Source file
src/crypto/tls/handshake_server.go
1
2
3
4
5 package tls
6
7 import (
8 "context"
9 "crypto"
10 "crypto/ecdsa"
11 "crypto/ed25519"
12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
15 "errors"
16 "fmt"
17 "hash"
18 "io"
19 "time"
20 )
21
22
23
24 type serverHandshakeState struct {
25 c *Conn
26 ctx context.Context
27 clientHello *clientHelloMsg
28 hello *serverHelloMsg
29 suite *cipherSuite
30 ecdheOk bool
31 ecSignOk bool
32 rsaDecryptOk bool
33 rsaSignOk bool
34 sessionState *SessionState
35 finishedHash finishedHash
36 masterSecret []byte
37 cert *Certificate
38 }
39
40
41 func (c *Conn) serverHandshake(ctx context.Context) error {
42 clientHello, err := c.readClientHello(ctx)
43 if err != nil {
44 return err
45 }
46
47 if c.vers == VersionTLS13 {
48 hs := serverHandshakeStateTLS13{
49 c: c,
50 ctx: ctx,
51 clientHello: clientHello,
52 }
53 return hs.handshake()
54 }
55
56 hs := serverHandshakeState{
57 c: c,
58 ctx: ctx,
59 clientHello: clientHello,
60 }
61 return hs.handshake()
62 }
63
64 func (hs *serverHandshakeState) handshake() error {
65 c := hs.c
66
67 if err := hs.processClientHello(); err != nil {
68 return err
69 }
70
71
72 c.buffering = true
73 if err := hs.checkForResumption(); err != nil {
74 return err
75 }
76 if hs.sessionState != nil {
77
78 if err := hs.doResumeHandshake(); err != nil {
79 return err
80 }
81 if err := hs.establishKeys(); err != nil {
82 return err
83 }
84 if err := hs.sendSessionTicket(); err != nil {
85 return err
86 }
87 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
88 return err
89 }
90 if _, err := c.flush(); err != nil {
91 return err
92 }
93 c.clientFinishedIsFirst = false
94 if err := hs.readFinished(nil); err != nil {
95 return err
96 }
97 } else {
98
99
100 if err := hs.pickCipherSuite(); err != nil {
101 return err
102 }
103 if err := hs.doFullHandshake(); err != nil {
104 return err
105 }
106 if err := hs.establishKeys(); err != nil {
107 return err
108 }
109 if err := hs.readFinished(c.clientFinished[:]); err != nil {
110 return err
111 }
112 c.clientFinishedIsFirst = true
113 c.buffering = true
114 if err := hs.sendSessionTicket(); err != nil {
115 return err
116 }
117 if err := hs.sendFinished(nil); err != nil {
118 return err
119 }
120 if _, err := c.flush(); err != nil {
121 return err
122 }
123 }
124
125 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
126 c.isHandshakeComplete.Store(true)
127
128 return nil
129 }
130
131
132 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
133
134
135 msg, err := c.readHandshake(nil)
136 if err != nil {
137 return nil, err
138 }
139 clientHello, ok := msg.(*clientHelloMsg)
140 if !ok {
141 c.sendAlert(alertUnexpectedMessage)
142 return nil, unexpectedMessageError(clientHello, msg)
143 }
144
145 var configForClient *Config
146 originalConfig := c.config
147 if c.config.GetConfigForClient != nil {
148 chi := clientHelloInfo(ctx, c, clientHello)
149 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
150 c.sendAlert(alertInternalError)
151 return nil, err
152 } else if configForClient != nil {
153 c.config = configForClient
154 }
155 }
156 c.ticketKeys = originalConfig.ticketKeys(configForClient)
157
158 clientVersions := clientHello.supportedVersions
159 if len(clientHello.supportedVersions) == 0 {
160 clientVersions = supportedVersionsFromMax(clientHello.vers)
161 }
162 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
163 if !ok {
164 c.sendAlert(alertProtocolVersion)
165 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
166 }
167 c.haveVers = true
168 c.in.version = c.vers
169 c.out.version = c.vers
170
171 return clientHello, nil
172 }
173
174 func (hs *serverHandshakeState) processClientHello() error {
175 c := hs.c
176
177 hs.hello = new(serverHelloMsg)
178 hs.hello.vers = c.vers
179
180 foundCompression := false
181
182 for _, compression := range hs.clientHello.compressionMethods {
183 if compression == compressionNone {
184 foundCompression = true
185 break
186 }
187 }
188
189 if !foundCompression {
190 c.sendAlert(alertHandshakeFailure)
191 return errors.New("tls: client does not support uncompressed connections")
192 }
193
194 hs.hello.random = make([]byte, 32)
195 serverRandom := hs.hello.random
196
197 maxVers := c.config.maxSupportedVersion(roleServer)
198 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
199 if c.vers == VersionTLS12 {
200 copy(serverRandom[24:], downgradeCanaryTLS12)
201 } else {
202 copy(serverRandom[24:], downgradeCanaryTLS11)
203 }
204 serverRandom = serverRandom[:24]
205 }
206 _, err := io.ReadFull(c.config.rand(), serverRandom)
207 if err != nil {
