github.com/JimmyHuang454/JLS-go@v0.0.0-20230831150107-90d536585ba0/tls/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "errors" 9 "fmt" 10 "strings" 11 12 "golang.org/x/crypto/cryptobyte" 13 ) 14 15 // The marshalingFunction type is an adapter to allow the use of ordinary 16 // functions as cryptobyte.MarshalingValue. 17 type marshalingFunction func(b *cryptobyte.Builder) error 18 19 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 20 return f(b) 21 } 22 23 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 24 // the length of the sequence is not the value specified, it produces an error. 25 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 26 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 27 if len(v) != n { 28 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 29 } 30 b.AddBytes(v) 31 return nil 32 })) 33 } 34 35 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 36 func addUint64(b *cryptobyte.Builder, v uint64) { 37 b.AddUint32(uint32(v >> 32)) 38 b.AddUint32(uint32(v)) 39 } 40 41 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 42 // It reports whether the read was successful. 43 func readUint64(s *cryptobyte.String, out *uint64) bool { 44 var hi, lo uint32 45 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 46 return false 47 } 48 *out = uint64(hi)<<32 | uint64(lo) 49 return true 50 } 51 52 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 53 // []byte instead of a cryptobyte.String. 54 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 55 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 56 } 57 58 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 59 // []byte instead of a cryptobyte.String. 60 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 61 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 62 } 63 64 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 65 // []byte instead of a cryptobyte.String. 66 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 67 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 68 } 69 70 type clientHelloMsg struct { 71 raw []byte 72 vers uint16 73 random []byte 74 sessionId []byte 75 cipherSuites []uint16 76 compressionMethods []uint8 77 serverName string 78 ocspStapling bool 79 supportedCurves []CurveID 80 supportedPoints []uint8 81 ticketSupported bool 82 sessionTicket []uint8 83 supportedSignatureAlgorithms []SignatureScheme 84 supportedSignatureAlgorithmsCert []SignatureScheme 85 secureRenegotiationSupported bool 86 secureRenegotiation []byte 87 extendedMasterSecret bool 88 alpnProtocols []string 89 scts bool 90 supportedVersions []uint16 91 cookie []byte 92 keyShares []keyShare 93 earlyData bool 94 pskModes []uint8 95 pskIdentities []pskIdentity 96 pskBinders [][]byte 97 quicTransportParameters []byte 98 } 99 100 func (m *clientHelloMsg) marshal() ([]byte, error) { 101 if m.raw != nil { 102 return m.raw, nil 103 } 104 105 var exts cryptobyte.Builder 106 if len(m.serverName) > 0 { 107 // RFC 6066, Section 3 108 exts.AddUint16(extensionServerName) 109 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 110 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 111 exts.AddUint8(0) // name_type = host_name 112 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 113 exts.AddBytes([]byte(m.serverName)) 114 }) 115 }) 116 }) 117 } 118 if m.ocspStapling { 119 // RFC 4366, Section 3.6 120 exts.AddUint16(extensionStatusRequest) 121 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 122 exts.AddUint8(1) // status_type = ocsp 123 exts.AddUint16(0) // empty responder_id_list 124 exts.AddUint16(0) // empty request_extensions 125 }) 126 } 127 if len(m.supportedCurves) > 0 { 128 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 129 exts.AddUint16(extensionSupportedCurves) 130 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 131 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 132 for _, curve := range m.supportedCurves { 133 exts.AddUint16(uint16(curve)) 134 } 135 }) 136 }) 137 } 138 if len(m.supportedPoints) > 0 { 139 // RFC 4492, Section 5.1.2 140 exts.AddUint16(extensionSupportedPoints) 141 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 142 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 143 exts.AddBytes(m.supportedPoints) 144 }) 145 }) 146 } 147 if m.ticketSupported { 148 // RFC 5077, Section 3.2 149 exts.AddUint16(extensionSessionTicket) 150 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 151 exts.AddBytes(m.sessionTicket) 152 }) 153 } 154 if len(m.supportedSignatureAlgorithms) > 0 { 155 // RFC 5246, Section 7.4.1.4.1 156 exts.AddUint16(extensionSignatureAlgorithms) 157 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 158 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 159 for _, sigAlgo := range m.supportedSignatureAlgorithms { 160 exts.AddUint16(uint16(sigAlgo)) 161 } 162 }) 163 }) 164 } 165 if len(m.supportedSignatureAlgorithmsCert) > 0 { 166 // RFC 8446, Section 4.2.3 167 exts.AddUint16(extensionSignatureAlgorithmsCert) 168 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 169 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 170 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 171 exts.AddUint16(uint16(sigAlgo)) 172 } 173 }) 174 }) 175 } 176 if m.secureRenegotiationSupported { 177 // RFC 5746, Section 3.2 178 exts.AddUint16(extensionRenegotiationInfo) 179 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 180 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 181 exts.AddBytes(m.secureRenegotiation) 182 }) 183 }) 184 } 185 if m.extendedMasterSecret { 186 // RFC 7627 187 exts.AddUint16(extensionExtendedMasterSecret) 188 exts.AddUint16(0) // empty extension_data 189 } 190 if len(m.alpnProtocols) > 0 { 191 // RFC 7301, Section 3.1 192 exts.AddUint16(extensionALPN) 193 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 194 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 195 for _, proto := range m.alpnProtocols { 196 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 197 exts.AddBytes([]byte(proto)) 198 }) 199 } 200 }) 201 }) 202 } 203 if m.scts { 204 // RFC 6962, Section 3.3.1 205 exts.AddUint16(extensionSCT) 206 exts.AddUint16(0) // empty extension_data 207 } 208 if len(m.supportedVersions) > 0 { 209 // RFC 8446, Section 4.2.1 210 exts.AddUint16(extensionSupportedVersions) 211 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 212 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 213 for _, vers := range m.supportedVersions { 214 exts.AddUint16(vers) 215 } 216 }) 217 }) 218 } 219 if len(m.cookie) > 0 { 220 // RFC 8446, Section 4.2.2 221 exts.AddUint16(extensionCookie) 222 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 223 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 224 exts.AddBytes(m.cookie) 225 }) 226 }) 227 } 228 if len(m.keyShares) > 0 { 229 // RFC 8446, Section 4.2.8 230 exts.AddUint16(extensionKeyShare) 231 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 232 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 233 for _, ks := range m.keyShares { 234 exts.AddUint16(uint16(ks.group)) 235 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 236 exts.AddBytes(ks.data) 237 }) 238 } 239 }) 240 }) 241 } 242 if m.earlyData { 243 // RFC 8446, Section 4.2.10 244 exts.AddUint16(extensionEarlyData) 245 exts.AddUint16(0) // empty extension_data 246 } 247 if len(m.pskModes) > 0 { 248 // RFC 8446, Section 4.2.9 249 exts.AddUint16(extensionPSKModes) 250 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 251 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 252 exts.AddBytes(m.pskModes) 253 }) 254 }) 255 } 256 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 257 // RFC 9001, Section 8.2 258 exts.AddUint16(extensionQUICTransportParameters) 259 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 260 exts.AddBytes(m.quicTransportParameters) 261 }) 262 } 263 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 264 // RFC 8446, Section 4.2.11 265 exts.AddUint16(extensionPreSharedKey) 266 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 267 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 268 for _, psk := range m.pskIdentities { 269 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 270 exts.AddBytes(psk.label) 271 }) 272 exts.AddUint32(psk.obfuscatedTicketAge) 273 } 274 }) 275 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 276 for _, binder := range m.pskBinders { 277 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 278 exts.AddBytes(binder) 279 }) 280 } 281 }) 282 }) 283 } 284 extBytes, err := exts.Bytes() 285 if err != nil { 286 return nil, err 287 } 288 289 var b cryptobyte.Builder 290 b.AddUint8(typeClientHello) 291 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 292 b.AddUint16(m.vers) 293 addBytesWithLength(b, m.random, 32) 294 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 295 b.AddBytes(m.sessionId) 296 }) 297 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 298 for _, suite := range m.cipherSuites { 299 b.AddUint16(suite) 300 } 301 }) 302 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 303 b.AddBytes(m.compressionMethods) 304 }) 305 306 if len(extBytes) > 0 { 307 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 308 b.AddBytes(extBytes) 309 }) 310 } 311 }) 312 313 m.raw, err = b.Bytes() 314 return m.raw, err 315 } 316 317 // marshalWithoutBinders returns the ClientHello through the 318 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 319 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 320 func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) { 321 bindersLen := 2 // uint16 length prefix 322 for _, binder := range m.pskBinders { 323 bindersLen += 1 // uint8 length prefix 324 bindersLen += len(binder) 325 } 326 327 fullMessage, err := m.marshal() 328 if err != nil { 329 return nil, err 330 } 331 return fullMessage[:len(fullMessage)-bindersLen], nil 332 } 333 334 // updateBinders updates the m.pskBinders field, if necessary updating the 335 // cached marshaled representation. The supplied binders must have the same 336 // length as the current m.pskBinders. 337 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error { 338 if len(pskBinders) != len(m.pskBinders) { 339 return errors.New("tls: internal error: pskBinders length mismatch") 340 } 341 for i := range m.pskBinders { 342 if len(pskBinders[i]) != len(m.pskBinders[i]) { 343 return errors.New("tls: internal error: pskBinders length mismatch") 344 } 345 } 346 m.pskBinders = pskBinders 347 if m.raw != nil { 348 helloBytes, err := m.marshalWithoutBinders() 349 if err != nil { 350 return err 351 } 352 lenWithoutBinders := len(helloBytes) 353 b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders]) 354 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 355 for _, binder := range m.pskBinders { 356 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 357 b.AddBytes(binder) 358 }) 359 } 360 }) 361 if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) { 362 return errors.New("tls: internal error: failed to update binders") 363 } 364 } 365 366 return nil 367 } 368 369 func (m *clientHelloMsg) unmarshal(data []byte) bool { 370 *m = clientHelloMsg{raw: data} 371 s := cryptobyte.String(data) 372 373 if !s.Skip(4) || // message type and uint24 length field 374 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 375 !readUint8LengthPrefixed(&s, &m.sessionId) { 376 return false 377 } 378 379 var cipherSuites cryptobyte.String 380 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 381 return false 382 } 383 m.cipherSuites = []uint16{} 384 m.secureRenegotiationSupported = false 385 for !cipherSuites.Empty() { 386 var suite uint16 387 if !cipherSuites.ReadUint16(&suite) { 388 return false 389 } 390 if suite == scsvRenegotiation { 391 m.secureRenegotiationSupported = true 392 } 393 m.cipherSuites = append(m.cipherSuites, suite) 394 } 395 396 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 397 return false 398 } 399 400 if s.Empty() { 401 // ClientHello is optionally followed by extension data 402 return true 403 } 404 405 var extensions cryptobyte.String 406 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 407 return false 408 } 409 410 seenExts := make(map[uint16]bool) 411 for !extensions.Empty() { 412 var extension uint16 413 var extData cryptobyte.String 414 if !extensions.ReadUint16(&extension) || 415 !extensions.ReadUint16LengthPrefixed(&extData) { 416 return false 417 } 418 419 if seenExts[extension] { 420 return false 421 } 422 seenExts[extension] = true 423 424 switch extension { 425 case extensionServerName: 426 // RFC 6066, Section 3 427 var nameList cryptobyte.String 428 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 429 return false 430 } 431 for !nameList.Empty() { 432 var nameType uint8 433 var serverName cryptobyte.String 434 if !nameList.ReadUint8(&nameType) || 435 !nameList.ReadUint16LengthPrefixed(&serverName) || 436 serverName.Empty() { 437 return false 438 } 439 if nameType != 0 { 440 continue 441 } 442 if len(m.serverName) != 0 { 443 // Multiple names of the same name_type are prohibited. 