github.com/euank/go@v0.0.0-20160829210321-495514729181/src/crypto/tls/handshake_server.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto" 9 "crypto/ecdsa" 10 "crypto/rsa" 11 "crypto/subtle" 12 "crypto/x509" 13 "encoding/asn1" 14 "errors" 15 "fmt" 16 "io" 17 ) 18 19 // serverHandshakeState contains details of a server handshake in progress. 20 // It's discarded once the handshake has completed. 21 type serverHandshakeState struct { 22 c *Conn 23 clientHello *clientHelloMsg 24 hello *serverHelloMsg 25 suite *cipherSuite 26 ellipticOk bool 27 ecdsaOk bool 28 rsaDecryptOk bool 29 rsaSignOk bool 30 sessionState *sessionState 31 finishedHash finishedHash 32 masterSecret []byte 33 certsFromClient [][]byte 34 cert *Certificate 35 } 36 37 // serverHandshake performs a TLS handshake as a server. 38 // c.out.Mutex <= L; c.handshakeMutex <= L. 39 func (c *Conn) serverHandshake() error { 40 config := c.config 41 42 // If this is the first server handshake, we generate a random key to 43 // encrypt the tickets with. 44 config.serverInitOnce.Do(config.serverInit) 45 46 hs := serverHandshakeState{ 47 c: c, 48 } 49 isResume, err := hs.readClientHello() 50 if err != nil { 51 return err 52 } 53 54 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 55 c.buffering = true 56 if isResume { 57 // The client has included a session ticket and so we do an abbreviated handshake. 58 if err := hs.doResumeHandshake(); err != nil { 59 return err 60 } 61 if err := hs.establishKeys(); err != nil { 62 return err 63 } 64 // ticketSupported is set in a resumption handshake if the 65 // ticket from the client was encrypted with an old session 66 // ticket key and thus a refreshed ticket should be sent. 67 if hs.hello.ticketSupported { 68 if err := hs.sendSessionTicket(); err != nil { 69 return err 70 } 71 } 72 if err := hs.sendFinished(c.serverFinished[:]); err != nil { 73 return err 74 } 75 if _, err := c.flush(); err != nil { 76 return err 77 } 78 c.clientFinishedIsFirst = false 79 if err := hs.readFinished(nil); err != nil { 80 return err 81 } 82 c.didResume = true 83 } else { 84 // The client didn't include a session ticket, or it wasn't 85 // valid so we do a full handshake. 86 if err := hs.doFullHandshake(); err != nil { 87 return err 88 } 89 if err := hs.establishKeys(); err != nil { 90 return err 91 } 92 if err := hs.readFinished(c.clientFinished[:]); err != nil { 93 return err 94 } 95 c.clientFinishedIsFirst = true 96 c.buffering = true 97 if err := hs.sendSessionTicket(); err != nil { 98 return err 99 } 100 if err := hs.sendFinished(nil); err != nil { 101 return err 102 } 103 if _, err := c.flush(); err != nil { 104 return err 105 } 106 } 107 c.handshakeComplete = true 108 109 return nil 110 } 111 112 // readClientHello reads a ClientHello message from the client and decides 113 // whether we will perform session resumption. 114 func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) { 115 config := hs.c.config 116 c := hs.c 117 118 msg, err := c.readHandshake() 119 if err != nil { 120 return false, err 121 } 122 var ok bool 123 hs.clientHello, ok = msg.(*clientHelloMsg) 124 if !ok { 125 c.sendAlert(alertUnexpectedMessage) 126 return false, unexpectedMessageError(hs.clientHello, msg) 127 } 128 c.vers, ok = config.mutualVersion(hs.clientHello.vers) 129 if !ok { 130 c.sendAlert(alertProtocolVersion) 131 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers) 132 } 133 c.haveVers = true 134 135 hs.hello = new(serverHelloMsg) 136 137 supportedCurve := false 138 preferredCurves := config.curvePreferences() 139 Curves: 140 for _, curve := range hs.clientHello.supportedCurves { 141 for _, supported := range preferredCurves { 142 if supported == curve { 143 supportedCurve = true 144 break Curves 145 } 146 } 147 } 148 149 supportedPointFormat := false 150 for _, pointFormat := range hs.clientHello.supportedPoints { 151 if pointFormat == pointFormatUncompressed { 152 supportedPointFormat = true 153 break 154 } 155 } 156 hs.ellipticOk = supportedCurve && supportedPointFormat 157 158 foundCompression := false 159 // We only support null compression, so check that the client offered it. 160 for _, compression := range hs.clientHello.compressionMethods { 161 if compression == compressionNone { 162 foundCompression = true 163 break 164 } 165 } 166 167 if !foundCompression { 168 c.sendAlert(alertHandshakeFailure) 169 return false, errors.New("tls: client does not support uncompressed connections") 170 } 171 172 hs.hello.vers = c.vers 173 hs.hello.random = make([]byte, 32) 174 _, err = io.ReadFull(config.rand(), hs.hello.random) 175 if err != nil { 176 c.sendAlert(alertInternalError) 177 return false, err 178 } 179 180 if len(hs.clientHello.secureRenegotiation) != 0 { 181 c.sendAlert(alertHandshakeFailure) 182 return false, errors.New("tls: initial handshake had non-empty renegotiation extension") 183 } 184 185 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported 186 hs.hello.compressionMethod = compressionNone 187 if len(hs.clientHello.serverName) > 0 { 188 c.serverName = hs.clientHello.serverName 189 } 190 191 if len(hs.clientHello.alpnProtocols) > 0 { 192 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 193 hs.hello.alpnProtocol = selectedProto 194 c.clientProtocol = selectedProto 195 } 196 } else { 197 // Although sending an empty NPN extension is reasonable, Firefox has 198 // had a bug around this. Best to send nothing at all if 199 // config.NextProtos is empty. See 200 // https://golang.org/issue/5445. 201 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 { 202 hs.hello.nextProtoNeg = true 203 hs.hello.nextProtos = config.NextProtos 204 } 205 } 206 207 hs.cert, err = config.getCertificate(&ClientHelloInfo{ 208 CipherSuites: hs.clientHello.cipherSuites, 209 ServerName: hs.clientHello.serverName, 210 SupportedCurves: hs.clientHello.supportedCurves, 211 SupportedPoints: hs.clientHello.supportedPoints, 212 }) 213 if err != nil { 214 c.sendAlert(alertInternalError) 215 return false, err 216 } 217 if hs.clientHello.scts { 218 hs.hello.scts = hs.cert.SignedCertificateTimestamps 219 } 220 221 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok { 222 switch priv.Public().(type) { 223 case *ecdsa.PublicKey: 224 hs.ecdsaOk = true 225 case *rsa.PublicKey: 226 hs.rsaSignOk = true 227 default: 228 c.sendAlert(alertInternalError) 229 return false, fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public()) 230 } 231 } 232 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok { 233 switch priv.Public().(type) { 234 case *rsa.PublicKey: 235 hs.rsaDecryptOk = true 236 default: 237 c.sendAlert(alertInternalError) 238 return false, fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public()) 239 } 240 } 241 242 if hs.checkForResumption() { 243 return true, nil 244 } 245 246 var preferenceList, supportedList []uint16 247 if c.config.PreferServerCipherSuites { 248 preferenceList = c.config.cipherSuites() 249 supportedList = hs.clientHello.cipherSuites 250 } else { 251 preferenceList = hs.clientHello.cipherSuites 252 supportedList = c.config.cipherSuites() 253 } 254 255 for _, id := range preferenceList { 256 if hs.setCipherSuite(id, supportedList, c.vers) { 257 break 258 } 259 } 260 261 if hs.suite == nil { 262 c.sendAlert(alertHandshakeFailure) 263 return false, errors.New("tls: no cipher suite supported by both client and server") 264 } 265 266 // See https://tools.ietf.org/html/rfc7507. 267 for _, id := range hs.clientHello.cipherSuites { 268 if id == TLS_FALLBACK_SCSV { 269 // The client is doing a fallback connection. 270 if hs.clientHello.vers < c.config.maxVersion() { 271 c.sendAlert(alertInappropriateFallback) 272 return false, errors.New("tls: client using inappropriate protocol fallback") 273 } 274 break 275 } 276 } 277 278 return false, nil 279 } 280 281 // checkForResumption reports whether we should perform resumption on this connection. 282 func (hs *serverHandshakeState) checkForResumption() bool { 283 c := hs.c 284 285 if c.config.SessionTicketsDisabled { 286 return false 287 } 288 289 var ok bool 290 var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...) 291 if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok { 292 return false 293 } 294 295 // Never resume a session for a different TLS version. 296 if c.vers != hs.sessionState.vers { 297 return false 298 } 299 300 cipherSuiteOk := false 301 // Check that the client is still offering the ciphersuite in the session. 302 for _, id := range hs.clientHello.cipherSuites { 303 if id == hs.sessionState.cipherSuite { 304 cipherSuiteOk = true 305 break 306 } 307 } 308 if !cipherSuiteOk { 309 return false 310 } 311 312 // Check that we also support the ciphersuite from the session. 313 if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) { 314 return false 315 } 316 317 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 318 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 319 if needClientCerts && !sessionHasClientCerts { 320 return false 321 } 322 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 323 return false 324 } 325 326 return true 327 } 328 329 func (hs *serverHandshakeState) doResumeHandshake() error { 330 c := hs.c 331 332 hs.hello.cipherSuite = hs.suite.id 333 // We echo the client's session ID in the ServerHello to let it know 334 // that we're doing a resumption. 