Source file
src/crypto/tls/handshake_messages.go
1
2
3
4
5 package tls
6
7 import (
8 "fmt"
9 "strings"
10
11 "golang.org/x/crypto/cryptobyte"
12 )
13
14
15
16 type marshalingFunction func(b *cryptobyte.Builder) error
17
18 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
19 return f(b)
20 }
21
22
23
24 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
25 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
26 if len(v) != n {
27 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
28 }
29 b.AddBytes(v)
30 return nil
31 }))
32 }
33
34
35 func addUint64(b *cryptobyte.Builder, v uint64) {
36 b.AddUint32(uint32(v >> 32))
37 b.AddUint32(uint32(v))
38 }
39
40
41
42 func readUint64(s *cryptobyte.String, out *uint64) bool {
43 var hi, lo uint32
44 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
45 return false
46 }
47 *out = uint64(hi)<<32 | uint64(lo)
48 return true
49 }
50
51
52
53 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
54 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
55 }
56
57
58
59 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
60 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
61 }
62
63
64
65 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
66 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
67 }
68
69 type clientHelloMsg struct {
70 raw []byte
71 vers uint16
72 random []byte
73 sessionId []byte
74 cipherSuites []uint16
75 compressionMethods []uint8
76 serverName string
77 ocspStapling bool
78 supportedCurves []CurveID
79 supportedPoints []uint8
80 ticketSupported bool
81 sessionTicket []uint8
82 supportedSignatureAlgorithms []SignatureScheme
83 supportedSignatureAlgorithmsCert []SignatureScheme
84 secureRenegotiationSupported bool
85 secureRenegotiation []byte
86 alpnProtocols []string
87 scts bool
88 supportedVersions []uint16
89 cookie []byte
90 keyShares []keyShare
91 earlyData bool
92 pskModes []uint8
93 pskIdentities []pskIdentity
94 pskBinders [][]byte
95 }
96
97 func (m *clientHelloMsg) marshal() []byte {
98 if m.raw != nil {
99 return m.raw
100 }
101
102 var b cryptobyte.Builder
103 b.AddUint8(typeClientHello)
104 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
105 b.AddUint16(m.vers)
106 addBytesWithLength(b, m.random, 32)
107 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
108 b.AddBytes(m.sessionId)
109 })
110 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
111 for _, suite := range m.cipherSuites {
112 b.AddUint16(suite)
113 }
114 })
115 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
116 b.AddBytes(m.compressionMethods)
117 })
118
119
120 var extensionsPresent bool
121 bWithoutExtensions := *b
122
123 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
124 if len(m.serverName) > 0 {
125
126 b.AddUint16(extensionServerName)
127 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
128 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
129 b.AddUint8(0)
130 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
131 b.AddBytes([]byte(m.serverName))
132 })
133 })
134 })
135 }
136 if m.ocspStapling {
137
138 b.AddUint16(extensionStatusRequest)
139 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
140 b.AddUint8(1)
141 b.AddUint16(0)
142 b.AddUint16(0)
143 })
144 }
145 if len(m.supportedCurves) > 0 {
146
147 b.AddUint16(extensionSupportedCurves)
148 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
149 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
150 for _, curve := range m.supportedCurves {
151 b.AddUint16(uint16(curve))
152 }
153 })
154 })
155 }
156 if len(m.supportedPoints) > 0 {
157
158 b.AddUint16(extensionSupportedPoints)
159 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
160 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
161 b.AddBytes(m.supportedPoints)
162 })
163 })
164 }
165 if m.ticketSupported {
166
167 b.AddUint16(extensionSessionTicket)
168 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
169 b.AddBytes(m.sessionTicket)
170 })
171 }
172 if len(m.supportedSignatureAlgorithms) > 0 {
173
174 b.AddUint16(extensionSignatureAlgorithms)
175 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
176 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
177 for _, sigAlgo := range m.supportedSignatureAlgorithms {
178 b.AddUint16(uint16(sigAlgo))
179 }
180 })
181 })
182 }
183 if len(m.supportedSignatureAlgorithmsCert) > 0 {
184
185 b.AddUint16(extensionSignatureAlgorithmsCert)
186 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
187 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
188 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
189 b.AddUint16(uint16(sigAlgo))
190 }
191 })
192 })
193 }
194 if m.secureRenegotiationSupported {
195
196 b.AddUint16(extensionRenegotiationInfo)
197 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
198 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
199 b.AddBytes(m.secureRenegotiation)
200 })
201 })
202 }
203 if len(m.alpnProtocols) > 0 {
204
205 b.AddUint16(extensionALPN)
206 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
207 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
208 for _, proto := range m.alpnProtocols {
209 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
210 b.AddBytes([]byte(proto))
211 })
212 }
213 })
214 })
215 }
216 if m.scts {
217
218 b.AddUint16(extensionSCT)
219 b.AddUint16(0)
220 }
221 if len(m.supportedVersions) > 0 {
222
223 b.AddUint16(extensionSupportedVersions)
224 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
225 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
