crypto/tls: add ConnectionState.Unique0RTTToken

13.go

@@ -513,6 +513,7 @@ func (hs *serverHandshakeState) checkPSK() (earlySecret []byte, alert alert) {
 				return nil, alertIllegalParameter
 			}
 			if hs.c.config.Accept0RTTData {
+				hs.c.binder = expectedBinder
 				hs.c.ticketMaxEarlyData = int64(s.maxEarlyDataLen)
 				hs.hello13Enc.earlyData = true
 			}

common.go

@@ -218,6 +218,11 @@ type ConnectionState struct {
 	// (past and future) is guaranteed not to be replayed.
 	HandshakeConfirmed bool
 
+	// Unique0RTTToken is a value that never repeats, and can be used
+	// to detect replay attacks against 0-RTT connections.
+	// Unique0RTTToken is only present if HandshakeConfirmed is false.
+	Unique0RTTToken []byte
+
 	ClientHello []byte // ClientHello packet
 }
 

conn.go

@@ -116,6 +116,10 @@ type Conn struct {
 	// to ever buffer it. in.Mutex.
 	earlyDataBytes int64
 
+	// binder is the value of the PSK binder that was validated to
+	// accept the 0-RTT data. Exposed as ConnectionState.Unique0RTTToken.
+	binder []byte
+
 	tmp [16]byte
 }
 
@@ -1591,6 +1595,9 @@ func (c *Conn) ConnectionState() ConnectionState {
 		state.SignedCertificateTimestamps = c.scts
 		state.OCSPResponse = c.ocspResponse
 		state.HandshakeConfirmed = atomic.LoadInt32(&c.handshakeConfirmed) == 1
+		if !state.HandshakeConfirmed {
+			state.Unique0RTTToken = c.binder
+		}
 		if !c.didResume {
 			if c.clientFinishedIsFirst {
 				state.TLSUnique = c.clientFinished[:]