Source file
src/crypto/tls/handshake_messages.go
1
2
3
4
5 package tls
6
7 import (
8 "errors"
9 "fmt"
10 "strings"
11
12 "golang.org/x/crypto/cryptobyte"
13 )
14
15
16
17 type marshalingFunction func(b *cryptobyte.Builder) error
18
19 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
20 return f(b)
21 }
22
23
24
25 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
26 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
27 if len(v) != n {
28 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
29 }
30 b.AddBytes(v)
31 return nil
32 }))
33 }
34
35
36 func addUint64(b *cryptobyte.Builder, v uint64) {
37 b.AddUint32(uint32(v >> 32))
38 b.AddUint32(uint32(v))
39 }
40
41
42
43 func readUint64(s *cryptobyte.String, out *uint64) bool {
44 var hi, lo uint32
45 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
46 return false
47 }
48 *out = uint64(hi)<<32 | uint64(lo)
49 return true
50 }
51
52
53
54 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
55 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
56 }
57
58
59
60 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
61 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
62 }
63
64
65
66 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
67 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
68 }
69
70 type clientHelloMsg struct {
71 original []byte
72 vers uint16
73 random []byte
74 sessionId []byte
75 cipherSuites []uint16
76 compressionMethods []uint8
77 serverName string
78 ocspStapling bool
79 supportedCurves []CurveID
80 supportedPoints []uint8
81 ticketSupported bool
82 sessionTicket []uint8
83 supportedSignatureAlgorithms []SignatureScheme
84 supportedSignatureAlgorithmsCert []SignatureScheme
85 secureRenegotiationSupported bool
86 secureRenegotiation []byte
87 extendedMasterSecret bool
88 alpnProtocols []string
89 scts bool
90 supportedVersions []uint16
91 cookie []byte
92 keyShares []keyShare
93 earlyData bool
94 pskModes []uint8
95 pskIdentities []pskIdentity
96 pskBinders [][]byte
97 quicTransportParameters []byte
98 }
99
100 func (m *clientHelloMsg) marshal() ([]byte, error) {
101 var exts cryptobyte.Builder
102 if len(m.serverName) > 0 {
103
104 exts.AddUint16(extensionServerName)
105 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
106 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
107 exts.AddUint8(0)
108 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
109 exts.AddBytes([]byte(m.serverName))
110 })
111 })
112 })
113 }
114 if m.ocspStapling {
115
116 exts.AddUint16(extensionStatusRequest)
117 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
118 exts.AddUint8(1)
119 exts.AddUint16(0)
120 exts.AddUint16(0)
121 })
122 }
123 if len(m.supportedCurves) > 0 {
124
125 exts.AddUint16(extensionSupportedCurves)
126 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
127 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
128 for _, curve := range m.supportedCurves {
129 exts.AddUint16(uint16(curve))
130 }
131 })
132 })
133 }
134 if len(m.supportedPoints) > 0 {
135
136 exts.AddUint16(extensionSupportedPoints)
137 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
138 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
139 exts.AddBytes(m.supportedPoints)
140 })
141 })
142 }
143 if m.ticketSupported {
144
145 exts.AddUint16(extensionSessionTicket)
146 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
147 exts.AddBytes(m.sessionTicket)
148 })
149 }
150 if len(m.supportedSignatureAlgorithms) > 0 {
151
152 exts.AddUint16(extensionSignatureAlgorithms)
153 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
154 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
155 for _, sigAlgo := range m.supportedSignatureAlgorithms {
156 exts.AddUint16(uint16(sigAlgo))
157 }
158 })
159 })
160 }
161 if len(m.supportedSignatureAlgorithmsCert) > 0 {
162
163 exts.AddUint16(extensionSignatureAlgorithmsCert)
164 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
165 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
166 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
167 exts.AddUint16(uint16(sigAlgo))
168 }
169 })
170 })
171 }
172 if m.secureRenegotiationSupported {
173
174 exts.AddUint16(extensionRenegotiationInfo)
175 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
176 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
177 exts.AddBytes(m.secureRenegotiation)
178 })
179 })
180 }
181 if m.extendedMasterSecret {
182
183 exts.AddUint16(extensionExtendedMasterSecret)
184 exts.AddUint16(0)
185 }
186 if len(m.alpnProtocols) > 0 {
187
188 exts.AddUint16(extensionALPN)
189 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
190 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
191 for _, proto := range m.alpnProtocols {
192 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
193 exts.AddBytes([]byte(proto))
194 })
195 }
196 })
197 })
198 }
199 if m.scts {
200
201 exts.AddUint16(extensionSCT)
202 exts.AddUint16(0)
203 }
204 if len(m.supportedVersions) > 0 {
205
206 exts.AddUint16(extensionSupportedVersions)
207 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
208 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
209 for _, vers := range m.supportedVersions {
210 exts.AddUint16(vers)
211 }
212 })
213 })
214 }
215 if len(m.cookie) > 0 {
216
217 exts.AddUint16(extensionCookie)
218 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
219 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
220 exts.AddBytes(m.cookie)
221 })
222 })
223 }
224 if len(m.keyShares) > 0 {
225
226 exts.AddUint16(extensionKeyShare)
227 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
228 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
