Source file
src/crypto/tls/handshake_client_tls13.go
1
2
3
4
5 package tls
6
7 import (
8 "bytes"
9 "context"
10 "crypto"
11 "crypto/ecdh"
12 "crypto/hmac"
13 "crypto/rsa"
14 "errors"
15 "hash"
16 "time"
17 )
18
19 type clientHandshakeStateTLS13 struct {
20 c *Conn
21 ctx context.Context
22 serverHello *serverHelloMsg
23 hello *clientHelloMsg
24 ecdheKey *ecdh.PrivateKey
25
26 session *SessionState
27 earlySecret []byte
28 binderKey []byte
29
30 certReq *certificateRequestMsgTLS13
31 usingPSK bool
32 sentDummyCCS bool
33 suite *cipherSuiteTLS13
34 transcript hash.Hash
35 masterSecret []byte
36 trafficSecret []byte
37 }
38
39
40
41 func (hs *clientHandshakeStateTLS13) handshake() error {
42 c := hs.c
43
44 if needFIPS() {
45 return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode")
46 }
47
48
49
50 if c.handshakes > 0 {
51 c.sendAlert(alertProtocolVersion)
52 return errors.New("tls: server selected TLS 1.3 in a renegotiation")
53 }
54
55
56 if hs.ecdheKey == nil || len(hs.hello.keyShares) != 1 {
57 return c.sendAlert(alertInternalError)
58 }
59
60 if err := hs.checkServerHelloOrHRR(); err != nil {
61 return err
62 }
63
64 hs.transcript = hs.suite.hash.New()
65
66 if err := transcriptMsg(hs.hello, hs.transcript); err != nil {
67 return err
68 }
69
70 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
71 if err := hs.sendDummyChangeCipherSpec(); err != nil {
72 return err
73 }
74 if err := hs.processHelloRetryRequest(); err != nil {
75 return err
76 }
77 }
78
79 if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil {
80 return err
81 }
82
83 c.buffering = true
84 if err := hs.processServerHello(); err != nil {
85 return err
86 }
87 if err := hs.sendDummyChangeCipherSpec(); err != nil {
88 return err
89 }
90 if err := hs.establishHandshakeKeys(); err != nil {
91 return err
92 }
93 if err := hs.readServerParameters(); err != nil {
94 return err
95 }
96 if err := hs.readServerCertificate(); err != nil {
97 return err
98 }
99 if err := hs.readServerFinished(); err != nil {
100 return err
101 }
102 if err := hs.sendClientCertificate(); err != nil {
103 return err
104 }
105 if err := hs.sendClientFinished(); err != nil {
106 return err
107 }
108 if _, err := c.flush(); err != nil {
109 return err
110 }
111
112 c.isHandshakeComplete.Store(true)
113
114 return nil
115 }
116
117
118
119 func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
120 c := hs.c
121
122 if hs.serverHello.supportedVersion == 0 {
123 c.sendAlert(alertMissingExtension)
124 return errors.New("tls: server selected TLS 1.3 using the legacy version field")
125 }
126
127 if hs.serverHello.supportedVersion != VersionTLS13 {
128 c.sendAlert(alertIllegalParameter)
129 return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
130 }
131
132 if hs.serverHello.vers != VersionTLS12 {
133 c.sendAlert(alertIllegalParameter)
134 return errors.New("tls: server sent an incorrect legacy version")
135 }
136
137 if hs.serverHello.ocspStapling ||
138 hs.serverHello.ticketSupported ||
139 hs.serverHello.extendedMasterSecret ||
140 hs.serverHello.secureRenegotiationSupported ||
141 len(hs.serverHello.secureRenegotiation) != 0 ||
142 len(hs.serverHello.alpnProtocol) != 0 ||
143 len(hs.serverHello.scts) != 0 {
144 c.sendAlert(alertUnsupportedExtension)
145 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
146 }
147
148 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
149 c.sendAlert(alertIllegalParameter)
150 return errors.New("tls: server did not echo the legacy session ID")
151 }
152
153 if hs.serverHello.compressionMethod != compressionNone {
154 c.sendAlert(alertIllegalParameter)
155 return errors.New("tls: server selected unsupported compression format")
156 }
157
158 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
159 if hs.suite != nil && selectedSuite != hs.suite {
160 c.sendAlert(alertIllegalParameter)
161 return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
162 }
163 if selectedSuite == nil {
164 c.sendAlert(alertIllegalParameter)
165 return errors.New("tls: server chose an unconfigured cipher suite")
166 }
167 hs.suite = selectedSuite
168 c.cipherSuite = hs.suite.id
169
170 return nil
