Source file
src/crypto/tls/handshake_server.go
1
2
3
4
5 package tls
6
7 import (
8 "context"
9 "crypto"
10 "crypto/ecdsa"
11 "crypto/ed25519"
12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
15 "errors"
16 "fmt"
17 "hash"
18 "io"
19 "time"
20 )
21
22
23
24 type serverHandshakeState struct {
25 c *Conn
26 ctx context.Context
27 clientHello *clientHelloMsg
28 hello *serverHelloMsg
29 suite *cipherSuite
30 ecdheOk bool
31 ecSignOk bool
32 rsaDecryptOk bool
33 rsaSignOk bool
34 sessionState *SessionState
35 finishedHash finishedHash
36 masterSecret []byte
37 cert *Certificate
38 }
39
40
41 func (c *Conn) serverHandshake(ctx context.Context) error {
42 clientHello, err := c.readClientHello(ctx)
43 if err != nil {
44 return err
45 }
46
47 if c.vers == VersionTLS13 {
48 hs := serverHandshakeStateTLS13{
49 c: c,
50 ctx: ctx,
51 clientHello: clientHello,
52 }
53 return hs.handshake()
54 }
55
56 hs := serverHandshakeState{
57 c: c,
58 ctx: ctx,
59 clientHello: clientHello,
60 }
61 return hs.handshake()
62 }
63
64 func (hs *serverHandshakeState) handshake() error {
65 c := hs.c
66
67 if err := hs.processClientHello(); err != nil {
68 return err
69 }
70
71
72 c.buffering = true
73 if err := hs.checkForResumption(); err != nil {
74 return err
75 }
76 if hs.sessionState != nil {
77
78 if err := hs.doResumeHandshake(); err != nil {
79 return err
80 }
81 if err := hs.establishKeys(); err != nil {
82 return err
83 }
84 if err := hs.sendSessionTicket(); err != nil {
85 return err
86 }
87 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
88 return err
89 }
90 if _, err := c.flush(); err != nil {
91 return err
92 }
93 c.clientFinishedIsFirst = false
94 if err := hs.readFinished(nil); err != nil {
95 return err
96 }
97 } else {
98
99
100 if err := hs.pickCipherSuite(); err != nil {
101 return err
102 }
103 if err := hs.doFullHandshake(); err != nil {
104 return err
105 }
106 if err := hs.establishKeys(); err != nil {
107 return err
108 }
109 if err := hs.readFinished(c.clientFinished[:]); err != nil {
110 return err
111 }
112 c.clientFinishedIsFirst = true
113 c.buffering = true
114 if err := hs.sendSessionTicket(); err != nil {
115 return err
116 }
117 if err := hs.sendFinished(nil); err != nil {
118 return err
119 }
120 if _, err := c.flush(); err != nil {
121 return err
122 }
123 }
124
125 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
126 c.isHandshakeComplete.Store(true)
127
128 return nil
129 }
130
131
132 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
133
134
135 msg, err := c.readHandshake(nil)
136 if err != nil {
137 return nil, err
138 }
139 clientHello, ok := msg.(*clientHelloMsg)
140 if !ok {
141 c.sendAlert(alertUnexpectedMessage)
142 return nil, unexpectedMessageError(clientHello, msg)
143 }
144
145 var configForClient *Config
146 originalConfig := c.config
147 if c.config.GetConfigForClient != nil {
148 chi := clientHelloInfo(ctx, c, clientHello)
149 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
150 c.sendAlert(alertInternalError)
151 return nil, err
152 } else if configForClient != nil {
153 c.config = configForClient
154 }
155 }
156 c.ticketKeys = originalConfig.ticketKeys(configForClient)
157
158 clientVersions := clientHello.supportedVersions
159 if len(clientHello.supportedVersions) == 0 {
160 clientVersions = supportedVersionsFromMax(clientHello.vers)
161 }
162 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
163 if !ok {
164 c.sendAlert(alertProtocolVersion)
165 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
166 }
167 c.haveVers = true
168 c.in.version = c.vers
169 c.out.version = c.vers
170
171 if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
172 tls10server.IncNonDefault()
173 }
174
175 return clientHello, nil
176 }
177
178 func (hs *serverHandshakeState) processClientHello() error {
179 c := hs.c
180
181 hs.hello = new(serverHelloMsg)
182 hs.hello.vers = c.vers
183
184 foundCompression := false
185
186 for _, compression := range hs.clientHello.compressionMethods {
187 if compression == compressionNone {
188 foundCompression = true
189 break
190 }
191 }
192
193 if !foundCompression {
194 c.sendAlert(alertHandshakeFailure)
195 return errors.New("tls: client does not support uncompressed connections")
196 }
197
198 hs.hello.random = make([]byte, 32)
199 serverRandom := hs.hello.random
200
201 maxVers := c.config.maxSupportedVersion(roleServer)
202 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
203 if c.vers == VersionTLS12 {
204 copy(serverRandom[24:], downgradeCanaryTLS12)
205 } else {
206 copy(serverRandom[24:], downgradeCanaryTLS11)
207 }
208 serverRandom = serverRandom[:24]
209 }
210 _, err := io.ReadFull(c.config.rand(), serverRandom)
