Source file src/crypto/tls/handshake_server.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"context"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/rsa"
    13  	"crypto/subtle"
    14  	"crypto/x509"
    15  	"errors"
    16  	"fmt"
    17  	"hash"
    18  	"io"
    19  	"time"
    20  )
    21  
    22  // serverHandshakeState contains details of a server handshake in progress.
    23  // It's discarded once the handshake has completed.
    24  type serverHandshakeState struct {
    25  	c            *Conn
    26  	ctx          context.Context
    27  	clientHello  *clientHelloMsg
    28  	hello        *serverHelloMsg
    29  	suite        *cipherSuite
    30  	ecdheOk      bool
    31  	ecSignOk     bool
    32  	rsaDecryptOk bool
    33  	rsaSignOk    bool
    34  	sessionState *SessionState
    35  	finishedHash finishedHash
    36  	masterSecret []byte
    37  	cert         *Certificate
    38  }
    39  
    40  // serverHandshake performs a TLS handshake as a server.
    41  func (c *Conn) serverHandshake(ctx context.Context) error {
    42  	clientHello, err := c.readClientHello(ctx)
    43  	if err != nil {
    44  		return err
    45  	}
    46  
    47  	if c.vers == VersionTLS13 {
    48  		hs := serverHandshakeStateTLS13{
    49  			c:           c,
    50  			ctx:         ctx,
    51  			clientHello: clientHello,
    52  		}
    53  		return hs.handshake()
    54  	}
    55  
    56  	hs := serverHandshakeState{
    57  		c:           c,
    58  		ctx:         ctx,
    59  		clientHello: clientHello,
    60  	}
    61  	return hs.handshake()
    62  }
    63  
    64  func (hs *serverHandshakeState) handshake() error {
    65  	c := hs.c
    66  
    67  	if err := hs.processClientHello(); err != nil {
    68  		return err
    69  	}
    70  
    71  	// For an overview of TLS handshaking, see RFC 5246, Section 7.3.
    72  	c.buffering = true
    73  	if err := hs.checkForResumption(); err != nil {
    74  		return err
    75  	}
    76  	if hs.sessionState != nil {
    77  		// The client has included a session ticket and so we do an abbreviated handshake.
    78  		if err := hs.doResumeHandshake(); err != nil {
    79  			return err
    80  		}
    81  		if err := hs.establishKeys(); err != nil {
    82  			return err
    83  		}
    84  		if err := hs.sendSessionTicket(); err != nil {
    85  			return err
    86  		}
    87  		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
    88  			return err
    89  		}
    90  		if _, err := c.flush(); err != nil {
    91  			return err
    92  		}
    93  		c.clientFinishedIsFirst = false
    94  		if err := hs.readFinished(nil); err != nil {
    95  			return err
    96  		}
    97  	} else {
    98  		// The client didn't include a session ticket, or it wasn't
    99  		// valid so we do a full handshake.
   100  		if err := hs.pickCipherSuite(); err != nil {
   101  			return err
   102  		}
   103  		if err := hs.doFullHandshake(); err != nil {
   104  			return err
   105  		}
   106  		if err := hs.establishKeys(); err != nil {
   107  			return err
   108  		}
   109  		if err := hs.readFinished(c.clientFinished[:]); err != nil {
   110  			return err
   111  		}
   112  		c.clientFinishedIsFirst = true
   113  		c.buffering = true
   114  		if err := hs.sendSessionTicket(); err != nil {
   115  			return err
   116  		}
   117  		if err := hs.sendFinished(nil); err != nil {
   118  			return err
   119  		}
   120  		if _, err := c.flush(); err != nil {
   121  			return err
   122  		}
   123  	}
   124  
   125  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
   126  	c.isHandshakeComplete.Store(true)
   127  
   128  	return nil
   129  }
   130  
   131  // readClientHello reads a ClientHello message and selects the protocol version.
   132  func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
   133  	// clientHelloMsg is included in the transcript, but we haven't initialized
   134  	// it yet. The respective handshake functions will record it themselves.
