kris
/
th5
1
0
Fork 0
Code Issues 0 Pull-Requests 0 Releases 0 Wiki Aktivität
Alternative TLS implementation in Go
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
505 Commits
3 Branches
2.6 MiB
 
 
Struktur: 1ea9624098
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „1ea9624098“
${ noResults }
th5/handshake_server.go

940 Zeilen
27 KiB
Originalformat Blame Verlauf 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/rsa"

  11. 	"crypto/subtle"

  12. 	"crypto/x509"

  13. 	"errors"

  14. 	"fmt"

  15. 	"io"

  16. 	"sync/atomic"

  17. )

  18. 

  19. type Committer interface {

  20. 	Commit() error

  21. }

  22. 

  23. // serverHandshakeState contains details of a server handshake in progress.

  24. // It's discarded once the handshake has completed.

  25. type serverHandshakeState struct {

  26. 	c                     *Conn

  27. 	suite                 *cipherSuite

  28. 	masterSecret          []byte

  29. 	cachedClientHelloInfo *ClientHelloInfo

  30. 	clientHello           *clientHelloMsg

  31. 	hello                 *serverHelloMsg

  32. 	cert                  *Certificate

  33. 	privateKey            crypto.PrivateKey

  34. 

  35. 	// A marshalled DelegatedCredential to be sent to the client in the

  36. 	// handshake.

  37. 	delegatedCredential []byte

  38. 

  39. 	// TLS 1.0-1.2 fields

  40. 	ellipticOk      bool

  41. 	ecdsaOk         bool

  42. 	rsaDecryptOk    bool

  43. 	rsaSignOk       bool

  44. 	sessionState    *sessionState

  45. 	finishedHash    finishedHash

  46. 	certsFromClient [][]byte

  47. 

  48. 	// TLS 1.3 fields

  49. 	hello13Enc        *encryptedExtensionsMsg

  50. 	keySchedule       *keySchedule13

  51. 	clientFinishedKey []byte

  52. 	hsClientCipher    interface{}

  53. 	appClientCipher   interface{}

  54. }

  55. 

  56. // serverHandshake performs a TLS handshake as a server.

  57. // c.out.Mutex <= L; c.handshakeMutex <= L.

  58. func (c *Conn) serverHandshake() error {

  59. 	// If this is the first server handshake, we generate a random key to

  60. 	// encrypt the tickets with.

  61. 	c.config.serverInitOnce.Do(func() { c.config.serverInit(nil) })

  62. 

  63. 	hs := serverHandshakeState{

  64. 		c: c,

  65. 	}

  66. 	c.in.traceErr = hs.traceErr

  67. 	c.out.traceErr = hs.traceErr

  68. 	isResume, err := hs.readClientHello()

  69. 	if err != nil {

  70. 		return err

  71. 	}

  72. 

  73. 	// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3

  74. 	// and https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2

  75. 	c.buffering = true

  76. 	if c.vers >= VersionTLS13 {

  77. 		if err := hs.doTLS13Handshake(); err != nil {

  78. 			return err

  79. 		}

  80. 		if _, err := c.flush(); err != nil {

  81. 			return err

  82. 		}

  83. 		c.hs = &hs

  84. 		// If the client is sending early data while the server expects

  85. 		// it, delay the Finished check until HandshakeConfirmed() is

  86. 		// called or until all early data is Read(). Otherwise, complete

  87. 		// authenticating the client now (there is no support for

  88. 		// sending 0.5-RTT data to a potential unauthenticated client).

  89. 		if c.phase != readingEarlyData {

  90. 			if err := hs.readClientFinished13(false); err != nil {

  91. 				return err

  92. 			}

  93. 		}

  94. 		c.handshakeComplete = true

  95. 		return nil

  96. 	} else if isResume {

  97. 		// The client has included a session ticket and so we do an abbreviated handshake.

  98. 		if err := hs.doResumeHandshake(); err != nil {

  99. 			return err

  100. 		}

  101. 		if err := hs.establishKeys(); err != nil {

  102. 			return err

  103. 		}

  104. 		// ticketSupported is set in a resumption handshake if the

  105. 		// ticket from the client was encrypted with an old session

  106. 		// ticket key and thus a refreshed ticket should be sent.

