• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"bytes"
9	"encoding/binary"
10	"fmt"
11)
12
13func writeLen(buf []byte, v, size int) {
14	for i := 0; i < size; i++ {
15		buf[size-i-1] = byte(v)
16		v >>= 8
17	}
18	if v != 0 {
19		panic("length is too long")
20	}
21}
22
23type byteBuilder struct {
24	buf       *[]byte
25	start     int
26	prefixLen int
27	child     *byteBuilder
28}
29
30func newByteBuilder() *byteBuilder {
31	buf := make([]byte, 0, 32)
32	return &byteBuilder{buf: &buf}
33}
34
35func (bb *byteBuilder) len() int {
36	return len(*bb.buf) - bb.start - bb.prefixLen
37}
38
39func (bb *byteBuilder) data() []byte {
40	bb.flush()
41	return (*bb.buf)[bb.start+bb.prefixLen:]
42}
43
44func (bb *byteBuilder) flush() {
45	if bb.child == nil {
46		return
47	}
48	bb.child.flush()
49	writeLen((*bb.buf)[bb.child.start:], bb.child.len(), bb.child.prefixLen)
50	bb.child = nil
51	return
52}
53
54func (bb *byteBuilder) finish() []byte {
55	bb.flush()
56	return *bb.buf
57}
58
59func (bb *byteBuilder) addU8(u uint8) {
60	bb.flush()
61	*bb.buf = append(*bb.buf, u)
62}
63
64func (bb *byteBuilder) addU16(u uint16) {
65	bb.flush()
66	*bb.buf = append(*bb.buf, byte(u>>8), byte(u))
67}
68
69func (bb *byteBuilder) addU24(u int) {
70	bb.flush()
71	*bb.buf = append(*bb.buf, byte(u>>16), byte(u>>8), byte(u))
72}
73
74func (bb *byteBuilder) addU32(u uint32) {
75	bb.flush()
76	*bb.buf = append(*bb.buf, byte(u>>24), byte(u>>16), byte(u>>8), byte(u))
77}
78
79func (bb *byteBuilder) addU64(u uint64) {
80	bb.flush()
81	var b [8]byte
82	binary.BigEndian.PutUint64(b[:], u)
83	*bb.buf = append(*bb.buf, b[:]...)
84}
85
86func (bb *byteBuilder) addU8LengthPrefixed() *byteBuilder {
87	return bb.createChild(1)
88}
89
90func (bb *byteBuilder) addU16LengthPrefixed() *byteBuilder {
91	return bb.createChild(2)
92}
93
94func (bb *byteBuilder) addU24LengthPrefixed() *byteBuilder {
95	return bb.createChild(3)
96}
97
98func (bb *byteBuilder) addU32LengthPrefixed() *byteBuilder {
99	return bb.createChild(4)
100}
101
102func (bb *byteBuilder) addBytes(b []byte) {
103	bb.flush()
104	*bb.buf = append(*bb.buf, b...)
105}
106
107func (bb *byteBuilder) createChild(lengthPrefixSize int) *byteBuilder {
108	bb.flush()
109	bb.child = &byteBuilder{
110		buf:       bb.buf,
111		start:     len(*bb.buf),
112		prefixLen: lengthPrefixSize,
113	}
114	for i := 0; i < lengthPrefixSize; i++ {
115		*bb.buf = append(*bb.buf, 0)
116	}
117	return bb.child
118}
119
120func (bb *byteBuilder) discardChild() {
121	if bb.child == nil {
122		return
123	}
124	*bb.buf = (*bb.buf)[:bb.child.start]
125	bb.child = nil
126}
127
128type keyShareEntry struct {
129	group       CurveID
130	keyExchange []byte
131}
132
133type pskIdentity struct {
134	ticket              []uint8
135	obfuscatedTicketAge uint32
136}
137
138type clientHelloMsg struct {
139	raw                     []byte
140	isDTLS                  bool
141	vers                    uint16
142	random                  []byte
143	sessionId               []byte
144	cookie                  []byte
145	cipherSuites            []uint16
146	compressionMethods      []uint8
147	nextProtoNeg            bool
148	serverName              string
149	ocspStapling            bool
150	supportedCurves         []CurveID
151	supportedPoints         []uint8
152	hasKeyShares            bool
153	keyShares               []keyShareEntry
154	trailingKeyShareData    bool
155	pskIdentities           []pskIdentity
156	pskKEModes              []byte
157	pskBinders              [][]uint8
158	hasEarlyData            bool
159	tls13Cookie             []byte
160	ticketSupported         bool
161	sessionTicket           []uint8
162	signatureAlgorithms     []signatureAlgorithm
163	supportedVersions       []uint16
164	secureRenegotiation     []byte
165	alpnProtocols           []string
166	duplicateExtension      bool
167	channelIDSupported      bool
168	npnAfterAlpn            bool
169	extendedMasterSecret    bool
170	srtpProtectionProfiles  []uint16
171	srtpMasterKeyIdentifier string
172	sctListSupported        bool
173	customExtension         string
174	hasGREASEExtension      bool
175	pskBinderFirst          bool
176	omitExtensions          bool
177	emptyExtensions         bool
178}
179
180func (m *clientHelloMsg) equal(i interface{}) bool {
181	m1, ok := i.(*clientHelloMsg)
182	if !ok {
183		return false
184	}
185
186	return bytes.Equal(m.raw, m1.raw) &&
187		m.isDTLS == m1.isDTLS &&
188		m.vers == m1.vers &&
189		bytes.Equal(m.random, m1.random) &&
190		bytes.Equal(m.sessionId, m1.sessionId) &&
191		bytes.Equal(m.cookie, m1.cookie) &&
192		eqUint16s(m.cipherSuites, m1.cipherSuites) &&
193		bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
194		m.nextProtoNeg == m1.nextProtoNeg &&
195		m.serverName == m1.serverName &&
196		m.ocspStapling == m1.ocspStapling &&
197		eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
198		bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
199		m.hasKeyShares == m1.hasKeyShares &&
200		eqKeyShareEntryLists(m.keyShares, m1.keyShares) &&
201		m.trailingKeyShareData == m1.trailingKeyShareData &&
202		eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) &&
203		bytes.Equal(m.pskKEModes, m1.pskKEModes) &&
204		eqByteSlices(m.pskBinders, m1.pskBinders) &&
205		m.hasEarlyData == m1.hasEarlyData &&
206		bytes.Equal(m.tls13Cookie, m1.tls13Cookie) &&
207		m.ticketSupported == m1.ticketSupported &&
208		bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
209		eqSignatureAlgorithms(m.signatureAlgorithms, m1.signatureAlgorithms) &&
210		eqUint16s(m.supportedVersions, m1.supportedVersions) &&
211		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
212		(m.secureRenegotiation == nil) == (m1.secureRenegotiation == nil) &&
213		eqStrings(m.alpnProtocols, m1.alpnProtocols) &&
214		m.duplicateExtension == m1.duplicateExtension &&
215		m.channelIDSupported == m1.channelIDSupported &&
216		m.npnAfterAlpn == m1.npnAfterAlpn &&
217		m.extendedMasterSecret == m1.extendedMasterSecret &&
218		eqUint16s(m.srtpProtectionProfiles, m1.srtpProtectionProfiles) &&
219		m.srtpMasterKeyIdentifier == m1.srtpMasterKeyIdentifier &&
220		m.sctListSupported == m1.sctListSupported &&
221		m.customExtension == m1.customExtension &&
222		m.hasGREASEExtension == m1.hasGREASEExtension &&
223		m.pskBinderFirst == m1.pskBinderFirst &&
224		m.omitExtensions == m1.omitExtensions &&
225		m.emptyExtensions == m1.emptyExtensions
226}
227
228func (m *clientHelloMsg) marshal() []byte {
229	if m.raw != nil {
230		return m.raw
231	}
232
233	handshakeMsg := newByteBuilder()
234	handshakeMsg.addU8(typeClientHello)
235	hello := handshakeMsg.addU24LengthPrefixed()
236	hello.addU16(m.vers)
237	hello.addBytes(m.random)
238	sessionId := hello.addU8LengthPrefixed()
239	sessionId.addBytes(m.sessionId)
240	if m.isDTLS {
241		cookie := hello.addU8LengthPrefixed()
242		cookie.addBytes(m.cookie)
243	}
244	cipherSuites := hello.addU16LengthPrefixed()
245	for _, suite := range m.cipherSuites {
246		cipherSuites.addU16(suite)
247	}
248	compressionMethods := hello.addU8LengthPrefixed()
249	compressionMethods.addBytes(m.compressionMethods)
250
251	extensions := hello.addU16LengthPrefixed()
252	if len(m.pskIdentities) > 0 && m.pskBinderFirst {
253		extensions.addU16(extensionPreSharedKey)
254		pskExtension := extensions.addU16LengthPrefixed()
255
256		pskIdentities := pskExtension.addU16LengthPrefixed()
257		for _, psk := range m.pskIdentities {
258			pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket)
259			pskIdentities.addU32(psk.obfuscatedTicketAge)
260		}
261		pskBinders := pskExtension.addU16LengthPrefixed()
262		for _, binder := range m.pskBinders {
263			pskBinders.addU8LengthPrefixed().addBytes(binder)
264		}
265	}
266	if m.duplicateExtension {
267		// Add a duplicate bogus extension at the beginning and end.
