github.com/zmap/zcrypto@v0.0.0-20240512203510-0fef58d9a9db/tls/handshake_server.go (about)

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"crypto"
     9  	"crypto/ecdsa"
    10  	"crypto/rsa"
    11  	"crypto/subtle"
    12  	"encoding/asn1"
    13  	"errors"
    14  	"fmt"
    15  	"io"
    16  
    17  	"github.com/zmap/zcrypto/x509"
    18  )
    19  
    20  // serverHandshakeState contains details of a server handshake in progress.
    21  // It's discarded once the handshake has completed.
    22  type serverHandshakeState struct {
    23  	c                     *Conn
    24  	clientHello           *clientHelloMsg
    25  	hello                 *serverHelloMsg
    26  	suite                 *cipherSuite
    27  	ellipticOk            bool
    28  	ecdsaOk               bool
    29  	sessionState          *sessionState
    30  	finishedHash          finishedHash
    31  	masterSecret          []byte
    32  	certsFromClient       [][]byte
    33  	cert                  *Certificate
    34  	preMasterSecret       []byte
    35  	cachedClientHelloInfo *ClientHelloInfo
    36  }
    37  
    38  // serverHandshake performs a TLS handshake as a server.
    39  func (c *Conn) serverHandshake() error {
    40  	// If this is the first server handshake, we generate a random key to
    41  	// encrypt the tickets with.
    42  	c.config.serverInitOnce.Do(c.config.serverInit)
    43  
    44  	hs := serverHandshakeState{
    45  		c: c,
    46  	}
    47  	isResume, err := hs.readClientHello()
    48  	if err != nil {
    49  		return err
    50  	}
    51  
    52  	// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3
    53  	if !c.config.DontBufferHandshakes {
    54  		c.buffering = true
    55  		defer c.flush()
    56  	}
    57  	if isResume {
    58  		// The client has included a session ticket and so we do an abbreviated handshake.
    59  		if err := hs.doResumeHandshake(); err != nil {
    60  			return err
    61  		}
    62  		if err := hs.establishKeys(); err != nil {
    63  			return err
    64  		}
    65  		if err := hs.sendFinished(); err != nil {
    66  			return err
    67  		}
    68  		if _, err := c.flush(); err != nil {
    69  			return err
    70  		}
    71  		if err := hs.readFinished(); err != nil {
    72  			return err
    73  		}
    74  		c.didResume = true
    75  	} else {
    76  		// The client didn't include a session ticket, or it wasn't
    77  		// valid so we do a full handshake.
    78  		if err := hs.doFullHandshake(); err != nil {
    79  			return err
    80  		}
    81  		if err := hs.establishKeys(); err != nil {
    82  			return err
    83  		}
    84  		if err := hs.readFinished(); err != nil {
    85  			return err
    86  		}
    87  		if !c.config.DontBufferHandshakes {
    88  			c.buffering = true
    89  			defer c.flush()
    90  		}
    91  		if err := hs.sendSessionTicket(); err != nil {
    92  			return err
    93  		}
    94  		if err := hs.sendFinished(); err != nil {
    95  			return err
    96  		}
    97  		if _, err := c.flush(); err != nil {
    98  			return err
    99  		}
   100  	}
   101  
   102  	c.handshakeLog.KeyMaterial = hs.MakeLog()
   103  
   104  	c.handshakeComplete = true
   105  
   106  	return nil
   107  }
   108  
   109  // readClientHello reads a ClientHello message from the client and decides
   110  // whether we will perform session resumption.
