ClientHello 'splitting' to handle PSK binders

3 files changed, 66 insertions, 1 deletions

diff --git a/crypto/src/tls/HandshakeMessageOutput.cs b/crypto/src/tls/HandshakeMessageOutput.cs
index ae07b9682..97e9a84af 100644
--- a/crypto/src/tls/HandshakeMessageOutput.cs
+++ b/crypto/src/tls/HandshakeMessageOutput.cs
@@ -58,5 +58,50 @@ namespace Org.BouncyCastle.Tls
 
             Platform.Dispose(this);
         }
+
+        internal void PrepareClientHello(TlsHandshakeHash handshakeHash, int totalBindersLength)
+        {
+            TlsUtilities.CheckUint16(totalBindersLength);
+
+            // Patch actual length back in
+            int bodyLength = (int)Length - 4 + totalBindersLength;
+            TlsUtilities.CheckUint24(bodyLength);
+
+            Seek(1L, SeekOrigin.Begin);
+            TlsUtilities.WriteUint24(bodyLength, this);
+
+#if PORTABLE
+            byte[] buf = ToArray();
+            int count = buf.Length;
+#else
+            byte[] buf = GetBuffer();
+            int count = (int)Length;
+#endif
+
+            handshakeHash.Update(buf, 0, count);
+
+            Seek(0L, SeekOrigin.End);
+        }
+
+        internal void SendClientHello(TlsClientProtocol clientProtocol, TlsHandshakeHash handshakeHash,
+            int totalBindersLength)
+        {
+#if PORTABLE
+            byte[] buf = ToArray();
+            int count = buf.Length;
+#else
+            byte[] buf = GetBuffer();
+            int count = (int)Length;
+#endif
+
+            if (totalBindersLength > 0)
+            {
+                handshakeHash.Update(buf, count - totalBindersLength, totalBindersLength);
+            }
+
+            clientProtocol.WriteHandshakeMessage(buf, 0, count);
+
+            Platform.Dispose(this);
+        }
     }
 }
diff --git a/crypto/src/tls/TlsClientProtocol.cs b/crypto/src/tls/TlsClientProtocol.cs
index 118772f67..7a92220dc 100644
--- a/crypto/src/tls/TlsClientProtocol.cs
+++ b/crypto/src/tls/TlsClientProtocol.cs
@@ -1690,7 +1690,15 @@ namespace Org.BouncyCastle.Tls
         {
             HandshakeMessageOutput message = new HandshakeMessageOutput(HandshakeType.client_hello);
             m_clientHello.Encode(m_tlsClientContext, message);
-            message.Send(this);
+
+            // TODO[tls13-psk] Calculate the total length of the binders that will be added.
+            int totalBindersLength = 0;
+
+            message.PrepareClientHello(m_handshakeHash, totalBindersLength);
+
+            // TODO[tls13-psk] Calculate any PSK binders and write them to 'message' here. 
+
+            message.SendClientHello(this, m_handshakeHash, totalBindersLength);
         }
 
         /// <exception cref="IOException"/>
diff --git a/crypto/src/tls/TlsProtocol.cs b/crypto/src/tls/TlsProtocol.cs
index 044fca42d..d4960e3c8 100644
--- a/crypto/src/tls/TlsProtocol.cs
+++ b/crypto/src/tls/TlsProtocol.cs
@@ -947,11 +947,23 @@ namespace Org.BouncyCastle.Tls
             short type = TlsUtilities.ReadUint8(buf, off);
             switch (type)
             {
+            /*
+             * These message types aren't included in the transcript.
+             */
             case HandshakeType.hello_request:
             case HandshakeType.key_update:
             case HandshakeType.new_session_ticket:
                 break;
 
+            /*
+             * These message types are deferred to the writer to explicitly update the transcript.
+             */
+            case HandshakeType.client_hello:
+                break;
+
+            /*
+             * For all others we automatically update the transcript. 
+             */
             default:
             {
                 m_handshakeHash.Update(buf, off, len);