226 for _, vers := range m.supportedVersions {
227 b.AddUint16(vers)
228 }
229 })
230 })
231 }
232 if len(m.cookie) > 0 {
233
234 b.AddUint16(extensionCookie)
235 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
236 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
237 b.AddBytes(m.cookie)
238 })
239 })
240 }
241 if len(m.keyShares) > 0 {
242
243 b.AddUint16(extensionKeyShare)
244 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
245 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
246 for _, ks := range m.keyShares {
247 b.AddUint16(uint16(ks.group))
248 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
249 b.AddBytes(ks.data)
250 })
251 }
252 })
253 })
254 }
255 if m.earlyData {
256
257 b.AddUint16(extensionEarlyData)
258 b.AddUint16(0)
259 }
260 if len(m.pskModes) > 0 {
261
262 b.AddUint16(extensionPSKModes)
263 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
264 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
265 b.AddBytes(m.pskModes)
266 })
267 })
268 }
269 if len(m.pskIdentities) > 0 {
270
271 b.AddUint16(extensionPreSharedKey)
272 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
273 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
274 for _, psk := range m.pskIdentities {
275 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
276 b.AddBytes(psk.label)
277 })
278 b.AddUint32(psk.obfuscatedTicketAge)
279 }
280 })
281 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
282 for _, binder := range m.pskBinders {
283 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
284 b.AddBytes(binder)
285 })
286 }
287 })
288 })
289 }
290
291 extensionsPresent = len(b.BytesOrPanic()) > 2
292 })
293
294 if !extensionsPresent {
295 *b = bWithoutExtensions
296 }
297 })
298
299 m.raw = b.BytesOrPanic()
300 return m.raw
301 }
302
303
304
305
306 func (m *clientHelloMsg) marshalWithoutBinders() []byte {
307 bindersLen := 2
308 for _, binder := range m.pskBinders {
309 bindersLen += 1
310 bindersLen += len(binder)
311 }
312
313 fullMessage := m.marshal()
314 return fullMessage[:len(fullMessage)-bindersLen]
315 }
316
317
318
319
320 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) {
321 if len(pskBinders) != len(m.pskBinders) {
322 panic("tls: internal error: pskBinders length mismatch")
323 }
324 for i := range m.pskBinders {
325 if len(pskBinders[i]) != len(m.pskBinders[i]) {
326 panic("tls: internal error: pskBinders length mismatch")
327 }
328 }
329 m.pskBinders = pskBinders
330 if m.raw != nil {
331 lenWithoutBinders := len(m.marshalWithoutBinders())
332 b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders])
333 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
334 for _, binder := range m.pskBinders {
335 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
336 b.AddBytes(binder)
337 })
338 }
339 })
340 if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) {
341 panic("tls: internal error: failed to update binders")
342 }
343 }
344 }
345
346 func (m *clientHelloMsg) unmarshal(data []byte) bool {
347 *m = clientHelloMsg{raw: data}
348 s := cryptobyte.String(data)
349
350 if !s.Skip(4) ||
351 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
352 !readUint8LengthPrefixed(&s, &m.sessionId) {
353 return false
354 }
355
356 var cipherSuites cryptobyte.String
357 if !s.ReadUint16LengthPrefixed(&cipherSuites) {
358 return false
359 }
360 m.cipherSuites = []uint16{}
361 m.secureRenegotiationSupported = false
362 for !cipherSuites.Empty() {
363 var suite uint16
364 if !cipherSuites.ReadUint16(&suite) {
365 return false
366 }
367 if suite == scsvRenegotiation {
368 m.secureRenegotiationSupported = true
369 }
370 m.cipherSuites = append(m.cipherSuites, suite)
371 }
372
373 if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
374 return false
375 }
376
377 if s.Empty() {
378
379 return true
380 }
381
382 var extensions cryptobyte.String
383 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
384 return false
385 }
386
387 seenExts := make(map[uint16]bool)
388 for !extensions.Empty() {
389 var extension uint16
390 var extData cryptobyte.String
391 if !extensions.ReadUint16(&extension) ||
392 !extensions.ReadUint16LengthPrefixed(&extData) {
393 return false
394 }
395
396 if seenExts[extension] {
397 return false
398 }
399 seenExts[extension] = true
400
401 switch extension {
402 case extensionServerName:
403
404 var nameList cryptobyte.String
405 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
406 return false
407 }
408 for !nameList.Empty() {
409 var nameType uint8
410 var serverName cryptobyte.String
411 if !nameList.ReadUint8(&nameType) ||
412 !nameList.ReadUint16LengthPrefixed(&serverName) ||
413 serverName.Empty() {
414 return false
415 }
416 if nameType != 0 {
417 continue
418 }
419 if len(m.serverName) != 0 {
420
421 return false
422 }
423 m.serverName = string(serverName)
424
425 if strings.HasSuffix(m.serverName, ".") {
426 return false
427 }
428 }
429 case extensionStatusRequest:
430
431 var statusType uint8
432 var ignored cryptobyte.String
433 if !extData.ReadUint8(&statusType) ||
434 !extData.ReadUint16LengthPrefixed(&ignored) ||
435 !extData.ReadUint16LengthPrefixed(&ignored) {
436 return false
437 }
438 m.ocspStapling = statusType == statusTypeOCSP
439 case extensionSupportedCurves:
440
441 var curves cryptobyte.String
442 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
443 return false
444 }
445 for !curves.Empty() {
446 var curve uint16
447 if !curves.ReadUint16(&curve) {
448 return false
449 }
450 m.supportedCurves = append(m.supportedCurves, CurveID(curve))
