github.com/3andne/restls-client-go@v0.1.6/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "errors" 9 "fmt" 10 "strings" 11 12 "golang.org/x/crypto/cryptobyte" 13 ) 14 15 // The marshalingFunction type is an adapter to allow the use of ordinary 16 // functions as cryptobyte.MarshalingValue. 17 type marshalingFunction func(b *cryptobyte.Builder) error 18 19 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 20 return f(b) 21 } 22 23 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 24 // the length of the sequence is not the value specified, it produces an error. 25 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 26 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 27 if len(v) != n { 28 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 29 } 30 b.AddBytes(v) 31 return nil 32 })) 33 } 34 35 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 36 func addUint64(b *cryptobyte.Builder, v uint64) { 37 b.AddUint32(uint32(v >> 32)) 38 b.AddUint32(uint32(v)) 39 } 40 41 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 42 // It reports whether the read was successful. 43 func readUint64(s *cryptobyte.String, out *uint64) bool { 44 var hi, lo uint32 45 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 46 return false 47 } 48 *out = uint64(hi)<<32 | uint64(lo) 49 return true 50 } 51 52 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 53 // []byte instead of a cryptobyte.String. 54 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 55 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 56 } 57 58 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 59 // []byte instead of a cryptobyte.String. 60 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 61 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 62 } 63 64 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 65 // []byte instead of a cryptobyte.String. 66 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 67 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 68 } 69 70 type clientHelloMsg struct { 71 raw []byte 72 vers uint16 73 random []byte 74 sessionId []byte 75 cipherSuites []uint16 76 compressionMethods []uint8 77 serverName string 78 ocspStapling bool 79 supportedCurves []CurveID 80 supportedPoints []uint8 81 ticketSupported bool 82 sessionTicket []uint8 83 supportedSignatureAlgorithms []SignatureScheme 84 supportedSignatureAlgorithmsCert []SignatureScheme 85 secureRenegotiationSupported bool 86 secureRenegotiation []byte 87 extendedMasterSecret bool 88 alpnProtocols []string 89 scts bool 90 // ems bool // [uTLS] actually implemented due to its prevalence // removed since crypto/tls implements it 91 supportedVersions []uint16 92 cookie []byte 93 keyShares []keyShare 94 earlyData bool 95 pskModes []uint8 96 pskIdentities []pskIdentity 97 pskBinders [][]byte 98 quicTransportParameters []byte 99 100 // [uTLS] 101 nextProtoNeg bool 102 } 103 104 func (m *clientHelloMsg) marshal() ([]byte, error) { 105 debugf(nil, "marshal\n") // #Restls# 106 if m.raw != nil { 107 debugf(nil, "marshal: m.raw != nil return\n") // #Restls# 108 return m.raw, nil 109 } 110 111 var exts cryptobyte.Builder 112 if len(m.serverName) > 0 { 113 // RFC 6066, Section 3 114 exts.AddUint16(extensionServerName) 115 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 116 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 117 exts.AddUint8(0) // name_type = host_name 118 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 119 exts.AddBytes([]byte(m.serverName)) 120 }) 121 }) 122 }) 123 } 124 if m.ocspStapling { 125 // RFC 4366, Section 3.6 126 exts.AddUint16(extensionStatusRequest) 127 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 128 exts.AddUint8(1) // status_type = ocsp 129 exts.AddUint16(0) // empty responder_id_list 130 exts.AddUint16(0) // empty request_extensions 131 }) 132 } 133 if len(m.supportedCurves) > 0 { 134 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 135 exts.AddUint16(extensionSupportedCurves) 136 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 137 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 138 for _, curve := range m.supportedCurves { 139 exts.AddUint16(uint16(curve)) 140 } 141 }) 142 }) 143 } 144 if len(m.supportedPoints) > 0 { 145 // RFC 4492, Section 5.1.2 146 exts.AddUint16(extensionSupportedPoints) 147 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 148 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 149 exts.AddBytes(m.supportedPoints) 150 }) 151 }) 152 } 153 if m.ticketSupported { 154 // RFC 5077, Section 3.2 155 exts.AddUint16(extensionSessionTicket) 156 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 157 exts.AddBytes(m.sessionTicket) 158 }) 159 } 160 if len(m.supportedSignatureAlgorithms) > 0 { 161 // RFC 5246, Section 7.4.1.4.1 162 exts.AddUint16(extensionSignatureAlgorithms) 163 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 164 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 165 for _, sigAlgo := range m.supportedSignatureAlgorithms { 166 exts.AddUint16(uint16(sigAlgo)) 167 } 168 }) 169 }) 170 } 171 if len(m.supportedSignatureAlgorithmsCert) > 0 { 172 // RFC 8446, Section 4.2.3 173 exts.AddUint16(extensionSignatureAlgorithmsCert) 174 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 175 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 176 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 177 exts.AddUint16(uint16(sigAlgo)) 178 } 179 }) 180 }) 181 } 182 if m.secureRenegotiationSupported { 183 // RFC 5746, Section 3.2 184 exts.AddUint16(extensionRenegotiationInfo) 185 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 186 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 187 exts.AddBytes(m.secureRenegotiation) 188 }) 189 }) 190 } 191 if m.extendedMasterSecret { 192 // RFC 7627 193 exts.AddUint16(extensionExtendedMasterSecret) 194 exts.AddUint16(0) // empty extension_data 195 } 196 if len(m.alpnProtocols) > 0 { 197 // RFC 7301, Section 3.1 198 exts.AddUint16(extensionALPN) 199 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 200 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 201 for _, proto := range m.alpnProtocols { 202 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 203 exts.AddBytes([]byte(proto)) 204 }) 205 } 206 }) 207 }) 208 } 209 if m.scts { 210 // RFC 6962, Section 3.3.1 211 exts.AddUint16(extensionSCT) 212 exts.AddUint16(0) // empty extension_data 213 } 214 if len(m.supportedVersions) > 0 { 215 // RFC 8446, Section 4.2.1 216 exts.AddUint16(extensionSupportedVersions) 217 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 