   135  	msg, err := c.readHandshake(nil)
   136  	if err != nil {
   137  		return nil, err
   138  	}
   139  	clientHello, ok := msg.(*clientHelloMsg)
   140  	if !ok {
   141  		c.sendAlert(alertUnexpectedMessage)
   142  		return nil, unexpectedMessageError(clientHello, msg)
   143  	}
   144  
   145  	var configForClient *Config
   146  	originalConfig := c.config
   147  	if c.config.GetConfigForClient != nil {
   148  		chi := clientHelloInfo(ctx, c, clientHello)
   149  		if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
   150  			c.sendAlert(alertInternalError)
   151  			return nil, err
   152  		} else if configForClient != nil {
   153  			c.config = configForClient
   154  		}
   155  	}
   156  	c.ticketKeys = originalConfig.ticketKeys(configForClient)
   157  
   158  	clientVersions := clientHello.supportedVersions
   159  	if len(clientHello.supportedVersions) == 0 {
   160  		clientVersions = supportedVersionsFromMax(clientHello.vers)
   161  	}
   162  	c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
   163  	if !ok {
   164  		c.sendAlert(alertProtocolVersion)
   165  		return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
   166  	}
   167  	c.haveVers = true
   168  	c.in.version = c.vers
   169  	c.out.version = c.vers
   170  
   171  	if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
   172  		tls10server.IncNonDefault()
   173  	}
   174  
   175  	return clientHello, nil
   176  }
   177  
   178  func (hs *serverHandshakeState) processClientHello() error {
   179  	c := hs.c
   180  
   181  	hs.hello = new(serverHelloMsg)
   182  	hs.hello.vers = c.vers
   183  
   184  	foundCompression := false
   185  	// We only support null compression, so check that the client offered it.
   186  	for _, compression := range hs.clientHello.compressionMethods {
   187  		if compression == compressionNone {
   188  			foundCompression = true
   189  			break
   190  		}
   191  	}
   192  
   193  	if !foundCompression {
   194  		c.sendAlert(alertHandshakeFailure)
   195  		return errors.New("tls: client does not support uncompressed connections")
   196  	}
   197  
   198  	hs.hello.random = make([]byte, 32)
   199  	serverRandom := hs.hello.random
   200  	// Downgrade protection canaries. See RFC 8446, Section 4.1.3.
   201  	maxVers := c.config.maxSupportedVersion(roleServer)
   202  	if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
   203  		if c.vers == VersionTLS12 {
   204  			copy(serverRandom[24:], downgradeCanaryTLS12)
   205  		} else {
   206  			copy(serverRandom[24:], downgradeCanaryTLS11)
   207  		}
   208  		serverRandom = serverRandom[:24]
   209  	}
   210  	_, err := io.ReadFull(c.config.rand(), serverRandom)
   211  	if err != nil {
   212  		c.sendAlert(alertInternalError)
   213  		return err
   214  	}
   215  
   216  	if len(hs.clientHello.secureRenegotiation) != 0 {
   217  		c.sendAlert(alertHandshakeFailure)
   218  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   219  	}
   220  
   221  	hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
   222  	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
   223  	hs.hello.compressionMethod = compressionNone
   224  	if len(hs.clientHello.serverName) > 0 {
   225  		c.serverName = hs.clientHello.serverName
   226  	}
   227  
   228  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
   229  	if err != nil {
   230  		c.sendAlert(alertNoApplicationProtocol)
   231  		return err
   232  	}
   233  	hs.hello.alpnProtocol = selectedProto
   234  	c.clientProtocol = selectedProto
   235  
   236  	hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
   237  	if err != nil {
   238  		if err == errNoCertificates {
   239  			c.sendAlert(alertUnrecognizedName)
   240  		} else {
   241  			c.sendAlert(alertInternalError)
   242  		}
   243  		return err
   244  	}
   245  	if hs.clientHello.scts {
   246  		hs.hello.scts = hs.cert.SignedCertificateTimestamps
   247  	}
   248  
   249  	hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
   250  
   251  	if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
   252  		// Although omitting the ec_point_formats extension is permitted, some
   253  		// old OpenSSL version will refuse to handshake if not present.
   254  		//
   255  		// Per RFC 4492, section 5.1.2, implementations MUST support the
   256  		// uncompressed point format. See golang.org/issue/31943.
   257  		hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
   258  	}
   259  
   260  	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
   261  		switch priv.Public().(type) {
   262  		case *ecdsa.PublicKey:
   263  			hs.ecSignOk = true
   264  		case ed25519.PublicKey:
   265  			hs.ecSignOk = true
   266  		case *rsa.PublicKey:
   267  			hs.rsaSignOk = true
   268  		default:
   269  			c.sendAlert(alertInternalError)
   270  			return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
   271  		}
   272  	}
   273  	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
   274  		switch priv.Public().(type) {
   275  		case *rsa.PublicKey:
   276  			hs.rsaDecryptOk = true
   277  		default:
   278  			c.sendAlert(alertInternalError)
   279  			return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
   280  		}
   281  	}
   282  
   283  	return nil
   284  }
   285  
   286  // negotiateALPN picks a shared ALPN protocol that both sides support in server
   287  // preference order. If ALPN is not configured or the peer doesn't support it,
   288  // it returns "" and no error.
