Merge pull request #17 from Kotodian/master

lesismal · web-flow · commit f938c60b7f35 · 2022-10-09T12:05:42.000+08:00
pub init problem
diff --git a/std/crypto/tls/conn.go b/std/crypto/tls/conn.go
@@ -688,12 +688,14 @@ func (c *Conn) ResetOrFreeBuffer() {
 
 // readRecordOrCCS reads one or more TLS records from the connection and
 // updates the record layer state. Some invariants:
-//   * c.in must be locked
-//   * c.input must be empty
+//   - c.in must be locked
+//   - c.input must be empty
+//
 // During the handshake one and only one of the following will happen:
 //   - c.hand grows
 //   - c.in.changeCipherSpec is called
 //   - an error is returned
+//
 // After the handshake one and only one of the following will happen:
 //   - c.hand grows
 //   - c.input is set
@@ -1561,7 +1563,6 @@ func (c *Conn) AppendAndRead(bufAppend []byte, bufRead []byte) (int, int, error)
 		}
 		c.rawInput = c.allocator.Append(c.rawInput, bufAppend...)
 	}
-
 	if err := c.Handshake(); err != nil {
 		if c.isNonBlock && err == errDataNotEnough {
 			return len(bufAppend), 0, nil
@@ -1702,7 +1703,6 @@ func (c *Conn) Handshake() error {
 
 	// c.in.Lock()
 	// defer c.in.Unlock()
-
 	c.handshakeErr = c.handshakeFn()
 	if c.isNonBlock && c.handshakeErr == errDataNotEnough {
 		c.handshakeErr = nil
diff --git a/std/crypto/tls/handshake_server.go b/std/crypto/tls/handshake_server.go
@@ -104,7 +104,6 @@ func (c *Conn) serverHandshake() error {
 		}
 		return hs.handshake()
 	}
-
 	hs := c.hs
 	if hs == nil {
 		hs = &serverHandshakeState{
@@ -124,7 +123,6 @@ func (hs *serverHandshakeState) handshake() error {
 	if hs.err != nil && hs.err != errDataNotEnough {
 		return hs.err
 	}
-
 	if err := hs.processClientHello(); err != nil {
 		hs.err = err
 		return err
@@ -203,7 +201,6 @@ func (hs *serverHandshakeState) handshake() error {
 	atomic.StoreUint32(&c.handshakeStatus, 1)
 
 	c.handshakeStatusAsync = stateServerHandshakeHandshakeDone
-
 	return nil
 }
 
@@ -651,8 +648,8 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 				return err
 			}
 		}
-
 		if c.config.ClientAuth >= RequestClientCert {
+			// Request a client certificate
 			initCertReq()
 			hs.finishedHash.Write(certReq.marshal())
 			if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
@@ -669,6 +666,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		if _, err := c.flush(); err != nil {
 			return err
 		}
+
 	}
 
 	if c.handshakeStatusAsync < stateServerHandshakeDoFullHandshake2ReadHandshake1 {
@@ -684,7 +682,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 
 	// If we requested a client certificate, then the client must send a
 	// certificate message, even if it's empty.
-
 	if c.config.ClientAuth >= RequestClientCert {
 		if c.handshakeStatusAsync < stateServerHandshakeDoFullHandshake2HandleCertificateMsg {
 			c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2HandleCertificateMsg
@@ -717,7 +714,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 
 		}
 	}
-
 	if c.handshakeStatusAsync < stateServerHandshakeDoFullHandshake2HandleVerifyConnection {
 		c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2HandleVerifyConnection
 		if c.config.VerifyConnection != nil {
@@ -747,7 +743,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		}
 
 	}
-
 	if c.handshakeStatusAsync >= stateServerHandshakeDoFullHandshake2ReadHandshake3 {
 		return nil
 	}
@@ -771,7 +766,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 			c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2ReadHandshake3
 			return unexpectedMessageError(certVerify, msg)
 		}
-
 		var sigType uint8
 		var sigHash crypto.Hash
 		if c.vers >= VersionTLS12 {
@@ -796,6 +790,11 @@ func (hs *serverHandshakeState) doFullHandshake() error {
 		}
 
 		signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret)
+		if pub == nil {
+			if len(c.peerCertificates) > 0 {
+				pub = c.peerCertificates[0].PublicKey
+			}
+		}
 		if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {
 			c.sendAlert(alertDecryptError)
 			c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2ReadHandshake3

