github.com/hxx258456/ccgo@v0.0.5-0.20230213014102-48b35f46f66f/gmtls/handshake_messages.go (about) 1 // Copyright 2022 s1ren@github.com/hxx258456. 2 3 /* 4 gmtls是基于`golang/go`的`tls`包实现的国密改造版本。 5 对应版权声明: thrid_licenses/github.com/golang/go/LICENSE 6 */ 7 8 package gmtls 9 10 import ( 11 "fmt" 12 "strings" 13 14 "golang.org/x/crypto/cryptobyte" 15 ) 16 17 // The marshalingFunction type is an adapter to allow the use of ordinary 18 // functions as cryptobyte.MarshalingValue. 19 type marshalingFunction func(b *cryptobyte.Builder) error 20 21 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 22 return f(b) 23 } 24 25 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 26 // the length of the sequence is not the value specified, it produces an error. 27 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 28 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 29 if len(v) != n { 30 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 31 } 32 b.AddBytes(v) 33 return nil 34 })) 35 } 36 37 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 38 func addUint64(b *cryptobyte.Builder, v uint64) { 39 b.AddUint32(uint32(v >> 32)) 40 b.AddUint32(uint32(v)) 41 } 42 43 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 44 // It reports whether the read was successful. 45 func readUint64(s *cryptobyte.String, out *uint64) bool { 46 var hi, lo uint32 47 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 48 return false 49 } 50 *out = uint64(hi)<<32 | uint64(lo) 51 return true 52 } 53 54 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 55 // []byte instead of a cryptobyte.String. 56 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 57 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 58 } 59 60 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 61 // []byte instead of a cryptobyte.String. 62 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 63 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 64 } 65 66 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 67 // []byte instead of a cryptobyte.String. 68 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 69 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 70 } 71 72 type clientHelloMsg struct { 73 raw []byte // 序列化原文 74 vers uint16 // tls协议最高支持版本, tls1.2及之前版本用 75 random []byte // ClientRandom, tls1.2及之前版本用来生成主密钥的参数之一 76 sessionId []byte // 会话ID 77 cipherSuites []uint16 // 支持的密码套件列表 78 compressionMethods []uint8 // 支持的压缩方法列表 79 serverName string // 访问的服务端名称 80 ocspStapling bool // 是否需要OCSP装订 81 supportedCurves []CurveID // 支持的椭圆曲线ID 82 supportedPoints []uint8 // 支持的椭圆曲线点坐标压缩格式 83 ticketSupported bool // 是否支持票据 84 sessionTicket []uint8 // 会话票据 85 supportedSignatureAlgorithms []SignatureScheme // 支持的签名算法 86 supportedSignatureAlgorithmsCert []SignatureScheme // 支持的签名算法证书? 87 secureRenegotiationSupported bool // 是否支持安全重协议 88 secureRenegotiation []byte // 安全重协议用字段,非首次握手时,将上次握手时客户端的Finished消息作为该字段传入 89 alpnProtocols []string // ALPN协议列表 90 scts bool // signed certificate timestamps from server 91 supportedVersions []uint16 // 支持的tls协议, tls1.3后启用的扩展信息 92 cookie []byte // cookie? 93 keyShares []keyShare // 密钥交换算法参数 94 earlyData bool // 上次握手的密钥材料? 95 pskModes []uint8 // psk(pre shared key)模式? 96 pskIdentities []pskIdentity // psk ids 客户端存储的之前的共享密钥ID? 97 pskBinders [][]byte // psk Binders ? 98 } 99 100 func (m *clientHelloMsg) marshal() []byte { 101 if m.raw != nil { 102 return m.raw 103 } 104 105 var b cryptobyte.Builder 106 b.AddUint8(typeClientHello) 107 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 108 b.AddUint16(m.vers) 109 addBytesWithLength(b, m.random, 32) 110 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 111 b.AddBytes(m.sessionId) 112 }) 113 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 114 for _, suite := range m.cipherSuites { 115 b.AddUint16(suite) 116 } 117 }) 118 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 119 b.AddBytes(m.compressionMethods) 120 }) 121 122 // If extensions aren't present, omit them. 123 var extensionsPresent bool 124 bWithoutExtensions := *b 125 126 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 127 if len(m.serverName) > 0 { 128 // RFC 6066, Section 3 129 b.AddUint16(extensionServerName) 130 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 131 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 132 b.AddUint8(0) // name_type = host_name 133 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 134 b.AddBytes([]byte(m.serverName)) 135 }) 136 }) 137 }) 138 } 139 if m.ocspStapling { 140 // RFC 4366, Section 3.6 141 b.AddUint16(extensionStatusRequest) 142 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 143 b.AddUint8(1) // status_type = ocsp 144 b.AddUint16(0) // empty responder_id_list 145 b.AddUint16(0) // empty request_extensions 146 }) 147 } 148 if len(m.supportedCurves) > 0 { 149 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 150 b.AddUint16(extensionSupportedCurves) 151 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 152 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 153 for _, curve := range m.supportedCurves { 154 b.AddUint16(uint16(curve)) 155 } 156 }) 157 }) 158 } 159 if len(m.supportedPoints) > 0 { 160 // RFC 4492, Section 5.1.2 161 b.AddUint16(extensionSupportedPoints) 162 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 163 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 164 b.AddBytes(m.supportedPoints) 165 }) 166 }) 167 } 168 if m.ticketSupported { 169 // RFC 5077, Section 3.2 170 b.AddUint16(extensionSessionTicket) 171 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 172 b.AddBytes(m.sessionTicket) 173 }) 174 } 175 if len(m.supportedSignatureAlgorithms) > 0 { 176 // RFC 5246, Section 7.4.1.4.1 177 b.AddUint16(extensionSignatureAlgorithms) 178 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 179 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 180 for _, sigAlgo := range m.supportedSignatureAlgorithms { 181 b.AddUint16(uint16(sigAlgo)) 182 } 183 }) 184 }) 185 } 186 if len(m.supportedSignatureAlgorithmsCert) > 0 { 187 // RFC 8446, Section 4.2.3 188 b.AddUint16(extensionSignatureAlgorithmsCert) 189 