211 if err != nil {
212 c.sendAlert(alertInternalError)
213 return err
214 }
215
216 if len(hs.clientHello.secureRenegotiation) != 0 {
217 c.sendAlert(alertHandshakeFailure)
218 return errors.New("tls: initial handshake had non-empty renegotiation extension")
219 }
220
221 hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
222 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
223 hs.hello.compressionMethod = compressionNone
224 if len(hs.clientHello.serverName) > 0 {
225 c.serverName = hs.clientHello.serverName
226 }
227
228 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
229 if err != nil {
230 c.sendAlert(alertNoApplicationProtocol)
231 return err
232 }
233 hs.hello.alpnProtocol = selectedProto
234 c.clientProtocol = selectedProto
235
236 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
237 if err != nil {
238 if err == errNoCertificates {
239 c.sendAlert(alertUnrecognizedName)
240 } else {
241 c.sendAlert(alertInternalError)
242 }
243 return err
244 }
245 if hs.clientHello.scts {
246 hs.hello.scts = hs.cert.SignedCertificateTimestamps
247 }
248
249 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
250
251 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
252
253
254
255
256
257 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
258 }
259
260 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
261 switch priv.Public().(type) {
262 case *ecdsa.PublicKey:
263 hs.ecSignOk = true
264 case ed25519.PublicKey:
265 hs.ecSignOk = true
266 case *rsa.PublicKey:
267 hs.rsaSignOk = true
268 default:
269 c.sendAlert(alertInternalError)
270 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
271 }
272 }
273 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
274 switch priv.Public().(type) {
275 case *rsa.PublicKey:
276 hs.rsaDecryptOk = true
277 default:
278 c.sendAlert(alertInternalError)
279 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
280 }
281 }
282
283 return nil
284 }
285
286
287
288
289 func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
290 if len(serverProtos) == 0 || len(clientProtos) == 0 {
291 if quic && len(serverProtos) != 0 {
292
293 return "", fmt.Errorf("tls: client did not request an application protocol")
294 }
295 return "", nil
296 }
297 var http11fallback bool
298 for _, s := range serverProtos {
299 for _, c := range clientProtos {
300 if s == c {
301 return s, nil
302 }
303 if s == "h2" && c == "http/1.1" {
304 http11fallback = true
305 }
306 }
307 }
308
309
310
311
312 if http11fallback {
313 return "", nil
314 }
315 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
316 }
317
318
319
320 func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
321 supportsCurve := false
322 for _, curve := range supportedCurves {
323 if c.supportsCurve(curve) {
324 supportsCurve = true
325 break
326 }
327 }
328
329 supportsPointFormat := false
330 for _, pointFormat := range supportedPoints {
331 if pointFormat == pointFormatUncompressed {
332 supportsPointFormat = true
333 break
334 }
335 }
336
337
338
339
340 if len(supportedPoints) == 0 {
341 supportsPointFormat = true
342 }
343
344 return supportsCurve && supportsPointFormat
345 }
346
347 func (hs *serverHandshakeState) pickCipherSuite() error {
348 c := hs.c
349
350 preferenceOrder := cipherSuitesPreferenceOrder
351 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
352 preferenceOrder = cipherSuitesPreferenceOrderNoAES
353 }
354
355 configCipherSuites := c.config.cipherSuites()
356 preferenceList := make([]uint16, 0, len(configCipherSuites))
357 for _, suiteID := range preferenceOrder {
358 for _, id := range configCipherSuites {
359 if id == suiteID {
360 preferenceList = append(preferenceList, id)
361 break
362 }
363 }
364 }
365
366 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
367 if hs.suite == nil {
368 c.sendAlert(alertHandshakeFailure)
369 return errors.New("tls: no cipher suite supported by both client and server")
370 }
371 c.cipherSuite = hs.suite.id
372
373 if c.config.CipherSuites == nil && !needFIPS() && rsaKexCiphers[hs.suite.id] {
374 tlsrsakex.IncNonDefault()
375 }
376
377 for _, id := range hs.clientHello.cipherSuites {
378 if id == TLS_FALLBACK_SCSV {
379
380 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
381 c.sendAlert(alertInappropriateFallback)
382 return errors.New("tls: client using inappropriate protocol fallback")
383 }
384 break
385 }
386 }
387
388 return nil
389 }
390
391 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
392 if c.flags&suiteECDHE != 0 {
393 if !hs.ecdheOk {
394 return false
395 }
396 if c.flags&suiteECSign != 0 {
397 if !hs.ecSignOk {
398 return false
399 }
400 } else if !hs.rsaSignOk {
