1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "bytes" 9 "encoding/binary" 10 "fmt" 11) 12 13func writeLen(buf []byte, v, size int) { 14 for i := 0; i < size; i++ { 15 buf[size-i-1] = byte(v) 16 v >>= 8 17 } 18 if v != 0 { 19 panic("length is too long") 20 } 21} 22 23type byteBuilder struct { 24 buf *[]byte 25 start int 26 prefixLen int 27 child *byteBuilder 28} 29 30func newByteBuilder() *byteBuilder { 31 buf := make([]byte, 0, 32) 32 return &byteBuilder{buf: &buf} 33} 34 35func (bb *byteBuilder) len() int { 36 return len(*bb.buf) - bb.start - bb.prefixLen 37} 38 39func (bb *byteBuilder) data() []byte { 40 bb.flush() 41 return (*bb.buf)[bb.start+bb.prefixLen:] 42} 43 44func (bb *byteBuilder) flush() { 45 if bb.child == nil { 46 return 47 } 48 bb.child.flush() 49 writeLen((*bb.buf)[bb.child.start:], bb.child.len(), bb.child.prefixLen) 50 bb.child = nil 51 return 52} 53 54func (bb *byteBuilder) finish() []byte { 55 bb.flush() 56 return *bb.buf 57} 58 59func (bb *byteBuilder) addU8(u uint8) { 60 bb.flush() 61 *bb.buf = append(*bb.buf, u) 62} 63 64func (bb *byteBuilder) addU16(u uint16) { 65 bb.flush() 66 *bb.buf = append(*bb.buf, byte(u>>8), byte(u)) 67} 68 69func (bb *byteBuilder) addU24(u int) { 70 bb.flush() 71 *bb.buf = append(*bb.buf, byte(u>>16), byte(u>>8), byte(u)) 72} 73 74func (bb *byteBuilder) addU32(u uint32) { 75 bb.flush() 76 *bb.buf = append(*bb.buf, byte(u>>24), byte(u>>16), byte(u>>8), byte(u)) 77} 78 79func (bb *byteBuilder) addU64(u uint64) { 80 bb.flush() 81 var b [8]byte 82 binary.BigEndian.PutUint64(b[:], u) 83 *bb.buf = append(*bb.buf, b[:]...) 84} 85 86func (bb *byteBuilder) addU8LengthPrefixed() *byteBuilder { 87 return bb.createChild(1) 88} 89 90func (bb *byteBuilder) addU16LengthPrefixed() *byteBuilder { 91 return bb.createChild(2) 92} 93 94func (bb *byteBuilder) addU24LengthPrefixed() *byteBuilder { 95 return bb.createChild(3) 96} 97 98func (bb *byteBuilder) addU32LengthPrefixed() *byteBuilder { 99 return bb.createChild(4) 100} 101 102func (bb *byteBuilder) addBytes(b []byte) { 103 bb.flush() 104 *bb.buf = append(*bb.buf, b...) 105} 106 107func (bb *byteBuilder) createChild(lengthPrefixSize int) *byteBuilder { 108 bb.flush() 109 bb.child = &byteBuilder{ 110 buf: bb.buf, 111 start: len(*bb.buf), 112 prefixLen: lengthPrefixSize, 113 } 114 for i := 0; i < lengthPrefixSize; i++ { 115 *bb.buf = append(*bb.buf, 0) 116 } 117 return bb.child 118} 119 120func (bb *byteBuilder) discardChild() { 121 if bb.child == nil { 122 return 123 } 124 *bb.buf = (*bb.buf)[:bb.child.start] 125 bb.child = nil 126} 127 128type byteReader []byte 129 130func (br *byteReader) readInternal(out *byteReader, n int) bool { 131 if len(*br) < n { 132 return false 133 } 134 *out = (*br)[:n] 135 *br = (*br)[n:] 136 return true 137} 138 139func (br *byteReader) readBytes(out *[]byte, n int) bool { 140 var child byteReader 141 if !br.readInternal(&child, n) { 142 return false 143 } 144 *out = []byte(child) 145 return true 146} 147 148func (br *byteReader) readUint(out *uint64, n int) bool { 149 var b []byte 150 if !br.readBytes(&b, n) { 151 return false 152 } 153 *out = 0 154 for _, v := range b { 155 *out <<= 8 156 *out |= uint64(v) 157 } 158 return true 159} 160 161func (br *byteReader) readU8(out *uint8) bool { 162 var b []byte 163 if !br.readBytes(&b, 1) { 164 return false 165 } 166 *out = b[0] 167 return true 168} 169 170func (br *byteReader) readU16(out *uint16) bool { 171 var v uint64 172 if !br.readUint(&v, 2) { 173 return false 174 } 175 *out = uint16(v) 176 return true 177} 178 179func (br *byteReader) readU24(out *uint32) bool { 180 var v uint64 181 if !br.readUint(&v, 3) { 182 return false 183 } 184 *out = uint32(v) 185 return true 186} 187 188func (br *byteReader) readU32(out *uint32) bool { 189 var v uint64 190 if !br.readUint(&v, 4) { 191 return false 192 } 193 *out = uint32(v) 194 return true 195} 196 197func (br *byteReader) readU64(out *uint64) bool { 198 return br.readUint(out, 8) 199} 200 201func (br *byteReader) readLengthPrefixed(out *byteReader, n int) bool { 202 var length uint64 203 return br.readUint(&length, n) && 204 uint64(len(*br)) >= length && 205 br.readInternal(out, int(length)) 206} 207 208func (br *byteReader) readLengthPrefixedBytes(out *[]byte, n int) bool { 209 var length uint64 210 return br.readUint(&length, n) && 211 uint64(len(*br)) >= length && 212 br.readBytes(out, int(length)) 213} 214 215func (br *byteReader) readU8LengthPrefixed(out *byteReader) bool { 216 return br.readLengthPrefixed(out, 1) 217} 218func (br *byteReader) readU8LengthPrefixedBytes(out *[]byte) bool { 219 return br.readLengthPrefixedBytes(out, 1) 220} 221 222func (br *byteReader) readU16LengthPrefixed(out *byteReader) bool { 223 return br.readLengthPrefixed(out, 2) 224} 225func (br *byteReader) readU16LengthPrefixedBytes(out *[]byte) bool { 226 return br.readLengthPrefixedBytes(out, 2) 227} 228 229func (br *byteReader) readU24LengthPrefixed(out *byteReader) bool { 230 return br.readLengthPrefixed(out, 3) 231} 232func (br *byteReader) readU24LengthPrefixedBytes(out *[]byte) bool { 233 return br.readLengthPrefixedBytes(out, 3) 234} 235 236func (br *byteReader) readU32LengthPrefixed(out *byteReader) bool { 237 return br.readLengthPrefixed(out, 4) 238} 239func (br *byteReader) readU32LengthPrefixedBytes(out *[]byte) bool { 240 return br.readLengthPrefixedBytes(out, 4) 241} 242 243type keyShareEntry struct { 244 group CurveID 245 keyExchange []byte 246} 247 248type pskIdentity struct { 249 ticket []uint8 250 obfuscatedTicketAge uint32 251} 252 253type clientHelloMsg struct { 254 raw []byte 255 isDTLS bool 256 vers uint16 257 random []byte 258 sessionId []byte 259 cookie []byte 260 cipherSuites []uint16 261 compressionMethods []uint8 262 nextProtoNeg bool 263 serverName string 264 ocspStapling bool 265 supportedCurves []CurveID 266 supportedPoints []uint8 267 hasKeyShares bool 268 keyShares []keyShareEntry 269 keySharesRaw []byte 270 trailingKeyShareData bool 271 pskIdentities []pskIdentity 272 pskKEModes []byte 273 pskBinders [][]uint8 274 hasEarlyData bool 275 tls13Cookie []byte 276 ticketSupported bool 277 sessionTicket []uint8 278 signatureAlgorithms []signatureAlgorithm 279 signatureAlgorithmsCert []signatureAlgorithm 280 supportedVersions []uint16 281 secureRenegotiation []byte 282 alpnProtocols []string 283 quicTransportParams []byte 284 duplicateExtension bool 285 channelIDSupported bool 286 tokenBindingParams []byte 287 tokenBindingVersion uint16 288 npnAfterAlpn bool 289 extendedMasterSecret bool 290 srtpProtectionProfiles []uint16 291 srtpMasterKeyIdentifier string 292 sctListSupported bool 293 customExtension string 294 hasGREASEExtension bool 295 pskBinderFirst bool 296 omitExtensions bool 297 emptyExtensions bool 298 pad int 299 compressedCertAlgs []uint16 300 delegatedCredentials bool 301} 302 303func (m *clientHelloMsg) equal(i interface{}) bool { 304 m1, ok := i.(*clientHelloMsg) 305 if !ok { 306 return false 307 } 308 309 return bytes.Equal(m.raw, m1.raw) && 310 m.isDTLS == m1.isDTLS && 311 m.vers == m1.vers && 312 bytes.Equal(m.random, m1.random) && 313 bytes.Equal(m.sessionId, m1.sessionId) && 314 bytes.Equal(m.cookie, m1.cookie) && 315 eqUint16s(m.cipherSuites, m1.cipherSuites) && 316 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 317 m.nextProtoNeg == m1.nextProtoNeg && 318 m.serverName == m1.serverName && 319 m.ocspStapling == m1.ocspStapling && 320 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 321 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 322 m.hasKeyShares == m1.hasKeyShares && 323 eqKeyShareEntryLists(m.keyShares, m1.keyShares) && 324 m.trailingKeyShareData == m1.trailingKeyShareData && 325 eqPSKIdentityLists(m.pskIdentities, m1.pskIdentities) && 326 bytes.Equal(m.pskKEModes, m1.pskKEModes) && 327 eqByteSlices(m.pskBinders, m1.pskBinders) && 328 m.hasEarlyData == m1.hasEarlyData && 329 bytes.Equal(m.tls13Cookie, m1.tls13Cookie) && 330 m.ticketSupported == m1.ticketSupported && 331 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 332 eqSignatureAlgorithms(m.signatureAlgorithms, m1.signatureAlgorithms) && 333 eqSignatureAlgorithms(m.signatureAlgorithmsCert, m1.signatureAlgorithmsCert) && 334 eqUint16s(m.supportedVersions, m1.supportedVersions) && 335 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 336 (m.secureRenegotiation == nil) == (m1.secureRenegotiation == nil) && 337 eqStrings(m.alpnProtocols, m1.alpnProtocols) && 338 bytes.Equal(m.quicTransportParams, m1.quicTransportParams) && 339 m.duplicateExtension == m1.duplicateExtension && 340 m.channelIDSupported == m1.channelIDSupported && 341 bytes.Equal(m.tokenBindingParams, m1.tokenBindingParams) && 342 m.tokenBindingVersion == m1.tokenBindingVersion && 343 m.npnAfterAlpn == m1.npnAfterAlpn && 344 m.extendedMasterSecret == m1.extendedMasterSecret && 345 eqUint16s(m.srtpProtectionProfiles, m1.srtpProtectionProfiles) && 346 m.srtpMasterKeyIdentifier == m1.srtpMasterKeyIdentifier && 347 m.sctListSupported == m1.sctListSupported && 348 m.customExtension == m1.customExtension && 349 