Alternative TLS implementation in Go
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

2723 lines
62 KiB

  1. // Copyright 2009 The Go Authors. All rights reserved.
  2. // Use of this source code is governed by a BSD-style
  3. // license that can be found in the LICENSE file.
  4. package tls
  5. import (
  6. "bytes"
  7. "encoding/binary"
  8. "strings"
  9. )
  10. // signAlgosCertList helper function returns either list of signature algorithms in case
  11. // signature_algorithms_cert extension should be marshalled or nil in the other case.
  12. // signAlgos is a list of algorithms from signature_algorithms extension. signAlgosCert is a list
  13. // of algorithms from signature_algorithms_cert extension.
  14. func signAlgosCertList(signAlgos, signAlgosCert []SignatureScheme) []SignatureScheme {
  15. if eqSignatureAlgorithms(signAlgos, signAlgosCert) {
  16. // ensure that only supported_algorithms extension is send if supported_algorithms_cert
  17. // has identical content
  18. return nil
  19. }
  20. return signAlgosCert
  21. }
  22. type clientHelloMsg struct {
  23. raw []byte
  24. rawTruncated []byte // for PSK binding
  25. vers uint16
  26. random []byte
  27. sessionId []byte
  28. cipherSuites []uint16
  29. compressionMethods []uint8
  30. nextProtoNeg bool
  31. serverName string
  32. ocspStapling bool
  33. scts bool
  34. supportedCurves []CurveID
  35. supportedPoints []uint8
  36. ticketSupported bool
  37. sessionTicket []uint8
  38. supportedSignatureAlgorithms []SignatureScheme
  39. supportedSignatureAlgorithmsCert []SignatureScheme
  40. secureRenegotiation []byte
  41. secureRenegotiationSupported bool
  42. alpnProtocols []string
  43. keyShares []keyShare
  44. supportedVersions []uint16
  45. psks []psk
  46. pskKeyExchangeModes []uint8
  47. earlyData bool
  48. delegatedCredential bool
  49. extendedMSSupported bool // RFC7627
  50. }
  51. // Function used for signature_algorithms and signature_algorithrms_cert
  52. // extensions only (for more details, see TLS 1.3 draft 28, 4.2.3).
  53. //
  54. // It advances data slice and returns it, so that it can be used for further
  55. // processing
  56. func marshalExtensionSignatureAlgorithms(extension uint16, data []byte, schemes []SignatureScheme) []byte {
  57. algNum := uint16(len(schemes))
  58. if algNum == 0 {
  59. return data
  60. }
  61. binary.BigEndian.PutUint16(data, extension)
  62. data = data[2:]
  63. binary.BigEndian.PutUint16(data, (2*algNum)+2) // +1 for length
  64. data = data[2:]
  65. binary.BigEndian.PutUint16(data, (2 * algNum))
  66. data = data[2:]
  67. for _, algo := range schemes {
  68. binary.BigEndian.PutUint16(data, uint16(algo))
  69. data = data[2:]
  70. }
  71. return data
  72. }
  73. // Function used for unmarshalling signature_algorithms or signature_algorithms_cert extensions only
  74. // (for more details, see TLS 1.3 draft 28, 4.2.3)
  75. // In case of error function returns alertDecoderError otherwise filled SignatureScheme slice and alertSuccess
  76. func unmarshalExtensionSignatureAlgorithms(data []byte, length int) ([]SignatureScheme, alert) {
  77. if length < 2 || length&1 != 0 {
  78. return nil, alertDecodeError
  79. }
  80. algLen := binary.BigEndian.Uint16(data)
  81. idx := 2
  82. if int(algLen) != length-2 {
  83. return nil, alertDecodeError
  84. }
  85. schemes := make([]SignatureScheme, algLen/2)
  86. for i := range schemes {
  87. schemes[i] = SignatureScheme(binary.BigEndian.Uint16(data[idx:]))
  88. idx += 2
  89. }
  90. return schemes, alertSuccess
  91. }
  92. func (m *clientHelloMsg) equal(i interface{}) bool {
  93. m1, ok := i.(*clientHelloMsg)
  94. if !ok {
  95. return false
  96. }
  97. return bytes.Equal(m.raw, m1.raw) &&
  98. m.vers == m1.vers &&
  99. bytes.Equal(m.random, m1.random) &&
  100. bytes.Equal(m.sessionId, m1.sessionId) &&
  101. eqUint16s(m.cipherSuites, m1.cipherSuites) &&
  102. bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
  103. m.nextProtoNeg == m1.nextProtoNeg &&
  104. m.serverName == m1.serverName &&
  105. m.ocspStapling == m1.ocspStapling &&
  106. m.scts == m1.scts &&
  107. eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
  108. bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
  109. m.ticketSupported == m1.ticketSupported &&
  110. bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
  111. eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms) &&
  112. eqSignatureAlgorithms(m.supportedSignatureAlgorithmsCert, m1.supportedSignatureAlgorithmsCert) &&
  113. m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
  114. bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
  115. eqStrings(m.alpnProtocols, m1.alpnProtocols) &&
  116. eqKeyShares(m.keyShares, m1.keyShares) &&
  117. eqUint16s(m.supportedVersions, m1.supportedVersions) &&
  118. m.earlyData == m1.earlyData &&
  119. m.delegatedCredential == m1.delegatedCredential &&
  120. m.extendedMSSupported == m1.extendedMSSupported
  121. }
  122. func (m *clientHelloMsg) marshal() []byte {
  123. if m.raw != nil {
  124. return m.raw
  125. }
  126. length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods)
  127. numExtensions := 0
  128. extensionsLength := 0
  129. if m.nextProtoNeg {
  130. numExtensions++
  131. }
  132. if m.ocspStapling {
  133. extensionsLength += 1 + 2 + 2
  134. numExtensions++
  135. }
  136. if len(m.serverName) > 0 {
  137. extensionsLength += 5 + len(m.serverName)
  138. numExtensions++
  139. }
  140. if len(m.supportedCurves) > 0 {
  141. extensionsLength += 2 + 2*len(m.supportedCurves)
  142. numExtensions++
  143. }
  144. if len(m.supportedPoints) > 0 {
  145. extensionsLength += 1 + len(m.supportedPoints)
  146. numExtensions++
  147. }
  148. if m.ticketSupported {
  149. extensionsLength += len(m.sessionTicket)
  150. numExtensions++
  151. }
  152. if len(m.supportedSignatureAlgorithms) > 0 {
  153. extensionsLength += 2 + 2*len(m.supportedSignatureAlgorithms)
  154. numExtensions++
  155. }
  156. if m.getSignatureAlgorithmsCert() != nil {
  157. extensionsLength += 2 + 2*len(m.getSignatureAlgorithmsCert())
  158. numExtensions++
  159. }
  160. if m.secureRenegotiationSupported {
  161. extensionsLength += 1 + len(m.secureRenegotiation)
  162. numExtensions++
  163. }
  164. if len(m.alpnProtocols) > 0 {
  165. extensionsLength += 2
  166. for _, s := range m.alpnProtocols {
  167. if l := len(s); l == 0 || l > 255 {
  168. panic("invalid ALPN protocol")
  169. }
  170. extensionsLength++
  171. extensionsLength += len(s)
  172. }
  173. numExtensions++
  174. }
  175. if m.scts {
  176. numExtensions++
  177. }
  178. if len(m.keyShares) > 0 {
  179. extensionsLength += 2
  180. for _, k := range m.keyShares {
  181. extensionsLength += 4 + len(k.data)
  182. }
  183. numExtensions++
  184. }
  185. if len(m.supportedVersions) > 0 {
  186. extensionsLength += 1 + 2*len(m.supportedVersions)
  187. numExtensions++
  188. }
  189. if m.earlyData {
  190. numExtensions++
  191. }
  192. if m.delegatedCredential {
  193. numExtensions++
  194. }
  195. if m.extendedMSSupported {
  196. numExtensions++
  197. }
  198. if numExtensions > 0 {
  199. extensionsLength += 4 * numExtensions
  200. length += 2 + extensionsLength
  201. }
  202. x := make([]byte, 4+length)
  203. x[0] = typeClientHello
  204. x[1] = uint8(length >> 16)
  205. x[2] = uint8(length >> 8)
  206. x[3] = uint8(length)
  207. x[4] = uint8(m.vers >> 8)
  208. x[5] = uint8(m.vers)
  209. copy(x[6:38], m.random)
  210. x[38] = uint8(len(m.sessionId))
  211. copy(x[39:39+len(m.sessionId)], m.sessionId)
  212. y := x[39+len(m.sessionId):]
  213. y[0] = uint8(len(m.cipherSuites) >> 7)
  214. y[1] = uint8(len(m.cipherSuites) << 1)
  215. for i, suite := range m.cipherSuites {
  216. y[2+i*2] = uint8(suite >> 8)
  217. y[3+i*2] = uint8(suite)
  218. }
  219. z := y[2+len(m.cipherSuites)*2:]
  220. z[0] = uint8(len(m.compressionMethods))
  221. copy(z[1:], m.compressionMethods)
  222. z = z[1+len(m.compressionMethods):]
  223. if numExtensions > 0 {
  224. z[0] = byte(extensionsLength >> 8)
  225. z[1] = byte(extensionsLength)
  226. z = z[2:]
  227. }
  228. if m.nextProtoNeg {
  229. z[0] = byte(extensionNextProtoNeg >> 8)
  230. z[1] = byte(extensionNextProtoNeg & 0xff)
  231. // The length is always 0
  232. z = z[4:]
  233. }
  234. if len(m.serverName) > 0 {
  235. z[0] = byte(extensionServerName >> 8)
  236. z[1] = byte(extensionServerName & 0xff)
  237. l := len(m.serverName) + 5
  238. z[2] = byte(l >> 8)
  239. z[3] = byte(l)
  240. z = z[4:]
  241. // RFC 3546, section 3.1
  242. //
  243. // struct {
  244. // NameType name_type;
  245. // select (name_type) {
  246. // case host_name: HostName;
  247. // } name;
  248. // } ServerName;
  249. //
  250. // enum {
  251. // host_name(0), (255)
  252. // } NameType;
  253. //
  254. // opaque HostName<1..2^16-1>;
  255. //
  256. // struct {
  257. // ServerName server_name_list<1..2^16-1>
  258. // } ServerNameList;
  259. z[0] = byte((len(m.serverName) + 3) >> 8)
  260. z[1] = byte(len(m.serverName) + 3)
  261. z[3] = byte(len(m.serverName) >> 8)
  262. z[4] = byte(len(m.serverName))
  263. copy(z[5:], []byte(m.serverName))
  264. z = z[l:]
  265. }
  266. if m.ocspStapling {
  267. // RFC 4366, section 3.6
  268. z[0] = byte(extensionStatusRequest >> 8)
  269. z[1] = byte(extensionStatusRequest)
  270. z[2] = 0
  271. z[3] = 5
  272. z[4] = 1 // OCSP type
  273. // Two zero valued uint16s for the two lengths.