208 c.sendAlert(alertInternalError)
209 return err
210 }
211
212 if len(hs.clientHello.secureRenegotiation) != 0 {
213 c.sendAlert(alertHandshakeFailure)
214 return errors.New("tls: initial handshake had non-empty renegotiation extension")
215 }
216
217 hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
218 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
219 hs.hello.compressionMethod = compressionNone
220 if len(hs.clientHello.serverName) > 0 {
221 c.serverName = hs.clientHello.serverName
222 }
223
224 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
225 if err != nil {
226 c.sendAlert(alertNoApplicationProtocol)
227 return err
228 }
229 hs.hello.alpnProtocol = selectedProto
230 c.clientProtocol = selectedProto
231
232 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
233 if err != nil {
234 if err == errNoCertificates {
235 c.sendAlert(alertUnrecognizedName)
236 } else {
237 c.sendAlert(alertInternalError)
238 }
239 return err
240 }
241 if hs.clientHello.scts {
242 hs.hello.scts = hs.cert.SignedCertificateTimestamps
243 }
244
245 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
246
247 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
248
249
250
251
252
253 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
254 }
255
256 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
257 switch priv.Public().(type) {
258 case *ecdsa.PublicKey:
259 hs.ecSignOk = true
260 case ed25519.PublicKey:
261 hs.ecSignOk = true
262 case *rsa.PublicKey:
263 hs.rsaSignOk = true
264 default:
265 c.sendAlert(alertInternalError)
266 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
267 }
268 }
269 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
270 switch priv.Public().(type) {
271 case *rsa.PublicKey:
272 hs.rsaDecryptOk = true
273 default:
274 c.sendAlert(alertInternalError)
275 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
276 }
277 }
278
279 return nil
280 }
281
282
283
284
285 func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
286 if len(serverProtos) == 0 || len(clientProtos) == 0 {
287 if quic && len(serverProtos) != 0 {
288
289 return "", fmt.Errorf("tls: client did not request an application protocol")
290 }
291 return "", nil
292 }
293 var http11fallback bool
294 for _, s := range serverProtos {
295 for _, c := range clientProtos {
296 if s == c {
297 return s, nil
298 }
299 if s == "h2" && c == "http/1.1" {
300 http11fallback = true
301 }
302 }
303 }
304
305
306
307
308 if http11fallback {
309 return "", nil
310 }
311 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
312 }
313
314
315
316 func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
317 supportsCurve := false
318 for _, curve := range supportedCurves {
319 if c.supportsCurve(curve) {
320 supportsCurve = true
321 break
322 }
323 }
324
325 supportsPointFormat := false
326 for _, pointFormat := range supportedPoints {
327 if pointFormat == pointFormatUncompressed {
328 supportsPointFormat = true
329 break
330 }
331 }
332
333
334
335
336 if len(supportedPoints) == 0 {
337 supportsPointFormat = true
338 }
339
340 return supportsCurve && supportsPointFormat
341 }
342
343 func (hs *serverHandshakeState) pickCipherSuite() error {
344 c := hs.c
345
346 preferenceOrder := cipherSuitesPreferenceOrder
347 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
348 preferenceOrder = cipherSuitesPreferenceOrderNoAES
349 }
350
351 configCipherSuites := c.config.cipherSuites()
352 preferenceList := make([]uint16, 0, len(configCipherSuites))
353 for _, suiteID := range preferenceOrder {
354 for _, id := range configCipherSuites {
355 if id == suiteID {
356 preferenceList = append(preferenceList, id)
357 break
358 }
359 }
360 }
361
362 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
363 if hs.suite == nil {
364 c.sendAlert(alertHandshakeFailure)
365 return errors.New("tls: no cipher suite supported by both client and server")
366 }
367 c.cipherSuite = hs.suite.id
368
369 for _, id := range hs.clientHello.cipherSuites {
370 if id == TLS_FALLBACK_SCSV {
371
372 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
373 c.sendAlert(alertInappropriateFallback)
374 return errors.New("tls: client using inappropriate protocol fallback")
375 }
376 break
377 }
378 }
379
380 return nil
381 }
382
383 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
384 if c.flags&suiteECDHE != 0 {
385 if !hs.ecdheOk {
386 return false
387 }
388 if c.flags&suiteECSign != 0 {
389 if !hs.ecSignOk {
390 return false
391 }
392 } else if !hs.rsaSignOk {
393 return false
394 }
395 } else if !hs.rsaDecryptOk {
396 return false
397 }
398 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
