1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
22 // serverHandshakeState contains details of a server handshake in progress.
23 // It's discarded once the handshake has completed.
24 type serverHandshakeState struct {
26 clientHello *clientHelloMsg
31 sessionState *sessionState
32 finishedHash finishedHash
34 certsFromClient [][]byte
38 // serverHandshake performs a TLS handshake as a server.
39 func (c *Conn) serverHandshake() error {
42 // If this is the first server handshake, we generate a random key to
43 // encrypt the tickets with.
44 config.serverInitOnce.Do(config.serverInit)
46 c.sendHandshakeSeq = 0
47 c.recvHandshakeSeq = 0
49 hs := serverHandshakeState{
52 isResume, err := hs.readClientHello()
57 // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3
59 // The client has included a session ticket and so we do an abbreviated handshake.
60 if err := hs.doResumeHandshake(); err != nil {
63 if err := hs.establishKeys(); err != nil {
66 if c.config.Bugs.RenewTicketOnResume {
67 if err := hs.sendSessionTicket(); err != nil {
71 if err := hs.sendFinished(); err != nil {
74 if err := hs.readFinished(isResume); err != nil {
79 // The client didn't include a session ticket, or it wasn't
80 // valid so we do a full handshake.
81 if err := hs.doFullHandshake(); err != nil {
84 if err := hs.establishKeys(); err != nil {
87 if err := hs.readFinished(isResume); err != nil {
90 if c.config.Bugs.ExpectFalseStart {
91 if err := c.readRecord(recordTypeApplicationData); err != nil {
95 if err := hs.sendSessionTicket(); err != nil {
98 if err := hs.sendFinished(); err != nil {
102 c.handshakeComplete = true
107 // readClientHello reads a ClientHello message from the client and decides
108 // whether we will perform session resumption.
109 func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
110 config := hs.c.config
113 msg, err := c.readHandshake()
118 hs.clientHello, ok = msg.(*clientHelloMsg)
120 c.sendAlert(alertUnexpectedMessage)
121 return false, unexpectedMessageError(hs.clientHello, msg)
124 if c.isDTLS && !config.Bugs.SkipHelloVerifyRequest {
125 // Per RFC 6347, the version field in HelloVerifyRequest SHOULD
126 // be always DTLS 1.0
127 helloVerifyRequest := &helloVerifyRequestMsg{
129 cookie: make([]byte, 32),
131 if _, err := io.ReadFull(c.config.rand(), helloVerifyRequest.cookie); err != nil {
132 c.sendAlert(alertInternalError)
133 return false, errors.New("dtls: short read from Rand: " + err.Error())
135 c.writeRecord(recordTypeHandshake, helloVerifyRequest.marshal())
137 msg, err := c.readHandshake()
141 newClientHello, ok := msg.(*clientHelloMsg)
143 c.sendAlert(alertUnexpectedMessage)
144 return false, unexpectedMessageError(hs.clientHello, msg)
146 if !bytes.Equal(newClientHello.cookie, helloVerifyRequest.cookie) {
147 return false, errors.New("dtls: invalid cookie")
150 // Apart from the cookie, the two ClientHellos must
151 // match. Note that clientHello.equal compares the
152 // serialization, so we make a copy.
153 oldClientHelloCopy := *hs.clientHello
154 oldClientHelloCopy.raw = nil
155 oldClientHelloCopy.cookie = nil
156 newClientHelloCopy := *newClientHello
157 newClientHelloCopy.raw = nil
158 newClientHelloCopy.cookie = nil
159 if !oldClientHelloCopy.equal(&newClientHelloCopy) {
160 return false, errors.New("dtls: retransmitted ClientHello does not match")
162 hs.clientHello = newClientHello
165 c.vers, ok = config.mutualVersion(hs.clientHello.vers)
167 c.sendAlert(alertProtocolVersion)
168 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
172 hs.hello = new(serverHelloMsg)
173 hs.hello.isDTLS = c.isDTLS
175 supportedCurve := false
176 preferredCurves := config.curvePreferences()
178 for _, curve := range hs.clientHello.supportedCurves {
179 for _, supported := range preferredCurves {
180 if supported == curve {
181 supportedCurve = true
187 supportedPointFormat := false
188 for _, pointFormat := range hs.clientHello.supportedPoints {
189 if pointFormat == pointFormatUncompressed {
190 supportedPointFormat = true
194 hs.ellipticOk = supportedCurve && supportedPointFormat
196 foundCompression := false
197 // We only support null compression, so check that the client offered it.
