1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "encoding/binary" 10 "fmt" 11) 12 13func writeLen(buf []byte, v, size int) { 14 for i := 0; i < size; i++ { 15 buf[size-i-1] = byte(v) 16 v >>= 8 17 } 18 if v != 0 { 19 panic("length is too long") 20 } 21} 22 23type byteBuilder struct { 24 buf *[]byte 25 start int 26 prefixLen int 27 child *byteBuilder 28} 29 30func newByteBuilder() *byteBuilder { 31 buf := make([]byte, 0, 32) 32 return &byteBuilder{buf: &buf} 33} 34 35func (bb *byteBuilder) len() int { 36 return len(*bb.buf) - bb.start - bb.prefixLen 37} 38 39func (bb *byteBuilder) data() []byte { 40 bb.flush() 41 return (*bb.buf)[bb.start+bb.prefixLen:] 42} 43 44func (bb *byteBuilder) flush() { 45 if bb.child == nil { 46 return 47 } 48 bb.child.flush() 49 writeLen((*bb.buf)[bb.child.start:], bb.child.len(), bb.child.prefixLen) 50 bb.child = nil 51 return 52} 53 54func (bb *byteBuilder) finish() []byte { 55 bb.flush() 56 return *bb.buf 57} 58 59func (bb *byteBuilder) addU8(u uint8) { 60 bb.flush() 61 *bb.buf = append(*bb.buf, u) 62} 63 64func (bb *byteBuilder) addU16(u uint16) { 65 bb.flush() 66 *bb.buf = append(*bb.buf, byte(u>>8), byte(u)) 67} 68 69func (bb *byteBuilder) addU24(u int) { 70 bb.flush() 71 *bb.buf = append(*bb.buf, byte(u>>16), byte(u>>8), byte(u)) 72} 73 74func (bb *byteBuilder) addU32(u uint32) { 75 bb.flush() 76 *bb.buf = append(*bb.buf, byte(u>>24), byte(u>>16), byte(u>>8), byte(u)) 77} 78 79func (bb *byteBuilder) addU64(u uint64) { 80 bb.flush() 81 var b [8]byte 82 binary.BigEndian.PutUint64(b[:], u) 83 *bb.buf = append(*bb.buf, b[:]...) 84} 85 86func (bb *byteBuilder) addU8LengthPrefixed() *byteBuilder { 87 return bb.createChild(1) 88} 89 90func (bb *byteBuilder) addU16LengthPrefixed() *byteBuilder { 91 return bb.createChild(2) 92} 93 94func (bb *byteBuilder) addU24LengthPrefixed() *byteBuilder { 95 return bb.createChild(3) 96} 97 98func (bb *byteBuilder) addU32LengthPrefixed() *byteBuilder { 99 return bb.createChild(4) 100} 101 102func (bb *byteBuilder) addBytes(b []byte) { 103 bb.flush() 104 *bb.buf = append(*bb.buf, b...) 105} 106 107func (bb *byteBuilder) createChild(lengthPrefixSize int) *byteBuilder { 108 bb.flush() 109 bb.child = &byteBuilder{ 110 buf: bb.buf, 111 start: len(*bb.buf), 112 prefixLen: lengthPrefixSize, 113 } 114 for i := 0; i < lengthPrefixSize; i++ { 115 *bb.buf = append(*bb.buf, 0) 116 } 117 return bb.child 118} 119 120func (bb *byteBuilder) discardChild() { 121 if bb.child == nil { 122 return 123 } 124 *bb.buf = (*bb.buf)[:bb.child.start] 125 bb.child = nil 126} 127 128type keyShareEntry struct { 129 group CurveID 130 keyExchange []byte 131} 132 133type pskIdentity struct { 134 ticket []uint8 135 obfuscatedTicketAge uint32 136} 137 138type clientHelloMsg struct { 139 raw []byte 140 isDTLS bool 141 vers uint16 142 random []byte 143 sessionId []byte 144 cookie []byte 145 cipherSuites []uint16 146 compressionMethods []uint8 147 nextProtoNeg bool 148 serverName string 149 ocspStapling bool 150 supportedCurves []CurveID 151 supportedPoints []uint8 152 hasKeyShares bool 153 keyShares []keyShareEntry 154 trailingKeyShareData bool 155 pskIdentities []pskIdentity 156 pskKEModes []byte 157 pskBinders [][]uint8 158 hasEarlyData bool 159 tls13Cookie []byte 160 ticketSupported bool 161 sessionTicket []uint8 162 signatureAlgorithms []signatureAlgorithm 163 supportedVersions []uint16 164 secureRenegotiation []byte 165 alpnProtocols []string 166 duplicateExtension bool 167 channelIDSupported bool 168 npnAfterAlpn bool 169 extendedMasterSecret bool 170 srtpProtectionProfiles []uint16 171 srtpMasterKeyIdentifier string 172 sctListSupported bool 173 customExtension string 174 hasGREASEExtension bool 175 pskBinderFirst bool 176 omitExtensions bool 177 emptyExtensions bool 178} 179 180func (m *clientHelloMsg) equal(i interface{}) bool { 181 m1, ok := i.(*clientHelloMsg) 182 if !ok { 183 return false 184 } 185 186 return bytes.Equal(m.raw, m1.raw) && 187 m.isDTLS == m1.isDTLS && 188 m.vers == m1.vers && 189 bytes.Equal(m.random, m1.random) && 190 bytes.Equal(m.sessionId, m1.sessionId) && 191 bytes.Equal(m.cookie, m1.cookie) && 192 eqUint16s(m.cipherSuites, m1.cipherSuites) && 193 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 194 m.nextProtoNeg == m1.nextProtoNeg && 195 m.serverName == m1.serverName && 196 m.ocspStapling == m1.ocspStapling && 197 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 198 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 199 m.hasKeyShares == m1.hasKeyShares && 200 eqKeyShareEntryLists(m.keyShares, m1.keyShares) && 201 m.trailingKeyShareData == m1.trailingKeyShareData && 202 eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) && 203 bytes.Equal(m.pskKEModes, m1.pskKEModes) && 204 eqByteSlices(m.pskBinders, m1.pskBinders) && 205 m.hasEarlyData == m1.hasEarlyData && 206 bytes.Equal(m.tls13Cookie, m1.tls13Cookie) && 207 m.ticketSupported == m1.ticketSupported && 208 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 209 eqSignatureAlgorithms(m.signatureAlgorithms, m1.signatureAlgorithms) && 210 eqUint16s(m.supportedVersions, m1.supportedVersions) && 211 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 212 (m.secureRenegotiation == nil) == (m1.secureRenegotiation == nil) && 213 eqStrings(m.alpnProtocols, m1.alpnProtocols) && 214 m.duplicateExtension == m1.duplicateExtension && 215 m.channelIDSupported == m1.channelIDSupported && 216 m.npnAfterAlpn == m1.npnAfterAlpn && 217 m.extendedMasterSecret == m1.extendedMasterSecret && 218 eqUint16s(m.srtpProtectionProfiles, m1.srtpProtectionProfiles) && 219 m.srtpMasterKeyIdentifier == m1.srtpMasterKeyIdentifier && 220 m.sctListSupported == m1.sctListSupported && 221 m.customExtension == m1.customExtension && 222 m.hasGREASEExtension == m1.hasGREASEExtension && 223 m.pskBinderFirst == m1.pskBinderFirst && 224 m.omitExtensions == m1.omitExtensions && 225 m.emptyExtensions == m1.emptyExtensions 226} 227 228func (m *clientHelloMsg) marshal() []byte { 229 if m.raw != nil { 230 return m.raw 231 } 232 233 handshakeMsg := newByteBuilder() 234 handshakeMsg.addU8(typeClientHello) 235 hello := handshakeMsg.addU24LengthPrefixed() 236 hello.addU16(m.vers) 237 hello.addBytes(m.random) 238 sessionId := hello.addU8LengthPrefixed() 239 sessionId.addBytes(m.sessionId) 240 if m.isDTLS { 241 cookie := hello.addU8LengthPrefixed() 242 cookie.addBytes(m.cookie) 243 } 244 cipherSuites := hello.addU16LengthPrefixed() 245 for _, suite := range m.cipherSuites { 246 cipherSuites.addU16(suite) 247 } 248 compressionMethods := hello.addU8LengthPrefixed() 249 compressionMethods.addBytes(m.compressionMethods) 250 251 extensions := hello.addU16LengthPrefixed() 252 if len(m.pskIdentities) > 0 && m.pskBinderFirst { 253 extensions.addU16(extensionPreSharedKey) 254 pskExtension := extensions.addU16LengthPrefixed() 255 256 pskIdentities := pskExtension.addU16LengthPrefixed() 257 for _, psk := range m.pskIdentities { 258 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 259 pskIdentities.addU32(psk.obfuscatedTicketAge) 260 } 261 pskBinders := pskExtension.addU16LengthPrefixed() 262 for _, binder := range m.pskBinders { 263 pskBinders.addU8LengthPrefixed().addBytes(binder) 264 } 265 } 266 if m.duplicateExtension { 267 // Add a duplicate bogus extension at the beginning and end. 268 extensions.addU16(0xffff) 269 extensions.addU16(0) // 0-length for empty extension 270 } 271 if m.nextProtoNeg && !m.npnAfterAlpn { 272 extensions.addU16(extensionNextProtoNeg) 273 extensions.addU16(0) // The length is always 0 274 } 275 if len(m.serverName) > 0 { 276 extensions.addU16(extensionServerName) 277 serverNameList := extensions.addU16LengthPrefixed() 278 279 // RFC 3546, section 3.1 280 // 281 // struct { 282 // NameType name_type; 283 // select (name_type) { 284 // case host_name: HostName; 285 // } name; 286 // } ServerName; 287 // 288 // enum { 289 // host_name(0), (255) 290 // } NameType; 291 // 292 // opaque HostName<1..2^16-1>; 293 // 294 // struct { 295 // ServerName server_name_list<1..2^16-1> 296 // } ServerNameList; 297 298 serverName := serverNameList.addU16LengthPrefixed() 299 serverName.addU8(0) // NameType host_name(0) 300 hostName := serverName.addU16LengthPrefixed() 301 hostName.addBytes([]byte(m.serverName)) 302 } 303 if m.ocspStapling { 304 extensions.addU16(extensionStatusRequest) 305 certificateStatusRequest := extensions.addU16LengthPrefixed() 306 307 // RFC 4366, section 3.6 308 certificateStatusRequest.addU8(1) // OCSP type 309 // Two zero valued uint16s for the two lengths. 