218 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 219 for _, vers := range m.supportedVersions { 220 exts.AddUint16(vers) 221 } 222 }) 223 }) 224 } 225 if len(m.cookie) > 0 { 226 // RFC 8446, Section 4.2.2 227 exts.AddUint16(extensionCookie) 228 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 229 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 230 exts.AddBytes(m.cookie) 231 }) 232 }) 233 } 234 if len(m.keyShares) > 0 { 235 // RFC 8446, Section 4.2.8 236 exts.AddUint16(extensionKeyShare) 237 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 238 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 239 for _, ks := range m.keyShares { 240 exts.AddUint16(uint16(ks.group)) 241 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 242 exts.AddBytes(ks.data) 243 }) 244 } 245 }) 246 }) 247 } 248 if m.earlyData { 249 // RFC 8446, Section 4.2.10 250 exts.AddUint16(extensionEarlyData) 251 exts.AddUint16(0) // empty extension_data 252 } 253 if len(m.pskModes) > 0 { 254 // RFC 8446, Section 4.2.9 255 exts.AddUint16(extensionPSKModes) 256 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 257 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 258 exts.AddBytes(m.pskModes) 259 }) 260 }) 261 } 262 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 263 // RFC 9001, Section 8.2 264 exts.AddUint16(extensionQUICTransportParameters) 265 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 266 exts.AddBytes(m.quicTransportParameters) 267 }) 268 } 269 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 270 // RFC 8446, Section 4.2.11 271 debugf(nil, "adding psk ext\n") // #Restls# 272 exts.AddUint16(extensionPreSharedKey) 273 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 274 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 275 for _, psk := range m.pskIdentities { 276 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 277 exts.AddBytes(psk.label) 278 debugf(nil, "adding psk label %v\n", psk.label) // #Restls# 279 }) 280 exts.AddUint32(psk.obfuscatedTicketAge) 281 } 282 }) 283 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 284 for _, binder := range m.pskBinders { 285 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 286 exts.AddBytes(binder) 287 debugf(nil, "adding psk binder %v\n", binder) 288 }) 289 } 290 }) 291 }) 292 } 293 extBytes, err := exts.Bytes() 294 if err != nil { 295 return nil, err 296 } 297 298 var b cryptobyte.Builder 299 b.AddUint8(typeClientHello) 300 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 301 b.AddUint16(m.vers) 302 addBytesWithLength(b, m.random, 32) 303 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 304 b.AddBytes(m.sessionId) 305 }) 306 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 307 for _, suite := range m.cipherSuites { 308 b.AddUint16(suite) 309 } 310 }) 311 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 312 b.AddBytes(m.compressionMethods) 313 }) 314 315 if len(extBytes) > 0 { 316 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 317 b.AddBytes(extBytes) 318 }) 319 } 320 }) 321 322 m.raw, err = b.Bytes() 323 return m.raw, err 324 } 325 326 // marshalWithoutBinders returns the ClientHello through the 327 // FakePreSharedKeyExtension.identities field, according to RFC 8446, Section 328 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 329 func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) { 330 bindersLen := 2 // uint16 length prefix 331 for _, binder := range m.pskBinders { 332 bindersLen += 1 // uint8 length prefix 333 bindersLen += len(binder) 334 } 335 336 fullMessage, err := m.marshal() 337 if err != nil { 338 return nil, err 339 } 340 return fullMessage[:len(fullMessage)-bindersLen], nil 341 } 342 343 // updateBinders updates the m.pskBinders field, if necessary updating the 344 // cached marshaled representation. The supplied binders must have the same 345 // length as the current m.pskBinders. 346 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error { 347 if len(pskBinders) != len(m.pskBinders) { 348 return errors.New("tls: internal error: pskBinders length mismatch") 349 } 350 for i := range m.pskBinders { 351 if len(pskBinders[i]) != len(m.pskBinders[i]) { 352 return errors.New("tls: internal error: pskBinders length mismatch") 353 } 354 } 355 m.pskBinders = pskBinders 356 if m.raw != nil { 357 helloBytes, err := m.marshalWithoutBinders() 358 if err != nil { 359 return err 360 } 361 lenWithoutBinders := len(helloBytes) 362 b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders]) 363 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 364 for _, binder := range m.pskBinders { 365 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 366 debugf(nil, "updating binder %v\n", binder) // #Restls# 367 b.AddBytes(binder) 368 }) 369 } 370 }) 371 if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) { 372 return errors.New("tls: internal error: failed to update binders") 373 } 374 } 375 376 return nil 377 } 378 379 func (m *clientHelloMsg) unmarshal(data []byte) bool { 380 *m = clientHelloMsg{raw: data} 381 s := cryptobyte.String(data) 382 383 if !s.Skip(4) || // message type and uint24 length field 384 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 385 !readUint8LengthPrefixed(&s, &m.sessionId) { 386 return false 387 } 388 389 var cipherSuites cryptobyte.String 390 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 391 return false 392 } 393 m.cipherSuites = []uint16{} 394 m.secureRenegotiationSupported = false 395 for !cipherSuites.Empty() { 396 var suite uint16 397 if !cipherSuites.ReadUint16(&suite) { 398 return false 399 } 400 if suite == scsvRenegotiation { 401 m.secureRenegotiationSupported = true 402 } 403 m.cipherSuites = append(m.cipherSuites, suite) 404 } 405 406 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 407 return false 408 } 409 410 if s.Empty() { 411 // ClientHello is optionally followed by extension data 412 return true 413 } 414 415 var extensions cryptobyte.String 416 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 417 return false 418 } 419 420 seenExts := make(map[uint16]bool) 421 for !extensions.Empty() { 422 var extension uint16 423 var extData cryptobyte.String 424 if !extensions.ReadUint16(&extension) || 425 !extensions.ReadUint16LengthPrefixed(&extData) { 426 return false 427 } 428 429 if seenExts[extension] { 430 return false 431 } 432 seenExts[extension] = true 433 434 switch extension { 435 case extensionServerName: 436 // RFC 6066, Section 3 437 var nameList cryptobyte.String 438 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 439 return false 440 } 441 for !nameList.Empty() { 442 var nameType uint8 443 var serverName cryptobyte.String 444 if !nameList.ReadUint8(&nameType) || 445 !nameList.ReadUint16LengthPrefixed(&serverName) || 446 serverName.Empty() { 447 return false 448 } 449 if nameType != 0 { 450 continue 451 } 452 if len(m.serverName) != 0 { 453 // Multiple names of the same name_type are prohibited. 