268		extensions.addU16(0xffff)
269		extensions.addU16(0) // 0-length for empty extension
270	}
271	if m.nextProtoNeg && !m.npnAfterAlpn {
272		extensions.addU16(extensionNextProtoNeg)
273		extensions.addU16(0) // The length is always 0
274	}
275	if len(m.serverName) > 0 {
276		extensions.addU16(extensionServerName)
277		serverNameList := extensions.addU16LengthPrefixed()
278
279		// RFC 3546, section 3.1
280		//
281		// struct {
282		//     NameType name_type;
283		//     select (name_type) {
284		//         case host_name: HostName;
285		//     } name;
286		// } ServerName;
287		//
288		// enum {
289		//     host_name(0), (255)
290		// } NameType;
291		//
292		// opaque HostName<1..2^16-1>;
293		//
294		// struct {
295		//     ServerName server_name_list<1..2^16-1>
296		// } ServerNameList;
297
298		serverName := serverNameList.addU16LengthPrefixed()
299		serverName.addU8(0) // NameType host_name(0)
300		hostName := serverName.addU16LengthPrefixed()
301		hostName.addBytes([]byte(m.serverName))
302	}
303	if m.ocspStapling {
304		extensions.addU16(extensionStatusRequest)
305		certificateStatusRequest := extensions.addU16LengthPrefixed()
306
307		// RFC 4366, section 3.6
308		certificateStatusRequest.addU8(1) // OCSP type
309		// Two zero valued uint16s for the two lengths.
310		certificateStatusRequest.addU16(0) // ResponderID length
311		certificateStatusRequest.addU16(0) // Extensions length
312	}
313	if len(m.supportedCurves) > 0 {
314		// http://tools.ietf.org/html/rfc4492#section-5.1.1
315		extensions.addU16(extensionSupportedCurves)
316		supportedCurvesList := extensions.addU16LengthPrefixed()
317		supportedCurves := supportedCurvesList.addU16LengthPrefixed()
318		for _, curve := range m.supportedCurves {
319			supportedCurves.addU16(uint16(curve))
320		}
321	}
322	if len(m.supportedPoints) > 0 {
323		// http://tools.ietf.org/html/rfc4492#section-5.1.2
324		extensions.addU16(extensionSupportedPoints)
325		supportedPointsList := extensions.addU16LengthPrefixed()
326		supportedPoints := supportedPointsList.addU8LengthPrefixed()
327		supportedPoints.addBytes(m.supportedPoints)
328	}
329	if m.hasKeyShares {
330		extensions.addU16(extensionKeyShare)
331		keyShareList := extensions.addU16LengthPrefixed()
332
333		keyShares := keyShareList.addU16LengthPrefixed()
334		for _, keyShare := range m.keyShares {
335			keyShares.addU16(uint16(keyShare.group))
336			keyExchange := keyShares.addU16LengthPrefixed()
337			keyExchange.addBytes(keyShare.keyExchange)
338		}
339
340		if m.trailingKeyShareData {
341			keyShares.addU8(0)
342		}
343	}
344	if len(m.pskKEModes) > 0 {
345		extensions.addU16(extensionPSKKeyExchangeModes)
346		pskModesExtension := extensions.addU16LengthPrefixed()
347		pskModesExtension.addU8LengthPrefixed().addBytes(m.pskKEModes)
348	}
349	if m.hasEarlyData {
350		extensions.addU16(extensionEarlyData)
351		extensions.addU16(0) // The length is zero.
352	}
353	if len(m.tls13Cookie) > 0 {
354		extensions.addU16(extensionCookie)
355		body := extensions.addU16LengthPrefixed()
356		body.addU16LengthPrefixed().addBytes(m.tls13Cookie)
357	}
358	if m.ticketSupported {
359		// http://tools.ietf.org/html/rfc5077#section-3.2
360		extensions.addU16(extensionSessionTicket)
361		sessionTicketExtension := extensions.addU16LengthPrefixed()
362		sessionTicketExtension.addBytes(m.sessionTicket)
363	}
364	if len(m.signatureAlgorithms) > 0 {
365		// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
366		extensions.addU16(extensionSignatureAlgorithms)
367		signatureAlgorithmsExtension := extensions.addU16LengthPrefixed()
368		signatureAlgorithms := signatureAlgorithmsExtension.addU16LengthPrefixed()
369		for _, sigAlg := range m.signatureAlgorithms {
370			signatureAlgorithms.addU16(uint16(sigAlg))
371		}
372	}
373	if len(m.supportedVersions) > 0 {
374		extensions.addU16(extensionSupportedVersions)
375		supportedVersionsExtension := extensions.addU16LengthPrefixed()
376		supportedVersions := supportedVersionsExtension.addU8LengthPrefixed()
377		for _, version := range m.supportedVersions {
378			supportedVersions.addU16(uint16(version))
379		}
380	}
381	if m.secureRenegotiation != nil {
382		extensions.addU16(extensionRenegotiationInfo)
383		secureRenegoExt := extensions.addU16LengthPrefixed()
384		secureRenego := secureRenegoExt.addU8LengthPrefixed()
385		secureRenego.addBytes(m.secureRenegotiation)
386	}
387	if len(m.alpnProtocols) > 0 {
388		// https://tools.ietf.org/html/rfc7301#section-3.1
389		extensions.addU16(extensionALPN)
390		alpnExtension := extensions.addU16LengthPrefixed()
391
392		protocolNameList := alpnExtension.addU16LengthPrefixed()
393		for _, s := range m.alpnProtocols {
394			protocolName := protocolNameList.addU8LengthPrefixed()
395			protocolName.addBytes([]byte(s))
396		}
397	}
398	if m.channelIDSupported {
399		extensions.addU16(extensionChannelID)
400		extensions.addU16(0) // Length is always 0
401	}
402	if m.nextProtoNeg && m.npnAfterAlpn {
403		extensions.addU16(extensionNextProtoNeg)
404		extensions.addU16(0) // Length is always 0
405	}
406	if m.duplicateExtension {
407		// Add a duplicate bogus extension at the beginning and end.
408		extensions.addU16(0xffff)
409		extensions.addU16(0)
410	}
411	if m.extendedMasterSecret {
412		// https://tools.ietf.org/html/rfc7627
413		extensions.addU16(extensionExtendedMasterSecret)
414		extensions.addU16(0) // Length is always 0
415	}
416	if len(m.srtpProtectionProfiles) > 0 {
417		// https://tools.ietf.org/html/rfc5764#section-4.1.1
418		extensions.addU16(extensionUseSRTP)
419		useSrtpExt := extensions.addU16LengthPrefixed()
420
421		srtpProtectionProfiles := useSrtpExt.addU16LengthPrefixed()
422		for _, p := range m.srtpProtectionProfiles {
423			// An SRTPProtectionProfile is defined as uint8[2],
424			// not uint16. For some reason, we're storing it
425			// as a uint16.
426			srtpProtectionProfiles.addU8(byte(p >> 8))
427			srtpProtectionProfiles.addU8(byte(p))
428		}
429		srtpMki := useSrtpExt.addU8LengthPrefixed()
430		srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier))
431	}
432	if m.sctListSupported {
433		extensions.addU16(extensionSignedCertificateTimestamp)
434		extensions.addU16(0) // Length is always 0
435	}
436	if l := len(m.customExtension); l > 0 {
437		extensions.addU16(extensionCustom)
438		customExt := extensions.addU16LengthPrefixed()
439		customExt.addBytes([]byte(m.customExtension))
440	}
441	// The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
442	if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
443		extensions.addU16(extensionPreSharedKey)
444		pskExtension := extensions.addU16LengthPrefixed()
445
446		pskIdentities := pskExtension.addU16LengthPrefixed()
447		for _, psk := range m.pskIdentities {
448			pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket)
449			pskIdentities.addU32(psk.obfuscatedTicketAge)
450		}
451		pskBinders := pskExtension.addU16LengthPrefixed()
452		for _, binder := range m.pskBinders {
453			pskBinders.addU8LengthPrefixed().addBytes(binder)
454		}
455	}
456
457	if m.omitExtensions || m.emptyExtensions {
458		// Silently erase any extensions which were sent.
459		hello.discardChild()
460		if m.emptyExtensions {
461			hello.addU16(0)
462		}
463	}
464
465	m.raw = handshakeMsg.finish()
466	return m.raw
467}
468
469func (m *clientHelloMsg) unmarshal(data []byte) bool {
470	if len(data) < 42 {
471		return false
472	}
473	m.raw = data
474	m.vers = uint16(data[4])<<8 | uint16(data[5])
475	m.random = data[6:38]
476	sessionIdLen := int(data[38])
477	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
478		return false
479	}
480	m.sessionId = data[39 : 39+sessionIdLen]
481	data = data[39+sessionIdLen:]
482	if m.isDTLS {
483		if len(data) < 1 {
484			return false
485		}
486		cookieLen := int(data[0])
487		if cookieLen > 32 || len(data) < 1+cookieLen {
488			return false
489		}
490		m.cookie = data[1 : 1+cookieLen]
491		data = data[1+cookieLen:]
492	}
493	if len(data) < 2 {
494		return false
495	}
496	// cipherSuiteLen is the number of bytes of cipher suite numbers. Since
497	// they are uint16s, the number must be even.
