th5/handshake_messages.go

// Copyright 2009 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

package th5

import (
	"bytes"
	"encoding/binary"
	"strings"
)

// signAlgosCertList helper function returns either list of signature algorithms in case
// signature_algorithms_cert extension should be marshalled or nil in the other case.
// signAlgos is a list of algorithms from signature_algorithms extension. signAlgosCert is a list
// of algorithms from signature_algorithms_cert extension.
func signAlgosCertList(signAlgos, signAlgosCert []SignatureScheme) []SignatureScheme {
	if eqSignatureAlgorithms(signAlgos, signAlgosCert) {
		// ensure that only supported_algorithms extension is send if supported_algorithms_cert
		// has identical content
		return nil
	}
	return signAlgosCert
}

type clientHelloMsg struct {
	raw                              []byte
	rawTruncated                     []byte // for PSK binding
	vers                             uint16
	random                           []byte
	sessionId                        []byte
	cipherSuites                     []uint16
	compressionMethods               []uint8
	nextProtoNeg                     bool
	serverName                       string
	ocspStapling                     bool
	scts                             bool
	supportedCurves                  []CurveID
	supportedPoints                  []uint8
	ticketSupported                  bool
	sessionTicket                    []uint8
	supportedSignatureAlgorithms     []SignatureScheme
	supportedSignatureAlgorithmsCert []SignatureScheme
	secureRenegotiation              []byte
	secureRenegotiationSupported     bool
	alpnProtocols                    []string
	keyShares                        []keyShare
	supportedVersions                []uint16
	psks                             []psk
	pskKeyExchangeModes              []uint8
	earlyData                        bool
	delegatedCredential              bool
	extendedMSSupported              bool // RFC7627
}

// Function used for signature_algorithms and signature_algorithrms_cert
// extensions only (for more details, see TLS 1.3 draft 28, 4.2.3).
//
// It advances data slice and returns it, so that it can be used for further
// processing
func marshalExtensionSignatureAlgorithms(extension uint16, data []byte, schemes []SignatureScheme) []byte {
	algNum := uint16(len(schemes))
	if algNum == 0 {
		return data
	}

	binary.BigEndian.PutUint16(data, extension)
	data = data[2:]
	binary.BigEndian.PutUint16(data, (2*algNum)+2) // +1 for length
	data = data[2:]
	binary.BigEndian.PutUint16(data, (2 * algNum))
	data = data[2:]

	for _, algo := range schemes {
		binary.BigEndian.PutUint16(data, uint16(algo))
		data = data[2:]
	}
	return data
}

// Function used for unmarshalling signature_algorithms or signature_algorithms_cert extensions only
// (for more details, see TLS 1.3 draft 28, 4.2.3)
// In case of error function returns alertDecoderError otherwise filled SignatureScheme slice and alertSuccess
func unmarshalExtensionSignatureAlgorithms(data []byte, length int) ([]SignatureScheme, alert) {

	if length < 2 || length&1 != 0 {
		return nil, alertDecodeError
	}

	algLen := binary.BigEndian.Uint16(data)
	idx := 2

	if int(algLen) != length-2 {
		return nil, alertDecodeError
	}

	schemes := make([]SignatureScheme, algLen/2)
	for i := range schemes {
		schemes[i] = SignatureScheme(binary.BigEndian.Uint16(data[idx:]))
		idx += 2
	}
	return schemes, alertSuccess
}

func (m *clientHelloMsg) equal(i interface{}) bool {
	m1, ok := i.(*clientHelloMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.vers == m1.vers &&
		bytes.Equal(m.random, m1.random) &&
		bytes.Equal(m.sessionId, m1.sessionId) &&
		eqUint16s(m.cipherSuites, m1.cipherSuites) &&
		bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
		m.nextProtoNeg == m1.nextProtoNeg &&
		m.serverName == m1.serverName &&
		m.ocspStapling == m1.ocspStapling &&
		m.scts == m1.scts &&
		eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
		bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
		m.ticketSupported == m1.ticketSupported &&
		bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
		eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms) &&
		eqSignatureAlgorithms(m.supportedSignatureAlgorithmsCert, m1.supportedSignatureAlgorithmsCert) &&
		m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
		eqStrings(m.alpnProtocols, m1.alpnProtocols) &&
		eqKeyShares(m.keyShares, m1.keyShares) &&
		eqUint16s(m.supportedVersions, m1.supportedVersions) &&
		m.earlyData == m1.earlyData &&
		m.delegatedCredential == m1.delegatedCredential &&
		m.extendedMSSupported == m1.extendedMSSupported
}

func (m *clientHelloMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}

	length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods)
	numExtensions := 0
	extensionsLength := 0

	if m.nextProtoNeg {
		numExtensions++
	}
	if m.ocspStapling {
		extensionsLength += 1 + 2 + 2
		numExtensions++
	}
	if len(m.serverName) > 0 {
		extensionsLength += 5 + len(m.serverName)
		numExtensions++
	}
	if len(m.supportedCurves) > 0 {
		extensionsLength += 2 + 2*len(m.supportedCurves)
		numExtensions++
	}
	if len(m.supportedPoints) > 0 {
		extensionsLength += 1 + len(m.supportedPoints)
		numExtensions++
	}
	if m.ticketSupported {
		extensionsLength += len(m.sessionTicket)
		numExtensions++
	}
	if len(m.supportedSignatureAlgorithms) > 0 {
		extensionsLength += 2 + 2*len(m.supportedSignatureAlgorithms)
		numExtensions++
	}
	if m.getSignatureAlgorithmsCert() != nil {
		extensionsLength += 2 + 2*len(m.getSignatureAlgorithmsCert())
		numExtensions++
	}
	if m.secureRenegotiationSupported {
		extensionsLength += 1 + len(m.secureRenegotiation)
		numExtensions++
	}
	if len(m.alpnProtocols) > 0 {
		extensionsLength += 2
		for _, s := range m.alpnProtocols {
			if l := len(s); l == 0 || l > 255 {
				panic("invalid ALPN protocol")
			}
			extensionsLength++
			extensionsLength += len(s)
		}
		numExtensions++
	}
	if m.scts {
		numExtensions++
	}
	if len(m.keyShares) > 0 {
		extensionsLength += 2
		for _, k := range m.keyShares {
			extensionsLength += 4 + len(k.data)
		}
		numExtensions++
	}
	if len(m.supportedVersions) > 0 {
		extensionsLength += 1 + 2*len(m.supportedVersions)
		numExtensions++
	}
	if m.earlyData {
		numExtensions++
	}
	if m.delegatedCredential {
		numExtensions++
	}
	if m.extendedMSSupported {
		numExtensions++
	}
	if numExtensions > 0 {
		extensionsLength += 4 * numExtensions
		length += 2 + extensionsLength
	}

	x := make([]byte, 4+length)
	x[0] = typeClientHello
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	x[4] = uint8(m.vers >> 8)
	x[5] = uint8(m.vers)
	copy(x[6:38], m.random)
	x[38] = uint8(len(m.sessionId))
	copy(x[39:39+len(m.sessionId)], m.sessionId)
	y := x[39+len(m.sessionId):]
	y[0] = uint8(len(m.cipherSuites) >> 7)
	y[1] = uint8(len(m.cipherSuites) << 1)
	for i, suite := range m.cipherSuites {
		y[2+i*2] = uint8(suite >> 8)
		y[3+i*2] = uint8(suite)
	}
	z := y[2+len(m.cipherSuites)*2:]
	z[0] = uint8(len(m.compressionMethods))
	copy(z[1:], m.compressionMethods)

	z = z[1+len(m.compressionMethods):]
	if numExtensions > 0 {
		z[0] = byte(extensionsLength >> 8)
		z[1] = byte(extensionsLength)
		z = z[2:]
	}
	if m.nextProtoNeg {
		z[0] = byte(extensionNextProtoNeg >> 8)
		z[1] = byte(extensionNextProtoNeg & 0xff)
		// The length is always 0
		z = z[4:]
	}
	if len(m.serverName) > 0 {
		z[0] = byte(extensionServerName >> 8)
		z[1] = byte(extensionServerName & 0xff)
		l := len(m.serverName) + 5
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		z = z[4:]

