handshake_server.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"context"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/rsa"
    13  	"crypto/subtle"
    14  	"crypto/tls/internal/fips140tls"
    15  	"crypto/x509"
    16  	"errors"
    17  	"fmt"
    18  	"hash"
    19  	"internal/byteorder"
    20  	"io"
    21  	"time"
    22  )
    23  
    24  // serverHandshakeState contains details of a server handshake in progress.
    25  // It's discarded once the handshake has completed.
    26  type serverHandshakeState struct {
    27  	c            *Conn
    28  	ctx          context.Context
    29  	clientHello  *clientHelloMsg
    30  	hello        *serverHelloMsg
    31  	suite        *cipherSuite
    32  	ecdheOk      bool
    33  	ecSignOk     bool
    34  	rsaDecryptOk bool
    35  	rsaSignOk    bool
    36  	sessionState *SessionState
    37  	finishedHash finishedHash
    38  	masterSecret []byte
    39  	cert         *Certificate
    40  }
    41  
    42  // serverHandshake performs a TLS handshake as a server.
    43  func (c *Conn) serverHandshake(ctx context.Context) error {
    44  	clientHello, ech, err := c.readClientHello(ctx)
    45  	if err != nil {
    46  		return err
    47  	}
    48  
    49  	if c.vers == VersionTLS13 {
    50  		hs := serverHandshakeStateTLS13{
    51  			c:           c,
    52  			ctx:         ctx,
    53  			clientHello: clientHello,
    54  			echContext:  ech,
    55  		}
    56  		return hs.handshake()
    57  	}
    58  
    59  	hs := serverHandshakeState{
    60  		c:           c,
    61  		ctx:         ctx,
    62  		clientHello: clientHello,
    63  	}
    64  	return hs.handshake()
    65  }
    66  
    67  func (hs *serverHandshakeState) handshake() error {
    68  	c := hs.c
    69  
    70  	if err := hs.processClientHello(); err != nil {
    71  		return err
    72  	}
    73  
    74  	// For an overview of TLS handshaking, see RFC 5246, Section 7.3.
    75  	c.buffering = true
    76  	if err := hs.checkForResumption(); err != nil {
    77  		return err
    78  	}
    79  	if hs.sessionState != nil {
    80  		// The client has included a session ticket and so we do an abbreviated handshake.
    81  		if err := hs.doResumeHandshake(); err != nil {
    82  			return err
    83  		}
    84  		if err := hs.establishKeys(); err != nil {
    85  			return err
    86  		}
    87  		if err := hs.sendSessionTicket(); err != nil {
    88  			return err
    89  		}
    90  		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
    91  			return err
    92  		}
    93  		if _, err := c.flush(); err != nil {
    94  			return err
    95  		}
    96  		c.clientFinishedIsFirst = false
    97  		if err := hs.readFinished(nil); err != nil {
    98  			return err
    99  		}
   100  	} else {
   101  		// The client didn't include a session ticket, or it wasn't
   102  		// valid so we do a full handshake.
   103  		if err := hs.pickCipherSuite(); err != nil {
   104  			return err
   105  		}
   106  		if err := hs.doFullHandshake(); err != nil {
   107  			return err
   108  		}
   109  		if err := hs.establishKeys(); err != nil {
   110  			return err
   111  		}
   112  		if err := hs.readFinished(c.clientFinished[:]); err != nil {
   113  			return err
   114  		}
   115  		c.clientFinishedIsFirst = true
   116  		c.buffering = true
   117  		if err := hs.sendSessionTicket(); err != nil {
   118  			return err
   119  		}
   120  		if err := hs.sendFinished(nil); err != nil {
   121  			return err
   122  		}
   123  		if _, err := c.flush(); err != nil {
   124  			return err
   125  		}
   126  	}
   127  
   128  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
   129  	c.isHandshakeComplete.Store(true)
   130  
   131  	return nil
   132  }
   133  
   134  // readClientHello reads a ClientHello message and selects the protocol version.
   135  func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, *echServerContext, error) {
   136  	// clientHelloMsg is included in the transcript, but we haven't initialized
   137  	// it yet. The respective handshake functions will record it themselves.
