Source file
src/crypto/tls/handshake_client.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "context"
10 "crypto"
11 "crypto/ecdsa"
12 "crypto/ed25519"
13 "crypto/rsa"
14 "crypto/subtle"
15 "crypto/x509"
16 "errors"
17 "fmt"
18 "hash"
19 "io"
20 "net"
21 "strings"
22 "sync/atomic"
23 "time"
24 )
25
26 type clientHandshakeState struct {
27 c *Conn
28 ctx context.Context
29 serverHello *serverHelloMsg
30 hello *clientHelloMsg
31 suite *cipherSuite
32 finishedHash finishedHash
33 masterSecret []byte
34 session *ClientSessionState
35 }
36
37 var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme
38
39 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
40 config := c.config
41 if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
42 return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
43 }
44
45 nextProtosLength := 0
46 for _, proto := range config.NextProtos {
47 if l := len(proto); l == 0 || l > 255 {
48 return nil, nil, errors.New("tls: invalid NextProtos value")
49 } else {
50 nextProtosLength += 1 + l
51 }
52 }
53 if nextProtosLength > 0xffff {
54 return nil, nil, errors.New("tls: NextProtos values too large")
55 }
56
57 supportedVersions := config.supportedVersions(roleClient)
58 if len(supportedVersions) == 0 {
59 return nil, nil, errors.New("tls: no supported versions satisfy MinVersion and MaxVersion")
60 }
61
62 clientHelloVersion := config.maxSupportedVersion(roleClient)
63
64
65
66 if clientHelloVersion > VersionTLS12 {
67 clientHelloVersion = VersionTLS12
68 }
69
70 hello := &clientHelloMsg{
71 vers: clientHelloVersion,
72 compressionMethods: []uint8{compressionNone},
73 random: make([]byte, 32),
74 sessionId: make([]byte, 32),
75 ocspStapling: true,
76 scts: true,
77 serverName: hostnameInSNI(config.ServerName),
78 supportedCurves: config.curvePreferences(),
79 supportedPoints: []uint8{pointFormatUncompressed},
80 secureRenegotiationSupported: true,
81 alpnProtocols: config.NextProtos,
82 supportedVersions: supportedVersions,
83 }
84
85 if c.handshakes > 0 {
86 hello.secureRenegotiation = c.clientFinished[:]
87 }
88
89 preferenceOrder := cipherSuitesPreferenceOrder
90 if !hasAESGCMHardwareSupport {
91 preferenceOrder = cipherSuitesPreferenceOrderNoAES
92 }
93 configCipherSuites := config.cipherSuites()
94 hello.cipherSuites = make([]uint16, 0, len(configCipherSuites))
95
96 for _, suiteId := range preferenceOrder {
97 suite := mutualCipherSuite(configCipherSuites, suiteId)
98 if suite == nil {
99 continue
100 }
101
102
103 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
104 continue
105 }
106 hello.cipherSuites = append(hello.cipherSuites, suiteId)
107 }
108
109 _, err := io.ReadFull(config.rand(), hello.random)
110 if err != nil {
111 return nil, nil, errors.New("tls: short read from Rand: " + err.Error())
112 }
113
114
115
116
117 if _, err := io.ReadFull(config.rand(), hello.sessionId); err != nil {
118 return nil, nil, errors.New("tls: short read from Rand: " + err.Error())
119 }
120
121 if hello.vers >= VersionTLS12 {
122 hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
123 }
124 if testingOnlyForceClientHelloSignatureAlgorithms != nil {
125 hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms
126 }
127
128 var params ecdheParameters
129 if hello.supportedVersions[0] == VersionTLS13 {
130 if hasAESGCMHardwareSupport {
131 hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...)
132 } else {
133 hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...)