m.hasGREASEExtension == m1.hasGREASEExtension && 350 m.pskBinderFirst == m1.pskBinderFirst && 351 m.omitExtensions == m1.omitExtensions && 352 m.emptyExtensions == m1.emptyExtensions && 353 m.pad == m1.pad && 354 eqUint16s(m.compressedCertAlgs, m1.compressedCertAlgs) && 355 m.delegatedCredentials == m1.delegatedCredentials 356} 357 358func (m *clientHelloMsg) marshalKeyShares(bb *byteBuilder) { 359 keyShares := bb.addU16LengthPrefixed() 360 for _, keyShare := range m.keyShares { 361 keyShares.addU16(uint16(keyShare.group)) 362 keyExchange := keyShares.addU16LengthPrefixed() 363 keyExchange.addBytes(keyShare.keyExchange) 364 } 365 if m.trailingKeyShareData { 366 keyShares.addU8(0) 367 } 368} 369 370func (m *clientHelloMsg) marshal() []byte { 371 if m.raw != nil { 372 return m.raw 373 } 374 375 handshakeMsg := newByteBuilder() 376 handshakeMsg.addU8(typeClientHello) 377 hello := handshakeMsg.addU24LengthPrefixed() 378 hello.addU16(m.vers) 379 hello.addBytes(m.random) 380 sessionId := hello.addU8LengthPrefixed() 381 sessionId.addBytes(m.sessionId) 382 if m.isDTLS { 383 cookie := hello.addU8LengthPrefixed() 384 cookie.addBytes(m.cookie) 385 } 386 cipherSuites := hello.addU16LengthPrefixed() 387 for _, suite := range m.cipherSuites { 388 cipherSuites.addU16(suite) 389 } 390 compressionMethods := hello.addU8LengthPrefixed() 391 compressionMethods.addBytes(m.compressionMethods) 392 393 extensions := hello.addU16LengthPrefixed() 394 if len(m.pskIdentities) > 0 && m.pskBinderFirst { 395 extensions.addU16(extensionPreSharedKey) 396 pskExtension := extensions.addU16LengthPrefixed() 397 398 pskIdentities := pskExtension.addU16LengthPrefixed() 399 for _, psk := range m.pskIdentities { 400 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 401 pskIdentities.addU32(psk.obfuscatedTicketAge) 402 } 403 pskBinders := pskExtension.addU16LengthPrefixed() 404 for _, binder := range m.pskBinders { 405 pskBinders.addU8LengthPrefixed().addBytes(binder) 406 } 407 } 408 if m.duplicateExtension { 409 // Add a duplicate bogus extension at the beginning and end. 410 extensions.addU16(0xffff) 411 extensions.addU16(0) // 0-length for empty extension 412 } 413 if m.nextProtoNeg && !m.npnAfterAlpn { 414 extensions.addU16(extensionNextProtoNeg) 415 extensions.addU16(0) // The length is always 0 416 } 417 if len(m.serverName) > 0 { 418 extensions.addU16(extensionServerName) 419 serverNameList := extensions.addU16LengthPrefixed() 420 421 // RFC 3546, section 3.1 422 // 423 // struct { 424 // NameType name_type; 425 // select (name_type) { 426 // case host_name: HostName; 427 // } name; 428 // } ServerName; 429 // 430 // enum { 431 // host_name(0), (255) 432 // } NameType; 433 // 434 // opaque HostName<1..2^16-1>; 435 // 436 // struct { 437 // ServerName server_name_list<1..2^16-1> 438 // } ServerNameList; 439 440 serverName := serverNameList.addU16LengthPrefixed() 441 serverName.addU8(0) // NameType host_name(0) 442 hostName := serverName.addU16LengthPrefixed() 443 hostName.addBytes([]byte(m.serverName)) 444 } 445 if m.ocspStapling { 446 extensions.addU16(extensionStatusRequest) 447 certificateStatusRequest := extensions.addU16LengthPrefixed() 448 449 // RFC 4366, section 3.6 450 certificateStatusRequest.addU8(1) // OCSP type 451 // Two zero valued uint16s for the two lengths. 452 certificateStatusRequest.addU16(0) // ResponderID length 453 certificateStatusRequest.addU16(0) // Extensions length 454 } 455 if len(m.supportedCurves) > 0 { 456 // http://tools.ietf.org/html/rfc4492#section-5.1.1 457 extensions.addU16(extensionSupportedCurves) 458 supportedCurvesList := extensions.addU16LengthPrefixed() 459 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 460 for _, curve := range m.supportedCurves { 461 supportedCurves.addU16(uint16(curve)) 462 } 463 } 464 if len(m.supportedPoints) > 0 { 465 // http://tools.ietf.org/html/rfc4492#section-5.1.2 466 extensions.addU16(extensionSupportedPoints) 467 supportedPointsList := extensions.addU16LengthPrefixed() 468 supportedPoints := supportedPointsList.addU8LengthPrefixed() 469 supportedPoints.addBytes(m.supportedPoints) 470 } 471 if m.hasKeyShares { 472 extensions.addU16(extensionKeyShare) 473 keyShareList := extensions.addU16LengthPrefixed() 474 m.marshalKeyShares(keyShareList) 475 } 476 if len(m.pskKEModes) > 0 { 477 extensions.addU16(extensionPSKKeyExchangeModes) 478 pskModesExtension := extensions.addU16LengthPrefixed() 479 pskModesExtension.addU8LengthPrefixed().addBytes(m.pskKEModes) 480 } 481 if m.hasEarlyData { 482 extensions.addU16(extensionEarlyData) 483 extensions.addU16(0) // The length is zero. 484 } 485 if len(m.tls13Cookie) > 0 { 486 extensions.addU16(extensionCookie) 487 body := extensions.addU16LengthPrefixed() 488 body.addU16LengthPrefixed().addBytes(m.tls13Cookie) 489 } 490 if m.ticketSupported { 491 // http://tools.ietf.org/html/rfc5077#section-3.2 492 extensions.addU16(extensionSessionTicket) 493 sessionTicketExtension := extensions.addU16LengthPrefixed() 494 sessionTicketExtension.addBytes(m.sessionTicket) 495 } 496 if len(m.signatureAlgorithms) > 0 { 497 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 498 extensions.addU16(extensionSignatureAlgorithms) 499 signatureAlgorithmsExtension := extensions.addU16LengthPrefixed() 500 signatureAlgorithms := signatureAlgorithmsExtension.addU16LengthPrefixed() 501 for _, sigAlg := range m.signatureAlgorithms { 502 signatureAlgorithms.addU16(uint16(sigAlg)) 503 } 504 } 505 if len(m.signatureAlgorithmsCert) > 0 { 506 extensions.addU16(extensionSignatureAlgorithmsCert) 507 signatureAlgorithmsCertExtension := extensions.addU16LengthPrefixed() 508 signatureAlgorithmsCert := signatureAlgorithmsCertExtension.addU16LengthPrefixed() 509 for _, sigAlg := range m.signatureAlgorithmsCert { 510 signatureAlgorithmsCert.addU16(uint16(sigAlg)) 511 } 512 } 513 if len(m.supportedVersions) > 0 { 514 extensions.addU16(extensionSupportedVersions) 515 supportedVersionsExtension := extensions.addU16LengthPrefixed() 516 supportedVersions := supportedVersionsExtension.addU8LengthPrefixed() 517 for _, version := range m.supportedVersions { 518 supportedVersions.addU16(uint16(version)) 519 } 520 } 521 if m.secureRenegotiation != nil { 522 extensions.addU16(extensionRenegotiationInfo) 523 secureRenegoExt := extensions.addU16LengthPrefixed() 524 secureRenego := secureRenegoExt.addU8LengthPrefixed() 525 secureRenego.addBytes(m.secureRenegotiation) 526 } 527 if len(m.alpnProtocols) > 0 { 528 // https://tools.ietf.org/html/rfc7301#section-3.1 529 extensions.addU16(extensionALPN) 530 alpnExtension := extensions.addU16LengthPrefixed() 531 532 protocolNameList := alpnExtension.addU16LengthPrefixed() 533 for _, s := range m.alpnProtocols { 534 protocolName := protocolNameList.addU8LengthPrefixed() 535 protocolName.addBytes([]byte(s)) 536 } 537 } 538 if len(m.quicTransportParams) > 0 { 539 extensions.addU16(extensionQUICTransportParams) 540 params := extensions.addU16LengthPrefixed() 541 params.addBytes(m.quicTransportParams) 542 } 543 if m.channelIDSupported { 544 extensions.addU16(extensionChannelID) 545 extensions.addU16(0) // Length is always 0 546 } 547 if m.tokenBindingParams != nil { 548 extensions.addU16(extensionTokenBinding) 549 tokbindExtension := extensions.addU16LengthPrefixed() 550 tokbindExtension.addU16(m.tokenBindingVersion) 551 tokbindParams := tokbindExtension.addU8LengthPrefixed() 552 tokbindParams.addBytes(m.tokenBindingParams) 553 } 554 if m.nextProtoNeg && m.npnAfterAlpn { 555 extensions.addU16(extensionNextProtoNeg) 556 extensions.addU16(0) // Length is always 0 557 } 558 if m.duplicateExtension { 559 // Add a duplicate bogus extension at the beginning and end. 560 extensions.addU16(0xffff) 561 extensions.addU16(0) 562 } 563 if m.extendedMasterSecret { 564 // https://tools.ietf.org/html/rfc7627 565 extensions.addU16(extensionExtendedMasterSecret) 566 extensions.addU16(0) // Length is always 0 567 } 568 if len(m.srtpProtectionProfiles) > 0 { 569 // https://tools.ietf.org/html/rfc5764#section-4.1.1 570 extensions.addU16(extensionUseSRTP) 571 useSrtpExt := extensions.addU16LengthPrefixed() 572 573 srtpProtectionProfiles := useSrtpExt.addU16LengthPrefixed() 574 for _, p := range m.srtpProtectionProfiles { 575 srtpProtectionProfiles.addU16(p) 576 } 577 srtpMki := useSrtpExt.addU8LengthPrefixed() 578 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 579 } 580 if m.sctListSupported { 581 extensions.addU16(extensionSignedCertificateTimestamp) 582 extensions.addU16(0) // Length is always 0 583 } 584 if l := len(m.customExtension); l > 0 { 585 extensions.addU16(extensionCustom) 586 customExt := extensions.addU16LengthPrefixed() 587 customExt.addBytes([]byte(m.customExtension)) 588 } 589 if len(m.compressedCertAlgs) > 0 { 590 extensions.addU16(extensionCompressedCertAlgs) 591 body := extensions.addU16LengthPrefixed() 592 algIDs := body.addU8LengthPrefixed() 593 for _, v := range m.compressedCertAlgs { 594 algIDs.addU16(v) 595 } 596 } 597 if m.delegatedCredentials { 598 extensions.addU16(extensionDelegatedCredentials) 599 extensions.addU16(0) // Length is always 0 600 } 601 602 // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11 603 if len(m.pskIdentities) > 0 && !m.pskBinderFirst { 604 extensions.addU16(extensionPreSharedKey) 605 pskExtension := extensions.addU16LengthPrefixed() 606 607 pskIdentities := pskExtension.addU16LengthPrefixed() 608 for _, psk := range m.pskIdentities { 609 pskIdentities.addU16LengthPrefixed().addBytes(psk.ticket) 610 pskIdentities.addU32(psk.obfuscatedTicketAge) 611 } 612 pskBinders := pskExtension.addU16LengthPrefixed() 613 for _, binder := range m.pskBinders { 614 pskBinders.addU8LengthPrefixed().addBytes(binder) 615 } 616 } 617 618 if m.pad != 0 && hello.len()%m.pad != 0 { 619 extensions.addU16(extensionPadding) 620 padding := extensions.addU16LengthPrefixed() 621 // Note hello.len() has changed at this point from the length 622 // prefix. 