• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1// Copyright 2009 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package runner
6
7import (
8	"bytes"
9	"encoding/binary"
10	"fmt"
11)
12
13func writeLen(buf []byte, v, size int) {
14	for i := 0; i < size; i++ {
15		buf[size-i-1] = byte(v)
16		v >>= 8
17	}
18	if v != 0 {
19		panic("length is too long")
20	}
21}
22
23type byteBuilder struct {
24	buf       *[]byte
25	start     int
26	prefixLen int
27	child     *byteBuilder
28}
29
30func newByteBuilder() *byteBuilder {
31	buf := make([]byte, 0, 32)
32	return &byteBuilder{buf: &buf}
33}
34
35func (bb *byteBuilder) len() int {
36	return len(*bb.buf) - bb.start - bb.prefixLen
37}
38
39func (bb *byteBuilder) data() []byte {
40	bb.flush()
41	return (*bb.buf)[bb.start+bb.prefixLen:]
42}
43
44func (bb *byteBuilder) flush() {
45	if bb.child == nil {
46		return
47	}
48	bb.child.flush()
49	writeLen((*bb.buf)[bb.child.start:], bb.child.len(), bb.child.prefixLen)
50	bb.child = nil
51	return
52}
53
54func (bb *byteBuilder) finish() []byte {
55	bb.flush()
56	return *bb.buf
57}
58
59func (bb *byteBuilder) addU8(u uint8) {
60	bb.flush()
61	*bb.buf = append(*bb.buf, u)
62}
63
64func (bb *byteBuilder) addU16(u uint16) {
65	bb.flush()
66	*bb.buf = append(*bb.buf, byte(u>>8), byte(u))
67}
68
69func (bb *byteBuilder) addU24(u int) {
70	bb.flush()
71	*bb.buf = append(*bb.buf, byte(u>>16), byte(u>>8), byte(u))
72}
73
74func (bb *byteBuilder) addU32(u uint32) {
75	bb.flush()
76	*bb.buf = append(*bb.buf, byte(u>>24), byte(u>>16), byte(u>>8), byte(u))
77}
78
79func (bb *byteBuilder) addU64(u uint64) {
80	bb.flush()
81	var b [8]byte
82	binary.BigEndian.PutUint64(b[:], u)
83	*bb.buf = append(*bb.buf, b[:]...)
84}
85
86func (bb *byteBuilder) addU8LengthPrefixed() *byteBuilder {
87	return bb.createChild(1)
88}
89
90func (bb *byteBuilder) addU16LengthPrefixed() *byteBuilder {
91	return bb.createChild(2)
92}
93
94func (bb *byteBuilder) addU24LengthPrefixed() *byteBuilder {
95	return bb.createChild(3)
96}
97
98func (bb *byteBuilder) addU32LengthPrefixed() *byteBuilder {
99	return bb.createChild(4)
100}
101
102func (bb *byteBuilder) addBytes(b []byte) {
103	bb.flush()
104	*bb.buf = append(*bb.buf, b...)
105}
106
107func (bb *byteBuilder) createChild(lengthPrefixSize int) *byteBuilder {
108	bb.flush()
109	bb.child = &byteBuilder{
110		buf:       bb.buf,
111		start:     len(*bb.buf),
112		prefixLen: lengthPrefixSize,
113	}
114	for i := 0; i < lengthPrefixSize; i++ {
115		*bb.buf = append(*bb.buf, 0)
116	}
117	return bb.child
118}
119
120func (bb *byteBuilder) discardChild() {
121	if bb.child == nil {
122		return
123	}
124	*bb.buf = (*bb.buf)[:bb.child.start]
125	bb.child = nil
126}
127
128type byteReader []byte
129
130func (br *byteReader) readInternal(out *byteReader, n int) bool {
131	if len(*br) < n {
132		return false
133	}
134	*out = (*br)[:n]
135	*br = (*br)[n:]
136	return true
137}
138
139func (br *byteReader) readBytes(out *[]byte, n int) bool {
140	var child byteReader
141	if !br.readInternal(&child, n) {
142		return false
143	}
144	*out = []byte(child)
145	return true
146}
147
148func (br *byteReader) readUint(out *uint64, n int) bool {
149	var b []byte
150	if !br.readBytes(&b, n) {
151		return false
152	}
153	*out = 0
154	for _, v := range b {
155		*out <<= 8
156		*out |= uint64(v)
157	}
158	return true
159}
160
161func (br *byteReader) readU8(out *uint8) bool {
162	var b []byte
163	if !br.readBytes(&b, 1) {
164		return false
165	}
166	*out = b[0]
167	return true
168}
169
170func (br *byteReader) readU16(out *uint16) bool {
171	var v uint64
172	if !br.readUint(&v, 2) {
173		return false
174	}
175	*out = uint16(v)
176	return true
177}
178
179func (br *byteReader) readU24(out *uint32) bool {
180	var v uint64
181	if !br.readUint(&v, 3) {
182		return false
183	}
184	*out = uint32(v)
185	return true
186}
187
188func (br *byteReader) readU32(out *uint32) bool {
189	var v uint64
190	if !br.readUint(&v, 4) {
191		return false
192	}
193	*out = uint32(v)
194	return true
195}
196
197func (br *byteReader) readU64(out *uint64) bool {
198	return br.readUint(out, 8)
199}
200
201func (br *byteReader) readLengthPrefixed(out *byteReader, n int) bool {
202	var length uint64
203	return br.readUint(&length, n) &&
204		uint64(len(*br)) >= length &&
205		br.readInternal(out, int(length))
206}
207
208func (br *byteReader) readLengthPrefixedBytes(out *[]byte, n int) bool {
209	var length uint64
210	return br.readUint(&length, n) &&
211		uint64(len(*br)) >= length &&
212		br.readBytes(out, int(length))
213}
214
215func (br *byteReader) readU8LengthPrefixed(out *byteReader) bool {
216	return br.readLengthPrefixed(out, 1)
217}
218func (br *byteReader) readU8LengthPrefixedBytes(out *[]byte) bool {
219	return br.readLengthPrefixedBytes(out, 1)
220}
221
222func (br *byteReader) readU16LengthPrefixed(out *byteReader) bool {
223	return br.readLengthPrefixed(out, 2)
224}
225func (br *byteReader) readU16LengthPrefixedBytes(out *[]byte) bool {
226	return br.readLengthPrefixedBytes(out, 2)
227}
228
229func (br *byteReader) readU24LengthPrefixed(out *byteReader) bool {
230	return br.readLengthPrefixed(out, 3)
231}
232func (br *byteReader) readU24LengthPrefixedBytes(out *[]byte) bool {
233	return br.readLengthPrefixedBytes(out, 3)
234}
235
236func (br *byteReader) readU32LengthPrefixed(out *byteReader) bool {
237	return br.readLengthPrefixed(out, 4)
238}
239func (br *byteReader) readU32LengthPrefixedBytes(out *[]byte) bool {
240	return br.readLengthPrefixedBytes(out, 4)
241}
242
243type keyShareEntry struct {
244	group       CurveID
245	keyExchange []byte
246}
247
248type pskIdentity struct {
249	ticket              []uint8
250	obfuscatedTicketAge uint32
251}
252
253type clientHelloMsg struct {
254	raw                     []byte
255	isDTLS                  bool
256	vers                    uint16
257	random                  []byte
258	sessionId               []byte
259	cookie                  []byte
260	cipherSuites            []uint16
261	compressionMethods      []uint8
262	nextProtoNeg            bool
263	serverName              string
264	ocspStapling            bool
265	supportedCurves         []CurveID
266	supportedPoints         []uint8
267	hasKeyShares            bool
268	keyShares               []keyShareEntry
269	trailingKeyShareData    bool
270	pskIdentities           []pskIdentity
271	pskKEModes              []byte
272	pskBinders              [][]uint8
273	hasEarlyData            bool
274	tls13Cookie             []byte
275	ticketSupported         bool
276	sessionTicket           []uint8
277	signatureAlgorithms     []signatureAlgorithm
278	supportedVersions       []uint16
279	secureRenegotiation     []byte
280	alpnProtocols           []string
281	quicTransportParams     []byte
282	duplicateExtension      bool
283	channelIDSupported      bool
284	tokenBindingParams      []byte
285	tokenBindingVersion     uint16
286	npnAfterAlpn            bool
287	extendedMasterSecret    bool
288	srtpProtectionProfiles  []uint16
289	srtpMasterKeyIdentifier string
290	sctListSupported        bool
291	customExtension         string
292	hasGREASEExtension      bool
293	pskBinderFirst          bool
294	omitExtensions          bool
295	emptyExtensions         bool
296	pad                     int
297	dummyPQPaddingLen       int
298}
299
300func (m *clientHelloMsg) equal(i interface{}) bool {
301	m1, ok := i.(*clientHelloMsg)
302	if !ok {
303		return false
304	}
305
306	return bytes.Equal(m.raw, m1.raw) &&
307		m.isDTLS == m1.isDTLS &&
308		m.vers == m1.vers &&
309		bytes.Equal(m.random, m1.random) &&
310		bytes.Equal(m.sessionId, m1.sessionId) &&
311		bytes.Equal(m.cookie, m1.cookie) &&
312		eqUint16s(m.cipherSuites, m1.cipherSuites) &&
313		bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
314		m.nextProtoNeg == m1.nextProtoNeg &&
315		m.serverName == m1.serverName &&
316		m.ocspStapling == m1.ocspStapling &&
317		eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
318		bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
319		m.hasKeyShares == m1.hasKeyShares &&
320		eqKeyShareEntryLists(m.keyShares, m1.keyShares) &&
321		m.trailingKeyShareData == m1.trailingKeyShareData &&
322		eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) &&
323		bytes.Equal(m.pskKEModes, m1.pskKEModes) &&
324		eqByteSlices(m.pskBinders, m1.pskBinders) &&
325		m.hasEarlyData == m1.hasEarlyData &&
326		bytes.Equal(m.tls13Cookie, m1.tls13Cookie) &&