		// RFC 3546, section 3.1
		//
		// struct {
		//     NameType name_type;
		//     select (name_type) {
		//         case host_name: HostName;
		//     } name;
		// } ServerName;
		//
		// enum {
		//     host_name(0), (255)
		// } NameType;
		//
		// opaque HostName<1..2^16-1>;
		//
		// struct {
		//     ServerName server_name_list<1..2^16-1>
		// } ServerNameList;

		z[0] = byte((len(m.serverName) + 3) >> 8)
		z[1] = byte(len(m.serverName) + 3)
		z[3] = byte(len(m.serverName) >> 8)
		z[4] = byte(len(m.serverName))
		copy(z[5:], []byte(m.serverName))
		z = z[l:]
	}
	if m.ocspStapling {
		// RFC 4366, section 3.6
		z[0] = byte(extensionStatusRequest >> 8)
		z[1] = byte(extensionStatusRequest)
		z[2] = 0
		z[3] = 5
		z[4] = 1 // OCSP type
		// Two zero valued uint16s for the two lengths.
		z = z[9:]
	}
	if len(m.supportedCurves) > 0 {
		// http://tools.ietf.org/html/rfc4492#section-5.5.1
		// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
		z[0] = byte(extensionSupportedCurves >> 8)
		z[1] = byte(extensionSupportedCurves)
		l := 2 + 2*len(m.supportedCurves)
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		l -= 2
		z[4] = byte(l >> 8)
		z[5] = byte(l)
		z = z[6:]
		for _, curve := range m.supportedCurves {
			z[0] = byte(curve >> 8)
			z[1] = byte(curve)
			z = z[2:]
		}
	}
	if len(m.supportedPoints) > 0 {
		// http://tools.ietf.org/html/rfc4492#section-5.5.2
		z[0] = byte(extensionSupportedPoints >> 8)
		z[1] = byte(extensionSupportedPoints)
		l := 1 + len(m.supportedPoints)
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		l--
		z[4] = byte(l)
		z = z[5:]
		for _, pointFormat := range m.supportedPoints {
			z[0] = pointFormat
			z = z[1:]
		}
	}
	if m.ticketSupported {
		// http://tools.ietf.org/html/rfc5077#section-3.2
		z[0] = byte(extensionSessionTicket >> 8)
		z[1] = byte(extensionSessionTicket)
		l := len(m.sessionTicket)
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		z = z[4:]
		copy(z, m.sessionTicket)
		z = z[len(m.sessionTicket):]
	}

	if len(m.supportedSignatureAlgorithms) > 0 {
		z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithms, z, m.supportedSignatureAlgorithms)
	}
	if m.getSignatureAlgorithmsCert() != nil {
		// Ensure only one list of algorithms is sent if supported_algorithms and supported_algorithms_cert are the same
		z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithmsCert, z, m.getSignatureAlgorithmsCert())
	}

	if m.secureRenegotiationSupported {
		z[0] = byte(extensionRenegotiationInfo >> 8)
		z[1] = byte(extensionRenegotiationInfo & 0xff)
		z[2] = 0
		z[3] = byte(len(m.secureRenegotiation) + 1)
		z[4] = byte(len(m.secureRenegotiation))
		z = z[5:]
		copy(z, m.secureRenegotiation)
		z = z[len(m.secureRenegotiation):]
	}
	if len(m.alpnProtocols) > 0 {
		z[0] = byte(extensionALPN >> 8)
		z[1] = byte(extensionALPN & 0xff)
		lengths := z[2:]
		z = z[6:]

		stringsLength := 0
		for _, s := range m.alpnProtocols {
			l := len(s)
			z[0] = byte(l)
			copy(z[1:], s)
			z = z[1+l:]
			stringsLength += 1 + l
		}

		lengths[2] = byte(stringsLength >> 8)
		lengths[3] = byte(stringsLength)
		stringsLength += 2
		lengths[0] = byte(stringsLength >> 8)
		lengths[1] = byte(stringsLength)
	}
	if m.scts {
		// https://tools.ietf.org/html/rfc6962#section-3.3.1
		z[0] = byte(extensionSCT >> 8)
		z[1] = byte(extensionSCT)
		// zero uint16 for the zero-length extension_data
		z = z[4:]
	}
	if len(m.keyShares) > 0 {
		// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.5
		z[0] = byte(extensionKeyShare >> 8)
		z[1] = byte(extensionKeyShare)
		lengths := z[2:]
		z = z[6:]

		totalLength := 0
		for _, ks := range m.keyShares {
			z[0] = byte(ks.group >> 8)
			z[1] = byte(ks.group)
			z[2] = byte(len(ks.data) >> 8)
			z[3] = byte(len(ks.data))
			copy(z[4:], ks.data)
			z = z[4+len(ks.data):]
			totalLength += 4 + len(ks.data)
		}

		lengths[2] = byte(totalLength >> 8)
		lengths[3] = byte(totalLength)
		totalLength += 2
		lengths[0] = byte(totalLength >> 8)
		lengths[1] = byte(totalLength)
	}
	if len(m.supportedVersions) > 0 {
		z[0] = byte(extensionSupportedVersions >> 8)
		z[1] = byte(extensionSupportedVersions)
		l := 1 + 2*len(m.supportedVersions)
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		l -= 1
		z[4] = byte(l)
		z = z[5:]
		for _, v := range m.supportedVersions {
			z[0] = byte(v >> 8)
			z[1] = byte(v)
			z = z[2:]
		}
	}
	if m.earlyData {
		z[0] = byte(extensionEarlyData >> 8)
		z[1] = byte(extensionEarlyData)
		z = z[4:]
	}
	if m.delegatedCredential {
		binary.BigEndian.PutUint16(z, extensionDelegatedCredential)
		z = z[4:]
	}
	if m.extendedMSSupported {
		binary.BigEndian.PutUint16(z, extensionEMS)
		z = z[4:]
	}

	m.raw = x

	return x
}

func (m *clientHelloMsg) unmarshal(data []byte) alert {
	if len(data) < 42 {
		return alertDecodeError
	}
	m.raw = data
	m.vers = uint16(data[4])<<8 | uint16(data[5])
	m.random = data[6:38]
	sessionIdLen := int(data[38])
	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
		return alertDecodeError
	}
	m.sessionId = data[39 : 39+sessionIdLen]
	data = data[39+sessionIdLen:]
	bindersOffset := 39 + sessionIdLen
	if len(data) < 2 {
		return alertDecodeError
	}
	// cipherSuiteLen is the number of bytes of cipher suite numbers. Since
	// they are uint16s, the number must be even.
	cipherSuiteLen := int(data[0])<<8 | int(data[1])
	if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
		return alertDecodeError
	}
	numCipherSuites := cipherSuiteLen / 2
	m.cipherSuites = make([]uint16, numCipherSuites)
	for i := 0; i < numCipherSuites; i++ {
		m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
		if m.cipherSuites[i] == scsvRenegotiation {
			m.secureRenegotiationSupported = true
		}
	}
	data = data[2+cipherSuiteLen:]
	bindersOffset += 2 + cipherSuiteLen
	if len(data) < 1 {
		return alertDecodeError
	}
	compressionMethodsLen := int(data[0])
	if len(data) < 1+compressionMethodsLen {
		return alertDecodeError
	}
	m.compressionMethods = data[1 : 1+compressionMethodsLen]

	data = data[1+compressionMethodsLen:]
	bindersOffset += 1 + compressionMethodsLen

	m.nextProtoNeg = false
	m.serverName = ""
	m.ocspStapling = false
	m.ticketSupported = false
	m.sessionTicket = nil
	m.supportedSignatureAlgorithms = nil
	m.alpnProtocols = nil
	m.scts = false
	m.keyShares = nil
	m.supportedVersions = nil
	m.psks = nil
	m.pskKeyExchangeModes = nil
	m.earlyData = false
	m.delegatedCredential = false
	m.extendedMSSupported = false

	if len(data) == 0 {
		// ClientHello is optionally followed by extension data
		return alertSuccess
	}
	if len(data) < 2 {
		return alertDecodeError
	}

	extensionsLength := int(data[0])<<8 | int(data[1])
	data = data[2:]
	bindersOffset += 2
	if extensionsLength != len(data) {
		return alertDecodeError
	}

	for len(data) != 0 {
		if len(data) < 4 {
			return alertDecodeError
		}
		extension := uint16(data[0])<<8 | uint16(data[1])
		length := int(data[2])<<8 | int(data[3])
		data = data[4:]
		bindersOffset += 4
		if len(data) < length {
			return alertDecodeError
		}

