github.com/zmap/zcrypto@v0.0.0-20240512203510-0fef58d9a9db/tls/handshake_server.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "crypto" 9 "crypto/ecdsa" 10 "crypto/rsa" 11 "crypto/subtle" 12 "encoding/asn1" 13 "errors" 14 "fmt" 15 "io" 16 17 "github.com/zmap/zcrypto/x509" 18 ) 19 20 // serverHandshakeState contains details of a server handshake in progress. 21 // It's discarded once the handshake has completed. 22 type serverHandshakeState struct { 23 c *Conn 24 clientHello *clientHelloMsg 25 hello *serverHelloMsg 26 suite *cipherSuite 27 ellipticOk bool 28 ecdsaOk bool 29 sessionState *sessionState 30 finishedHash finishedHash 31 masterSecret []byte 32 certsFromClient [][]byte 33 cert *Certificate 34 preMasterSecret []byte 35 cachedClientHelloInfo *ClientHelloInfo 36 } 37 38 // serverHandshake performs a TLS handshake as a server. 39 func (c *Conn) serverHandshake() error { 40 // If this is the first server handshake, we generate a random key to 41 // encrypt the tickets with. 42 c.config.serverInitOnce.Do(c.config.serverInit) 43 44 hs := serverHandshakeState{ 45 c: c, 46 } 47 isResume, err := hs.readClientHello() 48 if err != nil { 49 return err 50 } 51 52 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 53 if !c.config.DontBufferHandshakes { 54 c.buffering = true 55 defer c.flush() 56 } 57 if isResume { 58 // The client has included a session ticket and so we do an abbreviated handshake. 59 if err := hs.doResumeHandshake(); err != nil { 60 return err 61 } 62 if err := hs.establishKeys(); err != nil { 63 return err 64 } 65 if err := hs.sendFinished(); err != nil { 66 return err 67 } 68 if _, err := c.flush(); err != nil { 69 return err 70 } 71 if err := hs.readFinished(); err != nil { 72 return err 73 } 74 c.didResume = true 75 } else { 76 // The client didn't include a session ticket, or it wasn't 77 // valid so we do a full handshake. 78 if err := hs.doFullHandshake(); err != nil { 79 return err 80 } 81 if err := hs.establishKeys(); err != nil { 82 return err 83 } 84 if err := hs.readFinished(); err != nil { 85 return err 86 } 87 if !c.config.DontBufferHandshakes { 88 c.buffering = true 89 defer c.flush() 90 } 91 if err := hs.sendSessionTicket(); err != nil { 92 return err 93 } 94 if err := hs.sendFinished(); err != nil { 95 return err 96 } 97 if _, err := c.flush(); err != nil { 98 return err 99 } 100 } 101 102 c.handshakeLog.KeyMaterial = hs.MakeLog() 103 104 c.handshakeComplete = true 105 106 return nil 107 } 108 109 // readClientHello reads a ClientHello message from the client and decides 110 // whether we will perform session resumption. 111 func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) { 112 c := hs.c 113 c.handshakeLog = new(ServerHandshake) 114 115 msg, err := c.readHandshake() 116 if err != nil { 117 return false, err 118 } 119 var ok bool 120 hs.clientHello, ok = msg.(*clientHelloMsg) 121 if !ok { 122 c.sendAlert(alertUnexpectedMessage) 123 return false, unexpectedMessageError(hs.clientHello, msg) 124 } 125 c.clientHelloRaw = hs.clientHello.raw 126 c.clientCiphers = hs.clientHello.cipherSuites 127 c.handshakeLog.ClientHello = hs.clientHello.MakeLog() 128 129 if c.config.GetConfigForClient != nil { 130 if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil { 131 c.sendAlert(alertInternalError) 132 return false, err 133 } else if newConfig != nil { 134 newConfig.mutex.Lock() 135 newConfig.originalConfig = c.config 136 newConfig.mutex.Unlock() 137 138 newConfig.serverInitOnce.Do(newConfig.serverInit) 139 c.config = newConfig 140 } 141 } 142 143 c.vers, ok = c.config.mutualVersion(hs.clientHello.vers) 144 if !ok { 145 c.sendAlert(alertProtocolVersion) 146 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers) 147 } 148 c.haveVers = true 149 150 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 151 hs.finishedHash.Write(hs.clientHello.marshal()) 152 153 hs.hello = new(serverHelloMsg) 154 155 supportedCurve := false 156 preferredCurves := c.config.curvePreferences() 157 Curves: 158 for _, curve := range hs.clientHello.supportedCurves { 159 for _, supported := range preferredCurves { 160 if supported == curve { 161 supportedCurve = true 162 break Curves 163 } 164 } 165 } 166 167 supportedPointFormat := false 168 for _, pointFormat := range hs.clientHello.supportedPoints { 169 if pointFormat == pointFormatUncompressed { 170 supportedPointFormat = true 171 break 172 } 173 } 174 hs.ellipticOk = supportedCurve && supportedPointFormat 175 176 foundCompression := false 177 // We only support null compression, so check that the client offered it. 178 for _, compression := range hs.clientHello.compressionMethods { 179 if compression == compressionNone { 180 foundCompression = true 181 break 182 } 183 } 184 185 if !foundCompression { 186 c.sendAlert(alertHandshakeFailure) 187 return false, errors.New("tls: client does not support uncompressed connections") 188 } 189 190 hs.hello.vers = c.vers 191 192 hs.hello.random = make([]byte, 32) 193 if len(c.config.ServerRandom) == 32 { 194 copy(hs.hello.random, c.config.ServerRandom) 195 } else { 196 _, err := io.ReadFull(c.config.rand(), hs.hello.random) 197 if err != nil { 198 c.sendAlert(alertInternalError) 199 return false, err 200 } 201 } 202 203 hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation 204 hs.hello.compressionMethod = compressionNone 205 hs.hello.extendedMasterSecret = c.vers >= VersionTLS10 && hs.clientHello.extendedMasterSecret && c.config.ExtendedMasterSecret 206 if len(hs.clientHello.serverName) > 0 { 207 c.serverName = hs.clientHello.serverName 208 } 209 if len(hs.clientHello.alpnProtocols) > 0 { 210 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback { 211 hs.hello.alpnProtocol = selectedProto 212 c.clientProtocol = selectedProto 213 } 214 } else { 215 // Although sending an empty NPN extension is reasonable, Firefox has 216 // had a bug around this. Best to send nothing at all if 217 // c.config.NextProtos is empty. See 218 // https://code.google.com/p/go/issues/detail?id=5445. 219 if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 { 220 hs.hello.nextProtoNeg = true 221 hs.hello.nextProtos = c.config.NextProtos 222 } 223 } 224 225 if len(c.config.Certificates) == 0 { 226 c.sendAlert(alertInternalError) 227 return false, errors.New("tls: no certificates configured") 228 } 229 hs.cert = &c.config.Certificates[0] 230 if len(hs.clientHello.serverName) > 0 { 231 hs.cert = c.config.getCertificateForName(hs.clientHello.serverName) 232 } 233 234 _, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey) 235 236 if hs.checkForResumption() { 237 return true, nil 238 } 239 240 var preferenceList, supportedList []uint16 241 if c.config.PreferServerCipherSuites { 242 preferenceList = c.config.cipherSuites() 243 supportedList = hs.clientHello.cipherSuites 244 } else { 245 preferenceList = hs.clientHello.cipherSuites 246 supportedList = c.config.cipherSuites() 247 } 248 249 for _, id := range preferenceList { 250 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil { 251 break 252 } 253 } 254 255 if hs.suite == nil { 256 c.sendAlert(alertHandshakeFailure) 257 return false, errors.New("tls: no cipher suite supported by both client and server") 258 } 259 260 return false, nil 261 } 262 263 // checkForResumption returns true if we should perform resumption on this connection. 264 func (hs *serverHandshakeState) checkForResumption() bool { 265 c := hs.c 266 267 if c.config.SessionTicketsDisabled { 268 return false 269 } 270 271 var ok bool 272 if hs.sessionState, ok = c.decryptTicket(hs.clientHello.sessionTicket); !ok { 273 return false 274 } 275 276 if hs.sessionState.vers > hs.clientHello.vers { 277 return false 278 } 279 if vers, ok := c.config.mutualVersion(hs.sessionState.vers); !ok || vers != hs.sessionState.vers { 280 return false 281 } 282 283 cipherSuiteOk := false 284 // Check that the client is still offering the ciphersuite in the session. 285 for _, id := range hs.clientHello.cipherSuites { 286 if id == hs.sessionState.cipherSuite { 287 cipherSuiteOk = true 288 break 289 } 290 } 291 if !cipherSuiteOk { 292 return false 293 } 294 295 // Check that we also support the ciphersuite from the session. 