gitee.com/lh-her-team/common@v1.5.1/crypto/tls/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "fmt" 9 "strings" 10 11 "golang.org/x/crypto/cryptobyte" 12 ) 13 14 // The marshalingFunction type is an adapter to allow the use of ordinary 15 // functions as cryptobyte.MarshalingValue. 16 type marshalingFunction func(b *cryptobyte.Builder) error 17 18 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 19 return f(b) 20 } 21 22 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 23 // the length of the sequence is not the value specified, it produces an error. 24 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 25 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 26 if len(v) != n { 27 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 28 } 29 b.AddBytes(v) 30 return nil 31 })) 32 } 33 34 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 35 func addUint64(b *cryptobyte.Builder, v uint64) { 36 b.AddUint32(uint32(v >> 32)) 37 b.AddUint32(uint32(v)) 38 } 39 40 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 41 // It reports whether the read was successful. 42 func readUint64(s *cryptobyte.String, out *uint64) bool { 43 var hi, lo uint32 44 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 45 return false 46 } 47 *out = uint64(hi)<<32 | uint64(lo) 48 return true 49 } 50 51 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 52 // []byte instead of a cryptobyte.String. 53 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 54 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 55 } 56 57 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 58 // []byte instead of a cryptobyte.String. 59 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 60 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 61 } 62 63 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 64 // []byte instead of a cryptobyte.String. 65 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 66 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 67 } 68 69 type clientHelloMsg struct { 70 raw []byte 71 vers uint16 72 random []byte 73 sessionId []byte 74 cipherSuites []uint16 75 compressionMethods []uint8 76 serverName string 77 ocspStapling bool 78 supportedCurves []CurveID 79 supportedPoints []uint8 80 ticketSupported bool 81 sessionTicket []uint8 82 supportedSignatureAlgorithms []SignatureScheme 83 supportedSignatureAlgorithmsCert []SignatureScheme 84 secureRenegotiationSupported bool 85 secureRenegotiation []byte 86 alpnProtocols []string 87 scts bool 88 supportedVersions []uint16 89 cookie []byte 90 keyShares []keyShare 91 earlyData bool 92 pskModes []uint8 93 pskIdentities []pskIdentity 94 pskBinders [][]byte 95 } 96 97 func (m *clientHelloMsg) marshal() []byte { 98 if m.raw != nil { 99 return m.raw 100 } 101 var b cryptobyte.Builder 102 b.AddUint8(typeClientHello) 103 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 104 b.AddUint16(m.vers) 105 addBytesWithLength(b, m.random, 32) 106 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 107 b.AddBytes(m.sessionId) 108 }) 109 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 110 for _, suite := range m.cipherSuites { 111 b.AddUint16(suite) 112 } 113 }) 114 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 115 b.AddBytes(m.compressionMethods) 116 }) 117 // If extensions aren't present, omit them. 118 var extensionsPresent bool 119 bWithoutExtensions := *b 120 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 121 if len(m.serverName) > 0 { 122 // RFC 6066, Section 3 123 b.AddUint16(extensionServerName) 124 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 125 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 126 b.AddUint8(0) // name_type = host_name 127 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 128 b.AddBytes([]byte(m.serverName)) 129 }) 130 }) 131 }) 132 } 133 if m.ocspStapling { 134 // RFC 4366, Section 3.6 135 b.AddUint16(extensionStatusRequest) 136 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 137 b.AddUint8(1) // status_type = ocsp 138 b.AddUint16(0) // empty responder_id_list 139 b.AddUint16(0) // empty request_extensions 140 }) 141 } 142 if len(m.supportedCurves) > 0 { 143 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 144 b.AddUint16(extensionSupportedCurves) 145 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 146 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 147 for _, curve := range m.supportedCurves { 148 b.AddUint16(uint16(curve)) 149 } 150 }) 151 }) 152 } 153 if len(m.supportedPoints) > 0 { 154 // RFC 4492, Section 5.1.2 155 b.AddUint16(extensionSupportedPoints) 156 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 157 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 158 b.AddBytes(m.supportedPoints) 159 }) 160 }) 161 } 162 if m.ticketSupported { 163 // RFC 5077, Section 3.2 164 b.AddUint16(extensionSessionTicket) 165 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 166 b.AddBytes(m.sessionTicket) 167 }) 168 } 169 if len(m.supportedSignatureAlgorithms) > 0 { 170 // RFC 5246, Section 7.4.1.4.1 171 b.AddUint16(extensionSignatureAlgorithms) 172 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 173 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 174 for _, sigAlgo := range m.supportedSignatureAlgorithms { 175 b.AddUint16(uint16(sigAlgo)) 176 } 177 }) 178 }) 179 } 180 if len(m.supportedSignatureAlgorithmsCert) > 0 { 181 // RFC 8446, Section 4.2.3 182 b.AddUint16(extensionSignatureAlgorithmsCert) 183 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 184 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 185 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 186 b.AddUint16(uint16(sigAlgo)) 187 } 188 }) 189 }) 190 } 191 if m.secureRenegotiationSupported { 192 // RFC 5746, Section 3.2 193 b.AddUint16(extensionRenegotiationInfo) 194 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 195 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 196 b.AddBytes(m.secureRenegotiation) 