Source file
src/crypto/tls/handshake_messages.go
1
2
3
4
5 package tls
6
7 import (
8 "errors"
9 "fmt"
10 "strings"
11
12 "golang.org/x/crypto/cryptobyte"
13 )
14
15
16
17 type marshalingFunction func(b *cryptobyte.Builder) error
18
19 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
20 return f(b)
21 }
22
23
24
25 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
26 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
27 if len(v) != n {
28 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
29 }
30 b.AddBytes(v)
31 return nil
32 }))
33 }
34
35
36 func addUint64(b *cryptobyte.Builder, v uint64) {
37 b.AddUint32(uint32(v >> 32))
38 b.AddUint32(uint32(v))
39 }
40
41
42
43 func readUint64(s *cryptobyte.String, out *uint64) bool {
44 var hi, lo uint32
45 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
46 return false
47 }
48 *out = uint64(hi)<<32 | uint64(lo)
49 return true
50 }
51
52
53
54 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
55 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
56 }
57
58
59
60 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
61 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
62 }
63
64
65
66 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
67 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
68 }
69
70 type clientHelloMsg struct {
71 raw []byte
72 vers uint16
73 random []byte
74 sessionId []byte
75 cipherSuites []uint16
76 compressionMethods []uint8
77 serverName string
78 ocspStapling bool
79 supportedCurves []CurveID
80 supportedPoints []uint8
81 ticketSupported bool
82 sessionTicket []uint8
83 supportedSignatureAlgorithms []SignatureScheme
84 supportedSignatureAlgorithmsCert []SignatureScheme
85 secureRenegotiationSupported bool
86 secureRenegotiation []byte
87 extendedMasterSecret bool
88 alpnProtocols []string
89 scts bool
90 supportedVersions []uint16
91 cookie []byte
92 keyShares []keyShare
93 earlyData bool
94 pskModes []uint8
95 pskIdentities []pskIdentity
96 pskBinders [][]byte
97 quicTransportParameters []byte
98 }
99
100 func (m *clientHelloMsg) marshal() ([]byte, error) {
101 if m.raw != nil {
102 return m.raw, nil
103 }
104
105 var exts cryptobyte.Builder
106 if len(m.serverName) > 0 {
107
108 exts.AddUint16(extensionServerName)
109 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
110 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
111 exts.AddUint8(0)
112 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
113 exts.AddBytes([]byte(m.serverName))
114 })
115 })
116 })
117 }
118 if m.ocspStapling {
119
120 exts.AddUint16(extensionStatusRequest)
121 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
122 exts.AddUint8(1)
123 exts.AddUint16(0)
124 exts.AddUint16(0)
125 })
126 }
127 if len(m.supportedCurves) > 0 {
128
129 exts.AddUint16(extensionSupportedCurves)
130 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
131 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
132 for _, curve := range m.supportedCurves {
133 exts.AddUint16(uint16(curve))
134 }
135 })
136 })
137 }
138 if len(m.supportedPoints) > 0 {
139
140 exts.AddUint16(extensionSupportedPoints)
141 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
142 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
143 exts.AddBytes(m.supportedPoints)
144 })
145 })
146 }
147 if m.ticketSupported {
148
149 exts.AddUint16(extensionSessionTicket)
150 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
151 exts.AddBytes(m.sessionTicket)
152 })
153 }
154 if len(m.supportedSignatureAlgorithms) > 0 {
155
156 exts.AddUint16(extensionSignatureAlgorithms)
157 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
158 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
159 for _, sigAlgo := range m.supportedSignatureAlgorithms {
160 exts.AddUint16(uint16(sigAlgo))
161 }
162 })
163 })
164 }
165 if len(m.supportedSignatureAlgorithmsCert) > 0 {
166
167 exts.AddUint16(extensionSignatureAlgorithmsCert)
168 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
169 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
170 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
171 exts.AddUint16(uint16(sigAlgo))
172 }
173 })
174 })
175 }
176 if m.secureRenegotiationSupported {
177
178 exts.AddUint16(extensionRenegotiationInfo)
179 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
180 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
181 exts.AddBytes(m.secureRenegotiation)
182 })
183 })
184 }
185 if m.extendedMasterSecret {
186
187 exts.AddUint16(extensionExtendedMasterSecret)
188 exts.AddUint16(0)
189 }
190 if len(m.alpnProtocols) > 0 {
191
192 exts.AddUint16(extensionALPN)
193 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
194 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
195 for _, proto := range m.alpnProtocols {
196 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
197 exts.AddBytes([]byte(proto))
198 })
199 }
200 })
201 })
202 }
203 if m.scts {
204
205 exts.AddUint16(extensionSCT)
206 exts.AddUint16(0)
207 }
208 if len(m.supportedVersions) > 0 {
209
210 exts.AddUint16(extensionSupportedVersions)
211 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
212 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
213 for _, vers := range m.supportedVersions {
214 exts.AddUint16(vers)
215 }
216 })
217 })
218 }
219 if len(m.cookie) > 0 {
220
221 exts.AddUint16(extensionCookie)
222 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
223 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
224 exts.AddBytes(m.cookie)
225 })
226 })
227 }
228 if len(m.keyShares) > 0 {
229
230 exts.AddUint16(extensionKeyShare)
231 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
232 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
233 for _, ks := range m.keyShares {
234 exts.AddUint16(uint16(ks.group))
235 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
236 exts.AddBytes(ks.data)
