gitlab.com/go-extension/tls@v0.0.0-20240304171319-e6745021905e/handshake_messages.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "errors" 9 "fmt" 10 "strings" 11 12 "gitlab.com/go-extension/rand" 13 "golang.org/x/crypto/cryptobyte" 14 ) 15 16 // The marshalingFunction type is an adapter to allow the use of ordinary 17 // functions as cryptobyte.MarshalingValue. 18 type marshalingFunction func(b *cryptobyte.Builder) error 19 20 func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { 21 return f(b) 22 } 23 24 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If 25 // the length of the sequence is not the value specified, it produces an error. 26 func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { 27 b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { 28 if len(v) != n { 29 return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) 30 } 31 b.AddBytes(v) 32 return nil 33 })) 34 } 35 36 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a 37 // []byte instead of a cryptobyte.String. 38 func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 39 return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) 40 } 41 42 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a 43 // []byte instead of a cryptobyte.String. 44 func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 45 return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) 46 } 47 48 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a 49 // []byte instead of a cryptobyte.String. 50 func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { 51 return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) 52 } 53 54 type clientHelloMsg struct { 55 raw []byte 56 vers uint16 57 random []byte 58 sessionId []byte 59 cipherSuites []uint16 60 compressionMethods []uint8 61 serverName string 62 ocspStapling bool 63 supportedCurves []CurveID 64 supportedCompressionAlgorithmsCert []CertCompressionAlgorithm 65 supportedPoints []uint8 66 ticketSupported bool 67 sessionTicket []uint8 68 supportedSignatureAlgorithms []SignatureScheme 69 supportedSignatureAlgorithmsCert []SignatureScheme 70 secureRenegotiationSupported bool 71 secureRenegotiation []byte 72 extendedMasterSecret bool 73 alpnProtocols []string 74 alpsProtocols []string 75 scts bool 76 supportedVersions []uint16 77 cookie []byte 78 keyShares []keyShare 79 earlyData bool 80 pskModes []uint8 81 pskIdentities []pskIdentity 82 pskBinders [][]byte 83 quicTransportParameters []byte 84 ech []byte 85 extensions []Extension 86 } 87 88 func (m *clientHelloMsg) marshal() ([]byte, error) { 89 if m.raw != nil { 90 return m.raw, nil 91 } 92 93 var exts cryptobyte.Builder 94 for _, extension := range m.extensions { 95 switch extension.(type) { 96 case nil: 97 case *ServerNameIndicationExtension: 98 if len(m.serverName) > 0 { 99 // RFC 6066, Section 3 100 exts.AddUint16(extensionServerName) 101 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 102 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 103 exts.AddUint8(0) // name_type = host_name 104 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 105 exts.AddBytes([]byte(m.serverName)) 106 }) 107 }) 108 }) 109 } 110 case *StatusRequestExtension: 111 if m.ocspStapling { 112 // RFC 4366, Section 3.6 113 exts.AddUint16(extensionStatusRequest) 114 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 115 exts.AddUint8(1) // status_type = ocsp 116 exts.AddUint16(0) // empty responder_id_list 117 exts.AddUint16(0) // empty request_extensions 118 }) 119 } 120 case *SupportedGroupsExtension: 121 if len(m.supportedCurves) > 0 { 122 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 123 exts.AddUint16(extensionSupportedCurves) 124 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 125 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 126 for _, curve := range m.supportedCurves { 127 exts.AddUint16(uint16(curve)) 128 } 129 }) 130 }) 131 } 132 133 case *SupportedPointsExtension: 134 if len(m.supportedPoints) > 0 { 135 // RFC 4492, Section 5.1.2 136 exts.AddUint16(extensionSupportedPoints) 137 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 138 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 139 exts.AddBytes(m.supportedPoints) 140 }) 141 }) 142 } 143 case *SessionTicketExtension: 144 if m.ticketSupported { 145 // RFC 5077, Section 3.2 146 exts.AddUint16(extensionSessionTicket) 147 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 148 exts.AddBytes(m.sessionTicket) 149 }) 150 } 151 case *SignatureAlgorithmsExtension: 152 if len(m.supportedSignatureAlgorithms) > 0 { 153 // RFC 5246, Section 7.4.1.4.1 154 exts.AddUint16(extensionSignatureAlgorithms) 155 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 156 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 157 for _, sigAlgo := range m.supportedSignatureAlgorithms { 158 exts.AddUint16(uint16(sigAlgo)) 159 } 160 }) 161 }) 162 } 163 case *SignatureAlgorithmsCertExtension: 164 if len(m.supportedSignatureAlgorithmsCert) > 0 { 165 // RFC 8446, Section 4.2.3 166 exts.AddUint16(extensionSignatureAlgorithmsCert) 167 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 168 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 169 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 170 exts.AddUint16(uint16(sigAlgo)) 171 } 172 }) 173 }) 174 } 175 case *RenegotiationInfoExtension: 176 if m.secureRenegotiationSupported { 177 // RFC 5746, Section 3.2 178 exts.AddUint16(extensionRenegotiationInfo) 179 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 180 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 181 exts.AddBytes(m.secureRenegotiation) 182 }) 183 }) 184 } 185 case *ExtendedMasterSecretExtension: 186 if m.extendedMasterSecret { 187 // RFC 7627 188 exts.AddUint16(extensionExtendedMasterSecret) 189 exts.AddUint16(0) // empty extension_data 190 } 191 case *ALPNExtension: 192 if len(m.alpnProtocols) > 0 { 193 // RFC 7301, Section 3.1 194 exts.AddUint16(extensionALPN) 195 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 196 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 197 for _, proto := range m.alpnProtocols { 198 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 199 exts.AddBytes([]byte(proto)) 200 }) 201 } 202 }) 203 }) 204 } 205 case *ALPSExtension: 206 if len(m.alpsProtocols) > 0 { 207 exts.AddUint16(extensionALPS) 208 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 209 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 210 for _, proto := range m.alpsProtocols { 211 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 212 exts.AddBytes([]byte(proto)) 213 }) 214 } 215 }) 216 }) 217 } 218 case *SCTExtension: 219 if m.scts { 220 // RFC 6962, Section 3.3.1 221 exts.AddUint16(extensionSCT) 222 exts.AddUint16(0) // empty extension_data 223 } 224 case *SupportedVersionsExtension: 225 if len(m.supportedVersions) > 0 { 226 // RFC 8446, Section 4.2.1 227 exts.AddUint16(extensionSupportedVersions) 228 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 229 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 230 for _, vers := range m.supportedVersions { 231 exts.AddUint16(vers) 232 } 233 }) 234 }) 235 } 236 case *CompressedCertificateExtension: 237 if len(m.supportedCompressionAlgorithmsCert) > 0 { 238 exts.AddUint16(extensionCompressCert) 239 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 240 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 241 for _, algorithm := range m.supportedCompressionAlgorithmsCert { 242 exts.AddUint16(uint16(algorithm)) 243 } 244 }) 245 }) 246 } 247 case *CookieExtension: 248 if len(m.cookie) > 0 { 249 // RFC 8446, Section 4.2.2 250 exts.AddUint16(extensionCookie) 251 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 252 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 253 exts.AddBytes(m.cookie) 254 }) 255 }) 256 } 257 case *KeyShareExtension: 258 if len(m.keyShares) > 0 { 259 // RFC 8446, Section 4.2.8 260 exts.AddUint16(extensionKeyShare) 261 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 262 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 263 for _, ks := range m.keyShares { 264 exts.AddUint16(uint16(ks.group)) 265 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 266 exts.AddBytes(ks.data) 267 }) 268 } 269 }) 270 }) 271 } 272 case *EarlyExtension: 273 if m.earlyData { 274 // RFC 8446, Section 4.2.10 275 exts.AddUint16(extensionEarlyData) 276 exts.AddUint16(0) // empty extension_data 277 } 278 case *PSKModesExtension: 279 if len(m.pskModes) > 0 { 280 // RFC 8446, Section 4.2.9 281 exts.AddUint16(extensionPSKModes) 282 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 283 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 284 exts.AddBytes(m.pskModes) 285 }) 286 }) 287 } 288 case *EncryptedClientHelloExtension: 289 if len(m.ech) > 0 { 290 // draft-ietf-tls-esni-13, "encrypted_client_hello" 291 exts.AddUint16(extensionECH) 292 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 293 exts.AddBytes(m.ech) 294 }) 295 } 296 case *QUICTransportParametersExtension: 297 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 298 // RFC 9001, Section 8.2 299 exts.AddUint16(extensionQUICTransportParameters) 300 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 301 exts.AddBytes(m.quicTransportParameters) 302 }) 303 } 304 case *PreSharedKeyExtension: 305 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 306 // RFC 8446, Section 4.2.11 307 exts.AddUint16(extensionPreSharedKey) 308 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 309 