197 }) 198 }) 199 } 200 if len(m.alpnProtocols) > 0 { 201 // RFC 7301, Section 3.1 202 b.AddUint16(extensionALPN) 203 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 204 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 205 for _, proto := range m.alpnProtocols { 206 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 207 b.AddBytes([]byte(proto)) 208 }) 209 } 210 }) 211 }) 212 } 213 if m.scts { 214 // RFC 6962, Section 3.3.1 215 b.AddUint16(extensionSCT) 216 b.AddUint16(0) // empty extension_data 217 } 218 if len(m.supportedVersions) > 0 { 219 // RFC 8446, Section 4.2.1 220 b.AddUint16(extensionSupportedVersions) 221 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 222 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 223 for _, vers := range m.supportedVersions { 224 b.AddUint16(vers) 225 } 226 }) 227 }) 228 } 229 if len(m.cookie) > 0 { 230 // RFC 8446, Section 4.2.2 231 b.AddUint16(extensionCookie) 232 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 233 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 234 b.AddBytes(m.cookie) 235 }) 236 }) 237 } 238 if len(m.keyShares) > 0 { 239 // RFC 8446, Section 4.2.8 240 b.AddUint16(extensionKeyShare) 241 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 242 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 243 for _, ks := range m.keyShares { 244 b.AddUint16(uint16(ks.group)) 245 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 246 b.AddBytes(ks.data) 247 }) 248 } 249 }) 250 }) 251 } 252 if m.earlyData { 253 // RFC 8446, Section 4.2.10 254 b.AddUint16(extensionEarlyData) 255 b.AddUint16(0) // empty extension_data 256 } 257 if len(m.pskModes) > 0 { 258 // RFC 8446, Section 4.2.9 259 b.AddUint16(extensionPSKModes) 260 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 261 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 262 b.AddBytes(m.pskModes) 263 }) 264 }) 265 } 266 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 267 // RFC 8446, Section 4.2.11 268 b.AddUint16(extensionPreSharedKey) 269 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 270 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 271 for _, psk := range m.pskIdentities { 272 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 273 b.AddBytes(psk.label) 274 }) 275 b.AddUint32(psk.obfuscatedTicketAge) 276 } 277 }) 278 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 279 for _, binder := range m.pskBinders { 280 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 281 b.AddBytes(binder) 282 }) 283 } 284 }) 285 }) 286 } 287 extensionsPresent = len(b.BytesOrPanic()) > 2 288 }) 289 if !extensionsPresent { 290 *b = bWithoutExtensions 291 } 292 }) 293 m.raw = b.BytesOrPanic() 294 return m.raw 295 } 296 297 // marshalWithoutBinders returns the ClientHello through the 298 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 299 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 300 func (m *clientHelloMsg) marshalWithoutBinders() []byte { 301 bindersLen := 2 // uint16 length prefix 302 for _, binder := range m.pskBinders { 303 bindersLen += 1 // uint8 length prefix 304 bindersLen += len(binder) 305 } 306 fullMessage := m.marshal() 307 return fullMessage[:len(fullMessage)-bindersLen] 308 } 309 310 // updateBinders updates the m.pskBinders field, if necessary updating the 311 // cached marshaled representation. The supplied binders must have the same 312 // length as the current m.pskBinders. 313 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { 314 if len(pskBinders) != len(m.pskBinders) { 315 panic("tls: internal error: pskBinders length mismatch") 316 } 317 for i := range m.pskBinders { 318 if len(pskBinders[i]) != len(m.pskBinders[i]) { 319 panic("tls: internal error: pskBinders length mismatch") 320 } 321 } 322 m.pskBinders = pskBinders 323 if m.raw != nil { 324 lenWithoutBinders := len(m.marshalWithoutBinders()) 325 // TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported. 326 b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders]) 327 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 328 for _, binder := range m.pskBinders { 329 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 330 b.AddBytes(binder) 331 }) 332 } 333 }) 334 if len(b.BytesOrPanic()) != len(m.raw) { 335 panic("tls: internal error: failed to update binders") 336 } 337 } 338 } 339 340 func (m *clientHelloMsg) unmarshal(data []byte) bool { 341 *m = clientHelloMsg{raw: data} 342 s := cryptobyte.String(data) 343 if !s.Skip(4) || // message type and uint24 length field 344 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 345 !readUint8LengthPrefixed(&s, &m.sessionId) { 346 return false 347 } 348 var cipherSuites cryptobyte.String 349 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 350 return false 351 } 352 m.cipherSuites = []uint16{} 353 m.secureRenegotiationSupported = false 354 for !cipherSuites.Empty() { 355 var suite uint16 356 if !cipherSuites.ReadUint16(&suite) { 357 return false 358 } 359 if suite == scsvRenegotiation { 360 m.secureRenegotiationSupported = true 361 } 362 m.cipherSuites = append(m.cipherSuites, suite) 363 } 364 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 365 return false 366 } 367 if s.Empty() { 368 // ClientHello is optionally followed by extension data 369 return true 370 } 371 var extensions cryptobyte.String 372 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 373 return false 374 } 375 for !extensions.Empty() { 376 var extension uint16 377 var extData cryptobyte.String 378 if !extensions.ReadUint16(&extension) || 379 !extensions.ReadUint16LengthPrefixed(&extData) { 380 return false 381 } 382 switch extension { 383 case extensionServerName: 384 // RFC 6066, Section 3 385 var nameList cryptobyte.String 386 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 387 return false 388 } 389 for !nameList.Empty() { 390 var nameType uint8 391 var serverName cryptobyte.String 392 if !nameList.ReadUint8(&nameType) || 393 !nameList.ReadUint16LengthPrefixed(&serverName) || 394 serverName.Empty() { 395 return false 396 } 397 if nameType != 0 { 398 continue 399 } 400 if len(m.serverName) != 0 { 401 // Multiple names of the same name_type are prohibited. 