github.com/gocuntian/go@v0.0.0-20160610041250-fee02d270bf8/src/crypto/tls/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import "bytes" 8 9 type clientHelloMsg struct { 10 raw []byte 11 vers uint16 12 random []byte 13 sessionId []byte 14 cipherSuites []uint16 15 compressionMethods []uint8 16 nextProtoNeg bool 17 serverName string 18 ocspStapling bool 19 scts bool 20 supportedCurves []CurveID 21 supportedPoints []uint8 22 ticketSupported bool 23 sessionTicket []uint8 24 signatureAndHashes []signatureAndHash 25 secureRenegotiation []byte 26 secureRenegotiationSupported bool 27 alpnProtocols []string 28 } 29 30 func (m *clientHelloMsg) equal(i interface{}) bool { 31 m1, ok := i.(*clientHelloMsg) 32 if !ok { 33 return false 34 } 35 36 return bytes.Equal(m.raw, m1.raw) && 37 m.vers == m1.vers && 38 bytes.Equal(m.random, m1.random) && 39 bytes.Equal(m.sessionId, m1.sessionId) && 40 eqUint16s(m.cipherSuites, m1.cipherSuites) && 41 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 42 m.nextProtoNeg == m1.nextProtoNeg && 43 m.serverName == m1.serverName && 44 m.ocspStapling == m1.ocspStapling && 45 m.scts == m1.scts && 46 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 47 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 48 m.ticketSupported == m1.ticketSupported && 49 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 50 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) && 51 m.secureRenegotiationSupported == m1.secureRenegotiationSupported && 52 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 53 eqStrings(m.alpnProtocols, m1.alpnProtocols) 54 } 55 56 func (m *clientHelloMsg) marshal() []byte { 57 if m.raw != nil { 58 return m.raw 59 } 60 61 length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods) 62 numExtensions := 0 63 extensionsLength := 0 64 if m.nextProtoNeg { 65 numExtensions++ 66 } 67 if m.ocspStapling { 68 extensionsLength += 1 + 2 + 2 69 numExtensions++ 70 } 71 if len(m.serverName) > 0 { 72 extensionsLength += 5 + len(m.serverName) 73 numExtensions++ 74 } 75 if len(m.supportedCurves) > 0 { 76 extensionsLength += 2 + 2*len(m.supportedCurves) 77 numExtensions++ 78 } 79 if len(m.supportedPoints) > 0 { 80 extensionsLength += 1 + len(m.supportedPoints) 81 numExtensions++ 82 } 83 if m.ticketSupported { 84 extensionsLength += len(m.sessionTicket) 85 numExtensions++ 86 } 87 if len(m.signatureAndHashes) > 0 { 88 extensionsLength += 2 + 2*len(m.signatureAndHashes) 89 numExtensions++ 90 } 91 if m.secureRenegotiationSupported { 92 extensionsLength += 1 + len(m.secureRenegotiation) 93 numExtensions++ 94 } 95 if len(m.alpnProtocols) > 0 { 96 extensionsLength += 2 97 for _, s := range m.alpnProtocols { 98 if l := len(s); l == 0 || l > 255 { 99 panic("invalid ALPN protocol") 100 } 101 extensionsLength++ 102 extensionsLength += len(s) 103 } 104 numExtensions++ 105 } 106 if m.scts { 107 numExtensions++ 108 } 109 if numExtensions > 0 { 110 extensionsLength += 4 * numExtensions 111 length += 2 + extensionsLength 112 } 113 114 x := make([]byte, 4+length) 115 x[0] = typeClientHello 116 x[1] = uint8(length >> 16) 117 x[2] = uint8(length >> 8) 118 x[3] = uint8(length) 119 x[4] = uint8(m.vers >> 8) 120 x[5] = uint8(m.vers) 121 copy(x[6:38], m.random) 122 x[38] = uint8(len(m.sessionId)) 123 copy(x[39:39+len(m.sessionId)], m.sessionId) 124 y := x[39+len(m.sessionId):] 125 y[0] = uint8(len(m.cipherSuites) >> 7) 126 y[1] = uint8(len(m.cipherSuites) << 1) 127 for i, suite := range m.cipherSuites { 128 y[2+i*2] = uint8(suite >> 8) 129 y[3+i*2] = uint8(suite) 130 } 131 z := y[2+len(m.cipherSuites)*2:] 132 z[0] = uint8(len(m.compressionMethods)) 133 copy(z[1:], m.compressionMethods) 134 135 z = z[1+len(m.compressionMethods):] 136 if numExtensions > 0 { 137 z[0] = byte(extensionsLength >> 8) 138 z[1] = byte(extensionsLength) 139 z = z[2:] 140 } 141 if m.nextProtoNeg { 142 z[0] = byte(extensionNextProtoNeg >> 8) 143 z[1] = byte(extensionNextProtoNeg & 0xff) 144 // The length is always 0 145 z = z[4:] 146 } 147 if len(m.serverName) > 0 { 148 z[0] = byte(extensionServerName >> 8) 149 z[1] = byte(extensionServerName & 0xff) 150 l := len(m.serverName) + 5 151 z[2] = byte(l >> 8) 152 z[3] = byte(l) 153 z = z[4:] 154 155 // RFC 3546, section 3.1 156 // 157 // struct { 158 // NameType name_type; 159 // select (name_type) { 160 // case host_name: HostName; 161 // } name; 162 // } ServerName; 163 // 164 // enum { 165 // host_name(0), (255) 166 // } NameType; 167 // 168 // opaque HostName<1..2^16-1>; 169 // 170 // struct { 171 // ServerName server_name_list<1..2^16-1> 172 // } ServerNameList; 173 174 z[0] = byte((len(m.serverName) + 3) >> 8) 175 z[1] = byte(len(m.serverName) + 3) 176 z[3] = byte(len(m.serverName) >> 8) 177 z[4] = byte(len(m.serverName)) 178 copy(z[5:], []byte(m.serverName)) 179 z = z[l:] 180 } 181 if m.ocspStapling { 182 // RFC 4366, section 3.6 183 z[0] = byte(extensionStatusRequest >> 8) 184 z[1] = byte(extensionStatusRequest) 185 z[2] = 0 186 z[3] = 5 187 z[4] = 1 // OCSP type 188 // Two zero valued uint16s for the two lengths. 