github.com/mtsmfm/go/src@v0.0.0-20221020090648-44bdcb9f8fde/crypto/tls/handshake_messages.go

github.com/mtsmfm/go/src@v0.0.0-20221020090648-44bdcb9f8fde/crypto/tls/handshake_messages.go (about)

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"fmt"
     9  	"strings"
    10  
    11  	"golang.org/x/crypto/cryptobyte"
    12  )
    13  
    14  // The marshalingFunction type is an adapter to allow the use of ordinary
    15  // functions as cryptobyte.MarshalingValue.
    16  type marshalingFunction func(b *cryptobyte.Builder) error
    17  
    18  func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
    19  	return f(b)
    20  }
    21  
    22  // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
    23  // the length of the sequence is not the value specified, it produces an error.
    24  func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
    25  	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
    26  		if len(v) != n {
    27  			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
    28  		}
    29  		b.AddBytes(v)
    30  		return nil
    31  	}))
    32  }
    33  
    34  // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
    35  func addUint64(b *cryptobyte.Builder, v uint64) {
    36  	b.AddUint32(uint32(v >> 32))
    37  	b.AddUint32(uint32(v))
    38  }
    39  
    40  // readUint64 decodes a big-endian, 64-bit value into out and advances over it.
    41  // It reports whether the read was successful.
    42  func readUint64(s *cryptobyte.String, out *uint64) bool {
    43  	var hi, lo uint32
    44  	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
    45  		return false
    46  	}
    47  	*out = uint64(hi)<<32 | uint64(lo)
    48  	return true
    49  }
    50  
    51  // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
    52  // []byte instead of a cryptobyte.String.
    53  func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    54  	return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
    55  }
    56  
    57  // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
    58  // []byte instead of a cryptobyte.String.
    59  func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    60  	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
    61  }
    62  
    63  // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
    64  // []byte instead of a cryptobyte.String.
    65  func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    66  	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
    67  }
    68  
    69  type clientHelloMsg struct {
    70  	raw                              []byte
    71  	vers                             uint16
    72  	random                           []byte
    73  	sessionId                        []byte
    74  	cipherSuites                     []uint16
    75  	compressionMethods               []uint8
    76  	serverName                       string
    77  	ocspStapling                     bool
    78  	supportedCurves                  []CurveID
    79  	supportedPoints                  []uint8
    80  	ticketSupported                  bool
    81  	sessionTicket                    []uint8
    82  	supportedSignatureAlgorithms     []SignatureScheme
    83  	supportedSignatureAlgorithmsCert []SignatureScheme
    84  	secureRenegotiationSupported     bool
    85  	secureRenegotiation              []byte
    86  	alpnProtocols                    []string
    87  	scts                             bool
    88  	supportedVersions                []uint16
    89  	cookie                           []byte
    90  	keyShares                        []keyShare
    91  	earlyData                        bool
    92  	pskModes                         []uint8
    93  	pskIdentities                    []pskIdentity
    94  	pskBinders                       [][]byte
    95  }
    96  
    97  func (m *clientHelloMsg) marshal() []byte {
    98  	if m.raw != nil {
    99  		return m.raw
   100  	}
   101  
   102  	var b cryptobyte.Builder
   103  	b.AddUint8(typeClientHello)
   104  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   105  		b.AddUint16(m.vers)
   106  		addBytesWithLength(b, m.random, 32)
   107  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   108  			b.AddBytes(m.sessionId)
   109  		})
   110  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   111  			for _, suite := range m.cipherSuites {
   112  				b.AddUint16(suite)
   113  			}
   114  		})
   115  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   116  			b.AddBytes(m.compressionMethods)
   117  		})
   118  
   119  		// If extensions aren't present, omit them.
   120  		var extensionsPresent bool
   121  		bWithoutExtensions := *b
   122  
   123  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   124  			if len(m.serverName) > 0 {
   125  				// RFC 6066, Section 3
   126  				b.AddUint16(extensionServerName)
   127  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   128  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   129  						b.AddUint8(0) // name_type = host_name
   130  						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   131  							b.AddBytes([]byte(m.serverName))
   132  						})
   133  					})
   134  				})
   135  			}
   136  			if m.ocspStapling {
   137  				// RFC 4366, Section 3.6
   138  				b.AddUint16(extensionStatusRequest)
   139  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   140  					b.AddUint8(1)  // status_type = ocsp
   141  					b.AddUint16(0) // empty responder_id_list
   142  					b.AddUint16(0) // empty request_extensions
   143  				})
   144  			}
   145  			if len(m.supportedCurves) > 0 {
   146  				// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   147  				b.AddUint16(extensionSupportedCurves)
   148  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   149  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   150  						for _, curve := range m.supportedCurves {
   151  							b.AddUint16(uint16(curve))
   152  						}
   153  					})
   154  				})
   155  			}
   156  			if len(m.supportedPoints) > 0 {
   157  				// RFC 4492, Section 5.1.2
   158  				b.AddUint16(extensionSupportedPoints)
   159  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   160  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   161  						b.AddBytes(m.supportedPoints)
   162  					})
   163  				})
   164  			}
   165  			if m.ticketSupported {
   166  				// RFC 5077, Section 3.2
   167  				b.AddUint16(extensionSessionTicket)
   168  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   169  					b.AddBytes(m.sessionTicket)
   170  				})
   171  			}
   172  			if len(m.supportedSignatureAlgorithms) > 0 {
   173  				// RFC 5246, Section 7.4.1.4.1
   174  				b.AddUint16(extensionSignatureAlgorithms)
   175  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   176  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   177  						for _, sigAlgo := range m.supportedSignatureAlgorithms {
   178  							b.AddUint16(uint16(sigAlgo))
   179  						}
   180  					})
   181  				})
   182  			}
   183  			if len(m.supportedSignatureAlgorithmsCert) > 0 {
   184  				// RFC 8446, Section 4.2.3
   185  				b.AddUint16(extensionSignatureAlgorithmsCert)
   186  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   187  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   188  						for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
   189  							b.AddUint16(uint16(sigAlgo))
   190  						}
   191  					})
   192  				})
   193  			}
   194  			if m.secureRenegotiationSupported {
   195  				// RFC 5746, Section 3.2
   196  				b.AddUint16(extensionRenegotiationInfo)
   197  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   198  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   199  						b.AddBytes(m.secureRenegotiation)
   200  					})
   201  				})
