github.com/dorkamotorka/go/src@v0.0.0-20230614113921-187095f0e316/crypto/tls/handshake_server.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "context" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/rsa" 13 "crypto/subtle" 14 "crypto/x509" 15 "errors" 16 "fmt" 17 "hash" 18 "io" 19 "time" 20 ) 21 22 // serverHandshakeState contains details of a server handshake in progress. 23 // It's discarded once the handshake has completed. 24 type serverHandshakeState struct { 25 c *Conn 26 ctx context.Context 27 clientHello *clientHelloMsg 28 hello *serverHelloMsg 29 suite *cipherSuite 30 ecdheOk bool 31 ecSignOk bool 32 rsaDecryptOk bool 33 rsaSignOk bool 34 sessionState *SessionState 35 finishedHash finishedHash 36 masterSecret []byte 37 cert *Certificate 38 } 39 40 // serverHandshake performs a TLS handshake as a server. 41 func (c *Conn) serverHandshake(ctx context.Context) error { 42 clientHello, err := c.readClientHello(ctx) 43 if err != nil { 44 return err 45 } 46 47 if c.vers == VersionTLS13 { 48 hs := serverHandshakeStateTLS13{ 49 c: c, 50 ctx: ctx, 51 clientHello: clientHello, 52 } 53 return hs.handshake() 54 } 55 56 hs := serverHandshakeState{ 57 c: c, 58 ctx: ctx, 59 clientHello: clientHello, 60 } 61 return hs.handshake() 62 } 63 64 func (hs *serverHandshakeState) handshake() error { 65 c := hs.c 66 67 if err := hs.processClientHello(); err != nil { 68 return err 69 } 70 71 // For an overview of TLS handshaking, see RFC 5246, Section 7.3. 72 c.buffering = true 73 if err := hs.checkForResumption(); err != nil { 74 return err 75 } 76 if hs.sessionState != nil { 77 // The client has included a session ticket and so we do an abbreviated handshake. 78 if err := hs.doResumeHandshake(); err != nil { 79 return err 80 } 81 if err := hs.establishKeys(); err != nil { 82 return err 83 } 84 if err := hs.sendSessionTicket(); err != nil { 85 return err 86 } 87 if err := hs.sendFinished(c.serverFinished[:]); err != nil { 88 return err 89 } 90 if _, err := c.flush(); err != nil { 91 return err 92 } 93 c.clientFinishedIsFirst = false 94 if err := hs.readFinished(nil); err != nil { 95 return err 96 } 97 } else { 98 // The client didn't include a session ticket, or it wasn't 99 // valid so we do a full handshake. 100 if err := hs.pickCipherSuite(); err != nil { 101 return err 102 } 103 if err := hs.doFullHandshake(); err != nil { 104 return err 105 } 106 if err := hs.establishKeys(); err != nil { 107 return err 108 } 109 if err := hs.readFinished(c.clientFinished[:]); err != nil { 110 return err 111 } 112 c.clientFinishedIsFirst = true 113 c.buffering = true 114 if err := hs.sendSessionTicket(); err != nil { 115 return err 116 } 117 if err := hs.sendFinished(nil); err != nil { 118 return err 119 } 120 if _, err := c.flush(); err != nil { 121 return err 122 } 123 } 124 125 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random) 126 c.isHandshakeComplete.Store(true) 127 128 return nil 129 } 130 131 // readClientHello reads a ClientHello message and selects the protocol version. 132 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { 133 // clientHelloMsg is included in the transcript, but we haven't initialized 134 // it yet. The respective handshake functions will record it themselves. 135 msg, err := c.readHandshake(nil) 136 if err != nil { 137 return nil, err 138 } 139 clientHello, ok := msg.(*clientHelloMsg) 140 if !ok { 141 c.sendAlert(alertUnexpectedMessage) 142 return nil, unexpectedMessageError(clientHello, msg) 143 } 144 145 var configForClient *Config 146 originalConfig := c.config 147 if c.config.GetConfigForClient != nil { 148 chi := clientHelloInfo(ctx, c, clientHello) 149 if configForClient, err = c.config.GetConfigForClient(chi); err != nil { 150 c.sendAlert(alertInternalError) 151 return nil, err 152 } else if configForClient != nil { 153 c.config = configForClient 154 } 155 } 156 c.ticketKeys = originalConfig.ticketKeys(configForClient) 157 158 clientVersions := clientHello.supportedVersions 159 if len(clientHello.supportedVersions) == 0 { 160 clientVersions = supportedVersionsFromMax(clientHello.vers) 161 } 162 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions) 163 if !ok { 164 c.sendAlert(alertProtocolVersion) 165 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions) 166 } 167 c.haveVers = true 168 c.in.version = c.vers 169 c.out.version = c.vers 170 171 return clientHello, nil 172 } 173 174 func (hs *serverHandshakeState) processClientHello() error { 175 c := hs.c 176 177 hs.hello = new(serverHelloMsg) 178 hs.hello.vers = c.vers 179 180 foundCompression := false 181 // We only support null compression, so check that the client offered it. 182 for _, compression := range hs.clientHello.compressionMethods { 183 if compression == compressionNone { 184 foundCompression = true 185 break 186 } 187 } 188 189 if !foundCompression { 190 c.sendAlert(alertHandshakeFailure) 191 return errors.New("tls: client does not support uncompressed connections") 192 } 193 194 hs.hello.random = make([]byte, 32) 195 serverRandom := hs.hello.random 196 // Downgrade protection canaries. See RFC 8446, Section 4.1.3. 