Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 86271ee9f866cd83d9e37ab1ba1218ebefb336aa / . / ssl / test / runner / handshake_server.go
blob: 68ba734acd1b659607c404052d41598662d1d2cd [file] [log] [blame]
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package main
6
7import (
8 "crypto"
9 "crypto/ecdsa"
10 "crypto/rsa"
11 "crypto/subtle"
12 "crypto/x509"
13 "encoding/asn1"
14 "errors"
15 "fmt"
16 "io"
17)
18
19// serverHandshakeState contains details of a server handshake in progress.
20// It's discarded once the handshake has completed.
21type serverHandshakeState struct {
22 c *Conn
23 clientHello *clientHelloMsg
24 hello *serverHelloMsg
25 suite *cipherSuite
26 ellipticOk bool
27 ecdsaOk bool
28 sessionState *sessionState
29 finishedHash finishedHash
30 masterSecret []byte
31 certsFromClient [][]byte
32 cert *Certificate
33}
34
35// serverHandshake performs a TLS handshake as a server.
36func (c *Conn) serverHandshake() error {
37 config := c.config
38
39 // If this is the first server handshake, we generate a random key to
40 // encrypt the tickets with.
41 config.serverInitOnce.Do(config.serverInit)
42
43 hs := serverHandshakeState{
44 c: c,
45 }
46 isResume, err := hs.readClientHello()
47 if err != nil {
48 return err
49 }
50
51 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3
52 if isResume {
53 // The client has included a session ticket and so we do an abbreviated handshake.
54 if err := hs.doResumeHandshake(); err != nil {
55 return err
56 }
57 if err := hs.establishKeys(); err != nil {
58 return err
59 }
60 if err := hs.sendFinished(); err != nil {
61 return err
62 }
63 if err := hs.readFinished(); err != nil {
64 return err
65 }
66 c.didResume = true
67 } else {
68 // The client didn't include a session ticket, or it wasn't
69 // valid so we do a full handshake.
70 if err := hs.doFullHandshake(); err != nil {
71 return err
72 }
73 if err := hs.establishKeys(); err != nil {
74 return err
75 }
76 if err := hs.readFinished(); err != nil {
77 return err
78 }
79 if err := hs.sendSessionTicket(); err != nil {
80 return err
81 }
82 if err := hs.sendFinished(); err != nil {
83 return err
84 }
85 }
86 c.handshakeComplete = true
87
88 return nil
89}
90
91// readClientHello reads a ClientHello message from the client and decides
92// whether we will perform session resumption.
93func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
94 config := hs.c.config
95 c := hs.c
96
97 msg, err := c.readHandshake()
98 if err != nil {
99 return false, err
100 }
101 var ok bool
102 hs.clientHello, ok = msg.(*clientHelloMsg)
103 if !ok {
104 c.sendAlert(alertUnexpectedMessage)
105 return false, unexpectedMessageError(hs.clientHello, msg)
106 }
107 c.vers, ok = config.mutualVersion(hs.clientHello.vers)
108 if !ok {
109 c.sendAlert(alertProtocolVersion)
110 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
111 }
112 c.haveVers = true
113
114 hs.hello = new(serverHelloMsg)
115
116 supportedCurve := false
117 preferredCurves := config.curvePreferences()
118Curves:
119 for _, curve := range hs.clientHello.supportedCurves {
120 for _, supported := range preferredCurves {
121 if supported == curve {
122 supportedCurve = true
123 break Curves
124 }
125 }
126 }
127
128 supportedPointFormat := false
129 for _, pointFormat := range hs.clientHello.supportedPoints {
130 if pointFormat == pointFormatUncompressed {
131 supportedPointFormat = true
132 break
133 }
134 }
135 hs.ellipticOk = supportedCurve && supportedPointFormat
136
137 foundCompression := false
138 // We only support null compression, so check that the client offered it.