454 return false 455 } 456 m.serverName = string(serverName) 457 // An SNI value may not include a trailing dot. 458 if strings.HasSuffix(m.serverName, ".") { 459 return false 460 } 461 } 462 case extensionStatusRequest: 463 // RFC 4366, Section 3.6 464 var statusType uint8 465 var ignored cryptobyte.String 466 if !extData.ReadUint8(&statusType) || 467 !extData.ReadUint16LengthPrefixed(&ignored) || 468 !extData.ReadUint16LengthPrefixed(&ignored) { 469 return false 470 } 471 m.ocspStapling = statusType == statusTypeOCSP 472 case extensionSupportedCurves: 473 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 474 var curves cryptobyte.String 475 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 476 return false 477 } 478 for !curves.Empty() { 479 var curve uint16 480 if !curves.ReadUint16(&curve) { 481 return false 482 } 483 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 484 } 485 case extensionSupportedPoints: 486 // RFC 4492, Section 5.1.2 487 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 488 len(m.supportedPoints) == 0 { 489 return false 490 } 491 case extensionSessionTicket: 492 // RFC 5077, Section 3.2 493 m.ticketSupported = true 494 extData.ReadBytes(&m.sessionTicket, len(extData)) 495 case extensionSignatureAlgorithms: 496 // RFC 5246, Section 7.4.1.4.1 497 var sigAndAlgs cryptobyte.String 498 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 499 return false 500 } 501 for !sigAndAlgs.Empty() { 502 var sigAndAlg uint16 503 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 504 return false 505 } 506 m.supportedSignatureAlgorithms = append( 507 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 508 } 509 case extensionSignatureAlgorithmsCert: 510 // RFC 8446, Section 4.2.3 511 var sigAndAlgs cryptobyte.String 512 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 513 return false 514 } 515 for !sigAndAlgs.Empty() { 516 var sigAndAlg uint16 517 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 518 return false 519 } 520 m.supportedSignatureAlgorithmsCert = append( 521 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 522 } 523 case extensionRenegotiationInfo: 524 // RFC 5746, Section 3.2 525 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 526 return false 527 } 528 m.secureRenegotiationSupported = true 529 case extensionExtendedMasterSecret: 530 // RFC 7627 531 m.extendedMasterSecret = true 532 case extensionALPN: 533 // RFC 7301, Section 3.1 534 var protoList cryptobyte.String 535 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 536 return false 537 } 538 for !protoList.Empty() { 539 var proto cryptobyte.String 540 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 541 return false 542 } 543 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 544 } 545 case extensionSCT: 546 // RFC 6962, Section 3.3.1 547 m.scts = true 548 case extensionSupportedVersions: 549 // RFC 8446, Section 4.2.1 550 var versList cryptobyte.String 551 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 552 return false 553 } 554 for !versList.Empty() { 555 var vers uint16 556 if !versList.ReadUint16(&vers) { 557 return false 558 } 559 m.supportedVersions = append(m.supportedVersions, vers) 560 } 561 case extensionCookie: 562 // RFC 8446, Section 4.2.2 563 if !readUint16LengthPrefixed(&extData, &m.cookie) || 564 len(m.cookie) == 0 { 565 return false 566 } 567 case extensionKeyShare: 568 // RFC 8446, Section 4.2.8 569 var clientShares cryptobyte.String 570 if !extData.ReadUint16LengthPrefixed(&clientShares) { 571 return false 572 } 573 for !clientShares.Empty() { 574 var ks keyShare 575 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 576 !readUint16LengthPrefixed(&clientShares, &ks.data) || 577 len(ks.data) == 0 { 578 return false 579 } 580 m.keyShares = append(m.keyShares, ks) 581 } 582 case extensionEarlyData: 583 // RFC 8446, Section 4.2.10 584 m.earlyData = true 585 case extensionPSKModes: 586 // RFC 8446, Section 4.2.9 587 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 588 return false 589 } 590 case extensionQUICTransportParameters: 591 m.quicTransportParameters = make([]byte, len(extData)) 592 if !extData.CopyBytes(m.quicTransportParameters) { 593 return false 594 } 595 case extensionPreSharedKey: 596 // RFC 8446, Section 4.2.11 597 if !extensions.Empty() { 598 return false // pre_shared_key must be the last extension 599 } 600 var identities cryptobyte.String 601 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 602 return false 603 } 604 for !identities.Empty() { 605 var psk pskIdentity 606 if !readUint16LengthPrefixed(&identities, &psk.label) || 607 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 608 len(psk.label) == 0 { 609 return false 610 } 611 m.pskIdentities = append(m.pskIdentities, psk) 612 } 613 var binders cryptobyte.String 614 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 615 return false 616 } 617 for !binders.Empty() { 618 var binder []byte 619 if !readUint8LengthPrefixed(&binders, &binder) || 620 len(binder) == 0 { 621 return false 622 } 623 m.pskBinders = append(m.pskBinders, binder) 624 } 625 default: 626 // Ignore unknown extensions. 627 continue 628 } 629 630 if !extData.Empty() { 631 return false 632 } 633 } 634 635 return true 636 } 637 638 type serverHelloMsg struct { 639 raw []byte 640 vers uint16 641 random []byte 642 sessionId []byte 643 cipherSuite uint16 644 compressionMethod uint8 645 ocspStapling bool 646 ticketSupported bool 647 secureRenegotiationSupported bool 648 secureRenegotiation []byte 649 extendedMasterSecret bool 650 alpnProtocol string 651 scts [][]byte 652 supportedVersion uint16 653 serverShare keyShare 654 selectedIdentityPresent bool 655 selectedIdentity uint16 656 supportedPoints []uint8 657 658 // HelloRetryRequest extensions 659 cookie []byte 660 selectedGroup CurveID 661 662 // [uTLS] 663 nextProtoNeg bool 664 nextProtos []string 665 } 666 667 func (m *serverHelloMsg) marshal() ([]byte, error) { 668 if m.raw != nil { 669 return m.raw, nil 670 } 671 672 var exts cryptobyte.Builder 673 if m.ocspStapling { 674 exts.AddUint16(extensionStatusRequest) 675 exts.AddUint16(0) // empty