Google Git
Sign in
go / go / b88147c303f7b2b52ca0191a96fa1a3249e46297 / . / src / crypto / tls / handshake_server.go
blob: a6cafd3d24962b071a977181eee2a8c615e9319e [file] [log] [blame]
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package tls
6
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]7import (
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]8 "crypto"
9 "crypto/ecdsa"
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]10 "crypto/rsa"
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]11 "crypto/subtle"
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]12 "crypto/x509"
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]13 "encoding/asn1"
Russ Coxc2049d22011-11-01 22:04:37 -0400[diff] [blame]14 "errors"
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]15 "fmt"
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]16 "io"
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]17)
18
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]19// serverHandshakeState contains details of a server handshake in progress.
20// It's discarded once the handshake has completed.
21type serverHandshakeState struct {
22 c *Conn
23 clientHello *clientHelloMsg
24 hello *serverHelloMsg
25 suite *cipherSuite
26 ellipticOk bool
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]27 ecdsaOk bool
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]28 rsaDecryptOk bool
29 rsaSignOk bool
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]30 sessionState *sessionState
31 finishedHash finishedHash
32 masterSecret []byte
33 certsFromClient [][]byte
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]34 cert *Certificate
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]35}
36
37// serverHandshake performs a TLS handshake as a server.
Russ Coxc2049d22011-11-01 22:04:37 -0400[diff] [blame]38func (c *Conn) serverHandshake() error {
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]39 config := c.config
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]40
41 // If this is the first server handshake, we generate a random key to
42 // encrypt the tickets with.
Brad Fitzpatrick76d5e2c2013-03-20 23:53:38 -0400[diff] [blame]43 config.serverInitOnce.Do(config.serverInit)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]44
45 hs := serverHandshakeState{
46 c: c,
47 }
48 isResume, err := hs.readClientHello()
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]49 if err != nil {
50 return err
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]51 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]52
53 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3
54 if isResume {
55 // The client has included a session ticket and so we do an abbreviated handshake.
56 if err := hs.doResumeHandshake(); err != nil {
57 return err
58 }
59 if err := hs.establishKeys(); err != nil {
60 return err
61 }
Jonathan Rudenbergbff14172015-04-17 21:32:11 -0400[diff] [blame]62 // ticketSupported is set in a resumption handshake if the
63 // ticket from the client was encrypted with an old session
64 // ticket key and thus a refreshed ticket should be sent.
65 if hs.hello.ticketSupported {
66 if err := hs.sendSessionTicket(); err != nil {
67 return err
68 }
69 }
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]70 if err := hs.sendFinished(c.firstFinished[:]); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]71 return err
72 }
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]73 if err := hs.readFinished(nil); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]74 return err
75 }
76 c.didResume = true
77 } else {
78 // The client didn't include a session ticket, or it wasn't
79 // valid so we do a full handshake.
80 if err := hs.doFullHandshake(); err != nil {
81 return err
82 }
83 if err := hs.establishKeys(); err != nil {
84 return err
85 }
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]86 if err := hs.readFinished(c.firstFinished[:]); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]87 return err
88 }
89 if err := hs.sendSessionTicket(); err != nil {
90 return err
91 }
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]92 if err := hs.sendFinished(nil); err != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]93 return err
94 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]95 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]96 c.handshakeComplete = true
97
98 return nil
99}
100
101// readClientHello reads a ClientHello message from the client and decides
102// whether we will perform session resumption.
