github.com/hellobchain/newcryptosm@v0.0.0-20221019060107-edb949a317e9/tls/handshake_server.go (about) 1 /* 2 Copyright Suzhou Tongji Fintech Research Institute 2017 All Rights Reserved. 3 Licensed under the Apache License, Version 2.0 (the "License"); 4 you may not use this file except in compliance with the License. 5 You may obtain a copy of the License at 6 7 http://www.apache.org/licenses/LICENSE-2.0 8 9 Unless required by applicable law or agreed to in writing, software 10 distributed under the License is distributed on an "AS IS" BASIS, 11 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 See the License for the specific language governing permissions and 13 limitations under the License. 14 */ 15 16 package tls 17 18 import ( 19 "crypto" 20 "crypto/rsa" 21 "crypto/subtle" 22 "encoding/asn1" 23 "errors" 24 "fmt" 25 "github.com/hellobchain/newcryptosm" 26 "github.com/hellobchain/newcryptosm/ecdsa" 27 x5092 "github.com/hellobchain/newcryptosm/x509" 28 "io" 29 ) 30 31 // serverHandshakeState contains details of a server handshake in progress. 32 // It's discarded once the handshake has completed. 33 type serverHandshakeState struct { 34 c *Conn 35 clientHello *clientHelloMsg 36 hello *serverHelloMsg 37 suite *cipherSuite 38 ellipticOk bool 39 ecdsaOk bool 40 sm2Ok bool 41 rsaDecryptOk bool 42 rsaSignOk bool 43 sessionState *sessionState 44 finishedHash finishedHash 45 masterSecret []byte 46 certsFromClient [][]byte 47 cert *Certificate 48 cachedClientHelloInfo *ClientHelloInfo 49 } 50 51 // serverHandshake performs a TLS handshake as a server. 52 // c.out.Mutex <= L; c.handshakeMutex <= L. 53 func (c *Conn) serverHandshake() error { 54 // If this is the first server handshake, we generate a random key to 55 // encrypt the tickets with. 56 c.config.serverInitOnce.Do(c.config.serverInit) 57 58 hs := serverHandshakeState{ 59 c: c, 60 } 61 // read clientHello 62 isResume, err := hs.readClientHello() 63 if err != nil { 64 return err 65 } 66 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 67 c.buffering = true 68 if isResume { 69 // The client has included a session ticket and so we do an abbreviated handshake. 70 if err := hs.doResumeHandshake(); err != nil { 71 return err 72 } 73 if err := hs.establishKeys(); err != nil { 74 return err 75 } 76 // ticketSupported is set in a resumption handshake if the 77 // ticket from the client was encrypted with an old session 78 // ticket key and thus a refreshed ticket should be sent. 79 if hs.hello.ticketSupported { 80 if err := hs.sendSessionTicket(); err != nil { 81 return err 82 } 83 } 84 if err := hs.sendFinished(c.serverFinished[:]); err != nil { 85 return err 86 } 87 if _, err := c.flush(); err != nil { 88 return err 89 } 90 c.clientFinishedIsFirst = false 91 if err := hs.readFinished(nil); err != nil { 92 return err 93 } 94 c.didResume = true 95 } else { 96 // The client didn't include a session ticket, or it wasn't 97 // valid so we do a full handshake. 98 if err := hs.doFullHandshake(); err != nil { 99 return err 100 } 101 if err := hs.establishKeys(); err != nil { 102 return err 103 } 104 if err := hs.readFinished(c.clientFinished[:]); err != nil { 105 return err 106 } 107 c.clientFinishedIsFirst = true 108 c.buffering = true 109 if err := hs.sendSessionTicket(); err != nil { 110 return err 111 } 112 if err := hs.sendFinished(nil); err != nil { 113 return err 114 } 115 if _, err := c.flush(); err != nil { 116 return err 117 } 118 } 119 c.handshakeComplete = true 120 121 return nil 122 } 123 124 // readClientHello reads a ClientHello message from the client and decides 125 // whether we will perform session resumption. 