github.com/miolini/go@v0.0.0-20160405192216-fca68c8cb408/src/crypto/tls/handshake_server.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto" 9 "crypto/ecdsa" 10 "crypto/rsa" 11 "crypto/subtle" 12 "crypto/x509" 13 "encoding/asn1" 14 "errors" 15 "fmt" 16 "io" 17 ) 18 19 // serverHandshakeState contains details of a server handshake in progress. 20 // It's discarded once the handshake has completed. 21 type serverHandshakeState struct { 22 c *Conn 23 clientHello *clientHelloMsg 24 hello *serverHelloMsg 25 suite *cipherSuite 26 ellipticOk bool 27 ecdsaOk bool 28 rsaDecryptOk bool 29 rsaSignOk bool 30 sessionState *sessionState 31 finishedHash finishedHash 32 masterSecret []byte 33 certsFromClient [][]byte 34 cert *Certificate 35 } 36 37 // serverHandshake performs a TLS handshake as a server. 38 func (c *Conn) serverHandshake() error { 39 config := c.config 40 41 // If this is the first server handshake, we generate a random key to 42 // encrypt the tickets with. 43 config.serverInitOnce.Do(config.serverInit) 44 45 hs := serverHandshakeState{ 46 c: c, 47 } 48 isResume, err := hs.readClientHello() 49 if err != nil { 50 return err 51 } 52 53 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 54 if isResume { 55 // The client has included a session ticket and so we do an abbreviated handshake. 56 if err := hs.doResumeHandshake(); err != nil { 57 return err 58 } 59 if err := hs.establishKeys(); err != nil { 60 return err 61 } 62 // ticketSupported is set in a resumption handshake if the 63 // ticket from the client was encrypted with an old session 64 // ticket key and thus a refreshed ticket should be sent. 65 if hs.hello.ticketSupported { 66 if err := hs.sendSessionTicket(); err != nil { 67 return err 68 } 69 } 70 if err := hs.sendFinished(c.firstFinished[:]); err != nil { 71 return err 72 } 73 if err := hs.readFinished(nil); err != nil { 74 return err 75 } 76 c.didResume = true 77 } else { 78 // The client didn't include a session ticket, or it wasn't 79 // valid so we do a full handshake. 80 if err := hs.doFullHandshake(); err != nil { 81 return err 82 } 83 if err := hs.establishKeys(); err != nil { 84 return err 85 } 86 if err := hs.readFinished(c.firstFinished[:]); err != nil { 87 return err 88 } 89 if err := hs.sendSessionTicket(); err != nil { 90 return err 91 } 92 if err := hs.sendFinished(nil); err != nil { 93 return err 94 } 95 } 96 c.handshakeComplete = true 97 98 return nil 99 } 100 101 // readClientHello reads a ClientHello message from the client and decides 102 // whether we will perform session resumption. 103 func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) { 104 config := hs.c.config 105 c := hs.c 106 107 msg, err := c.readHandshake() 108 if err != nil { 109 return false, err 110 } 111 var ok bool 112 hs.clientHello, ok = msg.(*clientHelloMsg) 113 if !ok { 114 c.sendAlert(alertUnexpectedMessage) 115 return false, unexpectedMessageError(hs.clientHello, msg) 116 } 117 c.vers, ok = config.mutualVersion(hs.clientHello.vers) 118 if !ok { 119 c.sendAlert(alertProtocolVersion) 120 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers) 121 } 122 c.haveVers = true 123 124 hs.hello = new(serverHelloMsg) 125 126 supportedCurve := false 127 preferredCurves := config.curvePreferences() 128 Curves: 129 for _, curve := range hs.clientHello.supportedCurves { 130 for _, supported := range preferredCurves { 131 if supported == curve { 132 supportedCurve = true 133 break Curves 134 } 135 } 136 } 137 138 supportedPointFormat := false 139 for _, pointFormat := range hs.clientHello.supportedPoints { 140 if pointFormat == pointFormatUncompressed { 141 supportedPointFormat = true 142 break 143 } 144 } 145 hs.ellipticOk = supportedCurve && supportedPointFormat 146 147 foundCompression := false 148 // We only support null compression, so check that the client offered it. 149 for _, compression := range hs.clientHello.compressionMethods { 150 if compression == compressionNone { 151 foundCompression = true 152 break 153 } 154 } 155 156 if !foundCompression { 157 c.sendAlert(alertHandshakeFailure) 158 return false, errors.New("tls: client does not support uncompressed connections") 159 } 160 161 hs.hello.vers = c.vers 162 hs.hello.random = make([]byte, 32) 163 _, err = io.ReadFull(config.rand(), hs.hello.random) 164 if err != nil { 165 c.sendAlert(alertInternalError) 166 return false, err 167 } 168 hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation 169 hs.hello.compressionMethod = compressionNone 170 if len(hs.clientHello.serverName) > 0 { 171 c.serverName = hs.clientHello.serverName 172 } 173 174 if len(hs.clientHello.alpnProtocols) > 0 { 175 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 176 hs.hello.alpnProtocol = selectedProto 177 c.clientProtocol = selectedProto 178 } 179 } else { 180 // Although sending an empty NPN extension is reasonable, Firefox has 181 // had a bug around this. Best to send nothing at all if 182 // config.NextProtos is empty. See 183 // https://golang.org/issue/5445. 