  107. 		if hs.hello.ticketSupported {

  108. 			if err := hs.sendSessionTicket(); err != nil {

  109. 				return err

  110. 			}

  111. 		}

  112. 		if err := hs.sendFinished(c.serverFinished[:]); err != nil {

  113. 			return err

  114. 		}

  115. 		if _, err := c.flush(); err != nil {

  116. 			return err

  117. 		}

  118. 		c.clientFinishedIsFirst = false

  119. 		if err := hs.readFinished(nil); err != nil {

  120. 			return err

  121. 		}

  122. 		c.didResume = true

  123. 	} else {

  124. 		// The client didn't include a session ticket, or it wasn't

  125. 		// valid so we do a full handshake.

  126. 		if err := hs.doFullHandshake(); err != nil {

  127. 			return err

  128. 		}

  129. 		if err := hs.establishKeys(); err != nil {

  130. 			return err

  131. 		}

  132. 		if err := hs.readFinished(c.clientFinished[:]); err != nil {

  133. 			return err

  134. 		}

  135. 		c.clientFinishedIsFirst = true

  136. 		c.buffering = true

  137. 		if err := hs.sendSessionTicket(); err != nil {

  138. 			return err

  139. 		}

  140. 		if err := hs.sendFinished(nil); err != nil {

  141. 			return err

  142. 		}

  143. 		if _, err := c.flush(); err != nil {

  144. 			return err

  145. 		}

  146. 	}

  147. 	if c.hand.Len() > 0 {

  148. 		return c.sendAlert(alertUnexpectedMessage)

  149. 	}

  150. 	c.phase = handshakeConfirmed

  151. 	atomic.StoreInt32(&c.handshakeConfirmed, 1)

  152. 	c.handshakeComplete = true

  153. 

  154. 	return nil

  155. }

  156. 

  157. // readClientHello reads a ClientHello message from the client and decides

  158. // whether we will perform session resumption.

  159. func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {

  160. 	c := hs.c

  161. 

  162. 	msg, err := c.readHandshake()

  163. 	if err != nil {

  164. 		return false, err

  165. 	}

  166. 	var ok bool

  167. 	hs.clientHello, ok = msg.(*clientHelloMsg)

  168. 	if !ok {

  169. 		c.sendAlert(alertUnexpectedMessage)

  170. 		return false, unexpectedMessageError(hs.clientHello, msg)

  171. 	}

  172. 

  173. 	if c.config.GetConfigForClient != nil {

  174. 		if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil {

  175. 			c.out.traceErr, c.in.traceErr = nil, nil // disable tracing

  176. 			c.sendAlert(alertInternalError)

  177. 			return false, err

  178. 		} else if newConfig != nil {

  179. 			newConfig.serverInitOnce.Do(func() { newConfig.serverInit(c.config) })

  180. 			c.config = newConfig

  181. 		}

  182. 	}

  183. 

  184. 	var keyShares []CurveID

  185. 	for _, ks := range hs.clientHello.keyShares {

  186. 		keyShares = append(keyShares, ks.group)

  187. 	}

  188. 

  189. 	if hs.clientHello.supportedVersions != nil {

  190. 		c.vers, ok = c.config.pickVersion(hs.clientHello.supportedVersions)

  191. 		if !ok {

  192. 			c.sendAlert(alertProtocolVersion)

  193. 			return false, fmt.Errorf("tls: none of the client versions (%x) are supported", hs.clientHello.supportedVersions)

  194. 		}

  195. 	} else {

  196. 		c.vers, ok = c.config.mutualVersion(hs.clientHello.vers)

  197. 		if !ok {

  198. 			c.sendAlert(alertProtocolVersion)

  199. 			return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)

  200. 		}

  201. 	}

  202. 	c.haveVers = true

  203. 

  204. 	preferredCurves := c.config.curvePreferences()

  205. Curves:

  206. 	for _, curve := range hs.clientHello.supportedCurves {

  207. 		for _, supported := range preferredCurves {

  208. 			if supported == curve {

  209. 				hs.ellipticOk = true

  210. 				break Curves

  211. 			}

  212. 		}

  213. 	}

  214. 

  215. 	// If present, the supported points extension must include uncompressed.

  216. 	// Can be absent. This behavior mirrors BoringSSL.

  217. 	if hs.clientHello.supportedPoints != nil {

  218. 		supportedPointFormat := false

  219. 		for _, pointFormat := range hs.clientHello.supportedPoints {

  220. 			if pointFormat == pointFormatUncompressed {

  221. 				supportedPointFormat = true

  222. 				break

  223. 			}

  224. 		}

  225. 		if !supportedPointFormat {

  226. 			c.sendAlert(alertHandshakeFailure)

  227. 			return false, errors.New("tls: client does not support uncompressed points")

  228. 		}

  229. 	}

  230. 

  231. 	foundCompression := false

  232. 	// We only support null compression, so check that the client offered it.

