Source file
src/crypto/tls/handshake_server.go
1
2
3
4
5 package tls
6
7 import (
8 "context"
9 "crypto"
10 "crypto/ecdsa"
11 "crypto/ed25519"
12 "crypto/rsa"
13 "crypto/subtle"
14 "crypto/x509"
15 "errors"
16 "fmt"
17 "hash"
18 "io"
19 "sync/atomic"
20 "time"
21 )
22
23
24
25 type serverHandshakeState struct {
26 c *Conn
27 ctx context.Context
28 clientHello *clientHelloMsg
29 hello *serverHelloMsg
30 suite *cipherSuite
31 ecdheOk bool
32 ecSignOk bool
33 rsaDecryptOk bool
34 rsaSignOk bool
35 sessionState *sessionState
36 finishedHash finishedHash
37 masterSecret []byte
38 cert *Certificate
39 }
40
41
42 func (c *Conn) serverHandshake(ctx context.Context) error {
43 clientHello, err := c.readClientHello(ctx)
44 if err != nil {
45 return err
46 }
47
48 if c.vers == VersionTLS13 {
49 hs := serverHandshakeStateTLS13{
50 c: c,
51 ctx: ctx,
52 clientHello: clientHello,
53 }
54 return hs.handshake()
55 }
56
57 hs := serverHandshakeState{
58 c: c,
59 ctx: ctx,
60 clientHello: clientHello,
61 }
62 return hs.handshake()
63 }
64
65 func (hs *serverHandshakeState) handshake() error {
66 c := hs.c
67
68 if err := hs.processClientHello(); err != nil {
69 return err
70 }
71
72
73 c.buffering = true
74 if hs.checkForResumption() {
75
76 c.didResume = true
77 if err := hs.doResumeHandshake(); err != nil {
78 return err
79 }
80 if err := hs.establishKeys(); err != nil {
81 return err
82 }
83 if err := hs.sendSessionTicket(); err != nil {
84 return err
85 }
86 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
87 return err
88 }
89 if _, err := c.flush(); err != nil {
90 return err
91 }
92 c.clientFinishedIsFirst = false
93 if err := hs.readFinished(nil); err != nil {
94 return err
95 }
96 } else {
97
98
99 if err := hs.pickCipherSuite(); err != nil {
100 return err
101 }
102 if err := hs.doFullHandshake(); err != nil {
103 return err
104 }
105 if err := hs.establishKeys(); err != nil {
106 return err
107 }
108 if err := hs.readFinished(c.clientFinished[:]); err != nil {
109 return err
110 }
111 c.clientFinishedIsFirst = true
112 c.buffering = true
113 if err := hs.sendSessionTicket(); err != nil {
114 return err
115 }
116 if err := hs.sendFinished(nil); err != nil {
117 return err
118 }
119 if _, err := c.flush(); err != nil {
120 return err
121 }
122 }
123
124 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
125 atomic.StoreUint32(&c.handshakeStatus, 1)
126
127 return nil
128 }
129
130
131 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) {
132 msg, err := c.readHandshake()
133 if err != nil {
134 return nil, err
135 }
136 clientHello, ok := msg.(*clientHelloMsg)
137 if !ok {
138 c.sendAlert(alertUnexpectedMessage)
139 return nil, unexpectedMessageError(clientHello, msg)
140 }
141
142 var configForClient *Config
143 originalConfig := c.config
144 if c.config.GetConfigForClient != nil {
145 chi := clientHelloInfo(ctx, c, clientHello)
146 if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
147 c.sendAlert(alertInternalError)
148 return nil, err
149 } else if configForClient != nil {
150 c.config = configForClient
151 }
152 }
153 c.ticketKeys = originalConfig.ticketKeys(configForClient)
154
155 clientVersions := clientHello.supportedVersions
156 if len(clientHello.supportedVersions) == 0 {
157 clientVersions = supportedVersionsFromMax(clientHello.vers)
158 }
159 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
160 if !ok {
161 c.sendAlert(alertProtocolVersion)
162 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
163 }
164 c.haveVers = true
165 c.in.version = c.vers
166 c.out.version = c.vers
167
168 return clientHello, nil
169 }
170
171 func (hs *serverHandshakeState) processClientHello() error {
172 c := hs.c
173
174 hs.hello = new(serverHelloMsg)
175 hs.hello.vers = c.vers
176
177 foundCompression := false
178
179 for _, compression := range hs.clientHello.compressionMethods {
180 if compression == compressionNone {
181 foundCompression = true
182 break
183 }
184 }
185
186 if !foundCompression {
187 c.sendAlert(alertHandshakeFailure)
188 return errors.New("tls: client does not support uncompressed connections")
189 }
190
191 hs.hello.random = make([]byte, 32)
192 serverRandom := hs.hello.random
193
194 maxVers := c.config.maxSupportedVersion(roleServer)
195 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
196 if c.vers == VersionTLS12 {
