Source file src/crypto/tls/handshake_messages.go 

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"errors"
     9  	"fmt"
    10  	"slices"
    11  	"strings"
    12  
    13  	"golang.org/x/crypto/cryptobyte"
    14  )
    15  
    16  // The marshalingFunction type is an adapter to allow the use of ordinary
    17  // functions as cryptobyte.MarshalingValue.
    18  type marshalingFunction func(b *cryptobyte.Builder) error
    19  
    20  func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
    21  	return f(b)
    22  }
    23  
    24  // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
    25  // the length of the sequence is not the value specified, it produces an error.
    26  func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
    27  	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
    28  		if len(v) != n {
    29  			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
    30  		}
    31  		b.AddBytes(v)
    32  		return nil
    33  	}))
    34  }
    35  
    36  // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
    37  func addUint64(b *cryptobyte.Builder, v uint64) {
    38  	b.AddUint32(uint32(v >> 32))
    39  	b.AddUint32(uint32(v))
    40  }
    41  
    42  // readUint64 decodes a big-endian, 64-bit value into out and advances over it.
    43  // It reports whether the read was successful.
    44  func readUint64(s *cryptobyte.String, out *uint64) bool {
    45  	var hi, lo uint32
    46  	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
    47  		return false
    48  	}
    49  	*out = uint64(hi)<<32 | uint64(lo)
    50  	return true
    51  }
    52  
    53  // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
    54  // []byte instead of a cryptobyte.String.
    55  func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    56  	return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
    57  }
    58  
    59  // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
    60  // []byte instead of a cryptobyte.String.
    61  func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    62  	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
    63  }
    64  
    65  // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
    66  // []byte instead of a cryptobyte.String.
    67  func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    68  	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
    69  }
    70  
    71  type clientHelloMsg struct {
    72  	original                         []byte
    73  	vers                             uint16
    74  	random                           []byte
    75  	sessionId                        []byte
    76  	cipherSuites                     []uint16
    77  	compressionMethods               []uint8
    78  	serverName                       string
    79  	ocspStapling                     bool
    80  	supportedCurves                  []CurveID
    81  	supportedPoints                  []uint8
    82  	ticketSupported                  bool
    83  	sessionTicket                    []uint8
    84  	supportedSignatureAlgorithms     []SignatureScheme
    85  	supportedSignatureAlgorithmsCert []SignatureScheme
    86  	secureRenegotiationSupported     bool
    87  	secureRenegotiation              []byte
    88  	extendedMasterSecret             bool
    89  	alpnProtocols                    []string
    90  	scts                             bool
    91  	supportedVersions                []uint16
    92  	cookie                           []byte
    93  	keyShares                        []keyShare
    94  	earlyData                        bool
    95  	pskModes                         []uint8
    96  	pskIdentities                    []pskIdentity
    97  	pskBinders                       [][]byte
    98  	quicTransportParameters          []byte
    99  	encryptedClientHello             []byte
   100  	// extensions are only populated on the server-side of a handshake
   101  	extensions []uint16
   102  }
   103  
   104  func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
   105  	var exts cryptobyte.Builder
   106  	if len(m.serverName) > 0 {
   107  		// RFC 6066, Section 3
   108  		exts.AddUint16(extensionServerName)
   109  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   110  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   111  				exts.AddUint8(0) // name_type = host_name
   112  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   113  					exts.AddBytes([]byte(m.serverName))
   114  				})
   115  			})
   116  		})
   117  	}
   118  	if len(m.supportedPoints) > 0 && !echInner {
   119  		// RFC 4492, Section 5.1.2
   120  		exts.AddUint16(extensionSupportedPoints)
   121  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   122  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   123  				exts.AddBytes(m.supportedPoints)
   124  			})
   125  		})
   126  	}
   127  	if m.ticketSupported && !echInner {
   128  		// RFC 5077, Section 3.2
   129  		exts.AddUint16(extensionSessionTicket)
   130  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   131  			exts.AddBytes(m.sessionTicket)
   132  		})
   133  	}
   134  	if m.secureRenegotiationSupported && !echInner {
   135  		// RFC 5746, Section 3.2
   136  		exts.AddUint16(extensionRenegotiationInfo)
   137  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   138  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   139  				exts.AddBytes(m.secureRenegotiation)
   140  			})
   141  		})
   142  	}
   143  	if m.extendedMasterSecret && !echInner {
   144  		// RFC 7627
   145  		exts.AddUint16(extensionExtendedMasterSecret)
   146  		exts.AddUint16(0) // empty extension_data
   147  	}
   148  	if m.scts {
   149  		// RFC 6962, Section 3.3.1
   150  		exts.AddUint16(extensionSCT)
   151  		exts.AddUint16(0) // empty extension_data
   152  	}
   153  	if m.earlyData {
   154  		// RFC 8446, Section 4.2.10
   155  		exts.AddUint16(extensionEarlyData)
   156  		exts.AddUint16(0) // empty extension_data
   157  	}
   158  	if m.quicTransportParameters != nil { // marshal zero-length parameters when present
   159  		// RFC 9001, Section 8.2
   160  		exts.AddUint16(extensionQUICTransportParameters)
   161  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   162  			exts.AddBytes(m.quicTransportParameters)
   163  		})
   164  	}
   165  	if len(m.encryptedClientHello) > 0 {
   166  		exts.AddUint16(extensionEncryptedClientHello)
   167  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   168  			exts.AddBytes(m.encryptedClientHello)
   169  		})
   170  	}
   171  	// Note that any extension that can be compressed during ECH must be
   172  	// contiguous. If any additional extensions are to be compressed they must
   173  	// be added to the following block, so that they can be properly
   174  	// decompressed on the other side.
   175  	var echOuterExts []uint16
   176  	if m.ocspStapling {
   177  		// RFC 4366, Section 3.6
   178  		if echInner {
   179  			echOuterExts = append(echOuterExts, extensionStatusRequest)
   180  		} else {
   181  			exts.AddUint16(extensionStatusRequest)
   182  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   183  				exts.AddUint8(1)  // status_type = ocsp
   184  				exts.AddUint16(0) // empty responder_id_list
   185  				exts.AddUint16(0) // empty request_extensions
   186  			})
   187  		}
   188  	}
   189  	if len(m.supportedCurves) > 0 {
   190  		// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   191  		if echInner {
   192  			echOuterExts = append(echOuterExts, extensionSupportedCurves)
   193  		} else {
   194  			exts.AddUint16(extensionSupportedCurves)
   195  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   196  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   197  					for _, curve := range m.supportedCurves {
   198  						exts.AddUint16(uint16(curve))
   199  					}
   200  				})
   201  			})
   202  		}
   203  	}
   204  	if len(m.supportedSignatureAlgorithms) > 0 {
   205  		// RFC 5246, Section 7.4.1.4.1
   206  		if echInner {
   207  			echOuterExts = append(echOuterExts, extensionSignatureAlgorithms)
   208  		} else {
   209  			exts.AddUint16(extensionSignatureAlgorithms)
   210  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   211  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   212  					for _, sigAlgo := range m.supportedSignatureAlgorithms {
   213  						exts.AddUint16(uint16(sigAlgo))
   214  					}
   215  				})
   216  			})
   217  		}
   218  	}
   219  	if len(m.supportedSignatureAlgorithmsCert) > 0 {
   220  		// RFC 8446, Section 4.2.3
   221  		if echInner {
   222  			echOuterExts = append(echOuterExts, extensionSignatureAlgorithmsCert)
   223  		} else {
   224  			exts.AddUint16(extensionSignatureAlgorithmsCert)
   225  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   226  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   227  					for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
   228  						exts.AddUint16(uint16(sigAlgo))
   229  					}
