github.com/Hyperledger-TWGC/tjfoc-gm@v1.4.0/gmtls/handshake_client.go (about) 1 /* 2 Copyright Suzhou Tongji Fintech Research Institute 2017 All Rights Reserved. 3 Licensed under the Apache License, Version 2.0 (the "License"); 4 you may not use this file except in compliance with the License. 5 You may obtain a copy of the License at 6 7 http://www.apache.org/licenses/LICENSE-2.0 8 9 Unless required by applicable law or agreed to in writing, software 10 distributed under the License is distributed on an "AS IS" BASIS, 11 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 See the License for the specific language governing permissions and 13 limitations under the License. 14 */ 15 16 package gmtls 17 18 import ( 19 "bytes" 20 "crypto" 21 "crypto/ecdsa" 22 "crypto/rsa" 23 "crypto/subtle" 24 "errors" 25 "fmt" 26 "io" 27 "net" 28 "strconv" 29 "strings" 30 "sync/atomic" 31 32 "github.com/Hyperledger-TWGC/tjfoc-gm/x509" 33 ) 34 35 type clientHandshakeState struct { 36 c *Conn 37 serverHello *serverHelloMsg 38 hello *clientHelloMsg 39 suite *cipherSuite 40 finishedHash finishedHash 41 masterSecret []byte 42 session *ClientSessionState 43 } 44 45 func makeClientHello(config *Config) (*clientHelloMsg, error) { 46 if len(config.ServerName) == 0 && !config.InsecureSkipVerify { 47 return nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") 48 } 49 50 nextProtosLength := 0 51 for _, proto := range config.NextProtos { 52 if l := len(proto); l == 0 || l > 255 { 53 return nil, errors.New("tls: invalid NextProtos value") 54 } else { 55 nextProtosLength += 1 + l 56 } 57 } 58 59 if nextProtosLength > 0xffff { 60 return nil, errors.New("tls: NextProtos values too large") 61 } 62 63 hello := &clientHelloMsg{ 64 vers: config.maxVersion(), 65 compressionMethods: []uint8{compressionNone}, 66 random: make([]byte, 32), 67 ocspStapling: true, 68 scts: true, 69 serverName: hostnameInSNI(config.ServerName), 70 supportedCurves: config.curvePreferences(), 71 supportedPoints: []uint8{pointFormatUncompressed}, 72 nextProtoNeg: len(config.NextProtos) > 0, 73 secureRenegotiationSupported: true, 74 alpnProtocols: config.NextProtos, 75 } 76 possibleCipherSuites := config.cipherSuites() 77 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites)) 78 79 NextCipherSuite: 80 for _, suiteId := range possibleCipherSuites { 81 for _, suite := range cipherSuites { 82 if suite.id != suiteId { 83 continue 84 } 85 // Don't advertise TLS 1.2-only cipher suites unless 86 // we're attempting TLS 1.2. 87 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 { 88 continue 89 } 90 hello.cipherSuites = append(hello.cipherSuites, suiteId) 91 continue NextCipherSuite 92 } 93 } 94 95 _, err := io.ReadFull(config.rand(), hello.random) 96 if err != nil { 97 return nil, errors.New("tls: short read from Rand: " + err.Error()) 98 } 99 100 if hello.vers >= VersionTLS12 { 101 hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms 102 } 103 104 return hello, nil 105 } 106 107 func (c *Conn) clientHandshake() error { 108 if c.config == nil { 109 c.config = defaultConfig() 110 } 111 112 // This may be a renegotiation handshake, in which case some fields 113 // need to be reset. 114 c.didResume = false 115 116 var hello *clientHelloMsg 117 var err error 118 if c.config.GMSupport != nil { 119 c.vers = VersionGMSSL 120 hello, err = makeClientHelloGM(c.config) 121 } else { 122 hello, err = makeClientHello(c.config) 123 } 124 if err != nil { 125 return err 126 } 127 128 if c.handshakes > 0 { 129 hello.secureRenegotiation = c.clientFinished[:] 130 } 131 132 var session *ClientSessionState 133 var cacheKey string 134 sessionCache := c.config.ClientSessionCache 135 if c.config.SessionTicketsDisabled { 136 sessionCache = nil 137 } 138 139 if sessionCache != nil { 140 hello.ticketSupported = true 141 } 142 143 // Session resumption is not allowed if renegotiating because 144 // renegotiation is primarily used to allow a client to send a client 145 // certificate, which would be skipped if session resumption occurred. 