171 }
172
173
174
175 func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error {
176 if hs.c.quic != nil {
177 return nil
178 }
179 if hs.sentDummyCCS {
180 return nil
181 }
182 hs.sentDummyCCS = true
183
184 return hs.c.writeChangeCipherRecord()
185 }
186
187
188
189 func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
190 c := hs.c
191
192
193
194
195 chHash := hs.transcript.Sum(nil)
196 hs.transcript.Reset()
197 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
198 hs.transcript.Write(chHash)
199 if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil {
200 return err
201 }
202
203
204
205
206 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil {
207 c.sendAlert(alertIllegalParameter)
208 return errors.New("tls: server sent an unnecessary HelloRetryRequest message")
209 }
210
211 if hs.serverHello.cookie != nil {
212 hs.hello.cookie = hs.serverHello.cookie
213 }
214
215 if hs.serverHello.serverShare.group != 0 {
216 c.sendAlert(alertDecodeError)
217 return errors.New("tls: received malformed key_share extension")
218 }
219
220
221
222
223 if curveID := hs.serverHello.selectedGroup; curveID != 0 {
224 curveOK := false
225 for _, id := range hs.hello.supportedCurves {
226 if id == curveID {
227 curveOK = true
228 break
229 }
230 }
231 if !curveOK {
232 c.sendAlert(alertIllegalParameter)
233 return errors.New("tls: server selected unsupported group")
234 }
235 if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); sentID == curveID {
236 c.sendAlert(alertIllegalParameter)
237 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share")
238 }
239 if _, ok := curveForCurveID(curveID); !ok {
240 c.sendAlert(alertInternalError)
241 return errors.New("tls: CurvePreferences includes unsupported curve")
242 }
243 key, err := generateECDHEKey(c.config.rand(), curveID)
244 if err != nil {
245 c.sendAlert(alertInternalError)
246 return err
247 }
248 hs.ecdheKey = key
249 hs.hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}}
250 }
251
252 if len(hs.hello.pskIdentities) > 0 {
253 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
254 if pskSuite == nil {
255 return c.sendAlert(alertInternalError)
256 }
257 if pskSuite.hash == hs.suite.hash {
258
259 ticketAge := c.config.time().Sub(time.Unix(int64(hs.session.createdAt), 0))
260 hs.hello.pskIdentities[0].obfuscatedTicketAge = uint32(ticketAge/time.Millisecond) + hs.session.ageAdd
261
262 transcript := hs.suite.hash.New()
263 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
264 transcript.Write(chHash)
265 if err := transcriptMsg(hs.serverHello, transcript); err != nil {
266 return err
267 }
268 helloBytes, err := hs.hello.marshalWithoutBinders()
269 if err != nil {
270 return err
271 }
272 transcript.Write(helloBytes)
273 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)}
274 if err := hs.hello.updateBinders(pskBinders); err != nil {
275 return err
276 }
277 } else {
278
279 hs.hello.pskIdentities = nil
280 hs.hello.pskBinders = nil
281 }
282 }
283
284 if hs.hello.earlyData {
285 hs.hello.earlyData = false
286 c.quicRejectedEarlyData()
287 }
288
289 if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil {
290 return err
291 }
292
293
294 msg, err := c.readHandshake(nil)
295 if err != nil {
296 return err
297 }
298
299 serverHello, ok := msg.(*serverHelloMsg)
300 if !ok {
301 c.sendAlert(alertUnexpectedMessage)
302 return unexpectedMessageError(serverHello, msg)
303 }
304 hs.serverHello = serverHello
305
306 if err := hs.checkServerHelloOrHRR(); err != nil {
307 return err
308 }
309
310 return nil
311 }
312
313 func (hs *clientHandshakeStateTLS13) processServerHello() error {
314 c := hs.c
315
316 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
317 c.sendAlert(alertUnexpectedMessage)
318 return errors.New("tls: server sent two HelloRetryRequest messages")
319 }
320
321 if len(hs.serverHello.cookie) != 0 {
322 c.sendAlert(alertUnsupportedExtension)
323 return errors.New("tls: server sent a cookie in a normal ServerHello")
324 }
325
326 if hs.serverHello.selectedGroup != 0 {
327 c.sendAlert(alertDecodeError)
328 return errors.New("tls: malformed key_share extension")
329 }
330
