Lines Matching refs:hs
45 hs := serverHandshakeState{
48 isResume, err := hs.readClientHello()
57 if err := hs.doResumeHandshake(); err != nil {
60 if err := hs.establishKeys(); err != nil {
66 if hs.hello.ticketSupported {
67 if err := hs.sendSessionTicket(); err != nil {
71 if err := hs.sendFinished(c.serverFinished[:]); err != nil {
78 if err := hs.readFinished(nil); err != nil {
85 if err := hs.doFullHandshake(); err != nil {
88 if err := hs.establishKeys(); err != nil {
91 if err := hs.readFinished(c.clientFinished[:]); err != nil {
96 if err := hs.sendSessionTicket(); err != nil {
99 if err := hs.sendFinished(nil); err != nil {
113 func (hs *serverHandshakeState) readClientHello() (isResume bool, err error) {
114 c := hs.c
121 hs.clientHello, ok = msg.(*clientHelloMsg)
124 return false, unexpectedMessageError(hs.clientHello, msg)
128 if newConfig, err := c.config.GetConfigForClient(hs.clientHelloInfo()); err != nil {
141 c.vers, ok = c.config.mutualVersion(hs.clientHello.vers)
144 return false, fmt.Errorf("tls: client offered an unsupported, maximum protocol version of %x", hs.clientHello.vers)
148 hs.hello = new(serverHelloMsg)
153 for _, curve := range hs.clientHello.supportedCurves {
163 for _, pointFormat := range hs.clientHello.supportedPoints {
169 hs.ellipticOk = supportedCurve && supportedPointFormat
173 for _, compression := range hs.clientHello.compressionMethods {
185 hs.hello.vers = c.vers
186 hs.hello.random = make([]byte, 32)
187 _, err = io.ReadFull(c.config.rand(), hs.hello.random)
193 if len(hs.clientHello.secureRenegotiation) != 0 {
198 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported
199 hs.hello.compressionMethod = compressionNone
200 if len(hs.clientHello.serverName) > 0 {
201 c.serverName = hs.clientHello.serverName
204 if len(hs.clientHello.alpnProtocols) > 0 {
205 if selectedProto, fallback := mutualProtocol(hs.clientHello.alpnProtocols, c.config.NextProtos); !fallback {
206 hs.hello.alpnProtocol = selectedProto
214 if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 {
215 hs.hello.nextProtoNeg = true
216 hs.hello.nextProtos = c.config.NextProtos
220 hs.cert, err = c.config.getCertificate(hs.clientHelloInfo())
225 if hs.clientHello.scts {
226 hs.hello.scts = hs.cert.SignedCertificateTimestamps
229 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok {
232 hs.ecdsaOk = true
234 hs.rsaSignOk = true
240 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok {
243 hs.rsaDecryptOk = true
250 if hs.checkForResumption() {
257 supportedList = hs.clientHello.cipherSuites
259 preferenceList = hs.clientHello.cipherSuites
264 if hs.setCipherSuite(id, supportedList, c.vers) {
269 if hs.suite == nil {
275 for _, id := range hs.clientHello.cipherSuites {
278 if hs.clientHello.vers < c.config.maxVersion() {
290 func (hs *serverHandshakeState) checkForResumption() bool {
291 c := hs.c
298 var sessionTicket = append([]uint8{}, hs.clientHello.sessionTicket...)
