...

Source file src/pkg/crypto/tls/handshake_messages.go

     1	// Copyright 2009 The Go Authors. All rights reserved.
     2	// Use of this source code is governed by a BSD-style
     3	// license that can be found in the LICENSE file.
     4	
     5	package tls
     6	
     7	import (
     8		"fmt"
     9		"golang.org/x/crypto/cryptobyte"
    10		"strings"
    11	)
    12	
    13	// The marshalingFunction type is an adapter to allow the use of ordinary
    14	// functions as cryptobyte.MarshalingValue.
    15	type marshalingFunction func(b *cryptobyte.Builder) error
    16	
    17	func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
    18		return f(b)
    19	}
    20	
    21	// addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
    22	// the length of the sequence is not the value specified, it produces an error.
    23	func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
    24		b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
    25			if len(v) != n {
    26				return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
    27			}
    28			b.AddBytes(v)
    29			return nil
    30		}))
    31	}
    32	
    33	// addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
    34	func addUint64(b *cryptobyte.Builder, v uint64) {
    35		b.AddUint32(uint32(v >> 32))
    36		b.AddUint32(uint32(v))
    37	}
    38	
    39	// readUint64 decodes a big-endian, 64-bit value into out and advances over it.
    40	// It reports whether the read was successful.
    41	func readUint64(s *cryptobyte.String, out *uint64) bool {
    42		var hi, lo uint32
    43		if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
    44			return false
    45		}
    46		*out = uint64(hi)<<32 | uint64(lo)
    47		return true
    48	}
    49	
    50	// readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
    51	// []byte instead of a cryptobyte.String.
    52	func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    53		return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
    54	}
    55	
    56	// readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
    57	// []byte instead of a cryptobyte.String.
    58	func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    59		return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
    60	}
    61	
    62	// readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
    63	// []byte instead of a cryptobyte.String.
    64	func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    65		return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
    66	}
    67	
    68	type clientHelloMsg struct {
    69		raw                              []byte
    70		vers                             uint16
    71		random                           []byte
    72		sessionId                        []byte
    73		cipherSuites                     []uint16
    74		compressionMethods               []uint8
    75		nextProtoNeg                     bool
    76		serverName                       string
    77		ocspStapling                     bool
    78		supportedCurves                  []CurveID
    79		supportedPoints                  []uint8
    80		ticketSupported                  bool
    81		sessionTicket                    []uint8
    82		supportedSignatureAlgorithms     []SignatureScheme
    83		supportedSignatureAlgorithmsCert []SignatureScheme
    84		secureRenegotiationSupported     bool
    85		secureRenegotiation              []byte
    86		alpnProtocols                    []string
    87		scts                             bool
    88		supportedVersions                []uint16
    89		cookie                           []byte
    90		keyShares                        []keyShare
    91		earlyData                        bool
    92		pskModes                         []uint8
    93		pskIdentities                    []pskIdentity
    94		pskBinders                       [][]byte
    95	}
    96	
    97	func (m *clientHelloMsg) marshal() []byte {
    98		if m.raw != nil {
    99			return m.raw
   100		}
   101	
   102		var b cryptobyte.Builder
   103		b.AddUint8(typeClientHello)
   104		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   105			b.AddUint16(m.vers)
   106			addBytesWithLength(b, m.random, 32)
   107			b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   108				b.AddBytes(m.sessionId)
   109			})
   110			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   111				for _, suite := range m.cipherSuites {
   112					b.AddUint16(suite)
   113				}
   114			})
   115			b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   116				b.AddBytes(m.compressionMethods)
   117			})
   118	
   119			// If extensions aren't present, omit them.
   120			var extensionsPresent bool
   121			bWithoutExtensions := *b
   122	
   123			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   124				if m.nextProtoNeg {
   125					// draft-agl-tls-nextprotoneg-04
   126					b.AddUint16(extensionNextProtoNeg)
   127					b.AddUint16(0) // empty extension_data
   128				}
   129				if len(m.serverName) > 0 {
   130					// RFC 6066, Section 3
   131					b.AddUint16(extensionServerName)
   132					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   133						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   134							b.AddUint8(0) // name_type = host_name
   135							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   136								b.AddBytes([]byte(m.serverName))
   137							})
   138						})
   139					})
   140				}
   141				if m.ocspStapling {
   142					// RFC 4366, Section 3.6
   143					b.AddUint16(extensionStatusRequest)
   144					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   145						b.AddUint8(1)  // status_type = ocsp
   146						b.AddUint16(0) // empty responder_id_list
   147						b.AddUint16(0) // empty request_extensions
   148					})
   149				}
   150				if len(m.supportedCurves) > 0 {
   151					// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   152					b.AddUint16(extensionSupportedCurves)
   153					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   154						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   155							for _, curve := range m.supportedCurves {
   156								b.AddUint16(uint16(curve))
   157							}
   158						})
   159					})
   160				}
   161				if len(m.supportedPoints) > 0 {
   162					// RFC 4492, Section 5.1.2
   163					b.AddUint16(extensionSupportedPoints)
   164					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   165						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   166							b.AddBytes(m.supportedPoints)
   167						})
   168					})
   169				}
   170				if m.ticketSupported {
   171					// RFC 5077, Section 3.2
   172					b.AddUint16(extensionSessionTicket)
   173					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   174						b.AddBytes(m.sessionTicket)
   175					})
   176				}
   177				if len(m.supportedSignatureAlgorithms) > 0 {
   178					// RFC 5246, Section 7.4.1.4.1
   179					b.AddUint16(extensionSignatureAlgorithms)
   180					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   181						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   182							for _, sigAlgo := range m.supportedSignatureAlgorithms {
   183								b.AddUint16(uint16(sigAlgo))
   184							}
   185						})
   186					})
   187				}
   188				if len(m.supportedSignatureAlgorithmsCert) > 0 {
   189					// RFC 8446, Section 4.2.3
   190					b.AddUint16(extensionSignatureAlgorithmsCert)
   191					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   192						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   193							for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
   194								b.AddUint16(uint16(sigAlgo))
   195							}
   196						})
   197					})
   198				}
   199				if m.secureRenegotiationSupported {
   200					// RFC 5746, Section 3.2
   201					b.AddUint16(extensionRenegotiationInfo)
   202					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   203						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   204							b.AddBytes(m.secureRenegotiation)
   205						})
   206					})
   207				}
   208				if len(m.alpnProtocols) > 0 {
   209					// RFC 7301, Section 3.1
   210					b.AddUint16(extensionALPN)
   211					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   212						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   213							for _, proto := range m.alpnProtocols {
   214								b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   215									b.AddBytes([]byte(proto))
   216								})
   217							}
   218						})
   219					})
   220				}
   221				if m.scts {
   222					// RFC 6962, Section 3.3.1
   223					b.AddUint16(extensionSCT)
   224					b.AddUint16(0) // empty extension_data
   225				}
   226				if len(m.supportedVersions) > 0 {
   227					// RFC 8446, Section 4.2.1
   228					b.AddUint16(extensionSupportedVersions)
   229					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   230						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   231							for _, vers := range m.supportedVersions {
   232								b.AddUint16(vers)
   233							}
   234						})
   235					})
   236				}
   237				if len(m.cookie) > 0 {
   238					// RFC 8446, Section 4.2.2
   239					b.AddUint16(extensionCookie)
   240					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   241						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   242							b.AddBytes(m.cookie)
   243						})
   244					})
   245				}
   246				if len(m.keyShares) > 0 {
   247					// RFC 8446, Section 4.2.8
   248					b.AddUint16(extensionKeyShare)
   249					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   250						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   251							for _, ks := range m.keyShares {
   252								b.AddUint16(uint16(ks.group))
   253								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   254									b.AddBytes(ks.data)
   255								})
   256							}
   257						})
   258					})
   259				}
   260				if m.earlyData {
   261					// RFC 8446, Section 4.2.10
   262					b.AddUint16(extensionEarlyData)
   263					b.AddUint16(0) // empty extension_data
   264				}
   265				if len(m.pskModes) > 0 {
   266					// RFC 8446, Section 4.2.9
   267					b.AddUint16(extensionPSKModes)
   268					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   269						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   270							b.AddBytes(m.pskModes)
   271						})
   272					})
   273				}
   274				if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension
   275					// RFC 8446, Section 4.2.11
   276					b.AddUint16(extensionPreSharedKey)
   277					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   278						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   279							for _, psk := range m.pskIdentities {
   280								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   281									b.AddBytes(psk.label)
   282								})
   283								b.AddUint32(psk.obfuscatedTicketAge)
   284							}
   285						})
   286						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   287							for _, binder := range m.pskBinders {
   288								b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   289									b.AddBytes(binder)
   290								})
   291							}
   292						})
   293					})
   294				}
   295	
   296				extensionsPresent = len(b.BytesOrPanic()) > 2
   297			})
   298	
   299			if !extensionsPresent {
   300				*b = bWithoutExtensions
   301			}
   302		})
   303	
   304		m.raw = b.BytesOrPanic()
   305		return m.raw
   306	}
   307	
   308	// marshalWithoutBinders returns the ClientHello through the
   309	// PreSharedKeyExtension.identities field, according to RFC 8446, Section
   310	// 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.