103func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
104 config := hs.c.config
105 c := hs.c
106
107 msg, err := c.readHandshake()
108 if err != nil {
109 return false, err
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]110 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]111 var ok bool
112 hs.clientHello, ok = msg.(*clientHelloMsg)
113 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]114 c.sendAlert(alertUnexpectedMessage)
115 return false, unexpectedMessageError(hs.clientHello, msg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]116 }
Adam Langley2112fed2013-06-04 20:02:22 -0400[diff] [blame]117 c.vers, ok = config.mutualVersion(hs.clientHello.vers)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]118 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]119 c.sendAlert(alertProtocolVersion)
120 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]121 }
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]122 c.haveVers = true
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]123
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]124 hs.hello = new(serverHelloMsg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]125
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]126 supportedCurve := false
Adam Langleydb99a8f2014-02-24 17:57:51 -0500[diff] [blame]127 preferredCurves := config.curvePreferences()
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]128Curves:
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]129 for _, curve := range hs.clientHello.supportedCurves {
Adam Langleydb99a8f2014-02-24 17:57:51 -0500[diff] [blame]130 for _, supported := range preferredCurves {
131 if supported == curve {
132 supportedCurve = true
133 break Curves
134 }
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]135 }
136 }
137
138 supportedPointFormat := false
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]139 for _, pointFormat := range hs.clientHello.supportedPoints {
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]140 if pointFormat == pointFormatUncompressed {
141 supportedPointFormat = true
142 break
143 }
144 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]145 hs.ellipticOk = supportedCurve && supportedPointFormat
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]146
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]147 foundCompression := false
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]148 // We only support null compression, so check that the client offered it.
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]149 for _, compression := range hs.clientHello.compressionMethods {
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]150 if compression == compressionNone {
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]151 foundCompression = true
152 break
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]153 }
154 }
155
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]156 if !foundCompression {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]157 c.sendAlert(alertHandshakeFailure)
158 return false, errors.New("tls: client does not support uncompressed connections")
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]159 }
160
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]161 hs.hello.vers = c.vers
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]162 hs.hello.random = make([]byte, 32)
Anthony Martinc2d02b32014-02-04 10:51:37 -0500[diff] [blame]163 _, err = io.ReadFull(config.rand(), hs.hello.random)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]164 if err != nil {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]165 c.sendAlert(alertInternalError)
166 return false, err
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]167 }
Anthony Martinc2d02b32014-02-04 10:51:37 -0500[diff] [blame]168 hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]169 hs.hello.compressionMethod = compressionNone
170 if len(hs.clientHello.serverName) > 0 {
171 c.serverName = hs.clientHello.serverName
Adam Langley9ebb5962009-12-23 11:13:09 -0800[diff] [blame]172 }
Adam Langleyd0e255f2014-08-05 11:36:20 -0700[diff] [blame]173
174 if len(hs.clientHello.alpnProtocols) > 0 {
175 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
176 hs.hello.alpnProtocol = selectedProto
177 c.clientProtocol = selectedProto
178 }
179 } else {
180 // Although sending an empty NPN extension is reasonable, Firefox has
181 // had a bug around this. Best to send nothing at all if
182 // config.NextProtos is empty. See
Péter Surányi9b6ccb12015-02-06 21:44:39 +0900[diff] [blame]183 // https://golang.org/issue/5445.
Adam Langleyd0e255f2014-08-05 11:36:20 -0700[diff] [blame]184 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 {
185 hs.hello.nextProtoNeg = true
186 hs.hello.nextProtos = config.NextProtos
187 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]188 }
189
Emmanuel Odekef0711b92016-03-14 03:35:13 -0600[diff] [blame]190 hs.cert, err = config.getCertificate(&ClientHelloInfo{
Adam Langleycba882e2015-04-12 16:41:31 -0700[diff] [blame]191 CipherSuites: hs.clientHello.cipherSuites,
192 ServerName: hs.clientHello.serverName,
193 SupportedCurves: hs.clientHello.supportedCurves,
194 SupportedPoints: hs.clientHello.supportedPoints,
Emmanuel Odekef0711b92016-03-14 03:35:13 -0600[diff] [blame]195 })
