crypto/tls: send ec_points_format extension in ServerHello

Follow the recommandation from RFC 8422, section 5.1.2 of sending back the ec_points_format extension when requested by the client. This is to fix some clients declining the handshake if omitted. Fixes #31943 Change-Id: I7b04dbac6f9af75cda094073defe081e1e9a295d Reviewed-on: https://go-review.googlesource.com/c/go/+/176418 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Olivier Poitrey <rs@rhapsodyk.net> Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

crypto/tls: send ec_points_format extension in ServerHello
Follow the recommandation from RFC 8422, section 5.1.2 of sending back the ec_points_format extension when requested by the client. This is to fix some clients declining the handshake if omitted. Fixes #31943 Change-Id: I7b04dbac6f9af75cda094073defe081e1e9a295d Reviewed-on: https://go-review.googlesource.com/c/go/+/176418 Run-TryBot: Filippo Valsorda <filippo@golang.org> Reviewed-by: Olivier Poitrey <rs@rhapsodyk.net> Reviewed-by: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
02a5502a · Olivier Poitrey · Filippo Valsorda · 54697702 · 02a5502a · 02a5502a
Commit 02a5502a authored May 09, 2019 by Olivier Poitrey Committed by Filippo Valsorda Oct 31, 2019
39 changed files
--- a/src/crypto/tls/handshake_messages.go
+++ b/src/crypto/tls/handshake_messages.go
@@ -606,6 +606,7 @@ type serverHelloMsg struct {
 	serverShare                  keyShare
 	selectedIdentityPresent      bool
 	selectedIdentity             uint16
+	supportedPoints              []uint8

 	// HelloRetryRequest extensions
 	cookie        []byte
@@ -707,6 +708,14 @@ func (m *serverHelloMsg) marshal() []byte {
 					b.AddUint16(uint16(m.selectedGroup))
 				})
 			}
+			if len(m.supportedPoints) > 0 {
+				b.AddUint16(extensionSupportedPoints)
+				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
+					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
+						b.AddBytes(m.supportedPoints)
+					})
+				})
+			}

 			extensionsPresent = len(b.BytesOrPanic()) > 2
 		})
@@ -811,6 +820,12 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool {
 			if !extData.ReadUint16(&m.selectedIdentity) {
 				return false
 			}
+		case extensionSupportedPoints:
+			// RFC 4492, Section 5.1.2
+			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
+				len(m.supportedPoints) == 0 {
+				return false
+			}
 		default:
 			// Ignore unknown extensions.
 			continue

--- a/src/crypto/tls/handshake_messages_test.go
+++ b/src/crypto/tls/handshake_messages_test.go
@@ -201,6 +201,7 @@ func (*serverHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 	m.sessionId = randomBytes(rand.Intn(32), rand)
 	m.cipherSuite = uint16(rand.Int31())
 	m.compressionMethod = uint8(rand.Intn(256))
+	m.supportedPoints = randomBytes(rand.Intn(5)+1, rand)

 	if rand.Intn(10) > 5 {
 		m.ocspStapling = true

--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -196,6 +196,15 @@ Curves:
 	}
 	hs.ecdhOk = supportedCurve && supportedPointFormat

+	if supportedPointFormat {
+		// Although omiting the ec_point_formats extension is permitted, some
+		// old OpenSSL version will refuse to handshake if not present.
+		//
+		// Per RFC 4492, section 5.1.2, implementations MUST support the
+		// uncompressed point format. See golang.org/issue/31943.
+		hs.hello.supportedPoints = []uint8{pointFormatUncompressed}
+	}
+
 	foundCompression := false
 	// We only support null compression, so check that the client offered it.
 	for _, compression := range hs.clientHello.compressionMethods {

--- a/src/crypto/tls/handshake_server_test.go
+++ b/src/crypto/tls/handshake_server_test.go
@@ -272,6 +272,79 @@ func TestTLS12OnlyCipherSuites(t *testing.T) {
 	}
 }

+func TestTLSPointFormats(t *testing.T) {
+	// Test that a Server returns the ec_point_format extention when ECC is
+	// negotiated, and not returned on RSA handshake.