189 z = z[9:] 190 } 191 if len(m.supportedCurves) > 0 { 192 // http://tools.ietf.org/html/rfc4492#section-5.5.1 193 z[0] = byte(extensionSupportedCurves >> 8) 194 z[1] = byte(extensionSupportedCurves) 195 l := 2 + 2*len(m.supportedCurves) 196 z[2] = byte(l >> 8) 197 z[3] = byte(l) 198 l -= 2 199 z[4] = byte(l >> 8) 200 z[5] = byte(l) 201 z = z[6:] 202 for _, curve := range m.supportedCurves { 203 z[0] = byte(curve >> 8) 204 z[1] = byte(curve) 205 z = z[2:] 206 } 207 } 208 if len(m.supportedPoints) > 0 { 209 // http://tools.ietf.org/html/rfc4492#section-5.5.2 210 z[0] = byte(extensionSupportedPoints >> 8) 211 z[1] = byte(extensionSupportedPoints) 212 l := 1 + len(m.supportedPoints) 213 z[2] = byte(l >> 8) 214 z[3] = byte(l) 215 l-- 216 z[4] = byte(l) 217 z = z[5:] 218 for _, pointFormat := range m.supportedPoints { 219 z[0] = pointFormat 220 z = z[1:] 221 } 222 } 223 if m.ticketSupported { 224 // http://tools.ietf.org/html/rfc5077#section-3.2 225 z[0] = byte(extensionSessionTicket >> 8) 226 z[1] = byte(extensionSessionTicket) 227 l := len(m.sessionTicket) 228 z[2] = byte(l >> 8) 229 z[3] = byte(l) 230 z = z[4:] 231 copy(z, m.sessionTicket) 232 z = z[len(m.sessionTicket):] 233 } 234 if len(m.signatureAndHashes) > 0 { 235 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 236 z[0] = byte(extensionSignatureAlgorithms >> 8) 237 z[1] = byte(extensionSignatureAlgorithms) 238 l := 2 + 2*len(m.signatureAndHashes) 239 z[2] = byte(l >> 8) 240 z[3] = byte(l) 241 z = z[4:] 242 243 l -= 2 244 z[0] = byte(l >> 8) 245 z[1] = byte(l) 246 z = z[2:] 247 for _, sigAndHash := range m.signatureAndHashes { 248 z[0] = sigAndHash.hash 249 z[1] = sigAndHash.signature 250 z = z[2:] 251 } 252 } 253 if m.secureRenegotiationSupported { 254 z[0] = byte(extensionRenegotiationInfo >> 8) 255 z[1] = byte(extensionRenegotiationInfo & 0xff) 256 z[2] = 0 257 z[3] = byte(len(m.secureRenegotiation) + 1) 258 z[4] = byte(len(m.secureRenegotiation)) 259 z = z[5:] 260 copy(z, m.secureRenegotiation) 261 z = z[len(m.secureRenegotiation):] 262 } 263 if len(m.alpnProtocols) > 0 { 264 z[0] = byte(extensionALPN >> 8) 265 z[1] = byte(extensionALPN & 0xff) 266 lengths := z[2:] 267 z = z[6:] 268 269 stringsLength := 0 270 for _, s := range m.alpnProtocols { 271 l := len(s) 272 z[0] = byte(l) 273 copy(z[1:], s) 274 z = z[1+l:] 275 stringsLength += 1 + l 276 } 277 278 lengths[2] = byte(stringsLength >> 8) 279 lengths[3] = byte(stringsLength) 280 stringsLength += 2 281 lengths[0] = byte(stringsLength >> 8) 282 lengths[1] = byte(stringsLength) 283 } 284 if m.scts { 285 // https://tools.ietf.org/html/rfc6962#section-3.3.1 286 z[0] = byte(extensionSCT >> 8) 287 z[1] = byte(extensionSCT) 288 // zero uint16 for the zero-length extension_data 289 z = z[4:] 290 } 291 292 m.raw = x 293 294 return x 295 } 296 297 func (m *clientHelloMsg) unmarshal(data []byte) bool { 298 if len(data) < 42 { 299 return false 300 } 301 m.raw = data 302 m.vers = uint16(data[4])<<8 | uint16(data[5]) 303 m.random = data[6:38] 304 sessionIdLen := int(data[38]) 305 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 306 return false 307 } 308 m.sessionId = data[39 : 39+sessionIdLen] 309 data = data[39+sessionIdLen:] 310 if len(data) < 2 { 311 return false 312 } 313 // cipherSuiteLen is the number of bytes of cipher suite numbers. Since 314 // they are uint16s, the number must be even. 315 cipherSuiteLen := int(data[0])<<8 | int(data[1]) 316 if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen { 317 return false 318 } 319 numCipherSuites := cipherSuiteLen / 2 320 m.cipherSuites = make([]uint16, numCipherSuites) 321 for i := 0; i < numCipherSuites; i++ { 322 m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i]) 323 if m.cipherSuites[i] == scsvRenegotiation { 324 m.secureRenegotiationSupported = true 325 } 326 } 327 data = data[2+cipherSuiteLen:] 328 if len(data) < 1 { 329 return false 330 } 331 compressionMethodsLen := int(data[0]) 332 if len(data) < 1+compressionMethodsLen { 333 return false 334 } 335 m.compressionMethods = data[1 : 1+compressionMethodsLen] 336 337 data = data[1+compressionMethodsLen:] 338 