296 hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers, hs.ellipticOk, hs.ecdsaOk) 297 if hs.suite == nil { 298 return false 299 } 300 301 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 302 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert 303 if needClientCerts && !sessionHasClientCerts { 304 return false 305 } 306 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 307 return false 308 } 309 310 return true 311 } 312 313 func (hs *serverHandshakeState) doResumeHandshake() error { 314 c := hs.c 315 316 hs.hello.cipherSuite = hs.suite.id 317 // We echo the client's session ID in the ServerHello to let it know 318 // that we're doing a resumption. 319 hs.hello.sessionId = hs.clientHello.sessionId 320 hs.finishedHash.Write(hs.hello.marshal()) 321 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 322 c.handshakeLog.ServerHello = hs.hello.MakeLog() 323 324 if len(hs.sessionState.certificates) > 0 { 325 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil { 326 return err 327 } 328 } 329 330 hs.masterSecret = hs.sessionState.masterSecret 331 c.extendedMasterSecret = hs.sessionState.extendedMasterSecret 332 333 return nil 334 } 335 336 func (hs *serverHandshakeState) doFullHandshake() error { 337 c := hs.c 338 339 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 340 hs.hello.ocspStapling = true 341 } 342 343 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled 344 hs.hello.cipherSuite = hs.suite.id 345 c.extendedMasterSecret = hs.hello.extendedMasterSecret 346 hs.finishedHash.Write(hs.hello.marshal()) 347 c.writeRecord(recordTypeHandshake, hs.hello.marshal()) 348 c.handshakeLog.ServerHello = hs.hello.MakeLog() 349 350 certMsg := new(certificateMsg) 351 certMsg.certificates = hs.cert.Certificate 352 hs.finishedHash.Write(certMsg.marshal()) 353 c.writeRecord(recordTypeHandshake, certMsg.marshal()) 354 c.handshakeLog.ServerCertificates = certMsg.MakeLog() 355 356 if hs.hello.ocspStapling { 357 certStatus := new(certificateStatusMsg) 358 certStatus.statusType = statusTypeOCSP 359 certStatus.response = hs.cert.OCSPStaple 360 hs.finishedHash.Write(certStatus.marshal()) 361 c.writeRecord(recordTypeHandshake, certStatus.marshal()) 362 } 363 364 keyAgreement := hs.suite.ka(c.vers) 365 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello) 366 if err != nil { 367 c.sendAlert(alertHandshakeFailure) 368 return err 369 } 370 if skx != nil { 371 hs.finishedHash.Write(skx.marshal()) 372 c.writeRecord(recordTypeHandshake, skx.marshal()) 373 c.handshakeLog.ServerKeyExchange = skx.MakeLog(keyAgreement) 374 } 375 376 if c.config.ClientAuth >= RequestClientCert { 377 // Request a client certificate 378 certReq := new(certificateRequestMsg) 379 certReq.certificateTypes = []byte{ 380 byte(certTypeRSASign), 381 byte(certTypeECDSASign), 382 } 383 if c.vers >= VersionTLS12 { 384 certReq.hasSignatureAndHash = true 385 certReq.signatureAndHashes = c.config.signatureAndHashesForServer() 386 } 387 388 // An empty list of certificateAuthorities signals to 389 // the client that it may send any certificate in response 390 // to our request. When we know the CAs we trust, then 391 // we can send them down, so that the client can choose 392 // an appropriate certificate to give to us. 393 if c.config.ClientCAs != nil { 394 certReq.certificateAuthorities = c.config.ClientCAs.Subjects() 395 } 396 hs.finishedHash.Write(certReq.marshal()) 397 c.writeRecord(recordTypeHandshake, certReq.marshal()) 398 } 399 400 helloDone := new(serverHelloDoneMsg) 401 hs.finishedHash.Write(helloDone.marshal()) 402 c.writeRecord(recordTypeHandshake, helloDone.marshal()) 403 404 if _, err := c.flush(); err != nil { 405 return err 406 } 407 408 var pub crypto.PublicKey // public key for client auth, if any 409 410 msg, err := c.readHandshake() 411 if err != nil { 412 return err 413 } 414 415 var ok bool 416 // If we requested a client certificate, then the client must send a 417 // certificate message, even if it's empty. 418 if c.config.ClientAuth >= RequestClientCert { 419 if certMsg, ok = msg.