   230  				})
   231  			})
   232  		}
   233  	}
   234  	if len(m.alpnProtocols) > 0 {
   235  		// RFC 7301, Section 3.1
   236  		if echInner {
   237  			echOuterExts = append(echOuterExts, extensionALPN)
   238  		} else {
   239  			exts.AddUint16(extensionALPN)
   240  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   241  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   242  					for _, proto := range m.alpnProtocols {
   243  						exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   244  							exts.AddBytes([]byte(proto))
   245  						})
   246  					}
   247  				})
   248  			})
   249  		}
   250  	}
   251  	if len(m.supportedVersions) > 0 {
   252  		// RFC 8446, Section 4.2.1
   253  		if echInner {
   254  			echOuterExts = append(echOuterExts, extensionSupportedVersions)
   255  		} else {
   256  			exts.AddUint16(extensionSupportedVersions)
   257  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   258  				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   259  					for _, vers := range m.supportedVersions {
   260  						exts.AddUint16(vers)
   261  					}
   262  				})
   263  			})
   264  		}
   265  	}
   266  	if len(m.cookie) > 0 {
   267  		// RFC 8446, Section 4.2.2
   268  		if echInner {
   269  			echOuterExts = append(echOuterExts, extensionCookie)
   270  		} else {
   271  			exts.AddUint16(extensionCookie)
   272  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   273  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   274  					exts.AddBytes(m.cookie)
   275  				})
   276  			})
   277  		}
   278  	}
   279  	if len(m.keyShares) > 0 {
   280  		// RFC 8446, Section 4.2.8
   281  		if echInner {
   282  			echOuterExts = append(echOuterExts, extensionKeyShare)
   283  		} else {
   284  			exts.AddUint16(extensionKeyShare)
   285  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   286  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   287  					for _, ks := range m.keyShares {
   288  						exts.AddUint16(uint16(ks.group))
   289  						exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   290  							exts.AddBytes(ks.data)
   291  						})
   292  					}
   293  				})
   294  			})
   295  		}
   296  	}
   297  	if len(m.pskModes) > 0 {
   298  		// RFC 8446, Section 4.2.9
   299  		if echInner {
   300  			echOuterExts = append(echOuterExts, extensionPSKModes)
   301  		} else {
   302  			exts.AddUint16(extensionPSKModes)
   303  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   304  				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   305  					exts.AddBytes(m.pskModes)
   306  				})
   307  			})
   308  		}
   309  	}
   310  	if len(echOuterExts) > 0 && echInner {
   311  		exts.AddUint16(extensionECHOuterExtensions)
   312  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   313  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   314  				for _, e := range echOuterExts {
   315  					exts.AddUint16(e)
   316  				}
   317  			})
   318  		})
   319  	}
   320  	if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension
   321  		// RFC 8446, Section 4.2.11
   322  		exts.AddUint16(extensionPreSharedKey)
   323  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   324  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   325  				for _, psk := range m.pskIdentities {
   326  					exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   327  						exts.AddBytes(psk.label)
   328  					})
   329  					exts.AddUint32(psk.obfuscatedTicketAge)
   330  				}
   331  			})
   332  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   333  				for _, binder := range m.pskBinders {
   334  					exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   335  						exts.AddBytes(binder)
   336  					})
   337  				}
   338  			})
   339  		})
   340  	}
   341  	extBytes, err := exts.Bytes()
   342  	if err != nil {
   343  		return nil, err
   344  	}
   345  
   346  	var b cryptobyte.Builder
   347  	b.AddUint8(typeClientHello)
   348  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   349  		b.AddUint16(m.vers)
   350  		addBytesWithLength(b, m.random, 32)
   351  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   352  			if !echInner {
   353  				b.AddBytes(m.sessionId)
   354  			}
   355  		})
   356  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   357  			for _, suite := range m.cipherSuites {
   358  				b.AddUint16(suite)
   359  			}
   360  		})
   361  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   362  			b.AddBytes(m.compressionMethods)
   363  		})
   364  
   365  		if len(extBytes) > 0 {
   366  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   367  				b.AddBytes(extBytes)
   368  			})
   369  		}
   370  	})
   371  
   372  	return b.Bytes()
   373  }
   374  
   375  func (m *clientHelloMsg) marshal() ([]byte, error) {
   376  	return m.marshalMsg(false)
   377  }
   378  
   379  // marshalWithoutBinders returns the ClientHello through the
   380  // PreSharedKeyExtension.identities field, according to RFC 8446, Section
   381  // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.
   382  func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) {
   383  	bindersLen := 2 // uint16 length prefix
   384  	for _, binder := range m.pskBinders {
   385  		bindersLen += 1 // uint8 length prefix
   386  		bindersLen += len(binder)
   387  	}
   388  
   389  	var fullMessage []byte
   390  	if m.original != nil {
   391  		fullMessage = m.original
   392  	} else {
   393  		var err error
   394  		fullMessage, err = m.marshal()
   395  		if err != nil {
   396  			return nil, err
   397  		}
   398  	}
   399  	return fullMessage[:len(fullMessage)-bindersLen], nil
   400  }
   401  
   402  // updateBinders updates the m.pskBinders field. The supplied binders must have
   403  // the same length as the current m.pskBinders.
   404  func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error {
   405  	if len(pskBinders) != len(m.pskBinders) {
   406  		return errors.New("tls: internal error: pskBinders length mismatch")
   407  	}
   408  	for i := range m.pskBinders {
   409  		if len(pskBinders[i]) != len(m.pskBinders[i]) {
   410  			return errors.New("tls: internal error: pskBinders length mismatch")
   411  		}
   412  	}
   413  	m.pskBinders = pskBinders
   414  
   415  	return nil
   416  }
   417  
   418  func (m *clientHelloMsg) unmarshal(data []byte) bool {
   419  	*m = clientHelloMsg{original: data}
   420  	s := cryptobyte.String(data)
   421  
   422  	if !s.Skip(4) || // message type and uint24 length field
   423  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   424  		!readUint8LengthPrefixed(&s, &m.sessionId) {
   425  		return false
   426  	}
   427  
   428  	var cipherSuites cryptobyte.String
   429  	if !s.ReadUint16LengthPrefixed(&cipherSuites) {
   430  		return false
   431  	}
   432  	m.cipherSuites = []uint16{}
   433  	m.secureRenegotiationSupported = false
   434  	for !cipherSuites.Empty() {
   435  		var suite uint16
   436  		if !cipherSuites.ReadUint16(&suite) {
   437  			return false
   438  		}
   439  		if suite == scsvRenegotiation {
   440  			m.secureRenegotiationSupported = true
   441  		}
   442  		m.cipherSuites = append(m.cipherSuites, suite)
   443  	}
   444  
   445  	if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
   446  		return false
   447  	}
   448  
   449  	if s.Empty() {
   450  		// ClientHello is optionally followed by extension data
   451  		return true
   452  	}
   453  
   454  	var extensions cryptobyte.String
   455  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   456  		return false
   457  	}
   458  
   459  	seenExts := make(map[uint16]bool)
   460  	for !extensions.Empty() {
   461  		var extension uint16
   462  		var extData cryptobyte.String
   463  		if !extensions.ReadUint16(&extension) ||
   464  			!extensions.ReadUint16LengthPrefixed(&extData) {
   465  			return false
   466  		}
   467  
   468  		if seenExts[extension] {
   469  			return false
   470  		}
   471  		seenExts[extension] = true
   472  		m.extensions = append(m.extensions, extension)
   473  
   474  		switch extension {
   475  		case extensionServerName:
   476  			// RFC 6066, Section 3
   477  			var nameList cryptobyte.String
   478  			if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
   479  				return false
   480  			}
   481  			for !nameList.Empty() {
   482  				var nameType uint8
   483  				var serverName cryptobyte.String
   484  				if !nameList.ReadUint8(&nameType) ||
   485  					!nameList.ReadUint16LengthPrefixed(&serverName) ||
   486  					serverName.Empty() {
   487  					return false
   488  				}
   489  				if nameType != 0 {
   490  					continue
   491  				}
   492  				if len(m.serverName) != 0 {
   493  					// Multiple names of the same name_type are prohibited.
   494  					return false
   495  				}
   496  				m.serverName = string(serverName)
   497  				// An SNI value may not include a trailing dot.
