kris
/
th5
1
0
Bifurcation 0
Code Tickets 0 Demandes d'ajout 0 Versions 0 Wiki Activité
Alternative TLS implementation in Go
Vous ne pouvez pas sélectionner plus de 25 sujets Les noms de sujets doivent commencer par une lettre ou un nombre, peuvent contenir des tirets ('-') et peuvent comporter jusqu'à 35 caractères.
505 Révisions
3 Branches
2.6 MiB
 
 
Aborescence: 1ea9624098
Branches Tags
${ item.name }
Créer la branche ${ searchTerm }
de '1ea9624098'
${ noResults }
th5/handshake_server.go

940 lignes
27 KiB
Brut Annotations Historique 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/rsa"

  11. 	"crypto/subtle"

  12. 	"crypto/x509"

  13. 	"errors"

  14. 	"fmt"

  15. 	"io"

  16. 	"sync/atomic"

  17. )

  18. 

  19. type Committer interface {

  20. 	Commit() error

  21. }

  22. 

  23. // serverHandshakeState contains details of a server handshake in progress.

  24. // It's discarded once the handshake has completed.

  25. type serverHandshakeState struct {

  26. 	c                     *Conn

  27. 	suite                 *cipherSuite

  28. 	masterSecret          []byte

  29. 	cachedClientHelloInfo *ClientHelloInfo

  30. 	clientHello           *clientHelloMsg

  31. 	hello                 *serverHelloMsg

  32. 	cert                  *Certificate

  33. 	privateKey            crypto.PrivateKey

  34. 

  35. 	// A marshalled DelegatedCredential to be sent to the client in the

  36. 	// handshake.

  37. 	delegatedCredential []byte

  38. 

  39. 	// TLS 1.0-1.2 fields

  40. 	ellipticOk      bool

  41. 	ecdsaOk         bool

  42. 	rsaDecryptOk    bool

  43. 	rsaSignOk       bool

  44. 	sessionState    *sessionState

  45. 	finishedHash    finishedHash

  46. 	certsFromClient [][]byte

  47. 

  48. 	// TLS 1.3 fields

  49. 	hello13Enc        *encryptedExtensionsMsg

  50. 	keySchedule       *keySchedule13

  51. 	clientFinishedKey []byte

  52. 	hsClientCipher    interface{}

  53. 	appClientCipher   interface{}

  54. }

  55. 

  56. // serverHandshake performs a TLS handshake as a server.

  57. // c.out.Mutex <= L; c.handshakeMutex <= L.

  58. func (c *Conn) serverHandshake() error {

  59. 	// If this is the first server handshake, we generate a random key to

  60. 	// encrypt the tickets with.

  61. 	c.config.serverInitOnce.Do(func() { c.config.serverInit(nil) })

  62. 

  63. 	hs := serverHandshakeState{

  64. 		c: c,

  65. 	}

  66. 	c.in.traceErr = hs.traceErr

  67. 	c.out.traceErr = hs.traceErr

  68. 	isResume, err := hs.readClientHello()

  69. 	if err != nil {

  70. 		return err

  71. 	}

  72. 

  73. 	// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3

  74. 	// and https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-2

  75. 	c.buffering = true

  76. 	if c.vers >= VersionTLS13 {

  77. 		if err := hs.doTLS13Handshake(); err != nil {

  78. 			return err

  79. 		}

  80. 		if _, err := c.flush(); err != nil {

  81. 			return err

  82. 		}

  83. 		c.hs = &hs

  84. 		// If the client is sending early data while the server expects

  85. 		// it, delay the Finished check until HandshakeConfirmed() is

  86. 		// called or until all early data is Read(). Otherwise, complete

  87. 		// authenticating the client now (there is no support for

  88. 		// sending 0.5-RTT data to a potential unauthenticated client).

  89. 		if c.phase != readingEarlyData {

  90. 			if err := hs.readClientFinished13(false); err != nil {

  91. 				return err

  92. 			}

  93. 		}

  94. 		c.handshakeComplete = true

  95. 		return nil

  96. 	} else if isResume {

  97. 		// The client has included a session ticket and so we do an abbreviated handshake.

  98. 		if err := hs.doResumeHandshake(); err != nil {

  99. 			return err

  100. 		}

  101. 		if err := hs.establishKeys(); err != nil {

  102. 			return err

  103. 		}

  104. 		// ticketSupported is set in a resumption handshake if the

  105. 		// ticket from the client was encrypted with an old session

  106. 		// ticket key and thus a refreshed ticket should be sent.