184 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 { 185 hs.hello.nextProtoNeg = true 186 hs.hello.nextProtos = config.NextProtos 187 } 188 } 189 190 hs.cert, err = config.getCertificate(&ClientHelloInfo{ 191 CipherSuites: hs.clientHello.cipherSuites, 192 ServerName: hs.clientHello.serverName, 193 SupportedCurves: hs.clientHello.supportedCurves, 194 SupportedPoints: hs.clientHello.supportedPoints, 195 }) 196 if err != nil { 197 c.sendAlert(alertInternalError) 198 return false, err 199 } 200 if hs.clientHello.scts { 201 hs.hello.scts = hs.cert.SignedCertificateTimestamps 202 } 203 204 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok { 205 switch priv.Public().(type) { 206 case *ecdsa.PublicKey: 207 hs.ecdsaOk = true 208 case *rsa.PublicKey: 209 hs.rsaSignOk = true 210 default: 211 c.sendAlert(alertInternalError) 212 return false, fmt.Errorf("crypto/tls: unsupported signing key type (%T)", priv.Public()) 213 } 214 } 215 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok { 216 switch priv.Public().(type) { 217 case *rsa.PublicKey: 218 hs.rsaDecryptOk = true 219 default: 220 c.sendAlert(alertInternalError) 221 return false, fmt.Errorf("crypto/tls: unsupported decryption key type (%T)", priv.Public()) 222 } 223 } 224 225 if hs.checkForResumption() { 226 return true, nil 227 } 228 229 var preferenceList, supportedList []uint16 230 if c.config.PreferServerCipherSuites { 231 preferenceList = c.config.cipherSuites() 232 supportedList = hs.clientHello.cipherSuites 233 } else { 234 preferenceList = hs.clientHello.cipherSuites 235 supportedList = c.config.cipherSuites() 236 } 237 238 for _, id := range preferenceList { 239 if hs.setCipherSuite(id, supportedList, c.vers) { 240 break 241 } 242 } 243 244 if hs.suite == nil { 245 c.sendAlert(alertHandshakeFailure) 246 return false, errors.New("tls: no cipher suite supported by both client and server") 247 } 248 249 // See https://tools.ietf.org/html/rfc7507. 250 for _, id := range hs.clientHello.cipherSuites { 251 if id == TLS_FALLBACK_SCSV { 252 // The client is doing a fallback connection. 253 if hs.clientHello.vers < c.config.maxVersion() { 254 c.sendAlert(alertInappropriateFallback) 255 return false, errors.New("tls: client using inappropriate protocol fallback") 256 } 257 break 258 } 259 } 260 261 return false, nil 262 } 263 264 // checkForResumption reports whether we should perform resumption on this connection. 265 func (hs *serverHandshakeState) checkForResumption() bool { 266 c := hs.c 267 268 if c.config.SessionTicketsDisabled { 269 return false 270 } 271 272 var ok bool 273 var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...) 274 if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok { 275 return false 276 } 277 278 if hs.sessionState.vers > hs.clientHello.vers { 279 return false 280 } 281 if vers, ok := c.config.mutualVersion(hs.sessionState.vers); !ok || vers != hs.sessionState.vers { 282 return false 283 } 284 285 cipherSuiteOk := false 286 // Check that the client is still offering the ciphersuite in the session. 287 for _, id := range hs.clientHello.cipherSuites { 288 if id == hs.sessionState.cipherSuite { 289 cipherSuiteOk = true 290 break 291 } 292 } 293 if !cipherSuiteOk { 294 return false 295 } 296 297 // Check that we also support the ciphersuite from the session. 298 if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) { 299 return false 300 } 301 302 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 303 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 304 if needClientCerts && !sessionHasClientCerts { 305 return false 306 } 307 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 308 return false 309 } 310 311 return true 312 } 313 314 func (hs *serverHandshakeState) doResumeHandshake() error { 315 c := hs.c 316 317 hs.hello.cipherSuite = hs.suite.id 318 // We echo the client's session ID in the ServerHello to let it know 319 // that we're doing a resumption. 