229 for _, ks := range m.keyShares {
230 exts.AddUint16(uint16(ks.group))
231 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
232 exts.AddBytes(ks.data)
233 })
234 }
235 })
236 })
237 }
238 if m.earlyData {
239
240 exts.AddUint16(extensionEarlyData)
241 exts.AddUint16(0)
242 }
243 if len(m.pskModes) > 0 {
244
245 exts.AddUint16(extensionPSKModes)
246 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
247 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
248 exts.AddBytes(m.pskModes)
249 })
250 })
251 }
252 if m.quicTransportParameters != nil {
253
254 exts.AddUint16(extensionQUICTransportParameters)
255 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
256 exts.AddBytes(m.quicTransportParameters)
257 })
258 }
259 if len(m.pskIdentities) > 0 {
260
261 exts.AddUint16(extensionPreSharedKey)
262 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
263 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
264 for _, psk := range m.pskIdentities {
265 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
266 exts.AddBytes(psk.label)
267 })
268 exts.AddUint32(psk.obfuscatedTicketAge)
269 }
270 })
271 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
272 for _, binder := range m.pskBinders {
273 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
274 exts.AddBytes(binder)
275 })
276 }
277 })
278 })
279 }
280 extBytes, err := exts.Bytes()
281 if err != nil {
282 return nil, err
283 }
284
285 var b cryptobyte.Builder
286 b.AddUint8(typeClientHello)
287 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
288 b.AddUint16(m.vers)
289 addBytesWithLength(b, m.random, 32)
290 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
291 b.AddBytes(m.sessionId)
292 })
293 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
294 for _, suite := range m.cipherSuites {
295 b.AddUint16(suite)
296 }
297 })
298 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
299 b.AddBytes(m.compressionMethods)
300 })
301
302 if len(extBytes) > 0 {
303 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
304 b.AddBytes(extBytes)
305 })
306 }
307 })
308
309 return b.Bytes()
310 }
311
312
313
314
315 func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) {
316 bindersLen := 2
317 for _, binder := range m.pskBinders {
318 bindersLen += 1
319 bindersLen += len(binder)
320 }
321
322 var fullMessage []byte
323 if m.original != nil {
324 fullMessage = m.original
325 } else {
326 var err error
327 fullMessage, err = m.marshal()
328 if err != nil {
329 return nil, err
330 }
331 }
332 return fullMessage[:len(fullMessage)-bindersLen], nil
333 }
334
335
336
337 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error {
338 if len(pskBinders) != len(m.pskBinders) {
339 return errors.New("tls: internal error: pskBinders length mismatch")
340 }
341 for i := range m.pskBinders {
342 if len(pskBinders[i]) != len(m.pskBinders[i]) {
343 return errors.New("tls: internal error: pskBinders length mismatch")
344 }
345 }
346 m.pskBinders = pskBinders
347
348 return nil
349 }
350
351 func (m *clientHelloMsg) unmarshal(data []byte) bool {
352 *m = clientHelloMsg{original: data}
353 s := cryptobyte.String(data)
354
355 if !s.Skip(4) ||
356 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
357 !readUint8LengthPrefixed(&s, &m.sessionId) {
358 return false
359 }
360
361 var cipherSuites cryptobyte.String
362 if !s.ReadUint16LengthPrefixed(&cipherSuites) {
363 return false
364 }
365 m.cipherSuites = []uint16{}
366 m.secureRenegotiationSupported = false
367 for !cipherSuites.Empty() {
368 var suite uint16
369 if !cipherSuites.ReadUint16(&suite) {
370 return false
371 }
372 if suite == scsvRenegotiation {
373 m.secureRenegotiationSupported = true
374 }
375 m.cipherSuites = append(m.cipherSuites, suite)
376 }
377
378 if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
379 return false
380 }
381
382 if s.Empty() {
383
384 return true
385 }
386
387 var extensions cryptobyte.String
388 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
389 return false
390 }
391
392 seenExts := make(map[uint16]bool)
393 for !extensions.Empty() {
394 var extension uint16
395 var extData cryptobyte.String
396 if !extensions.ReadUint16(&extension) ||
397 !extensions.ReadUint16LengthPrefixed(&extData) {
398 return false
399 }
400
401 if seenExts[extension] {
402 return false
403 }
404 seenExts[extension] = true
405
406 switch extension {
407 case extensionServerName:
408
409 var nameList cryptobyte.String
410 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
411 return false
412 }
413 for !nameList.Empty() {
414 var nameType uint8
415 var serverName cryptobyte.String
416 if !nameList.ReadUint8(&nameType) ||
417 !nameList.ReadUint16LengthPrefixed(&serverName) ||
418 serverName.Empty() {
419 return false
420 }
421 if nameType != 0 {
422 continue
423 }
424 if len(m.serverName) != 0 {
425
426 return false
427 }
428 m.serverName = string(serverName)
429
430 if strings.HasSuffix(m.serverName, ".") {
431 return false
432 }
433 }
434 case extensionStatusRequest:
435
436 var statusType uint8
437 var ignored cryptobyte.String
438 if !extData.ReadUint8(&statusType) ||
439 !extData.ReadUint16LengthPrefixed(&ignored) ||
440 !extData.ReadUint16LengthPrefixed(&ignored) {
441 return false
442 }
443 m.ocspStapling = statusType == statusTypeOCSP
444 case extensionSupportedCurves:
445
446 var curves cryptobyte.String
447 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
448 return false
449 }
450 for !curves.Empty() {
451 var curve uint16
452 if !curves.ReadUint16(&curve) {
453 return false
454 }
455 m.supportedCurves = append(m.supportedCurves, CurveID(curve))