   498  				if strings.HasSuffix(m.serverName, ".") {
   499  					return false
   500  				}
   501  			}
   502  		case extensionStatusRequest:
   503  			// RFC 4366, Section 3.6
   504  			var statusType uint8
   505  			var ignored cryptobyte.String
   506  			if !extData.ReadUint8(&statusType) ||
   507  				!extData.ReadUint16LengthPrefixed(&ignored) ||
   508  				!extData.ReadUint16LengthPrefixed(&ignored) {
   509  				return false
   510  			}
   511  			m.ocspStapling = statusType == statusTypeOCSP
   512  		case extensionSupportedCurves:
   513  			// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   514  			var curves cryptobyte.String
   515  			if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
   516  				return false
   517  			}
   518  			for !curves.Empty() {
   519  				var curve uint16
   520  				if !curves.ReadUint16(&curve) {
   521  					return false
   522  				}
   523  				m.supportedCurves = append(m.supportedCurves, CurveID(curve))
   524  			}
   525  		case extensionSupportedPoints:
   526  			// RFC 4492, Section 5.1.2
   527  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   528  				len(m.supportedPoints) == 0 {
   529  				return false
   530  			}
   531  		case extensionSessionTicket:
   532  			// RFC 5077, Section 3.2
   533  			m.ticketSupported = true
   534  			extData.ReadBytes(&m.sessionTicket, len(extData))
   535  		case extensionSignatureAlgorithms:
   536  			// RFC 5246, Section 7.4.1.4.1
   537  			var sigAndAlgs cryptobyte.String
   538  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   539  				return false
   540  			}
   541  			for !sigAndAlgs.Empty() {
   542  				var sigAndAlg uint16
   543  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   544  					return false
   545  				}
   546  				m.supportedSignatureAlgorithms = append(
   547  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
   548  			}
   549  		case extensionSignatureAlgorithmsCert:
   550  			// RFC 8446, Section 4.2.3
   551  			var sigAndAlgs cryptobyte.String
   552  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   553  				return false
   554  			}
   555  			for !sigAndAlgs.Empty() {
   556  				var sigAndAlg uint16
   557  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   558  					return false
   559  				}
   560  				m.supportedSignatureAlgorithmsCert = append(
   561  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
   562  			}
   563  		case extensionRenegotiationInfo:
   564  			// RFC 5746, Section 3.2
   565  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   566  				return false
   567  			}
   568  			m.secureRenegotiationSupported = true
   569  		case extensionExtendedMasterSecret:
   570  			// RFC 7627
   571  			m.extendedMasterSecret = true
   572  		case extensionALPN:
   573  			// RFC 7301, Section 3.1
   574  			var protoList cryptobyte.String
   575  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   576  				return false
   577  			}
   578  			for !protoList.Empty() {
   579  				var proto cryptobyte.String
   580  				if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
   581  					return false
   582  				}
   583  				m.alpnProtocols = append(m.alpnProtocols, string(proto))
   584  			}
   585  		case extensionSCT:
   586  			// RFC 6962, Section 3.3.1
   587  			m.scts = true
   588  		case extensionSupportedVersions:
   589  			// RFC 8446, Section 4.2.1
   590  			var versList cryptobyte.String
   591  			if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
   592  				return false
   593  			}
   594  			for !versList.Empty() {
   595  				var vers uint16
   596  				if !versList.ReadUint16(&vers) {
   597  					return false
   598  				}
   599  				m.supportedVersions = append(m.supportedVersions, vers)
   600  			}
   601  		case extensionCookie:
   602  			// RFC 8446, Section 4.2.2
   603  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   604  				len(m.cookie) == 0 {
   605  				return false
   606  			}
   607  		case extensionKeyShare:
   608  			// RFC 8446, Section 4.2.8
   609  			var clientShares cryptobyte.String
   610  			if !extData.ReadUint16LengthPrefixed(&clientShares) {
   611  				return false
   612  			}
   613  			for !clientShares.Empty() {
   614  				var ks keyShare
   615  				if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
   616  					!readUint16LengthPrefixed(&clientShares, &ks.data) ||
   617  					len(ks.data) == 0 {
   618  					return false
   619  				}
   620  				m.keyShares = append(m.keyShares, ks)
   621  			}
   622  		case extensionEarlyData:
   623  			// RFC 8446, Section 4.2.10
   624  			m.earlyData = true
   625  		case extensionPSKModes:
   626  			// RFC 8446, Section 4.2.9
   627  			if !readUint8LengthPrefixed(&extData, &m.pskModes) {
   628  				return false
   629  			}
   630  		case extensionQUICTransportParameters:
   631  			m.quicTransportParameters = make([]byte, len(extData))
   632  			if !extData.CopyBytes(m.quicTransportParameters) {
   633  				return false
   634  			}
   635  		case extensionPreSharedKey:
   636  			// RFC 8446, Section 4.2.11
   637  			if !extensions.Empty() {
   638  				return false // pre_shared_key must be the last extension
   639  			}
   640  			var identities cryptobyte.String
   641  			if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
   642  				return false
   643  			}
   644  			for !identities.Empty() {
   645  				var psk pskIdentity
   646  				if !readUint16LengthPrefixed(&identities, &psk.label) ||
   647  					!identities.ReadUint32(&psk.obfuscatedTicketAge) ||
   648  					len(psk.label) == 0 {
   649  					return false
   650  				}
   651  				m.pskIdentities = append(m.pskIdentities, psk)
   652  			}
   653  			var binders cryptobyte.String
   654  			if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
   655  				return false
   656  			}
   657  			for !binders.Empty() {
   658  				var binder []byte
   659  				if !readUint8LengthPrefixed(&binders, &binder) ||
   660  					len(binder) == 0 {
   661  					return false
   662  				}
   663  				m.pskBinders = append(m.pskBinders, binder)
   664  			}
   665  		case extensionEncryptedClientHello:
   666  			if !extData.ReadBytes(&m.encryptedClientHello, len(extData)) {
   667  				return false
   668  			}
   669  		default:
   670  			// Ignore unknown extensions.
   671  			continue
   672  		}
   673  
   674  		if !extData.Empty() {
   675  			return false
   676  		}
   677  	}
   678  
   679  	return true
   680  }
   681  
   682  func (m *clientHelloMsg) originalBytes() []byte {
   683  	return m.original
   684  }
   685  
   686  func (m *clientHelloMsg) clone() *clientHelloMsg {
   687  	return &clientHelloMsg{
   688  		original:                         slices.Clone(m.original),
   689  		vers:                             m.vers,
   690  		random:                           slices.Clone(m.random),
   691  		sessionId:                        slices.Clone(m.sessionId),
   692  		cipherSuites:                     slices.Clone(m.cipherSuites),
   693  		compressionMethods:               slices.Clone(m.compressionMethods),
   694  		serverName:                       m.serverName,
   695  		ocspStapling:                     m.ocspStapling,
   696  		supportedCurves:                  slices.Clone(m.supportedCurves),
   697  		supportedPoints:                  slices.Clone(m.supportedPoints),
   698  		ticketSupported:                  m.ticketSupported,
   699  		sessionTicket:                    slices.Clone(m.sessionTicket),
   700  		supportedSignatureAlgorithms:     slices.Clone(m.supportedSignatureAlgorithms),
   701  		supportedSignatureAlgorithmsCert: slices.Clone(m.supportedSignatureAlgorithmsCert),
   702  		secureRenegotiationSupported:     m.secureRenegotiationSupported,
   703  		secureRenegotiation:              slices.Clone(m.secureRenegotiation),
   704  		extendedMasterSecret:             m.extendedMasterSecret,
   705  		alpnProtocols:                    slices.Clone(m.alpnProtocols),
   706  		scts:                             m.scts,
   707  		supportedVersions:                slices.Clone(m.supportedVersions),
   708  		cookie:                           slices.Clone(m.cookie),
   709  		keyShares:                        slices.Clone(m.keyShares),
   710  		earlyData:                        m.earlyData,
   711  		pskModes:                         slices.Clone(m.pskModes),
   712  		pskIdentities:                    slices.Clone(m.pskIdentities),
   713  		pskBinders:                       slices.Clone(m.pskBinders),
   714  		quicTransportParameters:          slices.Clone(m.quicTransportParameters),
   715  		encryptedClientHello:             slices.Clone(m.encryptedClientHello),
   716  	}
   717  }
   718  
   719  type serverHelloMsg struct {
   720  	original                     []byte
   721  	vers                         uint16
   722  	random                       []byte
   723  	sessionId                    []byte
   724  	cipherSuite                  uint16
   725  	compressionMethod            uint8
   726  	ocspStapling                 bool
