MCPcopy
hub / github.com/XTLS/REALITY / handshake

Method handshake

handshake_client_tls13.go:47–161  ·  view source on GitHub ↗

handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and, optionally, hs.session, hs.earlySecret and hs.binderKey to be set.

()

Source from the content-addressed store, hash-verified

45// handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and,
46// optionally, hs.session, hs.earlySecret and hs.binderKey to be set.
47func (hs *clientHandshakeStateTLS13) handshake() error {
48 c := hs.c
49
50 // The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
51 // sections 4.1.2 and 4.1.3.
52 if c.handshakes > 0 {
53 c.sendAlert(alertProtocolVersion)
54 return errors.New("tls: server selected TLS 1.3 in a renegotiation")
55 }
56
57 // Consistency check on the presence of a keyShare and its parameters.
58 if hs.keyShareKeys == nil || hs.keyShareKeys.ecdhe == nil || len(hs.hello.keyShares) == 0 {
59 return c.sendAlert(alertInternalError)
60 }
61
62 if err := hs.checkServerHelloOrHRR(); err != nil {
63 return err
64 }
65
66 hs.transcript = hs.suite.hash.New()
67
68 if err := transcriptMsg(hs.hello, hs.transcript); err != nil {
69 return err
70 }
71
72 if hs.echContext != nil {
73 hs.echContext.innerTranscript = hs.suite.hash.New()
74 if err := transcriptMsg(hs.echContext.innerHello, hs.echContext.innerTranscript); err != nil {
75 return err
76 }
77 }
78
79 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
80 if err := hs.sendDummyChangeCipherSpec(); err != nil {
81 return err
82 }
83 if err := hs.processHelloRetryRequest(); err != nil {
84 return err
85 }
86 }
87
88 if hs.echContext != nil {
89 confTranscript := cloneHash(hs.echContext.innerTranscript, hs.suite.hash)
90 confTranscript.Write(hs.serverHello.original[:30])
91 confTranscript.Write(make([]byte, 8))
92 confTranscript.Write(hs.serverHello.original[38:])
93 h := hs.suite.hash.New
94 prk, err := hkdf.Extract(h, hs.echContext.innerHello.random, nil)
95 if err != nil {
96 c.sendAlert(alertInternalError)
97 return err
98 }
99 acceptConfirmation := tls13.ExpandLabel(h, prk, "ech accept confirmation", confTranscript.Sum(nil), 8)
100 if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.random[len(hs.serverHello.random)-8:]) == 1 {
101 hs.hello = hs.echContext.innerHello
102 c.serverName = c.config.ServerName
103 hs.transcript = hs.echContext.innerTranscript
104 c.echAccepted = true

Callers

nothing calls this directly

Calls 15

checkServerHelloOrHRRMethod · 0.95
processServerHelloMethod · 0.95
readServerParametersMethod · 0.95
readServerCertificateMethod · 0.95
readServerFinishedMethod · 0.95
sendClientCertificateMethod · 0.95
sendClientFinishedMethod · 0.95
ExpandLabelFunction · 0.92
transcriptMsgFunction · 0.85

Tested by

no test coverage detected