kris
/
tls-tris
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
332 Commits
4 Branches
2.5 MiB
 
 
 
 
 
 
Tree: c9d95e7aac
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c9d95e7aac'
${ noResults }
tls-tris/handshake_server.go

843 lines
24 KiB
Raw Blame History 

  1. // Copyright 2009 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package tls

  6. 

  7. import (

  8. 	"crypto"

  9. 	"crypto/ecdsa"

  10. 	"crypto/rsa"

  11. 	"crypto/subtle"

  12. 	"crypto/x509"

  13. 	"encoding/asn1"

  14. 	"errors"

  15. 	"fmt"

  16. 	"io"

  17. )

  18. 

  19. // serverHandshakeState contains details of a server handshake in progress.

  20. // It's discarded once the handshake has completed.

  21. type serverHandshakeState struct {

  22. 	c                     *Conn

  23. 	clientHello           *clientHelloMsg

  24. 	hello                 *serverHelloMsg

  25. 	suite                 *cipherSuite

  26. 	ellipticOk            bool

  27. 	ecdsaOk               bool

  28. 	rsaDecryptOk          bool

  29. 	rsaSignOk             bool

  30. 	sessionState          *sessionState

  31. 	finishedHash          finishedHash

  32. 	masterSecret          []byte

  33. 	certsFromClient       [][]byte

  34. 	cert                  *Certificate

  35. 	cachedClientHelloInfo *ClientHelloInfo

  36. }

  37. 

  38. // serverHandshake performs a TLS handshake as a server.

  39. // c.out.Mutex <= L; c.handshakeMutex <= L.

  40. func (c *Conn) serverHandshake() error {

  41. 	// If this is the first server handshake, we generate a random key to

  42. 	// encrypt the tickets with.

  43. 	c.config.serverInitOnce.Do(c.config.serverInit)

  44. 

  45. 	hs := serverHandshakeState{

  46. 		c: c,

  47. 	}

  48. 	isResume, err := hs.readClientHello()

  49. 	if err != nil {

  50. 		return err

  51. 	}

  52. 

  53. 	// For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3

  54. 	c.buffering = true

  55. 	if isResume {

  56. 		// The client has included a session ticket and so we do an abbreviated handshake.

  57. 		if err := hs.doResumeHandshake(); err != nil {

  58. 			return err

  59. 		}

  60. 		if err := hs.establishKeys(); err != nil {

  61. 			return err

  62. 		}

  63. 		// ticketSupported is set in a resumption handshake if the

  64. 		// ticket from the client was encrypted with an old session

  65. 		// ticket key and thus a refreshed ticket should be sent.

  66. 		if hs.hello.ticketSupported {

  67. 			if err := hs.sendSessionTicket(); err != nil {

  68. 				return err

  69. 			}

  70. 		}

  71. 		if err := hs.sendFinished(c.serverFinished[:]); err != nil {

  72. 			return err

  73. 		}

  74. 		if _, err := c.flush(); err != nil {

  75. 			return err

  76. 		}

  77. 		c.clientFinishedIsFirst = false

  78. 		if err := hs.readFinished(nil); err != nil {

  79. 			return err

  80. 		}

  81. 		c.didResume = true

  82. 	} else {

  83. 		// The client didn't include a session ticket, or it wasn't

  84. 		// valid so we do a full handshake.

  85. 		if err := hs.doFullHandshake(); err != nil {

  86. 			return err

  87. 		}

  88. 		if err := hs.establishKeys(); err != nil {

  89. 			return err

  90. 		}

  91. 		if err := hs.readFinished(c.clientFinished[:]); err != nil {

  92. 			return err

  93. 		}

  94. 		c.clientFinishedIsFirst = true

  95. 		c.buffering = true

  96. 		if err := hs.sendSessionTicket(); err != nil {

  97. 			return err

  98. 		}

  99. 		if err := hs.sendFinished(nil); err != nil {

  100. 			return err

  101. 		}

  102. 		if _, err := c.flush(); err != nil {

  103. 			return err

  104. 		}

  105. 	}

  106. 	c.handshakeComplete = true

  107. 