+	tests := []struct {
+		name                string
+		cipherSuites        []uint16
+		supportedCurves     []CurveID
+		supportedPoints     []uint8
+		wantSupportedPoints bool
+	}{
+		{"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, []uint8{compressionNone}, true},
+		{"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			clientHello := &clientHelloMsg{
+				vers:               VersionTLS12,
+				random:             make([]byte, 32),
+				cipherSuites:       tt.cipherSuites,
+				compressionMethods: []uint8{compressionNone},
+				supportedCurves:    tt.supportedCurves,
+				supportedPoints:    tt.supportedPoints,
+			}
+
+			c, s := localPipe(t)
+			replyChan := make(chan interface{})
+			go func() {
+				cli := Client(c, testConfig)
+				cli.vers = clientHello.vers
+				cli.writeRecord(recordTypeHandshake, clientHello.marshal())
+				reply, err := cli.readHandshake()
+				c.Close()
+				if err != nil {
+					replyChan <- err
+				} else {
+					replyChan <- reply
+				}
+			}()
+			config := testConfig.Clone()
+			config.CipherSuites = clientHello.cipherSuites
+			Server(s, config).Handshake()
+			s.Close()
+			reply := <-replyChan
+			if err, ok := reply.(error); ok {
+				t.Fatal(err)
+			}
+			serverHello, ok := reply.(*serverHelloMsg)
+			if !ok {
+				t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply)
+			}
+			if tt.wantSupportedPoints {
+				if len(serverHello.supportedPoints) < 1 {
+					t.Fatal("missing ec_point_format extension from server")
+				}
+				found := false
+				for _, p := range serverHello.supportedPoints {
+					if p == pointFormatUncompressed {
+						found = true
+						break
+					}
+				}
+				if !found {
+					t.Fatal("missing uncompressed format in ec_point_format extension from server")
+				}
+			} else {
+				if len(serverHello.supportedPoints) != 0 {
+					t.Fatalf("unexcpected ec_point_format extension from server: %v", serverHello.supportedPoints)
+				}
+			}
+		})
+	}
+}
+
 func TestAlertForwarding(t *testing.T) {
 	c, s := localPipe(t)
 	go func() {

--- a/src/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES
--- a/src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial
+++ b/src/crypto/tls/testdata/Server-TLSv10-ExportKeyingMaterial
--- a/src/crypto/tls/testdata/Server-TLSv10-RSA-3DES
+++ b/src/crypto/tls/testdata/Server-TLSv10-RSA-3DES
--- a/src/crypto/tls/testdata/Server-TLSv10-RSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv10-RSA-AES
--- a/src/crypto/tls/testdata/Server-TLSv10-RSA-RC4
+++ b/src/crypto/tls/testdata/Server-TLSv10-RSA-RC4
--- a/src/crypto/tls/testdata/Server-TLSv11-RSA-RC4
+++ b/src/crypto/tls/testdata/Server-TLSv11-RSA-RC4
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN
--- a/src/crypto/tls/testdata/Server-TLSv12-ALPN-NoMatch
+++ b/src/crypto/tls/testdata/Server-TLSv12-ALPN-NoMatch
--- a/src/crypto/tls/testdata/Server-TLSv12-CipherSuiteCertPreferenceECDSA
+++ b/src/crypto/tls/testdata/Server-TLSv12-CipherSuiteCertPreferenceECDSA
--- a/src/crypto/tls/testdata/Server-TLSv12-CipherSuiteCertPreferenceRSA
+++ b/src/crypto/tls/testdata/Server-TLSv12-CipherSuiteCertPreferenceRSA
--- a/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven
+++ b/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven
--- a/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndEd25519Given
+++ b/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndEd25519Given
--- a/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven
+++ b/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven
--- a/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given
+++ b/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given
--- a/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedNotGiven
+++ b/src/crypto/tls/testdata/Server-TLSv12-ClientAuthRequestedNotGiven
--- a/src/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES
--- a/src/crypto/tls/testdata/Server-TLSv12-Ed25519
+++ b/src/crypto/tls/testdata/Server-TLSv12-Ed25519