extension_data 676 } 677 if m.ticketSupported { 678 exts.AddUint16(extensionSessionTicket) 679 exts.AddUint16(0) // empty extension_data 680 } 681 if m.secureRenegotiationSupported { 682 exts.AddUint16(extensionRenegotiationInfo) 683 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 684 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 685 exts.AddBytes(m.secureRenegotiation) 686 }) 687 }) 688 } 689 if m.extendedMasterSecret { 690 exts.AddUint16(extensionExtendedMasterSecret) 691 exts.AddUint16(0) // empty extension_data 692 } 693 if len(m.alpnProtocol) > 0 { 694 exts.AddUint16(extensionALPN) 695 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 696 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 697 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 698 exts.AddBytes([]byte(m.alpnProtocol)) 699 }) 700 }) 701 }) 702 } 703 if len(m.scts) > 0 { 704 exts.AddUint16(extensionSCT) 705 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 706 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 707 for _, sct := range m.scts { 708 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 709 exts.AddBytes(sct) 710 }) 711 } 712 }) 713 }) 714 } 715 if m.supportedVersion != 0 { 716 exts.AddUint16(extensionSupportedVersions) 717 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 718 exts.AddUint16(m.supportedVersion) 719 }) 720 } 721 if m.serverShare.group != 0 { 722 exts.AddUint16(extensionKeyShare) 723 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 724 exts.AddUint16(uint16(m.serverShare.group)) 725 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 726 exts.AddBytes(m.serverShare.data) 727 }) 728 }) 729 } 730 if m.selectedIdentityPresent { 731 exts.AddUint16(extensionPreSharedKey) 732 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 733 exts.AddUint16(m.selectedIdentity) 734 }) 735 } 736 737 if len(m.cookie) > 0 { 738 exts.AddUint16(extensionCookie) 739 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 740 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 741 exts.AddBytes(m.cookie) 742 }) 743 }) 744 } 745 if m.selectedGroup != 0 { 746 exts.AddUint16(extensionKeyShare) 747 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 748 exts.AddUint16(uint16(m.selectedGroup)) 749 }) 750 } 751 if len(m.supportedPoints) > 0 { 752 exts.AddUint16(extensionSupportedPoints) 753 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 754 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 755 exts.AddBytes(m.supportedPoints) 756 }) 757 }) 758 } 759 760 extBytes, err := exts.Bytes() 761 if err != nil { 762 return nil, err 763 } 764 765 var b cryptobyte.Builder 766 b.AddUint8(typeServerHello) 767 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 768 b.AddUint16(m.vers) 769 addBytesWithLength(b, m.random, 32) 770 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 771 b.AddBytes(m.sessionId) 772 }) 773 b.AddUint16(m.cipherSuite) 774 b.AddUint8(m.compressionMethod) 775 776 if len(extBytes) > 0 { 777 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 778 b.AddBytes(extBytes) 779 }) 780 } 781 }) 782 783 m.raw, err = b.Bytes() 784 return m.raw, err 785 } 786 787 func (m *serverHelloMsg) unmarshal(data []byte) bool { 788 *m = serverHelloMsg{raw: data} 789 s := cryptobyte.String(data) 790 791 if !s.Skip(4) || // message type and uint24 length field 792 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 793 !readUint8LengthPrefixed(&s, &m.sessionId) || 794 !s.ReadUint16(&m.cipherSuite) || 795 !s.ReadUint8(&m.compressionMethod) { 796 return false 797 } 798 799 if s.Empty() { 800 // ServerHello is optionally followed by extension data 801 return true 802 } 803 804 var extensions cryptobyte.String 805 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 806 return false 807 } 808 809 seenExts := make(map[uint16]bool) 810 for !extensions.Empty() { 811 var extension uint16 812 var extData cryptobyte.String 813 if !extensions.ReadUint16(&extension) || 814 !extensions.ReadUint16LengthPrefixed(&extData) { 815 return false 816 } 817 818 if seenExts[extension] { 819 return false 820 } 821 seenExts[extension] = true 822 823 switch extension { 824 case extensionStatusRequest: 825 m.ocspStapling = true 826 case extensionSessionTicket: 827 m.ticketSupported = true 828 // [UTLS] crypto/tls finally supports EMS! Now we don't do anything special here. 829 // case utlsExtensionExtendedMasterSecret: 830 // // No sanity check for this extension: pretending not to know it. 831 // // if length > 0 { 832 // // return false 833 // // } 834 // m.ems = true 835 case extensionRenegotiationInfo: 836 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 837 return false 838 } 839 m.secureRenegotiationSupported = true 840 case extensionExtendedMasterSecret: 841 m.extendedMasterSecret = true 842 case extensionALPN: 843 var protoList cryptobyte.String 844 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 845 return false 846 } 847 var proto cryptobyte.String 848 if !protoList.ReadUint8LengthPrefixed(&proto) || 849 proto.Empty() || !protoList.Empty() { 850 return false 851 } 852 m.alpnProtocol = string(proto) 853 case extensionSCT: 854 var sctList cryptobyte.String 855 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 856 return false 857 } 858 for !sctList.Empty() { 859 var sct []byte 860 if !readUint16LengthPrefixed(&sctList, &sct) || 861 len(sct) == 0 { 862 return false 863 } 864 m.scts = append(m.scts, sct) 865 } 866 case extensionSupportedVersions: 867 if !extData.ReadUint16(&m.supportedVersion) { 868 return false 869 } 870 case extensionCookie: 871 if !readUint16LengthPrefixed(&extData, &m.cookie) || 872 len(m.cookie) == 0 { 873 return false 874 } 875 case extensionKeyShare: 876 // This extension has different formats in SH and HRR, accept either 877 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 878 if len(extData) == 2 { 879 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 880 return false 881 } 882 } else { 883 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 884 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 885 return false 886 } 887 } 888 case extensionPreSharedKey: 889 m.selectedIdentityPresent = true 890 if !extData.ReadUint16(&m.selectedIdentity) { 891 return false 892 } 893 case extensionSupportedPoints: 894 // RFC 4492, Section 5.1.2 895 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 896 len(m.supportedPoints) == 0 { 897 return false 898 } 899 default: 900 // Ignore unknown extensions. 