		switch extension {
		case extensionServerName:
			d := data[:length]
			if len(d) < 2 {
				return alertDecodeError
			}
			namesLen := int(d[0])<<8 | int(d[1])
			d = d[2:]
			if len(d) != namesLen {
				return alertDecodeError
			}
			for len(d) > 0 {
				if len(d) < 3 {
					return alertDecodeError
				}
				nameType := d[0]
				nameLen := int(d[1])<<8 | int(d[2])
				d = d[3:]
				if len(d) < nameLen {
					return alertDecodeError
				}
				if nameType == 0 {
					m.serverName = string(d[:nameLen])
					// An SNI value may not include a
					// trailing dot. See
					// https://tools.ietf.org/html/rfc6066#section-3.
					if strings.HasSuffix(m.serverName, ".") {
						// TODO use alertDecodeError?
						return alertUnexpectedMessage
					}
					break
				}
				d = d[nameLen:]
			}
		case extensionNextProtoNeg:
			if length > 0 {
				return alertDecodeError
			}
			m.nextProtoNeg = true
		case extensionStatusRequest:
			m.ocspStapling = length > 0 && data[0] == statusTypeOCSP
		case extensionSupportedCurves:
			// http://tools.ietf.org/html/rfc4492#section-5.5.1
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.4
			if length < 2 {
				return alertDecodeError
			}
			l := int(data[0])<<8 | int(data[1])
			if l%2 == 1 || length != l+2 {
				return alertDecodeError
			}
			numCurves := l / 2
			m.supportedCurves = make([]CurveID, numCurves)
			d := data[2:]
			for i := 0; i < numCurves; i++ {
				m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1])
				d = d[2:]
			}
		case extensionSupportedPoints:
			// http://tools.ietf.org/html/rfc4492#section-5.5.2
			if length < 1 {
				return alertDecodeError
			}
			l := int(data[0])
			if length != l+1 {
				return alertDecodeError
			}
			m.supportedPoints = make([]uint8, l)
			copy(m.supportedPoints, data[1:])
		case extensionSessionTicket:
			// http://tools.ietf.org/html/rfc5077#section-3.2
			m.ticketSupported = true
			m.sessionTicket = data[:length]
		case extensionSignatureAlgorithms:
			// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.3
			if length < 2 || length&1 != 0 {
				return alertDecodeError
			}
			l := int(data[0])<<8 | int(data[1])
			if l != length-2 {
				return alertDecodeError
			}
			n := l / 2
			d := data[2:]
			m.supportedSignatureAlgorithms = make([]SignatureScheme, n)
			for i := range m.supportedSignatureAlgorithms {
				m.supportedSignatureAlgorithms[i] = SignatureScheme(d[0])<<8 | SignatureScheme(d[1])
				d = d[2:]
			}
		case extensionRenegotiationInfo:
			if length == 0 {
				return alertDecodeError
			}
			d := data[:length]
			l := int(d[0])
			d = d[1:]
			if l != len(d) {
				return alertDecodeError
			}

			m.secureRenegotiation = d
			m.secureRenegotiationSupported = true
		case extensionALPN:
			if length < 2 {
				return alertDecodeError
			}
			l := int(data[0])<<8 | int(data[1])
			if l != length-2 {
				return alertDecodeError
			}
			d := data[2:length]
			for len(d) != 0 {
				stringLen := int(d[0])
				d = d[1:]
				if stringLen == 0 || stringLen > len(d) {
					return alertDecodeError
				}
				m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen]))
				d = d[stringLen:]
			}
		case extensionSCT:
			m.scts = true
			if length != 0 {
				return alertDecodeError
			}
		case extensionKeyShare:
			// https://tools.ietf.org/html/rfc8446#section-4.2.8
			if length < 2 {
				return alertDecodeError
			}
			l := int(data[0])<<8 | int(data[1])
			if l != length-2 {
				return alertDecodeError
			}
			d := data[2:length]
			for len(d) != 0 {
				if len(d) < 4 {
					return alertDecodeError
				}
				dataLen := int(d[2])<<8 | int(d[3])
				if dataLen == 0 || 4+dataLen > len(d) {
					return alertDecodeError
				}
				m.keyShares = append(m.keyShares, keyShare{
					group: CurveID(d[0])<<8 | CurveID(d[1]),
					data:  d[4 : 4+dataLen],
				})
				d = d[4+dataLen:]
			}
		case extensionSupportedVersions:
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.1
			if length < 1 {
				return alertDecodeError
			}
			l := int(data[0])
			if l%2 == 1 || length != l+1 {
				return alertDecodeError
			}
			n := l / 2
			d := data[1:]
			for i := 0; i < n; i++ {
				v := uint16(d[0])<<8 + uint16(d[1])
				m.supportedVersions = append(m.supportedVersions, v)
				d = d[2:]
			}
		case extensionPreSharedKey:
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.6
			if length < 2 {
				return alertDecodeError
			}
			// Ensure this extension is the last one in the Client Hello
			if len(data) != length {
				return alertIllegalParameter
			}
			li := int(data[0])<<8 | int(data[1])
			if 2+li+2 > length {
				return alertDecodeError
			}
			d := data[2 : 2+li]
			bindersOffset += 2 + li
			for len(d) > 0 {
				if len(d) < 6 {
					return alertDecodeError
				}
				l := int(d[0])<<8 | int(d[1])
				if len(d) < 2+l+4 {
					return alertDecodeError
				}
				m.psks = append(m.psks, psk{
					identity: d[2 : 2+l],
					obfTicketAge: uint32(d[l+2])<<24 | uint32(d[l+3])<<16 |
						uint32(d[l+4])<<8 | uint32(d[l+5]),
				})
				d = d[2+l+4:]
			}
			lb := int(data[li+2])<<8 | int(data[li+3])
			d = data[2+li+2:]
			if lb != len(d) || lb == 0 {
				return alertDecodeError
			}
			i := 0
			for len(d) > 0 {
				if i >= len(m.psks) {
					return alertIllegalParameter
				}
				if len(d) < 1 {
					return alertDecodeError
				}
				l := int(d[0])
				if l > len(d)-1 {
					return alertDecodeError
				}
				if i >= len(m.psks) {
					return alertIllegalParameter
				}
				m.psks[i].binder = d[1 : 1+l]
				d = d[1+l:]
				i++
			}
			if i != len(m.psks) {
				return alertIllegalParameter
			}
			m.rawTruncated = m.raw[:bindersOffset]
		case extensionPSKKeyExchangeModes:
			if length < 2 {
				return alertDecodeError
			}
			l := int(data[0])
			if length != l+1 {
				return alertDecodeError
			}
			m.pskKeyExchangeModes = data[1:length]
		case extensionEarlyData:
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
			m.earlyData = true
		case extensionDelegatedCredential:
			// https://tools.ietf.org/html/draft-ietf-tls-subcerts-02
			m.delegatedCredential = true
		case extensionEMS:
			// RFC 7627
			m.extendedMSSupported = true
			if length != 0 {
				return alertDecodeError
			}
		}
		data = data[length:]
		bindersOffset += length
	}

	return alertSuccess
}

func (m *clientHelloMsg) getSignatureAlgorithmsCert() []SignatureScheme {
	return signAlgosCertList(m.supportedSignatureAlgorithms, m.supportedSignatureAlgorithmsCert)
}

type serverHelloMsg struct {
	raw                          []byte
	vers                         uint16
	random                       []byte
	sessionId                    []byte
	cipherSuite                  uint16
	compressionMethod            uint8
	nextProtoNeg                 bool
	nextProtos                   []string
	ocspStapling                 bool
	scts                         [][]byte
	ticketSupported              bool
	secureRenegotiation          []byte
	secureRenegotiationSupported bool
	alpnProtocol                 string

	// TLS 1.3
	keyShare    keyShare
	psk         bool
	pskIdentity uint16

	// RFC7627
	extendedMSSupported bool
}

func (m *serverHelloMsg) equal(i interface{}) bool {
	m1, ok := i.(*serverHelloMsg)
	if !ok {
		return false
	}

	if len(m.scts) != len(m1.scts) {
		return false
	}
	for i, sct := range m.scts {
		if !bytes.Equal(sct, m1.scts[i]) {
			return false
		}
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.vers == m1.vers &&
		bytes.Equal(m.random, m1.random) &&
		bytes.Equal(m.sessionId, m1.sessionId) &&
		m.cipherSuite == m1.cipherSuite &&
		m.compressionMethod == m1.compressionMethod &&
		m.nextProtoNeg == m1.nextProtoNeg &&
		eqStrings(m.nextProtos, m1.nextProtos) &&
		m.ocspStapling == m1.ocspStapling &&
		m.ticketSupported == m1.ticketSupported &&
		m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
		m.alpnProtocol == m1.alpnProtocol &&
		m.keyShare.group == m1.keyShare.group &&
		bytes.Equal(m.keyShare.data, m1.keyShare.data) &&
		m.psk == m1.psk &&
		m.pskIdentity == m1.pskIdentity &&
		m.extendedMSSupported == m1.extendedMSSupported
}

func (m *serverHelloMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}

	length := 38 + len(m.sessionId)
	numExtensions := 0
	extensionsLength := 0

	nextProtoLen := 0
	if m.nextProtoNeg {
		numExtensions++
		for _, v := range m.nextProtos {
			nextProtoLen += len(v)
		}
		nextProtoLen += len(m.nextProtos)
		extensionsLength += nextProtoLen
	}
	if m.ocspStapling {
		numExtensions++
	}
	if m.ticketSupported {
		numExtensions++
	}
	if m.secureRenegotiationSupported {
		extensionsLength += 1 + len(m.secureRenegotiation)
		numExtensions++
	}
	if m.extendedMSSupported {
		numExtensions++
	}
	if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
		if alpnLen >= 256 {
			panic("invalid ALPN protocol")
		}
		extensionsLength += 2 + 1 + alpnLen
		numExtensions++
	}
	sctLen := 0
	if len(m.scts) > 0 {
		for _, sct := range m.scts {
			sctLen += len(sct) + 2
		}
		extensionsLength += 2 + sctLen
		numExtensions++
	}
	if m.keyShare.group != 0 {
		extensionsLength += 4 + len(m.keyShare.data)
		numExtensions++
	}
	if m.psk {
		extensionsLength += 2
		numExtensions++
	}
	// supported_versions extension
	if m.vers >= VersionTLS13 {
		extensionsLength += 2
		numExtensions++
	}

