1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "encoding/binary" 10 "fmt" 11) 12 13func writeLen(buf []byte, v, size int) { 14 for i := 0; i < size; i++ { 15 buf[size-i-1] = byte(v) 16 v >>= 8 17 } 18 if v != 0 { 19 panic("length is too long") 20 } 21} 22 23type byteBuilder struct { 24 buf *[]byte 25 start int 26 prefixLen int 27 child *byteBuilder 28} 29 30func newByteBuilder() *byteBuilder { 31 buf := make([]byte, 0, 32) 32 return &byteBuilder{buf: &buf} 33} 34 35func (bb *byteBuilder) len() int { 36 return len(*bb.buf) - bb.start - bb.prefixLen 37} 38 39func (bb *byteBuilder) data() []byte { 40 bb.flush() 41 return (*bb.buf)[bb.start+bb.prefixLen:] 42} 43 44func (bb *byteBuilder) flush() { 45 if bb.child == nil { 46 return 47 } 48 bb.child.flush() 49 writeLen((*bb.buf)[bb.child.start:], bb.child.len(), bb.child.prefixLen) 50 bb.child = nil 51 return 52} 53 54func (bb *byteBuilder) finish() []byte { 55 bb.flush() 56 return *bb.buf 57} 58 59func (bb *byteBuilder) addU8(u uint8) { 60 bb.flush() 61 *bb.buf = append(*bb.buf, u) 62} 63 64func (bb *byteBuilder) addU16(u uint16) { 65 bb.flush() 66 *bb.buf = append(*bb.buf, byte(u>>8), byte(u)) 67} 68 69func (bb *byteBuilder) addU24(u int) { 70 bb.flush() 71 *bb.buf = append(*bb.buf, byte(u>>16), byte(u>>8), byte(u)) 72} 73 74func (bb *byteBuilder) addU32(u uint32) { 75 bb.flush() 76 *bb.buf = append(*bb.buf, byte(u>>24), byte(u>>16), byte(u>>8), byte(u)) 77} 78 79func (bb *byteBuilder) addU64(u uint64) { 80 bb.flush() 81 var b [8]byte 82 binary.BigEndian.PutUint64(b[:], u) 83 *bb.buf = append(*bb.buf, b[:]...) 84} 85 86func (bb *byteBuilder) addU8LengthPrefixed() *byteBuilder { 87 return bb.createChild(1) 88} 89 90func (bb *byteBuilder) addU16LengthPrefixed() *byteBuilder { 91 return bb.createChild(2) 92} 93 94func (bb *byteBuilder) addU24LengthPrefixed() *byteBuilder { 95 return bb.createChild(3) 96} 97 98func (bb *byteBuilder) addU32LengthPrefixed() *byteBuilder { 99 return bb.createChild(4) 100} 101 102func (bb *byteBuilder) addBytes(b []byte) { 103 bb.flush() 104 *bb.buf = append(*bb.buf, b...) 105} 106 107func (bb *byteBuilder) createChild(lengthPrefixSize int) *byteBuilder { 108 bb.flush() 109 bb.child = &byteBuilder{ 110 buf: bb.buf, 111 start: len(*bb.buf), 112 prefixLen: lengthPrefixSize, 113 } 114 for i := 0; i < lengthPrefixSize; i++ { 115 *bb.buf = append(*bb.buf, 0) 116 } 117 return bb.child 118} 119 120func (bb *byteBuilder) discardChild() { 121 if bb.child == nil { 122 return 123 } 124 *bb.buf = (*bb.buf)[:bb.child.start] 125 bb.child = nil 126} 127 128type byteReader []byte 129 130func (br *byteReader) readInternal(out *byteReader, n int) bool { 131 if len(*br) < n { 132 return false 133 } 134 *out = (*br)[:n] 135 *br = (*br)[n:] 136 return true 137} 138 139func (br *byteReader) readBytes(out *[]byte, n int) bool { 140 var child byteReader 141 if !br.readInternal(&child, n) { 142 return false 143 } 144 *out = []byte(child) 145 return true 146} 147 148func (br *byteReader) readUint(out *uint64, n int) bool { 149 var b []byte 150 if !br.readBytes(&b, n) { 151 return false 152 } 153 *out = 0 154 for _, v := range b { 155 *out <<= 8 156 *out |= uint64(v) 157 } 158 return true 159} 160 161func (br *byteReader) readU8(out *uint8) bool { 162 var b []byte 163 if !br.readBytes(&b, 1) { 164 return false 165 } 166 *out = b[0] 167 return true 168} 169 170func (br *byteReader) readU16(out *uint16) bool { 171 var v uint64 172 if !br.readUint(&v, 2) { 173 return false 174 } 175 *out = uint16(v) 176 return true 177} 178 179func (br *byteReader) readU24(out *uint32) bool { 180 var v uint64 181 if !br.readUint(&v, 3) { 182 return false 183 } 184 *out = uint32(v) 185 return true 186} 187 188func (br *byteReader) readU32(out *uint32) bool { 189 var v uint64 190 if !br.readUint(&v, 4) { 191 return false 192 } 193 *out = uint32(v) 194 return true 195} 196 197func (br *byteReader) readU64(out *uint64) bool { 198 return br.readUint(out, 8) 199} 200 201func (br *byteReader) readLengthPrefixed(out *byteReader, n int) bool { 202 var length uint64 203 return br.readUint(&length, n) && 204 uint64(len(*br)) >= length && 205 br.readInternal(out, int(length)) 206} 207 208func (br *byteReader) readLengthPrefixedBytes(out *[]byte, n int) bool { 209 var length uint64 210 return br.readUint(&length, n) && 211 uint64(len(*br)) >= length && 212 br.readBytes(out, int(length)) 213} 214 215func (br *byteReader) readU8LengthPrefixed(out *byteReader) bool { 216 return br.readLengthPrefixed(out, 1) 217} 218func (br *byteReader) readU8LengthPrefixedBytes(out *[]byte) bool { 219 return br.readLengthPrefixedBytes(out, 1) 220} 221 222func (br *byteReader) readU16LengthPrefixed(out *byteReader) bool { 223 return br.readLengthPrefixed(out, 2) 224} 225func (br *byteReader) readU16LengthPrefixedBytes(out *[]byte) bool { 226 return br.readLengthPrefixedBytes(out, 2) 227} 228 229func (br *byteReader) readU24LengthPrefixed(out *byteReader) bool { 230 return br.readLengthPrefixed(out, 3) 231} 232func (br *byteReader) readU24LengthPrefixedBytes(out *[]byte) bool { 233 return br.readLengthPrefixedBytes(out, 3) 234} 235 236func (br *byteReader) readU32LengthPrefixed(out *byteReader) bool { 237 return br.readLengthPrefixed(out, 4) 238} 239func (br *byteReader) readU32LengthPrefixedBytes(out *[]byte) bool { 240 return br.readLengthPrefixedBytes(out, 4) 241} 242 243type keyShareEntry struct { 244 group CurveID 245 keyExchange []byte 246} 247 248type pskIdentity struct { 249 ticket []uint8 250 obfuscatedTicketAge uint32 251} 252 253type clientHelloMsg struct { 254 raw []byte 255 isDTLS bool 256 vers uint16 257 random []byte 258 sessionId []byte 259 cookie []byte 260 cipherSuites []uint16 261 compressionMethods []uint8 262 nextProtoNeg bool 263 serverName string 264 ocspStapling bool 265 supportedCurves []CurveID 266 supportedPoints []uint8 267 hasKeyShares bool 268 keyShares []keyShareEntry 269 keySharesRaw []byte 270 trailingKeyShareData bool 271 pskIdentities []pskIdentity 272 pskKEModes []byte 273 pskBinders [][]uint8 274 hasEarlyData bool 275 tls13Cookie []byte 276 ticketSupported bool 277 sessionTicket []uint8 278 signatureAlgorithms []signatureAlgorithm 279 signatureAlgorithmsCert []signatureAlgorithm 280 supportedVersions []uint16 281 secureRenegotiation []byte 282 alpnProtocols []string 283 quicTransportParams []byte 284 duplicateExtension bool 285 channelIDSupported bool 286 tokenBindingParams []byte 287 tokenBindingVersion uint16 288 npnAfterAlpn bool 289 extendedMasterSecret bool 290 srtpProtectionProfiles []uint16 291 srtpMasterKeyIdentifier string 292 sctListSupported bool 293 customExtension string 294 hasGREASEExtension bool 295 pskBinderFirst bool 296 omitExtensions bool 297 emptyExtensions bool 298 pad int 299 compressedCertAlgs []uint16 300 delegatedCredentials bool 301} 302 303func (m *clientHelloMsg) equal(i interface{}) bool { 304 m1, ok := i.(*clientHelloMsg) 305 if !ok { 306 return false 307 } 308 309 return bytes.Equal(m.raw, m1.raw) && 310 m.isDTLS == m1.isDTLS && 311 m.vers == m1.vers && 312 bytes.Equal(m.random, m1.random) && 313 bytes.Equal(m.sessionId, m1.sessionId) && 314 bytes.Equal(m.cookie, m1.cookie) && 315 eqUint16s(m.cipherSuites, m1.cipherSuites) && 316 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 317 m.nextProtoNeg == m1.nextProtoNeg && 318 m.serverName == m1.serverName && 319 m.ocspStapling == m1.ocspStapling && 320 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 321 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 322 m.hasKeyShares == m1.hasKeyShares && 323 eqKeyShareEntryLists(m.keyShares, m1.keyShares) && 324 m.trailingKeyShareData == m1.trailingKeyShareData && 325 eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) && 326 bytes.Equal(m.pskKEModes, m1.pskKEModes) && 327 eqByteSlices(m.pskBinders, m1.pskBinders) && 328 m.hasEarlyData == m1.hasEarlyData && 329 bytes.Equal(m.tls13Cookie, m1.tls13Cookie) && 330 m.ticketSupported == m1.ticketSupported && 331 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 332 eqSignatureAlgorithms(m.signatureAlgorithms, m1.signatureAlgorithms) && 333 eqSignatureAlgorithms(m.signatureAlgorithmsCert, m1.signatureAlgorithmsCert) && 334 eqUint16s(m.supportedVersions, m1.supportedVersions) && 335 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 336 (m.secureRenegotiation == nil) == (m1.secureRenegotiation == nil) && 337 eqStrings(m.alpnProtocols, m1.alpnProtocols) && 338 bytes.Equal(m.quicTransportParams, m1.quicTransportParams) && 339 m.duplicateExtension == m1.duplicateExtension && 340 m.channelIDSupported == m1.channelIDSupported && 341 bytes.Equal(m.tokenBindingParams, m1.tokenBindingParams) && 342 m.tokenBindingVersion == m1.tokenBindingVersion && 343 m.npnAfterAlpn == m1.npnAfterAlpn && 344 m.extendedMasterSecret == m1.extendedMasterSecret && 345 eqUint16s(m.srtpProtectionProfiles, m1.srtpProtectionProfiles) && 346 m.srtpMasterKeyIdentifier == m1.srtpMasterKeyIdentifier && 347 m.sctListSupported == m1.sctListSupported && 348 m.customExtension == m1.customExtension && 