crypto/tls: don't reverify but check certificate expiration on resumption

We used to inconsistently run certificate verification on the server on resumption, but not on the client. This made TLS 1.3 resumption pretty much useless, as it didn't save bytes, CPU, or round-trips. This requires serializing the verified chains into the session ticket, so it's a tradeoff making the ticket bigger to save computation (and for consistency). The previous behavior also had a "stickyness" issue: if a ticket contained invalid certificates, they would be used even if the client had in the meantime configured valid certificates for a full handshake. We also didn't check expiration on the client side on resumption if InsecureSkipVerify was set. Again for consistency, we do that now. Also, we used to run VerifyPeerCertificates on resumption even if NoClientCerts was set. Fixes #31641 Change-Id: Icc88269ea4adb544fa81158114aae76f3c91a15f Reviewed-on: https://go-review.googlesource.com/c/go/+/497895 Reviewed-by: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> Auto-Submit: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2023-05-24 15:49:56 +02:00 · 2023-05-24 15:49:56 +02:00 · 5ca720fc5e
commit 5ca720fc5e
parent b6a93d8a50
36 changed files with 2436 additions and 2275 deletions
--- a/ticket.go
+++ b/ticket.go
@ -37,16 +37,16 @@ type SessionState struct {
 	//       uint8 ext_master_secret = { 0, 1 };
 	//       uint8 early_data = { 0, 1 };
 	//       CertificateEntry certificate_list<0..2^24-1>;
+	//       CertificateChain verified_chains<0..2^24-1>; /* excluding leaf */
 	//       select (SessionState.early_data) {
 	//           case 0: Empty;
 	//           case 1: opaque alpn<1..2^8-1>;
 	//       };
 	//       select (SessionState.type) {
-	//           case server: /* empty */;
+	//           case server: Empty;
 	//           case client: struct {
-	//               CertificateChain verified_chains<0..2^24-1>; /* excluding leaf */
 	//               select (SessionState.version) {
-	//                   case VersionTLS10..VersionTLS12: /* empty */;
+	//                   case VersionTLS10..VersionTLS12: Empty;
 	//                   case VersionTLS13: struct {
 	//                       uint64 use_by;
 	//                       uint32 age_add;
@ -87,11 +87,9 @@ type SessionState struct {
 	activeCertHandles []*activeCert
 	ocspResponse      []byte
 	scts              [][]byte
+	verifiedChains    [][]*x509.Certificate
 	alpnProtocol      string // only set if EarlyData is true

-	// Client-side fields.
-	verifiedChains [][]*x509.Certificate
-
 	// Client-side TLS 1.3-only fields.
 	useBy  uint64 // seconds since UNIX epoch
 	ageAdd uint32
@ -129,29 +127,33 @@ func (s *SessionState) Bytes() ([]byte, error) {
 	} else {
 		b.AddUint8(0)
 	}
-	marshalCertificate(&b, s.certificate())
+	marshalCertificate(&b, Certificate{
+		Certificate:                 certificatesToBytesSlice(s.peerCertificates),
+		OCSPStaple:                  s.ocspResponse,
+		SignedCertificateTimestamps: s.scts,
+	})
+	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+		for _, chain := range s.verifiedChains {
+			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+				// We elide the first certificate because it's always the leaf.
+				if len(chain) == 0 {
+					b.SetError(errors.New("tls: internal error: empty verified chain"))
+					return
+				}
+				for _, cert := range chain[1:] {
+					b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+						b.AddBytes(cert.Raw)
+					})
+				}
+			})
+		}
+	})
 	if s.EarlyData {
 		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
 			b.AddBytes([]byte(s.alpnProtocol))
 		})
 	}
 	if s.isClient {
-		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
-			for _, chain := range s.verifiedChains {
-				b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
-					// We elide the first certificate because it's always the leaf.
-					if len(chain) == 0 {
-						b.SetError(errors.New("tls: internal error: empty verified chain"))
-						return
-					}
-					for _, cert := range chain[1:] {
-						b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
-							b.AddBytes(cert.Raw)
-						})
-					}
-				})
-			}
-		})
 		if s.version >= VersionTLS13 {
 			addUint64(&b, s.useBy)
 			b.AddUint32(s.ageAdd)
@ -160,14 +162,6 @@ func (s *SessionState) Bytes() ([]byte, error) {
 	return b.Bytes()
 }