456 }
457 case extensionSupportedPoints:
458
459 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
460 len(m.supportedPoints) == 0 {
461 return false
462 }
463 case extensionSessionTicket:
464
465 m.ticketSupported = true
466 extData.ReadBytes(&m.sessionTicket, len(extData))
467 case extensionSignatureAlgorithms:
468
469 var sigAndAlgs cryptobyte.String
470 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
471 return false
472 }
473 for !sigAndAlgs.Empty() {
474 var sigAndAlg uint16
475 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
476 return false
477 }
478 m.supportedSignatureAlgorithms = append(
479 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
480 }
481 case extensionSignatureAlgorithmsCert:
482
483 var sigAndAlgs cryptobyte.String
484 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
485 return false
486 }
487 for !sigAndAlgs.Empty() {
488 var sigAndAlg uint16
489 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
490 return false
491 }
492 m.supportedSignatureAlgorithmsCert = append(
493 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
494 }
495 case extensionRenegotiationInfo:
496
497 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
498 return false
499 }
500 m.secureRenegotiationSupported = true
501 case extensionExtendedMasterSecret:
502
503 m.extendedMasterSecret = true
504 case extensionALPN:
505
506 var protoList cryptobyte.String
507 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
508 return false
509 }
510 for !protoList.Empty() {
511 var proto cryptobyte.String
512 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
513 return false
514 }
515 m.alpnProtocols = append(m.alpnProtocols, string(proto))
516 }
517 case extensionSCT:
518
519 m.scts = true
520 case extensionSupportedVersions:
521
522 var versList cryptobyte.String
523 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
524 return false
525 }
526 for !versList.Empty() {
527 var vers uint16
528 if !versList.ReadUint16(&vers) {
529 return false
530 }
531 m.supportedVersions = append(m.supportedVersions, vers)
532 }
533 case extensionCookie:
534
535 if !readUint16LengthPrefixed(&extData, &m.cookie) ||
536 len(m.cookie) == 0 {
537 return false
538 }
539 case extensionKeyShare:
540
541 var clientShares cryptobyte.String
542 if !extData.ReadUint16LengthPrefixed(&clientShares) {
543 return false
544 }
545 for !clientShares.Empty() {
546 var ks keyShare
547 if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
548 !readUint16LengthPrefixed(&clientShares, &ks.data) ||
549 len(ks.data) == 0 {
550 return false
551 }
552 m.keyShares = append(m.keyShares, ks)
553 }
554 case extensionEarlyData:
555
556 m.earlyData = true
557 case extensionPSKModes:
558
559 if !readUint8LengthPrefixed(&extData, &m.pskModes) {
560 return false
561 }
562 case extensionQUICTransportParameters:
563 m.quicTransportParameters = make([]byte, len(extData))
564 if !extData.CopyBytes(m.quicTransportParameters) {
565 return false
566 }
567 case extensionPreSharedKey:
568
569 if !extensions.Empty() {
570 return false
571 }
572 var identities cryptobyte.String
573 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
574 return false
575 }
576 for !identities.Empty() {
577 var psk pskIdentity
578 if !readUint16LengthPrefixed(&identities, &psk.label) ||
579 !identities.ReadUint32(&psk.obfuscatedTicketAge) ||
580 len(psk.label) == 0 {
581 return false
582 }
583 m.pskIdentities = append(m.pskIdentities, psk)
584 }
585 var binders cryptobyte.String
586 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
587 return false
588 }
589 for !binders.Empty() {
590 var binder []byte
591 if !readUint8LengthPrefixed(&binders, &binder) ||
592 len(binder) == 0 {
593 return false
594 }
595 m.pskBinders = append(m.pskBinders, binder)
596 }
597 default:
598
599 continue
600 }
601
602 if !extData.Empty() {
603 return false
604 }
605 }
606
607 return true
608 }
609
610 func (m *clientHelloMsg) originalBytes() []byte {
611 return m.original
612 }
613
614 type serverHelloMsg struct {
615 original []byte
616 vers uint16
617 random []byte
618 sessionId []byte
619 cipherSuite uint16
620 compressionMethod uint8
621 ocspStapling bool
622 ticketSupported bool
623 secureRenegotiationSupported bool
624 secureRenegotiation []byte
625 extendedMasterSecret bool
626 alpnProtocol string
627 scts [][]byte
628 supportedVersion uint16
629 serverShare keyShare
630 selectedIdentityPresent bool
631 selectedIdentity uint16
632 supportedPoints []uint8
633
634
635 cookie []byte
636 selectedGroup CurveID
637 }
638
639 func (m *serverHelloMsg) marshal() ([]byte, error) {
640 var exts cryptobyte.Builder
641 if m.ocspStapling {
642 exts.AddUint16(extensionStatusRequest)
643 exts.AddUint16(0)
644 }
645 if m.ticketSupported {
646 exts.AddUint16(extensionSessionTicket)
647 exts.AddUint16(0)
648 }
649 if m.secureRenegotiationSupported {
650 exts.AddUint16(extensionRenegotiationInfo)
651 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
652 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
653 exts.AddBytes(m.secureRenegotiation)
654 })
655 })
656 }
657 if m.extendedMasterSecret {
658 exts.AddUint16(extensionExtendedMasterSecret)
659 exts.AddUint16(0)
660 }
661 if len(m.alpnProtocol) > 0 {
662 exts.AddUint16(extensionALPN)
663 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
664 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
665 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
666 exts.AddBytes([]byte(m.alpnProtocol))
667 })
668 })
669 })
670 }
671 if len(m.scts) > 0 {
672 exts.AddUint16(extensionSCT)
673 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
