
Method checkServerHelloOrHRR

handshake_client_tls13.go:165–217  ·  view source on GitHub ↗

checkServerHelloOrHRR does validity checks that apply to both ServerHello and HelloRetryRequest messages. It sets hs.suite.


// checkServerHelloOrHRR performs the validity checks shared by ServerHello and
// HelloRetryRequest messages and records the negotiated cipher suite in
// hs.suite (mirrored into c.cipherSuite). Every failure sends the matching
// TLS alert to the peer before returning an error. The checks run in a fixed
// order, so the first violated requirement decides which alert is sent.
func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
	conn := hs.c
	sh := hs.serverHello

	switch {
	case sh.supportedVersion == 0:
		// TLS 1.3 must be negotiated through supported_versions; a server that
		// signals it only through the legacy version field is non-conforming.
		conn.sendAlert(alertMissingExtension)
		return errors.New("tls: server selected TLS 1.3 using the legacy version field")
	case sh.supportedVersion != VersionTLS13:
		conn.sendAlert(alertIllegalParameter)
		return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
	case sh.vers != VersionTLS12:
		// legacy_version is frozen at 0x0303 (TLS 1.2) in TLS 1.3.
		conn.sendAlert(alertIllegalParameter)
		return errors.New("tls: server sent an incorrect legacy version")
	case sh.ocspStapling,
		sh.ticketSupported,
		sh.extendedMasterSecret,
		sh.secureRenegotiationSupported,
		len(sh.secureRenegotiation) != 0,
		len(sh.alpnProtocol) != 0,
		len(sh.scts) != 0:
		// These extensions belong to TLS 1.2 ServerHello or to TLS 1.3
		// EncryptedExtensions; their presence here is a protocol violation.
		conn.sendAlert(alertUnsupportedExtension)
		return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
	case !bytes.Equal(hs.hello.sessionId, sh.sessionId):
		// The server must echo our legacy_session_id byte for byte.
		conn.sendAlert(alertIllegalParameter)
		return errors.New("tls: server did not echo the legacy session ID")
	case sh.compressionMethod != compressionNone:
		conn.sendAlert(alertDecodeError)
		return errors.New("tls: server sent non-zero legacy TLS compression method")
	}

	// The suite must be one we offered; after a HelloRetryRequest it must also
	// be the one the server already committed to.
	suite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, sh.cipherSuite)
	switch {
	case hs.suite != nil && suite != hs.suite:
		conn.sendAlert(alertIllegalParameter)
		return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
	case suite == nil:
		conn.sendAlert(alertIllegalParameter)
		return errors.New("tls: server chose an unconfigured cipher suite")
	}
	hs.suite = suite
	conn.cipherSuite = suite.id

	return nil
}
218
219// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
220// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
