Google Git
Sign in
go / go / 482669db62bc5b6537727d621555a46eccb6173d / . / src / crypto / tls / handshake_server.go
blob: 7606305c1dfbcc1573cee069158ff660b3ae468c [file] [log] [blame]
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package tls
6
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]7import (
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]8 "context"
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]9 "crypto"
10 "crypto/ecdsa"
Filippo Valsordaf3533852019-05-16 19:13:29 -0400[diff] [blame]11 "crypto/ed25519"
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]12 "crypto/rsa"
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]13 "crypto/subtle"
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]14 "crypto/x509"
Russ Coxc2049d22011-11-01 22:04:37 -0400[diff] [blame]15 "errors"
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]16 "fmt"
Filippo Valsorda01cdd362020-08-31 17:09:57 -0400[diff] [blame]17 "hash"
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]18 "io"
Minaev Mikee5b13402018-01-26 09:17:46 +0000[diff] [blame]19 "sync/atomic"
Katie Hockman6ea19bb2020-04-30 20:11:55 -0400[diff] [blame]20 "time"
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]21)
22
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]23// serverHandshakeState contains details of a server handshake in progress.
24// It's discarded once the handshake has completed.
25type serverHandshakeState struct {
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]26 c *Conn
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]27 ctx context.Context
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]28 clientHello *clientHelloMsg
29 hello *serverHelloMsg
30 suite *cipherSuite
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]31 ecdheOk bool
Filippo Valsordaf3533852019-05-16 19:13:29 -0400[diff] [blame]32 ecSignOk bool
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]33 rsaDecryptOk bool
34 rsaSignOk bool
35 sessionState *sessionState
36 finishedHash finishedHash
37 masterSecret []byte
38 cert *Certificate
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]39}
40
41// serverHandshake performs a TLS handshake as a server.
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]42func (c *Conn) serverHandshake(ctx context.Context) error {
43 clientHello, err := c.readClientHello(ctx)
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]44 if err != nil {
45 return err
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]46 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]47
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]48 if c.vers == VersionTLS13 {
49 hs := serverHandshakeStateTLS13{
50 c: c,
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]51 ctx: ctx,
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]52 clientHello: clientHello,
53 }
54 return hs.handshake()
55 }
56
57 hs := serverHandshakeState{
58 c: c,
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]59 ctx: ctx,
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]60 clientHello: clientHello,
61 }
62 return hs.handshake()
63}
64
65func (hs *serverHandshakeState) handshake() error {
66 c := hs.c
67
68 if err := hs.processClientHello(); err != nil {
69 return err
70 }
71
Filippo Valsordaee769922018-10-12 17:07:04 -0400[diff] [blame]72 // For an overview of TLS handshaking, see RFC 5246, Section 7.3.
Adam Langley2a8c81f2016-06-01 14:41:09 -0700[diff] [blame]73 c.buffering = true
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]74 if hs.checkForResumption() {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]75 // The client has included a session ticket and so we do an abbreviated handshake.
Katie Hockman62a3f2e2020-04-20 17:55:37 -0400[diff] [blame]76 c.didResume = true
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]77 if err := hs.doResumeHandshake(); err != nil {
78 return err
79 }
80 if err := hs.establishKeys(); err != nil {
81 return err
82 }
Katie Hockman3b0882e2020-05-18 15:50:03 -0400[diff] [blame]83 if err := hs.sendSessionTicket(); err != nil {
84 return err
Jonathan Rudenbergbff14172015-04-17 21:32:11 -0400[diff] [blame]85 }
Adam Langleyaf125a52016-04-26 10:45:35 -0700[diff] [blame]86 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]87 return err
88 }
Adam Langley2a8c81f2016-06-01 14:41:09 -0700[diff] [blame]89 if _, err := c.flush(); err != nil {
90 return err
91 }
Adam Langleyaf125a52016-04-26 10:45:35 -0700[diff] [blame]92 c.clientFinishedIsFirst = false
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]93 if err := hs.readFinished(nil); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]94 return err
95 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]96 } else {
97 // The client didn't include a session ticket, or it wasn't
98 // valid so we do a full handshake.
