From 6b5dc9f4ba7ee494f568d377e4a3e7d6e1ef475e Mon Sep 17 00:00:00 2001
From: Brad Fitzpatrick <bradfitz@golang.org>
Date: Mon, 29 Apr 2019 22:04:09 +0000
Subject: [PATCH] crypto/tls: remove NPN support

RELNOTE=yes

Fixes #28362

Change-Id: I43813c0c17bbe6c4cbb4d1f121518c434b3f5aa8
Reviewed-on: https://go-review.googlesource.com/c/go/+/174329
Reviewed-by: Filippo Valsorda <filippo@golang.org>
---
 conn.go                     |   2 -
 handshake_client.go         |  25 ------
 handshake_client_tls13.go   |   4 +-
 handshake_messages.go       |  94 +--------------------
 handshake_messages_test.go  |  17 ----
 handshake_server.go         |  23 -----
 handshake_server_tls13.go   |   1 -
 testdata/Client-TLSv12-ALPN |  74 ++++++++--------
 testdata/Client-TLSv13-ALPN | 162 ++++++++++++++++++------------------
 9 files changed, 121 insertions(+), 281 deletions(-)

diff --git a/conn.go b/conn.go
index 750e45e..0504877 100644
--- a/conn.go
+++ b/conn.go
@@ -1027,8 +1027,6 @@ func (c *Conn) readHandshake() (interface{}, error) {
 		m = &certificateVerifyMsg{
 			hasSignatureAlgorithm: c.vers >= VersionTLS12,
 		}
-	case typeNextProtocol:
-		m = new(nextProtoMsg)
 	case typeFinished:
 		m = new(finishedMsg)
 	case typeEncryptedExtensions:
diff --git a/handshake_client.go b/handshake_client.go
index f043113..75d710b 100644
--- a/handshake_client.go
+++ b/handshake_client.go
@@ -73,7 +73,6 @@ func (c *Conn) makeClientHello() (*clientHelloMsg, ecdheParameters, error) {
 		serverName:                   hostnameInSNI(config.ServerName),
 		supportedCurves:              config.curvePreferences(),
 		supportedPoints:              []uint8{pointFormatUncompressed},
-		nextProtoNeg:                 len(config.NextProtos) > 0,
 		secureRenegotiationSupported: true,
 		alpnProtocols:                config.NextProtos,
 		supportedVersions:            supportedVersions,
@@ -673,26 +672,14 @@ func (hs *clientHandshakeState) processServerHello() (bool, error) {
 		}
 	}
 
-	clientDidNPN := hs.hello.nextProtoNeg
 	clientDidALPN := len(hs.hello.alpnProtocols) > 0
-	serverHasNPN := hs.serverHello.nextProtoNeg
 	serverHasALPN := len(hs.serverHello.alpnProtocol) > 0
 
-	if !clientDidNPN && serverHasNPN {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server advertised unrequested NPN extension")
-	}
-
 	if !clientDidALPN && serverHasALPN {
 		c.sendAlert(alertHandshakeFailure)
 		return false, errors.New("tls: server advertised unrequested ALPN extension")
 	}
 
-	if serverHasNPN && serverHasALPN {
-		c.sendAlert(alertHandshakeFailure)
-		return false, errors.New("tls: server advertised both NPN and ALPN extensions")
-	}
-
 	if serverHasALPN {
 		c.clientProtocol = hs.serverHello.alpnProtocol
 		c.clientProtocolFallback = false
@@ -784,18 +771,6 @@ func (hs *clientHandshakeState) sendFinished(out []byte) error {
 	if _, err := c.writeRecord(recordTypeChangeCipherSpec, []byte{1}); err != nil {
 		return err
 	}
-	if hs.serverHello.nextProtoNeg {
-		nextProto := new(nextProtoMsg)
-		proto, fallback := mutualProtocol(c.config.NextProtos, hs.serverHello.nextProtos)
-		nextProto.proto = proto
-		c.clientProtocol = proto
-		c.clientProtocolFallback = fallback
-
-		hs.finishedHash.Write(nextProto.marshal())
-		if _, err := c.writeRecord(recordTypeHandshake, nextProto.marshal()); err != nil {
-			return err
-		}
-	}
 
 	finished := new(finishedMsg)
 	finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret)
diff --git a/handshake_client_tls13.go b/handshake_client_tls13.go
index 82207eb..a561cbf 100644
--- a/handshake_client_tls13.go
+++ b/handshake_client_tls13.go
@@ -123,9 +123,7 @@ func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error {
 		return errors.New("tls: server sent an incorrect legacy version")
 	}
 
-	if hs.serverHello.nextProtoNeg ||
-		len(hs.serverHello.nextProtos) != 0 ||
-		hs.serverHello.ocspStapling ||
+	if hs.serverHello.ocspStapling ||
 		hs.serverHello.ticketSupported ||
 		hs.serverHello.secureRenegotiationSupported ||
 		len(hs.serverHello.secureRenegotiation) != 0 ||
diff --git a/handshake_messages.go b/handshake_messages.go
index 2d21377..5524782 100644
--- a/handshake_messages.go
+++ b/handshake_messages.go
@@ -6,8 +6,9 @@ package tls
 
 import (
 	"fmt"
-	"golang.org/x/crypto/cryptobyte"
 	"strings"
+
+	"golang.org/x/crypto/cryptobyte"
 )
 
 // The marshalingFunction type is an adapter to allow the use of ordinary
@@ -72,7 +73,6 @@ type clientHelloMsg struct {
 	sessionId                        []byte
 	cipherSuites                     []uint16
 	compressionMethods               []uint8
-	nextProtoNeg                     bool
 	serverName                       string
 	ocspStapling                     bool
 	supportedCurves                  []CurveID
@@ -121,11 +121,6 @@ func (m *clientHelloMsg) marshal() []byte {
 		bWithoutExtensions := *b
 