  108. 	return nil

  109. }

  110. 

  111. // readClientHello reads a ClientHello message from the client and decides

  112. // whether we will perform session resumption.

  113. func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {

  114. 	c := hs.c

  115. 

  116. 	msg, err := c.readHandshake()

  117. 	if err != nil {

  118. 		return false, err

  119. 	}

  120. 	var ok bool

  121. 	hs.clientHello, ok = msg.(*clientHelloMsg)

  122. 	if !ok {

  123. 		c.sendAlert(alertUnexpectedMessage)

  124. 		return false, unexpectedMessageError(hs.clientHello, msg)

  125. 	}

  126. 

  127. 	if c.config.GetConfigForClient != nil {

  128. 		if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil {

  129. 			c.sendAlert(alertInternalError)

  130. 			return false, err

  131. 		} else if newConfig != nil {

  132. 			newConfig.mutex.Lock()

  133. 			newConfig.originalConfig = c.config

  134. 			newConfig.mutex.Unlock()

  135. 

  136. 			newConfig.serverInitOnce.Do(newConfig.serverInit)

  137. 			c.config = newConfig

  138. 		}

  139. 	}

  140. 

  141. 	c.vers, ok = c.config.mutualVersion(hs.clientHello.vers)

  142. 	if !ok {

  143. 		c.sendAlert(alertProtocolVersion)

  144. 		return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)

  145. 	}

  146. 	c.haveVers = true

  147. 

  148. 	hs.hello = new(serverHelloMsg)

  149. 

  150. 	supportedCurve := false

  151. 	preferredCurves := c.config.curvePreferences()

  152. Curves:

  153. 	for _, curve := range hs.clientHello.supportedCurves {

  154. 		for _, supported := range preferredCurves {

  155. 			if supported == curve {

  156. 				supportedCurve = true

  157. 				break Curves

  158. 			}

  159. 		}

  160. 	}

  161. 

  162. 	supportedPointFormat := false

  163. 	for _, pointFormat := range hs.clientHello.supportedPoints {

  164. 		if pointFormat == pointFormatUncompressed {

  165. 			supportedPointFormat = true

  166. 			break

  167. 		}

  168. 	}

  169. 	hs.ellipticOk = supportedCurve && supportedPointFormat

  170. 

  171. 	foundCompression := false

  172. 	// We only support null compression, so check that the client offered it.

  173. 	for _, compression := range hs.clientHello.compressionMethods {

  174. 		if compression == compressionNone {

  175. 			foundCompression = true

  176. 			break

  177. 		}

  178. 	}

  179. 

  180. 	if !foundCompression {

  181. 		c.sendAlert(alertHandshakeFailure)

  182. 		return false, errors.New("tls: client does not support uncompressed connections")

  183. 	}

  184. 

  185. 	hs.hello.vers = c.vers

  186. 	hs.hello.random = make([]byte, 32)

  187. 	_, err = io.ReadFull(c.config.rand(), hs.hello.random)

  188. 	if err != nil {

  189. 		c.sendAlert(alertInternalError)

  190. 		return false, err

  191. 	}

  192. 

  193. 	if len(hs.clientHello.secureRenegotiation) != 0 {

  194. 		c.sendAlert(alertHandshakeFailure)

  195. 		return false, errors.New("tls: initial handshake had non-empty renegotiation extension")

  196. 	}

  197. 

  198. 	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported

  199. 	hs.hello.compressionMethod = compressionNone

  200. 	if len(hs.clientHello.serverName) > 0 {

  201. 		c.serverName = hs.clientHello.serverName

  202. 	}

  203. 