310 certificateStatusRequest.addU16(0) // ResponderID length 311 certificateStatusRequest.addU16(0) // Extensions length 312 } 313 if len(m.supportedCurves) > 0 { 314 // http://tools.ietf.org/html/rfc4492#section-5.1.1 315 extensions.addU16(extensionSupportedCurves) 316 supportedCurvesList := extensions.addU16LengthPrefixed() 317 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 318 for _, curve := range m.supportedCurves { 319 supportedCurves.addU16(uint16(curve)) 320 } 321 } 322 if len(m.supportedPoints) > 0 { 323 // http://tools.ietf.org/html/rfc4492#section-5.1.2 324 extensions.addU16(extensionSupportedPoints) 325 supportedPointsList := extensions.addU16LengthPrefixed() 326 supportedPoints := supportedPointsList.addU8LengthPrefixed() 327 supportedPoints.addBytes(m.supportedPoints) 328 } 329 if m.hasKeyShares { 330 extensions.addU16(extensionKeyShare) 331 keyShareList := extensions.addU16LengthPrefixed() 332 333 keyShares := keyShareList.addU16LengthPrefixed() 334 for _, keyShare := range m.keyShares { 335 keyShares.addU16(uint16(keyShare.group)) 336 keyExchange := keyShares.addU16LengthPrefixed() 337 keyExchange.addBytes(keyShare.keyExchange) 338 } 339 340 if m.trailingKeyShareData { 341 keyShares.addU8(0) 342 } 343 } 344 if len(m.pskKEModes) > 0 { 345 extensions.addU16(extensionPSKKeyExchangeModes) 346 pskModesExtension := extensions.addU16LengthPrefixed() 347 pskModesExtension.addU8LengthPrefixed().addBytes(m.pskKEModes) 348 } 349 if m.hasEarlyData { 350 extensions.addU16(extensionEarlyData) 351 extensions.addU16(0) // The length is zero. 352 } 353 if len(m.tls13Cookie) > 0 { 354 extensions.addU16(extensionCookie) 355 body := extensions.addU16LengthPrefixed() 356 body.addU16LengthPrefixed().addBytes(m.tls13Cookie) 357 } 358 if m.ticketSupported { 359 // http://tools.ietf.org/html/rfc5077#section-3.2 360 extensions.addU16(extensionSessionTicket) 361 sessionTicketExtension := extensions.addU16LengthPrefixed() 362 sessionTicketExtension.addBytes(m.sessionTicket) 363 } 364 if len(m.signatureAlgorithms) > 0 { 365 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 366 extensions.addU16(extensionSignatureAlgorithms) 367 signatureAlgorithmsExtension := extensions.addU16LengthPrefixed() 368 signatureAlgorithms := signatureAlgorithmsExtension.addU16LengthPrefixed() 369 for _, sigAlg := range m.signatureAlgorithms { 370 signatureAlgorithms.addU16(uint16(sigAlg)) 371 } 372 } 373 if len(m.supportedVersions) > 0 { 374 extensions.addU16(extensionSupportedVersions) 375 supportedVersionsExtension := extensions.addU16LengthPrefixed() 376 supportedVersions := supportedVersionsExtension.addU8LengthPrefixed() 377 for _, version := range m.supportedVersions { 378 supportedVersions.addU16(uint16(version)) 379 } 380 } 381 if m.secureRenegotiation != nil { 382 extensions.addU16(extensionRenegotiationInfo) 383 secureRenegoExt := extensions.addU16LengthPrefixed() 384 secureRenego := secureRenegoExt.addU8LengthPrefixed() 385 secureRenego.addBytes(m.secureRenegotiation) 386 } 387 if len(m.alpnProtocols) > 0 { 388 // https://tools.ietf.org/html/rfc7301#section-3.1 389 extensions.addU16(extensionALPN) 390 alpnExtension := extensions.addU16LengthPrefixed() 391 392 protocolNameList := alpnExtension.addU16LengthPrefixed() 393 for _, s := range m.alpnProtocols { 394 protocolName := protocolNameList.addU8LengthPrefixed() 395 protocolName.addBytes([]byte(s)) 396 } 397 } 398 if m.channelIDSupported { 399 extensions.addU16(extensionChannelID) 400 extensions.addU16(0) // Length is always 0 401 } 402 if m.nextProtoNeg && m.npnAfterAlpn { 403 extensions.addU16(extensionNextProtoNeg) 404 extensions.addU16(0) // Length is always 0 405 } 406 if m.duplicateExtension { 407 // Add a duplicate bogus extension at the beginning and end. 408 extensions.addU16(0xffff) 409 extensions.addU16(0) 410 } 411 if m.extendedMasterSecret { 412 // https://tools.ietf.org/html/rfc7627 413 extensions.addU16(extensionExtendedMasterSecret) 414 extensions.addU16(0) // Length is always 0 415 } 416 if len(m.srtpProtectionProfiles) > 0 { 417 // https://tools.ietf.org/html/rfc5764#section-4.1.1 418 extensions.addU16(extensionUseSRTP) 419 useSrtpExt := extensions.addU16LengthPrefixed() 420 421 srtpProtectionProfiles := useSrtpExt.addU16LengthPrefixed() 422 for _, p := range m.srtpProtectionProfiles { 423 // An SRTPProtectionProfile is defined as uint8[2], 424 // not uint16. For some reason, we're storing it 425 // as a uint16. 426 srtpProtectionProfiles.addU8(byte(p >> 8)) 427 srtpProtectionProfiles.addU8(byte(p)) 428 } 429 srtpMki := useSrtpExt.addU8LengthPrefixed() 430 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 431 } 432 if m.sctListSupported { 433 extensions.addU16(extensionSignedCertificateTimestamp) 434 extensions.addU16(0) // Length is always 0 435 } 436 if l := len(m.customExtension); l > 0 { 437 extensions.addU16(extensionCustom) 438 customExt := extensions.addU16LengthPrefixed() 439 customExt.addBytes([]byte(m.customExtension)) 440 } 441 // The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6). 442 if len(m.pskIdentities) > 0 && !m.pskBinderFirst { 443 extensions.addU16(extensionPreSharedKey) 444 pskExtension := extensions.addU16LengthPrefixed() 445 446 pskIdentities := pskExtension.addU16LengthPrefixed() 447 for _, psk := range m.pskIdentities { 448 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 449 pskIdentities.addU32(psk.obfuscatedTicketAge) 450 } 451 pskBinders := pskExtension.addU16LengthPrefixed() 452 for _, binder := range m.pskBinders { 453 pskBinders.addU8LengthPrefixed().addBytes(binder) 454 } 455 } 456 457 if m.omitExtensions || m.emptyExtensions { 458 // Silently erase any extensions which were sent. 459 hello.discardChild() 460 if m.emptyExtensions { 461 hello.addU16(0) 462 } 463 } 464 465 m.raw = handshakeMsg.finish() 466 return m.raw 467} 468 469func (m *clientHelloMsg) unmarshal(data []byte) bool { 470 if len(data) < 42 { 471 return false 472 } 473 m.raw = data 474 m.vers = uint16(data[4])<<8 | uint16(data[5]) 475 m.random = data[6:38] 476 sessionIdLen := int(data[38]) 477 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 478 return false 479 } 480 m.sessionId = data[39 : 39+sessionIdLen] 481 data = data[39+sessionIdLen:] 482 if m.isDTLS { 483 if len(data) < 1 { 484 return false 485 } 486 cookieLen := int(data[0]) 487 if cookieLen > 32 || len(data) < 1+cookieLen { 488 return false 489 } 490 m.cookie = data[1 : 1+cookieLen] 491 data = data[1+cookieLen:] 492 } 493 if len(data) < 2 { 494 return false 495 } 496 // cipherSuiteLen is the number of bytes of cipher suite numbers. Since 497 // they are uint16s, the number must be even. 498 cipherSuiteLen := int(data[0])<<8 | int(data[1]) 499 if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen { 500 return false 501 } 502 numCipherSuites := cipherSuiteLen / 2 503 m.cipherSuites = make([]uint16, numCipherSuites) 504 for i := 0; i < numCipherSuites; i++ { 505 m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i]) 506 if m.cipherSuites[i] == scsvRenegotiation { 507 m.secureRenegotiation = []byte{} 508 } 509 } 510 data = data[2+cipherSuiteLen:] 511 if len(data) < 1 { 512 return false 513 } 514 compressionMethodsLen := int(data[0]) 515 if len(data) < 1+compressionMethodsLen { 516 return false 517 } 518 m.compressionMethods = data[1 : 