349 m.hasGREASEExtension == m1.hasGREASEExtension && 350 m.pskBinderFirst == m1.pskBinderFirst && 351 m.omitExtensions == m1.omitExtensions && 352 m.emptyExtensions == m1.emptyExtensions && 353 m.pad == m1.pad && 354 eqUint16s(m.compressedCertAlgs, m1.compressedCertAlgs) && 355 m.delegatedCredentials == m1.delegatedCredentials 356} 357 358func (m *clientHelloMsg) marshalKeyShares(bb *byteBuilder) { 359 keyShares := bb.addU16LengthPrefixed() 360 for _, keyShare := range m.keyShares { 361 keyShares.addU16(uint16(keyShare.group)) 362 keyExchange := keyShares.addU16LengthPrefixed() 363 keyExchange.addBytes(keyShare.keyExchange) 364 } 365 if m.trailingKeyShareData { 366 keyShares.addU8(0) 367 } 368} 369 370func (m *clientHelloMsg) marshal() []byte { 371 if m.raw != nil { 372 return m.raw 373 } 374 375 handshakeMsg := newByteBuilder() 376 handshakeMsg.addU8(typeClientHello) 377 hello := handshakeMsg.addU24LengthPrefixed() 378 hello.addU16(m.vers) 379 hello.addBytes(m.random) 380 sessionId := hello.addU8LengthPrefixed() 381 sessionId.addBytes(m.sessionId) 382 if m.isDTLS { 383 cookie := hello.addU8LengthPrefixed() 384 cookie.addBytes(m.cookie) 385 } 386 cipherSuites := hello.addU16LengthPrefixed() 387 for _, suite := range m.cipherSuites { 388 cipherSuites.addU16(suite) 389 } 390 compressionMethods := hello.addU8LengthPrefixed() 391 compressionMethods.addBytes(m.compressionMethods) 392 393 extensions := hello.addU16LengthPrefixed() 394 if len(m.pskIdentities) > 0 && m.pskBinderFirst { 395 extensions.addU16(extensionPreSharedKey) 396 pskExtension := extensions.addU16LengthPrefixed() 397 398 pskIdentities := pskExtension.addU16LengthPrefixed() 399 for _, psk := range m.pskIdentities { 400 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 401 pskIdentities.addU32(psk.obfuscatedTicketAge) 402 } 403 pskBinders := pskExtension.addU16LengthPrefixed() 404 for _, binder := range m.pskBinders { 405 pskBinders.addU8LengthPrefixed().addBytes(binder) 406 } 407 } 408 if m.duplicateExtension { 409 // Add a duplicate bogus extension at the beginning and end. 410 extensions.addU16(0xffff) 411 extensions.addU16(0) // 0-length for empty extension 412 } 413 if m.nextProtoNeg && !m.npnAfterAlpn { 414 extensions.addU16(extensionNextProtoNeg) 415 extensions.addU16(0) // The length is always 0 416 } 417 if len(m.serverName) > 0 { 418 extensions.addU16(extensionServerName) 419 serverNameList := extensions.addU16LengthPrefixed() 420 421 // RFC 3546, section 3.1 422 // 423 // struct { 424 // NameType name_type; 425 // select (name_type) { 426 // case host_name: HostName; 427 // } name; 428 // } ServerName; 429 // 430 // enum { 431 // host_name(0), (255) 432 // } NameType; 433 // 434 // opaque HostName<1..2^16-1>; 435 // 436 // struct { 437 // ServerName server_name_list<1..2^16-1> 438 // } ServerNameList; 439 440 serverName := serverNameList.addU16LengthPrefixed() 441 serverName.addU8(0) // NameType host_name(0) 442 hostName := serverName.addU16LengthPrefixed() 443 hostName.addBytes([]byte(m.serverName)) 444 } 445 if m.ocspStapling { 446 extensions.addU16(extensionStatusRequest) 447 certificateStatusRequest := extensions.addU16LengthPrefixed() 448 449 // RFC 4366, section 3.6 450 certificateStatusRequest.addU8(1) // OCSP type 451 // Two zero valued uint16s for the two lengths. 452 certificateStatusRequest.addU16(0) // ResponderID length 453 certificateStatusRequest.addU16(0) // Extensions length 454 } 455 if len(m.supportedCurves) > 0 { 456 // http://tools.ietf.org/html/rfc4492#section-5.1.1 457 extensions.addU16(extensionSupportedCurves) 458 supportedCurvesList := extensions.addU16LengthPrefixed() 459 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 460 for _, curve := range m.supportedCurves { 461 supportedCurves.addU16(uint16(curve)) 462 } 463 } 464 if len(m.supportedPoints) > 0 { 465 // http://tools.ietf.org/html/rfc4492#section-5.1.2 466 extensions.addU16(extensionSupportedPoints) 467 supportedPointsList := extensions.addU16LengthPrefixed() 468 supportedPoints := supportedPointsList.addU8LengthPrefixed() 469 supportedPoints.addBytes(m.supportedPoints) 470 } 471 if m.hasKeyShares { 472 extensions.addU16(extensionKeyShare) 473 keyShareList := extensions.addU16LengthPrefixed() 474 m.marshalKeyShares(keyShareList) 475 } 476 if len(m.pskKEModes) > 0 { 477 extensions.addU16(extensionPSKKeyExchangeModes) 478 pskModesExtension := extensions.addU16LengthPrefixed() 479 pskModesExtension.addU8LengthPrefixed().addBytes(m.pskKEModes) 480 } 481 if m.hasEarlyData { 482 extensions.addU16(extensionEarlyData) 483 extensions.addU16(0) // The length is zero. 484 } 485 if len(m.tls13Cookie) > 0 { 486 extensions.addU16(extensionCookie) 487 body := extensions.addU16LengthPrefixed() 488 body.addU16LengthPrefixed().addBytes(m.tls13Cookie) 489 } 490 if m.ticketSupported { 491 // http://tools.ietf.org/html/rfc5077#section-3.2 492 extensions.addU16(extensionSessionTicket) 493 sessionTicketExtension := extensions.addU16LengthPrefixed() 494 sessionTicketExtension.addBytes(m.sessionTicket) 495 } 496 if len(m.signatureAlgorithms) > 0 { 497 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 498 extensions.addU16(extensionSignatureAlgorithms) 499 signatureAlgorithmsExtension := extensions.addU16LengthPrefixed() 500 signatureAlgorithms := signatureAlgorithmsExtension.addU16LengthPrefixed() 501 for _, sigAlg := range m.signatureAlgorithms { 502 signatureAlgorithms.addU16(uint16(sigAlg)) 503 } 504 } 505 if len(m.signatureAlgorithmsCert) > 0 { 506 extensions.addU16(extensionSignatureAlgorithmsCert) 507 signatureAlgorithmsCertExtension := extensions.addU16LengthPrefixed() 508 signatureAlgorithmsCert := signatureAlgorithmsCertExtension.addU16LengthPrefixed() 509 for _, sigAlg := range m.signatureAlgorithmsCert { 510 signatureAlgorithmsCert.addU16(uint16(sigAlg)) 511 } 512 } 513 if len(m.supportedVersions) > 0 { 514 extensions.addU16(extensionSupportedVersions) 515 supportedVersionsExtension := extensions.addU16LengthPrefixed() 516 supportedVersions := supportedVersionsExtension.addU8LengthPrefixed() 517 for _, version := range m.supportedVersions { 518 supportedVersions.addU16(uint16(version)) 519 } 520 } 521 if m.secureRenegotiation != nil { 522 extensions.addU16(extensionRenegotiationInfo) 523 secureRenegoExt := extensions.addU16LengthPrefixed() 524 secureRenego := secureRenegoExt.addU8LengthPrefixed() 525 secureRenego.addBytes(m.secureRenegotiation) 526 } 527 if len(m.alpnProtocols) > 0 { 528 // https://tools.ietf.org/html/rfc7301#section-3.1 529 extensions.addU16(extensionALPN) 530 alpnExtension := extensions.addU16LengthPrefixed() 531 532 protocolNameList := alpnExtension.addU16LengthPrefixed() 533 for _, s := range m.alpnProtocols { 534 protocolName := protocolNameList.addU8LengthPrefixed() 535 protocolName.addBytes([]byte(s)) 536 } 537 } 538 if len(m.quicTransportParams) > 0 { 539 extensions.addU16(extensionQUICTransportParams) 540 params := extensions.addU16LengthPrefixed() 541 params.addBytes(m.quicTransportParams) 542 } 543 if m.channelIDSupported { 544 extensions.addU16(extensionChannelID) 545 extensions.addU16(0) // Length is always 0 546 } 547 if m.tokenBindingParams != nil { 548 extensions.addU16(extensionTokenBinding) 549 tokbindExtension := extensions.addU16LengthPrefixed() 550 tokbindExtension.addU16(m.tokenBindingVersion) 551 tokbindParams := tokbindExtension.addU8LengthPrefixed() 552 tokbindParams.addBytes(m.tokenBindingParams) 553 } 554 if m.nextProtoNeg && m.npnAfterAlpn { 555 extensions.addU16(extensionNextProtoNeg) 556 extensions.addU16(0) // Length is always 0 557 } 558 if m.duplicateExtension { 559 // Add a duplicate bogus extension at the beginning and end. 560 extensions.addU16(0xffff) 561 extensions.addU16(0) 562 } 563 if m.extendedMasterSecret { 564 // https://tools.ietf.org/html/rfc7627 565 extensions.addU16(extensionExtendedMasterSecret) 566 extensions.addU16(0) // Length is always 0 567 } 568 if len(m.srtpProtectionProfiles) > 0 { 569 // https://tools.ietf.org/html/rfc5764#section-4.1.1 570 extensions.addU16(extensionUseSRTP) 571 useSrtpExt := extensions.addU16LengthPrefixed() 572 573 srtpProtectionProfiles := useSrtpExt.addU16LengthPrefixed() 574 for _, p := range m.srtpProtectionProfiles { 575 srtpProtectionProfiles.addU16(p) 576 } 577 srtpMki := useSrtpExt.addU8LengthPrefixed() 578 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 579 } 580 if m.sctListSupported { 581 extensions.addU16(extensionSignedCertificateTimestamp) 582 extensions.addU16(0) // Length is always 0 583 } 584 if l := len(m.customExtension); l > 0 { 585 extensions.addU16(extensionCustom) 586 customExt := extensions.addU16LengthPrefixed() 587 customExt.addBytes([]byte(m.customExtension)) 588 } 589 if len(m.compressedCertAlgs) > 0 { 590 extensions.addU16(extensionCompressedCertAlgs) 591 body := extensions.addU16LengthPrefixed() 592 algIDs := body.addU8LengthPrefixed() 593 for _, v := range m.compressedCertAlgs { 594 algIDs.addU16(v) 595 } 596 } 597 if m.delegatedCredentials { 598 extensions.addU16(extensionDelegatedCredentials) 599 extensions.addU16(0) // Length is always 0 600 } 601 // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11 602 if len(m.pskIdentities) > 0 && !m.pskBinderFirst { 603 extensions.addU16(extensionPreSharedKey) 604 pskExtension := extensions.addU16LengthPrefixed() 605 606 pskIdentities := pskExtension.addU16LengthPrefixed() 607 for _, psk := range m.pskIdentities { 608 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 609 pskIdentities.addU32(psk.obfuscatedTicketAge) 610 } 611 pskBinders := pskExtension.addU16LengthPrefixed() 612 for _, binder := range m.pskBinders { 613 pskBinders.addU8LengthPrefixed().addBytes(binder) 614 } 615 } 616 617 if m.pad != 0 && hello.len()%m.pad != 0 { 618 extensions.addU16(extensionPadding) 619 padding := extensions.addU16LengthPrefixed() 620 // Note hello.len() has changed at this point from the length 621 // prefix. 