handshake_server.go

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"context"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/rsa"
    13  	"crypto/subtle"
    14  	"crypto/tls/internal/fips140tls"
    15  	"crypto/x509"
    16  	"errors"
    17  	"fmt"
    18  	"hash"
    19  	"io"
    20  	"time"
    21  )
    22  
    23  // serverHandshakeState contains details of a server handshake in progress.
    24  // It's discarded once the handshake has completed.
    25  type serverHandshakeState struct {
    26  	c            *Conn
    27  	ctx          context.Context
    28  	clientHello  *clientHelloMsg
    29  	hello        *serverHelloMsg
    30  	suite        *cipherSuite
    31  	ecdheOk      bool
    32  	ecSignOk     bool
    33  	rsaDecryptOk bool
    34  	rsaSignOk    bool
    35  	sessionState *SessionState
    36  	finishedHash finishedHash
    37  	masterSecret []byte
    38  	cert         *Certificate
    39  }
    40  
    41  // serverHandshake performs a TLS handshake as a server.
    42  func (c *Conn) serverHandshake(ctx context.Context) error {
    43  	clientHello, ech, err := c.readClientHello(ctx)
    44  	if err != nil {
    45  		return err
    46  	}
    47  
    48  	if c.vers == VersionTLS13 {
    49  		hs := serverHandshakeStateTLS13{
    50  			c:           c,
    51  			ctx:         ctx,
    52  			clientHello: clientHello,
    53  			echContext:  ech,
    54  		}
    55  		return hs.handshake()
    56  	}
    57  
    58  	hs := serverHandshakeState{
    59  		c:           c,
    60  		ctx:         ctx,
    61  		clientHello: clientHello,
    62  	}
    63  	return hs.handshake()
    64  }
    65  
    66  func (hs *serverHandshakeState) handshake() error {
    67  	c := hs.c
    68  
    69  	if err := hs.processClientHello(); err != nil {
    70  		return err
    71  	}
    72  
    73  	// For an overview of TLS handshaking, see RFC 5246, Section 7.3.
    74  	c.buffering = true
    75  	if err := hs.checkForResumption(); err != nil {
    76  		return err
    77  	}
    78  	if hs.sessionState != nil {
    79  		// The client has included a session ticket and so we do an abbreviated handshake.
    80  		if err := hs.doResumeHandshake(); err != nil {
    81  			return err
    82  		}
    83  		if err := hs.establishKeys(); err != nil {
    84  			return err
    85  		}
    86  		if err := hs.sendSessionTicket(); err != nil {
    87  			return err
    88  		}
    89  		if err := hs.sendFinished(c.serverFinished[:]); err != nil {
    90  			return err
    91  		}
    92  		if _, err := c.flush(); err != nil {
    93  			return err
    94  		}
    95  		c.clientFinishedIsFirst = false
    96  		if err := hs.readFinished(nil); err != nil {
    97  			return err
    98  		}
    99  	} else {
   100  		// The client didn't include a session ticket, or it wasn't
   101  		// valid so we do a full handshake.
   102  		if err := hs.pickCipherSuite(); err != nil {
   103  			return err
   104  		}
   105  		if err := hs.doFullHandshake(); err != nil {
   106  			return err
   107  		}
   108  		if err := hs.establishKeys(); err != nil {
   109  			return err
   110  		}
   111  		if err := hs.readFinished(c.clientFinished[:]); err != nil {
   112  			return err
   113  		}
   114  		c.clientFinishedIsFirst = true
   115  		c.buffering = true
   116  		if err := hs.sendSessionTicket(); err != nil {
   117  			return err
   118  		}
   119  		if err := hs.sendFinished(nil); err != nil {
   120  			return err
   121  		}
   122  		if _, err := c.flush(); err != nil {
   123  			return err
   124  		}
   125  	}
   126  
   127  	c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random)
   128  	c.isHandshakeComplete.Store(true)
   129  
   130  	return nil
   131  }
   132  
   133  // readClientHello reads a ClientHello message and selects the protocol version.
   134  func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, *echServerContext, error) {
   135  	// clientHelloMsg is included in the transcript, but we haven't initialized
   136  	// it yet. The respective handshake functions will record it themselves.
   137  	msg, err := c.readHandshake(nil)
   138  	if err != nil {
   139  		return nil, nil, err
   140  	}
   141  	clientHello, ok := msg.(*clientHelloMsg)
   142  	if !ok {
   143  		c.sendAlert(alertUnexpectedMessage)
   144  		return nil, nil, unexpectedMessageError(clientHello, msg)
   145  	}
   146  
   147  	// ECH processing has to be done before we do any other negotiation based on
   148  	// the contents of the client hello, since we may swap it out completely.
