1// Copyright 2009 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package runner 6 7import ( 8 "errors" 9 "fmt" 10 11 "golang.org/x/crypto/cryptobyte" 12) 13 14func readUint8LengthPrefixedBytes(s *cryptobyte.String, out *[]byte) bool { 15 var child cryptobyte.String 16 if !s.ReadUint8LengthPrefixed(&child) { 17 return false 18 } 19 *out = child 20 return true 21} 22 23func readUint16LengthPrefixedBytes(s *cryptobyte.String, out *[]byte) bool { 24 var child cryptobyte.String 25 if !s.ReadUint16LengthPrefixed(&child) { 26 return false 27 } 28 *out = child 29 return true 30} 31 32func readUint24LengthPrefixedBytes(s *cryptobyte.String, out *[]byte) bool { 33 var child cryptobyte.String 34 if !s.ReadUint24LengthPrefixed(&child) { 35 return false 36 } 37 *out = child 38 return true 39} 40 41func addUint8LengthPrefixedBytes(b *cryptobyte.Builder, v []byte) { 42 b.AddUint8LengthPrefixed(func(child *cryptobyte.Builder) { child.AddBytes(v) }) 43} 44 45func addUint16LengthPrefixedBytes(b *cryptobyte.Builder, v []byte) { 46 b.AddUint16LengthPrefixed(func(child *cryptobyte.Builder) { child.AddBytes(v) }) 47} 48 49func addUint24LengthPrefixedBytes(b *cryptobyte.Builder, v []byte) { 50 b.AddUint24LengthPrefixed(func(child *cryptobyte.Builder) { child.AddBytes(v) }) 51} 52 53type keyShareEntry struct { 54 group CurveID 55 keyExchange []byte 56} 57 58type pskIdentity struct { 59 ticket []uint8 60 obfuscatedTicketAge uint32 61} 62 63type HPKECipherSuite struct { 64 KDF uint16 65 AEAD uint16 66} 67 68type ECHConfig struct { 69 Raw []byte 70 ConfigID uint8 71 KEM uint16 72 PublicKey []byte 73 MaxNameLen uint8 74 PublicName string 75 CipherSuites []HPKECipherSuite 76 // The following fields are only used by CreateECHConfig(). 77 UnsupportedExtension bool 78 UnsupportedMandatoryExtension bool 79} 80 81func CreateECHConfig(template *ECHConfig) *ECHConfig { 82 bb := cryptobyte.NewBuilder(nil) 83 // ECHConfig reuses the encrypted_client_hello extension codepoint as a 84 // version identifier. 85 bb.AddUint16(extensionEncryptedClientHello) 86 bb.AddUint16LengthPrefixed(func(contents *cryptobyte.Builder) { 87 contents.AddUint8(template.ConfigID) 88 contents.AddUint16(template.KEM) 89 addUint16LengthPrefixedBytes(contents, template.PublicKey) 90 contents.AddUint16LengthPrefixed(func(cipherSuites *cryptobyte.Builder) { 91 for _, suite := range template.CipherSuites { 92 cipherSuites.AddUint16(suite.KDF) 93 cipherSuites.AddUint16(suite.AEAD) 94 } 95 }) 96 contents.AddUint8(template.MaxNameLen) 97 addUint8LengthPrefixedBytes(contents, []byte(template.PublicName)) 98 contents.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 99 // Mandatory extensions have the high bit set. 100 if template.UnsupportedExtension { 101 extensions.AddUint16(0x1111) 102 addUint16LengthPrefixedBytes(extensions, []byte("test")) 103 } 104 if template.UnsupportedMandatoryExtension { 105 extensions.AddUint16(0xaaaa) 106 addUint16LengthPrefixedBytes(extensions, []byte("test")) 107 } 108 }) 109 }) 110 111 // This ought to be a call to a function like ParseECHConfig(bb.BytesOrPanic()), 112 // but this constrains us to constructing ECHConfigs we are willing to 113 // support. We need to test the client's behavior in response to unparsable 114 // or unsupported ECHConfigs, so populate fields from the template directly. 115 ret := *template 116 ret.Raw = bb.BytesOrPanic() 117 return &ret 118} 119 120func CreateECHConfigList(configs ...[]byte) []byte { 121 bb := cryptobyte.NewBuilder(nil) 122 bb.AddUint16LengthPrefixed(func(list *cryptobyte.Builder) { 123 for _, config := range configs { 124 list.AddBytes(config) 125 } 126 }) 127 return bb.BytesOrPanic() 128} 129 130type ServerECHConfig struct { 131 ECHConfig *ECHConfig 132 Key []byte 133} 134 135const ( 136 echClientTypeOuter byte = 0 137 echClientTypeInner byte = 1 138) 139 140type echClientOuter struct { 141 kdfID uint16 142 aeadID uint16 143 configID uint8 144 enc []byte 145 payload []byte 146} 147 148type clientHelloMsg struct { 149 raw []byte 150 isDTLS bool 151 isV2ClientHello bool 152 vers uint16 153 random []byte 154 v2Challenge []byte 155 sessionID []byte 156 cookie []byte 157 cipherSuites []uint16 158 compressionMethods []uint8 159 nextProtoNeg bool 160 serverName string 161 echOuter *echClientOuter 162 echInner bool 163 invalidECHInner []byte 164 ocspStapling bool 165 supportedCurves []CurveID 166 supportedPoints []uint8 167 hasKeyShares bool 168 keyShares []keyShareEntry 169 keySharesRaw []byte 170 trailingKeyShareData bool 171 pskIdentities []pskIdentity 172 pskKEModes []byte 173 pskBinders [][]uint8 174 hasEarlyData bool 175 tls13Cookie []byte 176 ticketSupported bool 177 sessionTicket []uint8 178 signatureAlgorithms []signatureAlgorithm 179 signatureAlgorithmsCert []signatureAlgorithm 180 supportedVersions []uint16 181 secureRenegotiation []byte 182 alpnProtocols []string 183 quicTransportParams []byte 184 quicTransportParamsLegacy []byte 185 duplicateExtension bool 186 channelIDSupported bool 187 extendedMasterSecret bool 188 srtpProtectionProfiles []uint16 189 srtpMasterKeyIdentifier string 190 sctListSupported bool 191 customExtension string 192 hasGREASEExtension bool 193 omitExtensions bool 194 emptyExtensions bool 195 pad int 196 compressedCertAlgs []uint16 197 delegatedCredential []signatureAlgorithm 198 alpsProtocols []string 199 alpsProtocolsOld []string 200 outerExtensions []uint16 201 reorderOuterExtensionsWithoutCompressing bool 202 prefixExtensions []uint16 203 // The following fields are only filled in by |unmarshal| and ignored when 204 // marshaling a new ClientHello. 205 echPayloadStart int 206 echPayloadEnd int 207 rawExtensions []byte 208} 209 210func (m *clientHelloMsg) marshalKeyShares(bb *cryptobyte.Builder) { 211 bb.AddUint16LengthPrefixed(func(keyShares *cryptobyte.Builder) { 212 for _, keyShare := range m.keyShares { 213 keyShares.AddUint16(uint16(keyShare.group)) 214 addUint16LengthPrefixedBytes(keyShares, keyShare.keyExchange) 215 } 216 if m.trailingKeyShareData { 217 keyShares.AddUint8(0) 218 } 219 }) 220} 221 222type clientHelloType int 223 224const ( 225 clientHelloNormal clientHelloType = iota 226 clientHelloEncodedInner 227) 228 229func (m *clientHelloMsg) marshalBody(hello *cryptobyte.Builder, typ clientHelloType) { 230 hello.AddUint16(m.vers) 231 hello.AddBytes(m.random) 232 hello.AddUint8LengthPrefixed(func(sessionID *cryptobyte.Builder) { 233 if typ != clientHelloEncodedInner { 234 sessionID.AddBytes(m.sessionID) 235 } 236 }) 237 if m.isDTLS { 238 hello.AddUint8LengthPrefixed(func(cookie *cryptobyte.Builder) { 239 cookie.AddBytes(m.cookie) 240 }) 241 } 242 hello.AddUint16LengthPrefixed(func(cipherSuites *cryptobyte.Builder) { 243 for _, suite := range m.cipherSuites { 244 cipherSuites.AddUint16(suite) 245 } 246 }) 247 hello.AddUint8LengthPrefixed(func(compressionMethods *cryptobyte.Builder) { 248 compressionMethods.AddBytes(m.compressionMethods) 249 }) 250 251 type extension struct { 252 id uint16 253 body []byte 254 } 255 var extensions []extension 256 257 if m.duplicateExtension { 258 // Add a duplicate bogus extension at the beginning and end. 259 extensions = append(extensions, extension{id: extensionDuplicate}) 260 } 261 if m.nextProtoNeg { 262 extensions = append(extensions, extension{id: extensionNextProtoNeg}) 263 } 264 if len(m.serverName) > 0 { 265 // RFC 3546, section 3.1 266 // 267 // struct { 268 // NameType name_type; 269 // select (name_type) { 270 // case host_name: HostName; 271 // } name; 272 // } ServerName; 273 // 274 // enum { 275 // host_name(0), (255) 276 // } NameType; 277 // 278 // opaque HostName<1..2^16-1>; 279 // 280 // struct { 281 // ServerName server_name_list<1..2^16-1> 282 // } ServerNameList; 283 284 serverNameList := cryptobyte.NewBuilder(nil) 285 serverNameList.AddUint16LengthPrefixed(func(serverName *cryptobyte.Builder) { 286 serverName.AddUint8(0) // NameType host_name(0) 287 addUint16LengthPrefixedBytes(serverName, []byte(m.serverName)) 288 }) 289 290 extensions = append(extensions, extension{ 291 id: extensionServerName, 292 body: serverNameList.BytesOrPanic(), 293 }) 294 } 295 if m.echOuter != nil { 296 body := cryptobyte.NewBuilder(nil) 297 body.AddUint8(echClientTypeOuter) 298 body.AddUint16(m.echOuter.kdfID) 299 body.AddUint16(m.echOuter.aeadID) 300 body.AddUint8(m.echOuter.configID) 301 addUint16LengthPrefixedBytes(body, m.echOuter.enc) 302 addUint16LengthPrefixedBytes(body, m.echOuter.payload) 303 extensions = append(extensions, extension{ 304 id: extensionEncryptedClientHello, 305 body: body.BytesOrPanic(), 306 }) 307 } 308 if m.echInner { 309 body := cryptobyte.NewBuilder(nil) 310 body.AddUint8(echClientTypeInner) 311 // If unset, invalidECHInner is empty, which is the correct serialization. 312 body.AddBytes(m.invalidECHInner) 313 extensions = append(extensions, extension{ 314 id: extensionEncryptedClientHello, 315 body: body.BytesOrPanic(), 316 }) 317 } 318 if m.ocspStapling { 319 certificateStatusRequest := cryptobyte.NewBuilder(nil) 320 // RFC 4366, section 3.6 321 certificateStatusRequest.AddUint8(1) // OCSP type 322 // Two zero valued uint16s for the two lengths. 