	if numExtensions > 0 {
		extensionsLength += 4 * numExtensions
		length += 2 + extensionsLength
	}

	x := make([]byte, 4+length)
	x[0] = typeServerHello
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	if m.vers >= VersionTLS13 {
		x[4] = 3
		x[5] = 3
	} else {
		x[4] = uint8(m.vers >> 8)
		x[5] = uint8(m.vers)
	}
	copy(x[6:38], m.random)
	z := x[38:]
	x[38] = uint8(len(m.sessionId))
	copy(x[39:39+len(m.sessionId)], m.sessionId)
	z = x[39+len(m.sessionId):]
	z[0] = uint8(m.cipherSuite >> 8)
	z[1] = uint8(m.cipherSuite)
	z[2] = m.compressionMethod
	z = z[3:]

	if numExtensions > 0 {
		z[0] = byte(extensionsLength >> 8)
		z[1] = byte(extensionsLength)
		z = z[2:]
	}
	if m.vers >= VersionTLS13 {
		z[0] = byte(extensionSupportedVersions >> 8)
		z[1] = byte(extensionSupportedVersions)
		z[3] = 2
		z[4] = uint8(m.vers >> 8)
		z[5] = uint8(m.vers)
		z = z[6:]
	}
	if m.nextProtoNeg {
		z[0] = byte(extensionNextProtoNeg >> 8)
		z[1] = byte(extensionNextProtoNeg & 0xff)
		z[2] = byte(nextProtoLen >> 8)
		z[3] = byte(nextProtoLen)
		z = z[4:]

		for _, v := range m.nextProtos {
			l := len(v)
			if l > 255 {
				l = 255
			}
			z[0] = byte(l)
			copy(z[1:], []byte(v[0:l]))
			z = z[1+l:]
		}
	}
	if m.ocspStapling {
		z[0] = byte(extensionStatusRequest >> 8)
		z[1] = byte(extensionStatusRequest)
		z = z[4:]
	}
	if m.ticketSupported {
		z[0] = byte(extensionSessionTicket >> 8)
		z[1] = byte(extensionSessionTicket)
		z = z[4:]
	}
	if m.secureRenegotiationSupported {
		z[0] = byte(extensionRenegotiationInfo >> 8)
		z[1] = byte(extensionRenegotiationInfo & 0xff)
		z[2] = 0
		z[3] = byte(len(m.secureRenegotiation) + 1)
		z[4] = byte(len(m.secureRenegotiation))
		z = z[5:]
		copy(z, m.secureRenegotiation)
		z = z[len(m.secureRenegotiation):]
	}
	if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
		z[0] = byte(extensionALPN >> 8)
		z[1] = byte(extensionALPN & 0xff)
		l := 2 + 1 + alpnLen
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		l -= 2
		z[4] = byte(l >> 8)
		z[5] = byte(l)
		l -= 1
		z[6] = byte(l)
		copy(z[7:], []byte(m.alpnProtocol))
		z = z[7+alpnLen:]
	}
	if sctLen > 0 {
		z[0] = byte(extensionSCT >> 8)
		z[1] = byte(extensionSCT)
		l := sctLen + 2
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		z[4] = byte(sctLen >> 8)
		z[5] = byte(sctLen)

		z = z[6:]
		for _, sct := range m.scts {
			z[0] = byte(len(sct) >> 8)
			z[1] = byte(len(sct))
			copy(z[2:], sct)
			z = z[len(sct)+2:]
		}
	}
	if m.keyShare.group != 0 {
		z[0] = uint8(extensionKeyShare >> 8)
		z[1] = uint8(extensionKeyShare)
		l := 4 + len(m.keyShare.data)
		z[2] = uint8(l >> 8)
		z[3] = uint8(l)
		z[4] = uint8(m.keyShare.group >> 8)
		z[5] = uint8(m.keyShare.group)
		l -= 4
		z[6] = uint8(l >> 8)
		z[7] = uint8(l)
		copy(z[8:], m.keyShare.data)
		z = z[8+l:]
	}

	if m.psk {
		z[0] = byte(extensionPreSharedKey >> 8)
		z[1] = byte(extensionPreSharedKey)
		z[3] = 2
		z[4] = byte(m.pskIdentity >> 8)
		z[5] = byte(m.pskIdentity)
		z = z[6:]
	}
	if m.extendedMSSupported {
		binary.BigEndian.PutUint16(z, extensionEMS)
		z = z[4:]
	}

	m.raw = x

	return x
}

func (m *serverHelloMsg) unmarshal(data []byte) alert {
	if len(data) < 42 {
		return alertDecodeError
	}
	m.raw = data
	m.vers = uint16(data[4])<<8 | uint16(data[5])
	m.random = data[6:38]
	sessionIdLen := int(data[38])
	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
		return alertDecodeError
	}
	m.sessionId = data[39 : 39+sessionIdLen]
	data = data[39+sessionIdLen:]
	if len(data) < 3 {
		return alertDecodeError
	}
	m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
	m.compressionMethod = data[2]
	data = data[3:]

	m.nextProtoNeg = false
	m.nextProtos = nil
	m.ocspStapling = false
	m.scts = nil
	m.ticketSupported = false
	m.alpnProtocol = ""
	m.keyShare.group = 0
	m.keyShare.data = nil
	m.psk = false
	m.pskIdentity = 0
	m.extendedMSSupported = false

	if len(data) == 0 {
		// ServerHello is optionally followed by extension data
		return alertSuccess
	}
	if len(data) < 2 {
		return alertDecodeError
	}

	extensionsLength := int(data[0])<<8 | int(data[1])
	data = data[2:]
	if len(data) != extensionsLength {
		return alertDecodeError
	}

	svData := findExtension(data, extensionSupportedVersions)
	if svData != nil {
		if len(svData) != 2 {
			return alertDecodeError
		}
		if m.vers != VersionTLS12 {
			return alertDecodeError
		}
		rcvVer := binary.BigEndian.Uint16(svData[0:])
		if rcvVer < VersionTLS13 {
			return alertIllegalParameter
		}
		m.vers = rcvVer
	}

	for len(data) != 0 {
		if len(data) < 4 {
			return alertDecodeError
		}
		extension := uint16(data[0])<<8 | uint16(data[1])
		length := int(data[2])<<8 | int(data[3])
		data = data[4:]
		if len(data) < length {
			return alertDecodeError
		}

		switch extension {
		case extensionNextProtoNeg:
			m.nextProtoNeg = true
			d := data[:length]
			for len(d) > 0 {
				l := int(d[0])
				d = d[1:]
				if l == 0 || l > len(d) {
					return alertDecodeError
				}
				m.nextProtos = append(m.nextProtos, string(d[:l]))
				d = d[l:]
			}
		case extensionStatusRequest:
			if length > 0 {
				return alertDecodeError
			}
			m.ocspStapling = true
		case extensionSessionTicket:
			if length > 0 {
				return alertDecodeError
			}
			m.ticketSupported = true
		case extensionRenegotiationInfo:
			if length == 0 {
				return alertDecodeError
			}
			d := data[:length]
			l := int(d[0])
			d = d[1:]
			if l != len(d) {
				return alertDecodeError
			}

			m.secureRenegotiation = d
			m.secureRenegotiationSupported = true
		case extensionALPN:
			d := data[:length]
			if len(d) < 3 {
				return alertDecodeError
			}
			l := int(d[0])<<8 | int(d[1])
			if l != len(d)-2 {
				return alertDecodeError
			}
			d = d[2:]
			l = int(d[0])
			if l != len(d)-1 {
				return alertDecodeError
			}
			d = d[1:]
			if len(d) == 0 {
				// ALPN protocols must not be empty.
				return alertDecodeError
			}
			m.alpnProtocol = string(d)
		case extensionSCT:
			d := data[:length]

			if len(d) < 2 {
				return alertDecodeError
			}
			l := int(d[0])<<8 | int(d[1])
			d = d[2:]
			if len(d) != l || l == 0 {
				return alertDecodeError
			}

			m.scts = make([][]byte, 0, 3)
			for len(d) != 0 {
				if len(d) < 2 {
					return alertDecodeError
				}
				sctLen := int(d[0])<<8 | int(d[1])
				d = d[2:]
				if sctLen == 0 || len(d) < sctLen {
					return alertDecodeError
				}
				m.scts = append(m.scts, d[:sctLen])
				d = d[sctLen:]
			}
		case extensionKeyShare:
			d := data[:length]

			if len(d) < 4 {
				return alertDecodeError
			}
			m.keyShare.group = CurveID(d[0])<<8 | CurveID(d[1])
			l := int(d[2])<<8 | int(d[3])
			d = d[4:]
			if len(d) != l {
				return alertDecodeError
			}
			m.keyShare.data = d[:l]
		case extensionPreSharedKey:
			if length != 2 {
				return alertDecodeError
			}
			m.psk = true
			m.pskIdentity = uint16(data[0])<<8 | uint16(data[1])
		case extensionEMS:
			m.extendedMSSupported = true
		}
		data = data[length:]
	}