   149  	var ech *echServerContext
   150  	if len(clientHello.encryptedClientHello) != 0 {
   151  		echKeys := c.config.EncryptedClientHelloKeys
   152  		if c.config.GetEncryptedClientHelloKeys != nil {
   153  			echKeys, err = c.config.GetEncryptedClientHelloKeys(clientHelloInfo(ctx, c, clientHello))
   154  			if err != nil {
   155  				c.sendAlert(alertInternalError)
   156  				return nil, nil, err
   157  			}
   158  		}
   159  		clientHello, ech, err = c.processECHClientHello(clientHello, echKeys)
   160  		if err != nil {
   161  			return nil, nil, err
   162  		}
   163  	}
   164  
   165  	var configForClient *Config
   166  	originalConfig := c.config
   167  	if c.config.GetConfigForClient != nil {
   168  		chi := clientHelloInfo(ctx, c, clientHello)
   169  		if configForClient, err = c.config.GetConfigForClient(chi); err != nil {
   170  			c.sendAlert(alertInternalError)
   171  			return nil, nil, err
   172  		} else if configForClient != nil {
   173  			c.config = configForClient
   174  		}
   175  	}
   176  	c.ticketKeys = originalConfig.ticketKeys(configForClient)
   177  
   178  	clientVersions := clientHello.supportedVersions
   179  	if clientHello.vers >= VersionTLS13 && len(clientVersions) == 0 {
   180  		// RFC 8446 4.2.1 indicates when the supported_versions extension is not sent,
   181  		// compatible servers MUST negotiate TLS 1.2 or earlier if supported, even
   182  		// if the client legacy version is TLS 1.3 or later.
   183  		//
   184  		// Since we reject empty extensionSupportedVersions in the client hello unmarshal
   185  		// finding the supportedVersions empty indicates the extension was not present.
   186  		clientVersions = supportedVersionsFromMax(VersionTLS12)
   187  	} else if len(clientVersions) == 0 {
   188  		clientVersions = supportedVersionsFromMax(clientHello.vers)
   189  	}
   190  	c.vers, ok = c.config.mutualVersion(roleServer, clientVersions)
   191  	if !ok {
   192  		c.sendAlert(alertProtocolVersion)
   193  		return nil, nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions)
   194  	}
   195  	c.haveVers = true
   196  	c.in.version = c.vers
   197  	c.out.version = c.vers
   198  
   199  	// This check reflects some odd specification implied behavior. Client-facing servers
   200  	// are supposed to reject hellos with outer ECH and inner ECH that offers 1.2, but
   201  	// backend servers are allowed to accept hellos with inner ECH that offer 1.2, since
   202  	// they cannot expect client-facing servers to behave properly. Since we act as both
   203  	// a client-facing and backend server, we only enforce 1.3 being negotiated if we
   204  	// saw a hello with outer ECH first. The spec probably should've made this an error,
   205  	// but it didn't, and this matches the boringssl behavior.
   206  	if c.vers != VersionTLS13 && (ech != nil && !ech.inner) {
   207  		c.sendAlert(alertIllegalParameter)
   208  		return nil, nil, errors.New("tls: Encrypted Client Hello cannot be used pre-TLS 1.3")
   209  	}
   210  
   211  	if c.config.MinVersion == 0 && c.vers < VersionTLS12 {
   212  		tls10server.Value() // ensure godebug is initialized
   213  		tls10server.IncNonDefault()
   214  	}
   215  
   216  	return clientHello, ech, nil
   217  }
   218  
   219  func (hs *serverHandshakeState) processClientHello() error {
   220  	c := hs.c
   221  
   222  	hs.hello = new(serverHelloMsg)
   223  	hs.hello.vers = c.vers
   224  
   225  	foundCompression := false
   226  	// We only support null compression, so check that the client offered it.
   227  	for _, compression := range hs.clientHello.compressionMethods {
   228  		if compression == compressionNone {
   229  			foundCompression = true
   230  			break
   231  		}
   232  	}
   233  
   234  	if !foundCompression {
   235  		c.sendAlert(alertIllegalParameter)
   236  		return errors.New("tls: client does not support uncompressed connections")
   237  	}
   238  
   239  	hs.hello.random = make([]byte, 32)
   240  	serverRandom := hs.hello.random
   241  	// Downgrade protection canaries. See RFC 8446, Section 4.1.3.