444 return false 445 } 446 m.serverName = string(serverName) 447 // An SNI value may not include a trailing dot. 448 if strings.HasSuffix(m.serverName, ".") { 449 return false 450 } 451 } 452 case extensionStatusRequest: 453 // RFC 4366, Section 3.6 454 var statusType uint8 455 var ignored cryptobyte.String 456 if !extData.ReadUint8(&statusType) || 457 !extData.ReadUint16LengthPrefixed(&ignored) || 458 !extData.ReadUint16LengthPrefixed(&ignored) { 459 return false 460 } 461 m.ocspStapling = statusType == statusTypeOCSP 462 case extensionSupportedCurves: 463 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 464 var curves cryptobyte.String 465 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 466 return false 467 } 468 for !curves.Empty() { 469 var curve uint16 470 if !curves.ReadUint16(&curve) { 471 return false 472 } 473 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 474 } 475 case extensionSupportedPoints: 476 // RFC 4492, Section 5.1.2 477 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 478 len(m.supportedPoints) == 0 { 479 return false 480 } 481 case extensionSessionTicket: 482 // RFC 5077, Section 3.2 483 m.ticketSupported = true 484 extData.ReadBytes(&m.sessionTicket, len(extData)) 485 case extensionSignatureAlgorithms: 486 // RFC 5246, Section 7.4.1.4.1 487 var sigAndAlgs cryptobyte.String 488 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 489 return false 490 } 491 for !sigAndAlgs.Empty() { 492 var sigAndAlg uint16 493 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 494 return false 495 } 496 m.supportedSignatureAlgorithms = append( 497 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 498 } 499 case extensionSignatureAlgorithmsCert: 500 // RFC 8446, Section 4.2.3 501 var sigAndAlgs cryptobyte.String 502 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 503 return false 504 } 505 for !sigAndAlgs.Empty() { 506 var sigAndAlg uint16 507 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 508 return false 509 } 510 m.supportedSignatureAlgorithmsCert = append( 511 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 512 } 513 case extensionRenegotiationInfo: 514 // RFC 5746, Section 3.2 515 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 516 return false 517 } 518 m.secureRenegotiationSupported = true 519 case extensionExtendedMasterSecret: 520 // RFC 7627 521 m.extendedMasterSecret = true 522 case extensionALPN: 523 // RFC 7301, Section 3.1 524 var protoList cryptobyte.String 525 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 526 return false 527 } 528 for !protoList.Empty() { 529 var proto cryptobyte.String 530 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 531 return false 532 } 533 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 534 } 535 case extensionSCT: 536 // RFC 6962, Section 3.3.1 537 m.scts = true 538 case extensionSupportedVersions: 539 // RFC 8446, Section 4.2.1 540 var versList cryptobyte.String 541 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 542 return false 543 } 544 for !versList.Empty() { 545 var vers uint16 546 if !versList.ReadUint16(&vers) { 547 return false 548 } 549 m.supportedVersions = append(m.supportedVersions, vers) 550 } 551 case extensionCookie: 552 // RFC 8446, Section 4.2.2 553 if !readUint16LengthPrefixed(&extData, &m.cookie) || 554 len(m.cookie) == 0 { 555 return false 556 } 557 case extensionKeyShare: 558 // RFC 8446, Section 4.2.8 559 var clientShares cryptobyte.String 560 if !extData.ReadUint16LengthPrefixed(&clientShares) { 561 return false 562 } 563 for !clientShares.Empty() { 564 var ks keyShare 565 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 566 !readUint16LengthPrefixed(&clientShares, &ks.data) || 567 len(ks.data) == 0 { 568 return false 569 } 570 m.keyShares = append(m.keyShares, ks) 571 } 572 case extensionEarlyData: 573 // RFC 8446, Section 4.2.10 574 m.earlyData = true 575 case extensionPSKModes: 576 // RFC 8446, Section 4.2.9 577 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 578 return false 579 } 580 case extensionQUICTransportParameters: 581 m.quicTransportParameters = make([]byte, len(extData)) 582 if !extData.CopyBytes(m.quicTransportParameters) { 583 return false 584 } 585 case extensionPreSharedKey: 586 // RFC 8446, Section 4.2.11 587 if !extensions.Empty() { 588 return false // pre_shared_key must be the last extension 589 } 590 var identities cryptobyte.String 591 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 592 return false 593 } 594 for !identities.Empty() { 595 var psk pskIdentity 596 if !readUint16LengthPrefixed(&identities, &psk.label) || 597 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 598 len(psk.label) == 0 { 599 return false 600 } 601 m.pskIdentities = append(m.pskIdentities, psk) 602 } 603 var binders cryptobyte.String 604 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 605 return false 606 } 607 for !binders.Empty() { 608 var binder []byte 609 if !readUint8LengthPrefixed(&binders, &binder) || 610 len(binder) == 0 { 611 return false 612 } 613 m.pskBinders = append(m.pskBinders, binder) 614 } 615 default: 616 // Ignore unknown extensions. 617 continue 618 } 619 620 if !extData.Empty() { 621 return false 622 } 623 } 624 625 return true 626 } 627 628 type serverHelloMsg struct { 629 raw []byte 630 vers uint16 631 random []byte 632 sessionId []byte 633 cipherSuite uint16 634 compressionMethod uint8 635 ocspStapling bool 636 ticketSupported bool 637 secureRenegotiationSupported bool 638 secureRenegotiation []byte 639 extendedMasterSecret bool 640 alpnProtocol string 641 scts [][]byte 642 supportedVersion uint16 643 serverShare keyShare 644 selectedIdentityPresent bool 645 selectedIdentity uint16 646 supportedPoints []uint8 647 648 // HelloRetryRequest extensions 649 cookie []byte 650 selectedGroup CurveID 651 } 652 653 func (m *serverHelloMsg) marshal() ([]byte, error) { 654 if m.raw != nil { 655 return m.raw, nil 656 } 657 658 var exts cryptobyte.Builder 659 if m.ocspStapling { 660 exts.AddUint16(extensionStatusRequest) 661 exts.AddUint16(0) // empty extension_data 662 } 663 if m.ticketSupported { 664 exts.AddUint16(extensionSessionTicket) 665 exts.AddUint16(0) // empty extension_data 