From 1188641a16ced0c393e0a397c2283ee70a7f1905 Mon Sep 17 00:00:00 2001
From: Sergey Frolov <sergey.frolov@colorado.edu>
Date: Sat, 9 Feb 2019 19:31:35 -0700
Subject: [PATCH] Correctly handle HelloRetryRequest

---
 handshake_client.go                           |   2 +
 handshake_client_tls13.go                     |  63 ++++++
 ...nt-TLSv13-UTLS-HelloRetryRequest-Chrome-70 | 181 ++++++++++++++++++
 u_conn.go                                     |   6 +-
 u_conn_test.go                                |  17 ++
 u_public.go                                   |  12 +-
 u_tls_extensions.go                           |  28 +++
 7 files changed, 307 insertions(+), 2 deletions(-)
 create mode 100644 testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70

diff --git a/handshake_client.go b/handshake_client.go
index b88030a..8f919c2 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -29,6 +29,8 @@ type clientHandshakeState struct {
 	finishedHash finishedHash
 	masterSecret []byte
 	session      *ClientSessionState
+
+	uconn *UConn // [UTLS]
 }
 
 func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go
index cee9a00..8292478 100644
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@@ -33,6 +33,8 @@ type clientHandshakeStateTLS13 struct {
 	transcript    hash.Hash
 	masterSecret  []byte
 	trafficSecret []byte // client_application_traffic_secret_0
+
+	uconn *UConn // [UTLS]
 }
 
 // handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheParams, and,
@@ -251,6 +253,67 @@ func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error {
 		}
 	}
 