196 if err != nil {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]197 c.sendAlert(alertInternalError)
Adam Langleycba882e2015-04-12 16:41:31 -0700[diff] [blame]198 return false, err
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]199 }
Jonathan Rudenberg02e69c42015-04-16 14:59:22 -0400[diff] [blame]200 if hs.clientHello.scts {
201 hs.hello.scts = hs.cert.SignedCertificateTimestamps
202 }
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]203
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]204 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]205 switch priv.Public().(type) {
206 case *ecdsa.PublicKey:
207 hs.ecdsaOk = true
208 case *rsa.PublicKey:
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]209 hs.rsaSignOk = true
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]210 default:
211 c.sendAlert(alertInternalError)
212 return false, fmt.Errorf("crypto/tls: unsupported signing key type (%T)", priv.Public())
213 }
214 }
215 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]216 switch priv.Public().(type) {
217 case *rsa.PublicKey:
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]218 hs.rsaDecryptOk = true
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]219 default:
220 c.sendAlert(alertInternalError)
221 return false, fmt.Errorf("crypto/tls: unsupported decryption key type (%T)", priv.Public())
222 }
223 }
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]224
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]225 if hs.checkForResumption() {
226 return true, nil
227 }
228
Adam Langley793cbd52013-01-22 10:10:38 -0500[diff] [blame]229 var preferenceList, supportedList []uint16
230 if c.config.PreferServerCipherSuites {
231 preferenceList = c.config.cipherSuites()
232 supportedList = hs.clientHello.cipherSuites
233 } else {
234 preferenceList = hs.clientHello.cipherSuites
235 supportedList = c.config.cipherSuites()
236 }
237
238 for _, id := range preferenceList {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]239 if hs.setCipherSuite(id, supportedList, c.vers) {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]240 break
241 }
242 }
243
244 if hs.suite == nil {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]245 c.sendAlert(alertHandshakeFailure)
246 return false, errors.New("tls: no cipher suite supported by both client and server")
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]247 }
248
David Benjaminb88147c2016-02-15 11:56:18 -0500[diff] [blame^]249 // See https://tools.ietf.org/html/rfc7507.
Adam Langleye5624ed2014-10-15 17:54:04 -0700[diff] [blame]250 for _, id := range hs.clientHello.cipherSuites {
251 if id == TLS_FALLBACK_SCSV {
252 // The client is doing a fallback connection.
Ben Burkert1965b032014-12-18 10:17:54 -0800[diff] [blame]253 if hs.clientHello.vers < c.config.maxVersion() {
Adam Langleye5624ed2014-10-15 17:54:04 -0700[diff] [blame]254 c.sendAlert(alertInappropriateFallback)
Joël Stemmer1d0a9eb2015-03-06 14:59:12 +0100[diff] [blame]255 return false, errors.New("tls: client using inappropriate protocol fallback")
Adam Langleye5624ed2014-10-15 17:54:04 -0700[diff] [blame]256 }
257 break
258 }
259 }
260
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]261 return false, nil
262}
263
Josh Bleecher Snyder2adc4e82015-02-17 15:44:42 -0800[diff] [blame]264// checkForResumption reports whether we should perform resumption on this connection.
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]265func (hs *serverHandshakeState) checkForResumption() bool {
266 c := hs.c
267
Adam Langley64df53e2014-09-26 11:02:09 +1000[diff] [blame]268 if c.config.SessionTicketsDisabled {
269 return false
270 }
271
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]272 var ok bool
Jacob H. Havenf1d669a2015-02-03 16:15:18 -0800[diff] [blame]273 var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...)
274 if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]275 return false
276 }
277
278 if hs.sessionState.vers > hs.clientHello.vers {
279 return false
280 }
Adam Langley2112fed2013-06-04 20:02:22 -0400[diff] [blame]281 if vers, ok := c.config.mutualVersion(hs.sessionState.vers); !ok || vers != hs.sessionState.vers {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]282 return false
283 }
284
285 cipherSuiteOk := false
286 // Check that the client is still offering the ciphersuite in the session.
287 for _, id := range hs.clientHello.cipherSuites {
288 if id == hs.sessionState.cipherSuite {
289 cipherSuiteOk = true
290 break
291 }
292 }
293 if !cipherSuiteOk {
294 return false
295 }
296
297 // Check that we also support the ciphersuite from the session.
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]298 if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]299 return false
300 }
301
302 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
303 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert
304 if needClientCerts && !sessionHasClientCerts {
305 return false
306 }
307 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
308 return false
309 }
310
311 return true
312}
313
314func (hs *serverHandshakeState) doResumeHandshake() error {
315 c := hs.c
316
317 hs.hello.cipherSuite = hs.suite.id
318 // We echo the client's session ID in the ServerHello to let it know
319 // that we're doing a resumption.