498	cipherSuiteLen := int(data[0])<<8 | int(data[1])
499	if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
500		return false
501	}
502	numCipherSuites := cipherSuiteLen / 2
503	m.cipherSuites = make([]uint16, numCipherSuites)
504	for i := 0; i < numCipherSuites; i++ {
505		m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
506		if m.cipherSuites[i] == scsvRenegotiation {
507			m.secureRenegotiation = []byte{}
508		}
509	}
510	data = data[2+cipherSuiteLen:]
511	if len(data) < 1 {
512		return false
513	}
514	compressionMethodsLen := int(data[0])
515	if len(data) < 1+compressionMethodsLen {
516		return false
517	}
518	m.compressionMethods = data[1 : 1+compressionMethodsLen]
519
520	data = data[1+compressionMethodsLen:]
521
522	m.nextProtoNeg = false
523	m.serverName = ""
524	m.ocspStapling = false
525	m.keyShares = nil
526	m.pskIdentities = nil
527	m.hasEarlyData = false
528	m.ticketSupported = false
529	m.sessionTicket = nil
530	m.signatureAlgorithms = nil
531	m.supportedVersions = nil
532	m.alpnProtocols = nil
533	m.extendedMasterSecret = false
534	m.customExtension = ""
535
536	if len(data) == 0 {
537		// ClientHello is optionally followed by extension data
538		return true
539	}
540	if len(data) < 2 {
541		return false
542	}
543
544	extensionsLength := int(data[0])<<8 | int(data[1])
545	data = data[2:]
546	if extensionsLength != len(data) {
547		return false
548	}
549
550	for len(data) != 0 {
551		if len(data) < 4 {
552			return false
553		}
554		extension := uint16(data[0])<<8 | uint16(data[1])
555		length := int(data[2])<<8 | int(data[3])
556		data = data[4:]
557		if len(data) < length {
558			return false
559		}
560
561		switch extension {
562		case extensionServerName:
563			if length < 2 {
564				return false
565			}
566			numNames := int(data[0])<<8 | int(data[1])
567			d := data[2:]
568			for i := 0; i < numNames; i++ {
569				if len(d) < 3 {
570					return false
571				}
572				nameType := d[0]
573				nameLen := int(d[1])<<8 | int(d[2])
574				d = d[3:]
575				if len(d) < nameLen {
576					return false
577				}
578				if nameType == 0 {
579					m.serverName = string(d[0:nameLen])
580					break
581				}
582				d = d[nameLen:]
583			}
584		case extensionNextProtoNeg:
585			if length > 0 {
586				return false
587			}
588			m.nextProtoNeg = true
589		case extensionStatusRequest:
590			m.ocspStapling = length > 0 && data[0] == statusTypeOCSP
591		case extensionSupportedCurves:
592			// http://tools.ietf.org/html/rfc4492#section-5.5.1
593			if length < 2 {
594				return false
595			}
596			l := int(data[0])<<8 | int(data[1])
597			if l%2 == 1 || length != l+2 {
598				return false
599			}
600			numCurves := l / 2
601			m.supportedCurves = make([]CurveID, numCurves)
602			d := data[2:]
603			for i := 0; i < numCurves; i++ {
604				m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1])
605				d = d[2:]
606			}
607		case extensionSupportedPoints:
608			// http://tools.ietf.org/html/rfc4492#section-5.5.2
609			if length < 1 {
610				return false
611			}
612			l := int(data[0])
613			if length != l+1 {
614				return false
615			}
616			m.supportedPoints = data[1 : 1+l]
617		case extensionSessionTicket:
618			// http://tools.ietf.org/html/rfc5077#section-3.2
619			m.ticketSupported = true
620			m.sessionTicket = data[:length]
621		case extensionKeyShare:
622			// draft-ietf-tls-tls13 section 6.3.2.3
623			if length < 2 {
624				return false
625			}
626			l := int(data[0])<<8 | int(data[1])
627			if l != length-2 {
628				return false
629			}
630			d := data[2:length]
631			m.hasKeyShares = true
632			for len(d) > 0 {
633				// The next KeyShareEntry contains a NamedGroup (2 bytes) and a
634				// key_exchange (2-byte length prefix with at least 1 byte of content).
635				if len(d) < 5 {
636					return false
637				}
638				entry := keyShareEntry{}
639				entry.group = CurveID(d[0])<<8 | CurveID(d[1])
640				keyExchLen := int(d[2])<<8 | int(d[3])
641				d = d[4:]
642				if len(d) < keyExchLen {
643					return false
644				}
645				entry.keyExchange = d[:keyExchLen]
646				d = d[keyExchLen:]
647				m.keyShares = append(m.keyShares, entry)
648			}
649		case extensionPreSharedKey:
650			// draft-ietf-tls-tls13-18 section 4.2.6
651			if length < 2 {
652				return false
653			}
654			l := int(data[0])<<8 | int(data[1])
655			d := data[2 : l+2]
656			// Parse PSK identities.
657			for len(d) > 0 {
658				if len(d) < 2 {
659					return false
660				}
661				pskLen := int(d[0])<<8 | int(d[1])
662				d = d[2:]
663
664				if len(d) < pskLen+4 {
665					return false
666				}
667				ticket := d[:pskLen]
668				obfuscatedTicketAge := uint32(d[pskLen])<<24 | uint32(d[pskLen+1])<<16 | uint32(d[pskLen+2])<<8 | uint32(d[pskLen+3])
669				psk := pskIdentity{
670					ticket:              ticket,
671					obfuscatedTicketAge: obfuscatedTicketAge,
672				}
673				m.pskIdentities = append(m.pskIdentities, psk)
674				d = d[pskLen+4:]
675			}
676			d = data[l+2:]
677			if len(d) < 2 {
678				return false
679			}
680			l = int(d[0])<<8 | int(d[1])
681			d = d[2:]
682			if l != len(d) {
683				return false
684			}
685			// Parse PSK binders.
686			for len(d) > 0 {
687				if len(d) < 1 {
688					return false
689				}
690				binderLen := int(d[0])
691				d = d[1:]
692				if binderLen > len(d) {
693					return false
694				}
695				m.pskBinders = append(m.pskBinders, d[:binderLen])
696				d = d[binderLen:]
697			}
698
699			// There must be the same number of identities as binders.
700			if len(m.pskIdentities) != len(m.pskBinders) {
701				return false
702			}
703		case extensionPSKKeyExchangeModes:
704			// draft-ietf-tls-tls13-18 section 4.2.7
705			if length < 1 {
706				return false
707			}
708			l := int(data[0])
709			if l != length-1 {
710				return false
711			}
712			m.pskKEModes = data[1:length]
713		case extensionEarlyData:
714			// draft-ietf-tls-tls13 section 6.3.2.5
715			if length != 0 {
716				return false
717			}
718			m.hasEarlyData = true
719		case extensionCookie:
720			if length < 2 {
721				return false
722			}
723			l := int(data[0])<<8 | int(data[1])
724			if l != length-2 || l == 0 {
725				return false
726			}
727			m.tls13Cookie = data[2 : 2+l]
728		case extensionSignatureAlgorithms:
729			// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
730			if length < 2 || length&1 != 0 {
731				return false
732			}
733			l := int(data[0])<<8 | int(data[1])
734			if l != length-2 {
735				return false
736			}
737			n := l / 2
738			d := data[2:]
739			m.signatureAlgorithms = make([]signatureAlgorithm, n)
740			for i := range m.signatureAlgorithms {
741				m.signatureAlgorithms[i] = signatureAlgorithm(d[0])<<8 | signatureAlgorithm(d[1])
742				d = d[2:]
743			}
744		case extensionSupportedVersions:
745			if length < 1+2 {
746				return false
747			}
748			l := int(data[0])
749			if l != length-1 || l%2 == 1 || l < 2 {
750				return false
751			}
752			n := l / 2
753			d := data[1:]
754			m.supportedVersions = make([]uint16, n)
755			for i := range m.supportedVersions {
756				m.supportedVersions[i] = uint16(d[0])<<8 | uint16(d[1])
757				d = d[2:]
758			}
759		case extensionRenegotiationInfo:
760			if length < 1 || length != int(data[0])+1 {
761				return false
762			}
763			m.secureRenegotiation = data[1:length]
764		case extensionALPN:
765			if length < 2 {
766				return false
767			}
768			l := int(data[0])<<8 | int(data[1])
769			if l != length-2 {
770				return false
771			}
772			d := data[2:length]
773			for len(d) != 0 {
774				stringLen := int(d[0])
775				d = d[1:]
776				if stringLen == 0 || stringLen > len(d) {
777					return false
778				}
779				m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen]))
780				d = d[stringLen:]
781			}
782		case extensionChannelID:
783			if length > 0 {
784				return false
785			}
786			m.channelIDSupported = true
787		case extensionExtendedMasterSecret:
788			if length != 0 {
789				return false
790			}
791			m.extendedMasterSecret = true
792		case extensionUseSRTP:
793			if length < 2 {
794				return false
795			}
796			l := int(data[0])<<8 | int(data[1])
797			if l > length-2 || l%2 != 0 {
798				return false
799			}
800			n := l / 2
801			m.srtpProtectionProfiles = make([]uint16, n)
802			d := data[2:length]
803			for i := 0; i < n; i++ {
804				m.srtpProtectionProfiles[i] = uint16(d[0])<<8 | uint16(d[1])
805				d = d[2:]
806			}
807			if len(d) < 1 || int(d[0]) != len(d)-1 {
808				return false
809			}
810			m.srtpMasterKeyIdentifier = string(d[1:])
811		case extensionSignedCertificateTimestamp:
812			if length != 0 {
813				return false
814			}
815			m.sctListSupported = true
816		case extensionCustom:
817			m.customExtension = string(data[:length])
818		}
819		data = data[length:]
820
821		if isGREASEValue(extension) {
822			m.hasGREASEExtension = true
823		}
824	}
825
826	return true
827}
828
829type serverHelloMsg struct {
830	raw                   []byte
831	isDTLS                bool
832	vers                  uint16
833	versOverride          uint16
834	supportedVersOverride uint16
835	random                []byte
836	sessionId             []byte
837	cipherSuite           uint16
838	hasKeyShare           bool
839	keyShare              keyShareEntry
840	hasPSKIdentity        bool
841	pskIdentity           uint16
842	compressionMethod     uint8
843	customExtension       string
844	unencryptedALPN       string
845	omitExtensions        bool
846	emptyExtensions       bool
847	extensions            serverExtensions
848}
849
850func (m *serverHelloMsg) marshal() []byte {
851	if m.raw != nil {
852		return m.raw
853	}
854
855	handshakeMsg := newByteBuilder()
856	handshakeMsg.addU8(typeServerHello)
857	hello := handshakeMsg.addU24LengthPrefixed()
858
859	// m.vers is used both to determine the format of the rest of the
860	// ServerHello and to override the value, so include a second version
861	// field.
