package tls
import (
)
const maxClientPSKIdentities = 5
type echServerContext struct {
hpkeContext *hpke.Receipient
configID uint8
ciphersuite echCipher
transcript hash.Hash
inner bool
}
type serverHandshakeStateTLS13 struct {
c *Conn
ctx context.Context
clientHello *clientHelloMsg
hello *serverHelloMsg
sentDummyCCS bool
usingPSK bool
earlyData bool
suite *cipherSuiteTLS13
cert *Certificate
sigAlg SignatureScheme
earlySecret *tls13.EarlySecret
sharedKey []byte
handshakeSecret *tls13.HandshakeSecret
masterSecret *tls13.MasterSecret
trafficSecret []byte
transcript hash.Hash
clientFinished []byte
echContext *echServerContext
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
if := .processClientHello(); != nil {
return
}
if := .checkForResumption(); != nil {
return
}
if := .pickCertificate(); != nil {
return
}
.buffering = true
if := .sendServerParameters(); != nil {
return
}
if := .sendServerCertificate(); != nil {
return
}
if := .sendServerFinished(); != nil {
return
}
if , := .flush(); != nil {
return
}
if := .readClientCertificate(); != nil {
return
}
if := .readClientFinished(); != nil {
return
}
.isHandshakeComplete.Store(true)
return nil
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
.hello = new(serverHelloMsg)
.hello.vers = VersionTLS12
.hello.supportedVersion = .vers
if len(.clientHello.supportedVersions) == 0 {
.sendAlert(alertIllegalParameter)
return errors.New("tls: client used the legacy version field to negotiate TLS 1.3")
}
for , := range .clientHello.cipherSuites {
if == TLS_FALLBACK_SCSV {
if .vers < .config.maxSupportedVersion(roleServer) {
.sendAlert(alertInappropriateFallback)
return errors.New("tls: client using inappropriate protocol fallback")
}
break
}
}
if len(.clientHello.compressionMethods) != 1 ||
.clientHello.compressionMethods[0] != compressionNone {
.sendAlert(alertIllegalParameter)
return errors.New("tls: TLS 1.3 client supports illegal compression methods")
}
.hello.random = make([]byte, 32)
if , := io.ReadFull(.config.rand(), .hello.random); != nil {
.sendAlert(alertInternalError)
return
}
if len(.clientHello.secureRenegotiation) != 0 {
.sendAlert(alertHandshakeFailure)
return errors.New("tls: initial handshake had non-empty renegotiation extension")
}
if .clientHello.earlyData && .quic != nil {
if len(.clientHello.pskIdentities) == 0 {
.sendAlert(alertIllegalParameter)
return errors.New("tls: early_data without pre_shared_key")
}
} else if .clientHello.earlyData {
.sendAlert(alertUnsupportedExtension)
return errors.New("tls: client sent unexpected early data")
}
.hello.sessionId = .clientHello.sessionId
.hello.compressionMethod = compressionNone
:= defaultCipherSuitesTLS13
if !hasAESGCMHardwareSupport || !aesgcmPreferred(.clientHello.cipherSuites) {
= defaultCipherSuitesTLS13NoAES
}
if fips140tls.Required() {
= defaultCipherSuitesTLS13FIPS
}
for , := range {
.suite = mutualCipherSuiteTLS13(.clientHello.cipherSuites, )
if .suite != nil {
break
}
}
if .suite == nil {
.sendAlert(alertHandshakeFailure)
return errors.New("tls: no cipher suite supported by both client and server")
}
.cipherSuite = .suite.id
.hello.cipherSuite = .suite.id
.transcript = .suite.hash.New()
:= .config.curvePreferences(.vers)
= slices.DeleteFunc(, func( CurveID) bool {
return !slices.Contains(.clientHello.supportedCurves, )
})
if len() == 0 {
.sendAlert(alertHandshakeFailure)
return errors.New("tls: no key exchanges supported by both client and server")
}
:= func( CurveID) bool {
for , := range .clientHello.keyShares {
if .group == {
return true
}
}
return false
}
sort.SliceStable(, func(, int) bool {
return ([]) && !([])
})
sort.SliceStable(, func(, int) bool {