197 copy(serverRandom[24:], downgradeCanaryTLS12)
198 } else {
199 copy(serverRandom[24:], downgradeCanaryTLS11)
200 }
201 serverRandom = serverRandom[:24]
202 }
203 _, err := io.ReadFull(c.config.rand(), serverRandom)
204 if err != nil {
205 c.sendAlert(alertInternalError)
206 return err
207 }
208
209 if len(hs.clientHello.secureRenegotiation) != 0 {
210 c.sendAlert(alertHandshakeFailure)
211 return errors.New("tls: initial handshake had non-empty renegotiation extension")
212 }
213
214 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
215 hs.hello.compressionMethod = compressionNone
216 if len(hs.clientHello.serverName) > 0 {
217 c.serverName = hs.clientHello.serverName
218 }
219
220 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
221 if err != nil {
222 c.sendAlert(alertNoApplicationProtocol)
223 return err
224 }
225 hs.hello.alpnProtocol = selectedProto
226 c.clientProtocol = selectedProto
227
228 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
229 if err != nil {
230 if err == errNoCertificates {
231 c.sendAlert(alertUnrecognizedName)
232 } else {
233 c.sendAlert(alertInternalError)
234 }
235 return err
236 }
237 if hs.clientHello.scts {
238 hs.hello.scts = hs.cert.SignedCertificateTimestamps
239 }
240
241 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
242
243 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
244
245
246
247
248
249 hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
250 }
251
252 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
253 switch priv.Public().(type) {
254 case *ecdsa.PublicKey:
255 hs.ecSignOk = true
256 case ed25519.PublicKey:
257 hs.ecSignOk = true
258 case *rsa.PublicKey:
259 hs.rsaSignOk = true
260 default:
261 c.sendAlert(alertInternalError)
262 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
263 }
264 }
265 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
266 switch priv.Public().(type) {
267 case *rsa.PublicKey:
268 hs.rsaDecryptOk = true
269 default:
270 c.sendAlert(alertInternalError)
271 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
272 }
273 }
274
275 return nil
276 }
277
278
279
280
281 func negotiateALPN(serverProtos, clientProtos []string) (string, error) {
282 if len(serverProtos) == 0 || len(clientProtos) == 0 {
283 return "", nil
284 }
285 var http11fallback bool
286 for _, s := range serverProtos {
287 for _, c := range clientProtos {
288 if s == c {
289 return s, nil
290 }
291 if s == "h2" && c == "http/1.1" {
292 http11fallback = true
293 }
294 }
295 }
296
297
298
299
300 if http11fallback {
301 return "", nil
302 }
303 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
304 }
305
306
307
308 func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool {
309 supportsCurve := false
310 for _, curve := range supportedCurves {
311 if c.supportsCurve(curve) {
312 supportsCurve = true
313 break
314 }
315 }
316
317 supportsPointFormat := false
318 for _, pointFormat := range supportedPoints {
319 if pointFormat == pointFormatUncompressed {
320 supportsPointFormat = true
321 break
322 }
323 }
324
325
326
327
328 if len(supportedPoints) == 0 {
329 supportsPointFormat = true
330 }
331
332 return supportsCurve && supportsPointFormat
333 }
334
335 func (hs *serverHandshakeState) pickCipherSuite() error {
336 c := hs.c
337
338 preferenceOrder := cipherSuitesPreferenceOrder
339 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
340 preferenceOrder = cipherSuitesPreferenceOrderNoAES
341 }
342
343 configCipherSuites := c.config.cipherSuites()
344 preferenceList := make([]uint16, 0, len(configCipherSuites))
345 for _, suiteID := range preferenceOrder {
346 for _, id := range configCipherSuites {
347 if id == suiteID {
348 preferenceList = append(preferenceList, id)
349 break
350 }
351 }
352 }
353
354 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
355 if hs.suite == nil {
356 c.sendAlert(alertHandshakeFailure)
357 return errors.New("tls: no cipher suite supported by both client and server")
358 }
359 c.cipherSuite = hs.suite.id
360
361 for _, id := range hs.clientHello.cipherSuites {
362 if id == TLS_FALLBACK_SCSV {
363
364 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
365 c.sendAlert(alertInappropriateFallback)
366 return errors.New("tls: client using inappropriate protocol fallback")
367 }
368 break
369 }
370 }
371
372 return nil
373 }
374