 		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-			if m.nextProtoNeg {
-				// draft-agl-tls-nextprotoneg-04
-				b.AddUint16(extensionNextProtoNeg)
-				b.AddUint16(0) // empty extension_data
-			}
 			if len(m.serverName) > 0 {
 				// RFC 6066, Section 3
 				b.AddUint16(extensionServerName)
@@ -426,9 +421,6 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool {
 					return false
 				}
 			}
-		case extensionNextProtoNeg:
-			// draft-agl-tls-nextprotoneg-04
-			m.nextProtoNeg = true
 		case extensionStatusRequest:
 			// RFC 4366, Section 3.6
 			var statusType uint8
@@ -604,8 +596,6 @@ type serverHelloMsg struct {
 	sessionId                    []byte
 	cipherSuite                  uint16
 	compressionMethod            uint8
-	nextProtoNeg                 bool
-	nextProtos                   []string
 	ocspStapling                 bool
 	ticketSupported              bool
 	secureRenegotiationSupported bool
@@ -643,16 +633,6 @@ func (m *serverHelloMsg) marshal() []byte {
 		bWithoutExtensions := *b
 
 		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-			if m.nextProtoNeg {
-				b.AddUint16(extensionNextProtoNeg)
-				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
-					for _, proto := range m.nextProtos {
-						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
-							b.AddBytes([]byte(proto))
-						})
-					}
-				})
-			}
 			if m.ocspStapling {
 				b.AddUint16(extensionStatusRequest)
 				b.AddUint16(0) // empty extension_data
@@ -771,16 +751,6 @@ func (m *serverHelloMsg) unmarshal(data []byte) bool {
 		}
 
 		switch extension {
-		case extensionNextProtoNeg:
-			m.nextProtoNeg = true
-			for !extData.Empty() {
-				var proto cryptobyte.String
-				if !extData.ReadUint8LengthPrefixed(&proto) ||
-					proto.Empty() {
-					return false
-				}
-				m.nextProtos = append(m.nextProtos, string(proto))
-			}
 		case extensionStatusRequest:
 			m.ocspStapling = true
 		case extensionSessionTicket:
@@ -1579,66 +1549,6 @@ func (m *finishedMsg) unmarshal(data []byte) bool {
 		s.Empty()
 }
 
-type nextProtoMsg struct {
-	raw   []byte
-	proto string
-}
-
-func (m *nextProtoMsg) marshal() []byte {
-	if m.raw != nil {
-		return m.raw
-	}
-	l := len(m.proto)
-	if l > 255 {
-		l = 255
-	}
-
-	padding := 32 - (l+2)%32
-	length := l + padding + 2
-	x := make([]byte, length+4)
-	x[0] = typeNextProtocol
-	x[1] = uint8(length >> 16)
-	x[2] = uint8(length >> 8)
-	x[3] = uint8(length)
-
-	y := x[4:]
-	y[0] = byte(l)
-	copy(y[1:], []byte(m.proto[0:l]))
-	y = y[1+l:]
-	y[0] = byte(padding)
-
-	m.raw = x
-
-	return x
-}
-
-func (m *nextProtoMsg) unmarshal(data []byte) bool {
-	m.raw = data
-
-	if len(data) < 5 {
-		return false
-	}
-	data = data[4:]
-	protoLen := int(data[0])
-	data = data[1:]
-	if len(data) < protoLen {
-		return false
-	}
-	m.proto = string(data[0:protoLen])
-	data = data[protoLen:]
-
-	if len(data) < 1 {
-		return false
-	}
-	paddingLen := int(data[0])
-	data = data[1:]
-	if len(data) != paddingLen {
-		return false
-	}
-
-	return true
-}
-
 type certificateRequestMsg struct {
 	raw []byte
 	// hasSignatureAlgorithm indicates whether this message includes a list of
diff --git a/handshake_messages_test.go b/handshake_messages_test.go
index 21beb8e..9b01692 100644
--- a/handshake_messages_test.go
+++ b/handshake_messages_test.go
@@ -26,7 +26,6 @@ var tests = []interface{}{
 	},
 	&certificateStatusMsg{},
 	&clientKeyExchangeMsg{},
-	&nextProtoMsg{},
 	&newSessionTicketMsg{},
 	&sessionState{},
 	&sessionStateTLS13{},
@@ -127,9 +126,6 @@ func (*clientHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 		m.cipherSuites[i] = cs
 	}
 	m.compressionMethods = randomBytes(rand.Intn(63)+1, rand)
-	if rand.Intn(10) > 5 {
-		m.nextProtoNeg = true
-	}
 	if rand.Intn(10) > 5 {
 		m.serverName = randomString(rand.Intn(255), rand)
 		for strings.HasSuffix(m.serverName, ".") {
@@ -206,13 +202,6 @@ func (*serverHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 	m.cipherSuite = uint16(rand.Int31())
 	m.compressionMethod = uint8(rand.Intn(256))
 
-	if rand.Intn(10) > 5 {
-		m.nextProtoNeg = true
-		for i := 0; i < rand.Intn(10); i++ {
-			m.nextProtos = append(m.nextProtos, randomString(20, rand))
-		}
-	}
-
 	if rand.Intn(10) > 5 {
 		m.ocspStapling = true
 	}
@@ -308,12 +297,6 @@ func (*finishedMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 	return reflect.ValueOf(m)
 }
 
-func (*nextProtoMsg) Generate(rand *rand.Rand, size int) reflect.Value {
-	m := &nextProtoMsg{}
-	m.proto = randomString(rand.Intn(255), rand)
-	return reflect.ValueOf(m)
-}
-
 func (*newSessionTicketMsg) Generate(rand *rand.Rand, size int) reflect.Value {
 	m := &newSessionTicketMsg{}
 	m.ticket = randomBytes(rand.Intn(4), rand)
diff --git a/handshake_server.go b/handshake_server.go
index c6c40b3..ab5be72 100644
--- a/handshake_server.go
+++ b/handshake_server.go
@@ -244,15 +244,6 @@ Curves:
 			hs.hello.alpnProtocol = selectedProto
 			c.clientProtocol = selectedProto
 		}
-	} else {
-		// Although sending an empty NPN extension is reasonable, Firefox has
-		// had a bug around this. Best to send nothing at all if
-		// c.config.NextProtos is empty. See
-		// https://golang.org/issue/5445.
-		if hs.clientHello.nextProtoNeg && len(c.config.NextProtos) > 0 {
-			hs.hello.nextProtoNeg = true
-			hs.hello.nextProtos = c.config.NextProtos
-		}
 	}
 
 	hs.cert, err = c.config.getCertificate(clientHelloInfo(c, hs.clientHello))
@@ -618,20 +609,6 @@ func (hs *serverHandshakeState) readFinished(out []byte) error {
 		return err
 	}
 
