handshake_server.mx raw
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 package tls
6
7 import (
8 "context"
9 "crypto"
10 "crypto/ecdsa"
11 "crypto/ed25519"
12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/tls/internal/fips140tls"
15 "crypto/x509"
16 "errors"
17 "fmt"
18 "hash"
19 "io"
20 "time"
21 )
22
23 // serverHandshakeState contains details of a server handshake in progress.
24 // It's discarded once the handshake has completed.
25 type serverHandshakeState struct {
26 c *Conn
27 ctx context.Context
28 clientHello *clientHelloMsg
29 hello *serverHelloMsg
30 suite *cipherSuite
31 ecdheOk bool
32 ecSignOk bool
33 rsaDecryptOk bool
34 rsaSignOk bool
35 sessionState *SessionState
36 finishedHash finishedHash
37 masterSecret []byte
38 cert *Certificate
39 }
40
41 // serverHandshake performs a TLS handshake as a server.
42 func (c *Conn) serverHandshake(ctx context.Context) error {
43 clientHello, ech, err := c.readClientHello(ctx)
44 if err != nil {
45 return err
46 }
47
48 if c.vers == VersionTLS13 {
49 hs := serverHandshakeStateTLS13{
50 c: c,
51 ctx: ctx,
52 clientHello: clientHello,
53 echContext: ech,
54 }
55 return hs.handshake()
56 }
57
58 hs := serverHandshakeState{
59 c: c,
60 ctx: ctx,
61 clientHello: clientHello,
62 }
63 return hs.handshake()
64 }
65
66 func (hs *serverHandshakeState) handshake() error {
67 c := hs.c
68
69 if err := hs.processClientHello(); err != nil {
70 return err
71 }
72
73 // For an overview of TLS handshaking, see RFC 5246, Section 7.3.
74 c.buffering = true
75 if err := hs.checkForResumption(); err != nil {
76 return err
77 }
78 if hs.sessionState != nil {
79 // The client has included a session ticket and so we do an abbreviated handshake.
80 if err := hs.doResumeHandshake(); err != nil {
81 return err
82 }
83 if err := hs.establishKeys(); err != nil {
84 return err
85 }
86 if err := hs.sendSessionTicket(); err != nil {
87 return err
88 }
89 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
90 return err
91 }
92 if _, err := c.flush(); err != nil {
93 return err
94 }
95 c.clientFinishedIsFirst = false
96 if err := hs.readFinished(nil); err != nil {
97 return err
98 }
99 } else {
100 // The client didn't include a session ticket, or it wasn't
101 // valid so we do a full handshake.
102 if err := hs.pickCipherSuite(); err != nil {
103 return err
104 }
105 if err := hs.doFullHandshake(); err != nil {
106 return err
107 }
108 if err := hs.establishKeys(); err != nil {
109 return err
110 }
111 if err := hs.readFinished(c.clientFinished[:]); err != nil {
112 return err
113 }
114 c.clientFinishedIsFirst = true
115 c.buffering = true
116 if err := hs.sendSessionTicket(); err != nil {
117 return err
118 }
119 if err := hs.sendFinished(nil); err != nil {
120 return err
121 }
122 if _, err := c.flush(); err != nil {
123 return err
124 }
125 }
126
127 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
128 c.isHandshakeComplete.Store(true)
129
130 return nil
131 }
132
133 // readClientHello reads a ClientHello message and selects the protocol version.
134 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, *echServerContext, error) {
135 // clientHelloMsg is included in the transcript, but we haven't initialized
136 // it yet. The respective handshake functions will record it themselves.
137 msg, err := c.readHandshake(nil)
138 if err != nil {
139 return nil, nil, err
140 }
141 clientHello, ok := msg.(*clientHelloMsg)
142 if !ok {
143 c.sendAlert(alertUnexpectedMessage)
144 return nil, nil, unexpectedMessageError(clientHello, msg)
145 }
146
147 // ECH processing has to be done before we do any other negotiation based on
148 // the contents of the client hello, since we may swap it out completely.