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 cb 01 00 00  c7 03 03 a6 41 b7 62 67  |............A.bg|
-00000010  34 b4 48 22 67 fd e6 a9  12 29 b7 85 6a 27 c9 fc  |4.H"g....)..j'..|
-00000020  70 3a cc 0c 94 61 88 d1  9e 22 3d 00 00 38 c0 2c  |p:...a..."=..8.,|
+00000000  16 03 01 00 cb 01 00 00  c7 03 03 b8 0c b4 c2 92  |................|
+00000010  d9 b6 77 56 d9 9f 2b 94  c9 2f c8 28 4f bf 69 bc  |..wV..+../.(O.i.|
+00000020  8f 4c 81 46 a6 43 4b e7  e5 70 b2 00 00 38 c0 2c  |.L.F.CK..p...8.,|
 00000030  c0 30 00 9f cc a9 cc a8  cc aa c0 2b c0 2f 00 9e  |.0.........+./..|
 00000040  c0 24 c0 28 00 6b c0 23  c0 27 00 67 c0 0a c0 14  |.$.(.k.#.'.g....|
 00000050  00 39 c0 09 c0 13 00 33  00 9d 00 9c 00 3d 00 3c  |.9.....3.....=.<|
@@ -13,51 +13,51 @@
 000000b0  08 0b 08 04 08 05 08 06  04 01 05 01 06 01 03 03  |................|
 000000c0  02 03 03 01 02 01 03 02  02 02 04 02 05 02 06 02  |................|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 31 02 00 00  2d 03 03 00 00 00 00 00  |....1...-.......|
+00000000  16 03 03 00 37 02 00 00  33 03 03 00 00 00 00 00  |....7...3.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 44 4f 57 4e 47  52 44 01 00 c0 2c 00 00  |...DOWNGRD...,..|
-00000030  05 ff 01 00 01 00 16 03  03 01 3c 0b 00 01 38 00  |..........<...8.|
-00000040  01 35 00 01 32 30 82 01  2e 30 81 e1 a0 03 02 01  |.5..20...0......|
-00000050  02 02 10 0f 43 1c 42 57  93 94 1d e9 87 e4 f1 ad  |....C.BW........|
-00000060  15 00 5d 30 05 06 03 2b  65 70 30 12 31 10 30 0e  |..]0...+ep0.1.0.|
-00000070  06 03 55 04 0a 13 07 41  63 6d 65 20 43 6f 30 1e  |..U....Acme Co0.|
-00000080  17 0d 31 39 30 35 31 36  32 31 33 38 30 31 5a 17  |..190516213801Z.|
-00000090  0d 32 30 30 35 31 35 32  31 33 38 30 31 5a 30 12  |.200515213801Z0.|
-000000a0  31 10 30 0e 06 03 55 04  0a 13 07 41 63 6d 65 20  |1.0...U....Acme |
-000000b0  43 6f 30 2a 30 05 06 03  2b 65 70 03 21 00 3f e2  |Co0*0...+ep.!.?.|
-000000c0  15 2e e6 e3 ef 3f 4e 85  4a 75 77 a3 64 9e ed e0  |.....?N.Juw.d...|
-000000d0  bf 84 2c cc 92 26 8f fa  6f 34 83 aa ec 8f a3 4d  |..,..&..o4.....M|
-000000e0  30 4b 30 0e 06 03 55 1d  0f 01 01 ff 04 04 03 02  |0K0...U.........|
-000000f0  05 a0 30 13 06 03 55 1d  25 04 0c 30 0a 06 08 2b  |..0...U.%..0...+|
-00000100  06 01 05 05 07 03 01 30  0c 06 03 55 1d 13 01 01  |.......0...U....|
-00000110  ff 04 02 30 00 30 16 06  03 55 1d 11 04 0f 30 0d  |...0.0...U....0.|
-00000120  82 0b 65 78 61 6d 70 6c  65 2e 63 6f 6d 30 05 06  |..example.com0..|
-00000130  03 2b 65 70 03 41 00 63  44 ed 9c c4 be 53 24 53  |.+ep.A.cD....S$S|
-00000140  9f d2 10 8d 9f e8 21 08  90 95 39 e5 0d c1 55 ff  |......!...9...U.|
-00000150  2c 16 b7 1d fc ab 7d 4d  d4 e0 93 13 d0 a9 42 e0  |,.....}M......B.|
-00000160  b6 6b fe 5d 67 48 d7 9f  50 bc 6c cd 4b 03 83 7c  |.k.]gH..P.l.K..||
-00000170  f2 08 58 cd ac cf 0c 16  03 03 00 6c 0c 00 00 68  |..X........l...h|
-00000180  03 00 1d 20 2f e5 7d a3  47 cd 62 43 15 28 da ac  |... /.}.G.bC.(..|
-00000190  5f bb 29 07 30 ff f6 84  af c4 cf c2 ed 90 99 5f  |_.).0.........._|
-000001a0  58 cb 3b 74 08 07 00 40  b8 a3 37 f4 74 44 64 eb  |X.;t...@..7.tDd.|
-000001b0  1f 4b a1 5c 6e 3b 46 a0  b8 ce ce da 79 8d 03 d8  |.K.\n;F.....y...|
-000001c0  a2 c2 1d ca 25 21 d2 c3  cf 65 02 7e 4c d6 9a 5a  |....%!...e.~L..Z|
-000001d0  ba 60 51 71 e4 37 ab 70  18 73 f1 a0 e5 f9 e3 2d  |.`Qq.7.p.s.....-|
-000001e0  00 37 68 97 cf fa e4 08  16 03 03 00 04 0e 00 00  |.7h.............|
-000001f0  00                                                |.|
+00000030  0b ff 01 00 01 00 00 0b  00 02 01 00 16 03 03 01  |................|
+00000040  3c 0b 00 01 38 00 01 35  00 01 32 30 82 01 2e 30  |<...8..5..20...0|
+00000050  81 e1 a0 03 02 01 02 02  10 0f 43 1c 42 57 93 94  |..........C.BW..|
+00000060  1d e9 87 e4 f1 ad 15 00  5d 30 05 06 03 2b 65 70  |........]0...+ep|
+00000070  30 12 31 10 30 0e 06 03  55 04 0a 13 07 41 63 6d  |0.1.0...U....Acm|
+00000080  65 20 43 6f 30 1e 17 0d  31 39 30 35 31 36 32 31  |e Co0...19051621|