(*certificateMsg); !ok { 420 c.sendAlert(alertUnexpectedMessage) 421 return unexpectedMessageError(certMsg, msg) 422 } 423 hs.finishedHash.Write(certMsg.marshal()) 424 425 if len(certMsg.certificates) == 0 { 426 // The client didn't actually send a certificate 427 switch c.config.ClientAuth { 428 case RequireAnyClientCert, RequireAndVerifyClientCert: 429 c.sendAlert(alertBadCertificate) 430 return errors.New("tls: client didn't provide a certificate") 431 } 432 } 433 434 pub, err = hs.processCertsFromClient(certMsg.certificates) 435 if err != nil { 436 return err 437 } 438 439 msg, err = c.readHandshake() 440 if err != nil { 441 return err 442 } 443 } 444 445 // Get client key exchange 446 ckx, ok := msg.(*clientKeyExchangeMsg) 447 if !ok { 448 c.sendAlert(alertUnexpectedMessage) 449 return unexpectedMessageError(ckx, msg) 450 } 451 hs.finishedHash.Write(ckx.marshal()) 452 453 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx) 454 if err != nil { 455 c.sendAlert(alertHandshakeFailure) 456 return err 457 } 458 c.handshakeLog.ClientKeyExchange = ckx.MakeLog(keyAgreement) 459 460 hs.preMasterSecret = make([]byte, len(preMasterSecret)) 461 copy(hs.preMasterSecret, preMasterSecret) 462 463 if c.extendedMasterSecret { 464 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash) 465 } else { 466 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 467 } 468 469 // If we received a client cert in response to our certificate request message, 470 // the client will send us a certificateVerifyMsg immediately after the 471 // clientKeyExchangeMsg. This message is a digest of all preceding 472 // handshake-layer messages that is signed using the private key corresponding 473 // to the client's certificate. This allows us to verify that the client is in 474 // possession of the private key of the certificate. 475 if len(c.peerCertificates) > 0 { 476 msg, err = c.readHandshake() 477 if err != nil { 478 return err 479 } 480 certVerify, ok := msg.(*certificateVerifyMsg) 481 if !ok { 482 c.sendAlert(alertUnexpectedMessage) 483 return unexpectedMessageError(certVerify, msg) 484 } 485 486 // Determine the signature type. 487 var signatureAndHash SigAndHash 488 if certVerify.hasSignatureAndHash { 489 signatureAndHash = certVerify.signatureAndHash 490 if !isSupportedSignatureAndHash(signatureAndHash, c.config.signatureAndHashesForServer()) { 491 return errors.New("tls: unsupported hash function for client certificate") 492 } 493 } else { 494 // Before TLS 1.2 the signature algorithm was implicit 495 // from the key type, and only one hash per signature 496 // algorithm was possible. Leave the hash as zero. 497 switch pub.(type) { 498 case *ecdsa.PublicKey: 499 signatureAndHash.Signature = signatureECDSA 500 case *rsa.PublicKey: 501 signatureAndHash.Signature = signatureRSA 502 } 503 } 504 505 switch key := pub.(type) { 506 case *x509.AugmentedECDSA: 507 if signatureAndHash.Signature != signatureECDSA { 508 err = errors.New("tls: bad signature type for client's ECDSA certificate") 509 break 510 } 511 ecdsaSig := new(ecdsaSignature) 512 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil { 513 break 514 } 515 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 516 err = errors.New("ECDSA signature contained zero or negative values") 517 break 518 } 519 var digest []byte 520 digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret) 521 if err != nil { 522 break 523 } 524 if !ecdsa.Verify(key.Pub, digest, ecdsaSig.R, ecdsaSig.S) { 525 err = errors.New("ECDSA verification failure") 526 break 527 } 528 case *ecdsa.PublicKey: 529 if signatureAndHash.Signature != signatureECDSA { 530 err = errors.New("tls: bad signature type for client's ECDSA certificate") 531 break 532 } 533 ecdsaSig := new(ecdsaSignature) 534 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil { 535 break 536 } 537 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 538 err = errors.New("ECDSA signature contained zero or negative values") 539 break 540 } 541 var digest []byte 542 digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret) 543 if err != nil { 544 break 545 } 546 if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) { 