   311	func (m *clientHelloMsg) marshalWithoutBinders() []byte {
   312		bindersLen := 2 // uint16 length prefix
   313		for _, binder := range m.pskBinders {
   314			bindersLen += 1 // uint8 length prefix
   315			bindersLen += len(binder)
   316		}
   317	
   318		fullMessage := m.marshal()
   319		return fullMessage[:len(fullMessage)-bindersLen]
   320	}
   321	
   322	// updateBinders updates the m.pskBinders field, if necessary updating the
   323	// cached marshaled representation. The supplied binders must have the same
   324	// length as the current m.pskBinders.
   325	func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) {
   326		if len(pskBinders) != len(m.pskBinders) {
   327			panic("tls: internal error: pskBinders length mismatch")
   328		}
   329		for i := range m.pskBinders {
   330			if len(pskBinders[i]) != len(m.pskBinders[i]) {
   331				panic("tls: internal error: pskBinders length mismatch")
   332			}
   333		}
   334		m.pskBinders = pskBinders
   335		if m.raw != nil {
   336			lenWithoutBinders := len(m.marshalWithoutBinders())
   337			// TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported.
   338			b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders])
   339			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   340				for _, binder := range m.pskBinders {
   341					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   342						b.AddBytes(binder)
   343					})
   344				}
   345			})
   346			if len(b.BytesOrPanic()) != len(m.raw) {
   347				panic("tls: internal error: failed to update binders")
   348			}
   349		}
   350	}
   351	
   352	func (m *clientHelloMsg) unmarshal(data []byte) bool {
   353		*m = clientHelloMsg{raw: data}
   354		s := cryptobyte.String(data)
   355	
   356		if !s.Skip(4) || // message type and uint24 length field
   357			!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   358			!readUint8LengthPrefixed(&s, &m.sessionId) {
   359			return false
   360		}
   361	
   362		var cipherSuites cryptobyte.String
   363		if !s.ReadUint16LengthPrefixed(&cipherSuites) {
   364			return false
   365		}
   366		m.cipherSuites = []uint16{}
   367		m.secureRenegotiationSupported = false
   368		for !cipherSuites.Empty() {
   369			var suite uint16
   370			if !cipherSuites.ReadUint16(&suite) {
   371				return false
   372			}
   373			if suite == scsvRenegotiation {
   374				m.secureRenegotiationSupported = true
   375			}
   376			m.cipherSuites = append(m.cipherSuites, suite)
   377		}
   378	
   379		if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
   380			return false
   381		}
   382	
   383		if s.Empty() {
   384			// ClientHello is optionally followed by extension data
   385			return true
   386		}
   387	
   388		var extensions cryptobyte.String
   389		if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   390			return false
   391		}
   392	
   393		for !extensions.Empty() {
   394			var extension uint16
   395			var extData cryptobyte.String
   396			if !extensions.ReadUint16(&extension) ||
   397				!extensions.ReadUint16LengthPrefixed(&extData) {
   398				return false
   399			}
   400	
   401			switch extension {
   402			case extensionServerName:
   403				// RFC 6066, Section 3
   404				var nameList cryptobyte.String
   405				if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
   406					return false
   407				}
   408				for !nameList.Empty() {
   409					var nameType uint8
   410					var serverName cryptobyte.String
   411					if !nameList.ReadUint8(&nameType) ||
   412						!nameList.ReadUint16LengthPrefixed(&serverName) ||
   413						serverName.Empty() {
   414						return false
   415					}
   416					if nameType != 0 {
   417						continue
   418					}
   419					if len(m.serverName) != 0 {
   420						// Multiple names of the same name_type are prohibited.
   421						return false
   422					}
   423					m.serverName = string(serverName)
   424					// An SNI value may not include a trailing dot.