  233. 	for _, compression := range hs.clientHello.compressionMethods {

  234. 		if compression == compressionNone {

  235. 			foundCompression = true

  236. 			break

  237. 		}

  238. 	}

  239. 

  240. 	if !foundCompression {

  241. 		c.sendAlert(alertIllegalParameter)

  242. 		return false, errors.New("tls: client does not support uncompressed connections")

  243. 	}

  244. 	if len(hs.clientHello.compressionMethods) != 1 && c.vers >= VersionTLS13 {

  245. 		c.sendAlert(alertIllegalParameter)

  246. 		return false, errors.New("tls: 1.3 client offered compression")

  247. 	}

  248. 

  249. 	if len(hs.clientHello.secureRenegotiation) != 0 {

  250. 		c.sendAlert(alertHandshakeFailure)

  251. 		return false, errors.New("tls: initial handshake had non-empty renegotiation extension")

  252. 	}

  253. 

  254. 	if c.vers < VersionTLS13 {

  255. 		hs.hello = new(serverHelloMsg)

  256. 		hs.hello.vers = c.vers

  257. 		hs.hello.random = make([]byte, 32)

  258. 		_, err = io.ReadFull(c.config.rand(), hs.hello.random)

  259. 		if err != nil {

  260. 			c.sendAlert(alertInternalError)

  261. 			return false, err

  262. 		}

  263. 		hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported

  264. 		hs.hello.compressionMethod = compressionNone

  265. 	} else {

  266. 		hs.hello = new(serverHelloMsg)

  267. 		hs.hello13Enc = new(encryptedExtensionsMsg)

  268. 		hs.hello.vers = c.vers

  269. 		hs.hello.random = make([]byte, 32)

  270. 		hs.hello.sessionId = hs.clientHello.sessionId

  271. 		_, err = io.ReadFull(c.config.rand(), hs.hello.random)

  272. 		if err != nil {

  273. 			c.sendAlert(alertInternalError)

  274. 			return false, err

  275. 		}

  276. 	}

  277. 

  278. 	if len(hs.clientHello.serverName) > 0 {

  279. 		c.serverName = hs.clientHello.serverName

  280. 	}

  281. 

  282. 	if len(hs.clientHello.alpnProtocols) > 0 {

  283. 		if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {

  284. 			if hs.hello != nil {

  285. 				hs.hello.alpnProtocol = selectedProto

  286. 			} else {

  287. 				hs.hello13Enc.alpnProtocol = selectedProto

  288. 			}

  289. 			c.clientProtocol = selectedProto

  290. 		}

  291. 	} else {

  292. 		// Although sending an empty NPN extension is reasonable, Firefox has

  293. 		// had a bug around this. Best to send nothing at all if

  294. 		// c.config.NextProtos is empty. See

  295. 		// https://golang.org/issue/5445.

  296. 		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 && c.vers < VersionTLS13 {

  297. 			hs.hello.nextProtoNeg = true

  298. 			hs.hello.nextProtos = c.config.NextProtos

  299. 		}

  300. 	}

  301. 

  302. 	hs.cert, err = c.config.getCertificate(hs.clientHelloInfo())

  303. 	if err != nil {

  304. 		c.sendAlert(alertInternalError)

  305. 		return false, err

  306. 	}

  307. 

  308. 	// Set the private key for this handshake to the certificate's secret key.

  309. 	hs.privateKey = hs.cert.PrivateKey

  310. 

  311. 	if hs.clientHello.scts {

  312. 		hs.hello.scts = hs.cert.SignedCertificateTimestamps

  313. 	}

  314. 

  315. 	// Set the private key to the DC private key if the client and server are

  316. 	// willing to negotiate the delegated credential extension.

  317. 	//

  318. 	// Check to see if a DelegatedCredential is available and should be used.

  319. 	// If one is available, the session is using TLS >= 1.2, and the client

  320. 	// accepts the delegated credential extension, then set the handshake

  321. 	// private key to the DC private key.

  322. 	if c.config.GetDelegatedCredential != nil && hs.clientHello.delegatedCredential && c.vers >= VersionTLS12 {

  323. 		dc, sk, err := c.config.GetDelegatedCredential(hs.clientHelloInfo(), c.vers)

  324. 		if err != nil {

  325. 			c.sendAlert(alertInternalError)

  326. 			return false, err

  327. 		}

  328. 

  329. 		// Set the handshake private key.