622 if l := hello.len() % m.pad; l != 0 { 623 padding.addBytes(make([]byte, m.pad-l)) 624 } 625 } 626 627 if m.omitExtensions || m.emptyExtensions { 628 // Silently erase any extensions which were sent. 629 hello.discardChild() 630 if m.emptyExtensions { 631 hello.addU16(0) 632 } 633 } 634 635 m.raw = handshakeMsg.finish() 636 // Sanity-check padding. 637 if m.pad != 0 && (len(m.raw)-4)%m.pad != 0 { 638 panic(fmt.Sprintf("%d is not a multiple of %d", len(m.raw)-4, m.pad)) 639 } 640 return m.raw 641} 642 643func parseSignatureAlgorithms(reader *byteReader, out *[]signatureAlgorithm, allowEmpty bool) bool { 644 var sigAlgs byteReader 645 if !reader.readU16LengthPrefixed(&sigAlgs) { 646 return false 647 } 648 if !allowEmpty && len(sigAlgs) == 0 { 649 return false 650 } 651 *out = make([]signatureAlgorithm, 0, len(sigAlgs)/2) 652 for len(sigAlgs) > 0 { 653 var v uint16 654 if !sigAlgs.readU16(&v) { 655 return false 656 } 657 *out = append(*out, signatureAlgorithm(v)) 658 } 659 return true 660} 661 662func checkDuplicateExtensions(extensions byteReader) bool { 663 seen := make(map[uint16]struct{}) 664 for len(extensions) > 0 { 665 var extension uint16 666 var body byteReader 667 if !extensions.readU16(&extension) || 668 !extensions.readU16LengthPrefixed(&body) { 669 return false 670 } 671 if _, ok := seen[extension]; ok { 672 return false 673 } 674 seen[extension] = struct{}{} 675 } 676 return true 677} 678 679func (m *clientHelloMsg) unmarshal(data []byte) bool { 680 m.raw = data 681 reader := byteReader(data[4:]) 682 if !reader.readU16(&m.vers) || 683 !reader.readBytes(&m.random, 32) || 684 !reader.readU8LengthPrefixedBytes(&m.sessionId) || 685 len(m.sessionId) > 32 { 686 return false 687 } 688 if m.isDTLS { 689 if !reader.readU8LengthPrefixedBytes(&m.cookie) || 690 len(m.cookie) > 32 { 691 return false 692 } 693 } 694 var cipherSuites byteReader 695 if !reader.readU16LengthPrefixed(&cipherSuites) || 696 !reader.readU8LengthPrefixedBytes(&m.compressionMethods) { 697 return false 698 } 699 700 m.cipherSuites = make([]uint16, 0, len(cipherSuites)/2) 701 for len(cipherSuites) > 0 { 702 var v uint16 703 if !cipherSuites.readU16(&v) { 704 return false 705 } 706 m.cipherSuites = append(m.cipherSuites, v) 707 if v == scsvRenegotiation { 708 m.secureRenegotiation = []byte{} 709 } 710 } 711 712 m.nextProtoNeg = false 713 m.serverName = "" 714 m.ocspStapling = false 715 m.keyShares = nil 716 m.pskIdentities = nil 717 m.hasEarlyData = false 718 m.ticketSupported = false 719 m.sessionTicket = nil 720 m.signatureAlgorithms = nil 721 m.signatureAlgorithmsCert = nil 722 m.supportedVersions = nil 723 m.alpnProtocols = nil 724 m.extendedMasterSecret = false 725 m.customExtension = "" 726 m.delegatedCredentials = false 727 728 if len(reader) == 0 { 729 // ClientHello is optionally followed by extension data 730 return true 731 } 732 733 var extensions byteReader 734 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 || !checkDuplicateExtensions(extensions) { 735 return false 736 } 737 for len(extensions) > 0 { 738 var extension uint16 739 var body byteReader 740 if !extensions.readU16(&extension) || 741 !extensions.readU16LengthPrefixed(&body) { 742 return false 743 } 744 switch extension { 745 case extensionServerName: 746 var names byteReader 747 if !body.readU16LengthPrefixed(&names) || len(body) != 0 { 748 return false 749 } 750 for len(names) > 0 { 751 var nameType byte 752 var name []byte 753 if !names.readU8(&nameType) || 754 !names.readU16LengthPrefixedBytes(&name) { 755 return false 756 } 757 if nameType == 0 { 758 m.serverName = string(name) 759 } 760 } 761 case extensionNextProtoNeg: 762 if len(body) != 0 { 763 return false 764 } 765 m.nextProtoNeg = true 766 case extensionStatusRequest: 767 m.ocspStapling = len(body) > 0 && body[0] == statusTypeOCSP 768 case extensionSupportedCurves: 769 // http://tools.ietf.org/html/rfc4492#section-5.5.1 770 var curves byteReader 771 if !body.readU16LengthPrefixed(&curves) || len(body) != 0 { 772 return false 773 } 774 m.supportedCurves = make([]CurveID, 0, len(curves)/2) 775 for len(curves) > 0 { 776 var v uint16 777 if !curves.readU16(&v) { 778 return false 779 } 780 m.supportedCurves = append(m.supportedCurves, CurveID(v)) 781 } 782 case extensionSupportedPoints: 783 // http://tools.ietf.org/html/rfc4492#section-5.5.2 784 if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 { 785 return false 786 } 787 case extensionSessionTicket: 788 // http://tools.ietf.org/html/rfc5077#section-3.2 789 m.ticketSupported = true 790 m.sessionTicket = []byte(body) 791 case extensionKeyShare: 792 // https://tools.ietf.org/html/rfc8446#section-4.2.8 793 m.hasKeyShares = true 794 m.keySharesRaw = body 795 var keyShares byteReader 796 if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 { 797 return false 798 } 799 for len(keyShares) > 0 { 800 var entry keyShareEntry 801 var group uint16 802 if !keyShares.readU16(&group) || 803 !keyShares.readU16LengthPrefixedBytes(&entry.keyExchange) { 804 return false 805 } 806 entry.group = CurveID(group) 807 m.keyShares = append(m.keyShares, entry) 808 } 809 case extensionPreSharedKey: 810 // https://tools.ietf.org/html/rfc8446#section-4.2.11 811 var psks, binders byteReader 812 if !body.readU16LengthPrefixed(&psks) || 813 !body.readU16LengthPrefixed(&binders) || 814 len(body) != 0 { 815 return false 816 } 817 for len(psks) > 0 { 818 var psk pskIdentity 819 if !psks.readU16LengthPrefixedBytes(&psk.ticket) || 820 !psks.readU32(&psk.obfuscatedTicketAge) { 821 return false 822 } 823 m.pskIdentities = append(m.pskIdentities, psk) 824 } 825 for len(binders) > 0 { 826 var binder []byte 827 if !binders.readU8LengthPrefixedBytes(&binder) { 828 return false 829 } 830 m.pskBinders = append(m.pskBinders, binder) 831 } 832 833 // There must be the same number of identities as binders. 834 if len(m.pskIdentities) != len(m.pskBinders) { 835 return false 836 } 837 case extensionPSKKeyExchangeModes: 838 // https://tools.ietf.org/html/rfc8446#section-4.2.9 839 if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 { 840 return false 841 } 842 case extensionEarlyData: 843 // https://tools.ietf.org/html/rfc8446#section-4.2.10 844 if len(body) != 0 { 845 return false 846 } 847 m.hasEarlyData = true 848 case extensionCookie: 849 if !body.readU16LengthPrefixedBytes(&m.tls13Cookie) || len(body) != 0 { 850 return false 851 } 852 case extensionSignatureAlgorithms: 853 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 854 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms, false) || len(body) != 0 { 855 return false 856 } 857 case extensionSignatureAlgorithmsCert: 858 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithmsCert, false) || len(body) != 0 { 859 return false 860 } 861 case extensionSupportedVersions: 862 var versions byteReader 863 if !body.readU8LengthPrefixed(&versions) || len(body) != 0 { 864 return false 865 } 866 m.supportedVersions = make([]uint16, 0, len(versions)/2) 867 for len(versions) > 0 { 868 var v uint16 869 if !versions.readU16(&v) { 870 return false 871 } 872 m.supportedVersions = append(m.supportedVersions, v) 873 } 874 case extensionRenegotiationInfo: 875 if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 { 876 return false 877 } 878 case extensionALPN: 879 var protocols byteReader 880 if !body.readU16LengthPrefixed(&protocols) || len(body) != 0 { 881 return false 882 } 883 for len(protocols) > 0 { 884 var protocol []byte 885 if !protocols.readU8LengthPrefixedBytes(&protocol) { 886 return false 887 } 888 m.alpnProtocols = append(m.alpnProtocols, string(protocol)) 889 } 890 case extensionQUICTransportParams: 891 m.quicTransportParams = body 892 case extensionChannelID: 893 if len(body) != 0 { 894 return false 895 } 896 m.channelIDSupported = true 897 case extensionTokenBinding: 898 if !body.readU16(&m.tokenBindingVersion) || 899 !body.readU8LengthPrefixedBytes(&m.tokenBindingParams) || 900 len(body) != 0 { 901 return false 902 } 903 case extensionExtendedMasterSecret: 904 if len(body) != 0 { 905 return false 906 } 907 m.extendedMasterSecret = true 908 case extensionUseSRTP: 909 var profiles byteReader 910 var mki []byte 911 if !body.readU16LengthPrefixed(&profiles) || 