   242  	maxVers := c.config.maxSupportedVersion(roleServer)
   243  	if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary {
   244  		if c.vers == VersionTLS12 {
   245  			copy(serverRandom[24:], downgradeCanaryTLS12)
   246  		} else {
   247  			copy(serverRandom[24:], downgradeCanaryTLS11)
   248  		}
   249  		serverRandom = serverRandom[:24]
   250  	}
   251  	_, err := io.ReadFull(c.config.rand(), serverRandom)
   252  	if err != nil {
   253  		c.sendAlert(alertInternalError)
   254  		return err
   255  	}
   256  
   257  	if len(hs.clientHello.secureRenegotiation) != 0 {
   258  		c.sendAlert(alertHandshakeFailure)
   259  		return errors.New("tls: initial handshake had non-empty renegotiation extension")
   260  	}
   261  
   262  	hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret
   263  	hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
   264  	hs.hello.compressionMethod = compressionNone
   265  	if len(hs.clientHello.serverName) > 0 {
   266  		c.serverName = hs.clientHello.serverName
   267  	}
   268  
   269  	selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false)
   270  	if err != nil {
   271  		c.sendAlert(alertNoApplicationProtocol)
   272  		return err
   273  	}
   274  	hs.hello.alpnProtocol = selectedProto
   275  	c.clientProtocol = selectedProto
   276  
   277  	hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
   278  	if err != nil {
   279  		if err == errNoCertificates {
   280  			c.sendAlert(alertUnrecognizedName)
   281  		} else {
   282  			c.sendAlert(alertInternalError)
   283  		}
   284  		return err
   285  	}
   286  	if hs.clientHello.scts {
   287  		hs.hello.scts = hs.cert.SignedCertificateTimestamps
   288  	}
   289  
   290  	hs.ecdheOk, err = supportsECDHE(c.config, c.vers, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints)
   291  	if err != nil {
   292  		c.sendAlert(alertMissingExtension)
   293  		return err
   294  	}
   295  
   296  	if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 {
   297  		// Although omitting the ec_point_formats extension is permitted, some
   298  		// old OpenSSL version will refuse to handshake if not present.
   299  		//
   300  		// Per RFC 4492, section 5.1.2, implementations MUST support the
   301  		// uncompressed point format. See golang.org/issue/31943.
   302  		hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
   303  	}
   304  
   305  	if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
   306  		switch priv.Public().(type) {
   307  		case *ecdsa.PublicKey:
   308  			hs.ecSignOk = true
   309  		case ed25519.PublicKey:
   310  			hs.ecSignOk = true
   311  		case *rsa.PublicKey:
   312  			hs.rsaSignOk = true
   313  		default:
   314  			c.sendAlert(alertInternalError)
   315  			return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public())
   316  		}
   317  	}
   318  	if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
   319  		switch priv.Public().(type) {
   320  		case *rsa.PublicKey:
   321  			hs.rsaDecryptOk = true
   322  		default:
   323  			c.sendAlert(alertInternalError)
   324  			return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public())
   325  		}
   326  	}
   327  
   328  	return nil
   329  }
   330  
   331  // negotiateALPN picks a shared ALPN protocol that both sides support in server
   332  // preference order. If ALPN is not configured or the peer doesn't support it,
   333  // it returns "" and no error.
   334  func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) {
   335  	if len(serverProtos) == 0 || len(clientProtos) == 0 {
   336  		if quic && len(serverProtos) != 0 {
   337  			// RFC 9001, Section 8.1
   338  			return "", fmt.Errorf("tls: client did not request an application protocol")
   339  		}
   340  		return "", nil
   341  	}
   342  	var http11fallback bool
   343  	for _, s := range serverProtos {
   344  		for _, c := range clientProtos {
   345  			if s == c {
   346  				return s, nil
   347  			}
   348  			if s == "h2" && c == "http/1.1" {
   349  				http11fallback = true
   350  			}
   351  		}
   352  	}
   353  	// As a special case, let http/1.1 clients connect to h2 servers as if they
   354  	// didn't support ALPN. We used not to enforce protocol overlap, so over
   355  	// time a number of HTTP servers were configured with only "h2", but
   356  	// expected to accept connections from "http/1.1" clients. See Issue 46310.
   357  	if http11fallback {
   358  		return "", nil
   359  	}
   360  	return "", fmt.Errorf("tls: client requested unsupported application protocols (%q)", clientProtos)
   361  }
   362  
   363  // supportsECDHE returns whether ECDHE key exchanges can be used with this
   364  // pre-TLS 1.3 client.
