search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge from mainline (167278:168000).
[official-gcc/graphite-test-results.git] / libgo / go / crypto / tls / handshake_client.go
blobb6b0e0fad3784f609c3ec1d3db88b02f2b5715a0
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 package tls
6
7 import (
8 "crypto/hmac"
9 "crypto/rc4"
10 "crypto/rsa"
11 "crypto/subtle"
12 "crypto/x509"
13 "io"
14 "os"
15 )
16
17 func (c *Conn) clientHandshake() os.Error {
18 finishedHash := newFinishedHash()
19
20 if c.config == nil {
21 c.config = defaultConfig()
22 }
23
24 hello := &clientHelloMsg{
25 vers: maxVersion,
26 cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA},
27 compressionMethods: []uint8{compressionNone},
28 random: make([]byte, 32),
29 ocspStapling: true,
30 serverName: c.config.ServerName,
31 }
32
33 t := uint32(c.config.Time())
34 hello.random[0] = byte(t >> 24)
35 hello.random[1] = byte(t >> 16)
36 hello.random[2] = byte(t >> 8)
37 hello.random[3] = byte(t)
38 _, err := io.ReadFull(c.config.Rand, hello.random[4:])
39 if err != nil {
40 c.sendAlert(alertInternalError)
41 return os.ErrorString("short read from Rand")
42 }
43
44 finishedHash.Write(hello.marshal())
45 c.writeRecord(recordTypeHandshake, hello.marshal())
46
47 msg, err := c.readHandshake()
48 if err != nil {
49 return err
50 }
51 serverHello, ok := msg.(*serverHelloMsg)
52 if !ok {
53 return c.sendAlert(alertUnexpectedMessage)
54 }
55 finishedHash.Write(serverHello.marshal())
56
57 vers, ok := mutualVersion(serverHello.vers)
58 if !ok {
59 c.sendAlert(alertProtocolVersion)
60 }
61 c.vers = vers
62 c.haveVers = true
63
64 if serverHello.cipherSuite != TLS_RSA_WITH_RC4_128_SHA ||
65 serverHello.compressionMethod != compressionNone {
66 return c.sendAlert(alertUnexpectedMessage)
67 }
68
69 msg, err = c.readHandshake()
70 if err != nil {
71 return err
72 }
73 certMsg, ok := msg.(*certificateMsg)
74 if !ok || len(certMsg.certificates) == 0 {
75 return c.sendAlert(alertUnexpectedMessage)
76 }
77 finishedHash.Write(certMsg.marshal())
78
79 certs := make([]*x509.Certificate, len(certMsg.certificates))
80 chain := NewCASet()
81 for i, asn1Data := range certMsg.certificates {
82 cert, err := x509.ParseCertificate(asn1Data)
83 if err != nil {
84 c.sendAlert(alertBadCertificate)
85 return os.ErrorString("failed to parse certificate from server: " + err.String())
86 }
87 certs[i] = cert
88 chain.AddCert(cert)
89 }
90
91 // If we don't have a root CA set configured then anything is accepted.
92 // TODO(rsc): Find certificates for OS X 10.6.
93 for cur := certs[0]; c.config.RootCAs != nil; {
94 parent := c.config.RootCAs.FindVerifiedParent(cur)
95 if parent != nil {
96 break
97 }
98
99 parent = chain.FindVerifiedParent(cur)
100 if parent == nil {
101 c.sendAlert(alertBadCertificate)
102 return os.ErrorString("could not find root certificate for chain")
103 }
104
105 if !parent.BasicConstraintsValid || !parent.IsCA {
106 c.sendAlert(alertBadCertificate)
107 return os.ErrorString("intermediate certificate does not have CA bit set")
108 }
109 // KeyUsage status flags are ignored. From Engineering
110 // Security, Peter Gutmann: A European government CA marked its
111 // signing certificates as being valid for encryption only, but
112 // no-one noticed. Another European CA marked its signature
113 // keys as not being valid for signatures. A different CA
114 // marked its own trusted root certificate as being invalid for
115 // certificate signing. Another national CA distributed a
116 // certificate to be used to encrypt data for the country’s tax
117 // authority that was marked as only being usable for digital
118 // signatures but not for encryption. Yet another CA reversed
119 // the order of the bit flags in the keyUsage due to confusion
120 // over encoding endianness, essentially setting a random
121 // keyUsage in certificates that it issued. Another CA created
122 // a self-invalidating certificate by adding a certificate
123 // policy statement stipulating that the certificate had to be
124 // used strictly as specified in the keyUsage, and a keyUsage
125 // containing a flag indicating that the RSA encryption key
126 // could only be used for Diffie-Hellman key agreement.
127
128 cur = parent
129 }
130
131 pub, ok := certs[0].PublicKey.(*rsa.PublicKey)
132 if !ok {
133 return c.sendAlert(alertUnsupportedCertificate)
134 }
135
136 c.peerCertificates = certs
137
138 if serverHello.certStatus {
139 msg, err = c.readHandshake()
140 if err != nil {
141 return err
142 }
143 cs, ok := msg.(*certificateStatusMsg)
144 if !ok {
145 return c.sendAlert(alertUnexpectedMessage)
146 }
147 finishedHash.Write(cs.marshal())
148
149 if cs.statusType == statusTypeOCSP {
150 c.ocspResponse = cs.response
151 }
152 }
153
154 msg, err = c.readHandshake()
155 if err != nil {
156 return err
157 }
158
159 transmitCert := false
160 certReq, ok := msg.(*certificateRequestMsg)
161 if ok {
162 // We only accept certificates with RSA keys.