149 var ech *echServerContext
150 if len(clientHello.encryptedClientHello) != 0 {
151 echKeys := c.config.EncryptedClientHelloKeys
152 if c.config.GetEncryptedClientHelloKeys != nil {
153 echKeys, err = c.config.GetEncryptedClientHelloKeys(clientHelloInfo(ctx, c, clientHello))
154 if err != nil {
155 c.sendAlert(alertInternalError)
156 return nil, nil, err
157 }
158 }
159 clientHello, ech, err = c.processECHClientHello(clientHello, echKeys)
160 if err != nil {
161 return nil, nil, err
162 }
163 }
164
165 var configForClient *Config
166 originalConfig := c.config
167 if c.config.GetConfigForClient != nil {
168 chi := clientHelloInfo(ctx, c, clientHello)
169 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
170 c.sendAlert(alertInternalError)
171 return nil, nil, err
172 } else if configForClient != nil {
173 c.config = configForClient
174 }
175 }
176 c.ticketKeys = originalConfig.ticketKeys(configForClient)
177
178 clientVersions := clientHello.supportedVersions
179 if clientHello.vers >= VersionTLS13 && len(clientVersions) == 0 {
180 // RFC 8446 4.2.1 indicates when the supported_versions extension is not sent,
181 // compatible servers MUST negotiate TLS 1.2 or earlier if supported, even
182 // if the client legacy version is TLS 1.3 or later.
183 //
184 // Since we reject empty extensionSupportedVersions in the client hello unmarshal
185 // finding the supportedVersions empty indicates the extension was not present.
186 clientVersions = supportedVersionsFromMax(VersionTLS12)
187 } else if len(clientVersions) == 0 {
188 clientVersions = supportedVersionsFromMax(clientHello.vers)
189 }
190 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
191 if !ok {
192 c.sendAlert(alertProtocolVersion)
193 return nil, nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
194 }
195 c.haveVers = true
196 c.in.version = c.vers
197 c.out.version = c.vers
198
199 // This check reflects some odd specification implied behavior. Client-facing servers
200 // are supposed to reject hellos with outer ECH and inner ECH that offers 1.2, but
201 // backend servers are allowed to accept hellos with inner ECH that offer 1.2, since
202 // they cannot expect client-facing servers to behave properly. Since we act as both
203 // a client-facing and backend server, we only enforce 1.3 being negotiated if we
204 // saw a hello with outer ECH first. The spec probably should've made this an error,
205 // but it didn't, and this matches the boringssl behavior.
206 if c.vers != VersionTLS13 && (ech != nil && !ech.inner) {
207 c.sendAlert(alertIllegalParameter)
208 return nil, nil, errors.New("tls: Encrypted Client Hello cannot be used pre-TLS 1.3")
209 }
210
211 if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
212 tls10server.Value() // ensure godebug is initialized
213 tls10server.IncNonDefault()
214 }
215
216 return clientHello, ech, nil
217 }
218
219 func (hs *serverHandshakeState) processClientHello() error {
220 c := hs.c
221
222 hs.hello = &serverHelloMsg{}
223 hs.hello.vers = c.vers
224
225 foundCompression := false
226 // We only support null compression, so check that the client offered it.
227 for _, compression := range hs.clientHello.compressionMethods {
228 if compression == compressionNone {
229 foundCompression = true
230 break
231 }
232 }
233
234 if !foundCompression {
235 c.sendAlert(alertIllegalParameter)
236 return errors.New("tls: client does not support uncompressed connections")
237 }
238
239 hs.hello.random = []byte{:32}
240 serverRandom := hs.hello.random
241 // Downgrade protection canaries. See RFC 8446, Section 4.1.3.