return isPQKeyExchange([]) && !isPQKeyExchange([])
})
:= [0]
var *keyShare
for , := range .clientHello.keyShares {
if .group == {
= &
break
}
}
if == nil {
, := .doHelloRetryRequest()
if != nil {
return
}
=
}
.curveID =
:=
:= .data
if == X25519MLKEM768 {
= X25519
if len() != mlkem.EncapsulationKeySize768+x25519PublicKeySize {
.sendAlert(alertIllegalParameter)
return errors.New("tls: invalid X25519MLKEM768 client key share")
}
= [mlkem.EncapsulationKeySize768:]
}
if , := curveForCurveID(); ! {
.sendAlert(alertInternalError)
return errors.New("tls: CurvePreferences includes unsupported curve")
}
, := generateECDHEKey(.config.rand(), )
if != nil {
.sendAlert(alertInternalError)
return
}
.hello.serverShare = keyShare{group: , data: .PublicKey().Bytes()}
, := .Curve().NewPublicKey()
if != nil {
.sendAlert(alertIllegalParameter)
return errors.New("tls: invalid client key share")
}
.sharedKey, = .ECDH()
if != nil {
.sendAlert(alertIllegalParameter)
return errors.New("tls: invalid client key share")
}
if == X25519MLKEM768 {
, := mlkem.NewEncapsulationKey768(.data[:mlkem.EncapsulationKeySize768])
if != nil {
.sendAlert(alertIllegalParameter)
return errors.New("tls: invalid X25519MLKEM768 client key share")
}
, := .Encapsulate()
.sharedKey = append(, .sharedKey...)
.hello.serverShare.data = append(, .hello.serverShare.data...)
}
, := negotiateALPN(.config.NextProtos, .clientHello.alpnProtocols, .quic != nil)
if != nil {
.sendAlert(alertNoApplicationProtocol)
return
}
.clientProtocol =
if .quic != nil {
for , := range .clientHello.supportedVersions {
if < VersionTLS13 {
.sendAlert(alertProtocolVersion)
return errors.New("tls: client offered TLS version older than TLS 1.3")
}
}
if .clientHello.quicTransportParameters == nil {
.sendAlert(alertMissingExtension)
return errors.New("tls: client did not send a quic_transport_parameters extension")
}
.quicSetTransportParameters(.clientHello.quicTransportParameters)
} else {
if .clientHello.quicTransportParameters != nil {
.sendAlert(alertUnsupportedExtension)
return errors.New("tls: client sent an unexpected quic_transport_parameters extension")
}
}
.serverName = .clientHello.serverName
return nil
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
if .config.SessionTicketsDisabled {
return nil
}
:= false
for , := range .clientHello.pskModes {
if == pskModeDHE {
= true
break
}
}
if ! {
return nil
}
if len(.clientHello.pskIdentities) != len(.clientHello.pskBinders) {
.sendAlert(alertIllegalParameter)
return errors.New("tls: invalid or missing PSK binders")
}
if len(.clientHello.pskIdentities) == 0 {
return nil
}
for , := range .clientHello.pskIdentities {
if >= maxClientPSKIdentities {
break
}
var *SessionState
if .config.UnwrapSession != nil {
var error
, = .config.UnwrapSession(.label, .connectionStateLocked())
if != nil {
return
}
if == nil {
continue
}
} else {
:= .config.decryptTicket(.label, .ticketKeys)
if == nil {
continue
}
var error
, = ParseSessionState()
if != nil {
continue
}
}
if .version != VersionTLS13 {
continue
}
:= time.Unix(int64(.createdAt), 0)
if .config.time().Sub() > maxSessionTicketLifetime {
continue
}
:= cipherSuiteTLS13ByID(.cipherSuite)
if == nil || .hash != .suite.hash {
continue
}
:= len(.peerCertificates) != 0
:= requiresClientCert(.config.ClientAuth)
if && ! {
continue
}
if && .config.ClientAuth == NoClientCert {
continue
}
if && .config.time().After(.peerCertificates[0].NotAfter) {
continue
}
if && .config.ClientAuth >= VerifyClientCertIfGiven &&
len(.verifiedChains) == 0 {
continue
}
if .quic != nil && .quic.enableSessionEvents {
if := .quicResumeSession(); != nil {
return
}
}
