crypto/tls: use SessionState on the client side

Another internal change, that allows exposing the new APIs easily in
following CLs.

For #60105

Change-Id: I9c61b9f6e9d29af633f952444f514bcbbe82fe4e
Reviewed-on: https://go-review.googlesource.com/c/go/+/496819
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>

ticket.go

@@ -10,6 +10,7 @@ import (
 	"crypto/hmac"
 	"crypto/sha256"
 	"crypto/subtle"
+	"crypto/x509"
 	"errors"
 	"io"
 
@@ -18,12 +19,63 @@ import (
 
 // A SessionState is a resumable session.
 type SessionState struct {
-	version uint16 // uint16 version;
-	// uint8 revision = 1;
+	// Encoded as a SessionState (in the language of RFC 8446, Section 3).
+	//
+	//   enum { server(1), client(2) } SessionStateType;
+	//
+	//   opaque Certificate<1..2^24-1>;
+	//
+	//   Certificate CertificateChain<0..2^24-1>;
+	//
+	//   struct {
+	//       uint16 version;
+	//       SessionStateType type;
+	//       uint16 cipher_suite;
+	//       uint64 created_at;
+	//       opaque secret<1..2^8-1>;
+	//       CertificateEntry certificate_list<0..2^24-1>;
+	//       select (SessionState.type) {
+	//           case server: /* empty */;
+	//           case client: struct {
+	//               CertificateChain verified_chains<0..2^24-1>; /* excluding leaf */
+	//               select (SessionState.version) {
+	//                   case VersionTLS10..VersionTLS12: /* empty */;
+	//                   case VersionTLS13: struct {
+	//                       uint64 use_by;
+	//                       uint32 age_add;
+	//                   };
+	//               };
+	//           };
+	//       };
+	//   } SessionState;
+	//
+
+	version     uint16
+	isClient    bool
 	cipherSuite uint16
-	createdAt   uint64
-	secret      []byte      // opaque master_secret<1..2^8-1>;
-	certificate Certificate // CertificateEntry certificate_list<0..2^24-1>;
+	// createdAt is the generation time of the secret on the sever (which for
+	// TLS 1.0–1.2 might be earlier than the current session) and the time at
+	// which the ticket was received on the client.
+	createdAt         uint64 // seconds since UNIX epoch
+	secret            []byte // master secret for TLS 1.2, or the PSK for TLS 1.3
+	peerCertificates  []*x509.Certificate
+	activeCertHandles []*activeCert
+	ocspResponse      []byte
+	scts              [][]byte
+
+	// Client-side fields.
+	verifiedChains [][]*x509.Certificate
+
+	// Client-side TLS 1.3-only fields.
+	useBy  uint64 // seconds since UNIX epoch
+	ageAdd uint32
+}
+
+// ClientSessionState contains the state needed by clients to resume TLS
+// sessions.
+type ClientSessionState struct {
+	ticket  []byte
+	session *SessionState
 }
 
 // Bytes encodes the session, including any private fields, so that it can be
@@ -31,38 +83,157 @@ type SessionState struct {
 //
 // The specific encoding should be considered opaque and may change incompatibly
 // between Go versions.
-func (m *SessionState) Bytes() ([]byte, error) {
+func (s *SessionState) Bytes() ([]byte, error) {
 	var b cryptobyte.Builder
-	b.AddUint16(m.version)
-	b.AddUint8(1) // revision
-	b.AddUint16(m.cipherSuite)
-	addUint64(&b, m.createdAt)
+	b.AddUint16(s.version)
+	if s.isClient {
+		b.AddUint8(2) // client
+	} else {
+		b.AddUint8(1) // server
+	}
+	b.AddUint16(s.cipherSuite)
+	addUint64(&b, s.createdAt)
 	b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
-		b.AddBytes(m.secret)
+		b.AddBytes(s.secret)
 	})
-	marshalCertificate(&b, m.certificate)
+	marshalCertificate(&b, s.certificate())
+	if s.isClient {
+		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+			for _, chain := range s.verifiedChains {
+				b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+					// We elide the first certificate because it's always the leaf.
+					if len(chain) == 0 {
+						b.SetError(errors.New("tls: internal error: empty verified chain"))
+						return
+					}
+					for _, cert := range chain[1:] {
+						b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
+							b.AddBytes(cert.Raw)
+						})
+					}
+				})
+			}
+		})
+		if s.version >= VersionTLS13 {
+			addUint64(&b, s.useBy)
+			b.AddUint32(s.ageAdd)
+		}
+	}
 	return b.Bytes()
 }
 