   289  func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
   290  	if len(serverProtos) == 0 || len(clientProtos) == 0 {
   291  		if quic && len(serverProtos) != 0 {
   292  			// RFC 9001, Section 8.1
   293  			return "", fmt.Errorf("tls: client did not request an application protocol")
   294  		}
   295  		return "", nil
   296  	}
   297  	var http11fallback bool
   298  	for _, s := range serverProtos {
   299  		for _, c := range clientProtos {
   300  			if s == c {
   301  				return s, nil
   302  			}
   303  			if s == "h2" && c == "http/1.1" {
   304  				http11fallback = true
   305  			}
   306  		}
   307  	}
   308  	// As a special case, let http/1.1 clients connect to h2 servers as if they
   309  	// didn't support ALPN. We used not to enforce protocol overlap, so over
   310  	// time a number of HTTP servers were configured with only "h2", but
   311  	// expected to accept connections from "http/1.1" clients. See Issue 46310.
   312  	if http11fallback {
   313  		return "", nil
   314  	}
   315  	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
   316  }
   317  
   318  // supportsECDHE returns whether ECDHE key exchanges can be used with this
   319  // pre-TLS 1.3 client.
   320  func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
   321  	supportsCurve := false
   322  	for _, curve := range supportedCurves {
   323  		if c.supportsCurve(curve) {
   324  			supportsCurve = true
   325  			break
   326  		}
   327  	}
   328  
   329  	supportsPointFormat := false
   330  	for _, pointFormat := range supportedPoints {
   331  		if pointFormat == pointFormatUncompressed {
   332  			supportsPointFormat = true
   333  			break
   334  		}
   335  	}
   336  	// Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is
   337  	// missing, uncompressed points are supported. If supportedPoints is empty,
   338  	// the extension must be missing, as an empty extension body is rejected by
   339  	// the parser. See https://go.dev/issue/49126.
   340  	if len(supportedPoints) == 0 {
   341  		supportsPointFormat = true
   342  	}
   343  
   344  	return supportsCurve && supportsPointFormat
   345  }
   346  
   347  func (hs *serverHandshakeState) pickCipherSuite() error {
   348  	c := hs.c
   349  
   350  	preferenceOrder := cipherSuitesPreferenceOrder
   351  	if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
   352  		preferenceOrder = cipherSuitesPreferenceOrderNoAES
   353  	}
   354  
   355  	configCipherSuites := c.config.cipherSuites()
   356  	preferenceList := make([]uint16, 0, len(configCipherSuites))
   357  	for _, suiteID := range preferenceOrder {
   358  		for _, id := range configCipherSuites {
   359  			if id == suiteID {
   360  				preferenceList = append(preferenceList, id)
   361  				break
   362  			}
   363  		}
   364  	}
   365  
   366  	hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
   367  	if hs.suite == nil {
   368  		c.sendAlert(alertHandshakeFailure)
   369  		return errors.New("tls: no cipher suite supported by both client and server")
   370  	}
   371  	c.cipherSuite = hs.suite.id
   372  
   373  	if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] {
   374  		tlsrsakex.IncNonDefault()
   375  	}
   376  
   377  	for _, id := range hs.clientHello.cipherSuites {
   378  		if id == TLS_FALLBACK_SCSV {
   379  			// The client is doing a fallback connection. See RFC 7507.
   380  			if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
   381  				c.sendAlert(alertInappropriateFallback)
   382  				return errors.New("tls: client using inappropriate protocol fallback")
   383  			}
   384  			break
   385  		}
   386  	}
   387  
   388  	return nil
   389  }
   390  
   391  func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
   392  	if c.flags&suiteECDHE != 0 {
   393  		if !hs.ecdheOk {
   394  			return false
   395  		}
   396  		if c.flags&suiteECSign != 0 {
   397  			if !hs.ecSignOk {
   398  				return false
   399  			}
   400  		} else if !hs.rsaSignOk {
   401  			return false
   402  		}
   403  	} else if !hs.rsaDecryptOk {
   404  		return false
   405  	}
   406  	if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
   407  		return false
   408  	}
   409  	return true
   410  }
   411  
   412  // checkForResumption reports whether we should perform resumption on this connection.