+00000090  33 38 30 31 5a 17 0d 32  30 30 35 31 35 32 31 33  |3801Z..200515213|
+000000a0  38 30 31 5a 30 12 31 10  30 0e 06 03 55 04 0a 13  |801Z0.1.0...U...|
+000000b0  07 41 63 6d 65 20 43 6f  30 2a 30 05 06 03 2b 65  |.Acme Co0*0...+e|
+000000c0  70 03 21 00 3f e2 15 2e  e6 e3 ef 3f 4e 85 4a 75  |p.!.?......?N.Ju|
+000000d0  77 a3 64 9e ed e0 bf 84  2c cc 92 26 8f fa 6f 34  |w.d.....,..&..o4|
+000000e0  83 aa ec 8f a3 4d 30 4b  30 0e 06 03 55 1d 0f 01  |.....M0K0...U...|
+000000f0  01 ff 04 04 03 02 05 a0  30 13 06 03 55 1d 25 04  |........0...U.%.|
+00000100  0c 30 0a 06 08 2b 06 01  05 05 07 03 01 30 0c 06  |.0...+.......0..|
+00000110  03 55 1d 13 01 01 ff 04  02 30 00 30 16 06 03 55  |.U.......0.0...U|
+00000120  1d 11 04 0f 30 0d 82 0b  65 78 61 6d 70 6c 65 2e  |....0...example.|
+00000130  63 6f 6d 30 05 06 03 2b  65 70 03 41 00 63 44 ed  |com0...+ep.A.cD.|
+00000140  9c c4 be 53 24 53 9f d2  10 8d 9f e8 21 08 90 95  |...S$S......!...|
+00000150  39 e5 0d c1 55 ff 2c 16  b7 1d fc ab 7d 4d d4 e0  |9...U.,.....}M..|
+00000160  93 13 d0 a9 42 e0 b6 6b  fe 5d 67 48 d7 9f 50 bc  |....B..k.]gH..P.|
+00000170  6c cd 4b 03 83 7c f2 08  58 cd ac cf 0c 16 03 03  |l.K..|..X.......|
+00000180  00 6c 0c 00 00 68 03 00  1d 20 2f e5 7d a3 47 cd  |.l...h... /.}.G.|
+00000190  62 43 15 28 da ac 5f bb  29 07 30 ff f6 84 af c4  |bC.(.._.).0.....|
+000001a0  cf c2 ed 90 99 5f 58 cb  3b 74 08 07 00 40 b6 c5  |....._X.;t...@..|
+000001b0  00 07 5f 16 0d c5 5a 13  26 8e 74 09 1a 16 7f d2  |.._...Z.&.t.....|
+000001c0  4c 90 b5 ee 29 00 7b d6  d0 59 fe 79 1f f2 d9 66  |L...).{..Y.y...f|
+000001d0  e2 5e 22 c9 27 b8 09 e5  f3 b6 c4 be 46 4a c2 a9  |.^".'.......FJ..|
+000001e0  34 f8 ba ad b6 86 8d 47  58 00 55 d9 3c 03 16 03  |4......GX.U.<...|
+000001f0  03 00 04 0e 00 00 00                              |.......|
 >>> Flow 3 (client to server)
-00000000  16 03 03 00 25 10 00 00  21 20 51 d1 53 24 ee 09  |....%...! Q.S$..|
-00000010  51 02 90 7e 6f 02 a2 54  db 6e 95 a4 af f9 43 51  |Q..~o..T.n....CQ|
-00000020  d2 ff 6b e6 26 d0 88 4d  c1 56 14 03 03 00 01 01  |..k.&..M.V......|
-00000030  16 03 03 00 28 2a 7a 63  66 3f 53 88 0a cf ef 03  |....(*zcf?S.....|
-00000040  ef 21 5b b5 57 ce 9e e5  da 84 e5 a7 d3 6d 90 c9  |.![.W........m..|
-00000050  6c f8 c1 9d cc a2 ff cb  97 5a 7c 1a 62           |l........Z|.b|
+00000000  16 03 03 00 25 10 00 00  21 20 6e 1a be aa e4 ca  |....%...! n.....|
+00000010  43 15 88 b6 fe f7 6c 69  26 1c 99 1c a9 01 75 e3  |C.....li&.....u.|
+00000020  32 ef 37 85 6c 2e 15 6e  37 24 14 03 03 00 01 01  |2.7.l..n7$......|
+00000030  16 03 03 00 28 e8 ca d2  ac 7b 38 5e 23 0a c0 62  |....(....{8^#..b|
+00000040  05 c5 ec 9a 3b 99 48 6e  72 c0 30 b3 3c 69 a1 fd  |....;.Hnr.0.<i..|
+00000050  28 e6 13 12 05 0d 7a 30  41 73 a5 45 9a           |(.....z0As.E.|
 >>> Flow 4 (server to client)
 00000000  14 03 03 00 01 01 16 03  03 00 28 00 00 00 00 00  |..........(.....|
-00000010  00 00 00 7a ee 1c df b7  14 c9 81 18 f3 51 de 24  |...z.........Q.$|
-00000020  70 ed b7 87 b9 29 b3 f7  ef 43 d0 c9 8f 35 3e 0a  |p....)...C...5>.|
-00000030  a1 c4 72 17 03 03 00 25  00 00 00 00 00 00 00 01  |..r....%........|
-00000040  f6 37 d9 31 d2 1f de a6  43 3b 60 a7 30 8c 76 cd  |.7.1....C;`.0.v.|
-00000050  47 f3 e3 a5 f3 6f e0 fe  fd 93 76 1f 0a 15 03 03  |G....o....v.....|
-00000060  00 1a 00 00 00 00 00 00  00 02 6d 2d 8d 6b f1 e3  |..........m-.k..|
-00000070  8f 21 e4 8e af b2 90 69  5b 10 3a f9              |.!.....i[.:.|
+00000010  00 00 00 09 61 1e 91 05  79 fe d3 ea 62 2c 4e 62  |....a...y...b,Nb|
+00000020  42 b4 68 20 ca 47 e3 a4  4f 33 ce ba 8c d7 ea 63  |B.h .G..O3.....c|
+00000030  54 c7 8c 17 03 03 00 25  00 00 00 00 00 00 00 01  |T......%........|
+00000040  fb 97 f4 60 38 95 26 f2  69 ea c7 91 99 08 73 7a  |...`8.&.i.....sz|
+00000050  ca 96 97 6f 9f a6 be c2  ca 1d f1 2e 08 15 03 03  |...o............|
+00000060  00 1a 00 00 00 00 00 00  00 02 b4 06 50 09 ec 73  |............P..s|