198 for _, compression := range hs.clientHello.compressionMethods {
199 if compression == compressionNone {
200 foundCompression = true
205 if !foundCompression {
206 c.sendAlert(alertHandshakeFailure)
207 return false, errors.New("tls: client does not support uncompressed connections")
210 hs.hello.vers = c.vers
211 hs.hello.random = make([]byte, 32)
212 _, err = io.ReadFull(config.rand(), hs.hello.random)
214 c.sendAlert(alertInternalError)
218 if !bytes.Equal(c.clientVerify, hs.clientHello.secureRenegotiation) {
219 c.sendAlert(alertHandshakeFailure)
220 return false, errors.New("tls: renegotiation mismatch")
223 if len(c.clientVerify) > 0 && !c.config.Bugs.EmptyRenegotiationInfo {
224 hs.hello.secureRenegotiation = append(hs.hello.secureRenegotiation, c.clientVerify...)
225 hs.hello.secureRenegotiation = append(hs.hello.secureRenegotiation, c.serverVerify...)
226 if c.config.Bugs.BadRenegotiationInfo {
227 hs.hello.secureRenegotiation[0] ^= 0x80
230 hs.hello.secureRenegotiation = hs.clientHello.secureRenegotiation
233 hs.hello.compressionMethod = compressionNone
234 hs.hello.duplicateExtension = c.config.Bugs.DuplicateExtension
235 if len(hs.clientHello.serverName) > 0 {
236 c.serverName = hs.clientHello.serverName
239 if len(hs.clientHello.alpnProtocols) > 0 {
240 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
241 hs.hello.alpnProtocol = selectedProto
242 c.clientProtocol = selectedProto
246 // Although sending an empty NPN extension is reasonable, Firefox has
247 // had a bug around this. Best to send nothing at all if
248 // config.NextProtos is empty. See
249 // https://code.google.com/p/go/issues/detail?id=5445.
250 if hs.clientHello.nextProtoNeg && len(config.NextProtos) > 0 {
251 hs.hello.nextProtoNeg = true
252 hs.hello.nextProtos = config.NextProtos
255 hs.hello.extendedMasterSecret = c.vers >= VersionTLS10 && hs.clientHello.extendedMasterSecret && !c.config.Bugs.NoExtendedMasterSecret
257 if len(config.Certificates) == 0 {
258 c.sendAlert(alertInternalError)
259 return false, errors.New("tls: no certificates configured")
261 hs.cert = &config.Certificates[0]
262 if len(hs.clientHello.serverName) > 0 {
263 hs.cert = config.getCertificateForName(hs.clientHello.serverName)
265 if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName {
266 return false, errors.New("tls: unexpected server name")
269 if hs.clientHello.channelIDSupported && config.RequestChannelID {
270 hs.hello.channelIDRequested = true
273 _, hs.ecdsaOk = hs.cert.PrivateKey.(*ecdsa.PrivateKey)
275 if hs.checkForResumption() {
281 for _, cipherSuite := range hs.clientHello.cipherSuites {
282 if cipherSuite == fallbackSCSV {
288 if !scsvFound && config.Bugs.FailIfNotFallbackSCSV {
289 return false, errors.New("tls: no fallback SCSV found when expected")
290 } else if scsvFound && !config.Bugs.FailIfNotFallbackSCSV {
291 return false, errors.New("tls: fallback SCSV found when not expected")
294 var preferenceList, supportedList []uint16
295 if c.config.PreferServerCipherSuites {
296 preferenceList = c.config.cipherSuites()
297 supportedList = hs.clientHello.cipherSuites
299 preferenceList = hs.clientHello.cipherSuites
300 supportedList = c.config.cipherSuites()
303 for _, id := range preferenceList {
304 if hs.suite = c.tryCipherSuite(id, supportedList, c.vers, hs.ellipticOk, hs.ecdsaOk); hs.suite != nil {
310 c.sendAlert(alertHandshakeFailure)
311 return false, errors.New("tls: no cipher suite supported by both client and server")
317 // checkForResumption returns true if we should perform resumption on this connection.
