crypto/tls: fix PSK binder calculation

[tsaarni]

When server and client have mismatch in curve preference, the server will
send HelloRetryRequest during TLSv1.3 PSK resumption. There was a bug
introduced by Go1.19.6 or later and Go1.20.1 or later, that makes the client
calculate the PSK binder hash incorrectly. Server will reject the TLS
handshake by sending alert: invalid PSK binder.

Fixes #59424

[gopherbot]

This PR (HEAD: ccf1b7e) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/481955 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://go.dev/s/release
for more details.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[tsaarni]

The bug that this PR attempts to fix is on the TLSv1.3 client handshake code. Only TLSv1.3 clients are impacted. Servers are not impacted. TLSv1.2 implementation is not impacted.

The bug was introduced by #58001

The bug impacts TLS clients compiled with with Go1.19.6 or later or Go1.20.1 or later.

For the client to be impacted, client must have explicitly enabled TLS resumption by setting e.g.
ClientSessionCache: tls.NewLRUClientSessionCache(num)
in client's tls.Config structure. Client also needs to hold the SSL context and re-use it for multiple requests to triggers resumption

The bug happens in PSK resumption when client and server having incompatible preferred EC curve. For example, it can happen when the server has set

CurvePreferences: []tls.CurveID{tls.CurveP521, tls.CurveP384, tls.CurveP256}

but client uses the Go default list: client will send ClientHello with x25519. Since server preferences does not include x25519, server will respond with HelloRetryRequest and set secp512r1 from CurvePreferences according to chapter "2.1. Incorrect DHE Share" https://www.rfc-editor.org/rfc/rfc8446#page-14.

The reception of HelloRetryRequest response from the server will trigger the bug in client when above conditions are true. There is a typo in processHelloRetryRequest() which causes ClientHello message to be sent to server with invalid PSK binders hash.

When server will process the new ClientHello with invalid PSK binders field, it will abort the handshake with "invalid PSK binder" alert.

[gopherbot]

Message from Roland Shoemaker:

Patch Set 1: Code-Review+2 Run-TryBot+1

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 1: TryBot-Result+1

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Tero Saarni:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Roland Shoemaker:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 1aad9bc) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/481955 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

[gopherbot]

Message from Tero Saarni:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Roland Shoemaker:

Patch Set 2: Auto-Submit+1 Code-Review+2 Run-TryBot+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 2: TryBot-Result+1

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/481955.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Dmitri Shuralyov:

Patch Set 1: Run-TryBot+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/488055.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/488075.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Dmitri Shuralyov:

Patch Set 1: Code-Review+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/488075.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/488075.
After addressing review feedback, remember to publish your drafts!

[dmitshur]

Merged as CL 481955 (commit 2c70690).

[gopherbot]

Message from Gopher Robot:

Patch Set 1: TryBot-Result-1

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/488075.
After addressing review feedback, remember to publish your drafts!