  107. 		if hs.hello.ticketSupported {

  108. 			if err := hs.sendSessionTicket(); err != nil {

  109. 				return err

  110. 			}

  111. 		}

  112. 		if err := hs.sendFinished(c.serverFinished[:]); err != nil {

  113. 			return err

  114. 		}

  115. 		if _, err := c.flush(); err != nil {

  116. 			return err

  117. 		}

  118. 		c.clientFinishedIsFirst = false

  119. 		if err := hs.readFinished(nil); err != nil {

  120. 			return err

  121. 		}

  122. 		c.didResume = true

  123. 	} else {

  124. 		// The client didn't include a session ticket, or it wasn't

  125. 		// valid so we do a full handshake.

  126. 		if err := hs.doFullHandshake(); err != nil {

  127. 			return err

  128. 		}

  129. 		if err := hs.establishKeys(); err != nil {

  130. 			return err

  131. 		}

  132. 		if err := hs.readFinished(c.clientFinished[:]); err != nil {

  133. 			return err

  134. 		}

  135. 		c.clientFinishedIsFirst = true

  136. 		c.buffering = true

  137. 		if err := hs.sendSessionTicket(); err != nil {

  138. 			return err

  139. 		}

  140. 		if err := hs.sendFinished(nil); err != nil {

  141. 			return err

  142. 		}

  143. 		if _, err := c.flush(); err != nil {

  144. 			return err

  145. 		}

  146. 	}

  147. 	if c.hand.Len() > 0 {

  148. 		return c.sendAlert(alertUnexpectedMessage)

  149. 	}

  150. 	c.phase = handshakeConfirmed

  151. 	atomic.StoreInt32(&c.handshakeConfirmed, 1)

  152. 	c.handshakeComplete = true

  153. 

  154. 	return nil

  155. }

  156. 

  157. // readClientHello reads a ClientHello message from the client and decides

  158. // whether we will perform session resumption.

  159. func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {

  160. 	c := hs.c

  161. 

  162. 	msg, err := c.readHandshake()

  163. 	if err != nil {

  164. 		return false, err

  165. 	}

  166. 	var ok bool

  167. 	hs.clientHello, ok = msg.(*clientHelloMsg)

  168. 	if !ok {

  169. 		c.sendAlert(alertUnexpectedMessage)

  170. 		return false, unexpectedMessageError(hs.clientHello, msg)

  171. 	}

  172. 

  173. 	if c.config.GetConfigForClient != nil {

  174. 		if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil {

  175. 			c.out.traceErr, c.in.traceErr = nil, nil // disable tracing

  176. 			c.sendAlert(alertInternalError)

  177. 			return false, err

  178. 		} else if newConfig != nil {

  179. 			newConfig.serverInitOnce.Do(func() { newConfig.serverInit(c.config) })

  180. 			c.config = newConfig

  181. 		}

  182. 	}

  183. 

  184. 	var keyShares []CurveID

  185. 	for _, ks := range hs.clientHello.keyShares {

  186. 		keyShares = append(keyShares, ks.group)

  187. 	}

  188. 

  189. 	if hs.clientHello.supportedVersions != nil {

  190. 		c.vers, ok = c.config.pickVersion(hs.clientHello.supportedVersions)

  191. 		if !ok {

  192. 			c.sendAlert(alertProtocolVersion)

  193. 			return false, fmt.Errorf("tls: none of the client versions (%x) are supported", hs.clientHello.supportedVersions)

  194. 		}

  195. 	} else {

  196. 		c.vers, ok = c.config.mutualVersion(hs.clientHello.vers)

  197. 		if !ok {

  198. 			c.sendAlert(alertProtocolVersion)

  199. 			return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)

  200. 		}

  201. 	}

  202. 	c.haveVers = true

  203. 

  204. 	preferredCurves := c.config.curvePreferences()

  205. Curves:

  206. 	for _, curve := range hs.clientHello.supportedCurves {

  207. 		for _, supported := range preferredCurves {

  208. 			if supported == curve {

  209. 				hs.ellipticOk = true

  210. 				break Curves

  211. 			}

  212. 		}

  213. 	}

  214. 

  215. 	// If present, the supported points extension must include uncompressed.

  216. 	// Can be absent. This behavior mirrors BoringSSL.

  217. 	if hs.clientHello.supportedPoints != nil {

  218. 		supportedPointFormat := false

  219. 		for _, pointFormat := range hs.clientHello.supportedPoints {

  220. 			if pointFormat == pointFormatUncompressed {

  221. 				supportedPointFormat = true

  222. 				break

  223. 			}

  224. 		}

  225. 		if !supportedPointFormat {

  226. 			c.sendAlert(alertHandshakeFailure)

  227. 			return false, errors.New("tls: client does not support uncompressed points")

  228. 		}

  229. 	}

  230. 

