crypto/tls: fix sessionState marshaling

Change-Id: I2910f322256c521dd03b1dc23d117defdcd0aa54
Reviewed-on: https://go-review.googlesource.com/c/go/+/232662
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>

Author: katiehockman

src/crypto/tls/ticket.go

@@ -23,8 +23,8 @@ type sessionState struct {
 	vers         uint16
 	cipherSuite  uint16
 	masterSecret []byte // opaque master_secret<1..2^16-1>;
-	// struct { opaque certificate<1..2^32-1> } Certificate;
-	certificates [][]byte // Certificate certificate_list<0..2^16-1>;
+	// uint16 num_certificates;
+	certificates [][]byte // opaque certificate<1..2^32-1>;
 
 	// usedOldKey is true if the ticket from which this session came from
 	// was encrypted with an older key and thus should be refreshed.
@@ -38,35 +38,33 @@ func (m *sessionState) marshal() []byte {
 	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
 		b.AddBytes(m.masterSecret)
 	})
-	b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-		for _, cert := range m.certificates {
-			b.AddUint32LengthPrefixed(func(b *cryptobyte.Builder) {
-				b.AddBytes(cert)
-			})
-		}
-	})
+	b.AddUint16(uint16(len(m.certificates)))
+	for _, cert := range m.certificates {
+		b.AddUint32LengthPrefixed(func(b *cryptobyte.Builder) {
+			b.AddBytes(cert)
+		})
+	}
 	return b.BytesOrPanic()
 }
 
 func (m *sessionState) unmarshal(data []byte) bool {
 	*m = sessionState{usedOldKey: m.usedOldKey}
 	s := cryptobyte.String(data)
+	var numCerts uint16
 	if ok := s.ReadUint16(&m.vers) &&
 		m.vers != VersionTLS13 &&
 		s.ReadUint16(&m.cipherSuite) &&
 		readUint16LengthPrefixed(&s, &m.masterSecret) &&
-		len(m.masterSecret) != 0; !ok {
+		len(m.masterSecret) != 0 &&
+		s.ReadUint16(&numCerts); !ok {
 		return false
 	}
-	var certList cryptobyte.String
-	if !s.ReadUint16LengthPrefixed(&certList) {
-		return false
-	}
-	for !certList.Empty() {
+
+	for i := 0; i < int(numCerts); i++ {
 		var certLen uint32
-		certList.ReadUint32(&certLen)
+		s.ReadUint32(&certLen)
 		var cert []byte
-		if certLen == 0 || !certList.ReadBytes(&cert, int(certLen)) {
+		if certLen == 0 || !s.ReadBytes(&cert, int(certLen)) {
 			return false
 		}
 		m.certificates = append(m.certificates, cert)