331 if hs.serverHello.serverShare.group == 0 {
332 c.sendAlert(alertIllegalParameter)
333 return errors.New("tls: server did not send a key share")
334 }
335 if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); hs.serverHello.serverShare.group != sentID {
336 c.sendAlert(alertIllegalParameter)
337 return errors.New("tls: server selected unsupported group")
338 }
339
340 if !hs.serverHello.selectedIdentityPresent {
341 return nil
342 }
343
344 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) {
345 c.sendAlert(alertIllegalParameter)
346 return errors.New("tls: server selected an invalid PSK")
347 }
348
349 if len(hs.hello.pskIdentities) != 1 || hs.session == nil {
350 return c.sendAlert(alertInternalError)
351 }
352 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite)
353 if pskSuite == nil {
354 return c.sendAlert(alertInternalError)
355 }
356 if pskSuite.hash != hs.suite.hash {
357 c.sendAlert(alertIllegalParameter)
358 return errors.New("tls: server selected an invalid PSK and cipher suite pair")
359 }
360
361 hs.usingPSK = true
362 c.didResume = true
363 c.peerCertificates = hs.session.peerCertificates
364 c.activeCertHandles = hs.session.activeCertHandles
365 c.verifiedChains = hs.session.verifiedChains
366 c.ocspResponse = hs.session.ocspResponse
367 c.scts = hs.session.scts
368 return nil
369 }
370
371 func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error {
372 c := hs.c
373
374 peerKey, err := hs.ecdheKey.Curve().NewPublicKey(hs.serverHello.serverShare.data)
375 if err != nil {
376 c.sendAlert(alertIllegalParameter)
377 return errors.New("tls: invalid server key share")
378 }
379 sharedKey, err := hs.ecdheKey.ECDH(peerKey)
380 if err != nil {
381 c.sendAlert(alertIllegalParameter)
382 return errors.New("tls: invalid server key share")
383 }
384
385 earlySecret := hs.earlySecret
386 if !hs.usingPSK {
387 earlySecret = hs.suite.extract(nil, nil)
388 }
389
390 handshakeSecret := hs.suite.extract(sharedKey,
391 hs.suite.deriveSecret(earlySecret, "derived", nil))
392
393 clientSecret := hs.suite.deriveSecret(handshakeSecret,
394 clientHandshakeTrafficLabel, hs.transcript)
395 c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret)
396 serverSecret := hs.suite.deriveSecret(handshakeSecret,
397 serverHandshakeTrafficLabel, hs.transcript)
398 c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret)
399
400 if c.quic != nil {
401 if c.hand.Len() != 0 {
402 c.sendAlert(alertUnexpectedMessage)
403 }
404 c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret)
405 c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret)
406 }
407
408 err = c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret)
409 if err != nil {
410 c.sendAlert(alertInternalError)
411 return err
412 }
413 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret)
414 if err != nil {
415 c.sendAlert(alertInternalError)
416 return err
417 }
418
419 hs.masterSecret = hs.suite.extract(nil,
420 hs.suite.deriveSecret(handshakeSecret, "derived", nil))
421
422 return nil
423 }
424
425 func (hs *clientHandshakeStateTLS13) readServerParameters() error {
426 c := hs.c
427
428 msg, err := c.readHandshake(hs.transcript)
429 if err != nil {
430 return err
431 }
432
433 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg)
434 if !ok {
435 c.sendAlert(alertUnexpectedMessage)
436 return unexpectedMessageError(encryptedExtensions, msg)
437 }
438
439 if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol, c.quic != nil); err != nil {
440
441
442
443
444 c.sendAlert(alertNoApplicationProtocol)
445 return err
446 }
447 c.clientProtocol = encryptedExtensions.alpnProtocol
448
449 if c.quic != nil {
450 if encryptedExtensions.quicTransportParameters == nil {
451
452 c.sendAlert(alertMissingExtension)
453 return errors.New("tls: server did not send a quic_transport_parameters extension")
454 }
455 c.quicSetTransportParameters(encryptedExtensions.quicTransportParameters)
456 } else {
457 if encryptedExtensions.quicTransportParameters != nil {
458 c.sendAlert(alertUnsupportedExtension)
459 return errors.New("tls: server sent an unexpected quic_transport_parameters extension")
460 }
461 }
462