547 err = errors.New("ECDSA verification failure") 548 break 549 } 550 case *rsa.PublicKey: 551 if signatureAndHash.Signature != signatureRSA { 552 err = errors.New("tls: bad signature type for client's RSA certificate") 553 break 554 } 555 var digest []byte 556 var hashFunc crypto.Hash 557 digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret) 558 if err != nil { 559 break 560 } 561 err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature) 562 } 563 if err != nil { 564 c.sendAlert(alertBadCertificate) 565 return errors.New("could not validate signature of connection nonces: " + err.Error()) 566 } 567 568 hs.writeClientHash(certVerify.marshal()) 569 } 570 571 return nil 572 } 573 574 func (hs *serverHandshakeState) establishKeys() error { 575 c := hs.c 576 577 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 578 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 579 580 var clientCipher, serverCipher interface{} 581 var clientHash, serverHash macFunction 582 583 if hs.suite.aead == nil { 584 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 585 clientHash = hs.suite.mac(c.vers, clientMAC) 586 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 587 serverHash = hs.suite.mac(c.vers, serverMAC) 588 } else { 589 clientCipher = hs.suite.aead(clientKey, clientIV) 590 serverCipher = hs.suite.aead(serverKey, serverIV) 591 } 592 593 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) 594 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) 595 596 return nil 597 } 598 599 func (hs *serverHandshakeState) readFinished() error { 600 c := hs.c 601 602 c.readRecord(recordTypeChangeCipherSpec) 603 if err := c.in.error(); err != nil { 604 return err 605 } 606 607 if hs.hello.nextProtoNeg { 608 msg, err := c.readHandshake() 609 if err != nil { 610 return err 611 } 612 nextProto, ok := msg.(*nextProtoMsg) 613 if !ok { 614 c.sendAlert(alertUnexpectedMessage) 615 return unexpectedMessageError(nextProto, msg) 616 } 617 hs.finishedHash.Write(nextProto.marshal()) 618 c.clientProtocol = nextProto.proto 619 } 620 621 msg, err := c.readHandshake() 622 if err != nil { 623 return err 624 } 625 clientFinished, ok := msg.(*finishedMsg) 626 if !ok { 627 c.sendAlert(alertUnexpectedMessage) 628 return unexpectedMessageError(clientFinished, msg) 629 } 630 c.handshakeLog.ClientFinished = clientFinished.MakeLog() 631 632 verify := hs.finishedHash.clientSum(hs.masterSecret) 633 if len(verify) != len(clientFinished.verifyData) || 634 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 635 c.sendAlert(alertHandshakeFailure) 636 return errors.New("tls: client's Finished message is incorrect") 637 } 638 639 hs.finishedHash.Write(clientFinished.marshal()) 640 return nil 641 } 642 643 func (hs *serverHandshakeState) sendSessionTicket() error { 644 if !hs.hello.ticketSupported { 645 return nil 646 } 647 648 c := hs.c 649 m := new(newSessionTicketMsg) 650 651 var err error 652 state := sessionState{ 653 vers: c.vers, 654 cipherSuite: hs.suite.id, 655 masterSecret: hs.masterSecret, 656 certificates: hs.certsFromClient, 657 } 658 m.ticket, err = c.encryptTicket(&state) 659 if err != nil { 660 return err 661 } 662 663 hs.finishedHash.Write(m.marshal()) 664 c.writeRecord(recordTypeHandshake, m.marshal()) 665 666 return nil 667 } 668 669 func (hs *serverHandshakeState) sendFinished() error { 670 c := hs.c 671 672 c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 673 674 finished := new(finishedMsg) 675 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 676 hs.finishedHash.Write(finished.marshal()) 677 c.writeRecord(recordTypeHandshake, finished.marshal()) 678 c.handshakeLog.ServerFinished = finished.MakeLog() 679 680 c.cipherSuite = hs.suite.id 681 682 return nil 683 } 684 685 // processCertsFromClient takes a chain of client certificates either from a 686 // Certificates message or from a sessionState and verifies them. It returns 687 // the public key of the leaf certificate. 