github.com/x04/go/src@v0.0.0-20200202162449-3d481ceb3525/crypto/tls/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "github.com/x04/go/src/fmt" 9 "github.com/x04/go/src/strings" 10 11 "github.com/x04/go/src/golang.org/x/crypto/cryptobyte" 12 ) 13 14 // The marshalingFunction type is an adapter to allow the use of ordinary 15 // functions as cryptobyte.MarshalingValue. 16 type marshalingFunction func(b *cryptobyte.Builder) error 17 18 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 19 return f(b) 20 } 21 22 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 23 // the length of the sequence is not the value specified, it produces an error. 24 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 25 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 26 if len(v) != n { 27 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 28 } 29 b.AddBytes(v) 30 return nil 31 })) 32 } 33 34 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. 35 func addUint64(b *cryptobyte.Builder, v uint64) { 36 b.AddUint32(uint32(v >> 32)) 37 b.AddUint32(uint32(v)) 38 } 39 40 // readUint64 decodes a big-endian, 64-bit value into out and advances over it. 41 // It reports whether the read was successful. 42 func readUint64(s *cryptobyte.String, out *uint64) bool { 43 var hi, lo uint32 44 if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { 45 return false 46 } 47 *out = uint64(hi)<<32 | uint64(lo) 48 return true 49 } 50 51 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 52 // []byte instead of a cryptobyte.String. 53 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 54 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 55 } 56 57 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 58 // []byte instead of a cryptobyte.String. 59 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 60 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 61 } 62 63 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 64 // []byte instead of a cryptobyte.String. 65 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 66 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 67 } 68 69 type clientHelloMsg struct { 70 raw []byte 71 vers uint16 72 random []byte 73 sessionId []byte 74 cipherSuites []uint16 75 compressionMethods []uint8 76 serverName string 77 ocspStapling bool 78 supportedCurves []CurveID 79 supportedPoints []uint8 80 ticketSupported bool 81 sessionTicket []uint8 82 supportedSignatureAlgorithms []SignatureScheme 83 supportedSignatureAlgorithmsCert []SignatureScheme 84 secureRenegotiationSupported bool 85 secureRenegotiation []byte 86 alpnProtocols []string 87 scts bool 88 supportedVersions []uint16 89 cookie []byte 90 keyShares []keyShare 91 earlyData bool 92 pskModes []uint8 93 pskIdentities []pskIdentity 94 pskBinders [][]byte 95 extensions []uint16 96 } 97 98 func (m *clientHelloMsg) marshal() []byte { 99 if m.raw != nil { 100 return m.raw 101 } 102 103 var b cryptobyte.Builder 104 b.AddUint8(typeClientHello) 105 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 106 b.AddUint16(m.vers) 107 addBytesWithLength(b, m.random, 32) 108 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 109 b.AddBytes(m.sessionId) 110 }) 111 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 112 for _, suite := range m.cipherSuites { 113 b.AddUint16(suite) 114 } 115 }) 116 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 117 b.AddBytes(m.compressionMethods) 118 }) 119 120 // If extensions aren't present, omit them. 121 var extensionsPresent bool 122 bWithoutExtensions := *b 123 124 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 125 if len(m.serverName) > 0 { 126 // RFC 6066, Section 3 127 b.AddUint16(extensionServerName) 128 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 129 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 130 b.AddUint8(0) // name_type = host_name 131 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 132 b.AddBytes([]byte(m.serverName)) 133 }) 134 }) 135 }) 136 } 137 if m.ocspStapling { 138 // RFC 4366, Section 3.6 139 b.AddUint16(extensionStatusRequest) 140 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 141 b.AddUint8(1) // status_type = ocsp 142 b.AddUint16(0) // empty responder_id_list 143 b.AddUint16(0) // empty request_extensions 144 }) 145 } 146 if len(m.supportedCurves) > 0 { 147 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 148 b.AddUint16(extensionSupportedCurves) 149 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 150 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 151 for _, curve := range m.supportedCurves { 152 b.AddUint16(uint16(curve)) 153 } 154 }) 155 }) 156 } 157 if len(m.supportedPoints) > 0 { 158 // RFC 4492, Section 5.1.2 159 b.AddUint16(extensionSupportedPoints) 160 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 161 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 162 b.AddBytes(m.supportedPoints) 163 }) 164 }) 165 } 166 if m.ticketSupported { 167 // RFC 5077, Section 3.2 168 b.AddUint16(extensionSessionTicket) 169 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 170 b.AddBytes(m.sessionTicket) 171 }) 172 } 173 if len(m.supportedSignatureAlgorithms) > 0 { 174 // RFC 5246, Section 7.4.1.4.1 175 b.AddUint16(extensionSignatureAlgorithms) 176 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 177 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 178 for _, sigAlgo := range m.supportedSignatureAlgorithms { 179 b.AddUint16(uint16(sigAlgo)) 180 } 181 }) 182 }) 183 } 184 if len(m.supportedSignatureAlgorithmsCert) > 0 { 185 // RFC 8446, Section 4.2.3 186 b.AddUint16(extensionSignatureAlgorithmsCert) 187 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 188 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 189 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 190 b.AddUint16(uint16(sigAlgo)) 191 } 192 }) 193 }) 194 } 195 if m.secureRenegotiationSupported { 196 // RFC 5746, Section 3.2 197 b.AddUint16(extensionRenegotiationInfo) 198 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 199 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 