674 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
675 for _, sct := range m.scts {
676 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
677 exts.AddBytes(sct)
678 })
679 }
680 })
681 })
682 }
683 if m.supportedVersion != 0 {
684 exts.AddUint16(extensionSupportedVersions)
685 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
686 exts.AddUint16(m.supportedVersion)
687 })
688 }
689 if m.serverShare.group != 0 {
690 exts.AddUint16(extensionKeyShare)
691 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
692 exts.AddUint16(uint16(m.serverShare.group))
693 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
694 exts.AddBytes(m.serverShare.data)
695 })
696 })
697 }
698 if m.selectedIdentityPresent {
699 exts.AddUint16(extensionPreSharedKey)
700 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
701 exts.AddUint16(m.selectedIdentity)
702 })
703 }
704
705 if len(m.cookie) > 0 {
706 exts.AddUint16(extensionCookie)
707 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
708 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
709 exts.AddBytes(m.cookie)
710 })
711 })
712 }
713 if m.selectedGroup != 0 {
714 exts.AddUint16(extensionKeyShare)
715 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
716 exts.AddUint16(uint16(m.selectedGroup))
717 })
718 }
719 if len(m.supportedPoints) > 0 {
720 exts.AddUint16(extensionSupportedPoints)
721 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
722 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
723 exts.AddBytes(m.supportedPoints)
724 })
725 })
726 }
727
728 extBytes, err := exts.Bytes()
729 if err != nil {
730 return nil, err
731 }
732
733 var b cryptobyte.Builder
734 b.AddUint8(typeServerHello)
735 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
736 b.AddUint16(m.vers)
737 addBytesWithLength(b, m.random, 32)
738 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
739 b.AddBytes(m.sessionId)
740 })
741 b.AddUint16(m.cipherSuite)
742 b.AddUint8(m.compressionMethod)
743
744 if len(extBytes) > 0 {
745 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
746 b.AddBytes(extBytes)
747 })
748 }
749 })
750
751 return b.Bytes()
752 }
753
754 func (m *serverHelloMsg) unmarshal(data []byte) bool {
755 *m = serverHelloMsg{original: data}
756 s := cryptobyte.String(data)
757
758 if !s.Skip(4) ||
759 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
760 !readUint8LengthPrefixed(&s, &m.sessionId) ||
761 !s.ReadUint16(&m.cipherSuite) ||
762 !s.ReadUint8(&m.compressionMethod) {
763 return false
764 }
765
766 if s.Empty() {
767
768 return true
769 }
770
771 var extensions cryptobyte.String
772 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
773 return false
774 }
775
776 seenExts := make(map[uint16]bool)
777 for !extensions.Empty() {
778 var extension uint16
779 var extData cryptobyte.String
780 if !extensions.ReadUint16(&extension) ||
781 !extensions.ReadUint16LengthPrefixed(&extData) {
782 return false
783 }
784
785 if seenExts[extension] {
786 return false
787 }
788 seenExts[extension] = true
789
790 switch extension {
791 case extensionStatusRequest:
792 m.ocspStapling = true
793 case extensionSessionTicket:
794 m.ticketSupported = true
795 case extensionRenegotiationInfo:
796 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
797 return false
798 }
799 m.secureRenegotiationSupported = true
800 case extensionExtendedMasterSecret:
801 m.extendedMasterSecret = true
802 case extensionALPN:
803 var protoList cryptobyte.String
804 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
805 return false
806 }
807 var proto cryptobyte.String
808 if !protoList.ReadUint8LengthPrefixed(&proto) ||
809 proto.Empty() || !protoList.Empty() {
810 return false
811 }
812 m.alpnProtocol = string(proto)
813 case extensionSCT:
814 var sctList cryptobyte.String
815 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
816 return false
817 }
818 for !sctList.Empty() {
819 var sct []byte
820 if !readUint16LengthPrefixed(&sctList, &sct) ||
821 len(sct) == 0 {
822 return false
823 }
824 m.scts = append(m.scts, sct)
825 }
826 case extensionSupportedVersions:
827 if !extData.ReadUint16(&m.supportedVersion) {
828 return false
829 }
830 case extensionCookie:
831 if !readUint16LengthPrefixed(&extData, &m.cookie) ||
832 len(m.cookie) == 0 {
833 return false
834 }
835 case extensionKeyShare:
836
837
838 if len(extData) == 2 {
839 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
840 return false
841 }
842 } else {
843 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
844 !readUint16LengthPrefixed(&extData, &m.serverShare.data) {
845 return false
846 }
847 }
848 case extensionPreSharedKey:
849 m.selectedIdentityPresent = true
850 if !extData.ReadUint16(&m.selectedIdentity) {
851 return false
852 }
853 case extensionSupportedPoints:
854
855 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
856 len(m.supportedPoints) == 0 {
857 return false
858 }
859 default:
860
861 continue
862 }
863
864 if !extData.Empty() {
865 return false
866 }
867 }
868
869 return true
870 }
871
872 func (m *serverHelloMsg) originalBytes() []byte {
873 return m.original
874 }
875
876 type encryptedExtensionsMsg struct {
877 alpnProtocol string
878 quicTransportParameters []byte
879 earlyData bool
880 }
881
882 func (m *encryptedExtensionsMsg) marshal() ([]byte, error) {
883 var b cryptobyte.Builder
884 b.AddUint8(typeEncryptedExtensions)
885 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
886 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
887 if len(m.alpnProtocol) > 0 {
888 b.AddUint16(extensionALPN)
889 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