126 func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) { 127 c := hs.c 128 // read client hello from client 129 msg, err := c.readHandshake() 130 if err != nil { 131 return false, err 132 } 133 // deal with client hello 134 var ok bool 135 hs.clientHello, ok = msg.(*clientHelloMsg) 136 if !ok { 137 c.sendAlert(alertUnexpectedMessage) 138 return false, unexpectedMessageError(hs.clientHello, msg) 139 } 140 141 if c.config.GetConfigForClient != nil { 142 if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil { 143 c.sendAlert(alertInternalError) 144 return false, err 145 } else if newConfig != nil { 146 newConfig.mutex.Lock() 147 newConfig.originalConfig = c.config 148 newConfig.mutex.Unlock() 149 150 newConfig.serverInitOnce.Do(newConfig.serverInit) 151 c.config = newConfig 152 } 153 } 154 155 c.vers, ok = c.config.mutualVersion(hs.clientHello.vers) 156 if !ok { 157 c.sendAlert(alertProtocolVersion) 158 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers) 159 } 160 c.haveVers = true 161 // generate server hello 162 hs.hello = new(serverHelloMsg) 163 164 supportedCurve := false 165 preferredCurves := c.config.curvePreferences() 166 Curves: 167 for _, curve := range hs.clientHello.supportedCurves { 168 for _, supported := range preferredCurves { 169 if supported == curve { 170 supportedCurve = true 171 break Curves 172 } 173 } 174 } 175 176 supportedPointFormat := false 177 for _, pointFormat := range hs.clientHello.supportedPoints { 178 if pointFormat == pointFormatUncompressed { 179 supportedPointFormat = true 180 break 181 } 182 } 183 hs.ellipticOk = supportedCurve && supportedPointFormat 184 185 foundCompression := false 186 // We only support null compression, so check that the client offered it. 187 for _, compression := range hs.clientHello.compressionMethods { 188 if compression == compressionNone { 189 foundCompression = true 190 break 191 } 192 } 193 194 if !foundCompression { 195 c.sendAlert(alertHandshakeFailure) 196 return false, errors.New("tls: client does not support uncompressed connections") 197 } 198 199 // generate server random 200 201 hs.hello.vers = c.vers 202 hs.hello.random = make([]byte, 32) 203 _, err = io.ReadFull(c.config.rand(), hs.hello.random) 204 if err != nil { 205 c.sendAlert(alertInternalError) 206 return false, err 207 } 208 209 if len(hs.clientHello.secureRenegotiation) != 0 { 210 c.sendAlert(alertHandshakeFailure) 211 return false, errors.New("tls: initial handshake had non-empty renegotiation extension") 212 } 213 214 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported 215 hs.hello.compressionMethod = compressionNone 216 if len(hs.clientHello.serverName) > 0 { 217 c.serverName = hs.clientHello.serverName 218 } 219 220 if len(hs.clientHello.alpnProtocols) > 0 { 221 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 222 hs.hello.alpnProtocol = selectedProto 223 c.clientProtocol = selectedProto 224 } 225 } else { 226 // Although sending an empty NPN extension is reasonable, Firefox has 227 // had a bug around this. Best to send nothing at all if 228 // c.config.NextProtos is empty. See 229 // https://golang.org/issue/5445. 230 if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 { 231 hs.hello.nextProtoNeg = true 232 hs.hello.nextProtos = c.config.NextProtos 233 } 234 } 235 // server certificate 236 hs.cert, err = c.config.getCertificate(hs.clientHelloInfo()) 237 if err != nil { 238 c.sendAlert(alertInternalError) 239 return false, err 240 } 241 if hs.clientHello.scts { 242 hs.hello.scts = hs.cert.SignedCertificateTimestamps 243 } 244 245 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok { 246 switch priv.Public().(type) { 247 case *ecdsa.PublicKey: 248 pub := priv.Public().