ecSignOk bool
rsaDecryptOk bool
rsaSignOk bool
- sessionState *sessionState
+ sessionState *SessionState
finishedHash finishedHash
masterSecret []byte
cert *Certificate
if plaintext == nil {
return false
}
- hs.sessionState = &sessionState{}
- ok := hs.sessionState.unmarshal(plaintext)
- if !ok {
+ ss, err := ParseSessionState(plaintext)
+ if err != nil {
return false
}
+ hs.sessionState = ss
// TLS 1.2 tickets don't natively have a lifetime, but we want to avoid
// re-wrapping the same master secret in different tickets over and over for
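Review bot: The `err` from `ParseSessionState` is discarded at the new `if err != nil` check without a comment, so a reader cannot tell that quietly declining resumption is the intended response to a ticket whose plaintext was recovered but did not parse. I would add `// An unparseable ticket is not a handshake error: decline resumption and fall back to a full handshake.` above the `return false`. Assigning `hs.sessionState` only after the parse succeeds is worth keeping, because the removed code left a partly filled `sessionState` on `hs` when `unmarshal` failed. The enclosing function starts and ends outside the hunk.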
}
// Never resume a session for a different TLS version.
- if c.vers != hs.sessionState.vers {
+ if c.vers != hs.sessionState.version {
return false
}
return false
}
- sessionHasClientCerts := len(hs.sessionState.certificates) != 0
+ sessionHasClientCerts := len(hs.sessionState.certificate.Certificate) != 0
needClientCerts := requiresClientCert(c.config.ClientAuth)
if needClientCerts && !sessionHasClientCerts {
return false
return err
}
- if err := c.processCertsFromClient(Certificate{
- Certificate: hs.sessionState.certificates,
- }); err != nil {
+ if err := c.processCertsFromClient(hs.sessionState.certificate); err != nil {
return err
}
}
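Review bot: `c.processCertsFromClient(hs.sessionState.certificate)` now hands over whatever `OCSPStaple` and `SignedCertificateTimestamps` were stored in the ticket, and nothing visible here says how old those values may be or whether they are checked again on resumption. The ticket-building hunk further down copies them from `c.ocspResponse` and `c.scts` when the ticket is issued, so a resumed connection would presumably carry the revocation data of the original handshake; what `processCertsFromClient` does with them is outside this diff. I would document that at the call, e.g. `// The staple and SCTs date from the original handshake and are not refreshed on resumption; do not treat them as current.`, or keep passing only the chain if restoring them is not intended. The enclosing function starts outside the hunk.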
}
- hs.masterSecret = hs.sessionState.masterSecret
+ hs.masterSecret = hs.sessionState.secret
return nil
}
for _, cert := range c.peerCertificates {
certsFromClient = append(certsFromClient, cert.Raw)
}
- state := sessionState{
- vers: c.vers,
- cipherSuite: hs.suite.id,
- createdAt: createdAt,
- masterSecret: hs.masterSecret,
- certificates: certsFromClient,
- }
- stateBytes, err := state.marshal()
+ state := SessionState{
+ version: c.vers,
+ cipherSuite: hs.suite.id,
+ createdAt: createdAt,
+ secret: hs.masterSecret,
+ certificate: Certificate{
+ Certificate: certsFromClient,
+ OCSPStaple: c.ocspResponse,
+ SignedCertificateTimestamps: c.scts,
+ },
+ }
+ stateBytes, err := state.Bytes()
if err != nil {
return err
}