320 hs.hello.sessionId = hs.clientHello.sessionId
Jonathan Rudenbergbff14172015-04-17 21:32:11 -0400[diff] [blame]321 hs.hello.ticketSupported = hs.sessionState.usedOldKey
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]322 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
323 hs.finishedHash.discardHandshakeBuffer()
324 hs.finishedHash.Write(hs.clientHello.marshal())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]325 hs.finishedHash.Write(hs.hello.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]326 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
327 return err
328 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]329
330 if len(hs.sessionState.certificates) > 0 {
331 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
332 return err
333 }
334 }
335
336 hs.masterSecret = hs.sessionState.masterSecret
337
338 return nil
339}
340
341func (hs *serverHandshakeState) doFullHandshake() error {
342 config := hs.c.config
343 c := hs.c
Adam Langleye6e8b722012-04-12 12:35:21 -0400[diff] [blame]344
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]345 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]346 hs.hello.ocspStapling = true
Adam Langley6f921f22011-04-14 14:47:28 -0400[diff] [blame]347 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]348
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]349 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled
350 hs.hello.cipherSuite = hs.suite.id
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]351
352 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
353 if config.ClientAuth == NoClientCert {
354 // No need to keep a full record of the handshake if client
355 // certificates won't be used.
356 hs.finishedHash.discardHandshakeBuffer()
357 }
358 hs.finishedHash.Write(hs.clientHello.marshal())
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]359 hs.finishedHash.Write(hs.hello.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]360 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
361 return err
362 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]363
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]364 certMsg := new(certificateMsg)
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]365 certMsg.certificates = hs.cert.Certificate
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]366 hs.finishedHash.Write(certMsg.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]367 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
368 return err
369 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]370
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]371 if hs.hello.ocspStapling {
Adam Langley6f921f22011-04-14 14:47:28 -0400[diff] [blame]372 certStatus := new(certificateStatusMsg)
373 certStatus.statusType = statusTypeOCSP
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]374 certStatus.response = hs.cert.OCSPStaple
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]375 hs.finishedHash.Write(certStatus.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]376 if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {
377 return err
378 }
Adam Langley6f921f22011-04-14 14:47:28 -0400[diff] [blame]379 }
380
Adam Langley7e767792013-07-02 19:58:56 -0400[diff] [blame]381 keyAgreement := hs.suite.ka(c.vers)
Adam Langleyeef70352013-09-17 13:30:36 -0400[diff] [blame]382 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello)
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]383 if err != nil {
384 c.sendAlert(alertHandshakeFailure)
385 return err
386 }
387 if skx != nil {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]388 hs.finishedHash.Write(skx.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]389 if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {
390 return err
391 }
Adam Langley4883b732010-12-16 17:10:50 -0500[diff] [blame]392 }
393
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]394 if config.ClientAuth >= RequestClientCert {
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]395 // Request a client certificate
396 certReq := new(certificateRequestMsg)
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]397 certReq.certificateTypes = []byte{
398 byte(certTypeRSASign),
399 byte(certTypeECDSASign),
400 }
Adam Langley7e767792013-07-02 19:58:56 -0400[diff] [blame]401 if c.vers >= VersionTLS12 {
402 certReq.hasSignatureAndHash = true
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]403 certReq.signatureAndHashes = supportedSignatureAlgorithms
Adam Langley7e767792013-07-02 19:58:56 -0400[diff] [blame]404 }
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]405
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]406 // An empty list of certificateAuthorities signals to
407 // the client that it may send any certificate in response
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]408 // to our request. When we know the CAs we trust, then
409 // we can send them down, so that the client can choose
410 // an appropriate certificate to give to us.
411 if config.ClientCAs != nil {
412 certReq.certificateAuthorities = config.ClientCAs.Subjects()
413 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]414 hs.finishedHash.Write(certReq.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]415 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
416 return err
417 }
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]418 }
419
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]420 helloDone := new(serverHelloDoneMsg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]421 hs.finishedHash.Write(helloDone.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]422 if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {
423 return err
424 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]425
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]426 var pub crypto.PublicKey // public key for client auth, if any
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]427
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]428 msg, err := c.readHandshake()
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]429 if err != nil {
430 return err
431 }
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]432
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]433 var ok bool
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]434 // If we requested a client certificate, then the client must send a
435 // certificate message, even if it's empty.