	return alertSuccess
}

type encryptedExtensionsMsg struct {
	raw          []byte
	alpnProtocol string
	earlyData    bool
}

func (m *encryptedExtensionsMsg) equal(i interface{}) bool {
	m1, ok := i.(*encryptedExtensionsMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.alpnProtocol == m1.alpnProtocol &&
		m.earlyData == m1.earlyData
}

func (m *encryptedExtensionsMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}

	length := 2

	if m.earlyData {
		length += 4
	}
	alpnLen := len(m.alpnProtocol)
	if alpnLen > 0 {
		if alpnLen >= 256 {
			panic("invalid ALPN protocol")
		}
		length += 2 + 2 + 2 + 1 + alpnLen
	}

	x := make([]byte, 4+length)
	x[0] = typeEncryptedExtensions
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	length -= 2
	x[4] = uint8(length >> 8)
	x[5] = uint8(length)

	z := x[6:]
	if alpnLen > 0 {
		z[0] = byte(extensionALPN >> 8)
		z[1] = byte(extensionALPN)
		l := 2 + 1 + alpnLen
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		l -= 2
		z[4] = byte(l >> 8)
		z[5] = byte(l)
		l -= 1
		z[6] = byte(l)
		copy(z[7:], []byte(m.alpnProtocol))
		z = z[7+alpnLen:]
	}

	if m.earlyData {
		z[0] = byte(extensionEarlyData >> 8)
		z[1] = byte(extensionEarlyData)
		z = z[4:]
	}

	m.raw = x
	return x
}

func (m *encryptedExtensionsMsg) unmarshal(data []byte) alert {
	if len(data) < 6 {
		return alertDecodeError
	}
	m.raw = data

	m.alpnProtocol = ""
	m.earlyData = false

	extensionsLength := int(data[4])<<8 | int(data[5])
	data = data[6:]
	if len(data) != extensionsLength {
		return alertDecodeError
	}

	for len(data) != 0 {
		if len(data) < 4 {
			return alertDecodeError
		}
		extension := uint16(data[0])<<8 | uint16(data[1])
		length := int(data[2])<<8 | int(data[3])
		data = data[4:]
		if len(data) < length {
			return alertDecodeError
		}

		switch extension {
		case extensionALPN:
			d := data[:length]
			if len(d) < 3 {
				return alertDecodeError
			}
			l := int(d[0])<<8 | int(d[1])
			if l != len(d)-2 {
				return alertDecodeError
			}
			d = d[2:]
			l = int(d[0])
			if l != len(d)-1 {
				return alertDecodeError
			}
			d = d[1:]
			if len(d) == 0 {
				// ALPN protocols must not be empty.
				return alertDecodeError
			}
			m.alpnProtocol = string(d)
		case extensionEarlyData:
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-18#section-4.2.8
			m.earlyData = true
		}

		data = data[length:]
	}

	return alertSuccess
}

type certificateMsg struct {
	raw          []byte
	certificates [][]byte
}

func (m *certificateMsg) equal(i interface{}) bool {
	m1, ok := i.(*certificateMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		eqByteSlices(m.certificates, m1.certificates)
}

func (m *certificateMsg) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	var i int
	for _, slice := range m.certificates {
		i += len(slice)
	}

	length := 3 + 3*len(m.certificates) + i
	x = make([]byte, 4+length)
	x[0] = typeCertificate
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)

	certificateOctets := length - 3
	x[4] = uint8(certificateOctets >> 16)
	x[5] = uint8(certificateOctets >> 8)
	x[6] = uint8(certificateOctets)

	y := x[7:]
	for _, slice := range m.certificates {
		y[0] = uint8(len(slice) >> 16)
		y[1] = uint8(len(slice) >> 8)
		y[2] = uint8(len(slice))
		copy(y[3:], slice)
		y = y[3+len(slice):]
	}

	m.raw = x
	return
}

func (m *certificateMsg) unmarshal(data []byte) alert {
	if len(data) < 7 {
		return alertDecodeError
	}

	m.raw = data
	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
	if uint32(len(data)) != certsLen+7 {
		return alertDecodeError
	}

	numCerts := 0
	d := data[7:]
	for certsLen > 0 {
		if len(d) < 4 {
			return alertDecodeError
		}
		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
		if uint32(len(d)) < 3+certLen {
			return alertDecodeError
		}
		d = d[3+certLen:]
		certsLen -= 3 + certLen
		numCerts++
	}

	m.certificates = make([][]byte, numCerts)
	d = data[7:]
	for i := 0; i < numCerts; i++ {
		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
		m.certificates[i] = d[3 : 3+certLen]
		d = d[3+certLen:]
	}

	return alertSuccess
}

type certificateEntry struct {
	data                []byte
	ocspStaple          []byte
	sctList             [][]byte
	delegatedCredential []byte
}

type certificateMsg13 struct {
	raw            []byte
	requestContext []byte
	certificates   []certificateEntry
}

func (m *certificateMsg13) equal(i interface{}) bool {
	m1, ok := i.(*certificateMsg13)
	if !ok {
		return false
	}

	if len(m.certificates) != len(m1.certificates) {
		return false
	}
	for i, _ := range m.certificates {
		ok := bytes.Equal(m.certificates[i].data, m1.certificates[i].data)
		ok = ok && bytes.Equal(m.certificates[i].ocspStaple, m1.certificates[i].ocspStaple)
		ok = ok && eqByteSlices(m.certificates[i].sctList, m1.certificates[i].sctList)
		ok = ok && bytes.Equal(m.certificates[i].delegatedCredential, m1.certificates[i].delegatedCredential)
		if !ok {
			return false
		}
	}

	return bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.requestContext, m1.requestContext)
}

func (m *certificateMsg13) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	var i int
	for _, cert := range m.certificates {
		i += len(cert.data)
		if len(cert.ocspStaple) != 0 {
			i += 8 + len(cert.ocspStaple)
		}
		if len(cert.sctList) != 0 {
			i += 6
			for _, sct := range cert.sctList {
				i += 2 + len(sct)
			}
		}
		if len(cert.delegatedCredential) != 0 {
			i += 4 + len(cert.delegatedCredential)
		}
	}

	length := 3 + 3*len(m.certificates) + i
	length += 2 * len(m.certificates) // extensions
	length += 1 + len(m.requestContext)
	x = make([]byte, 4+length)
	x[0] = typeCertificate
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)

	z := x[4:]

	z[0] = byte(len(m.requestContext))
	copy(z[1:], m.requestContext)
	z = z[1+len(m.requestContext):]

	certificateOctets := len(z) - 3
	z[0] = uint8(certificateOctets >> 16)
	z[1] = uint8(certificateOctets >> 8)
	z[2] = uint8(certificateOctets)

	z = z[3:]
	for _, cert := range m.certificates {
		z[0] = uint8(len(cert.data) >> 16)
		z[1] = uint8(len(cert.data) >> 8)
		z[2] = uint8(len(cert.data))
		copy(z[3:], cert.data)
		z = z[3+len(cert.data):]

		extLenPos := z[:2]
		z = z[2:]

		extensionLen := 0
		if len(cert.ocspStaple) != 0 {
			stapleLen := 4 + len(cert.ocspStaple)
			z[0] = uint8(extensionStatusRequest >> 8)
			z[1] = uint8(extensionStatusRequest)
			z[2] = uint8(stapleLen >> 8)
			z[3] = uint8(stapleLen)

			stapleLen -= 4
			z[4] = statusTypeOCSP
			z[5] = uint8(stapleLen >> 16)
			z[6] = uint8(stapleLen >> 8)
			z[7] = uint8(stapleLen)
			copy(z[8:], cert.ocspStaple)
			z = z[8+stapleLen:]

			extensionLen += 8 + stapleLen
		}
		if len(cert.sctList) != 0 {
			z[0] = uint8(extensionSCT >> 8)
			z[1] = uint8(extensionSCT)
			sctLenPos := z[2:6]
			z = z[6:]
			extensionLen += 6

			sctLen := 2
			for _, sct := range cert.sctList {
				z[0] = uint8(len(sct) >> 8)
				z[1] = uint8(len(sct))
				copy(z[2:], sct)
				z = z[2+len(sct):]

				extensionLen += 2 + len(sct)
				sctLen += 2 + len(sct)
			}
			sctLenPos[0] = uint8(sctLen >> 8)
			sctLenPos[1] = uint8(sctLen)
			sctLen -= 2
			sctLenPos[2] = uint8(sctLen >> 8)
			sctLenPos[3] = uint8(sctLen)
		}
		if len(cert.delegatedCredential) != 0 {
			binary.BigEndian.PutUint16(z, extensionDelegatedCredential)
			binary.BigEndian.PutUint16(z[2:], uint16(len(cert.delegatedCredential)))
			z = z[4:]
			copy(z, cert.delegatedCredential)
			z = z[len(cert.delegatedCredential):]
			extensionLen += 4 + len(cert.delegatedCredential)
		}

