kris
/
th5
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Alternative TLS implementation in Go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
47 Commits
3 Branches
2.6 MiB
 
 
Tree: f98d01fb7e
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f98d01fb7e'
${ noResults }
th5/handshake_server.go

281 lines
8.0 KiB
Raw Blame History 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. // The handshake goroutine reads handshake messages from the record processor

  8. // and outputs messages to be written on another channel. It updates the record

  9. // processor with the state of the connection via the control channel. In the

  10. // case of handshake messages that need synchronous processing (because they

  11. // affect the handling of the next record) the record processor knows about

  12. // them and either waits for a control message (Finished) or includes a reply

  13. // channel in the message (ChangeCipherSpec).

  14. 

  15. import (

  16. 	"crypto/hmac"

  17. 	"crypto/rc4"

  18. 	"crypto/rsa"

  19. 	"crypto/subtle"

  20. 	"crypto/x509"

  21. 	"io"

  22. 	"os"

  23. )

  24. 

  25. type cipherSuite struct {

  26. 	id                          uint16 // The number of this suite on the wire.

  27. 	hashLength, cipherKeyLength int

  28. 	// TODO(agl): need a method to create the cipher and hash interfaces.

  29. }

  30. 

  31. var cipherSuites = []cipherSuite{

  32. 	{TLS_RSA_WITH_RC4_128_SHA, 20, 16},

  33. }

  34. 

  35. func (c *Conn) serverHandshake() os.Error {

  36. 	config := c.config

  37. 	msg, err := c.readHandshake()

  38. 	if err != nil {

  39. 		return err

  40. 	}

  41. 	clientHello, ok := msg.(*clientHelloMsg)

  42. 	if !ok {

  43. 		return c.sendAlert(alertUnexpectedMessage)

  44. 	}

  45. 	vers, ok := mutualVersion(clientHello.vers)

  46. 	if !ok {

  47. 		return c.sendAlert(alertProtocolVersion)

  48. 	}

  49. 	c.vers = vers

  50. 	c.haveVers = true

  51. 

  52. 	finishedHash := newFinishedHash()

  53. 	finishedHash.Write(clientHello.marshal())

  54. 

  55. 	hello := new(serverHelloMsg)

  56. 

  57. 	// We only support a single ciphersuite so we look for it in the list

  58. 	// of client supported suites.

  59. 	//

  60. 	// TODO(agl): Add additional cipher suites.

  61. 	var suite *cipherSuite

  62. 

  63. 	for _, id := range clientHello.cipherSuites {

  64. 		for _, supported := range cipherSuites {

  65. 			if supported.id == id {

  66. 				suite = &supported

  67. 				break

  68. 			}

  69. 		}

  70. 	}

  71. 

  72. 	foundCompression := false

  73. 	// We only support null compression, so check that the client offered it.

  74. 	for _, compression := range clientHello.compressionMethods {

  75. 		if compression == compressionNone {

  76. 			foundCompression = true

  77. 			break

  78. 		}

  79. 	}

  80. 

  81. 	if suite == nil || !foundCompression {

  82. 		return c.sendAlert(alertHandshakeFailure)

  83. 	}

  84. 

  85. 	hello.vers = vers

  86. 	hello.cipherSuite = suite.id

  87. 	t := uint32(config.time())

  88. 	hello.random = make([]byte, 32)

  89. 	hello.random[0] = byte(t >> 24)

  90. 	hello.random[1] = byte(t >> 16)

  91. 	hello.random[2] = byte(t >> 8)

  92. 	hello.random[3] = byte(t)

  93. 	_, err = io.ReadFull(config.rand(), hello.random[4:])

  94. 	if err != nil {

  95. 		return c.sendAlert(alertInternalError)

  96. 	}

  97. 	hello.compressionMethod = compressionNone

  98. 	if clientHello.nextProtoNeg {

  99. 		hello.nextProtoNeg = true

  100. 		hello.nextProtos = config.NextProtos

  101. 	}

  102. 