   365  func supportsECDHE(c *Config, version uint16, supportedCurves []CurveID, supportedPoints []uint8) (bool, error) {
   366  	supportsCurve := false
   367  	for _, curve := range supportedCurves {
   368  		if c.supportsCurve(version, curve) {
   369  			supportsCurve = true
   370  			break
   371  		}
   372  	}
   373  
   374  	supportsPointFormat := false
   375  	offeredNonCompressedFormat := false
   376  	for _, pointFormat := range supportedPoints {
   377  		if pointFormat == pointFormatUncompressed {
   378  			supportsPointFormat = true
   379  		} else {
   380  			offeredNonCompressedFormat = true
   381  		}
   382  	}
   383  	// Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is
   384  	// missing, uncompressed points are supported. If supportedPoints is empty,
   385  	// the extension must be missing, as an empty extension body is rejected by
   386  	// the parser. See https://go.dev/issue/49126.
   387  	if len(supportedPoints) == 0 {
   388  		supportsPointFormat = true
   389  	} else if offeredNonCompressedFormat && !supportsPointFormat {
   390  		return false, errors.New("tls: client offered only incompatible point formats")
   391  	}
   392  
   393  	return supportsCurve && supportsPointFormat, nil
   394  }
   395  
   396  func (hs *serverHandshakeState) pickCipherSuite() error {
   397  	c := hs.c
   398  
   399  	preferenceList := c.config.cipherSuites(isAESGCMPreferred(hs.clientHello.cipherSuites))
   400  
   401  	hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk)
   402  	if hs.suite == nil {
   403  		c.sendAlert(alertHandshakeFailure)
   404  		return fmt.Errorf("tls: no cipher suite supported by both client and server; client offered: %x",
   405  			hs.clientHello.cipherSuites)
   406  	}
   407  	c.cipherSuite = hs.suite.id
   408  
   409  	if c.config.CipherSuites == nil && !fips140tls.Required() && rsaKexCiphers[hs.suite.id] {
   410  		tlsrsakex.Value() // ensure godebug is initialized
   411  		tlsrsakex.IncNonDefault()
   412  	}
   413  	if c.config.CipherSuites == nil && !fips140tls.Required() && tdesCiphers[hs.suite.id] {
   414  		tls3des.Value() // ensure godebug is initialized
   415  		tls3des.IncNonDefault()
   416  	}
   417  
   418  	for _, id := range hs.clientHello.cipherSuites {
   419  		if id == TLS_FALLBACK_SCSV {
   420  			// The client is doing a fallback connection. See RFC 7507.
   421  			if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) {
   422  				c.sendAlert(alertInappropriateFallback)
   423  				return errors.New("tls: client using inappropriate protocol fallback")
   424  			}
   425  			break
   426  		}
   427  	}
   428  
   429  	return nil
   430  }
   431  
   432  func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool {
   433  	if c.flags&suiteECDHE != 0 {
   434  		if !hs.ecdheOk {
   435  			return false
   436  		}
   437  		if c.flags&suiteECSign != 0 {
   438  			if !hs.ecSignOk {
   439  				return false
   440  			}
   441  		} else if !hs.rsaSignOk {
   442  			return false
   443  		}
   444  	} else if !hs.rsaDecryptOk {
   445  		return false
   446  	}
   447  	if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
   448  		return false
   449  	}
   450  	return true
   451  }
   452  
   453  // checkForResumption reports whether we should perform resumption on this connection.
   454  func (hs *serverHandshakeState) checkForResumption() error {
   455  	c := hs.c
   456  
   457  	if c.config.SessionTicketsDisabled {
   458  		return nil
   459  	}
   460  
   461  	var sessionState *SessionState
   462  	if c.config.UnwrapSession != nil {
   463  		ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked())
   464  		if err != nil {
   465  			return err
   466  		}
   467  		if ss == nil {
   468  			return nil
   469  		}
   470  		sessionState = ss
   471  	} else {
   472  		plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys)
   473  		if plaintext == nil {
   474  			return nil
   475  		}
   476  		ss, err := ParseSessionState(plaintext)
   477  		if err != nil {
   478  			return nil
   479  		}
   480  		sessionState = ss
   481  	}
   482  
   483  	// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
   484  	// re-wrapping the same master secret in different tickets over and over for
   485  	// too long, weakening forward secrecy.
   486  	createdAt := time.Unix(int64(sessionState.createdAt), 0)
   487  	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
   488  		return nil
   489  	}
   490  
   491  	// Never resume a session for a different TLS version.
   492  	if c.vers != sessionState.version {
   493  		return nil
   494  	}
   495  
   496  	cipherSuiteOk := false
   497  	// Check that the client is still offering the ciphersuite in the session.