		extLenPos[0] = uint8(extensionLen >> 8)
		extLenPos[1] = uint8(extensionLen)
	}

	m.raw = x
	return
}

func (m *certificateMsg13) unmarshal(data []byte) alert {
	if len(data) < 5 {
		return alertDecodeError
	}

	m.raw = data

	ctxLen := data[4]
	if len(data) < int(ctxLen)+5+3 {
		return alertDecodeError
	}
	m.requestContext = data[5 : 5+ctxLen]

	d := data[5+ctxLen:]
	certsLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
	if uint32(len(d)) != certsLen+3 {
		return alertDecodeError
	}

	numCerts := 0
	d = d[3:]
	for certsLen > 0 {
		if len(d) < 4 {
			return alertDecodeError
		}
		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
		if uint32(len(d)) < 3+certLen {
			return alertDecodeError
		}
		d = d[3+certLen:]

		if len(d) < 2 {
			return alertDecodeError
		}
		extLen := uint16(d[0])<<8 | uint16(d[1])
		if uint16(len(d)) < 2+extLen {
			return alertDecodeError
		}
		d = d[2+extLen:]

		certsLen -= 3 + certLen + 2 + uint32(extLen)
		numCerts++
	}

	m.certificates = make([]certificateEntry, numCerts)
	d = data[8+ctxLen:]
	for i := 0; i < numCerts; i++ {
		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
		m.certificates[i].data = d[3 : 3+certLen]
		d = d[3+certLen:]

		extLen := uint16(d[0])<<8 | uint16(d[1])
		d = d[2:]
		for extLen > 0 {
			if extLen < 4 {
				return alertDecodeError
			}
			typ := uint16(d[0])<<8 | uint16(d[1])
			bodyLen := uint16(d[2])<<8 | uint16(d[3])
			if extLen < 4+bodyLen {
				return alertDecodeError
			}
			body := d[4 : 4+bodyLen]
			d = d[4+bodyLen:]
			extLen -= 4 + bodyLen

			switch typ {
			case extensionStatusRequest:
				if len(body) < 4 || body[0] != 0x01 {
					return alertDecodeError
				}
				ocspLen := int(body[1])<<16 | int(body[2])<<8 | int(body[3])
				if len(body) != 4+ocspLen {
					return alertDecodeError
				}
				m.certificates[i].ocspStaple = body[4:]

			case extensionSCT:
				if len(body) < 2 {
					return alertDecodeError
				}
				listLen := int(body[0])<<8 | int(body[1])
				body = body[2:]
				if len(body) != listLen {
					return alertDecodeError
				}
				for len(body) > 0 {
					if len(body) < 2 {
						return alertDecodeError
					}
					sctLen := int(body[0])<<8 | int(body[1])
					if len(body) < 2+sctLen {
						return alertDecodeError
					}
					m.certificates[i].sctList = append(m.certificates[i].sctList, body[2:2+sctLen])
					body = body[2+sctLen:]
				}
			case extensionDelegatedCredential:
				m.certificates[i].delegatedCredential = body
			}
		}
	}

	return alertSuccess
}

type serverKeyExchangeMsg struct {
	raw []byte
	key []byte
}

func (m *serverKeyExchangeMsg) equal(i interface{}) bool {
	m1, ok := i.(*serverKeyExchangeMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.key, m1.key)
}

func (m *serverKeyExchangeMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}
	length := len(m.key)
	x := make([]byte, length+4)
	x[0] = typeServerKeyExchange
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	copy(x[4:], m.key)

	m.raw = x
	return x
}

func (m *serverKeyExchangeMsg) unmarshal(data []byte) alert {
	m.raw = data
	if len(data) < 4 {
		return alertDecodeError
	}
	m.key = data[4:]
	return alertSuccess
}

type certificateStatusMsg struct {
	raw        []byte
	statusType uint8
	response   []byte
}

func (m *certificateStatusMsg) equal(i interface{}) bool {
	m1, ok := i.(*certificateStatusMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.statusType == m1.statusType &&
		bytes.Equal(m.response, m1.response)
}

func (m *certificateStatusMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}

	var x []byte
	if m.statusType == statusTypeOCSP {
		x = make([]byte, 4+4+len(m.response))
		x[0] = typeCertificateStatus
		l := len(m.response) + 4
		x[1] = byte(l >> 16)
		x[2] = byte(l >> 8)
		x[3] = byte(l)
		x[4] = statusTypeOCSP

		l -= 4
		x[5] = byte(l >> 16)
		x[6] = byte(l >> 8)
		x[7] = byte(l)
		copy(x[8:], m.response)
	} else {
		x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
	}

	m.raw = x
	return x
}

func (m *certificateStatusMsg) unmarshal(data []byte) alert {
	m.raw = data
	if len(data) < 5 {
		return alertDecodeError
	}
	m.statusType = data[4]

	m.response = nil
	if m.statusType == statusTypeOCSP {
		if len(data) < 8 {
			return alertDecodeError
		}
		respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
		if uint32(len(data)) != 4+4+respLen {
			return alertDecodeError
		}
		m.response = data[8:]
	}
	return alertSuccess
}

type serverHelloDoneMsg struct{}

func (m *serverHelloDoneMsg) equal(i interface{}) bool {
	_, ok := i.(*serverHelloDoneMsg)
	return ok
}

func (m *serverHelloDoneMsg) marshal() []byte {
	x := make([]byte, 4)
	x[0] = typeServerHelloDone
	return x
}

func (m *serverHelloDoneMsg) unmarshal(data []byte) alert {
	if len(data) != 4 {
		return alertDecodeError
	}
	return alertSuccess
}

type clientKeyExchangeMsg struct {
	raw        []byte
	ciphertext []byte
}

func (m *clientKeyExchangeMsg) equal(i interface{}) bool {
	m1, ok := i.(*clientKeyExchangeMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.ciphertext, m1.ciphertext)
}

func (m *clientKeyExchangeMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}
	length := len(m.ciphertext)
	x := make([]byte, length+4)
	x[0] = typeClientKeyExchange
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	copy(x[4:], m.ciphertext)

	m.raw = x
	return x
}

func (m *clientKeyExchangeMsg) unmarshal(data []byte) alert {
	m.raw = data
	if len(data) < 4 {
		return alertDecodeError
	}
	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
	if l != len(data)-4 {
		return alertDecodeError
	}
	m.ciphertext = data[4:]
	return alertSuccess
}

type finishedMsg struct {
	raw        []byte
	verifyData []byte
}

func (m *finishedMsg) equal(i interface{}) bool {
	m1, ok := i.(*finishedMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.verifyData, m1.verifyData)
}

func (m *finishedMsg) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	x = make([]byte, 4+len(m.verifyData))
	x[0] = typeFinished
	x[3] = byte(len(m.verifyData))
	copy(x[4:], m.verifyData)
	m.raw = x
	return
}

func (m *finishedMsg) unmarshal(data []byte) alert {
	m.raw = data
	if len(data) < 4 {
		return alertDecodeError
	}
	m.verifyData = data[4:]
	return alertSuccess
}

type nextProtoMsg struct {
	raw   []byte
	proto string
}

func (m *nextProtoMsg) equal(i interface{}) bool {
	m1, ok := i.(*nextProtoMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.proto == m1.proto
}

func (m *nextProtoMsg) marshal() []byte {
	if m.raw != nil {
		return m.raw
	}
	l := len(m.proto)
	if l > 255 {
		l = 255
	}

	padding := 32 - (l+2)%32
	length := l + padding + 2
	x := make([]byte, length+4)
	x[0] = typeNextProtocol
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)

	y := x[4:]
	y[0] = byte(l)
	copy(y[1:], []byte(m.proto[0:l]))
	y = y[1+l:]
	y[0] = byte(padding)

	m.raw = x

	return x
}

func (m *nextProtoMsg) unmarshal(data []byte) alert {
	m.raw = data

	if len(data) < 5 {
		return alertDecodeError
	}
	data = data[4:]
	protoLen := int(data[0])
	data = data[1:]
	if len(data) < protoLen {
		return alertDecodeError
	}
	m.proto = string(data[0:protoLen])
	data = data[protoLen:]

	if len(data) < 1 {
		return alertDecodeError
	}
	paddingLen := int(data[0])
	data = data[1:]
	if len(data) != paddingLen {
		return alertDecodeError
	}

	return alertSuccess
}

type certificateRequestMsg struct {
	raw []byte
	// hasSignatureAndHash indicates whether this message includes a list
	// of signature and hash functions. This change was introduced with TLS
	// 1.2.
	hasSignatureAndHash bool

	certificateTypes             []byte
	supportedSignatureAlgorithms []SignatureScheme
	certificateAuthorities       [][]byte
}

func (m *certificateRequestMsg) equal(i interface{}) bool {
	m1, ok := i.(*certificateRequestMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.certificateTypes, m1.certificateTypes) &&
		eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
		eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms)
}

func (m *certificateRequestMsg) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	// See http://tools.ietf.org/html/rfc4346#section-7.4.4
	length := 1 + len(m.certificateTypes) + 2
	casLength := 0
	for _, ca := range m.certificateAuthorities {
		casLength += 2 + len(ca)
	}
	length += casLength

