1 // Copyright 2018 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
20 // maxClientPSKIdentities is the number of client PSK identities the server will
21 // attempt to validate. It will ignore the rest not to let cheap ClientHello
22 // messages cause too much work in session ticket decryption attempts.
23 const maxClientPSKIdentities = 5
25 type serverHandshakeStateTLS13 struct {
28 clientHello *clientHelloMsg
32 suite *cipherSuiteTLS13
34 sigAlg SignatureScheme
37 handshakeSecret []byte
39 trafficSecret []byte // client_application_traffic_secret_0
44 func (hs *serverHandshakeStateTLS13) handshake() error {
48 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
51 // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2.
52 if err := hs.processClientHello(); err != nil {
55 if err := hs.checkForResumption(); err != nil {
58 if err := hs.pickCertificate(); err != nil {
62 if err := hs.sendServerParameters(); err != nil {
65 if err := hs.sendServerCertificate(); err != nil {
68 if err := hs.sendServerFinished(); err != nil {
71 // Note that at this point we could start sending application data without
72 // waiting for the client's second flight, but the application might not
73 // expect the lack of replay protection of the ClientHello parameters.
74 if _, err := c.flush(); err != nil {
77 if err := hs.readClientCertificate(); err != nil {
80 if err := hs.readClientFinished(); err != nil {
84 atomic.StoreUint32(&c.handshakeStatus, 1)
89 func (hs *serverHandshakeStateTLS13) processClientHello() error {
92 hs.hello = new(serverHelloMsg)
94 // TLS 1.3 froze the ServerHello.legacy_version field, and uses
95 // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1.
96 hs.hello.vers = VersionTLS12
97 hs.hello.supportedVersion = c.vers
99 if len(hs.clientHello.supportedVersions) == 0 {
100 c.sendAlert(alertIllegalParameter)
101 return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
104 // Abort if the client is doing a fallback and landing lower than what we
105 // support. See RFC 7507, which however does not specify the interaction
106 // with supported_versions. The only difference is that with
107 // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4]
108 // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case,
109 // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to
110 // TLS 1.2, because a TLS 1.3 server would abort here. The situation before
111 // supported_versions was not better because there was just no way to do a
112 // TLS 1.4 handshake without risking the server selecting TLS 1.3.
113 for _, id := range hs.clientHello.cipherSuites {
114 if id == TLS_FALLBACK_SCSV {
115 // Use c.vers instead of max(supported_versions) because an attacker
116 // could defeat this by adding an arbitrary high version otherwise.
117 if c.vers < c.config.maxSupportedVersion() {
118 c.sendAlert(alertInappropriateFallback)
119 return errors.New("tls: client using inappropriate protocol fallback")
125 if len(hs.clientHello.compressionMethods) != 1 ||
126 hs.clientHello.compressionMethods[0] != compressionNone {
127 c.sendAlert(alertIllegalParameter)
128 return errors.New("tls: TLS 1.3 client supports illegal compression methods")
131 hs.hello.random = make([]byte, 32)
132 if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
133 c.sendAlert(alertInternalError)
137 if len(hs.clientHello.secureRenegotiation) != 0 {
138 c.sendAlert(alertHandshakeFailure)
139 return errors.New("tls: initial handshake had non-empty renegotiation extension")
142 if hs.clientHello.earlyData {
143 // See RFC 8446, Section 4.2.10 for the complicated behavior required
144 // here. The scenario is that a different server at our address offered
145 // to accept early data in the past, which we can't handle. For now, all
146 // 0-RTT enabled session tickets need to expire before a Go server can
147 // replace a server or join a pool. That's the same requirement that
148 // applies to mixing or replacing with any TLS 1.2 server.
149 c.sendAlert(alertUnsupportedExtension)
150 return errors.New("tls: client sent unexpected early data")
153 hs.hello.sessionId = hs.clientHello.sessionId
154 hs.hello.compressionMethod = compressionNone
156 preferenceList := defaultCipherSuitesTLS13
157 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) {
158 preferenceList = defaultCipherSuitesTLS13NoAES
160 for _, suiteID := range preferenceList {
161 hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID)
167 c.sendAlert(alertHandshakeFailure)
168 return errors.New("tls: no cipher suite supported by both client and server")
170 c.cipherSuite = hs.suite.id
171 hs.hello.cipherSuite = hs.suite.id
172 hs.transcript = hs.suite.hash.New()
174 // Pick the ECDHE group in server preference order, but give priority to
175 // groups with a key share, to avoid a HelloRetryRequest round-trip.