   413  func (hs *serverHandshakeState) checkForResumption() error {
   414  	c := hs.c
   415  
   416  	if c.config.SessionTicketsDisabled {
   417  		return nil
   418  	}
   419  
   420  	var sessionState *SessionState
   421  	if c.config.UnwrapSession != nil {
   422  		ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
   423  		if err != nil {
   424  			return err
   425  		}
   426  		if ss == nil {
   427  			return nil
   428  		}
   429  		sessionState = ss
   430  	} else {
   431  		plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
   432  		if plaintext == nil {
   433  			return nil
   434  		}
   435  		ss, err := ParseSessionState(plaintext)
   436  		if err != nil {
   437  			return nil
   438  		}
   439  		sessionState = ss
   440  	}
   441  
   442  	// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
   443  	// re-wrapping the same master secret in different tickets over and over for
   444  	// too long, weakening forward secrecy.
   445  	createdAt := time.Unix(int64(sessionState.createdAt), 0)
   446  	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
   447  		return nil
   448  	}
   449  
   450  	// Never resume a session for a different TLS version.
   451  	if c.vers != sessionState.version {
   452  		return nil
   453  	}
   454  
   455  	cipherSuiteOk := false
   456  	// Check that the client is still offering the ciphersuite in the session.
   457  	for _, id := range hs.clientHello.cipherSuites {
   458  		if id == sessionState.cipherSuite {
   459  			cipherSuiteOk = true
   460  			break
   461  		}
   462  	}
   463  	if !cipherSuiteOk {
   464  		return nil
   465  	}
   466  
   467  	// Check that we also support the ciphersuite from the session.
   468  	suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
   469  		c.config.cipherSuites(), hs.cipherSuiteOk)
   470  	if suite == nil {
   471  		return nil
   472  	}
   473  
   474  	sessionHasClientCerts := len(sessionState.peerCertificates) != 0
   475  	needClientCerts := requiresClientCert(c.config.ClientAuth)
   476  	if needClientCerts && !sessionHasClientCerts {
   477  		return nil
   478  	}
   479  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   480  		return nil
   481  	}
   482  	if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
   483  		return nil
   484  	}
   485  	if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
   486  		len(sessionState.verifiedChains) == 0 {
   487  		return nil
   488  	}
   489  
   490  	// RFC 7627, Section 5.3
   491  	if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
   492  		return nil
   493  	}
   494  	if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
   495  		// Aborting is somewhat harsh, but it's a MUST and it would indicate a
   496  		// weird downgrade in client capabilities.
   497  		return errors.New("tls: session supported extended_master_secret but client does not")
   498  	}
   499  
   500  	c.peerCertificates = sessionState.peerCertificates
   501  	c.ocspResponse = sessionState.ocspResponse
   502  	c.scts = sessionState.scts
   503  	c.verifiedChains = sessionState.verifiedChains
   504  	c.extMasterSecret = sessionState.extMasterSecret
   505  	hs.sessionState = sessionState
   506  	hs.suite = suite
   507  	c.didResume = true
   508  	return nil
   509  }
   510  
   511  func (hs *serverHandshakeState) doResumeHandshake() error {
   512  	c := hs.c
   513  
   514  	hs.hello.cipherSuite = hs.suite.id
   515  	c.cipherSuite = hs.suite.id
   516  	// We echo the client's session ID in the ServerHello to let it know
   517  	// that we're doing a resumption.
   518  	hs.hello.sessionId = hs.clientHello.sessionId
   519  	// We always send a new session ticket, even if it wraps the same master
   520  	// secret and it's potentially encrypted with the same key, to help the
   521  	// client avoid cross-connection tracking from a network observer.
   522  	hs.hello.ticketSupported = true
   523  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   524  	hs.finishedHash.discardHandshakeBuffer()
   525  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   526  		return err
   527  	}
   528  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   529  		return err
   530  	}
   531  
   532  	if c.config.VerifyConnection != nil {
   533  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   534  			c.sendAlert(alertBadCertificate)
   535  			return err
   536  		}
   537  	}
   538  
   539  	hs.masterSecret = hs.sessionState.secret
   540  
   541  	return nil
   542  }
   543  
   544  func (hs *serverHandshakeState) doFullHandshake() error {
   545  	c := hs.c
   546  
   547  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   548  		hs.hello.ocspStapling = true
   549  	}
   550  
   551  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   552  	hs.hello.cipherSuite = hs.suite.id
   553  
   554  	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
   555  	if c.config.ClientAuth == NoClientCert {
   556  		// No need to keep a full record of the handshake if client
   557  		// certificates won't be used.