134 }
135
136 curveID := config.curvePreferences()[0]
137 if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
138 return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
139 }
140 params, err = generateECDHEParameters(config.rand(), curveID)
141 if err != nil {
142 return nil, nil, err
143 }
144 hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
145 }
146
147 return hello, params, nil
148 }
149
150 func (c *Conn) clientHandshake(ctx context.Context) (err error) {
151 if c.config == nil {
152 c.config = defaultConfig()
153 }
154
155
156
157 c.didResume = false
158
159 hello, ecdheParams, err := c.makeClientHello()
160 if err != nil {
161 return err
162 }
163 c.serverName = hello.serverName
164
165 cacheKey, session, earlySecret, binderKey := c.loadSession(hello)
166 if cacheKey != "" && session != nil {
167 defer func() {
168
169
170
171
172
173
174 if err != nil {
175 c.config.ClientSessionCache.Put(cacheKey, nil)
176 }
177 }()
178 }
179
180 if _, err := c.writeRecord(recordTypeHandshake, hello.marshal()); err != nil {
181 return err
182 }
183
184 msg, err := c.readHandshake()
185 if err != nil {
186 return err
187 }
188
189 serverHello, ok := msg.(*serverHelloMsg)
190 if !ok {
191 c.sendAlert(alertUnexpectedMessage)
192 return unexpectedMessageError(serverHello, msg)
193 }
194
195 if err := c.pickTLSVersion(serverHello); err != nil {
196 return err
197 }
198
199
200
201
202 maxVers := c.config.maxSupportedVersion(roleClient)
203 tls12Downgrade := string(serverHello.random[24:]) == downgradeCanaryTLS12
204 tls11Downgrade := string(serverHello.random[24:]) == downgradeCanaryTLS11
205 if maxVers == VersionTLS13 && c.vers <= VersionTLS12 && (tls12Downgrade || tls11Downgrade) ||
206 maxVers == VersionTLS12 && c.vers <= VersionTLS11 && tls11Downgrade {
207 c.sendAlert(alertIllegalParameter)
208 return errors.New("tls: downgrade attempt detected, possibly due to a MitM attack or a broken middlebox")
209 }
210
211 if c.vers == VersionTLS13 {
212 hs := &clientHandshakeStateTLS13{
213 c: c,
214 ctx: ctx,
215 serverHello: serverHello,
216 hello: hello,
217 ecdheParams: ecdheParams,
218 session: session,
219 earlySecret: earlySecret,
220 binderKey: binderKey,
221 }
222
223
224 return hs.handshake()
225 }
226
227 hs := &clientHandshakeState{
228 c: c,
229 ctx: ctx,
230 serverHello: serverHello,
231 hello: hello,
232 session: session,
233 }
234
235 if err := hs.handshake(); err != nil {
236 return err
237 }
238
239
240
241 if cacheKey != "" && hs.session != nil && session != hs.session {
242 c.config.ClientSessionCache.Put(cacheKey, hs.session)
243 }
244
245 return nil
246 }
247
248 func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string,
249 session *ClientSessionState, earlySecret, binderKey []byte) {
250 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
251 return "", nil, nil, nil
252 }
253
254 hello.ticketSupported = true
255
256 if hello.supportedVersions[0] == VersionTLS13 {
257
258
259 hello.pskModes = []uint8{pskModeDHE}
260 }
261
262
263
264
265 if c.handshakes != 0 {
266 return "", nil, nil, nil
267 }
268
269
270 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
271 session, ok := c.config.ClientSessionCache.Get(cacheKey)
272 if !ok || session == nil {
273 return cacheKey, nil, nil, nil
274 }
275
276
277 versOk := false
278 for _, v := range hello.supportedVersions {
279 if v == session.vers {
280 versOk = true
281 break
282 }
283 }
284 if !versOk {
285 return cacheKey, nil, nil, nil
286 }
287
288
289
290
291 if !c.config.InsecureSkipVerify {
292 if len(session.verifiedChains) == 0 {
293
294 return cacheKey, nil, nil, nil
295 }
296 serverCert := session.serverCertificates[0]
297 if c.config.time().After(serverCert.NotAfter) {
298
299 c.config.ClientSessionCache.Put(cacheKey, nil)
300 return cacheKey, nil, nil, nil