   138  	msg, err := c.readHandshake(nil)
   139  	if err != nil {
   140  		return nil, nil, err
   141  	}
   142  	clientHello, ok := msg.(*clientHelloMsg)
   143  	if !ok {
   144  		c.sendAlert(alertUnexpectedMessage)
   145  		return nil, nil, unexpectedMessageError(clientHello, msg)
   146  	}
   147  
   148  	// ECH processing has to be done before we do any other negotiation based on
   149  	// the contents of the client hello, since we may swap it out completely.
   150  	var ech *echServerContext
   151  	if len(clientHello.encryptedClientHello) != 0 {
   152  		clientHello, ech, err = c.processECHClientHello(clientHello)
   153  		if err != nil {
   154  			return nil, nil, err
   155  		}
   156  	}
   157  
   158  	var configForClient *Config
   159  	originalConfig := c.config
   160  	if c.config.GetConfigForClient != nil {
   161  		chi := clientHelloInfo(ctx, c, clientHello)
   162  		if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
   163  			c.sendAlert(alertInternalError)
   164  			return nil, nil, err
   165  		} else if configForClient != nil {
   166  			c.config = configForClient
   167  		}
   168  	}
   169  	c.ticketKeys = originalConfig.ticketKeys(configForClient)
   170  
   171  	clientVersions := clientHello.supportedVersions
   172  	if clientHello.vers >= VersionTLS13 && len(clientVersions) == 0 {
   173  		// RFC 8446 4.2.1 indicates when the supported_versions extension is not sent,
   174  		// compatible servers MUST negotiate TLS 1.2 or earlier if supported, even
   175  		// if the client legacy version is TLS 1.3 or later.
   176  		//
   177  		// Since we reject empty extensionSupportedVersions in the client hello unmarshal
   178  		// finding the supportedVersions empty indicates the extension was not present.
   179  		clientVersions = supportedVersionsFromMax(VersionTLS12)
   180  	} else if len(clientVersions) == 0 {
   181  		clientVersions = supportedVersionsFromMax(clientHello.vers)
   182  	}
   183  	c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
   184  	if !ok {
   185  		c.sendAlert(alertProtocolVersion)
   186  		return nil, nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
   187  	}
   188  	c.haveVers = true
   189  	c.in.version = c.vers
   190  	c.out.version = c.vers
   191  
   192  	// This check reflects some odd specification implied behavior. Client-facing servers
   193  	// are supposed to reject hellos with outer ECH and inner ECH that offers 1.2, but
   194  	// backend servers are allowed to accept hellos with inner ECH that offer 1.2, since
   195  	// they cannot expect client-facing servers to behave properly. Since we act as both
   196  	// a client-facing and backend server, we only enforce 1.3 being negotiated if we
   197  	// saw a hello with outer ECH first. The spec probably should've made this an error,
   198  	// but it didn't, and this matches the boringssl behavior.
   199  	if c.vers != VersionTLS13 && (ech != nil && !ech.inner) {
   200  		c.sendAlert(alertIllegalParameter)
   201  		return nil, nil, errors.New("tls: Encrypted Client Hello cannot be used pre-TLS 1.3")
   202  	}
   203  
   204  	if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
   205  		tls10server.Value() // ensure godebug is initialized
   206  		tls10server.IncNonDefault()
   207  	}
   208  
   209  	return clientHello, ech, nil
   210  }
   211  
   212  func (hs *serverHandshakeState) processClientHello() error {
   213  	c := hs.c
   214  
   215  	hs.hello = new(serverHelloMsg)
   216  	hs.hello.vers = c.vers
   217  
   218  	foundCompression := false
   219  	// We only support null compression, so check that the client offered it.
   220  	for _, compression := range hs.clientHello.compressionMethods {
   221  		if compression == compressionNone {
   222  			foundCompression = true
   223  			break
   224  		}
   225  	}
   226  
   227  	if !foundCompression {
   228  		c.sendAlert(alertHandshakeFailure)
   229  		return errors.New("tls: client does not support uncompressed connections")
   230  	}
   231  
   232  	hs.hello.random = make([]byte, 32)
   233  	serverRandom := hs.hello.random
   234  	// Downgrade protection canaries. See RFC 8446, Section 4.1.3.