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 190 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 191 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 192 b.AddUint16(uint16(sigAlgo)) 193 } 194 }) 195 }) 196 } 197 if m.secureRenegotiationSupported { 198 // RFC 5746, Section 3.2 199 b.AddUint16(extensionRenegotiationInfo) 200 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 201 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 202 b.AddBytes(m.secureRenegotiation) 203 }) 204 }) 205 } 206 if len(m.alpnProtocols) > 0 { 207 // RFC 7301, Section 3.1 208 b.AddUint16(extensionALPN) 209 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 210 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 211 for _, proto := range m.alpnProtocols { 212 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 213 b.AddBytes([]byte(proto)) 214 }) 215 } 216 }) 217 }) 218 } 219 if m.scts { 220 // RFC 6962, Section 3.3.1 221 b.AddUint16(extensionSCT) 222 b.AddUint16(0) // empty extension_data 223 } 224 if len(m.supportedVersions) > 0 { 225 // RFC 8446, Section 4.2.1 226 b.AddUint16(extensionSupportedVersions) 227 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 228 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 229 for _, vers := range m.supportedVersions { 230 b.AddUint16(vers) 231 } 232 }) 233 }) 234 } 235 if len(m.cookie) > 0 { 236 // RFC 8446, Section 4.2.2 237 b.AddUint16(extensionCookie) 238 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 239 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 240 b.AddBytes(m.cookie) 241 }) 242 }) 243 } 244 if len(m.keyShares) > 0 { 245 // RFC 8446, Section 4.2.8 246 b.AddUint16(extensionKeyShare) 247 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 248 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 249 for _, ks := range m.keyShares { 250 b.AddUint16(uint16(ks.group)) 251 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 252 b.AddBytes(ks.data) 253 }) 254 } 255 }) 256 }) 257 } 258 if m.earlyData { 259 // RFC 8446, Section 4.2.10 260 b.AddUint16(extensionEarlyData) 261 b.AddUint16(0) // empty extension_data 262 } 263 if len(m.pskModes) > 0 { 264 // RFC 8446, Section 4.2.9 265 b.AddUint16(extensionPSKModes) 266 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 267 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 268 b.AddBytes(m.pskModes) 269 }) 270 }) 271 } 272 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 273 // RFC 8446, Section 4.2.11 274 b.AddUint16(extensionPreSharedKey) 275 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 276 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 277 for _, psk := range m.pskIdentities { 278 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 279 b.AddBytes(psk.label) 280 }) 281 b.AddUint32(psk.obfuscatedTicketAge) 282 } 283 }) 284 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 285 for _, binder := range m.pskBinders { 286 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 287 b.AddBytes(binder) 288 }) 289 } 290 }) 291 }) 292 } 293 294 extensionsPresent = len(b.BytesOrPanic()) > 2 295 }) 296 297 if !extensionsPresent { 298 *b = bWithoutExtensions 299 } 300 }) 301 302 m.raw = b.BytesOrPanic() 303 return m.raw 304 } 305 306 // marshalWithoutBinders returns the ClientHello through the 307 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 308 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 309 func (m *clientHelloMsg) marshalWithoutBinders() []byte { 310 bindersLen := 2 // uint16 length prefix 311 for _, binder := range m.pskBinders { 312 bindersLen += 1 // uint8 length prefix 313 bindersLen += len(binder) 314 } 315 316 fullMessage := m.marshal() 317 return fullMessage[:len(fullMessage)-bindersLen] 318 } 319 320 // updateBinders updates the m.pskBinders field, if necessary updating the 321 // cached marshaled representation. The supplied binders must have the same 322 // length as the current m.pskBinders. 323 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { 324 if len(pskBinders) != len(m.pskBinders) { 325 panic("gmtls: internal error: pskBinders length mismatch") 326 } 327 for i := range m.pskBinders { 328 if len(pskBinders[i]) != len(m.pskBinders[i]) { 329 panic("gmtls: internal error: pskBinders length mismatch") 330 } 331 } 332 m.pskBinders = pskBinders 333 if m.raw != nil { 334 lenWithoutBinders := len(m.marshalWithoutBinders()) 335 // TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported. 336 b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders]) 337 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 338 for _, binder := range m.pskBinders { 339 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 340 b.AddBytes(binder) 341 }) 342 } 343 }) 344 if len(b.BytesOrPanic()) != len(m.raw) { 345 panic("gmtls: internal error: failed to update binders") 346 } 347 } 348 } 349 350 func (m *clientHelloMsg) unmarshal(data []byte) bool { 351 *m = clientHelloMsg{raw: data} 352 s := cryptobyte.String(data) 353 354 if !s.Skip(4) || // message type and uint24 length field 355 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 356 !readUint8LengthPrefixed(&s, &m.sessionId) { 357 return false 358 } 359 360 var cipherSuites cryptobyte.String 361 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 362 return false 363 } 364 m.cipherSuites = []uint16{} 365 m.secureRenegotiationSupported = false 366 for !cipherSuites.Empty() { 367 var suite uint16 368 if !cipherSuites.ReadUint16(&suite) { 369 return false 370 } 371 if suite == scsvRenegotiation { 372 m.secureRenegotiationSupported = true 373 } 374 m.cipherSuites = append(m.cipherSuites, suite) 375 } 376 377 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 378 return false 379 } 380 381 if s.Empty() { 382 // ClientHello is optionally followed by extension data 383 return true 384 } 385 386 var extensions cryptobyte.String 387 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 388 return false 389 } 390 391 for !extensions.Empty() { 392 var extension uint16 393 var extData cryptobyte.String 394 if !extensions.ReadUint16(&extension) || 395 !extensions.ReadUint16LengthPrefixed(&extData) { 396 return false 397 } 398 399 switch extension { 400 case extensionServerName: 401 // RFC 6066, Section 3 402 var nameList cryptobyte.String 403 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 404 return false 405 } 406 for !nameList.Empty() { 407 var nameType uint8 408 var serverName cryptobyte.String 409 if !nameList.ReadUint8(&nameType) || 410 !nameList.ReadUint16LengthPrefixed(&serverName) || 411 serverName.Empty() { 412 return false 413 } 414 if nameType != 0 { 415 continue 416 } 417 if len(m.serverName) != 0 { 418 // Multiple names of the same name_type are prohibited. 