242 maxVers := c.config.maxSupportedVersion(roleServer)
243 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
244 if c.vers == VersionTLS12 {
245 copy(serverRandom[24:], downgradeCanaryTLS12)
246 } else {
247 copy(serverRandom[24:], downgradeCanaryTLS11)
248 }
249 serverRandom = serverRandom[:24]
250 }
251 _, err := io.ReadFull(c.config.rand(), serverRandom)
252 if err != nil {
253 c.sendAlert(alertInternalError)
254 return err
255 }
256
257 if len(hs.clientHello.secureRenegotiation) != 0 {
258 c.sendAlert(alertHandshakeFailure)
259 return errors.New("tls: initial handshake had non-empty renegotiation extension")
260 }
261
262 hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
263 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
264 hs.hello.compressionMethod = compressionNone
265 if len(hs.clientHello.serverName) > 0 {
266 c.serverName = hs.clientHello.serverName
267 }
268
269 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
270 if err != nil {
271 c.sendAlert(alertNoApplicationProtocol)
272 return err
273 }
274 hs.hello.alpnProtocol = selectedProto
275 c.clientProtocol = selectedProto
276
277 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
278 if err != nil {
279 if err == errNoCertificates {
280 c.sendAlert(alertUnrecognizedName)
281 } else {
282 c.sendAlert(alertInternalError)
283 }
284 return err
285 }
286 if hs.clientHello.scts {
287 hs.hello.scts = hs.cert.SignedCertificateTimestamps
288 }
289
290 hs.ecdheOk, err = supportsECDHE(c.config, c.vers, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
291 if err != nil {
292 c.sendAlert(alertMissingExtension)
293 return err
294 }
295
296 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
297 // Although omitting the ec_point_formats extension is permitted, some
298 // old OpenSSL version will refuse to handshake if not present.
299 //
300 // Per RFC 4492, section 5.1.2, implementations MUST support the
301 // uncompressed point format. See golang.org/issue/31943.
302 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
303 }
304
305 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
306 switch priv.Public().(type) {
307 case *ecdsa.PublicKey:
308 hs.ecSignOk = true
309 case ed25519.PublicKey:
310 hs.ecSignOk = true
311 case *rsa.PublicKey:
312 hs.rsaSignOk = true
313 default:
314 c.sendAlert(alertInternalError)
315 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
316 }
317 }
318 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
319 switch priv.Public().(type) {
320 case *rsa.PublicKey:
321 hs.rsaDecryptOk = true
322 default:
323 c.sendAlert(alertInternalError)
324 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
325 }
326 }
327
328 return nil
329 }
330
331 // negotiateALPN picks a shared ALPN protocol that both sides support in server
332 // preference order. If ALPN is not configured or the peer doesn't support it,
333 // it returns "" and no error.
334 func negotiateALPN(serverProtos, clientProtos [][]byte, quic bool) ([]byte, error) {
335 if len(serverProtos) == 0 || len(clientProtos) == 0 {
336 if quic && len(serverProtos) != 0 {
337 // RFC 9001, Section 8.1
338 return "", fmt.Errorf("tls: client did not request an application protocol")
339 }
340 return "", nil
341 }
342 var http11fallback bool
343 for _, s := range serverProtos {
344 for _, c := range clientProtos {
345 if s == c {
346 return s, nil
347 }
348 if s == "h2" && c == "http/1.1" {
349 http11fallback = true
350 }
351 }
352 }
353 // As a special case, let http/1.1 clients connect to h2 servers as if they
354 // didn't support ALPN. We used not to enforce protocol overlap, so over
355 // time a number of HTTP servers were configured with only "h2", but
356 // expected to accept connections from "http/1.1" clients. See Issue 46310.
357 if http11fallback {
358 return "", nil
359 }
360 return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
361 }
362
363 // supportsECDHE returns whether ECDHE key exchanges can be used with this
364 // pre-TLS 1.3 client.