399 return false
400 }
401 return true
402 }
403
404
405 func (hs *serverHandshakeState) checkForResumption() error {
406 c := hs.c
407
408 if c.config.SessionTicketsDisabled {
409 return nil
410 }
411
412 var sessionState *SessionState
413 if c.config.UnwrapSession != nil {
414 ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
415 if err != nil {
416 return err
417 }
418 if ss == nil {
419 return nil
420 }
421 sessionState = ss
422 } else {
423 plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
424 if plaintext == nil {
425 return nil
426 }
427 ss, err := ParseSessionState(plaintext)
428 if err != nil {
429 return nil
430 }
431 sessionState = ss
432 }
433
434
435
436
437 createdAt := time.Unix(int64(sessionState.createdAt), 0)
438 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
439 return nil
440 }
441
442
443 if c.vers != sessionState.version {
444 return nil
445 }
446
447 cipherSuiteOk := false
448
449 for _, id := range hs.clientHello.cipherSuites {
450 if id == sessionState.cipherSuite {
451 cipherSuiteOk = true
452 break
453 }
454 }
455 if !cipherSuiteOk {
456 return nil
457 }
458
459
460 suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
461 c.config.cipherSuites(), hs.cipherSuiteOk)
462 if suite == nil {
463 return nil
464 }
465
466 sessionHasClientCerts := len(sessionState.peerCertificates) != 0
467 needClientCerts := requiresClientCert(c.config.ClientAuth)
468 if needClientCerts && !sessionHasClientCerts {
469 return nil
470 }
471 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
472 return nil
473 }
474 if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
475 return nil
476 }
477 if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
478 len(sessionState.verifiedChains) == 0 {
479 return nil
480 }
481
482
483 if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
484 return nil
485 }
486 if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
487
488
489 return errors.New("tls: session supported extended_master_secret but client does not")
490 }
491
492 c.peerCertificates = sessionState.peerCertificates
493 c.ocspResponse = sessionState.ocspResponse
494 c.scts = sessionState.scts
495 c.verifiedChains = sessionState.verifiedChains
496 c.extMasterSecret = sessionState.extMasterSecret
497 hs.sessionState = sessionState
498 hs.suite = suite
499 c.didResume = true
500 return nil
501 }
502
503 func (hs *serverHandshakeState) doResumeHandshake() error {
504 c := hs.c
505
506 hs.hello.cipherSuite = hs.suite.id
507 c.cipherSuite = hs.suite.id
508
509
510 hs.hello.sessionId = hs.clientHello.sessionId
511
512
513
514 hs.hello.ticketSupported = true
515 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
516 hs.finishedHash.discardHandshakeBuffer()
517 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
518 return err
519 }
520 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
521 return err
522 }
523
524 if c.config.VerifyConnection != nil {
525 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
526 c.sendAlert(alertBadCertificate)
527 return err
528 }
529 }
530
531 hs.masterSecret = hs.sessionState.secret
532
533 return nil
534 }
535
536 func (hs *serverHandshakeState) doFullHandshake() error {
537 c := hs.c
538
539 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
540 hs.hello.ocspStapling = true
541 }
542
543 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
544 hs.hello.cipherSuite = hs.suite.id
545
546 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
547 if c.config.ClientAuth == NoClientCert {
548
549
550 hs.finishedHash.discardHandshakeBuffer()
551 }
552 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
553 return err
554 }
555 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
556 return err
557 }
558
559 certMsg := new(certificateMsg)
560 certMsg.certificates = hs.cert.Certificate
561 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
562 return err
563 }
564
565 if hs.hello.ocspStapling {
566 certStatus := new(certificateStatusMsg)
567 certStatus.response = hs.cert.OCSPStaple
568 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
569 return err
570 }
571 }
572
573 keyAgreement := hs.suite.ka(c.vers)
574 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
575 if err != nil {
576 c.sendAlert(alertHandshakeFailure)
577 return err
578 }
579 if skx != nil {
580 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
581 return err
582 }
583 }
584
585 var certReq *certificateRequestMsg
586 if c.config.ClientAuth >= RequestClientCert {
587
588 certReq = new(certificateRequestMsg)
589 certReq.certificateTypes = []byte{
590 byte(certTypeRSASign),
591 byte(certTypeECDSASign),