176 var selectedGroup CurveID
177 var clientKeyShare *keyShare
179 for _, preferredGroup := range c.config.curvePreferences() {
180 for _, ks := range hs.clientHello.keyShares {
181 if ks.group == preferredGroup {
182 selectedGroup = ks.group
187 if selectedGroup != 0 {
190 for _, group := range hs.clientHello.supportedCurves {
191 if group == preferredGroup {
192 selectedGroup = group
197 if selectedGroup == 0 {
198 c.sendAlert(alertHandshakeFailure)
199 return errors.New("tls: no ECDHE curve supported by both client and server")
201 if clientKeyShare == nil {
202 if err := hs.doHelloRetryRequest(selectedGroup); err != nil {
205 clientKeyShare = &hs.clientHello.keyShares[0]
208 if _, ok := curveForCurveID(selectedGroup); selectedGroup != X25519 && !ok {
209 c.sendAlert(alertInternalError)
210 return errors.New("tls: CurvePreferences includes unsupported curve")
212 params, err := generateECDHEParameters(c.config.rand(), selectedGroup)
214 c.sendAlert(alertInternalError)
217 hs.hello.serverShare = keyShare{group: selectedGroup, data: params.PublicKey()}
218 hs.sharedKey = params.SharedKey(clientKeyShare.data)
219 if hs.sharedKey == nil {
220 c.sendAlert(alertIllegalParameter)
221 return errors.New("tls: invalid client key share")
224 c.serverName = hs.clientHello.serverName
228 func (hs *serverHandshakeStateTLS13) checkForResumption() error {
231 if c.config.SessionTicketsDisabled {
236 for _, mode := range hs.clientHello.pskModes {
237 if mode == pskModeDHE {
246 if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) {
247 c.sendAlert(alertIllegalParameter)
248 return errors.New("tls: invalid or missing PSK binders")
250 if len(hs.clientHello.pskIdentities) == 0 {
254 for i, identity := range hs.clientHello.pskIdentities {
255 if i >= maxClientPSKIdentities {
259 plaintext, _ := c.decryptTicket(identity.label)
260 if plaintext == nil {
263 sessionState := new(sessionStateTLS13)
264 if ok := sessionState.unmarshal(plaintext); !ok {
268 createdAt := time.Unix(int64(sessionState.createdAt), 0)
269 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
273 // We don't check the obfuscated ticket age because it's affected by
274 // clock skew and it's only a freshness signal useful for shrinking the
275 // window for replay attacks, which don't affect us as we don't do 0-RTT.
277 pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite)
278 if pskSuite == nil || pskSuite.hash != hs.suite.hash {
282 // PSK connections don't re-establish client certificates, but carry
283 // them over in the session ticket. Ensure the presence of client certs
284 // in the ticket is consistent with the configured requirements.
285 sessionHasClientCerts := len(sessionState.certificate.Certificate) != 0
286 needClientCerts := requiresClientCert(c.config.ClientAuth)
287 if needClientCerts && !sessionHasClientCerts {
290 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
294 psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption",
295 nil, hs.suite.hash.Size())
296 hs.earlySecret = hs.suite.extract(psk, nil)
297 binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
298 // Clone the transcript in case a HelloRetryRequest was recorded.
299 transcript := cloneHash(hs.transcript, hs.suite.hash)
300 if transcript == nil {
301 c.sendAlert(alertInternalError)
302 return errors.New("tls: internal error: failed to clone hash")
304 transcript.Write(hs.clientHello.marshalWithoutBinders())
305 pskBinder := hs.suite.finishedHash(binderKey, transcript)
306 if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) {
307 c.sendAlert(alertDecryptError)
308 return errors.New("tls: invalid PSK binder")
312 if err := c.processCertsFromClient(sessionState.certificate); err != nil {
316 hs.hello.selectedIdentityPresent = true
317 hs.hello.selectedIdentity = uint16(i)
325 // cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler
326 // interfaces implemented by standard library hashes to clone the state of in
327 // to a new instance of h. It returns nil if the operation fails.