623 if l := hello.len() % m.pad; l != 0 { 624 padding.addBytes(make([]byte, m.pad-l)) 625 } 626 } 627 628 if m.omitExtensions || m.emptyExtensions { 629 // Silently erase any extensions which were sent. 630 hello.discardChild() 631 if m.emptyExtensions { 632 hello.addU16(0) 633 } 634 } 635 636 m.raw = handshakeMsg.finish() 637 // Sanity-check padding. 638 if m.pad != 0 && (len(m.raw)-4)%m.pad != 0 { 639 panic(fmt.Sprintf("%d is not a multiple of %d", len(m.raw)-4, m.pad)) 640 } 641 return m.raw 642} 643 644func parseSignatureAlgorithms(reader *byteReader, out *[]signatureAlgorithm, allowEmpty bool) bool { 645 var sigAlgs byteReader 646 if !reader.readU16LengthPrefixed(&sigAlgs) { 647 return false 648 } 649 if !allowEmpty && len(sigAlgs) == 0 { 650 return false 651 } 652 *out = make([]signatureAlgorithm, 0, len(sigAlgs)/2) 653 for len(sigAlgs) > 0 { 654 var v uint16 655 if !sigAlgs.readU16(&v) { 656 return false 657 } 658 *out = append(*out, signatureAlgorithm(v)) 659 } 660 return true 661} 662 663func checkDuplicateExtensions(extensions byteReader) bool { 664 seen := make(map[uint16]struct{}) 665 for len(extensions) > 0 { 666 var extension uint16 667 var body byteReader 668 if !extensions.readU16(&extension) || 669 !extensions.readU16LengthPrefixed(&body) { 670 return false 671 } 672 if _, ok := seen[extension]; ok { 673 return false 674 } 675 seen[extension] = struct{}{} 676 } 677 return true 678} 679 680func (m *clientHelloMsg) unmarshal(data []byte) bool { 681 m.raw = data 682 reader := byteReader(data[4:]) 683 if !reader.readU16(&m.vers) || 684 !reader.readBytes(&m.random, 32) || 685 !reader.readU8LengthPrefixedBytes(&m.sessionId) || 686 len(m.sessionId) > 32 { 687 return false 688 } 689 if m.isDTLS { 690 if !reader.readU8LengthPrefixedBytes(&m.cookie) || 691 len(m.cookie) > 32 { 692 return false 693 } 694 } 695 var cipherSuites byteReader 696 if !reader.readU16LengthPrefixed(&cipherSuites) || 697 !reader.readU8LengthPrefixedBytes(&m.compressionMethods) { 698 return false 699 } 700 701 m.cipherSuites = make([]uint16, 0, len(cipherSuites)/2) 702 for len(cipherSuites) > 0 { 703 var v uint16 704 if !cipherSuites.readU16(&v) { 705 return false 706 } 707 m.cipherSuites = append(m.cipherSuites, v) 708 if v == scsvRenegotiation { 709 m.secureRenegotiation = []byte{} 710 } 711 } 712 713 m.nextProtoNeg = false 714 m.serverName = "" 715 m.ocspStapling = false 716 m.keyShares = nil 717 m.pskIdentities = nil 718 m.hasEarlyData = false 719 m.ticketSupported = false 720 m.sessionTicket = nil 721 m.signatureAlgorithms = nil 722 m.signatureAlgorithmsCert = nil 723 m.supportedVersions = nil 724 m.alpnProtocols = nil 725 m.extendedMasterSecret = false 726 m.customExtension = "" 727 m.delegatedCredentials = false 728 729 if len(reader) == 0 { 730 // ClientHello is optionally followed by extension data 731 return true 732 } 733 734 var extensions byteReader 735 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 || !checkDuplicateExtensions(extensions) { 736 return false 737 } 738 for len(extensions) > 0 { 739 var extension uint16 740 var body byteReader 741 if !extensions.readU16(&extension) || 742 !extensions.readU16LengthPrefixed(&body) { 743 return false 744 } 745 switch extension { 746 case extensionServerName: 747 var names byteReader 748 if !body.readU16LengthPrefixed(&names) || len(body) != 0 { 749 return false 750 } 751 for len(names) > 0 { 752 var nameType byte 753 var name []byte 754 if !names.readU8(&nameType) || 755 !names.readU16LengthPrefixedBytes(&name) { 756 return false 757 } 758 if nameType == 0 { 759 m.serverName = string(name) 760 } 761 } 762 case extensionNextProtoNeg: 763 if len(body) != 0 { 764 return false 765 } 766 m.nextProtoNeg = true 767 case extensionStatusRequest: 768 m.ocspStapling = len(body) > 0 && body[0] == statusTypeOCSP 769 case extensionSupportedCurves: 770 // http://tools.ietf.org/html/rfc4492#section-5.5.1 771 var curves byteReader 772 if !body.readU16LengthPrefixed(&curves) || len(body) != 0 { 773 return false 774 } 775 m.supportedCurves = make([]CurveID, 0, len(curves)/2) 776 for len(curves) > 0 { 777 var v uint16 778 if !curves.readU16(&v) { 779 return false 780 } 781 m.supportedCurves = append(m.supportedCurves, CurveID(v)) 782 } 783 case extensionSupportedPoints: 784 // http://tools.ietf.org/html/rfc4492#section-5.5.2 785 if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 { 786 return false 787 } 788 case extensionSessionTicket: 789 // http://tools.ietf.org/html/rfc5077#section-3.2 790 m.ticketSupported = true 791 m.sessionTicket = []byte(body) 792 case extensionKeyShare: 793 // https://tools.ietf.org/html/rfc8446#section-4.2.8 794 m.hasKeyShares = true 795 m.keySharesRaw = body 796 var keyShares byteReader 797 if !body.readU16LengthPrefixed(&keyShares) || len(body) != 0 { 798 return false 799 } 800 for len(keyShares) > 0 { 801 var entry keyShareEntry 802 var group uint16 803 if !keyShares.readU16(&group) || 804 !keyShares.readU16LengthPrefixedBytes(&entry.keyExchange) { 805 return false 806 } 807 entry.group = CurveID(group) 808 m.keyShares = append(m.keyShares, entry) 809 } 810 case extensionPreSharedKey: 811 // https://tools.ietf.org/html/rfc8446#section-4.2.11 812 var psks, binders byteReader 813 if !body.readU16LengthPrefixed(&psks) || 814 !body.readU16LengthPrefixed(&binders) || 815 len(body) != 0 { 816 return false 817 } 818 for len(psks) > 0 { 819 var psk pskIdentity 820 if !psks.readU16LengthPrefixedBytes(&psk.ticket) || 821 !psks.readU32(&psk.obfuscatedTicketAge) { 822 return false 823 } 824 m.pskIdentities = append(m.pskIdentities, psk) 825 } 826 for len(binders) > 0 { 827 var binder []byte 828 if !binders.readU8LengthPrefixedBytes(&binder) { 829 return false 830 } 831 m.pskBinders = append(m.pskBinders, binder) 832 } 833 834 // There must be the same number of identities as binders. 835 if len(m.pskIdentities) != len(m.pskBinders) { 836 return false 837 } 838 case extensionPSKKeyExchangeModes: 839 // https://tools.ietf.org/html/rfc8446#section-4.2.9 840 if !body.readU8LengthPrefixedBytes(&m.pskKEModes) || len(body) != 0 { 841 return false 842 } 843 case extensionEarlyData: 844 // https://tools.ietf.org/html/rfc8446#section-4.2.10 845 if len(body) != 0 { 846 return false 847 } 848 m.hasEarlyData = true 849 case extensionCookie: 850 if !body.readU16LengthPrefixedBytes(&m.tls13Cookie) || len(body) != 0 { 851 return false 852 } 853 case extensionSignatureAlgorithms: 854 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 855 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms, false) || len(body) != 0 { 856 return false 857 } 858 case extensionSignatureAlgorithmsCert: 859 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithmsCert, false) || len(body) != 0 { 860 return false 861 } 862 case extensionSupportedVersions: 863 var versions byteReader 864 if !body.readU8LengthPrefixed(&versions) || len(body) != 0 { 865 return false 866 } 867 m.supportedVersions = make([]uint16, 0, len(versions)/2) 868 for len(versions) > 0 { 869 var v uint16 870 if !versions.readU16(&v) { 871 return false 872 } 873 m.supportedVersions = append(m.supportedVersions, v) 874 } 875 case extensionRenegotiationInfo: 876 if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 { 877 return false 878 } 879 case extensionALPN: 880 var protocols byteReader 881 if !body.readU16LengthPrefixed(&protocols) || len(body) != 0 { 882 return false 883 } 884 for len(protocols) > 0 { 885 var protocol []byte 886 if !protocols.readU8LengthPrefixedBytes(&protocol) { 887 return false 888 } 889 m.alpnProtocols = append(m.alpnProtocols, string(protocol)) 890 } 891 case extensionQUICTransportParams: 892 m.quicTransportParams = body 893 case extensionChannelID: 894 if len(body) != 0 { 895 return false 896 } 897 m.channelIDSupported = true 898 case extensionTokenBinding: 899 if !body.readU16(&m.tokenBindingVersion) || 900 !body.readU8LengthPrefixedBytes(&m.tokenBindingParams) || 901 len(body) != 0 { 902 return false 903 } 904 case extensionExtendedMasterSecret: 905 if len(body) != 0 { 906 return false 907 } 908 m.extendedMasterSecret = true 909 case extensionUseSRTP: 910 var profiles byteReader 911 var mki []byte 912 if !body.readU16LengthPrefixed(&profiles) || 913 !body.readU8LengthPrefixedBytes(&mki) || 914 len(body) != 0 { 915 return false 916 } 917 m.srtpProtectionProfiles = make([]uint16, 0, len(profiles)/2) 918 for len(profiles) > 0 { 919 var v uint16 920 if !profiles.readU16(&v) { 921 return false 922 } 923 m.srtpProtectionProfiles = append(m.srtpProtectionProfiles, v) 924 } 925 m.srtpMasterKeyIdentifier = string(mki) 926 case extensionSignedCertificateTimestamp: 927 if len(body) != 0 { 928 return false 929 } 930 m.sctListSupported = true 931 case extensionCustom: 932 m.customExtension = string(body) 933 case extensionCompressedCertAlgs: 934 var algIDs byteReader 935 if !body.readU8LengthPrefixed(&algIDs) { 936 return false 937 } 938 939 seen := make(map[uint16]struct{}) 940 for len(algIDs) > 0 { 941 var algID uint16 942 if !algIDs.readU16(&algID) { 943 return false 944 } 945 if _, ok := seen[algID]; ok { 946 return false 947 } 948 seen[algID] = struct{}{} 949 m.compressedCertAlgs = append(m.compressedCertAlgs, algID) 950 } 951 case extensionPadding: 952 // Padding bytes must be all zero. 953 for _, b := range body { 954 if b != 0 { 955 return false 956 } 957 } 958 case extensionDelegatedCredentials: 959 if len(body) != 0 { 960 return false 961 } 962 m.delegatedCredentials = true 963 } 964 965 if isGREASEValue(extension) { 966 m.hasGREASEExtension = true 967 } 968 } 969 970 return true 971} 972 973type serverHelloMsg struct { 974 raw []byte 975 isDTLS bool 976 vers uint16 977 versOverride uint16 978 supportedVersOverride uint16 979 omitSupportedVers bool 980 random []byte 981 sessionId []byte 982 cipherSuite uint16 983 hasKeyShare bool 984 keyShare keyShareEntry 985 hasPSKIdentity bool 986 pskIdentity uint16 987 compressionMethod uint8 988 customExtension string 989 unencryptedALPN string 990 omitExtensions bool 991 emptyExtensions bool 992 extensions serverExtensions 993} 994 995func (m *serverHelloMsg) marshal() []byte { 996 if m.raw != nil { 997 return m.raw 998 } 999 1000 handshakeMsg := newByteBuilder() 1001 handshakeMsg.addU8(typeServerHello) 1002 hello := handshakeMsg.addU24LengthPrefixed() 1003 1004 // m.vers is used both to determine the format of the rest of the 1005 // ServerHello and to override the value, so include a second version 1006 // field. 1007 vers, ok := wireToVersion(m.vers, m.isDTLS) 1008 if !ok { 1009 panic("unknown version") 1010 } 1011 if m.versOverride != 0 { 1012 hello.addU16(m.versOverride) 1013 } else if vers >= VersionTLS13 { 1014 hello.addU16(VersionTLS12) 1015 } else { 1016 hello.addU16(m.vers) 1017 } 1018 1019 hello.addBytes(m.random) 1020 sessionId := hello.addU8LengthPrefixed() 1021 sessionId.addBytes(m.sessionId) 1022 hello.addU16(m.cipherSuite) 1023 hello.addU8(m.compressionMethod) 1024 1025 extensions := hello.addU16LengthPrefixed() 1026 1027 if vers >= VersionTLS13 { 1028 if m.hasKeyShare { 1029 extensions.addU16(extensionKeyShare) 1030 keyShare := extensions.addU16LengthPrefixed() 1031 keyShare.addU16(uint16(m.keyShare.group)) 1032 keyExchange := keyShare.addU16LengthPrefixed() 1033 keyExchange.addBytes(m.keyShare.keyExchange) 1034 } 1035 if m.hasPSKIdentity { 1036 extensions.addU16(extensionPreSharedKey) 1037 extensions.addU16(2) // Length 1038 extensions.addU16(m.pskIdentity) 1039 } 1040 if !m.omitSupportedVers { 1041 extensions.addU16(extensionSupportedVersions) 1042 extensions.addU16(2) // Length 1043 if m.supportedVersOverride != 0 { 1044 extensions.addU16(m.supportedVersOverride) 1045 } else { 1046 extensions.addU16(m.vers) 1047 } 1048 } 1049 if len(m.customExtension) > 0 { 1050 extensions.addU16(extensionCustom) 1051 customExt := extensions.addU16LengthPrefixed() 1052 customExt.addBytes([]byte(m.customExtension)) 1053 } 1054 if len(m.unencryptedALPN) > 0 { 1055 extensions.addU16(extensionALPN) 1056 extension := extensions.addU16LengthPrefixed() 1057 1058 protocolNameList := extension.addU16LengthPrefixed() 1059 protocolName := protocolNameList.addU8LengthPrefixed() 1060 protocolName.addBytes([]byte(m.unencryptedALPN)) 1061 } 1062 } else { 1063 m.extensions.marshal(extensions) 1064 if m.omitExtensions || m.emptyExtensions { 1065 // Silently erasing server extensions will break the handshake. Instead, 1066 // assert that tests which use this field also disable all features which 1067 // would write an extension. 1068 if extensions.len() != 0 { 1069 panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", extensions.data(), m)) 1070 } 1071 hello.discardChild() 1072 if m.emptyExtensions { 1073 hello.addU16(0) 1074 } 1075 } 1076 } 1077 1078 m.raw = handshakeMsg.finish() 1079 return m.raw 1080} 1081 1082func (m *serverHelloMsg) unmarshal(data []byte) bool { 1083 m.raw = data 1084 reader := byteReader(data[4:]) 1085 if !reader.readU16(&m.vers) || 1086 !reader.readBytes(&m.random, 32) { 1087 return false 1088 } 1089 vers, ok := wireToVersion(m.vers, m.isDTLS) 1090 if !ok { 1091 return false 1092 } 1093 if !reader.readU8LengthPrefixedBytes(&m.sessionId) || 1094 !reader.readU16(&m.cipherSuite) || 1095 !reader.readU8(&m.compressionMethod) { 1096 return false 1097 } 1098 1099 if len(reader) == 0 && m.vers < VersionTLS13 { 1100 // Extension data is optional before TLS 1.3. 1101 m.extensions = serverExtensions{} 1102 m.omitExtensions = true 1103 return true 1104 } 1105 1106 var extensions byteReader 1107 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 || !checkDuplicateExtensions(extensions) { 1108 return false 1109 } 1110 1111 // Parse out the version from supported_versions if available. 1112 if m.vers == VersionTLS12 { 1113 extensionsCopy := extensions 1114 for len(extensionsCopy) > 0 { 1115 var extension uint16 1116 var body byteReader 1117 if !extensionsCopy.readU16(&extension) || 1118 !extensionsCopy.readU16LengthPrefixed(&body) { 1119 return false 1120 } 1121 if extension == extensionSupportedVersions { 1122 if !body.readU16(&m.vers) || len(body) != 0 { 1123 return false 1124 } 1125 vers, ok = wireToVersion(m.vers, m.isDTLS) 1126 if !ok { 1127 return false 1128 } 1129 } 1130 } 1131 } 1132 1133 if vers >= VersionTLS13 { 1134 for len(extensions) > 0 { 1135 var extension uint16 1136 var body byteReader 1137 if !extensions.readU16(&extension) || 1138 !extensions.readU16LengthPrefixed(&body) { 1139 return false 1140 } 1141 switch extension { 1142 case extensionKeyShare: 1143 m.hasKeyShare = true 1144 var group uint16 1145 if !body.readU16(&group) || 1146 !body.readU16LengthPrefixedBytes(&m.keyShare.keyExchange) || 1147 len(body) != 0 { 1148 return false 1149 } 1150 m.keyShare.group = CurveID(group) 1151 case extensionPreSharedKey: 1152 if !body.readU16(&m.pskIdentity) || len(body) != 0 { 1153 return false 1154 } 1155 m.hasPSKIdentity = true 1156 case extensionSupportedVersions: 1157 // Parsed above. 1158 default: 1159 // Only allow the 3 extensions that are sent in 1160 // the clear in TLS 1.3. 1161 return false 1162 } 1163 } 1164 } else if !m.extensions.unmarshal(extensions, vers) { 1165 return false 1166 } 1167 1168 return true 1169} 1170 1171type encryptedExtensionsMsg struct { 1172 raw []byte 1173 extensions serverExtensions 1174 empty bool 1175} 1176 1177func (m *encryptedExtensionsMsg) marshal() []byte { 1178 if m.raw != nil { 1179 return m.raw 1180 } 1181 1182 encryptedExtensionsMsg := newByteBuilder() 1183 encryptedExtensionsMsg.addU8(typeEncryptedExtensions) 1184 encryptedExtensions := encryptedExtensionsMsg.addU24LengthPrefixed() 1185 if !m.empty { 1186 extensions := encryptedExtensions.addU16LengthPrefixed() 1187 m.extensions.marshal(extensions) 1188 } 1189 1190 m.raw = encryptedExtensionsMsg.finish() 1191 return m.raw 1192} 1193 1194func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1195 m.raw = data 1196 reader := byteReader(data[4:]) 1197 var extensions byteReader 1198 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1199 return false 1200 } 1201 return m.extensions.unmarshal(extensions, VersionTLS13) 1202} 1203 1204type serverExtensions struct { 1205 nextProtoNeg bool 1206 nextProtos []string 1207 ocspStapling bool 1208 ticketSupported bool 1209 secureRenegotiation []byte 1210 alpnProtocol string 1211 alpnProtocolEmpty bool 1212 duplicateExtension bool 1213 channelIDRequested bool 1214 tokenBindingParams []byte 1215 tokenBindingVersion uint16 1216 extendedMasterSecret bool 1217 srtpProtectionProfile uint16 1218 srtpMasterKeyIdentifier string 1219 sctList []byte 1220 customExtension string 1221 npnAfterAlpn bool 1222 hasKeyShare bool 1223 hasEarlyData bool 1224 keyShare keyShareEntry 1225 supportedVersion uint16 1226 supportedPoints []uint8 1227 supportedCurves []CurveID 1228 quicTransportParams []byte 1229 serverNameAck bool 1230} 1231 1232func (m *serverExtensions) marshal(extensions *byteBuilder) { 1233 if m.duplicateExtension { 1234 // Add a duplicate bogus extension at the beginning and end. 1235 extensions.addU16(0xffff) 1236 extensions.addU16(0) // length = 0 for empty extension 1237 } 1238 if m.nextProtoNeg && !m.npnAfterAlpn { 1239 extensions.addU16(extensionNextProtoNeg) 1240 extension := extensions.addU16LengthPrefixed() 1241 1242 for _, v := range m.nextProtos { 1243 if len(v) > 