   727  	ticketSupported              bool
   728  	secureRenegotiationSupported bool
   729  	secureRenegotiation          []byte
   730  	extendedMasterSecret         bool
   731  	alpnProtocol                 string
   732  	scts                         [][]byte
   733  	supportedVersion             uint16
   734  	serverShare                  keyShare
   735  	selectedIdentityPresent      bool
   736  	selectedIdentity             uint16
   737  	supportedPoints              []uint8
   738  	encryptedClientHello         []byte
   739  	serverNameAck                bool
   740  
   741  	// HelloRetryRequest extensions
   742  	cookie        []byte
   743  	selectedGroup CurveID
   744  }
   745  
   746  func (m *serverHelloMsg) marshal() ([]byte, error) {
   747  	var exts cryptobyte.Builder
   748  	if m.ocspStapling {
   749  		exts.AddUint16(extensionStatusRequest)
   750  		exts.AddUint16(0) // empty extension_data
   751  	}
   752  	if m.ticketSupported {
   753  		exts.AddUint16(extensionSessionTicket)
   754  		exts.AddUint16(0) // empty extension_data
   755  	}
   756  	if m.secureRenegotiationSupported {
   757  		exts.AddUint16(extensionRenegotiationInfo)
   758  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   759  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   760  				exts.AddBytes(m.secureRenegotiation)
   761  			})
   762  		})
   763  	}
   764  	if m.extendedMasterSecret {
   765  		exts.AddUint16(extensionExtendedMasterSecret)
   766  		exts.AddUint16(0) // empty extension_data
   767  	}
   768  	if len(m.alpnProtocol) > 0 {
   769  		exts.AddUint16(extensionALPN)
   770  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   771  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   772  				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   773  					exts.AddBytes([]byte(m.alpnProtocol))
   774  				})
   775  			})
   776  		})
   777  	}
   778  	if len(m.scts) > 0 {
   779  		exts.AddUint16(extensionSCT)
   780  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   781  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   782  				for _, sct := range m.scts {
   783  					exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   784  						exts.AddBytes(sct)
   785  					})
   786  				}
   787  			})
   788  		})
   789  	}
   790  	if m.supportedVersion != 0 {
   791  		exts.AddUint16(extensionSupportedVersions)
   792  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   793  			exts.AddUint16(m.supportedVersion)
   794  		})
   795  	}
   796  	if m.serverShare.group != 0 {
   797  		exts.AddUint16(extensionKeyShare)
   798  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   799  			exts.AddUint16(uint16(m.serverShare.group))
   800  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   801  				exts.AddBytes(m.serverShare.data)
   802  			})
   803  		})
   804  	}
   805  	if m.selectedIdentityPresent {
   806  		exts.AddUint16(extensionPreSharedKey)
   807  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   808  			exts.AddUint16(m.selectedIdentity)
   809  		})
   810  	}
   811  
   812  	if len(m.cookie) > 0 {
   813  		exts.AddUint16(extensionCookie)
   814  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   815  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   816  				exts.AddBytes(m.cookie)
   817  			})
   818  		})
   819  	}
   820  	if m.selectedGroup != 0 {
   821  		exts.AddUint16(extensionKeyShare)
   822  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   823  			exts.AddUint16(uint16(m.selectedGroup))
   824  		})
   825  	}
   826  	if len(m.supportedPoints) > 0 {
   827  		exts.AddUint16(extensionSupportedPoints)
   828  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   829  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   830  				exts.AddBytes(m.supportedPoints)
   831  			})
   832  		})
   833  	}
   834  	if len(m.encryptedClientHello) > 0 {
   835  		exts.AddUint16(extensionEncryptedClientHello)
   836  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   837  			exts.AddBytes(m.encryptedClientHello)
   838  		})
   839  	}
   840  	if m.serverNameAck {
   841  		exts.AddUint16(extensionServerName)
   842  		exts.AddUint16(0)
   843  	}
   844  
   845  	extBytes, err := exts.Bytes()
   846  	if err != nil {
   847  		return nil, err
   848  	}
   849  
   850  	var b cryptobyte.Builder
   851  	b.AddUint8(typeServerHello)
   852  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   853  		b.AddUint16(m.vers)
   854  		addBytesWithLength(b, m.random, 32)
   855  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   856  			b.AddBytes(m.sessionId)
   857  		})
   858  		b.AddUint16(m.cipherSuite)
   859  		b.AddUint8(m.compressionMethod)
   860  
   861  		if len(extBytes) > 0 {
   862  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   863  				b.AddBytes(extBytes)
   864  			})
   865  		}
   866  	})
   867  
   868  	return b.Bytes()
   869  }
   870  
   871  func (m *serverHelloMsg) unmarshal(data []byte) bool {
   872  	*m = serverHelloMsg{original: data}
   873  	s := cryptobyte.String(data)
   874  
   875  	if !s.Skip(4) || // message type and uint24 length field
   876  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   877  		!readUint8LengthPrefixed(&s, &m.sessionId) ||
   878  		!s.ReadUint16(&m.cipherSuite) ||
   879  		!s.ReadUint8(&m.compressionMethod) {
   880  		return false
   881  	}
   882  
   883  	if s.Empty() {
   884  		// ServerHello is optionally followed by extension data
   885  		return true
   886  	}
   887  
   888  	var extensions cryptobyte.String
   889  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   890  		return false
   891  	}
   892  
   893  	seenExts := make(map[uint16]bool)
   894  	for !extensions.Empty() {
   895  		var extension uint16
   896  		var extData cryptobyte.String
   897  		if !extensions.ReadUint16(&extension) ||
   898  			!extensions.ReadUint16LengthPrefixed(&extData) {
   899  			return false
   900  		}
   901  
   902  		if seenExts[extension] {
   903  			return false
   904  		}
   905  		seenExts[extension] = true
   906  
   907  		switch extension {
   908  		case extensionStatusRequest:
   909  			m.ocspStapling = true
   910  		case extensionSessionTicket:
   911  			m.ticketSupported = true
   912  		case extensionRenegotiationInfo:
   913  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   914  				return false
   915  			}
   916  			m.secureRenegotiationSupported = true
   917  		case extensionExtendedMasterSecret:
   918  			m.extendedMasterSecret = true
   919  		case extensionALPN:
   920  			var protoList cryptobyte.String
   921  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   922  				return false
   923  			}
   924  			var proto cryptobyte.String
   925  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
   926  				proto.Empty() || !protoList.Empty() {
   927  				return false
   928  			}
   929  			m.alpnProtocol = string(proto)
   930  		case extensionSCT:
   931  			var sctList cryptobyte.String
   932  			if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
   933  				return false
   934  			}
   935  			for !sctList.Empty() {
   936  				var sct []byte
   937  				if !readUint16LengthPrefixed(&sctList, &sct) ||
   938  					len(sct) == 0 {
   939  					return false
   940  				}
   941  				m.scts = append(m.scts, sct)
   942  			}
   943  		case extensionSupportedVersions:
   944  			if !extData.ReadUint16(&m.supportedVersion) {
   945  				return false
   946  			}
   947  		case extensionCookie:
   948  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   949  				len(m.cookie) == 0 {
   950  				return false
   951  			}
   952  		case extensionKeyShare:
   953  			// This extension has different formats in SH and HRR, accept either
   954  			// and let the handshake logic decide. See RFC 8446, Section 4.2.8.
   955  			if len(extData) == 2 {
   956  				if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
   957  					return false
   958  				}
   959  			} else {
   960  				if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
   961  					!readUint16LengthPrefixed(&extData, &m.serverShare.data) {
   962  					return false
   963  				}
   964  			}
   965  		case extensionPreSharedKey:
   966  			m.selectedIdentityPresent = true
   967  			if !extData.ReadUint16(&m.selectedIdentity) {
   968  				return false
   969  			}
   970  		case extensionSupportedPoints:
   971  			// RFC 4492, Section 5.1.2
   972  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   973  				len(m.supportedPoints) == 0 {
   974  				return false
   975  			}
   976  		case extensionEncryptedClientHello: // encrypted_client_hello
   977  			m.encryptedClientHello = make([]byte, len(extData))
   978  			if !extData.CopyBytes(m.encryptedClientHello) {
   979  				return false
   980  			}
   981  		case extensionServerName:
   982  			if len(extData) != 0 {
   983  				return false
   984  			}
   985  			m.serverNameAck = true
   986  		default:
   987  			// Ignore unknown extensions.