328 func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash {
329 // Recreate the interface to avoid importing encoding.
330 type binaryMarshaler interface {
331 MarshalBinary() (data []byte, err error)
332 UnmarshalBinary(data []byte) error
334 marshaler, ok := in.(binaryMarshaler)
338 state, err := marshaler.MarshalBinary()
343 unmarshaler, ok := out.(binaryMarshaler)
347 if err := unmarshaler.UnmarshalBinary(state); err != nil {
353 func (hs *serverHandshakeStateTLS13) pickCertificate() error {
356 // Only one of PSK and certificates are used at a time.
361 // signature_algorithms is required in TLS 1.3. See RFC 8446, Section 4.2.3.
362 if len(hs.clientHello.supportedSignatureAlgorithms) == 0 {
363 return c.sendAlert(alertMissingExtension)
366 certificate, err := c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello))
368 if err == errNoCertificates {
369 c.sendAlert(alertUnrecognizedName)
371 c.sendAlert(alertInternalError)
375 hs.sigAlg, err = selectSignatureScheme(c.vers, certificate, hs.clientHello.supportedSignatureAlgorithms)
377 // getCertificate returned a certificate that is unsupported or
378 // incompatible with the client's signature algorithms.
379 c.sendAlert(alertHandshakeFailure)
382 hs.cert = certificate
387 // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
388 // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
389 func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
393 hs.sentDummyCCS = true
395 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
399 func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error {
402 // The first ClientHello gets double-hashed into the transcript upon a
403 // HelloRetryRequest. See RFC 8446, Section 4.4.1.
404 hs.transcript.Write(hs.clientHello.marshal())
405 chHash := hs.transcript.Sum(nil)
406 hs.transcript.Reset()
407 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
408 hs.transcript.Write(chHash)
410 helloRetryRequest := &serverHelloMsg{
412 random: helloRetryRequestRandom,
413 sessionId: hs.hello.sessionId,
414 cipherSuite: hs.hello.cipherSuite,
415 compressionMethod: hs.hello.compressionMethod,
416 supportedVersion: hs.hello.supportedVersion,
417 selectedGroup: selectedGroup,
420 hs.transcript.Write(helloRetryRequest.marshal())
421 if _, err := c.writeRecord(recordTypeHandshake, helloRetryRequest.marshal()); err != nil {
425 if err := hs.sendDummyChangeCipherSpec(); err != nil {
429 msg, err := c.readHandshake()
434 clientHello, ok := msg.(*clientHelloMsg)
436 c.sendAlert(alertUnexpectedMessage)
437 return unexpectedMessageError(clientHello, msg)
440 if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup {
441 c.sendAlert(alertIllegalParameter)
442 return errors.New("tls: client sent invalid key share in second ClientHello")
445 if clientHello.earlyData {
446 c.sendAlert(alertIllegalParameter)
447 return errors.New("tls: client indicated early data in second ClientHello")
450 if illegalClientHelloChange(clientHello, hs.clientHello) {
451 c.sendAlert(alertIllegalParameter)
452 return errors.New("tls: client illegally modified second ClientHello")
455 hs.clientHello = clientHello
459 // illegalClientHelloChange reports whether the two ClientHello messages are
460 // different, with the exception of the changes allowed before and after a
461 // HelloRetryRequest. See RFC 8446, Section 4.1.2.