200 b.AddBytes(m.secureRenegotiation) 201 }) 202 }) 203 } 204 if len(m.alpnProtocols) > 0 { 205 // RFC 7301, Section 3.1 206 b.AddUint16(extensionALPN) 207 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 208 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 209 for _, proto := range m.alpnProtocols { 210 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 211 b.AddBytes([]byte(proto)) 212 }) 213 } 214 }) 215 }) 216 } 217 if m.scts { 218 // RFC 6962, Section 3.3.1 219 b.AddUint16(extensionSCT) 220 b.AddUint16(0) // empty extension_data 221 } 222 if len(m.supportedVersions) > 0 { 223 // RFC 8446, Section 4.2.1 224 b.AddUint16(extensionSupportedVersions) 225 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 226 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 227 for _, vers := range m.supportedVersions { 228 b.AddUint16(vers) 229 } 230 }) 231 }) 232 } 233 if len(m.cookie) > 0 { 234 // RFC 8446, Section 4.2.2 235 b.AddUint16(extensionCookie) 236 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 237 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 238 b.AddBytes(m.cookie) 239 }) 240 }) 241 } 242 if len(m.keyShares) > 0 { 243 // RFC 8446, Section 4.2.8 244 b.AddUint16(extensionKeyShare) 245 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 246 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 247 for _, ks := range m.keyShares { 248 b.AddUint16(uint16(ks.group)) 249 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 250 b.AddBytes(ks.data) 251 }) 252 } 253 }) 254 }) 255 } 256 if m.earlyData { 257 // RFC 8446, Section 4.2.10 258 b.AddUint16(extensionEarlyData) 259 b.AddUint16(0) // empty extension_data 260 } 261 if len(m.pskModes) > 0 { 262 // RFC 8446, Section 4.2.9 263 b.AddUint16(extensionPSKModes) 264 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 265 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 266 b.AddBytes(m.pskModes) 267 }) 268 }) 269 } 270 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 271 // RFC 8446, Section 4.2.11 272 b.AddUint16(extensionPreSharedKey) 273 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 274 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 275 for _, psk := range m.pskIdentities { 276 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 277 b.AddBytes(psk.label) 278 }) 279 b.AddUint32(psk.obfuscatedTicketAge) 280 } 281 }) 282 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 283 for _, binder := range m.pskBinders { 284 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 285 b.AddBytes(binder) 286 }) 287 } 288 }) 289 }) 290 } 291 292 extensionsPresent = len(b.BytesOrPanic()) > 2 293 }) 294 295 if !extensionsPresent { 296 *b = bWithoutExtensions 297 } 298 }) 299 300 m.raw = b.BytesOrPanic() 301 return m.raw 302 } 303 304 // marshalWithoutBinders returns the ClientHello through the 305 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 306 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 307 func (m *clientHelloMsg) marshalWithoutBinders() []byte { 308 bindersLen := 2 // uint16 length prefix 309 for _, binder := range m.pskBinders { 310 bindersLen += 1 // uint8 length prefix 311 bindersLen += len(binder) 312 } 313 314 fullMessage := m.marshal() 315 return fullMessage[:len(fullMessage)-bindersLen] 316 } 317 318 // updateBinders updates the m.pskBinders field, if necessary updating the 319 // cached marshaled representation. The supplied binders must have the same 320 // length as the current m.pskBinders. 321 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) { 322 if len(pskBinders) != len(m.pskBinders) { 323 panic("tls: internal error: pskBinders length mismatch") 324 } 325 for i := range m.pskBinders { 326 if len(pskBinders[i]) != len(m.pskBinders[i]) { 327 panic("tls: internal error: pskBinders length mismatch") 328 } 329 } 330 m.pskBinders = pskBinders 331 if m.raw != nil { 332 lenWithoutBinders := len(m.marshalWithoutBinders()) 333 // TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported. 334 b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders]) 335 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 336 for _, binder := range m.pskBinders { 337 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 338 b.AddBytes(binder) 339 }) 340 } 341 }) 342 if len(b.BytesOrPanic()) != len(m.raw) { 343 panic("tls: internal error: failed to update binders") 344 } 345 } 346 } 347 348 func (m *clientHelloMsg) unmarshal(data []byte) bool { 349 *m = clientHelloMsg{raw: data} 350 s := cryptobyte.String(data) 351 352 if !s.Skip(4) || // message type and uint24 length field 353 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 354 !readUint8LengthPrefixed(&s, &m.sessionId) { 355 return false 356 } 357 358 var cipherSuites cryptobyte.String 359 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 360 return false 361 } 362 m.cipherSuites = []uint16{} 363 m.secureRenegotiationSupported = false 364 for !cipherSuites.Empty() { 365 var suite uint16 366 if !cipherSuites.ReadUint16(&suite) { 367 return false 368 } 369 if suite == scsvRenegotiation { 370 m.secureRenegotiationSupported = true 371 } 372 m.cipherSuites = append(m.cipherSuites, suite) 373 } 374 375 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 376 return false 377 } 378 379 if s.Empty() { 380 // ClientHello is optionally followed by extension data 381 return true 382 } 383 384 var extensions cryptobyte.String 385 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 386 return false 387 } 388 389 var arrExtensions []uint16 390 391 for !extensions.Empty() { 392 var extension uint16 393 var extData cryptobyte.String 394 if !extensions.ReadUint16(&extension) || 395 !extensions.ReadUint16LengthPrefixed(&extData) { 396 return false 397 } 398 399 arrExtensions = append(arrExtensions, extension) 400 401 switch extension { 402 case extensionServerName: 403 // RFC 6066, Section 3 404 var nameList cryptobyte.String 405 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 406 return false 407 } 408 for !nameList.Empty() { 409 var nameType uint8 410 var serverName cryptobyte.String 411 if !nameList.ReadUint8(&nameType) || 412 !nameList.ReadUint16LengthPrefixed(&serverName) || 413 serverName.Empty() { 414 return false 415 } 416 if nameType != 0 { 417 continue 418 } 419 if len(m.serverName) != 0 { 420 // Multiple names of the same name_type are prohibited. 