  274. z = z[9:]
  275. }
  276. if len(m.supportedCurves) > 0 {
  277. // http://tools.ietf.org/html/rfc4492#section-5.5.1
  278. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
  279. z[0] = byte(extensionSupportedCurves >> 8)
  280. z[1] = byte(extensionSupportedCurves)
  281. l := 2 + 2*len(m.supportedCurves)
  282. z[2] = byte(l >> 8)
  283. z[3] = byte(l)
  284. l -= 2
  285. z[4] = byte(l >> 8)
  286. z[5] = byte(l)
  287. z = z[6:]
  288. for _, curve := range m.supportedCurves {
  289. z[0] = byte(curve >> 8)
  290. z[1] = byte(curve)
  291. z = z[2:]
  292. }
  293. }
  294. if len(m.supportedPoints) > 0 {
  295. // http://tools.ietf.org/html/rfc4492#section-5.5.2
  296. z[0] = byte(extensionSupportedPoints >> 8)
  297. z[1] = byte(extensionSupportedPoints)
  298. l := 1 + len(m.supportedPoints)
  299. z[2] = byte(l >> 8)
  300. z[3] = byte(l)
  301. l--
  302. z[4] = byte(l)
  303. z = z[5:]
  304. for _, pointFormat := range m.supportedPoints {
  305. z[0] = pointFormat
  306. z = z[1:]
  307. }
  308. }
  309. if m.ticketSupported {
  310. // http://tools.ietf.org/html/rfc5077#section-3.2
  311. z[0] = byte(extensionSessionTicket >> 8)
  312. z[1] = byte(extensionSessionTicket)
  313. l := len(m.sessionTicket)
  314. z[2] = byte(l >> 8)
  315. z[3] = byte(l)
  316. z = z[4:]
  317. copy(z, m.sessionTicket)
  318. z = z[len(m.sessionTicket):]
  319. }
  320. if len(m.supportedSignatureAlgorithms) > 0 {
  321. z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithms, z, m.supportedSignatureAlgorithms)
  322. }
  323. if m.getSignatureAlgorithmsCert() != nil {
  324. // Ensure only one list of algorithms is sent if supported_algorithms and supported_algorithms_cert are the same
  325. z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithmsCert, z, m.getSignatureAlgorithmsCert())
  326. }
  327. if m.secureRenegotiationSupported {
  328. z[0] = byte(extensionRenegotiationInfo >> 8)
  329. z[1] = byte(extensionRenegotiationInfo & 0xff)
  330. z[2] = 0
  331. z[3] = byte(len(m.secureRenegotiation) + 1)
  332. z[4] = byte(len(m.secureRenegotiation))
  333. z = z[5:]
  334. copy(z, m.secureRenegotiation)
  335. z = z[len(m.secureRenegotiation):]
  336. }
  337. if len(m.alpnProtocols) > 0 {
  338. z[0] = byte(extensionALPN >> 8)
  339. z[1] = byte(extensionALPN & 0xff)
  340. lengths := z[2:]
  341. z = z[6:]
  342. stringsLength := 0
  343. for _, s := range m.alpnProtocols {
  344. l := len(s)
  345. z[0] = byte(l)
  346. copy(z[1:], s)
  347. z = z[1+l:]
  348. stringsLength += 1 + l
  349. }
  350. lengths[2] = byte(stringsLength >> 8)
  351. lengths[3] = byte(stringsLength)
  352. stringsLength += 2
  353. lengths[0] = byte(stringsLength >> 8)
  354. lengths[1] = byte(stringsLength)
  355. }
  356. if m.scts {
  357. // https://tools.ietf.org/html/rfc6962#section-3.3.1
  358. z[0] = byte(extensionSCT >> 8)
  359. z[1] = byte(extensionSCT)
  360. // zero uint16 for the zero-length extension_data
  361. z = z[4:]
  362. }
  363. if len(m.keyShares) > 0 {
  364. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.5
  365. z[0] = byte(extensionKeyShare >> 8)
  366. z[1] = byte(extensionKeyShare)
  367. lengths := z[2:]
  368. z = z[6:]
  369. totalLength := 0
  370. for _, ks := range m.keyShares {
  371. z[0] = byte(ks.group >> 8)
  372. z[1] = byte(ks.group)
  373. z[2] = byte(len(ks.data) >> 8)
  374. z[3] = byte(len(ks.data))
  375. copy(z[4:], ks.data)
  376. z = z[4+len(ks.data):]
  377. totalLength += 4 + len(ks.data)
  378. }
  379. lengths[2] = byte(totalLength >> 8)
  380. lengths[3] = byte(totalLength)
  381. totalLength += 2
  382. lengths[0] = byte(totalLength >> 8)
  383. lengths[1] = byte(totalLength)
  384. }
  385. if len(m.supportedVersions) > 0 {
  386. z[0] = byte(extensionSupportedVersions >> 8)
  387. z[1] = byte(extensionSupportedVersions)
  388. l := 1 + 2*len(m.supportedVersions)
  389. z[2] = byte(l >> 8)
  390. z[3] = byte(l)
  391. l -= 1
  392. z[4] = byte(l)
  393. z = z[5:]
  394. for _, v := range m.supportedVersions {
  395. z[0] = byte(v >> 8)
  396. z[1] = byte(v)
  397. z = z[2:]
  398. }
  399. }
  400. if m.earlyData {
  401. z[0] = byte(extensionEarlyData >> 8)
  402. z[1] = byte(extensionEarlyData)
  403. z = z[4:]
  404. }
  405. if m.delegatedCredential {
  406. binary.BigEndian.PutUint16(z, extensionDelegatedCredential)
  407. z = z[4:]
  408. }
  409. if m.extendedMSSupported {
  410. binary.BigEndian.PutUint16(z, extensionEMS)
  411. z = z[4:]
  412. }
  413. m.raw = x
  414. return x
  415. }
  416. func (m *clientHelloMsg) unmarshal(data []byte) alert {
  417. if len(data) < 42 {
  418. return alertDecodeError
  419. }
  420. m.raw = data
  421. m.vers = uint16(data[4])<<8 | uint16(data[5])
  422. m.random = data[6:38]
  423. sessionIdLen := int(data[38])
  424. if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
  425. return alertDecodeError
  426. }
  427. m.sessionId = data[39 : 39+sessionIdLen]
  428. data = data[39+sessionIdLen:]
  429. bindersOffset := 39 + sessionIdLen
  430. if len(data) < 2 {
  431. return alertDecodeError
  432. }
  433. // cipherSuiteLen is the number of bytes of cipher suite numbers. Since
  434. // they are uint16s, the number must be even.
  435. cipherSuiteLen := int(data[0])<<8 | int(data[1])
  436. if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
  437. return alertDecodeError
  438. }
  439. numCipherSuites := cipherSuiteLen / 2
  440. m.cipherSuites = make([]uint16, numCipherSuites)
  441. for i := 0; i < numCipherSuites; i++ {
  442. m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
  443. if m.cipherSuites[i] == scsvRenegotiation {
  444. m.secureRenegotiationSupported = true
  445. }
  446. }
  447. data = data[2+cipherSuiteLen:]
  448. bindersOffset += 2 + cipherSuiteLen
  449. if len(data) < 1 {
  450. return alertDecodeError
  451. }
  452. compressionMethodsLen := int(data[0])
  453. if len(data) < 1+compressionMethodsLen {
  454. return alertDecodeError
  455. }
  456. m.compressionMethods = data[1 : 1+compressionMethodsLen]
  457. data = data[1+compressionMethodsLen:]
  458. bindersOffset += 1 + compressionMethodsLen
  459. m.nextProtoNeg = false
  460. m.serverName = ""
  461. m.ocspStapling = false
  462. m.ticketSupported = false
  463. m.sessionTicket = nil
  464. m.supportedSignatureAlgorithms = nil
  465. m.alpnProtocols = nil
  466. m.scts = false
  467. m.keyShares = nil
  468. m.supportedVersions = nil
  469. m.psks = nil
  470. m.pskKeyExchangeModes = nil
  471. m.earlyData = false
  472. m.delegatedCredential = false
  473. m.extendedMSSupported = false
  474. if len(data) == 0 {
  475. // ClientHello is optionally followed by extension data
  476. return alertSuccess
  477. }
  478. if len(data) < 2 {
  479. return alertDecodeError
  480. }
  481. extensionsLength := int(data[0])<<8 | int(data[1])
  482. data = data[2:]
  483. bindersOffset += 2
  484. if extensionsLength != len(data) {
  485. return alertDecodeError
  486. }
  487. for len(data) != 0 {
  488. if len(data) < 4 {
  489. return alertDecodeError
  490. }
  491. extension := uint16(data[0])<<8 | uint16(data[1])
  492. length := int(data[2])<<8 | int(data[3])
  493. data = data[4:]
  494. bindersOffset += 4
  495. if len(data) < length {
  496. return alertDecodeError
  497. }
  498. switch extension {
  499. case extensionServerName:
  500. d := data[:length]
  501. if len(d) < 2 {
  502. return alertDecodeError
  503. }
  504. namesLen := int(d[0])<<8 | int(d[1])
  505. d = d[2:]
  506. if len(d) != namesLen {
  507. return alertDecodeError
  508. }
  509. for len(d) > 0 {
  510. if len(d) < 3 {
  511. return alertDecodeError
  512. }
  513. nameType := d[0]
  514. nameLen := int(d[1])<<8 | int(d[2])
  515. d = d[3:]
  516. if len(d) < nameLen {
  517. return alertDecodeError
  518. }
  519. if nameType == 0 {
  520. m.serverName = string(d[:nameLen])
  521. // An SNI value may not include a
  522. // trailing dot. See
  523. // https://tools.ietf.org/html/rfc6066#section-3.
  524. if strings.HasSuffix(m.serverName, ".") {
  525. // TODO use alertDecodeError?