Original file line number	Diff line number	Diff line change
`@@ -104,7 +104,6 @@ func (c *Conn) serverHandshake() error {`
`104`	`104`	`}`
`105`	`105`	`return hs.handshake()`
`106`	`106`	`}`
`107`		`-`
`108`	`107`	`hs := c.hs`
`109`	`108`	`if hs == nil {`
`110`	`109`	`hs = &serverHandshakeState{`
`@@ -124,7 +123,6 @@ func (hs *serverHandshakeState) handshake() error {`
`124`	`123`	`if hs.err != nil && hs.err != errDataNotEnough {`
`125`	`124`	`return hs.err`
`126`	`125`	`}`
`127`		`-`
`128`	`126`	`if err := hs.processClientHello(); err != nil {`
`129`	`127`	`hs.err = err`
`130`	`128`	`return err`
`@@ -203,7 +201,6 @@ func (hs *serverHandshakeState) handshake() error {`
`203`	`201`	`atomic.StoreUint32(&c.handshakeStatus, 1)`
`204`	`202`
`205`	`203`	`c.handshakeStatusAsync = stateServerHandshakeHandshakeDone`
`206`		`-`
`207`	`204`	`return nil`
`208`	`205`	`}`
`209`	`206`
`@@ -651,8 +648,8 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`651`	`648`	`return err`
`652`	`649`	`}`
`653`	`650`	`}`
`654`		`-`
`655`	`651`	`if c.config.ClientAuth >= RequestClientCert {`
	`652`	`+ // Request a client certificate`
`656`	`653`	`initCertReq()`
`657`	`654`	`hs.finishedHash.Write(certReq.marshal())`
`658`	`655`	`if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {`
`@@ -669,6 +666,7 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`669`	`666`	`if _, err := c.flush(); err != nil {`
`670`	`667`	`return err`
`671`	`668`	`}`
	`669`	`+`
`672`	`670`	`}`
`673`	`671`
`674`	`672`	`if c.handshakeStatusAsync < stateServerHandshakeDoFullHandshake2ReadHandshake1 {`
`@@ -684,7 +682,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`684`	`682`
`685`	`683`	`// If we requested a client certificate, then the client must send a`
`686`	`684`	`// certificate message, even if it's empty.`
`687`		`-`
`688`	`685`	`if c.config.ClientAuth >= RequestClientCert {`
`689`	`686`	`if c.handshakeStatusAsync < stateServerHandshakeDoFullHandshake2HandleCertificateMsg {`
`690`	`687`	`c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2HandleCertificateMsg`
`@@ -717,7 +714,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`717`	`714`
`718`	`715`	`}`
`719`	`716`	`}`
`720`		`-`
`721`	`717`	`if c.handshakeStatusAsync < stateServerHandshakeDoFullHandshake2HandleVerifyConnection {`
`722`	`718`	`c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2HandleVerifyConnection`
`723`	`719`	`if c.config.VerifyConnection != nil {`
`@@ -747,7 +743,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`747`	`743`	`}`
`748`	`744`
`749`	`745`	`}`
`750`		`-`
`751`	`746`	`if c.handshakeStatusAsync >= stateServerHandshakeDoFullHandshake2ReadHandshake3 {`
`752`	`747`	`return nil`
`753`	`748`	`}`
`@@ -771,7 +766,6 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`771`	`766`	`c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2ReadHandshake3`
`772`	`767`	`return unexpectedMessageError(certVerify, msg)`
`773`	`768`	`}`
`774`		`-`
`775`	`769`	`var sigType uint8`
`776`	`770`	`var sigHash crypto.Hash`
`777`	`771`	`if c.vers >= VersionTLS12 {`
`@@ -796,6 +790,11 @@ func (hs *serverHandshakeState) doFullHandshake() error {`
`796`	`790`	`}`
`797`	`791`
`798`	`792`	`signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret)`
	`793`	`+ if pub == nil {`
	`794`	`+ if len(c.peerCertificates) > 0 {`
	`795`	`+ pub = c.peerCertificates[0].PublicKey`
	`796`	`+ }`
	`797`	`+ }`
`799`	`798`	`if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil {`
`800`	`799`	`c.sendAlert(alertDecryptError)`
`801`	`800`	`c.handshakeStatusAsync = stateServerHandshakeDoFullHandshake2ReadHandshake3`