890 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
891 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
892 b.AddBytes([]byte(m.alpnProtocol))
893 })
894 })
895 })
896 }
897 if m.quicTransportParameters != nil {
898
899 b.AddUint16(extensionQUICTransportParameters)
900 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
901 b.AddBytes(m.quicTransportParameters)
902 })
903 }
904 if m.earlyData {
905
906 b.AddUint16(extensionEarlyData)
907 b.AddUint16(0)
908 }
909 })
910 })
911
912 return b.Bytes()
913 }
914
915 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
916 *m = encryptedExtensionsMsg{}
917 s := cryptobyte.String(data)
918
919 var extensions cryptobyte.String
920 if !s.Skip(4) ||
921 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
922 return false
923 }
924
925 for !extensions.Empty() {
926 var extension uint16
927 var extData cryptobyte.String
928 if !extensions.ReadUint16(&extension) ||
929 !extensions.ReadUint16LengthPrefixed(&extData) {
930 return false
931 }
932
933 switch extension {
934 case extensionALPN:
935 var protoList cryptobyte.String
936 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
937 return false
938 }
939 var proto cryptobyte.String
940 if !protoList.ReadUint8LengthPrefixed(&proto) ||
941 proto.Empty() || !protoList.Empty() {
942 return false
943 }
944 m.alpnProtocol = string(proto)
945 case extensionQUICTransportParameters:
946 m.quicTransportParameters = make([]byte, len(extData))
947 if !extData.CopyBytes(m.quicTransportParameters) {
948 return false
949 }
950 case extensionEarlyData:
951
952 m.earlyData = true
953 default:
954
955 continue
956 }
957
958 if !extData.Empty() {
959 return false
960 }
961 }
962
963 return true
964 }
965
966 type endOfEarlyDataMsg struct{}
967
968 func (m *endOfEarlyDataMsg) marshal() ([]byte, error) {
969 x := make([]byte, 4)
970 x[0] = typeEndOfEarlyData
971 return x, nil
972 }
973
974 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
975 return len(data) == 4
976 }
977
978 type keyUpdateMsg struct {
979 updateRequested bool
980 }
981
982 func (m *keyUpdateMsg) marshal() ([]byte, error) {
983 var b cryptobyte.Builder
984 b.AddUint8(typeKeyUpdate)
985 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
986 if m.updateRequested {
987 b.AddUint8(1)
988 } else {
989 b.AddUint8(0)
990 }
991 })
992
993 return b.Bytes()
994 }
995
996 func (m *keyUpdateMsg) unmarshal(data []byte) bool {
997 s := cryptobyte.String(data)
998
999 var updateRequested uint8
1000 if !s.Skip(4) ||
1001 !s.ReadUint8(&updateRequested) || !s.Empty() {
1002 return false
1003 }
1004 switch updateRequested {
1005 case 0:
1006 m.updateRequested = false
1007 case 1:
1008 m.updateRequested = true
1009 default:
1010 return false
1011 }
1012 return true
1013 }
1014
1015 type newSessionTicketMsgTLS13 struct {
1016 lifetime uint32
1017 ageAdd uint32
1018 nonce []byte
1019 label []byte
1020 maxEarlyData uint32
1021 }
1022
1023 func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
1024 var b cryptobyte.Builder
1025 b.AddUint8(typeNewSessionTicket)
1026 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1027 b.AddUint32(m.lifetime)
1028 b.AddUint32(m.ageAdd)
1029 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
1030 b.AddBytes(m.nonce)
1031 })
1032 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1033 b.AddBytes(m.label)
1034 })
1035
1036 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1037 if m.maxEarlyData > 0 {
1038 b.AddUint16(extensionEarlyData)
1039 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1040 b.AddUint32(m.maxEarlyData)
1041 })
1042 }
1043 })
1044 })
1045
1046 return b.Bytes()
1047 }
1048
1049 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
1050 *m = newSessionTicketMsgTLS13{}
1051 s := cryptobyte.String(data)
1052
1053 var extensions cryptobyte.String
1054 if !s.Skip(4) ||
1055 !s.ReadUint32(&m.lifetime) ||
1056 !s.ReadUint32(&m.ageAdd) ||
1057 !readUint8LengthPrefixed(&s, &m.nonce) ||
1058 !readUint16LengthPrefixed(&s, &m.label) ||
1059 !s.ReadUint16LengthPrefixed(&extensions) ||
1060 !s.Empty() {
1061 return false
1062 }
1063
1064 for !extensions.Empty() {
1065 var extension uint16
1066 var extData cryptobyte.String
1067 if !extensions.ReadUint16(&extension) ||
1068 !extensions.ReadUint16LengthPrefixed(&extData) {
1069 return false
1070 }
1071
1072 switch extension {
1073 case extensionEarlyData:
1074 if !extData.ReadUint32(&m.maxEarlyData) {
1075 return false
1076 }
1077 default:
1078
1079 continue
1080 }
1081
1082 if !extData.Empty() {
1083 return false
1084 }
1085 }
1086
1087 return true
1088 }
1089
1090 type certificateRequestMsgTLS13 struct {
1091 ocspStapling bool
1092 scts bool
1093 supportedSignatureAlgorithms []SignatureScheme
1094 supportedSignatureAlgorithmsCert []SignatureScheme
1095 certificateAuthorities [][]byte
1096 }
1097
1098 func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) {
1099 var b cryptobyte.Builder
1100 b.AddUint8(typeCertificateRequest)
1101 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1102
1103
1104 b.AddUint8(0)
1105
1106 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1107 if m.ocspStapling {
1108 b.AddUint16(extensionStatusRequest)
1109 b.AddUint16(0)
1110 }
1111 if m.scts {
1112
1113
1114
1115
1116
1117 b.AddUint16(extensionSCT)
1118 b.AddUint16(0)
1119 }
1120 if len(m.supportedSignatureAlgorithms) > 0 {
1121 b.AddUint16(extensionSignatureAlgorithms)
1122 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1123 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1124 for _, sigAlgo := range m.supportedSignatureAlgorithms {
1125 b.AddUint16(uint16(sigAlgo))
1126 }
1127 })
