Source file
src/crypto/tls/handshake_server_tls13.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "context"
10 "crypto"
11 "crypto/hmac"
12 "crypto/rsa"
13 "encoding/binary"
14 "errors"
15 "hash"
16 "io"
17 "sync/atomic"
18 "time"
19 )
20
21
22
23
24 const maxClientPSKIdentities = 5
25
26 type serverHandshakeStateTLS13 struct {
27 c *Conn
28 ctx context.Context
29 clientHello *clientHelloMsg
30 hello *serverHelloMsg
31 sentDummyCCS bool
32 usingPSK bool
33 suite *cipherSuiteTLS13
34 cert *Certificate
35 sigAlg SignatureScheme
36 earlySecret []byte
37 sharedKey []byte
38 handshakeSecret []byte
39 masterSecret []byte
40 trafficSecret []byte
41 transcript hash.Hash
42 clientFinished []byte
43 }
44
45 func (hs *serverHandshakeStateTLS13) handshake() error {
46 c := hs.c
47
48 if needFIPS() {
49 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
50 }
51
52
53 if err := hs.processClientHello(); err != nil {
54 return err
55 }
56 if err := hs.checkForResumption(); err != nil {
57 return err
58 }
59 if err := hs.pickCertificate(); err != nil {
60 return err
61 }
62 c.buffering = true
63 if err := hs.sendServerParameters(); err != nil {
64 return err
65 }
66 if err := hs.sendServerCertificate(); err != nil {
67 return err
68 }
69 if err := hs.sendServerFinished(); err != nil {
70 return err
71 }
72
73
74
75 if _, err := c.flush(); err != nil {
76 return err
77 }
78 if err := hs.readClientCertificate(); err != nil {
79 return err
80 }
81 if err := hs.readClientFinished(); err != nil {
82 return err
83 }
84
85 atomic.StoreUint32(&c.handshakeStatus, 1)
86
87 return nil
88 }
89
90 func (hs *serverHandshakeStateTLS13) processClientHello() error {
91 c := hs.c
92
93 hs.hello = new(serverHelloMsg)
94
95
96
97 hs.hello.vers = VersionTLS12
98 hs.hello.supportedVersion = c.vers
99
100 if len(hs.clientHello.supportedVersions) == 0 {
101 c.sendAlert(alertIllegalParameter)
102 return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
103 }
104
105
106
107
108
109
110
111
112
113
114 for _, id := range hs.clientHello.cipherSuites {
115 if id == TLS_FALLBACK_SCSV {
116
117
118 if c.vers < c.config.maxSupportedVersion(roleServer) {
119 c.sendAlert(alertInappropriateFallback)
120 return errors.New("tls: client using inappropriate protocol fallback")
121 }
122 break
123 }
124 }
125
126 if len(hs.clientHello.compressionMethods) != 1 ||
127 hs.clientHello.compressionMethods[0] != compressionNone {
128 c.sendAlert(alertIllegalParameter)
129 return errors.New("tls: TLS 1.3 client supports illegal compression methods")
130 }
131
132 hs.hello.random = make([]byte, 32)
133 if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
134 c.sendAlert(alertInternalError)
135 return err
136 }
137
138 if len(hs.clientHello.secureRenegotiation) != 0 {
139 c.sendAlert(alertHandshakeFailure)
140 return errors.New("tls: initial handshake had non-empty renegotiation extension")
141 }
142
143 if hs.clientHello.earlyData {
144
145
146
147
148
149
150 c.sendAlert(alertUnsupportedExtension)
151 return errors.New("tls: client sent unexpected early data")
152 }
153
154 hs.hello.sessionId = hs.clientHello.sessionId
155 hs.hello.compressionMethod = compressionNone
156
157 preferenceList := defaultCipherSuitesTLS13
158 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
159 preferenceList = defaultCipherSuitesTLS13NoAES
160 }
161 for _, suiteID := range preferenceList {
162 hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID)
163 if hs.suite != nil {
164 break
165 }
166 }
167 if hs.suite == nil {
168 c.sendAlert(alertHandshakeFailure)
169 return errors.New("tls: no cipher suite supported by both client and server")
170 }
171 c.cipherSuite = hs.suite.id
172 hs.hello.cipherSuite = hs.suite.id
173 hs.transcript = hs.suite.hash.New()
174
175
176
177 var selectedGroup CurveID
178 var clientKeyShare *keyShare
179 GroupSelection:
180 for _, preferredGroup := range c.config.curvePreferences() {
181 for _, ks := range hs.clientHello.keyShares {
182 if ks.group == preferredGroup {
183 selectedGroup = ks.group
184 clientKeyShare = &ks
185 break GroupSelection
186 }
187 }
188 if selectedGroup != 0 {
189 continue
190 }
191 for _, group := range hs.clientHello.supportedCurves {
192 if group == preferredGroup {
193 selectedGroup = group
194 break
195 }
196 }
197 }
198 if selectedGroup == 0 {
199 c.sendAlert(alertHandshakeFailure)
200 return errors.New("tls: no ECDHE curve supported by both client and server")
201 }
202 if clientKeyShare == nil {
