1// Copyright 2018 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package tls 6 7import ( 8 "bytes" 9 "context" 10 "crypto" 11 "crypto/hmac" 12 "crypto/rsa" 13 "errors" 14 "hash" 15 "sync/atomic" 16 "time" 17) 18 19type clientHandshakeStateTLS13 struct { 20 c *Conn 21 ctx context.Context 22 serverHello *serverHelloMsg 23 hello *clientHelloMsg 24 ecdheParams ecdheParameters 25 26 session *ClientSessionState 27 earlySecret []byte 28 binderKey []byte 29 30 certReq *certificateRequestMsgTLS13 31 usingPSK bool 32 sentDummyCCS bool 33 suite *cipherSuiteTLS13 34 transcript hash.Hash 35 masterSecret []byte 36 trafficSecret []byte // client_application_traffic_secret_0 37} 38 39// handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and, 40// optionally, hs.session, hs.earlySecret and hs.binderKey to be set. 41func (hs *clientHandshakeStateTLS13) handshake() error { 42 c := hs.c 43 44 // The server must not select TLS 1.3 in a renegotiation. See RFC 8446, 45 // sections 4.1.2 and 4.1.3. 46 if c.handshakes > 0 { 47 c.sendAlert(alertProtocolVersion) 48 return errors.New("tls: server selected TLS 1.3 in a renegotiation") 49 } 50 51 // Consistency check on the presence of a keyShare and its parameters. 52 if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 { 53 return c.sendAlert(alertInternalError) 54 } 55 56 if err := hs.checkServerHelloOrHRR(); err != nil { 57 return err 58 } 59 60 hs.transcript = hs.suite.hash.New() 61 hs.transcript.Write(hs.hello.marshal()) 62 63 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { 64 if err := hs.sendDummyChangeCipherSpec(); err != nil { 65 return err 66 } 67 if err := hs.processHelloRetryRequest(); err != nil { 68 return err 69 } 70 } 71 72 hs.transcript.Write(hs.serverHello.marshal()) 73 74 c.buffering = true 75 if err := hs.processServerHello(); err != nil { 76 return err 77 } 78 if err := hs.sendDummyChangeCipherSpec(); err != nil { 79 return err 80 } 81 if err := hs.establishHandshakeKeys(); err != nil { 82 return err 83 } 84 if err := hs.readServerParameters(); err != nil { 85 return err 86 } 87 if err := hs.readServerCertificate(); err != nil { 88 return err 89 } 90 if err := hs.readServerFinished(); err != nil { 91 return err 92 } 93 if err := hs.sendClientCertificate(); err != nil { 94 return err 95 } 96 if err := hs.sendClientFinished(); err != nil { 97 return err 98 } 99 if _, err := c.flush(); err != nil { 100 return err 101 } 102 103 atomic.StoreUint32(&c.handshakeStatus, 1) 104 105 return nil 106} 107 108// checkServerHelloOrHRR does validity checks that apply to both ServerHello and 109// HelloRetryRequest messages. It sets hs.suite. 110func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error { 111 c := hs.c 112 113 if hs.serverHello.supportedVersion == 0 { 114 c.sendAlert(alertMissingExtension) 115 return errors.New("tls: server selected TLS 1.3 using the legacy version field") 116 } 117 118 if hs.serverHello.supportedVersion != VersionTLS13 { 119 c.sendAlert(alertIllegalParameter) 120 return errors.New("tls: server selected an invalid version after a HelloRetryRequest") 121 } 122 123 if hs.serverHello.vers != VersionTLS12 { 124 c.sendAlert(alertIllegalParameter) 125 return errors.New("tls: server sent an incorrect legacy version") 126 } 127 128 if hs.serverHello.ocspStapling || 129 hs.serverHello.ticketSupported || 130 hs.serverHello.secureRenegotiationSupported || 131 len(hs.serverHello.secureRenegotiation) != 0 || 132 len(hs.serverHello.alpnProtocol) != 0 || 133 len(hs.serverHello.scts) != 0 { 134 c.sendAlert(alertUnsupportedExtension) 135 return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3") 136 } 137 138 if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { 139 c.sendAlert(alertIllegalParameter) 140 return errors.New("tls: server did not echo the legacy session ID") 141 } 142 143 if hs.serverHello.compressionMethod != compressionNone { 144 c.sendAlert(alertIllegalParameter) 145 return errors.New("tls: server selected unsupported compression format") 146 } 147 148 selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite) 149 if hs.suite != nil && selectedSuite != hs.suite { 150 c.sendAlert(alertIllegalParameter) 151 return errors.New("tls: server changed cipher suite after a HelloRetryRequest") 152 } 153 if selectedSuite == nil { 154 c.sendAlert(alertIllegalParameter) 155 return errors.New("tls: server chose an unconfigured cipher suite") 156 } 157 hs.suite = selectedSuite 158 c.cipherSuite = hs.suite.id 159 160 return nil 161} 162 163// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility 164// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4. 