339 m.nextProtoNeg = false 340 m.serverName = "" 341 m.ocspStapling = false 342 m.ticketSupported = false 343 m.sessionTicket = nil 344 m.signatureAndHashes = nil 345 m.alpnProtocols = nil 346 m.scts = false 347 348 if len(data) == 0 { 349 // ClientHello is optionally followed by extension data 350 return true 351 } 352 if len(data) < 2 { 353 return false 354 } 355 356 extensionsLength := int(data[0])<<8 | int(data[1]) 357 data = data[2:] 358 if extensionsLength != len(data) { 359 return false 360 } 361 362 for len(data) != 0 { 363 if len(data) < 4 { 364 return false 365 } 366 extension := uint16(data[0])<<8 | uint16(data[1]) 367 length := int(data[2])<<8 | int(data[3]) 368 data = data[4:] 369 if len(data) < length { 370 return false 371 } 372 373 switch extension { 374 case extensionServerName: 375 d := data[:length] 376 if len(d) < 2 { 377 return false 378 } 379 namesLen := int(d[0])<<8 | int(d[1]) 380 d = d[2:] 381 if len(d) != namesLen { 382 return false 383 } 384 for len(d) > 0 { 385 if len(d) < 3 { 386 return false 387 } 388 nameType := d[0] 389 nameLen := int(d[1])<<8 | int(d[2]) 390 d = d[3:] 391 if len(d) < nameLen { 392 return false 393 } 394 if nameType == 0 { 395 m.serverName = string(d[:nameLen]) 396 break 397 } 398 d = d[nameLen:] 399 } 400 case extensionNextProtoNeg: 401 if length > 0 { 402 return false 403 } 404 m.nextProtoNeg = true 405 case extensionStatusRequest: 406 m.ocspStapling = length > 0 && data[0] == statusTypeOCSP 407 case extensionSupportedCurves: 408 // http://tools.ietf.org/html/rfc4492#section-5.5.1 409 if length < 2 { 410 return false 411 } 412 l := int(data[0])<<8 | int(data[1]) 413 if l%2 == 1 || length != l+2 { 414 return false 415 } 416 numCurves := l / 2 417 m.supportedCurves = make([]CurveID, numCurves) 418 d := data[2:] 419 for i := 0; i < numCurves; i++ { 420 m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1]) 421 d = d[2:] 422 } 423 case extensionSupportedPoints: 424 // http://tools.ietf.org/html/rfc4492#section-5.5.2 425 if length < 1 { 426 return false 427 } 428 l := int(data[0]) 429 if length != l+1 { 430 return false 431 } 432 m.supportedPoints = make([]uint8, l) 433 copy(m.supportedPoints, data[1:]) 434 case extensionSessionTicket: 435 // http://tools.ietf.org/html/rfc5077#section-3.2 436 m.ticketSupported = true 437 m.sessionTicket = data[:length] 438 case extensionSignatureAlgorithms: 439 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 440 if length < 2 || length&1 != 0 { 441 return false 442 } 443 l := int(data[0])<<8 | int(data[1]) 444 if l != length-2 { 445 return false 446 } 447 n := l / 2 448 d := data[2:] 449 m.signatureAndHashes = make([]signatureAndHash, n) 450 for i := range m.signatureAndHashes { 451 m.signatureAndHashes[i].hash = d[0] 452 m.signatureAndHashes[i].signature = d[1] 453 d = d[2:] 454 } 455 case extensionRenegotiationInfo: 456 if length == 0 { 457 return false 458 } 459 d := data[:length] 460 l := int(d[0]) 461 d = d[1:] 462 if l != len(d) { 463 return false 464 } 465 466 m.secureRenegotiation = d 467 m.secureRenegotiationSupported = true 468 case extensionALPN: 469 if length < 2 { 470 return false 471 } 472 l := int(data[0])<<8 | int(data[1]) 473 if l != length-2 { 474 return false 475 } 476 d := data[2:length] 477 for len(d) != 0 { 478 stringLen := int(d[0]) 479 d = d[1:] 480 if stringLen == 0 || stringLen > len(d) { 481 return false 482 } 483 m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen])) 484 d = d[stringLen:] 485 } 486 case extensionSCT: 487 m.scts = true 488 if length != 0 { 489 return false 490 } 491 } 492 data = data[length:] 493 } 494 495 return true 496 } 497 498 type serverHelloMsg struct { 499 raw []byte 500 vers uint16 501 random []byte 502 sessionId []byte 503 cipherSuite uint16 504 compressionMethod uint8 505 nextProtoNeg bool 506 nextProtos []string 507 ocspStapling bool 508 scts [][]byte 509 ticketSupported bool 510 secureRenegotiation []byte 511 secureRenegotiationSupported bool 512 alpnProtocol string 513 } 514 515 func (m *serverHelloMsg) equal(i interface{}) bool { 516 m1, ok := i.