Source file
src/crypto/tls/handshake_server.go
1
2
3
4
5 package tls
6
7 import (
8 "context"
9 "crypto"
10 "crypto/ecdsa"
11 "crypto/ed25519"
12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
15 "errors"
16 "fmt"
17 "hash"
18 "io"
19 "time"
20 )
21
22
23
24 type serverHandshakeState struct {
25 c *Conn
26 ctx context.Context
27 clientHello *clientHelloMsg
28 hello *serverHelloMsg
29 suite *cipherSuite
30 ecdheOk bool
31 ecSignOk bool
32 rsaDecryptOk bool
33 rsaSignOk bool
34 sessionState *sessionState
35 finishedHash finishedHash
36 masterSecret []byte
37 cert *Certificate
38 }
39
40
41 func (c *Conn) serverHandshake(ctx context.Context) error {
42 clientHello, err := c.readClientHello(ctx)
43 if err != nil {
44 return err
45 }
46
47 if c.vers == VersionTLS13 {
48 hs := serverHandshakeStateTLS13{
49 c: c,
50 ctx: ctx,
51 clientHello: clientHello,
52 }
53 return hs.handshake()
54 }
55
56 hs := serverHandshakeState{
57 c: c,
58 ctx: ctx,
59 clientHello: clientHello,
60 }
61 return hs.handshake()
62 }
63
64 func (hs *serverHandshakeState) handshake() error {
65 c := hs.c
66
67 if err := hs.processClientHello(); err != nil {
68 return err
69 }
70
71
72 c.buffering = true
73 if hs.checkForResumption() {
74
75 c.didResume = true
76 if err := hs.doResumeHandshake(); err != nil {
77 return err
78 }
79 if err := hs.establishKeys(); err != nil {
80 return err
81 }
82 if err := hs.sendSessionTicket(); err != nil {
83 return err
84 }
85 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
86 return err
87 }
88 if _, err := c.flush(); err != nil {
89 return err
90 }
91 c.clientFinishedIsFirst = false
92 if err := hs.readFinished(nil); err != nil {
93 return err
94 }
95 } else {
96
97
98 if err := hs.pickCipherSuite(); err != nil {
99 return err
100 }
101 if err := hs.doFullHandshake(); err != nil {
102 return err
103 }
104 if err := hs.establishKeys(); err != nil {
105 return err
106 }
107 if err := hs.readFinished(c.clientFinished[:]); err != nil {
108 return err
109 }
110 c.clientFinishedIsFirst = true
111 c.buffering = true
112 if err := hs.sendSessionTicket(); err != nil {
113 return err
114 }
115 if err := hs.sendFinished(nil); err != nil {
116 return err
117 }
118 if _, err := c.flush(); err != nil {
119 return err
120 }
121 }
122
123 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
124 c.isHandshakeComplete.Store(true)
125
126 return nil
127 }
128
129
130 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
131
132
133 msg, err := c.readHandshake(nil)
134 if err != nil {
135 return nil, err
136 }
137 clientHello, ok := msg.(*clientHelloMsg)
138 if !ok {
139 c.sendAlert(alertUnexpectedMessage)
140 return nil, unexpectedMessageError(clientHello, msg)
141 }
142
143 var configForClient *Config
144 originalConfig := c.config
145 if c.config.GetConfigForClient != nil {
146 chi := clientHelloInfo(ctx, c, clientHello)
147 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
148 c.sendAlert(alertInternalError)
149 return nil, err
150 } else if configForClient != nil {
151 c.config = configForClient
152 }
153 }
154 c.ticketKeys = originalConfig.ticketKeys(configForClient)
155
156 clientVersions := clientHello.supportedVersions
157 if len(clientHello.supportedVersions) == 0 {
158 clientVersions = supportedVersionsFromMax(clientHello.vers)
159 }
160 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
161 if !ok {
162 c.sendAlert(alertProtocolVersion)
163 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
164 }
165 c.haveVers = true
166 c.in.version = c.vers
167 c.out.version = c.vers
168
169 return clientHello, nil
170 }
171
172 func (hs *serverHandshakeState) processClientHello() error {
173 c := hs.c
174
175 hs.hello = new(serverHelloMsg)
176 hs.hello.vers = c.vers
177
178 foundCompression := false
179
180 for _, compression := range hs.clientHello.compressionMethods {
181 if compression == compressionNone {
182 foundCompression = true
183 break
184 }
185 }
186
187 if !foundCompression {
188 c.sendAlert(alertHandshakeFailure)
189 return errors.New("tls: client does not support uncompressed connections")
190 }
191
192 hs.hello.random = make([]byte, 32)
193 serverRandom := hs.hello.random
194
195 maxVers := c.config.maxSupportedVersion(roleServer)
196 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