327		m.ticketSupported == m1.ticketSupported &&
328		bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
329		eqSignatureAlgorithms(m.signatureAlgorithms, m1.signatureAlgorithms) &&
330		eqUint16s(m.supportedVersions, m1.supportedVersions) &&
331		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
332		(m.secureRenegotiation == nil) == (m1.secureRenegotiation == nil) &&
333		eqStrings(m.alpnProtocols, m1.alpnProtocols) &&
334		bytes.Equal(m.quicTransportParams, m1.quicTransportParams) &&
335		m.duplicateExtension == m1.duplicateExtension &&
336		m.channelIDSupported == m1.channelIDSupported &&
337		bytes.Equal(m.tokenBindingParams, m1.tokenBindingParams) &&
338		m.tokenBindingVersion == m1.tokenBindingVersion &&
339		m.npnAfterAlpn == m1.npnAfterAlpn &&
340		m.extendedMasterSecret == m1.extendedMasterSecret &&
341		eqUint16s(m.srtpProtectionProfiles, m1.srtpProtectionProfiles) &&
342		m.srtpMasterKeyIdentifier == m1.srtpMasterKeyIdentifier &&
343		m.sctListSupported == m1.sctListSupported &&
344		m.customExtension == m1.customExtension &&
345		m.hasGREASEExtension == m1.hasGREASEExtension &&
346		m.pskBinderFirst == m1.pskBinderFirst &&
347		m.omitExtensions == m1.omitExtensions &&
348		m.emptyExtensions == m1.emptyExtensions &&
349		m.pad == m1.pad &&
350		m.dummyPQPaddingLen == m1.dummyPQPaddingLen
351}
352
353func (m *clientHelloMsg) marshal() []byte {
354	if m.raw != nil {
355		return m.raw
356	}
357
358	handshakeMsg := newByteBuilder()
359	handshakeMsg.addU8(typeClientHello)
360	hello := handshakeMsg.addU24LengthPrefixed()
361	hello.addU16(m.vers)
362	hello.addBytes(m.random)
363	sessionId := hello.addU8LengthPrefixed()
364	sessionId.addBytes(m.sessionId)
365	if m.isDTLS {
366		cookie := hello.addU8LengthPrefixed()
367		cookie.addBytes(m.cookie)
368	}
369	cipherSuites := hello.addU16LengthPrefixed()
370	for _, suite := range m.cipherSuites {
371		cipherSuites.addU16(suite)
372	}
373	compressionMethods := hello.addU8LengthPrefixed()
374	compressionMethods.addBytes(m.compressionMethods)
375
376	extensions := hello.addU16LengthPrefixed()
377	if len(m.pskIdentities) > 0 && m.pskBinderFirst {
378		extensions.addU16(extensionPreSharedKey)
379		pskExtension := extensions.addU16LengthPrefixed()
380
381		pskIdentities := pskExtension.addU16LengthPrefixed()
382		for _, psk := range m.pskIdentities {
383			pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket)
384			pskIdentities.addU32(psk.obfuscatedTicketAge)
385		}
386		pskBinders := pskExtension.addU16LengthPrefixed()
387		for _, binder := range m.pskBinders {
388			pskBinders.addU8LengthPrefixed().addBytes(binder)
389		}
390	}
391	if m.duplicateExtension {
392		// Add a duplicate bogus extension at the beginning and end.
393		extensions.addU16(0xffff)
394		extensions.addU16(0) // 0-length for empty extension
395	}
396	if m.nextProtoNeg && !m.npnAfterAlpn {
397		extensions.addU16(extensionNextProtoNeg)
398		extensions.addU16(0) // The length is always 0
399	}
400	if len(m.serverName) > 0 {
401		extensions.addU16(extensionServerName)
402		serverNameList := extensions.addU16LengthPrefixed()
403
404		// RFC 3546, section 3.1
405		//
406		// struct {
407		//     NameType name_type;
408		//     select (name_type) {
409		//         case host_name: HostName;
410		//     } name;
411		// } ServerName;
412		//
413		// enum {
414		//     host_name(0), (255)
415		// } NameType;
416		//
417		// opaque HostName<1..2^16-1>;
418		//
419		// struct {
420		//     ServerName server_name_list<1..2^16-1>
421		// } ServerNameList;
422
423		serverName := serverNameList.addU16LengthPrefixed()
424		serverName.addU8(0) // NameType host_name(0)
425		hostName := serverName.addU16LengthPrefixed()
426		hostName.addBytes([]byte(m.serverName))
427	}
428	if m.ocspStapling {
429		extensions.addU16(extensionStatusRequest)
430		certificateStatusRequest := extensions.addU16LengthPrefixed()
431
432		// RFC 4366, section 3.6
433		certificateStatusRequest.addU8(1) // OCSP type
434		// Two zero valued uint16s for the two lengths.
435		certificateStatusRequest.addU16(0) // ResponderID length
436		certificateStatusRequest.addU16(0) // Extensions length
437	}
438	if len(m.supportedCurves) > 0 {
439		// http://tools.ietf.org/html/rfc4492#section-5.1.1
440		extensions.addU16(extensionSupportedCurves)
441		supportedCurvesList := extensions.addU16LengthPrefixed()
442		supportedCurves := supportedCurvesList.addU16LengthPrefixed()
443		for _, curve := range m.supportedCurves {
444			supportedCurves.addU16(uint16(curve))
445		}
446	}
447	if len(m.supportedPoints) > 0 {
448		// http://tools.ietf.org/html/rfc4492#section-5.1.2
449		extensions.addU16(extensionSupportedPoints)
450		supportedPointsList := extensions.addU16LengthPrefixed()
451		supportedPoints := supportedPointsList.addU8LengthPrefixed()
452		supportedPoints.addBytes(m.supportedPoints)
453	}
454	if m.hasKeyShares {
455		extensions.addU16(extensionKeyShare)
456		keyShareList := extensions.addU16LengthPrefixed()
457
458		keyShares := keyShareList.addU16LengthPrefixed()
459		for _, keyShare := range m.keyShares {
460			keyShares.addU16(uint16(keyShare.group))
461			keyExchange := keyShares.addU16LengthPrefixed()
462			keyExchange.addBytes(keyShare.keyExchange)
463		}
464
465		if m.trailingKeyShareData {
466			keyShares.addU8(0)
467		}
468	}
469	if len(m.pskKEModes) > 0 {
470		extensions.addU16(extensionPSKKeyExchangeModes)
471		pskModesExtension := extensions.addU16LengthPrefixed()
472		pskModesExtension.addU8LengthPrefixed().addBytes(m.pskKEModes)
473	}
474	if m.hasEarlyData {
475		extensions.addU16(extensionEarlyData)
476		extensions.addU16(0) // The length is zero.
477	}
478	if len(m.tls13Cookie) > 0 {
479		extensions.addU16(extensionCookie)
480		body := extensions.addU16LengthPrefixed()
481		body.addU16LengthPrefixed().addBytes(m.tls13Cookie)
482	}
483	if m.ticketSupported {
484		// http://tools.ietf.org/html/rfc5077#section-3.2
485		extensions.addU16(extensionSessionTicket)
486		sessionTicketExtension := extensions.addU16LengthPrefixed()
487		sessionTicketExtension.addBytes(m.sessionTicket)
488	}
489	if len(m.signatureAlgorithms) > 0 {
490		// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
491		extensions.addU16(extensionSignatureAlgorithms)
492		signatureAlgorithmsExtension := extensions.addU16LengthPrefixed()
493		signatureAlgorithms := signatureAlgorithmsExtension.addU16LengthPrefixed()
494		for _, sigAlg := range m.signatureAlgorithms {
495			signatureAlgorithms.addU16(uint16(sigAlg))
496		}
497	}
498	if len(m.supportedVersions) > 0 {
499		extensions.addU16(extensionSupportedVersions)
500		supportedVersionsExtension := extensions.addU16LengthPrefixed()
501		supportedVersions := supportedVersionsExtension.addU8LengthPrefixed()
502		for _, version := range m.supportedVersions {
503			supportedVersions.addU16(uint16(version))
504		}
505	}
506	if m.secureRenegotiation != nil {
507		extensions.addU16(extensionRenegotiationInfo)
508		secureRenegoExt := extensions.addU16LengthPrefixed()
509		secureRenego := secureRenegoExt.addU8LengthPrefixed()
510		secureRenego.addBytes(m.secureRenegotiation)
511	}
512	if len(m.alpnProtocols) > 0 {
513		// https://tools.ietf.org/html/rfc7301#section-3.1
514		extensions.addU16(extensionALPN)
515		alpnExtension := extensions.addU16LengthPrefixed()
516
517		protocolNameList := alpnExtension.addU16LengthPrefixed()
518		for _, s := range m.alpnProtocols {
519			protocolName := protocolNameList.addU8LengthPrefixed()
520			protocolName.addBytes([]byte(s))
521		}
522	}
523	if len(m.quicTransportParams) > 0 {
524		extensions.addU16(extensionQUICTransportParams)
525		params := extensions.addU16LengthPrefixed()
526		params.addBytes(m.quicTransportParams)
527	}
528	if m.channelIDSupported {
529		extensions.addU16(extensionChannelID)
530		extensions.addU16(0) // Length is always 0
531	}
532	if m.tokenBindingParams != nil {
533		extensions.addU16(extensionTokenBinding)
534		tokbindExtension := extensions.addU16LengthPrefixed()
535		tokbindExtension.addU16(m.tokenBindingVersion)
536		tokbindParams := tokbindExtension.addU8LengthPrefixed()
537		tokbindParams.addBytes(m.tokenBindingParams)
538	}
539	if m.nextProtoNeg && m.npnAfterAlpn {
540		extensions.addU16(extensionNextProtoNeg)
541		extensions.addU16(0) // Length is always 0
542	}
543	if m.duplicateExtension {
544		// Add a duplicate bogus extension at the beginning and end.