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]99 if err := hs.pickCipherSuite(); err != nil {
100 return err
101 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]102 if err := hs.doFullHandshake(); err != nil {
103 return err
104 }
105 if err := hs.establishKeys(); err != nil {
106 return err
107 }
Adam Langleyaf125a52016-04-26 10:45:35 -0700[diff] [blame]108 if err := hs.readFinished(c.clientFinished[:]); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]109 return err
110 }
Adam Langleyaf125a52016-04-26 10:45:35 -0700[diff] [blame]111 c.clientFinishedIsFirst = true
Adam Langley2a8c81f2016-06-01 14:41:09 -0700[diff] [blame]112 c.buffering = true
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]113 if err := hs.sendSessionTicket(); err != nil {
114 return err
115 }
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]116 if err := hs.sendFinished(nil); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]117 return err
118 }
Adam Langley2a8c81f2016-06-01 14:41:09 -0700[diff] [blame]119 if _, err := c.flush(); err != nil {
120 return err
121 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]122 }
Mike Danesec5291412017-12-20 19:47:49 -0800[diff] [blame]123
124 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
Minaev Mikee5b13402018-01-26 09:17:46 +0000[diff] [blame]125 atomic.StoreUint32(&c.handshakeStatus, 1)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]126
127 return nil
128}
129
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]130// readClientHello reads a ClientHello message and selects the protocol version.
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]131func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]132 msg, err := c.readHandshake()
133 if err != nil {
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]134 return nil, err
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]135 }
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]136 clientHello, ok := msg.(*clientHelloMsg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]137 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]138 c.sendAlert(alertUnexpectedMessage)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]139 return nil, unexpectedMessageError(clientHello, msg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]140 }
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]141
Katie Hockman43f2f502020-04-28 17:47:27 -0400[diff] [blame]142 var configForClient *Config
143 originalConfig := c.config
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]144 if c.config.GetConfigForClient != nil {
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]145 chi := clientHelloInfo(ctx, c, clientHello)
Katie Hockman43f2f502020-04-28 17:47:27 -0400[diff] [blame]146 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]147 c.sendAlert(alertInternalError)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]148 return nil, err
Katie Hockman43f2f502020-04-28 17:47:27 -0400[diff] [blame]149 } else if configForClient != nil {
150 c.config = configForClient
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]151 }
152 }
Katie Hockman43f2f502020-04-28 17:47:27 -0400[diff] [blame]153 c.ticketKeys = originalConfig.ticketKeys(configForClient)
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]154
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]155 clientVersions := clientHello.supportedVersions
156 if len(clientHello.supportedVersions) == 0 {
157 clientVersions = supportedVersionsFromMax(clientHello.vers)
Filippo Valsorda7f5dce02018-10-31 09:34:10 -0400[diff] [blame]158 }
Filippo Valsorda035963c2021-10-31 23:13:18 -0400[diff] [blame]159 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]160 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]161 c.sendAlert(alertProtocolVersion)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]162 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]163 }
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]164 c.haveVers = true
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]165 c.in.version = c.vers
166 c.out.version = c.vers
167
168 return clientHello, nil
169}
170
171func (hs *serverHandshakeState) processClientHello() error {
172 c := hs.c
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]173
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]174 hs.hello = new(serverHelloMsg)
Filippo Valsorda7f5dce02018-10-31 09:34:10 -0400[diff] [blame]175 hs.hello.vers = c.vers
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]176
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]177 foundCompression := false
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]178 // We only support null compression, so check that the client offered it.
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]179 for _, compression := range hs.clientHello.compressionMethods {
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]180 if compression == compressionNone {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]181 foundCompression = true
182 break
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]183 }
184 }
185
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]186 if !foundCompression {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]187 c.sendAlert(alertHandshakeFailure)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]188 return errors.New("tls: client does not support uncompressed connections")
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]189 }
190
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]191 hs.hello.random = make([]byte, 32)
Filippo Valsorda46d4aa22018-11-05 20:39:45 -0500[diff] [blame]192 serverRandom := hs.hello.random
193 // Downgrade protection canaries. See RFC 8446, Section 4.1.3.
