Source file src/crypto/tls/handshake_messages.go

Documentation: crypto/tls

		 1  // Copyright 2009 The Go Authors. All rights reserved.
		 2  // Use of this source code is governed by a BSD-style
		 3  // license that can be found in the LICENSE file.
		 4  
		 5  package tls
		 6  
		 7  import (
		 8  	"fmt"
		 9  	"strings"
		10  
		11  	"golang.org/x/crypto/cryptobyte"
		12  )
		13  
		14  // The marshalingFunction type is an adapter to allow the use of ordinary
		15  // functions as cryptobyte.MarshalingValue.
		16  type marshalingFunction func(b *cryptobyte.Builder) error
		17  
		18  func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
		19  	return f(b)
		20  }
		21  
		22  // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
		23  // the length of the sequence is not the value specified, it produces an error.
		24  func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
		25  	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
		26  		if len(v) != n {
		27  			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
		28  		}
		29  		b.AddBytes(v)
		30  		return nil
		31  	}))
		32  }
		33  
		34  // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
		35  func addUint64(b *cryptobyte.Builder, v uint64) {
		36  	b.AddUint32(uint32(v >> 32))
		37  	b.AddUint32(uint32(v))
		38  }
		39  
		40  // readUint64 decodes a big-endian, 64-bit value into out and advances over it.
		41  // It reports whether the read was successful.
		42  func readUint64(s *cryptobyte.String, out *uint64) bool {
		43  	var hi, lo uint32
		44  	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
		45  		return false
		46  	}
		47  	*out = uint64(hi)<<32 | uint64(lo)
		48  	return true
		49  }
		50  
		51  // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
		52  // []byte instead of a cryptobyte.String.
		53  func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
		54  	return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
		55  }
		56  
		57  // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
		58  // []byte instead of a cryptobyte.String.
		59  func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
		60  	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
		61  }
		62  
		63  // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
		64  // []byte instead of a cryptobyte.String.
		65  func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
		66  	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
		67  }
		68  
		69  type clientHelloMsg struct {
		70  	raw															[]byte
		71  	vers														 uint16
		72  	random													 []byte
		73  	sessionId												[]byte
		74  	cipherSuites										 []uint16
		75  	compressionMethods							 []uint8
		76  	serverName											 string
		77  	ocspStapling										 bool
		78  	supportedCurves									[]CurveID
		79  	supportedPoints									[]uint8
		80  	ticketSupported									bool
		81  	sessionTicket										[]uint8
		82  	supportedSignatureAlgorithms		 []SignatureScheme
		83  	supportedSignatureAlgorithmsCert []SignatureScheme
		84  	secureRenegotiationSupported		 bool
		85  	secureRenegotiation							[]byte
		86  	alpnProtocols										[]string
		87  	scts														 bool
		88  	supportedVersions								[]uint16
		89  	cookie													 []byte
		90  	keyShares												[]keyShare
		91  	earlyData												bool
		92  	pskModes												 []uint8
		93  	pskIdentities										[]pskIdentity
		94  	pskBinders											 [][]byte
		95  }
		96  
		97  func (m *clientHelloMsg) marshal() []byte {
		98  	if m.raw != nil {
		99  		return m.raw
	 100  	}
	 101  
	 102  	var b cryptobyte.Builder
	 103  	b.AddUint8(typeClientHello)
	 104  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	 105  		b.AddUint16(m.vers)
	 106  		addBytesWithLength(b, m.random, 32)
	 107  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 108  			b.AddBytes(m.sessionId)
	 109  		})
	 110  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 111  			for _, suite := range m.cipherSuites {
	 112  				b.AddUint16(suite)
	 113  			}
	 114  		})
	 115  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 116  			b.AddBytes(m.compressionMethods)
	 117  		})
	 118  
	 119  		// If extensions aren't present, omit them.
	 120  		var extensionsPresent bool
	 121  		bWithoutExtensions := *b
	 122  
	 123  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 124  			if len(m.serverName) > 0 {
	 125  				// RFC 6066, Section 3
	 126  				b.AddUint16(extensionServerName)
	 127  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 128  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 129  						b.AddUint8(0) // name_type = host_name
	 130  						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 131  							b.AddBytes([]byte(m.serverName))
	 132  						})
	 133  					})
	 134  				})
	 135  			}
	 136  			if m.ocspStapling {
	 137  				// RFC 4366, Section 3.6
	 138  				b.AddUint16(extensionStatusRequest)
	 139  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 140  					b.AddUint8(1)	// status_type = ocsp
	 141  					b.AddUint16(0) // empty responder_id_list
	 142  					b.AddUint16(0) // empty request_extensions
	 143  				})
	 144  			}
	 145  			if len(m.supportedCurves) > 0 {
	 146  				// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
	 147  				b.AddUint16(extensionSupportedCurves)
	 148  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 149  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 150  						for _, curve := range m.supportedCurves {
	 151  							b.AddUint16(uint16(curve))
	 152  						}
	 153  					})
	 154  				})
	 155  			}
	 156  			if len(m.supportedPoints) > 0 {
	 157  				// RFC 4492, Section 5.1.2
	 158  				b.AddUint16(extensionSupportedPoints)
	 159  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 160  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 161  						b.AddBytes(m.supportedPoints)
	 162  					})
	 163  				})
	 164  			}
	 165  			if m.ticketSupported {
	 166  				// RFC 5077, Section 3.2
	 167  				b.AddUint16(extensionSessionTicket)
	 168  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 169  					b.AddBytes(m.sessionTicket)
	 170  				})
	 171  			}
	 172  			if len(m.supportedSignatureAlgorithms) > 0 {
	 173  				// RFC 5246, Section 7.4.1.4.1
	 174  				b.AddUint16(extensionSignatureAlgorithms)
	 175  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 176  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 177  						for _, sigAlgo := range m.supportedSignatureAlgorithms {
	 178  							b.AddUint16(uint16(sigAlgo))
	 179  						}
	 180  					})
	 181  				})
	 182  			}
	 183  			if len(m.supportedSignatureAlgorithmsCert) > 0 {
	 184  				// RFC 8446, Section 4.2.3
	 185  				b.AddUint16(extensionSignatureAlgorithmsCert)
	 186  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 187  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 188  						for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
	 189  							b.AddUint16(uint16(sigAlgo))
	 190  						}
	 191  					})
	 192  				})
	 193  			}
	 194  			if m.secureRenegotiationSupported {
	 195  				// RFC 5746, Section 3.2
	 196  				b.AddUint16(extensionRenegotiationInfo)
	 197  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 198  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 199  						b.AddBytes(m.secureRenegotiation)
	 200  					})
	 201  				})
	 202  			}
	 203  			if len(m.alpnProtocols) > 0 {
	 204  				// RFC 7301, Section 3.1