421 return false 422 } 423 m.serverName = string(serverName) 424 // An SNI value may not include a trailing dot. 425 if strings.HasSuffix(m.serverName, ".") { 426 return false 427 } 428 } 429 case extensionStatusRequest: 430 // RFC 4366, Section 3.6 431 var statusType uint8 432 var ignored cryptobyte.String 433 if !extData.ReadUint8(&statusType) || 434 !extData.ReadUint16LengthPrefixed(&ignored) || 435 !extData.ReadUint16LengthPrefixed(&ignored) { 436 return false 437 } 438 m.ocspStapling = statusType == statusTypeOCSP 439 case extensionSupportedCurves: 440 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 441 var curves cryptobyte.String 442 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 443 return false 444 } 445 for !curves.Empty() { 446 var curve uint16 447 if !curves.ReadUint16(&curve) { 448 return false 449 } 450 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 451 } 452 case extensionSupportedPoints: 453 // RFC 4492, Section 5.1.2 454 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 455 len(m.supportedPoints) == 0 { 456 return false 457 } 458 case extensionSessionTicket: 459 // RFC 5077, Section 3.2 460 m.ticketSupported = true 461 extData.ReadBytes(&m.sessionTicket, len(extData)) 462 case extensionSignatureAlgorithms: 463 // RFC 5246, Section 7.4.1.4.1 464 var sigAndAlgs cryptobyte.String 465 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 466 return false 467 } 468 for !sigAndAlgs.Empty() { 469 var sigAndAlg uint16 470 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 471 return false 472 } 473 m.supportedSignatureAlgorithms = append( 474 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 475 } 476 case extensionSignatureAlgorithmsCert: 477 // RFC 8446, Section 4.2.3 478 var sigAndAlgs cryptobyte.String 479 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 480 return false 481 } 482 for !sigAndAlgs.Empty() { 483 var sigAndAlg uint16 484 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 485 return false 486 } 487 m.supportedSignatureAlgorithmsCert = append( 488 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 489 } 490 case extensionRenegotiationInfo: 491 // RFC 5746, Section 3.2 492 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 493 return false 494 } 495 m.secureRenegotiationSupported = true 496 case extensionALPN: 497 // RFC 7301, Section 3.1 498 var protoList cryptobyte.String 499 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 500 return false 501 } 502 for !protoList.Empty() { 503 var proto cryptobyte.String 504 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 505 return false 506 } 507 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 508 } 509 case extensionSCT: 510 // RFC 6962, Section 3.3.1 511 m.scts = true 512 case extensionSupportedVersions: 513 // RFC 8446, Section 4.2.1 514 var versList cryptobyte.String 515 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 516 return false 517 } 518 for !versList.Empty() { 519 var vers uint16 520 if !versList.ReadUint16(&vers) { 521 return false 522 } 523 m.supportedVersions = append(m.supportedVersions, vers) 524 } 525 case extensionCookie: 526 // RFC 8446, Section 4.2.2 527 if !readUint16LengthPrefixed(&extData, &m.cookie) || 528 len(m.cookie) == 0 { 529 return false 530 } 531 case extensionKeyShare: 532 // RFC 8446, Section 4.2.8 533 var clientShares cryptobyte.String 534 if !extData.ReadUint16LengthPrefixed(&clientShares) { 535 return false 536 } 537 for !clientShares.Empty() { 538 var ks keyShare 539 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 540 !readUint16LengthPrefixed(&clientShares, &ks.data) || 541 len(ks.data) == 0 { 542 return false 543 } 544 m.keyShares = append(m.keyShares, ks) 545 } 546 case extensionEarlyData: 547 // RFC 8446, Section 4.2.10 548 m.earlyData = true 549 case extensionPSKModes: 550 // RFC 8446, Section 4.2.9 551 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 552 return false 553 } 554 case extensionPreSharedKey: 555 // RFC 8446, Section 4.2.11 556 if !extensions.Empty() { 557 return false // pre_shared_key must be the last extension 558 } 559 var identities cryptobyte.String 560 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 561 return false 562 } 563 for !identities.Empty() { 564 var psk pskIdentity 565 if !readUint16LengthPrefixed(&identities, &psk.label) || 566 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 567 len(psk.label) == 0 { 568 return false 569 } 570 m.pskIdentities = append(m.pskIdentities, psk) 571 } 572 var binders cryptobyte.String 573 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 574 return false 575 } 576 for !binders.Empty() { 577 var binder []byte 578 if !readUint8LengthPrefixed(&binders, &binder) || 579 len(binder) == 0 { 580 return false 581 } 582 m.pskBinders = append(m.pskBinders, binder) 583 } 584 default: 585 // Ignore unknown extensions. 