   235  	maxVers := c.config.maxSupportedVersion(roleServer)
   236  	if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
   237  		if c.vers == VersionTLS12 {
   238  			copy(serverRandom[24:], downgradeCanaryTLS12)
   239  		} else {
   240  			copy(serverRandom[24:], downgradeCanaryTLS11)
   241  		}
   242  		serverRandom = serverRandom[:24]
   243  	}
   244  	_, err := io.ReadFull(c.config.rand(), serverRandom)
   245  	if err != nil {
   246  		c.sendAlert(alertInternalError)
   247  		return err
   248  	}
   249  
   250  	if len(hs.clientHello.secureRenegotiation) != 0 {
   251  		c.sendAlert(alertHandshakeFailure)
   252  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   253  	}
   254  
   255  	hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
   256  	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
   257  	hs.hello.compressionMethod = compressionNone
   258  	if len(hs.clientHello.serverName) > 0 {
   259  		c.serverName = hs.clientHello.serverName
   260  	}
   261  
   262  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
   263  	if err != nil {
   264  		c.sendAlert(alertNoApplicationProtocol)
   265  		return err
   266  	}
   267  	hs.hello.alpnProtocol = selectedProto
   268  	c.clientProtocol = selectedProto
   269  
   270  	hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
   271  	if err != nil {
   272  		if err == errNoCertificates {
   273  			c.sendAlert(alertUnrecognizedName)
   274  		} else {
   275  			c.sendAlert(alertInternalError)
   276  		}
   277  		return err
   278  	}
   279  	if hs.clientHello.scts {
   280  		hs.hello.scts = hs.cert.SignedCertificateTimestamps
   281  	}
   282  
   283  	hs.ecdheOk, err = supportsECDHE(c.config, c.vers, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
   284  	if err != nil {
   285  		c.sendAlert(alertMissingExtension)
   286  		return err
   287  	}
   288  
   289  	if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
   290  		// Although omitting the ec_point_formats extension is permitted, some
   291  		// old OpenSSL version will refuse to handshake if not present.
   292  		//
   293  		// Per RFC 4492, section 5.1.2, implementations MUST support the
   294  		// uncompressed point format. See golang.org/issue/31943.
   295  		hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
   296  	}
   297  
   298  	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
   299  		switch priv.Public().(type) {
   300  		case *ecdsa.PublicKey:
   301  			hs.ecSignOk = true
   302  		case ed25519.PublicKey:
   303  			hs.ecSignOk = true
   304  		case *rsa.PublicKey:
   305  			hs.rsaSignOk = true
   306  		default:
   307  			c.sendAlert(alertInternalError)
   308  			return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
   309  		}
   310  	}
   311  	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
   312  		switch priv.Public().(type) {
   313  		case *rsa.PublicKey:
   314  			hs.rsaDecryptOk = true
   315  		default:
   316  			c.sendAlert(alertInternalError)
   317  			return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
   318  		}
   319  	}
   320  
   321  	return nil
   322  }
   323  
   324  // negotiateALPN picks a shared ALPN protocol that both sides support in server
   325  // preference order. If ALPN is not configured or the peer doesn't support it,
   326  // it returns "" and no error.
   327  func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
   328  	if len(serverProtos) == 0 || len(clientProtos) == 0 {
   329  		if quic && len(serverProtos) != 0 {
   330  			// RFC 9001, Section 8.1
   331  			return "", fmt.Errorf("tls: client did not request an application protocol")
   332  		}
   333  		return "", nil
   334  	}
   335  	var http11fallback bool
   336  	for _, s := range serverProtos {
   337  		for _, c := range clientProtos {
   338  			if s == c {
   339  				return s, nil
   340  			}
   341  			if s == "h2" && c == "http/1.1" {
   342  				http11fallback = true
   343  			}
   344  		}
   345  	}
   346  	// As a special case, let http/1.1 clients connect to h2 servers as if they
   347  	// didn't support ALPN. We used not to enforce protocol overlap, so over
   348  	// time a number of HTTP servers were configured with only "h2", but
   349  	// expected to accept connections from "http/1.1" clients. See Issue 46310.
   350  	if http11fallback {
   351  		return "", nil
   352  	}
   353  	return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos)
   354  }
   355  
   356  // supportsECDHE returns whether ECDHE key exchanges can be used with this
   357  // pre-TLS 1.3 client.