  231. 	foundCompression := false

  232. 	// We only support null compression, so check that the client offered it.

  233. 	for _, compression := range hs.clientHello.compressionMethods {

  234. 		if compression == compressionNone {

  235. 			foundCompression = true

  236. 			break

  237. 		}

  238. 	}

  239. 

  240. 	if !foundCompression {

  241. 		c.sendAlert(alertIllegalParameter)

  242. 		return false, errors.New("tls: client does not support uncompressed connections")

  243. 	}

  244. 	if len(hs.clientHello.compressionMethods) != 1 && c.vers >= VersionTLS13 {

  245. 		c.sendAlert(alertIllegalParameter)

  246. 		return false, errors.New("tls: 1.3 client offered compression")

  247. 	}

  248. 

  249. 	if len(hs.clientHello.secureRenegotiation) != 0 {

  250. 		c.sendAlert(alertHandshakeFailure)

  251. 		return false, errors.New("tls: initial handshake had non-empty renegotiation extension")

  252. 	}

  253. 

  254. 	if c.vers < VersionTLS13 {

  255. 		hs.hello = new(serverHelloMsg)

  256. 		hs.hello.vers = c.vers

  257. 		hs.hello.random = make([]byte, 32)

  258. 		_, err = io.ReadFull(c.config.rand(), hs.hello.random)

  259. 		if err != nil {

  260. 			c.sendAlert(alertInternalError)

  261. 			return false, err

  262. 		}

  263. 		hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported

  264. 		hs.hello.compressionMethod = compressionNone

  265. 	} else {

  266. 		hs.hello = new(serverHelloMsg)

  267. 		hs.hello13Enc = new(encryptedExtensionsMsg)

  268. 		hs.hello.vers = c.vers

  269. 		hs.hello.random = make([]byte, 32)

  270. 		hs.hello.sessionId = hs.clientHello.sessionId

  271. 		_, err = io.ReadFull(c.config.rand(), hs.hello.random)

  272. 		if err != nil {

  273. 			c.sendAlert(alertInternalError)

  274. 			return false, err

  275. 		}

  276. 	}

  277. 

  278. 	if len(hs.clientHello.serverName) > 0 {

  279. 		c.serverName = hs.clientHello.serverName

  280. 	}

  281. 

  282. 	if len(hs.clientHello.alpnProtocols) > 0 {

  283. 		if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {

  284. 			if hs.hello != nil {

  285. 				hs.hello.alpnProtocol = selectedProto

  286. 			} else {

  287. 				hs.hello13Enc.alpnProtocol = selectedProto

  288. 			}

  289. 			c.clientProtocol = selectedProto

  290. 		}

  291. 	} else {

  292. 		// Although sending an empty NPN extension is reasonable, Firefox has

  293. 		// had a bug around this. Best to send nothing at all if

  294. 		// c.config.NextProtos is empty. See

  295. 		// https://golang.org/issue/5445.

  296. 		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 && c.vers < VersionTLS13 {

  297. 			hs.hello.nextProtoNeg = true

  298. 			hs.hello.nextProtos = c.config.NextProtos

  299. 		}

  300. 	}

  301. 

  302. 	hs.cert, err = c.config.getCertificate(hs.clientHelloInfo())

  303. 	if err != nil {

  304. 		c.sendAlert(alertInternalError)

  305. 		return false, err

  306. 	}

  307. 

  308. 	// Set the private key for this handshake to the certificate's secret key.

  309. 	hs.privateKey = hs.cert.PrivateKey

  310. 

  311. 	if hs.clientHello.scts {

  312. 		hs.hello.scts = hs.cert.SignedCertificateTimestamps

  313. 	}

  314. 

  315. 	// Set the private key to the DC private key if the client and server are

  316. 	// willing to negotiate the delegated credential extension.

  317. 	//

  318. 	// Check to see if a DelegatedCredential is available and should be used.

  319. 	// If one is available, the session is using TLS >= 1.2, and the client

  320. 	// accepts the delegated credential extension, then set the handshake

  321. 	// private key to the DC private key.

  322. 	if c.config.GetDelegatedCredential != nil && hs.clientHello.delegatedCredential && c.vers >= VersionTLS12 {

  323. 		dc, sk, err := c.config.GetDelegatedCredential(hs.clientHelloInfo(), c.vers)

  324. 		if err != nil {

  325. 			c.sendAlert(alertInternalError)

  326. 			return false, err

  327. 		}

  328. 

