fix: all tests pass

handshake_client.go

@@ -337,15 +337,15 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 	if !c.config.InsecureSkipVerify {
 		if len(session.verifiedChains) == 0 {
 			// The original connection had InsecureSkipVerify, while this doesn't.
-			return cacheKey, nil, nil, nil, nil
+			return nil, nil, nil, nil
 		}
-		serverCert := session.serverCertificates[0]
+		serverCert := session.peerCertificates[0]
 		// [UTLS SECTION START]
 		if !c.config.InsecureSkipTimeVerify {
 			if c.config.time().After(serverCert.NotAfter) {
 				// Expired certificate, delete the entry.
 				c.config.ClientSessionCache.Put(cacheKey, nil)
-				return cacheKey, nil, nil, nil, nil
+				return nil, nil, nil, nil
 			}
 		}
 		var dnsName string
@@ -356,7 +356,7 @@ func (c *Conn) loadSession(hello *clientHelloMsg) (
 		}
 		if len(dnsName) > 0 {
 			if err := serverCert.VerifyHostname(dnsName); err != nil {
-				return cacheKey, nil, nil, nil, nil
+				return nil, nil, nil, nil
 			}
 		}
 		// [UTLS SECTION END]
@@ -1127,6 +1127,7 @@ func (c *Conn) clientSessionCacheKey() string {
 	return ""
 }
 
+// [UTLS SECTION START]
 // hostnameInSNI converts name into an appropriate hostname for SNI.
 // Literal IP addresses and absolute FQDNs are not permitted as SNI values.
 // See RFC 6066, Section 3.

handshake_client_tls13.go

@@ -18,16 +18,16 @@ import (
 )
 
 // [uTLS SECTION START]
-type KeySharesEcdheParameters map[CurveID]ecdheParameters
+type KeySharesEcdheParameters map[CurveID]*ecdh.PrivateKey
 
-func (keymap KeySharesEcdheParameters) AddEcdheParams(curveID CurveID, params ecdheParameters) {
-	keymap[curveID] = params
+func (keymap KeySharesEcdheParameters) AddEcdheParams(curveID CurveID, ecdheKey *ecdh.PrivateKey) {
+	keymap[curveID] = ecdheKey
 }
-func (keymap KeySharesEcdheParameters) GetEcdheParams(curveID CurveID) (params ecdheParameters, ok bool) {
-	params, ok = keymap[curveID]
+func (keymap KeySharesEcdheParameters) GetEcdheParams(curveID CurveID) (ecdheKey *ecdh.PrivateKey, ok bool) {
+	ecdheKey, ok = keymap[curveID]
 	return
 }
-func (keymap KeySharesEcdheParameters) GetPublicEcdheParams(curveID CurveID) (params EcdheParameters, ok bool) {
+func (keymap KeySharesEcdheParameters) GetPublicEcdheParams(curveID CurveID) (params *ecdh.PrivateKey, ok bool) {
 	params, ok = keymap[curveID]
 	return
 }
@@ -78,12 +78,12 @@ func (hs *clientHandshakeStateTLS13) handshake() error {
 
 	// set echdheParams to what we received from server
 	if ecdheParams, ok := hs.keySharesEcdheParams.GetEcdheParams(hs.serverHello.serverShare.group); ok {
-		hs.ecdheParams = ecdheParams
+		hs.ecdheKey = ecdheParams
 	}
 	// [uTLS SECTION END]
 
 	// Consistency check on the presence of a keyShare and its parameters.
-	if hs.ecdheParams == nil || len(hs.hello.keyShares) < 1 { // [uTLS]
+	if hs.ecdheKey == nil || len(hs.hello.keyShares) < 1 { // [uTLS]
 		// keyshares "< 1" instead of "!= 1", as uTLS may send multiple
 		return c.sendAlert(alertInternalError)
 	}

handshake_messages.go

@@ -642,13 +642,13 @@ type serverHelloMsg struct {
 	secureRenegotiation          []byte
 	extendedMasterSecret         bool
 	alpnProtocol                 string
-	ems                          bool
-	scts                         [][]byte
-	supportedVersion             uint16
-	serverShare                  keyShare
-	selectedIdentityPresent      bool
-	selectedIdentity             uint16
-	supportedPoints              []uint8
+	// ems                          bool
+	scts                    [][]byte
+	supportedVersion        uint16
+	serverShare             keyShare
+	selectedIdentityPresent bool
+	selectedIdentity        uint16
+	supportedPoints         []uint8
 