   498  	for _, id := range hs.clientHello.cipherSuites {
   499  		if id == sessionState.cipherSuite {
   500  			cipherSuiteOk = true
   501  			break
   502  		}
   503  	}
   504  	if !cipherSuiteOk {
   505  		return nil
   506  	}
   507  
   508  	// Check that we also support the ciphersuite from the session.
   509  	suite := selectCipherSuite([]uint16{sessionState.cipherSuite},
   510  		c.config.supportedCipherSuites(), hs.cipherSuiteOk)
   511  	if suite == nil {
   512  		return nil
   513  	}
   514  
   515  	sessionHasClientCerts := len(sessionState.peerCertificates) != 0
   516  	needClientCerts := requiresClientCert(c.config.ClientAuth)
   517  	if needClientCerts && !sessionHasClientCerts {
   518  		return nil
   519  	}
   520  	if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
   521  		return nil
   522  	}
   523  	if sessionHasClientCerts {
   524  		now := c.config.time()
   525  		for _, c := range sessionState.peerCertificates {
   526  			if now.After(c.NotAfter) {
   527  				return nil
   528  			}
   529  		}
   530  	}
   531  	if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven &&
   532  		len(sessionState.verifiedChains) == 0 {
   533  		return nil
   534  	}
   535  
   536  	// RFC 7627, Section 5.3
   537  	if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret {
   538  		return nil
   539  	}
   540  	if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret {
   541  		// Aborting is somewhat harsh, but it's a MUST and it would indicate a
   542  		// weird downgrade in client capabilities.
   543  		return errors.New("tls: session supported extended_master_secret but client does not")
   544  	}
   545  	if !sessionState.extMasterSecret && fips140tls.Required() {
   546  		// FIPS 140-3 requires the use of Extended Master Secret.
   547  		return nil
   548  	}
   549  
   550  	c.peerCertificates = sessionState.peerCertificates
   551  	c.ocspResponse = sessionState.ocspResponse
   552  	c.scts = sessionState.scts
   553  	c.verifiedChains = sessionState.verifiedChains
   554  	c.extMasterSecret = sessionState.extMasterSecret
   555  	hs.sessionState = sessionState
   556  	hs.suite = suite
   557  	c.curveID = sessionState.curveID
   558  	c.didResume = true
   559  	return nil
   560  }
   561  
   562  func (hs *serverHandshakeState) doResumeHandshake() error {
   563  	c := hs.c
   564  
   565  	hs.hello.cipherSuite = hs.suite.id
   566  	c.cipherSuite = hs.suite.id
   567  	// We echo the client's session ID in the ServerHello to let it know
   568  	// that we're doing a resumption.
   569  	hs.hello.sessionId = hs.clientHello.sessionId
   570  	// We always send a new session ticket, even if it wraps the same master
   571  	// secret and it's potentially encrypted with the same key, to help the
   572  	// client avoid cross-connection tracking from a network observer.
   573  	hs.hello.ticketSupported = true
   574  	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
   575  	hs.finishedHash.discardHandshakeBuffer()
   576  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   577  		return err
   578  	}
   579  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   580  		return err
   581  	}
   582  
   583  	if c.config.VerifyConnection != nil {
   584  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   585  			c.sendAlert(alertBadCertificate)
   586  			return err
   587  		}
   588  	}
   589  
   590  	hs.masterSecret = hs.sessionState.secret
   591  
   592  	return nil
   593  }
   594  
   595  func (hs *serverHandshakeState) doFullHandshake() error {
   596  	c := hs.c
   597  
   598  	if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
   599  		hs.hello.ocspStapling = true
   600  	}
   601  
   602  	if hs.clientHello.serverName != "" {
   603  		hs.hello.serverNameAck = true
   604  	}
   605  
   606  	hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
   607  	hs.hello.cipherSuite = hs.suite.id
   608  
   609  	hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
   610  	if c.config.ClientAuth == NoClientCert {
   611  		// No need to keep a full record of the handshake if client
   612  		// certificates won't be used.