197 if c.vers == VersionTLS12 {
198 copy(serverRandom[24:], downgradeCanaryTLS12)
199 } else {
200 copy(serverRandom[24:], downgradeCanaryTLS11)
201 }
202 serverRandom = serverRandom[:24]
203 }
204 _, err := io.ReadFull(c.config.rand(), serverRandom)
205 if err != nil {
206 c.sendAlert(alertInternalError)
207 return err
208 }
209
210 if len(hs.clientHello.secureRenegotiation) != 0 {
211 c.sendAlert(alertHandshakeFailure)
212 return errors.New("tls: initial handshake had non-empty renegotiation extension")
213 }
214
215 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
216 hs.hello.compressionMethod = compressionNone
217 if len(hs.clientHello.serverName) > 0 {
218 c.serverName = hs.clientHello.serverName
219 }
220
221 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
222 if err != nil {
223 c.sendAlert(alertNoApplicationProtocol)
224 return err
225 }
226 hs.hello.alpnProtocol = selectedProto
227 c.clientProtocol = selectedProto
228
229 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
230 if err != nil {
231 if err == errNoCertificates {
232 c.sendAlert(alertUnrecognizedName)
233 } else {
234 c.sendAlert(alertInternalError)
235 }
236 return err
237 }
238 if hs.clientHello.scts {
239 hs.hello.scts = hs.cert.SignedCertificateTimestamps
240 }
241
242 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
243
244 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
245
246
247
248
249
250 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
251 }
252
253 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
254 switch priv.Public().(type) {
255 case *ecdsa.PublicKey:
256 hs.ecSignOk = true
257 case ed25519.PublicKey:
258 hs.ecSignOk = true
259 case *rsa.PublicKey:
260 hs.rsaSignOk = true
261 default:
262 c.sendAlert(alertInternalError)
263 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
264 }
265 }
266 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
267 switch priv.Public().(type) {
268 case *rsa.PublicKey:
269 hs.rsaDecryptOk = true
270 default:
271 c.sendAlert(alertInternalError)
272 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
273 }
274 }
275
276 return nil
277 }
278
279
280
281
282 func negotiateALPN(serverProtos, clientProtos []string) (string, error) {
283 if len(serverProtos) == 0 || len(clientProtos) == 0 {
284 return "", nil
285 }
286 var http11fallback bool
287 for _, s := range serverProtos {
288 for _, c := range clientProtos {
289 if s == c {
290 return s, nil
291 }
292 if s == "h2" && c == "http/1.1" {
293 http11fallback = true
294 }
295 }
296 }
297
298
299
300
301 if http11fallback {
302 return "", nil
303 }
304 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
305 }
306
307
308
309 func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
310 supportsCurve := false
311 for _, curve := range supportedCurves {
312 if c.supportsCurve(curve) {
313 supportsCurve = true
314 break
315 }
316 }
317
318 supportsPointFormat := false
319 for _, pointFormat := range supportedPoints {
320 if pointFormat == pointFormatUncompressed {
321 supportsPointFormat = true
322 break
323 }
324 }
325
326
327
328
329 if len(supportedPoints) == 0 {
330 supportsPointFormat = true
331 }
332
333 return supportsCurve && supportsPointFormat
334 }
335
336 func (hs *serverHandshakeState) pickCipherSuite() error {
337 c := hs.c
338
339 preferenceOrder := cipherSuitesPreferenceOrder
340 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
341 preferenceOrder = cipherSuitesPreferenceOrderNoAES
342 }
343
344 configCipherSuites := c.config.cipherSuites()
345 preferenceList := make([]uint16, 0, len(configCipherSuites))
346 for _, suiteID := range preferenceOrder {
347 for _, id := range configCipherSuites {
348 if id == suiteID {
349 preferenceList = append(preferenceList, id)
350 break
351 }
352 }
353 }
354
355 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
356 if hs.suite == nil {
357 c.sendAlert(alertHandshakeFailure)
358 return errors.New("tls: no cipher suite supported by both client and server")
359 }
360 c.cipherSuite = hs.suite.id
361
362 for _, id := range hs.clientHello.cipherSuites {
363 if id == TLS_FALLBACK_SCSV {
364
365 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
366 c.sendAlert(alertInappropriateFallback)