255 { 1244 v = v[:255] 1245 } 1246 npn := extension.addU8LengthPrefixed() 1247 npn.addBytes([]byte(v)) 1248 } 1249 } 1250 if m.ocspStapling { 1251 extensions.addU16(extensionStatusRequest) 1252 extensions.addU16(0) 1253 } 1254 if m.ticketSupported { 1255 extensions.addU16(extensionSessionTicket) 1256 extensions.addU16(0) 1257 } 1258 if m.secureRenegotiation != nil { 1259 extensions.addU16(extensionRenegotiationInfo) 1260 extension := extensions.addU16LengthPrefixed() 1261 secureRenego := extension.addU8LengthPrefixed() 1262 secureRenego.addBytes(m.secureRenegotiation) 1263 } 1264 if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty { 1265 extensions.addU16(extensionALPN) 1266 extension := extensions.addU16LengthPrefixed() 1267 1268 protocolNameList := extension.addU16LengthPrefixed() 1269 protocolName := protocolNameList.addU8LengthPrefixed() 1270 protocolName.addBytes([]byte(m.alpnProtocol)) 1271 } 1272 if m.channelIDRequested { 1273 extensions.addU16(extensionChannelID) 1274 extensions.addU16(0) 1275 } 1276 if m.tokenBindingParams != nil { 1277 extensions.addU16(extensionTokenBinding) 1278 tokbindExtension := extensions.addU16LengthPrefixed() 1279 tokbindExtension.addU16(m.tokenBindingVersion) 1280 tokbindParams := tokbindExtension.addU8LengthPrefixed() 1281 tokbindParams.addBytes(m.tokenBindingParams) 1282 } 1283 if m.duplicateExtension { 1284 // Add a duplicate bogus extension at the beginning and end. 1285 extensions.addU16(0xffff) 1286 extensions.addU16(0) 1287 } 1288 if m.extendedMasterSecret { 1289 extensions.addU16(extensionExtendedMasterSecret) 1290 extensions.addU16(0) 1291 } 1292 if m.srtpProtectionProfile != 0 { 1293 extensions.addU16(extensionUseSRTP) 1294 extension := extensions.addU16LengthPrefixed() 1295 1296 srtpProtectionProfiles := extension.addU16LengthPrefixed() 1297 srtpProtectionProfiles.addU16(m.srtpProtectionProfile) 1298 srtpMki := extension.addU8LengthPrefixed() 1299 srtpMki.addBytes([]byte(m.srtpMasterKeyIdentifier)) 1300 } 1301 if m.sctList != nil { 1302 extensions.addU16(extensionSignedCertificateTimestamp) 1303 extension := extensions.addU16LengthPrefixed() 1304 extension.addBytes(m.sctList) 1305 } 1306 if l := len(m.customExtension); l > 0 { 1307 extensions.addU16(extensionCustom) 1308 customExt := extensions.addU16LengthPrefixed() 1309 customExt.addBytes([]byte(m.customExtension)) 1310 } 1311 if m.nextProtoNeg && m.npnAfterAlpn { 1312 extensions.addU16(extensionNextProtoNeg) 1313 extension := extensions.addU16LengthPrefixed() 1314 1315 for _, v := range m.nextProtos { 1316 if len(v) > 255 { 1317 v = v[0:255] 1318 } 1319 npn := extension.addU8LengthPrefixed() 1320 npn.addBytes([]byte(v)) 1321 } 1322 } 1323 if m.hasKeyShare { 1324 extensions.addU16(extensionKeyShare) 1325 keyShare := extensions.addU16LengthPrefixed() 1326 keyShare.addU16(uint16(m.keyShare.group)) 1327 keyExchange := keyShare.addU16LengthPrefixed() 1328 keyExchange.addBytes(m.keyShare.keyExchange) 1329 } 1330 if m.supportedVersion != 0 { 1331 extensions.addU16(extensionSupportedVersions) 1332 extensions.addU16(2) // Length 1333 extensions.addU16(m.supportedVersion) 1334 } 1335 if len(m.supportedPoints) > 0 { 1336 // http://tools.ietf.org/html/rfc4492#section-5.1.2 1337 extensions.addU16(extensionSupportedPoints) 1338 supportedPointsList := extensions.addU16LengthPrefixed() 1339 supportedPoints := supportedPointsList.addU8LengthPrefixed() 1340 supportedPoints.addBytes(m.supportedPoints) 1341 } 1342 if len(m.supportedCurves) > 0 { 1343 // https://tools.ietf.org/html/rfc8446#section-4.2.7 1344 extensions.addU16(extensionSupportedCurves) 1345 supportedCurvesList := extensions.addU16LengthPrefixed() 1346 supportedCurves := supportedCurvesList.addU16LengthPrefixed() 1347 for _, curve := range m.supportedCurves { 1348 supportedCurves.addU16(uint16(curve)) 1349 } 1350 } 1351 if len(m.quicTransportParams) > 0 { 1352 extensions.addU16(extensionQUICTransportParams) 1353 params := extensions.addU16LengthPrefixed() 1354 params.addBytes(m.quicTransportParams) 1355 } 1356 if m.hasEarlyData { 1357 extensions.addU16(extensionEarlyData) 1358 extensions.addBytes([]byte{0, 0}) 1359 } 1360 if m.serverNameAck { 1361 extensions.addU16(extensionServerName) 1362 extensions.addU16(0) // zero length 1363 } 1364} 1365 1366func (m *serverExtensions) unmarshal(data byteReader, version uint16) bool { 1367 // Reset all fields. 1368 *m = serverExtensions{} 1369 1370 if !checkDuplicateExtensions(data) { 1371 return false 1372 } 1373 1374 for len(data) > 0 { 1375 var extension uint16 1376 var body byteReader 1377 if !data.readU16(&extension) || 1378 !data.readU16LengthPrefixed(&body) { 1379 return false 1380 } 1381 switch extension { 1382 case extensionNextProtoNeg: 1383 m.nextProtoNeg = true 1384 for len(body) > 0 { 1385 var protocol []byte 1386 if !body.readU8LengthPrefixedBytes(&protocol) { 1387 return false 1388 } 1389 m.nextProtos = append(m.nextProtos, string(protocol)) 1390 } 1391 case extensionStatusRequest: 1392 if len(body) != 0 { 1393 return false 1394 } 1395 m.ocspStapling = true 1396 case extensionSessionTicket: 1397 if len(body) != 0 { 1398 return false 1399 } 1400 m.ticketSupported = true 1401 case extensionRenegotiationInfo: 1402 if !body.readU8LengthPrefixedBytes(&m.secureRenegotiation) || len(body) != 0 { 1403 return false 1404 } 1405 case extensionALPN: 1406 var protocols, protocol byteReader 1407 if !body.readU16LengthPrefixed(&protocols) || 1408 len(body) != 0 || 1409 !protocols.readU8LengthPrefixed(&protocol) || 1410 len(protocols) != 0 { 1411 return false 1412 } 1413 m.alpnProtocol = string(protocol) 1414 m.alpnProtocolEmpty = len(protocol) == 0 1415 case extensionChannelID: 1416 if len(body) != 0 { 1417 return false 1418 } 1419 m.channelIDRequested = true 1420 case extensionTokenBinding: 1421 if !body.readU16(&m.tokenBindingVersion) || 1422 !body.readU8LengthPrefixedBytes(&m.tokenBindingParams) || 1423 len(m.tokenBindingParams) != 1 || 1424 len(body) != 0 { 1425 return false 1426 } 1427 case extensionExtendedMasterSecret: 1428 if len(body) != 0 { 1429 return false 1430 } 1431 m.extendedMasterSecret = true 1432 case extensionUseSRTP: 1433 var profiles, mki byteReader 1434 if !body.readU16LengthPrefixed(&profiles) || 1435 !profiles.readU16(&m.srtpProtectionProfile) || 1436 len(profiles) != 0 || 1437 !body.readU8LengthPrefixed(&mki) || 1438 len(body) != 0 { 1439 return false 1440 } 1441 m.srtpMasterKeyIdentifier = string(mki) 1442 case extensionSignedCertificateTimestamp: 1443 m.sctList = []byte(body) 1444 case extensionCustom: 1445 m.customExtension = string(body) 1446 case extensionServerName: 1447 if len(body) != 0 { 1448 return false 1449 } 1450 m.serverNameAck = true 1451 case extensionSupportedPoints: 1452 // supported_points is illegal in TLS 1.3. 1453 if version >= VersionTLS13 { 1454 return false 1455 } 1456 // http://tools.ietf.org/html/rfc4492#section-5.5.2 1457 if !body.readU8LengthPrefixedBytes(&m.supportedPoints) || len(body) != 0 { 1458 return false 1459 } 1460 case extensionSupportedCurves: 1461 // The server can only send supported_curves in TLS 1.3. 1462 if version < VersionTLS13 { 1463 return false 1464 } 1465 case extensionQUICTransportParams: 1466 m.quicTransportParams = body 1467 case extensionEarlyData: 1468 if version < VersionTLS13 || len(body) != 0 { 1469 return false 1470 } 1471 m.hasEarlyData = true 1472 default: 1473 // Unknown extensions are illegal from the server. 1474 return false 1475 } 1476 } 1477 1478 return true 1479} 1480 1481type helloRetryRequestMsg struct { 1482 raw []byte 1483 vers uint16 1484 isServerHello bool 1485 sessionId []byte 1486 cipherSuite uint16 1487 compressionMethod uint8 1488 hasSelectedGroup bool 1489 selectedGroup CurveID 1490 cookie []byte 1491 customExtension string 1492 duplicateExtensions bool 1493} 1494 1495func (m *helloRetryRequestMsg) marshal() []byte { 1496 if m.raw != nil { 1497 return m.raw 1498 } 1499 1500 retryRequestMsg := newByteBuilder() 1501 retryRequestMsg.addU8(typeServerHello) 1502 retryRequest := retryRequestMsg.addU24LengthPrefixed() 1503 retryRequest.addU16(VersionTLS12) 1504 retryRequest.addBytes(tls13HelloRetryRequest) 1505 sessionId := retryRequest.addU8LengthPrefixed() 1506 sessionId.addBytes(m.sessionId) 1507 retryRequest.addU16(m.cipherSuite) 1508 retryRequest.addU8(m.compressionMethod) 1509 1510 extensions := retryRequest.addU16LengthPrefixed() 1511 1512 count := 1 1513 if m.duplicateExtensions { 1514 count = 2 1515 } 1516 1517 for i := 0; i < count; i++ { 1518 extensions.addU16(extensionSupportedVersions) 1519 extensions.addU16(2) // Length 1520 extensions.addU16(m.vers) 1521 if m.hasSelectedGroup { 1522 extensions.addU16(extensionKeyShare) 1523 extensions.addU16(2) // length 1524 extensions.addU16(uint16(m.selectedGroup)) 1525 } 1526 // m.cookie may be a non-nil empty slice for empty cookie tests. 