   202  			}
   203  			if len(m.alpnProtocols) > 0 {
   204  				// RFC 7301, Section 3.1
   205  				b.AddUint16(extensionALPN)
   206  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   207  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   208  						for _, proto := range m.alpnProtocols {
   209  							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   210  								b.AddBytes([]byte(proto))
   211  							})
   212  						}
   213  					})
   214  				})
   215  			}
   216  			if m.scts {
   217  				// RFC 6962, Section 3.3.1
   218  				b.AddUint16(extensionSCT)
   219  				b.AddUint16(0) // empty extension_data
   220  			}
   221  			if len(m.supportedVersions) > 0 {
   222  				// RFC 8446, Section 4.2.1
   223  				b.AddUint16(extensionSupportedVersions)
   224  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   225  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   226  						for _, vers := range m.supportedVersions {
   227  							b.AddUint16(vers)
   228  						}
   229  					})
   230  				})
   231  			}
   232  			if len(m.cookie) > 0 {
   233  				// RFC 8446, Section 4.2.2
   234  				b.AddUint16(extensionCookie)
   235  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   236  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   237  						b.AddBytes(m.cookie)
   238  					})
   239  				})
   240  			}
   241  			if len(m.keyShares) > 0 {
   242  				// RFC 8446, Section 4.2.8
   243  				b.AddUint16(extensionKeyShare)
   244  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   245  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   246  						for _, ks := range m.keyShares {
   247  							b.AddUint16(uint16(ks.group))
   248  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   249  								b.AddBytes(ks.data)
   250  							})
   251  						}
   252  					})
   253  				})
   254  			}
   255  			if m.earlyData {
   256  				// RFC 8446, Section 4.2.10
   257  				b.AddUint16(extensionEarlyData)
   258  				b.AddUint16(0) // empty extension_data
   259  			}
   260  			if len(m.pskModes) > 0 {
   261  				// RFC 8446, Section 4.2.9
   262  				b.AddUint16(extensionPSKModes)
   263  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   264  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   265  						b.AddBytes(m.pskModes)
   266  					})
   267  				})
   268  			}
   269  			if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension
   270  				// RFC 8446, Section 4.2.11
   271  				b.AddUint16(extensionPreSharedKey)
   272  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   273  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   274  						for _, psk := range m.pskIdentities {
   275  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   276  								b.AddBytes(psk.label)
   277  							})
   278  							b.AddUint32(psk.obfuscatedTicketAge)
   279  						}
   280  					})
   281  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   282  						for _, binder := range m.pskBinders {
   283  							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   284  								b.AddBytes(binder)
   285  							})
   286  						}
   287  					})
   288  				})
   289  			}
   290  
   291  			extensionsPresent = len(b.BytesOrPanic()) > 2
   292  		})
   293  
   294  		if !extensionsPresent {
   295  			*b = bWithoutExtensions
   296  		}
   297  	})
   298  
   299  	m.raw = b.BytesOrPanic()
   300  	return m.raw
   301  }
   302  
   303  // marshalWithoutBinders returns the ClientHello through the
   304  // PreSharedKeyExtension.identities field, according to RFC 8446, Section
   305  // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.
   306  func (m *clientHelloMsg) marshalWithoutBinders() []byte {
   307  	bindersLen := 2 // uint16 length prefix
   308  	for _, binder := range m.pskBinders {
   309  		bindersLen += 1 // uint8 length prefix
   310  		bindersLen += len(binder)
   311  	}
   312  
   313  	fullMessage := m.marshal()
   314  	return fullMessage[:len(fullMessage)-bindersLen]
   315  }
   316  
   317  // updateBinders updates the m.pskBinders field, if necessary updating the
   318  // cached marshaled representation. The supplied binders must have the same
   319  // length as the current m.pskBinders.
   320  func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) {
   321  	if len(pskBinders) != len(m.pskBinders) {
   322  		panic("tls: internal error: pskBinders length mismatch")
   323  	}
   324  	for i := range m.pskBinders {
   325  		if len(pskBinders[i]) != len(m.pskBinders[i]) {
   326  			panic("tls: internal error: pskBinders length mismatch")
   327  		}
   328  	}
   329  	m.pskBinders = pskBinders
   330  	if m.raw != nil {
   331  		lenWithoutBinders := len(m.marshalWithoutBinders())
   332  		b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders])
   333  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   334  			for _, binder := range m.pskBinders {
   335  				b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   336  					b.AddBytes(binder)
   337  				})
   338  			}
   339  		})
   340  		if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) {
   341  			panic("tls: internal error: failed to update binders")
   342  		}
   343  	}
   344  }
   345  
   346  func (m *clientHelloMsg) unmarshal(data []byte) bool {
   347  	*m = clientHelloMsg{raw: data}
   348  	s := cryptobyte.String(data)
   349  
   350  	if !s.Skip(4) || // message type and uint24 length field
   351  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   352  		!readUint8LengthPrefixed(&s, &m.sessionId) {
   353  		return false
   354  	}
   355  
   356  	var cipherSuites cryptobyte.String
   357  	if !s.ReadUint16LengthPrefixed(&cipherSuites) {
   358  		return false
   359  	}
   360  	m.cipherSuites = []uint16{}
   361  	m.secureRenegotiationSupported = false
   362  	for !cipherSuites.Empty() {
   363  		var suite uint16
   364  		if !cipherSuites.ReadUint16(&suite) {
   365  			return false
   366  		}
   367  		if suite == scsvRenegotiation {
   368  			m.secureRenegotiationSupported = true
   369  		}
   370  		m.cipherSuites = append(m.cipherSuites, suite)
   371  	}
   372  
   373  	if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
   374  		return false
   375  	}
   376  
   377  	if s.Empty() {
   378  		// ClientHello is optionally followed by extension data
   379  		return true
   380  	}
   381  
   382  	var extensions cryptobyte.String
   383  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   384  		return false
   385  	}
   386  
   387  	seenExts := make(map[uint16]bool)
   388  	for !extensions.Empty() {
   389  		var extension uint16
   390  		var extData cryptobyte.String
   391  		if !extensions.ReadUint16(&extension) ||
   392  			!extensions.ReadUint16LengthPrefixed(&extData) {
   393  			return false
   394  		}
   395  
   396  		if seenExts[extension] {
   397  			return false
   398  		}
   399  		seenExts[extension] = true
   400  
   401  		switch extension {
   402  		case extensionServerName:
   403  			// RFC 6066, Section 3
   404  			var nameList cryptobyte.String
   405  			if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
   406  				return false
   407  			}
   408  			for !nameList.Empty() {
   409  				var nameType uint8
   410  				var serverName cryptobyte.String
   411  				if !nameList.ReadUint8(&nameType) ||
   412  					!nameList.ReadUint16LengthPrefixed(&serverName) ||
   413  					serverName.Empty() {
   414  					return false
   415  				}
   416  				if nameType != 0 {
   417  					continue
   418  				}
   419  				if len(m.serverName) != 0 {
   420  					// Multiple names of the same name_type are prohibited.
   421  					return false
   422  				}
   423  				m.serverName = string(serverName)
   424  				// An SNI value may not include a trailing dot.