(*ecdsa.PublicKey) 249 if ecdsa.IsSM2(pub.Params()) { 250 hs.sm2Ok = true 251 } else { 252 hs.ecdsaOk = true 253 } 254 case *rsa.PublicKey: 255 hs.rsaSignOk = true 256 default: 257 c.sendAlert(alertInternalError) 258 return false, fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public()) 259 } 260 } 261 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok { 262 switch priv.Public().(type) { 263 case *rsa.PublicKey: 264 hs.rsaDecryptOk = true 265 default: 266 c.sendAlert(alertInternalError) 267 return false, fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public()) 268 } 269 } 270 271 if hs.checkForResumption() { 272 return true, nil 273 } 274 275 var preferenceList, supportedList []uint16 276 if c.config.PreferServerCipherSuites { 277 preferenceList = c.config.cipherSuites() 278 supportedList = hs.clientHello.cipherSuites 279 } else { 280 preferenceList = hs.clientHello.cipherSuites 281 supportedList = c.config.cipherSuites() 282 } 283 for _, id := range preferenceList { 284 if hs.setCipherSuite(id, supportedList, c.vers) { 285 break 286 } 287 } 288 289 if hs.suite == nil { 290 c.sendAlert(alertHandshakeFailure) 291 return false, errors.New("tls: no cipher suite supported by both client and server") 292 } 293 294 // See https://tools.ietf.org/html/rfc7507. 295 for _, id := range hs.clientHello.cipherSuites { 296 if id == TLS_FALLBACK_SCSV { 297 // The client is doing a fallback connection. 298 if hs.clientHello.vers < c.config.maxVersion() { 299 c.sendAlert(alertInappropriateFallback) 300 return false, errors.New("tls: client using inappropriate protocol fallback") 301 } 302 break 303 } 304 } 305 306 return false, nil 307 } 308 309 // checkForResumption reports whether we should perform resumption on this connection. 310 func (hs *serverHandshakeState) checkForResumption() bool { 311 c := hs.c 312 313 if c.config.SessionTicketsDisabled { 314 return false 315 } 316 317 var ok bool 318 var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...) 319 if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok { 320 return false 321 } 322 323 // Never resume a session for a different TLS version. 324 if c.vers != hs.sessionState.vers { 325 return false 326 } 327 328 cipherSuiteOk := false 329 // Check that the client is still offering the ciphersuite in the session. 330 for _, id := range hs.clientHello.cipherSuites { 331 if id == hs.sessionState.cipherSuite { 332 cipherSuiteOk = true 333 break 334 } 335 } 336 if !cipherSuiteOk { 337 return false 338 } 339 340 // Check that we also support the ciphersuite from the session. 341 if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) { 342 return false 343 } 344 345 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 346 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 347 if needClientCerts && !sessionHasClientCerts { 348 return false 349 } 350 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 351 return false 352 } 353 354 return true 355 } 356 357 func (hs *serverHandshakeState) doResumeHandshake() error { 358 c := hs.c 359 360 hs.hello.cipherSuite = hs.suite.id 361 // We echo the client's session ID in the ServerHello to let it know 362 // that we're doing a resumption. 363 hs.hello.sessionId = hs.clientHello.sessionId 364 hs.hello.ticketSupported = hs.sessionState.usedOldKey 365 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 366 hs.finishedHash.discardHandshakeBuffer() 367 hs.finishedHash.Write(hs.clientHello.marshal()) 368 hs.finishedHash.Write(hs.hello.marshal()) 369 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 370 return err 371 } 372 373 if len(hs.sessionState.certificates) > 0 { 374 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 375 return err 376 } 377 } 378 379 hs.masterSecret = hs.sessionState.masterSecret 380 381 return nil 382 } 383 384 func (hs *serverHandshakeState) doFullHandshake() error { 385 c := hs.c 386 387 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 388 hs.hello.ocspStapling = true 389 } 390 391 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled 392 hs.hello.cipherSuite = hs.suite.id 393 394 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite) 395 if c.config.ClientAuth == NoClientCert { 396 // No need to keep a full record of the handshake if client 397 // certificates won't be used. 398 hs.finishedHash.discardHandshakeBuffer() 399 } 400 hs.finishedHash.Write(hs.clientHello.marshal()) 401 hs.finishedHash.Write(hs.hello.marshal()) 402 // send server hello 403 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 404 return err 405 } 406 certMsg := new(certificateMsg) 407 certMsg.certificates = hs.cert.Certificate 408 hs.finishedHash.Write(certMsg.marshal()) 409 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 410 return err 411 } 412 if hs.hello.ocspStapling { 413 certStatus := new(certificateStatusMsg) 414 certStatus.statusType = statusTypeOCSP 415 certStatus.response = hs.cert.OCSPStaple 416 hs.finishedHash.Write(certStatus.marshal()) 417 if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil { 418 return err 419 } 420 } 421 keyAgreement := hs.suite.ka(c.vers) 422 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello) 423 if err != nil { 424 c.sendAlert(alertHandshakeFailure) 425 return err 426 } 427 if skx != nil { 428 hs.finishedHash.Write(skx.marshal()) 429 if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil { 430 return err 431 } 432 } 433 if c.config.ClientAuth >= RequestClientCert { 434 // Request a client certificate 435 certReq := new(certificateRequestMsg) 436 certReq.certificateTypes = []byte{ 437 byte(certTypeRSASign), 438 byte(certTypeECDSASign), 439 byte(certTypeSM2Sign), 440 } 441 if c.vers >= VersionTLS12 { 442 certReq.hasSignatureAndHash = true 443 certReq.signatureAndHashes = supportedSignatureAlgorithms 444 } 445 446 // An empty list of certificateAuthorities signals to 447 // the client that it may send any certificate in response 448 // to our request. When we know the CAs we trust, then 449 // we can send them down, so that the client can choose 450 // an appropriate certificate to give to us. 451 if c.config.ClientCAs != nil { 452 certReq.certificateAuthorities = c.config.ClientCAs.Subjects() 453 } 454 // request client cert 455 hs.finishedHash.Write(certReq.marshal()) 456 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { 457 return err 458 } 459 } 460 helloDone := new(serverHelloDoneMsg) 461 hs.finishedHash.Write(helloDone.marshal()) 462 if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil { 463 return err 464 } 465 if _, err := c.flush(); err != nil { 466 return err 467 } 468 469 var pub crypto.PublicKey // public key for client auth, if any 470 msg, err := c.readHandshake() 471 if err != nil { 472 return err 473 } 474 var ok bool 475 // If we requested a client certificate, then the client must send a 476 // certificate message, even if it's empty. 477 if c.config.ClientAuth >= RequestClientCert { 478 if certMsg, ok = msg.(*certificateMsg); !ok { 479 c.sendAlert(alertUnexpectedMessage) 480 return unexpectedMessageError(certMsg, msg) 481 } 482 hs.finishedHash.Write(certMsg.marshal()) 483 if len(certMsg.certificates) == 0 { 484 // The client didn't actually send a certificate 485 switch c.config.ClientAuth { 486 case RequireAnyClientCert, RequireAndVerifyClientCert: 487 c.sendAlert(alertBadCertificate) 488 return errors.New("tls: client didn't provide a certificate") 489 } 490 } 491 pub, err = hs.processCertsFromClient(certMsg.certificates) 492 if err != nil { 493 return err 494 } 495 msg, err = c.readHandshake() 496 if err != nil { 497 return err 498 } 499 } 500 // Get client key exchange 501 ckx, ok := msg.