545		extensions.addU16(0xffff)
546		extensions.addU16(0)
547	}
548	if m.extendedMasterSecret {
549		// https://tools.ietf.org/html/rfc7627
550		extensions.addU16(extensionExtendedMasterSecret)
551		extensions.addU16(0) // Length is always 0
552	}
553	if len(m.srtpProtectionProfiles) > 0 {
554		// https://tools.ietf.org/html/rfc5764#section-4.1.1
555		extensions.addU16(extensionUseSRTP)
556		useSrtpExt := extensions.addU16LengthPrefixed()
557
558		srtpProtectionProfiles := useSrtpExt.addU16LengthPrefixed()
559		for _, p := range m.srtpProtectionProfiles {
560			srtpProtectionProfiles.addU16(p)
561		}
562		srtpMki := useSrtpExt.addU8LengthPrefixed()
563		srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier))
564	}
565	if m.sctListSupported {
566		extensions.addU16(extensionSignedCertificateTimestamp)
567		extensions.addU16(0) // Length is always 0
568	}
569	if l := len(m.customExtension); l > 0 {
570		extensions.addU16(extensionCustom)
571		customExt := extensions.addU16LengthPrefixed()
572		customExt.addBytes([]byte(m.customExtension))
573	}
574	// The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6).
575	if len(m.pskIdentities) > 0 && !m.pskBinderFirst {
576		extensions.addU16(extensionPreSharedKey)
577		pskExtension := extensions.addU16LengthPrefixed()
578
579		pskIdentities := pskExtension.addU16LengthPrefixed()
580		for _, psk := range m.pskIdentities {
581			pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket)
582			pskIdentities.addU32(psk.obfuscatedTicketAge)
583		}
584		pskBinders := pskExtension.addU16LengthPrefixed()
585		for _, binder := range m.pskBinders {
586			pskBinders.addU8LengthPrefixed().addBytes(binder)
587		}
588	}
589
590	if m.pad != 0 && hello.len()%m.pad != 0 {
591		extensions.addU16(extensionPadding)
592		padding := extensions.addU16LengthPrefixed()
593		// Note hello.len() has changed at this point from the length
594		// prefix.
595		if l := hello.len() % m.pad; l != 0 {
596			padding.addBytes(make([]byte, m.pad-l))
597		}
598	}
599
600	if m.omitExtensions || m.emptyExtensions {
601		// Silently erase any extensions which were sent.
602		hello.discardChild()
603		if m.emptyExtensions {
604			hello.addU16(0)
605		}
606	}
607
608	m.raw = handshakeMsg.finish()
609	// Sanity-check padding.
610	if m.pad != 0 && (len(m.raw)-4)%m.pad != 0 {
611		panic(fmt.Sprintf("%d is not a multiple of %d", len(m.raw)-4, m.pad))
612	}
613	return m.raw
614}
615
616func parseSignatureAlgorithms(reader *byteReader, out *[]signatureAlgorithm) bool {
617	var sigAlgs byteReader
618	if !reader.readU16LengthPrefixed(&sigAlgs) {
619		return false
620	}
621	*out = make([]signatureAlgorithm, 0, len(sigAlgs)/2)
622	for len(sigAlgs) > 0 {
623		var v uint16
624		if !sigAlgs.readU16(&v) {
625			return false
626		}
627		*out = append(*out, signatureAlgorithm(v))
628	}
629	return true
630}
631
632func (m *clientHelloMsg) unmarshal(data []byte) bool {
633	m.raw = data
634	reader := byteReader(data[4:])
635	if !reader.readU16(&m.vers) ||
636		!reader.readBytes(&m.random, 32) ||
637		!reader.readU8LengthPrefixedBytes(&m.sessionId) ||
638		len(m.sessionId) > 32 {
639		return false
640	}
641	if m.isDTLS {
642		if !reader.readU8LengthPrefixedBytes(&m.cookie) ||
643			len(m.cookie) > 32 {
644			return false
645		}
646	}
647	var cipherSuites byteReader
648	if !reader.readU16LengthPrefixed(&cipherSuites) ||
649		!reader.readU8LengthPrefixedBytes(&m.compressionMethods) {
650		return false
651	}
652
653	m.cipherSuites = make([]uint16, 0, len(cipherSuites)/2)
654	for len(cipherSuites) > 0 {
655		var v uint16
656		if !cipherSuites.readU16(&v) {
657			return false
658		}
659		m.cipherSuites = append(m.cipherSuites, v)
660		if v == scsvRenegotiation {
661			m.secureRenegotiation = []byte{}
662		}
663	}
664
665	m.nextProtoNeg = false
666	m.serverName = ""
667	m.ocspStapling = false
668	m.keyShares = nil
669	m.pskIdentities = nil
670	m.hasEarlyData = false
671	m.ticketSupported = false
672	m.sessionTicket = nil
673	m.signatureAlgorithms = nil
674	m.supportedVersions = nil
675	m.alpnProtocols = nil
676	m.extendedMasterSecret = false
677	m.customExtension = ""
678
679	if len(reader) == 0 {
680		// ClientHello is optionally followed by extension data
681		return true
682	}
683
684	var extensions byteReader
685	if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 {
686		return false
687	}
688	for len(extensions) > 0 {
689		var extension uint16
690		var body byteReader
691		if !extensions.readU16(&extension) ||
692			!extensions.readU16LengthPrefixed(&body) {
693			return false
694		}
695		switch extension {
696		case extensionServerName:
697			var names byteReader
698			if !body.readU16LengthPrefixed(&names) || len(body) != 0 {
699				return false
700			}
701			for len(names) > 0 {
702				var nameType byte
703				var name []byte
704				if !names.readU8(&nameType) ||
705					!names.readU16LengthPrefixedBytes(&name) {
706					return false
707				}
708				if nameType == 0 {
709					m.serverName = string(name)
710				}
711			}
712		case extensionNextProtoNeg:
713			if len(body) != 0 {
714				return false
715			}
716			m.nextProtoNeg = true
717		case extensionStatusRequest:
718			m.ocspStapling = len(body) > 0 && body[0] == statusTypeOCSP
719		case extensionSupportedCurves:
720			// http://tools.ietf.org/html/rfc4492#section-5.5.1
721			var curves byteReader
722			if !body.readU16LengthPrefixed(&curves) || len(body) != 0 {
723				return false
724			}
725			m.supportedCurves = make([]CurveID, 0, len(curves)/2)
726			for len(curves) > 0 {
727				var v uint16
728				if !curves.readU16(&v) {
729					return false
730				}
731				m.supportedCurves = append(m.supportedCurves, CurveID(v))
732			}
733		case extensionSupportedPoints:
734			// http://tools.ietf.org/html/rfc4492#section-5.5.2
735			if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 {
736				return false
737			}
738		case extensionSessionTicket:
739			// http://tools.ietf.org/html/rfc5077#section-3.2
740			m.ticketSupported = true
741			m.sessionTicket = []byte(body)
742		case extensionKeyShare:
743			// draft-ietf-tls-tls13 section 6.3.2.3
744			var keyShares byteReader
745			if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 {
746				return false
747			}
748			m.hasKeyShares = true
749			for len(keyShares) > 0 {
750				var entry keyShareEntry
751				var group uint16
752				if !keyShares.readU16(&group) ||
753					!keyShares.readU16LengthPrefixedBytes(&entry.keyExchange) {
754					return false
755				}
756				entry.group = CurveID(group)
757				m.keyShares = append(m.keyShares, entry)
758			}
759		case extensionPreSharedKey:
760			// draft-ietf-tls-tls13-18 section 4.2.6
761			var psks, binders byteReader
762			if !body.readU16LengthPrefixed(&psks) ||
763				!body.readU16LengthPrefixed(&binders) ||
764				len(body) != 0 {
765				return false
766			}
767			for len(psks) > 0 {
768				var psk pskIdentity
769				if !psks.readU16LengthPrefixedBytes(&psk.ticket) ||
770					!psks.readU32(&psk.obfuscatedTicketAge) {
771					return false
772				}
773				m.pskIdentities = append(m.pskIdentities, psk)
774			}
775			for len(binders) > 0 {
776				var binder []byte
777				if !binders.readU8LengthPrefixedBytes(&binder) {
778					return false
779				}
780				m.pskBinders = append(m.pskBinders, binder)
781			}
782
783			// There must be the same number of identities as binders.
784			if len(m.pskIdentities) != len(m.pskBinders) {
785				return false
786			}
787		case extensionPSKKeyExchangeModes:
788			// draft-ietf-tls-tls13-18 section 4.2.7
789			if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 {
790				return false
791			}
792		case extensionEarlyData:
793			// draft-ietf-tls-tls13 section 6.3.2.5
794			if len(body) != 0 {
795				return false
796			}
797			m.hasEarlyData = true
798		case extensionCookie:
799			if !body.readU16LengthPrefixedBytes(&m.tls13Cookie) || len(body) != 0 {
800				return false
801			}
802		case extensionSignatureAlgorithms:
803			// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
804			if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms) || len(body) != 0 {
805				return false
806			}
807		case extensionSupportedVersions:
808			var versions byteReader
809			if !body.readU8LengthPrefixed(&versions) || len(body) != 0 {
810				return false
811			}
812			m.supportedVersions = make([]uint16, 0, len(versions)/2)
813			for len(versions) > 0 {
814				var v uint16
815				if !versions.readU16(&v) {
816					return false
817				}
818				m.supportedVersions = append(m.supportedVersions, v)
819			}
820		case extensionRenegotiationInfo:
821			if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 {
822				return false
823			}
824		case extensionALPN:
825			var protocols byteReader
826			if !body.readU16LengthPrefixed(&protocols) || len(body) != 0 {
827				return false
828			}
829			for len(protocols) > 0 {
830				var protocol []byte
831				if !protocols.readU8LengthPrefixedBytes(&protocol) {
832					return false
833				}
834				m.alpnProtocols = append(m.alpnProtocols, string(protocol))
835			}
836		case extensionQUICTransportParams:
837			m.quicTransportParams = body
838		case extensionChannelID:
839			if len(body) != 0 {
840				return false
841			}
842			m.channelIDSupported = true
843		case extensionTokenBinding:
844			if !body.readU16(&m.tokenBindingVersion) ||
845				!body.readU8LengthPrefixedBytes(&m.tokenBindingParams) ||
846				len(body) != 0 {
847				return false
848			}
849		case extensionExtendedMasterSecret:
850			if len(body) != 0 {
851				return false
852			}
853			m.extendedMasterSecret = true
854		case extensionUseSRTP:
855			var profiles byteReader
856			var mki []byte
857			if !body.readU16LengthPrefixed(&profiles) ||
858				!body.readU8LengthPrefixedBytes(&mki) ||
859				len(body) != 0 {
860				return false
861			}
862			m.srtpProtectionProfiles = make([]uint16, 0, len(profiles)/2)
863			for len(profiles) > 0 {
864				var v uint16
865				if !profiles.readU16(&v) {
866					return false
867				}
868				m.srtpProtectionProfiles = append(m.srtpProtectionProfiles, v)
869			}
870			m.srtpMasterKeyIdentifier = string(mki)
871		case extensionSignedCertificateTimestamp:
872			if len(body) != 0 {
873				return false
874			}
875			m.sctListSupported = true
876		case extensionCustom:
877			m.customExtension = string(body)
878		case extensionDummyPQPadding:
879			if len(body) == 0 {
880				return false
881			}
882			m.dummyPQPaddingLen = len(body)
883		}
884
885		if isGREASEValue(extension) {
886			m.hasGREASEExtension = true
887		}
888	}
889
890	return true
891}
892
893type serverHelloMsg struct {
894	raw                   []byte
895	isDTLS                bool
896	vers                  uint16
897	versOverride          uint16
898	supportedVersOverride uint16
899	random                []byte
900	sessionId             []byte
901	cipherSuite           uint16
902	hasKeyShare           bool
903	keyShare              keyShareEntry
904	hasPSKIdentity        bool
905	pskIdentity           uint16
906	compressionMethod     uint8
907	customExtension       string
908	unencryptedALPN       string
909	omitExtensions        bool
910	emptyExtensions       bool
911	extensions            serverExtensions
912}
913
914func (m *serverHelloMsg) marshal() []byte {
915	if m.raw != nil {
916		return m.raw
917	}
918
919	handshakeMsg := newByteBuilder()
920	handshakeMsg.addU8(typeServerHello)
921	hello := handshakeMsg.addU24LengthPrefixed()
922
923	// m.vers is used both to determine the format of the rest of the
924	// ServerHello and to override the value, so include a second version
925	// field.