Filippo Valsorda035963c2021-10-31 23:13:18 -0400[diff] [blame]194 maxVers := c.config.maxSupportedVersion(roleServer)
Filippo Valsordaa6c6e592020-04-29 17:54:24 -0400[diff] [blame]195 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
Filippo Valsorda46d4aa22018-11-05 20:39:45 -0500[diff] [blame]196 if c.vers == VersionTLS12 {
197 copy(serverRandom[24:], downgradeCanaryTLS12)
198 } else {
199 copy(serverRandom[24:], downgradeCanaryTLS11)
200 }
201 serverRandom = serverRandom[:24]
202 }
203 _, err := io.ReadFull(c.config.rand(), serverRandom)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]204 if err != nil {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]205 c.sendAlert(alertInternalError)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]206 return err
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]207 }
Adam Langleyaf125a52016-04-26 10:45:35 -0700[diff] [blame]208
209 if len(hs.clientHello.secureRenegotiation) != 0 {
210 c.sendAlert(alertHandshakeFailure)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]211 return errors.New("tls: initial handshake had non-empty renegotiation extension")
Adam Langleyaf125a52016-04-26 10:45:35 -0700[diff] [blame]212 }
213
214 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]215 hs.hello.compressionMethod = compressionNone
216 if len(hs.clientHello.serverName) > 0 {
217 c.serverName = hs.clientHello.serverName
Adam Langley9ebb5962009-12-23 11:13:09 -0800[diff] [blame]218 }
Adam Langleyd0e255f2014-08-05 11:36:20 -0700[diff] [blame]219
Filippo Valsordadc00dc62021-06-07 08:24:22 -0400[diff] [blame]220 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
221 if err != nil {
222 c.sendAlert(alertNoApplicationProtocol)
223 return err
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]224 }
Filippo Valsordadc00dc62021-06-07 08:24:22 -0400[diff] [blame]225 hs.hello.alpnProtocol = selectedProto
226 c.clientProtocol = selectedProto
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]227
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]228 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
Emmanuel Odekef0711b92016-03-14 03:35:13 -0600[diff] [blame]229 if err != nil {
Filippo Valsordaeb93c682019-11-02 14:43:34 -0400[diff] [blame]230 if err == errNoCertificates {
231 c.sendAlert(alertUnrecognizedName)
232 } else {
233 c.sendAlert(alertInternalError)
234 }
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]235 return err
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]236 }
Jonathan Rudenberg02e69c42015-04-16 14:59:22 -0400[diff] [blame]237 if hs.clientHello.scts {
238 hs.hello.scts = hs.cert.SignedCertificateTimestamps
239 }
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]240
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]241 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
242
243 if hs.ecdheOk {
Ville Skyttä440f7d62019-11-15 19:49:30 +0000[diff] [blame]244 // Although omitting the ec_point_formats extension is permitted, some
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]245 // old OpenSSL version will refuse to handshake if not present.
246 //
247 // Per RFC 4492, section 5.1.2, implementations MUST support the
248 // uncompressed point format. See golang.org/issue/31943.
249 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
250 }
251
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]252 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]253 switch priv.Public().(type) {
254 case *ecdsa.PublicKey:
Filippo Valsordaf3533852019-05-16 19:13:29 -0400[diff] [blame]255 hs.ecSignOk = true
256 case ed25519.PublicKey:
257 hs.ecSignOk = true
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]258 case *rsa.PublicKey:
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]259 hs.rsaSignOk = true
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]260 default:
261 c.sendAlert(alertInternalError)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]262 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]263 }
264 }
265 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]266 switch priv.Public().(type) {
267 case *rsa.PublicKey:
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]268 hs.rsaDecryptOk = true
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]269 default:
270 c.sendAlert(alertInternalError)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]271 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]272 }
273 }
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]274
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]275 return nil
276}
277
Filippo Valsordadc00dc62021-06-07 08:24:22 -0400[diff] [blame]278// negotiateALPN picks a shared ALPN protocol that both sides support in server
279// preference order. If ALPN is not configured or the peer doesn't support it,
280// it returns "" and no error.
281func negotiateALPN(serverProtos, clientProtos []string) (string, error) {
282 if len(serverProtos) == 0 || len(clientProtos) == 0 {
283 return "", nil
284 }
285 var http11fallback bool
286 for _, s := range serverProtos {
287 for _, c := range clientProtos {
288 if s == c {
289 return s, nil
290 }
291 if s == "h2" && c == "http/1.1" {
292 http11fallback = true
293 }
294 }
295 }
296 // As a special case, let http/1.1 clients connect to h2 servers as if they
297 // didn't support ALPN. We used not to enforce protocol overlap, so over
298 // time a number of HTTP servers were configured with only "h2", but
299 // expected to accept connections from "http/1.1" clients. See Issue 46310.
300 if http11fallback {
301 return "", nil
302 }
303 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
304}
305
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]306// supportsECDHE returns whether ECDHE key exchanges can be used with this
307// pre-TLS 1.3 client.