463 if !hs.hello.earlyData && encryptedExtensions.earlyData {
464 c.sendAlert(alertUnsupportedExtension)
465 return errors.New("tls: server sent an unexpected early_data extension")
466 }
467 if hs.hello.earlyData && !encryptedExtensions.earlyData {
468 c.quicRejectedEarlyData()
469 }
470 if encryptedExtensions.earlyData {
471 if hs.session.cipherSuite != c.cipherSuite {
472 c.sendAlert(alertHandshakeFailure)
473 return errors.New("tls: server accepted 0-RTT with the wrong cipher suite")
474 }
475 if hs.session.alpnProtocol != c.clientProtocol {
476 c.sendAlert(alertHandshakeFailure)
477 return errors.New("tls: server accepted 0-RTT with the wrong ALPN")
478 }
479 }
480
481 return nil
482 }
483
484 func (hs *clientHandshakeStateTLS13) readServerCertificate() error {
485 c := hs.c
486
487
488
489 if hs.usingPSK {
490
491
492
493 if c.config.VerifyConnection != nil {
494 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
495 c.sendAlert(alertBadCertificate)
496 return err
497 }
498 }
499 return nil
500 }
501
502 msg, err := c.readHandshake(hs.transcript)
503 if err != nil {
504 return err
505 }
506
507 certReq, ok := msg.(*certificateRequestMsgTLS13)
508 if ok {
509 hs.certReq = certReq
510
511 msg, err = c.readHandshake(hs.transcript)
512 if err != nil {
513 return err
514 }
515 }
516
517 certMsg, ok := msg.(*certificateMsgTLS13)
518 if !ok {
519 c.sendAlert(alertUnexpectedMessage)
520 return unexpectedMessageError(certMsg, msg)
521 }
522 if len(certMsg.certificate.Certificate) == 0 {
523 c.sendAlert(alertDecodeError)
524 return errors.New("tls: received empty certificates message")
525 }
526
527 c.scts = certMsg.certificate.SignedCertificateTimestamps
528 c.ocspResponse = certMsg.certificate.OCSPStaple
529
530 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil {
531 return err
532 }
533
534
535
536
537 msg, err = c.readHandshake(nil)
538 if err != nil {
539 return err
540 }
541
542 certVerify, ok := msg.(*certificateVerifyMsg)
543 if !ok {
544 c.sendAlert(alertUnexpectedMessage)
545 return unexpectedMessageError(certVerify, msg)
546 }
547
548
549 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) {
550 c.sendAlert(alertIllegalParameter)
551 return errors.New("tls: certificate used with invalid signature algorithm")
552 }
553 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm)
554 if err != nil {
555 return c.sendAlert(alertInternalError)
556 }
557 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
558 c.sendAlert(alertIllegalParameter)
559 return errors.New("tls: certificate used with invalid signature algorithm")
560 }
561 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript)
562 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
563 sigHash, signed, certVerify.signature); err != nil {
564 c.sendAlert(alertDecryptError)
565 return errors.New("tls: invalid signature by the server certificate: " + err.Error())
566 }
567
568 if err := transcriptMsg(certVerify, hs.transcript); err != nil {
569 return err
570 }
571
572 return nil
573 }
574
575 func (hs *clientHandshakeStateTLS13) readServerFinished() error {
576 c := hs.c
577
578
579
580
581 msg, err := c.readHandshake(nil)
582 if err != nil {
583 return err
584 }
585
586 finished, ok := msg.(*finishedMsg)
587 if !ok {
588 c.sendAlert(alertUnexpectedMessage)
589 return unexpectedMessageError(finished, msg)
590 }
591
592 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript)
593 if !hmac.Equal(expectedMAC, finished.verifyData) {
594 c.sendAlert(alertDecryptError)
595 return errors.New("tls: invalid server finished hash")
596 }
597
598 if err := transcriptMsg(finished, hs.transcript); err != nil {
599 return err
600 }
601
602
603
604 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret,
605 clientApplicationTrafficLabel, hs.transcript)
606 serverSecret := hs.suite.deriveSecret(hs.masterSecret,
607 serverApplicationTrafficLabel, hs.transcript)
608 c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret)
609
610 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret)
611 if err != nil {
612 c.sendAlert(alertInternalError)
613 return err
614 }
615 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret)