(*clientKeyExchangeMsg) 502 if !ok { 503 c.sendAlert(alertUnexpectedMessage) 504 return unexpectedMessageError(ckx, msg) 505 } 506 hs.finishedHash.Write(ckx.marshal()) 507 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers) 508 if err != nil { 509 c.sendAlert(alertHandshakeFailure) 510 return err 511 } 512 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 513 if err := c.config.writeKeyLog(hs.clientHello.random, hs.masterSecret); err != nil { 514 c.sendAlert(alertInternalError) 515 return err 516 } 517 // If we received a client cert in response to our certificate request message, 518 // the client will send us a certificateVerifyMsg immediately after the 519 // clientKeyExchangeMsg. This message is a digest of all preceding 520 // handshake-layer messages that is signed using the private key corresponding 521 // to the client's certificate. This allows us to verify that the client is in 522 // possession of the private key of the certificate. 523 if len(c.peerCertificates) > 0 { 524 msg, err = c.readHandshake() 525 if err != nil { 526 return err 527 } 528 certVerify, ok := msg.(*certificateVerifyMsg) 529 if !ok { 530 c.sendAlert(alertUnexpectedMessage) 531 return unexpectedMessageError(certVerify, msg) 532 } 533 534 // Determine the signature type. 535 var signatureAndHash signatureAndHash 536 if certVerify.hasSignatureAndHash { 537 signatureAndHash = certVerify.signatureAndHash 538 if !isSupportedSignatureAndHash(signatureAndHash, supportedSignatureAlgorithms) { 539 return errors.New("tls: unsupported hash function for client certificate") 540 } 541 } else { 542 // Before TLS 1.2 the signature algorithm was implicit 543 // from the key type, and only one hash per signature 544 // algorithm was possible. Leave the hash as zero. 545 switch pub.(type) { 546 case *ecdsa.PublicKey: 547 pb := pub.(*ecdsa.PublicKey) 548 if ecdsa.IsSM2(pb.Params()) { 549 signatureAndHash.signature = signatureSM2 550 } else { 551 signatureAndHash.signature = signatureECDSA 552 } 553 case *rsa.PublicKey: 554 signatureAndHash.signature = signatureRSA 555 } 556 } 557 558 switch key := pub.(type) { 559 case *ecdsa.PublicKey: 560 if signatureAndHash.signature != signatureSM2 && signatureAndHash.signature != signatureECDSA { 561 err = errors.New("tls: bad signature type for client's SM2 certificate") 562 break 563 } 564 sm2Sig := new(sm2Signature) 565 if _, err = asn1.Unmarshal(certVerify.signature, sm2Sig); err != nil { 566 break 567 } 568 if sm2Sig.R.Sign() <= 0 || sm2Sig.S.Sign() <= 0 { 569 err = errors.New("tls: ECDSA signature contained zero or negative values") 570 break 571 } 572 var digest []byte 573 if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil { 574 break 575 } 576 if !ecdsa.Verify(&ecdsa.PublicKey{ 577 X: key.X, 578 Y: key.Y, 579 Curve: key.Curve, 580 }, digest, sm2Sig.R, sm2Sig.S) { 581 err = errors.New("tls: SM2 verification failure") 582 } 583 584 case *rsa.PublicKey: 585 if signatureAndHash.signature != signatureRSA { 586 err = errors.New("tls: bad signature type for client's RSA certificate") 587 break 588 } 589 var digest []byte 590 var hashFunc newcryptosm.Hash 591 if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil { 592 break 593 } 594 err = rsa.VerifyPKCS1v15(key, crypto.Hash(hashFunc), digest, certVerify.signature) 595 } 596 if err != nil { 597 c.sendAlert(alertBadCertificate) 598 return errors.New("tls: could not validate signature of connection nonces: " + err.Error()) 599 } 600 601 hs.finishedHash.Write(certVerify.marshal()) 602 } 603 604 