301 }
302 if err := serverCert.VerifyHostname(c.config.ServerName); err != nil {
303 return cacheKey, nil, nil, nil
304 }
305 }
306
307 if session.vers != VersionTLS13 {
308
309
310 if mutualCipherSuite(hello.cipherSuites, session.cipherSuite) == nil {
311 return cacheKey, nil, nil, nil
312 }
313
314 hello.sessionTicket = session.sessionTicket
315 return
316 }
317
318
319 if c.config.time().After(session.useBy) {
320 c.config.ClientSessionCache.Put(cacheKey, nil)
321 return cacheKey, nil, nil, nil
322 }
323
324
325
326 cipherSuite := cipherSuiteTLS13ByID(session.cipherSuite)
327 if cipherSuite == nil {
328 return cacheKey, nil, nil, nil
329 }
330 cipherSuiteOk := false
331 for _, offeredID := range hello.cipherSuites {
332 offeredSuite := cipherSuiteTLS13ByID(offeredID)
333 if offeredSuite != nil && offeredSuite.hash == cipherSuite.hash {
334 cipherSuiteOk = true
335 break
336 }
337 }
338 if !cipherSuiteOk {
339 return cacheKey, nil, nil, nil
340 }
341
342
343 ticketAge := uint32(c.config.time().Sub(session.receivedAt) / time.Millisecond)
344 identity := pskIdentity{
345 label: session.sessionTicket,
346 obfuscatedTicketAge: ticketAge + session.ageAdd,
347 }
348 hello.pskIdentities = []pskIdentity{identity}
349 hello.pskBinders = [][]byte{make([]byte, cipherSuite.hash.Size())}
350
351
352 psk := cipherSuite.expandLabel(session.masterSecret, "resumption",
353 session.nonce, cipherSuite.hash.Size())
354 earlySecret = cipherSuite.extract(psk, nil)
355 binderKey = cipherSuite.deriveSecret(earlySecret, resumptionBinderLabel, nil)
356 transcript := cipherSuite.hash.New()
357 transcript.Write(hello.marshalWithoutBinders())
358 pskBinders := [][]byte{cipherSuite.finishedHash(binderKey, transcript)}
359 hello.updateBinders(pskBinders)
360
361 return
362 }
363
364 func (c *Conn) pickTLSVersion(serverHello *serverHelloMsg) error {
365 peerVersion := serverHello.vers
366 if serverHello.supportedVersion != 0 {
367 peerVersion = serverHello.supportedVersion
368 }
369
370 vers, ok := c.config.mutualVersion(roleClient, []uint16{peerVersion})
371 if !ok {
372 c.sendAlert(alertProtocolVersion)
373 return fmt.Errorf("tls: server selected unsupported protocol version %x", peerVersion)
374 }
375
376 c.vers = vers
377 c.haveVers = true
378 c.in.version = vers
379 c.out.version = vers
380
381 return nil
382 }
383
384
385
386 func (hs *clientHandshakeState) handshake() error {
387 c := hs.c
388
389 isResume, err := hs.processServerHello()
390 if err != nil {
391 return err
392 }
393
394 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
395
396
397
398
399
400 if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
401 hs.finishedHash.discardHandshakeBuffer()
402 }
403
404 hs.finishedHash.Write(hs.hello.marshal())
405 hs.finishedHash.Write(hs.serverHello.marshal())
406
407 c.buffering = true
408 c.didResume = isResume
409 if isResume {
410 if err := hs.establishKeys(); err != nil {
411 return err
412 }
413 if err := hs.readSessionTicket(); err != nil {
414 return err
415 }
416 if err := hs.readFinished(c.serverFinished[:]); err != nil {
417 return err
418 }
419 c.clientFinishedIsFirst = false
420
421
422
423 if c.config.VerifyConnection != nil {
424 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
425 c.sendAlert(alertBadCertificate)
426 return err
427 }
428 }
429 if err := hs.sendFinished(c.clientFinished[:]); err != nil {
430 return err
431 }
432 if _, err := c.flush(); err != nil {
433 return err
434 }
435 } else {
436 if err := hs.doFullHandshake(); err != nil {
437 return err
438 }
439 if err := hs.establishKeys(); err != nil {
440 return err
441 }
442 if err := hs.sendFinished(c.clientFinished[:]); err != nil {
443 return err
444 }
445 if _, err := c.flush(); err != nil {
446 return err
447 }
448 c.clientFinishedIsFirst = true
