Source file src/crypto/tls/handshake_server.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"context"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/rsa"
    13  	"crypto/subtle"
    14  	"crypto/x509"
    15  	"errors"
    16  	"fmt"
    17  	"hash"
    18  	"io"
    19  	"time"
    20  )
    21  
    22  // serverHandshakeState contains details of a server handshake in progress.
    23  // It's discarded once the handshake has completed.
    24  type serverHandshakeState struct {
    25  	c            *Conn
    26  	ctx          context.Context
    27  	clientHello  *clientHelloMsg
    28  	hello        *serverHelloMsg
    29  	suite        *cipherSuite
    30  	ecdheOk      bool
    31  	ecSignOk     bool
    32  	rsaDecryptOk bool
    33  	rsaSignOk    bool
    34  	sessionState *SessionState
    35  	finishedHash finishedHash
    36  	masterSecret []byte
    37  	cert         *Certificate
    38  }
    39  
    40  // serverHandshake performs a TLS handshake as a server.
    41  func (c *Conn) serverHandshake(ctx context.Context) error {
    42  	clientHello, err := c.readClientHello(ctx)
    43  	if err != nil {
    44  		return err
    45  	}
    46  
    47  	if c.vers == VersionTLS13 {
    48  		hs := serverHandshakeStateTLS13{
    49  			c:           c,
    50  			ctx:         ctx,
    51  			clientHello: clientHello,
    52  		}
    53  		return hs.handshake()
    54  	}
    55  
    56  	hs := serverHandshakeState{
    57  		c:           c,
    58  		ctx:         ctx,
    59  		clientHello: clientHello,
    60  	}
    61  	return hs.handshake()
    62  }
    63  
    64  func (hs *serverHandshakeState) handshake() error {
    65  	c := hs.c
    66  
    67  	if err := hs.processClientHello(); err != nil {
    68  		return err
    69  	}
    70  
    71  	// For an overview of TLS handshaking, see RFC 5246, Section 7.3.
    72  	c.buffering = true
    73  	if err := hs.checkForResumption(); err != nil {
    74  		return err
    75  	}
    76  	if hs.sessionState != nil {
    77  		// The client has included a session ticket and so we do an abbreviated handshake.
    78  		if err := hs.doResumeHandshake(); err != nil {
    79  			return err
    80  		}
    81  		if err := hs.establishKeys(); err != nil {
    82  			return err
    83  		}
    84  		if err := hs.sendSessionTicket(); err != nil {
    85  			return err
    86  		}
    87  		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
    88  			return err
    89  		}
    90  		if _, err := c.flush(); err != nil {
    91  			return err
    92  		}
    93  		c.clientFinishedIsFirst = false
    94  		if err := hs.readFinished(nil); err != nil {
    95  			return err
    96  		}
    97  	} else {
    98  		// The client didn't include a session ticket, or it wasn't
    99  		// valid so we do a full handshake.
   100  		if err := hs.pickCipherSuite(); err != nil {
   101  			return err
   102  		}
   103  		if err := hs.doFullHandshake(); err != nil {
   104  			return err
   105  		}
   106  		if err := hs.establishKeys(); err != nil {
   107  			return err
   108  		}
   109  		if err := hs.readFinished(c.clientFinished[:]); err != nil {
   110  			return err
   111  		}
   112  		c.clientFinishedIsFirst = true
   113  		c.buffering = true
   114  		if err := hs.sendSessionTicket(); err != nil {
   115  			return err
   116  		}
   117  		if err := hs.sendFinished(nil); err != nil {
   118  			return err
   119  		}
   120  		if _, err := c.flush(); err != nil {
   121  			return err
   122  		}
   123  	}
   124  
   125  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
   126  	c.isHandshakeComplete.Store(true)
   127  
   128  	return nil
   129  }
   130  
   131  // readClientHello reads a ClientHello message and selects the protocol version.
   132  func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
   133  	// clientHelloMsg is included in the transcript, but we haven't initialized
   134  	// it yet. The respective handshake functions will record it themselves.