   111  func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
   112  	c := hs.c
   113  	c.handshakeLog = new(ServerHandshake)
   114  
   115  	msg, err := c.readHandshake()
   116  	if err != nil {
   117  		return false, err
   118  	}
   119  	var ok bool
   120  	hs.clientHello, ok = msg.(*clientHelloMsg)
   121  	if !ok {
   122  		c.sendAlert(alertUnexpectedMessage)
   123  		return false, unexpectedMessageError(hs.clientHello, msg)
   124  	}
   125  	c.clientHelloRaw = hs.clientHello.raw
   126  	c.clientCiphers = hs.clientHello.cipherSuites
   127  	c.handshakeLog.ClientHello = hs.clientHello.MakeLog()
   128  
   129  	if c.config.GetConfigForClient != nil {
   130  		if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil {
   131  			c.sendAlert(alertInternalError)
   132  			return false, err
   133  		} else if newConfig != nil {
   134  			newConfig.mutex.Lock()
   135  			newConfig.originalConfig = c.config
   136  			newConfig.mutex.Unlock()
   137  
   138  			newConfig.serverInitOnce.Do(newConfig.serverInit)
   139  			c.config = newConfig
   140  		}
   141  	}
   142  
   143  	c.vers, ok = c.config.mutualVersion(hs.clientHello.vers)
   144  	if !ok {
   145  		c.sendAlert(alertProtocolVersion)
   146  		return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
   147  	}
   148  	c.haveVers = true
   149  
   150  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   151  	hs.finishedHash.Write(hs.clientHello.marshal())
   152  
   153  	hs.hello = new(serverHelloMsg)
   154  
   155  	supportedCurve := false
   156  	preferredCurves := c.config.curvePreferences()
   157  Curves:
   158  	for _, curve := range hs.clientHello.supportedCurves {
   159  		for _, supported := range preferredCurves {
   160  			if supported == curve {
   161  				supportedCurve = true
   162  				break Curves
   163  			}
   164  		}
   165  	}
   166  
   167  	supportedPointFormat := false
   168  	for _, pointFormat := range hs.clientHello.supportedPoints {
   169  		if pointFormat == pointFormatUncompressed {
   170  			supportedPointFormat = true
   171  			break
   172  		}
   173  	}
   174  	hs.ellipticOk = supportedCurve && supportedPointFormat
   175  
   176  	foundCompression := false
   177  	// We only support null compression, so check that the client offered it.
   178  	for _, compression := range hs.clientHello.compressionMethods {
   179  		if compression == compressionNone {
   180  			foundCompression = true
   181  			break
   182  		}
   183  	}
   184  
   185  	if !foundCompression {
   186  		c.sendAlert(alertHandshakeFailure)
   187  		return false, errors.New("tls: client does not support uncompressed connections")
   188  	}
   189  
   190  	hs.hello.vers = c.vers
   191  
   192  	hs.hello.random = make([]byte, 32)
   193  	if len(c.config.ServerRandom) == 32 {
   194  		copy(hs.hello.random, c.config.ServerRandom)
   195  	} else {
   196  		_, err := io.ReadFull(c.config.rand(), hs.hello.random)
   197  		if err != nil {
   198  			c.sendAlert(alertInternalError)
   199  			return false, err
   200  		}
   201  	}
   202  
   203  	hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation
   204  	hs.hello.compressionMethod = compressionNone
   205  	hs.hello.extendedMasterSecret = c.vers >= VersionTLS10 && hs.clientHello.extendedMasterSecret && c.config.ExtendedMasterSecret
   206  	if len(hs.clientHello.serverName) > 0 {
   207  		c.serverName = hs.clientHello.serverName
   208  	}
   209  	if len(hs.clientHello.alpnProtocols) > 0 {
   210  		if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
   211  			hs.hello.alpnProtocol = selectedProto
   212  			c.clientProtocol = selectedProto
   213  		}
   214  	} else {
   215  		// Although sending an empty NPN extension is reasonable, Firefox has
   216  		// had a bug around this. Best to send nothing at all if
   217  		// c.config.NextProtos is empty. See
   218  		// https://code.google.com/p/go/issues/detail?id=5445.
   219  		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 {
   220  			hs.hello.nextProtoNeg = true
   221  			hs.hello.nextProtos = c.config.NextProtos
   222  		}
   223  	}
   224  
   225  	if len(c.config.Certificates) == 0 {
   226  		c.sendAlert(alertInternalError)
   227  		return false, errors.New("tls: no certificates configured")
   228  	}
   229  	hs.cert = &c.config.Certificates[0]
   230  	if len(hs.clientHello.serverName) > 0 {
   231  		hs.cert = c.config.getCertificateForName(hs.clientHello.serverName)
   232  	}
   233  
   234  	_, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey)
   235  
   236  	if hs.checkForResumption() {
   237  		return true, nil
   238  	}
   239  
   240  	var preferenceList, supportedList []uint16
   241  	if c.config.PreferServerCipherSuites {
   242  		preferenceList = c.config.cipherSuites()
   243  		supportedList = hs.clientHello.cipherSuites
   244  	} else {
   245  		preferenceList = hs.clientHello.cipherSuites
   246  		supportedList = c.config.cipherSuites()
   247  	}
   248  
   249  	for _, id := range preferenceList {
   250  		if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil {
   251  			break
   252  		}
   253  	}
   254  
   255  	if hs.suite == nil {
   256  		c.sendAlert(alertHandshakeFailure)
   257  		return false, errors.New("tls: no cipher suite supported by both client and server")
   258  	}
   259  
   260  	return false, nil
   261  }
   262  
   263  // checkForResumption returns true if we should perform resumption on this connection.