+func (s *SessionState) certificate() Certificate {
+	return Certificate{
+		Certificate:                 certificatesToBytesSlice(s.peerCertificates),
+		OCSPStaple:                  s.ocspResponse,
+		SignedCertificateTimestamps: s.scts,
+	}
+}
+
+func certificatesToBytesSlice(certs []*x509.Certificate) [][]byte {
+	s := make([][]byte, 0, len(certs))
+	for _, c := range certs {
+		s = append(s, c.Raw)
+	}
+	return s
+}
+
 // ParseSessionState parses a [SessionState] encoded by [SessionState.Bytes].
 func ParseSessionState(data []byte) (*SessionState, error) {
 	ss := &SessionState{}
 	s := cryptobyte.String(data)
-	var revision uint8
+	var typ uint8
+	var cert Certificate
 	if !s.ReadUint16(&ss.version) ||
-		!s.ReadUint8(&revision) ||
-		revision != 1 ||
+		!s.ReadUint8(&typ) ||
+		(typ != 1 && typ != 2) ||
 		!s.ReadUint16(&ss.cipherSuite) ||
 		!readUint64(&s, &ss.createdAt) ||
 		!readUint8LengthPrefixed(&s, &ss.secret) ||
 		len(ss.secret) == 0 ||
-		!unmarshalCertificate(&s, &ss.certificate) ||
-		!s.Empty() {
+		!unmarshalCertificate(&s, &cert) {
+		return nil, errors.New("tls: invalid session encoding")
+	}
+	for _, cert := range cert.Certificate {
+		c, err := globalCertCache.newCert(cert)
+		if err != nil {
+			return nil, err
+		}
+		ss.activeCertHandles = append(ss.activeCertHandles, c)
+		ss.peerCertificates = append(ss.peerCertificates, c.cert)
+	}
+	ss.ocspResponse = cert.OCSPStaple
+	ss.scts = cert.SignedCertificateTimestamps
+	if isClient := typ == 2; !isClient {
+		if !s.Empty() {
+			return nil, errors.New("tls: invalid session encoding")
+		}
+		return ss, nil
+	}
+	ss.isClient = true
+	if len(ss.peerCertificates) == 0 {
+		return nil, errors.New("tls: no server certificates in client session")
+	}
+	var chainList cryptobyte.String
+	if !s.ReadUint24LengthPrefixed(&chainList) {
+		return nil, errors.New("tls: invalid session encoding")
+	}
+	for !chainList.Empty() {
+		var certList cryptobyte.String
+		if !chainList.ReadUint24LengthPrefixed(&certList) {
+			return nil, errors.New("tls: invalid session encoding")
+		}
+		var chain []*x509.Certificate
+		chain = append(chain, ss.peerCertificates[0])
+		for !certList.Empty() {
+			var cert []byte
+			if !readUint24LengthPrefixed(&certList, &cert) {
+				return nil, errors.New("tls: invalid session encoding")
+			}
+			c, err := globalCertCache.newCert(cert)
+			if err != nil {
+				return nil, err
+			}
+			ss.activeCertHandles = append(ss.activeCertHandles, c)
+			chain = append(chain, c.cert)
+		}
+		ss.verifiedChains = append(ss.verifiedChains, chain)
+	}
+	if ss.version < VersionTLS13 {
+		if !s.Empty() {
+			return nil, errors.New("tls: invalid session encoding")
+		}
+		return ss, nil
+	}
+	if !s.ReadUint64(&ss.useBy) || !s.ReadUint32(&ss.ageAdd) || !s.Empty() {
 		return nil, errors.New("tls: invalid session encoding")
 	}
 	return ss, nil
 }
 
+// sessionState returns a partially filled-out [SessionState] with information
+// from the current connection.
+func (c *Conn) sessionState() (*SessionState, error) {
+	var verifiedChains [][]*x509.Certificate
+	if c.isClient {
+		verifiedChains = c.verifiedChains
+		if len(c.peerCertificates) == 0 {
+			return nil, errors.New("tls: internal error: empty peer certificates")
+		}
+	}
+	return &SessionState{
+		version:           c.vers,
+		cipherSuite:       c.cipherSuite,
+		createdAt:         uint64(c.config.time().Unix()),
+		peerCertificates:  c.peerCertificates,
+		activeCertHandles: c.activeCertHandles,
+		ocspResponse:      c.ocspResponse,
+		scts:              c.scts,
+		isClient:          c.isClient,
+		verifiedChains:    verifiedChains,
+	}, nil
+}
+
 func (c *Conn) encryptTicket(state []byte) ([]byte, error) {
 	if len(c.ticketKeys) == 0 {
 		return nil, errors.New("tls: internal error: session ticket keys unavailable")