github.com/hellobchain/newcryptosm@v0.0.0-20221019060107-edb949a317e9/tls/handshake_messages.go (about) 1 /* 2 Copyright Suzhou Tongji Fintech Research Institute 2017 All Rights Reserved. 3 Licensed under the Apache License, Version 2.0 (the "License"); 4 you may not use this file except in compliance with the License. 5 You may obtain a copy of the License at 6 7 http://www.apache.org/licenses/LICENSE-2.0 8 9 Unless required by applicable law or agreed to in writing, software 10 distributed under the License is distributed on an "AS IS" BASIS, 11 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 See the License for the specific language governing permissions and 13 limitations under the License. 14 */ 15 16 package tls 17 18 import "bytes" 19 20 type clientHelloMsg struct { 21 raw []byte 22 vers uint16 23 random []byte 24 sessionId []byte 25 cipherSuites []uint16 26 compressionMethods []uint8 27 nextProtoNeg bool 28 serverName string 29 ocspStapling bool 30 scts bool 31 supportedCurves []CurveID 32 supportedPoints []uint8 33 ticketSupported bool 34 sessionTicket []uint8 35 signatureAndHashes []signatureAndHash 36 secureRenegotiation []byte 37 secureRenegotiationSupported bool 38 alpnProtocols []string 39 } 40 41 func (m *clientHelloMsg) equal(i interface{}) bool { 42 m1, ok := i.(*clientHelloMsg) 43 if !ok { 44 return false 45 } 46 47 return bytes.Equal(m.raw, m1.raw) && 48 m.vers == m1.vers && 49 bytes.Equal(m.random, m1.random) && 50 bytes.Equal(m.sessionId, m1.sessionId) && 51 eqUint16s(m.cipherSuites, m1.cipherSuites) && 52 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 53 m.nextProtoNeg == m1.nextProtoNeg && 54 m.serverName == m1.serverName && 55 m.ocspStapling == m1.ocspStapling && 56 m.scts == m1.scts && 57 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 58 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 59 m.ticketSupported == m1.ticketSupported && 60 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 61 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) && 62 m.secureRenegotiationSupported == m1.secureRenegotiationSupported && 63 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 64 eqStrings(m.alpnProtocols, m1.alpnProtocols) 65 } 66 67 func (m *clientHelloMsg) marshal() []byte { 68 if m.raw != nil { 69 return m.raw 70 } 71 72 length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods) 73 numExtensions := 0 74 extensionsLength := 0 75 if m.nextProtoNeg { 76 numExtensions++ 77 } 78 if m.ocspStapling { 79 extensionsLength += 1 + 2 + 2 80 numExtensions++ 81 } 82 if len(m.serverName) > 0 { 83 extensionsLength += 5 + len(m.serverName) 84 numExtensions++ 85 } 86 if len(m.supportedCurves) > 0 { 87 extensionsLength += 2 + 2*len(m.supportedCurves) 88 numExtensions++ 89 } 90 if len(m.supportedPoints) > 0 { 91 extensionsLength += 1 + len(m.supportedPoints) 92 numExtensions++ 93 } 94 if m.ticketSupported { 95 extensionsLength += len(m.sessionTicket) 96 numExtensions++ 97 } 98 if len(m.signatureAndHashes) > 0 { 99 extensionsLength += 2 + 2*len(m.signatureAndHashes) 100 numExtensions++ 101 } 102 if m.secureRenegotiationSupported { 103 extensionsLength += 1 + len(m.secureRenegotiation) 104 numExtensions++ 105 } 106 if len(m.alpnProtocols) > 0 { 107 extensionsLength += 2 108 for _, s := range m.alpnProtocols { 109 if l := len(s); l == 0 || l > 255 { 110 panic("invalid ALPN protocol") 111 } 112 extensionsLength++ 113 extensionsLength += len(s) 114 } 115 numExtensions++ 116 } 117 if m.scts { 118 numExtensions++ 119 } 120 if numExtensions > 0 { 121 extensionsLength += 4 * numExtensions 122 length += 2 + extensionsLength 123 } 124 125 x := make([]byte, 4+length) 126 x[0] = typeClientHello 127 x[1] = uint8(length >> 16) 128 x[2] = uint8(length >> 8) 129 x[3] = uint8(length) 130 x[4] = uint8(m.vers >> 8) 131 x[5] = uint8(m.vers) 132 copy(x[6:38], m.random) 133 x[38] = uint8(len(m.sessionId)) 134 copy(x[39:39+len(m.sessionId)], m.sessionId) 135 y := x[39+len(m.sessionId):] 136 y[0] = uint8(len(m.cipherSuites) >> 7) 137 y[1] = uint8(len(m.cipherSuites) << 1) 138 for i, suite := range m.cipherSuites { 139 y[2+i*2] = uint8(suite >> 8) 140 y[3+i*2] = uint8(suite) 141 } 142 z := y[2+len(m.cipherSuites)*2:] 143 z[0] = uint8(len(m.compressionMethods)) 144 copy(z[1:], m.compressionMethods) 145 146 z = z[1+len(m.compressionMethods):] 147 if numExtensions > 0 { 148 z[0] = byte(extensionsLength >> 8) 149 z[1] = byte(extensionsLength) 150 z = z[2:] 151 } 152 if m.nextProtoNeg { 153 z[0] = byte(extensionNextProtoNeg >> 8) 154 z[1] = byte(extensionNextProtoNeg & 0xff) 155 // The length is always 0 156 z = z[4:] 157 } 158 if len(m.serverName) > 0 { 159 