github.com/ooni/psiphon/tunnel-core@v0.0.0-20230105123940-fe12a24c96ee/oovendor/qtls-go1-18/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package qtls 6 7 import ( 8 "fmt" 9 "strings" 10 11 "github.com/ooni/psiphon/tunnel-core/psiphon/common/prng" 12 "golang.org/x/crypto/cryptobyte" 13 ) 14 15 // The marshalingFunction type is an adapter to allow the use of ordinary 16 // functions as cryptobyte.MarshalingValue. 17 type marshalingFunction func(b *cryptobyte.Builder) error 18 19 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 20 return f(b) 21 } 22 23 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 24 // the length of the sequence is not the value specified, it produces an error. 25 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 26 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 27 if len(v) != n { 28 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 29 } 30 b.AddBytes(v) 31 return nil 32 })) 33 } 34 35 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 36 func addUint64(b *cryptobyte.Builder, v uint64) { 37 b.AddUint32(uint32(v >> 32)) 38 b.AddUint32(uint32(v)) 39 } 40 41 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 42 // It reports whether the read was successful. 43 func readUint64(s *cryptobyte.String, out *uint64) bool { 44 var hi, lo uint32 45 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 46 return false 47 } 48 *out = uint64(hi)<<32 | uint64(lo) 49 return true 50 } 51 52 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 53 // []byte instead of a cryptobyte.String. 54 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 55 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 56 } 57 58 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 59 // []byte instead of a cryptobyte.String. 60 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 61 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 62 } 63 64 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 65 // []byte instead of a cryptobyte.String. 66 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 67 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 68 } 69 70 type clientHelloMsg struct { 71 raw []byte 72 vers uint16 73 random []byte 74 sessionId []byte 75 cipherSuites []uint16 76 compressionMethods []uint8 77 serverName string 78 ocspStapling bool 79 supportedCurves []CurveID 80 supportedPoints []uint8 81 ticketSupported bool 82 sessionTicket []uint8 83 supportedSignatureAlgorithms []SignatureScheme 84 supportedSignatureAlgorithmsCert []SignatureScheme 85 secureRenegotiationSupported bool 86 secureRenegotiation []byte 87 alpnProtocols []string 88 scts bool 89 supportedVersions []uint16 90 cookie []byte 91 keyShares []keyShare 92 earlyData bool 93 pskModes []uint8 94 pskIdentities []pskIdentity 95 pskBinders [][]byte 96 additionalExtensions []Extension 97 98 // [Psiphon] 99 PRNG *prng.PRNG 100 } 101 102 func (m *clientHelloMsg) marshal() []byte { 103 if m.raw != nil { 104 return m.raw 105 } 106 107 // [Psiphon] 108 // Randomize the Client Hello. 109 if m.PRNG != nil { 110 return m.marshalRandomized() 111 } 112 113 var b cryptobyte.Builder 114 b.AddUint8(typeClientHello) 115 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 116 b.AddUint16(m.vers) 117 addBytesWithLength(b, m.random, 32) 118 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 119 b.AddBytes(m.sessionId) 120 }) 121 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 122 for _, suite := range m.cipherSuites { 123 b.AddUint16(suite) 124 } 125 }) 126 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 127 b.AddBytes(m.compressionMethods) 128 }) 129 130 // If extensions aren't present, omit them. 131 var extensionsPresent bool 132 bWithoutExtensions := *b 133 134 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 135 if len(m.serverName) > 0 { 136 // RFC 6066, Section 3 137 b.AddUint16(extensionServerName) 138 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 139 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 140 b.AddUint8(0) // name_type = host_name 141 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 142 b.AddBytes([]byte(m.serverName)) 143 }) 144 }) 145 }) 146 } 147 if m.ocspStapling { 148 // RFC 4366, Section 3.6 149 b.AddUint16(extensionStatusRequest) 150 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 151 b.AddUint8(1) // status_type = ocsp 152 b.AddUint16(0) // empty responder_id_list 153 b.AddUint16(0) // empty request_extensions 154 }) 155 } 156 if len(m.supportedCurves) > 0 { 157 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 158 b.AddUint16(extensionSupportedCurves) 159 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 160 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 161 for _, curve := range m.supportedCurves { 162 b.AddUint16(uint16(curve)) 163 } 164 }) 165 }) 166 } 167 if len(m.supportedPoints) > 0 { 168 // RFC 4492, Section 5.1.2 169 b.AddUint16(extensionSupportedPoints) 170 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 171 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 172 b.AddBytes(m.supportedPoints) 173 }) 174 }) 175 } 176 if m.ticketSupported { 177 // RFC 5077, Section 3.2 178 b.AddUint16(extensionSessionTicket) 179 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 180 b.AddBytes(m.sessionTicket) 181 }) 182 } 183 if len(m.supportedSignatureAlgorithms) > 0 { 184 // RFC 5246, Section 7.4.1.4.1 185 b.AddUint16(extensionSignatureAlgorithms) 186 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 187 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 188 for _, sigAlgo := range m.supportedSignatureAlgorithms { 189 b.AddUint16(uint16(sigAlgo)) 190 } 191 }) 192 }) 193 } 194 if len(m.supportedSignatureAlgorithmsCert) > 0 { 195 // RFC 8446, Section 4.2.3 196 b.AddUint16(extensionSignatureAlgorithmsCert) 197 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 198 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 199 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 200 b.AddUint16(uint16(sigAlgo)) 201 } 202 }) 203 }) 204 } 205 if m.secureRenegotiationSupported { 206 // RFC 5746, Section 3.2 207 b.AddUint16(extensionRenegotiationInfo) 208 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 209 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 210 b.AddBytes(m.secureRenegotiation) 211 }) 212 }) 213 } 214 if len(m.alpnProtocols) > 0 { 215 // RFC 7301, Section 3.1 216 b.AddUint16(extensionALPN) 217 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 218 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 219 for _, proto := range m.alpnProtocols { 220 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 221 b.AddBytes([]byte(proto)) 222 }) 223 } 224 }) 225 }) 226 } 227 if m.scts { 228 // RFC 6962, Section 3.3.1 229 b.AddUint16(extensionSCT) 230 b.AddUint16(0) // empty extension_data 231 } 232 if len(m.supportedVersions) > 0 { 233 // RFC 8446, Section 4.2.1 234 b.AddUint16(extensionSupportedVersions) 235 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 236 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 237 for _, vers := range m.supportedVersions { 238 b.AddUint16(vers) 239 } 240 }) 241 }) 242 } 243 if len(m.cookie) > 0 { 244 // RFC 8446, Section 4.2.2 245 b.AddUint16(extensionCookie) 246 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 