146 if sessionCache != nil && c.handshakes == 0 { 147 // Try to resume a previously negotiated TLS session, if 148 // available. 149 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 150 candidateSession, ok := sessionCache.Get(cacheKey) 151 if ok { 152 // Check that the ciphersuite/version used for the 153 // previous session are still valid. 154 cipherSuiteOk := false 155 for _, id := range hello.cipherSuites { 156 if id == candidateSession.cipherSuite { 157 cipherSuiteOk = true 158 break 159 } 160 } 161 162 versOk := candidateSession.vers >= c.config.minVersion() && 163 candidateSession.vers <= c.config.maxVersion() 164 if versOk && cipherSuiteOk { 165 session = candidateSession 166 } 167 } 168 } 169 170 if session != nil { 171 hello.sessionTicket = session.sessionTicket 172 // A random session ID is used to detect when the 173 // server accepted the ticket and is resuming a session 174 // (see RFC 5077). 175 hello.sessionId = make([]byte, 16) 176 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil { 177 return errors.New("tls: short read from Rand: " + err.Error()) 178 } 179 } 180 181 if c.config.GMSupport != nil { 182 hs := &clientHandshakeStateGM{ 183 c: c, 184 hello: hello, 185 session: session, 186 } 187 if err = hs.handshake(); err != nil { 188 return err 189 } 190 // If we had a successful handshake and hs.session is different from 191 // the one already cached - cache a new one 192 if sessionCache != nil && hs.session != nil && session != hs.session { 193 sessionCache.Put(cacheKey, hs.session) 194 } 195 } else { 196 hs := &clientHandshakeState{ 197 c: c, 198 hello: hello, 199 session: session, 200 } 201 if err = hs.handshake(); err != nil { 202 return err 203 } 204 // If we had a successful handshake and hs.session is different from 205 // the one already cached - cache a new one 206 if sessionCache != nil && hs.session != nil && session != hs.session { 207 sessionCache.Put(cacheKey, hs.session) 208 } 209 } 210 211 return nil 212 } 213 214 // Does the handshake, either a full one or resumes old session. 215 // Requires hs.c, hs.hello, and, optionally, hs.session to be set. 216 func (hs *clientHandshakeState) handshake() error { 217 c := hs.c 218 219 // send ClientHello 220 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 221 return err 222 } 223 224 msg, err := c.readHandshake() 225 if err != nil { 226 return err 227 } 228 229 var ok bool 230 if hs.serverHello, ok = msg.(*serverHelloMsg); !ok { 231 c.sendAlert(alertUnexpectedMessage) 232 return unexpectedMessageError(hs.serverHello, msg) 233 } 234 235 if err = hs.pickTLSVersion(); err != nil { 236 return err 237 } 238 239 if err = hs.pickCipherSuite(); err != nil { 240 return err 241 } 242 243 isResume, err := hs.processServerHello() 244 if err != nil { 245 return err 246 } 247 248 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 249 250 // No signatures of the handshake are needed in a resumption. 251 // Otherwise, in a full handshake, if we don't have any certificates 252 // configured then we will never send a CertificateVerify message and 253 // thus no signatures are needed in that case either. 254 if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) { 255 hs.finishedHash.discardHandshakeBuffer() 256 } 257 258 hs.finishedHash.Write(hs.hello.marshal()) 259 hs.finishedHash.Write(hs.serverHello.marshal()) 260 261 c.buffering = true 262 if isResume { 263 if err := hs.establishKeys(); err != nil { 264 return err 265 } 266 if err := hs.readSessionTicket(); err != nil { 267 return err 268 } 269 if err := hs.readFinished(c.serverFinished[:]); err != nil { 270 return err 271 } 272 c.clientFinishedIsFirst = false 273 if err := hs.sendFinished(c.clientFinished[:]); err != nil { 274 return err 