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 310 for _, psk := range m.pskIdentities { 311 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 312 exts.AddBytes(psk.label) 313 }) 314 exts.AddUint32(psk.obfuscatedTicketAge) 315 } 316 }) 317 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 318 for _, binder := range m.pskBinders { 319 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 320 exts.AddBytes(binder) 321 }) 322 } 323 }) 324 }) 325 } 326 default: 327 exts.AddUint16(extension.ExtensionId()) 328 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 329 extension.Marshal(typeClientHello, exts) 330 }) 331 } 332 } 333 334 extBytes, err := exts.Bytes() 335 if err != nil { 336 return nil, err 337 } 338 339 var b cryptobyte.Builder 340 b.AddUint8(typeClientHello) 341 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 342 b.AddUint16(m.vers) 343 addBytesWithLength(b, m.random, 32) 344 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 345 b.AddBytes(m.sessionId) 346 }) 347 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 348 for _, suite := range m.cipherSuites { 349 b.AddUint16(suite) 350 } 351 }) 352 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 353 b.AddBytes(m.compressionMethods) 354 }) 355 356 if len(extBytes) > 0 { 357 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 358 b.AddBytes(extBytes) 359 }) 360 } 361 }) 362 363 m.raw, err = b.Bytes() 364 return m.raw, err 365 } 366 367 func (m *clientHelloMsg) automaticPadding(minSize uint16) { 368 if minSize == 0 { 369 return 370 } 371 372 var length int 373 length += 1 374 length += 3 375 length += 2 376 377 length += 32 378 379 length += 1 380 length += len(m.sessionId) 381 382 length += 2 383 length += len(m.cipherSuites) * 2 384 385 length += 1 386 length += len(m.compressionMethods) 387 388 { 389 var extLength int 390 for _, extension := range m.extensions { 391 switch extension.(type) { 392 case nil: 393 case *ServerNameIndicationExtension: 394 if len(m.serverName) > 0 { 395 extLength += 4 396 // RFC 6066, Section 3 397 extLength += 2 398 extLength += 1 399 extLength += 2 400 extLength += len(m.serverName) 401 } 402 case *StatusRequestExtension: 403 if m.ocspStapling { 404 extLength += 4 405 // RFC 4366, Section 3.6 406 extLength += 1 407 extLength += 2 408 extLength += 2 409 } 410 case *SupportedGroupsExtension: 411 if len(m.supportedCurves) > 0 { 412 extLength += 4 413 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 414 extLength += 2 415 extLength += len(m.supportedCurves) * 2 416 } 417 case *SupportedPointsExtension: 418 if len(m.supportedPoints) > 0 { 419 extLength += 4 420 // RFC 4492, Section 5.1.2 421 extLength += 1 422 extLength += len(m.supportedPoints) 423 } 424 case *SessionTicketExtension: 425 if m.ticketSupported { 426 extLength += 4 427 // RFC 5077, Section 3.2 428 extLength += len(m.sessionTicket) 429 } 430 case *SignatureAlgorithmsExtension: 431 if len(m.supportedSignatureAlgorithms) > 0 { 432 extLength += 4 433 // RFC 5246, Section 7.4.1.4.1 434 extLength += 2 435 extLength += len(m.supportedSignatureAlgorithms) * 2 436 } 437 case *SignatureAlgorithmsCertExtension: 438 if len(m.supportedSignatureAlgorithmsCert) > 0 { 439 extLength += 4 440 // RFC 8446, Section 4.2.3 441 extLength += 2 442 extLength += len(m.supportedSignatureAlgorithmsCert) * 2 443 } 444 case *RenegotiationInfoExtension: 445 if m.secureRenegotiationSupported { 446 extLength += 4 447 // RFC 5746, Section 3.2 448 extLength += 1 449 extLength += len(m.secureRenegotiation) 450 } 451 case *ExtendedMasterSecretExtension: 452 if m.extendedMasterSecret { 453 extLength += 4 454 } 455 // RFC 7627 456 case *ALPNExtension: 457 if len(m.alpnProtocols) > 0 { 458 extLength += 4 459 // RFC 7301, Section 3.1 460 extLength += 2 461 for _, proto := range m.alpnProtocols { 462 extLength += 1 463 extLength += len(proto) 464 } 465 } 466 case *ALPSExtension: 467 if len(m.alpsProtocols) > 0 { 468 extLength += 4 469 470 extLength += 2 471 for _, proto := range m.alpsProtocols { 472 extLength += 1 473 extLength += len(proto) 474 } 475 } 476 case *SCTExtension: 477 if m.scts { 478 extLength += 4 479 // RFC 6962, Section 3.3.1 480 } 481 case *SupportedVersionsExtension: 482 if len(m.supportedVersions) > 0 { 483 extLength += 4 484 // RFC 8446, Section 4.2.1 485 extLength += 1 486 extLength += len(m.supportedVersions) * 2 487 } 488 case *CompressedCertificateExtension: 489 if len(m.supportedCompressionAlgorithmsCert) > 0 { 490 extLength += 4 491 492 extLength += 1 493 extLength += len(m.supportedCompressionAlgorithmsCert) * 2 494 } 495 case *CookieExtension: 496 if len(m.cookie) > 0 { 497 extLength += 4 498 // RFC 8446, Section 4.2.2 499 extLength += 2 500 extLength += len(m.cookie) 501 } 502 case *KeyShareExtension: 503 if len(m.keyShares) > 0 { 504 extLength += 4 505 // RFC 8446, Section 4.2.8 506 extLength += 2 507 for _, ks := range m.keyShares { 508 extLength += 2 509 extLength += 2 510 extLength += len(ks.data) 511 } 512 } 513 case *EarlyExtension: 514 if m.earlyData { 515 extLength += 4 516 // RFC 8446, Section 4.2.10 517 } 518 case *PSKModesExtension: 519 if len(m.pskModes) > 0 { 520 extLength += 4 521 // RFC 8446, Section 4.2.9 522 extLength += 1 523 extLength += len(m.pskModes) 524 } 525 case *EncryptedClientHelloExtension: 526 if len(m.ech) > 0 { 527 extLength += 4 528 // RFC 9001, Section 8.2 529 extLength += len(m.ech) 530 } 531 case *QUICTransportParametersExtension: 532 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 533 extLength += 4 534 // RFC 9001, Section 8.2 535 extLength += len(m.quicTransportParameters) 536 } 537 case *PreSharedKeyExtension: 538 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 539 extLength += 4 540 // RFC 8446, Section 4.2.11 541 extLength += 2 542 for _, psk := range m.pskIdentities { 543 extLength += 2 544 extLength += len(psk.label) 545 extLength += 4 546 } 547 548 extLength += 2 549 for _, binder := range m.pskBinders { 550 extLength += 1 551 extLength += len(binder) 552 } 553 } 554 case *PaddingExtension: 555 default: 556 extLength += 4 557 extLength += extension.Len(typeClientHello) 558 } 559 } 560 561 if extLength > 0 { 562 length += 2 563 length += extLength 564 } 565 } 566 567 paddingLength := int(minSize) - length 568 if paddingLength <= 0 { 569 for i, extension := range m.extensions { 570 switch extension.(type) { 571 case *PaddingExtension: 572 m.extensions[i] = nil 573 } 574 } 575 return 576 } 577 578 paddingLength -= 4 579 if paddingLength <= 0 { 580 paddingLength = 1 581 } 582 583 var seenPadding bool 584 for i, extension := range m.extensions { 585 switch extension := extension.(type) { 586 case *PaddingExtension: 587 if seenPadding { 588 m.extensions[i] = nil 589 } else { 590 seenPadding = true 591 extension.Length = uint16(paddingLength) 592 } 593 } 594 } 595 } 596 597 // Shuffle extensions to avoid fingerprinting -- introduced in Chrome 106 598 func (m *clientHelloMsg) automaticShuffle() { 599 // shuffleCheck checks: 600 // - if the m.extensions[i] is a GREASE extension, then it should not be shuffled 601 // - if the m.extensions[i] is a padding/pre_shared_key extension, then it should be the 602 // last extension in the list and should not be shuffled 603 var shuffleCheck = func(i int) bool { 604 switch m.extensions[i].(type) { 605 case *GREASEExtension, *PaddingExtension, *PreSharedKeyExtension: 606 return false 607 default: 608 return true 609 } 610 } 611 612 // Shuffle other extensions 613 rand.Crypto.Shuffle(len(m.extensions), func(i, j int) { 614 if !shuffleCheck(i) || !shuffleCheck(j) { 615 return 616 } 617 618 m.extensions[i], m.extensions[j] = m.extensions[j], m.extensions[i] 619 }) 620 } 621 622 // marshalWithoutBinders returns the ClientHello through the 623 // PreSharedKeyExtension.identities field, according to RFC 8446, Section 624 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. 625 func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) { 626 var bindersLen int 627 628 var exts cryptobyte.Builder 629 for _, extension := range m.extensions { 630 switch extension.