323 certificateStatusRequest.AddUint16(0) // ResponderID length 324 certificateStatusRequest.AddUint16(0) // Extensions length 325 extensions = append(extensions, extension{ 326 id: extensionStatusRequest, 327 body: certificateStatusRequest.BytesOrPanic(), 328 }) 329 } 330 if len(m.supportedCurves) > 0 { 331 // http://tools.ietf.org/html/rfc4492#section-5.1.1 332 supportedCurvesList := cryptobyte.NewBuilder(nil) 333 supportedCurvesList.AddUint16LengthPrefixed(func(supportedCurves *cryptobyte.Builder) { 334 for _, curve := range m.supportedCurves { 335 supportedCurves.AddUint16(uint16(curve)) 336 } 337 }) 338 extensions = append(extensions, extension{ 339 id: extensionSupportedCurves, 340 body: supportedCurvesList.BytesOrPanic(), 341 }) 342 } 343 if len(m.supportedPoints) > 0 { 344 // http://tools.ietf.org/html/rfc4492#section-5.1.2 345 supportedPointsList := cryptobyte.NewBuilder(nil) 346 addUint8LengthPrefixedBytes(supportedPointsList, m.supportedPoints) 347 extensions = append(extensions, extension{ 348 id: extensionSupportedPoints, 349 body: supportedPointsList.BytesOrPanic(), 350 }) 351 } 352 if m.hasKeyShares { 353 keyShareList := cryptobyte.NewBuilder(nil) 354 m.marshalKeyShares(keyShareList) 355 extensions = append(extensions, extension{ 356 id: extensionKeyShare, 357 body: keyShareList.BytesOrPanic(), 358 }) 359 } 360 if len(m.pskKEModes) > 0 { 361 pskModesExtension := cryptobyte.NewBuilder(nil) 362 addUint8LengthPrefixedBytes(pskModesExtension, m.pskKEModes) 363 extensions = append(extensions, extension{ 364 id: extensionPSKKeyExchangeModes, 365 body: pskModesExtension.BytesOrPanic(), 366 }) 367 } 368 if m.hasEarlyData { 369 extensions = append(extensions, extension{id: extensionEarlyData}) 370 } 371 if len(m.tls13Cookie) > 0 { 372 body := cryptobyte.NewBuilder(nil) 373 addUint16LengthPrefixedBytes(body, m.tls13Cookie) 374 extensions = append(extensions, extension{ 375 id: extensionCookie, 376 body: body.BytesOrPanic(), 377 }) 378 } 379 if m.ticketSupported { 380 // http://tools.ietf.org/html/rfc5077#section-3.2 381 extensions = append(extensions, extension{ 382 id: extensionSessionTicket, 383 body: m.sessionTicket, 384 }) 385 } 386 if len(m.signatureAlgorithms) > 0 { 387 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 388 signatureAlgorithmsExtension := cryptobyte.NewBuilder(nil) 389 signatureAlgorithmsExtension.AddUint16LengthPrefixed(func(signatureAlgorithms *cryptobyte.Builder) { 390 for _, sigAlg := range m.signatureAlgorithms { 391 signatureAlgorithms.AddUint16(uint16(sigAlg)) 392 } 393 }) 394 extensions = append(extensions, extension{ 395 id: extensionSignatureAlgorithms, 396 body: signatureAlgorithmsExtension.BytesOrPanic(), 397 }) 398 } 399 if len(m.signatureAlgorithmsCert) > 0 { 400 signatureAlgorithmsCertExtension := cryptobyte.NewBuilder(nil) 401 signatureAlgorithmsCertExtension.AddUint16LengthPrefixed(func(signatureAlgorithmsCert *cryptobyte.Builder) { 402 for _, sigAlg := range m.signatureAlgorithmsCert { 403 signatureAlgorithmsCert.AddUint16(uint16(sigAlg)) 404 } 405 }) 406 extensions = append(extensions, extension{ 407 id: extensionSignatureAlgorithmsCert, 408 body: signatureAlgorithmsCertExtension.BytesOrPanic(), 409 }) 410 } 411 if len(m.supportedVersions) > 0 { 412 supportedVersionsExtension := cryptobyte.NewBuilder(nil) 413 supportedVersionsExtension.AddUint8LengthPrefixed(func(supportedVersions *cryptobyte.Builder) { 414 for _, version := range m.supportedVersions { 415 supportedVersions.AddUint16(uint16(version)) 416 } 417 }) 418 extensions = append(extensions, extension{ 419 id: extensionSupportedVersions, 420 body: supportedVersionsExtension.BytesOrPanic(), 421 }) 422 } 423 if m.secureRenegotiation != nil { 424 secureRenegoExt := cryptobyte.NewBuilder(nil) 425 addUint8LengthPrefixedBytes(secureRenegoExt, m.secureRenegotiation) 426 extensions = append(extensions, extension{ 427 id: extensionRenegotiationInfo, 428 body: secureRenegoExt.BytesOrPanic(), 429 }) 430 } 431 if len(m.alpnProtocols) > 0 { 432 // https://tools.ietf.org/html/rfc7301#section-3.1 433 alpnExtension := cryptobyte.NewBuilder(nil) 434 alpnExtension.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { 435 for _, s := range m.alpnProtocols { 436 addUint8LengthPrefixedBytes(protocolNameList, []byte(s)) 437 } 438 }) 439 extensions = append(extensions, extension{ 440 id: extensionALPN, 441 body: alpnExtension.BytesOrPanic(), 442 }) 443 } 444 if len(m.quicTransportParams) > 0 { 445 extensions = append(extensions, extension{ 446 id: extensionQUICTransportParams, 447 body: m.quicTransportParams, 448 }) 449 } 450 if len(m.quicTransportParamsLegacy) > 0 { 451 extensions = append(extensions, extension{ 452 id: extensionQUICTransportParamsLegacy, 453 body: m.quicTransportParamsLegacy, 454 }) 455 } 456 if m.channelIDSupported { 457 extensions = append(extensions, extension{id: extensionChannelID}) 458 } 459 if m.duplicateExtension { 460 // Add a duplicate bogus extension at the beginning and end. 461 extensions = append(extensions, extension{id: extensionDuplicate}) 462 } 463 if m.extendedMasterSecret { 464 // https://tools.ietf.org/html/rfc7627 465 extensions = append(extensions, extension{id: extensionExtendedMasterSecret}) 466 } 467 if len(m.srtpProtectionProfiles) > 0 { 468 // https://tools.ietf.org/html/rfc5764#section-4.1.1 469 useSrtpExt := cryptobyte.NewBuilder(nil) 470 471 useSrtpExt.AddUint16LengthPrefixed(func(srtpProtectionProfiles *cryptobyte.Builder) { 472 for _, p := range m.srtpProtectionProfiles { 473 srtpProtectionProfiles.AddUint16(p) 474 } 475 }) 476 addUint8LengthPrefixedBytes(useSrtpExt, []byte(m.srtpMasterKeyIdentifier)) 477 478 extensions = append(extensions, extension{ 479 id: extensionUseSRTP, 480 body: useSrtpExt.BytesOrPanic(), 481 }) 482 } 483 if m.sctListSupported { 484 extensions = append(extensions, extension{id: extensionSignedCertificateTimestamp}) 485 } 486 if len(m.customExtension) > 0 { 487 extensions = append(extensions, extension{ 488 id: extensionCustom, 489 body: []byte(m.customExtension), 490 }) 491 } 492 if len(m.compressedCertAlgs) > 0 { 493 body := cryptobyte.NewBuilder(nil) 494 body.AddUint8LengthPrefixed(func(algIDs *cryptobyte.Builder) { 495 for _, v := range m.compressedCertAlgs { 496 algIDs.AddUint16(v) 497 } 498 }) 499 extensions = append(extensions, extension{ 500 id: extensionCompressedCertAlgs, 501 body: body.BytesOrPanic(), 502 }) 503 } 504 if len(m.delegatedCredential) > 0 { 505 body := cryptobyte.NewBuilder(nil) 506 body.AddUint16LengthPrefixed(func(signatureSchemeList *cryptobyte.Builder) { 507 for _, sigAlg := range m.delegatedCredential { 508 signatureSchemeList.AddUint16(uint16(sigAlg)) 509 } 510 }) 511 extensions = append(extensions, extension{ 512 id: extensionDelegatedCredential, 513 body: body.BytesOrPanic(), 514 }) 515 } 516 if len(m.alpsProtocols) > 0 { 517 body := cryptobyte.NewBuilder(nil) 518 body.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { 519 for _, s := range m.alpsProtocols { 520 addUint8LengthPrefixedBytes(protocolNameList, []byte(s)) 521 } 522 }) 523 extensions = append(extensions, extension{ 524 id: extensionApplicationSettings, 525 body: body.BytesOrPanic(), 526 }) 527 } 528 if len(m.alpsProtocolsOld) > 0 { 529 body := cryptobyte.NewBuilder(nil) 530 body.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { 531 for _, s := range m.alpsProtocolsOld { 532 addUint8LengthPrefixedBytes(protocolNameList, []byte(s)) 533 } 534 }) 535 extensions = append(extensions, extension{ 536 id: extensionApplicationSettingsOld, 537 body: body.BytesOrPanic(), 538 }) 539 } 540 541 // The PSK extension must be last. See https://tools.ietf.org/html/rfc8446#section-4.2.11 542 if len(m.pskIdentities) > 0 { 543 pskExtension := cryptobyte.NewBuilder(nil) 544 pskExtension.AddUint16LengthPrefixed(func(pskIdentities *cryptobyte.Builder) { 545 for _, psk := range m.pskIdentities { 546 addUint16LengthPrefixedBytes(pskIdentities, psk.ticket) 547 pskIdentities.AddUint32(psk.obfuscatedTicketAge) 548 } 549 }) 550 pskExtension.AddUint16LengthPrefixed(func(pskBinders *cryptobyte.Builder) { 551 for _, binder := range m.pskBinders { 552 addUint8LengthPrefixedBytes(pskBinders, binder) 553 } 554 }) 555 extensions = append(extensions, extension{ 556 id: extensionPreSharedKey, 557 body: pskExtension.BytesOrPanic(), 558 }) 559 } 560 561 if m.omitExtensions { 562 return 563 } 564 hello.AddUint16LengthPrefixed(func(extensionsBB *cryptobyte.Builder) { 565 if m.emptyExtensions { 566 return 567 } 568 extMap := make(map[uint16][]byte) 569 extsWritten := make(map[uint16]struct{}) 570 for _, ext := range extensions { 571 extMap[ext.id] = ext.body 572 } 573 // Write each of the prefix extensions, if we have it. 574 for _, extID := range m.prefixExtensions { 575 if body, ok := extMap[extID]; ok { 576 extensionsBB.AddUint16(extID) 577 addUint16LengthPrefixedBytes(extensionsBB, body) 578 extsWritten[extID] = struct{}{} 579 } 580 } 581 // Write outer extensions, possibly in compressed form. 582 if m.outerExtensions != nil { 583 if typ == clientHelloEncodedInner && !m.reorderOuterExtensionsWithoutCompressing { 584 extensionsBB.AddUint16(extensionECHOuterExtensions) 585 extensionsBB.AddUint16LengthPrefixed(func(child *cryptobyte.Builder) { 586 child.AddUint8LengthPrefixed(func(list *cryptobyte.Builder) { 587 for _, extID := range m.outerExtensions { 588 list.AddUint16(extID) 589 extsWritten[extID] = struct{}{} 590 } 591 }) 592 }) 593 } else { 594 for _, extID := range m.outerExtensions { 595 // m.outerExtensions may intentionally contain duplicates to test the 596 // server's reaction. If m.reorderOuterExtensionsWithoutCompressing 597 // is set, we are targetting the second ClientHello and wish to send a 598 // valid first ClientHello. In that case, deduplicate so the error 599 // only appears later. 600 if _, written := extsWritten[extID]; m.reorderOuterExtensionsWithoutCompressing && written { 601 continue 602 } 603 if body, ok := extMap[extID]; ok { 604 extensionsBB.AddUint16(extID) 605 addUint16LengthPrefixedBytes(extensionsBB, body) 606 extsWritten[extID] = struct{}{} 607 } 608 } 609 } 610 } 611 612 // Write each of the remaining extensions in their original order. 613 for _, ext := range extensions { 614 if _, written := extsWritten[ext.id]; !written { 615 extensionsBB.AddUint16(ext.id) 616 addUint16LengthPrefixedBytes(extensionsBB, ext.body) 617 } 618 } 619 620 if m.pad != 0 && len(hello.BytesOrPanic())%m.pad != 0 { 621 extensionsBB.AddUint16(extensionPadding) 622 extensionsBB.AddUint16LengthPrefixed(func(padding *cryptobyte.Builder) { 623 // Note hello.len() has changed at this point from the length 624 // prefix. 625 if l := len(hello.BytesOrPanic()) % m.pad; l != 0 { 626 padding.AddBytes(make([]byte, m.pad-l)) 627 } 628 }) 629 } 630 }) 631} 632 633func (m *clientHelloMsg) marshalForEncodedInner() []byte { 634 hello := cryptobyte.NewBuilder(nil) 635 m.marshalBody(hello, clientHelloEncodedInner) 636 return hello.BytesOrPanic() 637} 638 639func (m *clientHelloMsg) marshal() []byte { 640 if m.raw != nil { 641 return m.raw 642 } 643 644 if m.isV2ClientHello { 645 v2Msg := cryptobyte.NewBuilder(nil) 646 v2Msg.AddUint8(1) 647 v2Msg.AddUint16(m.vers) 648 v2Msg.AddUint16(uint16(len(m.cipherSuites) * 3)) 649 v2Msg.AddUint16(uint16(len(m.sessionID))) 650 v2Msg.AddUint16(uint16(len(m.v2Challenge))) 651 for _, spec := range m.cipherSuites { 652 v2Msg.AddUint24(uint32(spec)) 653 } 654 v2Msg.AddBytes(m.sessionID) 655 v2Msg.AddBytes(m.v2Challenge) 656 m.raw = v2Msg.BytesOrPanic() 657 return m.raw 658 } 659 660 handshakeMsg := cryptobyte.NewBuilder(nil) 661 handshakeMsg.AddUint8(typeClientHello) 662 handshakeMsg.AddUint24LengthPrefixed(func(hello *cryptobyte.Builder) { 663 m.marshalBody(hello, clientHelloNormal) 664 }) 665 m.raw = handshakeMsg.BytesOrPanic() 666 // Sanity-check padding. 