203 if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
204 return err
205 }
206 clientKeyShare = &hs.clientHello.keyShares[0]
207 }
208
209 if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && !ok {
210 c.sendAlert(alertInternalError)
211 return errors.New("tls: CurvePreferences includes unsupported curve")
212 }
213 params, err := generateECDHEParameters(c.config.rand(), selectedGroup)
214 if err != nil {
215 c.sendAlert(alertInternalError)
216 return err
217 }
218 hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()}
219 hs.sharedKey = params.SharedKey(clientKeyShare.data)
220 if hs.sharedKey == nil {
221 c.sendAlert(alertIllegalParameter)
222 return errors.New("tls: invalid client key share")
223 }
224
225 c.serverName = hs.clientHello.serverName
226 return nil
227 }
228
229 func (hs *serverHandshakeStateTLS13) checkForResumption() error {
230 c := hs.c
231
232 if c.config.SessionTicketsDisabled {
233 return nil
234 }
235
236 modeOK := false
237 for _, mode := range hs.clientHello.pskModes {
238 if mode == pskModeDHE {
239 modeOK = true
240 break
241 }
242 }
243 if !modeOK {
244 return nil
245 }
246
247 if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) {
248 c.sendAlert(alertIllegalParameter)
249 return errors.New("tls: invalid or missing PSK binders")
250 }
251 if len(hs.clientHello.pskIdentities) == 0 {
252 return nil
253 }
254
255 for i, identity := range hs.clientHello.pskIdentities {
256 if i >= maxClientPSKIdentities {
257 break
258 }
259
260 plaintext, _ := c.decryptTicket(identity.label)
261 if plaintext == nil {
262 continue
263 }
264 sessionState := new(sessionStateTLS13)
265 if ok := sessionState.unmarshal(plaintext); !ok {
266 continue
267 }
268
269 createdAt := time.Unix(int64(sessionState.createdAt), 0)
270 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
271 continue
272 }
273
274
275
276
277
278 pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite)
279 if pskSuite == nil || pskSuite.hash != hs.suite.hash {
280 continue
281 }
282
283
284
285
286 sessionHasClientCerts := len(sessionState.certificate.Certificate) != 0
287 needClientCerts := requiresClientCert(c.config.ClientAuth)
288 if needClientCerts && !sessionHasClientCerts {
289 continue
290 }
291 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
292 continue
293 }
294
295 psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption",
296 nil, hs.suite.hash.Size())
297 hs.earlySecret = hs.suite.extract(psk, nil)
298 binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
299
300 transcript := cloneHash(hs.transcript, hs.suite.hash)
301 if transcript == nil {
302 c.sendAlert(alertInternalError)
303 return errors.New("tls: internal error: failed to clone hash")
304 }
305 transcript.Write(hs.clientHello.marshalWithoutBinders())
306 pskBinder := hs.suite.finishedHash(binderKey, transcript)
307 if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) {
308 c.sendAlert(alertDecryptError)
309 return errors.New("tls: invalid PSK binder")
310 }
311
312 c.didResume = true
313 if err := c.processCertsFromClient(sessionState.certificate); err != nil {
314 return err
315 }
316
317 hs.hello.selectedIdentityPresent = true
318 hs.hello.selectedIdentity = uint16(i)
319 hs.usingPSK = true
320 return nil
321 }
322
323 return nil
324 }
325
326
327
328
329 func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
330
331 type binaryMarshaler interface {
332 MarshalBinary() (data []byte, err error)
333 UnmarshalBinary(data []byte) error
334 }
335 marshaler, ok := in.(binaryMarshaler)
336 if !ok {
337 return nil
338 }
339 state, err := marshaler.MarshalBinary()
340 if err != nil {
341 return nil
342 }
343 out := h.New()
344 unmarshaler, ok := out.(binaryMarshaler)
345 if !ok {
346 return nil
347 }
348 if err := unmarshaler.UnmarshalBinary(state); err != nil {
349 return nil
350 }
351 return out
352 }
353
354 func (hs *serverHandshakeStateTLS13) pickCertificate() error {
355 c := hs.c
356
357
358 if hs.usingPSK {
359 return nil
360 }
361
362
363 if len(hs.clientHello.supportedSignatureAlgorithms) == 0 {
364 return c.sendAlert(alertMissingExtension)
365 }
366
367 certificate, err := c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
368 if err != nil {
369 if err == errNoCertificates {
370 c.sendAlert(alertUnrecognizedName)
371 } else {
372 c.sendAlert(alertInternalError)
373 }
374 return err
375 }
376 hs.sigAlg, err = selectSignatureScheme(c.vers, certificate, hs.clientHello.supportedSignatureAlgorithms)
