| 658 | } |
| 659 | |
| 660 | func (hs *clientHandshakeState) doFullHandshake() error { |
| 661 | c := hs.c |
| 662 | |
| 663 | msg, err := c.readHandshake(&hs.finishedHash) |
| 664 | if err != nil { |
| 665 | return err |
| 666 | } |
| 667 | certMsg, ok := msg.(*certificateMsg) |
| 668 | if !ok || len(certMsg.certificates) == 0 { |
| 669 | c.sendAlert(alertUnexpectedMessage) |
| 670 | return unexpectedMessageError(certMsg, msg) |
| 671 | } |
| 672 | |
| 673 | msg, err = c.readHandshake(&hs.finishedHash) |
| 674 | if err != nil { |
| 675 | return err |
| 676 | } |
| 677 | |
| 678 | cs, ok := msg.(*certificateStatusMsg) |
| 679 | if ok { |
| 680 | // RFC4366 on Certificate Status Request: |
| 681 | // The server MAY return a "certificate_status" message. |
| 682 | |
| 683 | if !hs.serverHello.ocspStapling { |
| 684 | // If a server returns a "CertificateStatus" message, then the |
| 685 | // server MUST have included an extension of type "status_request" |
| 686 | // with empty "extension_data" in the extended server hello. |
| 687 | |
| 688 | c.sendAlert(alertUnexpectedMessage) |
| 689 | return errors.New("tls: received unexpected CertificateStatus message") |
| 690 | } |
| 691 | |
| 692 | c.ocspResponse = cs.response |
| 693 | |
| 694 | msg, err = c.readHandshake(&hs.finishedHash) |
| 695 | if err != nil { |
| 696 | return err |
| 697 | } |
| 698 | } |
| 699 | |
| 700 | if c.handshakes == 0 { |
| 701 | // If this is the first handshake on a connection, process and |
| 702 | // (optionally) verify the server's certificates. |
| 703 | if err := c.verifyServerCertificate(certMsg.certificates); err != nil { |
| 704 | return err |
| 705 | } |
| 706 | } else { |
| 707 | // This is a renegotiation handshake. We require that the |
| 708 | // server's identity (i.e. leaf certificate) is unchanged and |
| 709 | // thus any previous trust decision is still valid. |
| 710 | // |
| 711 | // See https://mitls.org/pages/attacks/3SHAKE for the |
| 712 | // motivation behind this requirement. |
| 713 | if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) { |
| 714 | c.sendAlert(alertBadCertificate) |
| 715 | return errors.New("tls: server's identity changed during renegotiation") |
| 716 | } |
| 717 | } |