667 if m.pad != 0 && (len(m.raw)-4)%m.pad != 0 { 668 panic(fmt.Sprintf("%d is not a multiple of %d", len(m.raw)-4, m.pad)) 669 } 670 return m.raw 671} 672 673func parseSignatureAlgorithms(reader *cryptobyte.String, out *[]signatureAlgorithm, allowEmpty bool) bool { 674 var sigAlgs cryptobyte.String 675 if !reader.ReadUint16LengthPrefixed(&sigAlgs) { 676 return false 677 } 678 if !allowEmpty && len(sigAlgs) == 0 { 679 return false 680 } 681 *out = make([]signatureAlgorithm, 0, len(sigAlgs)/2) 682 for len(sigAlgs) > 0 { 683 var v uint16 684 if !sigAlgs.ReadUint16(&v) { 685 return false 686 } 687 if signatureAlgorithm(v) == signatureRSAPKCS1WithMD5AndSHA1 { 688 // signatureRSAPKCS1WithMD5AndSHA1 is an internal value BoringSSL 689 // uses to represent the TLS 1.0 MD5/SHA-1 concatenation. It should 690 // never appear on the wire. 691 return false 692 } 693 *out = append(*out, signatureAlgorithm(v)) 694 } 695 return true 696} 697 698func checkDuplicateExtensions(extensions cryptobyte.String) bool { 699 seen := make(map[uint16]struct{}) 700 for len(extensions) > 0 { 701 var extension uint16 702 var body cryptobyte.String 703 if !extensions.ReadUint16(&extension) || 704 !extensions.ReadUint16LengthPrefixed(&body) { 705 return false 706 } 707 if _, ok := seen[extension]; ok { 708 return false 709 } 710 seen[extension] = struct{}{} 711 } 712 return true 713} 714 715func (m *clientHelloMsg) unmarshal(data []byte) bool { 716 m.raw = data 717 reader := cryptobyte.String(data[4:]) 718 if !reader.ReadUint16(&m.vers) || 719 !reader.ReadBytes(&m.random, 32) || 720 !readUint8LengthPrefixedBytes(&reader, &m.sessionID) || 721 len(m.sessionID) > 32 { 722 return false 723 } 724 if m.isDTLS && !readUint8LengthPrefixedBytes(&reader, &m.cookie) { 725 return false 726 } 727 var cipherSuites cryptobyte.String 728 if !reader.ReadUint16LengthPrefixed(&cipherSuites) || 729 !readUint8LengthPrefixedBytes(&reader, &m.compressionMethods) { 730 return false 731 } 732 733 m.cipherSuites = make([]uint16, 0, len(cipherSuites)/2) 734 for len(cipherSuites) > 0 { 735 var v uint16 736 if !cipherSuites.ReadUint16(&v) { 737 return false 738 } 739 m.cipherSuites = append(m.cipherSuites, v) 740 if v == scsvRenegotiation { 741 m.secureRenegotiation = []byte{} 742 } 743 } 744 745 m.nextProtoNeg = false 746 m.serverName = "" 747 m.ocspStapling = false 748 m.keyShares = nil 749 m.pskIdentities = nil 750 m.hasEarlyData = false 751 m.ticketSupported = false 752 m.sessionTicket = nil 753 m.signatureAlgorithms = nil 754 m.signatureAlgorithmsCert = nil 755 m.supportedVersions = nil 756 m.alpnProtocols = nil 757 m.extendedMasterSecret = false 758 m.customExtension = "" 759 m.delegatedCredential = nil 760 m.alpsProtocols = nil 761 m.alpsProtocolsOld = nil 762 763 if len(reader) == 0 { 764 // ClientHello is optionally followed by extension data 765 return true 766 } 767 768 var extensions cryptobyte.String 769 if !reader.ReadUint16LengthPrefixed(&extensions) || len(reader) != 0 || !checkDuplicateExtensions(extensions) { 770 return false 771 } 772 m.rawExtensions = extensions 773 for len(extensions) > 0 { 774 var extension uint16 775 var body cryptobyte.String 776 if !extensions.ReadUint16(&extension) || 777 !extensions.ReadUint16LengthPrefixed(&body) { 778 return false 779 } 780 switch extension { 781 case extensionServerName: 782 var names cryptobyte.String 783 if !body.ReadUint16LengthPrefixed(&names) || len(body) != 0 { 784 return false 785 } 786 for len(names) > 0 { 787 var nameType byte 788 var name []byte 789 if !names.ReadUint8(&nameType) || 790 !readUint16LengthPrefixedBytes(&names, &name) { 791 return false 792 } 793 if nameType == 0 { 794 m.serverName = string(name) 795 } 796 } 797 case extensionEncryptedClientHello: 798 var typ byte 799 if !body.ReadUint8(&typ) { 800 return false 801 } 802 switch typ { 803 case echClientTypeOuter: 804 var echOuter echClientOuter 805 if !body.ReadUint16(&echOuter.kdfID) || 806 !body.ReadUint16(&echOuter.aeadID) || 807 !body.ReadUint8(&echOuter.configID) || 808 !readUint16LengthPrefixedBytes(&body, &echOuter.enc) || 809 !readUint16LengthPrefixedBytes(&body, &echOuter.payload) || 810 len(echOuter.payload) == 0 || 811 len(body) > 0 { 812 return false 813 } 814 m.echOuter = &echOuter 815 m.echPayloadEnd = len(data) - len(extensions) 816 m.echPayloadStart = m.echPayloadEnd - len(echOuter.payload) 817 case echClientTypeInner: 818 if len(body) > 0 { 819 return false 820 } 821 m.echInner = true 822 default: 823 return false 824 } 825 case extensionNextProtoNeg: 826 if len(body) != 0 { 827 return false 828 } 829 m.nextProtoNeg = true 830 case extensionStatusRequest: 831 // This parse is stricter than a production implementation would 832 // use. The status_request extension has many layers of interior 833 // extensibility, but we expect our client to only send empty 834 // requests of type OCSP. 835 var statusType uint8 836 var responderIDList, innerExtensions cryptobyte.String 837 if !body.ReadUint8(&statusType) || 838 statusType != statusTypeOCSP || 839 !body.ReadUint16LengthPrefixed(&responderIDList) || 840 !body.ReadUint16LengthPrefixed(&innerExtensions) || 841 len(responderIDList) != 0 || 842 len(innerExtensions) != 0 || 843 len(body) != 0 { 844 return false 845 } 846 m.ocspStapling = true 847 case extensionSupportedCurves: 848 // http://tools.ietf.org/html/rfc4492#section-5.5.1 849 var curves cryptobyte.String 850 if !body.ReadUint16LengthPrefixed(&curves) || len(body) != 0 { 851 return false 852 } 853 m.supportedCurves = make([]CurveID, 0, len(curves)/2) 854 for len(curves) > 0 { 855 var v uint16 856 if !curves.ReadUint16(&v) { 857 return false 858 } 859 m.supportedCurves = append(m.supportedCurves, CurveID(v)) 860 } 861 case extensionSupportedPoints: 862 // http://tools.ietf.org/html/rfc4492#section-5.1.2 863 if !readUint8LengthPrefixedBytes(&body, &m.supportedPoints) || len(m.supportedPoints) == 0 || len(body) != 0 { 864 return false 865 } 866 case extensionSessionTicket: 867 // http://tools.ietf.org/html/rfc5077#section-3.2 868 m.ticketSupported = true 869 m.sessionTicket = []byte(body) 870 case extensionKeyShare: 871 // https://tools.ietf.org/html/rfc8446#section-4.2.8 872 m.hasKeyShares = true 873 m.keySharesRaw = body 874 var keyShares cryptobyte.String 875 if !body.ReadUint16LengthPrefixed(&keyShares) || len(body) != 0 { 876 return false 877 } 878 for len(keyShares) > 0 { 879 var entry keyShareEntry 880 var group uint16 881 if !keyShares.ReadUint16(&group) || 882 !readUint16LengthPrefixedBytes(&keyShares, &entry.keyExchange) { 883 return false 884 } 885 entry.group = CurveID(group) 886 m.keyShares = append(m.keyShares, entry) 887 } 888 case extensionPreSharedKey: 889 // https://tools.ietf.org/html/rfc8446#section-4.2.11 890 var psks, binders cryptobyte.String 891 if !body.ReadUint16LengthPrefixed(&psks) || 892 !body.ReadUint16LengthPrefixed(&binders) || 893 len(body) != 0 { 894 return false 895 } 896 for len(psks) > 0 { 897 var psk pskIdentity 898 if !readUint16LengthPrefixedBytes(&psks, &psk.ticket) || 899 !psks.ReadUint32(&psk.obfuscatedTicketAge) { 900 return false 901 } 902 m.pskIdentities = append(m.pskIdentities, psk) 903 } 904 for len(binders) > 0 { 905 var binder []byte 906 if !readUint8LengthPrefixedBytes(&binders, &binder) { 907 return false 908 } 909 m.pskBinders = append(m.pskBinders, binder) 910 } 911 912 // There must be the same number of identities as binders. 913 if len(m.pskIdentities) != len(m.pskBinders) { 914 return false 915 } 916 case extensionPSKKeyExchangeModes: 917 // https://tools.ietf.org/html/rfc8446#section-4.2.9 918 if !readUint8LengthPrefixedBytes(&body, &m.pskKEModes) || len(body) != 0 { 919 return false 920 } 921 case extensionEarlyData: 922 // https://tools.ietf.org/html/rfc8446#section-4.2.10 923 if len(body) != 0 { 924 return false 925 } 926 m.hasEarlyData = true 927 case extensionCookie: 928 if !readUint16LengthPrefixedBytes(&body, &m.tls13Cookie) || len(body) != 0 { 929 return false 930 } 931 case extensionSignatureAlgorithms: 932 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 933 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms, false) || len(body) != 0 { 934 return false 935 } 936 case extensionSignatureAlgorithmsCert: 937 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithmsCert, false) || len(body) != 0 { 938 return false 939 } 940 case extensionSupportedVersions: 941 var versions cryptobyte.String 942 if !body.ReadUint8LengthPrefixed(&versions) || len(body) != 0 { 943 return false 944 } 945 m.supportedVersions = make([]uint16, 0, len(versions)/2) 946 for len(versions) > 0 { 947 var v uint16 948 if !versions.ReadUint16(&v) { 949 return false 950 } 951 m.supportedVersions = append(m.supportedVersions, v) 952 } 953 case extensionRenegotiationInfo: 954 if !readUint8LengthPrefixedBytes(&body, &m.secureRenegotiation) || len(body) != 0 { 955 return false 956 } 957 case extensionALPN: 958 var protocols cryptobyte.String 959 if !body.ReadUint16LengthPrefixed(&protocols) || len(body) != 0 { 960 return false 961 } 962 for len(protocols) > 0 { 963 var protocol []byte 964 if !readUint8LengthPrefixedBytes(&protocols, &protocol) || len(protocol) == 0 { 965 return false 966 } 967 m.alpnProtocols = append(m.alpnProtocols, string(protocol)) 968 } 969 case extensionQUICTransportParams: 970 m.quicTransportParams = body 971 case extensionQUICTransportParamsLegacy: 972 m.quicTransportParamsLegacy = body 973 case extensionChannelID: 974 if len(body) != 0 { 975 return false 976 } 977 m.channelIDSupported = true 978 case extensionExtendedMasterSecret: 979 if len(body) != 0 { 980 return false 981 } 982 m.extendedMasterSecret = true 983 case extensionUseSRTP: 984 var profiles cryptobyte.String 985 var mki []byte 986 if !body.ReadUint16LengthPrefixed(&profiles) || 987 !readUint8LengthPrefixedBytes(&body, &mki) || 988 len(body) != 0 { 989 return false 990 } 991 m.srtpProtectionProfiles = make([]uint16, 0, len(profiles)/2) 992 for len(profiles) > 0 { 993 var v uint16 994 if !profiles.ReadUint16(&v) { 995 return false 996 } 997 m.srtpProtectionProfiles = append(m.srtpProtectionProfiles, v) 998 } 999 m.srtpMasterKeyIdentifier = string(mki) 1000 case extensionSignedCertificateTimestamp: 1001 if len(body) != 0 { 1002 return false 1003 } 