 	// HelloRetryRequest extensions
 	cookie        []byte
@@ -820,12 +820,13 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool {
 			m.ocspStapling = true
 		case extensionSessionTicket:
 			m.ticketSupported = true
-		case utlsExtensionExtendedMasterSecret:
-			// No sanity check for this extension: pretending not to know it.
-			// if length > 0 {
-			// 	return false
-			// }
-			m.ems = true
+		// [UTLS] crypto/tls finally supports EMS! Now we don't do anything special here.
+		// case utlsExtensionExtendedMasterSecret:
+		// 	// No sanity check for this extension: pretending not to know it.
+		// 	// if length > 0 {
+		// 	// 	return false
+		// 	// }
+		// 	m.ems = true
 		case extensionRenegotiationInfo:
 			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
 				return false

handshake_server.go

@@ -440,11 +440,6 @@ func (hs *serverHandshakeState) checkForResumption() error {
 		return nil
 	}
 
-	createdAt := time.Unix(int64(hs.sessionState.createdAt), 0)
-	if c.config.time().Sub(createdAt) > maxSessionTicketLifetime {
-		return false
-	}
-
 	// Never resume a session for a different TLS version.
 	if c.vers != sessionState.version {
 		return nil

handshake_server_test.go

@@ -24,8 +24,6 @@ import (
 	"strings"
 	"testing"
 	"time"
-
-	"golang.org/x/crypto/curve25519"
 )
 
 func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) {

handshake_server_tls13.go

@@ -645,8 +645,6 @@ func (hs *serverHandshakeStateTLS13) sendServerParameters() error {
 		encryptedExtensions.quicTransportParameters = p
 		encryptedExtensions.earlyData = hs.earlyData
 	}
-	encryptedExtensions.alpnProtocol = selectedProto
-	c.clientProtocol = selectedProto
 