1128 })
1129 }
1130 if len(m.supportedSignatureAlgorithmsCert) > 0 {
1131 b.AddUint16(extensionSignatureAlgorithmsCert)
1132 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1133 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1134 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
1135 b.AddUint16(uint16(sigAlgo))
1136 }
1137 })
1138 })
1139 }
1140 if len(m.certificateAuthorities) > 0 {
1141 b.AddUint16(extensionCertificateAuthorities)
1142 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1143 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1144 for _, ca := range m.certificateAuthorities {
1145 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1146 b.AddBytes(ca)
1147 })
1148 }
1149 })
1150 })
1151 }
1152 })
1153 })
1154
1155 return b.Bytes()
1156 }
1157
1158 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
1159 *m = certificateRequestMsgTLS13{}
1160 s := cryptobyte.String(data)
1161
1162 var context, extensions cryptobyte.String
1163 if !s.Skip(4) ||
1164 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
1165 !s.ReadUint16LengthPrefixed(&extensions) ||
1166 !s.Empty() {
1167 return false
1168 }
1169
1170 for !extensions.Empty() {
1171 var extension uint16
1172 var extData cryptobyte.String
1173 if !extensions.ReadUint16(&extension) ||
1174 !extensions.ReadUint16LengthPrefixed(&extData) {
1175 return false
1176 }
1177
1178 switch extension {
1179 case extensionStatusRequest:
1180 m.ocspStapling = true
1181 case extensionSCT:
1182 m.scts = true
1183 case extensionSignatureAlgorithms:
1184 var sigAndAlgs cryptobyte.String
1185 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
1186 return false
1187 }
1188 for !sigAndAlgs.Empty() {
1189 var sigAndAlg uint16
1190 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
1191 return false
1192 }
1193 m.supportedSignatureAlgorithms = append(
1194 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
1195 }
1196 case extensionSignatureAlgorithmsCert:
1197 var sigAndAlgs cryptobyte.String
1198 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
1199 return false
1200 }
1201 for !sigAndAlgs.Empty() {
1202 var sigAndAlg uint16
1203 if !sigAndAlgs.ReadUint16(&sigAndAlg) {
1204 return false
1205 }
1206 m.supportedSignatureAlgorithmsCert = append(
1207 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
1208 }
1209 case extensionCertificateAuthorities:
1210 var auths cryptobyte.String
1211 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
1212 return false
1213 }
1214 for !auths.Empty() {
1215 var ca []byte
1216 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
1217 return false
1218 }
1219 m.certificateAuthorities = append(m.certificateAuthorities, ca)
1220 }
1221 default:
1222
1223 continue
1224 }
1225
1226 if !extData.Empty() {
1227 return false
1228 }
1229 }
1230
1231 return true
1232 }
1233
1234 type certificateMsg struct {
1235 certificates [][]byte
1236 }
1237
1238 func (m *certificateMsg) marshal() ([]byte, error) {
1239 var i int
1240 for _, slice := range m.certificates {
1241 i += len(slice)
1242 }
1243
1244 length := 3 + 3*len(m.certificates) + i
1245 x := make([]byte, 4+length)
1246 x[0] = typeCertificate
1247 x[1] = uint8(length >> 16)
1248 x[2] = uint8(length >> 8)
1249 x[3] = uint8(length)
1250
1251 certificateOctets := length - 3
1252 x[4] = uint8(certificateOctets >> 16)
1253 x[5] = uint8(certificateOctets >> 8)
1254 x[6] = uint8(certificateOctets)
1255
1256 y := x[7:]
1257 for _, slice := range m.certificates {
1258 y[0] = uint8(len(slice) >> 16)
1259 y[1] = uint8(len(slice) >> 8)
1260 y[2] = uint8(len(slice))
1261 copy(y[3:], slice)
1262 y = y[3+len(slice):]
1263 }
1264
1265 return x, nil
1266 }
1267
1268 func (m *certificateMsg) unmarshal(data []byte) bool {
1269 if len(data) < 7 {
1270 return false
1271 }
1272
1273 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
1274 if uint32(len(data)) != certsLen+7 {
1275 return false
1276 }
1277
1278 numCerts := 0
1279 d := data[7:]
1280 for certsLen > 0 {
1281 if len(d) < 4 {
1282 return false
1283 }
1284 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
1285 if uint32(len(d)) < 3+certLen {
1286 return false
1287 }
1288 d = d[3+certLen:]
1289 certsLen -= 3 + certLen
1290 numCerts++
1291 }
1292
1293 m.certificates = make([][]byte, numCerts)
1294 d = data[7:]
1295 for i := 0; i < numCerts; i++ {
1296 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
1297 m.certificates[i] = d[3 : 3+certLen]
1298 d = d[3+certLen:]
1299 }
1300
1301 return true
1302 }
1303
1304 type certificateMsgTLS13 struct {
1305 certificate Certificate
1306 ocspStapling bool
1307 scts bool
1308 }
1309
1310 func (m *certificateMsgTLS13) marshal() ([]byte, error) {
1311 var b cryptobyte.Builder
1312 b.AddUint8(typeCertificate)
1313 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1314 b.AddUint8(0)
1315
1316 certificate := m.certificate
1317 if !m.ocspStapling {
1318 certificate.OCSPStaple = nil
1319 }
1320 if !m.scts {
1321 certificate.SignedCertificateTimestamps = nil
1322 }
1323 marshalCertificate(b, certificate)
1324 })
1325
1326 return b.Bytes()
1327 }
1328
1329 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
1330 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1331 for i, cert := range certificate.Certificate {
1332 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1333 b.AddBytes(cert)
1334 })
1335 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1336 if i > 0 {
1337
1338 return
1339 }
1340 if certificate.OCSPStaple != nil {
1341 b.AddUint16(extensionStatusRequest)
1342 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1343 b.AddUint8(statusTypeOCSP)