592 }
593 if c.vers >= VersionTLS12 {
594 certReq.hasSignatureAlgorithm = true
595 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
596 }
597
598
599
600
601
602
603 if c.config.ClientCAs != nil {
604 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
605 }
606 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
607 return err
608 }
609 }
610
611 helloDone := new(serverHelloDoneMsg)
612 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
613 return err
614 }
615
616 if _, err := c.flush(); err != nil {
617 return err
618 }
619
620 var pub crypto.PublicKey
621
622 msg, err := c.readHandshake(&hs.finishedHash)
623 if err != nil {
624 return err
625 }
626
627
628
629 if c.config.ClientAuth >= RequestClientCert {
630 certMsg, ok := msg.(*certificateMsg)
631 if !ok {
632 c.sendAlert(alertUnexpectedMessage)
633 return unexpectedMessageError(certMsg, msg)
634 }
635
636 if err := c.processCertsFromClient(Certificate{
637 Certificate: certMsg.certificates,
638 }); err != nil {
639 return err
640 }
641 if len(certMsg.certificates) != 0 {
642 pub = c.peerCertificates[0].PublicKey
643 }
644
645 msg, err = c.readHandshake(&hs.finishedHash)
646 if err != nil {
647 return err
648 }
649 }
650 if c.config.VerifyConnection != nil {
651 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
652 c.sendAlert(alertBadCertificate)
653 return err
654 }
655 }
656
657
658 ckx, ok := msg.(*clientKeyExchangeMsg)
659 if !ok {
660 c.sendAlert(alertUnexpectedMessage)
661 return unexpectedMessageError(ckx, msg)
662 }
663
664 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
665 if err != nil {
666 c.sendAlert(alertHandshakeFailure)
667 return err
668 }
669 if hs.hello.extendedMasterSecret {
670 c.extMasterSecret = true
671 hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
672 hs.finishedHash.Sum())
673 } else {
674 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
675 hs.clientHello.random, hs.hello.random)
676 }
677 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
678 c.sendAlert(alertInternalError)
679 return err
680 }
681
682
683
684
685
686
687
688 if len(c.peerCertificates) > 0 {
689
690
691
692 msg, err = c.readHandshake(nil)
693 if err != nil {
694 return err
695 }
696 certVerify, ok := msg.(*certificateVerifyMsg)
697 if !ok {
698 c.sendAlert(alertUnexpectedMessage)
699 return unexpectedMessageError(certVerify, msg)
700 }
701
702 var sigType uint8
703 var sigHash crypto.Hash
704 if c.vers >= VersionTLS12 {
705 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
706 c.sendAlert(alertIllegalParameter)
707 return errors.New("tls: client certificate used with invalid signature algorithm")
708 }
709 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
710 if err != nil {
711 return c.sendAlert(alertInternalError)
712 }
713 } else {
714 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
715 if err != nil {
716 c.sendAlert(alertIllegalParameter)
717 return err
718 }
719 }
720
721 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
722 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
723 c.sendAlert(alertDecryptError)
724 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
725 }
726
727 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
728 return err
729 }
730 }
731
732 hs.finishedHash.discardHandshakeBuffer()
733
734 return nil
735 }
736
737 func (hs *serverHandshakeState) establishKeys() error {
738 c := hs.c
739
740 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
741 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
742
743 var clientCipher, serverCipher any
744 var clientHash, serverHash hash.Hash
745
746 if hs.suite.aead == nil {
747 clientCipher = hs.suite.cipher(clientKey, clientIV, true )
748 clientHash = hs.suite.mac(clientMAC)
749 serverCipher = hs.suite.cipher(serverKey, serverIV, false )
750 serverHash = hs.suite.mac(serverMAC)
751 } else {
752 clientCipher = hs.suite.aead(clientKey, clientIV)
753 serverCipher = hs.suite.aead(serverKey, serverIV)
754 }
755
756 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
757 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
758
759 return nil
760 }
761
762 func (hs *serverHandshakeState) readFinished(out []byte) error {
763 c := hs.c
764
765 if err := c.readChangeCipherSpec(); err != nil {
766 return err
767 }
768
769
770
771
772 msg, err := c.readHandshake(nil)
773 if err != nil {
774 return err
775 }
776 clientFinished, ok := msg.(*finishedMsg)
777 if !ok {
778 c.sendAlert(alertUnexpectedMessage)
779 return unexpectedMessageError(clientFinished, msg)
780 }
781
782 verify := hs.finishedHash.clientSum(hs.masterSecret)
783 if len(verify) != len(clientFinished.verifyData) ||
