be used.
   506  		hs.finishedHash.discardHandshakeBuffer()
   507  	}
   508  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   509  		return err
   510  	}
   511  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   512  		return err
   513  	}
   514  
   515  	certMsg := new(certificateMsg)
   516  	certMsg.certificates = hs.cert.Certificate
   517  	if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
   518  		return err
   519  	}
   520  
   521  	if hs.hello.ocspStapling {
   522  		certStatus := new(certificateStatusMsg)
   523  		certStatus.response = hs.cert.OCSPStaple
   524  		if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
   525  			return err
   526  		}
   527  	}
   528  
   529  	keyAgreement := hs.suite.ka(c.vers)
   530  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   531  	if err != nil {
   532  		c.sendAlert(alertHandshakeFailure)
   533  		return err
   534  	}
   535  	if skx != nil {
   536  		if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
   537  			return err
   538  		}
   539  	}
   540  
   541  	var certReq *certificateRequestMsg
   542  	if c.config.ClientAuth >= RequestClientCert {
   543  		// Request a client certificate
   544  		certReq = new(certificateRequestMsg)
   545  		certReq.certificateTypes = []byte{
   546  			byte(certTypeRSASign),
   547  			byte(certTypeECDSASign),
   548  		}
   549  		if c.vers >= VersionTLS12 {
   550  			certReq.hasSignatureAlgorithm = true
   551  			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
   552  		}
   553  
   554  		// An empty list of certificateAuthorities signals to
   555  		// the client that it may send any certificate in response
   556  		// to our request. When we know the CAs we trust, then
   557  		// we can send them down, so that the client can choose
   558  		// an appropriate certificate to give to us.
   559  		if c.config.ClientCAs != nil {
   560  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   561  		}
   562  		if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
   563  			return err
   564  		}
   565  	}
   566  
   567  	helloDone := new(serverHelloDoneMsg)
   568  	if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
   569  		return err
   570  	}
   571  
   572  	if _, err := c.flush(); err != nil {
   573  		return err
   574  	}
   575  
   576  	var pub crypto.PublicKey // public key for client auth, if any
   577  
   578  	msg, err := c.readHandshake(&hs.finishedHash)
   579  	if err != nil {
   580  		return err
   581  	}
   582  
   583  	// If we requested a client certificate, then the client must send a
   584  	// certificate message, even if it's empty.
   585  	if c.config.ClientAuth >= RequestClientCert {
   586  		certMsg, ok := msg.(*certificateMsg)
   587  		if !ok {
   588  			c.sendAlert(alertUnexpectedMessage)
   589  			return unexpectedMessageError(certMsg, msg)
   590  		}
   591  
   592  		if err := c.processCertsFromClient(Certificate{
   593  			Certificate: certMsg.certificates,
   594  		}); err != nil {
   595  			return err
   596  		}
   597  		if len(certMsg.certificates) != 0 {
   598  			pub = c.peerCertificates[0].PublicKey
   599  		}
   600  
   601  		msg, err = c.readHandshake(&hs.finishedHash)
   602  		if err != nil {
   603  			return err
   604  		}
   605  	}
   606  	if c.config.VerifyConnection != nil {
   607  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   608  			c.sendAlert(alertBadCertificate)
   609  			return err
   610  		}
   611  	}
   612  
   613  	// Get client key exchange
   614  	ckx, ok := msg.(*clientKeyExchangeMsg)
   615  	if !ok {
   616  		c.sendAlert(alertUnexpectedMessage)
   617  		return unexpectedMessageError(ckx, msg)
   618  	}
   619  
   620  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
   621  	if err != nil {
   622  		c.sendAlert(alertHandshakeFailure)
   623  		return err
   624  	}
   625  	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
   626  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
   627  		c.sendAlert(alertInternalError)
   628  		return err
   629  	}
   630  
   631  	// If we received a client cert in response to our certificate request message,
   632  	// the client will send us a certificateVerifyMsg immediately after the
   633  	// clientKeyExchangeMsg. This message is a digest of all preceding
   634  	// handshake-layer messages that is signed using the private key corresponding
   635  	// to the client's certificate. This allows us to verify that the client is in
   636  	// possession of the private key of the certificate.