   613  		hs.finishedHash.discardHandshakeBuffer()
   614  	}
   615  	if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil {
   616  		return err
   617  	}
   618  	if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil {
   619  		return err
   620  	}
   621  
   622  	certMsg := new(certificateMsg)
   623  	certMsg.certificates = hs.cert.Certificate
   624  	if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil {
   625  		return err
   626  	}
   627  
   628  	if hs.hello.ocspStapling {
   629  		certStatus := new(certificateStatusMsg)
   630  		certStatus.response = hs.cert.OCSPStaple
   631  		if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil {
   632  			return err
   633  		}
   634  	}
   635  
   636  	keyAgreement := hs.suite.ka(c.vers)
   637  	skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
   638  	if err != nil {
   639  		c.sendAlert(alertHandshakeFailure)
   640  		return err
   641  	}
   642  	if skx != nil {
   643  		if keyAgreement, ok := keyAgreement.(*ecdheKeyAgreement); ok {
   644  			c.curveID = keyAgreement.curveID
   645  			c.peerSigAlg = keyAgreement.signatureAlgorithm
   646  		}
   647  		if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil {
   648  			return err
   649  		}
   650  	}
   651  
   652  	var certReq *certificateRequestMsg
   653  	if c.config.ClientAuth >= RequestClientCert {
   654  		// Request a client certificate
   655  		certReq = new(certificateRequestMsg)
   656  		certReq.certificateTypes = []byte{
   657  			byte(certTypeRSASign),
   658  			byte(certTypeECDSASign),
   659  		}
   660  		if c.vers >= VersionTLS12 {
   661  			certReq.hasSignatureAlgorithm = true
   662  			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms(c.vers)
   663  		}
   664  
   665  		// An empty list of certificateAuthorities signals to
   666  		// the client that it may send any certificate in response
   667  		// to our request. When we know the CAs we trust, then
   668  		// we can send them down, so that the client can choose
   669  		// an appropriate certificate to give to us.
   670  		if c.config.ClientCAs != nil {
   671  			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
   672  		}
   673  		if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil {
   674  			return err
   675  		}
   676  	}
   677  
   678  	helloDone := new(serverHelloDoneMsg)
   679  	if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil {
   680  		return err
   681  	}
   682  
   683  	if _, err := c.flush(); err != nil {
   684  		return err
   685  	}
   686  
   687  	var pub crypto.PublicKey // public key for client auth, if any
   688  
   689  	msg, err := c.readHandshake(&hs.finishedHash)
   690  	if err != nil {
   691  		return err
   692  	}
   693  
   694  	// If we requested a client certificate, then the client must send a
   695  	// certificate message, even if it's empty.
   696  	if c.config.ClientAuth >= RequestClientCert {
   697  		certMsg, ok := msg.(*certificateMsg)
   698  		if !ok {
   699  			c.sendAlert(alertUnexpectedMessage)
   700  			return unexpectedMessageError(certMsg, msg)
   701  		}
   702  
   703  		if err := c.processCertsFromClient(Certificate{
   704  			Certificate: certMsg.certificates,
   705  		}); err != nil {
   706  			return err
   707  		}
   708  		if len(certMsg.certificates) != 0 {
   709  			pub = c.peerCertificates[0].PublicKey
   710  		}
   711  
   712  		msg, err = c.readHandshake(&hs.finishedHash)
   713  		if err != nil {
   714  			return err
   715  		}
   716  	}
   717  	if c.config.VerifyConnection != nil {
   718  		if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
   719  			c.sendAlert(alertBadCertificate)
   720  			return err
   721  		}
   722  	}
   723  
   724  	// Get client key exchange
   725  	ckx, ok := msg.(*clientKeyExchangeMsg)
   726  	if !ok {
   727  		c.sendAlert(alertUnexpectedMessage)
   728  		return unexpectedMessageError(ckx, msg)
   729  	}
   730  
   731  	preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
   732  	if err != nil {
   733  		c.sendAlert(alertIllegalParameter)
   734  		return err
   735  	}
   736  	if hs.hello.extendedMasterSecret {
   737  		c.extMasterSecret = true
   738  		hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   739  			hs.finishedHash.Sum())
   740  	} else {
   741  		if fips140tls.Required() {
   742  			c.sendAlert(alertHandshakeFailure)
   743  			return errors.New("tls: FIPS 140-3 requires the use of Extended Master Secret")
   744  		}
   745  		hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret,
   746  			hs.clientHello.random, hs.hello.random)
   747  	}
   748  	if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil {
   749  		c.sendAlert(alertInternalError)
   750  		return err
   751  	}
   752  
   753  	// If we received a client cert in response to our certificate request message,
   754  	// the client will send us a certificateVerifyMsg immediately after the
   755  	// clientKeyExchangeMsg. This message is a digest of all preceding
   756  	// handshake-layer messages that is signed using the private key corresponding
   757  	// to the client's certificate. This allows us to verify that the client is in
   758  	// possession of the private key of the certificate.