 	if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil {
 		return err

tls_test.go

@@ -339,118 +339,6 @@ func TestDialer(t *testing.T) {
 	}
 }
 
-func TestDeadlineOnWrite(t *testing.T) {
-	if testing.Short() {
-		t.Skip("skipping in short mode")
-	}
-
-	ln := newLocalListener(t)
-	defer ln.Close()
-
-	srvCh := make(chan *Conn, 1)
-
-	go func() {
-		sconn, err := ln.Accept()
-		if err != nil {
-			srvCh <- nil
-			return
-		}
-		srv := Server(sconn, testConfig.Clone())
-		if err := srv.Handshake(); err != nil {
-			srvCh <- nil
-			return
-		}
-		srvCh <- srv
-	}()
-
-	clientConfig := testConfig.Clone()
-	clientConfig.MaxVersion = VersionTLS12
-	conn, err := Dial("tcp", ln.Addr().String(), clientConfig)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer conn.Close()
-
-	srv := <-srvCh
-	if srv == nil {
-		t.Error(err)
-	}
-
-	// Make sure the client/server is setup correctly and is able to do a typical Write/Read
-	buf := make([]byte, 6)
-	if _, err := srv.Write([]byte("foobar")); err != nil {
-		t.Errorf("Write err: %v", err)
-	}
-	if n, err := conn.Read(buf); n != 6 || err != nil || string(buf) != "foobar" {
-		t.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf)
-	}
-
-	// Set a deadline which should cause Write to timeout
-	if err = srv.SetDeadline(time.Now()); err != nil {
-		t.Fatalf("SetDeadline(time.Now()) err: %v", err)
-	}
-	if _, err = srv.Write([]byte("should fail")); err == nil {
-		t.Fatal("Write should have timed out")
-	}
-
-	// Clear deadline and make sure it still times out
-	if err = srv.SetDeadline(time.Time{}); err != nil {
-		t.Fatalf("SetDeadline(time.Time{}) err: %v", err)
-	}
-	if _, err = srv.Write([]byte("This connection is permanently broken")); err == nil {
-		t.Fatal("Write which previously failed should still time out")
-	}
-
-	// Verify the error
-	if ne := err.(net.Error); ne.Temporary() != false {
-		t.Error("Write timed out but incorrectly classified the error as Temporary")
-	}
-	if !isTimeoutError(err) {
-		t.Error("Write timed out but did not classify the error as a Timeout")
-	}
-}
-
-type readerFunc func([]byte) (int, error)
-
-func (f readerFunc) Read(b []byte) (int, error) { return f(b) }
-
-// TestDialer tests that tls.Dialer.DialContext can abort in the middle of a handshake.
-// (The other cases are all handled by the existing dial tests in this package, which
-// all also flow through the same code shared code paths)
-func TestDialer(t *testing.T) {
-	ln := newLocalListener(t)
-	defer ln.Close()
-
-	unblockServer := make(chan struct{}) // close-only
-	defer close(unblockServer)
-	go func() {
-		conn, err := ln.Accept()
-		if err != nil {
-			return
-		}
-		defer conn.Close()
-		<-unblockServer
-	}()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	d := Dialer{Config: &Config{
-		Rand: readerFunc(func(b []byte) (n int, err error) {
-			// By the time crypto/tls wants randomness, that means it has a TCP
-			// connection, so we're past the Dialer's dial and now blocked
-			// in a handshake. Cancel our context and see if we get unstuck.
-			// (Our TCP listener above never reads or writes, so the Handshake
-			// would otherwise be stuck forever)
-			cancel()
-			return len(b), nil
-		}),
-		ServerName: "foo",
-	}}
-	_, err := d.DialContext(ctx, "tcp", ln.Addr().String())
-	if err != context.Canceled {
-		t.Errorf("err = %v; want context.Canceled", err)
-	}
-}
-
 func isTimeoutError(err error) bool {
 	if ne, ok := err.(net.Error); ok {
 		return ne.Timeout()
@@ -982,6 +870,8 @@ func TestCloneNonFuncFields(t *testing.T) {
 			f.Set(reflect.ValueOf(RenegotiateOnceAsClient))
 		case "mutex", "autoSessionTicketKeys", "sessionTicketKeys":
 			continue // these are unexported fields that are handled separately
+		case "ApplicationSettings":
+			f.Set(reflect.ValueOf(map[string][]byte{"a": {1}}))
 		default:
 			t.Errorf("all fields must be accounted for, but saw unknown field %q", fn)
 		}

u_conn.go

@@ -16,7 +16,6 @@ import (
 	"io"
 	"net"
 	"strconv"
-	"sync/atomic"
 )
 
 type UConn struct {
@@ -77,13 +76,13 @@ func (uconn *UConn) BuildHandshakeState() error {
 		}
 
 		// use default Golang ClientHello.
-		hello, ecdheParams, err := uconn.makeClientHello()
+		hello, ecdheKey, err := uconn.makeClientHello()
 		if err != nil {
 			return err
 		}
 
 		uconn.HandshakeState.Hello = hello.getPublicPtr()
-		uconn.HandshakeState.State13.EcdheParams = ecdheParams
+		uconn.HandshakeState.State13.EcdheKey = ecdheKey
 		uconn.HandshakeState.C = uconn.Conn
 	} else {
 		if !uconn.ClientHelloBuilt {
@@ -114,10 +113,10 @@ func (uconn *UConn) BuildHandshakeState() error {
 // but the extension itself still MAY be present for mimicking purposes.
 // Session tickets to be reused - use same cache on following connections.
 func (uconn *UConn) SetSessionState(session *ClientSessionState) error {
-	uconn.HandshakeState.Session = session
 	var sessionTicket []uint8
 	if session != nil {
-		sessionTicket = session.sessionTicket
+		sessionTicket = session.ticket
+		uconn.HandshakeState.Session = session.session
 	}
 	uconn.HandshakeState.Hello.TicketSupported = true
 	uconn.HandshakeState.Hello.SessionTicket = sessionTicket
@@ -182,7 +181,7 @@ func (uconn *UConn) SetSNI(sni string) {
 // It returns an error when used with HelloGolang ClientHelloID
 func (uconn *UConn) RemoveSNIExtension() error {
 	if uconn.ClientHelloID == HelloGolang {
-		return fmt.Errorf("Cannot call RemoveSNIExtension on a UConn with a HelloGolang ClientHelloID")
+		return fmt.Errorf("cannot call RemoveSNIExtension on a UConn with a HelloGolang ClientHelloID")
 	}
 	uconn.omitSNIExtension = true
 	return nil
@@ -221,7 +220,7 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 	// Fast sync/atomic-based exit if there is no handshake in flight and the
 	// last one succeeded without an error. Avoids the expensive context setup
 	// and mutex for most Read and Write calls.
-	if c.handshakeComplete() {
+	if c.isHandshakeComplete.Load() {
 		return nil
 	}
 