+00000070  06 83 b4 fa bb 40 21 7f  4c d9 61 8a              |.....@!.L.a.|
--- a/src/crypto/tls/testdata/Server-TLSv12-ExportKeyingMaterial
+++ b/src/crypto/tls/testdata/Server-TLSv12-ExportKeyingMaterial
--- a/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
+++ b/src/crypto/tls/testdata/Server-TLSv12-IssueTicket
--- a/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
+++ b/src/crypto/tls/testdata/Server-TLSv12-IssueTicketPreDisable
--- a/src/crypto/tls/testdata/Server-TLSv12-P256
+++ b/src/crypto/tls/testdata/Server-TLSv12-P256
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-3DES
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-3DES
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-AES
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-AES-GCM
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-AES-GCM
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-AES256-GCM-SHA384
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-AES256-GCM-SHA384
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-RC4
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-RC4
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-RSAPKCS1v15
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-RSAPKCS1v15
--- a/src/crypto/tls/testdata/Server-TLSv12-RSA-RSAPSS
+++ b/src/crypto/tls/testdata/Server-TLSv12-RSA-RSAPSS
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 91 01 00 00  8d 03 03 de a3 85 5b 56  |..............[V|
-00000010  34 e4 d0 57 07 66 8d 3c  39 00 eb 27 02 22 c9 f3  |4..W.f.<9..'."..|
-00000020  23 a6 5e 08 3a 6d 06 09  8f d9 00 00 00 2a c0 30  |#.^.:m.......*.0|
+00000000  16 03 01 00 91 01 00 00  8d 03 03 01 e3 d4 6a 58  |..............jX|
+00000010  36 ca f5 a3 28 b8 b3 89  96 e2 14 77 94 e1 2e 77  |6...(......w...w|
+00000020  f4 4b 7e 3c e4 d4 b7 a2  18 14 1d 00 00 2a c0 30  |.K~<.........*.0|
 00000030  00 9f cc a8 cc aa c0 2f  00 9e c0 28 00 6b c0 27  |......./...(.k.'|
 00000040  00 67 c0 14 00 39 c0 13  00 33 00 9d 00 9c 00 3d  |.g...9...3.....=|
 00000050  00 3c 00 35 00 2f 00 ff  01 00 00 3a 00 00 00 0e  |.<.5./.....:....|
@@ -10,45 +10,46 @@
 00000080  00 1e 00 19 00 18 00 16  00 00 00 17 00 00 00 0d  |................|
 00000090  00 04 00 02 08 04                                 |......|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 31 02 00 00  2d 03 03 00 00 00 00 00  |....1...-.......|
+00000000  16 03 03 00 37 02 00 00  33 03 03 00 00 00 00 00  |....7...3.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 44 4f 57 4e 47  52 44 01 00 c0 30 00 00  |...DOWNGRD...0..|
-00000030  05 ff 01 00 01 00 16 03  03 02 59 0b 00 02 55 00  |..........Y...U.|
-00000040  02 52 00 02 4f 30 82 02  4b 30 82 01 b4 a0 03 02  |.R..O0..K0......|
-00000050  01 02 02 09 00 e8 f0 9d  3f e2 5b ea a6 30 0d 06  |........?.[..0..|
-00000060  09 2a 86 48 86 f7 0d 01  01 0b 05 00 30 1f 31 0b  |.*.H........0.1.|
-00000070  30 09 06 03 55 04 0a 13  02 47 6f 31 10 30 0e 06  |0...U....Go1.0..|
-00000080  03 55 04 03 13 07 47 6f  20 52 6f 6f 74 30 1e 17  |.U....Go Root0..|
-00000090  0d 31 36 30 31 30 31 30  30 30 30 30 30 5a 17 0d  |.160101000000Z..|
-000000a0  32 35 30 31 30 31 30 30  30 30 30 30 5a 30 1a 31  |250101000000Z0.1|
-000000b0  0b 30 09 06 03 55 04 0a  13 02 47 6f 31 0b 30 09  |.0...U....Go1.0.|
-000000c0  06 03 55 04 03 13 02 47  6f 30 81 9f 30 0d 06 09  |..U....Go0..0...|
-000000d0  2a 86 48 86 f7 0d 01 01  01 05 00 03 81 8d 00 30  |*.H............0|
-000000e0  81 89 02 81 81 00 db 46  7d 93 2e 12 27 06 48 bc  |.......F}...'.H.|
-000000f0  06 28 21 ab 7e c4 b6 a2  5d fe 1e 52 45 88 7a 36  |.(!.~...]..RE.z6|
-00000100  47 a5 08 0d 92 42 5b c2  81 c0 be 97 79 98 40 fb  |G....B[.....y.@.|
-00000110  4f 6d 14 fd 2b 13 8b c2  a5 2e 67 d8 d4 09 9e d6  |Om..+.....g.....|
-00000120  22 38 b7 4a 0b 74 73 2b  c2 34 f1 d1 93 e5 96 d9  |"8.J.ts+.4......|
-00000130  74 7b f3 58 9f 6c 61 3c  c0 b0 41 d4 d9 2b 2b 24  |t{.X.la<..A..++$|
