github.com/ooni/psiphon/tunnel-core@v0.0.0-20230105123940-fe12a24c96ee/oovendor/qtls-go1-17/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package qtls 6 7 import ( 8 "fmt" 9 "strings" 10 11 "github.com/ooni/psiphon/tunnel-core/psiphon/common/prng" 12 "golang.org/x/crypto/cryptobyte" 13 ) 14 15 // The marshalingFunction type is an adapter to allow the use of ordinary 16 // functions as cryptobyte.MarshalingValue. 17 type marshalingFunction func(b *cryptobyte.Builder) error 18 19 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 20 return f(b) 21 } 22 23 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 24 // the length of the sequence is not the value specified, it produces an error. 25 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 26 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 27 if len(v) != n { 28 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 29 } 30 b.AddBytes(v) 31 return nil 32 })) 33 } 34 35 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 36 func addUint64(b *cryptobyte.Builder, v uint64) { 37 b.AddUint32(uint32(v >> 32)) 38 b.AddUint32(uint32(v)) 39 } 40 41 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 42 // It reports whether the read was successful. 43 func readUint64(s *cryptobyte.String, out *uint64) bool { 44 var hi, lo uint32 45 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 46 return false 47 } 48 *out = uint64(hi)<<32 | uint64(lo) 49 return true 50 } 51 52 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 53 // []byte instead of a cryptobyte.String. 54 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 55 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 56 } 57 58 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 59 // []byte instead of a cryptobyte.String. 60 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 61 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 62 } 63 64 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 65 // []byte instead of a cryptobyte.String. 66 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 67 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 68 } 69 70 type clientHelloMsg struct { 71 raw []byte 72 vers uint16 73 random []byte 74 sessionId []byte 75 cipherSuites []uint16 76 compressionMethods []uint8 77 serverName string 78 ocspStapling bool 79 supportedCurves []CurveID 80 supportedPoints []uint8 81 ticketSupported bool 82 sessionTicket []uint8 83 supportedSignatureAlgorithms []SignatureScheme 84 supportedSignatureAlgorithmsCert []SignatureScheme 85 secureRenegotiationSupported bool 86 secureRenegotiation []byte 87 alpnProtocols []string 88 scts bool 89 supportedVersions []uint16 90 cookie []byte 91 keyShares []keyShare 92 earlyData bool 93 pskModes []uint8 94 pskIdentities []pskIdentity 95 pskBinders [][]byte 96 additionalExtensions []Extension 97 98 // [Psiphon] 99 PRNG *prng.PRNG 100 } 101 102 func (m *clientHelloMsg) marshal() []byte { 103 if m.raw != nil { 104 return m.raw 105 } 106 107 // [Psiphon] 108 // Randomize the Client Hello. 109 if m.PRNG != nil { 110 return m.marshalRandomized() 111 } 112 113 var b cryptobyte.Builder 114 b.AddUint8(typeClientHello) 115 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 116 b.AddUint16(m.vers) 117 addBytesWithLength(b, m.random, 32) 118 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 119 b.AddBytes(m.sessionId) 120 }) 121 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 122 for _, suite := range m.cipherSuites { 123 b.AddUint16(suite) 124 } 125 }) 126 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 127 b.AddBytes(m.compressionMethods) 128 }) 129 130 // If extensions aren't present, omit them. 131 var extensionsPresent bool 132 bWithoutExtensions := *b 133 134 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 135 if len(m.serverName) > 0 { 136 // RFC 6066, Section 3 137 b.AddUint16(extensionServerName) 138 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 139 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 140 b.AddUint8(0) // name_type = host_name 141 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 142 b.AddBytes([]byte(m.serverName)) 143 }) 144 }) 145 }) 146 } 147 if m.ocspStapling { 148 // RFC 4366, Section 3.6 149 b.AddUint16(extensionStatusRequest) 150 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 151 b.AddUint8(1) // status_type = ocsp 152 b.AddUint16(0) // empty responder_id_list 153 b.AddUint16(0) // empty request_extensions 154 }) 155 } 156 if len(m.supportedCurves) > 0 { 157 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 158 b.AddUint16(extensionSupportedCurves) 159 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 160 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 161 for _, curve := range m.supportedCurves { 162 b.AddUint16(uint16(curve)) 163 } 164 }) 165 }) 166 } 167 if len(m.supportedPoints) > 0 { 168 // RFC 4492, Section 5.1.2 169 b.AddUint16(extensionSupportedPoints) 170 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 171 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 172 b.AddBytes(m.supportedPoints) 173 }) 174 }) 175 } 176 if m.ticketSupported { 177 // RFC 5077, Section 3.2 178 b.AddUint16(extensionSessionTicket) 179 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 180 b.AddBytes(m.sessionTicket) 181 }) 182 } 183 if len(m.supportedSignatureAlgorithms) > 0 { 184 // RFC 5246, Section 7.4.1.4.1 185 b.AddUint16(extensionSignatureAlgorithms) 186 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 187 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 188 for _, sigAlgo := range m.supportedSignatureAlgorithms { 189 b.AddUint16(uint16(sigAlgo)) 190 } 191 }) 192 }) 193 } 194 if len(m.supportedSignatureAlgorithmsCert) > 0 { 195 // RFC 8446, Section 4.2.3 196 b.AddUint16(extensionSignatureAlgorithmsCert) 197 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 198 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 199 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 200 b.AddUint16(uint16(sigAlgo)) 201 } 202 }) 203 }) 204 } 205 if m.secureRenegotiationSupported { 206 // RFC 5746, Section 3.2 207 b.AddUint16(extensionRenegotiationInfo) 208 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 209 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 210 b.AddBytes(m.secureRenegotiation) 211 }) 212 }) 213 } 214 if len(m.alpnProtocols) > 0 { 215 // RFC 7301, Section 3.1 216 b.AddUint16(extensionALPN) 217 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 218 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 219 for _, proto := range m.alpnProtocols { 220 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 221 b.AddBytes([]byte(proto)) 222 }) 223 } 224 }) 225 }) 226 } 227 if m.scts { 228 // RFC 6962, Section 3.3.1 229 b.AddUint16(extensionSCT) 230 b.AddUint16(0) // empty extension_data 231 } 232 if len(m.supportedVersions) > 0 { 233 // RFC 8446, Section 4.2.1 234 b.AddUint16(extensionSupportedVersions) 235 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 236 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 237 for _, vers := range m.supportedVersions { 238 b.AddUint16(vers) 239 } 240 }) 241 }) 242 } 243 if len(m.cookie) > 0 { 244 // RFC 8446, Section 4.2.2 245 b.AddUint16(extensionCookie) 246 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 