451 }
452 case extensionSupportedPoints:
453
454 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
455 len(m.supportedPoints) == 0 {
456 return false
457 }
458 case extensionSessionTicket:
459
460 m.ticketSupported = true
461 extData.ReadBytes(&m.sessionTicket, len(extData))
462 case extensionSignatureAlgorithms:
463
464 var sigAndAlgs cryptobyte.String
465 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
466 return false
467 }
468 for !sigAndAlgs.Empty() {
469 var sigAndAlg uint16
470 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
471 return false
472 }
473 m.supportedSignatureAlgorithms = append(
474 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
475 }
476 case extensionSignatureAlgorithmsCert:
477
478 var sigAndAlgs cryptobyte.String
479 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
480 return false
481 }
482 for !sigAndAlgs.Empty() {
483 var sigAndAlg uint16
484 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
485 return false
486 }
487 m.supportedSignatureAlgorithmsCert = append(
488 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
489 }
490 case extensionRenegotiationInfo:
491
492 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
493 return false
494 }
495 m.secureRenegotiationSupported = true
496 case extensionALPN:
497
498 var protoList cryptobyte.String
499 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
500 return false
501 }
502 for !protoList.Empty() {
503 var proto cryptobyte.String
504 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
505 return false
506 }
507 m.alpnProtocols = append(m.alpnProtocols, string(proto))
508 }
509 case extensionSCT:
510
511 m.scts = true
512 case extensionSupportedVersions:
513
514 var versList cryptobyte.String
515 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
516 return false
517 }
518 for !versList.Empty() {
519 var vers uint16
520 if !versList.ReadUint16(&vers) {
521 return false
522 }
523 m.supportedVersions = append(m.supportedVersions, vers)
524 }
525 case extensionCookie:
526
527 if !readUint16LengthPrefixed(&extData, &m.cookie) ||
528 len(m.cookie) == 0 {
529 return false
530 }
531 case extensionKeyShare:
532
533 var clientShares cryptobyte.String
534 if !extData.ReadUint16LengthPrefixed(&clientShares) {
535 return false
536 }
537 for !clientShares.Empty() {
538 var ks keyShare
539 if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
540 !readUint16LengthPrefixed(&clientShares, &ks.data) ||
541 len(ks.data) == 0 {
542 return false
543 }
544 m.keyShares = append(m.keyShares, ks)
545 }
546 case extensionEarlyData:
547
548 m.earlyData = true
549 case extensionPSKModes:
550
551 if !readUint8LengthPrefixed(&extData, &m.pskModes) {
552 return false
553 }
554 case extensionPreSharedKey:
555
556 if !extensions.Empty() {
557 return false
558 }
559 var identities cryptobyte.String
560 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
561 return false
562 }
563 for !identities.Empty() {
564 var psk pskIdentity
565 if !readUint16LengthPrefixed(&identities, &psk.label) ||
566 !identities.ReadUint32(&psk.obfuscatedTicketAge) ||
567 len(psk.label) == 0 {
568 return false
569 }
570 m.pskIdentities = append(m.pskIdentities, psk)
571 }
572 var binders cryptobyte.String
573 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
574 return false
575 }
576 for !binders.Empty() {
577 var binder []byte
578 if !readUint8LengthPrefixed(&binders, &binder) ||
579 len(binder) == 0 {
580 return false
581 }
582 m.pskBinders = append(m.pskBinders, binder)
583 }
584 default:
585
586 continue
587 }
588
589 if !extData.Empty() {
590 return false
591 }
592 }
593
594 return true
595 }
596
597 type serverHelloMsg struct {
598 raw []byte
599 vers uint16
600 random []byte
601 sessionId []byte
602 cipherSuite uint16
603 compressionMethod uint8
604 ocspStapling bool
605 ticketSupported bool
606 secureRenegotiationSupported bool
607 secureRenegotiation []byte
608 alpnProtocol string
609 scts [][]byte
610 supportedVersion uint16
611 serverShare keyShare
612 selectedIdentityPresent bool
613 selectedIdentity uint16
614 supportedPoints []uint8
615
616
617 cookie []byte
618 selectedGroup CurveID
619 }
620
621 func (m *serverHelloMsg) marshal() []byte {
622 if m.raw != nil {
623 return m.raw
624 }
625
626 var b cryptobyte.Builder
627 b.AddUint8(typeServerHello)
628 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
629 b.AddUint16(m.vers)
630 addBytesWithLength(b, m.random, 32)
631 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
632 b.AddBytes(m.sessionId)
633 })
634 b.AddUint16(m.cipherSuite)
635 b.AddUint8(m.compressionMethod)
636
637
638 var extensionsPresent bool
639 bWithoutExtensions := *b
640
641 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
642 if m.ocspStapling {
643 b.AddUint16(extensionStatusRequest)
644 b.AddUint16(0)
645 }
646 if m.ticketSupported {
647 b.AddUint16(extensionSessionTicket)
648 b.AddUint16(0)
649 }
650 if m.secureRenegotiationSupported {
651 b.AddUint16(extensionRenegotiationInfo)
652 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
653 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
654 b.AddBytes(m.secureRenegotiation)
655 })
656 })
657 }
658 if len(m.alpnProtocol) > 0 {
659 b.AddUint16(extensionALPN)
660 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
661 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
662 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
663 b.AddBytes([]byte(m.alpnProtocol))
664 })
665 })
666 })
667 }
668 if len(m.scts) > 0 {
