MCPcopy Create free account
hub / github.com/XTLS/Go / processClientHello

Method processClientHello

handshake_server_tls13.go:86–223  ·  view source on GitHub ↗
()

Source from the content-addressed store, hash-verified

84}
85
86func (hs *serverHandshakeStateTLS13) processClientHello() error {
87 c := hs.c
88
89 hs.hello = new(serverHelloMsg)
90
91 // TLS 1.3 froze the ServerHello.legacy_version field, and uses
92 // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1.
93 hs.hello.vers = VersionTLS12
94 hs.hello.supportedVersion = c.vers
95
96 if len(hs.clientHello.supportedVersions) == 0 {
97 c.sendAlert(alertIllegalParameter)
98 return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
99 }
100
101 // Abort if the client is doing a fallback and landing lower than what we
102 // support. See RFC 7507, which however does not specify the interaction
103 // with supported_versions. The only difference is that with
104 // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4]
105 // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case,
106 // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to
107 // TLS 1.2, because a TLS 1.3 server would abort here. The situation before
108 // supported_versions was not better because there was just no way to do a
109 // TLS 1.4 handshake without risking the server selecting TLS 1.3.
110 for _, id := range hs.clientHello.cipherSuites {
111 if id == TLS_FALLBACK_SCSV {
112 // Use c.vers instead of max(supported_versions) because an attacker
113 // could defeat this by adding an arbitrary high version otherwise.
114 if c.vers < c.config.maxSupportedVersion(roleClient) {
115 c.sendAlert(alertInappropriateFallback)
116 return errors.New("tls: client using inappropriate protocol fallback")
117 }
118 break
119 }
120 }
121
122 if len(hs.clientHello.compressionMethods) != 1 ||
123 hs.clientHello.compressionMethods[0] != compressionNone {
124 c.sendAlert(alertIllegalParameter)
125 return errors.New("tls: TLS 1.3 client supports illegal compression methods")
126 }
127
128 hs.hello.random = make([]byte, 32)
129 if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
130 c.sendAlert(alertInternalError)
131 return err
132 }
133
134 if len(hs.clientHello.secureRenegotiation) != 0 {
135 c.sendAlert(alertHandshakeFailure)
136 return errors.New("tls: initial handshake had non-empty renegotiation extension")
137 }
138
139 if hs.clientHello.earlyData {
140 // See RFC 8446, Section 4.2.10 for the complicated behavior required
141 // here. The scenario is that a different server at our address offered
142 // to accept early data in the past, which we can't handle. For now, all
143 // 0-RTT enabled session tickets need to expire before a Go server can

Callers 1

handshakeMethod · 0.95

Calls 11

doHelloRetryRequestMethod · 0.95
aesgcmPreferredFunction · 0.85
mutualCipherSuiteTLS13Function · 0.85
curveForCurveIDFunction · 0.85
generateECDHEParametersFunction · 0.85
sendAlertMethod · 0.80
maxSupportedVersionMethod · 0.80
randMethod · 0.80
curvePreferencesMethod · 0.80
PublicKeyMethod · 0.65
SharedKeyMethod · 0.65

Tested by

no test coverage detected