247 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 248 b.AddBytes(m.cookie) 249 }) 250 }) 251 } 252 if len(m.keyShares) > 0 { 253 // RFC 8446, Section 4.2.8 254 b.AddUint16(extensionKeyShare) 255 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 256 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 257 for _, ks := range m.keyShares { 258 b.AddUint16(uint16(ks.group)) 259 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 260 b.AddBytes(ks.data) 261 }) 262 } 263 }) 264 }) 265 } 266 if m.earlyData { 267 // RFC 8446, Section 4.2.10 268 b.AddUint16(extensionEarlyData) 269 b.AddUint16(0) // empty extension_data 270 } 271 if len(m.pskModes) > 0 { 272 // RFC 8446, Section 4.2.9 273 b.AddUint16(extensionPSKModes) 274 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 275 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 276 b.AddBytes(m.pskModes) 277 }) 278 }) 279 } 280 for _, ext := range m.additionalExtensions { 281 b.AddUint16(ext.Type) 282 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 283 b.AddBytes(ext.Data) 284 }) 285 } 286 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 287 // RFC 8446, Section 4.2.11 288 b.AddUint16(extensionPreSharedKey) 289 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 290 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 291 for _, psk := range m.pskIdentities { 292 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 293 b.AddBytes(psk.label) 294 }) 295 b.AddUint32(psk.obfuscatedTicketAge) 296 } 297 }) 298 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 299 for _, binder := range m.pskBinders { 300 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 301 b.AddBytes(binder) 302 }) 303 } 304 }) 305 }) 306 } 307 308 extensionsPresent = len(b.BytesOrPanic()) > 2 309 }) 310 311 if !extensionsPresent { 312 *b = bWithoutExtensions 313 } 314 }) 315 316 m.raw = b.BytesOrPanic() 317 return m.raw 318 } 319 320 // [Psiphon] 321 // 322 // marshalRandomized is a randomized variant of marshal. The original Marshal 323 // is retained as-is to ease future merging. 324 // 325 // The offered cipher suites and algorithms are shuffled and truncated. Longer 326 // lists are selected with higher probability. Extensions are shuffled. 327 // 328 // The quic_transport_parameters extension is marshaled in quic-go and is 329 // randomized in TransportParameters.Marshal. 330 func (m *clientHelloMsg) marshalRandomized() []byte { 331 if m.raw != nil { 332 return m.raw 333 } 334 335 // Some inputs, such as m.supportedCurves, point to global variables. Copy 336 // all slices before truncating. 337 338 cipherSuites := make([]uint16, len(m.cipherSuites)) 339 perm := m.PRNG.Perm(len(m.cipherSuites)) 340 for i, j := range perm { 341 cipherSuites[j] = m.cipherSuites[i] 342 } 343 cut := len(cipherSuites) 344 for ; cut > 1; cut-- { 345 if !m.PRNG.FlipCoin() { 346 break 347 } 348 } 349 cipherSuites = cipherSuites[:cut] 350 351 compressionMethods := make([]uint8, len(m.compressionMethods)) 352 perm = m.PRNG.Perm(len(m.compressionMethods)) 353 for i, j := range perm { 354 compressionMethods[j] = m.compressionMethods[i] 355 } 356 cut = len(compressionMethods) 357 for ; cut > 1; cut-- { 358 if !m.PRNG.FlipCoin() { 359 break 360 } 361 } 362 compressionMethods = compressionMethods[:cut] 363 364 supportedCurves := make([]CurveID, len(m.supportedCurves)) 365 perm = m.PRNG.Perm(len(m.supportedCurves)) 366 for i, j := range perm { 367 supportedCurves[j] = m.supportedCurves[i] 368 } 369 cut = len(supportedCurves) 370 for ; cut > 1; cut-- { 371 if !m.PRNG.FlipCoin() { 372 break 373 } 374 } 375 supportedCurves = supportedCurves[:cut] 376 377 supportedPoints := make([]uint8, len(m.supportedPoints)) 378 perm = m.PRNG.Perm(len(m.supportedPoints)) 379 for i, j := range perm { 380 supportedPoints[j] = m.supportedPoints[i] 381 } 382 cut = len(supportedPoints) 383 for ; cut > 1; cut-- { 384 if !m.PRNG.FlipCoin() { 385 break 386 } 387 } 388 supportedPoints = supportedPoints[:cut] 389 390 var b cryptobyte.Builder 391 b.AddUint8(typeClientHello) 392 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 393 b.AddUint16(m.vers) 394 addBytesWithLength(b, m.random, 32) 395 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 396 b.AddBytes(m.sessionId) 397 }) 398 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 399 for _, suite := range cipherSuites { 400 b.AddUint16(suite) 401 } 402 }) 403 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 404 b.AddBytes(compressionMethods) 405 }) 406 407 // If extensions aren't present, omit them. 408 var extensionsPresent bool 409 bWithoutExtensions := *b 410 411 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 412 413 extensionMarshallers := []func(){ 414 415 func() { 416 if len(m.serverName) > 0 { 417 // RFC 6066, Section 3 418 b.AddUint16(extensionServerName) 419 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 420 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 421 b.AddUint8(0) // name_type = host_name 422 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 423 b.AddBytes([]byte(m.serverName)) 424 }) 425 }) 426 }) 427 } 428 }, 429 430 func() { 431 if m.ocspStapling { 432 // RFC 4366, Section 3.6 433 b.AddUint16(extensionStatusRequest) 434 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 435 b.AddUint8(1) // status_type = ocsp 436 b.AddUint16(0) // empty responder_id_list 437 b.AddUint16(0) // empty request_extensions 438 }) 439 } 440 }, 441 442 func() { 443 if len(supportedCurves) > 0 { 444 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 445 b.AddUint16(extensionSupportedCurves) 446 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 447 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 448 for _, curve := range supportedCurves { 449 b.AddUint16(uint16(curve)) 450 } 451 }) 452 }) 453 } 454 }, 455 456 func() { 457 if len(supportedPoints) > 0 { 458 // RFC 4492, Section 5.1.2 459 b.AddUint16(extensionSupportedPoints) 460 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 461 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 462 b.AddBytes(supportedPoints) 463 }) 464 }) 465 } 466 }, 467 468 func() { 469 if m.ticketSupported { 470 // RFC 5077, Section 3.2 471 b.AddUint16(extensionSessionTicket) 472 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 473 b.AddBytes(m.sessionTicket) 474 }) 475 } 476 }, 477 478 func() { 479 if len(m.supportedSignatureAlgorithms) > 0 { 480 // RFC 5246, Section 7.4.1.4.1 481 b.AddUint16(extensionSignatureAlgorithms) 482 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 483 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 484 for _, sigAlgo := range m.supportedSignatureAlgorithms { 485 b.AddUint16(uint16(sigAlgo)) 486 } 487 }) 488 }) 489 } 490 }, 491 492 func() { 493 if len(m.supportedSignatureAlgorithmsCert) > 0 { 494 // RFC 8446, Section 4.2.3 495 b.AddUint16(extensionSignatureAlgorithmsCert) 496 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 497 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 498 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 499 b.AddUint16(uint16(sigAlgo)) 500 } 501 }) 502 }) 503 } 504 }, 505 506 func() { 507 if m.secureRenegotiationSupported { 508 // RFC 5746, Section 3.2 509 b.AddUint16(extensionRenegotiationInfo) 510 