247 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 248 b.AddBytes(m.cookie) 249 }) 250 }) 251 } 252 if len(m.keyShares) > 0 { 253 // RFC 8446, Section 4.2.8 254 b.AddUint16(extensionKeyShare) 255 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 256 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 257 for _, ks := range m.keyShares { 258 b.AddUint16(uint16(ks.group)) 259 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 260 b.AddBytes(ks.data) 261 }) 262 } 263 }) 264 }) 265 } 266 if m.earlyData { 267 // RFC 8446, Section 4.2.10 268 b.AddUint16(extensionEarlyData) 269 b.AddUint16(0) // empty extension_data 270 } 271 if len(m.pskModes) > 0 { 272 // RFC 8446, Section 4.2.9 273 b.AddUint16(extensionPSKModes) 274 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 275 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 276 b.AddBytes(m.pskModes) 277 }) 278 }) 279 } 280 for _, ext := range m.additionalExtensions { 281 b.AddUint16(ext.Type) 282 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 283 b.AddBytes(ext.Data) 284 }) 285 } 286 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 287 // RFC 8446, Section 4.2.11 288 b.AddUint16(extensionPreSharedKey) 289 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 290 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 291 for _, psk := range m.pskIdentities { 292 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 293 b.AddBytes(psk.label) 294 }) 295 b.AddUint32(psk.obfuscatedTicketAge) 296 } 297 }) 298 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 299 for _, binder := range m.pskBinders { 300 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 301 b.AddBytes(binder) 302 }) 303 } 304 }) 305 }) 306 } 307 308 extensionsPresent = len(b.BytesOrPanic()) > 2 309 }) 310 311 if !extensionsPresent { 312 *b = bWithoutExtensions 313 } 314 }) 315 316 m.raw = b.BytesOrPanic() 317 return m.raw 318 } 319 320 // [Psiphon] 321 // 322 // marshalRandomized is a randomized variant of marshal. The original Marshal 323 // is retained as-is to ease future merging. 324 // 325 // The offered cipher suites and algorithms are shuffled and truncated. Longer 326 // lists are selected with higher probability. Extensions are shuffled. 327 // 328 // The quic_transport_parameters extension is marshaled in quic-go and is 329 // randomized in TransportParameters.Marshal. 330 func (m *clientHelloMsg) marshalRandomized() []byte { 331 if m.raw != nil { 332 return m.raw 333 } 334 335 // Some inputs, such as m.supportedCurves, point to global variables. Copy 336 // all slices before truncating. 337 338 cipherSuites := make([]uint16, len(m.cipherSuites)) 339 perm := m.PRNG.Perm(len(m.cipherSuites)) 340 for i, j := range perm { 341 cipherSuites[j] = m.cipherSuites[i] 342 } 343 cut := len(cipherSuites) 344 for ; cut > 1; cut-- { 345 if !m.PRNG.FlipCoin() { 346 break 347 } 348 } 349 cipherSuites = cipherSuites[:cut] 350 351 compressionMethods := make([]uint8, len(m.compressionMethods)) 352 perm = m.PRNG.Perm(len(m.compressionMethods)) 353 for i, j := range perm { 354 compressionMethods[j] = m.compressionMethods[i] 355 } 356 cut = len(compressionMethods) 357 for ; cut > 1; cut-- { 358 if !m.PRNG.FlipCoin() { 359 break 360 } 361 } 362 compressionMethods = compressionMethods[:cut] 363 364 supportedCurves := make([]CurveID, len(m.supportedCurves)) 365 perm = m.PRNG.Perm(len(m.supportedCurves)) 366 for i, j := range perm { 367 supportedCurves[j] = m.supportedCurves[i] 368 } 369 cut = len(supportedCurves) 370 for ; cut > 1; cut-- { 371 if !m.PRNG.FlipCoin() { 372 break 373 } 374 } 375 supportedCurves = supportedCurves[:cut] 376 377 supportedPoints := make([]uint8, len(m.supportedPoints)) 378 perm = m.PRNG.Perm(len(m.supportedPoints)) 379 for i, j := range perm { 380 supportedPoints[j] = m.supportedPoints[i] 381 } 382 cut = len(supportedPoints) 383 for ; cut > 1; cut-- { 384 if !m.PRNG.FlipCoin() { 385 break 386 } 387 } 388 supportedPoints = supportedPoints[:cut] 389 390 var b cryptobyte.Builder 391 b.AddUint8(typeClientHello) 392 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 393 b.AddUint16(m.vers) 394 addBytesWithLength(b, m.random, 32) 395 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 396 b.AddBytes(m.sessionId) 397 }) 398 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 399 for _, suite := range cipherSuites { 400 b.AddUint16(suite) 401 } 402 }) 403 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 404 b.AddBytes(compressionMethods) 405 }) 406 407 // If extensions aren't present, omit them. 408 var extensionsPresent bool 409 bWithoutExtensions := *b 410 411 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 412 413 extensionMarshallers := []func(){ 414 415 func() { 416 if len(m.serverName) > 0 { 417 // RFC 6066, Section 3 418 b.AddUint16(extensionServerName) 419 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 420 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 421 b.AddUint8(0) // name_type = host_name 422 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 423 b.AddBytes([]byte(m.serverName)) 424 }) 425 }) 426 }) 427 } 428 }, 429 430 func() { 431 if m.ocspStapling { 432 // RFC 4366, Section 3.6 433 b.AddUint16(extensionStatusRequest) 434 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 435 b.AddUint8(1) // status_type = ocsp 436 b.AddUint16(0) // empty responder_id_list 437 b.AddUint16(0) // empty request_extensions 438 }) 439 } 440 }, 441 442 func() { 443 if len(supportedCurves) > 0 { 444 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 445 b.AddUint16(extensionSupportedCurves) 446 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 447 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 448 for _, curve := range supportedCurves { 449 b.AddUint16(uint16(curve)) 450 } 451 }) 452 }) 453 } 454 }, 455 456 func() { 457 if len(supportedPoints) > 0 { 458 // RFC 4492, Section 5.1.2 459 b.AddUint16(extensionSupportedPoints) 460 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 461 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 462 b.AddBytes(supportedPoints) 463 }) 464 }) 465 } 466 }, 467 468 func() { 469 if m.ticketSupported { 470 // RFC 5077, Section 3.2 471 b.AddUint16(extensionSessionTicket) 472 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 473 b.AddBytes(m.sessionTicket) 474 }) 475 } 476 }, 477 478 func() { 479 if len(m.supportedSignatureAlgorithms) > 0 { 480 // RFC 5246, Section 7.4.1.4.1 481 b.AddUint16(extensionSignatureAlgorithms) 482 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 483 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 484 for _, sigAlgo := range m.supportedSignatureAlgorithms { 485 b.AddUint16(uint16(sigAlgo)) 486 } 487 }) 488 }) 489 } 490 }, 491 492 func() { 493 if len(m.supportedSignatureAlgorithmsCert) > 0 { 494 // RFC 8446, Section 4.2.3 495 b.AddUint16(extensionSignatureAlgorithmsCert) 496 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 497 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 498 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 499 b.AddUint16(uint16(sigAlgo)) 500 } 501 }) 502 }) 503 } 504 }, 505 506 func() { 507 if m.secureRenegotiationSupported { 508 // RFC 5746, Section 3.2 509 b.AddUint16(extensionRenegotiationInfo) 510 