	 205  				b.AddUint16(extensionALPN)
	 206  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 207  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 208  						for _, proto := range m.alpnProtocols {
	 209  							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 210  								b.AddBytes([]byte(proto))
	 211  							})
	 212  						}
	 213  					})
	 214  				})
	 215  			}
	 216  			if m.scts {
	 217  				// RFC 6962, Section 3.3.1
	 218  				b.AddUint16(extensionSCT)
	 219  				b.AddUint16(0) // empty extension_data
	 220  			}
	 221  			if len(m.supportedVersions) > 0 {
	 222  				// RFC 8446, Section 4.2.1
	 223  				b.AddUint16(extensionSupportedVersions)
	 224  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 225  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 226  						for _, vers := range m.supportedVersions {
	 227  							b.AddUint16(vers)
	 228  						}
	 229  					})
	 230  				})
	 231  			}
	 232  			if len(m.cookie) > 0 {
	 233  				// RFC 8446, Section 4.2.2
	 234  				b.AddUint16(extensionCookie)
	 235  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 236  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 237  						b.AddBytes(m.cookie)
	 238  					})
	 239  				})
	 240  			}
	 241  			if len(m.keyShares) > 0 {
	 242  				// RFC 8446, Section 4.2.8
	 243  				b.AddUint16(extensionKeyShare)
	 244  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 245  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 246  						for _, ks := range m.keyShares {
	 247  							b.AddUint16(uint16(ks.group))
	 248  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 249  								b.AddBytes(ks.data)
	 250  							})
	 251  						}
	 252  					})
	 253  				})
	 254  			}
	 255  			if m.earlyData {
	 256  				// RFC 8446, Section 4.2.10
	 257  				b.AddUint16(extensionEarlyData)
	 258  				b.AddUint16(0) // empty extension_data
	 259  			}
	 260  			if len(m.pskModes) > 0 {
	 261  				// RFC 8446, Section 4.2.9
	 262  				b.AddUint16(extensionPSKModes)
	 263  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 264  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 265  						b.AddBytes(m.pskModes)
	 266  					})
	 267  				})
	 268  			}
	 269  			if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension
	 270  				// RFC 8446, Section 4.2.11
	 271  				b.AddUint16(extensionPreSharedKey)
	 272  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 273  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 274  						for _, psk := range m.pskIdentities {
	 275  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 276  								b.AddBytes(psk.label)
	 277  							})
	 278  							b.AddUint32(psk.obfuscatedTicketAge)
	 279  						}
	 280  					})
	 281  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 282  						for _, binder := range m.pskBinders {
	 283  							b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 284  								b.AddBytes(binder)
	 285  							})
	 286  						}
	 287  					})
	 288  				})
	 289  			}
	 290  
	 291  			extensionsPresent = len(b.BytesOrPanic()) > 2
	 292  		})
	 293  
	 294  		if !extensionsPresent {
	 295  			*b = bWithoutExtensions
	 296  		}
	 297  	})
	 298  
	 299  	m.raw = b.BytesOrPanic()
	 300  	return m.raw
	 301  }
	 302  
	 303  // marshalWithoutBinders returns the ClientHello through the
	 304  // PreSharedKeyExtension.identities field, according to RFC 8446, Section
	 305  // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.
	 306  func (m *clientHelloMsg) marshalWithoutBinders() []byte {
	 307  	bindersLen := 2 // uint16 length prefix
	 308  	for _, binder := range m.pskBinders {
	 309  		bindersLen += 1 // uint8 length prefix
	 310  		bindersLen += len(binder)
	 311  	}
	 312  
	 313  	fullMessage := m.marshal()
	 314  	return fullMessage[:len(fullMessage)-bindersLen]
	 315  }
	 316  
	 317  // updateBinders updates the m.pskBinders field, if necessary updating the
	 318  // cached marshaled representation. The supplied binders must have the same
	 319  // length as the current m.pskBinders.
	 320  func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) {
	 321  	if len(pskBinders) != len(m.pskBinders) {
	 322  		panic("tls: internal error: pskBinders length mismatch")
	 323  	}
	 324  	for i := range m.pskBinders {
	 325  		if len(pskBinders[i]) != len(m.pskBinders[i]) {
	 326  			panic("tls: internal error: pskBinders length mismatch")
	 327  		}
	 328  	}
	 329  	m.pskBinders = pskBinders
	 330  	if m.raw != nil {
	 331  		lenWithoutBinders := len(m.marshalWithoutBinders())
	 332  		// TODO(filippo): replace with NewFixedBuilder once CL 148882 is imported.
	 333  		b := cryptobyte.NewBuilder(m.raw[:lenWithoutBinders])
	 334  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 335  			for _, binder := range m.pskBinders {
	 336  				b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 337  					b.AddBytes(binder)
	 338  				})
	 339  			}
	 340  		})
	 341  		if len(b.BytesOrPanic()) != len(m.raw) {
	 342  			panic("tls: internal error: failed to update binders")
	 343  		}
	 344  	}
	 345  }
	 346  
	 347  func (m *clientHelloMsg) unmarshal(data []byte) bool {
	 348  	*m = clientHelloMsg{raw: data}
	 349  	s := cryptobyte.String(data)
	 350  
	 351  	if !s.Skip(4) || // message type and uint24 length field
	 352  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
	 353  		!readUint8LengthPrefixed(&s, &m.sessionId) {
	 354  		return false
	 355  	}
	 356  
	 357  	var cipherSuites cryptobyte.String
	 358  	if !s.ReadUint16LengthPrefixed(&cipherSuites) {
	 359  		return false
	 360  	}
	 361  	m.cipherSuites = []uint16{}
	 362  	m.secureRenegotiationSupported = false
	 363  	for !cipherSuites.Empty() {
	 364  		var suite uint16
	 365  		if !cipherSuites.ReadUint16(&suite) {
	 366  			return false
	 367  		}
	 368  		if suite == scsvRenegotiation {
	 369  			m.secureRenegotiationSupported = true
	 370  		}
	 371  		m.cipherSuites = append(m.cipherSuites, suite)
	 372  	}
	 373  
	 374  	if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
	 375  		return false
	 376  	}
	 377  
	 378  	if s.Empty() {
	 379  		// ClientHello is optionally followed by extension data
	 380  		return true
	 381  	}
	 382  
	 383  	var extensions cryptobyte.String
	 384  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
	 385  		return false
	 386  	}
	 387  
	 388  	for !extensions.Empty() {
	 389  		var extension uint16
	 390  		var extData cryptobyte.String
	 391  		if !extensions.ReadUint16(&extension) ||
	 392  			!extensions.ReadUint16LengthPrefixed(&extData) {
	 393  			return false
	 394  		}
	 395  
	 396  		switch extension {
	 397  		case extensionServerName:
	 398  			// RFC 6066, Section 3
	 399  			var nameList cryptobyte.String
	 400  			if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
	 401  				return false
	 402  			}
	 403  			for !nameList.Empty() {
	 404  				var nameType uint8
	 405  				var serverName cryptobyte.String
	 406  				if !nameList.ReadUint8(&nameType) ||
	 407  					!nameList.ReadUint16LengthPrefixed(&serverName) ||
	 408  					serverName.Empty() {
	 409  					return false
	 410  				}
	 411  				if nameType != 0 {
	 412  					continue
	 413  				}
	 414  				if len(m.serverName) != 0 {
	 415  					// Multiple names of the same name_type are prohibited.
	 416  					return false
	 417  				}
	 418  				m.serverName = string(serverName)
	 419  				// An SNI value may not include a trailing dot.