.earlySecret = tls13.NewEarlySecret(.suite.hash.New, .secret)
:= .earlySecret.ResumptionBinderKey()
:= cloneHash(.transcript, .suite.hash)
if == nil {
.sendAlert(alertInternalError)
return errors.New("tls: internal error: failed to clone hash")
}
, := .clientHello.marshalWithoutBinders()
if != nil {
.sendAlert(alertInternalError)
return
}
.Write()
:= .suite.finishedHash(, )
if !hmac.Equal(.clientHello.pskBinders[], ) {
.sendAlert(alertDecryptError)
return errors.New("tls: invalid PSK binder")
}
if .quic != nil && .clientHello.earlyData && == 0 &&
.EarlyData && .cipherSuite == .suite.id &&
.alpnProtocol == .clientProtocol {
.earlyData = true
:= .suite.hash.New()
if := transcriptMsg(.clientHello, ); != nil {
return
}
:= .earlySecret.ClientEarlyTrafficSecret()
.quicSetReadSecret(QUICEncryptionLevelEarly, .suite.id, )
}
.didResume = true
.peerCertificates = .peerCertificates
.ocspResponse = .ocspResponse
.scts = .scts
.verifiedChains = .verifiedChains
.hello.selectedIdentityPresent = true
.hello.selectedIdentity = uint16()
.usingPSK = true
return nil
}
return nil
}
func ( hash.Hash, crypto.Hash) hash.Hash {
type interface {
() ( []byte, error)
( []byte) error
}
, := .()
if ! {
return nil
}
, := .()
if != nil {
return nil
}
:= .New()
, := .()
if ! {
return nil
}
if := .(); != nil {
return nil
}
return
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
if .usingPSK {
return nil
}
if len(.clientHello.supportedSignatureAlgorithms) == 0 {
return .sendAlert(alertMissingExtension)
}
, := .config.getCertificate(clientHelloInfo(.ctx, , .clientHello))
if != nil {
if == errNoCertificates {
.sendAlert(alertUnrecognizedName)
} else {
.sendAlert(alertInternalError)
}
return
}
.sigAlg, = selectSignatureScheme(.vers, , .clientHello.supportedSignatureAlgorithms)
if != nil {
.sendAlert(alertHandshakeFailure)
return
}
.cert =
return nil
}
func ( *serverHandshakeStateTLS13) () error {
if .c.quic != nil {
return nil
}
if .sentDummyCCS {
return nil
}
.sentDummyCCS = true
return .c.writeChangeCipherRecord()
}
func ( *serverHandshakeStateTLS13) ( CurveID) (*keyShare, error) {
:= .c
if := transcriptMsg(.clientHello, .transcript); != nil {
return nil,
}
:= .transcript.Sum(nil)
.transcript.Reset()
.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len())})
.transcript.Write()
:= &serverHelloMsg{
vers: .hello.vers,
random: helloRetryRequestRandom,
sessionId: .hello.sessionId,
cipherSuite: .hello.cipherSuite,
compressionMethod: .hello.compressionMethod,
supportedVersion: .hello.supportedVersion,
selectedGroup: ,
}
if .echContext != nil {
.encryptedClientHello = make([]byte, 8)
:= cloneHash(.transcript, .suite.hash)
if := transcriptMsg(, ); != nil {
return nil,
}
:= tls13.ExpandLabel(.suite.hash.New,
hkdf.Extract(.suite.hash.New, .clientHello.random, nil),
"hrr ech accept confirmation",
.Sum(nil),
8,
)
.encryptedClientHello =
}
if , := .c.writeHandshakeRecord(, .transcript); != nil {
return nil,
}
if := .sendDummyChangeCipherSpec(); != nil {
return nil,
}
, := .readHandshake(nil)
if != nil {
return nil,
}
, := .(*clientHelloMsg)
if ! {
.sendAlert(alertUnexpectedMessage)
return nil, unexpectedMessageError(, )
}
if .echContext != nil {
if len(.encryptedClientHello) == 0 {
.sendAlert(alertMissingExtension)
return nil, errors.New("tls: second client hello missing encrypted client hello extension")
}
, , , , , := parseECHExt(.encryptedClientHello)
if != nil {
.sendAlert(alertDecodeError)
return nil, errors.New("tls: client sent invalid encrypted client hello extension")
}
if == outerECHExt && .echContext.inner || == innerECHExt && !.echContext.inner {
.sendAlert(alertDecodeError)
return nil, errors.New("tls: unexpected switch in encrypted client hello extension type")