308func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
309 supportsCurve := false
310 for _, curve := range supportedCurves {
311 if c.supportsCurve(curve) {
312 supportsCurve = true
313 break
314 }
315 }
316
317 supportsPointFormat := false
318 for _, pointFormat := range supportedPoints {
319 if pointFormat == pointFormatUncompressed {
320 supportsPointFormat = true
321 break
322 }
323 }
324
325 return supportsCurve && supportsPointFormat
326}
327
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]328func (hs *serverHandshakeState) pickCipherSuite() error {
329 c := hs.c
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]330
Filippo Valsorda9d0819b2021-04-28 01:37:09 -0400[diff] [blame]331 preferenceOrder := cipherSuitesPreferenceOrder
332 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
333 preferenceOrder = cipherSuitesPreferenceOrderNoAES
334 }
Roland Shoemaker9f39a432020-10-15 18:32:20 -0700[diff] [blame]335
Filippo Valsorda9d0819b2021-04-28 01:37:09 -0400[diff] [blame]336 configCipherSuites := c.config.cipherSuites()
337 preferenceList := make([]uint16, 0, len(configCipherSuites))
338 for _, suiteID := range preferenceOrder {
339 for _, id := range configCipherSuites {
340 if id == suiteID {
341 preferenceList = append(preferenceList, id)
342 break
343 }
Roland Shoemaker9f39a432020-10-15 18:32:20 -0700[diff] [blame]344 }
Adam Langley793cbd52013-01-22 10:10:38 -0500[diff] [blame]345 }
346
Filippo Valsorda9d0819b2021-04-28 01:37:09 -0400[diff] [blame]347 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]348 if hs.suite == nil {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]349 c.sendAlert(alertHandshakeFailure)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]350 return errors.New("tls: no cipher suite supported by both client and server")
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]351 }
Katie Hockmanfb86c702020-06-04 10:52:24 -0400[diff] [blame]352 c.cipherSuite = hs.suite.id
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]353
Adam Langleye5624ed2014-10-15 17:54:04 -0700[diff] [blame]354 for _, id := range hs.clientHello.cipherSuites {
355 if id == TLS_FALLBACK_SCSV {
Filippo Valsorda46d4aa22018-11-05 20:39:45 -0500[diff] [blame]356 // The client is doing a fallback connection. See RFC 7507.
Filippo Valsorda035963c2021-10-31 23:13:18 -0400[diff] [blame]357 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
Adam Langleye5624ed2014-10-15 17:54:04 -0700[diff] [blame]358 c.sendAlert(alertInappropriateFallback)
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]359 return errors.New("tls: client using inappropriate protocol fallback")
Adam Langleye5624ed2014-10-15 17:54:04 -0700[diff] [blame]360 }
361 break
362 }
363 }
364
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]365 return nil
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]366}
367
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]368func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
369 if c.flags&suiteECDHE != 0 {
370 if !hs.ecdheOk {
371 return false
372 }
373 if c.flags&suiteECSign != 0 {
374 if !hs.ecSignOk {
375 return false
376 }
377 } else if !hs.rsaSignOk {
378 return false
379 }
380 } else if !hs.rsaDecryptOk {
381 return false
382 }
383 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
384 return false
385 }
386 return true
387}
388
Josh Bleecher Snyder2adc4e82015-02-17 15:44:42 -0800[diff] [blame]389// checkForResumption reports whether we should perform resumption on this connection.
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]390func (hs *serverHandshakeState) checkForResumption() bool {
391 c := hs.c
392
Adam Langley64df53e2014-09-26 11:02:09 +1000[diff] [blame]393 if c.config.SessionTicketsDisabled {
394 return false
395 }
396
Filippo Valsorda6435d0c2018-11-05 15:59:08 -0500[diff] [blame]397 plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket)
398 if plaintext == nil {
399 return false
400 }
401 hs.sessionState = &sessionState{usedOldKey: usedOldKey}
402 ok := hs.sessionState.unmarshal(plaintext)
403 if !ok {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]404 return false
405 }
406
Katie Hockman6ea19bb2020-04-30 20:11:55 -0400[diff] [blame]407 createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
408 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
409 return false
410 }
411
David Benjaminebbe4f82016-02-15 11:41:40 -0500[diff] [blame]412 // Never resume a session for a different TLS version.
413 if c.vers != hs.sessionState.vers {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]414 return false
415 }
416
417 cipherSuiteOk := false
418 // Check that the client is still offering the ciphersuite in the session.
