search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
libgo: Merge to master revision 19184.
[official-gcc.git] / libgo / go / crypto / tls / handshake_client.go
blobfd1303eebb947ff7d3a35ad46530c44f6460a05c
1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
4
5 package tls
6
7 import (
8 "bytes"
9 "crypto/ecdsa"
10 "crypto/rsa"
11 "crypto/subtle"
12 "crypto/x509"
13 "encoding/asn1"
14 "errors"
15 "fmt"
16 "io"
17 "net"
18 "strconv"
19 )
20
21 type clientHandshakeState struct {
22 c *Conn
23 serverHello *serverHelloMsg
24 hello *clientHelloMsg
25 suite *cipherSuite
26 finishedHash finishedHash
27 masterSecret []byte
28 session *ClientSessionState
29 }
30
31 func (c *Conn) clientHandshake() error {
32 if c.config == nil {
33 c.config = defaultConfig()
34 }
35
36 hello := &clientHelloMsg{
37 vers: c.config.maxVersion(),
38 compressionMethods: []uint8{compressionNone},
39 random: make([]byte, 32),
40 ocspStapling: true,
41 serverName: c.config.ServerName,
42 supportedCurves: []uint16{curveP256, curveP384, curveP521},
43 supportedPoints: []uint8{pointFormatUncompressed},
44 nextProtoNeg: len(c.config.NextProtos) > 0,
45 secureRenegotiation: true,
46 }
47
48 possibleCipherSuites := c.config.cipherSuites()
49 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
50
51 NextCipherSuite:
52 for _, suiteId := range possibleCipherSuites {
53 for _, suite := range cipherSuites {
54 if suite.id != suiteId {
55 continue
56 }
57 // Don't advertise TLS 1.2-only cipher suites unless
58 // we're attempting TLS 1.2.
59 if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 {
60 continue
61 }
62 hello.cipherSuites = append(hello.cipherSuites, suiteId)
63 continue NextCipherSuite
64 }
65 }
66
67 _, err := io.ReadFull(c.config.rand(), hello.random)
68 if err != nil {
69 c.sendAlert(alertInternalError)
70 return errors.New("tls: short read from Rand: " + err.Error())
71 }
72
73 if hello.vers >= VersionTLS12 {
74 hello.signatureAndHashes = supportedSKXSignatureAlgorithms
75 }
76
77 var session *ClientSessionState
78 var cacheKey string
79 sessionCache := c.config.ClientSessionCache
80 if c.config.SessionTicketsDisabled {
81 sessionCache = nil
82 }
83
84 if sessionCache != nil {
85 hello.ticketSupported = true
86
87 // Try to resume a previously negotiated TLS session, if
88 // available.
89 cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
90 candidateSession, ok := sessionCache.Get(cacheKey)
91 if ok {
92 // Check that the ciphersuite/version used for the
93 // previous session are still valid.
94 cipherSuiteOk := false
95 for _, id := range hello.cipherSuites {
96 if id == candidateSession.cipherSuite {
97 cipherSuiteOk = true
98 break
99 }
100 }
101
102 versOk := candidateSession.vers >= c.config.minVersion() &&
103 candidateSession.vers <= c.config.maxVersion()
104 if versOk && cipherSuiteOk {
105 session = candidateSession
106 }
107 }
108 }
109
110 if session != nil {
111 hello.sessionTicket = session.sessionTicket
112 // A random session ID is used to detect when the
113 // server accepted the ticket and is resuming a session
114 // (see RFC 5077).
115 hello.sessionId = make([]byte, 16)
116 if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
117 c.sendAlert(alertInternalError)
118 return errors.New("tls: short read from Rand: " + err.Error())
119 }
120 }
121
122 c.writeRecord(recordTypeHandshake, hello.marshal())
123
124 msg, err := c.readHandshake()
125 if err != nil {
126 return err
127 }
128 serverHello, ok := msg.(*serverHelloMsg)
129 if !ok {
130 c.sendAlert(alertUnexpectedMessage)
131 return unexpectedMessageError(serverHello, msg)
132 }
133
134 vers, ok := c.config.mutualVersion(serverHello.vers)
135 if !ok || vers < VersionTLS10 {
136 // TLS 1.0 is the minimum version supported as a client.