402 return false 403 } 404 m.serverName = string(serverName) 405 // An SNI value may not include a trailing dot. 406 if strings.HasSuffix(m.serverName, ".") { 407 return false 408 } 409 } 410 case extensionStatusRequest: 411 // RFC 4366, Section 3.6 412 var statusType uint8 413 var ignored cryptobyte.String 414 if !extData.ReadUint8(&statusType) || 415 !extData.ReadUint16LengthPrefixed(&ignored) || 416 !extData.ReadUint16LengthPrefixed(&ignored) { 417 return false 418 } 419 m.ocspStapling = statusType == statusTypeOCSP 420 case extensionSupportedCurves: 421 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 422 var curves cryptobyte.String 423 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 424 return false 425 } 426 for !curves.Empty() { 427 var curve uint16 428 if !curves.ReadUint16(&curve) { 429 return false 430 } 431 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 432 } 433 case extensionSupportedPoints: 434 // RFC 4492, Section 5.1.2 435 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 436 len(m.supportedPoints) == 0 { 437 return false 438 } 439 case extensionSessionTicket: 440 // RFC 5077, Section 3.2 441 m.ticketSupported = true 442 extData.ReadBytes(&m.sessionTicket, len(extData)) 443 case extensionSignatureAlgorithms: 444 // RFC 5246, Section 7.4.1.4.1 445 var sigAndAlgs cryptobyte.String 446 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 447 return false 448 } 449 for !sigAndAlgs.Empty() { 450 var sigAndAlg uint16 451 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 452 return false 453 } 454 m.supportedSignatureAlgorithms = append( 455 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 456 } 457 case extensionSignatureAlgorithmsCert: 458 // RFC 8446, Section 4.2.3 459 var sigAndAlgs cryptobyte.String 460 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 461 return false 462 } 463 for !sigAndAlgs.Empty() { 464 var sigAndAlg uint16 465 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 466 return false 467 } 468 m.supportedSignatureAlgorithmsCert = append( 469 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 470 } 471 case extensionRenegotiationInfo: 472 // RFC 5746, Section 3.2 473 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 474 return false 475 } 476 m.secureRenegotiationSupported = true 477 case extensionALPN: 478 // RFC 7301, Section 3.1 479 var protoList cryptobyte.String 480 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 481 return false 482 } 483 for !protoList.Empty() { 484 var proto cryptobyte.String 485 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 486 return false 487 } 488 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 489 } 490 case extensionSCT: 491 // RFC 6962, Section 3.3.1 492 m.scts = true 493 case extensionSupportedVersions: 494 // RFC 8446, Section 4.2.1 495 var versList cryptobyte.String 496 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 497 return false 498 } 499 for !versList.Empty() { 500 var vers uint16 501 if !versList.ReadUint16(&vers) { 502 return false 503 } 504 m.supportedVersions = append(m.supportedVersions, vers) 505 } 506 case extensionCookie: 507 // RFC 8446, Section 4.2.2 508 if !readUint16LengthPrefixed(&extData, &m.cookie) || 509 len(m.cookie) == 0 { 510 return false 511 } 512 case extensionKeyShare: 513 // RFC 8446, Section 4.2.8 514 var clientShares cryptobyte.String 515 if !extData.ReadUint16LengthPrefixed(&clientShares) { 516 return false 517 } 518 for !clientShares.Empty() { 519 var ks keyShare 520 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 521 !readUint16LengthPrefixed(&clientShares, &ks.data) || 522 len(ks.data) == 0 { 523 return false 524 } 525 m.keyShares = append(m.keyShares, ks) 526 } 527 case extensionEarlyData: 528 // RFC 8446, Section 4.2.10 529 m.earlyData = true 530 case extensionPSKModes: 531 // RFC 8446, Section 4.2.9 532 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 533 return false 534 } 535 case extensionPreSharedKey: 536 // RFC 8446, Section 4.2.11 537 if !extensions.Empty() { 538 return false // pre_shared_key must be the last extension 539 } 540 var identities cryptobyte.String 541 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 542 return false 543 } 544 for !identities.Empty() { 545 var psk pskIdentity 546 if !readUint16LengthPrefixed(&identities, &psk.label) || 547 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 548 len(psk.label) == 0 { 549 return false 550 } 551 m.pskIdentities = append(m.pskIdentities, psk) 552 } 553 var binders cryptobyte.String 554 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 555 return false 556 } 557 for !binders.Empty() { 558 var binder []byte 559 if !readUint8LengthPrefixed(&binders, &binder) || 560 len(binder) == 0 { 561 return false 562 } 563 m.pskBinders = append(m.pskBinders, binder) 564 } 565 default: 566 // Ignore unknown extensions. 