crypto/tls: add SessionState and use it on the server side

This change by itself is useless, because the application has no way to access or provide SessionStates to crypto/tls, but they will be provided in following CLs. For #60105 Change-Id: I8d5de79b1eda0a778420134cf6f346246a1bb296 Reviewed-on: https://go-review.googlesource.com/c/go/+/496818 Reviewed-by: Marten Seemann <martenseemann@gmail.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Matthew Dempsky <mdempsky@google.com> Run-TryBot: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2023-05-20 17:49:21 +02:00 · 2023-05-20 17:49:21 +02:00 · b838c1c320
commit b838c1c320
parent 65b9e15fc2
33 changed files with 2250 additions and 2302 deletions
--- a/handshake_server_tls13.go
+++ b/handshake_server_tls13.go
@ -279,8 +279,8 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 		if plaintext == nil {
 			continue
 		}
-		sessionState := new(sessionStateTLS13)
-		if ok := sessionState.unmarshal(plaintext); !ok {
+		sessionState, err := ParseSessionState(plaintext)
+		if err != nil || sessionState.version != VersionTLS13 {
 			continue
 		}

@ -310,9 +310,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 			continue
 		}

-		psk := hs.suite.expandLabel(sessionState.resumptionSecret, "resumption",
-			nil, hs.suite.hash.Size())
-		hs.earlySecret = hs.suite.extract(psk, nil)
+		hs.earlySecret = hs.suite.extract(sessionState.secret, nil)
 		binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil)
 		// Clone the transcript in case a HelloRetryRequest was recorded.
 		transcript := cloneHash(hs.transcript, hs.suite.hash)
@ -771,6 +769,10 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {

 	resumptionSecret := hs.suite.deriveSecret(hs.masterSecret,
 		resumptionLabel, hs.transcript)
+	// ticket_nonce, which must be unique per connection, is always left at
+	// zero because we only ever send one ticket per connection.
+	psk := hs.suite.expandLabel(resumptionSecret, "resumption",
+		nil, hs.suite.hash.Size())

 	m := new(newSessionTicketMsgTLS13)

@ -778,17 +780,18 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
 	for _, cert := range c.peerCertificates {
 		certsFromClient = append(certsFromClient, cert.Raw)
 	}
-	state := sessionStateTLS13{
-		cipherSuite:      hs.suite.id,
-		createdAt:        uint64(c.config.time().Unix()),
-		resumptionSecret: resumptionSecret,
+	state := &SessionState{
+		version:     c.vers,
+		cipherSuite: hs.suite.id,
+		createdAt:   uint64(c.config.time().Unix()),
+		secret:      psk,
 		certificate: Certificate{
 			Certificate:                 certsFromClient,
 			OCSPStaple:                  c.ocspResponse,
 			SignedCertificateTimestamps: c.scts,
 		},
 	}
-	stateBytes, err := state.marshal()
+	stateBytes, err := state.Bytes()
 	if err != nil {
 		c.sendAlert(alertInternalError)
 		return err
@ -809,9 +812,6 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {
 	}
 	m.ageAdd = binary.LittleEndian.Uint32(ageAdd)

-	// ticket_nonce, which must be unique per connection, is always left at
-	// zero because we only ever send one ticket per connection.
-
 	if _, err := c.writeHandshakeRecord(m, nil); err != nil {
 		return err
 	}