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 511 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 512 b.AddBytes(m.secureRenegotiation) 513 }) 514 }) 515 } 516 }, 517 518 func() { 519 if len(m.alpnProtocols) > 0 { 520 // RFC 7301, Section 3.1 521 b.AddUint16(extensionALPN) 522 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 523 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 524 for _, proto := range m.alpnProtocols { 525 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 526 b.AddBytes([]byte(proto)) 527 }) 528 } 529 }) 530 }) 531 } 532 }, 533 534 func() { 535 if m.scts { 536 // RFC 6962, Section 3.3.1 537 b.AddUint16(extensionSCT) 538 b.AddUint16(0) // empty extension_data 539 } 540 }, 541 542 func() { 543 if len(m.supportedVersions) > 0 { 544 // RFC 8446, Section 4.2.1 545 b.AddUint16(extensionSupportedVersions) 546 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 547 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 548 for _, vers := range m.supportedVersions { 549 b.AddUint16(vers) 550 } 551 }) 552 }) 553 } 554 }, 555 556 func() { 557 if len(m.cookie) > 0 { 558 // RFC 8446, Section 4.2.2 559 b.AddUint16(extensionCookie) 560 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 561 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 562 b.AddBytes(m.cookie) 563 }) 564 }) 565 } 566 }, 567 568 func() { 569 if len(m.keyShares) > 0 { 570 // RFC 8446, Section 4.2.8 571 b.AddUint16(extensionKeyShare) 572 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 573 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 574 for _, ks := range m.keyShares { 575 b.AddUint16(uint16(ks.group)) 576 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 577 b.AddBytes(ks.data) 578 }) 579 } 580 }) 581 }) 582 } 583 }, 584 585 func() { 586 if m.earlyData { 587 // RFC 8446, Section 4.2.10 588 b.AddUint16(extensionEarlyData) 589 b.AddUint16(0) // empty extension_data 590 } 591 }, 592 593 func() { 594 if len(m.pskModes) > 0 { 595 // RFC 8446, Section 4.2.9 596 b.AddUint16(extensionPSKModes) 597 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 598 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 599 b.AddBytes(m.pskModes) 600 }) 601 }) 602 } 603 }, 604 } 605 606 for _, ext := range m.additionalExtensions { 607 extensionMarshallers = append(extensionMarshallers, 608 609 func() { 610 b.AddUint16(ext.Type) 611 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 612 b.AddBytes(ext.Data) 613 }) 614 615 }) 616 } 617 618 perm = m.PRNG.Perm(len(extensionMarshallers)) 619 for _, j := range perm { 620 extensionMarshallers[j]() 621 } 622 623 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 624 // RFC 8446, Section 4.2.11 625 b.AddUint16(extensionPreSharedKey) 626 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 627 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 628 for _, psk := range m.pskIdentities { 629 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 630 b.AddBytes(psk.label) 631 }) 632 b.AddUint32(psk.obfuscatedTicketAge) 633 } 634 }) 635 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 636 for _, binder := range m.pskBinders { 637 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 638 b.AddBytes(binder) 639 }) 640 } 641 }) 642 }) 643 } 644 645 extensionsPresent = len(b.BytesOrPanic()) > 2 646 }) 647 648 if !extensionsPresent { 649 *b = bWithoutExtensions 650 } 651 }) 652 653 m.raw = b.BytesOrPanic() 654 return m.raw 655 } 656 657 // marshalWithoutBinders returns the ClientHello through the 658 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 659 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 660 func (m *clientHelloMsg) marshalWithoutBinders() []byte { 661 bindersLen := 2 // uint16 length prefix 662 for _, binder := range m.pskBinders { 663 bindersLen += 1 // uint8 length prefix 664 bindersLen += len(binder) 665 } 666 667 fullMessage := m.marshal() 668 return fullMessage[:len(fullMessage)-bindersLen] 669 } 670 671 // updateBinders updates the m.pskBinders field, if necessary updating the 672 // cached marshaled representation. The supplied binders must have the same 673 // length as the current m.pskBinders. 674 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { 675 if len(pskBinders) != len(m.pskBinders) { 676 panic("tls: internal error: pskBinders length mismatch") 677 } 678 for i := range m.pskBinders { 679 if len(pskBinders[i]) != len(m.pskBinders[i]) { 680 panic("tls: internal error: pskBinders length mismatch") 681 } 682 } 683 m.pskBinders = pskBinders 684 if m.raw != nil { 685 lenWithoutBinders := len(m.marshalWithoutBinders()) 686 b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders]) 687 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 688 for _, binder := range m.pskBinders { 689 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 690 b.AddBytes(binder) 691 }) 692 } 693 }) 694 if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) { 695 panic("tls: internal error: failed to update binders") 696 } 697 } 698 } 699 700 func (m *clientHelloMsg) unmarshal(data []byte) bool { 701 *m = clientHelloMsg{raw: data} 702 s := cryptobyte.String(data) 703 704 if !s.Skip(4) || // message type and uint24 length field 705 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 706 !readUint8LengthPrefixed(&s, &m.sessionId) { 707 return false 708 } 709 710 var cipherSuites cryptobyte.String 711 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 712 return false 713 } 714 m.cipherSuites = []uint16{} 715 m.secureRenegotiationSupported = false 716 for !cipherSuites.Empty() { 717 var suite uint16 718 if !cipherSuites.ReadUint16(&suite) { 719 return false 720 } 721 if suite == scsvRenegotiation { 722 m.secureRenegotiationSupported = true 723 } 724 m.cipherSuites = append(m.cipherSuites, suite) 725 } 726 727 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 728 return false 729 } 730 731 if s.Empty() { 732 // ClientHello is optionally followed by extension data 733 return true 734 } 735 736 var extensions cryptobyte.String 737 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 738 return false 739 } 740 741 for !extensions.Empty() { 742 var ext uint16 743 var extData cryptobyte.String 744 if !extensions.ReadUint16(&ext) || 745 !extensions.ReadUint16LengthPrefixed(&extData) { 746 return false 747 } 748 749 switch ext { 750 case extensionServerName: 751 // RFC 6066, Section 3 752 var nameList cryptobyte.String 753 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 754 return false 755 } 756 for !nameList.Empty() { 757 var nameType uint8 758 var serverName cryptobyte.String 759 if !nameList.ReadUint8(&nameType) || 760 !nameList.ReadUint16LengthPrefixed(&serverName) || 761 serverName.Empty() { 762 return false 763 } 764 if nameType != 0 { 765 continue 766 } 767 if len(m.serverName) != 0 { 768 // Multiple names of the same name_type are prohibited. 