320 hs.hello.sessionId = hs.clientHello.sessionId 321 hs.hello.ticketSupported = hs.sessionState.usedOldKey 322 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 323 hs.finishedHash.discardHandshakeBuffer() 324 hs.finishedHash.Write(hs.clientHello.marshal()) 325 hs.finishedHash.Write(hs.hello.marshal()) 326 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 327 return err 328 } 329 330 if len(hs.sessionState.certificates) > 0 { 331 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 332 return err 333 } 334 } 335 336 hs.masterSecret = hs.sessionState.masterSecret 337 338 return nil 339 } 340 341 func (hs *serverHandshakeState) doFullHandshake() error { 342 config := hs.c.config 343 c := hs.c 344 345 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 346 hs.hello.ocspStapling = true 347 } 348 349 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled 350 hs.hello.cipherSuite = hs.suite.id 351 352 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite) 353 if config.ClientAuth == NoClientCert { 354 // No need to keep a full record of the handshake if client 355 // certificates won't be used. 356 hs.finishedHash.discardHandshakeBuffer() 357 } 358 hs.finishedHash.Write(hs.clientHello.marshal()) 359 hs.finishedHash.Write(hs.hello.marshal()) 360 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 361 return err 362 } 363 364 certMsg := new(certificateMsg) 365 certMsg.certificates = hs.cert.Certificate 366 hs.finishedHash.Write(certMsg.marshal()) 367 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 368 return err 369 } 370 371 if hs.hello.ocspStapling { 372 certStatus := new(certificateStatusMsg) 373 certStatus.statusType = statusTypeOCSP 374 certStatus.response = hs.cert.OCSPStaple 375 hs.finishedHash.Write(certStatus.marshal()) 376 if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil { 377 return err 378 } 379 } 380 381 keyAgreement := hs.suite.ka(c.vers) 382 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello) 383 if err != nil { 384 c.sendAlert(alertHandshakeFailure) 385 return err 386 } 387 if skx != nil { 388 hs.finishedHash.Write(skx.marshal()) 389 if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil { 390 return err 391 } 392 } 393 394 if config.ClientAuth >= RequestClientCert { 395 // Request a client certificate 396 certReq := new(certificateRequestMsg) 397 certReq.certificateTypes = []byte{ 398 byte(certTypeRSASign), 399 byte(certTypeECDSASign), 400 } 401 if c.vers >= VersionTLS12 { 402 certReq.hasSignatureAndHash = true 403 certReq.signatureAndHashes = supportedSignatureAlgorithms 404 } 405 406 // An empty list of certificateAuthorities signals to 407 // the client that it may send any certificate in response 408 // to our request. When we know the CAs we trust, then 409 // we can send them down, so that the client can choose 410 // an appropriate certificate to give to us. 411 if config.ClientCAs != nil { 412 certReq.certificateAuthorities = config.ClientCAs.Subjects() 413 } 414 hs.finishedHash.Write(certReq.marshal()) 415 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil { 416 return err 417 } 418 } 419 420 helloDone := new(serverHelloDoneMsg) 421 hs.finishedHash.Write(helloDone.marshal()) 422 if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil { 423 return err 424 } 425 426 var pub crypto.PublicKey // public key for client auth, if any 427 428 msg, err := c.readHandshake() 429 if err != nil { 430 return err 431 } 432 433 var ok bool 434 // If we requested a client certificate, then the client must send a 435 // certificate message, even if it's empty. 436 if config.ClientAuth >= RequestClientCert { 437 if certMsg, ok = msg.(*certificateMsg); !ok { 438 c.sendAlert(alertUnexpectedMessage) 439 return unexpectedMessageError(certMsg, msg) 440 } 441 hs.finishedHash.Write(certMsg.marshal()) 442 443 if len(certMsg.certificates) == 0 { 444 // The client didn't actually send a certificate 445 switch config.ClientAuth { 446 case RequireAnyClientCert, RequireAndVerifyClientCert: 447 c.sendAlert(alertBadCertificate) 448 return errors.New("tls: client didn't provide a certificate") 449 } 450 } 451 452 pub, err = hs.processCertsFromClient(certMsg.certificates) 453 if err != nil { 454 return err 455 } 456 457 msg, err = c.readHandshake() 458 if err != nil { 459 return err 460 } 461 } 462 463 // Get client key exchange 464 ckx, ok := msg.