  329. 		// Set the handshake private key.

  330. 		if dc != nil {

  331. 			hs.privateKey = sk

  332. 			if dc.Raw == nil {

  333. 				dc.Raw, err = dc.Marshal()

  334. 				if err != nil {

  335. 					c.sendAlert(alertInternalError)

  336. 					return false, err

  337. 				}

  338. 			}

  339. 			hs.delegatedCredential = dc.Raw

  340. 

  341. 			// For TLS 1.2, the DC is an extension to the ServerHello.

  342. 			if c.vers == VersionTLS12 {

  343. 				hs.hello.delegatedCredential = hs.delegatedCredential

  344. 			}

  345. 		}

  346. 	}

  347. 

  348. 	if priv, ok := hs.privateKey.(crypto.Signer); ok {

  349. 		switch priv.Public().(type) {

  350. 		case *ecdsa.PublicKey:

  351. 			hs.ecdsaOk = true

  352. 		case *rsa.PublicKey:

  353. 			hs.rsaSignOk = true

  354. 		default:

  355. 			c.sendAlert(alertInternalError)

  356. 			return false, fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())

  357. 		}

  358. 	}

  359. 	if priv, ok := hs.privateKey.(crypto.Decrypter); ok {

  360. 		switch priv.Public().(type) {

  361. 		case *rsa.PublicKey:

  362. 			hs.rsaDecryptOk = true

  363. 		default:

  364. 			c.sendAlert(alertInternalError)

  365. 			return false, fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())

  366. 		}

  367. 	}

  368. 

  369. 	if c.vers != VersionTLS13 && hs.checkForResumption() {

  370. 		return true, nil

  371. 	}

  372. 

  373. 	var preferenceList, supportedList []uint16

  374. 	if c.config.PreferServerCipherSuites {

  375. 		preferenceList = c.config.cipherSuites()

  376. 		supportedList = hs.clientHello.cipherSuites

  377. 	} else {

  378. 		preferenceList = hs.clientHello.cipherSuites

  379. 		supportedList = c.config.cipherSuites()

  380. 	}

  381. 

  382. 	for _, id := range preferenceList {

  383. 		if hs.setCipherSuite(id, supportedList, c.vers) {

  384. 			break

  385. 		}

  386. 	}

  387. 

  388. 	if hs.suite == nil {

  389. 		c.sendAlert(alertHandshakeFailure)

  390. 		return false, errors.New("tls: no cipher suite supported by both client and server")

  391. 	}

  392. 

  393. 	// See https://tools.ietf.org/html/rfc7507.

  394. 	for _, id := range hs.clientHello.cipherSuites {

  395. 		if id == TLS_FALLBACK_SCSV {

  396. 			// The client is doing a fallback connection.

  397. 			if c.vers < c.config.maxVersion() {

  398. 				c.sendAlert(alertInappropriateFallback)

  399. 				return false, errors.New("tls: client using inappropriate protocol fallback")

  400. 			}

  401. 			break

  402. 		}

  403. 	}

  404. 

  405. 	return false, nil

  406. }

  407. 

  408. // checkForResumption reports whether we should perform resumption on this connection.

  409. func (hs *serverHandshakeState) checkForResumption() bool {

  410. 	c := hs.c

  411. 

  412. 	if c.config.SessionTicketsDisabled {

  413. 		return false

  414. 	}

  415. 

  416. 	sessionTicket := append([]uint8{}, hs.clientHello.sessionTicket...)

  417. 	serializedState, usedOldKey := c.decryptTicket(sessionTicket)

  418. 	hs.sessionState = &sessionState{usedOldKey: usedOldKey}

  419. 	if hs.sessionState.unmarshal(serializedState) != alertSuccess {

  420. 		return false

  421. 	}

  422. 

  423. 	// Never resume a session for a different TLS version.

  424. 	if c.vers != hs.sessionState.vers {

  425. 		return false

  426. 	}

  427. 

  428. 	cipherSuiteOk := false

  429. 	// Check that the client is still offering the ciphersuite in the session.

  430. 	for _, id := range hs.clientHello.cipherSuites {

  431. 		if id == hs.sessionState.cipherSuite {

  432. 			cipherSuiteOk = true

  433. 			break

  434. 		}

  435. 	}

  436. 	if !cipherSuiteOk {

  437. 		return false

  438. 	}

  439. 

  440. 	// Check that we also support the ciphersuite from the session.

  441. 	if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {

  442. 		return false

  443. 	}

  444. 