   988  			continue
   989  		}
   990  
   991  		if !extData.Empty() {
   992  			return false
   993  		}
   994  	}
   995  
   996  	return true
   997  }
   998  
   999  func (m *serverHelloMsg) originalBytes() []byte {
  1000  	return m.original
  1001  }
  1002  
  1003  type encryptedExtensionsMsg struct {
  1004  	alpnProtocol            string
  1005  	quicTransportParameters []byte
  1006  	earlyData               bool
  1007  	echRetryConfigs         []byte
  1008  	serverNameAck           bool
  1009  }
  1010  
  1011  func (m *encryptedExtensionsMsg) marshal() ([]byte, error) {
  1012  	var b cryptobyte.Builder
  1013  	b.AddUint8(typeEncryptedExtensions)
  1014  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1015  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1016  			if len(m.alpnProtocol) > 0 {
  1017  				b.AddUint16(extensionALPN)
  1018  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1019  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1020  						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
  1021  							b.AddBytes([]byte(m.alpnProtocol))
  1022  						})
  1023  					})
  1024  				})
  1025  			}
  1026  			if m.quicTransportParameters != nil { // marshal zero-length parameters when present
  1027  				// draft-ietf-quic-tls-32, Section 8.2
  1028  				b.AddUint16(extensionQUICTransportParameters)
  1029  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1030  					b.AddBytes(m.quicTransportParameters)
  1031  				})
  1032  			}
  1033  			if m.earlyData {
  1034  				// RFC 8446, Section 4.2.10
  1035  				b.AddUint16(extensionEarlyData)
  1036  				b.AddUint16(0) // empty extension_data
  1037  			}
  1038  			if len(m.echRetryConfigs) > 0 {
  1039  				b.AddUint16(extensionEncryptedClientHello)
  1040  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1041  					b.AddBytes(m.echRetryConfigs)
  1042  				})
  1043  			}
  1044  			if m.serverNameAck {
  1045  				b.AddUint16(extensionServerName)
  1046  				b.AddUint16(0) // empty extension_data
  1047  			}
  1048  		})
  1049  	})
  1050  
  1051  	return b.Bytes()
  1052  }
  1053  
  1054  func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
  1055  	*m = encryptedExtensionsMsg{}
  1056  	s := cryptobyte.String(data)
  1057  
  1058  	var extensions cryptobyte.String
  1059  	if !s.Skip(4) || // message type and uint24 length field
  1060  		!s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
  1061  		return false
  1062  	}
  1063  
  1064  	seenExts := make(map[uint16]bool)
  1065  	for !extensions.Empty() {
  1066  		var extension uint16
  1067  		var extData cryptobyte.String
  1068  		if !extensions.ReadUint16(&extension) ||
  1069  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1070  			return false
  1071  		}
  1072  
  1073  		if seenExts[extension] {
  1074  			return false
  1075  		}
  1076  		seenExts[extension] = true
  1077  
  1078  		switch extension {
  1079  		case extensionALPN:
  1080  			var protoList cryptobyte.String
  1081  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
  1082  				return false
  1083  			}
  1084  			var proto cryptobyte.String
  1085  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
  1086  				proto.Empty() || !protoList.Empty() {
  1087  				return false
  1088  			}
  1089  			m.alpnProtocol = string(proto)
  1090  		case extensionQUICTransportParameters:
  1091  			m.quicTransportParameters = make([]byte, len(extData))
  1092  			if !extData.CopyBytes(m.quicTransportParameters) {
  1093  				return false
  1094  			}
  1095  		case extensionEarlyData:
  1096  			// RFC 8446, Section 4.2.10
  1097  			m.earlyData = true
  1098  		case extensionEncryptedClientHello:
  1099  			m.echRetryConfigs = make([]byte, len(extData))
  1100  			if !extData.CopyBytes(m.echRetryConfigs) {
  1101  				return false
  1102  			}
  1103  		case extensionServerName:
  1104  			if len(extData) != 0 {
  1105  				return false
  1106  			}
  1107  			m.serverNameAck = true
  1108  		default:
  1109  			// Ignore unknown extensions.
  1110  			continue
  1111  		}
  1112  
  1113  		if !extData.Empty() {
  1114  			return false
  1115  		}
  1116  	}
  1117  
  1118  	return true
  1119  }
  1120  
  1121  type endOfEarlyDataMsg struct{}
  1122  
  1123  func (m *endOfEarlyDataMsg) marshal() ([]byte, error) {
  1124  	x := make([]byte, 4)
  1125  	x[0] = typeEndOfEarlyData
  1126  	return x, nil
  1127  }
  1128  
  1129  func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
  1130  	return len(data) == 4
  1131  }
  1132  
  1133  type keyUpdateMsg struct {
  1134  	updateRequested bool
  1135  }
  1136  
  1137  func (m *keyUpdateMsg) marshal() ([]byte, error) {
  1138  	var b cryptobyte.Builder
  1139  	b.AddUint8(typeKeyUpdate)
  1140  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1141  		if m.updateRequested {
  1142  			b.AddUint8(1)
  1143  		} else {
  1144  			b.AddUint8(0)
  1145  		}
  1146  	})
  1147  
  1148  	return b.Bytes()
  1149  }
  1150  
  1151  func (m *keyUpdateMsg) unmarshal(data []byte) bool {
  1152  	s := cryptobyte.String(data)
  1153  
  1154  	var updateRequested uint8
  1155  	if !s.Skip(4) || // message type and uint24 length field
  1156  		!s.ReadUint8(&updateRequested) || !s.Empty() {
  1157  		return false
  1158  	}
  1159  	switch updateRequested {
  1160  	case 0:
  1161  		m.updateRequested = false
  1162  	case 1:
  1163  		m.updateRequested = true
  1164  	default:
  1165  		return false
  1166  	}
  1167  	return true
  1168  }
  1169  
  1170  type newSessionTicketMsgTLS13 struct {
  1171  	lifetime     uint32
  1172  	ageAdd       uint32
  1173  	nonce        []byte
  1174  	label        []byte
  1175  	maxEarlyData uint32
  1176  }
  1177  
  1178  func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
  1179  	var b cryptobyte.Builder
  1180  	b.AddUint8(typeNewSessionTicket)
  1181  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1182  		b.AddUint32(m.lifetime)
  1183  		b.AddUint32(m.ageAdd)
  1184  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
  1185  			b.AddBytes(m.nonce)
  1186  		})
  1187  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1188  			b.AddBytes(m.label)
  1189  		})
  1190  
  1191  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1192  			if m.maxEarlyData > 0 {
  1193  				b.AddUint16(extensionEarlyData)
  1194  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1195  					b.AddUint32(m.maxEarlyData)
  1196  				})
  1197  			}
  1198  		})
  1199  	})
  1200  
  1201  	return b.Bytes()
  1202  }
  1203  
  1204  func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
  1205  	*m = newSessionTicketMsgTLS13{}
  1206  	s := cryptobyte.String(data)
  1207  
  1208  	var extensions cryptobyte.String
  1209  	if !s.Skip(4) || // message type and uint24 length field
  1210  		!s.ReadUint32(&m.lifetime) ||
  1211  		!s.ReadUint32(&m.ageAdd) ||
  1212  		!readUint8LengthPrefixed(&s, &m.nonce) ||
  1213  		!readUint16LengthPrefixed(&s, &m.label) ||
  1214  		!s.ReadUint16LengthPrefixed(&extensions) ||
  1215  		!s.Empty() {
  1216  		return false
  1217  	}
  1218  
  1219  	for !extensions.Empty() {
  1220  		var extension uint16
  1221  		var extData cryptobyte.String
  1222  		if !extensions.ReadUint16(&extension) ||
  1223  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1224  			return false
  1225  		}
  1226  
  1227  		switch extension {
  1228  		case extensionEarlyData:
  1229  			if !extData.ReadUint32(&m.maxEarlyData) {
  1230  				return false
  1231  			}
  1232  		default:
  1233  			// Ignore unknown extensions.