784 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
785 c.sendAlert(alertHandshakeFailure)
786 return errors.New("tls: client's Finished message is incorrect")
787 }
788
789 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
790 return err
791 }
792
793 copy(out, verify)
794 return nil
795 }
796
797 func (hs *serverHandshakeState) sendSessionTicket() error {
798 if !hs.hello.ticketSupported {
799 return nil
800 }
801
802 c := hs.c
803 m := new(newSessionTicketMsg)
804
805 state, err := c.sessionState()
806 if err != nil {
807 return err
808 }
809 state.secret = hs.masterSecret
810 if hs.sessionState != nil {
811
812
813 state.createdAt = hs.sessionState.createdAt
814 }
815 if c.config.WrapSession != nil {
816 m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
817 if err != nil {
818 return err
819 }
820 } else {
821 stateBytes, err := state.Bytes()
822 if err != nil {
823 return err
824 }
825 m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
826 if err != nil {
827 return err
828 }
829 }
830
831 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
832 return err
833 }
834
835 return nil
836 }
837
838 func (hs *serverHandshakeState) sendFinished(out []byte) error {
839 c := hs.c
840
841 if err := c.writeChangeCipherRecord(); err != nil {
842 return err
843 }
844
845 finished := new(finishedMsg)
846 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
847 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
848 return err
849 }
850
851 copy(out, finished.verifyData)
852
853 return nil
854 }
855
856
857
858 func (c *Conn) processCertsFromClient(certificate Certificate) error {
859 certificates := certificate.Certificate
860 certs := make([]*x509.Certificate, len(certificates))
861 var err error
862 for i, asn1Data := range certificates {
863 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
864 c.sendAlert(alertBadCertificate)
865 return errors.New("tls: failed to parse client certificate: " + err.Error())
866 }
867 if certs[i].PublicKeyAlgorithm == x509.RSA {
868 n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
869 if max, ok := checkKeySize(n); !ok {
870 c.sendAlert(alertBadCertificate)
871 return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
872 }
873 }
874 }
875
876 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
877 if c.vers == VersionTLS13 {
878 c.sendAlert(alertCertificateRequired)
879 } else {
880 c.sendAlert(alertBadCertificate)
881 }
882 return errors.New("tls: client didn't provide a certificate")
883 }
884
885 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
886 opts := x509.VerifyOptions{
887 Roots: c.config.ClientCAs,
888 CurrentTime: c.config.time(),
889 Intermediates: x509.NewCertPool(),
890 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
891 }
892
893 for _, cert := range certs[1:] {
894 opts.Intermediates.AddCert(cert)
895 }
896
897 chains, err := certs[0].Verify(opts)
898 if err != nil {
899 var errCertificateInvalid x509.CertificateInvalidError
900 if errors.As(err, &x509.UnknownAuthorityError{}) {
901 c.sendAlert(alertUnknownCA)
902 } else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
903 c.sendAlert(alertCertificateExpired)
904 } else {
905 c.sendAlert(alertBadCertificate)
906 }
907 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
908 }
909
910 c.verifiedChains = chains
911 }
912
913 c.peerCertificates = certs
914 c.ocspResponse = certificate.OCSPStaple
915 c.scts = certificate.SignedCertificateTimestamps
916
917 if len(certs) > 0 {
918 switch certs[0].PublicKey.(type) {
919 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
920 default:
921 c.sendAlert(alertUnsupportedCertificate)
922 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
923 }
924 }
925
926 if c.config.VerifyPeerCertificate != nil {
927 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
928 c.sendAlert(alertBadCertificate)
929 return err
930 }
931 }
932
933 return nil
934 }
935
936 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
937 supportedVersions := clientHello.supportedVersions
938 if len(clientHello.supportedVersions) == 0 {
939 supportedVersions = supportedVersionsFromMax(clientHello.vers)
940 }
941
942 return &ClientHelloInfo{
943 CipherSuites: clientHello.cipherSuites,
944 ServerName: clientHello.serverName,
945 SupportedCurves: clientHello.supportedCurves,
946 SupportedPoints: clientHello.supportedPoints,
947 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
948 SupportedProtos: clientHello.alpnProtocols,
949 SupportedVersions: supportedVersions,
950 Conn: c.conn,
951 config: c.config,
952 ctx: ctx,
953 }
954 }
955
View as plain text