   358  func supportsECDHE(c *Config, version uint16, supportedCurves []CurveID, supportedPoints []uint8) (bool, error) {
   359  	supportsCurve := false
   360  	for _, curve := range supportedCurves {
   361  		if c.supportsCurve(version, curve) {
   362  			supportsCurve = true
   363  			break
   364  		}
   365  	}
   366  
   367  	supportsPointFormat := false
   368  	offeredNonCompressedFormat := false
   369  	for _, pointFormat := range supportedPoints {
   370  		if pointFormat == pointFormatUncompressed {
   371  			supportsPointFormat = true
   372  		} else {
   373  			offeredNonCompressedFormat = true
   374  		}
   375  	}
   376  	// Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is
   377  	// missing, uncompressed points are supported. If supportedPoints is empty,
   378  	// the extension must be missing, as an empty extension body is rejected by
   379  	// the parser. See https://go.dev/issue/49126.
   380  	if len(supportedPoints) == 0 {
   381  		supportsPointFormat = true
   382  	} else if offeredNonCompressedFormat && !supportsPointFormat {
   383  		return false, errors.New("tls: client offered only incompatible point formats")
   384  	}
   385  
   386  	return supportsCurve && supportsPointFormat, nil
   387  }
   388  
   389  func (hs *serverHandshakeState) pickCipherSuite() error {
   390  	c := hs.c
   391  
   392  	preferenceList := c.config.cipherSuites(isAESGCMPreferred(hs.clientHello.cipherSuites))
   393  
   394  	hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
   395  	if hs.suite == nil {
   396  		c.sendAlert(alertHandshakeFailure)
   397  		return fmt.Errorf("tls: no cipher suite supported by both client and server; client offered: %x",
   398  			hs.clientHello.cipherSuites)
   399  	}
   400  	c.cipherSuite = hs.suite.id
   401  
   402  	if c.config.CipherSuites == nil && !fips140tls.Required() && rsaKexCiphers[hs.suite.id] {
   403  		tlsrsakex.Value() // ensure godebug is initialized
   404  		tlsrsakex.IncNonDefault()
   405  	}
   406  	if c.config.CipherSuites == nil && !fips140tls.Required() && tdesCiphers[hs.suite.id] {
   407  		tls3des.Value() // ensure godebug is initialized
   408  		tls3des.IncNonDefault()
   409  	}
   410  
   411  	for _, id := range hs.clientHello.cipherSuites {
   412  		if id == TLS_FALLBACK_SCSV {
   413  			// The client is doing a fallback connection. See RFC 7507.
   414  			if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
   415  				c.sendAlert(alertInappropriateFallback)
   416  				return errors.New("tls: client using inappropriate protocol fallback")
   417  			}
   418  			break
   419  		}
   420  	}
   421  
   422  	return nil
   423  }
   424  
   425  func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
   426  	if c.flags&suiteECDHE != 0 {
   427  		if !hs.ecdheOk {
   428  			return false
   429  		}
   430  		if c.flags&suiteECSign != 0 {
   431  			if !hs.ecSignOk {
   432  				return false
   433  			}
   434  		} else if !hs.rsaSignOk {
   435  			return false
   436  		}
   437  	} else if !hs.rsaDecryptOk {
   438  		return false
   439  	}
   440  	if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
   441  		return false
   442  	}
   443  	return true
   444  }
   445  
   446  // checkForResumption reports whether we should perform resumption on this connection.
   447  func (hs *serverHandshakeState) checkForResumption() error {
   448  	c := hs.c
   449  
   450  	if c.config.SessionTicketsDisabled {
   451  		return nil
   452  	}
   453  
   454  	var sessionState *SessionState
   455  	if c.config.UnwrapSession != nil {
   456  		ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
   457  		if err != nil {
   458  			return err
   459  		}
   460  		if ss == nil {
   461  			return nil
   462  		}
   463  		sessionState = ss
   464  	} else {
   465  		plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
   466  		if plaintext == nil {
   467  			return nil
   468  		}
   469  		ss, err := ParseSessionState(plaintext)
   470  		if err != nil {
   471  			return nil
   472  		}
   473  		sessionState = ss
   474  	}
   475  
   476  	// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
   477  	// re-wrapping the same master secret in different tickets over and over for
   478  	// too long, weakening forward secrecy.
   479  	createdAt := time.Unix(int64(sessionState.createdAt), 0)
   480  	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
   481  		return nil
   482  	}
   483  
   484  	// Never resume a session for a different TLS version.