+	// [UTLS SECTION BEGINS]
+	// crypto/tls code above this point had changed crypto/tls structures in accordance with HRR, and is about
+	// to call default marshaller.
+	// Instead, we fill uTLS-specific structs and call uTLS marshaller.
+	// Only extensionCookie, extensionPreSharedKey, extensionKeyShare, extensionEarlyData, extensionSupportedVersions,
+	// and utlsExtensionPadding are supposed to change
+	if hs.uconn != nil {
+		if hs.uconn.clientHelloID != HelloGolang {
+			if len(hs.hello.pskIdentities) > 0 {
+				// TODO: wait for someone who cares about PSK to implement
+				return errors.New("uTLS does not support reprocessing of PSK key triggered by HelloRetryRequest")
+			}
+
+			keyShareExtFound := false
+			for _, ext := range hs.uconn.Extensions {
+				// new ks seems to be generated either way
+				if ks, ok := ext.(*KeyShareExtension); ok {
+					ks.KeyShares = keyShares(hs.hello.keyShares).ToPublic()
+					keyShareExtFound = true
+				}
+			}
+			if !keyShareExtFound {
+				return errors.New("uTLS: received HelloRetryRequest, but keyshare not found among client's " +
+					"uconn.Extensions")
+			}
+
+			if len(hs.serverHello.cookie) > 0 {
+				// serverHello specified a cookie, let's echo it
+				cookieFound := false
+				for _, ext := range hs.uconn.Extensions {
+					if ks, ok := ext.(*CookieExtension); ok {
+						ks.Cookie = hs.serverHello.cookie
+						cookieFound = true
+					}
+				}
+
+				if !cookieFound {
+					// pick a random index where to add cookieExtension
+					// -2 instead of -1 is a lazy way to ensure that PSK is still a last extension
+					cookieIndex, err := getRandInt(len(hs.uconn.Extensions) - 2)
+					if err != nil {
+						return err
+					}
+					if cookieIndex >= len(hs.uconn.Extensions) {
+						// this check is for empty hs.uconn.Extensions
+						return fmt.Errorf("cookieIndex >= len(hs.uconn.Extensions): %v >= %v",
+							cookieIndex, len(hs.uconn.Extensions))
+					}
+					hs.uconn.Extensions = append(hs.uconn.Extensions[:cookieIndex],
+						append([]TLSExtension{&CookieExtension{Cookie: hs.serverHello.cookie}},
+							hs.uconn.Extensions[cookieIndex:]...)...)
+				}
+			}
+			if err = hs.uconn.MarshalClientHello(); err != nil {
+				return err
+			}
+			hs.hello.raw = hs.uconn.HandshakeState.Hello.Raw
+		}
+	}
+	// [UTLS SECTION ENDS]
+
 	hs.transcript.Write(hs.hello.marshal())
 	if _, err := c.writeRecord(recordTypeHandshake, hs.hello.marshal()); err != nil {
 		return err
diff --git a/testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70 b/testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70
new file mode 100644
index 0000000..af33801
--- /dev/null
+++ b/testdata/Client-TLSv13-UTLS-HelloRetryRequest-Chrome-70
@@ -0,0 +1,181 @@
+>>> Flow 1 (client to server)
+00000000  16 03 01 02 00 01 00 01  fc 03 03 00 00 00 00 00  |................|
+00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
+00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 22 0a 0a  |............."..|
+00000050  13 01 13 02 13 03 c0 2b  c0 2f c0 2c c0 30 cc a9  |.......+./.,.0..|
+00000060  cc a8 c0 13 c0 14 00 9c  00 9d 00 2f 00 35 00 0a  |.........../.5..|
+00000070  01 00 01 91 0a 0a 00 00  ff 01 00 01 00 00 00 00  |................|
+00000080  05 00 03 00 00 00 00 17  00 00 00 23 00 00 00 0d  |...........#....|
+00000090  00 14 00 12 04 03 08 04  04 01 05 03 08 05 05 01  |................|
+000000a0  08 06 06 01 02 01 00 05  00 05 01 00 00 00 00 00  |................|
+000000b0  12 00 00 00 10 00 0e 00  0c 02 68 32 08 68 74 74  |..........h2.htt|
+000000c0  70 2f 31 2e 31 75 50 00  00 00 0b 00 02 01 00 00  |p/1.1uP.........|
+000000d0  33 00 2b 00 29 0a 0a 00  01 00 00 1d 00 20 2f e5  |3.+.)........ /.|
+000000e0  7d a3 47 cd 62 43 15 28  da ac 5f bb 29 07 30 ff  |}.G.bC.(.._.).0.|
+000000f0  f6 84 af c4 cf c2 ed 90  99 5f 58 cb 3b 74 00 2d  |........._X.;t.-|