   637  	if len(c.peerCertificates) > 0 {
   638  		// certificateVerifyMsg is included in the transcript, but not until
   639  		// after we verify the handshake signature, since the state before
   640  		// this message was sent is used.
   641  		msg, err = c.readHandshake(nil)
   642  		if err != nil {
   643  			return err
   644  		}
   645  		certVerify, ok := msg.(*certificateVerifyMsg)
   646  		if !ok {
   647  			c.sendAlert(alertUnexpectedMessage)
   648  			return unexpectedMessageError(certVerify, msg)
   649  		}
   650  
   651  		var sigType uint8
   652  		var sigHash crypto.Hash
   653  		if c.vers >= VersionTLS12 {
   654  			if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
   655  				c.sendAlert(alertIllegalParameter)
   656  				return errors.New("tls: client certificate used with invalid signature algorithm")
   657  			}
   658  			sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   659  			if err != nil {
   660  				return c.sendAlert(alertInternalError)
   661  			}
   662  		} else {
   663  			sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
   664  			if err != nil {
   665  				c.sendAlert(alertIllegalParameter)
   666  				return err
   667  			}
   668  		}
   669  
   670  		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
   671  		if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
   672  			c.sendAlert(alertDecryptError)
   673  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
   674  		}
   675  
   676  		if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
   677  			return err
   678  		}
   679  	}
   680  
   681  	hs.finishedHash.discardHandshakeBuffer()
   682  
   683  	return nil
   684  }
   685  
   686  func (hs *serverHandshakeState) establishKeys() error {
   687  	c := hs.c
   688  
   689  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   690  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   691  
   692  	var clientCipher, serverCipher any
   693  	var clientHash, serverHash hash.Hash
   694  
   695  	if hs.suite.aead == nil {
   696  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   697  		clientHash = hs.suite.mac(clientMAC)
   698  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   699  		serverHash = hs.suite.mac(serverMAC)
   700  	} else {
   701  		clientCipher = hs.suite.aead(clientKey, clientIV)
   702  		serverCipher = hs.suite.aead(serverKey, serverIV)
   703  	}
   704  
   705  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   706  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   707  
   708  	return nil
   709  }
   710  
   711  func (hs *serverHandshakeState) readFinished(out []byte) error {
   712  	c := hs.c
   713  
   714  	if err := c.readChangeCipherSpec(); err != nil {
   715  		return err
   716  	}
   717  
   718  	// finishedMsg is included in the transcript, but not until after we
   719  	// check the client version, since the state before this message was
   720  	// sent is used during verification.
   721  	msg, err := c.readHandshake(nil)
   722  	if err != nil {
   723  		return err
   724  	}
   725  	clientFinished, ok := msg.(*finishedMsg)
   726  	if !ok {
   727  		c.sendAlert(alertUnexpectedMessage)
   728  		return unexpectedMessageError(clientFinished, msg)
   729  	}
   730  
   731  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   732  	if len(verify) != len(clientFinished.verifyData) ||
   733  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   734  		c.sendAlert(alertHandshakeFailure)
   735  		return errors.New("tls: client's Finished message is incorrect")
   736  	}
   737  
   738  	if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
   739  		return err
   740  	}
   741  
   742  	copy(out, verify)
   743  	return nil
   744  }
   745  
   746  func (hs *serverHandshakeState) sendSessionTicket() error {
   747  	// ticketSupported is set in a resumption handshake if the
   748  	// ticket from the client was encrypted with an old session
   749  	// ticket key and thus a refreshed ticket should be sent.
   750  	if !hs.hello.ticketSupported {
   751  		return nil
   752  	}
   753  
   754  	c := hs.c
   755  	m := new(newSessionTicketMsg)
   756  
   757  	createdAt := uint64(c.config.time().Unix())
   758  	if hs.sessionState != nil {
   759  		// If this is re-wrapping an old key, then keep
   760  		// the original time it was created.