   485  	if c.vers != sessionState.version {
   486  		return nil
   487  	}
   488  
   489  	cipherSuiteOk := false
   490  	// Check that the client is still offering the ciphersuite in the session.
   491  	for _, id := range hs.clientHello.cipherSuites {
   492  		if id == sessionState.cipherSuite {
   493  			cipherSuiteOk = true
   494  			break
   495  		}
   496  	}
   497  	if !cipherSuiteOk {
   498  		return nil
   499  	}
   500  
   501  	// Check that we also support the ciphersuite from the session.
   502  	suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
   503  		c.config.supportedCipherSuites(), hs.cipherSuiteOk)
   504  	if suite == nil {
   505  		return nil
   506  	}
   507  
   508  	sessionHasClientCerts := len(sessionState.peerCertificates) != 0
   509  	needClientCerts := requiresClientCert(c.config.ClientAuth)
   510  	if needClientCerts && !sessionHasClientCerts {
   511  		return nil
   512  	}
   513  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   514  		return nil
   515  	}
   516  	if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) {
   517  		return nil
   518  	}
   519  	if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
   520  		len(sessionState.verifiedChains) == 0 {
   521  		return nil
   522  	}
   523  
   524  	// RFC 7627, Section 5.3
   525  	if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
   526  		return nil
   527  	}
   528  	if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
   529  		// Aborting is somewhat harsh, but it's a MUST and it would indicate a
   530  		// weird downgrade in client capabilities.
   531  		return errors.New("tls: session supported extended_master_secret but client does not")
   532  	}
   533  	if !sessionState.extMasterSecret && fips140tls.Required() {
   534  		// FIPS 140-3 requires the use of Extended Master Secret.
   535  		return nil
   536  	}
   537  
   538  	c.peerCertificates = sessionState.peerCertificates
   539  	c.ocspResponse = sessionState.ocspResponse
   540  	c.scts = sessionState.scts
   541  	c.verifiedChains = sessionState.verifiedChains
   542  	c.extMasterSecret = sessionState.extMasterSecret
   543  	hs.sessionState = sessionState
   544  	hs.suite = suite
   545  	c.curveID = sessionState.curveID
   546  	c.didResume = true
   547  	return nil
   548  }
   549  
   550  func (hs *serverHandshakeState) doResumeHandshake() error {
   551  	c := hs.c
   552  
   553  	hs.hello.cipherSuite = hs.suite.id
   554  	c.cipherSuite = hs.suite.id
   555  	// We echo the client's session ID in the ServerHello to let it know
   556  	// that we're doing a resumption.
   557  	hs.hello.sessionId = hs.clientHello.sessionId
   558  	// We always send a new session ticket, even if it wraps the same master
   559  	// secret and it's potentially encrypted with the same key, to help the
   560  	// client avoid cross-connection tracking from a network observer.
   561  	hs.hello.ticketSupported = true
   562  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   563  	hs.finishedHash.discardHandshakeBuffer()
   564  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   565  		return err
   566  	}
   567  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   568  		return err
   569  	}
   570  
   571  	if c.config.VerifyConnection != nil {
   572  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   573  			c.sendAlert(alertBadCertificate)
   574  			return err
   575  		}
   576  	}
   577  
   578  	hs.masterSecret = hs.sessionState.secret
   579  
   580  	return nil
   581  }
   582  
   583  func (hs *serverHandshakeState) doFullHandshake() error {
   584  	c := hs.c
   585  
   586  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   587  		hs.hello.ocspStapling = true
   588  	}
   589  
   590  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   591  	hs.hello.cipherSuite = hs.suite.id
   592  
   593  	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
   594  	if c.config.ClientAuth == NoClientCert {
   595  		// No need to keep a full record of the handshake if client
   596  		// certificates won't be used.