275 } 276 if _, err := c.flush(); err != nil { 277 return err 278 } 279 } else { 280 if err := hs.doFullHandshake(); err != nil { 281 return err 282 } 283 if err := hs.establishKeys(); err != nil { 284 return err 285 } 286 if err := hs.sendFinished(c.clientFinished[:]); err != nil { 287 return err 288 } 289 if _, err := c.flush(); err != nil { 290 return err 291 } 292 c.clientFinishedIsFirst = true 293 if err := hs.readSessionTicket(); err != nil { 294 return err 295 } 296 if err := hs.readFinished(c.serverFinished[:]); err != nil { 297 return err 298 } 299 } 300 301 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random) 302 c.didResume = isResume 303 atomic.StoreUint32(&c.handshakeStatus, 1) 304 305 return nil 306 } 307 308 func (hs *clientHandshakeState) pickTLSVersion() error { 309 vers, ok := hs.c.config.mutualVersion(hs.serverHello.vers) 310 if !ok || vers < VersionTLS10 { 311 // TLS 1.0 is the minimum version supported as a client. 312 hs.c.sendAlert(alertProtocolVersion) 313 return fmt.Errorf("tls: server selected unsupported protocol version %x", hs.serverHello.vers) 314 } 315 316 hs.c.vers = vers 317 hs.c.haveVers = true 318 319 return nil 320 } 321 322 func (hs *clientHandshakeState) pickCipherSuite() error { 323 if hs.suite = mutualCipherSuite(hs.hello.cipherSuites, hs.serverHello.cipherSuite); hs.suite == nil { 324 hs.c.sendAlert(alertHandshakeFailure) 325 return errors.New("tls: server chose an unconfigured cipher suite") 326 } 327 328 hs.c.cipherSuite = hs.suite.id 329 return nil 330 } 331 332 func (hs *clientHandshakeState) doFullHandshake() error { 333 c := hs.c 334 335 msg, err := c.readHandshake() 336 if err != nil { 337 return err 338 } 339 certMsg, ok := msg.(*certificateMsg) 340 if !ok || len(certMsg.certificates) == 0 { 341 c.sendAlert(alertUnexpectedMessage) 342 return unexpectedMessageError(certMsg, msg) 343 } 344 hs.finishedHash.Write(certMsg.marshal()) 345 346 if c.handshakes == 0 { 347 // If this is the first handshake on a connection, process and 348 // (optionally) verify the server's certificates. 349 certs := make([]*x509.Certificate, len(certMsg.certificates)) 350 for i, asn1Data := range certMsg.certificates { 351 cert, err := x509.ParseCertificate(asn1Data) 352 if err != nil { 353 c.sendAlert(alertBadCertificate) 354 return errors.New("tls: failed to parse certificate from server: " + err.Error()) 355 } 356 certs[i] = cert 357 } 358 359 if !c.config.InsecureSkipVerify { 360 opts := x509.VerifyOptions{ 361 Roots: c.config.RootCAs, 362 CurrentTime: c.config.time(), 363 DNSName: c.config.ServerName, 364 Intermediates: x509.NewCertPool(), 365 } 366 367 for i, cert := range certs { 368 if i == 0 { 369 continue 370 } 371 opts.Intermediates.AddCert(cert) 372 } 373 c.verifiedChains, err = certs[0].Verify(opts) 374 if err != nil { 375 c.sendAlert(alertBadCertificate) 376 return err 377 } 378 } 379 380 if c.config.VerifyPeerCertificate != nil { 381 if err := c.config.VerifyPeerCertificate(certMsg.certificates, c.verifiedChains); err != nil { 382 c.sendAlert(alertBadCertificate) 383 return err 384 } 385 } 386 387 switch certs[0].PublicKey.(type) { 388 case *rsa.PublicKey, *ecdsa.PublicKey: 389 break 390 default: 391 c.sendAlert(alertUnsupportedCertificate) 392 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey) 393 } 394 395 c.peerCertificates = certs 396 } else { 397 // This is a renegotiation handshake. We require that the 398 // server's identity (i.e. leaf certificate) is unchanged and 399 // thus any previous trust decision is still valid. 400 // 401 // See https://mitls.org/pages/attacks/3SHAKE for the 402 // motivation behind this requirement. 403 if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) { 404 c.sendAlert(alertBadCertificate) 405 return errors.New("tls: server's identity changed during renegotiation") 406 } 407 } 408 409 msg, err = c.readHandshake() 410 if err != nil { 411 return err 412 } 413 414 cs, ok := msg.