  526. return alertUnexpectedMessage
  527. }
  528. break
  529. }
  530. d = d[nameLen:]
  531. }
  532. case extensionNextProtoNeg:
  533. if length > 0 {
  534. return alertDecodeError
  535. }
  536. m.nextProtoNeg = true
  537. case extensionStatusRequest:
  538. m.ocspStapling = length > 0 && data[0] == statusTypeOCSP
  539. case extensionSupportedCurves:
  540. // http://tools.ietf.org/html/rfc4492#section-5.5.1
  541. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
  542. if length < 2 {
  543. return alertDecodeError
  544. }
  545. l := int(data[0])<<8 | int(data[1])
  546. if l%2 == 1 || length != l+2 {
  547. return alertDecodeError
  548. }
  549. numCurves := l / 2
  550. m.supportedCurves = make([]CurveID, numCurves)
  551. d := data[2:]
  552. for i := 0; i < numCurves; i++ {
  553. m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1])
  554. d = d[2:]
  555. }
  556. case extensionSupportedPoints:
  557. // http://tools.ietf.org/html/rfc4492#section-5.5.2
  558. if length < 1 {
  559. return alertDecodeError
  560. }
  561. l := int(data[0])
  562. if length != l+1 {
  563. return alertDecodeError
  564. }
  565. m.supportedPoints = make([]uint8, l)
  566. copy(m.supportedPoints, data[1:])
  567. case extensionSessionTicket:
  568. // http://tools.ietf.org/html/rfc5077#section-3.2
  569. m.ticketSupported = true
  570. m.sessionTicket = data[:length]
  571. case extensionSignatureAlgorithms:
  572. // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
  573. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.3
  574. if length < 2 || length&1 != 0 {
  575. return alertDecodeError
  576. }
  577. l := int(data[0])<<8 | int(data[1])
  578. if l != length-2 {
  579. return alertDecodeError
  580. }
  581. n := l / 2
  582. d := data[2:]
  583. m.supportedSignatureAlgorithms = make([]SignatureScheme, n)
  584. for i := range m.supportedSignatureAlgorithms {
  585. m.supportedSignatureAlgorithms[i] = SignatureScheme(d[0])<<8 | SignatureScheme(d[1])
  586. d = d[2:]
  587. }
  588. case extensionRenegotiationInfo:
  589. if length == 0 {
  590. return alertDecodeError
  591. }
  592. d := data[:length]
  593. l := int(d[0])
  594. d = d[1:]
  595. if l != len(d) {
  596. return alertDecodeError
  597. }
  598. m.secureRenegotiation = d
  599. m.secureRenegotiationSupported = true
  600. case extensionALPN:
  601. if length < 2 {
  602. return alertDecodeError
  603. }
  604. l := int(data[0])<<8 | int(data[1])
  605. if l != length-2 {
  606. return alertDecodeError
  607. }
  608. d := data[2:length]
  609. for len(d) != 0 {
  610. stringLen := int(d[0])
  611. d = d[1:]
  612. if stringLen == 0 || stringLen > len(d) {
  613. return alertDecodeError
  614. }
  615. m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen]))
  616. d = d[stringLen:]
  617. }
  618. case extensionSCT:
  619. m.scts = true
  620. if length != 0 {
  621. return alertDecodeError
  622. }
  623. case extensionKeyShare:
  624. // https://tools.ietf.org/html/rfc8446#section-4.2.8
  625. if length < 2 {
  626. return alertDecodeError
  627. }
  628. l := int(data[0])<<8 | int(data[1])
  629. if l != length-2 {
  630. return alertDecodeError
  631. }
  632. d := data[2:length]
  633. for len(d) != 0 {
  634. if len(d) < 4 {
  635. return alertDecodeError
  636. }
  637. dataLen := int(d[2])<<8 | int(d[3])
  638. if dataLen == 0 || 4+dataLen > len(d) {
  639. return alertDecodeError
  640. }
  641. m.keyShares = append(m.keyShares, keyShare{
  642. group: CurveID(d[0])<<8 | CurveID(d[1]),
  643. data: d[4 : 4+dataLen],
  644. })
  645. d = d[4+dataLen:]
  646. }
  647. case extensionSupportedVersions:
  648. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.1
  649. if length < 1 {
  650. return alertDecodeError
  651. }
  652. l := int(data[0])
  653. if l%2 == 1 || length != l+1 {
  654. return alertDecodeError
  655. }
  656. n := l / 2
  657. d := data[1:]
  658. for i := 0; i < n; i++ {
  659. v := uint16(d[0])<<8 + uint16(d[1])
  660. m.supportedVersions = append(m.supportedVersions, v)
  661. d = d[2:]
  662. }
  663. case extensionPreSharedKey:
  664. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
  665. if length < 2 {
  666. return alertDecodeError
  667. }
  668. // Ensure this extension is the last one in the Client Hello
  669. if len(data) != length {
  670. return alertIllegalParameter
  671. }
  672. li := int(data[0])<<8 | int(data[1])
  673. if 2+li+2 > length {
  674. return alertDecodeError
  675. }
  676. d := data[2 : 2+li]
  677. bindersOffset += 2 + li
  678. for len(d) > 0 {
  679. if len(d) < 6 {
  680. return alertDecodeError
  681. }
  682. l := int(d[0])<<8 | int(d[1])
  683. if len(d) < 2+l+4 {
  684. return alertDecodeError
  685. }
  686. m.psks = append(m.psks, psk{
  687. identity: d[2 : 2+l],
  688. obfTicketAge: uint32(d[l+2])<<24 | uint32(d[l+3])<<16 |
  689. uint32(d[l+4])<<8 | uint32(d[l+5]),
  690. })
  691. d = d[2+l+4:]
  692. }
  693. lb := int(data[li+2])<<8 | int(data[li+3])
  694. d = data[2+li+2:]
  695. if lb != len(d) || lb == 0 {
  696. return alertDecodeError
  697. }
  698. i := 0
  699. for len(d) > 0 {
  700. if i >= len(m.psks) {
  701. return alertIllegalParameter
  702. }
  703. if len(d) < 1 {
  704. return alertDecodeError
  705. }
  706. l := int(d[0])
  707. if l > len(d)-1 {
  708. return alertDecodeError
  709. }
  710. if i >= len(m.psks) {
  711. return alertIllegalParameter
  712. }
  713. m.psks[i].binder = d[1 : 1+l]
  714. d = d[1+l:]
  715. i++
  716. }
  717. if i != len(m.psks) {
  718. return alertIllegalParameter
  719. }
  720. m.rawTruncated = m.raw[:bindersOffset]
  721. case extensionPSKKeyExchangeModes:
  722. if length < 2 {
  723. return alertDecodeError
  724. }
  725. l := int(data[0])
  726. if length != l+1 {
  727. return alertDecodeError
  728. }
  729. m.pskKeyExchangeModes = data[1:length]
  730. case extensionEarlyData:
  731. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
  732. m.earlyData = true
  733. case extensionDelegatedCredential:
  734. // https://tools.ietf.org/html/draft-ietf-tls-subcerts-02
  735. m.delegatedCredential = true
  736. case extensionEMS:
  737. // RFC 7627
  738. m.extendedMSSupported = true
  739. if length != 0 {
  740. return alertDecodeError
  741. }
  742. }
  743. data = data[length:]
  744. bindersOffset += length
  745. }
  746. return alertSuccess
  747. }
  748. func (m *clientHelloMsg) getSignatureAlgorithmsCert() []SignatureScheme {
  749. return signAlgosCertList(m.supportedSignatureAlgorithms, m.supportedSignatureAlgorithmsCert)
  750. }
  751. type serverHelloMsg struct {
  752. raw []byte
  753. vers uint16
  754. random []byte
  755. sessionId []byte
  756. cipherSuite uint16
  757. compressionMethod uint8
  758. nextProtoNeg bool
  759. nextProtos []string
  760. ocspStapling bool
  761. scts [][]byte
  762. ticketSupported bool
  763. secureRenegotiation []byte
  764. secureRenegotiationSupported bool
  765. alpnProtocol string
  766. // TLS 1.3
  767. keyShare keyShare
  768. psk bool
  769. pskIdentity uint16
  770. // RFC7627
  771. extendedMSSupported bool
  772. }
  773. func (m *serverHelloMsg) equal(i interface{}) bool {
  774. m1, ok := i.(*serverHelloMsg)
  775. if !ok {
  776. return false
  777. }
  778. if len(m.scts) != len(m1.scts) {
  779. return false
  780. }
  781. for i, sct := range m.scts {
  782. if !bytes.Equal(sct, m1.scts[i]) {
  783. return false
  784. }
  785. }
  786. return bytes.Equal(m.raw, m1.raw) &&
  787. m.vers == m1.vers &&
  788. bytes.Equal(m.random, m1.random) &&
  789. bytes.Equal(m.sessionId, m1.sessionId) &&
  790. m.cipherSuite == m1.cipherSuite &&
  791. m.compressionMethod == m1.compressionMethod &&
  792. m.nextProtoNeg == m1.nextProtoNeg &&
  793. eqStrings(m.nextProtos, m1.nextProtos) &&
  794. m.ocspStapling == m1.ocspStapling &&
  795. m.ticketSupported == m1.ticketSupported &&
  796. m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
  797. bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
  798. m.alpnProtocol == m1.alpnProtocol &&
  799. m.keyShare.group == m1.keyShare.group &&
  800. bytes.Equal(m.keyShare.data, m1.keyShare.data) &&
  801. m.psk == m1.psk &&
  802. m.pskIdentity == m1.pskIdentity &&
  803. m.extendedMSSupported == m1.extendedMSSupported
  804. }
  805. func (m *serverHelloMsg) marshal() []byte {
  806. if m.raw != nil {
  807. return m.raw
  808. }
  809. length := 38 + len(m.sessionId)
  810. numExtensions := 0
  811. extensionsLength := 0
  812. nextProtoLen := 0
  813. if m.nextProtoNeg {
  814. numExtensions++
  815. for _, v := range m.nextProtos {
  816. nextProtoLen += len(v)
  817. }
  818. nextProtoLen += len(m.nextProtos)
  819. extensionsLength += nextProtoLen
  820. }
  821. if m.ocspStapling {
  822. numExtensions++
  823. }
  824. if m.ticketSupported {
  825. numExtensions++
  826. }
  827. if m.secureRenegotiationSupported {
  828. extensionsLength += 1 + len(m.secureRenegotiation)
  829. numExtensions++
  830. }
  831. if m.extendedMSSupported {
  832. numExtensions++
  833. }
  834. if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
  835. if alpnLen >= 256 {
  836. panic("invalid ALPN protocol")
  837. }
  838. extensionsLength += 2 + 1 + alpnLen
  839. numExtensions++
  840. }
  841. sctLen := 0
  842. if len(m.scts) > 0 {
  843. for _, sct := range m.scts {
  844. sctLen += len(sct) + 2
  845. }
  846. extensionsLength += 2 + sctLen
  847. numExtensions++
  848. }
  849. if m.keyShare.group != 0 {
  850. extensionsLength += 4 + len(m.keyShare.data)
  851. numExtensions++
  852. }
  853. if m.psk {
  854. extensionsLength += 2
  855. numExtensions++
  856. }
  857. // supported_versions extension
  858. if m.vers >= VersionTLS13 {
  859. extensionsLength += 2
  860. numExtensions++
  861. }
  862. if numExtensions > 0 {
  863. extensionsLength += 4 * numExtensions
  864. length += 2 + extensionsLength
  865. }
  866. x := make([]byte, 4+length)
  867. x[0] = typeServerHello
  868. x[1] = uint8(length >> 16)
  869. x[2] = uint8(length >> 8)
  870. x[3] = uint8(length)
  871. if m.vers >= VersionTLS13 {
  872. x[4] = 3
  873. x[5] = 3
  874. } else {
  875. x[4] = uint8(m.vers >> 8)
  876. x[5] = uint8(m.vers)
  877. }
  878. copy(x[6:38], m.random)
  879. z := x[38:]
  880. x[38] = uint8(len(m.sessionId))
  881. copy(x[39:39+len(m.sessionId)], m.sessionId)
  882. z = x[39+len(m.sessionId):]
  883. z[0] = uint8(m.cipherSuite >> 8)
  884. z[1] = uint8(m.cipherSuite)
  885. z[2] = m.compressionMethod
  886. z = z[3:]
