crypto/tls: add SessionState and use it on the server side

This change by itself is useless, because the application has no way to
access or provide SessionStates to crypto/tls, but they will be provided
in following CLs.

For #60105

Change-Id: I8d5de79b1eda0a778420134cf6f346246a1bb296
Reviewed-on: https://go-review.googlesource.com/c/go/+/496818
Reviewed-by: Marten Seemann <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
Reviewed-by: Matthew Dempsky <[email protected]>
Run-TryBot: Filippo Valsorda <[email protected]>

Author: FiloSottile

api/next/60105.txt

@@ -0,0 +1,3 @@
+pkg crypto/tls, func ParseSessionState([]uint8) (*SessionState, error) #60105
+pkg crypto/tls, method (*SessionState) Bytes() ([]uint8, error) #60105
+pkg crypto/tls, type SessionState struct #60105

src/crypto/tls/handshake_messages_test.go

@@ -15,7 +15,7 @@ import (
 	"time"
 )
 
-var tests = []any{
+var tests = []handshakeMessage{
 	&clientHelloMsg{},
 	&serverHelloMsg{},
 	&finishedMsg{},
@@ -28,14 +28,13 @@ var tests = []any{
 	&certificateStatusMsg{},
 	&clientKeyExchangeMsg{},
 	&newSessionTicketMsg{},
-	&sessionState{},
-	&sessionStateTLS13{},
 	&encryptedExtensionsMsg{},
 	&endOfEarlyDataMsg{},
 	&keyUpdateMsg{},
 	&newSessionTicketMsgTLS13{},
 	&certificateRequestMsgTLS13{},
 	&certificateMsgTLS13{},
+	&SessionState{},
 }
 
 func mustMarshal(t *testing.T, msg handshakeMessage) []byte {
@@ -50,8 +49,8 @@ func mustMarshal(t *testing.T, msg handshakeMessage) []byte {
 func TestMarshalUnmarshal(t *testing.T) {
 	rand := rand.New(rand.NewSource(time.Now().UnixNano()))
 
-	for i, iface := range tests {
-		ty := reflect.ValueOf(iface).Type()
+	for i, m := range tests {
+		ty := reflect.ValueOf(m).Type()
 
 		n := 100
 		if testing.Short() {
@@ -66,15 +65,14 @@ func TestMarshalUnmarshal(t *testing.T) {
 
 			m1 := v.Interface().(handshakeMessage)
 			marshaled := mustMarshal(t, m1)
-			m2 := iface.(handshakeMessage)
-			if !m2.unmarshal(marshaled) {
+			if !m.unmarshal(marshaled) {
 				t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled)
 				break
 			}
-			m2.marshal() // to fill any marshal cache in the message
+			m.marshal() // to fill any marshal cache in the message
 
-			if !reflect.DeepEqual(m1, m2) {
-				t.Errorf("#%d got:%#v want:%#v %x", i, m2, m1, marshaled)
+			if !reflect.DeepEqual(m1, m) {
+				t.Errorf("#%d got:%#v want:%#v %x", i, m, m1, marshaled)
 				break
 			}
 
@@ -85,7 +83,7 @@ func TestMarshalUnmarshal(t *testing.T) {
 				// data is optional and the length of the
 				// Finished varies across versions.
 				for j := 0; j < len(marshaled); j++ {
-					if m2.unmarshal(marshaled[0:j]) {
+					if m.unmarshal(marshaled[0:j]) {
 						t.Errorf("#%d unmarshaled a prefix of length %d of %#v", i, j, m1)
 						break
 					}
@@ -97,9 +95,7 @@ func TestMarshalUnmarshal(t *testing.T) {
 
 func TestFuzz(t *testing.T) {
 	rand := rand.New(rand.NewSource(0))
-	for _, iface := range tests {
-		m := iface.(handshakeMessage)
-
+	for _, m := range tests {
 		for j := 0; j < 1000; j++ {
 			len := rand.Intn(100)
 			bytes := randomBytes(len, rand)
@@ -317,22 +313,11 @@ func (*newSessionTicketMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 	return reflect.ValueOf(m)
 }
 