(*certificateStatusMsg) 415 if ok { 416 // RFC4366 on Certificate Status Request: 417 // The server MAY return a "certificate_status" message. 418 419 if !hs.serverHello.ocspStapling { 420 // If a server returns a "CertificateStatus" message, then the 421 // server MUST have included an extension of type "status_request" 422 // with empty "extension_data" in the extended server hello. 423 424 c.sendAlert(alertUnexpectedMessage) 425 return errors.New("tls: received unexpected CertificateStatus message") 426 } 427 hs.finishedHash.Write(cs.marshal()) 428 429 if cs.statusType == statusTypeOCSP { 430 c.ocspResponse = cs.response 431 } 432 433 msg, err = c.readHandshake() 434 if err != nil { 435 return err 436 } 437 } 438 439 keyAgreement := hs.suite.ka(c.vers) 440 441 skx, ok := msg.(*serverKeyExchangeMsg) 442 if ok { 443 hs.finishedHash.Write(skx.marshal()) 444 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx) 445 if err != nil { 446 c.sendAlert(alertUnexpectedMessage) 447 return err 448 } 449 450 msg, err = c.readHandshake() 451 if err != nil { 452 return err 453 } 454 } 455 456 var chainToSend *Certificate 457 var certRequested bool 458 certReq, ok := msg.(*certificateRequestMsg) 459 if ok { 460 certRequested = true 461 hs.finishedHash.Write(certReq.marshal()) 462 463 if chainToSend, err = hs.getCertificate(certReq); err != nil { 464 c.sendAlert(alertInternalError) 465 return err 466 } 467 468 msg, err = c.readHandshake() 469 if err != nil { 470 return err 471 } 472 } 473 474 shd, ok := msg.(*serverHelloDoneMsg) 475 if !ok { 476 c.sendAlert(alertUnexpectedMessage) 477 return unexpectedMessageError(shd, msg) 478 } 479 hs.finishedHash.Write(shd.marshal()) 480 481 // If the server requested a certificate then we have to send a 482 // Certificate message, even if it's empty because we don't have a 483 // certificate to send. 484 if certRequested { 485 certMsg = new(certificateMsg) 486 certMsg.certificates = chainToSend.Certificate 487 hs.finishedHash.Write(certMsg.marshal()) 488 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 489 return err 490 } 491 } 492 493 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, c.peerCertificates[0]) 494 if err != nil { 495 c.sendAlert(alertInternalError) 496 return err 497 } 498 if ckx != nil { 499 hs.finishedHash.Write(ckx.marshal()) 500 if _, err := c.writeRecord(recordTypeHandshake, ckx.marshal()); err != nil { 501 return err 502 } 503 } 504 505 if chainToSend != nil && len(chainToSend.Certificate) > 0 { 506 certVerify := &certificateVerifyMsg{ 507 hasSignatureAndHash: c.vers >= VersionTLS12, 508 } 509 510 key, ok := chainToSend.PrivateKey.(crypto.Signer) 511 if !ok { 512 c.sendAlert(alertInternalError) 513 return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey) 514 } 515 516 signatureAlgorithm, sigType, hashFunc, err := pickSignatureAlgorithm(key.Public(), certReq.supportedSignatureAlgorithms, hs.hello.supportedSignatureAlgorithms, c.vers) 517 if err != nil { 518 c.sendAlert(alertInternalError) 519 return err 520 } 521 // SignatureAndHashAlgorithm was introduced in TLS 1.2. 522 if certVerify.hasSignatureAndHash { 523 certVerify.signatureAlgorithm = signatureAlgorithm 524 } 525 digest, err := hs.finishedHash.hashForClientCertificate(sigType, hashFunc, hs.masterSecret) 526 if err != nil { 527 c.sendAlert(alertInternalError) 528 return err 529 } 530 signOpts := crypto.SignerOpts(hashFunc) 531 if sigType == signatureRSAPSS { 532 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: hashFunc} 533 } 534 certVerify.signature, err = key.Sign(c.config.rand(), digest, signOpts) 535 if err != nil { 536 c.sendAlert(alertInternalError) 537 return err 538 } 539 540 hs.finishedHash.Write(certVerify.marshal()) 541 if _, err := c.writeRecord(recordTypeHandshake, certVerify.marshal()); err != nil { 542 return err 543 } 