375 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
376 if c.flags&suiteECDHE != 0 {
377 if !hs.ecdheOk {
378 return false
379 }
380 if c.flags&suiteECSign != 0 {
381 if !hs.ecSignOk {
382 return false
383 }
384 } else if !hs.rsaSignOk {
385 return false
386 }
387 } else if !hs.rsaDecryptOk {
388 return false
389 }
390 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
391 return false
392 }
393 return true
394 }
395
396
397 func (hs *serverHandshakeState) checkForResumption() bool {
398 c := hs.c
399
400 if c.config.SessionTicketsDisabled {
401 return false
402 }
403
404 plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket)
405 if plaintext == nil {
406 return false
407 }
408 hs.sessionState = &sessionState{usedOldKey: usedOldKey}
409 ok := hs.sessionState.unmarshal(plaintext)
410 if !ok {
411 return false
412 }
413
414 createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
415 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
416 return false
417 }
418
419
420 if c.vers != hs.sessionState.vers {
421 return false
422 }
423
424 cipherSuiteOk := false
425
426 for _, id := range hs.clientHello.cipherSuites {
427 if id == hs.sessionState.cipherSuite {
428 cipherSuiteOk = true
429 break
430 }
431 }
432 if !cipherSuiteOk {
433 return false
434 }
435
436
437 hs.suite = selectCipherSuite([]uint16{hs.sessionState.cipherSuite},
438 c.config.cipherSuites(), hs.cipherSuiteOk)
439 if hs.suite == nil {
440 return false
441 }
442
443 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
444 needClientCerts := requiresClientCert(c.config.ClientAuth)
445 if needClientCerts && !sessionHasClientCerts {
446 return false
447 }
448 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
449 return false
450 }
451
452 return true
453 }
454
455 func (hs *serverHandshakeState) doResumeHandshake() error {
456 c := hs.c
457
458 hs.hello.cipherSuite = hs.suite.id
459 c.cipherSuite = hs.suite.id
460
461
462 hs.hello.sessionId = hs.clientHello.sessionId
463 hs.hello.ticketSupported = hs.sessionState.usedOldKey
464 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
465 hs.finishedHash.discardHandshakeBuffer()
466 hs.finishedHash.Write(hs.clientHello.marshal())
467 hs.finishedHash.Write(hs.hello.marshal())
468 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
469 return err
470 }
471
472 if err := c.processCertsFromClient(Certificate{
473 Certificate: hs.sessionState.certificates,
474 }); err != nil {
475 return err
476 }
477
478 if c.config.VerifyConnection != nil {
479 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
480 c.sendAlert(alertBadCertificate)
481 return err
482 }
483 }
484
485 hs.masterSecret = hs.sessionState.masterSecret
486
487 return nil
488 }
489
490 func (hs *serverHandshakeState) doFullHandshake() error {
491 c := hs.c
492
493 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
494 hs.hello.ocspStapling = true
495 }
496
497 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
498 hs.hello.cipherSuite = hs.suite.id
499
500 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
501 if c.config.ClientAuth == NoClientCert {
502
503
504 hs.finishedHash.discardHandshakeBuffer()
505 }
506 hs.finishedHash.Write(hs.clientHello.marshal())
507 hs.finishedHash.Write(hs.hello.marshal())
508 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
509 return err
510 }
511
512 certMsg := new(certificateMsg)
513 certMsg.certificates = hs.cert.Certificate
514 hs.finishedHash.Write(certMsg.marshal())
515 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
516 return err
517 }
518
519 if hs.hello.ocspStapling {
520 certStatus := new(certificateStatusMsg)
521 certStatus.response = hs.cert.OCSPStaple
522 hs.finishedHash.Write(certStatus.marshal())
523 if _, err := c.writeRecord(recordTypeHandshake, certStatus.marshal()); err != nil {
524 return err
525 }
526 }
527
528 keyAgreement := hs.suite.ka(c.vers)
529 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
530 if err != nil {
531 c.sendAlert(alertHandshakeFailure)
532 return err
533 }
534 if skx != nil {
535 hs.finishedHash.Write(skx.marshal())
536 if _, err := c.writeRecord(recordTypeHandshake, skx.marshal()); err != nil {
537 return err
538 }
539 }
540
541 var certReq *certificateRequestMsg
542 if c.config.ClientAuth >= RequestClientCert {
543
544 certReq = new(certificateRequestMsg)
545 certReq.certificateTypes = []byte{