   425  				if strings.HasSuffix(m.serverName, ".") {
   426  					return false
   427  				}
   428  			}
   429  		case extensionStatusRequest:
   430  			// RFC 4366, Section 3.6
   431  			var statusType uint8
   432  			var ignored cryptobyte.String
   433  			if !extData.ReadUint8(&statusType) ||
   434  				!extData.ReadUint16LengthPrefixed(&ignored) ||
   435  				!extData.ReadUint16LengthPrefixed(&ignored) {
   436  				return false
   437  			}
   438  			m.ocspStapling = statusType == statusTypeOCSP
   439  		case extensionSupportedCurves:
   440  			// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   441  			var curves cryptobyte.String
   442  			if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
   443  				return false
   444  			}
   445  			for !curves.Empty() {
   446  				var curve uint16
   447  				if !curves.ReadUint16(&curve) {
   448  					return false
   449  				}
   450  				m.supportedCurves = append(m.supportedCurves, CurveID(curve))
   451  			}
   452  		case extensionSupportedPoints:
   453  			// RFC 4492, Section 5.1.2
   454  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   455  				len(m.supportedPoints) == 0 {
   456  				return false
   457  			}
   458  		case extensionSessionTicket:
   459  			// RFC 5077, Section 3.2
   460  			m.ticketSupported = true
   461  			extData.ReadBytes(&m.sessionTicket, len(extData))
   462  		case extensionSignatureAlgorithms:
   463  			// RFC 5246, Section 7.4.1.4.1
   464  			var sigAndAlgs cryptobyte.String
   465  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   466  				return false
   467  			}
   468  			for !sigAndAlgs.Empty() {
   469  				var sigAndAlg uint16
   470  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   471  					return false
   472  				}
   473  				m.supportedSignatureAlgorithms = append(
   474  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
   475  			}
   476  		case extensionSignatureAlgorithmsCert:
   477  			// RFC 8446, Section 4.2.3
   478  			var sigAndAlgs cryptobyte.String
   479  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   480  				return false
   481  			}
   482  			for !sigAndAlgs.Empty() {
   483  				var sigAndAlg uint16
   484  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   485  					return false
   486  				}
   487  				m.supportedSignatureAlgorithmsCert = append(
   488  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
   489  			}
   490  		case extensionRenegotiationInfo:
   491  			// RFC 5746, Section 3.2
   492  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   493  				return false
   494  			}
   495  			m.secureRenegotiationSupported = true
   496  		case extensionALPN:
   497  			// RFC 7301, Section 3.1
   498  			var protoList cryptobyte.String
   499  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   500  				return false
   501  			}
   502  			for !protoList.Empty() {
   503  				var proto cryptobyte.String
   504  				if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
   505  					return false
   506  				}
   507  				m.alpnProtocols = append(m.alpnProtocols, string(proto))
   508  			}
   509  		case extensionSCT:
   510  			// RFC 6962, Section 3.3.1
   511  			m.scts = true
   512  		case extensionSupportedVersions:
   513  			// RFC 8446, Section 4.2.1
   514  			var versList cryptobyte.String
   515  			if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
   516  				return false
   517  			}
   518  			for !versList.Empty() {
   519  				var vers uint16
   520  				if !versList.ReadUint16(&vers) {
   521  					return false
   522  				}
   523  				m.supportedVersions = append(m.supportedVersions, vers)
   524  			}
   525  		case extensionCookie:
   526  			// RFC 8446, Section 4.2.2
   527  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   528  				len(m.cookie) == 0 {
   529  				return false
   530  			}
   531  		case extensionKeyShare:
   532  			// RFC 8446, Section 4.2.8
   533  			var clientShares cryptobyte.String
   534  			if !extData.ReadUint16LengthPrefixed(&clientShares) {
   535  				return false
   536  			}
   537  			for !clientShares.Empty() {
   538  				var ks keyShare
   539  				if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
   540  					!readUint16LengthPrefixed(&clientShares, &ks.data) ||
   541  					len(ks.data) == 0 {
   542  					return false
   543  				}
   544  				m.keyShares = append(m.keyShares, ks)
   545  			}
   546  		case extensionEarlyData:
   547  			// RFC 8446, Section 4.2.10
   548  			m.earlyData = true
   549  		case extensionPSKModes:
   550  			// RFC 8446, Section 4.2.9
   551  			if !readUint8LengthPrefixed(&extData, &m.pskModes) {
   552  				return false
   553  			}
   554  		case extensionPreSharedKey:
   555  			// RFC 8446, Section 4.2.11
   556  			if !extensions.Empty() {
   557  				return false // pre_shared_key must be the last extension
   558  			}
   559  			var identities cryptobyte.String
   560  			if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
   561  				return false
   562  			}
   563  			for !identities.Empty() {
   564  				var psk pskIdentity
   565  				if !readUint16LengthPrefixed(&identities, &psk.label) ||
   566  					!identities.ReadUint32(&psk.obfuscatedTicketAge) ||
   567  					len(psk.label) == 0 {
   568  					return false
   569  				}
   570  				m.pskIdentities = append(m.pskIdentities, psk)
   571  			}
   572  			var binders cryptobyte.String
   573  			if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
   574  				return false
   575  			}
   576  			for !binders.Empty() {
   577  				var binder []byte
   578  				if !readUint8LengthPrefixed(&binders, &binder) ||
   579  					len(binder) == 0 {
   580  					return false
   581  				}
   582  				m.pskBinders = append(m.pskBinders, binder)
   583  			}
   584  		default:
   585  			// Ignore unknown extensions.
   586  			continue
   587  		}
   588  
   589  		if !extData.Empty() {
   590  			return false
   591  		}
   592  	}
   593  
   594  	return true
   595  }
   596  
   597  type serverHelloMsg struct {
   598  	raw                          []byte
   599  	vers                         uint16
   600  	random                       []byte
   601  	sessionId                    []byte
   602  	cipherSuite                  uint16
   603  	compressionMethod            uint8
   604  	ocspStapling                 bool
   605  	ticketSupported              bool
   606  	secureRenegotiationSupported bool
   607  	secureRenegotiation          []byte
   608  	alpnProtocol                 string
   609  	scts                         [][]byte
   610  	supportedVersion             uint16
   611  	serverShare                  keyShare
   612  	selectedIdentityPresent      bool
   613  	selectedIdentity             uint16
   614  	supportedPoints              []uint8
   615  
   616  	// HelloRetryRequest extensions
   617  	cookie        []byte
   618  	selectedGroup CurveID
   619  }
   620  
   621  func (m *serverHelloMsg) marshal() []byte {
   622  	if m.raw != nil {
   623  		return m.raw
   624  	}
   625  
   626  	var b cryptobyte.Builder
   627  	b.AddUint8(typeServerHello)
   628  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   629  		b.AddUint16(m.vers)
   630  		addBytesWithLength(b, m.random, 32)
   631  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   632  			b.AddBytes(m.sessionId)
   633  		})
   634  		b.AddUint16(m.cipherSuite)
   635  		b.AddUint8(m.compressionMethod)
   636  
   637  		// If extensions aren't present, omit them.