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 511 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 512 b.AddBytes(m.secureRenegotiation) 513 }) 514 }) 515 } 516 }, 517 518 func() { 519 if len(m.alpnProtocols) > 0 { 520 // RFC 7301, Section 3.1 521 b.AddUint16(extensionALPN) 522 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 523 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 524 for _, proto := range m.alpnProtocols { 525 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 526 b.AddBytes([]byte(proto)) 527 }) 528 } 529 }) 530 }) 531 } 532 }, 533 534 func() { 535 if m.scts { 536 // RFC 6962, Section 3.3.1 537 b.AddUint16(extensionSCT) 538 b.AddUint16(0) // empty extension_data 539 } 540 }, 541 542 func() { 543 if len(m.supportedVersions) > 0 { 544 // RFC 8446, Section 4.2.1 545 b.AddUint16(extensionSupportedVersions) 546 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 547 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 548 for _, vers := range m.supportedVersions { 549 b.AddUint16(vers) 550 } 551 }) 552 }) 553 } 554 }, 555 556 func() { 557 if len(m.cookie) > 0 { 558 // RFC 8446, Section 4.2.2 559 b.AddUint16(extensionCookie) 560 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 561 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 562 b.AddBytes(m.cookie) 563 }) 564 }) 565 } 566 }, 567 568 func() { 569 if len(m.keyShares) > 0 { 570 // RFC 8446, Section 4.2.8 571 b.AddUint16(extensionKeyShare) 572 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 573 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 574 for _, ks := range m.keyShares { 575 b.AddUint16(uint16(ks.group)) 576 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 577 b.AddBytes(ks.data) 578 }) 579 } 580 }) 581 }) 582 } 583 }, 584 585 func() { 586 if m.earlyData { 587 // RFC 8446, Section 4.2.10 588 b.AddUint16(extensionEarlyData) 589 b.AddUint16(0) // empty extension_data 590 } 591 }, 592 593 func() { 594 if len(m.pskModes) > 0 { 595 // RFC 8446, Section 4.2.9 596 b.AddUint16(extensionPSKModes) 597 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 598 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 599 b.AddBytes(m.pskModes) 600 }) 601 }) 602 } 603 }, 604 } 605 606 for _, ext := range m.additionalExtensions { 607 extensionMarshallers = append(extensionMarshallers, 608 609 func() { 610 b.AddUint16(ext.Type) 611 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 612 b.AddBytes(ext.Data) 613 }) 614 615 }) 616 } 617 618 perm = m.PRNG.Perm(len(extensionMarshallers)) 619 for _, j := range perm { 620 extensionMarshallers[j]() 621 } 622 623 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 624 // RFC 8446, Section 4.2.11 625 b.AddUint16(extensionPreSharedKey) 626 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 627 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 628 for _, psk := range m.pskIdentities { 629 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 630 b.AddBytes(psk.label) 631 }) 632 b.AddUint32(psk.obfuscatedTicketAge) 633 } 634 }) 635 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 636 for _, binder := range m.pskBinders { 637 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 638 b.AddBytes(binder) 639 }) 640 } 641 }) 642 }) 643 } 644 645 extensionsPresent = len(b.BytesOrPanic()) > 2 646 }) 647 648 if !extensionsPresent { 649 *b = bWithoutExtensions 650 } 651 }) 652 653 m.raw = b.BytesOrPanic() 654 return m.raw 655 } 656 657 // marshalWithoutBinders returns the ClientHello through the 658 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 659 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 660 func (m *clientHelloMsg) marshalWithoutBinders() []byte { 661 bindersLen := 2 // uint16 length prefix 662 for _, binder := range m.pskBinders { 663 bindersLen += 1 // uint8 length prefix 664 bindersLen += len(binder) 665 } 666 667 fullMessage := m.marshal() 668 return fullMessage[:len(fullMessage)-bindersLen] 669 } 670 671 // updateBinders updates the m.pskBinders field, if necessary updating the 672 // cached marshaled representation. The supplied binders must have the same 673 // length as the current m.pskBinders. 674 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { 675 if len(pskBinders) != len(m.pskBinders) { 676 panic("tls: internal error: pskBinders length mismatch") 677 } 678 for i := range m.pskBinders { 679 if len(pskBinders[i]) != len(m.pskBinders[i]) { 680 panic("tls: internal error: pskBinders length mismatch") 681 } 682 } 683 m.pskBinders = pskBinders 684 if m.raw != nil { 685 lenWithoutBinders := len(m.marshalWithoutBinders()) 686 // TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported. 687 b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders]) 688 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 689 for _, binder := range m.pskBinders { 690 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 691 b.AddBytes(binder) 692 }) 693 } 694 }) 695 if len(b.BytesOrPanic()) != len(m.raw) { 696 panic("tls: internal error: failed to update binders") 697 } 698 } 699 } 700 701 func (m *clientHelloMsg) unmarshal(data []byte) bool { 702 *m = clientHelloMsg{raw: data} 703 s := cryptobyte.String(data) 704 705 if !s.Skip(4) || // message type and uint24 length field 706 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 707 !readUint8LengthPrefixed(&s, &m.sessionId) { 708 return false 709 } 710 711 var cipherSuites cryptobyte.String 712 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 713 return false 714 } 715 m.cipherSuites = []uint16{} 716 m.secureRenegotiationSupported = false 717 for !cipherSuites.Empty() { 718 var suite uint16 719 if !cipherSuites.ReadUint16(&suite) { 720 return false 721 } 722 if suite == scsvRenegotiation { 723 m.secureRenegotiationSupported = true 724 } 725 m.cipherSuites = append(m.cipherSuites, suite) 726 } 727 728 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 729 return false 730 } 731 732 if s.Empty() { 733 // ClientHello is optionally followed by extension data 734 return true 735 } 736 737 var extensions cryptobyte.String 738 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 739 return false 740 } 741 742 for !extensions.Empty() { 743 var ext uint16 744 var extData cryptobyte.String 745 if !extensions.ReadUint16(&ext) || 746 !extensions.ReadUint16LengthPrefixed(&extData) { 747 return false 748 } 749 750 switch ext { 751 case extensionServerName: 752 // RFC 6066, Section 3 753 var nameList cryptobyte.String 754 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 755 return false 756 } 757 for !nameList.Empty() { 758 var nameType uint8 759 var serverName cryptobyte.String 760 if !nameList.ReadUint8(&nameType) || 761 !nameList.ReadUint16LengthPrefixed(&serverName) || 762 serverName.Empty() { 763 return false 764 } 765 if nameType != 0 { 766 continue 767 } 768 if len(m.serverName) != 0 { 769 // Multiple names of the same name_type are prohibited. 