901 continue 902 } 903 904 if !extData.Empty() { 905 return false 906 } 907 } 908 909 return true 910 } 911 912 type encryptedExtensionsMsg struct { 913 raw []byte 914 alpnProtocol string 915 quicTransportParameters []byte 916 earlyData bool 917 918 utls utlsEncryptedExtensionsMsgExtraFields // [uTLS] 919 } 920 921 func (m *encryptedExtensionsMsg) marshal() ([]byte, error) { 922 if m.raw != nil { 923 return m.raw, nil 924 } 925 926 var b cryptobyte.Builder 927 b.AddUint8(typeEncryptedExtensions) 928 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 929 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 930 if len(m.alpnProtocol) > 0 { 931 b.AddUint16(extensionALPN) 932 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 933 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 934 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 935 b.AddBytes([]byte(m.alpnProtocol)) 936 }) 937 }) 938 }) 939 } 940 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 941 // draft-ietf-quic-tls-32, Section 8.2 942 b.AddUint16(extensionQUICTransportParameters) 943 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 944 b.AddBytes(m.quicTransportParameters) 945 }) 946 } 947 if m.earlyData { 948 // RFC 8446, Section 4.2.10 949 b.AddUint16(extensionEarlyData) 950 b.AddUint16(0) // empty extension_data 951 } 952 }) 953 }) 954 955 var err error 956 m.raw, err = b.Bytes() 957 return m.raw, err 958 } 959 960 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 961 *m = encryptedExtensionsMsg{raw: data} 962 s := cryptobyte.String(data) 963 964 var extensions cryptobyte.String 965 if !s.Skip(4) || // message type and uint24 length field 966 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 967 return false 968 } 969 970 for !extensions.Empty() { 971 var extension uint16 972 var extData cryptobyte.String 973 if !extensions.ReadUint16(&extension) || 974 !extensions.ReadUint16LengthPrefixed(&extData) { 975 return false 976 } 977 978 switch extension { 979 case extensionALPN: 980 var protoList cryptobyte.String 981 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 982 return false 983 } 984 var proto cryptobyte.String 985 if !protoList.ReadUint8LengthPrefixed(&proto) || 986 proto.Empty() || !protoList.Empty() { 987 return false 988 } 989 m.alpnProtocol = string(proto) 990 case extensionQUICTransportParameters: 991 m.quicTransportParameters = make([]byte, len(extData)) 992 if !extData.CopyBytes(m.quicTransportParameters) { 993 return false 994 } 995 case extensionEarlyData: 996 // RFC 8446, Section 4.2.10 997 m.earlyData = true 998 default: 999 // [UTLS SECTION START] 1000 if !m.utlsUnmarshal(extension, extData) { 1001 return false // return false when ERROR 1002 } 1003 // [UTLS SECTION END] 1004 // Ignore unknown extensions. 1005 continue 1006 } 1007 1008 if !extData.Empty() { 1009 return false 1010 } 1011 } 1012 1013 return true 1014 } 1015 1016 type endOfEarlyDataMsg struct{} 1017 1018 func (m *endOfEarlyDataMsg) marshal() ([]byte, error) { 1019 x := make([]byte, 4) 1020 x[0] = typeEndOfEarlyData 1021 return x, nil 1022 } 1023 1024 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 1025 return len(data) == 4 1026 } 1027 1028 type keyUpdateMsg struct { 1029 raw []byte 1030 updateRequested bool 1031 } 1032 1033 func (m *keyUpdateMsg) marshal() ([]byte, error) { 1034 if m.raw != nil { 1035 return m.raw, nil 1036 } 1037 1038 var b cryptobyte.Builder 1039 b.AddUint8(typeKeyUpdate) 1040 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1041 if m.updateRequested { 1042 b.AddUint8(1) 1043 } else { 1044 b.AddUint8(0) 1045 } 1046 }) 1047 1048 var err error 1049 m.raw, err = b.Bytes() 1050 return m.raw, err 1051 } 1052 1053 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 1054 m.raw = data 1055 s := cryptobyte.String(data) 1056 1057 var updateRequested uint8 1058 if !s.Skip(4) || // message type and uint24 length field 1059 !s.ReadUint8(&updateRequested) || !s.Empty() { 1060 return false 1061 } 1062 switch updateRequested { 1063 case 0: 1064 m.updateRequested = false 1065 case 1: 1066 m.updateRequested = true 1067 default: 1068 return false 1069 } 1070 return true 1071 } 1072 1073 type newSessionTicketMsgTLS13 struct { 1074 raw []byte 1075 lifetime uint32 1076 ageAdd uint32 1077 nonce []byte 1078 label []byte 1079 maxEarlyData uint32 1080 } 1081 1082 func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) { 1083 if m.raw != nil { 1084 return m.raw, nil 1085 } 1086 1087 var b cryptobyte.Builder 1088 b.AddUint8(typeNewSessionTicket) 1089 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1090 b.AddUint32(m.lifetime) 1091 b.AddUint32(m.ageAdd) 1092 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1093 b.AddBytes(m.nonce) 1094 }) 1095 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1096 b.AddBytes(m.label) 1097 }) 1098 1099 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1100 if m.maxEarlyData > 0 { 1101 b.AddUint16(extensionEarlyData) 1102 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1103 b.AddUint32(m.maxEarlyData) 1104 }) 1105 } 1106 }) 1107 }) 1108 1109 var err error 1110 m.raw, err = b.Bytes() 1111 return m.raw, err 1112 } 1113 1114 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1115 *m = newSessionTicketMsgTLS13{raw: data} 1116 s := cryptobyte.String(data) 1117 1118 var extensions cryptobyte.String 1119 if !s.Skip(4) || // message type and uint24 length field 1120 !s.ReadUint32(&m.lifetime) || 1121 !s.ReadUint32(&m.ageAdd) || 1122 !readUint8LengthPrefixed(&s, &m.nonce) || 1123 !readUint16LengthPrefixed(&s, &m.label) || 1124 !s.ReadUint16LengthPrefixed(&extensions) || 1125 !s.Empty() { 1126 return false 1127 } 1128 1129 for !extensions.Empty() { 1130 var extension uint16 1131 var extData cryptobyte.String 1132 if !extensions.ReadUint16(&extension) || 1133 !extensions.ReadUint16LengthPrefixed(&extData) { 1134 return false 1135 } 1136 1137 switch extension { 1138 case extensionEarlyData: 1139 if !extData.ReadUint32(&m.maxEarlyData) { 1140 return false 1141 } 1142 default: 1143 // Ignore unknown extensions. 