1004 m.sctListSupported = true 1005 case extensionCustom: 1006 m.customExtension = string(body) 1007 case extensionCompressedCertAlgs: 1008 var algIDs cryptobyte.String 1009 if !body.ReadUint8LengthPrefixed(&algIDs) { 1010 return false 1011 } 1012 1013 seen := make(map[uint16]struct{}) 1014 for len(algIDs) > 0 { 1015 var algID uint16 1016 if !algIDs.ReadUint16(&algID) { 1017 return false 1018 } 1019 if _, ok := seen[algID]; ok { 1020 return false 1021 } 1022 seen[algID] = struct{}{} 1023 m.compressedCertAlgs = append(m.compressedCertAlgs, algID) 1024 } 1025 case extensionPadding: 1026 // Padding bytes must be all zero. 1027 for _, b := range body { 1028 if b != 0 { 1029 return false 1030 } 1031 } 1032 case extensionDelegatedCredential: 1033 if !parseSignatureAlgorithms(&body, &m.delegatedCredential, false) || len(body) != 0 { 1034 return false 1035 } 1036 case extensionApplicationSettings: 1037 var protocols cryptobyte.String 1038 if !body.ReadUint16LengthPrefixed(&protocols) || len(body) != 0 { 1039 return false 1040 } 1041 for len(protocols) > 0 { 1042 var protocol []byte 1043 if !readUint8LengthPrefixedBytes(&protocols, &protocol) || len(protocol) == 0 { 1044 return false 1045 } 1046 m.alpsProtocols = append(m.alpsProtocols, string(protocol)) 1047 } 1048 case extensionApplicationSettingsOld: 1049 var protocols cryptobyte.String 1050 if !body.ReadUint16LengthPrefixed(&protocols) || len(body) != 0 { 1051 return false 1052 } 1053 for len(protocols) > 0 { 1054 var protocol []byte 1055 if !readUint8LengthPrefixedBytes(&protocols, &protocol) || len(protocol) == 0 { 1056 return false 1057 } 1058 m.alpsProtocolsOld = append(m.alpsProtocolsOld, string(protocol)) 1059 } 1060 } 1061 1062 if isGREASEValue(extension) { 1063 m.hasGREASEExtension = true 1064 } 1065 } 1066 1067 return true 1068} 1069 1070func decodeClientHelloInner(config *Config, encoded []byte, helloOuter *clientHelloMsg) (*clientHelloMsg, error) { 1071 reader := cryptobyte.String(encoded) 1072 var versAndRandom, sessionID, cipherSuites, compressionMethods []byte 1073 var extensions cryptobyte.String 1074 if !reader.ReadBytes(&versAndRandom, 2+32) || 1075 !readUint8LengthPrefixedBytes(&reader, &sessionID) || 1076 len(sessionID) != 0 || // Copied from |helloOuter| 1077 !readUint16LengthPrefixedBytes(&reader, &cipherSuites) || 1078 !readUint8LengthPrefixedBytes(&reader, &compressionMethods) || 1079 !reader.ReadUint16LengthPrefixed(&extensions) { 1080 return nil, errors.New("tls: error parsing EncodedClientHelloInner") 1081 } 1082 1083 // The remainder of the structure is padding. 1084 for _, padding := range reader { 1085 if padding != 0 { 1086 return nil, errors.New("tls: non-zero padding in EncodedClientHelloInner") 1087 } 1088 } 1089 1090 copied := make(map[uint16]struct{}) 1091 builder := cryptobyte.NewBuilder(nil) 1092 builder.AddUint8(typeClientHello) 1093 builder.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) { 1094 body.AddBytes(versAndRandom) 1095 addUint8LengthPrefixedBytes(body, helloOuter.sessionID) 1096 addUint16LengthPrefixedBytes(body, cipherSuites) 1097 addUint8LengthPrefixedBytes(body, compressionMethods) 1098 body.AddUint16LengthPrefixed(func(newExtensions *cryptobyte.Builder) { 1099 var seenOuterExtensions bool 1100 outerExtensions := cryptobyte.String(helloOuter.rawExtensions) 1101 for len(extensions) > 0 { 1102 var extType uint16 1103 var extBody cryptobyte.String 1104 if !extensions.ReadUint16(&extType) || 1105 !extensions.ReadUint16LengthPrefixed(&extBody) { 1106 newExtensions.SetError(errors.New("tls: error parsing EncodedClientHelloInner")) 1107 return 1108 } 1109 if extType != extensionECHOuterExtensions { 1110 newExtensions.AddUint16(extType) 1111 addUint16LengthPrefixedBytes(newExtensions, extBody) 1112 continue 1113 } 1114 if seenOuterExtensions { 1115 newExtensions.SetError(errors.New("tls: duplicate ech_outer_extensions extension")) 1116 return 1117 } 1118 seenOuterExtensions = true 1119 var extList cryptobyte.String 1120 if !extBody.ReadUint8LengthPrefixed(&extList) || len(extList) == 0 || len(extBody) != 0 { 1121 newExtensions.SetError(errors.New("tls: error parsing ech_outer_extensions")) 1122 return 1123 } 1124 for len(extList) != 0 { 1125 var newExtType uint16 1126 if !extList.ReadUint16(&newExtType) { 1127 newExtensions.SetError(errors.New("tls: error parsing ech_outer_extensions")) 1128 return 1129 } 1130 if newExtType == extensionEncryptedClientHello { 1131 newExtensions.SetError(errors.New("tls: error parsing ech_outer_extensions")) 1132 return 1133 } 1134 for { 1135 if len(outerExtensions) == 0 { 1136 newExtensions.SetError(fmt.Errorf("tls: extension %d not found in ClientHelloOuter", newExtType)) 1137 return 1138 } 1139 var foundExt uint16 1140 var newExtBody []byte 1141 if !outerExtensions.ReadUint16(&foundExt) || 1142 !readUint16LengthPrefixedBytes(&outerExtensions, &newExtBody) { 1143 newExtensions.SetError(errors.New("tls: error parsing ClientHelloOuter")) 1144 return 1145 } 1146 if foundExt == newExtType { 1147 newExtensions.AddUint16(newExtType) 1148 addUint16LengthPrefixedBytes(newExtensions, newExtBody) 1149 copied[newExtType] = struct{}{} 1150 break 1151 } 1152 } 1153 } 1154 } 1155 }) 1156 }) 1157 1158 bytes, err := builder.Bytes() 1159 if err != nil { 1160 return nil, err 1161 } 1162 1163 for _, expected := range config.Bugs.ExpectECHOuterExtensions { 1164 if _, ok := copied[expected]; !ok { 1165 return nil, fmt.Errorf("tls: extension %d not found in ech_outer_extensions", expected) 1166 } 1167 } 1168 for _, expected := range config.Bugs.ExpectECHUncompressedExtensions { 1169 if _, ok := copied[expected]; ok { 1170 return nil, fmt.Errorf("tls: extension %d unexpectedly found in ech_outer_extensions", expected) 1171 } 1172 } 1173 1174 ret := new(clientHelloMsg) 1175 if !ret.unmarshal(bytes) { 1176 return nil, errors.New("tls: error parsing reconstructed ClientHello") 1177 } 1178 1179 return ret, nil 1180} 1181 1182type serverHelloMsg struct { 1183 raw []byte 1184 isDTLS bool 1185 vers uint16 1186 versOverride uint16 1187 supportedVersOverride uint16 1188 omitSupportedVers bool 1189 random []byte 1190 sessionID []byte 1191 cipherSuite uint16 1192 hasKeyShare bool 1193 keyShare keyShareEntry 1194 hasPSKIdentity bool 1195 pskIdentity uint16 1196 compressionMethod uint8 1197 customExtension string 1198 unencryptedALPN string 1199 omitExtensions bool 1200 emptyExtensions bool 1201 extensions serverExtensions 1202} 1203 1204func (m *serverHelloMsg) marshal() []byte { 1205 if m.raw != nil { 1206 return m.raw 1207 } 1208 1209 handshakeMsg := cryptobyte.NewBuilder(nil) 1210 handshakeMsg.AddUint8(typeServerHello) 1211 handshakeMsg.AddUint24LengthPrefixed(func(hello *cryptobyte.Builder) { 1212 // m.vers is used both to determine the format of the rest of the 1213 // ServerHello and to override the value, so include a second version 1214 // field. 1215 vers, ok := wireToVersion(m.vers, m.isDTLS) 1216 if !ok { 1217 panic("unknown version") 1218 } 1219 if m.versOverride != 0 { 1220 hello.AddUint16(m.versOverride) 1221 } else if vers >= VersionTLS13 { 1222 hello.AddUint16(VersionTLS12) 1223 } else { 1224 hello.AddUint16(m.vers) 1225 } 1226 1227 hello.AddBytes(m.random) 1228 addUint8LengthPrefixedBytes(hello, m.sessionID) 1229 hello.AddUint16(m.cipherSuite) 1230 hello.AddUint8(m.compressionMethod) 1231 1232 hello.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 1233 if vers >= VersionTLS13 { 1234 if m.hasKeyShare { 1235 extensions.AddUint16(extensionKeyShare) 1236 extensions.AddUint16LengthPrefixed(func(keyShare *cryptobyte.Builder) { 1237 keyShare.AddUint16(uint16(m.keyShare.group)) 1238 addUint16LengthPrefixedBytes(keyShare, m.keyShare.keyExchange) 1239 }) 1240 } 1241 if m.hasPSKIdentity { 1242 extensions.AddUint16(extensionPreSharedKey) 1243 extensions.AddUint16(2) // Length 1244 extensions.AddUint16(m.pskIdentity) 1245 } 1246 if !m.omitSupportedVers { 1247 extensions.AddUint16(extensionSupportedVersions) 1248 extensions.AddUint16(2) // Length 1249 if m.supportedVersOverride != 0 { 1250 extensions.AddUint16(m.supportedVersOverride) 1251 } else { 1252 extensions.AddUint16(m.vers) 1253 } 1254 } 1255 if len(m.customExtension) > 0 { 1256 extensions.AddUint16(extensionCustom) 1257 addUint16LengthPrefixedBytes(extensions, []byte(m.customExtension)) 1258 } 1259 if len(m.unencryptedALPN) > 0 { 1260 extensions.AddUint16(extensionALPN) 1261 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 1262 extension.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { 1263 addUint8LengthPrefixedBytes(protocolNameList, []byte(m.unencryptedALPN)) 1264 }) 1265 }) 1266 } 1267 } else { 1268 m.extensions.marshal(extensions) 1269 } 1270 if m.omitExtensions || m.emptyExtensions { 1271 // Silently erasing server extensions will break the handshake. Instead, 1272 // assert that tests which use this field also disable all features which 1273 // would write an extension. Note the length includes the length prefix. 1274 if b := extensions.BytesOrPanic(); len(b) != 2 { 1275 panic(fmt.Sprintf("ServerHello unexpectedly contained extensions: %x, %+v", b, m)) 1276 } 1277 } 1278 }) 1279 // Remove the length prefix. 1280 if m.omitExtensions { 1281 hello.Unwrite(2) 1282 } 1283 }) 1284 1285 m.raw = handshakeMsg.BytesOrPanic() 1286 return m.raw 1287} 1288 1289func (m *serverHelloMsg) unmarshal(data []byte) bool { 1290 m.raw = data 1291 reader := cryptobyte.String(data[4:]) 1292 if !reader.ReadUint16(&m.vers) || 1293 !reader.ReadBytes(&m.random, 32) { 1294 return false 1295 } 1296 vers, ok := wireToVersion(m.vers, m.isDTLS) 1297 if !ok { 1298 return false 1299 } 1300 if !readUint8LengthPrefixedBytes(&reader, &m.sessionID) || 1301 !reader.ReadUint16(&m.cipherSuite) || 1302 !reader.ReadUint8(&m.compressionMethod) { 1303 return false 1304 } 1305 1306 if len(reader) == 0 && m.vers < VersionTLS13 { 1307 // Extension data is optional before TLS 1.3. 1308 m.extensions = serverExtensions{} 1309 m.omitExtensions = true 1310 return true 1311 } 1312 1313 var extensions cryptobyte.String 1314 if !reader.ReadUint16LengthPrefixed(&extensions) || len(reader) != 0 || !checkDuplicateExtensions(extensions) { 1315 return false 1316 } 1317 1318 // Parse out the version from supported_versions if available. 