  887. if numExtensions > 0 {
  888. z[0] = byte(extensionsLength >> 8)
  889. z[1] = byte(extensionsLength)
  890. z = z[2:]
  891. }
  892. if m.vers >= VersionTLS13 {
  893. z[0] = byte(extensionSupportedVersions >> 8)
  894. z[1] = byte(extensionSupportedVersions)
  895. z[3] = 2
  896. z[4] = uint8(m.vers >> 8)
  897. z[5] = uint8(m.vers)
  898. z = z[6:]
  899. }
  900. if m.nextProtoNeg {
  901. z[0] = byte(extensionNextProtoNeg >> 8)
  902. z[1] = byte(extensionNextProtoNeg & 0xff)
  903. z[2] = byte(nextProtoLen >> 8)
  904. z[3] = byte(nextProtoLen)
  905. z = z[4:]
  906. for _, v := range m.nextProtos {
  907. l := len(v)
  908. if l > 255 {
  909. l = 255
  910. }
  911. z[0] = byte(l)
  912. copy(z[1:], []byte(v[0:l]))
  913. z = z[1+l:]
  914. }
  915. }
  916. if m.ocspStapling {
  917. z[0] = byte(extensionStatusRequest >> 8)
  918. z[1] = byte(extensionStatusRequest)
  919. z = z[4:]
  920. }
  921. if m.ticketSupported {
  922. z[0] = byte(extensionSessionTicket >> 8)
  923. z[1] = byte(extensionSessionTicket)
  924. z = z[4:]
  925. }
  926. if m.secureRenegotiationSupported {
  927. z[0] = byte(extensionRenegotiationInfo >> 8)
  928. z[1] = byte(extensionRenegotiationInfo & 0xff)
  929. z[2] = 0
  930. z[3] = byte(len(m.secureRenegotiation) + 1)
  931. z[4] = byte(len(m.secureRenegotiation))
  932. z = z[5:]
  933. copy(z, m.secureRenegotiation)
  934. z = z[len(m.secureRenegotiation):]
  935. }
  936. if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
  937. z[0] = byte(extensionALPN >> 8)
  938. z[1] = byte(extensionALPN & 0xff)
  939. l := 2 + 1 + alpnLen
  940. z[2] = byte(l >> 8)
  941. z[3] = byte(l)
  942. l -= 2
  943. z[4] = byte(l >> 8)
  944. z[5] = byte(l)
  945. l -= 1
  946. z[6] = byte(l)
  947. copy(z[7:], []byte(m.alpnProtocol))
  948. z = z[7+alpnLen:]
  949. }
  950. if sctLen > 0 {
  951. z[0] = byte(extensionSCT >> 8)
  952. z[1] = byte(extensionSCT)
  953. l := sctLen + 2
  954. z[2] = byte(l >> 8)
  955. z[3] = byte(l)
  956. z[4] = byte(sctLen >> 8)
  957. z[5] = byte(sctLen)
  958. z = z[6:]
  959. for _, sct := range m.scts {
  960. z[0] = byte(len(sct) >> 8)
  961. z[1] = byte(len(sct))
  962. copy(z[2:], sct)
  963. z = z[len(sct)+2:]
  964. }
  965. }
  966. if m.keyShare.group != 0 {
  967. z[0] = uint8(extensionKeyShare >> 8)
  968. z[1] = uint8(extensionKeyShare)
  969. l := 4 + len(m.keyShare.data)
  970. z[2] = uint8(l >> 8)
  971. z[3] = uint8(l)
  972. z[4] = uint8(m.keyShare.group >> 8)
  973. z[5] = uint8(m.keyShare.group)
  974. l -= 4
  975. z[6] = uint8(l >> 8)
  976. z[7] = uint8(l)
  977. copy(z[8:], m.keyShare.data)
  978. z = z[8+l:]
  979. }
  980. if m.psk {
  981. z[0] = byte(extensionPreSharedKey >> 8)
  982. z[1] = byte(extensionPreSharedKey)
  983. z[3] = 2
  984. z[4] = byte(m.pskIdentity >> 8)
  985. z[5] = byte(m.pskIdentity)
  986. z = z[6:]
  987. }
  988. if m.extendedMSSupported {
  989. binary.BigEndian.PutUint16(z, extensionEMS)
  990. z = z[4:]
  991. }
  992. m.raw = x
  993. return x
  994. }
  995. func (m *serverHelloMsg) unmarshal(data []byte) alert {
  996. if len(data) < 42 {
  997. return alertDecodeError
  998. }
  999. m.raw = data
  1000. m.vers = uint16(data[4])<<8 | uint16(data[5])
  1001. m.random = data[6:38]
  1002. sessionIdLen := int(data[38])
  1003. if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
  1004. return alertDecodeError
  1005. }
  1006. m.sessionId = data[39 : 39+sessionIdLen]
  1007. data = data[39+sessionIdLen:]
  1008. if len(data) < 3 {
  1009. return alertDecodeError
  1010. }
  1011. m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
  1012. m.compressionMethod = data[2]
  1013. data = data[3:]
  1014. m.nextProtoNeg = false
  1015. m.nextProtos = nil
  1016. m.ocspStapling = false
  1017. m.scts = nil
  1018. m.ticketSupported = false
  1019. m.alpnProtocol = ""
  1020. m.keyShare.group = 0
  1021. m.keyShare.data = nil
  1022. m.psk = false
  1023. m.pskIdentity = 0
  1024. m.extendedMSSupported = false
  1025. if len(data) == 0 {
  1026. // ServerHello is optionally followed by extension data
  1027. return alertSuccess
  1028. }
  1029. if len(data) < 2 {
  1030. return alertDecodeError
  1031. }
  1032. extensionsLength := int(data[0])<<8 | int(data[1])
  1033. data = data[2:]
  1034. if len(data) != extensionsLength {
  1035. return alertDecodeError
  1036. }
  1037. svData := findExtension(data, extensionSupportedVersions)
  1038. if svData != nil {
  1039. if len(svData) != 2 {
  1040. return alertDecodeError
  1041. }
  1042. if m.vers != VersionTLS12 {
  1043. return alertDecodeError
  1044. }
  1045. rcvVer := binary.BigEndian.Uint16(svData[0:])
  1046. if rcvVer < VersionTLS13 {
  1047. return alertIllegalParameter
  1048. }
  1049. m.vers = rcvVer
  1050. }
  1051. for len(data) != 0 {
  1052. if len(data) < 4 {
  1053. return alertDecodeError
  1054. }
  1055. extension := uint16(data[0])<<8 | uint16(data[1])
  1056. length := int(data[2])<<8 | int(data[3])
  1057. data = data[4:]
  1058. if len(data) < length {
  1059. return alertDecodeError
  1060. }
  1061. switch extension {
  1062. case extensionNextProtoNeg:
  1063. m.nextProtoNeg = true
  1064. d := data[:length]
  1065. for len(d) > 0 {
  1066. l := int(d[0])
  1067. d = d[1:]
  1068. if l == 0 || l > len(d) {
  1069. return alertDecodeError
  1070. }
  1071. m.nextProtos = append(m.nextProtos, string(d[:l]))
  1072. d = d[l:]
  1073. }
  1074. case extensionStatusRequest:
  1075. if length > 0 {
  1076. return alertDecodeError
  1077. }
  1078. m.ocspStapling = true
  1079. case extensionSessionTicket:
  1080. if length > 0 {
  1081. return alertDecodeError
  1082. }
  1083. m.ticketSupported = true
  1084. case extensionRenegotiationInfo:
  1085. if length == 0 {
  1086. return alertDecodeError
  1087. }
  1088. d := data[:length]
  1089. l := int(d[0])
  1090. d = d[1:]
  1091. if l != len(d) {
  1092. return alertDecodeError
  1093. }
  1094. m.secureRenegotiation = d
  1095. m.secureRenegotiationSupported = true
  1096. case extensionALPN:
  1097. d := data[:length]
  1098. if len(d) < 3 {
  1099. return alertDecodeError
  1100. }
  1101. l := int(d[0])<<8 | int(d[1])
  1102. if l != len(d)-2 {
  1103. return alertDecodeError
  1104. }
  1105. d = d[2:]
  1106. l = int(d[0])
  1107. if l != len(d)-1 {
  1108. return alertDecodeError
  1109. }
  1110. d = d[1:]
  1111. if len(d) == 0 {
  1112. // ALPN protocols must not be empty.
  1113. return alertDecodeError
  1114. }
  1115. m.alpnProtocol = string(d)
  1116. case extensionSCT:
  1117. d := data[:length]
  1118. if len(d) < 2 {
  1119. return alertDecodeError
  1120. }
  1121. l := int(d[0])<<8 | int(d[1])
  1122. d = d[2:]
  1123. if len(d) != l || l == 0 {
  1124. return alertDecodeError
  1125. }
  1126. m.scts = make([][]byte, 0, 3)
  1127. for len(d) != 0 {
  1128. if len(d) < 2 {
  1129. return alertDecodeError
  1130. }
  1131. sctLen := int(d[0])<<8 | int(d[1])
  1132. d = d[2:]
  1133. if sctLen == 0 || len(d) < sctLen {
  1134. return alertDecodeError
  1135. }
  1136. m.scts = append(m.scts, d[:sctLen])
  1137. d = d[sctLen:]
  1138. }
  1139. case extensionKeyShare:
  1140. d := data[:length]
  1141. if len(d) < 4 {
  1142. return alertDecodeError
  1143. }
  1144. m.keyShare.group = CurveID(d[0])<<8 | CurveID(d[1])
  1145. l := int(d[2])<<8 | int(d[3])
  1146. d = d[4:]
  1147. if len(d) != l {
  1148. return alertDecodeError
  1149. }
  1150. m.keyShare.data = d[:l]
  1151. case extensionPreSharedKey:
  1152. if length != 2 {
  1153. return alertDecodeError
  1154. }
  1155. m.psk = true
  1156. m.pskIdentity = uint16(data[0])<<8 | uint16(data[1])
  1157. case extensionEMS:
  1158. m.extendedMSSupported = true
  1159. }
  1160. data = data[length:]
  1161. }
  1162. return alertSuccess
  1163. }
  1164. type encryptedExtensionsMsg struct {
  1165. raw []byte
  1166. alpnProtocol string
  1167. earlyData bool
  1168. }
  1169. func (m *encryptedExtensionsMsg) equal(i interface{}) bool {
  1170. m1, ok := i.(*encryptedExtensionsMsg)
  1171. if !ok {
  1172. return false
  1173. }
  1174. return bytes.Equal(m.raw, m1.raw) &&
  1175. m.alpnProtocol == m1.alpnProtocol &&
  1176. m.earlyData == m1.earlyData
  1177. }
  1178. func (m *encryptedExtensionsMsg) marshal() []byte {
  1179. if m.raw != nil {
  1180. return m.raw
  1181. }
  1182. length := 2
  1183. if m.earlyData {
  1184. length += 4
  1185. }
  1186. alpnLen := len(m.alpnProtocol)
  1187. if alpnLen > 0 {
  1188. if alpnLen >= 256 {
  1189. panic("invalid ALPN protocol")
  1190. }
  1191. length += 2 + 2 + 2 + 1 + alpnLen
  1192. }
  1193. x := make([]byte, 4+length)
  1194. x[0] = typeEncryptedExtensions
  1195. x[1] = uint8(length >> 16)
  1196. x[2] = uint8(length >> 8)
  1197. x[3] = uint8(length)
  1198. length -= 2
  1199. x[4] = uint8(length >> 8)
  1200. x[5] = uint8(length)
  1201. z := x[6:]
  1202. if alpnLen > 0 {
  1203. z[0] = byte(extensionALPN >> 8)
  1204. z[1] = byte(extensionALPN)
  1205. l := 2 + 1 + alpnLen
  1206. z[2] = byte(l >> 8)
  1207. z[3] = byte(l)
  1208. l -= 2
  1209. z[4] = byte(l >> 8)
  1210. z[5] = byte(l)
  1211. l -= 1
  1212. z[6] = byte(l)
  1213. copy(z[7:], []byte(m.alpnProtocol))
  1214. z = z[7+alpnLen:]
  1215. }
  1216. if m.earlyData {
  1217. z[0] = byte(extensionEarlyData >> 8)
  1218. z[1] = byte(extensionEarlyData)
  1219. z = z[4:]
  1220. }
  1221. m.raw = x
  1222. return x
  1223. }
  1224. func (m *encryptedExtensionsMsg) unmarshal(data []byte) alert {
  1225. if len(data) < 6 {
  1226. return alertDecodeError
  1227. }
  1228. m.raw = data
  1229. m.alpnProtocol = ""
  1230. m.earlyData = false
  1231. extensionsLength := int(data[4])<<8 | int(data[5])
  1232. data = data[6:]
  1233. if len(data) != extensionsLength {
  1234. return alertDecodeError
  1235. }
  1236. for len(data) != 0 {
  1237. if len(data) < 4 {
  1238. return alertDecodeError
  1239. }
  1240. extension := uint16(data[0])<<8 | uint16(data[1])
  1241. length := int(data[2])<<8 | int(data[3])
  1242. data = data[4:]
  1243. if len(data) < length {
  1244. return alertDecodeError
  1245. }
  1246. switch extension {
  1247. case extensionALPN:
  1248. d := data[:length]
  1249. if len(d) < 3 {
  1250. return alertDecodeError
  1251. }
  1252. l := int(d[0])<<8 | int(d[1])
  1253. if l != len(d)-2 {
  1254. return alertDecodeError
  1255. }
  1256. d = d[2:]
  1257. l = int(d[0])
  1258. if l != len(d)-1 {
  1259. return alertDecodeError
  1260. }
  1261. d = d[1:]
  1262. if len(d) == 0 {
  1263. // ALPN protocols must not be empty.