1144 continue 1145 } 1146 1147 if !extData.Empty() { 1148 return false 1149 } 1150 } 1151 1152 return true 1153 } 1154 1155 type certificateRequestMsgTLS13 struct { 1156 raw []byte 1157 ocspStapling bool 1158 scts bool 1159 supportedSignatureAlgorithms []SignatureScheme 1160 supportedSignatureAlgorithmsCert []SignatureScheme 1161 certificateAuthorities [][]byte 1162 } 1163 1164 func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) { 1165 if m.raw != nil { 1166 return m.raw, nil 1167 } 1168 1169 var b cryptobyte.Builder 1170 b.AddUint8(typeCertificateRequest) 1171 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1172 // certificate_request_context (SHALL be zero length unless used for 1173 // post-handshake authentication) 1174 b.AddUint8(0) 1175 1176 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1177 if m.ocspStapling { 1178 b.AddUint16(extensionStatusRequest) 1179 b.AddUint16(0) // empty extension_data 1180 } 1181 if m.scts { 1182 // RFC 8446, Section 4.4.2.1 makes no mention of 1183 // signed_certificate_timestamp in CertificateRequest, but 1184 // "Extensions in the Certificate message from the client MUST 1185 // correspond to extensions in the CertificateRequest message 1186 // from the server." and it appears in the table in Section 4.2. 1187 b.AddUint16(extensionSCT) 1188 b.AddUint16(0) // empty extension_data 1189 } 1190 if len(m.supportedSignatureAlgorithms) > 0 { 1191 b.AddUint16(extensionSignatureAlgorithms) 1192 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1193 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1194 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1195 b.AddUint16(uint16(sigAlgo)) 1196 } 1197 }) 1198 }) 1199 } 1200 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1201 b.AddUint16(extensionSignatureAlgorithmsCert) 1202 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1203 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1204 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1205 b.AddUint16(uint16(sigAlgo)) 1206 } 1207 }) 1208 }) 1209 } 1210 if len(m.certificateAuthorities) > 0 { 1211 b.AddUint16(extensionCertificateAuthorities) 1212 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1213 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1214 for _, ca := range m.certificateAuthorities { 1215 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1216 b.AddBytes(ca) 1217 }) 1218 } 1219 }) 1220 }) 1221 } 1222 }) 1223 }) 1224 1225 var err error 1226 m.raw, err = b.Bytes() 1227 return m.raw, err 1228 } 1229 1230 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1231 *m = certificateRequestMsgTLS13{raw: data} 1232 s := cryptobyte.String(data) 1233 1234 var context, extensions cryptobyte.String 1235 if !s.Skip(4) || // message type and uint24 length field 1236 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1237 !s.ReadUint16LengthPrefixed(&extensions) || 1238 !s.Empty() { 1239 return false 1240 } 1241 1242 for !extensions.Empty() { 1243 var extension uint16 1244 var extData cryptobyte.String 1245 if !extensions.ReadUint16(&extension) || 1246 !extensions.ReadUint16LengthPrefixed(&extData) { 1247 return false 1248 } 1249 1250 switch extension { 1251 case extensionStatusRequest: 1252 m.ocspStapling = true 1253 case extensionSCT: 1254 m.scts = true 1255 case extensionSignatureAlgorithms: 1256 var sigAndAlgs cryptobyte.String 1257 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1258 return false 1259 } 1260 for !sigAndAlgs.Empty() { 1261 var sigAndAlg uint16 1262 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1263 return false 1264 } 1265 m.supportedSignatureAlgorithms = append( 1266 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1267 } 1268 case extensionSignatureAlgorithmsCert: 1269 var sigAndAlgs cryptobyte.String 1270 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1271 return false 1272 } 1273 for !sigAndAlgs.Empty() { 1274 var sigAndAlg uint16 1275 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1276 return false 1277 } 1278 m.supportedSignatureAlgorithmsCert = append( 1279 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1280 } 1281 case extensionCertificateAuthorities: 1282 var auths cryptobyte.String 1283 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1284 return false 1285 } 1286 for !auths.Empty() { 1287 var ca []byte 1288 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1289 return false 1290 } 1291 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1292 } 1293 default: 1294 // Ignore unknown extensions. 1295 continue 1296 } 1297 1298 if !extData.Empty() { 1299 return false 1300 } 1301 } 1302 1303 return true 1304 } 1305 1306 type certificateMsg struct { 1307 raw []byte 1308 certificates [][]byte 1309 } 1310 1311 func (m *certificateMsg) marshal() ([]byte, error) { 1312 if m.raw != nil { 1313 return m.raw, nil 1314 } 1315 1316 var i int 1317 for _, slice := range m.certificates { 1318 i += len(slice) 1319 } 1320 1321 length := 3 + 3*len(m.certificates) + i 1322 x := make([]byte, 4+length) 1323 x[0] = typeCertificate 1324 x[1] = uint8(length >> 16) 1325 x[2] = uint8(length >> 8) 1326 x[3] = uint8(length) 1327 1328 certificateOctets := length - 3 1329 x[4] = uint8(certificateOctets >> 16) 1330 x[5] = uint8(certificateOctets >> 8) 1331 x[6] = uint8(certificateOctets) 1332 1333 y := x[7:] 1334 for _, slice := range m.certificates { 1335 y[0] = uint8(len(slice) >> 16) 1336 y[1] = uint8(len(slice) >> 8) 1337 y[2] = uint8(len(slice)) 1338 copy(y[3:], slice) 1339 y = y[3+len(slice):] 1340 } 1341 1342 m.raw = x 1343 return m.raw, nil 1344 } 1345 1346 func (m *certificateMsg) unmarshal(data []byte) bool { 1347 if len(data) < 7 { 1348 return false 1349 } 1350 1351 m.raw = data 1352 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1353 if uint32(len(data)) != certsLen+7 { 1354 return false 1355 } 1356 1357 numCerts := 0 1358 d := data[7:] 1359 for certsLen > 0 { 1360 if len(d) < 4 { 1361 return false 1362 } 1363 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1364 if uint32(len(d)) < 3+certLen { 1365 return false 1366 } 1367 d = d[3+certLen:] 1368 certsLen -= 3 + certLen 1369 numCerts++ 1370 } 1371 1372 m.certificates = make([][]byte, numCerts) 1373 d = data[7:] 1374 for i := 0; i < numCerts; i++ { 1375 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1376 m.certificates[i] = d[3 : 3+certLen] 1377 d = d[3+certLen:] 1378 } 1379 1380 return true 1381 } 1382 1383 type certificateMsgTLS13 struct { 1384 raw []byte 1385 certificate Certificate 1386 ocspStapling bool 1387 scts bool 1388 } 1389 1390 func (m *certificateMsgTLS13) marshal() ([]byte, error) { 1391 if m.raw != nil { 1392 return m.raw, nil 1393 } 1394 1395 var b cryptobyte.Builder 1396 b.AddUint8(typeCertificate) 1397 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1398 b.AddUint8(0) // certificate_request_context 1399 1400 certificate := m.certificate 1401 if !m.ocspStapling { 1402 certificate.OCSPStaple = nil 1403 } 1404 if !m.scts { 1405 certificate.SignedCertificateTimestamps = nil 1406 } 1407 marshalCertificate(b, certificate) 1408 }) 1409 1410 var err error 1411 m.raw, err = b.Bytes() 1412 return m.raw, err 1413 } 1414 1415 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1416 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1417 for i, cert := range certificate.Certificate { 1418 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1419 b.AddBytes(cert) 1420 }) 1421 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1422 if i > 0 { 1423 // This library only supports OCSP and SCT for leaf certificates. 