crypto/tls: generate unique ticket_age_add for each ticket

#23 -- CLA ok -- re-author to me+google@tomthorogood.co.uk

13.go

@@ -556,15 +556,9 @@ func (hs *serverHandshakeState) sendSessionTicket13() error {
 	resumptionSecret := hkdfExpandLabel(hash, hs.masterSecret, handshakeCtx, "resumption master secret", hash.Size())
 
 	ageAddBuf := make([]byte, 4)
-	if _, err := io.ReadFull(c.config.rand(), ageAddBuf); err != nil {
-		c.sendAlert(alertInternalError)
-		return err
-	}
 	sessionState := &sessionState13{
-		vers:  c.vers,
-		suite: hs.suite.id,
-		ageAdd: uint32(ageAddBuf[0])<<24 | uint32(ageAddBuf[1])<<16 |
-			uint32(ageAddBuf[2])<<8 | uint32(ageAddBuf[3]),
+		vers:             c.vers,
+		suite:            hs.suite.id,
 		createdAt:        uint64(time.Now().Unix()),
 		resumptionSecret: resumptionSecret,
 		alpnProtocol:     c.clientProtocol,
@@ -573,6 +567,12 @@ func (hs *serverHandshakeState) sendSessionTicket13() error {
 	}
 
 	for i := 0; i < numSessionTickets; i++ {
+		if _, err := io.ReadFull(c.config.rand(), ageAddBuf); err != nil {
+			c.sendAlert(alertInternalError)
+			return err
+		}
+		sessionState.ageAdd = uint32(ageAddBuf[0])<<24 | uint32(ageAddBuf[1])<<16 |
+			uint32(ageAddBuf[2])<<8 | uint32(ageAddBuf[3])
 		ticket := sessionState.marshal()
 		var err error
 		if c.config.SessionTicketSealer != nil {