  204. 	if len(hs.clientHello.alpnProtocols) > 0 {

  205. 		if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {

  206. 			hs.hello.alpnProtocol = selectedProto

  207. 			c.clientProtocol = selectedProto

  208. 		}

  209. 	} else {

  210. 		// Although sending an empty NPN extension is reasonable, Firefox has

  211. 		// had a bug around this. Best to send nothing at all if

  212. 		// c.config.NextProtos is empty. See

  213. 		// https://golang.org/issue/5445.

  214. 		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 {

  215. 			hs.hello.nextProtoNeg = true

  216. 			hs.hello.nextProtos = c.config.NextProtos

  217. 		}

  218. 	}

  219. 

  220. 	hs.cert, err = c.config.getCertificate(hs.clientHelloInfo())

  221. 	if err != nil {

  222. 		c.sendAlert(alertInternalError)

  223. 		return false, err

  224. 	}

  225. 	if hs.clientHello.scts {

  226. 		hs.hello.scts = hs.cert.SignedCertificateTimestamps

  227. 	}

  228. 

  229. 	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {

  230. 		switch priv.Public().(type) {

  231. 		case *ecdsa.PublicKey:

  232. 			hs.ecdsaOk = true

  233. 		case *rsa.PublicKey:

  234. 			hs.rsaSignOk = true

  235. 		default:

  236. 			c.sendAlert(alertInternalError)

  237. 			return false, fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())

  238. 		}

  239. 	}

  240. 	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {

  241. 		switch priv.Public().(type) {

  242. 		case *rsa.PublicKey:

  243. 			hs.rsaDecryptOk = true

  244. 		default:

  245. 			c.sendAlert(alertInternalError)

  246. 			return false, fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())

  247. 		}

  248. 	}

  249. 

  250. 	if hs.checkForResumption() {

  251. 		return true, nil

  252. 	}

  253. 

  254. 	var preferenceList, supportedList []uint16

  255. 	if c.config.PreferServerCipherSuites {

  256. 		preferenceList = c.config.cipherSuites()

  257. 		supportedList = hs.clientHello.cipherSuites

  258. 	} else {

  259. 		preferenceList = hs.clientHello.cipherSuites

  260. 		supportedList = c.config.cipherSuites()

  261. 	}

  262. 

  263. 	for _, id := range preferenceList {

  264. 		if hs.setCipherSuite(id, supportedList, c.vers) {

  265. 			break

  266. 		}

  267. 	}

  268. 

  269. 	if hs.suite == nil {

  270. 		c.sendAlert(alertHandshakeFailure)

  271. 		return false, errors.New("tls: no cipher suite supported by both client and server")

  272. 	}

  273. 

  274. 	// See https://tools.ietf.org/html/rfc7507.

  275. 	for _, id := range hs.clientHello.cipherSuites {

  276. 		if id == TLS_FALLBACK_SCSV {

  277. 			// The client is doing a fallback connection.

  278. 			if hs.clientHello.vers < c.config.maxVersion() {

  279. 				c.sendAlert(alertInappropriateFallback)

  280. 				return false, errors.New("tls: client using inappropriate protocol fallback")

  281. 			}

  282. 			break

  283. 		}

  284. 	}

  285. 

  286. 	return false, nil

  287. }

  288. 

  289. // checkForResumption reports whether we should perform resumption on this connection.

  290. func (hs *serverHandshakeState) checkForResumption() bool {

  291. 	c := hs.c

  292. 

  293. 	if c.config.SessionTicketsDisabled {

  294. 		return false

  295. 	}

  296. 

  297. 	var ok bool

  298. 	var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...)

  299. 	if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok {

  300. 		return false

  301. 	}

  302. 

  303. 	// Never resume a session for a different TLS version.

  304. 	if c.vers != hs.sessionState.vers {

  305. 		return false

  306. 	}

  307. 

  308. 	cipherSuiteOk := false

  309. 	// Check that the client is still offering the ciphersuite in the session.