1527 if m.cookie != nil { 1528 extensions.addU16(extensionCookie) 1529 body := extensions.addU16LengthPrefixed() 1530 body.addU16LengthPrefixed().addBytes(m.cookie) 1531 } 1532 if len(m.customExtension) > 0 { 1533 extensions.addU16(extensionCustom) 1534 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 1535 } 1536 } 1537 1538 m.raw = retryRequestMsg.finish() 1539 return m.raw 1540} 1541 1542func (m *helloRetryRequestMsg) unmarshal(data []byte) bool { 1543 m.raw = data 1544 reader := byteReader(data[4:]) 1545 if !reader.readU16(&m.vers) { 1546 return false 1547 } 1548 if m.isServerHello { 1549 var random []byte 1550 var compressionMethod byte 1551 if !reader.readBytes(&random, 32) || 1552 !reader.readU8LengthPrefixedBytes(&m.sessionId) || 1553 !reader.readU16(&m.cipherSuite) || 1554 !reader.readU8(&compressionMethod) || 1555 compressionMethod != 0 { 1556 return false 1557 } 1558 } else if !reader.readU16(&m.cipherSuite) { 1559 return false 1560 } 1561 var extensions byteReader 1562 if !reader.readU16LengthPrefixed(&extensions) || len(reader) != 0 { 1563 return false 1564 } 1565 extensionsCopy := extensions 1566 for len(extensionsCopy) > 0 { 1567 var extension uint16 1568 var body byteReader 1569 if !extensionsCopy.readU16(&extension) || 1570 !extensionsCopy.readU16LengthPrefixed(&body) { 1571 return false 1572 } 1573 switch extension { 1574 case extensionSupportedVersions: 1575 if !m.isServerHello || 1576 !body.readU16(&m.vers) || 1577 len(body) != 0 { 1578 return false 1579 } 1580 default: 1581 } 1582 } 1583 for len(extensions) > 0 { 1584 var extension uint16 1585 var body byteReader 1586 if !extensions.readU16(&extension) || 1587 !extensions.readU16LengthPrefixed(&body) { 1588 return false 1589 } 1590 switch extension { 1591 case extensionSupportedVersions: 1592 // Parsed above. 1593 case extensionKeyShare: 1594 var v uint16 1595 if !body.readU16(&v) || len(body) != 0 { 1596 return false 1597 } 1598 m.hasSelectedGroup = true 1599 m.selectedGroup = CurveID(v) 1600 case extensionCookie: 1601 if !body.readU16LengthPrefixedBytes(&m.cookie) || len(body) != 0 { 1602 return false 1603 } 1604 default: 1605 // Unknown extensions are illegal from the server. 1606 return false 1607 } 1608 } 1609 return true 1610} 1611 1612type certificateEntry struct { 1613 data []byte 1614 ocspResponse []byte 1615 sctList []byte 1616 duplicateExtensions bool 1617 extraExtension []byte 1618 delegatedCredential *delegatedCredential 1619} 1620 1621type delegatedCredential struct { 1622 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1623 signedBytes []byte 1624 lifetimeSecs uint32 1625 expectedCertVerifyAlgo signatureAlgorithm 1626 pkixPublicKey []byte 1627 algorithm signatureAlgorithm 1628 signature []byte 1629} 1630 1631type certificateMsg struct { 1632 raw []byte 1633 hasRequestContext bool 1634 requestContext []byte 1635 certificates []certificateEntry 1636} 1637 1638func (m *certificateMsg) marshal() (x []byte) { 1639 if m.raw != nil { 1640 return m.raw 1641 } 1642 1643 certMsg := newByteBuilder() 1644 certMsg.addU8(typeCertificate) 1645 certificate := certMsg.addU24LengthPrefixed() 1646 if m.hasRequestContext { 1647 context := certificate.addU8LengthPrefixed() 1648 context.addBytes(m.requestContext) 1649 } 1650 certificateList := certificate.addU24LengthPrefixed() 1651 for _, cert := range m.certificates { 1652 certEntry := certificateList.addU24LengthPrefixed() 1653 certEntry.addBytes(cert.data) 1654 if m.hasRequestContext { 1655 extensions := certificateList.addU16LengthPrefixed() 1656 count := 1 1657 if cert.duplicateExtensions { 1658 count = 2 1659 } 1660 1661 for i := 0; i < count; i++ { 1662 if cert.ocspResponse != nil { 1663 extensions.addU16(extensionStatusRequest) 1664 body := extensions.addU16LengthPrefixed() 1665 body.addU8(statusTypeOCSP) 1666 response := body.addU24LengthPrefixed() 1667 response.addBytes(cert.ocspResponse) 1668 } 1669 1670 if cert.sctList != nil { 1671 extensions.addU16(extensionSignedCertificateTimestamp) 1672 extension := extensions.addU16LengthPrefixed() 1673 extension.addBytes(cert.sctList) 1674 } 1675 } 1676 if cert.extraExtension != nil { 1677 extensions.addBytes(cert.extraExtension) 1678 } 1679 } 1680 } 1681 1682 m.raw = certMsg.finish() 1683 return m.raw 1684} 1685 1686func (m *certificateMsg) unmarshal(data []byte) bool { 1687 m.raw = data 1688 reader := byteReader(data[4:]) 1689 1690 if m.hasRequestContext && !reader.readU8LengthPrefixedBytes(&m.requestContext) { 1691 return false 1692 } 1693 1694 var certs byteReader 1695 if !reader.readU24LengthPrefixed(&certs) || len(reader) != 0 { 1696 return false 1697 } 1698 m.certificates = nil 1699 for len(certs) > 0 { 1700 var cert certificateEntry 1701 if !certs.readU24LengthPrefixedBytes(&cert.data) { 1702 return false 1703 } 1704 if m.hasRequestContext { 1705 var extensions byteReader 1706 if !certs.readU16LengthPrefixed(&extensions) || !checkDuplicateExtensions(extensions) { 1707 return false 1708 } 1709 for len(extensions) > 0 { 1710 var extension uint16 1711 var body byteReader 1712 if !extensions.readU16(&extension) || 1713 !extensions.readU16LengthPrefixed(&body) { 1714 return false 1715 } 1716 switch extension { 1717 case extensionStatusRequest: 1718 var statusType byte 1719 if !body.readU8(&statusType) || 1720 statusType != statusTypeOCSP || 1721 !body.readU24LengthPrefixedBytes(&cert.ocspResponse) || 1722 len(body) != 0 { 1723 return false 1724 } 1725 case extensionSignedCertificateTimestamp: 1726 cert.sctList = []byte(body) 1727 case extensionDelegatedCredentials: 1728 // https://tools.ietf.org/html/draft-ietf-tls-subcerts-03#section-3 1729 if cert.delegatedCredential != nil { 1730 return false 1731 } 1732 1733 dc := new(delegatedCredential) 1734 origBody := body 1735 var expectedCertVerifyAlgo, algorithm uint16 1736 1737 if !body.readU32(&dc.lifetimeSecs) || 1738 !body.readU16(&expectedCertVerifyAlgo) || 1739 !body.readU24LengthPrefixedBytes(&dc.pkixPublicKey) || 1740 !body.readU16(&algorithm) || 1741 !body.readU16LengthPrefixedBytes(&dc.signature) || 1742 len(body) != 0 { 1743 return false 1744 } 1745 1746 dc.expectedCertVerifyAlgo = signatureAlgorithm(expectedCertVerifyAlgo) 1747 dc.algorithm = signatureAlgorithm(algorithm) 1748 dc.signedBytes = []byte(origBody)[:4+2+3+len(dc.pkixPublicKey)] 1749 cert.delegatedCredential = dc 1750 default: 1751 return false 1752 } 1753 } 1754 } 1755 m.certificates = append(m.certificates, cert) 1756 } 1757 1758 return true 1759} 1760 1761type compressedCertificateMsg struct { 1762 raw []byte 1763 algID uint16 1764 uncompressedLength uint32 1765 compressed []byte 1766} 1767 1768func (m *compressedCertificateMsg) marshal() (x []byte) { 1769 if m.raw != nil { 1770 return m.raw 1771 } 1772 1773 certMsg := newByteBuilder() 1774 certMsg.addU8(typeCompressedCertificate) 1775 certificate := certMsg.addU24LengthPrefixed() 1776 certificate.addU16(m.algID) 1777 certificate.addU24(int(m.uncompressedLength)) 1778 compressed := certificate.addU24LengthPrefixed() 1779 compressed.addBytes(m.compressed) 1780 1781 m.raw = certMsg.finish() 1782 return m.raw 1783} 1784 1785func (m *compressedCertificateMsg) unmarshal(data []byte) bool { 1786 m.raw = data 1787 reader := byteReader(data[4:]) 1788 1789 if !reader.readU16(&m.algID) || 1790 !reader.readU24(&m.uncompressedLength) || 1791 !reader.readU24LengthPrefixedBytes(&m.compressed) || 1792 len(reader) != 0 { 1793 return false 1794 } 1795 1796 if m.uncompressedLength >= 1<<17 { 1797 return false 1798 } 1799 1800 return true 1801} 1802 1803type serverKeyExchangeMsg struct { 1804 raw []byte 1805 key []byte 1806} 1807 1808func (m *serverKeyExchangeMsg) marshal() []byte { 1809 if m.raw != nil { 1810 return m.raw 1811 } 1812 msg := newByteBuilder() 1813 msg.addU8(typeServerKeyExchange) 1814 msg.addU24LengthPrefixed().addBytes(m.key) 1815 m.raw = msg.finish() 1816 return m.raw 1817} 1818 1819func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 1820 m.raw = data 1821 if len(data) < 4 { 1822 return false 1823 } 1824 m.key = data[4:] 1825 return true 1826} 1827 1828type certificateStatusMsg struct { 1829 raw []byte 1830 statusType uint8 1831 response []byte 1832} 1833 1834func (m *certificateStatusMsg) marshal() []byte { 1835 if m.raw != nil { 1836 return m.raw 1837 } 1838 1839 var x []byte 1840 if m.statusType == statusTypeOCSP { 1841 msg := newByteBuilder() 1842 msg.addU8(typeCertificateStatus) 1843 body := msg.addU24LengthPrefixed() 1844 body.addU8(statusTypeOCSP) 1845 body.addU24LengthPrefixed().addBytes(m.response) 1846 x = msg.finish() 1847 } else { 1848 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 1849 } 1850 1851 m.raw = x 1852 return x 1853} 1854 1855func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1856 m.raw = data 1857 reader := byteReader(data[4:]) 1858 if !reader.readU8(&m.statusType) || 1859 m.statusType != statusTypeOCSP || 1860 !reader.readU24LengthPrefixedBytes(&m.response) || 1861 len(reader) != 0 { 1862 return false 1863 } 1864 return true 1865} 1866 1867type serverHelloDoneMsg struct{} 1868 1869func (m *serverHelloDoneMsg) marshal() []byte { 1870 x := make([]byte, 4) 1871 x[0] = typeServerHelloDone 1872 return x 1873} 1874 1875func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1876 return len(data) == 4 1877} 1878 1879type