163 rsaAvail := false
164 for _, certType := range certReq.certificateTypes {
165 if certType == certTypeRSASign {
166 rsaAvail = true
167 break
168 }
169 }
170
171 // For now, only send a certificate back if the server gives us an
172 // empty list of certificateAuthorities.
173 //
174 // RFC 4346 on the certificateAuthorities field:
175 // A list of the distinguished names of acceptable certificate
176 // authorities. These distinguished names may specify a desired
177 // distinguished name for a root CA or for a subordinate CA; thus,
178 // this message can be used to describe both known roots and a
179 // desired authorization space. If the certificate_authorities
180 // list is empty then the client MAY send any certificate of the
181 // appropriate ClientCertificateType, unless there is some
182 // external arrangement to the contrary.
183 if rsaAvail && len(certReq.certificateAuthorities) == 0 {
184 transmitCert = true
185 }
186
187 finishedHash.Write(certReq.marshal())
188
189 msg, err = c.readHandshake()
190 if err != nil {
191 return err
192 }
193 }
194
195 shd, ok := msg.(*serverHelloDoneMsg)
196 if !ok {
197 return c.sendAlert(alertUnexpectedMessage)
198 }
199 finishedHash.Write(shd.marshal())
200
201 var cert *x509.Certificate
202 if transmitCert {
203 certMsg = new(certificateMsg)
204 if len(c.config.Certificates) > 0 {
205 cert, err = x509.ParseCertificate(c.config.Certificates[0].Certificate[0])
206 if err == nil && cert.PublicKeyAlgorithm == x509.RSA {
207 certMsg.certificates = c.config.Certificates[0].Certificate
208 } else {
209 cert = nil
210 }
211 }
212 finishedHash.Write(certMsg.marshal())
213 c.writeRecord(recordTypeHandshake, certMsg.marshal())
214 }
215
216 ckx := new(clientKeyExchangeMsg)
217 preMasterSecret := make([]byte, 48)
218 preMasterSecret[0] = byte(hello.vers >> 8)
219 preMasterSecret[1] = byte(hello.vers)
220 _, err = io.ReadFull(c.config.Rand, preMasterSecret[2:])
221 if err != nil {
222 return c.sendAlert(alertInternalError)
223 }
224
225 ckx.ciphertext, err = rsa.EncryptPKCS1v15(c.config.Rand, pub, preMasterSecret)
226 if err != nil {
227 return c.sendAlert(alertInternalError)
228 }
229
230 finishedHash.Write(ckx.marshal())
231 c.writeRecord(recordTypeHandshake, ckx.marshal())
232
233 if cert != nil {
234 certVerify := new(certificateVerifyMsg)
235 var digest [36]byte
236 copy(digest[0:16], finishedHash.serverMD5.Sum())
237 copy(digest[16:36], finishedHash.serverSHA1.Sum())
238 signed, err := rsa.SignPKCS1v15(c.config.Rand, c.config.Certificates[0].PrivateKey, rsa.HashMD5SHA1, digest[0:])
239 if err != nil {
240 return c.sendAlert(alertInternalError)
241 }
242 certVerify.signature = signed
243
244 finishedHash.Write(certVerify.marshal())
245 c.writeRecord(recordTypeHandshake, certVerify.marshal())
246 }
247
248 suite := cipherSuites[0]
249 masterSecret, clientMAC, serverMAC, clientKey, serverKey :=
250 keysFromPreMasterSecret11(preMasterSecret, hello.random, serverHello.random, suite.hashLength, suite.cipherKeyLength)
251
252 cipher, _ := rc4.NewCipher(clientKey)
253
254 c.out.prepareCipherSpec(cipher, hmac.NewSHA1(clientMAC))
255 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
256
257 finished := new(finishedMsg)
258 finished.verifyData = finishedHash.clientSum(masterSecret)
259 finishedHash.Write(finished.marshal())
260 c.writeRecord(recordTypeHandshake, finished.marshal())
261
262 cipher2, _ := rc4.NewCipher(serverKey)
263 c.in.prepareCipherSpec(cipher2, hmac.NewSHA1(serverMAC))
264 c.readRecord(recordTypeChangeCipherSpec)
265 if c.err != nil {
266 return c.err
267 }
268
269 msg, err = c.readHandshake()
270 if err != nil {
271 return err
272 }
273 serverFinished, ok := msg.(*finishedMsg)
274 if !ok {
275 return c.sendAlert(alertUnexpectedMessage)
276 }
277
278 verify := finishedHash.serverSum(masterSecret)
279 if len(verify) != len(serverFinished.verifyData) ||
280 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
281 return c.sendAlert(alertHandshakeFailure)
282 }
283
284 c.handshakeComplete = true
285 c.cipherSuite = TLS_RSA_WITH_RC4_128_SHA
286 return nil
287 }
GCC graphite test results