669 b.AddUint16(extensionSCT)
670 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
671 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
672 for _, sct := range m.scts {
673 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
674 b.AddBytes(sct)
675 })
676 }
677 })
678 })
679 }
680 if m.supportedVersion != 0 {
681 b.AddUint16(extensionSupportedVersions)
682 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
683 b.AddUint16(m.supportedVersion)
684 })
685 }
686 if m.serverShare.group != 0 {
687 b.AddUint16(extensionKeyShare)
688 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
689 b.AddUint16(uint16(m.serverShare.group))
690 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
691 b.AddBytes(m.serverShare.data)
692 })
693 })
694 }
695 if m.selectedIdentityPresent {
696 b.AddUint16(extensionPreSharedKey)
697 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
698 b.AddUint16(m.selectedIdentity)
699 })
700 }
701
702 if len(m.cookie) > 0 {
703 b.AddUint16(extensionCookie)
704 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
705 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
706 b.AddBytes(m.cookie)
707 })
708 })
709 }
710 if m.selectedGroup != 0 {
711 b.AddUint16(extensionKeyShare)
712 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
713 b.AddUint16(uint16(m.selectedGroup))
714 })
715 }
716 if len(m.supportedPoints) > 0 {
717 b.AddUint16(extensionSupportedPoints)
718 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
719 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
720 b.AddBytes(m.supportedPoints)
721 })
722 })
723 }
724
725 extensionsPresent = len(b.BytesOrPanic()) > 2
726 })
727
728 if !extensionsPresent {
729 *b = bWithoutExtensions
730 }
731 })
732
733 m.raw = b.BytesOrPanic()
734 return m.raw
735 }
736
737 func (m *serverHelloMsg) unmarshal(data []byte) bool {
738 *m = serverHelloMsg{raw: data}
739 s := cryptobyte.String(data)
740
741 if !s.Skip(4) ||
742 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
743 !readUint8LengthPrefixed(&s, &m.sessionId) ||
744 !s.ReadUint16(&m.cipherSuite) ||
745 !s.ReadUint8(&m.compressionMethod) {
746 return false
747 }
748
749 if s.Empty() {
750
751 return true
752 }
753
754 var extensions cryptobyte.String
755 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
756 return false
757 }
758
759 seenExts := make(map[uint16]bool)
760 for !extensions.Empty() {
761 var extension uint16
762 var extData cryptobyte.String
763 if !extensions.ReadUint16(&extension) ||
764 !extensions.ReadUint16LengthPrefixed(&extData) {
765 return false
766 }
767
768 if seenExts[extension] {
769 return false
770 }
771 seenExts[extension] = true
772
773 switch extension {
774 case extensionStatusRequest:
775 m.ocspStapling = true
776 case extensionSessionTicket:
777 m.ticketSupported = true
778 case extensionRenegotiationInfo:
779 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
780 return false
781 }
782 m.secureRenegotiationSupported = true
783 case extensionALPN:
784 var protoList cryptobyte.String
785 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
786 return false
787 }
788 var proto cryptobyte.String
789 if !protoList.ReadUint8LengthPrefixed(&proto) ||
790 proto.Empty() || !protoList.Empty() {
791 return false
792 }
793 m.alpnProtocol = string(proto)
794 case extensionSCT:
795 var sctList cryptobyte.String
796 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
797 return false
798 }
799 for !sctList.Empty() {
800 var sct []byte
801 if !readUint16LengthPrefixed(&sctList, &sct) ||
802 len(sct) == 0 {
803 return false
804 }
805 m.scts = append(m.scts, sct)
806 }
807 case extensionSupportedVersions:
808 if !extData.ReadUint16(&m.supportedVersion) {
809 return false
810 }
811 case extensionCookie:
812 if !readUint16LengthPrefixed(&extData, &m.cookie) ||
813 len(m.cookie) == 0 {
814 return false
815 }
816 case extensionKeyShare:
817
818
819 if len(extData) == 2 {
820 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
821 return false
822 }
823 } else {
824 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
825 !readUint16LengthPrefixed(&extData, &m.serverShare.data) {
826 return false
827 }
828 }
829 case extensionPreSharedKey:
830 m.selectedIdentityPresent = true
831 if !extData.ReadUint16(&m.selectedIdentity) {
832 return false
833 }
834 case extensionSupportedPoints:
835
836 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
837 len(m.supportedPoints) == 0 {
838 return false
839 }
840 default:
841
842 continue
843 }
844
845 if !extData.Empty() {
846 return false
847 }
848 }
849
850 return true
851 }
852
853 type encryptedExtensionsMsg struct {
854 raw []byte
855 alpnProtocol string
856 }
857
858 func (m *encryptedExtensionsMsg) marshal() []byte {
859 if m.raw != nil {
860 return m.raw
861 }
862
863 var b cryptobyte.Builder
864 b.AddUint8(typeEncryptedExtensions)
865 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
866 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
867 if len(m.alpnProtocol) > 0 {
868 b.AddUint16(extensionALPN)
869 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
870 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
871 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
872 b.AddBytes([]byte(m.alpnProtocol))
873 })
874 })
875 })
876 }
877 })
878 })
879
880 m.raw = b.BytesOrPanic()
881 return m.raw
882 }
883
884 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
885 *m = encryptedExtensionsMsg{raw: data}
886 s := cryptobyte.String(data)
887
888 var extensions cryptobyte.String
889 if !s.Skip(4) ||