165func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error { 166 if hs.sentDummyCCS { 167 return nil 168 } 169 hs.sentDummyCCS = true 170 171 _, err := hs.c.writeRecord(recordTypeChangeCipherSpec, []byte{1}) 172 return err 173} 174 175// processHelloRetryRequest handles the HRR in hs.serverHello, modifies and 176// resends hs.hello, and reads the new ServerHello into hs.serverHello. 177func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { 178 c := hs.c 179 180 // The first ClientHello gets double-hashed into the transcript upon a 181 // HelloRetryRequest. (The idea is that the server might offload transcript 182 // storage to the client in the cookie.) See RFC 8446, Section 4.4.1. 183 chHash := hs.transcript.Sum(nil) 184 hs.transcript.Reset() 185 hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 186 hs.transcript.Write(chHash) 187 hs.transcript.Write(hs.serverHello.marshal()) 188 189 // The only HelloRetryRequest extensions we support are key_share and 190 // cookie, and clients must abort the handshake if the HRR would not result 191 // in any change in the ClientHello. 192 if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil { 193 c.sendAlert(alertIllegalParameter) 194 return errors.New("tls: server sent an unnecessary HelloRetryRequest message") 195 } 196 197 if hs.serverHello.cookie != nil { 198 hs.hello.cookie = hs.serverHello.cookie 199 } 200 201 if hs.serverHello.serverShare.group != 0 { 202 c.sendAlert(alertDecodeError) 203 return errors.New("tls: received malformed key_share extension") 204 } 205 206 // If the server sent a key_share extension selecting a group, ensure it's 207 // a group we advertised but did not send a key share for, and send a key 208 // share for it this time. 209 if curveID := hs.serverHello.selectedGroup; curveID != 0 { 210 curveOK := false 211 for _, id := range hs.hello.supportedCurves { 212 if id == curveID { 213 curveOK = true 214 break 215 } 216 } 217 if !curveOK { 218 c.sendAlert(alertIllegalParameter) 219 return errors.New("tls: server selected unsupported group") 220 } 221 if hs.ecdheParams.CurveID() == curveID { 222 c.sendAlert(alertIllegalParameter) 223 return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share") 224 } 225 if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { 226 c.sendAlert(alertInternalError) 227 return errors.New("tls: CurvePreferences includes unsupported curve") 228 } 229 params, err := generateECDHEParameters(c.config.rand(), curveID) 230 if err != nil { 231 c.sendAlert(alertInternalError) 232 return err 233 } 234 hs.ecdheParams = params 235 hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} 236 } 237 238 hs.hello.raw = nil 239 if len(hs.hello.pskIdentities) > 0 { 240 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) 241 if pskSuite == nil { 242 return c.sendAlert(alertInternalError) 243 } 244 if pskSuite.hash == hs.suite.hash { 245 // Update binders and obfuscated_ticket_age. 246 ticketAge := uint32(c.config.time().Sub(hs.session.receivedAt) / time.Millisecond) 247 hs.hello.pskIdentities[0].obfuscatedTicketAge = ticketAge + hs.session.ageAdd 248 249 transcript := hs.suite.hash.New() 250 transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) 251 transcript.Write(chHash) 252 transcript.Write(hs.serverHello.marshal()) 253 transcript.Write(hs.hello.marshalWithoutBinders()) 254 pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)} 255 hs.hello.updateBinders(pskBinders) 256 } else { 257 // Server selected a cipher suite incompatible with the PSK. 258 hs.hello.pskIdentities = nil 259 hs.hello.pskBinders = nil 260 } 261 } 262 263 hs.transcript.Write(hs.hello.marshal()) 264 if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { 265 return err 266 } 267 268 msg, err := c.readHandshake() 269 if err != nil { 270 return err 271 } 272 273 serverHello, ok := msg.