367 return errors.New("tls: client using inappropriate protocol fallback")
368 }
369 break
370 }
371 }
372
373 return nil
374 }
375
376 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
377 if c.flags&suiteECDHE != 0 {
378 if !hs.ecdheOk {
379 return false
380 }
381 if c.flags&suiteECSign != 0 {
382 if !hs.ecSignOk {
383 return false
384 }
385 } else if !hs.rsaSignOk {
386 return false
387 }
388 } else if !hs.rsaDecryptOk {
389 return false
390 }
391 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
392 return false
393 }
394 return true
395 }
396
397
398 func (hs *serverHandshakeState) checkForResumption() bool {
399 c := hs.c
400
401 if c.config.SessionTicketsDisabled {
402 return false
403 }
404
405 plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket)
406 if plaintext == nil {
407 return false
408 }
409 hs.sessionState = &sessionState{usedOldKey: usedOldKey}
410 ok := hs.sessionState.unmarshal(plaintext)
411 if !ok {
412 return false
413 }
414
415 createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
416 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
417 return false
418 }
419
420
421 if c.vers != hs.sessionState.vers {
422 return false
423 }
424
425 cipherSuiteOk := false
426
427 for _, id := range hs.clientHello.cipherSuites {
428 if id == hs.sessionState.cipherSuite {
429 cipherSuiteOk = true
430 break
431 }
432 }
433 if !cipherSuiteOk {
434 return false
435 }
436
437
438 hs.suite = selectCipherSuite([]uint16{hs.sessionState.cipherSuite},
439 c.config.cipherSuites(), hs.cipherSuiteOk)
440 if hs.suite == nil {
441 return false
442 }
443
444 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
445 needClientCerts := requiresClientCert(c.config.ClientAuth)
446 if needClientCerts && !sessionHasClientCerts {
447 return false
448 }
449 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
450 return false
451 }
452
453 return true
454 }
455
456 func (hs *serverHandshakeState) doResumeHandshake() error {
457 c := hs.c
458
459 hs.hello.cipherSuite = hs.suite.id
460 c.cipherSuite = hs.suite.id
461
462
463 hs.hello.sessionId = hs.clientHello.sessionId
464 hs.hello.ticketSupported = hs.sessionState.usedOldKey
465 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
466 hs.finishedHash.discardHandshakeBuffer()
467 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
468 return err
469 }
470 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
471 return err
472 }
473
474 if err := c.processCertsFromClient(Certificate{
475 Certificate: hs.sessionState.certificates,
476 }); err != nil {
477 return err
478 }
479
480 if c.config.VerifyConnection != nil {
481 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
482 c.sendAlert(alertBadCertificate)
483 return err
484 }
485 }
486
487 hs.masterSecret = hs.sessionState.masterSecret
488
489 return nil
490 }
491
492 func (hs *serverHandshakeState) doFullHandshake() error {
493 c := hs.c
494
495 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
496 hs.hello.ocspStapling = true
497 }
498
499 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
500 hs.hello.cipherSuite = hs.suite.id
501
502 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
503 if c.config.ClientAuth == NoClientCert {
504
505
506 hs.finishedHash.discardHandshakeBuffer()
507 }
508 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
509 return err
510 }
511 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
512 return err
513 }
514
515 certMsg := new(certificateMsg)
516 certMsg.certificates = hs.cert.Certificate
517 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
518 return err
519 }
520
521 if hs.hello.ocspStapling {
522 certStatus := new(certificateStatusMsg)
523 certStatus.response = hs.cert.OCSPStaple
524 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
525 return err
526 }
527 }
528
529 keyAgreement := hs.suite.ka(c.vers)
530 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
531 if err != nil {
532 c.sendAlert(alertHandshakeFailure)
533 return err
534 }
535 if skx != nil {
536 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
537 return err
538 }
539 }
540
541 var certReq *certificateRequestMsg
542 if c.config.ClientAuth >= RequestClientCert {
543
544 certReq = new(certificateRequestMsg)
545 certReq.certificateTypes = []byte{
546 byte(certTypeRSASign),