   264  func (hs *serverHandshakeState) checkForResumption() bool {
   265  	c := hs.c
   266  
   267  	if c.config.SessionTicketsDisabled {
   268  		return false
   269  	}
   270  
   271  	var ok bool
   272  	if hs.sessionState, ok = c.decryptTicket(hs.clientHello.sessionTicket); !ok {
   273  		return false
   274  	}
   275  
   276  	if hs.sessionState.vers > hs.clientHello.vers {
   277  		return false
   278  	}
   279  	if vers, ok := c.config.mutualVersion(hs.sessionState.vers); !ok || vers != hs.sessionState.vers {
   280  		return false
   281  	}
   282  
   283  	cipherSuiteOk := false
   284  	// Check that the client is still offering the ciphersuite in the session.
   285  	for _, id := range hs.clientHello.cipherSuites {
   286  		if id == hs.sessionState.cipherSuite {
   287  			cipherSuiteOk = true
   288  			break
   289  		}
   290  	}
   291  	if !cipherSuiteOk {
   292  		return false
   293  	}
   294  
   295  	// Check that we also support the ciphersuite from the session.
   296  	hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers, hs.ellipticOk, hs.ecdsaOk)
   297  	if hs.suite == nil {
   298  		return false
   299  	}
   300  
   301  	sessionHasClientCerts := len(hs.sessionState.certificates) != 0
   302  	needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert
   303  	if needClientCerts && !sessionHasClientCerts {
   304  		return false
   305  	}
   306  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   307  		return false
   308  	}
   309  
   310  	return true
   311  }
   312  
   313  func (hs *serverHandshakeState) doResumeHandshake() error {
   314  	c := hs.c
   315  
   316  	hs.hello.cipherSuite = hs.suite.id
   317  	// We echo the client's session ID in the ServerHello to let it know
   318  	// that we're doing a resumption.
   319  	hs.hello.sessionId = hs.clientHello.sessionId
   320  	hs.finishedHash.Write(hs.hello.marshal())
   321  	c.writeRecord(recordTypeHandshake, hs.hello.marshal())
   322  	c.handshakeLog.ServerHello = hs.hello.MakeLog()
   323  
   324  	if len(hs.sessionState.certificates) > 0 {
   325  		if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
   326  			return err
   327  		}
   328  	}
   329  
   330  	hs.masterSecret = hs.sessionState.masterSecret
   331  	c.extendedMasterSecret = hs.sessionState.extendedMasterSecret
   332  
   333  	return nil
   334  }
   335  
   336  func (hs *serverHandshakeState) doFullHandshake() error {
   337  	c := hs.c
   338  
   339  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   340  		hs.hello.ocspStapling = true
   341  	}
   342  
   343  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   344  	hs.hello.cipherSuite = hs.suite.id
   345  	c.extendedMasterSecret = hs.hello.extendedMasterSecret
   346  	hs.finishedHash.Write(hs.hello.marshal())
   347  	c.writeRecord(recordTypeHandshake, hs.hello.marshal())
   348  	c.handshakeLog.ServerHello = hs.hello.MakeLog()
   349  
   350  	certMsg := new(certificateMsg)
   351  	certMsg.certificates = hs.cert.Certificate
   352  	hs.finishedHash.Write(certMsg.marshal())
   353  	c.writeRecord(recordTypeHandshake, certMsg.marshal())
   354  	c.handshakeLog.ServerCertificates = certMsg.MakeLog()
   355  
   356  	if hs.hello.ocspStapling {
   357  		certStatus := new(certificateStatusMsg)
   358  		certStatus.statusType = statusTypeOCSP
   359  		certStatus.response = hs.cert.OCSPStaple
   360  		hs.finishedHash.Write(certStatus.marshal())
   361  		c.writeRecord(recordTypeHandshake, certStatus.marshal())
   362  	}
   363  
   364  	keyAgreement := hs.suite.ka(c.vers)
   365  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   366  	if err != nil {
   367  		c.sendAlert(alertHandshakeFailure)
   368  		return err
   369  	}
   370  	if skx != nil {
   371  		hs.finishedHash.Write(skx.marshal())
   372  		c.writeRecord(recordTypeHandshake, skx.marshal())