-	if hs.hello.nextProtoNeg {
-		msg, err := c.readHandshake()
-		if err != nil {
-			return err
-		}
-		nextProto, ok := msg.(*nextProtoMsg)
-		if !ok {
-			c.sendAlert(alertUnexpectedMessage)
-			return unexpectedMessageError(nextProto, msg)
-		}
-		hs.finishedHash.Write(nextProto.marshal())
-		c.clientProtocol = nextProto.proto
-	}
-
 	msg, err := c.readHandshake()
 	if err != nil {
 		return err
diff --git a/handshake_server_tls13.go b/handshake_server_tls13.go
index 979ead5..feaa5bb 100644
--- a/handshake_server_tls13.go
+++ b/handshake_server_tls13.go
@@ -510,7 +510,6 @@ func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool {
 		!bytes.Equal(ch.random, ch1.random) ||
 		!bytes.Equal(ch.sessionId, ch1.sessionId) ||
 		!bytes.Equal(ch.compressionMethods, ch1.compressionMethods) ||
-		ch.nextProtoNeg != ch1.nextProtoNeg ||
 		ch.serverName != ch1.serverName ||
 		ch.ocspStapling != ch1.ocspStapling ||
 		!bytes.Equal(ch.supportedPoints, ch1.supportedPoints) ||
diff --git a/testdata/Client-TLSv12-ALPN b/testdata/Client-TLSv12-ALPN
index 2708b26..358b211 100644
--- a/testdata/Client-TLSv12-ALPN
+++ b/testdata/Client-TLSv12-ALPN
@@ -1,5 +1,5 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 12 01 00 01  0e 03 03 00 00 00 00 00  |................|
+00000000  16 03 01 01 0e 01 00 01  0a 03 03 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -7,22 +7,22 @@
 00000050  cc a9 c0 2f c0 2b c0 30  c0 2c c0 27 c0 13 c0 23  |.../.+.0.,.'...#|
 00000060  c0 09 c0 14 c0 0a 00 9c  00 9d 00 3c 00 2f 00 35  |...........<./.5|
 00000070  c0 12 00 0a 00 05 c0 11  c0 07 13 01 13 03 13 02  |................|
-00000080  01 00 00 93 33 74 00 00  00 05 00 05 01 00 00 00  |....3t..........|
-00000090  00 00 0a 00 0a 00 08 00  1d 00 17 00 18 00 19 00  |................|
-000000a0  0b 00 02 01 00 00 0d 00  1a 00 18 08 04 04 03 08  |................|
-000000b0  07 08 05 08 06 04 01 05  01 06 01 05 03 06 03 02  |................|
-000000c0  01 02 03 ff 01 00 01 00  00 10 00 10 00 0e 06 70  |...............p|
-000000d0  72 6f 74 6f 32 06 70 72  6f 74 6f 31 00 12 00 00  |roto2.proto1....|
-000000e0  00 2b 00 09 08 03 04 03  03 03 02 03 01 00 33 00  |.+............3.|
-000000f0  26 00 24 00 1d 00 20 2f  e5 7d a3 47 cd 62 43 15  |&.$... /.}.G.bC.|
-00000100  28 da ac 5f bb 29 07 30  ff f6 84 af c4 cf c2 ed  |(.._.).0........|
-00000110  90 99 5f 58 cb 3b 74                              |.._X.;t|
+00000080  01 00 00 8f 00 05 00 05  01 00 00 00 00 00 0a 00  |................|
+00000090  0a 00 08 00 1d 00 17 00  18 00 19 00 0b 00 02 01  |................|
+000000a0  00 00 0d 00 1a 00 18 08  04 04 03 08 07 08 05 08  |................|
+000000b0  06 04 01 05 01 06 01 05  03 06 03 02 01 02 03 ff  |................|
+000000c0  01 00 01 00 00 10 00 10  00 0e 06 70 72 6f 74 6f  |...........proto|
+000000d0  32 06 70 72 6f 74 6f 31  00 12 00 00 00 2b 00 09  |2.proto1.....+..|
+000000e0  08 03 04 03 03 03 02 03  01 00 33 00 26 00 24 00  |..........3.&.$.|
+000000f0  1d 00 20 2f e5 7d a3 47  cd 62 43 15 28 da ac 5f  |.. /.}.G.bC.(.._|
+00000100  bb 29 07 30 ff f6 84 af  c4 cf c2 ed 90 99 5f 58  |.).0.........._X|
+00000110  cb 3b 74                                          |.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 66 02 00 00  62 03 03 0e b3 00 4c e5  |....f...b.....L.|
-00000010  e4 08 c5 3d c2 9c 19 a1  de ae 43 24 9a 4d 81 99  |...=......C$.M..|
-00000020  df 60 cf a5 be ae c1 e8  e8 b9 a8 20 14 e6 e1 91  |.`......... ....|
-00000030  7a ab 9f 7b 3c dc c5 71  4b 28 80 5e fa 56 c9 b7  |z..{<..qK(.^.V..|
-00000040  d4 2f 0e 80 49 df 81 93  df 5d 34 49 cc a8 00 00  |./..I....]4I....|