   425					if strings.HasSuffix(m.serverName, ".") {
   426						return false
   427					}
   428				}
   429			case extensionNextProtoNeg:
   430				// draft-agl-tls-nextprotoneg-04
   431				m.nextProtoNeg = true
   432			case extensionStatusRequest:
   433				// RFC 4366, Section 3.6
   434				var statusType uint8
   435				var ignored cryptobyte.String
   436				if !extData.ReadUint8(&statusType) ||
   437					!extData.ReadUint16LengthPrefixed(&ignored) ||
   438					!extData.ReadUint16LengthPrefixed(&ignored) {
   439					return false
   440				}
   441				m.ocspStapling = statusType == statusTypeOCSP
   442			case extensionSupportedCurves:
   443				// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   444				var curves cryptobyte.String
   445				if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
   446					return false
   447				}
   448				for !curves.Empty() {
   449					var curve uint16
   450					if !curves.ReadUint16(&curve) {
   451						return false
   452					}
   453					m.supportedCurves = append(m.supportedCurves, CurveID(curve))
   454				}
   455			case extensionSupportedPoints:
   456				// RFC 4492, Section 5.1.2
   457				if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   458					len(m.supportedPoints) == 0 {
   459					return false
   460				}
   461			case extensionSessionTicket:
   462				// RFC 5077, Section 3.2
   463				m.ticketSupported = true
   464				extData.ReadBytes(&m.sessionTicket, len(extData))
   465			case extensionSignatureAlgorithms:
   466				// RFC 5246, Section 7.4.1.4.1
   467				var sigAndAlgs cryptobyte.String
   468				if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   469					return false
   470				}
   471				for !sigAndAlgs.Empty() {
   472					var sigAndAlg uint16
   473					if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   474						return false
   475					}
   476					m.supportedSignatureAlgorithms = append(
   477						m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
   478				}
   479			case extensionSignatureAlgorithmsCert:
   480				// RFC 8446, Section 4.2.3
   481				var sigAndAlgs cryptobyte.String
   482				if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   483					return false
   484				}
   485				for !sigAndAlgs.Empty() {
   486					var sigAndAlg uint16
   487					if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   488						return false
   489					}
   490					m.supportedSignatureAlgorithmsCert = append(
   491						m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
   492				}
   493			case extensionRenegotiationInfo:
   494				// RFC 5746, Section 3.2
   495				if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   496					return false
   497				}
   498				m.secureRenegotiationSupported = true
   499			case extensionALPN:
   500				// RFC 7301, Section 3.1
   501				var protoList cryptobyte.String
   502				if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   503					return false
   504				}
   505				for !protoList.Empty() {
   506					var proto cryptobyte.String
   507					if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
   508						return false
   509					}
   510					m.alpnProtocols = append(m.alpnProtocols, string(proto))
   511				}
   512			case extensionSCT:
   513				// RFC 6962, Section 3.3.1
   514				m.scts = true
   515			case extensionSupportedVersions:
   516				// RFC 8446, Section 4.2.1
   517				var versList cryptobyte.String
   518				if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
   519					return false
   520				}
   521				for !versList.Empty() {
   522					var vers uint16
   523					if !versList.ReadUint16(&vers) {
   524						return false
   525					}
   526					m.supportedVersions = append(m.supportedVersions, vers)
   527				}
   528			case extensionCookie:
   529				// RFC 8446, Section 4.2.2
   530				if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   531					len(m.cookie) == 0 {
   532					return false
   533				}
   534			case extensionKeyShare:
   535				// RFC 8446, Section 4.2.8
   536				var clientShares cryptobyte.String
   537				if !extData.ReadUint16LengthPrefixed(&clientShares) {
   538					return false
   539				}
   540				for !clientShares.Empty() {
   541					var ks keyShare
   542					if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
   543						!readUint16LengthPrefixed(&clientShares, &ks.data) ||
   544						len(ks.data) == 0 {
   545						return false
   546					}
   547					m.keyShares = append(m.keyShares, ks)
   548				}
   549			case extensionEarlyData:
   550				// RFC 8446, Section 4.2.10
   551				m.earlyData = true
   552			case extensionPSKModes:
   553				// RFC 8446, Section 4.2.9
   554				if !readUint8LengthPrefixed(&extData, &m.pskModes) {
   555					return false
   556				}
   557			case extensionPreSharedKey:
   558				// RFC 8446, Section 4.2.11
   559				if !extensions.Empty() {
   560					return false // pre_shared_key must be the last extension
   561				}
   562				var identities cryptobyte.String
   563				if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
   564					return false
   565				}
   566				for !identities.Empty() {
   567					var psk pskIdentity
   568					if !readUint16LengthPrefixed(&identities, &psk.label) ||
   569						!identities.ReadUint32(&psk.obfuscatedTicketAge) ||
   570						len(psk.label) == 0 {
   571						return false
   572					}
   573					m.pskIdentities = append(m.pskIdentities, psk)
   574				}
   575				var binders cryptobyte.String
   576				if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
   577					return false
   578				}
   579				for !binders.Empty() {
   580					var binder []byte
   581					if !readUint8LengthPrefixed(&binders, &binder) ||
   582						len(binder) == 0 {
   583						return false
   584					}
   585					m.pskBinders = append(m.pskBinders, binder)
   586				}
   587			default:
   588				// Ignore unknown extensions.
   589				continue
   590			}
   591	
   592			if !extData.Empty() {
   593				return false
   594			}
   595		}
   596	
   597		return true
   598	}
   599	
   600	type serverHelloMsg struct {
   601		raw                          []byte
   602		vers                         uint16
   603		random                       []byte
   604		sessionId                    []byte
   605		cipherSuite                  uint16
   606		compressionMethod            uint8
   607		nextProtoNeg                 bool
   608		nextProtos                   []string
   609		ocspStapling                 bool
   610		ticketSupported              bool
   611		secureRenegotiationSupported bool
   612		secureRenegotiation          []byte
   613		alpnProtocol                 string
   614		scts                         [][]byte
   615		supportedVersion             uint16
   616		serverShare                  keyShare
   617		selectedIdentityPresent      bool
   618		selectedIdentity             uint16
   619	
   620		// HelloRetryRequest extensions
   621		cookie        []byte
   622		selectedGroup CurveID
   623	}
   624	
   625	func (m *serverHelloMsg) marshal() []byte {
   626		if m.raw != nil {
   627			return m.raw
   628		}
   629	
   630		var b cryptobyte.Builder
   631		b.AddUint8(typeServerHello)
   632		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   633			b.AddUint16(m.vers)
   634			addBytesWithLength(b, m.random, 32)
   635			b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   636				b.AddBytes(m.sessionId)
   637			})
   638			b.AddUint16(m.cipherSuite)
   639			b.AddUint8(m.compressionMethod)
   640	
   641			// If extensions aren't present, omit them.