}
if == outerECHExt {
if != .echContext.ciphersuite || != .echContext.configID || len() != 0 {
.sendAlert(alertIllegalParameter)
return nil, errors.New("tls: second client hello encrypted client hello extension does not match")
}
, := decryptECHPayload(.echContext.hpkeContext, .original, )
if != nil {
.sendAlert(alertDecryptError)
return nil, errors.New("tls: failed to decrypt second client hello encrypted client hello extension payload")
}
, := decodeInnerClientHello(, )
if != nil {
.sendAlert(alertIllegalParameter)
return nil, errors.New("tls: client sent invalid encrypted client hello extension")
}
=
}
}
if len(.keyShares) != 1 {
.sendAlert(alertIllegalParameter)
return nil, errors.New("tls: client didn't send one key share in second ClientHello")
}
:= &.keyShares[0]
if .group != {
.sendAlert(alertIllegalParameter)
return nil, errors.New("tls: client sent unexpected key share in second ClientHello")
}
if .earlyData {
.sendAlert(alertIllegalParameter)
return nil, errors.New("tls: client indicated early data in second ClientHello")
}
if illegalClientHelloChange(, .clientHello) {
.sendAlert(alertIllegalParameter)
return nil, errors.New("tls: client illegally modified second ClientHello")
}
.didHRR = true
.clientHello =
return , nil
}
func (, *clientHelloMsg) bool {
if len(.supportedVersions) != len(.supportedVersions) ||
len(.cipherSuites) != len(.cipherSuites) ||
len(.supportedCurves) != len(.supportedCurves) ||
len(.supportedSignatureAlgorithms) != len(.supportedSignatureAlgorithms) ||
len(.supportedSignatureAlgorithmsCert) != len(.supportedSignatureAlgorithmsCert) ||
len(.alpnProtocols) != len(.alpnProtocols) {
return true
}
for := range .supportedVersions {
if .supportedVersions[] != .supportedVersions[] {
return true
}
}
for := range .cipherSuites {
if .cipherSuites[] != .cipherSuites[] {
return true
}
}
for := range .supportedCurves {
if .supportedCurves[] != .supportedCurves[] {
return true
}
}
for := range .supportedSignatureAlgorithms {
if .supportedSignatureAlgorithms[] != .supportedSignatureAlgorithms[] {
return true
}
}
for := range .supportedSignatureAlgorithmsCert {
if .supportedSignatureAlgorithmsCert[] != .supportedSignatureAlgorithmsCert[] {
return true
}
}
for := range .alpnProtocols {
if .alpnProtocols[] != .alpnProtocols[] {
return true
}
}
return .vers != .vers ||
!bytes.Equal(.random, .random) ||
!bytes.Equal(.sessionId, .sessionId) ||
!bytes.Equal(.compressionMethods, .compressionMethods) ||
.serverName != .serverName ||
.ocspStapling != .ocspStapling ||
!bytes.Equal(.supportedPoints, .supportedPoints) ||
.ticketSupported != .ticketSupported ||
!bytes.Equal(.sessionTicket, .sessionTicket) ||
.secureRenegotiationSupported != .secureRenegotiationSupported ||
!bytes.Equal(.secureRenegotiation, .secureRenegotiation) ||
.scts != .scts ||
!bytes.Equal(.cookie, .cookie) ||
!bytes.Equal(.pskModes, .pskModes)
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
if .echContext != nil {
copy(.hello.random[32-8:], make([]byte, 8))
:= cloneHash(.transcript, .suite.hash)
.Write(.clientHello.original)
if := transcriptMsg(.hello, ); != nil {
return
}
:= tls13.ExpandLabel(.suite.hash.New,
hkdf.Extract(.suite.hash.New, .clientHello.random, nil),
"ech accept confirmation",
.Sum(nil),
8,
)
copy(.hello.random[32-8:], )
}
if := transcriptMsg(.clientHello, .transcript); != nil {
return
}
if , := .c.writeHandshakeRecord(.hello, .transcript); != nil {
return
}
if := .sendDummyChangeCipherSpec(); != nil {
return
}
:= .earlySecret
if == nil {
= tls13.NewEarlySecret(.suite.hash.New, nil)
}
.handshakeSecret = .HandshakeSecret(.sharedKey)