377 if err != nil {
378
379
380 c.sendAlert(alertHandshakeFailure)
381 return err
382 }
383 hs.cert = certificate
384
385 return nil
386 }
387
388
389
390 func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
391 if hs.sentDummyCCS {
392 return nil
393 }
394 hs.sentDummyCCS = true
395
396 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
397 return err
398 }
399
400 func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
401 c := hs.c
402
403
404
405 hs.transcript.Write(hs.clientHello.marshal())
406 chHash := hs.transcript.Sum(nil)
407 hs.transcript.Reset()
408 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
409 hs.transcript.Write(chHash)
410
411 helloRetryRequest := &serverHelloMsg{
412 vers: hs.hello.vers,
413 random: helloRetryRequestRandom,
414 sessionId: hs.hello.sessionId,
415 cipherSuite: hs.hello.cipherSuite,
416 compressionMethod: hs.hello.compressionMethod,
417 supportedVersion: hs.hello.supportedVersion,
418 selectedGroup: selectedGroup,
419 }
420
421 hs.transcript.Write(helloRetryRequest.marshal())
422 if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil {
423 return err
424 }
425
426 if err := hs.sendDummyChangeCipherSpec(); err != nil {
427 return err
428 }
429
430 msg, err := c.readHandshake()
431 if err != nil {
432 return err
433 }
434
435 clientHello, ok := msg.(*clientHelloMsg)
436 if !ok {
437 c.sendAlert(alertUnexpectedMessage)
438 return unexpectedMessageError(clientHello, msg)
439 }
440
441 if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup {
442 c.sendAlert(alertIllegalParameter)
443 return errors.New("tls: client sent invalid key share in second ClientHello")
444 }
445
446 if clientHello.earlyData {
447 c.sendAlert(alertIllegalParameter)
448 return errors.New("tls: client indicated early data in second ClientHello")
449 }
450
451 if illegalClientHelloChange(clientHello, hs.clientHello) {
452 c.sendAlert(alertIllegalParameter)
453 return errors.New("tls: client illegally modified second ClientHello")
454 }
455
456 hs.clientHello = clientHello
457 return nil
458 }
459
460
461
462
463 func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool {
464 if len(ch.supportedVersions) != len(ch1.supportedVersions) ||
465 len(ch.cipherSuites) != len(ch1.cipherSuites) ||
466 len(ch.supportedCurves) != len(ch1.supportedCurves) ||
467 len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) ||
468 len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) ||
469 len(ch.alpnProtocols) != len(ch1.alpnProtocols) {
470 return true
471 }
472 for i := range ch.supportedVersions {
473 if ch.supportedVersions[i] != ch1.supportedVersions[i] {
474 return true
475 }
476 }
477 for i := range ch.cipherSuites {
478 if ch.cipherSuites[i] != ch1.cipherSuites[i] {
479 return true
480 }
481 }
482 for i := range ch.supportedCurves {
483 if ch.supportedCurves[i] != ch1.supportedCurves[i] {
484 return true
485 }
486 }
487 for i := range ch.supportedSignatureAlgorithms {
488 if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] {
489 return true
490 }
491 }
492 for i := range ch.supportedSignatureAlgorithmsCert {
493 if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] {
494 return true
495 }
496 }
497 for i := range ch.alpnProtocols {
498 if ch.alpnProtocols[i] != ch1.alpnProtocols[i] {
499 return true
500 }
501 }
502 return ch.vers != ch1.vers ||
503 !bytes.Equal(ch.random, ch1.random) ||
504 !bytes.Equal(ch.sessionId, ch1.sessionId) ||
505 !bytes.Equal(ch.compressionMethods, ch1.compressionMethods) ||
506 ch.serverName != ch1.serverName ||
507 ch.ocspStapling != ch1.ocspStapling ||
508 !bytes.Equal(ch.supportedPoints, ch1.supportedPoints) ||
509 ch.ticketSupported != ch1.ticketSupported ||
510 !bytes.Equal(ch.sessionTicket, ch1.sessionTicket) ||
511 ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported ||
512 !bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) ||
513 ch.scts != ch1.scts ||
514 !bytes.Equal(ch.cookie, ch1.cookie) ||
515 !bytes.Equal(ch.pskModes, ch1.pskModes)
516 }
517
518 func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
519 c := hs.c
520
521 hs.transcript.Write(hs.clientHello.marshal())
522 hs.transcript.Write(hs.hello.marshal())
523 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
524 return err
525 }
526
527 if err := hs.sendDummyChangeCipherSpec(); err != nil {
528 return err
529 }
530
531 earlySecret := hs.earlySecret
532 if earlySecret == nil {
533 earlySecret = hs.suite.extract(nil, nil)
534 }