237 })
238 }
239 })
240 })
241 }
242 if m.earlyData {
243
244 exts.AddUint16(extensionEarlyData)
245 exts.AddUint16(0)
246 }
247 if len(m.pskModes) > 0 {
248
249 exts.AddUint16(extensionPSKModes)
250 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
251 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
252 exts.AddBytes(m.pskModes)
253 })
254 })
255 }
256 if m.quicTransportParameters != nil {
257
258 exts.AddUint16(extensionQUICTransportParameters)
259 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
260 exts.AddBytes(m.quicTransportParameters)
261 })
262 }
263 if len(m.pskIdentities) > 0 {
264
265 exts.AddUint16(extensionPreSharedKey)
266 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
267 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
268 for _, psk := range m.pskIdentities {
269 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
270 exts.AddBytes(psk.label)
271 })
272 exts.AddUint32(psk.obfuscatedTicketAge)
273 }
274 })
275 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
276 for _, binder := range m.pskBinders {
277 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
278 exts.AddBytes(binder)
279 })
280 }
281 })
282 })
283 }
284 extBytes, err := exts.Bytes()
285 if err != nil {
286 return nil, err
287 }
288
289 var b cryptobyte.Builder
290 b.AddUint8(typeClientHello)
291 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
292 b.AddUint16(m.vers)
293 addBytesWithLength(b, m.random, 32)
294 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
295 b.AddBytes(m.sessionId)
296 })
297 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
298 for _, suite := range m.cipherSuites {
299 b.AddUint16(suite)
300 }
301 })
302 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
303 b.AddBytes(m.compressionMethods)
304 })
305
306 if len(extBytes) > 0 {
307 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
308 b.AddBytes(extBytes)
309 })
310 }
311 })
312
313 m.raw, err = b.Bytes()
314 return m.raw, err
315 }
316
317
318
319
320 func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) {
321 bindersLen := 2
322 for _, binder := range m.pskBinders {
323 bindersLen += 1
324 bindersLen += len(binder)
325 }
326
327 fullMessage, err := m.marshal()
328 if err != nil {
329 return nil, err
330 }
331 return fullMessage[:len(fullMessage)-bindersLen], nil
332 }
333
334
335
336
337 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error {
338 if len(pskBinders) != len(m.pskBinders) {
339 return errors.New("tls: internal error: pskBinders length mismatch")
340 }
341 for i := range m.pskBinders {
342 if len(pskBinders[i]) != len(m.pskBinders[i]) {
343 return errors.New("tls: internal error: pskBinders length mismatch")
344 }
345 }
346 m.pskBinders = pskBinders
347 if m.raw != nil {
348 helloBytes, err := m.marshalWithoutBinders()
349 if err != nil {
350 return err
351 }
352 lenWithoutBinders := len(helloBytes)
353 b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders])
354 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
355 for _, binder := range m.pskBinders {
356 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
357 b.AddBytes(binder)
358 })
359 }
360 })
361 if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) {
362 return errors.New("tls: internal error: failed to update binders")
363 }
364 }
365
366 return nil
367 }
368
369 func (m *clientHelloMsg) unmarshal(data []byte) bool {
370 *m = clientHelloMsg{raw: data}
371 s := cryptobyte.String(data)
372
373 if !s.Skip(4) ||
374 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
375 !readUint8LengthPrefixed(&s, &m.sessionId) {
376 return false
377 }
378
379 var cipherSuites cryptobyte.String
380 if !s.ReadUint16LengthPrefixed(&cipherSuites) {
381 return false
382 }
383 m.cipherSuites = []uint16{}
384 m.secureRenegotiationSupported = false
385 for !cipherSuites.Empty() {
386 var suite uint16
387 if !cipherSuites.ReadUint16(&suite) {
388 return false
389 }
390 if suite == scsvRenegotiation {
391 m.secureRenegotiationSupported = true
392 }
393 m.cipherSuites = append(m.cipherSuites, suite)
394 }
395
396 if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
397 return false
398 }
399
400 if s.Empty() {
401
402 return true
403 }
404
405 var extensions cryptobyte.String
406 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
407 return false
408 }
409
410 seenExts := make(map[uint16]bool)
411 for !extensions.Empty() {
412 var extension uint16
413 var extData cryptobyte.String
414 if !extensions.ReadUint16(&extension) ||
415 !extensions.ReadUint16LengthPrefixed(&extData) {
416 return false
417 }
418
419 if seenExts[extension] {
420 return false
421 }
422 seenExts[extension] = true
423
424 switch extension {
425 case extensionServerName:
426
427 var nameList cryptobyte.String
428 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
429 return false
430 }
431 for !nameList.Empty() {
432 var nameType uint8
433 var serverName cryptobyte.String
434 if !nameList.ReadUint8(&nameType) ||
435 !nameList.ReadUint16LengthPrefixed(&serverName) ||
436 serverName.Empty() {
437 return false
438 }
439 if nameType != 0 {
440 continue
441 }
442 if len(m.serverName) != 0 {
443
444 return false
445 }
446 m.serverName = string(serverName)
447
448 if strings.HasSuffix(m.serverName, ".") {
449 return false
450 }
451 }
452 case extensionStatusRequest:
453
454 var statusType uint8
455 var ignored cryptobyte.String
456 if !extData.ReadUint8(&statusType) ||
457 !extData.ReadUint16LengthPrefixed(&ignored) ||
458 !extData.ReadUint16LengthPrefixed(&ignored) {
459 return false
460 }
461 m.ocspStapling = statusType == statusTypeOCSP
462 case extensionSupportedCurves:
463
464 var curves cryptobyte.String
465 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
466 return false
467 }
468 for !curves.Empty() {
469 var curve uint16
470 if !curves.ReadUint16(&curve) {
471 return false