(*serverHelloMsg) 517 if !ok { 518 return false 519 } 520 521 if len(m.scts) != len(m1.scts) { 522 return false 523 } 524 for i, sct := range m.scts { 525 if !bytes.Equal(sct, m1.scts[i]) { 526 return false 527 } 528 } 529 530 return bytes.Equal(m.raw, m1.raw) && 531 m.vers == m1.vers && 532 bytes.Equal(m.random, m1.random) && 533 bytes.Equal(m.sessionId, m1.sessionId) && 534 m.cipherSuite == m1.cipherSuite && 535 m.compressionMethod == m1.compressionMethod && 536 m.nextProtoNeg == m1.nextProtoNeg && 537 eqStrings(m.nextProtos, m1.nextProtos) && 538 m.ocspStapling == m1.ocspStapling && 539 m.ticketSupported == m1.ticketSupported && 540 m.secureRenegotiationSupported == m1.secureRenegotiationSupported && 541 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 542 m.alpnProtocol == m1.alpnProtocol 543 } 544 545 func (m *serverHelloMsg) marshal() []byte { 546 if m.raw != nil { 547 return m.raw 548 } 549 550 length := 38 + len(m.sessionId) 551 numExtensions := 0 552 extensionsLength := 0 553 554 nextProtoLen := 0 555 if m.nextProtoNeg { 556 numExtensions++ 557 for _, v := range m.nextProtos { 558 nextProtoLen += len(v) 559 } 560 nextProtoLen += len(m.nextProtos) 561 extensionsLength += nextProtoLen 562 } 563 if m.ocspStapling { 564 numExtensions++ 565 } 566 if m.ticketSupported { 567 numExtensions++ 568 } 569 if m.secureRenegotiationSupported { 570 extensionsLength += 1 + len(m.secureRenegotiation) 571 numExtensions++ 572 } 573 if alpnLen := len(m.alpnProtocol); alpnLen > 0 { 574 if alpnLen >= 256 { 575 panic("invalid ALPN protocol") 576 } 577 extensionsLength += 2 + 1 + alpnLen 578 numExtensions++ 579 } 580 sctLen := 0 581 if len(m.scts) > 0 { 582 for _, sct := range m.scts { 583 sctLen += len(sct) + 2 584 } 585 extensionsLength += 2 + sctLen 586 numExtensions++ 587 } 588 589 if numExtensions > 0 { 590 extensionsLength += 4 * numExtensions 591 length += 2 + extensionsLength 592 } 593 594 x := make([]byte, 4+length) 595 x[0] = typeServerHello 596 x[1] = uint8(length >> 16) 597 x[2] = uint8(length >> 8) 598 x[3] = uint8(length) 599 x[4] = uint8(m.vers >> 8) 600 x[5] = uint8(m.vers) 601 copy(x[6:38], m.random) 602 x[38] = uint8(len(m.sessionId)) 603 copy(x[39:39+len(m.sessionId)], m.sessionId) 604 z := x[39+len(m.sessionId):] 605 z[0] = uint8(m.cipherSuite >> 8) 606 z[1] = uint8(m.cipherSuite) 607 z[2] = m.compressionMethod 608 609 z = z[3:] 610 if numExtensions > 0 { 611 z[0] = byte(extensionsLength >> 8) 612 z[1] = byte(extensionsLength) 613 z = z[2:] 614 } 615 if m.nextProtoNeg { 616 z[0] = byte(extensionNextProtoNeg >> 8) 617 z[1] = byte(extensionNextProtoNeg & 0xff) 618 z[2] = byte(nextProtoLen >> 8) 619 z[3] = byte(nextProtoLen) 620 z = z[4:] 621 622 for _, v := range m.nextProtos { 623 l := len(v) 624 if l > 255 { 625 l = 255 626 } 627 z[0] = byte(l) 628 copy(z[1:], []byte(v[0:l])) 629 z = z[1+l:] 630 } 631 } 632 if m.ocspStapling { 633 z[0] = byte(extensionStatusRequest >> 8) 634 z[1] = byte(extensionStatusRequest) 635 z = z[4:] 636 } 637 if m.ticketSupported { 638 z[0] = byte(extensionSessionTicket >> 8) 639 z[1] = byte(extensionSessionTicket) 640 z = z[4:] 641 } 642 if m.secureRenegotiationSupported { 643 z[0] = byte(extensionRenegotiationInfo >> 8) 644 z[1] = byte(extensionRenegotiationInfo & 0xff) 645 z[2] = 0 646 z[3] = byte(len(m.secureRenegotiation) + 1) 647 z[4] = byte(len(m.secureRenegotiation)) 648 z = z[5:] 649 copy(z, m.secureRenegotiation) 650 z = z[len(m.secureRenegotiation):] 651 } 652 if alpnLen := len(m.alpnProtocol); alpnLen > 0 { 653 z[0] = byte(extensionALPN >> 8) 654 z[1] = byte(extensionALPN & 0xff) 655 l := 2 + 1 + alpnLen 656 z[2] = byte(l >> 8) 657 z[3] = byte(l) 658 l -= 2 659 z[4] = byte(l >> 8) 660 z[5] = byte(l) 661 l -= 1 662 z[6] = byte(l) 663 copy(z[7:], []byte(m.alpnProtocol)) 664 z = z[7+alpnLen:] 665 } 666 if sctLen > 0 { 667 z[0] = byte(extensionSCT >> 8) 668 z[1] = byte(extensionSCT) 669 l := sctLen + 2 670 z[2] = byte(l >> 8) 671 z[3] = byte(l) 672 z[4] = byte(sctLen >> 8) 673 z[5] = byte(sctLen) 674 675 z = z[6:] 676 for _, sct := range m.scts { 677 z[0] = byte(len(sct) >> 8) 678 z[1] = byte(len(sct)) 679 copy(z[2:], sct) 680 z = z[len(sct)+2:] 681 } 682 } 683 684 m.raw = x 685 686 return x 687 } 688 689 func (m *serverHelloMsg) unmarshal(data []byte) bool { 690 if len(data) < 42 { 691 return false 692 } 693 m.raw = data 694 m.vers = uint16(data[4])<<8 | uint16(data[5]) 695 m.random = data[6:38] 696 sessionIdLen := int(data[38]) 697 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 698 return false 699 } 700 m.sessionId = data[39 : 39+sessionIdLen] 701 data = data[39+sessionIdLen:] 702 if len(data) < 3 { 703 return false 704 } 705 m.cipherSuite = uint16(data[0])<<8 | uint16(data[1]) 706 m.compressionMethod = data[2] 707 data = data[3:] 708 709 m.nextProtoNeg = false 710 m.nextProtos = nil 711 m.ocspStapling = false 712 m.scts = nil 713 m.ticketSupported = false 714 m.alpnProtocol = "" 715 716 if len(data) == 0 { 717 // ServerHello is optionally followed by extension data 718 return true 719 } 720 if len(data) < 2 { 721 return false 722 } 