535 hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
536 hs.suite.deriveSecret(earlySecret, "derived", nil))
537
538 clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
539 clientHandshakeTrafficLabel, hs.transcript)
540 c.in.setTrafficSecret(hs.suite, clientSecret)
541 serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
542 serverHandshakeTrafficLabel, hs.transcript)
543 c.out.setTrafficSecret(hs.suite, serverSecret)
544
545 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
546 if err != nil {
547 c.sendAlert(alertInternalError)
548 return err
549 }
550 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret)
551 if err != nil {
552 c.sendAlert(alertInternalError)
553 return err
554 }
555
556 encryptedExtensions := new(encryptedExtensionsMsg)
557
558 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
559 if err != nil {
560 c.sendAlert(alertNoApplicationProtocol)
561 return err
562 }
563 encryptedExtensions.alpnProtocol = selectedProto
564 c.clientProtocol = selectedProto
565
566 hs.transcript.Write(encryptedExtensions.marshal())
567 if _, err := c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()); err != nil {
568 return err
569 }
570
571 return nil
572 }
573
574 func (hs *serverHandshakeStateTLS13) requestClientCert() bool {
575 return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK
576 }
577
578 func (hs *serverHandshakeStateTLS13) sendServerCertificate() error {
579 c := hs.c
580
581
582 if hs.usingPSK {
583 return nil
584 }
585
586 if hs.requestClientCert() {
587
588 certReq := new(certificateRequestMsgTLS13)
589 certReq.ocspStapling = true
590 certReq.scts = true
591 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
592 if c.config.ClientCAs != nil {
593 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
594 }
595
596 hs.transcript.Write(certReq.marshal())
597 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
598 return err
599 }
600 }
601
602 certMsg := new(certificateMsgTLS13)
603
604 certMsg.certificate = *hs.cert
605 certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0
606 certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0
607
608 hs.transcript.Write(certMsg.marshal())
609 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
610 return err
611 }
612
613 certVerifyMsg := new(certificateVerifyMsg)
614 certVerifyMsg.hasSignatureAlgorithm = true
615 certVerifyMsg.signatureAlgorithm = hs.sigAlg
616
617 sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg)
618 if err != nil {
619 return c.sendAlert(alertInternalError)
620 }
621
622 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
623 signOpts := crypto.SignerOpts(sigHash)
624 if sigType == signatureRSAPSS {
625 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
626 }
627 sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
628 if err != nil {
629 public := hs.cert.PrivateKey.(crypto.Signer).Public()
630 if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS &&
631 rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 {
632 c.sendAlert(alertHandshakeFailure)
633 } else {
634 c.sendAlert(alertInternalError)
635 }
636 return errors.New("tls: failed to sign handshake: " + err.Error())
637 }
638 certVerifyMsg.signature = sig
639
640 hs.transcript.Write(certVerifyMsg.marshal())
641 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
642 return err
643 }
644
645 return nil
646 }
647
648 func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
649 c := hs.c
650
651 finished := &finishedMsg{
652 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
653 }
654
655 hs.transcript.Write(finished.marshal())
656 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
657 return err
658 }
659
660
661
662 hs.masterSecret = hs.suite.extract(nil,
663 hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil))
664
665 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
666 clientApplicationTrafficLabel, hs.transcript)
667 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
668 serverApplicationTrafficLabel, hs.transcript)
669 c.out.setTrafficSecret(hs.suite, serverSecret)
670
671 err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret)
672 if err != nil {
673 c.sendAlert(alertInternalError)
674 return err
675 }
676 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret)
677 if err != nil {
678 c.sendAlert(alertInternalError)
679 return err
680 }
681
682 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
683
684
685
686
687 if !hs.requestClientCert() {