547 byte(certTypeECDSASign),
548 }
549 if c.vers >= VersionTLS12 {
550 certReq.hasSignatureAlgorithm = true
551 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
552 }
553
554
555
556
557
558
559 if c.config.ClientCAs != nil {
560 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
561 }
562 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
563 return err
564 }
565 }
566
567 helloDone := new(serverHelloDoneMsg)
568 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
569 return err
570 }
571
572 if _, err := c.flush(); err != nil {
573 return err
574 }
575
576 var pub crypto.PublicKey
577
578 msg, err := c.readHandshake(&hs.finishedHash)
579 if err != nil {
580 return err
581 }
582
583
584
585 if c.config.ClientAuth >= RequestClientCert {
586 certMsg, ok := msg.(*certificateMsg)
587 if !ok {
588 c.sendAlert(alertUnexpectedMessage)
589 return unexpectedMessageError(certMsg, msg)
590 }
591
592 if err := c.processCertsFromClient(Certificate{
593 Certificate: certMsg.certificates,
594 }); err != nil {
595 return err
596 }
597 if len(certMsg.certificates) != 0 {
598 pub = c.peerCertificates[0].PublicKey
599 }
600
601 msg, err = c.readHandshake(&hs.finishedHash)
602 if err != nil {
603 return err
604 }
605 }
606 if c.config.VerifyConnection != nil {
607 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
608 c.sendAlert(alertBadCertificate)
609 return err
610 }
611 }
612
613
614 ckx, ok := msg.(*clientKeyExchangeMsg)
615 if !ok {
616 c.sendAlert(alertUnexpectedMessage)
617 return unexpectedMessageError(ckx, msg)
618 }
619
620 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
621 if err != nil {
622 c.sendAlert(alertHandshakeFailure)
623 return err
624 }
625 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
626 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
627 c.sendAlert(alertInternalError)
628 return err
629 }
630
631
632
633
634
635
636
637 if len(c.peerCertificates) > 0 {
638
639
640
641 msg, err = c.readHandshake(nil)
642 if err != nil {
643 return err
644 }
645 certVerify, ok := msg.(*certificateVerifyMsg)
646 if !ok {
647 c.sendAlert(alertUnexpectedMessage)
648 return unexpectedMessageError(certVerify, msg)
649 }
650
651 var sigType uint8
652 var sigHash crypto.Hash
653 if c.vers >= VersionTLS12 {
654 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
655 c.sendAlert(alertIllegalParameter)
656 return errors.New("tls: client certificate used with invalid signature algorithm")
657 }
658 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
659 if err != nil {
660 return c.sendAlert(alertInternalError)
661 }
662 } else {
663 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
664 if err != nil {
665 c.sendAlert(alertIllegalParameter)
666 return err
667 }
668 }
669
670 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
671 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
672 c.sendAlert(alertDecryptError)
673 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
674 }
675
676 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
677 return err
678 }
679 }
680
681 hs.finishedHash.discardHandshakeBuffer()
682
683 return nil
684 }
685
686 func (hs *serverHandshakeState) establishKeys() error {
687 c := hs.c
688
689 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
690 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
691
692 var clientCipher, serverCipher any
693 var clientHash, serverHash hash.Hash
694
695 if hs.suite.aead == nil {
696 clientCipher = hs.suite.cipher(clientKey, clientIV, true )
697 clientHash = hs.suite.mac(clientMAC)
698 serverCipher = hs.suite.cipher(serverKey, serverIV, false )
699 serverHash = hs.suite.mac(serverMAC)
700 } else {
701 clientCipher = hs.suite.aead(clientKey, clientIV)
702 serverCipher = hs.suite.aead(serverKey, serverIV)
703 }
704
705 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
706 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
707
708 return nil
709 }
710
711 func (hs *serverHandshakeState) readFinished(out []byte) error {
712 c := hs.c
713
714 if err := c.readChangeCipherSpec(); err != nil {
715 return err
716 }
717
718
719
720
721 msg, err := c.readHandshake(nil)
722 if err != nil {
723 return err
724 }
725 clientFinished, ok := msg.(*finishedMsg)
726 if !ok {
727 c.sendAlert(alertUnexpectedMessage)