1344 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1345 b.AddBytes(certificate.OCSPStaple)
1346 })
1347 })
1348 }
1349 if certificate.SignedCertificateTimestamps != nil {
1350 b.AddUint16(extensionSCT)
1351 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1352 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1353 for _, sct := range certificate.SignedCertificateTimestamps {
1354 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1355 b.AddBytes(sct)
1356 })
1357 }
1358 })
1359 })
1360 }
1361 })
1362 }
1363 })
1364 }
1365
1366 func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
1367 *m = certificateMsgTLS13{}
1368 s := cryptobyte.String(data)
1369
1370 var context cryptobyte.String
1371 if !s.Skip(4) ||
1372 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
1373 !unmarshalCertificate(&s, &m.certificate) ||
1374 !s.Empty() {
1375 return false
1376 }
1377
1378 m.scts = m.certificate.SignedCertificateTimestamps != nil
1379 m.ocspStapling = m.certificate.OCSPStaple != nil
1380
1381 return true
1382 }
1383
1384 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
1385 var certList cryptobyte.String
1386 if !s.ReadUint24LengthPrefixed(&certList) {
1387 return false
1388 }
1389 for !certList.Empty() {
1390 var cert []byte
1391 var extensions cryptobyte.String
1392 if !readUint24LengthPrefixed(&certList, &cert) ||
1393 !certList.ReadUint16LengthPrefixed(&extensions) {
1394 return false
1395 }
1396 certificate.Certificate = append(certificate.Certificate, cert)
1397 for !extensions.Empty() {
1398 var extension uint16
1399 var extData cryptobyte.String
1400 if !extensions.ReadUint16(&extension) ||
1401 !extensions.ReadUint16LengthPrefixed(&extData) {
1402 return false
1403 }
1404 if len(certificate.Certificate) > 1 {
1405
1406 continue
1407 }
1408
1409 switch extension {
1410 case extensionStatusRequest:
1411 var statusType uint8
1412 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
1413 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
1414 len(certificate.OCSPStaple) == 0 {
1415 return false
1416 }
1417 case extensionSCT:
1418 var sctList cryptobyte.String
1419 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
1420 return false
1421 }
1422 for !sctList.Empty() {
1423 var sct []byte
1424 if !readUint16LengthPrefixed(&sctList, &sct) ||
1425 len(sct) == 0 {
1426 return false
1427 }
1428 certificate.SignedCertificateTimestamps = append(
1429 certificate.SignedCertificateTimestamps, sct)
1430 }
1431 default:
1432
1433 continue
1434 }
1435
1436 if !extData.Empty() {
1437 return false
1438 }
1439 }
1440 }
1441 return true
1442 }
1443
1444 type serverKeyExchangeMsg struct {
1445 key []byte
1446 }
1447
1448 func (m *serverKeyExchangeMsg) marshal() ([]byte, error) {
1449 length := len(m.key)
1450 x := make([]byte, length+4)
1451 x[0] = typeServerKeyExchange
1452 x[1] = uint8(length >> 16)
1453 x[2] = uint8(length >> 8)
1454 x[3] = uint8(length)
1455 copy(x[4:], m.key)
1456
1457 return x, nil
1458 }
1459
1460 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
1461 if len(data) < 4 {
1462 return false
1463 }
1464 m.key = data[4:]
1465 return true
1466 }
1467
1468 type certificateStatusMsg struct {
1469 response []byte
1470 }
1471
1472 func (m *certificateStatusMsg) marshal() ([]byte, error) {
1473 var b cryptobyte.Builder
1474 b.AddUint8(typeCertificateStatus)
1475 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1476 b.AddUint8(statusTypeOCSP)
1477 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1478 b.AddBytes(m.response)
1479 })
1480 })
1481
1482 return b.Bytes()
1483 }
1484
1485 func (m *certificateStatusMsg) unmarshal(data []byte) bool {
1486 s := cryptobyte.String(data)
1487
1488 var statusType uint8
1489 if !s.Skip(4) ||
1490 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
1491 !readUint24LengthPrefixed(&s, &m.response) ||
1492 len(m.response) == 0 || !s.Empty() {
1493 return false
1494 }
1495 return true
1496 }
1497
1498 type serverHelloDoneMsg struct{}
1499
1500 func (m *serverHelloDoneMsg) marshal() ([]byte, error) {
1501 x := make([]byte, 4)
1502 x[0] = typeServerHelloDone
1503 return x, nil
1504 }
1505
1506 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
1507 return len(data) == 4
1508 }
1509
1510 type clientKeyExchangeMsg struct {
1511 ciphertext []byte
1512 }
1513
1514 func (m *clientKeyExchangeMsg) marshal() ([]byte, error) {
1515 length := len(m.ciphertext)
1516 x := make([]byte, length+4)
1517 x[0] = typeClientKeyExchange
1518 x[1] = uint8(length >> 16)
1519 x[2] = uint8(length >> 8)
1520 x[3] = uint8(length)
1521 copy(x[4:], m.ciphertext)
1522
1523 return x, nil
1524 }
1525
1526 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
1527 if len(data) < 4 {
1528 return false
1529 }
1530 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1531 if l != len(data)-4 {
1532 return false
1533 }
1534 m.ciphertext = data[4:]
1535 return true
1536 }
1537
1538 type finishedMsg struct {
1539 verifyData []byte
1540 }
1541
1542 func (m *finishedMsg) marshal() ([]byte, error) {
1543 var b cryptobyte.Builder
1544 b.AddUint8(typeFinished)
1545 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1546 b.AddBytes(m.verifyData)
1547 })
1548
1549 return b.Bytes()
1550 }
1551
1552 func (m *finishedMsg) unmarshal(data []byte) bool {
1553 s := cryptobyte.String(data)
1554 return s.Skip(1) &&
1555 readUint24LengthPrefixed(&s, &m.verifyData) &&
1556 s.Empty()
1557 }
1558
1559 type certificateRequestMsg struct {
1560
1561
1562 hasSignatureAlgorithm bool
1563
1564 certificateTypes []byte
1565 supportedSignatureAlgorithms []SignatureScheme
1566 certificateAuthorities [][]byte
1567 }
1568