770 return false 771 } 772 m.serverName = string(serverName) 773 // An SNI value may not include a trailing dot. 774 if strings.HasSuffix(m.serverName, ".") { 775 return false 776 } 777 } 778 case extensionStatusRequest: 779 // RFC 4366, Section 3.6 780 var statusType uint8 781 var ignored cryptobyte.String 782 if !extData.ReadUint8(&statusType) || 783 !extData.ReadUint16LengthPrefixed(&ignored) || 784 !extData.ReadUint16LengthPrefixed(&ignored) { 785 return false 786 } 787 m.ocspStapling = statusType == statusTypeOCSP 788 case extensionSupportedCurves: 789 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 790 var curves cryptobyte.String 791 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 792 return false 793 } 794 for !curves.Empty() { 795 var curve uint16 796 if !curves.ReadUint16(&curve) { 797 return false 798 } 799 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 800 } 801 case extensionSupportedPoints: 802 // RFC 4492, Section 5.1.2 803 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 804 len(m.supportedPoints) == 0 { 805 return false 806 } 807 case extensionSessionTicket: 808 // RFC 5077, Section 3.2 809 m.ticketSupported = true 810 extData.ReadBytes(&m.sessionTicket, len(extData)) 811 case extensionSignatureAlgorithms: 812 // RFC 5246, Section 7.4.1.4.1 813 var sigAndAlgs cryptobyte.String 814 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 815 return false 816 } 817 for !sigAndAlgs.Empty() { 818 var sigAndAlg uint16 819 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 820 return false 821 } 822 m.supportedSignatureAlgorithms = append( 823 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 824 } 825 case extensionSignatureAlgorithmsCert: 826 // RFC 8446, Section 4.2.3 827 var sigAndAlgs cryptobyte.String 828 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 829 return false 830 } 831 for !sigAndAlgs.Empty() { 832 var sigAndAlg uint16 833 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 834 return false 835 } 836 m.supportedSignatureAlgorithmsCert = append( 837 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 838 } 839 case extensionRenegotiationInfo: 840 // RFC 5746, Section 3.2 841 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 842 return false 843 } 844 m.secureRenegotiationSupported = true 845 case extensionALPN: 846 // RFC 7301, Section 3.1 847 var protoList cryptobyte.String 848 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 849 return false 850 } 851 for !protoList.Empty() { 852 var proto cryptobyte.String 853 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 854 return false 855 } 856 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 857 } 858 case extensionSCT: 859 // RFC 6962, Section 3.3.1 860 m.scts = true 861 case extensionSupportedVersions: 862 // RFC 8446, Section 4.2.1 863 var versList cryptobyte.String 864 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 865 return false 866 } 867 for !versList.Empty() { 868 var vers uint16 869 if !versList.ReadUint16(&vers) { 870 return false 871 } 872 m.supportedVersions = append(m.supportedVersions, vers) 873 } 874 case extensionCookie: 875 // RFC 8446, Section 4.2.2 876 if !readUint16LengthPrefixed(&extData, &m.cookie) || 877 len(m.cookie) == 0 { 878 return false 879 } 880 case extensionKeyShare: 881 // RFC 8446, Section 4.2.8 882 var clientShares cryptobyte.String 883 if !extData.ReadUint16LengthPrefixed(&clientShares) { 884 return false 885 } 886 for !clientShares.Empty() { 887 var ks keyShare 888 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 889 !readUint16LengthPrefixed(&clientShares, &ks.data) || 890 len(ks.data) == 0 { 891 return false 892 } 893 m.keyShares = append(m.keyShares, ks) 894 } 895 case extensionEarlyData: 896 // RFC 8446, Section 4.2.10 897 m.earlyData = true 898 case extensionPSKModes: 899 // RFC 8446, Section 4.2.9 900 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 901 return false 902 } 903 case extensionPreSharedKey: 904 // RFC 8446, Section 4.2.11 905 if !extensions.Empty() { 906 return false // pre_shared_key must be the last extension 907 } 908 var identities cryptobyte.String 909 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 910 return false 911 } 912 for !identities.Empty() { 913 var psk pskIdentity 914 if !readUint16LengthPrefixed(&identities, &psk.label) || 915 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 916 len(psk.label) == 0 { 917 return false 918 } 919 m.pskIdentities = append(m.pskIdentities, psk) 920 } 921 var binders cryptobyte.String 922 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 923 return false 924 } 925 for !binders.Empty() { 926 var binder []byte 927 if !readUint8LengthPrefixed(&binders, &binder) || 928 len(binder) == 0 { 929 return false 930 } 931 m.pskBinders = append(m.pskBinders, binder) 932 } 933 default: 934 m.additionalExtensions = append(m.additionalExtensions, Extension{Type: ext, Data: extData}) 935 continue 936 } 937 938 if !extData.Empty() { 939 return false 940 } 941 } 942 943 return true 944 } 945 946 type serverHelloMsg struct { 947 raw []byte 948 vers uint16 949 random []byte 950 sessionId []byte 951 cipherSuite uint16 952 compressionMethod uint8 953 ocspStapling bool 954 ticketSupported bool 955 secureRenegotiationSupported bool 956 secureRenegotiation []byte 957 alpnProtocol string 958 scts [][]byte 959 supportedVersion uint16 960 serverShare keyShare 961 selectedIdentityPresent bool 962 selectedIdentity uint16 963 supportedPoints []uint8 964 965 // HelloRetryRequest extensions 966 cookie []byte 967 selectedGroup CurveID 968 } 969 970 func (m *serverHelloMsg) marshal() []byte { 971 if m.raw != nil { 972 return m.raw 973 } 974 975 var b cryptobyte.Builder 976 b.AddUint8(typeServerHello) 977 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 978 b.AddUint16(m.vers) 979 addBytesWithLength(b, m.random, 32) 980 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 981 b.AddBytes(m.sessionId) 982 }) 983 b.AddUint16(m.cipherSuite) 984 b.AddUint8(m.compressionMethod) 985 986 // If extensions aren't present, omit them. 987 var extensionsPresent bool 988 bWithoutExtensions := *b 989 990 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 991 if m.ocspStapling { 992 b.AddUint16(extensionStatusRequest) 993 b.AddUint16(0) // empty extension_data 994 } 995 if m.ticketSupported { 996 b.AddUint16(extensionSessionTicket) 997 b.AddUint16(0) // empty extension_data 998 } 999 if m.secureRenegotiationSupported { 1000 b.AddUint16(extensionRenegotiationInfo) 1001 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1002 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1003 b.AddBytes(m.secureRenegotiation) 1004 }) 1005 }) 1006 } 1007 if len(m.alpnProtocol) > 0 { 1008 b.AddUint16(extensionALPN) 1009 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1010 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1011 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1012 b.AddBytes([]byte(m.alpnProtocol)) 1013 }) 1014 }) 1015 }) 1016 } 1017 if len(m.scts) > 0 { 1018 b.AddUint16(extensionSCT) 1019 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1020 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1021 for _, sct := range m.scts { 1022 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1023 b.AddBytes(sct) 1024 }) 1025 } 1026 }) 1027 }) 1028 } 1029 if m.supportedVersion != 0 { 1030 b.AddUint16(extensionSupportedVersions) 1031 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1032 b.AddUint16(m.supportedVersion) 1033 }) 1034 } 1035 if m.serverShare.group != 0 { 1036 b.AddUint16(extensionKeyShare) 1037 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1038 b.AddUint16(uint16(m.serverShare.group)) 