	 420  				if strings.HasSuffix(m.serverName, ".") {
	 421  					return false
	 422  				}
	 423  			}
	 424  		case extensionStatusRequest:
	 425  			// RFC 4366, Section 3.6
	 426  			var statusType uint8
	 427  			var ignored cryptobyte.String
	 428  			if !extData.ReadUint8(&statusType) ||
	 429  				!extData.ReadUint16LengthPrefixed(&ignored) ||
	 430  				!extData.ReadUint16LengthPrefixed(&ignored) {
	 431  				return false
	 432  			}
	 433  			m.ocspStapling = statusType == statusTypeOCSP
	 434  		case extensionSupportedCurves:
	 435  			// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
	 436  			var curves cryptobyte.String
	 437  			if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
	 438  				return false
	 439  			}
	 440  			for !curves.Empty() {
	 441  				var curve uint16
	 442  				if !curves.ReadUint16(&curve) {
	 443  					return false
	 444  				}
	 445  				m.supportedCurves = append(m.supportedCurves, CurveID(curve))
	 446  			}
	 447  		case extensionSupportedPoints:
	 448  			// RFC 4492, Section 5.1.2
	 449  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
	 450  				len(m.supportedPoints) == 0 {
	 451  				return false
	 452  			}
	 453  		case extensionSessionTicket:
	 454  			// RFC 5077, Section 3.2
	 455  			m.ticketSupported = true
	 456  			extData.ReadBytes(&m.sessionTicket, len(extData))
	 457  		case extensionSignatureAlgorithms:
	 458  			// RFC 5246, Section 7.4.1.4.1
	 459  			var sigAndAlgs cryptobyte.String
	 460  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
	 461  				return false
	 462  			}
	 463  			for !sigAndAlgs.Empty() {
	 464  				var sigAndAlg uint16
	 465  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
	 466  					return false
	 467  				}
	 468  				m.supportedSignatureAlgorithms = append(
	 469  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
	 470  			}
	 471  		case extensionSignatureAlgorithmsCert:
	 472  			// RFC 8446, Section 4.2.3
	 473  			var sigAndAlgs cryptobyte.String
	 474  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
	 475  				return false
	 476  			}
	 477  			for !sigAndAlgs.Empty() {
	 478  				var sigAndAlg uint16
	 479  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
	 480  					return false
	 481  				}
	 482  				m.supportedSignatureAlgorithmsCert = append(
	 483  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
	 484  			}
	 485  		case extensionRenegotiationInfo:
	 486  			// RFC 5746, Section 3.2
	 487  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
	 488  				return false
	 489  			}
	 490  			m.secureRenegotiationSupported = true
	 491  		case extensionALPN:
	 492  			// RFC 7301, Section 3.1
	 493  			var protoList cryptobyte.String
	 494  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
	 495  				return false
	 496  			}
	 497  			for !protoList.Empty() {
	 498  				var proto cryptobyte.String
	 499  				if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
	 500  					return false
	 501  				}
	 502  				m.alpnProtocols = append(m.alpnProtocols, string(proto))
	 503  			}
	 504  		case extensionSCT:
	 505  			// RFC 6962, Section 3.3.1
	 506  			m.scts = true
	 507  		case extensionSupportedVersions:
	 508  			// RFC 8446, Section 4.2.1
	 509  			var versList cryptobyte.String
	 510  			if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
	 511  				return false
	 512  			}
	 513  			for !versList.Empty() {
	 514  				var vers uint16
	 515  				if !versList.ReadUint16(&vers) {
	 516  					return false
	 517  				}
	 518  				m.supportedVersions = append(m.supportedVersions, vers)
	 519  			}
	 520  		case extensionCookie:
	 521  			// RFC 8446, Section 4.2.2
	 522  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
	 523  				len(m.cookie) == 0 {
	 524  				return false
	 525  			}
	 526  		case extensionKeyShare:
	 527  			// RFC 8446, Section 4.2.8
	 528  			var clientShares cryptobyte.String
	 529  			if !extData.ReadUint16LengthPrefixed(&clientShares) {
	 530  				return false
	 531  			}
	 532  			for !clientShares.Empty() {
	 533  				var ks keyShare
	 534  				if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
	 535  					!readUint16LengthPrefixed(&clientShares, &ks.data) ||
	 536  					len(ks.data) == 0 {
	 537  					return false
	 538  				}
	 539  				m.keyShares = append(m.keyShares, ks)
	 540  			}
	 541  		case extensionEarlyData:
	 542  			// RFC 8446, Section 4.2.10
	 543  			m.earlyData = true
	 544  		case extensionPSKModes:
	 545  			// RFC 8446, Section 4.2.9
	 546  			if !readUint8LengthPrefixed(&extData, &m.pskModes) {
	 547  				return false
	 548  			}
	 549  		case extensionPreSharedKey:
	 550  			// RFC 8446, Section 4.2.11
	 551  			if !extensions.Empty() {
	 552  				return false // pre_shared_key must be the last extension
	 553  			}
	 554  			var identities cryptobyte.String
	 555  			if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
	 556  				return false
	 557  			}
	 558  			for !identities.Empty() {
	 559  				var psk pskIdentity
	 560  				if !readUint16LengthPrefixed(&identities, &psk.label) ||
	 561  					!identities.ReadUint32(&psk.obfuscatedTicketAge) ||
	 562  					len(psk.label) == 0 {
	 563  					return false
	 564  				}
	 565  				m.pskIdentities = append(m.pskIdentities, psk)
	 566  			}
	 567  			var binders cryptobyte.String
	 568  			if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
	 569  				return false
	 570  			}
	 571  			for !binders.Empty() {
	 572  				var binder []byte
	 573  				if !readUint8LengthPrefixed(&binders, &binder) ||
	 574  					len(binder) == 0 {
	 575  					return false
	 576  				}
	 577  				m.pskBinders = append(m.pskBinders, binder)
	 578  			}
	 579  		default:
	 580  			// Ignore unknown extensions.
	 581  			continue
	 582  		}
	 583  
	 584  		if !extData.Empty() {
	 585  			return false
	 586  		}
	 587  	}
	 588  
	 589  	return true
	 590  }
	 591  
	 592  type serverHelloMsg struct {
	 593  	raw													[]byte
	 594  	vers												 uint16
	 595  	random											 []byte
	 596  	sessionId										[]byte
	 597  	cipherSuite									uint16
	 598  	compressionMethod						uint8
	 599  	ocspStapling								 bool
	 600  	ticketSupported							bool
	 601  	secureRenegotiationSupported bool
	 602  	secureRenegotiation					[]byte
	 603  	alpnProtocol								 string
	 604  	scts												 [][]byte
	 605  	supportedVersion						 uint16
	 606  	serverShare									keyShare
	 607  	selectedIdentityPresent			bool
	 608  	selectedIdentity						 uint16
	 609  	supportedPoints							[]uint8
	 610  
	 611  	// HelloRetryRequest extensions
	 612  	cookie				[]byte
	 613  	selectedGroup CurveID
	 614  }
	 615  
	 616  func (m *serverHelloMsg) marshal() []byte {
	 617  	if m.raw != nil {
	 618  		return m.raw
	 619  	}
	 620  
	 621  	var b cryptobyte.Builder
	 622  	b.AddUint8(typeServerHello)
	 623  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	 624  		b.AddUint16(m.vers)
	 625  		addBytesWithLength(b, m.random, 32)
	 626  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 627  			b.AddBytes(m.sessionId)
	 628  		})
	 629  		b.AddUint16(m.cipherSuite)
	 630  		b.AddUint8(m.compressionMethod)
	 631  
	 632  		// If extensions aren't present, omit them.