419 return false 420 } 421 m.serverName = string(serverName) 422 // An SNI value may not include a trailing dot. 423 if strings.HasSuffix(m.serverName, ".") { 424 return false 425 } 426 } 427 case extensionStatusRequest: 428 // RFC 4366, Section 3.6 429 var statusType uint8 430 var ignored cryptobyte.String 431 if !extData.ReadUint8(&statusType) || 432 !extData.ReadUint16LengthPrefixed(&ignored) || 433 !extData.ReadUint16LengthPrefixed(&ignored) { 434 return false 435 } 436 m.ocspStapling = statusType == statusTypeOCSP 437 case extensionSupportedCurves: 438 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 439 var curves cryptobyte.String 440 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 441 return false 442 } 443 for !curves.Empty() { 444 var curve uint16 445 if !curves.ReadUint16(&curve) { 446 return false 447 } 448 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 449 } 450 case extensionSupportedPoints: 451 // RFC 4492, Section 5.1.2 452 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 453 len(m.supportedPoints) == 0 { 454 return false 455 } 456 case extensionSessionTicket: 457 // RFC 5077, Section 3.2 458 m.ticketSupported = true 459 extData.ReadBytes(&m.sessionTicket, len(extData)) 460 case extensionSignatureAlgorithms: 461 // RFC 5246, Section 7.4.1.4.1 462 var sigAndAlgs cryptobyte.String 463 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 464 return false 465 } 466 for !sigAndAlgs.Empty() { 467 var sigAndAlg uint16 468 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 469 return false 470 } 471 m.supportedSignatureAlgorithms = append( 472 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 473 } 474 case extensionSignatureAlgorithmsCert: 475 // RFC 8446, Section 4.2.3 476 var sigAndAlgs cryptobyte.String 477 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 478 return false 479 } 480 for !sigAndAlgs.Empty() { 481 var sigAndAlg uint16 482 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 483 return false 484 } 485 m.supportedSignatureAlgorithmsCert = append( 486 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 487 } 488 case extensionRenegotiationInfo: 489 // RFC 5746, Section 3.2 490 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 491 return false 492 } 493 m.secureRenegotiationSupported = true 494 case extensionALPN: 495 // RFC 7301, Section 3.1 496 var protoList cryptobyte.String 497 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 498 return false 499 } 500 for !protoList.Empty() { 501 var proto cryptobyte.String 502 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 503 return false 504 } 505 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 506 } 507 case extensionSCT: 508 // RFC 6962, Section 3.3.1 509 m.scts = true 510 case extensionSupportedVersions: 511 // RFC 8446, Section 4.2.1 512 var versList cryptobyte.String 513 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 514 return false 515 } 516 for !versList.Empty() { 517 var vers uint16 518 if !versList.ReadUint16(&vers) { 519 return false 520 } 521 m.supportedVersions = append(m.supportedVersions, vers) 522 } 523 case extensionCookie: 524 // RFC 8446, Section 4.2.2 525 if !readUint16LengthPrefixed(&extData, &m.cookie) || 526 len(m.cookie) == 0 { 527 return false 528 } 529 case extensionKeyShare: 530 // RFC 8446, Section 4.2.8 531 var clientShares cryptobyte.String 532 if !extData.ReadUint16LengthPrefixed(&clientShares) { 533 return false 534 } 535 for !clientShares.Empty() { 536 var ks keyShare 537 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 538 !readUint16LengthPrefixed(&clientShares, &ks.data) || 539 len(ks.data) == 0 { 540 return false 541 } 542 m.keyShares = append(m.keyShares, ks) 543 } 544 case extensionEarlyData: 545 // RFC 8446, Section 4.2.10 546 m.earlyData = true 547 case extensionPSKModes: 548 // RFC 8446, Section 4.2.9 549 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 550 return false 551 } 552 case extensionPreSharedKey: 553 // RFC 8446, Section 4.2.11 554 if !extensions.Empty() { 555 return false // pre_shared_key must be the last extension 556 } 557 var identities cryptobyte.String 558 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 559 return false 560 } 561 for !identities.Empty() { 562 var psk pskIdentity 563 if !readUint16LengthPrefixed(&identities, &psk.label) || 564 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 565 len(psk.label) == 0 { 566 return false 567 } 568 m.pskIdentities = append(m.pskIdentities, psk) 569 } 570 var binders cryptobyte.String 571 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 572 return false 573 } 574 for !binders.Empty() { 575 var binder []byte 576 if !readUint8LengthPrefixed(&binders, &binder) || 577 len(binder) == 0 { 578 return false 579 } 580 m.pskBinders = append(m.pskBinders, binder) 581 } 582 default: 583 // Ignore unknown extensions. 584 continue 585 } 586 587 if !extData.Empty() { 588 return false 589 } 590 } 591 592 return true 593 } 594 595 type serverHelloMsg struct { 596 raw []byte // 序列化原文 597 vers uint16 // 协商好的tls协议, tls1.2及之前版本用 598 random []byte // ServerRandom, tls1.2及之前版本用来生成主密钥的参数之一,tls1.3用来标识是否 HelloRetryRequest 599 sessionId []byte // 会话ID 600 cipherSuite uint16 // 协商好的密码套件 601 compressionMethod uint8 // 压缩方法 602 ocspStapling bool // 是否需要OCSP装订 603 ticketSupported bool // 是否支持票据 604 secureRenegotiationSupported bool // 是否支持安全重协议 605 secureRenegotiation []byte // 安全重协议? 