544 } 545 546 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) 547 if err := c.config.writeKeyLog(hs.hello.random, hs.masterSecret); err != nil { 548 c.sendAlert(alertInternalError) 549 return errors.New("tls: failed to write to key log: " + err.Error()) 550 } 551 552 hs.finishedHash.discardHandshakeBuffer() 553 554 return nil 555 } 556 557 func (hs *clientHandshakeState) establishKeys() error { 558 c := hs.c 559 560 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 561 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 562 var clientCipher, serverCipher interface{} 563 var clientHash, serverHash macFunction 564 if hs.suite.cipher != nil { 565 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) 566 clientHash = hs.suite.mac(c.vers, clientMAC) 567 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) 568 serverHash = hs.suite.mac(c.vers, serverMAC) 569 } else { 570 clientCipher = hs.suite.aead(clientKey, clientIV) 571 serverCipher = hs.suite.aead(serverKey, serverIV) 572 } 573 574 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash) 575 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash) 576 return nil 577 } 578 579 func (hs *clientHandshakeState) serverResumedSession() bool { 580 // If the server responded with the same sessionId then it means the 581 // sessionTicket is being used to resume a TLS session. 582 return hs.session != nil && hs.hello.sessionId != nil && 583 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId) 584 } 585 586 func (hs *clientHandshakeState) processServerHello() (bool, error) { 587 c := hs.c 588 589 if hs.serverHello.compressionMethod != compressionNone { 590 c.sendAlert(alertUnexpectedMessage) 591 return false, errors.New("tls: server selected unsupported compression format") 592 } 593 594 if c.handshakes == 0 && hs.serverHello.secureRenegotiationSupported { 595 c.secureRenegotiation = true 596 if len(hs.serverHello.secureRenegotiation) != 0 { 597 c.sendAlert(alertHandshakeFailure) 598 return false, errors.New("tls: initial handshake had non-empty renegotiation extension") 599 } 600 } 601 602 if c.handshakes > 0 && c.secureRenegotiation { 603 var expectedSecureRenegotiation [24]byte 604 copy(expectedSecureRenegotiation[:], c.clientFinished[:]) 605 copy(expectedSecureRenegotiation[12:], c.serverFinished[:]) 606 if !bytes.Equal(hs.serverHello.secureRenegotiation, expectedSecureRenegotiation[:]) { 607 c.sendAlert(alertHandshakeFailure) 608 return false, errors.New("tls: incorrect renegotiation extension contents") 609 } 610 } 611 612 clientDidNPN := hs.hello.nextProtoNeg 613 clientDidALPN := len(hs.hello.alpnProtocols) > 0 614 serverHasNPN := hs.serverHello.nextProtoNeg 615 serverHasALPN := len(hs.serverHello.alpnProtocol) > 0 616 617 if !clientDidNPN && serverHasNPN { 618 c.sendAlert(alertHandshakeFailure) 619 return false, errors.New("tls: server advertised unrequested NPN extension") 620 } 621 622 if !clientDidALPN && serverHasALPN { 623 c.sendAlert(alertHandshakeFailure) 624 return false, errors.New("tls: server advertised unrequested ALPN extension") 625 } 626 627 if serverHasNPN && serverHasALPN { 628 c.sendAlert(alertHandshakeFailure) 629 return false, errors.New("tls: server advertised both NPN and ALPN extensions") 630 } 631 632 if serverHasALPN { 633 c.clientProtocol = hs.serverHello.alpnProtocol 634 c.clientProtocolFallback = false 635 } 636 c.scts = hs.serverHello.scts 637 638 if !hs.serverResumedSession() { 639 return false, nil 640 } 641 642 if hs.session.vers != c.vers { 643 c.sendAlert(alertHandshakeFailure) 644 return false, errors.New("tls: server resumed a session with a different version") 645 } 646 647 if hs.session.cipherSuite != hs.suite.id { 648 c.sendAlert(alertHandshakeFailure) 649 return false, errors.New("tls: server resumed a session with a different cipher suite") 650 } 651 652 // Restore masterSecret and peerCerts from previous state 653 hs.masterSecret = hs.session.masterSecret 654 c.peerCertificates = hs.session.serverCertificates 655 c.verifiedChains = hs.session.verifiedChains 656 return true, nil 657 } 658 659 func (hs *clientHandshakeState) readFinished(out []byte) error { 660 c := hs.c 661 662 c.readRecord(recordTypeChangeCipherSpec) 663 if c.in.err != nil { 664 return c.in.err 665 } 666 667 msg, err := c.readHandshake() 668 if err != nil { 669 return err 670 } 671 serverFinished, ok := msg.