472 }
473 m.supportedCurves = append(m.supportedCurves, CurveID(curve))
474 }
475 case extensionSupportedPoints:
476
477 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
478 len(m.supportedPoints) == 0 {
479 return false
480 }
481 case extensionSessionTicket:
482
483 m.ticketSupported = true
484 extData.ReadBytes(&m.sessionTicket, len(extData))
485 case extensionSignatureAlgorithms:
486
487 var sigAndAlgs cryptobyte.String
488 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
489 return false
490 }
491 for !sigAndAlgs.Empty() {
492 var sigAndAlg uint16
493 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
494 return false
495 }
496 m.supportedSignatureAlgorithms = append(
497 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
498 }
499 case extensionSignatureAlgorithmsCert:
500
501 var sigAndAlgs cryptobyte.String
502 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
503 return false
504 }
505 for !sigAndAlgs.Empty() {
506 var sigAndAlg uint16
507 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
508 return false
509 }
510 m.supportedSignatureAlgorithmsCert = append(
511 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
512 }
513 case extensionRenegotiationInfo:
514
515 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
516 return false
517 }
518 m.secureRenegotiationSupported = true
519 case extensionExtendedMasterSecret:
520
521 m.extendedMasterSecret = true
522 case extensionALPN:
523
524 var protoList cryptobyte.String
525 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
526 return false
527 }
528 for !protoList.Empty() {
529 var proto cryptobyte.String
530 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
531 return false
532 }
533 m.alpnProtocols = append(m.alpnProtocols, string(proto))
534 }
535 case extensionSCT:
536
537 m.scts = true
538 case extensionSupportedVersions:
539
540 var versList cryptobyte.String
541 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
542 return false
543 }
544 for !versList.Empty() {
545 var vers uint16
546 if !versList.ReadUint16(&vers) {
547 return false
548 }
549 m.supportedVersions = append(m.supportedVersions, vers)
550 }
551 case extensionCookie:
552
553 if !readUint16LengthPrefixed(&extData, &m.cookie) ||
554 len(m.cookie) == 0 {
555 return false
556 }
557 case extensionKeyShare:
558
559 var clientShares cryptobyte.String
560 if !extData.ReadUint16LengthPrefixed(&clientShares) {
561 return false
562 }
563 for !clientShares.Empty() {
564 var ks keyShare
565 if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
566 !readUint16LengthPrefixed(&clientShares, &ks.data) ||
567 len(ks.data) == 0 {
568 return false
569 }
570 m.keyShares = append(m.keyShares, ks)
571 }
572 case extensionEarlyData:
573
574 m.earlyData = true
575 case extensionPSKModes:
576
577 if !readUint8LengthPrefixed(&extData, &m.pskModes) {
578 return false
579 }
580 case extensionQUICTransportParameters:
581 m.quicTransportParameters = make([]byte, len(extData))
582 if !extData.CopyBytes(m.quicTransportParameters) {
583 return false
584 }
585 case extensionPreSharedKey:
586
587 if !extensions.Empty() {
588 return false
589 }
590 var identities cryptobyte.String
591 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
592 return false
593 }
594 for !identities.Empty() {
595 var psk pskIdentity
596 if !readUint16LengthPrefixed(&identities, &psk.label) ||
597 !identities.ReadUint32(&psk.obfuscatedTicketAge) ||
598 len(psk.label) == 0 {
599 return false
600 }
601 m.pskIdentities = append(m.pskIdentities, psk)
602 }
603 var binders cryptobyte.String
604 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
605 return false
606 }
607 for !binders.Empty() {
608 var binder []byte
609 if !readUint8LengthPrefixed(&binders, &binder) ||
610 len(binder) == 0 {
611 return false
612 }
613 m.pskBinders = append(m.pskBinders, binder)
614 }
615 default:
616
617 continue
618 }
619
620 if !extData.Empty() {
621 return false
622 }
623 }
624
625 return true
626 }
627
628 type serverHelloMsg struct {
629 raw []byte
630 vers uint16
631 random []byte
632 sessionId []byte
633 cipherSuite uint16
634 compressionMethod uint8
635 ocspStapling bool
636 ticketSupported bool
637 secureRenegotiationSupported bool
638 secureRenegotiation []byte
639 extendedMasterSecret bool
640 alpnProtocol string
641 scts [][]byte
642 supportedVersion uint16
643 serverShare keyShare
644 selectedIdentityPresent bool
645 selectedIdentity uint16
646 supportedPoints []uint8
647
648
649 cookie []byte
650 selectedGroup CurveID
651 }
652
653 func (m *serverHelloMsg) marshal() ([]byte, error) {
654 if m.raw != nil {
655 return m.raw, nil
656 }
657
658 var exts cryptobyte.Builder
659 if m.ocspStapling {
660 exts.AddUint16(extensionStatusRequest)
661 exts.AddUint16(0)
662 }
663 if m.ticketSupported {
664 exts.AddUint16(extensionSessionTicket)
665 exts.AddUint16(0)
666 }
667 if m.secureRenegotiationSupported {
668 exts.AddUint16(extensionRenegotiationInfo)
669 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
670 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
671 exts.AddBytes(m.secureRenegotiation)
672 })
673 })
674 }
675 if m.extendedMasterSecret {
676 exts.AddUint16(extensionExtendedMasterSecret)
677 exts.AddUint16(0)
678 }
679 if len(m.alpnProtocol) > 0 {
680 exts.AddUint16(extensionALPN)
681 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
682 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
683 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
684 exts.AddBytes([]byte(m.alpnProtocol))
685 })
686 })
687 })
688 }
689 if len(m.scts) > 0 {
690 exts.AddUint16(extensionSCT)
691 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
692 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
693 for _, sct := range m.scts {
694 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
695 exts.AddBytes(sct)
696 })
697 }
698 })