137 c.sendAlert(alertProtocolVersion)
138 return fmt.Errorf("tls: server selected unsupported protocol version %x", serverHello.vers)
139 }
140 c.vers = vers
141 c.haveVers = true
142
143 suite := mutualCipherSuite(c.config.cipherSuites(), serverHello.cipherSuite)
144 if suite == nil {
145 c.sendAlert(alertHandshakeFailure)
146 return fmt.Errorf("tls: server selected an unsupported cipher suite")
147 }
148
149 hs := &clientHandshakeState{
150 c: c,
151 serverHello: serverHello,
152 hello: hello,
153 suite: suite,
154 finishedHash: newFinishedHash(c.vers),
155 session: session,
156 }
157
158 hs.finishedHash.Write(hs.hello.marshal())
159 hs.finishedHash.Write(hs.serverHello.marshal())
160
161 isResume, err := hs.processServerHello()
162 if err != nil {
163 return err
164 }
165
166 if isResume {
167 if err := hs.establishKeys(); err != nil {
168 return err
169 }
170 if err := hs.readSessionTicket(); err != nil {
171 return err
172 }
173 if err := hs.readFinished(); err != nil {
174 return err
175 }
176 if err := hs.sendFinished(); err != nil {
177 return err
178 }
179 } else {
180 if err := hs.doFullHandshake(); err != nil {
181 return err
182 }
183 if err := hs.establishKeys(); err != nil {
184 return err
185 }
186 if err := hs.sendFinished(); err != nil {
187 return err
188 }
189 if err := hs.readSessionTicket(); err != nil {
190 return err
191 }
192 if err := hs.readFinished(); err != nil {
193 return err
194 }
195 }
196
197 if sessionCache != nil && hs.session != nil && session != hs.session {
198 sessionCache.Put(cacheKey, hs.session)
199 }
200
201 c.didResume = isResume
202 c.handshakeComplete = true
203 c.cipherSuite = suite.id
204 return nil
205 }
206
207 func (hs *clientHandshakeState) doFullHandshake() error {
208 c := hs.c
209
210 msg, err := c.readHandshake()
211 if err != nil {
212 return err
213 }
214 certMsg, ok := msg.(*certificateMsg)
215 if !ok || len(certMsg.certificates) == 0 {
216 c.sendAlert(alertUnexpectedMessage)
217 return unexpectedMessageError(certMsg, msg)
218 }
219 hs.finishedHash.Write(certMsg.marshal())
220
221 certs := make([]*x509.Certificate, len(certMsg.certificates))
222 for i, asn1Data := range certMsg.certificates {
223 cert, err := x509.ParseCertificate(asn1Data)
224 if err != nil {
225 c.sendAlert(alertBadCertificate)
226 return errors.New("tls: failed to parse certificate from server: " + err.Error())
227 }
228 certs[i] = cert
229 }
230
231 if !c.config.InsecureSkipVerify {
232 opts := x509.VerifyOptions{
233 Roots: c.config.RootCAs,
234 CurrentTime: c.config.time(),
235 DNSName: c.config.ServerName,
236 Intermediates: x509.NewCertPool(),
237 }
238
239 for i, cert := range certs {
240 if i == 0 {
241 continue
242 }
243 opts.Intermediates.AddCert(cert)
244 }
245 c.verifiedChains, err = certs[0].Verify(opts)
246 if err != nil {
247 c.sendAlert(alertBadCertificate)
248 return err
249 }
250 }
251
252 switch certs[0].PublicKey.(type) {
253 case *rsa.PublicKey, *ecdsa.PublicKey:
254 break
255 default:
256 c.sendAlert(alertUnsupportedCertificate)
257 return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
258 }
259
260 c.peerCertificates = certs
261
262 if hs.serverHello.ocspStapling {
263 msg, err = c.readHandshake()
264 if err != nil {
265 return err
266 }
267 cs, ok := msg.(*certificateStatusMsg)
268 if !ok {
269 c.sendAlert(alertUnexpectedMessage)