  445. 	sessionHasClientCerts := len(hs.sessionState.certificates) != 0

  446. 	needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert

  447. 	if needClientCerts && !sessionHasClientCerts {

  448. 		return false

  449. 	}

  450. 	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {

  451. 		return false

  452. 	}

  453. 

  454. 	return true

  455. }

  456. 

  457. func (hs *serverHandshakeState) doResumeHandshake() error {

  458. 	c := hs.c

  459. 

  460. 	hs.hello.cipherSuite = hs.suite.id

  461. 	// We echo the client's session ID in the ServerHello to let it know

  462. 	// that we're doing a resumption.

  463. 	hs.hello.sessionId = hs.clientHello.sessionId

  464. 	hs.hello.ticketSupported = hs.sessionState.usedOldKey

  465. 	hs.finishedHash = newFinishedHash(c.vers, hs.suite)

  466. 	hs.finishedHash.discardHandshakeBuffer()

  467. 	hs.finishedHash.Write(hs.clientHello.marshal())

  468. 	hs.finishedHash.Write(hs.hello.marshal())

  469. 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {

  470. 		return err

  471. 	}

  472. 

  473. 	if len(hs.sessionState.certificates) > 0 {

  474. 		if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {

  475. 			return err

  476. 		}

  477. 	}

  478. 

  479. 	hs.masterSecret = hs.sessionState.masterSecret

  480. 

  481. 	return nil

  482. }

  483. 

  484. func (hs *serverHandshakeState) doFullHandshake() error {

  485. 	c := hs.c

  486. 

  487. 	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {

  488. 		hs.hello.ocspStapling = true

  489. 	}

  490. 

  491. 	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled

  492. 	hs.hello.cipherSuite = hs.suite.id

  493. 

  494. 	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)

  495. 	if c.config.ClientAuth == NoClientCert {

  496. 		// No need to keep a full record of the handshake if client

  497. 		// certificates won't be used.

  498. 		hs.finishedHash.discardHandshakeBuffer()

  499. 	}

  500. 	hs.finishedHash.Write(hs.clientHello.marshal())

  501. 	hs.finishedHash.Write(hs.hello.marshal())

  502. 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {

  503. 		return err

  504. 	}

  505. 

  506. 	certMsg := new(certificateMsg)

  507. 	certMsg.certificates = hs.cert.Certificate

  508. 	hs.finishedHash.Write(certMsg.marshal())

  509. 	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {

  510. 		return err

  511. 	}

  512. 

  513. 	if hs.hello.ocspStapling {

  514. 		certStatus := new(certificateStatusMsg)

  515. 		certStatus.statusType = statusTypeOCSP

  516. 		certStatus.response = hs.cert.OCSPStaple

  517. 		hs.finishedHash.Write(certStatus.marshal())

  518. 		if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {

  519. 			return err

  520. 		}

  521. 	}

  522. 

  523. 	keyAgreement := hs.suite.ka(c.vers)

  524. 	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.privateKey, hs.clientHello, hs.hello)

  525. 	if err != nil {

  526. 		c.sendAlert(alertHandshakeFailure)

  527. 		return err

  528. 	}

  529. 	if skx != nil {

  530. 		hs.finishedHash.Write(skx.marshal())

  531. 		if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {

  532. 			return err

  533. 		}

  534. 	}

  535. 

  536. 	if c.config.ClientAuth >= RequestClientCert {

  537. 		// Request a client certificate

  538. 		certReq := new(certificateRequestMsg)

  539. 		certReq.certificateTypes = []byte{

  540. 			byte(certTypeRSASign),

  541. 			byte(certTypeECDSASign),

  542. 		}

  543. 		if c.vers >= VersionTLS12 {

  544. 			certReq.hasSignatureAndHash = true

  545. 			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms

  546. 		}

  547. 

  548. 		// An empty list of certificateAuthorities signals to

  549. 		// the client that it may send any certificate in response

  550. 		// to our request. When we know the CAs we trust, then

  551. 		// we can send them down, so that the client can choose

  552. 		// an appropriate certificate to give to us.

  553. 		if c.config.ClientCAs != nil {

  554. 			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()

  555. 		}

  556. 		hs.finishedHash.Write(certReq.marshal())

  557. 		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {

  558. 			return err

  559. 		}

  560. 	}

  561. 

  562. 	helloDone := new(serverHelloDoneMsg)

  563. 	hs.finishedHash.Write(helloDone.marshal())

  564. 	if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {

  565. 		return err

  566. 	}

  567. 

  568. 	if _, err := c.flush(); err != nil {

  569. 		return err

  570. 	}

  571. 

  572. 	var pub crypto.PublicKey // public key for client auth, if any

  573. 