(*clientKeyExchangeMsg) 465 if !ok { 466 c.sendAlert(alertUnexpectedMessage) 467 return unexpectedMessageError(ckx, msg) 468 } 469 hs.finishedHash.Write(ckx.marshal()) 470 471 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers) 472 if err != nil { 473 c.sendAlert(alertHandshakeFailure) 474 return err 475 } 476 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 477 478 // If we received a client cert in response to our certificate request message, 479 // the client will send us a certificateVerifyMsg immediately after the 480 // clientKeyExchangeMsg. This message is a digest of all preceding 481 // handshake-layer messages that is signed using the private key corresponding 482 // to the client's certificate. This allows us to verify that the client is in 483 // possession of the private key of the certificate. 484 if len(c.peerCertificates) > 0 { 485 msg, err = c.readHandshake() 486 if err != nil { 487 return err 488 } 489 certVerify, ok := msg.(*certificateVerifyMsg) 490 if !ok { 491 c.sendAlert(alertUnexpectedMessage) 492 return unexpectedMessageError(certVerify, msg) 493 } 494 495 // Determine the signature type. 496 var signatureAndHash signatureAndHash 497 if certVerify.hasSignatureAndHash { 498 signatureAndHash = certVerify.signatureAndHash 499 if !isSupportedSignatureAndHash(signatureAndHash, supportedSignatureAlgorithms) { 500 return errors.New("tls: unsupported hash function for client certificate") 501 } 502 } else { 503 // Before TLS 1.2 the signature algorithm was implicit 504 // from the key type, and only one hash per signature 505 // algorithm was possible. Leave the hash as zero. 506 switch pub.(type) { 507 case *ecdsa.PublicKey: 508 signatureAndHash.signature = signatureECDSA 509 case *rsa.PublicKey: 510 signatureAndHash.signature = signatureRSA 511 } 512 } 513 514 switch key := pub.(type) { 515 case *ecdsa.PublicKey: 516 if signatureAndHash.signature != signatureECDSA { 517 err = errors.New("bad signature type for client's ECDSA certificate") 518 break 519 } 520 ecdsaSig := new(ecdsaSignature) 521 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil { 522 break 523 } 524 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 525 err = errors.New("ECDSA signature contained zero or negative values") 526 break 527 } 528 var digest []byte 529 if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil { 530 break 531 } 532 if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) { 533 err = errors.New("ECDSA verification failure") 534 } 535 case *rsa.PublicKey: 536 if signatureAndHash.signature != signatureRSA { 537 err = errors.New("bad signature type for client's RSA certificate") 538 break 539 } 540 var digest []byte 541 var hashFunc crypto.Hash 542 if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil { 543 break 544 } 545 err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature) 546 } 547 if err != nil { 548 c.sendAlert(alertBadCertificate) 549 return errors.New("tls: could not validate signature of connection nonces: " + err.Error()) 550 } 551 552 hs.finishedHash.Write(certVerify.marshal()) 553 } 554 555 hs.finishedHash.discardHandshakeBuffer() 556 557 return nil 558 } 559 560 func (hs *serverHandshakeState) establishKeys() error { 561 c := hs.c 562 563 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 564 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 565 566 var clientCipher, serverCipher interface{} 567 var clientHash, serverHash macFunction 568 569 if hs.suite.aead == nil { 570 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 571 clientHash = hs.suite.mac(c.vers, clientMAC) 572 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 573 serverHash = hs.suite.mac(c.vers, serverMAC) 574 } else { 575 clientCipher = hs.suite.aead(clientKey, clientIV) 576 serverCipher = hs.suite.aead(serverKey, serverIV) 577 } 578 579 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) 580 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) 581 582 return nil 583 } 584 585 func (hs *serverHandshakeState) readFinished(out []byte) error { 586 c := hs.c 587 588 c.readRecord(recordTypeChangeCipherSpec) 589 if err := c.in.error(); err != nil { 590 return err 591 } 592 593 if hs.hello.nextProtoNeg { 594 msg, err := c.readHandshake() 595 if err != nil { 596 return err 597 } 598 nextProto, ok := msg.