666 } 667 if m.secureRenegotiationSupported { 668 exts.AddUint16(extensionRenegotiationInfo) 669 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 670 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 671 exts.AddBytes(m.secureRenegotiation) 672 }) 673 }) 674 } 675 if m.extendedMasterSecret { 676 exts.AddUint16(extensionExtendedMasterSecret) 677 exts.AddUint16(0) // empty extension_data 678 } 679 if len(m.alpnProtocol) > 0 { 680 exts.AddUint16(extensionALPN) 681 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 682 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 683 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 684 exts.AddBytes([]byte(m.alpnProtocol)) 685 }) 686 }) 687 }) 688 } 689 if len(m.scts) > 0 { 690 exts.AddUint16(extensionSCT) 691 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 692 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 693 for _, sct := range m.scts { 694 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 695 exts.AddBytes(sct) 696 }) 697 } 698 }) 699 }) 700 } 701 if m.supportedVersion != 0 { 702 exts.AddUint16(extensionSupportedVersions) 703 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 704 exts.AddUint16(m.supportedVersion) 705 }) 706 } 707 if m.serverShare.group != 0 { 708 exts.AddUint16(extensionKeyShare) 709 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 710 exts.AddUint16(uint16(m.serverShare.group)) 711 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 712 exts.AddBytes(m.serverShare.data) 713 }) 714 }) 715 } 716 if m.selectedIdentityPresent { 717 exts.AddUint16(extensionPreSharedKey) 718 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 719 exts.AddUint16(m.selectedIdentity) 720 }) 721 } 722 723 if len(m.cookie) > 0 { 724 exts.AddUint16(extensionCookie) 725 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 726 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 727 exts.AddBytes(m.cookie) 728 }) 729 }) 730 } 731 if m.selectedGroup != 0 { 732 exts.AddUint16(extensionKeyShare) 733 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 734 exts.AddUint16(uint16(m.selectedGroup)) 735 }) 736 } 737 if len(m.supportedPoints) > 0 { 738 exts.AddUint16(extensionSupportedPoints) 739 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 740 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 741 exts.AddBytes(m.supportedPoints) 742 }) 743 }) 744 } 745 746 extBytes, err := exts.Bytes() 747 if err != nil { 748 return nil, err 749 } 750 751 var b cryptobyte.Builder 752 b.AddUint8(typeServerHello) 753 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 754 b.AddUint16(m.vers) 755 addBytesWithLength(b, m.random, 32) 756 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 757 b.AddBytes(m.sessionId) 758 }) 759 b.AddUint16(m.cipherSuite) 760 b.AddUint8(m.compressionMethod) 761 762 if len(extBytes) > 0 { 763 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 764 b.AddBytes(extBytes) 765 }) 766 } 767 }) 768 769 m.raw, err = b.Bytes() 770 return m.raw, err 771 } 772 773 func (m *serverHelloMsg) unmarshal(data []byte) bool { 774 *m = serverHelloMsg{raw: data} 775 s := cryptobyte.String(data) 776 777 if !s.Skip(4) || // message type and uint24 length field 778 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 779 !readUint8LengthPrefixed(&s, &m.sessionId) || 780 !s.ReadUint16(&m.cipherSuite) || 781 !s.ReadUint8(&m.compressionMethod) { 782 return false 783 } 784 785 if s.Empty() { 786 // ServerHello is optionally followed by extension data 787 return true 788 } 789 790 var extensions cryptobyte.String 791 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 792 return false 793 } 794 795 seenExts := make(map[uint16]bool) 796 for !extensions.Empty() { 797 var extension uint16 798 var extData cryptobyte.String 799 if !extensions.ReadUint16(&extension) || 800 !extensions.ReadUint16LengthPrefixed(&extData) { 801 return false 802 } 803 804 if seenExts[extension] { 805 return false 806 } 807 seenExts[extension] = true 808 809 switch extension { 810 case extensionStatusRequest: 811 m.ocspStapling = true 812 case extensionSessionTicket: 813 m.ticketSupported = true 814 case extensionRenegotiationInfo: 815 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 816 return false 817 } 818 m.secureRenegotiationSupported = true 819 case extensionExtendedMasterSecret: 820 m.extendedMasterSecret = true 821 case extensionALPN: 822 var protoList cryptobyte.String 823 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 824 return false 825 } 826 var proto cryptobyte.String 827 if !protoList.ReadUint8LengthPrefixed(&proto) || 828 proto.Empty() || !protoList.Empty() { 829 return false 830 } 831 m.alpnProtocol = string(proto) 832 case extensionSCT: 833 var sctList cryptobyte.String 834 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 835 return false 836 } 837 for !sctList.Empty() { 838 var sct []byte 839 if !readUint16LengthPrefixed(&sctList, &sct) || 840 len(sct) == 0 { 841 return false 842 } 843 m.scts = append(m.scts, sct) 844 } 845 case extensionSupportedVersions: 846 if !extData.ReadUint16(&m.supportedVersion) { 847 return false 848 } 849 case extensionCookie: 850 if !readUint16LengthPrefixed(&extData, &m.cookie) || 851 len(m.cookie) == 0 { 852 return false 853 } 854 case extensionKeyShare: 855 // This extension has different formats in SH and HRR, accept either 856 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 857 if len(extData) == 2 { 858 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 859 return false 860 } 861 } else { 862 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 863 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 864 return false 865 } 866 } 867 case extensionPreSharedKey: 868 m.selectedIdentityPresent = true 869 if !extData.ReadUint16(&m.selectedIdentity) { 870 return false 871 } 872 case extensionSupportedPoints: 873 // RFC 4492, Section 5.1.2 874 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 875 len(m.supportedPoints) == 0 { 876 return false 877 } 878 default: 879 // Ignore unknown extensions. 