1+compressionMethodsLen] 519 520 data = data[1+compressionMethodsLen:] 521 522 m.nextProtoNeg = false 523 m.serverName = "" 524 m.ocspStapling = false 525 m.keyShares = nil 526 m.pskIdentities = nil 527 m.hasEarlyData = false 528 m.ticketSupported = false 529 m.sessionTicket = nil 530 m.signatureAlgorithms = nil 531 m.supportedVersions = nil 532 m.alpnProtocols = nil 533 m.extendedMasterSecret = false 534 m.customExtension = "" 535 536 if len(data) == 0 { 537 // ClientHello is optionally followed by extension data 538 return true 539 } 540 if len(data) < 2 { 541 return false 542 } 543 544 extensionsLength := int(data[0])<<8 | int(data[1]) 545 data = data[2:] 546 if extensionsLength != len(data) { 547 return false 548 } 549 550 for len(data) != 0 { 551 if len(data) < 4 { 552 return false 553 } 554 extension := uint16(data[0])<<8 | uint16(data[1]) 555 length := int(data[2])<<8 | int(data[3]) 556 data = data[4:] 557 if len(data) < length { 558 return false 559 } 560 561 switch extension { 562 case extensionServerName: 563 if length < 2 { 564 return false 565 } 566 numNames := int(data[0])<<8 | int(data[1]) 567 d := data[2:] 568 for i := 0; i < numNames; i++ { 569 if len(d) < 3 { 570 return false 571 } 572 nameType := d[0] 573 nameLen := int(d[1])<<8 | int(d[2]) 574 d = d[3:] 575 if len(d) < nameLen { 576 return false 577 } 578 if nameType == 0 { 579 m.serverName = string(d[0:nameLen]) 580 break 581 } 582 d = d[nameLen:] 583 } 584 case extensionNextProtoNeg: 585 if length > 0 { 586 return false 587 } 588 m.nextProtoNeg = true 589 case extensionStatusRequest: 590 m.ocspStapling = length > 0 && data[0] == statusTypeOCSP 591 case extensionSupportedCurves: 592 // http://tools.ietf.org/html/rfc4492#section-5.5.1 593 if length < 2 { 594 return false 595 } 596 l := int(data[0])<<8 | int(data[1]) 597 if l%2 == 1 || length != l+2 { 598 return false 599 } 600 numCurves := l / 2 601 m.supportedCurves = make([]CurveID, numCurves) 602 d := data[2:] 603 for i := 0; i < numCurves; i++ { 604 m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1]) 605 d = d[2:] 606 } 607 case extensionSupportedPoints: 608 // http://tools.ietf.org/html/rfc4492#section-5.5.2 609 if length < 1 { 610 return false 611 } 612 l := int(data[0]) 613 if length != l+1 { 614 return false 615 } 616 m.supportedPoints = data[1 : 1+l] 617 case extensionSessionTicket: 618 // http://tools.ietf.org/html/rfc5077#section-3.2 619 m.ticketSupported = true 620 m.sessionTicket = data[:length] 621 case extensionKeyShare: 622 // draft-ietf-tls-tls13 section 6.3.2.3 623 if length < 2 { 624 return false 625 } 626 l := int(data[0])<<8 | int(data[1]) 627 if l != length-2 { 628 return false 629 } 630 d := data[2:length] 631 m.hasKeyShares = true 632 for len(d) > 0 { 633 // The next KeyShareEntry contains a NamedGroup (2 bytes) and a 634 // key_exchange (2-byte length prefix with at least 1 byte of content). 635 if len(d) < 5 { 636 return false 637 } 638 entry := keyShareEntry{} 639 entry.group = CurveID(d[0])<<8 | CurveID(d[1]) 640 keyExchLen := int(d[2])<<8 | int(d[3]) 641 d = d[4:] 642 if len(d) < keyExchLen { 643 return false 644 } 645 entry.keyExchange = d[:keyExchLen] 646 d = d[keyExchLen:] 647 m.keyShares = append(m.keyShares, entry) 648 } 649 case extensionPreSharedKey: 650 // draft-ietf-tls-tls13-18 section 4.2.6 651 if length < 2 { 652 return false 653 } 654 l := int(data[0])<<8 | int(data[1]) 655 d := data[2 : l+2] 656 // Parse PSK identities. 657 for len(d) > 0 { 658 if len(d) < 2 { 659 return false 660 } 661 pskLen := int(d[0])<<8 | int(d[1]) 662 d = d[2:] 663 664 if len(d) < pskLen+4 { 665 return false 666 } 667 ticket := d[:pskLen] 668 obfuscatedTicketAge := uint32(d[pskLen])<<24 | uint32(d[pskLen+1])<<16 | uint32(d[pskLen+2])<<8 | uint32(d[pskLen+3]) 669 psk := pskIdentity{ 670 ticket: ticket, 671 obfuscatedTicketAge: obfuscatedTicketAge, 672 } 673 m.pskIdentities = append(m.pskIdentities, psk) 674 d = d[pskLen+4:] 675 } 676 d = data[l+2:] 677 if len(d) < 2 { 678 return false 679 } 680 l = int(d[0])<<8 | int(d[1]) 681 d = d[2:] 682 if l != len(d) { 683 return false 684 } 685 // Parse PSK binders. 686 for len(d) > 0 { 687 if len(d) < 1 { 688 return false 689 } 690 binderLen := int(d[0]) 691 d = d[1:] 692 if binderLen > len(d) { 693 return false 694 } 695 m.pskBinders = append(m.pskBinders, d[:binderLen]) 696 d = d[binderLen:] 697 } 698 699 // There must be the same number of identities as binders. 700 if len(m.pskIdentities) != len(m.pskBinders) { 701 return false 702 } 703 case extensionPSKKeyExchangeModes: 704 // draft-ietf-tls-tls13-18 section 4.2.7 705 if length < 1 { 706 return false 707 } 708 l := int(data[0]) 709 if l != length-1 { 710 return false 711 } 712 m.pskKEModes = data[1:length] 713 case extensionEarlyData: 714 // draft-ietf-tls-tls13 section 6.3.2.5 715 if length != 0 { 716 return false 717 } 718 m.hasEarlyData = true 719 case extensionCookie: 720 if length < 2 { 721 return false 722 } 723 l := int(data[0])<<8 | int(data[1]) 724 if l != length-2 || l == 0 { 725 return false 726 } 727 m.tls13Cookie = data[2 : 2+l] 728 case extensionSignatureAlgorithms: 729 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 730 if length < 2 || length&1 != 0 { 731 return false 732 } 733 l := int(data[0])<<8 | int(data[1]) 734 if l != length-2 { 735 return false 736 } 737 n := l / 2 738 d := data[2:] 739 m.signatureAlgorithms = make([]signatureAlgorithm, n) 740 for i := range m.signatureAlgorithms { 741 m.signatureAlgorithms[i] = signatureAlgorithm(d[0])<<8 | signatureAlgorithm(d[1]) 742 d = d[2:] 743 } 744 case extensionSupportedVersions: 745 if length < 1+2 { 746 return false 747 } 748 l := int(data[0]) 749 if l != length-1 || l%2 == 1 || l < 2 { 750 return false 751 } 752 n := l / 2 753 d := data[1:] 754 m.supportedVersions = make([]uint16, n) 755 for i := range m.supportedVersions { 756 m.supportedVersions[i] = uint16(d[0])<<8 | uint16(d[1]) 757 d = d[2:] 758 } 759 case extensionRenegotiationInfo: 760 if length < 1 || length != int(data[0])+1 { 761 return false 762 } 763 m.secureRenegotiation = data[1:length] 764 case extensionALPN: 765 if length < 2 { 766 return false 767 } 768 l := int(data[0])<<8 | int(data[1]) 769 if l != length-2 { 770 return false 771 } 772 d := data[2:length] 773 for len(d) != 0 { 774 stringLen := int(d[0]) 775 d = d[1:] 776 if stringLen == 0 || stringLen > len(d) { 777 return false 778 } 779 m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen])) 780 d = d[stringLen:] 781 } 782 case extensionChannelID: 783 if length > 0 { 784 return false 785 } 786 m.channelIDSupported = true 787 case extensionExtendedMasterSecret: 788 if length != 0 { 789 return false 790 } 791 m.extendedMasterSecret = true 792 case extensionUseSRTP: 793 if length < 2 { 794 return false 795 } 796 l := int(data[0])<<8 | int(data[1]) 797 if l > length-2 || l%2 != 0 { 798 return false 799 } 800 n := l / 2 801 m.srtpProtectionProfiles = make([]uint16, n) 802 d := data[2:length] 803 for i := 0; i < n; i++ { 804 m.srtpProtectionProfiles[i] = uint16(d[0])<<8 | uint16(d[1]) 805 d = d[2:] 806 } 807 if len(d) < 1 || int(d[0]) != len(d)-1 { 808 return false 809 } 810 m.srtpMasterKeyIdentifier = string(d[1:]) 811 case extensionSignedCertificateTimestamp: 812 if length != 0 { 813 return false 814 } 815 m.sctListSupported = true 816 case extensionCustom: 817 m.customExtension = string(data[:length]) 818 } 819 data = data[length:] 820 821 if isGREASEValue(extension) { 822 m.hasGREASEExtension = true 823 } 824 } 825 826 return true 827} 828 829type serverHelloMsg struct { 830 raw []byte 831 isDTLS bool 832 vers uint16 833 versOverride uint16 834 supportedVersOverride uint16 835 random []byte 836 sessionId []byte 837 cipherSuite uint16 838 hasKeyShare bool 839 keyShare keyShareEntry 840 hasPSKIdentity bool 841 pskIdentity uint16 842 compressionMethod uint8 843 customExtension string 844 unencryptedALPN string 845 omitExtensions bool 846 emptyExtensions bool 847 extensions serverExtensions 848} 849 850func (m *serverHelloMsg) marshal() []byte { 851 if m.raw != nil { 852 return m.raw 853 } 854 855 handshakeMsg := newByteBuilder() 856 handshakeMsg.addU8(typeServerHello) 857 hello := handshakeMsg.addU24LengthPrefixed() 858 859 // m.vers is used both to determine the format of the rest of the 860 // ServerHello and to override the value, so include a second version 861 // field. 