   558  		hs.finishedHash.discardHandshakeBuffer()
   559  	}
   560  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   561  		return err
   562  	}
   563  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   564  		return err
   565  	}
   566  
   567  	certMsg := new(certificateMsg)
   568  	certMsg.certificates = hs.cert.Certificate
   569  	if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
   570  		return err
   571  	}
   572  
   573  	if hs.hello.ocspStapling {
   574  		certStatus := new(certificateStatusMsg)
   575  		certStatus.response = hs.cert.OCSPStaple
   576  		if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
   577  			return err
   578  		}
   579  	}
   580  
   581  	keyAgreement := hs.suite.ka(c.vers)
   582  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   583  	if err != nil {
   584  		c.sendAlert(alertHandshakeFailure)
   585  		return err
   586  	}
   587  	if skx != nil {
   588  		if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
   589  			return err
   590  		}
   591  	}
   592  
   593  	var certReq *certificateRequestMsg
   594  	if c.config.ClientAuth >= RequestClientCert {
   595  		// Request a client certificate
   596  		certReq = new(certificateRequestMsg)
   597  		certReq.certificateTypes = []byte{
   598  			byte(certTypeRSASign),
   599  			byte(certTypeECDSASign),
   600  		}
   601  		if c.vers >= VersionTLS12 {
   602  			certReq.hasSignatureAlgorithm = true
   603  			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
   604  		}
   605  
   606  		// An empty list of certificateAuthorities signals to
   607  		// the client that it may send any certificate in response
   608  		// to our request. When we know the CAs we trust, then
   609  		// we can send them down, so that the client can choose
   610  		// an appropriate certificate to give to us.
   611  		if c.config.ClientCAs != nil {
   612  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   613  		}
   614  		if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
   615  			return err
   616  		}
   617  	}
   618  
   619  	helloDone := new(serverHelloDoneMsg)
   620  	if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
   621  		return err
   622  	}
   623  
   624  	if _, err := c.flush(); err != nil {
   625  		return err
   626  	}
   627  
   628  	var pub crypto.PublicKey // public key for client auth, if any
   629  
   630  	msg, err := c.readHandshake(&hs.finishedHash)
   631  	if err != nil {
   632  		return err
   633  	}
   634  
   635  	// If we requested a client certificate, then the client must send a
   636  	// certificate message, even if it's empty.
   637  	if c.config.ClientAuth >= RequestClientCert {
   638  		certMsg, ok := msg.(*certificateMsg)
   639  		if !ok {
   640  			c.sendAlert(alertUnexpectedMessage)
   641  			return unexpectedMessageError(certMsg, msg)
   642  		}
   643  
   644  		if err := c.processCertsFromClient(Certificate{
   645  			Certificate: certMsg.certificates,
   646  		}); err != nil {
   647  			return err
   648  		}
   649  		if len(certMsg.certificates) != 0 {
   650  			pub = c.peerCertificates[0].PublicKey
   651  		}
   652  
   653  		msg, err = c.readHandshake(&hs.finishedHash)
   654  		if err != nil {
   655  			return err
   656  		}
   657  	}
   658  	if c.config.VerifyConnection != nil {
   659  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   660  			c.sendAlert(alertBadCertificate)
   661  			return err
   662  		}
   663  	}
   664  
   665  	// Get client key exchange
   666  	ckx, ok := msg.(*clientKeyExchangeMsg)
   667  	if !ok {
   668  		c.sendAlert(alertUnexpectedMessage)
   669  		return unexpectedMessageError(ckx, msg)
   670  	}
   671  
   672  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
   673  	if err != nil {
   674  		c.sendAlert(alertHandshakeFailure)
   675  		return err
   676  	}
   677  	if hs.hello.extendedMasterSecret {
   678  		c.extMasterSecret = true
   679  		hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   680  			hs.finishedHash.Sum())
   681  	} else {
   682  		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   683  			hs.clientHello.random, hs.hello.random)
   684  	}
   685  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
   686  		c.sendAlert(alertInternalError)
   687  		return err
   688  	}
   689  
   690  	// If we received a client cert in response to our certificate request message,
   691  	// the client will send us a certificateVerifyMsg immediately after the
   692  	// clientKeyExchangeMsg. This message is a digest of all preceding
   693  	// handshake-layer messages that is signed using the private key corresponding
   694  	// to the client's certificate. This allows us to verify that the client is in
   695  	// possession of the private key of the certificate.