723 724 extensionsLength := int(data[0])<<8 | int(data[1]) 725 data = data[2:] 726 if len(data) != extensionsLength { 727 return false 728 } 729 730 for len(data) != 0 { 731 if len(data) < 4 { 732 return false 733 } 734 extension := uint16(data[0])<<8 | uint16(data[1]) 735 length := int(data[2])<<8 | int(data[3]) 736 data = data[4:] 737 if len(data) < length { 738 return false 739 } 740 741 switch extension { 742 case extensionNextProtoNeg: 743 m.nextProtoNeg = true 744 d := data[:length] 745 for len(d) > 0 { 746 l := int(d[0]) 747 d = d[1:] 748 if l == 0 || l > len(d) { 749 return false 750 } 751 m.nextProtos = append(m.nextProtos, string(d[:l])) 752 d = d[l:] 753 } 754 case extensionStatusRequest: 755 if length > 0 { 756 return false 757 } 758 m.ocspStapling = true 759 case extensionSessionTicket: 760 if length > 0 { 761 return false 762 } 763 m.ticketSupported = true 764 case extensionRenegotiationInfo: 765 if length == 0 { 766 return false 767 } 768 d := data[:length] 769 l := int(d[0]) 770 d = d[1:] 771 if l != len(d) { 772 return false 773 } 774 775 m.secureRenegotiation = d 776 m.secureRenegotiationSupported = true 777 case extensionALPN: 778 d := data[:length] 779 if len(d) < 3 { 780 return false 781 } 782 l := int(d[0])<<8 | int(d[1]) 783 if l != len(d)-2 { 784 return false 785 } 786 d = d[2:] 787 l = int(d[0]) 788 if l != len(d)-1 { 789 return false 790 } 791 d = d[1:] 792 if len(d) == 0 { 793 // ALPN protocols must not be empty. 794 return false 795 } 796 m.alpnProtocol = string(d) 797 case extensionSCT: 798 d := data[:length] 799 800 if len(d) < 2 { 801 return false 802 } 803 l := int(d[0])<<8 | int(d[1]) 804 d = d[2:] 805 if len(d) != l { 806 return false 807 } 808 if l == 0 { 809 continue 810 } 811 812 m.scts = make([][]byte, 0, 3) 813 for len(d) != 0 { 814 if len(d) < 2 { 815 return false 816 } 817 sctLen := int(d[0])<<8 | int(d[1]) 818 d = d[2:] 819 if len(d) < sctLen { 820 return false 821 } 822 m.scts = append(m.scts, d[:sctLen]) 823 d = d[sctLen:] 824 } 825 } 826 data = data[length:] 827 } 828 829 return true 830 } 831 832 type certificateMsg struct { 833 raw []byte 834 certificates [][]byte 835 } 836 837 func (m *certificateMsg) equal(i interface{}) bool { 838 m1, ok := i.(*certificateMsg) 839 if !ok { 840 return false 841 } 842 843 return bytes.Equal(m.raw, m1.raw) && 844 eqByteSlices(m.certificates, m1.certificates) 845 } 846 847 func (m *certificateMsg) marshal() (x []byte) { 848 if m.raw != nil { 849 return m.raw 850 } 851 852 var i int 853 for _, slice := range m.certificates { 854 i += len(slice) 855 } 856 857 length := 3 + 3*len(m.certificates) + i 858 x = make([]byte, 4+length) 859 x[0] = typeCertificate 860 x[1] = uint8(length >> 16) 861 x[2] = uint8(length >> 8) 862 x[3] = uint8(length) 863 864 certificateOctets := length - 3 865 x[4] = uint8(certificateOctets >> 16) 866 x[5] = uint8(certificateOctets >> 8) 867 x[6] = uint8(certificateOctets) 868 869 y := x[7:] 870 for _, slice := range m.certificates { 871 y[0] = uint8(len(slice) >> 16) 872 y[1] = uint8(len(slice) >> 8) 873 y[2] = uint8(len(slice)) 874 copy(y[3:], slice) 875 y = y[3+len(slice):] 876 } 877 878 m.raw = x 879 return 880 } 881 882 func (m *certificateMsg) unmarshal(data []byte) bool { 883 if len(data) < 7 { 884 return false 885 } 886 887 m.raw = data 888 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 889 if uint32(len(data)) != certsLen+7 { 890 return false 891 } 892 893 numCerts := 0 894 d := data[7:] 895 for certsLen > 0 { 896 if len(d) < 4 { 897 return false 898 } 899 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 900 if uint32(len(d)) < 3+certLen { 901 return false 902 } 903 d = d[3+certLen:] 904 certsLen -= 3 + certLen 905 numCerts++ 906 } 907 908 m.certificates = make([][]byte, numCerts) 909 d = data[7:] 910 for i := 0; i < numCerts; i++ { 911 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 912 m.certificates[i] = d[3 : 3+certLen] 913 d = d[3+certLen:] 914 } 915 916 return true 917 } 918 919 type serverKeyExchangeMsg struct { 920 raw []byte 921 key []byte 922 } 923 924 func (m *serverKeyExchangeMsg) equal(i interface{}) bool { 925 m1, ok := i.(*serverKeyExchangeMsg) 926 if !ok { 927 return false 928 } 929 930 return bytes.Equal(m.raw, m1.raw) && 931 bytes.Equal(m.key, m1.key) 932 } 933 934 func (m *serverKeyExchangeMsg) marshal() []byte { 935 if m.raw != nil { 936 return m.raw 937 } 938 length := len(m.key) 939 x := make([]byte, length+4) 940 x[0] = typeServerKeyExchange 941 x[1] = uint8(length >> 16) 942 x[2] = uint8(length >> 8) 943 x[3] = uint8(length) 944 copy(x[4:], m.key) 945 946 m.raw = x 947 return x 948 } 949 950 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 951 m.raw = data 952 if len(data) < 4 { 953 return false 954 } 955 m.key = data[4:] 956 return true 957 } 958 959 type certificateStatusMsg struct { 960 raw []byte 961 statusType uint8 962 response []byte 963 } 964 965 func (m *certificateStatusMsg) equal(i interface{}) bool { 966 m1, ok := i.