270 return unexpectedMessageError(cs, msg)
271 }
272 hs.finishedHash.Write(cs.marshal())
273
274 if cs.statusType == statusTypeOCSP {
275 c.ocspResponse = cs.response
276 }
277 }
278
279 msg, err = c.readHandshake()
280 if err != nil {
281 return err
282 }
283
284 keyAgreement := hs.suite.ka(c.vers)
285
286 skx, ok := msg.(*serverKeyExchangeMsg)
287 if ok {
288 hs.finishedHash.Write(skx.marshal())
289 err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, certs[0], skx)
290 if err != nil {
291 c.sendAlert(alertUnexpectedMessage)
292 return err
293 }
294
295 msg, err = c.readHandshake()
296 if err != nil {
297 return err
298 }
299 }
300
301 var chainToSend *Certificate
302 var certRequested bool
303 certReq, ok := msg.(*certificateRequestMsg)
304 if ok {
305 certRequested = true
306
307 // RFC 4346 on the certificateAuthorities field:
308 // A list of the distinguished names of acceptable certificate
309 // authorities. These distinguished names may specify a desired
310 // distinguished name for a root CA or for a subordinate CA;
311 // thus, this message can be used to describe both known roots
312 // and a desired authorization space. If the
313 // certificate_authorities list is empty then the client MAY
314 // send any certificate of the appropriate
315 // ClientCertificateType, unless there is some external
316 // arrangement to the contrary.
317
318 hs.finishedHash.Write(certReq.marshal())
319
320 var rsaAvail, ecdsaAvail bool
321 for _, certType := range certReq.certificateTypes {
322 switch certType {
323 case certTypeRSASign:
324 rsaAvail = true
325 case certTypeECDSASign:
326 ecdsaAvail = true
327 }
328 }
329
330 // We need to search our list of client certs for one
331 // where SignatureAlgorithm is RSA and the Issuer is in
332 // certReq.certificateAuthorities
333 findCert:
334 for i, chain := range c.config.Certificates {
335 if !rsaAvail && !ecdsaAvail {
336 continue
337 }
338
339 for j, cert := range chain.Certificate {
340 x509Cert := chain.Leaf
341 // parse the certificate if this isn't the leaf
342 // node, or if chain.Leaf was nil
343 if j != 0 || x509Cert == nil {
344 if x509Cert, err = x509.ParseCertificate(cert); err != nil {
345 c.sendAlert(alertInternalError)
346 return errors.New("tls: failed to parse client certificate #" + strconv.Itoa(i) + ": " + err.Error())
347 }
348 }
349
350 switch {
351 case rsaAvail && x509Cert.PublicKeyAlgorithm == x509.RSA:
352 case ecdsaAvail && x509Cert.PublicKeyAlgorithm == x509.ECDSA:
353 default:
354 continue findCert
355 }
356
357 if len(certReq.certificateAuthorities) == 0 {
358 // they gave us an empty list, so just take the
359 // first RSA cert from c.config.Certificates
360 chainToSend = &chain
361 break findCert
362 }
363
364 for _, ca := range certReq.certificateAuthorities {
365 if bytes.Equal(x509Cert.RawIssuer, ca) {
366 chainToSend = &chain
367 break findCert
368 }
369 }
370 }
371 }
372
373 msg, err = c.readHandshake()
374 if err != nil {
375 return err
376 }
377 }
378
379 shd, ok := msg.(*serverHelloDoneMsg)
380 if !ok {
381 c.sendAlert(alertUnexpectedMessage)
382 return unexpectedMessageError(shd, msg)
383 }
384 hs.finishedHash.Write(shd.marshal())
385
386 // If the server requested a certificate then we have to send a
387 // Certificate message, even if it's empty because we don't have a
388 // certificate to send.
