From 6738f0eadf6606c7206bb4507415e6dec90cd3c4 Mon Sep 17 00:00:00 2001
From: Lucas Clemente <lucas@clemente.io>
Date: Sun, 8 May 2016 22:23:36 +0200
Subject: [PATCH] add sni to crypto.Signer interface

---
 crypto/proof_rsa.go            | 6 +++---
 crypto/proof_rsa_test.go       | 4 ++--
 crypto/signer.go               | 6 +++---
 handshake/crypto_setup.go      | 8 ++++----
 handshake/crypto_setup_test.go | 6 +++---
 handshake/server_config.go     | 8 ++++----
 6 files changed, 19 insertions(+), 19 deletions(-)

diff --git a/crypto/proof_rsa.go b/crypto/proof_rsa.go
index 9c291f85..7b971417 100644
--- a/crypto/proof_rsa.go
+++ b/crypto/proof_rsa.go
@@ -42,7 +42,7 @@ func NewRSASigner(tlsConfig *tls.Config) (Signer, error) {
 }
 
 // SignServerProof signs CHLO and server config for use in the server proof
-func (kd *rsaSigner) SignServerProof(chlo []byte, serverConfigData []byte) ([]byte, error) {
+func (kd *rsaSigner) SignServerProof(sni string, chlo []byte, serverConfigData []byte) ([]byte, error) {
 	hash := sha256.New()
 	if len(chlo) > 0 {
 		// Version >= 31
@@ -58,7 +58,7 @@ func (kd *rsaSigner) SignServerProof(chlo []byte, serverConfigData []byte) ([]by
 }
 
 // GetCertCompressed gets the certificate in the format described by the QUIC crypto doc
-func (kd *rsaSigner) GetCertCompressed() []byte {
+func (kd *rsaSigner) GetCertCompressed(sni string) []byte {
 	b := &bytes.Buffer{}
 	b.WriteByte(1) // Entry type compressed
 	b.WriteByte(0) // Entry type end_of_list
@@ -80,6 +80,6 @@ func (kd *rsaSigner) GetCertCompressed() []byte {
 }
 
 // GetCertUncompressed gets the certificate in DER
-func (kd *rsaSigner) GetCertUncompressed() []byte {
+func (kd *rsaSigner) GetCertUncompressed(sni string) []byte {
 	return kd.cert.Raw
 }
diff --git a/crypto/proof_rsa_test.go b/crypto/proof_rsa_test.go
index 700329f4..eb123ea3 100644
--- a/crypto/proof_rsa_test.go
+++ b/crypto/proof_rsa_test.go
@@ -24,7 +24,7 @@ var _ = Describe("ProofRsa", func() {
 		z.Write(cert)
 		z.Close()
 		kd := &rsaSigner{cert: &x509.Certificate{Raw: cert}}
-		Expect(kd.GetCertCompressed()).To(Equal(append([]byte{
+		Expect(kd.GetCertCompressed("")).To(Equal(append([]byte{
 			0x01, 0x00,
 			0x08, 0x00, 0x00, 0x00,
 		}, certZlib.Bytes()...)))
@@ -33,7 +33,7 @@ var _ = Describe("ProofRsa", func() {
 	It("gives valid signatures", func() {
 		kd, err := NewRSASigner(testdata.GetTLSConfig())
 		Expect(err).ToNot(HaveOccurred())
-		signature, err := kd.SignServerProof([]byte{'C', 'H', 'L', 'O'}, []byte{'S', 'C', 'F', 'G'})
+		signature, err := kd.SignServerProof("", []byte{'C', 'H', 'L', 'O'}, []byte{'S', 'C', 'F', 'G'})
 		Expect(err).ToNot(HaveOccurred())
 		// Generated with:
 		// ruby -e 'require "digest"; p Digest::SHA256.digest("QUIC CHLO and server config signature\x00" + "\x20\x00\x00\x00" + Digest::SHA256.digest("CHLO") + "SCFG")'
diff --git a/crypto/signer.go b/crypto/signer.go
index 7eb8304c..1687d2d4 100644
--- a/crypto/signer.go
+++ b/crypto/signer.go
@@ -2,7 +2,7 @@ package crypto
 
