()
| 544 | } |
| 545 | |
| 546 | func (hs *clientHandshakeStateTLS13) readServerParameters() error { |
| 547 | c := hs.c |
| 548 | |
| 549 | msg, err := c.readHandshake(hs.transcript) |
| 550 | if err != nil { |
| 551 | return err |
| 552 | } |
| 553 | |
| 554 | encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) |
| 555 | if !ok { |
| 556 | c.sendAlert(alertUnexpectedMessage) |
| 557 | return unexpectedMessageError(encryptedExtensions, msg) |
| 558 | } |
| 559 | |
| 560 | if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol, c.quic != nil); err != nil { |
| 561 | // RFC 8446 specifies that no_application_protocol is sent by servers, but |
| 562 | // does not specify how clients handle the selection of an incompatible protocol. |
| 563 | // RFC 9001 Section 8.1 specifies that QUIC clients send no_application_protocol |
| 564 | // in this case. Always sending no_application_protocol seems reasonable. |
| 565 | c.sendAlert(alertNoApplicationProtocol) |
| 566 | return err |
| 567 | } |
| 568 | c.clientProtocol = encryptedExtensions.alpnProtocol |
| 569 | |
| 570 | if c.quic != nil { |
| 571 | if encryptedExtensions.quicTransportParameters == nil { |
| 572 | // RFC 9001 Section 8.2. |
| 573 | c.sendAlert(alertMissingExtension) |
| 574 | return errors.New("tls: server did not send a quic_transport_parameters extension") |
| 575 | } |
| 576 | c.quicSetTransportParameters(encryptedExtensions.quicTransportParameters) |
| 577 | } else { |
| 578 | if encryptedExtensions.quicTransportParameters != nil { |
| 579 | c.sendAlert(alertUnsupportedExtension) |
| 580 | return errors.New("tls: server sent an unexpected quic_transport_parameters extension") |
| 581 | } |
| 582 | } |
| 583 | |
| 584 | if !hs.hello.earlyData && encryptedExtensions.earlyData { |
| 585 | c.sendAlert(alertUnsupportedExtension) |
| 586 | return errors.New("tls: server sent an unexpected early_data extension") |
| 587 | } |
| 588 | if hs.hello.earlyData && !encryptedExtensions.earlyData { |
| 589 | c.quicRejectedEarlyData() |
| 590 | } |
| 591 | if encryptedExtensions.earlyData { |
| 592 | if hs.session.cipherSuite != c.cipherSuite { |
| 593 | c.sendAlert(alertHandshakeFailure) |
| 594 | return errors.New("tls: server accepted 0-RTT with the wrong cipher suite") |
| 595 | } |
| 596 | if hs.session.alpnProtocol != c.clientProtocol { |
| 597 | c.sendAlert(alertHandshakeFailure) |
| 598 | return errors.New("tls: server accepted 0-RTT with the wrong ALPN") |
| 599 | } |
| 600 | } |
| 601 | if hs.echContext != nil { |
| 602 | if hs.echContext.echRejected { |
| 603 | hs.echContext.retryConfigs = encryptedExtensions.echRetryConfigs |
no test coverage detected