880 continue 881 } 882 883 if !extData.Empty() { 884 return false 885 } 886 } 887 888 return true 889 } 890 891 type encryptedExtensionsMsg struct { 892 raw []byte 893 alpnProtocol string 894 quicTransportParameters []byte 895 earlyData bool 896 } 897 898 func (m *encryptedExtensionsMsg) marshal() ([]byte, error) { 899 if m.raw != nil { 900 return m.raw, nil 901 } 902 903 var b cryptobyte.Builder 904 b.AddUint8(typeEncryptedExtensions) 905 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 906 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 907 if len(m.alpnProtocol) > 0 { 908 b.AddUint16(extensionALPN) 909 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 910 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 911 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 912 b.AddBytes([]byte(m.alpnProtocol)) 913 }) 914 }) 915 }) 916 } 917 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 918 // draft-ietf-quic-tls-32, Section 8.2 919 b.AddUint16(extensionQUICTransportParameters) 920 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 921 b.AddBytes(m.quicTransportParameters) 922 }) 923 } 924 if m.earlyData { 925 // RFC 8446, Section 4.2.10 926 b.AddUint16(extensionEarlyData) 927 b.AddUint16(0) // empty extension_data 928 } 929 }) 930 }) 931 932 var err error 933 m.raw, err = b.Bytes() 934 return m.raw, err 935 } 936 937 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 938 *m = encryptedExtensionsMsg{raw: data} 939 s := cryptobyte.String(data) 940 941 var extensions cryptobyte.String 942 if !s.Skip(4) || // message type and uint24 length field 943 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 944 return false 945 } 946 947 for !extensions.Empty() { 948 var extension uint16 949 var extData cryptobyte.String 950 if !extensions.ReadUint16(&extension) || 951 !extensions.ReadUint16LengthPrefixed(&extData) { 952 return false 953 } 954 955 switch extension { 956 case extensionALPN: 957 var protoList cryptobyte.String 958 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 959 return false 960 } 961 var proto cryptobyte.String 962 if !protoList.ReadUint8LengthPrefixed(&proto) || 963 proto.Empty() || !protoList.Empty() { 964 return false 965 } 966 m.alpnProtocol = string(proto) 967 case extensionQUICTransportParameters: 968 m.quicTransportParameters = make([]byte, len(extData)) 969 if !extData.CopyBytes(m.quicTransportParameters) { 970 return false 971 } 972 case extensionEarlyData: 973 // RFC 8446, Section 4.2.10 974 m.earlyData = true 975 default: 976 // Ignore unknown extensions. 977 continue 978 } 979 980 if !extData.Empty() { 981 return false 982 } 983 } 984 985 return true 986 } 987 988 type endOfEarlyDataMsg struct{} 989 990 func (m *endOfEarlyDataMsg) marshal() ([]byte, error) { 991 x := make([]byte, 4) 992 x[0] = typeEndOfEarlyData 993 return x, nil 994 } 995 996 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 997 return len(data) == 4 998 } 999 1000 type keyUpdateMsg struct { 1001 raw []byte 1002 updateRequested bool 1003 } 1004 1005 func (m *keyUpdateMsg) marshal() ([]byte, error) { 1006 if m.raw != nil { 1007 return m.raw, nil 1008 } 1009 1010 var b cryptobyte.Builder 1011 b.AddUint8(typeKeyUpdate) 1012 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1013 if m.updateRequested { 1014 b.AddUint8(1) 1015 } else { 1016 b.AddUint8(0) 1017 } 1018 }) 1019 1020 var err error 1021 m.raw, err = b.Bytes() 1022 return m.raw, err 1023 } 1024 1025 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 1026 m.raw = data 1027 s := cryptobyte.String(data) 1028 1029 var updateRequested uint8 1030 if !s.Skip(4) || // message type and uint24 length field 1031 !s.ReadUint8(&updateRequested) || !s.Empty() { 1032 return false 1033 } 1034 switch updateRequested { 1035 case 0: 1036 m.updateRequested = false 1037 case 1: 1038 m.updateRequested = true 1039 default: 1040 return false 1041 } 1042 return true 1043 } 1044 1045 type newSessionTicketMsgTLS13 struct { 1046 raw []byte 1047 lifetime uint32 1048 ageAdd uint32 1049 nonce []byte 1050 label []byte 1051 maxEarlyData uint32 1052 } 1053 1054 func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) { 1055 if m.raw != nil { 1056 return m.raw, nil 1057 } 1058 1059 var b cryptobyte.Builder 1060 b.AddUint8(typeNewSessionTicket) 1061 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1062 b.AddUint32(m.lifetime) 1063 b.AddUint32(m.ageAdd) 1064 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1065 b.AddBytes(m.nonce) 1066 }) 1067 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1068 b.AddBytes(m.label) 1069 }) 1070 1071 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1072 if m.maxEarlyData > 0 { 1073 b.AddUint16(extensionEarlyData) 1074 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1075 b.AddUint32(m.maxEarlyData) 1076 }) 1077 } 1078 }) 1079 }) 1080 1081 var err error 1082 m.raw, err = b.Bytes() 1083 return m.raw, err 1084 } 1085 1086 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1087 *m = newSessionTicketMsgTLS13{raw: data} 1088 s := cryptobyte.String(data) 1089 1090 var extensions cryptobyte.String 1091 if !s.Skip(4) || // message type and uint24 length field 1092 !s.ReadUint32(&m.lifetime) || 1093 !s.ReadUint32(&m.ageAdd) || 1094 !readUint8LengthPrefixed(&s, &m.nonce) || 1095 !readUint16LengthPrefixed(&s, &m.label) || 1096 !s.ReadUint16LengthPrefixed(&extensions) || 1097 !s.Empty() { 1098 return false 1099 } 1100 1101 for !extensions.Empty() { 1102 var extension uint16 1103 var extData cryptobyte.String 1104 if !extensions.ReadUint16(&extension) || 1105 !extensions.ReadUint16LengthPrefixed(&extData) { 1106 return false 1107 } 1108 1109 switch extension { 1110 case extensionEarlyData: 1111 if !extData.ReadUint32(&m.maxEarlyData) { 1112 return false 1113 } 1114 default: 1115 // Ignore unknown extensions. 1116 continue 1117 } 1118 1119 if !extData.Empty() { 1120 return false 1121 } 1122 } 1123 1124 return true 1125 } 1126 1127 type certificateRequestMsgTLS13 struct { 1128 raw []byte 1129 ocspStapling bool 1130 scts bool 1131 supportedSignatureAlgorithms []SignatureScheme 1132 supportedSignatureAlgorithmsCert []SignatureScheme 1133 certificateAuthorities [][]byte 1134 } 1135 1136 func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) { 1137 if m.raw != nil { 1138 return m.raw, nil 1139 } 1140 1141 var b cryptobyte.Builder 1142 b.AddUint8(typeCertificateRequest) 1143 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1144 // certificate_request_context (SHALL be zero length unless used for 1145 // post-handshake authentication) 1146 b.AddUint8(0) 1147 1148 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1149 if m.ocspStapling { 1150 b.AddUint16(extensionStatusRequest) 1151 b.AddUint16(0) // empty extension_data 1152 } 1153 if m.scts { 1154 // RFC 8446, Section 4.4.2.1 makes no mention of 1155 // signed_certificate_timestamp in CertificateRequest, but 1156 // "Extensions in the Certificate message from the client MUST 1157 // correspond to extensions in the CertificateRequest message 1158 // from the server." and it appears in the table in Section 4.2. 