@@ -236,7 +235,10 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 	//
 	// The interrupter goroutine waits for the input context to be done and
 	// closes the connection if this happens before the function returns.
-	if ctx.Done() != nil {
+	if c.quic != nil {
+		c.quic.cancelc = handshakeCtx.Done()
+		c.quic.cancel = cancel
+	} else if ctx.Done() != nil {
 		done := make(chan struct{})
 		interruptRes := make(chan error, 1)
 		defer func() {
@@ -264,7 +266,7 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 	if err := c.handshakeErr; err != nil {
 		return err
 	}
-	if c.handshakeComplete() {
+	if c.isHandshakeComplete.Load() {
 		return nil
 	}
 
@@ -288,9 +290,36 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 		c.flush()
 	}
 
-	if c.handshakeErr == nil && !c.handshakeComplete() {
+	if c.handshakeErr == nil && !c.isHandshakeComplete.Load() {
 		c.handshakeErr = errors.New("tls: internal error: handshake should have had a result")
 	}
+	if c.handshakeErr != nil && c.isHandshakeComplete.Load() {
+		panic("tls: internal error: handshake returned an error but is marked successful")
+	}
+
+	if c.quic != nil {
+		if c.handshakeErr == nil {
+			c.quicHandshakeComplete()
+			// Provide the 1-RTT read secret now that the handshake is complete.
+			// The QUIC layer MUST NOT decrypt 1-RTT packets prior to completing
+			// the handshake (RFC 9001, Section 5.7).
+			c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret)
+		} else {
+			var a alert
+			c.out.Lock()
+			if !errors.As(c.out.err, &a) {
+				a = alertInternalError
+			}
+			c.out.Unlock()
+			// Return an error which wraps both the handshake error and
+			// any alert error we may have sent, or alertInternalError
+			// if we didn't send an alert.
+			// Truncate the text of the alert to 0 characters.
+			c.handshakeErr = fmt.Errorf("%w%.0w", c.handshakeErr, AlertError(a))
+		}
+		close(c.quic.blockedc)
+		close(c.quic.signalc)
+	}
 
 	return c.handshakeErr
 }
@@ -300,12 +329,12 @@ func (c *UConn) handshakeContext(ctx context.Context) (ret error) {
 func (c *UConn) Write(b []byte) (int, error) {
 	// interlock with Close below
 	for {
-		x := atomic.LoadInt32(&c.activeCall)
+		x := c.activeCall.Load()
 		if x&1 != 0 {
 			return 0, net.ErrClosed
 		}
-		if atomic.CompareAndSwapInt32(&c.activeCall, x, x+2) {
-			defer atomic.AddInt32(&c.activeCall, -2)
+		if c.activeCall.CompareAndSwap(x, x+2) {
+			defer c.activeCall.Add(-2)
 			break
 		}
 	}
@@ -321,7 +350,7 @@ func (c *UConn) Write(b []byte) (int, error) {
 		return 0, err
 	}
 
-	if !c.handshakeComplete() {
+	if !c.isHandshakeComplete.Load() {
 		return 0, alertInternalError
 	}
 
@@ -399,11 +428,11 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 	}
 	// [uTLS section ends]
 
