1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "encoding/binary" 10 "fmt" 11) 12 13func writeLen(buf []byte, v, size int) { 14 for i := 0; i < size; i++ { 15 buf[size-i-1] = byte(v) 16 v >>= 8 17 } 18 if v != 0 { 19 panic("length is too long") 20 } 21} 22 23type byteBuilder struct { 24 buf *[]byte 25 start int 26 prefixLen int 27 child *byteBuilder 28} 29 30func newByteBuilder() *byteBuilder { 31 buf := make([]byte, 0, 32) 32 return &byteBuilder{buf: &buf} 33} 34 35func (bb *byteBuilder) len() int { 36 return len(*bb.buf) - bb.start - bb.prefixLen 37} 38 39func (bb *byteBuilder) data() []byte { 40 bb.flush() 41 return (*bb.buf)[bb.start+bb.prefixLen:] 42} 43 44func (bb *byteBuilder) flush() { 45 if bb.child == nil { 46 return 47 } 48 bb.child.flush() 49 writeLen((*bb.buf)[bb.child.start:], bb.child.len(), bb.child.prefixLen) 50 bb.child = nil 51 return 52} 53 54func (bb *byteBuilder) finish() []byte { 55 bb.flush() 56 return *bb.buf 57} 58 59func (bb *byteBuilder) addU8(u uint8) { 60 bb.flush() 61 *bb.buf = append(*bb.buf, u) 62} 63 64func (bb *byteBuilder) addU16(u uint16) { 65 bb.flush() 66 *bb.buf = append(*bb.buf, byte(u>>8), byte(u)) 67} 68 69func (bb *byteBuilder) addU24(u int) { 70 bb.flush() 71 *bb.buf = append(*bb.buf, byte(u>>16), byte(u>>8), byte(u)) 72} 73 74func (bb *byteBuilder) addU32(u uint32) { 75 bb.flush() 76 *bb.buf = append(*bb.buf, byte(u>>24), byte(u>>16), byte(u>>8), byte(u)) 77} 78 79func (bb *byteBuilder) addU64(u uint64) { 80 bb.flush() 81 var b [8]byte 82 binary.BigEndian.PutUint64(b[:], u) 83 *bb.buf = append(*bb.buf, b[:]...) 84} 85 86func (bb *byteBuilder) addU8LengthPrefixed() *byteBuilder { 87 return bb.createChild(1) 88} 89 90func (bb *byteBuilder) addU16LengthPrefixed() *byteBuilder { 91 return bb.createChild(2) 92} 93 94func (bb *byteBuilder) addU24LengthPrefixed() *byteBuilder { 95 return bb.createChild(3) 96} 97 98func (bb *byteBuilder) addU32LengthPrefixed() *byteBuilder { 99 return bb.createChild(4) 100} 101 102func (bb *byteBuilder) addBytes(b []byte) { 103 bb.flush() 104 *bb.buf = append(*bb.buf, b...) 105} 106 107func (bb *byteBuilder) createChild(lengthPrefixSize int) *byteBuilder { 108 bb.flush() 109 bb.child = &byteBuilder{ 110 buf: bb.buf, 111 start: len(*bb.buf), 112 prefixLen: lengthPrefixSize, 113 } 114 for i := 0; i < lengthPrefixSize; i++ { 115 *bb.buf = append(*bb.buf, 0) 116 } 117 return bb.child 118} 119 120func (bb *byteBuilder) discardChild() { 121 if bb.child == nil { 122 return 123 } 124 *bb.buf = (*bb.buf)[:bb.child.start] 125 bb.child = nil 126} 127 128type byteReader []byte 129 130func (br *byteReader) readInternal(out *byteReader, n int) bool { 131 if len(*br) < n { 132 return false 133 } 134 *out = (*br)[:n] 135 *br = (*br)[n:] 136 return true 137} 138 139func (br *byteReader) readBytes(out *[]byte, n int) bool { 140 var child byteReader 141 if !br.readInternal(&child, n) { 142 return false 143 } 144 *out = []byte(child) 145 return true 146} 147 148func (br *byteReader) readUint(out *uint64, n int) bool { 149 var b []byte 150 if !br.readBytes(&b, n) { 151 return false 152 } 153 *out = 0 154 for _, v := range b { 155 *out <<= 8 156 *out |= uint64(v) 157 } 158 return true 159} 160 161func (br *byteReader) readU8(out *uint8) bool { 162 var b []byte 163 if !br.readBytes(&b, 1) { 164 return false 165 } 166 *out = b[0] 167 return true 168} 169 170func (br *byteReader) readU16(out *uint16) bool { 171 var v uint64 172 if !br.readUint(&v, 2) { 173 return false 174 } 175 *out = uint16(v) 176 return true 177} 178 179func (br *byteReader) readU24(out *uint32) bool { 180 var v uint64 181 if !br.readUint(&v, 3) { 182 return false 183 } 184 *out = uint32(v) 185 return true 186} 187 188func (br *byteReader) readU32(out *uint32) bool { 189 var v uint64 190 if !br.readUint(&v, 4) { 191 return false 192 } 193 *out = uint32(v) 194 return true 195} 196 197func (br *byteReader) readU64(out *uint64) bool { 198 return br.readUint(out, 8) 199} 200 201func (br *byteReader) readLengthPrefixed(out *byteReader, n int) bool { 202 var length uint64 203 return br.readUint(&length, n) && 204 uint64(len(*br)) >= length && 205 br.readInternal(out, int(length)) 206} 207 208func (br *byteReader) readLengthPrefixedBytes(out *[]byte, n int) bool { 209 var length uint64 210 return br.readUint(&length, n) && 211 uint64(len(*br)) >= length && 212 br.readBytes(out, int(length)) 213} 214 215func (br *byteReader) readU8LengthPrefixed(out *byteReader) bool { 216 return br.readLengthPrefixed(out, 1) 217} 218func (br *byteReader) readU8LengthPrefixedBytes(out *[]byte) bool { 219 return br.readLengthPrefixedBytes(out, 1) 220} 221 222func (br *byteReader) readU16LengthPrefixed(out *byteReader) bool { 223 return br.readLengthPrefixed(out, 2) 224} 225func (br *byteReader) readU16LengthPrefixedBytes(out *[]byte) bool { 226 return br.readLengthPrefixedBytes(out, 2) 227} 228 229func (br *byteReader) readU24LengthPrefixed(out *byteReader) bool { 230 return br.readLengthPrefixed(out, 3) 231} 232func (br *byteReader) readU24LengthPrefixedBytes(out *[]byte) bool { 233 return br.readLengthPrefixedBytes(out, 3) 234} 235 236func (br *byteReader) readU32LengthPrefixed(out *byteReader) bool { 237 return br.readLengthPrefixed(out, 4) 238} 239func (br *byteReader) readU32LengthPrefixedBytes(out *[]byte) bool { 240 return br.readLengthPrefixedBytes(out, 4) 241} 242 243type keyShareEntry struct { 244 group CurveID 245 keyExchange []byte 246} 247 248type pskIdentity struct { 249 ticket []uint8 250 obfuscatedTicketAge uint32 251} 252 253type clientHelloMsg struct { 254 raw []byte 255 isDTLS bool 256 vers uint16 257 random []byte 258 sessionId []byte 259 cookie []byte 260 cipherSuites []uint16 261 compressionMethods []uint8 262 nextProtoNeg bool 263 serverName string 264 ocspStapling bool 265 supportedCurves []CurveID 266 supportedPoints []uint8 267 hasKeyShares bool 268 keyShares []keyShareEntry 269 trailingKeyShareData bool 270 pskIdentities []pskIdentity 271 pskKEModes []byte 272 pskBinders [][]uint8 273 hasEarlyData bool 274 tls13Cookie []byte 275 ticketSupported bool 276 sessionTicket []uint8 277 signatureAlgorithms []signatureAlgorithm 278 supportedVersions []uint16 279 secureRenegotiation []byte 280 alpnProtocols []string 281 quicTransportParams []byte 282 duplicateExtension bool 283 channelIDSupported bool 284 tokenBindingParams []byte 285 tokenBindingVersion uint16 286 npnAfterAlpn bool 287 extendedMasterSecret bool 288 srtpProtectionProfiles []uint16 289 srtpMasterKeyIdentifier string 290 sctListSupported bool 291 customExtension string 292 hasGREASEExtension bool 293 pskBinderFirst bool 294 omitExtensions bool 295 emptyExtensions bool 296 pad int 297 dummyPQPaddingLen int 298} 299 300func (m *clientHelloMsg) equal(i interface{}) bool { 301 m1, ok := i.(*clientHelloMsg) 302 if !ok { 303 return false 304 } 305 306 return bytes.Equal(m.raw, m1.raw) && 307 m.isDTLS == m1.isDTLS && 308 m.vers == m1.vers && 309 bytes.Equal(m.random, m1.random) && 310 bytes.Equal(m.sessionId, m1.sessionId) && 311 bytes.Equal(m.cookie, m1.cookie) && 312 eqUint16s(m.cipherSuites, m1.cipherSuites) && 313 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 314 m.nextProtoNeg == m1.nextProtoNeg && 315 m.serverName == m1.serverName && 316 m.ocspStapling == m1.ocspStapling && 317 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 318 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 319 m.hasKeyShares == m1.hasKeyShares && 320 eqKeyShareEntryLists(m.keyShares, m1.keyShares) && 321 m.trailingKeyShareData == m1.trailingKeyShareData && 322 eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) && 323 bytes.Equal(m.pskKEModes, m1.pskKEModes) && 324 eqByteSlices(m.pskBinders, m1.pskBinders) && 325 m.hasEarlyData == m1.hasEarlyData && 326 bytes.Equal(m.tls13Cookie, m1.tls13Cookie) && 327 m.ticketSupported == m1.ticketSupported && 328 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 329 eqSignatureAlgorithms(m.signatureAlgorithms, m1.signatureAlgorithms) && 330 eqUint16s(m.supportedVersions, m1.supportedVersions) && 331 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 332 (m.secureRenegotiation == nil) == (m1.secureRenegotiation == nil) && 333 eqStrings(m.alpnProtocols, m1.alpnProtocols) && 334 bytes.Equal(m.quicTransportParams, m1.quicTransportParams) && 335 m.duplicateExtension == m1.duplicateExtension && 336 m.channelIDSupported == m1.channelIDSupported && 337 bytes.Equal(m.tokenBindingParams, m1.tokenBindingParams) && 338 m.tokenBindingVersion == m1.tokenBindingVersion && 339 m.npnAfterAlpn == m1.npnAfterAlpn && 340 m.extendedMasterSecret == m1.extendedMasterSecret && 341 eqUint16s(m.srtpProtectionProfiles, m1.srtpProtectionProfiles) && 342 m.srtpMasterKeyIdentifier == m1.srtpMasterKeyIdentifier && 343 m.sctListSupported == m1.sctListSupported && 344 m.customExtension == m1.customExtension && 345 m.hasGREASEExtension == m1.hasGREASEExtension && 346 m.pskBinderFirst == m1.pskBinderFirst && 347 m.omitExtensions == m1.omitExtensions && 348 m.emptyExtensions == m1.emptyExtensions && 349 m.pad == m1.pad && 350 m.dummyPQPaddingLen == m1.dummyPQPaddingLen 351} 352 353func (m *clientHelloMsg) marshal() []byte { 354 if m.raw != nil { 355 return m.raw 356 } 357 358 handshakeMsg := newByteBuilder() 359 handshakeMsg.addU8(typeClientHello) 360 hello := handshakeMsg.addU24LengthPrefixed() 361 hello.addU16(m.vers) 362 hello.addBytes(m.random) 363 sessionId := hello.addU8LengthPrefixed() 364 sessionId.addBytes(m.sessionId) 365 if m.isDTLS { 366 cookie := hello.addU8LengthPrefixed() 367 cookie.addBytes(m.cookie) 368 } 369 cipherSuites := hello.addU16LengthPrefixed() 370 for _, suite := range m.cipherSuites { 371 cipherSuites.addU16(suite) 372 } 373 compressionMethods := hello.addU8LengthPrefixed() 374 compressionMethods.addBytes(m.compressionMethods) 375 376 extensions := hello.addU16LengthPrefixed() 377 if len(m.pskIdentities) > 0 && m.pskBinderFirst { 378 extensions.addU16(extensionPreSharedKey) 379 pskExtension := extensions.addU16LengthPrefixed() 380 381 pskIdentities := pskExtension.addU16LengthPrefixed() 382 for _, psk := range m.pskIdentities { 383 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 384 pskIdentities.addU32(psk.obfuscatedTicketAge) 385 } 386 pskBinders := pskExtension.addU16LengthPrefixed() 387 for _, binder := range m.pskBinders { 388 pskBinders.addU8LengthPrefixed().addBytes(binder) 389 } 390 } 391 if m.duplicateExtension { 392 // Add a duplicate bogus extension at the beginning and end. 393 extensions.addU16(0xffff) 394 extensions.addU16(0) // 0-length for empty extension 395 } 396 if m.nextProtoNeg && !m.npnAfterAlpn { 397 extensions.addU16(extensionNextProtoNeg) 398 extensions.addU16(0) // The length is always 0 399 } 400 if len(m.serverName) > 0 { 401 extensions.addU16(extensionServerName) 402 serverNameList := extensions.addU16LengthPrefixed() 403 404 // RFC 3546, section 3.1 405 // 406 // struct { 407 // NameType name_type; 408 // select (name_type) { 409 // case host_name: HostName; 410 // } name; 411 // } ServerName; 412 // 413 // enum { 414 // host_name(0), (255) 415 // } NameType; 416 // 417 // opaque HostName<1..2^16-1>; 418 // 419 // struct { 420 // ServerName server_name_list<1..2^16-1> 421 // } ServerNameList; 422 423 serverName := serverNameList.addU16LengthPrefixed() 424 serverName.addU8(0) // NameType host_name(0) 425 hostName := serverName.addU16LengthPrefixed() 426 hostName.addBytes([]byte(m.serverName)) 427 } 428 if m.ocspStapling { 429 extensions.addU16(extensionStatusRequest) 430 certificateStatusRequest := extensions.addU16LengthPrefixed() 431 432 // RFC 4366, section 3.6 433 certificateStatusRequest.addU8(1) // OCSP type 434 // Two zero valued uint16s for the two lengths. 435 certificateStatusRequest.addU16(0) // ResponderID length 436 certificateStatusRequest.addU16(0) // Extensions length 437 } 438 if len(m.supportedCurves) > 0 { 439 // http://tools.ietf.org/html/rfc4492#section-5.1.1 440 extensions.addU16(extensionSupportedCurves) 441 supportedCurvesList := extensions.addU16LengthPrefixed() 442 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 443 for _, curve := range m.supportedCurves { 444 supportedCurves.addU16(uint16(curve)) 445 } 446 } 447 if len(m.supportedPoints) > 0 { 448 // http://tools.ietf.org/html/rfc4492#section-5.1.2 449 extensions.addU16(extensionSupportedPoints) 450 supportedPointsList := extensions.addU16LengthPrefixed() 451 supportedPoints := supportedPointsList.addU8LengthPrefixed() 452 supportedPoints.addBytes(m.supportedPoints) 453 } 454 if m.hasKeyShares { 455 extensions.addU16(extensionKeyShare) 456 keyShareList := extensions.addU16LengthPrefixed() 457 458 keyShares := keyShareList.addU16LengthPrefixed() 459 for _, keyShare := range m.keyShares { 460 keyShares.addU16(uint16(keyShare.group)) 461 keyExchange := keyShares.addU16LengthPrefixed() 462 keyExchange.addBytes(keyShare.keyExchange) 463 } 464 465 if m.trailingKeyShareData { 466 keyShares.addU8(0) 467 } 468 } 469 if len(m.pskKEModes) > 0 { 470 extensions.addU16(extensionPSKKeyExchangeModes) 471 pskModesExtension := extensions.addU16LengthPrefixed() 472 pskModesExtension.addU8LengthPrefixed().addBytes(m.pskKEModes) 473 } 474 if m.hasEarlyData { 475 extensions.addU16(extensionEarlyData) 476 extensions.addU16(0) // The length is zero. 477 } 478 if len(m.tls13Cookie) > 0 { 479 extensions.addU16(extensionCookie) 480 body := extensions.addU16LengthPrefixed() 481 body.addU16LengthPrefixed().addBytes(m.tls13Cookie) 482 } 483 if m.ticketSupported { 484 // http://tools.ietf.org/html/rfc5077#section-3.2 485 extensions.addU16(extensionSessionTicket) 486 sessionTicketExtension := extensions.addU16LengthPrefixed() 487 sessionTicketExtension.addBytes(m.sessionTicket) 488 } 489 if len(m.signatureAlgorithms) > 0 { 490 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 491 extensions.addU16(extensionSignatureAlgorithms) 492 signatureAlgorithmsExtension := extensions.addU16LengthPrefixed() 493 signatureAlgorithms := signatureAlgorithmsExtension.addU16LengthPrefixed() 494 for _, sigAlg := range m.signatureAlgorithms { 495 signatureAlgorithms.addU16(uint16(sigAlg)) 496 } 497 } 498 if len(m.supportedVersions) > 0 { 499 extensions.addU16(extensionSupportedVersions) 500 supportedVersionsExtension := extensions.addU16LengthPrefixed() 501 supportedVersions := supportedVersionsExtension.addU8LengthPrefixed() 502 for _, version := range m.supportedVersions { 503 supportedVersions.addU16(uint16(version)) 504 } 505 } 506 if m.secureRenegotiation != nil { 507 extensions.addU16(extensionRenegotiationInfo) 508 secureRenegoExt := extensions.addU16LengthPrefixed() 509 secureRenego := secureRenegoExt.addU8LengthPrefixed() 510 secureRenego.addBytes(m.secureRenegotiation) 511 } 512 if len(m.alpnProtocols) > 0 { 513 // https://tools.ietf.org/html/rfc7301#section-3.1 514 extensions.addU16(extensionALPN) 515 alpnExtension := extensions.addU16LengthPrefixed() 516 517 protocolNameList := alpnExtension.addU16LengthPrefixed() 518 for _, s := range m.alpnProtocols { 519 protocolName := protocolNameList.addU8LengthPrefixed() 520 protocolName.addBytes([]byte(s)) 521 } 522 } 523 if len(m.quicTransportParams) > 0 { 524 extensions.addU16(extensionQUICTransportParams) 525 params := extensions.addU16LengthPrefixed() 526 params.addBytes(m.quicTransportParams) 527 } 528 if m.channelIDSupported { 529 extensions.addU16(extensionChannelID) 530 extensions.addU16(0) // Length is always 0 531 } 532 if m.tokenBindingParams != nil { 533 extensions.addU16(extensionTokenBinding) 534 tokbindExtension := extensions.addU16LengthPrefixed() 535 tokbindExtension.addU16(m.tokenBindingVersion) 536 tokbindParams := tokbindExtension.addU8LengthPrefixed() 537 tokbindParams.addBytes(m.tokenBindingParams) 538 } 539 if m.nextProtoNeg && m.npnAfterAlpn { 540 extensions.addU16(extensionNextProtoNeg) 541 extensions.addU16(0) // Length is always 0 542 } 543 if m.duplicateExtension { 544 // Add a duplicate bogus extension at the beginning and end. 545 extensions.addU16(0xffff) 546 extensions.addU16(0) 547 } 548 if m.extendedMasterSecret { 549 // https://tools.ietf.org/html/rfc7627 550 extensions.addU16(extensionExtendedMasterSecret) 551 extensions.addU16(0) // Length is always 0 552 } 553 if len(m.srtpProtectionProfiles) > 0 { 554 // https://tools.ietf.org/html/rfc5764#section-4.1.1 555 extensions.addU16(extensionUseSRTP) 556 useSrtpExt := extensions.addU16LengthPrefixed() 557 558 srtpProtectionProfiles := useSrtpExt.addU16LengthPrefixed() 559 for _, p := range m.srtpProtectionProfiles { 560 srtpProtectionProfiles.addU16(p) 561 } 562 srtpMki := useSrtpExt.addU8LengthPrefixed() 563 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 564 } 565 if m.sctListSupported { 566 extensions.addU16(extensionSignedCertificateTimestamp) 567 extensions.addU16(0) // Length is always 0 568 } 569 if l := len(m.customExtension); l > 0 { 570 extensions.addU16(extensionCustom) 571 customExt := extensions.addU16LengthPrefixed() 572 customExt.addBytes([]byte(m.customExtension)) 573 } 574 // The PSK extension must be last (draft-ietf-tls-tls13-18 section 4.2.6). 