436 if config.ClientAuth >= RequestClientCert {
437 if certMsg, ok = msg.(*certificateMsg); !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]438 c.sendAlert(alertUnexpectedMessage)
439 return unexpectedMessageError(certMsg, msg)
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]440 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]441 hs.finishedHash.Write(certMsg.marshal())
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]442
443 if len(certMsg.certificates) == 0 {
444 // The client didn't actually send a certificate
445 switch config.ClientAuth {
446 case RequireAnyClientCert, RequireAndVerifyClientCert:
447 c.sendAlert(alertBadCertificate)
448 return errors.New("tls: client didn't provide a certificate")
449 }
450 }
451
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]452 pub, err = hs.processCertsFromClient(certMsg.certificates)
453 if err != nil {
454 return err
Jeff R. Allenc581ec42012-01-05 12:05:38 -0500[diff] [blame]455 }
456
457 msg, err = c.readHandshake()
458 if err != nil {
459 return err
460 }
461 }
462
463 // Get client key exchange
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]464 ckx, ok := msg.(*clientKeyExchangeMsg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]465 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]466 c.sendAlert(alertUnexpectedMessage)
467 return unexpectedMessageError(ckx, msg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]468 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]469 hs.finishedHash.Write(ckx.marshal())
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]470
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]471 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers)
472 if err != nil {
473 c.sendAlert(alertHandshakeFailure)
474 return err
475 }
476 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
477
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]478 // If we received a client cert in response to our certificate request message,
479 // the client will send us a certificateVerifyMsg immediately after the
Brad Fitzpatrick5fea2cc2016-03-01 23:21:55 +0000[diff] [blame]480 // clientKeyExchangeMsg. This message is a digest of all preceding
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]481 // handshake-layer messages that is signed using the private key corresponding
482 // to the client's certificate. This allows us to verify that the client is in
Robert Henckec8727c82011-05-18 13:14:56 -0400[diff] [blame]483 // possession of the private key of the certificate.
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]484 if len(c.peerCertificates) > 0 {
485 msg, err = c.readHandshake()
486 if err != nil {
487 return err
488 }
489 certVerify, ok := msg.(*certificateVerifyMsg)
490 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]491 c.sendAlert(alertUnexpectedMessage)
492 return unexpectedMessageError(certVerify, msg)
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]493 }
494
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]495 // Determine the signature type.
496 var signatureAndHash signatureAndHash
497 if certVerify.hasSignatureAndHash {
498 signatureAndHash = certVerify.signatureAndHash
499 if !isSupportedSignatureAndHash(signatureAndHash, supportedSignatureAlgorithms) {
500 return errors.New("tls: unsupported hash function for client certificate")
501 }
502 } else {
503 // Before TLS 1.2 the signature algorithm was implicit
504 // from the key type, and only one hash per signature
505 // algorithm was possible. Leave the hash as zero.