-func (*sessionState) Generate(rand *rand.Rand, size int) reflect.Value {
-	s := &sessionState{}
-	s.vers = uint16(rand.Intn(10000))
+func (*SessionState) Generate(rand *rand.Rand, size int) reflect.Value {
+	s := &SessionState{}
+	s.version = uint16(rand.Intn(10000))
 	s.cipherSuite = uint16(rand.Intn(10000))
-	s.masterSecret = randomBytes(rand.Intn(100)+1, rand)
-	s.createdAt = uint64(rand.Int63())
-	for i := 0; i < rand.Intn(20); i++ {
-		s.certificates = append(s.certificates, randomBytes(rand.Intn(500)+1, rand))
-	}
-	return reflect.ValueOf(s)
-}
-
-func (*sessionStateTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
-	s := &sessionStateTLS13{}
-	s.cipherSuite = uint16(rand.Intn(10000))
-	s.resumptionSecret = randomBytes(rand.Intn(100)+1, rand)
+	s.secret = randomBytes(rand.Intn(100)+1, rand)
 	s.createdAt = uint64(rand.Int63())
 	for i := 0; i < rand.Intn(2)+1; i++ {
 		s.certificate.Certificate = append(
@@ -350,6 +335,16 @@ func (*sessionStateTLS13) Generate(rand *rand.Rand, size int) reflect.Value {
 	return reflect.ValueOf(s)
 }
 
+func (s *SessionState) marshal() ([]byte, error) { return s.Bytes() }
+func (s *SessionState) unmarshal(b []byte) bool {
+	ss, err := ParseSessionState(b)
+	if err != nil {
+		return false
+	}
+	*s = *ss
+	return true
+}
+
 func (*endOfEarlyDataMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 	m := &endOfEarlyDataMsg{}
 	return reflect.ValueOf(m)

src/crypto/tls/handshake_server.go

@@ -31,7 +31,7 @@ type serverHandshakeState struct {
 	ecSignOk     bool
 	rsaDecryptOk bool
 	rsaSignOk    bool
-	sessionState *sessionState
+	sessionState *SessionState
 	finishedHash finishedHash
 	masterSecret []byte
 	cert         *Certificate
@@ -410,11 +410,11 @@ func (hs *serverHandshakeState) checkForResumption() bool {
 	if plaintext == nil {
 		return false
 	}
-	hs.sessionState = &sessionState{}
-	ok := hs.sessionState.unmarshal(plaintext)
-	if !ok {
+	ss, err := ParseSessionState(plaintext)
+	if err != nil {
 		return false
 	}
+	hs.sessionState = ss
 
 	// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
 	// re-wrapping the same master secret in different tickets over and over for
@@ -425,7 +425,7 @@ func (hs *serverHandshakeState) checkForResumption() bool {
 	}
 
 	// Never resume a session for a different TLS version.
-	if c.vers != hs.sessionState.vers {
+	if c.vers != hs.sessionState.version {
 		return false
 	}
 
@@ -448,7 +448,7 @@ func (hs *serverHandshakeState) checkForResumption() bool {
 		return false
 	}
 
-	sessionHasClientCerts := len(hs.sessionState.certificates) != 0
+	sessionHasClientCerts := len(hs.sessionState.certificate.Certificate) != 0
 	needClientCerts := requiresClientCert(c.config.ClientAuth)
 	if needClientCerts && !sessionHasClientCerts {
 		return false
@@ -481,9 +481,7 @@ func (hs *serverHandshakeState) doResumeHandshake() error {
 		return err
 	}
 
-	if err := c.processCertsFromClient(Certificate{
-		Certificate: hs.sessionState.certificates,
-	}); err != nil {
+	if err := c.processCertsFromClient(hs.sessionState.certificate); err != nil {
 		return err
 	}
 
@@ -494,7 +492,7 @@ func (hs *serverHandshakeState) doResumeHandshake() error {
 		}
 	}
 
-	hs.masterSecret = hs.sessionState.masterSecret
+	hs.masterSecret = hs.sessionState.secret
 
 	return nil
 }
@@ -772,14 +770,18 @@ func (hs *serverHandshakeState) sendSessionTicket() error {
 	for _, cert := range c.peerCertificates {
 		certsFromClient = append(certsFromClient, cert.Raw)
 	}
-	state := sessionState{
-		vers:         c.vers,
-		cipherSuite:  hs.suite.id,
-		createdAt:    createdAt,
-		masterSecret: hs.masterSecret,
-		certificates: certsFromClient,
-	}
-	stateBytes, err := state.marshal()
+	state := SessionState{
+		version:     c.vers,
+		cipherSuite: hs.suite.id,
+		createdAt:   createdAt,
+		secret:      hs.masterSecret,
+		certificate: Certificate{
+			Certificate:                 certsFromClient,
+			OCSPStaple:                  c.ocspResponse,
+			SignedCertificateTimestamps: c.scts,
+		},
+	}
+	stateBytes, err := state.Bytes()
 	if err != nil {
 		return err
 	}

src/crypto/tls/handshake_server_tls13.go

@@ -279,8 +279,8 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 		if plaintext == nil {
 			continue
 		}
-		sessionState := new(sessionStateTLS13)
-		if ok := sessionState.unmarshal(plaintext); !ok {
+		sessionState, err := ParseSessionState(plaintext)
+		if err != nil || sessionState.version != VersionTLS13 {
 			continue
 		}
 