  1234  			continue
  1235  		}
  1236  
  1237  		if !extData.Empty() {
  1238  			return false
  1239  		}
  1240  	}
  1241  
  1242  	return true
  1243  }
  1244  
  1245  type certificateRequestMsgTLS13 struct {
  1246  	ocspStapling                     bool
  1247  	scts                             bool
  1248  	supportedSignatureAlgorithms     []SignatureScheme
  1249  	supportedSignatureAlgorithmsCert []SignatureScheme
  1250  	certificateAuthorities           [][]byte
  1251  }
  1252  
  1253  func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) {
  1254  	var b cryptobyte.Builder
  1255  	b.AddUint8(typeCertificateRequest)
  1256  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1257  		// certificate_request_context (SHALL be zero length unless used for
  1258  		// post-handshake authentication)
  1259  		b.AddUint8(0)
  1260  
  1261  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1262  			if m.ocspStapling {
  1263  				b.AddUint16(extensionStatusRequest)
  1264  				b.AddUint16(0) // empty extension_data
  1265  			}
  1266  			if m.scts {
  1267  				// RFC 8446, Section 4.4.2.1 makes no mention of
  1268  				// signed_certificate_timestamp in CertificateRequest, but
  1269  				// "Extensions in the Certificate message from the client MUST
  1270  				// correspond to extensions in the CertificateRequest message
  1271  				// from the server." and it appears in the table in Section 4.2.
  1272  				b.AddUint16(extensionSCT)
  1273  				b.AddUint16(0) // empty extension_data
  1274  			}
  1275  			if len(m.supportedSignatureAlgorithms) > 0 {
  1276  				b.AddUint16(extensionSignatureAlgorithms)
  1277  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1278  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1279  						for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1280  							b.AddUint16(uint16(sigAlgo))
  1281  						}
  1282  					})
  1283  				})
  1284  			}
  1285  			if len(m.supportedSignatureAlgorithmsCert) > 0 {
  1286  				b.AddUint16(extensionSignatureAlgorithmsCert)
  1287  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1288  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1289  						for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
  1290  							b.AddUint16(uint16(sigAlgo))
  1291  						}
  1292  					})
  1293  				})
  1294  			}
  1295  			if len(m.certificateAuthorities) > 0 {
  1296  				b.AddUint16(extensionCertificateAuthorities)
  1297  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1298  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1299  						for _, ca := range m.certificateAuthorities {
  1300  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1301  								b.AddBytes(ca)
  1302  							})
  1303  						}
  1304  					})
  1305  				})
  1306  			}
  1307  		})
  1308  	})
  1309  
  1310  	return b.Bytes()
  1311  }
  1312  
  1313  func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
  1314  	*m = certificateRequestMsgTLS13{}
  1315  	s := cryptobyte.String(data)
  1316  
  1317  	var context, extensions cryptobyte.String
  1318  	if !s.Skip(4) || // message type and uint24 length field
  1319  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1320  		!s.ReadUint16LengthPrefixed(&extensions) ||
  1321  		!s.Empty() {
  1322  		return false
  1323  	}
  1324  
  1325  	for !extensions.Empty() {
  1326  		var extension uint16
  1327  		var extData cryptobyte.String
  1328  		if !extensions.ReadUint16(&extension) ||
  1329  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1330  			return false
  1331  		}
  1332  
  1333  		switch extension {
  1334  		case extensionStatusRequest:
  1335  			m.ocspStapling = true
  1336  		case extensionSCT:
  1337  			m.scts = true
  1338  		case extensionSignatureAlgorithms:
  1339  			var sigAndAlgs cryptobyte.String
  1340  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1341  				return false
  1342  			}
  1343  			for !sigAndAlgs.Empty() {
  1344  				var sigAndAlg uint16
  1345  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1346  					return false
  1347  				}
  1348  				m.supportedSignatureAlgorithms = append(
  1349  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
  1350  			}
  1351  		case extensionSignatureAlgorithmsCert:
  1352  			var sigAndAlgs cryptobyte.String
  1353  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1354  				return false
  1355  			}
  1356  			for !sigAndAlgs.Empty() {
  1357  				var sigAndAlg uint16
  1358  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1359  					return false
  1360  				}
  1361  				m.supportedSignatureAlgorithmsCert = append(
  1362  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
  1363  			}
  1364  		case extensionCertificateAuthorities:
  1365  			var auths cryptobyte.String
  1366  			if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
  1367  				return false
  1368  			}
  1369  			for !auths.Empty() {
  1370  				var ca []byte
  1371  				if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
  1372  					return false
  1373  				}
  1374  				m.certificateAuthorities = append(m.certificateAuthorities, ca)
  1375  			}
  1376  		default:
  1377  			// Ignore unknown extensions.
  1378  			continue
  1379  		}
  1380  
  1381  		if !extData.Empty() {
  1382  			return false
  1383  		}
  1384  	}
  1385  
  1386  	return true
  1387  }
  1388  
  1389  type certificateMsg struct {
  1390  	certificates [][]byte
  1391  }
  1392  
  1393  func (m *certificateMsg) marshal() ([]byte, error) {
  1394  	var i int
  1395  	for _, slice := range m.certificates {
  1396  		i += len(slice)
  1397  	}
  1398  
  1399  	length := 3 + 3*len(m.certificates) + i
  1400  	x := make([]byte, 4+length)
  1401  	x[0] = typeCertificate
  1402  	x[1] = uint8(length >> 16)
  1403  	x[2] = uint8(length >> 8)
  1404  	x[3] = uint8(length)
  1405  
  1406  	certificateOctets := length - 3
  1407  	x[4] = uint8(certificateOctets >> 16)
  1408  	x[5] = uint8(certificateOctets >> 8)
  1409  	x[6] = uint8(certificateOctets)
  1410  
  1411  	y := x[7:]
  1412  	for _, slice := range m.certificates {
  1413  		y[0] = uint8(len(slice) >> 16)
  1414  		y[1] = uint8(len(slice) >> 8)
  1415  		y[2] = uint8(len(slice))
  1416  		copy(y[3:], slice)
  1417  		y = y[3+len(slice):]
  1418  	}
  1419  
  1420  	return x, nil
  1421  }
  1422  
  1423  func (m *certificateMsg) unmarshal(data []byte) bool {
  1424  	if len(data) < 7 {
  1425  		return false
  1426  	}
  1427  
  1428  	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
  1429  	if uint32(len(data)) != certsLen+7 {
  1430  		return false
  1431  	}
  1432  
  1433  	numCerts := 0
  1434  	d := data[7:]
  1435  	for certsLen > 0 {
  1436  		if len(d) < 4 {
  1437  			return false
  1438  		}
  1439  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1440  		if uint32(len(d)) < 3+certLen {
  1441  			return false
  1442  		}
  1443  		d = d[3+certLen:]
  1444  		certsLen -= 3 + certLen
  1445  		numCerts++
  1446  	}
  1447  
  1448  	m.certificates = make([][]byte, numCerts)
  1449  	d = data[7:]
  1450  	for i := 0; i < numCerts; i++ {
  1451  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1452  		m.certificates[i] = d[3 : 3+certLen]
  1453  		d = d[3+certLen:]
  1454  	}
  1455  
  1456  	return true
  1457  }
  1458  
  1459  type certificateMsgTLS13 struct {
  1460  	certificate  Certificate
  1461  	ocspStapling bool
  1462  	scts         bool
  1463  }
  1464  
  1465  func (m *certificateMsgTLS13) marshal() ([]byte, error) {
  1466  	var b cryptobyte.Builder
  1467  	b.AddUint8(typeCertificate)
  1468  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1469  		b.AddUint8(0) // certificate_request_context
  1470  
  1471  		certificate := m.certificate
  1472  		if !m.ocspStapling {
  1473  			certificate.OCSPStaple = nil
  1474  		}
  1475  		if !m.scts {
  1476  			certificate.SignedCertificateTimestamps = nil
  1477  		}
  1478  		marshalCertificate(b, certificate)
  1479  	})
  1480  
  1481  	return b.Bytes()
  1482  }
  1483  
  1484  func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
  1485  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1486  		for i, cert := range certificate.Certificate {
  1487  			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1488  				b.AddBytes(cert)
  1489  			})
  1490  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1491  				if i > 0 {
  1492  					// This library only supports OCSP and SCT for leaf certificates.