462 func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool {
463 if len(ch.supportedVersions) != len(ch1.supportedVersions) ||
464 len(ch.cipherSuites) != len(ch1.cipherSuites) ||
465 len(ch.supportedCurves) != len(ch1.supportedCurves) ||
466 len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) ||
467 len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) ||
468 len(ch.alpnProtocols) != len(ch1.alpnProtocols) {
471 for i := range ch.supportedVersions {
472 if ch.supportedVersions[i] != ch1.supportedVersions[i] {
476 for i := range ch.cipherSuites {
477 if ch.cipherSuites[i] != ch1.cipherSuites[i] {
481 for i := range ch.supportedCurves {
482 if ch.supportedCurves[i] != ch1.supportedCurves[i] {
486 for i := range ch.supportedSignatureAlgorithms {
487 if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] {
491 for i := range ch.supportedSignatureAlgorithmsCert {
492 if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] {
496 for i := range ch.alpnProtocols {
497 if ch.alpnProtocols[i] != ch1.alpnProtocols[i] {
501 return ch.vers != ch1.vers ||
502 !bytes.Equal(ch.random, ch1.random) ||
503 !bytes.Equal(ch.sessionId, ch1.sessionId) ||
504 !bytes.Equal(ch.compressionMethods, ch1.compressionMethods) ||
505 ch.serverName != ch1.serverName ||
506 ch.ocspStapling != ch1.ocspStapling ||
507 !bytes.Equal(ch.supportedPoints, ch1.supportedPoints) ||
508 ch.ticketSupported != ch1.ticketSupported ||
509 !bytes.Equal(ch.sessionTicket, ch1.sessionTicket) ||
510 ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported ||
511 !bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) ||
512 ch.scts != ch1.scts ||
513 !bytes.Equal(ch.cookie, ch1.cookie) ||
514 !bytes.Equal(ch.pskModes, ch1.pskModes)
517 func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
520 hs.transcript.Write(hs.clientHello.marshal())
521 hs.transcript.Write(hs.hello.marshal())
522 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
526 if err := hs.sendDummyChangeCipherSpec(); err != nil {
530 earlySecret := hs.earlySecret
531 if earlySecret == nil {
532 earlySecret = hs.suite.extract(nil, nil)
534 hs.handshakeSecret = hs.suite.extract(hs.sharedKey,
535 hs.suite.deriveSecret(earlySecret, "derived", nil))
537 clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
538 clientHandshakeTrafficLabel, hs.transcript)
539 c.in.setTrafficSecret(hs.suite, clientSecret)
540 serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
541 serverHandshakeTrafficLabel, hs.transcript)
542 c.out.setTrafficSecret(hs.suite, serverSecret)
544 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
546 c.sendAlert(alertInternalError)
549 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret)
551 c.sendAlert(alertInternalError)
555 encryptedExtensions := new(encryptedExtensionsMsg)
557 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
559 c.sendAlert(alertNoApplicationProtocol)
562 encryptedExtensions.alpnProtocol = selectedProto
563 c.clientProtocol = selectedProto
565 hs.transcript.Write(encryptedExtensions.marshal())
566 if _, err := c.writeRecord(recordTypeHandshake, encryptedExtensions.marshal()); err != nil {
573 func (hs *serverHandshakeStateTLS13) requestClientCert() bool {
574 return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK
577 func (hs *serverHandshakeStateTLS13) sendServerCertificate() error {
580 // Only one of PSK and certificates are used at a time.
585 if hs.requestClientCert() {
586 // Request a client certificate
587 certReq := new(certificateRequestMsgTLS13)
588 certReq.ocspStapling = true
590 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
591 if c.config.ClientCAs != nil {
592 certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
595 hs.transcript.Write(certReq.marshal())
596 if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
601 certMsg := new(certificateMsgTLS13)
603 certMsg.certificate = *hs.cert
604 certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0
605 certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0
607 hs.transcript.Write(certMsg.marshal())
608 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil {
612 certVerifyMsg := new(certificateVerifyMsg)
613 certVerifyMsg.hasSignatureAlgorithm = true
614 certVerifyMsg.signatureAlgorithm = hs.sigAlg
616 sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg)
618 return c.sendAlert(alertInternalError)
621 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
622 signOpts := crypto.SignerOpts(sigHash)
623 if sigType == signatureRSAPSS {
624 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
626 sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
628 public := hs.cert.PrivateKey.(crypto.Signer).Public()
629 if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS &&
630 rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS
631 c.sendAlert(alertHandshakeFailure)
633 c.sendAlert(alertInternalError)
635 return errors.New("tls: failed to sign handshake: " + err.Error())
637 certVerifyMsg.signature = sig
639 hs.transcript.Write(certVerifyMsg.marshal())
640 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil {
647 func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
650 finished := &finishedMsg{
651 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
654 hs.transcript.Write(finished.marshal())
655 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil {
659 // Derive secrets that take context through the server Finished.