   597  		hs.finishedHash.discardHandshakeBuffer()
   598  	}
   599  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   600  		return err
   601  	}
   602  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   603  		return err
   604  	}
   605  
   606  	certMsg := new(certificateMsg)
   607  	certMsg.certificates = hs.cert.Certificate
   608  	if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
   609  		return err
   610  	}
   611  
   612  	if hs.hello.ocspStapling {
   613  		certStatus := new(certificateStatusMsg)
   614  		certStatus.response = hs.cert.OCSPStaple
   615  		if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
   616  			return err
   617  		}
   618  	}
   619  
   620  	keyAgreement := hs.suite.ka(c.vers)
   621  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   622  	if err != nil {
   623  		c.sendAlert(alertHandshakeFailure)
   624  		return err
   625  	}
   626  	if skx != nil {
   627  		if len(skx.key) >= 3 && skx.key[0] == 3 /* named curve */ {
   628  			c.curveID = CurveID(byteorder.BEUint16(skx.key[1:]))
   629  		}
   630  		if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
   631  			return err
   632  		}
   633  	}
   634  
   635  	var certReq *certificateRequestMsg
   636  	if c.config.ClientAuth >= RequestClientCert {
   637  		// Request a client certificate
   638  		certReq = new(certificateRequestMsg)
   639  		certReq.certificateTypes = []byte{
   640  			byte(certTypeRSASign),
   641  			byte(certTypeECDSASign),
   642  		}
   643  		if c.vers >= VersionTLS12 {
   644  			certReq.hasSignatureAlgorithm = true
   645  			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
   646  		}
   647  
   648  		// An empty list of certificateAuthorities signals to
   649  		// the client that it may send any certificate in response
   650  		// to our request. When we know the CAs we trust, then
   651  		// we can send them down, so that the client can choose
   652  		// an appropriate certificate to give to us.
   653  		if c.config.ClientCAs != nil {
   654  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   655  		}
   656  		if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
   657  			return err
   658  		}
   659  	}
   660  
   661  	helloDone := new(serverHelloDoneMsg)
   662  	if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
   663  		return err
   664  	}
   665  
   666  	if _, err := c.flush(); err != nil {
   667  		return err
   668  	}
   669  
   670  	var pub crypto.PublicKey // public key for client auth, if any
   671  
   672  	msg, err := c.readHandshake(&hs.finishedHash)
   673  	if err != nil {
   674  		return err
   675  	}
   676  
   677  	// If we requested a client certificate, then the client must send a
   678  	// certificate message, even if it's empty.
   679  	if c.config.ClientAuth >= RequestClientCert {
   680  		certMsg, ok := msg.(*certificateMsg)
   681  		if !ok {
   682  			c.sendAlert(alertUnexpectedMessage)
   683  			return unexpectedMessageError(certMsg, msg)
   684  		}
   685  
   686  		if err := c.processCertsFromClient(Certificate{
   687  			Certificate: certMsg.certificates,
   688  		}); err != nil {
   689  			return err
   690  		}
   691  		if len(certMsg.certificates) != 0 {
   692  			pub = c.peerCertificates[0].PublicKey
   693  		}
   694  
   695  		msg, err = c.readHandshake(&hs.finishedHash)
   696  		if err != nil {
   697  			return err
   698  		}
   699  	}
   700  	if c.config.VerifyConnection != nil {
   701  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   702  			c.sendAlert(alertBadCertificate)
   703  			return err
   704  		}
   705  	}
   706  
   707  	// Get client key exchange
   708  	ckx, ok := msg.(*clientKeyExchangeMsg)
   709  	if !ok {
   710  		c.sendAlert(alertUnexpectedMessage)
   711  		return unexpectedMessageError(ckx, msg)
   712  	}
   713  
   714  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
   715  	if err != nil {
   716  		c.sendAlert(alertIllegalParameter)
   717  		return err
   718  	}
   719  	if hs.hello.extendedMasterSecret {
   720  		c.extMasterSecret = true
   721  		hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   722  			hs.finishedHash.Sum())
   723  	} else {
   724  		if fips140tls.Required() {
   725  			c.sendAlert(alertHandshakeFailure)
   726  			return errors.New("tls: FIPS 140-3 requires the use of Extended Master Secret")
   727  		}
   728  		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   729  			hs.clientHello.random, hs.hello.random)
   730  	}
   731  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
   732  		c.sendAlert(alertInternalError)
   733  		return err
   734  	}
   735  
   736  	// If we received a client cert in response to our certificate request message,
   737  	// the client will send us a certificateVerifyMsg immediately after the
   738  	// clientKeyExchangeMsg. This message is a digest of all preceding
   739  	// handshake-layer messages that is signed using the private key corresponding
   740  	// to the client's certificate. This allows us to verify that the client is in
   741  	// possession of the private key of the certificate.