   638  		var extensionsPresent bool
   639  		bWithoutExtensions := *b
   640  
   641  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   642  			if m.ocspStapling {
   643  				b.AddUint16(extensionStatusRequest)
   644  				b.AddUint16(0) // empty extension_data
   645  			}
   646  			if m.ticketSupported {
   647  				b.AddUint16(extensionSessionTicket)
   648  				b.AddUint16(0) // empty extension_data
   649  			}
   650  			if m.secureRenegotiationSupported {
   651  				b.AddUint16(extensionRenegotiationInfo)
   652  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   653  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   654  						b.AddBytes(m.secureRenegotiation)
   655  					})
   656  				})
   657  			}
   658  			if len(m.alpnProtocol) > 0 {
   659  				b.AddUint16(extensionALPN)
   660  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   661  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   662  						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   663  							b.AddBytes([]byte(m.alpnProtocol))
   664  						})
   665  					})
   666  				})
   667  			}
   668  			if len(m.scts) > 0 {
   669  				b.AddUint16(extensionSCT)
   670  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   671  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   672  						for _, sct := range m.scts {
   673  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   674  								b.AddBytes(sct)
   675  							})
   676  						}
   677  					})
   678  				})
   679  			}
   680  			if m.supportedVersion != 0 {
   681  				b.AddUint16(extensionSupportedVersions)
   682  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   683  					b.AddUint16(m.supportedVersion)
   684  				})
   685  			}
   686  			if m.serverShare.group != 0 {
   687  				b.AddUint16(extensionKeyShare)
   688  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   689  					b.AddUint16(uint16(m.serverShare.group))
   690  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   691  						b.AddBytes(m.serverShare.data)
   692  					})
   693  				})
   694  			}
   695  			if m.selectedIdentityPresent {
   696  				b.AddUint16(extensionPreSharedKey)
   697  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   698  					b.AddUint16(m.selectedIdentity)
   699  				})
   700  			}
   701  
   702  			if len(m.cookie) > 0 {
   703  				b.AddUint16(extensionCookie)
   704  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   705  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   706  						b.AddBytes(m.cookie)
   707  					})
   708  				})
   709  			}
   710  			if m.selectedGroup != 0 {
   711  				b.AddUint16(extensionKeyShare)
   712  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   713  					b.AddUint16(uint16(m.selectedGroup))
   714  				})
   715  			}
   716  			if len(m.supportedPoints) > 0 {
   717  				b.AddUint16(extensionSupportedPoints)
   718  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   719  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   720  						b.AddBytes(m.supportedPoints)
   721  					})
   722  				})
   723  			}
   724  
   725  			extensionsPresent = len(b.BytesOrPanic()) > 2
   726  		})
   727  
   728  		if !extensionsPresent {
   729  			*b = bWithoutExtensions
   730  		}
   731  	})
   732  
   733  	m.raw = b.BytesOrPanic()
   734  	return m.raw
   735  }
   736  
   737  func (m *serverHelloMsg) unmarshal(data []byte) bool {
   738  	*m = serverHelloMsg{raw: data}
   739  	s := cryptobyte.String(data)
   740  
   741  	if !s.Skip(4) || // message type and uint24 length field
   742  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   743  		!readUint8LengthPrefixed(&s, &m.sessionId) ||
   744  		!s.ReadUint16(&m.cipherSuite) ||
   745  		!s.ReadUint8(&m.compressionMethod) {
   746  		return false
   747  	}
   748  
   749  	if s.Empty() {
   750  		// ServerHello is optionally followed by extension data
   751  		return true
   752  	}
   753  
   754  	var extensions cryptobyte.String
   755  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   756  		return false
   757  	}
   758  
   759  	seenExts := make(map[uint16]bool)
   760  	for !extensions.Empty() {
   761  		var extension uint16
   762  		var extData cryptobyte.String
   763  		if !extensions.ReadUint16(&extension) ||
   764  			!extensions.ReadUint16LengthPrefixed(&extData) {
   765  			return false
   766  		}
   767  
   768  		if seenExts[extension] {
   769  			return false
   770  		}
   771  		seenExts[extension] = true
   772  
   773  		switch extension {
   774  		case extensionStatusRequest:
   775  			m.ocspStapling = true
   776  		case extensionSessionTicket:
   777  			m.ticketSupported = true
   778  		case extensionRenegotiationInfo:
   779  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   780  				return false
   781  			}
   782  			m.secureRenegotiationSupported = true
   783  		case extensionALPN:
   784  			var protoList cryptobyte.String
   785  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   786  				return false
   787  			}
   788  			var proto cryptobyte.String
   789  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
   790  				proto.Empty() || !protoList.Empty() {
   791  				return false
   792  			}
   793  			m.alpnProtocol = string(proto)
   794  		case extensionSCT:
   795  			var sctList cryptobyte.String
   796  			if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
   797  				return false
   798  			}
   799  			for !sctList.Empty() {
   800  				var sct []byte
   801  				if !readUint16LengthPrefixed(&sctList, &sct) ||
   802  					len(sct) == 0 {
   803  					return false
   804  				}
   805  				m.scts = append(m.scts, sct)
   806  			}
   807  		case extensionSupportedVersions:
   808  			if !extData.ReadUint16(&m.supportedVersion) {
   809  				return false
   810  			}
   811  		case extensionCookie:
   812  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   813  				len(m.cookie) == 0 {
   814  				return false
   815  			}
   816  		case extensionKeyShare:
   817  			// This extension has different formats in SH and HRR, accept either
   818  			// and let the handshake logic decide. See RFC 8446, Section 4.2.8.
   819  			if len(extData) == 2 {
   820  				if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
   821  					return false
   822  				}
   823  			} else {
   824  				if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
   825  					!readUint16LengthPrefixed(&extData, &m.serverShare.data) {
   826  					return false
   827  				}
   828  			}
   829  		case extensionPreSharedKey:
   830  			m.selectedIdentityPresent = true
   831  			if !extData.ReadUint16(&m.selectedIdentity) {
   832  				return false
   833  			}
   834  		case extensionSupportedPoints:
   835  			// RFC 4492, Section 5.1.2
   836  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   837  				len(m.supportedPoints) == 0 {
   838  				return false
   839  			}
   840  		default:
   841  			// Ignore unknown extensions.
   842  			continue
   843  		}
   844  
   845  		if !extData.Empty() {
   846  			return false
   847  		}
   848  	}
   849  
   850  	return true
   851  }
   852  
   853  type encryptedExtensionsMsg struct {
   854  	raw          []byte
   855  	alpnProtocol string
   856  }
   857  
   858  func (m *encryptedExtensionsMsg) marshal() []byte {
   859  	if m.raw != nil {
   860  		return m.raw
   861  	}
   862  
   863  	var b cryptobyte.Builder
   864  	b.AddUint8(typeEncryptedExtensions)
   865  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   866  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   867  			if len(m.alpnProtocol) > 0 {
   868  				b.AddUint16(extensionALPN)
   869  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   870  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   871  						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   872  							b.AddBytes([]byte(m.alpnProtocol))
   873  						})
   874  					})
   875  				})
   876  			}
   877  		})
   878  	})
   879  
   880  	m.raw = b.BytesOrPanic()
   881  	return m.raw
   882  }
   883  
   884  func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
   885  	*m = encryptedExtensionsMsg{raw: data}
   886  	s := cryptobyte.String(data)
   887  
   888  	var extensions cryptobyte.String
   889  	if !s.Skip(4) || // message type and uint24 length field
   890  		!s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   891  		return false
   892  	}
   893  
   894  	for !extensions.Empty() {
   895  		var extension uint16
   896  		var extData cryptobyte.String
   897  		if !extensions.ReadUint16(&extension) ||
   898  			!extensions.ReadUint16LengthPrefixed(&extData) {
   899  			return false
   900  		}
   901  
   902  		switch extension {
   903  		case extensionALPN:
   904  			var protoList cryptobyte.String
   905  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   906  				return false
   907  			}
   908  			var proto cryptobyte.String
   909  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
   910  				proto.Empty() || !protoList.Empty() {
   911  				return false
   912  			}
   913  			m.alpnProtocol = string(proto)
   914  		default:
   915  			// Ignore unknown extensions.