335 hs.hello.sessionId = hs.clientHello.sessionId 336 hs.hello.ticketSupported = hs.sessionState.usedOldKey 337 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 338 hs.finishedHash.discardHandshakeBuffer() 339 hs.finishedHash.Write(hs.clientHello.marshal()) 340 hs.finishedHash.Write(hs.hello.marshal()) 341 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 342 return err 343 } 344 345 if len(hs.sessionState.certificates) > 0 { 346 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 347 return err 348 } 349 } 350 351 hs.masterSecret = hs.sessionState.masterSecret 352 353 return nil 354 } 355 356 func (hs *serverHandshakeState) doFullHandshake() error { 357 config := hs.c.config 358 c := hs.c 359 360 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 361 hs.hello.ocspStapling = true 362 } 363 364 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled 365 hs.hello.cipherSuite = hs.suite.id 366 367 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite) 368 if config.ClientAuth == NoClientCert { 369 // No need to keep a full record of the handshake if client 370 // certificates won't be used. 371 hs.finishedHash.discardHandshakeBuffer() 372 } 373 hs.finishedHash.Write(hs.clientHello.marshal()) 374 hs.finishedHash.Write(hs.hello.marshal()) 375 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 376 return err 377 } 378 379 certMsg := new(certificateMsg) 380 certMsg.certificates = hs.cert.Certificate 381 hs.finishedHash.Write(certMsg.marshal()) 382 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 383 return err 384 } 385 386 if hs.hello.ocspStapling { 387 certStatus := new(certificateStatusMsg) 388 certStatus.statusType = statusTypeOCSP 389 certStatus.response = hs.cert.OCSPStaple 390 hs.finishedHash.Write(certStatus.marshal()) 391 if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil { 392 return err 393 } 394 } 395 396 keyAgreement := hs.suite.ka(c.vers) 397 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello) 398 if err != nil { 399 c.sendAlert(alertHandshakeFailure) 400 return err 401 } 402 if skx != nil { 403 hs.finishedHash.Write(skx.marshal()) 404 if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil { 405 return err 406 } 407 } 408 409 if config.ClientAuth >= RequestClientCert { 410 // Request a client certificate 411 certReq := new(certificateRequestMsg) 412 certReq.certificateTypes = []byte{ 413 byte(certTypeRSASign), 414 byte(certTypeECDSASign), 415 } 416 if c.vers >= VersionTLS12 { 417 certReq.hasSignatureAndHash = true 418 certReq.signatureAndHashes = supportedSignatureAlgorithms 419 } 420 421 // An empty list of certificateAuthorities signals to 422 // the client that it may send any certificate in response 423 // to our request. When we know the CAs we trust, then 424 // we can send them down, so that the client can choose 425 // an appropriate certificate to give to us. 426 if config.ClientCAs != nil { 427 certReq.certificateAuthorities = config.ClientCAs.Subjects() 428 } 429 hs.finishedHash.Write(certReq.marshal()) 430 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { 431 return err 432 } 433 } 434 435 helloDone := new(serverHelloDoneMsg) 436 hs.finishedHash.Write(helloDone.marshal()) 437 if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil { 438 return err 439 } 440 441 if _, err := c.flush(); err != nil { 442 return err 443 } 444 445 var pub crypto.PublicKey // public key for client auth, if any 446 447 msg, err := c.readHandshake() 448 if err != nil { 449 return err 450 } 451 452 var ok bool 453 // If we requested a client certificate, then the client must send a 454 // certificate message, even if it's empty. 455 if config.ClientAuth >= RequestClientCert { 456 if certMsg, ok = msg.(*certificateMsg); !ok { 457 c.sendAlert(alertUnexpectedMessage) 458 return unexpectedMessageError(certMsg, msg) 459 } 460 hs.finishedHash.Write(certMsg.marshal()) 461 462 if len(certMsg.certificates) == 0 { 463 // The client didn't actually send a certificate 464 switch config.ClientAuth { 465 case RequireAnyClientCert, RequireAndVerifyClientCert: 466 c.sendAlert(alertBadCertificate) 467 return errors.New("tls: client didn't provide a certificate") 468 } 469 } 470 471 pub, err = hs.processCertsFromClient(certMsg.certificates) 472 if err != nil { 473 return err 474 } 475 476 msg, err = c.readHandshake() 477 if err != nil { 478 return err 479 } 480 } 481 482 // Get client key exchange 483 ckx, ok := msg.