1319 if m.vers == VersionTLS12 { 1320 extensionsCopy := extensions 1321 for len(extensionsCopy) > 0 { 1322 var extension uint16 1323 var body cryptobyte.String 1324 if !extensionsCopy.ReadUint16(&extension) || 1325 !extensionsCopy.ReadUint16LengthPrefixed(&body) { 1326 return false 1327 } 1328 if extension == extensionSupportedVersions { 1329 if !body.ReadUint16(&m.vers) || len(body) != 0 { 1330 return false 1331 } 1332 vers, ok = wireToVersion(m.vers, m.isDTLS) 1333 if !ok { 1334 return false 1335 } 1336 } 1337 } 1338 } 1339 1340 if vers >= VersionTLS13 { 1341 for len(extensions) > 0 { 1342 var extension uint16 1343 var body cryptobyte.String 1344 if !extensions.ReadUint16(&extension) || 1345 !extensions.ReadUint16LengthPrefixed(&body) { 1346 return false 1347 } 1348 switch extension { 1349 case extensionKeyShare: 1350 m.hasKeyShare = true 1351 var group uint16 1352 if !body.ReadUint16(&group) || 1353 !readUint16LengthPrefixedBytes(&body, &m.keyShare.keyExchange) || 1354 len(body) != 0 { 1355 return false 1356 } 1357 m.keyShare.group = CurveID(group) 1358 case extensionPreSharedKey: 1359 if !body.ReadUint16(&m.pskIdentity) || len(body) != 0 { 1360 return false 1361 } 1362 m.hasPSKIdentity = true 1363 case extensionSupportedVersions: 1364 // Parsed above. 1365 default: 1366 // Only allow the 3 extensions that are sent in 1367 // the clear in TLS 1.3. 1368 return false 1369 } 1370 } 1371 } else if !m.extensions.unmarshal(extensions, vers) { 1372 return false 1373 } 1374 1375 return true 1376} 1377 1378type encryptedExtensionsMsg struct { 1379 raw []byte 1380 extensions serverExtensions 1381 empty bool 1382} 1383 1384func (m *encryptedExtensionsMsg) marshal() []byte { 1385 if m.raw != nil { 1386 return m.raw 1387 } 1388 1389 encryptedExtensionsMsg := cryptobyte.NewBuilder(nil) 1390 encryptedExtensionsMsg.AddUint8(typeEncryptedExtensions) 1391 encryptedExtensionsMsg.AddUint24LengthPrefixed(func(encryptedExtensions *cryptobyte.Builder) { 1392 if !m.empty { 1393 encryptedExtensions.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 1394 m.extensions.marshal(extensions) 1395 }) 1396 } 1397 }) 1398 1399 m.raw = encryptedExtensionsMsg.BytesOrPanic() 1400 return m.raw 1401} 1402 1403func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { 1404 m.raw = data 1405 reader := cryptobyte.String(data[4:]) 1406 var extensions cryptobyte.String 1407 if !reader.ReadUint16LengthPrefixed(&extensions) || len(reader) != 0 { 1408 return false 1409 } 1410 return m.extensions.unmarshal(extensions, VersionTLS13) 1411} 1412 1413type serverExtensions struct { 1414 nextProtoNeg bool 1415 nextProtos []string 1416 ocspStapling bool 1417 ticketSupported bool 1418 secureRenegotiation []byte 1419 alpnProtocol string 1420 alpnProtocolEmpty bool 1421 duplicateExtension bool 1422 channelIDRequested bool 1423 extendedMasterSecret bool 1424 srtpProtectionProfile uint16 1425 srtpMasterKeyIdentifier string 1426 sctList []byte 1427 customExtension string 1428 npnAfterAlpn bool 1429 hasKeyShare bool 1430 hasEarlyData bool 1431 keyShare keyShareEntry 1432 supportedVersion uint16 1433 supportedPoints []uint8 1434 supportedCurves []CurveID 1435 quicTransportParams []byte 1436 quicTransportParamsLegacy []byte 1437 serverNameAck bool 1438 applicationSettings []byte 1439 hasApplicationSettings bool 1440 applicationSettingsOld []byte 1441 hasApplicationSettingsOld bool 1442 echRetryConfigs []byte 1443} 1444 1445func (m *serverExtensions) marshal(extensions *cryptobyte.Builder) { 1446 if m.duplicateExtension { 1447 // Add a duplicate bogus extension at the beginning and end. 1448 extensions.AddUint16(extensionDuplicate) 1449 extensions.AddUint16(0) // length = 0 for empty extension 1450 } 1451 if m.nextProtoNeg && !m.npnAfterAlpn { 1452 extensions.AddUint16(extensionNextProtoNeg) 1453 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 1454 for _, v := range m.nextProtos { 1455 addUint8LengthPrefixedBytes(extension, []byte(v)) 1456 } 1457 }) 1458 } 1459 if m.ocspStapling { 1460 extensions.AddUint16(extensionStatusRequest) 1461 extensions.AddUint16(0) 1462 } 1463 if m.ticketSupported { 1464 extensions.AddUint16(extensionSessionTicket) 1465 extensions.AddUint16(0) 1466 } 1467 if m.secureRenegotiation != nil { 1468 extensions.AddUint16(extensionRenegotiationInfo) 1469 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 1470 addUint8LengthPrefixedBytes(extension, m.secureRenegotiation) 1471 }) 1472 } 1473 if len(m.alpnProtocol) > 0 || m.alpnProtocolEmpty { 1474 extensions.AddUint16(extensionALPN) 1475 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 1476 extension.AddUint16LengthPrefixed(func(protocolNameList *cryptobyte.Builder) { 1477 addUint8LengthPrefixedBytes(protocolNameList, []byte(m.alpnProtocol)) 1478 }) 1479 }) 1480 } 1481 if m.channelIDRequested { 1482 extensions.AddUint16(extensionChannelID) 1483 extensions.AddUint16(0) 1484 } 1485 if m.duplicateExtension { 1486 // Add a duplicate bogus extension at the beginning and end. 1487 extensions.AddUint16(extensionDuplicate) 1488 extensions.AddUint16(0) 1489 } 1490 if m.extendedMasterSecret { 1491 extensions.AddUint16(extensionExtendedMasterSecret) 1492 extensions.AddUint16(0) 1493 } 1494 if m.srtpProtectionProfile != 0 { 1495 extensions.AddUint16(extensionUseSRTP) 1496 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 1497 extension.AddUint16LengthPrefixed(func(srtpProtectionProfiles *cryptobyte.Builder) { 1498 srtpProtectionProfiles.AddUint16(m.srtpProtectionProfile) 1499 }) 1500 addUint8LengthPrefixedBytes(extension, []byte(m.srtpMasterKeyIdentifier)) 1501 }) 1502 } 1503 if m.sctList != nil { 1504 extensions.AddUint16(extensionSignedCertificateTimestamp) 1505 addUint16LengthPrefixedBytes(extensions, m.sctList) 1506 } 1507 if l := len(m.customExtension); l > 0 { 1508 extensions.AddUint16(extensionCustom) 1509 addUint16LengthPrefixedBytes(extensions, []byte(m.customExtension)) 1510 } 1511 if m.nextProtoNeg && m.npnAfterAlpn { 1512 extensions.AddUint16(extensionNextProtoNeg) 1513 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 1514 for _, v := range m.nextProtos { 1515 addUint8LengthPrefixedBytes(extension, []byte(v)) 1516 } 1517 }) 1518 } 1519 if m.hasKeyShare { 1520 extensions.AddUint16(extensionKeyShare) 1521 extensions.AddUint16LengthPrefixed(func(keyShare *cryptobyte.Builder) { 1522 keyShare.AddUint16(uint16(m.keyShare.group)) 1523 addUint16LengthPrefixedBytes(keyShare, m.keyShare.keyExchange) 1524 }) 1525 } 1526 if m.supportedVersion != 0 { 1527 extensions.AddUint16(extensionSupportedVersions) 1528 extensions.AddUint16(2) // Length 1529 extensions.AddUint16(m.supportedVersion) 1530 } 1531 if len(m.supportedPoints) > 0 { 1532 // http://tools.ietf.org/html/rfc4492#section-5.1.2 1533 extensions.AddUint16(extensionSupportedPoints) 1534 extensions.AddUint16LengthPrefixed(func(supportedPointsList *cryptobyte.Builder) { 1535 addUint8LengthPrefixedBytes(supportedPointsList, m.supportedPoints) 1536 }) 1537 } 1538 if len(m.supportedCurves) > 0 { 1539 // https://tools.ietf.org/html/rfc8446#section-4.2.7 1540 extensions.AddUint16(extensionSupportedCurves) 1541 extensions.AddUint16LengthPrefixed(func(supportedCurvesList *cryptobyte.Builder) { 1542 supportedCurvesList.AddUint16LengthPrefixed(func(supportedCurves *cryptobyte.Builder) { 1543 for _, curve := range m.supportedCurves { 1544 supportedCurves.AddUint16(uint16(curve)) 1545 } 1546 }) 1547 }) 1548 } 1549 if len(m.quicTransportParams) > 0 { 1550 extensions.AddUint16(extensionQUICTransportParams) 1551 addUint16LengthPrefixedBytes(extensions, m.quicTransportParams) 1552 } 1553 if len(m.quicTransportParamsLegacy) > 0 { 1554 extensions.AddUint16(extensionQUICTransportParamsLegacy) 1555 addUint16LengthPrefixedBytes(extensions, m.quicTransportParamsLegacy) 1556 } 1557 if m.hasEarlyData { 1558 extensions.AddUint16(extensionEarlyData) 1559 extensions.AddBytes([]byte{0, 0}) 1560 } 1561 if m.serverNameAck { 1562 extensions.AddUint16(extensionServerName) 1563 extensions.AddUint16(0) // zero length 1564 } 1565 if m.hasApplicationSettings { 1566 extensions.AddUint16(extensionApplicationSettings) 1567 addUint16LengthPrefixedBytes(extensions, m.applicationSettings) 1568 } 1569 if m.hasApplicationSettingsOld { 1570 extensions.AddUint16(extensionApplicationSettingsOld) 1571 addUint16LengthPrefixedBytes(extensions, m.applicationSettingsOld) 1572 } 1573 if len(m.echRetryConfigs) > 0 { 1574 extensions.AddUint16(extensionEncryptedClientHello) 1575 addUint16LengthPrefixedBytes(extensions, m.echRetryConfigs) 1576 } 1577} 1578 1579func (m *serverExtensions) unmarshal(data cryptobyte.String, version uint16) bool { 1580 // Reset all fields. 1581 *m = serverExtensions{} 1582 1583 if !checkDuplicateExtensions(data) { 1584 return false 1585 } 1586 1587 for len(data) > 0 { 1588 var extension uint16 1589 var body cryptobyte.String 1590 if !data.ReadUint16(&extension) || 1591 !data.ReadUint16LengthPrefixed(&body) { 1592 return false 1593 } 1594 switch extension { 1595 case extensionNextProtoNeg: 1596 m.nextProtoNeg = true 1597 for len(body) > 0 { 1598 var protocol []byte 1599 if !readUint8LengthPrefixedBytes(&body, &protocol) { 1600 return false 1601 } 1602 m.nextProtos = append(m.nextProtos, string(protocol)) 1603 } 1604 case extensionStatusRequest: 1605 if len(body) != 0 { 1606 return false 1607 } 1608 m.ocspStapling = true 1609 case extensionSessionTicket: 1610 if len(body) != 0 { 1611 return false 1612 } 1613 m.ticketSupported = true 1614 case extensionRenegotiationInfo: 1615 if !readUint8LengthPrefixedBytes(&body, &m.secureRenegotiation) || len(body) != 0 { 1616 return false 1617 } 1618 case extensionALPN: 1619 var protocols, protocol cryptobyte.String 1620 if !body.ReadUint16LengthPrefixed(&protocols) || 1621 len(body) != 0 || 1622 !protocols.ReadUint8LengthPrefixed(&protocol) || 1623 len(protocols) != 0 { 1624 return false 1625 } 1626 m.alpnProtocol = string(protocol) 1627 m.alpnProtocolEmpty = len(protocol) == 0 1628 case extensionChannelID: 1629 if len(body) != 0 { 1630 return false 1631 } 1632 m.channelIDRequested = true 1633 case extensionExtendedMasterSecret: 1634 if len(body) != 0 { 1635 return false 1636 } 1637 m.extendedMasterSecret = true 1638 case extensionUseSRTP: 1639 var profiles, mki cryptobyte.String 1640 if !body.ReadUint16LengthPrefixed(&profiles) || 1641 !profiles.ReadUint16(&m.srtpProtectionProfile) || 1642 len(profiles) != 0 || 1643 !body.ReadUint8LengthPrefixed(&mki) || 1644 len(body) != 0 { 1645 return false 1646 } 1647 m.srtpMasterKeyIdentifier = string(mki) 1648 case extensionSignedCertificateTimestamp: 1649 m.sctList = []byte(body) 1650 case extensionCustom: 1651 m.customExtension = string(body) 1652 case extensionServerName: 1653 if len(body) != 0 { 1654 return false 1655 } 1656 m.serverNameAck = true 1657 case extensionSupportedPoints: 1658 // supported_points is illegal in TLS 1.3. 