  310. 	for _, id := range hs.clientHello.cipherSuites {

  311. 		if id == hs.sessionState.cipherSuite {

  312. 			cipherSuiteOk = true

  313. 			break

  314. 		}

  315. 	}

  316. 	if !cipherSuiteOk {

  317. 		return false

  318. 	}

  319. 

  320. 	// Check that we also support the ciphersuite from the session.

  321. 	if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {

  322. 		return false

  323. 	}

  324. 

  325. 	sessionHasClientCerts := len(hs.sessionState.certificates) != 0

  326. 	needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert

  327. 	if needClientCerts && !sessionHasClientCerts {

  328. 		return false

  329. 	}

  330. 	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {

  331. 		return false

  332. 	}

  333. 

  334. 	return true

  335. }

  336. 

  337. func (hs *serverHandshakeState) doResumeHandshake() error {

  338. 	c := hs.c

  339. 

  340. 	hs.hello.cipherSuite = hs.suite.id

  341. 	// We echo the client's session ID in the ServerHello to let it know

  342. 	// that we're doing a resumption.

  343. 	hs.hello.sessionId = hs.clientHello.sessionId

  344. 	hs.hello.ticketSupported = hs.sessionState.usedOldKey

  345. 	hs.finishedHash = newFinishedHash(c.vers, hs.suite)

  346. 	hs.finishedHash.discardHandshakeBuffer()

  347. 	hs.finishedHash.Write(hs.clientHello.marshal())

  348. 	hs.finishedHash.Write(hs.hello.marshal())

  349. 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {

  350. 		return err

  351. 	}

  352. 

  353. 	if len(hs.sessionState.certificates) > 0 {

  354. 		if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {

  355. 			return err

  356. 		}

  357. 	}

  358. 

  359. 	hs.masterSecret = hs.sessionState.masterSecret

  360. 

  361. 	return nil

  362. }

  363. 

  364. func (hs *serverHandshakeState) doFullHandshake() error {

  365. 	c := hs.c

  366. 

  367. 	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {

  368. 		hs.hello.ocspStapling = true

  369. 	}

  370. 

  371. 	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled

  372. 	hs.hello.cipherSuite = hs.suite.id

  373. 

  374. 	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)

  375. 	if c.config.ClientAuth == NoClientCert {

  376. 		// No need to keep a full record of the handshake if client

  377. 		// certificates won't be used.

  378. 		hs.finishedHash.discardHandshakeBuffer()

  379. 	}

  380. 	hs.finishedHash.Write(hs.clientHello.marshal())

  381. 	hs.finishedHash.Write(hs.hello.marshal())

  382. 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {

  383. 		return err

  384. 	}

  385. 

  386. 	certMsg := new(certificateMsg)

  387. 	certMsg.certificates = hs.cert.Certificate

  388. 	hs.finishedHash.Write(certMsg.marshal())

  389. 	if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {

  390. 		return err

  391. 	}

  392. 

  393. 	if hs.hello.ocspStapling {

  394. 		certStatus := new(certificateStatusMsg)

  395. 		certStatus.statusType = statusTypeOCSP

  396. 		certStatus.response = hs.cert.OCSPStaple

  397. 		hs.finishedHash.Write(certStatus.marshal())

  398. 		if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {

  399. 			return err

  400. 		}

  401. 	}

  402. 

  403. 	keyAgreement := hs.suite.ka(c.vers)

  404. 	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)

  405. 	if err != nil {

  406. 		c.sendAlert(alertHandshakeFailure)

  407. 		return err

  408. 	}

  409. 	if skx != nil {

  410. 		hs.finishedHash.Write(skx.marshal())

  411. 		if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {

  412. 			return err

  413. 		}

  414. 	}

  415. 

