1// Copyright 2018 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package tls 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/hmac" 11 "crypto/rsa" 12 "errors" 13 "hash" 14 "sync/atomic" 15 "time" 16) 17 18type clientHandshakeStateTLS13 struct { 19 c *Conn 20 serverHello *serverHelloMsg 21 hello *clientHelloMsg 22 ecdheParams ecdheParameters 23 24 session *ClientSessionState 25 earlySecret []byte 26 binderKey []byte 27 28 certReq *certificateRequestMsgTLS13 29 usingPSK bool 30 sentDummyCCS bool 31 suite *cipherSuiteTLS13 32 transcript hash.Hash 33 masterSecret []byte 34 trafficSecret []byte // client_application_traffic_secret_0 35} 36 37// handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and, 38// optionally, hs.session, hs.earlySecret and hs.binderKey to be set. 39func (hs *clientHandshakeStateTLS13) handshake() error { 40 c := hs.c 41 42 // The server must not select TLS 1.3 in a renegotiation. See RFC 8446, 43 // sections 4.1.2 and 4.1.3. 44 if c.handshakes > 0 { 45 c.sendAlert(alertProtocolVersion) 46 return errors.New("tls: server selected TLS 1.3 in a renegotiation") 47 } 48 49 // Consistency check on the presence of a keyShare and its parameters. 50 if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 { 51 return c.sendAlert(alertInternalError) 52 } 53 54 if err := hs.checkServerHelloOrHRR(); err != nil { 55 return err 56 } 57 58 hs.transcript = hs.suite.hash.New() 59 hs.transcript.Write(hs.hello.marshal()) 60 61 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { 62 if err := hs.sendDummyChangeCipherSpec(); err != nil { 63 return err 64 } 65 if err := hs.processHelloRetryRequest(); err != nil { 66 return err 67 } 68 } 69 70 hs.transcript.Write(hs.serverHello.marshal()) 71 72 c.buffering = true 73 if err := hs.processServerHello(); err != nil { 74 return err 75 } 76 if err := hs.sendDummyChangeCipherSpec(); err != nil { 77 return err 78 } 79 if err := hs.establishHandshakeKeys(); err != nil { 80 return err 81 } 82 if err := hs.readServerParameters(); err != nil { 83 return err 84 } 85 if err := hs.readServerCertificate(); err != nil { 86 return err 87 } 88 if err := hs.readServerFinished(); err != nil { 89 return err 90 } 91 if err := hs.sendClientCertificate(); err != nil { 92 return err 93 } 94 if err := hs.sendClientFinished(); err != nil { 95 return err 96 } 97 if _, err := c.flush(); err != nil { 98 return err 99 } 100 101 atomic.StoreUint32(&c.handshakeStatus, 1) 102 103 return nil 104} 105 106// checkServerHelloOrHRR does validity checks that apply to both ServerHello and 107// HelloRetryRequest messages. It sets hs.suite. 108func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error { 109 c := hs.c 110 111 if hs.serverHello.supportedVersion == 0 { 112 c.sendAlert(alertMissingExtension) 113 return errors.New("tls: server selected TLS 1.3 using the legacy version field") 114 } 115 116 if hs.serverHello.supportedVersion != VersionTLS13 { 117 c.sendAlert(alertIllegalParameter) 118 return errors.New("tls: server selected an invalid version after a HelloRetryRequest") 119 } 120 121 if hs.serverHello.vers != VersionTLS12 { 122 c.sendAlert(alertIllegalParameter) 123 return errors.New("tls: server sent an incorrect legacy version") 124 } 125 126 if hs.serverHello.ocspStapling || 127 hs.serverHello.ticketSupported || 128 hs.serverHello.secureRenegotiationSupported || 129 len(hs.serverHello.secureRenegotiation) != 0 || 130 len(hs.serverHello.alpnProtocol) != 0 || 131 len(hs.serverHello.scts) != 0 { 132 c.sendAlert(alertUnsupportedExtension) 133 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3") 134 } 135 136 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { 137 c.sendAlert(alertIllegalParameter) 138 return errors.New("tls: server did not echo the legacy session ID") 139 } 140 141 if hs.serverHello.compressionMethod != compressionNone { 142 c.sendAlert(alertIllegalParameter) 143 return errors.New("tls: server selected unsupported compression format") 144 } 145 146 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite) 147 if hs.suite != nil && selectedSuite != hs.suite { 148 c.sendAlert(alertIllegalParameter) 149 return errors.New("tls: server changed cipher suite after a HelloRetryRequest") 150 } 151 if selectedSuite == nil { 152 c.sendAlert(alertIllegalParameter) 153 return errors.New("tls: server chose an unconfigured cipher suite") 154 } 155 hs.suite = selectedSuite 156 c.cipherSuite = hs.suite.id 157 158 return nil 159} 160 161// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility 162// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4. 