crypto/tls: implement TLS 1.3 PSK authentication (client side)

Also check original certificate validity when resuming TLS 1.0–1.2. Will
refuse to resume a session if the certificate is expired or if the
original connection had InsecureSkipVerify and the resumed one doesn't.

Support only PSK+DHE to protect forward secrecy even with lack of a
strong session ticket rotation story.

Tested with NSS because s_server does not provide any way of getting the
same session ticket key across invocations. Will self-test like TLS
1.0–1.2 once server side is implemented.

Incorporates CL 128477 by @santoshankr.

Fixes #24919
Updates #9671

Change-Id: Id3eaa5b6c77544a1357668bf9ff255f3420ecc34
Reviewed-on: https://go-review.googlesource.com/c/147420
Reviewed-by: Adam Langley <agl@golang.org>

handshake_server_tls13.go

@@ -434,12 +434,8 @@ func (hs *serverHandshakeStateTLS13) sendServerCertificate() error {
 func (hs *serverHandshakeStateTLS13) sendServerFinished() error {
 	c := hs.c
 
-	// See RFC 8446, sections 4.4.4 and 4.4.
-	finishedKey := hs.suite.expandLabel(c.out.trafficSecret, "finished", nil, hs.suite.hash.Size())
-	verifyData := hmac.New(hs.suite.hash.New, finishedKey)
-	verifyData.Write(hs.transcript.Sum(nil))
 	finished := &finishedMsg{
-		verifyData: verifyData.Sum(nil),
+		verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
 	}
 
 	hs.transcript.Write(finished.marshal())
@@ -488,10 +484,8 @@ func (hs *serverHandshakeStateTLS13) readClientFinished() error {
 		return unexpectedMessageError(finished, msg)
 	}
 
-	finishedKey := hs.suite.expandLabel(c.in.trafficSecret, "finished", nil, hs.suite.hash.Size())
-	expectedMAC := hmac.New(hs.suite.hash.New, finishedKey)
-	expectedMAC.Write(hs.transcript.Sum(nil))
-	if !hmac.Equal(expectedMAC.Sum(nil), finished.verifyData) {
+	expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
+	if !hmac.Equal(expectedMAC, finished.verifyData) {
 		c.sendAlert(alertDecryptError)
 		return errors.New("tls: invalid client finished hash")
 	}