:= .handshakeSecret.ClientHandshakeTrafficSecret(.transcript)
.in.setTrafficSecret(.suite, QUICEncryptionLevelHandshake, )
:= .handshakeSecret.ServerHandshakeTrafficSecret(.transcript)
.out.setTrafficSecret(.suite, QUICEncryptionLevelHandshake, )
if .quic != nil {
if .hand.Len() != 0 {
.sendAlert(alertUnexpectedMessage)
}
.quicSetWriteSecret(QUICEncryptionLevelHandshake, .suite.id, )
.quicSetReadSecret(QUICEncryptionLevelHandshake, .suite.id, )
}
:= .config.writeKeyLog(keyLogLabelClientHandshake, .clientHello.random, )
if != nil {
.sendAlert(alertInternalError)
return
}
= .config.writeKeyLog(keyLogLabelServerHandshake, .clientHello.random, )
if != nil {
.sendAlert(alertInternalError)
return
}
:= new(encryptedExtensionsMsg)
.alpnProtocol = .clientProtocol
if .quic != nil {
, := .quicGetTransportParameters()
if != nil {
return
}
.quicTransportParameters =
.earlyData = .earlyData
}
if len(.c.config.EncryptedClientHelloKeys) > 0 && len(.clientHello.encryptedClientHello) > 0 && .echContext == nil {
.echRetryConfigs, = buildRetryConfigList(.c.config.EncryptedClientHelloKeys)
if != nil {
.sendAlert(alertInternalError)
return
}
}
if , := .c.writeHandshakeRecord(, .transcript); != nil {
return
}
return nil
}
func ( *serverHandshakeStateTLS13) () bool {
return .c.config.ClientAuth >= RequestClientCert && !.usingPSK
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
if .usingPSK {
return nil
}
if .requestClientCert() {
:= new(certificateRequestMsgTLS13)
.ocspStapling = true
.scts = true
.supportedSignatureAlgorithms = supportedSignatureAlgorithms()
if .config.ClientCAs != nil {
.certificateAuthorities = .config.ClientCAs.Subjects()
}
if , := .c.writeHandshakeRecord(, .transcript); != nil {
return
}
}
:= new(certificateMsgTLS13)
.certificate = *.cert
.scts = .clientHello.scts && len(.cert.SignedCertificateTimestamps) > 0
.ocspStapling = .clientHello.ocspStapling && len(.cert.OCSPStaple) > 0
if , := .c.writeHandshakeRecord(, .transcript); != nil {
return
}
:= new(certificateVerifyMsg)
.hasSignatureAlgorithm = true
.signatureAlgorithm = .sigAlg
, , := typeAndHashFromSignatureScheme(.sigAlg)
if != nil {
return .sendAlert(alertInternalError)
}
:= signedMessage(, serverSignatureContext, .transcript)
:= crypto.SignerOpts()
if == signatureRSAPSS {
= &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: }
}
, := .cert.PrivateKey.(crypto.Signer).Sign(.config.rand(), , )
if != nil {
:= .cert.PrivateKey.(crypto.Signer).Public()
if , := .(*rsa.PublicKey); && == signatureRSAPSS &&
.N.BitLen()/8 < .Size()*2+2 {
.sendAlert(alertHandshakeFailure)
} else {
.sendAlert(alertInternalError)
}
return errors.New("tls: failed to sign handshake: " + .Error())
}
.signature =
if , := .c.writeHandshakeRecord(, .transcript); != nil {
return
}
return nil
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
:= &finishedMsg{
verifyData: .suite.finishedHash(.out.trafficSecret, .transcript),
}
if , := .c.writeHandshakeRecord(, .transcript); != nil {
return
}
.masterSecret = .handshakeSecret.MasterSecret()
.trafficSecret = .masterSecret.ClientApplicationTrafficSecret(.transcript)
:= .masterSecret.ServerApplicationTrafficSecret(.transcript)
.out.setTrafficSecret(.suite, QUICEncryptionLevelApplication, )
if .quic != nil {
if .hand.Len() != 0 {
.sendAlert(alertUnexpectedMessage)
}
.quicSetWriteSecret(QUICEncryptionLevelApplication, .suite.id, )
}
:= .config.writeKeyLog(keyLogLabelClientTraffic, .clientHello.random, .trafficSecret)
if != nil {
.sendAlert(alertInternalError)
return
}
= .config.writeKeyLog(keyLogLabelServerTraffic, .clientHello.random, )
if != nil {
.sendAlert(alertInternalError)
return
}