z[0] = byte(extensionServerName >> 8) 160 z[1] = byte(extensionServerName & 0xff) 161 l := len(m.serverName) + 5 162 z[2] = byte(l >> 8) 163 z[3] = byte(l) 164 z = z[4:] 165 166 // RFC 3546, section 3.1 167 // 168 // struct { 169 // NameType name_type; 170 // select (name_type) { 171 // case host_name: HostName; 172 // } name; 173 // } ServerName; 174 // 175 // enum { 176 // host_name(0), (255) 177 // } NameType; 178 // 179 // opaque HostName<1..2^16-1>; 180 // 181 // struct { 182 // ServerName server_name_list<1..2^16-1> 183 // } ServerNameList; 184 185 z[0] = byte((len(m.serverName) + 3) >> 8) 186 z[1] = byte(len(m.serverName) + 3) 187 z[3] = byte(len(m.serverName) >> 8) 188 z[4] = byte(len(m.serverName)) 189 copy(z[5:], []byte(m.serverName)) 190 z = z[l:] 191 } 192 if m.ocspStapling { 193 // RFC 4366, section 3.6 194 z[0] = byte(extensionStatusRequest >> 8) 195 z[1] = byte(extensionStatusRequest) 196 z[2] = 0 197 z[3] = 5 198 z[4] = 1 // OCSP type 199 // Two zero valued uint16s for the two lengths. 200 z = z[9:] 201 } 202 if len(m.supportedCurves) > 0 { 203 // http://tools.ietf.org/html/rfc4492#section-5.5.1 204 z[0] = byte(extensionSupportedCurves >> 8) 205 z[1] = byte(extensionSupportedCurves) 206 l := 2 + 2*len(m.supportedCurves) 207 z[2] = byte(l >> 8) 208 z[3] = byte(l) 209 l -= 2 210 z[4] = byte(l >> 8) 211 z[5] = byte(l) 212 z = z[6:] 213 for _, curve := range m.supportedCurves { 214 z[0] = byte(curve >> 8) 215 z[1] = byte(curve) 216 z = z[2:] 217 } 218 } 219 if len(m.supportedPoints) > 0 { 220 // http://tools.ietf.org/html/rfc4492#section-5.5.2 221 z[0] = byte(extensionSupportedPoints >> 8) 222 z[1] = byte(extensionSupportedPoints) 223 l := 1 + len(m.supportedPoints) 224 z[2] = byte(l >> 8) 225 z[3] = byte(l) 226 l-- 227 z[4] = byte(l) 228 z = z[5:] 229 for _, pointFormat := range m.supportedPoints { 230 z[0] = pointFormat 231 z = z[1:] 232 } 233 } 234 if m.ticketSupported { 235 // http://tools.ietf.org/html/rfc5077#section-3.2 236 z[0] = byte(extensionSessionTicket >> 8) 237 z[1] = byte(extensionSessionTicket) 238 l := len(m.sessionTicket) 239 z[2] = byte(l >> 8) 240 z[3] = byte(l) 241 z = z[4:] 242 copy(z, m.sessionTicket) 243 z = z[len(m.sessionTicket):] 244 } 245 if len(m.signatureAndHashes) > 0 { 246 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 247 z[0] = byte(extensionSignatureAlgorithms >> 8) 248 z[1] = byte(extensionSignatureAlgorithms) 249 l := 2 + 2*len(m.signatureAndHashes) 250 z[2] = byte(l >> 8) 251 z[3] = byte(l) 252 z = z[4:] 253 254 l -= 2 255 z[0] = byte(l >> 8) 256 z[1] = byte(l) 257 z = z[2:] 258 for _, sigAndHash := range m.signatureAndHashes { 259 z[0] = sigAndHash.hash 260 z[1] = sigAndHash.signature 261 z = z[2:] 262 } 263 } 264 if m.secureRenegotiationSupported { 265 z[0] = byte(extensionRenegotiationInfo >> 8) 266 z[1] = byte(extensionRenegotiationInfo & 0xff) 267 z[2] = 0 268 z[3] = byte(len(m.secureRenegotiation) + 1) 269 z[4] = byte(len(m.secureRenegotiation)) 270 z = z[5:] 271 copy(z, m.secureRenegotiation) 272 z = z[len(m.secureRenegotiation):] 273 } 274 if len(m.alpnProtocols) > 0 { 275 z[0] = byte(extensionALPN >> 8) 276 z[1] = byte(extensionALPN & 0xff) 277 lengths := z[2:] 278 z = z[6:] 279 280 stringsLength := 0 281 for _, s := range m.alpnProtocols { 282 l := len(s) 283 z[0] = byte(l) 284 copy(z[1:], s) 285 z = z[1+l:] 286 stringsLength += 1 + l 287 } 288 289 lengths[2] = byte(stringsLength >> 8) 290 lengths[3] = byte(stringsLength) 291 stringsLength += 2 292 lengths[0] = byte(stringsLength >> 8) 293 lengths[1] = byte(stringsLength) 294 } 295 if m.scts { 296 // https://tools.ietf.org/html/rfc6962#section-3.3.1 297 z[0] = byte(extensionSCT >> 8) 298 z[1] = byte(extensionSCT) 299 // zero uint16 for the zero-length extension_data 300 z = z[4:] 301 } 302 303 m.raw = x 304 305 return x 306 } 307 308 func (m *clientHelloMsg) unmarshal(data []byte) bool { 309 if len(data) < 42 { 310 return false 311 } 312 m.raw = data 313 m.vers = uint16(data[4])<<8 | uint16(data[5]) 314 m.random = data[6:38] 315 sessionIdLen := int(data[38]) 316 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 317 return false 318 } 319 m.sessionId = data[39 : 39+sessionIdLen] 320 data = data[39+sessionIdLen:] 321 if len(data) < 2 { 322 return false 323 } 324 // cipherSuiteLen is the number of bytes of cipher suite numbers. Since 325 // they are uint16s, the number must be even. 326 cipherSuiteLen := int(data[0])<<8 | int(data[1]) 327 if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen { 328 return false 329 } 330 numCipherSuites := cipherSuiteLen / 2 331 m.cipherSuites = make([]uint16, numCipherSuites) 332 for i := 0; i < numCipherSuites; i++ { 333 m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i]) 334 if m.cipherSuites[i] == scsvRenegotiation { 335 m.secureRenegotiationSupported = true 336 } 337 } 338 data = data[2+cipherSuiteLen:] 339 if len(data) < 1 { 340 return false 341 } 342 compressionMethodsLen := int(data[0]) 343 if len(data) < 1+compressionMethodsLen { 344 return false 345 } 346 m.compressionMethods = data[1 : 1+compressionMethodsLen] 347 348 data = data[1+compressionMethodsLen:] 349 350 m.nextProtoNeg = false 351 m.serverName = "" 352 m.ocspStapling = false 353 m.ticketSupported = false 354 m.sessionTicket = nil 355 m.signatureAndHashes = nil 356 m.alpnProtocols = nil 357 m.scts = false 358 359 if len(data) == 0 { 360 // ClientHello is optionally followed by extension data 361 return true 362 } 363 if len(data) < 2 { 364 return false 365 } 366 367 extensionsLength := int(data[0])<<8 | int(data[1]) 368 data = data[2:] 369 if extensionsLength != len(data) { 370 return false 371 } 372 373 for len(data) != 0 { 374 if len(data) < 4 { 375 return false 376 } 377 extension := uint16(data[0])<<8 | uint16(data[1]) 378 length := int(data[2])<<8 | int(data[3]) 379 data = data[4:] 380 if len(data) < length { 381 return false 382 } 383 384 switch extension { 385 case extensionServerName: 386 d := data[:length] 387 if len(d) < 2 { 388 return false 389 } 390 namesLen := int(d[0])<<8 | int(d[1]) 391 d = d[2:] 392 if len(d) != namesLen { 393 return false 394 } 395 for len(d) > 0 { 396 if len(d) < 3 { 397 return false 398 } 399 nameType := d[0] 400 nameLen := int(d[1])<<8 | int(d[2]) 401 d = d[3:] 402 if len(d) < nameLen { 403 return false 404 } 405 if nameType == 0 { 406 m.serverName = string(d[:nameLen]) 407 break 408 } 409 d = d[nameLen:] 410 } 411 case extensionNextProtoNeg: 412 if length > 0 { 413 return false 414 } 415 m.nextProtoNeg = true 416 case extensionStatusRequest: 417 m.ocspStapling = length > 0 && data[0] == statusTypeOCSP 418 case extensionSupportedCurves: 419 // http://tools.ietf.org/html/rfc4492#section-5.5.1 420 if length < 2 { 421 return false 422 } 423 l := int(data[0])<<8 | int(data[1]) 424 if l%2 == 1 || length != l+2 { 425 return false 426 } 427 numCurves := l / 2 428 m.supportedCurves = make([]CurveID, numCurves) 429 d := data[2:] 430 for i := 0; i < numCurves; i++ { 431 m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1]) 432 d = d[2:] 433 } 434 case extensionSupportedPoints: 435 // http://tools.ietf.org/html/rfc4492#section-5.5.2 436 if length < 1 { 437 return false 438 } 439 l := int(data[0]) 440 if length != l+1 { 441 return false 442 } 443 m.supportedPoints = make([]uint8, l) 444 copy(m.supportedPoints, data[1:]) 445 case extensionSessionTicket: 446 // http://tools.ietf.org/html/rfc5077#section-3.2 447 m.ticketSupported = true 448 m.sessionTicket = data[:length] 449 case extensionSignatureAlgorithms: 450 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 451 if length < 2 || length&1 != 0 { 452 return false 453 } 454 l := int(data[0])<<8 | int(data[1]) 455 if l != length-2 { 456 return false 457 } 458 n := l / 2 459 d := data[2:] 460 m.signatureAndHashes = make([]signatureAndHash, n) 461 for i := range m.signatureAndHashes { 462 m.signatureAndHashes[i].hash = d[0] 463 m.signatureAndHashes[i].signature = d[1] 464 d = d[2:] 465 } 466 case extensionRenegotiationInfo: 467 if length == 0 { 468 return false 469 } 470 d := data[:length] 471 l := int(d[0]) 472 d = d[1:] 473 if l != len(d) { 474 return false 475 } 476 477 m.secureRenegotiation = d 478 m.secureRenegotiationSupported = true 479 case extensionALPN: 480 if length < 2 { 481 return false 482 } 483 l := int(data[0])<<8 | int(data[1]) 484 if l != length-2 { 485 return false 486 } 487 d := data[2:length] 488 for len(d) != 0 { 489 stringLen := int(d[0]) 490 d = d[1:] 491 if stringLen == 0 || stringLen > len(d) { 492 return false 493 } 494 m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen])) 495 d = d[stringLen:] 496 } 497 case extensionSCT: 498 m.scts = true 499 if length != 0 { 500 return false 501 } 502 } 503 data = data[length:] 504 } 505 506 return true 507 } 508 509 type serverHelloMsg struct { 510 raw []byte 511 vers uint16 512 random []byte 513 sessionId []byte 514 cipherSuite uint16 515 compressionMethod uint8 516 nextProtoNeg bool 517 nextProtos []string 518 ocspStapling bool 519 scts [][]byte 520 ticketSupported bool 521 secureRenegotiation []byte 522 secureRenegotiationSupported bool 523 alpnProtocol string 524 } 525 526 func (m *serverHelloMsg) equal(i interface{}) bool { 527 m1, ok := i.