   742  	if len(c.peerCertificates) > 0 {
   743  		// certificateVerifyMsg is included in the transcript, but not until
   744  		// after we verify the handshake signature, since the state before
   745  		// this message was sent is used.
   746  		msg, err = c.readHandshake(nil)
   747  		if err != nil {
   748  			return err
   749  		}
   750  		certVerify, ok := msg.(*certificateVerifyMsg)
   751  		if !ok {
   752  			c.sendAlert(alertUnexpectedMessage)
   753  			return unexpectedMessageError(certVerify, msg)
   754  		}
   755  
   756  		var sigType uint8
   757  		var sigHash crypto.Hash
   758  		if c.vers >= VersionTLS12 {
   759  			if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
   760  				c.sendAlert(alertIllegalParameter)
   761  				return errors.New("tls: client certificate used with invalid signature algorithm")
   762  			}
   763  			sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   764  			if err != nil {
   765  				return c.sendAlert(alertInternalError)
   766  			}
   767  		} else {
   768  			sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
   769  			if err != nil {
   770  				c.sendAlert(alertIllegalParameter)
   771  				return err
   772  			}
   773  		}
   774  
   775  		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
   776  		if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
   777  			c.sendAlert(alertDecryptError)
   778  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
   779  		}
   780  
   781  		if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
   782  			return err
   783  		}
   784  	}
   785  
   786  	hs.finishedHash.discardHandshakeBuffer()
   787  
   788  	return nil
   789  }
   790  
   791  func (hs *serverHandshakeState) establishKeys() error {
   792  	c := hs.c
   793  
   794  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   795  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   796  
   797  	var clientCipher, serverCipher any
   798  	var clientHash, serverHash hash.Hash
   799  
   800  	if hs.suite.aead == nil {
   801  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   802  		clientHash = hs.suite.mac(clientMAC)
   803  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   804  		serverHash = hs.suite.mac(serverMAC)
   805  	} else {
   806  		clientCipher = hs.suite.aead(clientKey, clientIV)
   807  		serverCipher = hs.suite.aead(serverKey, serverIV)
   808  	}
   809  
   810  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   811  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   812  
   813  	return nil
   814  }
   815  
   816  func (hs *serverHandshakeState) readFinished(out []byte) error {
   817  	c := hs.c
   818  
   819  	if err := c.readChangeCipherSpec(); err != nil {
   820  		return err
   821  	}
   822  
   823  	// finishedMsg is included in the transcript, but not until after we
   824  	// check the client version, since the state before this message was
   825  	// sent is used during verification.
   826  	msg, err := c.readHandshake(nil)
   827  	if err != nil {
   828  		return err
   829  	}
   830  	clientFinished, ok := msg.(*finishedMsg)
   831  	if !ok {
   832  		c.sendAlert(alertUnexpectedMessage)
   833  		return unexpectedMessageError(clientFinished, msg)
   834  	}
   835  
   836  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   837  	if len(verify) != len(clientFinished.verifyData) ||
   838  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   839  		c.sendAlert(alertHandshakeFailure)
   840  		return errors.New("tls: client's Finished message is incorrect")
   841  	}
   842  
   843  	if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
   844  		return err
   845  	}
   846  
   847  	copy(out, verify)
   848  	return nil
   849  }
   850  
   851  func (hs *serverHandshakeState) sendSessionTicket() error {
   852  	if !hs.hello.ticketSupported {
   853  		return nil
   854  	}
   855  
   856  	c := hs.c
   857  	m := new(newSessionTicketMsg)
   858  
   859  	state := c.sessionState()
   860  	state.secret = hs.masterSecret
   861  	if hs.sessionState != nil {
   862  		// If this is re-wrapping an old key, then keep
   863  		// the original time it was created.