   373  		c.handshakeLog.ServerKeyExchange = skx.MakeLog(keyAgreement)
   374  	}
   375  
   376  	if c.config.ClientAuth >= RequestClientCert {
   377  		// Request a client certificate
   378  		certReq := new(certificateRequestMsg)
   379  		certReq.certificateTypes = []byte{
   380  			byte(certTypeRSASign),
   381  			byte(certTypeECDSASign),
   382  		}
   383  		if c.vers >= VersionTLS12 {
   384  			certReq.hasSignatureAndHash = true
   385  			certReq.signatureAndHashes = c.config.signatureAndHashesForServer()
   386  		}
   387  
   388  		// An empty list of certificateAuthorities signals to
   389  		// the client that it may send any certificate in response
   390  		// to our request. When we know the CAs we trust, then
   391  		// we can send them down, so that the client can choose
   392  		// an appropriate certificate to give to us.
   393  		if c.config.ClientCAs != nil {
   394  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   395  		}
   396  		hs.finishedHash.Write(certReq.marshal())
   397  		c.writeRecord(recordTypeHandshake, certReq.marshal())
   398  	}
   399  
   400  	helloDone := new(serverHelloDoneMsg)
   401  	hs.finishedHash.Write(helloDone.marshal())
   402  	c.writeRecord(recordTypeHandshake, helloDone.marshal())
   403  
   404  	if _, err := c.flush(); err != nil {
   405  		return err
   406  	}
   407  
   408  	var pub crypto.PublicKey // public key for client auth, if any
   409  
   410  	msg, err := c.readHandshake()
   411  	if err != nil {
   412  		return err
   413  	}
   414  
   415  	var ok bool
   416  	// If we requested a client certificate, then the client must send a
   417  	// certificate message, even if it's empty.
   418  	if c.config.ClientAuth >= RequestClientCert {
   419  		if certMsg, ok = msg.(*certificateMsg); !ok {
   420  			c.sendAlert(alertUnexpectedMessage)
   421  			return unexpectedMessageError(certMsg, msg)
   422  		}
   423  		hs.finishedHash.Write(certMsg.marshal())
   424  
   425  		if len(certMsg.certificates) == 0 {
   426  			// The client didn't actually send a certificate
   427  			switch c.config.ClientAuth {
   428  			case RequireAnyClientCert, RequireAndVerifyClientCert:
   429  				c.sendAlert(alertBadCertificate)
   430  				return errors.New("tls: client didn't provide a certificate")
   431  			}
   432  		}
   433  
   434  		pub, err = hs.processCertsFromClient(certMsg.certificates)
   435  		if err != nil {
   436  			return err
   437  		}
   438  
   439  		msg, err = c.readHandshake()
   440  		if err != nil {
   441  			return err
   442  		}
   443  	}
   444  
   445  	// Get client key exchange
   446  	ckx, ok := msg.(*clientKeyExchangeMsg)
   447  	if !ok {
   448  		c.sendAlert(alertUnexpectedMessage)
   449  		return unexpectedMessageError(ckx, msg)
   450  	}
   451  	hs.finishedHash.Write(ckx.marshal())
   452  
   453  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx)
   454  	if err != nil {
   455  		c.sendAlert(alertHandshakeFailure)
   456  		return err
   457  	}
   458  	c.handshakeLog.ClientKeyExchange = ckx.MakeLog(keyAgreement)
   459  
   460  	hs.preMasterSecret = make([]byte, len(preMasterSecret))
   461  	copy(hs.preMasterSecret, preMasterSecret)
   462  
   463  	if c.extendedMasterSecret {
   464  		hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
   465  	} else {
   466  		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
   467  	}
   468  
   469  	// If we received a client cert in response to our certificate request message,
   470  	// the client will send us a certificateVerifyMsg immediately after the
   471  	// clientKeyExchangeMsg.  This message is a digest of all preceding
   472  	// handshake-layer messages that is signed using the private key corresponding
   473  	// to the client's certificate. This allows us to verify that the client is in
   474  	// possession of the private key of the certificate.