(*serverHelloMsg) 528 if !ok { 529 return false 530 } 531 532 if len(m.scts) != len(m1.scts) { 533 return false 534 } 535 for i, sct := range m.scts { 536 if !bytes.Equal(sct, m1.scts[i]) { 537 return false 538 } 539 } 540 541 return bytes.Equal(m.raw, m1.raw) && 542 m.vers == m1.vers && 543 bytes.Equal(m.random, m1.random) && 544 bytes.Equal(m.sessionId, m1.sessionId) && 545 m.cipherSuite == m1.cipherSuite && 546 m.compressionMethod == m1.compressionMethod && 547 m.nextProtoNeg == m1.nextProtoNeg && 548 eqStrings(m.nextProtos, m1.nextProtos) && 549 m.ocspStapling == m1.ocspStapling && 550 m.ticketSupported == m1.ticketSupported && 551 m.secureRenegotiationSupported == m1.secureRenegotiationSupported && 552 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 553 m.alpnProtocol == m1.alpnProtocol 554 } 555 556 func (m *serverHelloMsg) marshal() []byte { 557 if m.raw != nil { 558 return m.raw 559 } 560 561 length := 38 + len(m.sessionId) 562 numExtensions := 0 563 extensionsLength := 0 564 565 nextProtoLen := 0 566 if m.nextProtoNeg { 567 numExtensions++ 568 for _, v := range m.nextProtos { 569 nextProtoLen += len(v) 570 } 571 nextProtoLen += len(m.nextProtos) 572 extensionsLength += nextProtoLen 573 } 574 if m.ocspStapling { 575 numExtensions++ 576 } 577 if m.ticketSupported { 578 numExtensions++ 579 } 580 if m.secureRenegotiationSupported { 581 extensionsLength += 1 + len(m.secureRenegotiation) 582 numExtensions++ 583 } 584 if alpnLen := len(m.alpnProtocol); alpnLen > 0 { 585 if alpnLen >= 256 { 586 panic("invalid ALPN protocol") 587 } 588 extensionsLength += 2 + 1 + alpnLen 589 numExtensions++ 590 } 591 sctLen := 0 592 if len(m.scts) > 0 { 593 for _, sct := range m.scts { 594 sctLen += len(sct) + 2 595 } 596 extensionsLength += 2 + sctLen 597 numExtensions++ 598 } 599 600 if numExtensions > 0 { 601 extensionsLength += 4 * numExtensions 602 length += 2 + extensionsLength 603 } 604 605 x := make([]byte, 4+length) 606 x[0] = typeServerHello 607 x[1] = uint8(length >> 16) 608 x[2] = uint8(length >> 8) 609 x[3] = uint8(length) 610 x[4] = uint8(m.vers >> 8) 611 x[5] = uint8(m.vers) 612 copy(x[6:38], m.random) 613 x[38] = uint8(len(m.sessionId)) 614 copy(x[39:39+len(m.sessionId)], m.sessionId) 615 z := x[39+len(m.sessionId):] 616 z[0] = uint8(m.cipherSuite >> 8) 617 z[1] = uint8(m.cipherSuite) 618 z[2] = m.compressionMethod 619 620 z = z[3:] 621 if numExtensions > 0 { 622 z[0] = byte(extensionsLength >> 8) 623 z[1] = byte(extensionsLength) 624 z = z[2:] 625 } 626 if m.nextProtoNeg { 627 z[0] = byte(extensionNextProtoNeg >> 8) 628 z[1] = byte(extensionNextProtoNeg & 0xff) 629 z[2] = byte(nextProtoLen >> 8) 630 z[3] = byte(nextProtoLen) 631 z = z[4:] 632 633 for _, v := range m.nextProtos { 634 l := len(v) 635 if l > 255 { 636 l = 255 637 } 638 z[0] = byte(l) 639 copy(z[1:], []byte(v[0:l])) 640 z = z[1+l:] 641 } 642 } 643 if m.ocspStapling { 644 z[0] = byte(extensionStatusRequest >> 8) 645 z[1] = byte(extensionStatusRequest) 646 z = z[4:] 647 } 648 if m.ticketSupported { 649 z[0] = byte(extensionSessionTicket >> 8) 650 z[1] = byte(extensionSessionTicket) 651 z = z[4:] 652 } 653 if m.secureRenegotiationSupported { 654 z[0] = byte(extensionRenegotiationInfo >> 8) 655 z[1] = byte(extensionRenegotiationInfo & 0xff) 656 z[2] = 0 657 z[3] = byte(len(m.secureRenegotiation) + 1) 658 z[4] = byte(len(m.secureRenegotiation)) 659 z = z[5:] 660 copy(z, m.secureRenegotiation) 661 z = z[len(m.secureRenegotiation):] 662 } 663 if alpnLen := len(m.alpnProtocol); alpnLen > 0 { 664 z[0] = byte(extensionALPN >> 8) 665 z[1] = byte(extensionALPN & 0xff) 666 l := 2 + 1 + alpnLen 667 z[2] = byte(l >> 8) 668 z[3] = byte(l) 669 l -= 2 670 z[4] = byte(l >> 8) 671 z[5] = byte(l) 672 l -= 1 673 z[6] = byte(l) 674 copy(z[7:], []byte(m.alpnProtocol)) 675 z = z[7+alpnLen:] 676 } 677 if sctLen > 0 { 678 z[0] = byte(extensionSCT >> 8) 679 z[1] = byte(extensionSCT) 680 l := sctLen + 2 681 z[2] = byte(l >> 8) 682 z[3] = byte(l) 683 z[4] = byte(sctLen >> 8) 684 z[5] = byte(sctLen) 685 686 z = z[6:] 687 for _, sct := range m.scts { 688 z[0] = byte(len(sct) >> 8) 689 z[1] = byte(len(sct)) 690 copy(z[2:], sct) 691 z = z[len(sct)+2:] 692 } 693 } 694 695 m.raw = x 696 697 return x 698 } 699 700 func (m *serverHelloMsg) unmarshal(data []byte) bool { 701 if len(data) < 42 { 702 return false 703 } 704 m.raw = data 705 m.vers = uint16(data[4])<<8 | uint16(data[5]) 706 m.random = data[6:38] 707 sessionIdLen := int(data[38]) 708 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 709 return false 710 } 711 m.sessionId = data[39 : 39+sessionIdLen] 712 data = data[39+sessionIdLen:] 713 if len(data) < 3 { 714 return false 715 } 716 m.cipherSuite = uint16(data[0])<<8 | uint16(data[1]) 717 m.compressionMethod = data[2] 718 data = data[3:] 719 720 m.nextProtoNeg = false 721 m.nextProtos = nil 722 m.ocspStapling = false 723 m.scts = nil 724 m.ticketSupported = false 725 m.alpnProtocol = "" 726 727 if len(data) == 0 { 728 // ServerHello is optionally followed by extension data 729 return true 730 } 731 if len(data) < 2 { 732 return false 733 } 734 735 extensionsLength := int(data[0])<<8 | int(data[1]) 736 data = data[2:] 737 if len(data) != extensionsLength { 738 return false 739 } 740 741 for len(data) != 0 { 742 if len(data) < 4 { 743 return false 744 } 745 extension := uint16(data[0])<<8 | uint16(data[1]) 746 length := int(data[2])<<8 | int(data[3]) 747 data = data[4:] 748 if len(data) < length { 749 return false 750 } 751 752 switch extension { 753 case extensionNextProtoNeg: 754 m.nextProtoNeg = true 755 d := data[:length] 756 for len(d) > 0 { 757 l := int(d[0]) 758 d = d[1:] 759 if l == 0 || l > len(d) { 760 return false 761 } 762 m.nextProtos = append(m.nextProtos, string(d[:l])) 763 d = d[l:] 764 } 765 case extensionStatusRequest: 766 if length > 0 { 767 return false 768 } 769 m.ocspStapling = true 770 case extensionSessionTicket: 771 if length > 0 { 772 return false 773 } 774 m.ticketSupported = true 775 case extensionRenegotiationInfo: 776 if length == 0 { 777 return false 778 } 779 d := data[:length] 780 l := int(d[0]) 781 d = d[1:] 782 if l != len(d) { 783 return false 784 } 785 786 m.secureRenegotiation = d 787 m.secureRenegotiationSupported = true 788 case extensionALPN: 789 d := data[:length] 790 if len(d) < 3 { 791 return false 792 } 793 l := int(d[0])<<8 | int(d[1]) 794 if l != len(d)-2 { 795 return false 796 } 797 d = d[2:] 798 l = int(d[0]) 799 if l != len(d)-1 { 800 return false 801 } 802 d = d[1:] 803 if len(d) == 0 { 804 // ALPN protocols must not be empty. 805 return false 806 } 807 m.alpnProtocol = string(d) 808 case extensionSCT: 809 d := data[:length] 810 811 if len(d) < 2 { 812 return false 813 } 814 l := int(d[0])<<8 | int(d[1]) 815 d = d[2:] 816 if len(d) != l || l == 0 { 817 return false 818 } 819 820 m.scts = make([][]byte, 0, 3) 821 for len(d) != 0 { 822 if len(d) < 2 { 823 return false 824 } 825 sctLen := int(d[0])<<8 | int(d[1]) 826 d = d[2:] 827 if sctLen == 0 || len(d) < sctLen { 828 return false 829 } 830 m.scts = append(m.scts, d[:sctLen]) 831 d = d[sctLen:] 832 } 833 } 834 data = data[length:] 835 } 836 837 return true 838 } 839 840 type certificateMsg struct { 841 raw []byte 842 certificates [][]byte 843 } 844 845 func (m *certificateMsg) equal(i interface{}) bool { 846 m1, ok := i.(*certificateMsg) 847 if !ok { 848 return false 849 } 850 851 return bytes.Equal(m.raw, m1.raw) && 852 eqByteSlices(m.certificates, m1.certificates) 853 } 854 855 func (m *certificateMsg) marshal() (x []byte) { 856 if m.raw != nil { 857 return m.raw 858 } 859 860 var i int 861 for _, slice := range m.certificates { 862 i += len(slice) 863 } 864 865 length := 3 + 3*len(m.certificates) + i 866 x = make([]byte, 4+length) 867 x[0] = typeCertificate 868 x[1] = uint8(length >> 16) 869 x[2] = uint8(length >> 8) 870 x[3] = uint8(length) 871 872 certificateOctets := length - 3 873 x[4] = uint8(certificateOctets >> 16) 874 x[5] = uint8(certificateOctets >> 8) 875 x[6] = uint8(certificateOctets) 876 877 y := x[7:] 878 for _, slice := range m.certificates { 879 y[0] = uint8(len(slice) >> 16) 880 y[1] = uint8(len(slice) >> 8) 881 y[2] = uint8(len(slice)) 882 copy(y[3:], slice) 883 y = y[3+len(slice):] 884 } 885 886 m.raw = x 887 return 888 } 889 890 func (m *certificateMsg) unmarshal(data []byte) bool { 891 if len(data) < 7 { 892 return false 893 } 894 895 m.raw = data 896 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 897 if uint32(len(data)) != certsLen+7 { 898 return false 899 } 900 901 numCerts := 0 902 d := data[7:] 903 for certsLen > 0 { 904 if len(d) < 4 { 905 return false 906 } 907 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 908 if uint32(len(d)) < 3+certLen { 909 return false 910 } 911 d = d[3+certLen:] 912 certsLen -= 3 + certLen 913 numCerts++ 914 } 915 916 m.certificates = make([][]byte, numCerts) 917 d = data[7:] 918 for i := 0; i < numCerts; i++ { 919 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 920 m.certificates[i] = d[3 : 3+certLen] 921 d = d[3+certLen:] 922 } 923 924 return true 925 } 926 927 type serverKeyExchangeMsg struct { 928 raw []byte 929 key []byte 930 } 931 932 func (m *serverKeyExchangeMsg) equal(i interface{}) bool { 933 m1, ok := i.