crypto/tls: implement TLS 1.3 PSK authentication (client side)

Also check original certificate validity when resuming TLS 1.0–1.2. Will refuse to resume a session if the certificate is expired or if the original connection had InsecureSkipVerify and the resumed one doesn't. Support only PSK+DHE to protect forward secrecy even with lack of a strong session ticket rotation story. Tested with NSS because s_server does not provide any way of getting the same session ticket key across invocations. Will self-test like TLS 1.0–1.2 once server side is implemented. Incorporates CL 128477 by @santoshankr. Fixes #24919 Updates #9671 Change-Id: Id3eaa5b6c77544a1357668bf9ff255f3420ecc34 Reviewed-on: https://go-review.googlesource.com/c/147420 Reviewed-by: Adam Langley <agl@golang.org>
2025-04-04 20:47:36 +03:00 · 2018-11-04 18:41:37 -05:00 · 2018-11-04 18:41:37 -05:00 · dc9021e679
commit dc9021e679
parent 5b79a7c982
11 changed files with 444 additions and 158 deletions
--- a/conn.go
+++ b/conn.go
@ -57,6 +57,9 @@ type Conn struct {
 	secureRenegotiation bool
 	// ekm is a closure for exporting keying material.
 	ekm func(label string, context []byte, length int) ([]byte, error)
+	// resumptionSecret is the resumption_master_secret for generating or
+	// handling NewSessionTicket messages. nil if config.SessionTicketsDisabled.
+	resumptionSecret []byte

 	// clientFinishedIsFirst is true if the client sent the first Finished
 	// message during the most recent handshake. This is recorded because
@ -1169,10 +1172,15 @@ func (c *Conn) handlePostHandshakeMessage() error {
 		return err
 	}

+	c.retryCount++
+	if c.retryCount > maxUselessRecords {
+		c.sendAlert(alertUnexpectedMessage)
+		return c.in.setErrorLocked(errors.New("tls: too many non-advancing records"))
+	}
+
 	switch msg := msg.(type) {
 	case *newSessionTicketMsgTLS13:
-		// TODO(filippo): TLS 1.3 session ticket not implemented.
-		return nil
+		return c.handleNewSessionTicket(msg)
 	case *keyUpdateMsg:
 		return c.handleKeyUpdate(msg)
 	default:
@ -1182,19 +1190,7 @@ func (c *Conn) handlePostHandshakeMessage() error {
 }

 func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error {
-	c.retryCount++
-	if c.retryCount > maxUselessRecords {
-		c.sendAlert(alertUnexpectedMessage)
-		return c.in.setErrorLocked(errors.New("tls: too many non-advancing records"))
-	}
-
-	var cipherSuite *cipherSuiteTLS13
-	for _, suite := range cipherSuitesTLS13 {
-		if suite.id == c.cipherSuite {
-			cipherSuite = suite
-			break
-		}
-	}
+	cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
 	if cipherSuite == nil {
 		return c.in.setErrorLocked(c.sendAlert(alertInternalError))
 	}