   475  	if len(c.peerCertificates) > 0 {
   476  		msg, err = c.readHandshake()
   477  		if err != nil {
   478  			return err
   479  		}
   480  		certVerify, ok := msg.(*certificateVerifyMsg)
   481  		if !ok {
   482  			c.sendAlert(alertUnexpectedMessage)
   483  			return unexpectedMessageError(certVerify, msg)
   484  		}
   485  
   486  		// Determine the signature type.
   487  		var signatureAndHash SigAndHash
   488  		if certVerify.hasSignatureAndHash {
   489  			signatureAndHash = certVerify.signatureAndHash
   490  			if !isSupportedSignatureAndHash(signatureAndHash, c.config.signatureAndHashesForServer()) {
   491  				return errors.New("tls: unsupported hash function for client certificate")
   492  			}
   493  		} else {
   494  			// Before TLS 1.2 the signature algorithm was implicit
   495  			// from the key type, and only one hash per signature
   496  			// algorithm was possible. Leave the hash as zero.
   497  			switch pub.(type) {
   498  			case *ecdsa.PublicKey:
   499  				signatureAndHash.Signature = signatureECDSA
   500  			case *rsa.PublicKey:
   501  				signatureAndHash.Signature = signatureRSA
   502  			}
   503  		}
   504  
   505  		switch key := pub.(type) {
   506  		case *x509.AugmentedECDSA:
   507  			if signatureAndHash.Signature != signatureECDSA {
   508  				err = errors.New("tls: bad signature type for client's ECDSA certificate")
   509  				break
   510  			}
   511  			ecdsaSig := new(ecdsaSignature)
   512  			if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {
   513  				break
   514  			}
   515  			if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
   516  				err = errors.New("ECDSA signature contained zero or negative values")
   517  				break
   518  			}
   519  			var digest []byte
   520  			digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret)
   521  			if err != nil {
   522  				break
   523  			}
   524  			if !ecdsa.Verify(key.Pub, digest, ecdsaSig.R, ecdsaSig.S) {
   525  				err = errors.New("ECDSA verification failure")
   526  				break
   527  			}
   528  		case *ecdsa.PublicKey:
   529  			if signatureAndHash.Signature != signatureECDSA {
   530  				err = errors.New("tls: bad signature type for client's ECDSA certificate")
   531  				break
   532  			}
   533  			ecdsaSig := new(ecdsaSignature)
   534  			if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {
   535  				break
   536  			}
   537  			if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
   538  				err = errors.New("ECDSA signature contained zero or negative values")
   539  				break
   540  			}
   541  			var digest []byte
   542  			digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret)
   543  			if err != nil {
   544  				break
   545  			}
   546  			if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {
   547  				err = errors.New("ECDSA verification failure")
   548  				break
   549  			}
   550  		case *rsa.PublicKey:
   551  			if signatureAndHash.Signature != signatureRSA {
   552  				err = errors.New("tls: bad signature type for client's RSA certificate")
   553  				break
   554  			}
   555  			var digest []byte
   556  			var hashFunc crypto.Hash
   557  			digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret)
   558  			if err != nil {
   559  				break
   560  			}
   561  			err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature)
   562  		}
   563  		if err != nil {
   564  			c.sendAlert(alertBadCertificate)
   565  			return errors.New("could not validate signature of connection nonces: " + err.Error())
   566  		}
   567  
   568  		hs.writeClientHash(certVerify.marshal())
   569  	}
   570  
   571  	return nil
   572  }
   573  
   574  func (hs *serverHandshakeState) establishKeys() error {