139 for _, compression := range hs.clientHello.compressionMethods {
140 if compression == compressionNone {
141 foundCompression = true
142 break
143 }
144 }
145
146 if !foundCompression {
147 c.sendAlert(alertHandshakeFailure)
148 return false, errors.New("tls: client does not support uncompressed connections")
149 }
150
151 hs.hello.vers = c.vers
152 hs.hello.random = make([]byte, 32)
153 _, err = io.ReadFull(config.rand(), hs.hello.random)
154 if err != nil {
155 c.sendAlert(alertInternalError)
156 return false, err
157 }
158 hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation
159 hs.hello.compressionMethod = compressionNone
David Benjamin35a7a442014-07-05 00:23:20 -0400[diff] [blame]160 hs.hello.duplicateExtension = c.config.Bugs.DuplicateExtension
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]161 if len(hs.clientHello.serverName) > 0 {
162 c.serverName = hs.clientHello.serverName
163 }
164 // Although sending an empty NPN extension is reasonable, Firefox has
165 // had a bug around this. Best to send nothing at all if
166 // config.NextProtos is empty. See
167 // https://code.google.com/p/go/issues/detail?id=5445.
168 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 {
169 hs.hello.nextProtoNeg = true
170 hs.hello.nextProtos = config.NextProtos
171 }
172
173 if len(config.Certificates) == 0 {
174 c.sendAlert(alertInternalError)
175 return false, errors.New("tls: no certificates configured")
176 }
177 hs.cert = &config.Certificates[0]
178 if len(hs.clientHello.serverName) > 0 {
179 hs.cert = config.getCertificateForName(hs.clientHello.serverName)
180 }
181
182 _, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey)
183
184 if hs.checkForResumption() {
185 return true, nil
186 }
187
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]188 var scsvFound bool
189
190 for _, cipherSuite := range hs.clientHello.cipherSuites {
191 if cipherSuite == fallbackSCSV {
192 scsvFound = true
193 break
194 }
195 }
196
197 if !scsvFound && config.Bugs.FailIfNotFallbackSCSV {
198 return false, errors.New("tls: no fallback SCSV found when expected")
199 } else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV {
200 return false, errors.New("tls: fallback SCSV found when not expected")
201 }
202
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]203 var preferenceList, supportedList []uint16
204 if c.config.PreferServerCipherSuites {
205 preferenceList = c.config.cipherSuites()
206 supportedList = hs.clientHello.cipherSuites
207 } else {
208 preferenceList = hs.clientHello.cipherSuites
209 supportedList = c.config.cipherSuites()
210 }
211
212 for _, id := range preferenceList {
213 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil {
214 break
215 }
216 }
217
218 if hs.suite == nil {
219 c.sendAlert(alertHandshakeFailure)
220 return false, errors.New("tls: no cipher suite supported by both client and server")
221 }
222
223 return false, nil
224}
225
226// checkForResumption returns true if we should perform resumption on this connection.
227func (hs *serverHandshakeState) checkForResumption() bool {
228 c := hs.c
229
230 var ok bool
231 if hs.sessionState, ok = c.decryptTicket(hs.clientHello.sessionTicket); !ok {
232 return false
233 }
234
235 if hs.sessionState.vers > hs.clientHello.vers {
236 return false
237 }
238 if vers, ok := c.config.mutualVersion(hs.sessionState.vers); !ok || vers != hs.sessionState.vers {
239 return false
240 }
241
242 cipherSuiteOk := false
243 // Check that the client is still offering the ciphersuite in the session.
244 for _, id := range hs.clientHello.cipherSuites {
245 if id == hs.sessionState.cipherSuite {
246 cipherSuiteOk = true
247 break
248 }
249 }
250 if !cipherSuiteOk {
251 return false
252 }
253
254 // Check that we also support the ciphersuite from the session.
255 hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers, hs.ellipticOk, hs.ecdsaOk)
256 if hs.suite == nil {
257 return false
258 }
259
260 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
261 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert
262 if needClientCerts && !sessionHasClientCerts {
263 return false
264 }
265 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
266 return false
267 }
268
269 return true
270}
271
272func (hs *serverHandshakeState) doResumeHandshake() error {
273 c := hs.c
274
275 hs.hello.cipherSuite = hs.suite.id
276 // We echo the client's session ID in the ServerHello to let it know
277 // that we're doing a resumption.