606 alpnProtocol string // 协商好的ALPN协议 607 scts [][]byte // signed certificate timestamps from server 608 supportedVersion uint16 // 协商好的tls协议, tls1.3后启用的扩展信息 609 serverShare keyShare // 服务端密钥交换算法参数 610 selectedIdentityPresent bool // 是否选择恢复之前的会话的pskID 611 selectedIdentity uint16 // 选择恢复会话的pskID 612 supportedPoints []uint8 // 支持的曲线坐标点? 613 cookie []byte // cookie , HelloRetryRequest扩展信息 614 selectedGroup CurveID // 曲线ID , HelloRetryRequest扩展信息 615 } 616 617 func (m *serverHelloMsg) marshal() []byte { 618 if m.raw != nil { 619 return m.raw 620 } 621 622 var b cryptobyte.Builder 623 b.AddUint8(typeServerHello) 624 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 625 b.AddUint16(m.vers) 626 addBytesWithLength(b, m.random, 32) 627 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 628 b.AddBytes(m.sessionId) 629 }) 630 b.AddUint16(m.cipherSuite) 631 b.AddUint8(m.compressionMethod) 632 633 // If extensions aren't present, omit them. 634 var extensionsPresent bool 635 bWithoutExtensions := *b 636 637 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 638 if m.ocspStapling { 639 b.AddUint16(extensionStatusRequest) 640 b.AddUint16(0) // empty extension_data 641 } 642 if m.ticketSupported { 643 b.AddUint16(extensionSessionTicket) 644 b.AddUint16(0) // empty extension_data 645 } 646 if m.secureRenegotiationSupported { 647 b.AddUint16(extensionRenegotiationInfo) 648 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 649 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 650 b.AddBytes(m.secureRenegotiation) 651 }) 652 }) 653 } 654 if len(m.alpnProtocol) > 0 { 655 b.AddUint16(extensionALPN) 656 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 657 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 658 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 659 b.AddBytes([]byte(m.alpnProtocol)) 660 }) 661 }) 662 }) 663 } 664 if len(m.scts) > 0 { 665 b.AddUint16(extensionSCT) 666 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 667 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 668 for _, sct := range m.scts { 669 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 670 b.AddBytes(sct) 671 }) 672 } 673 }) 674 }) 675 } 676 if m.supportedVersion != 0 { 677 b.AddUint16(extensionSupportedVersions) 678 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 679 b.AddUint16(m.supportedVersion) 680 }) 681 } 682 if m.serverShare.group != 0 { 683 b.AddUint16(extensionKeyShare) 684 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 685 b.AddUint16(uint16(m.serverShare.group)) 686 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 687 b.AddBytes(m.serverShare.data) 688 }) 689 }) 690 } 691 if m.selectedIdentityPresent { 692 b.AddUint16(extensionPreSharedKey) 693 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 694 b.AddUint16(m.selectedIdentity) 695 }) 696 } 697 698 if len(m.cookie) > 0 { 699 b.AddUint16(extensionCookie) 700 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 701 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 702 b.AddBytes(m.cookie) 703 }) 704 }) 705 } 706 if m.selectedGroup != 0 { 707 b.AddUint16(extensionKeyShare) 708 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 709 b.AddUint16(uint16(m.selectedGroup)) 710 }) 711 } 712 if len(m.supportedPoints) > 0 { 713 b.AddUint16(extensionSupportedPoints) 714 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 715 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 716 b.AddBytes(m.supportedPoints) 717 }) 718 }) 719 } 720 721 extensionsPresent = len(b.BytesOrPanic()) > 2 722 }) 723 724 if !extensionsPresent { 725 *b = bWithoutExtensions 726 } 727 }) 728 729 m.raw = b.BytesOrPanic() 730 return m.raw 731 } 732 733 func (m *serverHelloMsg) unmarshal(data []byte) bool { 734 *m = serverHelloMsg{raw: data} 735 s := cryptobyte.String(data) 736 737 if !s.Skip(4) || // message type and uint24 length field 738 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 739 !readUint8LengthPrefixed(&s, &m.sessionId) || 740 !s.ReadUint16(&m.cipherSuite) || 741 !s.ReadUint8(&m.compressionMethod) { 742 return false 743 } 744 745 if s.Empty() { 746 // ServerHello is optionally followed by extension data 747 return true 748 } 749 750 var extensions cryptobyte.String 751 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 752 return false 753 } 754 755 for !extensions.Empty() { 756 var extension uint16 757 var extData cryptobyte.String 758 if !extensions.ReadUint16(&extension) || 759 !extensions.ReadUint16LengthPrefixed(&extData) { 760 return false 761 } 762 763 switch extension { 764 case extensionStatusRequest: 765 m.ocspStapling = true 766 case extensionSessionTicket: 767 m.ticketSupported = true 768 case extensionRenegotiationInfo: 769 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 770 return false 771 } 772 m.secureRenegotiationSupported = true 773 case extensionALPN: 774 var protoList cryptobyte.String 775 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 776 return false 777 } 778 var proto cryptobyte.String 779 if !protoList.ReadUint8LengthPrefixed(&proto) || 780 proto.Empty() || !protoList.Empty() { 781 return false 782 } 783 m.alpnProtocol = string(proto) 784 case extensionSCT: 785 var sctList cryptobyte.String 786 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 787 return false 788 } 789 for !sctList.Empty() { 790 var sct []byte 791 if !readUint16LengthPrefixed(&sctList, &sct) || 792 len(sct) == 0 { 793 return false 794 } 795 m.scts = append(m.scts, sct) 796 } 797 case extensionSupportedVersions: 798 if !extData.ReadUint16(&m.supportedVersion) { 799 return false 800 } 801 case extensionCookie: 802 if !readUint16LengthPrefixed(&extData, &m.cookie) || 803 len(m.cookie) == 0 { 804 return false 805 } 806 case extensionKeyShare: 807 // This extension has different formats in SH and HRR, accept either 808 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 809 if len(extData) == 2 { 810 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 811 return false 812 } 813 } else { 814 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 815 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 816 return false 817 } 818 } 819 case extensionPreSharedKey: 820 m.selectedIdentityPresent = true 821 if !extData.ReadUint16(&m.selectedIdentity) { 822 return false 823 } 824 case extensionSupportedPoints: 825 // RFC 4492, Section 5.1.2 826 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 827 len(m.supportedPoints) == 0 { 828 return false 829 } 830 default: 831 // Ignore unknown extensions. 