hub / github.com/XTLS/REALITY / doHelloRetryRequest

Method doHelloRetryRequest

handshake_server_tls13.go:641–764
(selectedGroup CurveID)

Source from the content-addressed store, hash-verified

639}
640
641func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) (*keyShare, error) {
642 c := hs.c
643
644 // The first ClientHello gets double-hashed into the transcript upon a
645 // HelloRetryRequest. See RFC 8446, Section 4.4.1.
646 if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil {
647 return nil, err
648 }
649 chHash := hs.transcript.Sum(nil)
650 hs.transcript.Reset()
651 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
652 hs.transcript.Write(chHash)
653
654 helloRetryRequest := &serverHelloMsg{
655 vers: hs.hello.vers,
656 random: helloRetryRequestRandom,
657 sessionId: hs.hello.sessionId,
658 cipherSuite: hs.hello.cipherSuite,
659 compressionMethod: hs.hello.compressionMethod,
660 supportedVersion: hs.hello.supportedVersion,
661 selectedGroup: selectedGroup,
662 }
663
664 if hs.echContext != nil {
665 // Compute the acceptance message.
666 helloRetryRequest.encryptedClientHello = make([]byte, 8)
667 confTranscript := cloneHash(hs.transcript, hs.suite.hash)
668 if err := transcriptMsg(helloRetryRequest, confTranscript); err != nil {
669 return nil, err
670 }
671 h := hs.suite.hash.New
672 prf, err := hkdf.Extract(h, hs.clientHello.random, nil)
673 if err != nil {
674 c.sendAlert(alertInternalError)
675 return nil, err
676 }
677 acceptConfirmation := tls13.ExpandLabel(h, prf, "hrr ech accept confirmation", confTranscript.Sum(nil), 8)
678 helloRetryRequest.encryptedClientHello = acceptConfirmation
679 }
680
681 if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil {
682 return nil, err
683 }
684
685 if err := hs.sendDummyChangeCipherSpec(); err != nil {
686 return nil, err
687 }
688
689 // clientHelloMsg is not included in the transcript.
690 msg, err := c.readHandshake(nil)
691 if err != nil {
692 return nil, err
693 }
694
695 clientHello, ok := msg.(*clientHelloMsg)
696 if !ok {
697 c.sendAlert(alertUnexpectedMessage)
698 return nil, unexpectedMessageError(clientHello, msg)

Callers 1

processClientHelloMethod · 0.95

Calls 15

ExpandLabelFunction · 0.92
transcriptMsgFunction · 0.85
cloneHashFunction · 0.85
unexpectedMessageErrorFunction · 0.85
parseECHExtFunction · 0.85
decryptECHPayloadFunction · 0.85
decodeInnerClientHelloFunction · 0.85
illegalClientHelloChangeFunction · 0.85
ResetMethod · 0.80
sendAlertMethod · 0.80
writeHandshakeRecordMethod · 0.80

Tested by

no test coverage detected