699 })
700 }
701 if m.supportedVersion != 0 {
702 exts.AddUint16(extensionSupportedVersions)
703 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
704 exts.AddUint16(m.supportedVersion)
705 })
706 }
707 if m.serverShare.group != 0 {
708 exts.AddUint16(extensionKeyShare)
709 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
710 exts.AddUint16(uint16(m.serverShare.group))
711 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
712 exts.AddBytes(m.serverShare.data)
713 })
714 })
715 }
716 if m.selectedIdentityPresent {
717 exts.AddUint16(extensionPreSharedKey)
718 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
719 exts.AddUint16(m.selectedIdentity)
720 })
721 }
722
723 if len(m.cookie) > 0 {
724 exts.AddUint16(extensionCookie)
725 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
726 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
727 exts.AddBytes(m.cookie)
728 })
729 })
730 }
731 if m.selectedGroup != 0 {
732 exts.AddUint16(extensionKeyShare)
733 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
734 exts.AddUint16(uint16(m.selectedGroup))
735 })
736 }
737 if len(m.supportedPoints) > 0 {
738 exts.AddUint16(extensionSupportedPoints)
739 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
740 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
741 exts.AddBytes(m.supportedPoints)
742 })
743 })
744 }
745
746 extBytes, err := exts.Bytes()
747 if err != nil {
748 return nil, err
749 }
750
751 var b cryptobyte.Builder
752 b.AddUint8(typeServerHello)
753 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
754 b.AddUint16(m.vers)
755 addBytesWithLength(b, m.random, 32)
756 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
757 b.AddBytes(m.sessionId)
758 })
759 b.AddUint16(m.cipherSuite)
760 b.AddUint8(m.compressionMethod)
761
762 if len(extBytes) > 0 {
763 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
764 b.AddBytes(extBytes)
765 })
766 }
767 })
768
769 m.raw, err = b.Bytes()
770 return m.raw, err
771 }
772
773 func (m *serverHelloMsg) unmarshal(data []byte) bool {
774 *m = serverHelloMsg{raw: data}
775 s := cryptobyte.String(data)
776
777 if !s.Skip(4) ||
778 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
779 !readUint8LengthPrefixed(&s, &m.sessionId) ||
780 !s.ReadUint16(&m.cipherSuite) ||
781 !s.ReadUint8(&m.compressionMethod) {
782 return false
783 }
784
785 if s.Empty() {
786
787 return true
788 }
789
790 var extensions cryptobyte.String
791 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
792 return false
793 }
794
795 seenExts := make(map[uint16]bool)
796 for !extensions.Empty() {
797 var extension uint16
798 var extData cryptobyte.String
799 if !extensions.ReadUint16(&extension) ||
800 !extensions.ReadUint16LengthPrefixed(&extData) {
801 return false
802 }
803
804 if seenExts[extension] {
805 return false
806 }
807 seenExts[extension] = true
808
809 switch extension {
810 case extensionStatusRequest:
811 m.ocspStapling = true
812 case extensionSessionTicket:
813 m.ticketSupported = true
814 case extensionRenegotiationInfo:
815 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
816 return false
817 }
818 m.secureRenegotiationSupported = true
819 case extensionExtendedMasterSecret:
820 m.extendedMasterSecret = true
821 case extensionALPN:
822 var protoList cryptobyte.String
823 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
824 return false
825 }
826 var proto cryptobyte.String
827 if !protoList.ReadUint8LengthPrefixed(&proto) ||
828 proto.Empty() || !protoList.Empty() {
829 return false
830 }
831 m.alpnProtocol = string(proto)
832 case extensionSCT:
833 var sctList cryptobyte.String
834 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
835 return false
836 }
837 for !sctList.Empty() {
838 var sct []byte
839 if !readUint16LengthPrefixed(&sctList, &sct) ||
840 len(sct) == 0 {
841 return false
842 }
843 m.scts = append(m.scts, sct)
844 }
845 case extensionSupportedVersions:
846 if !extData.ReadUint16(&m.supportedVersion) {
847 return false
848 }
849 case extensionCookie:
850 if !readUint16LengthPrefixed(&extData, &m.cookie) ||
851 len(m.cookie) == 0 {
852 return false
853 }
854 case extensionKeyShare:
855
856
857 if len(extData) == 2 {
858 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
859 return false
860 }
861 } else {
862 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
863 !readUint16LengthPrefixed(&extData, &m.serverShare.data) {
864 return false
865 }
866 }
867 case extensionPreSharedKey:
868 m.selectedIdentityPresent = true
869 if !extData.ReadUint16(&m.selectedIdentity) {
870 return false
871 }
872 case extensionSupportedPoints:
873
874 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
875 len(m.supportedPoints) == 0 {
876 return false
877 }
878 default:
879
880 continue
881 }
882
883 if !extData.Empty() {
884 return false
885 }
886 }
887
888 return true
889 }
890
891 type encryptedExtensionsMsg struct {
892 raw []byte
893 alpnProtocol string
894 quicTransportParameters []byte
895 earlyData bool
896 }
897
898 func (m *encryptedExtensionsMsg) marshal() ([]byte, error) {
899 if m.raw != nil {
900 return m.raw, nil
901 }
902
903 var b cryptobyte.Builder
904 b.AddUint8(typeEncryptedExtensions)
905 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
906 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
907 if len(m.alpnProtocol) > 0 {
908 b.AddUint16(extensionALPN)
909 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
910 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
911 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
912 b.AddBytes([]byte(m.alpnProtocol))
913 })
914 })
915 })
916 }
917 if m.quicTransportParameters != nil {
918
919 b.AddUint16(extensionQUICTransportParameters)
920 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
921 b.AddBytes(m.quicTransportParameters)
922 })
923 }
924 if m.earlyData {
925
926 b.AddUint16(extensionEarlyData)