586 continue 587 } 588 589 if !extData.Empty() { 590 return false 591 } 592 } 593 594 m.extensions = arrExtensions 595 596 return true 597 } 598 599 type serverHelloMsg struct { 600 raw []byte 601 vers uint16 602 random []byte 603 sessionId []byte 604 cipherSuite uint16 605 compressionMethod uint8 606 ocspStapling bool 607 ticketSupported bool 608 secureRenegotiationSupported bool 609 secureRenegotiation []byte 610 alpnProtocol string 611 scts [][]byte 612 supportedVersion uint16 613 serverShare keyShare 614 selectedIdentityPresent bool 615 selectedIdentity uint16 616 supportedPoints []uint8 617 618 // HelloRetryRequest extensions 619 cookie []byte 620 selectedGroup CurveID 621 } 622 623 func (m *serverHelloMsg) marshal() []byte { 624 if m.raw != nil { 625 return m.raw 626 } 627 628 var b cryptobyte.Builder 629 b.AddUint8(typeServerHello) 630 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 631 b.AddUint16(m.vers) 632 addBytesWithLength(b, m.random, 32) 633 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 634 b.AddBytes(m.sessionId) 635 }) 636 b.AddUint16(m.cipherSuite) 637 b.AddUint8(m.compressionMethod) 638 639 // If extensions aren't present, omit them. 640 var extensionsPresent bool 641 bWithoutExtensions := *b 642 643 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 644 if m.ocspStapling { 645 b.AddUint16(extensionStatusRequest) 646 b.AddUint16(0) // empty extension_data 647 } 648 if m.ticketSupported { 649 b.AddUint16(extensionSessionTicket) 650 b.AddUint16(0) // empty extension_data 651 } 652 if m.secureRenegotiationSupported { 653 b.AddUint16(extensionRenegotiationInfo) 654 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 655 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 656 b.AddBytes(m.secureRenegotiation) 657 }) 658 }) 659 } 660 if len(m.alpnProtocol) > 0 { 661 b.AddUint16(extensionALPN) 662 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 663 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 664 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 665 b.AddBytes([]byte(m.alpnProtocol)) 666 }) 667 }) 668 }) 669 } 670 if len(m.scts) > 0 { 671 b.AddUint16(extensionSCT) 672 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 673 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 674 for _, sct := range m.scts { 675 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 676 b.AddBytes(sct) 677 }) 678 } 679 }) 680 }) 681 } 682 if m.supportedVersion != 0 { 683 b.AddUint16(extensionSupportedVersions) 684 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 685 b.AddUint16(m.supportedVersion) 686 }) 687 } 688 if m.serverShare.group != 0 { 689 b.AddUint16(extensionKeyShare) 690 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 691 b.AddUint16(uint16(m.serverShare.group)) 692 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 693 b.AddBytes(m.serverShare.data) 694 }) 695 }) 696 } 697 if m.selectedIdentityPresent { 698 b.AddUint16(extensionPreSharedKey) 699 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 700 b.AddUint16(m.selectedIdentity) 701 }) 702 } 703 704 if len(m.cookie) > 0 { 705 b.AddUint16(extensionCookie) 706 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 707 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 708 b.AddBytes(m.cookie) 709 }) 710 }) 711 } 712 if m.selectedGroup != 0 { 713 b.AddUint16(extensionKeyShare) 714 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 715 b.AddUint16(uint16(m.selectedGroup)) 716 }) 717 } 718 if len(m.supportedPoints) > 0 { 719 b.AddUint16(extensionSupportedPoints) 720 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 721 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 722 b.AddBytes(m.supportedPoints) 723 }) 724 }) 725 } 726 727 extensionsPresent = len(b.BytesOrPanic()) > 2 728 }) 729 730 if !extensionsPresent { 731 *b = bWithoutExtensions 732 } 733 }) 734 735 m.raw = b.BytesOrPanic() 736 return m.raw 737 } 738 739 func (m *serverHelloMsg) unmarshal(data []byte) bool { 740 *m = serverHelloMsg{raw: data} 741 s := cryptobyte.String(data) 742 743 if !s.Skip(4) || // message type and uint24 length field 744 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 745 !readUint8LengthPrefixed(&s, &m.sessionId) || 746 !s.ReadUint16(&m.cipherSuite) || 747 !s.ReadUint8(&m.compressionMethod) { 748 return false 749 } 750 751 if s.Empty() { 752 // ServerHello is optionally followed by extension data 753 return true 754 } 755 756 var extensions cryptobyte.String 757 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 758 return false 759 } 760 761 for !extensions.Empty() { 762 var extension uint16 763 var extData cryptobyte.String 764 if !extensions.ReadUint16(&extension) || 765 !extensions.ReadUint16LengthPrefixed(&extData) { 766 return false 767 } 768 769 switch extension { 770 case extensionStatusRequest: 771 m.ocspStapling = true 772 case extensionSessionTicket: 773 m.ticketSupported = true 774 case extensionRenegotiationInfo: 775 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 776 return false 777 } 778 m.secureRenegotiationSupported = true 779 case extensionALPN: 780 var protoList cryptobyte.String 781 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 782 return false 783 } 784 var proto cryptobyte.String 785 if !protoList.ReadUint8LengthPrefixed(&proto) || 786 proto.Empty() || !protoList.Empty() { 787 return false 788 } 789 m.alpnProtocol = string(proto) 790 case extensionSCT: 791 var sctList cryptobyte.String 792 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 793 return false 794 } 795 for !sctList.Empty() { 796 var sct []byte 797 if !readUint16LengthPrefixed(&sctList, &sct) || 798 len(sct) == 0 { 799 return false 800 } 801 m.scts = append(m.scts, sct) 802 } 803 case extensionSupportedVersions: 804 if !extData.ReadUint16(&m.supportedVersion) { 805 return false 806 } 807 case extensionCookie: 808 if !readUint16LengthPrefixed(&extData, &m.cookie) || 809 len(m.cookie) == 0 { 810 return false 811 } 812 case extensionKeyShare: 813 // This extension has different formats in SH and HRR, accept either 814 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 815 if len(extData) == 2 { 816 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 817 return false 818 } 819 } else { 820 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 821 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 822 return false 823 } 824 } 825 case extensionPreSharedKey: 826 m.selectedIdentityPresent = true 827 if !extData.ReadUint16(&m.selectedIdentity) { 828 return false 829 } 830 case extensionSupportedPoints: 831 // RFC 4492, Section 5.1.2 832 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 833 len(m.supportedPoints) == 0 { 834 return false 835 } 836 default: 837 // Ignore unknown extensions. 