890 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
891 return false
892 }
893
894 for !extensions.Empty() {
895 var extension uint16
896 var extData cryptobyte.String
897 if !extensions.ReadUint16(&extension) ||
898 !extensions.ReadUint16LengthPrefixed(&extData) {
899 return false
900 }
901
902 switch extension {
903 case extensionALPN:
904 var protoList cryptobyte.String
905 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
906 return false
907 }
908 var proto cryptobyte.String
909 if !protoList.ReadUint8LengthPrefixed(&proto) ||
910 proto.Empty() || !protoList.Empty() {
911 return false
912 }
913 m.alpnProtocol = string(proto)
914 default:
915
916 continue
917 }
918
919 if !extData.Empty() {
920 return false
921 }
922 }
923
924 return true
925 }
926
927 type endOfEarlyDataMsg struct{}
928
929 func (m *endOfEarlyDataMsg) marshal() []byte {
930 x := make([]byte, 4)
931 x[0] = typeEndOfEarlyData
932 return x
933 }
934
935 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
936 return len(data) == 4
937 }
938
939 type keyUpdateMsg struct {
940 raw []byte
941 updateRequested bool
942 }
943
944 func (m *keyUpdateMsg) marshal() []byte {
945 if m.raw != nil {
946 return m.raw
947 }
948
949 var b cryptobyte.Builder
950 b.AddUint8(typeKeyUpdate)
951 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
952 if m.updateRequested {
953 b.AddUint8(1)
954 } else {
955 b.AddUint8(0)
956 }
957 })
958
959 m.raw = b.BytesOrPanic()
960 return m.raw
961 }
962
963 func (m *keyUpdateMsg) unmarshal(data []byte) bool {
964 m.raw = data
965 s := cryptobyte.String(data)
966
967 var updateRequested uint8
968 if !s.Skip(4) ||
969 !s.ReadUint8(&updateRequested) || !s.Empty() {
970 return false
971 }
972 switch updateRequested {
973 case 0:
974 m.updateRequested = false
975 case 1:
976 m.updateRequested = true
977 default:
978 return false
979 }
980 return true
981 }
982
983 type newSessionTicketMsgTLS13 struct {
984 raw []byte
985 lifetime uint32
986 ageAdd uint32
987 nonce []byte
988 label []byte
989 maxEarlyData uint32
990 }
991
992 func (m *newSessionTicketMsgTLS13) marshal() []byte {
993 if m.raw != nil {
994 return m.raw
995 }
996
997 var b cryptobyte.Builder
998 b.AddUint8(typeNewSessionTicket)
999 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1000 b.AddUint32(m.lifetime)
1001 b.AddUint32(m.ageAdd)
1002 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
1003 b.AddBytes(m.nonce)
1004 })
1005 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1006 b.AddBytes(m.label)
1007 })
1008
1009 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1010 if m.maxEarlyData > 0 {
1011 b.AddUint16(extensionEarlyData)
1012 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1013 b.AddUint32(m.maxEarlyData)
1014 })
1015 }
1016 })
1017 })
1018
1019 m.raw = b.BytesOrPanic()
1020 return m.raw
1021 }
1022
1023 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
1024 *m = newSessionTicketMsgTLS13{raw: data}
1025 s := cryptobyte.String(data)
1026
1027 var extensions cryptobyte.String
1028 if !s.Skip(4) ||
1029 !s.ReadUint32(&m.lifetime) ||
1030 !s.ReadUint32(&m.ageAdd) ||
1031 !readUint8LengthPrefixed(&s, &m.nonce) ||
1032 !readUint16LengthPrefixed(&s, &m.label) ||
1033 !s.ReadUint16LengthPrefixed(&extensions) ||
1034 !s.Empty() {
1035 return false
1036 }
1037
1038 for !extensions.Empty() {
1039 var extension uint16
1040 var extData cryptobyte.String
1041 if !extensions.ReadUint16(&extension) ||
1042 !extensions.ReadUint16LengthPrefixed(&extData) {
1043 return false
1044 }
1045
1046 switch extension {
1047 case extensionEarlyData:
1048 if !extData.ReadUint32(&m.maxEarlyData) {
1049 return false
1050 }
1051 default:
1052
1053 continue
1054 }
1055
1056 if !extData.Empty() {
1057 return false
1058 }
1059 }
1060
1061 return true
1062 }
1063
1064 type certificateRequestMsgTLS13 struct {
1065 raw []byte
1066 ocspStapling bool
1067 scts bool
1068 supportedSignatureAlgorithms []SignatureScheme
1069 supportedSignatureAlgorithmsCert []SignatureScheme
1070 certificateAuthorities [][]byte
1071 }
1072
1073 func (m *certificateRequestMsgTLS13) marshal() []byte {
1074 if m.raw != nil {
1075 return m.raw
1076 }
1077
1078 var b cryptobyte.Builder
1079 b.AddUint8(typeCertificateRequest)
1080 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1081
1082
1083 b.AddUint8(0)
1084
1085 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1086 if m.ocspStapling {
1087 b.AddUint16(extensionStatusRequest)
1088 b.AddUint16(0)
1089 }
1090 if m.scts {
1091
1092
1093
1094
1095
1096 b.AddUint16(extensionSCT)
1097 b.AddUint16(0)
1098 }
1099 if len(m.supportedSignatureAlgorithms) > 0 {
1100 b.AddUint16(extensionSignatureAlgorithms)
1101 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1102 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1103 for _, sigAlgo := range m.supportedSignatureAlgorithms {
1104 b.AddUint16(uint16(sigAlgo))
1105 }
1106 })
1107 })
1108 }
1109 if len(m.supportedSignatureAlgorithmsCert) > 0 {
1110 b.AddUint16(extensionSignatureAlgorithmsCert)
1111 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1112 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1113 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
1114 b.AddUint16(uint16(sigAlgo))
1115 }
1116 })
1117 })
1118 }
1119 if len(m.certificateAuthorities) > 0 {
1120 b.AddUint16(extensionCertificateAuthorities)
1121 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1122 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1123 for _, ca := range m.certificateAuthorities {