-	cacheKey, session, earlySecret, binderKey, err := c.loadSession(hello)
+	session, earlySecret, binderKey, err := c.loadSession(hello)
 	if err != nil {
 		return err
 	}
-	if cacheKey != "" && session != nil {
+	if session != nil {
 		defer func() {
 			// If we got a handshake failure when resuming a session, throw away
 			// the session ticket. See RFC 5077, Section 3.2.
@@ -412,15 +441,21 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 			// does require servers to abort on invalid binders, so we need to
 			// delete tickets to recover from a corrupted PSK.
 			if err != nil {
-				c.config.ClientSessionCache.Put(cacheKey, nil)
+				if cacheKey := c.clientSessionCacheKey(); cacheKey != "" {
+					c.config.ClientSessionCache.Put(cacheKey, nil)
+				}
 			}
 		}()
 	}
 
-	if !sessionIsAlreadySet { // uTLS: do not overwrite already set session
-		err = c.SetSessionState(session)
-		if err != nil {
-			return
+	cacheKey := c.clientSessionCacheKey()
+	if c.config.ClientSessionCache != nil {
+		cs, ok := c.config.ClientSessionCache.Get(cacheKey)
+		if !sessionIsAlreadySet && ok { // uTLS: do not overwrite already set session
+			err = c.SetSessionState(cs)
+			if err != nil {
+				return
+			}
 		}
 	}
 
@@ -476,7 +511,12 @@ func (c *UConn) clientHandshake(ctx context.Context) (err error) {
 	// If we had a successful handshake and hs.session is different from
 	// the one already cached - cache a new one.
 	if cacheKey != "" && hs12.session != nil && session != hs12.session {
-		c.config.ClientSessionCache.Put(cacheKey, hs12.session)
+		hs12cs := &ClientSessionState{
+			ticket:  hs12.ticket,
+			session: hs12.session,
+		}
+
+		c.config.ClientSessionCache.Put(cacheKey, hs12cs)
 	}
 	return nil
 }
@@ -508,7 +548,7 @@ func (uconn *UConn) MarshalClientHello() error {
 			if paddingExt == nil {
 				paddingExt = pe
 			} else {
-				return errors.New("Multiple padding extensions!")
+				return errors.New("multiple padding extensions!")
 			}
 		}
 	}
@@ -576,7 +616,7 @@ func (uconn *UConn) GetOutKeystream(length int) ([]byte, error) {
 		// AEAD.Seal() does not mutate internal state, other ciphers might
 		return outCipher.Seal(nil, uconn.out.seq[:], zeros, nil), nil
 	}
-	return nil, errors.New("Could not convert OutCipher to cipher.AEAD")
+	return nil, errors.New("could not convert OutCipher to cipher.AEAD")
 }
 
 // SetTLSVers sets min and max TLS version in all appropriate places.
@@ -686,7 +726,7 @@ func MakeConnWithCompleteHandshake(tcpConn net.Conn, version uint16, cipherSuite
 		}
 
 		// skip the handshake states
-		atomic.StoreUint32(&tlsConn.handshakeStatus, 1)
+		tlsConn.isHandshakeComplete.Store(true)
 		tlsConn.cipherSuite = cipherSuite
 		tlsConn.haveVers = true
 		tlsConn.vers = version

u_parrots.go

@@ -2013,12 +2013,12 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 		return err
 	}
 
-	privateHello, ecdheParams, err := uconn.makeClientHello()
+	privateHello, ecdheKey, err := uconn.makeClientHello()
 	if err != nil {
 		return err
 	}
 	uconn.HandshakeState.Hello = privateHello.getPublicPtr()
-	uconn.HandshakeState.State13.EcdheParams = ecdheParams
+	uconn.HandshakeState.State13.EcdheKey = ecdheKey
 	uconn.HandshakeState.State13.KeySharesEcdheParams = make(KeySharesEcdheParameters, 2)
 	hello := uconn.HandshakeState.Hello
 	session := uconn.HandshakeState.Session
@@ -2088,12 +2088,14 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 			}
 			grease_extensions_seen += 1
 		case *SessionTicketExtension:
+			var cs *ClientSessionState
 			if session == nil && uconn.config.ClientSessionCache != nil {
-				cacheKey := clientSessionCacheKey(uconn.RemoteAddr(), uconn.config)
-				session, _ = uconn.config.ClientSessionCache.Get(cacheKey)
+				cacheKey := uconn.clientSessionCacheKey()
+				cs, _ = uconn.config.ClientSessionCache.Get(cacheKey)
+				session = cs.session
 				// TODO: use uconn.loadSession(hello.getPrivateObj()) to support TLS 1.3 PSK-style resumption
 			}
-			err := uconn.SetSessionState(session)
+			err := uconn.SetSessionState(cs)
 			if err != nil {
 				return err
 			}
@@ -2115,16 +2117,16 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 					continue
 				}
 
