checkServerHelloOrHRR does validity checks that apply to both ServerHello and HelloRetryRequest messages. It sets hs.suite.
// checkServerHelloOrHRR does validity checks that apply to both ServerHello and
// HelloRetryRequest messages. It sets hs.suite.
//
// Each rejection sends the matching alert on the connection before returning
// an error. The checks are ordered deliberately: the first failing check
// decides which alert the peer sees, so the order must not be rearranged.
func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
	c := hs.c
	sh := hs.serverHello

	switch {
	case sh.supportedVersion == 0:
		// TLS 1.3 is only ever negotiated via supported_versions; a server that
		// claims it through the legacy version field alone is rejected.
		c.sendAlert(alertMissingExtension)
		return errors.New("tls: server selected TLS 1.3 using the legacy version field")

	case sh.supportedVersion != VersionTLS13:
		// We are already in the TLS 1.3 state machine, so a different
		// supported_versions choice here is a mid-handshake downgrade attempt.
		c.sendAlert(alertIllegalParameter)
		return errors.New("tls: server selected an invalid version after a HelloRetryRequest")

	case sh.vers != VersionTLS12:
		// In TLS 1.3 the legacy_version field is fixed at the TLS 1.2 value.
		c.sendAlert(alertIllegalParameter)
		return errors.New("tls: server sent an incorrect legacy version")

	case sh.ocspStapling ||
		sh.ticketSupported ||
		sh.extendedMasterSecret ||
		sh.secureRenegotiationSupported ||
		len(sh.secureRenegotiation) != 0 ||
		len(sh.alpnProtocol) != 0 ||
		len(sh.scts) != 0:
		// These extensions are legal in a TLS 1.2 ServerHello but are not
		// permitted in a TLS 1.3 ServerHello/HelloRetryRequest.
		c.sendAlert(alertUnsupportedExtension)
		return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")

	case !bytes.Equal(hs.hello.sessionId, sh.sessionId):
		// The server must echo exactly the legacy session ID we sent.
		c.sendAlert(alertIllegalParameter)
		return errors.New("tls: server did not echo the legacy session ID")

	case sh.compressionMethod != compressionNone:
		c.sendAlert(alertDecodeError)
		return errors.New("tls: server sent non-zero legacy TLS compression method")
	}

	// Resolve the server's choice against the suites we offered. After a
	// HelloRetryRequest hs.suite is already populated, and the server is not
	// allowed to pick a different suite in the following ServerHello.
	chosen := mutualCipherSuiteTLS13(hs.hello.cipherSuites, sh.cipherSuite)
	switch {
	case hs.suite != nil && chosen != hs.suite:
		c.sendAlert(alertIllegalParameter)
		return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
	case chosen == nil:
		// nil here means the selected suite was not one we offered.
		c.sendAlert(alertIllegalParameter)
		return errors.New("tls: server chose an unconfigured cipher suite")
	}

	hs.suite = chosen
	c.cipherSuite = chosen.id

	return nil
}
// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.