(hello *clientHelloMsg)
| 386 | } |
| 387 | |
| 388 | func (c *Conn) loadSession(hello *clientHelloMsg) ( |
| 389 | session *SessionState, earlySecret *tls13.EarlySecret, binderKey []byte, err error) { |
| 390 | if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { |
| 391 | return nil, nil, nil, nil |
| 392 | } |
| 393 | |
| 394 | echInner := bytes.Equal(hello.encryptedClientHello, []byte{1}) |
| 395 | |
| 396 | // ticketSupported is a TLS 1.2 extension (as TLS 1.3 replaced tickets with PSK |
| 397 | // identities) and ECH requires and forces TLS 1.3. |
| 398 | hello.ticketSupported = true && !echInner |
| 399 | |
| 400 | if hello.supportedVersions[0] == VersionTLS13 { |
| 401 | // Require DHE on resumption as it guarantees forward secrecy against |
| 402 | // compromise of the session ticket key. See RFC 8446, Section 4.2.9. |
| 403 | hello.pskModes = []uint8{pskModeDHE} |
| 404 | } |
| 405 | |
| 406 | // Session resumption is not allowed if renegotiating because |
| 407 | // renegotiation is primarily used to allow a client to send a client |
| 408 | // certificate, which would be skipped if session resumption occurred. |
| 409 | if c.handshakes != 0 { |
| 410 | return nil, nil, nil, nil |
| 411 | } |
| 412 | |
| 413 | // Try to resume a previously negotiated TLS session, if available. |
| 414 | cacheKey := c.clientSessionCacheKey() |
| 415 | if cacheKey == "" { |
| 416 | return nil, nil, nil, nil |
| 417 | } |
| 418 | cs, ok := c.config.ClientSessionCache.Get(cacheKey) |
| 419 | if !ok || cs == nil { |
| 420 | return nil, nil, nil, nil |
| 421 | } |
| 422 | session = cs.session |
| 423 | |
| 424 | // Check that version used for the previous session is still valid. |
| 425 | versOk := false |
| 426 | for _, v := range hello.supportedVersions { |
| 427 | if v == session.version { |
| 428 | versOk = true |
| 429 | break |
| 430 | } |
| 431 | } |
| 432 | if !versOk { |
| 433 | return nil, nil, nil, nil |
| 434 | } |
| 435 | |
| 436 | // Check that the cached server certificate is not expired, and that it's |
| 437 | // valid for the ServerName. This should be ensured by the cache key, but |
| 438 | // protect the application from a faulty ClientSessionCache implementation. |
| 439 | if c.config.time().After(session.peerCertificates[0].NotAfter) { |
| 440 | // Expired certificate, delete the entry. |
| 441 | c.config.ClientSessionCache.Put(cacheKey, nil) |
| 442 | return nil, nil, nil, nil |
| 443 | } |
| 444 | if !c.config.InsecureSkipVerify { |
| 445 | if len(session.verifiedChains) == 0 { |