   642			var extensionsPresent bool
   643			bWithoutExtensions := *b
   644	
   645			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   646				if m.nextProtoNeg {
   647					b.AddUint16(extensionNextProtoNeg)
   648					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   649						for _, proto := range m.nextProtos {
   650							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   651								b.AddBytes([]byte(proto))
   652							})
   653						}
   654					})
   655				}
   656				if m.ocspStapling {
   657					b.AddUint16(extensionStatusRequest)
   658					b.AddUint16(0) // empty extension_data
   659				}
   660				if m.ticketSupported {
   661					b.AddUint16(extensionSessionTicket)
   662					b.AddUint16(0) // empty extension_data
   663				}
   664				if m.secureRenegotiationSupported {
   665					b.AddUint16(extensionRenegotiationInfo)
   666					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   667						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   668							b.AddBytes(m.secureRenegotiation)
   669						})
   670					})
   671				}
   672				if len(m.alpnProtocol) > 0 {
   673					b.AddUint16(extensionALPN)
   674					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   675						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   676							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   677								b.AddBytes([]byte(m.alpnProtocol))
   678							})
   679						})
   680					})
   681				}
   682				if len(m.scts) > 0 {
   683					b.AddUint16(extensionSCT)
   684					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   685						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   686							for _, sct := range m.scts {
   687								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   688									b.AddBytes(sct)
   689								})
   690							}
   691						})
   692					})
   693				}
   694				if m.supportedVersion != 0 {
   695					b.AddUint16(extensionSupportedVersions)
   696					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   697						b.AddUint16(m.supportedVersion)
   698					})
   699				}
   700				if m.serverShare.group != 0 {
   701					b.AddUint16(extensionKeyShare)
   702					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   703						b.AddUint16(uint16(m.serverShare.group))
   704						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   705							b.AddBytes(m.serverShare.data)
   706						})
   707					})
   708				}
   709				if m.selectedIdentityPresent {
   710					b.AddUint16(extensionPreSharedKey)
   711					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   712						b.AddUint16(m.selectedIdentity)
   713					})
   714				}
   715	
   716				if len(m.cookie) > 0 {
   717					b.AddUint16(extensionCookie)
   718					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   719						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   720							b.AddBytes(m.cookie)
   721						})
   722					})
   723				}
   724				if m.selectedGroup != 0 {
   725					b.AddUint16(extensionKeyShare)
   726					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   727						b.AddUint16(uint16(m.selectedGroup))
   728					})
   729				}
   730	
   731				extensionsPresent = len(b.BytesOrPanic()) > 2
   732			})
   733	
   734			if !extensionsPresent {
   735				*b = bWithoutExtensions
   736			}
   737		})
   738	
   739		m.raw = b.BytesOrPanic()
   740		return m.raw
   741	}
   742	
   743	func (m *serverHelloMsg) unmarshal(data []byte) bool {
   744		*m = serverHelloMsg{raw: data}
   745		s := cryptobyte.String(data)
   746	
   747		if !s.Skip(4) || // message type and uint24 length field
   748			!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   749			!readUint8LengthPrefixed(&s, &m.sessionId) ||
   750			!s.ReadUint16(&m.cipherSuite) ||
   751			!s.ReadUint8(&m.compressionMethod) {
   752			return false
   753		}
   754	
   755		if s.Empty() {
   756			// ServerHello is optionally followed by extension data
   757			return true
   758		}
   759	
   760		var extensions cryptobyte.String
   761		if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   762			return false
   763		}
   764	
   765		for !extensions.Empty() {
   766			var extension uint16
   767			var extData cryptobyte.String
   768			if !extensions.ReadUint16(&extension) ||
   769				!extensions.ReadUint16LengthPrefixed(&extData) {
   770				return false
   771			}
   772	
   773			switch extension {
   774			case extensionNextProtoNeg:
   775				m.nextProtoNeg = true
   776				for !extData.Empty() {
   777					var proto cryptobyte.String
   778					if !extData.ReadUint8LengthPrefixed(&proto) ||
   779						proto.Empty() {
   780						return false
   781					}
   782					m.nextProtos = append(m.nextProtos, string(proto))
   783				}
   784			case extensionStatusRequest:
   785				m.ocspStapling = true
   786			case extensionSessionTicket:
   787				m.ticketSupported = true
   788			case extensionRenegotiationInfo:
   789				if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   790					return false
   791				}
   792				m.secureRenegotiationSupported = true
   793			case extensionALPN:
   794				var protoList cryptobyte.String
   795				if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   796					return false
   797				}
   798				var proto cryptobyte.String
   799				if !protoList.ReadUint8LengthPrefixed(&proto) ||
   800					proto.Empty() || !protoList.Empty() {
   801					return false
   802				}
   803				m.alpnProtocol = string(proto)
   804			case extensionSCT:
   805				var sctList cryptobyte.String
   806				if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
   807					return false
   808				}
   809				for !sctList.Empty() {
   810					var sct []byte
   811					if !readUint16LengthPrefixed(&sctList, &sct) ||
   812						len(sct) == 0 {
   813						return false
   814					}
   815					m.scts = append(m.scts, sct)
   816				}
   817			case extensionSupportedVersions:
   818				if !extData.ReadUint16(&m.supportedVersion) {
   819					return false
   820				}
   821			case extensionCookie:
   822				if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   823					len(m.cookie) == 0 {
   824					return false
   825				}
   826			case extensionKeyShare:
   827				// This extension has different formats in SH and HRR, accept either
   828				// and let the handshake logic decide. See RFC 8446, Section 4.2.8.
   829				if len(extData) == 2 {
   830					if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
   831						return false
   832					}
   833				} else {
   834					if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
   835						!readUint16LengthPrefixed(&extData, &m.serverShare.data) {
   836						return false
   837					}
   838				}
   839			case extensionPreSharedKey:
   840				m.selectedIdentityPresent = true
   841				if !extData.ReadUint16(&m.selectedIdentity) {
   842					return false
   843				}
   844			default:
   845				// Ignore unknown extensions.
   846				continue
   847			}
   848	
   849			if !extData.Empty() {
   850				return false
   851			}
   852		}
   853	
   854		return true
   855	}
   856	
   857	type encryptedExtensionsMsg struct {
   858		raw          []byte
   859		alpnProtocol string
   860	}
   861	
   862	func (m *encryptedExtensionsMsg) marshal() []byte {
   863		if m.raw != nil {
   864			return m.raw
   865		}
   866	
   867		var b cryptobyte.Builder
   868		b.AddUint8(typeEncryptedExtensions)
   869		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   870			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   871				if len(m.alpnProtocol) > 0 {
   872					b.AddUint16(extensionALPN)
   873					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   874						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   875							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   876								b.AddBytes([]byte(m.alpnProtocol))
   877							})
   878						})
   879					})
   880				}
   881			})
   882		})
   883	
   884		m.raw = b.BytesOrPanic()
   885		return m.raw
   886	}
   887	
   888	func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
   889		*m = encryptedExtensionsMsg{raw: data}
   890		s := cryptobyte.String(data)
   891	
   892		var extensions cryptobyte.String
   893		if !s.Skip(4) || // message type and uint24 length field
   894			!s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   895			return false
   896		}
   897	
   898		for !extensions.Empty() {
   899			var extension uint16
   900			var extData cryptobyte.String
   901			if !extensions.ReadUint16(&extension) ||
   902				!extensions.ReadUint16LengthPrefixed(&extData) {
   903				return false
   904			}
   905	
   906			switch extension {
   907			case extensionALPN:
   908				var protoList cryptobyte.String
   909				if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   910					return false
   911				}
   912				var proto cryptobyte.String
   913				if !protoList.ReadUint8LengthPrefixed(&proto) ||
   914					proto.Empty() || !protoList.Empty() {
   915					return false
   916				}
   917				m.alpnProtocol = string(proto)
   918			default:
   919				// Ignore unknown extensions.