365 func supportsECDHE(c *Config, version uint16, supportedCurves []CurveID, supportedPoints []uint8) (bool, error) {
366 supportsCurve := false
367 for _, curve := range supportedCurves {
368 if c.supportsCurve(version, curve) {
369 supportsCurve = true
370 break
371 }
372 }
373
374 supportsPointFormat := false
375 offeredNonCompressedFormat := false
376 for _, pointFormat := range supportedPoints {
377 if pointFormat == pointFormatUncompressed {
378 supportsPointFormat = true
379 } else {
380 offeredNonCompressedFormat = true
381 }
382 }
383 // Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is
384 // missing, uncompressed points are supported. If supportedPoints is empty,
385 // the extension must be missing, as an empty extension body is rejected by
386 // the parser. See https://go.dev/issue/49126.
387 if len(supportedPoints) == 0 {
388 supportsPointFormat = true
389 } else if offeredNonCompressedFormat && !supportsPointFormat {
390 return false, errors.New("tls: client offered only incompatible point formats")
391 }
392
393 return supportsCurve && supportsPointFormat, nil
394 }
395
396 func (hs *serverHandshakeState) pickCipherSuite() error {
397 c := hs.c
398
399 preferenceList := c.config.cipherSuites(isAESGCMPreferred(hs.clientHello.cipherSuites))
400
401 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
402 if hs.suite == nil {
403 c.sendAlert(alertHandshakeFailure)
404 return fmt.Errorf("tls: no cipher suite supported by both client and server; client offered: %x",
405 hs.clientHello.cipherSuites)
406 }
407 c.cipherSuite = hs.suite.id
408
409 if c.config.CipherSuites == nil && !fips140tls.Required() && rsaKexCiphers[hs.suite.id] {
410 tlsrsakex.Value() // ensure godebug is initialized
411 tlsrsakex.IncNonDefault()
412 }
413 if c.config.CipherSuites == nil && !fips140tls.Required() && tdesCiphers[hs.suite.id] {
414 tls3des.Value() // ensure godebug is initialized
415 tls3des.IncNonDefault()
416 }
417
418 for _, id := range hs.clientHello.cipherSuites {
419 if id == TLS_FALLBACK_SCSV {
420 // The client is doing a fallback connection. See RFC 7507.
421 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
422 c.sendAlert(alertInappropriateFallback)
423 return errors.New("tls: client using inappropriate protocol fallback")
424 }
425 break
426 }
427 }
428
429 return nil
430 }
431
432 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
433 if c.flags&suiteECDHE != 0 {
434 if !hs.ecdheOk {
435 return false
436 }
437 if c.flags&suiteECSign != 0 {
438 if !hs.ecSignOk {
439 return false
440 }
441 } else if !hs.rsaSignOk {
442 return false
443 }
444 } else if !hs.rsaDecryptOk {
445 return false
446 }
447 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
448 return false
449 }
450 return true
451 }
452
453 // checkForResumption reports whether we should perform resumption on this connection.
454 func (hs *serverHandshakeState) checkForResumption() error {
455 c := hs.c
456
457 if c.config.SessionTicketsDisabled {
458 return nil
459 }
460
461 var sessionState *SessionState
462 if c.config.UnwrapSession != nil {
463 ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
464 if err != nil {
465 return err
466 }
467 if ss == nil {
468 return nil
469 }
470 sessionState = ss
471 } else {
472 plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
473 if plaintext == nil {
474 return nil
475 }
476 ss, err := ParseSessionState(plaintext)
477 if err != nil {
478 return nil
479 }
480 sessionState = ss
481 }
482
483 // TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
484 // re-wrapping the same master secret in different tickets over and over for
485 // too long, weakening forward secrecy.
486 createdAt := time.Unix(int64(sessionState.createdAt), 0)
487 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
488 return nil
489 }
490
491 // Never resume a session for a different TLS version.
492 if c.vers != sessionState.version {
493 return nil
494 }
495
496 cipherSuiteOk := false
497 // Check that the client is still offering the ciphersuite in the session.
