Source file src/crypto/tls/handshake_messages.go 

     1  // Copyright 2009 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"errors"
     9  	"fmt"
    10  	"slices"
    11  	"strings"
    12  
    13  	"golang.org/x/crypto/cryptobyte"
    14  )
    15  
    16  // The marshalingFunction type is an adapter to allow the use of ordinary
    17  // functions as cryptobyte.MarshalingValue.
    18  type marshalingFunction func(b *cryptobyte.Builder) error
    19  
    20  func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error {
    21  	return f(b)
    22  }
    23  
    24  // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
    25  // the length of the sequence is not the value specified, it produces an error.
    26  func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) {
    27  	b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error {
    28  		if len(v) != n {
    29  			return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v))
    30  		}
    31  		b.AddBytes(v)
    32  		return nil
    33  	}))
    34  }
    35  
    36  // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
    37  func addUint64(b *cryptobyte.Builder, v uint64) {
    38  	b.AddUint32(uint32(v >> 32))
    39  	b.AddUint32(uint32(v))
    40  }
    41  
    42  // readUint64 decodes a big-endian, 64-bit value into out and advances over it.
    43  // It reports whether the read was successful.
    44  func readUint64(s *cryptobyte.String, out *uint64) bool {
    45  	var hi, lo uint32
    46  	if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) {
    47  		return false
    48  	}
    49  	*out = uint64(hi)<<32 | uint64(lo)
    50  	return true
    51  }
    52  
    53  // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
    54  // []byte instead of a cryptobyte.String.
    55  func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    56  	return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out))
    57  }
    58  
    59  // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
    60  // []byte instead of a cryptobyte.String.
    61  func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    62  	return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out))
    63  }
    64  
    65  // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
    66  // []byte instead of a cryptobyte.String.
    67  func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool {
    68  	return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out))
    69  }
    70  
    71  type clientHelloMsg struct {
    72  	original                         []byte
    73  	vers                             uint16
    74  	random                           []byte
    75  	sessionId                        []byte
    76  	cipherSuites                     []uint16
    77  	compressionMethods               []uint8
    78  	serverName                       string
    79  	ocspStapling                     bool
    80  	supportedCurves                  []CurveID
    81  	supportedPoints                  []uint8
    82  	ticketSupported                  bool
    83  	sessionTicket                    []uint8
    84  	supportedSignatureAlgorithms     []SignatureScheme
    85  	supportedSignatureAlgorithmsCert []SignatureScheme
    86  	secureRenegotiationSupported     bool
    87  	secureRenegotiation              []byte
    88  	extendedMasterSecret             bool
    89  	alpnProtocols                    []string
    90  	scts                             bool
    91  	supportedVersions                []uint16
    92  	cookie                           []byte
    93  	keyShares                        []keyShare
    94  	earlyData                        bool
    95  	pskModes                         []uint8
    96  	pskIdentities                    []pskIdentity
    97  	pskBinders                       [][]byte
    98  	quicTransportParameters          []byte
    99  	encryptedClientHello             []byte
   100  	// extensions are only populated on the server-side of a handshake
   101  	extensions []uint16
   102  }
   103  
   104  func (m *clientHelloMsg) marshalMsg(echInner bool) ([]byte, error) {
   105  	var exts cryptobyte.Builder
   106  	if len(m.serverName) > 0 {
   107  		// RFC 6066, Section 3
   108  		exts.AddUint16(extensionServerName)
   109  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   110  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   111  				exts.AddUint8(0) // name_type = host_name
   112  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   113  					exts.AddBytes([]byte(m.serverName))
   114  				})
   115  			})
   116  		})
   117  	}
   118  	if len(m.supportedPoints) > 0 && !echInner {
   119  		// RFC 4492, Section 5.1.2
   120  		exts.AddUint16(extensionSupportedPoints)
   121  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   122  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   123  				exts.AddBytes(m.supportedPoints)
   124  			})
   125  		})
   126  	}
   127  	if m.ticketSupported && !echInner {
   128  		// RFC 5077, Section 3.2
   129  		exts.AddUint16(extensionSessionTicket)
   130  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   131  			exts.AddBytes(m.sessionTicket)
   132  		})
   133  	}
   134  	if m.secureRenegotiationSupported && !echInner {
   135  		// RFC 5746, Section 3.2
   136  		exts.AddUint16(extensionRenegotiationInfo)
   137  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   138  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   139  				exts.AddBytes(m.secureRenegotiation)
   140  			})
   141  		})
   142  	}
   143  	if m.extendedMasterSecret && !echInner {
   144  		// RFC 7627
   145  		exts.AddUint16(extensionExtendedMasterSecret)
   146  		exts.AddUint16(0) // empty extension_data
   147  	}
   148  	if m.scts {
   149  		// RFC 6962, Section 3.3.1
   150  		exts.AddUint16(extensionSCT)
   151  		exts.AddUint16(0) // empty extension_data
   152  	}
   153  	if m.earlyData {
   154  		// RFC 8446, Section 4.2.10
   155  		exts.AddUint16(extensionEarlyData)
   156  		exts.AddUint16(0) // empty extension_data
   157  	}
   158  	if m.quicTransportParameters != nil { // marshal zero-length parameters when present
   159  		// RFC 9001, Section 8.2
   160  		exts.AddUint16(extensionQUICTransportParameters)
   161  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   162  			exts.AddBytes(m.quicTransportParameters)
   163  		})
   164  	}
   165  	if len(m.encryptedClientHello) > 0 {
   166  		exts.AddUint16(extensionEncryptedClientHello)
   167  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   168  			exts.AddBytes(m.encryptedClientHello)
   169  		})
   170  	}
   171  	// Note that any extension that can be compressed during ECH must be
   172  	// contiguous. If any additional extensions are to be compressed they must
   173  	// be added to the following block, so that they can be properly
   174  	// decompressed on the other side.