   920				continue
   921			}
   922	
   923			if !extData.Empty() {
   924				return false
   925			}
   926		}
   927	
   928		return true
   929	}
   930	
   931	type endOfEarlyDataMsg struct{}
   932	
   933	func (m *endOfEarlyDataMsg) marshal() []byte {
   934		x := make([]byte, 4)
   935		x[0] = typeEndOfEarlyData
   936		return x
   937	}
   938	
   939	func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
   940		return len(data) == 4
   941	}
   942	
   943	type keyUpdateMsg struct {
   944		raw             []byte
   945		updateRequested bool
   946	}
   947	
   948	func (m *keyUpdateMsg) marshal() []byte {
   949		if m.raw != nil {
   950			return m.raw
   951		}
   952	
   953		var b cryptobyte.Builder
   954		b.AddUint8(typeKeyUpdate)
   955		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   956			if m.updateRequested {
   957				b.AddUint8(1)
   958			} else {
   959				b.AddUint8(0)
   960			}
   961		})
   962	
   963		m.raw = b.BytesOrPanic()
   964		return m.raw
   965	}
   966	
   967	func (m *keyUpdateMsg) unmarshal(data []byte) bool {
   968		m.raw = data
   969		s := cryptobyte.String(data)
   970	
   971		var updateRequested uint8
   972		if !s.Skip(4) || // message type and uint24 length field
   973			!s.ReadUint8(&updateRequested) || !s.Empty() {
   974			return false
   975		}
   976		switch updateRequested {
   977		case 0:
   978			m.updateRequested = false
   979		case 1:
   980			m.updateRequested = true
   981		default:
   982			return false
   983		}
   984		return true
   985	}
   986	
   987	type newSessionTicketMsgTLS13 struct {
   988		raw          []byte
   989		lifetime     uint32
   990		ageAdd       uint32
   991		nonce        []byte
   992		label        []byte
   993		maxEarlyData uint32
   994	}
   995	
   996	func (m *newSessionTicketMsgTLS13) marshal() []byte {
   997		if m.raw != nil {
   998			return m.raw
   999		}
  1000	
  1001		var b cryptobyte.Builder
  1002		b.AddUint8(typeNewSessionTicket)
  1003		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1004			b.AddUint32(m.lifetime)
  1005			b.AddUint32(m.ageAdd)
  1006			b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
  1007				b.AddBytes(m.nonce)
  1008			})
  1009			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1010				b.AddBytes(m.label)
  1011			})
  1012	
  1013			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1014				if m.maxEarlyData > 0 {
  1015					b.AddUint16(extensionEarlyData)
  1016					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1017						b.AddUint32(m.maxEarlyData)
  1018					})
  1019				}
  1020			})
  1021		})
  1022	
  1023		m.raw = b.BytesOrPanic()
  1024		return m.raw
  1025	}
  1026	
  1027	func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
  1028		*m = newSessionTicketMsgTLS13{raw: data}
  1029		s := cryptobyte.String(data)
  1030	
  1031		var extensions cryptobyte.String
  1032		if !s.Skip(4) || // message type and uint24 length field
  1033			!s.ReadUint32(&m.lifetime) ||
  1034			!s.ReadUint32(&m.ageAdd) ||
  1035			!readUint8LengthPrefixed(&s, &m.nonce) ||
  1036			!readUint16LengthPrefixed(&s, &m.label) ||
  1037			!s.ReadUint16LengthPrefixed(&extensions) ||
  1038			!s.Empty() {
  1039			return false
  1040		}
  1041	
  1042		for !extensions.Empty() {
  1043			var extension uint16
  1044			var extData cryptobyte.String
  1045			if !extensions.ReadUint16(&extension) ||
  1046				!extensions.ReadUint16LengthPrefixed(&extData) {
  1047				return false
  1048			}
  1049	
  1050			switch extension {
  1051			case extensionEarlyData:
  1052				if !extData.ReadUint32(&m.maxEarlyData) {
  1053					return false
  1054				}
  1055			default:
  1056				// Ignore unknown extensions.
  1057				continue
  1058			}
  1059	
  1060			if !extData.Empty() {
  1061				return false
  1062			}
  1063		}
  1064	
  1065		return true
  1066	}
  1067	
  1068	type certificateRequestMsgTLS13 struct {
  1069		raw                              []byte
  1070		ocspStapling                     bool
  1071		scts                             bool
  1072		supportedSignatureAlgorithms     []SignatureScheme
  1073		supportedSignatureAlgorithmsCert []SignatureScheme
  1074		certificateAuthorities           [][]byte
  1075	}
  1076	
  1077	func (m *certificateRequestMsgTLS13) marshal() []byte {
  1078		if m.raw != nil {
  1079			return m.raw
  1080		}
  1081	
  1082		var b cryptobyte.Builder
  1083		b.AddUint8(typeCertificateRequest)
  1084		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1085			// certificate_request_context (SHALL be zero length unless used for
  1086			// post-handshake authentication)
  1087			b.AddUint8(0)
  1088	
  1089			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1090				if m.ocspStapling {
  1091					b.AddUint16(extensionStatusRequest)
  1092					b.AddUint16(0) // empty extension_data
  1093				}
  1094				if m.scts {
  1095					// RFC 8446, Section 4.4.2.1 makes no mention of
  1096					// signed_certificate_timestamp in CertificateRequest, but
  1097					// "Extensions in the Certificate message from the client MUST
  1098					// correspond to extensions in the CertificateRequest message
  1099					// from the server." and it appears in the table in Section 4.2.
  1100					b.AddUint16(extensionSCT)
  1101					b.AddUint16(0) // empty extension_data
  1102				}
  1103				if len(m.supportedSignatureAlgorithms) > 0 {
  1104					b.AddUint16(extensionSignatureAlgorithms)
  1105					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1106						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1107							for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1108								b.AddUint16(uint16(sigAlgo))
  1109							}
  1110						})
  1111					})
  1112				}
  1113				if len(m.supportedSignatureAlgorithmsCert) > 0 {
  1114					b.AddUint16(extensionSignatureAlgorithmsCert)
  1115					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1116						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1117							for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
  1118								b.AddUint16(uint16(sigAlgo))
  1119							}
  1120						})
  1121					})
  1122				}
  1123				if len(m.certificateAuthorities) > 0 {
  1124					b.AddUint16(extensionCertificateAuthorities)
  1125					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1126						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1127							for _, ca := range m.certificateAuthorities {
  1128								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1129									b.AddBytes(ca)
  1130								})
  1131							}
  1132						})
  1133					})
  1134				}
  1135			})
  1136		})
  1137	
  1138		m.raw = b.BytesOrPanic()
  1139		return m.raw
  1140	}
  1141	
  1142	func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
  1143		*m = certificateRequestMsgTLS13{raw: data}
  1144		s := cryptobyte.String(data)
  1145	
  1146		var context, extensions cryptobyte.String
  1147		if !s.Skip(4) || // message type and uint24 length field
  1148			!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1149			!s.ReadUint16LengthPrefixed(&extensions) ||
  1150			!s.Empty() {
  1151			return false
  1152		}
  1153	
  1154		for !extensions.Empty() {
  1155			var extension uint16
  1156			var extData cryptobyte.String
  1157			if !extensions.ReadUint16(&extension) ||
  1158				!extensions.ReadUint16LengthPrefixed(&extData) {
  1159				return false
  1160			}
  1161	
  1162			switch extension {
  1163			case extensionStatusRequest:
  1164				m.ocspStapling = true
  1165			case extensionSCT:
  1166				m.scts = true
  1167			case extensionSignatureAlgorithms:
  1168				var sigAndAlgs cryptobyte.String
  1169				if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1170					return false
  1171				}
  1172				for !sigAndAlgs.Empty() {
  1173					var sigAndAlg uint16
  1174					if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1175						return false
  1176					}
  1177					m.supportedSignatureAlgorithms = append(
  1178						m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
  1179				}
  1180			case extensionSignatureAlgorithmsCert:
  1181				var sigAndAlgs cryptobyte.String
  1182				if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1183					return false
  1184				}
  1185				for !sigAndAlgs.Empty() {
  1186					var sigAndAlg uint16
  1187					if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1188						return false
  1189					}
  1190					m.supportedSignatureAlgorithmsCert = append(
  1191						m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
  1192				}
  1193			case extensionCertificateAuthorities:
  1194				var auths cryptobyte.String
  1195				if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
  1196					return false
  1197				}
  1198				for !auths.Empty() {
  1199					var ca []byte
  1200					if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
  1201						return false
  1202					}
  1203					m.certificateAuthorities = append(m.certificateAuthorities, ca)
  1204				}
  1205			default:
  1206				// Ignore unknown extensions.