926	vers, ok := wireToVersion(m.vers, m.isDTLS)
927	if !ok {
928		panic("unknown version")
929	}
930	if m.versOverride != 0 {
931		hello.addU16(m.versOverride)
932	} else if vers >= VersionTLS13 {
933		hello.addU16(VersionTLS12)
934	} else {
935		hello.addU16(m.vers)
936	}
937
938	hello.addBytes(m.random)
939	sessionId := hello.addU8LengthPrefixed()
940	sessionId.addBytes(m.sessionId)
941	hello.addU16(m.cipherSuite)
942	hello.addU8(m.compressionMethod)
943
944	extensions := hello.addU16LengthPrefixed()
945
946	if vers >= VersionTLS13 {
947		if m.hasKeyShare {
948			extensions.addU16(extensionKeyShare)
949			keyShare := extensions.addU16LengthPrefixed()
950			keyShare.addU16(uint16(m.keyShare.group))
951			keyExchange := keyShare.addU16LengthPrefixed()
952			keyExchange.addBytes(m.keyShare.keyExchange)
953		}
954		if m.hasPSKIdentity {
955			extensions.addU16(extensionPreSharedKey)
956			extensions.addU16(2) // Length
957			extensions.addU16(m.pskIdentity)
958		}
959		extensions.addU16(extensionSupportedVersions)
960		extensions.addU16(2) // Length
961		if m.supportedVersOverride != 0 {
962			extensions.addU16(m.supportedVersOverride)
963		} else {
964			extensions.addU16(m.vers)
965		}
966		if len(m.customExtension) > 0 {
967			extensions.addU16(extensionCustom)
968			customExt := extensions.addU16LengthPrefixed()
969			customExt.addBytes([]byte(m.customExtension))
970		}
971		if len(m.unencryptedALPN) > 0 {
972			extensions.addU16(extensionALPN)
973			extension := extensions.addU16LengthPrefixed()
974
975			protocolNameList := extension.addU16LengthPrefixed()
976			protocolName := protocolNameList.addU8LengthPrefixed()
977			protocolName.addBytes([]byte(m.unencryptedALPN))
978		}
979	} else {
980		m.extensions.marshal(extensions)
981		if m.omitExtensions || m.emptyExtensions {
982			// Silently erasing server extensions will break the handshake. Instead,
983			// assert that tests which use this field also disable all features which
984			// would write an extension.
985			if extensions.len() != 0 {
986				panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", extensions.data(), m))
987			}
988			hello.discardChild()
989			if m.emptyExtensions {
990				hello.addU16(0)
991			}
992		}
993	}
994
995	m.raw = handshakeMsg.finish()
996	return m.raw
997}
998
999func (m *serverHelloMsg) unmarshal(data []byte) bool {
1000	m.raw = data
1001	reader := byteReader(data[4:])
1002	if !reader.readU16(&m.vers) ||
1003		!reader.readBytes(&m.random, 32) {
1004		return false
1005	}
1006	vers, ok := wireToVersion(m.vers, m.isDTLS)
1007	if !ok {
1008		return false
1009	}
1010	if !reader.readU8LengthPrefixedBytes(&m.sessionId) ||
1011		!reader.readU16(&m.cipherSuite) ||
1012		!reader.readU8(&m.compressionMethod) {
1013		return false
1014	}
1015
1016	if len(reader) == 0 && m.vers < VersionTLS13 {
1017		// Extension data is optional before TLS 1.3.
1018		m.extensions = serverExtensions{}
1019		m.omitExtensions = true
1020		return true
1021	}
1022
1023	var extensions byteReader
1024	if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 {
1025		return false
1026	}
1027
1028	// Parse out the version from supported_versions if available.
1029	if m.vers == VersionTLS12 {
1030		extensionsCopy := extensions
1031		for len(extensionsCopy) > 0 {
1032			var extension uint16
1033			var body byteReader
1034			if !extensionsCopy.readU16(&extension) ||
1035				!extensionsCopy.readU16LengthPrefixed(&body) {
1036				return false
1037			}
1038			if extension == extensionSupportedVersions {
1039				if !body.readU16(&m.vers) || len(body) != 0 {
1040					return false
1041				}
1042				vers, ok = wireToVersion(m.vers, m.isDTLS)
1043				if !ok {
1044					return false
1045				}
1046			}
1047		}
1048	}
1049
1050	if vers >= VersionTLS13 {
1051		for len(extensions) > 0 {
1052			var extension uint16
1053			var body byteReader
1054			if !extensions.readU16(&extension) ||
1055				!extensions.readU16LengthPrefixed(&body) {
1056				return false
1057			}
1058			switch extension {
1059			case extensionKeyShare:
1060				m.hasKeyShare = true
1061				var group uint16
1062				if !body.readU16(&group) ||
1063					!body.readU16LengthPrefixedBytes(&m.keyShare.keyExchange) ||
1064					len(body) != 0 {
1065					return false
1066				}
1067				m.keyShare.group = CurveID(group)
1068			case extensionPreSharedKey:
1069				if !body.readU16(&m.pskIdentity) || len(body) != 0 {
1070					return false
1071				}
1072				m.hasPSKIdentity = true
1073			case extensionSupportedVersions:
1074				// Parsed above.
1075			default:
1076				// Only allow the 3 extensions that are sent in
1077				// the clear in TLS 1.3.
1078				return false
1079			}
1080		}
1081	} else if !m.extensions.unmarshal(extensions, vers) {
1082		return false
1083	}
1084
1085	return true
1086}
1087
1088type encryptedExtensionsMsg struct {
1089	raw        []byte
1090	extensions serverExtensions
1091	empty      bool
1092}
1093
1094func (m *encryptedExtensionsMsg) marshal() []byte {
1095	if m.raw != nil {
1096		return m.raw
1097	}
1098
1099	encryptedExtensionsMsg := newByteBuilder()
1100	encryptedExtensionsMsg.addU8(typeEncryptedExtensions)
1101	encryptedExtensions := encryptedExtensionsMsg.addU24LengthPrefixed()
1102	if !m.empty {
1103		extensions := encryptedExtensions.addU16LengthPrefixed()
1104		m.extensions.marshal(extensions)
1105	}
1106
1107	m.raw = encryptedExtensionsMsg.finish()
1108	return m.raw
1109}
1110
1111func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
1112	m.raw = data
1113	reader := byteReader(data[4:])
1114	var extensions byteReader
1115	if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 {
1116		return false
1117	}
1118	return m.extensions.unmarshal(extensions, VersionTLS13)
1119}
1120
1121type serverExtensions struct {
1122	nextProtoNeg            bool
1123	nextProtos              []string
1124	ocspStapling            bool
1125	ticketSupported         bool
1126	secureRenegotiation     []byte
1127	alpnProtocol            string
1128	alpnProtocolEmpty       bool
1129	duplicateExtension      bool
1130	channelIDRequested      bool
1131	tokenBindingParams      []byte
1132	tokenBindingVersion     uint16
1133	extendedMasterSecret    bool
1134	srtpProtectionProfile   uint16
1135	srtpMasterKeyIdentifier string
1136	sctList                 []byte
1137	customExtension         string
1138	npnAfterAlpn            bool
1139	hasKeyShare             bool
1140	hasEarlyData            bool
1141	keyShare                keyShareEntry
1142	supportedVersion        uint16
1143	supportedPoints         []uint8
1144	supportedCurves         []CurveID
1145	quicTransportParams     []byte
1146	serverNameAck           bool
1147}
1148
1149func (m *serverExtensions) marshal(extensions *byteBuilder) {
1150	if m.duplicateExtension {
1151		// Add a duplicate bogus extension at the beginning and end.