	 633  		var extensionsPresent bool
	 634  		bWithoutExtensions := *b
	 635  
	 636  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 637  			if m.ocspStapling {
	 638  				b.AddUint16(extensionStatusRequest)
	 639  				b.AddUint16(0) // empty extension_data
	 640  			}
	 641  			if m.ticketSupported {
	 642  				b.AddUint16(extensionSessionTicket)
	 643  				b.AddUint16(0) // empty extension_data
	 644  			}
	 645  			if m.secureRenegotiationSupported {
	 646  				b.AddUint16(extensionRenegotiationInfo)
	 647  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 648  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 649  						b.AddBytes(m.secureRenegotiation)
	 650  					})
	 651  				})
	 652  			}
	 653  			if len(m.alpnProtocol) > 0 {
	 654  				b.AddUint16(extensionALPN)
	 655  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 656  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 657  						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 658  							b.AddBytes([]byte(m.alpnProtocol))
	 659  						})
	 660  					})
	 661  				})
	 662  			}
	 663  			if len(m.scts) > 0 {
	 664  				b.AddUint16(extensionSCT)
	 665  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 666  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 667  						for _, sct := range m.scts {
	 668  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 669  								b.AddBytes(sct)
	 670  							})
	 671  						}
	 672  					})
	 673  				})
	 674  			}
	 675  			if m.supportedVersion != 0 {
	 676  				b.AddUint16(extensionSupportedVersions)
	 677  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 678  					b.AddUint16(m.supportedVersion)
	 679  				})
	 680  			}
	 681  			if m.serverShare.group != 0 {
	 682  				b.AddUint16(extensionKeyShare)
	 683  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 684  					b.AddUint16(uint16(m.serverShare.group))
	 685  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 686  						b.AddBytes(m.serverShare.data)
	 687  					})
	 688  				})
	 689  			}
	 690  			if m.selectedIdentityPresent {
	 691  				b.AddUint16(extensionPreSharedKey)
	 692  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 693  					b.AddUint16(m.selectedIdentity)
	 694  				})
	 695  			}
	 696  
	 697  			if len(m.cookie) > 0 {
	 698  				b.AddUint16(extensionCookie)
	 699  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 700  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 701  						b.AddBytes(m.cookie)
	 702  					})
	 703  				})
	 704  			}
	 705  			if m.selectedGroup != 0 {
	 706  				b.AddUint16(extensionKeyShare)
	 707  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 708  					b.AddUint16(uint16(m.selectedGroup))
	 709  				})
	 710  			}
	 711  			if len(m.supportedPoints) > 0 {
	 712  				b.AddUint16(extensionSupportedPoints)
	 713  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 714  					b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 715  						b.AddBytes(m.supportedPoints)
	 716  					})
	 717  				})
	 718  			}
	 719  
	 720  			extensionsPresent = len(b.BytesOrPanic()) > 2
	 721  		})
	 722  
	 723  		if !extensionsPresent {
	 724  			*b = bWithoutExtensions
	 725  		}
	 726  	})
	 727  
	 728  	m.raw = b.BytesOrPanic()
	 729  	return m.raw
	 730  }
	 731  
	 732  func (m *serverHelloMsg) unmarshal(data []byte) bool {
	 733  	*m = serverHelloMsg{raw: data}
	 734  	s := cryptobyte.String(data)
	 735  
	 736  	if !s.Skip(4) || // message type and uint24 length field
	 737  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
	 738  		!readUint8LengthPrefixed(&s, &m.sessionId) ||
	 739  		!s.ReadUint16(&m.cipherSuite) ||
	 740  		!s.ReadUint8(&m.compressionMethod) {
	 741  		return false
	 742  	}
	 743  
	 744  	if s.Empty() {
	 745  		// ServerHello is optionally followed by extension data
	 746  		return true
	 747  	}
	 748  
	 749  	var extensions cryptobyte.String
	 750  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
	 751  		return false
	 752  	}
	 753  
	 754  	for !extensions.Empty() {
	 755  		var extension uint16
	 756  		var extData cryptobyte.String
	 757  		if !extensions.ReadUint16(&extension) ||
	 758  			!extensions.ReadUint16LengthPrefixed(&extData) {
	 759  			return false
	 760  		}
	 761  
	 762  		switch extension {
	 763  		case extensionStatusRequest:
	 764  			m.ocspStapling = true
	 765  		case extensionSessionTicket:
	 766  			m.ticketSupported = true
	 767  		case extensionRenegotiationInfo:
	 768  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
	 769  				return false
	 770  			}
	 771  			m.secureRenegotiationSupported = true
	 772  		case extensionALPN:
	 773  			var protoList cryptobyte.String
	 774  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
	 775  				return false
	 776  			}
	 777  			var proto cryptobyte.String
	 778  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
	 779  				proto.Empty() || !protoList.Empty() {
	 780  				return false
	 781  			}
	 782  			m.alpnProtocol = string(proto)
	 783  		case extensionSCT:
	 784  			var sctList cryptobyte.String
	 785  			if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
	 786  				return false
	 787  			}
	 788  			for !sctList.Empty() {
	 789  				var sct []byte
	 790  				if !readUint16LengthPrefixed(&sctList, &sct) ||
	 791  					len(sct) == 0 {
	 792  					return false
	 793  				}
	 794  				m.scts = append(m.scts, sct)
	 795  			}
	 796  		case extensionSupportedVersions:
	 797  			if !extData.ReadUint16(&m.supportedVersion) {
	 798  				return false
	 799  			}
	 800  		case extensionCookie:
	 801  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
	 802  				len(m.cookie) == 0 {
	 803  				return false
	 804  			}
	 805  		case extensionKeyShare:
	 806  			// This extension has different formats in SH and HRR, accept either
	 807  			// and let the handshake logic decide. See RFC 8446, Section 4.2.8.
	 808  			if len(extData) == 2 {
	 809  				if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
	 810  					return false
	 811  				}
	 812  			} else {
	 813  				if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
	 814  					!readUint16LengthPrefixed(&extData, &m.serverShare.data) {
	 815  					return false
	 816  				}
	 817  			}
	 818  		case extensionPreSharedKey:
	 819  			m.selectedIdentityPresent = true
	 820  			if !extData.ReadUint16(&m.selectedIdentity) {
	 821  				return false
	 822  			}
	 823  		case extensionSupportedPoints:
	 824  			// RFC 4492, Section 5.1.2
	 825  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
	 826  				len(m.supportedPoints) == 0 {
	 827  				return false
	 828  			}
	 829  		default:
	 830  			// Ignore unknown extensions.
	 831  			continue
	 832  		}
	 833  
	 834  		if !extData.Empty() {
	 835  			return false
	 836  		}
	 837  	}
	 838  
	 839  	return true
	 840  }
	 841  
	 842  type encryptedExtensionsMsg struct {
	 843  	raw					[]byte
	 844  	alpnProtocol string
	 845  }
	 846  
	 847  func (m *encryptedExtensionsMsg) marshal() []byte {
	 848  	if m.raw != nil {
	 849  		return m.raw
	 850  	}
	 851  
	 852  	var b cryptobyte.Builder
	 853  	b.AddUint8(typeEncryptedExtensions)
	 854  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	 855  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 856  			if len(m.alpnProtocol) > 0 {
	 857  				b.AddUint16(extensionALPN)
	 858  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 859  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 860  						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 861  							b.AddBytes([]byte(m.alpnProtocol))
	 862  						})
	 863  					})
	 864  				})
	 865  			}
	 866  		})
	 867  	})
	 868  
	 869  	m.raw = b.BytesOrPanic()
	 870  	return m.raw
	 871  }
	 872  
	 873  func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
	 874  	*m = encryptedExtensionsMsg{raw: data}
	 875  	s := cryptobyte.String(data)
	 876  
	 877  	var extensions cryptobyte.String
	 878  	if !s.Skip(4) || // message type and uint24 length field
	 879  		!s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
	 880  		return false
	 881  	}
	 882  
	 883  	for !extensions.Empty() {
	 884  		var extension uint16
	 885  		var extData cryptobyte.String
	 886  		if !extensions.ReadUint16(&extension) ||
	 887  			!extensions.ReadUint16LengthPrefixed(&extData) {
	 888  			return false
	 889  		}
	 890  
	 891  		switch extension {
	 892  		case extensionALPN:
	 893  			var protoList cryptobyte.String
	 894  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
	 895  				return false
	 896  			}
	 897  			var proto cryptobyte.String
	 898  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
	 899  				proto.Empty() || !protoList.Empty() {
	 900  				return false
	 901  			}
	 902  			m.alpnProtocol = string(proto)
	 903  		default:
	 904  			// Ignore unknown extensions.