769 return false 770 } 771 m.serverName = string(serverName) 772 // An SNI value may not include a trailing dot. 773 if strings.HasSuffix(m.serverName, ".") { 774 return false 775 } 776 } 777 case extensionStatusRequest: 778 // RFC 4366, Section 3.6 779 var statusType uint8 780 var ignored cryptobyte.String 781 if !extData.ReadUint8(&statusType) || 782 !extData.ReadUint16LengthPrefixed(&ignored) || 783 !extData.ReadUint16LengthPrefixed(&ignored) { 784 return false 785 } 786 m.ocspStapling = statusType == statusTypeOCSP 787 case extensionSupportedCurves: 788 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 789 var curves cryptobyte.String 790 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 791 return false 792 } 793 for !curves.Empty() { 794 var curve uint16 795 if !curves.ReadUint16(&curve) { 796 return false 797 } 798 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 799 } 800 case extensionSupportedPoints: 801 // RFC 4492, Section 5.1.2 802 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 803 len(m.supportedPoints) == 0 { 804 return false 805 } 806 case extensionSessionTicket: 807 // RFC 5077, Section 3.2 808 m.ticketSupported = true 809 extData.ReadBytes(&m.sessionTicket, len(extData)) 810 case extensionSignatureAlgorithms: 811 // RFC 5246, Section 7.4.1.4.1 812 var sigAndAlgs cryptobyte.String 813 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 814 return false 815 } 816 for !sigAndAlgs.Empty() { 817 var sigAndAlg uint16 818 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 819 return false 820 } 821 m.supportedSignatureAlgorithms = append( 822 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 823 } 824 case extensionSignatureAlgorithmsCert: 825 // RFC 8446, Section 4.2.3 826 var sigAndAlgs cryptobyte.String 827 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 828 return false 829 } 830 for !sigAndAlgs.Empty() { 831 var sigAndAlg uint16 832 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 833 return false 834 } 835 m.supportedSignatureAlgorithmsCert = append( 836 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 837 } 838 case extensionRenegotiationInfo: 839 // RFC 5746, Section 3.2 840 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 841 return false 842 } 843 m.secureRenegotiationSupported = true 844 case extensionALPN: 845 // RFC 7301, Section 3.1 846 var protoList cryptobyte.String 847 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 848 return false 849 } 850 for !protoList.Empty() { 851 var proto cryptobyte.String 852 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 853 return false 854 } 855 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 856 } 857 case extensionSCT: 858 // RFC 6962, Section 3.3.1 859 m.scts = true 860 case extensionSupportedVersions: 861 // RFC 8446, Section 4.2.1 862 var versList cryptobyte.String 863 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 864 return false 865 } 866 for !versList.Empty() { 867 var vers uint16 868 if !versList.ReadUint16(&vers) { 869 return false 870 } 871 m.supportedVersions = append(m.supportedVersions, vers) 872 } 873 case extensionCookie: 874 // RFC 8446, Section 4.2.2 875 if !readUint16LengthPrefixed(&extData, &m.cookie) || 876 len(m.cookie) == 0 { 877 return false 878 } 879 case extensionKeyShare: 880 // RFC 8446, Section 4.2.8 881 var clientShares cryptobyte.String 882 if !extData.ReadUint16LengthPrefixed(&clientShares) { 883 return false 884 } 885 for !clientShares.Empty() { 886 var ks keyShare 887 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 888 !readUint16LengthPrefixed(&clientShares, &ks.data) || 889 len(ks.data) == 0 { 890 return false 891 } 892 m.keyShares = append(m.keyShares, ks) 893 } 894 case extensionEarlyData: 895 // RFC 8446, Section 4.2.10 896 m.earlyData = true 897 case extensionPSKModes: 898 // RFC 8446, Section 4.2.9 899 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 900 return false 901 } 902 case extensionPreSharedKey: 903 // RFC 8446, Section 4.2.11 904 if !extensions.Empty() { 905 return false // pre_shared_key must be the last extension 906 } 907 var identities cryptobyte.String 908 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 909 return false 910 } 911 for !identities.Empty() { 912 var psk pskIdentity 913 if !readUint16LengthPrefixed(&identities, &psk.label) || 914 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 915 len(psk.label) == 0 { 916 return false 917 } 918 m.pskIdentities = append(m.pskIdentities, psk) 919 } 920 var binders cryptobyte.String 921 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 922 return false 923 } 924 for !binders.Empty() { 925 var binder []byte 926 if !readUint8LengthPrefixed(&binders, &binder) || 927 len(binder) == 0 { 928 return false 929 } 930 m.pskBinders = append(m.pskBinders, binder) 931 } 932 default: 933 m.additionalExtensions = append(m.additionalExtensions, Extension{Type: ext, Data: extData}) 934 continue 935 } 936 937 if !extData.Empty() { 938 return false 939 } 940 } 941 942 return true 943 } 944 945 type serverHelloMsg struct { 946 raw []byte 947 vers uint16 948 random []byte 949 sessionId []byte 950 cipherSuite uint16 951 compressionMethod uint8 952 ocspStapling bool 953 ticketSupported bool 954 secureRenegotiationSupported bool 955 secureRenegotiation []byte 956 alpnProtocol string 957 scts [][]byte 958 supportedVersion uint16 959 serverShare keyShare 960 selectedIdentityPresent bool 961 selectedIdentity uint16 962 supportedPoints []uint8 963 964 // HelloRetryRequest extensions 965 cookie []byte 966 selectedGroup CurveID 967 } 968 969 func (m *serverHelloMsg) marshal() []byte { 970 if m.raw != nil { 971 return m.raw 972 } 973 974 var b cryptobyte.Builder 975 b.AddUint8(typeServerHello) 976 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 977 b.AddUint16(m.vers) 978 addBytesWithLength(b, m.random, 32) 979 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 980 b.AddBytes(m.sessionId) 981 }) 982 b.AddUint16(m.cipherSuite) 983 b.AddUint8(m.compressionMethod) 984 985 // If extensions aren't present, omit them. 986 var extensionsPresent bool 987 bWithoutExtensions := *b 988 989 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 990 if m.ocspStapling { 991 b.AddUint16(extensionStatusRequest) 992 b.AddUint16(0) // empty extension_data 993 } 994 if m.ticketSupported { 995 b.AddUint16(extensionSessionTicket) 996 b.AddUint16(0) // empty extension_data 997 } 998 if m.secureRenegotiationSupported { 999 b.AddUint16(extensionRenegotiationInfo) 1000 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1001 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1002 b.AddBytes(m.secureRenegotiation) 1003 }) 1004 }) 1005 } 1006 if len(m.alpnProtocol) > 0 { 1007 b.AddUint16(extensionALPN) 1008 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1009 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1010 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1011 b.AddBytes([]byte(m.alpnProtocol)) 1012 }) 1013 }) 1014 }) 1015 } 1016 if len(m.scts) > 0 { 1017 b.AddUint16(extensionSCT) 1018 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1019 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1020 for _, sct := range m.scts { 1021 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1022 b.AddBytes(sct) 1023 }) 1024 } 1025 }) 1026 }) 1027 } 1028 if m.supportedVersion != 0 { 1029 b.AddUint16(extensionSupportedVersions) 1030 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1031 b.AddUint16(m.supportedVersion) 1032 }) 1033 } 1034 if m.serverShare.group != 0 { 1035 b.AddUint16(extensionKeyShare) 1036 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1037 b.AddUint16(uint16(m.serverShare.group)) 1038 