449 if err := hs.readSessionTicket(); err != nil {
450 return err
451 }
452 if err := hs.readFinished(c.serverFinished[:]); err != nil {
453 return err
454 }
455 }
456
457 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random)
458 atomic.StoreUint32(&c.handshakeStatus, 1)
459
460 return nil
461 }
462
463 func (hs *clientHandshakeState) pickCipherSuite() error {
464 if hs.suite = mutualCipherSuite(hs.hello.cipherSuites, hs.serverHello.cipherSuite); hs.suite == nil {
465 hs.c.sendAlert(alertHandshakeFailure)
466 return errors.New("tls: server chose an unconfigured cipher suite")
467 }
468
469 hs.c.cipherSuite = hs.suite.id
470 return nil
471 }
472
473 func (hs *clientHandshakeState) doFullHandshake() error {
474 c := hs.c
475
476 msg, err := c.readHandshake()
477 if err != nil {
478 return err
479 }
480 certMsg, ok := msg.(*certificateMsg)
481 if !ok || len(certMsg.certificates) == 0 {
482 c.sendAlert(alertUnexpectedMessage)
483 return unexpectedMessageError(certMsg, msg)
484 }
485 hs.finishedHash.Write(certMsg.marshal())
486
487 msg, err = c.readHandshake()
488 if err != nil {
489 return err
490 }
491
492 cs, ok := msg.(*certificateStatusMsg)
493 if ok {
494
495
496
497 if !hs.serverHello.ocspStapling {
498
499
500
501
502 c.sendAlert(alertUnexpectedMessage)
503 return errors.New("tls: received unexpected CertificateStatus message")
504 }
505 hs.finishedHash.Write(cs.marshal())
506
507 c.ocspResponse = cs.response
508
509 msg, err = c.readHandshake()
510 if err != nil {
511 return err
512 }
513 }
514
515 if c.handshakes == 0 {
516
517
518 if err := c.verifyServerCertificate(certMsg.certificates); err != nil {
519 return err
520 }
521 } else {
522
523
524
525
526
527
528 if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) {
529 c.sendAlert(alertBadCertificate)
530 return errors.New("tls: server's identity changed during renegotiation")
531 }
532 }
533
534 keyAgreement := hs.suite.ka(c.vers)
535
536 skx, ok := msg.(*serverKeyExchangeMsg)
537 if ok {
538 hs.finishedHash.Write(skx.marshal())
539 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx)
540 if err != nil {
541 c.sendAlert(alertUnexpectedMessage)
542 return err
543 }
544
545 msg, err = c.readHandshake()
546 if err != nil {
547 return err
548 }
549 }
550
551 var chainToSend *Certificate
552 var certRequested bool
553 certReq, ok := msg.(*certificateRequestMsg)
554 if ok {
555 certRequested = true
556 hs.finishedHash.Write(certReq.marshal())
557
558 cri := certificateRequestInfoFromMsg(hs.ctx, c.vers, certReq)
559 if chainToSend, err = c.getClientCertificate(cri); err != nil {
560 c.sendAlert(alertInternalError)
561 return err
562 }
563
564 msg, err = c.readHandshake()
565 if err != nil {
566 return err
567 }
568 }
569
570 shd, ok := msg.(*serverHelloDoneMsg)
571 if !ok {
572 c.sendAlert(alertUnexpectedMessage)
573 return unexpectedMessageError(shd, msg)
574 }
575 hs.finishedHash.Write(shd.marshal())
576
577
578
579
580 if certRequested {
581 certMsg = new(certificateMsg)
582 certMsg.certificates = chainToSend.Certificate
583 hs.finishedHash.Write(certMsg.marshal())
584 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
585 return err
586 }
587 }
588
589 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, c.peerCertificates[0])
590 if err != nil {
591 c.sendAlert(alertInternalError)
592 return err
593 }
594 if ckx != nil {
595 hs.finishedHash.Write(ckx.marshal())
596 if _, err := c.writeRecord(recordTypeHandshake, ckx.marshal()); err != nil {
597 return err
598 }
599 }
600
601 if chainToSend != nil && len(chainToSend.Certificate) > 0 {
602 certVerify := &certificateVerifyMsg{}
603
604 key, ok := chainToSend.PrivateKey.(crypto.Signer)
605 if !ok {
606 c.sendAlert(alertInternalError)
607 return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey)