1659 if version >= VersionTLS13 { 1660 return false 1661 } 1662 // http://tools.ietf.org/html/rfc4492#section-5.5.2 1663 if !readUint8LengthPrefixedBytes(&body, &m.supportedPoints) || len(body) != 0 { 1664 return false 1665 } 1666 case extensionSupportedCurves: 1667 // The server can only send supported_curves in TLS 1.3. 1668 if version < VersionTLS13 { 1669 return false 1670 } 1671 case extensionQUICTransportParams: 1672 m.quicTransportParams = body 1673 case extensionQUICTransportParamsLegacy: 1674 m.quicTransportParamsLegacy = body 1675 case extensionEarlyData: 1676 if version < VersionTLS13 || len(body) != 0 { 1677 return false 1678 } 1679 m.hasEarlyData = true 1680 case extensionApplicationSettings: 1681 m.hasApplicationSettings = true 1682 m.applicationSettings = body 1683 case extensionApplicationSettingsOld: 1684 m.hasApplicationSettingsOld = true 1685 m.applicationSettingsOld = body 1686 case extensionEncryptedClientHello: 1687 if version < VersionTLS13 { 1688 return false 1689 } 1690 m.echRetryConfigs = body 1691 1692 // Validate the ECHConfig with a top-level parse. 1693 var echConfigs cryptobyte.String 1694 if !body.ReadUint16LengthPrefixed(&echConfigs) { 1695 return false 1696 } 1697 for len(echConfigs) > 0 { 1698 var version uint16 1699 var contents cryptobyte.String 1700 if !echConfigs.ReadUint16(&version) || 1701 !echConfigs.ReadUint16LengthPrefixed(&contents) { 1702 return false 1703 } 1704 } 1705 if len(body) > 0 { 1706 return false 1707 } 1708 default: 1709 // Unknown extensions are illegal from the server. 1710 return false 1711 } 1712 } 1713 1714 return true 1715} 1716 1717type clientEncryptedExtensionsMsg struct { 1718 raw []byte 1719 applicationSettings []byte 1720 hasApplicationSettings bool 1721 applicationSettingsOld []byte 1722 hasApplicationSettingsOld bool 1723 customExtension []byte 1724} 1725 1726func (m *clientEncryptedExtensionsMsg) marshal() (x []byte) { 1727 if m.raw != nil { 1728 return m.raw 1729 } 1730 1731 builder := cryptobyte.NewBuilder(nil) 1732 builder.AddUint8(typeEncryptedExtensions) 1733 builder.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) { 1734 body.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 1735 if m.hasApplicationSettings { 1736 extensions.AddUint16(extensionApplicationSettings) 1737 addUint16LengthPrefixedBytes(extensions, m.applicationSettings) 1738 } 1739 if m.hasApplicationSettingsOld { 1740 extensions.AddUint16(extensionApplicationSettingsOld) 1741 addUint16LengthPrefixedBytes(extensions, m.applicationSettingsOld) 1742 } 1743 if len(m.customExtension) > 0 { 1744 extensions.AddUint16(extensionCustom) 1745 addUint16LengthPrefixedBytes(extensions, m.customExtension) 1746 } 1747 }) 1748 }) 1749 1750 m.raw = builder.BytesOrPanic() 1751 return m.raw 1752} 1753 1754func (m *clientEncryptedExtensionsMsg) unmarshal(data []byte) bool { 1755 m.raw = data 1756 reader := cryptobyte.String(data[4:]) 1757 1758 var extensions cryptobyte.String 1759 if !reader.ReadUint16LengthPrefixed(&extensions) || 1760 len(reader) != 0 { 1761 return false 1762 } 1763 1764 if !checkDuplicateExtensions(extensions) { 1765 return false 1766 } 1767 1768 for len(extensions) > 0 { 1769 var extension uint16 1770 var body cryptobyte.String 1771 if !extensions.ReadUint16(&extension) || 1772 !extensions.ReadUint16LengthPrefixed(&body) { 1773 return false 1774 } 1775 switch extension { 1776 case extensionApplicationSettings: 1777 m.hasApplicationSettings = true 1778 m.applicationSettings = body 1779 case extensionApplicationSettingsOld: 1780 m.hasApplicationSettingsOld = true 1781 m.applicationSettingsOld = body 1782 default: 1783 // Unknown extensions are illegal in EncryptedExtensions. 1784 return false 1785 } 1786 } 1787 return true 1788} 1789 1790type helloRetryRequestMsg struct { 1791 raw []byte 1792 vers uint16 1793 sessionID []byte 1794 cipherSuite uint16 1795 compressionMethod uint8 1796 hasSelectedGroup bool 1797 selectedGroup CurveID 1798 cookie []byte 1799 customExtension string 1800 echConfirmation []byte 1801 echConfirmationOffset int 1802 duplicateExtensions bool 1803} 1804 1805func (m *helloRetryRequestMsg) marshal() []byte { 1806 if m.raw != nil { 1807 return m.raw 1808 } 1809 1810 retryRequestMsg := cryptobyte.NewBuilder(nil) 1811 retryRequestMsg.AddUint8(typeServerHello) 1812 retryRequestMsg.AddUint24LengthPrefixed(func(retryRequest *cryptobyte.Builder) { 1813 retryRequest.AddUint16(VersionTLS12) 1814 retryRequest.AddBytes(tls13HelloRetryRequest) 1815 addUint8LengthPrefixedBytes(retryRequest, m.sessionID) 1816 retryRequest.AddUint16(m.cipherSuite) 1817 retryRequest.AddUint8(m.compressionMethod) 1818 1819 retryRequest.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 1820 count := 1 1821 if m.duplicateExtensions { 1822 count = 2 1823 } 1824 1825 for i := 0; i < count; i++ { 1826 extensions.AddUint16(extensionSupportedVersions) 1827 extensions.AddUint16(2) // Length 1828 extensions.AddUint16(m.vers) 1829 if m.hasSelectedGroup { 1830 extensions.AddUint16(extensionKeyShare) 1831 extensions.AddUint16(2) // length 1832 extensions.AddUint16(uint16(m.selectedGroup)) 1833 } 1834 // m.cookie may be a non-nil empty slice for empty cookie tests. 1835 if m.cookie != nil { 1836 extensions.AddUint16(extensionCookie) 1837 extensions.AddUint16LengthPrefixed(func(body *cryptobyte.Builder) { 1838 addUint16LengthPrefixedBytes(body, m.cookie) 1839 }) 1840 } 1841 if len(m.customExtension) > 0 { 1842 extensions.AddUint16(extensionCustom) 1843 addUint16LengthPrefixedBytes(extensions, []byte(m.customExtension)) 1844 } 1845 if len(m.echConfirmation) > 0 { 1846 extensions.AddUint16(extensionEncryptedClientHello) 1847 addUint16LengthPrefixedBytes(extensions, m.echConfirmation) 1848 } 1849 } 1850 }) 1851 }) 1852 1853 m.raw = retryRequestMsg.BytesOrPanic() 1854 return m.raw 1855} 1856 1857func (m *helloRetryRequestMsg) unmarshal(data []byte) bool { 1858 m.raw = data 1859 reader := cryptobyte.String(data[4:]) 1860 var legacyVers uint16 1861 var random []byte 1862 var compressionMethod byte 1863 var extensions cryptobyte.String 1864 if !reader.ReadUint16(&legacyVers) || 1865 legacyVers != VersionTLS12 || 1866 !reader.ReadBytes(&random, 32) || 1867 !readUint8LengthPrefixedBytes(&reader, &m.sessionID) || 1868 !reader.ReadUint16(&m.cipherSuite) || 1869 !reader.ReadUint8(&compressionMethod) || 1870 compressionMethod != 0 || 1871 !reader.ReadUint16LengthPrefixed(&extensions) || 1872 len(reader) != 0 { 1873 return false 1874 } 1875 for len(extensions) > 0 { 1876 var extension uint16 1877 var body cryptobyte.String 1878 if !extensions.ReadUint16(&extension) || 1879 !extensions.ReadUint16LengthPrefixed(&body) { 1880 return false 1881 } 1882 switch extension { 1883 case extensionSupportedVersions: 1884 if !body.ReadUint16(&m.vers) || 1885 len(body) != 0 { 1886 return false 1887 } 1888 case extensionKeyShare: 1889 var v uint16 1890 if !body.ReadUint16(&v) || len(body) != 0 { 1891 return false 1892 } 1893 m.hasSelectedGroup = true 1894 m.selectedGroup = CurveID(v) 1895 case extensionCookie: 1896 if !readUint16LengthPrefixedBytes(&body, &m.cookie) || 1897 len(m.cookie) == 0 || 1898 len(body) != 0 { 1899 return false 1900 } 1901 case extensionEncryptedClientHello: 1902 if len(body) != echAcceptConfirmationLength { 1903 return false 1904 } 1905 m.echConfirmation = body 1906 m.echConfirmationOffset = len(m.raw) - len(extensions) - len(body) 1907 default: 1908 // Unknown extensions are illegal from the server. 1909 return false 1910 } 1911 } 1912 return true 1913} 1914 1915type certificateEntry struct { 1916 data []byte 1917 ocspResponse []byte 1918 sctList []byte 1919 duplicateExtensions bool 1920 extraExtension []byte 1921 delegatedCredential *delegatedCredential 1922} 1923 1924type delegatedCredential struct { 1925 // https://www.rfc-editor.org/rfc/rfc9345.html#section-4 1926 raw []byte 1927 signedBytes []byte 1928 lifetimeSecs uint32 1929 dcCertVerifyAlgo signatureAlgorithm 1930 pkixPublicKey []byte 1931 algorithm signatureAlgorithm 1932 signature []byte 1933} 1934 1935type certificateMsg struct { 1936 raw []byte 1937 hasRequestContext bool 1938 requestContext []byte 1939 certificates []certificateEntry 1940} 1941 1942func (m *certificateMsg) marshal() (x []byte) { 1943 if m.raw != nil { 1944 return m.raw 1945 } 1946 1947 certMsg := cryptobyte.NewBuilder(nil) 1948 certMsg.AddUint8(typeCertificate) 1949 certMsg.AddUint24LengthPrefixed(func(certificate *cryptobyte.Builder) { 1950 if m.hasRequestContext { 1951 addUint8LengthPrefixedBytes(certificate, m.requestContext) 1952 } 1953 certificate.AddUint24LengthPrefixed(func(certificateList *cryptobyte.Builder) { 1954 for _, cert := range m.certificates { 1955 addUint24LengthPrefixedBytes(certificateList, cert.data) 1956 if m.hasRequestContext { 1957 certificateList.