862	vers, ok := wireToVersion(m.vers, m.isDTLS)
863	if !ok {
864		panic("unknown version")
865	}
866	if m.versOverride != 0 {
867		hello.addU16(m.versOverride)
868	} else if m.vers == tls13ExperimentVersion {
869		hello.addU16(VersionTLS12)
870	} else {
871		hello.addU16(m.vers)
872	}
873
874	hello.addBytes(m.random)
875	if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
876		sessionId := hello.addU8LengthPrefixed()
877		sessionId.addBytes(m.sessionId)
878	}
879	hello.addU16(m.cipherSuite)
880	if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
881		hello.addU8(m.compressionMethod)
882	}
883
884	extensions := hello.addU16LengthPrefixed()
885
886	if vers >= VersionTLS13 {
887		if m.hasKeyShare {
888			extensions.addU16(extensionKeyShare)
889			keyShare := extensions.addU16LengthPrefixed()
890			keyShare.addU16(uint16(m.keyShare.group))
891			keyExchange := keyShare.addU16LengthPrefixed()
892			keyExchange.addBytes(m.keyShare.keyExchange)
893		}
894		if m.hasPSKIdentity {
895			extensions.addU16(extensionPreSharedKey)
896			extensions.addU16(2) // Length
897			extensions.addU16(m.pskIdentity)
898		}
899		if m.vers == tls13ExperimentVersion || m.supportedVersOverride != 0 {
900			extensions.addU16(extensionSupportedVersions)
901			extensions.addU16(2) // Length
902			if m.supportedVersOverride != 0 {
903				extensions.addU16(m.supportedVersOverride)
904			} else {
905				extensions.addU16(m.vers)
906			}
907		}
908		if len(m.customExtension) > 0 {
909			extensions.addU16(extensionCustom)
910			customExt := extensions.addU16LengthPrefixed()
911			customExt.addBytes([]byte(m.customExtension))
912		}
913		if len(m.unencryptedALPN) > 0 {
914			extensions.addU16(extensionALPN)
915			extension := extensions.addU16LengthPrefixed()
916
917			protocolNameList := extension.addU16LengthPrefixed()
918			protocolName := protocolNameList.addU8LengthPrefixed()
919			protocolName.addBytes([]byte(m.unencryptedALPN))
920		}
921	} else {
922		m.extensions.marshal(extensions)
923		if m.omitExtensions || m.emptyExtensions {
924			// Silently erasing server extensions will break the handshake. Instead,
925			// assert that tests which use this field also disable all features which
926			// would write an extension.
927			if extensions.len() != 0 {
928				panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", extensions.data(), m))
929			}
930			hello.discardChild()
931			if m.emptyExtensions {
932				hello.addU16(0)
933			}
934		}
935	}
936
937	m.raw = handshakeMsg.finish()
938	return m.raw
939}
940
941func (m *serverHelloMsg) unmarshal(data []byte) bool {
942	if len(data) < 42 {
943		return false
944	}
945	m.raw = data
946	m.vers = uint16(data[4])<<8 | uint16(data[5])
947	vers, ok := wireToVersion(m.vers, m.isDTLS)
948	if !ok {
949		return false
950	}
951	m.random = data[6:38]
952	data = data[38:]
953	if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
954		sessionIdLen := int(data[0])
955		if sessionIdLen > 32 || len(data) < 1+sessionIdLen {
956			return false
957		}
958		m.sessionId = data[1 : 1+sessionIdLen]
959		data = data[1+sessionIdLen:]
960	}
961	if len(data) < 2 {
962		return false
963	}
964	m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
965	data = data[2:]
966	if vers < VersionTLS13 || m.vers == tls13ExperimentVersion {
967		if len(data) < 1 {
968			return false
969		}
970		m.compressionMethod = data[0]
971		data = data[1:]
972	}
973
974	if len(data) == 0 && m.vers < VersionTLS13 {
975		// Extension data is optional before TLS 1.3.
976		m.extensions = serverExtensions{}
977		return true
978	}
979	if len(data) < 2 {
980		return false
981	}
982
983	extensionsLength := int(data[0])<<8 | int(data[1])
984	data = data[2:]
985	if len(data) != extensionsLength {
986		return false
987	}
988
989	// Parse out the version from supported_versions if available.
990	if m.vers == VersionTLS12 {
991		vdata := data
992		for len(vdata) != 0 {
993			if len(vdata) < 4 {
994				return false
995			}
996			extension := uint16(vdata[0])<<8 | uint16(vdata[1])
997			length := int(vdata[2])<<8 | int(vdata[3])
998			vdata = vdata[4:]
999
1000			if len(vdata) < length {
1001				return false
1002			}
1003			d := vdata[:length]
1004			vdata = vdata[length:]
1005
1006			if extension == extensionSupportedVersions {
1007				if len(d) < 2 {
1008					return false
1009				}
1010				m.vers = uint16(d[0])<<8 | uint16(d[1])
1011				vers, ok = wireToVersion(m.vers, m.isDTLS)
1012				if !ok {
1013					return false
1014				}
1015			}
1016		}
1017	}
1018
1019	if vers >= VersionTLS13 {
1020		for len(data) != 0 {
1021			if len(data) < 4 {
1022				return false
1023			}
1024			extension := uint16(data[0])<<8 | uint16(data[1])
1025			length := int(data[2])<<8 | int(data[3])
1026			data = data[4:]
1027
1028			if len(data) < length {
1029				return false
1030			}
1031			d := data[:length]
1032			data = data[length:]
1033
1034			switch extension {
1035			case extensionKeyShare:
1036				m.hasKeyShare = true
1037				if len(d) < 4 {
1038					return false
1039				}
1040				m.keyShare.group = CurveID(uint16(d[0])<<8 | uint16(d[1]))
1041				keyExchLen := int(d[2])<<8 | int(d[3])
1042				if keyExchLen != len(d)-4 {
1043					return false
1044				}
1045				m.keyShare.keyExchange = make([]byte, keyExchLen)
1046				copy(m.keyShare.keyExchange, d[4:])
1047			case extensionPreSharedKey:
1048				if len(d) != 2 {
1049					return false
1050				}
1051				m.pskIdentity = uint16(d[0])<<8 | uint16(d[1])
1052				m.hasPSKIdentity = true
1053			case extensionSupportedVersions:
1054				if m.vers != tls13ExperimentVersion {
1055					return false
1056				}
1057			default:
1058				// Only allow the 3 extensions that are sent in
1059				// the clear in TLS 1.3.
1060				return false
1061			}
1062		}
1063	} else if !m.extensions.unmarshal(data, vers) {
1064		return false
1065	}
1066
1067	return true
1068}
1069
1070type encryptedExtensionsMsg struct {
1071	raw        []byte
1072	extensions serverExtensions
1073	empty      bool
1074}
1075
1076func (m *encryptedExtensionsMsg) marshal() []byte {
1077	if m.raw != nil {
1078		return m.raw
1079	}
1080
1081	encryptedExtensionsMsg := newByteBuilder()
1082	encryptedExtensionsMsg.addU8(typeEncryptedExtensions)
1083	encryptedExtensions := encryptedExtensionsMsg.addU24LengthPrefixed()
1084	if !m.empty {
1085		extensions := encryptedExtensions.addU16LengthPrefixed()
1086		m.extensions.marshal(extensions)
1087	}
1088
1089	m.raw = encryptedExtensionsMsg.finish()
1090	return m.raw
1091}
1092
1093func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
1094	m.raw = data
1095	if len(data) < 6 {
1096		return false
1097	}
1098	if data[0] != typeEncryptedExtensions {
1099		return false
1100	}
1101	msgLen := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1102	data = data[4:]
1103	if len(data) != msgLen {
1104		return false
1105	}
1106	extLen := int(data[0])<<8 | int(data[1])
1107	data = data[2:]
1108	if extLen != len(data) {
1109		return false
1110	}
1111	return m.extensions.unmarshal(data, VersionTLS13)
1112}
1113
1114type serverExtensions struct {
1115	nextProtoNeg            bool
1116	nextProtos              []string
1117	ocspStapling            bool
1118	ticketSupported         bool
1119	secureRenegotiation     []byte
1120	alpnProtocol            string
1121	alpnProtocolEmpty       bool
1122	duplicateExtension      bool
1123	channelIDRequested      bool
1124	extendedMasterSecret    bool
1125	srtpProtectionProfile   uint16
1126	srtpMasterKeyIdentifier string
1127	sctList                 []byte
1128	customExtension         string
1129	npnAfterAlpn            bool
1130	hasKeyShare             bool
1131	hasEarlyData            bool
1132	keyShare                keyShareEntry
1133	supportedVersion        uint16
1134	supportedPoints         []uint8
1135	serverNameAck           bool
1136}
1137
1138func (m *serverExtensions) marshal(extensions *byteBuilder) {
1139	if m.duplicateExtension {
1140		// Add a duplicate bogus extension at the beginning and end.