-00000140  23 77 5b 1c 3b bd 75 5d  ce 20 54 cf a1 63 87 1d  |#w[.;.u]. T..c..|
-00000150  1e 24 c4 f3 1d 1a 50 8b  aa b6 14 43 ed 97 a7 75  |.$....P....C...u|
-00000160  62 f4 14 c8 52 d7 02 03  01 00 01 a3 81 93 30 81  |b...R.........0.|
-00000170  90 30 0e 06 03 55 1d 0f  01 01 ff 04 04 03 02 05  |.0...U..........|
-00000180  a0 30 1d 06 03 55 1d 25  04 16 30 14 06 08 2b 06  |.0...U.%..0...+.|
-00000190  01 05 05 07 03 01 06 08  2b 06 01 05 05 07 03 02  |........+.......|
-000001a0  30 0c 06 03 55 1d 13 01  01 ff 04 02 30 00 30 19  |0...U.......0.0.|
-000001b0  06 03 55 1d 0e 04 12 04  10 9f 91 16 1f 43 43 3e  |..U..........CC>|
-000001c0  49 a6 de 6d b6 80 d7 9f  60 30 1b 06 03 55 1d 23  |I..m....`0...U.#|
-000001d0  04 14 30 12 80 10 48 13  49 4d 13 7e 16 31 bb a3  |..0...H.IM.~.1..|
-000001e0  01 d5 ac ab 6e 7b 30 19  06 03 55 1d 11 04 12 30  |....n{0...U....0|
-000001f0  10 82 0e 65 78 61 6d 70  6c 65 2e 67 6f 6c 61 6e  |...example.golan|
-00000200  67 30 0d 06 09 2a 86 48  86 f7 0d 01 01 0b 05 00  |g0...*.H........|
-00000210  03 81 81 00 9d 30 cc 40  2b 5b 50 a0 61 cb ba e5  |.....0.@+[P.a...|
-00000220  53 58 e1 ed 83 28 a9 58  1a a9 38 a4 95 a1 ac 31  |SX...(.X..8....1|
-00000230  5a 1a 84 66 3d 43 d3 2d  d9 0b f2 97 df d3 20 64  |Z..f=C.-...... d|
-00000240  38 92 24 3a 00 bc cf 9c  7d b7 40 20 01 5f aa d3  |8.$:....}.@ ._..|
-00000250  16 61 09 a2 76 fd 13 c3  cc e1 0c 5c ee b1 87 82  |.a..v......\....|
-00000260  f1 6c 04 ed 73 bb b3 43  77 8d 0c 1c f1 0f a1 d8  |.l..s..Cw.......|
-00000270  40 83 61 c9 4c 72 2b 9d  ae db 46 06 06 4d f4 c1  |@.a.Lr+...F..M..|
-00000280  b3 3e c0 d1 bd 42 d4 db  fe 3d 13 60 84 5c 21 d3  |.>...B...=.`.\!.|
-00000290  3b e9 fa e7 15 03 03 00  02 02 28                 |;.........(|
+00000030  0b ff 01 00 01 00 00 0b  00 02 01 00 16 03 03 02  |................|
+00000040  59 0b 00 02 55 00 02 52  00 02 4f 30 82 02 4b 30  |Y...U..R..O0..K0|
+00000050  82 01 b4 a0 03 02 01 02  02 09 00 e8 f0 9d 3f e2  |..............?.|
+00000060  5b ea a6 30 0d 06 09 2a  86 48 86 f7 0d 01 01 0b  |[..0...*.H......|
+00000070  05 00 30 1f 31 0b 30 09  06 03 55 04 0a 13 02 47  |..0.1.0...U....G|
+00000080  6f 31 10 30 0e 06 03 55  04 03 13 07 47 6f 20 52  |o1.0...U....Go R|
+00000090  6f 6f 74 30 1e 17 0d 31  36 30 31 30 31 30 30 30  |oot0...160101000|
+000000a0  30 30 30 5a 17 0d 32 35  30 31 30 31 30 30 30 30  |000Z..2501010000|
+000000b0  30 30 5a 30 1a 31 0b 30  09 06 03 55 04 0a 13 02  |00Z0.1.0...U....|
+000000c0  47 6f 31 0b 30 09 06 03  55 04 03 13 02 47 6f 30  |Go1.0...U....Go0|
+000000d0  81 9f 30 0d 06 09 2a 86  48 86 f7 0d 01 01 01 05  |..0...*.H.......|
+000000e0  00 03 81 8d 00 30 81 89  02 81 81 00 db 46 7d 93  |.....0.......F}.|
+000000f0  2e 12 27 06 48 bc 06 28  21 ab 7e c4 b6 a2 5d fe  |..'.H..(!.~...].|
+00000100  1e 52 45 88 7a 36 47 a5  08 0d 92 42 5b c2 81 c0  |.RE.z6G....B[...|
+00000110  be 97 79 98 40 fb 4f 6d  14 fd 2b 13 8b c2 a5 2e  |..y.@.Om..+.....|
+00000120  67 d8 d4 09 9e d6 22 38  b7 4a 0b 74 73 2b c2 34  |g....."8.J.ts+.4|
+00000130  f1 d1 93 e5 96 d9 74 7b  f3 58 9f 6c 61 3c c0 b0  |......t{.X.la<..|
+00000140  41 d4 d9 2b 2b 24 23 77  5b 1c 3b bd 75 5d ce 20  |A..++$#w[.;.u]. |
+00000150  54 cf a1 63 87 1d 1e 24  c4 f3 1d 1a 50 8b aa b6  |T..c...$....P...|
+00000160  14 43 ed 97 a7 75 62 f4  14 c8 52 d7 02 03 01 00  |.C...ub...R.....|
+00000170  01 a3 81 93 30 81 90 30  0e 06 03 55 1d 0f 01 01  |....0..0...U....|
+00000180  ff 04 04 03 02 05 a0 30  1d 06 03 55 1d 25 04 16  |.......0...U.%..|
+00000190  30 14 06 08 2b 06 01 05  05 07 03 01 06 08 2b 06  |0...+.........+.|
+000001a0  01 05 05 07 03 02 30 0c  06 03 55 1d 13 01 01 ff  |......0...U.....|
+000001b0  04 02 30 00 30 19 06 03  55 1d 0e 04 12 04 10 9f  |..0.0...U.......|
+000001c0  91 16 1f 43 43 3e 49 a6  de 6d b6 80 d7 9f 60 30  |...CC>I..m....`0|
+000001d0  1b 06 03 55 1d 23 04 14  30 12 80 10 48 13 49 4d  |...U.#..0...H.IM|
+000001e0  13 7e 16 31 bb a3 01 d5  ac ab 6e 7b 30 19 06 03  |.~.1......n{0...|