1039 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1040 b.AddBytes(m.serverShare.data) 1041 }) 1042 }) 1043 } 1044 if m.selectedIdentityPresent { 1045 b.AddUint16(extensionPreSharedKey) 1046 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1047 b.AddUint16(m.selectedIdentity) 1048 }) 1049 } 1050 1051 if len(m.cookie) > 0 { 1052 b.AddUint16(extensionCookie) 1053 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1054 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1055 b.AddBytes(m.cookie) 1056 }) 1057 }) 1058 } 1059 if m.selectedGroup != 0 { 1060 b.AddUint16(extensionKeyShare) 1061 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1062 b.AddUint16(uint16(m.selectedGroup)) 1063 }) 1064 } 1065 if len(m.supportedPoints) > 0 { 1066 b.AddUint16(extensionSupportedPoints) 1067 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1068 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1069 b.AddBytes(m.supportedPoints) 1070 }) 1071 }) 1072 } 1073 1074 extensionsPresent = len(b.BytesOrPanic()) > 2 1075 }) 1076 1077 if !extensionsPresent { 1078 *b = bWithoutExtensions 1079 } 1080 }) 1081 1082 m.raw = b.BytesOrPanic() 1083 return m.raw 1084 } 1085 1086 func (m *serverHelloMsg) unmarshal(data []byte) bool { 1087 *m = serverHelloMsg{raw: data} 1088 s := cryptobyte.String(data) 1089 1090 if !s.Skip(4) || // message type and uint24 length field 1091 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 1092 !readUint8LengthPrefixed(&s, &m.sessionId) || 1093 !s.ReadUint16(&m.cipherSuite) || 1094 !s.ReadUint8(&m.compressionMethod) { 1095 return false 1096 } 1097 1098 if s.Empty() { 1099 // ServerHello is optionally followed by extension data 1100 return true 1101 } 1102 1103 var extensions cryptobyte.String 1104 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 1105 return false 1106 } 1107 1108 for !extensions.Empty() { 1109 var extension uint16 1110 var extData cryptobyte.String 1111 if !extensions.ReadUint16(&extension) || 1112 !extensions.ReadUint16LengthPrefixed(&extData) { 1113 return false 1114 } 1115 1116 switch extension { 1117 case extensionStatusRequest: 1118 m.ocspStapling = true 1119 case extensionSessionTicket: 1120 m.ticketSupported = true 1121 case extensionRenegotiationInfo: 1122 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 1123 return false 1124 } 1125 m.secureRenegotiationSupported = true 1126 case extensionALPN: 1127 var protoList cryptobyte.String 1128 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1129 return false 1130 } 1131 var proto cryptobyte.String 1132 if !protoList.ReadUint8LengthPrefixed(&proto) || 1133 proto.Empty() || !protoList.Empty() { 1134 return false 1135 } 1136 m.alpnProtocol = string(proto) 1137 case extensionSCT: 1138 var sctList cryptobyte.String 1139 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1140 return false 1141 } 1142 for !sctList.Empty() { 1143 var sct []byte 1144 if !readUint16LengthPrefixed(&sctList, &sct) || 1145 len(sct) == 0 { 1146 return false 1147 } 1148 m.scts = append(m.scts, sct) 1149 } 1150 case extensionSupportedVersions: 1151 if !extData.ReadUint16(&m.supportedVersion) { 1152 return false 1153 } 1154 case extensionCookie: 1155 if !readUint16LengthPrefixed(&extData, &m.cookie) || 1156 len(m.cookie) == 0 { 1157 return false 1158 } 1159 case extensionKeyShare: 1160 // This extension has different formats in SH and HRR, accept either 1161 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 1162 if len(extData) == 2 { 1163 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 1164 return false 1165 } 1166 } else { 1167 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 1168 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 1169 return false 1170 } 1171 } 1172 case extensionPreSharedKey: 1173 m.selectedIdentityPresent = true 1174 if !extData.ReadUint16(&m.selectedIdentity) { 1175 return false 1176 } 1177 case extensionSupportedPoints: 1178 // RFC 4492, Section 5.1.2 1179 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 1180 len(m.supportedPoints) == 0 { 1181 return false 1182 } 1183 default: 1184 // Ignore unknown extensions. 1185 continue 1186 } 1187 1188 if !extData.Empty() { 1189 return false 1190 } 1191 } 1192 1193 return true 1194 } 1195 1196 type encryptedExtensionsMsg struct { 1197 raw []byte 1198 alpnProtocol string 1199 earlyData bool 1200 1201 additionalExtensions []Extension 1202 } 1203 1204 func (m *encryptedExtensionsMsg) marshal() []byte { 1205 if m.raw != nil { 1206 return m.raw 1207 } 1208 1209 var b cryptobyte.Builder 1210 b.AddUint8(typeEncryptedExtensions) 1211 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1212 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1213 if len(m.alpnProtocol) > 0 { 1214 b.AddUint16(extensionALPN) 1215 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1216 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1217 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1218 b.AddBytes([]byte(m.alpnProtocol)) 1219 }) 1220 }) 1221 }) 1222 } 1223 if m.earlyData { 1224 // RFC 8446, Section 4.2.10 1225 b.AddUint16(extensionEarlyData) 1226 b.AddUint16(0) // empty extension_data 1227 } 1228 for _, ext := range m.additionalExtensions { 1229 b.AddUint16(ext.Type) 1230 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1231 b.AddBytes(ext.Data) 1232 }) 1233 } 1234 }) 1235 }) 1236 1237 m.raw = b.BytesOrPanic() 1238 return m.raw 1239 } 1240 1241 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1242 *m = encryptedExtensionsMsg{raw: data} 1243 s := cryptobyte.String(data) 1244 1245 var extensions cryptobyte.String 1246 if !s.Skip(4) || // message type and uint24 length field 1247 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 1248 return false 1249 } 1250 1251 for !extensions.Empty() { 1252 var ext uint16 1253 var extData cryptobyte.String 1254 if !extensions.ReadUint16(&ext) || 1255 !extensions.ReadUint16LengthPrefixed(&extData) { 1256 return false 1257 } 1258 1259 switch ext { 1260 case extensionALPN: 1261 var protoList cryptobyte.String 1262 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1263 return false 1264 } 1265 var proto cryptobyte.String 1266 if !protoList.ReadUint8LengthPrefixed(&proto) || 1267 proto.Empty() || !protoList.Empty() { 1268 return false 1269 } 1270 m.alpnProtocol = string(proto) 1271 case extensionEarlyData: 1272 m.earlyData = true 1273 default: 1274 m.additionalExtensions = append(m.additionalExtensions, Extension{Type: ext, Data: extData}) 1275 continue 1276 } 1277 1278 if !extData.Empty() { 1279 return false 1280 } 1281 } 1282 1283 return true 1284 } 1285 1286 type endOfEarlyDataMsg struct{} 1287 1288 func (m *endOfEarlyDataMsg) marshal() []byte { 1289 x := make([]byte, 4) 1290 x[0] = typeEndOfEarlyData 1291 return x 1292 } 1293 1294 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 1295 return len(data) == 4 1296 } 1297 1298 type keyUpdateMsg struct { 1299 raw []byte 1300 updateRequested bool 1301 } 1302 1303 func (m *keyUpdateMsg) marshal() []byte { 1304 if m.raw != nil { 1305 return m.raw 1306 } 1307 1308 var b cryptobyte.Builder 1309 b.AddUint8(typeKeyUpdate) 1310 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1311 if m.updateRequested { 1312 b.AddUint8(1) 1313 } else { 1314 b.AddUint8(0) 1315 } 1316 }) 1317 1318 