Make sure clean the stored session

We need to delete the stored session when any fatal errors occurs.
This operation should be taken in the Conn.notify function.

conn.go

@@ -676,14 +676,6 @@ func (c *Conn) handleIncomingPacket(buf []byte, enqueue bool) (bool, *alert.Aler
 		var err error
 		buf, err = c.state.cipherSuite.Decrypt(buf)
 		if err != nil {
-			if len(c.state.SessionID) > 0 {
-				// According to the RFC, we need to delete the stored session.
-				// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
-				if delErr := c.fsm.cfg.sessionStore.Del(c.state.SessionID); delErr != nil {
-					return false, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, delErr
-				}
-				return false, &alert.Alert{Level: alert.Fatal, Description: alert.DecryptError}, err
-			}
 			c.log.Debugf("%s: decrypt failed: %s", srvCliStr(c.state.isClient), err)
 			return false, nil, nil
 		}
@@ -764,6 +756,16 @@ func (c *Conn) recvHandshake() <-chan chan struct{} {
 }
 
 func (c *Conn) notify(ctx context.Context, level alert.Level, desc alert.Description) error {
+	if level == alert.Fatal && len(c.state.SessionID) > 0 {
+		// According to the RFC, we need to delete the stored session.
+		// https://datatracker.ietf.org/doc/html/rfc5246#section-7.2
+		if ss := c.fsm.cfg.sessionStore; ss != nil {
+			c.log.Tracef("clean invalid session: %s", c.state.SessionID)
+			if err := ss.Del(c.sessionKey()); err != nil {
+				return err
+			}
+		}
+	}
 	return c.writePackets(ctx, []*packet{
 		{
 			record: &recordlayer.RecordLayer{
@@ -960,6 +962,16 @@ func (c *Conn) RemoteAddr() net.Addr {
 	return c.nextConn.RemoteAddr()
 }
 
+func (c *Conn) sessionKey() []byte {
+	if c.state.isClient {
+		// As ServerName can be like 0.example.com, it's better to add
+		// delimiter character which is not allowed to be in
+		// neither address or domain name.
+		return []byte(c.nextConn.RemoteAddr().String() + "_" + c.fsm.cfg.serverName)
+	}
+	return c.state.SessionID
+}
+
 // SetDeadline implements net.Conn.SetDeadline
 func (c *Conn) SetDeadline(t time.Time) error {
 	c.readDeadline.Set(t)

conn_test.go

@@ -2153,7 +2153,7 @@ func TestSessionResume(t *testing.T) {
 	report := test.CheckRoutines(t)
 	defer report()
 
-	t.Run("session resumption old", func(t *testing.T) {
+	t.Run("resumed", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
 
@@ -2173,7 +2173,7 @@ func TestSessionResume(t *testing.T) {
 		ca, cb := dpipe.Pipe()
 
 		_ = ss.Set(id, s)
-		_ = ss.Set([]byte(ca.RemoteAddr().String()+"example.com"), s)
+		_ = ss.Set([]byte(ca.RemoteAddr().String()+"_example.com"), s)
 
 		go func() {
 			config := &Config{
@@ -2217,7 +2217,7 @@ func TestSessionResume(t *testing.T) {
 		_ = res.c.Close()
 	})
 
-	t.Run("session resumption new", func(t *testing.T) {
+	t.Run("new session", func(t *testing.T) {
 		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 		defer cancel()
 
@@ -2263,7 +2263,7 @@ func TestSessionResume(t *testing.T) {
 		if res.err != nil {
 			t.Fatal(res.err)
 		}
-		cs, _ := s1.Get([]byte(ca.RemoteAddr().String() + "example.com"))
+		cs, _ := s1.Get([]byte(ca.RemoteAddr().String() + "_example.com"))
 		if !bytes.Equal(actualMasterSecret, cs.Secret) {
 			t.Errorf("TestSessionResumetion: masterSecret Mismatch: expected(%v) actual(%v)", ss.Secret, actualMasterSecret)
 		}

flight1handler.go

@@ -92,8 +92,7 @@ func flight1Generate(c flightConn, state *State, cache *handshakeCache, cfg *han
 
 	if cfg.sessionStore != nil {
 		cfg.log.Tracef("[handshake] try to resume session")
-		key := []byte(c.RemoteAddr().String() + cfg.serverName)
-		if s, err := cfg.sessionStore.Get(key); err != nil {
+		if s, err := cfg.sessionStore.Get(c.sessionKey()); err != nil {
 			return nil, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
 		} else if s.ID != nil {
 			cfg.log.Tracef("[handshake] get saved session: %x", s.ID)

flight3handler.go

@@ -171,11 +171,6 @@ func handleResumption(ctx context.Context, c flightConn, state *State, cache *ha
 		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
 	}
 	if !bytes.Equal(expectedVerifyData, finished.VerifyData) {
-		cfg.log.Tracef("[handshake] clean invalid session: %s", state.SessionID)
-		if err := cfg.sessionStore.Del(state.SessionID); err != nil {
-			return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
-		}
-
 		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.HandshakeFailure}, errVerifyDataMismatch
 	}
 

flight4bhandler.go

@@ -34,11 +34,6 @@ func flight4bParse(ctx context.Context, c flightConn, state *State, cache *hands
 
 	expectedVerifyData, err := prf.VerifyDataClient(state.masterSecret, plainText, state.cipherSuite.HashFunc())
 	if err != nil {
-		cfg.log.Tracef("[handshake] clean invalid session: %s", state.SessionID)
-		if delErr := cfg.sessionStore.Del(state.SessionID); delErr != nil {
-			return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, delErr
-		}
-
 		return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
 	}
 	if !bytes.Equal(expectedVerifyData, finished.VerifyData) {

flight5handler.go

@@ -54,8 +54,7 @@ func flight5Parse(ctx context.Context, c flightConn, state *State, cache *handsh
 			Secret: state.masterSecret,
 		}
 		cfg.log.Tracef("[handshake] save new session: %x", s.ID)
-		key := []byte(c.RemoteAddr().String() + cfg.serverName)
-		if err := cfg.sessionStore.Set(key, s); err != nil {
+		if err := cfg.sessionStore.Set(c.sessionKey(), s); err != nil {
 			return 0, &alert.Alert{Level: alert.Fatal, Description: alert.InternalError}, err
 		}
 	}

handshaker.go

@@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io"
-	"net"
 	"sync"
 	"time"
 
@@ -122,7 +121,7 @@ type flightConn interface {
 	recvHandshake() <-chan chan struct{}
 	setLocalEpoch(epoch uint16)
 	handleQueuedPackets(context.Context) error
-	RemoteAddr() net.Addr
+	sessionKey() []byte
 }
 
 func (c *handshakeConfig) writeKeyLog(label string, clientRandom, secret []byte) {

handshaker_test.go

@@ -4,7 +4,6 @@ import (
 	"bytes"
 	"context"
 	"crypto/tls"
-	"net"
 	"sync"
 	"testing"
 	"time"
@@ -277,6 +276,6 @@ func (c *flightTestConn) handleQueuedPackets(ctx context.Context) error {
 	return nil
 }
 
-func (c *flightTestConn) RemoteAddr() net.Addr {
+func (c *flightTestConn) sessionKey() []byte {
 	return nil
 }