(*serverHelloMsg) 274 if !ok { 275 c.sendAlert(alertUnexpectedMessage) 276 return unexpectedMessageError(serverHello, msg) 277 } 278 hs.serverHello = serverHello 279 280 if err := hs.checkServerHelloOrHRR(); err != nil { 281 return err 282 } 283 284 return nil 285} 286 287func (hs *clientHandshakeStateTLS13) processServerHello() error { 288 c := hs.c 289 290 if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { 291 c.sendAlert(alertUnexpectedMessage) 292 return errors.New("tls: server sent two HelloRetryRequest messages") 293 } 294 295 if len(hs.serverHello.cookie) != 0 { 296 c.sendAlert(alertUnsupportedExtension) 297 return errors.New("tls: server sent a cookie in a normal ServerHello") 298 } 299 300 if hs.serverHello.selectedGroup != 0 { 301 c.sendAlert(alertDecodeError) 302 return errors.New("tls: malformed key_share extension") 303 } 304 305 if hs.serverHello.serverShare.group == 0 { 306 c.sendAlert(alertIllegalParameter) 307 return errors.New("tls: server did not send a key share") 308 } 309 if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() { 310 c.sendAlert(alertIllegalParameter) 311 return errors.New("tls: server selected unsupported group") 312 } 313 314 if !hs.serverHello.selectedIdentityPresent { 315 return nil 316 } 317 318 if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) { 319 c.sendAlert(alertIllegalParameter) 320 return errors.New("tls: server selected an invalid PSK") 321 } 322 323 if len(hs.hello.pskIdentities) != 1 || hs.session == nil { 324 return c.sendAlert(alertInternalError) 325 } 326 pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) 327 if pskSuite == nil { 328 return c.sendAlert(alertInternalError) 329 } 330 if pskSuite.hash != hs.suite.hash { 331 c.sendAlert(alertIllegalParameter) 332 return errors.New("tls: server selected an invalid PSK and cipher suite pair") 333 } 334 335 hs.usingPSK = true 336 c.didResume = true 337 c.peerCertificates = hs.session.serverCertificates 338 c.verifiedChains = hs.session.verifiedChains 339 c.ocspResponse = hs.session.ocspResponse 340 c.scts = hs.session.scts 341 return nil 342} 343 344func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { 345 c := hs.c 346 347 sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data) 348 if sharedKey == nil { 349 c.sendAlert(alertIllegalParameter) 350 return errors.New("tls: invalid server key share") 351 } 352 353 earlySecret := hs.earlySecret 354 if !hs.usingPSK { 355 earlySecret = hs.suite.extract(nil, nil) 356 } 357 handshakeSecret := hs.suite.extract(sharedKey, 358 hs.suite.deriveSecret(earlySecret, "derived", nil)) 359 360 clientSecret := hs.suite.deriveSecret(handshakeSecret, 361 clientHandshakeTrafficLabel, hs.transcript) 362 c.out.setTrafficSecret(hs.suite, clientSecret) 363 serverSecret := hs.suite.deriveSecret(handshakeSecret, 364 serverHandshakeTrafficLabel, hs.transcript) 365 c.in.setTrafficSecret(hs.suite, serverSecret) 366 367 err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret) 368 if err != nil { 369 c.sendAlert(alertInternalError) 370 return err 371 } 372 err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret) 373 if err != nil { 374 c.sendAlert(alertInternalError) 375 return err 376 } 377 378 hs.masterSecret = hs.suite.extract(nil, 379 hs.suite.deriveSecret(handshakeSecret, "derived", nil)) 380 381 return nil 382} 383 384func (hs *clientHandshakeStateTLS13) readServerParameters() error { 385 c := hs.c 386 387 msg, err := c.readHandshake() 388 if err != nil { 389 return err 390 } 391 392 encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) 393 if !ok { 394 c.sendAlert(alertUnexpectedMessage) 395 return unexpectedMessageError(encryptedExtensions, msg) 396 } 397 hs.transcript.Write(encryptedExtensions.marshal()) 398 399 if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol); err != nil { 400 c.sendAlert(alertUnsupportedExtension) 401 return err 402 } 403 c.clientProtocol = encryptedExtensions.alpnProtocol 404 405 return nil 406} 407 408func (hs *clientHandshakeStateTLS13) readServerCertificate() error { 409 c := hs.c 410 411 // Either a PSK or a certificate is always used, but not both. 412 // See RFC 8446, Section 4.1.1. 