   759  	if len(c.peerCertificates) > 0 {
   760  		// certificateVerifyMsg is included in the transcript, but not until
   761  		// after we verify the handshake signature, since the state before
   762  		// this message was sent is used.
   763  		msg, err = c.readHandshake(nil)
   764  		if err != nil {
   765  			return err
   766  		}
   767  		certVerify, ok := msg.(*certificateVerifyMsg)
   768  		if !ok {
   769  			c.sendAlert(alertUnexpectedMessage)
   770  			return unexpectedMessageError(certVerify, msg)
   771  		}
   772  
   773  		var sigType uint8
   774  		var sigHash crypto.Hash
   775  		if c.vers >= VersionTLS12 {
   776  			if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) {
   777  				c.sendAlert(alertIllegalParameter)
   778  				return errors.New("tls: client certificate used with invalid signature algorithm")
   779  			}
   780  			sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
   781  			if err != nil {
   782  				return c.sendAlert(alertInternalError)
   783  			}
   784  			if sigHash == crypto.SHA1 {
   785  				tlssha1.Value() // ensure godebug is initialized
   786  				tlssha1.IncNonDefault()
   787  			}
   788  		} else {
   789  			sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub)
   790  			if err != nil {
   791  				c.sendAlert(alertIllegalParameter)
   792  				return err
   793  			}
   794  		}
   795  
   796  		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
   797  		if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
   798  			c.sendAlert(alertDecryptError)
   799  			return errors.New("tls: invalid signature by the client certificate: " + err.Error())
   800  		}
   801  		c.peerSigAlg = certVerify.signatureAlgorithm
   802  
   803  		if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil {
   804  			return err
   805  		}
   806  	}
   807  
   808  	hs.finishedHash.discardHandshakeBuffer()
   809  
   810  	return nil
   811  }
   812  
   813  func (hs *serverHandshakeState) establishKeys() error {
   814  	c := hs.c
   815  
   816  	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
   817  		keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
   818  
   819  	var clientCipher, serverCipher any
   820  	var clientHash, serverHash hash.Hash
   821  
   822  	if hs.suite.aead == nil {
   823  		clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
   824  		clientHash = hs.suite.mac(clientMAC)
   825  		serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
   826  		serverHash = hs.suite.mac(serverMAC)
   827  	} else {
   828  		clientCipher = hs.suite.aead(clientKey, clientIV)
   829  		serverCipher = hs.suite.aead(serverKey, serverIV)
   830  	}
   831  
   832  	c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
   833  	c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
   834  
   835  	return nil
   836  }
   837  
   838  func (hs *serverHandshakeState) readFinished(out []byte) error {
   839  	c := hs.c
   840  
   841  	if err := c.readChangeCipherSpec(); err != nil {
   842  		return err
   843  	}
   844  
   845  	// finishedMsg is included in the transcript, but not until after we
   846  	// check the client version, since the state before this message was
   847  	// sent is used during verification.
   848  	msg, err := c.readHandshake(nil)
   849  	if err != nil {
   850  		return err
   851  	}
   852  	clientFinished, ok := msg.(*finishedMsg)
   853  	if !ok {
   854  		c.sendAlert(alertUnexpectedMessage)
   855  		return unexpectedMessageError(clientFinished, msg)
   856  	}
   857  
   858  	verify := hs.finishedHash.clientSum(hs.masterSecret)
   859  	if len(verify) != len(clientFinished.verifyData) ||
   860  		subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
   861  		c.sendAlert(alertHandshakeFailure)
   862  		return errors.New("tls: client's Finished message is incorrect")
   863  	}
   864  
   865  	if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil {
   866  		return err
   867  	}
   868  
   869  	copy(out, verify)
   870  	return nil
   871  }
   872  
   873  func (hs *serverHandshakeState) sendSessionTicket() error {
   874  	if !hs.hello.ticketSupported {
   875  		return nil
   876  	}
   877  
   878  	c := hs.c
   879  	m := new(newSessionTicketMsg)
   880  
   881  	state := c.sessionState()
   882  	state.secret = hs.masterSecret
   883  	if hs.sessionState != nil {
   884  		// If this is re-wrapping an old key, then keep
   885  		// the original time it was created.
