
   1  // Copyright 2009 The Go Authors. All rights reserved.
   2  // Use of this source code is governed by a BSD-style
   3  // license that can be found in the LICENSE file.
   4  
   5  package tls
   6  
   7  import (
   8  	"errors"
   9  	"fmt"
  10  	"slices"
  11  	"bytes"
  12  
  13  	"golang.org/x/crypto/cryptobyte"
  14  )
  15  
// The marshalingFunction type is an adapter to allow the use of ordinary
// functions as cryptobyte.MarshalingValue. The function receives the Builder
// that AddValue was called on, appends to it, and returns any error, which
// the Builder then reports instead of producing output (see
// addBytesWithLength for the only use in this file).
type marshalingFunction func(b *cryptobyte.Builder) error
  19  
// Marshal implements cryptobyte.MarshalingValue by invoking the wrapped
// function on b and handing its error back unchanged.
func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
	err := f(b)
	return err
}
  23  
// addBytesWithLength appends v to b, but only when len(v) == n. Otherwise the
// Builder is handed an error naming the expected and actual lengths, so the
// mismatch surfaces from b.Bytes() like any other encoding failure instead of
// producing a message with a mis-sized fixed field (e.g. a ClientHello random
// that is not 32 bytes).
func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
	checked := func(builder *cryptobyte.Builder) error {
		if got := len(v); got != n {
			return fmt.Errorf("invalid value length: expected %d, got %d", n, got)
		}
		builder.AddBytes(v)
		return nil
	}
	b.AddValue(marshalingFunction(checked))
}
  35  
// addUint64 appends v to b as eight big-endian bytes, most significant word
// first, using two 32-bit writes because cryptobyte has no 64-bit adder.
func addUint64(b *cryptobyte.Builder, v uint64) {
	hi, lo := uint32(v>>32), uint32(v)
	b.AddUint32(hi)
	b.AddUint32(lo)
}
  41  
// readUint64 reads eight big-endian bytes from s into *out and advances s past
// them. It returns false, leaving *out untouched, when too few bytes remain;
// note that s may already have been advanced by the first word in that case.
func readUint64(s *cryptobyte.String, out *uint64) bool {
	var hi uint32
	if !s.ReadUint32(&hi) {
		return false
	}
	var lo uint32
	if !s.ReadUint32(&lo) {
		return false
	}
	*out = uint64(hi)<<32 | uint64(lo)
	return true
}
  52  
// readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
// []byte instead of a cryptobyte.String. The pointer cast is free because
// cryptobyte.String is defined as []byte; *out ends up aliasing s, not a copy.
func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
	target := (*cryptobyte.String)(out)
	return s.ReadUint8LengthPrefixed(target)
}
  58  
// readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
// []byte instead of a cryptobyte.String. As with the uint8 variant, *out is a
// sub-slice of s rather than a copy.
func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
	target := (*cryptobyte.String)(out)
	return s.ReadUint16LengthPrefixed(target)
}
  64  
// readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
// []byte instead of a cryptobyte.String. As with the uint8 variant, *out is a
// sub-slice of s rather than a copy.
func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
	target := (*cryptobyte.String)(out)
	return s.ReadUint24LengthPrefixed(target)
}
  70  
// clientHelloMsg is the in-memory form of a TLS ClientHello. Its marshal*
// methods produce the wire encoding and unmarshal parses one; the per-field
// notes below say which extension each field maps to.
type clientHelloMsg struct {
	// original holds the exact wire bytes when the message was produced by
	// unmarshal (it aliases the input) and is nil for locally built messages.
	// marshalWithoutBinders and originalBytes prefer it over re-encoding.
	original                         []byte
	// vers is legacy_version; random must be exactly 32 bytes to marshal.
	vers                             uint16
	random                           []byte
	// sessionId is legacy_session_id; it is left empty in an ECH inner hello.
	sessionId                        []byte
	cipherSuites                     []uint16
	compressionMethods               []uint8
	// serverName is the host_name entry of server_name (RFC 6066).
	serverName                       []byte
	// ocspStapling: status_request with status_type ocsp (RFC 4366).
	ocspStapling                     bool
	// supportedCurves is supported_groups; supportedPoints is ec_point_formats.
	supportedCurves                  []CurveID
	supportedPoints                  []uint8
	// ticketSupported/sessionTicket: session_ticket (RFC 5077).
	ticketSupported                  bool
	sessionTicket                    []uint8
	// signature_algorithms and signature_algorithms_cert.
	supportedSignatureAlgorithms     []SignatureScheme
	supportedSignatureAlgorithmsCert []SignatureScheme
	// secureRenegotiationSupported is set by either the renegotiation_info
	// extension or the SCSV pseudo cipher suite; secureRenegotiation is the
	// extension body (RFC 5746).
	secureRenegotiationSupported     bool
	secureRenegotiation              []byte
	extendedMasterSecret             bool
	// alpnProtocols lists application_layer_protocol_negotiation names.
	alpnProtocols                    [][]byte
	// scts requests signed_certificate_timestamp (empty extension body).
	scts                             bool
	supportedVersions                []uint16
	cookie                           []byte
	keyShares                        []keyShare
	earlyData                        bool
	pskModes                         []uint8
	// pskIdentities and pskBinders form pre_shared_key, always the last
	// extension; binders are patched after the fact via updateBinders.
	pskIdentities                    []pskIdentity
	pskBinders                       [][]byte
	// quicTransportParameters is marshaled whenever non-nil, so an empty but
	// non-nil slice encodes a present, zero-length extension (RFC 9001).
	quicTransportParameters          []byte
	encryptedClientHello             []byte
	// extensions are only populated on the server-side of a handshake
	extensions []uint16
}
 103  
// marshalMsg serializes m as a ClientHello handshake message — type byte,
// uint24 length, then the body — and returns the wire bytes. With echInner
// set it produces the inner ClientHello of an Encrypted Client Hello instead:
// legacy_session_id is left empty, the ec_point_formats, session_ticket,
// renegotiation_info and extended_master_secret extensions are omitted, and
// the extensions collected in echOuterExts are replaced by a single
// ech_outer_extensions extension naming their types. Extensions are written
// in a fixed order with pre_shared_key last, which marshalWithoutBinders and
// updateBinders rely on when they trim or patch the binders at the tail.
// The extensions block is omitted entirely when no extension is set. Any
// error comes from the cryptobyte.Builder, e.g. when m.random is not exactly
// 32 bytes long.
func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
	var exts cryptobyte.Builder
	if len(m.serverName) > 0 {
		// RFC 6066, Section 3
		exts.AddUint16(extensionServerName)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint8(0) // name_type = host_name
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					exts.AddBytes([]byte(m.serverName))
				})
			})
		})
	}
	if len(m.supportedPoints) > 0 && !echInner {
		// RFC 4492, Section 5.1.2
		exts.AddUint16(extensionSupportedPoints)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddBytes(m.supportedPoints)
			})
		})
	}
	if m.ticketSupported && !echInner {
		// RFC 5077, Section 3.2
		exts.AddUint16(extensionSessionTicket)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddBytes(m.sessionTicket)
		})
	}
	if m.secureRenegotiationSupported && !echInner {
		// RFC 5746, Section 3.2
		exts.AddUint16(extensionRenegotiationInfo)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddBytes(m.secureRenegotiation)
			})
		})
	}
	if m.extendedMasterSecret && !echInner {
		// RFC 7627
		exts.AddUint16(extensionExtendedMasterSecret)
		exts.AddUint16(0) // empty extension_data
	}
	if m.scts {
		// RFC 6962, Section 3.3.1
		exts.AddUint16(extensionSCT)
		exts.AddUint16(0) // empty extension_data
	}
	if m.earlyData {
		// RFC 8446, Section 4.2.10
		exts.AddUint16(extensionEarlyData)
		exts.AddUint16(0) // empty extension_data
	}
	if m.quicTransportParameters != nil { // marshal zero-length parameters when present
		// RFC 9001, Section 8.2
		exts.AddUint16(extensionQUICTransportParameters)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddBytes(m.quicTransportParameters)
		})
	}
	if len(m.encryptedClientHello) > 0 {
		exts.AddUint16(extensionEncryptedClientHello)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddBytes(m.encryptedClientHello)
		})
	}
	// Note that any extension that can be compressed during ECH must be
	// contiguous. If any additional extensions are to be compressed they must
	// be added to the following block, so that they can be properly
	// decompressed on the other side.
	//
	// For each extension below, an inner hello records only the extension
	// type in echOuterExts; an outer (or non-ECH) hello writes the full body.
	var echOuterExts []uint16
	if m.ocspStapling {
		// RFC 4366, Section 3.6
		if echInner {
			echOuterExts = append(echOuterExts, extensionStatusRequest)
		} else {
			exts.AddUint16(extensionStatusRequest)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint8(1)  // status_type = ocsp
				exts.AddUint16(0) // empty responder_id_list
				exts.AddUint16(0) // empty request_extensions
			})
		}
	}
	if len(m.supportedCurves) > 0 {
		// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
		if echInner {
			echOuterExts = append(echOuterExts, extensionSupportedCurves)
		} else {
			exts.AddUint16(extensionSupportedCurves)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					for _, curve := range m.supportedCurves {
						exts.AddUint16(uint16(curve))
					}
				})
			})
		}
	}
	if len(m.supportedSignatureAlgorithms) > 0 {
		// RFC 5246, Section 7.4.1.4.1
		if echInner {
			echOuterExts = append(echOuterExts, extensionSignatureAlgorithms)
		} else {
			exts.AddUint16(extensionSignatureAlgorithms)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					for _, sigAlgo := range m.supportedSignatureAlgorithms {
						exts.AddUint16(uint16(sigAlgo))
					}
				})
			})
		}
	}
	if len(m.supportedSignatureAlgorithmsCert) > 0 {
		// RFC 8446, Section 4.2.3
		if echInner {
			echOuterExts = append(echOuterExts, extensionSignatureAlgorithmsCert)
		} else {
			exts.AddUint16(extensionSignatureAlgorithmsCert)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
						exts.AddUint16(uint16(sigAlgo))
					}
				})
			})
		}
	}
	if len(m.alpnProtocols) > 0 {
		// RFC 7301, Section 3.1
		if echInner {
			echOuterExts = append(echOuterExts, extensionALPN)
		} else {
			exts.AddUint16(extensionALPN)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					for _, proto := range m.alpnProtocols {
						exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
							exts.AddBytes([]byte(proto))
						})
					}
				})
			})
		}
	}
	if len(m.supportedVersions) > 0 {
		// RFC 8446, Section 4.2.1
		if echInner {
			echOuterExts = append(echOuterExts, extensionSupportedVersions)
		} else {
			exts.AddUint16(extensionSupportedVersions)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
					for _, vers := range m.supportedVersions {
						exts.AddUint16(vers)
					}
				})
			})
		}
	}
	if len(m.cookie) > 0 {
		// RFC 8446, Section 4.2.2
		if echInner {
			echOuterExts = append(echOuterExts, extensionCookie)
		} else {
			exts.AddUint16(extensionCookie)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					exts.AddBytes(m.cookie)
				})
			})
		}
	}
	if len(m.keyShares) > 0 {
		// RFC 8446, Section 4.2.8
		if echInner {
			echOuterExts = append(echOuterExts, extensionKeyShare)
		} else {
			exts.AddUint16(extensionKeyShare)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
					for _, ks := range m.keyShares {
						exts.AddUint16(uint16(ks.group))
						exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
							exts.AddBytes(ks.data)
						})
					}
				})
			})
		}
	}
	if len(m.pskModes) > 0 {
		// RFC 8446, Section 4.2.9
		if echInner {
			echOuterExts = append(echOuterExts, extensionPSKModes)
		} else {
			exts.AddUint16(extensionPSKModes)
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
					exts.AddBytes(m.pskModes)
				})
			})
		}
	}
	if len(echOuterExts) > 0 && echInner {
		// ech_outer_extensions stands in for the bodies collected above; the
		// recipient restores them from the outer ClientHello.
		exts.AddUint16(extensionECHOuterExtensions)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
				for _, e := range echOuterExts {
					exts.AddUint16(e)
				}
			})
		})
	}
	if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension
		// RFC 8446, Section 4.2.11
		exts.AddUint16(extensionPreSharedKey)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				for _, psk := range m.pskIdentities {
					exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
						exts.AddBytes(psk.label)
					})
					exts.AddUint32(psk.obfuscatedTicketAge)
				}
			})
			// The binders list is the very last thing in the message, which is
			// what lets marshalWithoutBinders trim it by length alone.
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				for _, binder := range m.pskBinders {
					exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
						exts.AddBytes(binder)
					})
				}
			})
		})
	}
	// Extensions are built separately so the message can omit the extensions
	// block altogether when there are none.
	extBytes, err := exts.Bytes()
	if err != nil {
		return nil, err
	}

	var b cryptobyte.Builder
	b.AddUint8(typeClientHello)
	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
		b.AddUint16(m.vers)
		addBytesWithLength(b, m.random, 32)
		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
			if !echInner {
				b.AddBytes(m.sessionId)
			}
		})
		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
			for _, suite := range m.cipherSuites {
				b.AddUint16(suite)
			}
		})
		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
			b.AddBytes(m.compressionMethods)
		})

		if len(extBytes) > 0 {
			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
				b.AddBytes(extBytes)
			})
		}
	})

	return b.Bytes()
}
 374  
// marshal returns the wire encoding of m as an ordinary (outer or non-ECH)
// ClientHello; it is marshalMsg with the inner-hello mode switched off.
func (m *clientHelloMsg) marshal() ([]byte, error) {
	const echInner = false
	return m.marshalMsg(echInner)
}
 378  
// marshalWithoutBinders returns the ClientHello through the
// PreSharedKeyExtension.identities field, according to RFC 8446, Section
// 4.2.11.2 — that is, everything except the trailing binders list, which is
// the portion the binders are computed over. The cached wire bytes in
// m.original are used when present; otherwise m is marshaled. Note that
// m.pskBinders must be set to slices of the correct length, because the
// number of bytes trimmed from the end is derived from them.
func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) {
	// Size of the binders list: a uint16 list length, then a uint8 length
	// plus the binder bytes for each entry.
	trailing := 2
	for _, binder := range m.pskBinders {
		trailing += 1 + len(binder)
	}

	if m.original != nil {
		return m.original[:len(m.original)-trailing], nil
	}
	encoded, err := m.marshal()
	if err != nil {
		return nil, err
	}
	return encoded[:len(encoded)-trailing], nil
}
 401  
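// updateBinders replaces m.pskBinders with pskBinders, which must have the
// same number of entries and the same per-entry lengths as the current value:
// marshalWithoutBinders locates the binders list purely by those lengths, so
// a size change would desynchronize it from bytes already produced. When
// m.original holds the cached wire encoding, the binders list at its tail is
// rewritten in place so that originalBytes and marshalWithoutBinders keep
// agreeing with the new binders rather than serving the stale ones.
//
// On a length mismatch it returns an error and leaves m untouched. If the
// in-place rewrite does not land exactly on the end of m.original it returns
// an error with m.pskBinders already updated.
func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error {
	if len(pskBinders) != len(m.pskBinders) {
		return errors.New("tls: internal error: pskBinders length mismatch")
	}
	for i := range m.pskBinders {
		if len(pskBinders[i]) != len(m.pskBinders[i]) {
			return errors.New("tls: internal error: pskBinders length mismatch")
		}
	}
	m.pskBinders = pskBinders

	if m.original != nil {
		// Everything before the binders list is unchanged, so only the tail
		// of the cached encoding is overwritten. A fixed builder writes into
		// m.original's backing array and records an error instead of
		// reallocating, and the final length check guards against the
		// rewrite falling short of or overrunning the original message.
		helloBytes, err := m.marshalWithoutBinders()
		if err != nil {
			return err
		}
		b := cryptobyte.NewFixedBuilder(m.original[:len(helloBytes)])
		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
			for _, binder := range m.pskBinders {
				b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
					b.AddBytes(binder)
				})
			}
		})
		if out, err := b.Bytes(); err != nil || len(out) != len(m.original) {
			return errors.New("tls: internal error: failed to update binders")
		}
	}

	return nil
}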
 417  
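// unmarshal parses the ClientHello handshake message in data (type byte and
// uint24 length included) into m and reports whether it was well-formed; on
// false, m is only partially filled and must not be used. m is reset first.
// m.original aliases data rather than copying it, and so do most parsed byte
// fields (serverName and quicTransportParameters are the copied exceptions),
// so the caller must not modify data afterwards.
//
// Structural rules enforced here, independent of what the handshake later
// accepts: the body must be consumed exactly; each extension type may appear
// at most once; every recognized extension body must be consumed exactly;
// pre_shared_key must be the last extension; the SNI host_name must be
// non-empty and must not end in a dot; and unknown extensions are skipped
// rather than rejected.
func (m *clientHelloMsg) unmarshal(data []byte) bool {
	*m = clientHelloMsg{original: data}
	s := cryptobyte.String(data)

	if !s.Skip(4) || // message type and uint24 length field
		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
		!readUint8LengthPrefixed(&s, &m.sessionId) {
		return false
	}

	var cipherSuites cryptobyte.String
	if !s.ReadUint16LengthPrefixed(&cipherSuites) {
		return false
	}
	m.cipherSuites = []uint16{}
	m.secureRenegotiationSupported = false
	for !cipherSuites.Empty() {
		var suite uint16
		if !cipherSuites.ReadUint16(&suite) {
			return false
		}
		// RFC 5746: the TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo-suite signals
		// secure renegotiation support just like the renegotiation_info
		// extension handled below.
		if suite == scsvRenegotiation {
			m.secureRenegotiationSupported = true
		}
		m.cipherSuites = append(m.cipherSuites, suite)
	}

	if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
		return false
	}

	if s.Empty() {
		// ClientHello is optionally followed by extension data
		return true
	}

	// The extensions block must account for every remaining byte.
	var extensions cryptobyte.String
	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
		return false
	}

	// RFC 8446, Section 4.2: an extension type may appear at most once.
	seenExts := map[uint16]bool{}
	for !extensions.Empty() {
		var extension uint16
		var extData cryptobyte.String
		if !extensions.ReadUint16(&extension) ||
			!extensions.ReadUint16LengthPrefixed(&extData) {
			return false
		}

		if seenExts[extension] {
			return false
		}
		seenExts[extension] = true
		m.extensions = append(m.extensions, extension)

		switch extension {
		case extensionServerName:
			// RFC 6066, Section 3
			var nameList cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
				return false
			}
			for !nameList.Empty() {
				var nameType uint8
				var serverName cryptobyte.String
				if !nameList.ReadUint8(&nameType) ||
					!nameList.ReadUint16LengthPrefixed(&serverName) ||
					serverName.Empty() {
					return false
				}
				if nameType != 0 {
					continue
				}
				if len(m.serverName) != 0 {
					// Multiple names of the same name_type are prohibited.
					return false
				}
				// The conversion copies the name out of data.
				m.serverName = []byte(serverName)
				// An SNI value may not include a trailing dot.
				if bytes.HasSuffix(m.serverName, []byte(".")) {
					return false
				}
			}
		case extensionStatusRequest:
			// RFC 4366, Section 3.6
			var statusType uint8
			var ignored cryptobyte.String
			if !extData.ReadUint8(&statusType) ||
				!extData.ReadUint16LengthPrefixed(&ignored) ||
				!extData.ReadUint16LengthPrefixed(&ignored) {
				return false
			}
			m.ocspStapling = statusType == statusTypeOCSP
		case extensionSupportedCurves:
			// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
			var curves cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
				return false
			}
			for !curves.Empty() {
				var curve uint16
				if !curves.ReadUint16(&curve) {
					return false
				}
				m.supportedCurves = append(m.supportedCurves, CurveID(curve))
			}
		case extensionSupportedPoints:
			// RFC 4492, Section 5.1.2
			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
				len(m.supportedPoints) == 0 {
				return false
			}
		case extensionSessionTicket:
			// RFC 5077, Section 3.2
			m.ticketSupported = true
			// An empty body is valid (it requests a new ticket), so the
			// result is deliberately not checked.
			extData.ReadBytes(&m.sessionTicket, len(extData))
		case extensionSignatureAlgorithms:
			// RFC 5246, Section 7.4.1.4.1
			var sigAndAlgs cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
				return false
			}
			for !sigAndAlgs.Empty() {
				var sigAndAlg uint16
				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
					return false
				}
				m.supportedSignatureAlgorithms = append(
					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
			}
		case extensionSignatureAlgorithmsCert:
			// RFC 8446, Section 4.2.3
			var sigAndAlgs cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
				return false
			}
			for !sigAndAlgs.Empty() {
				var sigAndAlg uint16
				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
					return false
				}
				m.supportedSignatureAlgorithmsCert = append(
					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
			}
		case extensionRenegotiationInfo:
			// RFC 5746, Section 3.2
			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
				return false
			}
			m.secureRenegotiationSupported = true
		case extensionExtendedMasterSecret:
			// RFC 7627
			m.extendedMasterSecret = true
		case extensionALPN:
			// RFC 7301, Section 3.1
			var protoList cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
				return false
			}
			for !protoList.Empty() {
				var proto cryptobyte.String
				if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
					return false
				}
				m.alpnProtocols = append(m.alpnProtocols, []byte(proto))
			}
		case extensionSCT:
			// RFC 6962, Section 3.3.1
			m.scts = true
		case extensionSupportedVersions:
			// RFC 8446, Section 4.2.1
			var versList cryptobyte.String
			if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
				return false
			}
			for !versList.Empty() {
				var vers uint16
				if !versList.ReadUint16(&vers) {
					return false
				}
				m.supportedVersions = append(m.supportedVersions, vers)
			}
		case extensionCookie:
			// RFC 8446, Section 4.2.2
			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
				len(m.cookie) == 0 {
				return false
			}
		case extensionKeyShare:
			// RFC 8446, Section 4.2.8
			var clientShares cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&clientShares) {
				return false
			}
			for !clientShares.Empty() {
				var ks keyShare
				if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
					!readUint16LengthPrefixed(&clientShares, &ks.data) ||
					len(ks.data) == 0 {
					return false
				}
				m.keyShares = append(m.keyShares, ks)
			}
		case extensionEarlyData:
			// RFC 8446, Section 4.2.10
			m.earlyData = true
		case extensionPSKModes:
			// RFC 8446, Section 4.2.9
			if !readUint8LengthPrefixed(&extData, &m.pskModes) {
				return false
			}
		case extensionQUICTransportParameters:
			// RFC 9001, Section 8.2. The body is copied rather than aliased
			// and the slice is non-nil even when empty, because marshalMsg
			// treats nil as "absent" and an empty non-nil slice as "present".
			m.quicTransportParameters = make([]byte, len(extData))
			if !extData.CopyBytes(m.quicTransportParameters) {
				return false
			}
		case extensionPreSharedKey:
			// RFC 8446, Section 4.2.11
			if !extensions.Empty() {
				return false // pre_shared_key must be the last extension
			}
			var identities cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
				return false
			}
			for !identities.Empty() {
				var psk pskIdentity
				if !readUint16LengthPrefixed(&identities, &psk.label) ||
					!identities.ReadUint32(&psk.obfuscatedTicketAge) ||
					len(psk.label) == 0 {
					return false
				}
				m.pskIdentities = append(m.pskIdentities, psk)
			}
			var binders cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
				return false
			}
			for !binders.Empty() {
				var binder []byte
				if !readUint8LengthPrefixed(&binders, &binder) ||
					len(binder) == 0 {
					return false
				}
				m.pskBinders = append(m.pskBinders, binder)
			}
		case extensionEncryptedClientHello:
			if !extData.ReadBytes(&m.encryptedClientHello, len(extData)) {
				return false
			}
		default:
			// Ignore unknown extensions.
			continue
		}

		// Every recognized extension must have consumed its body exactly;
		// trailing bytes indicate a malformed extension. Unknown extensions
		// skip this check via the continue above.
		if !extData.Empty() {
			return false
		}
	}

	return true
}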
 681  
// originalBytes returns the exact wire bytes this message was unmarshaled
// from (as kept up to date by updateBinders), or nil when the message was
// built locally and never parsed.
func (m *clientHelloMsg) originalBytes() []byte {
	wire := m.original
	return wire
}
 685  
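// clone returns a copy of m whose top-level slices are detached from m, so
// the copy can be marshaled or altered (for example by updateBinders, which
// writes into original) without affecting m. serverName is cloned like every
// other []byte field. Nested slices — the entries of alpnProtocols and
// pskBinders and the data inside keyShares and pskIdentities — are copied
// only at the outer level by slices.Clone and still share backing arrays
// with m. extensions is not copied; it is only populated when a ClientHello
// is unmarshaled on the server side.
func (m *clientHelloMsg) clone() *clientHelloMsg {
	return &clientHelloMsg{
		original:                         slices.Clone(m.original),
		vers:                             m.vers,
		random:                           slices.Clone(m.random),
		sessionId:                        slices.Clone(m.sessionId),
		cipherSuites:                     slices.Clone(m.cipherSuites),
		compressionMethods:               slices.Clone(m.compressionMethods),
		serverName:                       slices.Clone(m.serverName),
		ocspStapling:                     m.ocspStapling,
		supportedCurves:                  slices.Clone(m.supportedCurves),
		supportedPoints:                  slices.Clone(m.supportedPoints),
		ticketSupported:                  m.ticketSupported,
		sessionTicket:                    slices.Clone(m.sessionTicket),
		supportedSignatureAlgorithms:     slices.Clone(m.supportedSignatureAlgorithms),
		supportedSignatureAlgorithmsCert: slices.Clone(m.supportedSignatureAlgorithmsCert),
		secureRenegotiationSupported:     m.secureRenegotiationSupported,
		secureRenegotiation:              slices.Clone(m.secureRenegotiation),
		extendedMasterSecret:             m.extendedMasterSecret,
		alpnProtocols:                    slices.Clone(m.alpnProtocols),
		scts:                             m.scts,
		supportedVersions:                slices.Clone(m.supportedVersions),
		cookie:                           slices.Clone(m.cookie),
		keyShares:                        slices.Clone(m.keyShares),
		earlyData:                        m.earlyData,
		pskModes:                         slices.Clone(m.pskModes),
		pskIdentities:                    slices.Clone(m.pskIdentities),
		pskBinders:                       slices.Clone(m.pskBinders),
		quicTransportParameters:          slices.Clone(m.quicTransportParameters),
		encryptedClientHello:             slices.Clone(m.encryptedClientHello),
	}
}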
 718  
// serverHelloMsg is the in-memory form of a TLS ServerHello. The same
// encoding carries a HelloRetryRequest, whose extra extensions are kept in
// the trailing fields; marshal emits only the extensions whose field is set.
type serverHelloMsg struct {
	// original holds the exact wire bytes when produced by unmarshal (it
	// aliases the input); nil for locally built messages.
	original                     []byte
	// vers is legacy_version; random must be exactly 32 bytes to marshal.
	vers                         uint16
	random                       []byte
	sessionId                    []byte
	cipherSuite                  uint16
	compressionMethod            uint8
	// ocspStapling, ticketSupported and extendedMasterSecret each encode as an
	// empty extension body when set.
	ocspStapling                 bool
	ticketSupported              bool
	// secureRenegotiation is the renegotiation_info body (RFC 5746).
	secureRenegotiationSupported bool
	secureRenegotiation          []byte
	extendedMasterSecret         bool
	// alpnProtocol is the single selected ALPN protocol.
	alpnProtocol                 []byte
	// scts is the list of signed certificate timestamps.
	scts                         [][]byte
	// supportedVersion is the selected supported_versions entry; 0 omits the
	// extension.
	supportedVersion             uint16
	// serverShare is emitted as key_share when its group is non-zero.
	serverShare                  keyShare
	// selectedIdentity is only emitted when selectedIdentityPresent is set,
	// since 0 is a valid index.
	selectedIdentityPresent      bool
	selectedIdentity             uint16
	supportedPoints              []uint8
	encryptedClientHello         []byte
	// serverNameAck emits an empty server_name extension.
	serverNameAck                bool

	// HelloRetryRequest extensions
	// selectedGroup is also emitted as key_share (carrying only the group), so
	// a message is expected to set at most one of serverShare/selectedGroup.
	cookie        []byte
	selectedGroup CurveID
}
 745  
// marshal serializes m as a ServerHello handshake message — type byte, uint24
// length, then the body — and returns the wire bytes. A HelloRetryRequest
// uses the same encoding with cookie and/or selectedGroup set. Only the
// extensions whose field is set are written, in the fixed order below, and
// the extensions block is omitted entirely when there are none. serverShare
// and selectedGroup both encode as key_share, so presumably callers set at
// most one of them; a receiver that rejects duplicate extension types (as
// this file's unmarshal does) would refuse a message with both. Errors come
// from the cryptobyte.Builder, e.g. when m.random is not exactly 32 bytes.
func (m *serverHelloMsg) marshal() ([]byte, error) {
	var exts cryptobyte.Builder
	if m.ocspStapling {
		exts.AddUint16(extensionStatusRequest)
		exts.AddUint16(0) // empty extension_data
	}
	if m.ticketSupported {
		exts.AddUint16(extensionSessionTicket)
		exts.AddUint16(0) // empty extension_data
	}
	if m.secureRenegotiationSupported {
		exts.AddUint16(extensionRenegotiationInfo)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddBytes(m.secureRenegotiation)
			})
		})
	}
	if m.extendedMasterSecret {
		exts.AddUint16(extensionExtendedMasterSecret)
		exts.AddUint16(0) // empty extension_data
	}
	if len(m.alpnProtocol) > 0 {
		// A one-element protocol_name_list carrying the selected protocol.
		exts.AddUint16(extensionALPN)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
					exts.AddBytes([]byte(m.alpnProtocol))
				})
			})
		})
	}
	if len(m.scts) > 0 {
		exts.AddUint16(extensionSCT)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				for _, sct := range m.scts {
					exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
						exts.AddBytes(sct)
					})
				}
			})
		})
	}
	if m.supportedVersion != 0 {
		exts.AddUint16(extensionSupportedVersions)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16(m.supportedVersion)
		})
	}
	if m.serverShare.group != 0 {
		exts.AddUint16(extensionKeyShare)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16(uint16(m.serverShare.group))
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddBytes(m.serverShare.data)
			})
		})
	}
	if m.selectedIdentityPresent {
		exts.AddUint16(extensionPreSharedKey)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16(m.selectedIdentity)
		})
	}

	// HelloRetryRequest-only extensions: cookie, and the key_share form that
	// names just the requested group without any key data.
	if len(m.cookie) > 0 {
		exts.AddUint16(extensionCookie)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddBytes(m.cookie)
			})
		})
	}
	if m.selectedGroup != 0 {
		exts.AddUint16(extensionKeyShare)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint16(uint16(m.selectedGroup))
		})
	}
	if len(m.supportedPoints) > 0 {
		exts.AddUint16(extensionSupportedPoints)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
				exts.AddBytes(m.supportedPoints)
			})
		})
	}
	if len(m.encryptedClientHello) > 0 {
		exts.AddUint16(extensionEncryptedClientHello)
		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			exts.AddBytes(m.encryptedClientHello)
		})
	}
	if m.serverNameAck {
		// Empty server_name acknowledges the client's SNI (RFC 6066).
		exts.AddUint16(extensionServerName)
		exts.AddUint16(0)
	}

	// Extensions are built separately so the message can omit the extensions
	// block altogether when there are none.
	extBytes, err := exts.Bytes()
	if err != nil {
		return nil, err
	}

	var b cryptobyte.Builder
	b.AddUint8(typeServerHello)
	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
		b.AddUint16(m.vers)
		addBytesWithLength(b, m.random, 32)
		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
			b.AddBytes(m.sessionId)
		})
		b.AddUint16(m.cipherSuite)
		b.AddUint8(m.compressionMethod)

		if len(extBytes) > 0 {
			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
				b.AddBytes(extBytes)
			})
		}
	})

	return b.Bytes()
}
 870  
// unmarshal parses a ServerHello (HelloRetryRequest shares the format; see the
// key_share case below) from data. Every field is reset first and data is kept
// as the original wire bytes so the transcript can hash what was actually
// received. It reports whether the message was well-formed; on false the
// receiver may be partially populated and must not be used.
func (m *serverHelloMsg) unmarshal(data []byte) bool {
	*m = serverHelloMsg{original: data}
	s := cryptobyte.String(data)

	if !s.Skip(4) || // message type and uint24 length field
		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
		!readUint8LengthPrefixed(&s, &m.sessionId) ||
		!s.ReadUint16(&m.cipherSuite) ||
		!s.ReadUint8(&m.compressionMethod) {
		return false
	}

	if s.Empty() {
		// ServerHello is optionally followed by extension data
		return true
	}

	// When extensions are present they must account for every remaining byte.
	var extensions cryptobyte.String
	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
		return false
	}

	// A repeated extension type is rejected outright rather than letting a
	// later occurrence overwrite the values parsed from an earlier one.
	seenExts := map[uint16]bool{}
	for !extensions.Empty() {
		var extension uint16
		var extData cryptobyte.String
		if !extensions.ReadUint16(&extension) ||
			!extensions.ReadUint16LengthPrefixed(&extData) {
			return false
		}

		if seenExts[extension] {
			return false
		}
		seenExts[extension] = true

		switch extension {
		case extensionStatusRequest:
			m.ocspStapling = true
		case extensionSessionTicket:
			m.ticketSupported = true
		case extensionRenegotiationInfo:
			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
				return false
			}
			m.secureRenegotiationSupported = true
		case extensionExtendedMasterSecret:
			m.extendedMasterSecret = true
		case extensionALPN:
			// The server selects exactly one protocol: a non-empty list that
			// holds a single, non-empty name.
			var protoList cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
				return false
			}
			var proto cryptobyte.String
			if !protoList.ReadUint8LengthPrefixed(&proto) ||
				proto.Empty() || !protoList.Empty() {
				return false
			}
			m.alpnProtocol = []byte(proto)
		case extensionSCT:
			// A non-empty list of non-empty SCTs; entries alias data.
			var sctList cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
				return false
			}
			for !sctList.Empty() {
				var sct []byte
				if !readUint16LengthPrefixed(&sctList, &sct) ||
					len(sct) == 0 {
					return false
				}
				m.scts = append(m.scts, sct)
			}
		case extensionSupportedVersions:
			if !extData.ReadUint16(&m.supportedVersion) {
				return false
			}
		case extensionCookie:
			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
				len(m.cookie) == 0 {
				return false
			}
		case extensionKeyShare:
			// This extension has different formats in SH and HRR, accept either
			// and let the handshake logic decide. See RFC 8446, Section 4.2.8.
			// A two-byte body can only be the HRR selected_group form.
			if len(extData) == 2 {
				if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
					return false
				}
			} else {
				if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
					!readUint16LengthPrefixed(&extData, &m.serverShare.data) {
					return false
				}
			}
		case extensionPreSharedKey:
			m.selectedIdentityPresent = true
			if !extData.ReadUint16(&m.selectedIdentity) {
				return false
			}
		case extensionSupportedPoints:
			// RFC 4492, Section 5.1.2
			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
				len(m.supportedPoints) == 0 {
				return false
			}
		case extensionEncryptedClientHello: // encrypted_client_hello
			// Copied out so the message does not alias the wire buffer.
			m.encryptedClientHello = []byte{:len(extData)}
			if !extData.CopyBytes(m.encryptedClientHello) {
				return false
			}
		case extensionServerName:
			// The server's acknowledgement carries no data.
			if len(extData) != 0 {
				return false
			}
			m.serverNameAck = true
		default:
			// Ignore unknown extensions.
			continue
		}

		// Every recognised extension must have consumed its extension_data
		// exactly; unknown ones (above) are skipped without this check.
		if !extData.Empty() {
			return false
		}
	}

	return true
}
 998  
// originalBytes returns the wire bytes this message was unmarshaled from, or
// nil when the message was not produced by unmarshal.
func (m *serverHelloMsg) originalBytes() []byte {
	orig := m.original
	return orig
}
1002  
// encryptedExtensionsMsg is the TLS 1.3 EncryptedExtensions handshake message.
// Only the extensions this implementation understands are represented.
type encryptedExtensionsMsg struct {
	alpnProtocol            []byte // selected ALPN protocol; omitted on the wire when empty
	quicTransportParameters []byte // emitted whenever non-nil, even if zero-length
	earlyData               bool   // early_data extension present (RFC 8446, Section 4.2.10)
	echRetryConfigs         []byte // encrypted_client_hello extension payload
	serverNameAck           bool   // empty server_name extension present
}
1010  
// marshal encodes the EncryptedExtensions message: a handshake header followed
// by a uint16-length-prefixed extensions block. Extensions are emitted in a
// fixed order (ALPN, QUIC transport parameters, early_data,
// encrypted_client_hello, server_name), each only when its field is set.
func (m *encryptedExtensionsMsg) marshal() ([]byte, error) {
	var msg cryptobyte.Builder
	msg.AddUint8(typeEncryptedExtensions)
	msg.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		body.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			if len(m.alpnProtocol) > 0 {
				// ALPN: a protocol_name_list holding the single selected name.
				exts.AddUint16(extensionALPN)
				exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
					ext.AddUint16LengthPrefixed(func(list *cryptobyte.Builder) {
						list.AddUint8LengthPrefixed(func(name *cryptobyte.Builder) {
							name.AddBytes(m.alpnProtocol)
						})
					})
				})
			}
			// draft-ietf-quic-tls-32, Section 8.2: zero-length parameters are
			// still sent when the field is non-nil.
			if m.quicTransportParameters != nil {
				exts.AddUint16(extensionQUICTransportParameters)
				exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
					ext.AddBytes(m.quicTransportParameters)
				})
			}
			if m.earlyData {
				// RFC 8446, Section 4.2.10: early_data has empty extension_data.
				exts.AddUint16(extensionEarlyData)
				exts.AddUint16(0)
			}
			if len(m.echRetryConfigs) > 0 {
				exts.AddUint16(extensionEncryptedClientHello)
				exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
					ext.AddBytes(m.echRetryConfigs)
				})
			}
			if m.serverNameAck {
				// Acknowledgement only: empty extension_data.
				exts.AddUint16(extensionServerName)
				exts.AddUint16(0)
			}
		})
	})

	return msg.Bytes()
}
1053  
// unmarshal parses an EncryptedExtensions message from data, resetting the
// receiver first. The extensions block must account for every byte after the
// header, no extension type may appear twice, and each recognised extension
// must consume its extension_data exactly; unknown extensions are skipped
// without inspection. It reports whether data was well-formed.
func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
	*m = encryptedExtensionsMsg{}
	s := cryptobyte.String(data)

	var extensions cryptobyte.String
	if !s.Skip(4) || // message type and uint24 length field
		!s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
		return false
	}

	// Duplicate extensions are rejected rather than letting a later copy
	// overwrite the values parsed from an earlier one.
	seenExts := map[uint16]bool{}
	for !extensions.Empty() {
		var extension uint16
		var extData cryptobyte.String
		if !extensions.ReadUint16(&extension) ||
			!extensions.ReadUint16LengthPrefixed(&extData) {
			return false
		}

		if seenExts[extension] {
			return false
		}
		seenExts[extension] = true

		switch extension {
		case extensionALPN:
			// The server selects exactly one protocol: a non-empty list that
			// holds a single, non-empty name.
			var protoList cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
				return false
			}
			var proto cryptobyte.String
			if !protoList.ReadUint8LengthPrefixed(&proto) ||
				proto.Empty() || !protoList.Empty() {
				return false
			}
			m.alpnProtocol = []byte(proto)
		case extensionQUICTransportParameters:
			// Copied out so the message does not alias the wire buffer.
			m.quicTransportParameters = []byte{:len(extData)}
			if !extData.CopyBytes(m.quicTransportParameters) {
				return false
			}
		case extensionEarlyData:
			// RFC 8446, Section 4.2.10
			m.earlyData = true
		case extensionEncryptedClientHello:
			// Copied out so the message does not alias the wire buffer.
			m.echRetryConfigs = []byte{:len(extData)}
			if !extData.CopyBytes(m.echRetryConfigs) {
				return false
			}
		case extensionServerName:
			// The acknowledgement carries no data.
			if len(extData) != 0 {
				return false
			}
			m.serverNameAck = true
		default:
			// Ignore unknown extensions.
			continue
		}

		// Recognised extensions must have consumed their extension_data.
		if !extData.Empty() {
			return false
		}
	}

	return true
}
1120  
// endOfEarlyDataMsg is the TLS 1.3 EndOfEarlyData message; it has no body.
type endOfEarlyDataMsg struct{}
1122  
// marshal returns the four-byte handshake header (type plus a zero uint24
// length); the message has no body.
func (m *endOfEarlyDataMsg) marshal() ([]byte, error) {
	return []byte{typeEndOfEarlyData, 0, 0, 0}, nil
}
1128  
// unmarshal accepts exactly a bare four-byte handshake header. Only the total
// length is checked; the length field's own bytes are not inspected.
func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
	const headerLen = 4
	return len(data) == headerLen
}
1132  
// keyUpdateMsg is the TLS 1.3 KeyUpdate message.
type keyUpdateMsg struct {
	updateRequested bool // request_update: true encodes as 1, false as 0
}
1136  
// marshal encodes the KeyUpdate message: a handshake header and a single
// request_update byte, 1 when the peer is asked to update too, else 0.
func (m *keyUpdateMsg) marshal() ([]byte, error) {
	var requestUpdate uint8
	if m.updateRequested {
		requestUpdate = 1
	}

	var b cryptobyte.Builder
	b.AddUint8(typeKeyUpdate)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		body.AddUint8(requestUpdate)
	})

	return b.Bytes()
}
1150  
// unmarshal parses a KeyUpdate message. The body must be exactly one byte and
// hold one of the two defined request_update values; any other value is
// rejected and the receiver is left unchanged. It reports whether data was
// well-formed.
func (m *keyUpdateMsg) unmarshal(data []byte) bool {
	s := cryptobyte.String(data)

	var requestUpdate uint8
	if !s.Skip(4) || // message type and uint24 length field
		!s.ReadUint8(&requestUpdate) || !s.Empty() {
		return false
	}
	// Values other than update_not_requested(0) and update_requested(1) are
	// malformed.
	if requestUpdate > 1 {
		return false
	}
	m.updateRequested = requestUpdate == 1
	return true
}
1169  
// newSessionTicketMsgTLS13 is the TLS 1.3 NewSessionTicket message. Field
// order matches the wire layout produced by marshal.
type newSessionTicketMsgTLS13 struct {
	lifetime     uint32 // ticket_lifetime
	ageAdd       uint32 // ticket_age_add
	nonce        []byte // ticket_nonce, uint8-length-prefixed on the wire
	label        []byte // the opaque ticket itself, uint16-length-prefixed
	maxEarlyData uint32 // early_data extension value; omitted when zero
}
1177  
// marshal encodes the TLS 1.3 NewSessionTicket message: lifetime, age_add,
// the length-prefixed nonce and ticket, then an extensions block that holds
// early_data only when a non-zero maxEarlyData is advertised.
func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
	var b cryptobyte.Builder
	b.AddUint8(typeNewSessionTicket)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		body.AddUint32(m.lifetime)
		body.AddUint32(m.ageAdd)
		body.AddUint8LengthPrefixed(func(nonce *cryptobyte.Builder) {
			nonce.AddBytes(m.nonce)
		})
		body.AddUint16LengthPrefixed(func(ticket *cryptobyte.Builder) {
			ticket.AddBytes(m.label)
		})

		// The extensions block is always present, even if empty.
		body.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			if m.maxEarlyData == 0 {
				return
			}
			exts.AddUint16(extensionEarlyData)
			exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
				ext.AddUint32(m.maxEarlyData)
			})
		})
	})

	return b.Bytes()
}
1203  
// unmarshal parses a TLS 1.3 NewSessionTicket message, resetting the receiver
// first. The extensions block must cover the rest of the message; early_data
// must hold exactly a uint32, and any other extension is skipped without
// inspection. It reports whether data was well-formed.
func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
	*m = newSessionTicketMsgTLS13{}
	s := cryptobyte.String(data)

	if !s.Skip(4) { // message type and uint24 length field
		return false
	}
	if !s.ReadUint32(&m.lifetime) || !s.ReadUint32(&m.ageAdd) {
		return false
	}
	// nonce and ticket alias data rather than being copied.
	if !readUint8LengthPrefixed(&s, &m.nonce) ||
		!readUint16LengthPrefixed(&s, &m.label) {
		return false
	}
	var extensions cryptobyte.String
	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
		return false
	}

	for !extensions.Empty() {
		var extType uint16
		var extData cryptobyte.String
		if !extensions.ReadUint16(&extType) ||
			!extensions.ReadUint16LengthPrefixed(&extData) {
			return false
		}

		if extType != extensionEarlyData {
			// Ignore unknown extensions.
			continue
		}
		// early_data carries a single uint32 and nothing else.
		if !extData.ReadUint32(&m.maxEarlyData) || !extData.Empty() {
			return false
		}
	}

	return true
}
1244  
// certificateRequestMsgTLS13 is the TLS 1.3 CertificateRequest message. Only
// the extensions this implementation understands are represented, and the
// certificate_request_context is always empty on the wire.
type certificateRequestMsgTLS13 struct {
	ocspStapling                     bool              // status_request extension present
	scts                             bool              // signed_certificate_timestamp extension present
	supportedSignatureAlgorithms     []SignatureScheme // signature_algorithms extension
	supportedSignatureAlgorithmsCert []SignatureScheme // signature_algorithms_cert extension
	certificateAuthorities           [][]byte          // certificate_authorities extension entries
}
1252  
// marshal encodes the TLS 1.3 CertificateRequest message: an empty
// certificate_request_context followed by an extensions block. Extensions are
// emitted in a fixed order (status_request, signed_certificate_timestamp,
// signature_algorithms, signature_algorithms_cert, certificate_authorities),
// each only when the corresponding field is set.
func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) {
	// addSchemes writes a uint16-length-prefixed list of SignatureScheme
	// values as the extension_data of one extension.
	addSchemes := func(exts *cryptobyte.Builder, schemes []SignatureScheme) {
		exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
			ext.AddUint16LengthPrefixed(func(list *cryptobyte.Builder) {
				for _, scheme := range schemes {
					list.AddUint16(uint16(scheme))
				}
			})
		})
	}

	var b cryptobyte.Builder
	b.AddUint8(typeCertificateRequest)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		// certificate_request_context (SHALL be zero length unless used for
		// post-handshake authentication)
		body.AddUint8(0)

		body.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
			if m.ocspStapling {
				exts.AddUint16(extensionStatusRequest)
				exts.AddUint16(0) // empty extension_data
			}
			if m.scts {
				// RFC 8446, Section 4.4.2.1 makes no mention of
				// signed_certificate_timestamp in CertificateRequest, but
				// "Extensions in the Certificate message from the client MUST
				// correspond to extensions in the CertificateRequest message
				// from the server." and it appears in the table in Section 4.2.
				exts.AddUint16(extensionSCT)
				exts.AddUint16(0) // empty extension_data
			}
			if len(m.supportedSignatureAlgorithms) > 0 {
				exts.AddUint16(extensionSignatureAlgorithms)
				addSchemes(exts, m.supportedSignatureAlgorithms)
			}
			if len(m.supportedSignatureAlgorithmsCert) > 0 {
				exts.AddUint16(extensionSignatureAlgorithmsCert)
				addSchemes(exts, m.supportedSignatureAlgorithmsCert)
			}
			if len(m.certificateAuthorities) > 0 {
				exts.AddUint16(extensionCertificateAuthorities)
				exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
					ext.AddUint16LengthPrefixed(func(list *cryptobyte.Builder) {
						for _, ca := range m.certificateAuthorities {
							list.AddUint16LengthPrefixed(func(entry *cryptobyte.Builder) {
								entry.AddBytes(ca)
							})
						}
					})
				})
			}
		})
	})

	return b.Bytes()
}
1312  
// unmarshal parses a TLS 1.3 CertificateRequest from data, resetting the
// receiver first. The certificate_request_context must be empty and the
// extensions block must cover the rest of the message. Recognised extensions
// must consume their extension_data exactly; unknown extensions are skipped
// without inspection. It reports whether data was well-formed.
func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
	*m = certificateRequestMsgTLS13{}
	s := cryptobyte.String(data)

	if !s.Skip(4) { // message type and uint24 length field
		return false
	}
	var context, extensions cryptobyte.String
	if !s.ReadUint8LengthPrefixed(&context) || !context.Empty() {
		return false
	}
	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
		return false
	}

	// readSchemes consumes a non-empty, uint16-length-prefixed list of
	// SignatureScheme values from ext, appending them to *dst.
	readSchemes := func(ext *cryptobyte.String, dst *[]SignatureScheme) bool {
		var list cryptobyte.String
		if !ext.ReadUint16LengthPrefixed(&list) || list.Empty() {
			return false
		}
		for !list.Empty() {
			var scheme uint16
			if !list.ReadUint16(&scheme) {
				return false
			}
			*dst = append(*dst, SignatureScheme(scheme))
		}
		return true
	}

	for !extensions.Empty() {
		var extType uint16
		var extData cryptobyte.String
		if !extensions.ReadUint16(&extType) ||
			!extensions.ReadUint16LengthPrefixed(&extData) {
			return false
		}

		ok := true
		switch extType {
		case extensionStatusRequest:
			m.ocspStapling = true
		case extensionSCT:
			m.scts = true
		case extensionSignatureAlgorithms:
			ok = readSchemes(&extData, &m.supportedSignatureAlgorithms)
		case extensionSignatureAlgorithmsCert:
			ok = readSchemes(&extData, &m.supportedSignatureAlgorithmsCert)
		case extensionCertificateAuthorities:
			// A non-empty list of non-empty names; entries alias data.
			var auths cryptobyte.String
			if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
				return false
			}
			for !auths.Empty() {
				var ca []byte
				if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
					return false
				}
				m.certificateAuthorities = append(m.certificateAuthorities, ca)
			}
		default:
			// Ignore unknown extensions.
			continue
		}

		// Recognised extensions must have parsed cleanly and consumed their
		// extension_data exactly.
		if !ok || !extData.Empty() {
			return false
		}
	}

	return true
}
1388  
// certificateMsg is the pre-TLS 1.3 Certificate handshake message.
type certificateMsg struct {
	certificates [][]byte // certificate_list entries in wire order
}
1392  
// marshal encodes the pre-TLS 1.3 Certificate message: a handshake header, a
// uint24 certificate_list length, then each certificate with its own uint24
// length prefix (RFC 5246, Section 7.4.2).
func (m *certificateMsg) marshal() ([]byte, error) {
	listLen := 0
	for _, cert := range m.certificates {
		listLen += 3 + len(cert)
	}
	bodyLen := 3 + listLen

	out := []byte{
		typeCertificate, uint8(bodyLen >> 16), uint8(bodyLen >> 8), uint8(bodyLen),
		uint8(listLen >> 16), uint8(listLen >> 8), uint8(listLen),
	}
	for _, cert := range m.certificates {
		n := len(cert)
		out = append(out, uint8(n>>16), uint8(n>>8), uint8(n))
		out = append(out, cert...)
	}

	return out, nil
}
1422  
// unmarshal parses a pre-TLS 1.3 Certificate message. The certificate_list
// length must cover the whole body and each entry's length must fit; the
// uint24 handshake length in data[1:4] is not consulted. The extracted
// certificates alias data rather than being copied. It reports whether data
// was well-formed.
func (m *certificateMsg) unmarshal(data []byte) bool {
	if len(data) < 7 {
		return false
	}

	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
	if uint32(len(data)) != certsLen+7 {
		return false
	}

	// First pass: validate every entry's length prefix and count entries so
	// the result slice can be sized exactly.
	numCerts := 0
	d := data[7:]
	for certsLen > 0 {
		if len(d) < 4 {
			return false
		}
		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
		if uint32(len(d)) < 3+certLen {
			return false
		}
		d = d[3+certLen:]
		certsLen -= 3 + certLen
		numCerts++
	}

	// Second pass: slice out each entry; bounds were proven above.
	m.certificates = [][]byte{:numCerts}
	d = data[7:]
	for i := 0; i < numCerts; i++ {
		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
		m.certificates[i] = d[3 : 3+certLen]
		d = d[3+certLen:]
	}

	return true
}
1458  
// certificateMsgTLS13 is the TLS 1.3 Certificate handshake message.
type certificateMsgTLS13 struct {
	certificate  Certificate // chain plus optional OCSP staple and SCTs
	ocspStapling bool        // when false, OCSPStaple is dropped on marshal
	scts         bool        // when false, SignedCertificateTimestamps are dropped on marshal
}
1464  
// marshal encodes the TLS 1.3 Certificate message: an empty
// certificate_request_context followed by the certificate list. The OCSP
// staple and SCTs are only included when the matching flag is set.
func (m *certificateMsgTLS13) marshal() ([]byte, error) {
	// Work on a copy so clearing the unrequested fields never touches m.
	cert := m.certificate
	if !m.ocspStapling {
		cert.OCSPStaple = nil
	}
	if !m.scts {
		cert.SignedCertificateTimestamps = nil
	}

	var b cryptobyte.Builder
	b.AddUint8(typeCertificate)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		body.AddUint8(0) // certificate_request_context: always empty here
		marshalCertificate(body, cert)
	})

	return b.Bytes()
}
1483  
// marshalCertificate appends a TLS 1.3 certificate_list to b: each entry is a
// uint24-length-prefixed certificate followed by a uint16-length-prefixed
// extensions block. Only the first (leaf) entry may carry extensions, namely
// status_request with an OCSP response and signed_certificate_timestamp;
// every other entry gets an empty extensions block.
func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
	b.AddUint24LengthPrefixed(func(list *cryptobyte.Builder) {
		for i, cert := range certificate.Certificate {
			list.AddUint24LengthPrefixed(func(entry *cryptobyte.Builder) {
				entry.AddBytes(cert)
			})
			list.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
				if i > 0 {
					// This library only supports OCSP and SCT for leaf certificates.
					return
				}
				if certificate.OCSPStaple != nil {
					exts.AddUint16(extensionStatusRequest)
					exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
						ext.AddUint8(statusTypeOCSP)
						ext.AddUint24LengthPrefixed(func(resp *cryptobyte.Builder) {
							resp.AddBytes(certificate.OCSPStaple)
						})
					})
				}
				if certificate.SignedCertificateTimestamps != nil {
					exts.AddUint16(extensionSCT)
					exts.AddUint16LengthPrefixed(func(ext *cryptobyte.Builder) {
						ext.AddUint16LengthPrefixed(func(sctList *cryptobyte.Builder) {
							for _, sct := range certificate.SignedCertificateTimestamps {
								sctList.AddUint16LengthPrefixed(func(entry *cryptobyte.Builder) {
									entry.AddBytes(sct)
								})
							}
						})
					})
				}
			})
		}
	})
}
1520  
// unmarshal parses a TLS 1.3 Certificate message from data, resetting the
// receiver first. The certificate_request_context must be present and empty,
// and the certificate list must cover the rest of the message. The
// ocspStapling and scts flags are derived from what the list contained. It
// reports whether data was well-formed.
func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
	*m = certificateMsgTLS13{}
	s := cryptobyte.String(data)

	if !s.Skip(4) { // message type and uint24 length field
		return false
	}
	var context cryptobyte.String
	if !s.ReadUint8LengthPrefixed(&context) || !context.Empty() {
		return false
	}
	if !unmarshalCertificate(&s, &m.certificate) || !s.Empty() {
		return false
	}

	// The presence flags mirror what unmarshalCertificate populated.
	m.ocspStapling = m.certificate.OCSPStaple != nil
	m.scts = m.certificate.SignedCertificateTimestamps != nil

	return true
}
1538  
// unmarshalCertificate reads a TLS 1.3 certificate_list from s into
// certificate, appending each entry to certificate.Certificate (entries alias
// the underlying bytes). Extensions are parsed only for the first (leaf)
// entry: status_request must carry a non-empty OCSP response and
// signed_certificate_timestamp a non-empty list of non-empty SCTs. Extensions
// on later entries, and unknown extension types, are skipped without
// inspection. It reports whether the list was well-formed.
func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
	var certList cryptobyte.String
	if !s.ReadUint24LengthPrefixed(&certList) {
		return false
	}
	for !certList.Empty() {
		var cert []byte
		var extensions cryptobyte.String
		if !readUint24LengthPrefixed(&certList, &cert) ||
			!certList.ReadUint16LengthPrefixed(&extensions) {
			return false
		}
		certificate.Certificate = append(certificate.Certificate, cert)
		for !extensions.Empty() {
			var extension uint16
			var extData cryptobyte.String
			if !extensions.ReadUint16(&extension) ||
				!extensions.ReadUint16LengthPrefixed(&extData) {
				return false
			}
			// The entry just appended is the leaf only while the list holds a
			// single certificate.
			if len(certificate.Certificate) > 1 {
				// This library only supports OCSP and SCT for leaf certificates.
				continue
			}

			switch extension {
			case extensionStatusRequest:
				var statusType uint8
				if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
					!readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
					len(certificate.OCSPStaple) == 0 {
					return false
				}
			case extensionSCT:
				var sctList cryptobyte.String
				if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
					return false
				}
				for !sctList.Empty() {
					var sct []byte
					if !readUint16LengthPrefixed(&sctList, &sct) ||
						len(sct) == 0 {
						return false
					}
					certificate.SignedCertificateTimestamps = append(
						certificate.SignedCertificateTimestamps, sct)
				}
			default:
				// Ignore unknown extensions.
				continue
			}

			// Recognised leaf extensions must have consumed their
			// extension_data exactly.
			if !extData.Empty() {
				return false
			}
		}
	}
	return true
}
1598  
// serverKeyExchangeMsg is the pre-TLS 1.3 ServerKeyExchange message.
type serverKeyExchangeMsg struct {
	key []byte // message body after the 4-byte header, kept opaque here
}
1602  
// marshal encodes the ServerKeyExchange message: a handshake header whose
// uint24 length is len(key), followed by the key bytes verbatim.
func (m *serverKeyExchangeMsg) marshal() ([]byte, error) {
	n := len(m.key)
	out := []byte{typeServerKeyExchange, uint8(n >> 16), uint8(n >> 8), uint8(n)}
	out = append(out, m.key...)

	return out, nil
}
1614  
// unmarshal keeps everything after the 4-byte header as the key, aliasing
// data. The uint24 length field is not compared against len(data). It reports
// false only when data is shorter than the header.
func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
	const headerLen = 4
	if len(data) < headerLen {
		return false
	}
	m.key = data[headerLen:]
	return true
}
1622  
// certificateStatusMsg is the pre-TLS 1.3 CertificateStatus message; only the
// OCSP status type is supported.
type certificateStatusMsg struct {
	response []byte // OCSPResponse bytes
}
1626  
// marshal encodes the CertificateStatus message: a handshake header, the OCSP
// status_type byte, then the uint24-length-prefixed response.
func (m *certificateStatusMsg) marshal() ([]byte, error) {
	var b cryptobyte.Builder
	b.AddUint8(typeCertificateStatus)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		body.AddUint8(statusTypeOCSP)
		body.AddUint24LengthPrefixed(func(resp *cryptobyte.Builder) {
			resp.AddBytes(m.response)
		})
	})

	return b.Bytes()
}
1639  
// unmarshal parses a CertificateStatus message. The status_type must be OCSP
// and the response must be non-empty and fill the rest of the message; the
// response aliases data. It reports whether data was well-formed.
func (m *certificateStatusMsg) unmarshal(data []byte) bool {
	s := cryptobyte.String(data)

	if !s.Skip(4) { // message type and uint24 length field
		return false
	}
	var statusType uint8
	if !s.ReadUint8(&statusType) || statusType != statusTypeOCSP {
		return false
	}
	if !readUint24LengthPrefixed(&s, &m.response) || len(m.response) == 0 {
		return false
	}
	return s.Empty()
}
1652  
// serverHelloDoneMsg is the pre-TLS 1.3 ServerHelloDone message; it has no body.
type serverHelloDoneMsg struct{}
1654  
// marshal returns the four-byte handshake header (type plus a zero uint24
// length); the message has no body.
func (m *serverHelloDoneMsg) marshal() ([]byte, error) {
	return []byte{typeServerHelloDone, 0, 0, 0}, nil
}
1660  
// unmarshal accepts exactly a bare four-byte handshake header. Only the total
// length is checked; the length field's own bytes are not inspected.
func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
	const headerLen = 4
	return len(data) == headerLen
}
1664  
// clientKeyExchangeMsg is the pre-TLS 1.3 ClientKeyExchange message.
type clientKeyExchangeMsg struct {
	ciphertext []byte // message body after the 4-byte header, kept opaque here
}
1668  
// marshal encodes the ClientKeyExchange message: a handshake header whose
// uint24 length is len(ciphertext), followed by the ciphertext verbatim.
func (m *clientKeyExchangeMsg) marshal() ([]byte, error) {
	n := len(m.ciphertext)
	out := []byte{typeClientKeyExchange, uint8(n >> 16), uint8(n >> 8), uint8(n)}
	out = append(out, m.ciphertext...)

	return out, nil
}
1680  
// unmarshal parses a ClientKeyExchange message. The uint24 length field must
// describe exactly the bytes after the header, which are kept as the
// ciphertext (aliasing data). It reports whether data was well-formed.
func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
	const headerLen = 4
	if len(data) < headerLen {
		return false
	}
	bodyLen := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
	if bodyLen != len(data)-headerLen {
		return false
	}
	m.ciphertext = data[headerLen:]
	return true
}
1692  
// finishedMsg is the Finished handshake message.
type finishedMsg struct {
	verifyData []byte // verify_data; the whole message body
}
1696  
// marshal encodes the Finished message: a handshake header followed by
// verify_data, which is the entire body.
func (m *finishedMsg) marshal() ([]byte, error) {
	var b cryptobyte.Builder
	b.AddUint8(typeFinished)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		body.AddBytes(m.verifyData)
	})

	return b.Bytes()
}
1706  
// unmarshal parses a Finished message. Only the type byte is skipped; the
// uint24 that follows is consumed as the length prefix of verify_data, which
// must then account for the rest of the message. verify_data aliases data.
func (m *finishedMsg) unmarshal(data []byte) bool {
	s := cryptobyte.String(data)
	if !s.Skip(1) {
		return false
	}
	if !readUint24LengthPrefixed(&s, &m.verifyData) {
		return false
	}
	return s.Empty()
}
1713  
// certificateRequestMsg is the pre-TLS 1.3 CertificateRequest message
// (RFC 4346, Section 7.4.4).
type certificateRequestMsg struct {
	// hasSignatureAlgorithm indicates whether this message includes a list of
	// supported signature algorithms. This change was introduced with TLS 1.2.
	// It is an input to unmarshal, not something parsed from the wire.
	hasSignatureAlgorithm bool

	certificateTypes             []byte            // certificate_types, one byte each
	supportedSignatureAlgorithms []SignatureScheme // present only when hasSignatureAlgorithm
	certificateAuthorities       [][]byte          // certificate_authorities entries
}
1723  
// marshal encodes the pre-TLS 1.3 CertificateRequest message: a handshake
// header, the uint8-length-prefixed certificate_types, the TLS 1.2
// supported_signature_algorithms list when hasSignatureAlgorithm is set, and
// finally the uint16-length-prefixed certificate_authorities, each entry
// itself uint16-length-prefixed.
func (m *certificateRequestMsg) marshal() ([]byte, error) {
	// See RFC 4346, Section 7.4.4.
	casLength := 0
	for _, ca := range m.certificateAuthorities {
		casLength += 2 + len(ca)
	}
	length := 1 + len(m.certificateTypes) + 2 + casLength
	if m.hasSignatureAlgorithm {
		length += 2 + 2*len(m.supportedSignatureAlgorithms)
	}

	out := []byte{
		typeCertificateRequest, uint8(length >> 16), uint8(length >> 8), uint8(length),
		uint8(len(m.certificateTypes)),
	}
	out = append(out, m.certificateTypes...)

	if m.hasSignatureAlgorithm {
		sigAlgsLen := 2 * len(m.supportedSignatureAlgorithms)
		out = append(out, uint8(sigAlgsLen>>8), uint8(sigAlgsLen))
		for _, sigAlgo := range m.supportedSignatureAlgorithms {
			out = append(out, uint8(sigAlgo>>8), uint8(sigAlgo))
		}
	}

	out = append(out, uint8(casLength>>8), uint8(casLength))
	for _, ca := range m.certificateAuthorities {
		out = append(out, uint8(len(ca)>>8), uint8(len(ca)))
		out = append(out, ca...)
	}

	return out, nil
}
1773  
// unmarshal parses a pre-TLS 1.3 CertificateRequest message. The receiver's
// hasSignatureAlgorithm must be set by the caller beforehand, since the wire
// format alone does not reveal whether the TLS 1.2 signature algorithm list
// is present. certificate_types must be non-empty and the signature algorithm
// list, when present, must be non-empty with an even byte length. The
// certificate_authorities block is copied out of data, so the resulting
// entries do not alias the wire buffer. It reports whether data was
// well-formed.
func (m *certificateRequestMsg) unmarshal(data []byte) bool {
	if len(data) < 5 {
		return false
	}

	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if uint32(len(data))-4 != length {
		return false
	}

	// After the types there must still be at least the 2-byte CA length, hence
	// the strict "<=" rather than "<".
	numCertTypes := int(data[4])
	data = data[5:]
	if numCertTypes == 0 || len(data) <= numCertTypes {
		return false
	}

	m.certificateTypes = []byte{:numCertTypes}
	// Defensive: the length check above already guarantees a full copy.
	if copy(m.certificateTypes, data) != numCertTypes {
		return false
	}

	data = data[numCertTypes:]

	if m.hasSignatureAlgorithm {
		if len(data) < 2 {
			return false
		}
		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
		data = data[2:]
		// Each SignatureScheme is two bytes, and an empty list is rejected.
		if sigAndHashLen&1 != 0 || sigAndHashLen == 0 {
			return false
		}
		if len(data) < int(sigAndHashLen) {
			return false
		}
		numSigAlgos := sigAndHashLen / 2
		m.supportedSignatureAlgorithms = []SignatureScheme{:numSigAlgos}
		for i := range m.supportedSignatureAlgorithms {
			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
			data = data[2:]
		}
	}

	if len(data) < 2 {
		return false
	}
	casLength := uint16(data[0])<<8 | uint16(data[1])
	data = data[2:]
	if len(data) < int(casLength) {
		return false
	}
	cas := []byte{:casLength}
	copy(cas, data)
	data = data[casLength:]

	// Each entry is a uint16-length-prefixed name; the entries slice the copy
	// made above.
	m.certificateAuthorities = nil
	for len(cas) > 0 {
		if len(cas) < 2 {
			return false
		}
		caLen := uint16(cas[0])<<8 | uint16(cas[1])
		cas = cas[2:]

		if len(cas) < int(caLen) {
			return false
		}

		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
		cas = cas[caLen:]
	}

	// Nothing may follow the certificate_authorities block.
	return len(data) == 0
}
1847  
// certificateVerifyMsg is the CertificateVerify handshake message.
type certificateVerifyMsg struct {
	hasSignatureAlgorithm bool            // format change introduced in TLS 1.2; an input to unmarshal, not parsed
	signatureAlgorithm    SignatureScheme // only on the wire when hasSignatureAlgorithm
	signature             []byte          // uint16-length-prefixed signature
}
1853  
// marshal encodes the CertificateVerify message: a handshake header, the
// SignatureScheme (only when hasSignatureAlgorithm is set), then the
// uint16-length-prefixed signature.
func (m *certificateVerifyMsg) marshal() ([]byte, error) {
	var b cryptobyte.Builder
	b.AddUint8(typeCertificateVerify)
	b.AddUint24LengthPrefixed(func(body *cryptobyte.Builder) {
		if m.hasSignatureAlgorithm {
			body.AddUint16(uint16(m.signatureAlgorithm))
		}
		body.AddUint16LengthPrefixed(func(sig *cryptobyte.Builder) {
			sig.AddBytes(m.signature)
		})
	})

	return b.Bytes()
}
1868  
// unmarshal parses a CertificateVerify message. hasSignatureAlgorithm is read
// here, not set: the receiver is not reset, so the caller must populate it
// before the call to say whether a SignatureScheme precedes the signature.
// The signature aliases data and must fill the rest of the message. It reports
// whether data was well-formed.
func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
	s := cryptobyte.String(data)

	if !s.Skip(4) { // message type and uint24 length field
		return false
	}
	if m.hasSignatureAlgorithm && !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
		return false
	}
	if !readUint16LengthPrefixed(&s, &m.signature) {
		return false
	}
	return s.Empty()
}
1882  
// newSessionTicketMsg is the pre-TLS 1.3 NewSessionTicket message (RFC 5077,
// Section 3.3). The ticket_lifetime_hint is always written as zero and is not
// read.
type newSessionTicketMsg struct {
	ticket []byte // the opaque session ticket
}
1886  
// marshal encodes the pre-TLS 1.3 NewSessionTicket message: a handshake
// header, a zero ticket_lifetime_hint (four bytes), the uint16 ticket length,
// then the ticket bytes.
func (m *newSessionTicketMsg) marshal() ([]byte, error) {
	// See RFC 5077, Section 3.3.
	ticketLen := len(m.ticket)
	bodyLen := 4 + 2 + ticketLen
	out := []byte{
		typeNewSessionTicket, uint8(bodyLen >> 16), uint8(bodyLen >> 8), uint8(bodyLen),
		0, 0, 0, 0, // ticket_lifetime_hint
		uint8(ticketLen >> 8), uint8(ticketLen),
	}
	out = append(out, m.ticket...)

	return out, nil
}
1902  
// unmarshal parses a pre-TLS 1.3 NewSessionTicket message. Both the uint24
// handshake length and the uint16 ticket length must match len(data) exactly;
// the ticket_lifetime_hint bytes are skipped. The ticket aliases data. It
// reports whether data was well-formed.
func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
	// header(4) + ticket_lifetime_hint(4) + ticket length(2)
	const fixedLen = 10
	if len(data) < fixedLen {
		return false
	}

	bodyLen := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if bodyLen != uint32(len(data))-4 {
		return false
	}

	ticketLen := int(data[8])<<8 | int(data[9])
	if ticketLen != len(data)-fixedLen {
		return false
	}

	m.ticket = data[fixedLen:]

	return true
}
1922  
// helloRequestMsg is the pre-TLS 1.3 HelloRequest message; it has no body.
type helloRequestMsg struct {
}
1925  
// marshal returns the four-byte handshake header (type plus a zero uint24
// length); the message has no body.
func (*helloRequestMsg) marshal() ([]byte, error) {
	hdr := []byte{typeHelloRequest}
	return append(hdr, 0, 0, 0), nil
}
1929  
// unmarshal accepts exactly a bare four-byte handshake header. Only the total
// length is checked; the length field's own bytes are not inspected.
func (*helloRequestMsg) unmarshal(data []byte) bool {
	const headerLen = 4
	return len(data) == headerLen
}
1933  
// transcriptHash is the minimal sink transcriptMsg writes handshake bytes
// into; any io.Writer (such as a hash.Hash) satisfies it.
type transcriptHash interface {
	Write([]byte) (int, error)
}
1937  
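// transcriptMsg is a helper used to hash messages which are not hashed when
// they are read from, or written to, the wire. This is typically the case for
// messages which are either not sent, or need to be hashed out of order from
// when they are read/written.
//
// For most messages, the message is marshalled using their marshal method,
// since their wire representation is idempotent. For clientHelloMsg and
// serverHelloMsg, we store the original wire representation of the message and
// use that for hashing, since unmarshal/marshal are not idempotent due to
// extension ordering and other malleable fields, which may cause differences
// between what was received and what we marshal.
//
// It returns any error from marshal or from writing to h.
func transcriptMsg(msg handshakeMessage, h transcriptHash) error {
	if msgWithOrig, ok := msg.(handshakeMessageWithOriginalBytes); ok {
		// Hash the bytes that were nil-checked, rather than calling
		// originalBytes a second time, and surface any write failure.
		if orig := msgWithOrig.originalBytes(); orig != nil {
			_, err := h.Write(orig)
			return err
		}
	}

	data, err := msg.marshal()
	if err != nil {
		return err
	}
	_, err = h.Write(data)
	return err
}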
1964