  416. 	if c.config.ClientAuth >= RequestClientCert {

  417. 		// Request a client certificate

  418. 		certReq := new(certificateRequestMsg)

  419. 		certReq.certificateTypes = []byte{

  420. 			byte(certTypeRSASign),

  421. 			byte(certTypeECDSASign),

  422. 		}

  423. 		if c.vers >= VersionTLS12 {

  424. 			certReq.hasSignatureAndHash = true

  425. 			certReq.signatureAndHashes = supportedSignatureAlgorithms

  426. 		}

  427. 

  428. 		// An empty list of certificateAuthorities signals to

  429. 		// the client that it may send any certificate in response

  430. 		// to our request. When we know the CAs we trust, then

  431. 		// we can send them down, so that the client can choose

  432. 		// an appropriate certificate to give to us.

  433. 		if c.config.ClientCAs != nil {

  434. 			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()

  435. 		}

  436. 		hs.finishedHash.Write(certReq.marshal())

  437. 		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {

  438. 			return err

  439. 		}

  440. 	}

  441. 

  442. 	helloDone := new(serverHelloDoneMsg)

  443. 	hs.finishedHash.Write(helloDone.marshal())

  444. 	if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {

  445. 		return err

  446. 	}

  447. 

  448. 	if _, err := c.flush(); err != nil {

  449. 		return err

  450. 	}

  451. 

  452. 	var pub crypto.PublicKey // public key for client auth, if any

  453. 

  454. 	msg, err := c.readHandshake()

  455. 	if err != nil {

  456. 		return err

  457. 	}

  458. 

  459. 	var ok bool

  460. 	// If we requested a client certificate, then the client must send a

  461. 	// certificate message, even if it's empty.

  462. 	if c.config.ClientAuth >= RequestClientCert {

  463. 		if certMsg, ok = msg.(*certificateMsg); !ok {

  464. 			c.sendAlert(alertUnexpectedMessage)

  465. 			return unexpectedMessageError(certMsg, msg)

  466. 		}

  467. 		hs.finishedHash.Write(certMsg.marshal())

  468. 

  469. 		if len(certMsg.certificates) == 0 {

  470. 			// The client didn't actually send a certificate

  471. 			switch c.config.ClientAuth {

  472. 			case RequireAnyClientCert, RequireAndVerifyClientCert:

  473. 				c.sendAlert(alertBadCertificate)

  474. 				return errors.New("tls: client didn't provide a certificate")

  475. 			}

  476. 		}

  477. 

  478. 		pub, err = hs.processCertsFromClient(certMsg.certificates)

  479. 		if err != nil {

  480. 			return err

  481. 		}

  482. 

  483. 		msg, err = c.readHandshake()

  484. 		if err != nil {

  485. 			return err

  486. 		}

  487. 	}

  488. 

  489. 	// Get client key exchange

  490. 	ckx, ok := msg.(*clientKeyExchangeMsg)

  491. 	if !ok {

  492. 		c.sendAlert(alertUnexpectedMessage)

  493. 		return unexpectedMessageError(ckx, msg)

  494. 	}

  495. 	hs.finishedHash.Write(ckx.marshal())

  496. 

  497. 	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)

  498. 	if err != nil {

  499. 		c.sendAlert(alertHandshakeFailure)

  500. 		return err

  501. 	}

  502. 	hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)

  503. 	if err := c.config.writeKeyLog(hs.clientHello.random, hs.masterSecret); err != nil {

  504. 		c.sendAlert(alertInternalError)

  505. 		return err

  506. 	}

  507. 

  508. 	// If we received a client cert in response to our certificate request message,

  509. 	// the client will send us a certificateVerifyMsg immediately after the

  510. 	// clientKeyExchangeMsg. This message is a digest of all preceding

  511. 	// handshake-layer messages that is signed using the private key corresponding

  512. 	// to the client's certificate. This allows us to verify that the client is in

  513. 	// possession of the private key of the certificate.

  514. 	if len(c.peerCertificates) > 0 {

  515. 		msg, err = c.readHandshake()

  516. 		if err != nil {

  517. 			return err

  518. 		}

  519. 		certVerify, ok := msg.(*certificateVerifyMsg)

  520. 		if !ok {

  521. 			c.sendAlert(alertUnexpectedMessage)

  522. 			return unexpectedMessageError(certVerify, msg)

  523. 		}

  524. 