318 func (hs *serverHandshakeState) checkForResumption() bool {
321 if c.config.SessionTicketsDisabled {
326 if hs.sessionState, ok = c.decryptTicket(hs.clientHello.sessionTicket); !ok {
330 if !c.config.Bugs.AllowSessionVersionMismatch {
331 if hs.sessionState.vers > hs.clientHello.vers {
334 if vers, ok := c.config.mutualVersion(hs.sessionState.vers); !ok || vers != hs.sessionState.vers {
339 cipherSuiteOk := false
340 // Check that the client is still offering the ciphersuite in the session.
341 for _, id := range hs.clientHello.cipherSuites {
342 if id == hs.sessionState.cipherSuite {
351 // Check that we also support the ciphersuite from the session.
352 hs.suite = c.tryCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers, hs.ellipticOk, hs.ecdsaOk)
357 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
358 needClientCerts := c.config.ClientAuth == RequireAnyClientCert || c.config.ClientAuth == RequireAndVerifyClientCert
359 if needClientCerts && !sessionHasClientCerts {
362 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert {
369 func (hs *serverHandshakeState) doResumeHandshake() error {
372 hs.hello.cipherSuite = hs.suite.id
373 // We echo the client's session ID in the ServerHello to let it know
374 // that we're doing a resumption.
375 hs.hello.sessionId = hs.clientHello.sessionId
376 hs.hello.ticketSupported = c.config.Bugs.RenewTicketOnResume
378 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
379 hs.finishedHash.discardHandshakeBuffer()
380 hs.writeClientHash(hs.clientHello.marshal())
381 hs.writeServerHash(hs.hello.marshal())
383 c.writeRecord(recordTypeHandshake, hs.hello.marshal())
385 if len(hs.sessionState.certificates) > 0 {
386 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
391 hs.masterSecret = hs.sessionState.masterSecret
392 c.extendedMasterSecret = hs.sessionState.extendedMasterSecret
397 func (hs *serverHandshakeState) doFullHandshake() error {
398 config := hs.c.config
401 isPSK := hs.suite.flags&suitePSK != 0
402 if !isPSK && hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
403 hs.hello.ocspStapling = true
406 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !config.SessionTicketsDisabled
407 hs.hello.cipherSuite = hs.suite.id
408 c.extendedMasterSecret = hs.hello.extendedMasterSecret
410 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
411 hs.writeClientHash(hs.clientHello.marshal())
412 hs.writeServerHash(hs.hello.marshal())
414 c.writeRecord(recordTypeHandshake, hs.hello.marshal())
417 certMsg := new(certificateMsg)
418 certMsg.certificates = hs.cert.Certificate
419 if !config.Bugs.UnauthenticatedECDH {
420 hs.writeServerHash(certMsg.marshal())
421 c.writeRecord(recordTypeHandshake, certMsg.marshal())
425 if hs.hello.ocspStapling {
426 certStatus := new(certificateStatusMsg)
427 certStatus.statusType = statusTypeOCSP
428 certStatus.response = hs.cert.OCSPStaple
429 hs.writeServerHash(certStatus.marshal())
430 c.writeRecord(recordTypeHandshake, certStatus.marshal())
433 keyAgreement := hs.suite.ka(c.vers)
434 skx, err := keyAgreement.generateServerKeyExchange(config, hs.cert, hs.clientHello, hs.hello)
436 c.sendAlert(alertHandshakeFailure)
439 if skx != nil && !config.Bugs.SkipServerKeyExchange {
440 hs.writeServerHash(skx.marshal())
441 c.writeRecord(recordTypeHandshake, skx.marshal())
444 if config.ClientAuth >= RequestClientCert {
445 // Request a client certificate
446 certReq := &certificateRequestMsg{
447 certificateTypes: config.ClientCertificateTypes,
449 if certReq.certificateTypes == nil {
450 certReq.certificateTypes = []byte{
451 byte(CertTypeRSASign),
452 byte(CertTypeECDSASign),
455 if c.vers >= VersionTLS12 {
456 certReq.hasSignatureAndHash = true
457 certReq.signatureAndHashes = supportedClientCertSignatureAlgorithms
460 // An empty list of certificateAuthorities signals to
461 // the client that it may send any certificate in response
462 // to our request. When we know the CAs we trust, then
463 // we can send them down, so that the client can choose
464 // an appropriate certificate to give to us.