1141		extensions.addU16(0xffff)
1142		extensions.addU16(0) // length = 0 for empty extension
1143	}
1144	if m.nextProtoNeg && !m.npnAfterAlpn {
1145		extensions.addU16(extensionNextProtoNeg)
1146		extension := extensions.addU16LengthPrefixed()
1147
1148		for _, v := range m.nextProtos {
1149			if len(v) > 255 {
1150				v = v[:255]
1151			}
1152			npn := extension.addU8LengthPrefixed()
1153			npn.addBytes([]byte(v))
1154		}
1155	}
1156	if m.ocspStapling {
1157		extensions.addU16(extensionStatusRequest)
1158		extensions.addU16(0)
1159	}
1160	if m.ticketSupported {
1161		extensions.addU16(extensionSessionTicket)
1162		extensions.addU16(0)
1163	}
1164	if m.secureRenegotiation != nil {
1165		extensions.addU16(extensionRenegotiationInfo)
1166		extension := extensions.addU16LengthPrefixed()
1167		secureRenego := extension.addU8LengthPrefixed()
1168		secureRenego.addBytes(m.secureRenegotiation)
1169	}
1170	if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty {
1171		extensions.addU16(extensionALPN)
1172		extension := extensions.addU16LengthPrefixed()
1173
1174		protocolNameList := extension.addU16LengthPrefixed()
1175		protocolName := protocolNameList.addU8LengthPrefixed()
1176		protocolName.addBytes([]byte(m.alpnProtocol))
1177	}
1178	if m.channelIDRequested {
1179		extensions.addU16(extensionChannelID)
1180		extensions.addU16(0)
1181	}
1182	if m.duplicateExtension {
1183		// Add a duplicate bogus extension at the beginning and end.
1184		extensions.addU16(0xffff)
1185		extensions.addU16(0)
1186	}
1187	if m.extendedMasterSecret {
1188		extensions.addU16(extensionExtendedMasterSecret)
1189		extensions.addU16(0)
1190	}
1191	if m.srtpProtectionProfile != 0 {
1192		extensions.addU16(extensionUseSRTP)
1193		extension := extensions.addU16LengthPrefixed()
1194
1195		srtpProtectionProfiles := extension.addU16LengthPrefixed()
1196		srtpProtectionProfiles.addU8(byte(m.srtpProtectionProfile >> 8))
1197		srtpProtectionProfiles.addU8(byte(m.srtpProtectionProfile))
1198		srtpMki := extension.addU8LengthPrefixed()
1199		srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier))
1200	}
1201	if m.sctList != nil {
1202		extensions.addU16(extensionSignedCertificateTimestamp)
1203		extension := extensions.addU16LengthPrefixed()
1204		extension.addBytes(m.sctList)
1205	}
1206	if l := len(m.customExtension); l > 0 {
1207		extensions.addU16(extensionCustom)
1208		customExt := extensions.addU16LengthPrefixed()
1209		customExt.addBytes([]byte(m.customExtension))
1210	}
1211	if m.nextProtoNeg && m.npnAfterAlpn {
1212		extensions.addU16(extensionNextProtoNeg)
1213		extension := extensions.addU16LengthPrefixed()
1214
1215		for _, v := range m.nextProtos {
1216			if len(v) > 255 {
1217				v = v[0:255]
1218			}
1219			npn := extension.addU8LengthPrefixed()
1220			npn.addBytes([]byte(v))
1221		}
1222	}
1223	if m.hasKeyShare {
1224		extensions.addU16(extensionKeyShare)
1225		keyShare := extensions.addU16LengthPrefixed()
1226		keyShare.addU16(uint16(m.keyShare.group))
1227		keyExchange := keyShare.addU16LengthPrefixed()
1228		keyExchange.addBytes(m.keyShare.keyExchange)
1229	}
1230	if m.supportedVersion != 0 {
1231		extensions.addU16(extensionSupportedVersions)
1232		extensions.addU16(2) // Length
1233		extensions.addU16(m.supportedVersion)
1234	}
1235	if len(m.supportedPoints) > 0 {
1236		// http://tools.ietf.org/html/rfc4492#section-5.1.2
1237		extensions.addU16(extensionSupportedPoints)
1238		supportedPointsList := extensions.addU16LengthPrefixed()
1239		supportedPoints := supportedPointsList.addU8LengthPrefixed()
1240		supportedPoints.addBytes(m.supportedPoints)
1241	}
1242	if m.hasEarlyData {
1243		extensions.addU16(extensionEarlyData)
1244		extensions.addBytes([]byte{0, 0})
1245	}
1246	if m.serverNameAck {
1247		extensions.addU16(extensionServerName)
1248		extensions.addU16(0) // zero length
1249	}
1250}
1251
1252func (m *serverExtensions) unmarshal(data []byte, version uint16) bool {
1253	// Reset all fields.
1254	*m = serverExtensions{}
1255
1256	for len(data) != 0 {
1257		if len(data) < 4 {
1258			return false
1259		}
1260		extension := uint16(data[0])<<8 | uint16(data[1])
1261		length := int(data[2])<<8 | int(data[3])
1262		data = data[4:]
1263		if len(data) < length {
1264			return false
1265		}
1266
1267		switch extension {
1268		case extensionNextProtoNeg:
1269			m.nextProtoNeg = true
1270			d := data[:length]
1271			for len(d) > 0 {
1272				l := int(d[0])
1273				d = d[1:]
1274				if l == 0 || l > len(d) {
1275					return false
1276				}
1277				m.nextProtos = append(m.nextProtos, string(d[:l]))
1278				d = d[l:]
1279			}
1280		case extensionStatusRequest:
1281			if length > 0 {
1282				return false
1283			}
1284			m.ocspStapling = true
1285		case extensionSessionTicket:
1286			if length > 0 {
1287				return false
1288			}
1289			m.ticketSupported = true
1290		case extensionRenegotiationInfo:
1291			if length < 1 || length != int(data[0])+1 {
1292				return false
1293			}
1294			m.secureRenegotiation = data[1:length]
1295		case extensionALPN:
1296			d := data[:length]
1297			if len(d) < 3 {
1298				return false
1299			}
1300			l := int(d[0])<<8 | int(d[1])
1301			if l != len(d)-2 {
1302				return false
1303			}
1304			d = d[2:]
1305			l = int(d[0])
1306			if l != len(d)-1 {
1307				return false
1308			}
1309			d = d[1:]
1310			m.alpnProtocol = string(d)
1311			m.alpnProtocolEmpty = len(d) == 0
1312		case extensionChannelID:
1313			if length > 0 {
1314				return false
1315			}
1316			m.channelIDRequested = true
1317		case extensionExtendedMasterSecret:
1318			if length != 0 {
1319				return false
1320			}
1321			m.extendedMasterSecret = true
1322		case extensionUseSRTP:
1323			if length < 2+2+1 {
1324				return false
1325			}
1326			if data[0] != 0 || data[1] != 2 {
1327				return false
1328			}
1329			m.srtpProtectionProfile = uint16(data[2])<<8 | uint16(data[3])
1330			d := data[4:length]
1331			l := int(d[0])
1332			if l != len(d)-1 {
1333				return false
1334			}
1335			m.srtpMasterKeyIdentifier = string(d[1:])
1336		case extensionSignedCertificateTimestamp:
1337			m.sctList = data[:length]
1338		case extensionCustom:
1339			m.customExtension = string(data[:length])
1340		case extensionServerName:
1341			if length != 0 {
1342				return false
1343			}
1344			m.serverNameAck = true
1345		case extensionSupportedPoints:
1346			// supported_points is illegal in TLS 1.3.
1347			if version >= VersionTLS13 {
1348				return false
1349			}
1350			// http://tools.ietf.org/html/rfc4492#section-5.5.2
1351			if length < 1 {
1352				return false
1353			}
1354			l := int(data[0])
1355			if length != l+1 {
1356				return false
1357			}
1358			m.supportedPoints = data[1 : 1+l]
1359		case extensionSupportedCurves:
1360			// The server can only send supported_curves in TLS 1.3.
1361			if version < VersionTLS13 {
1362				return false
1363			}
1364		case extensionEarlyData:
1365			if version < VersionTLS13 || length != 0 {
1366				return false
1367			}
1368			m.hasEarlyData = true
1369		default:
1370			// Unknown extensions are illegal from the server.
1371			return false
1372		}
1373		data = data[length:]
1374	}
1375
1376	return true
1377}
1378
1379type helloRetryRequestMsg struct {
1380	raw                 []byte
1381	vers                uint16
1382	hasSelectedGroup    bool
1383	selectedGroup       CurveID
1384	cookie              []byte
1385	customExtension     string
1386	duplicateExtensions bool
1387}
1388
1389func (m *helloRetryRequestMsg) marshal() []byte {
1390	if m.raw != nil {
1391		return m.raw
1392	}
1393
1394	retryRequestMsg := newByteBuilder()
1395	retryRequestMsg.addU8(typeHelloRetryRequest)
1396	retryRequest := retryRequestMsg.addU24LengthPrefixed()
1397	retryRequest.addU16(m.vers)
1398	extensions := retryRequest.addU16LengthPrefixed()
1399
1400	count := 1
1401	if m.duplicateExtensions {
1402		count = 2
1403	}
1404
1405	for i := 0; i < count; i++ {
1406		if m.hasSelectedGroup {
1407			extensions.addU16(extensionKeyShare)
1408			extensions.addU16(2) // length
1409			extensions.addU16(uint16(m.selectedGroup))
1410		}
1411		if len(m.cookie) > 0 {
1412			extensions.addU16(extensionCookie)
1413			body := extensions.addU16LengthPrefixed()
1414			body.addU16LengthPrefixed().addBytes(m.cookie)
1415		}
1416		if len(m.customExtension) > 0 {
1417			extensions.addU16(extensionCustom)
1418			extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension))
1419		}
1420	}
1421
1422	m.raw = retryRequestMsg.finish()
1423	return m.raw
1424}
1425
1426func (m *helloRetryRequestMsg) unmarshal(data []byte) bool {
1427	m.raw = data
1428	if len(data) < 8 {
1429		return false
1430	}
1431	m.vers = uint16(data[4])<<8 | uint16(data[5])
1432	extLen := int(data[6])<<8 | int(data[7])
1433	data = data[8:]
1434	if len(data) != extLen || len(data) == 0 {
1435		return false
1436	}
1437	for len(data) > 0 {
1438		if len(data) < 4 {
1439			return false
1440		}
1441		extension := uint16(data[0])<<8 | uint16(data[1])
1442		length := int(data[2])<<8 | int(data[3])
1443		data = data[4:]
1444		if len(data) < length {
1445			return false
1446		}
1447
1448		switch extension {
1449		case extensionKeyShare:
1450			if length != 2 {
1451				return false
1452			}
1453			m.hasSelectedGroup = true
1454			m.selectedGroup = CurveID(data[0])<<8 | CurveID(data[1])
1455		case extensionCookie:
1456			if length < 2 {
1457				return false
1458			}
1459			cookieLen := int(data[0])<<8 | int(data[1])
1460			if 2+cookieLen != length {
1461				return false
1462			}
1463			m.cookie = data[2 : 2+cookieLen]
1464		default:
1465			// Unknown extensions are illegal from the server.
