crypto/tls: minor refactors for readability
Change-Id: I93e73f16474b4b31f7097af2f9479822dfc34c5c Reviewed-on: https://go-review.googlesource.com/20678 Reviewed-by: Adam Langley <agl@golang.org>
This commit is contained in:
parent
9f2da1d218
commit
e15014c62b
@ -552,14 +552,15 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {
|
|||||||
}
|
}
|
||||||
c.scts = hs.serverHello.scts
|
c.scts = hs.serverHello.scts
|
||||||
|
|
||||||
if hs.serverResumedSession() {
|
if !hs.serverResumedSession() {
|
||||||
// Restore masterSecret and peerCerts from previous state
|
return false, nil
|
||||||
hs.masterSecret = hs.session.masterSecret
|
|
||||||
c.peerCertificates = hs.session.serverCertificates
|
|
||||||
c.verifiedChains = hs.session.verifiedChains
|
|
||||||
return true, nil
|
|
||||||
}
|
}
|
||||||
return false, nil
|
|
||||||
|
// Restore masterSecret and peerCerts from previous state
|
||||||
|
hs.masterSecret = hs.session.masterSecret
|
||||||
|
c.peerCertificates = hs.session.serverCertificates
|
||||||
|
c.verifiedChains = hs.session.verifiedChains
|
||||||
|
return true, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func (hs *clientHandshakeState) readFinished(out []byte) error {
|
func (hs *clientHandshakeState) readFinished(out []byte) error {
|
||||||
|
@ -1316,11 +1316,8 @@ func (m *certificateRequestMsg) unmarshal(data []byte) bool {
|
|||||||
m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
|
m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
|
||||||
cas = cas[caLen:]
|
cas = cas[caLen:]
|
||||||
}
|
}
|
||||||
if len(data) > 0 {
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
return len(data) == 0
|
||||||
}
|
}
|
||||||
|
|
||||||
type certificateVerifyMsg struct {
|
type certificateVerifyMsg struct {
|
||||||
|
@ -187,12 +187,13 @@ Curves:
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if hs.cert, err = config.getCertificate(&ClientHelloInfo{
|
hs.cert, err = config.getCertificate(&ClientHelloInfo{
|
||||||
CipherSuites: hs.clientHello.cipherSuites,
|
CipherSuites: hs.clientHello.cipherSuites,
|
||||||
ServerName: hs.clientHello.serverName,
|
ServerName: hs.clientHello.serverName,
|
||||||
SupportedCurves: hs.clientHello.supportedCurves,
|
SupportedCurves: hs.clientHello.supportedCurves,
|
||||||
SupportedPoints: hs.clientHello.supportedPoints,
|
SupportedPoints: hs.clientHello.supportedPoints,
|
||||||
}); err != nil {
|
})
|
||||||
|
if err != nil {
|
||||||
c.sendAlert(alertInternalError)
|
c.sendAlert(alertInternalError)
|
||||||
return false, err
|
return false, err
|
||||||
}
|
}
|
||||||
@ -710,20 +711,20 @@ func (hs *serverHandshakeState) processCertsFromClient(certificates [][]byte) (c
|
|||||||
c.verifiedChains = chains
|
c.verifiedChains = chains
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(certs) > 0 {
|
if len(certs) == 0 {
|
||||||
var pub crypto.PublicKey
|
return nil, nil
|
||||||
switch key := certs[0].PublicKey.(type) {
|
|
||||||
case *ecdsa.PublicKey, *rsa.PublicKey:
|
|
||||||
pub = key
|
|
||||||
default:
|
|
||||||
c.sendAlert(alertUnsupportedCertificate)
|
|
||||||
return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
|
|
||||||
}
|
|
||||||
c.peerCertificates = certs
|
|
||||||
return pub, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return nil, nil
|
var pub crypto.PublicKey
|
||||||
|
switch key := certs[0].PublicKey.(type) {
|
||||||
|
case *ecdsa.PublicKey, *rsa.PublicKey:
|
||||||
|
pub = key
|
||||||
|
default:
|
||||||
|
c.sendAlert(alertUnsupportedCertificate)
|
||||||
|
return nil, fmt.Errorf("tls: client's certificate contains an unsupported public key of type %T", certs[0].PublicKey)
|
||||||
|
}
|
||||||
|
c.peerCertificates = certs
|
||||||
|
return pub, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState
|
// setCipherSuite sets a cipherSuite with the given id as the serverHandshakeState
|
||||||
|
@ -126,11 +126,7 @@ func (s *sessionState) unmarshal(data []byte) bool {
|
|||||||
data = data[certLen:]
|
data = data[certLen:]
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(data) > 0 {
|
return len(data) == 0
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
||||||
return true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) {
|
func (c *Conn) encryptTicket(state *sessionState) ([]byte, error) {
|
||||||
|
17
tls.go
17
tls.go
@ -210,11 +210,11 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
|
|||||||
if len(cert.Certificate) == 0 {
|
if len(cert.Certificate) == 0 {
|
||||||
if len(skippedBlockTypes) == 0 {
|
if len(skippedBlockTypes) == 0 {
|
||||||
return fail(errors.New("crypto/tls: failed to find any PEM data in certificate input"))
|
return fail(errors.New("crypto/tls: failed to find any PEM data in certificate input"))
|
||||||
} else if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
|
|
||||||
return fail(errors.New("crypto/tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
|
|
||||||
} else {
|
|
||||||
return fail(fmt.Errorf("crypto/tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
|
|
||||||
}
|
}
|
||||||
|
if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") {
|
||||||
|
return fail(errors.New("crypto/tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched"))
|
||||||
|
}
|
||||||
|
return fail(fmt.Errorf("crypto/tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
|
||||||
}
|
}
|
||||||
|
|
||||||
skippedBlockTypes = skippedBlockTypes[:0]
|
skippedBlockTypes = skippedBlockTypes[:0]
|
||||||
@ -224,11 +224,11 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
|
|||||||
if keyDERBlock == nil {
|
if keyDERBlock == nil {
|
||||||
if len(skippedBlockTypes) == 0 {
|
if len(skippedBlockTypes) == 0 {
|
||||||
return fail(errors.New("crypto/tls: failed to find any PEM data in key input"))
|
return fail(errors.New("crypto/tls: failed to find any PEM data in key input"))
|
||||||
} else if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
|
|
||||||
return fail(errors.New("crypto/tls: found a certificate rather than a key in the PEM for the private key"))
|
|
||||||
} else {
|
|
||||||
return fail(fmt.Errorf("crypto/tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
|
|
||||||
}
|
}
|
||||||
|
if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" {
|
||||||
|
return fail(errors.New("crypto/tls: found a certificate rather than a key in the PEM for the private key"))
|
||||||
|
}
|
||||||
|
return fail(fmt.Errorf("crypto/tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes))
|
||||||
}
|
}
|
||||||
if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
|
if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") {
|
||||||
break
|
break
|
||||||
@ -262,7 +262,6 @@ func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) {
|
|||||||
priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
|
priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey)
|
||||||
if !ok {
|
if !ok {
|
||||||
return fail(errors.New("crypto/tls: private key type does not match public key type"))
|
return fail(errors.New("crypto/tls: private key type does not match public key type"))
|
||||||
|
|
||||||
}
|
}
|
||||||
if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
|
if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 {
|
||||||
return fail(errors.New("crypto/tls: private key does not match public key"))
|
return fail(errors.New("crypto/tls: private key does not match public key"))
|
||||||
|
Loading…
Reference in New Issue
Block a user