   135  	msg, err := c.readHandshake(nil)
   136  	if err != nil {
   137  		return nil, err
   138  	}
   139  	clientHello, ok := msg.(*clientHelloMsg)
   140  	if !ok {
   141  		c.sendAlert(alertUnexpectedMessage)
   142  		return nil, unexpectedMessageError(clientHello, msg)
   143  	}
   144  
   145  	var configForClient *Config
   146  	originalConfig := c.config
   147  	if c.config.GetConfigForClient != nil {
   148  		chi := clientHelloInfo(ctx, c, clientHello)
   149  		if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
   150  			c.sendAlert(alertInternalError)
   151  			return nil, err
   152  		} else if configForClient != nil {
   153  			c.config = configForClient
   154  		}
   155  	}
   156  	c.ticketKeys = originalConfig.ticketKeys(configForClient)
   157  
   158  	clientVersions := clientHello.supportedVersions
   159  	if len(clientHello.supportedVersions) == 0 {
   160  		clientVersions = supportedVersionsFromMax(clientHello.vers)
   161  	}
   162  	c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
   163  	if !ok {
   164  		c.sendAlert(alertProtocolVersion)
   165  		return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
   166  	}
   167  	c.haveVers = true
   168  	c.in.version = c.vers
   169  	c.out.version = c.vers
   170  
   171  	return clientHello, nil
   172  }
   173  
   174  func (hs *serverHandshakeState) processClientHello() error {
   175  	c := hs.c
   176  
   177  	hs.hello = new(serverHelloMsg)
   178  	hs.hello.vers = c.vers
   179  
   180  	foundCompression := false
   181  	// We only support null compression, so check that the client offered it.
   182  	for _, compression := range hs.clientHello.compressionMethods {
   183  		if compression == compressionNone {
   184  			foundCompression = true
   185  			break
   186  		}
   187  	}
   188  
   189  	if !foundCompression {
   190  		c.sendAlert(alertHandshakeFailure)
   191  		return errors.New("tls: client does not support uncompressed connections")
   192  	}
   193  
   194  	hs.hello.random = make([]byte, 32)
   195  	serverRandom := hs.hello.random
   196  	// Downgrade protection canaries. See RFC 8446, Section 4.1.3.
   197  	maxVers := c.config.maxSupportedVersion(roleServer)
   198  	if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
   199  		if c.vers == VersionTLS12 {
   200  			copy(serverRandom[24:], downgradeCanaryTLS12)
   201  		} else {
   202  			copy(serverRandom[24:], downgradeCanaryTLS11)
   203  		}
   204  		serverRandom = serverRandom[:24]
   205  	}
   206  	_, err := io.ReadFull(c.config.rand(), serverRandom)
   207  	if err != nil {
   208  		c.sendAlert(alertInternalError)
   209  		return err
   210  	}
   211  
   212  	if len(hs.clientHello.secureRenegotiation) != 0 {
   213  		c.sendAlert(alertHandshakeFailure)
   214  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   215  	}
   216  
   217  	hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
   218  	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
   219  	hs.hello.compressionMethod = compressionNone
   220  	if len(hs.clientHello.serverName) > 0 {
   221  		c.serverName = hs.clientHello.serverName
   222  	}
   223  
   224  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
   225  	if err != nil {
   226  		c.sendAlert(alertNoApplicationProtocol)
   227  		return err
   228  	}
   229  	hs.hello.alpnProtocol = selectedProto
   230  	c.clientProtocol = selectedProto
   231  
   232  	hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
   233  	if err != nil {
   234  		if err == errNoCertificates {
   235  			c.sendAlert(alertUnrecognizedName)
   236  		} else {
   237  			c.sendAlert(alertInternalError)
   238  		}
   239  		return err
   240  	}
   241  	if hs.clientHello.scts {
   242  		hs.hello.scts = hs.cert.SignedCertificateTimestamps
   243  	}
   244  
   245  	hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
   246  
   247  	if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
   248  		// Although omitting the ec_point_formats extension is permitted, some
   249  		// old OpenSSL version will refuse to handshake if not present.
   250  		//
   251  		// Per RFC 4492, section 5.1.2, implementations MUST support the
   252  		// uncompressed point format. See golang.org/issue/31943.
   253  		hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
   254  	}
   255  
   256  	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
   257  		switch priv.Public().(type) {
   258  		case *ecdsa.PublicKey:
   259  			hs.ecSignOk = true
   260  		case ed25519.PublicKey:
   261  			hs.ecSignOk = true
   262  		case *rsa.PublicKey:
   263  			hs.rsaSignOk = true
   264  		default:
   265  			c.sendAlert(alertInternalError)
   266  			return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
   267  		}
   268  	}
   269  	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
   270  		switch priv.Public().(type) {
   271  		case *rsa.PublicKey:
   272  			hs.rsaDecryptOk = true
   273  		default:
   274  			c.sendAlert(alertInternalError)
   275  			return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
   276  		}
   277  	}
   278  
   279  	return nil
   280  }
   281  
   282  // negotiateALPN picks a shared ALPN protocol that both sides support in server
   283  // preference order. If ALPN is not configured or the peer doesn't support it,
   284  // it returns "" and no error.