1159 b.AddUint16(extensionSCT) 1160 b.AddUint16(0) // empty extension_data 1161 } 1162 if len(m.supportedSignatureAlgorithms) > 0 { 1163 b.AddUint16(extensionSignatureAlgorithms) 1164 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1165 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1166 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1167 b.AddUint16(uint16(sigAlgo)) 1168 } 1169 }) 1170 }) 1171 } 1172 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1173 b.AddUint16(extensionSignatureAlgorithmsCert) 1174 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1175 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1176 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1177 b.AddUint16(uint16(sigAlgo)) 1178 } 1179 }) 1180 }) 1181 } 1182 if len(m.certificateAuthorities) > 0 { 1183 b.AddUint16(extensionCertificateAuthorities) 1184 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1185 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1186 for _, ca := range m.certificateAuthorities { 1187 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1188 b.AddBytes(ca) 1189 }) 1190 } 1191 }) 1192 }) 1193 } 1194 }) 1195 }) 1196 1197 var err error 1198 m.raw, err = b.Bytes() 1199 return m.raw, err 1200 } 1201 1202 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1203 *m = certificateRequestMsgTLS13{raw: data} 1204 s := cryptobyte.String(data) 1205 1206 var context, extensions cryptobyte.String 1207 if !s.Skip(4) || // message type and uint24 length field 1208 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1209 !s.ReadUint16LengthPrefixed(&extensions) || 1210 !s.Empty() { 1211 return false 1212 } 1213 1214 for !extensions.Empty() { 1215 var extension uint16 1216 var extData cryptobyte.String 1217 if !extensions.ReadUint16(&extension) || 1218 !extensions.ReadUint16LengthPrefixed(&extData) { 1219 return false 1220 } 1221 1222 switch extension { 1223 case extensionStatusRequest: 1224 m.ocspStapling = true 1225 case extensionSCT: 1226 m.scts = true 1227 case extensionSignatureAlgorithms: 1228 var sigAndAlgs cryptobyte.String 1229 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1230 return false 1231 } 1232 for !sigAndAlgs.Empty() { 1233 var sigAndAlg uint16 1234 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1235 return false 1236 } 1237 m.supportedSignatureAlgorithms = append( 1238 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1239 } 1240 case extensionSignatureAlgorithmsCert: 1241 var sigAndAlgs cryptobyte.String 1242 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1243 return false 1244 } 1245 for !sigAndAlgs.Empty() { 1246 var sigAndAlg uint16 1247 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1248 return false 1249 } 1250 m.supportedSignatureAlgorithmsCert = append( 1251 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1252 } 1253 case extensionCertificateAuthorities: 1254 var auths cryptobyte.String 1255 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1256 return false 1257 } 1258 for !auths.Empty() { 1259 var ca []byte 1260 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1261 return false 1262 } 1263 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1264 } 1265 default: 1266 // Ignore unknown extensions. 1267 continue 1268 } 1269 1270 if !extData.Empty() { 1271 return false 1272 } 1273 } 1274 1275 return true 1276 } 1277 1278 type certificateMsg struct { 1279 raw []byte 1280 certificates [][]byte 1281 } 1282 1283 func (m *certificateMsg) marshal() ([]byte, error) { 1284 if m.raw != nil { 1285 return m.raw, nil 1286 } 1287 1288 var i int 1289 for _, slice := range m.certificates { 1290 i += len(slice) 1291 } 1292 1293 length := 3 + 3*len(m.certificates) + i 1294 x := make([]byte, 4+length) 1295 x[0] = typeCertificate 1296 x[1] = uint8(length >> 16) 1297 x[2] = uint8(length >> 8) 1298 x[3] = uint8(length) 1299 1300 certificateOctets := length - 3 1301 x[4] = uint8(certificateOctets >> 16) 1302 x[5] = uint8(certificateOctets >> 8) 1303 x[6] = uint8(certificateOctets) 1304 1305 y := x[7:] 1306 for _, slice := range m.certificates { 1307 y[0] = uint8(len(slice) >> 16) 1308 y[1] = uint8(len(slice) >> 8) 1309 y[2] = uint8(len(slice)) 1310 copy(y[3:], slice) 1311 y = y[3+len(slice):] 1312 } 1313 1314 m.raw = x 1315 return m.raw, nil 1316 } 1317 1318 func (m *certificateMsg) unmarshal(data []byte) bool { 1319 if len(data) < 7 { 1320 return false 1321 } 1322 1323 m.raw = data 1324 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1325 if uint32(len(data)) != certsLen+7 { 1326 return false 1327 } 1328 1329 numCerts := 0 1330 d := data[7:] 1331 for certsLen > 0 { 1332 if len(d) < 4 { 1333 return false 1334 } 1335 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1336 if uint32(len(d)) < 3+certLen { 1337 return false 1338 } 1339 d = d[3+certLen:] 1340 certsLen -= 3 + certLen 1341 numCerts++ 1342 } 1343 1344 m.certificates = make([][]byte, numCerts) 1345 d = data[7:] 1346 for i := 0; i < numCerts; i++ { 1347 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1348 m.certificates[i] = d[3 : 3+certLen] 1349 d = d[3+certLen:] 1350 } 1351 1352 return true 1353 } 1354 1355 type certificateMsgTLS13 struct { 1356 raw []byte 1357 certificate Certificate 1358 ocspStapling bool 1359 scts bool 1360 } 1361 1362 func (m *certificateMsgTLS13) marshal() ([]byte, error) { 1363 if m.raw != nil { 1364 return m.raw, nil 1365 } 1366 1367 var b cryptobyte.Builder 1368 b.AddUint8(typeCertificate) 1369 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1370 b.AddUint8(0) // certificate_request_context 1371 1372 certificate := m.certificate 1373 if !m.ocspStapling { 1374 certificate.OCSPStaple = nil 1375 } 1376 if !m.scts { 1377 certificate.SignedCertificateTimestamps = nil 1378 } 1379 marshalCertificate(b, certificate) 1380 }) 1381 1382 var err error 1383 m.raw, err = b.Bytes() 1384 return m.raw, err 1385 } 1386 1387 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1388 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1389 for i, cert := range certificate.Certificate { 1390 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1391 b.AddBytes(cert) 1392 }) 1393 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1394 if i > 0 { 1395 // This library only supports OCSP and SCT for leaf certificates. 