1569 func (m *certificateRequestMsg) marshal() ([]byte, error) {
1570
1571 length := 1 + len(m.certificateTypes) + 2
1572 casLength := 0
1573 for _, ca := range m.certificateAuthorities {
1574 casLength += 2 + len(ca)
1575 }
1576 length += casLength
1577
1578 if m.hasSignatureAlgorithm {
1579 length += 2 + 2*len(m.supportedSignatureAlgorithms)
1580 }
1581
1582 x := make([]byte, 4+length)
1583 x[0] = typeCertificateRequest
1584 x[1] = uint8(length >> 16)
1585 x[2] = uint8(length >> 8)
1586 x[3] = uint8(length)
1587
1588 x[4] = uint8(len(m.certificateTypes))
1589
1590 copy(x[5:], m.certificateTypes)
1591 y := x[5+len(m.certificateTypes):]
1592
1593 if m.hasSignatureAlgorithm {
1594 n := len(m.supportedSignatureAlgorithms) * 2
1595 y[0] = uint8(n >> 8)
1596 y[1] = uint8(n)
1597 y = y[2:]
1598 for _, sigAlgo := range m.supportedSignatureAlgorithms {
1599 y[0] = uint8(sigAlgo >> 8)
1600 y[1] = uint8(sigAlgo)
1601 y = y[2:]
1602 }
1603 }
1604
1605 y[0] = uint8(casLength >> 8)
1606 y[1] = uint8(casLength)
1607 y = y[2:]
1608 for _, ca := range m.certificateAuthorities {
1609 y[0] = uint8(len(ca) >> 8)
1610 y[1] = uint8(len(ca))
1611 y = y[2:]
1612 copy(y, ca)
1613 y = y[len(ca):]
1614 }
1615
1616 return x, nil
1617 }
1618
1619 func (m *certificateRequestMsg) unmarshal(data []byte) bool {
1620 if len(data) < 5 {
1621 return false
1622 }
1623
1624 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1625 if uint32(len(data))-4 != length {
1626 return false
1627 }
1628
1629 numCertTypes := int(data[4])
1630 data = data[5:]
1631 if numCertTypes == 0 || len(data) <= numCertTypes {
1632 return false
1633 }
1634
1635 m.certificateTypes = make([]byte, numCertTypes)
1636 if copy(m.certificateTypes, data) != numCertTypes {
1637 return false
1638 }
1639
1640 data = data[numCertTypes:]
1641
1642 if m.hasSignatureAlgorithm {
1643 if len(data) < 2 {
1644 return false
1645 }
1646 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
1647 data = data[2:]
1648 if sigAndHashLen&1 != 0 {
1649 return false
1650 }
1651 if len(data) < int(sigAndHashLen) {
1652 return false
1653 }
1654 numSigAlgos := sigAndHashLen / 2
1655 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
1656 for i := range m.supportedSignatureAlgorithms {
1657 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
1658 data = data[2:]
1659 }
1660 }
1661
1662 if len(data) < 2 {
1663 return false
1664 }
1665 casLength := uint16(data[0])<<8 | uint16(data[1])
1666 data = data[2:]
1667 if len(data) < int(casLength) {
1668 return false
1669 }
1670 cas := make([]byte, casLength)
1671 copy(cas, data)
1672 data = data[casLength:]
1673
1674 m.certificateAuthorities = nil
1675 for len(cas) > 0 {
1676 if len(cas) < 2 {
1677 return false
1678 }
1679 caLen := uint16(cas[0])<<8 | uint16(cas[1])
1680 cas = cas[2:]
1681
1682 if len(cas) < int(caLen) {
1683 return false
1684 }
1685
1686 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
1687 cas = cas[caLen:]
1688 }
1689
1690 return len(data) == 0
1691 }
1692
1693 type certificateVerifyMsg struct {
1694 hasSignatureAlgorithm bool
1695 signatureAlgorithm SignatureScheme
1696 signature []byte
1697 }
1698
1699 func (m *certificateVerifyMsg) marshal() ([]byte, error) {
1700 var b cryptobyte.Builder
1701 b.AddUint8(typeCertificateVerify)
1702 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
1703 if m.hasSignatureAlgorithm {
1704 b.AddUint16(uint16(m.signatureAlgorithm))
1705 }
1706 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
1707 b.AddBytes(m.signature)
1708 })
1709 })
1710
1711 return b.Bytes()
1712 }
1713
1714 func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
1715 s := cryptobyte.String(data)
1716
1717 if !s.Skip(4) {
1718 return false
1719 }
1720 if m.hasSignatureAlgorithm {
1721 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
1722 return false
1723 }
1724 }
1725 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
1726 }
1727
1728 type newSessionTicketMsg struct {
1729 ticket []byte
1730 }
1731
1732 func (m *newSessionTicketMsg) marshal() ([]byte, error) {
1733
1734 ticketLen := len(m.ticket)
1735 length := 2 + 4 + ticketLen
1736 x := make([]byte, 4+length)
1737 x[0] = typeNewSessionTicket
1738 x[1] = uint8(length >> 16)
1739 x[2] = uint8(length >> 8)
1740 x[3] = uint8(length)
1741 x[8] = uint8(ticketLen >> 8)
1742 x[9] = uint8(ticketLen)
1743 copy(x[10:], m.ticket)
1744
1745 return x, nil
1746 }
1747
1748 func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
1749 if len(data) < 10 {
1750 return false
1751 }
1752
1753 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1754 if uint32(len(data))-4 != length {
1755 return false
1756 }
1757
1758 ticketLen := int(data[8])<<8 + int(data[9])
1759 if len(data)-10 != ticketLen {
1760 return false
1761 }
1762
1763 m.ticket = data[10:]
1764
1765 return true
1766 }
1767
1768 type helloRequestMsg struct {
1769 }
1770
1771 func (*helloRequestMsg) marshal() ([]byte, error) {
1772 return []byte{typeHelloRequest, 0, 0, 0}, nil
1773 }
1774
1775 func (*helloRequestMsg) unmarshal(data []byte) bool {
1776 return len(data) == 4
1777 }
1778
1779 type transcriptHash interface {
1780 Write([]byte) (int, error)
1781 }
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794 func transcriptMsg(msg handshakeMessage, h transcriptHash) error {
1795 if msgWithOrig, ok := msg.(handshakeMessageWithOriginalBytes); ok {
1796 if orig := msgWithOrig.originalBytes(); orig != nil {
1797 h.Write(msgWithOrig.originalBytes())
1798 return nil
1799 }
1800 }
1801
1802 data, err := msg.marshal()
1803 if err != nil {
1804 return err
1805 }
1806 h.Write(data)
1807 return nil
1808 }
1809
View as plain text