| 86 | } |
| 87 | |
| 88 | func (hs *serverHandshakeStateTLS13) handshake() error { |
| 89 | c := hs.c |
| 90 | if c.config.Show { |
| 91 | remoteAddr := c.RemoteAddr().String() |
| 92 | fmt.Printf("REALITY remoteAddr: %v\tis using X25519MLKEM768 for TLS' communication: %v\n", remoteAddr, hs.hello.serverShare.group == X25519MLKEM768) |
| 93 | fmt.Printf("REALITY remoteAddr: %v\tis using ML-DSA-65 for cert's extra signature: %v\n", remoteAddr, len(c.config.Mldsa65Key) > 0) |
| 94 | } |
| 95 | // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. |
| 96 | /* |
| 97 | if err := hs.processClientHello(); err != nil { |
| 98 | return err |
| 99 | } |
| 100 | */ |
| 101 | { |
| 102 | hs.suite = cipherSuiteTLS13ByID(hs.hello.cipherSuite) |
| 103 | c.cipherSuite = hs.suite.id |
| 104 | hs.transcript = hs.suite.hash.New() |
| 105 | |
| 106 | var peerData []byte |
| 107 | for _, keyShare := range hs.clientHello.keyShares { |
| 108 | if keyShare.group == hs.hello.serverShare.group { |
| 109 | peerData = keyShare.data |
| 110 | break |
| 111 | } |
| 112 | } |
| 113 | |
| 114 | var peerPub = peerData |
| 115 | if hs.hello.serverShare.group == X25519MLKEM768 { |
| 116 | peerPub = peerData[mlkem.EncapsulationKeySize768:] |
| 117 | } |
| 118 | |
| 119 | key, _ := generateECDHEKey(c.config.rand(), X25519) |
| 120 | copy(hs.hello.serverShare.data, key.PublicKey().Bytes()) |
| 121 | peerKey, _ := key.Curve().NewPublicKey(peerPub) |
| 122 | hs.sharedKey, _ = key.ECDH(peerKey) |
| 123 | |
| 124 | if hs.hello.serverShare.group == X25519MLKEM768 { |
| 125 | k, _ := mlkem.NewEncapsulationKey768(peerData[:mlkem.EncapsulationKeySize768]) |
| 126 | mlkemSharedSecret, ciphertext := k.Encapsulate() |
| 127 | hs.sharedKey = append(mlkemSharedSecret, hs.sharedKey...) |
| 128 | copy(hs.hello.serverShare.data, append(ciphertext, hs.hello.serverShare.data[:32]...)) |
| 129 | } |
| 130 | |
| 131 | c.serverName = hs.clientHello.serverName |
| 132 | } |
| 133 | /* |
| 134 | if err := hs.checkForResumption(); err != nil { |
| 135 | return err |
| 136 | } |
| 137 | if err := hs.pickCertificate(); err != nil { |
| 138 | return err |
| 139 | } |
| 140 | */ |
| 141 | { |
| 142 | var cert []byte |
| 143 | if len(c.config.Mldsa65Key) > 0 { |
| 144 | cert = bytes.Clone(signedCertMldsa65) |
| 145 | } else { |