+00000000  16 03 03 00 66 02 00 00  62 03 03 95 14 55 52 0b  |....f...b....UR.|
+00000010  e7 c1 15 6b dc 19 3b 17  9e bb 6a b7 61 82 dc 59  |...k..;...j.a..Y|
+00000020  d3 a4 7c e1 c3 83 cc e2  e5 56 e0 20 3c 82 0d 54  |..|......V. <..T|
+00000030  2b 78 fe 50 cb 4e c1 69  d7 6f b3 9f ac 2e 27 c8  |+x.P.N.i.o....'.|
+00000040  c6 7a 70 27 1e 14 67 43  4c f1 7d d7 cc a8 00 00  |.zp'..gCL.}.....|
 00000050  1a ff 01 00 01 00 00 0b  00 04 03 00 01 02 00 10  |................|
 00000060  00 09 00 07 06 70 72 6f  74 6f 31 16 03 03 02 59  |.....proto1....Y|
 00000070  0b 00 02 55 00 02 52 00  02 4f 30 82 02 4b 30 82  |...U..R..O0..K0.|
@@ -63,31 +63,31 @@
 000002a0  1c f1 0f a1 d8 40 83 61  c9 4c 72 2b 9d ae db 46  |.....@.a.Lr+...F|
 000002b0  06 06 4d f4 c1 b3 3e c0  d1 bd 42 d4 db fe 3d 13  |..M...>...B...=.|
 000002c0  60 84 5c 21 d3 3b e9 fa  e7 16 03 03 00 ac 0c 00  |`.\!.;..........|
-000002d0  00 a8 03 00 1d 20 18 37  3a d3 0a 4f 9b 95 c7 f0  |..... .7:..O....|
-000002e0  a2 00 43 5f df 2e a8 16  a9 9f 2a 0e 51 cf c9 b9  |..C_......*.Q...|
-000002f0  14 62 a7 ab 4b 6a 08 04  00 80 1a b2 78 e7 cd b6  |.b..Kj......x...|
-00000300  18 65 31 19 f9 91 9f a6  cb 77 97 69 86 27 ef 06  |.e1......w.i.'..|
-00000310  b5 bc f4 8f 75 96 01 72  64 2c d4 e4 67 0a d5 58  |....u..rd,..g..X|
-00000320  e0 e1 05 82 a6 58 f6 e0  06 c2 15 03 69 ba 5a a0  |.....X......i.Z.|
-00000330  2b af 6f b1 cd 16 84 1d  89 9c d0 c7 d2 c7 83 e8  |+.o.............|
-00000340  43 b7 4f e8 ca 97 c0 e2  57 d0 10 48 0c 26 cf 58  |C.O.....W..H.&.X|
-00000350  50 69 d8 86 b6 f5 aa 02  b8 f6 41 c4 15 52 99 52  |Pi........A..R.R|
-00000360  05 05 5b 42 80 6d 8a bf  7a e6 f3 60 c5 67 23 dc  |..[B.m..z..`.g#.|
-00000370  39 4b e6 74 0e 0e 47 a7  57 02 16 03 03 00 04 0e  |9K.t..G.W.......|
+000002d0  00 a8 03 00 1d 20 c3 e3  43 9c 5d 0f 09 61 ae 18  |..... ..C.]..a..|
+000002e0  66 05 b1 7d c1 9f e5 26  9c a7 97 d6 1f 9a 7c ff  |f..}...&......|.|
+000002f0  8c 34 a1 32 a2 35 08 04  00 80 6c 50 a1 80 d9 20  |.4.2.5....lP... |
+00000300  56 08 da d9 5b 77 4d ad  43 66 71 15 ec fe db 02  |V...[wM.Cfq.....|
+00000310  fb 40 d8 8d 67 22 e2 1b  ec 8d b9 4e ba 65 01 8b  |.@..g".....N.e..|
+00000320  70 e0 83 bc 06 1b 14 8f  07 cf a6 08 58 c3 77 94  |p...........X.w.|
+00000330  0f 94 53 62 54 6c 1f 92  22 9d ae f8 5a ad d5 f3  |..SbTl.."...Z...|
+00000340  8a f7 e6 93 8c 0e 48 1b  23 89 d8 bd e9 5c 50 cd  |......H.#....\P.|
+00000350  07 3d 7e 8e b0 d6 65 44  58 62 03 a1 d9 94 72 f0  |.=~...eDXb....r.|
+00000360  25 a9 e0 c1 be ac 32 05  59 f7 7f 6e 13 23 70 5a  |%.....2.Y..n.#pZ|
+00000370  65 ba a2 d7 da 3c a2 9e  6b 13 16 03 03 00 04 0e  |e....<..k.......|
 00000380  00 00 00                                          |...|
 >>> Flow 3 (client to server)
 00000000  16 03 03 00 25 10 00 00  21 20 2f e5 7d a3 47 cd  |....%...! /.}.G.|
 00000010  62 43 15 28 da ac 5f bb  29 07 30 ff f6 84 af c4  |bC.(.._.).0.....|
 00000020  cf c2 ed 90 99 5f 58 cb  3b 74 14 03 03 00 01 01  |....._X.;t......|
-00000030  16 03 03 00 20 0d 3c cf  6f 13 e3 73 d2 c5 05 06  |.... .<.o..s....|
-00000040  85 8d 41 e0 46 3b 25 e7  0a ae b9 00 1e c3 3f 61  |..A.F;%.......?a|
-00000050  82 2d e1 19 a4                                    |.-...|
+00000030  16 03 03 00 20 5e 91 45  7d ab 7c b7 6f 57 a6 d0  |.... ^.E}.|.oW..|
+00000040  17 83 cb 40 1b 76 6b 5e  80 39 03 2f 6d 2f 10 8e  |...@.vk^.9./m/..|
+00000050  74 33 12 54 8d                                    |t3.T.|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 20 43 1a 5d c1 dc  |.......... C.]..|
-00000010  42 10 81 bc af 2d 40 82  fa 27 41 81 cc e5 97 99  |B....-@..'A.....|