401 return false
402 }
403 } else if !hs.rsaDecryptOk {
404 return false
405 }
406 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
407 return false
408 }
409 return true
410 }
411
412
413 func (hs *serverHandshakeState) checkForResumption() error {
414 c := hs.c
415
416 if c.config.SessionTicketsDisabled {
417 return nil
418 }
419
420 var sessionState *SessionState
421 if c.config.UnwrapSession != nil {
422 ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
423 if err != nil {
424 return err
425 }
426 if ss == nil {
427 return nil
428 }
429 sessionState = ss
430 } else {
431 plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
432 if plaintext == nil {
433 return nil
434 }
435 ss, err := ParseSessionState(plaintext)
436 if err != nil {
437 return nil
438 }
439 sessionState = ss
440 }
441
442
443
444
445 createdAt := time.Unix(int64(sessionState.createdAt), 0)
446 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
447 return nil
448 }
449
450
451 if c.vers != sessionState.version {
452 return nil
453 }
454
455 cipherSuiteOk := false
456
457 for _, id := range hs.clientHello.cipherSuites {
458 if id == sessionState.cipherSuite {
459 cipherSuiteOk = true
460 break
461 }
462 }
463 if !cipherSuiteOk {
464 return nil
465 }
466
467
468 suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
469 c.config.cipherSuites(), hs.cipherSuiteOk)
470 if suite == nil {
471 return nil
472 }
473
474 sessionHasClientCerts := len(sessionState.peerCertificates) != 0
475 needClientCerts := requiresClientCert(c.config.ClientAuth)
476 if needClientCerts && !sessionHasClientCerts {
477 return nil
478 }
479 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
480 return nil
481 }
482 if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
483 return nil
484 }
485 if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
486 len(sessionState.verifiedChains) == 0 {
487 return nil
488 }
489
490
491 if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
492 return nil
493 }
494 if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
495
496
497 return errors.New("tls: session supported extended_master_secret but client does not")
498 }
499
500 c.peerCertificates = sessionState.peerCertificates
501 c.ocspResponse = sessionState.ocspResponse
502 c.scts = sessionState.scts
503 c.verifiedChains = sessionState.verifiedChains
504 c.extMasterSecret = sessionState.extMasterSecret
505 hs.sessionState = sessionState
506 hs.suite = suite
507 c.didResume = true
508 return nil
509 }
510
511 func (hs *serverHandshakeState) doResumeHandshake() error {
512 c := hs.c
513
514 hs.hello.cipherSuite = hs.suite.id
515 c.cipherSuite = hs.suite.id
516
517
518 hs.hello.sessionId = hs.clientHello.sessionId
519
520
521
522 hs.hello.ticketSupported = true
523 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
524 hs.finishedHash.discardHandshakeBuffer()
525 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
526 return err
527 }
528 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
529 return err
530 }
531
532 if c.config.VerifyConnection != nil {
533 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
534 c.sendAlert(alertBadCertificate)
535 return err
536 }
537 }
538
539 hs.masterSecret = hs.sessionState.secret
540
541 return nil
542 }
543
544 func (hs *serverHandshakeState) doFullHandshake() error {
545 c := hs.c
546
547 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
548 hs.hello.ocspStapling = true
549 }
550
551 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
552 hs.hello.cipherSuite = hs.suite.id
553
554 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
555 if c.config.ClientAuth == NoClientCert {
556
557
558 hs.finishedHash.discardHandshakeBuffer()
559 }
560 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
561 return err
562 }
563 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
564 return err
565 }
566
567 certMsg := new(certificateMsg)
568 certMsg.certificates = hs.cert.Certificate
569 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
570 return err
571 }
572
573 if hs.hello.ocspStapling {
574 certStatus := new(certificateStatusMsg)
575 certStatus.response = hs.cert.OCSPStaple
576 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
577 return err
578 }
579 }
580
581 keyAgreement := hs.suite.ka(c.vers)
582 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
583 if err != nil {
584 c.sendAlert(alertHandshakeFailure)
585 return err
586 }
587 if skx != nil {
588 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
589 return err
590 }
591 }
592
593 var certReq *certificateRequestMsg
594 if c.config.ClientAuth >= RequestClientCert {
595
596 certReq = new(certificateRequestMsg)