1424 return 1425 } 1426 if certificate.OCSPStaple != nil { 1427 b.AddUint16(extensionStatusRequest) 1428 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1429 b.AddUint8(statusTypeOCSP) 1430 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1431 b.AddBytes(certificate.OCSPStaple) 1432 }) 1433 }) 1434 } 1435 if certificate.SignedCertificateTimestamps != nil { 1436 b.AddUint16(extensionSCT) 1437 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1438 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1439 for _, sct := range certificate.SignedCertificateTimestamps { 1440 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1441 b.AddBytes(sct) 1442 }) 1443 } 1444 }) 1445 }) 1446 } 1447 }) 1448 } 1449 }) 1450 } 1451 1452 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1453 *m = certificateMsgTLS13{raw: data} 1454 s := cryptobyte.String(data) 1455 1456 var context cryptobyte.String 1457 if !s.Skip(4) || // message type and uint24 length field 1458 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1459 !unmarshalCertificate(&s, &m.certificate) || 1460 !s.Empty() { 1461 return false 1462 } 1463 1464 m.scts = m.certificate.SignedCertificateTimestamps != nil 1465 m.ocspStapling = m.certificate.OCSPStaple != nil 1466 1467 return true 1468 } 1469 1470 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1471 var certList cryptobyte.String 1472 if !s.ReadUint24LengthPrefixed(&certList) { 1473 return false 1474 } 1475 for !certList.Empty() { 1476 var cert []byte 1477 var extensions cryptobyte.String 1478 if !readUint24LengthPrefixed(&certList, &cert) || 1479 !certList.ReadUint16LengthPrefixed(&extensions) { 1480 return false 1481 } 1482 certificate.Certificate = append(certificate.Certificate, cert) 1483 for !extensions.Empty() { 1484 var extension uint16 1485 var extData cryptobyte.String 1486 if !extensions.ReadUint16(&extension) || 1487 !extensions.ReadUint16LengthPrefixed(&extData) { 1488 return false 1489 } 1490 if len(certificate.Certificate) > 1 { 1491 // This library only supports OCSP and SCT for leaf certificates. 1492 continue 1493 } 1494 1495 switch extension { 1496 case extensionStatusRequest: 1497 var statusType uint8 1498 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1499 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1500 len(certificate.OCSPStaple) == 0 { 1501 return false 1502 } 1503 case extensionSCT: 1504 var sctList cryptobyte.String 1505 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1506 return false 1507 } 1508 for !sctList.Empty() { 1509 var sct []byte 1510 if !readUint16LengthPrefixed(&sctList, &sct) || 1511 len(sct) == 0 { 1512 return false 1513 } 1514 certificate.SignedCertificateTimestamps = append( 1515 certificate.SignedCertificateTimestamps, sct) 1516 } 1517 default: 1518 // Ignore unknown extensions. 1519 continue 1520 } 1521 1522 if !extData.Empty() { 1523 return false 1524 } 1525 } 1526 } 1527 return true 1528 } 1529 1530 type serverKeyExchangeMsg struct { 1531 raw []byte 1532 key []byte 1533 } 1534 1535 func (m *serverKeyExchangeMsg) marshal() ([]byte, error) { 1536 if m.raw != nil { 1537 return m.raw, nil 1538 } 1539 length := len(m.key) 1540 x := make([]byte, length+4) 1541 x[0] = typeServerKeyExchange 1542 x[1] = uint8(length >> 16) 1543 x[2] = uint8(length >> 8) 1544 x[3] = uint8(length) 1545 copy(x[4:], m.key) 1546 1547 m.raw = x 1548 return x, nil 1549 } 1550 1551 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1552 m.raw = data 1553 if len(data) < 4 { 1554 return false 1555 } 1556 m.key = data[4:] 1557 return true 1558 } 1559 1560 type certificateStatusMsg struct { 1561 raw []byte 1562 response []byte 1563 } 1564 1565 func (m *certificateStatusMsg) marshal() ([]byte, error) { 1566 if m.raw != nil { 1567 return m.raw, nil 1568 } 1569 1570 var b cryptobyte.Builder 1571 b.AddUint8(typeCertificateStatus) 1572 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1573 b.AddUint8(statusTypeOCSP) 1574 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1575 b.AddBytes(m.response) 1576 }) 1577 }) 1578 1579 var err error 1580 m.raw, err = b.Bytes() 1581 return m.raw, err 1582 } 1583 1584 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1585 m.raw = data 1586 s := cryptobyte.String(data) 1587 1588 var statusType uint8 1589 if !s.Skip(4) || // message type and uint24 length field 1590 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1591 !readUint24LengthPrefixed(&s, &m.response) || 1592 len(m.response) == 0 || !s.Empty() { 1593 return false 1594 } 1595 return true 1596 } 1597 1598 type serverHelloDoneMsg struct{} 1599 1600 func (m *serverHelloDoneMsg) marshal() ([]byte, error) { 1601 x := make([]byte, 4) 1602 x[0] = typeServerHelloDone 1603 return x, nil 1604 } 1605 1606 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1607 return len(data) == 4 1608 } 1609 1610 type clientKeyExchangeMsg struct { 1611 raw []byte 1612 ciphertext []byte 1613 } 1614 1615 func (m *clientKeyExchangeMsg) marshal() ([]byte, error) { 1616 if m.raw != nil { 1617 return m.raw, nil 1618 } 1619 length := len(m.ciphertext) 1620 x := make([]byte, length+4) 1621 x[0] = typeClientKeyExchange 1622 x[1] = uint8(length >> 16) 1623 x[2] = uint8(length >> 8) 1624 x[3] = uint8(length) 1625 copy(x[4:], m.ciphertext) 1626 1627 m.raw = x 1628 return x, nil 1629 } 1630 1631 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1632 m.raw = data 1633 if len(data) < 4 { 1634 return false 1635 } 1636 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1637 if l != len(data)-4 { 1638 return false 1639 } 1640 m.ciphertext = data[4:] 1641 return true 1642 } 1643 1644 type finishedMsg struct { 1645 raw []byte 1646 verifyData []byte 1647 } 1648 1649 func (m *finishedMsg) marshal() ([]byte, error) { 1650 if m.raw != nil { 1651 return m.raw, nil 1652 } 1653 1654 var b cryptobyte.Builder 1655 b.AddUint8(typeFinished) 1656 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1657 b.AddBytes(m.verifyData) 1658 }) 1659 1660 var err error 1661 m.raw, err = b.Bytes() 1662 return m.raw, err 1663 } 1664 1665 func (m *finishedMsg) unmarshal(data []byte) bool { 1666 m.raw = data 1667 s := cryptobyte.String(data) 1668 return s.Skip(1) && 1669 readUint24LengthPrefixed(&s, &m.verifyData) && 1670 s.Empty() 1671 } 1672 1673 type certificateRequestMsg struct { 1674 raw []byte 1675 // hasSignatureAlgorithm indicates whether this message includes a list of 1676 // supported signature algorithms. This change was introduced with TLS 1.2. 