@@ -310,9 +310,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 			continue
 		}
 
-		psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption",
-			nil, hs.suite.hash.Size())
-		hs.earlySecret = hs.suite.extract(psk, nil)
+		hs.earlySecret = hs.suite.extract(sessionState.secret, nil)
 		binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
 		// Clone the transcript in case a HelloRetryRequest was recorded.
 		transcript := cloneHash(hs.transcript, hs.suite.hash)
@@ -771,24 +769,29 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
 
 	resumptionSecret := hs.suite.deriveSecret(hs.masterSecret,
 		resumptionLabel, hs.transcript)
+	// ticket_nonce, which must be unique per connection, is always left at
+	// zero because we only ever send one ticket per connection.
+	psk := hs.suite.expandLabel(resumptionSecret, "resumption",
+		nil, hs.suite.hash.Size())
 
 	m := new(newSessionTicketMsgTLS13)
 
 	var certsFromClient [][]byte
 	for _, cert := range c.peerCertificates {
 		certsFromClient = append(certsFromClient, cert.Raw)
 	}
-	state := sessionStateTLS13{
-		cipherSuite:      hs.suite.id,
-		createdAt:        uint64(c.config.time().Unix()),
-		resumptionSecret: resumptionSecret,
+	state := &SessionState{
+		version:     c.vers,
+		cipherSuite: hs.suite.id,
+		createdAt:   uint64(c.config.time().Unix()),
+		secret:      psk,
 		certificate: Certificate{
 			Certificate:                 certsFromClient,
 			OCSPStaple:                  c.ocspResponse,
 			SignedCertificateTimestamps: c.scts,
 		},
 	}
-	stateBytes, err := state.marshal()
+	stateBytes, err := state.Bytes()
 	if err != nil {
 		c.sendAlert(alertInternalError)
 		return err
@@ -809,9 +812,6 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
 	}
 	m.ageAdd = binary.LittleEndian.Uint32(ageAdd)
 
-	// ticket_nonce, which must be unique per connection, is always left at
-	// zero because we only ever send one ticket per connection.
-
 	if _, err := c.writeHandshakeRecord(m, nil); err != nil {
 		return err
 	}