   864  		state.createdAt = hs.sessionState.createdAt
   865  	}
   866  	if c.config.WrapSession != nil {
   867  		var err error
   868  		m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
   869  		if err != nil {
   870  			return err
   871  		}
   872  	} else {
   873  		stateBytes, err := state.Bytes()
   874  		if err != nil {
   875  			return err
   876  		}
   877  		m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
   878  		if err != nil {
   879  			return err
   880  		}
   881  	}
   882  
   883  	if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
   884  		return err
   885  	}
   886  
   887  	return nil
   888  }
   889  
   890  func (hs *serverHandshakeState) sendFinished(out []byte) error {
   891  	c := hs.c
   892  
   893  	if err := c.writeChangeCipherRecord(); err != nil {
   894  		return err
   895  	}
   896  
   897  	finished := new(finishedMsg)
   898  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   899  	if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
   900  		return err
   901  	}
   902  
   903  	copy(out, finished.verifyData)
   904  
   905  	return nil
   906  }
   907  
   908  // processCertsFromClient takes a chain of client certificates either from a
   909  // certificateMsg message or a certificateMsgTLS13 message and verifies them.
   910  func (c *Conn) processCertsFromClient(certificate Certificate) error {
   911  	certificates := certificate.Certificate
   912  	certs := make([]*x509.Certificate, len(certificates))
   913  	var err error
   914  	for i, asn1Data := range certificates {
   915  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   916  			c.sendAlert(alertDecodeError)
   917  			return errors.New("tls: failed to parse client certificate: " + err.Error())
   918  		}
   919  		if certs[i].PublicKeyAlgorithm == x509.RSA {
   920  			n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
   921  			if max, ok := checkKeySize(n); !ok {
   922  				c.sendAlert(alertBadCertificate)
   923  				return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
   924  			}
   925  		}
   926  	}
   927  
   928  	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
   929  		if c.vers == VersionTLS13 {
   930  			c.sendAlert(alertCertificateRequired)
   931  		} else {
   932  			c.sendAlert(alertHandshakeFailure)
   933  		}
   934  		return errors.New("tls: client didn't provide a certificate")
   935  	}
   936  
   937  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   938  		opts := x509.VerifyOptions{
   939  			Roots:         c.config.ClientCAs,
   940  			CurrentTime:   c.config.time(),
   941  			Intermediates: x509.NewCertPool(),
   942  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   943  		}
   944  
   945  		for _, cert := range certs[1:] {
   946  			opts.Intermediates.AddCert(cert)
   947  		}
   948  
   949  		chains, err := certs[0].Verify(opts)
   950  		if err != nil {
   951  			var errCertificateInvalid x509.CertificateInvalidError
   952  			if errors.As(err, &x509.UnknownAuthorityError{}) {
   953  				c.sendAlert(alertUnknownCA)
   954  			} else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
   955  				c.sendAlert(alertCertificateExpired)
   956  			} else {
   957  				c.sendAlert(alertBadCertificate)
   958  			}
   959  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   960  		}
   961  
   962  		c.verifiedChains, err = fipsAllowedChains(chains)
   963  		if err != nil {
   964  			c.sendAlert(alertBadCertificate)
   965  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   966  		}
   967  	}
   968  
   969  	c.peerCertificates = certs
   970  	c.ocspResponse = certificate.OCSPStaple
   971  	c.scts = certificate.SignedCertificateTimestamps
   972  
   973  	if len(certs) > 0 {
   974  		switch certs[0].PublicKey.(type) {
   975  		case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
   976  		default:
   977  			c.sendAlert(alertUnsupportedCertificate)
   978  			return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
   979  		}
   980  	}
   981  
   982  	if c.config.VerifyPeerCertificate != nil {
   983  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
   984  			c.sendAlert(alertBadCertificate)
   985  			return err
   986  		}
   987  	}
   988  
   989  	return nil
   990  }
   991  
   992  func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
   993  	supportedVersions := clientHello.supportedVersions
   994  	if len(clientHello.supportedVersions) == 0 {
   995  		supportedVersions = supportedVersionsFromMax(clientHello.vers)
   996  	}
   997  
   998  	return &ClientHelloInfo{
   999  		CipherSuites:      clientHello.cipherSuites,
  1000  		ServerName:        clientHello.serverName,
  1001  		SupportedCurves:   clientHello.supportedCurves,
  1002  		SupportedPoints:   clientHello.supportedPoints,
  1003  		SignatureSchemes:  clientHello.supportedSignatureAlgorithms,
  1004  		SupportedProtos:   clientHello.alpnProtocols,
  1005  		SupportedVersions: supportedVersions,
  1006  		Extensions:        clientHello.extensions,
  1007  		Conn:              c.conn,
  1008  		config:            c.config,
  1009  		ctx:               ctx,
  1010  	}
  1011  }
  1012
View as plain text