Make sure clean the stored session

We need to delete the stored session when any fatal errors occurs.
This operation should be taken in the Conn.notify function.

conn.go

@@ -676,14 +676,6 @@ func (c *Conn) handleIncomingPacket(buf []byte, enqueue bool) (bool, *alert.Aler
 		var err error
 		buf, err = c.state.cipherSuite.Decrypt(buf)
 		if err != nil {
-			if len(c.state.SessionID) > 0 {
-				// According to the RFC, we need to delete the stored session.
-				// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
-				if delErr := c.fsm.cfg.sessionStore.Del(c.state.SessionID); delErr != nil {
-					return false, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, delErr
-				}
-				return false, &alert.Alert{Level: alert.Fatal, Description: alert.DecryptError}, err
-			}
 			c.log.Debugf("%s: decrypt failed: %s", srvCliStr(c.state.isClient), err)
 			return false, nil, nil
 		}
@@ -764,6 +756,15 @@ func (c *Conn) recvHandshake() <-chan chan struct{} {
 }
 
 func (c *Conn) notify(ctx context.Context, level alert.Level, desc alert.Description) error {
+	if level == alert.Fatal && len(c.state.SessionID) > 0 {
+		// According to the RFC, we need to delete the stored session.
+		// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
+		if ss := c.fsm.cfg.sessionStore; ss != nil {
+			if err := ss.Del(c.sessionKey()); err != nil {
+				return err
+			}
+		}
+	}
 	return c.writePackets(ctx, []*packet{
 		{
 			record: &recordlayer.RecordLayer{
@@ -960,6 +961,13 @@ func (c *Conn) RemoteAddr() net.Addr {
 	return c.nextConn.RemoteAddr()
 }
 
+func (c *Conn) sessionKey() []byte {
+	if c.state.isClient {
+		return []byte(c.nextConn.RemoteAddr().String() + c.fsm.cfg.serverName)
+	}
+	return c.state.SessionID
+}
+
 // SetDeadline implements net.Conn.SetDeadline
 func (c *Conn) SetDeadline(t time.Time) error {
 	c.readDeadline.Set(t)

flight1handler.go

@@ -92,8 +92,7 @@ func flight1Generate(c flightConn, state *State, cache *handshakeCache, cfg *han
 
 	if cfg.sessionStore != nil {
 		cfg.log.Tracef("[handshake] try to resume session")
-		key := []byte(c.RemoteAddr().String() + cfg.serverName)
-		if s, err := cfg.sessionStore.Get(key); err != nil {
+		if s, err := cfg.sessionStore.Get(c.sessionKey()); err != nil {
 			return nil, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
 		} else if s.ID != nil {
 			cfg.log.Tracef("[handshake] get saved session: %x", s.ID)

flight5handler.go

@@ -54,8 +54,7 @@ func flight5Parse(ctx context.Context, c flightConn, state *State, cache *handsh
 			Secret: state.masterSecret,
 		}
 		cfg.log.Tracef("[handshake] save new session: %x", s.ID)
-		key := []byte(c.RemoteAddr().String() + cfg.serverName)
-		if err := cfg.sessionStore.Set(key, s); err != nil {
+		if err := cfg.sessionStore.Set(c.sessionKey(), s); err != nil {
 			return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
 		}
 	}

handshaker.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
-	"net"
 	"sync"
 	"time"
 
@@ -122,7 +121,7 @@ type flightConn interface {
 	recvHandshake() <-chan chan struct{}
 	setLocalEpoch(epoch uint16)
 	handleQueuedPackets(context.Context) error
-	RemoteAddr() net.Addr
+	sessionKey() []byte
 }
 
 func (c *handshakeConfig) writeKeyLog(label string, clientRandom, secret []byte) {

handshaker_test.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
-	"net"
 	"sync"
 	"testing"
 	"time"
@@ -277,6 +276,6 @@ func (c *flightTestConn) handleQueuedPackets(ctx context.Context) error {
 	return nil
 }
 
-func (c *flightTestConn) RemoteAddr() net.Addr {
+func (c *flightTestConn) sessionKey() []byte {
 	return nil
 }