862 vers, ok := wireToVersion(m.vers, m.isDTLS) 863 if !ok { 864 panic("unknown version") 865 } 866 if m.versOverride != 0 { 867 hello.addU16(m.versOverride) 868 } else if m.vers == tls13ExperimentVersion { 869 hello.addU16(VersionTLS12) 870 } else { 871 hello.addU16(m.vers) 872 } 873 874 hello.addBytes(m.random) 875 if vers < VersionTLS13 || m.vers == tls13ExperimentVersion { 876 sessionId := hello.addU8LengthPrefixed() 877 sessionId.addBytes(m.sessionId) 878 } 879 hello.addU16(m.cipherSuite) 880 if vers < VersionTLS13 || m.vers == tls13ExperimentVersion { 881 hello.addU8(m.compressionMethod) 882 } 883 884 extensions := hello.addU16LengthPrefixed() 885 886 if vers >= VersionTLS13 { 887 if m.hasKeyShare { 888 extensions.addU16(extensionKeyShare) 889 keyShare := extensions.addU16LengthPrefixed() 890 keyShare.addU16(uint16(m.keyShare.group)) 891 keyExchange := keyShare.addU16LengthPrefixed() 892 keyExchange.addBytes(m.keyShare.keyExchange) 893 } 894 if m.hasPSKIdentity { 895 extensions.addU16(extensionPreSharedKey) 896 extensions.addU16(2) // Length 897 extensions.addU16(m.pskIdentity) 898 } 899 if m.vers == tls13ExperimentVersion || m.supportedVersOverride != 0 { 900 extensions.addU16(extensionSupportedVersions) 901 extensions.addU16(2) // Length 902 if m.supportedVersOverride != 0 { 903 extensions.addU16(m.supportedVersOverride) 904 } else { 905 extensions.addU16(m.vers) 906 } 907 } 908 if len(m.customExtension) > 0 { 909 extensions.addU16(extensionCustom) 910 customExt := extensions.addU16LengthPrefixed() 911 customExt.addBytes([]byte(m.customExtension)) 912 } 913 if len(m.unencryptedALPN) > 0 { 914 extensions.addU16(extensionALPN) 915 extension := extensions.addU16LengthPrefixed() 916 917 protocolNameList := extension.addU16LengthPrefixed() 918 protocolName := protocolNameList.addU8LengthPrefixed() 919 protocolName.addBytes([]byte(m.unencryptedALPN)) 920 } 921 } else { 922 m.extensions.marshal(extensions) 923 if m.omitExtensions || m.emptyExtensions { 924 // Silently erasing server extensions will break the handshake. Instead, 925 // assert that tests which use this field also disable all features which 926 // would write an extension. 927 if extensions.len() != 0 { 928 panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", extensions.data(), m)) 929 } 930 hello.discardChild() 931 if m.emptyExtensions { 932 hello.addU16(0) 933 } 934 } 935 } 936 937 m.raw = handshakeMsg.finish() 938 return m.raw 939} 940 941func (m *serverHelloMsg) unmarshal(data []byte) bool { 942 if len(data) < 42 { 943 return false 944 } 945 m.raw = data 946 m.vers = uint16(data[4])<<8 | uint16(data[5]) 947 vers, ok := wireToVersion(m.vers, m.isDTLS) 948 if !ok { 949 return false 950 } 951 m.random = data[6:38] 952 data = data[38:] 953 if vers < VersionTLS13 || m.vers == tls13ExperimentVersion { 954 sessionIdLen := int(data[0]) 955 if sessionIdLen > 32 || len(data) < 1+sessionIdLen { 956 return false 957 } 958 m.sessionId = data[1 : 1+sessionIdLen] 959 data = data[1+sessionIdLen:] 960 } 961 if len(data) < 2 { 962 return false 963 } 964 m.cipherSuite = uint16(data[0])<<8 | uint16(data[1]) 965 data = data[2:] 966 if vers < VersionTLS13 || m.vers == tls13ExperimentVersion { 967 if len(data) < 1 { 968 return false 969 } 970 m.compressionMethod = data[0] 971 data = data[1:] 972 } 973 974 if len(data) == 0 && m.vers < VersionTLS13 { 975 // Extension data is optional before TLS 1.3. 976 m.extensions = serverExtensions{} 977 return true 978 } 979 if len(data) < 2 { 980 return false 981 } 982 983 extensionsLength := int(data[0])<<8 | int(data[1]) 984 data = data[2:] 985 if len(data) != extensionsLength { 986 return false 987 } 988 989 // Parse out the version from supported_versions if available. 990 if m.vers == VersionTLS12 { 991 vdata := data 992 for len(vdata) != 0 { 993 if len(vdata) < 4 { 994 return false 995 } 996 extension := uint16(vdata[0])<<8 | uint16(vdata[1]) 997 length := int(vdata[2])<<8 | int(vdata[3]) 998 vdata = vdata[4:] 999 1000 if len(vdata) < length { 1001 return false 1002 } 1003 d := vdata[:length] 1004 vdata = vdata[length:] 1005 1006 if extension == extensionSupportedVersions { 1007 if len(d) < 2 { 1008 return false 1009 } 1010 m.vers = uint16(d[0])<<8 | uint16(d[1]) 1011 vers, ok = wireToVersion(m.vers, m.isDTLS) 1012 if !ok { 1013 return false 1014 } 1015 } 1016 } 1017 } 1018 1019 if vers >= VersionTLS13 { 1020 for len(data) != 0 { 1021 if len(data) < 4 { 1022 return false 1023 } 1024 extension := uint16(data[0])<<8 | uint16(data[1]) 1025 length := int(data[2])<<8 | int(data[3]) 1026 data = data[4:] 1027 1028 if len(data) < length { 1029 return false 1030 } 1031 d := data[:length] 1032 data = data[length:] 1033 1034 switch extension { 1035 case extensionKeyShare: 1036 m.hasKeyShare = true 1037 if len(d) < 4 { 1038 return false 1039 } 1040 m.keyShare.group = CurveID(uint16(d[0])<<8 | uint16(d[1])) 1041 keyExchLen := int(d[2])<<8 | int(d[3]) 1042 if keyExchLen != len(d)-4 { 1043 return false 1044 } 1045 m.keyShare.keyExchange = make([]byte, keyExchLen) 1046 copy(m.keyShare.keyExchange, d[4:]) 1047 case extensionPreSharedKey: 1048 if len(d) != 2 { 1049 return false 1050 } 1051 m.pskIdentity = uint16(d[0])<<8 | uint16(d[1]) 1052 m.hasPSKIdentity = true 1053 case extensionSupportedVersions: 1054 if m.vers != tls13ExperimentVersion { 1055 return false 1056 } 1057 default: 1058 // Only allow the 3 extensions that are sent in 1059 // the clear in TLS 1.3. 1060 return false 1061 } 1062 } 1063 } else if !m.extensions.unmarshal(data, vers) { 1064 return false 1065 } 1066 1067 return true 1068} 1069 1070type encryptedExtensionsMsg struct { 1071 raw []byte 1072 extensions serverExtensions 1073 empty bool 1074} 1075 1076func (m *encryptedExtensionsMsg) marshal() []byte { 1077 if m.raw != nil { 1078 return m.raw 1079 } 1080 1081 encryptedExtensionsMsg := newByteBuilder() 1082 encryptedExtensionsMsg.addU8(typeEncryptedExtensions) 1083 encryptedExtensions := encryptedExtensionsMsg.addU24LengthPrefixed() 1084 if !m.empty { 1085 extensions := encryptedExtensions.addU16LengthPrefixed() 1086 m.extensions.marshal(extensions) 1087 } 1088 1089 m.raw = encryptedExtensionsMsg.finish() 1090 return m.raw 1091} 1092 1093func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1094 m.raw = data 1095 if len(data) < 6 { 1096 return false 1097 } 1098 if data[0] != typeEncryptedExtensions { 1099 return false 1100 } 1101 msgLen := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1102 data = data[4:] 1103 if len(data) != msgLen { 1104 return false 1105 } 1106 extLen := int(data[0])<<8 | int(data[1]) 1107 data = data[2:] 1108 if extLen != len(data) { 1109 return false 1110 } 1111 return m.extensions.unmarshal(data, VersionTLS13) 1112} 1113 1114type serverExtensions struct { 1115 nextProtoNeg bool 1116 nextProtos []string 1117 ocspStapling bool 1118 ticketSupported bool 1119 secureRenegotiation []byte 1120 alpnProtocol string 1121 alpnProtocolEmpty bool 1122 duplicateExtension bool 1123 channelIDRequested bool 1124 extendedMasterSecret bool 1125 srtpProtectionProfile uint16 1126 srtpMasterKeyIdentifier string 1127 sctList []byte 1128 customExtension string 1129 npnAfterAlpn bool 1130 hasKeyShare bool 1131 hasEarlyData bool 1132 keyShare keyShareEntry 1133 supportedVersion uint16 1134 supportedPoints []uint8 1135 serverNameAck bool 1136} 1137 1138func (m *serverExtensions) marshal(extensions *byteBuilder) { 1139 if m.duplicateExtension { 1140 // Add a duplicate bogus extension at