197 maxVers := c.config.maxSupportedVersion(roleServer) 198 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary { 199 if c.vers == VersionTLS12 { 200 copy(serverRandom[24:], downgradeCanaryTLS12) 201 } else { 202 copy(serverRandom[24:], downgradeCanaryTLS11) 203 } 204 serverRandom = serverRandom[:24] 205 } 206 _, err := io.ReadFull(c.config.rand(), serverRandom) 207 if err != nil { 208 c.sendAlert(alertInternalError) 209 return err 210 } 211 212 if len(hs.clientHello.secureRenegotiation) != 0 { 213 c.sendAlert(alertHandshakeFailure) 214 return errors.New("tls: initial handshake had non-empty renegotiation extension") 215 } 216 217 hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret 218 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported 219 hs.hello.compressionMethod = compressionNone 220 if len(hs.clientHello.serverName) > 0 { 221 c.serverName = hs.clientHello.serverName 222 } 223 224 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false) 225 if err != nil { 226 c.sendAlert(alertNoApplicationProtocol) 227 return err 228 } 229 hs.hello.alpnProtocol = selectedProto 230 c.clientProtocol = selectedProto 231 232 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello)) 233 if err != nil { 234 if err == errNoCertificates { 235 c.sendAlert(alertUnrecognizedName) 236 } else { 237 c.sendAlert(alertInternalError) 238 } 239 return err 240 } 241 if hs.clientHello.scts { 242 hs.hello.scts = hs.cert.SignedCertificateTimestamps 243 } 244 245 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints) 246 247 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 { 248 // Although omitting the ec_point_formats extension is permitted, some 249 // old OpenSSL version will refuse to handshake if not present. 250 // 251 // Per RFC 4492, section 5.1.2, implementations MUST support the 252 // uncompressed point format. See golang.org/issue/31943. 253 hs.hello.supportedPoints = []uint8{pointFormatUncompressed} 254 } 255 256 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok { 257 switch priv.Public().(type) { 258 case *ecdsa.PublicKey: 259 hs.ecSignOk = true 260 case ed25519.PublicKey: 261 hs.ecSignOk = true 262 case *rsa.PublicKey: 263 hs.rsaSignOk = true 264 default: 265 c.sendAlert(alertInternalError) 266 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public()) 267 } 268 } 269 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok { 270 switch priv.Public().(type) { 271 case *rsa.PublicKey: 272 hs.rsaDecryptOk = true 273 default: 274 c.sendAlert(alertInternalError) 275 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public()) 276 } 277 } 278 279 return nil 280 } 281 282 // negotiateALPN picks a shared ALPN protocol that both sides support in server 283 // preference order. If ALPN is not configured or the peer doesn't support it, 284 // it returns "" and no error. 285 func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) { 286 if len(serverProtos) == 0 || len(clientProtos) == 0 { 287 if quic && len(serverProtos) != 0 { 288 // RFC 9001, Section 8.1 289 return "", fmt.Errorf("tls: client did not request an application protocol") 290 } 291 return "", nil 292 } 293 var http11fallback bool 294 for _, s := range serverProtos { 295 for _, c := range clientProtos { 296 if s == c { 297 return s, nil 298 } 299 if s == "h2" && c == "http/1.1" { 300 http11fallback = true 301 } 302 } 303 } 304 // As a special case, let http/1.1 clients connect to h2 servers as if they 305 // didn't support ALPN. We used not to enforce protocol overlap, so over 306 // time a number of HTTP servers were configured with only "h2", but 307 // expected to accept connections from "http/1.1" clients. See Issue 46310. 308 if http11fallback { 309 return "", nil 310 } 311 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) 312 } 313 314 // supportsECDHE returns whether ECDHE key exchanges can be used with this 315 // pre-TLS 1.3 client. 