(*serverKeyExchangeMsg) 934 if !ok { 935 return false 936 } 937 938 return bytes.Equal(m.raw, m1.raw) && 939 bytes.Equal(m.key, m1.key) 940 } 941 942 func (m *serverKeyExchangeMsg) marshal() []byte { 943 if m.raw != nil { 944 return m.raw 945 } 946 length := len(m.key) 947 x := make([]byte, length+4) 948 x[0] = typeServerKeyExchange 949 x[1] = uint8(length >> 16) 950 x[2] = uint8(length >> 8) 951 x[3] = uint8(length) 952 copy(x[4:], m.key) 953 954 m.raw = x 955 return x 956 } 957 958 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 959 m.raw = data 960 if len(data) < 4 { 961 return false 962 } 963 m.key = data[4:] 964 return true 965 } 966 967 type certificateStatusMsg struct { 968 raw []byte 969 statusType uint8 970 response []byte 971 } 972 973 func (m *certificateStatusMsg) equal(i interface{}) bool { 974 m1, ok := i.(*certificateStatusMsg) 975 if !ok { 976 return false 977 } 978 979 return bytes.Equal(m.raw, m1.raw) && 980 m.statusType == m1.statusType && 981 bytes.Equal(m.response, m1.response) 982 } 983 984 func (m *certificateStatusMsg) marshal() []byte { 985 if m.raw != nil { 986 return m.raw 987 } 988 989 var x []byte 990 if m.statusType == statusTypeOCSP { 991 x = make([]byte, 4+4+len(m.response)) 992 x[0] = typeCertificateStatus 993 l := len(m.response) + 4 994 x[1] = byte(l >> 16) 995 x[2] = byte(l >> 8) 996 x[3] = byte(l) 997 x[4] = statusTypeOCSP 998 999 l -= 4 1000 x[5] = byte(l >> 16) 1001 x[6] = byte(l >> 8) 1002 x[7] = byte(l) 1003 copy(x[8:], m.response) 1004 } else { 1005 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 1006 } 1007 1008 m.raw = x 1009 return x 1010 } 1011 1012 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1013 m.raw = data 1014 if len(data) < 5 { 1015 return false 1016 } 1017 m.statusType = data[4] 1018 1019 m.response = nil 1020 if m.statusType == statusTypeOCSP { 1021 if len(data) < 8 { 1022 return false 1023 } 1024 respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 1025 if uint32(len(data)) != 4+4+respLen { 1026 return false 1027 } 1028 m.response = data[8:] 1029 } 1030 return true 1031 } 1032 1033 type serverHelloDoneMsg struct{} 1034 1035 func (m *serverHelloDoneMsg) equal(i interface{}) bool { 1036 _, ok := i.(*serverHelloDoneMsg) 1037 return ok 1038 } 1039 1040 func (m *serverHelloDoneMsg) marshal() []byte { 1041 x := make([]byte, 4) 1042 x[0] = typeServerHelloDone 1043 return x 1044 } 1045 1046 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1047 return len(data) == 4 1048 } 1049 1050 type clientKeyExchangeMsg struct { 1051 raw []byte 1052 ciphertext []byte 1053 } 1054 1055 func (m *clientKeyExchangeMsg) equal(i interface{}) bool { 1056 m1, ok := i.(*clientKeyExchangeMsg) 1057 if !ok { 1058 return false 1059 } 1060 1061 return bytes.Equal(m.raw, m1.raw) && 1062 bytes.Equal(m.ciphertext, m1.ciphertext) 1063 } 1064 1065 func (m *clientKeyExchangeMsg) marshal() []byte { 1066 if m.raw != nil { 1067 return m.raw 1068 } 1069 length := len(m.ciphertext) 1070 x := make([]byte, length+4) 1071 x[0] = typeClientKeyExchange 1072 x[1] = uint8(length >> 16) 1073 x[2] = uint8(length >> 8) 1074 x[3] = uint8(length) 1075 copy(x[4:], m.ciphertext) 1076 1077 m.raw = x 1078 return x 1079 } 1080 1081 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1082 m.raw = data 1083 if len(data) < 4 { 1084 return false 1085 } 1086 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1087 if l != len(data)-4 { 1088 return false 1089 } 1090 m.ciphertext = data[4:] 1091 return true 1092 } 1093 1094 type finishedMsg struct { 1095 raw []byte 1096 verifyData []byte 1097 } 1098 1099 func (m *finishedMsg) equal(i interface{}) bool { 1100 m1, ok := i.(*finishedMsg) 1101 if !ok { 1102 return false 1103 } 1104 1105 return bytes.Equal(m.raw, m1.raw) && 1106 bytes.Equal(m.verifyData, m1.verifyData) 1107 } 1108 1109 func (m *finishedMsg) marshal() (x []byte) { 1110 if m.raw != nil { 1111 return m.raw 1112 } 1113 1114 x = make([]byte, 4+len(m.verifyData)) 1115 x[0] = typeFinished 1116 x[3] = byte(len(m.verifyData)) 1117 copy(x[4:], m.verifyData) 1118 m.raw = x 1119 return 1120 } 1121 1122 func (m *finishedMsg) unmarshal(data []byte) bool { 1123 m.raw = data 1124 if len(data) < 4 { 1125 return false 1126 } 1127 m.verifyData = data[4:] 1128 return true 1129 } 1130 1131 type nextProtoMsg struct { 1132 raw []byte 1133 proto string 1134 } 1135 1136 func (m *nextProtoMsg) equal(i interface{}) bool { 1137 m1, ok := i.