506 switch pub.(type) {
507 case *ecdsa.PublicKey:
508 signatureAndHash.signature = signatureECDSA
509 case *rsa.PublicKey:
510 signatureAndHash.signature = signatureRSA
511 }
512 }
513
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]514 switch key := pub.(type) {
515 case *ecdsa.PublicKey:
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]516 if signatureAndHash.signature != signatureECDSA {
517 err = errors.New("bad signature type for client's ECDSA certificate")
518 break
519 }
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]520 ecdsaSig := new(ecdsaSignature)
521 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {
522 break
523 }
524 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
525 err = errors.New("ECDSA signature contained zero or negative values")
526 break
527 }
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]528 var digest []byte
529 if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]530 break
531 }
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]532 if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {
533 err = errors.New("ECDSA verification failure")
534 }
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]535 case *rsa.PublicKey:
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]536 if signatureAndHash.signature != signatureRSA {
537 err = errors.New("bad signature type for client's RSA certificate")
538 break
539 }
540 var digest []byte
541 var hashFunc crypto.Hash
542 if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {
543 break
544 }
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]545 err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature)
546 }
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]547 if err != nil {
Adam Langleyf6e2eab2010-10-11 10:39:56 -0400[diff] [blame]548 c.sendAlert(alertBadCertificate)
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]549 return errors.New("tls: could not validate signature of connection nonces: " + err.Error())
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]550 }
551
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]552 hs.finishedHash.Write(certVerify.marshal())
Mikkel Krautzc47123d2010-08-16 11:22:22 -0400[diff] [blame]553 }
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]554
555 hs.finishedHash.discardHandshakeBuffer()
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]556
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]557 return nil
558}
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]559
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]560func (hs *serverHandshakeState) establishKeys() error {
561 c := hs.c
562
563 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
Adam Langley09b238f2015-04-28 09:13:38 -0700[diff] [blame]564 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]565
Adam Langley2fe9a5a2013-08-29 17:18:59 -0400[diff] [blame]566 var clientCipher, serverCipher interface{}
567 var clientHash, serverHash macFunction
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]568
Adam Langley2fe9a5a2013-08-29 17:18:59 -0400[diff] [blame]569 if hs.suite.aead == nil {
570 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
571 clientHash = hs.suite.mac(c.vers, clientMAC)
572 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
573 serverHash = hs.suite.mac(c.vers, serverMAC)
574 } else {
575 clientCipher = hs.suite.aead(clientKey, clientIV)
576 serverCipher = hs.suite.aead(serverKey, serverIV)
577 }
578
579 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]580 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
581
582 return nil
583}
584
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]585func (hs *serverHandshakeState) readFinished(out []byte) error {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]586 c := hs.c
587
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]588 c.readRecord(recordTypeChangeCipherSpec)
Adam Langley3656c2d2014-03-03 09:01:44 -0500[diff] [blame]589 if err := c.in.error(); err != nil {
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]590 return err
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]591 }
592
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]593 if hs.hello.nextProtoNeg {
594 msg, err := c.readHandshake()
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]595 if err != nil {
596 return err
597 }
598 nextProto, ok := msg.(*nextProtoMsg)
Adam Langley9ebb5962009-12-23 11:13:09 -0800[diff] [blame]599 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]600 c.sendAlert(alertUnexpectedMessage)
601 return unexpectedMessageError(nextProto, msg)
Adam Langley9ebb5962009-12-23 11:13:09 -0800[diff] [blame]602 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]603 hs.finishedHash.Write(nextProto.marshal())
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]604 c.clientProtocol = nextProto.proto
Adam Langley9ebb5962009-12-23 11:13:09 -0800[diff] [blame]605 }
606
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]607 msg, err := c.readHandshake()
Russ Cox72d93222010-04-26 22:19:04 -0700[diff] [blame]608 if err != nil {
609 return err
610 }
611 clientFinished, ok := msg.(*finishedMsg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]612 if !ok {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]613 c.sendAlert(alertUnexpectedMessage)
614 return unexpectedMessageError(clientFinished, msg)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]615 }
616
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]617 verify := hs.finishedHash.clientSum(hs.masterSecret)
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]618 if len(verify) != len(clientFinished.verifyData) ||
619 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
Adam Langley6b29f7b2014-02-12 11:20:01 -0500[diff] [blame]620 c.sendAlert(alertHandshakeFailure)
621 return errors.New("tls: client's Finished message is incorrect")
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]622 }
623
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]624 hs.finishedHash.Write(clientFinished.marshal())
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]625 copy(out, verify)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]626 return nil
627}
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]628
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]629func (hs *serverHandshakeState) sendSessionTicket() error {
630 if !hs.hello.ticketSupported {
631 return nil
632 }
633
634 c := hs.c
635 m := new(newSessionTicketMsg)
636
637 var err error
638 state := sessionState{
639 vers: c.vers,
640 cipherSuite: hs.suite.id,
641 masterSecret: hs.masterSecret,
642 certificates: hs.certsFromClient,
643 }
644 m.ticket, err = c.encryptTicket(&state)
645 if err != nil {
646 return err
647 }
648
649 hs.finishedHash.Write(m.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]650 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
651 return err
652 }
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]653
654 return nil
655}
656
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]657func (hs *serverHandshakeState) sendFinished(out []byte) error {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]658 c := hs.c
659
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]660 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
661 return err
662 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]663
Robert Griesemer5a1d3322009-12-15 15:33:31 -0800[diff] [blame]664 finished := new(finishedMsg)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]665 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
666 hs.finishedHash.Write(finished.marshal())
Tamir Duberstein37c28752016-02-26 14:17:29 -0500[diff] [blame]667 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
668 return err
669 }
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]670
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]671 c.cipherSuite = hs.suite.id
Andres Erbsenfce63882014-08-11 16:40:42 -0700[diff] [blame]672 copy(out, finished.verifyData)
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]673
674 return nil
675}
676
677// processCertsFromClient takes a chain of client certificates either from a
678// Certificates message or from a sessionState and verifies them. It returns
679// the public key of the leaf certificate.