   175  	var echOuterExts []uint16
   176  	if m.ocspStapling {
   177  		// RFC 4366, Section 3.6
   178  		if echInner {
   179  			echOuterExts = append(echOuterExts, extensionStatusRequest)
   180  		} else {
   181  			exts.AddUint16(extensionStatusRequest)
   182  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   183  				exts.AddUint8(1)  // status_type = ocsp
   184  				exts.AddUint16(0) // empty responder_id_list
   185  				exts.AddUint16(0) // empty request_extensions
   186  			})
   187  		}
   188  	}
   189  	if len(m.supportedCurves) > 0 {
   190  		// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   191  		if echInner {
   192  			echOuterExts = append(echOuterExts, extensionSupportedCurves)
   193  		} else {
   194  			exts.AddUint16(extensionSupportedCurves)
   195  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   196  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   197  					for _, curve := range m.supportedCurves {
   198  						exts.AddUint16(uint16(curve))
   199  					}
   200  				})
   201  			})
   202  		}
   203  	}
   204  	if len(m.supportedSignatureAlgorithms) > 0 {
   205  		// RFC 5246, Section 7.4.1.4.1
   206  		if echInner {
   207  			echOuterExts = append(echOuterExts, extensionSignatureAlgorithms)
   208  		} else {
   209  			exts.AddUint16(extensionSignatureAlgorithms)
   210  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   211  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   212  					for _, sigAlgo := range m.supportedSignatureAlgorithms {
   213  						exts.AddUint16(uint16(sigAlgo))
   214  					}
   215  				})
   216  			})
   217  		}
   218  	}
   219  	if len(m.supportedSignatureAlgorithmsCert) > 0 {
   220  		// RFC 8446, Section 4.2.3
   221  		if echInner {
   222  			echOuterExts = append(echOuterExts, extensionSignatureAlgorithmsCert)
   223  		} else {
   224  			exts.AddUint16(extensionSignatureAlgorithmsCert)
   225  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   226  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   227  					for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
   228  						exts.AddUint16(uint16(sigAlgo))
   229  					}
   230  				})
   231  			})
   232  		}
   233  	}
   234  	if len(m.alpnProtocols) > 0 {
   235  		// RFC 7301, Section 3.1
   236  		if echInner {
   237  			echOuterExts = append(echOuterExts, extensionALPN)
   238  		} else {
   239  			exts.AddUint16(extensionALPN)
   240  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   241  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   242  					for _, proto := range m.alpnProtocols {
   243  						exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   244  							exts.AddBytes([]byte(proto))
   245  						})
   246  					}
   247  				})
   248  			})
   249  		}
   250  	}
   251  	if len(m.supportedVersions) > 0 {
   252  		// RFC 8446, Section 4.2.1
   253  		if echInner {
   254  			echOuterExts = append(echOuterExts, extensionSupportedVersions)
   255  		} else {
   256  			exts.AddUint16(extensionSupportedVersions)
   257  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   258  				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   259  					for _, vers := range m.supportedVersions {
   260  						exts.AddUint16(vers)
   261  					}
   262  				})
   263  			})
   264  		}
   265  	}
   266  	if len(m.cookie) > 0 {
   267  		// RFC 8446, Section 4.2.2
   268  		if echInner {
   269  			echOuterExts = append(echOuterExts, extensionCookie)
   270  		} else {
   271  			exts.AddUint16(extensionCookie)
   272  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   273  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   274  					exts.AddBytes(m.cookie)
   275  				})
   276  			})
   277  		}
   278  	}
   279  	if len(m.keyShares) > 0 {
   280  		// RFC 8446, Section 4.2.8
   281  		if echInner {
   282  			echOuterExts = append(echOuterExts, extensionKeyShare)
   283  		} else {
   284  			exts.AddUint16(extensionKeyShare)
   285  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   286  				exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   287  					for _, ks := range m.keyShares {
   288  						exts.AddUint16(uint16(ks.group))
   289  						exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   290  							exts.AddBytes(ks.data)
   291  						})
   292  					}
   293  				})
   294  			})
   295  		}
   296  	}
   297  	if len(m.pskModes) > 0 {
   298  		// RFC 8446, Section 4.2.9
   299  		if echInner {
   300  			echOuterExts = append(echOuterExts, extensionPSKModes)
   301  		} else {
   302  			exts.AddUint16(extensionPSKModes)
   303  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   304  				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   305  					exts.AddBytes(m.pskModes)
   306  				})
   307  			})
   308  		}
   309  	}
   310  	if len(echOuterExts) > 0 && echInner {
   311  		exts.AddUint16(extensionECHOuterExtensions)
   312  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   313  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   314  				for _, e := range echOuterExts {
   315  					exts.AddUint16(e)
   316  				}
   317  			})
   318  		})
   319  	}
   320  	if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension
   321  		// RFC 8446, Section 4.2.11
   322  		exts.AddUint16(extensionPreSharedKey)
   323  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   324  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   325  				for _, psk := range m.pskIdentities {
   326  					exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   327  						exts.AddBytes(psk.label)
   328  					})
   329  					exts.AddUint32(psk.obfuscatedTicketAge)
   330  				}
   331  			})
   332  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   333  				for _, binder := range m.pskBinders {
   334  					exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   335  						exts.AddBytes(binder)
   336  					})
   337  				}
   338  			})
   339  		})
   340  	}
   341  	extBytes, err := exts.Bytes()
   342  	if err != nil {
   343  		return nil, err
   344  	}
   345  
   346  	var b cryptobyte.Builder
   347  	b.AddUint8(typeClientHello)
   348  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   349  		b.AddUint16(m.vers)
   350  		addBytesWithLength(b, m.random, 32)
   351  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   352  			if !echInner {
   353  				b.AddBytes(m.sessionId)
   354  			}
   355  		})
   356  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   357  			for _, suite := range m.cipherSuites {
   358  				b.AddUint16(suite)
   359  			}
   360  		})
   361  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   362  			b.AddBytes(m.compressionMethods)
   363  		})
   364  
   365  		if len(extBytes) > 0 {
   366  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   367  				b.AddBytes(extBytes)
   368  			})
   369  		}
   370  	})
   371  
   372  	return b.Bytes()
   373  }
   374  
   375  func (m *clientHelloMsg) marshal() ([]byte, error) {
   376  	return m.marshalMsg(false)
   377  }
   378  
   379  // marshalWithoutBinders returns the ClientHello through the
   380  // PreSharedKeyExtension.identities field, according to RFC 8446, Section
   381  // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.
   382  func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) {
   383  	bindersLen := 2 // uint16 length prefix
   384  	for _, binder := range m.pskBinders {
   385  		bindersLen += 1 // uint8 length prefix
   386  		bindersLen += len(binder)
   387  	}
   388  
   389  	var fullMessage []byte
   390  	if m.original != nil {
   391  		fullMessage = m.original
   392  	} else {
   393  		var err error
   394  		fullMessage, err = m.marshal()
   395  		if err != nil {
   396  			return nil, err
   397  		}
   398  	}
   399  	return fullMessage[:len(fullMessage)-bindersLen], nil
   400  }
   401  
   402  // updateBinders updates the m.pskBinders field. The supplied binders must have
   403  // the same length as the current m.pskBinders.