  1493  					return
  1494  				}
  1495  				if certificate.OCSPStaple != nil {
  1496  					b.AddUint16(extensionStatusRequest)
  1497  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1498  						b.AddUint8(statusTypeOCSP)
  1499  						b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1500  							b.AddBytes(certificate.OCSPStaple)
  1501  						})
  1502  					})
  1503  				}
  1504  				if certificate.SignedCertificateTimestamps != nil {
  1505  					b.AddUint16(extensionSCT)
  1506  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1507  						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1508  							for _, sct := range certificate.SignedCertificateTimestamps {
  1509  								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1510  									b.AddBytes(sct)
  1511  								})
  1512  							}
  1513  						})
  1514  					})
  1515  				}
  1516  			})
  1517  		}
  1518  	})
  1519  }
  1520  
  1521  func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
  1522  	*m = certificateMsgTLS13{}
  1523  	s := cryptobyte.String(data)
  1524  
  1525  	var context cryptobyte.String
  1526  	if !s.Skip(4) || // message type and uint24 length field
  1527  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1528  		!unmarshalCertificate(&s, &m.certificate) ||
  1529  		!s.Empty() {
  1530  		return false
  1531  	}
  1532  
  1533  	m.scts = m.certificate.SignedCertificateTimestamps != nil
  1534  	m.ocspStapling = m.certificate.OCSPStaple != nil
  1535  
  1536  	return true
  1537  }
  1538  
  1539  func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
  1540  	var certList cryptobyte.String
  1541  	if !s.ReadUint24LengthPrefixed(&certList) {
  1542  		return false
  1543  	}
  1544  	for !certList.Empty() {
  1545  		var cert []byte
  1546  		var extensions cryptobyte.String
  1547  		if !readUint24LengthPrefixed(&certList, &cert) ||
  1548  			!certList.ReadUint16LengthPrefixed(&extensions) {
  1549  			return false
  1550  		}
  1551  		certificate.Certificate = append(certificate.Certificate, cert)
  1552  		for !extensions.Empty() {
  1553  			var extension uint16
  1554  			var extData cryptobyte.String
  1555  			if !extensions.ReadUint16(&extension) ||
  1556  				!extensions.ReadUint16LengthPrefixed(&extData) {
  1557  				return false
  1558  			}
  1559  			if len(certificate.Certificate) > 1 {
  1560  				// This library only supports OCSP and SCT for leaf certificates.
  1561  				continue
  1562  			}
  1563  
  1564  			switch extension {
  1565  			case extensionStatusRequest:
  1566  				var statusType uint8
  1567  				if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1568  					!readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
  1569  					len(certificate.OCSPStaple) == 0 {
  1570  					return false
  1571  				}
  1572  			case extensionSCT:
  1573  				var sctList cryptobyte.String
  1574  				if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
  1575  					return false
  1576  				}
  1577  				for !sctList.Empty() {
  1578  					var sct []byte
  1579  					if !readUint16LengthPrefixed(&sctList, &sct) ||
  1580  						len(sct) == 0 {
  1581  						return false
  1582  					}
  1583  					certificate.SignedCertificateTimestamps = append(
  1584  						certificate.SignedCertificateTimestamps, sct)
  1585  				}
  1586  			default:
  1587  				// Ignore unknown extensions.
  1588  				continue
  1589  			}
  1590  
  1591  			if !extData.Empty() {
  1592  				return false
  1593  			}
  1594  		}
  1595  	}
  1596  	return true
  1597  }
  1598  
  1599  type serverKeyExchangeMsg struct {
  1600  	key []byte
  1601  }
  1602  
  1603  func (m *serverKeyExchangeMsg) marshal() ([]byte, error) {
  1604  	length := len(m.key)
  1605  	x := make([]byte, length+4)
  1606  	x[0] = typeServerKeyExchange
  1607  	x[1] = uint8(length >> 16)
  1608  	x[2] = uint8(length >> 8)
  1609  	x[3] = uint8(length)
  1610  	copy(x[4:], m.key)
  1611  
  1612  	return x, nil
  1613  }
  1614  
  1615  func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
  1616  	if len(data) < 4 {
  1617  		return false
  1618  	}
  1619  	m.key = data[4:]
  1620  	return true
  1621  }
  1622  
  1623  type certificateStatusMsg struct {
  1624  	response []byte
  1625  }
  1626  
  1627  func (m *certificateStatusMsg) marshal() ([]byte, error) {
  1628  	var b cryptobyte.Builder
  1629  	b.AddUint8(typeCertificateStatus)
  1630  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1631  		b.AddUint8(statusTypeOCSP)
  1632  		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1633  			b.AddBytes(m.response)
  1634  		})
  1635  	})
  1636  
  1637  	return b.Bytes()
  1638  }
  1639  
  1640  func (m *certificateStatusMsg) unmarshal(data []byte) bool {
  1641  	s := cryptobyte.String(data)
  1642  
  1643  	var statusType uint8
  1644  	if !s.Skip(4) || // message type and uint24 length field
  1645  		!s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1646  		!readUint24LengthPrefixed(&s, &m.response) ||
  1647  		len(m.response) == 0 || !s.Empty() {
  1648  		return false
  1649  	}
  1650  	return true
  1651  }
  1652  
  1653  type serverHelloDoneMsg struct{}
  1654  
  1655  func (m *serverHelloDoneMsg) marshal() ([]byte, error) {
  1656  	x := make([]byte, 4)
  1657  	x[0] = typeServerHelloDone
  1658  	return x, nil
  1659  }
  1660  
  1661  func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
  1662  	return len(data) == 4
  1663  }
  1664  
  1665  type clientKeyExchangeMsg struct {
  1666  	ciphertext []byte
  1667  }
  1668  
  1669  func (m *clientKeyExchangeMsg) marshal() ([]byte, error) {
  1670  	length := len(m.ciphertext)
  1671  	x := make([]byte, length+4)
  1672  	x[0] = typeClientKeyExchange
  1673  	x[1] = uint8(length >> 16)
  1674  	x[2] = uint8(length >> 8)
  1675  	x[3] = uint8(length)
  1676  	copy(x[4:], m.ciphertext)
  1677  
  1678  	return x, nil
  1679  }
  1680  
  1681  func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
  1682  	if len(data) < 4 {
  1683  		return false
  1684  	}
  1685  	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
  1686  	if l != len(data)-4 {
  1687  		return false
  1688  	}
  1689  	m.ciphertext = data[4:]
  1690  	return true
  1691  }
  1692  
  1693  type finishedMsg struct {
  1694  	verifyData []byte
  1695  }
  1696  
  1697  func (m *finishedMsg) marshal() ([]byte, error) {
  1698  	var b cryptobyte.Builder
  1699  	b.AddUint8(typeFinished)
  1700  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1701  		b.AddBytes(m.verifyData)
  1702  	})
  1703  
  1704  	return b.Bytes()
  1705  }
  1706  
  1707  func (m *finishedMsg) unmarshal(data []byte) bool {
  1708  	s := cryptobyte.String(data)
  1709  	return s.Skip(1) &&
  1710  		readUint24LengthPrefixed(&s, &m.verifyData) &&
  1711  		s.Empty()
  1712  }
  1713  
  1714  type certificateRequestMsg struct {
  1715  	// hasSignatureAlgorithm indicates whether this message includes a list of
  1716  	// supported signature algorithms. This change was introduced with TLS 1.2.
  1717  	hasSignatureAlgorithm bool
  1718  
  1719  	certificateTypes             []byte
  1720  	supportedSignatureAlgorithms []SignatureScheme
  1721  	certificateAuthorities       [][]byte
  1722  }
  1723  
  1724  func (m *certificateRequestMsg) marshal() ([]byte, error) {
  1725  	// See RFC 4346, Section 7.4.4.