  330. 		if dc != nil {

  331. 			hs.privateKey = sk

  332. 			if dc.Raw == nil {

  333. 				dc.Raw, err = dc.Marshal()

  334. 				if err != nil {

  335. 					c.sendAlert(alertInternalError)

  336. 					return false, err

  337. 				}

  338. 			}

  339. 			hs.delegatedCredential = dc.Raw

  340. 

  341. 			// For TLS 1.2, the DC is an extension to the ServerHello.

  342. 			if c.vers == VersionTLS12 {

  343. 				hs.hello.delegatedCredential = hs.delegatedCredential

  344. 			}

  345. 		}

  346. 	}

  347. 

  348. 	if priv, ok := hs.privateKey.(crypto.Signer); ok {

  349. 		switch priv.Public().(type) {

  350. 		case *ecdsa.PublicKey:

  351. 			hs.ecdsaOk = true

  352. 		case *rsa.PublicKey:

  353. 			hs.rsaSignOk = true

  354. 		default:

  355. 			c.sendAlert(alertInternalError)

  356. 			return false, fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())

  357. 		}

  358. 	}

  359. 	if priv, ok := hs.privateKey.(crypto.Decrypter); ok {

  360. 		switch priv.Public().(type) {

  361. 		case *rsa.PublicKey:

  362. 			hs.rsaDecryptOk = true

  363. 		default:

  364. 			c.sendAlert(alertInternalError)

  365. 			return false, fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())

  366. 		}

  367. 	}

  368. 

  369. 	if c.vers != VersionTLS13 && hs.checkForResumption() {

  370. 		return true, nil

  371. 	}

  372. 

  373. 	var preferenceList, supportedList []uint16

  374. 	if c.config.PreferServerCipherSuites {

  375. 		preferenceList = c.config.cipherSuites()

  376. 		supportedList = hs.clientHello.cipherSuites

  377. 	} else {

  378. 		preferenceList = hs.clientHello.cipherSuites

  379. 		supportedList = c.config.cipherSuites()

  380. 	}

  381. 

  382. 	for _, id := range preferenceList {

  383. 		if hs.setCipherSuite(id, supportedList, c.vers) {

  384. 			break

  385. 		}

  386. 	}

  387. 

  388. 	if hs.suite == nil {

  389. 		c.sendAlert(alertHandshakeFailure)

  390. 		return false, errors.New("tls: no cipher suite supported by both client and server")

  391. 	}

  392. 

  393. 	// See https://tools.ietf.org/html/rfc7507.

  394. 	for _, id := range hs.clientHello.cipherSuites {

  395. 		if id == TLS_FALLBACK_SCSV {

  396. 			// The client is doing a fallback connection.

  397. 			if c.vers < c.config.maxVersion() {

  398. 				c.sendAlert(alertInappropriateFallback)

  399. 				return false, errors.New("tls: client using inappropriate protocol fallback")

  400. 			}

  401. 			break

  402. 		}

  403. 	}

  404. 

  405. 	return false, nil

  406. }

  407. 

  408. // checkForResumption reports whether we should perform resumption on this connection.

  409. func (hs *serverHandshakeState) checkForResumption() bool {

  410. 	c := hs.c

  411. 

  412. 	if c.config.SessionTicketsDisabled {

  413. 		return false

  414. 	}

  415. 

  416. 	sessionTicket := append([]uint8{}, hs.clientHello.sessionTicket...)

  417. 	serializedState, usedOldKey := c.decryptTicket(sessionTicket)

  418. 	hs.sessionState = &sessionState{usedOldKey: usedOldKey}

  419. 	if hs.sessionState.unmarshal(serializedState) != alertSuccess {

  420. 		return false

  421. 	}

  422. 

  423. 	// Never resume a session for a different TLS version.

  424. 	if c.vers != hs.sessionState.vers {

  425. 		return false

  426. 	}

  427. 

  428. 	cipherSuiteOk := false

  429. 	// Check that the client is still offering the ciphersuite in the session.

  430. 	for _, id := range hs.clientHello.cipherSuites {

  431. 		if id == hs.sessionState.cipherSuite {

  432. 			cipherSuiteOk = true

  433. 			break

  434. 		}

  435. 	}

  436. 	if !cipherSuiteOk {

  437. 		return false

  438. 	}

  439. 

  440. 	// Check that we also support the ciphersuite from the session.

  441. 	if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {

  442. 		return false

  443. 	}

  444. 

  445. 	sessionHasClientCerts := len(hs.sessionState.certificates) != 0

  446. 	needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert

  447. 	if needClientCerts && !sessionHasClientCerts {

  448. 		return false

  449. 	}

  450. 	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {

  451. 		return false

  452. 	}

  453. 

