Method processClientHello

handshake_server_tls13.go:201–423
201func (hs *serverHandshakeStateTLS13) processClientHello() error {
202 c := hs.c
203
204 hs.hello = new(serverHelloMsg)
205
206 // TLS 1.3 froze the ServerHello.legacy_version field, and uses
207 // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1.
208 hs.hello.vers = VersionTLS12
209 hs.hello.supportedVersion = c.vers
210
211 if len(hs.clientHello.supportedVersions) == 0 {
212 c.sendAlert(alertIllegalParameter)
213 return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
214 }
215
216 // Abort if the client is doing a fallback and landing lower than what we
217 // support. See RFC 7507, which however does not specify the interaction
218 // with supported_versions. The only difference is that with
219 // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4]
220 // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case,
221 // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to
222 // TLS 1.2, because a TLS 1.3 server would abort here. The situation before
223 // supported_versions was not better because there was just no way to do a
224 // TLS 1.4 handshake without risking the server selecting TLS 1.3.
225 for _, id := range hs.clientHello.cipherSuites {
226 if id == TLS_FALLBACK_SCSV {
227 // Use c.vers instead of max(supported_versions) because an attacker
228 // could defeat this by adding an arbitrary high version otherwise.
229 if c.vers < c.config.maxSupportedVersion(roleServer) {
230 c.sendAlert(alertInappropriateFallback)
231 return errors.New("tls: client using inappropriate protocol fallback")
232 }
233 break
234 }
235 }
236
237 if len(hs.clientHello.compressionMethods) != 1 ||
238 hs.clientHello.compressionMethods[0] != compressionNone {
239 c.sendAlert(alertIllegalParameter)
240 return errors.New("tls: TLS 1.3 client supports illegal compression methods")
241 }
242
243 hs.hello.random = make([]byte, 32)
244 if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil {
245 c.sendAlert(alertInternalError)
246 return err
247 }
248
249 if len(hs.clientHello.secureRenegotiation) != 0 {
250 c.sendAlert(alertHandshakeFailure)
251 return errors.New("tls: initial handshake had non-empty renegotiation extension")
252 }
253
254 if hs.clientHello.earlyData && c.quic != nil {
255 if len(hs.clientHello.pskIdentities) == 0 {
256 c.sendAlert(alertIllegalParameter)
257 return errors.New("tls: early_data without pre_shared_key")
258 }