465 if config.ClientCAs != nil {
466 certReq.certificateAuthorities = config.ClientCAs.Subjects()
468 hs.writeServerHash(certReq.marshal())
469 c.writeRecord(recordTypeHandshake, certReq.marshal())
472 helloDone := new(serverHelloDoneMsg)
473 hs.writeServerHash(helloDone.marshal())
474 c.writeRecord(recordTypeHandshake, helloDone.marshal())
476 var pub crypto.PublicKey // public key for client auth, if any
478 msg, err := c.readHandshake()
484 // If we requested a client certificate, then the client must send a
485 // certificate message, even if it's empty.
486 if config.ClientAuth >= RequestClientCert {
487 var certMsg *certificateMsg
488 if certMsg, ok = msg.(*certificateMsg); !ok {
489 c.sendAlert(alertUnexpectedMessage)
490 return unexpectedMessageError(certMsg, msg)
492 hs.writeClientHash(certMsg.marshal())
494 if len(certMsg.certificates) == 0 {
495 // The client didn't actually send a certificate
496 switch config.ClientAuth {
497 case RequireAnyClientCert, RequireAndVerifyClientCert:
498 c.sendAlert(alertBadCertificate)
499 return errors.New("tls: client didn't provide a certificate")
503 pub, err = hs.processCertsFromClient(certMsg.certificates)
508 msg, err = c.readHandshake()
514 // Get client key exchange
515 ckx, ok := msg.(*clientKeyExchangeMsg)
517 c.sendAlert(alertUnexpectedMessage)
518 return unexpectedMessageError(ckx, msg)
520 hs.writeClientHash(ckx.marshal())
522 preMasterSecret, err := keyAgreement.processClientKeyExchange(config, hs.cert, ckx, c.vers)
524 c.sendAlert(alertHandshakeFailure)
527 if c.extendedMasterSecret {
528 hs.masterSecret = extendedMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.finishedHash)
530 if c.config.Bugs.RequireExtendedMasterSecret {
531 return errors.New("tls: extended master secret required but not supported by peer")
533 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
536 // If we received a client cert in response to our certificate request message,
537 // the client will send us a certificateVerifyMsg immediately after the
538 // clientKeyExchangeMsg. This message is a digest of all preceding
539 // handshake-layer messages that is signed using the private key corresponding
540 // to the client's certificate. This allows us to verify that the client is in
541 // possession of the private key of the certificate.
542 if len(c.peerCertificates) > 0 {
543 msg, err = c.readHandshake()
547 certVerify, ok := msg.(*certificateVerifyMsg)
549 c.sendAlert(alertUnexpectedMessage)
550 return unexpectedMessageError(certVerify, msg)
553 // Determine the signature type.
554 var signatureAndHash signatureAndHash
555 if certVerify.hasSignatureAndHash {
556 signatureAndHash = certVerify.signatureAndHash
558 // Before TLS 1.2 the signature algorithm was implicit
559 // from the key type, and only one hash per signature
560 // algorithm was possible. Leave the hash as zero.