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1039 b.AddBytes(m.serverShare.data) 1040 }) 1041 }) 1042 } 1043 if m.selectedIdentityPresent { 1044 b.AddUint16(extensionPreSharedKey) 1045 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1046 b.AddUint16(m.selectedIdentity) 1047 }) 1048 } 1049 1050 if len(m.cookie) > 0 { 1051 b.AddUint16(extensionCookie) 1052 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1053 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1054 b.AddBytes(m.cookie) 1055 }) 1056 }) 1057 } 1058 if m.selectedGroup != 0 { 1059 b.AddUint16(extensionKeyShare) 1060 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1061 b.AddUint16(uint16(m.selectedGroup)) 1062 }) 1063 } 1064 if len(m.supportedPoints) > 0 { 1065 b.AddUint16(extensionSupportedPoints) 1066 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1067 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1068 b.AddBytes(m.supportedPoints) 1069 }) 1070 }) 1071 } 1072 1073 extensionsPresent = len(b.BytesOrPanic()) > 2 1074 }) 1075 1076 if !extensionsPresent { 1077 *b = bWithoutExtensions 1078 } 1079 }) 1080 1081 m.raw = b.BytesOrPanic() 1082 return m.raw 1083 } 1084 1085 func (m *serverHelloMsg) unmarshal(data []byte) bool { 1086 *m = serverHelloMsg{raw: data} 1087 s := cryptobyte.String(data) 1088 1089 if !s.Skip(4) || // message type and uint24 length field 1090 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 1091 !readUint8LengthPrefixed(&s, &m.sessionId) || 1092 !s.ReadUint16(&m.cipherSuite) || 1093 !s.ReadUint8(&m.compressionMethod) { 1094 return false 1095 } 1096 1097 if s.Empty() { 1098 // ServerHello is optionally followed by extension data 1099 return true 1100 } 1101 1102 var extensions cryptobyte.String 1103 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 1104 return false 1105 } 1106 1107 for !extensions.Empty() { 1108 var extension uint16 1109 var extData cryptobyte.String 1110 if !extensions.ReadUint16(&extension) || 1111 !extensions.ReadUint16LengthPrefixed(&extData) { 1112 return false 1113 } 1114 1115 switch extension { 1116 case extensionStatusRequest: 1117 m.ocspStapling = true 1118 case extensionSessionTicket: 1119 m.ticketSupported = true 1120 case extensionRenegotiationInfo: 1121 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 1122 return false 1123 } 1124 m.secureRenegotiationSupported = true 1125 case extensionALPN: 1126 var protoList cryptobyte.String 1127 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1128 return false 1129 } 1130 var proto cryptobyte.String 1131 if !protoList.ReadUint8LengthPrefixed(&proto) || 1132 proto.Empty() || !protoList.Empty() { 1133 return false 1134 } 1135 m.alpnProtocol = string(proto) 1136 case extensionSCT: 1137 var sctList cryptobyte.String 1138 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1139 return false 1140 } 1141 for !sctList.Empty() { 1142 var sct []byte 1143 if !readUint16LengthPrefixed(&sctList, &sct) || 1144 len(sct) == 0 { 1145 return false 1146 } 1147 m.scts = append(m.scts, sct) 1148 } 1149 case extensionSupportedVersions: 1150 if !extData.ReadUint16(&m.supportedVersion) { 1151 return false 1152 } 1153 case extensionCookie: 1154 if !readUint16LengthPrefixed(&extData, &m.cookie) || 1155 len(m.cookie) == 0 { 1156 return false 1157 } 1158 case extensionKeyShare: 1159 // This extension has different formats in SH and HRR, accept either 1160 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 1161 if len(extData) == 2 { 1162 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 1163 return false 1164 } 1165 } else { 1166 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 1167 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 1168 return false 1169 } 1170 } 1171 case extensionPreSharedKey: 1172 m.selectedIdentityPresent = true 1173 if !extData.ReadUint16(&m.selectedIdentity) { 1174 return false 1175 } 1176 case extensionSupportedPoints: 1177 // RFC 4492, Section 5.1.2 1178 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 1179 len(m.supportedPoints) == 0 { 1180 return false 1181 } 1182 default: 1183 // Ignore unknown extensions. 1184 continue 1185 } 1186 1187 if !extData.Empty() { 1188 return false 1189 } 1190 } 1191 1192 return true 1193 } 1194 1195 type encryptedExtensionsMsg struct { 1196 raw []byte 1197 alpnProtocol string 1198 earlyData bool 1199 1200 additionalExtensions []Extension 1201 } 1202 1203 func (m *encryptedExtensionsMsg) marshal() []byte { 1204 if m.raw != nil { 1205 return m.raw 1206 } 1207 1208 var b cryptobyte.Builder 1209 b.AddUint8(typeEncryptedExtensions) 1210 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1211 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1212 if len(m.alpnProtocol) > 0 { 1213 b.AddUint16(extensionALPN) 1214 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1215 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1216 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1217 b.AddBytes([]byte(m.alpnProtocol)) 1218 }) 1219 }) 1220 }) 1221 } 1222 if m.earlyData { 1223 // RFC 8446, Section 4.2.10 1224 b.AddUint16(extensionEarlyData) 1225 b.AddUint16(0) // empty extension_data 1226 } 1227 for _, ext := range m.additionalExtensions { 1228 b.AddUint16(ext.Type) 1229 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1230 b.AddBytes(ext.Data) 1231 }) 1232 } 1233 }) 1234 }) 1235 1236 m.raw = b.BytesOrPanic() 1237 return m.raw 1238 } 1239 1240 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1241 *m = encryptedExtensionsMsg{raw: data} 1242 s := cryptobyte.String(data) 1243 1244 var extensions cryptobyte.String 1245 if !s.Skip(4) || // message type and uint24 length field 1246 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 1247 return false 1248 } 1249 1250 for !extensions.Empty() { 1251 var ext uint16 1252 var extData cryptobyte.String 1253 if !extensions.ReadUint16(&ext) || 1254 !extensions.ReadUint16LengthPrefixed(&extData) { 1255 return false 1256 } 1257 1258 switch ext { 1259 case extensionALPN: 1260 var protoList cryptobyte.String 1261 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1262 return false 1263 } 1264 var proto cryptobyte.String 1265 if !protoList.ReadUint8LengthPrefixed(&proto) || 1266 proto.Empty() || !protoList.Empty() { 1267 return false 1268 } 1269 m.alpnProtocol = string(proto) 1270 case extensionEarlyData: 1271 m.earlyData = true 1272 default: 1273 m.additionalExtensions = append(m.additionalExtensions, Extension{Type: ext, Data: extData}) 1274 continue 1275 } 1276 1277 if !extData.Empty() { 1278 return false 1279 } 1280 } 1281 1282 return true 1283 } 1284 1285 type endOfEarlyDataMsg struct{} 1286 1287 func (m *endOfEarlyDataMsg) marshal() []byte { 1288 x := make([]byte, 4) 1289 x[0] = typeEndOfEarlyData 1290 return x 1291 } 1292 1293 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 1294 return len(data) == 4 1295 } 1296 1297 type keyUpdateMsg struct { 1298 raw []byte 1299 updateRequested bool 1300 } 1301 1302 func (m *keyUpdateMsg) marshal() []byte { 1303 if m.raw != nil { 1304 return m.raw 1305 } 1306 1307 var b cryptobyte.Builder 1308 b.AddUint8(typeKeyUpdate) 1309 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1310 if m.updateRequested { 1311 b.AddUint8(1) 1312 } else { 1313 b.AddUint8(0) 1314 } 1315 }) 1316 1317 m.raw = b.BytesOrPanic() 