   285  func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
   286  	if len(serverProtos) == 0 || len(clientProtos) == 0 {
   287  		if quic && len(serverProtos) != 0 {
   288  			// RFC 9001, Section 8.1
   289  			return "", fmt.Errorf("tls: client did not request an application protocol")
   290  		}
   291  		return "", nil
   292  	}
   293  	var http11fallback bool
   294  	for _, s := range serverProtos {
   295  		for _, c := range clientProtos {
   296  			if s == c {
   297  				return s, nil
   298  			}
   299  			if s == "h2" && c == "http/1.1" {
   300  				http11fallback = true
   301  			}
   302  		}
   303  	}
   304  	// As a special case, let http/1.1 clients connect to h2 servers as if they
   305  	// didn't support ALPN. We used not to enforce protocol overlap, so over
   306  	// time a number of HTTP servers were configured with only "h2", but
   307  	// expected to accept connections from "http/1.1" clients. See Issue 46310.
   308  	if http11fallback {
   309  		return "", nil
   310  	}
   311  	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
   312  }
   313  
   314  // supportsECDHE returns whether ECDHE key exchanges can be used with this
   315  // pre-TLS 1.3 client.
   316  func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
   317  	supportsCurve := false
   318  	for _, curve := range supportedCurves {
   319  		if c.supportsCurve(curve) {
   320  			supportsCurve = true
   321  			break
   322  		}
   323  	}
   324  
   325  	supportsPointFormat := false
   326  	for _, pointFormat := range supportedPoints {
   327  		if pointFormat == pointFormatUncompressed {
   328  			supportsPointFormat = true
   329  			break
   330  		}
   331  	}
   332  	// Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is
   333  	// missing, uncompressed points are supported. If supportedPoints is empty,
   334  	// the extension must be missing, as an empty extension body is rejected by
   335  	// the parser. See https://go.dev/issue/49126.
   336  	if len(supportedPoints) == 0 {
   337  		supportsPointFormat = true
   338  	}
   339  
   340  	return supportsCurve && supportsPointFormat
   341  }
   342  
   343  func (hs *serverHandshakeState) pickCipherSuite() error {
   344  	c := hs.c
   345  
   346  	preferenceOrder := cipherSuitesPreferenceOrder
   347  	if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
   348  		preferenceOrder = cipherSuitesPreferenceOrderNoAES
   349  	}
   350  
   351  	configCipherSuites := c.config.cipherSuites()
   352  	preferenceList := make([]uint16, 0, len(configCipherSuites))
   353  	for _, suiteID := range preferenceOrder {
   354  		for _, id := range configCipherSuites {
   355  			if id == suiteID {
   356  				preferenceList = append(preferenceList, id)
   357  				break
   358  			}
   359  		}
   360  	}
   361  
   362  	hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
   363  	if hs.suite == nil {
   364  		c.sendAlert(alertHandshakeFailure)
   365  		return errors.New("tls: no cipher suite supported by both client and server")
   366  	}
   367  	c.cipherSuite = hs.suite.id
   368  
   369  	for _, id := range hs.clientHello.cipherSuites {
   370  		if id == TLS_FALLBACK_SCSV {
   371  			// The client is doing a fallback connection. See RFC 7507.
   372  			if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
   373  				c.sendAlert(alertInappropriateFallback)
   374  				return errors.New("tls: client using inappropriate protocol fallback")
   375  			}
   376  			break
   377  		}
   378  	}
   379  
   380  	return nil
   381  }
   382  
   383  func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
   384  	if c.flags&suiteECDHE != 0 {
   385  		if !hs.ecdheOk {
   386  			return false
   387  		}
   388  		if c.flags&suiteECSign != 0 {
   389  			if !hs.ecSignOk {
   390  				return false
   391  			}
   392  		} else if !hs.rsaSignOk {
   393  			return false
   394  		}
   395  	} else if !hs.rsaDecryptOk {
   396  		return false
   397  	}
   398  	if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
   399  		return false
   400  	}
   401  	return true
   402  }
   403  
   404  // checkForResumption reports whether we should perform resumption on this connection.