-				ecdheParams, err := generateECDHEParameters(uconn.config.rand(), curveID)
+				ecdheKey, err := generateECDHEKey(uconn.config.rand(), curveID)
 				if err != nil {
 					return fmt.Errorf("unsupported Curve in KeyShareExtension: %v."+
 						"To mimic it, fill the Data(key) field manually", curveID)
 				}
-				uconn.HandshakeState.State13.KeySharesEcdheParams.AddEcdheParams(curveID, ecdheParams)
-				ext.KeyShares[i].Data = ecdheParams.PublicKey()
+				uconn.HandshakeState.State13.KeySharesEcdheParams.AddEcdheParams(curveID, ecdheKey)
+				ext.KeyShares[i].Data = ecdheKey.PublicKey().Bytes()
 				if !preferredCurveIsSet {
 					// only do this once for the first non-grease curve
-					uconn.HandshakeState.State13.EcdheParams = ecdheParams
+					uconn.HandshakeState.State13.EcdheKey = ecdheKey
 					preferredCurveIsSet = true
 				}
 			}
@@ -2147,7 +2149,12 @@ func (uconn *UConn) ApplyPreset(p *ClientHelloSpec) error {
 }
 
 func (uconn *UConn) generateRandomizedSpec() (ClientHelloSpec, error) {
-	return generateRandomizedSpec(&uconn.ClientHelloID, uconn.serverName, uconn.HandshakeState.Session, uconn.config.NextProtos)
+	css := &ClientSessionState{
+		session: uconn.HandshakeState.Session,
+		ticket:  uconn.HandshakeState.Hello.SessionTicket,
+	}
+
+	return generateRandomizedSpec(&uconn.ClientHelloID, uconn.serverName, css, uconn.config.NextProtos)
 }
 
 func generateRandomizedSpec(

u_public.go

@@ -6,8 +6,10 @@ package tls
 
 import (
 	"crypto"
+	"crypto/ecdh"
 	"crypto/x509"
 	"hash"
+	"time"
 )
 
 // ClientHandshakeState includes both TLS 1.3-only and TLS 1.2-only states,
@@ -24,7 +26,7 @@ type PubClientHandshakeState struct {
 	ServerHello  *PubServerHelloMsg
 	Hello        *PubClientHelloMsg
 	MasterSecret []byte
-	Session      *ClientSessionState
+	Session      *SessionState
 
 	State12 TLS12OnlyState
 	State13 TLS13OnlyState
@@ -35,7 +37,7 @@ type PubClientHandshakeState struct {
 // TLS 1.3 only
 type TLS13OnlyState struct {
 	Suite                *PubCipherSuiteTLS13
-	EcdheParams          EcdheParameters
+	EcdheKey             *ecdh.PrivateKey
 	KeySharesEcdheParams KeySharesEcdheParameters
 	EarlySecret          []byte
 	BinderKey            []byte
@@ -60,7 +62,7 @@ func (chs *PubClientHandshakeState) toPrivate13() *clientHandshakeStateTLS13 {
 			c:                    chs.C,
 			serverHello:          chs.ServerHello.getPrivatePtr(),
 			hello:                chs.Hello.getPrivatePtr(),
-			ecdheParams:          chs.State13.EcdheParams,
+			ecdheKey:             chs.State13.EcdheKey,
 			keySharesEcdheParams: chs.State13.KeySharesEcdheParams,
 
 			session:     chs.Session,
@@ -86,7 +88,7 @@ func (chs13 *clientHandshakeStateTLS13) toPublic13() *PubClientHandshakeState {
 	} else {
 		tls13State := TLS13OnlyState{
 			KeySharesEcdheParams: chs13.keySharesEcdheParams,
-			EcdheParams:          chs13.ecdheParams,
+			EcdheKey:             chs13.ecdheKey,
 			EarlySecret:          chs13.earlySecret,
 			BinderKey:            chs13.binderKey,
 			CertReq:              chs13.certReq.toPublic(),
@@ -156,9 +158,9 @@ func (chs12 *clientHandshakeState) toPublic12() *PubClientHandshakeState {
 	}
 }
 