838 continue 839 } 840 841 if !extData.Empty() { 842 return false 843 } 844 } 845 846 return true 847 } 848 849 type encryptedExtensionsMsg struct { 850 raw []byte 851 alpnProtocol string 852 } 853 854 func (m *encryptedExtensionsMsg) marshal() []byte { 855 if m.raw != nil { 856 return m.raw 857 } 858 859 var b cryptobyte.Builder 860 b.AddUint8(typeEncryptedExtensions) 861 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 862 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 863 if len(m.alpnProtocol) > 0 { 864 b.AddUint16(extensionALPN) 865 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 866 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 867 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 868 b.AddBytes([]byte(m.alpnProtocol)) 869 }) 870 }) 871 }) 872 } 873 }) 874 }) 875 876 m.raw = b.BytesOrPanic() 877 return m.raw 878 } 879 880 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 881 *m = encryptedExtensionsMsg{raw: data} 882 s := cryptobyte.String(data) 883 884 var extensions cryptobyte.String 885 if !s.Skip(4) || // message type and uint24 length field 886 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 887 return false 888 } 889 890 for !extensions.Empty() { 891 var extension uint16 892 var extData cryptobyte.String 893 if !extensions.ReadUint16(&extension) || 894 !extensions.ReadUint16LengthPrefixed(&extData) { 895 return false 896 } 897 898 switch extension { 899 case extensionALPN: 900 var protoList cryptobyte.String 901 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 902 return false 903 } 904 var proto cryptobyte.String 905 if !protoList.ReadUint8LengthPrefixed(&proto) || 906 proto.Empty() || !protoList.Empty() { 907 return false 908 } 909 m.alpnProtocol = string(proto) 910 default: 911 // Ignore unknown extensions. 912 continue 913 } 914 915 if !extData.Empty() { 916 return false 917 } 918 } 919 920 return true 921 } 922 923 type endOfEarlyDataMsg struct{} 924 925 func (m *endOfEarlyDataMsg) marshal() []byte { 926 x := make([]byte, 4) 927 x[0] = typeEndOfEarlyData 928 return x 929 } 930 931 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 932 return len(data) == 4 933 } 934 935 type keyUpdateMsg struct { 936 raw []byte 937 updateRequested bool 938 } 939 940 func (m *keyUpdateMsg) marshal() []byte { 941 if m.raw != nil { 942 return m.raw 943 } 944 945 var b cryptobyte.Builder 946 b.AddUint8(typeKeyUpdate) 947 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 948 if m.updateRequested { 949 b.AddUint8(1) 950 } else { 951 b.AddUint8(0) 952 } 953 }) 954 955 m.raw = b.BytesOrPanic() 956 return m.raw 957 } 958 959 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 960 m.raw = data 961 s := cryptobyte.String(data) 962 963 var updateRequested uint8 964 if !s.Skip(4) || // message type and uint24 length field 965 !s.ReadUint8(&updateRequested) || !s.Empty() { 966 return false 967 } 968 switch updateRequested { 969 case 0: 970 m.updateRequested = false 971 case 1: 972 m.updateRequested = true 973 default: 974 return false 975 } 976 return true 977 } 978 979 type newSessionTicketMsgTLS13 struct { 980 raw []byte 981 lifetime uint32 982 ageAdd uint32 983 nonce []byte 984 label []byte 985 maxEarlyData uint32 986 } 987 988 func (m *newSessionTicketMsgTLS13) marshal() []byte { 989 if m.raw != nil { 990 return m.raw 991 } 992 993 var b cryptobyte.Builder 994 b.AddUint8(typeNewSessionTicket) 995 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 996 b.AddUint32(m.lifetime) 997 b.AddUint32(m.ageAdd) 998 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 999 b.AddBytes(m.nonce) 1000 }) 1001 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1002 b.AddBytes(m.label) 1003 }) 1004 1005 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1006 if m.maxEarlyData > 0 { 1007 b.AddUint16(extensionEarlyData) 1008 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1009 b.AddUint32(m.maxEarlyData) 1010 }) 1011 } 1012 }) 1013 }) 1014 1015 m.raw = b.BytesOrPanic() 1016 return m.raw 1017 } 1018 1019 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1020 *m = newSessionTicketMsgTLS13{raw: data} 1021 s := cryptobyte.String(data) 1022 1023 var extensions cryptobyte.String 1024 if !s.Skip(4) || // message type and uint24 length field 1025 !s.ReadUint32(&m.lifetime) || 1026 !s.ReadUint32(&m.ageAdd) || 1027 !readUint8LengthPrefixed(&s, &m.nonce) || 1028 !readUint16LengthPrefixed(&s, &m.label) || 1029 !s.ReadUint16LengthPrefixed(&extensions) || 1030 !s.Empty() { 1031 return false 1032 } 1033 1034 for !extensions.Empty() { 1035 var extension uint16 1036 var extData cryptobyte.String 1037 if !extensions.ReadUint16(&extension) || 1038 !extensions.ReadUint16LengthPrefixed(&extData) { 1039 return false 1040 } 1041 1042 switch extension { 1043 case extensionEarlyData: 1044 if !extData.ReadUint32(&m.maxEarlyData) { 1045 return false 1046 } 1047 default: 1048 // Ignore unknown extensions. 1049 continue 1050 } 1051 1052 if !extData.Empty() { 1053 return false 1054 } 1055 } 1056 1057 return true 1058 } 1059 1060 type certificateRequestMsgTLS13 struct { 1061 raw []byte 1062 ocspStapling bool 1063 scts bool 1064 supportedSignatureAlgorithms []SignatureScheme 1065 supportedSignatureAlgorithmsCert []SignatureScheme 1066 certificateAuthorities [][]byte 1067 } 1068 1069 func (m *certificateRequestMsgTLS13) marshal() []byte { 1070 if m.raw != nil { 1071 return m.raw 1072 } 1073 1074 var b cryptobyte.Builder 1075 b.AddUint8(typeCertificateRequest) 1076 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1077 // certificate_request_context (SHALL be zero length unless used for 1078 // post-handshake authentication) 1079 b.AddUint8(0) 1080 1081 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1082 if m.ocspStapling { 1083 b.AddUint16(extensionStatusRequest) 1084 b.AddUint16(0) // empty extension_data 1085 } 1086 if m.scts { 1087 // RFC 8446, Section 4.4.2.1 makes no mention of 1088 // signed_certificate_timestamp in CertificateRequest, but 1089 // "Extensions in the Certificate message from the client MUST 1090 // correspond to extensions in the CertificateRequest message 1091 // from the server." and it appears in the table in Section 4.2. 