1318 return m.raw 1319 } 1320 1321 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 1322 m.raw = data 1323 s := cryptobyte.String(data) 1324 1325 var updateRequested uint8 1326 if !s.Skip(4) || // message type and uint24 length field 1327 !s.ReadUint8(&updateRequested) || !s.Empty() { 1328 return false 1329 } 1330 switch updateRequested { 1331 case 0: 1332 m.updateRequested = false 1333 case 1: 1334 m.updateRequested = true 1335 default: 1336 return false 1337 } 1338 return true 1339 } 1340 1341 type newSessionTicketMsgTLS13 struct { 1342 raw []byte 1343 lifetime uint32 1344 ageAdd uint32 1345 nonce []byte 1346 label []byte 1347 maxEarlyData uint32 1348 } 1349 1350 func (m *newSessionTicketMsgTLS13) marshal() []byte { 1351 if m.raw != nil { 1352 return m.raw 1353 } 1354 1355 var b cryptobyte.Builder 1356 b.AddUint8(typeNewSessionTicket) 1357 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1358 b.AddUint32(m.lifetime) 1359 b.AddUint32(m.ageAdd) 1360 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1361 b.AddBytes(m.nonce) 1362 }) 1363 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1364 b.AddBytes(m.label) 1365 }) 1366 1367 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1368 if m.maxEarlyData > 0 { 1369 b.AddUint16(extensionEarlyData) 1370 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1371 b.AddUint32(m.maxEarlyData) 1372 }) 1373 } 1374 }) 1375 }) 1376 1377 m.raw = b.BytesOrPanic() 1378 return m.raw 1379 } 1380 1381 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1382 *m = newSessionTicketMsgTLS13{raw: data} 1383 s := cryptobyte.String(data) 1384 1385 var extensions cryptobyte.String 1386 if !s.Skip(4) || // message type and uint24 length field 1387 !s.ReadUint32(&m.lifetime) || 1388 !s.ReadUint32(&m.ageAdd) || 1389 !readUint8LengthPrefixed(&s, &m.nonce) || 1390 !readUint16LengthPrefixed(&s, &m.label) || 1391 !s.ReadUint16LengthPrefixed(&extensions) || 1392 !s.Empty() { 1393 return false 1394 } 1395 1396 for !extensions.Empty() { 1397 var extension uint16 1398 var extData cryptobyte.String 1399 if !extensions.ReadUint16(&extension) || 1400 !extensions.ReadUint16LengthPrefixed(&extData) { 1401 return false 1402 } 1403 1404 switch extension { 1405 case extensionEarlyData: 1406 if !extData.ReadUint32(&m.maxEarlyData) { 1407 return false 1408 } 1409 default: 1410 // Ignore unknown extensions. 1411 continue 1412 } 1413 1414 if !extData.Empty() { 1415 return false 1416 } 1417 } 1418 1419 return true 1420 } 1421 1422 type certificateRequestMsgTLS13 struct { 1423 raw []byte 1424 ocspStapling bool 1425 scts bool 1426 supportedSignatureAlgorithms []SignatureScheme 1427 supportedSignatureAlgorithmsCert []SignatureScheme 1428 certificateAuthorities [][]byte 1429 } 1430 1431 func (m *certificateRequestMsgTLS13) marshal() []byte { 1432 if m.raw != nil { 1433 return m.raw 1434 } 1435 1436 var b cryptobyte.Builder 1437 b.AddUint8(typeCertificateRequest) 1438 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1439 // certificate_request_context (SHALL be zero length unless used for 1440 // post-handshake authentication) 1441 b.AddUint8(0) 1442 1443 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1444 if m.ocspStapling { 1445 b.AddUint16(extensionStatusRequest) 1446 b.AddUint16(0) // empty extension_data 1447 } 1448 if m.scts { 1449 // RFC 8446, Section 4.4.2.1 makes no mention of 1450 // signed_certificate_timestamp in CertificateRequest, but 1451 // "Extensions in the Certificate message from the client MUST 1452 // correspond to extensions in the CertificateRequest message 1453 // from the server." and it appears in the table in Section 4.2. 1454 b.AddUint16(extensionSCT) 1455 b.AddUint16(0) // empty extension_data 1456 } 1457 if len(m.supportedSignatureAlgorithms) > 0 { 1458 b.AddUint16(extensionSignatureAlgorithms) 1459 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1460 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1461 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1462 b.AddUint16(uint16(sigAlgo)) 1463 } 1464 }) 1465 }) 1466 } 1467 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1468 b.AddUint16(extensionSignatureAlgorithmsCert) 1469 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1470 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1471 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1472 b.AddUint16(uint16(sigAlgo)) 1473 } 1474 }) 1475 }) 1476 } 1477 if len(m.certificateAuthorities) > 0 { 1478 b.AddUint16(extensionCertificateAuthorities) 1479 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1480 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1481 for _, ca := range m.certificateAuthorities { 1482 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1483 b.AddBytes(ca) 1484 }) 1485 } 1486 }) 1487 }) 1488 } 1489 }) 1490 }) 1491 1492 m.raw = b.BytesOrPanic() 1493 return m.raw 1494 } 1495 1496 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1497 *m = certificateRequestMsgTLS13{raw: data} 1498 s := cryptobyte.String(data) 1499 1500 var context, extensions cryptobyte.String 1501 if !s.Skip(4) || // message type and uint24 length field 1502 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1503 !s.ReadUint16LengthPrefixed(&extensions) || 1504 !s.Empty() { 1505 return false 1506 } 1507 1508 for !extensions.Empty() { 1509 var extension uint16 1510 var extData cryptobyte.String 1511 if !extensions.ReadUint16(&extension) || 1512 !extensions.ReadUint16LengthPrefixed(&extData) { 1513 return false 1514 } 1515 1516 switch extension { 1517 case extensionStatusRequest: 1518 m.ocspStapling = true 1519 case extensionSCT: 1520 m.scts = true 1521 case extensionSignatureAlgorithms: 1522 var sigAndAlgs cryptobyte.String 1523 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1524 return false 1525 } 1526 for !sigAndAlgs.Empty() { 1527 var sigAndAlg uint16 1528 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1529 return false 1530 } 1531 m.supportedSignatureAlgorithms = append( 1532 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1533 } 1534 case extensionSignatureAlgorithmsCert: 1535 var sigAndAlgs cryptobyte.String 1536 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1537 return false 1538 } 1539 for !sigAndAlgs.Empty() { 1540 var sigAndAlg uint16 1541 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1542 return false 1543 } 1544 m.supportedSignatureAlgorithmsCert = append( 1545 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1546 } 1547 case extensionCertificateAuthorities: 1548 var auths cryptobyte.String 1549 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1550 return false 1551 } 1552 for !auths.Empty() { 1553 var ca []byte 1554 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1555 return false 1556 } 1557 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1558 } 1559 default: 1560 // Ignore unknown extensions. 