1152		extensions.addU16(0xffff)
1153		extensions.addU16(0) // length = 0 for empty extension
1154	}
1155	if m.nextProtoNeg && !m.npnAfterAlpn {
1156		extensions.addU16(extensionNextProtoNeg)
1157		extension := extensions.addU16LengthPrefixed()
1158
1159		for _, v := range m.nextProtos {
1160			if len(v) > 255 {
1161				v = v[:255]
1162			}
1163			npn := extension.addU8LengthPrefixed()
1164			npn.addBytes([]byte(v))
1165		}
1166	}
1167	if m.ocspStapling {
1168		extensions.addU16(extensionStatusRequest)
1169		extensions.addU16(0)
1170	}
1171	if m.ticketSupported {
1172		extensions.addU16(extensionSessionTicket)
1173		extensions.addU16(0)
1174	}
1175	if m.secureRenegotiation != nil {
1176		extensions.addU16(extensionRenegotiationInfo)
1177		extension := extensions.addU16LengthPrefixed()
1178		secureRenego := extension.addU8LengthPrefixed()
1179		secureRenego.addBytes(m.secureRenegotiation)
1180	}
1181	if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty {
1182		extensions.addU16(extensionALPN)
1183		extension := extensions.addU16LengthPrefixed()
1184
1185		protocolNameList := extension.addU16LengthPrefixed()
1186		protocolName := protocolNameList.addU8LengthPrefixed()
1187		protocolName.addBytes([]byte(m.alpnProtocol))
1188	}
1189	if m.channelIDRequested {
1190		extensions.addU16(extensionChannelID)
1191		extensions.addU16(0)
1192	}
1193	if m.tokenBindingParams != nil {
1194		extensions.addU16(extensionTokenBinding)
1195		tokbindExtension := extensions.addU16LengthPrefixed()
1196		tokbindExtension.addU16(m.tokenBindingVersion)
1197		tokbindParams := tokbindExtension.addU8LengthPrefixed()
1198		tokbindParams.addBytes(m.tokenBindingParams)
1199	}
1200	if m.duplicateExtension {
1201		// Add a duplicate bogus extension at the beginning and end.
1202		extensions.addU16(0xffff)
1203		extensions.addU16(0)
1204	}
1205	if m.extendedMasterSecret {
1206		extensions.addU16(extensionExtendedMasterSecret)
1207		extensions.addU16(0)
1208	}
1209	if m.srtpProtectionProfile != 0 {
1210		extensions.addU16(extensionUseSRTP)
1211		extension := extensions.addU16LengthPrefixed()
1212
1213		srtpProtectionProfiles := extension.addU16LengthPrefixed()
1214		srtpProtectionProfiles.addU16(m.srtpProtectionProfile)
1215		srtpMki := extension.addU8LengthPrefixed()
1216		srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier))
1217	}
1218	if m.sctList != nil {
1219		extensions.addU16(extensionSignedCertificateTimestamp)
1220		extension := extensions.addU16LengthPrefixed()
1221		extension.addBytes(m.sctList)
1222	}
1223	if l := len(m.customExtension); l > 0 {
1224		extensions.addU16(extensionCustom)
1225		customExt := extensions.addU16LengthPrefixed()
1226		customExt.addBytes([]byte(m.customExtension))
1227	}
1228	if m.nextProtoNeg && m.npnAfterAlpn {
1229		extensions.addU16(extensionNextProtoNeg)
1230		extension := extensions.addU16LengthPrefixed()
1231
1232		for _, v := range m.nextProtos {
1233			if len(v) > 255 {
1234				v = v[0:255]
1235			}
1236			npn := extension.addU8LengthPrefixed()
1237			npn.addBytes([]byte(v))
1238		}
1239	}
1240	if m.hasKeyShare {
1241		extensions.addU16(extensionKeyShare)
1242		keyShare := extensions.addU16LengthPrefixed()
1243		keyShare.addU16(uint16(m.keyShare.group))
1244		keyExchange := keyShare.addU16LengthPrefixed()
1245		keyExchange.addBytes(m.keyShare.keyExchange)
1246	}
1247	if m.supportedVersion != 0 {
1248		extensions.addU16(extensionSupportedVersions)
1249		extensions.addU16(2) // Length
1250		extensions.addU16(m.supportedVersion)
1251	}
1252	if len(m.supportedPoints) > 0 {
1253		// http://tools.ietf.org/html/rfc4492#section-5.1.2
1254		extensions.addU16(extensionSupportedPoints)
1255		supportedPointsList := extensions.addU16LengthPrefixed()
1256		supportedPoints := supportedPointsList.addU8LengthPrefixed()
1257		supportedPoints.addBytes(m.supportedPoints)
1258	}
1259	if len(m.supportedCurves) > 0 {
1260		// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
1261		extensions.addU16(extensionSupportedCurves)
1262		supportedCurvesList := extensions.addU16LengthPrefixed()
1263		supportedCurves := supportedCurvesList.addU16LengthPrefixed()
1264		for _, curve := range m.supportedCurves {
1265			supportedCurves.addU16(uint16(curve))
1266		}
1267	}
1268	if len(m.quicTransportParams) > 0 {
1269		extensions.addU16(extensionQUICTransportParams)
1270		params := extensions.addU16LengthPrefixed()
1271		params.addBytes(m.quicTransportParams)
1272	}
1273	if m.hasEarlyData {
1274		extensions.addU16(extensionEarlyData)
1275		extensions.addBytes([]byte{0, 0})
1276	}
1277	if m.serverNameAck {
1278		extensions.addU16(extensionServerName)
1279		extensions.addU16(0) // zero length
1280	}
1281}
1282
1283func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool {
1284	// Reset all fields.
1285	*m = serverExtensions{}
1286
1287	for len(data) > 0 {
1288		var extension uint16
1289		var body byteReader
1290		if !data.readU16(&extension) ||
1291			!data.readU16LengthPrefixed(&body) {
1292			return false
1293		}
1294		switch extension {
1295		case extensionNextProtoNeg:
1296			m.nextProtoNeg = true
1297			for len(body) > 0 {
1298				var protocol []byte
1299				if !body.readU8LengthPrefixedBytes(&protocol) {
1300					return false
1301				}
1302				m.nextProtos = append(m.nextProtos, string(protocol))
1303			}
1304		case extensionStatusRequest:
1305			if len(body) != 0 {
1306				return false
1307			}
1308			m.ocspStapling = true
1309		case extensionSessionTicket:
1310			if len(body) != 0 {
1311				return false
1312			}
1313			m.ticketSupported = true
1314		case extensionRenegotiationInfo:
1315			if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 {
1316				return false
1317			}
1318		case extensionALPN:
1319			var protocols, protocol byteReader
1320			if !body.readU16LengthPrefixed(&protocols) ||
1321				len(body) != 0 ||
1322				!protocols.readU8LengthPrefixed(&protocol) ||
1323				len(protocols) != 0 {
1324				return false
1325			}
1326			m.alpnProtocol = string(protocol)
1327			m.alpnProtocolEmpty = len(protocol) == 0
1328		case extensionChannelID:
1329			if len(body) != 0 {
1330				return false
1331			}
1332			m.channelIDRequested = true
1333		case extensionTokenBinding:
1334			if !body.readU16(&m.tokenBindingVersion) ||
1335				!body.readU8LengthPrefixedBytes(&m.tokenBindingParams) ||
1336				len(m.tokenBindingParams) != 1 ||
1337				len(body) != 0 {
1338				return false
1339			}
1340		case extensionExtendedMasterSecret:
1341			if len(body) != 0 {
1342				return false
1343			}
1344			m.extendedMasterSecret = true
1345		case extensionUseSRTP:
1346			var profiles, mki byteReader
1347			if !body.readU16LengthPrefixed(&profiles) ||
1348				!profiles.readU16(&m.srtpProtectionProfile) ||
1349				len(profiles) != 0 ||
1350				!body.readU8LengthPrefixed(&mki) ||
1351				len(body) != 0 {
1352				return false
1353			}
1354			m.srtpMasterKeyIdentifier = string(mki)
1355		case extensionSignedCertificateTimestamp:
1356			m.sctList = []byte(body)
1357		case extensionCustom:
1358			m.customExtension = string(body)
1359		case extensionServerName:
1360			if len(body) != 0 {
1361				return false
1362			}
1363			m.serverNameAck = true
1364		case extensionSupportedPoints:
1365			// supported_points is illegal in TLS 1.3.
1366			if version >= VersionTLS13 {
1367				return false
1368			}
1369			// http://tools.ietf.org/html/rfc4492#section-5.5.2
1370			if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 {
1371				return false
1372			}
1373		case extensionSupportedCurves:
1374			// The server can only send supported_curves in TLS 1.3.
1375			if version < VersionTLS13 {
1376				return false
1377			}
1378		case extensionQUICTransportParams:
1379			m.quicTransportParams = body
1380		case extensionEarlyData:
1381			if version < VersionTLS13 || len(body) != 0 {
1382				return false
1383			}
1384			m.hasEarlyData = true
1385		default:
1386			// Unknown extensions are illegal from the server.
1387			return false
1388		}
1389	}
1390
1391	return true
1392}
1393
1394type helloRetryRequestMsg struct {
1395	raw                 []byte
1396	vers                uint16
1397	isServerHello       bool
1398	sessionId           []byte
1399	cipherSuite         uint16
1400	compressionMethod   uint8
1401	hasSelectedGroup    bool
1402	selectedGroup       CurveID
1403	cookie              []byte
1404	customExtension     string
1405	duplicateExtensions bool
1406}
1407
1408func (m *helloRetryRequestMsg) marshal() []byte {
1409	if m.raw != nil {
1410		return m.raw
1411	}
1412
1413	retryRequestMsg := newByteBuilder()
1414	retryRequestMsg.addU8(typeServerHello)
1415	retryRequest := retryRequestMsg.addU24LengthPrefixed()
1416	retryRequest.addU16(VersionTLS12)
1417	retryRequest.addBytes(tls13HelloRetryRequest)
1418	sessionId := retryRequest.addU8LengthPrefixed()
1419	sessionId.addBytes(m.sessionId)
1420	retryRequest.addU16(m.cipherSuite)
1421	retryRequest.addU8(m.compressionMethod)
1422
1423	extensions := retryRequest.addU16LengthPrefixed()
1424
1425	count := 1
1426	if m.duplicateExtensions {
1427		count = 2
1428	}
1429
1430	for i := 0; i < count; i++ {
1431		extensions.addU16(extensionSupportedVersions)
1432		extensions.addU16(2) // Length
1433		extensions.addU16(m.vers)
1434		if m.hasSelectedGroup {
1435			extensions.addU16(extensionKeyShare)
1436			extensions.addU16(2) // length
1437			extensions.addU16(uint16(m.selectedGroup))
1438		}
1439		// m.cookie may be a non-nil empty slice for empty cookie tests.