597 certReq.certificateTypes = []byte{
598 byte(certTypeRSASign),
599 byte(certTypeECDSASign),
600 }
601 if c.vers >= VersionTLS12 {
602 certReq.hasSignatureAlgorithm = true
603 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
604 }
605
606
607
608
609
610
611 if c.config.ClientCAs != nil {
612 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
613 }
614 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
615 return err
616 }
617 }
618
619 helloDone := new(serverHelloDoneMsg)
620 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
621 return err
622 }
623
624 if _, err := c.flush(); err != nil {
625 return err
626 }
627
628 var pub crypto.PublicKey
629
630 msg, err := c.readHandshake(&hs.finishedHash)
631 if err != nil {
632 return err
633 }
634
635
636
637 if c.config.ClientAuth >= RequestClientCert {
638 certMsg, ok := msg.(*certificateMsg)
639 if !ok {
640 c.sendAlert(alertUnexpectedMessage)
641 return unexpectedMessageError(certMsg, msg)
642 }
643
644 if err := c.processCertsFromClient(Certificate{
645 Certificate: certMsg.certificates,
646 }); err != nil {
647 return err
648 }
649 if len(certMsg.certificates) != 0 {
650 pub = c.peerCertificates[0].PublicKey
651 }
652
653 msg, err = c.readHandshake(&hs.finishedHash)
654 if err != nil {
655 return err
656 }
657 }
658 if c.config.VerifyConnection != nil {
659 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
660 c.sendAlert(alertBadCertificate)
661 return err
662 }
663 }
664
665
666 ckx, ok := msg.(*clientKeyExchangeMsg)
667 if !ok {
668 c.sendAlert(alertUnexpectedMessage)
669 return unexpectedMessageError(ckx, msg)
670 }
671
672 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
673 if err != nil {
674 c.sendAlert(alertHandshakeFailure)
675 return err
676 }
677 if hs.hello.extendedMasterSecret {
678 c.extMasterSecret = true
679 hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
680 hs.finishedHash.Sum())
681 } else {
682 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
683 hs.clientHello.random, hs.hello.random)
684 }
685 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
686 c.sendAlert(alertInternalError)
687 return err
688 }
689
690
691
692
693
694
695
696 if len(c.peerCertificates) > 0 {
697
698
699
700 msg, err = c.readHandshake(nil)
701 if err != nil {
702 return err
703 }
704 certVerify, ok := msg.(*certificateVerifyMsg)
705 if !ok {
706 c.sendAlert(alertUnexpectedMessage)
707 return unexpectedMessageError(certVerify, msg)
708 }
709
710 var sigType uint8
711 var sigHash crypto.Hash
712 if c.vers >= VersionTLS12 {
713 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
714 c.sendAlert(alertIllegalParameter)
715 return errors.New("tls: client certificate used with invalid signature algorithm")
716 }
717 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
718 if err != nil {
719 return c.sendAlert(alertInternalError)
720 }
721 } else {
722 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
723 if err != nil {
724 c.sendAlert(alertIllegalParameter)
725 return err
726 }
727 }
728
729 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
730 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
731 c.sendAlert(alertDecryptError)
732 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
733 }
734
735 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
736 return err
737 }
738 }
739
740 hs.finishedHash.discardHandshakeBuffer()
741
742 return nil
743 }
744
745 func (hs *serverHandshakeState) establishKeys() error {
746 c := hs.c
747
748 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
749 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
750
751 var clientCipher, serverCipher any
752 var clientHash, serverHash hash.Hash
753
754 if hs.suite.aead == nil {
755 clientCipher = hs.suite.cipher(clientKey, clientIV, true )
756 clientHash = hs.suite.mac(clientMAC)
757 serverCipher = hs.suite.cipher(serverKey, serverIV, false )
758 serverHash = hs.suite.mac(serverMAC)
759 } else {
760 clientCipher = hs.suite.aead(clientKey, clientIV)
761 serverCipher = hs.suite.aead(serverKey, serverIV)
762 }
763
764 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
765 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
766
767 return nil
768 }
769
770 func (hs *serverHandshakeState) readFinished(out []byte) error {
771 c := hs.c
772
773 if err := c.readChangeCipherSpec(); err != nil {
774 return err
775 }
776
777
778
779
780 msg, err := c.readHandshake(nil)
781 if err != nil {
782 return err
783 }
784 clientFinished, ok := msg.(*finishedMsg)
785 if !ok {
786 c.sendAlert(alertUnexpectedMessage)
787 return unexpectedMessageError(clientFinished, msg)
788 }
789
790 verify := hs.finishedHash.clientSum(hs.masterSecret)