+00000100  00 02 01 01 00 2b 00 0b  0a 0a 0a 03 04 03 03 03  |.....+..........|
+00000110  02 03 01 00 0a 00 0a 00  08 0a 0a 00 1d 00 17 00  |................|
+00000120  18 00 1b 00 03 02 00 02  1a 1a 00 01 00 00 15 00  |................|
+00000130  d4 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000140  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000150  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000200  00 00 00 00 00                                    |.....|
+>>> Flow 2 (server to client)
+00000000  16 03 03 00 58 02 00 00  54 03 03 cf 21 ad 74 e5  |....X...T...!.t.|
+00000010  9a 61 11 be 1d 8c 02 1e  65 b8 91 c2 a2 11 16 7a  |.a......e......z|
+00000020  bb 8c 5e 07 9e 09 e2 c8  a8 33 9c 20 00 00 00 00  |..^......3. ....|
+00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 13 01 00 00  |................|
+00000050  0c 00 2b 00 02 03 04 00  33 00 02 00 17 14 03 03  |..+.....3.......|
+00000060  00 01 01                                          |...|
+>>> Flow 3 (client to server)
+00000000  14 03 03 00 01 01 16 03  03 02 00 01 00 01 fc 03  |................|
+00000010  03 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000030  00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |. ..............|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000050  00 00 00 22 0a 0a 13 01  13 02 13 03 c0 2b c0 2f  |...".........+./|
+00000060  c0 2c c0 30 cc a9 cc a8  c0 13 c0 14 00 9c 00 9d  |.,.0............|
+00000070  00 2f 00 35 00 0a 01 00  01 91 0a 0a 00 00 ff 01  |./.5............|
+00000080  00 01 00 00 00 00 05 00  03 00 00 00 00 17 00 00  |................|
+00000090  00 23 00 00 00 0d 00 14  00 12 04 03 08 04 04 01  |.#..............|
+000000a0  05 03 08 05 05 01 08 06  06 01 02 01 00 05 00 05  |................|
+000000b0  01 00 00 00 00 00 12 00  00 00 10 00 0e 00 0c 02  |................|
+000000c0  68 32 08 68 74 74 70 2f  31 2e 31 75 50 00 00 00  |h2.http/1.1uP...|
+000000d0  0b 00 02 01 00 00 33 00  47 00 45 00 17 00 41 04  |......3.G.E...A.|
+000000e0  1e 18 37 ef 0d 19 51 88  35 75 71 b5 e5 54 5b 12  |..7...Q.5uq..T[.|
+000000f0  2e 8f 09 67 fd a7 24 20  3e b2 56 1c ce 97 28 5e  |...g..$ >.V...(^|
+00000100  f8 2b 2d 4f 9e f1 07 9f  6c 4b 5b 83 56 e2 32 42  |.+-O....lK[.V.2B|
+00000110  e9 58 b6 d7 49 a6 b5 68  1a 41 03 56 6b dc 5a 89  |.X..I..h.A.Vk.Z.|
+00000120  00 2d 00 02 01 01 00 2b  00 0b 0a 0a 0a 03 04 03  |.-.....+........|
+00000130  03 03 02 03 01 00 0a 00  0a 00 08 0a 0a 00 1d 00  |................|
+00000140  17 00 18 00 1b 00 03 02  00 02 1a 1a 00 01 00 00  |................|
+00000150  15 00 b8 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000160  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000170  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000180  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000190  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001c0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+000001f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000200  00 00 00 00 00 00 00 00  00 00 00                 |...........|
+>>> Flow 4 (server to client)
+00000000  16 03 03 00 9b 02 00 00  97 03 03 ae 07 28 f1 a3  |.............(..|
+00000010  39 96 a7 38 99 f8 a5 25  6d 14 56 a1 f4 3b 65 b7  |9..8...%m.V..;e.|
+00000020  5b dc 16 a8 0f bc 29 73  60 50 4e 20 00 00 00 00  |[.....)s`PN ....|
+00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
+00000040  00 00 00 00 00 00 00 00  00 00 00 00 13 01 00 00  |................|
+00000050  4f 00 2b 00 02 03 04 00  33 00 45 00 17 00 41 04  |O.+.....3.E...A.|
+00000060  92 f1 80 7f 0f 5c 8a 9d  9c 5c d6 f1 1d 39 66 d9  |.....\...\...9f.|
+00000070  03 be c3 72 b9 92 43 90  90 15 b4 1f 02 0d ee 37  |...r..C........7|
+00000080  b4 21 ab bd bb 71 84 3c  55 5b 8b cb c3 fc 15 50  |.!...q.<U[.....P|
+00000090  a7 33 3b c9 97 3d f0 f9  be 5a 48 a5 e4 9d 4d cc  |.3;..=...ZH...M.|