1466			return false
1467		}
1468		data = data[length:]
1469	}
1470	return true
1471}
1472
1473type certificateEntry struct {
1474	data                []byte
1475	ocspResponse        []byte
1476	sctList             []byte
1477	duplicateExtensions bool
1478	extraExtension      []byte
1479}
1480
1481type certificateMsg struct {
1482	raw               []byte
1483	hasRequestContext bool
1484	requestContext    []byte
1485	certificates      []certificateEntry
1486}
1487
1488func (m *certificateMsg) marshal() (x []byte) {
1489	if m.raw != nil {
1490		return m.raw
1491	}
1492
1493	certMsg := newByteBuilder()
1494	certMsg.addU8(typeCertificate)
1495	certificate := certMsg.addU24LengthPrefixed()
1496	if m.hasRequestContext {
1497		context := certificate.addU8LengthPrefixed()
1498		context.addBytes(m.requestContext)
1499	}
1500	certificateList := certificate.addU24LengthPrefixed()
1501	for _, cert := range m.certificates {
1502		certEntry := certificateList.addU24LengthPrefixed()
1503		certEntry.addBytes(cert.data)
1504		if m.hasRequestContext {
1505			extensions := certificateList.addU16LengthPrefixed()
1506			count := 1
1507			if cert.duplicateExtensions {
1508				count = 2
1509			}
1510
1511			for i := 0; i < count; i++ {
1512				if cert.ocspResponse != nil {
1513					extensions.addU16(extensionStatusRequest)
1514					body := extensions.addU16LengthPrefixed()
1515					body.addU8(statusTypeOCSP)
1516					response := body.addU24LengthPrefixed()
1517					response.addBytes(cert.ocspResponse)
1518				}
1519
1520				if cert.sctList != nil {
1521					extensions.addU16(extensionSignedCertificateTimestamp)
1522					extension := extensions.addU16LengthPrefixed()
1523					extension.addBytes(cert.sctList)
1524				}
1525			}
1526			if cert.extraExtension != nil {
1527				extensions.addBytes(cert.extraExtension)
1528			}
1529		}
1530	}
1531
1532	m.raw = certMsg.finish()
1533	return m.raw
1534}
1535
1536func (m *certificateMsg) unmarshal(data []byte) bool {
1537	if len(data) < 4 {
1538		return false
1539	}
1540
1541	m.raw = data
1542	data = data[4:]
1543
1544	if m.hasRequestContext {
1545		if len(data) == 0 {
1546			return false
1547		}
1548		contextLen := int(data[0])
1549		if len(data) < 1+contextLen {
1550			return false
1551		}
1552		m.requestContext = make([]byte, contextLen)
1553		copy(m.requestContext, data[1:])
1554		data = data[1+contextLen:]
1555	}
1556
1557	if len(data) < 3 {
1558		return false
1559	}
1560	certsLen := int(data[0])<<16 | int(data[1])<<8 | int(data[2])
1561	data = data[3:]
1562	if len(data) != certsLen {
1563		return false
1564	}
1565
1566	m.certificates = nil
1567	for len(data) != 0 {
1568		if len(data) < 3 {
1569			return false
1570		}
1571		certLen := int(data[0])<<16 | int(data[1])<<8 | int(data[2])
1572		if len(data) < 3+certLen {
1573			return false
1574		}
1575		cert := certificateEntry{
1576			data: data[3 : 3+certLen],
1577		}
1578		data = data[3+certLen:]
1579		if m.hasRequestContext {
1580			if len(data) < 2 {
1581				return false
1582			}
1583			extensionsLen := int(data[0])<<8 | int(data[1])
1584			if len(data) < 2+extensionsLen {
1585				return false
1586			}
1587			extensions := data[2 : 2+extensionsLen]
1588			data = data[2+extensionsLen:]
1589			for len(extensions) != 0 {
1590				if len(extensions) < 4 {
1591					return false
1592				}
1593				extension := uint16(extensions[0])<<8 | uint16(extensions[1])
1594				length := int(extensions[2])<<8 | int(extensions[3])
1595				if len(extensions) < 4+length {
1596					return false
1597				}
1598				contents := extensions[4 : 4+length]
1599				extensions = extensions[4+length:]
1600
1601				switch extension {
1602				case extensionStatusRequest:
1603					if length < 4 {
1604						return false
1605					}
1606					if contents[0] != statusTypeOCSP {
1607						return false
1608					}
1609					respLen := int(contents[1])<<16 | int(contents[2])<<8 | int(contents[3])
1610					if respLen+4 != len(contents) || respLen == 0 {
1611						return false
1612					}
1613					cert.ocspResponse = contents[4:]
1614				case extensionSignedCertificateTimestamp:
1615					cert.sctList = contents
1616				default:
1617					return false
1618				}
1619			}
1620		}
1621		m.certificates = append(m.certificates, cert)
1622	}
1623
1624	return true
1625}
1626
1627type serverKeyExchangeMsg struct {
1628	raw []byte
1629	key []byte
1630}
1631
1632func (m *serverKeyExchangeMsg) marshal() []byte {
1633	if m.raw != nil {
1634		return m.raw
1635	}
1636	length := len(m.key)
1637	x := make([]byte, length+4)
1638	x[0] = typeServerKeyExchange
1639	x[1] = uint8(length >> 16)
1640	x[2] = uint8(length >> 8)
1641	x[3] = uint8(length)
1642	copy(x[4:], m.key)
1643
1644	m.raw = x
1645	return x
1646}
1647
1648func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
1649	m.raw = data
1650	if len(data) < 4 {
1651		return false
1652	}
1653	m.key = data[4:]
1654	return true
1655}
1656
1657type certificateStatusMsg struct {
1658	raw        []byte
1659	statusType uint8
1660	response   []byte
1661}
1662
1663func (m *certificateStatusMsg) marshal() []byte {
1664	if m.raw != nil {
1665		return m.raw
1666	}
1667
1668	var x []byte
1669	if m.statusType == statusTypeOCSP {
1670		x = make([]byte, 4+4+len(m.response))
1671		x[0] = typeCertificateStatus
1672		l := len(m.response) + 4
1673		x[1] = byte(l >> 16)
1674		x[2] = byte(l >> 8)
1675		x[3] = byte(l)
1676		x[4] = statusTypeOCSP
1677
1678		l -= 4
1679		x[5] = byte(l >> 16)
1680		x[6] = byte(l >> 8)
1681		x[7] = byte(l)
1682		copy(x[8:], m.response)
1683	} else {
1684		x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
1685	}
1686
1687	m.raw = x
1688	return x
1689}
1690
1691func (m *certificateStatusMsg) unmarshal(data []byte) bool {
1692	m.raw = data
1693	if len(data) < 5 {
1694		return false
1695	}
1696	m.statusType = data[4]
1697
1698	m.response = nil
1699	if m.statusType == statusTypeOCSP {
1700		if len(data) < 8 {
1701			return false
1702		}
1703		respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
1704		if uint32(len(data)) != 4+4+respLen {
1705			return false
1706		}
1707		m.response = data[8:]
1708	}
1709	return true
1710}
1711
1712type serverHelloDoneMsg struct{}
1713
1714func (m *serverHelloDoneMsg) marshal() []byte {
1715	x := make([]byte, 4)
1716	x[0] = typeServerHelloDone
1717	return x
1718}
1719
1720func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
1721	return len(data) == 4
1722}
1723
1724type clientKeyExchangeMsg struct {
1725	raw        []byte
1726	ciphertext []byte
1727}
1728
1729func (m *clientKeyExchangeMsg) marshal() []byte {
1730	if m.raw != nil {
1731		return m.raw
1732	}
1733	length := len(m.ciphertext)
1734	x := make([]byte, length+4)
1735	x[0] = typeClientKeyExchange
1736	x[1] = uint8(length >> 16)
1737	x[2] = uint8(length >> 8)
1738	x[3] = uint8(length)
1739	copy(x[4:], m.ciphertext)
1740
1741	m.raw = x
1742	return x
1743}
1744
1745func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
1746	m.raw = data
1747	if len(data) < 4 {
1748		return false
1749	}
1750	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1751	if l != len(data)-4 {
1752		return false
1753	}
1754	m.ciphertext = data[4:]
1755	return true
1756}
1757
1758type finishedMsg struct {
1759	raw        []byte
1760	verifyData []byte
1761}
1762
1763func (m *finishedMsg) marshal() (x []byte) {
1764	if m.raw != nil {
1765		return m.raw
1766	}
1767
1768	x = make([]byte, 4+len(m.verifyData))
1769	x[0] = typeFinished
1770	x[3] = byte(len(m.verifyData))
1771	copy(x[4:], m.verifyData)
1772	m.raw = x
1773	return
1774}
1775
1776func (m *finishedMsg) unmarshal(data []byte) bool {
1777	m.raw = data
1778	if len(data) < 4 {
1779		return false
1780	}
1781	m.verifyData = data[4:]
1782	return true
1783}
1784
1785type nextProtoMsg struct {
1786	raw   []byte
1787	proto string
1788}
1789
1790func (m *nextProtoMsg) marshal() []byte {
1791	if m.raw != nil {
1792		return m.raw
1793	}
1794	l := len(m.proto)
1795	if l > 255 {
1796		l = 255
1797	}
1798
1799	padding := 32 - (l+2)%32
1800	length := l + padding + 2
1801	x := make([]byte, length+4)
1802	x[0] = typeNextProtocol
1803	x[1] = uint8(length >> 16)
1804	x[2] = uint8(length >> 8)
1805	x[3] = uint8(length)
1806
1807	y := x[4:]
1808	y[0] = byte(l)
1809	copy(y[1:], []byte(m.proto[0:l]))
1810	y = y[1+l:]
1811	y[0] = byte(padding)
1812
1813	m.raw = x
1814
1815	return x
1816}
1817
1818func (m *nextProtoMsg) unmarshal(data []byte) bool {
1819	m.raw = data
1820
1821	if len(data) < 5 {
1822		return false
1823	}
1824	data = data[4:]
1825	protoLen := int(data[0])
1826	data = data[1:]
1827	if len(data) < protoLen {
1828		return false
1829	}
1830	m.proto = string(data[0:protoLen])
1831	data = data[protoLen:]
1832
1833	if len(data) < 1 {
1834		return false
1835	}
1836	paddingLen := int(data[0])
1837	data = data[1:]
1838	if len(data) != paddingLen {
1839		return false
1840	}
1841
1842	return true
1843}
1844
1845type certificateRequestMsg struct {
1846	raw []byte
1847	// hasSignatureAlgorithm indicates whether this message includes a list
1848	// of signature and hash functions. This change was introduced with TLS
1849	// 1.2.