   404  func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error {
   405  	if len(pskBinders) != len(m.pskBinders) {
   406  		return errors.New("tls: internal error: pskBinders length mismatch")
   407  	}
   408  	for i := range m.pskBinders {
   409  		if len(pskBinders[i]) != len(m.pskBinders[i]) {
   410  			return errors.New("tls: internal error: pskBinders length mismatch")
   411  		}
   412  	}
   413  	m.pskBinders = pskBinders
   414  
   415  	return nil
   416  }
   417  
   418  func (m *clientHelloMsg) unmarshal(data []byte) bool {
   419  	*m = clientHelloMsg{original: data}
   420  	s := cryptobyte.String(data)
   421  
   422  	if !s.Skip(4) || // message type and uint24 length field
   423  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   424  		!readUint8LengthPrefixed(&s, &m.sessionId) {
   425  		return false
   426  	}
   427  
   428  	var cipherSuites cryptobyte.String
   429  	if !s.ReadUint16LengthPrefixed(&cipherSuites) {
   430  		return false
   431  	}
   432  	m.cipherSuites = []uint16{}
   433  	m.secureRenegotiationSupported = false
   434  	for !cipherSuites.Empty() {
   435  		var suite uint16
   436  		if !cipherSuites.ReadUint16(&suite) {
   437  			return false
   438  		}
   439  		if suite == scsvRenegotiation {
   440  			m.secureRenegotiationSupported = true
   441  		}
   442  		m.cipherSuites = append(m.cipherSuites, suite)
   443  	}
   444  
   445  	if !readUint8LengthPrefixed(&s, &m.compressionMethods) {
   446  		return false
   447  	}
   448  
   449  	if s.Empty() {
   450  		// ClientHello is optionally followed by extension data
   451  		return true
   452  	}
   453  
   454  	var extensions cryptobyte.String
   455  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   456  		return false
   457  	}
   458  
   459  	seenExts := make(map[uint16]bool)
   460  	for !extensions.Empty() {
   461  		var extension uint16
   462  		var extData cryptobyte.String
   463  		if !extensions.ReadUint16(&extension) ||
   464  			!extensions.ReadUint16LengthPrefixed(&extData) {
   465  			return false
   466  		}
   467  
   468  		if seenExts[extension] {
   469  			return false
   470  		}
   471  		seenExts[extension] = true
   472  		m.extensions = append(m.extensions, extension)
   473  
   474  		switch extension {
   475  		case extensionServerName:
   476  			// RFC 6066, Section 3
   477  			var nameList cryptobyte.String
   478  			if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() {
   479  				return false
   480  			}
   481  			for !nameList.Empty() {
   482  				var nameType uint8
   483  				var serverName cryptobyte.String
   484  				if !nameList.ReadUint8(&nameType) ||
   485  					!nameList.ReadUint16LengthPrefixed(&serverName) ||
   486  					serverName.Empty() {
   487  					return false
   488  				}
   489  				if nameType != 0 {
   490  					continue
   491  				}
   492  				if len(m.serverName) != 0 {
   493  					// Multiple names of the same name_type are prohibited.
   494  					return false
   495  				}
   496  				m.serverName = string(serverName)
   497  				// An SNI value may not include a trailing dot.
   498  				if strings.HasSuffix(m.serverName, ".") {
   499  					return false
   500  				}
   501  			}
   502  		case extensionStatusRequest:
   503  			// RFC 4366, Section 3.6
   504  			var statusType uint8
   505  			var ignored cryptobyte.String
   506  			if !extData.ReadUint8(&statusType) ||
   507  				!extData.ReadUint16LengthPrefixed(&ignored) ||
   508  				!extData.ReadUint16LengthPrefixed(&ignored) {
   509  				return false
   510  			}
   511  			m.ocspStapling = statusType == statusTypeOCSP
   512  		case extensionSupportedCurves:
   513  			// RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
   514  			var curves cryptobyte.String
   515  			if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() {
   516  				return false
   517  			}
   518  			for !curves.Empty() {
   519  				var curve uint16
   520  				if !curves.ReadUint16(&curve) {
   521  					return false
   522  				}
   523  				m.supportedCurves = append(m.supportedCurves, CurveID(curve))
   524  			}
   525  		case extensionSupportedPoints:
   526  			// RFC 4492, Section 5.1.2
   527  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   528  				len(m.supportedPoints) == 0 {
   529  				return false
   530  			}
   531  		case extensionSessionTicket:
   532  			// RFC 5077, Section 3.2
   533  			m.ticketSupported = true
   534  			extData.ReadBytes(&m.sessionTicket, len(extData))
   535  		case extensionSignatureAlgorithms:
   536  			// RFC 5246, Section 7.4.1.4.1
   537  			var sigAndAlgs cryptobyte.String
   538  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   539  				return false
   540  			}
   541  			for !sigAndAlgs.Empty() {
   542  				var sigAndAlg uint16
   543  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   544  					return false
   545  				}
   546  				m.supportedSignatureAlgorithms = append(
   547  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
   548  			}
   549  		case extensionSignatureAlgorithmsCert:
   550  			// RFC 8446, Section 4.2.3
   551  			var sigAndAlgs cryptobyte.String
   552  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
   553  				return false
   554  			}
   555  			for !sigAndAlgs.Empty() {
   556  				var sigAndAlg uint16
   557  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
   558  					return false
   559  				}
   560  				m.supportedSignatureAlgorithmsCert = append(
   561  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
   562  			}
   563  		case extensionRenegotiationInfo:
   564  			// RFC 5746, Section 3.2
   565  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   566  				return false
   567  			}
   568  			m.secureRenegotiationSupported = true
   569  		case extensionExtendedMasterSecret:
   570  			// RFC 7627
   571  			m.extendedMasterSecret = true
   572  		case extensionALPN:
   573  			// RFC 7301, Section 3.1
   574  			var protoList cryptobyte.String
   575  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   576  				return false
   577  			}
   578  			for !protoList.Empty() {
   579  				var proto cryptobyte.String
   580  				if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() {
   581  					return false
   582  				}
   583  				m.alpnProtocols = append(m.alpnProtocols, string(proto))
   584  			}
   585  		case extensionSCT:
   586  			// RFC 6962, Section 3.3.1
   587  			m.scts = true
   588  		case extensionSupportedVersions:
   589  			// RFC 8446, Section 4.2.1
   590  			var versList cryptobyte.String
   591  			if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() {
   592  				return false
   593  			}
   594  			for !versList.Empty() {
   595  				var vers uint16
   596  				if !versList.ReadUint16(&vers) {
   597  					return false
   598  				}
   599  				m.supportedVersions = append(m.supportedVersions, vers)
   600  			}
   601  		case extensionCookie:
   602  			// RFC 8446, Section 4.2.2
   603  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   604  				len(m.cookie) == 0 {
   605  				return false
   606  			}
   607  		case extensionKeyShare:
   608  			// RFC 8446, Section 4.2.8
   609  			var clientShares cryptobyte.String
   610  			if !extData.ReadUint16LengthPrefixed(&clientShares) {
   611  				return false
   612  			}
   613  			for !clientShares.Empty() {
   614  				var ks keyShare
   615  				if !clientShares.ReadUint16((*uint16)(&ks.group)) ||
   616  					!readUint16LengthPrefixed(&clientShares, &ks.data) ||
   617  					len(ks.data) == 0 {
   618  					return false
   619  				}
   620  				m.keyShares = append(m.keyShares, ks)
   621  			}
   622  		case extensionEarlyData:
   623  			// RFC 8446, Section 4.2.10
   624  			m.earlyData = true
   625  		case extensionPSKModes:
   626  			// RFC 8446, Section 4.2.9
   627  			if !readUint8LengthPrefixed(&extData, &m.pskModes) {
   628  				return false
   629  			}
   630  		case extensionQUICTransportParameters:
   631  			m.quicTransportParameters = make([]byte, len(extData))
   632  			if !extData.CopyBytes(m.quicTransportParameters) {
   633  				return false
   634  			}
   635  		case extensionPreSharedKey:
   636  			// RFC 8446, Section 4.2.11
   637  			if !extensions.Empty() {
   638  				return false // pre_shared_key must be the last extension
   639  			}
   640  			var identities cryptobyte.String
   641  			if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() {
   642  				return false
   643  			}
   644  			for !identities.Empty() {
   645  				var psk pskIdentity
   646  				if !readUint16LengthPrefixed(&identities, &psk.label) ||
   647  					!identities.ReadUint32(&psk.obfuscatedTicketAge) ||
   648  					len(psk.label) == 0 {
   649  					return false
   650  				}
   651  				m.pskIdentities = append(m.pskIdentities, psk)
   652  			}
   653  			var binders cryptobyte.String
   654  			if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() {
   655  				return false
   656  			}
   657  			for !binders.Empty() {
   658  				var binder []byte
   659  				if !readUint8LengthPrefixed(&binders, &binder) ||
   660  					len(binder) == 0 {
   661  					return false
   662  				}
   663  				m.pskBinders = append(m.pskBinders, binder)
   664  			}
   665  		case extensionEncryptedClientHello:
   666  			if !extData.ReadBytes(&m.encryptedClientHello, len(extData)) {
   667  				return false
   668  			}
   669  		default:
   670  			// Ignore unknown extensions.