  525. 		// Determine the signature type.

  526. 		var signatureAndHash signatureAndHash

  527. 		if certVerify.hasSignatureAndHash {

  528. 			signatureAndHash = certVerify.signatureAndHash

  529. 			if !isSupportedSignatureAndHash(signatureAndHash, supportedSignatureAlgorithms) {

  530. 				return errors.New("tls: unsupported hash function for client certificate")

  531. 			}

  532. 		} else {

  533. 			// Before TLS 1.2 the signature algorithm was implicit

  534. 			// from the key type, and only one hash per signature

  535. 			// algorithm was possible. Leave the hash as zero.

  536. 			switch pub.(type) {

  537. 			case *ecdsa.PublicKey:

  538. 				signatureAndHash.signature = signatureECDSA

  539. 			case *rsa.PublicKey:

  540. 				signatureAndHash.signature = signatureRSA

  541. 			}

  542. 		}

  543. 

  544. 		switch key := pub.(type) {

  545. 		case *ecdsa.PublicKey:

  546. 			if signatureAndHash.signature != signatureECDSA {

  547. 				err = errors.New("tls: bad signature type for client's ECDSA certificate")

  548. 				break

  549. 			}

  550. 			ecdsaSig := new(ecdsaSignature)

  551. 			if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {

  552. 				break

  553. 			}

  554. 			if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {

  555. 				err = errors.New("tls: ECDSA signature contained zero or negative values")

  556. 				break

  557. 			}

  558. 			var digest []byte

  559. 			if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {

  560. 				break

  561. 			}

  562. 			if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {

  563. 				err = errors.New("tls: ECDSA verification failure")

  564. 			}

  565. 		case *rsa.PublicKey:

  566. 			if signatureAndHash.signature != signatureRSA {

  567. 				err = errors.New("tls: bad signature type for client's RSA certificate")

  568. 				break

  569. 			}

  570. 			var digest []byte

  571. 			var hashFunc crypto.Hash

  572. 			if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {

  573. 				break

  574. 			}

  575. 			err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature)

  576. 		}

  577. 		if err != nil {

  578. 			c.sendAlert(alertBadCertificate)

  579. 			return errors.New("tls: could not validate signature of connection nonces: " + err.Error())

  580. 		}

  581. 

  582. 		hs.finishedHash.Write(certVerify.marshal())

  583. 	}

  584. 

  585. 	hs.finishedHash.discardHandshakeBuffer()

  586. 

  587. 	return nil

  588. }

  589. 

  590. func (hs *serverHandshakeState) establishKeys() error {

  591. 	c := hs.c

  592. 

  593. 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=

  594. 		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)

  595. 

  596. 	var clientCipher, serverCipher interface{}

  597. 	var clientHash, serverHash macFunction

  598. 

  599. 	if hs.suite.aead == nil {

  600. 		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)

  601. 		clientHash = hs.suite.mac(c.vers, clientMAC)

  602. 		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)

  603. 		serverHash = hs.suite.mac(c.vers, serverMAC)

  604. 	} else {

  605. 		clientCipher = hs.suite.aead(clientKey, clientIV)

  606. 		serverCipher = hs.suite.aead(serverKey, serverIV)

  607. 	}

  608. 

  609. 	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)

  610. 	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)

  611. 

  612. 	return nil

  613. }

  614. 

  615. func (hs *serverHandshakeState) readFinished(out []byte) error {

  616. 	c := hs.c

  617. 

  618. 	c.readRecord(recordTypeChangeCipherSpec)

  619. 	if c.in.err != nil {

  620. 		return c.in.err

  621. 	}

  622. 