278 hs.hello.sessionId = hs.clientHello.sessionId
279
280 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
281 hs.finishedHash.Write(hs.clientHello.marshal())
282 hs.finishedHash.Write(hs.hello.marshal())
283
284 c.writeRecord(recordTypeHandshake, hs.hello.marshal())
285
286 if len(hs.sessionState.certificates) > 0 {
287 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
288 return err
289 }
290 }
291
292 hs.masterSecret = hs.sessionState.masterSecret
293
294 return nil
295}
296
297func (hs *serverHandshakeState) doFullHandshake() error {
298 config := hs.c.config
299 c := hs.c
300
301 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
302 hs.hello.ocspStapling = true
303 }
304
305 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled
306 hs.hello.cipherSuite = hs.suite.id
307
308 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
309 hs.finishedHash.Write(hs.clientHello.marshal())
310 hs.finishedHash.Write(hs.hello.marshal())
311
312 c.writeRecord(recordTypeHandshake, hs.hello.marshal())
313
314 certMsg := new(certificateMsg)
315 certMsg.certificates = hs.cert.Certificate
David Benjamin1c375dd2014-07-12 00:48:23 -0400[diff] [blame]316 if !config.Bugs.UnauthenticatedECDH {
317 hs.finishedHash.Write(certMsg.marshal())
318 c.writeRecord(recordTypeHandshake, certMsg.marshal())
319 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]320
321 if hs.hello.ocspStapling {
322 certStatus := new(certificateStatusMsg)
323 certStatus.statusType = statusTypeOCSP
324 certStatus.response = hs.cert.OCSPStaple
325 hs.finishedHash.Write(certStatus.marshal())
326 c.writeRecord(recordTypeHandshake, certStatus.marshal())
327 }
328
329 keyAgreement := hs.suite.ka(c.vers)
330 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello)
331 if err != nil {
332 c.sendAlert(alertHandshakeFailure)
333 return err
334 }
David Benjamin9c651c92014-07-12 13:27:45 -0400[diff] [blame]335 if skx != nil && !config.Bugs.SkipServerKeyExchange {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]336 hs.finishedHash.Write(skx.marshal())
337 c.writeRecord(recordTypeHandshake, skx.marshal())
338 }
339
340 if config.ClientAuth >= RequestClientCert {
341 // Request a client certificate
David Benjamin7b030512014-07-08 17:30:11 -0400[diff] [blame]342 certReq := &certificateRequestMsg{
343 certificateTypes: config.ClientCertificateTypes,
344 }
345 if certReq.certificateTypes == nil {
346 certReq.certificateTypes = []byte{
347 byte(CertTypeRSASign),
348 byte(CertTypeECDSASign),
349 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]350 }
351 if c.vers >= VersionTLS12 {
352 certReq.hasSignatureAndHash = true
353 certReq.signatureAndHashes = supportedClientCertSignatureAlgorithms
354 }
355
356 // An empty list of certificateAuthorities signals to
357 // the client that it may send any certificate in response
358 // to our request. When we know the CAs we trust, then
359 // we can send them down, so that the client can choose
360 // an appropriate certificate to give to us.
361 if config.ClientCAs != nil {
362 certReq.certificateAuthorities = config.ClientCAs.Subjects()
363 }
364 hs.finishedHash.Write(certReq.marshal())
365 c.writeRecord(recordTypeHandshake, certReq.marshal())
366 }
367
368 helloDone := new(serverHelloDoneMsg)
369 hs.finishedHash.Write(helloDone.marshal())
370 c.writeRecord(recordTypeHandshake, helloDone.marshal())
371
372 var pub crypto.PublicKey // public key for client auth, if any
373
374 msg, err := c.readHandshake()
375 if err != nil {
376 return err
377 }
378
379 var ok bool
380 // If we requested a client certificate, then the client must send a
381 // certificate message, even if it's empty.
382 if config.ClientAuth >= RequestClientCert {
383 if certMsg, ok = msg.(*certificateMsg); !ok {
384 c.sendAlert(alertUnexpectedMessage)
385 return unexpectedMessageError(certMsg, msg)
386 }
387 hs.finishedHash.Write(certMsg.marshal())
388
389 if len(certMsg.certificates) == 0 {
390 // The client didn't actually send a certificate
391 switch config.ClientAuth {
392 case RequireAnyClientCert, RequireAndVerifyClientCert:
393 c.sendAlert(alertBadCertificate)
394 return errors.New("tls: client didn't provide a certificate")
395 }
396 }
397
398 pub, err = hs.processCertsFromClient(certMsg.certificates)
399 if err != nil {
400 return err
401 }
402
403 msg, err = c.readHandshake()
404 if err != nil {
405 return err
406 }
407 }
408
409 // Get client key exchange
410 ckx, ok := msg.(*clientKeyExchangeMsg)
411 if !ok {
412 c.sendAlert(alertUnexpectedMessage)
413 return unexpectedMessageError(ckx, msg)
414 }
415 hs.finishedHash.Write(ckx.marshal())
416
417 // If we received a client cert in response to our certificate request message,
418 // the client will send us a certificateVerifyMsg immediately after the
419 // clientKeyExchangeMsg. This message is a digest of all preceding
420 // handshake-layer messages that is signed using the private key corresponding
421 // to the client's certificate. This allows us to verify that the client is in
422 // possession of the private key of the certificate.