  1264. return alertDecodeError
  1265. }
  1266. m.alpnProtocol = string(d)
  1267. case extensionEarlyData:
  1268. // https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
  1269. m.earlyData = true
  1270. }
  1271. data = data[length:]
  1272. }
  1273. return alertSuccess
  1274. }
  1275. type certificateMsg struct {
  1276. raw []byte
  1277. certificates [][]byte
  1278. }
  1279. func (m *certificateMsg) equal(i interface{}) bool {
  1280. m1, ok := i.(*certificateMsg)
  1281. if !ok {
  1282. return false
  1283. }
  1284. return bytes.Equal(m.raw, m1.raw) &&
  1285. eqByteSlices(m.certificates, m1.certificates)
  1286. }
  1287. func (m *certificateMsg) marshal() (x []byte) {
  1288. if m.raw != nil {
  1289. return m.raw
  1290. }
  1291. var i int
  1292. for _, slice := range m.certificates {
  1293. i += len(slice)
  1294. }
  1295. length := 3 + 3*len(m.certificates) + i
  1296. x = make([]byte, 4+length)
  1297. x[0] = typeCertificate
  1298. x[1] = uint8(length >> 16)
  1299. x[2] = uint8(length >> 8)
  1300. x[3] = uint8(length)
  1301. certificateOctets := length - 3
  1302. x[4] = uint8(certificateOctets >> 16)
  1303. x[5] = uint8(certificateOctets >> 8)
  1304. x[6] = uint8(certificateOctets)
  1305. y := x[7:]
  1306. for _, slice := range m.certificates {
  1307. y[0] = uint8(len(slice) >> 16)
  1308. y[1] = uint8(len(slice) >> 8)
  1309. y[2] = uint8(len(slice))
  1310. copy(y[3:], slice)
  1311. y = y[3+len(slice):]
  1312. }
  1313. m.raw = x
  1314. return
  1315. }
  1316. func (m *certificateMsg) unmarshal(data []byte) alert {
  1317. if len(data) < 7 {
  1318. return alertDecodeError
  1319. }
  1320. m.raw = data
  1321. certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
  1322. if uint32(len(data)) != certsLen+7 {
  1323. return alertDecodeError
  1324. }
  1325. numCerts := 0
  1326. d := data[7:]
  1327. for certsLen > 0 {
  1328. if len(d) < 4 {
  1329. return alertDecodeError
  1330. }
  1331. certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1332. if uint32(len(d)) < 3+certLen {
  1333. return alertDecodeError
  1334. }
  1335. d = d[3+certLen:]
  1336. certsLen -= 3 + certLen
  1337. numCerts++
  1338. }
  1339. m.certificates = make([][]byte, numCerts)
  1340. d = data[7:]
  1341. for i := 0; i < numCerts; i++ {
  1342. certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1343. m.certificates[i] = d[3 : 3+certLen]
  1344. d = d[3+certLen:]
  1345. }
  1346. return alertSuccess
  1347. }
  1348. type certificateEntry struct {
  1349. data []byte
  1350. ocspStaple []byte
  1351. sctList [][]byte
  1352. delegatedCredential []byte
  1353. }
  1354. type certificateMsg13 struct {
  1355. raw []byte
  1356. requestContext []byte
  1357. certificates []certificateEntry
  1358. }
  1359. func (m *certificateMsg13) equal(i interface{}) bool {
  1360. m1, ok := i.(*certificateMsg13)
  1361. if !ok {
  1362. return false
  1363. }
  1364. if len(m.certificates) != len(m1.certificates) {
  1365. return false
  1366. }
  1367. for i, _ := range m.certificates {
  1368. ok := bytes.Equal(m.certificates[i].data, m1.certificates[i].data)
  1369. ok = ok && bytes.Equal(m.certificates[i].ocspStaple, m1.certificates[i].ocspStaple)
  1370. ok = ok && eqByteSlices(m.certificates[i].sctList, m1.certificates[i].sctList)
  1371. ok = ok && bytes.Equal(m.certificates[i].delegatedCredential, m1.certificates[i].delegatedCredential)
  1372. if !ok {
  1373. return false
  1374. }
  1375. }
  1376. return bytes.Equal(m.raw, m1.raw) &&
  1377. bytes.Equal(m.requestContext, m1.requestContext)
  1378. }
  1379. func (m *certificateMsg13) marshal() (x []byte) {
  1380. if m.raw != nil {
  1381. return m.raw
  1382. }
  1383. var i int
  1384. for _, cert := range m.certificates {
  1385. i += len(cert.data)
  1386. if len(cert.ocspStaple) != 0 {
  1387. i += 8 + len(cert.ocspStaple)
  1388. }
  1389. if len(cert.sctList) != 0 {
  1390. i += 6
  1391. for _, sct := range cert.sctList {
  1392. i += 2 + len(sct)
  1393. }
  1394. }
  1395. if len(cert.delegatedCredential) != 0 {
  1396. i += 4 + len(cert.delegatedCredential)
  1397. }
  1398. }
  1399. length := 3 + 3*len(m.certificates) + i
  1400. length += 2 * len(m.certificates) // extensions
  1401. length += 1 + len(m.requestContext)
  1402. x = make([]byte, 4+length)
  1403. x[0] = typeCertificate
  1404. x[1] = uint8(length >> 16)
  1405. x[2] = uint8(length >> 8)
  1406. x[3] = uint8(length)
  1407. z := x[4:]
  1408. z[0] = byte(len(m.requestContext))
  1409. copy(z[1:], m.requestContext)
  1410. z = z[1+len(m.requestContext):]
  1411. certificateOctets := len(z) - 3
  1412. z[0] = uint8(certificateOctets >> 16)
  1413. z[1] = uint8(certificateOctets >> 8)
  1414. z[2] = uint8(certificateOctets)
  1415. z = z[3:]
  1416. for _, cert := range m.certificates {
  1417. z[0] = uint8(len(cert.data) >> 16)
  1418. z[1] = uint8(len(cert.data) >> 8)
  1419. z[2] = uint8(len(cert.data))
  1420. copy(z[3:], cert.data)
  1421. z = z[3+len(cert.data):]
  1422. extLenPos := z[:2]
  1423. z = z[2:]
  1424. extensionLen := 0
  1425. if len(cert.ocspStaple) != 0 {
  1426. stapleLen := 4 + len(cert.ocspStaple)
  1427. z[0] = uint8(extensionStatusRequest >> 8)
  1428. z[1] = uint8(extensionStatusRequest)
  1429. z[2] = uint8(stapleLen >> 8)
  1430. z[3] = uint8(stapleLen)
  1431. stapleLen -= 4
  1432. z[4] = statusTypeOCSP
  1433. z[5] = uint8(stapleLen >> 16)
  1434. z[6] = uint8(stapleLen >> 8)
  1435. z[7] = uint8(stapleLen)
  1436. copy(z[8:], cert.ocspStaple)
  1437. z = z[8+stapleLen:]
  1438. extensionLen += 8 + stapleLen
  1439. }
  1440. if len(cert.sctList) != 0 {
  1441. z[0] = uint8(extensionSCT >> 8)
  1442. z[1] = uint8(extensionSCT)
  1443. sctLenPos := z[2:6]
  1444. z = z[6:]
  1445. extensionLen += 6
  1446. sctLen := 2
  1447. for _, sct := range cert.sctList {
  1448. z[0] = uint8(len(sct) >> 8)
  1449. z[1] = uint8(len(sct))
  1450. copy(z[2:], sct)
  1451. z = z[2+len(sct):]
  1452. extensionLen += 2 + len(sct)
  1453. sctLen += 2 + len(sct)
  1454. }
  1455. sctLenPos[0] = uint8(sctLen >> 8)
  1456. sctLenPos[1] = uint8(sctLen)
  1457. sctLen -= 2
  1458. sctLenPos[2] = uint8(sctLen >> 8)
  1459. sctLenPos[3] = uint8(sctLen)
  1460. }
  1461. if len(cert.delegatedCredential) != 0 {
  1462. binary.BigEndian.PutUint16(z, extensionDelegatedCredential)
  1463. binary.BigEndian.PutUint16(z[2:], uint16(len(cert.delegatedCredential)))
  1464. z = z[4:]
  1465. copy(z, cert.delegatedCredential)
  1466. z = z[len(cert.delegatedCredential):]
  1467. extensionLen += 4 + len(cert.delegatedCredential)
  1468. }
  1469. extLenPos[0] = uint8(extensionLen >> 8)
  1470. extLenPos[1] = uint8(extensionLen)
  1471. }
  1472. m.raw = x
  1473. return
  1474. }
  1475. func (m *certificateMsg13) unmarshal(data []byte) alert {
  1476. if len(data) < 5 {
  1477. return alertDecodeError
  1478. }
  1479. m.raw = data
  1480. ctxLen := data[4]
  1481. if len(data) < int(ctxLen)+5+3 {
  1482. return alertDecodeError
  1483. }
  1484. m.requestContext = data[5 : 5+ctxLen]
  1485. d := data[5+ctxLen:]
  1486. certsLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1487. if uint32(len(d)) != certsLen+3 {
  1488. return alertDecodeError
  1489. }
  1490. numCerts := 0
  1491. d = d[3:]
  1492. for certsLen > 0 {
  1493. if len(d) < 4 {
  1494. return alertDecodeError
  1495. }
  1496. certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1497. if uint32(len(d)) < 3+certLen {
  1498. return alertDecodeError
  1499. }
  1500. d = d[3+certLen:]
  1501. if len(d) < 2 {
  1502. return alertDecodeError
  1503. }
  1504. extLen := uint16(d[0])<<8 | uint16(d[1])
  1505. if uint16(len(d)) < 2+extLen {
  1506. return alertDecodeError
  1507. }
  1508. d = d[2+extLen:]
  1509. certsLen -= 3 + certLen + 2 + uint32(extLen)
  1510. numCerts++
  1511. }
  1512. m.certificates = make([]certificateEntry, numCerts)
  1513. d = data[8+ctxLen:]
  1514. for i := 0; i < numCerts; i++ {
  1515. certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1516. m.certificates[i].data = d[3 : 3+certLen]
  1517. d = d[3+certLen:]
  1518. extLen := uint16(d[0])<<8 | uint16(d[1])
  1519. d = d[2:]
  1520. for extLen > 0 {
  1521. if extLen < 4 {