clientKeyExchangeMsg struct { 1880 raw []byte 1881 ciphertext []byte 1882} 1883 1884func (m *clientKeyExchangeMsg) marshal() []byte { 1885 if m.raw != nil { 1886 return m.raw 1887 } 1888 msg := newByteBuilder() 1889 msg.addU8(typeClientKeyExchange) 1890 msg.addU24LengthPrefixed().addBytes(m.ciphertext) 1891 m.raw = msg.finish() 1892 return m.raw 1893} 1894 1895func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1896 m.raw = data 1897 if len(data) < 4 { 1898 return false 1899 } 1900 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1901 if l != len(data)-4 { 1902 return false 1903 } 1904 m.ciphertext = data[4:] 1905 return true 1906} 1907 1908type finishedMsg struct { 1909 raw []byte 1910 verifyData []byte 1911} 1912 1913func (m *finishedMsg) marshal() []byte { 1914 if m.raw != nil { 1915 return m.raw 1916 } 1917 1918 msg := newByteBuilder() 1919 msg.addU8(typeFinished) 1920 msg.addU24LengthPrefixed().addBytes(m.verifyData) 1921 m.raw = msg.finish() 1922 return m.raw 1923} 1924 1925func (m *finishedMsg) unmarshal(data []byte) bool { 1926 m.raw = data 1927 if len(data) < 4 { 1928 return false 1929 } 1930 m.verifyData = data[4:] 1931 return true 1932} 1933 1934type nextProtoMsg struct { 1935 raw []byte 1936 proto string 1937} 1938 1939func (m *nextProtoMsg) marshal() []byte { 1940 if m.raw != nil { 1941 return m.raw 1942 } 1943 1944 padding := 32 - (len(m.proto)+2)%32 1945 1946 msg := newByteBuilder() 1947 msg.addU8(typeNextProtocol) 1948 body := msg.addU24LengthPrefixed() 1949 body.addU8LengthPrefixed().addBytes([]byte(m.proto)) 1950 body.addU8LengthPrefixed().addBytes(make([]byte, padding)) 1951 m.raw = msg.finish() 1952 return m.raw 1953} 1954 1955func (m *nextProtoMsg) unmarshal(data []byte) bool { 1956 m.raw = data 1957 reader := byteReader(data[4:]) 1958 var proto, padding []byte 1959 if !reader.readU8LengthPrefixedBytes(&proto) || 1960 !reader.readU8LengthPrefixedBytes(&padding) || 1961 len(reader) != 0 { 1962 return false 1963 } 1964 m.proto = string(proto) 1965 1966 // Padding is not meant to be checked normally, but as this is a testing 1967 // implementation, we check the padding is as expected. 1968 if len(padding) != 32-(len(m.proto)+2)%32 { 1969 return false 1970 } 1971 for _, v := range padding { 1972 if v != 0 { 1973 return false 1974 } 1975 } 1976 1977 return true 1978} 1979 1980type certificateRequestMsg struct { 1981 raw []byte 1982 vers uint16 1983 // hasSignatureAlgorithm indicates whether this message includes a list 1984 // of signature and hash functions. This change was introduced with TLS 1985 // 1.2. 1986 hasSignatureAlgorithm bool 1987 // hasRequestContext indicates whether this message includes a context 1988 // field instead of certificateTypes. This change was introduced with 1989 // TLS 1.3. 1990 hasRequestContext bool 1991 1992 certificateTypes []byte 1993 requestContext []byte 1994 signatureAlgorithms []signatureAlgorithm 1995 signatureAlgorithmsCert []signatureAlgorithm 1996 certificateAuthorities [][]byte 1997 hasCAExtension bool 1998 customExtension uint16 1999} 2000 2001func (m *certificateRequestMsg) marshal() []byte { 2002 if m.raw != nil { 2003 return m.raw 2004 } 2005 2006 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 2007 builder := newByteBuilder() 2008 builder.addU8(typeCertificateRequest) 2009 body := builder.addU24LengthPrefixed() 2010 2011 if m.hasRequestContext { 2012 requestContext := body.addU8LengthPrefixed() 2013 requestContext.addBytes(m.requestContext) 2014 extensions := newByteBuilder() 2015 extensions = body.addU16LengthPrefixed() 2016 if m.hasSignatureAlgorithm { 2017 extensions.addU16(extensionSignatureAlgorithms) 2018 signatureAlgorithms := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 2019 for _, sigAlg := range m.signatureAlgorithms { 2020 signatureAlgorithms.addU16(uint16(sigAlg)) 2021 } 2022 } 2023 if len(m.signatureAlgorithmsCert) > 0 { 2024 extensions.addU16(extensionSignatureAlgorithmsCert) 2025 signatureAlgorithmsCert := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 2026 for _, sigAlg := range m.signatureAlgorithmsCert { 2027 signatureAlgorithmsCert.addU16(uint16(sigAlg)) 2028 } 2029 } 2030 if len(m.certificateAuthorities) > 0 { 2031 extensions.addU16(extensionCertificateAuthorities) 2032 certificateAuthorities := extensions.addU16LengthPrefixed().addU16LengthPrefixed() 2033 for _, ca := range m.certificateAuthorities { 2034 caEntry := certificateAuthorities.addU16LengthPrefixed() 2035 caEntry.addBytes(ca) 2036 } 2037 } 2038 2039 if m.customExtension > 0 { 2040 extensions.addU16(m.customExtension) 2041 extensions.addU16LengthPrefixed() 2042 } 2043 } else { 2044 certificateTypes := body.addU8LengthPrefixed() 2045 certificateTypes.addBytes(m.certificateTypes) 2046 2047 if m.hasSignatureAlgorithm { 2048 signatureAlgorithms := body.addU16LengthPrefixed() 2049 for _, sigAlg := range m.signatureAlgorithms { 2050 signatureAlgorithms.addU16(uint16(sigAlg)) 2051 } 2052 } 2053 2054 certificateAuthorities := body.addU16LengthPrefixed() 2055 for _, ca := range m.certificateAuthorities { 2056 caEntry := certificateAuthorities.addU16LengthPrefixed() 2057 caEntry.addBytes(ca) 2058 } 2059 } 2060 2061 m.raw = builder.finish() 2062 return m.raw 2063} 2064 2065func parseCAs(reader *byteReader, out *[][]byte) bool { 2066 var cas byteReader 2067 if !reader.readU16LengthPrefixed(&cas) { 2068 return false 2069 } 2070 for len(cas) > 0 { 2071 var ca []byte 2072 if !cas.readU16LengthPrefixedBytes(&ca) { 2073 return false 2074 } 2075 *out = append(*out, ca) 2076 } 2077 return true 2078} 2079 2080func (m *certificateRequestMsg) unmarshal(data []byte) bool { 2081 m.raw = data 2082 reader := byteReader(data[4:]) 2083 2084 if m.hasRequestContext { 2085 var extensions byteReader 2086 if !reader.readU8LengthPrefixedBytes(&m.requestContext) || 2087 !reader.readU16LengthPrefixed(&extensions) || 2088 len(reader) != 0 || 2089 !checkDuplicateExtensions(extensions) { 2090 return false 2091 } 2092 for len(extensions) > 0 { 2093 var extension uint16 2094 var body byteReader 2095 if !extensions.readU16(&extension) || 2096 !extensions.readU16LengthPrefixed(&body) { 2097 return false 2098 } 2099 switch extension { 2100 case extensionSignatureAlgorithms: 2101 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms, false) || len(body) != 0 { 2102 return false 2103 } 2104 case extensionSignatureAlgorithmsCert: 2105 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithmsCert, false) || len(body) != 0 { 2106 return false 2107 } 2108 case extensionCertificateAuthorities: 2109 if !parseCAs(&body, &m.certificateAuthorities) || len(body) != 0 { 2110 return false 2111 } 2112 m.hasCAExtension = true 2113 } 2114 } 2115 } else { 2116 if !reader.readU8LengthPrefixedBytes(&m.certificateTypes) { 2117 return false 2118 } 2119 // In TLS 1.2, the supported_signature_algorithms field in 2120 // CertificateRequest may be empty. 2121 if m.hasSignatureAlgorithm && !parseSignatureAlgorithms(&reader, &m.signatureAlgorithms, true) { 2122 return false 2123 } 2124 if !parseCAs(&reader, &m.certificateAuthorities) || 2125 len(reader) != 0 { 2126 return false 2127 } 2128 } 2129 2130 return true 2131} 2132 2133type certificateVerifyMsg struct { 2134 raw []byte 2135 hasSignatureAlgorithm bool 2136 signatureAlgorithm signatureAlgorithm 2137 signature []byte 2138} 2139 2140func (m *certificateVerifyMsg) marshal() (x []byte) { 2141 if m.raw != nil { 2142 return m.raw 2143 } 2144 2145 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 2146 siglength := len(m.signature) 2147 length := 2 + siglength 2148 if m.hasSignatureAlgorithm { 2149 length += 2 2150 } 2151 x = make([]byte, 4+length) 2152 x[0] = typeCertificateVerify 2153 x[1] = uint8(length >> 16) 2154 x[2] = uint8(length >> 8) 2155 x[3] = uint8(length) 2156 y := x[4:] 2157 if m.hasSignatureAlgorithm { 2158 y[0] = byte(m.signatureAlgorithm >> 8) 2159 y[1] = byte(m.signatureAlgorithm) 2160 y = y[2:] 2161 } 2162 y[0] = uint8(siglength >> 8) 2163 y[1] = uint8(siglength) 2164 copy(y[2:], m.signature) 2165 2166 m.raw = x 2167 2168 return 2169} 2170 2171func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2172 m.raw = data 2173 2174 if len(data) < 6 { 2175 return false 2176 } 2177 2178 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2179 if uint32(len(data))-4 != length { 2180 return false 2181 } 2182 2183 data = data[4:] 2184 if m.hasSignatureAlgorithm { 2185 m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1]) 2186 data = data[2:] 2187 } 2188 2189 if len(data) < 2 { 2190 return false 2191 } 2192 siglength := int(data[0])<<8 + int(data[1]) 2193 data = data[2:] 2194 if len(data) != siglength { 2195 return false 2196 } 2197 2198 m.signature = data 2199 2200 return true 2201} 2202 2203type newSessionTicketMsg struct { 2204 raw []byte 2205 vers uint16 2206 isDTLS bool 2207 ticketLifetime uint32 2208 ticketAgeAdd uint32 2209 ticketNonce []byte 2210 ticket []byte 2211 maxEarlyDataSize uint32 2212 customExtension string 2213 duplicateEarlyDataExtension bool 2214 hasGREASEExtension bool 2215} 2216 2217func (m *newSessionTicketMsg) marshal() []byte { 2218 if m.raw != nil { 2219 return m.raw 2220 } 2221 2222 version, ok := wireToVersion(m.vers, m.isDTLS) 2223 if !ok { 2224 panic("unknown version") 2225 } 2226 2227 // See http://tools.ietf.org/html/rfc5077#section-3.3 2228 ticketMsg := newByteBuilder() 2229 ticketMsg.addU8(typeNewSessionTicket) 2230 body := ticketMsg.addU24LengthPrefixed() 2231 body.addU32(m.ticketLifetime) 2232 if version >= VersionTLS13 { 2233 body.addU32(m.ticketAgeAdd) 2234 body.addU8LengthPrefixed().addBytes(m.ticketNonce) 2235 } 2236 2237 ticket := body.addU16LengthPrefixed() 2238 ticket.addBytes(m.ticket) 2239 2240 if version >= VersionTLS13 { 2241 extensions := body.addU16LengthPrefixed() 2242 if m.maxEarlyDataSize > 0 { 2243 extensions.addU16(extensionEarlyData) 2244 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2245 if m.duplicateEarlyDataExtension { 2246 extensions.addU16(extensionEarlyData) 2247 extensions.addU16LengthPrefixed().addU32(m.maxEarlyDataSize) 2248 } 2249 } 2250 if len(m.customExtension) > 0 { 2251 extensions.addU16(extensionCustom) 2252 extensions.addU16LengthPrefixed().addBytes([]byte(m.customExtension)) 2253 } 2254 } 2255 2256 m.raw = ticketMsg.finish() 2257 return m.raw 2258} 2259 2260func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2261 m.raw = data 2262 2263 version, ok := wireToVersion(m.vers, m.isDTLS) 2264 if !ok { 2265 panic("unknown version") 2266 } 2267 2268 if len(data) < 8 { 2269 return false 2270 } 2271 m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 2272 data = data[8:] 2273 2274 if version >= VersionTLS13 { 2275 if len(data) < 4 { 2276 return false 2277 } 2278 m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2279 data = data[4:] 2280 nonceLen := int(data[0]) 2281 data = data[1:] 2282 if len(data) < nonceLen { 2283 return false 2284 } 2285 m.ticketNonce = data[:nonceLen] 2286 data = data[nonceLen:] 2287 } 2288 2289 if len(data) < 2 { 2290 return false 2291 } 2292 ticketLen := int(data[0])<<8 + int(data[1]) 2293 data = data[2:] 2294 if len(data) < ticketLen { 2295 return false 2296 } 2297 2298 if version >= VersionTLS13 && ticketLen == 0 { 2299 return false 2300 } 2301 2302 m.ticket = data[:ticketLen] 2303 data = data[ticketLen:] 2304 2305 if version >= VersionTLS13 { 2306 if len(data) < 2 { 2307 return false 2308 } 2309 2310 extensionsLength := int(data[0])<<8 | int(data[1]) 2311 data = data[2:] 2312 if extensionsLength != len(data) { 2313 return false 2314 } 2315 2316 for len(data) != 0 { 2317 if len(data) < 4 { 2318 return false 2319 } 2320 extension := uint16(data[0])<<8 | uint16(data[1]) 2321 length := int(data[2])<<8 | int(data[3]) 2322 data = data[4:] 2323 if len(data) < length { 2324 return false 2325 } 2326 2327 switch extension { 2328 case extensionEarlyData: 2329 if length != 4 { 2330 return false 2331 } 2332 m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2333 default: 2334 if isGREASEValue(extension) { 2335 m.hasGREASEExtension = true 2336 } 2337 } 2338 2339 data = data[length:] 2340 } 2341 } 2342 2343 if len(data) > 0 { 2344 return false 2345 } 2346 2347 return true 2348} 2349 2350type v2ClientHelloMsg struct { 2351 raw []byte 2352 vers uint16 2353 cipherSuites []uint16 2354 sessionId []byte 2355 challenge []byte 2356} 2357 2358func (m *v2ClientHelloMsg) marshal() []byte { 2359 if m.raw != nil { 2360 return m.raw 2361 } 2362 2363 length := 1 + 2 + 2 + 2 + 2 + len(m.cipherSuites)*3 + len(m.sessionId) + len(m.challenge) 2364 2365 x := make([]byte, length) 2366 x[0] = 1 2367 x[1] = uint8(m.vers >> 8) 2368 x[2] = uint8(m.vers) 2369 x[3] = uint8((len(m.cipherSuites) * 3) >> 8) 2370 x[4] = uint8(len(m.cipherSuites) * 3) 2371 x[5] = uint8(len(m.sessionId) >> 8) 2372 x[6] = uint8(len(m.sessionId)) 2373 x[7] = uint8(len(m.challenge) >> 8) 2374 x[8] = uint8(len(m.challenge)) 2375 y := x[9:] 2376 for i, spec := range m.cipherSuites { 2377 y[i*3] = 0 2378 y[i*3+1] = uint8(spec >> 8) 2379 y[i*3+2] = uint8(spec) 2380 } 2381 y = y[len(m.cipherSuites)*3:] 2382 copy(y, m.sessionId) 2383 y = y[len(m.sessionId):] 2384 copy(y, m.challenge) 2385 2386 m.raw = x 2387 2388 return x 2389} 2390 2391type helloVerifyRequestMsg struct { 2392 raw []byte 2393 vers uint16 2394 cookie []byte 2395} 2396 2397func (m *helloVerifyRequestMsg) marshal() []byte { 2398 if m.raw != nil { 2399 return m.raw 2400 } 2401 2402 length := 2 + 1 + len(m.cookie) 2403 2404 x := make([]byte, 4+length) 2405 x[0] = typeHelloVerifyRequest 2406 x[1] = uint8(length >> 16) 2407 x[2] = uint8(length >> 8) 2408 x[3] = uint8(length) 2409 vers := m.vers 2410 x[4] = uint8(vers >> 8) 2411 x[5] = uint8(vers) 2412 x[6] = uint8(len(m.cookie)) 2413 copy(x[7:7+len(m.cookie)], m.cookie) 2414 2415 return x 2416} 2417 2418func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool { 2419 if len(data) < 4+2+1 { 2420 return false 2421 } 2422 m.raw = data 2423 m.vers = uint16(data[4])<<8 | uint16(data[5]) 2424 cookieLen := int(data[6]) 2425 if cookieLen > 32 || len(data) != 7+cookieLen { 2426 return false 2427 } 2428 m.cookie = data[7 : 7+cookieLen] 2429 2430 return true 2431} 2432 2433type channelIDMsg struct { 2434 raw []byte 2435 channelID []byte 2436} 2437 2438func (m *channelIDMsg) marshal() []byte { 2439 if m.raw != nil { 2440 return m.raw 2441 } 2442 2443 length := 2 + 2 + len(m.channelID) 2444 2445 x := make([]byte, 4+length) 2446 x[0] = typeChannelID 2447 x[1] = uint8(length >> 16) 2448 x[2] = uint8(length >> 8) 2449 x[3] = uint8(length) 2450 x[4] = uint8(extensionChannelID >> 8) 2451 x[5] = uint8(extensionChannelID & 0xff) 2452 x[6] = uint8(len(m.channelID) >> 8) 2453 x[7] = uint8(len(m.channelID) & 0xff) 2454 copy(x[8:], m.channelID) 2455 2456 return x 2457} 2458 2459func (m *channelIDMsg) unmarshal(data []byte) bool { 2460 if len(data) != 4+2+2+128 { 2461 return false 2462 } 2463 m.raw = data 2464 if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID { 2465 return false 2466 } 2467 if int(data[6])<<8|int(data[7]) != 128 { 2468 return false 2469 } 2470 m.channelID = data[4+2+2:] 2471 2472 return true 2473} 2474 2475type helloRequestMsg struct { 2476} 2477 2478func (*helloRequestMsg) marshal() []byte { 2479 return []byte{typeHelloRequest, 0, 0, 0} 2480} 2481 2482func (*helloRequestMsg) unmarshal(data []byte) bool { 2483 return len(data) == 4 2484} 2485 2486type keyUpdateMsg struct { 2487 raw []byte 2488 keyUpdateRequest byte 2489} 2490 2491func (m *keyUpdateMsg) marshal() []byte { 2492 if m.raw != nil { 2493 return m.raw 2494 } 2495 2496 return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest} 2497} 2498 2499func (m *keyUpdateMsg) unmarshal(data []byte) bool { 2500 m.raw = data 2501 2502 if len(data) != 5 { 2503 return false 2504 } 2505 2506 length := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 2507 if len(data)-4 != length { 2508 return false 2509 } 2510 2511 m.keyUpdateRequest = data[4] 2512 return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested 2513} 2514 2515type endOfEarlyDataMsg struct { 2516 nonEmpty bool 2517} 2518 2519func (m *endOfEarlyDataMsg) marshal() []byte { 2520 if m.nonEmpty { 2521 return []byte{typeEndOfEarlyData, 0, 0, 1, 42} 2522 } 2523 return []byte{typeEndOfEarlyData, 0, 0, 0} 2524} 2525 2526func (*endOfEarlyDataMsg) unmarshal(data []byte) bool { 2527 return len(data) == 4 2528} 2529 2530// ssl3NoCertificateMsg is a dummy message to handle SSL 3.0 using a warning 2531// alert in the handshake. 2532type ssl3NoCertificateMsg struct{} 2533 2534func eqUint16s(x, y []uint16) bool { 2535 if len(x) != len(y) { 2536 return false 2537 } 2538 for i, v := range x { 2539 if y[i] != v { 2540 return false 2541 } 2542 } 2543 return true 2544} 2545 2546func eqCurveIDs(x, y []CurveID) bool { 2547 if len(x) != len(y) { 2548 return false 2549 } 2550 for i, v := range x { 2551 if y[i] != v { 2552 return false 2553 } 2554 } 2555 return true 2556} 2557 2558func eqStrings(x, y []string) bool { 2559 if len(x) != len(y) { 2560 return false 2561 } 2562 for i, v := range x { 2563 if y[i] != v { 2564 return false 2565 } 2566 } 2567 return true 2568} 2569 2570func eqByteSlices(x, y [][]byte) bool { 2571 if len(x) != len(y) { 2572 return false 2573 } 2574 for i, v := range x { 2575 if !bytes.Equal(v, y[i]) { 2576 return false 2577 } 2578 } 2579 return true 2580} 2581 2582func eqSignatureAlgorithms(x, y []signatureAlgorithm) bool { 2583 if len(x) != len(y) { 2584 return false 2585 } 2586 for i, v := range x { 2587 v2 := y[i] 2588 if v != v2 { 2589 return false 2590 } 2591 } 2592 return true 2593} 2594 2595func eqKeyShareEntryLists(x, y []keyShareEntry) bool { 2596 if len(x) != len(y) { 2597 return false 2598 } 2599 for i, v := range x { 2600 if y[i].group != v.group || !bytes.Equal(y[i].keyExchange, v.keyExchange) { 2601 return false 2602 } 2603 } 2604 return true 2605 2606} 2607 2608func eqPSKIdentityLists(x, y []pskIdentity) bool { 2609 if len(x) != len(y) { 2610 return false 2611 } 2612 for i, v := range x { 2613 if !bytes.Equal(y[i].ticket, v.ticket) || y[i].obfuscatedTicketAge != v.obfuscatedTicketAge { 2614 return false 2615 } 2616 } 2617 return true 2618 2619} 2620