.ekm = .suite.exportKeyingMaterial(.masterSecret, .transcript)
if !.requestClientCert() {
if := .sendSessionTickets(); != nil {
return
}
}
return nil
}
func ( *serverHandshakeStateTLS13) () bool {
if .c.config.SessionTicketsDisabled {
return false
}
if .c.quic != nil {
return false
}
for , := range .clientHello.pskModes {
if == pskModeDHE {
return true
}
}
return false
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
.clientFinished = .suite.finishedHash(.in.trafficSecret, .transcript)
:= &finishedMsg{
verifyData: .clientFinished,
}
if := transcriptMsg(, .transcript); != nil {
return
}
.resumptionSecret = .masterSecret.ResumptionMasterSecret(.transcript)
if !.shouldSendSessionTickets() {
return nil
}
return .sendSessionTicket(false, nil)
}
func ( *Conn) ( bool, [][]byte) error {
:= cipherSuiteTLS13ByID(.cipherSuite)
if == nil {
return errors.New("tls: internal error: unknown cipher suite")
}
:= tls13.ExpandLabel(.hash.New, .resumptionSecret, "resumption",
nil, .hash.Size())
:= new(newSessionTicketMsgTLS13)
:= .sessionState()
.secret =
.EarlyData =
.Extra =
if .config.WrapSession != nil {
var error
.label, = .config.WrapSession(.connectionStateLocked(), )
if != nil {
return
}
} else {
, := .Bytes()
if != nil {
.sendAlert(alertInternalError)
return
}
.label, = .config.encryptTicket(, .ticketKeys)
if != nil {
return
}
}
.lifetime = uint32(maxSessionTicketLifetime / time.Second)
:= make([]byte, 4)
if , := .config.rand().Read(); != nil {
return
}
.ageAdd = byteorder.LEUint32()
if {
.maxEarlyData = 0xffffffff
}
if , := .writeHandshakeRecord(, nil); != nil {
return
}
return nil
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
if !.requestClientCert() {
if .config.VerifyConnection != nil {
if := .config.VerifyConnection(.connectionStateLocked()); != nil {
.sendAlert(alertBadCertificate)
return
}
}
return nil
}
, := .readHandshake(.transcript)
if != nil {
return
}
, := .(*certificateMsgTLS13)
if ! {
.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(, )
}
if := .processCertsFromClient(.certificate); != nil {
return
}
if .config.VerifyConnection != nil {
if := .config.VerifyConnection(.connectionStateLocked()); != nil {
.sendAlert(alertBadCertificate)
return
}
}
if len(.certificate.Certificate) != 0 {
, = .readHandshake(nil)
if != nil {
return
}
, := .(*certificateVerifyMsg)
if ! {
.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(, )
}
if !isSupportedSignatureAlgorithm(.signatureAlgorithm, supportedSignatureAlgorithms()) {
.sendAlert(alertIllegalParameter)
return errors.New("tls: client certificate used with invalid signature algorithm")
}
, , := typeAndHashFromSignatureScheme(.signatureAlgorithm)
if != nil {
return .sendAlert(alertInternalError)
}
if == signaturePKCS1v15 || == crypto.SHA1 {
.sendAlert(alertIllegalParameter)
return errors.New("tls: client certificate used with invalid signature algorithm")
}
:= signedMessage(, clientSignatureContext, .transcript)
if := verifyHandshakeSignature(, .peerCertificates[0].PublicKey,
, , .signature); != nil {
.sendAlert(alertDecryptError)
return errors.New("tls: invalid signature by the client certificate: " + .Error())
}
if := transcriptMsg(, .transcript); != nil {
return
}
}
if := .sendSessionTickets(); != nil {
return
}
return nil
}
func ( *serverHandshakeStateTLS13) () error {
:= .c
, := .readHandshake(nil)
if != nil {
return
}
, := .(*finishedMsg)
if ! {
.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(, )
}
if !hmac.Equal(.clientFinished, .verifyData) {
.sendAlert(alertDecryptError)
return errors.New("tls: invalid client finished hash")
}
.in.setTrafficSecret(.suite, QUICEncryptionLevelApplication, .trafficSecret)
return nil
}