| 703 | } |
| 704 | |
// readServerFinished reads the server's Finished message, checks its
// verify_data against a MAC computed over the handshake transcript, and then
// derives the application traffic secrets and sets the server one on the
// connection's inbound half.
//
// It returns an error if reading the handshake message fails, if the message
// is not a Finished message (alertUnexpectedMessage is sent), if the MAC does
// not match (alertDecryptError is sent), if adding the message to the
// transcript fails, or if writing either key log entry fails
// (alertInternalError is sent).
func (hs *clientHandshakeStateTLS13) readServerFinished() error {
	conn := hs.c

	// readHandshake is given a nil transcript: the Finished message must not
	// be part of the transcript while its MAC is being checked, because the
	// MAC covers the transcript state from before this message was sent. It is
	// added explicitly with transcriptMsg once verification has succeeded.
	msg, err := conn.readHandshake(nil)
	if err != nil {
		return err
	}

	fin, isFinished := msg.(*finishedMsg)
	if !isFinished {
		conn.sendAlert(alertUnexpectedMessage)
		return unexpectedMessageError(fin, msg)
	}

	// hmac.Equal compares in constant time, so a rejected Finished does not
	// reveal through timing how much of verifyData was correct.
	wantMAC := hs.suite.finishedHash(conn.in.trafficSecret, hs.transcript)
	if !hmac.Equal(wantMAC, fin.verifyData) {
		conn.sendAlert(alertDecryptError)
		return errors.New("tls: invalid server finished hash")
	}

	// Only a verified Finished message is folded into the transcript.
	err = transcriptMsg(fin, hs.transcript)
	if err != nil {
		return err
	}

	// Both application traffic secrets are derived from the transcript as it
	// stands now, i.e. including the server Finished. The client secret is
	// only stored on hs here; the server secret is applied to conn.in.
	hs.trafficSecret = hs.masterSecret.ClientApplicationTrafficSecret(hs.transcript)
	serverAppSecret := hs.masterSecret.ServerApplicationTrafficSecret(hs.transcript)
	conn.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverAppSecret)

	// The application traffic secrets are passed to the key log. Whatever
	// receives them can decrypt this session, so the log destination has to be
	// protected like key material.
	// NOTE(review): writeKeyLog is defined elsewhere; presumably it does
	// nothing unless key logging is configured — confirm.
	if err := conn.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret); err != nil {
		conn.sendAlert(alertInternalError)
		return err
	}
	if err := conn.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverAppSecret); err != nil {
		conn.sendAlert(alertInternalError)
		return err
	}

	// The exporter is bound to the same transcript state as the traffic
	// secrets above.
	conn.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)

	return nil
}
| 753 | |
| 754 | func (hs *clientHandshakeStateTLS13) sendClientCertificate() error { |
| 755 | c := hs.c |