(*certificateStatusMsg) 967 if !ok { 968 return false 969 } 970 971 return bytes.Equal(m.raw, m1.raw) && 972 m.statusType == m1.statusType && 973 bytes.Equal(m.response, m1.response) 974 } 975 976 func (m *certificateStatusMsg) marshal() []byte { 977 if m.raw != nil { 978 return m.raw 979 } 980 981 var x []byte 982 if m.statusType == statusTypeOCSP { 983 x = make([]byte, 4+4+len(m.response)) 984 x[0] = typeCertificateStatus 985 l := len(m.response) + 4 986 x[1] = byte(l >> 16) 987 x[2] = byte(l >> 8) 988 x[3] = byte(l) 989 x[4] = statusTypeOCSP 990 991 l -= 4 992 x[5] = byte(l >> 16) 993 x[6] = byte(l >> 8) 994 x[7] = byte(l) 995 copy(x[8:], m.response) 996 } else { 997 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 998 } 999 1000 m.raw = x 1001 return x 1002 } 1003 1004 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1005 m.raw = data 1006 if len(data) < 5 { 1007 return false 1008 } 1009 m.statusType = data[4] 1010 1011 m.response = nil 1012 if m.statusType == statusTypeOCSP { 1013 if len(data) < 8 { 1014 return false 1015 } 1016 respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 1017 if uint32(len(data)) != 4+4+respLen { 1018 return false 1019 } 1020 m.response = data[8:] 1021 } 1022 return true 1023 } 1024 1025 type serverHelloDoneMsg struct{} 1026 1027 func (m *serverHelloDoneMsg) equal(i interface{}) bool { 1028 _, ok := i.(*serverHelloDoneMsg) 1029 return ok 1030 } 1031 1032 func (m *serverHelloDoneMsg) marshal() []byte { 1033 x := make([]byte, 4) 1034 x[0] = typeServerHelloDone 1035 return x 1036 } 1037 1038 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1039 return len(data) == 4 1040 } 1041 1042 type clientKeyExchangeMsg struct { 1043 raw []byte 1044 ciphertext []byte 1045 } 1046 1047 func (m *clientKeyExchangeMsg) equal(i interface{}) bool { 1048 m1, ok := i.(*clientKeyExchangeMsg) 1049 if !ok { 1050 return false 1051 } 1052 1053 return bytes.Equal(m.raw, m1.raw) && 1054 bytes.Equal(m.ciphertext, m1.ciphertext) 1055 } 1056 1057 func (m *clientKeyExchangeMsg) marshal() []byte { 1058 if m.raw != nil { 1059 return m.raw 1060 } 1061 length := len(m.ciphertext) 1062 x := make([]byte, length+4) 1063 x[0] = typeClientKeyExchange 1064 x[1] = uint8(length >> 16) 1065 x[2] = uint8(length >> 8) 1066 x[3] = uint8(length) 1067 copy(x[4:], m.ciphertext) 1068 1069 m.raw = x 1070 return x 1071 } 1072 1073 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1074 m.raw = data 1075 if len(data) < 4 { 1076 return false 1077 } 1078 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1079 if l != len(data)-4 { 1080 return false 1081 } 1082 m.ciphertext = data[4:] 1083 return true 1084 } 1085 1086 type finishedMsg struct { 1087 raw []byte 1088 verifyData []byte 1089 } 1090 1091 func (m *finishedMsg) equal(i interface{}) bool { 1092 m1, ok := i.(*finishedMsg) 1093 if !ok { 1094 return false 1095 } 1096 1097 return bytes.Equal(m.raw, m1.raw) && 1098 bytes.Equal(m.verifyData, m1.verifyData) 1099 } 1100 1101 func (m *finishedMsg) marshal() (x []byte) { 1102 if m.raw != nil { 1103 return m.raw 1104 } 1105 1106 x = make([]byte, 4+len(m.verifyData)) 1107 x[0] = typeFinished 1108 x[3] = byte(len(m.verifyData)) 1109 copy(x[4:], m.verifyData) 1110 m.raw = x 1111 return 1112 } 1113 1114 func (m *finishedMsg) unmarshal(data []byte) bool { 1115 m.raw = data 1116 if len(data) < 4 { 1117 return false 1118 } 1119 m.verifyData = data[4:] 1120 return true 1121 } 1122 1123 type nextProtoMsg struct { 1124 raw []byte 1125 proto string 1126 } 1127 1128 func (m *nextProtoMsg) equal(i interface{}) bool { 1129 m1, ok := i.