-func (s *SessionState) certificate() Certificate {
-	return Certificate{
-		Certificate:                 certificatesToBytesSlice(s.peerCertificates),
-		OCSPStaple:                  s.ocspResponse,
-		SignedCertificateTimestamps: s.scts,
-	}
-}
-
 func certificatesToBytesSlice(certs []*x509.Certificate) [][]byte {
 	s := make([][]byte, 0, len(certs))
 	for _, c := range certs {
@ -221,6 +215,34 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 	}
 	ss.ocspResponse = cert.OCSPStaple
 	ss.scts = cert.SignedCertificateTimestamps
+	var chainList cryptobyte.String
+	if !s.ReadUint24LengthPrefixed(&chainList) {
+		return nil, errors.New("tls: invalid session encoding")
+	}
+	for !chainList.Empty() {
+		var certList cryptobyte.String
+		if !chainList.ReadUint24LengthPrefixed(&certList) {
+			return nil, errors.New("tls: invalid session encoding")
+		}
+		var chain []*x509.Certificate
+		if len(ss.peerCertificates) == 0 {
+			return nil, errors.New("tls: invalid session encoding")
+		}
+		chain = append(chain, ss.peerCertificates[0])
+		for !certList.Empty() {
+			var cert []byte
+			if !readUint24LengthPrefixed(&certList, &cert) {
+				return nil, errors.New("tls: invalid session encoding")
+			}
+			c, err := globalCertCache.newCert(cert)
+			if err != nil {
+				return nil, err
+			}
+			ss.activeCertHandles = append(ss.activeCertHandles, c)
+			chain = append(chain, c.cert)
+		}
+		ss.verifiedChains = append(ss.verifiedChains, chain)
+	}
 	if ss.EarlyData {
 		var alpn []byte
 		if !readUint8LengthPrefixed(&s, &alpn) {
@ -238,31 +260,6 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 	if len(ss.peerCertificates) == 0 {
 		return nil, errors.New("tls: no server certificates in client session")
 	}
-	var chainList cryptobyte.String
-	if !s.ReadUint24LengthPrefixed(&chainList) {
-		return nil, errors.New("tls: invalid session encoding")
-	}
-	for !chainList.Empty() {
-		var certList cryptobyte.String
-		if !chainList.ReadUint24LengthPrefixed(&certList) {
-			return nil, errors.New("tls: invalid session encoding")
-		}
-		var chain []*x509.Certificate
-		chain = append(chain, ss.peerCertificates[0])
-		for !certList.Empty() {
-			var cert []byte
-			if !readUint24LengthPrefixed(&certList, &cert) {
-				return nil, errors.New("tls: invalid session encoding")
-			}
-			c, err := globalCertCache.newCert(cert)
-			if err != nil {
-				return nil, err
-			}
-			ss.activeCertHandles = append(ss.activeCertHandles, c)
-			chain = append(chain, c.cert)
-		}
-		ss.verifiedChains = append(ss.verifiedChains, chain)
-	}
 	if ss.version < VersionTLS13 {
 		if !s.Empty() {
 			return nil, errors.New("tls: invalid session encoding")
@ -278,13 +275,6 @@ func ParseSessionState(data []byte) (*SessionState, error) {
 // sessionState returns a partially filled-out [SessionState] with information
 // from the current connection.
 func (c *Conn) sessionState() (*SessionState, error) {
-	var verifiedChains [][]*x509.Certificate
-	if c.isClient {
-		verifiedChains = c.verifiedChains
-		if len(c.peerCertificates) == 0 {
-			return nil, errors.New("tls: internal error: empty peer certificates")
-		}
-	}
 	return &SessionState{
 		version:           c.vers,
 		cipherSuite:       c.cipherSuite,
@ -296,7 +286,7 @@ func (c *Conn) sessionState() (*SessionState, error) {
 		scts:              c.scts,
 		isClient:          c.isClient,
 		extMasterSecret:   c.extMasterSecret,
-		verifiedChains:    verifiedChains,
+		verifiedChains:    c.verifiedChains,
 	}, nil
 }