419 for _, id := range hs.clientHello.cipherSuites {
420 if id == hs.sessionState.cipherSuite {
421 cipherSuiteOk = true
422 break
423 }
424 }
425 if !cipherSuiteOk {
426 return false
427 }
428
429 // Check that we also support the ciphersuite from the session.
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]430 hs.suite = selectCipherSuite([]uint16{hs.sessionState.cipherSuite},
431 c.config.cipherSuites(), hs.cipherSuiteOk)
432 if hs.suite == nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]433 return false
434 }
435
436 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
Filippo Valsorda6435d0c2018-11-05 15:59:08 -0500[diff] [blame]437 needClientCerts := requiresClientCert(c.config.ClientAuth)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]438 if needClientCerts && !sessionHasClientCerts {
439 return false
440 }
441 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
442 return false
443 }
444
445 return true
446}
447
448func (hs *serverHandshakeState) doResumeHandshake() error {
449 c := hs.c
450
451 hs.hello.cipherSuite = hs.suite.id
Katie Hockmanfb86c702020-06-04 10:52:24 -0400[diff] [blame]452 c.cipherSuite = hs.suite.id
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]453 // We echo the client's session ID in the ServerHello to let it know
454 // that we're doing a resumption.
455 hs.hello.sessionId = hs.clientHello.sessionId
Jonathan Rudenbergbff14172015-04-17 21:32:11 -0400[diff] [blame]456 hs.hello.ticketSupported = hs.sessionState.usedOldKey
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]457 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
458 hs.finishedHash.discardHandshakeBuffer()
459 hs.finishedHash.Write(hs.clientHello.marshal())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]460 hs.finishedHash.Write(hs.hello.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]461 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
462 return err
463 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]464
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]465 if err := c.processCertsFromClient(Certificate{
466 Certificate: hs.sessionState.certificates,
467 }); err != nil {
468 return err
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]469 }
470
Katie Hockman66e35c92020-05-13 17:44:20 -0400[diff] [blame]471 if c.config.VerifyConnection != nil {
472 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
473 c.sendAlert(alertBadCertificate)
474 return err
475 }
476 }
477
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]478 hs.masterSecret = hs.sessionState.masterSecret
479
480 return nil
481}
482
483func (hs *serverHandshakeState) doFullHandshake() error {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]484 c := hs.c
Adam Langleye6e8b722012-04-12 12:35:21 -0400[diff] [blame]485
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]486 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]487 hs.hello.ocspStapling = true
Adam Langley6f921f22011-04-14 14:47:28 -0400[diff] [blame]488 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]489
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]490 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]491 hs.hello.cipherSuite = hs.suite.id
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]492
493 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]494 if c.config.ClientAuth == NoClientCert {
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]495 // No need to keep a full record of the handshake if client
496 // certificates won't be used.
497 hs.finishedHash.discardHandshakeBuffer()
498 }
499 hs.finishedHash.Write(hs.clientHello.marshal())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]500 hs.finishedHash.Write(hs.hello.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]501 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
502 return err
503 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]504
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]505 certMsg := new(certificateMsg)
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]506 certMsg.certificates = hs.cert.Certificate
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]507 hs.finishedHash.Write(certMsg.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]508 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
509 return err
510 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]511
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]512 if hs.hello.ocspStapling {
Adam Langley6f921f22011-04-14 14:47:28 -0400[diff] [blame]513 certStatus := new(certificateStatusMsg)
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]514 certStatus.response = hs.cert.OCSPStaple
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]515 hs.finishedHash.Write(certStatus.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]516 if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {
517 return err
518 }
Adam Langley6f921f22011-04-14 14:47:28 -0400[diff] [blame]519 }
520
Adam Langley7e767792013-07-02 19:58:56 -0400[diff] [blame]521 keyAgreement := hs.suite.ka(c.vers)
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]522 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]523 if err != nil {
524 c.sendAlert(alertHandshakeFailure)
525 return err
526 }
527 if skx != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]528 hs.finishedHash.Write(skx.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]529 if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {
530 return err
531 }
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]532 }
533
Filippo Valsorda0b3a57b2019-06-13 18:33:33 -0400[diff] [blame]534 var certReq *certificateRequestMsg
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]535 if c.config.ClientAuth >= RequestClientCert {
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]536 // Request a client certificate
Filippo Valsorda0b3a57b2019-06-13 18:33:33 -0400[diff] [blame]537 certReq = new(certificateRequestMsg)
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]538 certReq.certificateTypes = []byte{
539 byte(certTypeRSASign),
540 byte(certTypeECDSASign),
541 }
Adam Langley7e767792013-07-02 19:58:56 -0400[diff] [blame]542 if c.vers >= VersionTLS12 {
Filippo Valsorda4c8b09e2018-10-24 21:22:00 -0400[diff] [blame]543 certReq.hasSignatureAlgorithm = true
Filippo Valsordaab0a6492019-11-20 16:19:41 -0500[diff] [blame]544 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
Adam Langley7e767792013-07-02 19:58:56 -0400[diff] [blame]545 }
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]546
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]547 // An empty list of certificateAuthorities signals to
548 // the client that it may send any certificate in response
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]549 // to our request. When we know the CAs we trust, then
550 // we can send them down, so that the client can choose
551 // an appropriate certificate to give to us.