(*nextProtoMsg) 599 if !ok { 600 c.sendAlert(alertUnexpectedMessage) 601 return unexpectedMessageError(nextProto, msg) 602 } 603 hs.finishedHash.Write(nextProto.marshal()) 604 c.clientProtocol = nextProto.proto 605 } 606 607 msg, err := c.readHandshake() 608 if err != nil { 609 return err 610 } 611 clientFinished, ok := msg.(*finishedMsg) 612 if !ok { 613 c.sendAlert(alertUnexpectedMessage) 614 return unexpectedMessageError(clientFinished, msg) 615 } 616 617 verify := hs.finishedHash.clientSum(hs.masterSecret) 618 if len(verify) != len(clientFinished.verifyData) || 619 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 620 c.sendAlert(alertHandshakeFailure) 621 return errors.New("tls: client's Finished message is incorrect") 622 } 623 624 hs.finishedHash.Write(clientFinished.marshal()) 625 copy(out, verify) 626 return nil 627 } 628 629 func (hs *serverHandshakeState) sendSessionTicket() error { 630 if !hs.hello.ticketSupported { 631 return nil 632 } 633 634 c := hs.c 635 m := new(newSessionTicketMsg) 636 637 var err error 638 state := sessionState{ 639 vers: c.vers, 640 cipherSuite: hs.suite.id, 641 masterSecret: hs.masterSecret, 642 certificates: hs.certsFromClient, 643 } 644 m.ticket, err = c.encryptTicket(&state) 645 if err != nil { 646 return err 647 } 648 649 hs.finishedHash.Write(m.marshal()) 650 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil { 651 return err 652 } 653 654 return nil 655 } 656 657 func (hs *serverHandshakeState) sendFinished(out []byte) error { 658 c := hs.c 659 660 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil { 661 return err 662 } 663 664 finished := new(finishedMsg) 665 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 666 hs.finishedHash.Write(finished.marshal()) 667 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 668 return err 669 } 670 671 c.cipherSuite = hs.suite.id 672 copy(out, finished.verifyData) 673 674 return nil 675 } 676 677 // processCertsFromClient takes a chain of client certificates either from a 678 // Certificates message or from a sessionState and verifies them. It returns 679 // the public key of the leaf certificate. 680 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 681 c := hs.c 682 683 hs.certsFromClient = certificates 684 certs := make([]*x509.Certificate, len(certificates)) 685 var err error 686 for i, asn1Data := range certificates { 687 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 688 c.sendAlert(alertBadCertificate) 689 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 690 } 691 } 692 693 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 694 opts := x509.VerifyOptions{ 695 Roots: c.config.ClientCAs, 696 CurrentTime: c.config.time(), 697 Intermediates: x509.NewCertPool(), 698 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 699 } 700 701 for _, cert := range certs[1:] { 702 opts.Intermediates.AddCert(cert) 703 } 704 705 chains, err := certs[0].Verify(opts) 706 if err != nil { 707 c.sendAlert(alertBadCertificate) 708 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 709 } 710 711 c.verifiedChains = chains 712 } 713 714 if len(certs) == 0 { 715 return nil, nil 716 } 717 718 var pub crypto.PublicKey 719 switch key := certs[0].PublicKey.(type) { 720 case *ecdsa.PublicKey, *rsa.PublicKey: 721 pub = key 722 default: 723 c.sendAlert(alertUnsupportedCertificate) 724 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey) 725 } 726 c.peerCertificates = certs 727 return pub, nil 728 } 729 730 // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState 731 // suite if that cipher suite is acceptable to use. 732 // It returns a bool indicating if the suite was set. 733 func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool { 734 for _, supported := range supportedCipherSuites { 735 if id == supported { 736 var candidate *cipherSuite 737 738 for _, s := range cipherSuites { 739 if s.id == id { 740 candidate = s 741 break 742 } 743 } 744 if candidate == nil { 745 continue 746 } 747 // Don't select a ciphersuite which we can't 748 // support for this client. 749 if candidate.flags&suiteECDHE != 0 { 750 if !hs.ellipticOk { 751 continue 752 } 753 if candidate.flags&suiteECDSA != 0 { 754 if !hs.ecdsaOk { 755 continue 756 } 757 } else if !hs.rsaSignOk { 758 continue 759 } 760 } else if !hs.rsaDecryptOk { 761 continue 762 } 763 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 764 continue 765 } 766 hs.suite = candidate 767 return true 768 } 769 } 770 return false 771 }