1850	hasSignatureAlgorithm bool
1851	// hasRequestContext indicates whether this message includes a context
1852	// field instead of certificateTypes. This change was introduced with
1853	// TLS 1.3.
1854	hasRequestContext bool
1855
1856	certificateTypes       []byte
1857	requestContext         []byte
1858	signatureAlgorithms    []signatureAlgorithm
1859	certificateAuthorities [][]byte
1860}
1861
1862func (m *certificateRequestMsg) marshal() []byte {
1863	if m.raw != nil {
1864		return m.raw
1865	}
1866
1867	// See http://tools.ietf.org/html/rfc4346#section-7.4.4
1868	builder := newByteBuilder()
1869	builder.addU8(typeCertificateRequest)
1870	body := builder.addU24LengthPrefixed()
1871
1872	if m.hasRequestContext {
1873		requestContext := body.addU8LengthPrefixed()
1874		requestContext.addBytes(m.requestContext)
1875	} else {
1876		certificateTypes := body.addU8LengthPrefixed()
1877		certificateTypes.addBytes(m.certificateTypes)
1878	}
1879
1880	if m.hasSignatureAlgorithm {
1881		signatureAlgorithms := body.addU16LengthPrefixed()
1882		for _, sigAlg := range m.signatureAlgorithms {
1883			signatureAlgorithms.addU16(uint16(sigAlg))
1884		}
1885	}
1886
1887	certificateAuthorities := body.addU16LengthPrefixed()
1888	for _, ca := range m.certificateAuthorities {
1889		caEntry := certificateAuthorities.addU16LengthPrefixed()
1890		caEntry.addBytes(ca)
1891	}
1892
1893	if m.hasRequestContext {
1894		// Emit no certificate extensions.
1895		body.addU16(0)
1896	}
1897
1898	m.raw = builder.finish()
1899	return m.raw
1900}
1901
1902func (m *certificateRequestMsg) unmarshal(data []byte) bool {
1903	m.raw = data
1904
1905	if len(data) < 5 {
1906		return false
1907	}
1908	data = data[4:]
1909
1910	if m.hasRequestContext {
1911		contextLen := int(data[0])
1912		if len(data) < 1+contextLen {
1913			return false
1914		}
1915		m.requestContext = make([]byte, contextLen)
1916		copy(m.requestContext, data[1:])
1917		data = data[1+contextLen:]
1918	} else {
1919		numCertTypes := int(data[0])
1920		if len(data) < 1+numCertTypes {
1921			return false
1922		}
1923		m.certificateTypes = make([]byte, numCertTypes)
1924		copy(m.certificateTypes, data[1:])
1925		data = data[1+numCertTypes:]
1926	}
1927
1928	if m.hasSignatureAlgorithm {
1929		if len(data) < 2 {
1930			return false
1931		}
1932		sigAlgsLen := uint16(data[0])<<8 | uint16(data[1])
1933		data = data[2:]
1934		if sigAlgsLen&1 != 0 {
1935			return false
1936		}
1937		if len(data) < int(sigAlgsLen) {
1938			return false
1939		}
1940		numSigAlgs := sigAlgsLen / 2
1941		m.signatureAlgorithms = make([]signatureAlgorithm, numSigAlgs)
1942		for i := range m.signatureAlgorithms {
1943			m.signatureAlgorithms[i] = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1])
1944			data = data[2:]
1945		}
1946	}
1947
1948	if len(data) < 2 {
1949		return false
1950	}
1951	casLength := uint16(data[0])<<8 | uint16(data[1])
1952	data = data[2:]
1953	if len(data) < int(casLength) {
1954		return false
1955	}
1956	cas := make([]byte, casLength)
1957	copy(cas, data)
1958	data = data[casLength:]
1959
1960	m.certificateAuthorities = nil
1961	for len(cas) > 0 {
1962		if len(cas) < 2 {
1963			return false
1964		}
1965		caLen := uint16(cas[0])<<8 | uint16(cas[1])
1966		cas = cas[2:]
1967
1968		if len(cas) < int(caLen) {
1969			return false
1970		}
1971
1972		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
1973		cas = cas[caLen:]
1974	}
1975
1976	if m.hasRequestContext {
1977		// Ignore certificate extensions.
1978		if len(data) < 2 {
1979			return false
1980		}
1981		extsLength := int(data[0])<<8 | int(data[1])
1982		if len(data) < 2+extsLength {
1983			return false
1984		}
1985		data = data[2+extsLength:]
1986	}
1987
1988	if len(data) > 0 {
1989		return false
1990	}
1991
1992	return true
1993}
1994
1995type certificateVerifyMsg struct {
1996	raw                   []byte
1997	hasSignatureAlgorithm bool
1998	signatureAlgorithm    signatureAlgorithm
1999	signature             []byte
2000}
2001
2002func (m *certificateVerifyMsg) marshal() (x []byte) {
2003	if m.raw != nil {
2004		return m.raw
2005	}
2006
2007	// See http://tools.ietf.org/html/rfc4346#section-7.4.8
2008	siglength := len(m.signature)
2009	length := 2 + siglength
2010	if m.hasSignatureAlgorithm {
2011		length += 2
2012	}
2013	x = make([]byte, 4+length)
2014	x[0] = typeCertificateVerify
2015	x[1] = uint8(length >> 16)
2016	x[2] = uint8(length >> 8)
2017	x[3] = uint8(length)
2018	y := x[4:]
2019	if m.hasSignatureAlgorithm {
2020		y[0] = byte(m.signatureAlgorithm >> 8)
2021		y[1] = byte(m.signatureAlgorithm)
2022		y = y[2:]
2023	}
2024	y[0] = uint8(siglength >> 8)
2025	y[1] = uint8(siglength)
2026	copy(y[2:], m.signature)
2027
2028	m.raw = x
2029
2030	return
2031}
2032
2033func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
2034	m.raw = data
2035
2036	if len(data) < 6 {
2037		return false
2038	}
2039
2040	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
2041	if uint32(len(data))-4 != length {
2042		return false
2043	}
2044
2045	data = data[4:]
2046	if m.hasSignatureAlgorithm {
2047		m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1])
2048		data = data[2:]
2049	}
2050
2051	if len(data) < 2 {
2052		return false
2053	}
2054	siglength := int(data[0])<<8 + int(data[1])
2055	data = data[2:]
2056	if len(data) != siglength {
2057		return false
2058	}
2059
2060	m.signature = data
2061
2062	return true
2063}
2064
2065type newSessionTicketMsg struct {
2066	raw                    []byte
2067	version                uint16
2068	ticketLifetime         uint32
2069	ticketAgeAdd           uint32
2070	ticket                 []byte
2071	maxEarlyDataSize       uint32
2072	customExtension        string
2073	duplicateEarlyDataInfo bool
2074	hasGREASEExtension     bool
2075}
2076
2077func (m *newSessionTicketMsg) marshal() []byte {
2078	if m.raw != nil {
2079		return m.raw
2080	}
2081
2082	// See http://tools.ietf.org/html/rfc5077#section-3.3
2083	ticketMsg := newByteBuilder()
2084	ticketMsg.addU8(typeNewSessionTicket)
2085	body := ticketMsg.addU24LengthPrefixed()
2086	body.addU32(m.ticketLifetime)
2087	if m.version >= VersionTLS13 {
2088		body.addU32(m.ticketAgeAdd)
2089	}
2090
2091	ticket := body.addU16LengthPrefixed()
2092	ticket.addBytes(m.ticket)
2093
2094	if m.version >= VersionTLS13 {
2095		extensions := body.addU16LengthPrefixed()
2096		if m.maxEarlyDataSize > 0 {
2097			extensions.addU16(extensionTicketEarlyDataInfo)
2098			extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize)
2099			if m.duplicateEarlyDataInfo {
2100				extensions.addU16(extensionTicketEarlyDataInfo)
2101				extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize)
2102			}
2103		}
2104		if len(m.customExtension) > 0 {
2105			extensions.addU16(extensionCustom)
2106			extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension))
2107		}
2108	}
2109
2110	m.raw = ticketMsg.finish()
2111	return m.raw
2112}
2113
2114func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
2115	m.raw = data
2116
2117	if len(data) < 8 {
2118		return false
2119	}
2120	m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
2121	data = data[8:]
2122
2123	if m.version >= VersionTLS13 {