912 !body.readU8LengthPrefixedBytes(&mki) || 913 len(body) != 0 { 914 return false 915 } 916 m.srtpProtectionProfiles = make([]uint16, 0, len(profiles)/2) 917 for len(profiles) > 0 { 918 var v uint16 919 if !profiles.readU16(&v) { 920 return false 921 } 922 m.srtpProtectionProfiles = append(m.srtpProtectionProfiles, v) 923 } 924 m.srtpMasterKeyIdentifier = string(mki) 925 case extensionSignedCertificateTimestamp: 926 if len(body) != 0 { 927 return false 928 } 929 m.sctListSupported = true 930 case extensionCustom: 931 m.customExtension = string(body) 932 case extensionCompressedCertAlgs: 933 var algIDs byteReader 934 if !body.readU8LengthPrefixed(&algIDs) { 935 return false 936 } 937 938 seen := make(map[uint16]struct{}) 939 for len(algIDs) > 0 { 940 var algID uint16 941 if !algIDs.readU16(&algID) { 942 return false 943 } 944 if _, ok := seen[algID]; ok { 945 return false 946 } 947 seen[algID] = struct{}{} 948 m.compressedCertAlgs = append(m.compressedCertAlgs, algID) 949 } 950 case extensionPadding: 951 // Padding bytes must be all zero. 952 for _, b := range body { 953 if b != 0 { 954 return false 955 } 956 } 957 case extensionDelegatedCredentials: 958 if len(body) != 0 { 959 return false 960 } 961 m.delegatedCredentials = true 962 } 963 964 if isGREASEValue(extension) { 965 m.hasGREASEExtension = true 966 } 967 } 968 969 return true 970} 971 972type serverHelloMsg struct { 973 raw []byte 974 isDTLS bool 975 vers uint16 976 versOverride uint16 977 supportedVersOverride uint16 978 omitSupportedVers bool 979 random []byte 980 sessionId []byte 981 cipherSuite uint16 982 hasKeyShare bool 983 keyShare keyShareEntry 984 hasPSKIdentity bool 985 pskIdentity uint16 986 compressionMethod uint8 987 customExtension string 988 unencryptedALPN string 989 omitExtensions bool 990 emptyExtensions bool 991 extensions serverExtensions 992} 993 994func (m *serverHelloMsg) marshal() []byte { 995 if m.raw != nil { 996 return m.raw 997 } 998 999 handshakeMsg := newByteBuilder() 1000 handshakeMsg.addU8(typeServerHello) 1001 hello := handshakeMsg.addU24LengthPrefixed() 1002 1003 // m.vers is used both to determine the format of the rest of the 1004 // ServerHello and to override the value, so include a second version 1005 // field. 1006 vers, ok := wireToVersion(m.vers, m.isDTLS) 1007 if !ok { 1008 panic("unknown version") 1009 } 1010 if m.versOverride != 0 { 1011 hello.addU16(m.versOverride) 1012 } else if vers >= VersionTLS13 { 1013 hello.addU16(VersionTLS12) 1014 } else { 1015 hello.addU16(m.vers) 1016 } 1017 1018 hello.addBytes(m.random) 1019 sessionId := hello.addU8LengthPrefixed() 1020 sessionId.addBytes(m.sessionId) 1021 hello.addU16(m.cipherSuite) 1022 hello.addU8(m.compressionMethod) 1023 1024 extensions := hello.addU16LengthPrefixed() 1025 1026 if vers >= VersionTLS13 { 1027 if m.hasKeyShare { 1028 extensions.addU16(extensionKeyShare) 1029 keyShare := extensions.addU16LengthPrefixed() 1030 keyShare.addU16(uint16(m.keyShare.group)) 1031 keyExchange := keyShare.addU16LengthPrefixed() 1032 keyExchange.addBytes(m.keyShare.keyExchange) 1033 } 1034 if m.hasPSKIdentity { 1035 extensions.addU16(extensionPreSharedKey) 1036 extensions.addU16(2) // Length 1037 extensions.addU16(m.pskIdentity) 1038 } 1039 if !m.omitSupportedVers { 1040 extensions.addU16(extensionSupportedVersions) 1041 extensions.addU16(2) // Length 1042 if m.supportedVersOverride != 0 { 1043 extensions.addU16(m.supportedVersOverride) 1044 } else { 1045 extensions.addU16(m.vers) 1046 } 1047 } 1048 if len(m.customExtension) > 0 { 1049 extensions.addU16(extensionCustom) 1050 customExt := extensions.addU16LengthPrefixed() 1051 customExt.addBytes([]byte(m.customExtension)) 1052 } 1053 if len(m.unencryptedALPN) > 0 { 1054 extensions.addU16(extensionALPN) 1055 extension := extensions.addU16LengthPrefixed() 1056 1057 protocolNameList := extension.addU16LengthPrefixed() 1058 protocolName := protocolNameList.addU8LengthPrefixed() 1059 protocolName.addBytes([]byte(m.unencryptedALPN)) 1060 } 1061 } else { 1062 m.extensions.marshal(extensions) 1063 if m.omitExtensions || m.emptyExtensions { 1064 // Silently erasing server extensions will break the handshake. Instead, 1065 // assert that tests which use this field also disable all features which 1066 // would write an extension. 1067 if extensions.len() != 0 { 1068 panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", extensions.data(), m)) 1069 } 1070 hello.discardChild() 1071 if m.emptyExtensions { 1072 hello.addU16(0) 1073 } 1074 } 1075 } 1076 1077 m.raw = handshakeMsg.finish() 1078 return m.raw 1079} 1080 1081func (m *serverHelloMsg) unmarshal(data []byte) bool { 1082 m.raw = data 1083 reader := byteReader(data[4:]) 1084 if !reader.readU16(&m.vers) || 1085 !reader.readBytes(&m.random, 32) { 1086 return false 1087 } 1088 vers, ok := wireToVersion(m.vers, m.isDTLS) 1089 if !ok { 1090 return false 1091 } 1092 if !reader.readU8LengthPrefixedBytes(&m.sessionId) || 1093 !reader.readU16(&m.cipherSuite) || 1094 !reader.readU8(&m.compressionMethod) { 1095 return false 1096 } 1097 1098 if len(reader) == 0 && m.vers < VersionTLS13 { 1099 // Extension data is optional before TLS 1.3. 1100 m.extensions = serverExtensions{} 1101 m.omitExtensions = true 1102 return true 1103 } 1104 1105 var extensions byteReader 1106 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 || !checkDuplicateExtensions(extensions) { 1107 return false 1108 } 1109 1110 // Parse out the version from supported_versions if available. 1111 if m.vers == VersionTLS12 { 1112 extensionsCopy := extensions 1113 for len(extensionsCopy) > 0 { 1114 var extension uint16 1115 var body byteReader 1116 if !extensionsCopy.readU16(&extension) || 1117 !extensionsCopy.readU16LengthPrefixed(&body) { 1118 return false 1119 } 1120 if extension == extensionSupportedVersions { 1121 if !body.readU16(&m.vers) || len(body) != 0 { 1122 return false 1123 } 1124 vers, ok = wireToVersion(m.vers, m.isDTLS) 1125 if !ok { 1126 return false 1127 } 1128 } 1129 } 1130 } 1131 1132 if vers >= VersionTLS13 { 1133 for len(extensions) > 0 { 1134 var extension uint16 1135 var body byteReader 1136 if !extensions.readU16(&extension) || 1137 !extensions.readU16LengthPrefixed(&body) { 1138 return false 1139 } 1140 switch extension { 1141 case extensionKeyShare: 1142 m.hasKeyShare = true 1143 var group uint16 1144 if !body.readU16(&group) || 1145 !body.readU16LengthPrefixedBytes(&m.keyShare.keyExchange) || 1146 len(body) != 0 { 1147 return false 1148 } 1149 m.keyShare.group = CurveID(group) 1150 case extensionPreSharedKey: 1151 if !body.readU16(&m.pskIdentity) || len(body) != 0 { 1152 return false 1153 } 1154 m.hasPSKIdentity = true 1155 case extensionSupportedVersions: 1156 // Parsed above. 1157 default: 1158 // Only allow the 3 extensions that are sent in 1159 // the clear in TLS 1.3. 1160 return false 1161 } 1162 } 1163 } else if !m.extensions.unmarshal(extensions, vers) { 1164 return false 1165 } 1166 1167 return true 1168} 1169 1170type encryptedExtensionsMsg struct { 1171 raw []byte 1172 extensions serverExtensions 1173 empty bool 1174} 1175 1176func (m *encryptedExtensionsMsg) marshal() []byte { 1177 if m.raw != nil { 1178 return m.raw 1179 } 1180 1181 encryptedExtensionsMsg := newByteBuilder() 1182 encryptedExtensionsMsg.addU8(typeEncryptedExtensions) 1183 encryptedExtensions := encryptedExtensionsMsg.addU24LengthPrefixed() 1184 if !m.empty { 1185 extensions := encryptedExtensions.addU16LengthPrefixed() 1186 m.extensions.marshal(extensions) 1187 } 1188 1189 m.raw = encryptedExtensionsMsg.finish() 1190 return m.raw 1191} 1192 1193func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1194 m.raw = data 1195 reader := byteReader(data[4:]) 1196 var extensions byteReader 1197 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1198 return false 1199 } 1200 return m.extensions.unmarshal(extensions, VersionTLS13) 1201} 1202 1203type serverExtensions struct { 1204 nextProtoNeg bool 1205 nextProtos []string 1206 ocspStapling bool 1207 ticketSupported bool 1208 secureRenegotiation []byte 1209 alpnProtocol string 1210 alpnProtocolEmpty bool 1211 duplicateExtension bool 1212 channelIDRequested bool 1213 tokenBindingParams []byte 1214 tokenBindingVersion uint16 1215 extendedMasterSecret bool 1216 srtpProtectionProfile uint16 1217 srtpMasterKeyIdentifier string 1218 sctList []byte 1219 customExtension string 1220 npnAfterAlpn bool 1221 hasKeyShare bool 1222 hasEarlyData bool 1223 keyShare keyShareEntry 1224 supportedVersion uint16 1225 supportedPoints []uint8 1226 supportedCurves []CurveID 1227 quicTransportParams []byte 1228 serverNameAck bool 1229} 1230 1231func (m *serverExtensions) marshal(extensions *byteBuilder) { 1232 if m.duplicateExtension { 1233 // Add a duplicate bogus extension at the beginning and end. 1234 extensions.addU16(0xffff) 1235 extensions.addU16(0) // length = 0 for empty extension 1236 } 1237 if m.nextProtoNeg && !m.npnAfterAlpn { 1238 extensions.addU16(extensionNextProtoNeg) 1239 extension := extensions.addU16LengthPrefixed() 1240 1241 for _, v := range m.nextProtos { 1242 if len(v) > 255 { 1243 v = v[:255] 1244 } 1245 npn := extension.addU8LengthPrefixed() 1246 npn.addBytes([]byte(v)) 1247 } 1248 } 1249 if m.ocspStapling { 1250 extensions.addU16(extensionStatusRequest) 1251 extensions.addU16(0) 1252 } 1253 if m.ticketSupported { 1254 extensions.addU16(extensionSessionTicket) 1255 extensions.addU16(0) 1256 } 1257 if m.secureRenegotiation != nil { 1258 extensions.addU16(extensionRenegotiationInfo) 1259 extension := extensions.addU16LengthPrefixed() 1260 secureRenego := extension.addU8LengthPrefixed() 1261 secureRenego.addBytes(m.secureRenegotiation) 1262 } 1263 if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty { 1264 extensions.addU16(extensionALPN) 1265 extension := extensions.addU16LengthPrefixed() 1266 1267 protocolNameList := extension.addU16LengthPrefixed() 1268 protocolName := protocolNameList.addU8LengthPrefixed() 1269 protocolName.addBytes([]byte(m.alpnProtocol)) 1270 } 1271 if m.channelIDRequested { 1272 extensions.addU16(extensionChannelID) 1273 extensions.addU16(0) 1274 } 1275 if m.tokenBindingParams != nil { 1276 extensions.addU16(extensionTokenBinding) 1277 tokbindExtension := extensions.addU16LengthPrefixed() 1278 tokbindExtension.addU16(m.tokenBindingVersion) 1279 tokbindParams := tokbindExtension.addU8LengthPrefixed() 1280 tokbindParams.addBytes(m.tokenBindingParams) 1281 } 1282 if m.duplicateExtension { 1283 // Add a duplicate bogus extension at the beginning and end. 1284 extensions.addU16(0xffff) 1285 extensions.addU16(0) 1286 } 1287 if m.extendedMasterSecret { 1288 extensions.addU16(extensionExtendedMasterSecret) 1289 extensions.addU16(0) 1290 } 1291 if m.srtpProtectionProfile != 0 { 1292 extensions.addU16(extensionUseSRTP) 1293 extension := extensions.addU16LengthPrefixed() 1294 1295 srtpProtectionProfiles := extension.addU16LengthPrefixed() 1296 srtpProtectionProfiles.addU16(m.srtpProtectionProfile) 1297 srtpMki := extension.addU8LengthPrefixed() 1298 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 1299 } 1300 if m.sctList != nil { 1301 extensions.addU16(extensionSignedCertificateTimestamp) 1302 extension := extensions.addU16LengthPrefixed() 1303 extension.addBytes(m.sctList) 1304 } 1305 if l := len(m.customExtension); l > 0 { 1306 extensions.addU16(extensionCustom) 1307 customExt := extensions.addU16LengthPrefixed() 1308 customExt.addBytes([]byte(m.customExtension)) 1309 } 1310 if m.nextProtoNeg && m.npnAfterAlpn { 1311 extensions.addU16(extensionNextProtoNeg) 1312 extension := extensions.addU16LengthPrefixed() 1313 1314 for _, v := range m.nextProtos { 1315 if len(v) > 255 { 1316 v = v[0:255] 1317 } 1318 npn := extension.addU8LengthPrefixed() 1319 npn.addBytes([]byte(v)) 1320 } 1321 } 1322 if m.hasKeyShare { 1323 extensions.addU16(extensionKeyShare) 1324 keyShare := extensions.addU16LengthPrefixed() 1325 keyShare.addU16(uint16(m.keyShare.group)) 1326 keyExchange := keyShare.addU16LengthPrefixed() 1327 keyExchange.addBytes(m.keyShare.keyExchange) 1328 } 1329 if m.supportedVersion != 0 { 1330 extensions.addU16(extensionSupportedVersions) 1331 extensions.addU16(2) // Length 1332 extensions.addU16(m.supportedVersion) 1333 } 1334 if len(m.supportedPoints) > 0 { 1335 // http://tools.ietf.org/html/rfc4492#section-5.1.2 1336 extensions.addU16(extensionSupportedPoints) 1337 supportedPointsList := extensions.addU16LengthPrefixed() 1338 supportedPoints := supportedPointsList.addU8LengthPrefixed() 1339 supportedPoints.addBytes(m.supportedPoints) 1340 } 1341 if len(m.supportedCurves) > 0 { 1342 // https://tools.ietf.org/html/rfc8446#section-4.2.7 1343 extensions.addU16(extensionSupportedCurves) 1344 supportedCurvesList := extensions.addU16LengthPrefixed() 1345 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 1346 for _, curve := range m.supportedCurves { 1347 supportedCurves.addU16(uint16(curve)) 1348 } 1349 } 1350 if len(m.quicTransportParams) > 0 { 1351 extensions.addU16(extensionQUICTransportParams) 1352 params := extensions.addU16LengthPrefixed() 1353 params.addBytes(m.quicTransportParams) 1354 } 1355 if m.hasEarlyData { 1356 extensions.addU16(extensionEarlyData) 1357 extensions.addBytes([]byte{0, 0}) 1358 } 1359 if m.serverNameAck { 1360 extensions.addU16(extensionServerName) 1361 extensions.addU16(0) // zero length 1362 } 1363} 1364 1365func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool { 1366 // Reset all fields. 1367 *m = serverExtensions{} 1368 1369 if !checkDuplicateExtensions(data) { 1370 return false 1371 } 1372 1373 for len(data) > 0 { 1374 var extension uint16 1375 var body byteReader 1376 if !data.readU16(&extension) || 1377 !data.readU16LengthPrefixed(&body) { 1378 return false 1379 } 1380 switch extension { 1381 case extensionNextProtoNeg: 1382 m.nextProtoNeg = true 1383 for len(body) > 0 { 1384 var protocol []byte 1385 if !body.readU8LengthPrefixedBytes(&protocol) { 1386 return false 1387 } 1388 m.nextProtos = append(m.nextProtos, string(protocol)) 1389 } 1390 case extensionStatusRequest: 1391 if len(body) != 0 { 1392 return false 1393 } 1394 m.ocspStapling = true 1395 case extensionSessionTicket: 1396 if len(body) != 0 { 1397 return false 1398 } 1399 m.ticketSupported = true 1400 case extensionRenegotiationInfo: 1401 if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 { 1402 return false 1403 } 1404 case extensionALPN: 1405 var protocols, protocol byteReader 1406 if !body.readU16LengthPrefixed(&protocols) || 1407 len(body) != 0 || 1408 !protocols.readU8LengthPrefixed(&protocol) || 1409 len(protocols) != 0 { 1410 return false 1411 } 1412 m.alpnProtocol = string(protocol) 1413 m.alpnProtocolEmpty = len(protocol) == 0 1414 case extensionChannelID: 1415 if len(body) != 0 { 1416 return false 1417 } 1418 m.channelIDRequested = true 1419 case extensionTokenBinding: 1420 if !body.readU16(&m.tokenBindingVersion) || 1421 !body.readU8LengthPrefixedBytes(&m.tokenBindingParams) || 1422 len(m.tokenBindingParams) != 1 || 1423 len(body) != 0 { 1424 return false 1425 } 1426 case extensionExtendedMasterSecret: 1427 if len(body) != 0 { 1428 return false 1429 } 1430 m.extendedMasterSecret = true 1431 case extensionUseSRTP: 1432 var profiles, mki byteReader 1433 if !body.readU16LengthPrefixed(&profiles) || 1434 !profiles.readU16(&m.srtpProtectionProfile) || 1435 len(profiles) != 0 || 1436 !body.readU8LengthPrefixed(&mki) || 1437 len(body) != 0 { 1438 return false 1439 } 1440 m.srtpMasterKeyIdentifier = string(mki) 1441 case extensionSignedCertificateTimestamp: 1442 m.sctList = []byte(body) 1443 case extensionCustom: 1444 m.customExtension = string(body) 1445 case extensionServerName: 1446 if len(body) != 0 { 1447 return false 1448 } 1449 m.serverNameAck = true 1450 case extensionSupportedPoints: 1451 // supported_points is illegal in TLS 1.3. 1452 if version >= VersionTLS13 { 1453 return false 1454 } 1455 // http://tools.ietf.org/html/rfc4492#section-5.5.2 1456 if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 { 1457 return false 1458 } 1459 case extensionSupportedCurves: 1460 // The server can only send supported_curves in TLS 1.3. 1461 if version < VersionTLS13 { 1462 return false 1463 } 1464 case extensionQUICTransportParams: 1465 m.quicTransportParams = body 1466 case extensionEarlyData: 1467 if version < VersionTLS13 || len(body) != 0 { 1468 return false 1469 } 1470 m.hasEarlyData = true 1471 default: 1472 // Unknown extensions are illegal from the server. 1473 return false 1474 } 1475 } 1476 1477 return true 1478} 1479 1480type helloRetryRequestMsg struct { 1481 raw []byte 1482 vers uint16 1483 isServerHello bool 1484 sessionId []byte 1485 cipherSuite uint16 1486 compressionMethod uint8 1487 hasSelectedGroup bool 1488 selectedGroup CurveID 1489 cookie []byte 1490 customExtension string 1491 duplicateExtensions bool 1492} 1493 1494func (m *helloRetryRequestMsg) marshal() []byte { 1495 if m.raw != nil { 1496 return m.raw 1497 } 1498 1499 retryRequestMsg := newByteBuilder() 1500 retryRequestMsg.addU8(typeServerHello) 1501 retryRequest := retryRequestMsg.addU24LengthPrefixed() 1502 retryRequest.addU16(VersionTLS12) 1503 retryRequest.addBytes(tls13HelloRetryRequest) 1504 sessionId := retryRequest.addU8LengthPrefixed() 1505 sessionId.addBytes(m.sessionId) 1506 retryRequest.addU16(m.cipherSuite) 1507 retryRequest.addU8(m.compressionMethod) 1508 1509 extensions := retryRequest.addU16LengthPrefixed() 1510 1511 count := 1 1512 if m.duplicateExtensions { 1513 count = 2 1514 } 1515 1516 for i := 0; i < count; i++ { 1517 extensions.addU16(extensionSupportedVersions) 1518 extensions.addU16(2) // Length 1519 extensions.addU16(m.vers) 1520 if m.hasSelectedGroup { 1521 extensions.addU16(extensionKeyShare) 1522 extensions.addU16(2) // length 1523 extensions.addU16(uint16(m.selectedGroup)) 1524 } 1525 // m.cookie may be a non-nil empty slice for empty cookie tests. 