1677 hasSignatureAlgorithm bool 1678 1679 certificateTypes []byte 1680 supportedSignatureAlgorithms []SignatureScheme 1681 certificateAuthorities [][]byte 1682 } 1683 1684 func (m *certificateRequestMsg) marshal() ([]byte, error) { 1685 if m.raw != nil { 1686 return m.raw, nil 1687 } 1688 1689 // See RFC 4346, Section 7.4.4. 1690 length := 1 + len(m.certificateTypes) + 2 1691 casLength := 0 1692 for _, ca := range m.certificateAuthorities { 1693 casLength += 2 + len(ca) 1694 } 1695 length += casLength 1696 1697 if m.hasSignatureAlgorithm { 1698 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1699 } 1700 1701 x := make([]byte, 4+length) 1702 x[0] = typeCertificateRequest 1703 x[1] = uint8(length >> 16) 1704 x[2] = uint8(length >> 8) 1705 x[3] = uint8(length) 1706 1707 x[4] = uint8(len(m.certificateTypes)) 1708 1709 copy(x[5:], m.certificateTypes) 1710 y := x[5+len(m.certificateTypes):] 1711 1712 if m.hasSignatureAlgorithm { 1713 n := len(m.supportedSignatureAlgorithms) * 2 1714 y[0] = uint8(n >> 8) 1715 y[1] = uint8(n) 1716 y = y[2:] 1717 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1718 y[0] = uint8(sigAlgo >> 8) 1719 y[1] = uint8(sigAlgo) 1720 y = y[2:] 1721 } 1722 } 1723 1724 y[0] = uint8(casLength >> 8) 1725 y[1] = uint8(casLength) 1726 y = y[2:] 1727 for _, ca := range m.certificateAuthorities { 1728 y[0] = uint8(len(ca) >> 8) 1729 y[1] = uint8(len(ca)) 1730 y = y[2:] 1731 copy(y, ca) 1732 y = y[len(ca):] 1733 } 1734 1735 m.raw = x 1736 return m.raw, nil 1737 } 1738 1739 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1740 m.raw = data 1741 1742 if len(data) < 5 { 1743 return false 1744 } 1745 1746 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1747 if uint32(len(data))-4 != length { 1748 return false 1749 } 1750 1751 numCertTypes := int(data[4]) 1752 data = data[5:] 1753 if numCertTypes == 0 || len(data) <= numCertTypes { 1754 return false 1755 } 1756 1757 m.certificateTypes = make([]byte, numCertTypes) 1758 if copy(m.certificateTypes, data) != numCertTypes { 1759 return false 1760 } 1761 1762 data = data[numCertTypes:] 1763 1764 if m.hasSignatureAlgorithm { 1765 if len(data) < 2 { 1766 return false 1767 } 1768 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1769 data = data[2:] 1770 if sigAndHashLen&1 != 0 { 1771 return false 1772 } 1773 if len(data) < int(sigAndHashLen) { 1774 return false 1775 } 1776 numSigAlgos := sigAndHashLen / 2 1777 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 1778 for i := range m.supportedSignatureAlgorithms { 1779 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 1780 data = data[2:] 1781 } 1782 } 1783 1784 if len(data) < 2 { 1785 return false 1786 } 1787 casLength := uint16(data[0])<<8 | uint16(data[1]) 1788 data = data[2:] 1789 if len(data) < int(casLength) { 1790 return false 1791 } 1792 cas := make([]byte, casLength) 1793 copy(cas, data) 1794 data = data[casLength:] 1795 1796 m.certificateAuthorities = nil 1797 for len(cas) > 0 { 1798 if len(cas) < 2 { 1799 return false 1800 } 1801 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1802 cas = cas[2:] 1803 1804 if len(cas) < int(caLen) { 1805 return false 1806 } 1807 1808 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1809 cas = cas[caLen:] 1810 } 1811 1812 return len(data) == 0 1813 } 1814 1815 type certificateVerifyMsg struct { 1816 raw []byte 1817 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 1818 signatureAlgorithm SignatureScheme 1819 signature []byte 1820 } 1821 1822 func (m *certificateVerifyMsg) marshal() ([]byte, error) { 1823 if m.raw != nil { 1824 return m.raw, nil 1825 } 1826 1827 var b cryptobyte.Builder 1828 b.AddUint8(typeCertificateVerify) 1829 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1830 if m.hasSignatureAlgorithm { 1831 b.AddUint16(uint16(m.signatureAlgorithm)) 1832 } 1833 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1834 b.AddBytes(m.signature) 1835 }) 1836 }) 1837 1838 var err error 1839 m.raw, err = b.Bytes() 1840 return m.raw, err 1841 } 1842 1843 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1844 m.raw = data 1845 s := cryptobyte.String(data) 1846 1847 if !s.Skip(4) { // message type and uint24 length field 1848 return false 1849 } 1850 if m.hasSignatureAlgorithm { 1851 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 1852 return false 1853 } 1854 } 1855 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 1856 } 1857 1858 type newSessionTicketMsg struct { 1859 raw []byte 1860 ticket []byte 1861 } 1862 1863 func (m *newSessionTicketMsg) marshal() ([]byte, error) { 1864 if m.raw != nil { 1865 return m.raw, nil 1866 } 1867 1868 // See RFC 5077, Section 3.3. 1869 ticketLen := len(m.ticket) 1870 length := 2 + 4 + ticketLen 1871 x := make([]byte, 4+length) 1872 x[0] = typeNewSessionTicket 1873 x[1] = uint8(length >> 16) 1874 x[2] = uint8(length >> 8) 1875 x[3] = uint8(length) 1876 x[8] = uint8(ticketLen >> 8) 1877 x[9] = uint8(ticketLen) 1878 copy(x[10:], m.ticket) 1879 1880 m.raw = x 1881 1882 return m.raw, nil 1883 } 1884 1885 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1886 m.raw = data 1887 1888 if len(data) < 10 { 1889 return false 1890 } 1891 1892 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1893 if uint32(len(data))-4 != length { 1894 return false 1895 } 1896 1897 ticketLen := int(data[8])<<8 + int(data[9]) 1898 if len(data)-10 != ticketLen { 1899 return false 1900 } 1901 1902 m.ticket = data[10:] 1903 1904 return true 1905 } 1906 1907 type helloRequestMsg struct { 1908 } 1909 1910 func (*helloRequestMsg) marshal() ([]byte, error) { 1911 return []byte{typeHelloRequest, 0, 0, 0}, nil 1912 } 1913 1914 func (*helloRequestMsg) unmarshal(data []byte) bool { 1915 return len(data) == 4 1916 } 1917 1918 type transcriptHash interface { 1919 Write([]byte) (int, error) 1920 } 1921 1922 // transcriptMsg is a helper used to marshal and hash messages which typically 1923 // are not written to the wire, and as such aren't hashed during Conn.writeRecord. 1924 func transcriptMsg(msg handshakeMessage, h transcriptHash) error { 1925 data, err := msg.marshal() 1926 if err != nil { 1927 return err 1928 } 1929 h.Write(data) 1930 return nil 1931 }