Joel Sing7b7dac52013-07-17 12:33:16 -0400[diff] [blame]680func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]681 c := hs.c
682
683 hs.certsFromClient = certificates
684 certs := make([]*x509.Certificate, len(certificates))
685 var err error
686 for i, asn1Data := range certificates {
687 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
688 c.sendAlert(alertBadCertificate)
689 return nil, errors.New("tls: failed to parse client certificate: " + err.Error())
690 }
691 }
692
693 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
694 opts := x509.VerifyOptions{
695 Roots: c.config.ClientCAs,
696 CurrentTime: c.config.time(),
697 Intermediates: x509.NewCertPool(),
698 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
699 }
700
701 for _, cert := range certs[1:] {
702 opts.Intermediates.AddCert(cert)
703 }
704
705 chains, err := certs[0].Verify(opts)
706 if err != nil {
707 c.sendAlert(alertBadCertificate)
708 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())
709 }
710
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]711 c.verifiedChains = chains
712 }
713
Emmanuel Odekef0711b92016-03-14 03:35:13 -0600[diff] [blame]714 if len(certs) == 0 {
715 return nil, nil
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]716 }
717
Emmanuel Odekef0711b92016-03-14 03:35:13 -0600[diff] [blame]718 var pub crypto.PublicKey
719 switch key := certs[0].PublicKey.(type) {
720 case *ecdsa.PublicKey, *rsa.PublicKey:
721 pub = key
722 default:
723 c.sendAlert(alertUnsupportedCertificate)
724 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
725 }
726 c.peerCertificates = certs
727 return pub, nil
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]728}
729
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]730// setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState
731// suite if that cipher suite is acceptable to use.
732// It returns a bool indicating if the suite was set.
733func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {
Adam Langley793cbd52013-01-22 10:10:38 -0500[diff] [blame]734 for _, supported := range supportedCipherSuites {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]735 if id == supported {
736 var candidate *cipherSuite
737
738 for _, s := range cipherSuites {
739 if s.id == id {
740 candidate = s
741 break
742 }
743 }
744 if candidate == nil {
745 continue
746 }
747 // Don't select a ciphersuite which we can't
748 // support for this client.
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]749 if candidate.flags&suiteECDHE != 0 {
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]750 if !hs.ellipticOk {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]751 continue
752 }
753 if candidate.flags&suiteECDSA != 0 {
754 if !hs.ecdsaOk {
755 continue
756 }
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]757 } else if !hs.rsaSignOk {
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]758 continue
759 }
Adam Langley7b850ec62015-04-02 16:19:46 -0700[diff] [blame]760 } else if !hs.rsaDecryptOk {
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]761 continue
762 }
Adam Langleyf7524842013-09-26 17:09:56 -0400[diff] [blame]763 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
764 continue
765 }
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]766 hs.suite = candidate
767 return true
Adam Langley65c7dc42012-09-24 16:52:43 -0400[diff] [blame]768 }
769 }
Jacob H. Haven28f33b42015-03-19 04:01:57 -0700[diff] [blame]770 return false
Adam Langley5e598c52009-11-05 15:44:32 -0800[diff] [blame]771}