  1207				continue
  1208			}
  1209	
  1210			if !extData.Empty() {
  1211				return false
  1212			}
  1213		}
  1214	
  1215		return true
  1216	}
  1217	
  1218	type certificateMsg struct {
  1219		raw          []byte
  1220		certificates [][]byte
  1221	}
  1222	
  1223	func (m *certificateMsg) marshal() (x []byte) {
  1224		if m.raw != nil {
  1225			return m.raw
  1226		}
  1227	
  1228		var i int
  1229		for _, slice := range m.certificates {
  1230			i += len(slice)
  1231		}
  1232	
  1233		length := 3 + 3*len(m.certificates) + i
  1234		x = make([]byte, 4+length)
  1235		x[0] = typeCertificate
  1236		x[1] = uint8(length >> 16)
  1237		x[2] = uint8(length >> 8)
  1238		x[3] = uint8(length)
  1239	
  1240		certificateOctets := length - 3
  1241		x[4] = uint8(certificateOctets >> 16)
  1242		x[5] = uint8(certificateOctets >> 8)
  1243		x[6] = uint8(certificateOctets)
  1244	
  1245		y := x[7:]
  1246		for _, slice := range m.certificates {
  1247			y[0] = uint8(len(slice) >> 16)
  1248			y[1] = uint8(len(slice) >> 8)
  1249			y[2] = uint8(len(slice))
  1250			copy(y[3:], slice)
  1251			y = y[3+len(slice):]
  1252		}
  1253	
  1254		m.raw = x
  1255		return
  1256	}
  1257	
  1258	func (m *certificateMsg) unmarshal(data []byte) bool {
  1259		if len(data) < 7 {
  1260			return false
  1261		}
  1262	
  1263		m.raw = data
  1264		certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
  1265		if uint32(len(data)) != certsLen+7 {
  1266			return false
  1267		}
  1268	
  1269		numCerts := 0
  1270		d := data[7:]
  1271		for certsLen > 0 {
  1272			if len(d) < 4 {
  1273				return false
  1274			}
  1275			certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1276			if uint32(len(d)) < 3+certLen {
  1277				return false
  1278			}
  1279			d = d[3+certLen:]
  1280			certsLen -= 3 + certLen
  1281			numCerts++
  1282		}
  1283	
  1284		m.certificates = make([][]byte, numCerts)
  1285		d = data[7:]
  1286		for i := 0; i < numCerts; i++ {
  1287			certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1288			m.certificates[i] = d[3 : 3+certLen]
  1289			d = d[3+certLen:]
  1290		}
  1291	
  1292		return true
  1293	}
  1294	
  1295	type certificateMsgTLS13 struct {
  1296		raw          []byte
  1297		certificate  Certificate
  1298		ocspStapling bool
  1299		scts         bool
  1300	}
  1301	
  1302	func (m *certificateMsgTLS13) marshal() []byte {
  1303		if m.raw != nil {
  1304			return m.raw
  1305		}
  1306	
  1307		var b cryptobyte.Builder
  1308		b.AddUint8(typeCertificate)
  1309		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1310			b.AddUint8(0) // certificate_request_context
  1311	
  1312			certificate := m.certificate
  1313			if !m.ocspStapling {
  1314				certificate.OCSPStaple = nil
  1315			}
  1316			if !m.scts {
  1317				certificate.SignedCertificateTimestamps = nil
  1318			}
  1319			marshalCertificate(b, certificate)
  1320		})
  1321	
  1322		m.raw = b.BytesOrPanic()
  1323		return m.raw
  1324	}
  1325	
  1326	func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
  1327		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1328			for i, cert := range certificate.Certificate {
  1329				b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1330					b.AddBytes(cert)
  1331				})
  1332				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1333					if i > 0 {
  1334						// This library only supports OCSP and SCT for leaf certificates.
  1335						return
  1336					}
  1337					if certificate.OCSPStaple != nil {
  1338						b.AddUint16(extensionStatusRequest)
  1339						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1340							b.AddUint8(statusTypeOCSP)
  1341							b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1342								b.AddBytes(certificate.OCSPStaple)
  1343							})
  1344						})
  1345					}
  1346					if certificate.SignedCertificateTimestamps != nil {
  1347						b.AddUint16(extensionSCT)
  1348						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1349							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1350								for _, sct := range certificate.SignedCertificateTimestamps {
  1351									b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1352										b.AddBytes(sct)
  1353									})
  1354								}
  1355							})
  1356						})
  1357					}
  1358				})
  1359			}
  1360		})
  1361	}
  1362	
  1363	func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
  1364		*m = certificateMsgTLS13{raw: data}
  1365		s := cryptobyte.String(data)
  1366	
  1367		var context cryptobyte.String
  1368		if !s.Skip(4) || // message type and uint24 length field
  1369			!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1370			!unmarshalCertificate(&s, &m.certificate) ||
  1371			!s.Empty() {
  1372			return false
  1373		}
  1374	
  1375		m.scts = m.certificate.SignedCertificateTimestamps != nil
  1376		m.ocspStapling = m.certificate.OCSPStaple != nil
  1377	
  1378		return true
  1379	}
  1380	
  1381	func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
  1382		var certList cryptobyte.String
  1383		if !s.ReadUint24LengthPrefixed(&certList) {
  1384			return false
  1385		}
  1386		for !certList.Empty() {
  1387			var cert []byte
  1388			var extensions cryptobyte.String
  1389			if !readUint24LengthPrefixed(&certList, &cert) ||
  1390				!certList.ReadUint16LengthPrefixed(&extensions) {
  1391				return false
  1392			}
  1393			certificate.Certificate = append(certificate.Certificate, cert)
  1394			for !extensions.Empty() {
  1395				var extension uint16
  1396				var extData cryptobyte.String
  1397				if !extensions.ReadUint16(&extension) ||
  1398					!extensions.ReadUint16LengthPrefixed(&extData) {
  1399					return false
  1400				}
  1401				if len(certificate.Certificate) > 1 {
  1402					// This library only supports OCSP and SCT for leaf certificates.