  1522. return alertDecodeError
  1523. }
  1524. typ := uint16(d[0])<<8 | uint16(d[1])
  1525. bodyLen := uint16(d[2])<<8 | uint16(d[3])
  1526. if extLen < 4+bodyLen {
  1527. return alertDecodeError
  1528. }
  1529. body := d[4 : 4+bodyLen]
  1530. d = d[4+bodyLen:]
  1531. extLen -= 4 + bodyLen
  1532. switch typ {
  1533. case extensionStatusRequest:
  1534. if len(body) < 4 || body[0] != 0x01 {
  1535. return alertDecodeError
  1536. }
  1537. ocspLen := int(body[1])<<16 | int(body[2])<<8 | int(body[3])
  1538. if len(body) != 4+ocspLen {
  1539. return alertDecodeError
  1540. }
  1541. m.certificates[i].ocspStaple = body[4:]
  1542. case extensionSCT:
  1543. if len(body) < 2 {
  1544. return alertDecodeError
  1545. }
  1546. listLen := int(body[0])<<8 | int(body[1])
  1547. body = body[2:]
  1548. if len(body) != listLen {
  1549. return alertDecodeError
  1550. }
  1551. for len(body) > 0 {
  1552. if len(body) < 2 {
  1553. return alertDecodeError
  1554. }
  1555. sctLen := int(body[0])<<8 | int(body[1])
  1556. if len(body) < 2+sctLen {
  1557. return alertDecodeError
  1558. }
  1559. m.certificates[i].sctList = append(m.certificates[i].sctList, body[2:2+sctLen])
  1560. body = body[2+sctLen:]
  1561. }
  1562. case extensionDelegatedCredential:
  1563. m.certificates[i].delegatedCredential = body
  1564. }
  1565. }
  1566. }
  1567. return alertSuccess
  1568. }
  1569. type serverKeyExchangeMsg struct {
  1570. raw []byte
  1571. key []byte
  1572. }
  1573. func (m *serverKeyExchangeMsg) equal(i interface{}) bool {
  1574. m1, ok := i.(*serverKeyExchangeMsg)
  1575. if !ok {
  1576. return false
  1577. }
  1578. return bytes.Equal(m.raw, m1.raw) &&
  1579. bytes.Equal(m.key, m1.key)
  1580. }
  1581. func (m *serverKeyExchangeMsg) marshal() []byte {
  1582. if m.raw != nil {
  1583. return m.raw
  1584. }
  1585. length := len(m.key)
  1586. x := make([]byte, length+4)
  1587. x[0] = typeServerKeyExchange
  1588. x[1] = uint8(length >> 16)
  1589. x[2] = uint8(length >> 8)
  1590. x[3] = uint8(length)
  1591. copy(x[4:], m.key)
  1592. m.raw = x
  1593. return x
  1594. }
  1595. func (m *serverKeyExchangeMsg) unmarshal(data []byte) alert {
  1596. m.raw = data
  1597. if len(data) < 4 {
  1598. return alertDecodeError
  1599. }
  1600. m.key = data[4:]
  1601. return alertSuccess
  1602. }
  1603. type certificateStatusMsg struct {
  1604. raw []byte
  1605. statusType uint8
  1606. response []byte
  1607. }
  1608. func (m *certificateStatusMsg) equal(i interface{}) bool {
  1609. m1, ok := i.(*certificateStatusMsg)
  1610. if !ok {
  1611. return false
  1612. }
  1613. return bytes.Equal(m.raw, m1.raw) &&
  1614. m.statusType == m1.statusType &&
  1615. bytes.Equal(m.response, m1.response)
  1616. }
  1617. func (m *certificateStatusMsg) marshal() []byte {
  1618. if m.raw != nil {
  1619. return m.raw
  1620. }
  1621. var x []byte
  1622. if m.statusType == statusTypeOCSP {
  1623. x = make([]byte, 4+4+len(m.response))
  1624. x[0] = typeCertificateStatus
  1625. l := len(m.response) + 4
  1626. x[1] = byte(l >> 16)
  1627. x[2] = byte(l >> 8)
  1628. x[3] = byte(l)
  1629. x[4] = statusTypeOCSP
  1630. l -= 4
  1631. x[5] = byte(l >> 16)
  1632. x[6] = byte(l >> 8)
  1633. x[7] = byte(l)
  1634. copy(x[8:], m.response)
  1635. } else {
  1636. x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
  1637. }
  1638. m.raw = x
  1639. return x
  1640. }
  1641. func (m *certificateStatusMsg) unmarshal(data []byte) alert {
  1642. m.raw = data
  1643. if len(data) < 5 {
  1644. return alertDecodeError
  1645. }
  1646. m.statusType = data[4]
  1647. m.response = nil
  1648. if m.statusType == statusTypeOCSP {
  1649. if len(data) < 8 {
  1650. return alertDecodeError
  1651. }
  1652. respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
  1653. if uint32(len(data)) != 4+4+respLen {
  1654. return alertDecodeError
  1655. }
  1656. m.response = data[8:]
  1657. }
  1658. return alertSuccess
  1659. }
  1660. type serverHelloDoneMsg struct{}
  1661. func (m *serverHelloDoneMsg) equal(i interface{}) bool {
  1662. _, ok := i.(*serverHelloDoneMsg)
  1663. return ok
  1664. }
  1665. func (m *serverHelloDoneMsg) marshal() []byte {
  1666. x := make([]byte, 4)
  1667. x[0] = typeServerHelloDone
  1668. return x
  1669. }
  1670. func (m *serverHelloDoneMsg) unmarshal(data []byte) alert {
  1671. if len(data) != 4 {
  1672. return alertDecodeError
  1673. }
  1674. return alertSuccess
  1675. }
  1676. type clientKeyExchangeMsg struct {
  1677. raw []byte
  1678. ciphertext []byte
  1679. }
  1680. func (m *clientKeyExchangeMsg) equal(i interface{}) bool {
  1681. m1, ok := i.(*clientKeyExchangeMsg)
  1682. if !ok {
  1683. return false
  1684. }
  1685. return bytes.Equal(m.raw, m1.raw) &&
  1686. bytes.Equal(m.ciphertext, m1.ciphertext)
  1687. }
  1688. func (m *clientKeyExchangeMsg) marshal() []byte {
  1689. if m.raw != nil {
  1690. return m.raw
  1691. }
  1692. length := len(m.ciphertext)
  1693. x := make([]byte, length+4)
  1694. x[0] = typeClientKeyExchange
  1695. x[1] = uint8(length >> 16)
  1696. x[2] = uint8(length >> 8)
  1697. x[3] = uint8(length)
  1698. copy(x[4:], m.ciphertext)
  1699. m.raw = x
  1700. return x
  1701. }
  1702. func (m *clientKeyExchangeMsg) unmarshal(data []byte) alert {
  1703. m.raw = data
  1704. if len(data) < 4 {
  1705. return alertDecodeError
  1706. }
  1707. l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
  1708. if l != len(data)-4 {
  1709. return alertDecodeError
  1710. }
  1711. m.ciphertext = data[4:]
  1712. return alertSuccess
  1713. }
  1714. type finishedMsg struct {
  1715. raw []byte
  1716. verifyData []byte
  1717. }
  1718. func (m *finishedMsg) equal(i interface{}) bool {
  1719. m1, ok := i.(*finishedMsg)
  1720. if !ok {
  1721. return false
  1722. }
  1723. return bytes.Equal(m.raw, m1.raw) &&
  1724. bytes.Equal(m.verifyData, m1.verifyData)
  1725. }
  1726. func (m *finishedMsg) marshal() (x []byte) {
  1727. if m.raw != nil {
  1728. return m.raw
  1729. }
  1730. x = make([]byte, 4+len(m.verifyData))
  1731. x[0] = typeFinished
  1732. x[3] = byte(len(m.verifyData))
  1733. copy(x[4:], m.verifyData)
  1734. m.raw = x
  1735. return
  1736. }
  1737. func (m *finishedMsg) unmarshal(data []byte) alert {
  1738. m.raw = data
  1739. if len(data) < 4 {
  1740. return alertDecodeError
  1741. }
  1742. m.verifyData = data[4:]
  1743. return alertSuccess
  1744. }
  1745. type nextProtoMsg struct {
  1746. raw []byte
  1747. proto string
  1748. }
  1749. func (m *nextProtoMsg) equal(i interface{}) bool {
  1750. m1, ok := i.(*nextProtoMsg)
  1751. if !ok {
  1752. return false
  1753. }
  1754. return bytes.Equal(m.raw, m1.raw) &&
  1755. m.proto == m1.proto
  1756. }
  1757. func (m *nextProtoMsg) marshal() []byte {
  1758. if m.raw != nil {
  1759. return m.raw
  1760. }
  1761. l := len(m.proto)
  1762. if l > 255 {
  1763. l = 255
  1764. }
  1765. padding := 32 - (l+2)%32
  1766. length := l + padding + 2
  1767. x := make([]byte, length+4)
  1768. x[0] = typeNextProtocol
  1769. x[1] = uint8(length >> 16)
  1770. x[2] = uint8(length >> 8)
  1771. x[3] = uint8(length)
  1772. y := x[4:]
  1773. y[0] = byte(l)
  1774. copy(y[1:], []byte(m.proto[0:l]))
  1775. y = y[1+l:]
  1776. y[0] = byte(padding)
  1777. m.raw = x
  1778. return x
  1779. }
  1780. func (m *nextProtoMsg) unmarshal(data []byte) alert {
  1781. m.raw = data
  1782. if len(data) < 5 {
  1783. return alertDecodeError
  1784. }
  1785. data = data[4:]
  1786. protoLen := int(data[0])
  1787. data = data[1:]
  1788. if len(data) < protoLen {
  1789. return alertDecodeError
  1790. }
  1791. m.proto = string(data[0:protoLen])
  1792. data = data[protoLen:]
  1793. if len(data) < 1 {
  1794. return alertDecodeError
  1795. }
  1796. paddingLen := int(data[0])
  1797. data = data[1:]
  1798. if len(data) != paddingLen {
  1799. return alertDecodeError
  1800. }
  1801. return alertSuccess
  1802. }
  1803. type certificateRequestMsg struct {
  1804. raw []byte
  1805. // hasSignatureAndHash indicates whether this message includes a list
  1806. // of signature and hash functions. This change was introduced with TLS
  1807. // 1.2.