316 func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool { 317 supportsCurve := false 318 for _, curve := range supportedCurves { 319 if c.supportsCurve(curve) { 320 supportsCurve = true 321 break 322 } 323 } 324 325 supportsPointFormat := false 326 for _, pointFormat := range supportedPoints { 327 if pointFormat == pointFormatUncompressed { 328 supportsPointFormat = true 329 break 330 } 331 } 332 // Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is 333 // missing, uncompressed points are supported. If supportedPoints is empty, 334 // the extension must be missing, as an empty extension body is rejected by 335 // the parser. See https://go.dev/issue/49126. 336 if len(supportedPoints) == 0 { 337 supportsPointFormat = true 338 } 339 340 return supportsCurve && supportsPointFormat 341 } 342 343 func (hs *serverHandshakeState) pickCipherSuite() error { 344 c := hs.c 345 346 preferenceOrder := cipherSuitesPreferenceOrder 347 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) { 348 preferenceOrder = cipherSuitesPreferenceOrderNoAES 349 } 350 351 configCipherSuites := c.config.cipherSuites() 352 preferenceList := make([]uint16, 0, len(configCipherSuites)) 353 for _, suiteID := range preferenceOrder { 354 for _, id := range configCipherSuites { 355 if id == suiteID { 356 preferenceList = append(preferenceList, id) 357 break 358 } 359 } 360 } 361 362 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk) 363 if hs.suite == nil { 364 c.sendAlert(alertHandshakeFailure) 365 return errors.New("tls: no cipher suite supported by both client and server") 366 } 367 c.cipherSuite = hs.suite.id 368 369 for _, id := range hs.clientHello.cipherSuites { 370 if id == TLS_FALLBACK_SCSV { 371 // The client is doing a fallback connection. See RFC 7507. 372 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) { 373 c.sendAlert(alertInappropriateFallback) 374 return errors.New("tls: client using inappropriate protocol fallback") 375 } 376 break 377 } 378 } 379 380 return nil 381 } 382 383 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool { 384 if c.flags&suiteECDHE != 0 { 385 if !hs.ecdheOk { 386 return false 387 } 388 if c.flags&suiteECSign != 0 { 389 if !hs.ecSignOk { 390 return false 391 } 392 } else if !hs.rsaSignOk { 393 return false 394 } 395 } else if !hs.rsaDecryptOk { 396 return false 397 } 398 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 { 399 return false 400 } 401 return true 402 } 403 404 // checkForResumption reports whether we should perform resumption on this connection. 405 func (hs *serverHandshakeState) checkForResumption() error { 406 c := hs.c 407 408 if c.config.SessionTicketsDisabled { 409 return nil 410 } 411 412 var sessionState *SessionState 413 if c.config.UnwrapSession != nil { 414 ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked()) 415 if err != nil { 416 return err 417 } 418 if ss == nil { 419 return nil 420 } 421 sessionState = ss 422 } else { 423 plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys) 424 if plaintext == nil { 425 return nil 426 } 427 ss, err := ParseSessionState(plaintext) 428 if err != nil { 429 return nil 430 } 431 sessionState = ss 432 } 433 434 // TLS 1.2 tickets don't natively have a lifetime, but we want to avoid 435 // re-wrapping the same master secret in different tickets over and over for 436 // too long, weakening forward secrecy. 437 createdAt := time.Unix(int64(sessionState.createdAt), 0) 438 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime { 439 return nil 440 } 441 442 // Never resume a session for a different TLS version. 443 if c.vers != sessionState.version { 444 return nil 445 } 446 447 cipherSuiteOk := false 448 // Check that the client is still offering the ciphersuite in the session. 449 for _, id := range hs.clientHello.cipherSuites { 450 if id == sessionState.cipherSuite { 451 cipherSuiteOk = true 452 break 453 } 454 } 455 if !cipherSuiteOk { 456 return nil 457 } 458 459 // Check that we also support the ciphersuite from the session. 460 suite := selectCipherSuite([]uint16{sessionState.cipherSuite}, 461 c.config.cipherSuites(), hs.cipherSuiteOk) 462 if suite == nil { 463 return nil 464 } 465 466 sessionHasClientCerts := len(sessionState.peerCertificates) != 0 467 needClientCerts := requiresClientCert(c.config.ClientAuth) 468 if needClientCerts && !sessionHasClientCerts { 469 return nil 470 } 471 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 472 return nil 473 } 474 if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) { 475 return nil 476 } 477 if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven && 478 len(sessionState.verifiedChains) == 0 { 479 return nil 480 } 481 482 // RFC 7627, Section 5.3 483 if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret { 484 return nil 485 } 486 if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret { 487 // Aborting is somewhat harsh, but it's a MUST and it would indicate a 488 // weird downgrade in client capabilities. 