608 }
609
610 var sigType uint8
611 var sigHash crypto.Hash
612 if c.vers >= VersionTLS12 {
613 signatureAlgorithm, err := selectSignatureScheme(c.vers, chainToSend, certReq.supportedSignatureAlgorithms)
614 if err != nil {
615 c.sendAlert(alertIllegalParameter)
616 return err
617 }
618 sigType, sigHash, err = typeAndHashFromSignatureScheme(signatureAlgorithm)
619 if err != nil {
620 return c.sendAlert(alertInternalError)
621 }
622 certVerify.hasSignatureAlgorithm = true
623 certVerify.signatureAlgorithm = signatureAlgorithm
624 } else {
625 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(key.Public())
626 if err != nil {
627 c.sendAlert(alertIllegalParameter)
628 return err
629 }
630 }
631
632 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret)
633 signOpts := crypto.SignerOpts(sigHash)
634 if sigType == signatureRSAPSS {
635 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
636 }
637 certVerify.signature, err = key.Sign(c.config.rand(), signed, signOpts)
638 if err != nil {
639 c.sendAlert(alertInternalError)
640 return err
641 }
642
643 hs.finishedHash.Write(certVerify.marshal())
644 if _, err := c.writeRecord(recordTypeHandshake, certVerify.marshal()); err != nil {
645 return err
646 }
647 }
648
649 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
650 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.hello.random, hs.masterSecret); err != nil {
651 c.sendAlert(alertInternalError)
652 return errors.New("tls: failed to write to key log: " + err.Error())
653 }
654
655 hs.finishedHash.discardHandshakeBuffer()
656
657 return nil
658 }
659
660 func (hs *clientHandshakeState) establishKeys() error {
661 c := hs.c
662
663 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
664 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
665 var clientCipher, serverCipher any
666 var clientHash, serverHash hash.Hash
667 if hs.suite.cipher != nil {
668 clientCipher = hs.suite.cipher(clientKey, clientIV, false )
669 clientHash = hs.suite.mac(clientMAC)
670 serverCipher = hs.suite.cipher(serverKey, serverIV, true )
671 serverHash = hs.suite.mac(serverMAC)
672 } else {
673 clientCipher = hs.suite.aead(clientKey, clientIV)
674 serverCipher = hs.suite.aead(serverKey, serverIV)
675 }
676
677 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
678 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
679 return nil
680 }
681
682 func (hs *clientHandshakeState) serverResumedSession() bool {
683
684
685 return hs.session != nil && hs.hello.sessionId != nil &&
686 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
687 }
688
689 func (hs *clientHandshakeState) processServerHello() (bool, error) {
690 c := hs.c
691
692 if err := hs.pickCipherSuite(); err != nil {
693 return false, err
694 }
695
696 if hs.serverHello.compressionMethod != compressionNone {
697 c.sendAlert(alertUnexpectedMessage)
698 return false, errors.New("tls: server selected unsupported compression format")
699 }
700
701 if c.handshakes == 0 && hs.serverHello.secureRenegotiationSupported {
702 c.secureRenegotiation = true
703 if len(hs.serverHello.secureRenegotiation) != 0 {
704 c.sendAlert(alertHandshakeFailure)
705 return false, errors.New("tls: initial handshake had non-empty renegotiation extension")
706 }
707 }
708
709 if c.handshakes > 0 && c.secureRenegotiation {
710 var expectedSecureRenegotiation [24]byte
711 copy(expectedSecureRenegotiation[:], c.clientFinished[:])
712 copy(expectedSecureRenegotiation[12:], c.serverFinished[:])
713 if !bytes.Equal(hs.serverHello.secureRenegotiation, expectedSecureRenegotiation[:]) {
714 c.sendAlert(alertHandshakeFailure)
715 return false, errors.New("tls: incorrect renegotiation extension contents")
716 }
717 }
718
719 if err := checkALPN(hs.hello.alpnProtocols, hs.serverHello.alpnProtocol); err != nil {