m.raw = b.BytesOrPanic() 1319 return m.raw 1320 } 1321 1322 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 1323 m.raw = data 1324 s := cryptobyte.String(data) 1325 1326 var updateRequested uint8 1327 if !s.Skip(4) || // message type and uint24 length field 1328 !s.ReadUint8(&updateRequested) || !s.Empty() { 1329 return false 1330 } 1331 switch updateRequested { 1332 case 0: 1333 m.updateRequested = false 1334 case 1: 1335 m.updateRequested = true 1336 default: 1337 return false 1338 } 1339 return true 1340 } 1341 1342 type newSessionTicketMsgTLS13 struct { 1343 raw []byte 1344 lifetime uint32 1345 ageAdd uint32 1346 nonce []byte 1347 label []byte 1348 maxEarlyData uint32 1349 } 1350 1351 func (m *newSessionTicketMsgTLS13) marshal() []byte { 1352 if m.raw != nil { 1353 return m.raw 1354 } 1355 1356 var b cryptobyte.Builder 1357 b.AddUint8(typeNewSessionTicket) 1358 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1359 b.AddUint32(m.lifetime) 1360 b.AddUint32(m.ageAdd) 1361 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1362 b.AddBytes(m.nonce) 1363 }) 1364 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1365 b.AddBytes(m.label) 1366 }) 1367 1368 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1369 if m.maxEarlyData > 0 { 1370 b.AddUint16(extensionEarlyData) 1371 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1372 b.AddUint32(m.maxEarlyData) 1373 }) 1374 } 1375 }) 1376 }) 1377 1378 m.raw = b.BytesOrPanic() 1379 return m.raw 1380 } 1381 1382 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1383 *m = newSessionTicketMsgTLS13{raw: data} 1384 s := cryptobyte.String(data) 1385 1386 var extensions cryptobyte.String 1387 if !s.Skip(4) || // message type and uint24 length field 1388 !s.ReadUint32(&m.lifetime) || 1389 !s.ReadUint32(&m.ageAdd) || 1390 !readUint8LengthPrefixed(&s, &m.nonce) || 1391 !readUint16LengthPrefixed(&s, &m.label) || 1392 !s.ReadUint16LengthPrefixed(&extensions) || 1393 !s.Empty() { 1394 return false 1395 } 1396 1397 for !extensions.Empty() { 1398 var extension uint16 1399 var extData cryptobyte.String 1400 if !extensions.ReadUint16(&extension) || 1401 !extensions.ReadUint16LengthPrefixed(&extData) { 1402 return false 1403 } 1404 1405 switch extension { 1406 case extensionEarlyData: 1407 if !extData.ReadUint32(&m.maxEarlyData) { 1408 return false 1409 } 1410 default: 1411 // Ignore unknown extensions. 1412 continue 1413 } 1414 1415 if !extData.Empty() { 1416 return false 1417 } 1418 } 1419 1420 return true 1421 } 1422 1423 type certificateRequestMsgTLS13 struct { 1424 raw []byte 1425 ocspStapling bool 1426 scts bool 1427 supportedSignatureAlgorithms []SignatureScheme 1428 supportedSignatureAlgorithmsCert []SignatureScheme 1429 certificateAuthorities [][]byte 1430 } 1431 1432 func (m *certificateRequestMsgTLS13) marshal() []byte { 1433 if m.raw != nil { 1434 return m.raw 1435 } 1436 1437 var b cryptobyte.Builder 1438 b.AddUint8(typeCertificateRequest) 1439 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1440 // certificate_request_context (SHALL be zero length unless used for 1441 // post-handshake authentication) 1442 b.AddUint8(0) 1443 1444 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1445 if m.ocspStapling { 1446 b.AddUint16(extensionStatusRequest) 1447 b.AddUint16(0) // empty extension_data 1448 } 1449 if m.scts { 1450 // RFC 8446, Section 4.4.2.1 makes no mention of 1451 // signed_certificate_timestamp in CertificateRequest, but 1452 // "Extensions in the Certificate message from the client MUST 1453 // correspond to extensions in the CertificateRequest message 1454 // from the server." and it appears in the table in Section 4.2. 1455 b.AddUint16(extensionSCT) 1456 b.AddUint16(0) // empty extension_data 1457 } 1458 if len(m.supportedSignatureAlgorithms) > 0 { 1459 b.AddUint16(extensionSignatureAlgorithms) 1460 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1461 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1462 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1463 b.AddUint16(uint16(sigAlgo)) 1464 } 1465 }) 1466 }) 1467 } 1468 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1469 b.AddUint16(extensionSignatureAlgorithmsCert) 1470 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1471 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1472 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1473 b.AddUint16(uint16(sigAlgo)) 1474 } 1475 }) 1476 }) 1477 } 1478 if len(m.certificateAuthorities) > 0 { 1479 b.AddUint16(extensionCertificateAuthorities) 1480 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1481 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1482 for _, ca := range m.certificateAuthorities { 1483 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1484 b.AddBytes(ca) 1485 }) 1486 } 1487 }) 1488 }) 1489 } 1490 }) 1491 }) 1492 1493 m.raw = b.BytesOrPanic() 1494 return m.raw 1495 } 1496 1497 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1498 *m = certificateRequestMsgTLS13{raw: data} 1499 s := cryptobyte.String(data) 1500 1501 var context, extensions cryptobyte.String 1502 if !s.Skip(4) || // message type and uint24 length field 1503 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1504 !s.ReadUint16LengthPrefixed(&extensions) || 1505 !s.Empty() { 1506 return false 1507 } 1508 1509 for !extensions.Empty() { 1510 var extension uint16 1511 var extData cryptobyte.String 1512 if !extensions.ReadUint16(&extension) || 1513 !extensions.ReadUint16LengthPrefixed(&extData) { 1514 return false 1515 } 1516 1517 switch extension { 1518 case extensionStatusRequest: 1519 m.ocspStapling = true 1520 case extensionSCT: 1521 m.scts = true 1522 case extensionSignatureAlgorithms: 1523 var sigAndAlgs cryptobyte.String 1524 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1525 return false 1526 } 1527 for !sigAndAlgs.Empty() { 1528 var sigAndAlg uint16 1529 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1530 return false 1531 } 1532 m.supportedSignatureAlgorithms = append( 1533 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1534 } 1535 case extensionSignatureAlgorithmsCert: 1536 var sigAndAlgs cryptobyte.String 1537 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1538 return false 1539 } 1540 for !sigAndAlgs.Empty() { 1541 var sigAndAlg uint16 1542 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1543 return false 1544 } 1545 m.supportedSignatureAlgorithmsCert = append( 1546 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1547 } 1548 case extensionCertificateAuthorities: 1549 var auths cryptobyte.String 1550 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1551 return false 1552 } 1553 for !auths.Empty() { 1554 var ca []byte 1555 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1556 return false 1557 } 1558 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1559 } 1560 default: 1561 // Ignore unknown extensions. 