()
| 84 | } |
| 85 | |
| 86 | func (hs *serverHandshakeStateTLS13) processClientHello() error { |
| 87 | c := hs.c |
| 88 | |
| 89 | hs.hello = new(serverHelloMsg) |
| 90 | |
| 91 | // TLS 1.3 froze the ServerHello.legacy_version field, and uses |
| 92 | // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1. |
| 93 | hs.hello.vers = VersionTLS12 |
| 94 | hs.hello.supportedVersion = c.vers |
| 95 | |
| 96 | if len(hs.clientHello.supportedVersions) == 0 { |
| 97 | c.sendAlert(alertIllegalParameter) |
| 98 | return errors.New("tls: client used the legacy version field to negotiate TLS 1.3") |
| 99 | } |
| 100 | |
| 101 | // Abort if the client is doing a fallback and landing lower than what we |
| 102 | // support. See RFC 7507, which however does not specify the interaction |
| 103 | // with supported_versions. The only difference is that with |
| 104 | // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4] |
| 105 | // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case, |
| 106 | // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to |
| 107 | // TLS 1.2, because a TLS 1.3 server would abort here. The situation before |
| 108 | // supported_versions was not better because there was just no way to do a |
| 109 | // TLS 1.4 handshake without risking the server selecting TLS 1.3. |
| 110 | for _, id := range hs.clientHello.cipherSuites { |
| 111 | if id == TLS_FALLBACK_SCSV { |
| 112 | // Use c.vers instead of max(supported_versions) because an attacker |
| 113 | // could defeat this by adding an arbitrary high version otherwise. |
| 114 | if c.vers < c.config.maxSupportedVersion(roleClient) { |
| 115 | c.sendAlert(alertInappropriateFallback) |
| 116 | return errors.New("tls: client using inappropriate protocol fallback") |
| 117 | } |
| 118 | break |
| 119 | } |
| 120 | } |
| 121 | |
| 122 | if len(hs.clientHello.compressionMethods) != 1 || |
| 123 | hs.clientHello.compressionMethods[0] != compressionNone { |
| 124 | c.sendAlert(alertIllegalParameter) |
| 125 | return errors.New("tls: TLS 1.3 client supports illegal compression methods") |
| 126 | } |
| 127 | |
| 128 | hs.hello.random = make([]byte, 32) |
| 129 | if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil { |
| 130 | c.sendAlert(alertInternalError) |
| 131 | return err |
| 132 | } |
| 133 | |
| 134 | if len(hs.clientHello.secureRenegotiation) != 0 { |
| 135 | c.sendAlert(alertHandshakeFailure) |
| 136 | return errors.New("tls: initial handshake had non-empty renegotiation extension") |
| 137 | } |
| 138 | |
| 139 | if hs.clientHello.earlyData { |
| 140 | // See RFC 8446, Section 4.2.10 for the complicated behavior required |
| 141 | // here. The scenario is that a different server at our address offered |
| 142 | // to accept early data in the past, which we can't handle. For now, all |
| 143 | // 0-RTT enabled session tickets need to expire before a Go server can |
no test coverage detected