616 if err != nil {
617 c.sendAlert(alertInternalError)
618 return err
619 }
620
621 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript)
622
623 return nil
624 }
625
626 func (hs *clientHandshakeStateTLS13) sendClientCertificate() error {
627 c := hs.c
628
629 if hs.certReq == nil {
630 return nil
631 }
632
633 cert, err := c.getClientCertificate(&CertificateRequestInfo{
634 AcceptableCAs: hs.certReq.certificateAuthorities,
635 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms,
636 Version: c.vers,
637 ctx: hs.ctx,
638 })
639 if err != nil {
640 return err
641 }
642
643 certMsg := new(certificateMsgTLS13)
644
645 certMsg.certificate = *cert
646 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0
647 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0
648
649 if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil {
650 return err
651 }
652
653
654 if len(cert.Certificate) == 0 {
655 return nil
656 }
657
658 certVerifyMsg := new(certificateVerifyMsg)
659 certVerifyMsg.hasSignatureAlgorithm = true
660
661 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms)
662 if err != nil {
663
664
665 c.sendAlert(alertHandshakeFailure)
666 return err
667 }
668
669 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm)
670 if err != nil {
671 return c.sendAlert(alertInternalError)
672 }
673
674 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript)
675 signOpts := crypto.SignerOpts(sigHash)
676 if sigType == signatureRSAPSS {
677 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash}
678 }
679 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts)
680 if err != nil {
681 c.sendAlert(alertInternalError)
682 return errors.New("tls: failed to sign handshake: " + err.Error())
683 }
684 certVerifyMsg.signature = sig
685
686 if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil {
687 return err
688 }
689
690 return nil
691 }
692
693 func (hs *clientHandshakeStateTLS13) sendClientFinished() error {
694 c := hs.c
695
696 finished := &finishedMsg{
697 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript),
698 }
699
700 if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil {
701 return err
702 }
703
704 c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret)
705
706 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil {
707 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret,
708 resumptionLabel, hs.transcript)
709 }
710
711 if c.quic != nil {
712 if c.hand.Len() != 0 {
713 c.sendAlert(alertUnexpectedMessage)
714 }
715 c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, hs.trafficSecret)
716 }
717
718 return nil
719 }
720
721 func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error {
722 if !c.isClient {
723 c.sendAlert(alertUnexpectedMessage)
724 return errors.New("tls: received new session ticket from a client")
725 }
726
727 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
728 return nil
729 }
730
731
732 if msg.lifetime == 0 {
733 return nil
734 }
735 lifetime := time.Duration(msg.lifetime) * time.Second
736 if lifetime > maxSessionTicketLifetime {
737 c.sendAlert(alertIllegalParameter)
738 return errors.New("tls: received a session ticket with invalid lifetime")
739 }
740
741
742 if c.quic != nil && msg.maxEarlyData != 0 && msg.maxEarlyData != 0xffffffff {
743 c.sendAlert(alertIllegalParameter)
744 return errors.New("tls: invalid early data for QUIC connection")
745 }
746
747 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite)
748 if cipherSuite == nil || c.resumptionSecret == nil {
749 return c.sendAlert(alertInternalError)
750 }
751
752 psk := cipherSuite.expandLabel(c.resumptionSecret, "resumption",
753 msg.nonce, cipherSuite.hash.Size())
754
755 session := c.sessionState()
756 session.secret = psk
757 session.useBy = uint64(c.config.time().Add(lifetime).Unix())
758 session.ageAdd = msg.ageAdd
759 session.EarlyData = c.quic != nil && msg.maxEarlyData == 0xffffffff
760 cs := &ClientSessionState{ticket: msg.label, session: session}
761
762 if cacheKey := c.clientSessionCacheKey(); cacheKey != "" {
763 c.config.ClientSessionCache.Put(cacheKey, cs)
764 }
765
766 return nil
767 }
768
View as plain text