567 continue 568 } 569 if !extData.Empty() { 570 return false 571 } 572 } 573 return true 574 } 575 576 type serverHelloMsg struct { 577 raw []byte 578 vers uint16 579 random []byte 580 sessionId []byte 581 cipherSuite uint16 582 compressionMethod uint8 583 ocspStapling bool 584 ticketSupported bool 585 secureRenegotiationSupported bool 586 secureRenegotiation []byte 587 alpnProtocol string 588 scts [][]byte 589 supportedVersion uint16 590 serverShare keyShare 591 selectedIdentityPresent bool 592 selectedIdentity uint16 593 supportedPoints []uint8 594 // HelloRetryRequest extensions 595 cookie []byte 596 selectedGroup CurveID 597 } 598 599 func (m *serverHelloMsg) marshal() []byte { 600 if m.raw != nil { 601 return m.raw 602 } 603 var b cryptobyte.Builder 604 b.AddUint8(typeServerHello) 605 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 606 b.AddUint16(m.vers) 607 addBytesWithLength(b, m.random, 32) 608 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 609 b.AddBytes(m.sessionId) 610 }) 611 b.AddUint16(m.cipherSuite) 612 b.AddUint8(m.compressionMethod) 613 // If extensions aren't present, omit them. 614 var extensionsPresent bool 615 bWithoutExtensions := *b 616 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 617 if m.ocspStapling { 618 b.AddUint16(extensionStatusRequest) 619 b.AddUint16(0) // empty extension_data 620 } 621 if m.ticketSupported { 622 b.AddUint16(extensionSessionTicket) 623 b.AddUint16(0) // empty extension_data 624 } 625 if m.secureRenegotiationSupported { 626 b.AddUint16(extensionRenegotiationInfo) 627 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 628 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 629 b.AddBytes(m.secureRenegotiation) 630 }) 631 }) 632 } 633 if len(m.alpnProtocol) > 0 { 634 b.AddUint16(extensionALPN) 635 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 636 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 637 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 638 b.AddBytes([]byte(m.alpnProtocol)) 639 }) 640 }) 641 }) 642 } 643 if len(m.scts) > 0 { 644 b.AddUint16(extensionSCT) 645 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 646 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 647 for _, sct := range m.scts { 648 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 649 b.AddBytes(sct) 650 }) 651 } 652 }) 653 }) 654 } 655 if m.supportedVersion != 0 { 656 b.AddUint16(extensionSupportedVersions) 657 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 658 b.AddUint16(m.supportedVersion) 659 }) 660 } 661 if m.serverShare.group != 0 { 662 b.AddUint16(extensionKeyShare) 663 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 664 b.AddUint16(uint16(m.serverShare.group)) 665 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 666 b.AddBytes(m.serverShare.data) 667 }) 668 }) 669 } 670 if m.selectedIdentityPresent { 671 b.AddUint16(extensionPreSharedKey) 672 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 673 b.AddUint16(m.selectedIdentity) 674 }) 675 } 676 677 if len(m.cookie) > 0 { 678 b.AddUint16(extensionCookie) 679 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 680 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 681 b.AddBytes(m.cookie) 682 }) 683 }) 684 } 685 if m.selectedGroup != 0 { 686 b.AddUint16(extensionKeyShare) 687 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 688 b.AddUint16(uint16(m.selectedGroup)) 689 }) 690 } 691 if len(m.supportedPoints) > 0 { 692 b.AddUint16(extensionSupportedPoints) 693 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 694 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 695 b.AddBytes(m.supportedPoints) 696 }) 697 }) 698 } 699 extensionsPresent = len(b.BytesOrPanic()) > 2 700 }) 701 if !extensionsPresent { 702 *b = bWithoutExtensions 703 } 704 }) 705 m.raw = b.BytesOrPanic() 706 return m.raw 707 } 708 709 func (m *serverHelloMsg) unmarshal(data []byte) bool { 710 *m = serverHelloMsg{raw: data} 711 s := cryptobyte.String(data) 712 if !s.Skip(4) || // message type and uint24 length field 713 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 714 !readUint8LengthPrefixed(&s, &m.sessionId) || 715 !s.ReadUint16(&m.cipherSuite) || 716 !s.ReadUint8(&m.compressionMethod) { 717 return false 718 } 719 if s.Empty() { 720 // ServerHello is optionally followed by extension data 721 return true 722 } 723 var extensions cryptobyte.String 724 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 725 return false 726 } 727 for !extensions.Empty() { 728 var extension uint16 729 var extData cryptobyte.String 730 if !extensions.ReadUint16(&extension) || 731 !extensions.ReadUint16LengthPrefixed(&extData) { 732 return false 733 } 734 switch extension { 735 case extensionStatusRequest: 736 m.ocspStapling = true 737 case extensionSessionTicket: 738 m.ticketSupported = true 739 case extensionRenegotiationInfo: 740 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 741 return false 742 } 743 m.secureRenegotiationSupported = true 744 case extensionALPN: 745 var protoList cryptobyte.String 746 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 747 return false 748 } 749 var proto cryptobyte.String 750 if !protoList.ReadUint8LengthPrefixed(&proto) || 751 proto.Empty() || !protoList.Empty() { 752 return false 753 } 754 m.alpnProtocol = string(proto) 755 case extensionSCT: 756 var sctList cryptobyte.String 757 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 758 return false 759 } 760 for !sctList.Empty() { 761 var sct []byte 762 if !readUint16LengthPrefixed(&sctList, &sct) || 763 len(sct) == 0 { 764 return false 765 } 766 m.scts = append(m.scts, sct) 767 } 768 case extensionSupportedVersions: 769 if !extData.ReadUint16(&m.supportedVersion) { 770 return false 771 } 772 case extensionCookie: 773 if !readUint16LengthPrefixed(&extData, &m.cookie) || 774 len(m.cookie) == 0 { 775 return false 776 } 777 case extensionKeyShare: 778 // This extension has different formats in SH and HRR, accept either 779 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 780 if len(extData) == 2 { 781 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 782 return false 783 } 784 } else { 785 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 786 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 787 return false 788 } 789 } 790 case extensionPreSharedKey: 791 m.selectedIdentityPresent = true 792 if !extData.ReadUint16(&m.selectedIdentity) { 793 return false 794 } 795 case extensionSupportedPoints: 796 // RFC 4492, Section 5.1.2 797 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 798 len(m.supportedPoints) == 0 { 799 return false 800 } 801 default: 802 // Ignore unknown extensions. 