1561 continue 1562 } 1563 1564 if !extData.Empty() { 1565 return false 1566 } 1567 } 1568 1569 return true 1570 } 1571 1572 type certificateMsg struct { 1573 raw []byte 1574 certificates [][]byte 1575 } 1576 1577 func (m *certificateMsg) marshal() (x []byte) { 1578 if m.raw != nil { 1579 return m.raw 1580 } 1581 1582 var i int 1583 for _, slice := range m.certificates { 1584 i += len(slice) 1585 } 1586 1587 length := 3 + 3*len(m.certificates) + i 1588 x = make([]byte, 4+length) 1589 x[0] = typeCertificate 1590 x[1] = uint8(length >> 16) 1591 x[2] = uint8(length >> 8) 1592 x[3] = uint8(length) 1593 1594 certificateOctets := length - 3 1595 x[4] = uint8(certificateOctets >> 16) 1596 x[5] = uint8(certificateOctets >> 8) 1597 x[6] = uint8(certificateOctets) 1598 1599 y := x[7:] 1600 for _, slice := range m.certificates { 1601 y[0] = uint8(len(slice) >> 16) 1602 y[1] = uint8(len(slice) >> 8) 1603 y[2] = uint8(len(slice)) 1604 copy(y[3:], slice) 1605 y = y[3+len(slice):] 1606 } 1607 1608 m.raw = x 1609 return 1610 } 1611 1612 func (m *certificateMsg) unmarshal(data []byte) bool { 1613 if len(data) < 7 { 1614 return false 1615 } 1616 1617 m.raw = data 1618 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1619 if uint32(len(data)) != certsLen+7 { 1620 return false 1621 } 1622 1623 numCerts := 0 1624 d := data[7:] 1625 for certsLen > 0 { 1626 if len(d) < 4 { 1627 return false 1628 } 1629 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1630 if uint32(len(d)) < 3+certLen { 1631 return false 1632 } 1633 d = d[3+certLen:] 1634 certsLen -= 3 + certLen 1635 numCerts++ 1636 } 1637 1638 m.certificates = make([][]byte, numCerts) 1639 d = data[7:] 1640 for i := 0; i < numCerts; i++ { 1641 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1642 m.certificates[i] = d[3 : 3+certLen] 1643 d = d[3+certLen:] 1644 } 1645 1646 return true 1647 } 1648 1649 type certificateMsgTLS13 struct { 1650 raw []byte 1651 certificate Certificate 1652 ocspStapling bool 1653 scts bool 1654 } 1655 1656 func (m *certificateMsgTLS13) marshal() []byte { 1657 if m.raw != nil { 1658 return m.raw 1659 } 1660 1661 var b cryptobyte.Builder 1662 b.AddUint8(typeCertificate) 1663 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1664 b.AddUint8(0) // certificate_request_context 1665 1666 certificate := m.certificate 1667 if !m.ocspStapling { 1668 certificate.OCSPStaple = nil 1669 } 1670 if !m.scts { 1671 certificate.SignedCertificateTimestamps = nil 1672 } 1673 marshalCertificate(b, certificate) 1674 }) 1675 1676 m.raw = b.BytesOrPanic() 1677 return m.raw 1678 } 1679 1680 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1681 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1682 for i, cert := range certificate.Certificate { 1683 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1684 b.AddBytes(cert) 1685 }) 1686 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1687 if i > 0 { 1688 // This library only supports OCSP and SCT for leaf certificates. 1689 return 1690 } 1691 if certificate.OCSPStaple != nil { 1692 b.AddUint16(extensionStatusRequest) 1693 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1694 b.AddUint8(statusTypeOCSP) 1695 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1696 b.AddBytes(certificate.OCSPStaple) 1697 }) 1698 }) 1699 } 1700 if certificate.SignedCertificateTimestamps != nil { 1701 b.AddUint16(extensionSCT) 1702 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1703 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1704 for _, sct := range certificate.SignedCertificateTimestamps { 1705 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1706 b.AddBytes(sct) 1707 }) 1708 } 1709 }) 1710 }) 1711 } 1712 }) 1713 } 1714 }) 1715 } 1716 1717 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1718 *m = certificateMsgTLS13{raw: data} 1719 s := cryptobyte.String(data) 1720 1721 var context cryptobyte.String 1722 if !s.Skip(4) || // message type and uint24 length field 1723 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1724 !unmarshalCertificate(&s, &m.certificate) || 1725 !s.Empty() { 1726 return false 1727 } 1728 1729 m.scts = m.certificate.SignedCertificateTimestamps != nil 1730 m.ocspStapling = m.certificate.OCSPStaple != nil 1731 1732 return true 1733 } 1734 1735 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1736 var certList cryptobyte.String 1737 if !s.ReadUint24LengthPrefixed(&certList) { 1738 return false 1739 } 1740 for !certList.Empty() { 1741 var cert []byte 1742 var extensions cryptobyte.String 1743 if !readUint24LengthPrefixed(&certList, &cert) || 1744 !certList.ReadUint16LengthPrefixed(&extensions) { 1745 return false 1746 } 1747 certificate.Certificate = append(certificate.Certificate, cert) 1748 for !extensions.Empty() { 1749 var extension uint16 1750 var extData cryptobyte.String 1751 if !extensions.ReadUint16(&extension) || 1752 !extensions.ReadUint16LengthPrefixed(&extData) { 1753 return false 1754 } 1755 if len(certificate.Certificate) > 1 { 1756 // This library only supports OCSP and SCT for leaf certificates. 1757 continue 1758 } 1759 1760 switch extension { 1761 case extensionStatusRequest: 1762 var statusType uint8 1763 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1764 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1765 len(certificate.OCSPStaple) == 0 { 1766 return false 1767 } 1768 case extensionSCT: 1769 var sctList cryptobyte.String 1770 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1771 return false 1772 } 1773 for !sctList.Empty() { 1774 var sct []byte 1775 if !readUint16LengthPrefixed(&sctList, &sct) || 1776 len(sct) == 0 { 1777 return false 1778 } 1779 certificate.SignedCertificateTimestamps = append( 1780 certificate.SignedCertificateTimestamps, sct) 1781 } 1782 default: 1783 // Ignore unknown extensions. 1784 continue 1785 } 1786 1787 if !extData.Empty() { 1788 return false 1789 } 1790 } 1791 } 1792 return true 1793 } 1794 1795 type serverKeyExchangeMsg struct { 1796 raw []byte 1797 key []byte 1798 } 1799 1800 func (m *serverKeyExchangeMsg) marshal() []byte { 1801 if m.raw != nil { 1802 return m.raw 1803 } 1804 length := len(m.key) 1805 x := make([]byte, length+4) 1806 x[0] = typeServerKeyExchange 1807 x[1] = uint8(length >> 16) 1808 x[2] = uint8(length >> 8) 1809 x[3] = uint8(length) 1810 copy(x[4:], m.key) 1811 1812 m.raw = x 1813 return x 1814 } 1815 1816 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1817 m.raw = data 1818 if len(data) < 4 { 1819 return false 1820 } 1821 m.key = data[4:] 1822 return true 1823 } 1824 1825 type certificateStatusMsg struct { 1826 raw []byte 1827 response []byte 1828 } 1829 1830 func (m *certificateStatusMsg) marshal() []byte { 1831 if m.raw != nil { 1832 return m.raw 1833 } 1834 1835 var b cryptobyte.Builder 1836 b.AddUint8(typeCertificateStatus) 1837 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1838 b.AddUint8(statusTypeOCSP) 1839 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1840 b.AddBytes(m.response) 1841 }) 1842 }) 1843 1844 m.raw = b.BytesOrPanic() 1845 return m.raw 1846 } 1847 1848 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1849 m.raw = data 1850 s := cryptobyte.String(data) 1851 1852 var statusType uint8 1853 if !s.Skip(4) || // message type and uint24 length field 1854 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1855 !readUint24LengthPrefixed(&s, &m.response) || 1856 len(m.response) == 0 || !s.Empty() { 1857 return false 1858 } 1859 return true 1860 } 1861 1862 type serverHelloDoneMsg struct{} 1863 1864 func (m *serverHelloDoneMsg) marshal() []byte { 1865 x := make([]byte, 4) 1866 x[0] = typeServerHelloDone 1867 return x 1868 } 1869 1870 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1871 