1092 b.AddUint16(extensionSCT) 1093 b.AddUint16(0) // empty extension_data 1094 } 1095 if len(m.supportedSignatureAlgorithms) > 0 { 1096 b.AddUint16(extensionSignatureAlgorithms) 1097 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1098 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1099 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1100 b.AddUint16(uint16(sigAlgo)) 1101 } 1102 }) 1103 }) 1104 } 1105 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1106 b.AddUint16(extensionSignatureAlgorithmsCert) 1107 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1108 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1109 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1110 b.AddUint16(uint16(sigAlgo)) 1111 } 1112 }) 1113 }) 1114 } 1115 if len(m.certificateAuthorities) > 0 { 1116 b.AddUint16(extensionCertificateAuthorities) 1117 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1118 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1119 for _, ca := range m.certificateAuthorities { 1120 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1121 b.AddBytes(ca) 1122 }) 1123 } 1124 }) 1125 }) 1126 } 1127 }) 1128 }) 1129 1130 m.raw = b.BytesOrPanic() 1131 return m.raw 1132 } 1133 1134 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1135 *m = certificateRequestMsgTLS13{raw: data} 1136 s := cryptobyte.String(data) 1137 1138 var context, extensions cryptobyte.String 1139 if !s.Skip(4) || // message type and uint24 length field 1140 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1141 !s.ReadUint16LengthPrefixed(&extensions) || 1142 !s.Empty() { 1143 return false 1144 } 1145 1146 for !extensions.Empty() { 1147 var extension uint16 1148 var extData cryptobyte.String 1149 if !extensions.ReadUint16(&extension) || 1150 !extensions.ReadUint16LengthPrefixed(&extData) { 1151 return false 1152 } 1153 1154 switch extension { 1155 case extensionStatusRequest: 1156 m.ocspStapling = true 1157 case extensionSCT: 1158 m.scts = true 1159 case extensionSignatureAlgorithms: 1160 var sigAndAlgs cryptobyte.String 1161 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1162 return false 1163 } 1164 for !sigAndAlgs.Empty() { 1165 var sigAndAlg uint16 1166 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1167 return false 1168 } 1169 m.supportedSignatureAlgorithms = append( 1170 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1171 } 1172 case extensionSignatureAlgorithmsCert: 1173 var sigAndAlgs cryptobyte.String 1174 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1175 return false 1176 } 1177 for !sigAndAlgs.Empty() { 1178 var sigAndAlg uint16 1179 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1180 return false 1181 } 1182 m.supportedSignatureAlgorithmsCert = append( 1183 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1184 } 1185 case extensionCertificateAuthorities: 1186 var auths cryptobyte.String 1187 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 1188 return false 1189 } 1190 for !auths.Empty() { 1191 var ca []byte 1192 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 1193 return false 1194 } 1195 m.certificateAuthorities = append(m.certificateAuthorities, ca) 1196 } 1197 default: 1198 // Ignore unknown extensions. 1199 continue 1200 } 1201 1202 if !extData.Empty() { 1203 return false 1204 } 1205 } 1206 1207 return true 1208 } 1209 1210 type certificateMsg struct { 1211 raw []byte 1212 certificates [][]byte 1213 } 1214 1215 func (m *certificateMsg) marshal() (x []byte) { 1216 if m.raw != nil { 1217 return m.raw 1218 } 1219 1220 var i int 1221 for _, slice := range m.certificates { 1222 i += len(slice) 1223 } 1224 1225 length := 3 + 3*len(m.certificates) + i 1226 x = make([]byte, 4+length) 1227 x[0] = typeCertificate 1228 x[1] = uint8(length >> 16) 1229 x[2] = uint8(length >> 8) 1230 x[3] = uint8(length) 1231 1232 certificateOctets := length - 3 1233 x[4] = uint8(certificateOctets >> 16) 1234 x[5] = uint8(certificateOctets >> 8) 1235 x[6] = uint8(certificateOctets) 1236 1237 y := x[7:] 1238 for _, slice := range m.certificates { 1239 y[0] = uint8(len(slice) >> 16) 1240 y[1] = uint8(len(slice) >> 8) 1241 y[2] = uint8(len(slice)) 1242 copy(y[3:], slice) 1243 y = y[3+len(slice):] 1244 } 1245 1246 m.raw = x 1247 return 1248 } 1249 1250 func (m *certificateMsg) unmarshal(data []byte) bool { 1251 if len(data) < 7 { 1252 return false 1253 } 1254 1255 m.raw = data 1256 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 1257 if uint32(len(data)) != certsLen+7 { 1258 return false 1259 } 1260 1261 numCerts := 0 1262 d := data[7:] 1263 for certsLen > 0 { 1264 if len(d) < 4 { 1265 return false 1266 } 1267 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1268 if uint32(len(d)) < 3+certLen { 1269 return false 1270 } 1271 d = d[3+certLen:] 1272 certsLen -= 3 + certLen 1273 numCerts++ 1274 } 1275 1276 m.certificates = make([][]byte, numCerts) 1277 d = data[7:] 1278 for i := 0; i < numCerts; i++ { 1279 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 1280 m.certificates[i] = d[3 : 3+certLen] 1281 d = d[3+certLen:] 1282 } 1283 1284 return true 1285 } 1286 1287 type certificateMsgTLS13 struct { 1288 raw []byte 1289 certificate Certificate 1290 ocspStapling bool 1291 scts bool 1292 } 1293 1294 func (m *certificateMsgTLS13) marshal() []byte { 1295 if m.raw != nil { 1296 return m.raw 1297 } 1298 1299 var b cryptobyte.Builder 1300 b.AddUint8(typeCertificate) 1301 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1302 b.AddUint8(0) // certificate_request_context 1303 1304 certificate := m.certificate 1305 if !m.ocspStapling { 1306 certificate.OCSPStaple = nil 1307 } 1308 if !m.scts { 1309 certificate.SignedCertificateTimestamps = nil 1310 } 1311 marshalCertificate(b, certificate) 1312 }) 1313 1314 m.raw = b.BytesOrPanic() 1315 return m.raw 1316 } 1317 1318 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 1319 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1320 for i, cert := range certificate.Certificate { 1321 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1322 b.AddBytes(cert) 1323 }) 1324 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1325 if i > 0 { 1326 // This library only supports OCSP and SCT for leaf certificates. 