()
| 466 | } |
| 467 | |
| 468 | func (hs *clientHandshakeState) doFullHandshake() error { |
| 469 | c := hs.c |
| 470 | |
| 471 | msg, err := c.readHandshake() |
| 472 | if err != nil { |
| 473 | return err |
| 474 | } |
| 475 | certMsg, ok := msg.(*certificateMsg) |
| 476 | if !ok || len(certMsg.certificates) == 0 { |
| 477 | c.sendAlert(alertUnexpectedMessage) |
| 478 | return unexpectedMessageError(certMsg, msg) |
| 479 | } |
| 480 | hs.finishedHash.Write(certMsg.marshal()) |
| 481 | |
| 482 | msg, err = c.readHandshake() |
| 483 | if err != nil { |
| 484 | return err |
| 485 | } |
| 486 | |
| 487 | cs, ok := msg.(*certificateStatusMsg) |
| 488 | if ok { |
| 489 | // RFC4366 on Certificate Status Request: |
| 490 | // The server MAY return a "certificate_status" message. |
| 491 | |
| 492 | if !hs.serverHello.ocspStapling { |
| 493 | // If a server returns a "CertificateStatus" message, then the |
| 494 | // server MUST have included an extension of type "status_request" |
| 495 | // with empty "extension_data" in the extended server hello. |
| 496 | |
| 497 | c.sendAlert(alertUnexpectedMessage) |
| 498 | return errors.New("tls: received unexpected CertificateStatus message") |
| 499 | } |
| 500 | hs.finishedHash.Write(cs.marshal()) |
| 501 | |
| 502 | c.ocspResponse = cs.response |
| 503 | |
| 504 | msg, err = c.readHandshake() |
| 505 | if err != nil { |
| 506 | return err |
| 507 | } |
| 508 | } |
| 509 | |
| 510 | if c.handshakes == 0 { |
| 511 | // If this is the first handshake on a connection, process and |
| 512 | // (optionally) verify the server's certificates. |
| 513 | if err := c.verifyServerCertificate(certMsg.certificates); err != nil { |
| 514 | return err |
| 515 | } |
| 516 | } else { |
| 517 | // This is a renegotiation handshake. We require that the |
| 518 | // server's identity (i.e. leaf certificate) is unchanged and |
| 519 | // thus any previous trust decision is still valid. |
| 520 | // |
| 521 | // See https://mitls.org/pages/attacks/3SHAKE for the |
| 522 | // motivation behind this requirement. |
| 523 | if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) { |
| 524 | c.sendAlert(alertBadCertificate) |
| 525 | return errors.New("tls: server's identity changed during renegotiation") |
no test coverage detected