From 634f9a58586c07731cfdab5ce050d803f4ea0bd9 Mon Sep 17 00:00:00 2001
From: Peter Wu
Date: Mon, 27 Nov 2017 15:47:45 +0000
Subject: [PATCH] crypto/tls: prepare for TLS 1.3 client handshake.
This change splits handshake processing for TLS 1.3, reindenting the TLS 1.2 code path and splitting initializationg of the handshake hash. No equivalent is added for processServerHello because session resumption is not supported yet.
---
 13.go | 7 +++++++
 handshake_client.go | 51 +++++++++++++++++++++++++++++++--------------
 2 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/13.go b/13.go
index 1626f1e..c5f48b1 100644
--- a/13.go
+++ b/13.go
@@ -735,3 +735,10 @@ func (hs *serverHandshakeState) traceErr(err error) {
 }
 }
 }
+
+func (hs *clientHandshakeState) doTLS13Handshake() error {
+ // TODO key exchange phase
+ // TODO server params phase
+ // TODO auth phase
+ return nil
+}
diff --git a/handshake_client.go b/handshake_client.go
index 140dcd5..821a446 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -25,9 +25,14 @@ type clientHandshakeState struct {
 serverHello *serverHelloMsg
 hello *clientHelloMsg
 suite *cipherSuite
- finishedHash finishedHash
 masterSecret []byte
 session *ClientSessionState
+
+ // TLS 1.0-1.2 fields
+ finishedHash finishedHash
+
+ // TLS 1.3 fields
+ keySchedule *keySchedule13
 }
 func makeClientHello(config *Config) (*clientHelloMsg, error) {
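Review bot: `doTLS13Handshake` in 13.go returns `nil` although none of the three phases named in its TODOs exists yet, so the stub reports success without a key exchange or any server authentication. handshake() in handshake_client.go calls it whenever `c.vers >= VersionTLS13` and then only flushes; the rest of handshake() lies outside the hunk, but if it treats a nil error as a finished handshake, a negotiated TLS 1.3 connection would be accepted with no certificate check. Until the auth phase lands the stub should fail closed, e.g. `return errors.New("tls: TLS 1.3 client handshake not implemented")` (assuming `errors` is imported in 13.go, which the hunk does not show). A doc comment on the function stating that it must not return nil before the server's certificate and Finished message have been verified would keep the next patch honest.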
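Review bot: The new group comments in `clientHandshakeState` (handshake_client.go) do not say that each group is populated on only one path: per the handshake() hunk, `keySchedule` stays nil unless `c.vers >= VersionTLS13`, and `finishedHash` stays at its zero value on the TLS 1.3 path. A helper shared by both paths that touches the wrong field would either dereference nil or hash into a transcript nobody reads, so I would spell the invariant out, e.g. `// TLS 1.3 fields; keySchedule is nil unless c.vers >= VersionTLS13`. `masterSecret` is left in the common group; whether the TLS 1.3 path uses it is not visible in this patch, so a word on that would help as well.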
@@ -214,26 +219,40 @@ func (hs *clientHandshakeState) handshake() error {
 return err
 }
- isResume, err := hs.processServerHello()
- if err != nil {
- return err
- }
+ var isResume bool
+ if c.vers >= VersionTLS13 {
+ hs.keySchedule = newKeySchedule13(hs.suite, c.config, hs.hello.random)
+ hs.keySchedule.write(hs.hello.marshal())
+ hs.keySchedule.write(hs.serverHello.marshal())
+ } else {
+ isResume, err = hs.processServerHello()
+ if err != nil {
+ return err
+ }
- hs.finishedHash = newFinishedHash(c.vers, hs.suite)
+ hs.finishedHash = newFinishedHash(c.vers, hs.suite)
- // No signatures of the handshake are needed in a resumption.
- // Otherwise, in a full handshake, if we don't have any certificates
- // configured then we will never send a CertificateVerify message and
- // thus no signatures are needed in that case either.
- if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
- hs.finishedHash.discardHandshakeBuffer()
- }
+ // No signatures of the handshake are needed in a resumption.
+ // Otherwise, in a full handshake, if we don't have any certificates
+ // configured then we will never send a CertificateVerify message and
+ // thus no signatures are needed in that case either.
+ if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) {
+ hs.finishedHash.discardHandshakeBuffer()
+ }
- hs.finishedHash.Write(hs.hello.marshal())
- hs.finishedHash.Write(hs.serverHello.marshal())
+ hs.finishedHash.Write(hs.hello.marshal())
+ hs.finishedHash.Write(hs.serverHello.marshal())
+ }
 c.buffering = true
- if isResume {
+ if c.vers >= VersionTLS13 {
+ if err := hs.doTLS13Handshake(); err != nil {
+ return err
+ }
+ if _, err := c.flush(); err != nil {
+ return err
+ }
+ } else if isResume {
 if err := hs.establishKeys(); err != nil {
 return err
 }
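Review bot: The TLS 1.3 branch of handshake() skips `processServerHello` altogether, and the commit message justifies that only by the lack of session resumption. The body of processServerHello is not part of this patch; if it also validates ServerHello fields (for example the compression method or the ALPN selection), those checks are dropped for TLS 1.3 and nothing in the new code records it. I would mark the branch, e.g. `// TODO(TLS 1.3): ServerHello validation done in processServerHello is skipped on this path`, or move the validation into a helper both paths call. handshake() starts and ends outside this hunk, so what runs after the `c.flush()` call could not be checked here.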