803 continue 804 } 805 if !extData.Empty() { 806 return false 807 } 808 } 809 return true 810 } 811 812 type encryptedExtensionsMsg struct { 813 raw []byte 814 alpnProtocol string 815 } 816 817 func (m *encryptedExtensionsMsg) marshal() []byte { 818 if m.raw != nil { 819 return m.raw 820 } 821 var b cryptobyte.Builder 822 b.AddUint8(typeEncryptedExtensions) 823 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 824 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 825 if len(m.alpnProtocol) > 0 { 826 b.AddUint16(extensionALPN) 827 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 828 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 829 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 830 b.AddBytes([]byte(m.alpnProtocol)) 831 }) 832 }) 833 }) 834 } 835 }) 836 }) 837 m.raw = b.BytesOrPanic() 838 return m.raw 839 } 840 841 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 842 *m = encryptedExtensionsMsg{raw: data} 843 s := cryptobyte.String(data) 844 var extensions cryptobyte.String 845 if !s.Skip(4) || // message type and uint24 length field 846 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 847 return false 848 } 849 for !extensions.Empty() { 850 var extension uint16 851 var extData cryptobyte.String 852 if !extensions.ReadUint16(&extension) || 853 !extensions.ReadUint16LengthPrefixed(&extData) { 854 return false 855 } 856 switch extension { 857 case extensionALPN: 858 var protoList cryptobyte.String 859 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 860 return false 861 } 862 var proto cryptobyte.String 863 if !protoList.ReadUint8LengthPrefixed(&proto) || 864 proto.Empty() || !protoList.Empty() { 865 return false 866 } 867 m.alpnProtocol = string(proto) 868 default: 869 // Ignore unknown extensions. 870 continue 871 } 872 if !extData.Empty() { 873 return false 874 } 875 } 876 return true 877 } 878 879 type endOfEarlyDataMsg struct{} 880 881 func (m *endOfEarlyDataMsg) marshal() []byte { 882 x := make([]byte, 4) 883 x[0] = typeEndOfEarlyData 884 return x 885 } 886 887 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 888 return len(data) == 4 889 } 890 891 type keyUpdateMsg struct { 892 raw []byte 893 updateRequested bool 894 } 895 896 func (m *keyUpdateMsg) marshal() []byte { 897 if m.raw != nil { 898 return m.raw 899 } 900 var b cryptobyte.Builder 901 b.AddUint8(typeKeyUpdate) 902 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 903 if m.updateRequested { 904 b.AddUint8(1) 905 } else { 906 b.AddUint8(0) 907 } 908 }) 909 m.raw = b.BytesOrPanic() 910 return m.raw 911 } 912 913 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 914 m.raw = data 915 s := cryptobyte.String(data) 916 var updateRequested uint8 917 if !s.Skip(4) || // message type and uint24 length field 918 !s.ReadUint8(&updateRequested) || !s.Empty() { 919 return false 920 } 921 switch updateRequested { 922 case 0: 923 m.updateRequested = false 924 case 1: 925 m.updateRequested = true 926 default: 927 return false 928 } 929 return true 930 } 931 932 type newSessionTicketMsgTLS13 struct { 933 raw []byte 934 lifetime uint32 935 ageAdd uint32 936 nonce []byte 937 label []byte 938 maxEarlyData uint32 939 } 940 941 func (m *newSessionTicketMsgTLS13) marshal() []byte { 942 if m.raw != nil { 943 return m.raw 944 } 945 var b cryptobyte.Builder 946 b.AddUint8(typeNewSessionTicket) 947 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 948 b.AddUint32(m.lifetime) 949 b.AddUint32(m.ageAdd) 950 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 951 b.AddBytes(m.nonce) 952 }) 953 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 954 b.AddBytes(m.label) 955 }) 956 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 957 if m.maxEarlyData > 0 { 958 b.AddUint16(extensionEarlyData) 959 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 960 b.AddUint32(m.maxEarlyData) 961 }) 962 } 963 }) 964 }) 965 m.raw = b.BytesOrPanic() 966 return m.raw 967 } 968 969 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 970 *m = newSessionTicketMsgTLS13{raw: data} 971 s := cryptobyte.String(data) 972 var extensions cryptobyte.String 973 if !s.Skip(4) || // message type and uint24 length field 974 !s.ReadUint32(&m.lifetime) || 975 !s.ReadUint32(&m.ageAdd) || 976 !readUint8LengthPrefixed(&s, &m.nonce) || 977 !readUint16LengthPrefixed(&s, &m.label) || 978 !s.ReadUint16LengthPrefixed(&extensions) || 979 !s.Empty() { 980 return false 981 } 982 for !extensions.Empty() { 983 var extension uint16 984 var extData cryptobyte.String 985 if !extensions.ReadUint16(&extension) || 986 !extensions.ReadUint16LengthPrefixed(&extData) { 987 return false 988 } 989 switch extension { 990 case extensionEarlyData: 991 if !extData.ReadUint32(&m.maxEarlyData) { 992 return false 993 } 994 default: 995 // Ignore unknown extensions. 996 continue 997 } 998 if !extData.Empty() { 999 return false 1000 } 1001 } 1002 return true 1003 } 1004 1005 type certificateRequestMsgTLS13 struct { 1006 raw []byte 1007 ocspStapling bool 1008 scts bool 1009 supportedSignatureAlgorithms []SignatureScheme 1010 supportedSignatureAlgorithmsCert []SignatureScheme 1011 certificateAuthorities [][]byte 1012 } 1013 1014 func (m *certificateRequestMsgTLS13) marshal() []byte { 1015 if m.raw != nil { 1016 return m.raw 1017 } 1018 var b cryptobyte.Builder 1019 b.AddUint8(typeCertificateRequest) 1020 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1021 // certificate_request_context (SHALL be zero length unless used for 1022 // post-handshake authentication) 1023 b.AddUint8(0) 1024 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1025 if m.ocspStapling { 1026 b.AddUint16(extensionStatusRequest) 1027 b.AddUint16(0) // empty extension_data 1028 } 1029 if m.scts { 1030 // RFC 8446, Section 4.4.2.1 makes no mention of 1031 // signed_certificate_timestamp in CertificateRequest, but 1032 // "Extensions in the Certificate message from the client MUST 1033 // correspond to extensions in the CertificateRequest message 1034 // from the server." and it appears in the table in Section 4.2. 