crypto/tls: support QUIC as a transport
[gostls13.git] / src / crypto / tls / handshake_server_tls13.go
index b7b568cd84ac80a8108ae2fa461c08555db2d98b..69ebe1c7d59659564820ab9217047e50571a1776 100644 (file)
@@ -226,6 +226,20 @@ GroupSelection:
                return errors.New("tls: invalid client key share")
        }
 
+       if c.quic != nil {
+               if hs.clientHello.quicTransportParameters == nil {
+                       // RFC 9001 Section 8.2.
+                       c.sendAlert(alertMissingExtension)
+                       return errors.New("tls: client did not send a quic_transport_parameters extension")
+               }
+               c.quicSetTransportParameters(hs.clientHello.quicTransportParameters)
+       } else {
+               if hs.clientHello.quicTransportParameters != nil {
+                       c.sendAlert(alertUnsupportedExtension)
+                       return errors.New("tls: client sent an unexpected quic_transport_parameters extension")
+               }
+       }
+
        c.serverName = hs.clientHello.serverName
        return nil
 }
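Review bot: The client's quic_transport_parameters are handed to `c.quicSetTransportParameters` while the ClientHello is still being processed, so they are not yet authenticated by the handshake; what the receiver does with them is not visible in this diff. A comment at the call would record that, for example `// Not authenticated until the handshake completes (RFC 9001, Section 8.2); treat as provisional.` The non-QUIC branch reads more directly as `} else if hs.clientHello.quicTransportParameters != nil {` and could carry the same RFC reference, since the unsupported_extension requirement comes from that section as well. The enclosing function starts above the hunk.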
@@ -397,6 +411,9 @@ func (hs *serverHandshakeStateTLS13) pickCertificate() error {
 // sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility
 // with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4.
 func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
+       if hs.c.quic != nil {
+               return nil
+       }
        if hs.sentDummyCCS {
                return nil
        }
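Review bot: The doc comment on sendDummyChangeCipherSpec still describes only the middlebox-compatibility case and does not say that the function is now a no-op when `hs.c.quic != nil`. A one-line comment on the new guard would record the reason, for example `// QUIC prohibits middlebox compatibility mode (RFC 9001, Section 8.4).` The rest of the function body lies outside the hunk.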
@@ -548,10 +565,18 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
 
        clientSecret := hs.suite.deriveSecret(hs.handshakeSecret,
                clientHandshakeTrafficLabel, hs.transcript)
-       c.in.setTrafficSecret(hs.suite, clientSecret)
+       c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
        serverSecret := hs.suite.deriveSecret(hs.handshakeSecret,
                serverHandshakeTrafficLabel, hs.transcript)
-       c.out.setTrafficSecret(hs.suite, serverSecret)
+       c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
+
+       if c.quic != nil {
+               if c.hand.Len() != 0 {
+                       c.sendAlert(alertUnexpectedMessage)
+               }
+               c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
+               c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
+       }
 
        err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret)
        if err != nil {
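Review bot: When `c.hand.Len() != 0` the new QUIC block sends alertUnexpectedMessage but discards sendAlert's return value and still goes on to call quicSetWriteSecret and quicSetReadSecret, so handshake bytes left buffered across the key change do not stop this function. Unless sendAlert latches a sticky connection error somewhere outside this diff, the handshake keeps running with the Handshake-level secrets already handed to the QUIC layer. Returning at that point makes the failure explicit: `return c.sendAlert(alertUnexpectedMessage)`. The same pattern, marked with a TODO, appears in the sendServerFinished hunk for the Application level. sendServerParameters starts and ends outside this hunk.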
@@ -566,7 +591,7 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
 
        encryptedExtensions := new(encryptedExtensionsMsg)
 
-       selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols)
+       selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil)
        if err != nil {
                c.sendAlert(alertNoApplicationProtocol)
                return err
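Review bot: The new third argument `c.quic != nil` is a bare boolean whose effect on negotiation cannot be read at the call site, and negotiateALPN's definition is outside this diff. If it makes ALPN mandatory under QUIC, which RFC 9001 Section 8.1 requires, a comment here would make that security-relevant difference visible: `// Under QUIC, failing to negotiate an application protocol is fatal (RFC 9001, Section 8.1).`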
@@ -574,6 +599,14 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
        encryptedExtensions.alpnProtocol = selectedProto
        c.clientProtocol = selectedProto
 
+       if c.quic != nil {
+               p, err := c.quicGetTransportParameters()
+               if err != nil {
+                       return err
+               }
+               encryptedExtensions.quicTransportParameters = p
+       }
+
        if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil {
                return err
        }
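Review bot: The error from `c.quicGetTransportParameters()` is returned without an alert, whereas the ALPN failure path earlier in sendServerParameters calls `c.sendAlert(alertNoApplicationProtocol)` before returning. If this failure is local to the server, which cannot be confirmed from the hunk, sending `c.sendAlert(alertInternalError)` before `return err` would keep the error paths consistent and tell the peer why the handshake stopped. The inner `p, err :=` also shadows the function-level `err`; that is harmless here but easy to trip over in a later edit.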
@@ -672,7 +705,15 @@ func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
                clientApplicationTrafficLabel, hs.transcript)
        serverSecret := hs.suite.deriveSecret(hs.masterSecret,
                serverApplicationTrafficLabel, hs.transcript)
-       c.out.setTrafficSecret(hs.suite, serverSecret)
+       c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
+
+       if c.quic != nil {
+               if c.hand.Len() != 0 {
+                       // TODO: Handle this in setTrafficSecret?
+                       c.sendAlert(alertUnexpectedMessage)
+               }
+               c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, serverSecret)
+       }
 
        err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret)
        if err != nil {
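Review bot: Only the write secret is handed to the QUIC layer for the Application level here, and no matching quicSetReadSecret call appears in the readClientFinished hunk, which only updates `c.in`. If the 1-RTT read secret is deliberately withheld until the handshake completes, say so next to the call, for example `// The Application read secret is provided only once the handshake completes (RFC 9001, Section 5.7).` If that is not the intent, the read side looks missing. sendServerFinished continues outside the hunk.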
@@ -887,7 +928,7 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error {
                return errors.New("tls: invalid client finished hash")
        }
 
-       c.in.setTrafficSecret(hs.suite, hs.trafficSecret)
+       c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
 
        return nil
 }