2124		if len(data) < 4 {
2125			return false
2126		}
2127		m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
2128		data = data[4:]
2129	}
2130
2131	if len(data) < 2 {
2132		return false
2133	}
2134	ticketLen := int(data[0])<<8 + int(data[1])
2135	data = data[2:]
2136	if len(data) < ticketLen {
2137		return false
2138	}
2139
2140	if m.version >= VersionTLS13 && ticketLen == 0 {
2141		return false
2142	}
2143
2144	m.ticket = data[:ticketLen]
2145	data = data[ticketLen:]
2146
2147	if m.version >= VersionTLS13 {
2148		if len(data) < 2 {
2149			return false
2150		}
2151
2152		extensionsLength := int(data[0])<<8 | int(data[1])
2153		data = data[2:]
2154		if extensionsLength != len(data) {
2155			return false
2156		}
2157
2158		for len(data) != 0 {
2159			if len(data) < 4 {
2160				return false
2161			}
2162			extension := uint16(data[0])<<8 | uint16(data[1])
2163			length := int(data[2])<<8 | int(data[3])
2164			data = data[4:]
2165			if len(data) < length {
2166				return false
2167			}
2168
2169			switch extension {
2170			case extensionTicketEarlyDataInfo:
2171				if length != 4 {
2172					return false
2173				}
2174				m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
2175			default:
2176				if isGREASEValue(extension) {
2177					m.hasGREASEExtension = true
2178				}
2179			}
2180
2181			data = data[length:]
2182		}
2183	}
2184
2185	if len(data) > 0 {
2186		return false
2187	}
2188
2189	return true
2190}
2191
2192type v2ClientHelloMsg struct {
2193	raw          []byte
2194	vers         uint16
2195	cipherSuites []uint16
2196	sessionId    []byte
2197	challenge    []byte
2198}
2199
2200func (m *v2ClientHelloMsg) marshal() []byte {
2201	if m.raw != nil {
2202		return m.raw
2203	}
2204
2205	length := 1 + 2 + 2 + 2 + 2 + len(m.cipherSuites)*3 + len(m.sessionId) + len(m.challenge)
2206
2207	x := make([]byte, length)
2208	x[0] = 1
2209	x[1] = uint8(m.vers >> 8)
2210	x[2] = uint8(m.vers)
2211	x[3] = uint8((len(m.cipherSuites) * 3) >> 8)
2212	x[4] = uint8(len(m.cipherSuites) * 3)
2213	x[5] = uint8(len(m.sessionId) >> 8)
2214	x[6] = uint8(len(m.sessionId))
2215	x[7] = uint8(len(m.challenge) >> 8)
2216	x[8] = uint8(len(m.challenge))
2217	y := x[9:]
2218	for i, spec := range m.cipherSuites {
2219		y[i*3] = 0
2220		y[i*3+1] = uint8(spec >> 8)
2221		y[i*3+2] = uint8(spec)
2222	}
2223	y = y[len(m.cipherSuites)*3:]
2224	copy(y, m.sessionId)
2225	y = y[len(m.sessionId):]
2226	copy(y, m.challenge)
2227
2228	m.raw = x
2229
2230	return x
2231}
2232
2233type helloVerifyRequestMsg struct {
2234	raw    []byte
2235	vers   uint16
2236	cookie []byte
2237}
2238
2239func (m *helloVerifyRequestMsg) marshal() []byte {
2240	if m.raw != nil {
2241		return m.raw
2242	}
2243
2244	length := 2 + 1 + len(m.cookie)
2245
2246	x := make([]byte, 4+length)
2247	x[0] = typeHelloVerifyRequest
2248	x[1] = uint8(length >> 16)
2249	x[2] = uint8(length >> 8)
2250	x[3] = uint8(length)
2251	vers := m.vers
2252	x[4] = uint8(vers >> 8)
2253	x[5] = uint8(vers)
2254	x[6] = uint8(len(m.cookie))
2255	copy(x[7:7+len(m.cookie)], m.cookie)
2256
2257	return x
2258}
2259
2260func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool {
2261	if len(data) < 4+2+1 {
2262		return false
2263	}
2264	m.raw = data
2265	m.vers = uint16(data[4])<<8 | uint16(data[5])
2266	cookieLen := int(data[6])
2267	if cookieLen > 32 || len(data) != 7+cookieLen {
2268		return false
2269	}
2270	m.cookie = data[7 : 7+cookieLen]
2271
2272	return true
2273}
2274
2275type channelIDMsg struct {
2276	raw       []byte
2277	channelID []byte
2278}
2279
2280func (m *channelIDMsg) marshal() []byte {
2281	if m.raw != nil {
2282		return m.raw
2283	}
2284
2285	length := 2 + 2 + len(m.channelID)
2286
2287	x := make([]byte, 4+length)
2288	x[0] = typeChannelID
2289	x[1] = uint8(length >> 16)
2290	x[2] = uint8(length >> 8)
2291	x[3] = uint8(length)
2292	x[4] = uint8(extensionChannelID >> 8)
2293	x[5] = uint8(extensionChannelID & 0xff)
2294	x[6] = uint8(len(m.channelID) >> 8)
2295	x[7] = uint8(len(m.channelID) & 0xff)
2296	copy(x[8:], m.channelID)
2297
2298	return x
2299}
2300
2301func (m *channelIDMsg) unmarshal(data []byte) bool {
2302	if len(data) != 4+2+2+128 {
2303		return false
2304	}
2305	m.raw = data
2306	if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID {
2307		return false
2308	}
2309	if int(data[6])<<8|int(data[7]) != 128 {
2310		return false
2311	}
2312	m.channelID = data[4+2+2:]
2313
2314	return true
2315}
2316
2317type helloRequestMsg struct {
2318}
2319
2320func (*helloRequestMsg) marshal() []byte {
2321	return []byte{typeHelloRequest, 0, 0, 0}
2322}
2323
2324func (*helloRequestMsg) unmarshal(data []byte) bool {
2325	return len(data) == 4
2326}
2327
2328type keyUpdateMsg struct {
2329	raw              []byte
2330	keyUpdateRequest byte
2331}
2332
2333func (m *keyUpdateMsg) marshal() []byte {
2334	if m.raw != nil {
2335		return m.raw
2336	}
2337
2338	return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest}
2339}
2340
2341func (m *keyUpdateMsg) unmarshal(data []byte) bool {
2342	m.raw = data
2343
2344	if len(data) != 5 {
2345		return false
2346	}
2347
2348	length := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
2349	if len(data)-4 != length {
2350		return false
2351	}
2352
2353	m.keyUpdateRequest = data[4]
2354	return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested
2355}
2356
2357// ssl3NoCertificateMsg is a dummy message to handle SSL 3.0 using a warning
2358// alert in the handshake.
2359type ssl3NoCertificateMsg struct{}
2360
2361func eqUint16s(x, y []uint16) bool {
2362	if len(x) != len(y) {
2363		return false
2364	}
2365	for i, v := range x {
2366		if y[i] != v {
2367			return false
2368		}
2369	}
2370	return true
2371}
2372
2373func eqCurveIDs(x, y []CurveID) bool {
2374	if len(x) != len(y) {
2375		return false
2376	}
2377	for i, v := range x {
2378		if y[i] != v {
2379			return false
2380		}
2381	}
2382	return true
2383}
2384
2385func eqStrings(x, y []string) bool {
2386	if len(x) != len(y) {
2387		return false
2388	}
2389	for i, v := range x {
2390		if y[i] != v {
2391			return false
2392		}
2393	}
2394	return true
2395}
2396
2397func eqByteSlices(x, y [][]byte) bool {
2398	if len(x) != len(y) {
2399		return false
2400	}
2401	for i, v := range x {
2402		if !bytes.Equal(v, y[i]) {
2403			return false
2404		}
2405	}
2406	return true
2407}
2408
2409func eqSignatureAlgorithms(x, y []signatureAlgorithm) bool {
2410	if len(x) != len(y) {
2411		return false
2412	}
2413	for i, v := range x {
2414		v2 := y[i]
2415		if v != v2 {
2416			return false
2417		}
2418	}
2419	return true
2420}
2421
2422func eqKeyShareEntryLists(x, y []keyShareEntry) bool {
2423	if len(x) != len(y) {
2424		return false
2425	}
2426	for i, v := range x {
2427		if y[i].group != v.group || !bytes.Equal(y[i].keyExchange, v.keyExchange) {
2428			return false
2429		}
2430	}
2431	return true
2432
2433}
2434
2435func eqPSKIdentityLists(x, y []pskIdentity) bool {
2436	if len(x) != len(y) {
2437		return false
2438	}
2439	for i, v := range x {
2440		if !bytes.Equal(y[i].ticket, v.ticket) || y[i].obfuscatedTicketAge != v.obfuscatedTicketAge {
2441			return false
2442		}
2443	}
2444	return true
2445
2446}
2447