688 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) { 689 c := hs.c 690 691 hs.certsFromClient = certificates 692 certs := make([]*x509.Certificate, len(certificates)) 693 var err error 694 for i, asn1Data := range certificates { 695 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 696 c.sendAlert(alertBadCertificate) 697 return nil, errors.New("tls: failed to parse client certificate: " + err.Error()) 698 } 699 } 700 701 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 702 opts := x509.VerifyOptions{ 703 Roots: c.config.ClientCAs, 704 CurrentTime: c.config.time(), 705 Intermediates: x509.NewCertPool(), 706 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 707 } 708 709 for _, cert := range certs[1:] { 710 opts.Intermediates.AddCert(cert) 711 } 712 713 chains, _, _, err := certs[0].Verify(opts) 714 if err != nil { 715 c.sendAlert(alertBadCertificate) 716 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error()) 717 } 718 719 ok := false 720 for _, ku := range certs[0].ExtKeyUsage { 721 if ku == x509.ExtKeyUsageClientAuth { 722 ok = true 723 break 724 } 725 } 726 if !ok { 727 c.sendAlert(alertHandshakeFailure) 728 return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication") 729 } 730 731 c.verifiedChains = chains 732 } 733 734 if len(certs) > 0 { 735 var pub crypto.PublicKey 736 switch key := certs[0].PublicKey.(type) { 737 case *ecdsa.PublicKey, *rsa.PublicKey: 738 pub = key 739 case *x509.AugmentedECDSA: 740 pub = key.Pub 741 default: 742 c.sendAlert(alertUnsupportedCertificate) 743 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey) 744 } 745 c.peerCertificates = certs 746 return pub, nil 747 } 748 749 return nil, nil 750 } 751 752 func (hs *serverHandshakeState) writeServerHash(msg []byte) { 753 // writeServerHash is called before writeRecord. 754 hs.writeHash(msg, 0) 755 } 756 757 func (hs *serverHandshakeState) writeClientHash(msg []byte) { 758 // writeClientHash is called after readHandshake. 759 hs.writeHash(msg, 0) 760 } 761 762 func (hs *serverHandshakeState) writeHash(msg []byte, seqno uint16) { 763 hs.finishedHash.Write(msg) 764 } 765 766 // tryCipherSuite returns a cipherSuite with the given id if that cipher suite 767 // is acceptable to use. 768 func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite { 769 for _, supported := range supportedCipherSuites { 770 if id == supported { 771 var candidate *cipherSuite 772 773 for _, s := range implementedCipherSuites { 774 if s.id == id { 775 candidate = s 776 break 777 } 778 } 779 if candidate == nil { 780 continue 781 } 782 // Don't select a ciphersuite which we can't 783 // support for this client. 784 if (candidate.flags&suiteECDHE != 0) && !ellipticOk { 785 continue 786 } 787 if (candidate.flags&suiteECDSA != 0) != ecdsaOk { 788 continue 789 } 790 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 { 791 continue 792 } 793 return candidate 794 } 795 } 796 797 return nil 798 } 799 800 // suppVersArray is the backing array of ClientHelloInfo.SupportedVersions 801 var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30} 802 803 func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo { 804 if hs.cachedClientHelloInfo != nil { 805 return hs.cachedClientHelloInfo 806 } 807 808 var supportedVersions []uint16 809 if hs.clientHello.vers > VersionTLS12 { 810 supportedVersions = suppVersArray[:] 811 } else if hs.clientHello.vers >= VersionSSL30 { 812 supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:] 813 } 814 815 signatureSchemes := make([]SignatureScheme, 0, len(hs.clientHello.signatureAndHashes)) 816 for _, sah := range hs.clientHello.signatureAndHashes { 817 signatureSchemes = append(signatureSchemes, SignatureScheme(sah.Hash)<<8+SignatureScheme(sah.Signature)) 818 } 819 820 hs.cachedClientHelloInfo = &ClientHelloInfo{ 821 CipherSuites: hs.clientHello.cipherSuites, 822 ServerName: hs.clientHello.serverName, 823 SupportedCurves: hs.clientHello.supportedCurves, 824 SupportedPoints: hs.clientHello.supportedPoints, 825 SignatureSchemes: signatureSchemes, 826 SupportedProtos: hs.clientHello.alpnProtocols, 827 SupportedVersions: supportedVersions, 828 Conn: hs.c.conn, 829 HandshakeLog: hs.c.handshakeLog, 830 } 831 832 return hs.cachedClientHelloInfo 833 }