crypto/tls: reject change_cipher_spec record after handshake in TLS 1.3

[RPRX]

This change fixes a non-urgent security issue in Golang's implementation of TLS 1.3.

Currently, when using Go crypto/tls, the middleman is able to insert garbage change_cipher_spec records between application_data records without breaking the TLS 1.3 connection. To test it, for example, insert the following code in func writeRecordLocked():

	if typ == recordTypeApplicationData && c.vers == VersionTLS13 {
		c.write([]byte{20, 3, 3, 0, 1, 1})
	}

If the peer is Go crypto/tls, it will ignore these bytes and increase c.retryCount, instead of sending an alert immediately.
With maxUselessRecords = 16, this bug can be used to detect whether an application_data record is empty or not.

---

In Golang's existing comment:

go/src/crypto/tls/conn.go

Lines 726 to 727 in 84609d8

	// In TLS 1.3, change_cipher_spec records are ignored until the
	// Finished. See RFC 8446, Appendix D.4. Note that according to Section

In RFC 8446, Appendix D.4:

Either side can send change_cipher_spec at any time during the handshake

In OpenSSL:

https://github.com/openssl/openssl/blob/ac57336cd258e0432ffa485615d11c7c7ecfe81a/ssl/record/methods/tls_common.c#L728

In BoringSSL:

https://github.com/google/boringssl/blob/082e953a134ad423a00b8859f9daf5708e729260/ssl/tls_record.cc#L257

[gopherbot]

This PR (HEAD: 16688ac) has been imported to Gerrit for code review.

Please visit https://go-review.googlesource.com/c/go/+/473936 to see it.

Tip: You can toggle comments from me using the comments slash command (e.g. /comments off)
See the Wiki page for more info

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

Congratulations on opening your first change. Thank you for your contribution!

Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.

Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.

During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://go.dev/s/release
for more details.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/473936.
After addressing review feedback, remember to publish your drafts!