   575  	c := hs.c
   576  
   577  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   578  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   579  
   580  	var clientCipher, serverCipher interface{}
   581  	var clientHash, serverHash macFunction
   582  
   583  	if hs.suite.aead == nil {
   584  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   585  		clientHash = hs.suite.mac(c.vers, clientMAC)
   586  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   587  		serverHash = hs.suite.mac(c.vers, serverMAC)
   588  	} else {
   589  		clientCipher = hs.suite.aead(clientKey, clientIV)
   590  		serverCipher = hs.suite.aead(serverKey, serverIV)
   591  	}
   592  
   593  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   594  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   595  
   596  	return nil
   597  }
   598  
   599  func (hs *serverHandshakeState) readFinished() error {
   600  	c := hs.c
   601  
   602  	c.readRecord(recordTypeChangeCipherSpec)
   603  	if err := c.in.error(); err != nil {
   604  		return err
   605  	}
   606  
   607  	if hs.hello.nextProtoNeg {
   608  		msg, err := c.readHandshake()
   609  		if err != nil {
   610  			return err
   611  		}
   612  		nextProto, ok := msg.(*nextProtoMsg)
   613  		if !ok {
   614  			c.sendAlert(alertUnexpectedMessage)
   615  			return unexpectedMessageError(nextProto, msg)
   616  		}
   617  		hs.finishedHash.Write(nextProto.marshal())
   618  		c.clientProtocol = nextProto.proto
   619  	}
   620  
   621  	msg, err := c.readHandshake()
   622  	if err != nil {
   623  		return err
   624  	}
   625  	clientFinished, ok := msg.(*finishedMsg)
   626  	if !ok {
   627  		c.sendAlert(alertUnexpectedMessage)
   628  		return unexpectedMessageError(clientFinished, msg)
   629  	}
   630  	c.handshakeLog.ClientFinished = clientFinished.MakeLog()
   631  
   632  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   633  	if len(verify) != len(clientFinished.verifyData) ||
   634  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   635  		c.sendAlert(alertHandshakeFailure)
   636  		return errors.New("tls: client's Finished message is incorrect")
   637  	}
   638  
   639  	hs.finishedHash.Write(clientFinished.marshal())
   640  	return nil
   641  }
   642  
   643  func (hs *serverHandshakeState) sendSessionTicket() error {
   644  	if !hs.hello.ticketSupported {
   645  		return nil
   646  	}
   647  
   648  	c := hs.c
   649  	m := new(newSessionTicketMsg)
   650  
   651  	var err error
   652  	state := sessionState{
   653  		vers:         c.vers,
   654  		cipherSuite:  hs.suite.id,
   655  		masterSecret: hs.masterSecret,
   656  		certificates: hs.certsFromClient,
   657  	}
   658  	m.ticket, err = c.encryptTicket(&state)
   659  	if err != nil {
   660  		return err
   661  	}
   662  
   663  	hs.finishedHash.Write(m.marshal())
   664  	c.writeRecord(recordTypeHandshake, m.marshal())
   665  
   666  	return nil
   667  }
   668  
   669  func (hs *serverHandshakeState) sendFinished() error {
   670  	c := hs.c
   671  
   672  	c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
   673  
   674  	finished := new(finishedMsg)
   675  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   676  	hs.finishedHash.Write(finished.marshal())
   677  	c.writeRecord(recordTypeHandshake, finished.marshal())
   678  	c.handshakeLog.ServerFinished = finished.MakeLog()
   679  
   680  	c.cipherSuite = hs.suite.id
   681  
   682  	return nil
   683  }
   684  
   685  // processCertsFromClient takes a chain of client certificates either from a
   686  // Certificates message or from a sessionState and verifies them. It returns
   687  // the public key of the leaf certificate.