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]552 if c.config.ClientCAs != nil {
553 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]554 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]555 hs.finishedHash.Write(certReq.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]556 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
557 return err
558 }
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]559 }
560
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]561 helloDone := new(serverHelloDoneMsg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]562 hs.finishedHash.Write(helloDone.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]563 if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {
564 return err
565 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]566
Adam Langley2a8c81f2016-06-01 14:41:09 -0700[diff] [blame]567 if _, err := c.flush(); err != nil {
568 return err
569 }
570
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]571 var pub crypto.PublicKey // public key for client auth, if any
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]572
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]573 msg, err := c.readHandshake()
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]574 if err != nil {
575 return err
576 }
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]577
578 // If we requested a client certificate, then the client must send a
579 // certificate message, even if it's empty.
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]580 if c.config.ClientAuth >= RequestClientCert {
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]581 certMsg, ok := msg.(*certificateMsg)
582 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]583 c.sendAlert(alertUnexpectedMessage)
584 return unexpectedMessageError(certMsg, msg)
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]585 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]586 hs.finishedHash.Write(certMsg.marshal())
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]587
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]588 if err := c.processCertsFromClient(Certificate{
589 Certificate: certMsg.certificates,
590 }); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]591 return err
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]592 }
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]593 if len(certMsg.certificates) != 0 {
594 pub = c.peerCertificates[0].PublicKey
595 }
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]596
597 msg, err = c.readHandshake()
598 if err != nil {
599 return err
600 }
601 }
Katie Hockman66e35c92020-05-13 17:44:20 -0400[diff] [blame]602 if c.config.VerifyConnection != nil {
603 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
604 c.sendAlert(alertBadCertificate)
605 return err
Katie Hockman62a3f2e2020-04-20 17:55:37 -0400[diff] [blame]606 }
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]607 }
608
609 // Get client key exchange
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]610 ckx, ok := msg.(*clientKeyExchangeMsg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]611 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]612 c.sendAlert(alertUnexpectedMessage)
613 return unexpectedMessageError(ckx, msg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]614 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]615 hs.finishedHash.Write(ckx.marshal())
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]616
Adam Langleycff3e752016-10-10 15:27:34 -0700[diff] [blame]617 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]618 if err != nil {
619 c.sendAlert(alertHandshakeFailure)
620 return err
621 }
622 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
Filippo Valsorda29b01d52018-11-03 18:13:05 -0400[diff] [blame]623 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
Joonas Kuorilehto320bd562016-08-20 14:41:42 +0300[diff] [blame]624 c.sendAlert(alertInternalError)
625 return err
626 }
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]627
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]628 // If we received a client cert in response to our certificate request message,
629 // the client will send us a certificateVerifyMsg immediately after the
Brad Fitzpatrick5fea2cc2016-03-01 23:21:55 +0000[diff] [blame]630 // clientKeyExchangeMsg. This message is a digest of all preceding
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]631 // handshake-layer messages that is signed using the private key corresponding
632 // to the client's certificate. This allows us to verify that the client is in
Robert Henckec8727c82011-05-18 13:14:56 -0400[diff] [blame]633 // possession of the private key of the certificate.