389 if certRequested {
390 certMsg = new(certificateMsg)
391 if chainToSend != nil {
392 certMsg.certificates = chainToSend.Certificate
393 }
394 hs.finishedHash.Write(certMsg.marshal())
395 c.writeRecord(recordTypeHandshake, certMsg.marshal())
396 }
397
398 preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, certs[0])
399 if err != nil {
400 c.sendAlert(alertInternalError)
401 return err
402 }
403 if ckx != nil {
404 hs.finishedHash.Write(ckx.marshal())
405 c.writeRecord(recordTypeHandshake, ckx.marshal())
406 }
407
408 if chainToSend != nil {
409 var signed []byte
410 certVerify := &certificateVerifyMsg{
411 hasSignatureAndHash: c.vers >= VersionTLS12,
412 }
413
414 switch key := c.config.Certificates[0].PrivateKey.(type) {
415 case *ecdsa.PrivateKey:
416 digest, _, hashId := hs.finishedHash.hashForClientCertificate(signatureECDSA)
417 r, s, err := ecdsa.Sign(c.config.rand(), key, digest)
418 if err == nil {
419 signed, err = asn1.Marshal(ecdsaSignature{r, s})
420 }
421 certVerify.signatureAndHash.signature = signatureECDSA
422 certVerify.signatureAndHash.hash = hashId
423 case *rsa.PrivateKey:
424 digest, hashFunc, hashId := hs.finishedHash.hashForClientCertificate(signatureRSA)
425 signed, err = rsa.SignPKCS1v15(c.config.rand(), key, hashFunc, digest)
426 certVerify.signatureAndHash.signature = signatureRSA
427 certVerify.signatureAndHash.hash = hashId
428 default:
429 err = errors.New("unknown private key type")
430 }
431 if err != nil {
432 c.sendAlert(alertInternalError)
433 return errors.New("tls: failed to sign handshake with client certificate: " + err.Error())
434 }
435 certVerify.signature = signed
436
437 hs.finishedHash.Write(certVerify.marshal())
438 c.writeRecord(recordTypeHandshake, certVerify.marshal())
439 }
440
441 hs.masterSecret = masterFromPreMasterSecret(c.vers, preMasterSecret, hs.hello.random, hs.serverHello.random)
442 return nil
443 }
444
445 func (hs *clientHandshakeState) establishKeys() error {
446 c := hs.c
447
448 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
449 keysFromMasterSecret(c.vers, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
450 var clientCipher, serverCipher interface{}
451 var clientHash, serverHash macFunction
452 if hs.suite.cipher != nil {
453 clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */)
454 clientHash = hs.suite.mac(c.vers, clientMAC)
455 serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */)
456 serverHash = hs.suite.mac(c.vers, serverMAC)
457 } else {
458 clientCipher = hs.suite.aead(clientKey, clientIV)
459 serverCipher = hs.suite.aead(serverKey, serverIV)
460 }
461
462 c.in.prepareCipherSpec(c.vers, serverCipher, serverHash)
463 c.out.prepareCipherSpec(c.vers, clientCipher, clientHash)
464 return nil
465 }
466
467 func (hs *clientHandshakeState) serverResumedSession() bool {
468 // If the server responded with the same sessionId then it means the
469 // sessionTicket is being used to resume a TLS session.