+000000a0  17 03 03 00 17 e7 7d 13  54 c7 0a aa 33 45 80 5d  |......}.T...3E.]|
+000000b0  5f 58 c9 0b ca e7 ac 58  d0 8a e8 37 17 03 03 02  |_X.....X...7....|
+000000c0  6d 73 95 78 a2 69 03 17  92 b7 7a dd 7f 85 59 af  |ms.x.i....z...Y.|
+000000d0  55 28 93 0a 07 46 90 38  c4 d6 e5 0e 24 67 a0 68  |U(...F.8....$g.h|
+000000e0  17 50 05 16 fb f2 26 74  29 27 52 95 ee 9e ca f0  |.P....&t)'R.....|
+000000f0  41 77 55 a5 05 ed 50 79  7a 0f ca cc 67 1e 1f e9  |AwU...Pyz...g...|
+00000100  31 48 85 ae f8 6f d2 8e  f9 48 38 2d 7c 54 b4 23  |1H...o...H8-|T.#|
+00000110  52 d8 9a fd 69 d9 9b 12  0c 38 77 14 41 2d 43 bd  |R...i....8w.A-C.|
+00000120  9d 26 31 c0 bc 2e 9a ee  b3 5e f4 df 89 8c 0f 7d  |.&1......^.....}|
+00000130  c7 fd 80 42 a0 34 4a 5b  15 09 b6 d8 74 d8 85 36  |...B.4J[....t..6|
+00000140  d0 83 ee 02 4f f4 1c 12  c2 9b 0d b7 51 48 ff 50  |....O.......QH.P|
+00000150  05 8e bc a9 51 4c 9c e1  ec 81 31 0e 87 39 92 78  |....QL....1..9.x|
+00000160  6d 36 62 c3 38 8b a6 10  f5 9a da d4 13 f6 1a 48  |m6b.8..........H|
+00000170  a1 96 88 75 a6 d0 c8 99  8f ce 24 62 b2 20 fd e1  |...u......$b. ..|
+00000180  0f d4 49 dc b9 2a b7 85  39 15 41 a8 18 99 7e 1f  |..I..*..9.A...~.|
+00000190  77 9c 59 7a 62 6f fd 67  69 d8 a1 c6 e8 ef a3 6a  |w.Yzbo.gi......j|
+000001a0  6a dd a5 9e 2a aa da 27  25 62 ef be 68 d7 3f aa  |j...*..'%b..h.?.|
+000001b0  59 b7 5e 1e bc 13 87 1f  50 a6 f1 18 70 86 1e 92  |Y.^.....P...p...|
+000001c0  98 a4 0b 2a c0 71 65 9b  97 c7 c8 26 31 64 76 ff  |...*.qe....&1dv.|
+000001d0  13 eb 92 f4 ce 7e ab 6b  d8 bd 5a 22 62 20 64 1e  |.....~.k..Z"b d.|
+000001e0  4a 57 ea d2 39 31 db 00  97 2b 6b 76 11 e4 b8 c9  |JW..91...+kv....|
+000001f0  8f fe c3 54 1c f6 d8 52  a6 0d 3a f1 6b a2 cc 3f  |...T...R..:.k..?|
+00000200  e3 7e 7b cf 62 0e 52 e2  ea 9c 54 f3 7a 2f e4 40  |.~{.b.R...T.z/.@|
+00000210  ef 5e d4 84 5f 88 90 58  cd 35 c2 07 07 cf 85 62  |.^.._..X.5.....b|
+00000220  97 40 e1 09 6c cb f4 4f  6d 9a 77 62 cd f4 b1 01  |.@..l..Om.wb....|
+00000230  a4 1a 9a 81 37 ab de 20  22 f1 fa 7e e0 d7 74 89  |....7.. "..~..t.|
+00000240  ff b6 97 6e 38 e4 b2 05  8f 78 f0 ef 1c 3d 62 8e  |...n8....x...=b.|
+00000250  eb 28 ea 77 8f 8e 2b b5  e9 2f 3b 2c 06 98 41 79  |.(.w..+../;,..Ay|
+00000260  49 f5 2c 91 f5 9a 96 0d  5a 05 f0 72 8c 1a d3 3c  |I.,.....Z..r...<|
+00000270  b1 d6 04 fa 76 f3 35 63  c9 07 f5 6a 75 ca e7 a0  |....v.5c...ju...|
+00000280  13 d8 e7 ad 22 2b 27 65  c6 cc 13 f3 dc 12 9a 2a  |...."+'e.......*|
+00000290  07 54 d6 7f c2 66 87 7c  07 be 62 df 4a 82 8d 3a  |.T...f.|..b.J..:|
+000002a0  09 b5 ad 14 36 2a cd 0c  0d 21 31 9a 80 ae 14 65  |....6*...!1....e|
+000002b0  42 db a8 75 33 11 eb 01  71 b8 34 c4 0d 2f 74 0b  |B..u3...q.4../t.|
+000002c0  c6 c0 c9 e0 99 d1 ca f4  ff 1d 74 87 a8 17 0d 90  |..........t.....|
+000002d0  84 04 22 7f 91 ee 64 d3  0c 8f cd bc e4 a4 7c 4d  |.."...d.......|M|
+000002e0  10 cd 81 7d 29 eb 86 eb  7b ae fa d2 fc df ab c9  |...})...{.......|
+000002f0  44 6a 18 47 98 04 59 b2  97 e1 08 38 5e 19 1a e1  |Dj.G..Y....8^...|
+00000300  6f b5 7a 97 e7 f9 40 8f  35 f7 7f 38 7a 84 84 2e  |o.z...@.5..8z...|
+00000310  0f 35 5b dd e2 04 e5 fa  b1 44 a6 95 a4 01 97 cd  |.5[......D......|
+00000320  ac 88 71 89 0b eb 1b 7d  1f 6f 0e 5b 19 e7 17 03  |..q....}.o.[....|
+00000330  03 00 99 eb c7 e1 49 e2  42 25 50 25 07 80 67 3a  |......I.B%P%..g:|
+00000340  9a f4 bc 99 d5 49 f4 7f  f6 b4 91 f6 72 ba 7b 63  |.....I......r.{c|
+00000350  5a f8 11 73 91 e2 ee 81  12 34 f2 e7 9a 19 b1 06  |Z..s.....4......|
+00000360  4a 1e 4f 43 ff 13 de b0  a1 cf 5a 1e 2f 92 1c 11  |J.OC......Z./...|
+00000370  a6 83 22 4b 51 37 55 5b  74 ae 44 d0 5f 1f 72 f1  |.."KQ7U[t.D._.r.|
+00000380  11 dd 2d f3 97 d7 af fc  9f 53 7e 02 12 98 c8 4d  |..-......S~....M|
+00000390  78 8a c5 92 64 f1 76 98  de 7c 59 2b 7a 10 39 7b  |x...d.v..|Y+z.9{|
+000003a0  e1 25 7b c3 34 b8 d5 d3  17 51 30 f2 28 03 12 1a  |.%{.4....Q0.(...|