src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial

@@ -1,7 +1,7 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 55 01 00 00  51 03 01 f5 f3 42 9e 4a  |....U...Q....B.J|
-00000010  f4 5f cc c5 18 d0 77 f2  9f 1a 37 d7 44 6b f5 09  |._....w...7.Dk..|
-00000020  69 ab 8b ee d7 1c 63 8d  95 59 bc 00 00 04 c0 14  |i.....c..Y......|
+00000000  16 03 01 00 55 01 00 00  51 03 01 58 36 60 2e c2  |....U...Q..X6`..|
+00000010  61 c3 fb 34 e3 b1 09 ca  00 58 fb 2b 72 d6 de 35  |a..4.....X.+r..5|
+00000020  a1 ed 5b ec 40 64 e2 cc  ff 3c c6 00 00 04 c0 14  |..[.@d...<......|
 00000030  00 ff 01 00 00 24 00 0b  00 04 03 00 01 02 00 0a  |.....$..........|
 00000040  00 0c 00 0a 00 1d 00 17  00 1e 00 19 00 18 00 23  |...............#|
 00000050  00 00 00 16 00 00 00 17  00 00                    |..........|
@@ -50,42 +50,42 @@
 00000290  d4 db fe 3d 13 60 84 5c  21 d3 3b e9 fa e7 16 03  |...=.`.\!.;.....|
 000002a0  01 00 aa 0c 00 00 a6 03  00 1d 20 2f e5 7d a3 47  |.......... /.}.G|
 000002b0  cd 62 43 15 28 da ac 5f  bb 29 07 30 ff f6 84 af  |.bC.(.._.).0....|
-000002c0  c4 cf c2 ed 90 99 5f 58  cb 3b 74 00 80 3f 8b 3e  |......_X.;t..?.>|
-000002d0  b0 29 ea c2 25 87 26 bb  69 0d b8 52 18 d4 82 19  |.)..%.&.i..R....|
-000002e0  90 3b e9 dc 77 94 61 fe  69 95 9f 50 85 34 c5 dd  |.;..w.a.i..P.4..|
-000002f0  c0 a1 d5 d6 83 e4 e3 ba  8c f7 6e 39 e0 14 94 30  |..........n9...0|
-00000300  34 16 f0 5b c0 32 92 a3  21 8e 21 c8 57 05 16 a3  |4..[.2..!.!.W...|
-00000310  ea 66 0a 29 20 14 32 e2  f6 b2 7f 17 04 dc 8f 1b  |.f.) .2.........|
-00000320  2c 56 50 75 bf 84 c7 11  84 18 a3 05 08 1a 3a e4  |,VPu..........:.|
-00000330  16 ec f2 b5 1f 29 9b 56  8f 5c 9c f2 91 3e 09 5e  |.....).V.\...>.^|
-00000340  c7 59 45 12 37 39 06 c5  11 3c fc ee 49 16 03 01  |.YE.79...<..I...|
+000002c0  c4 cf c2 ed 90 99 5f 58  cb 3b 74 00 80 cc 63 02  |......_X.;t...c.|
+000002d0  c4 91 d5 33 71 50 31 1f  7c d0 9c 3d f4 86 33 e6  |...3qP1.|..=..3.|
+000002e0  28 32 81 af d9 33 c2 c9  38 89 38 3f 1b 01 07 c2  |(2...3..8.8?....|
+000002f0  99 46 68 ea db 0e a3 b0  a7 e6 de b3 8f 9a 3d f1  |.Fh...........=.|
+00000300  76 72 a8 e4 4a 63 97 fd  d2 77 23 79 13 cb ac d5  |vr..Jc...w#y....|
+00000310  db fa 89 ae 45 98 6f 1d  38 2c 20 d2 ba 94 eb 01  |....E.o.8, .....|
+00000320  91 5e 57 b6 a0 95 dc 70  ad 06 f7 c4 02 b9 06 c3  |.^W....p........|
+00000330  84 04 de b8 2c 71 31 4f  94 47 78 73 b1 72 e4 00  |....,q1O.Gxs.r..|
+00000340  4a 58 bb 88 fd 6f 55 6a  49 17 ef b9 6b 16 03 01  |JX...oUjI...k...|
 00000350  00 04 0e 00 00 00                                 |......|
 >>> Flow 3 (client to server)
-00000000  16 03 01 00 25 10 00 00  21 20 a1 f8 df c3 de d5  |....%...! ......|
-00000010  70 2f 18 10 4e 4e 86 18  ae 89 a5 4a 34 81 40 f8  |p/..NN.....J4.@.|
-00000020  9d a6 f4 cf b0 5b b5 43  54 08 14 03 01 00 01 01  |.....[.CT.......|
-00000030  16 03 01 00 30 86 24 e7  70 5c ea 25 e3 65 63 b5  |....0.$.p\.%.ec.|
-00000040  91 de 82 c3 23 ce b1 68  0c b4 a0 f3 ae 5d 46 cd  |....#..h.....]F.|
-00000050  90 ce 4f 4c b0 c7 14 13  60 17 32 b4 fc 2a 0b 49  |..OL....`.2..*.I|
-00000060  8d 0e 3d e8 2a                                    |..=.*|
+00000000  16 03 01 00 25 10 00 00  21 20 06 ca bc 6d bc 25  |....%...! ...m.%|
+00000010  25 0c 1a 06 b5 36 e6 de  20 57 fe bc 24 e9 87 e4  |%....6.. W..$...|
+00000020  cd 57 a0 91 7e 7e f2 79  5b 0b 14 03 01 00 01 01  |.W..~~.y[.......|