  574. 	msg, err := c.readHandshake()

  575. 	if err != nil {

  576. 		return err

  577. 	}

  578. 

  579. 	var ok bool

  580. 	// If we requested a client certificate, then the client must send a

  581. 	// certificate message, even if it's empty.

  582. 	if c.config.ClientAuth >= RequestClientCert {

  583. 		if certMsg, ok = msg.(*certificateMsg); !ok {

  584. 			c.sendAlert(alertUnexpectedMessage)

  585. 			return unexpectedMessageError(certMsg, msg)

  586. 		}

  587. 		hs.finishedHash.Write(certMsg.marshal())

  588. 

  589. 		if len(certMsg.certificates) == 0 {

  590. 			// The client didn't actually send a certificate

  591. 			switch c.config.ClientAuth {

  592. 			case RequireAnyClientCert, RequireAndVerifyClientCert:

  593. 				c.sendAlert(alertBadCertificate)

  594. 				return errors.New("tls: client didn't provide a certificate")

  595. 			}

  596. 		}

  597. 

  598. 		pub, err = hs.processCertsFromClient(certMsg.certificates)

  599. 		if err != nil {

  600. 			return err

  601. 		}

  602. 

  603. 		msg, err = c.readHandshake()

  604. 		if err != nil {

  605. 			return err

  606. 		}

  607. 	}

  608. 

  609. 	// Get client key exchange

  610. 	ckx, ok := msg.(*clientKeyExchangeMsg)

  611. 	if !ok {

  612. 		c.sendAlert(alertUnexpectedMessage)

  613. 		return unexpectedMessageError(ckx, msg)

  614. 	}

  615. 	hs.finishedHash.Write(ckx.marshal())

  616. 

  617. 	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.privateKey, ckx, c.vers)

  618. 	if err != nil {

  619. 		if err == errClientKeyExchange {

  620. 			c.sendAlert(alertDecodeError)

  621. 		} else {

  622. 			c.sendAlert(alertInternalError)

  623. 		}

  624. 		return err

  625. 	}

  626. 	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)

  627. 	if err := c.config.writeKeyLog("CLIENT_RANDOM", hs.clientHello.random, hs.masterSecret); err != nil {

  628. 		c.sendAlert(alertInternalError)

  629. 		return err

  630. 	}

  631. 

  632. 	// If we received a client cert in response to our certificate request message,

  633. 	// the client will send us a certificateVerifyMsg immediately after the

  634. 	// clientKeyExchangeMsg. This message is a digest of all preceding

  635. 	// handshake-layer messages that is signed using the private key corresponding

  636. 	// to the client's certificate. This allows us to verify that the client is in

  637. 	// possession of the private key of the certificate.

  638. 	if len(c.peerCertificates) > 0 {

  639. 		msg, err = c.readHandshake()

  640. 		if err != nil {

  641. 			return err

  642. 		}

  643. 		certVerify, ok := msg.(*certificateVerifyMsg)

  644. 		if !ok {

  645. 			c.sendAlert(alertUnexpectedMessage)

  646. 			return unexpectedMessageError(certVerify, msg)

  647. 		}

  648. 

  649. 		// Determine the signature type.

  650. 		_, sigType, hashFunc, err := pickSignatureAlgorithm(pub, []SignatureScheme{certVerify.signatureAlgorithm}, supportedSignatureAlgorithms, c.vers)

  651. 		if err != nil {

  652. 			c.sendAlert(alertIllegalParameter)

  653. 			return err

  654. 		}

  655. 

  656. 		var digest []byte

  657. 		if digest, err = hs.finishedHash.hashForClientCertificate(sigType, hashFunc, hs.masterSecret); err == nil {

  658. 			err = verifyHandshakeSignature(sigType, pub, hashFunc, digest, certVerify.signature)

  659. 		}

  660. 		if err != nil {

  661. 			c.sendAlert(alertBadCertificate)

  662. 			return errors.New("tls: could not validate signature of connection nonces: " + err.Error())

  663. 		}

  664. 

  665. 		hs.finishedHash.Write(certVerify.marshal())

  666. 	}

  667. 

  668. 	hs.finishedHash.discardHandshakeBuffer()

  669. 

  670. 	return nil

  671. }

  672. 

  673. func (hs *serverHandshakeState) establishKeys() error {

  674. 	c := hs.c

  675. 

  676. 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=

  677. 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)

  678. 

  679. 	var clientCipher, serverCipher interface{}

  680. 	var clientHash, serverHash macFunction

  681. 