(*nextProtoMsg) 1138 if !ok { 1139 return false 1140 } 1141 1142 return bytes.Equal(m.raw, m1.raw) && 1143 m.proto == m1.proto 1144 } 1145 1146 func (m *nextProtoMsg) marshal() []byte { 1147 if m.raw != nil { 1148 return m.raw 1149 } 1150 l := len(m.proto) 1151 if l > 255 { 1152 l = 255 1153 } 1154 1155 padding := 32 - (l+2)%32 1156 length := l + padding + 2 1157 x := make([]byte, length+4) 1158 x[0] = typeNextProtocol 1159 x[1] = uint8(length >> 16) 1160 x[2] = uint8(length >> 8) 1161 x[3] = uint8(length) 1162 1163 y := x[4:] 1164 y[0] = byte(l) 1165 copy(y[1:], []byte(m.proto[0:l])) 1166 y = y[1+l:] 1167 y[0] = byte(padding) 1168 1169 m.raw = x 1170 1171 return x 1172 } 1173 1174 func (m *nextProtoMsg) unmarshal(data []byte) bool { 1175 m.raw = data 1176 1177 if len(data) < 5 { 1178 return false 1179 } 1180 data = data[4:] 1181 protoLen := int(data[0]) 1182 data = data[1:] 1183 if len(data) < protoLen { 1184 return false 1185 } 1186 m.proto = string(data[0:protoLen]) 1187 data = data[protoLen:] 1188 1189 if len(data) < 1 { 1190 return false 1191 } 1192 paddingLen := int(data[0]) 1193 data = data[1:] 1194 if len(data) != paddingLen { 1195 return false 1196 } 1197 1198 return true 1199 } 1200 1201 type certificateRequestMsg struct { 1202 raw []byte 1203 // hasSignatureAndHash indicates whether this message includes a list 1204 // of signature and hash functions. This change was introduced with TLS 1205 // 1.2. 1206 hasSignatureAndHash bool 1207 1208 certificateTypes []byte 1209 signatureAndHashes []signatureAndHash 1210 certificateAuthorities [][]byte 1211 } 1212 1213 func (m *certificateRequestMsg) equal(i interface{}) bool { 1214 m1, ok := i.(*certificateRequestMsg) 1215 if !ok { 1216 return false 1217 } 1218 1219 return bytes.Equal(m.raw, m1.raw) && 1220 bytes.Equal(m.certificateTypes, m1.certificateTypes) && 1221 eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) && 1222 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) 1223 } 1224 1225 func (m *certificateRequestMsg) marshal() (x []byte) { 1226 if m.raw != nil { 1227 return m.raw 1228 } 1229 1230 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 1231 length := 1 + len(m.certificateTypes) + 2 1232 casLength := 0 1233 for _, ca := range m.certificateAuthorities { 1234 casLength += 2 + len(ca) 1235 } 1236 length += casLength 1237 1238 if m.hasSignatureAndHash { 1239 length += 2 + 2*len(m.signatureAndHashes) 1240 } 1241 1242 x = make([]byte, 4+length) 1243 x[0] = typeCertificateRequest 1244 x[1] = uint8(length >> 16) 1245 x[2] = uint8(length >> 8) 1246 x[3] = uint8(length) 1247 1248 x[4] = uint8(len(m.certificateTypes)) 1249 1250 copy(x[5:], m.certificateTypes) 1251 y := x[5+len(m.certificateTypes):] 1252 1253 if m.hasSignatureAndHash { 1254 n := len(m.signatureAndHashes) * 2 1255 y[0] = uint8(n >> 8) 1256 y[1] = uint8(n) 1257 y = y[2:] 1258 for _, sigAndHash := range m.signatureAndHashes { 1259 y[0] = sigAndHash.hash 1260 y[1] = sigAndHash.signature 1261 y = y[2:] 1262 } 1263 } 1264 1265 y[0] = uint8(casLength >> 8) 1266 y[1] = uint8(casLength) 1267 y = y[2:] 1268 for _, ca := range m.certificateAuthorities { 1269 y[0] = uint8(len(ca) >> 8) 1270 y[1] = uint8(len(ca)) 1271 y = y[2:] 1272 copy(y, ca) 1273 y = y[len(ca):] 1274 } 1275 1276 m.raw = x 1277 return 1278 } 1279 1280 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1281 m.raw = data 1282 1283 if len(data) < 5 { 1284 return false 1285 } 1286 1287 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1288 if uint32(len(data))-4 != length { 1289 return false 1290 } 1291 1292 numCertTypes := int(data[4]) 1293 data = data[5:] 1294 if numCertTypes == 0 || len(data) <= numCertTypes { 1295 return false 1296 } 1297 1298 m.certificateTypes = make([]byte, numCertTypes) 1299 if copy(m.certificateTypes, data) != numCertTypes { 1300 return false 1301 } 1302 1303 data = data[numCertTypes:] 1304 1305 if m.hasSignatureAndHash { 1306 if len(data) < 2 { 1307 return false 1308 } 1309 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1310 data = data[2:] 1311 if sigAndHashLen&1 != 0 { 1312 return false 1313 } 1314 if len(data) < int(sigAndHashLen) { 1315 return false 1316 } 1317 numSigAndHash := sigAndHashLen / 2 1318 m.signatureAndHashes = make([]signatureAndHash, numSigAndHash) 1319 for i := range m.signatureAndHashes { 1320 m.signatureAndHashes[i].hash = data[0] 1321 m.signatureAndHashes[i].signature = data[1] 1322 data = data[2:] 1323 } 1324 } 1325 1326 if len(data) < 2 { 1327 return false 1328 } 1329 casLength := uint16(data[0])<<8 | uint16(data[1]) 1330 data = data[2:] 1331 if len(data) < int(casLength) { 1332 return false 1333 } 1334 cas := make([]byte, casLength) 1335 copy(cas, data) 1336 data = data[casLength:] 1337 1338 m.certificateAuthorities = nil 1339 for len(cas) > 0 { 1340 if len(cas) < 2 { 1341 return false 1342 } 1343 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1344 cas = cas[2:] 1345 1346 if len(cas) < int(caLen) { 1347 return false 1348 } 1349 1350 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1351 cas = cas[caLen:] 1352 } 1353 1354 return len(data) == 0 1355 } 1356 1357 type certificateVerifyMsg struct { 1358 raw []byte 1359 hasSignatureAndHash bool 1360 signatureAndHash signatureAndHash 1361 signature []byte 1362 } 1363 1364 func (m *certificateVerifyMsg) equal(i interface{}) bool { 1365 m1, ok := i.