(type) { 631 case nil: 632 case *ServerNameIndicationExtension: 633 if len(m.serverName) > 0 { 634 // RFC 6066, Section 3 635 exts.AddUint16(extensionServerName) 636 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 637 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 638 exts.AddUint8(0) // name_type = host_name 639 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 640 exts.AddBytes([]byte(m.serverName)) 641 }) 642 }) 643 }) 644 } 645 case *StatusRequestExtension: 646 if m.ocspStapling { 647 // RFC 4366, Section 3.6 648 exts.AddUint16(extensionStatusRequest) 649 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 650 exts.AddUint8(1) // status_type = ocsp 651 exts.AddUint16(0) // empty responder_id_list 652 exts.AddUint16(0) // empty request_extensions 653 }) 654 } 655 case *SupportedGroupsExtension: 656 if len(m.supportedCurves) > 0 { 657 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 658 exts.AddUint16(extensionSupportedCurves) 659 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 660 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 661 for _, curve := range m.supportedCurves { 662 exts.AddUint16(uint16(curve)) 663 } 664 }) 665 }) 666 } 667 case *SupportedPointsExtension: 668 if len(m.supportedPoints) > 0 { 669 // RFC 4492, Section 5.1.2 670 exts.AddUint16(extensionSupportedPoints) 671 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 672 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 673 exts.AddBytes(m.supportedPoints) 674 }) 675 }) 676 } 677 case *SessionTicketExtension: 678 if m.ticketSupported { 679 // RFC 5077, Section 3.2 680 exts.AddUint16(extensionSessionTicket) 681 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 682 exts.AddBytes(m.sessionTicket) 683 }) 684 } 685 case *SignatureAlgorithmsExtension: 686 if len(m.supportedSignatureAlgorithms) > 0 { 687 // RFC 5246, Section 7.4.1.4.1 688 exts.AddUint16(extensionSignatureAlgorithms) 689 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 690 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 691 for _, sigAlgo := range m.supportedSignatureAlgorithms { 692 exts.AddUint16(uint16(sigAlgo)) 693 } 694 }) 695 }) 696 } 697 case *SignatureAlgorithmsCertExtension: 698 if len(m.supportedSignatureAlgorithmsCert) > 0 { 699 // RFC 8446, Section 4.2.3 700 exts.AddUint16(extensionSignatureAlgorithmsCert) 701 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 702 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 703 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 704 exts.AddUint16(uint16(sigAlgo)) 705 } 706 }) 707 }) 708 } 709 case *RenegotiationInfoExtension: 710 if m.secureRenegotiationSupported { 711 // RFC 5746, Section 3.2 712 exts.AddUint16(extensionRenegotiationInfo) 713 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 714 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 715 exts.AddBytes(m.secureRenegotiation) 716 }) 717 }) 718 } 719 case *ExtendedMasterSecretExtension: 720 if m.extendedMasterSecret { 721 // RFC 7627 722 exts.AddUint16(extensionExtendedMasterSecret) 723 exts.AddUint16(0) // empty extension_data 724 } 725 case *ALPNExtension: 726 if len(m.alpnProtocols) > 0 { 727 // RFC 7301, Section 3.1 728 exts.AddUint16(extensionALPN) 729 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 730 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 731 for _, proto := range m.alpnProtocols { 732 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 733 exts.AddBytes([]byte(proto)) 734 }) 735 } 736 }) 737 }) 738 } 739 case *ALPSExtension: 740 if len(m.alpsProtocols) > 0 { 741 exts.AddUint16(extensionALPS) 742 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 743 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 744 for _, proto := range m.alpsProtocols { 745 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 746 exts.AddBytes([]byte(proto)) 747 }) 748 } 749 }) 750 }) 751 } 752 case *SCTExtension: 753 if m.scts { 754 // RFC 6962, Section 3.3.1 755 exts.AddUint16(extensionSCT) 756 exts.AddUint16(0) // empty extension_data 757 } 758 case *SupportedVersionsExtension: 759 if len(m.supportedVersions) > 0 { 760 // RFC 8446, Section 4.2.1 761 exts.AddUint16(extensionSupportedVersions) 762 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 763 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 764 for _, vers := range m.supportedVersions { 765 exts.AddUint16(vers) 766 } 767 }) 768 }) 769 } 770 case *CompressedCertificateExtension: 771 if len(m.supportedCompressionAlgorithmsCert) > 0 { 772 exts.AddUint16(extensionCompressCert) 773 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 774 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 775 for _, algorithm := range m.supportedCompressionAlgorithmsCert { 776 exts.AddUint16(uint16(algorithm)) 777 } 778 }) 779 }) 780 } 781 case *CookieExtension: 782 if len(m.cookie) > 0 { 783 // RFC 8446, Section 4.2.2 784 exts.AddUint16(extensionCookie) 785 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 786 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 787 exts.AddBytes(m.cookie) 788 }) 789 }) 790 } 791 case *KeyShareExtension: 792 if len(m.keyShares) > 0 { 793 // RFC 8446, Section 4.2.8 794 exts.AddUint16(extensionKeyShare) 795 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 796 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 797 for _, ks := range m.keyShares { 798 exts.AddUint16(uint16(ks.group)) 799 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 800 exts.AddBytes(ks.data) 801 }) 802 } 803 }) 804 }) 805 } 806 case *EarlyExtension: 807 if m.earlyData { 808 // RFC 8446, Section 4.2.10 809 exts.AddUint16(extensionEarlyData) 810 exts.AddUint16(0) // empty extension_data 811 } 812 case *PSKModesExtension: 813 if len(m.pskModes) > 0 { 814 // RFC 8446, Section 4.2.9 815 exts.AddUint16(extensionPSKModes) 816 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 817 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 818 exts.AddBytes(m.pskModes) 819 }) 820 }) 821 } 822 case *EncryptedClientHelloExtension: 823 if len(m.ech) > 0 { 824 // draft-ietf-tls-esni-13, "encrypted_client_hello" 825 exts.AddUint16(extensionECH) 826 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 827 exts.AddBytes(m.ech) 828 }) 829 } 830 case *QUICTransportParametersExtension: 831 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 832 // RFC 9001, Section 8.2 833 exts.AddUint16(extensionQUICTransportParameters) 834 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 835 exts.AddBytes(m.quicTransportParameters) 836 }) 837 } 838 case *PreSharedKeyExtension: 839 if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension 840 // RFC 8446, Section 4.2.11 841 exts.AddUint16(extensionPreSharedKey) 842 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 843 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 844 for _, psk := range m.pskIdentities { 845 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 846 exts.AddBytes(psk.label) 847 }) 848 exts.AddUint32(psk.obfuscatedTicketAge) 849 } 850 }) 851 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 852 bindersLen += 2 853 for _, binder := range m.pskBinders { 854 bindersLen += 1 855 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 856 bindersLen += len(binder) 857 exts.AddBytes(binder) 858 }) 859 } 860 }) 861 }) 862 } 863 default: 864 exts.AddUint16(extension.ExtensionId()) 865 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 866 extension.Marshal(typeClientHello, exts) 867 }) 868 } 869 } 870 871 extBytes, err := exts.Bytes() 872 if err != nil { 873 return nil, err 874 } 875 876 var b cryptobyte.Builder 877 b.AddUint8(typeClientHello) 878 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 879 b.AddUint16(m.vers) 880 addBytesWithLength(b, m.random, 32) 881 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 882 b.AddBytes(m.sessionId) 883 }) 884 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 885 for _, suite := range m.cipherSuites { 886 b.AddUint16(suite) 887 } 888 }) 889 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 890 b.AddBytes(m.compressionMethods) 891 }) 892 893 if len(extBytes) > 0 { 894 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 895 b.AddBytes(extBytes) 896 }) 897 } 898 }) 899 900 full, err := b.Bytes() 901 if err != nil { 902 return nil, err 903 } 904 return full[:len(full)-bindersLen], nil 905 } 906 907 // updateBinders updates the m.pskBinders field, if necessary updating the 908 // cached marshaled representation. The supplied binders must have the same 909 // length as the current m.pskBinders. 910 func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error { 911 if len(pskBinders) != len(m.pskBinders) { 912 return errors.New("tls: internal error: pskBinders length mismatch") 913 } 914 for i := range m.pskBinders { 915 if len(pskBinders[i]) != len(m.pskBinders[i]) { 916 return errors.New("tls: internal error: pskBinders length mismatch") 917 } 918 } 919 m.pskBinders = pskBinders 920 if m.raw != nil { 921 m.raw = nil 922 if out, err := m.marshal(); err != nil || len(out) != len(m.raw) { 923 return errors.New("tls: internal error: failed to update binders") 924 } 925 } 926 927 return nil 928 } 929 930 func (m *clientHelloMsg) unmarshal(data []byte) bool { 931 *m = clientHelloMsg{raw: data} 932 s := cryptobyte.String(data) 933 934 if !s.Skip(4) || // message type and uint24 length field 935 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 936 !readUint8LengthPrefixed(&s, &m.sessionId) { 937 return false 938 } 939 940 var cipherSuites cryptobyte.String 941 if !s.ReadUint16LengthPrefixed(&cipherSuites) { 942 return false 943 } 944 m.cipherSuites = []uint16{} 945 m.secureRenegotiationSupported = false 946 for !cipherSuites.Empty() { 947 var suite uint16 948 if !cipherSuites.ReadUint16(&suite) { 949 return false 950 } 951 if suite == scsvRenegotiation { 952 m.secureRenegotiationSupported = true 953 } 954 m.cipherSuites = append(m.cipherSuites, suite) 955 } 956 957 if !readUint8LengthPrefixed(&s, &m.compressionMethods) { 958 return false 959 } 960 961 if s.Empty() { 962 // ClientHello is optionally followed by extension data 963 return true 964 } 965 966 var extensions cryptobyte.String 967 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 968 return false 969 } 970 971 seenExts := make(map[uint16]bool) 972 for !extensions.Empty() { 973 var extension uint16 974 var extData cryptobyte.String 975 if !extensions.ReadUint16(&extension) || 976 !extensions.ReadUint16LengthPrefixed(&extData) { 977 return false 978 } 979 980 if seenExts[extension] { 981 return false 982 } 983 seenExts[extension] = true 984 985 switch extension { 986 case extensionServerName: 987 // RFC 6066, Section 3 988 var nameList cryptobyte.String 989 if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { 990 return false 991 } 992 for !nameList.Empty() { 993 var nameType uint8 994 var serverName cryptobyte.String 995 if !nameList.ReadUint8(&nameType) || 996 !nameList.ReadUint16LengthPrefixed(&serverName) || 997 serverName.Empty() { 998 return false 999 } 1000 if nameType != 0 { 1001 continue 1002 } 1003 if len(m.serverName) != 0 { 1004 // Multiple names of the same name_type are prohibited. 