   688  func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
   689  	c := hs.c
   690  
   691  	hs.certsFromClient = certificates
   692  	certs := make([]*x509.Certificate, len(certificates))
   693  	var err error
   694  	for i, asn1Data := range certificates {
   695  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   696  			c.sendAlert(alertBadCertificate)
   697  			return nil, errors.New("tls: failed to parse client certificate: " + err.Error())
   698  		}
   699  	}
   700  
   701  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   702  		opts := x509.VerifyOptions{
   703  			Roots:         c.config.ClientCAs,
   704  			CurrentTime:   c.config.time(),
   705  			Intermediates: x509.NewCertPool(),
   706  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   707  		}
   708  
   709  		for _, cert := range certs[1:] {
   710  			opts.Intermediates.AddCert(cert)
   711  		}
   712  
   713  		chains, _, _, err := certs[0].Verify(opts)
   714  		if err != nil {
   715  			c.sendAlert(alertBadCertificate)
   716  			return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())
   717  		}
   718  
   719  		ok := false
   720  		for _, ku := range certs[0].ExtKeyUsage {
   721  			if ku == x509.ExtKeyUsageClientAuth {
   722  				ok = true
   723  				break
   724  			}
   725  		}
   726  		if !ok {
   727  			c.sendAlert(alertHandshakeFailure)
   728  			return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication")
   729  		}
   730  
   731  		c.verifiedChains = chains
   732  	}
   733  
   734  	if len(certs) > 0 {
   735  		var pub crypto.PublicKey
   736  		switch key := certs[0].PublicKey.(type) {
   737  		case *ecdsa.PublicKey, *rsa.PublicKey:
   738  			pub = key
   739  		case *x509.AugmentedECDSA:
   740  			pub = key.Pub
   741  		default:
   742  			c.sendAlert(alertUnsupportedCertificate)
   743  			return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
   744  		}
   745  		c.peerCertificates = certs
   746  		return pub, nil
   747  	}
   748  
   749  	return nil, nil
   750  }
   751  
   752  func (hs *serverHandshakeState) writeServerHash(msg []byte) {
   753  	// writeServerHash is called before writeRecord.
   754  	hs.writeHash(msg, 0)
   755  }
   756  
   757  func (hs *serverHandshakeState) writeClientHash(msg []byte) {
   758  	// writeClientHash is called after readHandshake.
   759  	hs.writeHash(msg, 0)
   760  }
   761  
   762  func (hs *serverHandshakeState) writeHash(msg []byte, seqno uint16) {
   763  	hs.finishedHash.Write(msg)
   764  }
   765  
   766  // tryCipherSuite returns a cipherSuite with the given id if that cipher suite
   767  // is acceptable to use.
   768  func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite {
   769  	for _, supported := range supportedCipherSuites {
   770  		if id == supported {
   771  			var candidate *cipherSuite
   772  
   773  			for _, s := range implementedCipherSuites {
   774  				if s.id == id {
   775  					candidate = s
   776  					break
   777  				}
   778  			}
   779  			if candidate == nil {
   780  				continue
   781  			}
   782  			// Don't select a ciphersuite which we can't
   783  			// support for this client.
   784  			if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
   785  				continue
   786  			}
   787  			if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
   788  				continue
   789  			}
   790  			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
   791  				continue
   792  			}
   793  			return candidate
   794  		}
   795  	}
   796  
   797  	return nil
   798  }
   799  
   800  // suppVersArray is the backing array of ClientHelloInfo.SupportedVersions
   801  var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
   802  
   803  func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo {
   804  	if hs.cachedClientHelloInfo != nil {
   805  		return hs.cachedClientHelloInfo
   806  	}
   807  
   808  	var supportedVersions []uint16
   809  	if hs.clientHello.vers > VersionTLS12 {
   810  		supportedVersions = suppVersArray[:]
   811  	} else if hs.clientHello.vers >= VersionSSL30 {
   812  		supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:]
   813  	}
   814  
   815  	signatureSchemes := make([]SignatureScheme, 0, len(hs.clientHello.signatureAndHashes))
   816  	for _, sah := range hs.clientHello.signatureAndHashes {
   817  		signatureSchemes = append(signatureSchemes, SignatureScheme(sah.Hash)<<8+SignatureScheme(sah.Signature))
   818  	}
   819  
   820  	hs.cachedClientHelloInfo = &ClientHelloInfo{
   821  		CipherSuites:      hs.clientHello.cipherSuites,
   822  		ServerName:        hs.clientHello.serverName,
   823  		SupportedCurves:   hs.clientHello.supportedCurves,
   824  		SupportedPoints:   hs.clientHello.supportedPoints,
   825  		SignatureSchemes:  signatureSchemes,
   826  		SupportedProtos:   hs.clientHello.alpnProtocols,
   827  		SupportedVersions: supportedVersions,
   828  		Conn:              hs.c.conn,
   829  		HandshakeLog:      hs.c.handshakeLog,
   830  	}
   831  
   832  	return hs.cachedClientHelloInfo
   833  }