  454. 	return true

  455. }

  456. 

  457. func (hs *serverHandshakeState) doResumeHandshake() error {

  458. 	c := hs.c

  459. 

  460. 	hs.hello.cipherSuite = hs.suite.id

  461. 	// We echo the client's session ID in the ServerHello to let it know

  462. 	// that we're doing a resumption.

  463. 	hs.hello.sessionId = hs.clientHello.sessionId

  464. 	hs.hello.ticketSupported = hs.sessionState.usedOldKey

  465. 	hs.finishedHash = newFinishedHash(c.vers, hs.suite)

  466. 	hs.finishedHash.discardHandshakeBuffer()

  467. 	hs.finishedHash.Write(hs.clientHello.marshal())

  468. 	hs.finishedHash.Write(hs.hello.marshal())

  469. 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {

  470. 		return err

  471. 	}

  472. 

  473. 	if len(hs.sessionState.certificates) > 0 {

  474. 		if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {

  475. 			return err

  476. 		}

  477. 	}

  478. 

  479. 	hs.masterSecret = hs.sessionState.masterSecret

  480. 

  481. 	return nil

  482. }

  483. 

  484. func (hs *serverHandshakeState) doFullHandshake() error {

  485. 	c := hs.c

  486. 

  487. 	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {

  488. 		hs.hello.ocspStapling = true

  489. 	}

  490. 

  491. 	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled

  492. 	hs.hello.cipherSuite = hs.suite.id

  493. 

  494. 	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)

  495. 	if c.config.ClientAuth == NoClientCert {

  496. 		// No need to keep a full record of the handshake if client

  497. 		// certificates won't be used.

  498. 		hs.finishedHash.discardHandshakeBuffer()

  499. 	}

  500. 	hs.finishedHash.Write(hs.clientHello.marshal())

  501. 	hs.finishedHash.Write(hs.hello.marshal())

  502. 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {

  503. 		return err

  504. 	}

  505. 

  506. 	certMsg := new(certificateMsg)

  507. 	certMsg.certificates = hs.cert.Certificate

  508. 	hs.finishedHash.Write(certMsg.marshal())

  509. 	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {

  510. 		return err

  511. 	}

  512. 

  513. 	if hs.hello.ocspStapling {

  514. 		certStatus := new(certificateStatusMsg)

  515. 		certStatus.statusType = statusTypeOCSP

  516. 		certStatus.response = hs.cert.OCSPStaple

  517. 		hs.finishedHash.Write(certStatus.marshal())

  518. 		if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {

  519. 			return err

  520. 		}

  521. 	}

  522. 

  523. 	keyAgreement := hs.suite.ka(c.vers)

  524. 	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.privateKey, hs.clientHello, hs.hello)

  525. 	if err != nil {

  526. 		c.sendAlert(alertHandshakeFailure)

  527. 		return err

  528. 	}

  529. 	if skx != nil {

  530. 		hs.finishedHash.Write(skx.marshal())

  531. 		if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {

  532. 			return err

  533. 		}

  534. 	}

  535. 

  536. 	if c.config.ClientAuth >= RequestClientCert {

  537. 		// Request a client certificate

  538. 		certReq := new(certificateRequestMsg)

  539. 		certReq.certificateTypes = []byte{

  540. 			byte(certTypeRSASign),

  541. 			byte(certTypeECDSASign),

  542. 		}

  543. 		if c.vers >= VersionTLS12 {

  544. 			certReq.hasSignatureAndHash = true

  545. 			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms

  546. 		}

  547. 

  548. 		// An empty list of certificateAuthorities signals to

  549. 		// the client that it may send any certificate in response

  550. 		// to our request. When we know the CAs we trust, then

  551. 		// we can send them down, so that the client can choose

  552. 		// an appropriate certificate to give to us.

  553. 		if c.config.ClientCAs != nil {

  554. 			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()

  555. 		}

  556. 		hs.finishedHash.Write(certReq.marshal())

  557. 		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {

  558. 			return err

  559. 		}

  560. 	}

  561. 

  562. 	helloDone := new(serverHelloDoneMsg)

  563. 	hs.finishedHash.Write(helloDone.marshal())

  564. 	if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {

  565. 		return err

  566. 	}

  567. 

  568. 	if _, err := c.flush(); err != nil {

  569. 		return err

  570. 	}

  571. 

  572. 	var pub crypto.PublicKey // public key for client auth, if any

  573. 

  574. 	msg, err := c.readHandshake()

  575. 	if err != nil {

  576. 		return err

  577. 	}

  578. 