	 905  			continue
	 906  		}
	 907  
	 908  		if !extData.Empty() {
	 909  			return false
	 910  		}
	 911  	}
	 912  
	 913  	return true
	 914  }
	 915  
	 916  type endOfEarlyDataMsg struct{}
	 917  
	 918  func (m *endOfEarlyDataMsg) marshal() []byte {
	 919  	x := make([]byte, 4)
	 920  	x[0] = typeEndOfEarlyData
	 921  	return x
	 922  }
	 923  
	 924  func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
	 925  	return len(data) == 4
	 926  }
	 927  
	 928  type keyUpdateMsg struct {
	 929  	raw						 []byte
	 930  	updateRequested bool
	 931  }
	 932  
	 933  func (m *keyUpdateMsg) marshal() []byte {
	 934  	if m.raw != nil {
	 935  		return m.raw
	 936  	}
	 937  
	 938  	var b cryptobyte.Builder
	 939  	b.AddUint8(typeKeyUpdate)
	 940  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	 941  		if m.updateRequested {
	 942  			b.AddUint8(1)
	 943  		} else {
	 944  			b.AddUint8(0)
	 945  		}
	 946  	})
	 947  
	 948  	m.raw = b.BytesOrPanic()
	 949  	return m.raw
	 950  }
	 951  
	 952  func (m *keyUpdateMsg) unmarshal(data []byte) bool {
	 953  	m.raw = data
	 954  	s := cryptobyte.String(data)
	 955  
	 956  	var updateRequested uint8
	 957  	if !s.Skip(4) || // message type and uint24 length field
	 958  		!s.ReadUint8(&updateRequested) || !s.Empty() {
	 959  		return false
	 960  	}
	 961  	switch updateRequested {
	 962  	case 0:
	 963  		m.updateRequested = false
	 964  	case 1:
	 965  		m.updateRequested = true
	 966  	default:
	 967  		return false
	 968  	}
	 969  	return true
	 970  }
	 971  
	 972  type newSessionTicketMsgTLS13 struct {
	 973  	raw					[]byte
	 974  	lifetime		 uint32
	 975  	ageAdd			 uint32
	 976  	nonce				[]byte
	 977  	label				[]byte
	 978  	maxEarlyData uint32
	 979  }
	 980  
	 981  func (m *newSessionTicketMsgTLS13) marshal() []byte {
	 982  	if m.raw != nil {
	 983  		return m.raw
	 984  	}
	 985  
	 986  	var b cryptobyte.Builder
	 987  	b.AddUint8(typeNewSessionTicket)
	 988  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	 989  		b.AddUint32(m.lifetime)
	 990  		b.AddUint32(m.ageAdd)
	 991  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
	 992  			b.AddBytes(m.nonce)
	 993  		})
	 994  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 995  			b.AddBytes(m.label)
	 996  		})
	 997  
	 998  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	 999  			if m.maxEarlyData > 0 {
	1000  				b.AddUint16(extensionEarlyData)
	1001  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1002  					b.AddUint32(m.maxEarlyData)
	1003  				})
	1004  			}
	1005  		})
	1006  	})
	1007  
	1008  	m.raw = b.BytesOrPanic()
	1009  	return m.raw
	1010  }
	1011  
	1012  func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
	1013  	*m = newSessionTicketMsgTLS13{raw: data}
	1014  	s := cryptobyte.String(data)
	1015  
	1016  	var extensions cryptobyte.String
	1017  	if !s.Skip(4) || // message type and uint24 length field
	1018  		!s.ReadUint32(&m.lifetime) ||
	1019  		!s.ReadUint32(&m.ageAdd) ||
	1020  		!readUint8LengthPrefixed(&s, &m.nonce) ||
	1021  		!readUint16LengthPrefixed(&s, &m.label) ||
	1022  		!s.ReadUint16LengthPrefixed(&extensions) ||
	1023  		!s.Empty() {
	1024  		return false
	1025  	}
	1026  
	1027  	for !extensions.Empty() {
	1028  		var extension uint16
	1029  		var extData cryptobyte.String
	1030  		if !extensions.ReadUint16(&extension) ||
	1031  			!extensions.ReadUint16LengthPrefixed(&extData) {
	1032  			return false
	1033  		}
	1034  
	1035  		switch extension {
	1036  		case extensionEarlyData:
	1037  			if !extData.ReadUint32(&m.maxEarlyData) {
	1038  				return false
	1039  			}
	1040  		default:
	1041  			// Ignore unknown extensions.
	1042  			continue
	1043  		}
	1044  
	1045  		if !extData.Empty() {
	1046  			return false
	1047  		}
	1048  	}
	1049  
	1050  	return true
	1051  }
	1052  
	1053  type certificateRequestMsgTLS13 struct {
	1054  	raw															[]byte
	1055  	ocspStapling										 bool
	1056  	scts														 bool
	1057  	supportedSignatureAlgorithms		 []SignatureScheme
	1058  	supportedSignatureAlgorithmsCert []SignatureScheme
	1059  	certificateAuthorities					 [][]byte
	1060  }
	1061  
	1062  func (m *certificateRequestMsgTLS13) marshal() []byte {
	1063  	if m.raw != nil {
	1064  		return m.raw
	1065  	}
	1066  
	1067  	var b cryptobyte.Builder
	1068  	b.AddUint8(typeCertificateRequest)
	1069  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1070  		// certificate_request_context (SHALL be zero length unless used for
	1071  		// post-handshake authentication)
	1072  		b.AddUint8(0)
	1073  
	1074  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1075  			if m.ocspStapling {
	1076  				b.AddUint16(extensionStatusRequest)
	1077  				b.AddUint16(0) // empty extension_data
	1078  			}
	1079  			if m.scts {
	1080  				// RFC 8446, Section 4.4.2.1 makes no mention of
	1081  				// signed_certificate_timestamp in CertificateRequest, but
	1082  				// "Extensions in the Certificate message from the client MUST
	1083  				// correspond to extensions in the CertificateRequest message
	1084  				// from the server." and it appears in the table in Section 4.2.