1005 return false 1006 } 1007 m.serverName = string(serverName) 1008 // An SNI value may not include a trailing dot. 1009 if strings.HasSuffix(m.serverName, ".") { 1010 return false 1011 } 1012 } 1013 m.extensions = append(m.extensions, &ServerNameIndicationExtension{}) 1014 case extensionStatusRequest: 1015 // RFC 4366, Section 3.6 1016 var statusType uint8 1017 var ignored cryptobyte.String 1018 if !extData.ReadUint8(&statusType) || 1019 !extData.ReadUint16LengthPrefixed(&ignored) || 1020 !extData.ReadUint16LengthPrefixed(&ignored) { 1021 return false 1022 } 1023 m.ocspStapling = statusType == statusTypeOCSP 1024 m.extensions = append(m.extensions, &StatusRequestExtension{}) 1025 case extensionSupportedCurves: 1026 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 1027 var curves cryptobyte.String 1028 if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { 1029 return false 1030 } 1031 for !curves.Empty() { 1032 var curve uint16 1033 if !curves.ReadUint16(&curve) { 1034 return false 1035 } 1036 m.supportedCurves = append(m.supportedCurves, CurveID(curve)) 1037 } 1038 m.extensions = append(m.extensions, &SupportedGroupsExtension{}) 1039 case extensionSupportedPoints: 1040 // RFC 4492, Section 5.1.2 1041 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 1042 len(m.supportedPoints) == 0 { 1043 return false 1044 } 1045 m.extensions = append(m.extensions, &SupportedPointsExtension{}) 1046 case extensionSessionTicket: 1047 // RFC 5077, Section 3.2 1048 m.ticketSupported = true 1049 extData.ReadBytes(&m.sessionTicket, len(extData)) 1050 m.extensions = append(m.extensions, &SessionTicketExtension{}) 1051 case extensionSignatureAlgorithms: 1052 // RFC 5246, Section 7.4.1.4.1 1053 var sigAndAlgs cryptobyte.String 1054 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1055 return false 1056 } 1057 for !sigAndAlgs.Empty() { 1058 var sigAndAlg uint16 1059 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1060 return false 1061 } 1062 m.supportedSignatureAlgorithms = append( 1063 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 1064 } 1065 m.extensions = append(m.extensions, &SignatureAlgorithmsExtension{}) 1066 case extensionSignatureAlgorithmsCert: 1067 // RFC 8446, Section 4.2.3 1068 var sigAndAlgs cryptobyte.String 1069 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 1070 return false 1071 } 1072 for !sigAndAlgs.Empty() { 1073 var sigAndAlg uint16 1074 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 1075 return false 1076 } 1077 m.supportedSignatureAlgorithmsCert = append( 1078 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 1079 } 1080 m.extensions = append(m.extensions, &SignatureAlgorithmsCertExtension{}) 1081 case extensionRenegotiationInfo: 1082 // RFC 5746, Section 3.2 1083 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 1084 return false 1085 } 1086 m.secureRenegotiationSupported = true 1087 m.extensions = append(m.extensions, &RenegotiationInfoExtension{}) 1088 case extensionExtendedMasterSecret: 1089 // RFC 7627 1090 m.extendedMasterSecret = true 1091 m.extensions = append(m.extensions, &ExtendedMasterSecretExtension{}) 1092 case extensionALPN: 1093 // RFC 7301, Section 3.1 1094 var protoList cryptobyte.String 1095 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1096 return false 1097 } 1098 for !protoList.Empty() { 1099 var proto cryptobyte.String 1100 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 1101 return false 1102 } 1103 m.alpnProtocols = append(m.alpnProtocols, string(proto)) 1104 } 1105 m.extensions = append(m.extensions, &ALPNExtension{}) 1106 case extensionALPS: 1107 var protoList cryptobyte.String 1108 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1109 return false 1110 } 1111 for !protoList.Empty() { 1112 var proto cryptobyte.String 1113 if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { 1114 return false 1115 } 1116 m.alpsProtocols = append(m.alpsProtocols, string(proto)) 1117 } 1118 m.extensions = append(m.extensions, &ALPSExtension{}) 1119 case extensionSCT: 1120 // RFC 6962, Section 3.3.1 1121 m.scts = true 1122 m.extensions = append(m.extensions, &SCTExtension{}) 1123 case extensionCompressCert: 1124 var compressionList cryptobyte.String 1125 if !extData.ReadUint8LengthPrefixed(&compressionList) || compressionList.Empty() { 1126 return false 1127 } 1128 for !compressionList.Empty() { 1129 var compression uint16 1130 if !compressionList.ReadUint16(&compression) { 1131 return false 1132 } 1133 m.supportedCompressionAlgorithmsCert = append(m.supportedCompressionAlgorithmsCert, CertCompressionAlgorithm(compression)) 1134 } 1135 m.extensions = append(m.extensions, &CompressedCertificateExtension{}) 1136 case extensionSupportedVersions: 1137 // RFC 8446, Section 4.2.1 1138 var versList cryptobyte.String 1139 if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { 1140 return false 1141 } 1142 for !versList.Empty() { 1143 var vers uint16 1144 if !versList.ReadUint16(&vers) { 1145 return false 1146 } 1147 m.supportedVersions = append(m.supportedVersions, vers) 1148 } 1149 m.extensions = append(m.extensions, &SupportedVersionsExtension{}) 1150 case extensionCookie: 1151 // RFC 8446, Section 4.2.2 1152 if !readUint16LengthPrefixed(&extData, &m.cookie) || 1153 len(m.cookie) == 0 { 1154 return false 1155 } 1156 m.extensions = append(m.extensions, &CookieExtension{}) 1157 case extensionKeyShare: 1158 // RFC 8446, Section 4.2.8 1159 var clientShares cryptobyte.String 1160 if !extData.ReadUint16LengthPrefixed(&clientShares) { 1161 return false 1162 } 1163 for !clientShares.Empty() { 1164 var ks keyShare 1165 if !clientShares.ReadUint16((*uint16)(&ks.group)) || 1166 !readUint16LengthPrefixed(&clientShares, &ks.data) || 1167 len(ks.data) == 0 { 1168 return false 1169 } 1170 m.keyShares = append(m.keyShares, ks) 1171 } 1172 m.extensions = append(m.extensions, &KeyShareExtension{}) 1173 case extensionEarlyData: 1174 // RFC 8446, Section 4.2.10 1175 m.earlyData = true 1176 m.extensions = append(m.extensions, &EarlyExtension{}) 1177 case extensionPSKModes: 1178 // RFC 8446, Section 4.2.9 1179 if !readUint8LengthPrefixed(&extData, &m.pskModes) { 1180 return false 1181 } 1182 m.extensions = append(m.extensions, &PSKModesExtension{}) 1183 case extensionECH: 1184 // draft-ietf-tls-esni-13, "encrypted_client_hello" 1185 if len(extData) == 0 || 1186 !extData.ReadBytes(&m.ech, len(extData)) { 1187 return false 1188 } 1189 m.extensions = append(m.extensions, &EncryptedClientHelloExtension{}) 1190 case extensionQUICTransportParameters: 1191 m.quicTransportParameters = make([]byte, len(extData)) 1192 if !extData.CopyBytes(m.quicTransportParameters) { 1193 return false 1194 } 1195 m.extensions = append(m.extensions, &QUICTransportParametersExtension{}) 1196 case extensionPreSharedKey: 1197 // RFC 8446, Section 4.2.11 1198 if !extensions.Empty() { 1199 return false // pre_shared_key must be the last extension 1200 } 1201 var identities cryptobyte.String 1202 if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { 1203 return false 1204 } 1205 for !identities.Empty() { 1206 var psk pskIdentity 1207 if !readUint16LengthPrefixed(&identities, &psk.label) || 1208 !identities.ReadUint32(&psk.obfuscatedTicketAge) || 1209 len(psk.label) == 0 { 1210 return false 1211 } 1212 m.pskIdentities = append(m.pskIdentities, psk) 1213 } 1214 var binders cryptobyte.String 1215 if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { 1216 return false 1217 } 1218 for !binders.Empty() { 1219 var binder []byte 1220 if !readUint8LengthPrefixed(&binders, &binder) || 1221 len(binder) == 0 { 1222 return false 1223 } 1224 m.pskBinders = append(m.pskBinders, binder) 1225 } 1226 m.extensions = append(m.extensions, &PreSharedKeyExtension{}) 1227 case extensionPadding: 1228 ext := &PaddingExtension{} 1229 if !ext.Unmarshal(typeClientHello, extData) { 1230 return false 1231 } 1232 m.extensions = append(m.extensions, ext) 1233 continue 1234 default: 1235 var ext Extension 1236 1237 switch { 1238 case IsGREASE(extension): 1239 ext = &GREASEExtension{Id: extension} 1240 default: 1241 ext = &UnimplementedExtension{Id: extension} 1242 } 1243 1244 if !ext.Unmarshal(typeClientHello, extData) { 1245 return false 1246 } 1247 1248 m.extensions = append(m.extensions, ext) 1249 continue 1250 } 1251 1252 if !extData.Empty() { 1253 return false 1254 } 1255 } 1256 1257 return true 1258 } 1259 1260 type serverHelloMsg struct { 1261 raw []byte 1262 vers uint16 1263 random []byte 1264 sessionId []byte 1265 cipherSuite uint16 1266 compressionMethod uint8 1267 ocspStapling bool 1268 ticketSupported bool 1269 secureRenegotiationSupported bool 1270 secureRenegotiation []byte 1271 extendedMasterSecret bool 1272 alpnProtocol string 1273 scts [][]byte 1274 supportedVersion uint16 1275 serverShare keyShare 1276 selectedIdentityPresent bool 1277 selectedIdentity uint16 1278 supportedPoints []uint8 1279 ech []byte 1280 1281 // HelloRetryRequest extensions 1282 cookie []byte 1283 selectedGroup CurveID 1284 1285 extensions []Extension 1286 } 1287 1288 func (m *serverHelloMsg) marshal() ([]byte, error) { 1289 if m.raw != nil { 1290 return m.raw, nil 1291 } 1292 1293 var exts cryptobyte.Builder 1294 for _, extension := range m.extensions { 1295 switch extension.