   671  			continue
   672  		}
   673  
   674  		if !extData.Empty() {
   675  			return false
   676  		}
   677  	}
   678  
   679  	return true
   680  }
   681  
   682  func (m *clientHelloMsg) originalBytes() []byte {
   683  	return m.original
   684  }
   685  
   686  func (m *clientHelloMsg) clone() *clientHelloMsg {
   687  	return &clientHelloMsg{
   688  		original:                         slices.Clone(m.original),
   689  		vers:                             m.vers,
   690  		random:                           slices.Clone(m.random),
   691  		sessionId:                        slices.Clone(m.sessionId),
   692  		cipherSuites:                     slices.Clone(m.cipherSuites),
   693  		compressionMethods:               slices.Clone(m.compressionMethods),
   694  		serverName:                       m.serverName,
   695  		ocspStapling:                     m.ocspStapling,
   696  		supportedCurves:                  slices.Clone(m.supportedCurves),
   697  		supportedPoints:                  slices.Clone(m.supportedPoints),
   698  		ticketSupported:                  m.ticketSupported,
   699  		sessionTicket:                    slices.Clone(m.sessionTicket),
   700  		supportedSignatureAlgorithms:     slices.Clone(m.supportedSignatureAlgorithms),
   701  		supportedSignatureAlgorithmsCert: slices.Clone(m.supportedSignatureAlgorithmsCert),
   702  		secureRenegotiationSupported:     m.secureRenegotiationSupported,
   703  		secureRenegotiation:              slices.Clone(m.secureRenegotiation),
   704  		extendedMasterSecret:             m.extendedMasterSecret,
   705  		alpnProtocols:                    slices.Clone(m.alpnProtocols),
   706  		scts:                             m.scts,
   707  		supportedVersions:                slices.Clone(m.supportedVersions),
   708  		cookie:                           slices.Clone(m.cookie),
   709  		keyShares:                        slices.Clone(m.keyShares),
   710  		earlyData:                        m.earlyData,
   711  		pskModes:                         slices.Clone(m.pskModes),
   712  		pskIdentities:                    slices.Clone(m.pskIdentities),
   713  		pskBinders:                       slices.Clone(m.pskBinders),
   714  		quicTransportParameters:          slices.Clone(m.quicTransportParameters),
   715  		encryptedClientHello:             slices.Clone(m.encryptedClientHello),
   716  	}
   717  }
   718  
   719  type serverHelloMsg struct {
   720  	original                     []byte
   721  	vers                         uint16
   722  	random                       []byte
   723  	sessionId                    []byte
   724  	cipherSuite                  uint16
   725  	compressionMethod            uint8
   726  	ocspStapling                 bool
   727  	ticketSupported              bool
   728  	secureRenegotiationSupported bool
   729  	secureRenegotiation          []byte
   730  	extendedMasterSecret         bool
   731  	alpnProtocol                 string
   732  	scts                         [][]byte
   733  	supportedVersion             uint16
   734  	serverShare                  keyShare
   735  	selectedIdentityPresent      bool
   736  	selectedIdentity             uint16
   737  	supportedPoints              []uint8
   738  	encryptedClientHello         []byte
   739  	serverNameAck                bool
   740  
   741  	// HelloRetryRequest extensions
   742  	cookie        []byte
   743  	selectedGroup CurveID
   744  }
   745  
   746  func (m *serverHelloMsg) marshal() ([]byte, error) {
   747  	var exts cryptobyte.Builder
   748  	if m.ocspStapling {
   749  		exts.AddUint16(extensionStatusRequest)
   750  		exts.AddUint16(0) // empty extension_data
   751  	}
   752  	if m.ticketSupported {
   753  		exts.AddUint16(extensionSessionTicket)
   754  		exts.AddUint16(0) // empty extension_data
   755  	}
   756  	if m.secureRenegotiationSupported {
   757  		exts.AddUint16(extensionRenegotiationInfo)
   758  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   759  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   760  				exts.AddBytes(m.secureRenegotiation)
   761  			})
   762  		})
   763  	}
   764  	if m.extendedMasterSecret {
   765  		exts.AddUint16(extensionExtendedMasterSecret)
   766  		exts.AddUint16(0) // empty extension_data
   767  	}
   768  	if len(m.alpnProtocol) > 0 {
   769  		exts.AddUint16(extensionALPN)
   770  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   771  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   772  				exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   773  					exts.AddBytes([]byte(m.alpnProtocol))
   774  				})
   775  			})
   776  		})
   777  	}
   778  	if len(m.scts) > 0 {
   779  		exts.AddUint16(extensionSCT)
   780  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   781  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   782  				for _, sct := range m.scts {
   783  					exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   784  						exts.AddBytes(sct)
   785  					})
   786  				}
   787  			})
   788  		})
   789  	}
   790  	if m.supportedVersion != 0 {
   791  		exts.AddUint16(extensionSupportedVersions)
   792  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   793  			exts.AddUint16(m.supportedVersion)
   794  		})
   795  	}
   796  	if m.serverShare.group != 0 {
   797  		exts.AddUint16(extensionKeyShare)
   798  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   799  			exts.AddUint16(uint16(m.serverShare.group))
   800  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   801  				exts.AddBytes(m.serverShare.data)
   802  			})
   803  		})
   804  	}
   805  	if m.selectedIdentityPresent {
   806  		exts.AddUint16(extensionPreSharedKey)
   807  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   808  			exts.AddUint16(m.selectedIdentity)
   809  		})
   810  	}
   811  
   812  	if len(m.cookie) > 0 {
   813  		exts.AddUint16(extensionCookie)
   814  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   815  			exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   816  				exts.AddBytes(m.cookie)
   817  			})
   818  		})
   819  	}
   820  	if m.selectedGroup != 0 {
   821  		exts.AddUint16(extensionKeyShare)
   822  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   823  			exts.AddUint16(uint16(m.selectedGroup))
   824  		})
   825  	}
   826  	if len(m.supportedPoints) > 0 {
   827  		exts.AddUint16(extensionSupportedPoints)
   828  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   829  			exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) {
   830  				exts.AddBytes(m.supportedPoints)
   831  			})
   832  		})
   833  	}
   834  	if len(m.encryptedClientHello) > 0 {
   835  		exts.AddUint16(extensionEncryptedClientHello)
   836  		exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) {
   837  			exts.AddBytes(m.encryptedClientHello)
   838  		})
   839  	}
   840  	if m.serverNameAck {
   841  		exts.AddUint16(extensionServerName)
   842  		exts.AddUint16(0)
   843  	}
   844  
   845  	extBytes, err := exts.Bytes()
   846  	if err != nil {
   847  		return nil, err
   848  	}
   849  
   850  	var b cryptobyte.Builder
   851  	b.AddUint8(typeServerHello)
   852  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
   853  		b.AddUint16(m.vers)
   854  		addBytesWithLength(b, m.random, 32)
   855  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
   856  			b.AddBytes(m.sessionId)
   857  		})
   858  		b.AddUint16(m.cipherSuite)
   859  		b.AddUint8(m.compressionMethod)
   860  
   861  		if len(extBytes) > 0 {
   862  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
   863  				b.AddBytes(extBytes)
   864  			})
   865  		}
   866  	})
   867  
   868  	return b.Bytes()
   869  }
   870  