   916  			continue
   917  		}
   918  
   919  		if !extData.Empty() {
   920  			return false
   921  		}
   922  	}
   923  
   924  	return true
   925  }
   926  
   927  type endOfEarlyDataMsg struct{}
   928  
   929  func (m *endOfEarlyDataMsg) marshal() []byte {
   930  	x := make([]byte, 4)
   931  	x[0] = typeEndOfEarlyData
   932  	return x
   933  }
   934  
   935  func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
   936  	return len(data) == 4
   937  }
   938  
   939  type keyUpdateMsg struct {
   940  	raw             []byte
   941  	updateRequested bool
   942  }
   943  
   944  func (m *keyUpdateMsg) marshal() []byte {
   945  	if m.raw != nil {
   946  		return m.raw
   947  	}
   948  
   949  	var b cryptobyte.Builder
   950  	b.AddUint8(typeKeyUpdate)
   951  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   952  		if m.updateRequested {
   953  			b.AddUint8(1)
   954  		} else {
   955  			b.AddUint8(0)
   956  		}
   957  	})
   958  
   959  	m.raw = b.BytesOrPanic()
   960  	return m.raw
   961  }
   962  
   963  func (m *keyUpdateMsg) unmarshal(data []byte) bool {
   964  	m.raw = data
   965  	s := cryptobyte.String(data)
   966  
   967  	var updateRequested uint8
   968  	if !s.Skip(4) || // message type and uint24 length field
   969  		!s.ReadUint8(&updateRequested) || !s.Empty() {
   970  		return false
   971  	}
   972  	switch updateRequested {
   973  	case 0:
   974  		m.updateRequested = false
   975  	case 1:
   976  		m.updateRequested = true
   977  	default:
   978  		return false
   979  	}
   980  	return true
   981  }
   982  
   983  type newSessionTicketMsgTLS13 struct {
   984  	raw          []byte
   985  	lifetime     uint32
   986  	ageAdd       uint32
   987  	nonce        []byte
   988  	label        []byte
   989  	maxEarlyData uint32
   990  }
   991  
   992  func (m *newSessionTicketMsgTLS13) marshal() []byte {
   993  	if m.raw != nil {
   994  		return m.raw
   995  	}
   996  
   997  	var b cryptobyte.Builder
   998  	b.AddUint8(typeNewSessionTicket)
   999  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1000  		b.AddUint32(m.lifetime)
  1001  		b.AddUint32(m.ageAdd)
  1002  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
  1003  			b.AddBytes(m.nonce)
  1004  		})
  1005  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1006  			b.AddBytes(m.label)
  1007  		})
  1008  
  1009  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1010  			if m.maxEarlyData > 0 {
  1011  				b.AddUint16(extensionEarlyData)
  1012  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1013  					b.AddUint32(m.maxEarlyData)
  1014  				})
  1015  			}
  1016  		})
  1017  	})
  1018  
  1019  	m.raw = b.BytesOrPanic()
  1020  	return m.raw
  1021  }
  1022  
  1023  func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
  1024  	*m = newSessionTicketMsgTLS13{raw: data}
  1025  	s := cryptobyte.String(data)
  1026  
  1027  	var extensions cryptobyte.String
  1028  	if !s.Skip(4) || // message type and uint24 length field
  1029  		!s.ReadUint32(&m.lifetime) ||
  1030  		!s.ReadUint32(&m.ageAdd) ||
  1031  		!readUint8LengthPrefixed(&s, &m.nonce) ||
  1032  		!readUint16LengthPrefixed(&s, &m.label) ||
  1033  		!s.ReadUint16LengthPrefixed(&extensions) ||
  1034  		!s.Empty() {
  1035  		return false
  1036  	}
  1037  
  1038  	for !extensions.Empty() {
  1039  		var extension uint16
  1040  		var extData cryptobyte.String
  1041  		if !extensions.ReadUint16(&extension) ||
  1042  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1043  			return false
  1044  		}
  1045  
  1046  		switch extension {
  1047  		case extensionEarlyData:
  1048  			if !extData.ReadUint32(&m.maxEarlyData) {
  1049  				return false
  1050  			}
  1051  		default:
  1052  			// Ignore unknown extensions.
  1053  			continue
  1054  		}
  1055  
  1056  		if !extData.Empty() {
  1057  			return false
  1058  		}
  1059  	}
  1060  
  1061  	return true
  1062  }
  1063  
  1064  type certificateRequestMsgTLS13 struct {
  1065  	raw                              []byte
  1066  	ocspStapling                     bool
  1067  	scts                             bool
  1068  	supportedSignatureAlgorithms     []SignatureScheme
  1069  	supportedSignatureAlgorithmsCert []SignatureScheme
  1070  	certificateAuthorities           [][]byte
  1071  }
  1072  
  1073  func (m *certificateRequestMsgTLS13) marshal() []byte {
  1074  	if m.raw != nil {
  1075  		return m.raw
  1076  	}
  1077  
  1078  	var b cryptobyte.Builder
  1079  	b.AddUint8(typeCertificateRequest)
  1080  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1081  		// certificate_request_context (SHALL be zero length unless used for
  1082  		// post-handshake authentication)
  1083  		b.AddUint8(0)
  1084  
  1085  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1086  			if m.ocspStapling {
  1087  				b.AddUint16(extensionStatusRequest)
  1088  				b.AddUint16(0) // empty extension_data
  1089  			}
  1090  			if m.scts {
  1091  				// RFC 8446, Section 4.4.2.1 makes no mention of
  1092  				// signed_certificate_timestamp in CertificateRequest, but
  1093  				// "Extensions in the Certificate message from the client MUST
  1094  				// correspond to extensions in the CertificateRequest message
  1095  				// from the server." and it appears in the table in Section 4.2.