489 return errors.New("tls: session supported extended_master_secret but client does not") 490 } 491 492 c.peerCertificates = sessionState.peerCertificates 493 c.ocspResponse = sessionState.ocspResponse 494 c.scts = sessionState.scts 495 c.verifiedChains = sessionState.verifiedChains 496 c.extMasterSecret = sessionState.extMasterSecret 497 hs.sessionState = sessionState 498 hs.suite = suite 499 c.didResume = true 500 return nil 501 } 502 503 func (hs *serverHandshakeState) doResumeHandshake() error { 504 c := hs.c 505 506 hs.hello.cipherSuite = hs.suite.id 507 c.cipherSuite = hs.suite.id 508 // We echo the client's session ID in the ServerHello to let it know 509 // that we're doing a resumption. 510 hs.hello.sessionId = hs.clientHello.sessionId 511 // We always send a new session ticket, even if it wraps the same master 512 // secret and it's potentially encrypted with the same key, to help the 513 // client avoid cross-connection tracking from a network observer. 514 hs.hello.ticketSupported = true 515 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 516 hs.finishedHash.discardHandshakeBuffer() 517 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { 518 return err 519 } 520 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { 521 return err 522 } 523 524 if c.config.VerifyConnection != nil { 525 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 526 c.sendAlert(alertBadCertificate) 527 return err 528 } 529 } 530 531 hs.masterSecret = hs.sessionState.secret 532 533 return nil 534 } 535 536 func (hs *serverHandshakeState) doFullHandshake() error { 537 c := hs.c 538 539 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 540 hs.hello.ocspStapling = true 541 } 542 543 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled 544 hs.hello.cipherSuite = hs.suite.id 545 546 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite) 547 if c.config.ClientAuth == NoClientCert { 548 // No need to keep a full record of the handshake if client 549 // certificates won't be used. 550 hs.finishedHash.discardHandshakeBuffer() 551 } 552 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { 553 return err 554 } 555 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { 556 return err 557 } 558 559 certMsg := new(certificateMsg) 560 certMsg.certificates = hs.cert.Certificate 561 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { 562 return err 563 } 564 565 if hs.hello.ocspStapling { 566 certStatus := new(certificateStatusMsg) 567 certStatus.response = hs.cert.OCSPStaple 568 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil { 569 return err 570 } 571 } 572 573 keyAgreement := hs.suite.ka(c.vers) 574 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello) 575 if err != nil { 576 c.sendAlert(alertHandshakeFailure) 577 return err 578 } 579 if skx != nil { 580 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil { 581 return err 582 } 583 } 584 585 var certReq *certificateRequestMsg 586 if c.config.ClientAuth >= RequestClientCert { 587 // Request a client certificate 588 certReq = new(certificateRequestMsg) 589 certReq.certificateTypes = []byte{ 590 byte(certTypeRSASign), 591 byte(certTypeECDSASign), 592 } 593 if c.vers >= VersionTLS12 { 594 certReq.hasSignatureAlgorithm = true 595 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() 596 } 597 598 // An empty list of certificateAuthorities signals to 599 // the client that it may send any certificate in response 600 // to our request. When we know the CAs we trust, then 601 // we can send them down, so that the client can choose 602 // an appropriate certificate to give to us. 603 if c.config.ClientCAs != nil { 604 certReq.certificateAuthorities = c.config.ClientCAs.Subjects() 605 } 606 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil { 607 return err 608 } 609 } 610 611 helloDone := new(serverHelloDoneMsg) 612 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil { 613 return err 614 } 615 616 if _, err := c.flush(); err != nil { 617 return err 618 } 619 620 var pub crypto.PublicKey // public key for client auth, if any 621 622 msg, err := c.readHandshake(&hs.finishedHash) 623 if err != nil { 624 return err 625 } 626 627 // If we requested a client certificate, then the client must send a 628 // certificate message, even if it's empty. 629 if c.config.ClientAuth >= RequestClientCert { 630 certMsg, ok := msg.