  579. 	var ok bool

  580. 	// If we requested a client certificate, then the client must send a

  581. 	// certificate message, even if it's empty.

  582. 	if c.config.ClientAuth >= RequestClientCert {

  583. 		if certMsg, ok = msg.(*certificateMsg); !ok {

  584. 			c.sendAlert(alertUnexpectedMessage)

  585. 			return unexpectedMessageError(certMsg, msg)

  586. 		}

  587. 		hs.finishedHash.Write(certMsg.marshal())

  588. 

  589. 		if len(certMsg.certificates) == 0 {

  590. 			// The client didn't actually send a certificate

  591. 			switch c.config.ClientAuth {

  592. 			case RequireAnyClientCert, RequireAndVerifyClientCert:

  593. 				c.sendAlert(alertBadCertificate)

  594. 				return errors.New("tls: client didn't provide a certificate")

  595. 			}

  596. 		}

  597. 

  598. 		pub, err = hs.processCertsFromClient(certMsg.certificates)

  599. 		if err != nil {

  600. 			return err

  601. 		}

  602. 

  603. 		msg, err = c.readHandshake()

  604. 		if err != nil {

  605. 			return err

  606. 		}

  607. 	}

  608. 

  609. 	// Get client key exchange

  610. 	ckx, ok := msg.(*clientKeyExchangeMsg)

  611. 	if !ok {

  612. 		c.sendAlert(alertUnexpectedMessage)

  613. 		return unexpectedMessageError(ckx, msg)

  614. 	}

  615. 	hs.finishedHash.Write(ckx.marshal())

  616. 

  617. 	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.privateKey, ckx, c.vers)

  618. 	if err != nil {

  619. 		if err == errClientKeyExchange {

  620. 			c.sendAlert(alertDecodeError)

  621. 		} else {

  622. 			c.sendAlert(alertInternalError)

  623. 		}

  624. 		return err

  625. 	}

  626. 	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)

  627. 	if err := c.config.writeKeyLog("CLIENT_RANDOM", hs.clientHello.random, hs.masterSecret); err != nil {

  628. 		c.sendAlert(alertInternalError)

  629. 		return err

  630. 	}

  631. 

  632. 	// If we received a client cert in response to our certificate request message,

  633. 	// the client will send us a certificateVerifyMsg immediately after the

  634. 	// clientKeyExchangeMsg. This message is a digest of all preceding

  635. 	// handshake-layer messages that is signed using the private key corresponding

  636. 	// to the client's certificate. This allows us to verify that the client is in

  637. 	// possession of the private key of the certificate.

  638. 	if len(c.peerCertificates) > 0 {

  639. 		msg, err = c.readHandshake()

  640. 		if err != nil {

  641. 			return err

  642. 		}

  643. 		certVerify, ok := msg.(*certificateVerifyMsg)

  644. 		if !ok {

  645. 			c.sendAlert(alertUnexpectedMessage)

  646. 			return unexpectedMessageError(certVerify, msg)

  647. 		}

  648. 

  649. 		// Determine the signature type.

  650. 		_, sigType, hashFunc, err := pickSignatureAlgorithm(pub, []SignatureScheme{certVerify.signatureAlgorithm}, supportedSignatureAlgorithms, c.vers)

  651. 		if err != nil {

  652. 			c.sendAlert(alertIllegalParameter)

  653. 			return err

  654. 		}

  655. 

  656. 		var digest []byte

  657. 		if digest, err = hs.finishedHash.hashForClientCertificate(sigType, hashFunc, hs.masterSecret); err == nil {

  658. 			err = verifyHandshakeSignature(sigType, pub, hashFunc, digest, certVerify.signature)

  659. 		}

  660. 		if err != nil {

  661. 			c.sendAlert(alertBadCertificate)

  662. 			return errors.New("tls: could not validate signature of connection nonces: " + err.Error())

  663. 		}

  664. 

  665. 		hs.finishedHash.Write(certVerify.marshal())

  666. 	}

  667. 

  668. 	hs.finishedHash.discardHandshakeBuffer()

  669. 

  670. 	return nil

  671. }

  672. 

  673. func (hs *serverHandshakeState) establishKeys() error {

  674. 	c := hs.c

  675. 

  676. 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=

  677. 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)

  678. 

  679. 	var clientCipher, serverCipher interface{}

  680. 	var clientHash, serverHash macFunction

  681. 

