[dev.boringcrypto] all: merge master into dev.boringcrypto
index 95dd8a60ea8daf739b297ce1f9f5479a546c7042..7a84efd2a9c52ff884643697fa56d4ba278ea187 100644 (file)
@@ -310,6 +310,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
                        return errors.New("tls: invalid PSK binder")
                }
 
+               c.didResume = true
                if err := c.processCertsFromClient(sessionState.certificate); err != nil {
                        return err
                }
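Review bot: `c.didResume = true` now runs before `processCertsFromClient` can fail, but the moved line carries no comment saying why it had to leave the group of flags set at the end of this branch (`selectedIdentityPresent`, `selectedIdentity`, `usingPSK`), so a later reader will read the split as accidental and may "tidy" it back. Presumably the motivation is that a callback reached from `processCertsFromClient` and fed `connectionStateLocked()` should observe `DidResume == true`; if so, state it on the line: `// Set before processing the client certificates so that callbacks reading connectionStateLocked() see DidResume == true.` One consequence worth confirming is that on the error return from `processCertsFromClient` the flag stays set on a connection whose handshake has failed, which is harmless only if nothing inspects the connection state after a failed handshake. `checkForResumption` begins and ends outside this hunk.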
@@ -317,7 +318,6 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
                hs.hello.selectedIdentityPresent = true
                hs.hello.selectedIdentity = uint16(i)
                hs.usingPSK = true
-               c.didResume = true
                return nil
        }
 
@@ -757,6 +757,14 @@ func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
        c := hs.c
 
        if !hs.requestClientCert() {
+               // Make sure the connection is still being verified whether or not
+               // the server requested a client certificate.
+               if c.config.VerifyConnection != nil {
+                       if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
+                               c.sendAlert(alertBadCertificate)
+                               return err
+                       }
+               }
                return nil
        }
 
@@ -779,6 +787,13 @@ func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
                return err
        }
 
+       if c.config.VerifyConnection != nil {
+               if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
+                       c.sendAlert(alertBadCertificate)
+                       return err
+               }
+       }
+
        if len(certMsg.certificate.Certificate) != 0 {
                msg, err = c.readHandshake()
                if err != nil {
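Review bot: The `VerifyConnection` call added here runs before the `readHandshake` that follows the `len(certMsg.certificate.Certificate) != 0` check, which presumably is where the client's CertificateVerify message is read and its signature checked; at that point the callback sees `PeerCertificates` whose private-key possession has not yet been proven. That is the same position a chain-verification hook occupies, and the handshake still aborts if the later check fails, but nothing at the call site says so, and a callback that audits or records the peer identity as authenticated would be doing so one step early. A comment at the call, `// VerifyConnection runs before CertificateVerify is checked: the peer's possession of the key is established only after the handshake message read below.`, makes the contract visible; if the intent is instead that the hook sees the fully authenticated peer, the call should move after that message is processed. `readClientCertificate` continues beyond the end of this hunk.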