+000003b0  30 20 26 6d 3f d3 59 73  d9 dd 4e 33 2a 3a a4 33  |0 &m?.Ys..N3*:.3|
+000003c0  7b ab 5f 89 2f 93 2b 4a  e3 72 f6 0e 17 03 03 00  |{._./.+J.r......|
+000003d0  35 70 3d 70 6d 8a 69 d6  74 30 40 ec 50 1a e1 a5  |5p=pm.i.t0@.P...|
+000003e0  73 23 0d 90 81 b2 dd 8b  c6 0e e6 9e 11 0e 17 5b  |s#.............[|
+000003f0  30 d7 9c 28 e9 9d 47 32  5c a5 bb 65 86 a2 2b 24  |0..(..G2\..e..+$|
+00000400  62 2f 59 f0 da 05                                 |b/Y...|
+>>> Flow 5 (client to server)
+00000000  17 03 03 00 35 dd 48 af  8f 37 e2 24 fa 34 5c c6  |....5.H..7.$.4\.|
+00000010  c7 e3 29 dd ec cd 59 36  80 b4 11 be 5f 7e 90 2e  |..)...Y6...._~..|
+00000020  c9 e3 7e 53 34 12 5f 14  1c 38 d8 c7 49 b2 55 91  |..~S4._..8..I.U.|
+00000030  df e9 2b fd 79 78 60 7a  bf cd 17 03 03 00 17 bf  |..+.yx`z........|
+00000040  f4 06 52 2d c0 5c f8 73  32 55 13 00 52 b6 94 e5  |..R-.\.s2U..R...|
+00000050  03 7b a5 92 46 35                                 |.{..F5|
+>>> Flow 6 (server to client)
+00000000  17 03 03 00 da 61 bd 0a  99 51 52 9b d6 60 b9 c6  |.....a...QR..`..|
+00000010  73 74 6d e2 a8 ff c9 c3  6f 1c f8 9f 4a c0 4f 02  |stm.....o...J.O.|
+00000020  0a 51 0d 47 8a 3a 5a 9c  07 8d 3e e7 6c ef 98 11  |.Q.G.:Z...>.l...|
+00000030  76 89 43 9a 86 15 9a ed  e4 47 57 a1 b9 ec 17 d8  |v.C......GW.....|
+00000040  3a 90 85 db 95 5d 44 2a  c8 4d 04 3d f1 17 ca a9  |:....]D*.M.=....|
+00000050  bc 44 63 af c6 fe 88 77  ab 2e 3d 81 ca bd e4 00  |.Dc....w..=.....|
+00000060  aa 6b 2f fe 75 98 c4 94  f1 92 93 40 1d a4 4c f0  |.k/.u......@..L.|
+00000070  a4 3c b1 49 5b ec 27 38  e5 8f 5f 18 82 a7 b8 01  |.<.I[.'8.._.....|
+00000080  d9 5a 52 ce f2 6a e0 b7  1e a4 21 fc 10 74 f7 02  |.ZR..j....!..t..|
+00000090  33 0f e5 3c 77 6f 4d 68  79 9c ad 95 50 1d b8 9a  |3..<woMhy...P...|
+000000a0  d6 46 d3 f3 1d ee 25 ad  15 17 39 ec 50 64 04 1b  |.F....%...9.Pd..|
+000000b0  e1 ff 4c da d8 04 b3 9f  36 b3 43 f2 54 fe d3 dc  |..L.....6.C.T...|
+000000c0  bb a9 1e ef b4 06 6f 1b  47 0f f5 09 68 3f e6 58  |......o.G...h?.X|
+000000d0  be 99 51 b0 8f ce 06 c3  49 d7 8b f5 37 5c 5c 17  |..Q.....I...7\\.|
+000000e0  03 03 00 da c3 21 ac 77  44 d5 7b 4c 98 62 9a 98  |.....!.wD.{L.b..|
+000000f0  90 e5 00 e8 61 11 40 51  d9 6b e1 b1 02 06 7b 34  |....a.@Q.k....{4|
+00000100  af 80 09 74 29 06 b8 e6  78 cf 4c 62 86 e0 41 a4  |...t)...x.Lb..A.|
+00000110  39 aa c7 c2 13 c9 eb 7f  9c c6 d2 51 fc 69 fd 03  |9..........Q.i..|
+00000120  1b 26 45 b8 2b f0 69 31  d9 70 0f 2d 31 c3 fb f5  |.&E.+.i1.p.-1...|
+00000130  af a0 a1 e8 6c 63 d3 ed  33 bc 9c 4e 41 e7 1b df  |....lc..3..NA...|
+00000140  3e 5d 6a b3 c2 a0 f4 21  56 14 cf f5 9f f0 7b b4  |>]j....!V.....{.|
+00000150  de de 9c 8e c3 f4 81 25  20 9e ab a8 2f d0 ac 31  |.......% .../..1|
+00000160  c8 97 69 b5 e6 56 b6 6d  d3 9f 7e 5a b5 34 86 2c  |..i..V.m..~Z.4.,|
+00000170  29 23 d5 e1 84 fa 54 fd  b6 09 38 58 b2 16 79 d9  |)#....T...8X..y.|
+00000180  38 fd 41 d9 dd 18 ae 10  5a 1c ea 25 04 a5 fe f2  |8.A.....Z..%....|
+00000190  92 ca f7 e1 eb 3c a8 10  85 2b 08 f4 42 94 79 e8  |.....<...+..B.y.|
+000001a0  5b 2d ac 24 60 51 a0 27  51 02 1d b2 db 6a ad 6c  |[-.$`Q.'Q....j.l|
+000001b0  f6 01 06 e7 73 98 f3 cd  8c f7 51 ee a6 82        |....s.....Q...|
+>>> Flow 7 (client to server)
+00000000  17 03 03 00 13 8f 74 cd  f2 6c 0d a0 35 03 05 84  |......t..l..5...|
+00000010  cd 43 b8 2c 8f 23 18 41                           |.C.,.#.A|
diff --git a/u_conn.go b/u_conn.go
index 73fdb82..9f9eabb 100644
--- a/u_conn.go
+++ b/u_conn.go
@@ -41,6 +41,7 @@ func UClient(conn net.Conn, config *Config, clientHelloID ClientHelloID) *UConn
 	tlsConn := Conn{conn: conn, config: config, isClient: true}
 	handshakeState := ClientHandshakeState{C: &tlsConn, Hello: &ClientHelloMsg{}}
 	uconn := UConn{Conn: &tlsConn, clientHelloID: clientHelloID, HandshakeState: handshakeState}
+	uconn.HandshakeState.uconn = &uconn
 	return &uconn
 }
 