1396 return 1397 } 1398 if certificate.OCSPStaple != nil { 1399 b.AddUint16(extensionStatusRequest) 1400 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1401 b.AddUint8(statusTypeOCSP) 1402 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1403 b.AddBytes(certificate.OCSPStaple) 1404 }) 1405 }) 1406 } 1407 if certificate.SignedCertificateTimestamps != nil { 1408 b.AddUint16(extensionSCT) 1409 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1410 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1411 for _, sct := range certificate.SignedCertificateTimestamps { 1412 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1413 b.AddBytes(sct) 1414 }) 1415 } 1416 }) 1417 }) 1418 } 1419 }) 1420 } 1421 }) 1422 } 1423 1424 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1425 *m = certificateMsgTLS13{raw: data} 1426 s := cryptobyte.String(data) 1427 1428 var context cryptobyte.String 1429 if !s.Skip(4) || // message type and uint24 length field 1430 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1431 !unmarshalCertificate(&s, &m.certificate) || 1432 !s.Empty() { 1433 return false 1434 } 1435 1436 m.scts = m.certificate.SignedCertificateTimestamps != nil 1437 m.ocspStapling = m.certificate.OCSPStaple != nil 1438 1439 return true 1440 } 1441 1442 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1443 var certList cryptobyte.String 1444 if !s.ReadUint24LengthPrefixed(&certList) { 1445 return false 1446 } 1447 for !certList.Empty() { 1448 var cert []byte 1449 var extensions cryptobyte.String 1450 if !readUint24LengthPrefixed(&certList, &cert) || 1451 !certList.ReadUint16LengthPrefixed(&extensions) { 1452 return false 1453 } 1454 certificate.Certificate = append(certificate.Certificate, cert) 1455 for !extensions.Empty() { 1456 var extension uint16 1457 var extData cryptobyte.String 1458 if !extensions.ReadUint16(&extension) || 1459 !extensions.ReadUint16LengthPrefixed(&extData) { 1460 return false 1461 } 1462 if len(certificate.Certificate) > 1 { 1463 // This library only supports OCSP and SCT for leaf certificates. 1464 continue 1465 } 1466 1467 switch extension { 1468 case extensionStatusRequest: 1469 var statusType uint8 1470 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1471 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1472 len(certificate.OCSPStaple) == 0 { 1473 return false 1474 } 1475 case extensionSCT: 1476 var sctList cryptobyte.String 1477 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1478 return false 1479 } 1480 for !sctList.Empty() { 1481 var sct []byte 1482 if !readUint16LengthPrefixed(&sctList, &sct) || 1483 len(sct) == 0 { 1484 return false 1485 } 1486 certificate.SignedCertificateTimestamps = append( 1487 certificate.SignedCertificateTimestamps, sct) 1488 } 1489 default: 1490 // Ignore unknown extensions. 1491 continue 1492 } 1493 1494 if !extData.Empty() { 1495 return false 1496 } 1497 } 1498 } 1499 return true 1500 } 1501 1502 type serverKeyExchangeMsg struct { 1503 raw []byte 1504 key []byte 1505 } 1506 1507 func (m *serverKeyExchangeMsg) marshal() ([]byte, error) { 1508 if m.raw != nil { 1509 return m.raw, nil 1510 } 1511 length := len(m.key) 1512 x := make([]byte, length+4) 1513 x[0] = typeServerKeyExchange 1514 x[1] = uint8(length >> 16) 1515 x[2] = uint8(length >> 8) 1516 x[3] = uint8(length) 1517 copy(x[4:], m.key) 1518 1519 m.raw = x 1520 return x, nil 1521 } 1522 1523 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1524 m.raw = data 1525 if len(data) < 4 { 1526 return false 1527 } 1528 m.key = data[4:] 1529 return true 1530 } 1531 1532 type certificateStatusMsg struct { 1533 raw []byte 1534 response []byte 1535 } 1536 1537 func (m *certificateStatusMsg) marshal() ([]byte, error) { 1538 if m.raw != nil { 1539 return m.raw, nil 1540 } 1541 1542 var b cryptobyte.Builder 1543 b.AddUint8(typeCertificateStatus) 1544 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1545 b.AddUint8(statusTypeOCSP) 1546 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1547 b.AddBytes(m.response) 1548 }) 1549 }) 1550 1551 var err error 1552 m.raw, err = b.Bytes() 1553 return m.raw, err 1554 } 1555 1556 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1557 m.raw = data 1558 s := cryptobyte.String(data) 1559 1560 var statusType uint8 1561 if !s.Skip(4) || // message type and uint24 length field 1562 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1563 !readUint24LengthPrefixed(&s, &m.response) || 1564 len(m.response) == 0 || !s.Empty() { 1565 return false 1566 } 1567 return true 1568 } 1569 1570 type serverHelloDoneMsg struct{} 1571 1572 func (m *serverHelloDoneMsg) marshal() ([]byte, error) { 1573 x := make([]byte, 4) 1574 x[0] = typeServerHelloDone 1575 return x, nil 1576 } 1577 1578 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1579 return len(data) == 4 1580 } 1581 1582 type clientKeyExchangeMsg struct { 1583 raw []byte 1584 ciphertext []byte 1585 } 1586 1587 func (m *clientKeyExchangeMsg) marshal() ([]byte, error) { 1588 if m.raw != nil { 1589 return m.raw, nil 1590 } 1591 length := len(m.ciphertext) 1592 x := make([]byte, length+4) 1593 x[0] = typeClientKeyExchange 1594 x[1] = uint8(length >> 16) 1595 x[2] = uint8(length >> 8) 1596 x[3] = uint8(length) 1597 copy(x[4:], m.ciphertext) 1598 1599 m.raw = x 1600 return x, nil 1601 } 1602 1603 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1604 m.raw = data 1605 if len(data) < 4 { 1606 return false 1607 } 1608 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1609 if l != len(data)-4 { 1610 return false 1611 } 1612 m.ciphertext = data[4:] 1613 return true 1614 } 1615 1616 type finishedMsg struct { 1617 raw []byte 1618 verifyData []byte 1619 } 1620 1621 func (m *finishedMsg) marshal() ([]byte, error) { 1622 if m.raw != nil { 1623 return m.raw, nil 1624 } 1625 1626 var b cryptobyte.Builder 1627 b.AddUint8(typeFinished) 1628 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1629 b.AddBytes(m.verifyData) 1630 }) 1631 1632 var err error 1633 m.raw, err = b.Bytes() 1634 return m.raw, err 1635 } 1636 1637 func (m *finishedMsg) unmarshal(data []byte) bool { 1638 m.raw = data 1639 s := cryptobyte.String(data) 1640 return s.Skip(1) && 1641 readUint24LengthPrefixed(&s, &m.verifyData) && 1642 s.Empty() 1643 } 1644 1645 type certificateRequestMsg struct { 1646 raw []byte 1647 // hasSignatureAlgorithm indicates whether this message includes a list of 1648 // supported signature algorithms. This change was introduced with TLS 1.2. 