  1808. hasSignatureAndHash bool
  1809. certificateTypes []byte
  1810. supportedSignatureAlgorithms []SignatureScheme
  1811. certificateAuthorities [][]byte
  1812. }
  1813. func (m *certificateRequestMsg) equal(i interface{}) bool {
  1814. m1, ok := i.(*certificateRequestMsg)
  1815. if !ok {
  1816. return false
  1817. }
  1818. return bytes.Equal(m.raw, m1.raw) &&
  1819. bytes.Equal(m.certificateTypes, m1.certificateTypes) &&
  1820. eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
  1821. eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms)
  1822. }
  1823. func (m *certificateRequestMsg) marshal() (x []byte) {
  1824. if m.raw != nil {
  1825. return m.raw
  1826. }
  1827. // See http://tools.ietf.org/html/rfc4346#section-7.4.4
  1828. length := 1 + len(m.certificateTypes) + 2
  1829. casLength := 0
  1830. for _, ca := range m.certificateAuthorities {
  1831. casLength += 2 + len(ca)
  1832. }
  1833. length += casLength
  1834. if m.hasSignatureAndHash {
  1835. length += 2 + 2*len(m.supportedSignatureAlgorithms)
  1836. }
  1837. x = make([]byte, 4+length)
  1838. x[0] = typeCertificateRequest
  1839. x[1] = uint8(length >> 16)
  1840. x[2] = uint8(length >> 8)
  1841. x[3] = uint8(length)
  1842. x[4] = uint8(len(m.certificateTypes))
  1843. copy(x[5:], m.certificateTypes)
  1844. y := x[5+len(m.certificateTypes):]
  1845. if m.hasSignatureAndHash {
  1846. n := len(m.supportedSignatureAlgorithms) * 2
  1847. y[0] = uint8(n >> 8)
  1848. y[1] = uint8(n)
  1849. y = y[2:]
  1850. for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1851. y[0] = uint8(sigAlgo >> 8)
  1852. y[1] = uint8(sigAlgo)
  1853. y = y[2:]
  1854. }
  1855. }
  1856. y[0] = uint8(casLength >> 8)
  1857. y[1] = uint8(casLength)
  1858. y = y[2:]
  1859. for _, ca := range m.certificateAuthorities {
  1860. y[0] = uint8(len(ca) >> 8)
  1861. y[1] = uint8(len(ca))
  1862. y = y[2:]
  1863. copy(y, ca)
  1864. y = y[len(ca):]
  1865. }
  1866. m.raw = x
  1867. return
  1868. }
  1869. func (m *certificateRequestMsg) unmarshal(data []byte) alert {
  1870. m.raw = data
  1871. if len(data) < 5 {
  1872. return alertDecodeError
  1873. }
  1874. length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1875. if uint32(len(data))-4 != length {
  1876. return alertDecodeError
  1877. }
  1878. numCertTypes := int(data[4])
  1879. data = data[5:]
  1880. if numCertTypes == 0 || len(data) <= numCertTypes {
  1881. return alertDecodeError
  1882. }
  1883. m.certificateTypes = make([]byte, numCertTypes)
  1884. if copy(m.certificateTypes, data) != numCertTypes {
  1885. return alertDecodeError
  1886. }
  1887. data = data[numCertTypes:]
  1888. if m.hasSignatureAndHash {
  1889. if len(data) < 2 {
  1890. return alertDecodeError
  1891. }
  1892. sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
  1893. data = data[2:]
  1894. if sigAndHashLen&1 != 0 {
  1895. return alertDecodeError
  1896. }
  1897. if len(data) < int(sigAndHashLen) {
  1898. return alertDecodeError
  1899. }
  1900. numSigAlgos := sigAndHashLen / 2
  1901. m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
  1902. for i := range m.supportedSignatureAlgorithms {
  1903. m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1904. data = data[2:]
  1905. }
  1906. }
  1907. if len(data) < 2 {
  1908. return alertDecodeError
  1909. }
  1910. casLength := uint16(data[0])<<8 | uint16(data[1])
  1911. data = data[2:]
  1912. if len(data) < int(casLength) {
  1913. return alertDecodeError
  1914. }
  1915. cas := make([]byte, casLength)
  1916. copy(cas, data)
  1917. data = data[casLength:]
  1918. m.certificateAuthorities = nil
  1919. for len(cas) > 0 {
  1920. if len(cas) < 2 {
  1921. return alertDecodeError
  1922. }
  1923. caLen := uint16(cas[0])<<8 | uint16(cas[1])
  1924. cas = cas[2:]
  1925. if len(cas) < int(caLen) {
  1926. return alertDecodeError
  1927. }
  1928. m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  1929. cas = cas[caLen:]
  1930. }
  1931. if len(data) != 0 {
  1932. return alertDecodeError
  1933. }
  1934. return alertSuccess
  1935. }
  1936. type certificateRequestMsg13 struct {
  1937. raw []byte
  1938. requestContext []byte
  1939. supportedSignatureAlgorithms []SignatureScheme
  1940. supportedSignatureAlgorithmsCert []SignatureScheme
  1941. certificateAuthorities [][]byte
  1942. }
  1943. func (m *certificateRequestMsg13) equal(i interface{}) bool {
  1944. m1, ok := i.(*certificateRequestMsg13)
  1945. return ok &&
  1946. bytes.Equal(m.raw, m1.raw) &&
  1947. bytes.Equal(m.requestContext, m1.requestContext) &&
  1948. eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
  1949. eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms) &&
  1950. eqSignatureAlgorithms(m.supportedSignatureAlgorithmsCert, m1.supportedSignatureAlgorithmsCert)
  1951. }
  1952. func (m *certificateRequestMsg13) marshal() (x []byte) {
  1953. if m.raw != nil {
  1954. return m.raw
  1955. }
  1956. // See https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.3.2
  1957. length := 1 + len(m.requestContext)
  1958. numExtensions := 1
  1959. extensionsLength := 2 + 2*len(m.supportedSignatureAlgorithms)
  1960. if m.getSignatureAlgorithmsCert() != nil {
  1961. numExtensions += 1
  1962. extensionsLength += 2 + 2*len(m.getSignatureAlgorithmsCert())
  1963. }
  1964. casLength := 0
  1965. if len(m.certificateAuthorities) > 0 {
  1966. for _, ca := range m.certificateAuthorities {
  1967. casLength += 2 + len(ca)
  1968. }
  1969. extensionsLength += 2 + casLength
  1970. numExtensions++
  1971. }
  1972. extensionsLength += 4 * numExtensions
  1973. length += 2 + extensionsLength
  1974. x = make([]byte, 4+length)
  1975. x[0] = typeCertificateRequest
  1976. x[1] = uint8(length >> 16)
  1977. x[2] = uint8(length >> 8)
  1978. x[3] = uint8(length)
  1979. x[4] = uint8(len(m.requestContext))
  1980. copy(x[5:], m.requestContext)
  1981. z := x[5+len(m.requestContext):]
  1982. z[0] = byte(extensionsLength >> 8)
  1983. z[1] = byte(extensionsLength)
  1984. z = z[2:]
  1985. // TODO: this function should be reused by CH
  1986. z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithms, z, m.supportedSignatureAlgorithms)
  1987. if m.getSignatureAlgorithmsCert() != nil {
  1988. z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithmsCert, z, m.getSignatureAlgorithmsCert())
  1989. }
  1990. // certificate_authorities
  1991. if casLength > 0 {
  1992. z[0] = byte(extensionCAs >> 8)
  1993. z[1] = byte(extensionCAs)
  1994. l := 2 + casLength
  1995. z[2] = byte(l >> 8)
  1996. z[3] = byte(l)
  1997. z = z[4:]
  1998. z[0] = uint8(casLength >> 8)
  1999. z[1] = uint8(casLength)
  2000. z = z[2:]
  2001. for _, ca := range m.certificateAuthorities {
  2002. z[0] = uint8(len(ca) >> 8)
  2003. z[1] = uint8(len(ca))
  2004. z = z[2:]
  2005. copy(z, ca)
  2006. z = z[len(ca):]
  2007. }
  2008. }
  2009. m.raw = x
  2010. return
  2011. }
  2012. func (m *certificateRequestMsg13) unmarshal(data []byte) alert {
  2013. m.raw = data
  2014. m.supportedSignatureAlgorithms = nil
  2015. m.certificateAuthorities = nil
  2016. if len(data) < 5 {
  2017. return alertDecodeError
  2018. }
  2019. length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  2020. if uint32(len(data))-4 != length {
  2021. return alertDecodeError
  2022. }
  2023. ctxLen := data[4]
  2024. if len(data) < 5+int(ctxLen)+2 {
  2025. return alertDecodeError
  2026. }
  2027. m.requestContext = data[5 : 5+ctxLen]
  2028. data = data[5+ctxLen:]
  2029. extensionsLength := int(data[0])<<8 | int(data[1])
  2030. data = data[2:]
  2031. if len(data) != extensionsLength {
  2032. return alertDecodeError
  2033. }
  2034. for len(data) != 0 {
  2035. if len(data) < 4 {
  2036. return alertDecodeError
  2037. }
  2038. extension := uint16(data[0])<<8 | uint16(data[1])
  2039. length := int(data[2])<<8 | int(data[3])
  2040. data = data[4:]
  2041. if len(data) < length {
  2042. return alertDecodeError
  2043. }
  2044. switch extension {
  2045. case extensionSignatureAlgorithms:
  2046. // TODO: unmarshalExtensionSignatureAlgorithms should be shared with CH and pre-1.3 CV
  2047. // https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3
  2048. var err alert
  2049. m.supportedSignatureAlgorithms, err = unmarshalExtensionSignatureAlgorithms(data, length)
  2050. if err != alertSuccess {
  2051. return err
  2052. }
  2053. case extensionSignatureAlgorithmsCert:
  2054. var err alert
  2055. m.supportedSignatureAlgorithmsCert, err = unmarshalExtensionSignatureAlgorithms(data, length)
  2056. if err != alertSuccess {
  2057. return err
  2058. }
  2059. case extensionCAs:
  2060. // TODO DRY: share code with CH
  2061. if length < 2 {
  2062. return alertDecodeError
  2063. }
  2064. l := int(data[0])<<8 | int(data[1])
  2065. if l != length-2 || l < 3 {
  2066. return alertDecodeError
  2067. }
  2068. cas := make([]byte, l)
  2069. copy(cas, data[2:])
  2070. m.certificateAuthorities = nil
  2071. for len(cas) > 0 {
  2072. if len(cas) < 2 {
  2073. return alertDecodeError
  2074. }
  2075. caLen := uint16(cas[0])<<8 | uint16(cas[1])
  2076. cas = cas[2:]
  2077. if len(cas) < int(caLen) {
  2078. return alertDecodeError
  2079. }
  2080. m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  2081. cas = cas[caLen:]
  2082. }
  2083. }
  2084. data = data[length:]
  2085. }
  2086. if len(m.supportedSignatureAlgorithms) == 0 {
  2087. return alertDecodeError
  2088. }
  2089. return alertSuccess
  2090. }
  2091. func (m *certificateRequestMsg13) getSignatureAlgorithmsCert() []SignatureScheme {
  2092. return signAlgosCertList(m.supportedSignatureAlgorithms, m.supportedSignatureAlgorithmsCert)
  2093. }
  2094. type certificateVerifyMsg struct {
  2095. raw []byte
  2096. hasSignatureAndHash bool
  2097. signatureAlgorithm SignatureScheme
  2098. signature []byte
  2099. }
  2100. func (m *certificateVerifyMsg) equal(i interface{}) bool {