1440		if m.cookie != nil {
1441			extensions.addU16(extensionCookie)
1442			body := extensions.addU16LengthPrefixed()
1443			body.addU16LengthPrefixed().addBytes(m.cookie)
1444		}
1445		if len(m.customExtension) > 0 {
1446			extensions.addU16(extensionCustom)
1447			extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension))
1448		}
1449	}
1450
1451	m.raw = retryRequestMsg.finish()
1452	return m.raw
1453}
1454
1455func (m *helloRetryRequestMsg) unmarshal(data []byte) bool {
1456	m.raw = data
1457	reader := byteReader(data[4:])
1458	if !reader.readU16(&m.vers) {
1459		return false
1460	}
1461	if m.isServerHello {
1462		var random []byte
1463		var compressionMethod byte
1464		if !reader.readBytes(&random, 32) ||
1465			!reader.readU8LengthPrefixedBytes(&m.sessionId) ||
1466			!reader.readU16(&m.cipherSuite) ||
1467			!reader.readU8(&compressionMethod) ||
1468			compressionMethod != 0 {
1469			return false
1470		}
1471	} else if !reader.readU16(&m.cipherSuite) {
1472		return false
1473	}
1474	var extensions byteReader
1475	if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 {
1476		return false
1477	}
1478	extensionsCopy := extensions
1479	for len(extensionsCopy) > 0 {
1480		var extension uint16
1481		var body byteReader
1482		if !extensionsCopy.readU16(&extension) ||
1483			!extensionsCopy.readU16LengthPrefixed(&body) {
1484			return false
1485		}
1486		switch extension {
1487		case extensionSupportedVersions:
1488			if !m.isServerHello ||
1489				!body.readU16(&m.vers) ||
1490				len(body) != 0 {
1491				return false
1492			}
1493		default:
1494		}
1495	}
1496	for len(extensions) > 0 {
1497		var extension uint16
1498		var body byteReader
1499		if !extensions.readU16(&extension) ||
1500			!extensions.readU16LengthPrefixed(&body) {
1501			return false
1502		}
1503		switch extension {
1504		case extensionSupportedVersions:
1505			// Parsed above.
1506		case extensionKeyShare:
1507			var v uint16
1508			if !body.readU16(&v) || len(body) != 0 {
1509				return false
1510			}
1511			m.hasSelectedGroup = true
1512			m.selectedGroup = CurveID(v)
1513		case extensionCookie:
1514			if !body.readU16LengthPrefixedBytes(&m.cookie) || len(body) != 0 {
1515				return false
1516			}
1517		default:
1518			// Unknown extensions are illegal from the server.
1519			return false
1520		}
1521	}
1522	return true
1523}
1524
1525type certificateEntry struct {
1526	data                []byte
1527	ocspResponse        []byte
1528	sctList             []byte
1529	duplicateExtensions bool
1530	extraExtension      []byte
1531}
1532
1533type certificateMsg struct {
1534	raw               []byte
1535	hasRequestContext bool
1536	requestContext    []byte
1537	certificates      []certificateEntry
1538}
1539
1540func (m *certificateMsg) marshal() (x []byte) {
1541	if m.raw != nil {
1542		return m.raw
1543	}
1544
1545	certMsg := newByteBuilder()
1546	certMsg.addU8(typeCertificate)
1547	certificate := certMsg.addU24LengthPrefixed()
1548	if m.hasRequestContext {
1549		context := certificate.addU8LengthPrefixed()
1550		context.addBytes(m.requestContext)
1551	}
1552	certificateList := certificate.addU24LengthPrefixed()
1553	for _, cert := range m.certificates {
1554		certEntry := certificateList.addU24LengthPrefixed()
1555		certEntry.addBytes(cert.data)
1556		if m.hasRequestContext {
1557			extensions := certificateList.addU16LengthPrefixed()
1558			count := 1
1559			if cert.duplicateExtensions {
1560				count = 2
1561			}
1562
1563			for i := 0; i < count; i++ {
1564				if cert.ocspResponse != nil {
1565					extensions.addU16(extensionStatusRequest)
1566					body := extensions.addU16LengthPrefixed()
1567					body.addU8(statusTypeOCSP)
1568					response := body.addU24LengthPrefixed()
1569					response.addBytes(cert.ocspResponse)
1570				}
1571
1572				if cert.sctList != nil {
1573					extensions.addU16(extensionSignedCertificateTimestamp)
1574					extension := extensions.addU16LengthPrefixed()
1575					extension.addBytes(cert.sctList)
1576				}
1577			}
1578			if cert.extraExtension != nil {
1579				extensions.addBytes(cert.extraExtension)
1580			}
1581		}
1582	}
1583
1584	m.raw = certMsg.finish()
1585	return m.raw
1586}
1587
1588func (m *certificateMsg) unmarshal(data []byte) bool {
1589	m.raw = data
1590	reader := byteReader(data[4:])
1591
1592	if m.hasRequestContext && !reader.readU8LengthPrefixedBytes(&m.requestContext) {
1593		return false
1594	}
1595
1596	var certs byteReader
1597	if !reader.readU24LengthPrefixed(&certs) || len(reader) != 0 {
1598		return false
1599	}
1600	m.certificates = nil
1601	for len(certs) > 0 {
1602		var cert certificateEntry
1603		if !certs.readU24LengthPrefixedBytes(&cert.data) {
1604			return false
1605		}
1606		if m.hasRequestContext {
1607			var extensions byteReader
1608			if !certs.readU16LengthPrefixed(&extensions) {
1609				return false
1610			}
1611			for len(extensions) > 0 {
1612				var extension uint16
1613				var body byteReader
1614				if !extensions.readU16(&extension) ||
1615					!extensions.readU16LengthPrefixed(&body) {
1616					return false
1617				}
1618				switch extension {
1619				case extensionStatusRequest:
1620					var statusType byte
1621					if !body.readU8(&statusType) ||
1622						statusType != statusTypeOCSP ||
1623						!body.readU24LengthPrefixedBytes(&cert.ocspResponse) ||
1624						len(body) != 0 {
1625						return false
1626					}
1627				case extensionSignedCertificateTimestamp:
1628					cert.sctList = []byte(body)
1629				default:
1630					return false
1631				}
1632			}
1633		}
1634		m.certificates = append(m.certificates, cert)
1635	}
1636
1637	return true
1638}
1639
1640type serverKeyExchangeMsg struct {
1641	raw []byte
1642	key []byte
1643}
1644
1645func (m *serverKeyExchangeMsg) marshal() []byte {
1646	if m.raw != nil {
1647		return m.raw
1648	}
1649	msg := newByteBuilder()
1650	msg.addU8(typeServerKeyExchange)
1651	msg.addU24LengthPrefixed().addBytes(m.key)
1652	m.raw = msg.finish()
1653	return m.raw
1654}
1655
1656func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
1657	m.raw = data
1658	if len(data) < 4 {
1659		return false
1660	}
1661	m.key = data[4:]
1662	return true
1663}
1664
1665type certificateStatusMsg struct {
1666	raw        []byte
1667	statusType uint8
1668	response   []byte
1669}
1670
1671func (m *certificateStatusMsg) marshal() []byte {
1672	if m.raw != nil {
1673		return m.raw
1674	}
1675
1676	var x []byte
1677	if m.statusType == statusTypeOCSP {
1678		msg := newByteBuilder()
1679		msg.addU8(typeCertificateStatus)
1680		body := msg.addU24LengthPrefixed()
1681		body.addU8(statusTypeOCSP)
1682		body.addU24LengthPrefixed().addBytes(m.response)
1683		x = msg.finish()
1684	} else {
1685		x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
1686	}
1687
1688	m.raw = x
1689	return x
1690}
1691
1692func (m *certificateStatusMsg) unmarshal(data []byte) bool {
1693	m.raw = data
1694	reader := byteReader(data[4:])
1695	if !reader.readU8(&m.statusType) ||
1696		m.statusType != statusTypeOCSP ||
1697		!reader.readU24LengthPrefixedBytes(&m.response) ||
1698		len(reader) != 0 {
1699		return false
1700	}
1701	return true
1702}
1703
1704type serverHelloDoneMsg struct{}
1705
1706func (m *serverHelloDoneMsg) marshal() []byte {
1707	x := make([]byte, 4)
1708	x[0] = typeServerHelloDone
1709	return x
1710}
1711
1712func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
1713	return len(data) == 4
1714}
1715
1716type clientKeyExchangeMsg struct {
1717	raw        []byte
1718	ciphertext []byte
1719}
1720
1721func (m *clientKeyExchangeMsg) marshal() []byte {
1722	if m.raw != nil {
1723		return m.raw
1724	}
1725	msg := newByteBuilder()
1726	msg.addU8(typeClientKeyExchange)
1727	msg.addU24LengthPrefixed().addBytes(m.ciphertext)
1728	m.raw = msg.finish()
1729	return m.raw
1730}
1731
1732func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
1733	m.raw = data
1734	if len(data) < 4 {
1735		return false
1736	}
1737	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1738	if l != len(data)-4 {
1739		return false
1740	}
1741	m.ciphertext = data[4:]
1742	return true
1743}
1744
1745type finishedMsg struct {
1746	raw        []byte
1747	verifyData []byte
1748}
1749
1750func (m *finishedMsg) marshal() []byte {
1751	if m.raw != nil {
1752		return m.raw
1753	}
1754
1755	msg := newByteBuilder()
1756	msg.addU8(typeFinished)
1757	msg.addU24LengthPrefixed().addBytes(m.verifyData)
1758	m.raw = msg.finish()
1759	return m.raw
1760}
1761
1762func (m *finishedMsg) unmarshal(data []byte) bool {
1763	m.raw = data
1764	if len(data) < 4 {
1765		return false
1766	}
1767	m.verifyData = data[4:]
1768	return true
1769}
1770
1771type nextProtoMsg struct {
1772	raw   []byte
1773	proto string
1774}
1775
1776func (m *nextProtoMsg) marshal() []byte {
1777	if m.raw != nil {
1778		return m.raw
1779	}
1780
1781	padding := 32 - (len(m.proto)+2)%32
1782
1783	msg := newByteBuilder()
1784	msg.addU8(typeNextProtocol)
1785	body := msg.addU24LengthPrefixed()
1786	body.addU8LengthPrefixed().addBytes([]byte(m.proto))
1787	body.addU8LengthPrefixed().addBytes(make([]byte, padding))
1788	m.raw = msg.finish()
1789	return m.raw
1790}
1791
1792func (m *nextProtoMsg) unmarshal(data []byte) bool {
1793	m.raw = data
1794	reader := byteReader(data[4:])
1795	var proto, padding []byte
1796	if !reader.readU8LengthPrefixedBytes(&proto) ||
1797		!reader.readU8LengthPrefixedBytes(&padding) ||
1798		len(reader) != 0 {
1799		return false
1800	}
1801	m.proto = string(proto)
1802
1803	// Padding is not meant to be checked normally, but as this is a testing
1804	// implementation, we check the padding is as expected.