  682. 	if hs.suite.aead == nil {

  683. 		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)

  684. 		clientHash = hs.suite.mac(c.vers, clientMAC)

  685. 		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)

  686. 		serverHash = hs.suite.mac(c.vers, serverMAC)

  687. 	} else {

  688. 		clientCipher = hs.suite.aead(clientKey, clientIV)

  689. 		serverCipher = hs.suite.aead(serverKey, serverIV)

  690. 	}

  691. 

  692. 	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)

  693. 	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)

  694. 

  695. 	return nil

  696. }

  697. 

  698. func (hs *serverHandshakeState) readFinished(out []byte) error {

  699. 	c := hs.c

  700. 

  701. 	c.readRecord(recordTypeChangeCipherSpec)

  702. 	if c.in.err != nil {

  703. 		return c.in.err

  704. 	}

  705. 

  706. 	if hs.hello.nextProtoNeg {

  707. 		msg, err := c.readHandshake()

  708. 		if err != nil {

  709. 			return err

  710. 		}

  711. 		nextProto, ok := msg.(*nextProtoMsg)

  712. 		if !ok {

  713. 			c.sendAlert(alertUnexpectedMessage)

  714. 			return unexpectedMessageError(nextProto, msg)

  715. 		}

  716. 		hs.finishedHash.Write(nextProto.marshal())

  717. 		c.clientProtocol = nextProto.proto

  718. 	}

  719. 

  720. 	msg, err := c.readHandshake()

  721. 	if err != nil {

  722. 		return err

  723. 	}

  724. 	clientFinished, ok := msg.(*finishedMsg)

  725. 	if !ok {

  726. 		c.sendAlert(alertUnexpectedMessage)

  727. 		return unexpectedMessageError(clientFinished, msg)

  728. 	}

  729. 

  730. 	verify := hs.finishedHash.clientSum(hs.masterSecret)

  731. 	if len(verify) != len(clientFinished.verifyData) ||

  732. 		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {

  733. 		c.sendAlert(alertDecryptError)

  734. 		return errors.New("tls: client's Finished message is incorrect")

  735. 	}

  736. 

  737. 	hs.finishedHash.Write(clientFinished.marshal())

  738. 	copy(out, verify)

  739. 	return nil

  740. }

  741. 

  742. func (hs *serverHandshakeState) sendSessionTicket() error {

  743. 	if !hs.hello.ticketSupported {

  744. 		return nil

  745. 	}

  746. 

  747. 	c := hs.c

  748. 	m := new(newSessionTicketMsg)

  749. 

  750. 	var err error

  751. 	state := sessionState{

  752. 		vers:         c.vers,

  753. 		cipherSuite:  hs.suite.id,

  754. 		masterSecret: hs.masterSecret,

  755. 		certificates: hs.certsFromClient,

  756. 	}

  757. 	m.ticket, err = c.encryptTicket(state.marshal())

  758. 	if err != nil {

  759. 		return err

  760. 	}

  761. 

  762. 	hs.finishedHash.Write(m.marshal())

  763. 	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {

  764. 		return err

  765. 	}

  766. 

  767. 	return nil

  768. }

  769. 

  770. func (hs *serverHandshakeState) sendFinished(out []byte) error {

  771. 	c := hs.c

  772. 

  773. 	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {

  774. 		return err

  775. 	}

  776. 

  777. 	finished := new(finishedMsg)

  778. 	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)

  779. 	hs.finishedHash.Write(finished.marshal())

  780. 	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {

  781. 		return err

  782. 	}

  783. 

  784. 	c.cipherSuite = hs.suite.id

  785. 	copy(out, finished.verifyData)

  786. 

  787. 	return nil

  788. }

  789. 

  790. // processCertsFromClient takes a chain of client certificates either from a

  791. // Certificates message or from a sessionState and verifies them. It returns

  792. // the public key of the leaf certificate.

  793. func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {

  794. 	c := hs.c

  795. 

  796. 	hs.certsFromClient = certificates

  797. 	certs := make([]*x509.Certificate, len(certificates))

  798. 	var err error

  799. 	for i, asn1Data := range certificates {

  800. 		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {

  801. 			c.sendAlert(alertBadCertificate)

  802. 			return nil, errors.New("tls: failed to parse client certificate: " + err.Error())

  803. 		}

  804. 	}

  805. 

  806. 	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {

  807. 		opts := x509.VerifyOptions{

  808. 			Roots:         c.config.ClientCAs,

  809. 			CurrentTime:   c.config.time(),

  810. 			Intermediates: x509.NewCertPool(),

  811. 			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},

  812. 		}

  813. 