+000001f0  55 1d 11 04 12 30 10 82  0e 65 78 61 6d 70 6c 65  |U....0...example|
+00000200  2e 67 6f 6c 61 6e 67 30  0d 06 09 2a 86 48 86 f7  |.golang0...*.H..|
+00000210  0d 01 01 0b 05 00 03 81  81 00 9d 30 cc 40 2b 5b  |...........0.@+[|
+00000220  50 a0 61 cb ba e5 53 58  e1 ed 83 28 a9 58 1a a9  |P.a...SX...(.X..|
+00000230  38 a4 95 a1 ac 31 5a 1a  84 66 3d 43 d3 2d d9 0b  |8....1Z..f=C.-..|
+00000240  f2 97 df d3 20 64 38 92  24 3a 00 bc cf 9c 7d b7  |.... d8.$:....}.|
+00000250  40 20 01 5f aa d3 16 61  09 a2 76 fd 13 c3 cc e1  |@ ._...a..v.....|
+00000260  0c 5c ee b1 87 82 f1 6c  04 ed 73 bb b3 43 77 8d  |.\.....l..s..Cw.|
+00000270  0c 1c f1 0f a1 d8 40 83  61 c9 4c 72 2b 9d ae db  |......@.a.Lr+...|
+00000280  46 06 06 4d f4 c1 b3 3e  c0 d1 bd 42 d4 db fe 3d  |F..M...>...B...=|
+00000290  13 60 84 5c 21 d3 3b e9  fa e7 15 03 03 00 02 02  |.`.\!.;.........|
+000002a0  28                                                |(|
--- a/src/crypto/tls/testdata/Server-TLSv12-Resume
+++ b/src/crypto/tls/testdata/Server-TLSv12-Resume
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 33 01 00 01  2f 03 03 b0 fe 51 14 a8  |....3.../....Q..|
-00000010  15 64 e2 64 e4 8e 4f 93  bf 17 38 50 d8 fb 4c fb  |.d.d..O...8P..L.|
-00000020  03 04 a2 c0 9d b9 d2 19  8f e6 9a 20 5e e4 28 dd  |........... ^.(.|
-00000030  e1 a6 89 f5 b2 5e 1a 7b  d3 af 0a bb 19 dc e1 2f  |.....^.{......./|
-00000040  58 d7 9e 59 a7 b7 de 07  bb 06 4d 0c 00 04 00 2f  |X..Y......M..../|
+00000000  16 03 01 01 33 01 00 01  2f 03 03 c0 ac ee 47 eb  |....3.../.....G.|
+00000010  75 70 12 a9 b7 d9 29 03  ba dd 0c 26 ef 07 cd c1  |up....)....&....|
+00000020  ac 2b b5 14 8a 59 3a d7  58 7d 20 20 eb 74 37 f4  |.+...Y:.X}  .t7.|
+00000030  79 3b 34 ed e4 b1 51 00  b9 09 04 bc 48 82 07 a2  |y;4...Q.....H...|
+00000040  cc 47 2d dc 16 54 a6 02  0c 5e f2 23 00 04 00 2f  |.G-..T...^.#.../|
 00000050  00 ff 01 00 00 e2 00 00  00 0e 00 0c 00 00 09 31  |...............1|
 00000060  32 37 2e 30 2e 30 2e 31  00 0b 00 04 03 00 01 02  |27.0.0.1........|
 00000070  00 0a 00 0c 00 0a 00 1d  00 17 00 1e 00 19 00 18  |................|
 00000080  00 23 00 78 50 46 ad c1  db a8 38 86 7b 2b bb fd  |.#.xPF....8.{+..|
 00000090  d0 c3 42 3e 00 00 00 00  00 00 00 00 00 00 00 00  |..B>............|
-000000a0  00 00 00 00 94 6f 2c 9f  83 61 fe 79 79 ae dc c2  |.....o,..a.yy...|
-000000b0  a0 99 e2 59 46 79 88 b8  ed 74 da ef da 3e 7e 69  |...YFy...t...>~i|
-000000c0  af 34 63 b3 7f 52 e1 07  4d f8 40 69 63 85 8c 66  |.4c..R..M.@ic..f|
-000000d0  a6 d6 f7 b7 b0 f2 d4 12  f4 2a 33 94 64 76 91 5b  |.........*3.dv.[|
-000000e0  6c 7d 49 37 3c 0b 76 3e  d6 5c 0b 65 79 96 31 51  |l}I7<.v>.\.ey.1Q|
-000000f0  46 01 51 94 38 5b 51 d5  2d 1a 8b 19 00 16 00 00  |F.Q.8[Q.-.......|
+000000a0  00 00 00 00 94 6f 2c 9f  83 61 5c 5f 43 13 c2 76  |.....o,..a\_C..v|
+000000b0  91 3a c1 1a 8c 51 00 5c  a0 93 a9 06 e2 0c b0 65  |.:...Q.\.......e|
+000000c0  e3 8c 0d 4b 7b 7e 52 32  b8 3c b3 76 c5 bf 95 4d  |...K{~R2.<.v...M|
+000000d0  29 71 50 81 e3 2b 6f 4a  32 dc 33 94 15 c5 fe 38  |)qP..+oJ2.3....8|
+000000e0  b4 0a fc 03 38 90 32 db  c0 7f 99 62 a9 89 15 d0  |....8.2....b....|
+000000f0  f6 79 64 79 38 b0 e2 19  07 82 82 0a 00 16 00 00  |.ydy8...........|
 00000100  00 17 00 00 00 0d 00 30  00 2e 04 03 05 03 06 03  |.......0........|
 00000110  08 07 08 08 08 09 08 0a  08 0b 08 04 08 05 08 06  |................|
 00000120  04 01 05 01 06 01 03 03  02 03 03 01 02 01 03 02  |................|
 00000130  02 02 04 02 05 02 06 02                           |........|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 51 02 00 00  4d 03 03 00 00 00 00 00  |....Q...M.......|
+00000000  16 03 03 00 57 02 00 00  53 03 03 00 00 00 00 00  |....W...S.......|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000020  00 00 00 44 4f 57 4e 47  52 44 01 20 5e e4 28 dd  |...DOWNGRD. ^.(.|
-00000030  e1 a6 89 f5 b2 5e 1a 7b  d3 af 0a bb 19 dc e1 2f  |.....^.{......./|