(*certificateMsg) 631 if !ok { 632 c.sendAlert(alertUnexpectedMessage) 633 return unexpectedMessageError(certMsg, msg) 634 } 635 636 if err := c.processCertsFromClient(Certificate{ 637 Certificate: certMsg.certificates, 638 }); err != nil { 639 return err 640 } 641 if len(certMsg.certificates) != 0 { 642 pub = c.peerCertificates[0].PublicKey 643 } 644 645 msg, err = c.readHandshake(&hs.finishedHash) 646 if err != nil { 647 return err 648 } 649 } 650 if c.config.VerifyConnection != nil { 651 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 652 c.sendAlert(alertBadCertificate) 653 return err 654 } 655 } 656 657 // Get client key exchange 658 ckx, ok := msg.(*clientKeyExchangeMsg) 659 if !ok { 660 c.sendAlert(alertUnexpectedMessage) 661 return unexpectedMessageError(ckx, msg) 662 } 663 664 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers) 665 if err != nil { 666 c.sendAlert(alertHandshakeFailure) 667 return err 668 } 669 if hs.hello.extendedMasterSecret { 670 c.extMasterSecret = true 671 hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, 672 hs.finishedHash.Sum()) 673 } else { 674 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, 675 hs.clientHello.random, hs.hello.random) 676 } 677 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil { 678 c.sendAlert(alertInternalError) 679 return err 680 } 681 682 // If we received a client cert in response to our certificate request message, 683 // the client will send us a certificateVerifyMsg immediately after the 684 // clientKeyExchangeMsg. This message is a digest of all preceding 685 // handshake-layer messages that is signed using the private key corresponding 686 // to the client's certificate. This allows us to verify that the client is in 687 // possession of the private key of the certificate. 688 if len(c.peerCertificates) > 0 { 689 // certificateVerifyMsg is included in the transcript, but not until 690 // after we verify the handshake signature, since the state before 691 // this message was sent is used. 692 msg, err = c.readHandshake(nil) 693 if err != nil { 694 return err 695 } 696 certVerify, ok := msg.(*certificateVerifyMsg) 697 if !ok { 698 c.sendAlert(alertUnexpectedMessage) 699 return unexpectedMessageError(certVerify, msg) 700 } 701 702 var sigType uint8 703 var sigHash crypto.Hash 704 if c.vers >= VersionTLS12 { 705 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) { 706 c.sendAlert(alertIllegalParameter) 707 return errors.New("tls: client certificate used with invalid signature algorithm") 708 } 709 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) 710 if err != nil { 711 return c.sendAlert(alertInternalError) 712 } 713 } else { 714 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub) 715 if err != nil { 716 c.sendAlert(alertIllegalParameter) 717 return err 718 } 719 } 720 721 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash) 722 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil { 723 c.sendAlert(alertDecryptError) 724 return errors.New("tls: invalid signature by the client certificate: " + err.Error()) 725 } 726 727 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil { 728 return err 729 } 730 } 731 732 hs.finishedHash.discardHandshakeBuffer() 733 734 return nil 735 } 736 737 func (hs *serverHandshakeState) establishKeys() error { 738 c := hs.c 739 740 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 741 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 742 743 var clientCipher, serverCipher any 744 var clientHash, serverHash hash.Hash 745 746 if hs.suite.aead == nil { 747 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 748 clientHash = hs.suite.mac(clientMAC) 749 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 750 serverHash = hs.suite.mac(serverMAC) 751 } else { 752 clientCipher = hs.suite.aead(clientKey, clientIV) 753 serverCipher = hs.suite.aead(serverKey, serverIV) 754 } 755 756 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) 757 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) 758 759 return nil 760 } 761 762 func (hs *serverHandshakeState) readFinished(out []byte) error { 763 c := hs.c 764 765 if err := c.readChangeCipherSpec(); err != nil { 766 return err 767 } 768 769 // finishedMsg is included in the transcript, but not until after we 770 // check the client version, since the state before this message was 771 // sent is used during verification. 772 msg, err := c.readHandshake(nil) 773 if err != nil { 774 return err 775 } 776 clientFinished, ok := msg.