1649 hasSignatureAlgorithm bool 1650 1651 certificateTypes []byte 1652 supportedSignatureAlgorithms []SignatureScheme 1653 certificateAuthorities [][]byte 1654 } 1655 1656 func (m *certificateRequestMsg) marshal() ([]byte, error) { 1657 if m.raw != nil { 1658 return m.raw, nil 1659 } 1660 1661 // See RFC 4346, Section 7.4.4. 1662 length := 1 + len(m.certificateTypes) + 2 1663 casLength := 0 1664 for _, ca := range m.certificateAuthorities { 1665 casLength += 2 + len(ca) 1666 } 1667 length += casLength 1668 1669 if m.hasSignatureAlgorithm { 1670 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1671 } 1672 1673 x := make([]byte, 4+length) 1674 x[0] = typeCertificateRequest 1675 x[1] = uint8(length >> 16) 1676 x[2] = uint8(length >> 8) 1677 x[3] = uint8(length) 1678 1679 x[4] = uint8(len(m.certificateTypes)) 1680 1681 copy(x[5:], m.certificateTypes) 1682 y := x[5+len(m.certificateTypes):] 1683 1684 if m.hasSignatureAlgorithm { 1685 n := len(m.supportedSignatureAlgorithms) * 2 1686 y[0] = uint8(n >> 8) 1687 y[1] = uint8(n) 1688 y = y[2:] 1689 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1690 y[0] = uint8(sigAlgo >> 8) 1691 y[1] = uint8(sigAlgo) 1692 y = y[2:] 1693 } 1694 } 1695 1696 y[0] = uint8(casLength >> 8) 1697 y[1] = uint8(casLength) 1698 y = y[2:] 1699 for _, ca := range m.certificateAuthorities { 1700 y[0] = uint8(len(ca) >> 8) 1701 y[1] = uint8(len(ca)) 1702 y = y[2:] 1703 copy(y, ca) 1704 y = y[len(ca):] 1705 } 1706 1707 m.raw = x 1708 return m.raw, nil 1709 } 1710 1711 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1712 m.raw = data 1713 1714 if len(data) < 5 { 1715 return false 1716 } 1717 1718 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1719 if uint32(len(data))-4 != length { 1720 return false 1721 } 1722 1723 numCertTypes := int(data[4]) 1724 data = data[5:] 1725 if numCertTypes == 0 || len(data) <= numCertTypes { 1726 return false 1727 } 1728 1729 m.certificateTypes = make([]byte, numCertTypes) 1730 if copy(m.certificateTypes, data) != numCertTypes { 1731 return false 1732 } 1733 1734 data = data[numCertTypes:] 1735 1736 if m.hasSignatureAlgorithm { 1737 if len(data) < 2 { 1738 return false 1739 } 1740 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1741 data = data[2:] 1742 if sigAndHashLen&1 != 0 { 1743 return false 1744 } 1745 if len(data) < int(sigAndHashLen) { 1746 return false 1747 } 1748 numSigAlgos := sigAndHashLen / 2 1749 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 1750 for i := range m.supportedSignatureAlgorithms { 1751 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 1752 data = data[2:] 1753 } 1754 } 1755 1756 if len(data) < 2 { 1757 return false 1758 } 1759 casLength := uint16(data[0])<<8 | uint16(data[1]) 1760 data = data[2:] 1761 if len(data) < int(casLength) { 1762 return false 1763 } 1764 cas := make([]byte, casLength) 1765 copy(cas, data) 1766 data = data[casLength:] 1767 1768 m.certificateAuthorities = nil 1769 for len(cas) > 0 { 1770 if len(cas) < 2 { 1771 return false 1772 } 1773 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1774 cas = cas[2:] 1775 1776 if len(cas) < int(caLen) { 1777 return false 1778 } 1779 1780 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1781 cas = cas[caLen:] 1782 } 1783 1784 return len(data) == 0 1785 } 1786 1787 type certificateVerifyMsg struct { 1788 raw []byte 1789 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 1790 signatureAlgorithm SignatureScheme 1791 signature []byte 1792 } 1793 1794 func (m *certificateVerifyMsg) marshal() ([]byte, error) { 1795 if m.raw != nil { 1796 return m.raw, nil 1797 } 1798 1799 var b cryptobyte.Builder 1800 b.AddUint8(typeCertificateVerify) 1801 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1802 if m.hasSignatureAlgorithm { 1803 b.AddUint16(uint16(m.signatureAlgorithm)) 1804 } 1805 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1806 b.AddBytes(m.signature) 1807 }) 1808 }) 1809 1810 var err error 1811 m.raw, err = b.Bytes() 1812 return m.raw, err 1813 } 1814 1815 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1816 m.raw = data 1817 s := cryptobyte.String(data) 1818 1819 if !s.Skip(4) { // message type and uint24 length field 1820 return false 1821 } 1822 if m.hasSignatureAlgorithm { 1823 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 1824 return false 1825 } 1826 } 1827 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 1828 } 1829 1830 type newSessionTicketMsg struct { 1831 raw []byte 1832 ticket []byte 1833 } 1834 1835 func (m *newSessionTicketMsg) marshal() ([]byte, error) { 1836 if m.raw != nil { 1837 return m.raw, nil 1838 } 1839 1840 // See RFC 5077, Section 3.3. 1841 ticketLen := len(m.ticket) 1842 length := 2 + 4 + ticketLen 1843 x := make([]byte, 4+length) 1844 x[0] = typeNewSessionTicket 1845 x[1] = uint8(length >> 16) 1846 x[2] = uint8(length >> 8) 1847 x[3] = uint8(length) 1848 x[8] = uint8(ticketLen >> 8) 1849 x[9] = uint8(ticketLen) 1850 copy(x[10:], m.ticket) 1851 1852 m.raw = x 1853 1854 return m.raw, nil 1855 } 1856 1857 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1858 m.raw = data 1859 1860 if len(data) < 10 { 1861 return false 1862 } 1863 1864 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1865 if uint32(len(data))-4 != length { 1866 return false 1867 } 1868 1869 ticketLen := int(data[8])<<8 + int(data[9]) 1870 if len(data)-10 != ticketLen { 1871 return false 1872 } 1873 1874 m.ticket = data[10:] 1875 1876 return true 1877 } 1878 1879 type helloRequestMsg struct { 1880 } 1881 1882 func (*helloRequestMsg) marshal() ([]byte, error) { 1883 return []byte{typeHelloRequest, 0, 0, 0}, nil 1884 } 1885 1886 func (*helloRequestMsg) unmarshal(data []byte) bool { 1887 return len(data) == 4 1888 } 1889 1890 type transcriptHash interface { 1891 Write([]byte) (int, error) 1892 } 1893 1894 // transcriptMsg is a helper used to marshal and hash messages which typically 1895 // are not written to the wire, and as such aren't hashed during Conn.writeRecord. 1896 func transcriptMsg(msg handshakeMessage, h transcriptHash) error { 1897 data, err := msg.marshal() 1898 if err != nil { 1899 return err 1900 } 1901 h.Write(data) 1902 return nil 1903 }