1562 continue 1563 } 1564 1565 if !extData.Empty() { 1566 return false 1567 } 1568 } 1569 1570 return true 1571 } 1572 1573 type certificateMsg struct { 1574 raw []byte 1575 certificates [][]byte 1576 } 1577 1578 func (m *certificateMsg) marshal() (x []byte) { 1579 if m.raw != nil { 1580 return m.raw 1581 } 1582 1583 var i int 1584 for _, slice := range m.certificates { 1585 i += len(slice) 1586 } 1587 1588 length := 3 + 3*len(m.certificates) + i 1589 x = make([]byte, 4+length) 1590 x[0] = typeCertificate 1591 x[1] = uint8(length >> 16) 1592 x[2] = uint8(length >> 8) 1593 x[3] = uint8(length) 1594 1595 certificateOctets := length - 3 1596 x[4] = uint8(certificateOctets >> 16) 1597 x[5] = uint8(certificateOctets >> 8) 1598 x[6] = uint8(certificateOctets) 1599 1600 y := x[7:] 1601 for _, slice := range m.certificates { 1602 y[0] = uint8(len(slice) >> 16) 1603 y[1] = uint8(len(slice) >> 8) 1604 y[2] = uint8(len(slice)) 1605 copy(y[3:], slice) 1606 y = y[3+len(slice):] 1607 } 1608 1609 m.raw = x 1610 return 1611 } 1612 1613 func (m *certificateMsg) unmarshal(data []byte) bool { 1614 if len(data) < 7 { 1615 return false 1616 } 1617 1618 m.raw = data 1619 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1620 if uint32(len(data)) != certsLen+7 { 1621 return false 1622 } 1623 1624 numCerts := 0 1625 d := data[7:] 1626 for certsLen > 0 { 1627 if len(d) < 4 { 1628 return false 1629 } 1630 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1631 if uint32(len(d)) < 3+certLen { 1632 return false 1633 } 1634 d = d[3+certLen:] 1635 certsLen -= 3 + certLen 1636 numCerts++ 1637 } 1638 1639 m.certificates = make([][]byte, numCerts) 1640 d = data[7:] 1641 for i := 0; i < numCerts; i++ { 1642 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1643 m.certificates[i] = d[3 : 3+certLen] 1644 d = d[3+certLen:] 1645 } 1646 1647 return true 1648 } 1649 1650 type certificateMsgTLS13 struct { 1651 raw []byte 1652 certificate Certificate 1653 ocspStapling bool 1654 scts bool 1655 } 1656 1657 func (m *certificateMsgTLS13) marshal() []byte { 1658 if m.raw != nil { 1659 return m.raw 1660 } 1661 1662 var b cryptobyte.Builder 1663 b.AddUint8(typeCertificate) 1664 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1665 b.AddUint8(0) // certificate_request_context 1666 1667 certificate := m.certificate 1668 if !m.ocspStapling { 1669 certificate.OCSPStaple = nil 1670 } 1671 if !m.scts { 1672 certificate.SignedCertificateTimestamps = nil 1673 } 1674 marshalCertificate(b, certificate) 1675 }) 1676 1677 m.raw = b.BytesOrPanic() 1678 return m.raw 1679 } 1680 1681 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1682 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1683 for i, cert := range certificate.Certificate { 1684 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1685 b.AddBytes(cert) 1686 }) 1687 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1688 if i > 0 { 1689 // This library only supports OCSP and SCT for leaf certificates. 1690 return 1691 } 1692 if certificate.OCSPStaple != nil { 1693 b.AddUint16(extensionStatusRequest) 1694 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1695 b.AddUint8(statusTypeOCSP) 1696 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1697 b.AddBytes(certificate.OCSPStaple) 1698 }) 1699 }) 1700 } 1701 if certificate.SignedCertificateTimestamps != nil { 1702 b.AddUint16(extensionSCT) 1703 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1704 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1705 for _, sct := range certificate.SignedCertificateTimestamps { 1706 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1707 b.AddBytes(sct) 1708 }) 1709 } 1710 }) 1711 }) 1712 } 1713 }) 1714 } 1715 }) 1716 } 1717 1718 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1719 *m = certificateMsgTLS13{raw: data} 1720 s := cryptobyte.String(data) 1721 1722 var context cryptobyte.String 1723 if !s.Skip(4) || // message type and uint24 length field 1724 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1725 !unmarshalCertificate(&s, &m.certificate) || 1726 !s.Empty() { 1727 return false 1728 } 1729 1730 m.scts = m.certificate.SignedCertificateTimestamps != nil 1731 m.ocspStapling = m.certificate.OCSPStaple != nil 1732 1733 return true 1734 } 1735 1736 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1737 var certList cryptobyte.String 1738 if !s.ReadUint24LengthPrefixed(&certList) { 1739 return false 1740 } 1741 for !certList.Empty() { 1742 var cert []byte 1743 var extensions cryptobyte.String 1744 if !readUint24LengthPrefixed(&certList, &cert) || 1745 !certList.ReadUint16LengthPrefixed(&extensions) { 1746 return false 1747 } 1748 certificate.Certificate = append(certificate.Certificate, cert) 1749 for !extensions.Empty() { 1750 var extension uint16 1751 var extData cryptobyte.String 1752 if !extensions.ReadUint16(&extension) || 1753 !extensions.ReadUint16LengthPrefixed(&extData) { 1754 return false 1755 } 1756 if len(certificate.Certificate) > 1 { 1757 // This library only supports OCSP and SCT for leaf certificates. 1758 continue 1759 } 1760 1761 switch extension { 1762 case extensionStatusRequest: 1763 var statusType uint8 1764 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1765 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1766 len(certificate.OCSPStaple) == 0 { 1767 return false 1768 } 1769 case extensionSCT: 1770 var sctList cryptobyte.String 1771 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1772 return false 1773 } 1774 for !sctList.Empty() { 1775 var sct []byte 1776 if !readUint16LengthPrefixed(&sctList, &sct) || 1777 len(sct) == 0 { 1778 return false 1779 } 1780 certificate.SignedCertificateTimestamps = append( 1781 certificate.SignedCertificateTimestamps, sct) 1782 } 1783 default: 1784 // Ignore unknown extensions. 1785 continue 1786 } 1787 1788 if !extData.Empty() { 1789 return false 1790 } 1791 } 1792 } 1793 return true 1794 } 1795 1796 type serverKeyExchangeMsg struct { 1797 raw []byte 1798 key []byte 1799 } 1800 1801 func (m *serverKeyExchangeMsg) marshal() []byte { 1802 if m.raw != nil { 1803 return m.raw 1804 } 1805 length := len(m.key) 1806 x := make([]byte, length+4) 1807 x[0] = typeServerKeyExchange 1808 x[1] = uint8(length >> 16) 1809 x[2] = uint8(length >> 8) 1810 x[3] = uint8(length) 1811 copy(x[4:], m.key) 1812 1813 m.raw = x 1814 return x 1815 } 1816 1817 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1818 m.raw = data 1819 if len(data) < 4 { 1820 return false 1821 } 1822 m.key = data[4:] 1823 return true 1824 } 1825 1826 type certificateStatusMsg struct { 1827 raw []byte 1828 response []byte 1829 } 1830 1831 func (m *certificateStatusMsg) marshal() []byte { 1832 if m.raw != nil { 1833 return m.raw 1834 } 1835 1836 var b cryptobyte.Builder 1837 b.AddUint8(typeCertificateStatus) 1838 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1839 b.AddUint8(statusTypeOCSP) 1840 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1841 b.AddBytes(m.response) 1842 }) 1843 }) 1844 1845 m.raw = b.BytesOrPanic() 1846 return m.raw 1847 } 1848 1849 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1850 m.raw = data 1851 s := cryptobyte.String(data) 1852 1853 var statusType uint8 1854 if !s.Skip(4) || // message type and uint24 length field 1855 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1856 !readUint24LengthPrefixed(&s, &m.response) || 1857 len(m.response) == 0 || !s.Empty() { 1858 return false 1859 } 1860 return true 1861 } 1862 1863 type serverHelloDoneMsg struct{} 1864 1865 func (m *serverHelloDoneMsg) marshal() []byte { 1866 x := make([]byte, 4) 1867 x[0] = typeServerHelloDone 1868 return x 1869 } 1870 1871 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1872 