498 for _, id := range hs.clientHello.cipherSuites {
499 if id == sessionState.cipherSuite {
500 cipherSuiteOk = true
501 break
502 }
503 }
504 if !cipherSuiteOk {
505 return nil
506 }
507
508 // Check that we also support the ciphersuite from the session.
509 suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
510 c.config.supportedCipherSuites(), hs.cipherSuiteOk)
511 if suite == nil {
512 return nil
513 }
514
515 sessionHasClientCerts := len(sessionState.peerCertificates) != 0
516 needClientCerts := requiresClientCert(c.config.ClientAuth)
517 if needClientCerts && !sessionHasClientCerts {
518 return nil
519 }
520 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
521 return nil
522 }
523 if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
524 return nil
525 }
526 opts := x509.VerifyOptions{
527 CurrentTime: c.config.time(),
528 Roots: c.config.ClientCAs,
529 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
530 }
531 if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
532 !anyValidVerifiedChain(sessionState.verifiedChains, opts) {
533 return nil
534 }
535
536 // RFC 7627, Section 5.3
537 if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
538 return nil
539 }
540 if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
541 // Aborting is somewhat harsh, but it's a MUST and it would indicate a
542 // weird downgrade in client capabilities.
543 return errors.New("tls: session supported extended_master_secret but client does not")
544 }
545 if !sessionState.extMasterSecret && fips140tls.Required() {
546 // FIPS 140-3 requires the use of Extended Master Secret.
547 return nil
548 }
549
550 c.peerCertificates = sessionState.peerCertificates
551 c.ocspResponse = sessionState.ocspResponse
552 c.scts = sessionState.scts
553 c.verifiedChains = sessionState.verifiedChains
554 c.extMasterSecret = sessionState.extMasterSecret
555 hs.sessionState = sessionState
556 hs.suite = suite
557 c.curveID = sessionState.curveID
558 c.didResume = true
559 return nil
560 }
561
562 func (hs *serverHandshakeState) doResumeHandshake() error {
563 c := hs.c
564
565 hs.hello.cipherSuite = hs.suite.id
566 c.cipherSuite = hs.suite.id
567 // We echo the client's session ID in the ServerHello to let it know
568 // that we're doing a resumption.
569 hs.hello.sessionId = hs.clientHello.sessionId
570 // We always send a new session ticket, even if it wraps the same master
571 // secret and it's potentially encrypted with the same key, to help the
572 // client avoid cross-connection tracking from a network observer.
573 hs.hello.ticketSupported = true
574 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
575 hs.finishedHash.discardHandshakeBuffer()
576 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
577 return err
578 }
579 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
580 return err
581 }
582
583 if c.config.VerifyConnection != nil {
584 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
585 c.sendAlert(alertBadCertificate)
586 return err
587 }
588 }
589
590 hs.masterSecret = hs.sessionState.secret
591
592 return nil
593 }
594
595 func (hs *serverHandshakeState) doFullHandshake() error {
596 c := hs.c
597
598 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
599 hs.hello.ocspStapling = true
600 }
601
602 if hs.clientHello.serverName != "" {
603 hs.hello.serverNameAck = true
604 }
605
606 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
607 hs.hello.cipherSuite = hs.suite.id
608
609 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
610 if c.config.ClientAuth == NoClientCert {
611 // No need to keep a full record of the handshake if client
612 // certificates won't be used.