1805	if len(padding) != 32-(len(m.proto)+2)%32 {
1806		return false
1807	}
1808	for _, v := range padding {
1809		if v != 0 {
1810			return false
1811		}
1812	}
1813
1814	return true
1815}
1816
1817type certificateRequestMsg struct {
1818	raw  []byte
1819	vers uint16
1820	// hasSignatureAlgorithm indicates whether this message includes a list
1821	// of signature and hash functions. This change was introduced with TLS
1822	// 1.2.
1823	hasSignatureAlgorithm bool
1824	// hasRequestContext indicates whether this message includes a context
1825	// field instead of certificateTypes. This change was introduced with
1826	// TLS 1.3.
1827	hasRequestContext bool
1828
1829	certificateTypes       []byte
1830	requestContext         []byte
1831	signatureAlgorithms    []signatureAlgorithm
1832	certificateAuthorities [][]byte
1833	hasCAExtension         bool
1834	customExtension        uint16
1835}
1836
1837func (m *certificateRequestMsg) marshal() []byte {
1838	if m.raw != nil {
1839		return m.raw
1840	}
1841
1842	// See http://tools.ietf.org/html/rfc4346#section-7.4.4
1843	builder := newByteBuilder()
1844	builder.addU8(typeCertificateRequest)
1845	body := builder.addU24LengthPrefixed()
1846
1847	if m.hasRequestContext {
1848		requestContext := body.addU8LengthPrefixed()
1849		requestContext.addBytes(m.requestContext)
1850		extensions := newByteBuilder()
1851		extensions = body.addU16LengthPrefixed()
1852		if m.hasSignatureAlgorithm {
1853			extensions.addU16(extensionSignatureAlgorithms)
1854			signatureAlgorithms := extensions.addU16LengthPrefixed().addU16LengthPrefixed()
1855			for _, sigAlg := range m.signatureAlgorithms {
1856				signatureAlgorithms.addU16(uint16(sigAlg))
1857			}
1858		}
1859		if len(m.certificateAuthorities) > 0 {
1860			extensions.addU16(extensionCertificateAuthorities)
1861			certificateAuthorities := extensions.addU16LengthPrefixed().addU16LengthPrefixed()
1862			for _, ca := range m.certificateAuthorities {
1863				caEntry := certificateAuthorities.addU16LengthPrefixed()
1864				caEntry.addBytes(ca)
1865			}
1866		}
1867
1868		if m.customExtension > 0 {
1869			extensions.addU16(m.customExtension)
1870			extensions.addU16LengthPrefixed()
1871		}
1872	} else {
1873		certificateTypes := body.addU8LengthPrefixed()
1874		certificateTypes.addBytes(m.certificateTypes)
1875
1876		if m.hasSignatureAlgorithm {
1877			signatureAlgorithms := body.addU16LengthPrefixed()
1878			for _, sigAlg := range m.signatureAlgorithms {
1879				signatureAlgorithms.addU16(uint16(sigAlg))
1880			}
1881		}
1882
1883		certificateAuthorities := body.addU16LengthPrefixed()
1884		for _, ca := range m.certificateAuthorities {
1885			caEntry := certificateAuthorities.addU16LengthPrefixed()
1886			caEntry.addBytes(ca)
1887		}
1888	}
1889
1890	m.raw = builder.finish()
1891	return m.raw
1892}
1893
1894func parseCAs(reader *byteReader, out *[][]byte) bool {
1895	var cas byteReader
1896	if !reader.readU16LengthPrefixed(&cas) {
1897		return false
1898	}
1899	for len(cas) > 0 {
1900		var ca []byte
1901		if !cas.readU16LengthPrefixedBytes(&ca) {
1902			return false
1903		}
1904		*out = append(*out, ca)
1905	}
1906	return true
1907}
1908
1909func (m *certificateRequestMsg) unmarshal(data []byte) bool {
1910	m.raw = data
1911	reader := byteReader(data[4:])
1912
1913	if m.hasRequestContext {
1914		var extensions byteReader
1915		if !reader.readU8LengthPrefixedBytes(&m.requestContext) ||
1916			!reader.readU16LengthPrefixed(&extensions) ||
1917			len(reader) != 0 {
1918			return false
1919		}
1920		for len(extensions) > 0 {
1921			var extension uint16
1922			var body byteReader
1923			if !extensions.readU16(&extension) ||
1924				!extensions.readU16LengthPrefixed(&body) {
1925				return false
1926			}
1927			switch extension {
1928			case extensionSignatureAlgorithms:
1929				if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms) || len(body) != 0 {
1930					return false
1931				}
1932			case extensionCertificateAuthorities:
1933				if !parseCAs(&body, &m.certificateAuthorities) || len(body) != 0 {
1934					return false
1935				}
1936				m.hasCAExtension = true
1937			}
1938		}
1939	} else {
1940		if !reader.readU8LengthPrefixedBytes(&m.certificateTypes) {
1941			return false
1942		}
1943		if m.hasSignatureAlgorithm && !parseSignatureAlgorithms(&reader, &m.signatureAlgorithms) {
1944			return false
1945		}
1946		if !parseCAs(&reader, &m.certificateAuthorities) ||
1947			len(reader) != 0 {
1948			return false
1949		}
1950	}
1951
1952	return true
1953}
1954
1955type certificateVerifyMsg struct {
1956	raw                   []byte
1957	hasSignatureAlgorithm bool
1958	signatureAlgorithm    signatureAlgorithm
1959	signature             []byte
1960}
1961
1962func (m *certificateVerifyMsg) marshal() (x []byte) {
1963	if m.raw != nil {
1964		return m.raw
1965	}
1966
1967	// See http://tools.ietf.org/html/rfc4346#section-7.4.8
1968	siglength := len(m.signature)
1969	length := 2 + siglength
1970	if m.hasSignatureAlgorithm {
1971		length += 2
1972	}
1973	x = make([]byte, 4+length)
1974	x[0] = typeCertificateVerify
1975	x[1] = uint8(length >> 16)
1976	x[2] = uint8(length >> 8)
1977	x[3] = uint8(length)
1978	y := x[4:]
1979	if m.hasSignatureAlgorithm {
1980		y[0] = byte(m.signatureAlgorithm >> 8)
1981		y[1] = byte(m.signatureAlgorithm)
1982		y = y[2:]
1983	}
1984	y[0] = uint8(siglength >> 8)
1985	y[1] = uint8(siglength)
1986	copy(y[2:], m.signature)
1987
1988	m.raw = x
1989
1990	return
1991}
1992
1993func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
1994	m.raw = data
1995
1996	if len(data) < 6 {
1997		return false
1998	}
1999
2000	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
2001	if uint32(len(data))-4 != length {
2002		return false
2003	}
2004
2005	data = data[4:]
2006	if m.hasSignatureAlgorithm {
2007		m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1])
2008		data = data[2:]
2009	}
2010
2011	if len(data) < 2 {
2012		return false
2013	}
2014	siglength := int(data[0])<<8 + int(data[1])
2015	data = data[2:]
2016	if len(data) != siglength {
2017		return false
2018	}
2019
2020	m.signature = data
2021
2022	return true
2023}
2024
2025type newSessionTicketMsg struct {
2026	raw                         []byte
2027	vers                        uint16
2028	isDTLS                      bool
2029	ticketLifetime              uint32
2030	ticketAgeAdd                uint32
2031	ticketNonce                 []byte
2032	ticket                      []byte
2033	maxEarlyDataSize            uint32
2034	customExtension             string
2035	duplicateEarlyDataExtension bool
2036	hasGREASEExtension          bool
2037}
2038
2039func (m *newSessionTicketMsg) marshal() []byte {
2040	if m.raw != nil {
2041		return m.raw
2042	}
2043
2044	version, ok := wireToVersion(m.vers, m.isDTLS)
2045	if !ok {
2046		panic("unknown version")
2047	}
2048
2049	// See http://tools.ietf.org/html/rfc5077#section-3.3
2050	ticketMsg := newByteBuilder()
2051	ticketMsg.addU8(typeNewSessionTicket)
2052	body := ticketMsg.addU24LengthPrefixed()
2053	body.addU32(m.ticketLifetime)
2054	if version >= VersionTLS13 {
2055		body.addU32(m.ticketAgeAdd)
2056		body.addU8LengthPrefixed().addBytes(m.ticketNonce)
2057	}
2058
2059	ticket := body.addU16LengthPrefixed()
2060	ticket.addBytes(m.ticket)
2061
2062	if version >= VersionTLS13 {
2063		extensions := body.addU16LengthPrefixed()
2064		if m.maxEarlyDataSize > 0 {
2065			extensions.addU16(extensionEarlyData)
2066			extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize)
2067			if m.duplicateEarlyDataExtension {
2068				extensions.addU16(extensionEarlyData)
2069				extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize)
2070			}
2071		}
2072		if len(m.customExtension) > 0 {
2073			extensions.addU16(extensionCustom)
2074			extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension))
2075		}
2076	}
2077
2078	m.raw = ticketMsg.finish()
2079	return m.raw
2080}
2081
2082func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
2083	m.raw = data