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]634 if len(c.peerCertificates) > 0 {
635 msg, err = c.readHandshake()
636 if err != nil {
637 return err
638 }
639 certVerify, ok := msg.(*certificateVerifyMsg)
640 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]641 c.sendAlert(alertUnexpectedMessage)
642 return unexpectedMessageError(certVerify, msg)
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]643 }
644
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]645 var sigType uint8
646 var sigHash crypto.Hash
647 if c.vers >= VersionTLS12 {
648 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
649 c.sendAlert(alertIllegalParameter)
650 return errors.New("tls: client certificate used with invalid signature algorithm")
651 }
652 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
653 if err != nil {
654 return c.sendAlert(alertInternalError)
655 }
656 } else {
657 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
658 if err != nil {
659 c.sendAlert(alertIllegalParameter)
660 return err
661 }
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]662 }
663
Filippo Valsordaec732632019-11-01 19:00:33 -0400[diff] [blame]664 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret)
665 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
Filippo Valsordacd18da42019-10-29 16:46:26 -0400[diff] [blame]666 c.sendAlert(alertDecryptError)
667 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]668 }
669
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]670 hs.finishedHash.Write(certVerify.marshal())
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]671 }
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]672
673 hs.finishedHash.discardHandshakeBuffer()
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]674
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]675 return nil
676}
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]677
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]678func (hs *serverHandshakeState) establishKeys() error {
679 c := hs.c
680
681 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]682 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]683
Russ Cox2580d0e2021-12-01 12:15:45 -0500[diff] [blame]684 var clientCipher, serverCipher any
Filippo Valsorda01cdd362020-08-31 17:09:57 -0400[diff] [blame]685 var clientHash, serverHash hash.Hash
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]686
Adam Langley2fe9a5a2013-08-29 17:18:59 -0400[diff] [blame]687 if hs.suite.aead == nil {
688 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
Filippo Valsorda01cdd362020-08-31 17:09:57 -0400[diff] [blame]689 clientHash = hs.suite.mac(clientMAC)
Adam Langley2fe9a5a2013-08-29 17:18:59 -0400[diff] [blame]690 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
Filippo Valsorda01cdd362020-08-31 17:09:57 -0400[diff] [blame]691 serverHash = hs.suite.mac(serverMAC)
Adam Langley2fe9a5a2013-08-29 17:18:59 -0400[diff] [blame]692 } else {
693 clientCipher = hs.suite.aead(clientKey, clientIV)
694 serverCipher = hs.suite.aead(serverKey, serverIV)
695 }
696
697 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]698 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
699
700 return nil
701}
702
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]703func (hs *serverHandshakeState) readFinished(out []byte) error {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]704 c := hs.c
705
Filippo Valsordadb27e782018-11-03 18:29:09 -0400[diff] [blame]706 if err := c.readChangeCipherSpec(); err != nil {
707 return err
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]708 }
709
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]710 msg, err := c.readHandshake()
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]711 if err != nil {
712 return err
713 }
714 clientFinished, ok := msg.(*finishedMsg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]715 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]716 c.sendAlert(alertUnexpectedMessage)
717 return unexpectedMessageError(clientFinished, msg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]718 }
719
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]720 verify := hs.finishedHash.clientSum(hs.masterSecret)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]721 if len(verify) != len(clientFinished.verifyData) ||
722 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]723 c.sendAlert(alertHandshakeFailure)
724 return errors.New("tls: client's Finished message is incorrect")
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]725 }
726
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]727 hs.finishedHash.Write(clientFinished.marshal())
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]728 copy(out, verify)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]729 return nil
730}
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]731
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]732func (hs *serverHandshakeState) sendSessionTicket() error {
Katie Hockman3b0882e2020-05-18 15:50:03 -0400[diff] [blame]733 // ticketSupported is set in a resumption handshake if the
734 // ticket from the client was encrypted with an old session
735 // ticket key and thus a refreshed ticket should be sent.
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]736 if !hs.hello.ticketSupported {
737 return nil
738 }
739
740 c := hs.c
741 m := new(newSessionTicketMsg)
742
Katie Hockman3b0882e2020-05-18 15:50:03 -0400[diff] [blame]743 createdAt := uint64(c.config.time().Unix())
744 if hs.sessionState != nil {
745 // If this is re-wrapping an old key, then keep
746 // the original time it was created.