413 if hs.usingPSK { 414 // Make sure the connection is still being verified whether or not this 415 // is a resumption. Resumptions currently don't reverify certificates so 416 // they don't call verifyServerCertificate. See Issue 31641. 417 if c.config.VerifyConnection != nil { 418 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 419 c.sendAlert(alertBadCertificate) 420 return err 421 } 422 } 423 return nil 424 } 425 426 msg, err := c.readHandshake() 427 if err != nil { 428 return err 429 } 430 431 certReq, ok := msg.(*certificateRequestMsgTLS13) 432 if ok { 433 hs.transcript.Write(certReq.marshal()) 434 435 hs.certReq = certReq 436 437 msg, err = c.readHandshake() 438 if err != nil { 439 return err 440 } 441 } 442 443 certMsg, ok := msg.(*certificateMsgTLS13) 444 if !ok { 445 c.sendAlert(alertUnexpectedMessage) 446 return unexpectedMessageError(certMsg, msg) 447 } 448 if len(certMsg.certificate.Certificate) == 0 { 449 c.sendAlert(alertDecodeError) 450 return errors.New("tls: received empty certificates message") 451 } 452 hs.transcript.Write(certMsg.marshal()) 453 454 c.scts = certMsg.certificate.SignedCertificateTimestamps 455 c.ocspResponse = certMsg.certificate.OCSPStaple 456 457 if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil { 458 return err 459 } 460 461 msg, err = c.readHandshake() 462 if err != nil { 463 return err 464 } 465 466 certVerify, ok := msg.(*certificateVerifyMsg) 467 if !ok { 468 c.sendAlert(alertUnexpectedMessage) 469 return unexpectedMessageError(certVerify, msg) 470 } 471 472 // See RFC 8446, Section 4.4.3. 473 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms) { 474 c.sendAlert(alertIllegalParameter) 475 return errors.New("tls: certificate used with invalid signature algorithm") 476 } 477 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) 478 if err != nil { 479 return c.sendAlert(alertInternalError) 480 } 481 if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 { 482 c.sendAlert(alertIllegalParameter) 483 return errors.New("tls: certificate used with invalid signature algorithm") 484 } 485 signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) 486 if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey, 487 sigHash, signed, certVerify.signature); err != nil { 488 c.sendAlert(alertDecryptError) 489 return errors.New("tls: invalid signature by the server certificate: " + err.Error()) 490 } 491 492 hs.transcript.Write(certVerify.marshal()) 493 494 return nil 495} 496 497func (hs *clientHandshakeStateTLS13) readServerFinished() error { 498 c := hs.c 499 500 msg, err := c.readHandshake() 501 if err != nil { 502 return err 503 } 504 505 finished, ok := msg.(*finishedMsg) 506 if !ok { 507 c.sendAlert(alertUnexpectedMessage) 508 return unexpectedMessageError(finished, msg) 509 } 510 511 expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript) 512 if !hmac.Equal(expectedMAC, finished.verifyData) { 513 c.sendAlert(alertDecryptError) 514 return errors.New("tls: invalid server finished hash") 515 } 516 517 hs.transcript.Write(finished.marshal()) 518 519 // Derive secrets that take context through the server Finished. 520 521 hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, 522 clientApplicationTrafficLabel, hs.transcript) 523 serverSecret := hs.suite.deriveSecret(hs.masterSecret, 524 serverApplicationTrafficLabel, hs.transcript) 525 c.in.setTrafficSecret(hs.suite, serverSecret) 526 527 err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret) 528 if err != nil { 529 c.sendAlert(alertInternalError) 530 return err 531 } 532 err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret) 533 if err != nil { 534 c.sendAlert(alertInternalError) 535 return err 536 } 537 538 c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) 539 540 return nil 541} 542 543func (hs *clientHandshakeStateTLS13) sendClientCertificate() error { 544 c := hs.c 545 546 if hs.certReq == nil { 547 return nil 548 } 549 550 cert, err := c.getClientCertificate(&CertificateRequestInfo{ 551 AcceptableCAs: hs.certReq.certificateAuthorities, 552 SignatureSchemes: hs.certReq.supportedSignatureAlgorithms, 553 Version: c.vers, 554 ctx: hs.ctx, 555 }) 556 if err != nil { 557 return err 558 } 559 560 certMsg := new(certificateMsgTLS13) 561 562 certMsg.certificate = *cert 563 certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0 564 certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0 565 566 hs.transcript.Write(certMsg.marshal()) 567 if _, err := c.writeRecord(recordTypeHandshake, certMsg.marshal()); err != nil { 568 return err 569 } 570 571 // If we sent an empty certificate message, skip the CertificateVerify. 572 if len(cert.Certificate) == 0 { 573 return nil 574 } 575 576 certVerifyMsg := new(certificateVerifyMsg) 577 certVerifyMsg.hasSignatureAlgorithm = true 578 579 certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms) 580 if err != nil { 581 // getClientCertificate returned a certificate incompatible with the 582 // CertificateRequestInfo supported signature algorithms. 583 c.sendAlert(alertHandshakeFailure) 584 return err 585 } 586 587 sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm) 588 if err != nil { 589 return c.sendAlert(alertInternalError) 590 } 591 592 signed := signedMessage(sigHash, clientSignatureContext, hs.transcript) 593 signOpts := crypto.SignerOpts(sigHash) 594 if sigType == signatureRSAPSS { 595 signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} 596 } 597 sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) 598 if err != nil { 599 c.sendAlert(alertInternalError) 600 return errors.New("tls: failed to sign handshake: " + err.Error()) 601 } 602 certVerifyMsg.signature = sig 603 604 hs.transcript.Write(certVerifyMsg.marshal()) 605 if _, err := c.writeRecord(recordTypeHandshake, certVerifyMsg.marshal()); err != nil { 606 return err 607 } 608 609 return nil 610} 611 612func (hs *clientHandshakeStateTLS13) sendClientFinished() error { 613 c := hs.c 614 615 finished := &finishedMsg{ 616 verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), 617 } 618 619 hs.transcript.Write(finished.marshal()) 620 if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { 621 return err 622 } 623 624 c.out.setTrafficSecret(hs.suite, hs.trafficSecret) 625 626 if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil { 627 c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret, 628 resumptionLabel, hs.transcript) 629 } 630 631 return nil 632} 633 634func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error { 635 if !c.isClient { 636 c.sendAlert(alertUnexpectedMessage) 637 return errors.New("tls: received new session ticket from a client") 638 } 639 640 if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { 641 return nil 642 } 643 644 // See RFC 8446, Section 4.6.1. 645 if msg.lifetime == 0 { 646 return nil 647 } 648 lifetime := time.Duration(msg.lifetime) * time.Second 649 if lifetime > maxSessionTicketLifetime { 650 c.sendAlert(alertIllegalParameter) 651 return errors.New("tls: received a session ticket with invalid lifetime") 652 } 653 654 cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite) 655 if cipherSuite == nil || c.resumptionSecret == nil { 656 return c.sendAlert(alertInternalError) 657 } 658 659 // Save the resumption_master_secret and nonce instead of deriving the PSK 660 // to do the least amount of work on NewSessionTicket messages before we 661 // know if the ticket will be used. Forward secrecy of resumed connections 662 // is guaranteed by the requirement for pskModeDHE. 663 session := &ClientSessionState{ 664 sessionTicket: msg.label, 665 vers: c.vers, 666 cipherSuite: c.cipherSuite, 667 masterSecret: c.resumptionSecret, 668 serverCertificates: c.peerCertificates, 669 verifiedChains: c.verifiedChains, 670 receivedAt: c.config.time(), 671 nonce: msg.nonce, 672 useBy: c.config.time().Add(lifetime), 673 ageAdd: msg.ageAdd, 674 ocspResponse: c.ocspResponse, 675 scts: c.scts, 676 } 677 678 cacheKey := clientSessionCacheKey(c.conn.RemoteAddr(), c.config) 679 c.config.ClientSessionCache.Put(cacheKey, session) 680 681 return nil 682} 683