927 b.AddUint16(0)
928 }
929 })
930 })
931
932 var err error
933 m.raw, err = b.Bytes()
934 return m.raw, err
935 }
936
937 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
938 *m = encryptedExtensionsMsg{raw: data}
939 s := cryptobyte.String(data)
940
941 var extensions cryptobyte.String
942 if !s.Skip(4) ||
943 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
944 return false
945 }
946
947 for !extensions.Empty() {
948 var extension uint16
949 var extData cryptobyte.String
950 if !extensions.ReadUint16(&extension) ||
951 !extensions.ReadUint16LengthPrefixed(&extData) {
952 return false
953 }
954
955 switch extension {
956 case extensionALPN:
957 var protoList cryptobyte.String
958 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
959 return false
960 }
961 var proto cryptobyte.String
962 if !protoList.ReadUint8LengthPrefixed(&proto) ||
963 proto.Empty() || !protoList.Empty() {
964 return false
965 }
966 m.alpnProtocol = string(proto)
967 case extensionQUICTransportParameters:
968 m.quicTransportParameters = make([]byte, len(extData))
969 if !extData.CopyBytes(m.quicTransportParameters) {
970 return false
971 }
972 case extensionEarlyData:
973
974 m.earlyData = true
975 default:
976
977 continue
978 }
979
980 if !extData.Empty() {
981 return false
982 }
983 }
984
985 return true
986 }
987
988 type endOfEarlyDataMsg struct{}
989
990 func (m *endOfEarlyDataMsg) marshal() ([]byte, error) {
991 x := make([]byte, 4)
992 x[0] = typeEndOfEarlyData
993 return x, nil
994 }
995
996 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
997 return len(data) == 4
998 }
999
1000 type keyUpdateMsg struct {
1001 raw []byte
1002 updateRequested bool
1003 }
1004
1005 func (m *keyUpdateMsg) marshal() ([]byte, error) {
1006 if m.raw != nil {
1007 return m.raw, nil
1008 }
1009
1010 var b cryptobyte.Builder
1011 b.AddUint8(typeKeyUpdate)
1012 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1013 if m.updateRequested {
1014 b.AddUint8(1)
1015 } else {
1016 b.AddUint8(0)
1017 }
1018 })
1019
1020 var err error
1021 m.raw, err = b.Bytes()
1022 return m.raw, err
1023 }
1024
1025 func (m *keyUpdateMsg) unmarshal(data []byte) bool {
1026 m.raw = data
1027 s := cryptobyte.String(data)
1028
1029 var updateRequested uint8
1030 if !s.Skip(4) ||
1031 !s.ReadUint8(&updateRequested) || !s.Empty() {
1032 return false
1033 }
1034 switch updateRequested {
1035 case 0:
1036 m.updateRequested = false
1037 case 1:
1038 m.updateRequested = true
1039 default:
1040 return false
1041 }
1042 return true
1043 }
1044
1045 type newSessionTicketMsgTLS13 struct {
1046 raw []byte
1047 lifetime uint32
1048 ageAdd uint32
1049 nonce []byte
1050 label []byte
1051 maxEarlyData uint32
1052 }
1053
1054 func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
1055 if m.raw != nil {
1056 return m.raw, nil
1057 }
1058
1059 var b cryptobyte.Builder
1060 b.AddUint8(typeNewSessionTicket)
1061 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1062 b.AddUint32(m.lifetime)
1063 b.AddUint32(m.ageAdd)
1064 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
1065 b.AddBytes(m.nonce)
1066 })
1067 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1068 b.AddBytes(m.label)
1069 })
1070
1071 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1072 if m.maxEarlyData > 0 {
1073 b.AddUint16(extensionEarlyData)
1074 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1075 b.AddUint32(m.maxEarlyData)
1076 })
1077 }
1078 })
1079 })
1080
1081 var err error
1082 m.raw, err = b.Bytes()
1083 return m.raw, err
1084 }
1085
1086 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
1087 *m = newSessionTicketMsgTLS13{raw: data}
1088 s := cryptobyte.String(data)
1089
1090 var extensions cryptobyte.String
1091 if !s.Skip(4) ||
1092 !s.ReadUint32(&m.lifetime) ||
1093 !s.ReadUint32(&m.ageAdd) ||
1094 !readUint8LengthPrefixed(&s, &m.nonce) ||
1095 !readUint16LengthPrefixed(&s, &m.label) ||
1096 !s.ReadUint16LengthPrefixed(&extensions) ||
1097 !s.Empty() {
1098 return false
1099 }
1100
1101 for !extensions.Empty() {
1102 var extension uint16
1103 var extData cryptobyte.String
1104 if !extensions.ReadUint16(&extension) ||
1105 !extensions.ReadUint16LengthPrefixed(&extData) {
1106 return false
1107 }
1108
1109 switch extension {
1110 case extensionEarlyData:
1111 if !extData.ReadUint32(&m.maxEarlyData) {
1112 return false
1113 }
1114 default:
1115
1116 continue
1117 }
1118
1119 if !extData.Empty() {
1120 return false
1121 }
1122 }
1123
1124 return true
1125 }
1126
1127 type certificateRequestMsgTLS13 struct {
1128 raw []byte
1129 ocspStapling bool
1130 scts bool
1131 supportedSignatureAlgorithms []SignatureScheme
1132 supportedSignatureAlgorithmsCert []SignatureScheme
1133 certificateAuthorities [][]byte
1134 }
1135
1136 func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) {
1137 if m.raw != nil {
1138 return m.raw, nil
1139 }
1140
1141 var b cryptobyte.Builder
1142 b.AddUint8(typeCertificateRequest)
1143 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1144
1145
1146 b.AddUint8(0)
1147
1148 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1149 if m.ocspStapling {
1150 b.AddUint16(extensionStatusRequest)
1151 b.AddUint16(0)
1152 }
1153 if m.scts {
1154
1155
1156
1157
1158
1159 b.AddUint16(extensionSCT)
1160 b.AddUint16(0)
1161 }
1162 if len(m.supportedSignatureAlgorithms) > 0 {
1163 b.AddUint16(extensionSignatureAlgorithms)
1164 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1165 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1166 for _, sigAlgo := range m.supportedSignatureAlgorithms {
1167 b.AddUint16(uint16(sigAlgo))
1168 }
1169 })
1170 })
1171 }
1172 if len(m.supportedSignatureAlgorithmsCert) > 0 {
1173 b.AddUint16(extensionSignatureAlgorithmsCert)
1174 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1175 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1176 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