  1096  				b.AddUint16(extensionSCT)
  1097  				b.AddUint16(0) // empty extension_data
  1098  			}
  1099  			if len(m.supportedSignatureAlgorithms) > 0 {
  1100  				b.AddUint16(extensionSignatureAlgorithms)
  1101  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1102  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1103  						for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1104  							b.AddUint16(uint16(sigAlgo))
  1105  						}
  1106  					})
  1107  				})
  1108  			}
  1109  			if len(m.supportedSignatureAlgorithmsCert) > 0 {
  1110  				b.AddUint16(extensionSignatureAlgorithmsCert)
  1111  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1112  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1113  						for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
  1114  							b.AddUint16(uint16(sigAlgo))
  1115  						}
  1116  					})
  1117  				})
  1118  			}
  1119  			if len(m.certificateAuthorities) > 0 {
  1120  				b.AddUint16(extensionCertificateAuthorities)
  1121  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1122  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1123  						for _, ca := range m.certificateAuthorities {
  1124  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1125  								b.AddBytes(ca)
  1126  							})
  1127  						}
  1128  					})
  1129  				})
  1130  			}
  1131  		})
  1132  	})
  1133  
  1134  	m.raw = b.BytesOrPanic()
  1135  	return m.raw
  1136  }
  1137  
  1138  func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
  1139  	*m = certificateRequestMsgTLS13{raw: data}
  1140  	s := cryptobyte.String(data)
  1141  
  1142  	var context, extensions cryptobyte.String
  1143  	if !s.Skip(4) || // message type and uint24 length field
  1144  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1145  		!s.ReadUint16LengthPrefixed(&extensions) ||
  1146  		!s.Empty() {
  1147  		return false
  1148  	}
  1149  
  1150  	for !extensions.Empty() {
  1151  		var extension uint16
  1152  		var extData cryptobyte.String
  1153  		if !extensions.ReadUint16(&extension) ||
  1154  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1155  			return false
  1156  		}
  1157  
  1158  		switch extension {
  1159  		case extensionStatusRequest:
  1160  			m.ocspStapling = true
  1161  		case extensionSCT:
  1162  			m.scts = true
  1163  		case extensionSignatureAlgorithms:
  1164  			var sigAndAlgs cryptobyte.String
  1165  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1166  				return false
  1167  			}
  1168  			for !sigAndAlgs.Empty() {
  1169  				var sigAndAlg uint16
  1170  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1171  					return false
  1172  				}
  1173  				m.supportedSignatureAlgorithms = append(
  1174  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
  1175  			}
  1176  		case extensionSignatureAlgorithmsCert:
  1177  			var sigAndAlgs cryptobyte.String
  1178  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1179  				return false
  1180  			}
  1181  			for !sigAndAlgs.Empty() {
  1182  				var sigAndAlg uint16
  1183  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1184  					return false
  1185  				}
  1186  				m.supportedSignatureAlgorithmsCert = append(
  1187  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
  1188  			}
  1189  		case extensionCertificateAuthorities:
  1190  			var auths cryptobyte.String
  1191  			if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
  1192  				return false
  1193  			}
  1194  			for !auths.Empty() {
  1195  				var ca []byte
  1196  				if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
  1197  					return false
  1198  				}
  1199  				m.certificateAuthorities = append(m.certificateAuthorities, ca)
  1200  			}
  1201  		default:
  1202  			// Ignore unknown extensions.
  1203  			continue
  1204  		}
  1205  
  1206  		if !extData.Empty() {
  1207  			return false
  1208  		}
  1209  	}
  1210  
  1211  	return true
  1212  }
  1213  
  1214  type certificateMsg struct {
  1215  	raw          []byte
  1216  	certificates [][]byte
  1217  }
  1218  
  1219  func (m *certificateMsg) marshal() (x []byte) {
  1220  	if m.raw != nil {
  1221  		return m.raw
  1222  	}
  1223  
  1224  	var i int
  1225  	for _, slice := range m.certificates {
  1226  		i += len(slice)
  1227  	}
  1228  
  1229  	length := 3 + 3*len(m.certificates) + i
  1230  	x = make([]byte, 4+length)
  1231  	x[0] = typeCertificate
  1232  	x[1] = uint8(length >> 16)
  1233  	x[2] = uint8(length >> 8)
  1234  	x[3] = uint8(length)
  1235  
  1236  	certificateOctets := length - 3
  1237  	x[4] = uint8(certificateOctets >> 16)
  1238  	x[5] = uint8(certificateOctets >> 8)
  1239  	x[6] = uint8(certificateOctets)
  1240  
  1241  	y := x[7:]
  1242  	for _, slice := range m.certificates {
  1243  		y[0] = uint8(len(slice) >> 16)
  1244  		y[1] = uint8(len(slice) >> 8)
  1245  		y[2] = uint8(len(slice))
  1246  		copy(y[3:], slice)
  1247  		y = y[3+len(slice):]
  1248  	}
  1249  
  1250  	m.raw = x
  1251  	return
  1252  }
  1253  
  1254  func (m *certificateMsg) unmarshal(data []byte) bool {
  1255  	if len(data) < 7 {
  1256  		return false
  1257  	}
  1258  
  1259  	m.raw = data
  1260  	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
  1261  	if uint32(len(data)) != certsLen+7 {
  1262  		return false
  1263  	}
  1264  
  1265  	numCerts := 0
  1266  	d := data[7:]
  1267  	for certsLen > 0 {
  1268  		if len(d) < 4 {
  1269  			return false
  1270  		}
  1271  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1272  		if uint32(len(d)) < 3+certLen {
  1273  			return false
  1274  		}
  1275  		d = d[3+certLen:]
  1276  		certsLen -= 3 + certLen
  1277  		numCerts++
  1278  	}
  1279  
  1280  	m.certificates = make([][]byte, numCerts)
  1281  	d = data[7:]
  1282  	for i := 0; i < numCerts; i++ {
  1283  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1284  		m.certificates[i] = d[3 : 3+certLen]
  1285  		d = d[3+certLen:]
  1286  	}
  1287  
  1288  	return true
  1289  }
  1290  
  1291  type certificateMsgTLS13 struct {
  1292  	raw          []byte
  1293  	certificate  Certificate
  1294  	ocspStapling bool
  1295  	scts         bool
  1296  }
  1297  
  1298  func (m *certificateMsgTLS13) marshal() []byte {
  1299  	if m.raw != nil {
  1300  		return m.raw
  1301  	}
  1302  
  1303  	var b cryptobyte.Builder
  1304  	b.AddUint8(typeCertificate)
  1305  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1306  		b.AddUint8(0) // certificate_request_context
  1307  
  1308  		certificate := m.certificate
  1309  		if !m.ocspStapling {
  1310  			certificate.OCSPStaple = nil
  1311  		}
  1312  		if !m.scts {
  1313  			certificate.SignedCertificateTimestamps = nil
  1314  		}
  1315  		marshalCertificate(b, certificate)
  1316  	})
  1317  
  1318  	m.raw = b.BytesOrPanic()
  1319  	return m.raw
  1320  }
  1321  
  1322  func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
  1323  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1324  		for i, cert := range certificate.Certificate {
  1325  			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1326  				b.AddBytes(cert)
  1327  			})
  1328  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1329  				if i > 0 {
  1330  					// This library only supports OCSP and SCT for leaf certificates.
  1331  					return
  1332  				}
  1333  				if certificate.OCSPStaple != nil {
  1334  					b.AddUint16(extensionStatusRequest)
  1335  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1336  						b.AddUint8(statusTypeOCSP)
  1337  						b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1338  							b.AddBytes(certificate.OCSPStaple)
  1339  						})
  1340  					})
  1341  				}
  1342  				if certificate.SignedCertificateTimestamps != nil {
  1343  					b.AddUint16(extensionSCT)
  1344  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1345  						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1346  							for _, sct := range certificate.SignedCertificateTimestamps {
  1347  								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1348  									b.AddBytes(sct)
  1349  								})
  1350  							}
  1351  						})
  1352  					})
  1353  				}
  1354  			})
  1355  		}
  1356  	})
  1357  }
  1358  
  1359  func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
  1360  	*m = certificateMsgTLS13{raw: data}
  1361  	s := cryptobyte.String(data)
  1362  
  1363  	var context cryptobyte.String
  1364  	if !s.Skip(4) || // message type and uint24 length field
  1365  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1366  		!unmarshalCertificate(&s, &m.certificate) ||
  1367  		!s.Empty() {
  1368  		return false
  1369  	}
  1370  
  1371  	m.scts = m.certificate.SignedCertificateTimestamps != nil
  1372  	m.ocspStapling = m.certificate.OCSPStaple != nil
  1373  
  1374  	return true
  1375  }
  1376  
  1377  func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
  1378  	var certList cryptobyte.String
  1379  	if !s.ReadUint24LengthPrefixed(&certList) {
  1380  		return false
  1381  	}
  1382  	for !certList.Empty() {
  1383  		var cert []byte
  1384  		var extensions cryptobyte.String
  1385  		if !readUint24LengthPrefixed(&certList, &cert) ||
  1386  			!certList.ReadUint16LengthPrefixed(&extensions) {
  1387  			return false
  1388  		}
  1389  		certificate.Certificate = append(certificate.Certificate, cert)
  1390  		for !extensions.Empty() {
  1391  			var extension uint16
  1392  			var extData cryptobyte.String
  1393  			if !extensions.ReadUint16(&extension) ||
  1394  				!extensions.ReadUint16LengthPrefixed(&extData) {
  1395  				return false
  1396  			}
  1397  			if len(certificate.Certificate) > 1 {
  1398  				// This library only supports OCSP and SCT for leaf certificates.