720 c.sendAlert(alertUnsupportedExtension)
721 return false, err
722 }
723 c.clientProtocol = hs.serverHello.alpnProtocol
724
725 c.scts = hs.serverHello.scts
726
727 if !hs.serverResumedSession() {
728 return false, nil
729 }
730
731 if hs.session.vers != c.vers {
732 c.sendAlert(alertHandshakeFailure)
733 return false, errors.New("tls: server resumed a session with a different version")
734 }
735
736 if hs.session.cipherSuite != hs.suite.id {
737 c.sendAlert(alertHandshakeFailure)
738 return false, errors.New("tls: server resumed a session with a different cipher suite")
739 }
740
741
742 hs.masterSecret = hs.session.masterSecret
743 c.peerCertificates = hs.session.serverCertificates
744 c.verifiedChains = hs.session.verifiedChains
745 c.ocspResponse = hs.session.ocspResponse
746
747
748 if len(c.scts) == 0 && len(hs.session.scts) != 0 {
749 c.scts = hs.session.scts
750 }
751
752 return true, nil
753 }
754
755
756
757 func checkALPN(clientProtos []string, serverProto string) error {
758 if serverProto == "" {
759 return nil
760 }
761 if len(clientProtos) == 0 {
762 return errors.New("tls: server advertised unrequested ALPN extension")
763 }
764 for _, proto := range clientProtos {
765 if proto == serverProto {
766 return nil
767 }
768 }
769 return errors.New("tls: server selected unadvertised ALPN protocol")
770 }
771
772 func (hs *clientHandshakeState) readFinished(out []byte) error {
773 c := hs.c
774
775 if err := c.readChangeCipherSpec(); err != nil {
776 return err
777 }
778
779 msg, err := c.readHandshake()
780 if err != nil {
781 return err
782 }
783 serverFinished, ok := msg.(*finishedMsg)
784 if !ok {
785 c.sendAlert(alertUnexpectedMessage)
786 return unexpectedMessageError(serverFinished, msg)
787 }
788
789 verify := hs.finishedHash.serverSum(hs.masterSecret)
790 if len(verify) != len(serverFinished.verifyData) ||
791 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
792 c.sendAlert(alertHandshakeFailure)
793 return errors.New("tls: server's Finished message was incorrect")
794 }
795 hs.finishedHash.Write(serverFinished.marshal())
796 copy(out, verify)
797 return nil
798 }
799
800 func (hs *clientHandshakeState) readSessionTicket() error {
801 if !hs.serverHello.ticketSupported {
802 return nil
803 }
804
805 c := hs.c
806 msg, err := c.readHandshake()
807 if err != nil {
808 return err
809 }
810 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
811 if !ok {
812 c.sendAlert(alertUnexpectedMessage)
813 return unexpectedMessageError(sessionTicketMsg, msg)
814 }
815 hs.finishedHash.Write(sessionTicketMsg.marshal())
816
817 hs.session = &ClientSessionState{
818 sessionTicket: sessionTicketMsg.ticket,
819 vers: c.vers,
820 cipherSuite: hs.suite.id,
821 masterSecret: hs.masterSecret,
822 serverCertificates: c.peerCertificates,
823 verifiedChains: c.verifiedChains,
824 receivedAt: c.config.time(),
825 ocspResponse: c.ocspResponse,
826 scts: c.scts,
827 }
828
829 return nil
830 }
831
832 func (hs *clientHandshakeState) sendFinished(out []byte) error {
833 c := hs.c
834
835 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
836 return err
837 }
838
839 finished := new(finishedMsg)
840 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
841 hs.finishedHash.Write(finished.marshal())
842 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
843 return err
844 }
845 copy(out, finished.verifyData)
846 return nil
847 }
848
849
850
851 func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
852 certs := make([]*x509.Certificate, len(certificates))
853 for i, asn1Data := range certificates {
854 cert, err := x509.ParseCertificate(asn1Data)
855 if err != nil {
856 c.sendAlert(alertBadCertificate)
857 return errors.New("tls: failed to parse certificate from server: " + err.Error())
858 }
859 certs[i] = cert
860 }