return len(data) == 4 1873 } 1874 1875 type clientKeyExchangeMsg struct { 1876 raw []byte 1877 ciphertext []byte 1878 } 1879 1880 func (m *clientKeyExchangeMsg) marshal() []byte { 1881 if m.raw != nil { 1882 return m.raw 1883 } 1884 length := len(m.ciphertext) 1885 x := make([]byte, length+4) 1886 x[0] = typeClientKeyExchange 1887 x[1] = uint8(length >> 16) 1888 x[2] = uint8(length >> 8) 1889 x[3] = uint8(length) 1890 copy(x[4:], m.ciphertext) 1891 1892 m.raw = x 1893 return x 1894 } 1895 1896 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1897 m.raw = data 1898 if len(data) < 4 { 1899 return false 1900 } 1901 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1902 if l != len(data)-4 { 1903 return false 1904 } 1905 m.ciphertext = data[4:] 1906 return true 1907 } 1908 1909 type finishedMsg struct { 1910 raw []byte 1911 verifyData []byte 1912 } 1913 1914 func (m *finishedMsg) marshal() []byte { 1915 if m.raw != nil { 1916 return m.raw 1917 } 1918 1919 var b cryptobyte.Builder 1920 b.AddUint8(typeFinished) 1921 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1922 b.AddBytes(m.verifyData) 1923 }) 1924 1925 m.raw = b.BytesOrPanic() 1926 return m.raw 1927 } 1928 1929 func (m *finishedMsg) unmarshal(data []byte) bool { 1930 m.raw = data 1931 s := cryptobyte.String(data) 1932 return s.Skip(1) && 1933 readUint24LengthPrefixed(&s, &m.verifyData) && 1934 s.Empty() 1935 } 1936 1937 type certificateRequestMsg struct { 1938 raw []byte 1939 // hasSignatureAlgorithm indicates whether this message includes a list of 1940 // supported signature algorithms. This change was introduced with TLS 1.2. 1941 hasSignatureAlgorithm bool 1942 1943 certificateTypes []byte 1944 supportedSignatureAlgorithms []SignatureScheme 1945 certificateAuthorities [][]byte 1946 } 1947 1948 func (m *certificateRequestMsg) marshal() (x []byte) { 1949 if m.raw != nil { 1950 return m.raw 1951 } 1952 1953 // See RFC 4346, Section 7.4.4. 1954 length := 1 + len(m.certificateTypes) + 2 1955 casLength := 0 1956 for _, ca := range m.certificateAuthorities { 1957 casLength += 2 + len(ca) 1958 } 1959 length += casLength 1960 1961 if m.hasSignatureAlgorithm { 1962 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1963 } 1964 1965 x = make([]byte, 4+length) 1966 x[0] = typeCertificateRequest 1967 x[1] = uint8(length >> 16) 1968 x[2] = uint8(length >> 8) 1969 x[3] = uint8(length) 1970 1971 x[4] = uint8(len(m.certificateTypes)) 1972 1973 copy(x[5:], m.certificateTypes) 1974 y := x[5+len(m.certificateTypes):] 1975 1976 if m.hasSignatureAlgorithm { 1977 n := len(m.supportedSignatureAlgorithms) * 2 1978 y[0] = uint8(n >> 8) 1979 y[1] = uint8(n) 1980 y = y[2:] 1981 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1982 y[0] = uint8(sigAlgo >> 8) 1983 y[1] = uint8(sigAlgo) 1984 y = y[2:] 1985 } 1986 } 1987 1988 y[0] = uint8(casLength >> 8) 1989 y[1] = uint8(casLength) 1990 y = y[2:] 1991 for _, ca := range m.certificateAuthorities { 1992 y[0] = uint8(len(ca) >> 8) 1993 y[1] = uint8(len(ca)) 1994 y = y[2:] 1995 copy(y, ca) 1996 y = y[len(ca):] 1997 } 1998 1999 m.raw = x 2000 return 2001 } 2002 2003 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 2004 m.raw = data 2005 2006 if len(data) < 5 { 2007 return false 2008 } 2009 2010 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2011 if uint32(len(data))-4 != length { 2012 return false 2013 } 2014 2015 numCertTypes := int(data[4]) 2016 data = data[5:] 2017 if numCertTypes == 0 || len(data) <= numCertTypes { 2018 return false 2019 } 2020 2021 m.certificateTypes = make([]byte, numCertTypes) 2022 if copy(m.certificateTypes, data) != numCertTypes { 2023 return false 2024 } 2025 2026 data = data[numCertTypes:] 2027 2028 if m.hasSignatureAlgorithm { 2029 if len(data) < 2 { 2030 return false 2031 } 2032 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 2033 data = data[2:] 2034 if sigAndHashLen&1 != 0 { 2035 return false 2036 } 2037 if len(data) < int(sigAndHashLen) { 2038 return false 2039 } 2040 numSigAlgos := sigAndHashLen / 2 2041 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 2042 for i := range m.supportedSignatureAlgorithms { 2043 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 2044 data = data[2:] 2045 } 2046 } 2047 2048 if len(data) < 2 { 2049 return false 2050 } 2051 casLength := uint16(data[0])<<8 | uint16(data[1]) 2052 data = data[2:] 2053 if len(data) < int(casLength) { 2054 return false 2055 } 2056 cas := make([]byte, casLength) 2057 copy(cas, data) 2058 data = data[casLength:] 2059 2060 m.certificateAuthorities = nil 2061 for len(cas) > 0 { 2062 if len(cas) < 2 { 2063 return false 2064 } 2065 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 2066 cas = cas[2:] 2067 2068 if len(cas) < int(caLen) { 2069 return false 2070 } 2071 2072 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 2073 cas = cas[caLen:] 2074 } 2075 2076 return len(data) == 0 2077 } 2078 2079 type certificateVerifyMsg struct { 2080 raw []byte 2081 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 2082 signatureAlgorithm SignatureScheme 2083 signature []byte 2084 } 2085 2086 func (m *certificateVerifyMsg) marshal() (x []byte) { 2087 if m.raw != nil { 2088 return m.raw 2089 } 2090 2091 var b cryptobyte.Builder 2092 b.AddUint8(typeCertificateVerify) 2093 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2094 if m.hasSignatureAlgorithm { 2095 b.AddUint16(uint16(m.signatureAlgorithm)) 2096 } 2097 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2098 b.AddBytes(m.signature) 2099 }) 2100 }) 2101 2102 m.raw = b.BytesOrPanic() 2103 return m.raw 2104 } 2105 2106 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2107 m.raw = data 2108 s := cryptobyte.String(data) 2109 2110 if !s.Skip(4) { // message type and uint24 length field 2111 return false 2112 } 2113 if m.hasSignatureAlgorithm { 2114 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 2115 return false 2116 } 2117 } 2118 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 2119 } 2120 2121 type newSessionTicketMsg struct { 2122 raw []byte 2123 ticket []byte 2124 } 2125 2126 func (m *newSessionTicketMsg) marshal() (x []byte) { 2127 if m.raw != nil { 2128 return m.raw 2129 } 2130 2131 // See RFC 5077, Section 3.3. 2132 ticketLen := len(m.ticket) 2133 length := 2 + 4 + ticketLen 2134 x = make([]byte, 4+length) 2135 x[0] = typeNewSessionTicket 2136 x[1] = uint8(length >> 16) 2137 x[2] = uint8(length >> 8) 2138 x[3] = uint8(length) 2139 x[8] = uint8(ticketLen >> 8) 2140 x[9] = uint8(ticketLen) 2141 copy(x[10:], m.ticket) 2142 2143 m.raw = x 2144 2145 return 2146 } 2147 2148 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2149 m.raw = data 2150 2151 if len(data) < 10 { 2152 return false 2153 } 2154 2155 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2156 if uint32(len(data))-4 != length { 2157 return false 2158 } 2159 2160 ticketLen := int(data[8])<<8 + int(data[9]) 2161 if len(data)-10 != ticketLen { 2162 return false 2163 } 2164 2165 m.ticket = data[10:] 2166 2167 return true 2168 } 2169 2170 type helloRequestMsg struct { 2171 } 2172 2173 func (*helloRequestMsg) marshal() []byte { 2174 return []byte{typeHelloRequest, 0, 0, 0} 2175 } 2176 2177 func (*helloRequestMsg) unmarshal(data []byte) bool { 2178 return len(data) == 4 2179 }