  1399  				continue
  1400  			}
  1401  
  1402  			switch extension {
  1403  			case extensionStatusRequest:
  1404  				var statusType uint8
  1405  				if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1406  					!readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
  1407  					len(certificate.OCSPStaple) == 0 {
  1408  					return false
  1409  				}
  1410  			case extensionSCT:
  1411  				var sctList cryptobyte.String
  1412  				if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
  1413  					return false
  1414  				}
  1415  				for !sctList.Empty() {
  1416  					var sct []byte
  1417  					if !readUint16LengthPrefixed(&sctList, &sct) ||
  1418  						len(sct) == 0 {
  1419  						return false
  1420  					}
  1421  					certificate.SignedCertificateTimestamps = append(
  1422  						certificate.SignedCertificateTimestamps, sct)
  1423  				}
  1424  			default:
  1425  				// Ignore unknown extensions.
  1426  				continue
  1427  			}
  1428  
  1429  			if !extData.Empty() {
  1430  				return false
  1431  			}
  1432  		}
  1433  	}
  1434  	return true
  1435  }
  1436  
  1437  type serverKeyExchangeMsg struct {
  1438  	raw []byte
  1439  	key []byte
  1440  }
  1441  
  1442  func (m *serverKeyExchangeMsg) marshal() []byte {
  1443  	if m.raw != nil {
  1444  		return m.raw
  1445  	}
  1446  	length := len(m.key)
  1447  	x := make([]byte, length+4)
  1448  	x[0] = typeServerKeyExchange
  1449  	x[1] = uint8(length >> 16)
  1450  	x[2] = uint8(length >> 8)
  1451  	x[3] = uint8(length)
  1452  	copy(x[4:], m.key)
  1453  
  1454  	m.raw = x
  1455  	return x
  1456  }
  1457  
  1458  func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
  1459  	m.raw = data
  1460  	if len(data) < 4 {
  1461  		return false
  1462  	}
  1463  	m.key = data[4:]
  1464  	return true
  1465  }
  1466  
  1467  type certificateStatusMsg struct {
  1468  	raw      []byte
  1469  	response []byte
  1470  }
  1471  
  1472  func (m *certificateStatusMsg) marshal() []byte {
  1473  	if m.raw != nil {
  1474  		return m.raw
  1475  	}
  1476  
  1477  	var b cryptobyte.Builder
  1478  	b.AddUint8(typeCertificateStatus)
  1479  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1480  		b.AddUint8(statusTypeOCSP)
  1481  		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1482  			b.AddBytes(m.response)
  1483  		})
  1484  	})
  1485  
  1486  	m.raw = b.BytesOrPanic()
  1487  	return m.raw
  1488  }
  1489  
  1490  func (m *certificateStatusMsg) unmarshal(data []byte) bool {
  1491  	m.raw = data
  1492  	s := cryptobyte.String(data)
  1493  
  1494  	var statusType uint8
  1495  	if !s.Skip(4) || // message type and uint24 length field
  1496  		!s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1497  		!readUint24LengthPrefixed(&s, &m.response) ||
  1498  		len(m.response) == 0 || !s.Empty() {
  1499  		return false
  1500  	}
  1501  	return true
  1502  }
  1503  
  1504  type serverHelloDoneMsg struct{}
  1505  
  1506  func (m *serverHelloDoneMsg) marshal() []byte {
  1507  	x := make([]byte, 4)
  1508  	x[0] = typeServerHelloDone
  1509  	return x
  1510  }
  1511  
  1512  func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
  1513  	return len(data) == 4
  1514  }
  1515  
  1516  type clientKeyExchangeMsg struct {
  1517  	raw        []byte
  1518  	ciphertext []byte
  1519  }
  1520  
  1521  func (m *clientKeyExchangeMsg) marshal() []byte {
  1522  	if m.raw != nil {
  1523  		return m.raw
  1524  	}
  1525  	length := len(m.ciphertext)
  1526  	x := make([]byte, length+4)
  1527  	x[0] = typeClientKeyExchange
  1528  	x[1] = uint8(length >> 16)
  1529  	x[2] = uint8(length >> 8)
  1530  	x[3] = uint8(length)
  1531  	copy(x[4:], m.ciphertext)
  1532  
  1533  	m.raw = x
  1534  	return x
  1535  }
  1536  
  1537  func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
  1538  	m.raw = data
  1539  	if len(data) < 4 {
  1540  		return false
  1541  	}
  1542  	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
  1543  	if l != len(data)-4 {
  1544  		return false
  1545  	}
  1546  	m.ciphertext = data[4:]
  1547  	return true
  1548  }
  1549  
  1550  type finishedMsg struct {
  1551  	raw        []byte
  1552  	verifyData []byte
  1553  }
  1554  
  1555  func (m *finishedMsg) marshal() []byte {
  1556  	if m.raw != nil {
  1557  		return m.raw
  1558  	}
  1559  
  1560  	var b cryptobyte.Builder
  1561  	b.AddUint8(typeFinished)
  1562  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1563  		b.AddBytes(m.verifyData)
  1564  	})
  1565  
  1566  	m.raw = b.BytesOrPanic()
  1567  	return m.raw
  1568  }
  1569  
  1570  func (m *finishedMsg) unmarshal(data []byte) bool {
  1571  	m.raw = data
  1572  	s := cryptobyte.String(data)
  1573  	return s.Skip(1) &&
  1574  		readUint24LengthPrefixed(&s, &m.verifyData) &&
  1575  		s.Empty()
  1576  }
  1577  
  1578  type certificateRequestMsg struct {
  1579  	raw []byte
  1580  	// hasSignatureAlgorithm indicates whether this message includes a list of
  1581  	// supported signature algorithms. This change was introduced with TLS 1.2.
  1582  	hasSignatureAlgorithm bool
  1583  
  1584  	certificateTypes             []byte
  1585  	supportedSignatureAlgorithms []SignatureScheme
  1586  	certificateAuthorities       [][]byte
  1587  }
  1588  
  1589  func (m *certificateRequestMsg) marshal() (x []byte) {
  1590  	if m.raw != nil {
  1591  		return m.raw
  1592  	}
  1593  
  1594  	// See RFC 4346, Section 7.4.4.