423 if len(c.peerCertificates) > 0 {
424 msg, err = c.readHandshake()
425 if err != nil {
426 return err
427 }
428 certVerify, ok := msg.(*certificateVerifyMsg)
429 if !ok {
430 c.sendAlert(alertUnexpectedMessage)
431 return unexpectedMessageError(certVerify, msg)
432 }
433
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]434 // Determine the signature type.
435 var signatureAndHash signatureAndHash
436 if certVerify.hasSignatureAndHash {
437 signatureAndHash = certVerify.signatureAndHash
438 } else {
439 // Before TLS 1.2 the signature algorithm was implicit
440 // from the key type, and only one hash per signature
441 // algorithm was possible. Leave the hash as zero.
442 switch pub.(type) {
443 case *ecdsa.PublicKey:
444 signatureAndHash.signature = signatureECDSA
445 case *rsa.PublicKey:
446 signatureAndHash.signature = signatureRSA
447 }
448 }
449
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]450 switch key := pub.(type) {
451 case *ecdsa.PublicKey:
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]452 if signatureAndHash.signature != signatureECDSA {
453 err = errors.New("tls: bad signature type for client's ECDSA certificate")
454 break
455 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]456 ecdsaSig := new(ecdsaSignature)
457 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {
458 break
459 }
460 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
461 err = errors.New("ECDSA signature contained zero or negative values")
462 break
463 }
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]464 var digest []byte
465 digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash)
466 if err != nil {
467 break
468 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]469 if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {
470 err = errors.New("ECDSA verification failure")
471 break
472 }
473 case *rsa.PublicKey:
David Benjaminde620d92014-07-18 15:03:41 -0400[diff] [blame]474 if signatureAndHash.signature != signatureRSA {
475 err = errors.New("tls: bad signature type for client's RSA certificate")
476 break
477 }
478 var digest []byte
479 var hashFunc crypto.Hash
480 digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash)
481 if err != nil {
482 break
483 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]484 err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature)
485 }
486 if err != nil {
487 c.sendAlert(alertBadCertificate)
488 return errors.New("could not validate signature of connection nonces: " + err.Error())
489 }
490
491 hs.finishedHash.Write(certVerify.marshal())
492 }
493
494 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers)
495 if err != nil {
496 c.sendAlert(alertHandshakeFailure)
497 return err
498 }
499 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
500
501 return nil
502}
503
504func (hs *serverHandshakeState) establishKeys() error {
505 c := hs.c
506
507 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
508 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
509
510 var clientCipher, serverCipher interface{}
511 var clientHash, serverHash macFunction
512
513 if hs.suite.aead == nil {
514 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
515 clientHash = hs.suite.mac(c.vers, clientMAC)
516 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
517 serverHash = hs.suite.mac(c.vers, serverMAC)
518 } else {
519 clientCipher = hs.suite.aead(clientKey, clientIV)
520 serverCipher = hs.suite.aead(serverKey, serverIV)
521 }
522
523 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
524 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
525
526 return nil
527}
528
529func (hs *serverHandshakeState) readFinished() error {
530 c := hs.c
531
532 c.readRecord(recordTypeChangeCipherSpec)
533 if err := c.in.error(); err != nil {
534 return err
535 }
536
537 if hs.hello.nextProtoNeg {
538 msg, err := c.readHandshake()
539 if err != nil {
540 return err
541 }
542 nextProto, ok := msg.(*nextProtoMsg)
543 if !ok {
544 c.sendAlert(alertUnexpectedMessage)
545 return unexpectedMessageError(nextProto, msg)
546 }
547 hs.finishedHash.Write(nextProto.marshal())
548 c.clientProtocol = nextProto.proto
549 }
550
551 msg, err := c.readHandshake()
552 if err != nil {
553 return err
554 }
555 clientFinished, ok := msg.(*finishedMsg)
556 if !ok {
557 c.sendAlert(alertUnexpectedMessage)
558 return unexpectedMessageError(clientFinished, msg)
559 }
560
561 verify := hs.finishedHash.clientSum(hs.masterSecret)
562 if len(verify) != len(clientFinished.verifyData) ||
563 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