1177 b.AddUint16(uint16(sigAlgo))
1178 }
1179 })
1180 })
1181 }
1182 if len(m.certificateAuthorities) > 0 {
1183 b.AddUint16(extensionCertificateAuthorities)
1184 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1185 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1186 for _, ca := range m.certificateAuthorities {
1187 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1188 b.AddBytes(ca)
1189 })
1190 }
1191 })
1192 })
1193 }
1194 })
1195 })
1196
1197 var err error
1198 m.raw, err = b.Bytes()
1199 return m.raw, err
1200 }
1201
1202 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
1203 *m = certificateRequestMsgTLS13{raw: data}
1204 s := cryptobyte.String(data)
1205
1206 var context, extensions cryptobyte.String
1207 if !s.Skip(4) ||
1208 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
1209 !s.ReadUint16LengthPrefixed(&extensions) ||
1210 !s.Empty() {
1211 return false
1212 }
1213
1214 for !extensions.Empty() {
1215 var extension uint16
1216 var extData cryptobyte.String
1217 if !extensions.ReadUint16(&extension) ||
1218 !extensions.ReadUint16LengthPrefixed(&extData) {
1219 return false
1220 }
1221
1222 switch extension {
1223 case extensionStatusRequest:
1224 m.ocspStapling = true
1225 case extensionSCT:
1226 m.scts = true
1227 case extensionSignatureAlgorithms:
1228 var sigAndAlgs cryptobyte.String
1229 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
1230 return false
1231 }
1232 for !sigAndAlgs.Empty() {
1233 var sigAndAlg uint16
1234 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
1235 return false
1236 }
1237 m.supportedSignatureAlgorithms = append(
1238 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
1239 }
1240 case extensionSignatureAlgorithmsCert:
1241 var sigAndAlgs cryptobyte.String
1242 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
1243 return false
1244 }
1245 for !sigAndAlgs.Empty() {
1246 var sigAndAlg uint16
1247 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
1248 return false
1249 }
1250 m.supportedSignatureAlgorithmsCert = append(
1251 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
1252 }
1253 case extensionCertificateAuthorities:
1254 var auths cryptobyte.String
1255 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
1256 return false
1257 }
1258 for !auths.Empty() {
1259 var ca []byte
1260 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
1261 return false
1262 }
1263 m.certificateAuthorities = append(m.certificateAuthorities, ca)
1264 }
1265 default:
1266
1267 continue
1268 }
1269
1270 if !extData.Empty() {
1271 return false
1272 }
1273 }
1274
1275 return true
1276 }
1277
1278 type certificateMsg struct {
1279 raw []byte
1280 certificates [][]byte
1281 }
1282
1283 func (m *certificateMsg) marshal() ([]byte, error) {
1284 if m.raw != nil {
1285 return m.raw, nil
1286 }
1287
1288 var i int
1289 for _, slice := range m.certificates {
1290 i += len(slice)
1291 }
1292
1293 length := 3 + 3*len(m.certificates) + i
1294 x := make([]byte, 4+length)
1295 x[0] = typeCertificate
1296 x[1] = uint8(length >> 16)
1297 x[2] = uint8(length >> 8)
1298 x[3] = uint8(length)
1299
1300 certificateOctets := length - 3
1301 x[4] = uint8(certificateOctets >> 16)
1302 x[5] = uint8(certificateOctets >> 8)
1303 x[6] = uint8(certificateOctets)
1304
1305 y := x[7:]
1306 for _, slice := range m.certificates {
1307 y[0] = uint8(len(slice) >> 16)
1308 y[1] = uint8(len(slice) >> 8)
1309 y[2] = uint8(len(slice))
1310 copy(y[3:], slice)
1311 y = y[3+len(slice):]
1312 }
1313
1314 m.raw = x
1315 return m.raw, nil
1316 }
1317
1318 func (m *certificateMsg) unmarshal(data []byte) bool {
1319 if len(data) < 7 {
1320 return false
1321 }
1322
1323 m.raw = data
1324 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
1325 if uint32(len(data)) != certsLen+7 {
1326 return false
1327 }
1328
1329 numCerts := 0
1330 d := data[7:]
1331 for certsLen > 0 {
1332 if len(d) < 4 {
1333 return false
1334 }
1335 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
1336 if uint32(len(d)) < 3+certLen {
1337 return false
1338 }
1339 d = d[3+certLen:]
1340 certsLen -= 3 + certLen
1341 numCerts++
1342 }
1343
1344 m.certificates = make([][]byte, numCerts)
1345 d = data[7:]
1346 for i := 0; i < numCerts; i++ {
1347 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
1348 m.certificates[i] = d[3 : 3+certLen]
1349 d = d[3+certLen:]
1350 }
1351
1352 return true
1353 }
1354
1355 type certificateMsgTLS13 struct {
1356 raw []byte
1357 certificate Certificate
1358 ocspStapling bool
1359 scts bool
1360 }
1361
1362 func (m *certificateMsgTLS13) marshal() ([]byte, error) {
1363 if m.raw != nil {
1364 return m.raw, nil
1365 }
1366
1367 var b cryptobyte.Builder
1368 b.AddUint8(typeCertificate)
1369 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1370 b.AddUint8(0)
1371
1372 certificate := m.certificate
1373 if !m.ocspStapling {
1374 certificate.OCSPStaple = nil
1375 }
1376 if !m.scts {
1377 certificate.SignedCertificateTimestamps = nil
1378 }
1379 marshalCertificate(b, certificate)
1380 })
1381
1382 var err error
1383 m.raw, err = b.Bytes()
1384 return m.raw, err
1385 }
1386
1387 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
1388 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1389 for i, cert := range certificate.Certificate {
1390 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1391 b.AddBytes(cert)
1392 })
1393 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1394 if i > 0 {
1395
1396 return
1397 }
1398 if certificate.OCSPStaple != nil {
1399 b.AddUint16(extensionStatusRequest)
1400 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1401 b.AddUint8(statusTypeOCSP)
1402 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1403 b.AddBytes(certificate.OCSPStaple)
1404 })
1405 })
1406 }
1407 if certificate.SignedCertificateTimestamps != nil {