  1403					continue
  1404				}
  1405	
  1406				switch extension {
  1407				case extensionStatusRequest:
  1408					var statusType uint8
  1409					if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1410						!readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
  1411						len(certificate.OCSPStaple) == 0 {
  1412						return false
  1413					}
  1414				case extensionSCT:
  1415					var sctList cryptobyte.String
  1416					if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
  1417						return false
  1418					}
  1419					for !sctList.Empty() {
  1420						var sct []byte
  1421						if !readUint16LengthPrefixed(&sctList, &sct) ||
  1422							len(sct) == 0 {
  1423							return false
  1424						}
  1425						certificate.SignedCertificateTimestamps = append(
  1426							certificate.SignedCertificateTimestamps, sct)
  1427					}
  1428				default:
  1429					// Ignore unknown extensions.
  1430					continue
  1431				}
  1432	
  1433				if !extData.Empty() {
  1434					return false
  1435				}
  1436			}
  1437		}
  1438		return true
  1439	}
  1440	
  1441	type serverKeyExchangeMsg struct {
  1442		raw []byte
  1443		key []byte
  1444	}
  1445	
  1446	func (m *serverKeyExchangeMsg) marshal() []byte {
  1447		if m.raw != nil {
  1448			return m.raw
  1449		}
  1450		length := len(m.key)
  1451		x := make([]byte, length+4)
  1452		x[0] = typeServerKeyExchange
  1453		x[1] = uint8(length >> 16)
  1454		x[2] = uint8(length >> 8)
  1455		x[3] = uint8(length)
  1456		copy(x[4:], m.key)
  1457	
  1458		m.raw = x
  1459		return x
  1460	}
  1461	
  1462	func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
  1463		m.raw = data
  1464		if len(data) < 4 {
  1465			return false
  1466		}
  1467		m.key = data[4:]
  1468		return true
  1469	}
  1470	
  1471	type certificateStatusMsg struct {
  1472		raw      []byte
  1473		response []byte
  1474	}
  1475	
  1476	func (m *certificateStatusMsg) marshal() []byte {
  1477		if m.raw != nil {
  1478			return m.raw
  1479		}
  1480	
  1481		var b cryptobyte.Builder
  1482		b.AddUint8(typeCertificateStatus)
  1483		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1484			b.AddUint8(statusTypeOCSP)
  1485			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1486				b.AddBytes(m.response)
  1487			})
  1488		})
  1489	
  1490		m.raw = b.BytesOrPanic()
  1491		return m.raw
  1492	}
  1493	
  1494	func (m *certificateStatusMsg) unmarshal(data []byte) bool {
  1495		m.raw = data
  1496		s := cryptobyte.String(data)
  1497	
  1498		var statusType uint8
  1499		if !s.Skip(4) || // message type and uint24 length field
  1500			!s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1501			!readUint24LengthPrefixed(&s, &m.response) ||
  1502			len(m.response) == 0 || !s.Empty() {
  1503			return false
  1504		}
  1505		return true
  1506	}
  1507	
  1508	type serverHelloDoneMsg struct{}
  1509	
  1510	func (m *serverHelloDoneMsg) marshal() []byte {
  1511		x := make([]byte, 4)
  1512		x[0] = typeServerHelloDone
  1513		return x
  1514	}
  1515	
  1516	func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
  1517		return len(data) == 4
  1518	}
  1519	
  1520	type clientKeyExchangeMsg struct {
  1521		raw        []byte
  1522		ciphertext []byte
  1523	}
  1524	
  1525	func (m *clientKeyExchangeMsg) marshal() []byte {
  1526		if m.raw != nil {
  1527			return m.raw
  1528		}
  1529		length := len(m.ciphertext)
  1530		x := make([]byte, length+4)
  1531		x[0] = typeClientKeyExchange
  1532		x[1] = uint8(length >> 16)
  1533		x[2] = uint8(length >> 8)
  1534		x[3] = uint8(length)
  1535		copy(x[4:], m.ciphertext)
  1536	
  1537		m.raw = x
  1538		return x
  1539	}
  1540	
  1541	func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
  1542		m.raw = data
  1543		if len(data) < 4 {
  1544			return false
  1545		}
  1546		l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
  1547		if l != len(data)-4 {
  1548			return false
  1549		}
  1550		m.ciphertext = data[4:]
  1551		return true
  1552	}
  1553	
  1554	type finishedMsg struct {
  1555		raw        []byte
  1556		verifyData []byte
  1557	}
  1558	
  1559	func (m *finishedMsg) marshal() []byte {
  1560		if m.raw != nil {
  1561			return m.raw
  1562		}
  1563	
  1564		var b cryptobyte.Builder
  1565		b.AddUint8(typeFinished)
  1566		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1567			b.AddBytes(m.verifyData)
  1568		})
  1569	
  1570		m.raw = b.BytesOrPanic()
  1571		return m.raw
  1572	}
  1573	
  1574	func (m *finishedMsg) unmarshal(data []byte) bool {
  1575		m.raw = data
  1576		s := cryptobyte.String(data)
  1577		return s.Skip(1) &&
  1578			readUint24LengthPrefixed(&s, &m.verifyData) &&
  1579			s.Empty()
  1580	}
  1581	
  1582	type nextProtoMsg struct {
  1583		raw   []byte
  1584		proto string
  1585	}
  1586	
  1587	func (m *nextProtoMsg) marshal() []byte {
  1588		if m.raw != nil {
  1589			return m.raw
  1590		}
  1591		l := len(m.proto)
  1592		if l > 255 {
  1593			l = 255
  1594		}
  1595	
  1596		padding := 32 - (l+2)%32
  1597		length := l + padding + 2
  1598		x := make([]byte, length+4)
  1599		x[0] = typeNextProtocol
  1600		x[1] = uint8(length >> 16)
  1601		x[2] = uint8(length >> 8)
  1602		x[3] = uint8(length)
  1603	
  1604		y := x[4:]
  1605		y[0] = byte(l)
  1606		copy(y[1:], []byte(m.proto[0:l]))
  1607		y = y[1+l:]
  1608		y[0] = byte(padding)
  1609	
  1610		m.raw = x
  1611	
  1612		return x
  1613	}
  1614	
  1615	func (m *nextProtoMsg) unmarshal(data []byte) bool {
  1616		m.raw = data
  1617	
  1618		if len(data) < 5 {
  1619			return false
  1620		}
  1621		data = data[4:]
  1622		protoLen := int(data[0])
  1623		data = data[1:]
  1624		if len(data) < protoLen {
  1625			return false
  1626		}
  1627		m.proto = string(data[0:protoLen])
  1628		data = data[protoLen:]
  1629	
  1630		if len(data) < 1 {
  1631			return false
  1632		}
  1633		paddingLen := int(data[0])
  1634		data = data[1:]
  1635		if len(data) != paddingLen {
  1636			return false
  1637		}
  1638	
  1639		return true
  1640	}
  1641	
  1642	type certificateRequestMsg struct {
  1643		raw []byte
  1644		// hasSignatureAlgorithm indicates whether this message includes a list of
  1645		// supported signature algorithms. This change was introduced with TLS 1.2.
  1646		hasSignatureAlgorithm bool
  1647	
  1648		certificateTypes             []byte
  1649		supportedSignatureAlgorithms []SignatureScheme
  1650		certificateAuthorities       [][]byte
  1651	}
  1652	
  1653	func (m *certificateRequestMsg) marshal() (x []byte) {
  1654		if m.raw != nil {
  1655			return m.raw
  1656		}
  1657	
  1658		// See RFC 4346, Section 7.4.4.