613 hs.finishedHash.discardHandshakeBuffer()
614 }
615 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
616 return err
617 }
618 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
619 return err
620 }
621
622 certMsg := &certificateMsg{}
623 certMsg.certificates = hs.cert.Certificate
624 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
625 return err
626 }
627
628 if hs.hello.ocspStapling {
629 certStatus := &certificateStatusMsg{}
630 certStatus.response = hs.cert.OCSPStaple
631 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
632 return err
633 }
634 }
635
636 keyAgreement := hs.suite.ka(c.vers)
637 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
638 if err != nil {
639 c.sendAlert(alertHandshakeFailure)
640 return err
641 }
642 if skx != nil {
643 if keyAgreement, ok := keyAgreement.(*ecdheKeyAgreement); ok {
644 c.curveID = keyAgreement.curveID
645 c.peerSigAlg = keyAgreement.signatureAlgorithm
646 }
647 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
648 return err
649 }
650 }
651
652 var certReq *certificateRequestMsg
653 if c.config.ClientAuth >= RequestClientCert {
654 // Request a client certificate
655 certReq = &certificateRequestMsg{}
656 certReq.certificateTypes = []byte{
657 byte(certTypeRSASign),
658 byte(certTypeECDSASign),
659 }
660 if c.vers >= VersionTLS12 {
661 certReq.hasSignatureAlgorithm = true
662 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms(c.vers)
663 }
664
665 // An empty list of certificateAuthorities signals to
666 // the client that it may send any certificate in response
667 // to our request. When we know the CAs we trust, then
668 // we can send them down, so that the client can choose
669 // an appropriate certificate to give to us.
670 if c.config.ClientCAs != nil {
671 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
672 }
673 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
674 return err
675 }
676 }
677
678 helloDone := &serverHelloDoneMsg{}
679 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
680 return err
681 }
682
683 if _, err := c.flush(); err != nil {
684 return err
685 }
686
687 var pub crypto.PublicKey // public key for client auth, if any
688
689 msg, err := c.readHandshake(&hs.finishedHash)
690 if err != nil {
691 return err
692 }
693
694 // If we requested a client certificate, then the client must send a
695 // certificate message, even if it's empty.
696 if c.config.ClientAuth >= RequestClientCert {
697 certMsg, ok := msg.(*certificateMsg)
698 if !ok {
699 c.sendAlert(alertUnexpectedMessage)
700 return unexpectedMessageError(certMsg, msg)
701 }
702
703 if err := c.processCertsFromClient(Certificate{
704 Certificate: certMsg.certificates,
705 }); err != nil {
706 return err
707 }
708 if len(certMsg.certificates) != 0 {
709 pub = c.peerCertificates[0].PublicKey
710 }
711
712 msg, err = c.readHandshake(&hs.finishedHash)
713 if err != nil {
714 return err
715 }
716 }
717 if c.config.VerifyConnection != nil {
718 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
719 c.sendAlert(alertBadCertificate)
720 return err
721 }
722 }
723
724 // Get client key exchange
725 ckx, ok := msg.(*clientKeyExchangeMsg)
726 if !ok {
727 c.sendAlert(alertUnexpectedMessage)
728 return unexpectedMessageError(ckx, msg)
729 }
730
731 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
732 if err != nil {
733 c.sendAlert(alertIllegalParameter)
734 return err
735 }
736 if hs.hello.extendedMasterSecret {
737 c.extMasterSecret = true
738 hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
739 hs.finishedHash.Sum())
740 } else {
741 if fips140tls.Required() {
742 c.sendAlert(alertHandshakeFailure)
743 return errors.New("tls: FIPS 140-3 requires the use of Extended Master Secret")
744 }
745 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
746 hs.clientHello.random, hs.hello.random)
747 }
748 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
749 c.sendAlert(alertInternalError)
750 return err
751 }
752
753 // If we received a client cert in response to our certificate request message,
754 // the client will send us a certificateVerifyMsg immediately after the
755 // clientKeyExchangeMsg. This message is a digest of all preceding
756 // handshake-layer messages that is signed using the private key corresponding
757 // to the client's certificate. This allows us to verify that the client is in
758 // possession of the private key of the certificate.
759 if len(c.peerCertificates) > 0 {
760 // certificateVerifyMsg is included in the transcript, but not until
761 // after we verify the handshake signature, since the state before
762 // this message was sent is used.