163func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error { 164 if hs.sentDummyCCS { 165 return nil 166 } 167 hs.sentDummyCCS = true 168 169 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 170 return err 171} 172 173// processHelloRetryRequest handles the HRR in hs.serverHello, modifies and 174// resends hs.hello, and reads the new ServerHello into hs.serverHello. 175func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { 176 c := hs.c 177 178 // The first ClientHello gets double-hashed into the transcript upon a 179 // HelloRetryRequest. (The idea is that the server might offload transcript 180 // storage to the client in the cookie.) See RFC 8446, Section 4.4.1. 181 chHash := hs.transcript.Sum(nil) 182 hs.transcript.Reset() 183 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 184 hs.transcript.Write(chHash) 185 hs.transcript.Write(hs.serverHello.marshal()) 186 187 // The only HelloRetryRequest extensions we support are key_share and 188 // cookie, and clients must abort the handshake if the HRR would not result 189 // in any change in the ClientHello. 190 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil { 191 c.sendAlert(alertIllegalParameter) 192 return errors.New("tls: server sent an unnecessary HelloRetryRequest message") 193 } 194 195 if hs.serverHello.cookie != nil { 196 hs.hello.cookie = hs.serverHello.cookie 197 } 198 199 if hs.serverHello.serverShare.group != 0 { 200 c.sendAlert(alertDecodeError) 201 return errors.New("tls: received malformed key_share extension") 202 } 203 204 // If the server sent a key_share extension selecting a group, ensure it's 205 // a group we advertised but did not send a key share for, and send a key 206 // share for it this time. 207 if curveID := hs.serverHello.selectedGroup; curveID != 0 { 208 curveOK := false 209 for _, id := range hs.hello.supportedCurves { 210 if id == curveID { 211 curveOK = true 212 break 213 } 214 } 215 if !curveOK { 216 c.sendAlert(alertIllegalParameter) 217 return errors.New("tls: server selected unsupported group") 218 } 219 if hs.ecdheParams.CurveID() == curveID { 220 c.sendAlert(alertIllegalParameter) 221 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share") 222 } 223 if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { 224 c.sendAlert(alertInternalError) 225 return errors.New("tls: CurvePreferences includes unsupported curve") 226 } 227 params, err := generateECDHEParameters(c.config.rand(), curveID) 228 if err != nil { 229 c.sendAlert(alertInternalError) 230 return err 231 } 232 hs.ecdheParams = params 233 hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} 234 } 235 236 hs.hello.raw = nil 237 if len(hs.hello.pskIdentities) > 0 { 238 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) 239 if pskSuite == nil { 240 return c.sendAlert(alertInternalError) 241 } 242 if pskSuite.hash == hs.suite.hash { 243 // Update binders and obfuscated_ticket_age. 244 ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond) 245 hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd 246 247 transcript := hs.suite.hash.New() 248 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 249 transcript.Write(chHash) 250 transcript.Write(hs.serverHello.marshal()) 251 transcript.Write(hs.hello.marshalWithoutBinders()) 252 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)} 253 hs.hello.updateBinders(pskBinders) 254 } else { 255 // Server selected a cipher suite incompatible with the PSK. 256 hs.hello.pskIdentities = nil 257 hs.hello.pskBinders = nil 258 } 259 } 260 261 hs.transcript.Write(hs.hello.marshal()) 262 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 263 return err 264 } 265 266 msg, err := c.readHandshake() 267 if err != nil { 268 return err 269 } 270 271 serverHello, ok := msg.