	if m.hasSignatureAndHash {
		length += 2 + 2*len(m.supportedSignatureAlgorithms)
	}

	x = make([]byte, 4+length)
	x[0] = typeCertificateRequest
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)

	x[4] = uint8(len(m.certificateTypes))

	copy(x[5:], m.certificateTypes)
	y := x[5+len(m.certificateTypes):]

	if m.hasSignatureAndHash {
		n := len(m.supportedSignatureAlgorithms) * 2
		y[0] = uint8(n >> 8)
		y[1] = uint8(n)
		y = y[2:]
		for _, sigAlgo := range m.supportedSignatureAlgorithms {
			y[0] = uint8(sigAlgo >> 8)
			y[1] = uint8(sigAlgo)
			y = y[2:]
		}
	}

	y[0] = uint8(casLength >> 8)
	y[1] = uint8(casLength)
	y = y[2:]
	for _, ca := range m.certificateAuthorities {
		y[0] = uint8(len(ca) >> 8)
		y[1] = uint8(len(ca))
		y = y[2:]
		copy(y, ca)
		y = y[len(ca):]
	}

	m.raw = x
	return
}

func (m *certificateRequestMsg) unmarshal(data []byte) alert {
	m.raw = data

	if len(data) < 5 {
		return alertDecodeError
	}

	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if uint32(len(data))-4 != length {
		return alertDecodeError
	}

	numCertTypes := int(data[4])
	data = data[5:]
	if numCertTypes == 0 || len(data) <= numCertTypes {
		return alertDecodeError
	}

	m.certificateTypes = make([]byte, numCertTypes)
	if copy(m.certificateTypes, data) != numCertTypes {
		return alertDecodeError
	}

	data = data[numCertTypes:]

	if m.hasSignatureAndHash {
		if len(data) < 2 {
			return alertDecodeError
		}
		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
		data = data[2:]
		if sigAndHashLen&1 != 0 {
			return alertDecodeError
		}
		if len(data) < int(sigAndHashLen) {
			return alertDecodeError
		}
		numSigAlgos := sigAndHashLen / 2
		m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
		for i := range m.supportedSignatureAlgorithms {
			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
			data = data[2:]
		}
	}

	if len(data) < 2 {
		return alertDecodeError
	}
	casLength := uint16(data[0])<<8 | uint16(data[1])
	data = data[2:]
	if len(data) < int(casLength) {
		return alertDecodeError
	}
	cas := make([]byte, casLength)
	copy(cas, data)
	data = data[casLength:]

	m.certificateAuthorities = nil
	for len(cas) > 0 {
		if len(cas) < 2 {
			return alertDecodeError
		}
		caLen := uint16(cas[0])<<8 | uint16(cas[1])
		cas = cas[2:]

		if len(cas) < int(caLen) {
			return alertDecodeError
		}

		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
		cas = cas[caLen:]
	}

	if len(data) != 0 {
		return alertDecodeError
	}

	return alertSuccess
}

type certificateRequestMsg13 struct {
	raw []byte

	requestContext                   []byte
	supportedSignatureAlgorithms     []SignatureScheme
	supportedSignatureAlgorithmsCert []SignatureScheme
	certificateAuthorities           [][]byte
}

func (m *certificateRequestMsg13) equal(i interface{}) bool {
	m1, ok := i.(*certificateRequestMsg13)
	return ok &&
		bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.requestContext, m1.requestContext) &&
		eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
		eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms) &&
		eqSignatureAlgorithms(m.supportedSignatureAlgorithmsCert, m1.supportedSignatureAlgorithmsCert)
}

func (m *certificateRequestMsg13) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	// See https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.3.2
	length := 1 + len(m.requestContext)
	numExtensions := 1
	extensionsLength := 2 + 2*len(m.supportedSignatureAlgorithms)

	if m.getSignatureAlgorithmsCert() != nil {
		numExtensions += 1
		extensionsLength += 2 + 2*len(m.getSignatureAlgorithmsCert())
	}

	casLength := 0
	if len(m.certificateAuthorities) > 0 {
		for _, ca := range m.certificateAuthorities {
			casLength += 2 + len(ca)
		}
		extensionsLength += 2 + casLength
		numExtensions++
	}

	extensionsLength += 4 * numExtensions
	length += 2 + extensionsLength

	x = make([]byte, 4+length)
	x[0] = typeCertificateRequest
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)

	x[4] = uint8(len(m.requestContext))
	copy(x[5:], m.requestContext)
	z := x[5+len(m.requestContext):]

	z[0] = byte(extensionsLength >> 8)
	z[1] = byte(extensionsLength)
	z = z[2:]

	// TODO: this function should be reused by CH
	z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithms, z, m.supportedSignatureAlgorithms)

	if m.getSignatureAlgorithmsCert() != nil {
		z = marshalExtensionSignatureAlgorithms(extensionSignatureAlgorithmsCert, z, m.getSignatureAlgorithmsCert())
	}
	// certificate_authorities
	if casLength > 0 {
		z[0] = byte(extensionCAs >> 8)
		z[1] = byte(extensionCAs)
		l := 2 + casLength
		z[2] = byte(l >> 8)
		z[3] = byte(l)
		z = z[4:]

		z[0] = uint8(casLength >> 8)
		z[1] = uint8(casLength)
		z = z[2:]
		for _, ca := range m.certificateAuthorities {
			z[0] = uint8(len(ca) >> 8)
			z[1] = uint8(len(ca))
			z = z[2:]
			copy(z, ca)
			z = z[len(ca):]
		}
	}

	m.raw = x
	return
}

func (m *certificateRequestMsg13) unmarshal(data []byte) alert {
	m.raw = data
	m.supportedSignatureAlgorithms = nil
	m.certificateAuthorities = nil

	if len(data) < 5 {
		return alertDecodeError
	}

	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if uint32(len(data))-4 != length {
		return alertDecodeError
	}

	ctxLen := data[4]
	if len(data) < 5+int(ctxLen)+2 {
		return alertDecodeError
	}
	m.requestContext = data[5 : 5+ctxLen]
	data = data[5+ctxLen:]

	extensionsLength := int(data[0])<<8 | int(data[1])
	data = data[2:]
	if len(data) != extensionsLength {
		return alertDecodeError
	}

	for len(data) != 0 {
		if len(data) < 4 {
			return alertDecodeError
		}
		extension := uint16(data[0])<<8 | uint16(data[1])
		length := int(data[2])<<8 | int(data[3])
		data = data[4:]
		if len(data) < length {
			return alertDecodeError
		}

		switch extension {
		case extensionSignatureAlgorithms:
			// TODO: unmarshalExtensionSignatureAlgorithms should be shared with CH and pre-1.3 CV
			// https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.2.3
			var err alert
			m.supportedSignatureAlgorithms, err = unmarshalExtensionSignatureAlgorithms(data, length)
			if err != alertSuccess {
				return err
			}
		case extensionSignatureAlgorithmsCert:
			var err alert
			m.supportedSignatureAlgorithmsCert, err = unmarshalExtensionSignatureAlgorithms(data, length)
			if err != alertSuccess {
				return err
			}
		case extensionCAs:
			// TODO DRY: share code with CH
			if length < 2 {
				return alertDecodeError
			}
			l := int(data[0])<<8 | int(data[1])
			if l != length-2 || l < 3 {
				return alertDecodeError
			}
			cas := make([]byte, l)
			copy(cas, data[2:])
			m.certificateAuthorities = nil
			for len(cas) > 0 {
				if len(cas) < 2 {
					return alertDecodeError
				}
				caLen := uint16(cas[0])<<8 | uint16(cas[1])
				cas = cas[2:]

				if len(cas) < int(caLen) {
					return alertDecodeError
				}

				m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
				cas = cas[caLen:]
			}
		}
		data = data[length:]
	}

	if len(m.supportedSignatureAlgorithms) == 0 {
		return alertDecodeError
	}
	return alertSuccess
}

func (m *certificateRequestMsg13) getSignatureAlgorithmsCert() []SignatureScheme {
	return signAlgosCertList(m.supportedSignatureAlgorithms, m.supportedSignatureAlgorithmsCert)
}

type certificateVerifyMsg struct {
	raw                 []byte
	hasSignatureAndHash bool
	signatureAlgorithm  SignatureScheme
	signature           []byte
}

func (m *certificateVerifyMsg) equal(i interface{}) bool {
	m1, ok := i.(*certificateVerifyMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.hasSignatureAndHash == m1.hasSignatureAndHash &&
		m.signatureAlgorithm == m1.signatureAlgorithm &&
		bytes.Equal(m.signature, m1.signature)
}

func (m *certificateVerifyMsg) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	// See http://tools.ietf.org/html/rfc4346#section-7.4.8
	siglength := len(m.signature)
	length := 2 + siglength
	if m.hasSignatureAndHash {
		length += 2
	}
	x = make([]byte, 4+length)
	x[0] = typeCertificateVerify
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	y := x[4:]
	if m.hasSignatureAndHash {
		y[0] = uint8(m.signatureAlgorithm >> 8)
		y[1] = uint8(m.signatureAlgorithm)
		y = y[2:]
	}
	y[0] = uint8(siglength >> 8)
	y[1] = uint8(siglength)
	copy(y[2:], m.signature)

