crypto/tls: use SessionState on the client side

Another internal change, that allows exposing the new APIs easily in following CLs. For #60105 Change-Id: I9c61b9f6e9d29af633f952444f514bcbbe82fe4e Reviewed-on: https://go-review.googlesource.com/c/go/+/496819 Reviewed-by: Matthew Dempsky <mdempsky@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Damien Neil <dneil@google.com> Run-TryBot: Filippo Valsorda <filippo@golang.org>
2025-04-03 20:17:36 +03:00 · 2023-05-21 21:17:56 +02:00 · 2023-05-21 21:17:56 +02:00 · e911b27e23
commit e911b27e23
parent b838c1c320
9 changed files with 350 additions and 168 deletions
--- a/handshake_server_tls13.go
+++ b/handshake_server_tls13.go
@ -301,7 +301,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 		// PSK connections don't re-establish client certificates, but carry
 		// them over in the session ticket. Ensure the presence of client certs
 		// in the ticket is consistent with the configured requirements.
-		sessionHasClientCerts := len(sessionState.certificate.Certificate) != 0
+		sessionHasClientCerts := len(sessionState.peerCertificates) != 0
 		needClientCerts := requiresClientCert(c.config.ClientAuth)
 		if needClientCerts && !sessionHasClientCerts {
 			continue
@ -331,7 +331,7 @@ func (hs *serverHandshakeStateTLS13) checkForResumption() error {
 		}

 		c.didResume = true
-		if err := c.processCertsFromClient(sessionState.certificate); err != nil {
+		if err := c.processCertsFromClient(sessionState.certificate()); err != nil {
 			return err
 		}

@ -776,21 +776,11 @@ func (hs *serverHandshakeStateTLS13) sendSessionTickets() error {

 	m := new(newSessionTicketMsgTLS13)

-	var certsFromClient [][]byte
-	for _, cert := range c.peerCertificates {
-		certsFromClient = append(certsFromClient, cert.Raw)
-	}
-	state := &SessionState{
-		version:     c.vers,
-		cipherSuite: hs.suite.id,
-		createdAt:   uint64(c.config.time().Unix()),
-		secret:      psk,
-		certificate: Certificate{
-			Certificate:                 certsFromClient,
-			OCSPStaple:                  c.ocspResponse,
-			SignedCertificateTimestamps: c.scts,
-		},
+	state, err := c.sessionState()
+	if err != nil {
+		return err
 	}
+	state.secret = psk
 	stateBytes, err := state.Bytes()
 	if err != nil {
 		c.sendAlert(alertInternalError)