575 if len(m.pskIdentities) > 0 && !m.pskBinderFirst { 576 extensions.addU16(extensionPreSharedKey) 577 pskExtension := extensions.addU16LengthPrefixed() 578 579 pskIdentities := pskExtension.addU16LengthPrefixed() 580 for _, psk := range m.pskIdentities { 581 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 582 pskIdentities.addU32(psk.obfuscatedTicketAge) 583 } 584 pskBinders := pskExtension.addU16LengthPrefixed() 585 for _, binder := range m.pskBinders { 586 pskBinders.addU8LengthPrefixed().addBytes(binder) 587 } 588 } 589 590 if m.pad != 0 && hello.len()%m.pad != 0 { 591 extensions.addU16(extensionPadding) 592 padding := extensions.addU16LengthPrefixed() 593 // Note hello.len() has changed at this point from the length 594 // prefix. 595 if l := hello.len() % m.pad; l != 0 { 596 padding.addBytes(make([]byte, m.pad-l)) 597 } 598 } 599 600 if m.omitExtensions || m.emptyExtensions { 601 // Silently erase any extensions which were sent. 602 hello.discardChild() 603 if m.emptyExtensions { 604 hello.addU16(0) 605 } 606 } 607 608 m.raw = handshakeMsg.finish() 609 // Sanity-check padding. 610 if m.pad != 0 && (len(m.raw)-4)%m.pad != 0 { 611 panic(fmt.Sprintf("%d is not a multiple of %d", len(m.raw)-4, m.pad)) 612 } 613 return m.raw 614} 615 616func parseSignatureAlgorithms(reader *byteReader, out *[]signatureAlgorithm) bool { 617 var sigAlgs byteReader 618 if !reader.readU16LengthPrefixed(&sigAlgs) { 619 return false 620 } 621 *out = make([]signatureAlgorithm, 0, len(sigAlgs)/2) 622 for len(sigAlgs) > 0 { 623 var v uint16 624 if !sigAlgs.readU16(&v) { 625 return false 626 } 627 *out = append(*out, signatureAlgorithm(v)) 628 } 629 return true 630} 631 632func (m *clientHelloMsg) unmarshal(data []byte) bool { 633 m.raw = data 634 reader := byteReader(data[4:]) 635 if !reader.readU16(&m.vers) || 636 !reader.readBytes(&m.random, 32) || 637 !reader.readU8LengthPrefixedBytes(&m.sessionId) || 638 len(m.sessionId) > 32 { 639 return false 640 } 641 if m.isDTLS { 642 if !reader.readU8LengthPrefixedBytes(&m.cookie) || 643 len(m.cookie) > 32 { 644 return false 645 } 646 } 647 var cipherSuites byteReader 648 if !reader.readU16LengthPrefixed(&cipherSuites) || 649 !reader.readU8LengthPrefixedBytes(&m.compressionMethods) { 650 return false 651 } 652 653 m.cipherSuites = make([]uint16, 0, len(cipherSuites)/2) 654 for len(cipherSuites) > 0 { 655 var v uint16 656 if !cipherSuites.readU16(&v) { 657 return false 658 } 659 m.cipherSuites = append(m.cipherSuites, v) 660 if v == scsvRenegotiation { 661 m.secureRenegotiation = []byte{} 662 } 663 } 664 665 m.nextProtoNeg = false 666 m.serverName = "" 667 m.ocspStapling = false 668 m.keyShares = nil 669 m.pskIdentities = nil 670 m.hasEarlyData = false 671 m.ticketSupported = false 672 m.sessionTicket = nil 673 m.signatureAlgorithms = nil 674 m.supportedVersions = nil 675 m.alpnProtocols = nil 676 m.extendedMasterSecret = false 677 m.customExtension = "" 678 679 if len(reader) == 0 { 680 // ClientHello is optionally followed by extension data 681 return true 682 } 683 684 var extensions byteReader 685 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 686 return false 687 } 688 for len(extensions) > 0 { 689 var extension uint16 690 var body byteReader 691 if !extensions.readU16(&extension) || 692 !extensions.readU16LengthPrefixed(&body) { 693 return false 694 } 695 switch extension { 696 case extensionServerName: 697 var names byteReader 698 if !body.readU16LengthPrefixed(&names) || len(body) != 0 { 699 return false 700 } 701 for len(names) > 0 { 702 var nameType byte 703 var name []byte 704 if !names.readU8(&nameType) || 705 !names.readU16LengthPrefixedBytes(&name) { 706 return false 707 } 708 if nameType == 0 { 709 m.serverName = string(name) 710 } 711 } 712 case extensionNextProtoNeg: 713 if len(body) != 0 { 714 return false 715 } 716 m.nextProtoNeg = true 717 case extensionStatusRequest: 718 m.ocspStapling = len(body) > 0 && body[0] == statusTypeOCSP 719 case extensionSupportedCurves: 720 // http://tools.ietf.org/html/rfc4492#section-5.5.1 721 var curves byteReader 722 if !body.readU16LengthPrefixed(&curves) || len(body) != 0 { 723 return false 724 } 725 m.supportedCurves = make([]CurveID, 0, len(curves)/2) 726 for len(curves) > 0 { 727 var v uint16 728 if !curves.readU16(&v) { 729 return false 730 } 731 m.supportedCurves = append(m.supportedCurves, CurveID(v)) 732 } 733 case extensionSupportedPoints: 734 // http://tools.ietf.org/html/rfc4492#section-5.5.2 735 if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 { 736 return false 737 } 738 case extensionSessionTicket: 739 // http://tools.ietf.org/html/rfc5077#section-3.2 740 m.ticketSupported = true 741 m.sessionTicket = []byte(body) 742 case extensionKeyShare: 743 // draft-ietf-tls-tls13 section 6.3.2.3 744 var keyShares byteReader 745 if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 { 746 return false 747 } 748 m.hasKeyShares = true 749 for len(keyShares) > 0 { 750 var entry keyShareEntry 751 var group uint16 752 if !keyShares.readU16(&group) || 753 !keyShares.readU16LengthPrefixedBytes(&entry.keyExchange) { 754 return false 755 } 756 entry.group = CurveID(group) 757 m.keyShares = append(m.keyShares, entry) 758 } 759 case extensionPreSharedKey: 760 // draft-ietf-tls-tls13-18 section 4.2.6 761 var psks, binders byteReader 762 if !body.readU16LengthPrefixed(&psks) || 763 !body.readU16LengthPrefixed(&binders) || 764 len(body) != 0 { 765 return false 766 } 767 for len(psks) > 0 { 768 var psk pskIdentity 769 if !psks.readU16LengthPrefixedBytes(&psk.ticket) || 770 !psks.readU32(&psk.obfuscatedTicketAge) { 771 return false 772 } 773 m.pskIdentities = append(m.pskIdentities, psk) 774 } 775 for len(binders) > 0 { 776 var binder []byte 777 if !binders.readU8LengthPrefixedBytes(&binder) { 778 return false 779 } 780 m.pskBinders = append(m.pskBinders, binder) 781 } 782 783 // There must be the same number of identities as binders. 784 if len(m.pskIdentities) != len(m.pskBinders) { 785 return false 786 } 787 case extensionPSKKeyExchangeModes: 788 // draft-ietf-tls-tls13-18 section 4.2.7 789 if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 { 790 return false 791 } 792 case extensionEarlyData: 793 // draft-ietf-tls-tls13 section 6.3.2.5 794 if len(body) != 0 { 795 return false 796 } 797 m.hasEarlyData = true 798 case extensionCookie: 799 if !body.readU16LengthPrefixedBytes(&m.tls13Cookie) || len(body) != 0 { 800 return false 801 } 802 case extensionSignatureAlgorithms: 803 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 804 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms) || len(body) != 0 { 805 return false 806 } 807 case extensionSupportedVersions: 808 var versions byteReader 809 if !body.readU8LengthPrefixed(&versions) || len(body) != 0 { 810 return false 811 } 812 m.supportedVersions = make([]uint16, 0, len(versions)/2) 813 for len(versions) > 0 { 814 var v uint16 815 if !versions.readU16(&v) { 816 return false 817 } 818 m.supportedVersions = append(m.supportedVersions, v) 819 } 820 case extensionRenegotiationInfo: 821 if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 { 822 return false 823 } 824 case extensionALPN: 825 var protocols byteReader 826 if !body.readU16LengthPrefixed(&protocols) || len(body) != 0 { 827 return false 828 } 829 for len(protocols) > 0 { 830 var protocol []byte 831 if !protocols.readU8LengthPrefixedBytes(&protocol) { 832 return false 833 } 834 m.alpnProtocols = append(m.alpnProtocols, string(protocol)) 835 } 836 case extensionQUICTransportParams: 837 m.quicTransportParams = body 838 case extensionChannelID: 839 if len(body) != 0 { 840 return false 841 } 842 m.channelIDSupported = true 843 case extensionTokenBinding: 844 if !body.readU16(&m.tokenBindingVersion) || 845 !body.readU8LengthPrefixedBytes(&m.tokenBindingParams) || 846 len(body) != 0 { 847 return false 848 } 849 case extensionExtendedMasterSecret: 850 if