2084
2085	version, ok := wireToVersion(m.vers, m.isDTLS)
2086	if !ok {
2087		panic("unknown version")
2088	}
2089
2090	if len(data) < 8 {
2091		return false
2092	}
2093	m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
2094	data = data[8:]
2095
2096	if version >= VersionTLS13 {
2097		if len(data) < 4 {
2098			return false
2099		}
2100		m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
2101		data = data[4:]
2102		nonceLen := int(data[0])
2103		data = data[1:]
2104		if len(data) < nonceLen {
2105			return false
2106		}
2107		m.ticketNonce = data[:nonceLen]
2108		data = data[nonceLen:]
2109	}
2110
2111	if len(data) < 2 {
2112		return false
2113	}
2114	ticketLen := int(data[0])<<8 + int(data[1])
2115	data = data[2:]
2116	if len(data) < ticketLen {
2117		return false
2118	}
2119
2120	if version >= VersionTLS13 && ticketLen == 0 {
2121		return false
2122	}
2123
2124	m.ticket = data[:ticketLen]
2125	data = data[ticketLen:]
2126
2127	if version >= VersionTLS13 {
2128		if len(data) < 2 {
2129			return false
2130		}
2131
2132		extensionsLength := int(data[0])<<8 | int(data[1])
2133		data = data[2:]
2134		if extensionsLength != len(data) {
2135			return false
2136		}
2137
2138		for len(data) != 0 {
2139			if len(data) < 4 {
2140				return false
2141			}
2142			extension := uint16(data[0])<<8 | uint16(data[1])
2143			length := int(data[2])<<8 | int(data[3])
2144			data = data[4:]
2145			if len(data) < length {
2146				return false
2147			}
2148
2149			switch extension {
2150			case extensionEarlyData:
2151				if length != 4 {
2152					return false
2153				}
2154				m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
2155			default:
2156				if isGREASEValue(extension) {
2157					m.hasGREASEExtension = true
2158				}
2159			}
2160
2161			data = data[length:]
2162		}
2163	}
2164
2165	if len(data) > 0 {
2166		return false
2167	}
2168
2169	return true
2170}
2171
2172type v2ClientHelloMsg struct {
2173	raw          []byte
2174	vers         uint16
2175	cipherSuites []uint16
2176	sessionId    []byte
2177	challenge    []byte
2178}
2179
2180func (m *v2ClientHelloMsg) marshal() []byte {
2181	if m.raw != nil {
2182		return m.raw
2183	}
2184
2185	length := 1 + 2 + 2 + 2 + 2 + len(m.cipherSuites)*3 + len(m.sessionId) + len(m.challenge)
2186
2187	x := make([]byte, length)
2188	x[0] = 1
2189	x[1] = uint8(m.vers >> 8)
2190	x[2] = uint8(m.vers)
2191	x[3] = uint8((len(m.cipherSuites) * 3) >> 8)
2192	x[4] = uint8(len(m.cipherSuites) * 3)
2193	x[5] = uint8(len(m.sessionId) >> 8)
2194	x[6] = uint8(len(m.sessionId))
2195	x[7] = uint8(len(m.challenge) >> 8)
2196	x[8] = uint8(len(m.challenge))
2197	y := x[9:]
2198	for i, spec := range m.cipherSuites {
2199		y[i*3] = 0
2200		y[i*3+1] = uint8(spec >> 8)
2201		y[i*3+2] = uint8(spec)
2202	}
2203	y = y[len(m.cipherSuites)*3:]
2204	copy(y, m.sessionId)
2205	y = y[len(m.sessionId):]
2206	copy(y, m.challenge)
2207
2208	m.raw = x
2209
2210	return x
2211}
2212
2213type helloVerifyRequestMsg struct {
2214	raw    []byte
2215	vers   uint16
2216	cookie []byte
2217}
2218
2219func (m *helloVerifyRequestMsg) marshal() []byte {
2220	if m.raw != nil {
2221		return m.raw
2222	}
2223
2224	length := 2 + 1 + len(m.cookie)
2225
2226	x := make([]byte, 4+length)
2227	x[0] = typeHelloVerifyRequest
2228	x[1] = uint8(length >> 16)
2229	x[2] = uint8(length >> 8)
2230	x[3] = uint8(length)
2231	vers := m.vers
2232	x[4] = uint8(vers >> 8)
2233	x[5] = uint8(vers)
2234	x[6] = uint8(len(m.cookie))
2235	copy(x[7:7+len(m.cookie)], m.cookie)
2236
2237	return x
2238}
2239
2240func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool {
2241	if len(data) < 4+2+1 {
2242		return false
2243	}
2244	m.raw = data
2245	m.vers = uint16(data[4])<<8 | uint16(data[5])
2246	cookieLen := int(data[6])
2247	if cookieLen > 32 || len(data) != 7+cookieLen {
2248		return false
2249	}
2250	m.cookie = data[7 : 7+cookieLen]
2251
2252	return true
2253}
2254
2255type channelIDMsg struct {
2256	raw       []byte
2257	channelID []byte
2258}
2259
2260func (m *channelIDMsg) marshal() []byte {
2261	if m.raw != nil {
2262		return m.raw
2263	}
2264
2265	length := 2 + 2 + len(m.channelID)
2266
2267	x := make([]byte, 4+length)
2268	x[0] = typeChannelID
2269	x[1] = uint8(length >> 16)
2270	x[2] = uint8(length >> 8)
2271	x[3] = uint8(length)
2272	x[4] = uint8(extensionChannelID >> 8)
2273	x[5] = uint8(extensionChannelID & 0xff)
2274	x[6] = uint8(len(m.channelID) >> 8)
2275	x[7] = uint8(len(m.channelID) & 0xff)
2276	copy(x[8:], m.channelID)
2277
2278	return x
2279}
2280
2281func (m *channelIDMsg) unmarshal(data []byte) bool {
2282	if len(data) != 4+2+2+128 {
2283		return false
2284	}
2285	m.raw = data
2286	if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID {
2287		return false
2288	}
2289	if int(data[6])<<8|int(data[7]) != 128 {
2290		return false
2291	}
2292	m.channelID = data[4+2+2:]
2293
2294	return true
2295}
2296
2297type helloRequestMsg struct {
2298}
2299
2300func (*helloRequestMsg) marshal() []byte {
2301	return []byte{typeHelloRequest, 0, 0, 0}
2302}
2303
2304func (*helloRequestMsg) unmarshal(data []byte) bool {
2305	return len(data) == 4
2306}
2307
2308type keyUpdateMsg struct {
2309	raw              []byte
2310	keyUpdateRequest byte
2311}
2312
2313func (m *keyUpdateMsg) marshal() []byte {
2314	if m.raw != nil {
2315		return m.raw
2316	}
2317
2318	return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest}
2319}
2320
2321func (m *keyUpdateMsg) unmarshal(data []byte) bool {
2322	m.raw = data
2323
2324	if len(data) != 5 {
2325		return false
2326	}
2327
2328	length := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
2329	if len(data)-4 != length {
2330		return false
2331	}
2332
2333	m.keyUpdateRequest = data[4]
2334	return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested
2335}
2336
2337type endOfEarlyDataMsg struct {
2338	nonEmpty bool
2339}
2340
2341func (m *endOfEarlyDataMsg) marshal() []byte {
2342	if m.nonEmpty {
2343		return []byte{typeEndOfEarlyData, 0, 0, 1, 42}
2344	}
2345	return []byte{typeEndOfEarlyData, 0, 0, 0}
2346}
2347
2348func (*endOfEarlyDataMsg) unmarshal(data []byte) bool {
2349	return len(data) == 4
2350}
2351
2352// ssl3NoCertificateMsg is a dummy message to handle SSL 3.0 using a warning
2353// alert in the handshake.
2354type ssl3NoCertificateMsg struct{}
2355
2356func eqUint16s(x, y []uint16) bool {
2357	if len(x) != len(y) {
2358		return false
2359	}
2360	for i, v := range x {
2361		if y[i] != v {
2362			return false
2363		}
2364	}
2365	return true
2366}
2367
2368func eqCurveIDs(x, y []CurveID) bool {
2369	if len(x) != len(y) {
2370		return false
2371	}
2372	for i, v := range x {
2373		if y[i] != v {
2374			return false
2375		}
2376	}
2377	return true
2378}
2379
2380func eqStrings(x, y []string) bool {
2381	if len(x) != len(y) {
2382		return false
2383	}
2384	for i, v := range x {
2385		if y[i] != v {
2386			return false
2387		}
2388	}
2389	return true
2390}
2391
2392func eqByteSlices(x, y [][]byte) bool {
2393	if len(x) != len(y) {
2394		return false
2395	}
2396	for i, v := range x {
2397		if !bytes.Equal(v, y[i]) {
2398			return false
2399		}
2400	}
2401	return true
2402}
2403
2404func eqSignatureAlgorithms(x, y []signatureAlgorithm) bool {
2405	if len(x) != len(y) {
2406		return false
2407	}
2408	for i, v := range x {
2409		v2 := y[i]
2410		if v != v2 {
2411			return false
2412		}
2413	}
2414	return true
2415}
2416
2417func eqKeyShareEntryLists(x, y []keyShareEntry) bool {
2418	if len(x) != len(y) {
2419		return false
2420	}
2421	for i, v := range x {
2422		if y[i].group != v.group || !bytes.Equal(y[i].keyExchange, v.keyExchange) {
2423			return false
2424		}
2425	}
2426	return true
2427
2428}
2429
2430func eqPSKIdentityLists(x, y []pskIdentity) bool {
2431	if len(x) != len(y) {
2432		return false
2433	}
2434	for i, v := range x {
2435		if !bytes.Equal(y[i].ticket, v.ticket) || y[i].obfuscatedTicketAge != v.obfuscatedTicketAge {
2436			return false
2437		}
2438	}
2439	return true
2440
2441}
2442