661 hs.masterSecret = hs.suite.extract(nil,
662 hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil))
664 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
665 clientApplicationTrafficLabel, hs.transcript)
666 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
667 serverApplicationTrafficLabel, hs.transcript)
668 c.out.setTrafficSecret(hs.suite, serverSecret)
670 err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret)
672 c.sendAlert(alertInternalError)
675 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret)
677 c.sendAlert(alertInternalError)
681 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
683 // If we did not request client certificates, at this point we can
684 // precompute the client finished and roll the transcript forward to send
685 // session tickets in our first flight.
686 if !hs.requestClientCert() {
687 if err := hs.sendSessionTickets(); err != nil {
695 func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool {
696 if hs.c.config.SessionTicketsDisabled {
700 // Don't send tickets the client wouldn't use. See RFC 8446, Section 4.2.9.
701 for _, pskMode := range hs.clientHello.pskModes {
702 if pskMode == pskModeDHE {
709 func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
712 hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
713 finishedMsg := &finishedMsg{
714 verifyData: hs.clientFinished,
716 hs.transcript.Write(finishedMsg.marshal())
718 if !hs.shouldSendSessionTickets() {
722 resumptionSecret := hs.suite.deriveSecret(hs.masterSecret,
723 resumptionLabel, hs.transcript)
725 m := new(newSessionTicketMsgTLS13)
727 var certsFromClient [][]byte
728 for _, cert := range c.peerCertificates {
729 certsFromClient = append(certsFromClient, cert.Raw)
731 state := sessionStateTLS13{
732 cipherSuite: hs.suite.id,
733 createdAt: uint64(c.config.time().Unix()),
734 resumptionSecret: resumptionSecret,
735 certificate: Certificate{
736 Certificate: certsFromClient,
737 OCSPStaple: c.ocspResponse,
738 SignedCertificateTimestamps: c.scts,
742 m.label, err = c.encryptTicket(state.marshal())
746 m.lifetime = uint32(maxSessionTicketLifetime / time.Second)
748 if _, err := c.writeRecord(recordTypeHandshake, m.marshal()); err != nil {
755 func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
758 if !hs.requestClientCert() {
759 // Make sure the connection is still being verified whether or not
760 // the server requested a client certificate.
761 if c.config.VerifyConnection != nil {
762 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
763 c.sendAlert(alertBadCertificate)
770 // If we requested a client certificate, then the client must send a
771 // certificate message. If it's empty, no CertificateVerify is sent.
773 msg, err := c.readHandshake()
778 certMsg, ok := msg.(*certificateMsgTLS13)
780 c.sendAlert(alertUnexpectedMessage)
781 return unexpectedMessageError(certMsg, msg)
783 hs.transcript.Write(certMsg.marshal())
785 if err := c.processCertsFromClient(certMsg.certificate); err != nil {
789 if c.config.VerifyConnection != nil {
790 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
791 c.sendAlert(alertBadCertificate)
796 if len(certMsg.certificate.Certificate) != 0 {
797 msg, err = c.readHandshake()
802 certVerify, ok := msg.(*certificateVerifyMsg)
804 c.sendAlert(alertUnexpectedMessage)
805 return unexpectedMessageError(certVerify, msg)
808 // See RFC 8446, Section 4.4.3.
809 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
810 c.sendAlert(alertIllegalParameter)
811 return errors.New("tls: client certificate used with invalid signature algorithm")
813 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
815 return c.sendAlert(alertInternalError)
817 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
818 c.sendAlert(alertIllegalParameter)
819 return errors.New("tls: client certificate used with invalid signature algorithm")
821 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
822 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
823 sigHash, signed, certVerify.signature); err != nil {
824 c.sendAlert(alertDecryptError)
825 return errors.New("tls: invalid signature by the client certificate: " + err.Error())
828 hs.transcript.Write(certVerify.marshal())
831 // If we waited until the client certificates to send session tickets, we
832 // are ready to do it now.
833 if err := hs.sendSessionTickets(); err != nil {
840 func (hs *serverHandshakeStateTLS13) readClientFinished() error {
843 msg, err := c.readHandshake()
848 finished, ok := msg.(*finishedMsg)
850 c.sendAlert(alertUnexpectedMessage)
851 return unexpectedMessageError(finished, msg)
854 if !hmac.Equal(hs.clientFinished, finished.verifyData) {
855 c.sendAlert(alertDecryptError)
856 return errors.New("tls: invalid client finished hash")
859 c.in.setTrafficSecret(hs.suite, hs.trafficSecret)