   871  func (m *serverHelloMsg) unmarshal(data []byte) bool {
   872  	*m = serverHelloMsg{original: data}
   873  	s := cryptobyte.String(data)
   874  
   875  	if !s.Skip(4) || // message type and uint24 length field
   876  		!s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) ||
   877  		!readUint8LengthPrefixed(&s, &m.sessionId) ||
   878  		!s.ReadUint16(&m.cipherSuite) ||
   879  		!s.ReadUint8(&m.compressionMethod) {
   880  		return false
   881  	}
   882  
   883  	if s.Empty() {
   884  		// ServerHello is optionally followed by extension data
   885  		return true
   886  	}
   887  
   888  	var extensions cryptobyte.String
   889  	if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
   890  		return false
   891  	}
   892  
   893  	seenExts := make(map[uint16]bool)
   894  	for !extensions.Empty() {
   895  		var extension uint16
   896  		var extData cryptobyte.String
   897  		if !extensions.ReadUint16(&extension) ||
   898  			!extensions.ReadUint16LengthPrefixed(&extData) {
   899  			return false
   900  		}
   901  
   902  		if seenExts[extension] {
   903  			return false
   904  		}
   905  		seenExts[extension] = true
   906  
   907  		switch extension {
   908  		case extensionStatusRequest:
   909  			m.ocspStapling = true
   910  		case extensionSessionTicket:
   911  			m.ticketSupported = true
   912  		case extensionRenegotiationInfo:
   913  			if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) {
   914  				return false
   915  			}
   916  			m.secureRenegotiationSupported = true
   917  		case extensionExtendedMasterSecret:
   918  			m.extendedMasterSecret = true
   919  		case extensionALPN:
   920  			var protoList cryptobyte.String
   921  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
   922  				return false
   923  			}
   924  			var proto cryptobyte.String
   925  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
   926  				proto.Empty() || !protoList.Empty() {
   927  				return false
   928  			}
   929  			m.alpnProtocol = string(proto)
   930  		case extensionSCT:
   931  			var sctList cryptobyte.String
   932  			if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
   933  				return false
   934  			}
   935  			for !sctList.Empty() {
   936  				var sct []byte
   937  				if !readUint16LengthPrefixed(&sctList, &sct) ||
   938  					len(sct) == 0 {
   939  					return false
   940  				}
   941  				m.scts = append(m.scts, sct)
   942  			}
   943  		case extensionSupportedVersions:
   944  			if !extData.ReadUint16(&m.supportedVersion) {
   945  				return false
   946  			}
   947  		case extensionCookie:
   948  			if !readUint16LengthPrefixed(&extData, &m.cookie) ||
   949  				len(m.cookie) == 0 {
   950  				return false
   951  			}
   952  		case extensionKeyShare:
   953  			// This extension has different formats in SH and HRR, accept either
   954  			// and let the handshake logic decide. See RFC 8446, Section 4.2.8.
   955  			if len(extData) == 2 {
   956  				if !extData.ReadUint16((*uint16)(&m.selectedGroup)) {
   957  					return false
   958  				}
   959  			} else {
   960  				if !extData.ReadUint16((*uint16)(&m.serverShare.group)) ||
   961  					!readUint16LengthPrefixed(&extData, &m.serverShare.data) {
   962  					return false
   963  				}
   964  			}
   965  		case extensionPreSharedKey:
   966  			m.selectedIdentityPresent = true
   967  			if !extData.ReadUint16(&m.selectedIdentity) {
   968  				return false
   969  			}
   970  		case extensionSupportedPoints:
   971  			// RFC 4492, Section 5.1.2
   972  			if !readUint8LengthPrefixed(&extData, &m.supportedPoints) ||
   973  				len(m.supportedPoints) == 0 {
   974  				return false
   975  			}
   976  		case extensionEncryptedClientHello: // encrypted_client_hello
   977  			m.encryptedClientHello = make([]byte, len(extData))
   978  			if !extData.CopyBytes(m.encryptedClientHello) {
   979  				return false
   980  			}
   981  		case extensionServerName:
   982  			if len(extData) != 0 {
   983  				return false
   984  			}
   985  			m.serverNameAck = true
   986  		default:
   987  			// Ignore unknown extensions.
   988  			continue
   989  		}
   990  
   991  		if !extData.Empty() {
   992  			return false
   993  		}
   994  	}
   995  
   996  	return true
   997  }
   998  
   999  func (m *serverHelloMsg) originalBytes() []byte {
  1000  	return m.original
  1001  }
  1002  
  1003  type encryptedExtensionsMsg struct {
  1004  	alpnProtocol            string
  1005  	quicTransportParameters []byte
  1006  	earlyData               bool
  1007  	echRetryConfigs         []byte
  1008  }
  1009  
  1010  func (m *encryptedExtensionsMsg) marshal() ([]byte, error) {
  1011  	var b cryptobyte.Builder
  1012  	b.AddUint8(typeEncryptedExtensions)
  1013  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1014  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1015  			if len(m.alpnProtocol) > 0 {
  1016  				b.AddUint16(extensionALPN)
  1017  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1018  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1019  						b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
  1020  							b.AddBytes([]byte(m.alpnProtocol))
  1021  						})
  1022  					})
  1023  				})
  1024  			}
  1025  			if m.quicTransportParameters != nil { // marshal zero-length parameters when present
  1026  				// draft-ietf-quic-tls-32, Section 8.2
  1027  				b.AddUint16(extensionQUICTransportParameters)
  1028  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1029  					b.AddBytes(m.quicTransportParameters)
  1030  				})
  1031  			}
  1032  			if m.earlyData {
  1033  				// RFC 8446, Section 4.2.10
  1034  				b.AddUint16(extensionEarlyData)
  1035  				b.AddUint16(0) // empty extension_data
  1036  			}
  1037  			if len(m.echRetryConfigs) > 0 {
  1038  				b.AddUint16(extensionEncryptedClientHello)
  1039  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1040  					b.AddBytes(m.echRetryConfigs)
  1041  				})
  1042  			}
  1043  		})
  1044  	})
  1045  
  1046  	return b.Bytes()
  1047  }
  1048  
  1049  func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
  1050  	*m = encryptedExtensionsMsg{}
  1051  	s := cryptobyte.String(data)
  1052  
  1053  	var extensions cryptobyte.String
  1054  	if !s.Skip(4) || // message type and uint24 length field
  1055  		!s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() {
  1056  		return false
  1057  	}
  1058  
  1059  	for !extensions.Empty() {
  1060  		var extension uint16
  1061  		var extData cryptobyte.String
  1062  		if !extensions.ReadUint16(&extension) ||
  1063  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1064  			return false
  1065  		}
  1066  
  1067  		switch extension {
  1068  		case extensionALPN:
  1069  			var protoList cryptobyte.String
  1070  			if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() {
  1071  				return false
  1072  			}
  1073  			var proto cryptobyte.String
  1074  			if !protoList.ReadUint8LengthPrefixed(&proto) ||
  1075  				proto.Empty() || !protoList.Empty() {
  1076  				return false
  1077  			}
  1078  			m.alpnProtocol = string(proto)
  1079  		case extensionQUICTransportParameters:
  1080  			m.quicTransportParameters = make([]byte, len(extData))
  1081  			if !extData.CopyBytes(m.quicTransportParameters) {
  1082  				return false
  1083  			}
  1084  		case extensionEarlyData:
  1085  			// RFC 8446, Section 4.2.10
  1086  			m.earlyData = true
  1087  		case extensionEncryptedClientHello:
  1088  			m.echRetryConfigs = make([]byte, len(extData))
  1089  			if !extData.CopyBytes(m.echRetryConfigs) {
  1090  				return false
  1091  			}
  1092  		default:
  1093  			// Ignore unknown extensions.