   405  func (hs *serverHandshakeState) checkForResumption() error {
   406  	c := hs.c
   407  
   408  	if c.config.SessionTicketsDisabled {
   409  		return nil
   410  	}
   411  
   412  	var sessionState *SessionState
   413  	if c.config.UnwrapSession != nil {
   414  		ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
   415  		if err != nil {
   416  			return err
   417  		}
   418  		if ss == nil {
   419  			return nil
   420  		}
   421  		sessionState = ss
   422  	} else {
   423  		plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
   424  		if plaintext == nil {
   425  			return nil
   426  		}
   427  		ss, err := ParseSessionState(plaintext)
   428  		if err != nil {
   429  			return nil
   430  		}
   431  		sessionState = ss
   432  	}
   433  
   434  	// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
   435  	// re-wrapping the same master secret in different tickets over and over for
   436  	// too long, weakening forward secrecy.
   437  	createdAt := time.Unix(int64(sessionState.createdAt), 0)
   438  	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
   439  		return nil
   440  	}
   441  
   442  	// Never resume a session for a different TLS version.
   443  	if c.vers != sessionState.version {
   444  		return nil
   445  	}
   446  
   447  	cipherSuiteOk := false
   448  	// Check that the client is still offering the ciphersuite in the session.
   449  	for _, id := range hs.clientHello.cipherSuites {
   450  		if id == sessionState.cipherSuite {
   451  			cipherSuiteOk = true
   452  			break
   453  		}
   454  	}
   455  	if !cipherSuiteOk {
   456  		return nil
   457  	}
   458  
   459  	// Check that we also support the ciphersuite from the session.
   460  	suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
   461  		c.config.cipherSuites(), hs.cipherSuiteOk)
   462  	if suite == nil {
   463  		return nil
   464  	}
   465  
   466  	sessionHasClientCerts := len(sessionState.peerCertificates) != 0
   467  	needClientCerts := requiresClientCert(c.config.ClientAuth)
   468  	if needClientCerts && !sessionHasClientCerts {
   469  		return nil
   470  	}
   471  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   472  		return nil
   473  	}
   474  	if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
   475  		return nil
   476  	}
   477  	if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
   478  		len(sessionState.verifiedChains) == 0 {
   479  		return nil
   480  	}
   481  
   482  	// RFC 7627, Section 5.3
   483  	if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
   484  		return nil
   485  	}
   486  	if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
   487  		// Aborting is somewhat harsh, but it's a MUST and it would indicate a
   488  		// weird downgrade in client capabilities.
   489  		return errors.New("tls: session supported extended_master_secret but client does not")
   490  	}
   491  
   492  	c.peerCertificates = sessionState.peerCertificates
   493  	c.ocspResponse = sessionState.ocspResponse
   494  	c.scts = sessionState.scts
   495  	c.verifiedChains = sessionState.verifiedChains
   496  	c.extMasterSecret = sessionState.extMasterSecret
   497  	hs.sessionState = sessionState
   498  	hs.suite = suite
   499  	c.didResume = true
   500  	return nil
   501  }
   502  
   503  func (hs *serverHandshakeState) doResumeHandshake() error {
   504  	c := hs.c
   505  
   506  	hs.hello.cipherSuite = hs.suite.id
   507  	c.cipherSuite = hs.suite.id
   508  	// We echo the client's session ID in the ServerHello to let it know
   509  	// that we're doing a resumption.
   510  	hs.hello.sessionId = hs.clientHello.sessionId
   511  	// We always send a new session ticket, even if it wraps the same master
   512  	// secret and it's potentially encrypted with the same key, to help the
   513  	// client avoid cross-connection tracking from a network observer.
   514  	hs.hello.ticketSupported = true
   515  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   516  	hs.finishedHash.discardHandshakeBuffer()
   517  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   518  		return err
   519  	}
   520  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   521  		return err
   522  	}
   523  
   524  	if c.config.VerifyConnection != nil {
   525  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   526  			c.sendAlert(alertBadCertificate)
   527  			return err
   528  		}
   529  	}
   530  
   531  	hs.masterSecret = hs.sessionState.secret
   532  
   533  	return nil
   534  }
   535  
   536  func (hs *serverHandshakeState) doFullHandshake() error {
   537  	c := hs.c
   538  
   539  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   540  		hs.hello.ocspStapling = true
   541  	}
   542  
   543  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   544  	hs.hello.cipherSuite = hs.suite.id
   545  
   546  	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
   547  	if c.config.ClientAuth == NoClientCert {
   548  		// No need to keep a full record of the handshake if client
   549  		// certificates won't be used.