562 case *ecdsa.PublicKey:
563 signatureAndHash.signature = signatureECDSA
565 signatureAndHash.signature = signatureRSA
569 switch key := pub.(type) {
570 case *ecdsa.PublicKey:
571 if signatureAndHash.signature != signatureECDSA {
572 err = errors.New("tls: bad signature type for client's ECDSA certificate")
575 ecdsaSig := new(ecdsaSignature)
576 if _, err = asn1.Unmarshal(certVerify.signature, ecdsaSig); err != nil {
579 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
580 err = errors.New("ECDSA signature contained zero or negative values")
584 digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret)
588 if !ecdsa.Verify(key, digest, ecdsaSig.R, ecdsaSig.S) {
589 err = errors.New("ECDSA verification failure")
593 if signatureAndHash.signature != signatureRSA {
594 err = errors.New("tls: bad signature type for client's RSA certificate")
598 var hashFunc crypto.Hash
599 digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret)
603 err = rsa.VerifyPKCS1v15(key, hashFunc, digest, certVerify.signature)
606 c.sendAlert(alertBadCertificate)
607 return errors.New("could not validate signature of connection nonces: " + err.Error())
610 hs.writeClientHash(certVerify.marshal())
613 hs.finishedHash.discardHandshakeBuffer()
618 func (hs *serverHandshakeState) establishKeys() error {
621 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
622 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
624 var clientCipher, serverCipher interface{}
625 var clientHash, serverHash macFunction
627 if hs.suite.aead == nil {
628 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
629 clientHash = hs.suite.mac(c.vers, clientMAC)
630 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
631 serverHash = hs.suite.mac(c.vers, serverMAC)
633 clientCipher = hs.suite.aead(clientKey, clientIV)
634 serverCipher = hs.suite.aead(serverKey, serverIV)
637 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash)
638 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash)
643 func (hs *serverHandshakeState) readFinished(isResume bool) error {
646 c.readRecord(recordTypeChangeCipherSpec)
647 if err := c.in.error(); err != nil {
651 if hs.hello.nextProtoNeg {
652 msg, err := c.readHandshake()
656 nextProto, ok := msg.(*nextProtoMsg)
658 c.sendAlert(alertUnexpectedMessage)
659 return unexpectedMessageError(nextProto, msg)
661 hs.writeClientHash(nextProto.marshal())
662 c.clientProtocol = nextProto.proto
665 if hs.hello.channelIDRequested {
666 msg, err := c.readHandshake()
670 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
672 c.sendAlert(alertUnexpectedMessage)
673 return unexpectedMessageError(encryptedExtensions, msg)
675 x := new(big.Int).SetBytes(encryptedExtensions.channelID[0:32])
676 y := new(big.Int).SetBytes(encryptedExtensions.channelID[32:64])
677 r := new(big.Int).SetBytes(encryptedExtensions.channelID[64:96])
678 s := new(big.Int).SetBytes(encryptedExtensions.channelID[96:128])
679 if !elliptic.P256().IsOnCurve(x, y) {
680 return errors.New("tls: invalid channel ID public key")
682 channelID := &ecdsa.PublicKey{elliptic.P256(), x, y}
683 var resumeHash []byte
685 resumeHash = hs.sessionState.handshakeHash
687 if !ecdsa.Verify(channelID, hs.finishedHash.hashForChannelID(resumeHash), r, s) {
688 return errors.New("tls: invalid channel ID signature")
690 c.channelID = channelID
692 hs.writeClientHash(encryptedExtensions.marshal())
695 msg, err := c.readHandshake()
699 clientFinished, ok := msg.(*finishedMsg)
701 c.sendAlert(alertUnexpectedMessage)
702 return unexpectedMessageError(clientFinished, msg)
705 verify := hs.finishedHash.clientSum(hs.masterSecret)
706 if len(verify) != len(clientFinished.verifyData) ||
707 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 {
708 c.sendAlert(alertHandshakeFailure)
709 return errors.New("tls: client's Finished message is incorrect")
711 c.clientVerify = append(c.clientVerify[:0], clientFinished.verifyData...)
713 hs.writeClientHash(clientFinished.marshal())
717 func (hs *serverHandshakeState) sendSessionTicket() error {
718 if !hs.hello.ticketSupported || hs.c.config.Bugs.SkipNewSessionTicket {
723 m := new(newSessionTicketMsg)
726 state := sessionState{
728 cipherSuite: hs.suite.id,
729 masterSecret: hs.masterSecret,
730 certificates: hs.certsFromClient,
731 handshakeHash: hs.finishedHash.server.Sum(nil),
733 m.ticket, err = c.encryptTicket(&state)
738 hs.writeServerHash(m.marshal())
739 c.writeRecord(recordTypeHandshake, m.marshal())
744 func (hs *serverHandshakeState) sendFinished() error {
747 finished := new(finishedMsg)
748 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
749 c.serverVerify = append(c.serverVerify[:0], finished.verifyData...)