(*nextProtoMsg) 1130 if !ok { 1131 return false 1132 } 1133 1134 return bytes.Equal(m.raw, m1.raw) && 1135 m.proto == m1.proto 1136 } 1137 1138 func (m *nextProtoMsg) marshal() []byte { 1139 if m.raw != nil { 1140 return m.raw 1141 } 1142 l := len(m.proto) 1143 if l > 255 { 1144 l = 255 1145 } 1146 1147 padding := 32 - (l+2)%32 1148 length := l + padding + 2 1149 x := make([]byte, length+4) 1150 x[0] = typeNextProtocol 1151 x[1] = uint8(length >> 16) 1152 x[2] = uint8(length >> 8) 1153 x[3] = uint8(length) 1154 1155 y := x[4:] 1156 y[0] = byte(l) 1157 copy(y[1:], []byte(m.proto[0:l])) 1158 y = y[1+l:] 1159 y[0] = byte(padding) 1160 1161 m.raw = x 1162 1163 return x 1164 } 1165 1166 func (m *nextProtoMsg) unmarshal(data []byte) bool { 1167 m.raw = data 1168 1169 if len(data) < 5 { 1170 return false 1171 } 1172 data = data[4:] 1173 protoLen := int(data[0]) 1174 data = data[1:] 1175 if len(data) < protoLen { 1176 return false 1177 } 1178 m.proto = string(data[0:protoLen]) 1179 data = data[protoLen:] 1180 1181 if len(data) < 1 { 1182 return false 1183 } 1184 paddingLen := int(data[0]) 1185 data = data[1:] 1186 if len(data) != paddingLen { 1187 return false 1188 } 1189 1190 return true 1191 } 1192 1193 type certificateRequestMsg struct { 1194 raw []byte 1195 // hasSignatureAndHash indicates whether this message includes a list 1196 // of signature and hash functions. This change was introduced with TLS 1197 // 1.2. 1198 hasSignatureAndHash bool 1199 1200 certificateTypes []byte 1201 signatureAndHashes []signatureAndHash 1202 certificateAuthorities [][]byte 1203 } 1204 1205 func (m *certificateRequestMsg) equal(i interface{}) bool { 1206 m1, ok := i.(*certificateRequestMsg) 1207 if !ok { 1208 return false 1209 } 1210 1211 return bytes.Equal(m.raw, m1.raw) && 1212 bytes.Equal(m.certificateTypes, m1.certificateTypes) && 1213 eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) && 1214 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) 1215 } 1216 1217 func (m *certificateRequestMsg) marshal() (x []byte) { 1218 if m.raw != nil { 1219 return m.raw 1220 } 1221 1222 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 1223 length := 1 + len(m.certificateTypes) + 2 1224 casLength := 0 1225 for _, ca := range m.certificateAuthorities { 1226 casLength += 2 + len(ca) 1227 } 1228 length += casLength 1229 1230 if m.hasSignatureAndHash { 1231 length += 2 + 2*len(m.signatureAndHashes) 1232 } 1233 1234 x = make([]byte, 4+length) 1235 x[0] = typeCertificateRequest 1236 x[1] = uint8(length >> 16) 1237 x[2] = uint8(length >> 8) 1238 x[3] = uint8(length) 1239 1240 x[4] = uint8(len(m.certificateTypes)) 1241 1242 copy(x[5:], m.certificateTypes) 1243 y := x[5+len(m.certificateTypes):] 1244 1245 if m.hasSignatureAndHash { 1246 n := len(m.signatureAndHashes) * 2 1247 y[0] = uint8(n >> 8) 1248 y[1] = uint8(n) 1249 y = y[2:] 1250 for _, sigAndHash := range m.signatureAndHashes { 1251 y[0] = sigAndHash.hash 1252 y[1] = sigAndHash.signature 1253 y = y[2:] 1254 } 1255 } 1256 1257 y[0] = uint8(casLength >> 8) 1258 y[1] = uint8(casLength) 1259 y = y[2:] 1260 for _, ca := range m.certificateAuthorities { 1261 y[0] = uint8(len(ca) >> 8) 1262 y[1] = uint8(len(ca)) 1263 y = y[2:] 1264 copy(y, ca) 1265 y = y[len(ca):] 1266 } 1267 1268 m.raw = x 1269 return 1270 } 1271 1272 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1273 m.raw = data 1274 1275 if len(data) < 5 { 1276 return false 1277 } 1278 1279 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1280 if uint32(len(data))-4 != length { 1281 return false 1282 } 1283 1284 numCertTypes := int(data[4]) 1285 data = data[5:] 1286 if numCertTypes == 0 || len(data) <= numCertTypes { 1287 return false 1288 } 1289 1290 m.certificateTypes = make([]byte, numCertTypes) 1291 if copy(m.certificateTypes, data) != numCertTypes { 1292 return false 1293 } 1294 1295 data = data[numCertTypes:] 1296 1297 if m.hasSignatureAndHash { 1298 if len(data) < 2 { 1299 return false 1300 } 1301 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1302 data = data[2:] 1303 if sigAndHashLen&1 != 0 { 1304 return false 1305 } 1306 if len(data) < int(sigAndHashLen) { 1307 return false 1308 } 1309 numSigAndHash := sigAndHashLen / 2 1310 m.signatureAndHashes = make([]signatureAndHash, numSigAndHash) 1311 for i := range m.signatureAndHashes { 1312 m.signatureAndHashes[i].hash = data[0] 1313 m.signatureAndHashes[i].signature = data[1] 1314 data = data[2:] 1315 } 1316 } 1317 1318 if len(data) < 2 { 1319 return false 1320 } 1321 casLength := uint16(data[0])<<8 | uint16(data[1]) 1322 data = data[2:] 1323 if len(data) < int(casLength) { 1324 return false 1325 } 1326 cas := make([]byte, casLength) 1327 copy(cas, data) 1328 data = data[casLength:] 1329 1330 m.certificateAuthorities = nil 1331 for len(cas) > 0 { 1332 if len(cas) < 2 { 1333 return false 1334 } 1335 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1336 cas = cas[2:] 1337 1338 if len(cas) < int(caLen) { 1339 return false 1340 } 1341 1342 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1343 cas = cas[caLen:] 1344 } 1345 1346 return len(data) == 0 1347 } 1348 1349 type certificateVerifyMsg struct { 1350 raw []byte 1351 hasSignatureAndHash bool 1352 signatureAndHash signatureAndHash 1353 signature []byte 1354 } 1355 1356 func (m *certificateVerifyMsg) equal(i interface{}) bool { 1357 m1, ok := i.