  623. 	if hs.hello.nextProtoNeg {

  624. 		msg, err := c.readHandshake()

  625. 		if err != nil {

  626. 			return err

  627. 		}

  628. 		nextProto, ok := msg.(*nextProtoMsg)

  629. 		if !ok {

  630. 			c.sendAlert(alertUnexpectedMessage)

  631. 			return unexpectedMessageError(nextProto, msg)

  632. 		}

  633. 		hs.finishedHash.Write(nextProto.marshal())

  634. 		c.clientProtocol = nextProto.proto

  635. 	}

  636. 

  637. 	msg, err := c.readHandshake()

  638. 	if err != nil {

  639. 		return err

  640. 	}

  641. 	clientFinished, ok := msg.(*finishedMsg)

  642. 	if !ok {

  643. 		c.sendAlert(alertUnexpectedMessage)

  644. 		return unexpectedMessageError(clientFinished, msg)

  645. 	}

  646. 

  647. 	verify := hs.finishedHash.clientSum(hs.masterSecret)

  648. 	if len(verify) != len(clientFinished.verifyData) ||

  649. 		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {

  650. 		c.sendAlert(alertHandshakeFailure)

  651. 		return errors.New("tls: client's Finished message is incorrect")

  652. 	}

  653. 

  654. 	hs.finishedHash.Write(clientFinished.marshal())

  655. 	copy(out, verify)

  656. 	return nil

  657. }

  658. 

  659. func (hs *serverHandshakeState) sendSessionTicket() error {

  660. 	if !hs.hello.ticketSupported {

  661. 		return nil

  662. 	}

  663. 

  664. 	c := hs.c

  665. 	m := new(newSessionTicketMsg)

  666. 

  667. 	var err error

  668. 	state := sessionState{

  669. 		vers:         c.vers,

  670. 		cipherSuite:  hs.suite.id,

  671. 		masterSecret: hs.masterSecret,

  672. 		certificates: hs.certsFromClient,

  673. 	}

  674. 	m.ticket, err = c.encryptTicket(&state)

  675. 	if err != nil {

  676. 		return err

  677. 	}

  678. 

  679. 	hs.finishedHash.Write(m.marshal())

  680. 	if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {

  681. 		return err

  682. 	}

  683. 

  684. 	return nil

  685. }

  686. 

  687. func (hs *serverHandshakeState) sendFinished(out []byte) error {

  688. 	c := hs.c

  689. 

  690. 	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {

  691. 		return err

  692. 	}

  693. 

  694. 	finished := new(finishedMsg)

  695. 	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)

  696. 	hs.finishedHash.Write(finished.marshal())

  697. 	if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {

  698. 		return err

  699. 	}

  700. 

  701. 	c.cipherSuite = hs.suite.id

  702. 	copy(out, finished.verifyData)

  703. 

  704. 	return nil

  705. }

  706. 

  707. // processCertsFromClient takes a chain of client certificates either from a

  708. // Certificates message or from a sessionState and verifies them. It returns

  709. // the public key of the leaf certificate.

  710. func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {

  711. 	c := hs.c

  712. 

  713. 	hs.certsFromClient = certificates

  714. 	certs := make([]*x509.Certificate, len(certificates))

  715. 	var err error

  716. 	for i, asn1Data := range certificates {

  717. 		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {

  718. 			c.sendAlert(alertBadCertificate)

  719. 			return nil, errors.New("tls: failed to parse client certificate: " + err.Error())

  720. 		}

  721. 	}

  722. 

  723. 	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {

  724. 		opts := x509.VerifyOptions{

  725. 			Roots:         c.config.ClientCAs,

  726. 			CurrentTime:   c.config.time(),

  727. 			Intermediates: x509.NewCertPool(),

  728. 			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},

  729. 		}

  730. 

  731. 		for _, cert := range certs[1:] {

  732. 			opts.Intermediates.AddCert(cert)

  733. 		}

  734. 