	1085  				b.AddUint16(extensionSCT)
	1086  				b.AddUint16(0) // empty extension_data
	1087  			}
	1088  			if len(m.supportedSignatureAlgorithms) > 0 {
	1089  				b.AddUint16(extensionSignatureAlgorithms)
	1090  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1091  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1092  						for _, sigAlgo := range m.supportedSignatureAlgorithms {
	1093  							b.AddUint16(uint16(sigAlgo))
	1094  						}
	1095  					})
	1096  				})
	1097  			}
	1098  			if len(m.supportedSignatureAlgorithmsCert) > 0 {
	1099  				b.AddUint16(extensionSignatureAlgorithmsCert)
	1100  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1101  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1102  						for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
	1103  							b.AddUint16(uint16(sigAlgo))
	1104  						}
	1105  					})
	1106  				})
	1107  			}
	1108  			if len(m.certificateAuthorities) > 0 {
	1109  				b.AddUint16(extensionCertificateAuthorities)
	1110  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1111  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1112  						for _, ca := range m.certificateAuthorities {
	1113  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1114  								b.AddBytes(ca)
	1115  							})
	1116  						}
	1117  					})
	1118  				})
	1119  			}
	1120  		})
	1121  	})
	1122  
	1123  	m.raw = b.BytesOrPanic()
	1124  	return m.raw
	1125  }
	1126  
	1127  func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
	1128  	*m = certificateRequestMsgTLS13{raw: data}
	1129  	s := cryptobyte.String(data)
	1130  
	1131  	var context, extensions cryptobyte.String
	1132  	if !s.Skip(4) || // message type and uint24 length field
	1133  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
	1134  		!s.ReadUint16LengthPrefixed(&extensions) ||
	1135  		!s.Empty() {
	1136  		return false
	1137  	}
	1138  
	1139  	for !extensions.Empty() {
	1140  		var extension uint16
	1141  		var extData cryptobyte.String
	1142  		if !extensions.ReadUint16(&extension) ||
	1143  			!extensions.ReadUint16LengthPrefixed(&extData) {
	1144  			return false
	1145  		}
	1146  
	1147  		switch extension {
	1148  		case extensionStatusRequest:
	1149  			m.ocspStapling = true
	1150  		case extensionSCT:
	1151  			m.scts = true
	1152  		case extensionSignatureAlgorithms:
	1153  			var sigAndAlgs cryptobyte.String
	1154  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
	1155  				return false
	1156  			}
	1157  			for !sigAndAlgs.Empty() {
	1158  				var sigAndAlg uint16
	1159  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
	1160  					return false
	1161  				}
	1162  				m.supportedSignatureAlgorithms = append(
	1163  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
	1164  			}
	1165  		case extensionSignatureAlgorithmsCert:
	1166  			var sigAndAlgs cryptobyte.String
	1167  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
	1168  				return false
	1169  			}
	1170  			for !sigAndAlgs.Empty() {
	1171  				var sigAndAlg uint16
	1172  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
	1173  					return false
	1174  				}
	1175  				m.supportedSignatureAlgorithmsCert = append(
	1176  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
	1177  			}
	1178  		case extensionCertificateAuthorities:
	1179  			var auths cryptobyte.String
	1180  			if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
	1181  				return false
	1182  			}
	1183  			for !auths.Empty() {
	1184  				var ca []byte
	1185  				if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
	1186  					return false
	1187  				}
	1188  				m.certificateAuthorities = append(m.certificateAuthorities, ca)
	1189  			}
	1190  		default:
	1191  			// Ignore unknown extensions.
	1192  			continue
	1193  		}
	1194  
	1195  		if !extData.Empty() {
	1196  			return false
	1197  		}
	1198  	}
	1199  
	1200  	return true
	1201  }
	1202  
	1203  type certificateMsg struct {
	1204  	raw					[]byte
	1205  	certificates [][]byte
	1206  }
	1207  
	1208  func (m *certificateMsg) marshal() (x []byte) {
	1209  	if m.raw != nil {
	1210  		return m.raw
	1211  	}
	1212  
	1213  	var i int
	1214  	for _, slice := range m.certificates {
	1215  		i += len(slice)
	1216  	}
	1217  
	1218  	length := 3 + 3*len(m.certificates) + i
	1219  	x = make([]byte, 4+length)
	1220  	x[0] = typeCertificate
	1221  	x[1] = uint8(length >> 16)
	1222  	x[2] = uint8(length >> 8)
	1223  	x[3] = uint8(length)
	1224  
	1225  	certificateOctets := length - 3
	1226  	x[4] = uint8(certificateOctets >> 16)
	1227  	x[5] = uint8(certificateOctets >> 8)
	1228  	x[6] = uint8(certificateOctets)
	1229  
	1230  	y := x[7:]
	1231  	for _, slice := range m.certificates {
	1232  		y[0] = uint8(len(slice) >> 16)
	1233  		y[1] = uint8(len(slice) >> 8)
	1234  		y[2] = uint8(len(slice))
	1235  		copy(y[3:], slice)
	1236  		y = y[3+len(slice):]
	1237  	}
	1238  
	1239  	m.raw = x
	1240  	return
	1241  }
	1242  
	1243  func (m *certificateMsg) unmarshal(data []byte) bool {
	1244  	if len(data) < 7 {
	1245  		return false
	1246  	}
	1247  
	1248  	m.raw = data
	1249  	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
	1250  	if uint32(len(data)) != certsLen+7 {
	1251  		return false
	1252  	}
	1253  
	1254  	numCerts := 0
	1255  	d := data[7:]
	1256  	for certsLen > 0 {
	1257  		if len(d) < 4 {
	1258  			return false
	1259  		}
	1260  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
	1261  		if uint32(len(d)) < 3+certLen {
	1262  			return false
	1263  		}
	1264  		d = d[3+certLen:]
	1265  		certsLen -= 3 + certLen
	1266  		numCerts++
	1267  	}
	1268  
	1269  	m.certificates = make([][]byte, numCerts)
	1270  	d = data[7:]
	1271  	for i := 0; i < numCerts; i++ {
	1272  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
	1273  		m.certificates[i] = d[3 : 3+certLen]
	1274  		d = d[3+certLen:]
	1275  	}
	1276  
	1277  	return true
	1278  }
	1279  
	1280  type certificateMsgTLS13 struct {
	1281  	raw					[]byte
	1282  	certificate	Certificate
	1283  	ocspStapling bool
	1284  	scts				 bool
	1285  }
	1286  
	1287  func (m *certificateMsgTLS13) marshal() []byte {
	1288  	if m.raw != nil {
	1289  		return m.raw
	1290  	}
	1291  
	1292  	var b cryptobyte.Builder
	1293  	b.AddUint8(typeCertificate)
	1294  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1295  		b.AddUint8(0) // certificate_request_context
	1296  
	1297  		certificate := m.certificate
	1298  		if !m.ocspStapling {
	1299  			certificate.OCSPStaple = nil
	1300  		}
	1301  		if !m.scts {
	1302  			certificate.SignedCertificateTimestamps = nil
	1303  		}
	1304  		marshalCertificate(b, certificate)
	1305  	})
	1306  
	1307  	m.raw = b.BytesOrPanic()
	1308  	return m.raw
	1309  }
	1310  
	1311  func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
	1312  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1313  		for i, cert := range certificate.Certificate {
	1314  			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1315  				b.AddBytes(cert)
	1316  			})
	1317  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1318  				if i > 0 {
	1319  					// This library only supports OCSP and SCT for leaf certificates.