  103. 	finishedHash.Write(hello.marshal())

  104. 	c.writeRecord(recordTypeHandshake, hello.marshal())

  105. 

  106. 	if len(config.Certificates) == 0 {

  107. 		return c.sendAlert(alertInternalError)

  108. 	}

  109. 

  110. 	certMsg := new(certificateMsg)

  111. 	certMsg.certificates = config.Certificates[0].Certificate

  112. 	finishedHash.Write(certMsg.marshal())

  113. 	c.writeRecord(recordTypeHandshake, certMsg.marshal())

  114. 

  115. 	if config.AuthenticateClient {

  116. 		// Request a client certificate

  117. 		certReq := new(certificateRequestMsg)

  118. 		certReq.certificateTypes = []byte{certTypeRSASign}

  119. 		// An empty list of certificateAuthorities signals to

  120. 		// the client that it may send any certificate in response

  121. 		// to our request.

  122. 

  123. 		finishedHash.Write(certReq.marshal())

  124. 		c.writeRecord(recordTypeHandshake, certReq.marshal())

  125. 	}

  126. 

  127. 	helloDone := new(serverHelloDoneMsg)

  128. 	finishedHash.Write(helloDone.marshal())

  129. 	c.writeRecord(recordTypeHandshake, helloDone.marshal())

  130. 

  131. 	var pub *rsa.PublicKey

  132. 	if config.AuthenticateClient {

  133. 		// Get client certificate

  134. 		msg, err = c.readHandshake()

  135. 		if err != nil {

  136. 			return err

  137. 		}

  138. 		certMsg, ok = msg.(*certificateMsg)

  139. 		if !ok {

  140. 			return c.sendAlert(alertUnexpectedMessage)

  141. 		}

  142. 		finishedHash.Write(certMsg.marshal())

  143. 

  144. 		certs := make([]*x509.Certificate, len(certMsg.certificates))

  145. 		for i, asn1Data := range certMsg.certificates {

  146. 			cert, err := x509.ParseCertificate(asn1Data)

  147. 			if err != nil {

  148. 				c.sendAlert(alertBadCertificate)

  149. 				return os.ErrorString("could not parse client's certificate: " + err.String())

  150. 			}

  151. 			certs[i] = cert

  152. 		}

  153. 

  154. 		// TODO(agl): do better validation of certs: max path length, name restrictions etc.

  155. 		for i := 1; i < len(certs); i++ {

  156. 			if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {

  157. 				c.sendAlert(alertBadCertificate)

  158. 				return os.ErrorString("could not validate certificate signature: " + err.String())

  159. 			}

  160. 		}

  161. 

  162. 		if len(certs) > 0 {

  163. 			key, ok := certs[0].PublicKey.(*rsa.PublicKey)

  164. 			if !ok {

  165. 				return c.sendAlert(alertUnsupportedCertificate)

  166. 			}

  167. 			pub = key

  168. 			c.peerCertificates = certs

  169. 		}

  170. 	}

  171. 

  172. 	// Get client key exchange

  173. 	msg, err = c.readHandshake()

  174. 	if err != nil {

  175. 		return err

  176. 	}

  177. 	ckx, ok := msg.(*clientKeyExchangeMsg)

  178. 	if !ok {

  179. 		return c.sendAlert(alertUnexpectedMessage)

  180. 	}

  181. 	finishedHash.Write(ckx.marshal())

  182. 

  183. 	// If we received a client cert in response to our certificate request message,

  184. 	// the client will send us a certificateVerifyMsg immediately after the

  185. 	// clientKeyExchangeMsg.  This message is a MD5SHA1 digest of all preceeding

  186. 	// handshake-layer messages that is signed using the private key corresponding

  187. 	// to the client's certificate. This allows us to verify that the client is in

  188. 	// posession of the private key of the certificate.

  189. 	if len(c.peerCertificates) > 0 {

  190. 		msg, err = c.readHandshake()

  191. 		if err != nil {

  192. 			return err

  193. 		}

  194. 		certVerify, ok := msg.(*certificateVerifyMsg)

  195. 		if !ok {

  196. 			return c.sendAlert(alertUnexpectedMessage)

  197. 		}

  198. 