(*finishedMsg) 777 if !ok { 778 c.sendAlert(alertUnexpectedMessage) 779 return unexpectedMessageError(clientFinished, msg) 780 } 781 782 verify := hs.finishedHash.clientSum(hs.masterSecret) 783 if len(verify) != len(clientFinished.verifyData) || 784 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 785 c.sendAlert(alertHandshakeFailure) 786 return errors.New("tls: client's Finished message is incorrect") 787 } 788 789 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil { 790 return err 791 } 792 793 copy(out, verify) 794 return nil 795 } 796 797 func (hs *serverHandshakeState) sendSessionTicket() error { 798 if !hs.hello.ticketSupported { 799 return nil 800 } 801 802 c := hs.c 803 m := new(newSessionTicketMsg) 804 805 state, err := c.sessionState() 806 if err != nil { 807 return err 808 } 809 state.secret = hs.masterSecret 810 if hs.sessionState != nil { 811 // If this is re-wrapping an old key, then keep 812 // the original time it was created. 813 state.createdAt = hs.sessionState.createdAt 814 } 815 if c.config.WrapSession != nil { 816 m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state) 817 if err != nil { 818 return err 819 } 820 } else { 821 stateBytes, err := state.Bytes() 822 if err != nil { 823 return err 824 } 825 m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys) 826 if err != nil { 827 return err 828 } 829 } 830 831 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil { 832 return err 833 } 834 835 return nil 836 } 837 838 func (hs *serverHandshakeState) sendFinished(out []byte) error { 839 c := hs.c 840 841 if err := c.writeChangeCipherRecord(); err != nil { 842 return err 843 } 844 845 finished := new(finishedMsg) 846 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 847 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { 848 return err 849 } 850 851 copy(out, finished.verifyData) 852 853 return nil 854 } 855 856 // processCertsFromClient takes a chain of client certificates either from a 857 // Certificates message and verifies them. 858 func (c *Conn) processCertsFromClient(certificate Certificate) error { 859 certificates := certificate.Certificate 860 certs := make([]*x509.Certificate, len(certificates)) 861 var err error 862 for i, asn1Data := range certificates { 863 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 864 c.sendAlert(alertBadCertificate) 865 return errors.New("tls: failed to parse client certificate: " + err.Error()) 866 } 867 } 868 869 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) { 870 if c.vers == VersionTLS13 { 871 c.sendAlert(alertCertificateRequired) 872 } else { 873 c.sendAlert(alertBadCertificate) 874 } 875 return errors.New("tls: client didn't provide a certificate") 876 } 877 878 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 879 opts := x509.VerifyOptions{ 880 Roots: c.config.ClientCAs, 881 CurrentTime: c.config.time(), 882 Intermediates: x509.NewCertPool(), 883 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 884 } 885 886 for _, cert := range certs[1:] { 887 opts.Intermediates.AddCert(cert) 888 } 889 890 chains, err := certs[0].Verify(opts) 891 if err != nil { 892 var errCertificateInvalid x509.CertificateInvalidError 893 if errors.As(err, &x509.UnknownAuthorityError{}) { 894 c.sendAlert(alertUnknownCA) 895 } else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired { 896 c.sendAlert(alertCertificateExpired) 897 } else { 898 c.sendAlert(alertBadCertificate) 899 } 900 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err} 901 } 902 903 c.verifiedChains = chains 904 } 905 906 c.peerCertificates = certs 907 c.ocspResponse = certificate.OCSPStaple 908 c.scts = certificate.SignedCertificateTimestamps 909 910 if len(certs) > 0 { 911 switch certs[0].PublicKey.(type) { 912 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: 913 default: 914 c.sendAlert(alertUnsupportedCertificate) 915 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey) 916 } 917 } 918 919 if c.config.VerifyPeerCertificate != nil { 920 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil { 921 c.sendAlert(alertBadCertificate) 922 return err 923 } 924 } 925 926 return nil 927 } 928 929 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo { 930 supportedVersions := clientHello.supportedVersions 931 if len(clientHello.supportedVersions) == 0 { 932 supportedVersions = supportedVersionsFromMax(clientHello.vers) 933 } 934 935 return &ClientHelloInfo{ 936 CipherSuites: clientHello.cipherSuites, 937 ServerName: clientHello.serverName, 938 SupportedCurves: clientHello.supportedCurves, 939 SupportedPoints: clientHello.supportedPoints, 940 SignatureSchemes: clientHello.supportedSignatureAlgorithms, 941 SupportedProtos: clientHello.alpnProtocols, 942 SupportedVersions: supportedVersions, 943 Conn: c.conn, 944 config: c.config, 945 ctx: ctx, 946 } 947 }