791 if len(verify) != len(clientFinished.verifyData) ||
792 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
793 c.sendAlert(alertHandshakeFailure)
794 return errors.New("tls: client's Finished message is incorrect")
795 }
796
797 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
798 return err
799 }
800
801 copy(out, verify)
802 return nil
803 }
804
805 func (hs *serverHandshakeState) sendSessionTicket() error {
806 if !hs.hello.ticketSupported {
807 return nil
808 }
809
810 c := hs.c
811 m := new(newSessionTicketMsg)
812
813 state, err := c.sessionState()
814 if err != nil {
815 return err
816 }
817 state.secret = hs.masterSecret
818 if hs.sessionState != nil {
819
820
821 state.createdAt = hs.sessionState.createdAt
822 }
823 if c.config.WrapSession != nil {
824 m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
825 if err != nil {
826 return err
827 }
828 } else {
829 stateBytes, err := state.Bytes()
830 if err != nil {
831 return err
832 }
833 m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
834 if err != nil {
835 return err
836 }
837 }
838
839 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
840 return err
841 }
842
843 return nil
844 }
845
846 func (hs *serverHandshakeState) sendFinished(out []byte) error {
847 c := hs.c
848
849 if err := c.writeChangeCipherRecord(); err != nil {
850 return err
851 }
852
853 finished := new(finishedMsg)
854 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
855 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
856 return err
857 }
858
859 copy(out, finished.verifyData)
860
861 return nil
862 }
863
864
865
866 func (c *Conn) processCertsFromClient(certificate Certificate) error {
867 certificates := certificate.Certificate
868 certs := make([]*x509.Certificate, len(certificates))
869 var err error
870 for i, asn1Data := range certificates {
871 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
872 c.sendAlert(alertBadCertificate)
873 return errors.New("tls: failed to parse client certificate: " + err.Error())
874 }
875 if certs[i].PublicKeyAlgorithm == x509.RSA {
876 n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
877 if max, ok := checkKeySize(n); !ok {
878 c.sendAlert(alertBadCertificate)
879 return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
880 }
881 }
882 }
883
884 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
885 if c.vers == VersionTLS13 {
886 c.sendAlert(alertCertificateRequired)
887 } else {
888 c.sendAlert(alertBadCertificate)
889 }
890 return errors.New("tls: client didn't provide a certificate")
891 }
892
893 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
894 opts := x509.VerifyOptions{
895 Roots: c.config.ClientCAs,
896 CurrentTime: c.config.time(),
897 Intermediates: x509.NewCertPool(),
898 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
899 }
900
901 for _, cert := range certs[1:] {
902 opts.Intermediates.AddCert(cert)
903 }
904
905 chains, err := certs[0].Verify(opts)
906 if err != nil {
907 var errCertificateInvalid x509.CertificateInvalidError
908 if errors.As(err, &x509.UnknownAuthorityError{}) {
909 c.sendAlert(alertUnknownCA)
910 } else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
911 c.sendAlert(alertCertificateExpired)
912 } else {
913 c.sendAlert(alertBadCertificate)
914 }
915 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
916 }
917
918 c.verifiedChains = chains
919 }
920
921 c.peerCertificates = certs
922 c.ocspResponse = certificate.OCSPStaple
923 c.scts = certificate.SignedCertificateTimestamps
924
925 if len(certs) > 0 {
926 switch certs[0].PublicKey.(type) {
927 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
928 default:
929 c.sendAlert(alertUnsupportedCertificate)
930 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
931 }
932 }
933
934 if c.config.VerifyPeerCertificate != nil {
935 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
936 c.sendAlert(alertBadCertificate)
937 return err
938 }
939 }
940
941 return nil
942 }
943
944 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
945 supportedVersions := clientHello.supportedVersions
946 if len(clientHello.supportedVersions) == 0 {
947 supportedVersions = supportedVersionsFromMax(clientHello.vers)
948 }
949
950 return &ClientHelloInfo{
951 CipherSuites: clientHello.cipherSuites,
952 ServerName: clientHello.serverName,
953 SupportedCurves: clientHello.supportedCurves,
954 SupportedPoints: clientHello.supportedPoints,
955 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
956 SupportedProtos: clientHello.alpnProtocols,
957 SupportedVersions: supportedVersions,
958 Conn: c.conn,
959 config: c.config,
960 ctx: ctx,
961 }
962 }
963
View as plain text