  1094  			continue
  1095  		}
  1096  
  1097  		if !extData.Empty() {
  1098  			return false
  1099  		}
  1100  	}
  1101  
  1102  	return true
  1103  }
  1104  
  1105  type endOfEarlyDataMsg struct{}
  1106  
  1107  func (m *endOfEarlyDataMsg) marshal() ([]byte, error) {
  1108  	x := make([]byte, 4)
  1109  	x[0] = typeEndOfEarlyData
  1110  	return x, nil
  1111  }
  1112  
  1113  func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool {
  1114  	return len(data) == 4
  1115  }
  1116  
  1117  type keyUpdateMsg struct {
  1118  	updateRequested bool
  1119  }
  1120  
  1121  func (m *keyUpdateMsg) marshal() ([]byte, error) {
  1122  	var b cryptobyte.Builder
  1123  	b.AddUint8(typeKeyUpdate)
  1124  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1125  		if m.updateRequested {
  1126  			b.AddUint8(1)
  1127  		} else {
  1128  			b.AddUint8(0)
  1129  		}
  1130  	})
  1131  
  1132  	return b.Bytes()
  1133  }
  1134  
  1135  func (m *keyUpdateMsg) unmarshal(data []byte) bool {
  1136  	s := cryptobyte.String(data)
  1137  
  1138  	var updateRequested uint8
  1139  	if !s.Skip(4) || // message type and uint24 length field
  1140  		!s.ReadUint8(&updateRequested) || !s.Empty() {
  1141  		return false
  1142  	}
  1143  	switch updateRequested {
  1144  	case 0:
  1145  		m.updateRequested = false
  1146  	case 1:
  1147  		m.updateRequested = true
  1148  	default:
  1149  		return false
  1150  	}
  1151  	return true
  1152  }
  1153  
  1154  type newSessionTicketMsgTLS13 struct {
  1155  	lifetime     uint32
  1156  	ageAdd       uint32
  1157  	nonce        []byte
  1158  	label        []byte
  1159  	maxEarlyData uint32
  1160  }
  1161  
  1162  func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
  1163  	var b cryptobyte.Builder
  1164  	b.AddUint8(typeNewSessionTicket)
  1165  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1166  		b.AddUint32(m.lifetime)
  1167  		b.AddUint32(m.ageAdd)
  1168  		b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
  1169  			b.AddBytes(m.nonce)
  1170  		})
  1171  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1172  			b.AddBytes(m.label)
  1173  		})
  1174  
  1175  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1176  			if m.maxEarlyData > 0 {
  1177  				b.AddUint16(extensionEarlyData)
  1178  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1179  					b.AddUint32(m.maxEarlyData)
  1180  				})
  1181  			}
  1182  		})
  1183  	})
  1184  
  1185  	return b.Bytes()
  1186  }
  1187  
  1188  func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
  1189  	*m = newSessionTicketMsgTLS13{}
  1190  	s := cryptobyte.String(data)
  1191  
  1192  	var extensions cryptobyte.String
  1193  	if !s.Skip(4) || // message type and uint24 length field
  1194  		!s.ReadUint32(&m.lifetime) ||
  1195  		!s.ReadUint32(&m.ageAdd) ||
  1196  		!readUint8LengthPrefixed(&s, &m.nonce) ||
  1197  		!readUint16LengthPrefixed(&s, &m.label) ||
  1198  		!s.ReadUint16LengthPrefixed(&extensions) ||
  1199  		!s.Empty() {
  1200  		return false
  1201  	}
  1202  
  1203  	for !extensions.Empty() {
  1204  		var extension uint16
  1205  		var extData cryptobyte.String
  1206  		if !extensions.ReadUint16(&extension) ||
  1207  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1208  			return false
  1209  		}
  1210  
  1211  		switch extension {
  1212  		case extensionEarlyData:
  1213  			if !extData.ReadUint32(&m.maxEarlyData) {
  1214  				return false
  1215  			}
  1216  		default:
  1217  			// Ignore unknown extensions.
  1218  			continue
  1219  		}
  1220  
  1221  		if !extData.Empty() {
  1222  			return false
  1223  		}
  1224  	}
  1225  
  1226  	return true
  1227  }
  1228  
  1229  type certificateRequestMsgTLS13 struct {
  1230  	ocspStapling                     bool
  1231  	scts                             bool
  1232  	supportedSignatureAlgorithms     []SignatureScheme
  1233  	supportedSignatureAlgorithmsCert []SignatureScheme
  1234  	certificateAuthorities           [][]byte
  1235  }
  1236  
  1237  func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) {
  1238  	var b cryptobyte.Builder
  1239  	b.AddUint8(typeCertificateRequest)
  1240  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1241  		// certificate_request_context (SHALL be zero length unless used for
  1242  		// post-handshake authentication)
  1243  		b.AddUint8(0)
  1244  
  1245  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1246  			if m.ocspStapling {
  1247  				b.AddUint16(extensionStatusRequest)
  1248  				b.AddUint16(0) // empty extension_data
  1249  			}
  1250  			if m.scts {
  1251  				// RFC 8446, Section 4.4.2.1 makes no mention of
  1252  				// signed_certificate_timestamp in CertificateRequest, but
  1253  				// "Extensions in the Certificate message from the client MUST
  1254  				// correspond to extensions in the CertificateRequest message
  1255  				// from the server." and it appears in the table in Section 4.2.