546 byte(certTypeRSASign),
547 byte(certTypeECDSASign),
548 }
549 if c.vers >= VersionTLS12 {
550 certReq.hasSignatureAlgorithm = true
551 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
552 }
553
554
555
556
557
558
559 if c.config.ClientCAs != nil {
560 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
561 }
562 hs.finishedHash.Write(certReq.marshal())
563 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
564 return err
565 }
566 }
567
568 helloDone := new(serverHelloDoneMsg)
569 hs.finishedHash.Write(helloDone.marshal())
570 if _, err := c.writeRecord(recordTypeHandshake, helloDone.marshal()); err != nil {
571 return err
572 }
573
574 if _, err := c.flush(); err != nil {
575 return err
576 }
577
578 var pub crypto.PublicKey
579
580 msg, err := c.readHandshake()
581 if err != nil {
582 return err
583 }
584
585
586
587 if c.config.ClientAuth >= RequestClientCert {
588 certMsg, ok := msg.(*certificateMsg)
589 if !ok {
590 c.sendAlert(alertUnexpectedMessage)
591 return unexpectedMessageError(certMsg, msg)
592 }
593 hs.finishedHash.Write(certMsg.marshal())
594
595 if err := c.processCertsFromClient(Certificate{
596 Certificate: certMsg.certificates,
597 }); err != nil {
598 return err
599 }
600 if len(certMsg.certificates) != 0 {
601 pub = c.peerCertificates[0].PublicKey
602 }
603
604 msg, err = c.readHandshake()
605 if err != nil {
606 return err
607 }
608 }
609 if c.config.VerifyConnection != nil {
610 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
611 c.sendAlert(alertBadCertificate)
612 return err
613 }
614 }
615
616
617 ckx, ok := msg.(*clientKeyExchangeMsg)
618 if !ok {
619 c.sendAlert(alertUnexpectedMessage)
620 return unexpectedMessageError(ckx, msg)
621 }
622 hs.finishedHash.Write(ckx.marshal())
623
624 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
625 if err != nil {
626 c.sendAlert(alertHandshakeFailure)
627 return err
628 }
629 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
630 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
631 c.sendAlert(alertInternalError)
632 return err
633 }
634
635
636
637
638
639
640
641 if len(c.peerCertificates) > 0 {
642 msg, err = c.readHandshake()
643 if err != nil {
644 return err
645 }
646 certVerify, ok := msg.(*certificateVerifyMsg)
647 if !ok {
648 c.sendAlert(alertUnexpectedMessage)
649 return unexpectedMessageError(certVerify, msg)
650 }
651
652 var sigType uint8
653 var sigHash crypto.Hash
654 if c.vers >= VersionTLS12 {
655 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
656 c.sendAlert(alertIllegalParameter)
657 return errors.New("tls: client certificate used with invalid signature algorithm")
658 }
659 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
660 if err != nil {
661 return c.sendAlert(alertInternalError)
662 }
663 } else {
664 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
665 if err != nil {
666 c.sendAlert(alertIllegalParameter)
667 return err
668 }
669 }
670
671 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret)
672 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
673 c.sendAlert(alertDecryptError)
674 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
675 }
676
677 hs.finishedHash.Write(certVerify.marshal())
678 }
679
680 hs.finishedHash.discardHandshakeBuffer()
681
682 return nil
683 }
684
685 func (hs *serverHandshakeState) establishKeys() error {
686 c := hs.c
687
688 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
689 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
690
691 var clientCipher, serverCipher any
692 var clientHash, serverHash hash.Hash
693
694 if hs.suite.aead == nil {
695 clientCipher = hs.suite.cipher(clientKey, clientIV, true )
696 clientHash = hs.suite.mac(clientMAC)
697 serverCipher = hs.suite.cipher(serverKey, serverIV, false )
698 serverHash = hs.suite.mac(serverMAC)
699 } else {
700 clientCipher = hs.suite.aead(clientKey, clientIV)
701 serverCipher = hs.suite.aead(serverKey, serverIV)
702 }
703
704 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
705 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
706
707 return nil
708 }
709
710 func (hs *serverHandshakeState) readFinished(out []byte) error {
711 c := hs.c
712
713 if err := c.readChangeCipherSpec(); err != nil {
714 return err
715 }
716
717 msg, err := c.readHandshake()
718 if err != nil {
719 return err
720 }
721 clientFinished, ok := msg.(*finishedMsg)