@@ -368,7 +369,7 @@ func (c *UConn) clientHandshake() (err error) {
 	hs12.serverHello = serverHello
 	hs12.hello = hello
 	err = hs12.handshake()
-	c.HandshakeState = *hs12.toPublic13()
+	c.HandshakeState = *hs12.toPublic12()
 	if err != nil {
 		return err
 	}
@@ -509,6 +510,9 @@ func (uconn *UConn) GetUnderlyingConn() net.Conn {
 func MakeConnWithCompleteHandshake(tcpConn net.Conn, version uint16, cipherSuite uint16, masterSecret []byte, clientRandom []byte, serverRandom []byte, isClient bool) *Conn {
 	tlsConn := &Conn{conn: tcpConn, config: &Config{}, isClient: isClient}
 	cs := cipherSuiteByID(cipherSuite)
+	if cs == nil {
+		return nil
+	}
 
 	// This is mostly borrowed from establishKeys()
 	clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV :=
diff --git a/u_conn_test.go b/u_conn_test.go
index d4dd4cd..0a40ea9 100644
--- a/u_conn_test.go
+++ b/u_conn_test.go
@@ -142,6 +142,23 @@ func TestUTLSHandshakeClientParrotChrome_58_setclienthello(t *testing.T) {
 	runUTLSClientTestTLS12(t, test, helloID)
 }
 