	m.raw = x

	return
}

func (m *certificateVerifyMsg) unmarshal(data []byte) alert {
	m.raw = data

	if len(data) < 6 {
		return alertDecodeError
	}

	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if uint32(len(data))-4 != length {
		return alertDecodeError
	}

	data = data[4:]
	if m.hasSignatureAndHash {
		m.signatureAlgorithm = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
		data = data[2:]
	}

	if len(data) < 2 {
		return alertDecodeError
	}
	siglength := int(data[0])<<8 + int(data[1])
	data = data[2:]
	if len(data) != siglength {
		return alertDecodeError
	}

	m.signature = data

	return alertSuccess
}

type newSessionTicketMsg struct {
	raw    []byte
	ticket []byte
}

func (m *newSessionTicketMsg) equal(i interface{}) bool {
	m1, ok := i.(*newSessionTicketMsg)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		bytes.Equal(m.ticket, m1.ticket)
}

func (m *newSessionTicketMsg) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	// See http://tools.ietf.org/html/rfc5077#section-3.3
	ticketLen := len(m.ticket)
	length := 2 + 4 + ticketLen
	x = make([]byte, 4+length)
	x[0] = typeNewSessionTicket
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)
	x[8] = uint8(ticketLen >> 8)
	x[9] = uint8(ticketLen)
	copy(x[10:], m.ticket)

	m.raw = x

	return
}

func (m *newSessionTicketMsg) unmarshal(data []byte) alert {
	m.raw = data

	if len(data) < 10 {
		return alertDecodeError
	}

	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if uint32(len(data))-4 != length {
		return alertDecodeError
	}

	ticketLen := int(data[8])<<8 + int(data[9])
	if len(data)-10 != ticketLen {
		return alertDecodeError
	}

	m.ticket = data[10:]

	return alertSuccess
}

type newSessionTicketMsg13 struct {
	raw                []byte
	lifetime           uint32
	ageAdd             uint32
	nonce              []byte
	ticket             []byte
	withEarlyDataInfo  bool
	maxEarlyDataLength uint32
}

func (m *newSessionTicketMsg13) equal(i interface{}) bool {
	m1, ok := i.(*newSessionTicketMsg13)
	if !ok {
		return false
	}

	return bytes.Equal(m.raw, m1.raw) &&
		m.lifetime == m1.lifetime &&
		m.ageAdd == m1.ageAdd &&
		bytes.Equal(m.nonce, m1.nonce) &&
		bytes.Equal(m.ticket, m1.ticket) &&
		m.withEarlyDataInfo == m1.withEarlyDataInfo &&
		m.maxEarlyDataLength == m1.maxEarlyDataLength
}

func (m *newSessionTicketMsg13) marshal() (x []byte) {
	if m.raw != nil {
		return m.raw
	}

	// See https://tools.ietf.org/html/draft-ietf-tls-tls13-21#section-4.6.1
	nonceLen := len(m.nonce)
	ticketLen := len(m.ticket)
	length := 13 + nonceLen + ticketLen
	if m.withEarlyDataInfo {
		length += 8
	}
	x = make([]byte, 4+length)
	x[0] = typeNewSessionTicket
	x[1] = uint8(length >> 16)
	x[2] = uint8(length >> 8)
	x[3] = uint8(length)

	x[4] = uint8(m.lifetime >> 24)
	x[5] = uint8(m.lifetime >> 16)
	x[6] = uint8(m.lifetime >> 8)
	x[7] = uint8(m.lifetime)
	x[8] = uint8(m.ageAdd >> 24)
	x[9] = uint8(m.ageAdd >> 16)
	x[10] = uint8(m.ageAdd >> 8)
	x[11] = uint8(m.ageAdd)

	x[12] = uint8(nonceLen)
	copy(x[13:13+nonceLen], m.nonce)

	y := x[13+nonceLen:]
	y[0] = uint8(ticketLen >> 8)
	y[1] = uint8(ticketLen)
	copy(y[2:2+ticketLen], m.ticket)

	if m.withEarlyDataInfo {
		z := y[2+ticketLen:]
		// z[0] is already 0, this is the extensions vector length.
		z[1] = 8
		z[2] = uint8(extensionEarlyData >> 8)
		z[3] = uint8(extensionEarlyData)
		z[5] = 4
		z[6] = uint8(m.maxEarlyDataLength >> 24)
		z[7] = uint8(m.maxEarlyDataLength >> 16)
		z[8] = uint8(m.maxEarlyDataLength >> 8)
		z[9] = uint8(m.maxEarlyDataLength)
	}

	m.raw = x

	return
}

func (m *newSessionTicketMsg13) unmarshal(data []byte) alert {
	m.raw = data
	m.maxEarlyDataLength = 0
	m.withEarlyDataInfo = false

	if len(data) < 17 {
		return alertDecodeError
	}

	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
	if uint32(len(data))-4 != length {
		return alertDecodeError
	}

	m.lifetime = uint32(data[4])<<24 | uint32(data[5])<<16 |
		uint32(data[6])<<8 | uint32(data[7])
	m.ageAdd = uint32(data[8])<<24 | uint32(data[9])<<16 |
		uint32(data[10])<<8 | uint32(data[11])

	nonceLen := int(data[12])
	if nonceLen == 0 || 13+nonceLen+2 > len(data) {
		return alertDecodeError
	}
	m.nonce = data[13 : 13+nonceLen]

	data = data[13+nonceLen:]
	ticketLen := int(data[0])<<8 + int(data[1])
	if ticketLen == 0 || 2+ticketLen+2 > len(data) {
		return alertDecodeError
	}
	m.ticket = data[2 : 2+ticketLen]

	data = data[2+ticketLen:]
	extLen := int(data[0])<<8 + int(data[1])
	if extLen != len(data)-2 {
		return alertDecodeError
	}

	data = data[2:]
	for len(data) > 0 {
		if len(data) < 4 {
			return alertDecodeError
		}
		extType := uint16(data[0])<<8 + uint16(data[1])
		length := int(data[2])<<8 + int(data[3])
		data = data[4:]

		switch extType {
		case extensionEarlyData:
			if length != 4 {
				return alertDecodeError
			}
			m.withEarlyDataInfo = true
			m.maxEarlyDataLength = uint32(data[0])<<24 | uint32(data[1])<<16 |
				uint32(data[2])<<8 | uint32(data[3])
		}
		data = data[length:]
	}

	return alertSuccess
}

type endOfEarlyDataMsg struct {
}

func (*endOfEarlyDataMsg) marshal() []byte {
	return []byte{typeEndOfEarlyData, 0, 0, 0}
}

func (*endOfEarlyDataMsg) unmarshal(data []byte) alert {
	if len(data) != 4 {
		return alertDecodeError
	}
	return alertSuccess
}

type helloRequestMsg struct {
}

func (*helloRequestMsg) marshal() []byte {
	return []byte{typeHelloRequest, 0, 0, 0}
}

func (*helloRequestMsg) unmarshal(data []byte) alert {
	if len(data) != 4 {
		return alertDecodeError
	}
	return alertSuccess
}

func eqUint16s(x, y []uint16) bool {
	if len(x) != len(y) {
		return false
	}
	for i, v := range x {
		if y[i] != v {
			return false
		}
	}
	return true
}

func eqCurveIDs(x, y []CurveID) bool {
	if len(x) != len(y) {
		return false
	}
	for i, v := range x {
		if y[i] != v {
			return false
		}
	}
	return true
}

func eqStrings(x, y []string) bool {
	if len(x) != len(y) {
		return false
	}
	for i, v := range x {
		if y[i] != v {
			return false
		}
	}
	return true
}

func eqByteSlices(x, y [][]byte) bool {
	if len(x) != len(y) {
		return false
	}
	for i, v := range x {
		if !bytes.Equal(v, y[i]) {
			return false
		}
	}
	return true
}

func eqSignatureAlgorithms(x, y []SignatureScheme) bool {
	if len(x) != len(y) {
		return false
	}
	for i, v := range x {
		if v != y[i] {
			return false
		}
	}
	return true
}

func eqKeyShares(x, y []keyShare) bool {
	if len(x) != len(y) {
		return false
	}
	for i := range x {
		if x[i].group != y[i].group {
			return false
		}
		if !bytes.Equal(x[i].data, y[i].data) {
			return false
		}
	}
	return true
}

func findExtension(data []byte, extensionType uint16) []byte {
	for len(data) != 0 {
		if len(data) < 4 {
			return nil
		}
		extension := uint16(data[0])<<8 | uint16(data[1])
		length := int(data[2])<<8 | int(data[3])
		data = data[4:]
		if len(data) < length {
			return nil
		}
		if extension == extensionType {
			return data[:length]
		}
		data = data[length:]
	}
	return nil
}