(*serverHelloMsg) 272 if !ok { 273 c.sendAlert(alertUnexpectedMessage) 274 return unexpectedMessageError(serverHello, msg) 275 } 276 hs.serverHello = serverHello 277 278 if err := hs.checkServerHelloOrHRR(); err != nil { 279 return err 280 } 281 282 return nil 283} 284 285func (hs *clientHandshakeStateTLS13) processServerHello() error { 286 c := hs.c 287 288 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { 289 c.sendAlert(alertUnexpectedMessage) 290 return errors.New("tls: server sent two HelloRetryRequest messages") 291 } 292 293 if len(hs.serverHello.cookie) != 0 { 294 c.sendAlert(alertUnsupportedExtension) 295 return errors.New("tls: server sent a cookie in a normal ServerHello") 296 } 297 298 if hs.serverHello.selectedGroup != 0 { 299 c.sendAlert(alertDecodeError) 300 return errors.New("tls: malformed key_share extension") 301 } 302 303 if hs.serverHello.serverShare.group == 0 { 304 c.sendAlert(alertIllegalParameter) 305 return errors.New("tls: server did not send a key share") 306 } 307 if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() { 308 c.sendAlert(alertIllegalParameter) 309 return errors.New("tls: server selected unsupported group") 310 } 311 312 if !hs.serverHello.selectedIdentityPresent { 313 return nil 314 } 315 316 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) { 317 c.sendAlert(alertIllegalParameter) 318 return errors.New("tls: server selected an invalid PSK") 319 } 320 321 if len(hs.hello.pskIdentities) != 1 || hs.session == nil { 322 return c.sendAlert(alertInternalError) 323 } 324 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) 325 if pskSuite == nil { 326 return c.sendAlert(alertInternalError) 327 } 328 if pskSuite.hash != hs.suite.hash { 329 c.sendAlert(alertIllegalParameter) 330 return errors.New("tls: server selected an invalid PSK and cipher suite pair") 331 } 332 333 hs.usingPSK = true 334 c.didResume = true 335 c.peerCertificates = hs.session.serverCertificates 336 c.verifiedChains = hs.session.verifiedChains 337 c.ocspResponse = hs.session.ocspResponse 338 c.scts = hs.session.scts 339 return nil 340} 341 342func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { 343 c := hs.c 344 345 sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data) 346 if sharedKey == nil { 347 c.sendAlert(alertIllegalParameter) 348 return errors.New("tls: invalid server key share") 349 } 350 351 earlySecret := hs.earlySecret 352 if !hs.usingPSK { 353 earlySecret = hs.suite.extract(nil, nil) 354 } 355 handshakeSecret := hs.suite.extract(sharedKey, 356 hs.suite.deriveSecret(earlySecret, "derived", nil)) 357 358 clientSecret := hs.suite.deriveSecret(handshakeSecret, 359 clientHandshakeTrafficLabel, hs.transcript) 360 c.out.setTrafficSecret(hs.suite, clientSecret) 361 serverSecret := hs.suite.deriveSecret(handshakeSecret, 362 serverHandshakeTrafficLabel, hs.transcript) 363 c.in.setTrafficSecret(hs.suite, serverSecret) 364 365 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret) 366 if err != nil { 367 c.sendAlert(alertInternalError) 368 return err 369 } 370 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret) 371 if err != nil { 372 c.sendAlert(alertInternalError) 373 return err 374 } 375 376 hs.masterSecret = hs.suite.extract(nil, 377 hs.suite.deriveSecret(handshakeSecret, "derived", nil)) 378 379 return nil 380} 381 382func (hs *clientHandshakeStateTLS13) readServerParameters() error { 383 c := hs.c 384 385 msg, err := c.readHandshake() 386 if err != nil { 387 return err 388 } 389 390 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 391 if !ok { 392 c.sendAlert(alertUnexpectedMessage) 393 return unexpectedMessageError(encryptedExtensions, msg) 394 } 395 hs.transcript.Write(encryptedExtensions.marshal()) 396 397 if encryptedExtensions.alpnProtocol != "" { 398 if len(hs.hello.alpnProtocols) == 0 { 399 c.sendAlert(alertUnsupportedExtension) 400 return errors.New("tls: server advertised unrequested ALPN extension") 401 } 402 if mutualProtocol([]string{encryptedExtensions.alpnProtocol}, hs.hello.alpnProtocols) == "" { 403 c.sendAlert(alertUnsupportedExtension) 404 return errors.New("tls: server selected unadvertised ALPN protocol") 405 } 406 c.clientProtocol = encryptedExtensions.alpnProtocol 407 } 408 409 return nil 410} 411 412func (hs *clientHandshakeStateTLS13) readServerCertificate() error { 413 c := hs.c 414 415 // Either a PSK or a certificate is always used, but not both. 416 // See RFC 8446, Section 4.1.1. 