  2101. m1, ok := i.(*certificateVerifyMsg)
  2102. if !ok {
  2103. return false
  2104. }
  2105. return bytes.Equal(m.raw, m1.raw) &&
  2106. m.hasSignatureAndHash == m1.hasSignatureAndHash &&
  2107. m.signatureAlgorithm == m1.signatureAlgorithm &&
  2108. bytes.Equal(m.signature, m1.signature)
  2109. }
  2110. func (m *certificateVerifyMsg) marshal() (x []byte) {
  2111. if m.raw != nil {
  2112. return m.raw
  2113. }
  2114. // See http://tools.ietf.org/html/rfc4346#section-7.4.8
  2115. siglength := len(m.signature)
  2116. length := 2 + siglength
  2117. if m.hasSignatureAndHash {
  2118. length += 2
  2119. }
  2120. x = make([]byte, 4+length)
  2121. x[0] = typeCertificateVerify
  2122. x[1] = uint8(length >> 16)
  2123. x[2] = uint8(length >> 8)
  2124. x[3] = uint8(length)
  2125. y := x[4:]
  2126. if m.hasSignatureAndHash {
  2127. y[0] = uint8(m.signatureAlgorithm >> 8)
  2128. y[1] = uint8(m.signatureAlgorithm)
  2129. y = y[2:]
  2130. }
  2131. y[0] = uint8(siglength >> 8)
  2132. y[1] = uint8(siglength)
  2133. copy(y[2:], m.signature)
  2134. m.raw = x
  2135. return
  2136. }
  2137. func (m *certificateVerifyMsg) unmarshal(data []byte) alert {
  2138. m.raw = data
  2139. if len(data) < 6 {
  2140. return alertDecodeError
  2141. }
  2142. length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  2143. if uint32(len(data))-4 != length {
  2144. return alertDecodeError
  2145. }
  2146. data = data[4:]
  2147. if m.hasSignatureAndHash {
  2148. m.signatureAlgorithm = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  2149. data = data[2:]
  2150. }
  2151. if len(data) < 2 {
  2152. return alertDecodeError
  2153. }
  2154. siglength := int(data[0])<<8 + int(data[1])
  2155. data = data[2:]
  2156. if len(data) != siglength {
  2157. return alertDecodeError
  2158. }
  2159. m.signature = data
  2160. return alertSuccess
  2161. }
  2162. type newSessionTicketMsg struct {
  2163. raw []byte
  2164. ticket []byte
  2165. }
  2166. func (m *newSessionTicketMsg) equal(i interface{}) bool {
  2167. m1, ok := i.(*newSessionTicketMsg)
  2168. if !ok {
  2169. return false
  2170. }
  2171. return bytes.Equal(m.raw, m1.raw) &&
  2172. bytes.Equal(m.ticket, m1.ticket)
  2173. }
  2174. func (m *newSessionTicketMsg) marshal() (x []byte) {
  2175. if m.raw != nil {
  2176. return m.raw
  2177. }
  2178. // See http://tools.ietf.org/html/rfc5077#section-3.3
  2179. ticketLen := len(m.ticket)
  2180. length := 2 + 4 + ticketLen
  2181. x = make([]byte, 4+length)
  2182. x[0] = typeNewSessionTicket
  2183. x[1] = uint8(length >> 16)
  2184. x[2] = uint8(length >> 8)
  2185. x[3] = uint8(length)
  2186. x[8] = uint8(ticketLen >> 8)
  2187. x[9] = uint8(ticketLen)
  2188. copy(x[10:], m.ticket)
  2189. m.raw = x
  2190. return
  2191. }
  2192. func (m *newSessionTicketMsg) unmarshal(data []byte) alert {
  2193. m.raw = data
  2194. if len(data) < 10 {
  2195. return alertDecodeError
  2196. }
  2197. length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  2198. if uint32(len(data))-4 != length {
  2199. return alertDecodeError
  2200. }
  2201. ticketLen := int(data[8])<<8 + int(data[9])
  2202. if len(data)-10 != ticketLen {
  2203. return alertDecodeError
  2204. }
  2205. m.ticket = data[10:]
  2206. return alertSuccess
  2207. }
  2208. type newSessionTicketMsg13 struct {
  2209. raw []byte
  2210. lifetime uint32
  2211. ageAdd uint32
  2212. nonce []byte
  2213. ticket []byte
  2214. withEarlyDataInfo bool
  2215. maxEarlyDataLength uint32
  2216. }
  2217. func (m *newSessionTicketMsg13) equal(i interface{}) bool {
  2218. m1, ok := i.(*newSessionTicketMsg13)
  2219. if !ok {
  2220. return false
  2221. }
  2222. return bytes.Equal(m.raw, m1.raw) &&
  2223. m.lifetime == m1.lifetime &&
  2224. m.ageAdd == m1.ageAdd &&
  2225. bytes.Equal(m.nonce, m1.nonce) &&
  2226. bytes.Equal(m.ticket, m1.ticket) &&
  2227. m.withEarlyDataInfo == m1.withEarlyDataInfo &&
  2228. m.maxEarlyDataLength == m1.maxEarlyDataLength
  2229. }
  2230. func (m *newSessionTicketMsg13) marshal() (x []byte) {
  2231. if m.raw != nil {
  2232. return m.raw
  2233. }
  2234. // See https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.6.1
  2235. nonceLen := len(m.nonce)
  2236. ticketLen := len(m.ticket)
  2237. length := 13 + nonceLen + ticketLen
  2238. if m.withEarlyDataInfo {
  2239. length += 8
  2240. }
  2241. x = make([]byte, 4+length)
  2242. x[0] = typeNewSessionTicket
  2243. x[1] = uint8(length >> 16)
  2244. x[2] = uint8(length >> 8)
  2245. x[3] = uint8(length)
  2246. x[4] = uint8(m.lifetime >> 24)
  2247. x[5] = uint8(m.lifetime >> 16)
  2248. x[6] = uint8(m.lifetime >> 8)
  2249. x[7] = uint8(m.lifetime)
  2250. x[8] = uint8(m.ageAdd >> 24)
  2251. x[9] = uint8(m.ageAdd >> 16)
  2252. x[10] = uint8(m.ageAdd >> 8)
  2253. x[11] = uint8(m.ageAdd)
  2254. x[12] = uint8(nonceLen)
  2255. copy(x[13:13+nonceLen], m.nonce)
  2256. y := x[13+nonceLen:]
  2257. y[0] = uint8(ticketLen >> 8)
  2258. y[1] = uint8(ticketLen)
  2259. copy(y[2:2+ticketLen], m.ticket)
  2260. if m.withEarlyDataInfo {
  2261. z := y[2+ticketLen:]
  2262. // z[0] is already 0, this is the extensions vector length.
  2263. z[1] = 8
  2264. z[2] = uint8(extensionEarlyData >> 8)
  2265. z[3] = uint8(extensionEarlyData)
  2266. z[5] = 4
  2267. z[6] = uint8(m.maxEarlyDataLength >> 24)
  2268. z[7] = uint8(m.maxEarlyDataLength >> 16)
  2269. z[8] = uint8(m.maxEarlyDataLength >> 8)
  2270. z[9] = uint8(m.maxEarlyDataLength)
  2271. }
  2272. m.raw = x
  2273. return
  2274. }
  2275. func (m *newSessionTicketMsg13) unmarshal(data []byte) alert {
  2276. m.raw = data
  2277. m.maxEarlyDataLength = 0
  2278. m.withEarlyDataInfo = false
  2279. if len(data) < 17 {
  2280. return alertDecodeError
  2281. }
  2282. length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  2283. if uint32(len(data))-4 != length {
  2284. return alertDecodeError
  2285. }
  2286. m.lifetime = uint32(data[4])<<24 | uint32(data[5])<<16 |
  2287. uint32(data[6])<<8 | uint32(data[7])
  2288. m.ageAdd = uint32(data[8])<<24 | uint32(data[9])<<16 |
  2289. uint32(data[10])<<8 | uint32(data[11])
  2290. nonceLen := int(data[12])
  2291. if nonceLen == 0 || 13+nonceLen+2 > len(data) {
  2292. return alertDecodeError
  2293. }
  2294. m.nonce = data[13 : 13+nonceLen]
  2295. data = data[13+nonceLen:]
  2296. ticketLen := int(data[0])<<8 + int(data[1])
  2297. if ticketLen == 0 || 2+ticketLen+2 > len(data) {
  2298. return alertDecodeError
  2299. }
  2300. m.ticket = data[2 : 2+ticketLen]
  2301. data = data[2+ticketLen:]
  2302. extLen := int(data[0])<<8 + int(data[1])
  2303. if extLen != len(data)-2 {
  2304. return alertDecodeError
  2305. }
  2306. data = data[2:]
  2307. for len(data) > 0 {
  2308. if len(data) < 4 {
  2309. return alertDecodeError
  2310. }
  2311. extType := uint16(data[0])<<8 + uint16(data[1])
  2312. length := int(data[2])<<8 + int(data[3])
  2313. data = data[4:]
  2314. switch extType {
  2315. case extensionEarlyData:
  2316. if length != 4 {
  2317. return alertDecodeError
  2318. }
  2319. m.withEarlyDataInfo = true
  2320. m.maxEarlyDataLength = uint32(data[0])<<24 | uint32(data[1])<<16 |
  2321. uint32(data[2])<<8 | uint32(data[3])
  2322. }
  2323. data = data[length:]
  2324. }
  2325. return alertSuccess
  2326. }
  2327. type endOfEarlyDataMsg struct {
  2328. }
  2329. func (*endOfEarlyDataMsg) marshal() []byte {
  2330. return []byte{typeEndOfEarlyData, 0, 0, 0}
  2331. }
  2332. func (*endOfEarlyDataMsg) unmarshal(data []byte) alert {
  2333. if len(data) != 4 {
  2334. return alertDecodeError
  2335. }
  2336. return alertSuccess
  2337. }
  2338. type helloRequestMsg struct {
  2339. }
  2340. func (*helloRequestMsg) marshal() []byte {
  2341. return []byte{typeHelloRequest, 0, 0, 0}
  2342. }
  2343. func (*helloRequestMsg) unmarshal(data []byte) alert {
  2344. if len(data) != 4 {
  2345. return alertDecodeError
  2346. }
  2347. return alertSuccess
  2348. }
  2349. func eqUint16s(x, y []uint16) bool {
  2350. if len(x) != len(y) {
  2351. return false
  2352. }
  2353. for i, v := range x {
  2354. if y[i] != v {
  2355. return false
  2356. }
  2357. }
  2358. return true
  2359. }
  2360. func eqCurveIDs(x, y []CurveID) bool {
  2361. if len(x) != len(y) {
  2362. return false
  2363. }
  2364. for i, v := range x {
  2365. if y[i] != v {
  2366. return false
  2367. }
  2368. }
  2369. return true
  2370. }
  2371. func eqStrings(x, y []string) bool {
  2372. if len(x) != len(y) {
  2373. return false
  2374. }
  2375. for i, v := range x {
  2376. if y[i] != v {
  2377. return false
  2378. }
  2379. }
  2380. return true
  2381. }
  2382. func eqByteSlices(x, y [][]byte) bool {
  2383. if len(x) != len(y) {
  2384. return false
  2385. }
  2386. for i, v := range x {
  2387. if !bytes.Equal(v, y[i]) {
  2388. return false
  2389. }
  2390. }
  2391. return true
  2392. }
  2393. func eqSignatureAlgorithms(x, y []SignatureScheme) bool {
  2394. if len(x) != len(y) {
  2395. return false
  2396. }
  2397. for i, v := range x {
  2398. if v != y[i] {
  2399. return false
  2400. }
  2401. }
  2402. return true
  2403. }
  2404. func eqKeyShares(x, y []keyShare) bool {
  2405. if len(x) != len(y) {
  2406. return false
  2407. }
  2408. for i := range x {
  2409. if x[i].group != y[i].group {
  2410. return false
  2411. }
  2412. if !bytes.Equal(x[i].data, y[i].data) {
  2413. return false
  2414. }
  2415. }
  2416. return true
  2417. }
  2418. func findExtension(data []byte, extensionType uint16) []byte {
  2419. for len(data) != 0 {
  2420. if len(data) < 4 {
  2421. return nil
  2422. }
  2423. extension := uint16(data[0])<<8 | uint16(data[1])
  2424. length := int(data[2])<<8 | int(data[3])
  2425. data = data[4:]
  2426. if len(data) < length {
  2427. return nil
  2428. }
  2429. if extension == extensionType {
  2430. return data[:length]
  2431. }
  2432. data = data[length:]
  2433. }
  2434. return nil
  2435. }