  1595  	length := 1 + len(m.certificateTypes) + 2
  1596  	casLength := 0
  1597  	for _, ca := range m.certificateAuthorities {
  1598  		casLength += 2 + len(ca)
  1599  	}
  1600  	length += casLength
  1601  
  1602  	if m.hasSignatureAlgorithm {
  1603  		length += 2 + 2*len(m.supportedSignatureAlgorithms)
  1604  	}
  1605  
  1606  	x = make([]byte, 4+length)
  1607  	x[0] = typeCertificateRequest
  1608  	x[1] = uint8(length >> 16)
  1609  	x[2] = uint8(length >> 8)
  1610  	x[3] = uint8(length)
  1611  
  1612  	x[4] = uint8(len(m.certificateTypes))
  1613  
  1614  	copy(x[5:], m.certificateTypes)
  1615  	y := x[5+len(m.certificateTypes):]
  1616  
  1617  	if m.hasSignatureAlgorithm {
  1618  		n := len(m.supportedSignatureAlgorithms) * 2
  1619  		y[0] = uint8(n >> 8)
  1620  		y[1] = uint8(n)
  1621  		y = y[2:]
  1622  		for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1623  			y[0] = uint8(sigAlgo >> 8)
  1624  			y[1] = uint8(sigAlgo)
  1625  			y = y[2:]
  1626  		}
  1627  	}
  1628  
  1629  	y[0] = uint8(casLength >> 8)
  1630  	y[1] = uint8(casLength)
  1631  	y = y[2:]
  1632  	for _, ca := range m.certificateAuthorities {
  1633  		y[0] = uint8(len(ca) >> 8)
  1634  		y[1] = uint8(len(ca))
  1635  		y = y[2:]
  1636  		copy(y, ca)
  1637  		y = y[len(ca):]
  1638  	}
  1639  
  1640  	m.raw = x
  1641  	return
  1642  }
  1643  
  1644  func (m *certificateRequestMsg) unmarshal(data []byte) bool {
  1645  	m.raw = data
  1646  
  1647  	if len(data) < 5 {
  1648  		return false
  1649  	}
  1650  
  1651  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1652  	if uint32(len(data))-4 != length {
  1653  		return false
  1654  	}
  1655  
  1656  	numCertTypes := int(data[4])
  1657  	data = data[5:]
  1658  	if numCertTypes == 0 || len(data) <= numCertTypes {
  1659  		return false
  1660  	}
  1661  
  1662  	m.certificateTypes = make([]byte, numCertTypes)
  1663  	if copy(m.certificateTypes, data) != numCertTypes {
  1664  		return false
  1665  	}
  1666  
  1667  	data = data[numCertTypes:]
  1668  
  1669  	if m.hasSignatureAlgorithm {
  1670  		if len(data) < 2 {
  1671  			return false
  1672  		}
  1673  		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
  1674  		data = data[2:]
  1675  		if sigAndHashLen&1 != 0 {
  1676  			return false
  1677  		}
  1678  		if len(data) < int(sigAndHashLen) {
  1679  			return false
  1680  		}
  1681  		numSigAlgos := sigAndHashLen / 2
  1682  		m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
  1683  		for i := range m.supportedSignatureAlgorithms {
  1684  			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1685  			data = data[2:]
  1686  		}
  1687  	}
  1688  
  1689  	if len(data) < 2 {
  1690  		return false
  1691  	}
  1692  	casLength := uint16(data[0])<<8 | uint16(data[1])
  1693  	data = data[2:]
  1694  	if len(data) < int(casLength) {
  1695  		return false
  1696  	}
  1697  	cas := make([]byte, casLength)
  1698  	copy(cas, data)
  1699  	data = data[casLength:]
  1700  
  1701  	m.certificateAuthorities = nil
  1702  	for len(cas) > 0 {
  1703  		if len(cas) < 2 {
  1704  			return false
  1705  		}
  1706  		caLen := uint16(cas[0])<<8 | uint16(cas[1])
  1707  		cas = cas[2:]
  1708  
  1709  		if len(cas) < int(caLen) {
  1710  			return false
  1711  		}
  1712  
  1713  		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  1714  		cas = cas[caLen:]
  1715  	}
  1716  
  1717  	return len(data) == 0
  1718  }
  1719  
  1720  type certificateVerifyMsg struct {
  1721  	raw                   []byte
  1722  	hasSignatureAlgorithm bool // format change introduced in TLS 1.2
  1723  	signatureAlgorithm    SignatureScheme
  1724  	signature             []byte
  1725  }
  1726  
  1727  func (m *certificateVerifyMsg) marshal() (x []byte) {
  1728  	if m.raw != nil {
  1729  		return m.raw
  1730  	}
  1731  
  1732  	var b cryptobyte.Builder
  1733  	b.AddUint8(typeCertificateVerify)
  1734  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1735  		if m.hasSignatureAlgorithm {
  1736  			b.AddUint16(uint16(m.signatureAlgorithm))
  1737  		}
  1738  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1739  			b.AddBytes(m.signature)
  1740  		})
  1741  	})
  1742  
  1743  	m.raw = b.BytesOrPanic()
  1744  	return m.raw
  1745  }
  1746  
  1747  func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
  1748  	m.raw = data
  1749  	s := cryptobyte.String(data)
  1750  
  1751  	if !s.Skip(4) { // message type and uint24 length field
  1752  		return false
  1753  	}
  1754  	if m.hasSignatureAlgorithm {
  1755  		if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
  1756  			return false
  1757  		}
  1758  	}
  1759  	return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
  1760  }
  1761  
  1762  type newSessionTicketMsg struct {
  1763  	raw    []byte
  1764  	ticket []byte
  1765  }
  1766  
  1767  func (m *newSessionTicketMsg) marshal() (x []byte) {
  1768  	if m.raw != nil {
  1769  		return m.raw
  1770  	}
  1771  
  1772  	// See RFC 5077, Section 3.3.
  1773  	ticketLen := len(m.ticket)
  1774  	length := 2 + 4 + ticketLen
  1775  	x = make([]byte, 4+length)
  1776  	x[0] = typeNewSessionTicket
  1777  	x[1] = uint8(length >> 16)
  1778  	x[2] = uint8(length >> 8)
  1779  	x[3] = uint8(length)
  1780  	x[8] = uint8(ticketLen >> 8)
  1781  	x[9] = uint8(ticketLen)
  1782  	copy(x[10:], m.ticket)
  1783  
  1784  	m.raw = x
  1785  
  1786  	return
  1787  }
  1788  
  1789  func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
  1790  	m.raw = data
  1791  
  1792  	if len(data) < 10 {
  1793  		return false
  1794  	}
  1795  
  1796  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1797  	if uint32(len(data))-4 != length {
  1798  		return false
  1799  	}
  1800  
  1801  	ticketLen := int(data[8])<<8 + int(data[9])
  1802  	if len(data)-10 != ticketLen {
  1803  		return false
  1804  	}
  1805  
  1806  	m.ticket = data[10:]
  1807  
  1808  	return true
  1809  }
  1810  
  1811  type helloRequestMsg struct {
  1812  }
  1813  
  1814  func (*helloRequestMsg) marshal() []byte {
  1815  	return []byte{typeHelloRequest, 0, 0, 0}
  1816  }
  1817  
  1818  func (*helloRequestMsg) unmarshal(data []byte) bool {
  1819  	return len(data) == 4
  1820  }