1408 b.AddUint16(extensionSCT)
1409 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1410 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1411 for _, sct := range certificate.SignedCertificateTimestamps {
1412 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1413 b.AddBytes(sct)
1414 })
1415 }
1416 })
1417 })
1418 }
1419 })
1420 }
1421 })
1422 }
1423
1424 func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
1425 *m = certificateMsgTLS13{raw: data}
1426 s := cryptobyte.String(data)
1427
1428 var context cryptobyte.String
1429 if !s.Skip(4) ||
1430 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
1431 !unmarshalCertificate(&s, &m.certificate) ||
1432 !s.Empty() {
1433 return false
1434 }
1435
1436 m.scts = m.certificate.SignedCertificateTimestamps != nil
1437 m.ocspStapling = m.certificate.OCSPStaple != nil
1438
1439 return true
1440 }
1441
1442 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
1443 var certList cryptobyte.String
1444 if !s.ReadUint24LengthPrefixed(&certList) {
1445 return false
1446 }
1447 for !certList.Empty() {
1448 var cert []byte
1449 var extensions cryptobyte.String
1450 if !readUint24LengthPrefixed(&certList, &cert) ||
1451 !certList.ReadUint16LengthPrefixed(&extensions) {
1452 return false
1453 }
1454 certificate.Certificate = append(certificate.Certificate, cert)
1455 for !extensions.Empty() {
1456 var extension uint16
1457 var extData cryptobyte.String
1458 if !extensions.ReadUint16(&extension) ||
1459 !extensions.ReadUint16LengthPrefixed(&extData) {
1460 return false
1461 }
1462 if len(certificate.Certificate) > 1 {
1463
1464 continue
1465 }
1466
1467 switch extension {
1468 case extensionStatusRequest:
1469 var statusType uint8
1470 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
1471 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
1472 len(certificate.OCSPStaple) == 0 {
1473 return false
1474 }
1475 case extensionSCT:
1476 var sctList cryptobyte.String
1477 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
1478 return false
1479 }
1480 for !sctList.Empty() {
1481 var sct []byte
1482 if !readUint16LengthPrefixed(&sctList, &sct) ||
1483 len(sct) == 0 {
1484 return false
1485 }
1486 certificate.SignedCertificateTimestamps = append(
1487 certificate.SignedCertificateTimestamps, sct)
1488 }
1489 default:
1490
1491 continue
1492 }
1493
1494 if !extData.Empty() {
1495 return false
1496 }
1497 }
1498 }
1499 return true
1500 }
1501
1502 type serverKeyExchangeMsg struct {
1503 raw []byte
1504 key []byte
1505 }
1506
1507 func (m *serverKeyExchangeMsg) marshal() ([]byte, error) {
1508 if m.raw != nil {
1509 return m.raw, nil
1510 }
1511 length := len(m.key)
1512 x := make([]byte, length+4)
1513 x[0] = typeServerKeyExchange
1514 x[1] = uint8(length >> 16)
1515 x[2] = uint8(length >> 8)
1516 x[3] = uint8(length)
1517 copy(x[4:], m.key)
1518
1519 m.raw = x
1520 return x, nil
1521 }
1522
1523 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
1524 m.raw = data
1525 if len(data) < 4 {
1526 return false
1527 }
1528 m.key = data[4:]
1529 return true
1530 }
1531
1532 type certificateStatusMsg struct {
1533 raw []byte
1534 response []byte
1535 }
1536
1537 func (m *certificateStatusMsg) marshal() ([]byte, error) {
1538 if m.raw != nil {
1539 return m.raw, nil
1540 }
1541
1542 var b cryptobyte.Builder
1543 b.AddUint8(typeCertificateStatus)
1544 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1545 b.AddUint8(statusTypeOCSP)
1546 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1547 b.AddBytes(m.response)
1548 })
1549 })
1550
1551 var err error
1552 m.raw, err = b.Bytes()
1553 return m.raw, err
1554 }
1555
1556 func (m *certificateStatusMsg) unmarshal(data []byte) bool {
1557 m.raw = data
1558 s := cryptobyte.String(data)
1559
1560 var statusType uint8
1561 if !s.Skip(4) ||
1562 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
1563 !readUint24LengthPrefixed(&s, &m.response) ||
1564 len(m.response) == 0 || !s.Empty() {
1565 return false
1566 }
1567 return true
1568 }
1569
1570 type serverHelloDoneMsg struct{}
1571
1572 func (m *serverHelloDoneMsg) marshal() ([]byte, error) {
1573 x := make([]byte, 4)
1574 x[0] = typeServerHelloDone
1575 return x, nil
1576 }
1577
1578 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
1579 return len(data) == 4
1580 }
1581
1582 type clientKeyExchangeMsg struct {
1583 raw []byte
1584 ciphertext []byte
1585 }
1586
1587 func (m *clientKeyExchangeMsg) marshal() ([]byte, error) {
1588 if m.raw != nil {
1589 return m.raw, nil
1590 }
1591 length := len(m.ciphertext)
1592 x := make([]byte, length+4)
1593 x[0] = typeClientKeyExchange
1594 x[1] = uint8(length >> 16)
1595 x[2] = uint8(length >> 8)
1596 x[3] = uint8(length)
1597 copy(x[4:], m.ciphertext)
1598
1599 m.raw = x
1600 return x, nil
1601 }
1602
1603 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
1604 m.raw = data
1605 if len(data) < 4 {
1606 return false
1607 }
1608 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1609 if l != len(data)-4 {
1610 return false
1611 }
1612 m.ciphertext = data[4:]
1613 return true
1614 }
1615
1616 type finishedMsg struct {
1617 raw []byte
1618 verifyData []byte
1619 }
1620
1621 func (m *finishedMsg) marshal() ([]byte, error) {
1622 if m.raw != nil {
1623 return m.raw, nil
1624 }
1625
1626 var b cryptobyte.Builder
1627 b.AddUint8(typeFinished)
1628 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1629 b.AddBytes(m.verifyData)
1630 })
1631
1632 var err error
1633 m.raw, err = b.Bytes()
1634 return m.raw, err
1635 }
1636
1637 func (m *finishedMsg) unmarshal(data []byte) bool {
1638 m.raw = data
1639 s := cryptobyte.String(data)
1640 return s.Skip(1) &&
1641 readUint24LengthPrefixed(&s, &m.verifyData) &&
1642 s.Empty()
1643 }
1644
1645 type certificateRequestMsg struct {
1646 raw []byte
1647
1648
1649 hasSignatureAlgorithm bool
1650
1651 certificateTypes []byte