1124 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1125 b.AddBytes(ca)
1126 })
1127 }
1128 })
1129 })
1130 }
1131 })
1132 })
1133
1134 m.raw = b.BytesOrPanic()
1135 return m.raw
1136 }
1137
1138 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
1139 *m = certificateRequestMsgTLS13{raw: data}
1140 s := cryptobyte.String(data)
1141
1142 var context, extensions cryptobyte.String
1143 if !s.Skip(4) ||
1144 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
1145 !s.ReadUint16LengthPrefixed(&extensions) ||
1146 !s.Empty() {
1147 return false
1148 }
1149
1150 for !extensions.Empty() {
1151 var extension uint16
1152 var extData cryptobyte.String
1153 if !extensions.ReadUint16(&extension) ||
1154 !extensions.ReadUint16LengthPrefixed(&extData) {
1155 return false
1156 }
1157
1158 switch extension {
1159 case extensionStatusRequest:
1160 m.ocspStapling = true
1161 case extensionSCT:
1162 m.scts = true
1163 case extensionSignatureAlgorithms:
1164 var sigAndAlgs cryptobyte.String
1165 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
1166 return false
1167 }
1168 for !sigAndAlgs.Empty() {
1169 var sigAndAlg uint16
1170 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
1171 return false
1172 }
1173 m.supportedSignatureAlgorithms = append(
1174 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
1175 }
1176 case extensionSignatureAlgorithmsCert:
1177 var sigAndAlgs cryptobyte.String
1178 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
1179 return false
1180 }
1181 for !sigAndAlgs.Empty() {
1182 var sigAndAlg uint16
1183 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
1184 return false
1185 }
1186 m.supportedSignatureAlgorithmsCert = append(
1187 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
1188 }
1189 case extensionCertificateAuthorities:
1190 var auths cryptobyte.String
1191 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
1192 return false
1193 }
1194 for !auths.Empty() {
1195 var ca []byte
1196 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
1197 return false
1198 }
1199 m.certificateAuthorities = append(m.certificateAuthorities, ca)
1200 }
1201 default:
1202
1203 continue
1204 }
1205
1206 if !extData.Empty() {
1207 return false
1208 }
1209 }
1210
1211 return true
1212 }
1213
1214 type certificateMsg struct {
1215 raw []byte
1216 certificates [][]byte
1217 }
1218
1219 func (m *certificateMsg) marshal() (x []byte) {
1220 if m.raw != nil {
1221 return m.raw
1222 }
1223
1224 var i int
1225 for _, slice := range m.certificates {
1226 i += len(slice)
1227 }
1228
1229 length := 3 + 3*len(m.certificates) + i
1230 x = make([]byte, 4+length)
1231 x[0] = typeCertificate
1232 x[1] = uint8(length >> 16)
1233 x[2] = uint8(length >> 8)
1234 x[3] = uint8(length)
1235
1236 certificateOctets := length - 3
1237 x[4] = uint8(certificateOctets >> 16)
1238 x[5] = uint8(certificateOctets >> 8)
1239 x[6] = uint8(certificateOctets)
1240
1241 y := x[7:]
1242 for _, slice := range m.certificates {
1243 y[0] = uint8(len(slice) >> 16)
1244 y[1] = uint8(len(slice) >> 8)
1245 y[2] = uint8(len(slice))
1246 copy(y[3:], slice)
1247 y = y[3+len(slice):]
1248 }
1249
1250 m.raw = x
1251 return
1252 }
1253
1254 func (m *certificateMsg) unmarshal(data []byte) bool {
1255 if len(data) < 7 {
1256 return false
1257 }
1258
1259 m.raw = data
1260 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
1261 if uint32(len(data)) != certsLen+7 {
1262 return false
1263 }
1264
1265 numCerts := 0
1266 d := data[7:]
1267 for certsLen > 0 {
1268 if len(d) < 4 {
1269 return false
1270 }
1271 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
1272 if uint32(len(d)) < 3+certLen {
1273 return false
1274 }
1275 d = d[3+certLen:]
1276 certsLen -= 3 + certLen
1277 numCerts++
1278 }
1279
1280 m.certificates = make([][]byte, numCerts)
1281 d = data[7:]
1282 for i := 0; i < numCerts; i++ {
1283 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
1284 m.certificates[i] = d[3 : 3+certLen]
1285 d = d[3+certLen:]
1286 }
1287
1288 return true
1289 }
1290
1291 type certificateMsgTLS13 struct {
1292 raw []byte
1293 certificate Certificate
1294 ocspStapling bool
1295 scts bool
1296 }
1297
1298 func (m *certificateMsgTLS13) marshal() []byte {
1299 if m.raw != nil {
1300 return m.raw
1301 }
1302
1303 var b cryptobyte.Builder
1304 b.AddUint8(typeCertificate)
1305 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1306 b.AddUint8(0)
1307
1308 certificate := m.certificate
1309 if !m.ocspStapling {
1310 certificate.OCSPStaple = nil
1311 }
1312 if !m.scts {
1313 certificate.SignedCertificateTimestamps = nil
1314 }
1315 marshalCertificate(b, certificate)
1316 })
1317
1318 m.raw = b.BytesOrPanic()
1319 return m.raw
1320 }
1321
1322 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
1323 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1324 for i, cert := range certificate.Certificate {
1325 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1326 b.AddBytes(cert)
1327 })
1328 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1329 if i > 0 {
1330
1331 return
1332 }
1333 if certificate.OCSPStaple != nil {
1334 b.AddUint16(extensionStatusRequest)
1335 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1336 b.AddUint8(statusTypeOCSP)
1337 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1338 b.AddBytes(certificate.OCSPStaple)
1339 })
1340 })
1341 }
1342 if certificate.SignedCertificateTimestamps != nil {
1343 b.AddUint16(extensionSCT)
1344 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1345 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1346 for _, sct := range certificate.SignedCertificateTimestamps {