-type EcdheParameters interface {
-	ecdheParameters
-}
+// type EcdheParameters interface {
+// 	ecdheParameters
+// }
 
 type CertificateRequestMsgTLS13 struct {
 	Raw                              []byte
@@ -243,7 +245,7 @@ type PubServerHelloMsg struct {
 	NextProtos                   []string
 	OcspStapling                 bool
 	Scts                         [][]byte
-	Ems                          bool
+	ExtendedMasterSecret         bool
 	TicketSupported              bool
 	SecureRenegotiation          []byte
 	SecureRenegotiationSupported bool
@@ -274,7 +276,7 @@ func (shm *PubServerHelloMsg) getPrivatePtr() *serverHelloMsg {
 			nextProtos:                   shm.NextProtos,
 			ocspStapling:                 shm.OcspStapling,
 			scts:                         shm.Scts,
-			ems:                          shm.Ems,
+			extendedMasterSecret:         shm.ExtendedMasterSecret,
 			ticketSupported:              shm.TicketSupported,
 			secureRenegotiation:          shm.SecureRenegotiation,
 			secureRenegotiationSupported: shm.SecureRenegotiationSupported,
@@ -304,7 +306,7 @@ func (shm *serverHelloMsg) getPublicPtr() *PubServerHelloMsg {
 			NextProtos:                   shm.nextProtos,
 			OcspStapling:                 shm.ocspStapling,
 			Scts:                         shm.scts,
-			Ems:                          shm.ems,
+			ExtendedMasterSecret:         shm.extendedMasterSecret,
 			TicketSupported:              shm.ticketSupported,
 			SecureRenegotiation:          shm.secureRenegotiation,
 			SecureRenegotiationSupported: shm.secureRenegotiationSupported,
@@ -601,71 +603,89 @@ func MakeClientSessionState(
 	MasterSecret []byte,
 	ServerCertificates []*x509.Certificate,
 	VerifiedChains [][]*x509.Certificate) *ClientSessionState {
-	css := ClientSessionState{sessionTicket: SessionTicket,
-		vers:               Vers,
-		cipherSuite:        CipherSuite,
-		masterSecret:       MasterSecret,
-		serverCertificates: ServerCertificates,
-		verifiedChains:     VerifiedChains}
-	return &css
+	css := &ClientSessionState{
+		ticket: SessionTicket,
+		session: &SessionState{
+			version:          Vers,
+			cipherSuite:      CipherSuite,
+			secret:           MasterSecret,
+			peerCertificates: ServerCertificates,
+			verifiedChains:   VerifiedChains,
+		},
+	}
+	return css
 }
 
 // Encrypted ticket used for session resumption with server
 func (css *ClientSessionState) SessionTicket() []uint8 {
-	return css.sessionTicket
+	return css.ticket
 }
 
 // SSL/TLS version negotiated for the session
 func (css *ClientSessionState) Vers() uint16 {
-	return css.vers
+	return css.session.version
 }
 
 // Ciphersuite negotiated for the session
 func (css *ClientSessionState) CipherSuite() uint16 {
-	return css.cipherSuite
+	return css.session.cipherSuite
 }
 
 // MasterSecret generated by client on a full handshake
 func (css *ClientSessionState) MasterSecret() []byte {
-	return css.masterSecret
+	return css.session.secret
 }
 
 // Certificate chain presented by the server
 func (css *ClientSessionState) ServerCertificates() []*x509.Certificate {
-	return css.serverCertificates
+	return css.session.peerCertificates
 }
 