   696  	if len(c.peerCertificates) > 0 {
   697  		// certificateVerifyMsg is included in the transcript, but not until
   698  		// after we verify the handshake signature, since the state before
   699  		// this message was sent is used.
   700  		msg, err = c.readHandshake(nil)
   701  		if err != nil {
   702  			return err
   703  		}
   704  		certVerify, ok := msg.(*certificateVerifyMsg)
   705  		if !ok {
   706  			c.sendAlert(alertUnexpectedMessage)
   707  			return unexpectedMessageError(certVerify, msg)
   708  		}
   709  
   710  		var sigType uint8
   711  		var sigHash crypto.Hash
   712  		if c.vers >= VersionTLS12 {
   713  			if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
   714  				c.sendAlert(alertIllegalParameter)
   715  				return errors.New("tls: client certificate used with invalid signature algorithm")
   716  			}
   717  			sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   718  			if err != nil {
   719  				return c.sendAlert(alertInternalError)
   720  			}
   721  		} else {
   722  			sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
   723  			if err != nil {
   724  				c.sendAlert(alertIllegalParameter)
   725  				return err
   726  			}
   727  		}
   728  
   729  		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
   730  		if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
   731  			c.sendAlert(alertDecryptError)
   732  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
   733  		}
   734  
   735  		if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
   736  			return err
   737  		}
   738  	}
   739  
   740  	hs.finishedHash.discardHandshakeBuffer()
   741  
   742  	return nil
   743  }
   744  
   745  func (hs *serverHandshakeState) establishKeys() error {
   746  	c := hs.c
   747  
   748  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   749  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   750  
   751  	var clientCipher, serverCipher any
   752  	var clientHash, serverHash hash.Hash
   753  
   754  	if hs.suite.aead == nil {
   755  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   756  		clientHash = hs.suite.mac(clientMAC)
   757  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   758  		serverHash = hs.suite.mac(serverMAC)
   759  	} else {
   760  		clientCipher = hs.suite.aead(clientKey, clientIV)
   761  		serverCipher = hs.suite.aead(serverKey, serverIV)
   762  	}
   763  
   764  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   765  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   766  
   767  	return nil
   768  }
   769  
   770  func (hs *serverHandshakeState) readFinished(out []byte) error {
   771  	c := hs.c
   772  
   773  	if err := c.readChangeCipherSpec(); err != nil {
   774  		return err
   775  	}
   776  
   777  	// finishedMsg is included in the transcript, but not until after we
   778  	// check the client version, since the state before this message was
   779  	// sent is used during verification.
   780  	msg, err := c.readHandshake(nil)
   781  	if err != nil {
   782  		return err
   783  	}
   784  	clientFinished, ok := msg.(*finishedMsg)
   785  	if !ok {
   786  		c.sendAlert(alertUnexpectedMessage)
   787  		return unexpectedMessageError(clientFinished, msg)
   788  	}
   789  
   790  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   791  	if len(verify) != len(clientFinished.verifyData) ||
   792  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   793  		c.sendAlert(alertHandshakeFailure)
   794  		return errors.New("tls: client's Finished message is incorrect")
   795  	}
   796  
   797  	if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
   798  		return err
   799  	}
   800  
   801  	copy(out, verify)
   802  	return nil
   803  }
   804  
   805  func (hs *serverHandshakeState) sendSessionTicket() error {
   806  	if !hs.hello.ticketSupported {
   807  		return nil
   808  	}
   809  
   810  	c := hs.c
   811  	m := new(newSessionTicketMsg)
   812  
   813  	state, err := c.sessionState()
   814  	if err != nil {
   815  		return err
   816  	}
   817  	state.secret = hs.masterSecret
   818  	if hs.sessionState != nil {
   819  		// If this is re-wrapping an old key, then keep
   820  		// the original time it was created.