861
862 if !c.config.InsecureSkipVerify {
863 opts := x509.VerifyOptions{
864 Roots: c.config.RootCAs,
865 CurrentTime: c.config.time(),
866 DNSName: c.config.ServerName,
867 Intermediates: x509.NewCertPool(),
868 }
869
870 for _, cert := range certs[1:] {
871 opts.Intermediates.AddCert(cert)
872 }
873 var err error
874 c.verifiedChains, err = certs[0].Verify(opts)
875 if err != nil {
876 c.sendAlert(alertBadCertificate)
877 return err
878 }
879 }
880
881 switch certs[0].PublicKey.(type) {
882 case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey:
883 break
884 default:
885 c.sendAlert(alertUnsupportedCertificate)
886 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
887 }
888
889 c.peerCertificates = certs
890
891 if c.config.VerifyPeerCertificate != nil {
892 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
893 c.sendAlert(alertBadCertificate)
894 return err
895 }
896 }
897
898 if c.config.VerifyConnection != nil {
899 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
900 c.sendAlert(alertBadCertificate)
901 return err
902 }
903 }
904
905 return nil
906 }
907
908
909
910 func certificateRequestInfoFromMsg(ctx context.Context, vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo {
911 cri := &CertificateRequestInfo{
912 AcceptableCAs: certReq.certificateAuthorities,
913 Version: vers,
914 ctx: ctx,
915 }
916
917 var rsaAvail, ecAvail bool
918 for _, certType := range certReq.certificateTypes {
919 switch certType {
920 case certTypeRSASign:
921 rsaAvail = true
922 case certTypeECDSASign:
923 ecAvail = true
924 }
925 }
926
927 if !certReq.hasSignatureAlgorithm {
928
929
930
931
932
933 switch {
934 case rsaAvail && ecAvail:
935 cri.SignatureSchemes = []SignatureScheme{
936 ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512,
937 PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1,
938 }
939 case rsaAvail:
940 cri.SignatureSchemes = []SignatureScheme{
941 PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1,
942 }
943 case ecAvail:
944 cri.SignatureSchemes = []SignatureScheme{
945 ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512,
946 }
947 }
948 return cri
949 }
950
951
952
953 cri.SignatureSchemes = make([]SignatureScheme, 0, len(certReq.supportedSignatureAlgorithms))
954 for _, sigScheme := range certReq.supportedSignatureAlgorithms {
955 sigType, _, err := typeAndHashFromSignatureScheme(sigScheme)
956 if err != nil {
957 continue
958 }
959 switch sigType {
960 case signatureECDSA, signatureEd25519:
961 if ecAvail {
962 cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme)
963 }
964 case signatureRSAPSS, signaturePKCS1v15:
965 if rsaAvail {
966 cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme)
967 }
968 }
969 }
970
971 return cri
972 }
973
974 func (c *Conn) getClientCertificate(cri *CertificateRequestInfo) (*Certificate, error) {
975 if c.config.GetClientCertificate != nil {
976 return c.config.GetClientCertificate(cri)
977 }
978
979 for _, chain := range c.config.Certificates {
980 if err := cri.SupportsCertificate(&chain); err != nil {
981 continue
982 }
983 return &chain, nil
984 }
985
986
987 return new(Certificate), nil
988 }
989
990
991
992 func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
993 if len(config.ServerName) > 0 {
994 return config.ServerName
995 }
996 return serverAddr.String()
997 }
998
999
1000
1001
1002 func hostnameInSNI(name string) string {
1003 host := name
1004 if len(host) > 0 && host[0] == '[' && host[len(host)-1] == ']' {
1005 host = host[1 : len(host)-1]
1006 }
1007 if i := strings.LastIndex(host, "%"); i > 0 {
1008 host = host[:i]
1009 }
1010 if net.ParseIP(host) != nil {
1011 return ""
1012 }
1013 for len(name) > 0 && name[len(name)-1] == '.' {
1014 name = name[:len(name)-1]
1015 }
1016 return name
1017 }
1018
View as plain text