-00000020  80 27 3a b5 db f5 8e 2a  6d 72 86                 |.':....*mr.|
+00000000  14 03 03 00 01 01 16 03  03 00 20 f1 3c 7a 28 eb  |.......... .<z(.|
+00000010  0a b1 bf 42 28 de 07 83  76 c6 2c 94 b7 d5 ef f3  |...B(...v.,.....|
+00000020  0b 9c 0c 2e d3 ab 8a a9  03 d2 c0                 |...........|
 >>> Flow 5 (client to server)
-00000000  17 03 03 00 16 f1 0a 98  3b 2a 06 98 ad 46 f5 f7  |........;*...F..|
-00000010  42 cf 89 c0 d4 a7 08 df  bb dc 4d 15 03 03 00 12  |B.........M.....|
-00000020  9c d4 d2 a1 fb 38 98 31  7d ce 39 50 0b 58 d8 a8  |.....8.1}.9P.X..|
-00000030  3e 19                                             |>.|
+00000000  17 03 03 00 16 dc f6 18  54 22 e0 9c 08 bf db a8  |........T"......|
+00000010  62 2a 64 9e 06 43 0f 22  18 0e 34 15 03 03 00 12  |b*d..C."..4.....|
+00000020  20 2f f4 76 cd dc 82 eb  30 f9 e0 42 6b 29 16 ed  | /.v....0..Bk)..|
+00000030  7c f0                                             ||.|
diff --git a/testdata/Client-TLSv13-ALPN b/testdata/Client-TLSv13-ALPN
index f2ca5ac..0ac9b36 100644
--- a/testdata/Client-TLSv13-ALPN
+++ b/testdata/Client-TLSv13-ALPN
@@ -1,5 +1,5 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 01 12 01 00 01  0e 03 03 00 00 00 00 00  |................|
+00000000  16 03 01 01 0e 01 00 01  0a 03 03 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -7,87 +7,87 @@
 00000050  cc a9 c0 2f c0 2b c0 30  c0 2c c0 27 c0 13 c0 23  |.../.+.0.,.'...#|
 00000060  c0 09 c0 14 c0 0a 00 9c  00 9d 00 3c 00 2f 00 35  |...........<./.5|
 00000070  c0 12 00 0a 00 05 c0 11  c0 07 13 01 13 03 13 02  |................|
-00000080  01 00 00 93 33 74 00 00  00 05 00 05 01 00 00 00  |....3t..........|
-00000090  00 00 0a 00 0a 00 08 00  1d 00 17 00 18 00 19 00  |................|
-000000a0  0b 00 02 01 00 00 0d 00  1a 00 18 08 04 04 03 08  |................|
-000000b0  07 08 05 08 06 04 01 05  01 06 01 05 03 06 03 02  |................|
-000000c0  01 02 03 ff 01 00 01 00  00 10 00 10 00 0e 06 70  |...............p|
-000000d0  72 6f 74 6f 32 06 70 72  6f 74 6f 31 00 12 00 00  |roto2.proto1....|
-000000e0  00 2b 00 09 08 03 04 03  03 03 02 03 01 00 33 00  |.+............3.|
-000000f0  26 00 24 00 1d 00 20 2f  e5 7d a3 47 cd 62 43 15  |&.$... /.}.G.bC.|
-00000100  28 da ac 5f bb 29 07 30  ff f6 84 af c4 cf c2 ed  |(.._.).0........|
-00000110  90 99 5f 58 cb 3b 74                              |.._X.;t|
+00000080  01 00 00 8f 00 05 00 05  01 00 00 00 00 00 0a 00  |................|
+00000090  0a 00 08 00 1d 00 17 00  18 00 19 00 0b 00 02 01  |................|
+000000a0  00 00 0d 00 1a 00 18 08  04 04 03 08 07 08 05 08  |................|
+000000b0  06 04 01 05 01 06 01 05  03 06 03 02 01 02 03 ff  |................|
+000000c0  01 00 01 00 00 10 00 10  00 0e 06 70 72 6f 74 6f  |...........proto|
+000000d0  32 06 70 72 6f 74 6f 31  00 12 00 00 00 2b 00 09  |2.proto1.....+..|
+000000e0  08 03 04 03 03 03 02 03  01 00 33 00 26 00 24 00  |..........3.&.$.|
+000000f0  1d 00 20 2f e5 7d a3 47  cd 62 43 15 28 da ac 5f  |.. /.}.G.bC.(.._|
+00000100  bb 29 07 30 ff f6 84 af  c4 cf c2 ed 90 99 5f 58  |.).0.........._X|
+00000110  cb 3b 74                                          |.;t|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 7a 02 00 00  76 03 03 9a f4 f5 6b ec  |....z...v.....k.|
-00000010  37 69 ea a2 43 05 46 fe  dd 55 27 2e 78 cb f6 cc  |7i..C.F..U'.x...|
-00000020  96 ea fd 68 98 bb 3e 9d  75 ad 6e 20 00 00 00 00  |...h..>.u.n ....|
+00000000  16 03 03 00 7a 02 00 00  76 03 03 23 c5 c4 0c 4a  |....z...v..#...J|
+00000010  d2 5f 0b f6 ea 21 7a d1  a0 7d 21 26 b5 a3 94 ca  |._...!z..}!&....|