  1726  	length := 1 + len(m.certificateTypes) + 2
  1727  	casLength := 0
  1728  	for _, ca := range m.certificateAuthorities {
  1729  		casLength += 2 + len(ca)
  1730  	}
  1731  	length += casLength
  1732  
  1733  	if m.hasSignatureAlgorithm {
  1734  		length += 2 + 2*len(m.supportedSignatureAlgorithms)
  1735  	}
  1736  
  1737  	x := make([]byte, 4+length)
  1738  	x[0] = typeCertificateRequest
  1739  	x[1] = uint8(length >> 16)
  1740  	x[2] = uint8(length >> 8)
  1741  	x[3] = uint8(length)
  1742  
  1743  	x[4] = uint8(len(m.certificateTypes))
  1744  
  1745  	copy(x[5:], m.certificateTypes)
  1746  	y := x[5+len(m.certificateTypes):]
  1747  
  1748  	if m.hasSignatureAlgorithm {
  1749  		n := len(m.supportedSignatureAlgorithms) * 2
  1750  		y[0] = uint8(n >> 8)
  1751  		y[1] = uint8(n)
  1752  		y = y[2:]
  1753  		for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1754  			y[0] = uint8(sigAlgo >> 8)
  1755  			y[1] = uint8(sigAlgo)
  1756  			y = y[2:]
  1757  		}
  1758  	}
  1759  
  1760  	y[0] = uint8(casLength >> 8)
  1761  	y[1] = uint8(casLength)
  1762  	y = y[2:]
  1763  	for _, ca := range m.certificateAuthorities {
  1764  		y[0] = uint8(len(ca) >> 8)
  1765  		y[1] = uint8(len(ca))
  1766  		y = y[2:]
  1767  		copy(y, ca)
  1768  		y = y[len(ca):]
  1769  	}
  1770  
  1771  	return x, nil
  1772  }
  1773  
  1774  func (m *certificateRequestMsg) unmarshal(data []byte) bool {
  1775  	if len(data) < 5 {
  1776  		return false
  1777  	}
  1778  
  1779  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1780  	if uint32(len(data))-4 != length {
  1781  		return false
  1782  	}
  1783  
  1784  	numCertTypes := int(data[4])
  1785  	data = data[5:]
  1786  	if numCertTypes == 0 || len(data) <= numCertTypes {
  1787  		return false
  1788  	}
  1789  
  1790  	m.certificateTypes = make([]byte, numCertTypes)
  1791  	if copy(m.certificateTypes, data) != numCertTypes {
  1792  		return false
  1793  	}
  1794  
  1795  	data = data[numCertTypes:]
  1796  
  1797  	if m.hasSignatureAlgorithm {
  1798  		if len(data) < 2 {
  1799  			return false
  1800  		}
  1801  		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
  1802  		data = data[2:]
  1803  		if sigAndHashLen&1 != 0 || sigAndHashLen == 0 {
  1804  			return false
  1805  		}
  1806  		if len(data) < int(sigAndHashLen) {
  1807  			return false
  1808  		}
  1809  		numSigAlgos := sigAndHashLen / 2
  1810  		m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
  1811  		for i := range m.supportedSignatureAlgorithms {
  1812  			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1813  			data = data[2:]
  1814  		}
  1815  	}
  1816  
  1817  	if len(data) < 2 {
  1818  		return false
  1819  	}
  1820  	casLength := uint16(data[0])<<8 | uint16(data[1])
  1821  	data = data[2:]
  1822  	if len(data) < int(casLength) {
  1823  		return false
  1824  	}
  1825  	cas := make([]byte, casLength)
  1826  	copy(cas, data)
  1827  	data = data[casLength:]
  1828  
  1829  	m.certificateAuthorities = nil
  1830  	for len(cas) > 0 {
  1831  		if len(cas) < 2 {
  1832  			return false
  1833  		}
  1834  		caLen := uint16(cas[0])<<8 | uint16(cas[1])
  1835  		cas = cas[2:]
  1836  
  1837  		if len(cas) < int(caLen) {
  1838  			return false
  1839  		}
  1840  
  1841  		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  1842  		cas = cas[caLen:]
  1843  	}
  1844  
  1845  	return len(data) == 0
  1846  }
  1847  
  1848  type certificateVerifyMsg struct {
  1849  	hasSignatureAlgorithm bool // format change introduced in TLS 1.2
  1850  	signatureAlgorithm    SignatureScheme
  1851  	signature             []byte
  1852  }
  1853  
  1854  func (m *certificateVerifyMsg) marshal() ([]byte, error) {
  1855  	var b cryptobyte.Builder
  1856  	b.AddUint8(typeCertificateVerify)
  1857  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1858  		if m.hasSignatureAlgorithm {
  1859  			b.AddUint16(uint16(m.signatureAlgorithm))
  1860  		}
  1861  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1862  			b.AddBytes(m.signature)
  1863  		})
  1864  	})
  1865  
  1866  	return b.Bytes()
  1867  }
  1868  
  1869  func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
  1870  	s := cryptobyte.String(data)
  1871  
  1872  	if !s.Skip(4) { // message type and uint24 length field
  1873  		return false
  1874  	}
  1875  	if m.hasSignatureAlgorithm {
  1876  		if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
  1877  			return false
  1878  		}
  1879  	}
  1880  	return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
  1881  }
  1882  
  1883  type newSessionTicketMsg struct {
  1884  	ticket []byte
  1885  }
  1886  
  1887  func (m *newSessionTicketMsg) marshal() ([]byte, error) {
  1888  	// See RFC 5077, Section 3.3.
  1889  	ticketLen := len(m.ticket)
  1890  	length := 2 + 4 + ticketLen
  1891  	x := make([]byte, 4+length)
  1892  	x[0] = typeNewSessionTicket
  1893  	x[1] = uint8(length >> 16)
  1894  	x[2] = uint8(length >> 8)
  1895  	x[3] = uint8(length)
  1896  	x[8] = uint8(ticketLen >> 8)
  1897  	x[9] = uint8(ticketLen)
  1898  	copy(x[10:], m.ticket)
  1899  
  1900  	return x, nil
  1901  }
  1902  
  1903  func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
  1904  	if len(data) < 10 {
  1905  		return false
  1906  	}
  1907  
  1908  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1909  	if uint32(len(data))-4 != length {
  1910  		return false
  1911  	}
  1912  
  1913  	ticketLen := int(data[8])<<8 + int(data[9])
  1914  	if len(data)-10 != ticketLen {
  1915  		return false
  1916  	}
  1917  
  1918  	m.ticket = data[10:]
  1919  
  1920  	return true
  1921  }
  1922  
  1923  type helloRequestMsg struct {
  1924  }
  1925  
  1926  func (*helloRequestMsg) marshal() ([]byte, error) {
  1927  	return []byte{typeHelloRequest, 0, 0, 0}, nil
  1928  }
  1929  
  1930  func (*helloRequestMsg) unmarshal(data []byte) bool {
  1931  	return len(data) == 4
  1932  }
  1933  
  1934  type transcriptHash interface {
  1935  	Write([]byte) (int, error)
  1936  }
  1937  
  1938  // transcriptMsg is a helper used to hash messages which are not hashed when
  1939  // they are read from, or written to, the wire. This is typically the case for
  1940  // messages which are either not sent, or need to be hashed out of order from
  1941  // when they are read/written.
  1942  //
  1943  // For most messages, the message is marshalled using their marshal method,
  1944  // since their wire representation is idempotent. For clientHelloMsg and
  1945  // serverHelloMsg, we store the original wire representation of the message and
  1946  // use that for hashing, since unmarshal/marshal are not idempotent due to
  1947  // extension ordering and other malleable fields, which may cause differences
  1948  // between what was received and what we marshal.
  1949  func transcriptMsg(msg handshakeMessage, h transcriptHash) error {
  1950  	if msgWithOrig, ok := msg.(handshakeMessageWithOriginalBytes); ok {
  1951  		if orig := msgWithOrig.originalBytes(); orig != nil {
  1952  			h.Write(msgWithOrig.originalBytes())
  1953  			return nil
  1954  		}
  1955  	}
  1956  
  1957  	data, err := msg.marshal()
  1958  	if err != nil {
  1959  		return err
  1960  	}
  1961  	h.Write(data)
  1962  	return nil
  1963  }
  1964  

View as plain text

go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.