   761  		createdAt = hs.sessionState.createdAt
   762  	}
   763  
   764  	var certsFromClient [][]byte
   765  	for _, cert := range c.peerCertificates {
   766  		certsFromClient = append(certsFromClient, cert.Raw)
   767  	}
   768  	state := sessionState{
   769  		vers:         c.vers,
   770  		cipherSuite:  hs.suite.id,
   771  		createdAt:    createdAt,
   772  		masterSecret: hs.masterSecret,
   773  		certificates: certsFromClient,
   774  	}
   775  	stateBytes, err := state.marshal()
   776  	if err != nil {
   777  		return err
   778  	}
   779  	m.ticket, err = c.encryptTicket(stateBytes)
   780  	if err != nil {
   781  		return err
   782  	}
   783  
   784  	if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
   785  		return err
   786  	}
   787  
   788  	return nil
   789  }
   790  
   791  func (hs *serverHandshakeState) sendFinished(out []byte) error {
   792  	c := hs.c
   793  
   794  	if err := c.writeChangeCipherRecord(); err != nil {
   795  		return err
   796  	}
   797  
   798  	finished := new(finishedMsg)
   799  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   800  	if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
   801  		return err
   802  	}
   803  
   804  	copy(out, finished.verifyData)
   805  
   806  	return nil
   807  }
   808  
   809  // processCertsFromClient takes a chain of client certificates either from a
   810  // Certificates message or from a sessionState and verifies them. It returns
   811  // the public key of the leaf certificate.
   812  func (c *Conn) processCertsFromClient(certificate Certificate) error {
   813  	certificates := certificate.Certificate
   814  	certs := make([]*x509.Certificate, len(certificates))
   815  	var err error
   816  	for i, asn1Data := range certificates {
   817  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   818  			c.sendAlert(alertBadCertificate)
   819  			return errors.New("tls: failed to parse client certificate: " + err.Error())
   820  		}
   821  	}
   822  
   823  	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
   824  		c.sendAlert(alertBadCertificate)
   825  		return errors.New("tls: client didn't provide a certificate")
   826  	}
   827  
   828  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   829  		opts := x509.VerifyOptions{
   830  			Roots:         c.config.ClientCAs,
   831  			CurrentTime:   c.config.time(),
   832  			Intermediates: x509.NewCertPool(),
   833  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   834  		}
   835  
   836  		for _, cert := range certs[1:] {
   837  			opts.Intermediates.AddCert(cert)
   838  		}
   839  
   840  		chains, err := certs[0].Verify(opts)
   841  		if err != nil {
   842  			c.sendAlert(alertBadCertificate)
   843  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   844  		}
   845  
   846  		c.verifiedChains = chains
   847  	}
   848  
   849  	c.peerCertificates = certs
   850  	c.ocspResponse = certificate.OCSPStaple
   851  	c.scts = certificate.SignedCertificateTimestamps
   852  
   853  	if len(certs) > 0 {
   854  		switch certs[0].PublicKey.(type) {
   855  		case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
   856  		default:
   857  			c.sendAlert(alertUnsupportedCertificate)
   858  			return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
   859  		}
   860  	}
   861  
   862  	if c.config.VerifyPeerCertificate != nil {
   863  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
   864  			c.sendAlert(alertBadCertificate)
   865  			return err
   866  		}
   867  	}
   868  
   869  	return nil
   870  }
   871  
   872  func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
   873  	supportedVersions := clientHello.supportedVersions
   874  	if len(clientHello.supportedVersions) == 0 {
   875  		supportedVersions = supportedVersionsFromMax(clientHello.vers)
   876  	}
   877  
   878  	return &ClientHelloInfo{
   879  		CipherSuites:      clientHello.cipherSuites,
   880  		ServerName:        clientHello.serverName,
   881  		SupportedCurves:   clientHello.supportedCurves,
   882  		SupportedPoints:   clientHello.supportedPoints,
   883  		SignatureSchemes:  clientHello.supportedSignatureAlgorithms,
   884  		SupportedProtos:   clientHello.alpnProtocols,
   885  		SupportedVersions: supportedVersions,
   886  		Conn:              c.conn,
   887  		config:            c.config,
   888  		ctx:               ctx,
   889  	}
   890  }
   891
View as plain text