hs.finishedHash.discardHandshakeBuffer() 605 606 return nil 607 } 608 609 func (hs *serverHandshakeState) establishKeys() error { 610 c := hs.c 611 612 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 613 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 614 615 var clientCipher, serverCipher interface{} 616 var clientHash, serverHash macFunction 617 618 if hs.suite.aead == nil { 619 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 620 clientHash = hs.suite.mac(c.vers, clientMAC) 621 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 622 serverHash = hs.suite.mac(c.vers, serverMAC) 623 } else { 624 clientCipher = hs.suite.aead(clientKey, clientIV) 625 serverCipher = hs.suite.aead(serverKey, serverIV) 626 } 627 628 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) 629 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) 630 631 return nil 632 } 633 634 func (hs *serverHandshakeState) readFinished(out []byte) error { 635 c := hs.c 636 637 c.readRecord(recordTypeChangeCipherSpec) 638 if c.in.err != nil { 639 return c.in.err 640 } 641 642 if hs.hello.nextProtoNeg { 643 msg, err := c.readHandshake() 644 if err != nil { 645 return err 646 } 647 nextProto, ok := msg.(*nextProtoMsg) 648 if !ok { 649 c.sendAlert(alertUnexpectedMessage) 650 return unexpectedMessageError(nextProto, msg) 651 } 652 hs.finishedHash.Write(nextProto.marshal()) 653 c.clientProtocol = nextProto.proto 654 } 655 656 msg, err := c.readHandshake() 657 if err != nil { 658 return err 659 } 660 clientFinished, ok := msg.(*finishedMsg) 661 if !ok { 662 c.sendAlert(alertUnexpectedMessage) 663 return unexpectedMessageError(clientFinished, msg) 664 } 665 666 verify := hs.finishedHash.clientSum(hs.masterSecret) 667 if len(verify) != len(clientFinished.verifyData) || 668 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 669 c.sendAlert(alertHandshakeFailure) 670 return errors.New("tls: client's Finished message is incorrect") 671 } 672 673 hs.finishedHash.Write(clientFinished.marshal()) 674 copy(out, verify) 675 return nil 676 } 677 678 func (hs *serverHandshakeState) sendSessionTicket() error { 679 if !hs.hello.ticketSupported { 680 return nil 681 } 682 683 c := hs.c 684 m := new(newSessionTicketMsg) 685 686 var err error 687 state := sessionState{ 688 vers: c.vers, 689 cipherSuite: hs.suite.id, 690 masterSecret: hs.masterSecret, 691 certificates: hs.certsFromClient, 692 } 693 m.ticket, err = c.encryptTicket(&state) 694 if err != nil { 695 return err 696 } 697 698 hs.finishedHash.Write(m.marshal()) 699 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { 700 return err 701 } 702 703 return nil 704 } 705 706 func (hs *serverHandshakeState) sendFinished(out []byte) error { 707 c := hs.c 708 709 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { 710 return err 711 } 712 713 finished := new(finishedMsg) 714 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 715 hs.finishedHash.Write(finished.marshal()) 716 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 717 return err 718 } 719 720 c.cipherSuite = hs.suite.id 721 copy(out, finished.verifyData) 722 723 return nil 724 } 725 726 // processCertsFromClient takes a chain of client certificates either from a 727 // Certificates message or from a sessionState and verifies them. It returns 728 // the public key of the leaf certificate. 