470 return hs.session != nil && hs.hello.sessionId != nil &&
471 bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId)
472 }
473
474 func (hs *clientHandshakeState) processServerHello() (bool, error) {
475 c := hs.c
476
477 if hs.serverHello.compressionMethod != compressionNone {
478 c.sendAlert(alertUnexpectedMessage)
479 return false, errors.New("tls: server selected unsupported compression format")
480 }
481
482 if !hs.hello.nextProtoNeg && hs.serverHello.nextProtoNeg {
483 c.sendAlert(alertHandshakeFailure)
484 return false, errors.New("server advertised unrequested NPN extension")
485 }
486
487 if hs.serverResumedSession() {
488 // Restore masterSecret and peerCerts from previous state
489 hs.masterSecret = hs.session.masterSecret
490 c.peerCertificates = hs.session.serverCertificates
491 return true, nil
492 }
493 return false, nil
494 }
495
496 func (hs *clientHandshakeState) readFinished() error {
497 c := hs.c
498
499 c.readRecord(recordTypeChangeCipherSpec)
500 if err := c.error(); err != nil {
501 return err
502 }
503
504 msg, err := c.readHandshake()
505 if err != nil {
506 return err
507 }
508 serverFinished, ok := msg.(*finishedMsg)
509 if !ok {
510 c.sendAlert(alertUnexpectedMessage)
511 return unexpectedMessageError(serverFinished, msg)
512 }
513
514 verify := hs.finishedHash.serverSum(hs.masterSecret)
515 if len(verify) != len(serverFinished.verifyData) ||
516 subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 {
517 c.sendAlert(alertHandshakeFailure)
518 return errors.New("tls: server's Finished message was incorrect")
519 }
520 hs.finishedHash.Write(serverFinished.marshal())
521 return nil
522 }
523
524 func (hs *clientHandshakeState) readSessionTicket() error {
525 if !hs.serverHello.ticketSupported {
526 return nil
527 }
528
529 c := hs.c
530 msg, err := c.readHandshake()
531 if err != nil {
532 return err
533 }
534 sessionTicketMsg, ok := msg.(*newSessionTicketMsg)
535 if !ok {
536 c.sendAlert(alertUnexpectedMessage)
537 return unexpectedMessageError(sessionTicketMsg, msg)
538 }
539 hs.finishedHash.Write(sessionTicketMsg.marshal())
540
541 hs.session = &ClientSessionState{
542 sessionTicket: sessionTicketMsg.ticket,
543 vers: c.vers,
544 cipherSuite: hs.suite.id,
545 masterSecret: hs.masterSecret,
546 serverCertificates: c.peerCertificates,
547 }
548
549 return nil
550 }
551
552 func (hs *clientHandshakeState) sendFinished() error {
553 c := hs.c
554
555 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
556 if hs.serverHello.nextProtoNeg {
557 nextProto := new(nextProtoMsg)
558 proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)
559 nextProto.proto = proto
560 c.clientProtocol = proto
561 c.clientProtocolFallback = fallback
562
563 hs.finishedHash.Write(nextProto.marshal())
564 c.writeRecord(recordTypeHandshake, nextProto.marshal())
565 }
566
567 finished := new(finishedMsg)
568 finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
569 hs.finishedHash.Write(finished.marshal())
570 c.writeRecord(recordTypeHandshake, finished.marshal())
571 return nil
572 }
573
574 // clientSessionCacheKey returns a key used to cache sessionTickets that could
575 // be used to resume previously negotiated TLS sessions with a server.
576 func clientSessionCacheKey(serverAddr net.Addr, config *Config) string {
577 if len(config.ServerName) > 0 {
578 return config.ServerName
579 }
580 return serverAddr.String()
581 }
582
583 // mutualProtocol finds the mutual Next Protocol Negotiation protocol given the
584 // set of client and server supported protocols. The set of client supported
585 // protocols must not be empty. It returns the resulting protocol and flag
586 // indicating if the fallback case was reached.
587 func mutualProtocol(clientProtos, serverProtos []string) (string, bool) {
588 for _, s := range serverProtos {
589 for _, c := range clientProtos {
590 if s == c {
591 return s, false
592 }
593 }
594 }
595
596 return clientProtos[0], true
597 }
Mirror of the offical gcc git repository hosted at gcc.gnu.org