832 continue 833 } 834 835 if !extData.Empty() { 836 return false 837 } 838 } 839 840 return true 841 } 842 843 type encryptedExtensionsMsg struct { 844 raw []byte 845 alpnProtocol string 846 } 847 848 func (m *encryptedExtensionsMsg) marshal() []byte { 849 if m.raw != nil { 850 return m.raw 851 } 852 853 var b cryptobyte.Builder 854 b.AddUint8(typeEncryptedExtensions) 855 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 856 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 857 if len(m.alpnProtocol) > 0 { 858 b.AddUint16(extensionALPN) 859 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 860 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 861 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 862 b.AddBytes([]byte(m.alpnProtocol)) 863 }) 864 }) 865 }) 866 } 867 }) 868 }) 869 870 m.raw = b.BytesOrPanic() 871 return m.raw 872 } 873 874 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 875 *m = encryptedExtensionsMsg{raw: data} 876 s := cryptobyte.String(data) 877 878 var extensions cryptobyte.String 879 if !s.Skip(4) || // message type and uint24 length field 880 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 881 return false 882 } 883 884 for !extensions.Empty() { 885 var extension uint16 886 var extData cryptobyte.String 887 if !extensions.ReadUint16(&extension) || 888 !extensions.ReadUint16LengthPrefixed(&extData) { 889 return false 890 } 891 892 switch extension { 893 case extensionALPN: 894 var protoList cryptobyte.String 895 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 896 return false 897 } 898 var proto cryptobyte.String 899 if !protoList.ReadUint8LengthPrefixed(&proto) || 900 proto.Empty() || !protoList.Empty() { 901 return false 902 } 903 m.alpnProtocol = string(proto) 904 default: 905 // Ignore unknown extensions. 906 continue 907 } 908 909 if !extData.Empty() { 910 return false 911 } 912 } 913 914 return true 915 } 916 917 type endOfEarlyDataMsg struct{} 918 919 func (m *endOfEarlyDataMsg) marshal() []byte { 920 x := make([]byte, 4) 921 x[0] = typeEndOfEarlyData 922 return x 923 } 924 925 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 926 return len(data) == 4 927 } 928 929 type keyUpdateMsg struct { 930 raw []byte 931 updateRequested bool 932 } 933 934 func (m *keyUpdateMsg) marshal() []byte { 935 if m.raw != nil { 936 return m.raw 937 } 938 939 var b cryptobyte.Builder 940 b.AddUint8(typeKeyUpdate) 941 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 942 if m.updateRequested { 943 b.AddUint8(1) 944 } else { 945 b.AddUint8(0) 946 } 947 }) 948 949 m.raw = b.BytesOrPanic() 950 return m.raw 951 } 952 953 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 954 m.raw = data 955 s := cryptobyte.String(data) 956 957 var updateRequested uint8 958 if !s.Skip(4) || // message type and uint24 length field 959 !s.ReadUint8(&updateRequested) || !s.Empty() { 960 return false 961 } 962 switch updateRequested { 963 case 0: 964 m.updateRequested = false 965 case 1: 966 m.updateRequested = true 967 default: 968 return false 969 } 970 return true 971 } 972 973 type newSessionTicketMsgTLS13 struct { 974 raw []byte 975 lifetime uint32 976 ageAdd uint32 977 nonce []byte 978 label []byte 979 maxEarlyData uint32 980 } 981 982 func (m *newSessionTicketMsgTLS13) marshal() []byte { 983 if m.raw != nil { 984 return m.raw 985 } 986 987 var b cryptobyte.Builder 988 b.AddUint8(typeNewSessionTicket) 989 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 990 b.AddUint32(m.lifetime) 991 b.AddUint32(m.ageAdd) 992 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 993 b.AddBytes(m.nonce) 994 }) 995 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 996 b.AddBytes(m.label) 997 }) 998 999 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1000 if m.maxEarlyData > 0 { 1001 b.AddUint16(extensionEarlyData) 1002 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1003 b.AddUint32(m.maxEarlyData) 1004 }) 1005 } 1006 }) 1007 }) 1008 1009 m.raw = b.BytesOrPanic() 1010 return m.raw 1011 } 1012 1013 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1014 *m = newSessionTicketMsgTLS13{raw: data} 1015 s := cryptobyte.String(data) 1016 1017 var extensions cryptobyte.String 1018 if !s.Skip(4) || // message type and uint24 length field 1019 !s.ReadUint32(&m.lifetime) || 1020 !s.ReadUint32(&m.ageAdd) || 1021 !readUint8LengthPrefixed(&s, &m.nonce) || 1022 !readUint16LengthPrefixed(&s, &m.label) || 1023 !s.ReadUint16LengthPrefixed(&extensions) || 1024 !s.Empty() { 1025 return false 1026 } 1027 1028 for !extensions.Empty() { 1029 var extension uint16 1030 var extData cryptobyte.String 1031 if !extensions.ReadUint16(&extension) || 1032 !extensions.ReadUint16LengthPrefixed(&extData) { 1033 return false 1034 } 1035 1036 switch extension { 1037 case extensionEarlyData: 1038 if !extData.ReadUint32(&m.maxEarlyData) { 1039 return false 1040 } 1041 default: 1042 // Ignore unknown extensions. 1043 continue 1044 } 1045 1046 if !extData.Empty() { 1047 return false 1048 } 1049 } 1050 1051 return true 1052 } 1053 1054 type certificateRequestMsgTLS13 struct { 1055 raw []byte 1056 ocspStapling bool 1057 scts bool 1058 supportedSignatureAlgorithms []SignatureScheme 1059 supportedSignatureAlgorithmsCert []SignatureScheme 1060 certificateAuthorities [][]byte 1061 } 1062 1063 func (m *certificateRequestMsgTLS13) marshal() []byte { 1064 if m.raw != nil { 1065 return m.raw 1066 } 1067 1068 var b cryptobyte.Builder 1069 b.AddUint8(typeCertificateRequest) 1070 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1071 // certificate_request_context (SHALL be zero length unless used for 1072 // post-handshake authentication) 1073 b.AddUint8(0) 1074 1075 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1076 if m.ocspStapling { 1077 b.AddUint16(extensionStatusRequest) 1078 b.AddUint16(0) // empty extension_data 1079 } 1080 if m.scts { 1081 // RFC 8446, Section 4.4.2.1 makes no mention of 1082 // signed_certificate_timestamp in CertificateRequest, but 1083 // "Extensions in the Certificate message from the client MUST 1084 // correspond to extensions in the CertificateRequest message 1085 // from the server." and it appears in the table in Section 4.2. 