728 return unexpectedMessageError(clientFinished, msg)
729 }
730
731 verify := hs.finishedHash.clientSum(hs.masterSecret)
732 if len(verify) != len(clientFinished.verifyData) ||
733 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
734 c.sendAlert(alertHandshakeFailure)
735 return errors.New("tls: client's Finished message is incorrect")
736 }
737
738 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
739 return err
740 }
741
742 copy(out, verify)
743 return nil
744 }
745
746 func (hs *serverHandshakeState) sendSessionTicket() error {
747
748
749
750 if !hs.hello.ticketSupported {
751 return nil
752 }
753
754 c := hs.c
755 m := new(newSessionTicketMsg)
756
757 createdAt := uint64(c.config.time().Unix())
758 if hs.sessionState != nil {
759
760
761 createdAt = hs.sessionState.createdAt
762 }
763
764 var certsFromClient [][]byte
765 for _, cert := range c.peerCertificates {
766 certsFromClient = append(certsFromClient, cert.Raw)
767 }
768 state := sessionState{
769 vers: c.vers,
770 cipherSuite: hs.suite.id,
771 createdAt: createdAt,
772 masterSecret: hs.masterSecret,
773 certificates: certsFromClient,
774 }
775 stateBytes, err := state.marshal()
776 if err != nil {
777 return err
778 }
779 m.ticket, err = c.encryptTicket(stateBytes)
780 if err != nil {
781 return err
782 }
783
784 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
785 return err
786 }
787
788 return nil
789 }
790
791 func (hs *serverHandshakeState) sendFinished(out []byte) error {
792 c := hs.c
793
794 if err := c.writeChangeCipherRecord(); err != nil {
795 return err
796 }
797
798 finished := new(finishedMsg)
799 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
800 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
801 return err
802 }
803
804 copy(out, finished.verifyData)
805
806 return nil
807 }
808
809
810
811
812 func (c *Conn) processCertsFromClient(certificate Certificate) error {
813 certificates := certificate.Certificate
814 certs := make([]*x509.Certificate, len(certificates))
815 var err error
816 for i, asn1Data := range certificates {
817 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
818 c.sendAlert(alertBadCertificate)
819 return errors.New("tls: failed to parse client certificate: " + err.Error())
820 }
821 }
822
823 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
824 c.sendAlert(alertBadCertificate)
825 return errors.New("tls: client didn't provide a certificate")
826 }
827
828 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
829 opts := x509.VerifyOptions{
830 Roots: c.config.ClientCAs,
831 CurrentTime: c.config.time(),
832 Intermediates: x509.NewCertPool(),
833 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
834 }
835
836 for _, cert := range certs[1:] {
837 opts.Intermediates.AddCert(cert)
838 }
839
840 chains, err := certs[0].Verify(opts)
841 if err != nil {
842 c.sendAlert(alertBadCertificate)
843 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
844 }
845
846 c.verifiedChains = chains
847 }
848
849 c.peerCertificates = certs
850 c.ocspResponse = certificate.OCSPStaple
851 c.scts = certificate.SignedCertificateTimestamps
852
853 if len(certs) > 0 {
854 switch certs[0].PublicKey.(type) {
855 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
856 default:
857 c.sendAlert(alertUnsupportedCertificate)
858 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
859 }
860 }
861
862 if c.config.VerifyPeerCertificate != nil {
863 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
864 c.sendAlert(alertBadCertificate)
865 return err
866 }
867 }
868
869 return nil
870 }
871
872 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
873 supportedVersions := clientHello.supportedVersions
874 if len(clientHello.supportedVersions) == 0 {
875 supportedVersions = supportedVersionsFromMax(clientHello.vers)
876 }
877
878 return &ClientHelloInfo{
879 CipherSuites: clientHello.cipherSuites,
880 ServerName: clientHello.serverName,
881 SupportedCurves: clientHello.supportedCurves,
882 SupportedPoints: clientHello.supportedPoints,
883 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
884 SupportedProtos: clientHello.alpnProtocols,
885 SupportedVersions: supportedVersions,
886 Conn: c.conn,
887 config: c.config,
888 ctx: ctx,
889 }
890 }
891
View as plain text