1035 b.AddUint16(extensionSCT) 1036 b.AddUint16(0) // empty extension_data 1037 } 1038 if len(m.supportedSignatureAlgorithms) > 0 { 1039 b.AddUint16(extensionSignatureAlgorithms) 1040 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1041 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1042 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1043 b.AddUint16(uint16(sigAlgo)) 1044 } 1045 }) 1046 }) 1047 } 1048 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1049 b.AddUint16(extensionSignatureAlgorithmsCert) 1050 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1051 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1052 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1053 b.AddUint16(uint16(sigAlgo)) 1054 } 1055 }) 1056 }) 1057 } 1058 if len(m.certificateAuthorities) > 0 { 1059 b.AddUint16(extensionCertificateAuthorities) 1060 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1061 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1062 for _, ca := range m.certificateAuthorities { 1063 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1064 b.AddBytes(ca) 1065 }) 1066 } 1067 }) 1068 }) 1069 } 1070 }) 1071 }) 1072 m.raw = b.BytesOrPanic() 1073 return m.raw 1074 } 1075 1076 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1077 *m = certificateRequestMsgTLS13{raw: data} 1078 s := cryptobyte.String(data) 1079 var context, extensions cryptobyte.String 1080 if !s.Skip(4) || // message type and uint24 length field 1081 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1082 !s.ReadUint16LengthPrefixed(&extensions) || 1083 !s.Empty() { 1084 return false 1085 } 1086 for !extensions.Empty() { 1087 var extension uint16 1088 var extData cryptobyte.String 1089 if !extensions.ReadUint16(&extension) || 1090 !extensions.ReadUint16LengthPrefixed(&extData) { 1091 return false 1092 } 1093 switch extension { 1094 case extensionStatusRequest: 1095 m.ocspStapling = true 1096 case extensionSCT: 1097 m.scts = true 1098 case extensionSignatureAlgorithms: 1099 var sigAndAlgs cryptobyte.String 1100 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1101 return false 1102 } 1103 for !sigAndAlgs.Empty() { 1104 var sigAndAlg uint16 1105 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1106 return false 1107 } 1108 m.supportedSignatureAlgorithms = append( 1109 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1110 } 1111 case extensionSignatureAlgorithmsCert: 1112 var sigAndAlgs cryptobyte.String 1113 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1114 return false 1115 } 1116 for !sigAndAlgs.Empty() { 1117 var sigAndAlg uint16 1118 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1119 return false 1120 } 1121 m.supportedSignatureAlgorithmsCert = append( 1122 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1123 } 1124 case extensionCertificateAuthorities: 1125 var auths cryptobyte.String 1126 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1127 return false 1128 } 1129 for !auths.Empty() { 1130 var ca []byte 1131 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1132 return false 1133 } 1134 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1135 } 1136 default: 1137 // Ignore unknown extensions. 1138 continue 1139 } 1140 if !extData.Empty() { 1141 return false 1142 } 1143 } 1144 return true 1145 } 1146 1147 type certificateMsg struct { 1148 raw []byte 1149 certificates [][]byte 1150 } 1151 1152 func (m *certificateMsg) marshal() (x []byte) { 1153 if m.raw != nil { 1154 return m.raw 1155 } 1156 var i int 1157 for _, slice := range m.certificates { 1158 i += len(slice) 1159 } 1160 length := 3 + 3*len(m.certificates) + i 1161 x = make([]byte, 4+length) 1162 x[0] = typeCertificate 1163 x[1] = uint8(length >> 16) 1164 x[2] = uint8(length >> 8) 1165 x[3] = uint8(length) 1166 certificateOctets := length - 3 1167 x[4] = uint8(certificateOctets >> 16) 1168 x[5] = uint8(certificateOctets >> 8) 1169 x[6] = uint8(certificateOctets) 1170 y := x[7:] 1171 for _, slice := range m.certificates { 1172 y[0] = uint8(len(slice) >> 16) 1173 y[1] = uint8(len(slice) >> 8) 1174 y[2] = uint8(len(slice)) 1175 copy(y[3:], slice) 1176 y = y[3+len(slice):] 1177 } 1178 m.raw = x 1179 return 1180 } 1181 1182 func (m *certificateMsg) unmarshal(data []byte) bool { 1183 if len(data) < 7 { 1184 return false 1185 } 1186 m.raw = data 1187 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1188 if uint32(len(data)) != certsLen+7 { 1189 return false 1190 } 1191 numCerts := 0 1192 d := data[7:] 1193 for certsLen > 0 { 1194 if len(d) < 4 { 1195 return false 1196 } 1197 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1198 if uint32(len(d)) < 3+certLen { 1199 return false 1200 } 1201 d = d[3+certLen:] 1202 certsLen -= 3 + certLen 1203 numCerts++ 1204 } 1205 m.certificates = make([][]byte, numCerts) 1206 d = data[7:] 1207 for i := 0; i < numCerts; i++ { 1208 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1209 m.certificates[i] = d[3 : 3+certLen] 1210 d = d[3+certLen:] 1211 } 1212 return true 1213 } 1214 1215 type certificateMsgTLS13 struct { 1216 raw []byte 1217 certificate Certificate 1218 ocspStapling bool 1219 scts bool 1220 } 1221 1222 func (m *certificateMsgTLS13) marshal() []byte { 1223 if m.raw != nil { 1224 return m.raw 1225 } 1226 var b cryptobyte.Builder 1227 b.AddUint8(typeCertificate) 1228 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1229 b.AddUint8(0) // certificate_request_context 1230 certificate := m.certificate 1231 if !m.ocspStapling { 1232 certificate.OCSPStaple = nil 1233 } 1234 if !m.scts { 1235 certificate.SignedCertificateTimestamps = nil 1236 } 1237 marshalCertificate(b, certificate) 1238 }) 1239 m.raw = b.BytesOrPanic() 1240 return m.raw 1241 } 1242 1243 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1244 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1245 for i, cert := range certificate.Certificate { 1246 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1247 b.AddBytes(cert) 1248 }) 1249 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1250 if i > 0 { 1251 // This library only supports OCSP and SCT for leaf certificates. 