| 199 | } |
| 200 | |
| 201 | func (hs *serverHandshakeStateTLS13) processClientHello() error { |
| 202 | c := hs.c |
| 203 | |
| 204 | hs.hello = new(serverHelloMsg) |
| 205 | |
| 206 | // TLS 1.3 froze the ServerHello.legacy_version field, and uses |
| 207 | // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1. |
| 208 | hs.hello.vers = VersionTLS12 |
| 209 | hs.hello.supportedVersion = c.vers |
| 210 | |
| 211 | if len(hs.clientHello.supportedVersions) == 0 { |
| 212 | c.sendAlert(alertIllegalParameter) |
| 213 | return errors.New("tls: client used the legacy version field to negotiate TLS 1.3") |
| 214 | } |
| 215 | |
| 216 | // Abort if the client is doing a fallback and landing lower than what we |
| 217 | // support. See RFC 7507, which however does not specify the interaction |
| 218 | // with supported_versions. The only difference is that with |
| 219 | // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4] |
| 220 | // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case, |
| 221 | // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to |
| 222 | // TLS 1.2, because a TLS 1.3 server would abort here. The situation before |
| 223 | // supported_versions was not better because there was just no way to do a |
| 224 | // TLS 1.4 handshake without risking the server selecting TLS 1.3. |
| 225 | for _, id := range hs.clientHello.cipherSuites { |
| 226 | if id == TLS_FALLBACK_SCSV { |
| 227 | // Use c.vers instead of max(supported_versions) because an attacker |
| 228 | // could defeat this by adding an arbitrary high version otherwise. |
| 229 | if c.vers < c.config.maxSupportedVersion(roleServer) { |
| 230 | c.sendAlert(alertInappropriateFallback) |
| 231 | return errors.New("tls: client using inappropriate protocol fallback") |
| 232 | } |
| 233 | break |
| 234 | } |
| 235 | } |
| 236 | |
| 237 | if len(hs.clientHello.compressionMethods) != 1 || |
| 238 | hs.clientHello.compressionMethods[0] != compressionNone { |
| 239 | c.sendAlert(alertIllegalParameter) |
| 240 | return errors.New("tls: TLS 1.3 client supports illegal compression methods") |
| 241 | } |
| 242 | |
| 243 | hs.hello.random = make([]byte, 32) |
| 244 | if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil { |
| 245 | c.sendAlert(alertInternalError) |
| 246 | return err |
| 247 | } |
| 248 | |
| 249 | if len(hs.clientHello.secureRenegotiation) != 0 { |
| 250 | c.sendAlert(alertHandshakeFailure) |
| 251 | return errors.New("tls: initial handshake had non-empty renegotiation extension") |
| 252 | } |
| 253 | |
| 254 | if hs.clientHello.earlyData && c.quic != nil { |
| 255 | if len(hs.clientHello.pskIdentities) == 0 { |
| 256 | c.sendAlert(alertIllegalParameter) |
| 257 | return errors.New("tls: early_data without pre_shared_key") |
| 258 | } |