(*clientKeyExchangeMsg) 484 if !ok { 485 c.sendAlert(alertUnexpectedMessage) 486 return unexpectedMessageError(ckx, msg) 487 } 488 hs.finishedHash.Write(ckx.marshal()) 489 490 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers) 491 if err != nil { 492 c.sendAlert(alertHandshakeFailure) 493 return err 494 } 495 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 496 if err := config.writeKeyLog(hs.clientHello.random, hs.masterSecret); err != nil { 497 c.sendAlert(alertInternalError) 498 return err 499 } 500 501 // If we received a client cert in response to our certificate request message, 502 // the client will send us a certificateVerifyMsg immediately after the 503 // clientKeyExchangeMsg. This message is a digest of all preceding 504 // handshake-layer messages that is signed using the private key corresponding 505 // to the client's certificate. This allows us to verify that the client is in 506 // possession of the private key of the certificate. 507 if len(c.peerCertificates) > 0 { 508 msg, err = c.readHandshake() 509 if err != nil { 510 return err 511 } 512 certVerify, ok := msg.(*certificateVerifyMsg) 513 if !ok { 514 c.sendAlert(alertUnexpectedMessage) 515 return unexpectedMessageError(certVerify, msg) 516 } 517 518 // Determine the signature type. 519 var signatureAndHash signatureAndHash 520 if certVerify.hasSignatureAndHash { 521 signatureAndHash = certVerify.signatureAndHash 522 if !isSupportedSignatureAndHash(signatureAndHash, supportedSignatureAlgorithms) { 523 return errors.New("tls: unsupported hash function for client certificate") 524 } 525 } else { 526 // Before TLS 1.2 the signature algorithm was implicit 527 // from the key type, and only one hash per signature 528 // algorithm was possible. Leave the hash as zero. 529 switch pub.(type) { 530 case *ecdsa.PublicKey: 531 signatureAndHash.signature = signatureECDSA 532 case *rsa.PublicKey: 533 signatureAndHash.signature = signatureRSA 534 } 535 } 536 537 switch key := pub.(type) { 538 case *ecdsa.PublicKey: 539 if signatureAndHash.signature != signatureECDSA { 540 err = errors.New("tls: bad signature type for client's ECDSA certificate") 541 break 542 } 543 ecdsaSig := new(ecdsaSignature) 544 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil { 545 break 546 } 547 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 548 err = errors.New("tls: ECDSA signature contained zero or negative values") 549 break 550 } 551 var digest []byte 552 if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil { 553 break 554 } 555 if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) { 556 err = errors.New("tls: ECDSA verification failure") 557 } 558 case *rsa.PublicKey: 559 if signatureAndHash.signature != signatureRSA { 560 err = errors.New("tls: bad signature type for client's RSA certificate") 561 break 562 } 563 var digest []byte 564 var hashFunc crypto.Hash 565 if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil { 566 break 567 } 568 err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature) 569 } 570 if err != nil { 571 c.sendAlert(alertBadCertificate) 572 return errors.New("tls: could not validate signature of connection nonces: " + err.Error()) 573 } 574 575 hs.finishedHash.Write(certVerify.marshal()) 576 } 577 578 hs.finishedHash.discardHandshakeBuffer() 579 580 return nil 581 } 582 583 func (hs *serverHandshakeState) establishKeys() error { 584 c := hs.c 585 586 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 587 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 588 589 var clientCipher, serverCipher interface{} 590 var clientHash, serverHash macFunction 591 592 if hs.suite.aead == nil { 593 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 594 clientHash = hs.suite.mac(c.vers, clientMAC) 595 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 596 serverHash = hs.suite.mac(c.vers, serverMAC) 597 } else { 598 clientCipher = hs.suite.aead(clientKey, clientIV) 599 serverCipher = hs.suite.aead(serverKey, serverIV) 600 } 601 602 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) 603 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) 604 605 return nil 606 } 607 608 func (hs *serverHandshakeState) readFinished(out []byte) error { 609 c := hs.c 610 611 c.readRecord(recordTypeChangeCipherSpec) 612 if c.in.err != nil { 613 return c.in.err 614 } 615 616 if hs.hello.nextProtoNeg { 617 msg, err := c.readHandshake() 618 if err != nil { 619 return err 620 } 621 nextProto, ok := msg.