763 msg, err = c.readHandshake(nil)
764 if err != nil {
765 return err
766 }
767 certVerify, ok := msg.(*certificateVerifyMsg)
768 if !ok {
769 c.sendAlert(alertUnexpectedMessage)
770 return unexpectedMessageError(certVerify, msg)
771 }
772
773 var sigType uint8
774 var sigHash crypto.Hash
775 if c.vers >= VersionTLS12 {
776 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
777 c.sendAlert(alertIllegalParameter)
778 return errors.New("tls: client certificate used with invalid signature algorithm")
779 }
780 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
781 if err != nil {
782 return c.sendAlert(alertInternalError)
783 }
784 if sigHash == crypto.SHA1 {
785 tlssha1.Value() // ensure godebug is initialized
786 tlssha1.IncNonDefault()
787 }
788 if hs.finishedHash.buffer == nil {
789 c.sendAlert(alertInternalError)
790 return errors.New("tls: internal error: did not keep handshake transcript for TLS 1.2")
791 }
792 if err := verifyHandshakeSignature(sigType, pub, sigHash, hs.finishedHash.buffer, certVerify.signature); err != nil {
793 c.sendAlert(alertDecryptError)
794 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
795 }
796 } else {
797 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
798 if err != nil {
799 c.sendAlert(alertIllegalParameter)
800 return err
801 }
802 signed := hs.finishedHash.hashForClientCertificate(sigType)
803 if err := verifyLegacyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
804 c.sendAlert(alertDecryptError)
805 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
806 }
807 }
808
809 c.peerSigAlg = certVerify.signatureAlgorithm
810
811 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
812 return err
813 }
814 }
815
816 hs.finishedHash.discardHandshakeBuffer()
817
818 return nil
819 }
820
821 func (hs *serverHandshakeState) establishKeys() error {
822 c := hs.c
823
824 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
825 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
826
827 var clientCipher, serverCipher any
828 var clientHash, serverHash hash.Hash
829
830 if hs.suite.aead == nil {
831 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
832 clientHash = hs.suite.mac(clientMAC)
833 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
834 serverHash = hs.suite.mac(serverMAC)
835 } else {
836 clientCipher = hs.suite.aead(clientKey, clientIV)
837 serverCipher = hs.suite.aead(serverKey, serverIV)
838 }
839
840 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
841 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
842
843 return nil
844 }
845
846 func (hs *serverHandshakeState) readFinished(out []byte) error {
847 c := hs.c
848
849 if err := c.readChangeCipherSpec(); err != nil {
850 return err
851 }
852
853 // finishedMsg is included in the transcript, but not until after we
854 // check the client version, since the state before this message was
855 // sent is used during verification.
856 msg, err := c.readHandshake(nil)
857 if err != nil {
858 return err
859 }
860 clientFinished, ok := msg.(*finishedMsg)
861 if !ok {
862 c.sendAlert(alertUnexpectedMessage)
863 return unexpectedMessageError(clientFinished, msg)
864 }
865
866 verify := hs.finishedHash.clientSum(hs.masterSecret)
867 if len(verify) != len(clientFinished.verifyData) ||
868 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
869 c.sendAlert(alertHandshakeFailure)
870 return errors.New("tls: client's Finished message is incorrect")
871 }
872
873 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
874 return err
875 }
876
877 copy(out, verify)
878 return nil
879 }
880
881 func (hs *serverHandshakeState) sendSessionTicket() error {
882 if !hs.hello.ticketSupported {
883 return nil
884 }
885
886 c := hs.c
887 m := &newSessionTicketMsg{}
888
889 state := c.sessionState()
890 state.secret = hs.masterSecret
891 if hs.sessionState != nil {
892 // If this is re-wrapping an old key, then keep
893 // the original time it was created.
