crypto/ecdsa: use bigmod and nistec instead of math/big and crypto/elliptic
Ignoring custom curves, this makes the whole package constant-time.
There is a slight loss in performance for P-384 and P-521 because bigmod
is slower than math/big (but P-256 has an assembly scalar field
inversion, so doesn't use bigmod for anything big).
name old time/op new time/op delta
Sign/P256-8 19.2µs ± 2% 19.1µs ± 2% ~ (p=0.268 n=9+10)
Sign/P384-8 166µs ± 3% 188µs ± 2% +13.52% (p=0.000 n=10+10)
Sign/P521-8 337µs ± 2% 359µs ± 2% +6.46% (p=0.000 n=10+10)
Verify/P256-8 58.1µs ± 2% 58.1µs ± 2% ~ (p=0.971 n=10+10)
Verify/P384-8 484µs ± 2% 569µs ±12% +17.65% (p=0.000 n=10+10)
Verify/P521-8 1.03ms ± 4% 1.14ms ± 2% +11.02% (p=0.000 n=10+10)
GenerateKey/P256-8 12.4µs ±12% 12.0µs ± 2% ~ (p=0.063 n=10+10)
GenerateKey/P384-8 129µs ±18% 119µs ± 2% ~ (p=0.190 n=10+10)
GenerateKey/P521-8 241µs ± 2% 240µs ± 2% ~ (p=0.436 n=10+10)
name old alloc/op new alloc/op delta
Sign/P256-8 3.08kB ± 0% 2.47kB ± 0% -19.77% (p=0.000 n=10+10)
Sign/P384-8 6.16kB ± 0% 2.64kB ± 0% -57.16% (p=0.000 n=10+10)
Sign/P521-8 7.87kB ± 0% 3.01kB ± 0% -61.80% (p=0.000 n=10+10)
Verify/P256-8 1.29kB ± 1% 0.48kB ± 0% -62.69% (p=0.000 n=10+10)
Verify/P384-8 2.49kB ± 1% 0.64kB ± 0% -74.25% (p=0.000 n=10+10)
Verify/P521-8 3.31kB ± 0% 0.96kB ± 0% -71.02% (p=0.000 n=7+10)
GenerateKey/P256-8 720B ± 0% 920B ± 0% +27.78% (p=0.000 n=10+10)
GenerateKey/P384-8 921B ± 0% 1120B ± 0% +21.61% (p=0.000 n=9+10)
GenerateKey/P521-8 1.30kB ± 0% 1.44kB ± 0% +10.45% (p=0.000 n=10+10)
name old allocs/op new allocs/op delta
Sign/P256-8 45.0 ± 0% 33.0 ± 0% -26.67% (p=0.000 n=10+10)
Sign/P384-8 69.0 ± 0% 34.0 ± 0% -50.72% (p=0.000 n=10+10)
Sign/P521-8 71.0 ± 0% 35.0 ± 0% -50.70% (p=0.000 n=10+10)
Verify/P256-8 23.0 ± 0% 10.0 ± 0% -56.52% (p=0.000 n=10+10)
Verify/P384-8 43.0 ± 0% 14.0 ± 0% -67.44% (p=0.000 n=10+10)
Verify/P521-8 45.0 ± 0% 14.0 ± 0% -68.89% (p=0.000 n=7+10)
GenerateKey/P256-8 13.0 ± 0% 14.0 ± 0% +7.69% (p=0.000 n=10+10)
GenerateKey/P384-8 16.0 ± 0% 17.0 ± 0% +6.25% (p=0.000 n=10+10)
GenerateKey/P521-8 16.5 ± 3% 17.0 ± 0% +3.03% (p=0.033 n=10+10)
Change-Id: I4e074ef039b0f7ffbc436a4cdbe4ef90c647018d
Reviewed-on: https://go-review.googlesource.com/c/go/+/353849
Auto-Submit: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Than McIntosh <thanm@google.com>
Reviewed-by: David Chase <drchase@google.com>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
diff --git a/src/crypto/ecdsa/ecdsa.go b/src/crypto/ecdsa/ecdsa.go
index 3d7a6b0..6722a6b 100644
--- a/src/crypto/ecdsa/ecdsa.go
+++ b/src/crypto/ecdsa/ecdsa.go
@@ -20,39 +20,28 @@
// [SEC 1, Version 2.0]: https://www.secg.org/sec1-v2.pdf
import (
+ "bytes"
"crypto"
"crypto/aes"
"crypto/cipher"
"crypto/ecdh"
"crypto/elliptic"
+ "crypto/internal/bigmod"
"crypto/internal/boring"
"crypto/internal/boring/bbig"
+ "crypto/internal/nistec"
"crypto/internal/randutil"
"crypto/sha512"
+ "crypto/subtle"
"errors"
"io"
"math/big"
+ "sync"
"golang.org/x/crypto/cryptobyte"
"golang.org/x/crypto/cryptobyte/asn1"
)
-// A invertible implements fast inverse in GF(N).
-type invertible interface {
- // Inverse returns the inverse of k mod Params().N.
- Inverse(k *big.Int) *big.Int
-}
-
-// A combinedMult implements fast combined multiplication for verification.
-type combinedMult interface {
- // CombinedMult returns [s1]G + [s2]P where G is the generator.
- CombinedMult(Px, Py *big.Int, s1, s2 []byte) (x, y *big.Int)
-}
-
-const (
- aesIV = "IV for ECDSA CTR"
-)
-
// PublicKey represents an ECDSA public key.
type PublicKey struct {
elliptic.Curve
@@ -86,7 +75,7 @@
if !ok {
return false
}
- return pub.X.Cmp(xx.X) == 0 && pub.Y.Cmp(xx.Y) == 0 &&
+ return bigIntEqual(pub.X, xx.X) && bigIntEqual(pub.Y, xx.Y) &&
// Standard library Curve implementations are singletons, so this check
// will work for those. Other Curves might be equivalent even if not
// singletons, but there is no definitive way to check for that, and
@@ -141,7 +130,13 @@
if !ok {
return false
}
- return priv.PublicKey.Equal(&xx.PublicKey) && priv.D.Cmp(xx.D) == 0
+ return priv.PublicKey.Equal(&xx.PublicKey) && bigIntEqual(priv.D, xx.D)
+}
+
+// bigIntEqual reports whether a and b are equal leaking only their bit length
+// through timing side-channels.
+func bigIntEqual(a, b *big.Int) bool {
+ return subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1
}
// Sign signs digest with priv, reading randomness from rand. The opts argument
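Review bot: bigIntEqual compares `a.Bytes()` with `b.Bytes()`, and big.Int.Bytes returns the absolute value, so two values that differ only in sign now compare equal where the replaced `Cmp` calls told them apart. This affects PrivateKey.Equal here and PublicKey.Equal in the previous hunk. If a negative D, X or Y should never match its positive counterpart, add a sign check in front of the compare, for example `return a.Sign() == b.Sign() && subtle.ConstantTimeCompare(a.Bytes(), b.Bytes()) == 1`. Otherwise extend the doc comment to say that only magnitudes are compared.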
@@ -152,51 +147,13 @@
// where the private part is kept in, for example, a hardware module. Common
// uses can use the SignASN1 function in this package directly.
func (priv *PrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error) {
- if boring.Enabled && rand == boring.RandReader {
- b, err := boringPrivateKey(priv)
- if err != nil {
- return nil, err
- }
- return boring.SignMarshalECDSA(b, digest)
- }
- boring.UnreachableExceptTests()
-
- r, s, err := Sign(rand, priv, digest)
- if err != nil {
- return nil, err
- }
-
- var b cryptobyte.Builder
- b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
- b.AddASN1BigInt(r)
- b.AddASN1BigInt(s)
- })
- return b.Bytes()
-}
-
-var one = new(big.Int).SetInt64(1)
-
-// randFieldElement returns a random element of the order of the given
-// curve using the procedure given in FIPS 186-4, Appendix B.5.1.
-func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error) {
- params := c.Params()
- // Note that for P-521 this will actually be 63 bits more than the order, as
- // division rounds down, but the extra bit is inconsequential.
- b := make([]byte, params.N.BitLen()/8+8)
- _, err = io.ReadFull(rand, b)
- if err != nil {
- return
- }
-
- k = new(big.Int).SetBytes(b)
- n := new(big.Int).Sub(params.N, one)
- k.Mod(k, n)
- k.Add(k, one)
- return
+ return SignASN1(rand, priv, digest)
}
// GenerateKey generates a public and private key pair.
func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
+ randutil.MaybeReadByte(rand)
+
if boring.Enabled && rand == boring.RandReader {
x, y, d, err := boring.GenerateKeyECDSA(c.Params().Name)
if err != nil {
@@ -206,80 +163,242 @@
}
boring.UnreachableExceptTests()
- k, err := randFieldElement(c, rand)
+ switch c.Params() {
+ case elliptic.P224().Params():
+ return generateNISTEC(p224(), rand)
+ case elliptic.P256().Params():
+ return generateNISTEC(p256(), rand)
+ case elliptic.P384().Params():
+ return generateNISTEC(p384(), rand)
+ case elliptic.P521().Params():
+ return generateNISTEC(p521(), rand)
+ default:
+ return generateLegacy(c, rand)
+ }
+}
+
+func generateNISTEC[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (*PrivateKey, error) {
+ k, Q, err := randomPoint(c, rand)
if err != nil {
return nil, err
}
priv := new(PrivateKey)
- priv.PublicKey.Curve = c
- priv.D = k
- priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes())
+ priv.PublicKey.Curve = c.curve
+ priv.D = new(big.Int).SetBytes(k.Bytes(c.N))
+ priv.PublicKey.X, priv.PublicKey.Y, err = c.pointToAffine(Q)
+ if err != nil {
+ return nil, err
+ }
return priv, nil
}
-// hashToInt converts a hash value to an integer. Per FIPS 186-4, Section 6.4,
-// we use the left-most bits of the hash to match the bit-length of the order of
-// the curve. This also performs Step 5 of SEC 1, Version 2.0, Section 4.1.3.
-func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
- orderBits := c.Params().N.BitLen()
- orderBytes := (orderBits + 7) / 8
- if len(hash) > orderBytes {
- hash = hash[:orderBytes]
+// randomPoint returns a random scalar and the corresponding point using the
+// procedure given in FIPS 186-4, Appendix B.5.2 (rejection sampling).
+func randomPoint[Point nistPoint[Point]](c *nistCurve[Point], rand io.Reader) (k *bigmod.Nat, p Point, err error) {
+ k = bigmod.NewNat()
+ for {
+ b := make([]byte, c.N.Size())
+ if _, err = io.ReadFull(rand, b); err != nil {
+ return
+ }
+
+ // Mask off any excess bits to increase the chance of hitting a value in
+ // (0, N). These are the most dangerous lines in the package and maybe in
+ // the library: a single bit of bias in the selection of nonces would likely
+ // lead to key recovery, but no tests would fail. Look but DO NOT TOUCH.
+ if excess := len(b)*8 - c.N.BitLen(); excess > 0 {
+ // Just to be safe, assert that this only happens for the one curve that
+ // doesn't have a round number of bits.
+ if excess != 0 && c.curve.Params().Name != "P-521" {
+ panic("ecdsa: internal error: unexpectedly masking off bits")
+ }
+ b[0] >>= excess
+ }
+
+ // FIPS 186-4 makes us check k <= N - 2 and then add one.
+ // Checking 0 < k <= N - 1 is strictly equivalent.
+ // None of this matters anyway because the chance of selecting
+ // zero is cryptographically negligible.
+ if _, err = k.SetBytes(b, c.N); err == nil && k.IsZero() == 0 {
+ break
+ }
+
+ if testingOnlyRejectionSamplingLooped != nil {
+ testingOnlyRejectionSamplingLooped()
+ }
}
- ret := new(big.Int).SetBytes(hash)
- excess := len(hash)*8 - orderBits
- if excess > 0 {
- ret.Rsh(ret, uint(excess))
- }
- return ret
+ p, err = c.newPoint().ScalarBaseMult(k.Bytes(c.N))
+ return
}
-// fermatInverse calculates the inverse of k in GF(P) using Fermat's method
-// (exponentiation modulo P - 2, per Euler's theorem). This has better
-// constant-time properties than Euclid's method (implemented in
-// math/big.Int.ModInverse and FIPS 186-4, Appendix C.1) although math/big
-// itself isn't strictly constant-time so it's not perfect.
-func fermatInverse(k, N *big.Int) *big.Int {
- two := big.NewInt(2)
- nMinus2 := new(big.Int).Sub(N, two)
- return new(big.Int).Exp(k, nMinus2, N)
-}
+// testingOnlyRejectionSamplingLooped is called when rejection sampling in
+// randomPoint rejects a candidate for being higher than the modulus.
+var testingOnlyRejectionSamplingLooped func()
-var errZeroParam = errors.New("zero parameter")
+// errNoAsm is returned by signAsm and verifyAsm when the assembly
+// implementation is not available.
+var errNoAsm = errors.New("no assembly implementation available")
-// Sign signs a hash (which should be the result of hashing a larger message)
+// SignASN1 signs a hash (which should be the result of hashing a larger message)
// using the private key, priv. If the hash is longer than the bit-length of the
// private key's curve order, the hash will be truncated to that length. It
-// returns the signature as a pair of integers. Most applications should use
-// SignASN1 instead of dealing directly with r, s.
-func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
+// returns the ASN.1 encoded signature.
+func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) {
randutil.MaybeReadByte(rand)
if boring.Enabled && rand == boring.RandReader {
b, err := boringPrivateKey(priv)
if err != nil {
- return nil, nil, err
+ return nil, err
}
- sig, err := boring.SignMarshalECDSA(b, hash)
- if err != nil {
- return nil, nil, err
- }
- var r, s big.Int
- var inner cryptobyte.String
- input := cryptobyte.String(sig)
- if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
- !input.Empty() ||
- !inner.ReadASN1Integer(&r) ||
- !inner.ReadASN1Integer(&s) ||
- !inner.Empty() {
- return nil, nil, errors.New("invalid ASN.1 from boringcrypto")
- }
- return &r, &s, nil
+ return boring.SignMarshalECDSA(b, hash)
}
boring.UnreachableExceptTests()
+ csprng, err := mixedCSPRNG(rand, priv, hash)
+ if err != nil {
+ return nil, err
+ }
+
+ if sig, err := signAsm(priv, csprng, hash); err != errNoAsm {
+ return sig, err
+ }
+
+ switch priv.Curve.Params() {
+ case elliptic.P224().Params():
+ return signNISTEC(p224(), priv, csprng, hash)
+ case elliptic.P256().Params():
+ return signNISTEC(p256(), priv, csprng, hash)
+ case elliptic.P384().Params():
+ return signNISTEC(p384(), priv, csprng, hash)
+ case elliptic.P521().Params():
+ return signNISTEC(p521(), priv, csprng, hash)
+ default:
+ return signLegacy(priv, csprng, hash)
+ }
+}
+
+func signNISTEC[Point nistPoint[Point]](c *nistCurve[Point], priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+ // SEC 1, Version 2.0, Section 4.1.3
+
+ k, R, err := randomPoint(c, csprng)
+ if err != nil {
+ return nil, err
+ }
+
+ // kInv = k⁻¹
+ kInv := bigmod.NewNat()
+ inverse(c, kInv, k)
+
+ Rx, err := R.BytesX()
+ if err != nil {
+ return nil, err
+ }
+ r, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
+ if err != nil {
+ return nil, err
+ }
+
+ // The spec wants us to retry here, but the chance of hitting this condition
+ // on a large prime-order group like the NIST curves we support is
+ // cryptographically negligible. If we hit it, something is awfully wrong.
+ if r.IsZero() == 1 {
+ return nil, errors.New("ecdsa: internal error: r is zero")
+ }
+
+ e := bigmod.NewNat()
+ hashToNat(c, e, hash)
+
+ s, err := bigmod.NewNat().SetBytes(priv.D.Bytes(), c.N)
+ if err != nil {
+ return nil, err
+ }
+ s.Mul(r, c.N)
+ s.Add(e, c.N)
+ s.Mul(kInv, c.N)
+
+ // Again, the chance of this happening is cryptographically negligible.
+ if s.IsZero() == 1 {
+ return nil, errors.New("ecdsa: internal error: s is zero")
+ }
+
+ return encodeSignature(r.Bytes(c.N), s.Bytes(c.N))
+}
+
+func encodeSignature(r, s []byte) ([]byte, error) {
+ var b cryptobyte.Builder
+ b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
+ addASN1IntBytes(b, r)
+ addASN1IntBytes(b, s)
+ })
+ return b.Bytes()
+}
+
+// addASN1IntBytes encodes in ASN.1 a positive integer represented as
+// a big-endian byte slice with zero or more leading zeroes.
+func addASN1IntBytes(b *cryptobyte.Builder, bytes []byte) {
+ for len(bytes) > 1 && bytes[0] == 0 {
+ bytes = bytes[1:]
+ }
+ b.AddASN1(asn1.INTEGER, func(c *cryptobyte.Builder) {
+ if bytes[0]&0x80 != 0 {
+ c.AddUint8(0)
+ }
+ c.AddBytes(bytes)
+ })
+}
+
+// inverse sets kInv to the inverse of k modulo the order of the curve.
+func inverse[Point nistPoint[Point]](c *nistCurve[Point], kInv, k *bigmod.Nat) {
+ if c.curve.Params().Name == "P-256" {
+ kBytes, err := nistec.P256OrdInverse(k.Bytes(c.N))
+ // Some platforms don't implement P256OrdInverse, and always return an error.
+ if err == nil {
+ _, err := kInv.SetBytes(kBytes, c.N)
+ if err != nil {
+ panic("ecdsa: internal error: P256OrdInverse produced an invalid value")
+ }
+ return
+ }
+ }
+
+ // Calculate the inverse of s in GF(N) using Fermat's method
+ // (exponentiation modulo P - 2, per Euler's theorem)
+ kInv.Exp(k, c.nMinus2, c.N)
+}
+
+// hashToNat sets e to the left-most bits of hash, according to
+// SEC 1, Section 4.1.3, point 5 and Section 4.1.4, point 3.
+func hashToNat[Point nistPoint[Point]](c *nistCurve[Point], e *bigmod.Nat, hash []byte) {
+ // ECDSA asks us to take the left-most log2(N) bits of hash, and use them as
+ // an integer modulo N. This is the absolute worst of all worlds: we still
+ // have to reduce, because the result might still overflow N, but to take
+ // the left-most bits for P-521 we have to do a right shift.
+ if size := c.N.Size(); len(hash) > size {
+ hash = hash[:size]
+ if excess := len(hash)*8 - c.N.BitLen(); excess > 0 {
+ hash = bytes.Clone(hash)
+ for i := len(hash) - 1; i >= 0; i-- {
+ hash[i] >>= excess
+ if i > 0 {
+ hash[i] |= hash[i-1] << (8 - excess)
+ }
+ }
+ }
+ }
+ _, err := e.SetOverflowingBytes(hash, c.N)
+ if err != nil {
+ panic("ecdsa: internal error: truncated hash is too long")
+ }
+}
+
+// mixedCSPRNG returns a CSPRNG that mixes entropy from rand with the message
+// and the private key, to protect the key in case rand fails. This is
+// equivalent in security to RFC 6979 deterministic nonce generation, but still
+// produces randomized signatures.
+func mixedCSPRNG(rand io.Reader, priv *PrivateKey, hash []byte) (io.Reader, error) {
// This implementation derives the nonce from an AES-CTR CSPRNG keyed by:
//
// SHA2-512(priv.D || entropy || hash)[:32]
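Review bot: addASN1IntBytes reads `bytes[0]` inside the INTEGER callback without checking the length, so an empty slice panics with an index out of range instead of producing an encoding error. signNISTEC in this hunk always passes fixed-size `r.Bytes(c.N)` and `s.Bytes(c.N)`, but encodeSignature is also called from Verify and signLegacy in ecdsa_legacy.go with big.Int.Bytes(), which is empty for a zero value. A guard at the top of the function would make the helper safe for every caller: `if len(bytes) == 0 { b.SetError(errors.New("ecdsa: empty integer")); return }`. The doc comment should then state that at least one byte is required.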
@@ -293,9 +412,8 @@
// Get 256 bits of entropy from rand.
entropy := make([]byte, 32)
- _, err = io.ReadFull(rand, entropy)
- if err != nil {
- return
+ if _, err := io.ReadFull(rand, entropy); err != nil {
+ return nil, err
}
// Initialize an SHA-512 hash context; digest...
@@ -309,156 +427,22 @@
// Create an AES-CTR instance to use as a CSPRNG.
block, err := aes.NewCipher(key)
if err != nil {
- return nil, nil, err
+ return nil, err
}
// Create a CSPRNG that xors a stream of zeros with
// the output of the AES-CTR instance.
- csprng := &cipher.StreamReader{
+ const aesIV = "IV for ECDSA CTR"
+ return &cipher.StreamReader{
R: zeroReader,
S: cipher.NewCTR(block, []byte(aesIV)),
- }
-
- c := priv.PublicKey.Curve
- return sign(priv, csprng, c, hash)
-}
-
-func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, hash []byte) (r, s *big.Int, err error) {
- // SEC 1, Version 2.0, Section 4.1.3
- N := c.Params().N
- if N.Sign() == 0 {
- return nil, nil, errZeroParam
- }
- var k, kInv *big.Int
- for {
- for {
- k, err = randFieldElement(c, *csprng)
- if err != nil {
- r = nil
- return
- }
-
- if in, ok := priv.Curve.(invertible); ok {
- kInv = in.Inverse(k)
- } else {
- kInv = fermatInverse(k, N) // N != 0
- }
-
- r, _ = priv.Curve.ScalarBaseMult(k.Bytes())
- r.Mod(r, N)
- if r.Sign() != 0 {
- break
- }
- }
-
- e := hashToInt(hash, c)
- s = new(big.Int).Mul(priv.D, r)
- s.Add(s, e)
- s.Mul(s, kInv)
- s.Mod(s, N) // N != 0
- if s.Sign() != 0 {
- break
- }
- }
-
- return
-}
-
-// SignASN1 signs a hash (which should be the result of hashing a larger message)
-// using the private key, priv. If the hash is longer than the bit-length of the
-// private key's curve order, the hash will be truncated to that length. It
-// returns the ASN.1 encoded signature.
-func SignASN1(rand io.Reader, priv *PrivateKey, hash []byte) ([]byte, error) {
- return priv.Sign(rand, hash, nil)
-}
-
-// Verify verifies the signature in r, s of hash using the public key, pub. Its
-// return value records whether the signature is valid. Most applications should
-// use VerifyASN1 instead of dealing directly with r, s.
-func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
- if boring.Enabled {
- key, err := boringPublicKey(pub)
- if err != nil {
- return false
- }
- var b cryptobyte.Builder
- b.AddASN1(asn1.SEQUENCE, func(b *cryptobyte.Builder) {
- b.AddASN1BigInt(r)
- b.AddASN1BigInt(s)
- })
- sig, err := b.Bytes()
- if err != nil {
- return false
- }
- return boring.VerifyECDSA(key, hash, sig)
- }
- boring.UnreachableExceptTests()
-
- c := pub.Curve
- N := c.Params().N
-
- if r.Sign() <= 0 || s.Sign() <= 0 {
- return false
- }
- if r.Cmp(N) >= 0 || s.Cmp(N) >= 0 {
- return false
- }
- return verify(pub, c, hash, r, s)
-}
-
-func verifyGeneric(pub *PublicKey, c elliptic.Curve, hash []byte, r, s *big.Int) bool {
- // SEC 1, Version 2.0, Section 4.1.4
- e := hashToInt(hash, c)
- var w *big.Int
- N := c.Params().N
- if in, ok := c.(invertible); ok {
- w = in.Inverse(s)
- } else {
- w = new(big.Int).ModInverse(s, N)
- }
-
- u1 := e.Mul(e, w)
- u1.Mod(u1, N)
- u2 := w.Mul(r, w)
- u2.Mod(u2, N)
-
- // Check if implements S1*g + S2*p
- var x, y *big.Int
- if opt, ok := c.(combinedMult); ok {
- x, y = opt.CombinedMult(pub.X, pub.Y, u1.Bytes(), u2.Bytes())
- } else {
- x1, y1 := c.ScalarBaseMult(u1.Bytes())
- x2, y2 := c.ScalarMult(pub.X, pub.Y, u2.Bytes())
- x, y = c.Add(x1, y1, x2, y2)
- }
-
- if x.Sign() == 0 && y.Sign() == 0 {
- return false
- }
- x.Mod(x, N)
- return x.Cmp(r) == 0
-}
-
-// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
-// public key, pub. Its return value records whether the signature is valid.
-func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
- var (
- r, s = &big.Int{}, &big.Int{}
- inner cryptobyte.String
- )
- input := cryptobyte.String(sig)
- if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
- !input.Empty() ||
- !inner.ReadASN1Integer(r) ||
- !inner.ReadASN1Integer(s) ||
- !inner.Empty() {
- return false
- }
- return Verify(pub, hash, r, s)
+ }, nil
}
type zr struct{}
+var zeroReader = zr{}
+
// Read replaces the contents of dst with zeros. It is safe for concurrent use.
func (zr) Read(dst []byte) (n int, err error) {
for i := range dst {
@@ -467,4 +451,206 @@
return len(dst), nil
}
-var zeroReader = zr{}
+// VerifyASN1 verifies the ASN.1 encoded signature, sig, of hash using the
+// public key, pub. Its return value records whether the signature is valid.
+func VerifyASN1(pub *PublicKey, hash, sig []byte) bool {
+ if boring.Enabled {
+ key, err := boringPublicKey(pub)
+ if err != nil {
+ return false
+ }
+ return boring.VerifyECDSA(key, hash, sig)
+ }
+ boring.UnreachableExceptTests()
+
+ if err := verifyAsm(pub, hash, sig); err != errNoAsm {
+ return err == nil
+ }
+
+ switch pub.Curve.Params() {
+ case elliptic.P224().Params():
+ return verifyNISTEC(p224(), pub, hash, sig)
+ case elliptic.P256().Params():
+ return verifyNISTEC(p256(), pub, hash, sig)
+ case elliptic.P384().Params():
+ return verifyNISTEC(p384(), pub, hash, sig)
+ case elliptic.P521().Params():
+ return verifyNISTEC(p521(), pub, hash, sig)
+ default:
+ return verifyLegacy(pub, hash, sig)
+ }
+}
+
+func verifyNISTEC[Point nistPoint[Point]](c *nistCurve[Point], pub *PublicKey, hash, sig []byte) bool {
+ rBytes, sBytes, err := parseSignature(sig)
+ if err != nil {
+ return false
+ }
+
+ Q, err := c.pointFromAffine(pub.X, pub.Y)
+ if err != nil {
+ return false
+ }
+
+ // SEC 1, Version 2.0, Section 4.1.4
+
+ r, err := bigmod.NewNat().SetBytes(rBytes, c.N)
+ if err != nil || r.IsZero() == 1 {
+ return false
+ }
+ s, err := bigmod.NewNat().SetBytes(sBytes, c.N)
+ if err != nil || s.IsZero() == 1 {
+ return false
+ }
+
+ e := bigmod.NewNat()
+ hashToNat(c, e, hash)
+
+ // w = s⁻¹
+ w := bigmod.NewNat()
+ inverse(c, w, s)
+
+ // p₁ = [e * s⁻¹]G
+ p1, err := c.newPoint().ScalarBaseMult(e.Mul(w, c.N).Bytes(c.N))
+ if err != nil {
+ return false
+ }
+ // p₂ = [r * s⁻¹]Q
+ p2, err := Q.ScalarMult(Q, w.Mul(r, c.N).Bytes(c.N))
+ if err != nil {
+ return false
+ }
+ // BytesX returns an error for the point at infinity.
+ Rx, err := p1.Add(p1, p2).BytesX()
+ if err != nil {
+ return false
+ }
+
+ v, err := bigmod.NewNat().SetOverflowingBytes(Rx, c.N)
+ if err != nil {
+ return false
+ }
+
+ return v.Equal(r) == 1
+}
+
+func parseSignature(sig []byte) (r, s []byte, err error) {
+ var inner cryptobyte.String
+ input := cryptobyte.String(sig)
+ if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
+ !input.Empty() ||
+ !inner.ReadASN1Integer(&r) ||
+ !inner.ReadASN1Integer(&s) ||
+ !inner.Empty() {
+ return nil, nil, errors.New("invalid ASN.1")
+ }
+ return r, s, nil
+}
+
+type nistCurve[Point nistPoint[Point]] struct {
+ newPoint func() Point
+ curve elliptic.Curve
+ N *bigmod.Modulus
+ nMinus2 []byte
+}
+
+// nistPoint is a generic constraint for the nistec Point types.
+type nistPoint[T any] interface {
+ Bytes() []byte
+ BytesX() ([]byte, error)
+ SetBytes([]byte) (T, error)
+ Add(T, T) T
+ ScalarMult(T, []byte) (T, error)
+ ScalarBaseMult([]byte) (T, error)
+}
+
+// pointFromAffine is used to convert the PublicKey to a nistec Point.
+func (curve *nistCurve[Point]) pointFromAffine(x, y *big.Int) (p Point, err error) {
+ bitSize := curve.curve.Params().BitSize
+ // Reject values that would not get correctly encoded.
+ if x.Sign() < 0 || y.Sign() < 0 {
+ return p, errors.New("negative coordinate")
+ }
+ if x.BitLen() > bitSize || y.BitLen() > bitSize {
+ return p, errors.New("overflowing coordinate")
+ }
+ // Encode the coordinates and let SetBytes reject invalid points.
+ byteLen := (bitSize + 7) / 8
+ buf := make([]byte, 1+2*byteLen)
+ buf[0] = 4 // uncompressed point
+ x.FillBytes(buf[1 : 1+byteLen])
+ y.FillBytes(buf[1+byteLen : 1+2*byteLen])
+ return curve.newPoint().SetBytes(buf)
+}
+
+// pointToAffine is used to convert a nistec Point to a PublicKey.
+func (curve *nistCurve[Point]) pointToAffine(p Point) (x, y *big.Int, err error) {
+ out := p.Bytes()
+ if len(out) == 1 && out[0] == 0 {
+ // This is the encoding of the point at infinity.
+ return nil, nil, errors.New("ecdsa: public key point is the infinity")
+ }
+ byteLen := (curve.curve.Params().BitSize + 7) / 8
+ x = new(big.Int).SetBytes(out[1 : 1+byteLen])
+ y = new(big.Int).SetBytes(out[1+byteLen:])
+ return x, y, nil
+}
+
+var p224Once sync.Once
+var _p224 *nistCurve[*nistec.P224Point]
+
+func p224() *nistCurve[*nistec.P224Point] {
+ p224Once.Do(func() {
+ _p224 = &nistCurve[*nistec.P224Point]{
+ newPoint: func() *nistec.P224Point { return nistec.NewP224Point() },
+ }
+ precomputeParams(_p224, elliptic.P224())
+ })
+ return _p224
+}
+
+var p256Once sync.Once
+var _p256 *nistCurve[*nistec.P256Point]
+
+func p256() *nistCurve[*nistec.P256Point] {
+ p256Once.Do(func() {
+ _p256 = &nistCurve[*nistec.P256Point]{
+ newPoint: func() *nistec.P256Point { return nistec.NewP256Point() },
+ }
+ precomputeParams(_p256, elliptic.P256())
+ })
+ return _p256
+}
+
+var p384Once sync.Once
+var _p384 *nistCurve[*nistec.P384Point]
+
+func p384() *nistCurve[*nistec.P384Point] {
+ p384Once.Do(func() {
+ _p384 = &nistCurve[*nistec.P384Point]{
+ newPoint: func() *nistec.P384Point { return nistec.NewP384Point() },
+ }
+ precomputeParams(_p384, elliptic.P384())
+ })
+ return _p384
+}
+
+var p521Once sync.Once
+var _p521 *nistCurve[*nistec.P521Point]
+
+func p521() *nistCurve[*nistec.P521Point] {
+ p521Once.Do(func() {
+ _p521 = &nistCurve[*nistec.P521Point]{
+ newPoint: func() *nistec.P521Point { return nistec.NewP521Point() },
+ }
+ precomputeParams(_p521, elliptic.P521())
+ })
+ return _p521
+}
+
+func precomputeParams[Point nistPoint[Point]](c *nistCurve[Point], curve elliptic.Curve) {
+ params := curve.Params()
+ c.curve = curve
+ c.N = bigmod.NewModulusFromBig(params.N)
+ c.nMinus2 = new(big.Int).Sub(params.N, big.NewInt(2)).Bytes()
+}
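Review bot: pointFromAffine calls `x.Sign()` and `y.Sign()` as its first check, so a PublicKey whose X or Y was never set reaches a nil dereference inside VerifyASN1 rather than a `false` result. The function already turns negative and oversized coordinates into errors, and a nil coordinate could be handled the same way with `if x == nil || y == nil { return p, errors.New("nil coordinate") }` before the sign test. Whether the code this replaces tolerated a nil coordinate cannot be told from the hunk, so treat this as hardening of the new path.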
diff --git a/src/crypto/ecdsa/ecdsa_legacy.go b/src/crypto/ecdsa/ecdsa_legacy.go
new file mode 100644
index 0000000..4ae0b41
--- /dev/null
+++ b/src/crypto/ecdsa/ecdsa_legacy.go
@@ -0,0 +1,185 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ecdsa
+
+import (
+ "crypto/elliptic"
+ "errors"
+ "io"
+ "math/big"
+
+ "golang.org/x/crypto/cryptobyte"
+ "golang.org/x/crypto/cryptobyte/asn1"
+)
+
+// This file contains a math/big implementation of ECDSA that is only used for
+// deprecated custom curves.
+
+func generateLegacy(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
+ k, err := randFieldElement(c, rand)
+ if err != nil {
+ return nil, err
+ }
+
+ priv := new(PrivateKey)
+ priv.PublicKey.Curve = c
+ priv.D = k
+ priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes())
+ return priv, nil
+}
+
+// hashToInt converts a hash value to an integer. Per FIPS 186-4, Section 6.4,
+// we use the left-most bits of the hash to match the bit-length of the order of
+// the curve. This also performs Step 5 of SEC 1, Version 2.0, Section 4.1.3.
+func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
+ orderBits := c.Params().N.BitLen()
+ orderBytes := (orderBits + 7) / 8
+ if len(hash) > orderBytes {
+ hash = hash[:orderBytes]
+ }
+
+ ret := new(big.Int).SetBytes(hash)
+ excess := len(hash)*8 - orderBits
+ if excess > 0 {
+ ret.Rsh(ret, uint(excess))
+ }
+ return ret
+}
+
+var errZeroParam = errors.New("zero parameter")
+
+// Sign signs a hash (which should be the result of hashing a larger message)
+// using the private key, priv. If the hash is longer than the bit-length of the
+// private key's curve order, the hash will be truncated to that length. It
+// returns the signature as a pair of integers. Most applications should use
+// SignASN1 instead of dealing directly with r, s.
+func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
+ sig, err := SignASN1(rand, priv, hash)
+ if err != nil {
+ return nil, nil, err
+ }
+
+ r, s = new(big.Int), new(big.Int)
+ var inner cryptobyte.String
+ input := cryptobyte.String(sig)
+ if !input.ReadASN1(&inner, asn1.SEQUENCE) ||
+ !input.Empty() ||
+ !inner.ReadASN1Integer(r) ||
+ !inner.ReadASN1Integer(s) ||
+ !inner.Empty() {
+ return nil, nil, errors.New("invalid ASN.1 from SignASN1")
+ }
+ return r, s, nil
+}
+
+func signLegacy(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+ c := priv.Curve
+
+ // SEC 1, Version 2.0, Section 4.1.3
+ N := c.Params().N
+ if N.Sign() == 0 {
+ return nil, errZeroParam
+ }
+ var k, kInv, r, s *big.Int
+ for {
+ for {
+ k, err = randFieldElement(c, csprng)
+ if err != nil {
+ return nil, err
+ }
+
+ kInv = new(big.Int).ModInverse(k, N)
+
+ r, _ = c.ScalarBaseMult(k.Bytes())
+ r.Mod(r, N)
+ if r.Sign() != 0 {
+ break
+ }
+ }
+
+ e := hashToInt(hash, c)
+ s = new(big.Int).Mul(priv.D, r)
+ s.Add(s, e)
+ s.Mul(s, kInv)
+ s.Mod(s, N) // N != 0
+ if s.Sign() != 0 {
+ break
+ }
+ }
+
+ return encodeSignature(r.Bytes(), s.Bytes())
+}
+
+// Verify verifies the signature in r, s of hash using the public key, pub. Its
+// return value records whether the signature is valid. Most applications should
+// use VerifyASN1 instead of dealing directly with r, s.
+func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
+ sig, err := encodeSignature(r.Bytes(), s.Bytes())
+ if err != nil {
+ return false
+ }
+ return VerifyASN1(pub, hash, sig)
+}
+
+func verifyLegacy(pub *PublicKey, hash []byte, sig []byte) bool {
+ rBytes, sBytes, err := parseSignature(sig)
+ if err != nil {
+ return false
+ }
+ r, s := new(big.Int).SetBytes(rBytes), new(big.Int).SetBytes(sBytes)
+
+ c := pub.Curve
+ N := c.Params().N
+
+ if r.Sign() <= 0 || s.Sign() <= 0 {
+ return false
+ }
+ if r.Cmp(N) >= 0 || s.Cmp(N) >= 0 {
+ return false
+ }
+
+ // SEC 1, Version 2.0, Section 4.1.4
+ e := hashToInt(hash, c)
+ w := new(big.Int).ModInverse(s, N)
+
+ u1 := e.Mul(e, w)
+ u1.Mod(u1, N)
+ u2 := w.Mul(r, w)
+ u2.Mod(u2, N)
+
+ x1, y1 := c.ScalarBaseMult(u1.Bytes())
+ x2, y2 := c.ScalarMult(pub.X, pub.Y, u2.Bytes())
+ x, y := c.Add(x1, y1, x2, y2)
+
+ if x.Sign() == 0 && y.Sign() == 0 {
+ return false
+ }
+ x.Mod(x, N)
+ return x.Cmp(r) == 0
+}
+
+var one = new(big.Int).SetInt64(1)
+
+// randFieldElement returns a random element of the order of the given
+// curve using the procedure given in FIPS 186-4, Appendix B.5.2.
+func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error) {
+ // See randomPoint for notes on the algorithm. This has to match, or s390x
+ // signatures will come out different from other architectures, which will
+ // break TLS recorded tests.
+ for {
+ N := c.Params().N
+ b := make([]byte, (N.BitLen()+7)/8)
+ if _, err = io.ReadFull(rand, b); err != nil {
+ return
+ }
+ if excess := len(b)*8 - N.BitLen(); excess > 0 {
+ b[0] >>= excess
+ }
+ k = new(big.Int).SetBytes(b)
+ if k.Sign() != 0 && k.Cmp(N) < 0 {
+ return
+ }
+ }
+}
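Review bot: Verify encodes `r.Bytes()` and `s.Bytes()` without looking at the sign, and big.Int.Bytes drops it, so a negative r or s is re-encoded as its magnitude and verified as if it were positive. The Verify removed from ecdsa.go rejected `r.Sign() <= 0 || s.Sign() <= 0` before doing any work, and the sign check kept in verifyLegacy runs only after the round trip through parseSignature, where a negative input is no longer visible. Restoring the guard as the first statement of Verify keeps the old contract: `if r.Sign() <= 0 || s.Sign() <= 0 { return false }`. It also keeps a zero value, whose Bytes() is empty, away from encodeSignature.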
diff --git a/src/crypto/ecdsa/ecdsa_noasm.go b/src/crypto/ecdsa/ecdsa_noasm.go
index 7fbca10b..a72aa4b 100644
--- a/src/crypto/ecdsa/ecdsa_noasm.go
+++ b/src/crypto/ecdsa/ecdsa_noasm.go
@@ -6,16 +6,12 @@
package ecdsa
-import (
- "crypto/cipher"
- "crypto/elliptic"
- "math/big"
-)
+import "io"
-func sign(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, hash []byte) (r, s *big.Int, err error) {
- return signGeneric(priv, csprng, c, hash)
+func verifyAsm(pub *PublicKey, hash []byte, sig []byte) error {
+ return errNoAsm
}
-func verify(pub *PublicKey, c elliptic.Curve, hash []byte, r, s *big.Int) bool {
- return verifyGeneric(pub, c, hash, r, s)
+func signAsm(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+ return nil, errNoAsm
}
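Review bot: verifyAsm and signAsm carry no comment saying that errNoAsm is a sentinel meaning "not handled on this platform", which is what VerifyASN1 and SignASN1 rely on when they test `err != errNoAsm`. A one-line comment on each stub would make that contract visible in this file, for example `// verifyAsm always returns errNoAsm here; VerifyASN1 then falls back to the Go implementation.` and the matching line for signAsm. It is also worth stating that any other error, including nil, is treated by the callers as the final result.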
diff --git a/src/crypto/ecdsa/ecdsa_s390x.go b/src/crypto/ecdsa/ecdsa_s390x.go
index bd92579..49f645a 100644
--- a/src/crypto/ecdsa/ecdsa_s390x.go
+++ b/src/crypto/ecdsa/ecdsa_s390x.go
@@ -5,9 +5,10 @@
package ecdsa
import (
- "crypto/cipher"
"crypto/elliptic"
+ "errors"
"internal/cpu"
+ "io"
"math/big"
)
@@ -69,67 +70,20 @@
hashToInt(hash, c).FillBytes(dst)
}
-func sign(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, hash []byte) (r, s *big.Int, err error) {
- if functionCode, blockSize, ok := canUseKDSA(c); ok {
- for {
- var k *big.Int
- k, err = randFieldElement(c, *csprng)
- if err != nil {
- return nil, nil, err
- }
-
- // The parameter block looks like the following for sign.
- // +---------------------+
- // | Signature(R) |
- // +---------------------+
- // | Signature(S) |
- // +---------------------+
- // | Hashed Message |
- // +---------------------+
- // | Private Key |
- // +---------------------+
- // | Random Number |
- // +---------------------+
- // | |
- // | ... |
- // | |
- // +---------------------+
- // The common components(signatureR, signatureS, hashedMessage, privateKey and
- // random number) each takes block size of bytes. The block size is different for
- // different curves and is set by canUseKDSA function.
- var params [4096]byte
-
- // Copy content into the parameter block. In the sign case,
- // we copy hashed message, private key and random number into
- // the parameter block.
- hashToBytes(params[2*blockSize:3*blockSize], hash, c)
- priv.D.FillBytes(params[3*blockSize : 4*blockSize])
- k.FillBytes(params[4*blockSize : 5*blockSize])
- // Convert verify function code into a sign function code by adding 8.
- // We also need to set the 'deterministic' bit in the function code, by
- // adding 128, in order to stop the instruction using its own random number
- // generator in addition to the random number we supply.
- switch kdsa(functionCode+136, ¶ms) {
- case 0: // success
- r = new(big.Int)
- r.SetBytes(params[:blockSize])
- s = new(big.Int)
- s.SetBytes(params[blockSize : 2*blockSize])
- return
- case 1: // error
- return nil, nil, errZeroParam
- case 2: // retry
- continue
- }
- panic("unreachable")
- }
+func signAsm(priv *PrivateKey, csprng io.Reader, hash []byte) (sig []byte, err error) {
+ c := priv.Curve
+ functionCode, blockSize, ok := canUseKDSA(c)
+ if !ok {
+ return nil, errNoAsm
}
- return signGeneric(priv, csprng, c, hash)
-}
+ for {
+ var k *big.Int
+ k, err = randFieldElement(c, csprng)
+ if err != nil {
+ return nil, err
+ }
-func verify(pub *PublicKey, c elliptic.Curve, hash []byte, r, s *big.Int) bool {
- if functionCode, blockSize, ok := canUseKDSA(c); ok {
- // The parameter block looks like the following for verify:
+ // The parameter block looks like the following for sign.
// +---------------------+
// | Signature(R) |
// +---------------------+
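Review bot: The nonce in signAsm is still produced as a `*big.Int` by `randFieldElement(c, csprng)`, and the next hunk serialises it and `priv.D` with `big.Int.FillBytes`, so on this path both secret scalars keep passing through math/big. The math/big documentation warns that its methods may leak the value through timing, so this path does not get the same treatment as code that keeps secrets out of math/big. If that is an accepted limitation of the KDSA path, I would state it above the loop, e.g. `// NOTE: k and priv.D are handled with math/big here; the Go-side handling of these secrets is not constant-time.` signAsm's body continues into the following hunk.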
@@ -137,28 +91,87 @@
// +---------------------+
// | Hashed Message |
// +---------------------+
- // | Public Key X |
+ // | Private Key |
// +---------------------+
- // | Public Key Y |
+ // | Random Number |
// +---------------------+
// | |
// | ... |
// | |
// +---------------------+
- // The common components(signatureR, signatureS, hashed message, public key X,
- // and public key Y) each takes block size of bytes. The block size is different for
+ // The common components(signatureR, signatureS, hashedMessage, privateKey and
+ // random number) each takes block size of bytes. The block size is different for
// different curves and is set by canUseKDSA function.
var params [4096]byte
- // Copy content into the parameter block. In the verify case,
- // we copy signature (r), signature(s), hashed message, public key x component,
- // and public key y component into the parameter block.
- r.FillBytes(params[0*blockSize : 1*blockSize])
- s.FillBytes(params[1*blockSize : 2*blockSize])
+ // Copy content into the parameter block. In the sign case,
+ // we copy hashed message, private key and random number into
+ // the parameter block.
hashToBytes(params[2*blockSize:3*blockSize], hash, c)
- pub.X.FillBytes(params[3*blockSize : 4*blockSize])
- pub.Y.FillBytes(params[4*blockSize : 5*blockSize])
- return kdsa(functionCode, ¶ms) == 0
+ priv.D.FillBytes(params[3*blockSize : 4*blockSize])
+ k.FillBytes(params[4*blockSize : 5*blockSize])
+ // Convert verify function code into a sign function code by adding 8.
+ // We also need to set the 'deterministic' bit in the function code, by
+ // adding 128, in order to stop the instruction using its own random number
+ // generator in addition to the random number we supply.
+ switch kdsa(functionCode+136, ¶ms) {
+ case 0: // success
+ return encodeSignature(params[:blockSize], params[blockSize:2*blockSize])
+ case 1: // error
+ return nil, errZeroParam
+ case 2: // retry
+ continue
+ }
+ panic("unreachable")
}
- return verifyGeneric(pub, c, hash, r, s)
+}
+
+func verifyAsm(pub *PublicKey, hash []byte, sig []byte) error {
+ c := pub.Curve
+ functionCode, blockSize, ok := canUseKDSA(c)
+ if !ok {
+ return errNoAsm
+ }
+
+ r, s, err := parseSignature(sig)
+ if err != nil {
+ return err
+ }
+ if len(r) > blockSize || len(s) > blockSize {
+ return errors.New("invalid signature")
+ }
+
+ // The parameter block looks like the following for verify:
+ // +---------------------+
+ // | Signature(R) |
+ // +---------------------+
+ // | Signature(S) |
+ // +---------------------+
+ // | Hashed Message |
+ // +---------------------+
+ // | Public Key X |
+ // +---------------------+
+ // | Public Key Y |
+ // +---------------------+
+ // | |
+ // | ... |
+ // | |
+ // +---------------------+
+ // The common components(signatureR, signatureS, hashed message, public key X,
+ // and public key Y) each takes block size of bytes. The block size is different for
+ // different curves and is set by canUseKDSA function.
+ var params [4096]byte
+
+ // Copy content into the parameter block. In the verify case,
+ // we copy signature (r), signature(s), hashed message, public key x component,
+ // and public key y component into the parameter block.
+ copy(params[0*blockSize+blockSize-len(r):], r)
+ copy(params[1*blockSize+blockSize-len(s):], s)
+ hashToBytes(params[2*blockSize:3*blockSize], hash, c)
+ pub.X.FillBytes(params[3*blockSize : 4*blockSize])
+ pub.Y.FillBytes(params[4*blockSize : 5*blockSize])
+ if kdsa(functionCode, ¶ms) != 0 {
+ return errors.New("invalid signature")
+ }
+ return nil
}
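Review bot: verifyAsm bounds `r` and `s` against `blockSize` before copying them, but `pub.X` and `pub.Y` go straight to `FillBytes` on a `blockSize`-wide slice, and `big.Int.FillBytes` panics when the value does not fit. Unless the caller has already validated the key (not visible in this hunk), a PublicKey with an oversized coordinate would turn verification into a panic rather than an error. A guard next to the r/s check would keep the failure mode uniform: `if pub.X.BitLen() > blockSize*8 || pub.Y.BitLen() > blockSize*8 { return errors.New("invalid public key") }`. `FillBytes` also ignores the sign, so a `Sign() < 0` check belongs in the same place.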
diff --git a/src/crypto/ecdsa/ecdsa_test.go b/src/crypto/ecdsa/ecdsa_test.go
index 4fd4d87..6ed2f94 100644
--- a/src/crypto/ecdsa/ecdsa_test.go
+++ b/src/crypto/ecdsa/ecdsa_test.go
@@ -6,6 +6,7 @@
import (
"bufio"
+ "bytes"
"compress/bzip2"
"crypto/elliptic"
"crypto/rand"
@@ -30,6 +31,7 @@
{"P224", elliptic.P224()},
{"P384", elliptic.P384()},
{"P521", elliptic.P521()},
+ {"P256/Generic", genericParamsForCurve(elliptic.P256())},
}
if testing.Short() {
tests = tests[:1]
@@ -43,6 +45,15 @@
}
}
+// genericParamsForCurve returns the dereferenced CurveParams for
+// the specified curve. This is used to avoid the logic for
+// upgrading a curve to its specific implementation, forcing
+// usage of the generic implementation.
+func genericParamsForCurve(c elliptic.Curve) *elliptic.CurveParams {
+ d := *(c.Params())
+ return &d
+}
+
func TestKeyGeneration(t *testing.T) {
testAllCurves(t, testKeyGeneration)
}
@@ -327,6 +338,85 @@
}
}
+func TestRandomPoint(t *testing.T) {
+ t.Run("P-224", func(t *testing.T) { testRandomPoint(t, p224()) })
+ t.Run("P-256", func(t *testing.T) { testRandomPoint(t, p256()) })
+ t.Run("P-384", func(t *testing.T) { testRandomPoint(t, p384()) })
+ t.Run("P-521", func(t *testing.T) { testRandomPoint(t, p521()) })
+}
+
+func testRandomPoint[Point nistPoint[Point]](t *testing.T, c *nistCurve[Point]) {
+ t.Cleanup(func() { testingOnlyRejectionSamplingLooped = nil })
+ var loopCount int
+ testingOnlyRejectionSamplingLooped = func() { loopCount++ }
+
+ // A sequence of all ones will generate 2^N-1, which should be rejected.
+ // (Unless, for example, we are masking too many bits.)
+ r := io.MultiReader(bytes.NewReader(bytes.Repeat([]byte{0xff}, 100)), rand.Reader)
+ if k, p, err := randomPoint(c, r); err != nil {
+ t.Fatal(err)
+ } else if k.IsZero() == 1 {
+ t.Error("k is zero")
+ } else if p.Bytes()[0] != 4 {
+ t.Error("p is infinity")
+ }
+ if loopCount == 0 {
+ t.Error("overflow was not rejected")
+ }
+ loopCount = 0
+
+ // A sequence of all zeroes will generate zero, which should be rejected.
+ r = io.MultiReader(bytes.NewReader(bytes.Repeat([]byte{0}, 100)), rand.Reader)
+ if k, p, err := randomPoint(c, r); err != nil {
+ t.Fatal(err)
+ } else if k.IsZero() == 1 {
+ t.Error("k is zero")
+ } else if p.Bytes()[0] != 4 {
+ t.Error("p is infinity")
+ }
+ if loopCount == 0 {
+ t.Error("zero was not rejected")
+ }
+ loopCount = 0
+
+ // P-256 has a 2⁻³² chance or randomly hitting a rejection. For P-224 it's
+ // 2⁻¹¹², for P-384 it's 2⁻¹⁹⁴, and for P-521 it's 2⁻²⁶², so if we hit in
+ // tests, something is horribly wrong. (For example, we are masking the
+ // wrong bits.)
+ if c.curve == elliptic.P256() {
+ return
+ }
+ if k, p, err := randomPoint(c, rand.Reader); err != nil {
+ t.Fatal(err)
+ } else if k.IsZero() == 1 {
+ t.Error("k is zero")
+ } else if p.Bytes()[0] != 4 {
+ t.Error("p is infinity")
+ }
+ if loopCount > 0 {
+ t.Error("unexpected rejection")
+ }
+}
+
+func randomPointForCurve(curve elliptic.Curve, rand io.Reader) error {
+ switch curve.Params() {
+ case elliptic.P224().Params():
+ _, _, err := randomPoint(p224(), rand)
+ return err
+ case elliptic.P256().Params():
+ _, _, err := randomPoint(p256(), rand)
+ return err
+ case elliptic.P384().Params():
+ _, _, err := randomPoint(p384(), rand)
+ return err
+ case elliptic.P521().Params():
+ _, _, err := randomPoint(p521(), rand)
+ return err
+ default:
+ panic("unknown curve")
+ }
+}
+
func benchmarkAllCurves(b *testing.B, f func(*testing.B, elliptic.Curve)) {
tests := []struct {
name string
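Review bot: randomPointForCurve switches on the pointer returned by `curve.Params()`, so a curve built by genericParamsForCurve (a copied CurveParams, added to the test table as "P256/Generic" earlier in this file) matches none of the cases and ends in `panic("unknown curve")`. Whether any caller passes that entry is not visible in this hunk, but the helper has no comment stating the restriction. I would add `// randomPointForCurve supports only the four nistec-backed curves and panics for any other Curve, including copied CurveParams.` above it. Separately, the comment in testRandomPoint reads "chance or randomly hitting" where "chance of randomly hitting" is meant.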
diff --git a/src/crypto/elliptic/nistec.go b/src/crypto/elliptic/nistec.go
index 9bb4600..d906c57 100644
--- a/src/crypto/elliptic/nistec.go
+++ b/src/crypto/elliptic/nistec.go
@@ -137,11 +137,10 @@
}
func (curve *nistCurve[Point]) pointFromAffine(x, y *big.Int) (p Point, err error) {
- p = curve.newPoint()
// (0, 0) is by convention the point at infinity, which can't be represented
// in affine coordinates. See Issue 37294.
if x.Sign() == 0 && y.Sign() == 0 {
- return p, nil
+ return curve.newPoint(), nil
}
// Reject values that would not get correctly encoded.
if x.Sign() < 0 || y.Sign() < 0 {
@@ -156,7 +155,7 @@
buf[0] = 4 // uncompressed point
x.FillBytes(buf[1 : 1+byteLen])
y.FillBytes(buf[1+byteLen : 1+2*byteLen])
- return p.SetBytes(buf)
+ return curve.newPoint().SetBytes(buf)
}
func (curve *nistCurve[Point]) pointToAffine(p Point) (x, y *big.Int) {
diff --git a/src/crypto/internal/bigmod/nat.go b/src/crypto/internal/bigmod/nat.go
index 679eb34..b9d0975 100644
--- a/src/crypto/internal/bigmod/nat.go
+++ b/src/crypto/internal/bigmod/nat.go
@@ -74,7 +74,7 @@
// common and most performant RSA key size. It's also enough to cover some of
// the operations of key sizes up to 4096.
const preallocTarget = 2048
-const preallocLimbs = (preallocTarget + _W) / _W
+const preallocLimbs = (preallocTarget + _W - 1) / _W
// NewNat returns a new nat with a size of zero, just like new(Nat), but with
// the preallocated capacity to hold a number of up to preallocTarget bits.
@@ -179,10 +179,37 @@
}
// SetBytes assigns x = b, where b is a slice of big-endian bytes.
-// SetBytes returns an error if b > m.
+// SetBytes returns an error if b >= m.
//
// The output will be resized to the size of m and overwritten.
func (x *Nat) SetBytes(b []byte, m *Modulus) (*Nat, error) {
+ if err := x.setBytes(b, m); err != nil {
+ return nil, err
+ }
+ if x.cmpGeq(m.nat) == yes {
+ return nil, errors.New("input overflows the modulus")
+ }
+ return x, nil
+}
+
+// SetOverflowingBytes assigns x = b, where b is a slice of big-endian bytes. SetOverflowingBytes
+// returns an error if b has a longer bit length than m, but reduces overflowing
+// values up to 2^⌈log2(m)⌉ - 1.
+//
+// The output will be resized to the size of m and overwritten.
+func (x *Nat) SetOverflowingBytes(b []byte, m *Modulus) (*Nat, error) {
+ if err := x.setBytes(b, m); err != nil {
+ return nil, err
+ }
+ leading := _W - bitLen(x.limbs[len(x.limbs)-1])
+ if leading < m.leading {
+ return nil, errors.New("input overflows the modulus")
+ }
+ x.sub(x.cmpGeq(m.nat), m.nat)
+ return x, nil
+}
+
+func (x *Nat) setBytes(b []byte, m *Modulus) error {
outI := 0
shift := 0
x.resetFor(m)
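Review bot: On the error paths of SetBytes and SetOverflowingBytes the receiver has already been resized and overwritten by setBytes, and in the `cmpGeq` case of SetBytes it holds a value that is not below m, yet both return `nil, err` without saying what x contains. A caller that keeps its own reference to x and ignores the error would feed an unreduced Nat into later modular operations. I would add to both doc comments `// If an error is returned, x is left in an unspecified state and must not be used.` The new setBytes helper also has no comment; something like `// setBytes assigns x = b without checking that x < m; callers must reject or reduce the result.` would record the contract. setBytes' body continues into the next hunk.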
@@ -197,17 +224,14 @@
outI++
if outI >= len(x.limbs) {
if overflow > 0 || i > 0 {
- return nil, errors.New("input overflows the modulus")
+ return errors.New("input overflows the modulus")
}
break
}
x.limbs[outI] = uint(overflow)
}
}
- if x.cmpGeq(m.nat) == yes {
- return nil, errors.New("input overflows the modulus")
- }
- return x, nil
+ return nil
}
// Equal returns 1 if x == y, and 0 otherwise.
@@ -226,6 +250,19 @@
return equal
}
+// IsZero returns 1 if x == 0, and 0 otherwise.
+func (x *Nat) IsZero() choice {
+ // Eliminate bounds checks in the loop.
+ size := len(x.limbs)
+ xLimbs := x.limbs[:size]
+
+ zero := yes
+ for i := 0; i < size; i++ {
+ zero &= ctEq(xLimbs[i], 0)
+ }
+ return zero
+}
+
// cmpGeq returns 1 if x >= y, and 0 otherwise.
//
// Both operands must have the same announced length.
@@ -372,8 +409,12 @@
// Size returns the size of m in bytes.
func (m *Modulus) Size() int {
- bits := len(m.nat.limbs)*_W - int(m.leading)
- return (bits + 7) / 8
+ return (m.BitLen() + 7) / 8
+}
+
+// BitLen returns the size of m in bits.
+func (m *Modulus) BitLen() int {
+ return len(m.nat.limbs)*_W - int(m.leading)
}
// Nat returns m as a Nat. The return value must not be written to.
diff --git a/src/crypto/internal/nistec/p256_asm_ordinv.go b/src/crypto/internal/nistec/p256_ordinv.go
similarity index 100%
rename from src/crypto/internal/nistec/p256_asm_ordinv.go
rename to src/crypto/internal/nistec/p256_ordinv.go
diff --git a/src/crypto/internal/nistec/p256_ordinv_noasm.go b/src/crypto/internal/nistec/p256_ordinv_noasm.go
new file mode 100644
index 0000000..213875c
--- /dev/null
+++ b/src/crypto/internal/nistec/p256_ordinv_noasm.go
@@ -0,0 +1,13 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !amd64 && !arm64
+
+package nistec
+
+import "errors"
+
+func P256OrdInverse(k []byte) ([]byte, error) {
+ return nil, errors.New("unimplemented")
+}
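Review bot: The exported stub P256OrdInverse has no doc comment, and its `errors.New("unimplemented")` result cannot be told apart from a real inversion failure by the caller. Since the callers are outside this hunk, I would at least document the contract: `// P256OrdInverse is not implemented on this platform and always returns an error; callers must fall back to a generic scalar inversion.` A package-level sentinel error would additionally let callers fall back only on this case instead of on any error.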
diff --git a/src/crypto/internal/nistec/p256_asm_ordinv_test.go b/src/crypto/internal/nistec/p256_ordinv_test.go
similarity index 100%
rename from src/crypto/internal/nistec/p256_asm_ordinv_test.go
rename to src/crypto/internal/nistec/p256_ordinv_test.go
diff --git a/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA b/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA
index c7fa530..d93f679 100644
--- a/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA
+++ b/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA
@@ -16,11 +16,11 @@
000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t|
>>> Flow 2 (server to client)
-00000000 16 03 01 00 59 02 00 00 55 03 01 92 4c b7 e6 07 |....Y...U...L...|
-00000010 09 b4 4a 47 6a 29 c7 79 18 0d 43 37 86 26 21 5a |..JGj).y..C7.&!Z|
-00000020 25 35 db 5f ae d0 20 0d 85 67 f7 20 75 e5 cb 25 |%5._.. ..g. u..%|
-00000030 4b 5d 95 87 78 00 fc 3f 78 26 e8 77 b5 0d d4 0e |K]..x..?x&.w....|
-00000040 54 06 66 b4 14 dc 6b db f2 af f3 2a c0 09 00 00 |T.f...k....*....|
+00000000 16 03 01 00 59 02 00 00 55 03 01 f1 70 ef e1 e5 |....Y...U...p...|
+00000010 96 73 83 d3 e2 b9 53 7e 81 ae 1d 40 24 5a ca f2 |.s....S~...@$Z..|
+00000020 06 b3 b6 01 e4 02 fb 81 bc d9 3d 20 1f 1a f0 b5 |..........= ....|
+00000030 b2 93 42 da 00 4d bf f6 dc 99 54 8d 3b 17 a4 74 |..B..M....T.;..t|
+00000040 ca 93 e1 5c a9 c4 d1 35 af f2 d8 f9 c0 09 00 00 |...\...5........|
00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................|
00000060 01 02 0e 0b 00 02 0a 00 02 07 00 02 04 30 82 02 |.............0..|
00000070 00 30 82 01 62 02 09 00 b8 bf 2d 47 a0 d2 eb f4 |.0..b.....-G....|
@@ -55,18 +55,18 @@
00000240 13 83 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 2e dd |.......7z..z....|
00000250 d7 11 69 7f 85 7c 56 de fb 31 78 2b e4 c7 78 0d |..i..|V..1x+..x.|
00000260 ae cb be 9e 4e 36 24 31 7b 6a 0f 39 95 12 07 8f |....N6$1{j.9....|
-00000270 2a 16 03 01 00 b5 0c 00 00 b1 03 00 1d 20 d7 b5 |*............ ..|
-00000280 51 8e b5 01 4f 02 2f 43 11 2b de 94 7d 82 e6 49 |Q...O./C.+..}..I|
-00000290 1b a6 ee a0 7f 12 35 a2 3a 62 46 ce 07 25 00 8b |......5.:bF..%..|
-000002a0 30 81 88 02 42 00 83 45 db 03 db b9 74 ce 77 35 |0...B..E....t.w5|
-000002b0 1b e5 76 18 dc 3a d3 ee 32 18 f3 16 a6 c3 62 be |..v..:..2.....b.|
-000002c0 46 47 40 80 2d a0 08 c5 1e 5a 4a 42 69 8c ee e5 |FG@.-....ZJBi...|
-000002d0 70 b5 71 30 2f 54 32 54 5f 5b 26 62 e1 81 52 9e |p.q0/T2T_[&b..R.|
-000002e0 49 70 d4 81 e4 76 f1 02 42 01 70 f6 87 84 bb 58 |Ip...v..B.p....X|
-000002f0 5d e4 a1 72 87 d5 35 53 99 9c 3f 30 2b 80 7e c9 |]..r..5S..?0+.~.|
-00000300 79 eb d8 97 3c 82 ff 37 a5 8d 36 bc 27 c1 51 58 |y...<..7..6.'.QX|
-00000310 e6 2a 48 05 bf 9b a4 a5 b1 7f 77 b8 d9 3e 37 c6 |.*H.......w..>7.|
-00000320 67 ad ef 8c 72 ea f6 ba bb af 00 16 03 01 00 0a |g...r...........|
+00000270 2a 16 03 01 00 b5 0c 00 00 b1 03 00 1d 20 f0 8c |*............ ..|
+00000280 cd 6a c2 7a ea f0 2b 4a 34 6d a9 3b 7a 29 5d 04 |.j.z..+J4m.;z)].|
+00000290 65 70 97 30 e7 10 6e c2 7e 50 c5 89 4a 3f 00 8b |ep.0..n.~P..J?..|
+000002a0 30 81 88 02 42 00 be e2 67 30 f0 8a cb 63 6c 13 |0...B...g0...cl.|
+000002b0 e0 4e 88 52 6e bc e4 83 53 f4 18 75 b7 46 a5 46 |.N.Rn...S..u.F.F|
+000002c0 11 f1 4b f9 bd 58 4e 62 5c fb a8 f2 93 99 3c 94 |..K..XNb\.....<.|
+000002d0 18 1d 7a f1 74 bf 9d c6 fe 65 b1 bc 54 2b c7 ba |..z.t....e..T+..|
+000002e0 f7 45 a8 0a 21 ad 23 02 42 01 c8 fd 48 62 e2 5e |.E..!.#.B...Hb.^|
+000002f0 f1 9c 95 c0 28 c4 c5 04 31 e5 ba a5 3c 09 d9 d7 |....(...1...<...|
+00000300 43 aa 8c 35 26 ed 47 57 6d c6 15 86 50 3c 72 e1 |C..5&.GWm...P<r.|
+00000310 6f 2b 85 63 97 5e 20 58 fc cf 0c f9 37 27 42 fb |o+.c.^ X....7'B.|
+00000320 cd ed c3 40 ac 5f d9 06 5c a3 27 16 03 01 00 0a |...@._..\.'.....|
00000330 0d 00 00 06 03 01 02 40 00 00 16 03 01 00 04 0e |.......@........|
00000340 00 00 00 |...|
>>> Flow 3 (client to server)
@@ -106,29 +106,29 @@
00000210 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b|
00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......|
00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 91 0f 00 |...._X.;t.......|
-00000240 00 8d 00 8b 30 81 88 02 42 01 f0 c3 b2 6e e2 a3 |....0...B....n..|
-00000250 cd 76 02 7a d5 b5 66 fa b6 66 4e 4b a0 17 d6 bd |.v.z..f..fNK....|
-00000260 ec f6 8c 1f f9 b4 32 18 a9 ba 66 a8 67 a4 fa c8 |......2...f.g...|
-00000270 f7 73 5f 22 fb f2 22 e2 4d a1 f6 30 a2 55 76 51 |.s_"..".M..0.UvQ|
-00000280 b7 61 7d 13 68 0a 89 9d 34 31 46 02 42 01 fa 8b |.a}.h...41F.B...|
-00000290 61 f6 91 8e 88 ca 84 e6 33 e0 da 92 7e ee 21 1c |a.......3...~.!.|
-000002a0 df 47 c2 5d 07 d8 ae 1b 04 58 f9 50 16 13 74 ea |.G.].....X.P..t.|
-000002b0 04 cc 18 2d 2b 9a 08 89 24 e8 b8 01 bb c6 84 6c |...-+...$......l|
-000002c0 e6 9a c6 8a 44 74 1c 3a 79 0c e9 3c 11 ba 1b 14 |....Dt.:y..<....|
-000002d0 03 01 00 01 01 16 03 01 00 30 1d 4b df 00 de 1c |.........0.K....|
-000002e0 b5 30 7b ea 64 a0 09 89 8c c5 be fc 9b 07 7e 45 |.0{.d.........~E|
-000002f0 27 00 e7 78 da 3e a3 04 97 87 b0 c2 17 32 01 91 |'..x.>.......2..|
-00000300 6e 66 7b dd 9e 28 bc cc 66 65 |nf{..(..fe|
+00000240 00 8d 00 8b 30 81 88 02 42 01 4c 44 9a a6 7e 6e |....0...B.LD..~n|
+00000250 8a f0 40 c0 63 cf 50 4d 1c 36 55 c2 ae 89 19 5a |..@.c.PM.6U....Z|
+00000260 3f ef 2b 2e 0d 66 4f fe c2 cb 17 86 7c a1 2c e9 |?.+..fO.....|.,.|
+00000270 d8 44 b6 45 36 cc 3a 29 74 19 3c 98 c1 f6 8f 9c |.D.E6.:)t.<.....|
+00000280 bb 29 fa ae d5 73 de c8 b3 27 7f 02 42 01 86 c9 |.)...s...'..B...|
+00000290 9d e6 1d 45 8b 35 7d ee 7d de ce 4b 15 40 1e 26 |...E.5}.}..K.@.&|
+000002a0 95 eb 8e b2 6d ac a3 52 b3 fe bc 9d 2b 61 1a 41 |....m..R....+a.A|
+000002b0 5c b5 e5 c0 df 3f 5b 84 4b d6 b2 c5 3a 15 05 0d |\....?[.K...:...|
+000002c0 3f 0a 6e d7 8d 49 35 50 67 3e 6e c5 a7 ba 84 14 |?.n..I5Pg>n.....|
+000002d0 03 01 00 01 01 16 03 01 00 30 91 e2 f5 b4 fc 0d |.........0......|
+000002e0 43 92 f1 18 99 68 d8 4d 94 ab e0 87 60 e5 46 e3 |C....h.M....`.F.|
+000002f0 dd b8 0c b5 c6 5b 73 ba ae e7 7f 0c 6d 6d 94 e7 |.....[s.....mm..|
+00000300 e2 21 c5 5c 0e b9 e6 c7 88 92 |.!.\......|
>>> Flow 4 (server to client)
-00000000 14 03 01 00 01 01 16 03 01 00 30 51 68 ca 97 63 |..........0Qh..c|
-00000010 c6 c0 24 1c 87 20 70 ac f7 47 16 45 44 17 cc 92 |..$.. p..G.ED...|
-00000020 b3 6d 8b fa d1 3c b8 10 d7 da e4 a7 35 3c a2 d0 |.m...<......5<..|
-00000030 da 4b 50 e4 89 94 4b bc 20 6b e3 |.KP...K. k.|
+00000000 14 03 01 00 01 01 16 03 01 00 30 24 93 c5 b1 d0 |..........0$....|
+00000010 bf 5e 5c 79 18 91 d4 c2 5d 82 bd b9 77 44 a8 75 |.^\y....]...wD.u|
+00000020 2a aa 22 c1 71 79 4c ad 7f 95 1f 94 b7 2b 5d cb |*.".qyL......+].|
+00000030 85 57 0a 7e 55 f1 56 4b 98 da b8 |.W.~U.VK...|
>>> Flow 5 (client to server)
-00000000 17 03 01 00 20 fc fa 90 90 d0 51 0d 35 0f 6a 6d |.... .....Q.5.jm|
-00000010 c2 32 ec 92 46 9f d7 e9 66 37 02 2a f6 c6 2e e2 |.2..F...f7.*....|
-00000020 13 aa fa fa d3 17 03 01 00 20 45 a9 36 19 7d a8 |......... E.6.}.|
-00000030 44 4c 8b aa 4e 47 c8 79 0c 97 a5 20 fa 6f 1f f7 |DL..NG.y... .o..|
-00000040 d3 bc d7 6d c2 67 23 c8 d6 05 15 03 01 00 20 f1 |...m.g#....... .|
-00000050 f1 ed f9 fc c2 f6 61 c8 42 9d c9 8a b0 d0 de d3 |......a.B.......|
-00000060 42 c7 04 64 eb 9e eb 58 3b c3 7d 0d 4d 16 d4 |B..d...X;.}.M..|
+00000000 17 03 01 00 20 21 19 00 1b 74 03 79 83 6a cf 87 |.... !...t.y.j..|
+00000010 c5 1f c6 e6 ff 1c 8d 9e a9 2b 3c 7e e5 e0 d5 b5 |.........+<~....|
+00000020 c0 d5 1a 84 45 17 03 01 00 20 77 40 7e ac d0 9e |....E.... w@~...|
+00000030 d1 86 73 26 d2 c6 a0 a4 94 9e d7 7e 28 59 5c b2 |..s&.......~(Y\.|
+00000040 9f 4d fa c5 c9 b7 a2 b2 b1 7b 15 03 01 00 20 59 |.M.......{.... Y|
+00000050 aa 2f 3f 2c 20 f1 15 ef 24 95 29 66 c0 48 78 00 |./?, ...$.)f.Hx.|
+00000060 19 d6 1e 95 af 83 03 6e d8 c7 8e bb c3 54 02 |.......n.....T.|
diff --git a/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA b/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA
index 81e5191..afe6e10 100644
--- a/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA
+++ b/src/crypto/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA
@@ -16,11 +16,11 @@
000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t|
>>> Flow 2 (server to client)
-00000000 16 03 01 00 59 02 00 00 55 03 01 ca 72 6a a1 69 |....Y...U...rj.i|
-00000010 18 a4 f8 76 4a c3 5c e8 d5 c1 fb 06 c6 9a 14 67 |...vJ.\........g|
-00000020 ce e4 f6 52 67 ab 64 48 28 5a 63 20 55 ea ff 87 |...Rg.dH(Zc U...|
-00000030 5a 78 5c cb 21 af 83 a5 ed 1b d3 2c 39 81 e5 ca |Zx\.!......,9...|
-00000040 63 d2 5c 57 27 1d d0 f9 41 40 43 b0 c0 13 00 00 |c.\W'...A@C.....|
+00000000 16 03 01 00 59 02 00 00 55 03 01 b5 1a 96 ea d5 |....Y...U.......|
+00000010 01 ef fb 42 1d 49 e1 1b 7c e4 15 ec cc 7f b9 fc |...B.I..|.......|
+00000020 22 e0 0b 1d 66 0e c8 d6 9b cd ec 20 d5 2b fe 9a |"...f...... .+..|
+00000030 f7 e7 10 1c c4 15 10 f1 24 8d 8f f6 25 90 aa 1c |........$...%...|
+00000040 10 c4 87 c6 36 23 5b 6a c1 ae 20 5e c0 13 00 00 |....6#[j.. ^....|
00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................|
00000060 01 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..|
00000070 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............|
@@ -60,17 +60,17 @@
00000290 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.|
000002a0 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..|
000002b0 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 01 00 |.=.`.\!.;.......|
-000002c0 aa 0c 00 00 a6 03 00 1d 20 e8 a5 9c e4 73 3d 75 |........ ....s=u|
-000002d0 0c 3e f2 de 21 9c 0f 91 b4 fd 94 f0 27 f6 d9 7d |.>..!.......'..}|
-000002e0 cd 0c 4c 50 b0 47 db dd 12 00 80 04 c0 be d5 bb |..LP.G..........|
-000002f0 e8 e2 a2 2e d9 2e 75 fa b6 07 d0 f7 75 52 fb 2f |......u.....uR./|
-00000300 50 cd 43 68 bd 42 11 6d d6 9f a3 d1 00 fd a9 14 |P.Ch.B.m........|
-00000310 0c 2a dd 76 ea 73 21 52 00 3a 83 cf d7 07 c7 bd |.*.v.s!R.:......|
-00000320 78 21 ce 35 80 b3 06 22 f1 96 a7 20 41 f8 aa 61 |x!.5..."... A..a|
-00000330 94 b4 77 d4 d9 92 f2 66 c5 1c d1 82 f3 b9 e2 9d |..w....f........|
-00000340 a9 30 1c e2 4e ec 0d 32 3d 0d 61 22 c8 e5 95 9f |.0..N..2=.a"....|
-00000350 cf 3e fc a8 c5 c3 f8 45 45 29 ea a7 e7 b7 a6 17 |.>.....EE)......|
-00000360 9e 5f 83 d4 b3 f0 da 31 73 94 f2 16 03 01 00 0a |._.....1s.......|
+000002c0 aa 0c 00 00 a6 03 00 1d 20 87 d5 d1 27 70 92 d9 |........ ...'p..|
+000002d0 15 56 e4 fd a8 52 a9 a5 f6 db ab f5 e2 61 fa 5d |.V...R.......a.]|
+000002e0 64 ba c2 ee 37 0b 53 cf 3c 00 80 71 cd eb 4b 1c |d...7.S.<..q..K.|
+000002f0 f7 84 85 6a 20 5c c8 40 59 1c b0 8e 1b b6 b6 19 |...j \.@Y.......|
+00000300 f1 66 ad 7d 1d d5 58 da c3 c4 dd 12 57 04 05 0d |.f.}..X.....W...|
+00000310 79 46 20 0b 8c a3 49 95 e0 96 22 75 56 44 21 6b |yF ...I..."uVD!k|
+00000320 42 17 ed 32 eb 9c f3 fd b0 b3 08 da 61 7e f3 9b |B..2........a~..|
+00000330 43 51 c0 09 e3 53 17 5d 84 3f c4 52 db 73 f9 d1 |CQ...S.].?.R.s..|
+00000340 21 0e 55 a4 bc a1 1b b6 3a 5a d1 cb 15 7e 8b a4 |!.U.....:Z...~..|
+00000350 fb 0f e7 7e 36 a7 1b a4 c0 1f 79 37 49 17 84 d3 |...~6.....y7I...|
+00000360 97 39 78 1f 55 77 e8 aa 37 2a 36 16 03 01 00 0a |.9x.Uw..7*6.....|
00000370 0d 00 00 06 03 01 02 40 00 00 16 03 01 00 04 0e |.......@........|
00000380 00 00 00 |...|
>>> Flow 3 (client to server)
@@ -110,29 +110,29 @@
00000210 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b|
00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......|
00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 91 0f 00 |...._X.;t.......|
-00000240 00 8d 00 8b 30 81 88 02 42 00 9a b9 f6 98 e3 ed |....0...B.......|
-00000250 ed 0d a3 0e 54 51 9f 73 d4 87 40 4e a9 39 4b 2d |....TQ.s..@N.9K-|
-00000260 2a b9 4d 8d e3 46 c3 b6 39 f2 ca a9 c9 0f 79 c1 |*.M..F..9.....y.|
-00000270 0c 90 6f de 58 97 72 fc a8 c1 4c 12 aa a4 85 57 |..o.X.r...L....W|
-00000280 50 7c a0 02 8a 12 c5 80 aa b6 39 02 42 00 9c b7 |P|........9.B...|
-00000290 95 b4 04 83 5b 3a e1 ac da 78 86 11 f5 30 75 4a |....[:...x...0uJ|
-000002a0 25 67 6c fd ef 5a d8 56 d3 60 93 cf 65 07 2b 1f |%gl..Z.V.`..e.+.|
-000002b0 a9 40 a8 ba cd 0e 41 2d 10 43 a4 61 93 b7 0a 11 |.@....A-.C.a....|
-000002c0 78 d1 72 2b 20 07 49 5a 76 02 17 57 87 78 c7 14 |x.r+ .IZv..W.x..|
-000002d0 03 01 00 01 01 16 03 01 00 30 93 de 1b 64 0e 56 |.........0...d.V|
-000002e0 d9 a8 da f7 37 cb ac ac 3e f5 e2 f9 87 19 f2 79 |....7...>......y|
-000002f0 24 76 19 a4 a2 41 d6 9e 7d ca aa 3e 1d d7 22 dd |$v...A..}..>..".|
-00000300 05 aa dd 74 03 db fd a2 de ee |...t......|
+00000240 00 8d 00 8b 30 81 88 02 42 01 e7 32 ab 5d d7 f8 |....0...B..2.]..|
+00000250 b6 25 f9 b6 e6 19 eb 20 75 99 90 bc 41 06 74 ce |.%..... u...A.t.|
+00000260 92 31 fc 9e cd f3 b4 b1 b1 f7 1e d3 3c 5e 01 92 |.1..........<^..|
+00000270 a0 c6 24 05 6e 3b ba 6c 51 61 6c 11 fd fe d7 9f |..$.n;.lQal.....|
+00000280 0b 16 b3 1a f7 20 fa b2 3d 92 c9 02 42 01 d7 dc |..... ..=...B...|
+00000290 20 50 f6 91 a3 63 2a 79 37 d4 8b 71 0a 1e 73 f8 | P...c*y7..q..s.|
+000002a0 1e 1c 04 c5 c8 66 bc 5e 67 5e bb 94 76 87 23 12 |.....f.^g^..v.#.|
+000002b0 64 18 cb 09 66 58 f1 06 17 93 1e b9 83 67 9d 3d |d...fX.......g.=|
+000002c0 39 0a fb 37 7b a9 bf d2 59 1a 49 0f 4c 10 df 14 |9..7{...Y.I.L...|
+000002d0 03 01 00 01 01 16 03 01 00 30 4f 0e ba fc 20 81 |.........0O... .|
+000002e0 73 58 e0 47 33 b9 5e c4 6a 10 c2 1a 42 c3 85 2b |sX.G3.^.j...B..+|
+000002f0 20 38 80 5d 40 81 4a 78 40 d9 13 ac af b3 45 e7 | 8.]@.Jx@.....E.|
+00000300 1e 19 c6 b5 63 6e 9c 5c 8a 8d |....cn.\..|
>>> Flow 4 (server to client)
-00000000 14 03 01 00 01 01 16 03 01 00 30 4d 4f d6 67 05 |..........0MO.g.|
-00000010 32 8c 16 cb 19 35 b3 b9 02 d8 5e 24 b6 c8 b7 3a |2....5....^$...:|
-00000020 17 34 98 77 e1 73 e0 cd a9 30 a8 15 60 8c f4 9a |.4.w.s...0..`...|
-00000030 dc cf 7a fd 86 85 1c 2b 33 21 e8 |..z....+3!.|
+00000000 14 03 01 00 01 01 16 03 01 00 30 c6 bb 74 56 db |..........0..tV.|
+00000010 fd f7 a7 dd 3b a3 50 10 11 44 83 a1 c6 b1 6e 70 |....;.P..D....np|
+00000020 37 6e 68 b2 5a 45 6b fb e9 9d 4e 68 cf ba ea af |7nh.ZEk...Nh....|
+00000030 7d f6 65 ee 22 14 9e 5a a7 85 65 |}.e."..Z..e|
>>> Flow 5 (client to server)
-00000000 17 03 01 00 20 b8 c5 17 b7 92 d8 93 7a b2 fd 4f |.... .......z..O|
-00000010 15 d1 db b9 47 54 00 a0 f6 77 92 03 a8 89 e5 ba |....GT...w......|
-00000020 cc eb d9 bd 27 17 03 01 00 20 57 d5 9a f6 36 b2 |....'.... W...6.|
-00000030 57 ba cd 64 77 36 b9 74 fb bd 95 51 03 61 e8 45 |W..dw6.t...Q.a.E|
-00000040 cb b8 35 f0 05 17 b3 08 c6 cb 15 03 01 00 20 28 |..5........... (|
-00000050 43 03 ab 3f e2 f5 d0 33 4c 7f 50 a4 ee 7b 46 e6 |C..?...3L.P..{F.|
-00000060 12 76 d0 fd c3 99 5c 63 a4 04 ea 4b e3 bd 99 |.v....\c...K...|
+00000000 17 03 01 00 20 c7 78 67 68 03 48 2e a5 c3 7a 0a |.... .xgh.H...z.|
+00000010 56 73 14 02 12 f7 26 ac 48 19 3e e6 4b 0f ac d0 |Vs....&.H.>.K...|
+00000020 4e 74 dc 66 68 17 03 01 00 20 bf db fb e7 85 35 |Nt.fh.... .....5|
+00000030 50 4d 39 3f ab 25 95 30 4c 7a 20 d8 89 db 74 ff |PM9?.%.0Lz ...t.|
+00000040 e6 e1 05 30 98 17 f3 93 8a 0d 15 03 01 00 20 f9 |...0.......... .|
+00000050 33 18 32 46 d3 28 46 a4 06 8c e1 9b 9b 1d d1 d8 |3.2F.(F.........|
+00000060 7b 9f 6c ad 5d 2a 36 10 2c dd f8 30 23 54 ac |{.l.]*6.,..0#T.|
diff --git a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA
index e1fb8a8..4b5a4ca 100644
--- a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA
+++ b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA
@@ -16,11 +16,11 @@
000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t|
>>> Flow 2 (server to client)
-00000000 16 03 03 00 59 02 00 00 55 03 03 36 60 84 12 26 |....Y...U..6`..&|
-00000010 51 e4 32 33 26 ef c3 31 bf ea ac 27 0f c3 fb cb |Q.23&..1...'....|
-00000020 05 89 af df 56 a9 3f 14 6e 5e 2c 20 ad 6e 60 2d |....V.?.n^, .n`-|
-00000030 94 aa e5 73 22 eb 68 92 77 1c 6c cb f4 5a 14 f2 |...s".h.w.l..Z..|
-00000040 29 85 88 aa 2e 56 2a ad 80 e1 f0 b1 c0 09 00 00 |)....V*.........|
+00000000 16 03 03 00 59 02 00 00 55 03 03 8f fe 05 df f3 |....Y...U.......|
+00000010 02 70 ec 72 c4 3d 1e 52 c3 63 b8 1d dc e0 36 72 |.p.r.=.R.c....6r|
+00000020 8b 04 94 a5 45 fb 97 a5 0b e1 a7 20 9d fb e5 2b |....E...... ...+|
+00000030 77 d7 1b da e8 d7 3e fe c5 8f 4e b6 5a 40 29 02 |w.....>...N.Z@).|
+00000040 fd 08 46 4e 27 24 53 e1 de 88 8a 77 c0 09 00 00 |..FN'$S....w....|
00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................|
00000060 03 02 0e 0b 00 02 0a 00 02 07 00 02 04 30 82 02 |.............0..|
00000070 00 30 82 01 62 02 09 00 b8 bf 2d 47 a0 d2 eb f4 |.0..b.....-G....|
@@ -55,18 +55,18 @@
00000240 13 83 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 2e dd |.......7z..z....|
00000250 d7 11 69 7f 85 7c 56 de fb 31 78 2b e4 c7 78 0d |..i..|V..1x+..x.|
00000260 ae cb be 9e 4e 36 24 31 7b 6a 0f 39 95 12 07 8f |....N6$1{j.9....|
-00000270 2a 16 03 03 00 b7 0c 00 00 b3 03 00 1d 20 87 2c |*............ .,|
-00000280 f2 fd 8e b9 3d 5f 1c c8 bb 04 f5 1e 01 a8 ba d8 |....=_..........|
-00000290 b6 8e 61 78 15 9e 3b a7 da 96 8e 77 d7 70 04 03 |..ax..;....w.p..|
-000002a0 00 8b 30 81 88 02 42 01 dc e2 26 f9 18 39 da 7d |..0...B...&..9.}|
-000002b0 bd a1 30 c6 6f dd cd aa a0 4f 71 cf 42 76 61 ba |..0.o....Oq.Bva.|
-000002c0 e7 9f 09 b5 05 f2 76 c7 db 2a 93 83 3b 0b 3a cf |......v..*..;.:.|
-000002d0 60 96 24 c8 af de 2c db 5a 29 1c 62 67 28 e9 d7 |`.$...,.Z).bg(..|
-000002e0 57 5f 54 18 cc bf ee d1 d9 02 42 01 04 cf 67 0b |W_T.......B...g.|
-000002f0 62 2c c2 17 a3 f4 f1 32 0f c5 b9 ae 3b 52 36 2b |b,.....2....;R6+|
-00000300 f0 c0 60 49 08 e0 bf f5 7c 09 13 e4 b8 ba 08 c7 |..`I....|.......|
-00000310 ea 74 a0 f5 88 45 e4 35 f1 c5 4e df fe 45 bc ca |.t...E.5..N..E..|
-00000320 9c 5f c8 84 66 13 8f b3 c9 7e b2 ba d6 16 03 03 |._..f....~......|
+00000270 2a 16 03 03 00 b7 0c 00 00 b3 03 00 1d 20 82 a8 |*............ ..|
+00000280 4b 0e 10 e1 2b a2 f6 9d 11 0a 4d 0b c0 2f 12 85 |K...+.....M../..|
+00000290 bc f3 e9 9f b4 50 50 fa b1 a9 fd 35 d1 39 04 03 |.....PP....5.9..|
+000002a0 00 8b 30 81 88 02 42 01 b1 cb c7 7a 83 6a 95 5b |..0...B....z.j.[|
+000002b0 09 4c 59 d6 9a 6b 9d 0c e9 f5 22 1c 46 76 5b 4e |.LY..k....".Fv[N|
+000002c0 3c 4a ac 81 b7 96 29 7c e2 e8 08 e7 5f be 9d dc |<J....)|...._...|
+000002d0 8d 9e 1d a1 84 4c 18 1a 8a 2d bd 97 de 26 70 14 |.....L...-...&p.|
+000002e0 11 74 49 4b e9 2e 59 30 9c 02 42 00 b5 9e 89 32 |.tIK..Y0..B....2|
+000002f0 45 02 71 19 6e 83 fc 26 26 b4 28 08 6a 7d d3 72 |E.q.n..&&.(.j}.r|
+00000300 4e ed 82 68 2f ad ff 39 5a ce 34 b8 e4 39 f2 f1 |N..h/..9Z.4..9..|
+00000310 60 5d 84 c4 da 4d 5a 33 f8 20 5a f2 7f aa 7e 18 |`]...MZ3. Z...~.|
+00000320 14 14 2a 68 a8 9d dd d0 ec e3 00 87 49 16 03 03 |..*h........I...|
00000330 00 3a 0d 00 00 36 03 01 02 40 00 2e 04 03 05 03 |.:...6...@......|
00000340 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................|
00000350 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................|
@@ -108,32 +108,32 @@
00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..|
00000210 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b|
00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......|
-00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 92 0f 00 |...._X.;t.......|
-00000240 00 8e 04 03 00 8a 30 81 87 02 42 01 8f ff aa 8c |......0...B.....|
-00000250 bd 0c 94 39 34 e5 39 7b d2 12 26 8e 94 4a fd 68 |...94.9{..&..J.h|
-00000260 f2 f5 5b 30 69 e1 42 3a 74 cd 9a 37 75 5c d2 a6 |..[0i.B:t..7u\..|
-00000270 c9 7b b1 83 c1 d9 c5 55 1a af 3d 19 64 02 43 c0 |.{.....U..=.d.C.|
-00000280 0a 1c 0e ff f4 42 85 fb d1 aa a2 52 1a 02 41 2f |.....B.....R..A/|
-00000290 c6 23 d7 37 f1 36 75 0c 0f b4 49 14 c4 b4 d9 28 |.#.7.6u...I....(|
-000002a0 c1 00 2d e4 d6 93 fd a0 f5 59 4e 45 0c a4 28 d4 |..-......YNE..(.|
-000002b0 dc aa 7b 0b 28 29 12 94 f6 db 8c 23 af 81 7e ab |..{.().....#..~.|
-000002c0 fd 12 ba 11 27 b2 10 87 89 61 9f 5d 6d 18 79 c5 |....'....a.]m.y.|
-000002d0 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....|
-000002e0 00 00 00 00 00 00 00 00 00 00 00 2d 3e 6e 02 fb |...........->n..|
-000002f0 50 cc 37 62 77 17 08 ef 71 e6 06 23 82 ba 97 b7 |P.7bw...q..#....|
-00000300 0f 38 f9 5e 05 63 4c c9 04 6e bd e4 78 76 32 3b |.8.^.cL..n..xv2;|
-00000310 3a a7 9b de 30 ca ed fb 17 dc 40 |:...0.....@|
+00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 93 0f 00 |...._X.;t.......|
+00000240 00 8f 04 03 00 8b 30 81 88 02 42 01 cd 6b 44 a0 |......0...B..kD.|
+00000250 80 3b f5 5d f0 99 24 dd 89 94 b9 96 34 e7 04 e7 |.;.]..$.....4...|
+00000260 38 72 64 36 5a e9 ac bc e3 54 1b 75 69 e2 de 03 |8rd6Z....T.ui...|
+00000270 ce a9 2c 76 92 dd 6b 31 0a 93 10 57 69 8b e0 cf |..,v..k1...Wi...|
+00000280 7d 75 e4 e1 a9 d2 d3 29 b6 a7 ff 86 d4 02 42 01 |}u.....)......B.|
+00000290 e4 d9 31 56 23 62 e6 c2 2d 57 8a 6f d3 3f 1f 4d |..1V#b..-W.o.?.M|
+000002a0 ca 0e c0 60 53 55 1f fb 56 24 22 82 c0 fe d9 0b |...`SU..V$".....|
+000002b0 9b de fb f2 d4 a6 e4 98 9f 2c 07 07 01 83 ab 93 |.........,......|
+000002c0 3e c6 02 41 e9 8b 8d 95 eb cf b9 0f b5 fb 2c 9f |>..A..........,.|
+000002d0 90 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 |...........@....|
+000002e0 00 00 00 00 00 00 00 00 00 00 00 00 aa 12 12 09 |................|
+000002f0 c5 08 94 28 8d 59 f3 68 cc 02 69 47 fa cf 9c 81 |...(.Y.h..iG....|
+00000300 a6 a5 b5 c7 e7 26 45 4a 59 67 ca 0a ed 6c 58 38 |.....&EJYg...lX8|
+00000310 23 12 48 a9 3c 0c 26 00 78 58 db 21 |#.H.<.&.xX.!|
>>> Flow 4 (server to client)
-00000000 14 03 03 00 01 01 16 03 03 00 40 19 62 a8 82 26 |..........@.b..&|
-00000010 0f 0c 84 b4 31 6a 5d 12 65 dc b9 bc de 5c cb 77 |....1j].e....\.w|
-00000020 5d 04 7e a8 10 1a a5 05 e5 ca 04 68 a2 81 ef f5 |].~........h....|
-00000030 ae 4e bd f1 f3 ba 3f 6a 81 ae 71 9a 2f 31 e2 79 |.N....?j..q./1.y|
-00000040 f1 4d 6c 0e a4 be 4b f7 80 6f 97 |.Ml...K..o.|
+00000000 14 03 03 00 01 01 16 03 03 00 40 5a 63 b1 0f 47 |..........@Zc..G|
+00000010 76 ac c4 69 62 82 63 77 8b 26 7b a9 8a 7d 3d fe |v..ib.cw.&{..}=.|
+00000020 4a 04 b4 80 17 cc be 5e 9e b2 5d a3 2d 48 85 44 |J......^..].-H.D|
+00000030 7d db 62 77 31 27 18 b1 55 61 b3 64 6c d6 39 f7 |}.bw1'..Ua.dl.9.|
+00000040 f2 fe 7c 73 c8 3f 31 c9 78 83 8c |..|s.?1.x..|
>>> Flow 5 (client to server)
00000000 17 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........|
-00000010 00 00 00 00 00 e9 f4 51 fe c1 02 35 de 6e 72 c3 |.......Q...5.nr.|
-00000020 58 f3 01 4a f0 9d f2 34 df fc 0e 93 ef 46 2e 45 |X..J...4.....F.E|
-00000030 5e 60 43 52 33 15 03 03 00 30 00 00 00 00 00 00 |^`CR3....0......|
-00000040 00 00 00 00 00 00 00 00 00 00 ac 82 d6 47 42 40 |.............GB@|
-00000050 d6 6c 6d e3 b6 c6 4a b7 83 ce 6f 3f 33 ad e7 eb |.lm...J...o?3...|
-00000060 bf 59 82 50 8a 18 e3 13 46 6c |.Y.P....Fl|
+00000010 00 00 00 00 00 b9 a3 b6 37 76 c9 69 20 8d 97 e3 |........7v.i ...|
+00000020 0d f1 6e d4 6d 79 0b 64 4f a5 0d 30 ff 1c cd 56 |..n.my.dO..0...V|
+00000030 e7 ce 69 a6 48 15 03 03 00 30 00 00 00 00 00 00 |..i.H....0......|
+00000040 00 00 00 00 00 00 00 00 00 00 c6 3c 3b f2 09 05 |...........<;...|
+00000050 2c 4d 07 4f 95 34 29 ec ef 3b b5 31 c6 a4 91 5e |,M.O.4)..;.1...^|
+00000060 14 20 5b c5 34 19 f9 1d 22 63 |. [.4..."c|
diff --git a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
index 7ae186d..36bddc2 100644
--- a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
+++ b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
@@ -16,11 +16,11 @@
000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t|
>>> Flow 2 (server to client)
-00000000 16 03 03 00 59 02 00 00 55 03 03 2a 52 95 57 8c |....Y...U..*R.W.|
-00000010 55 3f d7 82 f0 3f af 57 a1 82 86 00 3a 6b c0 07 |U?...?.W....:k..|
-00000020 4d c3 0e 80 cc 37 2d 51 f4 d3 e2 20 4a f6 c9 8a |M....7-Q... J...|
-00000030 d2 98 4a ff 22 66 11 da 6f 9a a0 17 b9 96 b0 86 |..J."f..o.......|
-00000040 29 e0 39 86 0a 00 42 78 30 60 61 99 c0 2f 00 00 |).9...Bx0`a../..|
+00000000 16 03 03 00 59 02 00 00 55 03 03 b8 f6 b1 71 c5 |....Y...U.....q.|
+00000010 d0 3f 36 fb 8a b9 15 35 ae c5 08 8e eb c6 d5 ad |.?6....5........|
+00000020 a1 8a ff 65 2e 78 f5 2a 2b cb f7 20 26 1e c1 94 |...e.x.*+.. &...|
+00000030 85 a9 b1 ca 8d 5f 3f 00 6a 44 c9 ed 28 36 97 f2 |....._?.jD..(6..|
+00000040 7d 38 0a 56 75 a2 12 ac 34 ed 7e 14 c0 2f 00 00 |}8.Vu...4.~../..|
00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................|
00000060 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..|
00000070 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............|
@@ -60,17 +60,17 @@
00000290 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.|
000002a0 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..|
000002b0 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 |.=.`.\!.;.......|
-000002c0 ac 0c 00 00 a8 03 00 1d 20 fa 3a 8f b7 50 10 38 |........ .:..P.8|
-000002d0 04 9d fb c4 e4 76 6d 93 86 b2 8a d7 5b 8f 8d 45 |.....vm.....[..E|
-000002e0 41 b7 ba 54 bc cc 7b 07 3c 08 04 00 80 a1 14 65 |A..T..{.<......e|
-000002f0 f6 48 29 ba 08 86 52 65 dd 08 ef b8 b8 77 ef fd |.H)...Re.....w..|
-00000300 8a ca dc 37 f8 69 fa 04 69 73 84 07 b2 45 f0 a2 |...7.i..is...E..|
-00000310 8c 69 f7 7c 4c 5c 95 c5 66 80 ad 93 04 67 4b 3d |.i.|L\..f....gK=|
-00000320 f8 53 a9 33 b3 c0 40 17 62 34 f0 f3 1e d2 23 93 |.S.3..@.b4....#.|
-00000330 29 52 bc f4 f0 72 58 b9 76 9c 7b 54 b0 d5 d1 ab |)R...rX.v.{T....|
-00000340 b3 1b ae f7 f3 46 6a 07 7f f4 91 ee 46 d6 85 43 |.....Fj.....F..C|
-00000350 ea c6 f9 f5 47 89 85 39 72 35 af b4 03 e9 a2 ea |....G..9r5......|
-00000360 a8 19 09 ea b3 d2 c2 38 59 65 d1 2c 18 16 03 03 |.......8Ye.,....|
+000002c0 ac 0c 00 00 a8 03 00 1d 20 9d 82 84 ba 8e 4b 7e |........ .....K~|
+000002d0 bc f4 8e ab c1 31 68 42 cb 36 1d 64 60 55 74 11 |.....1hB.6.d`Ut.|
+000002e0 cf 63 d2 f4 c9 e7 a9 bf 7b 08 04 00 80 ce b2 06 |.c......{.......|
+000002f0 a3 54 1e fd f7 c4 a6 54 40 ea 74 8c e0 de ec aa |.T.....T@.t.....|
+00000300 30 66 c3 e4 a9 7f 86 cc f7 34 6b 55 a4 97 fd 6e |0f.......4kU...n|
+00000310 3b 1f c4 e9 17 3c 6d 94 66 78 e0 1a ab 41 64 9b |;....<m.fx...Ad.|
+00000320 2b 2e 14 99 96 68 aa ef 97 65 ea e7 72 28 9c 0f |+....h...e..r(..|
+00000330 f9 11 57 b7 1f 31 54 87 1a 36 45 ec c1 0f 72 53 |..W..1T..6E...rS|
+00000340 56 a1 8d e4 d0 93 3e bb 77 8a 32 bd fb 07 0b ce |V.....>.w.2.....|
+00000350 82 d3 a1 ab 6f 80 ac ac 4e da b7 7f 84 fe 3f 26 |....o...N.....?&|
+00000360 f4 d9 b9 b6 2b 68 1a cc ef 31 97 22 bf 16 03 03 |....+h...1."....|
00000370 00 3a 0d 00 00 36 03 01 02 40 00 2e 04 03 05 03 |.:...6...@......|
00000380 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................|
00000390 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................|
@@ -112,28 +112,28 @@
00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..|
00000210 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b|
00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......|
-00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 91 0f 00 |...._X.;t.......|
-00000240 00 8d 04 03 00 89 30 81 86 02 41 63 34 72 b4 70 |......0...Ac4r.p|
-00000250 45 46 9c 3c 06 2c f5 ab d4 dd a7 91 69 9c 65 0f |EF.<.,......i.e.|
-00000260 4b d9 2d 90 3d d1 f2 4d 2a 6a 43 4f a7 fd b5 22 |K.-.=..M*jCO..."|
-00000270 83 61 e2 14 33 8c bc 8a 81 52 a1 f4 69 a7 12 c9 |.a..3....R..i...|
-00000280 c3 28 69 85 6d c1 b0 5d d3 5e ac 4e 02 41 35 cd |.(i.m..].^.N.A5.|
-00000290 3b c3 f6 ea 9e df 2a a1 ea 80 55 40 d2 13 d3 ff |;.....*...U@....|
-000002a0 b2 59 bb a0 c7 10 67 6e 9b dc 6c 3c 97 08 07 e0 |.Y....gn..l<....|
-000002b0 db da 79 6b 0e 6c a0 23 13 b1 02 32 ab ee 62 69 |..yk.l.#...2..bi|
-000002c0 f9 d5 7f 24 2e 26 94 36 a4 36 53 63 dd 90 20 14 |...$.&.6.6Sc.. .|
-000002d0 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 00 |.........(......|
-000002e0 00 00 a7 30 0e b0 f7 ba 51 35 c9 4c c2 24 90 5e |...0....Q5.L.$.^|
-000002f0 b2 59 57 5d 96 9d ad d1 1e 7d b0 35 09 9c c5 49 |.YW].....}.5...I|
-00000300 bd 82 |..|
+00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 93 0f 00 |...._X.;t.......|
+00000240 00 8f 04 03 00 8b 30 81 88 02 42 01 d0 ef 2f 75 |......0...B.../u|
+00000250 25 6e 4b 2a 16 21 c4 73 59 80 a8 c9 27 45 1b 06 |%nK*.!.sY...'E..|
+00000260 75 20 61 01 db aa c4 90 25 16 1b fb ec 92 54 f7 |u a.....%.....T.|
+00000270 16 9b 8c e0 34 48 3e 62 57 92 99 42 7f d1 35 09 |....4H>bW..B..5.|
+00000280 e1 55 4c 32 cc ed 9d 3e 18 25 1d 31 b8 02 42 01 |.UL2...>.%.1..B.|
+00000290 dd d8 20 b1 12 a2 7d 3b 6b 40 f3 db 59 2b 33 db |.. ...};k@..Y+3.|
+000002a0 5f 85 4d b4 5f 6f 23 ae d2 a2 74 2b 22 94 60 51 |_.M._o#...t+".`Q|
+000002b0 75 aa 66 88 2f 5a db f5 91 b2 7c f4 c4 e9 25 fa |u.f./Z....|...%.|
+000002c0 f7 74 20 00 c3 08 22 8e 88 28 1c 72 4b 36 cd 03 |.t ..."..(.rK6..|
+000002d0 46 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 |F..........(....|
+000002e0 00 00 00 00 2c 30 d5 ee d2 79 8c 68 62 7a c7 36 |....,0...y.hbz.6|
+000002f0 ce c9 39 25 4b 6d 3e 59 7d 42 21 72 65 00 41 45 |..9%Km>Y}B!re.AE|
+00000300 ba 47 88 64 |.G.d|
>>> Flow 4 (server to client)
-00000000 14 03 03 00 01 01 16 03 03 00 28 09 ff 53 e8 0f |..........(..S..|
-00000010 ad 86 30 ca 96 54 da 72 45 13 7a cd 51 f6 b3 a5 |..0..T.rE.z.Q...|
-00000020 27 4c 7c 26 81 6d 76 6f 19 8e f3 13 77 49 59 73 |'L|&.mvo....wIYs|
-00000030 4e 98 3e |N.>|
+00000000 14 03 03 00 01 01 16 03 03 00 28 9c e9 30 06 da |..........(..0..|
+00000010 ef 89 4a 77 db 17 d4 51 79 36 c1 97 45 8a b0 c9 |..Jw...Qy6..E...|
+00000020 b7 d4 69 8d fc f2 5e 1a c8 e3 43 6c 7a b4 0a 40 |..i...^...Clz..@|
+00000030 ec 35 c9 |.5.|
>>> Flow 5 (client to server)
-00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 99 7b 4c |..............{L|
-00000010 1d 0a b1 89 0d ac fa a7 39 eb 9a ff 8f 06 60 d1 |........9.....`.|
-00000020 88 e8 ef 15 03 03 00 1a 00 00 00 00 00 00 00 02 |................|
-00000030 99 42 7f c8 35 79 f3 a0 10 5c 05 25 c1 ac ab aa |.B..5y...\.%....|
-00000040 d5 9e |..|
+00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 f2 3b 7e |..............;~|
+00000010 59 d0 c1 2f 93 f8 8a 48 8d e6 f4 54 70 63 4a 2d |Y../...H...TpcJ-|
+00000020 90 5d 9b 15 03 03 00 1a 00 00 00 00 00 00 00 02 |.]..............|
+00000030 42 1f 5c b2 d3 14 4d 6e 30 85 59 89 5a 34 80 00 |B.\...Mn0.Y.Z4..|
+00000040 fe ab |..|
diff --git a/src/crypto/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA b/src/crypto/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA
index 251e339..bd8f6cd 100644
--- a/src/crypto/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA
+++ b/src/crypto/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA
@@ -16,124 +16,124 @@
000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t|
>>> Flow 2 (server to client)
-00000000 16 03 03 00 7a 02 00 00 76 03 03 ce 38 98 c9 b7 |....z...v...8...|
-00000010 f8 67 af 0d 29 52 88 a4 d0 c2 a8 10 c4 8e 80 26 |.g..)R.........&|
-00000020 43 84 0e 60 06 ce f0 b7 b1 cd 29 20 00 00 00 00 |C..`......) ....|
+00000000 16 03 03 00 7a 02 00 00 76 03 03 85 46 7d 9f 55 |....z...v...F}.U|
+00000010 82 34 10 06 5e 8d 60 5d 00 9d 28 cd 18 c2 18 ee |.4..^.`]..(.....|
+00000020 cb 9a 63 ee 9a 30 7d 5d 87 3d 24 20 00 00 00 00 |..c..0}].=$ ....|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................|
-00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 aa |..+.....3.$... .|
-00000060 00 03 6d 16 04 54 48 55 4d f9 04 e8 29 ca 9c 5d |..m..THUM...)..]|
-00000070 14 94 a2 7a 2e 0a 4e 75 12 2d 63 cf 19 81 21 14 |...z..Nu.-c...!.|
-00000080 03 03 00 01 01 17 03 03 00 17 7b 90 e1 af 77 ca |..........{...w.|
-00000090 a1 3b a6 e0 9f ea 4b f6 3f 45 a0 78 1c fb af 51 |.;....K.?E.x...Q|
-000000a0 30 17 03 03 00 42 ff 27 8b 9c fd 65 d7 b1 d4 43 |0....B.'...e...C|
-000000b0 eb 8f c3 ca b4 57 be 35 35 75 35 cf 43 73 d6 14 |.....W.55u5.Cs..|
-000000c0 7e 2d b4 f8 31 60 1b 35 2a 38 91 32 40 8b f0 ab |~-..1`.5*8.2@...|
-000000d0 a8 b0 dc 2b db b9 63 92 28 dc f2 c2 95 d3 4a 63 |...+..c.(.....Jc|
-000000e0 69 e7 58 0c e5 9c d5 22 17 03 03 02 6d 7c 70 9b |i.X...."....m|p.|
-000000f0 e1 81 3a 0d 6e 7f 5c 30 2e 09 1d 82 ac 48 a6 7e |..:.n.\0.....H.~|
-00000100 03 ce d0 ce e2 e8 9e 8b 2b ee af 1a b1 6a 3a 27 |........+....j:'|
-00000110 04 53 73 d2 d4 28 68 19 96 3a 3d 89 df 2c e3 2b |.Ss..(h..:=..,.+|
-00000120 45 c8 5e 60 42 b0 4d f2 9c 8a 8d 83 f6 97 e0 b0 |E.^`B.M.........|
-00000130 02 39 37 46 2b 07 28 8b e8 d8 c2 e3 ba 58 9b dc |.97F+.(......X..|
-00000140 62 c4 e6 cb b4 97 f0 67 2b b3 40 4b 64 3e 73 3f |b......g+.@Kd>s?|
-00000150 a1 1f 6e fe 7f ba af 7d bd c4 7c 37 60 c0 94 d6 |..n....}..|7`...|
-00000160 bc 14 70 a9 95 a6 b7 88 9d 50 cf 9f 36 0c 38 c4 |..p......P..6.8.|
-00000170 97 ba ea 43 16 e8 fd 72 22 3c 09 4a 97 1c 97 70 |...C...r"<.J...p|
-00000180 88 6d d4 f3 9d b9 5a f3 67 f5 7b da 3e ed 1a 66 |.m....Z.g.{.>..f|
-00000190 4c 62 50 ff cd 92 08 d8 5c 2e 11 de ea 44 16 91 |LbP.....\....D..|
-000001a0 3e 44 d7 8c dd 2a b4 c7 2b 4d 40 a2 f9 7e 49 a9 |>D...*..+M@..~I.|
-000001b0 d8 51 a1 27 b3 34 75 59 04 04 cd 52 d6 37 34 e6 |.Q.'.4uY...R.74.|
-000001c0 41 32 36 45 c0 65 fb 5c e2 21 77 7f 35 db 9d 34 |A26E.e.\.!w.5..4|
-000001d0 0d 6e 9d a7 9e 00 ec e3 3e 9c 50 50 13 5b ad b9 |.n......>.PP.[..|
-000001e0 b3 47 44 f8 9b 12 ab 50 7f a7 df 35 c5 d6 78 3c |.GD....P...5..x<|
-000001f0 c1 04 41 db 99 18 cd 8c 05 3f 08 ae 2b 41 c9 46 |..A......?..+A.F|
-00000200 16 9a e3 a9 5b d3 9c 00 56 0e e2 d1 da 6d 6b 20 |....[...V....mk |
-00000210 65 1b 55 1f 4f b1 eb 94 c6 48 e3 50 d6 14 c5 62 |e.U.O....H.P...b|
-00000220 5e fc d2 cf df f4 68 90 c9 bb 80 54 f3 f3 a3 78 |^.....h....T...x|
-00000230 af 1f 6f ef e1 d5 64 24 04 e5 d4 59 bc 4d 7b a0 |..o...d$...Y.M{.|
-00000240 1a 23 e1 81 b7 c4 bb 52 86 f4 2a 85 d2 d0 7a ed |.#.....R..*...z.|
-00000250 c0 5d 27 07 4b df 52 c4 ea c8 c9 9c f0 48 35 71 |.]'.K.R......H5q|
-00000260 bd 04 65 65 47 e3 21 88 ff 08 6c 6a f3 6c dd 81 |..eeG.!...lj.l..|
-00000270 3f 50 21 66 34 49 07 a0 e0 6d 80 54 77 8b 27 81 |?P!f4I...m.Tw.'.|
-00000280 4f b9 59 60 0a b0 c7 00 6a 7b 26 33 f6 5e ad 37 |O.Y`....j{&3.^.7|
-00000290 bf ea 87 e4 3c e7 b8 20 b0 89 88 ac 5a a4 af f7 |....<.. ....Z...|
-000002a0 23 3c 0a d0 ab 74 fc 49 d2 e5 51 a7 a5 4e 21 5f |#<...t.I..Q..N!_|
-000002b0 90 9a 65 36 9f e1 e3 9e 3d 67 d6 93 f1 b8 f0 4b |..e6....=g.....K|
-000002c0 c6 d8 ca 50 fb cc 92 ab 47 b5 8c 21 02 4a ee 42 |...P....G..!.J.B|
-000002d0 35 a3 52 41 04 94 19 cd 23 c6 33 b0 84 0d 88 97 |5.RA....#.3.....|
-000002e0 5a e0 3e 4c 6d 99 ec 6d 11 3f 19 e7 77 60 3b de |Z.>Lm..m.?..w`;.|
-000002f0 6d 04 b8 ab bc 83 4f 51 a5 ba 56 56 d6 e3 ff 0e |m.....OQ..VV....|
-00000300 d5 4b 75 29 6a f9 4b c6 ef fd 62 25 89 76 f1 fd |.Ku)j.K...b%.v..|
-00000310 84 3f e9 93 63 cf eb 47 85 b1 aa a2 4c 94 6b 99 |.?..c..G....L.k.|
-00000320 98 6e 1a 19 85 0b 90 d2 9f 0f ec d4 36 1e 22 a0 |.n..........6.".|
-00000330 4e 7f a1 ae 90 15 68 8a 48 c5 06 01 aa b9 56 cb |N.....h.H.....V.|
-00000340 e0 62 53 d8 96 56 61 1d 81 96 b8 66 ae 94 c8 5f |.bS..Va....f..._|
-00000350 86 47 fe ca 27 8d 7f 8e f8 74 17 03 03 00 99 ac |.G..'....t......|
-00000360 2b 09 0b 44 a5 33 27 19 86 59 ca 75 5c df 59 fc |+..D.3'..Y.u\.Y.|
-00000370 34 57 08 11 4f d8 1a c6 7c 76 d5 0a 36 91 f2 3a |4W..O...|v..6..:|
-00000380 d1 96 58 64 29 3a d1 05 e3 cb 6f ea 92 4a f6 3b |..Xd):....o..J.;|
-00000390 54 4c 16 41 99 6e 0f e9 c3 9a ac a3 59 ee fa c9 |TL.A.n......Y...|
-000003a0 4d 58 ae 23 58 58 b5 b5 d6 6a dd b4 0c 24 bf e1 |MX.#XX...j...$..|
-000003b0 d4 16 53 f2 2d e1 78 d0 ea 70 59 ac a3 e4 e4 6f |..S.-.x..pY....o|
-000003c0 65 93 28 ad e1 64 83 11 05 42 a3 a0 11 d5 f2 af |e.(..d...B......|
-000003d0 7e 03 93 80 82 48 e0 84 2e 1c 50 98 65 22 49 f1 |~....H....P.e"I.|
-000003e0 df 41 03 83 b2 5c 1c 56 cb b7 f3 72 04 d6 09 cf |.A...\.V...r....|
-000003f0 f9 3a 5d e8 35 80 b6 a2 17 03 03 00 35 b4 b5 c3 |.:].5.......5...|
-00000400 43 78 3d e8 eb 66 7d 1c 36 8e a1 9f 26 ab 5a aa |Cx=..f}.6...&.Z.|
-00000410 63 b6 2f 7a a5 f6 7d 89 1e 5d c5 a1 bf b4 3b 4a |c./z..}..]....;J|
-00000420 89 1f 96 74 e3 c4 d8 72 57 a5 c7 99 a9 f3 77 16 |...t...rW.....w.|
-00000430 f3 25 |.%|
+00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 15 |..+.....3.$... .|
+00000060 b8 ae de 9d dc 14 58 fe 01 5d 08 ed 41 ac c6 c7 |......X..]..A...|
+00000070 85 fe b1 a3 ae b6 8c 47 f3 e1 4e c5 f8 8b 48 14 |.......G..N...H.|
+00000080 03 03 00 01 01 17 03 03 00 17 d6 72 35 0b 81 34 |...........r5..4|
+00000090 42 89 f1 9b 31 94 72 af 0c 3c 45 36 96 26 71 e8 |B...1.r..<E6.&q.|
+000000a0 86 17 03 03 00 42 47 ed 30 6f 20 53 07 4f b2 c1 |.....BG.0o S.O..|
+000000b0 35 49 fa 5b d9 af 6c 0b c3 71 7a f3 a8 5b 24 ba |5I.[..l..qz..[$.|
+000000c0 59 dd 34 b7 02 07 63 5d a1 ad ac 4c a2 58 e7 cd |Y.4...c]...L.X..|
+000000d0 6d f7 23 4e e1 a9 af 75 23 93 37 25 59 7e fb 52 |m.#N...u#.7%Y~.R|
+000000e0 65 a4 e7 ea 0a df a7 ce 17 03 03 02 6d e5 aa db |e...........m...|
+000000f0 1d 7e 55 0f b4 79 96 de 15 74 52 95 52 c8 ce d6 |.~U..y...tR.R...|
+00000100 85 a9 a8 6f 79 63 cf d7 3a 9e 38 d2 9d 0a 73 a0 |...oyc..:.8...s.|
+00000110 0b c3 f3 85 77 d3 63 16 9b 13 79 e6 61 96 08 57 |....w.c...y.a..W|
+00000120 ba 4a 64 b6 af 1a 98 22 a6 d9 20 82 2c 40 28 57 |.Jd....".. .,@(W|
+00000130 b8 95 d6 b4 94 46 8f 67 2d eb ee 02 74 d3 94 e7 |.....F.g-...t...|
+00000140 6e 5b 2f a9 7d a2 c2 aa 89 0c 43 c3 9d 92 6f 16 |n[/.}.....C...o.|
+00000150 27 84 d7 79 dd 4b 6a ed 9b fc cd d7 c0 c4 59 09 |'..y.Kj.......Y.|
+00000160 21 1f 83 67 e7 76 c8 ee bf f5 79 87 a0 bd 14 6d |!..g.v....y....m|
+00000170 db ac 06 04 c4 3b 3a a7 1e cb 22 d1 97 21 9d c2 |.....;:..."..!..|
+00000180 ee ed a8 41 f7 a0 6a a0 64 2f b0 0a 6f b7 78 b8 |...A..j.d/..o.x.|
+00000190 20 36 ed 7a e9 3c 26 cb 36 7d 3c ee 73 27 32 e7 | 6.z.<&.6}<.s'2.|
+000001a0 e7 fd 6e 27 d9 da ad 48 67 29 94 50 f5 0e 56 af |..n'...Hg).P..V.|
+000001b0 e4 c5 1d d3 59 a4 de 59 d7 79 7a f3 10 36 fb ed |....Y..Y.yz..6..|
+000001c0 b1 97 00 a4 dd 6e c2 65 19 0a 73 fe 2c 49 dc c5 |.....n.e..s.,I..|
+000001d0 df 19 53 c2 7e de 0b 2b 55 3d ca 0b 39 a4 77 c4 |..S.~..+U=..9.w.|
+000001e0 21 53 93 12 f0 9a 3a 3b 97 0c 93 80 50 23 80 9e |!S....:;....P#..|
+000001f0 84 2e ef 22 2b c1 b3 dd b1 55 38 76 9a d6 a6 f1 |..."+....U8v....|
+00000200 67 11 df d9 a0 8a 18 c6 68 ef d8 7b d7 36 4b 57 |g.......h..{.6KW|
+00000210 a7 bf 4e 77 a5 f6 4f 1e be 6e 14 40 67 73 1c 20 |..Nw..O..n.@gs. |
+00000220 9f 17 30 b6 76 00 87 56 8c 2b 76 5f 04 46 5a a1 |..0.v..V.+v_.FZ.|
+00000230 0f fa 64 b3 fa da 4e 72 eb a7 95 c3 93 de 97 20 |..d...Nr....... |
+00000240 2d ea 06 84 aa f0 b6 5a ac ea 64 06 2a 8c b0 eb |-......Z..d.*...|
+00000250 58 0a e8 51 e1 34 c4 03 38 9f f7 fb ec 98 78 07 |X..Q.4..8.....x.|
+00000260 71 73 ad a5 d7 d5 d1 2d 95 b6 4f 7c 5a ee d9 f1 |qs.....-..O|Z...|
+00000270 fa e3 7d ae bd 31 98 27 31 07 f2 86 cf e5 8d 2c |..}..1.'1......,|
+00000280 e8 55 40 69 b0 26 a3 51 e8 60 59 6f 66 bb 36 4f |.U@i.&.Q.`Yof.6O|
+00000290 85 fc 36 d1 72 99 9d e1 83 ad ec 3f e8 90 a8 48 |..6.r......?...H|
+000002a0 f5 d1 41 30 59 4e 44 79 e4 de 6f 0d 37 61 01 bb |..A0YNDy..o.7a..|
+000002b0 b8 7f ee c7 a2 35 c7 12 dc d3 ca 49 8d d9 3e d8 |.....5.....I..>.|
+000002c0 24 69 34 a4 8f 92 f2 77 61 cb b7 04 f8 02 25 9c |$i4....wa.....%.|
+000002d0 88 ea c7 f0 13 3e 17 bc ac 5a 80 c4 80 c6 b0 19 |.....>...Z......|
+000002e0 d3 73 b5 94 5a 27 df 08 05 23 6e 03 64 67 ab c8 |.s..Z'...#n.dg..|
+000002f0 63 7c 76 b3 92 39 ef 29 77 28 ec 6f 05 70 a6 2f |c|v..9.)w(.o.p./|
+00000300 a0 d2 73 fd f9 cc 4f d7 6f 86 db 9a 02 84 8c 6c |..s...O.o......l|
+00000310 39 3a 54 28 38 43 ca 0d da 34 b5 d4 03 0c f8 c1 |9:T(8C...4......|
+00000320 8d 48 d0 63 c7 41 da 4c db 0a 45 56 cf 6b 0b ca |.H.c.A.L..EV.k..|
+00000330 2f a3 82 6e 8e 90 6f 8a f2 41 33 c5 56 c5 15 bd |/..n..o..A3.V...|
+00000340 c2 02 45 41 7a e7 2b 0d 15 82 a7 37 34 ea 19 c2 |..EAz.+....74...|
+00000350 8b 1d d4 17 9c 2d d4 c0 9d f3 17 03 03 00 99 37 |.....-.........7|
+00000360 6a b2 6e 07 32 19 45 80 7b 80 ef 93 b3 6e c3 19 |j.n.2.E.{....n..|
+00000370 4d fe 3e e9 7f e4 b9 37 d2 b0 83 56 f7 2f 9b 61 |M.>....7...V./.a|
+00000380 67 a1 65 b4 38 4b a1 06 c5 4a 20 44 37 26 d0 2a |g.e.8K...J D7&.*|
+00000390 b7 96 1e 72 ef a8 5d fb 5a b8 ea 26 0e 4b 38 e0 |...r..].Z..&.K8.|
+000003a0 6a 3a ab 4a e3 b4 db 00 f8 30 e6 db 02 e4 cf 89 |j:.J.....0......|
+000003b0 5b 57 b8 b8 3e 0a 97 b4 61 9e 89 7d 76 b3 9f 51 |[W..>...a..}v..Q|
+000003c0 a0 b8 46 95 8b 2b b9 25 8e 39 29 f5 97 41 e6 f1 |..F..+.%.9)..A..|
+000003d0 f0 0c 8b 70 bc 63 a0 56 24 c0 fb 0d 44 7f d8 78 |...p.c.V$...D..x|
+000003e0 c0 d5 a2 b7 53 67 c5 6d 0f 37 25 3e dc 08 e2 50 |....Sg.m.7%>...P|
+000003f0 ca 28 c3 1b ec 28 26 0c 17 03 03 00 35 ef 63 88 |.(...(&.....5.c.|
+00000400 13 79 07 a1 28 af 88 6e 8c e4 ad b3 0a 28 2a ce |.y..(..n.....(*.|
+00000410 db 0f 63 8a 16 95 ab 0a 01 51 4f 28 79 15 78 00 |..c......QO(y.x.|
+00000420 f9 7a a6 40 1b 39 98 d8 8d df 1b b9 ab 82 b9 59 |.z.@.9.........Y|
+00000430 67 b9 |g.|
>>> Flow 3 (client to server)
-00000000 14 03 03 00 01 01 17 03 03 02 1e 2e 1c 18 ac 6e |...............n|
-00000010 bd d7 35 f8 21 6f 36 d7 13 94 53 3b 56 5d 03 8e |..5.!o6...S;V]..|
-00000020 2d 92 fa cb 17 d3 75 55 13 84 9c aa be f7 34 9e |-.....uU......4.|
-00000030 35 67 9b 90 bc 76 5d 65 c0 23 b0 04 d0 ba 15 b5 |5g...v]e.#......|
-00000040 30 70 4d 8d d2 38 73 0a 3a 58 c3 bc da a4 f5 ae |0pM..8s.:X......|
-00000050 05 ee 0c 06 bd 06 fe ab 1b 31 cf 4d 46 63 cc ee |.........1.MFc..|
-00000060 8f 8a 0d e9 32 50 4d a0 f6 f2 ce c5 be 41 c2 16 |....2PM......A..|
-00000070 a7 c3 b3 8a 5c 27 4a fd 37 2d 32 d9 76 25 27 12 |....\'J.7-2.v%'.|
-00000080 03 b9 e7 ef bc c8 59 e1 16 80 dc b2 16 ae 05 b6 |......Y.........|
-00000090 cf 8e 99 0d f8 ed 5a b1 bb c1 05 d5 35 fe fd 2d |......Z.....5..-|
-000000a0 97 c6 19 d8 2d 1a a9 30 d1 4a 6d 27 45 93 5f 5d |....-..0.Jm'E._]|
-000000b0 45 f4 98 a8 d8 88 27 8f f2 ad 1e 24 6e c8 8f 12 |E.....'....$n...|
-000000c0 f7 32 b5 3d 3c e3 e0 32 56 4e 80 a8 5f 27 f0 d0 |.2.=<..2VN.._'..|
-000000d0 a1 c2 d0 22 2d 3a 36 0f bd 7b 94 9f ca 8d c1 ea |..."-:6..{......|
-000000e0 c6 1f d8 87 4a 75 bd 3e 0f ae 2f e1 78 ae 3f 00 |....Ju.>../.x.?.|
-000000f0 f4 3a 82 dd ec 3f 61 43 bf 4b f8 01 a3 32 df 13 |.:...?aC.K...2..|
-00000100 61 45 ca bb e0 9a 17 85 45 90 c6 fb 5d 79 1b 58 |aE......E...]y.X|
-00000110 54 ca 84 e9 a9 11 c4 74 82 f7 da e4 b3 4f 05 a1 |T......t.....O..|
-00000120 23 72 9f 63 b8 4c 55 e6 da 33 b9 1c b0 fe 28 72 |#r.c.LU..3....(r|
-00000130 f0 02 b6 ec 70 ae 27 d4 21 51 32 56 32 4e e7 7d |....p.'.!Q2V2N.}|
-00000140 b8 0d 75 25 45 5c 68 83 4f e3 3e 8a 87 7c 06 81 |..u%E\h.O.>..|..|
-00000150 ac ff 23 44 0e bd e7 0a 76 64 45 c4 04 df 35 db |..#D....vdE...5.|
-00000160 ab 8a 38 87 f5 e5 35 75 7a 92 85 3d 14 9e aa 19 |..8...5uz..=....|
-00000170 4d 94 25 8f c0 c3 37 ca 63 f3 dd 48 4a 6a 6b f5 |M.%...7.c..HJjk.|
-00000180 fa 52 67 30 ab ff 56 9f 58 bd cd 66 d4 83 85 d8 |.Rg0..V.X..f....|
-00000190 85 6c 6d 3c 56 e5 17 75 fc dc a7 3d ed 18 a1 3b |.lm<V..u...=...;|
-000001a0 6c e6 54 95 75 38 77 77 90 34 81 cb 1c cb e9 04 |l.T.u8ww.4......|
-000001b0 c8 d2 12 04 36 a8 9b f6 9b 6a 81 8d f5 b1 e2 ca |....6....j......|
-000001c0 31 37 27 f2 84 bd 5c 3a 1c 6c 64 83 35 94 89 ee |17'...\:.ld.5...|
-000001d0 08 42 1d 05 52 67 e6 4d 7f bb d2 21 82 8c 15 6b |.B..Rg.M...!...k|
-000001e0 e9 f9 6d bc b3 1f 5a df b8 55 aa 9d f6 aa d2 7c |..m...Z..U.....||
-000001f0 41 76 3b 1b b2 f5 b8 49 32 be bb f8 0e d3 74 be |Av;....I2.....t.|
-00000200 eb 0d 9b e2 57 b6 ec e5 61 d7 09 80 a8 63 b4 cf |....W...a....c..|
-00000210 bb 0a 14 9d 39 1c 08 58 22 c4 ae d5 4f 42 97 14 |....9..X"...OB..|
-00000220 71 e1 c0 a5 5e 8e 2f 89 27 17 03 03 00 a3 f0 96 |q...^./.'.......|
-00000230 d3 9e 8c 19 84 9a 42 d3 84 64 a6 89 40 6f d6 c9 |......B..d..@o..|
-00000240 50 90 bb 9d 16 90 9d fb aa 85 28 ab 25 63 78 a9 |P.........(.%cx.|
-00000250 dd dc 35 03 73 08 26 2b 30 53 84 f8 74 66 f2 6f |..5.s.&+0S..tf.o|
-00000260 d7 0a f0 e2 c4 10 a4 46 cf 77 ea cb b7 b7 a9 81 |.......F.w......|
-00000270 5f 09 4a 6a a5 16 a4 79 dc b0 c9 ae 5a ff 2a 7b |_.Jj...y....Z.*{|
-00000280 3f bd 7a 15 b3 02 ad 3e 90 37 46 51 71 fc 6d d0 |?.z....>.7FQq.m.|
-00000290 9f 38 42 95 1a 88 ac 5f 83 a1 8a 59 59 62 cc 4a |.8B...._...YYb.J|
-000002a0 57 d2 3e 1e 7e 1d c0 4d 41 23 85 5f 92 f4 63 16 |W.>.~..MA#._..c.|
-000002b0 df df 6e 3d d7 c1 e6 21 22 0f e1 13 82 29 a6 e3 |..n=...!"....)..|
-000002c0 f8 8c a4 a3 72 1d 61 c1 2a 9d a8 2d 13 8a 4f 87 |....r.a.*..-..O.|
-000002d0 91 17 03 03 00 35 9d 35 c8 ac 1e c6 46 8d e1 42 |.....5.5....F..B|
-000002e0 68 e5 79 77 64 15 e2 13 c0 70 1a 47 59 d0 1e c3 |h.ywd....p.GY...|
-000002f0 68 f7 5a fe 11 a2 3d e4 6e 2c b5 7d ea 98 e7 75 |h.Z...=.n,.}...u|
-00000300 7c 54 a4 35 9b 1f c9 ba 72 b1 94 17 03 03 00 17 ||T.5....r.......|
-00000310 a3 81 17 ac 97 a9 f0 91 b5 7a 04 38 ff fd 8e d3 |.........z.8....|
-00000320 d8 7b c4 40 7e d3 ea 17 03 03 00 13 a8 b1 06 94 |.{.@~...........|
-00000330 90 83 62 d5 be a8 23 d5 8b af 77 0d 90 13 98 |..b...#...w....|
+00000000 14 03 03 00 01 01 17 03 03 02 1e ad ee 84 48 28 |..............H(|
+00000010 bb dc e6 01 81 4c b3 55 85 2a 73 3a 34 d6 6b 3a |.....L.U.*s:4.k:|
+00000020 c6 e7 6b da e8 97 dc 13 72 9c d4 03 e2 fc ec e0 |..k.....r.......|
+00000030 0b 00 09 a9 3c 85 19 79 80 a3 fc da 39 b1 13 90 |....<..y....9...|
+00000040 3e 0c be 19 5a be a9 ac a5 46 a0 07 79 74 be 59 |>...Z....F..yt.Y|
+00000050 18 23 55 79 c0 29 3f 8c 37 d6 21 0c 64 57 4c f0 |.#Uy.)?.7.!.dWL.|
+00000060 a1 34 e0 52 f7 e5 3c af 48 b4 82 78 bd be 7c 90 |.4.R..<.H..x..|.|
+00000070 df 0e f3 46 84 6a e2 bb 88 aa 9a a0 ce 04 de 2b |...F.j.........+|
+00000080 b3 17 78 e1 a0 bb 65 7f c5 b3 a6 45 13 c6 11 e1 |..x...e....E....|
+00000090 e2 b4 ec 80 43 80 b6 a5 12 58 ac 5e 30 d3 a0 61 |....C....X.^0..a|
+000000a0 60 c2 90 36 aa 82 f7 ff 55 aa 4e 25 b3 29 5d 41 |`..6....U.N%.)]A|
+000000b0 67 4e 9c d4 f1 1d 55 f1 29 54 13 25 3c 04 41 8f |gN....U.)T.%<.A.|
+000000c0 6b 9d 95 06 3f 04 84 55 dd 43 7a fb 9f 73 ff df |k...?..U.Cz..s..|
+000000d0 3b da 12 3b 97 36 fa 51 0b ca c7 0b fb 6a 09 dd |;..;.6.Q.....j..|
+000000e0 61 2a df 79 b3 66 90 45 76 3c 2b c6 98 42 5a 82 |a*.y.f.Ev<+..BZ.|
+000000f0 0e 93 cf 6f 2b 60 e4 66 67 ad 43 66 73 d2 8c 94 |...o+`.fg.Cfs...|
+00000100 7f 7a 97 d5 a1 8b 07 63 44 cb 51 18 ac 2a af 19 |.z.....cD.Q..*..|
+00000110 66 df ab 18 6f 2a bf fc 7a fa 64 52 c4 1e 91 71 |f...o*..z.dR...q|
+00000120 f1 f7 7f 79 e1 ed 07 3a e1 08 07 d3 db 4d 74 76 |...y...:.....Mtv|
+00000130 db fa b9 b4 68 e3 d8 e7 8d ad 49 a7 1d 6d 7e 4e |....h.....I..m~N|
+00000140 3a 6a d2 9a c3 b0 72 61 bb 72 b8 8d 98 58 6e 2e |:j....ra.r...Xn.|
+00000150 20 f8 ab 4a df 96 c7 6c fe 33 5b 76 b0 80 26 34 | ..J...l.3[v..&4|
+00000160 b9 5c 9a 79 50 d7 6a 29 25 11 20 4e 3c b6 a7 73 |.\.yP.j)%. N<..s|
+00000170 64 55 a6 8e 57 22 4a 98 5e 14 95 21 ff 8d 3f 05 |dU..W"J.^..!..?.|
+00000180 eb d9 30 8e f1 a3 56 3a d8 6d 6e 07 de a2 62 ec |..0...V:.mn...b.|
+00000190 e4 06 bb 96 ae a3 23 d0 bd fd c7 f3 ee 2f 21 3f |......#....../!?|
+000001a0 8f 25 7a 4a fb 47 cf 78 db 74 35 c8 67 e6 f0 99 |.%zJ.G.x.t5.g...|
+000001b0 39 4e 1f 50 1a bc 64 2e ae 8e b5 38 63 06 86 5a |9N.P..d....8c..Z|
+000001c0 2b 1b b5 b9 a1 18 58 24 32 ce c9 de 66 ba 21 b3 |+.....X$2...f.!.|
+000001d0 d8 0f fa 3a 88 ac 6e 66 57 2c 45 5b 59 85 d4 b0 |...:..nfW,E[Y...|
+000001e0 ad 32 8c ef 0c 2a 51 1a cc ca 6a 82 3e 70 41 cc |.2...*Q...j.>pA.|
+000001f0 b8 80 db a0 48 22 47 49 a1 a5 d2 9a 80 dc 09 bc |....H"GI........|
+00000200 c8 c7 dd 53 4b 44 2f 9a 75 06 b7 31 5e fd 74 f5 |...SKD/.u..1^.t.|
+00000210 d4 53 e2 90 dc b7 9a 13 ca 00 96 56 a1 1b dd 71 |.S.........V...q|
+00000220 54 25 77 fa 42 31 95 dd ba 17 03 03 00 a3 9e 23 |T%w.B1.........#|
+00000230 96 bb c9 d5 30 f7 f4 a3 4c 33 a4 bd 2b 09 93 f5 |....0...L3..+...|
+00000240 04 02 a7 d7 9d 2e 00 5e 18 bc 18 de 1b 94 28 51 |.......^......(Q|
+00000250 4b cd 2c 15 0e 75 b1 59 12 96 8f eb cb b5 a4 4a |K.,..u.Y.......J|
+00000260 ea c2 e0 1d 28 72 4b 8f 62 d3 7d f0 2f f1 c4 de |....(rK.b.}./...|
+00000270 6a 6e dc 9c 43 80 c8 ae 99 86 97 de 67 58 d6 4c |jn..C.......gX.L|
+00000280 91 74 dc c3 23 a5 32 9b df f5 1e 64 15 04 7d df |.t..#.2....d..}.|
+00000290 12 e4 40 52 77 5c a3 26 de 20 b6 92 a5 d8 18 cf |..@Rw\.&. ......|
+000002a0 63 7e 9e 47 b8 ed db ee b7 9d b6 1c e5 c0 ad 7f |c~.G............|
+000002b0 d6 07 89 d8 b3 a0 2e 87 b9 81 0d 44 37 c2 c5 13 |...........D7...|
+000002c0 cc cb 70 87 e3 49 6e eb 66 79 76 37 4a f1 c4 4e |..p..In.fyv7J..N|
+000002d0 82 17 03 03 00 35 52 42 2a a8 a5 7a eb 5f 32 d5 |.....5RB*..z._2.|
+000002e0 68 71 42 8b ce 62 f0 48 43 0b 0f b8 8c ed 16 f4 |hqB..b.HC.......|
+000002f0 64 7e d3 74 57 9d 83 00 ad bc 9b f8 ed bb 23 35 |d~.tW.........#5|
+00000300 07 e9 7c b2 a1 d6 76 d0 f5 ba 15 17 03 03 00 17 |..|...v.........|
+00000310 e2 3f a0 cb 23 fe 4c f1 aa cb 21 70 74 46 4f 10 |.?..#.L...!ptFO.|
+00000320 30 76 0a 72 49 09 65 17 03 03 00 13 ee 7b 9d 32 |0v.rI.e......{.2|
+00000330 ac d4 8a 40 99 1b 0a 23 f7 a4 c6 a6 ef 33 77 |...@...#.....3w|
diff --git a/src/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES b/src/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES
index 1132b39..c8f11ea 100644
--- a/src/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES
@@ -1,11 +1,10 @@
>>> Flow 1 (client to server)
-00000000 16 03 01 00 63 01 00 00 5f 03 01 38 de f5 d6 ae |....c..._..8....|
-00000010 46 71 e8 02 f2 45 88 b8 64 fb 6e 68 67 d1 7f e8 |Fq...E..d.nhg...|
-00000020 49 71 1e a9 ec 8e 54 06 bb 2b 16 00 00 04 c0 0a |Iq....T..+......|
-00000030 00 ff 01 00 00 32 00 00 00 0e 00 0c 00 00 09 31 |.....2.........1|
-00000040 32 37 2e 30 2e 30 2e 31 00 0b 00 04 03 00 01 02 |27.0.0.1........|
-00000050 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 |................|
-00000060 00 16 00 00 00 17 00 00 |........|
+00000000 16 03 01 00 51 01 00 00 4d 03 01 8a c0 af 21 2c |....Q...M.....!,|
+00000010 ff 48 d6 fd 10 92 4a 8c 84 c7 9e c3 90 3a f5 bf |.H....J......:..|
+00000020 cd 36 1b 2f 96 8b 13 86 f1 ff 5e 00 00 04 c0 0a |.6./......^.....|
+00000030 00 ff 01 00 00 20 00 0b 00 04 03 00 01 02 00 0a |..... ..........|
+00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................|
+00000050 00 00 00 17 00 00 |......|
>>> Flow 2 (server to client)
00000000 16 03 01 00 37 02 00 00 33 03 01 00 00 00 00 00 |....7...3.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
@@ -44,37 +43,37 @@
00000220 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 2e dd d7 11 |.....7z..z......|
00000230 69 7f 85 7c 56 de fb 31 78 2b e4 c7 78 0d ae cb |i..|V..1x+..x...|
00000240 be 9e 4e 36 24 31 7b 6a 0f 39 95 12 07 8f 2a 16 |..N6$1{j.9....*.|
-00000250 03 01 00 b5 0c 00 00 b1 03 00 1d 20 2f e5 7d a3 |........... /.}.|
+00000250 03 01 00 b4 0c 00 00 b0 03 00 1d 20 2f e5 7d a3 |........... /.}.|
00000260 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...|
-00000270 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 00 8b 30 81 |......._X.;t..0.|
-00000280 88 02 42 01 ad 26 fd 16 9a 93 5f 87 ce 29 8c d2 |..B..&...._..)..|
-00000290 56 a7 d2 59 56 bd d3 1f 90 54 bd af 91 81 25 ff |V..YV....T....%.|
-000002a0 66 74 57 16 2f 31 f2 5a 48 97 03 b9 41 4c 8e bb |ftW./1.ZH...AL..|
-000002b0 87 31 ed 71 84 37 63 78 9f 0a c7 9d 5e f3 5a 53 |.1.q.7cx....^.ZS|
-000002c0 88 89 46 ba a7 02 42 00 92 74 15 1c 0e 1f 2f 95 |..F...B..t..../.|
-000002d0 e5 79 d5 e9 90 ce d8 96 0d fd b8 42 55 00 94 08 |.y.........BU...|
-000002e0 4e 47 a9 ea bd 67 0b 02 a6 9e 8b d3 09 e5 53 ea |NG...g........S.|
-000002f0 03 22 2e 2d 78 2c 69 1d 28 ab 13 3d 0a 46 15 09 |.".-x,i.(..=.F..|
-00000300 b6 0b 74 69 2d 5a 96 bf b6 16 03 01 00 04 0e 00 |..ti-Z..........|
-00000310 00 00 |..|
+00000270 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 00 8a 30 81 |......._X.;t..0.|
+00000280 87 02 42 01 ea 1b 6f 67 3e cd 57 50 12 78 5a db |..B...og>.WP.xZ.|
+00000290 06 12 77 04 9d df 0c b0 98 4b a7 e8 23 fb ad 46 |..w......K..#..F|
+000002a0 ef 9b 99 d3 02 4b 46 51 c4 49 2a ae 29 b4 a7 e5 |.....KFQ.I*.)...|
+000002b0 08 d0 db ce 28 af 21 43 37 d4 29 03 00 e3 5f 50 |....(.!C7.)..._P|
+000002c0 35 cd 0a 3f 9d 02 41 35 05 7c a0 ed 81 23 98 38 |5..?..A5.|...#.8|
+000002d0 af 2c 12 8f 59 94 77 c7 56 ef 0b db 60 d0 5b 72 |.,..Y.w.V...`.[r|
+000002e0 9e fd 2a 6c ea 1d af cb ce 5b df 34 52 2a 4b 38 |..*l.....[.4R*K8|
+000002f0 48 81 2c 39 76 61 58 19 80 1b e0 eb fb 53 35 94 |H.,9vaX......S5.|
+00000300 55 ba a6 2b a2 b3 50 b4 16 03 01 00 04 0e 00 00 |U..+..P.........|
+00000310 00 |.|
>>> Flow 3 (client to server)
-00000000 16 03 01 00 25 10 00 00 21 20 82 c0 dd 83 c2 45 |....%...! .....E|
-00000010 a2 bc 3a 2a ec ab 60 8e 02 e0 db 7c 59 83 c1 62 |..:*..`....|Y..b|
-00000020 c7 cc 61 1e de dc 40 e4 65 6c 14 03 01 00 01 01 |..a...@.el......|
-00000030 16 03 01 00 30 3e 26 56 0b a2 10 47 00 55 27 21 |....0>&V...G.U'!|
-00000040 63 33 f2 7d 4b ba 77 5f e7 a7 09 7a 1f 51 85 f2 |c3.}K.w_...z.Q..|
-00000050 46 a5 af 80 79 1a c7 72 bb 3d f9 dd 1d 83 05 22 |F...y..r.=....."|
-00000060 c9 6c dd 91 d9 |.l...|
+00000000 16 03 01 00 25 10 00 00 21 20 29 f2 f2 54 f4 ff |....%...! )..T..|
+00000010 59 de df ab 55 18 04 cd 8c 27 28 7e 11 11 09 84 |Y...U....'(~....|
+00000020 18 e1 0f 09 70 f8 d7 13 a1 38 14 03 01 00 01 01 |....p....8......|
+00000030 16 03 01 00 30 d8 40 dc 30 cb d6 25 de 23 01 84 |....0.@.0..%.#..|
+00000040 30 75 1c 17 bd f3 fe 7e b4 cd 61 f3 55 c4 30 55 |0u.....~..a.U.0U|
+00000050 ee 43 6f f0 6b a7 0a ed 88 d9 d4 72 7c c7 c6 c7 |.Co.k......r|...|
+00000060 4d 2f 7b 9f 9b |M/{..|
>>> Flow 4 (server to client)
-00000000 14 03 01 00 01 01 16 03 01 00 30 38 fa fd 42 8f |..........08..B.|
-00000010 80 5a 7c 33 d4 6c 72 f7 4e 2f 00 ab c2 86 58 9d |.Z|3.lr.N/....X.|
-00000020 fc a5 43 fa ea 5b a1 ee a9 df df 9d 90 4c c0 e3 |..C..[.......L..|
-00000030 10 09 c4 23 21 f9 e9 69 f5 f8 fa 17 03 01 00 20 |...#!..i....... |
-00000040 1e 57 17 e4 96 06 32 d4 00 a3 98 ed bd 1c 61 78 |.W....2.......ax|
-00000050 e7 0d 89 ec 84 c3 56 fa 75 73 87 6f 47 35 80 3f |......V.us.oG5.?|
-00000060 17 03 01 00 30 4d 51 0a dd 70 6d b0 c2 d1 46 5c |....0MQ..pm...F\|
-00000070 b5 03 87 de e6 65 d3 e2 83 e0 33 f8 a2 0a 29 7f |.....e....3...).|
-00000080 6c 24 2b 1f 7b 2b 53 19 21 e9 62 6c 31 75 9c be |l$+.{+S.!.bl1u..|
-00000090 5b b0 3d 5b 1a 15 03 01 00 20 19 51 64 4b 5a 9b |[.=[..... .QdKZ.|
-000000a0 c8 2a 1c e7 9e 29 d9 df ad 1d 08 09 82 a3 b1 1d |.*...)..........|
-000000b0 60 99 00 25 30 51 a1 72 b6 27 |`..%0Q.r.'|
+00000000 14 03 01 00 01 01 16 03 01 00 30 60 b7 c0 a3 ba |..........0`....|
+00000010 ad dd 52 99 15 7a f2 9e 10 21 02 7c 91 6d cf c9 |..R..z...!.|.m..|
+00000020 09 ab fe 9c b3 46 46 60 1c 24 66 3f b6 14 b1 51 |.....FF`.$f?...Q|
+00000030 ac 05 75 48 03 c1 e0 3a c2 6d 5e 17 03 01 00 20 |..uH...:.m^.... |
+00000040 82 87 18 81 c3 24 55 8f 9c a3 49 fc 8a 8a 7a fe |.....$U...I...z.|
+00000050 93 05 c9 7e 90 73 a4 b1 0a d7 3b 7d 72 1f fc 6c |...~.s....;}r..l|
+00000060 17 03 01 00 30 1f 51 a5 44 2e 7a 40 12 43 28 c6 |....0.Q.D.z@.C(.|
+00000070 99 05 6d 92 d9 ed 0d f2 fb a7 48 a3 03 e9 34 b1 |..m.......H...4.|
+00000080 52 32 e1 be a9 7e bf b1 0e 1f b4 1c 3e 0a 9d d9 |R2...~......>...|
+00000090 90 10 4f 79 dd 15 03 01 00 20 57 98 fd dd 09 f9 |..Oy..... W.....|
+000000a0 c5 d9 33 24 1a b2 ed 56 ad 91 c9 25 2f ff ff 09 |..3$...V...%/...|
+000000b0 dc b0 2c 38 cc 70 1f cc 6f f4 |..,8.p..o.|
diff --git a/src/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES b/src/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES
index d7e6188..62f4311 100644
--- a/src/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES
@@ -1,14 +1,13 @@
>>> Flow 1 (client to server)
-00000000 16 03 01 00 97 01 00 00 93 03 03 86 3b 10 1e 5f |............;.._|
-00000010 81 eb 21 bd 77 47 61 e9 3f 82 85 14 91 8c ab 7d |..!.wGa.?......}|
-00000020 84 bd b1 f0 06 20 8a 7b 06 d6 78 00 00 04 c0 0a |..... .{..x.....|
-00000030 00 ff 01 00 00 66 00 00 00 0e 00 0c 00 00 09 31 |.....f.........1|
-00000040 32 37 2e 30 2e 30 2e 31 00 0b 00 04 03 00 01 02 |27.0.0.1........|
-00000050 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 |................|
-00000060 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 |...........0....|
-00000070 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 |................|
-00000080 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 01 |................|
-00000090 02 01 03 02 02 02 04 02 05 02 06 02 |............|
+00000000 16 03 01 00 85 01 00 00 81 03 03 20 34 f0 4b 7a |........... 4.Kz|
+00000010 4f ed 31 de 38 ef 33 2e 69 7d 74 35 e5 02 b9 bb |O.1.8.3.i}t5....|
+00000020 bd 1a 5c 3a f2 57 f1 23 62 66 52 00 00 04 c0 0a |..\:.W.#bfR.....|
+00000030 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a |.....T..........|
+00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................|
+00000050 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 |.........0......|
+00000060 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................|
+00000070 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................|
+00000080 03 02 02 02 04 02 05 02 06 02 |..........|
>>> Flow 2 (server to client)
00000000 16 03 03 00 37 02 00 00 33 03 03 00 00 00 00 00 |....7...3.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
@@ -47,39 +46,39 @@
00000220 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 2e dd d7 11 |.....7z..z......|
00000230 69 7f 85 7c 56 de fb 31 78 2b e4 c7 78 0d ae cb |i..|V..1x+..x...|
00000240 be 9e 4e 36 24 31 7b 6a 0f 39 95 12 07 8f 2a 16 |..N6$1{j.9....*.|
-00000250 03 03 00 b7 0c 00 00 b3 03 00 1d 20 2f e5 7d a3 |........... /.}.|
+00000250 03 03 00 b6 0c 00 00 b2 03 00 1d 20 2f e5 7d a3 |........... /.}.|
00000260 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...|
-00000270 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 04 03 00 8b |......._X.;t....|
-00000280 30 81 88 02 42 01 c5 d1 36 97 5b 0e 5e a6 90 50 |0...B...6.[.^..P|
-00000290 a0 2e 80 b5 df d7 5a f6 95 0d a4 c6 f0 da 2e e7 |......Z.........|
-000002a0 91 79 9f 85 2e ef ca 66 3c f7 c4 7b bd 61 70 bb |.y.....f<..{.ap.|
-000002b0 16 c5 aa 00 35 33 ae 58 00 b3 f1 fe 0f 77 52 23 |....53.X.....wR#|
-000002c0 f4 40 ba 4b c7 e5 43 02 42 01 64 af ab 8a 87 38 |.@.K..C.B.d....8|
-000002d0 a1 7f b8 ae 84 0e a4 ff ad 16 09 44 0b 65 67 70 |...........D.egp|
-000002e0 12 7f 1a 37 9a 1d 5e b7 3b 63 df f9 6b f1 b9 ba |...7..^.;c..k...|
-000002f0 6b 35 8f b3 03 da 3d 61 00 3d 4e 75 b4 d0 92 d5 |k5....=a.=Nu....|
-00000300 ee 50 9d d7 f9 26 69 e6 ec cf 3b 16 03 03 00 04 |.P...&i...;.....|
-00000310 0e 00 00 00 |....|
+00000270 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 04 03 00 8a |......._X.;t....|
+00000280 30 81 87 02 41 21 2b cf 6b fc 8a 13 b6 21 8a 46 |0...A!+.k....!.F|
+00000290 fc 7c 56 7e 28 22 4d b2 c2 c8 45 92 cc 99 6a 3c |.|V~("M...E...j<|
+000002a0 48 0f 16 95 6c 43 3d ea bd ac 25 88 a3 35 0c 14 |H...lC=...%..5..|
+000002b0 c6 43 46 16 ec b5 57 76 86 1c 5a d1 52 44 3b 8c |.CF...Wv..Z.RD;.|
+000002c0 e5 b3 46 3b 47 d8 02 42 01 ad a2 c3 4c 69 35 13 |..F;G..B....Li5.|
+000002d0 d7 66 37 63 c9 43 50 68 f6 ff 7f 7d be 7e 8d 89 |.f7c.CPh...}.~..|
+000002e0 db 57 3e 0f 51 c8 49 9b 3a e2 87 65 dd 28 21 9a |.W>.Q.I.:..e.(!.|
+000002f0 c3 36 28 a4 e8 25 7b ae 8e 45 35 22 8f 2d 97 27 |.6(..%{..E5".-.'|
+00000300 fe b8 99 a9 c1 5f d8 8b 70 d3 16 03 03 00 04 0e |....._..p.......|
+00000310 00 00 00 |...|
>>> Flow 3 (client to server)
-00000000 16 03 03 00 25 10 00 00 21 20 54 db 5b a1 4c e0 |....%...! T.[.L.|
-00000010 0e 52 a2 45 e3 b4 ac 91 3d e1 de a9 3e eb 80 9e |.R.E....=...>...|
-00000020 f5 04 7b fc 82 10 2f d9 d1 41 14 03 03 00 01 01 |..{.../..A......|
-00000030 16 03 03 00 40 47 68 cc 5e 68 3f 05 d6 f8 5c 11 |....@Gh.^h?...\.|
-00000040 08 a3 91 72 ae 4c 98 67 2f 45 ee 16 6b 8b 2d 28 |...r.L.g/E..k.-(|
-00000050 15 34 43 47 f9 46 f2 96 c2 85 d5 cc 03 e0 84 de |.4CG.F..........|
-00000060 9c 03 fe bf c9 73 23 15 d0 0f 85 3a 76 db 9f 5d |.....s#....:v..]|
-00000070 95 b7 de 9c c2 |.....|
+00000000 16 03 03 00 25 10 00 00 21 20 c4 25 45 6f 39 18 |....%...! .%Eo9.|
+00000010 b1 f6 0a b3 f7 3e 98 ed 63 ae bd 74 12 91 0d 81 |.....>..c..t....|
+00000020 84 71 13 3c a7 cf a5 d2 24 5f 14 03 03 00 01 01 |.q.<....$_......|
+00000030 16 03 03 00 40 27 8d 44 74 7a ae 8a 4e 1c f9 1b |....@'.Dtz..N...|
+00000040 05 23 c4 89 57 27 4c dc db 4a ae aa 08 74 00 55 |.#..W'L..J...t.U|
+00000050 f9 4e 63 02 75 24 ca fb 30 78 cc 82 8a 69 be ab |.Nc.u$..0x...i..|
+00000060 10 9d 25 2d a8 b6 bb 64 6e 32 68 4b 0a 32 06 74 |..%-...dn2hK.2.t|
+00000070 26 5e bc 68 25 |&^.h%|
>>> Flow 4 (server to client)
00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....|
-00000010 00 00 00 00 00 00 00 00 00 00 00 98 34 52 f3 44 |............4R.D|
-00000020 18 69 23 61 ef 8f e9 c0 88 9c ad 1f cb e4 8d 55 |.i#a...........U|
-00000030 bd bb 77 9c 65 9d 21 f0 54 4c 46 db 4f e6 e8 ab |..w.e.!.TLF.O...|
-00000040 6b 1d 60 38 7f e0 2c 38 ef e7 43 17 03 03 00 40 |k.`8..,8..C....@|
+00000010 00 00 00 00 00 00 00 00 00 00 00 b0 cf 70 b3 00 |.............p..|
+00000020 89 e2 77 af 87 08 f5 2f 2c c8 75 ce 8a ed 30 d8 |..w..../,.u...0.|
+00000030 f7 44 f3 9d 8b 4c 42 7a 52 d0 c8 37 9b 45 46 1c |.D...LBzR..7.EF.|
+00000040 56 3b ee 52 5d c4 72 04 13 49 aa 17 03 03 00 40 |V;.R].r..I.....@|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-00000060 44 68 90 07 1e 8c 7f db 3e 3f 8c 28 e1 d7 41 38 |Dh......>?.(..A8|
-00000070 e2 78 04 e3 42 c2 a9 76 bb 0a ae b9 93 df 81 d7 |.x..B..v........|
-00000080 9b 0f 1d 44 19 79 ff 7c 21 8f 75 ca e2 82 cc c4 |...D.y.|!.u.....|
+00000060 ce c4 34 c2 d8 4e f5 db d1 ff 6d 64 ae 39 6d 78 |..4..N....md.9mx|
+00000070 3c c4 57 32 d1 af 35 d3 b4 79 3c b4 bd a1 21 7b |<.W2..5..y<...!{|
+00000080 1f ef b8 3c 97 37 18 e5 10 62 e8 3d 7d 12 f5 db |...<.7...b.=}...|
00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........|
-000000a0 00 00 00 00 00 82 1f e6 2c 3f c7 55 19 01 0b 62 |........,?.U...b|
-000000b0 1a 99 fc f8 d3 b0 38 21 41 92 1a d1 e0 43 96 da |......8!A....C..|
-000000c0 80 4b 58 91 c8 |.KX..|
+000000a0 00 00 00 00 00 81 75 ae 71 18 61 61 ae 35 ce c8 |......u.q.aa.5..|
+000000b0 43 57 52 c9 68 5e 0d 63 c4 0e 7d 36 90 b2 f6 f6 |CWR.h^.c..}6....|
+000000c0 ea 72 3c d9 41 |.r<.A|
diff --git a/src/crypto/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES b/src/crypto/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES
index d2b0250..22909cc 100644
--- a/src/crypto/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES
+++ b/src/crypto/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES
@@ -1,96 +1,94 @@
>>> Flow 1 (client to server)
-00000000 16 03 01 00 dc 01 00 00 d8 03 03 90 bc cf 62 d0 |..............b.|
-00000010 bc 89 6b 84 ad 18 87 f5 9c 96 0e 02 3f ae a5 4b |..k.........?..K|
-00000020 80 70 f8 54 47 b1 78 03 48 4d 06 20 ae 9e 3c 17 |.p.TG.x.HM. ..<.|
-00000030 1a c6 fa 52 84 da ea a9 9c 08 e7 10 65 3a 65 4e |...R........e:eN|
-00000040 d1 65 61 40 bf 7c ee db d4 f2 73 ff 00 04 13 01 |.ea@.|....s.....|
-00000050 00 ff 01 00 00 8b 00 00 00 0e 00 0c 00 00 09 31 |...............1|
-00000060 32 37 2e 30 2e 30 2e 31 00 0b 00 04 03 00 01 02 |27.0.0.1........|
-00000070 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 |................|
-00000080 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 |................|
-00000090 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 |................|
-000000a0 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 |...........+....|
-000000b0 04 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 |..-.....3.&.$...|
-000000c0 20 ad 11 a7 07 20 9c cb 33 96 f4 0d 78 a1 89 55 | .... ..3...x..U|
-000000d0 6c af 70 f4 ac d6 cb d9 0d 1b 13 fa 50 de 68 17 |l.p.........P.h.|
-000000e0 1d |.|
+00000000 16 03 01 00 ca 01 00 00 c6 03 03 30 09 bc 8e d5 |...........0....|
+00000010 59 36 2b f3 2b 0f 9d 32 ff 23 ba c7 4a 1f 50 e6 |Y6+.+..2.#..J.P.|
+00000020 32 bd 0e c3 f6 df b7 70 dc d5 0c 20 44 0e b7 7b |2......p... D..{|
+00000030 a0 37 9f 1d 8d 7e 93 f7 c0 7d 25 d3 f8 e5 65 50 |.7...~...}%...eP|
+00000040 79 5e 4f 53 e5 67 40 f0 bf ad 4d f8 00 04 13 01 |y^OS.g@...M.....|
+00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........|
+00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................|
+00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................|
+00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................|
+00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......|
+000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 23 |-.....3.&.$... #|
+000000b0 23 ab 76 3d e8 d5 1b 9f 03 71 bc bf 3d 18 3a 86 |#.v=.....q..=.:.|
+000000c0 5d 59 ee ac b9 0a 2f f6 fc 5d 13 7b 3e 88 68 |]Y..../..].{>.h|
>>> Flow 2 (server to client)
00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......|
00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
-00000020 00 00 00 00 00 00 00 00 00 00 00 20 ae 9e 3c 17 |........... ..<.|
-00000030 1a c6 fa 52 84 da ea a9 9c 08 e7 10 65 3a 65 4e |...R........e:eN|
-00000040 d1 65 61 40 bf 7c ee db d4 f2 73 ff 13 01 00 00 |.ea@.|....s.....|
+00000020 00 00 00 00 00 00 00 00 00 00 00 20 44 0e b7 7b |........... D..{|
+00000030 a0 37 9f 1d 8d 7e 93 f7 c0 7d 25 d3 f8 e5 65 50 |.7...~...}%...eP|
+00000040 79 5e 4f 53 e5 67 40 f0 bf ad 4d f8 13 01 00 00 |y^OS.g@...M.....|
00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /|
00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0|
00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.|
-00000080 03 03 00 01 01 17 03 03 00 17 f1 16 14 8f 0a b5 |................|
-00000090 92 fa 55 d7 fb 6c 33 04 ae c6 ed 3b 90 27 e9 ae |..U..l3....;.'..|
-000000a0 e8 17 03 03 02 22 ca b1 97 19 9d da 2e 1d 12 f4 |....."..........|
-000000b0 05 af 35 28 1e 85 9d 28 81 f0 5a 83 46 9c df f7 |..5(...(..Z.F...|
-000000c0 58 2e 30 fa b9 07 00 cf fe 69 37 5e f2 75 a0 ef |X.0......i7^.u..|
-000000d0 f3 ab 60 0b c5 09 72 bd b4 42 2f 45 24 3e 82 d0 |..`...r..B/E$>..|
-000000e0 f1 a1 dd 3a de 6a b9 9d 85 2b 83 75 47 c9 d2 c3 |...:.j...+.uG...|
-000000f0 25 91 85 c2 a1 97 6a 62 dd aa 19 11 94 e2 6b f9 |%.....jb......k.|
-00000100 7d 5a bc 5e d4 64 bc 74 44 85 d1 7a eb 3a ef d5 |}Z.^.d.tD..z.:..|
-00000110 96 f4 22 64 61 2b 79 77 ac 8b 61 69 cc eb ad fd |.."da+yw..ai....|
-00000120 38 5e 61 74 d9 4f 70 82 06 3b 3e f8 a8 53 7c e8 |8^at.Op..;>..S|.|
-00000130 9d 98 43 a1 af 86 ba d9 64 64 f0 e0 b0 8f 39 6b |..C.....dd....9k|
-00000140 16 d6 92 09 8d 5b d0 34 f4 14 60 69 a0 28 73 3a |.....[.4..`i.(s:|
-00000150 24 7f 81 4e 8b d1 50 49 1a c0 60 92 fd 02 47 6d |$..N..PI..`...Gm|
-00000160 d8 97 62 b2 b4 57 8b d7 d1 b6 bf 19 40 cb 13 09 |..b..W......@...|
-00000170 ef d6 55 66 39 88 29 e0 14 2d 06 98 d6 b6 bf a6 |..Uf9.)..-......|
-00000180 04 10 47 d5 64 fe 38 69 db 33 a4 fc 12 de 83 5b |..G.d.8i.3.....[|
-00000190 c9 8e 76 56 bc f7 dd ac 96 c6 a0 ed e5 43 0b 13 |..vV.........C..|
-000001a0 1e 78 94 18 fd 57 50 79 08 91 18 aa 84 63 4e 46 |.x...WPy.....cNF|
-000001b0 53 db e0 f3 9a 0b d6 13 20 36 aa 56 dd 7a 62 d9 |S....... 6.V.zb.|
-000001c0 3f f6 bd 87 74 3c 86 d1 94 a1 04 79 a8 54 e4 8e |?...t<.....y.T..|
-000001d0 11 d6 52 42 5c 4b 77 18 b9 d7 db f7 48 9a 69 e1 |..RB\Kw.....H.i.|
-000001e0 2d b9 38 38 e4 e8 94 5e b1 7e 2c 81 96 6a a0 ed |-.88...^.~,..j..|
-000001f0 bb 35 6a 8c 93 f2 6d 38 70 df 79 54 d9 45 c8 b8 |.5j...m8p.yT.E..|
-00000200 b2 9c 0f 9f 70 34 8f ac b3 08 f5 3e b1 d2 5a d7 |....p4.....>..Z.|
-00000210 7b ee f3 dc 9a d1 12 c3 77 24 76 9b bf 09 50 a7 |{.......w$v...P.|
-00000220 3c ab 7f 1f 99 b5 02 8c ac 5e 85 cc 53 fd ca e0 |<........^..S...|
-00000230 c7 e2 41 08 fd cb b0 79 0c 8b 02 4f 80 92 c2 cd |..A....y...O....|
-00000240 6c a1 aa 75 d2 4c d1 25 40 7c 14 41 a7 15 20 a3 |l..u.L.%@|.A.. .|
-00000250 a6 81 64 7c c0 c7 2d dd 82 84 ad 2a f4 06 f9 61 |..d|..-....*...a|
-00000260 23 1c dd c6 ef 72 da 6b eb be 41 f0 b4 5f 9a 02 |#....r.k..A.._..|
-00000270 ee a8 f3 bb 05 48 ec 50 a3 ff f3 94 bb d8 a9 6d |.....H.P.......m|
-00000280 92 49 7c bf a1 eb 55 26 08 26 d3 80 d6 cb 05 ea |.I|...U&.&......|
-00000290 d1 db bf 97 3d 10 ff 4e f6 05 33 23 68 95 31 42 |....=..N..3#h.1B|
-000002a0 5a d5 30 61 79 c4 88 7f e1 be 28 ad 72 bb 78 36 |Z.0ay.....(.r.x6|
-000002b0 ba bb 38 75 fb 97 33 b6 28 8c a2 f4 46 fe 37 d8 |..8u..3.(...F.7.|
-000002c0 b0 67 63 97 c1 51 0c 61 17 03 03 00 a4 20 15 70 |.gc..Q.a..... .p|
-000002d0 7a 69 b1 33 c2 e1 f5 9c 2b b2 06 1e 01 a6 7f 03 |zi.3....+.......|
-000002e0 cd 00 13 02 3b 0c 2b 3f 85 d8 ed 6d 81 7e e9 b2 |....;.+?...m.~..|
-000002f0 b6 be 7b 77 51 30 dd b5 fc 93 08 91 9e 46 e2 85 |..{wQ0.......F..|
-00000300 74 3c 9a 04 26 86 b8 6c 98 99 57 7e 36 54 0d 90 |t<..&..l..W~6T..|
-00000310 4c 55 65 77 69 59 b2 e5 5b a3 19 4a b0 72 3d 91 |LUewiY..[..J.r=.|
-00000320 2e 5d 9b 8c 52 a1 e6 f5 22 c6 3c 0d 9b d8 9c b9 |.]..R...".<.....|
-00000330 cb 90 51 bc 16 69 06 30 22 16 62 08 3b 3f 05 99 |..Q..i.0".b.;?..|
-00000340 60 2a cc cf 29 f5 e1 b0 84 81 c8 63 00 d4 d4 13 |`*..)......c....|
-00000350 b5 5d 4c 63 8a 60 3e 44 24 03 30 85 91 4c 3d f2 |.]Lc.`>D$.0..L=.|
-00000360 2c c2 78 f2 c3 4c bb 90 60 0b 66 18 02 e7 5c 85 |,.x..L..`.f...\.|
-00000370 19 17 03 03 00 35 49 76 5f ff 32 3a 09 7a 4b f2 |.....5Iv_.2:.zK.|
-00000380 fe f3 38 b6 76 f4 12 f2 aa a3 ed b6 02 ab 0b b9 |..8.v...........|
-00000390 3b 9d 00 51 f1 5c 96 23 6b 49 f8 32 9f 74 30 32 |;..Q.\.#kI.2.t02|
-000003a0 4d af af ef d5 55 2c ff 2b a0 45 17 03 03 00 93 |M....U,.+.E.....|
-000003b0 6e e0 6a f9 44 af c0 af 95 ab 1e ff fd 97 38 f5 |n.j.D.........8.|
-000003c0 7b 24 70 da e2 4e 8b dc 9b 49 84 fe 73 0a b0 7e |{$p..N...I..s..~|
-000003d0 cf 14 f7 8a 67 e7 74 bd ee 82 93 c6 27 a2 bd 1e |....g.t.....'...|
-000003e0 cb 71 06 af 65 dd f0 d9 91 81 b0 f8 21 34 48 d1 |.q..e.......!4H.|
-000003f0 c4 e0 e3 19 a8 b4 48 b7 3a be 52 e5 7c a8 a3 c2 |......H.:.R.|...|
-00000400 08 6c ac 66 4d 36 cf a1 9d 1f 72 c5 09 20 db 05 |.l.fM6....r.. ..|
-00000410 e5 0a 44 af 4a d8 32 38 19 7d 28 e3 05 23 99 66 |..D.J.28.}(..#.f|
-00000420 f6 ad 77 02 7e 00 67 c1 71 58 b9 89 3c 93 15 95 |..w.~.g.qX..<...|
-00000430 ee 38 e2 ea c0 73 fe da e4 75 6d 38 ca 54 0b bf |.8...s...um8.T..|
-00000440 f0 af 86 |...|
+00000080 03 03 00 01 01 17 03 03 00 17 2a db 0a 1b 36 73 |..........*...6s|
+00000090 de 3d 2f d9 c8 c0 2b 93 43 b3 a8 96 30 d2 bc 3d |.=/...+.C...0..=|
+000000a0 f7 17 03 03 02 22 72 49 cc 6d 9e 7f f5 42 1c 8b |....."rI.m...B..|
+000000b0 8a 0e 1b ad 71 f4 21 50 be ad 91 df e0 d4 a0 dc |....q.!P........|
+000000c0 61 d2 eb 6a 39 f1 8d 31 66 9f 97 d9 b2 79 bf 10 |a..j9..1f....y..|
+000000d0 cc e1 2a 7f da 9f ff 10 22 a8 0b d6 26 c9 7c a4 |..*....."...&.|.|
+000000e0 51 8d a7 62 af 96 ec 01 72 7b 08 27 9f ff 1d a6 |Q..b....r{.'....|
+000000f0 26 54 6e 48 09 73 ac 7c b2 bc a5 04 4e a2 41 66 |&TnH.s.|....N.Af|
+00000100 37 07 dd 7f 0d 8b 5b fa 84 a4 12 8b 44 9b b3 44 |7.....[.....D..D|
+00000110 71 bb 3a ce 95 8b a1 c5 e2 9f d2 86 0b 2b b2 43 |q.:..........+.C|
+00000120 aa 24 4c 69 0f c8 e8 7d ff 53 2a 56 e8 dd 53 bf |.$Li...}.S*V..S.|
+00000130 1b a7 fa 74 f2 c3 3d fa 11 b4 30 ce c0 9b 05 a5 |...t..=...0.....|
+00000140 13 b9 d1 1d a7 02 0a a6 36 31 b5 91 1f 5e 7f 65 |........61...^.e|
+00000150 24 48 3c ec fa d3 db 11 31 d1 c3 cd 47 b2 89 95 |$H<.....1...G...|
+00000160 80 55 25 1a 66 bf d9 ba 42 05 1d 20 b3 6e 09 bc |.U%.f...B.. .n..|
+00000170 5f 1d 81 15 b2 54 c6 65 7e 75 35 e7 54 60 28 e1 |_....T.e~u5.T`(.|
+00000180 15 0e ee 51 09 3c c1 5b ba 90 2e af 0a 85 40 0a |...Q.<.[......@.|
+00000190 de 78 c8 c9 15 75 61 1f 75 a2 5c 80 d5 ed a5 71 |.x...ua.u.\....q|
+000001a0 a7 d8 21 f3 9c 84 f5 af b1 5c 45 76 de a7 05 20 |..!......\Ev... |
+000001b0 7f c4 c4 71 b1 68 e0 a2 17 7f ac f8 c4 80 a8 89 |...q.h..........|
+000001c0 e8 35 68 ae 98 cf 2d 29 4e dc 84 45 21 d3 bb 0a |.5h...-)N..E!...|
+000001d0 d8 c9 e1 41 48 b2 a8 53 31 5c 26 d0 28 9e 8e df |...AH..S1\&.(...|
+000001e0 72 f2 ef f7 78 3d 7e b9 09 0c a4 e8 3e c5 a5 f6 |r...x=~.....>...|
+000001f0 e3 aa 32 1d da 98 7b 0a f1 0a 42 f6 71 92 45 01 |..2...{...B.q.E.|
+00000200 e4 28 f3 c6 0f a2 cf c3 74 3b 09 f5 75 51 8e fa |.(......t;..uQ..|
+00000210 6c 12 9e 80 2b 0a 87 fb 29 3d 0d a6 c4 7b c8 42 |l...+...)=...{.B|
+00000220 75 57 48 b3 78 20 2c b3 a1 d7 b7 6f 95 18 a2 bc |uWH.x ,....o....|
+00000230 fd c9 22 d3 49 ae 5b 2a ec b1 1a ff cd 38 3a bf |..".I.[*.....8:.|
+00000240 45 e8 a8 fe 39 d5 f8 a2 89 73 7f 8f 2c 65 8a e6 |E...9....s..,e..|
+00000250 b7 20 f7 c9 5c 02 ea 33 4f f6 fc 68 2f d6 a0 d9 |. ..\..3O..h/...|
+00000260 73 10 38 35 ba d8 74 2d cf 05 07 ee d4 fc 09 89 |s.85..t-........|
+00000270 0b 77 72 61 74 1f 16 8d 1f 29 3b 20 8d ef 99 b8 |.wrat....); ....|
+00000280 3d 80 24 5a 1d 32 9b 2e 50 4c 35 7e 4f c9 bc a7 |=.$Z.2..PL5~O...|
+00000290 6e ae 26 42 fb 4e c3 a8 7c 77 b4 c5 4c 1b 3a db |n.&B.N..|w..L.:.|
+000002a0 cc 3f 44 fe ae d7 3f 42 5f ee 05 6a 1d 72 98 0e |.?D...?B_..j.r..|
+000002b0 db 97 3c 11 06 c7 9e 5b 03 95 e0 52 09 54 39 b1 |..<....[...R.T9.|
+000002c0 13 19 f3 98 6c ed e3 ab 17 03 03 00 a3 49 60 43 |....l........I`C|
+000002d0 34 81 d3 6f fe c4 eb ac 49 64 51 9f 22 81 03 41 |4..o....IdQ."..A|
+000002e0 fd bc 4f 41 78 59 81 8a 82 b5 c3 06 79 8d d4 b2 |..OAxY......y...|
+000002f0 8b 9f 08 2b 09 ae 88 7d bd 87 6a 40 19 b8 c7 1b |...+...}..j@....|
+00000300 e1 55 69 8d 47 7a 49 66 fe 22 1f 95 c7 b5 15 ce |.Ui.GzIf."......|
+00000310 6b d6 5b 37 45 57 72 ba 5f a3 62 49 13 80 b9 47 |k.[7EWr._.bI...G|
+00000320 9c e3 ce 6e a0 40 03 7d 41 4e 41 0d 21 ee e4 f6 |...n.@.}ANA.!...|
+00000330 71 74 12 48 1e d1 b2 80 82 b0 bf ff 07 61 04 82 |qt.H.........a..|
+00000340 db 4b 00 a1 11 97 48 1b 9b 13 b3 0e 5b 7f 99 f3 |.K....H.....[...|
+00000350 6f c1 a0 2f 41 d9 e2 30 f9 fa 0b 8a ef 6d d1 e1 |o../A..0.....m..|
+00000360 30 3d 07 5a 8a ef 8b a1 2b 44 c5 58 0d 3f 13 d7 |0=.Z....+D.X.?..|
+00000370 17 03 03 00 35 a2 fb e8 71 06 77 fa 70 66 75 01 |....5...q.w.pfu.|
+00000380 0a a0 d7 49 20 f0 8a f0 ea bf 79 20 68 46 02 43 |...I .....y hF.C|
+00000390 3c b9 cc c9 5f 1d c7 80 d8 58 f5 e3 94 6e 85 02 |<..._....X...n..|
+000003a0 c8 b2 4e a1 a2 43 b8 8d ae 89 17 03 03 00 93 4a |..N..C.........J|
+000003b0 dd 6b 37 b9 20 fa 51 b2 e2 60 a1 8e 08 40 bf c6 |.k7. .Q..`...@..|
+000003c0 25 22 9a 26 3a ec 35 aa f2 26 9c bc 39 05 91 7b |%".&:.5..&..9..{|
+000003d0 81 45 18 8d f7 f4 29 88 76 43 a8 63 e3 d3 59 d7 |.E....).vC.c..Y.|
+000003e0 2d 67 b3 4d 2f 6d c6 62 cf fd ac ed d6 80 04 57 |-g.M/m.b.......W|
+000003f0 b3 ac af 59 ce 35 43 94 1d 97 8c 2d 8d 89 b1 a7 |...Y.5C....-....|
+00000400 90 76 89 ec e4 0a 8f a9 9b 8d 22 02 8b 87 55 a4 |.v........"...U.|
+00000410 9b 55 da 85 a6 06 47 63 4c a2 1c 96 eb e1 77 35 |.U....GcL.....w5|
+00000420 71 0d 7e e5 78 ab 25 da ee 5e ae 07 a9 ed 44 3a |q.~.x.%..^....D:|
+00000430 75 ff 5c 4f 4e e5 01 27 7f 9e eb 63 db e2 85 70 |u.\ON..'...c...p|
+00000440 fc 99 |..|
>>> Flow 3 (client to server)
-00000000 14 03 03 00 01 01 17 03 03 00 35 23 02 12 13 f1 |..........5#....|
-00000010 db fa 70 c0 92 85 8a d3 fa 80 1b 5c a6 22 ff 20 |..p........\.". |
-00000020 5d bf 1d 61 58 34 c0 48 6f e1 26 a6 bf bc 76 c7 |]..aX4.Ho.&...v.|
-00000030 8b da ee 54 64 30 c4 5c b1 61 67 82 29 bb 3f 4b |...Td0.\.ag.).?K|
+00000000 14 03 03 00 01 01 17 03 03 00 35 8c c8 26 94 66 |..........5..&.f|
+00000010 2e fd e0 4e bf b8 77 9d 12 d9 f6 9c 1b 15 c4 f1 |...N..w.........|
+00000020 39 f8 91 27 16 0c 34 ef 33 46 22 4e 19 d6 d0 d2 |9..'..4.3F"N....|
+00000030 ef 6b 57 91 f8 e4 17 fe f9 ec f4 f1 ce c0 44 26 |.kW...........D&|
>>> Flow 4 (server to client)
-00000000 17 03 03 00 1e 95 c0 53 e2 37 94 09 83 1e 7e 23 |.......S.7....~#|
-00000010 dc 9f 02 5e 91 19 b6 f9 72 0d 38 3f 25 ae b2 5f |...^....r.8?%.._|
-00000020 4b f2 78 17 03 03 00 13 d2 ad 73 d6 f3 21 ab 7c |K.x.......s..!.||
-00000030 02 dd 63 ff cf d7 34 ca 71 3d 70 |..c...4.q=p|
+00000000 17 03 03 00 1e ab 4d 1a 04 59 10 8b ef f9 b5 8a |......M..Y......|
+00000010 62 34 91 4e f9 cd 93 8c 7a 6d be d6 72 42 ad 45 |b4.N....zm..rB.E|
+00000020 21 f5 4e 17 03 03 00 13 1e bf bd 27 1a ad ab 1f |!.N........'....|
+00000030 32 f5 99 95 dc 34 e3 eb 9c c1 1c |2....4.....|