1086 b.AddUint16(extensionSCT) 1087 b.AddUint16(0) // empty extension_data 1088 } 1089 if len(m.supportedSignatureAlgorithms) > 0 { 1090 b.AddUint16(extensionSignatureAlgorithms) 1091 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1092 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1093 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1094 b.AddUint16(uint16(sigAlgo)) 1095 } 1096 }) 1097 }) 1098 } 1099 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1100 b.AddUint16(extensionSignatureAlgorithmsCert) 1101 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1102 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1103 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1104 b.AddUint16(uint16(sigAlgo)) 1105 } 1106 }) 1107 }) 1108 } 1109 if len(m.certificateAuthorities) > 0 { 1110 b.AddUint16(extensionCertificateAuthorities) 1111 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1112 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1113 for _, ca := range m.certificateAuthorities { 1114 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1115 b.AddBytes(ca) 1116 }) 1117 } 1118 }) 1119 }) 1120 } 1121 }) 1122 }) 1123 1124 m.raw = b.BytesOrPanic() 1125 return m.raw 1126 } 1127 1128 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1129 *m = certificateRequestMsgTLS13{raw: data} 1130 s := cryptobyte.String(data) 1131 1132 var context, extensions cryptobyte.String 1133 if !s.Skip(4) || // message type and uint24 length field 1134 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1135 !s.ReadUint16LengthPrefixed(&extensions) || 1136 !s.Empty() { 1137 return false 1138 } 1139 1140 for !extensions.Empty() { 1141 var extension uint16 1142 var extData cryptobyte.String 1143 if !extensions.ReadUint16(&extension) || 1144 !extensions.ReadUint16LengthPrefixed(&extData) { 1145 return false 1146 } 1147 1148 switch extension { 1149 case extensionStatusRequest: 1150 m.ocspStapling = true 1151 case extensionSCT: 1152 m.scts = true 1153 case extensionSignatureAlgorithms: 1154 var sigAndAlgs cryptobyte.String 1155 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1156 return false 1157 } 1158 for !sigAndAlgs.Empty() { 1159 var sigAndAlg uint16 1160 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1161 return false 1162 } 1163 m.supportedSignatureAlgorithms = append( 1164 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1165 } 1166 case extensionSignatureAlgorithmsCert: 1167 var sigAndAlgs cryptobyte.String 1168 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1169 return false 1170 } 1171 for !sigAndAlgs.Empty() { 1172 var sigAndAlg uint16 1173 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1174 return false 1175 } 1176 m.supportedSignatureAlgorithmsCert = append( 1177 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1178 } 1179 case extensionCertificateAuthorities: 1180 var auths cryptobyte.String 1181 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1182 return false 1183 } 1184 for !auths.Empty() { 1185 var ca []byte 1186 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1187 return false 1188 } 1189 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1190 } 1191 default: 1192 // Ignore unknown extensions. 1193 continue 1194 } 1195 1196 if !extData.Empty() { 1197 return false 1198 } 1199 } 1200 1201 return true 1202 } 1203 1204 type certificateMsg struct { 1205 raw []byte 1206 certificates [][]byte 1207 } 1208 1209 func (m *certificateMsg) marshal() (x []byte) { 1210 if m.raw != nil { 1211 return m.raw 1212 } 1213 1214 var i int 1215 for _, slice := range m.certificates { 1216 i += len(slice) 1217 } 1218 1219 length := 3 + 3*len(m.certificates) + i 1220 x = make([]byte, 4+length) 1221 x[0] = typeCertificate 1222 x[1] = uint8(length >> 16) 1223 x[2] = uint8(length >> 8) 1224 x[3] = uint8(length) 1225 1226 certificateOctets := length - 3 1227 x[4] = uint8(certificateOctets >> 16) 1228 x[5] = uint8(certificateOctets >> 8) 1229 x[6] = uint8(certificateOctets) 1230 1231 y := x[7:] 1232 for _, slice := range m.certificates { 1233 y[0] = uint8(len(slice) >> 16) 1234 y[1] = uint8(len(slice) >> 8) 1235 y[2] = uint8(len(slice)) 1236 copy(y[3:], slice) 1237 y = y[3+len(slice):] 1238 } 1239 1240 m.raw = x 1241 return 1242 } 1243 1244 func (m *certificateMsg) unmarshal(data []byte) bool { 1245 if len(data) < 7 { 1246 return false 1247 } 1248 1249 m.raw = data 1250 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1251 if uint32(len(data)) != certsLen+7 { 1252 return false 1253 } 1254 1255 numCerts := 0 1256 d := data[7:] 1257 for certsLen > 0 { 1258 if len(d) < 4 { 1259 return false 1260 } 1261 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1262 if uint32(len(d)) < 3+certLen { 1263 return false 1264 } 1265 d = d[3+certLen:] 1266 certsLen -= 3 + certLen 1267 numCerts++ 1268 } 1269 1270 m.certificates = make([][]byte, numCerts) 1271 d = data[7:] 1272 for i := 0; i < numCerts; i++ { 1273 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1274 m.certificates[i] = d[3 : 3+certLen] 1275 d = d[3+certLen:] 1276 } 1277 1278 return true 1279 } 1280 1281 type certificateMsgTLS13 struct { 1282 raw []byte 1283 certificate Certificate 1284 ocspStapling bool 1285 scts bool 1286 } 1287 1288 func (m *certificateMsgTLS13) marshal() []byte { 1289 if m.raw != nil { 1290 return m.raw 1291 } 1292 1293 var b cryptobyte.Builder 1294 b.AddUint8(typeCertificate) 1295 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1296 b.AddUint8(0) // certificate_request_context 1297 1298 certificate := m.certificate 1299 if !m.ocspStapling { 1300 certificate.OCSPStaple = nil 1301 } 1302 if !m.scts { 1303 certificate.SignedCertificateTimestamps = nil 1304 } 1305 marshalCertificate(b, certificate) 1306 }) 1307 1308 m.raw = b.BytesOrPanic() 1309 return m.raw 1310 } 1311 1312 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1313 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1314 for i, cert := range certificate.Certificate { 1315 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1316 b.AddBytes(cert) 1317 }) 1318 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1319 if i > 0 { 1320 // This library only supports OCSP and SCT for leaf certificates. 