 // Certificate chains we built for verification
 func (css *ClientSessionState) VerifiedChains() [][]*x509.Certificate {
-	return css.verifiedChains
+	return css.session.verifiedChains
 }
 
 func (css *ClientSessionState) SetSessionTicket(SessionTicket []uint8) {
-	css.sessionTicket = SessionTicket
+	css.ticket = SessionTicket
 }
 func (css *ClientSessionState) SetVers(Vers uint16) {
-	css.vers = Vers
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.version = Vers
 }
 func (css *ClientSessionState) SetCipherSuite(CipherSuite uint16) {
-	css.cipherSuite = CipherSuite
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.cipherSuite = CipherSuite
 }
 func (css *ClientSessionState) SetMasterSecret(MasterSecret []byte) {
-	css.masterSecret = MasterSecret
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.secret = MasterSecret
 }
 func (css *ClientSessionState) SetServerCertificates(ServerCertificates []*x509.Certificate) {
-	css.serverCertificates = ServerCertificates
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.peerCertificates = ServerCertificates
 }
 func (css *ClientSessionState) SetVerifiedChains(VerifiedChains [][]*x509.Certificate) {
-	css.verifiedChains = VerifiedChains
+	if css.session == nil {
+		css.session = &SessionState{}
+	}
+	css.session.verifiedChains = VerifiedChains
 }
 
 // TicketKey is the internal representation of a session ticket key.
 type TicketKey struct {
-	// KeyName is an opaque byte string that serves to identify the session
-	// ticket key. It's exposed as plaintext in every session ticket.
-	KeyName [ticketKeyNameLen]byte
 	AesKey  [16]byte
 	HmacKey [16]byte
+	// created is the time at which this ticket key was created. See Config.ticketKeys.
+	Created time.Time
 }
 
 type TicketKeys []TicketKey
@@ -681,17 +701,17 @@ func TicketKeyFromBytes(b [32]byte) TicketKey {
 
 func (tk ticketKey) ToPublic() TicketKey {
 	return TicketKey{
-		KeyName: tk.keyName,
 		AesKey:  tk.aesKey,
 		HmacKey: tk.hmacKey,
+		Created: tk.created,
 	}
 }
 
 func (TK TicketKey) ToPrivate() ticketKey {
 	return ticketKey{
-		keyName: TK.KeyName,
 		aesKey:  TK.AesKey,
 		hmacKey: TK.HmacKey,
+		created: TK.Created,
 	}
 }
 

u_tls_extensions.go

@@ -802,15 +802,15 @@ type SessionTicketExtension struct {
 
 func (e *SessionTicketExtension) writeToUConn(uc *UConn) error {
 	if e.Session != nil {
-		uc.HandshakeState.Session = e.Session
-		uc.HandshakeState.Hello.SessionTicket = e.Session.sessionTicket
+		uc.HandshakeState.Session = e.Session.session
+		uc.HandshakeState.Hello.SessionTicket = e.Session.ticket
 	}
 	return nil
 }
 
 func (e *SessionTicketExtension) Len() int {
 	if e.Session != nil {
-		return 4 + len(e.Session.sessionTicket)
+		return 4 + len(e.Session.ticket)
 	}
 	return 4
 }
@@ -827,7 +827,7 @@ func (e *SessionTicketExtension) Read(b []byte) (int, error) {
 	b[2] = byte(extBodyLen >> 8)
 	b[3] = byte(extBodyLen)
 	if extBodyLen > 0 {
-		copy(b[4:], e.Session.sessionTicket)
+		copy(b[4:], e.Session.ticket)
 	}
 	return e.Len(), io.EOF
 }
@@ -926,7 +926,7 @@ func (e *UtlsExtendedMasterSecretExtension) Write(_ []byte) (int, error) {
 	return 0, nil
 }
 
-var extendedMasterSecretLabel = []byte("extended master secret")
+// var extendedMasterSecretLabel = []byte("extended master secret")
 
 // extendedMasterFromPreMasterSecret generates the master secret from the pre-master
 // secret and session hash. See https://tools.ietf.org/html/rfc7627#section-4
@@ -1862,7 +1862,7 @@ func (e *FakePreSharedKeyExtension) writeToUConn(uc *UConn) error {
 	if uc.config.ClientSessionCache == nil {
 		return nil // don't write the extension if there is no session cache
 	}
-	if session, ok := uc.config.ClientSessionCache.Get(clientSessionCacheKey(uc.conn.RemoteAddr(), uc.config)); !ok || session == nil {
+	if session, ok := uc.config.ClientSessionCache.Get(uc.clientSessionCacheKey()); !ok || session == nil {
 		return nil // don't write the extension if there is no session cache available for this session
 	}
 	uc.HandshakeState.Hello.PskIdentities = e.PskIdentities