  1256  				b.AddUint16(extensionSCT)
  1257  				b.AddUint16(0) // empty extension_data
  1258  			}
  1259  			if len(m.supportedSignatureAlgorithms) > 0 {
  1260  				b.AddUint16(extensionSignatureAlgorithms)
  1261  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1262  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1263  						for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1264  							b.AddUint16(uint16(sigAlgo))
  1265  						}
  1266  					})
  1267  				})
  1268  			}
  1269  			if len(m.supportedSignatureAlgorithmsCert) > 0 {
  1270  				b.AddUint16(extensionSignatureAlgorithmsCert)
  1271  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1272  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1273  						for _, sigAlgo := range m.supportedSignatureAlgorithmsCert {
  1274  							b.AddUint16(uint16(sigAlgo))
  1275  						}
  1276  					})
  1277  				})
  1278  			}
  1279  			if len(m.certificateAuthorities) > 0 {
  1280  				b.AddUint16(extensionCertificateAuthorities)
  1281  				b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1282  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1283  						for _, ca := range m.certificateAuthorities {
  1284  							b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1285  								b.AddBytes(ca)
  1286  							})
  1287  						}
  1288  					})
  1289  				})
  1290  			}
  1291  		})
  1292  	})
  1293  
  1294  	return b.Bytes()
  1295  }
  1296  
  1297  func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
  1298  	*m = certificateRequestMsgTLS13{}
  1299  	s := cryptobyte.String(data)
  1300  
  1301  	var context, extensions cryptobyte.String
  1302  	if !s.Skip(4) || // message type and uint24 length field
  1303  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1304  		!s.ReadUint16LengthPrefixed(&extensions) ||
  1305  		!s.Empty() {
  1306  		return false
  1307  	}
  1308  
  1309  	for !extensions.Empty() {
  1310  		var extension uint16
  1311  		var extData cryptobyte.String
  1312  		if !extensions.ReadUint16(&extension) ||
  1313  			!extensions.ReadUint16LengthPrefixed(&extData) {
  1314  			return false
  1315  		}
  1316  
  1317  		switch extension {
  1318  		case extensionStatusRequest:
  1319  			m.ocspStapling = true
  1320  		case extensionSCT:
  1321  			m.scts = true
  1322  		case extensionSignatureAlgorithms:
  1323  			var sigAndAlgs cryptobyte.String
  1324  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1325  				return false
  1326  			}
  1327  			for !sigAndAlgs.Empty() {
  1328  				var sigAndAlg uint16
  1329  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1330  					return false
  1331  				}
  1332  				m.supportedSignatureAlgorithms = append(
  1333  					m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg))
  1334  			}
  1335  		case extensionSignatureAlgorithmsCert:
  1336  			var sigAndAlgs cryptobyte.String
  1337  			if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() {
  1338  				return false
  1339  			}
  1340  			for !sigAndAlgs.Empty() {
  1341  				var sigAndAlg uint16
  1342  				if !sigAndAlgs.ReadUint16(&sigAndAlg) {
  1343  					return false
  1344  				}
  1345  				m.supportedSignatureAlgorithmsCert = append(
  1346  					m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg))
  1347  			}
  1348  		case extensionCertificateAuthorities:
  1349  			var auths cryptobyte.String
  1350  			if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() {
  1351  				return false
  1352  			}
  1353  			for !auths.Empty() {
  1354  				var ca []byte
  1355  				if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 {
  1356  					return false
  1357  				}
  1358  				m.certificateAuthorities = append(m.certificateAuthorities, ca)
  1359  			}
  1360  		default:
  1361  			// Ignore unknown extensions.
  1362  			continue
  1363  		}
  1364  
  1365  		if !extData.Empty() {
  1366  			return false
  1367  		}
  1368  	}
  1369  
  1370  	return true
  1371  }
  1372  
  1373  type certificateMsg struct {
  1374  	certificates [][]byte
  1375  }
  1376  
  1377  func (m *certificateMsg) marshal() ([]byte, error) {
  1378  	var i int
  1379  	for _, slice := range m.certificates {
  1380  		i += len(slice)
  1381  	}
  1382  
  1383  	length := 3 + 3*len(m.certificates) + i
  1384  	x := make([]byte, 4+length)
  1385  	x[0] = typeCertificate
  1386  	x[1] = uint8(length >> 16)
  1387  	x[2] = uint8(length >> 8)
  1388  	x[3] = uint8(length)
  1389  
  1390  	certificateOctets := length - 3
  1391  	x[4] = uint8(certificateOctets >> 16)
  1392  	x[5] = uint8(certificateOctets >> 8)
  1393  	x[6] = uint8(certificateOctets)
  1394  
  1395  	y := x[7:]
  1396  	for _, slice := range m.certificates {
  1397  		y[0] = uint8(len(slice) >> 16)
  1398  		y[1] = uint8(len(slice) >> 8)
  1399  		y[2] = uint8(len(slice))
  1400  		copy(y[3:], slice)
  1401  		y = y[3+len(slice):]
  1402  	}
  1403  
  1404  	return x, nil
  1405  }
  1406  
  1407  func (m *certificateMsg) unmarshal(data []byte) bool {
  1408  	if len(data) < 7 {
  1409  		return false
  1410  	}
  1411  
  1412  	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
  1413  	if uint32(len(data)) != certsLen+7 {
  1414  		return false
  1415  	}
  1416  
  1417  	numCerts := 0
  1418  	d := data[7:]
  1419  	for certsLen > 0 {
  1420  		if len(d) < 4 {
  1421  			return false
  1422  		}
  1423  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1424  		if uint32(len(d)) < 3+certLen {
  1425  			return false
  1426  		}
  1427  		d = d[3+certLen:]
  1428  		certsLen -= 3 + certLen
  1429  		numCerts++
  1430  	}
  1431  
  1432  	m.certificates = make([][]byte, numCerts)
  1433  	d = data[7:]
  1434  	for i := 0; i < numCerts; i++ {
  1435  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
  1436  		m.certificates[i] = d[3 : 3+certLen]
  1437  		d = d[3+certLen:]
  1438  	}
  1439  
  1440  	return true
  1441  }
  1442  
  1443  type certificateMsgTLS13 struct {
  1444  	certificate  Certificate
  1445  	ocspStapling bool
  1446  	scts         bool
  1447  }
  1448  
  1449  func (m *certificateMsgTLS13) marshal() ([]byte, error) {
  1450  	var b cryptobyte.Builder
  1451  	b.AddUint8(typeCertificate)
  1452  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1453  		b.AddUint8(0) // certificate_request_context
  1454  
  1455  		certificate := m.certificate
  1456  		if !m.ocspStapling {
  1457  			certificate.OCSPStaple = nil
  1458  		}
  1459  		if !m.scts {
  1460  			certificate.SignedCertificateTimestamps = nil
  1461  		}
  1462  		marshalCertificate(b, certificate)
  1463  	})
  1464  
  1465  	return b.Bytes()
  1466  }
  1467  
  1468  func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
  1469  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1470  		for i, cert := range certificate.Certificate {
  1471  			b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1472  				b.AddBytes(cert)
  1473  			})
  1474  			b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1475  				if i > 0 {
  1476  					// This library only supports OCSP and SCT for leaf certificates.
