(selectedGroup CurveID)
| 639 | } |
| 640 | |
| 641 | func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) (*keyShare, error) { |
| 642 | c := hs.c |
| 643 | |
| 644 | // The first ClientHello gets double-hashed into the transcript upon a |
| 645 | // HelloRetryRequest. See RFC 8446, Section 4.4.1. |
| 646 | if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { |
| 647 | return nil, err |
| 648 | } |
| 649 | chHash := hs.transcript.Sum(nil) |
| 650 | hs.transcript.Reset() |
| 651 | hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) |
| 652 | hs.transcript.Write(chHash) |
| 653 | |
| 654 | helloRetryRequest := &serverHelloMsg{ |
| 655 | vers: hs.hello.vers, |
| 656 | random: helloRetryRequestRandom, |
| 657 | sessionId: hs.hello.sessionId, |
| 658 | cipherSuite: hs.hello.cipherSuite, |
| 659 | compressionMethod: hs.hello.compressionMethod, |
| 660 | supportedVersion: hs.hello.supportedVersion, |
| 661 | selectedGroup: selectedGroup, |
| 662 | } |
| 663 | |
| 664 | if hs.echContext != nil { |
| 665 | // Compute the acceptance message. |
| 666 | helloRetryRequest.encryptedClientHello = make([]byte, 8) |
| 667 | confTranscript := cloneHash(hs.transcript, hs.suite.hash) |
| 668 | if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil { |
| 669 | return nil, err |
| 670 | } |
| 671 | h := hs.suite.hash.New |
| 672 | prf, err := hkdf.Extract(h, hs.clientHello.random, nil) |
| 673 | if err != nil { |
| 674 | c.sendAlert(alertInternalError) |
| 675 | return nil, err |
| 676 | } |
| 677 | acceptConfirmation := tls13.ExpandLabel(h, prf, "hrr ech accept confirmation", confTranscript.Sum(nil), 8) |
| 678 | helloRetryRequest.encryptedClientHello = acceptConfirmation |
| 679 | } |
| 680 | |
| 681 | if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil { |
| 682 | return nil, err |
| 683 | } |
| 684 | |
| 685 | if err := hs.sendDummyChangeCipherSpec(); err != nil { |
| 686 | return nil, err |
| 687 | } |
| 688 | |
| 689 | // clientHelloMsg is not included in the transcript. |
| 690 | msg, err := c.readHandshake(nil) |
| 691 | if err != nil { |
| 692 | return nil, err |
| 693 | } |
| 694 | |
| 695 | clientHello, ok := msg.(*clientHelloMsg) |
| 696 | if !ok { |
| 697 | c.sendAlert(alertUnexpectedMessage) |
| 698 | return nil, unexpectedMessageError(clientHello, msg) |
no test coverage detected