(*finishedMsg) 672 if !ok { 673 c.sendAlert(alertUnexpectedMessage) 674 return unexpectedMessageError(serverFinished, msg) 675 } 676 677 verify := hs.finishedHash.serverSum(hs.masterSecret) 678 if len(verify) != len(serverFinished.verifyData) || 679 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { 680 c.sendAlert(alertHandshakeFailure) 681 return errors.New("tls: server's Finished message was incorrect") 682 } 683 hs.finishedHash.Write(serverFinished.marshal()) 684 copy(out, verify) 685 return nil 686 } 687 688 func (hs *clientHandshakeState) readSessionTicket() error { 689 if !hs.serverHello.ticketSupported { 690 return nil 691 } 692 693 c := hs.c 694 msg, err := c.readHandshake() 695 if err != nil { 696 return err 697 } 698 sessionTicketMsg, ok := msg.(*newSessionTicketMsg) 699 if !ok { 700 c.sendAlert(alertUnexpectedMessage) 701 return unexpectedMessageError(sessionTicketMsg, msg) 702 } 703 hs.finishedHash.Write(sessionTicketMsg.marshal()) 704 705 hs.session = &ClientSessionState{ 706 sessionTicket: sessionTicketMsg.ticket, 707 vers: c.vers, 708 cipherSuite: hs.suite.id, 709 masterSecret: hs.masterSecret, 710 serverCertificates: c.peerCertificates, 711 verifiedChains: c.verifiedChains, 712 } 713 714 return nil 715 } 716 717 func (hs *clientHandshakeState) sendFinished(out []byte) error { 718 c := hs.c 719 720 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { 721 return err 722 } 723 if hs.serverHello.nextProtoNeg { 724 nextProto := new(nextProtoMsg) 725 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos) 726 nextProto.proto = proto 727 c.clientProtocol = proto 728 c.clientProtocolFallback = fallback 729 730 hs.finishedHash.Write(nextProto.marshal()) 731 if _, err := c.writeRecord(recordTypeHandshake, nextProto.marshal()); err != nil { 732 return err 733 } 734 } 735 736 finished := new(finishedMsg) 737 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) 738 hs.finishedHash.Write(finished.marshal()) 739 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 740 return err 741 } 742 copy(out, finished.verifyData) 743 return nil 744 } 745 746 // tls11SignatureSchemes contains the signature schemes that we synthesise for 747 // a TLS <= 1.1 connection, based on the supported certificate types. 748 var tls11SignatureSchemes = []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1} 749 750 const ( 751 // tls11SignatureSchemesNumECDSA is the number of initial elements of 752 // tls11SignatureSchemes that use ECDSA. 753 tls11SignatureSchemesNumECDSA = 3 754 // tls11SignatureSchemesNumRSA is the number of trailing elements of 755 // tls11SignatureSchemes that use RSA. 756 tls11SignatureSchemesNumRSA = 4 757 ) 758 759 func (hs *clientHandshakeState) getCertificate(certReq *certificateRequestMsg) (*Certificate, error) { 760 c := hs.c 761 762 var rsaAvail, ecdsaAvail bool 763 for _, certType := range certReq.certificateTypes { 764 switch certType { 765 case certTypeRSASign: 766 rsaAvail = true 767 case certTypeECDSASign: 768 ecdsaAvail = true 769 } 770 } 771 772 if c.config.GetClientCertificate != nil { 773 var signatureSchemes []SignatureScheme 774 775 if !certReq.hasSignatureAndHash { 776 // Prior to TLS 1.2, the signature schemes were not 777 // included in the certificate request message. In this 778 // case we use a plausible list based on the acceptable 779 // certificate types. 