1526 if m.cookie != nil { 1527 extensions.addU16(extensionCookie) 1528 body := extensions.addU16LengthPrefixed() 1529 body.addU16LengthPrefixed().addBytes(m.cookie) 1530 } 1531 if len(m.customExtension) > 0 { 1532 extensions.addU16(extensionCustom) 1533 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 1534 } 1535 } 1536 1537 m.raw = retryRequestMsg.finish() 1538 return m.raw 1539} 1540 1541func (m *helloRetryRequestMsg) unmarshal(data []byte) bool { 1542 m.raw = data 1543 reader := byteReader(data[4:]) 1544 if !reader.readU16(&m.vers) { 1545 return false 1546 } 1547 if m.isServerHello { 1548 var random []byte 1549 var compressionMethod byte 1550 if !reader.readBytes(&random, 32) || 1551 !reader.readU8LengthPrefixedBytes(&m.sessionId) || 1552 !reader.readU16(&m.cipherSuite) || 1553 !reader.readU8(&compressionMethod) || 1554 compressionMethod != 0 { 1555 return false 1556 } 1557 } else if !reader.readU16(&m.cipherSuite) { 1558 return false 1559 } 1560 var extensions byteReader 1561 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1562 return false 1563 } 1564 extensionsCopy := extensions 1565 for len(extensionsCopy) > 0 { 1566 var extension uint16 1567 var body byteReader 1568 if !extensionsCopy.readU16(&extension) || 1569 !extensionsCopy.readU16LengthPrefixed(&body) { 1570 return false 1571 } 1572 switch extension { 1573 case extensionSupportedVersions: 1574 if !m.isServerHello || 1575 !body.readU16(&m.vers) || 1576 len(body) != 0 { 1577 return false 1578 } 1579 default: 1580 } 1581 } 1582 for len(extensions) > 0 { 1583 var extension uint16 1584 var body byteReader 1585 if !extensions.readU16(&extension) || 1586 !extensions.readU16LengthPrefixed(&body) { 1587 return false 1588 } 1589 switch extension { 1590 case extensionSupportedVersions: 1591 // Parsed above. 1592 case extensionKeyShare: 1593 var v uint16 1594 if !body.readU16(&v) || len(body) != 0 { 1595 return false 1596 } 1597 m.hasSelectedGroup = true 1598 m.selectedGroup = CurveID(v) 1599 case extensionCookie: 1600 if !body.readU16LengthPrefixedBytes(&m.cookie) || len(body) != 0 { 1601 return false 1602 } 1603 default: 1604 // Unknown extensions are illegal from the server. 1605 return false 1606 } 1607 } 1608 return true 1609} 1610 1611type certificateEntry struct { 1612 data []byte 1613 ocspResponse []byte 1614 sctList []byte 1615 duplicateExtensions bool 1616 extraExtension []byte 1617 delegatedCredential *delegatedCredential 1618} 1619 1620type delegatedCredential struct { 1621 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1622 signedBytes []byte 1623 lifetimeSecs uint32 1624 expectedCertVerifyAlgo signatureAlgorithm 1625 pkixPublicKey []byte 1626 algorithm signatureAlgorithm 1627 signature []byte 1628} 1629 1630type certificateMsg struct { 1631 raw []byte 1632 hasRequestContext bool 1633 requestContext []byte 1634 certificates []certificateEntry 1635} 1636 1637func (m *certificateMsg) marshal() (x []byte) { 1638 if m.raw != nil { 1639 return m.raw 1640 } 1641 1642 certMsg := newByteBuilder() 1643 certMsg.addU8(typeCertificate) 1644 certificate := certMsg.addU24LengthPrefixed() 1645 if m.hasRequestContext { 1646 context := certificate.addU8LengthPrefixed() 1647 context.addBytes(m.requestContext) 1648 } 1649 certificateList := certificate.addU24LengthPrefixed() 1650 for _, cert := range m.certificates { 1651 certEntry := certificateList.addU24LengthPrefixed() 1652 certEntry.addBytes(cert.data) 1653 if m.hasRequestContext { 1654 extensions := certificateList.addU16LengthPrefixed() 1655 count := 1 1656 if cert.duplicateExtensions { 1657 count = 2 1658 } 1659 1660 for i := 0; i < count; i++ { 1661 if cert.ocspResponse != nil { 1662 extensions.addU16(extensionStatusRequest) 1663 body := extensions.addU16LengthPrefixed() 1664 body.addU8(statusTypeOCSP) 1665 response := body.addU24LengthPrefixed() 1666 response.addBytes(cert.ocspResponse) 1667 } 1668 1669 if cert.sctList != nil { 1670 extensions.addU16(extensionSignedCertificateTimestamp) 1671 extension := extensions.addU16LengthPrefixed() 1672 extension.addBytes(cert.sctList) 1673 } 1674 } 1675 if cert.extraExtension != nil { 1676 extensions.addBytes(cert.extraExtension) 1677 } 1678 } 1679 } 1680 1681 m.raw = certMsg.finish() 1682 return m.raw 1683} 1684 1685func (m *certificateMsg) unmarshal(data []byte) bool { 1686 m.raw = data 1687 reader := byteReader(data[4:]) 1688 1689 if m.hasRequestContext && !reader.readU8LengthPrefixedBytes(&m.requestContext) { 1690 return false 1691 } 1692 1693 var certs byteReader 1694 if !reader.readU24LengthPrefixed(&certs) || len(reader) != 0 { 1695 return false 1696 } 1697 m.certificates = nil 1698 for len(certs) > 0 { 1699 var cert certificateEntry 1700 if !certs.readU24LengthPrefixedBytes(&cert.data) { 1701 return false 1702 } 1703 if m.hasRequestContext { 1704 var extensions byteReader 1705 if !certs.readU16LengthPrefixed(&extensions) || !checkDuplicateExtensions(extensions) { 1706 return false 1707 } 1708 for len(extensions) > 0 { 1709 var extension uint16 1710 var body byteReader 1711 if !extensions.readU16(&extension) || 1712 !extensions.readU16LengthPrefixed(&body) { 1713 return false 1714 } 1715 switch extension { 1716 case extensionStatusRequest: 1717 var statusType byte 1718 if !body.readU8(&statusType) || 1719 statusType != statusTypeOCSP || 1720 !body.readU24LengthPrefixedBytes(&cert.ocspResponse) || 1721 len(body) != 0 { 1722 return false 1723 } 1724 case extensionSignedCertificateTimestamp: 1725 cert.sctList = []byte(body) 1726 case extensionDelegatedCredentials: 1727 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1728 if cert.delegatedCredential != nil { 1729 return false 1730 } 1731 1732 dc := new(delegatedCredential) 1733 origBody := body 1734 var expectedCertVerifyAlgo, algorithm uint16 1735 1736 if !body.readU32(&dc.lifetimeSecs) || 1737 !body.readU16(&expectedCertVerifyAlgo) || 1738 !body.readU24LengthPrefixedBytes(&dc.pkixPublicKey) || 1739 !body.readU16(&algorithm) || 1740 !body.readU16LengthPrefixedBytes(&dc.signature) || 1741 len(body) != 0 { 1742 return false 1743 } 1744 1745 dc.expectedCertVerifyAlgo = signatureAlgorithm(expectedCertVerifyAlgo) 1746 dc.algorithm = signatureAlgorithm(algorithm) 1747 dc.signedBytes = []byte(origBody)[:4+2+3+len(dc.pkixPublicKey)] 1748 cert.delegatedCredential = dc 1749 default: 1750 return false 1751 } 1752 } 1753 } 1754 m.certificates = append(m.certificates, cert) 1755 } 1756 1757 return true 1758} 1759 1760type compressedCertificateMsg struct { 1761 raw []byte 1762 algID uint16 1763 uncompressedLength uint32 1764 compressed []byte 1765} 1766 1767func (m *compressedCertificateMsg) marshal() (x []byte) { 1768 if m.raw != nil { 1769 return m.raw 1770 } 1771 1772 certMsg := newByteBuilder() 1773 certMsg.addU8(typeCompressedCertificate) 1774 certificate := certMsg.addU24LengthPrefixed() 1775 certificate.addU16(m.algID) 1776 certificate.addU24(int(m.uncompressedLength)) 1777 compressed := certificate.addU24LengthPrefixed() 1778 compressed.addBytes(m.compressed) 1779 1780 m.raw = certMsg.finish() 1781 return m.raw 1782} 1783 1784func (m *compressedCertificateMsg) unmarshal(data []byte) bool { 1785 m.raw = data 1786 reader := byteReader(data[4:]) 1787 1788 if !reader.readU16(&m.algID) || 1789 !reader.readU24(&m.uncompressedLength) || 1790 !reader.readU24LengthPrefixedBytes(&m.compressed) || 1791 len(reader) != 0 { 1792 return false 1793 } 1794 1795 if m.uncompressedLength >= 1<<17 { 1796 return false 1797 } 1798 1799 return true 1800} 1801 1802type serverKeyExchangeMsg struct { 1803 raw []byte 1804 key []byte 1805} 1806 1807func (m *serverKeyExchangeMsg) marshal() []byte { 1808 if m.raw != nil { 1809 return m.raw 1810 } 1811 msg := newByteBuilder() 1812 msg.addU8(typeServerKeyExchange) 1813 msg.addU24LengthPrefixed().addBytes(m.key) 1814 m.raw = msg.finish() 1815 return m.raw 1816} 1817 1818func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1819 m.raw = data 1820 if len(data) < 4 { 1821 return false 1822 } 1823 m.key = data[4:] 1824 return true 1825} 1826 1827type certificateStatusMsg struct { 1828 raw []byte 1829 statusType uint8 1830 response []byte 1831} 1832 1833func (m *certificateStatusMsg) marshal() []byte { 1834 if m.raw != nil { 1835 return m.raw 1836 } 1837 1838 var x []byte 1839 if m.statusType == statusTypeOCSP { 1840 msg := newByteBuilder() 1841 msg.addU8(typeCertificateStatus) 1842 body := msg.addU24LengthPrefixed() 1843 body.addU8(statusTypeOCSP) 1844 body.addU24LengthPrefixed().addBytes(m.response) 1845 x = msg.finish() 1846 } else { 1847 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 1848 } 1849 1850 m.raw = x 1851 return x 1852} 1853 1854func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1855 m.raw = data 1856 reader := byteReader(data[4:]) 1857 if !reader.readU8(&m.statusType) || 1858 m.statusType != statusTypeOCSP || 1859 !reader.readU24LengthPrefixedBytes(&m.response) || 1860 len(reader) != 0 { 1861 return false 1862 } 1863 return true 1864} 1865 1866type serverHelloDoneMsg struct{} 1867 1868func (m *serverHelloDoneMsg) marshal() []byte { 1869 x := make([]byte, 4) 1870 x[0] = typeServerHelloDone 1871 return x 1872} 1873 1874func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1875 return len(data) == 4 1876} 1877 1878type clientKeyExchangeMsg