   821  		state.createdAt = hs.sessionState.createdAt
   822  	}
   823  	if c.config.WrapSession != nil {
   824  		m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
   825  		if err != nil {
   826  			return err
   827  		}
   828  	} else {
   829  		stateBytes, err := state.Bytes()
   830  		if err != nil {
   831  			return err
   832  		}
   833  		m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
   834  		if err != nil {
   835  			return err
   836  		}
   837  	}
   838  
   839  	if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
   840  		return err
   841  	}
   842  
   843  	return nil
   844  }
   845  
   846  func (hs *serverHandshakeState) sendFinished(out []byte) error {
   847  	c := hs.c
   848  
   849  	if err := c.writeChangeCipherRecord(); err != nil {
   850  		return err
   851  	}
   852  
   853  	finished := new(finishedMsg)
   854  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   855  	if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
   856  		return err
   857  	}
   858  
   859  	copy(out, finished.verifyData)
   860  
   861  	return nil
   862  }
   863  
   864  // processCertsFromClient takes a chain of client certificates either from a
   865  // Certificates message and verifies them.
   866  func (c *Conn) processCertsFromClient(certificate Certificate) error {
   867  	certificates := certificate.Certificate
   868  	certs := make([]*x509.Certificate, len(certificates))
   869  	var err error
   870  	for i, asn1Data := range certificates {
   871  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   872  			c.sendAlert(alertBadCertificate)
   873  			return errors.New("tls: failed to parse client certificate: " + err.Error())
   874  		}
   875  		if certs[i].PublicKeyAlgorithm == x509.RSA {
   876  			n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
   877  			if max, ok := checkKeySize(n); !ok {
   878  				c.sendAlert(alertBadCertificate)
   879  				return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
   880  			}
   881  		}
   882  	}
   883  
   884  	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
   885  		if c.vers == VersionTLS13 {
   886  			c.sendAlert(alertCertificateRequired)
   887  		} else {
   888  			c.sendAlert(alertBadCertificate)
   889  		}
   890  		return errors.New("tls: client didn't provide a certificate")
   891  	}
   892  
   893  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   894  		opts := x509.VerifyOptions{
   895  			Roots:         c.config.ClientCAs,
   896  			CurrentTime:   c.config.time(),
   897  			Intermediates: x509.NewCertPool(),
   898  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   899  		}
   900  
   901  		for _, cert := range certs[1:] {
   902  			opts.Intermediates.AddCert(cert)
   903  		}
   904  
   905  		chains, err := certs[0].Verify(opts)
   906  		if err != nil {
   907  			var errCertificateInvalid x509.CertificateInvalidError
   908  			if errors.As(err, &x509.UnknownAuthorityError{}) {
   909  				c.sendAlert(alertUnknownCA)
   910  			} else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
   911  				c.sendAlert(alertCertificateExpired)
   912  			} else {
   913  				c.sendAlert(alertBadCertificate)
   914  			}
   915  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   916  		}
   917  
   918  		c.verifiedChains = chains
   919  	}
   920  
   921  	c.peerCertificates = certs
   922  	c.ocspResponse = certificate.OCSPStaple
   923  	c.scts = certificate.SignedCertificateTimestamps
   924  
   925  	if len(certs) > 0 {
   926  		switch certs[0].PublicKey.(type) {
   927  		case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
   928  		default:
   929  			c.sendAlert(alertUnsupportedCertificate)
   930  			return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
   931  		}
   932  	}
   933  
   934  	if c.config.VerifyPeerCertificate != nil {
   935  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
   936  			c.sendAlert(alertBadCertificate)
   937  			return err
   938  		}
   939  	}
   940  
   941  	return nil
   942  }
   943  
   944  func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
   945  	supportedVersions := clientHello.supportedVersions
   946  	if len(clientHello.supportedVersions) == 0 {
   947  		supportedVersions = supportedVersionsFromMax(clientHello.vers)
   948  	}
   949  
   950  	return &ClientHelloInfo{
   951  		CipherSuites:      clientHello.cipherSuites,
   952  		ServerName:        clientHello.serverName,
   953  		SupportedCurves:   clientHello.supportedCurves,
   954  		SupportedPoints:   clientHello.supportedPoints,
   955  		SignatureSchemes:  clientHello.supportedSignatureAlgorithms,
   956  		SupportedProtos:   clientHello.alpnProtocols,
   957  		SupportedVersions: supportedVersions,
   958  		Conn:              c.conn,
   959  		config:            c.config,
   960  		ctx:               ctx,
   961  	}
   962  }
   963  

View as plain text