(type) { 1296 case nil: 1297 case *StatusRequestExtension: 1298 if m.ocspStapling { 1299 exts.AddUint16(extensionStatusRequest) 1300 exts.AddUint16(0) // empty extension_data 1301 } 1302 case *SessionTicketExtension: 1303 if m.ticketSupported { 1304 exts.AddUint16(extensionSessionTicket) 1305 exts.AddUint16(0) // empty extension_data 1306 } 1307 case *RenegotiationInfoExtension: 1308 if m.secureRenegotiationSupported { 1309 exts.AddUint16(extensionRenegotiationInfo) 1310 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1311 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 1312 exts.AddBytes(m.secureRenegotiation) 1313 }) 1314 }) 1315 } 1316 case *ExtendedMasterSecretExtension: 1317 if m.extendedMasterSecret { 1318 // RFC 7627 1319 exts.AddUint16(extensionExtendedMasterSecret) 1320 exts.AddUint16(0) // empty extension_data 1321 } 1322 case *ALPNExtension: 1323 if len(m.alpnProtocol) > 0 { 1324 exts.AddUint16(extensionALPN) 1325 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1326 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1327 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 1328 exts.AddBytes([]byte(m.alpnProtocol)) 1329 }) 1330 }) 1331 }) 1332 } 1333 case *SCTExtension: 1334 if len(m.scts) > 0 { 1335 exts.AddUint16(extensionSCT) 1336 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1337 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1338 for _, sct := range m.scts { 1339 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1340 exts.AddBytes(sct) 1341 }) 1342 } 1343 }) 1344 }) 1345 } 1346 case *SupportedVersionsExtension: 1347 if m.supportedVersion != 0 { 1348 exts.AddUint16(extensionSupportedVersions) 1349 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1350 exts.AddUint16(m.supportedVersion) 1351 }) 1352 } 1353 case *KeyShareExtension: 1354 if m.serverShare.group != 0 { 1355 exts.AddUint16(extensionKeyShare) 1356 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1357 exts.AddUint16(uint16(m.serverShare.group)) 1358 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1359 exts.AddBytes(m.serverShare.data) 1360 }) 1361 }) 1362 } 1363 1364 if m.selectedGroup != 0 { 1365 exts.AddUint16(extensionKeyShare) 1366 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1367 exts.AddUint16(uint16(m.selectedGroup)) 1368 }) 1369 } 1370 case *PreSharedKeyExtension: 1371 if m.selectedIdentityPresent { 1372 exts.AddUint16(extensionPreSharedKey) 1373 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1374 exts.AddUint16(m.selectedIdentity) 1375 }) 1376 } 1377 case *CookieExtension: 1378 if len(m.cookie) > 0 { 1379 exts.AddUint16(extensionCookie) 1380 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1381 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1382 exts.AddBytes(m.cookie) 1383 }) 1384 }) 1385 } 1386 case *SupportedPointsExtension: 1387 if len(m.supportedPoints) > 0 { 1388 exts.AddUint16(extensionSupportedPoints) 1389 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1390 exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { 1391 exts.AddBytes(m.supportedPoints) 1392 }) 1393 }) 1394 } 1395 case *EncryptedClientHelloExtension: 1396 if len(m.ech) > 0 { 1397 // draft-ietf-tls-esni-13, "encrypted_client_hello" 1398 exts.AddUint16(extensionECH) 1399 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1400 exts.AddBytes(m.ech) 1401 }) 1402 } 1403 default: 1404 if extension.Negotiate(typeServerHello) { 1405 exts.AddUint16(extension.ExtensionId()) 1406 exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1407 extension.Marshal(typeServerHello, exts) 1408 }) 1409 } 1410 } 1411 } 1412 1413 extBytes, err := exts.Bytes() 1414 if err != nil { 1415 return nil, err 1416 } 1417 1418 var b cryptobyte.Builder 1419 b.AddUint8(typeServerHello) 1420 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1421 b.AddUint16(m.vers) 1422 addBytesWithLength(b, m.random, 32) 1423 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1424 b.AddBytes(m.sessionId) 1425 }) 1426 b.AddUint16(m.cipherSuite) 1427 b.AddUint8(m.compressionMethod) 1428 1429 if len(extBytes) > 0 { 1430 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1431 b.AddBytes(extBytes) 1432 }) 1433 } 1434 }) 1435 1436 m.raw, err = b.Bytes() 1437 return m.raw, err 1438 } 1439 1440 func (m *serverHelloMsg) unmarshal(data []byte) bool { 1441 *m = serverHelloMsg{raw: data} 1442 s := cryptobyte.String(data) 1443 1444 if !s.Skip(4) || // message type and uint24 length field 1445 !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || 1446 !readUint8LengthPrefixed(&s, &m.sessionId) || 1447 !s.ReadUint16(&m.cipherSuite) || 1448 !s.ReadUint8(&m.compressionMethod) { 1449 return false 1450 } 1451 1452 if s.Empty() { 1453 // ServerHello is optionally followed by extension data 1454 return true 1455 } 1456 1457 var extensions cryptobyte.String 1458 if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 1459 return false 1460 } 1461 1462 seenExts := make(map[uint16]bool) 1463 for !extensions.Empty() { 1464 var extension uint16 1465 var extData cryptobyte.String 1466 if !extensions.ReadUint16(&extension) || 1467 !extensions.ReadUint16LengthPrefixed(&extData) { 1468 return false 1469 } 1470 1471 if seenExts[extension] { 1472 return false 1473 } 1474 seenExts[extension] = true 1475 1476 switch extension { 1477 case extensionStatusRequest: 1478 m.ocspStapling = true 1479 m.extensions = append(m.extensions, &StatusRequestExtension{}) 1480 case extensionSessionTicket: 1481 m.ticketSupported = true 1482 m.extensions = append(m.extensions, &SessionTicketExtension{}) 1483 case extensionRenegotiationInfo: 1484 if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { 1485 return false 1486 } 1487 m.secureRenegotiationSupported = true 1488 m.extensions = append(m.extensions, &RenegotiationInfoExtension{}) 1489 case extensionExtendedMasterSecret: 1490 m.extendedMasterSecret = true 1491 m.extensions = append(m.extensions, &ExtendedMasterSecretExtension{}) 1492 case extensionALPN: 1493 var protoList cryptobyte.String 1494 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1495 return false 1496 } 1497 var proto cryptobyte.String 1498 if !protoList.ReadUint8LengthPrefixed(&proto) || 1499 proto.Empty() || !protoList.Empty() { 1500 return false 1501 } 1502 m.alpnProtocol = string(proto) 1503 m.extensions = append(m.extensions, &ALPNExtension{}) 1504 case extensionSCT: 1505 var sctList cryptobyte.String 1506 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 1507 return false 1508 } 1509 for !sctList.Empty() { 1510 var sct []byte 1511 if !readUint16LengthPrefixed(&sctList, &sct) || 1512 len(sct) == 0 { 1513 return false 1514 } 1515 m.scts = append(m.scts, sct) 1516 } 1517 m.extensions = append(m.extensions, &SCTExtension{}) 1518 case extensionSupportedVersions: 1519 if !extData.ReadUint16(&m.supportedVersion) { 1520 return false 1521 } 1522 m.extensions = append(m.extensions, &SupportedVersionsExtension{}) 1523 case extensionCookie: 1524 if !readUint16LengthPrefixed(&extData, &m.cookie) || 1525 len(m.cookie) == 0 { 1526 return false 1527 } 1528 m.extensions = append(m.extensions, &CookieExtension{}) 1529 case extensionKeyShare: 1530 // This extension has different formats in SH and HRR, accept either 1531 // and let the handshake logic decide. See RFC 8446, Section 4.2.8. 1532 if len(extData) == 2 { 1533 if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { 1534 return false 1535 } 1536 } else { 1537 if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || 1538 !readUint16LengthPrefixed(&extData, &m.serverShare.data) { 1539 return false 1540 } 1541 } 1542 m.extensions = append(m.extensions, &KeyShareExtension{}) 1543 case extensionPreSharedKey: 1544 m.selectedIdentityPresent = true 1545 if !extData.ReadUint16(&m.selectedIdentity) { 1546 return false 1547 } 1548 m.extensions = append(m.extensions, &PreSharedKeyExtension{}) 1549 case extensionSupportedPoints: 1550 // RFC 4492, Section 5.1.2 1551 if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || 1552 len(m.supportedPoints) == 0 { 1553 return false 1554 } 1555 m.extensions = append(m.extensions, &SupportedPointsExtension{}) 1556 case extensionECH: 1557 // draft-ietf-tls-esni-13, "encrypted_client_hello" 1558 if len(extData) == 0 || 1559 !extData.ReadBytes(&m.ech, len(extData)) { 1560 return false 1561 } 1562 m.extensions = append(m.extensions, &EncryptedClientHelloExtension{}) 1563 default: 1564 var ext Extension 1565 1566 switch { 1567 case IsGREASE(extension): 1568 ext = &GREASEExtension{Id: extension} 1569 default: 1570 ext = &UnimplementedExtension{Id: extension} 1571 } 1572 1573 if !ext.Unmarshal(typeServerHello, extData) { 1574 return false 1575 } 1576 1577 m.extensions = append(m.extensions, ext) 1578 continue 1579 } 1580 1581 if !extData.Empty() { 1582 return false 1583 } 1584 } 1585 1586 return true 1587 } 1588 1589 type encryptedExtensionsMsg struct { 1590 raw []byte 1591 alpnProtocol string 1592 alps bool 1593 alpnSetting []byte 1594 quicTransportParameters []byte 1595 earlyData bool 1596 ech []byte 1597 1598 extensions []Extension 1599 } 1600 1601 func (m *encryptedExtensionsMsg) marshal() ([]byte, error) { 1602 if m.raw != nil { 1603 return m.raw, nil 1604 } 1605 1606 var b cryptobyte.Builder 1607 b.AddUint8(typeEncryptedExtensions) 1608 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1609 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1610 for _, extension := range m.extensions { 1611 switch extension.