the beginning and end. 1141 extensions.addU16(0xffff) 1142 extensions.addU16(0) // length = 0 for empty extension 1143 } 1144 if m.nextProtoNeg && !m.npnAfterAlpn { 1145 extensions.addU16(extensionNextProtoNeg) 1146 extension := extensions.addU16LengthPrefixed() 1147 1148 for _, v := range m.nextProtos { 1149 if len(v) > 255 { 1150 v = v[:255] 1151 } 1152 npn := extension.addU8LengthPrefixed() 1153 npn.addBytes([]byte(v)) 1154 } 1155 } 1156 if m.ocspStapling { 1157 extensions.addU16(extensionStatusRequest) 1158 extensions.addU16(0) 1159 } 1160 if m.ticketSupported { 1161 extensions.addU16(extensionSessionTicket) 1162 extensions.addU16(0) 1163 } 1164 if m.secureRenegotiation != nil { 1165 extensions.addU16(extensionRenegotiationInfo) 1166 extension := extensions.addU16LengthPrefixed() 1167 secureRenego := extension.addU8LengthPrefixed() 1168 secureRenego.addBytes(m.secureRenegotiation) 1169 } 1170 if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty { 1171 extensions.addU16(extensionALPN) 1172 extension := extensions.addU16LengthPrefixed() 1173 1174 protocolNameList := extension.addU16LengthPrefixed() 1175 protocolName := protocolNameList.addU8LengthPrefixed() 1176 protocolName.addBytes([]byte(m.alpnProtocol)) 1177 } 1178 if m.channelIDRequested { 1179 extensions.addU16(extensionChannelID) 1180 extensions.addU16(0) 1181 } 1182 if m.duplicateExtension { 1183 // Add a duplicate bogus extension at the beginning and end. 1184 extensions.addU16(0xffff) 1185 extensions.addU16(0) 1186 } 1187 if m.extendedMasterSecret { 1188 extensions.addU16(extensionExtendedMasterSecret) 1189 extensions.addU16(0) 1190 } 1191 if m.srtpProtectionProfile != 0 { 1192 extensions.addU16(extensionUseSRTP) 1193 extension := extensions.addU16LengthPrefixed() 1194 1195 srtpProtectionProfiles := extension.addU16LengthPrefixed() 1196 srtpProtectionProfiles.addU8(byte(m.srtpProtectionProfile >> 8)) 1197 srtpProtectionProfiles.addU8(byte(m.srtpProtectionProfile)) 1198 srtpMki := extension.addU8LengthPrefixed() 1199 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 1200 } 1201 if m.sctList != nil { 1202 extensions.addU16(extensionSignedCertificateTimestamp) 1203 extension := extensions.addU16LengthPrefixed() 1204 extension.addBytes(m.sctList) 1205 } 1206 if l := len(m.customExtension); l > 0 { 1207 extensions.addU16(extensionCustom) 1208 customExt := extensions.addU16LengthPrefixed() 1209 customExt.addBytes([]byte(m.customExtension)) 1210 } 1211 if m.nextProtoNeg && m.npnAfterAlpn { 1212 extensions.addU16(extensionNextProtoNeg) 1213 extension := extensions.addU16LengthPrefixed() 1214 1215 for _, v := range m.nextProtos { 1216 if len(v) > 255 { 1217 v = v[0:255] 1218 } 1219 npn := extension.addU8LengthPrefixed() 1220 npn.addBytes([]byte(v)) 1221 } 1222 } 1223 if m.hasKeyShare { 1224 extensions.addU16(extensionKeyShare) 1225 keyShare := extensions.addU16LengthPrefixed() 1226 keyShare.addU16(uint16(m.keyShare.group)) 1227 keyExchange := keyShare.addU16LengthPrefixed() 1228 keyExchange.addBytes(m.keyShare.keyExchange) 1229 } 1230 if m.supportedVersion != 0 { 1231 extensions.addU16(extensionSupportedVersions) 1232 extensions.addU16(2) // Length 1233 extensions.addU16(m.supportedVersion) 1234 } 1235 if len(m.supportedPoints) > 0 { 1236 // http://tools.ietf.org/html/rfc4492#section-5.1.2 1237 extensions.addU16(extensionSupportedPoints) 1238 supportedPointsList := extensions.addU16LengthPrefixed() 1239 supportedPoints := supportedPointsList.addU8LengthPrefixed() 1240 supportedPoints.addBytes(m.supportedPoints) 1241 } 1242 if m.hasEarlyData { 1243 extensions.addU16(extensionEarlyData) 1244 extensions.addBytes([]byte{0, 0}) 1245 } 1246 if m.serverNameAck { 1247 extensions.addU16(extensionServerName) 1248 extensions.addU16(0) // zero length 1249 } 1250} 1251 1252func (m *serverExtensions) unmarshal(data []byte, version uint16) bool { 1253 // Reset all fields. 1254 *m = serverExtensions{} 1255 1256 for len(data) != 0 { 1257 if len(data) < 4 { 1258 return false 1259 } 1260 extension := uint16(data[0])<<8 | uint16(data[1]) 1261 length := int(data[2])<<8 | int(data[3]) 1262 data = data[4:] 1263 if len(data) < length { 1264 return false 1265 } 1266 1267 switch extension { 1268 case extensionNextProtoNeg: 1269 m.nextProtoNeg = true 1270 d := data[:length] 1271 for len(d) > 0 { 1272 l := int(d[0]) 1273 d = d[1:] 1274 if l == 0 || l > len(d) { 1275 return false 1276 } 1277 m.nextProtos = append(m.nextProtos, string(d[:l])) 1278 d = d[l:] 1279 } 1280 case extensionStatusRequest: 1281 if length > 0 { 1282 return false 1283 } 1284 m.ocspStapling = true 1285 case extensionSessionTicket: 1286 if length > 0 { 1287 return false 1288 } 1289 m.ticketSupported = true 1290 case extensionRenegotiationInfo: 1291 if length < 1 || length != int(data[0])+1 { 1292 return false 1293 } 1294 m.secureRenegotiation = data[1:length] 1295 case extensionALPN: 1296 d := data[:length] 1297 if len(d) < 3 { 1298 return false 1299 } 1300 l := int(d[0])<<8 | int(d[1]) 1301 if l != len(d)-2 { 1302 return false 1303 } 1304 d = d[2:] 1305 l = int(d[0]) 1306 if l != len(d)-1 { 1307 return false 1308 } 1309 d = d[1:] 1310 m.alpnProtocol = string(d) 1311 m.alpnProtocolEmpty = len(d) == 0 1312 case extensionChannelID: 1313 if length > 0 { 1314 return false 1315 } 1316 m.channelIDRequested = true 1317 case extensionExtendedMasterSecret: 1318 if length != 0 { 1319 return false 1320 } 1321 m.extendedMasterSecret = true 1322 case extensionUseSRTP: 1323 if length < 2+2+1 { 1324 return false 1325 } 1326 if data[0] != 0 || data[1] != 2 { 1327 return false 1328 } 1329 m.srtpProtectionProfile = uint16(data[2])<<8 | uint16(data[3]) 1330 d := data[4:length] 1331 l := int(d[0]) 1332 if l != len(d)-1 { 1333 return false 1334 } 1335 m.srtpMasterKeyIdentifier = string(d[1:]) 1336 case extensionSignedCertificateTimestamp: 1337 m.sctList = data[:length] 1338 case extensionCustom: 1339 m.customExtension = string(data[:length]) 1340 case extensionServerName: 1341 if length != 0 { 1342 return false 1343 } 1344 m.serverNameAck = true 1345 case extensionSupportedPoints: 1346 // supported_points is illegal in TLS 1.3. 1347 if version >= VersionTLS13 { 1348 return false 1349 } 1350 // http://tools.ietf.org/html/rfc4492#section-5.5.2 1351 if length < 1 { 1352 return false 1353 } 1354 l := int(data[0]) 1355 if length != l+1 { 1356 return false 1357 } 1358 m.supportedPoints = data[1 : 1+l] 1359 case extensionSupportedCurves: 1360 // The server can only send supported_curves in TLS 1.3. 1361 if version < VersionTLS13 { 1362 return false 1363 } 1364 case extensionEarlyData: 1365 if version < VersionTLS13 || length != 0 { 1366 return false 1367 } 1368 m.hasEarlyData = true 1369 default: 1370 // Unknown extensions are illegal from the server. 