struct { 1879 raw []byte 1880 ciphertext []byte 1881} 1882 1883func (m *clientKeyExchangeMsg) marshal() []byte { 1884 if m.raw != nil { 1885 return m.raw 1886 } 1887 msg := newByteBuilder() 1888 msg.addU8(typeClientKeyExchange) 1889 msg.addU24LengthPrefixed().addBytes(m.ciphertext) 1890 m.raw = msg.finish() 1891 return m.raw 1892} 1893 1894func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1895 m.raw = data 1896 if len(data) < 4 { 1897 return false 1898 } 1899 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1900 if l != len(data)-4 { 1901 return false 1902 } 1903 m.ciphertext = data[4:] 1904 return true 1905} 1906 1907type finishedMsg struct { 1908 raw []byte 1909 verifyData []byte 1910} 1911 1912func (m *finishedMsg) marshal() []byte { 1913 if m.raw != nil { 1914 return m.raw 1915 } 1916 1917 msg := newByteBuilder() 1918 msg.addU8(typeFinished) 1919 msg.addU24LengthPrefixed().addBytes(m.verifyData) 1920 m.raw = msg.finish() 1921 return m.raw 1922} 1923 1924func (m *finishedMsg) unmarshal(data []byte) bool { 1925 m.raw = data 1926 if len(data) < 4 { 1927 return false 1928 } 1929 m.verifyData = data[4:] 1930 return true 1931} 1932 1933type nextProtoMsg struct { 1934 raw []byte 1935 proto string 1936} 1937 1938func (m *nextProtoMsg) marshal() []byte { 1939 if m.raw != nil { 1940 return m.raw 1941 } 1942 1943 padding := 32 - (len(m.proto)+2)%32 1944 1945 msg := newByteBuilder() 1946 msg.addU8(typeNextProtocol) 1947 body := msg.addU24LengthPrefixed() 1948 body.addU8LengthPrefixed().addBytes([]byte(m.proto)) 1949 body.addU8LengthPrefixed().addBytes(make([]byte, padding)) 1950 m.raw = msg.finish() 1951 return m.raw 1952} 1953 1954func (m *nextProtoMsg) unmarshal(data []byte) bool { 1955 m.raw = data 1956 reader := byteReader(data[4:]) 1957 var proto, padding []byte 1958 if !reader.readU8LengthPrefixedBytes(&proto) || 1959 !reader.readU8LengthPrefixedBytes(&padding) || 1960 len(reader) != 0 { 1961 return false 1962 } 1963 m.proto = string(proto) 1964 1965 // Padding is not meant to be checked normally, but as this is a testing 1966 // implementation, we check the padding is as expected. 1967 if len(padding) != 32-(len(m.proto)+2)%32 { 1968 return false 1969 } 1970 for _, v := range padding { 1971 if v != 0 { 1972 return false 1973 } 1974 } 1975 1976 return true 1977} 1978 1979type certificateRequestMsg struct { 1980 raw []byte 1981 vers uint16 1982 // hasSignatureAlgorithm indicates whether this message includes a list 1983 // of signature and hash functions. This change was introduced with TLS 1984 // 1.2. 1985 hasSignatureAlgorithm bool 1986 // hasRequestContext indicates whether this message includes a context 1987 // field instead of certificateTypes. This change was introduced with 1988 // TLS 1.3. 1989 hasRequestContext bool 1990 1991 certificateTypes []byte 1992 requestContext []byte 1993 signatureAlgorithms []signatureAlgorithm 1994 signatureAlgorithmsCert []signatureAlgorithm 1995 certificateAuthorities [][]byte 1996 hasCAExtension bool 1997 customExtension uint16 1998} 1999 2000func (m *certificateRequestMsg) marshal() []byte { 2001 if m.raw != nil { 2002 return m.raw 2003 } 2004 2005 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 2006 builder := newByteBuilder() 2007 builder.addU8(typeCertificateRequest) 2008 body := builder.addU24LengthPrefixed() 2009 2010 if m.hasRequestContext { 2011 requestContext := body.addU8LengthPrefixed() 2012 requestContext.addBytes(m.requestContext) 2013 extensions := newByteBuilder() 2014 extensions = body.addU16LengthPrefixed() 2015 if m.hasSignatureAlgorithm { 2016 extensions.addU16(extensionSignatureAlgorithms) 2017 signatureAlgorithms := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 2018 for _, sigAlg := range m.signatureAlgorithms { 2019 signatureAlgorithms.addU16(uint16(sigAlg)) 2020 } 2021 } 2022 if len(m.signatureAlgorithmsCert) > 0 { 2023 extensions.addU16(extensionSignatureAlgorithmsCert) 2024 signatureAlgorithmsCert := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 2025 for _, sigAlg := range m.signatureAlgorithmsCert { 2026 signatureAlgorithmsCert.addU16(uint16(sigAlg)) 2027 } 2028 } 2029 if len(m.certificateAuthorities) > 0 { 2030 extensions.addU16(extensionCertificateAuthorities) 2031 certificateAuthorities := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 2032 for _, ca := range m.certificateAuthorities { 2033 caEntry := certificateAuthorities.addU16LengthPrefixed() 2034 caEntry.addBytes(ca) 2035 } 2036 } 2037 2038 if m.customExtension > 0 { 2039 extensions.addU16(m.customExtension) 2040 extensions.addU16LengthPrefixed() 2041 } 2042 } else { 2043 certificateTypes := body.addU8LengthPrefixed() 2044 certificateTypes.addBytes(m.certificateTypes) 2045 2046 if m.hasSignatureAlgorithm { 2047 signatureAlgorithms := body.addU16LengthPrefixed() 2048 for _, sigAlg := range m.signatureAlgorithms { 2049 signatureAlgorithms.addU16(uint16(sigAlg)) 2050 } 2051 } 2052 2053 certificateAuthorities := body.addU16LengthPrefixed() 2054 for _, ca := range m.certificateAuthorities { 2055 caEntry := certificateAuthorities.addU16LengthPrefixed() 2056 caEntry.addBytes(ca) 2057 } 2058 } 2059 2060 m.raw = builder.finish() 2061 return m.raw 2062} 2063 2064func parseCAs(reader *byteReader, out *[][]byte) bool { 2065 var cas byteReader 2066 if !reader.readU16LengthPrefixed(&cas) { 2067 return false 2068 } 2069 for len(cas) > 0 { 2070 var ca []byte 2071 if !cas.readU16LengthPrefixedBytes(&ca) { 2072 return false 2073 } 2074 *out = append(*out, ca) 2075 } 2076 return true 2077} 2078 2079func (m *certificateRequestMsg) unmarshal(data []byte) bool { 2080 m.raw = data 2081 reader := byteReader(data[4:]) 2082 2083 if m.hasRequestContext { 2084 var extensions byteReader 2085 if !reader.readU8LengthPrefixedBytes(&m.requestContext) || 2086 !reader.readU16LengthPrefixed(&extensions) || 2087 len(reader) != 0 || 2088 !checkDuplicateExtensions(extensions) { 2089 return false 2090 } 2091 for len(extensions) > 0 { 2092 var extension uint16 2093 var body byteReader 2094 if !extensions.readU16(&extension) || 2095 !extensions.readU16LengthPrefixed(&body) { 2096 return false 2097 } 2098 switch extension { 2099 case extensionSignatureAlgorithms: 2100 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms, false) || len(body) != 0 { 2101 return false 2102 } 2103 case extensionSignatureAlgorithmsCert: 2104 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithmsCert, false) || len(body) != 0 { 2105 return false 2106 } 2107 case extensionCertificateAuthorities: 2108 if !parseCAs(&body, &m.certificateAuthorities) || len(body) != 0 { 2109 return false 2110 } 2111 m.hasCAExtension = true 2112 } 2113 } 2114 } else { 2115 if !reader.readU8LengthPrefixedBytes(&m.certificateTypes) { 2116 return false 2117 } 2118 // In TLS 1.2, the supported_signature_algorithms field in 2119 // CertificateRequest may be empty. 2120 if m.hasSignatureAlgorithm && !parseSignatureAlgorithms(&reader, &m.signatureAlgorithms, true) { 2121 return false 2122 } 2123 if !parseCAs(&reader, &m.certificateAuthorities) || 2124 len(reader) != 0 { 2125 return false 2126 } 2127 } 2128 2129 return true 2130} 2131 2132type certificateVerifyMsg struct { 2133 raw []byte 2134 hasSignatureAlgorithm bool 2135 signatureAlgorithm signatureAlgorithm 2136 signature []byte 2137} 2138 2139func (m *certificateVerifyMsg) marshal() (x []byte) { 2140 if m.raw != nil { 2141 return m.raw 2142 } 2143 2144 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 2145 siglength := len(m.signature) 2146 length := 2 + siglength 2147 if m.hasSignatureAlgorithm { 2148 length += 2 2149 } 2150 x = make([]byte, 4+length) 2151 x[0] = typeCertificateVerify 2152 x[1] = uint8(length >> 16) 2153 x[2] = uint8(length >> 8) 2154 x[3] = uint8(length) 2155 y := x[4:] 2156 if m.hasSignatureAlgorithm { 2157 y[0] = byte(m.signatureAlgorithm >> 8) 2158 y[1] = byte(m.signatureAlgorithm) 2159 y = y[2:] 2160 } 2161 y[0] = uint8(siglength >> 8) 2162 y[1] = uint8(siglength) 2163 copy(y[2:], m.signature) 2164 2165 m.raw = x 2166 2167 return 2168} 2169 2170func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2171 m.raw = data 2172 2173 if len(data) < 6 { 2174 return false 2175 } 2176 2177 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2178 if uint32(len(data))-4 != length { 2179 return false 2180 } 2181 2182 data = data[4:] 2183 if m.hasSignatureAlgorithm { 2184 m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1]) 2185 data = data[2:] 2186 } 2187 2188 if len(data) < 2 { 2189 return false 2190 } 2191 siglength := int(data[0])<<8 + int(data[1]) 2192 data = data[2:] 2193 if len(data) != siglength { 2194 return false 2195 } 2196 2197 m.signature = data 2198 2199 return true 2200} 2201 2202type newSessionTicketMsg struct { 2203 raw []byte 2204 vers uint16 2205 isDTLS bool 2206 ticketLifetime uint32 2207 ticketAgeAdd uint32 2208 ticketNonce []byte 2209 ticket []byte 2210 maxEarlyDataSize uint32 2211 customExtension string 2212 duplicateEarlyDataExtension bool 2213 hasGREASEExtension bool 2214} 2215 2216func (m *newSessionTicketMsg) marshal() []byte { 2217 if m.raw != nil { 2218 return m.raw 2219 } 2220 2221 version, ok := wireToVersion(m.vers, m.isDTLS) 2222 if !ok { 2223 panic("unknown version") 2224 } 2225 2226 // See http://tools.ietf.org/html/rfc5077#section-3.3 2227 ticketMsg := newByteBuilder() 2228 ticketMsg.addU8(typeNewSessionTicket) 2229 body := ticketMsg.addU24LengthPrefixed() 2230 body.addU32(m.ticketLifetime) 2231 if version >= VersionTLS13 { 2232 body.addU32(m.ticketAgeAdd) 2233 body.addU8LengthPrefixed().addBytes(m.ticketNonce) 2234 } 2235 2236 ticket := body.addU16LengthPrefixed() 2237 ticket.addBytes(m.ticket) 2238 2239 if version >= VersionTLS13 { 2240 extensions := body.addU16LengthPrefixed() 2241 if m.maxEarlyDataSize > 0 { 2242 extensions.addU16(extensionEarlyData) 2243 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2244 if m.duplicateEarlyDataExtension { 2245 extensions.addU16(extensionEarlyData) 2246 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2247 } 2248 } 2249 if len(m.customExtension) > 0 { 2250 extensions.addU16(extensionCustom) 2251 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 2252 } 2253 } 2254 2255 m.raw = ticketMsg.finish() 2256 return m.raw 2257} 2258 2259func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2260 m.raw = data 2261 2262 version, ok := wireToVersion(m.vers, m.isDTLS) 2263 if !ok { 2264 panic("unknown version") 2265 } 2266 2267 if len(data) < 8 { 2268 return false 2269 } 2270 m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 2271 data = data[8:] 2272 2273 if version >= VersionTLS13 { 2274 if len(data) < 4 { 2275 return false 2276 } 2277 m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2278 data = data[4:] 2279 nonceLen := int(data[0]) 2280 data = data[1:] 2281 if len(data) < nonceLen { 2282 return false 2283 } 2284 m.ticketNonce = data[:nonceLen] 2285 data = data[nonceLen:] 2286 } 2287 2288 if len(data) < 2 { 2289 return false 2290 } 2291 ticketLen := int(data[0])<<8 + int(data[1]) 2292 data = data[2:] 2293 if len(data) < ticketLen { 2294 return false 2295 } 2296 2297 if version >= VersionTLS13 && ticketLen == 0 { 2298 return false 2299 } 2300 2301 m.ticket = data[:ticketLen] 2302 data = data[ticketLen:] 2303 2304 if version >= VersionTLS13 { 2305 if len(data) < 2 { 2306 return false 2307 } 2308 2309 extensionsLength := int(data[0])<<8 | int(data[1]) 2310 data = data[2:] 2311 if extensionsLength != len(data) { 2312 return false 2313 } 2314 2315 for len(data) != 0 { 2316 if len(data) < 4 { 2317 return false 2318 } 2319 extension := uint16(data[0])<<8 | uint16(data[1]) 2320 length := int(data[2])<<8 | int(data[3]) 2321 data = data[4:] 2322 if len(data) < length { 2323 return false 2324 } 2325 2326 switch extension { 2327 case extensionEarlyData: 2328 if length != 4 { 2329 return false 2330 } 2331 m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2332 default: 2333 if isGREASEValue(extension) { 2334 m.hasGREASEExtension = true 2335 } 2336 } 2337 2338 data = data[length:] 2339 } 2340 } 2341 2342 if len(data) > 0 { 2343 return false 2344 } 2345 2346 return true 2347} 2348 2349type v2ClientHelloMsg struct { 2350 raw []byte 2351 vers uint16 2352 cipherSuites []uint16 2353 sessionId []byte 2354 challenge []byte 2355} 2356 2357func (m *v2ClientHelloMsg) marshal() []byte { 2358 if m.raw != nil { 2359 return m.raw 2360 } 2361 2362 length := 1 + 2 + 2 + 2 + 2 + len(m.cipherSuites)*3 + len(m.sessionId) + len(m.challenge) 2363 2364 x := make([]byte, length) 2365 x[0] = 1 2366 x[1] = uint8(m.vers >> 8) 2367 x[2] = uint8(m.vers) 2368 x[3] = uint8((len(m.cipherSuites) * 3) >> 8) 2369 x[4] = uint8(len(m.cipherSuites) * 3) 2370 x[5] = uint8(len(m.sessionId) >> 8) 2371 x[6] = uint8(len(m.sessionId)) 2372 x[7] = uint8(len(m.challenge) >> 8) 2373 x[8] = uint8(len(m.challenge)) 2374 y := x[9:] 2375 for i, spec := range m.cipherSuites { 2376 y[i*3] = 0 2377 y[i*3+1] = uint8(spec >> 8) 2378 y[i*3+2] = uint8(spec) 2379 } 2380 y = y[len(m.cipherSuites)*3:] 2381 copy(y, m.sessionId) 2382 y = y[len(m.sessionId):] 2383 copy(y, m.challenge) 2384 2385 m.raw = x 2386 2387 return x 2388} 2389 2390type helloVerifyRequestMsg struct { 2391 raw []byte 2392 vers uint16 2393 cookie []byte 2394} 2395 2396func (m *helloVerifyRequestMsg) marshal() []byte { 2397 if m.raw != nil { 2398 return m.raw 2399 } 2400 2401 length := 2 + 1 + len(m.cookie) 2402 2403 x := make([]byte, 4+length) 2404 x[0] = typeHelloVerifyRequest 2405 x[1] = uint8(length >> 16) 2406 x[2] = uint8(length >> 8) 2407 x[3] = uint8(length) 2408 vers := m.vers 2409 x[4] = uint8(vers >> 8) 2410 x[5] = uint8(vers) 2411 x[6] = uint8(len(m.cookie)) 2412 copy(x[7:7+len(m.cookie)], m.cookie) 2413 2414 return x 2415} 2416 2417func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool { 2418 if len(data) < 4+2+1 { 2419 return false 2420 } 2421 m.raw = data 2422 m.vers = uint16(data[4])<<8 | uint16(data[5]) 2423 cookieLen := int(data[6]) 2424 if cookieLen > 32 || len(data) != 7+cookieLen { 2425 return false 2426 } 2427 m.cookie = data[7 : 7+cookieLen] 2428 2429 return true 2430} 2431 2432type channelIDMsg struct { 2433 raw []byte 2434 channelID []byte 2435} 2436 2437func (m *channelIDMsg) marshal() []byte { 2438 if m.raw != nil { 2439 return m.raw 2440 } 2441 2442 length := 2 + 2 + len(m.channelID) 2443 2444 x := make([]byte, 4+length) 2445 x[0] = typeChannelID 2446 x[1] = uint8(length >> 16) 2447 x[2] = uint8(length >> 8) 2448 x[3] = uint8(length) 2449 x[4] = uint8(extensionChannelID >> 8) 2450 x[5] = uint8(extensionChannelID & 0xff) 2451 x[6] = uint8(len(m.channelID) >> 8) 2452 x[7] = uint8(len(m.channelID) & 0xff) 2453 copy(x[8:], m.channelID) 2454 2455 return x 2456} 2457 2458func (m *channelIDMsg) unmarshal(data []byte) bool { 2459 if len(data) != 4+2+2+128 { 2460 return false 2461 } 2462 m.raw = data 2463 if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID { 2464 return false 2465 } 2466 if int(data[6])<<8|int(data[7]) != 128 { 2467 return false 2468 } 2469 m.channelID = data[4+2+2:] 2470 2471 return true 2472} 2473 2474type helloRequestMsg struct { 2475} 2476 2477func (*helloRequestMsg) marshal() []byte { 2478 return []byte{typeHelloRequest, 0, 0, 0} 2479} 2480 2481func (*helloRequestMsg) unmarshal(data []byte) bool { 2482 return len(data) == 4 2483} 2484 2485type keyUpdateMsg struct { 2486 raw []byte 2487 keyUpdateRequest byte 2488} 2489 2490func (m *keyUpdateMsg) marshal() []byte { 2491 if m.raw != nil { 2492 return m.raw 2493 } 2494 2495 return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest} 2496} 2497 2498func (m *keyUpdateMsg) unmarshal(data []byte) bool { 2499 m.raw = data 2500 2501 if len(data) != 5 { 2502 return false 2503 } 2504 2505 length := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 2506 if len(data)-4 != length { 2507 return false 2508 } 2509 2510 m.keyUpdateRequest = data[4] 2511 return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested 2512} 2513 2514type endOfEarlyDataMsg struct { 2515 nonEmpty bool 2516} 2517 2518func (m *endOfEarlyDataMsg) marshal() []byte { 2519 if m.nonEmpty { 2520 return []byte{typeEndOfEarlyData, 0, 0, 1, 42} 2521 } 2522 return []byte{typeEndOfEarlyData, 0, 0, 0} 2523} 2524 2525func (*endOfEarlyDataMsg) unmarshal(data []byte) bool { 2526 return len(data) == 4 2527} 2528 2529// ssl3NoCertificateMsg is a dummy message to handle SSL 3.0 using a warning 2530// alert in the handshake. 2531type ssl3NoCertificateMsg struct{} 2532 2533func eqUint16s(x, y []uint16) bool { 2534 if len(x) != len(y) { 2535 return false 2536 } 2537 for i, v := range x { 2538 if y[i] != v { 2539 return false 2540 } 2541 } 2542 return true 2543} 2544 2545func eqCurveIDs(x, y []CurveID) bool { 2546 if len(x) != len(y) { 2547 return false 2548 } 2549 for i, v := range x { 2550 if y[i] != v { 2551 return false 2552 } 2553 } 2554 return true 2555} 2556 2557func eqStrings(x, y []string) bool { 2558 if len(x) != len(y) { 2559 return false 2560 } 2561 for i, v := range x { 2562 if y[i] != v { 2563 return false 2564 } 2565 } 2566 return true 2567} 2568 2569func eqByteSlices(x, y [][]byte) bool { 2570 if len(x) != len(y) { 2571 return false 2572 } 2573 for i, v := range x { 2574 if !bytes.Equal(v, y[i]) { 2575 return false 2576 } 2577 } 2578 return true 2579} 2580 2581func eqSignatureAlgorithms(x, y []signatureAlgorithm) bool { 2582 if len(x) != len(y) { 2583 return false 2584 } 2585 for i, v := range x { 2586 v2 := y[i] 2587 if v != v2 { 2588 return false 2589 } 2590 } 2591 return true 2592} 2593 2594func eqKeyShareEntryLists(x, y []keyShareEntry) bool { 2595 if len(x) != len(y) { 2596 return false 2597 } 2598 for i, v := range x { 2599 if y[i].group != v.group || !bytes.Equal(y[i].keyExchange, v.keyExchange) { 2600 return false 2601 } 2602 } 2603 return true 2604 2605} 2606 2607func eqPSKIdentityLists(x, y []pskIdentity) bool { 2608 if len(x) != len(y) { 2609 return false 2610 } 2611 for i, v := range x { 2612 if !bytes.Equal(y[i].ticket, v.ticket) || y[i].obfuscatedTicketAge != v.obfuscatedTicketAge { 2613 return false 2614 } 2615 } 2616 return true 2617 2618} 2619