(type) { 1612 case nil: 1613 case *ALPNExtension: 1614 if len(m.alpnProtocol) > 0 { 1615 b.AddUint16(extensionALPN) 1616 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1617 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1618 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1619 b.AddBytes([]byte(m.alpnProtocol)) 1620 }) 1621 }) 1622 }) 1623 } 1624 case *ALPSExtension: 1625 if m.alps { 1626 b.AddUint16(extensionALPS) 1627 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1628 b.AddBytes([]byte(m.alpnSetting)) 1629 }) 1630 } 1631 case *EarlyExtension: 1632 if m.earlyData { 1633 // RFC 8446, Section 4.2.10 1634 b.AddUint16(extensionEarlyData) 1635 b.AddUint16(0) // empty extension_data 1636 } 1637 case *EncryptedClientHelloExtension: 1638 if len(m.ech) > 0 { 1639 // draft-ietf-tls-esni-13, "encrypted_client_hello" 1640 b.AddUint16(extensionECH) 1641 b.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { 1642 exts.AddBytes(m.ech) 1643 }) 1644 } 1645 case *QUICTransportParametersExtension: 1646 if m.quicTransportParameters != nil { // marshal zero-length parameters when present 1647 // draft-ietf-quic-tls-32, Section 8.2 1648 b.AddUint16(extensionQUICTransportParameters) 1649 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1650 b.AddBytes(m.quicTransportParameters) 1651 }) 1652 } 1653 default: 1654 if extension.Negotiate(typeEncryptedExtensions) { 1655 b.AddUint16(extension.ExtensionId()) 1656 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1657 extension.Marshal(typeEncryptedExtensions, b) 1658 }) 1659 } 1660 } 1661 } 1662 }) 1663 }) 1664 1665 var err error 1666 m.raw, err = b.Bytes() 1667 return m.raw, err 1668 } 1669 1670 func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1671 *m = encryptedExtensionsMsg{raw: data} 1672 s := cryptobyte.String(data) 1673 1674 var extensions cryptobyte.String 1675 if !s.Skip(4) || // message type and uint24 length field 1676 !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { 1677 return false 1678 } 1679 1680 for !extensions.Empty() { 1681 var extension uint16 1682 var extData cryptobyte.String 1683 if !extensions.ReadUint16(&extension) || 1684 !extensions.ReadUint16LengthPrefixed(&extData) { 1685 return false 1686 } 1687 1688 switch extension { 1689 case extensionALPN: 1690 var protoList cryptobyte.String 1691 if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { 1692 return false 1693 } 1694 var proto cryptobyte.String 1695 if !protoList.ReadUint8LengthPrefixed(&proto) || 1696 proto.Empty() || !protoList.Empty() { 1697 return false 1698 } 1699 m.alpnProtocol = string(proto) 1700 m.extensions = append(m.extensions, &ALPNExtension{}) 1701 case extensionALPS: 1702 m.alps = true 1703 m.alpnSetting = extData 1704 m.extensions = append(m.extensions, &ALPSExtension{}) 1705 continue 1706 case extensionEarlyData: 1707 m.earlyData = true 1708 m.extensions = append(m.extensions, &EarlyExtension{}) 1709 case extensionECH: 1710 // draft-ietf-tls-esni-13, "encrypted_client_hello" 1711 if len(extData) == 0 || 1712 !extData.ReadBytes(&m.ech, len(extData)) { 1713 return false 1714 } 1715 m.extensions = append(m.extensions, &EncryptedClientHelloExtension{}) 1716 case extensionQUICTransportParameters: 1717 m.quicTransportParameters = make([]byte, len(extData)) 1718 if !extData.CopyBytes(m.quicTransportParameters) { 1719 return false 1720 } 1721 m.extensions = append(m.extensions, &QUICTransportParametersExtension{}) 1722 default: 1723 var ext Extension 1724 1725 switch { 1726 case IsGREASE(extension): 1727 ext = &GREASEExtension{Id: extension} 1728 default: 1729 ext = &UnimplementedExtension{Id: extension} 1730 } 1731 1732 if !ext.Unmarshal(typeEncryptedExtensions, extData) { 1733 return false 1734 } 1735 1736 m.extensions = append(m.extensions, ext) 1737 continue 1738 } 1739 1740 if !extData.Empty() { 1741 return false 1742 } 1743 } 1744 1745 return true 1746 } 1747 1748 type endOfEarlyDataMsg struct { 1749 raw []byte 1750 } 1751 1752 func (m *endOfEarlyDataMsg) marshal() ([]byte, error) { 1753 if m.raw != nil { 1754 return m.raw, nil 1755 } 1756 1757 var b cryptobyte.Builder 1758 b.AddUint8(typeEndOfEarlyData) 1759 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {}) 1760 1761 var err error 1762 m.raw, err = b.Bytes() 1763 return m.raw, err 1764 } 1765 1766 func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { 1767 m.raw = data 1768 s := cryptobyte.String(data) 1769 1770 if !s.Skip(4) { // message type and uint24 length field 1771 return false 1772 } 1773 return s.Empty() 1774 } 1775 1776 type keyUpdateMsg struct { 1777 raw []byte 1778 updateRequested bool 1779 } 1780 1781 func (m *keyUpdateMsg) marshal() ([]byte, error) { 1782 if m.raw != nil { 1783 return m.raw, nil 1784 } 1785 1786 var b cryptobyte.Builder 1787 b.AddUint8(typeKeyUpdate) 1788 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1789 if m.updateRequested { 1790 b.AddUint8(1) 1791 } else { 1792 b.AddUint8(0) 1793 } 1794 }) 1795 1796 var err error 1797 m.raw, err = b.Bytes() 1798 return m.raw, err 1799 } 1800 1801 func (m *keyUpdateMsg) unmarshal(data []byte) bool { 1802 m.raw = data 1803 s := cryptobyte.String(data) 1804 1805 var updateRequested uint8 1806 if !s.Skip(4) || // message type and uint24 length field 1807 !s.ReadUint8(&updateRequested) || !s.Empty() { 1808 return false 1809 } 1810 switch updateRequested { 1811 case 0: 1812 m.updateRequested = false 1813 case 1: 1814 m.updateRequested = true 1815 default: 1816 return false 1817 } 1818 return true 1819 } 1820 1821 type newSessionTicketMsgTLS13 struct { 1822 raw []byte 1823 lifetime uint32 1824 ageAdd uint32 1825 nonce []byte 1826 label []byte 1827 maxEarlyData uint32 1828 } 1829 1830 func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) { 1831 if m.raw != nil { 1832 return m.raw, nil 1833 } 1834 1835 var b cryptobyte.Builder 1836 b.AddUint8(typeNewSessionTicket) 1837 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1838 b.AddUint32(m.lifetime) 1839 b.AddUint32(m.ageAdd) 1840 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 1841 b.AddBytes(m.nonce) 1842 }) 1843 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1844 b.AddBytes(m.label) 1845 }) 1846 1847 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1848 if m.maxEarlyData > 0 { 1849 b.AddUint16(extensionEarlyData) 1850 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1851 b.AddUint32(m.maxEarlyData) 1852 }) 1853 } 1854 }) 1855 }) 1856 1857 var err error 1858 m.raw, err = b.Bytes() 1859 return m.raw, err 1860 } 1861 1862 func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { 1863 *m = newSessionTicketMsgTLS13{raw: data} 1864 s := cryptobyte.String(data) 1865 1866 var extensions cryptobyte.String 1867 if !s.Skip(4) || // message type and uint24 length field 1868 !s.ReadUint32(&m.lifetime) || 1869 !s.ReadUint32(&m.ageAdd) || 1870 !readUint8LengthPrefixed(&s, &m.nonce) || 1871 !readUint16LengthPrefixed(&s, &m.label) || 1872 !s.ReadUint16LengthPrefixed(&extensions) || 1873 !s.Empty() { 1874 return false 1875 } 1876 1877 for !extensions.Empty() { 1878 var extension uint16 1879 var extData cryptobyte.String 1880 if !extensions.ReadUint16(&extension) || 1881 !extensions.ReadUint16LengthPrefixed(&extData) { 1882 return false 1883 } 1884 1885 switch extension { 1886 case extensionEarlyData: 1887 if !extData.ReadUint32(&m.maxEarlyData) { 1888 return false 1889 } 1890 default: 1891 // Ignore unknown extensions. 1892 continue 1893 } 1894 1895 if !extData.Empty() { 1896 return false 1897 } 1898 } 1899 1900 return true 1901 } 1902 1903 type certificateRequestMsgTLS13 struct { 1904 raw []byte 1905 ocspStapling bool 1906 scts bool 1907 supportedSignatureAlgorithms []SignatureScheme 1908 supportedSignatureAlgorithmsCert []SignatureScheme 1909 certificateAuthorities [][]byte 1910 } 1911 1912 func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) { 1913 if m.raw != nil { 1914 return m.raw, nil 1915 } 1916 1917 var b cryptobyte.Builder 1918 b.AddUint8(typeCertificateRequest) 1919 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 1920 // certificate_request_context (SHALL be zero length unless used for 1921 // post-handshake authentication) 1922 b.AddUint8(0) 1923 1924 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1925 if m.ocspStapling { 1926 b.AddUint16(extensionStatusRequest) 1927 b.AddUint16(0) // empty extension_data 1928 } 1929 if m.scts { 1930 // RFC 8446, Section 4.4.2.1 makes no mention of 1931 // signed_certificate_timestamp in CertificateRequest, but 1932 // "Extensions in the Certificate message from the client MUST 1933 // correspond to extensions in the CertificateRequest message 1934 // from the server." and it appears in the table in Section 4.2. 