1321 return 1322 } 1323 if certificate.OCSPStaple != nil { 1324 b.AddUint16(extensionStatusRequest) 1325 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1326 b.AddUint8(statusTypeOCSP) 1327 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1328 b.AddBytes(certificate.OCSPStaple) 1329 }) 1330 }) 1331 } 1332 if certificate.SignedCertificateTimestamps != nil { 1333 b.AddUint16(extensionSCT) 1334 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1335 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1336 for _, sct := range certificate.SignedCertificateTimestamps { 1337 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1338 b.AddBytes(sct) 1339 }) 1340 } 1341 }) 1342 }) 1343 } 1344 }) 1345 } 1346 }) 1347 } 1348 1349 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1350 *m = certificateMsgTLS13{raw: data} 1351 s := cryptobyte.String(data) 1352 1353 var context cryptobyte.String 1354 if !s.Skip(4) || // message type and uint24 length field 1355 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1356 !unmarshalCertificate(&s, &m.certificate) || 1357 !s.Empty() { 1358 return false 1359 } 1360 1361 m.scts = m.certificate.SignedCertificateTimestamps != nil 1362 m.ocspStapling = m.certificate.OCSPStaple != nil 1363 1364 return true 1365 } 1366 1367 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1368 var certList cryptobyte.String 1369 if !s.ReadUint24LengthPrefixed(&certList) { 1370 return false 1371 } 1372 for !certList.Empty() { 1373 var cert []byte 1374 var extensions cryptobyte.String 1375 if !readUint24LengthPrefixed(&certList, &cert) || 1376 !certList.ReadUint16LengthPrefixed(&extensions) { 1377 return false 1378 } 1379 certificate.Certificate = append(certificate.Certificate, cert) 1380 for !extensions.Empty() { 1381 var extension uint16 1382 var extData cryptobyte.String 1383 if !extensions.ReadUint16(&extension) || 1384 !extensions.ReadUint16LengthPrefixed(&extData) { 1385 return false 1386 } 1387 if len(certificate.Certificate) > 1 { 1388 // This library only supports OCSP and SCT for leaf certificates. 1389 continue 1390 } 1391 1392 switch extension { 1393 case extensionStatusRequest: 1394 var statusType uint8 1395 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1396 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1397 len(certificate.OCSPStaple) == 0 { 1398 return false 1399 } 1400 case extensionSCT: 1401 var sctList cryptobyte.String 1402 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1403 return false 1404 } 1405 for !sctList.Empty() { 1406 var sct []byte 1407 if !readUint16LengthPrefixed(&sctList, &sct) || 1408 len(sct) == 0 { 1409 return false 1410 } 1411 certificate.SignedCertificateTimestamps = append( 1412 certificate.SignedCertificateTimestamps, sct) 1413 } 1414 default: 1415 // Ignore unknown extensions. 1416 continue 1417 } 1418 1419 if !extData.Empty() { 1420 return false 1421 } 1422 } 1423 } 1424 return true 1425 } 1426 1427 type serverKeyExchangeMsg struct { 1428 raw []byte 1429 key []byte 1430 } 1431 1432 func (m *serverKeyExchangeMsg) marshal() []byte { 1433 if m.raw != nil { 1434 return m.raw 1435 } 1436 length := len(m.key) 1437 x := make([]byte, length+4) 1438 x[0] = typeServerKeyExchange 1439 x[1] = uint8(length >> 16) 1440 x[2] = uint8(length >> 8) 1441 x[3] = uint8(length) 1442 copy(x[4:], m.key) 1443 1444 m.raw = x 1445 return x 1446 } 1447 1448 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1449 m.raw = data 1450 if len(data) < 4 { 1451 return false 1452 } 1453 m.key = data[4:] 1454 return true 1455 } 1456 1457 type certificateStatusMsg struct { 1458 raw []byte 1459 response []byte 1460 } 1461 1462 func (m *certificateStatusMsg) marshal() []byte { 1463 if m.raw != nil { 1464 return m.raw 1465 } 1466 1467 var b cryptobyte.Builder 1468 b.AddUint8(typeCertificateStatus) 1469 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1470 b.AddUint8(statusTypeOCSP) 1471 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1472 b.AddBytes(m.response) 1473 }) 1474 }) 1475 1476 m.raw = b.BytesOrPanic() 1477 return m.raw 1478 } 1479 1480 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1481 m.raw = data 1482 s := cryptobyte.String(data) 1483 1484 var statusType uint8 1485 if !s.Skip(4) || // message type and uint24 length field 1486 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1487 !readUint24LengthPrefixed(&s, &m.response) || 1488 len(m.response) == 0 || !s.Empty() { 1489 return false 1490 } 1491 return true 1492 } 1493 1494 type serverHelloDoneMsg struct{} 1495 1496 func (m *serverHelloDoneMsg) marshal() []byte { 1497 x := make([]byte, 4) 1498 x[0] = typeServerHelloDone 1499 return x 1500 } 1501 1502 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1503 return len(data) == 4 1504 } 1505 1506 type clientKeyExchangeMsg struct { 1507 raw []byte 1508 ciphertext []byte 1509 } 1510 1511 func (m *clientKeyExchangeMsg) marshal() []byte { 1512 if m.raw != nil { 1513 return m.raw 1514 } 1515 length := len(m.ciphertext) 1516 x := make([]byte, length+4) 1517 x[0] = typeClientKeyExchange 1518 x[1] = uint8(length >> 16) 1519 x[2] = uint8(length >> 8) 1520 x[3] = uint8(length) 1521 copy(x[4:], m.ciphertext) 1522 1523 m.raw = x 1524 return x 1525 } 1526 1527 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1528 m.raw = data 1529 if len(data) < 4 { 1530 return false 1531 } 1532 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1533 if l != len(data)-4 { 1534 return false 1535 } 1536 m.ciphertext = data[4:] 1537 return true 1538 } 1539 1540 type finishedMsg struct { 1541 raw []byte 1542 verifyData []byte 1543 } 1544 1545 func (m *finishedMsg) marshal() []byte { 1546 if m.raw != nil { 1547 return m.raw 1548 } 1549 1550 var b cryptobyte.Builder 1551 b.AddUint8(typeFinished) 1552 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1553 b.AddBytes(m.verifyData) 1554 }) 1555 1556 m.raw = b.BytesOrPanic() 1557 return m.raw 1558 } 1559 1560 func (m *finishedMsg) unmarshal(data []byte) bool { 1561 m.raw = data 1562 s := cryptobyte.String(data) 1563 return s.Skip(1) && 1564 readUint24LengthPrefixed(&s, &m.verifyData) && 1565 s.Empty() 1566 } 1567 1568 type certificateRequestMsg struct { 1569 raw []byte 1570 // hasSignatureAlgorithm indicates whether this message includes a list of 1571 // supported signature algorithms. This change was introduced with TLS 1.2. 