  682. 	if hs.suite.aead == nil {

  683. 		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)

  684. 		clientHash = hs.suite.mac(c.vers, clientMAC)

  685. 		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)

  686. 		serverHash = hs.suite.mac(c.vers, serverMAC)

  687. 	} else {

  688. 		clientCipher = hs.suite.aead(clientKey, clientIV)

  689. 		serverCipher = hs.suite.aead(serverKey, serverIV)

  690. 	}

  691. 

  692. 	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)

  693. 	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)

  694. 

  695. 	return nil

  696. }

  697. 

  698. func (hs *serverHandshakeState) readFinished(out []byte) error {

  699. 	c := hs.c

  700. 

  701. 	c.readRecord(recordTypeChangeCipherSpec)

  702. 	if c.in.err != nil {

  703. 		return c.in.err

  704. 	}

  705. 

  706. 	if hs.hello.nextProtoNeg {

  707. 		msg, err := c.readHandshake()

  708. 		if err != nil {

  709. 			return err

  710. 		}

  711. 		nextProto, ok := msg.(*nextProtoMsg)

  712. 		if !ok {

  713. 			c.sendAlert(alertUnexpectedMessage)

  714. 			return unexpectedMessageError(nextProto, msg)

  715. 		}

  716. 		hs.finishedHash.Write(nextProto.marshal())

  717. 		c.clientProtocol = nextProto.proto

  718. 	}

  719. 

  720. 	msg, err := c.readHandshake()

  721. 	if err != nil {

  722. 		return err

  723. 	}

  724. 	clientFinished, ok := msg.(*finishedMsg)

  725. 	if !ok {

  726. 		c.sendAlert(alertUnexpectedMessage)

  727. 		return unexpectedMessageError(clientFinished, msg)

  728. 	}

  729. 

  730. 	verify := hs.finishedHash.clientSum(hs.masterSecret)

  731. 	if len(verify) != len(clientFinished.verifyData) ||

  732. 		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {

  733. 		c.sendAlert(alertDecryptError)

  734. 		return errors.New("tls: client's Finished message is incorrect")

  735. 	}

  736. 

  737. 	hs.finishedHash.Write(clientFinished.marshal())

  738. 	copy(out, verify)

  739. 	return nil

  740. }

  741. 

  742. func (hs *serverHandshakeState) sendSessionTicket() error {

  743. 	if !hs.hello.ticketSupported {

  744. 		return nil

  745. 	}

  746. 

  747. 	c := hs.c

  748. 	m := new(newSessionTicketMsg)

  749. 

  750. 	var err error

  751. 	state := sessionState{

  752. 		vers:         c.vers,

  753. 		cipherSuite:  hs.suite.id,

  754. 		masterSecret: hs.masterSecret,

  755. 		certificates: hs.certsFromClient,

  756. 	}

  757. 	m.ticket, err = c.encryptTicket(state.marshal())

  758. 	if err != nil {

  759. 		return err

  760. 	}

  761. 

  762. 	hs.finishedHash.Write(m.marshal())

  763. 	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {

  764. 		return err

  765. 	}

  766. 

  767. 	return nil

  768. }

  769. 

  770. func (hs *serverHandshakeState) sendFinished(out []byte) error {

  771. 	c := hs.c

  772. 

  773. 	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {

  774. 		return err

  775. 	}

  776. 

  777. 	finished := new(finishedMsg)

  778. 	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)

  779. 	hs.finishedHash.Write(finished.marshal())

  780. 	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {

  781. 		return err

  782. 	}

  783. 

  784. 	c.cipherSuite = hs.suite.id

  785. 	copy(out, finished.verifyData)

  786. 

  787. 	return nil

  788. }

  789. 

  790. // processCertsFromClient takes a chain of client certificates either from a

  791. // Certificates message or from a sessionState and verifies them. It returns

  792. // the public key of the leaf certificate.

  793. func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {

  794. 	c := hs.c

  795. 

  796. 	hs.certsFromClient = certificates

  797. 	certs := make([]*x509.Certificate, len(certificates))

  798. 	var err error

  799. 	for i, asn1Data := range certificates {

  800. 		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {

  801. 			c.sendAlert(alertBadCertificate)

  802. 			return nil, errors.New("tls: failed to parse client certificate: " + err.Error())

  803. 		}

  804. 	}

  805. 

  806. 	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {

  807. 		opts := x509.VerifyOptions{

  808. 			Roots:         c.config.ClientCAs,

  809. 			CurrentTime:   c.config.time(),

  810. 			Intermediates: x509.NewCertPool(),

  811. 			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},

  812. 		}

  813. 

  814. 		for _, cert := range certs[1:] {

  815. 			opts.Intermediates.AddCert(cert)

  816. 		}

  817. 