   550  		hs.finishedHash.discardHandshakeBuffer()
   551  	}
   552  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   553  		return err
   554  	}
   555  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   556  		return err
   557  	}
   558  
   559  	certMsg := new(certificateMsg)
   560  	certMsg.certificates = hs.cert.Certificate
   561  	if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
   562  		return err
   563  	}
   564  
   565  	if hs.hello.ocspStapling {
   566  		certStatus := new(certificateStatusMsg)
   567  		certStatus.response = hs.cert.OCSPStaple
   568  		if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
   569  			return err
   570  		}
   571  	}
   572  
   573  	keyAgreement := hs.suite.ka(c.vers)
   574  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   575  	if err != nil {
   576  		c.sendAlert(alertHandshakeFailure)
   577  		return err
   578  	}
   579  	if skx != nil {
   580  		if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
   581  			return err
   582  		}
   583  	}
   584  
   585  	var certReq *certificateRequestMsg
   586  	if c.config.ClientAuth >= RequestClientCert {
   587  		// Request a client certificate
   588  		certReq = new(certificateRequestMsg)
   589  		certReq.certificateTypes = []byte{
   590  			byte(certTypeRSASign),
   591  			byte(certTypeECDSASign),
   592  		}
   593  		if c.vers >= VersionTLS12 {
   594  			certReq.hasSignatureAlgorithm = true
   595  			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
   596  		}
   597  
   598  		// An empty list of certificateAuthorities signals to
   599  		// the client that it may send any certificate in response
   600  		// to our request. When we know the CAs we trust, then
   601  		// we can send them down, so that the client can choose
   602  		// an appropriate certificate to give to us.
   603  		if c.config.ClientCAs != nil {
   604  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   605  		}
   606  		if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
   607  			return err
   608  		}
   609  	}
   610  
   611  	helloDone := new(serverHelloDoneMsg)
   612  	if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
   613  		return err
   614  	}
   615  
   616  	if _, err := c.flush(); err != nil {
   617  		return err
   618  	}
   619  
   620  	var pub crypto.PublicKey // public key for client auth, if any
   621  
   622  	msg, err := c.readHandshake(&hs.finishedHash)
   623  	if err != nil {
   624  		return err
   625  	}
   626  
   627  	// If we requested a client certificate, then the client must send a
   628  	// certificate message, even if it's empty.
   629  	if c.config.ClientAuth >= RequestClientCert {
   630  		certMsg, ok := msg.(*certificateMsg)
   631  		if !ok {
   632  			c.sendAlert(alertUnexpectedMessage)
   633  			return unexpectedMessageError(certMsg, msg)
   634  		}
   635  
   636  		if err := c.processCertsFromClient(Certificate{
   637  			Certificate: certMsg.certificates,
   638  		}); err != nil {
   639  			return err
   640  		}
   641  		if len(certMsg.certificates) != 0 {
   642  			pub = c.peerCertificates[0].PublicKey
   643  		}
   644  
   645  		msg, err = c.readHandshake(&hs.finishedHash)
   646  		if err != nil {
   647  			return err
   648  		}
   649  	}
   650  	if c.config.VerifyConnection != nil {
   651  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   652  			c.sendAlert(alertBadCertificate)
   653  			return err
   654  		}
   655  	}
   656  
   657  	// Get client key exchange
   658  	ckx, ok := msg.(*clientKeyExchangeMsg)
   659  	if !ok {
   660  		c.sendAlert(alertUnexpectedMessage)
   661  		return unexpectedMessageError(ckx, msg)
   662  	}
   663  
   664  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
   665  	if err != nil {
   666  		c.sendAlert(alertHandshakeFailure)
   667  		return err
   668  	}
   669  	if hs.hello.extendedMasterSecret {
   670  		c.extMasterSecret = true
   671  		hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   672  			hs.finishedHash.Sum())
   673  	} else {
   674  		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   675  			hs.clientHello.random, hs.hello.random)
   676  	}
   677  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
   678  		c.sendAlert(alertInternalError)
   679  		return err
   680  	}
   681  
   682  	// If we received a client cert in response to our certificate request message,
   683  	// the client will send us a certificateVerifyMsg immediately after the
   684  	// clientKeyExchangeMsg. This message is a digest of all preceding
   685  	// handshake-layer messages that is signed using the private key corresponding
   686  	// to the client's certificate. This allows us to verify that the client is in
   687  	// possession of the private key of the certificate.