+00000020  91 6c 13 58 60 4f 39 cc  1a f7 c0 20 00 00 00 00  |.l.X`O9.... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000040  00 00 00 00 00 00 00 00  00 00 00 00 13 01 00 00  |................|
-00000050  2e 00 2b 00 02 03 04 00  33 00 24 00 1d 00 20 04  |..+.....3.$... .|
-00000060  67 13 de c7 ca 6c 02 d8  ee c4 80 d8 43 c2 ef 3e  |g....l......C..>|
-00000070  94 e1 51 d6 bf c7 1f 0c  4a b0 af 7f 91 a5 61 14  |..Q.....J.....a.|
-00000080  03 03 00 01 01 17 03 03  00 24 3f 87 40 f6 93 e3  |.........$?.@...|
-00000090  c9 cb 6e 83 75 c5 2f e3  af 0f 84 9a 3b 88 ad cc  |..n.u./.....;...|
-000000a0  99 c9 1b a8 26 e0 14 d4  ab fe 50 5f ad 79 17 03  |....&.....P_.y..|
-000000b0  03 02 6d 67 86 8e eb e3  15 65 21 e5 2f aa 8d c7  |..mg.....e!./...|
-000000c0  d5 34 6a b6 d3 ab 5f 96  f6 b2 79 b0 bc 3e f7 9c  |.4j..._...y..>..|
-000000d0  5d 8d 62 50 91 35 e1 7d  fe 61 9b 8c 9d e1 4a 7f  |].bP.5.}.a....J.|
-000000e0  54 4b ad c5 35 3d c9 05  d1 b0 6c 3f b2 c4 f7 75  |TK..5=....l?...u|
-000000f0  57 84 50 62 8d 50 80 be  b6 71 b8 59 02 52 5d 55  |W.Pb.P...q.Y.R]U|
-00000100  70 5e 76 61 77 d9 d1 f6  20 d1 d9 bf e2 03 16 1e  |p^vaw... .......|
-00000110  eb 1c 55 85 48 8d 43 72  56 2a d2 16 fc a3 cc 94  |..U.H.CrV*......|
-00000120  08 6d a8 73 55 9d a8 0c  36 da f4 02 c9 23 7b d5  |.m.sU...6....#{.|
-00000130  06 e7 63 63 a1 fa 80 1c  ca 77 d3 ee 4a f8 61 31  |..cc.....w..J.a1|
-00000140  4b 1c d6 8c f3 86 d3 16  ba fe 1c ff 5a f6 fa fc  |K...........Z...|
-00000150  d6 c7 ab b6 5a db 51 f3  cc 42 f0 65 b6 8f f3 d7  |....Z.Q..B.e....|
-00000160  44 5a e7 1e a9 d4 a7 bd  cd 20 bf a1 13 f1 b5 29  |DZ....... .....)|
-00000170  91 a4 28 78 f5 b6 c2 09  a5 95 e5 98 ab c9 f4 4b  |..(x...........K|
-00000180  10 da eb 07 ff 46 44 f9  85 f6 4f 78 5c b0 fa 2d  |.....FD...Ox\..-|
-00000190  0b 3b 79 3f 11 a2 eb 12  96 a3 01 ac 13 d3 65 cc  |.;y?..........e.|
-000001a0  98 e8 c9 8c c3 c6 c9 09  aa f6 af 01 1e e5 30 40  |..............0@|
-000001b0  40 88 44 26 ee 49 91 68  18 56 b9 ce 22 f6 80 ff  |@.D&.I.h.V.."...|
-000001c0  32 d0 ee 15 e3 8a 96 c0  e5 47 51 c1 7f 70 e1 fc  |2........GQ..p..|
-000001d0  3a 44 1a 36 b9 e7 ee f0  9c 4e 62 1f 78 2f cc dd  |:D.6.....Nb.x/..|
-000001e0  62 a3 3b 9b ae d1 34 ea  7f d7 dc b4 c5 2c d7 96  |b.;...4......,..|
-000001f0  61 59 0b ed de cc 70 68  06 2c 93 3d a9 9f 0a 9b  |aY....ph.,.=....|
-00000200  46 0d 39 fa b0 db 7f 9b  c1 80 c8 55 35 bb 10 4c  |F.9........U5..L|
-00000210  2d 8f 88 ae 94 bf 4a 5f  3b f5 95 e7 7a 47 e2 0e  |-.....J_;...zG..|
-00000220  19 b2 e7 69 f5 bb c0 08  9d e8 5e 23 f0 85 12 c0  |...i......^#....|
-00000230  01 cf 7a 87 19 b1 98 97  8d 5a 19 5c 37 52 0b a7  |..z......Z.\7R..|
-00000240  45 e8 8f 9b 0c 76 5f a6  5b d9 45 87 5b 6e 0e db  |E....v_.[.E.[n..|
-00000250  6a 6a e2 b2 1d f9 e6 31  13 09 8c 32 93 43 46 17  |jj.....1...2.CF.|
-00000260  15 45 c8 26 7f f2 23 7b  b1 da c4 20 56 59 4b c9  |.E.&..#{... VYK.|
-00000270  3e 90 a6 77 ea 28 ea 05  74 b8 04 55 68 7a 60 91  |>..w.(..t..Uhz`.|
-00000280  b7 8e 7d 96 11 ac 2d af  f2 26 c5 03 99 57 80 a7  |..}...-..&...W..|
-00000290  80 1f 6f ce fd 0e 81 af  2e d6 b0 6b 7c 4c 71 02  |..o........k|Lq.|
-000002a0  4c 56 fc e9 0a 58 56 5e  4d fd 2d ea e8 ae d5 b7  |LV...XV^M.-.....|
-000002b0  cf aa 66 48 a9 42 76 59  81 52 18 cf c4 6d d8 8c  |..fH.BvY.R...m..|
-000002c0  90 e3 57 28 53 43 5e ae  cd 33 ac 64 e2 ff 65 17  |..W(SC^..3.d..e.|
-000002d0  11 e2 6a 07 aa 57 40 63  90 51 11 43 9f 9e 6d 56  |..j..W@c.Q.C..mV|
-000002e0  69 c2 44 bb f9 83 84 79  bf 98 be 62 e8 20 6e cc  |i.D....y...b. n.|
-000002f0  69 a9 c4 33 de 40 d5 e9  95 12 87 d5 28 24 05 62  |i..3.@......($.b|
