handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and, optionally, hs.session, hs.earlySecret and hs.binderKey to be set.
| 45 | // handshake requires hs.c, hs.hello, hs.serverHello, hs.keyShareKeys, and, |
| 46 | // optionally, hs.session, hs.earlySecret and hs.binderKey to be set. |
| 47 | func (hs *clientHandshakeStateTLS13) handshake() error { |
| 48 | c := hs.c |
| 49 | |
| 50 | // The server must not select TLS 1.3 in a renegotiation. See RFC 8446, |
| 51 | // sections 4.1.2 and 4.1.3. |
| 52 | if c.handshakes > 0 { |
| 53 | c.sendAlert(alertProtocolVersion) |
| 54 | return errors.New("tls: server selected TLS 1.3 in a renegotiation") |
| 55 | } |
| 56 | |
| 57 | // Consistency check on the presence of a keyShare and its parameters. |
| 58 | if hs.keyShareKeys == nil || hs.keyShareKeys.ecdhe == nil || len(hs.hello.keyShares) == 0 { |
| 59 | return c.sendAlert(alertInternalError) |
| 60 | } |
| 61 | |
| 62 | if err := hs.checkServerHelloOrHRR(); err != nil { |
| 63 | return err |
| 64 | } |
| 65 | |
| 66 | hs.transcript = hs.suite.hash.New() |
| 67 | |
| 68 | if err := transcriptMsg(hs.hello, hs.transcript); err != nil { |
| 69 | return err |
| 70 | } |
| 71 | |
| 72 | if hs.echContext != nil { |
| 73 | hs.echContext.innerTranscript = hs.suite.hash.New() |
| 74 | if err := transcriptMsg(hs.echContext.innerHello, hs.echContext.innerTranscript); err != nil { |
| 75 | return err |
| 76 | } |
| 77 | } |
| 78 | |
| 79 | if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { |
| 80 | if err := hs.sendDummyChangeCipherSpec(); err != nil { |
| 81 | return err |
| 82 | } |
| 83 | if err := hs.processHelloRetryRequest(); err != nil { |
| 84 | return err |
| 85 | } |
| 86 | } |
| 87 | |
| 88 | if hs.echContext != nil { |
| 89 | confTranscript := cloneHash(hs.echContext.innerTranscript, hs.suite.hash) |
| 90 | confTranscript.Write(hs.serverHello.original[:30]) |
| 91 | confTranscript.Write(make([]byte, 8)) |
| 92 | confTranscript.Write(hs.serverHello.original[38:]) |
| 93 | h := hs.suite.hash.New |
| 94 | prk, err := hkdf.Extract(h, hs.echContext.innerHello.random, nil) |
| 95 | if err != nil { |
| 96 | c.sendAlert(alertInternalError) |
| 97 | return err |
| 98 | } |
| 99 | acceptConfirmation := tls13.ExpandLabel(h, prk, "ech accept confirmation", confTranscript.Sum(nil), 8) |
| 100 | if subtle.ConstantTimeCompare(acceptConfirmation, hs.serverHello.random[len(hs.serverHello.random)-8:]) == 1 { |
| 101 | hs.hello = hs.echContext.innerHello |
| 102 | c.serverName = c.config.ServerName |
| 103 | hs.transcript = hs.echContext.innerTranscript |
| 104 | c.echAccepted = true |