(*certificateVerifyMsg) 1358 if !ok { 1359 return false 1360 } 1361 1362 return bytes.Equal(m.raw, m1.raw) && 1363 m.hasSignatureAndHash == m1.hasSignatureAndHash && 1364 m.signatureAndHash.hash == m1.signatureAndHash.hash && 1365 m.signatureAndHash.signature == m1.signatureAndHash.signature && 1366 bytes.Equal(m.signature, m1.signature) 1367 } 1368 1369 func (m *certificateVerifyMsg) marshal() (x []byte) { 1370 if m.raw != nil { 1371 return m.raw 1372 } 1373 1374 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 1375 siglength := len(m.signature) 1376 length := 2 + siglength 1377 if m.hasSignatureAndHash { 1378 length += 2 1379 } 1380 x = make([]byte, 4+length) 1381 x[0] = typeCertificateVerify 1382 x[1] = uint8(length >> 16) 1383 x[2] = uint8(length >> 8) 1384 x[3] = uint8(length) 1385 y := x[4:] 1386 if m.hasSignatureAndHash { 1387 y[0] = m.signatureAndHash.hash 1388 y[1] = m.signatureAndHash.signature 1389 y = y[2:] 1390 } 1391 y[0] = uint8(siglength >> 8) 1392 y[1] = uint8(siglength) 1393 copy(y[2:], m.signature) 1394 1395 m.raw = x 1396 1397 return 1398 } 1399 1400 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1401 m.raw = data 1402 1403 if len(data) < 6 { 1404 return false 1405 } 1406 1407 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1408 if uint32(len(data))-4 != length { 1409 return false 1410 } 1411 1412 data = data[4:] 1413 if m.hasSignatureAndHash { 1414 m.signatureAndHash.hash = data[0] 1415 m.signatureAndHash.signature = data[1] 1416 data = data[2:] 1417 } 1418 1419 if len(data) < 2 { 1420 return false 1421 } 1422 siglength := int(data[0])<<8 + int(data[1]) 1423 data = data[2:] 1424 if len(data) != siglength { 1425 return false 1426 } 1427 1428 m.signature = data 1429 1430 return true 1431 } 1432 1433 type newSessionTicketMsg struct { 1434 raw []byte 1435 ticket []byte 1436 } 1437 1438 func (m *newSessionTicketMsg) equal(i interface{}) bool { 1439 m1, ok := i.(*newSessionTicketMsg) 1440 if !ok { 1441 return false 1442 } 1443 1444 return bytes.Equal(m.raw, m1.raw) && 1445 bytes.Equal(m.ticket, m1.ticket) 1446 } 1447 1448 func (m *newSessionTicketMsg) marshal() (x []byte) { 1449 if m.raw != nil { 1450 return m.raw 1451 } 1452 1453 // See http://tools.ietf.org/html/rfc5077#section-3.3 1454 ticketLen := len(m.ticket) 1455 length := 2 + 4 + ticketLen 1456 x = make([]byte, 4+length) 1457 x[0] = typeNewSessionTicket 1458 x[1] = uint8(length >> 16) 1459 x[2] = uint8(length >> 8) 1460 x[3] = uint8(length) 1461 x[8] = uint8(ticketLen >> 8) 1462 x[9] = uint8(ticketLen) 1463 copy(x[10:], m.ticket) 1464 1465 m.raw = x 1466 1467 return 1468 } 1469 1470 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1471 m.raw = data 1472 1473 if len(data) < 10 { 1474 return false 1475 } 1476 1477 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1478 if uint32(len(data))-4 != length { 1479 return false 1480 } 1481 1482 ticketLen := int(data[8])<<8 + int(data[9]) 1483 if len(data)-10 != ticketLen { 1484 return false 1485 } 1486 1487 m.ticket = data[10:] 1488 1489 return true 1490 } 1491 1492 type helloRequestMsg struct { 1493 } 1494 1495 func (*helloRequestMsg) marshal() []byte { 1496 return []byte{typeHelloRequest, 0, 0, 0} 1497 } 1498 1499 func (*helloRequestMsg) unmarshal(data []byte) bool { 1500 return len(data) == 4 1501 } 1502 1503 func eqUint16s(x, y []uint16) bool { 1504 if len(x) != len(y) { 1505 return false 1506 } 1507 for i, v := range x { 1508 if y[i] != v { 1509 return false 1510 } 1511 } 1512 return true 1513 } 1514 1515 func eqCurveIDs(x, y []CurveID) bool { 1516 if len(x) != len(y) { 1517 return false 1518 } 1519 for i, v := range x { 1520 if y[i] != v { 1521 return false 1522 } 1523 } 1524 return true 1525 } 1526 1527 func eqStrings(x, y []string) bool { 1528 if len(x) != len(y) { 1529 return false 1530 } 1531 for i, v := range x { 1532 if y[i] != v { 1533 return false 1534 } 1535 } 1536 return true 1537 } 1538 1539 func eqByteSlices(x, y [][]byte) bool { 1540 if len(x) != len(y) { 1541 return false 1542 } 1543 for i, v := range x { 1544 if !bytes.Equal(v, y[i]) { 1545 return false 1546 } 1547 } 1548 return true 1549 } 1550 1551 func eqSignatureAndHashes(x, y []signatureAndHash) bool { 1552 if len(x) != len(y) { 1553 return false 1554 } 1555 for i, v := range x { 1556 v2 := y[i] 1557 if v.hash != v2.hash || v.signature != v2.signature { 1558 return false 1559 } 1560 } 1561 return true 1562 }