len(body) != 0 { 851 return false 852 } 853 m.extendedMasterSecret = true 854 case extensionUseSRTP: 855 var profiles byteReader 856 var mki []byte 857 if !body.readU16LengthPrefixed(&profiles) || 858 !body.readU8LengthPrefixedBytes(&mki) || 859 len(body) != 0 { 860 return false 861 } 862 m.srtpProtectionProfiles = make([]uint16, 0, len(profiles)/2) 863 for len(profiles) > 0 { 864 var v uint16 865 if !profiles.readU16(&v) { 866 return false 867 } 868 m.srtpProtectionProfiles = append(m.srtpProtectionProfiles, v) 869 } 870 m.srtpMasterKeyIdentifier = string(mki) 871 case extensionSignedCertificateTimestamp: 872 if len(body) != 0 { 873 return false 874 } 875 m.sctListSupported = true 876 case extensionCustom: 877 m.customExtension = string(body) 878 case extensionDummyPQPadding: 879 if len(body) == 0 { 880 return false 881 } 882 m.dummyPQPaddingLen = len(body) 883 } 884 885 if isGREASEValue(extension) { 886 m.hasGREASEExtension = true 887 } 888 } 889 890 return true 891} 892 893type serverHelloMsg struct { 894 raw []byte 895 isDTLS bool 896 vers uint16 897 versOverride uint16 898 supportedVersOverride uint16 899 random []byte 900 sessionId []byte 901 cipherSuite uint16 902 hasKeyShare bool 903 keyShare keyShareEntry 904 hasPSKIdentity bool 905 pskIdentity uint16 906 compressionMethod uint8 907 customExtension string 908 unencryptedALPN string 909 omitExtensions bool 910 emptyExtensions bool 911 extensions serverExtensions 912} 913 914func (m *serverHelloMsg) marshal() []byte { 915 if m.raw != nil { 916 return m.raw 917 } 918 919 handshakeMsg := newByteBuilder() 920 handshakeMsg.addU8(typeServerHello) 921 hello := handshakeMsg.addU24LengthPrefixed() 922 923 // m.vers is used both to determine the format of the rest of the 924 // ServerHello and to override the value, so include a second version 925 // field. 926 vers, ok := wireToVersion(m.vers, m.isDTLS) 927 if !ok { 928 panic("unknown version") 929 } 930 if m.versOverride != 0 { 931 hello.addU16(m.versOverride) 932 } else if vers >= VersionTLS13 { 933 hello.addU16(VersionTLS12) 934 } else { 935 hello.addU16(m.vers) 936 } 937 938 hello.addBytes(m.random) 939 sessionId := hello.addU8LengthPrefixed() 940 sessionId.addBytes(m.sessionId) 941 hello.addU16(m.cipherSuite) 942 hello.addU8(m.compressionMethod) 943 944 extensions := hello.addU16LengthPrefixed() 945 946 if vers >= VersionTLS13 { 947 if m.hasKeyShare { 948 extensions.addU16(extensionKeyShare) 949 keyShare := extensions.addU16LengthPrefixed() 950 keyShare.addU16(uint16(m.keyShare.group)) 951 keyExchange := keyShare.addU16LengthPrefixed() 952 keyExchange.addBytes(m.keyShare.keyExchange) 953 } 954 if m.hasPSKIdentity { 955 extensions.addU16(extensionPreSharedKey) 956 extensions.addU16(2) // Length 957 extensions.addU16(m.pskIdentity) 958 } 959 extensions.addU16(extensionSupportedVersions) 960 extensions.addU16(2) // Length 961 if m.supportedVersOverride != 0 { 962 extensions.addU16(m.supportedVersOverride) 963 } else { 964 extensions.addU16(m.vers) 965 } 966 if len(m.customExtension) > 0 { 967 extensions.addU16(extensionCustom) 968 customExt := extensions.addU16LengthPrefixed() 969 customExt.addBytes([]byte(m.customExtension)) 970 } 971 if len(m.unencryptedALPN) > 0 { 972 extensions.addU16(extensionALPN) 973 extension := extensions.addU16LengthPrefixed() 974 975 protocolNameList := extension.addU16LengthPrefixed() 976 protocolName := protocolNameList.addU8LengthPrefixed() 977 protocolName.addBytes([]byte(m.unencryptedALPN)) 978 } 979 } else { 980 m.extensions.marshal(extensions) 981 if m.omitExtensions || m.emptyExtensions { 982 // Silently erasing server extensions will break the handshake. Instead, 983 // assert that tests which use this field also disable all features which 984 // would write an extension. 985 if extensions.len() != 0 { 986 panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", extensions.data(), m)) 987 } 988 hello.discardChild() 989 if m.emptyExtensions { 990 hello.addU16(0) 991 } 992 } 993 } 994 995 m.raw = handshakeMsg.finish() 996 return m.raw 997} 998 999func (m *serverHelloMsg) unmarshal(data []byte) bool { 1000 m.raw = data 1001 reader := byteReader(data[4:]) 1002 if !reader.readU16(&m.vers) || 1003 !reader.readBytes(&m.random, 32) { 1004 return false 1005 } 1006 vers, ok := wireToVersion(m.vers, m.isDTLS) 1007 if !ok { 1008 return false 1009 } 1010 if !reader.readU8LengthPrefixedBytes(&m.sessionId) || 1011 !reader.readU16(&m.cipherSuite) || 1012 !reader.readU8(&m.compressionMethod) { 1013 return false 1014 } 1015 1016 if len(reader) == 0 && m.vers < VersionTLS13 { 1017 // Extension data is optional before TLS 1.3. 1018 m.extensions = serverExtensions{} 1019 m.omitExtensions = true 1020 return true 1021 } 1022 1023 var extensions byteReader 1024 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1025 return false 1026 } 1027 1028 // Parse out the version from supported_versions if available. 1029 if m.vers == VersionTLS12 { 1030 extensionsCopy := extensions 1031 for len(extensionsCopy) > 0 { 1032 var extension uint16 1033 var body byteReader 1034 if !extensionsCopy.readU16(&extension) || 1035 !extensionsCopy.readU16LengthPrefixed(&body) { 1036 return false 1037 } 1038 if extension == extensionSupportedVersions { 1039 if !body.readU16(&m.vers) || len(body) != 0 { 1040 return false 1041 } 1042 vers, ok = wireToVersion(m.vers, m.isDTLS) 1043 if !ok { 1044 return false 1045 } 1046 } 1047 } 1048 } 1049 1050 if vers >= VersionTLS13 { 1051 for len(extensions) > 0 { 1052 var extension uint16 1053 var body byteReader 1054 if !extensions.readU16(&extension) || 1055 !extensions.readU16LengthPrefixed(&body) { 1056 return false 1057 } 1058 switch extension { 1059 case extensionKeyShare: 1060 m.hasKeyShare = true 1061 var group uint16 1062 if !body.readU16(&group) || 1063 !body.readU16LengthPrefixedBytes(&m.keyShare.keyExchange) || 1064 len(body) != 0 { 1065 return false 1066 } 1067 m.keyShare.group = CurveID(group) 1068 case extensionPreSharedKey: 1069 if !body.readU16(&m.pskIdentity) || len(body) != 0 { 1070 return false 1071 } 1072 m.hasPSKIdentity = true 1073 case extensionSupportedVersions: 1074 // Parsed above. 1075 default: 1076 // Only allow the 3 extensions that are sent in 1077 // the clear in TLS 1.3. 1078 return false 1079 } 1080 } 1081 } else if !m.extensions.unmarshal(extensions, vers) { 1082 return false 1083 } 1084 1085 return true 1086} 1087 1088type encryptedExtensionsMsg struct { 1089 raw []byte 1090 extensions serverExtensions 1091 empty bool 1092} 1093 1094func (m *encryptedExtensionsMsg) marshal() []byte { 1095 if m.raw != nil { 1096 return m.raw 1097 } 1098 1099 encryptedExtensionsMsg := newByteBuilder() 1100 encryptedExtensionsMsg.addU8(typeEncryptedExtensions) 1101 encryptedExtensions := encryptedExtensionsMsg.addU24LengthPrefixed() 1102 if !m.empty { 1103 extensions := encryptedExtensions.addU16LengthPrefixed() 1104 m.extensions.marshal(extensions) 1105 } 1106 1107 m.raw = encryptedExtensionsMsg.finish() 1108 return m.raw 1109} 1110 1111func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1112 m.raw = data 1113 reader := byteReader(data[4:]) 1114 var extensions byteReader 1115 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1116 return false 1117 } 1118 return m.extensions.unmarshal(extensions, VersionTLS13) 1119} 1120 1121type serverExtensions struct { 1122 nextProtoNeg bool 1123 nextProtos []string 1124 ocspStapling bool 1125 ticketSupported bool 1126 secureRenegotiation []byte 1127 alpnProtocol string 1128 alpnProtocolEmpty bool 1129 duplicateExtension bool 1130 channelIDRequested bool 1131 tokenBindingParams []byte 1132 tokenBindingVersion uint16 1133 extendedMasterSecret bool 1134 srtpProtectionProfile uint16 1135 srtpMasterKeyIdentifier string 1136 sctList []byte 1137 customExtension string 1138 npnAfterAlpn bool 1139 hasKeyShare bool 1140 hasEarlyData bool 1141 keyShare keyShareEntry 1142 supportedVersion uint16 1143 supportedPoints []uint8 1144 supportedCurves []CurveID 1145 quicTransportParams []byte 1146 serverNameAck bool 1147} 1148 1149func (m *serverExtensions) marshal(extensions *byteBuilder) { 1150 if m.duplicateExtension { 1151 // Add a duplicate bogus extension at the beginning and end. 1152 extensions.addU16(0xffff) 1153 extensions.addU16(0) // length = 0 for empty extension 1154 } 1155 if m.nextProtoNeg && !m.npnAfterAlpn { 1156 extensions.addU16(extensionNextProtoNeg) 1157 extension := extensions.addU16LengthPrefixed() 1158 1159 for _, v := range m.nextProtos { 1160 if len(v) > 255 { 1161 v = v[:255] 1162 } 1163 npn := extension.addU8LengthPrefixed() 1164 npn.addBytes([]byte(v)) 1165 } 1166 } 1167 if m.ocspStapling { 1168 extensions.addU16(extensionStatusRequest) 1169 extensions.addU16(0) 1170 } 1171 if m.ticketSupported { 1172 extensions.addU16(extensionSessionTicket) 1173 extensions.addU16(0) 1174 } 1175 if m.secureRenegotiation != nil { 1176 extensions.addU16(extensionRenegotiationInfo) 1177 extension := extensions.addU16LengthPrefixed() 1178 secureRenego := extension.addU8LengthPrefixed() 1179 secureRenego.addBytes(m.secureRenegotiation) 1180 } 1181 if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty { 1182 extensions.addU16(extensionALPN) 1183 extension := extensions.addU16LengthPrefixed() 1184 1185 protocolNameList := extension.addU16LengthPrefixed() 1186 protocolName := protocolNameList.addU8LengthPrefixed() 1187 protocolName.addBytes([]byte(m.alpnProtocol)) 1188 } 1189 if m.channelIDRequested { 1190 extensions.addU16(extensionChannelID) 1191 extensions.addU16(0) 1192 } 1193 if m.tokenBindingParams != nil { 1194 extensions.addU16(extensionTokenBinding) 1195 tokbindExtension := extensions.addU16LengthPrefixed() 1196 tokbindExtension.addU16(m.tokenBindingVersion) 1197 tokbindParams := tokbindExtension.addU8LengthPrefixed() 1198 tokbindParams.addBytes(m.tokenBindingParams) 1199 } 1200 if m.duplicateExtension { 1201 // Add a duplicate bogus extension at the beginning and end. 1202 extensions.addU16(0xffff) 1203 extensions.addU16(0) 1204 } 1205 if m.extendedMasterSecret { 1206 extensions.addU16(extensionExtendedMasterSecret) 1207 extensions.addU16(0) 1208 } 1209 if m.srtpProtectionProfile != 0 { 1210 extensions.addU16(extensionUseSRTP) 1211 extension := extensions.addU16LengthPrefixed() 1212 1213 srtpProtectionProfiles := extension.addU16LengthPrefixed() 1214 srtpProtectionProfiles.addU16(m.srtpProtectionProfile) 1215 srtpMki := extension.addU8LengthPrefixed() 1216 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 1217 } 1218 if m.sctList != nil { 1219 extensions.addU16(extensionSignedCertificateTimestamp) 1220 extension := extensions.addU16LengthPrefixed() 1221 extension.addBytes(m.sctList) 1222 } 1223 if l := len(m.customExtension); l > 0 { 1224 extensions.addU16(extensionCustom) 1225 customExt := extensions.addU16LengthPrefixed() 1226 customExt.addBytes([]byte(m.customExtension)) 1227 } 1228 if m.nextProtoNeg && m.npnAfterAlpn { 1229 extensions.addU16(extensionNextProtoNeg) 1230 extension := extensions.addU16LengthPrefixed() 1231 1232 for _, v := range m.nextProtos { 1233 if len(v) > 255 { 1234 v = v[0:255] 1235 } 1236 npn := extension.addU8LengthPrefixed() 1237 npn.addBytes([]byte(v)) 1238 } 1239 } 1240 if m.hasKeyShare { 1241 extensions.addU16(extensionKeyShare) 1242 keyShare := extensions.addU16LengthPrefixed() 1243 keyShare.addU16(uint16(m.keyShare.group)) 1244 keyExchange := keyShare.addU16LengthPrefixed() 1245 keyExchange.addBytes(m.keyShare.keyExchange) 1246 } 1247 if m.supportedVersion != 0 { 1248 extensions.addU16(extensionSupportedVersions) 1249 extensions.addU16(2) // Length 1250 extensions.addU16(m.supportedVersion) 1251 } 1252 if len(m.supportedPoints) > 0 { 1253 // http://tools.ietf.org/html/rfc4492#section-5.1.2 1254 extensions.addU16(extensionSupportedPoints) 1255 supportedPointsList := extensions.addU16LengthPrefixed() 1256 supportedPoints := supportedPointsList.addU8LengthPrefixed() 1257 supportedPoints.addBytes(m.supportedPoints) 1258 } 1259 if len(m.supportedCurves) > 0 { 1260 // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4 1261 extensions.addU16(extensionSupportedCurves) 1262 supportedCurvesList := extensions.addU16LengthPrefixed() 1263 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 1264 for _, curve := range m.supportedCurves { 1265 supportedCurves.addU16(uint16(curve)) 1266 } 1267 } 1268 if len(m.quicTransportParams) > 0 { 1269 extensions.addU16(extensionQUICTransportParams) 1270 params := extensions.addU16LengthPrefixed() 1271 params.addBytes(m.quicTransportParams) 1272 } 1273 if m.hasEarlyData { 1274 extensions.addU16(extensionEarlyData) 1275 extensions.addBytes([]byte{0, 0}) 1276 } 1277 if m.serverNameAck { 1278 extensions.addU16(extensionServerName) 1279 extensions.addU16(0) // zero length 1280 } 1281} 1282 1283func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool { 1284 // Reset all fields. 1285 *m = serverExtensions{} 1286 1287 for len(data) > 0 { 1288 var extension uint16 1289 var body byteReader 1290 if !data.readU16(&extension) || 1291 !data.readU16LengthPrefixed(&body) { 1292 return false 1293 } 1294 switch extension { 1295 case extensionNextProtoNeg: 1296 m.nextProtoNeg = true 1297 for len(body) > 0 { 1298 var protocol []byte 1299 if !body.readU8LengthPrefixedBytes(&protocol) { 1300 return false 1301 } 1302 m.nextProtos = append(m.nextProtos, string(protocol)) 1303 } 1304 case extensionStatusRequest: 1305 if len(body) != 0 { 1306 return false 1307 } 1308 m.ocspStapling = true 1309 case extensionSessionTicket: 1310 if len(body) != 0 { 1311 return false 1312 } 1313 m.ticketSupported = true 1314 case extensionRenegotiationInfo: 1315 if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 { 1316 return false 1317 } 1318 case extensionALPN: 1319 var protocols, protocol byteReader 1320 if !body.readU16LengthPrefixed(&protocols) || 1321 len(body) != 0 || 1322 !protocols.readU8LengthPrefixed(&protocol) || 1323 len(protocols) != 0 { 1324 return false 1325 } 1326 m.alpnProtocol = string(protocol) 1327 m.alpnProtocolEmpty = len(protocol) == 0 1328 case extensionChannelID: 1329 if len(body) != 0 { 1330 return false 1331 } 1332 m.channelIDRequested = true 1333 case extensionTokenBinding: 1334 if !body.readU16(&m.tokenBindingVersion) || 1335 !body.readU8LengthPrefixedBytes(&m.tokenBindingParams) || 1336 len(m.tokenBindingParams) != 1 || 1337 len(body) != 0 { 1338 return false 1339 } 1340 case extensionExtendedMasterSecret: 1341 if len(body) != 0 { 1342 return false 1343 } 1344 m.extendedMasterSecret = true 1345 case extensionUseSRTP: 1346 var profiles, mki byteReader 1347 if !body.readU16LengthPrefixed(&profiles) || 1348 !profiles.readU16(&m.srtpProtectionProfile) || 1349 len(profiles) != 0 || 1350 !body.readU8LengthPrefixed(&mki) || 1351 len(body) != 0 { 1352 return false 1353 } 1354 m.srtpMasterKeyIdentifier = string(mki) 1355 case extensionSignedCertificateTimestamp: 1356 m.sctList = []byte(body) 1357 case extensionCustom: 1358 m.customExtension = string(body) 1359 case extensionServerName: 1360 if len(body) != 0 { 1361 return false 1362 } 1363 m.serverNameAck = true 1364 case extensionSupportedPoints: 1365 // supported_points is illegal in TLS 1.3. 1366 if version >= VersionTLS13 { 1367 return false 1368 } 1369 // http://tools.ietf.org/html/rfc4492#section-5.5.2 1370 if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 { 1371 return false 1372 } 1373 case extensionSupportedCurves: 1374 // The server can only send supported_curves in TLS 1.3. 1375 if version < VersionTLS13 { 1376 return false 1377 } 1378 case extensionQUICTransportParams: 1379 m.quicTransportParams = body 1380 case extensionEarlyData: 1381 if version < VersionTLS13 || len(body) != 0 { 1382 return false 1383 } 1384 m.hasEarlyData = true 1385 default: 1386 // Unknown extensions are illegal from the server. 1387 return false 1388 } 1389 } 1390 1391 return true 1392} 1393 1394type helloRetryRequestMsg struct { 1395 raw []byte 1396 vers uint16 1397 isServerHello bool 1398 sessionId []byte 1399 cipherSuite uint16 1400 compressionMethod uint8 1401 hasSelectedGroup bool 1402 selectedGroup CurveID 1403 cookie []byte 1404 customExtension string 1405 duplicateExtensions bool 1406} 1407 1408func (m *helloRetryRequestMsg) marshal() []byte { 1409 if m.raw != nil { 1410 return m.raw 1411 } 1412 1413 retryRequestMsg := newByteBuilder() 1414 retryRequestMsg.addU8(typeServerHello) 1415 retryRequest := retryRequestMsg.addU24LengthPrefixed() 1416 retryRequest.addU16(VersionTLS12) 1417 retryRequest.addBytes(tls13HelloRetryRequest) 1418 sessionId := retryRequest.addU8LengthPrefixed() 1419 sessionId.addBytes(m.sessionId) 1420 retryRequest.addU16(m.cipherSuite) 1421 retryRequest.addU8(m.compressionMethod) 1422 1423 extensions := retryRequest.addU16LengthPrefixed() 1424 1425 count := 1 1426 if m.duplicateExtensions { 1427 count = 2 1428 } 1429 1430 for i := 0; i < count; i++ { 1431 extensions.addU16(extensionSupportedVersions) 1432 extensions.addU16(2) // Length 1433 extensions.addU16(m.vers) 1434 if m.hasSelectedGroup { 1435 extensions.addU16(extensionKeyShare) 1436 extensions.addU16(2) // length 1437 extensions.addU16(uint16(m.selectedGroup)) 1438 } 1439 // m.cookie may be a non-nil empty slice for empty cookie tests. 