1252 return 1253 } 1254 if certificate.OCSPStaple != nil { 1255 b.AddUint16(extensionStatusRequest) 1256 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1257 b.AddUint8(statusTypeOCSP) 1258 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1259 b.AddBytes(certificate.OCSPStaple) 1260 }) 1261 }) 1262 } 1263 if certificate.SignedCertificateTimestamps != nil { 1264 b.AddUint16(extensionSCT) 1265 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1266 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1267 for _, sct := range certificate.SignedCertificateTimestamps { 1268 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1269 b.AddBytes(sct) 1270 }) 1271 } 1272 }) 1273 }) 1274 } 1275 }) 1276 } 1277 }) 1278 } 1279 1280 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1281 *m = certificateMsgTLS13{raw: data} 1282 s := cryptobyte.String(data) 1283 var context cryptobyte.String 1284 if !s.Skip(4) || // message type and uint24 length field 1285 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1286 !unmarshalCertificate(&s, &m.certificate) || 1287 !s.Empty() { 1288 return false 1289 } 1290 m.scts = m.certificate.SignedCertificateTimestamps != nil 1291 m.ocspStapling = m.certificate.OCSPStaple != nil 1292 return true 1293 } 1294 1295 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1296 var certList cryptobyte.String 1297 if !s.ReadUint24LengthPrefixed(&certList) { 1298 return false 1299 } 1300 for !certList.Empty() { 1301 var cert []byte 1302 var extensions cryptobyte.String 1303 if !readUint24LengthPrefixed(&certList, &cert) || 1304 !certList.ReadUint16LengthPrefixed(&extensions) { 1305 return false 1306 } 1307 certificate.Certificate = append(certificate.Certificate, cert) 1308 for !extensions.Empty() { 1309 var extension uint16 1310 var extData cryptobyte.String 1311 if !extensions.ReadUint16(&extension) || 1312 !extensions.ReadUint16LengthPrefixed(&extData) { 1313 return false 1314 } 1315 if len(certificate.Certificate) > 1 { 1316 // This library only supports OCSP and SCT for leaf certificates. 1317 continue 1318 } 1319 switch extension { 1320 case extensionStatusRequest: 1321 var statusType uint8 1322 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1323 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1324 len(certificate.OCSPStaple) == 0 { 1325 return false 1326 } 1327 case extensionSCT: 1328 var sctList cryptobyte.String 1329 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1330 return false 1331 } 1332 for !sctList.Empty() { 1333 var sct []byte 1334 if !readUint16LengthPrefixed(&sctList, &sct) || 1335 len(sct) == 0 { 1336 return false 1337 } 1338 certificate.SignedCertificateTimestamps = append( 1339 certificate.SignedCertificateTimestamps, sct) 1340 } 1341 default: 1342 // Ignore unknown extensions. 1343 continue 1344 } 1345 if !extData.Empty() { 1346 return false 1347 } 1348 } 1349 } 1350 return true 1351 } 1352 1353 type serverKeyExchangeMsg struct { 1354 raw []byte 1355 key []byte 1356 } 1357 1358 func (m *serverKeyExchangeMsg) marshal() []byte { 1359 if m.raw != nil { 1360 return m.raw 1361 } 1362 length := len(m.key) 1363 x := make([]byte, length+4) 1364 x[0] = typeServerKeyExchange 1365 x[1] = uint8(length >> 16) 1366 x[2] = uint8(length >> 8) 1367 x[3] = uint8(length) 1368 copy(x[4:], m.key) 1369 m.raw = x 1370 return x 1371 } 1372 1373 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1374 m.raw = data 1375 if len(data) < 4 { 1376 return false 1377 } 1378 m.key = data[4:] 1379 return true 1380 } 1381 1382 type certificateStatusMsg struct { 1383 raw []byte 1384 response []byte 1385 } 1386 1387 func (m *certificateStatusMsg) marshal() []byte { 1388 if m.raw != nil { 1389 return m.raw 1390 } 1391 var b cryptobyte.Builder 1392 b.AddUint8(typeCertificateStatus) 1393 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1394 b.AddUint8(statusTypeOCSP) 1395 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1396 b.AddBytes(m.response) 1397 }) 1398 }) 1399 m.raw = b.BytesOrPanic() 1400 return m.raw 1401 } 1402 1403 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1404 m.raw = data 1405 s := cryptobyte.String(data) 1406 var statusType uint8 1407 if !s.Skip(4) || // message type and uint24 length field 1408 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1409 !readUint24LengthPrefixed(&s, &m.response) || 1410 len(m.response) == 0 || !s.Empty() { 1411 return false 1412 } 1413 return true 1414 } 1415 1416 type serverHelloDoneMsg struct{} 1417 1418 func (m *serverHelloDoneMsg) marshal() []byte { 1419 x := make([]byte, 4) 1420 x[0] = typeServerHelloDone 1421 return x 1422 } 1423 1424 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1425 return len(data) == 4 1426 } 1427 1428 type clientKeyExchangeMsg struct { 1429 raw []byte 1430 ciphertext []byte 1431 } 1432 1433 func (m *clientKeyExchangeMsg) marshal() []byte { 1434 if m.raw != nil { 1435 return m.raw 1436 } 1437 length := len(m.ciphertext) 1438 x := make([]byte, length+4) 1439 x[0] = typeClientKeyExchange 1440 x[1] = uint8(length >> 16) 1441 x[2] = uint8(length >> 8) 1442 x[3] = uint8(length) 1443 copy(x[4:], m.ciphertext) 1444 m.raw = x 1445 return x 1446 } 1447 1448 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1449 m.raw = data 1450 if len(data) < 4 { 1451 return false 1452 } 1453 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1454 if l != len(data)-4 { 1455 return false 1456 } 1457 m.ciphertext = data[4:] 1458 return true 1459 } 1460 1461 type finishedMsg struct { 1462 raw []byte 1463 verifyData []byte 1464 } 1465 1466 func (m *finishedMsg) marshal() []byte { 1467 if m.raw != nil { 1468 return m.raw 1469 } 1470 var b cryptobyte.Builder 1471 b.AddUint8(typeFinished) 1472 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1473 b.AddBytes(m.verifyData) 1474 }) 1475 m.raw = b.BytesOrPanic() 1476 return m.raw 1477 } 1478 1479 func (m *finishedMsg) unmarshal(data []byte) bool { 1480 m.raw = data 1481 s := cryptobyte.String(data) 1482 return s.Skip(1) && 1483 readUint24LengthPrefixed(&s, &m.verifyData) && 1484 s.Empty() 1485 } 1486 1487 type certificateRequestMsg struct { 1488 raw []byte 1489 // hasSignatureAlgorithm indicates whether this message includes a list of 1490 // supported signature algorithms. This change was introduced with TLS 1.2. 