1327 return 1328 } 1329 if certificate.OCSPStaple != nil { 1330 b.AddUint16(extensionStatusRequest) 1331 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1332 b.AddUint8(statusTypeOCSP) 1333 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1334 b.AddBytes(certificate.OCSPStaple) 1335 }) 1336 }) 1337 } 1338 if certificate.SignedCertificateTimestamps != nil { 1339 b.AddUint16(extensionSCT) 1340 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1341 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1342 for _, sct := range certificate.SignedCertificateTimestamps { 1343 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1344 b.AddBytes(sct) 1345 }) 1346 } 1347 }) 1348 }) 1349 } 1350 }) 1351 } 1352 }) 1353 } 1354 1355 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 1356 *m = certificateMsgTLS13{raw: data} 1357 s := cryptobyte.String(data) 1358 1359 var context cryptobyte.String 1360 if !s.Skip(4) || // message type and uint24 length field 1361 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1362 !unmarshalCertificate(&s, &m.certificate) || 1363 !s.Empty() { 1364 return false 1365 } 1366 1367 m.scts = m.certificate.SignedCertificateTimestamps != nil 1368 m.ocspStapling = m.certificate.OCSPStaple != nil 1369 1370 return true 1371 } 1372 1373 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 1374 var certList cryptobyte.String 1375 if !s.ReadUint24LengthPrefixed(&certList) { 1376 return false 1377 } 1378 for !certList.Empty() { 1379 var cert []byte 1380 var extensions cryptobyte.String 1381 if !readUint24LengthPrefixed(&certList, &cert) || 1382 !certList.ReadUint16LengthPrefixed(&extensions) { 1383 return false 1384 } 1385 certificate.Certificate = append(certificate.Certificate, cert) 1386 for !extensions.Empty() { 1387 var extension uint16 1388 var extData cryptobyte.String 1389 if !extensions.ReadUint16(&extension) || 1390 !extensions.ReadUint16LengthPrefixed(&extData) { 1391 return false 1392 } 1393 if len(certificate.Certificate) > 1 { 1394 // This library only supports OCSP and SCT for leaf certificates. 1395 continue 1396 } 1397 1398 switch extension { 1399 case extensionStatusRequest: 1400 var statusType uint8 1401 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1402 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 1403 len(certificate.OCSPStaple) == 0 { 1404 return false 1405 } 1406 case extensionSCT: 1407 var sctList cryptobyte.String 1408 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1409 return false 1410 } 1411 for !sctList.Empty() { 1412 var sct []byte 1413 if !readUint16LengthPrefixed(&sctList, &sct) || 1414 len(sct) == 0 { 1415 return false 1416 } 1417 certificate.SignedCertificateTimestamps = append( 1418 certificate.SignedCertificateTimestamps, sct) 1419 } 1420 default: 1421 // Ignore unknown extensions. 1422 continue 1423 } 1424 1425 if !extData.Empty() { 1426 return false 1427 } 1428 } 1429 } 1430 return true 1431 } 1432 1433 type serverKeyExchangeMsg struct { 1434 raw []byte 1435 key []byte 1436 } 1437 1438 func (m *serverKeyExchangeMsg) marshal() []byte { 1439 if m.raw != nil { 1440 return m.raw 1441 } 1442 length := len(m.key) 1443 x := make([]byte, length+4) 1444 x[0] = typeServerKeyExchange 1445 x[1] = uint8(length >> 16) 1446 x[2] = uint8(length >> 8) 1447 x[3] = uint8(length) 1448 copy(x[4:], m.key) 1449 1450 m.raw = x 1451 return x 1452 } 1453 1454 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1455 m.raw = data 1456 if len(data) < 4 { 1457 return false 1458 } 1459 m.key = data[4:] 1460 return true 1461 } 1462 1463 type certificateStatusMsg struct { 1464 raw []byte 1465 response []byte 1466 } 1467 1468 func (m *certificateStatusMsg) marshal() []byte { 1469 if m.raw != nil { 1470 return m.raw 1471 } 1472 1473 var b cryptobyte.Builder 1474 b.AddUint8(typeCertificateStatus) 1475 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1476 b.AddUint8(statusTypeOCSP) 1477 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1478 b.AddBytes(m.response) 1479 }) 1480 }) 1481 1482 m.raw = b.BytesOrPanic() 1483 return m.raw 1484 } 1485 1486 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1487 m.raw = data 1488 s := cryptobyte.String(data) 1489 1490 var statusType uint8 1491 if !s.Skip(4) || // message type and uint24 length field 1492 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 1493 !readUint24LengthPrefixed(&s, &m.response) || 1494 len(m.response) == 0 || !s.Empty() { 1495 return false 1496 } 1497 return true 1498 } 1499 1500 type serverHelloDoneMsg struct{} 1501 1502 func (m *serverHelloDoneMsg) marshal() []byte { 1503 x := make([]byte, 4) 1504 x[0] = typeServerHelloDone 1505 return x 1506 } 1507 1508 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1509 return len(data) == 4 1510 } 1511 1512 type clientKeyExchangeMsg struct { 1513 raw []byte 1514 ciphertext []byte 1515 } 1516 1517 func (m *clientKeyExchangeMsg) marshal() []byte { 1518 if m.raw != nil { 1519 return m.raw 1520 } 1521 length := len(m.ciphertext) 1522 x := make([]byte, length+4) 1523 x[0] = typeClientKeyExchange 1524 x[1] = uint8(length >> 16) 1525 x[2] = uint8(length >> 8) 1526 x[3] = uint8(length) 1527 copy(x[4:], m.ciphertext) 1528 1529 m.raw = x 1530 return x 1531 } 1532 1533 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1534 m.raw = data 1535 if len(data) < 4 { 1536 return false 1537 } 1538 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1539 if l != len(data)-4 { 1540 return false 1541 } 1542 m.ciphertext = data[4:] 1543 return true 1544 } 1545 1546 type finishedMsg struct { 1547 raw []byte 1548 verifyData []byte 1549 } 1550 1551 func (m *finishedMsg) marshal() []byte { 1552 if m.raw != nil { 1553 return m.raw 1554 } 1555 1556 var b cryptobyte.Builder 1557 b.AddUint8(typeFinished) 1558 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1559 b.AddBytes(m.verifyData) 1560 }) 1561 1562 m.raw = b.BytesOrPanic() 1563 return m.raw 1564 } 1565 1566 func (m *finishedMsg) unmarshal(data []byte) bool { 1567 m.raw = data 1568 s := cryptobyte.String(data) 1569 return s.Skip(1) && 1570 readUint24LengthPrefixed(&s, &m.verifyData) && 1571 s.Empty() 1572 } 1573 1574 type certificateRequestMsg struct { 1575 raw []byte 1576 // hasSignatureAlgorithm indicates whether this message includes a list of 1577 // supported signature algorithms. This change was introduced with TLS 1.2. 