	1320  					return
	1321  				}
	1322  				if certificate.OCSPStaple != nil {
	1323  					b.AddUint16(extensionStatusRequest)
	1324  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1325  						b.AddUint8(statusTypeOCSP)
	1326  						b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1327  							b.AddBytes(certificate.OCSPStaple)
	1328  						})
	1329  					})
	1330  				}
	1331  				if certificate.SignedCertificateTimestamps != nil {
	1332  					b.AddUint16(extensionSCT)
	1333  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1334  						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1335  							for _, sct := range certificate.SignedCertificateTimestamps {
	1336  								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1337  									b.AddBytes(sct)
	1338  								})
	1339  							}
	1340  						})
	1341  					})
	1342  				}
	1343  			})
	1344  		}
	1345  	})
	1346  }
	1347  
	1348  func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
	1349  	*m = certificateMsgTLS13{raw: data}
	1350  	s := cryptobyte.String(data)
	1351  
	1352  	var context cryptobyte.String
	1353  	if !s.Skip(4) || // message type and uint24 length field
	1354  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
	1355  		!unmarshalCertificate(&s, &m.certificate) ||
	1356  		!s.Empty() {
	1357  		return false
	1358  	}
	1359  
	1360  	m.scts = m.certificate.SignedCertificateTimestamps != nil
	1361  	m.ocspStapling = m.certificate.OCSPStaple != nil
	1362  
	1363  	return true
	1364  }
	1365  
	1366  func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
	1367  	var certList cryptobyte.String
	1368  	if !s.ReadUint24LengthPrefixed(&certList) {
	1369  		return false
	1370  	}
	1371  	for !certList.Empty() {
	1372  		var cert []byte
	1373  		var extensions cryptobyte.String
	1374  		if !readUint24LengthPrefixed(&certList, &cert) ||
	1375  			!certList.ReadUint16LengthPrefixed(&extensions) {
	1376  			return false
	1377  		}
	1378  		certificate.Certificate = append(certificate.Certificate, cert)
	1379  		for !extensions.Empty() {
	1380  			var extension uint16
	1381  			var extData cryptobyte.String
	1382  			if !extensions.ReadUint16(&extension) ||
	1383  				!extensions.ReadUint16LengthPrefixed(&extData) {
	1384  				return false
	1385  			}
	1386  			if len(certificate.Certificate) > 1 {
	1387  				// This library only supports OCSP and SCT for leaf certificates.
	1388  				continue
	1389  			}
	1390  
	1391  			switch extension {
	1392  			case extensionStatusRequest:
	1393  				var statusType uint8
	1394  				if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
	1395  					!readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
	1396  					len(certificate.OCSPStaple) == 0 {
	1397  					return false
	1398  				}
	1399  			case extensionSCT:
	1400  				var sctList cryptobyte.String
	1401  				if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
	1402  					return false
	1403  				}
	1404  				for !sctList.Empty() {
	1405  					var sct []byte
	1406  					if !readUint16LengthPrefixed(&sctList, &sct) ||
	1407  						len(sct) == 0 {
	1408  						return false
	1409  					}
	1410  					certificate.SignedCertificateTimestamps = append(
	1411  						certificate.SignedCertificateTimestamps, sct)
	1412  				}
	1413  			default:
	1414  				// Ignore unknown extensions.
	1415  				continue
	1416  			}
	1417  
	1418  			if !extData.Empty() {
	1419  				return false
	1420  			}
	1421  		}
	1422  	}
	1423  	return true
	1424  }
	1425  
	1426  type serverKeyExchangeMsg struct {
	1427  	raw []byte
	1428  	key []byte
	1429  }
	1430  
	1431  func (m *serverKeyExchangeMsg) marshal() []byte {
	1432  	if m.raw != nil {
	1433  		return m.raw
	1434  	}
	1435  	length := len(m.key)
	1436  	x := make([]byte, length+4)
	1437  	x[0] = typeServerKeyExchange
	1438  	x[1] = uint8(length >> 16)
	1439  	x[2] = uint8(length >> 8)
	1440  	x[3] = uint8(length)
	1441  	copy(x[4:], m.key)
	1442  
	1443  	m.raw = x
	1444  	return x
	1445  }
	1446  
	1447  func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
	1448  	m.raw = data
	1449  	if len(data) < 4 {
	1450  		return false
	1451  	}
	1452  	m.key = data[4:]
	1453  	return true
	1454  }
	1455  
	1456  type certificateStatusMsg struct {
	1457  	raw			[]byte
	1458  	response []byte
	1459  }
	1460  
	1461  func (m *certificateStatusMsg) marshal() []byte {
	1462  	if m.raw != nil {
	1463  		return m.raw
	1464  	}
	1465  
	1466  	var b cryptobyte.Builder
	1467  	b.AddUint8(typeCertificateStatus)
	1468  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1469  		b.AddUint8(statusTypeOCSP)
	1470  		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1471  			b.AddBytes(m.response)
	1472  		})
	1473  	})
	1474  
	1475  	m.raw = b.BytesOrPanic()
	1476  	return m.raw
	1477  }
	1478  
	1479  func (m *certificateStatusMsg) unmarshal(data []byte) bool {
	1480  	m.raw = data
	1481  	s := cryptobyte.String(data)
	1482  
	1483  	var statusType uint8
	1484  	if !s.Skip(4) || // message type and uint24 length field
	1485  		!s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
	1486  		!readUint24LengthPrefixed(&s, &m.response) ||
	1487  		len(m.response) == 0 || !s.Empty() {
	1488  		return false
	1489  	}
	1490  	return true
	1491  }
	1492  
	1493  type serverHelloDoneMsg struct{}
	1494  
	1495  func (m *serverHelloDoneMsg) marshal() []byte {
	1496  	x := make([]byte, 4)
	1497  	x[0] = typeServerHelloDone
	1498  	return x
	1499  }
	1500  
	1501  func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
	1502  	return len(data) == 4
	1503  }
	1504  
	1505  type clientKeyExchangeMsg struct {
	1506  	raw				[]byte
	1507  	ciphertext []byte
	1508  }
	1509  
	1510  func (m *clientKeyExchangeMsg) marshal() []byte {
	1511  	if m.raw != nil {
	1512  		return m.raw
	1513  	}
	1514  	length := len(m.ciphertext)
	1515  	x := make([]byte, length+4)
	1516  	x[0] = typeClientKeyExchange
	1517  	x[1] = uint8(length >> 16)
	1518  	x[2] = uint8(length >> 8)
	1519  	x[3] = uint8(length)
	1520  	copy(x[4:], m.ciphertext)
	1521  
	1522  	m.raw = x
	1523  	return x
	1524  }
	1525  
	1526  func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
	1527  	m.raw = data
	1528  	if len(data) < 4 {
	1529  		return false
	1530  	}
	1531  	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
	1532  	if l != len(data)-4 {
	1533  		return false
	1534  	}
	1535  	m.ciphertext = data[4:]
	1536  	return true
	1537  }
	1538  
	1539  type finishedMsg struct {
	1540  	raw				[]byte
	1541  	verifyData []byte
	1542  }
	1543  
	1544  func (m *finishedMsg) marshal() []byte {
	1545  	if m.raw != nil {
	1546  		return m.raw
	1547  	}
	1548  
	1549  	var b cryptobyte.Builder
	1550  	b.AddUint8(typeFinished)
	1551  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1552  		b.AddBytes(m.verifyData)
	1553  	})
	1554  
	1555  	m.raw = b.BytesOrPanic()
	1556  	return m.raw
	1557  }
	1558  
	1559  func (m *finishedMsg) unmarshal(data []byte) bool {
	1560  	m.raw = data
	1561  	s := cryptobyte.String(data)
	1562  	return s.Skip(1) &&
	1563  		readUint24LengthPrefixed(&s, &m.verifyData) &&
	1564  		s.Empty()
	1565  }
	1566  
	1567  type certificateRequestMsg struct {
	1568  	raw []byte
	1569  	// hasSignatureAlgorithm indicates whether this message includes a list of
	1570  	// supported signature algorithms. This change was introduced with TLS 1.2.
	1571  	hasSignatureAlgorithm bool
	1572  
	1573  	certificateTypes						 []byte
	1574  	supportedSignatureAlgorithms []SignatureScheme
	1575  	certificateAuthorities			 [][]byte
	1576  }
	1577  
	1578  func (m *certificateRequestMsg) marshal() (x []byte) {
	1579  	if m.raw != nil {
	1580  		return m.raw
	1581  	}
	1582  
	1583  	// See RFC 4346, Section 7.4.4.