1572 hasSignatureAlgorithm bool 1573 1574 certificateTypes []byte 1575 supportedSignatureAlgorithms []SignatureScheme 1576 certificateAuthorities [][]byte 1577 } 1578 1579 func (m *certificateRequestMsg) marshal() (x []byte) { 1580 if m.raw != nil { 1581 return m.raw 1582 } 1583 1584 // See RFC 4346, Section 7.4.4. 1585 length := 1 + len(m.certificateTypes) + 2 1586 casLength := 0 1587 for _, ca := range m.certificateAuthorities { 1588 casLength += 2 + len(ca) 1589 } 1590 length += casLength 1591 1592 if m.hasSignatureAlgorithm { 1593 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1594 } 1595 1596 x = make([]byte, 4+length) 1597 x[0] = typeCertificateRequest 1598 x[1] = uint8(length >> 16) 1599 x[2] = uint8(length >> 8) 1600 x[3] = uint8(length) 1601 1602 x[4] = uint8(len(m.certificateTypes)) 1603 1604 copy(x[5:], m.certificateTypes) 1605 y := x[5+len(m.certificateTypes):] 1606 1607 if m.hasSignatureAlgorithm { 1608 n := len(m.supportedSignatureAlgorithms) * 2 1609 y[0] = uint8(n >> 8) 1610 y[1] = uint8(n) 1611 y = y[2:] 1612 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1613 y[0] = uint8(sigAlgo >> 8) 1614 y[1] = uint8(sigAlgo) 1615 y = y[2:] 1616 } 1617 } 1618 1619 y[0] = uint8(casLength >> 8) 1620 y[1] = uint8(casLength) 1621 y = y[2:] 1622 for _, ca := range m.certificateAuthorities { 1623 y[0] = uint8(len(ca) >> 8) 1624 y[1] = uint8(len(ca)) 1625 y = y[2:] 1626 copy(y, ca) 1627 y = y[len(ca):] 1628 } 1629 1630 m.raw = x 1631 return 1632 } 1633 1634 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1635 m.raw = data 1636 1637 if len(data) < 5 { 1638 return false 1639 } 1640 1641 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1642 if uint32(len(data))-4 != length { 1643 return false 1644 } 1645 1646 numCertTypes := int(data[4]) 1647 data = data[5:] 1648 if numCertTypes == 0 || len(data) <= numCertTypes { 1649 return false 1650 } 1651 1652 m.certificateTypes = make([]byte, numCertTypes) 1653 if copy(m.certificateTypes, data) != numCertTypes { 1654 return false 1655 } 1656 1657 data = data[numCertTypes:] 1658 1659 if m.hasSignatureAlgorithm { 1660 if len(data) < 2 { 1661 return false 1662 } 1663 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1664 data = data[2:] 1665 if sigAndHashLen&1 != 0 { 1666 return false 1667 } 1668 if len(data) < int(sigAndHashLen) { 1669 return false 1670 } 1671 numSigAlgos := sigAndHashLen / 2 1672 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 1673 for i := range m.supportedSignatureAlgorithms { 1674 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 1675 data = data[2:] 1676 } 1677 } 1678 1679 if len(data) < 2 { 1680 return false 1681 } 1682 casLength := uint16(data[0])<<8 | uint16(data[1]) 1683 data = data[2:] 1684 if len(data) < int(casLength) { 1685 return false 1686 } 1687 cas := make([]byte, casLength) 1688 copy(cas, data) 1689 data = data[casLength:] 1690 1691 m.certificateAuthorities = nil 1692 for len(cas) > 0 { 1693 if len(cas) < 2 { 1694 return false 1695 } 1696 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1697 cas = cas[2:] 1698 1699 if len(cas) < int(caLen) { 1700 return false 1701 } 1702 1703 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1704 cas = cas[caLen:] 1705 } 1706 1707 return len(data) == 0 1708 } 1709 1710 type certificateVerifyMsg struct { 1711 raw []byte 1712 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 1713 signatureAlgorithm SignatureScheme 1714 signature []byte 1715 } 1716 1717 func (m *certificateVerifyMsg) marshal() (x []byte) { 1718 if m.raw != nil { 1719 return m.raw 1720 } 1721 1722 var b cryptobyte.Builder 1723 b.AddUint8(typeCertificateVerify) 1724 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1725 if m.hasSignatureAlgorithm { 1726 b.AddUint16(uint16(m.signatureAlgorithm)) 1727 } 1728 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1729 b.AddBytes(m.signature) 1730 }) 1731 }) 1732 1733 m.raw = b.BytesOrPanic() 1734 return m.raw 1735 } 1736 1737 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1738 m.raw = data 1739 s := cryptobyte.String(data) 1740 1741 if !s.Skip(4) { // message type and uint24 length field 1742 return false 1743 } 1744 if m.hasSignatureAlgorithm { 1745 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 1746 return false 1747 } 1748 } 1749 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 1750 } 1751 1752 type newSessionTicketMsg struct { 1753 raw []byte 1754 ticket []byte 1755 } 1756 1757 func (m *newSessionTicketMsg) marshal() (x []byte) { 1758 if m.raw != nil { 1759 return m.raw 1760 } 1761 1762 // See RFC 5077, Section 3.3. 1763 ticketLen := len(m.ticket) 1764 length := 2 + 4 + ticketLen 1765 x = make([]byte, 4+length) 1766 x[0] = typeNewSessionTicket 1767 x[1] = uint8(length >> 16) 1768 x[2] = uint8(length >> 8) 1769 x[3] = uint8(length) 1770 x[8] = uint8(ticketLen >> 8) 1771 x[9] = uint8(ticketLen) 1772 copy(x[10:], m.ticket) 1773 1774 m.raw = x 1775 1776 return 1777 } 1778 1779 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1780 m.raw = data 1781 1782 if len(data) < 10 { 1783 return false 1784 } 1785 1786 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1787 if uint32(len(data))-4 != length { 1788 return false 1789 } 1790 1791 ticketLen := int(data[8])<<8 + int(data[9]) 1792 if len(data)-10 != ticketLen { 1793 return false 1794 } 1795 1796 m.ticket = data[10:] 1797 1798 return true 1799 } 1800 1801 type helloRequestMsg struct { 1802 } 1803 1804 func (*helloRequestMsg) marshal() []byte { 1805 return []byte{typeHelloRequest, 0, 0, 0} 1806 } 1807 1808 func (*helloRequestMsg) unmarshal(data []byte) bool { 1809 return len(data) == 4 1810 }