1347 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1348 b.AddBytes(sct)
1349 })
1350 }
1351 })
1352 })
1353 }
1354 })
1355 }
1356 })
1357 }
1358
1359 func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
1360 *m = certificateMsgTLS13{raw: data}
1361 s := cryptobyte.String(data)
1362
1363 var context cryptobyte.String
1364 if !s.Skip(4) ||
1365 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
1366 !unmarshalCertificate(&s, &m.certificate) ||
1367 !s.Empty() {
1368 return false
1369 }
1370
1371 m.scts = m.certificate.SignedCertificateTimestamps != nil
1372 m.ocspStapling = m.certificate.OCSPStaple != nil
1373
1374 return true
1375 }
1376
1377 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
1378 var certList cryptobyte.String
1379 if !s.ReadUint24LengthPrefixed(&certList) {
1380 return false
1381 }
1382 for !certList.Empty() {
1383 var cert []byte
1384 var extensions cryptobyte.String
1385 if !readUint24LengthPrefixed(&certList, &cert) ||
1386 !certList.ReadUint16LengthPrefixed(&extensions) {
1387 return false
1388 }
1389 certificate.Certificate = append(certificate.Certificate, cert)
1390 for !extensions.Empty() {
1391 var extension uint16
1392 var extData cryptobyte.String
1393 if !extensions.ReadUint16(&extension) ||
1394 !extensions.ReadUint16LengthPrefixed(&extData) {
1395 return false
1396 }
1397 if len(certificate.Certificate) > 1 {
1398
1399 continue
1400 }
1401
1402 switch extension {
1403 case extensionStatusRequest:
1404 var statusType uint8
1405 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
1406 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
1407 len(certificate.OCSPStaple) == 0 {
1408 return false
1409 }
1410 case extensionSCT:
1411 var sctList cryptobyte.String
1412 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
1413 return false
1414 }
1415 for !sctList.Empty() {
1416 var sct []byte
1417 if !readUint16LengthPrefixed(&sctList, &sct) ||
1418 len(sct) == 0 {
1419 return false
1420 }
1421 certificate.SignedCertificateTimestamps = append(
1422 certificate.SignedCertificateTimestamps, sct)
1423 }
1424 default:
1425
1426 continue
1427 }
1428
1429 if !extData.Empty() {
1430 return false
1431 }
1432 }
1433 }
1434 return true
1435 }
1436
1437 type serverKeyExchangeMsg struct {
1438 raw []byte
1439 key []byte
1440 }
1441
1442 func (m *serverKeyExchangeMsg) marshal() []byte {
1443 if m.raw != nil {
1444 return m.raw
1445 }
1446 length := len(m.key)
1447 x := make([]byte, length+4)
1448 x[0] = typeServerKeyExchange
1449 x[1] = uint8(length >> 16)
1450 x[2] = uint8(length >> 8)
1451 x[3] = uint8(length)
1452 copy(x[4:], m.key)
1453
1454 m.raw = x
1455 return x
1456 }
1457
1458 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
1459 m.raw = data
1460 if len(data) < 4 {
1461 return false
1462 }
1463 m.key = data[4:]
1464 return true
1465 }
1466
1467 type certificateStatusMsg struct {
1468 raw []byte
1469 response []byte
1470 }
1471
1472 func (m *certificateStatusMsg) marshal() []byte {
1473 if m.raw != nil {
1474 return m.raw
1475 }
1476
1477 var b cryptobyte.Builder
1478 b.AddUint8(typeCertificateStatus)
1479 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1480 b.AddUint8(statusTypeOCSP)
1481 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1482 b.AddBytes(m.response)
1483 })
1484 })
1485
1486 m.raw = b.BytesOrPanic()
1487 return m.raw
1488 }
1489
1490 func (m *certificateStatusMsg) unmarshal(data []byte) bool {
1491 m.raw = data
1492 s := cryptobyte.String(data)
1493
1494 var statusType uint8
1495 if !s.Skip(4) ||
1496 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
1497 !readUint24LengthPrefixed(&s, &m.response) ||
1498 len(m.response) == 0 || !s.Empty() {
1499 return false
1500 }
1501 return true
1502 }
1503
1504 type serverHelloDoneMsg struct{}
1505
1506 func (m *serverHelloDoneMsg) marshal() []byte {
1507 x := make([]byte, 4)
1508 x[0] = typeServerHelloDone
1509 return x
1510 }
1511
1512 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
1513 return len(data) == 4
1514 }
1515
1516 type clientKeyExchangeMsg struct {
1517 raw []byte
1518 ciphertext []byte
1519 }
1520
1521 func (m *clientKeyExchangeMsg) marshal() []byte {
1522 if m.raw != nil {
1523 return m.raw
1524 }
1525 length := len(m.ciphertext)
1526 x := make([]byte, length+4)
1527 x[0] = typeClientKeyExchange
1528 x[1] = uint8(length >> 16)
1529 x[2] = uint8(length >> 8)
1530 x[3] = uint8(length)
1531 copy(x[4:], m.ciphertext)
1532
1533 m.raw = x
1534 return x
1535 }
1536
1537 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
1538 m.raw = data
1539 if len(data) < 4 {
1540 return false
1541 }
1542 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1543 if l != len(data)-4 {
1544 return false
1545 }
1546 m.ciphertext = data[4:]
1547 return true
1548 }
1549
1550 type finishedMsg struct {
1551 raw []byte
1552 verifyData []byte
1553 }
1554
1555 func (m *finishedMsg) marshal() []byte {
1556 if m.raw != nil {
1557 return m.raw
1558 }
1559
1560 var b cryptobyte.Builder
1561 b.AddUint8(typeFinished)
1562 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1563 b.AddBytes(m.verifyData)
1564 })
1565
1566 m.raw = b.BytesOrPanic()
1567 return m.raw
1568 }
1569
1570 func (m *finishedMsg) unmarshal(data []byte) bool {
1571 m.raw = data
1572 s := cryptobyte.String(data)
1573 return s.Skip(1) &&
1574 readUint24LengthPrefixed(&s, &m.verifyData) &&
1575 s.Empty()
1576 }
1577
1578 type certificateRequestMsg struct {
1579 raw []byte
1580
1581