-00000040  58 d7 9e 59 a7 b7 de 07  bb 06 4d 0c 00 2f 00 00  |X..Y......M../..|
-00000050  05 ff 01 00 01 00 14 03  03 00 01 01 16 03 03 00  |................|
-00000060  40 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |@...............|
-00000070  00 c6 4d ae 43 25 3e 7a  8b 1d bc 77 6f 6d 05 c8  |..M.C%>z...wom..|
-00000080  93 a1 d0 ee 81 0b e6 3e  e6 0d 55 ff 3a 76 f3 e1  |.......>..U.:v..|
-00000090  49 0b e4 3b d2 1c cb 2d  9f 1e 03 cb f9 8c 60 96  |I..;...-......`.|
-000000a0  b1                                                |.|
+00000020  00 00 00 44 4f 57 4e 47  52 44 01 20 eb 74 37 f4  |...DOWNGRD. .t7.|
+00000030  79 3b 34 ed e4 b1 51 00  b9 09 04 bc 48 82 07 a2  |y;4...Q.....H...|
+00000040  cc 47 2d dc 16 54 a6 02  0c 5e f2 23 00 2f 00 00  |.G-..T...^.#./..|
+00000050  0b ff 01 00 01 00 00 0b  00 02 01 00 14 03 03 00  |................|
+00000060  01 01 16 03 03 00 40 00  00 00 00 00 00 00 00 00  |......@.........|
+00000070  00 00 00 00 00 00 00 a6  49 4b 9d e0 3c e1 58 b4  |........IK..<.X.|
+00000080  f9 50 e6 a6 32 ce 65 74  14 95 07 05 0c ef be 7d  |.P..2.et.......}|
+00000090  74 8c 46 3e 2a 07 de 5f  7a 08 b9 a0 80 f0 52 90  |t.F>*.._z.....R.|
+000000a0  d4 6b c5 0f c5 ae 54                              |.k....T|
 >>> Flow 3 (client to server)
-00000000  14 03 03 00 01 01 16 03  03 00 40 c9 ab 6e 5b 04  |..........@..n[.|
-00000010  35 28 90 72 16 86 e8 ad  a5 4d 2e f8 5a ee 42 8e  |5(.r.....M..Z.B.|
-00000020  6c 3f a4 00 3a de a8 c5  8f e3 59 15 10 09 31 91  |l?..:.....Y...1.|
-00000030  5c ad a1 b1 15 bc fd a1  4a 91 4b 7a 50 a7 37 c4  |\.......J.KzP.7.|
-00000040  3b 9d 3b 30 8e cd 8c ec  b3 bc 94                 |;.;0.......|
+00000000  14 03 03 00 01 01 16 03  03 00 40 8c 59 48 06 01  |..........@.YH..|
+00000010  a4 c6 35 ad a6 f5 a9 d3  31 ea 58 64 0e 45 91 4c  |..5.....1.Xd.E.L|
+00000020  fb e7 c6 6e 27 e8 92 a9  9c c3 c6 29 e9 6c 55 3a  |...n'......).lU:|
+00000030  2a fe 0f 40 d9 aa 3e fe  ab 66 e1 38 91 d1 db ac  |*..@..>..f.8....|
+00000040  58 13 f0 3c 5e f1 a9 9c  fd 07 04                 |X..<^......|
 >>> Flow 4 (server to client)
 00000000  17 03 03 00 40 00 00 00  00 00 00 00 00 00 00 00  |....@...........|
-00000010  00 00 00 00 00 95 7d fd  bf 36 bd 7d 5f 42 2f 0a  |......}..6.}_B/.|
-00000020  84 27 ed 2d 76 07 cb 5a  96 93 74 68 9f 2a 66 fa  |.'.-v..Z..th.*f.|
-00000030  85 b0 38 bc da 8d 11 7f  80 80 21 ed 34 db 58 91  |..8.......!.4.X.|
-00000040  b0 d7 8d 08 f1 15 03 03  00 30 00 00 00 00 00 00  |.........0......|
-00000050  00 00 00 00 00 00 00 00  00 00 6f ed 4a be 10 ea  |..........o.J...|
-00000060  6a 75 ee 69 c2 2c f7 54  8a 18 aa 5f 7c 65 d0 d8  |ju.i.,.T..._|e..|
-00000070  0c 94 dc a8 47 45 83 e6  68 09                    |....GE..h.|
+00000010  00 00 00 00 00 a6 4f 7a  f8 b0 6e 25 13 fb b6 68  |......Oz..n%...h|
+00000020  2d 1e 22 1b 95 93 63 e8  e1 9c 93 3e 53 78 bb aa  |-."...c....>Sx..|
+00000030  9f 6e 84 56 28 31 a0 ed  a9 a3 06 fd e6 f9 c4 c4  |.n.V(1..........|
+00000040  56 5f 5f c2 fb 15 03 03  00 30 00 00 00 00 00 00  |V__......0......|
+00000050  00 00 00 00 00 00 00 00  00 00 c9 98 24 06 26 73  |............$.&s|
+00000060  87 27 73 bd 7a 30 b5 85  28 f7 c4 b6 7a b0 96 9f  |.'s.z0..(...z...|
+00000070  a8 d4 43 1d 8e f5 a5 9f  f3 f3                    |..C.......|
--- a/src/crypto/tls/testdata/Server-TLSv12-ResumeDisabled
+++ b/src/crypto/tls/testdata/Server-TLSv12-ResumeDisabled
--- a/src/crypto/tls/testdata/Server-TLSv12-SNI
+++ b/src/crypto/tls/testdata/Server-TLSv12-SNI
--- a/src/crypto/tls/testdata/Server-TLSv12-SNI-GetCertificate
+++ b/src/crypto/tls/testdata/Server-TLSv12-SNI-GetCertificate
--- a/src/crypto/tls/testdata/Server-TLSv12-SNI-GetCertificateNotFound
+++ b/src/crypto/tls/testdata/Server-TLSv12-SNI-GetCertificateNotFound
--- a/src/crypto/tls/testdata/Server-TLSv12-X25519
+++ b/src/crypto/tls/testdata/Server-TLSv12-X25519
--- a/src/crypto/tls/testdata/Server-TLSv13-AES128-SHA256
+++ b/src/crypto/tls/testdata/Server-TLSv13-AES128-SHA256