750 postCCSBytes := finished.marshal()
751 hs.writeServerHash(postCCSBytes)
753 if c.config.Bugs.FragmentAcrossChangeCipherSpec {
754 c.writeRecord(recordTypeHandshake, postCCSBytes[:5])
755 postCCSBytes = postCCSBytes[5:]
758 if !c.config.Bugs.SkipChangeCipherSpec {
759 c.writeRecord(recordTypeChangeCipherSpec, []byte{1})
762 c.writeRecord(recordTypeHandshake, postCCSBytes)
764 c.cipherSuite = hs.suite.id
769 // processCertsFromClient takes a chain of client certificates either from a
770 // Certificates message or from a sessionState and verifies them. It returns
771 // the public key of the leaf certificate.
772 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
775 hs.certsFromClient = certificates
776 certs := make([]*x509.Certificate, len(certificates))
778 for i, asn1Data := range certificates {
779 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil {
780 c.sendAlert(alertBadCertificate)
781 return nil, errors.New("tls: failed to parse client certificate: " + err.Error())
785 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
786 opts := x509.VerifyOptions{
787 Roots: c.config.ClientCAs,
788 CurrentTime: c.config.time(),
789 Intermediates: x509.NewCertPool(),
790 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
793 for _, cert := range certs[1:] {
794 opts.Intermediates.AddCert(cert)
797 chains, err := certs[0].Verify(opts)
799 c.sendAlert(alertBadCertificate)
800 return nil, errors.New("tls: failed to verify client's certificate: " + err.Error())
804 for _, ku := range certs[0].ExtKeyUsage {
805 if ku == x509.ExtKeyUsageClientAuth {
811 c.sendAlert(alertHandshakeFailure)
812 return nil, errors.New("tls: client's certificate's extended key usage doesn't permit it to be used for client authentication")
815 c.verifiedChains = chains
819 var pub crypto.PublicKey
820 switch key := certs[0].PublicKey.(type) {
821 case *ecdsa.PublicKey, *rsa.PublicKey:
824 c.sendAlert(alertUnsupportedCertificate)
825 return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
827 c.peerCertificates = certs
834 func (hs *serverHandshakeState) writeServerHash(msg []byte) {
835 // writeServerHash is called before writeRecord.
836 hs.writeHash(msg, hs.c.sendHandshakeSeq)
839 func (hs *serverHandshakeState) writeClientHash(msg []byte) {
840 // writeClientHash is called after readHandshake.
841 hs.writeHash(msg, hs.c.recvHandshakeSeq-1)
844 func (hs *serverHandshakeState) writeHash(msg []byte, seqno uint16) {
846 // This is somewhat hacky. DTLS hashes a slightly different format.
847 // First, the TLS header.
848 hs.finishedHash.Write(msg[:4])
849 // Then the sequence number and reassembled fragment offset (always 0).
850 hs.finishedHash.Write([]byte{byte(seqno >> 8), byte(seqno), 0, 0, 0})
851 // Then the reassembled fragment (always equal to the message length).
852 hs.finishedHash.Write(msg[1:4])
853 // And then the message body.
854 hs.finishedHash.Write(msg[4:])
856 hs.finishedHash.Write(msg)
860 // tryCipherSuite returns a cipherSuite with the given id if that cipher suite
861 // is acceptable to use.
862 func (c *Conn) tryCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16, ellipticOk, ecdsaOk bool) *cipherSuite {
863 for _, supported := range supportedCipherSuites {
865 var candidate *cipherSuite
867 for _, s := range cipherSuites {
873 if candidate == nil {
876 // Don't select a ciphersuite which we can't
877 // support for this client.
878 if (candidate.flags&suiteECDHE != 0) && !ellipticOk {
881 if (candidate.flags&suiteECDSA != 0) != ecdsaOk {
884 if !c.config.Bugs.SkipCipherVersionCheck && version < VersionTLS12 && candidate.flags&suiteTLS12 != 0 {
887 if c.isDTLS && candidate.flags&suiteNoDTLS != 0 {