722 if !ok {
723 c.sendAlert(alertUnexpectedMessage)
724 return unexpectedMessageError(clientFinished, msg)
725 }
726
727 verify := hs.finishedHash.clientSum(hs.masterSecret)
728 if len(verify) != len(clientFinished.verifyData) ||
729 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
730 c.sendAlert(alertHandshakeFailure)
731 return errors.New("tls: client's Finished message is incorrect")
732 }
733
734 hs.finishedHash.Write(clientFinished.marshal())
735 copy(out, verify)
736 return nil
737 }
738
739 func (hs *serverHandshakeState) sendSessionTicket() error {
740
741
742
743 if !hs.hello.ticketSupported {
744 return nil
745 }
746
747 c := hs.c
748 m := new(newSessionTicketMsg)
749
750 createdAt := uint64(c.config.time().Unix())
751 if hs.sessionState != nil {
752
753
754 createdAt = hs.sessionState.createdAt
755 }
756
757 var certsFromClient [][]byte
758 for _, cert := range c.peerCertificates {
759 certsFromClient = append(certsFromClient, cert.Raw)
760 }
761 state := sessionState{
762 vers: c.vers,
763 cipherSuite: hs.suite.id,
764 createdAt: createdAt,
765 masterSecret: hs.masterSecret,
766 certificates: certsFromClient,
767 }
768 var err error
769 m.ticket, err = c.encryptTicket(state.marshal())
770 if err != nil {
771 return err
772 }
773
774 hs.finishedHash.Write(m.marshal())
775 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
776 return err
777 }
778
779 return nil
780 }
781
782 func (hs *serverHandshakeState) sendFinished(out []byte) error {
783 c := hs.c
784
785 if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
786 return err
787 }
788
789 finished := new(finishedMsg)
790 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
791 hs.finishedHash.Write(finished.marshal())
792 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
793 return err
794 }
795
796 copy(out, finished.verifyData)
797
798 return nil
799 }
800
801
802
803
804 func (c *Conn) processCertsFromClient(certificate Certificate) error {
805 certificates := certificate.Certificate
806 certs := make([]*x509.Certificate, len(certificates))
807 var err error
808 for i, asn1Data := range certificates {
809 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
810 c.sendAlert(alertBadCertificate)
811 return errors.New("tls: failed to parse client certificate: " + err.Error())
812 }
813 }
814
815 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
816 c.sendAlert(alertBadCertificate)
817 return errors.New("tls: client didn't provide a certificate")
818 }
819
820 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
821 opts := x509.VerifyOptions{
822 Roots: c.config.ClientCAs,
823 CurrentTime: c.config.time(),
824 Intermediates: x509.NewCertPool(),
825 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
826 }
827
828 for _, cert := range certs[1:] {
829 opts.Intermediates.AddCert(cert)
830 }
831
832 chains, err := certs[0].Verify(opts)
833 if err != nil {
834 c.sendAlert(alertBadCertificate)
835 return errors.New("tls: failed to verify client certificate: " + err.Error())
836 }
837
838 c.verifiedChains = chains
839 }
840
841 c.peerCertificates = certs
842 c.ocspResponse = certificate.OCSPStaple
843 c.scts = certificate.SignedCertificateTimestamps
844
845 if len(certs) > 0 {
846 switch certs[0].PublicKey.(type) {
847 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
848 default:
849 c.sendAlert(alertUnsupportedCertificate)
850 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
851 }
852 }
853
854 if c.config.VerifyPeerCertificate != nil {
855 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
856 c.sendAlert(alertBadCertificate)
857 return err
858 }
859 }
860
861 return nil
862 }
863
864 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
865 supportedVersions := clientHello.supportedVersions
866 if len(clientHello.supportedVersions) == 0 {
867 supportedVersions = supportedVersionsFromMax(clientHello.vers)
868 }
869
870 return &ClientHelloInfo{
871 CipherSuites: clientHello.cipherSuites,
872 ServerName: clientHello.serverName,
873 SupportedCurves: clientHello.supportedCurves,
874 SupportedPoints: clientHello.supportedPoints,
875 SignatureSchemes: clientHello.supportedSignatureAlgorithms,
876 SupportedProtos: clientHello.alpnProtocols,
877 SupportedVersions: supportedVersions,
878 Conn: c.conn,
879 config: c.config,
880 ctx: ctx,
881 }
882 }
883
View as plain text