+00000030  16 03 01 00 30 85 12 fa  73 ea 8f 6f a5 d4 15 3b  |....0...s..o...;|
+00000040  70 ac 6b 95 bc 3e 75 b3  ee c7 f1 1a 9e b2 b4 f0  |p.k..>u.........|
+00000050  0d f3 30 da 63 dc f7 c4  cd d6 ab ed db e5 c6 f9  |..0.c...........|
+00000060  6b 4f 52 3d 04                                    |kOR=.|
 >>> Flow 4 (server to client)
 00000000  16 03 01 00 7b 04 00 00  77 00 00 00 00 00 71 00  |....{...w.....q.|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 94  |................|
-00000020  6d ec a4 83 51 ed 14 ef  68 ca 42 c5 4c fe ae 28  |m...Q...h.B.L..(|
-00000030  76 e9 99 d7 d3 45 dd ff  bd 64 54 a3 a8 bf 69 17  |v....E...dT...i.|
-00000040  28 b5 cb bb 13 1c e8 a8  9c f8 a7 43 81 9d 1d bc  |(..........C....|
-00000050  00 96 83 1d cc da 66 d7  20 e1 52 44 b4 49 38 16  |......f. .RD.I8.|
-00000060  56 c5 9e be 43 6c 3c 82  7a 50 fd d6 e6 00 99 27  |V...Cl<.zP.....'|
-00000070  49 a1 65 7b cb 82 3f 9a  74 17 08 2b fd 7b de db  |I.e{..?.t..+.{..|
-00000080  14 03 01 00 01 01 16 03  01 00 30 eb 9f f3 b2 32  |..........0....2|
-00000090  44 c2 58 ab 22 7f 41 a0  30 84 71 18 7a df 48 6b  |D.X.".A.0.q.z.Hk|
-000000a0  c7 2d 8b 8e 8f 8c 7f 5d  58 7c 2c 61 5d 0d bc ce  |.-.....]X|,a]...|
-000000b0  60 f0 47 b3 e2 86 5a 82  30 26 95 17 03 01 00 20  |`.G...Z.0&..... |
-000000c0  12 3e 23 0a f5 97 2a 6b  bf be f4 82 7b 31 92 9e  |.>#...*k....{1..|
-000000d0  32 c9 1f 4f 8e cc 74 5e  41 da ff 45 68 3c 82 07  |2..O..t^A..Eh<..|
-000000e0  17 03 01 00 30 31 73 bb  fd 8e ba 4d c3 74 14 9b  |....01s....M.t..|
-000000f0  81 c0 69 38 e6 32 86 35  b2 fb 2a af 2c 69 c1 ca  |..i8.2.5..*.,i..|
-00000100  0c 94 35 9a fa 7b ab b4  04 1e 56 6f 59 f9 40 38  |..5..{....VoY.@8|
-00000110  e6 a9 20 96 15 15 03 01  00 20 09 20 d5 0e cd 68  |.. ...... . ...h|
-00000120  79 de ea 6b 0e 84 98 e5  75 64 c4 e8 b1 9f c4 cc  |y..k....ud......|
-00000130  d6 4c b6 be cf 42 78 c6  6a 2e                    |.L...Bx.j.|
+00000020  6d 2d 70 97 51 ed 14 ef  68 ca 42 c5 4c 12 19 5b  |m-p.Q...h.B.L..[|
+00000030  90 88 76 b1 48 c1 f4 61  1a 16 81 2e f7 5f 87 79  |..v.H..a....._.y|
+00000040  5c b7 dd b1 be 7f f4 b8  6a fb af 51 a3 35 5e 20  |\.......j..Q.5^ |
+00000050  b4 a2 b9 69 8b 93 45 4f  1b af 8c 69 c9 49 38 16  |...i..EO...i.I8.|
+00000060  79 6d a8 7f 7e 49 b0 b9  5a 88 19 1d 82 c2 68 f7  |ym..~I..Z.....h.|
+00000070  8a b4 45 8c f9 86 a7 fe  f7 74 27 70 6f 52 6d 11  |..E......t'poRm.|
+00000080  14 03 01 00 01 01 16 03  01 00 30 3b 4f 4d 0a 0d  |..........0;OM..|
+00000090  d8 28 9f 41 e6 be a5 9f  f9 f1 a5 a9 f7 9f 24 90  |.(.A..........$.|
+000000a0  11 52 8a 0f 59 9c 55 79  68 7c 55 71 43 69 15 d9  |.R..Y.Uyh|UqCi..|
+000000b0  b1 5e cc 80 6d ba 38 e5  a7 72 8c 17 03 01 00 20  |.^..m.8..r..... |
+000000c0  cb bc e9 a2 a7 d1 3e 2c  6c 1e 37 2e c1 a9 56 25  |......>,l.7...V%|
+000000d0  d9 47 8e 3c 82 dc 6c 13  8b 0c 59 dc c2 06 28 ee  |.G.<..l...Y...(.|
+000000e0  17 03 01 00 30 8d 88 6f  ba 26 3f a0 e6 7d 9e cf  |....0..o.&?..}..|
+000000f0  6f f1 60 af ba 2e db b1  56 7c 95 00 51 fd 36 a0  |o.`.....V|..Q.6.|
+00000100  94 64 e9 40 ea 25 8c 99  a2 6b 11 43 34 08 29 79  |.d.@.%...k.C4.)y|
+00000110  e9 7e 50 d8 c0 15 03 01  00 20 7d aa 05 d0 ce d6  |.~P...... }.....|
+00000120  77 52 d8 f7 65 d9 3b fe  c3 51 f3 b6 67 90 f1 39  |wR..e.;..Q..g..9|
+00000130  62 a5 97 48 01 b0 4e 8b  16 48                    |b..H..N..H|