return len(data) == 4 1872 } 1873 1874 type clientKeyExchangeMsg struct { 1875 raw []byte 1876 ciphertext []byte 1877 } 1878 1879 func (m *clientKeyExchangeMsg) marshal() []byte { 1880 if m.raw != nil { 1881 return m.raw 1882 } 1883 length := len(m.ciphertext) 1884 x := make([]byte, length+4) 1885 x[0] = typeClientKeyExchange 1886 x[1] = uint8(length >> 16) 1887 x[2] = uint8(length >> 8) 1888 x[3] = uint8(length) 1889 copy(x[4:], m.ciphertext) 1890 1891 m.raw = x 1892 return x 1893 } 1894 1895 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1896 m.raw = data 1897 if len(data) < 4 { 1898 return false 1899 } 1900 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1901 if l != len(data)-4 { 1902 return false 1903 } 1904 m.ciphertext = data[4:] 1905 return true 1906 } 1907 1908 type finishedMsg struct { 1909 raw []byte 1910 verifyData []byte 1911 } 1912 1913 func (m *finishedMsg) marshal() []byte { 1914 if m.raw != nil { 1915 return m.raw 1916 } 1917 1918 var b cryptobyte.Builder 1919 b.AddUint8(typeFinished) 1920 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1921 b.AddBytes(m.verifyData) 1922 }) 1923 1924 m.raw = b.BytesOrPanic() 1925 return m.raw 1926 } 1927 1928 func (m *finishedMsg) unmarshal(data []byte) bool { 1929 m.raw = data 1930 s := cryptobyte.String(data) 1931 return s.Skip(1) && 1932 readUint24LengthPrefixed(&s, &m.verifyData) && 1933 s.Empty() 1934 } 1935 1936 type certificateRequestMsg struct { 1937 raw []byte 1938 // hasSignatureAlgorithm indicates whether this message includes a list of 1939 // supported signature algorithms. This change was introduced with TLS 1.2. 1940 hasSignatureAlgorithm bool 1941 1942 certificateTypes []byte 1943 supportedSignatureAlgorithms []SignatureScheme 1944 certificateAuthorities [][]byte 1945 } 1946 1947 func (m *certificateRequestMsg) marshal() (x []byte) { 1948 if m.raw != nil { 1949 return m.raw 1950 } 1951 1952 // See RFC 4346, Section 7.4.4. 1953 length := 1 + len(m.certificateTypes) + 2 1954 casLength := 0 1955 for _, ca := range m.certificateAuthorities { 1956 casLength += 2 + len(ca) 1957 } 1958 length += casLength 1959 1960 if m.hasSignatureAlgorithm { 1961 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1962 } 1963 1964 x = make([]byte, 4+length) 1965 x[0] = typeCertificateRequest 1966 x[1] = uint8(length >> 16) 1967 x[2] = uint8(length >> 8) 1968 x[3] = uint8(length) 1969 1970 x[4] = uint8(len(m.certificateTypes)) 1971 1972 copy(x[5:], m.certificateTypes) 1973 y := x[5+len(m.certificateTypes):] 1974 1975 if m.hasSignatureAlgorithm { 1976 n := len(m.supportedSignatureAlgorithms) * 2 1977 y[0] = uint8(n >> 8) 1978 y[1] = uint8(n) 1979 y = y[2:] 1980 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1981 y[0] = uint8(sigAlgo >> 8) 1982 y[1] = uint8(sigAlgo) 1983 y = y[2:] 1984 } 1985 } 1986 1987 y[0] = uint8(casLength >> 8) 1988 y[1] = uint8(casLength) 1989 y = y[2:] 1990 for _, ca := range m.certificateAuthorities { 1991 y[0] = uint8(len(ca) >> 8) 1992 y[1] = uint8(len(ca)) 1993 y = y[2:] 1994 copy(y, ca) 1995 y = y[len(ca):] 1996 } 1997 1998 m.raw = x 1999 return 2000 } 2001 2002 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 2003 m.raw = data 2004 2005 if len(data) < 5 { 2006 return false 2007 } 2008 2009 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2010 if uint32(len(data))-4 != length { 2011 return false 2012 } 2013 2014 numCertTypes := int(data[4]) 2015 data = data[5:] 2016 if numCertTypes == 0 || len(data) <= numCertTypes { 2017 return false 2018 } 2019 2020 m.certificateTypes = make([]byte, numCertTypes) 2021 if copy(m.certificateTypes, data) != numCertTypes { 2022 return false 2023 } 2024 2025 data = data[numCertTypes:] 2026 2027 if m.hasSignatureAlgorithm { 2028 if len(data) < 2 { 2029 return false 2030 } 2031 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 2032 data = data[2:] 2033 if sigAndHashLen&1 != 0 { 2034 return false 2035 } 2036 if len(data) < int(sigAndHashLen) { 2037 return false 2038 } 2039 numSigAlgos := sigAndHashLen / 2 2040 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 2041 for i := range m.supportedSignatureAlgorithms { 2042 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 2043 data = data[2:] 2044 } 2045 } 2046 2047 if len(data) < 2 { 2048 return false 2049 } 2050 casLength := uint16(data[0])<<8 | uint16(data[1]) 2051 data = data[2:] 2052 if len(data) < int(casLength) { 2053 return false 2054 } 2055 cas := make([]byte, casLength) 2056 copy(cas, data) 2057 data = data[casLength:] 2058 2059 m.certificateAuthorities = nil 2060 for len(cas) > 0 { 2061 if len(cas) < 2 { 2062 return false 2063 } 2064 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 2065 cas = cas[2:] 2066 2067 if len(cas) < int(caLen) { 2068 return false 2069 } 2070 2071 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 2072 cas = cas[caLen:] 2073 } 2074 2075 return len(data) == 0 2076 } 2077 2078 type certificateVerifyMsg struct { 2079 raw []byte 2080 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 2081 signatureAlgorithm SignatureScheme 2082 signature []byte 2083 } 2084 2085 func (m *certificateVerifyMsg) marshal() (x []byte) { 2086 if m.raw != nil { 2087 return m.raw 2088 } 2089 2090 var b cryptobyte.Builder 2091 b.AddUint8(typeCertificateVerify) 2092 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2093 if m.hasSignatureAlgorithm { 2094 b.AddUint16(uint16(m.signatureAlgorithm)) 2095 } 2096 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2097 b.AddBytes(m.signature) 2098 }) 2099 }) 2100 2101 m.raw = b.BytesOrPanic() 2102 return m.raw 2103 } 2104 2105 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2106 m.raw = data 2107 s := cryptobyte.String(data) 2108 2109 if !s.Skip(4) { // message type and uint24 length field 2110 return false 2111 } 2112 if m.hasSignatureAlgorithm { 2113 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 2114 return false 2115 } 2116 } 2117 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 2118 } 2119 2120 type newSessionTicketMsg struct { 2121 raw []byte 2122 ticket []byte 2123 } 2124 2125 func (m *newSessionTicketMsg) marshal() (x []byte) { 2126 if m.raw != nil { 2127 return m.raw 2128 } 2129 2130 // See RFC 5077, Section 3.3. 2131 ticketLen := len(m.ticket) 2132 length := 2 + 4 + ticketLen 2133 x = make([]byte, 4+length) 2134 x[0] = typeNewSessionTicket 2135 x[1] = uint8(length >> 16) 2136 x[2] = uint8(length >> 8) 2137 x[3] = uint8(length) 2138 x[8] = uint8(ticketLen >> 8) 2139 x[9] = uint8(ticketLen) 2140 copy(x[10:], m.ticket) 2141 2142 m.raw = x 2143 2144 return 2145 } 2146 2147 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2148 m.raw = data 2149 2150 if len(data) < 10 { 2151 return false 2152 } 2153 2154 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2155 if uint32(len(data))-4 != length { 2156 return false 2157 } 2158 2159 ticketLen := int(data[8])<<8 + int(data[9]) 2160 if len(data)-10 != ticketLen { 2161 return false 2162 } 2163 2164 m.ticket = data[10:] 2165 2166 return true 2167 } 2168 2169 type helloRequestMsg struct { 2170 } 2171 2172 func (*helloRequestMsg) marshal() []byte { 2173 return []byte{typeHelloRequest, 0, 0, 0} 2174 } 2175 2176 func (*helloRequestMsg) unmarshal(data []byte) bool { 2177 return len(data) == 4 2178 }