+// tests consistency of fingerprint after HelloRetryRequest
+// chrome 70 is used, due to only specifying X25519 in keyshare, but being able to generate P-256 curve too
+// openssl server, configured to use P-256, will send HelloRetryRequest
+func TestUTLSHelloRetryRequest(t *testing.T) {
+	helloID := HelloChrome_70
+	config := testConfig.Clone()
+	config.CurvePreferences = []CurveID{X25519, CurveP256}
+
+	test := &clientTest{
+		name:    "UTLS-HelloRetryRequest-" + helloID.Str(),
+		command: []string{"openssl", "s_server", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"},
+		config:  config,
+	}
+
+	runUTLSClientTestTLS13(t, test, helloID)
+}
+
 /*
 *
  HELPER FUNCTIONS BELOW
diff --git a/u_public.go b/u_public.go
index 59c12ef..7481d6e 100644
--- a/u_public.go
+++ b/u_public.go
@@ -27,6 +27,8 @@ type ClientHandshakeState struct {
 
 	State12 TLS12OnlyState
 	State13 TLS13OnlyState
+
+	uconn *UConn
 }
 
 // TLS 1.3 only
@@ -69,6 +71,8 @@ func (chs *ClientHandshakeState) toPrivate13() *clientHandshakeStateTLS13 {
 			transcript:    chs.State13.Transcript,
 			masterSecret:  chs.MasterSecret,
 			trafficSecret: chs.State13.TrafficSecret,
+
+			uconn: chs.uconn,
 		}
 	}
 }
@@ -98,6 +102,8 @@ func (chs13 *clientHandshakeStateTLS13) toPublic13() *ClientHandshakeState {
 			MasterSecret: chs13.masterSecret,
 
 			State13: tls13State,
+
+			uconn: chs13.uconn,
 		}
 	}
 }
@@ -116,11 +122,13 @@ func (chs *ClientHandshakeState) toPrivate12() *clientHandshakeState {
 			masterSecret: chs.MasterSecret,
 
 			finishedHash: *chs.State12.FinishedHash.getPrivatePtr(),
+
+			uconn: chs.uconn,
 		}
 	}
 }
 
-func (chs12 *clientHandshakeState) toPublic13() *ClientHandshakeState {
+func (chs12 *clientHandshakeState) toPublic12() *ClientHandshakeState {
 	if chs12 == nil {
 		return nil
 	} else {
@@ -138,6 +146,8 @@ func (chs12 *clientHandshakeState) toPublic13() *ClientHandshakeState {
 			MasterSecret: chs12.masterSecret,
 
 			State12: tls12State,
+
+			uconn: chs12.uconn,
 		}
 	}
 }
diff --git a/u_tls_extensions.go b/u_tls_extensions.go
index 5645178..81b8200 100644
--- a/u_tls_extensions.go
+++ b/u_tls_extensions.go
@@ -684,5 +684,33 @@ func (e *SupportedVersionsExtension) Read(b []byte) (int, error) {
 	return e.Len(), io.EOF
 }
 
+// MUST NOT be part of initial ClientHello
+type CookieExtension struct {
+	Cookie []byte
+}
+
+func (e *CookieExtension) writeToUConn(uc *UConn) error {
+	return nil
+}
+
+func (e *CookieExtension) Len() int {
+	return 4 + len(e.Cookie)
+}
+
+func (e *CookieExtension) Read(b []byte) (int, error) {
+	if len(b) < e.Len() {
+		return 0, io.ErrShortBuffer
+	}
+
+	b[0] = byte(extensionCookie >> 8)
+	b[1] = byte(extensionCookie)
+	b[2] = byte(len(e.Cookie) >> 8)
+	b[3] = byte(len(e.Cookie))
+	if len(e.Cookie) > 0 {
+		copy(b[4:], e.Cookie)
+	}
+	return e.Len(), io.EOF
+}
+
 // TODO: FakeCertificateCompressionAlgorithmsExtension
 // TODO: FakeRecordSizeLimitExtension