  1659		length := 1 + len(m.certificateTypes) + 2
  1660		casLength := 0
  1661		for _, ca := range m.certificateAuthorities {
  1662			casLength += 2 + len(ca)
  1663		}
  1664		length += casLength
  1665	
  1666		if m.hasSignatureAlgorithm {
  1667			length += 2 + 2*len(m.supportedSignatureAlgorithms)
  1668		}
  1669	
  1670		x = make([]byte, 4+length)
  1671		x[0] = typeCertificateRequest
  1672		x[1] = uint8(length >> 16)
  1673		x[2] = uint8(length >> 8)
  1674		x[3] = uint8(length)
  1675	
  1676		x[4] = uint8(len(m.certificateTypes))
  1677	
  1678		copy(x[5:], m.certificateTypes)
  1679		y := x[5+len(m.certificateTypes):]
  1680	
  1681		if m.hasSignatureAlgorithm {
  1682			n := len(m.supportedSignatureAlgorithms) * 2
  1683			y[0] = uint8(n >> 8)
  1684			y[1] = uint8(n)
  1685			y = y[2:]
  1686			for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1687				y[0] = uint8(sigAlgo >> 8)
  1688				y[1] = uint8(sigAlgo)
  1689				y = y[2:]
  1690			}
  1691		}
  1692	
  1693		y[0] = uint8(casLength >> 8)
  1694		y[1] = uint8(casLength)
  1695		y = y[2:]
  1696		for _, ca := range m.certificateAuthorities {
  1697			y[0] = uint8(len(ca) >> 8)
  1698			y[1] = uint8(len(ca))
  1699			y = y[2:]
  1700			copy(y, ca)
  1701			y = y[len(ca):]
  1702		}
  1703	
  1704		m.raw = x
  1705		return
  1706	}
  1707	
  1708	func (m *certificateRequestMsg) unmarshal(data []byte) bool {
  1709		m.raw = data
  1710	
  1711		if len(data) < 5 {
  1712			return false
  1713		}
  1714	
  1715		length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1716		if uint32(len(data))-4 != length {
  1717			return false
  1718		}
  1719	
  1720		numCertTypes := int(data[4])
  1721		data = data[5:]
  1722		if numCertTypes == 0 || len(data) <= numCertTypes {
  1723			return false
  1724		}
  1725	
  1726		m.certificateTypes = make([]byte, numCertTypes)
  1727		if copy(m.certificateTypes, data) != numCertTypes {
  1728			return false
  1729		}
  1730	
  1731		data = data[numCertTypes:]
  1732	
  1733		if m.hasSignatureAlgorithm {
  1734			if len(data) < 2 {
  1735				return false
  1736			}
  1737			sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
  1738			data = data[2:]
  1739			if sigAndHashLen&1 != 0 {
  1740				return false
  1741			}
  1742			if len(data) < int(sigAndHashLen) {
  1743				return false
  1744			}
  1745			numSigAlgos := sigAndHashLen / 2
  1746			m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
  1747			for i := range m.supportedSignatureAlgorithms {
  1748				m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1749				data = data[2:]
  1750			}
  1751		}
  1752	
  1753		if len(data) < 2 {
  1754			return false
  1755		}
  1756		casLength := uint16(data[0])<<8 | uint16(data[1])
  1757		data = data[2:]
  1758		if len(data) < int(casLength) {
  1759			return false
  1760		}
  1761		cas := make([]byte, casLength)
  1762		copy(cas, data)
  1763		data = data[casLength:]
  1764	
  1765		m.certificateAuthorities = nil
  1766		for len(cas) > 0 {
  1767			if len(cas) < 2 {
  1768				return false
  1769			}
  1770			caLen := uint16(cas[0])<<8 | uint16(cas[1])
  1771			cas = cas[2:]
  1772	
  1773			if len(cas) < int(caLen) {
  1774				return false
  1775			}
  1776	
  1777			m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  1778			cas = cas[caLen:]
  1779		}
  1780	
  1781		return len(data) == 0
  1782	}
  1783	
  1784	type certificateVerifyMsg struct {
  1785		raw                   []byte
  1786		hasSignatureAlgorithm bool // format change introduced in TLS 1.2
  1787		signatureAlgorithm    SignatureScheme
  1788		signature             []byte
  1789	}
  1790	
  1791	func (m *certificateVerifyMsg) marshal() (x []byte) {
  1792		if m.raw != nil {
  1793			return m.raw
  1794		}
  1795	
  1796		var b cryptobyte.Builder
  1797		b.AddUint8(typeCertificateVerify)
  1798		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1799			if m.hasSignatureAlgorithm {
  1800				b.AddUint16(uint16(m.signatureAlgorithm))
  1801			}
  1802			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1803				b.AddBytes(m.signature)
  1804			})
  1805		})
  1806	
  1807		m.raw = b.BytesOrPanic()
  1808		return m.raw
  1809	}
  1810	
  1811	func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
  1812		m.raw = data
  1813		s := cryptobyte.String(data)
  1814	
  1815		if !s.Skip(4) { // message type and uint24 length field
  1816			return false
  1817		}
  1818		if m.hasSignatureAlgorithm {
  1819			if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
  1820				return false
  1821			}
  1822		}
  1823		return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
  1824	}
  1825	
  1826	type newSessionTicketMsg struct {
  1827		raw    []byte
  1828		ticket []byte
  1829	}
  1830	
  1831	func (m *newSessionTicketMsg) marshal() (x []byte) {
  1832		if m.raw != nil {
  1833			return m.raw
  1834		}
  1835	
  1836		// See RFC 5077, Section 3.3.
  1837		ticketLen := len(m.ticket)
  1838		length := 2 + 4 + ticketLen
  1839		x = make([]byte, 4+length)
  1840		x[0] = typeNewSessionTicket
  1841		x[1] = uint8(length >> 16)
  1842		x[2] = uint8(length >> 8)
  1843		x[3] = uint8(length)
  1844		x[8] = uint8(ticketLen >> 8)
  1845		x[9] = uint8(ticketLen)
  1846		copy(x[10:], m.ticket)
  1847	
  1848		m.raw = x
  1849	
  1850		return
  1851	}
  1852	
  1853	func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
  1854		m.raw = data
  1855	
  1856		if len(data) < 10 {
  1857			return false
  1858		}
  1859	
  1860		length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1861		if uint32(len(data))-4 != length {
  1862			return false
  1863		}
  1864	
  1865		ticketLen := int(data[8])<<8 + int(data[9])
  1866		if len(data)-10 != ticketLen {
  1867			return false
  1868		}
  1869	
  1870		m.ticket = data[10:]
  1871	
  1872		return true
  1873	}
  1874	
  1875	type helloRequestMsg struct {
  1876	}
  1877	
  1878	func (*helloRequestMsg) marshal() []byte {
  1879		return []byte{typeHelloRequest, 0, 0, 0}
  1880	}
  1881	
  1882	func (*helloRequestMsg) unmarshal(data []byte) bool {
  1883		return len(data) == 4
  1884	}
  1885

View as plain text