688 if err := hs.sendSessionTickets(); err != nil {
689 return err
690 }
691 }
692
693 return nil
694 }
695
696 func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool {
697 if hs.c.config.SessionTicketsDisabled {
698 return false
699 }
700
701
702 for _, pskMode := range hs.clientHello.pskModes {
703 if pskMode == pskModeDHE {
704 return true
705 }
706 }
707 return false
708 }
709
710 func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
711 c := hs.c
712
713 hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
714 finishedMsg := &finishedMsg{
715 verifyData: hs.clientFinished,
716 }
717 hs.transcript.Write(finishedMsg.marshal())
718
719 if !hs.shouldSendSessionTickets() {
720 return nil
721 }
722
723 resumptionSecret := hs.suite.deriveSecret(hs.masterSecret,
724 resumptionLabel, hs.transcript)
725
726 m := new(newSessionTicketMsgTLS13)
727
728 var certsFromClient [][]byte
729 for _, cert := range c.peerCertificates {
730 certsFromClient = append(certsFromClient, cert.Raw)
731 }
732 state := sessionStateTLS13{
733 cipherSuite: hs.suite.id,
734 createdAt: uint64(c.config.time().Unix()),
735 resumptionSecret: resumptionSecret,
736 certificate: Certificate{
737 Certificate: certsFromClient,
738 OCSPStaple: c.ocspResponse,
739 SignedCertificateTimestamps: c.scts,
740 },
741 }
742 var err error
743 m.label, err = c.encryptTicket(state.marshal())
744 if err != nil {
745 return err
746 }
747 m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
748
749
750
751
752 ageAdd := make([]byte, 4)
753 _, err = hs.c.config.rand().Read(ageAdd)
754 if err != nil {
755 return err
756 }
757 m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
758
759
760
761
762 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
763 return err
764 }
765
766 return nil
767 }
768
769 func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
770 c := hs.c
771
772 if !hs.requestClientCert() {
773
774
775 if c.config.VerifyConnection != nil {
776 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
777 c.sendAlert(alertBadCertificate)
778 return err
779 }
780 }
781 return nil
782 }
783
784
785
786
787 msg, err := c.readHandshake()
788 if err != nil {
789 return err
790 }
791
792 certMsg, ok := msg.(*certificateMsgTLS13)
793 if !ok {
794 c.sendAlert(alertUnexpectedMessage)
795 return unexpectedMessageError(certMsg, msg)
796 }
797 hs.transcript.Write(certMsg.marshal())
798
799 if err := c.processCertsFromClient(certMsg.certificate); err != nil {
800 return err
801 }
802
803 if c.config.VerifyConnection != nil {
804 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
805 c.sendAlert(alertBadCertificate)
806 return err
807 }
808 }
809
810 if len(certMsg.certificate.Certificate) != 0 {
811 msg, err = c.readHandshake()
812 if err != nil {
813 return err
814 }
815
816 certVerify, ok := msg.(*certificateVerifyMsg)
817 if !ok {
818 c.sendAlert(alertUnexpectedMessage)
819 return unexpectedMessageError(certVerify, msg)
820 }
821
822
823 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
824 c.sendAlert(alertIllegalParameter)
825 return errors.New("tls: client certificate used with invalid signature algorithm")
826 }
827 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
828 if err != nil {
829 return c.sendAlert(alertInternalError)
830 }
831 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
832 c.sendAlert(alertIllegalParameter)
833 return errors.New("tls: client certificate used with invalid signature algorithm")
834 }
835 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
836 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
837 sigHash, signed, certVerify.signature); err != nil {
838 c.sendAlert(alertDecryptError)
839 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
840 }
841
842 hs.transcript.Write(certVerify.marshal())
843 }
844
845
846
847 if err := hs.sendSessionTickets(); err != nil {
848 return err
849 }
850
851 return nil
852 }
853
854 func (hs *serverHandshakeStateTLS13) readClientFinished() error {
855 c := hs.c
856
857 msg, err := c.readHandshake()
858 if err != nil {
859 return err
860 }
861
862 finished, ok := msg.(*finishedMsg)
863 if !ok {
864 c.sendAlert(alertUnexpectedMessage)
865 return unexpectedMessageError(finished, msg)
866 }
867
868 if !hmac.Equal(hs.clientFinished, finished.verifyData) {
869 c.sendAlert(alertDecryptError)
870 return errors.New("tls: invalid client finished hash")
871 }
872
873 c.in.setTrafficSecret(hs.suite, hs.trafficSecret)
874
875 return nil
876 }
877
View as plain text