   688  	if len(c.peerCertificates) > 0 {
   689  		// certificateVerifyMsg is included in the transcript, but not until
   690  		// after we verify the handshake signature, since the state before
   691  		// this message was sent is used.
   692  		msg, err = c.readHandshake(nil)
   693  		if err != nil {
   694  			return err
   695  		}
   696  		certVerify, ok := msg.(*certificateVerifyMsg)
   697  		if !ok {
   698  			c.sendAlert(alertUnexpectedMessage)
   699  			return unexpectedMessageError(certVerify, msg)
   700  		}
   701  
   702  		var sigType uint8
   703  		var sigHash crypto.Hash
   704  		if c.vers >= VersionTLS12 {
   705  			if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
   706  				c.sendAlert(alertIllegalParameter)
   707  				return errors.New("tls: client certificate used with invalid signature algorithm")
   708  			}
   709  			sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   710  			if err != nil {
   711  				return c.sendAlert(alertInternalError)
   712  			}
   713  		} else {
   714  			sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
   715  			if err != nil {
   716  				c.sendAlert(alertIllegalParameter)
   717  				return err
   718  			}
   719  		}
   720  
   721  		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
   722  		if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
   723  			c.sendAlert(alertDecryptError)
   724  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
   725  		}
   726  
   727  		if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
   728  			return err
   729  		}
   730  	}
   731  
   732  	hs.finishedHash.discardHandshakeBuffer()
   733  
   734  	return nil
   735  }
   736  
   737  func (hs *serverHandshakeState) establishKeys() error {
   738  	c := hs.c
   739  
   740  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   741  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   742  
   743  	var clientCipher, serverCipher any
   744  	var clientHash, serverHash hash.Hash
   745  
   746  	if hs.suite.aead == nil {
   747  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   748  		clientHash = hs.suite.mac(clientMAC)
   749  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   750  		serverHash = hs.suite.mac(serverMAC)
   751  	} else {
   752  		clientCipher = hs.suite.aead(clientKey, clientIV)
   753  		serverCipher = hs.suite.aead(serverKey, serverIV)
   754  	}
   755  
   756  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   757  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   758  
   759  	return nil
   760  }
   761  
   762  func (hs *serverHandshakeState) readFinished(out []byte) error {
   763  	c := hs.c
   764  
   765  	if err := c.readChangeCipherSpec(); err != nil {
   766  		return err
   767  	}
   768  
   769  	// finishedMsg is included in the transcript, but not until after we
   770  	// check the client version, since the state before this message was
   771  	// sent is used during verification.
   772  	msg, err := c.readHandshake(nil)
   773  	if err != nil {
   774  		return err
   775  	}
   776  	clientFinished, ok := msg.(*finishedMsg)
   777  	if !ok {
   778  		c.sendAlert(alertUnexpectedMessage)
   779  		return unexpectedMessageError(clientFinished, msg)
   780  	}
   781  
   782  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   783  	if len(verify) != len(clientFinished.verifyData) ||
   784  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   785  		c.sendAlert(alertHandshakeFailure)
   786  		return errors.New("tls: client's Finished message is incorrect")
   787  	}
   788  
   789  	if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
   790  		return err
   791  	}
   792  
   793  	copy(out, verify)
   794  	return nil
   795  }
   796  
   797  func (hs *serverHandshakeState) sendSessionTicket() error {
   798  	if !hs.hello.ticketSupported {
   799  		return nil
   800  	}
   801  
   802  	c := hs.c
   803  	m := new(newSessionTicketMsg)
   804  
   805  	state, err := c.sessionState()
   806  	if err != nil {
   807  		return err
   808  	}
   809  	state.secret = hs.masterSecret
   810  	if hs.sessionState != nil {
   811  		// If this is re-wrapping an old key, then keep
   812  		// the original time it was created.
