diff --git a/alert.go b/alert.go
index 49298682..24199a73 100644
--- a/alert.go
+++ b/alert.go
@@ -38,6 +38,8 @@ const (
 alertInappropriateFallback alert = 86
 alertUserCanceled alert = 90
 alertNoRenegotiation alert = 100
+ alertMissingExtension alert = 109
+ alertUnsupportedExtension alert = 110
 alertNoApplicationProtocol alert = 120
 )
@@ -65,6 +67,8 @@ var alertText = map[alert]string{
 alertInappropriateFallback: "inappropriate fallback",
 alertUserCanceled: "user canceled",
 alertNoRenegotiation: "no renegotiation",
+ alertMissingExtension: "missing extension",
+ alertUnsupportedExtension: "unsupported extension",
 alertNoApplicationProtocol: "no application protocol",
 }
diff --git a/auth.go b/auth.go
index a27db45b..3e12d974 100644
--- a/auth.go
+++ b/auth.go
@@ -11,6 +11,8 @@ import (
 "encoding/asn1"
 "errors"
 "fmt"
+ "hash"
+ "io"
 )
 // pickSignatureAlgorithm selects a signature algorithm that is compatible with
@@ -43,7 +45,7 @@ func pickSignatureAlgorithm(pubkey crypto.PublicKey, peerSigAlgs, ourSigAlgs []S
 if !isSupportedSignatureAlgorithm(sigAlg, ourSigAlgs) {
 continue
 }
- hashAlg, err := lookupTLSHash(sigAlg)
+ hashAlg, err := hashFromSignatureScheme(sigAlg)
 if err != nil {
 panic("tls: supported signature algorithm has an unknown hash function")
 }
@@ -105,3 +107,27 @@ func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc c
 }
 return nil
 }
+
+const (
+ serverSignatureContext = "TLS 1.3, server CertificateVerify\x00"
+ clientSignatureContext = "TLS 1.3, client CertificateVerify\x00"
+)
+
+var signaturePadding = []byte{
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+ 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
+}
+
+// writeSignedMessage writes the content to be signed by certificate keys in TLS
+// 1.3 to sigHash. See RFC 8446, Section 4.4.3.
+func writeSignedMessage(sigHash io.Writer, context string, transcript hash.Hash) {
+ sigHash.Write(signaturePadding)
+ io.WriteString(sigHash, context)
+ sigHash.Write(transcript.Sum(nil))
+}
diff --git a/cipher_suites.go b/cipher_suites.go
index d948fac8..41ab2ba8 100644
--- a/cipher_suites.go
+++ b/cipher_suites.go
@@ -410,6 +410,20 @@ func mutualCipherSuite(have []uint16, want uint16) *cipherSuite {
 return nil
 }
+func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 {
+ for _, id := range have {
+ if id == want {
+ for _, suite := range cipherSuitesTLS13 {
+ if suite.id == want {
+ return suite
+ }
+ }
+ return nil
+ }
+ }
+ return nil
+}
+
 // A list of cipher suite IDs that are, or have been, implemented by this
 // package.
 //
diff --git a/common.go b/common.go
index 17c10bbd..7e5976ae 100644
--- a/common.go
+++ b/common.go
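Review bot: writeSignedMessage discards the result of all three writes while accepting any io.Writer as sigHash, so a writer that can fail would leave the signature computed over truncated input with no error surfaced. hash.Hash documents that its Write never returns an error, so narrowing the first parameter to `hash.Hash` makes the ignored results safe by construction; otherwise the function should return the first error. The doc comment could also state the layout explicitly: the 64 bytes of 0x20 in signaturePadding, then the context string, then the transcript hash. It should note that serverSignatureContext and clientSignatureContext already end in the `\x00` separator, so callers must not append another.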
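Review bot: mutualCipherSuiteTLS13 is added without a doc comment, and its nil result covers two different cases: want is absent from have, or want is in have but not in cipherSuitesTLS13. A comment such as `// mutualCipherSuiteTLS13 returns the TLS 1.3 suite with ID want if have also lists it, or nil if either side lacks it.` would make that contract explicit.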
@@ -149,17 +149,8 @@ const (
 // Certificate types (for certificateRequestMsg)
 const (
- certTypeRSASign = 1 // A certificate containing an RSA key
- certTypeDSSSign = 2 // A certificate containing a DSA key
- certTypeRSAFixedDH = 3 // A certificate containing a static DH key
- certTypeDSSFixedDH = 4 // A certificate containing a static DH key
-
- // See RFC 4492 sections 3 and 5.5.
- certTypeECDSASign = 64 // A certificate containing an ECDSA-capable public key, signed with ECDSA.
- certTypeRSAFixedECDH = 65 // A certificate containing an ECDH-capable public key, signed with RSA.
- certTypeECDSAFixedECDH = 66 // A certificate containing an ECDH-capable public key, signed with ECDSA.
-
- // Rest of these are reserved by the TLS spec
+ certTypeRSASign = 1
+ certTypeECDSASign = 64 // RFC 4492, Section 5.5
 )
 // Signature algorithms (for internal signaling use). Starting at 16 to avoid overlap with
@@ -188,6 +179,15 @@ var supportedSignatureAlgorithms = []SignatureScheme{
 ECDSAWithSHA1,
 }
+// helloRetryRequestRandom is set as the Random value of a ServerHello
+// to signal that the message is actually a HelloRetryRequest.
+var helloRetryRequestRandom = []byte{ // See RFC 8446, Section 4.1.3.
+ 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11,
+ 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
+ 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
+ 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C,
+}
+
 // ConnectionState records basic TLS details about the connection.
 type ConnectionState struct {
 Version uint16 // TLS version used by the connection (e.g. VersionTLS12)
@@ -356,6 +356,8 @@ type CertificateRequestInfo struct {
 // handshake and application data flow is not permitted so renegotiation can
 // only be used with protocols that synchronise with the renegotiation, such as
 // HTTPS.
+//
+// Renegotiation is not defined in TLS 1.3.
 type RenegotiationSupport int
 const (
@@ -530,7 +532,8 @@ type Config struct {
 // CurvePreferences contains the elliptic curves that will be used in
 // an ECDHE handshake, in preference order. If empty, the default will
- // be used.
+ // be used. The client will use the first preference as the type for
+ // its key share in TLS 1.3. This may change in the future.
 CurvePreferences []CurveID
 // DynamicRecordSizingDisabled disables adaptive sizing of TLS records.
@@ -716,6 +719,7 @@ func (c *Config) cipherSuites() []uint16 {
 }
 var supportedVersions = []uint16{
+ VersionTLS13,
 VersionTLS12,
 VersionTLS11,
 VersionTLS10,
@@ -735,6 +739,10 @@ func (c *Config) supportedVersions(isClient bool) []uint16 {
 if isClient && v < VersionTLS10 {
 continue
 }
+ // TLS 1.3 is only supported if explicitly requested while in development.
+ if v == VersionTLS13 && (!isClient || c == nil || c.MaxVersion != VersionTLS13) {
+ continue
+ }
 versions = append(versions, v)
 }
 return versions
diff --git a/conn.go b/conn.go
index 36199640..853e86eb 100644
--- a/conn.go
+++ b/conn.go
@@ -154,6 +154,8 @@ type halfConn struct {
 nextCipher interface{} // next encryption state
 nextMac macFunction // next MAC algorithm
+
+ trafficSecret []byte // current TLS 1.3 traffic secret
 }
 func (hc *halfConn) setErrorLocked(err error) error {
@@ -172,7 +174,7 @@ func (hc *halfConn) prepareCipherSpec(version uint16, cipher interface{}, mac ma
 // changeCipherSpec changes the encryption and MAC states
 // to the ones previously passed to prepareCipherSpec.
 func (hc *halfConn) changeCipherSpec() error {
- if hc.nextCipher == nil {
+ if hc.nextCipher == nil || hc.version == VersionTLS13 {
 return alertInternalError
 }
 hc.cipher = hc.nextCipher
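Review bot: The gate added to Config.supportedVersions enables TLS 1.3 only for a client whose MaxVersion is exactly VersionTLS13, but the comment says only "explicitly requested". A reader cannot tell from it that servers, a nil Config, and a Config with MaxVersion left at zero never offer TLS 1.3. I would spell the rule out, for example `// TLS 1.3 is offered only by clients whose Config.MaxVersion is exactly VersionTLS13; servers and default configs never select it.` The exported documentation of MaxVersion is outside this hunk and presumably needs the same sentence, since callers will otherwise assume the newest version is negotiated by default.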
@@ -185,6 +187,15 @@ func (hc *halfConn) changeCipherSpec() error {
 return nil
 }
+func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, secret []byte) {
+ hc.trafficSecret = secret
+ key, iv := suite.trafficKey(secret)
+ hc.cipher = suite.aead(key, iv)
+ for i := range hc.seq {
+ hc.seq[i] = 0
+ }
+}
+
 // incSeq increments the sequence number.
 func (hc *halfConn) incSeq() {
 for i := 7; i >= 0; i-- {
@@ -1110,6 +1121,10 @@ func (c *Conn) Write(b []byte) (int, error) {
 // handleRenegotiation processes a HelloRequest handshake message.
 func (c *Conn) handleRenegotiation() error {
+ if c.vers == VersionTLS13 {
+ return errors.New("tls: internal error: unexpected renegotiation")
+ }
+
 msg, err := c.readHandshake()
 if err != nil {
 return err
@@ -1299,7 +1314,7 @@ func (c *Conn) Handshake() error {
 }
 if c.handshakeErr == nil && !c.handshakeComplete() {
- panic("handshake should have had a result.")
+ panic("tls: internal error: handshake should have had a result")
 }
 return c.handshakeErr
diff --git a/handshake_client.go b/handshake_client.go
index cfa7a75b..076a525b 100644
--- a/handshake_client.go
+++ b/handshake_client.go
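Review bot: setTrafficSecret has no doc comment even though it swaps hc.cipher and zeroes hc.seq in one step, and it keeps the caller's secret slice by reference rather than copying it. A later write to that slice by the caller would silently change hc.trafficSecret, so either copy it (`hc.trafficSecret = append([]byte(nil), secret...)`) or document that ownership transfers to the halfConn. The comment should also say whether the caller must hold the halfConn lock; the neighbouring setErrorLocked name suggests a locking convention that is not visible in this hunk.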
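Review bot: The new TLS 1.3 branch in handleRenegotiation returns an error without reading the pending message or sending an alert. TLS 1.3 servers legitimately send post-handshake handshake messages such as NewSessionTicket and KeyUpdate. If the caller (outside this hunk) routes every post-handshake handshake record here, a conforming server would have its connection torn down with a message that blames an internal error. If that routing is handled elsewhere in the series, a short comment saying so would help; otherwise the error text should name the unexpected peer message rather than `internal error`. The function body continues outside the hunk.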
@@ -30,26 +30,27 @@ type clientHandshakeState struct {
 session *ClientSessionState
 }
-func makeClientHello(config *Config) (*clientHelloMsg, error) {
+func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
+ config := c.config
 if len(config.ServerName) == 0 && !config.InsecureSkipVerify {
- return nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
+ return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config")
 }
 nextProtosLength := 0
 for _, proto := range config.NextProtos {
 if l := len(proto); l == 0 || l > 255 {
- return nil, errors.New("tls: invalid NextProtos value")
+ return nil, nil, errors.New("tls: invalid NextProtos value")
 } else {
 nextProtosLength += 1 + l
 }
 }
 if nextProtosLength > 0xffff {
- return nil, errors.New("tls: NextProtos values too large")
+ return nil, nil, errors.New("tls: NextProtos values too large")
 }
 supportedVersions := config.supportedVersions(true)
 if len(supportedVersions) == 0 {
- return nil, errors.New("tls: no supported versions satisfy MinVersion and MaxVersion")
+ return nil, nil, errors.New("tls: no supported versions satisfy MinVersion and MaxVersion")
 }
 clientHelloVersion := supportedVersions[0]
@@ -64,6 +65,7 @@ func makeClientHello(config *Config) (*clientHelloMsg, error) {
 vers: clientHelloVersion,
 compressionMethods: []uint8{compressionNone},
 random: make([]byte, 32),
+ sessionId: make([]byte, 32),
 ocspStapling: true,
 scts: true,
 serverName: hostnameInSNI(config.ServerName),
@@ -74,6 +76,11 @@ func makeClientHello(config *Config) (*clientHelloMsg, error) {
 alpnProtocols: config.NextProtos,
 supportedVersions: supportedVersions,
 }
+
+ if c.handshakes > 0 {
+ hello.secureRenegotiation = c.clientFinished[:]
+ }
+
 possibleCipherSuites := config.cipherSuites()
 hello.cipherSuites = make([]uint16, 0, len(possibleCipherSuites))
@@ -95,14 +102,36 @@ NextCipherSuite:
 _, err := io.ReadFull(config.rand(), hello.random)
 if err != nil {
- return nil, errors.New("tls: short read from Rand: " + err.Error())
+ return nil, nil, errors.New("tls: short read from Rand: " + err.Error())
+ }
+
+ // A random session ID is used to detect when the server accepted a ticket
+ // and is resuming a session (see RFC 5077). In TLS 1.3, it's always set as
+ // a compatibility measure (see RFC 8446, Section 4.1.2).
+ if _, err := io.ReadFull(config.rand(), hello.sessionId); err != nil {
+ return nil, nil, errors.New("tls: short read from Rand: " + err.Error())
 }
 if hello.vers >= VersionTLS12 {
 hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms
 }
- return hello, nil
+ var params ecdheParameters
+ if hello.supportedVersions[0] == VersionTLS13 {
+ hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13()...)
+
+ curveID := config.curvePreferences()[0]
+ if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok {
+ return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve")
+ }
+ params, err = generateECDHEParameters(config.rand(), curveID)
+ if err != nil {
+ return nil, nil, err
+ }
+ hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}}
+ }
+
+ return hello, params, nil
 }
 func (c *Conn) clientHandshake() error {
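Review bot: `config.curvePreferences()[0]` in the TLS 1.3 branch of makeClientHello indexes the result without a length check, so it depends on curvePreferences (not shown in this diff) substituting defaults for an empty Config.CurvePreferences. If that helper can ever return an empty slice, this panics during the handshake instead of failing with an error; a guard such as `if len(prefs) == 0 { return nil, nil, errors.New("tls: no curve preferences") }` keeps it an error. The function, which starts in an earlier hunk, also has no doc comment stating that the returned ecdheParameters is nil unless TLS 1.3 is offered. clientHandshakeStateTLS13.handshake relies on that when it checks `hs.ecdheParams == nil`.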
@@ -114,118 +143,143 @@ func (c *Conn) clientHandshake() error {
 // need to be reset.
 c.didResume = false
- hello, err := makeClientHello(c.config)
+ hello, ecdheParams, err := c.makeClientHello()
 if err != nil {
 return err
 }
- if c.handshakes > 0 {
- hello.secureRenegotiation = c.clientFinished[:]
+ var newSession *ClientSessionState
+ cacheKey, session := c.loadSession(hello)
+
+ if _, err := c.writeRecord(recordTypeHandshake, hello.marshal()); err != nil {
+ return err
 }
- var session *ClientSessionState
- var cacheKey string
- sessionCache := c.config.ClientSessionCache
- if c.config.SessionTicketsDisabled {
- sessionCache = nil
+ msg, err := c.readHandshake()
+ if err != nil {
+ return err
 }
- if sessionCache != nil {
- hello.ticketSupported = true
+ serverHello, ok := msg.(*serverHelloMsg)
+ if !ok {
+ c.sendAlert(alertUnexpectedMessage)
+ return unexpectedMessageError(serverHello, msg)
 }
- // Session resumption is not allowed if renegotiating because
- // renegotiation is primarily used to allow a client to send a client
- // certificate, which would be skipped if session resumption occurred.
- if sessionCache != nil && c.handshakes == 0 {
- // Try to resume a previously negotiated TLS session, if
- // available.
- cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
- candidateSession, ok := sessionCache.Get(cacheKey)
- if ok {
- // Check that the ciphersuite/version used for the
- // previous session are still valid.
- cipherSuiteOk := false
- for _, id := range hello.cipherSuites {
- if id == candidateSession.cipherSuite {
- cipherSuiteOk = true
- break
- }
- }
+ if err := c.pickTLSVersion(serverHello); err != nil {
+ return err
+ }
- versOk := false
- for _, v := range c.config.supportedVersions(true) {
- if v == candidateSession.vers {
- versOk = true
- break
- }
- }
+ if c.vers == VersionTLS13 {
+ hs := &clientHandshakeStateTLS13{
+ c: c,
+ serverHello: serverHello,
+ hello: hello,
+ ecdheParams: ecdheParams,
+ session: session,
+ }
- if versOk && cipherSuiteOk {
- session = candidateSession
- }
+ if err := hs.handshake(); err != nil {
+ return err
 }
- }
- if session != nil {
- hello.sessionTicket = session.sessionTicket
- // A random session ID is used to detect when the
- // server accepted the ticket and is resuming a session
- // (see RFC 5077).
- hello.sessionId = make([]byte, 16)
- if _, err := io.ReadFull(c.config.rand(), hello.sessionId); err != nil {
- return errors.New("tls: short read from Rand: " + err.Error())
+ newSession = hs.session
+ } else {
+ hs := &clientHandshakeState{
+ c: c,
+ serverHello: serverHello,
+ hello: hello,
+ session: session,
 }
- }
- hs := &clientHandshakeState{
- c: c,
- hello: hello,
- session: session,
- }
+ if err := hs.handshake(); err != nil {
+ return err
+ }
- if err = hs.handshake(); err != nil {
- return err
+ newSession = hs.session
 }
 // If we had a successful handshake and hs.session is different from
- // the one already cached - cache a new one
- if sessionCache != nil && hs.session != nil && session != hs.session {
- sessionCache.Put(cacheKey, hs.session)
+ // the one already cached - cache a new one.
+ if hello.ticketSupported && newSession != nil && session != newSession {
+ c.config.ClientSessionCache.Put(cacheKey, newSession)
 }
 return nil
 }
-// Does the handshake, either a full one or resumes old session.
-// Requires hs.c, hs.hello, and, optionally, hs.session to be set.
-func (hs *clientHandshakeState) handshake() error {
- c := hs.c
+func (c *Conn) loadSession(hello *clientHelloMsg) (cacheKey string, session *ClientSessionState) {
+ if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil {
+ return
+ }
- // send ClientHello
- if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
- return err
+ hello.ticketSupported = true
+
+ // Session resumption is not allowed if renegotiating because
+ // renegotiation is primarily used to allow a client to send a client
+ // certificate, which would be skipped if session resumption occurred.
+ if c.handshakes != 0 {
+ return
 }
- msg, err := c.readHandshake()
- if err != nil {
- return err
+ // Try to resume a previously negotiated TLS session, if available.
+ cacheKey = clientSessionCacheKey(c.conn.RemoteAddr(), c.config)
+ candidateSession, ok := c.config.ClientSessionCache.Get(cacheKey)
+ if !ok {
+ return
 }
- var ok bool
- if hs.serverHello, ok = msg.(*serverHelloMsg); !ok {
- c.sendAlert(alertUnexpectedMessage)
- return unexpectedMessageError(hs.serverHello, msg)
+ // Check that the ciphersuite and version used for the previous session
+ // are still valid.
+ cipherSuiteOk := false
+ for _, id := range hello.cipherSuites {
+ if id == candidateSession.cipherSuite {
+ cipherSuiteOk = true
+ break
+ }
 }
- if err = hs.pickTLSVersion(); err != nil {
- return err
+ versOk := false
+ for _, v := range hello.supportedVersions {
+ if v == candidateSession.vers {
+ versOk = true
+ break
+ }
 }
- if err = hs.pickCipherSuite(); err != nil {
- return err
+ if versOk && cipherSuiteOk {
+ session = candidateSession
+ hello.sessionTicket = session.sessionTicket
+ }
+
+ return
+}
+
+func (c *Conn) pickTLSVersion(serverHello *serverHelloMsg) error {
+ peerVersion := serverHello.vers
+ if serverHello.supportedVersion != 0 {
+ peerVersion = serverHello.supportedVersion
 }
+ vers, ok := c.config.mutualVersion(true, []uint16{peerVersion})
+ if !ok {
+ c.sendAlert(alertProtocolVersion)
+ return fmt.Errorf("tls: server selected unsupported protocol version %x", peerVersion)
+ }
+
+ c.vers = vers
+ c.haveVers = true
+ c.in.version = vers
+ c.out.version = vers
+
+ return nil
+}
+
+// Does the handshake, either a full one or resumes old session.
+// Requires hs.c, hs.hello, and, optionally, hs.session to be set.
+func (hs *clientHandshakeState) handshake() error {
+ c := hs.c
+
 isResume, err := hs.processServerHello()
 if err != nil {
 return err
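Review bot: After pickTLSVersion, clientHandshake branches on c.vers with no visible check of the downgrade marker in serverHello.random. RFC 8446 Section 4.1.3 requires a client that offered TLS 1.3 and is handed TLS 1.2 or below to reject a ServerHello whose random ends in that marker. Unless processServerHello performs the check outside this diff, a forced fallback to an older version would go unnoticed once MaxVersion is set to VersionTLS13. Separately, loadSession sets hello.ticketSupported before its early return on `c.handshakes != 0`, which leaves cacheKey empty. The final Put can therefore store a renegotiated session under the empty key, as the old code also could; `if cacheKey != "" && newSession != nil && session != newSession` avoids that.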
@@ -291,24 +345,6 @@ func (hs *clientHandshakeState) handshake() error {
 return nil
 }
-func (hs *clientHandshakeState) pickTLSVersion() error {
- peerVersion := hs.serverHello.vers
- if hs.serverHello.supportedVersion != 0 {
- peerVersion = hs.serverHello.supportedVersion
- }
-
- vers, ok := hs.c.config.mutualVersion(true, []uint16{peerVersion})
- if !ok {
- hs.c.sendAlert(alertProtocolVersion)
- return fmt.Errorf("tls: server selected unsupported protocol version %x", peerVersion)
- }
-
- hs.c.vers = vers
- hs.c.haveVers = true
-
- return nil
-}
-
 func (hs *clientHandshakeState) pickCipherSuite() error {
 if hs.suite = mutualCipherSuite(hs.hello.cipherSuites, hs.serverHello.cipherSuite); hs.suite == nil {
 hs.c.sendAlert(alertHandshakeFailure)
@@ -336,53 +372,9 @@ func (hs *clientHandshakeState) doFullHandshake() error {
 if c.handshakes == 0 {
 // If this is the first handshake on a connection, process and
 // (optionally) verify the server's certificates.
- certs := make([]*x509.Certificate, len(certMsg.certificates))
- for i, asn1Data := range certMsg.certificates {
- cert, err := x509.ParseCertificate(asn1Data)
- if err != nil {
- c.sendAlert(alertBadCertificate)
- return errors.New("tls: failed to parse certificate from server: " + err.Error())
- }
- certs[i] = cert
- }
-
- if !c.config.InsecureSkipVerify {
- opts := x509.VerifyOptions{
- Roots: c.config.RootCAs,
- CurrentTime: c.config.time(),
- DNSName: c.config.ServerName,
- Intermediates: x509.NewCertPool(),
- }
-
- for i, cert := range certs {
- if i == 0 {
- continue
- }
- opts.Intermediates.AddCert(cert)
- }
- c.verifiedChains, err = certs[0].Verify(opts)
- if err != nil {
- c.sendAlert(alertBadCertificate)
- return err
- }
- }
-
- if c.config.VerifyPeerCertificate != nil {
- if err := c.config.VerifyPeerCertificate(certMsg.certificates, c.verifiedChains); err != nil {
- c.sendAlert(alertBadCertificate)
- return err
- }
- }
-
- switch certs[0].PublicKey.(type) {
- case *rsa.PublicKey, *ecdsa.PublicKey:
- break
- default:
- c.sendAlert(alertUnsupportedCertificate)
- return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
+ if err := c.verifyServerCertificate(certMsg.certificates); err != nil {
+ return err
 }
-
- c.peerCertificates = certs
 } else {
 // This is a renegotiation handshake. We require that the
 // server's identity (i.e. leaf certificate) is unchanged and
@@ -574,6 +566,10 @@ func (hs *clientHandshakeState) serverResumedSession() bool {
 func (hs *clientHandshakeState) processServerHello() (bool, error) {
 c := hs.c
+ if err := hs.pickCipherSuite(); err != nil {
+ return false, err
+ }
+
 if hs.serverHello.compressionMethod != compressionNone {
 c.sendAlert(alertUnexpectedMessage)
 return false, errors.New("tls: server selected unsupported compression format")
@@ -731,6 +727,61 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error {
 return nil
 }
+// verifyServerCertificate parses and verifies the provided chain, setting
+// c.verifiedChains and c.peerCertificates or sending the appropriate alert.
+func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
+ certs := make([]*x509.Certificate, len(certificates))
+ for i, asn1Data := range certificates {
+ cert, err := x509.ParseCertificate(asn1Data)
+ if err != nil {
+ c.sendAlert(alertBadCertificate)
+ return errors.New("tls: failed to parse certificate from server: " + err.Error())
+ }
+ certs[i] = cert
+ }
+
+ if !c.config.InsecureSkipVerify {
+ opts := x509.VerifyOptions{
+ Roots: c.config.RootCAs,
+ CurrentTime: c.config.time(),
+ DNSName: c.config.ServerName,
+ Intermediates: x509.NewCertPool(),
+ }
+
+ for i, cert := range certs {
+ if i == 0 {
+ continue
+ }
+ opts.Intermediates.AddCert(cert)
+ }
+ var err error
+ c.verifiedChains, err = certs[0].Verify(opts)
+ if err != nil {
+ c.sendAlert(alertBadCertificate)
+ return err
+ }
+ }
+
+ if c.config.VerifyPeerCertificate != nil {
+ if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
+ c.sendAlert(alertBadCertificate)
+ return err
+ }
+ }
+
+ switch certs[0].PublicKey.(type) {
+ case *rsa.PublicKey, *ecdsa.PublicKey:
+ break
+ default:
+ c.sendAlert(alertUnsupportedCertificate)
+ return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
+ }
+
+ c.peerCertificates = certs
+
+ return nil
+}
+
 // tls11SignatureSchemes contains the signature schemes that we synthesise for
 // a TLS <= 1.1 connection, based on the supported certificate types.
 var tls11SignatureSchemes = []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1}
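Review bot: verifyServerCertificate reads `certs[0]` in both the Verify call and the public-key switch without checking that certificates is non-empty, so the new helper panics on an empty chain unless every caller has rejected one first. The TLS 1.2 call site is only partly visible and the TLS 1.3 caller is outside this excerpt, so I would put the guard in the helper itself. It should return an error after `c.sendAlert(alertBadCertificate)` when `len(certificates) == 0`. The doc comment should also say that with InsecureSkipVerify set, c.verifiedChains is left untouched and only VerifyPeerCertificate, if configured, decides whether the peer is accepted.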
diff --git a/handshake_client_test.go b/handshake_client_test.go
index 2b7a5983..dac7a233 100644
--- a/handshake_client_test.go
+++ b/handshake_client_test.go
@@ -22,11 +22,22 @@ import (
 "path/filepath"
 "strconv"
 "strings"
- "sync"
 "testing"
 "time"
 )
+func init() {
+ // TLS 1.3 cipher suites preferences are not configurable and change based
+ // on the architecture. Force them to the version with AES accelleration for
+ // test consistency.
+ once.Do(initDefaultCipherSuites)
+ varDefaultCipherSuitesTLS13 = []uint16{
+ TLS_AES_128_GCM_SHA256,
+ TLS_CHACHA20_POLY1305_SHA256,
+ TLS_AES_256_GCM_SHA384,
+ }
+}
+
 // Note: see comment in handshake_test.go for details of how the reference
 // tests work.
@@ -281,7 +292,7 @@ func (test *clientTest) run(t *testing.T, write bool) {
 // TODO(filippo): regenerate client tests all at once after CL 146217,
 // RSA-PSS and client-side TLS 1.3 are landed.
- if !write {
+ if !write && !strings.Contains(test.name, "TLSv13") {
 t.Skip("recorded client tests are out of date")
 }
@@ -421,7 +432,7 @@ func (test *clientTest) run(t *testing.T, write bool) {
 childProcess.Process.Kill()
 childProcess.Wait()
 if len(recordingConn.flows) < 3 {
- os.Stdout.Write(childProcess.Stdout.(*opensslOutputSink).all)
+ os.Stdout.Write(stdout.all)
 t.Fatalf("Client connection didn't work")
 }
 recordingConn.WriteTo(out)
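Review bot: The skip condition in clientTest.run now keys on `strings.Contains(test.name, "TLSv13")`, which leaves every TLS 1.0 to 1.2 recorded client test skipped. This commit rewrites code those versions share: makeClientHello, loadSession, pickTLSVersion and verifyServerCertificate. Until the recordings are regenerated as the TODO says, the refactored pre-1.3 paths have no replay coverage, so a regression there would surface only when *update is set and a live openssl is available. Matching on a substring of the test name is also fragile; a boolean field on clientTest set by runClientTestTLS13 would express the same thing without depending on naming. In the init hunk above, `accelleration` in the comment should read `acceleration`.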
@@ -429,46 +440,48 @@ func (test *clientTest) run(t *testing.T, write bool) {
 }
 }
-var (
- didParMu sync.Mutex
- didPar = map[*testing.T]bool{}
-)
-
-// setParallel calls t.Parallel once. If you call it twice, it would
-// panic.
-func setParallel(t *testing.T) {
- didParMu.Lock()
- v := didPar[t]
- didPar[t] = true
- didParMu.Unlock()
- if !v {
- t.Parallel()
- }
-}
+func runClientTestForVersion(t *testing.T, template *clientTest, version, option string) {
+ t.Run(version, func(t *testing.T) {
+ // Make a deep copy of the template before going parallel.
+ test := *template
+ if template.config != nil {
+ test.config = template.config.Clone()
+ }
-func runClientTestForVersion(t *testing.T, template *clientTest, prefix, option string) {
- setParallel(t)
+ if !*update {
+ t.Parallel()
+ }
- test := *template
- test.name = prefix + test.name
- if len(test.command) == 0 {
- test.command = defaultClientCommand
- }
- test.command = append([]string(nil), test.command...)
- test.command = append(test.command, option)
- test.run(t, *update)
+ test.name = version + "-" + test.name
+ if len(test.command) == 0 {
+ test.command = defaultClientCommand
+ }
+ test.command = append([]string(nil), test.command...)
+ test.command = append(test.command, option)
+ test.run(t, *update)
+ })
 }
 func runClientTestTLS10(t *testing.T, template *clientTest) {
- runClientTestForVersion(t, template, "TLSv10-", "-tls1")
+ runClientTestForVersion(t, template, "TLSv10", "-tls1")
 }
 func runClientTestTLS11(t *testing.T, template *clientTest) {
- runClientTestForVersion(t, template, "TLSv11-", "-tls1_1")
+ runClientTestForVersion(t, template, "TLSv11", "-tls1_1")
 }
 func runClientTestTLS12(t *testing.T, template *clientTest) {
- runClientTestForVersion(t, template, "TLSv12-", "-tls1_2")
+ runClientTestForVersion(t, template, "TLSv12", "-tls1_2")
+}
+
+func runClientTestTLS13(t *testing.T, template *clientTest) {
+ // TODO(filippo): set MaxVersion to VersionTLS13 instead in testConfig
+ // while regenerating client tests.
+ if template.config == nil {
+ template.config = testConfig.Clone()
+ }
+ template.config.MaxVersion = VersionTLS13
+ runClientTestForVersion(t, template, "TLSv13", "-tls1_3")
 }
 func TestHandshakeClientRSARC4(t *testing.T) {
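Review bot: runClientTestTLS13 writes to the caller's template, assigning template.config and setting MaxVersion, before runClientTestForVersion takes its copy. The outcome of a test therefore depends on the order in which the per-version helpers are called on the same clientTest. The tests in this diff call runClientTestTLS12 first, which works, but swapping the calls would hand the TLS 1.2 run a config whose MaxVersion is VersionTLS13. The comment `Make a deep copy` also overstates what `test := *template` does, since the struct copy is shallow for every field except the cloned config. Copying inside runClientTestTLS13 removes the ordering dependency:

```go
func runClientTestTLS13(t *testing.T, template *clientTest) {
	// Work on a copy so the caller's template and config keep their values.
	test := *template
	if test.config == nil {
		test.config = testConfig.Clone()
	} else {
		test.config = test.config.Clone()
	}
	test.config.MaxVersion = VersionTLS13
	runClientTestForVersion(t, &test, "TLSv13", "-tls1_3")
}
```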
@@ -570,12 +583,40 @@ func TestHandshakeClientX25519(t *testing.T) {
 config.CurvePreferences = []CurveID{X25519}
 test := &clientTest{
- name: "X25519-ECDHE-RSA-AES-GCM",
- command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"},
+ name: "X25519-ECDHE",
+ command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"},
 config: config,
 }
 runClientTestTLS12(t, test)
+ runClientTestTLS13(t, test)
+}
+
+func TestHandshakeClientP256(t *testing.T) {
+ config := testConfig.Clone()
+ config.CurvePreferences = []CurveID{CurveP256}
+
+ test := &clientTest{
+ name: "P256-ECDHE",
+ command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
+ config: config,
+ }
+
+ runClientTestTLS12(t, test)
+ runClientTestTLS13(t, test)
+}
+
+func TestHandshakeClientHelloRetryRequest(t *testing.T) {
+ config := testConfig.Clone()
+ config.CurvePreferences = []CurveID{X25519, CurveP256}
+
+ test := &clientTest{
+ name: "HelloRetryRequest",
+ command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
+ config: config,
+ }
+
+ runClientTestTLS13(t, test)
 }
 func TestHandshakeClientECDHERSAChaCha20(t *testing.T) {
@@ -606,6 +647,38 @@ func TestHandshakeClientECDHEECDSAChaCha20(t *testing.T) {
 runClientTestTLS12(t, test)
 }
+func TestHandshakeClientAES128SHA256(t *testing.T) {
+ test := &clientTest{
+ name: "AES128-SHA256",
+ command: []string{"openssl", "s_server", "-ciphersuites", "TLS_AES_128_GCM_SHA256"},
+ }
+ runClientTestTLS13(t, test)
+}
+func TestHandshakeClientAES256SHA384(t *testing.T) {
+ test := &clientTest{
+ name: "AES256-SHA384",
+ command: []string{"openssl", "s_server", "-ciphersuites", "TLS_AES_256_GCM_SHA384"},
+ }
+ runClientTestTLS13(t, test)
+}
+func TestHandshakeClientCHACHA20SHA256(t *testing.T) {
+ test := &clientTest{
+ name: "CHACHA20-SHA256",
+ command: []string{"openssl", "s_server", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"},
+ }
+ runClientTestTLS13(t, test)
+}
+
+func TestHandshakeClientECDSATLS13(t *testing.T) {
+ test := &clientTest{
+ name: "ECDSA",
+ command: []string{"openssl", "s_server"},
+ cert: testECDSACertificate,
+ key: testECDSAPrivateKey,
+ }
+ runClientTestTLS13(t, test)
+}
+
 func TestHandshakeClientCertRSA(t *testing.T) {
 config := testConfig.Clone()
 cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM))
@@ -914,6 +987,7 @@ func TestHandshakeClientALPNMatch(t *testing.T) {
 },
 }
 runClientTestTLS12(t, test)
+ runClientTestTLS13(t, test)
 }
 // sctsBase64 contains data from `openssl s_client -serverinfo 18 -connect ritter.vg:443`
@@ -952,6 +1026,9 @@ func TestHandshakClientSCTs(t *testing.T) {
 },
 }
 runClientTestTLS12(t, test)
+
+ // TLS 1.3 moved SCTs to the Certificate extensions and -serverinfo only
+ // supports ServerHello extensions.
 }
 func TestRenegotiationRejected(t *testing.T) {
@@ -974,6 +1051,9 @@ func TestRenegotiationRejected(t *testing.T) {
 }
 runClientTestTLS12(t, test)
+
+ config.Renegotiation = RenegotiateFreelyAsClient
+ runClientTestTLS13(t, test)
 }
 func TestRenegotiateOnce(t *testing.T) {
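Review bot: In the TestRenegotiationRejected hunk the TLS 1.3 run first sets `config.Renegotiation = RenegotiateFreelyAsClient` with no explanation. Presumably the point is to show that renegotiation is refused under TLS 1.3 even when the Config permits it. A comment such as `// TLS 1.3 has no renegotiation, so it must be rejected even if the Config allows it.` would record that intent. The assignment also mutates config after the TLS 1.2 subtest has started, which is safe only because runClientTestForVersion clones the config before calling t.Parallel. The test body begins outside the hunk, so I am assuming test.config is this same config.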
@@ -1048,6 +1128,7 @@ func TestHandshakeClientExportKeyingMaterial(t *testing.T) {
 }
 runClientTestTLS10(t, test)
 runClientTestTLS12(t, test)
+ runClientTestTLS13(t, test)
 }
 var hostnameInSNITests = []struct {
diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go
new file mode 100644
index 00000000..5f0cb6d2
--- /dev/null
+++ b/handshake_client_tls13.go
@@ -0,0 +1,443 @@
+// Copyright 2018 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package tls
+
+import (
+ "bytes"
+ "crypto"
+ "crypto/hmac"
+ "errors"
+ "hash"
+ "sync/atomic"
+)
+
+type clientHandshakeStateTLS13 struct {
+ c *Conn
+ serverHello *serverHelloMsg
+ hello *clientHelloMsg
+ certReq *certificateRequestMsgTLS13
+ ecdheParams ecdheParameters
+ suite *cipherSuiteTLS13
+ transcript hash.Hash
+ masterSecret []byte
+ trafficSecret []byte // client_application_traffic_secret_0
+ session *ClientSessionState
+}
+
+func (hs *clientHandshakeStateTLS13) handshake() error {
+ c := hs.c
+
+ // The server must not select TLS 1.3 in a renegotiation. See RFC 8446,
+ // sections 4.1.2 and 4.1.3.
+ if c.handshakes > 0 {
+ c.sendAlert(alertProtocolVersion)
+ return errors.New("tls: server selected TLS 1.3 in a renegotiation")
+ }
+
+ // Consistency check on the presence of a keyShare and its parameters.
+ if hs.ecdheParams == nil || len(hs.hello.keyShares) != 1 {
+ return c.sendAlert(alertInternalError)
+ }
+
+ if err := hs.checkServerHelloOrHRR(); err != nil {
+ return err
+ }
+
+ hs.transcript = hs.suite.hash.New()
+ hs.transcript.Write(hs.hello.marshal())
+
+ if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) {
+ // The first ClientHello gets double-hashed into the transcript upon a
+ // HelloRetryRequest. See RFC 8446, Section 4.4.1.
+ chHash := hs.transcript.Sum(nil)
+ hs.transcript.Reset()
+ hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))})
+ hs.transcript.Write(chHash)
+ hs.transcript.Write(hs.serverHello.marshal())
+
+ if err := hs.processHelloRetryRequest(); err != nil {
+ return err
+ }
+
+ hs.transcript.Write(hs.hello.marshal())
+ }
+
+ hs.transcript.Write(hs.serverHello.marshal())
+
+ if err := hs.processServerHello(); err != nil {
+ return err
+ }
+ if err := hs.establishHandshakeKeys(); err != nil {
+ return err
+ }
+ if err := hs.readServerParameters(); err != nil {
+ return err
+ }
+ if err := hs.doFullHandshake(); err != nil {
+ return err
+ }
+ if err := hs.readServerFinished(); err != nil {
+ return err
+ }
+
+ c.buffering = true
+ if err := hs.sendClientCertificate(); err != nil {
+ return err
+ }
+ if err := hs.sendClientFinished(); err != nil {
+ return err
+ }
+ if _, err := c.flush(); err != nil {
+ return err
+ }
+
+ atomic.StoreUint32(&c.handshakeStatus, 1)
+
+ return nil
+}
+
+// checkServerHelloOrHRR does validity checks that apply to both ServerHello and
+// HelloRetryRequest messages. It sets hs.suite.
+func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
+ c := hs.c
+
+ if hs.serverHello.supportedVersion == 0 {
+ c.sendAlert(alertMissingExtension)
+ return errors.New("tls: server selected TLS 1.3 using the legacy version field")
+ }
+
+ if hs.serverHello.supportedVersion != VersionTLS13 {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: server selected an invalid version after a HelloRetryRequest")
+ }
+
+ if hs.serverHello.vers != VersionTLS12 {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: server sent an incorrect legacy version")
+ }
+
+ if hs.serverHello.nextProtoNeg ||
+ len(hs.serverHello.nextProtos) != 0 ||
+ hs.serverHello.ocspStapling ||
+ hs.serverHello.ticketSupported ||
+ hs.serverHello.secureRenegotiationSupported ||
+ len(hs.serverHello.secureRenegotiation) != 0 ||
+ len(hs.serverHello.alpnProtocol) != 0 ||
+ len(hs.serverHello.scts) != 0 {
+ c.sendAlert(alertUnsupportedExtension)
+ return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3")
+ }
+
+ if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: server did not echo the legacy session ID")
+ }
+
+ if hs.serverHello.compressionMethod != compressionNone {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: server selected unsupported compression format")
+ }
+
+ selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite)
+ if hs.suite != nil && selectedSuite != hs.suite {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: server changed cipher suite after a HelloRetryRequest")
+ }
+ if selectedSuite == nil {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: server chose an unconfigured cipher suite")
+ }
+ hs.suite = selectedSuite
+ c.cipherSuite = hs.suite.id
+
+ return nil
+}
+
+// processHelloRetryRequest handles the HRR in hs.serverHello, modifies and
+// resends hs.hello, and reads 
the new ServerHello into hs.serverHello. +func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { + c := hs.c + + if hs.serverHello.serverShare.group != 0 { + c.sendAlert(alertDecodeError) + return errors.New("tls: received malformed key_share extension") + } + + curveID := hs.serverHello.selectedGroup + if curveID == 0 { + c.sendAlert(alertMissingExtension) + return errors.New("tls: received HelloRetryRequest without selected group") + } + curveOK := false + for _, id := range hs.hello.supportedCurves { + if id == curveID { + curveOK = true + break + } + } + if !curveOK { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected unsupported group") + } + if hs.ecdheParams.CurveID() == curveID { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server sent an unnecessary HelloRetryRequest message") + } + if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { + c.sendAlert(alertInternalError) + return errors.New("tls: CurvePreferences includes unsupported curve") + } + params, err := generateECDHEParameters(c.config.rand(), curveID) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + hs.ecdheParams = params + hs.hello.keyShares = []keyShare{{group: curveID, data: params.PublicKey()}} + + hs.hello.cookie = hs.serverHello.cookie + + hs.hello.raw = nil + if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil { + return err + } + + msg, err := c.readHandshake() + if err != nil { + return err + } + + serverHello, ok := msg.(*serverHelloMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(serverHello, msg) + } + hs.serverHello = serverHello + + if err := hs.checkServerHelloOrHRR(); err != nil { + return err + } + + return nil +} + +func (hs *clientHandshakeStateTLS13) processServerHello() error { + c := hs.c + + if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { + c.sendAlert(alertUnexpectedMessage) + return 
errors.New("tls: server sent two HelloRetryRequest messages") + } + + if len(hs.serverHello.cookie) != 0 { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: server sent a cookie in a normal ServerHello") + } + + if hs.serverHello.selectedGroup != 0 { + c.sendAlert(alertDecodeError) + return errors.New("tls: malformed key_share extension") + } + + if hs.serverHello.serverShare.group != hs.ecdheParams.CurveID() { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected unsupported group") + } + + return nil +} + +func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { + c := hs.c + + sharedKey := hs.ecdheParams.SharedKey(hs.serverHello.serverShare.data) + if sharedKey == nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid server key share") + } + + earlySecret := hs.suite.extract(nil, nil) + handshakeSecret := hs.suite.extract(sharedKey, + hs.suite.deriveSecret(earlySecret, "derived", nil)) + + clientSecret := hs.suite.deriveSecret(handshakeSecret, + clientHandshakeTrafficLabel, hs.transcript) + c.out.setTrafficSecret(hs.suite, clientSecret) + serverSecret := hs.suite.deriveSecret(handshakeSecret, + serverHandshakeTrafficLabel, hs.transcript) + c.in.setTrafficSecret(hs.suite, serverSecret) + + hs.masterSecret = hs.suite.extract(nil, + hs.suite.deriveSecret(handshakeSecret, "derived", nil)) + + return nil +} + +func (hs *clientHandshakeStateTLS13) readServerParameters() error { + c := hs.c + + msg, err := c.readHandshake() + if err != nil { + return err + } + + encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(encryptedExtensions, msg) + } + hs.transcript.Write(encryptedExtensions.marshal()) + + if len(encryptedExtensions.alpnProtocol) != 0 && len(hs.hello.alpnProtocols) == 0 { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: server advertised unrequested ALPN extension") + } + 
c.clientProtocol = encryptedExtensions.alpnProtocol + + return nil +} + +func (hs *clientHandshakeStateTLS13) doFullHandshake() error { + c := hs.c + + msg, err := c.readHandshake() + if err != nil { + return err + } + + certReq, ok := msg.(*certificateRequestMsgTLS13) + if ok { + hs.transcript.Write(certReq.marshal()) + + hs.certReq = certReq + + msg, err = c.readHandshake() + if err != nil { + return err + } + } + + certMsg, ok := msg.(*certificateMsgTLS13) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } + if len(certMsg.certificate.Certificate) == 0 { + c.sendAlert(alertDecodeError) + return errors.New("tls: received empty certificates message") + } + hs.transcript.Write(certMsg.marshal()) + + c.scts = certMsg.certificate.SignedCertificateTimestamps + c.ocspResponse = certMsg.certificate.OCSPStaple + + if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil { + return err + } + + msg, err = c.readHandshake() + if err != nil { + return err + } + + certVerify, ok := msg.(*certificateVerifyMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certVerify, msg) + } + + // See RFC 8446, Section 4.4.3. 
+ if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, hs.hello.supportedSignatureAlgorithms) {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: invalid certificate signature algorithm")
+ }
+ sigType := signatureFromSignatureScheme(certVerify.signatureAlgorithm)
+ sigHash, err := hashFromSignatureScheme(certVerify.signatureAlgorithm)
+ if sigType == 0 || err != nil {
+ c.sendAlert(alertInternalError)
+ return err
+ }
+ if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 {
+ c.sendAlert(alertIllegalParameter)
+ return errors.New("tls: invalid certificate signature algorithm")
+ }
+ h := sigHash.New()
+ writeSignedMessage(h, serverSignatureContext, hs.transcript)
+ if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey,
+ sigHash, h.Sum(nil), certVerify.signature); err != nil {
+ c.sendAlert(alertDecryptError)
+ return errors.New("tls: invalid certificate signature")
+ }
+
+ hs.transcript.Write(certVerify.marshal())
+
+ return nil
+}
+
+func (hs *clientHandshakeStateTLS13) readServerFinished() error {
+ c := hs.c
+
+ msg, err := c.readHandshake()
+ if err != nil {
+ return err
+ }
+
+ finished, ok := msg.(*finishedMsg)
+ if !ok {
+ c.sendAlert(alertUnexpectedMessage)
+ return unexpectedMessageError(finished, msg)
+ }
+
+ // See RFC 8446, sections 4.4.4 and 4.4.
+ finishedKey := hs.suite.expandLabel(c.in.trafficSecret, "finished", nil, hs.suite.hash.Size())
+ expectedMAC := hmac.New(hs.suite.hash.New, finishedKey)
+ expectedMAC.Write(hs.transcript.Sum(nil))
+ if !hmac.Equal(expectedMAC.Sum(nil), finished.verifyData) {
+ c.sendAlert(alertDecryptError)
+ return errors.New("tls: invalid finished hash")
+ }
+
+ hs.transcript.Write(finished.marshal())
+
+ // Derive secrets that take context through the server Finished.
+ + hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, + clientApplicationTrafficLabel, hs.transcript) + serverSecret := hs.suite.deriveSecret(hs.masterSecret, + serverApplicationTrafficLabel, hs.transcript) + c.in.setTrafficSecret(hs.suite, serverSecret) + + c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) + + return nil +} + +func (hs *clientHandshakeStateTLS13) sendClientCertificate() error { + if hs.certReq == nil { + return nil + } + + return errors.New("tls: TLS 1.3 client authentication unimplemented") // TODO(filippo) +} + +func (hs *clientHandshakeStateTLS13) sendClientFinished() error { + c := hs.c + + finishedKey := hs.suite.expandLabel(c.out.trafficSecret, "finished", nil, hs.suite.hash.Size()) + verifyData := hmac.New(hs.suite.hash.New, finishedKey) + verifyData.Write(hs.transcript.Sum(nil)) + finished := &finishedMsg{ + verifyData: verifyData.Sum(nil), + } + + hs.transcript.Write(finished.marshal()) + if _, err := c.writeRecord(recordTypeHandshake, finished.marshal()); err != nil { + return err + } + + c.out.setTrafficSecret(hs.suite, hs.trafficSecret) + + return nil +} diff --git a/handshake_messages.go b/handshake_messages.go index 82b91cc8..c622e087 100644 --- a/handshake_messages.go +++ b/handshake_messages.go @@ -466,7 +466,8 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { } case extensionCookie: // RFC 8446, Section 4.2.2 - if !readUint16LengthPrefixed(&extData, &m.cookie) { + if !readUint16LengthPrefixed(&extData, &m.cookie) || + len(m.cookie) == 0 { return false } case extensionKeyShare: @@ -757,7 +758,8 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool { return false } case extensionCookie: - if !readUint16LengthPrefixed(&extData, &m.cookie) { + if !readUint16LengthPrefixed(&extData, &m.cookie) || + len(m.cookie) == 0 { return false } case extensionKeyShare: diff --git a/handshake_server_test.go b/handshake_server_test.go index 5aa2c9a9..f7785ecd 100644 --- a/handshake_server_test.go 
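Review bot: In doFullHandshake, the `if sigType == 0 || err != nil` branch sends alertInternalError and then does `return err`, which is nil whenever sigType is 0 but hashFromSignatureScheme succeeded. In that case the function reports success without reaching verifyHandshakeSignature or hashing CertificateVerify into the transcript. Whether a scheme can pass isSupportedSignatureAlgorithm and still map to signature type 0 depends on helpers outside this hunk, but the server-authentication step should not have a path that fails open. Returning the alert error closes it: `return c.sendAlert(alertInternalError)`, the form handshake() already uses for its consistency check.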
+++ b/handshake_server_test.go @@ -506,6 +506,9 @@ type serverTest struct { // ConnectionState of the resulting connection. It returns false if the // ConnectionState is unacceptable. validate func(ConnectionState) error + // wait, if true, prevents this subtest from calling t.Parallel. + // If false, runServerTest* returns immediately. + wait bool } var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"} 
@@ -686,32 +689,42 @@ func (test *serverTest) run(t *testing.T, write bool) { } } -func runServerTestForVersion(t *testing.T, template *serverTest, prefix, option string) { - setParallel(t) - test := *template - test.name = prefix + test.name - if len(test.command) == 0 { - test.command = defaultClientCommand - } - test.command = append([]string(nil), test.command...) - test.command = append(test.command, option) - test.run(t, *update) +func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) { + t.Run(version, func(t *testing.T) { + // Make a deep copy of the template before going parallel. + test := *template + if template.config != nil { + test.config = template.config.Clone() + } + + if !*update && !template.wait { + t.Parallel() + } + + test.name = version + "-" + test.name + if len(test.command) == 0 { + test.command = defaultClientCommand + } + test.command = append([]string(nil), test.command...) + test.command = append(test.command, option) + test.run(t, *update) + }) } func runServerTestSSLv3(t *testing.T, template *serverTest) { - runServerTestForVersion(t, template, "SSLv3-", "-ssl3") + runServerTestForVersion(t, template, "SSLv3", "-ssl3") } func runServerTestTLS10(t *testing.T, template *serverTest) { - runServerTestForVersion(t, template, "TLSv10-", "-tls1") + runServerTestForVersion(t, template, "TLSv10", "-tls1") } func runServerTestTLS11(t *testing.T, template *serverTest) { - runServerTestForVersion(t, template, "TLSv11-", "-tls1_1") + runServerTestForVersion(t, template, "TLSv11", "-tls1_1") } func runServerTestTLS12(t *testing.T, template *serverTest) { - runServerTestForVersion(t, template, "TLSv12-", "-tls1_2") + runServerTestForVersion(t, template, "TLSv12", "-tls1_2") } func TestHandshakeServerRSARC4(t *testing.T) { 
@@ -971,6 +984,7 @@ func TestResumption(t *testing.T) { test := &serverTest{ name: "IssueTicket", command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath}, + wait: true, } runServerTestTLS12(t, test) @@ -991,6 +1005,7 @@ func TestResumptionDisabled(t *testing.T) { name: "IssueTicketPreDisable", command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-sess_out", sessionFilePath}, config: config, + wait: true, } runServerTestTLS12(t, test) @@ -1196,7 +1211,6 @@ FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd -----END EC PRIVATE KEY-----` func TestClientAuth(t *testing.T) { - setParallel(t) var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath string if *update { @@ -1208,6 +1222,8 @@ func TestClientAuth(t *testing.T) { defer os.Remove(ecdsaCertPath) ecdsaKeyPath = tempFile(clientECDSAKeyPEM) defer os.Remove(ecdsaKeyPath) + } else { + t.Parallel() } config := testConfig.Clone() diff --git a/key_agreement.go b/key_agreement.go index 1baa901e..628e578e 100644 --- a/key_agreement.go +++ b/key_agreement.go @@ -6,15 +6,12 @@ package tls import ( "crypto" - "crypto/elliptic" "crypto/md5" "crypto/rsa" "crypto/sha1" "crypto/x509" "errors" - "golang_org/x/crypto/curve25519" "io" - "math/big" ) var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message") 
@@ -124,86 +121,54 @@ func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint1 return md5SHA1Hash(slices), nil } -func curveForCurveID(id CurveID) (elliptic.Curve, bool) { - switch id { - case CurveP256: - return elliptic.P256(), true - case CurveP384: - return elliptic.P384(), true - case CurveP521: - return elliptic.P521(), true - default: - return nil, false - } - -} - // ecdheKeyAgreement implements a TLS key agreement where the server // generates an ephemeral EC public/private key pair and signs it. The // pre-master secret is then calculated using ECDH. The signature may // either be ECDSA or RSA. type ecdheKeyAgreement struct { - version uint16 - isRSA bool - privateKey []byte - curveid CurveID - - // publicKey is used to store the peer's public value when X25519 is - // being used. - publicKey []byte - // x and y are used to store the peer's public value when one of the - // NIST curves is being used. - x, y *big.Int + version uint16 + isRSA bool + params ecdheParameters + + // ckx and preMasterSecret are generated in processServerKeyExchange + // and returned in generateClientKeyExchange. 
+ ckx *clientKeyExchangeMsg + preMasterSecret []byte } func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) { preferredCurves := config.curvePreferences() + var curveID CurveID NextCandidate: for _, candidate := range preferredCurves { for _, c := range clientHello.supportedCurves { if candidate == c { - ka.curveid = c + curveID = c break NextCandidate } } } - if ka.curveid == 0 { + if curveID == 0 { return nil, errors.New("tls: no supported elliptic curves offered") } + if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { + return nil, errors.New("tls: CurvePreferences includes unsupported curve") + } - var ecdhePublic []byte - - if ka.curveid == X25519 { - var scalar, public [32]byte - if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil { - return nil, err - } - - curve25519.ScalarBaseMult(&public, &scalar) - ka.privateKey = scalar[:] - ecdhePublic = public[:] - } else { - curve, ok := curveForCurveID(ka.curveid) - if !ok { - return nil, errors.New("tls: preferredCurves includes unsupported curve") - } - - var x, y *big.Int - var err error - ka.privateKey, x, y, err = elliptic.GenerateKey(curve, config.rand()) - if err != nil { - return nil, err - } - ecdhePublic = elliptic.Marshal(curve, x, y) + params, err := generateECDHEParameters(config.rand(), curveID) + if err != nil { + return nil, err } + ka.params = params // See RFC 4492, Section 5.4. + ecdhePublic := params.PublicKey() serverECDHParams := make([]byte, 1+2+1+len(ecdhePublic)) serverECDHParams[0] = 3 // named curve - serverECDHParams[1] = byte(ka.curveid >> 8) - serverECDHParams[2] = byte(ka.curveid) + serverECDHParams[1] = byte(curveID >> 8) + serverECDHParams[2] = byte(curveID) serverECDHParams[3] = byte(len(ecdhePublic)) copy(serverECDHParams[4:], ecdhePublic) 
@@ -259,30 +224,10 @@ func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Cert return nil, errClientKeyExchange } - if ka.curveid == X25519 { - if len(ckx.ciphertext) != 1+32 { - return nil, errClientKeyExchange - } - - var theirPublic, sharedKey, scalar [32]byte - copy(theirPublic[:], ckx.ciphertext[1:]) - copy(scalar[:], ka.privateKey) - curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic) - return sharedKey[:], nil - } - - curve, ok := curveForCurveID(ka.curveid) - if !ok { - panic("internal error") - } - x, y := elliptic.Unmarshal(curve, ckx.ciphertext[1:]) // Unmarshal also checks whether the given point is on the curve - if x == nil { + preMasterSecret := ka.params.SharedKey(ckx.ciphertext[1:]) + if preMasterSecret == nil { return nil, errClientKeyExchange } - x, _ = curve.ScalarMult(x, y, ka.privateKey) - preMasterSecret := make([]byte, (curve.Params().BitSize+7)>>3) - xBytes := x.Bytes() - copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes) return preMasterSecret, nil } @@ -294,7 +239,7 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell if skx.key[0] != 3 { // named curve return errors.New("tls: server selected unsupported curve") } - ka.curveid = CurveID(skx.key[1])<<8 | CurveID(skx.key[2]) + curveID := CurveID(skx.key[1])<<8 | CurveID(skx.key[2]) publicLen := int(skx.key[3]) if publicLen+4 > len(skx.key) { 
@@ -308,21 +253,26 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell return errServerKeyExchange } - if ka.curveid == X25519 { - if len(publicKey) != 32 { - return errors.New("tls: bad X25519 public value") - } - ka.publicKey = publicKey - } else { - curve, ok := curveForCurveID(ka.curveid) - if !ok { - return errors.New("tls: server selected unsupported curve") - } - ka.x, ka.y = elliptic.Unmarshal(curve, publicKey) // Unmarshal also checks whether the given point is on the curve - if ka.x == nil { - return errServerKeyExchange - } + if _, ok := curveForCurveID(curveID); curveID != X25519 && !ok { + return errors.New("tls: server selected unsupported curve") + } + + params, err := generateECDHEParameters(config.rand(), curveID) + if err != nil { + return err } + ka.params = params + + ka.preMasterSecret = params.SharedKey(publicKey) + if ka.preMasterSecret == nil { + return errServerKeyExchange + } + + ourPublicKey := params.PublicKey() + ka.ckx = new(clientKeyExchangeMsg) + ka.ckx.ciphertext = make([]byte, 1+len(ourPublicKey)) + ka.ckx.ciphertext[0] = byte(len(ourPublicKey)) + copy(ka.ckx.ciphertext[1:], ourPublicKey) var signatureAlgorithm SignatureScheme if ka.version >= VersionTLS12 { 
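Review bot: The added block in processServerKeyExchange generates the client's ephemeral key, runs `params.SharedKey(publicKey)` and stores `ka.preMasterSecret` and `ka.ckx` before the ServerKeyExchange signature is checked. Verification only begins at the `var signatureAlgorithm SignatureScheme` context line and continues outside the hunk. If verification fails the function presumably returns an error, but the key-agreement state is by then already populated from an unauthenticated server share, and generateClientKeyExchange only tests `ka.ckx == nil`. Keeping the results in locals and assigning `ka.preMasterSecret` and `ka.ckx` after the signature check succeeds would make the state safe however callers handle the error. At minimum, record the dependency with a comment such as `// Computed before the signature below is verified; callers must abort on error.`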
@@ -355,45 +305,9 @@ func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHell } func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { - if ka.curveid == 0 { + if ka.ckx == nil { return nil, nil, errors.New("tls: missing ServerKeyExchange message") } - var serialized, preMasterSecret []byte - - if ka.curveid == X25519 { - var ourPublic, theirPublic, sharedKey, scalar [32]byte - - if _, err := io.ReadFull(config.rand(), scalar[:]); err != nil { - return nil, nil, err - } - - copy(theirPublic[:], ka.publicKey) - curve25519.ScalarBaseMult(&ourPublic, &scalar) - curve25519.ScalarMult(&sharedKey, &scalar, &theirPublic) - serialized = ourPublic[:] - preMasterSecret = sharedKey[:] - } else { - curve, ok := curveForCurveID(ka.curveid) - if !ok { - panic("internal error") - } - priv, mx, my, err := elliptic.GenerateKey(curve, config.rand()) - if err != nil { - return nil, nil, err - } - x, _ := curve.ScalarMult(ka.x, ka.y, priv) - preMasterSecret = make([]byte, (curve.Params().BitSize+7)>>3) - xBytes := x.Bytes() - copy(preMasterSecret[len(preMasterSecret)-len(xBytes):], xBytes) - - serialized = elliptic.Marshal(curve, mx, my) - } - - ckx := new(clientKeyExchangeMsg) - ckx.ciphertext = make([]byte, 1+len(serialized)) - ckx.ciphertext[0] = byte(len(serialized)) - copy(ckx.ciphertext[1:], serialized) - - return preMasterSecret, ckx, nil + return ka.preMasterSecret, ka.ckx, nil } diff --git a/key_schedule.go b/key_schedule.go index 21b50f17..0a88c96a 100644 --- a/key_schedule.go +++ b/key_schedule.go @@ -5,9 +5,14 @@ package tls import ( + "crypto/elliptic" + "errors" "golang_org/x/crypto/cryptobyte" + "golang_org/x/crypto/curve25519" "golang_org/x/crypto/hkdf" "hash" + "io" + "math/big" ) // This file contains the functions necessary to compute the TLS 1.3 key 
@@ -83,3 +88,102 @@ func (c *cipherSuiteTLS13) exportKeyingMaterial(masterSecret []byte, transcript return c.expandLabel(secret, "exporter", h.Sum(nil), length), nil } } + +// ecdheParameters implements Diffie-Hellman with either NIST curves or X25519, +// according to RFC 8446, Section 4.2.8.2. +type ecdheParameters interface { + CurveID() CurveID + PublicKey() []byte + SharedKey(peerPublicKey []byte) []byte +} + +func generateECDHEParameters(rand io.Reader, curveID CurveID) (ecdheParameters, error) { + if curveID == X25519 { + p := &x25519Parameters{} + if _, err := io.ReadFull(rand, p.privateKey[:]); err != nil { + return nil, err + } + curve25519.ScalarBaseMult(&p.publicKey, &p.privateKey) + return p, nil + } + + curve, ok := curveForCurveID(curveID) + if !ok { + return nil, errors.New("tls: internal error: unsupported curve") + } + + p := &nistParameters{curveID: curveID} + var err error + p.privateKey, p.x, p.y, err = elliptic.GenerateKey(curve, rand) + if err != nil { + return nil, err + } + return p, nil +} + +func curveForCurveID(id CurveID) (elliptic.Curve, bool) { + switch id { + case CurveP256: + return elliptic.P256(), true + case CurveP384: + return elliptic.P384(), true + case CurveP521: + return elliptic.P521(), true + default: + return nil, false + } +} + +type nistParameters struct { + privateKey []byte + x, y *big.Int // public key + curveID CurveID +} + +func (p *nistParameters) CurveID() CurveID { + return p.curveID +} + +func (p *nistParameters) PublicKey() []byte { + curve, _ := curveForCurveID(p.curveID) + return elliptic.Marshal(curve, p.x, p.y) +} + +func (p *nistParameters) SharedKey(peerPublicKey []byte) []byte { + curve, _ := curveForCurveID(p.curveID) + // Unmarshal also checks whether the given point is on the curve. 
+ x, y := elliptic.Unmarshal(curve, peerPublicKey) + if x == nil { + return nil + } + + xShared, _ := curve.ScalarMult(x, y, p.privateKey) + sharedKey := make([]byte, (curve.Params().BitSize+7)>>3) + xBytes := xShared.Bytes() + copy(sharedKey[len(sharedKey)-len(xBytes):], xBytes) + + return sharedKey +} + +type x25519Parameters struct { + privateKey [32]byte + publicKey [32]byte +} + +func (p *x25519Parameters) CurveID() CurveID { + return X25519 +} + +func (p *x25519Parameters) PublicKey() []byte { + return p.publicKey[:] +} + +func (p *x25519Parameters) SharedKey(peerPublicKey []byte) []byte { + if len(peerPublicKey) != 32 { + return nil + } + var theirPublicKey, sharedKey [32]byte + copy(theirPublicKey[:], peerPublicKey) + curve25519.ScalarMult(&sharedKey, &p.privateKey, &theirPublicKey) + return sharedKey[:] +} diff --git a/prf.go b/prf.go index a31a50d1..5379397c 100644 --- a/prf.go +++ b/prf.go @@ -108,7 +108,6 @@ func prf30(result, secret, label, seed []byte) { } const ( - tlsRandomLength = 32 // Length of a random nonce in TLS 1.1. masterSecretLength = 48 // Length of a master secret in TLS 1.1. finishedVerifyLength = 12 // Length of verify_data in a Finished message. ) @@ -176,9 +175,9 @@ func keysFromMasterSecret(version uint16, suite *cipherSuite, masterSecret, clie return } -// lookupTLSHash looks up the corresponding crypto.Hash for a given +// hashFromSignatureScheme returns the corresponding crypto.Hash for a given // hash from a TLS SignatureScheme. -func lookupTLSHash(signatureAlgorithm SignatureScheme) (crypto.Hash, error) { +func hashFromSignatureScheme(signatureAlgorithm SignatureScheme) (crypto.Hash, error) { switch signatureAlgorithm { case PKCS1WithSHA1, ECDSAWithSHA1: return crypto.SHA1, nil diff --git a/testdata/Client-TLSv12-P256-ECDHE b/testdata/Client-TLSv12-P256-ECDHE new file mode 100644 index 00000000..5af84457 --- /dev/null +++ b/testdata/Client-TLSv12-P256-ECDHE 
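Review bot: x25519Parameters.SharedKey returns the output of `curve25519.ScalarMult` unchecked, but RFC 8446, Section 7.4.2 requires aborting when the computed X25519 shared secret is the all-zero value. The callers added in this commit already treat a nil return as an invalid key share, so the check fits in this method, placed before the final return: `if subtle.ConstantTimeCompare(sharedKey[:], make([]byte, 32)) == 1 { return nil }`, with `crypto/subtle` added to the imports of key_schedule.go. nistParameters.SharedKey has the corresponding validation through `elliptic.Unmarshal`, which its comment notes rejects points not on the curve.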
@@ -0,0 +1,93 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 c0 01 00 00 bc 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 2c cc a8 |.............,..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 01 00 00 47 00 05 |.............G..| +00000080 00 05 01 00 00 00 00 00 0a 00 04 00 02 00 17 00 |................| +00000090 0b 00 02 01 00 00 0d 00 18 00 16 08 04 08 05 08 |................| +000000a0 06 04 01 04 03 05 01 05 03 06 01 06 03 02 01 02 |................| +000000b0 03 ff 01 00 01 00 00 12 00 00 00 2b 00 07 06 03 |...........+....| +000000c0 03 03 02 03 01 |.....| +>>> Flow 2 (server to client) +00000000 16 03 03 00 59 02 00 00 55 03 03 81 3f 3a 95 29 |....Y...U...?:.)| +00000010 07 06 82 6e 6d e2 be 73 49 df 41 e6 ae 14 52 ff |...nm..sI.A...R.| +00000020 10 83 3a 9a 1b 70 34 49 3b 34 5e 20 1d 28 3f e2 |..:..p4I;4^ .(?.| +00000030 3b 60 d5 b0 12 d6 a2 50 8f db 85 64 b1 4b 04 c6 |;`.....P...d.K..| +00000040 ac d2 de 9d 66 97 13 bb 6d 67 0a 59 c0 2f 00 00 |....f...mg.Y./..| +00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................| +00000060 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..| +00000070 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............| +00000080 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d 01 |?.[..0...*.H....| +00000090 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a 13 |....0.1.0...U...| +000000a0 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 6f |.Go1.0...U....Go| +000000b0 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 30 | Root0...1601010| +000000c0 30 30 30 30 30 5a 17 0d 32 35 
30 31 30 31 30 30 |00000Z..25010100| +000000d0 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 0a |0000Z0.1.0...U..| +000000e0 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 47 |..Go1.0...U....G| +000000f0 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |o0..0...*.H.....| +00000100 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db 46 |.......0.......F| +00000110 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 |}...'.H..(!.~...| +00000120 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b c2 |]..RE.z6G....B[.| +00000130 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 |....y.@.Om..+...| +00000140 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b |..g....."8.J.ts+| +00000150 c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c |.4......t{.X.la<| +00000160 c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d |..A..++$#w[.;.u]| +00000170 ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b |. T..c...$....P.| +00000180 aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 |...C...ub...R...| +00000190 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d 0f |......0..0...U..| +000001a0 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d 25 |.........0...U.%| +000001b0 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 |..0...+.........| +000001c0 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 01 |+.......0...U...| +000001d0 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 04 |....0.0...U.....| +000001e0 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f |.....CC>I..m....| +000001f0 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 13 |`0...U.#..0...H.| +00000200 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 |IM.~.1......n{0.| +00000210 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d 70 |..U....0...examp| +00000220 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 |le.golang0...*.H| +00000230 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc 40 |.............0.@| +00000240 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 58 |+[P.a...SX...(.X| +00000250 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d |..8....1Z..f=C.-| +00000260 d9 0b f2 97 df d3 20 64 38 
92 24 3a 00 bc cf 9c |...... d8.$:....| +00000270 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 c3 |}.@ ._...a..v...| +00000280 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 |...\.....l..s..C| +00000290 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.| +000002a0 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..| +000002b0 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 |.=.`.\!.;.......| +000002c0 cd 0c 00 00 c9 03 00 17 41 04 05 27 21 d2 da a3 |........A..'!...| +000002d0 dd 65 60 cc 17 38 50 27 84 0d 14 09 df 14 17 81 |.e`..8P'........| +000002e0 5a 1f 3f 35 79 12 57 03 cb aa bb ea 65 cf 31 62 |Z.?5y.W.....e.1b| +000002f0 9e ee 6f 17 f0 74 24 5d 2a 38 4a d0 39 ce 9a 47 |..o..t$]*8J.9..G| +00000300 3d 79 91 88 7d 21 31 c9 ca 60 08 04 00 80 67 b9 |=y..}!1..`....g.| +00000310 0c e6 6b e4 46 f3 2f 3a a2 e8 ac 75 49 8b da 41 |..k.F./:...uI..A| +00000320 8c 8a 5c c3 a8 87 c1 e3 18 b3 60 a6 44 61 b0 de |..\.......`.Da..| +00000330 90 33 9f c9 e9 30 d9 e5 b6 2a 5f 17 b9 93 03 e2 |.3...0...*_.....| +00000340 59 81 2e 66 25 d4 d9 4e 46 b9 27 35 0b 0c 16 b4 |Y..f%..NF.'5....| +00000350 c2 d7 1d 4d 2c 4c c3 aa 19 f6 bc 28 d6 dc df da |...M,L.....(....| +00000360 ab 40 45 1c ad 3e de 62 c2 cf 68 d3 4f 04 5b ee |.@E..>.b..h.O.[.| +00000370 a1 55 a8 56 9c 13 c0 d8 49 66 72 ba be 41 96 2f |.U.V....Ifr..A./| +00000380 d4 1a 84 99 a5 fe 1a 55 8e 0b 9e 32 44 48 16 03 |.......U...2DH..| +00000390 03 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 03 00 46 10 00 00 42 41 04 1e 18 37 ef 0d |....F...BA...7..| +00000010 19 51 88 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 fd |.Q.5uq..T[....g.| +00000020 a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e |.$ >.V...(^.+-O.| +00000030 f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 |...lK[.V.2B.X..I| +00000040 a6 b5 68 1a 41 03 56 6b dc 5a 89 14 03 03 00 01 |..h.A.Vk.Z......| +00000050 01 16 03 03 00 28 00 00 00 00 00 00 00 00 50 f3 |.....(........P.| +00000060 bf 97 9d c6 91 b6 26 91 b2 b2 
04 18 62 48 7d e8 |......&.....bH}.| +00000070 f7 79 e6 ff a9 71 66 0e ed 7c f8 f8 24 a4 |.y...qf..|..$.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 02 94 9b f6 79 |..........(....y| +00000010 47 11 f7 0a 0d 94 cb 0c de d4 04 83 93 0f 41 a4 |G.............A.| +00000020 8e 40 99 da 17 db 97 cc 07 de d9 7b 36 b6 88 da |.@.........{6...| +00000030 d7 9d 05 |...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 f6 fa 55 |...............U| +00000010 88 a8 ea bc c6 d7 de 17 f9 1a 0b 66 68 48 51 ab |...........fhHQ.| +00000020 ad 54 ff 15 03 03 00 1a 00 00 00 00 00 00 00 02 |.T..............| +00000030 bc 1b da 21 83 5f 34 55 ed 33 18 18 96 e5 f6 b9 |...!._4U.3......| +00000040 2e d9 |..| diff --git a/testdata/Client-TLSv12-X25519-ECDHE-RSA-AES-GCM b/testdata/Client-TLSv12-X25519-ECDHE similarity index 100% rename from testdata/Client-TLSv12-X25519-ECDHE-RSA-AES-GCM rename to testdata/Client-TLSv12-X25519-ECDHE diff --git a/testdata/Client-TLSv13-AES128-SHA256 b/testdata/Client-TLSv13-AES128-SHA256 new file mode 100644 index 00000000..c471e887 --- /dev/null +++ b/testdata/Client-TLSv13-AES128-SHA256 
@@ -0,0 +1,89 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 18 00 16 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 ff 01 00 |................| +000000c0 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 f0 8a 7b f4 40 |....z...v....{.@| +00000010 4d 58 1d e4 6a 58 d2 e9 dc 28 6b aa bc 2f 60 37 |MX..jX...(k../`7| +00000020 1c a3 3c ce 7d f2 97 8d ff 14 55 20 00 00 00 00 |..<.}.....U ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 a4 |..+.....3.$... 
.| +00000060 23 1b 72 8e 09 ba fa 75 6c f5 cc c2 2a aa 3d 0f |#.r....ul...*.=.| +00000070 2e c1 f4 70 40 28 9b df 1e 92 2e cb a2 d5 41 14 |...p@(........A.| +00000080 03 03 00 01 01 17 03 03 00 17 1f f5 f9 57 54 6a |.............WTj| +00000090 02 3f 12 97 48 cb e1 df 85 00 58 8d ab 1d 95 55 |.?..H.....X....U| +000000a0 3f 17 03 03 02 6d 22 f9 23 08 b9 f2 5d 4a f5 9b |?....m".#...]J..| +000000b0 41 b5 16 33 dc e9 45 34 a8 15 19 0b b0 1e a4 57 |A..3..E4.......W| +000000c0 46 52 d9 53 ec 3c 7c 5c 6c e0 f4 2e 90 55 cc 74 |FR.S.<|\l....U.t| +000000d0 65 92 a3 1e f0 75 f0 13 c5 65 42 fb 0a 9d f3 bb |e....u...eB.....| +000000e0 d5 61 b7 70 74 4d d1 e4 28 f3 8d 0b f5 de 04 fa |.a.ptM..(.......| +000000f0 46 28 11 b9 d3 50 82 00 97 32 ac ff 19 ce 27 6b |F(...P...2....'k| +00000100 e9 a9 ae ec c2 49 5a 61 bf a0 c0 57 71 c1 00 76 |.....IZa...Wq..v| +00000110 e4 81 40 c0 96 81 0a 38 d4 6c b7 7f e3 52 7c 3d |..@....8.l...R|=| +00000120 bb e1 c8 e0 ef c4 f5 85 8e bc fc d5 5a 00 50 ea |............Z.P.| +00000130 54 a1 1b da 8c 31 0f 9f bc 13 a2 d1 89 93 8a 08 |T....1..........| +00000140 47 c5 5e 78 be 09 b5 34 e3 33 d3 38 16 9e 71 ca |G.^x...4.3.8..q.| +00000150 25 5b 7c 35 08 e6 2c 07 c3 0b 37 60 4a 7b 32 49 |%[|5..,...7`J{2I| +00000160 9b c4 24 28 6d 76 3e 04 8e 14 22 e9 f9 0d 58 25 |..$(mv>..."...X%| +00000170 ad 0a 31 8b 1f 0c 2e 50 65 3f 77 fc f9 ab a7 60 |..1....Pe?w....`| +00000180 6a 52 b0 a9 e5 47 f6 91 b6 72 7a 52 b7 fb c5 93 |jR...G...rzR....| +00000190 0a 4f 3e 0c 0c 12 5e 30 94 10 5f ee af 4a 40 d0 |.O>...^0.._..J@.| +000001a0 ba 2c 5b 88 18 86 f1 96 8b cd 28 41 44 59 5e 69 |.,[.......(ADY^i| +000001b0 be 24 bb 97 99 7e 70 9f 9b d7 bb 54 0b 32 73 bf |.$...~p....T.2s.| +000001c0 af 71 82 6b b5 21 b6 a0 85 f2 73 56 98 83 60 c0 |.q.k.!....sV..`.| +000001d0 70 34 c6 1b 7b 40 ee 5d 8e 79 7d bc ac 6b 3c c9 |p4..{@.].y}..k<.| +000001e0 9c 47 13 d9 08 a9 05 d6 43 38 19 a0 d6 37 e0 48 |.G......C8...7.H| +000001f0 dd f5 b5 2b e2 d8 25 07 35 5b 20 2f 0e 01 4a 93 |...+..%.5[ 
/..J.| +00000200 63 5c 07 b6 3b 7f 62 9a 85 f8 57 0a 69 db 2c 9b |c\..;.b...W.i.,.| +00000210 11 60 6d f3 2b 31 cc 4e 7d 93 bb 13 39 fd 85 da |.`m.+1.N}...9...| +00000220 cb 52 84 7e 36 89 28 ef 8f b5 04 c2 37 c3 33 04 |.R.~6.(.....7.3.| +00000230 ba cb 1b 45 23 2f 2a 49 5d 95 6e 95 d4 32 07 ba |...E#/*I].n..2..| +00000240 0e 2f 57 0b b2 a5 d9 6b 3e a5 ab f2 97 89 b9 23 |./W....k>......#| +00000250 5a 3f 11 8d 45 68 3e bc 8a 59 14 36 bc cc 33 b3 |Z?..Eh>..Y.6..3.| +00000260 50 e3 15 b3 ec 03 ba 52 2f dc 70 5b c0 2a 45 28 |P......R/.p[.*E(| +00000270 49 2f d0 c7 a1 5c e4 24 35 b0 78 04 fe 87 54 69 |I/...\.$5.x...Ti| +00000280 c5 6e 56 a7 f5 7f d1 cb 23 af 4a 52 5f 7c 0e 1d |.nV.....#.JR_|..| +00000290 5a 83 6a 69 f5 bc 99 74 30 ee 3c 05 2b 12 52 09 |Z.ji...t0.<.+.R.| +000002a0 b0 a2 36 86 14 70 44 dd ec 37 44 4b 8f bf e0 76 |..6..pD..7DK...v| +000002b0 99 c5 84 90 37 59 a3 e3 f7 57 fa ac bb 6b 04 6a |....7Y...W...k.j| +000002c0 1e 0f 9f 1d 63 b7 3a 47 48 dc 3b bc ff 4d 47 94 |....c.:GH.;..MG.| +000002d0 43 38 cb d5 c5 74 bc 6d 0a f3 ea fa 23 ac e5 0b |C8...t.m....#...| +000002e0 fa b9 61 b1 d9 20 5c c6 c8 32 2e fa 11 f0 99 90 |..a.. \..2......| +000002f0 d4 96 42 3a b6 09 f3 11 c9 e1 d8 2d ae 80 6a b0 |..B:.......-..j.| +00000300 21 7a b6 2d d7 37 93 bf 53 ad 82 eb fc f1 8f 21 |!z.-.7..S......!| +00000310 f0 bc fd 17 03 03 00 99 47 59 11 95 5b 84 48 92 |........GY..[.H.| +00000320 22 b1 4b b0 70 57 5c b4 67 41 53 ed a7 5b 38 eb |".K.pW\.gAS..[8.| +00000330 bf 10 65 4a f9 21 c4 63 72 a1 d9 06 f2 21 55 df |..eJ.!.cr....!U.| +00000340 ff 7e ee ea a3 37 00 f1 14 41 2f 71 b1 8e f1 c0 |.~...7...A/q....| +00000350 5d 5b 72 4b a5 99 1d 80 c1 e6 94 5d 78 17 46 81 |][rK.......]x.F.| +00000360 50 1c 6d dc a7 79 60 67 60 ae af fe 6f 84 67 81 |P.m..y`g`...o.g.| +00000370 bd b5 20 8e 3f 33 28 e4 6a 94 82 37 9d ea 26 71 |.. 
.?3(.j..7..&q| +00000380 65 9d 7d a3 c7 32 be ec 3c d0 c6 b5 a6 55 e6 d7 |e.}..2..<....U..| +00000390 72 49 14 3b 08 41 cb d8 cc d4 52 b5 c8 35 71 79 |rI.;.A....R..5qy| +000003a0 7d 90 d2 21 0c 61 cb f6 1c 73 0a b0 7d ff 7b 3e |}..!.a...s..}.{>| +000003b0 44 17 03 03 00 35 c1 39 ac b9 1b 43 33 1e 43 35 |D....5.9...C3.C5| +000003c0 50 d0 2f b9 f9 cf f9 c3 dd 1c 4c 1e 52 46 bd dc |P./.......L.RF..| +000003d0 48 93 4f e3 f3 46 27 81 0b 80 34 b4 5b a5 06 c9 |H.O..F'...4.[...| +000003e0 3c 3a 12 e3 33 45 9d d5 0c 1e 98 |<:..3E.....| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 da 94 f3 ee 16 d5 21 2c be 50 e4 |....5......!,.P.| +00000010 08 a2 44 90 27 9a 22 44 9f 04 c8 1f 6c 97 57 54 |..D.'."D....l.WT| +00000020 da 4b 84 f2 f5 7e be 86 2a 19 f3 ed b6 05 e8 30 |.K...~..*......0| +00000030 a2 ca ee a0 71 bb 75 8d ed fe 17 03 03 00 17 db |....q.u.........| +00000040 f3 61 60 d9 d2 80 c8 87 17 66 37 b6 e3 a3 27 37 |.a`......f7...'7| +00000050 c1 91 69 35 60 f6 17 03 03 00 13 e9 c3 a2 1e a4 |..i5`...........| +00000060 84 65 d3 bb 97 7a 14 1d 4e ae 8b 3f 42 ac |.e...z..N..?B.| diff --git a/testdata/Client-TLSv13-AES256-SHA384 b/testdata/Client-TLSv13-AES256-SHA384 new file mode 100644 index 00000000..be6eea0f --- /dev/null +++ b/testdata/Client-TLSv13-AES256-SHA384 
@@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 18 00 16 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 ff 01 00 |................| +000000c0 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 14 19 73 05 2c |....z...v....s.,| +00000010 b8 2b 70 cd 16 84 60 f5 61 03 95 f1 ac 51 2b eb |.+p...`.a....Q+.| +00000020 d5 6a e9 65 c9 35 ed 88 c2 aa bd 20 00 00 00 00 |.j.e.5..... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 02 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 0a |..+.....3.$... 
.| +00000060 ab 07 ce b5 0b 2d 94 fa 8b 55 ff 09 7a 69 35 a5 |.....-...U..zi5.| +00000070 01 d8 5c c5 84 92 ef e5 f5 45 09 48 78 48 28 14 |..\......E.HxH(.| +00000080 03 03 00 01 01 17 03 03 00 17 77 e1 72 79 f2 fc |..........w.ry..| +00000090 a1 c2 e5 04 92 0a 63 0b d3 a3 b8 15 6c e7 2a c2 |......c.....l.*.| +000000a0 3d 17 03 03 02 6d 6d a1 64 08 b2 95 9f 65 d8 bc |=....mm.d....e..| +000000b0 fc 1c 6e 4d 75 20 e6 08 ea 58 cc db b2 6f d5 58 |..nMu ...X...o.X| +000000c0 97 e8 8f 62 b0 a2 c0 84 20 4b 2d 43 a2 eb a1 98 |...b.... K-C....| +000000d0 93 c0 04 12 b4 9e 17 9b 45 f2 59 f0 9d ed 27 53 |........E.Y...'S| +000000e0 14 a5 c3 e0 46 5b 22 e4 76 b6 71 7e f6 cb 35 6a |....F[".v.q~..5j| +000000f0 ab 34 f9 da 93 b2 21 41 6b 72 73 5e 0c 5f 4e 70 |.4....!Akrs^._Np| +00000100 ff fe d3 50 48 de c8 e1 16 f7 c4 f3 24 ef 7f 0a |...PH.......$...| +00000110 0d bc 24 86 13 93 6e e3 8c d5 a2 a9 97 ee cd 40 |..$...n........@| +00000120 d6 6b 5a ef 88 62 b0 a0 f3 aa ac f1 7f 7c 0a ad |.kZ..b.......|..| +00000130 b7 98 57 aa 7d 89 bb 1e 88 3b 66 9c 34 98 1a 8e |..W.}....;f.4...| +00000140 5a a1 2a 3e 10 be 1b bd 86 43 b4 3f cc a4 0b d1 |Z.*>.....C.?....| +00000150 0c 36 a3 a5 f2 e3 40 a6 c3 5c ed aa 43 57 3e 22 |.6....@..\..CW>"| +00000160 4f eb 5c d6 e4 4e 8e 83 2a f8 25 db 63 49 d0 cc |O.\..N..*.%.cI..| +00000170 b2 6b 29 3a bc b4 f0 04 58 60 be 9d ab 8c 9e 06 |.k):....X`......| +00000180 df 1c 9b cf 49 a9 d2 cd 42 d3 5c 5a d6 2f b8 91 |....I...B.\Z./..| +00000190 76 a6 df 3a a2 6e 24 1c de 1f 63 7e c1 bc 1f 2a |v..:.n$...c~...*| +000001a0 20 4c af 9e 47 02 6f fd 8b ed 66 69 d6 76 cc d8 | L..G.o...fi.v..| +000001b0 f2 b4 ec 71 79 2d 1f 46 22 cb 28 6b be 8e 77 d8 |...qy-.F".(k..w.| +000001c0 24 34 9b 00 c8 e3 8d d6 5d 2a 58 a9 dc ae 21 0f |$4......]*X...!.| +000001d0 92 94 33 b9 cb 1a 89 79 2a eb e8 11 c9 d3 5a af |..3....y*.....Z.| +000001e0 f8 f4 1b ce 34 c8 79 24 ed 08 bd 80 a5 4a cc cd |....4.y$.....J..| +000001f0 21 b0 8b 89 b5 ff f4 03 ee cc 88 16 d9 cf 5f 38 
|!............._8| +00000200 8b 67 ac c4 51 b9 f4 44 0c e4 47 83 ba 24 60 8a |.g..Q..D..G..$`.| +00000210 75 0d c2 3d 77 38 46 b1 db 37 57 af 78 aa 06 97 |u..=w8F..7W.x...| +00000220 ab 83 42 f1 96 8c 00 3f 6c 7f b8 ae 1d fb e1 10 |..B....?l.......| +00000230 4d fd 73 bb 37 a6 7d 5a 26 79 5d 7b e4 98 84 9c |M.s.7.}Z&y]{....| +00000240 a2 c4 12 5a b3 a4 bc 6e 35 bd a1 2d 58 e8 27 77 |...Z...n5..-X.'w| +00000250 e1 d6 c4 d5 fb 5a cb 64 6f 6e 4e e0 77 11 ca ba |.....Z.donN.w...| +00000260 30 f4 96 dd fd 95 36 d7 23 4d 87 17 b9 66 9e 23 |0.....6.#M...f.#| +00000270 54 d7 b2 0a 18 f3 11 6e 61 d1 b6 86 94 fb 5c 63 |T......na.....\c| +00000280 ed 6e 5b 60 80 01 51 47 7a d9 2e c1 8f ff 23 ba |.n[`..QGz.....#.| +00000290 75 8d 59 a6 5e 93 c5 10 44 6e 8f a5 59 ab 06 5b |u.Y.^...Dn..Y..[| +000002a0 e9 b6 85 8d 11 6c f8 9a 45 ac 57 b4 04 52 cd fd |.....l..E.W..R..| +000002b0 29 dc 50 ba 9f ec 5a 67 33 35 6b a8 88 2f 86 1b |).P...Zg35k../..| +000002c0 eb 44 54 5b 1d 7e 8a 3b 01 b6 9f d1 99 58 6a bb |.DT[.~.;.....Xj.| +000002d0 9e ab 03 ff 18 00 16 7c 3b 16 a4 d7 4e 1a 63 4f |.......|;...N.cO| +000002e0 69 2b ea 88 54 ed fe 21 45 7a 6e 3a ef aa 89 e7 |i+..T..!Ezn:....| +000002f0 b0 87 93 d8 99 12 6e 1c fd 81 f4 92 4f a3 17 c2 |......n.....O...| +00000300 78 e2 ef a6 eb be 01 6a 1b 4d 49 f7 1a 8f 0f 01 |x......j.MI.....| +00000310 72 bd 9e 17 03 03 00 99 01 71 8b a7 7e 19 d2 27 |r........q..~..'| +00000320 e5 dc 92 fd 6f 90 69 5a b7 7e 64 bd 82 5d 92 06 |....o.iZ.~d..]..| +00000330 6d 0c 65 67 a0 af 23 06 68 15 49 3e 02 65 45 dd |m.eg..#.h.I>.eE.| +00000340 6d 21 04 3e b8 26 de 4b b4 d0 14 77 26 43 79 16 |m!.>.&.K...w&Cy.| +00000350 70 7d f7 97 38 52 5c fd 6f f0 89 df 4e d7 56 4b |p}..8R\.o...N.VK| +00000360 03 10 b3 75 e8 55 8e bb b3 8d 7b 4e 8e a3 81 20 |...u.U....{N... 
| +00000370 08 1e ce db ee 31 9b 50 49 00 75 0f 96 97 63 98 |.....1.PI.u...c.| +00000380 6e 5e ae fe 8b 33 c5 6e ad 0c 7c 33 e6 ad e9 ba |n^...3.n..|3....| +00000390 74 ef b3 29 8c cc 7e 92 9c 36 4a ad 7e bf c8 09 |t..)..~..6J.~...| +000003a0 e7 1d 70 9a db 8c e6 78 56 70 31 41 2c f1 b1 54 |..p....xVp1A,..T| +000003b0 0b 17 03 03 00 45 0c b9 ad a0 58 fe 16 91 07 e5 |.....E....X.....| +000003c0 c3 e1 76 ee 5e 8a 42 02 80 fc e2 89 cd 6c 2d 7f |..v.^.B......l-.| +000003d0 f1 dc 41 44 e5 d2 d2 86 8b 51 f3 d4 cc 3b 8d 11 |..AD.....Q...;..| +000003e0 3e a9 ae 34 38 8b 5f 15 c5 fd 34 55 e8 47 58 9e |>..48._...4U.GX.| +000003f0 80 02 de 43 b8 42 e3 63 6b 3f c1 |...C.B.ck?.| +>>> Flow 3 (client to server) +00000000 17 03 03 00 45 3b b4 6d 08 6d 86 92 01 79 ac 23 |....E;.m.m...y.#| +00000010 49 ba 86 5a cc 31 5b 50 6c f2 49 51 17 9a 63 ad |I..Z.1[Pl.IQ..c.| +00000020 11 ba a2 84 8c d4 25 c1 02 63 f8 23 9f a8 8e 6e |......%..c.#...n| +00000030 5e 6f ba 97 10 16 84 cf 3f 97 0f cc 5a 11 6c 79 |^o......?...Z.ly| +00000040 54 eb 2c 81 6c da 61 60 6a ed 17 03 03 00 17 66 |T.,.l.a`j......f| +00000050 41 78 50 23 cc b7 43 2b b9 6e 4c 8c 8c 68 3a 1a |AxP#..C+.nL..h:.| +00000060 ca 35 c8 79 62 dc 17 03 03 00 13 96 1f 8f 80 2c |.5.yb..........,| +00000070 4c a8 fa 30 1b 19 e7 34 a9 55 56 06 00 5a |L..0...4.UV..Z| diff --git a/testdata/Client-TLSv13-ALPN b/testdata/Client-TLSv13-ALPN new file mode 100644 index 00000000..291f49ad --- /dev/null +++ b/testdata/Client-TLSv13-ALPN 
@@ -0,0 +1,92 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 10 01 00 01 0c 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 91 33 74 00 00 00 05 00 05 01 00 00 00 |....3t..........| +00000090 00 00 0a 00 0a 00 08 00 1d 00 17 00 18 00 19 00 |................| +000000a0 0b 00 02 01 00 00 0d 00 18 00 16 08 04 08 05 08 |................| +000000b0 06 04 01 04 03 05 01 05 03 06 01 06 03 02 01 02 |................| +000000c0 03 ff 01 00 01 00 00 10 00 10 00 0e 06 70 72 6f |.............pro| +000000d0 74 6f 32 06 70 72 6f 74 6f 31 00 12 00 00 00 2b |to2.proto1.....+| +000000e0 00 09 08 03 04 03 03 03 02 03 01 00 33 00 26 00 |............3.&.| +000000f0 24 00 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da |$... 
/.}.G.bC.(.| +00000100 ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 |._.).0..........| +00000110 5f 58 cb 3b 74 |_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 0a 4d aa 31 08 |....z...v...M.1.| +00000010 a9 02 77 7b 6e 39 6d cd dc 26 a1 21 15 64 b4 a8 |..w{n9m..&.!.d..| +00000020 c5 61 98 3c 41 c0 20 1a 58 0e 15 20 00 00 00 00 |.a..Q.(.| +000001c0 62 81 2d 8e 4c 86 2f e2 8a 87 79 bc 43 89 ce af |b.-.L./...y.C...| +000001d0 f5 08 4e 36 4f 0b 17 cf a3 05 a7 27 7c 21 2c 18 |..N6O......'|!,.| +000001e0 a0 51 f8 ef 38 de 80 99 54 bb 16 2d d2 65 76 95 |.Q..8...T..-.ev.| +000001f0 91 7b 81 36 ed 43 5e 44 f5 d5 6d 74 37 37 56 cb |.{.6.C^D..mt77V.| +00000200 7d 79 7b 7c 96 42 ba 74 8f 5c 6c aa 3d e4 57 90 |}y{|.B.t.\l.=.W.| +00000210 07 a7 d1 50 7e 16 54 ec 92 a6 e4 e2 6f cf 10 c7 |...P~.T.....o...| +00000220 1e 6f 24 4c 1a 5d 44 72 0f 10 22 2f 04 aa ca 55 |.o$L.]Dr.."/...U| +00000230 c6 d0 54 45 80 6d 87 ed 85 44 64 07 c5 71 ff 68 |..TE.m...Dd..q.h| +00000240 ae c5 f1 5c 8d 8a 4d 85 3b 68 65 b2 97 c7 2b bf |...\..M.;he...+.| +00000250 49 d8 76 ac 58 de ba 31 7f 10 92 85 4c cd f5 d7 |I.v.X..1....L...| +00000260 bc db aa f4 c8 81 95 fd 77 e8 9f 03 74 0e 15 a7 |........w...t...| +00000270 73 0c 6d 07 27 ce c3 23 cc 68 f0 82 ce 2b 8d 25 |s.m.'..#.h...+.%| +00000280 4e b3 e8 31 b6 e4 2b 4e bf b8 09 f7 ef 6e 64 89 |N..1..+N.....nd.| +00000290 23 03 03 bf 93 dd 3a 89 e1 cf d1 7b b8 72 8d 40 |#.....:....{.r.@| +000002a0 30 d4 06 be c4 78 a7 70 66 a5 90 36 86 e4 a1 53 |0....x.pf..6...S| +000002b0 59 81 68 04 bc 1b 5b b8 28 ff d0 78 75 2a 46 a7 |Y.h...[.(..xu*F.| +000002c0 3b 11 08 e3 cc fd 39 a4 d0 fa d0 ed cf 34 ce 6e |;.....9......4.n| +000002d0 02 a6 6c 1c 04 c3 a7 53 08 6c dc 8c 71 51 7c 9c |..l....S.l..qQ|.| +000002e0 f0 da 86 91 a0 f1 0d 04 fb 18 c3 89 1a b8 58 f7 |..............X.| +000002f0 50 9c cb 62 a6 d4 64 6b cd 7b 5c 33 1e d8 45 43 |P..b..dk.{\3..EC| +00000300 f6 72 cd 04 1a 7f e4 48 b2 16 17 9d 79 97 5c bc |.r.....H....y.\.| 
+00000310 fa 0a 06 b1 92 f1 b3 db 98 83 04 01 6a 2b 51 38 |............j+Q8| +00000320 17 03 03 00 99 82 ea 5b 85 f2 b1 05 63 fa 98 d3 |.......[....c...| +00000330 ad 0d ac ab 0a a2 95 81 1a 04 52 c0 9e 18 da 3d |..........R....=| +00000340 b6 36 a6 6f 35 1d c2 e0 e6 82 d6 0d ec b4 e1 02 |.6.o5...........| +00000350 95 43 e0 1e 3c 2b 96 8f 39 d0 49 33 ef 30 4f 05 |.C..<+..9.I3.0O.| +00000360 7a 2e 1b 04 39 d7 b3 4a 1a 24 20 11 1e d7 fb ea |z...9..J.$ .....| +00000370 28 57 68 79 53 7d f8 08 35 c4 c2 7a f5 73 19 76 |(WhyS}..5..z.s.v| +00000380 dc 56 fb 35 aa 6a b7 73 7b da 41 f3 9f 71 14 14 |.V.5.j.s{.A..q..| +00000390 b8 61 8e ab 82 5e 57 e8 af d2 31 95 ec 4f a7 01 |.a...^W...1..O..| +000003a0 f2 2b cc 75 1b b1 cd c6 25 c0 69 32 4d 02 53 73 |.+.u....%.i2M.Ss| +000003b0 80 ef c3 af 62 68 a7 82 15 dc e5 f2 8e 0f 17 03 |....bh..........| +000003c0 03 00 35 ca d4 d7 83 55 19 de 32 ec b2 9c 79 13 |..5....U..2...y.| +000003d0 e2 99 3b ae 9d 90 d1 ec 76 e9 89 be b0 59 9b e1 |..;.....v....Y..| +000003e0 fc 37 a7 84 5c 3c 03 e2 92 72 f9 ee d6 85 fc 42 |.7..\<...r.....B| +000003f0 f2 2f f6 ac bb 2b 25 a0 |./...+%.| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 cc 3b 0d 48 9a 16 49 7c 30 93 a1 |....5.;.H..I|0..| +00000010 ad ad f3 1d 8c ba 5b 16 af bd 40 36 31 0c aa 64 |......[...@61..d| +00000020 0c b0 2b bd d2 24 6e e8 07 30 94 e2 22 c8 c4 b8 |..+..$n..0.."...| +00000030 3c 7a 36 f6 dd 4c be 4c ef 68 17 03 03 00 17 f6 |4B,.3......| +00000050 b5 32 fd a4 5c f1 17 03 03 00 13 d6 00 df 9b 19 |.2..\...........| +00000060 38 a4 5e 5a 95 53 b6 10 80 79 1a 31 6b 4d |8.^Z.S...y.1kM| diff --git a/testdata/Client-TLSv13-CHACHA20-SHA256 b/testdata/Client-TLSv13-CHACHA20-SHA256 new file mode 100644 index 00000000..1cc7a4f4 --- /dev/null +++ b/testdata/Client-TLSv13-CHACHA20-SHA256 
@@ -0,0 +1,89 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 18 00 16 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 ff 01 00 |................| +000000c0 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 7b 81 36 84 98 |....z...v..{.6..| +00000010 a3 9c d6 2d a5 38 91 94 a3 df 3a d2 ad 4b b6 60 |...-.8....:..K.`| +00000020 12 f2 fa 04 f4 1c a1 e4 55 43 f3 20 00 00 00 00 |........UC. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 eb |..+.....3.$... 
.| +00000060 45 9d e3 42 6c 04 45 5c 46 28 7d 88 60 44 32 74 |E..Bl.E\F(}.`D2t| +00000070 e8 8c ca 9d f6 71 ec c4 11 d5 11 1d 04 aa 47 14 |.....q........G.| +00000080 03 03 00 01 01 17 03 03 00 17 db ed 81 c0 66 7b |..............f{| +00000090 80 d4 91 4c 78 75 7f af d2 60 c8 bd 35 45 7e 36 |...Lxu...`..5E~6| +000000a0 5a 17 03 03 02 6d a5 9c 0f 75 69 8d 43 05 50 35 |Z....m...ui.C.P5| +000000b0 39 ec 82 e2 ba 01 09 c7 f0 47 1f ab 50 f3 6b aa |9........G..P.k.| +000000c0 83 8c eb db 0d 5c 86 ba fd 8f 63 30 1a 48 3e 62 |.....\....c0.H>b| +000000d0 ed 6a bc 9c 71 2c 33 e4 55 43 bb 67 86 c2 45 06 |.j..q,3.UC.g..E.| +000000e0 fd 9c 50 3e a8 5e 94 14 58 65 27 cc 12 0d 98 c3 |..P>.^..Xe'.....| +000000f0 68 79 8a 20 b5 a5 0d 0a d6 93 d8 a2 ee 79 64 2e |hy. .........yd.| +00000100 be f3 20 ff d4 2e 6b b0 4e 76 3c 0f 28 85 bc e6 |.. ...k.Nv<.(...| +00000110 91 bd f3 cb 60 75 41 4c d0 23 b4 df c2 c9 4b 8b |....`uAL.#....K.| +00000120 6d 3b fd 7c 93 90 a5 f8 5f d0 70 42 aa a6 c1 02 |m;.|...._.pB....| +00000130 10 ae 24 71 33 43 98 4a 96 d1 de de 6c 8e a1 98 |..$q3C.J....l...| +00000140 bf 08 bb 0c 08 ad 31 bf 25 19 cd c2 54 93 15 e6 |......1.%...T...| +00000150 e4 da c3 da 98 67 fc 1f 7a ce 57 d6 6a 53 82 67 |.....g..z.W.jS.g| +00000160 50 f5 c8 9d b5 92 46 4f 84 a4 e7 14 e0 03 4f 40 |P.....FO......O@| +00000170 a9 df 76 c3 14 06 36 4f be 03 8f e9 cd a6 57 9c |..v...6O......W.| +00000180 da 98 61 a0 2e ba 74 fc 9f f2 c8 87 9d ed fb 87 |..a...t.........| +00000190 de db 9c 15 a0 5c 7b 5a ab af c7 fa 5a ab d1 c0 |.....\{Z....Z...| +000001a0 13 64 12 c0 5d 36 b5 fd 4d 80 df 26 cd ef c0 ca |.d..]6..M..&....| +000001b0 83 e5 3a 55 58 2a 63 5c 38 e7 e0 9c 15 cb 76 14 |..:UX*c\8.....v.| +000001c0 5f 7a 9a 8f 9f 03 83 3e 7d 9e 61 17 2a 6b c8 ff |_z.....>}.a.*k..| +000001d0 dc f9 01 aa 5f e1 44 ea 2c 09 60 ac 0b 25 e4 52 |...._.D.,.`..%.R| +000001e0 0e 21 86 6f d4 92 2d eb 95 0a 87 6d 91 ee 27 05 |.!.o..-....m..'.| +000001f0 e2 e2 88 13 eb ac 8b f8 45 c4 88 eb 76 43 10 d8 
|........E...vC..| +00000200 26 de de b0 9b 4c 14 1b 2c db 93 8e de 46 a9 9e |&....L..,....F..| +00000210 df 87 df 88 69 a8 15 ae cf 3c a7 3d ae 70 3d 2a |....i....<.=.p=*| +00000220 22 eb 01 2e e1 29 23 2f 8a ad cf 54 25 fb 8b 0a |"....)#/...T%...| +00000230 1c 70 b8 0c 34 e5 49 9e c1 cd 98 02 85 42 22 56 |.p..4.I......B"V| +00000240 b8 da 9b 48 cc 87 84 f9 f1 94 e1 bc 5a 01 a1 3f |...H........Z..?| +00000250 de 7c ac 03 d3 75 88 8d 22 6e f8 6e e1 f8 4b 9c |.|...u.."n.n..K.| +00000260 0b 13 7e f6 1b 0e 22 ce 62 69 3d 66 55 87 a2 a1 |..~...".bi=fU...| +00000270 01 9e 2b 3c 60 80 b3 c6 d9 fc 9a 4c 0e 89 83 44 |..+<`......L...D| +00000280 8c 02 64 70 e7 71 b5 e0 6c f1 44 cc bf 3e 03 95 |..dp.q..l.D..>..| +00000290 a9 46 6a f3 f6 1e ea 19 bb 8c 62 92 17 bc cf 2d |.Fj.......b....-| +000002a0 e5 af ca 2d 66 6d ed c1 13 f6 89 55 fc 5c 51 12 |...-fm.....U.\Q.| +000002b0 30 02 78 58 96 7c 8b 28 68 56 7b f7 c4 48 03 5b |0.xX.|.(hV{..H.[| +000002c0 5f 46 ef 9c 1d 7e 4c 0a b9 de 37 df 90 86 7c 1d |_F...~L...7...|.| +000002d0 e6 af dc 85 c5 03 6f a2 38 d2 2a f3 33 5c 27 06 |......o.8.*.3\'.| +000002e0 c4 1e 44 61 1b 7b 28 3c 3d ca 32 d2 9b 8b 59 9a |..Da.{(<=.2...Y.| +000002f0 42 7c b8 23 4d 81 ca ce 02 f1 bc 87 f2 dd 42 2f |B|.#M.........B/| +00000300 f0 c4 97 32 b9 a5 44 c2 12 96 ca cf fd 95 14 c8 |...2..D.........| +00000310 12 47 0a 17 03 03 00 99 ff 36 e6 aa 19 66 0f 3d |.G.......6...f.=| +00000320 c1 cd b3 8b b3 51 78 a1 bb d6 c7 dc 1a ee ae 82 |.....Qx.........| +00000330 35 b5 b9 71 a9 0e a2 d0 d2 0f d7 cf c9 29 a3 2e |5..q.........)..| +00000340 57 21 ac 8e 37 01 47 1c 26 83 f7 15 69 44 c6 27 |W!..7.G.&...iD.'| +00000350 f9 4c e3 b2 5e 2f 7a 57 55 05 ef c6 89 1c f0 23 |.L..^/zWU......#| +00000360 ce 46 44 26 5b d8 2b ff 8a 8b 8b dc 94 73 1a a3 |.FD&[.+......s..| +00000370 46 15 57 d3 8b 03 2b d3 83 7b 45 d9 28 b0 2b 96 |F.W...+..{E.(.+.| +00000380 6a de 74 2a dd ca 12 ab 55 1e 8a b7 a2 6a b6 8e |j.t*....U....j..| +00000390 42 fe c0 35 16 d8 3f f7 f5 58 5d 7a 6c 3c 8d 
71 |B..5..?..X]zl<.q| +000003a0 a3 8e 88 91 97 69 1d 35 e0 47 5d 3d 99 48 96 29 |.....i.5.G]=.H.)| +000003b0 1b 17 03 03 00 35 da 2c 98 c0 1b 27 40 d0 89 d0 |.....5.,...'@...| +000003c0 90 76 97 c1 0a 76 33 17 0e a0 cb 15 5a eb ce 78 |.v...v3.....Z..x| +000003d0 6f ba db da 20 38 94 75 dc 1a 42 c6 2e ef f4 46 |o... 8.u..B....F| +000003e0 12 ac 0e 56 56 32 e6 1c 2e 29 31 |...VV2...)1| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 23 ee 53 57 90 ba 6c b8 81 73 49 |....5#.SW..l..sI| +00000010 50 0b a2 6f 9c bc b4 84 c5 31 e7 1d 57 ef fe c2 |P..o.....1..W...| +00000020 00 0b 1b 67 f7 2c 7d d3 e1 24 fa 4c 7a 90 5a 52 |...g.,}..$.Lz.ZR| +00000030 c4 78 2c 4a a4 81 3a ca 70 3e 17 03 03 00 17 d1 |.x,J..:.p>......| +00000040 04 00 5a 55 c2 9d ed 7d 32 a0 94 80 f7 2a f1 ee |..ZU...}2....*..| +00000050 e7 28 20 f8 27 3b 17 03 03 00 13 99 71 80 30 28 |.( .';......q.0(| +00000060 79 f2 88 36 2d a4 b5 b8 f0 1a e8 4e 26 ec |y..6-......N&.| diff --git a/testdata/Client-TLSv13-ECDSA b/testdata/Client-TLSv13-ECDSA new file mode 100644 index 00000000..2d370669 --- /dev/null +++ b/testdata/Client-TLSv13-ECDSA 
@@ -0,0 +1,85 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 18 00 16 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 ff 01 00 |................| +000000c0 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 ea 51 d2 17 98 |....z...v...Q...| +00000010 38 87 56 24 96 d8 d2 5b 19 30 72 26 67 8b 3c 00 |8.V$...[.0r&g.<.| +00000020 88 61 ca f2 2f 46 d2 06 72 75 58 20 00 00 00 00 |.a../F..ruX ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 88 |..+.....3.$... 
.| +00000060 e1 24 f3 7f 61 5a 52 d9 5c d6 a1 11 68 e8 fc 00 |.$..aZR.\...h...| +00000070 db d5 de 59 73 b2 a7 75 ac 7e 2b b0 1f a9 4d 14 |...Ys..u.~+...M.| +00000080 03 03 00 01 01 17 03 03 00 17 ae bf 1f bc 4e 27 |..............N'| +00000090 37 3e 57 af 20 b4 4a 7b 4a da e0 47 8e 32 63 69 |7>W. .J{J..G.2ci| +000000a0 2f 17 03 03 02 22 3d 8b c2 4f 07 ac cc e2 64 53 |/...."=..O....dS| +000000b0 8c 1f 79 c7 f0 00 6e 99 27 e4 1b a1 9b df b4 89 |..y...n.'.......| +000000c0 e5 31 a0 b9 5f 86 4a 87 2c d1 41 96 d6 e1 9d 7f |.1.._.J.,.A.....| +000000d0 07 50 84 86 ae dd f7 46 53 4e 60 2d 6a 7b 99 3a |.P.....FSN`-j{.:| +000000e0 af 8c 8c fb ee 66 f6 3d f2 87 56 ed cb 8f 99 3f |.....f.=..V....?| +000000f0 a0 1c bf c4 60 09 b3 01 4c 04 3f 10 c6 3e 36 9b |....`...L.?..>6.| +00000100 be e3 ee aa df df 58 78 c5 21 e4 98 0d 98 de 71 |......Xx.!.....q| +00000110 45 63 c3 b2 39 9e d2 c0 83 e6 b7 e0 6f b0 b0 04 |Ec..9.......o...| +00000120 fe c0 2f c4 32 98 82 6c ee f5 68 1c 21 e7 f2 2e |../.2..l..h.!...| +00000130 2f bf d1 17 21 ac da 03 d1 42 c3 85 78 c7 4f d8 |/...!....B..x.O.| +00000140 cf ca 1e 3f e1 ac a3 06 de 29 21 86 ee bb cc b0 |...?.....)!.....| +00000150 68 4a c5 65 a8 7f 90 8f 48 a1 df 24 57 36 6b da |hJ.e....H..$W6k.| +00000160 64 cb 52 56 76 9a 47 86 d1 8e ed d7 c0 85 9c 74 |d.RVv.G........t| +00000170 89 05 01 43 0b 69 dc 4a ed 61 eb 55 bf e5 3a a4 |...C.i.J.a.U..:.| +00000180 b9 39 6b 3b 71 cf 33 83 b1 54 59 71 b2 24 a0 1f |.9k;q.3..TYq.$..| +00000190 70 fe 58 ff 90 88 d9 91 55 d6 a5 ef 3d c9 0d 3b |p.X.....U...=..;| +000001a0 a0 57 de d4 c4 82 50 bd ff 9d 85 b9 90 10 df 92 |.W....P.........| +000001b0 5b 41 ec c2 41 2a 1d b6 d7 e1 51 08 92 a3 ef 98 |[A..A*....Q.....| +000001c0 4d 79 d8 37 11 df a1 3f 43 ed 0d 20 44 ca f2 94 |My.7...?C.. 
D...| +000001d0 ff e2 5e 05 b7 9c 4d b7 70 83 73 b1 d9 5a ed 7e |..^...M.p.s..Z.~| +000001e0 3a c6 08 3a 49 1d 4f 08 30 02 8f d8 3f cb 14 a3 |:..:I.O.0...?...| +000001f0 d5 74 7e 85 e8 f6 ab 6a 61 54 84 79 21 2a aa f4 |.t~....jaT.y!*..| +00000200 3d b3 42 df b7 d6 6f e8 29 50 cc f8 18 a9 f0 99 |=.B...o.)P......| +00000210 6b 44 c3 37 ef 3d 20 0b 28 10 b3 f9 ea f2 65 df |kD.7.= .(.....e.| +00000220 ae c6 28 24 c5 ea e1 bc ba 79 ad 02 c3 fc b2 cb |..($.....y......| +00000230 8a f3 70 80 5a d0 4b 2c 78 43 2a 18 71 2c 0c c0 |..p.Z.K,xC*.q,..| +00000240 45 f5 1b 47 1d f6 fb 75 53 ed d7 a0 e4 c4 2a 48 |E..G...uS.....*H| +00000250 e4 e8 37 33 fe d1 f0 96 dc 27 bb 40 41 b6 e6 9e |..73.....'.@A...| +00000260 18 bb 2d 5b b1 05 7c 5b 94 ef f6 af f4 64 b2 e8 |..-[..|[.....d..| +00000270 08 4c 1b 01 11 de 53 b5 f1 15 ff 6f 8a 08 ef cb |.L....S....o....| +00000280 74 d1 81 a6 c0 b5 ac 41 ec 30 5e f0 dc ec b1 70 |t......A.0^....p| +00000290 5f 53 e9 56 dd 48 05 4f 0c f0 7d a7 13 2a 33 d6 |_S.V.H.O..}..*3.| +000002a0 2b 4b 22 7f a9 b5 cf 1f 63 f4 c2 6c ee 0c 10 d0 |+K".....c..l....| +000002b0 96 06 2f aa 2b df 69 01 ee 3c b4 e9 f3 9d 7b 8b |../.+.i..<....{.| +000002c0 5f ff b3 a1 3a 03 df c6 17 03 03 00 a4 da 63 32 |_...:.........c2| +000002d0 c2 d8 9b 78 bc fa 59 d8 5a 4c 8c f1 f6 e0 26 39 |...x..Y.ZL....&9| +000002e0 fd 27 c7 0c 11 ad 3e 34 2e 0c 3c aa 83 a8 96 d9 |.'....>4..<.....| +000002f0 0c be 5d a7 8a 79 f9 08 67 8f 74 82 88 a1 0f f0 |..]..y..g.t.....| +00000300 1b 52 c3 7a 89 25 14 72 3b 0b 4c 82 e5 9c df ac |.R.z.%.r;.L.....| +00000310 e3 49 b1 ef 35 c0 df 6c 0e 5e b4 48 38 d1 d7 73 |.I..5..l.^.H8..s| +00000320 01 30 04 b4 67 37 32 92 79 9c 45 52 06 bd 25 af |.0..g72.y.ER..%.| +00000330 5a 0f 8d 98 4f c6 12 31 78 90 32 78 8c a4 49 a0 |Z...O..1x.2x..I.| +00000340 6e fb 2b 94 31 0d 05 a8 96 05 04 3b f5 80 a7 3c |n.+.1......;...<| +00000350 92 c9 ee ea c6 cb 24 a2 e2 c9 88 3e 09 50 8c 75 |......$....>.P.u| +00000360 d5 95 10 8f b0 f9 5b ec b5 d7 be aa 3c b0 e9 d0 
|......[.....<...| +00000370 67 17 03 03 00 35 da 1d 4c 65 79 5b 84 e9 60 3e |g....5..Ley[..`>| +00000380 ac de 29 ad 8d 7e a1 9b ad 25 35 08 39 f1 75 6f |..)..~...%5.9.uo| +00000390 6b 11 66 fc 66 ff c7 88 7a fc d5 a6 24 c3 fc 7f |k.f.f...z...$...| +000003a0 6a aa 94 36 56 cd 75 66 1f 0b 7c |j..6V.uf..|| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 50 19 ff 67 64 b8 80 c8 ed 81 0c |....5P..gd......| +00000010 00 ab e0 d6 d4 3b 74 0f 89 a6 23 f3 0b 84 e3 a9 |.....;t...#.....| +00000020 73 67 14 03 ba b4 42 69 0a dc dc 99 d6 be 9b 61 |sg....Bi.......a| +00000030 96 21 57 1e 54 ca dc 1b df e7 17 03 03 00 17 ef |.!W.T...........| +00000040 42 23 91 2c b5 5d 1f 2c 1f db 5e d1 24 be 79 7a |B#.,.].,..^.$.yz| +00000050 9f 1a 2f 0c 71 4c 17 03 03 00 13 ad 90 35 ea 7f |../.qL.......5..| +00000060 3b 23 ca da 36 fd 02 97 d6 cd d2 84 c6 57 |;#..6........W| diff --git a/testdata/Client-TLSv13-ExportKeyingMaterial b/testdata/Client-TLSv13-ExportKeyingMaterial new file mode 100644 index 00000000..5778ef7b --- /dev/null +++ b/testdata/Client-TLSv13-ExportKeyingMaterial 
@@ -0,0 +1,89 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 18 00 16 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 ff 01 00 |................| +000000c0 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 a6 29 2f 1c 88 |....z...v...)/..| +00000010 12 96 7a 88 1c dc f7 ca dc 1e 6e e2 a7 09 65 01 |..z.......n...e.| +00000020 28 3a c1 58 01 6a ed 8d 18 fe b7 20 00 00 00 00 |(:.X.j..... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 ab |..+.....3.$... 
.| +00000060 5a f1 b4 52 1d 1c 87 fb b3 9e f2 f9 ee d1 f1 ff |Z..R............| +00000070 66 3e 01 70 41 6f 01 45 4a d0 3a 98 d3 e4 50 14 |f>.pAo.EJ.:...P.| +00000080 03 03 00 01 01 17 03 03 00 17 38 75 a9 bf e3 61 |..........8u...a| +00000090 2f 8a 58 1d 28 6b b5 25 83 c9 d8 86 31 38 ee 6d |/.X.(k.%....18.m| +000000a0 c1 17 03 03 02 6d cb 78 87 73 70 3d c4 e4 de d9 |.....m.x.sp=....| +000000b0 2d 22 f0 cf 35 9e c1 0a ac 97 88 75 20 8f 63 b1 |-"..5......u .c.| +000000c0 2f c0 c9 4d 86 7f d6 6b 3a 2e b6 c1 e3 d4 73 f4 |/..M...k:.....s.| +000000d0 f7 2b 4f 86 6f f0 fd ed 2a dd 17 98 5e e6 32 e9 |.+O.o...*...^.2.| +000000e0 48 5e 48 36 e0 f8 d3 a4 93 54 7b 17 c5 46 ea d5 |H^H6.....T{..F..| +000000f0 6b 0f 5b bd 1d 3c 15 b1 c2 3f 2f 91 e5 d3 dd 75 |k.[..<...?/....u| +00000100 c5 c7 73 f7 ce a2 6e e1 bc 10 2a b7 0f 5e 7d cc |..s...n...*..^}.| +00000110 3e 22 3c 71 37 3f ba f0 44 3b 55 c8 5c a7 19 f2 |>"...| +00000160 28 a4 ac 75 1b 3b 7f 85 cb 2c 9c 64 09 38 75 59 |(..u.;...,.d.8uY| +00000170 33 0e 7f fe 93 0f 8a 67 5f 5e 86 c4 74 40 7f 0b |3......g_^..t@..| +00000180 f8 82 03 9c 8d 37 39 12 a9 20 cb 31 c5 40 f6 23 |.....79.. 
.1.@.#| +00000190 78 71 20 e3 8a a8 81 ab 6c 98 43 67 f8 2b a9 6f |xq .....l.Cg.+.o| +000001a0 41 2a 80 7f 1c 11 6d ae ea cf d9 6a 3c 11 74 72 |A*....m....j<.tr| +000001b0 86 e4 ab ee 1a f2 58 ce e2 8f d6 4e 06 57 e9 33 |......X....N.W.3| +000001c0 e9 ef 5a af 19 5c eb 9a a4 df ed 9f d3 55 00 d9 |..Z..\.......U..| +000001d0 2c 09 3f c5 58 4f 08 22 2e 9c 63 9b 53 92 07 83 |,.?.XO."..c.S...| +000001e0 b7 96 82 de 46 5b 35 b8 ff d2 52 96 66 2a ce ed |....F[5...R.f*..| +000001f0 93 b1 6a be ab 91 6b 1f b1 bc 35 1f 11 6a 48 a6 |..j...k...5..jH.| +00000200 20 63 62 8f e4 e4 07 4b be 79 37 d6 98 00 64 9e | cb....K.y7...d.| +00000210 17 f4 48 65 71 21 0c 79 30 32 a1 eb f5 9a be 5a |..Heq!.y02.....Z| +00000220 8d 7b 17 dd af c4 06 78 3b 0d a9 4a d8 f1 a8 6d |.{.....x;..J...m| +00000230 3d cf 52 a6 34 9d 3a 1c ee ff 83 7a d1 23 47 f1 |=.R.4.:....z.#G.| +00000240 65 9d 57 61 66 d9 66 bd e7 63 ca b9 22 07 36 0b |e.Waf.f..c..".6.| +00000250 5b 9a 20 59 19 25 49 54 a0 3b bf 28 24 5c 58 76 |[. Y.%IT.;.($\Xv| +00000260 1a a9 68 e9 90 dd 6a 66 d8 f3 d3 60 e4 3d af 3a |..h...jf...`.=.:| +00000270 49 d1 0e b8 39 a2 b6 e3 15 6e c0 ff 0d 57 48 05 |I...9....n...WH.| +00000280 c1 44 01 59 fa 9b f7 90 bc 7b 05 c4 f0 1f e8 9f |.D.Y.....{......| +00000290 02 c5 2a 89 7d 1e c4 75 bc b9 af d2 17 89 79 9d |..*.}..u......y.| +000002a0 3c aa 55 db 24 e7 35 08 a0 6d 88 79 61 af 01 82 |<.U.$.5..m.ya...| +000002b0 82 b7 4a f0 d4 89 38 6a fc 82 97 5e 77 09 87 45 |..J...8j...^w..E| +000002c0 5e 2f 21 8c 39 4e 98 76 76 ab 16 25 8e f0 d2 5c |^/!.9N.vv..%...\| +000002d0 a6 ad bd 18 f3 78 f4 2a b2 ac 36 67 2b 67 6a 43 |.....x.*..6g+gjC| +000002e0 95 d6 63 f8 b5 9f 7d 84 26 83 83 3c d3 7a 3b 52 |..c...}.&..<.z;R| +000002f0 68 de f0 d8 49 7f bc 56 b4 70 16 74 ee fa 5b 7b |h...I..V.p.t..[{| +00000300 36 50 6a 54 26 02 7a 3c ee 0b f9 2e a1 20 5c 44 |6PjT&.z<..... 
\D| +00000310 fd fe fc 17 03 03 00 99 69 60 73 ea a0 71 1a 5e |........i`s..q.^| +00000320 c4 ea 67 f7 b2 e0 34 7c cc 55 67 f3 87 43 c9 68 |..g...4|.Ug..C.h| +00000330 a6 02 84 1d 6c de 1d 90 4c 82 01 5c a5 16 39 97 |....l...L..\..9.| +00000340 67 45 7f fb 0e 43 24 4e ea c5 7b eb f5 bc 1f b6 |gE...C$N..{.....| +00000350 70 2e 95 e4 61 20 f0 8b 24 54 2e 43 9c f1 82 56 |p...a ..$T.C...V| +00000360 9c ca 28 96 64 57 85 a4 e1 d0 f4 be ea b4 7b a2 |..(.dW........{.| +00000370 23 aa 4f c6 06 9c e7 81 eb 4b 62 93 af 93 1c cf |#.O......Kb.....| +00000380 2b fd 5f bd a7 07 e9 c3 c8 97 c1 e4 df f4 74 06 |+._...........t.| +00000390 62 01 32 0c ec a2 40 86 c1 7e da e9 1e 7e 46 67 |b.2...@..~...~Fg| +000003a0 8a c6 ef b5 ce ac 3e 44 fa b0 ff b6 c4 20 aa 65 |......>D..... .e| +000003b0 fb 17 03 03 00 35 c1 a6 e0 e5 bf 91 7a ec 17 85 |.....5......z...| +000003c0 38 1e 32 1e 92 4e 9c 38 8c 02 1b 08 03 0e a3 a2 |8.2..N.8........| +000003d0 8f 2b 73 76 c1 99 48 de e7 39 cf a8 97 e4 30 e6 |.+sv..H..9....0.| +000003e0 75 52 3a f4 6f bf 67 bd 87 c5 30 |uR:.o.g...0| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 be 06 09 fb e0 58 83 8e 27 5a c0 |....5.....X..'Z.| +00000010 8a 4c 56 ad 79 29 90 99 47 21 2f d4 f4 98 81 a8 |.LV.y)..G!/.....| +00000020 e8 55 d6 bd 26 b1 a9 48 34 ff 40 66 7e 2e 83 ea |.U..&..H4.@f~...| +00000030 ed fe a0 01 73 0b 91 1f c0 1d 17 03 03 00 17 ee |....s...........| +00000040 58 ac 2a e7 26 72 e3 c7 81 2c 02 0f 57 39 56 4f |X.*.&r...,..W9VO| +00000050 43 7a 2d a7 f4 d8 17 03 03 00 13 94 2c 15 0b 04 |Cz-.........,...| +00000060 7a aa 78 3b a6 b8 23 f1 75 b4 b5 2e e7 94 |z.x;..#.u.....| diff --git a/testdata/Client-TLSv13-HelloRetryRequest b/testdata/Client-TLSv13-HelloRetryRequest new file mode 100644 index 00000000..76961c6b --- /dev/null +++ b/testdata/Client-TLSv13-HelloRetryRequest 
@@ -0,0 +1,118 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f4 01 00 00 f0 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 75 00 05 00 05 01 00 00 00 00 00 0a 00 |...u............| +00000090 06 00 04 00 1d 00 17 00 0b 00 02 01 00 00 0d 00 |................| +000000a0 18 00 16 08 04 08 05 08 06 04 01 04 03 05 01 05 |................| +000000b0 03 06 01 06 03 02 01 02 03 ff 01 00 01 00 00 12 |................| +000000c0 00 00 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 |...+............| +000000d0 33 00 26 00 24 00 1d 00 20 2f e5 7d a3 47 cd 62 |3.&.$... /.}.G.b| +000000e0 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +000000f0 c2 ed 90 99 5f 58 cb 3b 74 |...._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 58 02 00 00 54 03 03 cf 21 ad 74 e5 |....X...T...!.t.| +00000010 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a |.a......e......z| +00000020 bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 20 00 00 00 00 |..^......3. 
....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 0c 00 2b 00 02 03 04 00 33 00 02 00 17 14 03 03 |..+.....3.......| +00000060 00 01 01 |...| +>>> Flow 3 (client to server) +00000000 16 03 03 01 15 01 00 01 11 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 96 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 06 00 04 00 1d 00 17 00 0b 00 02 01 00 00 0d 00 |................| +000000a0 18 00 16 08 04 08 05 08 06 04 01 04 03 05 01 05 |................| +000000b0 03 06 01 06 03 02 01 02 03 ff 01 00 01 00 00 12 |................| +000000c0 00 00 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 |...+............| +000000d0 33 00 47 00 45 00 17 00 41 04 1e 18 37 ef 0d 19 |3.G.E...A...7...| +000000e0 51 88 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 fd a7 |Q.5uq..T[....g..| +000000f0 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e f1 |$ >.V...(^.+-O..| +00000100 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 a6 |..lK[.V.2B.X..I.| +00000110 b5 68 1a 41 03 56 6b dc 5a 89 |.h.A.Vk.Z.| +>>> Flow 4 (server to client) +00000000 16 03 03 00 9b 02 00 00 97 03 03 7b 87 0f 37 7b |...........{..7{| +00000010 8a c3 85 98 1c 19 61 a4 bd 12 06 b5 72 58 09 24 |......a.....rX.$| +00000020 c7 ab c0 12 f7 b7 b5 69 c2 05 46 20 00 00 00 00 |.......i..F ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 
+00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.| +00000060 95 47 67 c9 ae 36 1b 3f b7 b7 21 15 ab 11 9f de |.Gg..6.?..!.....| +00000070 4d 06 76 61 be 86 9e 79 c9 e9 9d 62 95 8e b7 f9 |M.va...y...b....| +00000080 c7 e1 9f 79 08 f0 98 76 54 22 90 c1 fa 15 56 99 |...y...vT"....V.| +00000090 21 64 93 92 78 9a 52 3c 4e e7 b1 39 be 25 88 af |!d..x.R.m...QAl......t| +00000160 ac 8c 12 df ba c6 bb e9 90 1c e9 ed e1 9c 28 d4 |..............(.| +00000170 50 89 88 09 06 61 2e 27 c6 60 26 86 91 f2 37 a2 |P....a.'.`&...7.| +00000180 83 67 ac c4 3f e7 6d 9c 30 de 74 a0 2e b9 0e 6b |.g..?.m.0.t....k| +00000190 de 4a 73 4d 67 9a ee 45 c7 5e bc d1 bb bb 01 67 |.JsMg..E.^.....g| +000001a0 cd b2 e6 c6 fa 3c e1 59 d9 e0 c9 85 5d 76 8d c8 |.....<.Y....]v..| +000001b0 ed 83 cd eb 88 51 d6 05 9f 0c 45 81 66 07 7c 2d |.....Q....E.f.|-| +000001c0 dd 6f 35 fd 76 d0 03 00 46 d9 f7 87 fe e4 8f bc |.o5.v...F.......| +000001d0 1b 69 6a 97 38 82 46 5e fe f6 a6 8a 0c 1a 6d 7f |.ij.8.F^......m.| +000001e0 4d b2 1b dd df 5c f3 43 21 cd 26 47 09 32 3a cc |M....\.C!.&G.2:.| +000001f0 b6 30 5a 1d 27 7a ad 6d da 2d 51 dc 67 84 09 8f |.0Z.'z.m.-Q.g...| +00000200 8f 86 2d 6f af 04 15 ce 90 53 4d 0d 32 a5 c4 c3 |..-o.....SM.2...| +00000210 41 94 0b 08 33 b9 2c 23 d3 d5 c2 42 f1 e4 d6 cf |A...3.,#...B....| +00000220 b2 cd 45 8e dd 9f 52 cb e5 dd ec aa 40 55 fd 94 |..E...R.....@U..| +00000230 99 cc 97 88 6d b0 71 80 4d 31 34 5e 92 a0 7d 1d |....m.q.M14^..}.| +00000240 1e fe 6e d6 47 81 f1 db a5 00 37 32 f2 98 87 f8 |..n.G.....72....| +00000250 83 48 31 c1 5f 28 7a 59 de fd 5a 56 b0 e4 39 78 |.H1._(zY..ZV..9x| +00000260 38 d4 68 b3 ef 16 a1 3e 41 ee 57 94 2e fb 16 4c |8.h....>A.W....L| +00000270 fd 02 3a c1 57 c6 4b 3b 2b 63 79 67 e1 cf 07 21 |..:.W.K;+cyg...!| +00000280 27 c7 9e 4a b0 bf e1 c2 4a 6e 9a 82 2a 8c 05 8d |'..J....Jn..*...| +00000290 93 48 0d 1c 15 60 66 d0 da b3 2f dc 90 fd 9e 6b 
|.H...`f.../....k| +000002a0 c2 62 ee a4 25 c5 52 e3 44 00 b8 6c 2d 6b 16 d7 |.b..%.R.D..l-k..| +000002b0 bc a4 2b b9 71 b7 b0 fc a4 e7 78 a3 39 1e 54 6f |..+.q.....x.9.To| +000002c0 7f c5 4c 20 4d b5 84 db 00 1d d0 ad 7a b8 13 e6 |..L M.......z...| +000002d0 06 f1 c2 f9 06 b5 c1 23 50 b1 0d f9 38 4d 80 65 |.......#P...8M.e| +000002e0 e1 56 7c 04 3f d8 07 b7 46 5a ff 29 f3 d4 43 fa |.V|.?...FZ.)..C.| +000002f0 be 32 47 76 58 7a c4 50 76 b7 65 5f 56 83 f9 06 |.2GvXz.Pv.e_V...| +00000300 44 30 65 0a 4b b1 e9 5c 80 4e 3c 1b 67 6f e1 53 |D0e.K..\.N<.go.S| +00000310 09 a8 3b 0f a6 85 f7 2f 51 08 48 94 9b 5a 0f b6 |..;..../Q.H..Z..| +00000320 b8 24 52 e0 c2 67 55 1d bc e1 e3 1b 15 8e 17 03 |.$R..gU.........| +00000330 03 00 99 58 f7 33 99 2c 8c 8c 18 78 60 49 6d 44 |...X.3.,...x`ImD| +00000340 f7 b4 25 5f 29 2b 37 7d ff 40 07 42 dd b3 9b a1 |..%_)+7}.@.B....| +00000350 10 a5 d6 d0 de 6d ca a0 df 41 82 0b e6 8a 35 8c |.....m...A....5.| +00000360 b7 52 aa 1c 8c f4 c2 31 2c 92 0b be 99 70 b0 84 |.R.....1,....p..| +00000370 c1 f4 9f d4 ff c7 ab e0 64 9e 17 34 aa 58 2d 32 |........d..4.X-2| +00000380 6d 74 90 ec f1 87 11 8f 9c 86 e2 26 2a 51 3e d4 |mt.........&*Q>.| +00000390 4b e4 01 13 13 6b cf 96 c6 ba 8e cf 8a 2b 5a 72 |K....k.......+Zr| +000003a0 df d7 43 47 ef 33 10 53 22 5c ab 8b b3 b4 6d 3c |..CG.3.S"\....m<| +000003b0 a6 31 58 f2 d7 bc 1c 46 48 4f 34 a1 62 5c ed 33 |.1X....FHO4.b\.3| +000003c0 01 3f ae 63 15 d5 94 96 b6 a1 d5 00 17 03 03 00 |.?.c............| +000003d0 35 34 66 3e 16 07 f3 ea c0 61 a6 30 c7 6f e9 1d |54f>.....a.0.o..| +000003e0 8b 6d 66 11 3c eb 27 88 9e 1a 94 86 85 0e da a0 |.mf.<.'.........| +000003f0 d7 1e 9e 2c d8 55 3e 53 b7 0f bc 96 be 82 00 34 |...,.U>S.......4| +00000400 a1 b3 3e c6 d3 bf |..>...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 35 df 1b 3b a9 e7 cd 63 2c a6 09 65 |....5..;...c,..e| +00000010 66 df 94 09 d1 c4 ce 44 22 8b b5 48 2e 23 62 3a |f......D"..H.#b:| +00000020 9f e3 b2 58 a7 b2 e3 2a 27 a9 4d 34 41 0c 31 41 
|...X...*'.M4A.1A| +00000030 92 b7 48 02 d2 51 d6 97 3e 70 17 03 03 00 17 f1 |..H..Q..>p......| +00000040 b7 28 75 42 2a 8b 20 2a 97 ed 47 ac a0 ee fd 38 |.(uB*. *..G....8| +00000050 cb 00 e3 b2 b1 87 17 03 03 00 13 bc 5a f3 ee 64 |............Z..d| +00000060 4d a5 1a 64 35 f2 f6 82 e3 e4 7d 82 08 c4 |M..d5.....}...| diff --git a/testdata/Client-TLSv13-P256-ECDHE b/testdata/Client-TLSv13-P256-ECDHE new file mode 100644 index 00000000..7c8997db --- /dev/null +++ b/testdata/Client-TLSv13-P256-ECDHE 
@@ -0,0 +1,93 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 13 01 00 01 0f 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 94 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 04 00 02 00 17 00 0b 00 02 01 00 00 0d 00 18 00 |................| +000000a0 16 08 04 08 05 08 06 04 01 04 03 05 01 05 03 06 |................| +000000b0 01 06 03 02 01 02 03 ff 01 00 01 00 00 12 00 00 |................| +000000c0 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 33 00 |.+............3.| +000000d0 47 00 45 00 17 00 41 04 1e 18 37 ef 0d 19 51 88 |G.E...A...7...Q.| +000000e0 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 fd a7 24 20 |5uq..T[....g..$ | +000000f0 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e f1 07 9f |>.V...(^.+-O....| +00000100 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 a6 b5 68 |lK[.V.2B.X..I..h| +00000110 1a 41 03 56 6b dc 5a 89 |.A.Vk.Z.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 9b 02 00 00 97 03 03 9b 6d 68 8f c5 |............mh..| +00000010 57 3c 87 82 4c 88 98 ec 51 3c bd 18 c7 02 b4 5a |W<..L...Q<.....Z| +00000020 ed 76 16 f9 54 87 1c 83 3f 76 1a 20 00 00 00 00 |.v..T...?v. 
....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.| +00000060 a8 5f cf 31 63 1e 59 63 80 b9 59 47 ee 50 d6 68 |._.1c.Yc..YG.P.h| +00000070 af fe 1f 1f b0 4f ae 67 a8 d1 f1 a7 ff f4 43 f8 |.....O.g......C.| +00000080 15 74 ae a7 64 1f 35 2b 29 b3 16 54 91 5c 0f 7d |.t..d.5+)..T.\.}| +00000090 c5 63 64 2c 16 f4 99 e3 76 52 6f f6 b6 e8 c7 78 |.cd,....vRo....x| +000000a0 14 03 03 00 01 01 17 03 03 00 17 47 98 e0 19 54 |...........G...T| +000000b0 3e f3 78 0a 24 92 23 bb c0 03 5d 51 8b fb c1 c2 |>.x.$.#...]Q....| +000000c0 8e e6 17 03 03 02 6d ba 0a a6 e1 a8 13 0c 3c fd |......m.......<.| +000000d0 0d ae 7e 47 76 78 9d 17 13 03 53 ba 7a 22 a4 55 |..~Gvx....S.z".U| +000000e0 3b a3 30 51 d0 e6 33 c3 95 63 07 99 aa 12 82 c3 |;.0Q..3..c......| +000000f0 be 5d b0 88 2e 91 9c 87 a7 a0 a5 79 d8 5e 1c b2 |.].........y.^..| +00000100 9b 27 6e da 98 63 a6 9a e0 f2 51 83 f0 49 85 a4 |.'n..c....Q..I..| +00000110 63 0f 1a 48 85 29 c1 31 78 c0 66 61 36 d2 ec 7c |c..H.).1x.fa6..|| +00000120 ed ba 35 42 ed 7f be a5 2c 91 11 8f 95 f9 8f 7a |..5B....,......z| +00000130 04 32 14 01 5c 78 21 86 f5 70 09 59 7e dc b3 7f |.2..\x!..p.Y~...| +00000140 fd ed 14 d2 40 65 cc b3 1b d7 c6 4b 30 d0 72 59 |....@e.....K0.rY| +00000150 db 1a 13 3c b8 f4 ea 8f 22 f2 13 b7 3f 9c 99 fd |...<...."...?...| +00000160 91 c2 bc e4 e0 71 63 30 81 24 26 2e 9e ff 16 8e |.....qc0.$&.....| +00000170 47 e4 e0 e4 12 2f ba 2c 7e c5 dd 91 79 4f bd 5f |G..../.,~...yO._| +00000180 0f 0e 66 5f da 0e f2 4d 9e 46 f3 c7 7f 65 f6 d4 |..f_...M.F...e..| +00000190 cd f1 cb c6 d7 5e a2 db 58 e1 d1 c5 05 63 90 a0 |.....^..X....c..| +000001a0 96 18 64 29 92 95 88 6c 9f f8 9b 54 b6 d2 e2 bc |..d)...l...T....| +000001b0 3d 6f f2 c0 56 76 66 05 21 47 80 e9 63 85 a1 12 |=o..Vvf.!G..c...| +000001c0 c9 e8 80 c4 fe b5 63 86 cf ae 8f 83 ff ae ff 63 
|......c........c| +000001d0 77 20 ae 9c f7 88 1f 6d 18 4a 33 e9 2b e0 12 ca |w .....m.J3.+...| +000001e0 05 4c b7 25 35 b6 8d a4 ba 00 5c f2 be ab a7 d6 |.L.%5.....\.....| +000001f0 0e 02 1c 58 da af c9 51 4c e8 8e b8 fa 27 78 76 |...X...QL....'xv| +00000200 9d 50 2e 36 98 09 23 12 37 f0 c6 4a 32 00 cd 09 |.P.6..#.7..J2...| +00000210 9e ca 6b e4 1e d6 7f 9c 72 b3 81 13 29 2c fe 49 |..k.....r...),.I| +00000220 99 92 2f 8f c9 f0 86 9d fa 56 b8 6c 7b 76 fc 12 |../......V.l{v..| +00000230 c5 1f e7 a1 ea 13 99 ac 2c 6b 9c 23 3e 0b 78 0c |........,k.#>.x.| +00000240 41 9a 47 51 0c 64 87 a3 b8 1b 7f 2c d9 c5 b2 28 |A.GQ.d.....,...(| +00000250 36 13 7e b5 8c ab 32 50 64 a0 eb 9f 57 19 eb fa |6.~...2Pd...W...| +00000260 1e 1d b3 73 81 18 14 de 6b ef 68 ed 37 da 29 0e |...s....k.h.7.).| +00000270 9a 7d c1 31 c5 bd 76 60 2b 40 3a 85 c2 1c b1 de |.}.1..v`+@:.....| +00000280 9f 41 00 22 5a 63 72 9f 57 4e 02 1b 5a 2c 5f 0a |.A."Zcr.WN..Z,_.| +00000290 c0 e2 c8 4c ca 18 39 7e c0 b8 67 58 b4 bd 0c 5b |...L..9~..gX...[| +000002a0 3a bd 1e 39 fd 09 73 63 e9 41 86 6b ed fe 35 f0 |:..9..sc.A.k..5.| +000002b0 64 ed 14 c9 d3 6c 65 97 96 fc dd bf 9f dd e4 01 |d....le.........| +000002c0 1b 02 ad 5a 55 f5 86 9f c1 56 ce 59 30 16 bb 9c |...ZU....V.Y0...| +000002d0 c8 9f 13 5a fd 61 7d 40 3f ec e7 9c 1e 61 0d c7 |...Z.a}@?....a..| +000002e0 44 87 84 2b fd 80 9d dd 00 a0 ce 19 fa 9a 3c f5 |D..+..........<.| +000002f0 59 3b 03 27 10 93 64 15 f4 a5 bd 3b f2 91 38 03 |Y;.'..d....;..8.| +00000300 a4 4f a4 6a dd 7e 3e 8c 5c 40 19 59 f9 7f a7 7c |.O.j.~>.\@.Y...|| +00000310 22 3b e8 55 88 b4 99 1f cb d9 2f 49 74 4d 3c 8b |";.U....../ItM<.| +00000320 81 7a 0c 31 77 87 aa 9d 57 9b cd 8a 16 6a cc 06 |.z.1w...W....j..| +00000330 51 83 1b 00 17 03 03 00 99 a8 77 b4 5b 03 63 c5 |Q.........w.[.c.| +00000340 fb 02 54 c7 56 aa fb ba 3d 19 52 34 c8 1a d5 3f |..T.V...=.R4...?| +00000350 ef bc b9 62 96 e6 42 be 13 4c 67 7a 4c 01 21 14 |...b..B..LgzL.!.| +00000360 12 5a 91 80 0b ff 19 90 b4 a9 d6 66 bc 50 9c 
6c |.Z.........f.P.l| +00000370 a2 63 57 d2 78 e7 cb 1a ed 55 02 64 05 f8 7b 4f |.cW.x....U.d..{O| +00000380 1f 5f af a4 ce 9c 9c 82 e2 80 36 77 e6 9b be 82 |._........6w....| +00000390 25 bd 30 a5 e9 7f f8 a3 f8 f7 56 eb a1 8f f3 e5 |%.0.......V.....| +000003a0 6d 9f c0 30 e6 95 83 e3 1b 45 49 10 50 e1 7f 27 |m..0.....EI.P..'| +000003b0 cd 2c da e4 4b da 0d 77 d3 87 fe d2 38 55 e6 ea |.,..K..w....8U..| +000003c0 ec 12 90 ba f5 c7 5d 87 cd f1 35 5b 5b 8e d9 a4 |......]...5[[...| +000003d0 a5 04 17 03 03 00 35 84 59 aa d7 a6 cb 73 41 df |......5.Y....sA.| +000003e0 55 60 eb 39 3d 38 e4 84 96 72 40 ac 90 f4 38 59 |U`.9=8...r@...8Y| +000003f0 be 17 59 ee fa 51 cf 03 1a ec 6a 88 c2 bb 82 3a |..Y..Q....j....:| +00000400 11 3b 62 50 3c a5 4a c7 0e e7 e5 a8 |.;bP<.J.....| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 ea 0d 79 a3 d3 98 d9 41 c1 f0 0f |....5..y....A...| +00000010 43 e6 77 23 c7 e2 ca 20 27 ed de 0b 89 fd 2b 60 |C.w#... '.....+`| +00000020 cc c0 09 b2 d1 9c 50 c2 de 79 1f af cb 18 1b df |......P..y......| +00000030 e5 63 33 21 f7 36 35 f5 83 bd 17 03 03 00 17 a4 |.c3!.65.........| +00000040 03 32 95 72 e9 81 7a dc 86 92 d4 d3 6e 27 31 6e |.2.r..z.....n'1n| +00000050 fb 5e f3 4d f7 cb 17 03 03 00 13 69 ad fb c5 d1 |.^.M.......i....| +00000060 8e 3f 20 f5 70 18 41 8f 91 9d 23 58 26 75 |.? .p.A...#X&u| diff --git a/testdata/Client-TLSv13-RenegotiationRejected b/testdata/Client-TLSv13-RenegotiationRejected new file mode 100644 index 00000000..69efb593 --- /dev/null +++ b/testdata/Client-TLSv13-RenegotiationRejected 
@@ -0,0 +1,107 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 18 00 16 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 ff 01 00 |................| +000000c0 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 54 7e 6f 02 63 |....z...v..T~o.c| +00000010 1c ce 10 08 72 06 43 09 69 c1 bb d1 df 5d 05 1f |....r.C.i....]..| +00000020 67 44 47 37 10 75 37 ab 8b dd 58 20 00 00 00 00 |gDG7.u7...X ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 e0 |..+.....3.$... 
.| +00000060 69 f4 18 18 65 bd a3 f0 ec c5 29 6b 1d 97 53 4c |i...e.....)k..SL| +00000070 84 c0 e1 d7 81 21 66 9d bc 9a e1 b6 62 70 3e 14 |.....!f.....bp>.| +00000080 03 03 00 01 01 17 03 03 00 17 b8 7a b7 13 71 7b |...........z..q{| +00000090 d0 0f fa 58 ae bb b3 1f 2b c9 77 08 94 22 d9 69 |...X....+.w..".i| +000000a0 78 17 03 03 02 6d 80 bb df 32 4b 7f 94 3d f2 34 |x....m...2K..=.4| +000000b0 ea cd 2d fc f1 8f eb 33 39 73 f2 ad 17 20 fa be |..-....39s... ..| +000000c0 99 15 48 91 af fc 01 80 63 e2 05 64 ea 5f 72 9c |..H.....c..d._r.| +000000d0 2c 30 41 ad 62 d2 17 4e eb 10 bb 54 b6 63 08 cb |,0A.b..N...T.c..| +000000e0 3b 2c a7 30 44 ca 78 20 f3 0b 8f 41 cf 3f 32 e8 |;,.0D.x ...A.?2.| +000000f0 e5 b1 a7 2f 0d 04 59 3e 00 85 36 41 17 f8 13 b7 |.../..Y>..6A....| +00000100 92 24 2c 14 49 05 0c fa d7 73 95 10 e6 fb b4 7e |.$,.I....s.....~| +00000110 6e 24 b1 87 cb aa 5e 09 c8 c7 57 16 eb 6d d3 ec |n$....^...W..m..| +00000120 d6 39 c2 ab 3d b8 8e 0e 7e ec 58 3d 0e 9e 81 7f |.9..=...~.X=....| +00000130 2d ad 32 0d d7 18 5f e2 b8 0d d7 59 90 e6 40 49 |-.2..._....Y..@I| +00000140 4f 20 8b fb 9d 94 f9 15 50 0e bb d9 cd ed 9c 7f |O ......P.......| +00000150 88 ce cb b2 60 6a 9d f1 de fa df 43 df 24 c2 15 |....`j.....C.$..| +00000160 64 a0 72 f8 36 fe 38 2d a1 78 58 51 cd 9e df 59 |d.r.6.8-.xXQ...Y| +00000170 5b ea fb d8 e9 31 e2 33 b9 5f fb a6 a2 bb 5f c8 |[....1.3._...._.| +00000180 80 37 16 71 2c 9d d5 98 85 dd 79 ff 82 01 e4 80 |.7.q,.....y.....| +00000190 09 e1 02 22 b2 08 a6 ef bb 05 2b 52 6c 31 08 94 |..."......+Rl1..| +000001a0 f3 31 7a fd b6 f3 b9 8d 19 74 f9 fd 76 6e 4c 29 |.1z......t..vnL)| +000001b0 cf 06 48 e0 4e 85 5d 03 63 97 ef 59 fe 8e 51 2e |..H.N.].c..Y..Q.| +000001c0 2f 68 ad 55 14 b1 56 9b 00 eb 43 2a 03 7e 56 a8 |/h.U..V...C*.~V.| +000001d0 5f 83 6d 4f a2 43 1f 95 2d 8f 6d b3 e2 fb 63 ce |_.mO.C..-.m...c.| +000001e0 de ef e6 e2 0b 3d 7c dd 06 62 38 80 ce a6 88 03 |.....=|..b8.....| +000001f0 3b 39 67 3c 60 ea 4c a4 0b 2d 8a d3 b0 b9 2f 10 
|;9g<`.L..-..../.| +00000200 85 5f 30 a5 37 e9 f1 0d 34 f7 a4 c7 15 7b c7 08 |._0.7...4....{..| +00000210 7a 32 8f 52 87 ac 67 c1 c3 f4 1a e0 f3 3a ff ae |z2.R..g......:..| +00000220 85 85 ca d9 4b 4f ad 5f b3 bd 65 98 b4 63 b1 68 |....KO._..e..c.h| +00000230 29 38 39 37 e0 46 01 2f 4d dd 11 94 b0 0e 15 d9 |)897.F./M.......| +00000240 1d c8 a8 ee 4f 72 2d 3c 7b 4a 9b 6a 82 bd f6 78 |....Or-<{J.j...x| +00000250 94 c2 43 e5 6c 14 3f 69 4c dc 6a 7b fa e4 a3 1c |..C.l.?iL.j{....| +00000260 cc 46 75 e3 b2 50 5b 29 50 67 91 ea 45 54 87 42 |.Fu..P[)Pg..ET.B| +00000270 38 99 12 e8 25 86 ab 2b a8 24 72 dc 75 ae d6 bd |8...%..+.$r.u...| +00000280 93 ab fb 75 07 8a 7a 2b 6c 1b 0f 06 6d 9e cd e2 |...u..z+l...m...| +00000290 d4 c6 f0 52 7e 52 59 dd 9b cd 5c d1 77 17 1b d7 |...R~RY...\.w...| +000002a0 1d 03 4f 4e d8 0f b7 7c c7 f8 10 6a 3c 97 4f e3 |..ON...|...j<.O.| +000002b0 e3 2d b3 2a b0 42 c0 ab 9c fd 33 88 b6 8b 60 95 |.-.*.B....3...`.| +000002c0 fb 14 35 28 66 b5 49 1b a3 45 a6 e3 d4 86 ff ec |..5(f.I..E......| +000002d0 6e ad 18 54 60 66 e0 28 89 e8 12 3a ba f6 ab b6 |n..T`f.(...:....| +000002e0 f6 e8 68 3e 2a 2b d7 e0 c8 ed dc 37 9b 1c 94 ef |..h>*+.....7....| +000002f0 c9 91 c7 c6 47 13 4a c7 bf fc 44 9a 41 94 73 61 |....G.J...D.A.sa| +00000300 b2 ca 6a a1 cf 0a 65 c9 79 be 2a 8f 00 b7 99 98 |..j...e.y.*.....| +00000310 03 03 20 17 03 03 00 99 50 46 40 7e 04 bd 9f ec |.. 
.....PF@~....| +00000320 82 d2 f7 72 a0 00 aa 7c 9b 59 b7 a1 14 81 98 8e |...r...|.Y......| +00000330 18 58 c5 7c e2 96 7d 79 24 41 ad f1 51 1f d9 8a |.X.|..}y$A..Q...| +00000340 25 3c d0 f0 c0 77 82 1c 76 0c f0 f0 f4 2e c7 1a |%<...w..v.......| +00000350 dd 81 84 77 b5 9a 5c 78 02 7f db bb 2c d4 8e 7f |...w..\x....,...| +00000360 63 c2 86 de 43 01 c1 3c 35 28 d0 91 f0 bc ec 83 |c...C..<5(......| +00000370 dd b7 a4 91 b2 c5 1e e4 b7 da fd 0a df f7 33 b0 |..............3.| +00000380 37 39 1b 0c 01 00 1f df 1d c5 44 fc 5b 84 53 22 |79........D.[.S"| +00000390 21 1d 02 49 97 c7 08 dc 4a 28 cc 6f fc 5e 9c d5 |!..I....J(.o.^..| +000003a0 cf ea 11 89 f5 5f 15 25 e6 f7 bf a9 b4 c1 bb 91 |....._.%........| +000003b0 5d 17 03 03 00 35 23 b8 53 0a 97 0f e7 6c 01 5c |]....5#.S....l.\| +000003c0 5e 22 2e 14 ab 33 6d 87 3f 99 41 35 50 c4 95 76 |^"...3m.?.A5P..v| +000003d0 ea ac 8d d4 01 10 55 0a 74 c3 8a 80 64 44 cc 7c |......U.t...dD.|| +000003e0 d0 59 a5 34 dd c7 b9 13 ff 54 55 |.Y.4.....TU| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 c9 d1 1c 82 c8 d6 03 be 95 47 78 |....5.........Gx| +00000010 4d 0e 3a 7c fb 60 55 5f 41 5c dd 63 47 41 ff 43 |M.:|.`U_A\.cGA.C| +00000020 c9 4b 1c 37 bc be ac 2a f6 2c d7 39 06 58 5d 71 |.K.7...*.,.9.X]q| +00000030 ab 71 6a 5d 3c 52 c6 f1 48 ee 17 03 03 00 17 d6 |.qj].E..~XIw.| +00000050 50 e4 a2 35 35 67 |P..55g| +>>> Flow 4 (server to client) +00000000 17 03 03 00 da 01 9d a9 a7 3b 74 8a d3 cb 20 49 |.........;t... I| +00000010 b1 73 82 ca 35 bb d7 6b 0d 0d 29 c2 6b 3c 63 75 |.s..5..k..).k.s. 
..l.]m].0(.| +00000050 f1 37 92 e8 f7 f7 db 16 82 0e 01 60 9c 88 c4 18 |.7.........`....| +00000060 d5 e7 b2 7c 3e ba e5 df 40 12 77 83 2c c8 0a 59 |...|>...@.w.,..Y| +00000070 a1 cc 43 17 c5 3d 77 76 39 07 ea 4a 37 10 dd d2 |..C..=wv9..J7...| +00000080 cc a5 70 3b d6 d1 41 c6 67 1c 16 61 e3 32 f7 a0 |..p;..A.g..a.2..| +00000090 21 76 4d 3f c0 6a 9d 82 e8 0f b4 44 07 a4 c7 74 |!vM?.j.....D...t| +000000a0 e4 38 be d8 7d 61 f7 cc dc 61 0f 3b 81 f0 b7 4d |.8..}a...a.;...M| +000000b0 7c ac 85 0c 2b 93 6c 02 a4 76 c5 fe f2 c2 d6 81 ||...+.l..v......| +000000c0 18 9b f4 11 ae 8c e6 c4 7a 91 d2 f7 84 43 fc 22 |........z....C."| +000000d0 a1 85 90 cb 20 07 2e 91 87 e9 65 a1 2f 1f 5b |.... .....e./.[| +>>> Flow 5 (client to server) +00000000 17 03 03 00 13 6f bd 84 f6 9b 45 bc 84 ba 22 b0 |.....o....E...".| +00000010 ae 0f cf 02 fa f7 4e 15 17 03 03 00 13 c1 b9 70 |......N........p| +00000020 e4 13 f9 b1 dc 1c d6 6e 7f ca 2b 1e d5 ab 0f 9c |.......n..+.....| diff --git a/testdata/Client-TLSv13-X25519-ECDHE b/testdata/Client-TLSv13-X25519-ECDHE new file mode 100644 index 00000000..c8ecf835 --- /dev/null +++ b/testdata/Client-TLSv13-X25519-ECDHE 
@@ -0,0 +1,89 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f2 01 00 00 ee 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 73 00 05 00 05 01 00 00 00 00 00 0a 00 |...s............| +00000090 04 00 02 00 1d 00 0b 00 02 01 00 00 0d 00 18 00 |................| +000000a0 16 08 04 08 05 08 06 04 01 04 03 05 01 05 03 06 |................| +000000b0 01 06 03 02 01 02 03 ff 01 00 01 00 00 12 00 00 |................| +000000c0 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 33 00 |.+............3.| +000000d0 26 00 24 00 1d 00 20 2f e5 7d a3 47 cd 62 43 15 |&.$... /.}.G.bC.| +000000e0 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed |(.._.).0........| +000000f0 90 99 5f 58 cb 3b 74 |.._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 89 a2 c7 e7 3a |....z...v......:| +00000010 1e 5c a5 51 bd ad 35 de 3d 36 f6 ac ce 57 d0 f1 |.\.Q..5.=6...W..| +00000020 e4 c4 42 3f 1d c3 2b 13 a7 0f 20 20 00 00 00 00 |..B?..+... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 01 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 94 |..+.....3.$... 
.| +00000060 b6 b9 7b 23 f1 28 d5 b6 96 5a ec e4 03 52 68 5a |..{#.(...Z...RhZ| +00000070 23 2e bf c3 cc 2b 0b e8 06 c1 b4 34 52 1f 28 14 |#....+.....4R.(.| +00000080 03 03 00 01 01 17 03 03 00 17 31 ef c3 81 8c d9 |..........1.....| +00000090 9d 98 71 b8 08 27 0e d6 c1 35 09 58 36 38 bc cc |..q..'...5.X68..| +000000a0 a9 17 03 03 02 6d 25 2e 10 a3 aa b1 6a cd 7c ed |.....m%.....j.|.| +000000b0 78 ab 43 5d c8 1f 60 51 00 83 49 59 ac 95 bd 87 |x.C]..`Q..IY....| +000000c0 98 a7 cd 1e 4d 65 d6 bd 76 78 a9 77 e5 0e 44 73 |....Me..vx.w..Ds| +000000d0 1f 5f 24 64 fc 05 02 9e 0d 70 de 04 dc b2 7e d3 |._$d.....p....~.| +000000e0 ee 8d 2e e4 1e 6d 02 dd 45 b8 69 14 46 f5 02 a6 |.....m..E.i.F...| +000000f0 f1 53 10 02 3a 84 1b 12 d9 cb 64 70 87 8b 1f f5 |.S..:.....dp....| +00000100 51 d7 02 a8 93 2c 48 14 f6 d6 bd f3 48 f0 7c 10 |Q....,H.....H.|.| +00000110 82 f7 b2 97 22 26 15 1a 67 4a 0e ca 7c 41 ee 08 |...."&..gJ..|A..| +00000120 78 b6 44 e1 17 78 9a a1 32 d6 68 99 9d a1 4f e1 |x.D..x..2.h...O.| +00000130 88 7e 3c 73 67 76 47 68 5c 88 21 e1 2b 5c 87 37 |.~.| +000001c0 76 71 d1 ba 52 2e 7c e8 01 49 b6 61 e0 e7 17 c1 |vq..R.|..I.a....| +000001d0 38 35 fd fa 4d 90 02 eb c6 b2 a4 d7 a1 ef 4a 4c |85..M.........JL| +000001e0 61 90 a3 0c 00 f2 9b d4 de ce 98 77 fc 54 ef 57 |a..........w.T.W| +000001f0 81 93 06 60 a1 9a da 9d 92 23 28 db 1e 60 3b 6e |...`.....#(..`;n| +00000200 15 18 2d 60 ee f6 60 ed e6 1a 41 a2 62 0a de f5 |..-`..`...A.b...| +00000210 c4 a1 53 d2 16 e8 92 dd 43 7b 6a 26 8b 83 27 42 |..S.....C{j&..'B| +00000220 85 36 6f 73 e9 e2 68 aa 32 e2 28 58 0a eb 1a 7e |.6os..h.2.(X...~| +00000230 d3 b1 cf e7 02 3f c4 25 85 89 80 ab 57 b4 82 2c |.....?.%....W..,| +00000240 90 2a f7 ea 2f 97 59 16 21 d1 79 a8 67 53 a3 61 |.*../.Y.!.y.gS.a| +00000250 1b fa 9a a4 4f dc 66 72 fd 0e ff 31 e0 8f 3a 54 |....O.fr...1..:T| +00000260 63 ee 13 2a d7 af 62 53 3c 19 b5 7d fc 8b 4b 12 |c..*..bS<..}..K.| +00000270 e1 a6 16 a7 28 54 b9 d9 a9 30 08 42 18 11 3b 53 |....(T...0.B..;S| 
+00000280 98 b1 72 9a 3e 46 9a b5 86 5e e2 6d d7 00 17 6b |..r.>F...^.m...k| +00000290 00 78 35 66 46 03 cb c7 6e 24 32 1b 1d 06 59 96 |.x5fF...n$2...Y.| +000002a0 43 e1 1a bb e5 b6 df 58 bd ec 90 bf b2 2f dd 79 |C......X...../.y| +000002b0 74 21 8d bd 6a ed 63 ee ed 19 43 96 58 c8 55 b5 |t!..j.c...C.X.U.| +000002c0 2f 6e a8 7f 5c fe cd 56 b0 9e e8 03 63 ab be e4 |/n..\..V....c...| +000002d0 45 e0 b8 a0 6c cb 37 dc b8 a4 a1 cd bc c5 09 78 |E...l.7........x| +000002e0 ea d7 00 26 bf f1 fb 02 1e 46 1a ce ca f5 5c 56 |...&.....F....\V| +000002f0 73 42 a7 32 20 09 70 4b 1c bb ca 79 6d ad 8a 6c |sB.2 .pK...ym..l| +00000300 3f 4a e1 b1 1e d4 76 9d 89 91 20 76 cd f6 99 92 |?J....v... v....| +00000310 de 64 00 17 03 03 00 99 7f af 97 d5 ba 57 8a e8 |.d...........W..| +00000320 c7 c7 7c a6 fc 46 50 80 aa 49 36 3a d0 61 42 7e |..|..FP..I6:.aB~| +00000330 8d 0e 3d b4 b2 82 d5 79 51 47 1c 72 79 ed 56 ff |..=....yQG.ry.V.| +00000340 0d 95 dd a5 84 b1 ac 6d 3d 87 66 ce bf 41 c9 64 |.......m=.f..A.d| +00000350 8f 6f 91 e7 24 ff 04 30 83 77 40 33 17 da 57 5b |.o..$..0.w@3..W[| +00000360 55 be a9 a6 bd 62 2c 24 56 c8 cb a1 68 24 73 97 |U....b,$V...h$s.| +00000370 2b ab d3 a8 3b 7d df ac 81 3c 85 d3 35 16 86 c8 |+...;}...<..5...| +00000380 92 a9 a6 95 f2 1d 40 7c a1 85 a9 6d ac 4a 44 82 |......@|...m.JD.| +00000390 ec 92 26 04 b8 e2 65 3e e9 dc cb e5 d1 0a 1f a7 |..&...e>........| +000003a0 2f a5 7a 9c 7c 62 0f 4e 8a 99 53 99 02 18 09 6f |/.z.|b.N..S....o| +000003b0 64 17 03 03 00 35 62 08 e9 3d d4 bc 4c 22 ef fb |d....5b..=..L"..| +000003c0 e0 30 cc fb 85 c9 0a 2d 71 f5 06 da 17 dc 94 e0 |.0.....-q.......| +000003d0 11 7d bb 45 cf b4 32 e5 56 1d 51 e1 74 11 ef 52 |.}.E..2.V.Q.t..R| +000003e0 27 e6 3f 18 3f 72 65 6d b3 79 7a |'.?.?rem.yz| +>>> Flow 3 (client to server) +00000000 17 03 03 00 35 92 2e 10 eb db 73 85 b8 85 d6 a3 |....5.....s.....| +00000010 87 c6 18 71 f7 63 06 ed 7e 54 3b 5b a6 dd a8 70 |...q.c..~T;[...p| +00000020 c4 94 12 e2 c3 cd 5c a5 af e2 64 9d eb 36 f5 dc 
|......\...d..6..| +00000030 16 f1 12 ea 5c 95 65 1e 4b dd 17 03 03 00 17 ba |....\.e.K.......| +00000040 be 5d 51 b5 c3 d6 b8 dc a5 38 85 4a 51 0e c7 ca |.]Q......8.JQ...| +00000050 a9 70 0b c7 1c 59 17 03 03 00 13 4d c9 3f 33 6b |.p...Y.....M.?3k| +00000060 27 87 88 73 da 3e 74 b2 18 fc 04 59 fc d9 |'..s.>t....Y..|