 // A Signer holds a certificate and a private key
 type Signer interface {
-	SignServerProof(chlo []byte, serverConfigData []byte) ([]byte, error)
-	GetCertCompressed() []byte
-	GetCertUncompressed() []byte
+	SignServerProof(sni string, chlo []byte, serverConfigData []byte) ([]byte, error)
+	GetCertCompressed(sni string) []byte
+	GetCertUncompressed(sni string) []byte
 }
diff --git a/handshake/crypto_setup.go b/handshake/crypto_setup.go
index 26016886..1b26739f 100644
--- a/handshake/crypto_setup.go
+++ b/handshake/crypto_setup.go
@@ -156,7 +156,7 @@ func (h *CryptoSetup) isInchoateCHLO(cryptoData map[Tag][]byte) bool {
 }
 
 func (h *CryptoSetup) handleInchoateCHLO(data []byte) ([]byte, error) {
-	proof, err := h.scfg.Sign(data)
+	proof, err := h.scfg.Sign("", data)
 	if err != nil {
 		return nil, err
 	}
@@ -164,7 +164,7 @@ func (h *CryptoSetup) handleInchoateCHLO(data []byte) ([]byte, error) {
 	var serverReply bytes.Buffer
 	WriteHandshakeMessage(&serverReply, TagREJ, map[Tag][]byte{
 		TagSCFG: h.scfg.Get(),
-		TagCERT: h.scfg.GetCertCompressed(),
+		TagCERT: h.scfg.GetCertCompressed(""),
 		TagSNO:  h.nonce,
 		TagPROF: proof,
 	})
@@ -184,7 +184,7 @@ func (h *CryptoSetup) handleCHLO(data []byte, cryptoData map[Tag][]byte) ([]byte
 	h.mutex.Lock()
 	defer h.mutex.Unlock()
 
-	h.secureAEAD, err = h.keyDerivation(false, sharedSecret, nonce.Bytes(), h.connID, data, h.scfg.Get(), h.scfg.signer.GetCertUncompressed())
+	h.secureAEAD, err = h.keyDerivation(false, sharedSecret, nonce.Bytes(), h.connID, data, h.scfg.Get(), h.scfg.signer.GetCertUncompressed(""))
 	if err != nil {
 		return nil, err
 	}
@@ -195,7 +195,7 @@ func (h *CryptoSetup) handleCHLO(data []byte, cryptoData map[Tag][]byte) ([]byte
 	if err != nil {
 		return nil, err
 	}
-	h.forwardSecureAEAD, err = h.keyDerivation(true, ephermalSharedSecret, nonce.Bytes(), h.connID, data, h.scfg.Get(), h.scfg.signer.GetCertUncompressed())
+	h.forwardSecureAEAD, err = h.keyDerivation(true, ephermalSharedSecret, nonce.Bytes(), h.connID, data, h.scfg.Get(), h.scfg.signer.GetCertUncompressed(""))
 	if err != nil {
 		return nil, err
 	}
diff --git a/handshake/crypto_setup_test.go b/handshake/crypto_setup_test.go
index 94c5ffdb..deed6603 100644
--- a/handshake/crypto_setup_test.go
+++ b/handshake/crypto_setup_test.go
@@ -33,16 +33,16 @@ type mockSigner struct {
 	gotCHLO bool
 }
 
-func (s *mockSigner) SignServerProof(chlo []byte, serverConfigData []byte) ([]byte, error) {
+func (s *mockSigner) SignServerProof(sni string, chlo []byte, serverConfigData []byte) ([]byte, error) {
 	if len(chlo) > 0 {
 		s.gotCHLO = true
 	}
 	return []byte("proof"), nil
 }
-func (*mockSigner) GetCertCompressed() []byte {
+func (*mockSigner) GetCertCompressed(sni string) []byte {
 	return []byte("certcompressed")
 }
-func (*mockSigner) GetCertUncompressed() []byte {
+func (*mockSigner) GetCertUncompressed(sni string) []byte {
 	return []byte("certuncompressed")
 }
 
diff --git a/handshake/server_config.go b/handshake/server_config.go
index 9ae28f81..e8b04d6b 100644
--- a/handshake/server_config.go
+++ b/handshake/server_config.go
@@ -45,11 +45,11 @@ func (s *ServerConfig) Get() []byte {
 }
 
 // Sign the server config and CHLO with the server's keyData
-func (s *ServerConfig) Sign(chlo []byte) ([]byte, error) {
-	return s.signer.SignServerProof(chlo, s.Get())
+func (s *ServerConfig) Sign(sni string, chlo []byte) ([]byte, error) {
+	return s.signer.SignServerProof(sni, chlo, s.Get())
 }
 
 // GetCertCompressed returns the certificate data
-func (s *ServerConfig) GetCertCompressed() []byte {
-	return s.signer.GetCertCompressed()
+func (s *ServerConfig) GetCertCompressed(sni string) []byte {
+	return s.signer.GetCertCompressed(sni)
 }