1578 hasSignatureAlgorithm bool 1579 1580 certificateTypes []byte 1581 supportedSignatureAlgorithms []SignatureScheme 1582 certificateAuthorities [][]byte 1583 } 1584 1585 func (m *certificateRequestMsg) marshal() (x []byte) { 1586 if m.raw != nil { 1587 return m.raw 1588 } 1589 1590 // See RFC 4346, Section 7.4.4. 1591 length := 1 + len(m.certificateTypes) + 2 1592 casLength := 0 1593 for _, ca := range m.certificateAuthorities { 1594 casLength += 2 + len(ca) 1595 } 1596 length += casLength 1597 1598 if m.hasSignatureAlgorithm { 1599 length += 2 + 2*len(m.supportedSignatureAlgorithms) 1600 } 1601 1602 x = make([]byte, 4+length) 1603 x[0] = typeCertificateRequest 1604 x[1] = uint8(length >> 16) 1605 x[2] = uint8(length >> 8) 1606 x[3] = uint8(length) 1607 1608 x[4] = uint8(len(m.certificateTypes)) 1609 1610 copy(x[5:], m.certificateTypes) 1611 y := x[5+len(m.certificateTypes):] 1612 1613 if m.hasSignatureAlgorithm { 1614 n := len(m.supportedSignatureAlgorithms) * 2 1615 y[0] = uint8(n >> 8) 1616 y[1] = uint8(n) 1617 y = y[2:] 1618 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1619 y[0] = uint8(sigAlgo >> 8) 1620 y[1] = uint8(sigAlgo) 1621 y = y[2:] 1622 } 1623 } 1624 1625 y[0] = uint8(casLength >> 8) 1626 y[1] = uint8(casLength) 1627 y = y[2:] 1628 for _, ca := range m.certificateAuthorities { 1629 y[0] = uint8(len(ca) >> 8) 1630 y[1] = uint8(len(ca)) 1631 y = y[2:] 1632 copy(y, ca) 1633 y = y[len(ca):] 1634 } 1635 1636 m.raw = x 1637 return 1638 } 1639 1640 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1641 m.raw = data 1642 1643 if len(data) < 5 { 1644 return false 1645 } 1646 1647 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1648 if uint32(len(data))-4 != length { 1649 return false 1650 } 1651 1652 numCertTypes := int(data[4]) 1653 data = data[5:] 1654 if numCertTypes == 0 || len(data) <= numCertTypes { 1655 return false 1656 } 1657 1658 m.certificateTypes = make([]byte, numCertTypes) 1659 if copy(m.certificateTypes, data) != numCertTypes { 1660 return false 1661 } 1662 1663 data = data[numCertTypes:] 1664 1665 if m.hasSignatureAlgorithm { 1666 if len(data) < 2 { 1667 return false 1668 } 1669 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1670 data = data[2:] 1671 if sigAndHashLen&1 != 0 { 1672 return false 1673 } 1674 if len(data) < int(sigAndHashLen) { 1675 return false 1676 } 1677 numSigAlgos := sigAndHashLen / 2 1678 m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) 1679 for i := range m.supportedSignatureAlgorithms { 1680 m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) 1681 data = data[2:] 1682 } 1683 } 1684 1685 if len(data) < 2 { 1686 return false 1687 } 1688 casLength := uint16(data[0])<<8 | uint16(data[1]) 1689 data = data[2:] 1690 if len(data) < int(casLength) { 1691 return false 1692 } 1693 cas := make([]byte, casLength) 1694 copy(cas, data) 1695 data = data[casLength:] 1696 1697 m.certificateAuthorities = nil 1698 for len(cas) > 0 { 1699 if len(cas) < 2 { 1700 return false 1701 } 1702 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1703 cas = cas[2:] 1704 1705 if len(cas) < int(caLen) { 1706 return false 1707 } 1708 1709 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1710 cas = cas[caLen:] 1711 } 1712 1713 return len(data) == 0 1714 } 1715 1716 type certificateVerifyMsg struct { 1717 raw []byte 1718 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 1719 signatureAlgorithm SignatureScheme 1720 signature []byte 1721 } 1722 1723 func (m *certificateVerifyMsg) marshal() (x []byte) { 1724 if m.raw != nil { 1725 return m.raw 1726 } 1727 1728 var b cryptobyte.Builder 1729 b.AddUint8(typeCertificateVerify) 1730 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1731 if m.hasSignatureAlgorithm { 1732 b.AddUint16(uint16(m.signatureAlgorithm)) 1733 } 1734 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1735 b.AddBytes(m.signature) 1736 }) 1737 }) 1738 1739 m.raw = b.BytesOrPanic() 1740 return m.raw 1741 } 1742 1743 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1744 m.raw = data 1745 s := cryptobyte.String(data) 1746 1747 if !s.Skip(4) { // message type and uint24 length field 1748 return false 1749 } 1750 if m.hasSignatureAlgorithm { 1751 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 1752 return false 1753 } 1754 } 1755 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 1756 } 1757 1758 type newSessionTicketMsg struct { 1759 raw []byte 1760 ticket []byte 1761 } 1762 1763 func (m *newSessionTicketMsg) marshal() (x []byte) { 1764 if m.raw != nil { 1765 return m.raw 1766 } 1767 1768 // See RFC 5077, Section 3.3. 1769 ticketLen := len(m.ticket) 1770 length := 2 + 4 + ticketLen 1771 x = make([]byte, 4+length) 1772 x[0] = typeNewSessionTicket 1773 x[1] = uint8(length >> 16) 1774 x[2] = uint8(length >> 8) 1775 x[3] = uint8(length) 1776 x[8] = uint8(ticketLen >> 8) 1777 x[9] = uint8(ticketLen) 1778 copy(x[10:], m.ticket) 1779 1780 m.raw = x 1781 1782 return 1783 } 1784 1785 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1786 m.raw = data 1787 1788 if len(data) < 10 { 1789 return false 1790 } 1791 1792 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1793 if uint32(len(data))-4 != length { 1794 return false 1795 } 1796 1797 ticketLen := int(data[8])<<8 + int(data[9]) 1798 if len(data)-10 != ticketLen { 1799 return false 1800 } 1801 1802 m.ticket = data[10:] 1803 1804 return true 1805 } 1806 1807 type helloRequestMsg struct { 1808 } 1809 1810 func (*helloRequestMsg) marshal() []byte { 1811 return []byte{typeHelloRequest, 0, 0, 0} 1812 } 1813 1814 func (*helloRequestMsg) unmarshal(data []byte) bool { 1815 return len(data) == 4 1816 }