-00000300  ca b8 c2 bd d9 96 dc 16  03 c8 7d 9c 7a 83 de 55  |..........}.z..U|
-00000310  3b 4f 90 7b af 36 9a a7  80 46 c5 76 14 70 6c f4  |;O.{.6...F.v.pl.|
-00000320  17 03 03 00 99 6e 39 2c  0d 81 12 85 c2 1c 42 56  |.....n9,......BV|
-00000330  6a 3a e2 04 60 af 78 13  20 d2 b5 b2 58 9e 2f b9  |j:..`.x. ...X./.|
-00000340  f8 11 4f 52 cd 31 c3 a1  ec 83 bd 2e ea 9a 53 6b  |..OR.1........Sk|
-00000350  55 99 a6 8a 25 1c f7 b6  83 4e 9f 1e 5d c5 b2 b2  |U...%....N..]...|
-00000360  a5 6b ea 87 96 0e 29 5b  a4 24 f2 16 4c ad e1 9b  |.k....)[.$..L...|
-00000370  24 d2 95 7e 74 37 44 1a  d7 83 f5 4c 28 3f 3d 92  |$..~t7D....L(?=.|
-00000380  a7 6f 6e 70 1c 27 93 19  64 ee 61 dc 81 35 67 c8  |.onp.'..d.a..5g.|
-00000390  f3 e6 de b0 8f 32 6c df  b1 66 97 6b b9 4a 81 f0  |.....2l..f.k.J..|
-000003a0  cd 3a b4 56 14 e3 27 50  b0 f3 9b 63 05 a5 99 3a  |.:.V..'P...c...:|
-000003b0  26 d6 a5 3c e4 ea 8a 5a  04 5e fb de 86 bb 17 03  |&..<...Z.^......|
-000003c0  03 00 35 eb 5f 0f df 9f  e0 c7 4d b4 3d a6 c8 1a  |..5._.....M.=...|
-000003d0  df f1 f8 1e 36 ea ae 30  32 da 78 0e 00 fe d3 54  |....6..02.x....T|
-000003e0  cc 90 08 1a cb 92 1c 5f  f7 0a 3c f7 19 ed a3 3b  |......._..<....;|
-000003f0  cb fd 56 cb 4f 30 83 07                           |..V.O0..|
+00000050  2e 00 2b 00 02 03 04 00  33 00 24 00 1d 00 20 f9  |..+.....3.$... .|
+00000060  64 7e 54 8f 64 ec 3d 7c  17 f1 96 3c 44 ca cd d7  |d~T.d.=|...<D...|
+00000070  3d 92 02 06 5a f8 ab dc  f3 50 fe 5c ab 04 6b 14  |=...Z....P.\..k.|
+00000080  03 03 00 01 01 17 03 03  00 24 9f 15 ee 1e 43 26  |.........$....C&|
+00000090  31 53 01 8b a0 a7 e9 ac  96 51 a7 bc fe 46 6c 60  |1S.......Q...Fl`|
+000000a0  d1 8b c4 a9 34 cd 93 13  51 50 e9 02 f9 ce 17 03  |....4...QP......|
+000000b0  03 02 6d c3 ad 14 a8 d3  81 87 26 7d a0 60 57 2c  |..m.......&}.`W,|
+000000c0  d2 65 f5 a5 fc a8 c4 dd  2e e2 04 57 1f 94 a4 4a  |.e.........W...J|
+000000d0  3a 43 92 f4 f5 58 e9 11  d7 b1 62 0d d1 f4 d5 43  |:C...X....b....C|
+000000e0  4a c8 fa d9 28 18 ca 74  1a b2 39 e2 9b 95 40 0e  |J...(..t..9...@.|
+000000f0  63 ed 11 52 9b 61 36 0c  c3 a6 7b de 4d 68 48 55  |c..R.a6...{.MhHU|
+00000100  e2 05 e8 59 e1 df 51 08  06 a8 09 a0 d5 e7 14 e9  |...Y..Q.........|
+00000110  13 c6 a4 6d ff 7b b0 98  50 ef 81 1b 64 6f 44 c1  |...m.{..P...doD.|
+00000120  cd da 85 a0 80 0c da 54  90 8e a1 7d 4b 1d 16 fc  |.......T...}K...|
+00000130  40 ba e3 25 e3 c2 52 29  7a 23 50 2a 43 3f 7e 32  |@..%..R)z#P*C?~2|
+00000140  73 e0 5a a5 3f 09 b0 3a  b8 90 8b 36 06 ac fc ef  |s.Z.?..:...6....|
+00000150  e8 9c ba f3 fb 8e 2d ab  b3 c6 f4 d0 1d eb 7b 20  |......-.......{ |
+00000160  2b 68 1f e9 25 49 c9 2a  45 6e 2b a5 00 12 54 b2  |+h..%I.*En+...T.|
+00000170  a7 16 2f 00 72 d4 ed 7d  ea 7e cb b1 0a 03 c6 3b  |../.r..}.~.....;|
+00000180  b8 fe 97 59 6a b4 07 d3  2c b1 cc ca e8 46 24 97  |...Yj...,....F$.|
+00000190  d2 b8 a5 8e 7d 6f 78 7f  bd ee 7d 5a f6 ec 07 50  |....}ox...}Z...P|
+000001a0  00 c4 63 33 03 e5 09 44  c3 68 61 ec 5b 52 f8 67  |..c3...D.ha.[R.g|
+000001b0  66 60 fd 68 fe d7 b7 df  96 2c 1b 00 93 89 24 58  |f`.h.....,....$X|
+000001c0  20 2d 0a c1 c4 80 fc 03  8c 16 d1 83 11 a9 e7 70  | -.............p|
+000001d0  69 3f cf c2 dc 90 40 70  1a 1e d9 8e 36 02 61 57  |i?....@p....6.aW|
+000001e0  49 60 2d ba 59 76 fb 26  50 c8 db 82 b3 62 e5 d7  |I`-.Yv.&P....b..|
+000001f0  fb c6 91 9b 99 6e d2 d7  e1 8a da ec 87 e9 d8 71  |.....n.........q|
+00000200  3a 01 01 c9 9c da 3c 81  67 bc fb 30 0c 81 31 62  |:.....<.g..0..1b|
+00000210  c2 ff 1f ee db 27 e2 07  59 51 fb e2 64 89 e5 0e  |.....'..YQ..d...|
+00000220  0a 37 06 07 8a 96 34 b9  53 8d 0a ed 60 02 cb f5  |.7....4.S...`...|