  818. 		chains, err := certs[0].Verify(opts)

  819. 		if err != nil {

  820. 			c.sendAlert(alertBadCertificate)

  821. 			return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())

  822. 		}

  823. 

  824. 		c.verifiedChains = chains

  825. 	}

  826. 

  827. 	if c.config.VerifyPeerCertificate != nil {

  828. 		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {

  829. 			c.sendAlert(alertBadCertificate)

  830. 			return nil, err

  831. 		}

  832. 	}

  833. 

  834. 	if len(certs) == 0 {

  835. 		return nil, nil

  836. 	}

  837. 

  838. 	var pub crypto.PublicKey

  839. 	switch key := certs[0].PublicKey.(type) {

  840. 	case *ecdsa.PublicKey, *rsa.PublicKey:

  841. 		pub = key

  842. 	default:

  843. 		c.sendAlert(alertUnsupportedCertificate)

  844. 		return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)

  845. 	}

  846. 	c.peerCertificates = certs

  847. 	return pub, nil

  848. }

  849. 

  850. // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState

  851. // suite if that cipher suite is acceptable to use.

  852. // It returns a bool indicating if the suite was set.

  853. func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {

  854. 	for _, supported := range supportedCipherSuites {

  855. 		if id == supported {

  856. 			var candidate *cipherSuite

  857. 

  858. 			for _, s := range cipherSuites {

  859. 				if s.id == id {

  860. 					candidate = s

  861. 					break

  862. 				}

  863. 			}

  864. 			if candidate == nil {

  865. 				continue

  866. 			}

  867. 

  868. 			if version >= VersionTLS13 && candidate.flags&suiteTLS13 != 0 {

  869. 				hs.suite = candidate

  870. 				return true

  871. 			}

  872. 			if version < VersionTLS13 && candidate.flags&suiteTLS13 != 0 {

  873. 				continue

  874. 			}

  875. 

  876. 			// Don't select a ciphersuite which we can't

  877. 			// support for this client.

  878. 			if candidate.flags&suiteECDHE != 0 {

  879. 				if !hs.ellipticOk {

  880. 					continue

  881. 				}

  882. 				if candidate.flags&suiteECDSA != 0 {

  883. 					if !hs.ecdsaOk {

  884. 						continue

  885. 					}

  886. 				} else if !hs.rsaSignOk {

  887. 					continue

  888. 				}

  889. 			} else if !hs.rsaDecryptOk {

  890. 				continue

  891. 			}

  892. 			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {

  893. 				continue

  894. 			}

  895. 			hs.suite = candidate

  896. 			return true

  897. 		}

  898. 	}

  899. 	return false

  900. }

  901. 

  902. // suppVersArray is the backing array of ClientHelloInfo.SupportedVersions

  903. var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}

  904. 

  905. func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo {

  906. 	if hs.cachedClientHelloInfo != nil {

  907. 		return hs.cachedClientHelloInfo

  908. 	}

  909. 

  910. 	var supportedVersions []uint16

  911. 	if hs.clientHello.supportedVersions != nil {

  912. 		supportedVersions = hs.clientHello.supportedVersions

  913. 	} else if hs.clientHello.vers > VersionTLS12 {

  914. 		supportedVersions = suppVersArray[:]

  915. 	} else if hs.clientHello.vers >= VersionSSL30 {

  916. 		supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:]

  917. 	}

  918. 

  919. 	var pskBinder []byte

  920. 	if len(hs.clientHello.psks) > 0 {

  921. 		pskBinder = hs.clientHello.psks[0].binder

  922. 	}

  923. 

  924. 	hs.cachedClientHelloInfo = &ClientHelloInfo{

  925. 		CipherSuites:               hs.clientHello.cipherSuites,

  926. 		ServerName:                 hs.clientHello.serverName,

  927. 		SupportedCurves:            hs.clientHello.supportedCurves,

  928. 		SupportedPoints:            hs.clientHello.supportedPoints,

  929. 		SignatureSchemes:           hs.clientHello.supportedSignatureAlgorithms,

  930. 		SupportedProtos:            hs.clientHello.alpnProtocols,

  931. 		SupportedVersions:          supportedVersions,

  932. 		Conn:                       hs.c.conn,

  933. 		Offered0RTTData:            hs.clientHello.earlyData,

  934. 		AcceptsDelegatedCredential: hs.clientHello.delegatedCredential,

  935. 		Fingerprint:                pskBinder,

  936. 	}

  937. 

  938. 	return hs.cachedClientHelloInfo

  939. }