(*nextProtoMsg) 622 if !ok { 623 c.sendAlert(alertUnexpectedMessage) 624 return unexpectedMessageError(nextProto, msg) 625 } 626 hs.finishedHash.Write(nextProto.marshal()) 627 c.clientProtocol = nextProto.proto 628 } 629 630 msg, err := c.readHandshake() 631 if err != nil { 632 return err 633 } 634 clientFinished, ok := msg.(*finishedMsg) 635 if !ok { 636 c.sendAlert(alertUnexpectedMessage) 637 return unexpectedMessageError(clientFinished, msg) 638 } 639 640 verify := hs.finishedHash.clientSum(hs.masterSecret) 641 if len(verify) != len(clientFinished.verifyData) || 642 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 643 c.sendAlert(alertHandshakeFailure) 644 return errors.New("tls: client's Finished message is incorrect") 645 } 646 647 hs.finishedHash.Write(clientFinished.marshal()) 648 copy(out, verify) 649 return nil 650 } 651 652 func (hs *serverHandshakeState) sendSessionTicket() error { 653 if !hs.hello.ticketSupported { 654 return nil 655 } 656 657 c := hs.c 658 m := new(newSessionTicketMsg) 659 660 var err error 661 state := sessionState{ 662 vers: c.vers, 663 cipherSuite: hs.suite.id, 664 masterSecret: hs.masterSecret, 665 certificates: hs.certsFromClient, 666 } 667 m.ticket, err = c.encryptTicket(&state) 668 if err != nil { 669 return err 670 } 671 672 hs.finishedHash.Write(m.marshal()) 673 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { 674 return err 675 } 676 677 return nil 678 } 679 680 func (hs *serverHandshakeState) sendFinished(out []byte) error { 681 c := hs.c 682 683 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { 684 return err 685 } 686 687 finished := new(finishedMsg) 688 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 689 hs.finishedHash.Write(finished.marshal()) 690 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 691 return err 692 } 693 694 c.cipherSuite = hs.suite.id 695 copy(out, finished.verifyData) 696 697 return nil 698 } 699 700 // processCertsFromClient takes a chain of client certificates either from a 701 // Certificates message or from a sessionState and verifies them. It returns 702 // the public key of the leaf certificate. 703 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 704 c := hs.c 705 706 hs.certsFromClient = certificates 707 certs := make([]*x509.Certificate, len(certificates)) 708 var err error 709 for i, asn1Data := range certificates { 710 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 711 c.sendAlert(alertBadCertificate) 712 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 713 } 714 } 715 716 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 717 opts := x509.VerifyOptions{ 718 Roots: c.config.ClientCAs, 719 CurrentTime: c.config.time(), 720 Intermediates: x509.NewCertPool(), 721 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 722 } 723 724 for _, cert := range certs[1:] { 725 opts.Intermediates.AddCert(cert) 726 } 727 728 chains, err := certs[0].Verify(opts) 729 if err != nil { 730 c.sendAlert(alertBadCertificate) 731 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 732 } 733 734 c.verifiedChains = chains 735 } 736 737 if len(certs) == 0 { 738 return nil, nil 739 } 740 741 var pub crypto.PublicKey 742 switch key := certs[0].PublicKey.(type) { 743 case *ecdsa.PublicKey, *rsa.PublicKey: 744 pub = key 745 default: 746 c.sendAlert(alertUnsupportedCertificate) 747 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey) 748 } 749 c.peerCertificates = certs 750 return pub, nil 751 } 752 753 // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState 754 // suite if that cipher suite is acceptable to use. 755 // It returns a bool indicating if the suite was set. 756 func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool { 757 for _, supported := range supportedCipherSuites { 758 if id == supported { 759 var candidate *cipherSuite 760 761 for _, s := range cipherSuites { 762 if s.id == id { 763 candidate = s 764 break 765 } 766 } 767 if candidate == nil { 768 continue 769 } 770 // Don't select a ciphersuite which we can't 771 // support for this client. 772 if candidate.flags&suiteECDHE != 0 { 773 if !hs.ellipticOk { 774 continue 775 } 776 if candidate.flags&suiteECDSA != 0 { 777 if !hs.ecdsaOk { 778 continue 779 } 780 } else if !hs.rsaSignOk { 781 continue 782 } 783 } else if !hs.rsaDecryptOk { 784 continue 785 } 786 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 787 continue 788 } 789 hs.suite = candidate 790 return true 791 } 792 } 793 return false 794 }