  199. 		digest := make([]byte, 36)

  200. 		copy(digest[0:16], finishedHash.serverMD5.Sum())

  201. 		copy(digest[16:36], finishedHash.serverSHA1.Sum())

  202. 		err = rsa.VerifyPKCS1v15(pub, rsa.HashMD5SHA1, digest, certVerify.signature)

  203. 		if err != nil {

  204. 			c.sendAlert(alertBadCertificate)

  205. 			return os.ErrorString("could not validate signature of connection nonces: " + err.String())

  206. 		}

  207. 

  208. 		finishedHash.Write(certVerify.marshal())

  209. 	}

  210. 

  211. 	preMasterSecret := make([]byte, 48)

  212. 	_, err = io.ReadFull(config.rand(), preMasterSecret[2:])

  213. 	if err != nil {

  214. 		return c.sendAlert(alertInternalError)

  215. 	}

  216. 

  217. 	err = rsa.DecryptPKCS1v15SessionKey(config.rand(), config.Certificates[0].PrivateKey, ckx.ciphertext, preMasterSecret)

  218. 	if err != nil {

  219. 		return c.sendAlert(alertHandshakeFailure)

  220. 	}

  221. 	// We don't check the version number in the premaster secret. For one,

  222. 	// by checking it, we would leak information about the validity of the

  223. 	// encrypted pre-master secret. Secondly, it provides only a small

  224. 	// benefit against a downgrade attack and some implementations send the

  225. 	// wrong version anyway. See the discussion at the end of section

  226. 	// 7.4.7.1 of RFC 4346.

  227. 

  228. 	masterSecret, clientMAC, serverMAC, clientKey, serverKey :=

  229. 		keysFromPreMasterSecret11(preMasterSecret, clientHello.random, hello.random, suite.hashLength, suite.cipherKeyLength)

  230. 

  231. 	cipher, _ := rc4.NewCipher(clientKey)

  232. 	c.in.prepareCipherSpec(cipher, hmac.NewSHA1(clientMAC))

  233. 	c.readRecord(recordTypeChangeCipherSpec)

  234. 	if err := c.error(); err != nil {

  235. 		return err

  236. 	}

  237. 

  238. 	if hello.nextProtoNeg {

  239. 		msg, err = c.readHandshake()

  240. 		if err != nil {

  241. 			return err

  242. 		}

  243. 		nextProto, ok := msg.(*nextProtoMsg)

  244. 		if !ok {

  245. 			return c.sendAlert(alertUnexpectedMessage)

  246. 		}

  247. 		finishedHash.Write(nextProto.marshal())

  248. 		c.clientProtocol = nextProto.proto

  249. 	}

  250. 

  251. 	msg, err = c.readHandshake()

  252. 	if err != nil {

  253. 		return err

  254. 	}

  255. 	clientFinished, ok := msg.(*finishedMsg)

  256. 	if !ok {

  257. 		return c.sendAlert(alertUnexpectedMessage)

  258. 	}

  259. 

  260. 	verify := finishedHash.clientSum(masterSecret)

  261. 	if len(verify) != len(clientFinished.verifyData) ||

  262. 		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {

  263. 		return c.sendAlert(alertHandshakeFailure)

  264. 	}

  265. 

  266. 	finishedHash.Write(clientFinished.marshal())

  267. 

  268. 	cipher2, _ := rc4.NewCipher(serverKey)

  269. 	c.out.prepareCipherSpec(cipher2, hmac.NewSHA1(serverMAC))

  270. 	c.writeRecord(recordTypeChangeCipherSpec, []byte{1})

  271. 

  272. 	finished := new(finishedMsg)

  273. 	finished.verifyData = finishedHash.serverSum(masterSecret)

  274. 	c.writeRecord(recordTypeHandshake, finished.marshal())

  275. 

  276. 	c.handshakeComplete = true

  277. 	c.cipherSuite = TLS_RSA_WITH_RC4_128_SHA

  278. 

  279. 	return nil

  280. }