generate a client nonce once, when reading a server config multiple times

handshake/crypto_setup_client.go

@@ -97,6 +97,7 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
 		h.sno = sno
 	}
 
+	// TODO: what happens if the server sends a different server config in two packets?
 	if scfg, ok := cryptoData[TagSCFG]; ok {
 		h.serverConfig, err = parseServerConfig(scfg)
 		if err != nil {
@@ -104,9 +105,11 @@ func (h *cryptoSetupClient) handleREJMessage(cryptoData map[Tag][]byte) error {
 		}
 
 		// now that we have a server config, we can use its OBIT value to generate a client nonce
-		err = h.generateClientNonce()
+		if len(h.nonc) == 0 {
-		if err != nil {
+			err = h.generateClientNonce()
-			return err
+			if err != nil {
+				return err
+			}
 		}
 	}
 

handshake/crypto_setup_client_test.go

@@ -90,6 +90,19 @@ var _ = Describe("Crypto setup", func() {
 				Expect(cs.nonc).To(HaveLen(32))
 			})
 
+			It("only generates a client nonce once, when reading multiple server configs", func() {
+				b := &bytes.Buffer{}
+				WriteHandshakeMessage(b, TagSCFG, getDefaultServerConfigClient())
+				tagMap[TagSCFG] = b.Bytes()
+				err := cs.handleREJMessage(tagMap)
+				Expect(err).ToNot(HaveOccurred())
+				nonc := cs.nonc
+				Expect(nonc).ToNot(BeEmpty())
+				err = cs.handleREJMessage(tagMap)
+				Expect(err).ToNot(HaveOccurred())
+				Expect(cs.nonc).To(Equal(nonc))
+			})
+
 			It("passes on errors from reading the server config", func() {
 				b := &bytes.Buffer{}
 				WriteHandshakeMessage(b, TagSHLO, make(map[Tag][]byte))