1491 hasSignatureAlgorithm bool 1492 1493 certificateTypes []byte 1494 supportedSignatureAlgorithms []SignatureScheme 1495 certificateAuthorities [][]byte 1496 } 1497 1498 func (m *certificateRequestMsg) marshal() (x []byte) { 1499 if m.raw != nil { 1500 return m.raw 1501 } 1502 // See RFC 4346, Section 7.4.4. 1503 length := 1 + len(m.certificateTypes) + 2 1504 casLength := 0 1505 for _, ca := range m.certificateAuthorities { 1506 casLength += 2 + len(ca) 1507 } 1508 length += casLength 1509 if m.hasSignatureAlgorithm { 1510 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1511 } 1512 x = make([]byte, 4+length) 1513 x[0] = typeCertificateRequest 1514 x[1] = uint8(length >> 16) 1515 x[2] = uint8(length >> 8) 1516 x[3] = uint8(length) 1517 x[4] = uint8(len(m.certificateTypes)) 1518 copy(x[5:], m.certificateTypes) 1519 y := x[5+len(m.certificateTypes):] 1520 if m.hasSignatureAlgorithm { 1521 n := len(m.supportedSignatureAlgorithms) * 2 1522 y[0] = uint8(n >> 8) 1523 y[1] = uint8(n) 1524 y = y[2:] 1525 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1526 y[0] = uint8(sigAlgo >> 8) 1527 y[1] = uint8(sigAlgo) 1528 y = y[2:] 1529 } 1530 } 1531 y[0] = uint8(casLength >> 8) 1532 y[1] = uint8(casLength) 1533 y = y[2:] 1534 for _, ca := range m.certificateAuthorities { 1535 y[0] = uint8(len(ca) >> 8) 1536 y[1] = uint8(len(ca)) 1537 y = y[2:] 1538 copy(y, ca) 1539 y = y[len(ca):] 1540 } 1541 m.raw = x 1542 return 1543 } 1544 1545 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1546 m.raw = data 1547 if len(data) < 5 { 1548 return false 1549 } 1550 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1551 if uint32(len(data))-4 != length { 1552 return false 1553 } 1554 numCertTypes := int(data[4]) 1555 data = data[5:] 1556 if numCertTypes == 0 || len(data) <= numCertTypes { 1557 return false 1558 } 1559 m.certificateTypes = make([]byte, numCertTypes) 1560 if copy(m.certificateTypes, data) != numCertTypes { 1561 return false 1562 } 1563 data = data[numCertTypes:] 1564 if m.hasSignatureAlgorithm { 1565 if len(data) < 2 { 1566 return false 1567 } 1568 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1569 data = data[2:] 1570 if sigAndHashLen&1 != 0 { 1571 return false 1572 } 1573 if len(data) < int(sigAndHashLen) { 1574 return false 1575 } 1576 numSigAlgos := sigAndHashLen / 2 1577 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 1578 for i := range m.supportedSignatureAlgorithms { 1579 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 1580 data = data[2:] 1581 } 1582 } 1583 if len(data) < 2 { 1584 return false 1585 } 1586 casLength := uint16(data[0])<<8 | uint16(data[1]) 1587 data = data[2:] 1588 if len(data) < int(casLength) { 1589 return false 1590 } 1591 cas := make([]byte, casLength) 1592 copy(cas, data) 1593 data = data[casLength:] 1594 m.certificateAuthorities = nil 1595 for len(cas) > 0 { 1596 if len(cas) < 2 { 1597 return false 1598 } 1599 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1600 cas = cas[2:] 1601 if len(cas) < int(caLen) { 1602 return false 1603 } 1604 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1605 cas = cas[caLen:] 1606 } 1607 return len(data) == 0 1608 } 1609 1610 type certificateVerifyMsg struct { 1611 raw []byte 1612 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 1613 signatureAlgorithm SignatureScheme 1614 signature []byte 1615 } 1616 1617 func (m *certificateVerifyMsg) marshal() (x []byte) { 1618 if m.raw != nil { 1619 return m.raw 1620 } 1621 var b cryptobyte.Builder 1622 b.AddUint8(typeCertificateVerify) 1623 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1624 if m.hasSignatureAlgorithm { 1625 b.AddUint16(uint16(m.signatureAlgorithm)) 1626 } 1627 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1628 b.AddBytes(m.signature) 1629 }) 1630 }) 1631 m.raw = b.BytesOrPanic() 1632 return m.raw 1633 } 1634 1635 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1636 m.raw = data 1637 s := cryptobyte.String(data) 1638 if !s.Skip(4) { // message type and uint24 length field 1639 return false 1640 } 1641 if m.hasSignatureAlgorithm { 1642 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 1643 return false 1644 } 1645 } 1646 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 1647 } 1648 1649 type newSessionTicketMsg struct { 1650 raw []byte 1651 ticket []byte 1652 } 1653 1654 func (m *newSessionTicketMsg) marshal() (x []byte) { 1655 if m.raw != nil { 1656 return m.raw 1657 } 1658 // See RFC 5077, Section 3.3. 1659 ticketLen := len(m.ticket) 1660 length := 2 + 4 + ticketLen 1661 x = make([]byte, 4+length) 1662 x[0] = typeNewSessionTicket 1663 x[1] = uint8(length >> 16) 1664 x[2] = uint8(length >> 8) 1665 x[3] = uint8(length) 1666 x[8] = uint8(ticketLen >> 8) 1667 x[9] = uint8(ticketLen) 1668 copy(x[10:], m.ticket) 1669 m.raw = x 1670 return 1671 } 1672 1673 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1674 m.raw = data 1675 if len(data) < 10 { 1676 return false 1677 } 1678 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1679 if uint32(len(data))-4 != length { 1680 return false 1681 } 1682 ticketLen := int(data[8])<<8 + int(data[9]) 1683 if len(data)-10 != ticketLen { 1684 return false 1685 } 1686 m.ticket = data[10:] 1687 return true 1688 } 1689 1690 type helloRequestMsg struct { 1691 } 1692 1693 func (*helloRequestMsg) marshal() []byte { 1694 return []byte{typeHelloRequest, 0, 0, 0} 1695 } 1696 1697 func (*helloRequestMsg) unmarshal(data []byte) bool { 1698 return len(data) == 4 1699 }