417 if hs.usingPSK { 418 // Make sure the connection is still being verified whether or not this 419 // is a resumption. Resumptions currently don't reverify certificates so 420 // they don't call verifyServerCertificate. See Issue 31641. 421 if c.config.VerifyConnection != nil { 422 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 423 c.sendAlert(alertBadCertificate) 424 return err 425 } 426 } 427 return nil 428 } 429 430 msg, err := c.readHandshake() 431 if err != nil { 432 return err 433 } 434 435 certReq, ok := msg.(*certificateRequestMsgTLS13) 436 if ok { 437 hs.transcript.Write(certReq.marshal()) 438 439 hs.certReq = certReq 440 441 msg, err = c.readHandshake() 442 if err != nil { 443 return err 444 } 445 } 446 447 certMsg, ok := msg.(*certificateMsgTLS13) 448 if !ok { 449 c.sendAlert(alertUnexpectedMessage) 450 return unexpectedMessageError(certMsg, msg) 451 } 452 if len(certMsg.certificate.Certificate) == 0 { 453 c.sendAlert(alertDecodeError) 454 return errors.New("tls: received empty certificates message") 455 } 456 hs.transcript.Write(certMsg.marshal()) 457 458 c.scts = certMsg.certificate.SignedCertificateTimestamps 459 c.ocspResponse = certMsg.certificate.OCSPStaple 460 461 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil { 462 return err 463 } 464 465 msg, err = c.readHandshake() 466 if err != nil { 467 return err 468 } 469 470 certVerify, ok := msg.(*certificateVerifyMsg) 471 if !ok { 472 c.sendAlert(alertUnexpectedMessage) 473 return unexpectedMessageError(certVerify, msg) 474 } 475 476 // See RFC 8446, Section 4.4.3. 477 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) { 478 c.sendAlert(alertIllegalParameter) 479 return errors.New("tls: certificate used with invalid signature algorithm") 480 } 481 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) 482 if err != nil { 483 return c.sendAlert(alertInternalError) 484 } 485 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 { 486 c.sendAlert(alertIllegalParameter) 487 return errors.New("tls: certificate used with invalid signature algorithm") 488 } 489 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) 490 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey, 491 sigHash, signed, certVerify.signature); err != nil { 492 c.sendAlert(alertDecryptError) 493 return errors.New("tls: invalid signature by the server certificate: " + err.Error()) 494 } 495 496 hs.transcript.Write(certVerify.marshal()) 497 498 return nil 499} 500 501func (hs *clientHandshakeStateTLS13) readServerFinished() error { 502 c := hs.c 503 504 msg, err := c.readHandshake() 505 if err != nil { 506 return err 507 } 508 509 finished, ok := msg.(*finishedMsg) 510 if !ok { 511 c.sendAlert(alertUnexpectedMessage) 512 return unexpectedMessageError(finished, msg) 513 } 514 515 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript) 516 if !hmac.Equal(expectedMAC, finished.verifyData) { 517 c.sendAlert(alertDecryptError) 518 return errors.New("tls: invalid server finished hash") 519 } 520 521 hs.transcript.Write(finished.marshal()) 522 523 // Derive secrets that take context through the server Finished. 524 525 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, 526 clientApplicationTrafficLabel, hs.transcript) 527 serverSecret := hs.suite.deriveSecret(hs.masterSecret, 528 serverApplicationTrafficLabel, hs.transcript) 529 c.in.setTrafficSecret(hs.suite, serverSecret) 530 531 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret) 532 if err != nil { 533 c.sendAlert(alertInternalError) 534 return err 535 } 536 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret) 537 if err != nil { 538 c.sendAlert(alertInternalError) 539 return err 540 } 541 542 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) 543 544 return nil 545} 546 547func (hs *clientHandshakeStateTLS13) sendClientCertificate() error { 548 c := hs.c 549 550 if hs.certReq == nil { 551 return nil 552 } 553 554 cert, err := c.getClientCertificate(&CertificateRequestInfo{ 555 AcceptableCAs: hs.certReq.certificateAuthorities, 556 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms, 557 Version: c.vers, 558 }) 559 if err != nil { 560 return err 561 } 562 563 certMsg := new(certificateMsgTLS13) 564 565 certMsg.certificate = *cert 566 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0 567 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0 568 569 hs.transcript.Write(certMsg.marshal()) 570 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 571 return err 572 } 573 574 // If we sent an empty certificate message, skip the CertificateVerify. 575 if len(cert.Certificate) == 0 { 576 return nil 577 } 578 579 certVerifyMsg := new(certificateVerifyMsg) 580 certVerifyMsg.hasSignatureAlgorithm = true 581 582 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms) 583 if err != nil { 584 // getClientCertificate returned a certificate incompatible with the 585 // CertificateRequestInfo supported signature algorithms. 586 c.sendAlert(alertHandshakeFailure) 587 return err 588 } 589 590 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm) 591 if err != nil { 592 return c.sendAlert(alertInternalError) 593 } 594 595 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript) 596 signOpts := crypto.SignerOpts(sigHash) 597 if sigType == signatureRSAPSS { 598 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} 599 } 600 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) 601 if err != nil { 602 c.sendAlert(alertInternalError) 603 return errors.New("tls: failed to sign handshake: " + err.Error()) 604 } 605 certVerifyMsg.signature = sig 606 607 hs.transcript.Write(certVerifyMsg.marshal()) 608 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { 609 return err 610 } 611 612 return nil 613} 614 615func (hs *clientHandshakeStateTLS13) sendClientFinished() error { 616 c := hs.c 617 618 finished := &finishedMsg{ 619 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), 620 } 621 622 hs.transcript.Write(finished.marshal()) 623 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 624 return err 625 } 626 627 c.out.setTrafficSecret(hs.suite, hs.trafficSecret) 628 629 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil { 630 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret, 631 resumptionLabel, hs.transcript) 632 } 633 634 return nil 635} 636 637func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error { 638 if !c.isClient { 639 c.sendAlert(alertUnexpectedMessage) 640 return errors.New("tls: received new session ticket from a client") 641 } 642 643 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { 644 return nil 645 } 646 647 // See RFC 8446, Section 4.6.1. 648 if msg.lifetime == 0 { 649 return nil 650 } 651 lifetime := time.Duration(msg.lifetime) * time.Second 652 if lifetime > maxSessionTicketLifetime { 653 c.sendAlert(alertIllegalParameter) 654 return errors.New("tls: received a session ticket with invalid lifetime") 655 } 656 657 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite) 658 if cipherSuite == nil || c.resumptionSecret == nil { 659 return c.sendAlert(alertInternalError) 660 } 661 662 // Save the resumption_master_secret and nonce instead of deriving the PSK 663 // to do the least amount of work on NewSessionTicket messages before we 664 // know if the ticket will be used. Forward secrecy of resumed connections 665 // is guaranteed by the requirement for pskModeDHE. 666 session := &ClientSessionState{ 667 sessionTicket: msg.label, 668 vers: c.vers, 669 cipherSuite: c.cipherSuite, 670 masterSecret: c.resumptionSecret, 671 serverCertificates: c.peerCertificates, 672 verifiedChains: c.verifiedChains, 673 receivedAt: c.config.time(), 674 nonce: msg.nonce, 675 useBy: c.config.time().Add(lifetime), 676 ageAdd: msg.ageAdd, 677 ocspResponse: c.ocspResponse, 678 scts: c.scts, 679 } 680 681 cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 682 c.config.ClientSessionCache.Put(cacheKey, session) 683 684 return nil 685} 686