  814. 		for _, cert := range certs[1:] {

  815. 			opts.Intermediates.AddCert(cert)

  816. 		}

  817. 

  818. 		chains, err := certs[0].Verify(opts)

  819. 		if err != nil {

  820. 			c.sendAlert(alertBadCertificate)

  821. 			return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())

  822. 		}

  823. 

  824. 		c.verifiedChains = chains

  825. 	}

  826. 

  827. 	if c.config.VerifyPeerCertificate != nil {

  828. 		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {

  829. 			c.sendAlert(alertBadCertificate)

  830. 			return nil, err

  831. 		}

  832. 	}

  833. 

  834. 	if len(certs) == 0 {

  835. 		return nil, nil

  836. 	}

  837. 

  838. 	var pub crypto.PublicKey

  839. 	switch key := certs[0].PublicKey.(type) {

  840. 	case *ecdsa.PublicKey, *rsa.PublicKey:

  841. 		pub = key

  842. 	default:

  843. 		c.sendAlert(alertUnsupportedCertificate)

  844. 		return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)

  845. 	}

  846. 	c.peerCertificates = certs

  847. 	return pub, nil

  848. }

  849. 

  850. // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState

  851. // suite if that cipher suite is acceptable to use.

  852. // It returns a bool indicating if the suite was set.

  853. func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {

  854. 	for _, supported := range supportedCipherSuites {

  855. 		if id == supported {

  856. 			var candidate *cipherSuite

  857. 

  858. 			for _, s := range cipherSuites {

  859. 				if s.id == id {

  860. 					candidate = s

  861. 					break

  862. 				}

  863. 			}

  864. 			if candidate == nil {

  865. 				continue

  866. 			}

  867. 

  868. 			if version >= VersionTLS13 && candidate.flags&suiteTLS13 != 0 {

  869. 				hs.suite = candidate

  870. 				return true

  871. 			}

  872. 			if version < VersionTLS13 && candidate.flags&suiteTLS13 != 0 {

  873. 				continue

  874. 			}

  875. 

  876. 			// Don't select a ciphersuite which we can't

  877. 			// support for this client.

  878. 			if candidate.flags&suiteECDHE != 0 {

  879. 				if !hs.ellipticOk {

  880. 					continue

  881. 				}

  882. 				if candidate.flags&suiteECDSA != 0 {

  883. 					if !hs.ecdsaOk {

  884. 						continue

  885. 					}

  886. 				} else if !hs.rsaSignOk {

  887. 					continue

  888. 				}

  889. 			} else if !hs.rsaDecryptOk {

  890. 				continue

  891. 			}

  892. 			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {

  893. 				continue

  894. 			}

  895. 			hs.suite = candidate

  896. 			return true

  897. 		}

  898. 	}

  899. 	return false

  900. }

  901. 

  902. // suppVersArray is the backing array of ClientHelloInfo.SupportedVersions

  903. var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}

  904. 

  905. func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo {

  906. 	if hs.cachedClientHelloInfo != nil {

  907. 		return hs.cachedClientHelloInfo

  908. 	}

  909. 

  910. 	var supportedVersions []uint16

  911. 	if hs.clientHello.supportedVersions != nil {

  912. 		supportedVersions = hs.clientHello.supportedVersions

  913. 	} else if hs.clientHello.vers > VersionTLS12 {

  914. 		supportedVersions = suppVersArray[:]

  915. 	} else if hs.clientHello.vers >= VersionSSL30 {

  916. 		supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:]

  917. 	}

  918. 

  919. 	var pskBinder []byte

  920. 	if len(hs.clientHello.psks) > 0 {

  921. 		pskBinder = hs.clientHello.psks[0].binder

  922. 	}

  923. 

  924. 	hs.cachedClientHelloInfo = &ClientHelloInfo{

  925. 		CipherSuites:               hs.clientHello.cipherSuites,

  926. 		ServerName:                 hs.clientHello.serverName,

  927. 		SupportedCurves:            hs.clientHello.supportedCurves,

  928. 		SupportedPoints:            hs.clientHello.supportedPoints,

  929. 		SignatureSchemes:           hs.clientHello.supportedSignatureAlgorithms,

  930. 		SupportedProtos:            hs.clientHello.alpnProtocols,

  931. 		SupportedVersions:          supportedVersions,

  932. 		Conn:                       hs.c.conn,

  933. 		Offered0RTTData:            hs.clientHello.earlyData,

  934. 		AcceptsDelegatedCredential: hs.clientHello.delegatedCredential,

  935. 		Fingerprint:                pskBinder,

  936. 	}

  937. 

  938. 	return hs.cachedClientHelloInfo

  939. }