729 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 730 c := hs.c 731 732 hs.certsFromClient = certificates 733 certs := make([]*x5092.Certificate, len(certificates)) 734 var err error 735 for i, asn1Data := range certificates { 736 if certs[i], err = x5092.ParseCertificate(asn1Data); err != nil { 737 c.sendAlert(alertBadCertificate) 738 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 739 } 740 } 741 742 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 743 opts := x5092.VerifyOptions{ 744 Roots: c.config.ClientCAs, 745 CurrentTime: c.config.time(), 746 Intermediates: x5092.NewCertPool(), 747 KeyUsages: []x5092.ExtKeyUsage{x5092.ExtKeyUsageClientAuth}, 748 } 749 750 for _, cert := range certs[1:] { 751 opts.Intermediates.AddCert(cert) 752 } 753 754 chains, err := certs[0].Verify(opts) 755 if err != nil { 756 c.sendAlert(alertBadCertificate) 757 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 758 } 759 760 c.verifiedChains = chains 761 } 762 763 if c.config.VerifyPeerCertificate != nil { 764 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil { 765 c.sendAlert(alertBadCertificate) 766 return nil, err 767 } 768 } 769 770 if len(certs) == 0 { 771 return nil, nil 772 } 773 774 var pub crypto.PublicKey 775 switch key := certs[0].PublicKey.(type) { 776 case *rsa.PublicKey, *ecdsa.PublicKey: 777 pub = key 778 default: 779 c.sendAlert(alertUnsupportedCertificate) 780 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey) 781 } 782 c.peerCertificates = certs 783 return pub, nil 784 } 785 786 // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState 787 // suite if that cipher suite is acceptable to use. 788 // It returns a bool indicating if the suite was set. 789 func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool { 790 for _, supported := range supportedCipherSuites { 791 if id == supported { 792 var candidate *cipherSuite 793 794 for _, s := range cipherSuites { 795 if s.id == id { 796 candidate = s 797 break 798 } 799 } 800 if candidate == nil { 801 continue 802 } 803 // Don't select a ciphersuite which we can't 804 // support for this client. 805 if candidate.flags&suiteECDHE != 0 { // 都是ecdhe密钥交换 806 if !hs.ellipticOk { // 是不是椭圆曲线 若是 807 continue 808 } 809 if candidate.flags&suiteECDSA != 0 { // 再判断是不是 签名算法是ecdsa 810 if !hs.ecdsaOk { 811 continue 812 } 813 } else if !hs.rsaSignOk { 814 continue 815 } 816 } else if candidate.flags&suiteSM2E != 0 { // sm2 ex 817 if !hs.ellipticOk { // 是不是椭圆曲线 若是 818 continue 819 } 820 if candidate.flags&suiteSM2 != 0 { // 再判断是不是 签名算法是SM2 821 if !hs.sm2Ok { 822 continue 823 } 824 } 825 } else if !hs.rsaDecryptOk { // rsa ex 826 continue 827 } 828 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 829 continue 830 } 831 hs.suite = candidate 832 return true 833 } 834 } 835 return false 836 } 837 838 // suppVersArray is the backing array of ClientHelloInfo.SupportedVersions 839 var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} 840 841 func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo { 842 if hs.cachedClientHelloInfo != nil { 843 return hs.cachedClientHelloInfo 844 } 845 846 var supportedVersions []uint16 847 if hs.clientHello.vers > VersionTLS12 { 848 supportedVersions = suppVersArray[:] 849 } else if hs.clientHello.vers >= VersionSSL30 { 850 supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:] 851 } 852 853 signatureSchemes := make([]SignatureScheme, 0, len(hs.clientHello.signatureAndHashes)) 854 for _, sah := range hs.clientHello.signatureAndHashes { 855 signatureSchemes = append(signatureSchemes, SignatureScheme(sah.hash)<<8+SignatureScheme(sah.signature)) 856 } 857 858 hs.cachedClientHelloInfo = &ClientHelloInfo{ 859 CipherSuites: hs.clientHello.cipherSuites, 860 ServerName: hs.clientHello.serverName, 861 SupportedCurves: hs.clientHello.supportedCurves, 862 SupportedPoints: hs.clientHello.supportedPoints, 863 SignatureSchemes: signatureSchemes, 864 SupportedProtos: hs.clientHello.alpnProtocols, 865 SupportedVersions: supportedVersions, 866 Conn: hs.c.conn, 867 } 868 869 return hs.cachedClientHelloInfo 870 }