564 c.sendAlert(alertHandshakeFailure)
565 return errors.New("tls: client's Finished message is incorrect")
566 }
567
568 hs.finishedHash.Write(clientFinished.marshal())
569 return nil
570}
571
572func (hs *serverHandshakeState) sendSessionTicket() error {
David Benjamind23f4122014-07-23 15:09:48 -0400[diff] [blame]573 if !hs.hello.ticketSupported || hs.c.config.Bugs.SkipNewSessionTicket {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]574 return nil
575 }
576
577 c := hs.c
578 m := new(newSessionTicketMsg)
579
580 var err error
581 state := sessionState{
582 vers: c.vers,
583 cipherSuite: hs.suite.id,
584 masterSecret: hs.masterSecret,
585 certificates: hs.certsFromClient,
586 }
587 m.ticket, err = c.encryptTicket(&state)
588 if err != nil {
589 return err
590 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]591
592 hs.finishedHash.Write(m.marshal())
593 c.writeRecord(recordTypeHandshake, m.marshal())
594
595 return nil
596}
597
598func (hs *serverHandshakeState) sendFinished() error {
599 c := hs.c
600
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame^]601 finished := new(finishedMsg)
602 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
603 postCCSBytes := finished.marshal()
604 hs.finishedHash.Write(postCCSBytes)
605
606 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
607 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
608 postCCSBytes = postCCSBytes[5:]
609 }
610
David Benjamina0e52232014-07-19 17:39:58 -0400[diff] [blame]611 if !c.config.Bugs.SkipChangeCipherSpec {
612 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
613 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]614
David Benjamin86271ee2014-07-21 16:14:03 -0400[diff] [blame^]615 c.writeRecord(recordTypeHandshake, postCCSBytes)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]616
617 c.cipherSuite = hs.suite.id
618
619 return nil
620}
621
622// processCertsFromClient takes a chain of client certificates either from a
623// Certificates message or from a sessionState and verifies them. It returns
624// the public key of the leaf certificate.
625func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
626 c := hs.c
627
628 hs.certsFromClient = certificates
629 certs := make([]*x509.Certificate, len(certificates))
630 var err error
631 for i, asn1Data := range certificates {
632 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
633 c.sendAlert(alertBadCertificate)
634 return nil, errors.New("tls: failed to parse client certificate: " + err.Error())
635 }
636 }
637
638 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
639 opts := x509.VerifyOptions{
640 Roots: c.config.ClientCAs,
641 CurrentTime: c.config.time(),
642 Intermediates: x509.NewCertPool(),
643 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
644 }
645
646 for _, cert := range certs[1:] {
647 opts.Intermediates.AddCert(cert)
648 }
649
650 chains, err := certs[0].Verify(opts)
651 if err != nil {
652 c.sendAlert(alertBadCertificate)
653 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())
654 }
655
656 ok := false
657 for _, ku := range certs[0].ExtKeyUsage {
658 if ku == x509.ExtKeyUsageClientAuth {
659 ok = true
660 break
661 }
662 }
663 if !ok {
664 c.sendAlert(alertHandshakeFailure)
665 return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication")
666 }
667
668 c.verifiedChains = chains
669 }
670
671 if len(certs) > 0 {
672 var pub crypto.PublicKey
673 switch key := certs[0].PublicKey.(type) {
674 case *ecdsa.PublicKey, *rsa.PublicKey:
675 pub = key
676 default:
677 c.sendAlert(alertUnsupportedCertificate)
678 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
679 }
680 c.peerCertificates = certs
681 return pub, nil
682 }
683
684 return nil, nil
685}
686
687// tryCipherSuite returns a cipherSuite with the given id if that cipher suite
688// is acceptable to use.
689func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite {
690 for _, supported := range supportedCipherSuites {
691 if id == supported {
692 var candidate *cipherSuite
693
694 for _, s := range cipherSuites {
695 if s.id == id {
696 candidate = s
697 break
698 }
699 }
700 if candidate == nil {
701 continue
702 }
703 // Don't select a ciphersuite which we can't
704 // support for this client.
705 if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
706 continue
707 }
708 if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
709 continue
710 }
711 if version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
712 continue
713 }
714 return candidate
715 }
716 }
717
718 return nil
719}