1440 if m.cookie != nil { 1441 extensions.addU16(extensionCookie) 1442 body := extensions.addU16LengthPrefixed() 1443 body.addU16LengthPrefixed().addBytes(m.cookie) 1444 } 1445 if len(m.customExtension) > 0 { 1446 extensions.addU16(extensionCustom) 1447 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 1448 } 1449 } 1450 1451 m.raw = retryRequestMsg.finish() 1452 return m.raw 1453} 1454 1455func (m *helloRetryRequestMsg) unmarshal(data []byte) bool { 1456 m.raw = data 1457 reader := byteReader(data[4:]) 1458 if !reader.readU16(&m.vers) { 1459 return false 1460 } 1461 if m.isServerHello { 1462 var random []byte 1463 var compressionMethod byte 1464 if !reader.readBytes(&random, 32) || 1465 !reader.readU8LengthPrefixedBytes(&m.sessionId) || 1466 !reader.readU16(&m.cipherSuite) || 1467 !reader.readU8(&compressionMethod) || 1468 compressionMethod != 0 { 1469 return false 1470 } 1471 } else if !reader.readU16(&m.cipherSuite) { 1472 return false 1473 } 1474 var extensions byteReader 1475 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1476 return false 1477 } 1478 extensionsCopy := extensions 1479 for len(extensionsCopy) > 0 { 1480 var extension uint16 1481 var body byteReader 1482 if !extensionsCopy.readU16(&extension) || 1483 !extensionsCopy.readU16LengthPrefixed(&body) { 1484 return false 1485 } 1486 switch extension { 1487 case extensionSupportedVersions: 1488 if !m.isServerHello || 1489 !body.readU16(&m.vers) || 1490 len(body) != 0 { 1491 return false 1492 } 1493 default: 1494 } 1495 } 1496 for len(extensions) > 0 { 1497 var extension uint16 1498 var body byteReader 1499 if !extensions.readU16(&extension) || 1500 !extensions.readU16LengthPrefixed(&body) { 1501 return false 1502 } 1503 switch extension { 1504 case extensionSupportedVersions: 1505 // Parsed above. 1506 case extensionKeyShare: 1507 var v uint16 1508 if !body.readU16(&v) || len(body) != 0 { 1509 return false 1510 } 1511 m.hasSelectedGroup = true 1512 m.selectedGroup = CurveID(v) 1513 case extensionCookie: 1514 if !body.readU16LengthPrefixedBytes(&m.cookie) || len(body) != 0 { 1515 return false 1516 } 1517 default: 1518 // Unknown extensions are illegal from the server. 1519 return false 1520 } 1521 } 1522 return true 1523} 1524 1525type certificateEntry struct { 1526 data []byte 1527 ocspResponse []byte 1528 sctList []byte 1529 duplicateExtensions bool 1530 extraExtension []byte 1531} 1532 1533type certificateMsg struct { 1534 raw []byte 1535 hasRequestContext bool 1536 requestContext []byte 1537 certificates []certificateEntry 1538} 1539 1540func (m *certificateMsg) marshal() (x []byte) { 1541 if m.raw != nil { 1542 return m.raw 1543 } 1544 1545 certMsg := newByteBuilder() 1546 certMsg.addU8(typeCertificate) 1547 certificate := certMsg.addU24LengthPrefixed() 1548 if m.hasRequestContext { 1549 context := certificate.addU8LengthPrefixed() 1550 context.addBytes(m.requestContext) 1551 } 1552 certificateList := certificate.addU24LengthPrefixed() 1553 for _, cert := range m.certificates { 1554 certEntry := certificateList.addU24LengthPrefixed() 1555 certEntry.addBytes(cert.data) 1556 if m.hasRequestContext { 1557 extensions := certificateList.addU16LengthPrefixed() 1558 count := 1 1559 if cert.duplicateExtensions { 1560 count = 2 1561 } 1562 1563 for i := 0; i < count; i++ { 1564 if cert.ocspResponse != nil { 1565 extensions.addU16(extensionStatusRequest) 1566 body := extensions.addU16LengthPrefixed() 1567 body.addU8(statusTypeOCSP) 1568 response := body.addU24LengthPrefixed() 1569 response.addBytes(cert.ocspResponse) 1570 } 1571 1572 if cert.sctList != nil { 1573 extensions.addU16(extensionSignedCertificateTimestamp) 1574 extension := extensions.addU16LengthPrefixed() 1575 extension.addBytes(cert.sctList) 1576 } 1577 } 1578 if cert.extraExtension != nil { 1579 extensions.addBytes(cert.extraExtension) 1580 } 1581 } 1582 } 1583 1584 m.raw = certMsg.finish() 1585 return m.raw 1586} 1587 1588func (m *certificateMsg) unmarshal(data []byte) bool { 1589 m.raw = data 1590 reader := byteReader(data[4:]) 1591 1592 if m.hasRequestContext && !reader.readU8LengthPrefixedBytes(&m.requestContext) { 1593 return false 1594 } 1595 1596 var certs byteReader 1597 if !reader.readU24LengthPrefixed(&certs) || len(reader) != 0 { 1598 return false 1599 } 1600 m.certificates = nil 1601 for len(certs) > 0 { 1602 var cert certificateEntry 1603 if !certs.readU24LengthPrefixedBytes(&cert.data) { 1604 return false 1605 } 1606 if m.hasRequestContext { 1607 var extensions byteReader 1608 if !certs.readU16LengthPrefixed(&extensions) { 1609 return false 1610 } 1611 for len(extensions) > 0 { 1612 var extension uint16 1613 var body byteReader 1614 if !extensions.readU16(&extension) || 1615 !extensions.readU16LengthPrefixed(&body) { 1616 return false 1617 } 1618 switch extension { 1619 case extensionStatusRequest: 1620 var statusType byte 1621 if !body.readU8(&statusType) || 1622 statusType != statusTypeOCSP || 1623 !body.readU24LengthPrefixedBytes(&cert.ocspResponse) || 1624 len(body) != 0 { 1625 return false 1626 } 1627 case extensionSignedCertificateTimestamp: 1628 cert.sctList = []byte(body) 1629 default: 1630 return false 1631 } 1632 } 1633 } 1634 m.certificates = append(m.certificates, cert) 1635 } 1636 1637 return true 1638} 1639 1640type serverKeyExchangeMsg struct { 1641 raw []byte 1642 key []byte 1643} 1644 1645func (m *serverKeyExchangeMsg) marshal() []byte { 1646 if m.raw != nil { 1647 return m.raw 1648 } 1649 msg := newByteBuilder() 1650 msg.addU8(typeServerKeyExchange) 1651 msg.addU24LengthPrefixed().addBytes(m.key) 1652 m.raw = msg.finish() 1653 return m.raw 1654} 1655 1656func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1657 m.raw = data 1658 if len(data) < 4 { 1659 return false 1660 } 1661 m.key = data[4:] 1662 return true 1663} 1664 1665type certificateStatusMsg struct { 1666 raw []byte 1667 statusType uint8 1668 response []byte 1669} 1670 1671func (m *certificateStatusMsg) marshal() []byte { 1672 if m.raw != nil { 1673 return m.raw 1674 } 1675 1676 var x []byte 1677 if m.statusType == statusTypeOCSP { 1678 msg := newByteBuilder() 1679 msg.addU8(typeCertificateStatus) 1680 body := msg.addU24LengthPrefixed() 1681 body.addU8(statusTypeOCSP) 1682 body.addU24LengthPrefixed().addBytes(m.response) 1683 x = msg.finish() 1684 } else { 1685 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 1686 } 1687 1688 m.raw = x 1689 return x 1690} 1691 1692func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1693 m.raw = data 1694 reader := byteReader(data[4:]) 1695 if !reader.readU8(&m.statusType) || 1696 m.statusType != statusTypeOCSP || 1697 !reader.readU24LengthPrefixedBytes(&m.response) || 1698 len(reader) != 0 { 1699 return false 1700 } 1701 return true 1702} 1703 1704type serverHelloDoneMsg struct{} 1705 1706func (m *serverHelloDoneMsg) marshal() []byte { 1707 x := make([]byte, 4) 1708 x[0] = typeServerHelloDone 1709 return x 1710} 1711 1712func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1713 return len(data) == 4 1714} 1715 1716type clientKeyExchangeMsg struct { 1717 raw []byte 1718 ciphertext []byte 1719} 1720 1721func (m *clientKeyExchangeMsg) marshal() []byte { 1722 if m.raw != nil { 1723 return m.raw 1724 } 1725 msg := newByteBuilder() 1726 msg.addU8(typeClientKeyExchange) 1727 msg.addU24LengthPrefixed().addBytes(m.ciphertext) 1728 m.raw = msg.finish() 1729 return m.raw 1730} 1731 1732func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1733 m.raw = data 1734 if len(data) < 4 { 1735 return false 1736 } 1737 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1738 if l != len(data)-4 { 1739 return false 1740 } 1741 m.ciphertext = data[4:] 1742 return true 1743} 1744 1745type finishedMsg struct { 1746 raw []byte 1747 verifyData []byte 1748} 1749 1750func (m *finishedMsg) marshal() []byte { 1751 if m.raw != nil { 1752 return m.raw 1753 } 1754 1755 msg := newByteBuilder() 1756 msg.addU8(typeFinished) 1757 msg.addU24LengthPrefixed().addBytes(m.verifyData) 1758 m.raw = msg.finish() 1759 return m.raw 1760} 1761 1762func (m *finishedMsg) unmarshal(data []byte) bool { 1763 m.raw = data 1764 if len(data) < 4 { 1765 return false 1766 } 1767 m.verifyData = data[4:] 1768 return true 1769} 1770 1771type nextProtoMsg struct { 1772 raw []byte 1773 proto string 1774} 1775 1776func (m *nextProtoMsg) marshal() []byte { 1777 if m.raw != nil { 1778 return m.raw 1779 } 1780 1781 padding := 32 - (len(m.proto)+2)%32 1782 1783 msg := newByteBuilder() 1784 msg.addU8(typeNextProtocol) 1785 body := msg.addU24LengthPrefixed() 1786 body.addU8LengthPrefixed().addBytes([]byte(m.proto)) 1787 body.addU8LengthPrefixed().addBytes(make([]byte, padding)) 1788 m.raw = msg.finish() 1789 return m.raw 1790} 1791 1792func (m *nextProtoMsg) unmarshal(data []byte) bool { 1793 m.raw = data 1794 reader := byteReader(data[4:]) 1795 var proto, padding []byte 1796 if !reader.readU8LengthPrefixedBytes(&proto) || 1797 !reader.readU8LengthPrefixedBytes(&padding) || 1798 len(reader) != 0 { 1799 return false 1800 } 1801 m.proto = string(proto) 1802 1803 // Padding is not meant to be checked normally, but as this is a testing 1804 // implementation, we check the padding is as expected. 1805 if len(padding) != 32-(len(m.proto)+2)%32 { 1806 return false 1807 } 1808 for _, v := range padding { 1809 if v != 0 { 1810 return false 1811 } 1812 } 1813 1814 return true 1815} 1816 1817type certificateRequestMsg struct { 1818 raw []byte 1819 vers uint16 1820 // hasSignatureAlgorithm indicates whether this message includes a list 1821 // of signature and hash functions. This change was introduced with TLS 1822 // 1.2. 1823 hasSignatureAlgorithm bool 1824 // hasRequestContext indicates whether this message includes a context 1825 // field instead of certificateTypes. This change was introduced with 1826 // TLS 1.3. 1827 hasRequestContext bool 1828 1829 certificateTypes []byte 1830 requestContext []byte 1831 signatureAlgorithms []signatureAlgorithm 1832 certificateAuthorities [][]byte 1833 hasCAExtension bool 1834 customExtension uint16 1835} 1836 1837func (m *certificateRequestMsg) marshal() []byte { 1838 if m.raw != nil { 1839 return m.raw 1840 } 1841 1842 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 1843 builder := newByteBuilder() 1844 builder.addU8(typeCertificateRequest) 1845 body := builder.addU24LengthPrefixed() 1846 1847 if m.hasRequestContext { 1848 requestContext := body.addU8LengthPrefixed() 1849 requestContext.addBytes(m.requestContext) 1850 extensions := newByteBuilder() 1851 extensions = body.addU16LengthPrefixed() 1852 if m.hasSignatureAlgorithm { 1853 extensions.addU16(extensionSignatureAlgorithms) 1854 signatureAlgorithms := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 1855 for _, sigAlg := range m.signatureAlgorithms { 1856 signatureAlgorithms.addU16(uint16(sigAlg)) 1857 } 1858 } 1859 if len(m.certificateAuthorities) > 0 { 1860 extensions.addU16(extensionCertificateAuthorities) 1861 certificateAuthorities := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 1862 for _, ca := range m.certificateAuthorities { 1863 caEntry := certificateAuthorities.addU16LengthPrefixed() 1864 caEntry.addBytes(ca) 1865 } 1866 } 1867 1868 if m.customExtension > 0 { 1869 extensions.addU16(m.customExtension) 1870 extensions.addU16LengthPrefixed() 1871 } 1872 } else { 1873 certificateTypes := body.addU8LengthPrefixed() 1874 certificateTypes.addBytes(m.certificateTypes) 1875 1876 if m.hasSignatureAlgorithm { 1877 signatureAlgorithms := body.addU16LengthPrefixed() 1878 for _, sigAlg := range m.signatureAlgorithms { 1879 signatureAlgorithms.addU16(uint16(sigAlg)) 1880 } 1881 } 1882 1883 certificateAuthorities := body.addU16LengthPrefixed() 1884 for _, ca := range m.certificateAuthorities { 1885 caEntry := certificateAuthorities.addU16LengthPrefixed() 1886 caEntry.addBytes(ca) 1887 } 1888 } 1889 1890 m.raw = builder.finish() 1891 return m.raw 1892} 1893 1894func parseCAs(reader *byteReader, out *[][]byte) bool { 1895 var cas byteReader 1896 if !reader.readU16LengthPrefixed(&cas) { 1897 return false 1898 } 1899 for len(cas) > 0 { 1900 var ca []byte 1901 if !cas.readU16LengthPrefixedBytes(&ca) { 1902 return false 1903 } 1904 *out = append(*out, ca) 1905 } 1906 return true 1907} 1908 1909func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1910 m.raw = data 1911 reader := byteReader(data[4:]) 1912 1913 if m.hasRequestContext { 1914 var extensions byteReader 1915 if !reader.readU8LengthPrefixedBytes(&m.requestContext) || 1916 !reader.readU16LengthPrefixed(&extensions) || 1917 len(reader) != 0 { 1918 return false 1919 } 1920 for len(extensions) > 0 { 1921 var extension uint16 1922 var body byteReader 1923 if !extensions.readU16(&extension) || 1924 !extensions.readU16LengthPrefixed(&body) { 1925 return false 1926 } 1927 switch extension { 1928 case extensionSignatureAlgorithms: 1929 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms) || len(body) != 0 { 1930 return false 1931 } 1932 case extensionCertificateAuthorities: 1933 if !parseCAs(&body, &m.certificateAuthorities) || len(body) != 0 { 1934 return false 1935 } 1936 m.hasCAExtension = true 1937 } 1938 } 1939 } else { 1940 if !reader.readU8LengthPrefixedBytes(&m.certificateTypes) { 1941 return false 1942 } 1943 if m.hasSignatureAlgorithm && !parseSignatureAlgorithms(&reader, &m.signatureAlgorithms) { 1944 return false 1945 } 1946 if !parseCAs(&reader, &m.certificateAuthorities) || 1947 len(reader) != 0 { 1948 return false 1949 } 1950 } 1951 1952 return true 1953} 1954 1955type certificateVerifyMsg struct { 1956 raw []byte 1957 hasSignatureAlgorithm bool 1958 signatureAlgorithm signatureAlgorithm 1959 signature []byte 1960} 1961 1962func (m *certificateVerifyMsg) marshal() (x []byte) { 1963 if m.raw != nil { 1964 return m.raw 1965 } 1966 1967 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 1968 siglength := len(m.signature) 1969 length := 2 + siglength 1970 if m.hasSignatureAlgorithm { 1971 length += 2 1972 } 1973 x = make([]byte, 4+length) 1974 x[0] = typeCertificateVerify 1975 x[1] = uint8(length >> 16) 1976 x[2] = uint8(length >> 8) 1977 x[3] = uint8(length) 1978 y := x[4:] 1979 if m.hasSignatureAlgorithm { 1980 y[0] = byte(m.signatureAlgorithm >> 8) 1981 y[1] = byte(m.signatureAlgorithm) 1982 y = y[2:] 1983 } 1984 y[0] = uint8(siglength >> 8) 1985 y[1] = uint8(siglength) 1986 copy(y[2:], m.signature) 1987 1988 m.raw = x 1989 1990 return 1991} 1992 1993func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1994 m.raw = data 1995 1996 if len(data) < 6 { 1997 return false 1998 } 1999 2000 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2001 if uint32(len(data))-4 != length { 2002 return false 2003 } 2004 2005 data = data[4:] 2006 if m.hasSignatureAlgorithm { 2007 m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1]) 2008 data = data[2:] 2009 } 2010 2011 if len(data) < 2 { 2012 return false 2013 } 2014 siglength := int(data[0])<<8 + int(data[1]) 2015 data = data[2:] 2016 if len(data) != siglength { 2017 return false 2018 } 2019 2020 m.signature = data 2021 2022 return true 2023} 2024 2025type newSessionTicketMsg struct { 2026 raw []byte 2027 vers uint16 2028 isDTLS bool 2029 ticketLifetime uint32 2030 ticketAgeAdd uint32 2031 ticketNonce []byte 2032 ticket []byte 2033 maxEarlyDataSize uint32 2034 customExtension string 2035 duplicateEarlyDataExtension bool 2036 hasGREASEExtension bool 2037} 2038 2039func (m *newSessionTicketMsg) marshal() []byte { 2040 if m.raw != nil { 2041 return m.raw 2042 } 2043 2044 version, ok := wireToVersion(m.vers, m.isDTLS) 2045 if !ok { 2046 panic("unknown version") 2047 } 2048 2049 // See http://tools.ietf.org/html/rfc5077#section-3.3 2050 ticketMsg := newByteBuilder() 2051 ticketMsg.addU8(typeNewSessionTicket) 2052 body := ticketMsg.addU24LengthPrefixed() 2053 body.addU32(m.ticketLifetime) 2054 if version >= VersionTLS13 { 2055 body.addU32(m.ticketAgeAdd) 2056 body.addU8LengthPrefixed().addBytes(m.ticketNonce) 2057 } 2058 2059 ticket := body.addU16LengthPrefixed() 2060 ticket.addBytes(m.ticket) 2061 2062 if version >= VersionTLS13 { 2063 extensions := body.addU16LengthPrefixed() 2064 if m.maxEarlyDataSize > 0 { 2065 extensions.addU16(extensionEarlyData) 2066 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2067 if m.duplicateEarlyDataExtension { 2068 extensions.addU16(extensionEarlyData) 2069 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2070 } 2071 } 2072 if len(m.customExtension) > 0 { 2073 extensions.addU16(extensionCustom) 2074 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 2075 } 2076 } 2077 2078 m.raw = ticketMsg.finish() 2079 return m.raw 2080} 2081 2082func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2083 m.raw = data 2084 2085 version, ok := wireToVersion(m.vers, m.isDTLS) 2086 if !ok { 2087 panic("unknown version") 2088 } 2089 2090 if len(data) < 8 { 2091 return false 2092 } 2093 m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 2094 data = data[8:] 2095 2096 if version >= VersionTLS13 { 2097 if len(data) < 4 { 2098 return false 2099 } 2100 m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2101 data = data[4:] 2102 nonceLen := int(data[0]) 2103 data = data[1:] 2104 if len(data) < nonceLen { 2105 return false 2106 } 2107 m.ticketNonce = data[:nonceLen] 2108 data = data[nonceLen:] 2109 } 2110 2111 if len(data) < 2 { 2112 return false 2113 } 2114 ticketLen := int(data[0])<<8 + int(data[1]) 2115 data = data[2:] 2116 if len(data) < ticketLen { 2117 return false 2118 } 2119 2120 if version >= VersionTLS13 && ticketLen == 0 { 2121 return false 2122 } 2123 2124 m.ticket = data[:ticketLen] 2125 data = data[ticketLen:] 2126 2127 if version >= VersionTLS13 { 2128 if len(data) < 2 { 2129 return false 2130 } 2131 2132 extensionsLength := int(data[0])<<8 | int(data[1]) 2133 data = data[2:] 2134 if extensionsLength != len(data) { 2135 return false 2136 } 2137 2138 for len(data) != 0 { 2139 if len(data) < 4 { 2140 return false 2141 } 2142 extension := uint16(data[0])<<8 | uint16(data[1]) 2143 length := int(data[2])<<8 | int(data[3]) 2144 data = data[4:] 2145 if len(data) < length { 2146 return false 2147 } 2148 2149 switch extension { 2150 case extensionEarlyData: 2151 if length != 4 { 2152 return false 2153 } 2154 m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2155 default: 2156 if isGREASEValue(extension) { 2157 m.hasGREASEExtension = true 2158 } 2159 } 2160 2161 data = data[length:] 2162 } 2163 } 2164 2165 if len(data) > 0 { 2166 return false 2167 } 2168 2169 return true 2170} 2171 2172type v2ClientHelloMsg struct { 2173 raw []byte 2174 vers uint16 2175 cipherSuites []uint16 2176 sessionId []byte 2177 challenge []byte 2178} 2179 2180func (m *v2ClientHelloMsg) marshal() []byte { 2181 if m.raw != nil { 2182 return m.raw 2183 } 2184 2185 length := 1 + 2 + 2 + 2 + 2 + len(m.cipherSuites)*3 + len(m.sessionId) + len(m.challenge) 2186 2187 x := make([]byte, length) 2188 x[0] = 1 2189 x[1] = uint8(m.vers >> 8) 2190 x[2] = uint8(m.vers) 2191 x[3] = uint8((len(m.cipherSuites) * 3) >> 8) 2192 x[4] = uint8(len(m.cipherSuites) * 3) 2193 x[5] = uint8(len(m.sessionId) >> 8) 2194 x[6] = uint8(len(m.sessionId)) 2195 x[7] = uint8(len(m.challenge) >> 8) 2196 x[8] = uint8(len(m.challenge)) 2197 y := x[9:] 2198 for i, spec := range m.cipherSuites { 2199 y[i*3] = 0 2200 y[i*3+1] = uint8(spec >> 8) 2201 y[i*3+2] = uint8(spec) 2202 } 2203 y = y[len(m.cipherSuites)*3:] 2204 copy(y, m.sessionId) 2205 y = y[len(m.sessionId):] 2206 copy(y, m.challenge) 2207 2208 m.raw = x 2209 2210 return x 2211} 2212 2213type helloVerifyRequestMsg struct { 2214 raw []byte 2215 vers uint16 2216 cookie []byte 2217} 2218 2219func (m *helloVerifyRequestMsg) marshal() []byte { 2220 if m.raw != nil { 2221 return m.raw 2222 } 2223 2224 length := 2 + 1 + len(m.cookie) 2225 2226 x := make([]byte, 4+length) 2227 x[0] = typeHelloVerifyRequest 2228 x[1] = uint8(length >> 16) 2229 x[2] = uint8(length >> 8) 2230 x[3] = uint8(length) 2231 vers := m.vers 2232 x[4] = uint8(vers >> 8) 2233 x[5] = uint8(vers) 2234 x[6] = uint8(len(m.cookie)) 2235 copy(x[7:7+len(m.cookie)], m.cookie) 2236 2237 return x 2238} 2239 2240func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool { 2241 if len(data) < 4+2+1 { 2242 return false 2243 } 2244 m.raw = data 2245 m.vers = uint16(data[4])<<8 | uint16(data[5]) 2246 cookieLen := int(data[6]) 2247 if cookieLen > 32 || len(data) != 7+cookieLen { 2248 return false 2249 } 2250 m.cookie = data[7 : 7+cookieLen] 2251 2252 return true 2253} 2254 2255type channelIDMsg struct { 2256 raw []byte 2257 channelID []byte 2258} 2259 2260func (m *channelIDMsg) marshal() []byte { 2261 if m.raw != nil { 2262 return m.raw 2263 } 2264 2265 length := 2 + 2 + len(m.channelID) 2266 2267 x := make([]byte, 4+length) 2268 x[0] = typeChannelID 2269 x[1] = uint8(length >> 16) 2270 x[2] = uint8(length >> 8) 2271 x[3] = uint8(length) 2272 x[4] = uint8(extensionChannelID >> 8) 2273 x[5] = uint8(extensionChannelID & 0xff) 2274 x[6] = uint8(len(m.channelID) >> 8) 2275 x[7] = uint8(len(m.channelID) & 0xff) 2276 copy(x[8:], m.channelID) 2277 2278 return x 2279} 2280 2281func (m *channelIDMsg) unmarshal(data []byte) bool { 2282 if len(data) != 4+2+2+128 { 2283 return false 2284 } 2285 m.raw = data 2286 if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID { 2287 return false 2288 } 2289 if int(data[6])<<8|int(data[7]) != 128 { 2290 return false 2291 } 2292 m.channelID = data[4+2+2:] 2293 2294 return true 2295} 2296 2297type helloRequestMsg struct { 2298} 2299 2300func (*helloRequestMsg) marshal() []byte { 2301 return []byte{typeHelloRequest, 0, 0, 0} 2302} 2303 2304func (*helloRequestMsg) unmarshal(data []byte) bool { 2305 return len(data) == 4 2306} 2307 2308type keyUpdateMsg struct { 2309 raw []byte 2310 keyUpdateRequest byte 2311} 2312 2313func (m *keyUpdateMsg) marshal() []byte { 2314 if m.raw != nil { 2315 return m.raw 2316 } 2317 2318 return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest} 2319} 2320 2321func (m *keyUpdateMsg) unmarshal(data []byte) bool { 2322 m.raw = data 2323 2324 if len(data) != 5 { 2325 return false 2326 } 2327 2328 length := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 2329 if len(data)-4 != length { 2330 return false 2331 } 2332 2333 m.keyUpdateRequest = data[4] 2334 return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested 2335} 2336 2337type endOfEarlyDataMsg struct { 2338 nonEmpty bool 2339} 2340 2341func (m *endOfEarlyDataMsg) marshal() []byte { 2342 if m.nonEmpty { 2343 return []byte{typeEndOfEarlyData, 0, 0, 1, 42} 2344 } 2345 return []byte{typeEndOfEarlyData, 0, 0, 0} 2346} 2347 2348func (*endOfEarlyDataMsg) unmarshal(data []byte) bool { 2349 return len(data) == 4 2350} 2351 2352// ssl3NoCertificateMsg is a dummy message to handle SSL 3.0 using a warning 2353// alert in the handshake. 2354type ssl3NoCertificateMsg struct{} 2355 2356func eqUint16s(x, y []uint16) bool { 2357 if len(x) != len(y) { 2358 return false 2359 } 2360 for i, v := range x { 2361 if y[i] != v { 2362 return false 2363 } 2364 } 2365 return true 2366} 2367 2368func eqCurveIDs(x, y []CurveID) bool { 2369 if len(x) != len(y) { 2370 return false 2371 } 2372 for i, v := range x { 2373 if y[i] != v { 2374 return false 2375 } 2376 } 2377 return true 2378} 2379 2380func eqStrings(x, y []string) bool { 2381 if len(x) != len(y) { 2382 return false 2383 } 2384 for i, v := range x { 2385 if y[i] != v { 2386 return false 2387 } 2388 } 2389 return true 2390} 2391 2392func eqByteSlices(x, y [][]byte) bool { 2393 if len(x) != len(y) { 2394 return false 2395 } 2396 for i, v := range x { 2397 if !bytes.Equal(v, y[i]) { 2398 return false 2399 } 2400 } 2401 return true 2402} 2403 2404func eqSignatureAlgorithms(x, y []signatureAlgorithm) bool { 2405 if len(x) != len(y) { 2406 return false 2407 } 2408 for i, v := range x { 2409 v2 := y[i] 2410 if v != v2 { 2411 return false 2412 } 2413 } 2414 return true 2415} 2416 2417func eqKeyShareEntryLists(x, y []keyShareEntry) bool { 2418 if len(x) != len(y) { 2419 return false 2420 } 2421 for i, v := range x { 2422 if y[i].group != v.group || !bytes.Equal(y[i].keyExchange, v.keyExchange) { 2423 return false 2424 } 2425 } 2426 return true 2427 2428} 2429 2430func eqPSKIdentityLists(x, y []pskIdentity) bool { 2431 if len(x) != len(y) { 2432 return false 2433 } 2434 for i, v := range x { 2435 if !bytes.Equal(y[i].ticket, v.ticket) || y[i].obfuscatedTicketAge != v.obfuscatedTicketAge { 2436 return false 2437 } 2438 } 2439 return true 2440 2441} 2442