   886  		state.createdAt = hs.sessionState.createdAt
   887  	}
   888  	if c.config.WrapSession != nil {
   889  		var err error
   890  		m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state)
   891  		if err != nil {
   892  			return err
   893  		}
   894  	} else {
   895  		stateBytes, err := state.Bytes()
   896  		if err != nil {
   897  			return err
   898  		}
   899  		m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys)
   900  		if err != nil {
   901  			return err
   902  		}
   903  	}
   904  
   905  	if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil {
   906  		return err
   907  	}
   908  
   909  	return nil
   910  }
   911  
   912  func (hs *serverHandshakeState) sendFinished(out []byte) error {
   913  	c := hs.c
   914  
   915  	if err := c.writeChangeCipherRecord(); err != nil {
   916  		return err
   917  	}
   918  
   919  	finished := new(finishedMsg)
   920  	finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
   921  	if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil {
   922  		return err
   923  	}
   924  
   925  	copy(out, finished.verifyData)
   926  
   927  	return nil
   928  }
   929  
   930  // processCertsFromClient takes a chain of client certificates either from a
   931  // certificateMsg message or a certificateMsgTLS13 message and verifies them.
   932  func (c *Conn) processCertsFromClient(certificate Certificate) error {
   933  	certificates := certificate.Certificate
   934  	certs := make([]*x509.Certificate, len(certificates))
   935  	var err error
   936  	for i, asn1Data := range certificates {
   937  		if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
   938  			c.sendAlert(alertDecodeError)
   939  			return errors.New("tls: failed to parse client certificate: " + err.Error())
   940  		}
   941  		if certs[i].PublicKeyAlgorithm == x509.RSA {
   942  			n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen()
   943  			if max, ok := checkKeySize(n); !ok {
   944  				c.sendAlert(alertBadCertificate)
   945  				return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max)
   946  			}
   947  		}
   948  	}
   949  
   950  	if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) {
   951  		if c.vers == VersionTLS13 {
   952  			c.sendAlert(alertCertificateRequired)
   953  		} else {
   954  			c.sendAlert(alertHandshakeFailure)
   955  		}
   956  		return errors.New("tls: client didn't provide a certificate")
   957  	}
   958  
   959  	if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
   960  		opts := x509.VerifyOptions{
   961  			Roots:         c.config.ClientCAs,
   962  			CurrentTime:   c.config.time(),
   963  			Intermediates: x509.NewCertPool(),
   964  			KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
   965  		}
   966  
   967  		for _, cert := range certs[1:] {
   968  			opts.Intermediates.AddCert(cert)
   969  		}
   970  
   971  		chains, err := certs[0].Verify(opts)
   972  		if err != nil {
   973  			var errCertificateInvalid x509.CertificateInvalidError
   974  			if errors.As(err, &x509.UnknownAuthorityError{}) {
   975  				c.sendAlert(alertUnknownCA)
   976  			} else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {
   977  				c.sendAlert(alertCertificateExpired)
   978  			} else {
   979  				c.sendAlert(alertBadCertificate)
   980  			}
   981  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   982  		}
   983  
   984  		c.verifiedChains, err = fipsAllowedChains(chains)
   985  		if err != nil {
   986  			c.sendAlert(alertBadCertificate)
   987  			return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
   988  		}
   989  	}
   990  
   991  	c.peerCertificates = certs
   992  	c.ocspResponse = certificate.OCSPStaple
   993  	c.scts = certificate.SignedCertificateTimestamps
   994  
   995  	if len(certs) > 0 {
   996  		switch certs[0].PublicKey.(type) {
   997  		case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey:
   998  		default:
   999  			c.sendAlert(alertUnsupportedCertificate)
  1000  			return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey)
  1001  		}
  1002  	}
  1003  
  1004  	if c.config.VerifyPeerCertificate != nil {
  1005  		if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
  1006  			c.sendAlert(alertBadCertificate)
  1007  			return err
  1008  		}
  1009  	}
  1010  
  1011  	return nil
  1012  }
  1013  
  1014  func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo {
  1015  	supportedVersions := clientHello.supportedVersions
  1016  	if len(clientHello.supportedVersions) == 0 {
  1017  		supportedVersions = supportedVersionsFromMax(clientHello.vers)
  1018  	}
  1019  
  1020  	return &ClientHelloInfo{
  1021  		CipherSuites:      clientHello.cipherSuites,
  1022  		ServerName:        clientHello.serverName,
  1023  		SupportedCurves:   clientHello.supportedCurves,
  1024  		SupportedPoints:   clientHello.supportedPoints,
  1025  		SignatureSchemes:  clientHello.supportedSignatureAlgorithms,
  1026  		SupportedProtos:   clientHello.alpnProtocols,
  1027  		SupportedVersions: supportedVersions,
  1028  		Extensions:        clientHello.extensions,
  1029  		Conn:              c.conn,
  1030  		config:            c.config,
  1031  		ctx:               ctx,
  1032  	}
  1033  }
  1034
View as plain text