+00000230  af b2 9c 77 27 2a 23 69  5f 58 cc 46 32 ab 76 df  |...w'*#i_X.F2.v.|
+00000240  1b c1 17 98 6e fb 9e 15  e0 7f e1 00 75 6d b2 cf  |....n.......um..|
+00000250  ce 6e dd 6c 00 b6 81 14  bb 06 60 b4 47 07 2a cf  |.n.l......`.G.*.|
+00000260  dc 87 72 07 7e 1d 76 fc  17 14 8a d7 5c 32 9b d2  |..r.~.v.....\2..|
+00000270  c6 45 24 d5 d0 ea a4 c6  b5 6e 63 fc c7 12 0c a7  |.E$......nc.....|
+00000280  0a 73 70 89 ce 3d 1f aa  d5 ad ba bc 16 e8 15 80  |.sp..=..........|
+00000290  14 16 84 f6 06 38 23 b7  21 ec 27 50 a8 76 cf 0c  |.....8#.!.'P.v..|
+000002a0  4f 58 f7 57 7f b3 bd 55  0c f4 53 6e 9f f4 f2 12  |OX.W...U..Sn....|
+000002b0  5b c4 e7 68 9c 17 8b 76  88 1e 42 1b 32 e0 81 4d  |[..h...v..B.2..M|
+000002c0  ce 16 73 59 74 bd 56 be  fd fe 42 21 07 bd f4 e9  |..sYt.V...B!....|
+000002d0  ff 83 f3 97 a8 9e d4 c6  3c 6f 43 9d 0b 3c dc 35  |........<oC..<.5|
+000002e0  29 e4 bd b1 75 a4 70 30  8d bd fa 25 74 6c 11 ea  |)...u.p0...%tl..|
+000002f0  44 38 b5 8f f9 7a 71 c6  f8 ea c7 2c 23 d2 29 6d  |D8...zq....,#.)m|
+00000300  dc 8f e5 f7 c6 80 3b 8d  47 da 19 da 28 26 26 e6  |......;.G...(&&.|
+00000310  0f 83 d5 e9 33 42 0b 21  f4 1c 48 c0 19 ed e6 84  |....3B.!..H.....|
+00000320  17 03 03 00 99 d6 56 fb  52 63 57 c0 61 ec 30 04  |......V.RcW.a.0.|
+00000330  0a ee 10 39 7b e4 6a 38  8b 29 9a 6c 40 88 1d a1  |...9{.j8.).l@...|
+00000340  8b 53 2b fe 47 66 75 70  5b 03 33 fc ca e6 4f 8d  |.S+.Gfup[.3...O.|
+00000350  f1 40 63 c2 24 97 b4 c8  dd b1 20 27 e0 28 03 7a  |.@c.$..... '.(.z|
+00000360  f1 cd b3 df 8a 93 39 fa  b9 f9 0e 62 4c 47 24 69  |......9....bLG$i|
+00000370  9a f3 a5 7b 0d 14 33 00  c3 ab ae 4a 46 c2 40 42  |...{..3....JF.@B|
+00000380  d7 36 c1 74 7a c6 1a 42  d2 e0 fe e6 4b 5c 96 1a  |.6.tz..B....K\..|
+00000390  24 05 13 2c ad aa 25 02  ae 1b 3a 87 a7 60 1c d4  |$..,..%...:..`..|
+000003a0  98 53 ee 33 e9 36 37 d0  97 c2 e9 2d b9 a0 ac 4f  |.S.3.67....-...O|
+000003b0  c8 82 d8 a4 28 2e e4 db  a1 8f 71 cb ee 28 17 03  |....(.....q..(..|
+000003c0  03 00 35 5d 41 7c b0 af  b5 49 e8 dc 8a 7f c8 1f  |..5]A|...I......|
+000003d0  af 70 8b c4 35 7b 7b 57  3a 49 f2 ef 75 4c 27 39  |.p..5{{W:I..uL'9|
+000003e0  bf a6 45 fd 9c 64 b2 6e  7c c0 d3 c0 c7 a6 25 2f  |..E..d.n|.....%/|
+000003f0  f7 48 6d 7c a4 33 ad 61                           |.Hm|.3.a|
 >>> Flow 3 (client to server)
-00000000  14 03 03 00 01 01 17 03  03 00 35 ec 05 98 86 f9  |..........5.....|
-00000010  a1 e4 14 c1 e2 85 17 62  f9 ff 5f 1f 53 8f 00 14  |.......b.._.S...|
-00000020  28 dd 31 bc 9a 7e 2d 54  53 c2 57 f0 24 0f e1 ca  |(.1..~-TS.W.$...|
-00000030  5e 17 07 bc 32 a5 72 3f  3e 90 dd be f1 a1 cc 6b  |^...2.r?>......k|
-00000040  17 03 03 00 17 93 58 dd  95 9a 88 82 3d 63 41 f7  |......X.....=cA.|
-00000050  ba da 0e 24 3f f2 b1 e5  db 83 2d bd 17 03 03 00  |...$?.....-.....|
-00000060  13 03 a4 42 58 3b d7 c5  c2 08 45 e5 c1 bc eb 47  |...BX;....E....G|
-00000070  b5 20 ea ce                                       |. ..|
+00000000  14 03 03 00 01 01 17 03  03 00 35 3e e7 50 e1 d1  |..........5>.P..|
+00000010  4d 9f 84 fe ca 83 c4 3b  a6 86 45 c2 7e e7 af 00  |M......;..E.~...|
+00000020  db e6 23 3c 06 b8 a3 1e  36 2e ab 45 7e d8 07 8c  |..#<....6..E~...|
+00000030  66 bf 5a 0f ff e6 3f 09  a4 d3 cf 74 1c d6 cf c7  |f.Z...?....t....|
+00000040  17 03 03 00 17 4c db af  a7 f3 73 b3 84 b9 a7 d1  |.....L....s.....|
+00000050  1c 2f cb 27 d8 ba 2c c6  84 48 88 18 17 03 03 00  |./.'..,..H......|
+00000060  13 a3 41 6f fb da f5 5a  4d 85 0c e0 ff 3a fb 91  |..Ao...ZM....:..|
+00000070  e2 5e ab 96                                       |.^..|