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 1958 count := 1 1959 if cert.duplicateExtensions { 1960 count = 2 1961 } 1962 1963 for i := 0; i < count; i++ { 1964 if cert.ocspResponse != nil { 1965 extensions.AddUint16(extensionStatusRequest) 1966 extensions.AddUint16LengthPrefixed(func(body *cryptobyte.Builder) { 1967 body.AddUint8(statusTypeOCSP) 1968 addUint24LengthPrefixedBytes(body, cert.ocspResponse) 1969 }) 1970 } 1971 1972 if cert.sctList != nil { 1973 extensions.AddUint16(extensionSignedCertificateTimestamp) 1974 addUint16LengthPrefixedBytes(extensions, cert.sctList) 1975 } 1976 } 1977 if cert.extraExtension != nil { 1978 extensions.AddBytes(cert.extraExtension) 1979 } 1980 }) 1981 } 1982 } 1983 }) 1984 1985 }) 1986 1987 m.raw = certMsg.BytesOrPanic() 1988 return m.raw 1989} 1990 1991func (m *certificateMsg) unmarshal(data []byte) bool { 1992 m.raw = data 1993 reader := cryptobyte.String(data[4:]) 1994 1995 if m.hasRequestContext && !readUint8LengthPrefixedBytes(&reader, &m.requestContext) { 1996 return false 1997 } 1998 1999 var certs cryptobyte.String 2000 if !reader.ReadUint24LengthPrefixed(&certs) || len(reader) != 0 { 2001 return false 2002 } 2003 m.certificates = nil 2004 for len(certs) > 0 { 2005 var cert certificateEntry 2006 if !readUint24LengthPrefixedBytes(&certs, &cert.data) { 2007 return false 2008 } 2009 if m.hasRequestContext { 2010 var extensions cryptobyte.String 2011 if !certs.ReadUint16LengthPrefixed(&extensions) || !checkDuplicateExtensions(extensions) { 2012 return false 2013 } 2014 for len(extensions) > 0 { 2015 var extension uint16 2016 var body cryptobyte.String 2017 if !extensions.ReadUint16(&extension) || 2018 !extensions.ReadUint16LengthPrefixed(&body) { 2019 return false 2020 } 2021 switch extension { 2022 case extensionStatusRequest: 2023 var statusType byte 2024 if !body.ReadUint8(&statusType) || 2025 statusType != statusTypeOCSP || 2026 !readUint24LengthPrefixedBytes(&body, &cert.ocspResponse) || 2027 len(body) != 0 { 2028 return false 2029 } 2030 case extensionSignedCertificateTimestamp: 2031 cert.sctList = []byte(body) 2032 case extensionDelegatedCredential: 2033 // https://www.rfc-editor.org/rfc/rfc9345.html#section-4 2034 if cert.delegatedCredential != nil { 2035 return false 2036 } 2037 2038 dc := new(delegatedCredential) 2039 origBody := body 2040 var dcCertVerifyAlgo, algorithm uint16 2041 2042 if !body.ReadUint32(&dc.lifetimeSecs) || 2043 !body.ReadUint16(&dcCertVerifyAlgo) || 2044 !readUint24LengthPrefixedBytes(&body, &dc.pkixPublicKey) || 2045 !body.ReadUint16(&algorithm) || 2046 !readUint16LengthPrefixedBytes(&body, &dc.signature) || 2047 len(body) != 0 { 2048 return false 2049 } 2050 2051 dc.dcCertVerifyAlgo = signatureAlgorithm(dcCertVerifyAlgo) 2052 dc.algorithm = signatureAlgorithm(algorithm) 2053 dc.raw = origBody 2054 dc.signedBytes = []byte(origBody)[:4+2+3+len(dc.pkixPublicKey)] 2055 cert.delegatedCredential = dc 2056 default: 2057 return false 2058 } 2059 } 2060 } 2061 m.certificates = append(m.certificates, cert) 2062 } 2063 2064 return true 2065} 2066 2067type compressedCertificateMsg struct { 2068 raw []byte 2069 algID uint16 2070 uncompressedLength uint32 2071 compressed []byte 2072} 2073 2074func (m *compressedCertificateMsg) marshal() (x []byte) { 2075 if m.raw != nil { 2076 return m.raw 2077 } 2078 2079 certMsg := cryptobyte.NewBuilder(nil) 2080 certMsg.AddUint8(typeCompressedCertificate) 2081 certMsg.AddUint24LengthPrefixed(func(certificate *cryptobyte.Builder) { 2082 certificate.AddUint16(m.algID) 2083 certificate.AddUint24(m.uncompressedLength) 2084 addUint24LengthPrefixedBytes(certificate, m.compressed) 2085 }) 2086 2087 m.raw = certMsg.BytesOrPanic() 2088 return m.raw 2089} 2090 2091func (m *compressedCertificateMsg) unmarshal(data []byte) bool { 2092 m.raw = data 2093 reader := cryptobyte.String(data[4:]) 2094 2095 if !reader.ReadUint16(&m.algID) || 2096 !reader.ReadUint24(&m.uncompressedLength) || 2097 !readUint24LengthPrefixedBytes(&reader, &m.compressed) || 2098 len(reader) != 0 { 2099 return false 2100 } 2101 2102 if m.uncompressedLength >= 1<<17 { 2103 return false 2104 } 2105 2106 return true 2107} 2108 2109type serverKeyExchangeMsg struct { 2110 raw []byte 2111 key []byte 2112} 2113 2114func (m *serverKeyExchangeMsg) marshal() []byte { 2115 if m.raw != nil { 2116 return m.raw 2117 } 2118 msg := cryptobyte.NewBuilder(nil) 2119 msg.AddUint8(typeServerKeyExchange) 2120 addUint24LengthPrefixedBytes(msg, m.key) 2121 m.raw = msg.BytesOrPanic() 2122 return m.raw 2123} 2124 2125func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 2126 m.raw = data 2127 if len(data) < 4 { 2128 return false 2129 } 2130 m.key = data[4:] 2131 return true 2132} 2133 2134type certificateStatusMsg struct { 2135 raw []byte 2136 statusType uint8 2137 response []byte 2138} 2139 2140func (m *certificateStatusMsg) marshal() []byte { 2141 if m.raw != nil { 2142 return m.raw 2143 } 2144 2145 var x []byte 2146 if m.statusType == statusTypeOCSP { 2147 msg := cryptobyte.NewBuilder(nil) 2148 msg.AddUint8(typeCertificateStatus) 2149 msg.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) { 2150 body.AddUint8(statusTypeOCSP) 2151 addUint24LengthPrefixedBytes(body, m.response) 2152 }) 2153 x = msg.BytesOrPanic() 2154 } else { 2155 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 2156 } 2157 2158 m.raw = x 2159 return x 2160} 2161 2162func (m *certificateStatusMsg) unmarshal(data []byte) bool { 2163 m.raw = data 2164 reader := cryptobyte.String(data[4:]) 2165 if !reader.ReadUint8(&m.statusType) || 2166 m.statusType != statusTypeOCSP || 2167 !readUint24LengthPrefixedBytes(&reader, &m.response) || 2168 len(reader) != 0 { 2169 return false 2170 } 2171 return true 2172} 2173 2174type serverHelloDoneMsg struct{} 2175 2176func (m *serverHelloDoneMsg) marshal() []byte { 2177 x := make([]byte, 4) 2178 x[0] = typeServerHelloDone 2179 return x 2180} 2181 2182func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 2183 return len(data) == 4 2184} 2185 2186type clientKeyExchangeMsg struct { 2187 raw []byte 2188 ciphertext []byte 2189} 2190 2191func (m *clientKeyExchangeMsg) marshal() []byte { 2192 if m.raw != nil { 2193 return m.raw 2194 } 2195 msg := cryptobyte.NewBuilder(nil) 2196 msg.AddUint8(typeClientKeyExchange) 2197 addUint24LengthPrefixedBytes(msg, m.ciphertext) 2198 m.raw = msg.BytesOrPanic() 2199 return m.raw 2200} 2201 2202func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 2203 m.raw = data 2204 if len(data) < 4 { 2205 return false 2206 } 2207 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 2208 if l != len(data)-4 { 2209 return false 2210 } 2211 m.ciphertext = data[4:] 2212 return true 2213} 2214 2215type finishedMsg struct { 2216 raw []byte 2217 verifyData []byte 2218} 2219 2220func (m *finishedMsg) marshal() []byte { 2221 if m.raw != nil { 2222 return m.raw 2223 } 2224 2225 msg := cryptobyte.NewBuilder(nil) 2226 msg.AddUint8(typeFinished) 2227 addUint24LengthPrefixedBytes(msg, m.verifyData) 2228 m.raw = msg.BytesOrPanic() 2229 return m.raw 2230} 2231 2232func (m *finishedMsg) unmarshal(data []byte) bool { 2233 m.raw = data 2234 if len(data) < 4 { 2235 return false 2236 } 2237 m.verifyData = data[4:] 2238 return true 2239} 2240 2241type nextProtoMsg struct { 2242 raw []byte 2243 proto string 2244} 2245 2246func (m *nextProtoMsg) marshal() []byte { 2247 if m.raw != nil { 2248 return m.raw 2249 } 2250 2251 padding := 32 - (len(m.proto)+2)%32 2252 2253 msg := cryptobyte.NewBuilder(nil) 2254 msg.AddUint8(typeNextProtocol) 2255 msg.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) { 2256 addUint8LengthPrefixedBytes(body, []byte(m.proto)) 2257 addUint8LengthPrefixedBytes(body, make([]byte, padding)) 2258 }) 2259 m.raw = msg.BytesOrPanic() 2260 return m.raw 2261} 2262 2263func (m *nextProtoMsg) unmarshal(data []byte) bool { 2264 m.raw = data 2265 reader := cryptobyte.String(data[4:]) 2266 var proto, padding []byte 2267 if !readUint8LengthPrefixedBytes(&reader, &proto) || 2268 !readUint8LengthPrefixedBytes(&reader, &padding) || 2269 len(reader) != 0 { 2270 return false 2271 } 2272 m.proto = string(proto) 2273 2274 // Padding is not meant to be checked normally, but as this is a testing 2275 // implementation, we check the padding is as expected. 2276 if len(padding) != 32-(len(m.proto)+2)%32 { 2277 return false 2278 } 2279 for _, v := range padding { 2280 if v != 0 { 2281 return false 2282 } 2283 } 2284 2285 return true 2286} 2287 2288type certificateRequestMsg struct { 2289 raw []byte 2290 vers uint16 2291 // hasSignatureAlgorithm indicates whether this message includes a list 2292 // of signature and hash functions. This change was introduced with TLS 2293 // 1.2. 2294 hasSignatureAlgorithm bool 2295 // hasRequestContext indicates whether this message includes a context 2296 // field instead of certificateTypes. This change was introduced with 2297 // TLS 1.3. 2298 hasRequestContext bool 2299 2300 certificateTypes []byte 2301 requestContext []byte 2302 signatureAlgorithms []signatureAlgorithm 2303 signatureAlgorithmsCert []signatureAlgorithm 2304 certificateAuthorities [][]byte 2305 hasCAExtension bool 2306 customExtension uint16 2307} 2308 2309func (m *certificateRequestMsg) marshal() []byte { 2310 if m.raw != nil { 2311 return m.raw 2312 } 2313 2314 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 2315 builder := cryptobyte.NewBuilder(nil) 2316 builder.AddUint8(typeCertificateRequest) 2317 builder.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) { 2318 if m.hasRequestContext { 2319 addUint8LengthPrefixedBytes(body, m.requestContext) 2320 body.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 2321 if m.hasSignatureAlgorithm { 2322 extensions.AddUint16(extensionSignatureAlgorithms) 2323 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 2324 extension.AddUint16LengthPrefixed(func(signatureAlgorithms *cryptobyte.Builder) { 2325 for _, sigAlg := range m.signatureAlgorithms { 2326 signatureAlgorithms.AddUint16(uint16(sigAlg)) 2327 } 2328 }) 2329 }) 2330 } 2331 if len(m.signatureAlgorithmsCert) > 0 { 2332 extensions.AddUint16(extensionSignatureAlgorithmsCert) 2333 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 2334 extension.AddUint16LengthPrefixed(func(signatureAlgorithmsCert *cryptobyte.Builder) { 2335 for _, sigAlg := range m.signatureAlgorithmsCert { 2336 signatureAlgorithmsCert.AddUint16(uint16(sigAlg)) 2337 } 2338 }) 2339 }) 2340 } 2341 if len(m.certificateAuthorities) > 0 { 2342 extensions.AddUint16(extensionCertificateAuthorities) 2343 extensions.AddUint16LengthPrefixed(func(extension *cryptobyte.Builder) { 2344 extension.AddUint16LengthPrefixed(func(certificateAuthorities *cryptobyte.Builder) { 2345 for _, ca := range m.certificateAuthorities { 2346 addUint16LengthPrefixedBytes(certificateAuthorities, ca) 2347 } 2348 }) 2349 }) 2350 } 2351 2352 if m.customExtension > 0 { 2353 extensions.AddUint16(m.customExtension) 2354 extensions.AddUint16(0) // Empty extension 2355 } 2356 }) 2357 } else { 2358 addUint8LengthPrefixedBytes(body, m.certificateTypes) 2359 2360 if m.hasSignatureAlgorithm { 2361 body.AddUint16LengthPrefixed(func(signatureAlgorithms *cryptobyte.Builder) { 2362 for _, sigAlg := range m.signatureAlgorithms { 2363 signatureAlgorithms.AddUint16(uint16(sigAlg)) 2364 } 2365 }) 2366 } 2367 2368 body.AddUint16LengthPrefixed(func(certificateAuthorities *cryptobyte.Builder) { 2369 for _, ca := range m.certificateAuthorities { 2370 addUint16LengthPrefixedBytes(certificateAuthorities, ca) 2371 } 2372 }) 2373 } 2374 }) 2375 2376 m.raw = builder.BytesOrPanic() 2377 return m.raw 2378} 2379 2380func parseCAs(reader *cryptobyte.String, out *[][]byte) bool { 2381 var cas cryptobyte.String 2382 if !reader.ReadUint16LengthPrefixed(&cas) { 2383 return false 2384 } 2385 for len(cas) > 0 { 2386 var ca []byte 2387 if !readUint16LengthPrefixedBytes(&cas, &ca) { 2388 return false 2389 } 2390 *out = append(*out, ca) 2391 } 2392 return true 2393} 2394 2395func (m *certificateRequestMsg) unmarshal(data []byte) bool { 2396 m.raw = data 2397 reader := cryptobyte.String(data[4:]) 2398 2399 if m.hasRequestContext { 2400 var extensions cryptobyte.String 2401 if !readUint8LengthPrefixedBytes(&reader, &m.requestContext) || 2402 !reader.ReadUint16LengthPrefixed(&extensions) || 2403 len(reader) != 0 || 2404 !checkDuplicateExtensions(extensions) { 2405 return false 2406 } 2407 for len(extensions) > 0 { 2408 var extension uint16 2409 var body cryptobyte.String 2410 if !extensions.ReadUint16(&extension) || 2411 !extensions.ReadUint16LengthPrefixed(&body) { 2412 return false 2413 } 2414 switch extension { 2415 case extensionSignatureAlgorithms: 2416 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithms, false) || len(body) != 0 { 2417 return false 2418 } 2419 case extensionSignatureAlgorithmsCert: 2420 if !parseSignatureAlgorithms(&body, &m.signatureAlgorithmsCert, false) || len(body) != 0 { 2421 return false 2422 } 2423 case extensionCertificateAuthorities: 2424 if !parseCAs(&body, &m.certificateAuthorities) || len(body) != 0 { 2425 return false 2426 } 2427 m.hasCAExtension = true 2428 } 2429 } 2430 } else { 2431 if !readUint8LengthPrefixedBytes(&reader, &m.certificateTypes) { 2432 return false 2433 } 2434 // In TLS 1.2, the supported_signature_algorithms field in 2435 // CertificateRequest may be empty. 2436 if m.hasSignatureAlgorithm && !parseSignatureAlgorithms(&reader, &m.signatureAlgorithms, true) { 2437 return false 2438 } 2439 if !parseCAs(&reader, &m.certificateAuthorities) || 2440 len(reader) != 0 { 2441 return false 2442 } 2443 } 2444 2445 return true 2446} 2447 2448type certificateVerifyMsg struct { 2449 raw []byte 2450 hasSignatureAlgorithm bool 2451 signatureAlgorithm signatureAlgorithm 2452 signature []byte 2453} 2454 2455func (m *certificateVerifyMsg) marshal() (x []byte) { 2456 if m.raw != nil { 2457 return m.raw 2458 } 2459 2460 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 2461 siglength := len(m.signature) 2462 length := 2 + siglength 2463 if m.hasSignatureAlgorithm { 2464 length += 2 2465 } 2466 x = make([]byte, 4+length) 2467 x[0] = typeCertificateVerify 2468 x[1] = uint8(length >> 16) 2469 x[2] = uint8(length >> 8) 2470 x[3] = uint8(length) 2471 y := x[4:] 2472 if m.hasSignatureAlgorithm { 2473 y[0] = byte(m.signatureAlgorithm >> 8) 2474 y[1] = byte(m.signatureAlgorithm) 2475 y = y[2:] 2476 } 2477 y[0] = uint8(siglength >> 8) 2478 y[1] = uint8(siglength) 2479 copy(y[2:], m.signature) 2480 2481 m.raw = x 2482 2483 return 2484} 2485 2486func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 2487 m.raw = data 2488 2489 if len(data) < 6 { 2490 return false 2491 } 2492 2493 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2494 if uint32(len(data))-4 != length { 2495 return false 2496 } 2497 2498 data = data[4:] 2499 if m.hasSignatureAlgorithm { 2500 m.signatureAlgorithm = signatureAlgorithm(data[0])<<8 | signatureAlgorithm(data[1]) 2501 data = data[2:] 2502 } 2503 2504 if len(data) < 2 { 2505 return false 2506 } 2507 siglength := int(data[0])<<8 + int(data[1]) 2508 data = data[2:] 2509 if len(data) != siglength { 2510 return false 2511 } 2512 2513 m.signature = data 2514 2515 return true 2516} 2517 2518type newSessionTicketMsg struct { 2519 raw []byte 2520 vers uint16 2521 isDTLS bool 2522 ticketLifetime uint32 2523 ticketAgeAdd uint32 2524 ticketNonce []byte 2525 ticket []byte 2526 maxEarlyDataSize uint32 2527 customExtension string 2528 duplicateEarlyDataExtension bool 2529 hasGREASEExtension bool 2530} 2531 2532func (m *newSessionTicketMsg) marshal() []byte { 2533 if m.raw != nil { 2534 return m.raw 2535 } 2536 2537 version, ok := wireToVersion(m.vers, m.isDTLS) 2538 if !ok { 2539 panic("unknown version") 2540 } 2541 2542 // See http://tools.ietf.org/html/rfc5077#section-3.3 2543 ticketMsg := cryptobyte.NewBuilder(nil) 2544 ticketMsg.AddUint8(typeNewSessionTicket) 2545 ticketMsg.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) { 2546 body.AddUint32(m.ticketLifetime) 2547 if version >= VersionTLS13 { 2548 body.AddUint32(m.ticketAgeAdd) 2549 addUint8LengthPrefixedBytes(body, m.ticketNonce) 2550 } 2551 2552 addUint16LengthPrefixedBytes(body, m.ticket) 2553 2554 if version >= VersionTLS13 { 2555 body.AddUint16LengthPrefixed(func(extensions *cryptobyte.Builder) { 2556 if m.maxEarlyDataSize > 0 { 2557 extensions.AddUint16(extensionEarlyData) 2558 extensions.AddUint16LengthPrefixed(func(child *cryptobyte.Builder) { 2559 child.AddUint32(m.maxEarlyDataSize) 2560 }) 2561 if m.duplicateEarlyDataExtension { 2562 extensions.AddUint16(extensionEarlyData) 2563 extensions.AddUint16LengthPrefixed(func(child *cryptobyte.Builder) { 2564 child.AddUint32(m.maxEarlyDataSize) 2565 }) 2566 } 2567 } 2568 if len(m.customExtension) > 0 { 2569 extensions.AddUint16(extensionCustom) 2570 addUint16LengthPrefixedBytes(extensions, []byte(m.customExtension)) 2571 } 2572 }) 2573 } 2574 }) 2575 2576 m.raw = ticketMsg.BytesOrPanic() 2577 return m.raw 2578} 2579 2580func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 2581 m.raw = data 2582 2583 version, ok := wireToVersion(m.vers, m.isDTLS) 2584 if !ok { 2585 panic("unknown version") 2586 } 2587 2588 if len(data) < 8 { 2589 return false 2590 } 2591 m.ticketLifetime = uint32(data[4])<<24 | uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 2592 data = data[8:] 2593 2594 if version >= VersionTLS13 { 2595 if len(data) < 4 { 2596 return false 2597 } 2598 m.ticketAgeAdd = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2599 data = data[4:] 2600 nonceLen := int(data[0]) 2601 data = data[1:] 2602 if len(data) < nonceLen { 2603 return false 2604 } 2605 m.ticketNonce = data[:nonceLen] 2606 data = data[nonceLen:] 2607 } 2608 2609 if len(data) < 2 { 2610 return false 2611 } 2612 ticketLen := int(data[0])<<8 + int(data[1]) 2613 data = data[2:] 2614 if len(data) < ticketLen { 2615 return false 2616 } 2617 2618 if version >= VersionTLS13 && ticketLen == 0 { 2619 return false 2620 } 2621 2622 m.ticket = data[:ticketLen] 2623 data = data[ticketLen:] 2624 2625 if version >= VersionTLS13 { 2626 if len(data) < 2 { 2627 return false 2628 } 2629 2630 extensionsLength := int(data[0])<<8 | int(data[1]) 2631 data = data[2:] 2632 if extensionsLength != len(data) { 2633 return false 2634 } 2635 2636 for len(data) != 0 { 2637 if len(data) < 4 { 2638 return false 2639 } 2640 extension := uint16(data[0])<<8 | uint16(data[1]) 2641 length := int(data[2])<<8 | int(data[3]) 2642 data = data[4:] 2643 if len(data) < length { 2644 return false 2645 } 2646 2647 switch extension { 2648 case extensionEarlyData: 2649 if length != 4 { 2650 return false 2651 } 2652 m.maxEarlyDataSize = uint32(data[0])<<24 | uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 2653 default: 2654 if isGREASEValue(extension) { 2655 m.hasGREASEExtension = true 2656 } 2657 } 2658 2659 data = data[length:] 2660 } 2661 } 2662 2663 if len(data) > 0 { 2664 return false 2665 } 2666 2667 return true 2668} 2669 2670type helloVerifyRequestMsg struct { 2671 raw []byte 2672 vers uint16 2673 cookie []byte 2674} 2675 2676func (m *helloVerifyRequestMsg) marshal() []byte { 2677 if m.raw != nil { 2678 return m.raw 2679 } 2680 2681 length := 2 + 1 + len(m.cookie) 2682 2683 x := make([]byte, 4+length) 2684 x[0] = typeHelloVerifyRequest 2685 x[1] = uint8(length >> 16) 2686 x[2] = uint8(length >> 8) 2687 x[3] = uint8(length) 2688 vers := m.vers 2689 x[4] = uint8(vers >> 8) 2690 x[5] = uint8(vers) 2691 x[6] = uint8(len(m.cookie)) 2692 copy(x[7:7+len(m.cookie)], m.cookie) 2693 2694 return x 2695} 2696 2697func (m *helloVerifyRequestMsg) unmarshal(data []byte) bool { 2698 if len(data) < 4+2+1 { 2699 return false 2700 } 2701 m.raw = data 2702 m.vers = uint16(data[4])<<8 | uint16(data[5]) 2703 cookieLen := int(data[6]) 2704 if cookieLen > 32 || len(data) != 7+cookieLen { 2705 return false 2706 } 2707 m.cookie = data[7 : 7+cookieLen] 2708 2709 return true 2710} 2711 2712type channelIDMsg struct { 2713 raw []byte 2714 channelID []byte 2715} 2716 2717func (m *channelIDMsg) marshal() []byte { 2718 if m.raw != nil { 2719 return m.raw 2720 } 2721 2722 length := 2 + 2 + len(m.channelID) 2723 2724 x := make([]byte, 4+length) 2725 x[0] = typeChannelID 2726 x[1] = uint8(length >> 16) 2727 x[2] = uint8(length >> 8) 2728 x[3] = uint8(length) 2729 x[4] = uint8(extensionChannelID >> 8) 2730 x[5] = uint8(extensionChannelID & 0xff) 2731 x[6] = uint8(len(m.channelID) >> 8) 2732 x[7] = uint8(len(m.channelID) & 0xff) 2733 copy(x[8:], m.channelID) 2734 2735 return x 2736} 2737 2738func (m *channelIDMsg) unmarshal(data []byte) bool { 2739 if len(data) != 4+2+2+128 { 2740 return false 2741 } 2742 m.raw = data 2743 if (uint16(data[4])<<8)|uint16(data[5]) != extensionChannelID { 2744 return false 2745 } 2746 if int(data[6])<<8|int(data[7]) != 128 { 2747 return false 2748 } 2749 m.channelID = data[4+2+2:] 2750 2751 return true 2752} 2753 2754type helloRequestMsg struct { 2755} 2756 2757func (*helloRequestMsg) marshal() []byte { 2758 return []byte{typeHelloRequest, 0, 0, 0} 2759} 2760 2761func (*helloRequestMsg) unmarshal(data []byte) bool { 2762 return len(data) == 4 2763} 2764 2765type keyUpdateMsg struct { 2766 raw []byte 2767 keyUpdateRequest byte 2768} 2769 2770func (m *keyUpdateMsg) marshal() []byte { 2771 if m.raw != nil { 2772 return m.raw 2773 } 2774 2775 return []byte{typeKeyUpdate, 0, 0, 1, m.keyUpdateRequest} 2776} 2777 2778func (m *keyUpdateMsg) unmarshal(data []byte) bool { 2779 m.raw = data 2780 2781 if len(data) != 5 { 2782 return false 2783 } 2784 2785 length := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 2786 if len(data)-4 != length { 2787 return false 2788 } 2789 2790 m.keyUpdateRequest = data[4] 2791 return m.keyUpdateRequest == keyUpdateNotRequested || m.keyUpdateRequest == keyUpdateRequested 2792} 2793 2794type endOfEarlyDataMsg struct { 2795 nonEmpty bool 2796} 2797 2798func (m *endOfEarlyDataMsg) marshal() []byte { 2799 if m.nonEmpty { 2800 return []byte{typeEndOfEarlyData, 0, 0, 1, 42} 2801 } 2802 return []byte{typeEndOfEarlyData, 0, 0, 0} 2803} 2804 2805func (*endOfEarlyDataMsg) unmarshal(data []byte) bool { 2806 return len(data) == 4 2807} 2808