  735. 		chains, err := certs[0].Verify(opts)

  736. 		if err != nil {

  737. 			c.sendAlert(alertBadCertificate)

  738. 			return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())

  739. 		}

  740. 

  741. 		c.verifiedChains = chains

  742. 	}

  743. 

  744. 	if c.config.VerifyPeerCertificate != nil {

  745. 		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {

  746. 			c.sendAlert(alertBadCertificate)

  747. 			return nil, err

  748. 		}

  749. 	}

  750. 

  751. 	if len(certs) == 0 {

  752. 		return nil, nil

  753. 	}

  754. 

  755. 	var pub crypto.PublicKey

  756. 	switch key := certs[0].PublicKey.(type) {

  757. 	case *ecdsa.PublicKey, *rsa.PublicKey:

  758. 		pub = key

  759. 	default:

  760. 		c.sendAlert(alertUnsupportedCertificate)

  761. 		return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)

  762. 	}

  763. 	c.peerCertificates = certs

  764. 	return pub, nil

  765. }

  766. 

  767. // setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState

  768. // suite if that cipher suite is acceptable to use.

  769. // It returns a bool indicating if the suite was set.

  770. func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {

  771. 	for _, supported := range supportedCipherSuites {

  772. 		if id == supported {

  773. 			var candidate *cipherSuite

  774. 

  775. 			for _, s := range cipherSuites {

  776. 				if s.id == id {

  777. 					candidate = s

  778. 					break

  779. 				}

  780. 			}

  781. 			if candidate == nil {

  782. 				continue

  783. 			}

  784. 			// Don't select a ciphersuite which we can't

  785. 			// support for this client.

  786. 			if candidate.flags&suiteECDHE != 0 {

  787. 				if !hs.ellipticOk {

  788. 					continue

  789. 				}

  790. 				if candidate.flags&suiteECDSA != 0 {

  791. 					if !hs.ecdsaOk {

  792. 						continue

  793. 					}

  794. 				} else if !hs.rsaSignOk {

  795. 					continue

  796. 				}

  797. 			} else if !hs.rsaDecryptOk {

  798. 				continue

  799. 			}

  800. 			if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {

  801. 				continue

  802. 			}

  803. 			hs.suite = candidate

  804. 			return true

  805. 		}

  806. 	}

  807. 	return false

  808. }

  809. 

  810. // suppVersArray is the backing array of ClientHelloInfo.SupportedVersions

  811. var suppVersArray = [...]uint16{VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}

  812. 

  813. func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo {

  814. 	if hs.cachedClientHelloInfo != nil {

  815. 		return hs.cachedClientHelloInfo

  816. 	}

  817. 

  818. 	var supportedVersions []uint16

  819. 	if hs.clientHello.vers > VersionTLS12 {

  820. 		supportedVersions = suppVersArray[:]

  821. 	} else if hs.clientHello.vers >= VersionSSL30 {

  822. 		supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:]

  823. 	}

  824. 

  825. 	signatureSchemes := make([]SignatureScheme, 0, len(hs.clientHello.signatureAndHashes))

  826. 	for _, sah := range hs.clientHello.signatureAndHashes {

  827. 		signatureSchemes = append(signatureSchemes, SignatureScheme(sah.hash)<<8+SignatureScheme(sah.signature))

  828. 	}

  829. 

  830. 	hs.cachedClientHelloInfo = &ClientHelloInfo{

  831. 		CipherSuites:      hs.clientHello.cipherSuites,

  832. 		ServerName:        hs.clientHello.serverName,

  833. 		SupportedCurves:   hs.clientHello.supportedCurves,

  834. 		SupportedPoints:   hs.clientHello.supportedPoints,

  835. 		SignatureSchemes:  signatureSchemes,

  836. 		SupportedProtos:   hs.clientHello.alpnProtocols,

  837. 		SupportedVersions: supportedVersions,

  838. 		Conn:              hs.c.conn,

  839. 	}

  840. 

  841. 	return hs.cachedClientHelloInfo

  842. }