780 signatureSchemes = tls11SignatureSchemes 781 if !ecdsaAvail { 782 signatureSchemes = signatureSchemes[tls11SignatureSchemesNumECDSA:] 783 } 784 if !rsaAvail { 785 signatureSchemes = signatureSchemes[:len(signatureSchemes)-tls11SignatureSchemesNumRSA] 786 } 787 } else { 788 signatureSchemes = certReq.supportedSignatureAlgorithms 789 } 790 791 return c.config.GetClientCertificate(&CertificateRequestInfo{ 792 AcceptableCAs: certReq.certificateAuthorities, 793 SignatureSchemes: signatureSchemes, 794 }) 795 } 796 797 // RFC 4346 on the certificateAuthorities field: A list of the 798 // distinguished names of acceptable certificate authorities. 799 // These distinguished names may specify a desired 800 // distinguished name for a root CA or for a subordinate CA; 801 // thus, this message can be used to describe both known roots 802 // and a desired authorization space. If the 803 // certificate_authorities list is empty then the client MAY 804 // send any certificate of the appropriate 805 // ClientCertificateType, unless there is some external 806 // arrangement to the contrary. 807 808 // We need to search our list of client certs for one 809 // where SignatureAlgorithm is acceptable to the server and the 810 // Issuer is in certReq.certificateAuthorities 811 findCert: 812 for i, chain := range c.config.Certificates { 813 if !rsaAvail && !ecdsaAvail { 814 continue 815 } 816 817 for j, cert := range chain.Certificate { 818 x509Cert := chain.Leaf 819 // parse the certificate if this isn't the leaf 820 // node, or if chain.Leaf was nil 821 if j != 0 || x509Cert == nil { 822 var err error 823 if x509Cert, err = x509.ParseCertificate(cert); err != nil { 824 c.sendAlert(alertInternalError) 825 return nil, errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error()) 826 } 827 } 828 829 switch { 830 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA: 831 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA: 832 default: 833 continue findCert 834 } 835 836 if len(certReq.certificateAuthorities) == 0 { 837 // they gave us an empty list, so just take the 838 // first cert from c.config.Certificates 839 return &chain, nil 840 } 841 842 for _, ca := range certReq.certificateAuthorities { 843 if bytes.Equal(x509Cert.RawIssuer, ca) { 844 return &chain, nil 845 } 846 } 847 } 848 } 849 850 // No acceptable certificate found. Don't send a certificate. 851 return new(Certificate), nil 852 } 853 854 // clientSessionCacheKey returns a key used to cache sessionTickets that could 855 // be used to resume previously negotiated TLS sessions with a server. 856 func clientSessionCacheKey(serverAddr net.Addr, config *Config) string { 857 if len(config.ServerName) > 0 { 858 return config.ServerName 859 } 860 return serverAddr.String() 861 } 862 863 // mutualProtocol finds the mutual Next Protocol Negotiation or ALPN protocol 864 // given list of possible protocols and a list of the preference order. The 865 // first list must not be empty. It returns the resulting protocol and flag 866 // indicating if the fallback case was reached. 867 func mutualProtocol(protos, preferenceProtos []string) (string, bool) { 868 for _, s := range preferenceProtos { 869 for _, c := range protos { 870 if s == c { 871 return s, false 872 } 873 } 874 } 875 876 return protos[0], true 877 } 878 879 // hostnameInSNI converts name into an approriate hostname for SNI. 880 // Literal IP addresses and absolute FQDNs are not permitted as SNI values. 881 // See https://tools.ietf.org/html/rfc6066#section-3. 882 func hostnameInSNI(name string) string { 883 host := name 884 if len(host) > 0 && host[0] == '[' && host[len(host)-1] == ']' { 885 host = host[1 : len(host)-1] 886 } 887 if i := strings.LastIndex(host, "%"); i > 0 { 888 host = host[:i] 889 } 890 if net.ParseIP(host) != nil { 891 return "" 892 } 893 for len(name) > 0 && name[len(name)-1] == '.' { 894 name = name[:len(name)-1] 895 } 896 return name 897 }