crypto/tls: prepare for TLS 1.3 client handshake.

This change splits handshake processing for TLS 1.3, reindenting the TLS 1.2 code path and splitting initializationg of the handshake hash. No equivalent is added for processServerHello because session resumption is not supported yet.
2017-11-27 15:47:45 +00:00 · 2017-11-27 15:47:45 +00:00 · 634f9a5858
commit 634f9a5858
parent 9eb1d7faf7
2 changed files with 44 additions and 18 deletions
--- a/13.go
+++ b/13.go
@ -735,3 +735,10 @@ func (hs *serverHandshakeState) traceErr(err error) {
 		}
 	}
 }
 func (hs *clientHandshakeState) doTLS13Handshake() error {
 	// TODO key exchange phase
 	// TODO server params phase
 	// TODO auth phase
 	return nil
 }
--- a/handshake_client.go
+++ b/handshake_client.go
@ -25,9 +25,14 @@ type clientHandshakeState struct {
 	serverHello  *serverHelloMsg
 	hello        *clientHelloMsg
 	suite        *cipherSuite
 	finishedHash finishedHash
 	masterSecret []byte
 	session      *ClientSessionState
 	// TLS 1.0-1.2 fields
 	finishedHash finishedHash
 	// TLS 1.3 fields
 	keySchedule *keySchedule13
 }
 func makeClientHello(config *Config) (*clientHelloMsg, error) {
@ -214,26 +219,40 @@ func (hs *clientHandshakeState) handshake() error {
 		return err
 	}
-	isResume, err := hs.processServerHello()
+	var isResume bool
-	if err != nil {
+	if c.vers >= VersionTLS13 {
-		return err
+		hs.keySchedule = newKeySchedule13(hs.suite, c.config, hs.hello.random)
 		hs.keySchedule.write(hs.hello.marshal())
 		hs.keySchedule.write(hs.serverHello.marshal())
 	} else {
 		isResume, err = hs.processServerHello()
 		if err != nil {
 			return err
 		}
 		hs.finishedHash = newFinishedHash(c.vers, hs.suite)
 		// No signatures of the handshake are needed in a resumption.
 		// Otherwise, in a full handshake, if we don't have any certificates
 		// configured then we will never send a CertificateVerify message and
 		// thus no signatures are needed in that case either.
 		if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
 			hs.finishedHash.discardHandshakeBuffer()
 		}
 		hs.finishedHash.Write(hs.hello.marshal())
 		hs.finishedHash.Write(hs.serverHello.marshal())
 	}
 	hs.finishedHash = newFinishedHash(c.vers, hs.suite)
 	// No signatures of the handshake are needed in a resumption.
 	// Otherwise, in a full handshake, if we don't have any certificates
 	// configured then we will never send a CertificateVerify message and
 	// thus no signatures are needed in that case either.
 	if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
 		hs.finishedHash.discardHandshakeBuffer()
 	}
 	hs.finishedHash.Write(hs.hello.marshal())
 	hs.finishedHash.Write(hs.serverHello.marshal())
 	c.buffering = true
-	if isResume {
+	if c.vers >= VersionTLS13 {
 		if err := hs.doTLS13Handshake(); err != nil {
 			return err
 		}
 		if _, err := c.flush(); err != nil {
 			return err
 		}
 	} else if isResume {
 		if err := hs.establishKeys(); err != nil {
 			return err
 		}