1935 b.AddUint16(extensionSCT) 1936 b.AddUint16(0) // empty extension_data 1937 } 1938 if len(m.supportedSignatureAlgorithms) > 0 { 1939 b.AddUint16(extensionSignatureAlgorithms) 1940 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1941 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1942 for _, sigAlgo := range m.supportedSignatureAlgorithms { 1943 b.AddUint16(uint16(sigAlgo)) 1944 } 1945 }) 1946 }) 1947 } 1948 if len(m.supportedSignatureAlgorithmsCert) > 0 { 1949 b.AddUint16(extensionSignatureAlgorithmsCert) 1950 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1951 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1952 for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { 1953 b.AddUint16(uint16(sigAlgo)) 1954 } 1955 }) 1956 }) 1957 } 1958 if len(m.certificateAuthorities) > 0 { 1959 b.AddUint16(extensionCertificateAuthorities) 1960 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1961 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1962 for _, ca := range m.certificateAuthorities { 1963 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 1964 b.AddBytes(ca) 1965 }) 1966 } 1967 }) 1968 }) 1969 } 1970 }) 1971 }) 1972 1973 var err error 1974 m.raw, err = b.Bytes() 1975 return m.raw, err 1976 } 1977 1978 func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { 1979 *m = certificateRequestMsgTLS13{raw: data} 1980 s := cryptobyte.String(data) 1981 1982 var context, extensions cryptobyte.String 1983 if !s.Skip(4) || // message type and uint24 length field 1984 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 1985 !s.ReadUint16LengthPrefixed(&extensions) || 1986 !s.Empty() { 1987 return false 1988 } 1989 1990 for !extensions.Empty() { 1991 var extension uint16 1992 var extData cryptobyte.String 1993 if !extensions.ReadUint16(&extension) || 1994 !extensions.ReadUint16LengthPrefixed(&extData) { 1995 return false 1996 } 1997 1998 switch extension { 1999 case extensionStatusRequest: 2000 m.ocspStapling = true 2001 case extensionSCT: 2002 m.scts = true 2003 case extensionSignatureAlgorithms: 2004 var sigAndAlgs cryptobyte.String 2005 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 2006 return false 2007 } 2008 for !sigAndAlgs.Empty() { 2009 var sigAndAlg uint16 2010 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 2011 return false 2012 } 2013 m.supportedSignatureAlgorithms = append( 2014 m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) 2015 } 2016 case extensionSignatureAlgorithmsCert: 2017 var sigAndAlgs cryptobyte.String 2018 if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { 2019 return false 2020 } 2021 for !sigAndAlgs.Empty() { 2022 var sigAndAlg uint16 2023 if !sigAndAlgs.ReadUint16(&sigAndAlg) { 2024 return false 2025 } 2026 m.supportedSignatureAlgorithmsCert = append( 2027 m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) 2028 } 2029 case extensionCertificateAuthorities: 2030 var auths cryptobyte.String 2031 if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { 2032 return false 2033 } 2034 for !auths.Empty() { 2035 var ca []byte 2036 if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { 2037 return false 2038 } 2039 m.certificateAuthorities = append(m.certificateAuthorities, ca) 2040 } 2041 default: 2042 // Ignore unknown extensions. 2043 continue 2044 } 2045 2046 if !extData.Empty() { 2047 return false 2048 } 2049 } 2050 2051 return true 2052 } 2053 2054 type certificateMsg struct { 2055 raw []byte 2056 certificates [][]byte 2057 } 2058 2059 func (m *certificateMsg) marshal() ([]byte, error) { 2060 if m.raw != nil { 2061 return m.raw, nil 2062 } 2063 2064 var i int 2065 for _, slice := range m.certificates { 2066 i += len(slice) 2067 } 2068 2069 length := 3 + 3*len(m.certificates) + i 2070 x := make([]byte, 4+length) 2071 x[0] = typeCertificate 2072 x[1] = uint8(length >> 16) 2073 x[2] = uint8(length >> 8) 2074 x[3] = uint8(length) 2075 2076 certificateOctets := length - 3 2077 x[4] = uint8(certificateOctets >> 16) 2078 x[5] = uint8(certificateOctets >> 8) 2079 x[6] = uint8(certificateOctets) 2080 2081 y := x[7:] 2082 for _, slice := range m.certificates { 2083 y[0] = uint8(len(slice) >> 16) 2084 y[1] = uint8(len(slice) >> 8) 2085 y[2] = uint8(len(slice)) 2086 copy(y[3:], slice) 2087 y = y[3+len(slice):] 2088 } 2089 2090 m.raw = x 2091 return m.raw, nil 2092 } 2093 2094 func (m *certificateMsg) unmarshal(data []byte) bool { 2095 if len(data) < 7 { 2096 return false 2097 } 2098 2099 m.raw = data 2100 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 2101 if uint32(len(data)) != certsLen+7 { 2102 return false 2103 } 2104 2105 numCerts := 0 2106 d := data[7:] 2107 for certsLen > 0 { 2108 if len(d) < 4 { 2109 return false 2110 } 2111 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 2112 if uint32(len(d)) < 3+certLen { 2113 return false 2114 } 2115 d = d[3+certLen:] 2116 certsLen -= 3 + certLen 2117 numCerts++ 2118 } 2119 2120 m.certificates = make([][]byte, numCerts) 2121 d = data[7:] 2122 for i := 0; i < numCerts; i++ { 2123 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 2124 m.certificates[i] = d[3 : 3+certLen] 2125 d = d[3+certLen:] 2126 } 2127 2128 return true 2129 } 2130 2131 type certificateMsgTLS13 struct { 2132 raw []byte 2133 certificate Certificate 2134 ocspStapling bool 2135 scts bool 2136 } 2137 2138 func (m *certificateMsgTLS13) marshal() ([]byte, error) { 2139 if m.raw != nil { 2140 return m.raw, nil 2141 } 2142 2143 var b cryptobyte.Builder 2144 b.AddUint8(typeCertificate) 2145 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2146 b.AddUint8(0) // certificate_request_context 2147 2148 certificate := m.certificate 2149 if !m.ocspStapling { 2150 certificate.OCSPStaple = nil 2151 } 2152 if !m.scts { 2153 certificate.SignedCertificateTimestamps = nil 2154 } 2155 marshalCertificate(b, certificate) 2156 }) 2157 2158 var err error 2159 m.raw, err = b.Bytes() 2160 return m.raw, err 2161 } 2162 2163 func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { 2164 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2165 for i, cert := range certificate.Certificate { 2166 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2167 b.AddBytes(cert) 2168 }) 2169 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2170 if i > 0 { 2171 // This library only supports OCSP and SCT for leaf certificates. 2172 return 2173 } 2174 if certificate.OCSPStaple != nil { 2175 b.AddUint16(extensionStatusRequest) 2176 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2177 b.AddUint8(statusTypeOCSP) 2178 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2179 b.AddBytes(certificate.OCSPStaple) 2180 }) 2181 }) 2182 } 2183 if certificate.SignedCertificateTimestamps != nil { 2184 b.AddUint16(extensionSCT) 2185 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2186 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2187 for _, sct := range certificate.SignedCertificateTimestamps { 2188 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2189 b.AddBytes(sct) 2190 }) 2191 } 2192 }) 2193 }) 2194 } 2195 }) 2196 } 2197 }) 2198 } 2199 2200 func (m *certificateMsgTLS13) unmarshal(data []byte) bool { 2201 *m = certificateMsgTLS13{raw: data} 2202 s := cryptobyte.String(data) 2203 2204 var context cryptobyte.String 2205 if !s.Skip(4) || // message type and uint24 length field 2206 !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || 2207 !unmarshalCertificate(&s, &m.certificate) || 2208 !s.Empty() { 2209 return false 2210 } 2211 2212 m.scts = m.certificate.SignedCertificateTimestamps != nil 2213 m.ocspStapling = m.certificate.OCSPStaple != nil 2214 2215 return true 2216 } 2217 2218 func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { 2219 var certList cryptobyte.String 2220 if !s.ReadUint24LengthPrefixed(&certList) { 2221 return false 2222 } 2223 for !certList.Empty() { 2224 var cert []byte 2225 var extensions cryptobyte.String 2226 if !readUint24LengthPrefixed(&certList, &cert) || 2227 !certList.ReadUint16LengthPrefixed(&extensions) { 2228 return false 2229 } 2230 certificate.Certificate = append(certificate.Certificate, cert) 2231 for !extensions.Empty() { 2232 var extension uint16 2233 var extData cryptobyte.String 2234 if !extensions.ReadUint16(&extension) || 2235 !extensions.ReadUint16LengthPrefixed(&extData) { 2236 return false 2237 } 2238 if len(certificate.Certificate) > 1 { 2239 // This library only supports OCSP and SCT for leaf certificates. 2240 continue 2241 } 2242 2243 switch extension { 2244 case extensionStatusRequest: 2245 var statusType uint8 2246 if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || 2247 !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || 2248 len(certificate.OCSPStaple) == 0 { 2249 return false 2250 } 2251 case extensionSCT: 2252 var sctList cryptobyte.String 2253 if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { 2254 return false 2255 } 2256 for !sctList.Empty() { 2257 var sct []byte 2258 if !readUint16LengthPrefixed(&sctList, &sct) || 2259 len(sct) == 0 { 2260 return false 2261 } 2262 certificate.SignedCertificateTimestamps = append( 2263 certificate.SignedCertificateTimestamps, sct) 2264 } 2265 default: 2266 // Ignore unknown extensions. 