(*certificateVerifyMsg) 1366 if !ok { 1367 return false 1368 } 1369 1370 return bytes.Equal(m.raw, m1.raw) && 1371 m.hasSignatureAndHash == m1.hasSignatureAndHash && 1372 m.signatureAndHash.hash == m1.signatureAndHash.hash && 1373 m.signatureAndHash.signature == m1.signatureAndHash.signature && 1374 bytes.Equal(m.signature, m1.signature) 1375 } 1376 1377 func (m *certificateVerifyMsg) marshal() (x []byte) { 1378 if m.raw != nil { 1379 return m.raw 1380 } 1381 1382 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 1383 siglength := len(m.signature) 1384 length := 2 + siglength 1385 if m.hasSignatureAndHash { 1386 length += 2 1387 } 1388 x = make([]byte, 4+length) 1389 x[0] = typeCertificateVerify 1390 x[1] = uint8(length >> 16) 1391 x[2] = uint8(length >> 8) 1392 x[3] = uint8(length) 1393 y := x[4:] 1394 if m.hasSignatureAndHash { 1395 y[0] = m.signatureAndHash.hash 1396 y[1] = m.signatureAndHash.signature 1397 y = y[2:] 1398 } 1399 y[0] = uint8(siglength >> 8) 1400 y[1] = uint8(siglength) 1401 copy(y[2:], m.signature) 1402 1403 m.raw = x 1404 1405 return 1406 } 1407 1408 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1409 m.raw = data 1410 1411 if len(data) < 6 { 1412 return false 1413 } 1414 1415 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1416 if uint32(len(data))-4 != length { 1417 return false 1418 } 1419 1420 data = data[4:] 1421 if m.hasSignatureAndHash { 1422 m.signatureAndHash.hash = data[0] 1423 m.signatureAndHash.signature = data[1] 1424 data = data[2:] 1425 } 1426 1427 if len(data) < 2 { 1428 return false 1429 } 1430 siglength := int(data[0])<<8 + int(data[1]) 1431 data = data[2:] 1432 if len(data) != siglength { 1433 return false 1434 } 1435 1436 m.signature = data 1437 1438 return true 1439 } 1440 1441 type newSessionTicketMsg struct { 1442 raw []byte 1443 ticket []byte 1444 } 1445 1446 func (m *newSessionTicketMsg) equal(i interface{}) bool { 1447 m1, ok := i.(*newSessionTicketMsg) 1448 if !ok { 1449 return false 1450 } 1451 1452 return bytes.Equal(m.raw, m1.raw) && 1453 bytes.Equal(m.ticket, m1.ticket) 1454 } 1455 1456 func (m *newSessionTicketMsg) marshal() (x []byte) { 1457 if m.raw != nil { 1458 return m.raw 1459 } 1460 1461 // See http://tools.ietf.org/html/rfc5077#section-3.3 1462 ticketLen := len(m.ticket) 1463 length := 2 + 4 + ticketLen 1464 x = make([]byte, 4+length) 1465 x[0] = typeNewSessionTicket 1466 x[1] = uint8(length >> 16) 1467 x[2] = uint8(length >> 8) 1468 x[3] = uint8(length) 1469 x[8] = uint8(ticketLen >> 8) 1470 x[9] = uint8(ticketLen) 1471 copy(x[10:], m.ticket) 1472 1473 m.raw = x 1474 1475 return 1476 } 1477 1478 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1479 m.raw = data 1480 1481 if len(data) < 10 { 1482 return false 1483 } 1484 1485 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1486 if uint32(len(data))-4 != length { 1487 return false 1488 } 1489 1490 ticketLen := int(data[8])<<8 + int(data[9]) 1491 if len(data)-10 != ticketLen { 1492 return false 1493 } 1494 1495 m.ticket = data[10:] 1496 1497 return true 1498 } 1499 1500 type helloRequestMsg struct { 1501 } 1502 1503 func (*helloRequestMsg) marshal() []byte { 1504 return []byte{typeHelloRequest, 0, 0, 0} 1505 } 1506 1507 func (*helloRequestMsg) unmarshal(data []byte) bool { 1508 return len(data) == 4 1509 } 1510 1511 func eqUint16s(x, y []uint16) bool { 1512 if len(x) != len(y) { 1513 return false 1514 } 1515 for i, v := range x { 1516 if y[i] != v { 1517 return false 1518 } 1519 } 1520 return true 1521 } 1522 1523 func eqCurveIDs(x, y []CurveID) bool { 1524 if len(x) != len(y) { 1525 return false 1526 } 1527 for i, v := range x { 1528 if y[i] != v { 1529 return false 1530 } 1531 } 1532 return true 1533 } 1534 1535 func eqStrings(x, y []string) bool { 1536 if len(x) != len(y) { 1537 return false 1538 } 1539 for i, v := range x { 1540 if y[i] != v { 1541 return false 1542 } 1543 } 1544 return true 1545 } 1546 1547 func eqByteSlices(x, y [][]byte) bool { 1548 if len(x) != len(y) { 1549 return false 1550 } 1551 for i, v := range x { 1552 if !bytes.Equal(v, y[i]) { 1553 return false 1554 } 1555 } 1556 return true 1557 } 1558 1559 func eqSignatureAndHashes(x, y []signatureAndHash) bool { 1560 if len(x) != len(y) { 1561 return false 1562 } 1563 for i, v := range x { 1564 v2 := y[i] 1565 if v.hash != v2.hash || v.signature != v2.signature { 1566 return false 1567 } 1568 } 1569 return true 1570 }