1652 supportedSignatureAlgorithms []SignatureScheme
1653 certificateAuthorities [][]byte
1654 }
1655
1656 func (m *certificateRequestMsg) marshal() ([]byte, error) {
1657 if m.raw != nil {
1658 return m.raw, nil
1659 }
1660
1661
1662 length := 1 + len(m.certificateTypes) + 2
1663 casLength := 0
1664 for _, ca := range m.certificateAuthorities {
1665 casLength += 2 + len(ca)
1666 }
1667 length += casLength
1668
1669 if m.hasSignatureAlgorithm {
1670 length += 2 + 2*len(m.supportedSignatureAlgorithms)
1671 }
1672
1673 x := make([]byte, 4+length)
1674 x[0] = typeCertificateRequest
1675 x[1] = uint8(length >> 16)
1676 x[2] = uint8(length >> 8)
1677 x[3] = uint8(length)
1678
1679 x[4] = uint8(len(m.certificateTypes))
1680
1681 copy(x[5:], m.certificateTypes)
1682 y := x[5+len(m.certificateTypes):]
1683
1684 if m.hasSignatureAlgorithm {
1685 n := len(m.supportedSignatureAlgorithms) * 2
1686 y[0] = uint8(n >> 8)
1687 y[1] = uint8(n)
1688 y = y[2:]
1689 for _, sigAlgo := range m.supportedSignatureAlgorithms {
1690 y[0] = uint8(sigAlgo >> 8)
1691 y[1] = uint8(sigAlgo)
1692 y = y[2:]
1693 }
1694 }
1695
1696 y[0] = uint8(casLength >> 8)
1697 y[1] = uint8(casLength)
1698 y = y[2:]
1699 for _, ca := range m.certificateAuthorities {
1700 y[0] = uint8(len(ca) >> 8)
1701 y[1] = uint8(len(ca))
1702 y = y[2:]
1703 copy(y, ca)
1704 y = y[len(ca):]
1705 }
1706
1707 m.raw = x
1708 return m.raw, nil
1709 }
1710
1711 func (m *certificateRequestMsg) unmarshal(data []byte) bool {
1712 m.raw = data
1713
1714 if len(data) < 5 {
1715 return false
1716 }
1717
1718 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1719 if uint32(len(data))-4 != length {
1720 return false
1721 }
1722
1723 numCertTypes := int(data[4])
1724 data = data[5:]
1725 if numCertTypes == 0 || len(data) <= numCertTypes {
1726 return false
1727 }
1728
1729 m.certificateTypes = make([]byte, numCertTypes)
1730 if copy(m.certificateTypes, data) != numCertTypes {
1731 return false
1732 }
1733
1734 data = data[numCertTypes:]
1735
1736 if m.hasSignatureAlgorithm {
1737 if len(data) < 2 {
1738 return false
1739 }
1740 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
1741 data = data[2:]
1742 if sigAndHashLen&1 != 0 {
1743 return false
1744 }
1745 if len(data) < int(sigAndHashLen) {
1746 return false
1747 }
1748 numSigAlgos := sigAndHashLen / 2
1749 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
1750 for i := range m.supportedSignatureAlgorithms {
1751 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
1752 data = data[2:]
1753 }
1754 }
1755
1756 if len(data) < 2 {
1757 return false
1758 }
1759 casLength := uint16(data[0])<<8 | uint16(data[1])
1760 data = data[2:]
1761 if len(data) < int(casLength) {
1762 return false
1763 }
1764 cas := make([]byte, casLength)
1765 copy(cas, data)
1766 data = data[casLength:]
1767
1768 m.certificateAuthorities = nil
1769 for len(cas) > 0 {
1770 if len(cas) < 2 {
1771 return false
1772 }
1773 caLen := uint16(cas[0])<<8 | uint16(cas[1])
1774 cas = cas[2:]
1775
1776 if len(cas) < int(caLen) {
1777 return false
1778 }
1779
1780 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
1781 cas = cas[caLen:]
1782 }
1783
1784 return len(data) == 0
1785 }
1786
1787 type certificateVerifyMsg struct {
1788 raw []byte
1789 hasSignatureAlgorithm bool
1790 signatureAlgorithm SignatureScheme
1791 signature []byte
1792 }
1793
1794 func (m *certificateVerifyMsg) marshal() ([]byte, error) {
1795 if m.raw != nil {
1796 return m.raw, nil
1797 }
1798
1799 var b cryptobyte.Builder
1800 b.AddUint8(typeCertificateVerify)
1801 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1802 if m.hasSignatureAlgorithm {
1803 b.AddUint16(uint16(m.signatureAlgorithm))
1804 }
1805 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1806 b.AddBytes(m.signature)
1807 })
1808 })
1809
1810 var err error
1811 m.raw, err = b.Bytes()
1812 return m.raw, err
1813 }
1814
1815 func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
1816 m.raw = data
1817 s := cryptobyte.String(data)
1818
1819 if !s.Skip(4) {
1820 return false
1821 }
1822 if m.hasSignatureAlgorithm {
1823 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
1824 return false
1825 }
1826 }
1827 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
1828 }
1829
1830 type newSessionTicketMsg struct {
1831 raw []byte
1832 ticket []byte
1833 }
1834
1835 func (m *newSessionTicketMsg) marshal() ([]byte, error) {
1836 if m.raw != nil {
1837 return m.raw, nil
1838 }
1839
1840
1841 ticketLen := len(m.ticket)
1842 length := 2 + 4 + ticketLen
1843 x := make([]byte, 4+length)
1844 x[0] = typeNewSessionTicket
1845 x[1] = uint8(length >> 16)
1846 x[2] = uint8(length >> 8)
1847 x[3] = uint8(length)
1848 x[8] = uint8(ticketLen >> 8)
1849 x[9] = uint8(ticketLen)
1850 copy(x[10:], m.ticket)
1851
1852 m.raw = x
1853
1854 return m.raw, nil
1855 }
1856
1857 func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
1858 m.raw = data
1859
1860 if len(data) < 10 {
1861 return false
1862 }
1863
1864 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1865 if uint32(len(data))-4 != length {
1866 return false
1867 }
1868
1869 ticketLen := int(data[8])<<8 + int(data[9])
1870 if len(data)-10 != ticketLen {
1871 return false
1872 }
1873
1874 m.ticket = data[10:]
1875
1876 return true
1877 }
1878
1879 type helloRequestMsg struct {
1880 }
1881
1882 func (*helloRequestMsg) marshal() ([]byte, error) {
1883 return []byte{typeHelloRequest, 0, 0, 0}, nil
1884 }
1885
1886 func (*helloRequestMsg) unmarshal(data []byte) bool {
1887 return len(data) == 4
1888 }
1889
1890 type transcriptHash interface {
1891 Write([]byte) (int, error)
1892 }
1893
1894
1895
1896 func transcriptMsg(msg handshakeMessage, h transcriptHash) error {
1897 data, err := msg.marshal()
1898 if err != nil {
1899 return err
1900 }
1901 h.Write(data)
1902 return nil
1903 }
1904
View as plain text