1582 hasSignatureAlgorithm bool
1583
1584 certificateTypes []byte
1585 supportedSignatureAlgorithms []SignatureScheme
1586 certificateAuthorities [][]byte
1587 }
1588
1589 func (m *certificateRequestMsg) marshal() (x []byte) {
1590 if m.raw != nil {
1591 return m.raw
1592 }
1593
1594
1595 length := 1 + len(m.certificateTypes) + 2
1596 casLength := 0
1597 for _, ca := range m.certificateAuthorities {
1598 casLength += 2 + len(ca)
1599 }
1600 length += casLength
1601
1602 if m.hasSignatureAlgorithm {
1603 length += 2 + 2*len(m.supportedSignatureAlgorithms)
1604 }
1605
1606 x = make([]byte, 4+length)
1607 x[0] = typeCertificateRequest
1608 x[1] = uint8(length >> 16)
1609 x[2] = uint8(length >> 8)
1610 x[3] = uint8(length)
1611
1612 x[4] = uint8(len(m.certificateTypes))
1613
1614 copy(x[5:], m.certificateTypes)
1615 y := x[5+len(m.certificateTypes):]
1616
1617 if m.hasSignatureAlgorithm {
1618 n := len(m.supportedSignatureAlgorithms) * 2
1619 y[0] = uint8(n >> 8)
1620 y[1] = uint8(n)
1621 y = y[2:]
1622 for _, sigAlgo := range m.supportedSignatureAlgorithms {
1623 y[0] = uint8(sigAlgo >> 8)
1624 y[1] = uint8(sigAlgo)
1625 y = y[2:]
1626 }
1627 }
1628
1629 y[0] = uint8(casLength >> 8)
1630 y[1] = uint8(casLength)
1631 y = y[2:]
1632 for _, ca := range m.certificateAuthorities {
1633 y[0] = uint8(len(ca) >> 8)
1634 y[1] = uint8(len(ca))
1635 y = y[2:]
1636 copy(y, ca)
1637 y = y[len(ca):]
1638 }
1639
1640 m.raw = x
1641 return
1642 }
1643
1644 func (m *certificateRequestMsg) unmarshal(data []byte) bool {
1645 m.raw = data
1646
1647 if len(data) < 5 {
1648 return false
1649 }
1650
1651 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1652 if uint32(len(data))-4 != length {
1653 return false
1654 }
1655
1656 numCertTypes := int(data[4])
1657 data = data[5:]
1658 if numCertTypes == 0 || len(data) <= numCertTypes {
1659 return false
1660 }
1661
1662 m.certificateTypes = make([]byte, numCertTypes)
1663 if copy(m.certificateTypes, data) != numCertTypes {
1664 return false
1665 }
1666
1667 data = data[numCertTypes:]
1668
1669 if m.hasSignatureAlgorithm {
1670 if len(data) < 2 {
1671 return false
1672 }
1673 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
1674 data = data[2:]
1675 if sigAndHashLen&1 != 0 {
1676 return false
1677 }
1678 if len(data) < int(sigAndHashLen) {
1679 return false
1680 }
1681 numSigAlgos := sigAndHashLen / 2
1682 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
1683 for i := range m.supportedSignatureAlgorithms {
1684 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
1685 data = data[2:]
1686 }
1687 }
1688
1689 if len(data) < 2 {
1690 return false
1691 }
1692 casLength := uint16(data[0])<<8 | uint16(data[1])
1693 data = data[2:]
1694 if len(data) < int(casLength) {
1695 return false
1696 }
1697 cas := make([]byte, casLength)
1698 copy(cas, data)
1699 data = data[casLength:]
1700
1701 m.certificateAuthorities = nil
1702 for len(cas) > 0 {
1703 if len(cas) < 2 {
1704 return false
1705 }
1706 caLen := uint16(cas[0])<<8 | uint16(cas[1])
1707 cas = cas[2:]
1708
1709 if len(cas) < int(caLen) {
1710 return false
1711 }
1712
1713 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
1714 cas = cas[caLen:]
1715 }
1716
1717 return len(data) == 0
1718 }
1719
1720 type certificateVerifyMsg struct {
1721 raw []byte
1722 hasSignatureAlgorithm bool
1723 signatureAlgorithm SignatureScheme
1724 signature []byte
1725 }
1726
1727 func (m *certificateVerifyMsg) marshal() (x []byte) {
1728 if m.raw != nil {
1729 return m.raw
1730 }
1731
1732 var b cryptobyte.Builder
1733 b.AddUint8(typeCertificateVerify)
1734 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1735 if m.hasSignatureAlgorithm {
1736 b.AddUint16(uint16(m.signatureAlgorithm))
1737 }
1738 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1739 b.AddBytes(m.signature)
1740 })
1741 })
1742
1743 m.raw = b.BytesOrPanic()
1744 return m.raw
1745 }
1746
1747 func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
1748 m.raw = data
1749 s := cryptobyte.String(data)
1750
1751 if !s.Skip(4) {
1752 return false
1753 }
1754 if m.hasSignatureAlgorithm {
1755 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
1756 return false
1757 }
1758 }
1759 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
1760 }
1761
1762 type newSessionTicketMsg struct {
1763 raw []byte
1764 ticket []byte
1765 }
1766
1767 func (m *newSessionTicketMsg) marshal() (x []byte) {
1768 if m.raw != nil {
1769 return m.raw
1770 }
1771
1772
1773 ticketLen := len(m.ticket)
1774 length := 2 + 4 + ticketLen
1775 x = make([]byte, 4+length)
1776 x[0] = typeNewSessionTicket
1777 x[1] = uint8(length >> 16)
1778 x[2] = uint8(length >> 8)
1779 x[3] = uint8(length)
1780 x[8] = uint8(ticketLen >> 8)
1781 x[9] = uint8(ticketLen)
1782 copy(x[10:], m.ticket)
1783
1784 m.raw = x
1785
1786 return
1787 }
1788
1789 func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
1790 m.raw = data
1791
1792 if len(data) < 10 {
1793 return false
1794 }
1795
1796 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1797 if uint32(len(data))-4 != length {
1798 return false
1799 }
1800
1801 ticketLen := int(data[8])<<8 + int(data[9])
1802 if len(data)-10 != ticketLen {
1803 return false
1804 }
1805
1806 m.ticket = data[10:]
1807
1808 return true
1809 }
1810
1811 type helloRequestMsg struct {
1812 }
1813
1814 func (*helloRequestMsg) marshal() []byte {
1815 return []byte{typeHelloRequest, 0, 0, 0}
1816 }
1817
1818 func (*helloRequestMsg) unmarshal(data []byte) bool {
1819 return len(data) == 4
1820 }
1821
View as plain text