299 if hs.sessionState, ok = c.decryptTicket(sessionTicket); !ok {
304 if c.vers != hs.sessionState.vers {
310 for _, id := range hs.clientHello.cipherSuites {
311 if id == hs.sessionState.cipherSuite {
321 if !hs.setCipherSuite(hs.sessionState.cipherSuite, c.config.cipherSuites(), hs.sessionState.vers) {
325 sessionHasClientCerts := len(hs.sessionState.certificates) != 0
337 func (hs *serverHandshakeState) doResumeHandshake() error {
338 c := hs.c
340 hs.hello.cipherSuite = hs.suite.id
343 hs.hello.sessionId = hs.clientHello.sessionId
344 hs.hello.ticketSupported = hs.sessionState.usedOldKey
345 hs.finishedHash = newFinishedHash(c.vers, hs.suite)
346 hs.finishedHash.discardHandshakeBuffer()
347 hs.finishedHash.Write(hs.clientHello.marshal())
348 hs.finishedHash.Write(hs.hello.marshal())
349 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
353 if len(hs.sessionState.certificates) > 0 {
354 if _, err := hs.processCertsFromClient(hs.sessionState.certificates); err != nil {
359 hs.masterSecret = hs.sessionState.masterSecret
364 func (hs *serverHandshakeState) doFullHandshake() error {
365 c := hs.c
367 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 {
368 hs.hello.ocspStapling = true
371 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled
372 hs.hello.cipherSuite = hs.suite.id
374 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite)
378 hs.finishedHash.discardHandshakeBuffer()
380 hs.finishedHash.Write(hs.clientHello.marshal())
381 hs.finishedHash.Write(hs.hello.marshal())
382 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
387 certMsg.certificates = hs.cert.Certificate
388 hs.finishedHash.Write(certMsg.marshal())
393 if hs.hello.ocspStapling {
396 certStatus.response = hs.cert.OCSPStaple
397 hs.finishedHash.Write(certStatus.marshal())
403 keyAgreement := hs.suite.ka(c.vers)
404 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello)
410 hs.finishedHash.Write(skx.marshal())
436 hs.finishedHash.Write(certReq.marshal())
443 hs.finishedHash.Write(helloDone.marshal())
467 hs.finishedHash.Write(certMsg.marshal())
478 pub, err = hs.processCertsFromClient(certMsg.certificates)
495 hs.finishedHash.Write(ckx.marshal())
497 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers)
502 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random)
503 if err := c.config.writeKeyLog(hs.clientHello.random, hs.masterSecret); err != nil {
559 if digest, _, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {
572 if digest, hashFunc, err = hs.finishedHash.hashForClientCertificate(signatureAndHash, hs.masterSecret); err != nil {
582 hs.finishedHash.Write(certVerify.marshal())
585 hs.finishedHash.discardHandshakeBuffer()
590 func (hs *serverHandshakeState) establishKeys() error {
591 c := hs.c
594 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen)
599 if hs.suite.aead == nil {
600 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */)
601 clientHash = hs.suite.mac(c.vers, clientMAC)
602 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */)
603 serverHash = hs.suite.mac(c.vers, serverMAC)
605 clientCipher = hs.suite.aead(clientKey, clientIV)
606 serverCipher = hs.suite.aead(serverKey, serverIV)
615 func (hs *serverHandshakeState) readFinished(out []byte) error {
616 c := hs.c
623 if hs.hello.nextProtoNeg {
633 hs.finishedHash.Write(nextProto.marshal())
647 verify := hs.finishedHash.clientSum(hs.masterSecret)
654 hs.finishedHash.Write(clientFinished.marshal())
659 func (hs *serverHandshakeState) sendSessionTicket() error {
660 if !hs.hello.ticketSupported {
664 c := hs.c
670 cipherSuite: hs.suite.id,
671 masterSecret: hs.masterSecret,
672 certificates: hs.certsFromClient,
679 hs.finishedHash.Write(m.marshal())
687 func (hs *serverHandshakeState) sendFinished(out []byte) error {
688 c := hs.c
695 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret)
696 hs.finishedHash.Write(finished.marshal())
701 c.cipherSuite = hs.suite.id
710 func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (crypto.PublicKey, error) {
711 c := hs.c
713 hs.certsFromClient = certificates
770 func (hs *serverHandshakeState) setCipherSuite(id uint16, supportedCipherSuites []uint16, version uint16) bool {
787 if !hs.ellipticOk {
791 if !hs.ecdsaOk {
794 } else if !hs.rsaSignOk {
797 } else if !hs.rsaDecryptOk {
803 hs.suite = candidate
813 func (hs *serverHandshakeState) clientHelloInfo() *ClientHelloInfo {
814 if hs.cachedClientHelloInfo != nil {
815 return hs.cachedClientHelloInfo
819 if hs.clientHello.vers > VersionTLS12 {
821 } else if hs.clientHello.vers >= VersionSSL30 {
822 supportedVersions = suppVersArray[VersionTLS12-hs.clientHello.vers:]
825 signatureSchemes := make([]SignatureScheme, 0, len(hs.clientHello.signatureAndHashes))
826 for _, sah := range hs.clientHello.signatureAndHashes {
830 hs.cachedClientHelloInfo = &ClientHelloInfo{
831 CipherSuites: hs.clientHello.cipherSuites,
832 ServerName: hs.clientHello.serverName,
833 SupportedCurves: hs.clientHello.supportedCurves,
834 SupportedPoints: hs.clientHello.supportedPoints,
836 SupportedProtos: hs.clientHello.alpnProtocols,
838 Conn: hs.c.conn,
841 return hs.cachedClientHelloInfo