2267 continue 2268 } 2269 2270 if !extData.Empty() { 2271 return false 2272 } 2273 } 2274 } 2275 return true 2276 } 2277 2278 type compressedCertificateMsg struct { 2279 raw []byte 2280 2281 algorithm uint16 2282 uncompressedLength uint32 // uint24 2283 compressedCertificateMessage []byte 2284 } 2285 2286 func (m *compressedCertificateMsg) marshal() ([]byte, error) { 2287 if m.raw != nil { 2288 return m.raw, nil 2289 } 2290 2291 var b cryptobyte.Builder 2292 b.AddUint8(typeCompressedCertificate) 2293 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2294 b.AddUint16(m.algorithm) 2295 b.AddUint24(m.uncompressedLength) 2296 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2297 b.AddBytes(m.compressedCertificateMessage) 2298 }) 2299 }) 2300 2301 var err error 2302 m.raw, err = b.Bytes() 2303 return m.raw, err 2304 } 2305 2306 func (m *compressedCertificateMsg) unmarshal(data []byte) bool { 2307 *m = compressedCertificateMsg{raw: data} 2308 s := cryptobyte.String(data) 2309 2310 if !s.Skip(4) || // message type and uint24 length field 2311 !s.ReadUint16(&m.algorithm) || 2312 !s.ReadUint24(&m.uncompressedLength) || 2313 !readUint24LengthPrefixed(&s, &m.compressedCertificateMessage) { 2314 return false 2315 } 2316 return true 2317 } 2318 2319 type serverKeyExchangeMsg struct { 2320 raw []byte 2321 key []byte 2322 } 2323 2324 func (m *serverKeyExchangeMsg) marshal() ([]byte, error) { 2325 if m.raw != nil { 2326 return m.raw, nil 2327 } 2328 2329 var b cryptobyte.Builder 2330 b.AddUint8(typeServerKeyExchange) 2331 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2332 b.AddBytes(m.key) 2333 }) 2334 2335 var err error 2336 m.raw, err = b.Bytes() 2337 return m.raw, err 2338 } 2339 2340 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 2341 m.raw = data 2342 s := cryptobyte.String(data) 2343 2344 if !s.Skip(1) { // message type 2345 return false 2346 } 2347 return readUint24LengthPrefixed(&s, &m.key) && s.Empty() 2348 } 2349 2350 type certificateStatusMsg struct { 2351 raw []byte 2352 response []byte 2353 } 2354 2355 func (m *certificateStatusMsg) marshal() ([]byte, error) { 2356 if m.raw != nil { 2357 return m.raw, nil 2358 } 2359 2360 var b cryptobyte.Builder 2361 b.AddUint8(typeCertificateStatus) 2362 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2363 b.AddUint8(statusTypeOCSP) 2364 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2365 b.AddBytes(m.response) 2366 }) 2367 }) 2368 2369 var err error 2370 m.raw, err = b.Bytes() 2371 return m.raw, err 2372 } 2373 2374 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 2375 m.raw = data 2376 s := cryptobyte.String(data) 2377 2378 var statusType uint8 2379 if !s.Skip(4) || // message type and uint24 length field 2380 !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || 2381 !readUint24LengthPrefixed(&s, &m.response) || 2382 len(m.response) == 0 || !s.Empty() { 2383 return false 2384 } 2385 return true 2386 } 2387 2388 type serverHelloDoneMsg struct { 2389 raw []byte 2390 } 2391 2392 func (m *serverHelloDoneMsg) marshal() ([]byte, error) { 2393 if m.raw != nil { 2394 return m.raw, nil 2395 } 2396 2397 var b cryptobyte.Builder 2398 b.AddUint8(typeServerHelloDone) 2399 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {}) 2400 2401 var err error 2402 m.raw, err = b.Bytes() 2403 return m.raw, err 2404 } 2405 2406 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 2407 m.raw = data 2408 s := cryptobyte.String(data) 2409 2410 if !s.Skip(4) { // message type and uint24 length field 2411 return false 2412 } 2413 return s.Empty() 2414 } 2415 2416 type clientKeyExchangeMsg struct { 2417 raw []byte 2418 ciphertext []byte 2419 } 2420 2421 func (m *clientKeyExchangeMsg) marshal() ([]byte, error) { 2422 if m.raw != nil { 2423 return m.raw, nil 2424 } 2425 2426 var b cryptobyte.Builder 2427 b.AddUint8(typeClientKeyExchange) 2428 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2429 b.AddBytes(m.ciphertext) 2430 }) 2431 2432 var err error 2433 m.raw, err = b.Bytes() 2434 return m.raw, err 2435 } 2436 2437 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 2438 m.raw = data 2439 s := cryptobyte.String(data) 2440 2441 if !s.Skip(1) { // message type 2442 return false 2443 } 2444 return readUint24LengthPrefixed(&s, &m.ciphertext) && s.Empty() 2445 } 2446 2447 type finishedMsg struct { 2448 raw []byte 2449 verifyData []byte 2450 } 2451 2452 func (m *finishedMsg) marshal() ([]byte, error) { 2453 if m.raw != nil { 2454 return m.raw, nil 2455 } 2456 2457 var b cryptobyte.Builder 2458 b.AddUint8(typeFinished) 2459 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2460 b.AddBytes(m.verifyData) 2461 }) 2462 2463 var err error 2464 m.raw, err = b.Bytes() 2465 return m.raw, err 2466 } 2467 2468 func (m *finishedMsg) unmarshal(data []byte) bool { 2469 m.raw = data 2470 s := cryptobyte.String(data) 2471 return s.Skip(1) && 2472 readUint24LengthPrefixed(&s, &m.verifyData) && 2473 s.Empty() 2474 } 2475 2476 type certificateRequestMsg struct { 2477 raw []byte 2478 // hasSignatureAlgorithm indicates whether this message includes a list of 2479 // supported signature algorithms. This change was introduced with TLS 1.2. 2480 hasSignatureAlgorithm bool 2481 2482 certificateTypes []byte 2483 supportedSignatureAlgorithms []SignatureScheme 2484 certificateAuthorities [][]byte 2485 } 2486 2487 func (m *certificateRequestMsg) marshal() ([]byte, error) { 2488 if m.raw != nil { 2489 return m.raw, nil 2490 } 2491 2492 // See RFC 4346, Section 7.4.4. 2493 var b cryptobyte.Builder 2494 b.AddUint8(typeCertificateRequest) 2495 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2496 b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { 2497 b.AddBytes(m.certificateTypes) 2498 }) 2499 2500 if m.hasSignatureAlgorithm { 2501 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2502 for _, sigAlgo := range m.supportedSignatureAlgorithms { 2503 b.AddUint16(uint16(sigAlgo)) 2504 } 2505 }) 2506 } 2507 2508 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2509 for _, ca := range m.certificateAuthorities { 2510 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2511 b.AddBytes(ca) 2512 }) 2513 } 2514 }) 2515 }) 2516 2517 var err error 2518 m.raw, err = b.Bytes() 2519 return m.raw, err 2520 } 2521 2522 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 2523 m.raw = data 2524 s := cryptobyte.String(data) 2525 2526 if !s.Skip(4) { // message type and uint24 length field 2527 return false 2528 } 2529 2530 if !readUint8LengthPrefixed(&s, &m.certificateTypes) { 2531 return false 2532 } 2533 2534 if m.hasSignatureAlgorithm { 2535 var sigAlgoList cryptobyte.String 2536 if !s.ReadUint16LengthPrefixed(&sigAlgoList) || sigAlgoList.Empty() { 2537 return false 2538 } 2539 2540 for !sigAlgoList.Empty() { 2541 var sigAlgo uint16 2542 if !sigAlgoList.ReadUint16(&sigAlgo) { 2543 return false 2544 } 2545 m.supportedSignatureAlgorithms = append(m.supportedSignatureAlgorithms, SignatureScheme(sigAlgo)) 2546 } 2547 } 2548 2549 var caList cryptobyte.String 2550 if !s.ReadUint16LengthPrefixed(&caList) { 2551 return false 2552 } 2553 2554 m.certificateAuthorities = nil 2555 for !caList.Empty() { 2556 var ca []byte 2557 if !readUint16LengthPrefixed(&caList, &ca) { 2558 return false 2559 } 2560 m.certificateAuthorities = append(m.certificateAuthorities, ca) 2561 } 2562 return s.Empty() 2563 } 2564 2565 type certificateVerifyMsg struct { 2566 raw []byte 2567 hasSignatureAlgorithm bool // format change introduced in TLS 1.2 2568 signatureAlgorithm SignatureScheme 2569 signature []byte 2570 } 2571 2572 func (m *certificateVerifyMsg) marshal() ([]byte, error) { 2573 if m.raw != nil { 2574 return m.raw, nil 2575 } 2576 2577 var b cryptobyte.Builder 2578 b.AddUint8(typeCertificateVerify) 2579 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2580 if m.hasSignatureAlgorithm { 2581 b.AddUint16(uint16(m.signatureAlgorithm)) 2582 } 2583 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2584 b.AddBytes(m.signature) 2585 }) 2586 }) 2587 2588 var err error 2589 m.raw, err = b.Bytes() 2590 return m.raw, err 2591 } 2592 2593 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2594 m.raw = data 2595 s := cryptobyte.String(data) 2596 2597 if !s.Skip(4) { // message type and uint24 length field 2598 return false 2599 } 2600 if m.hasSignatureAlgorithm { 2601 if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { 2602 return false 2603 } 2604 } 2605 return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() 2606 } 2607 2608 type newSessionTicketMsg struct { 2609 raw []byte 2610 ticket []byte 2611 } 2612 2613 func (m *newSessionTicketMsg) marshal() ([]byte, error) { 2614 if m.raw != nil { 2615 return m.raw, nil 2616 } 2617 2618 // See RFC 5077, Section 3.3. 2619 var b cryptobyte.Builder 2620 b.AddUint8(typeNewSessionTicket) 2621 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { 2622 b.AddUint32(0) 2623 b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { 2624 b.AddBytes(m.ticket) 2625 }) 2626 }) 2627 2628 var err error 2629 m.raw, err = b.Bytes() 2630 return m.raw, err 2631 } 2632 2633 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2634 m.raw = data 2635 s := cryptobyte.String(data) 2636 2637 if !s.Skip(4) { // message type and uint24 length field 2638 return false 2639 } 2640 2641 if !s.Skip(4) { 2642 return false 2643 } 2644 return readUint16LengthPrefixed(&s, &m.ticket) && s.Empty() 2645 } 2646 2647 type helloRequestMsg struct { 2648 raw []byte 2649 } 2650 2651 func (m *helloRequestMsg) marshal() ([]byte, error) { 2652 if m.raw != nil { 2653 return m.raw, nil 2654 } 2655 2656 var b cryptobyte.Builder 2657 b.AddUint8(typeHelloRequest) 2658 b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {}) 2659 2660 var err error 2661 m.raw, err = b.Bytes() 2662 return m.raw, err 2663 } 2664 2665 func (m *helloRequestMsg) unmarshal(data []byte) bool { 2666 m.raw = data 2667 s := cryptobyte.String(data) 2668 2669 if !s.Skip(4) { // message type and uint24 length field 2670 return false 2671 } 2672 return s.Empty() 2673 } 2674 2675 type transcriptHash interface { 2676 Write([]byte) (int, error) 2677 } 2678 2679 // transcriptMsg is a helper used to marshal and hash messages which typically 2680 // are not written to the wire, and as such aren't hashed during Conn.writeRecord. 2681 func transcriptMsg(msg handshakeMessage, h transcriptHash) error { 2682 data, err := msg.marshal() 2683 if err != nil { 2684 return err 2685 } 2686 h.Write(data) 2687 return nil 2688 }