   813  		state.createdAt = hs.sessionState.createdAt
   814  	}
   815  	if c.config.WrapSession != nil {
   816  		m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
   817  		if err != nil {
   818  			return err
   819  		}
   820  	} else {
   821  		stateBytes, err := state.Bytes()
   822  		if err != nil {
   823  			return err
   824  		}
   825  		m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
   826  		if err != nil {
   827  			return err
   828  		}
   829  	}
   830  
   831  	if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
   832  		return err
   833  	}
   834  
   835  	return nil
   836  }
   837  
   838  func (hs *serverHandshakeState) sendFinished(out []byte) error {
   839  	c := hs.c
   840  
   841  	if err := c.writeChangeCipherRecord(); err != nil {
   842  		return err
   843  	}
   844  
   845  	finished := new(finishedMsg)
   846  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   847  	if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
   848  		return err
   849  	}
   850  
   851  	copy(out, finished.verifyData)
   852  
   853  	return nil
   854  }
   855  
   856  // processCertsFromClient takes a chain of client certificates either from a
   857  // Certificates message and verifies them.
   858  func (c *Conn) processCertsFromClient(certificate Certificate) error {
   859  	certificates := certificate.Certificate
   860  	certs := make([]*x509.Certificate, len(certificates))
   861  	var err error
   862  	for i, asn1Data := range certificates {
   863  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   864  			c.sendAlert(alertBadCertificate)
   865  			return errors.New("tls: failed to parse client certificate: " + err.Error())
   866  		}
   867  		if certs[i].PublicKeyAlgorithm == x509.RSA {
   868  			n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
   869  			if max, ok := checkKeySize(n); !ok {
   870  				c.sendAlert(alertBadCertificate)
   871  				return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
   872  			}
   873  		}
   874  	}
   875  
   876  	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
   877  		if c.vers == VersionTLS13 {
   878  			c.sendAlert(alertCertificateRequired)
   879  		} else {
   880  			c.sendAlert(alertBadCertificate)
   881  		}
   882  		return errors.New("tls: client didn't provide a certificate")
   883  	}
   884  
   885  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   886  		opts := x509.VerifyOptions{
   887  			Roots:         c.config.ClientCAs,
   888  			CurrentTime:   c.config.time(),
   889  			Intermediates: x509.NewCertPool(),
   890  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   891  		}
   892  
   893  		for _, cert := range certs[1:] {
   894  			opts.Intermediates.AddCert(cert)
   895  		}
   896  
   897  		chains, err := certs[0].Verify(opts)
   898  		if err != nil {
   899  			var errCertificateInvalid x509.CertificateInvalidError
   900  			if errors.As(err, &x509.UnknownAuthorityError{}) {
   901  				c.sendAlert(alertUnknownCA)
   902  			} else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
   903  				c.sendAlert(alertCertificateExpired)
   904  			} else {
   905  				c.sendAlert(alertBadCertificate)
   906  			}
   907  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   908  		}
   909  
   910  		c.verifiedChains = chains
   911  	}
   912  
   913  	c.peerCertificates = certs
   914  	c.ocspResponse = certificate.OCSPStaple
   915  	c.scts = certificate.SignedCertificateTimestamps
   916  
   917  	if len(certs) > 0 {
   918  		switch certs[0].PublicKey.(type) {
   919  		case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
   920  		default:
   921  			c.sendAlert(alertUnsupportedCertificate)
   922  			return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
   923  		}
   924  	}
   925  
   926  	if c.config.VerifyPeerCertificate != nil {
   927  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
   928  			c.sendAlert(alertBadCertificate)
   929  			return err
   930  		}
   931  	}
   932  
   933  	return nil
   934  }
   935  
   936  func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
   937  	supportedVersions := clientHello.supportedVersions
   938  	if len(clientHello.supportedVersions) == 0 {
   939  		supportedVersions = supportedVersionsFromMax(clientHello.vers)
   940  	}
   941  
   942  	return &ClientHelloInfo{
   943  		CipherSuites:      clientHello.cipherSuites,
   944  		ServerName:        clientHello.serverName,
   945  		SupportedCurves:   clientHello.supportedCurves,
   946  		SupportedPoints:   clientHello.supportedPoints,
   947  		SignatureSchemes:  clientHello.supportedSignatureAlgorithms,
   948  		SupportedProtos:   clientHello.alpnProtocols,
   949  		SupportedVersions: supportedVersions,
   950  		Conn:              c.conn,
   951  		config:            c.config,
   952  		ctx:               ctx,
   953  	}
   954  }
   955  

View as plain text