	1584  	length := 1 + len(m.certificateTypes) + 2
	1585  	casLength := 0
	1586  	for _, ca := range m.certificateAuthorities {
	1587  		casLength += 2 + len(ca)
	1588  	}
	1589  	length += casLength
	1590  
	1591  	if m.hasSignatureAlgorithm {
	1592  		length += 2 + 2*len(m.supportedSignatureAlgorithms)
	1593  	}
	1594  
	1595  	x = make([]byte, 4+length)
	1596  	x[0] = typeCertificateRequest
	1597  	x[1] = uint8(length >> 16)
	1598  	x[2] = uint8(length >> 8)
	1599  	x[3] = uint8(length)
	1600  
	1601  	x[4] = uint8(len(m.certificateTypes))
	1602  
	1603  	copy(x[5:], m.certificateTypes)
	1604  	y := x[5+len(m.certificateTypes):]
	1605  
	1606  	if m.hasSignatureAlgorithm {
	1607  		n := len(m.supportedSignatureAlgorithms) * 2
	1608  		y[0] = uint8(n >> 8)
	1609  		y[1] = uint8(n)
	1610  		y = y[2:]
	1611  		for _, sigAlgo := range m.supportedSignatureAlgorithms {
	1612  			y[0] = uint8(sigAlgo >> 8)
	1613  			y[1] = uint8(sigAlgo)
	1614  			y = y[2:]
	1615  		}
	1616  	}
	1617  
	1618  	y[0] = uint8(casLength >> 8)
	1619  	y[1] = uint8(casLength)
	1620  	y = y[2:]
	1621  	for _, ca := range m.certificateAuthorities {
	1622  		y[0] = uint8(len(ca) >> 8)
	1623  		y[1] = uint8(len(ca))
	1624  		y = y[2:]
	1625  		copy(y, ca)
	1626  		y = y[len(ca):]
	1627  	}
	1628  
	1629  	m.raw = x
	1630  	return
	1631  }
	1632  
	1633  func (m *certificateRequestMsg) unmarshal(data []byte) bool {
	1634  	m.raw = data
	1635  
	1636  	if len(data) < 5 {
	1637  		return false
	1638  	}
	1639  
	1640  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	1641  	if uint32(len(data))-4 != length {
	1642  		return false
	1643  	}
	1644  
	1645  	numCertTypes := int(data[4])
	1646  	data = data[5:]
	1647  	if numCertTypes == 0 || len(data) <= numCertTypes {
	1648  		return false
	1649  	}
	1650  
	1651  	m.certificateTypes = make([]byte, numCertTypes)
	1652  	if copy(m.certificateTypes, data) != numCertTypes {
	1653  		return false
	1654  	}
	1655  
	1656  	data = data[numCertTypes:]
	1657  
	1658  	if m.hasSignatureAlgorithm {
	1659  		if len(data) < 2 {
	1660  			return false
	1661  		}
	1662  		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
	1663  		data = data[2:]
	1664  		if sigAndHashLen&1 != 0 {
	1665  			return false
	1666  		}
	1667  		if len(data) < int(sigAndHashLen) {
	1668  			return false
	1669  		}
	1670  		numSigAlgos := sigAndHashLen / 2
	1671  		m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
	1672  		for i := range m.supportedSignatureAlgorithms {
	1673  			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
	1674  			data = data[2:]
	1675  		}
	1676  	}
	1677  
	1678  	if len(data) < 2 {
	1679  		return false
	1680  	}
	1681  	casLength := uint16(data[0])<<8 | uint16(data[1])
	1682  	data = data[2:]
	1683  	if len(data) < int(casLength) {
	1684  		return false
	1685  	}
	1686  	cas := make([]byte, casLength)
	1687  	copy(cas, data)
	1688  	data = data[casLength:]
	1689  
	1690  	m.certificateAuthorities = nil
	1691  	for len(cas) > 0 {
	1692  		if len(cas) < 2 {
	1693  			return false
	1694  		}
	1695  		caLen := uint16(cas[0])<<8 | uint16(cas[1])
	1696  		cas = cas[2:]
	1697  
	1698  		if len(cas) < int(caLen) {
	1699  			return false
	1700  		}
	1701  
	1702  		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
	1703  		cas = cas[caLen:]
	1704  	}
	1705  
	1706  	return len(data) == 0
	1707  }
	1708  
	1709  type certificateVerifyMsg struct {
	1710  	raw									 []byte
	1711  	hasSignatureAlgorithm bool // format change introduced in TLS 1.2
	1712  	signatureAlgorithm		SignatureScheme
	1713  	signature						 []byte
	1714  }
	1715  
	1716  func (m *certificateVerifyMsg) marshal() (x []byte) {
	1717  	if m.raw != nil {
	1718  		return m.raw
	1719  	}
	1720  
	1721  	var b cryptobyte.Builder
	1722  	b.AddUint8(typeCertificateVerify)
	1723  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
	1724  		if m.hasSignatureAlgorithm {
	1725  			b.AddUint16(uint16(m.signatureAlgorithm))
	1726  		}
	1727  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
	1728  			b.AddBytes(m.signature)
	1729  		})
	1730  	})
	1731  
	1732  	m.raw = b.BytesOrPanic()
	1733  	return m.raw
	1734  }
	1735  
	1736  func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
	1737  	m.raw = data
	1738  	s := cryptobyte.String(data)
	1739  
	1740  	if !s.Skip(4) { // message type and uint24 length field
	1741  		return false
	1742  	}
	1743  	if m.hasSignatureAlgorithm {
	1744  		if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
	1745  			return false
	1746  		}
	1747  	}
	1748  	return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
	1749  }
	1750  
	1751  type newSessionTicketMsg struct {
	1752  	raw		[]byte
	1753  	ticket []byte
	1754  }
	1755  
	1756  func (m *newSessionTicketMsg) marshal() (x []byte) {
	1757  	if m.raw != nil {
	1758  		return m.raw
	1759  	}
	1760  
	1761  	// See RFC 5077, Section 3.3.
	1762  	ticketLen := len(m.ticket)
	1763  	length := 2 + 4 + ticketLen
	1764  	x = make([]byte, 4+length)
	1765  	x[0] = typeNewSessionTicket
	1766  	x[1] = uint8(length >> 16)
	1767  	x[2] = uint8(length >> 8)
	1768  	x[3] = uint8(length)
	1769  	x[8] = uint8(ticketLen >> 8)
	1770  	x[9] = uint8(ticketLen)
	1771  	copy(x[10:], m.ticket)
	1772  
	1773  	m.raw = x
	1774  
	1775  	return
	1776  }
	1777  
	1778  func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
	1779  	m.raw = data
	1780  
	1781  	if len(data) < 10 {
	1782  		return false
	1783  	}
	1784  
	1785  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	1786  	if uint32(len(data))-4 != length {
	1787  		return false
	1788  	}
	1789  
	1790  	ticketLen := int(data[8])<<8 + int(data[9])
	1791  	if len(data)-10 != ticketLen {
	1792  		return false
	1793  	}
	1794  
	1795  	m.ticket = data[10:]
	1796  
	1797  	return true
	1798  }
	1799  
	1800  type helloRequestMsg struct {
	1801  }
	1802  
	1803  func (*helloRequestMsg) marshal() []byte {
	1804  	return []byte{typeHelloRequest, 0, 0, 0}
	1805  }
	1806  
	1807  func (*helloRequestMsg) unmarshal(data []byte) bool {
	1808  	return len(data) == 4
	1809  }
	1810  

View as plain text