894 state.createdAt = hs.sessionState.createdAt
895 }
896 if c.config.WrapSession != nil {
897 var err error
898 m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
899 if err != nil {
900 return err
901 }
902 } else {
903 stateBytes, err := state.Bytes()
904 if err != nil {
905 return err
906 }
907 m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
908 if err != nil {
909 return err
910 }
911 }
912
913 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
914 return err
915 }
916
917 return nil
918 }
919
920 func (hs *serverHandshakeState) sendFinished(out []byte) error {
921 c := hs.c
922
923 if err := c.writeChangeCipherRecord(); err != nil {
924 return err
925 }
926
927 finished := &finishedMsg{}
928 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
929 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
930 return err
931 }
932
933 copy(out, finished.verifyData)
934
935 return nil
936 }
937
938 // processCertsFromClient takes a chain of client certificates either from a
939 // certificateMsg message or a certificateMsgTLS13 message and verifies them.
940 func (c *Conn) processCertsFromClient(certificate Certificate) error {
941 certificates := certificate.Certificate
942 certs := []*x509.Certificate{:len(certificates)}
943 var err error
944 for i, asn1Data := range certificates {
945 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
946 c.sendAlert(alertDecodeError)
947 return errors.New("tls: failed to parse client certificate: " + err.Error())
948 }
949 if certs[i].PublicKeyAlgorithm == x509.RSA {
950 n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
951 if max, ok := checkKeySize(n); !ok {
952 c.sendAlert(alertBadCertificate)
953 return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
954 }
955 }
956 }
957
958 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
959 if c.vers == VersionTLS13 {
960 c.sendAlert(alertCertificateRequired)
961 } else {
962 c.sendAlert(alertHandshakeFailure)
963 }
964 return errors.New("tls: client didn't provide a certificate")
965 }
966
967 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
968 opts := x509.VerifyOptions{
969 Roots: c.config.ClientCAs,
970 CurrentTime: c.config.time(),
971 Intermediates: x509.NewCertPool(),
972 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
973 }
974
975 for _, cert := range certs[1:] {
976 opts.Intermediates.AddCert(cert)
977 }
978
979 chains, err := certs[0].Verify(opts)
980 if err != nil {
981 if _, ok := err.(x509.UnknownAuthorityError); ok {
982 c.sendAlert(alertUnknownCA)
983 } else if ciErr, ok := err.(x509.CertificateInvalidError); ok && ciErr.Reason == x509.Expired {
984 c.sendAlert(alertCertificateExpired)
985 } else {
986 c.sendAlert(alertBadCertificate)
987 }
988 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
989 }
990
991 c.verifiedChains, err = fipsAllowedChains(chains)
992 if err != nil {
993 c.sendAlert(alertBadCertificate)
994 return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
995 }
996 }
997
998 c.peerCertificates = certs
999 c.ocspResponse = certificate.OCSPStaple
1000 c.scts = certificate.SignedCertificateTimestamps
1001
1002 if len(certs) > 0 {
1003 switch certs[0].PublicKey.(type) {
1004 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
1005 default:
1006 c.sendAlert(alertUnsupportedCertificate)
1007 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
1008 }
1009 }
1010
1011 if c.config.VerifyPeerCertificate != nil {
1012 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
1013 c.sendAlert(alertBadCertificate)
1014 return err
1015 }
1016 }
1017
1018 return nil
1019 }
1020
1021 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
1022 supportedVersions := clientHello.supportedVersions
1023 if len(clientHello.supportedVersions) == 0 {
1024 supportedVersions = supportedVersionsFromMax(clientHello.vers)
1025 }
1026
1027 return &ClientHelloInfo{
1028 CipherSuites: clientHello.cipherSuites,
1029 ServerName: clientHello.serverName,
1030 SupportedCurves: clientHello.supportedCurves,
1031 SupportedPoints: clientHello.supportedPoints,
1032 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
1033 SupportedProtos: clientHello.alpnProtocols,
1034 SupportedVersions: supportedVersions,
1035 Extensions: clientHello.extensions,
1036 Conn: c.conn,
1037 HelloRetryRequest: c.didHRR,
1038 config: c.config,
1039 ctx: ctx,
1040 }
1041 }
1042