747 createdAt = hs.sessionState.createdAt
748 }
749
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]750 var certsFromClient [][]byte
751 for _, cert := range c.peerCertificates {
752 certsFromClient = append(certsFromClient, cert.Raw)
753 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]754 state := sessionState{
755 vers: c.vers,
756 cipherSuite: hs.suite.id,
Katie Hockman3b0882e2020-05-18 15:50:03 -0400[diff] [blame]757 createdAt: createdAt,
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]758 masterSecret: hs.masterSecret,
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]759 certificates: certsFromClient,
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]760 }
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]761 var err error
Filippo Valsorda6435d0c2018-11-05 15:59:08 -0500[diff] [blame]762 m.ticket, err = c.encryptTicket(state.marshal())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]763 if err != nil {
764 return err
765 }
766
767 hs.finishedHash.Write(m.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]768 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
769 return err
770 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]771
772 return nil
773}
774
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]775func (hs *serverHandshakeState) sendFinished(out []byte) error {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]776 c := hs.c
777
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]778 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
779 return err
780 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]781
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]782 finished := new(finishedMsg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]783 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
784 hs.finishedHash.Write(finished.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]785 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
786 return err
787 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]788
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]789 copy(out, finished.verifyData)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]790
791 return nil
792}
793
794// processCertsFromClient takes a chain of client certificates either from a
795// Certificates message or from a sessionState and verifies them. It returns
796// the public key of the leaf certificate.
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]797func (c *Conn) processCertsFromClient(certificate Certificate) error {
798 certificates := certificate.Certificate
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]799 certs := make([]*x509.Certificate, len(certificates))
800 var err error
801 for i, asn1Data := range certificates {
802 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
803 c.sendAlert(alertBadCertificate)
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]804 return errors.New("tls: failed to parse client certificate: " + err.Error())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]805 }
806 }
807
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]808 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
809 c.sendAlert(alertBadCertificate)
810 return errors.New("tls: client didn't provide a certificate")
811 }
812
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]813 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
814 opts := x509.VerifyOptions{
815 Roots: c.config.ClientCAs,
816 CurrentTime: c.config.time(),
817 Intermediates: x509.NewCertPool(),
818 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
819 }
820
821 for _, cert := range certs[1:] {
822 opts.Intermediates.AddCert(cert)
823 }
824
825 chains, err := certs[0].Verify(opts)
826 if err != nil {
827 c.sendAlert(alertBadCertificate)
Filippo Valsordacd18da42019-10-29 16:46:26 -0400[diff] [blame]828 return errors.New("tls: failed to verify client certificate: " + err.Error())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]829 }
830
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]831 c.verifiedChains = chains
832 }
833
Katie Hockman62a3f2e2020-04-20 17:55:37 -0400[diff] [blame]834 c.peerCertificates = certs
835 c.ocspResponse = certificate.OCSPStaple
836 c.scts = certificate.SignedCertificateTimestamps
837
838 if len(certs) > 0 {
839 switch certs[0].PublicKey.(type) {
840 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
841 default:
842 c.sendAlert(alertUnsupportedCertificate)
843 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
844 }
845 }
846
Joshua Boelter426c2872016-07-13 16:22:28 -0600[diff] [blame]847 if c.config.VerifyPeerCertificate != nil {
848 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
849 c.sendAlert(alertBadCertificate)
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]850 return err
Joshua Boelter426c2872016-07-13 16:22:28 -0600[diff] [blame]851 }
852 }
853
Filippo Valsorda106db712018-11-05 19:23:25 -0500[diff] [blame]854 return nil
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]855}
856
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]857func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]858 supportedVersions := clientHello.supportedVersions
859 if len(clientHello.supportedVersions) == 0 {
860 supportedVersions = supportedVersionsFromMax(clientHello.vers)
Filippo Valsorda51c959b2016-10-19 15:21:54 +0200[diff] [blame]861 }
862
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]863 return &ClientHelloInfo{
864 CipherSuites: clientHello.cipherSuites,
865 ServerName: clientHello.serverName,
866 SupportedCurves: clientHello.supportedCurves,
867 SupportedPoints: clientHello.supportedPoints,
868 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
869 SupportedProtos: clientHello.alpnProtocols,
Filippo Valsorda51c959b2016-10-19 15:21:54 +0200[diff] [blame]870 SupportedVersions: supportedVersions,
Filippo Valsordac21ba092018-11-02 00:57:30 -0400[diff] [blame]871 Conn: c.conn,
Filippo Valsordadd017382019-11-01 19:00:33 -0400[diff] [blame]872 config: c.config,
Johan Brandhorst86070432020-08-01 12:18:31 +0100[diff] [blame]873 ctx: ctx,
Filippo Valsorda51c959b2016-10-19 15:21:54 +0200[diff] [blame]874 }
Filippo Valsorda51c959b2016-10-19 15:21:54 +0200[diff] [blame]875}