1371 return false 1372 } 1373 data = data[length:] 1374 } 1375 1376 return true 1377} 1378 1379type helloRetryRequestMsg struct { 1380 raw []byte 1381 vers uint16 1382 hasSelectedGroup bool 1383 selectedGroup CurveID 1384 cookie []byte 1385 customExtension string 1386 duplicateExtensions bool 1387} 1388 1389func (m *helloRetryRequestMsg) marshal() []byte { 1390 if m.raw != nil { 1391 return m.raw 1392 } 1393 1394 retryRequestMsg := newByteBuilder() 1395 retryRequestMsg.addU8(typeHelloRetryRequest) 1396 retryRequest := retryRequestMsg.addU24LengthPrefixed() 1397 retryRequest.addU16(m.vers) 1398 extensions := retryRequest.addU16LengthPrefixed() 1399 1400 count := 1 1401 if m.duplicateExtensions { 1402 count = 2 1403 } 1404 1405 for i := 0; i < count; i++ { 1406 if m.hasSelectedGroup { 1407 extensions.addU16(extensionKeyShare) 1408 extensions.addU16(2) // length 1409 extensions.addU16(uint16(m.selectedGroup)) 1410 } 1411 if len(m.cookie) > 0 { 1412 extensions.addU16(extensionCookie) 1413 body := extensions.addU16LengthPrefixed() 1414 body.addU16LengthPrefixed().addBytes(m.cookie) 1415 } 1416 if len(m.customExtension) > 0 { 1417 extensions.addU16(extensionCustom) 1418 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 1419 } 1420 } 1421 1422 m.raw = retryRequestMsg.finish() 1423 return m.raw 1424} 1425 1426func (m *helloRetryRequestMsg) unmarshal(data []byte) bool { 1427 m.raw = data 1428 if len(data) < 8 { 1429 return false 1430 } 1431 m.vers = uint16(data[4])<<8 | uint16(data[5]) 1432 extLen := int(data[6])<<8 | int(data[7]) 1433 data = data[8:] 1434 if len(data) != extLen || len(data) == 0 { 1435 return false 1436 } 1437 for len(data) > 0 { 1438 if len(data) < 4 { 1439 return false 1440 } 1441 extension := uint16(data[0])<<8 | uint16(data[1]) 1442 length := int(data[2])<<8 | int(data[3]) 1443 data = data[4:] 1444 if len(data) < length { 1445 return false 1446 } 1447 1448 switch extension { 1449 case extensionKeyShare: 1450 if length != 2 { 1451 return false 1452 } 1453 m.hasSelectedGroup = true 1454 m.selectedGroup = CurveID(data[0])<<8 | CurveID(data[1]) 1455 case extensionCookie: 1456 if length < 2 { 1457 return false 1458 } 1459 cookieLen := int(data[0])<<8 | int(data[1]) 1460 if 2+cookieLen != length { 1461 return false 1462 } 1463 m.cookie = data[2 : 2+cookieLen] 1464 default: 1465 // Unknown extensions are illegal from the server. 1466 return false 1467 } 1468 data = data[length:] 1469 } 1470 return true 1471} 1472 1473type certificateEntry struct { 1474 data []byte 1475 ocspResponse []byte 1476 sctList []byte 1477 duplicateExtensions bool 1478 extraExtension []byte 1479} 1480 1481type certificateMsg struct { 1482 raw []byte 1483 hasRequestContext bool 1484 requestContext []byte 1485 certificates []certificateEntry 1486} 1487 1488func (m *certificateMsg) marshal() (x []byte) { 1489 if m.raw != nil { 1490 return m.raw 1491 } 1492 1493 certMsg := newByteBuilder() 1494 certMsg.addU8(typeCertificate) 1495 certificate := certMsg.addU24LengthPrefixed() 1496 if m.hasRequestContext { 1497 context := certificate.addU8LengthPrefixed() 1498 context.addBytes(m.requestContext) 1499 } 1500 certificateList := certificate.addU24LengthPrefixed() 1501 for _, cert := range m.certificates { 1502 certEntry := certificateList.addU24LengthPrefixed() 1503 certEntry.addBytes(cert.data) 1504 if m.hasRequestContext { 1505 extensions := certificateList.addU16LengthPrefixed() 1506 count := 1 1507 if cert.duplicateExtensions { 1508 count = 2 1509 } 1510 1511 for i := 0; i < count; i++ { 1512 if cert.ocspResponse != nil { 1513 extensions.addU16(extensionStatusRequest) 1514 body := extensions.addU16LengthPrefixed() 1515 body.addU8(statusTypeOCSP) 1516 response := body.addU24LengthPrefixed() 1517 response.addBytes(cert.ocspResponse) 1518 } 1519 1520 if cert.sctList != nil { 1521 extensions.addU16(extensionSignedCertificateTimestamp) 1522 extension := extensions.addU16LengthPrefixed() 1523 extension.addBytes(cert.sctList) 1524 } 1525 } 1526 if cert.extraExtension != nil { 1527 extensions.addBytes(cert.extraExtension) 1528 } 1529 } 1530 } 1531 1532 m.raw = certMsg.finish() 1533 return m.raw 1534} 1535 1536func (m *certificateMsg) unmarshal(data []byte) bool { 1537 if len(data) < 4 { 1538 return false 1539 } 1540 1541 m.raw = data 1542 data = data[4:] 1543 1544 if m.hasRequestContext { 1545 if len(data) == 0 { 1546 return false 1547 } 1548 contextLen := int(data[0]) 1549 if len(data) < 1+contextLen { 1550 return false 1551 } 1552 m.requestContext = make([]byte, contextLen) 1553 copy(m.requestContext, data[1:]) 1554 data = data[1+contextLen:] 1555 } 1556 1557 if len(data) < 3 { 1558 return false 1559 } 1560 certsLen := int(data[0])<<16 | int(data[1])<<8 | int(data[2]) 1561 data = data[3:] 1562 if len(data) != certsLen { 1563 return false 1564 } 1565 1566 m.certificates = nil 1567 for len(data) != 0 { 1568 if len(data) < 3 { 1569 return false 1570 } 1571 certLen := int(data[0])<<16 | int(data[1])<<8 | int(data[2]) 1572 if len(data) < 3+certLen { 1573 return false 1574 } 1575 cert := certificateEntry{ 1576 data: data[3 : 3+certLen], 1577 } 1578 data = data[3+certLen:] 1579 if m.hasRequestContext { 1580 if len(data) < 2 { 1581 return false 1582 } 1583 extensionsLen := int(data[0])<<8 | int(data[1]) 1584 if len(data) < 2+extensionsLen { 1585 return false 1586 } 1587 extensions := data[2 : 2+extensionsLen] 1588 data = data[2+extensionsLen:] 1589 for len(extensions) != 0 { 1590 if len(extensions) < 4 { 1591 return false 1592 } 1593 extension := uint16(extensions[0])<<8 | uint16(extensions[1]) 1594 length := int(extensions[2])<<8 | int(extensions[3]) 1595 if len(extensions) < 4+length { 1596 return false 1597 } 1598 contents := extensions[4 : 4+length] 1599 extensions = extensions[4+length:] 1600 1601 switch extension { 1602 case extensionStatusRequest: 1603 if length < 4 { 1604 return false 1605 } 1606 if contents[0] != statusTypeOCSP { 1607 return false 1608 } 1609 respLen := int(contents[1])<<16 | int(contents[2])<<8 | int(contents[3]) 1610 if respLen+4 != len(contents) || respLen == 0 { 1611 return false 1612 } 1613 cert.ocspResponse = contents[4:] 1614 case extensionSignedCertificateTimestamp: 1615 cert.sctList = contents 1616 default: 1617 return false 1618 } 1619 } 1620 } 1621 m.certificates = append(m.certificates, cert) 1622 } 1623 1624 return true 1625} 1626 1627type serverKeyExchangeMsg struct { 1628 raw []byte 1629 key []byte 1630} 1631 1632func (m *serverKeyExchangeMsg) marshal() []byte { 1633 if m.raw != nil { 1634 return m.raw 1635 } 1636 length := len(m.key) 1637 x := make([]byte, length+4) 1638 x[0] = typeServerKeyExchange 1639 x[1] = uint8(length >> 16) 1640 x[2] = uint8(length >> 8) 1641 x[3] = uint8(length) 1642 copy(x[4:], m.key) 1643 1644 m.raw = x 1645 return x 1646} 1647 1648func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1649 m.raw = data 1650 if len(data) < 4 { 1651 return false 1652 } 1653 m.key = data[4:] 1654 return true 1655} 1656 1657type certificateStatusMsg struct { 1658 raw []byte 1659 statusType uint8 1660 response []byte 1661} 1662 1663func (m *certificateStatusMsg) marshal() []byte { 1664 if m.raw != nil { 1665 return m.raw 1666 } 1667 1668 var x []byte 1669 if m.statusType == statusTypeOCSP { 1670 x = make([]byte, 4+4+len(m.response)) 1671 x[0] = typeCertificateStatus 1672 l := len(m.response) + 4 1673 x[1] = byte(l >> 16) 1674 x[2] = byte(l >> 8) 1675 x[3] = byte(l) 1676 x[4] = statusTypeOCSP 1677 1678 l -= 4 1679 x[5] = byte(l >> 16) 1680 x[6] = byte(l >> 8) 1681 x[7] = byte(l) 1682 copy(x[8:], m.response) 1683 } else { 1684 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 1685 } 1686 1687 m.raw = x 1688 return x 1689} 1690 1691func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1692 m.raw = data 1693 if len(data) < 5 { 1694 return false 1695 } 1696 m.statusType = data[4] 1697 1698 m.response = nil 1699 if m.statusType == statusTypeOCSP { 1700 if len(data) < 8 { 1701 return false 1702 } 1703 respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 1704 if uint32(len(data)) != 4+4+respLen { 1705 return false 1706 } 1707 m.response = data[8:] 1708 } 1709 return true 1710} 1711 1712type serverHelloDoneMsg struct{} 1713 1714func (m *serverHelloDoneMsg) marshal() []byte { 1715 x := make([]byte, 4) 1716 x[0] = typeServerHelloDone 1717 return x 1718} 1719 1720func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1721 return len(data) == 4 1722} 1723 1724type clientKeyExchangeMsg struct { 1725 raw []byte 1726 ciphertext []byte 1727} 1728 1729func (m *clientKeyExchangeMsg) marshal() []byte { 1730 if m.raw != nil { 1731 return m.raw 1732 } 1733 length := len(m.ciphertext) 1734 x := make([]byte, length+4) 1735 x[0] = typeClientKeyExchange 1736 x[1] = uint8(length >> 16) 1737 x[2] = uint8(length >> 8) 1738 x[3] = uint8(length) 1739 copy(x[4:], m.ciphertext) 1740 1741 m.raw = x 1742 return x 1743} 1744 1745func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1746 m.raw = data 1747 if len(data) < 4 { 1748 return false 1749 } 1750 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1751 if l != len(data)-4 { 1752 return false 1753 } 1754 m.ciphertext = data[4:] 1755 return true 1756} 1757 1758type finishedMsg struct { 1759 raw []byte 1760 verifyData []byte 1761} 1762 1763func (m *finishedMsg) marshal() (x []byte) { 1764 if m.raw != nil { 1765 return m.raw 1766 } 1767 1768 x = make([]byte, 4+len(m.verifyData)) 1769 x[0] = typeFinished 1770 x[3] = byte(len(m.verifyData)) 1771 copy(x[4:], m.verifyData) 1772 m.raw = x 1773 return 1774} 1775 1776func (m *finishedMsg) unmarshal(data []byte) bool { 1777 m.raw = data 1778 if len(data) < 4 { 1779 return false 1780 } 1781 m.verifyData = data[4:] 1782 return true 1783} 1784 1785type nextProtoMsg struct { 1786 raw []byte 1787 proto string 1788} 1789 1790func (m *nextProtoMsg) marshal() []byte { 1791 if m.raw != nil { 1792 return m.raw 1793 } 1794 l := len(m.proto) 1795 if l > 255 { 1796 l = 255 1797 } 1798 1799 padding := 32 - (l+2)%32 1800 length := l + padding + 2 1801 x := make([]byte, length+4) 1802 x[0] = typeNextProtocol 1803 x[1] = uint8(length >> 16) 1804 x[2] = uint8(length >> 8) 1805 x[3] = uint8(length) 1806 1807 y := x[4:] 1808 y[0] = byte(l) 1809 copy(y[1:], []byte(m.proto[0:l])) 1810 y = y[1+l:] 1811 y[0] = byte(padding) 1812 1813 m.raw = x 1814 1815 return x 1816} 1817 1818func (m *nextProtoMsg) unmarshal(data []byte) bool { 1819 m.raw = data 1820 1821 if len(data) < 5 { 1822 return false 1823 } 1824 data = data[4:] 1825 protoLen := int(data[0]) 1826 data = data[1:] 1827 if len(data) < protoLen { 1828 return false 1829 } 1830 m.proto = string(data[0:protoLen]) 1831 data = data[protoLen:] 1832 1833 if len(data) < 1 { 1834 return false 1835 } 1836 paddingLen := int(data[0]) 1837 data = data[1:] 1838 if len(data) != paddingLen { 1839 return false 1840 } 1841 1842 return true 1843} 1844 1845type certificateRequestMsg struct { 1846 raw []byte 1847 // hasSignatureAlgorithm indicates whether this message includes a list 1848 // of signature and hash functions. This change was introduced with TLS 1849 // 1.2. 1850 hasSignatureAlgorithm bool 1851 // hasRequestContext indicates whether this message includes a context 1852 // field instead of certificateTypes. This change was introduced with 1853 // TLS 1.3. 1854 hasRequestContext bool 1855 1856 certificateTypes []byte 1857 requestContext []byte 1858 signatureAlgorithms []signatureAlgorithm 1859 certificateAuthorities [][]byte 1860} 1861 1862func (m *certificateRequestMsg) marshal() []byte { 1863 if m.raw != nil { 1864 return m.raw 1865 } 1866 1867 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 1868 builder := newByteBuilder() 1869 builder.addU8(typeCertificateRequest) 1870 body := builder.addU24LengthPrefixed() 1871 1872 if m.hasRequestContext { 1873 requestContext := body.addU8LengthPrefixed() 1874 requestContext.addBytes(m.requestContext) 1875 } else { 1876 certificateTypes := body.addU8LengthPrefixed() 1877 certificateTypes.addBytes(m.certificateTypes) 1878 } 1879 1880 if m.hasSignatureAlgorithm { 1881 signatureAlgorithms := body.addU16LengthPrefixed() 1882 for _, sigAlg := range m.signatureAlgorithms { 1883 signatureAlgorithms.addU16(uint16(sigAlg)) 1884 } 1885 } 1886 1887 certificateAuthorities := body.addU16LengthPrefixed() 1888 for _, ca := range m.certificateAuthorities { 1889 caEntry := certificateAuthorities.addU16LengthPrefixed() 1890 caEntry.addBytes(ca) 1891 } 1892 1893 if m.hasRequestContext { 1894 // Emit no certificate extensions. 1895 body.addU16(0) 1896 } 1897 1898 m.raw = builder.finish() 1899 return m.raw 1900} 1901 1902func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1903 m.raw = data 1904 1905 if len(data) < 5 { 1906 return false 1907 } 1908 data = data[4:] 1909 1910 if m.hasRequestContext { 1911 contextLen := int(data[0]) 1912 if len(data) < 1+contextLen { 1913 return false 1914 } 1915 m.requestContext = make([]byte, contextLen) 1916 copy(m.requestContext, data[1:]) 1917 data = data[1+contextLen:] 1918 } else { 1919 numCertTypes := int(data[0]) 1920 if len(data) < 1+numCertTypes { 1921 return false 1922 } 1923 m.certificateTypes = make([]byte, numCertTypes) 1924 copy(m.certificateTypes, data[1:]) 1925 data = data[1+numCertTypes:] 1926 } 1927 1928 if m.hasSignatureAlgorithm { 1929 if len(data) < 2 { 1930 return false 1931 } 1932 sigAlgsLen := uint16(data[0])<<8 | uint16(data[1]) 1933 data = data[2:] 1934 if sigAlgsLen&1 != 0 { 1935 return false 1936 } 1937 if len(data) < int(sigAlgsLen) { 1938 return false 1939 } 1940 numSigAlgs := sigAlgsLen / 2 1941 m.signatureAlgorithms = make([]signatureAlgorithm, numSigAlgs) 1942 for i := range m.signatureAlgorithms { 1943 m.signatureAlgorithms[i] = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1]) 1944 data = data[2:] 1945 } 1946 } 1947 1948 if len(data) < 2 { 1949 return false 1950 } 1951 casLength := uint16(data[0])<<8 | uint16(data[1]) 1952 data = data[2:] 1953 if len(data) < int(casLength) { 1954 return false 1955 } 1956 cas := make([]byte, casLength) 1957 copy(cas, data) 1958 data = data[casLength:] 1959 1960 m.certificateAuthorities = nil 1961 for len(cas) > 0 { 1962 if len(cas) < 2 { 1963 return false 1964 } 1965 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1966 cas = cas[2:] 1967 1968 if len(cas) < int(caLen) { 1969 return false 1970 } 1971 1972 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1973 cas = cas[caLen:] 1974 } 1975 1976 if m.hasRequestContext { 1977 // Ignore certificate extensions. 1978 if len(data) < 2 { 1979 return false 1980 } 1981 extsLength := int(data[0])<<8 | int(data[1]) 1982 if len(data) < 2+extsLength { 1983 return false 1984 } 1985 data = data[2+extsLength:] 1986 } 1987 1988 if len(data) > 0 { 1989 return false 1990 } 1991 1992 return true 1993} 1994 1995type certificateVerifyMsg struct { 1996 raw []byte 1997 hasSignatureAlgorithm bool 1998 signatureAlgorithm signatureAlgorithm 1999 signature []byte 2000} 2001 2002func (m *certificateVerifyMsg) marshal() (x []byte) { 2003 if m.raw != nil { 2004 return m.raw 2005 } 2006 2007 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 2008 siglength := len(m.signature) 2009 length := 2 + siglength 2010 if m.hasSignatureAlgorithm { 2011 length += 2 2012 } 2013 x = make([]byte, 4+length) 2014 x[0] = typeCertificateVerify 2015 x[1] = uint8(length >> 16) 2016 x[2] = uint8(length >> 8) 2017 x[3] = uint8(length) 2018 y := x[4:] 2019 if m.hasSignatureAlgorithm { 2020 y[0] = byte(m.signatureAlgorithm >> 8) 2021 y[1] = byte(m.signatureAlgorithm) 2022 y = y[2:] 2023 } 2024 y[0] = uint8(siglength >> 8) 2025 y[1] = uint8(siglength) 2026 copy(y[2:], m.signature) 2027 2028 m.raw = x 2029 2030 return 2031} 2032 2033func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2034 m.raw = data 2035 2036 if len(data) < 6 { 2037 return false 2038 } 2039 2040 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2041 if uint32(len(data))-4 != length { 2042 return false 2043 } 2044 2045 data = data[4:] 2046 if m.hasSignatureAlgorithm { 2047 m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1]) 2048 data = data[2:] 2049 } 2050 2051 if len(data) < 2 { 2052 return false 2053 } 2054 siglength := int(data[0])<<8 + int(data[1]) 2055 data = data[2:] 2056 if len(data) != siglength { 2057 return false 2058 } 2059 2060 m.signature = data 2061 2062 return true 2063} 2064 2065type newSessionTicketMsg struct { 2066 raw []byte 2067 version uint16 2068 ticketLifetime uint32 2069 ticketAgeAdd uint32 2070 ticket []byte 2071 maxEarlyDataSize uint32 2072 customExtension string 2073 duplicateEarlyDataInfo bool 2074 hasGREASEExtension bool 2075} 2076 2077func (m *newSessionTicketMsg) marshal() []byte { 2078 if m.raw != nil { 2079 return m.raw 2080 } 2081 2082 // See http://tools.ietf.org/html/rfc5077#section-3.3 2083 ticketMsg := newByteBuilder() 2084 ticketMsg.addU8(typeNewSessionTicket) 2085 body := ticketMsg.addU24LengthPrefixed() 2086 body.addU32(m.ticketLifetime) 2087 if m.version >= VersionTLS13 { 2088 body.addU32(m.ticketAgeAdd) 2089 } 2090 2091 ticket := body.addU16LengthPrefixed() 2092 ticket.addBytes(m.ticket) 2093 2094 if m.version >= VersionTLS13 { 2095 extensions := body.addU16LengthPrefixed() 2096 if m.maxEarlyDataSize > 0 { 2097 extensions.addU16(extensionTicketEarlyDataInfo) 2098 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2099 if m.duplicateEarlyDataInfo { 2100 extensions.addU16(extensionTicketEarlyDataInfo) 2101 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2102 } 2103 } 2104 if len(m.customExtension) > 0 { 2105 extensions.addU16(extensionCustom) 2106 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 2107 } 2108 } 2109 2110 m.raw = ticketMsg.finish() 2111 return m.raw 2112} 2113 2114func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2115 m.raw = data 2116 2117 if len(data) < 8 { 2118 return false 2119 } 2120 m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 2121 data = data[8:] 2122 2123 if m.version >= VersionTLS13 { 2124 if len(data) < 4 { 2125 return false 2126 } 2127 m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2128 data = data[4:] 2129 } 2130 2131 if len(data) < 2 { 2132 return false 2133 } 2134 ticketLen := int(data[0])<<8 + int(data[1]) 2135 data = data[2:] 2136 if len(data) < ticketLen { 2137 return false 2138 } 2139 2140 if m.version >= VersionTLS13 && ticketLen == 0 { 2141 return false 2142 } 2143 2144 m.ticket = data[:ticketLen] 2145 data = data[ticketLen:] 2146 2147 if m.version >= VersionTLS13 { 2148 if len(data) < 2 { 2149 return false 2150 } 2151 2152 extensionsLength := int(data[0])<<8 | int(data[1]) 2153 data = data[2:] 2154 if extensionsLength != len(data) { 2155 return false 2156 } 2157 2158 for len(data) != 0 { 2159 if len(data) < 4 { 2160 return false 2161 } 2162 extension := uint16(data[0])<<8 | uint16(data[1]) 2163 length := int(data[2])<<8 | int(data[3]) 2164 data = data[4:] 2165 if len(data) < length { 2166 return false 2167 } 2168 2169 switch extension { 2170 case extensionTicketEarlyDataInfo: 2171 if length != 4 { 2172 return false 2173 } 2174 m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2175 default: 2176 if isGREASEValue(extension) { 2177 m.hasGREASEExtension = true 2178 } 2179 } 2180 2181 data = data[length:] 2182 } 2183 } 2184 2185 if len(data) > 0 { 2186 return false 2187 } 2188 2189 return true 2190} 2191 2192type v2ClientHelloMsg struct { 2193 raw []byte 2194 vers uint16 2195 cipherSuites []uint16 2196 sessionId []byte 2197 challenge []byte 2198} 2199 2200func (m *v2ClientHelloMsg) marshal() []byte { 2201 if m.raw != nil { 2202 return m.raw 2203 } 2204 2205 length := 1 + 2 + 2 + 2 + 2 + len(m.cipherSuites)*3 + len(m.sessionId) + len(m.challenge) 2206 2207 x := make([]byte, length) 2208 x[0] = 1 2209 x[1] = uint8(m.vers >> 8) 2210 x[2] = uint8(m.vers) 2211 x[3] = uint8((len(m.cipherSuites) * 3) >> 8) 2212 x[4] = uint8(len(m.cipherSuites) * 3) 2213 x[5] = uint8(len(m.sessionId) >> 8) 2214 x[6] = uint8(len(m.sessionId)) 2215 x[7] = uint8(len(m.challenge) >> 8) 2216 x[8] = uint8(len(m.challenge)) 2217 y := x[9:] 2218 for i, spec := range m.cipherSuites { 2219 y[i*3] = 0 2220 y[i*3+1] = uint8(spec >> 8) 2221 y[i*3+2] = uint8(spec) 2222 } 2223 y = y[len(m.cipherSuites)*3:] 2224 copy(y, m.sessionId) 2225 y = y[len(m.sessionId):] 2226 copy(y, m.challenge) 2227 2228 m.raw = x 2229 2230 return x 2231} 2232 2233type helloVerifyRequestMsg struct { 2234 raw []byte 2235 vers uint16 2236 cookie []byte 2237} 2238 2239func (m *helloVerifyRequestMsg) marshal() []byte { 2240 if m.raw != nil { 2241 return m.raw 2242 } 2243 2244 length := 2 + 1 + len(m.cookie) 2245 2246 x := make([]byte, 4+length) 2247 x[0] = typeHelloVerifyRequest 2248 x[1] = uint8(length >> 16) 2249 x[2] = uint8(length >> 8) 2250 x[3] = uint8(length) 2251 vers := m.vers 2252 x[4] = uint8(vers >> 8) 2253 x[5] = uint8(vers) 2254 x[6] = uint8(len(m.cookie)) 2255 copy(x[7:7+len(m.cookie)], m.cookie) 2256 2257 return x 2258} 2259 2260func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool { 2261 if len(data) < 4+2+1 { 2262 return false 2263 } 2264 m.raw = data 2265 m.vers = uint16(data[4])<<8 | uint16(data[5]) 2266 cookieLen := int(data[6]) 2267 if cookieLen > 32 || len(data) != 7+cookieLen { 2268 return false 2269 } 2270 m.cookie = data[7 : 7+cookieLen] 2271 2272 return true 2273} 2274 2275type channelIDMsg struct { 2276 raw []byte 2277 channelID []byte 2278} 2279 2280func (m *channelIDMsg) marshal() []byte { 2281 if m.raw != nil { 2282 return m.raw 2283 } 2284 2285 length := 2 + 2 + len(m.channelID) 2286 2287 x := make([]byte, 4+length) 2288 x[0] = typeChannelID 2289 x[1] = uint8(length >> 16) 2290 x[2] = uint8(length >> 8) 2291 x[3] = uint8(length) 2292 x[4] = uint8(extensionChannelID >> 8) 2293 x[5] = uint8(extensionChannelID & 0xff) 2294 x[6] = uint8(len(m.channelID) >> 8) 2295 x[7] = uint8(len(m.channelID) & 0xff) 2296 copy(x[8:], m.channelID) 2297 2298 return x 2299} 2300 2301func (m *channelIDMsg) unmarshal(data []byte) bool { 2302 if len(data) != 4+2+2+128 { 2303 return false 2304 } 2305 m.raw = data 2306 if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID { 2307 return false 2308 } 2309 if int(data[6])<<8|int(data[7]) != 128 { 2310 return false 2311 } 2312 m.channelID = data[4+2+2:] 2313 2314 return true 2315} 2316 2317type helloRequestMsg struct { 2318} 2319 2320func (*helloRequestMsg) marshal() []byte { 2321 return []byte{typeHelloRequest, 0, 0, 0} 2322} 2323 2324func (*helloRequestMsg) unmarshal(data []byte) bool { 2325 return len(data) == 4 2326} 2327 2328type keyUpdateMsg struct { 2329 raw []byte 2330 keyUpdateRequest byte 2331} 2332 2333func (m *keyUpdateMsg) marshal() []byte { 2334 if m.raw != nil { 2335 return m.raw 2336 } 2337 2338 return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest} 2339} 2340 2341func (m *keyUpdateMsg) unmarshal(data []byte) bool { 2342 m.raw = data 2343 2344 if len(data) != 5 { 2345 return false 2346 } 2347 2348 length := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 2349 if len(data)-4 != length { 2350 return false 2351 } 2352 2353 m.keyUpdateRequest = data[4] 2354 return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested 2355} 2356 2357// ssl3NoCertificateMsg is a dummy message to handle SSL 3.0 using a warning 2358// alert in the handshake. 2359type ssl3NoCertificateMsg struct{} 2360 2361func eqUint16s(x, y []uint16) bool { 2362 if len(x) != len(y) { 2363 return false 2364 } 2365 for i, v := range x { 2366 if y[i] != v { 2367 return false 2368 } 2369 } 2370 return true 2371} 2372 2373func eqCurveIDs(x, y []CurveID) bool { 2374 if len(x) != len(y) { 2375 return false 2376 } 2377 for i, v := range x { 2378 if y[i] != v { 2379 return false 2380 } 2381 } 2382 return true 2383} 2384 2385func eqStrings(x, y []string) bool { 2386 if len(x) != len(y) { 2387 return false 2388 } 2389 for i, v := range x { 2390 if y[i] != v { 2391 return false 2392 } 2393 } 2394 return true 2395} 2396 2397func eqByteSlices(x, y [][]byte) bool { 2398 if len(x) != len(y) { 2399 return false 2400 } 2401 for i, v := range x { 2402 if !bytes.Equal(v, y[i]) { 2403 return false 2404 } 2405 } 2406 return true 2407} 2408 2409func eqSignatureAlgorithms(x, y []signatureAlgorithm) bool { 2410 if len(x) != len(y) { 2411 return false 2412 } 2413 for i, v := range x { 2414 v2 := y[i] 2415 if v != v2 { 2416 return false 2417 } 2418 } 2419 return true 2420} 2421 2422func eqKeyShareEntryLists(x, y []keyShareEntry) bool { 2423 if len(x) != len(y) { 2424 return false 2425 } 2426 for i, v := range x { 2427 if y[i].group != v.group || !bytes.Equal(y[i].keyExchange, v.keyExchange) { 2428 return false 2429 } 2430 } 2431 return true 2432 2433} 2434 2435func eqPSKIdentityLists(x, y []pskIdentity) bool { 2436 if len(x) != len(y) { 2437 return false 2438 } 2439 for i, v := range x { 2440 if !bytes.Equal(y[i].ticket, v.ticket) || y[i].obfuscatedTicketAge != v.obfuscatedTicketAge { 2441 return false 2442 } 2443 } 2444 return true 2445 2446} 2447