  1477  					return
  1478  				}
  1479  				if certificate.OCSPStaple != nil {
  1480  					b.AddUint16(extensionStatusRequest)
  1481  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1482  						b.AddUint8(statusTypeOCSP)
  1483  						b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1484  							b.AddBytes(certificate.OCSPStaple)
  1485  						})
  1486  					})
  1487  				}
  1488  				if certificate.SignedCertificateTimestamps != nil {
  1489  					b.AddUint16(extensionSCT)
  1490  					b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1491  						b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1492  							for _, sct := range certificate.SignedCertificateTimestamps {
  1493  								b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1494  									b.AddBytes(sct)
  1495  								})
  1496  							}
  1497  						})
  1498  					})
  1499  				}
  1500  			})
  1501  		}
  1502  	})
  1503  }
  1504  
  1505  func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
  1506  	*m = certificateMsgTLS13{}
  1507  	s := cryptobyte.String(data)
  1508  
  1509  	var context cryptobyte.String
  1510  	if !s.Skip(4) || // message type and uint24 length field
  1511  		!s.ReadUint8LengthPrefixed(&context) || !context.Empty() ||
  1512  		!unmarshalCertificate(&s, &m.certificate) ||
  1513  		!s.Empty() {
  1514  		return false
  1515  	}
  1516  
  1517  	m.scts = m.certificate.SignedCertificateTimestamps != nil
  1518  	m.ocspStapling = m.certificate.OCSPStaple != nil
  1519  
  1520  	return true
  1521  }
  1522  
  1523  func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool {
  1524  	var certList cryptobyte.String
  1525  	if !s.ReadUint24LengthPrefixed(&certList) {
  1526  		return false
  1527  	}
  1528  	for !certList.Empty() {
  1529  		var cert []byte
  1530  		var extensions cryptobyte.String
  1531  		if !readUint24LengthPrefixed(&certList, &cert) ||
  1532  			!certList.ReadUint16LengthPrefixed(&extensions) {
  1533  			return false
  1534  		}
  1535  		certificate.Certificate = append(certificate.Certificate, cert)
  1536  		for !extensions.Empty() {
  1537  			var extension uint16
  1538  			var extData cryptobyte.String
  1539  			if !extensions.ReadUint16(&extension) ||
  1540  				!extensions.ReadUint16LengthPrefixed(&extData) {
  1541  				return false
  1542  			}
  1543  			if len(certificate.Certificate) > 1 {
  1544  				// This library only supports OCSP and SCT for leaf certificates.
  1545  				continue
  1546  			}
  1547  
  1548  			switch extension {
  1549  			case extensionStatusRequest:
  1550  				var statusType uint8
  1551  				if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1552  					!readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) ||
  1553  					len(certificate.OCSPStaple) == 0 {
  1554  					return false
  1555  				}
  1556  			case extensionSCT:
  1557  				var sctList cryptobyte.String
  1558  				if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() {
  1559  					return false
  1560  				}
  1561  				for !sctList.Empty() {
  1562  					var sct []byte
  1563  					if !readUint16LengthPrefixed(&sctList, &sct) ||
  1564  						len(sct) == 0 {
  1565  						return false
  1566  					}
  1567  					certificate.SignedCertificateTimestamps = append(
  1568  						certificate.SignedCertificateTimestamps, sct)
  1569  				}
  1570  			default:
  1571  				// Ignore unknown extensions.
  1572  				continue
  1573  			}
  1574  
  1575  			if !extData.Empty() {
  1576  				return false
  1577  			}
  1578  		}
  1579  	}
  1580  	return true
  1581  }
  1582  
  1583  type serverKeyExchangeMsg struct {
  1584  	key []byte
  1585  }
  1586  
  1587  func (m *serverKeyExchangeMsg) marshal() ([]byte, error) {
  1588  	length := len(m.key)
  1589  	x := make([]byte, length+4)
  1590  	x[0] = typeServerKeyExchange
  1591  	x[1] = uint8(length >> 16)
  1592  	x[2] = uint8(length >> 8)
  1593  	x[3] = uint8(length)
  1594  	copy(x[4:], m.key)
  1595  
  1596  	return x, nil
  1597  }
  1598  
  1599  func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
  1600  	if len(data) < 4 {
  1601  		return false
  1602  	}
  1603  	m.key = data[4:]
  1604  	return true
  1605  }
  1606  
  1607  type certificateStatusMsg struct {
  1608  	response []byte
  1609  }
  1610  
  1611  func (m *certificateStatusMsg) marshal() ([]byte, error) {
  1612  	var b cryptobyte.Builder
  1613  	b.AddUint8(typeCertificateStatus)
  1614  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1615  		b.AddUint8(statusTypeOCSP)
  1616  		b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1617  			b.AddBytes(m.response)
  1618  		})
  1619  	})
  1620  
  1621  	return b.Bytes()
  1622  }
  1623  
  1624  func (m *certificateStatusMsg) unmarshal(data []byte) bool {
  1625  	s := cryptobyte.String(data)
  1626  
  1627  	var statusType uint8
  1628  	if !s.Skip(4) || // message type and uint24 length field
  1629  		!s.ReadUint8(&statusType) || statusType != statusTypeOCSP ||
  1630  		!readUint24LengthPrefixed(&s, &m.response) ||
  1631  		len(m.response) == 0 || !s.Empty() {
  1632  		return false
  1633  	}
  1634  	return true
  1635  }
  1636  
  1637  type serverHelloDoneMsg struct{}
  1638  
  1639  func (m *serverHelloDoneMsg) marshal() ([]byte, error) {
  1640  	x := make([]byte, 4)
  1641  	x[0] = typeServerHelloDone
  1642  	return x, nil
  1643  }
  1644  
  1645  func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
  1646  	return len(data) == 4
  1647  }
  1648  
  1649  type clientKeyExchangeMsg struct {
  1650  	ciphertext []byte
  1651  }
  1652  
  1653  func (m *clientKeyExchangeMsg) marshal() ([]byte, error) {
  1654  	length := len(m.ciphertext)
  1655  	x := make([]byte, length+4)
  1656  	x[0] = typeClientKeyExchange
  1657  	x[1] = uint8(length >> 16)
  1658  	x[2] = uint8(length >> 8)
  1659  	x[3] = uint8(length)
  1660  	copy(x[4:], m.ciphertext)
  1661  
  1662  	return x, nil
  1663  }
  1664  
  1665  func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
  1666  	if len(data) < 4 {
  1667  		return false
  1668  	}
  1669  	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
  1670  	if l != len(data)-4 {
  1671  		return false
  1672  	}
  1673  	m.ciphertext = data[4:]
  1674  	return true
  1675  }
  1676  
  1677  type finishedMsg struct {
  1678  	verifyData []byte
  1679  }
  1680  
  1681  func (m *finishedMsg) marshal() ([]byte, error) {
  1682  	var b cryptobyte.Builder
  1683  	b.AddUint8(typeFinished)
  1684  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1685  		b.AddBytes(m.verifyData)
  1686  	})
  1687  
  1688  	return b.Bytes()
  1689  }
  1690  
  1691  func (m *finishedMsg) unmarshal(data []byte) bool {
  1692  	s := cryptobyte.String(data)
  1693  	return s.Skip(1) &&
  1694  		readUint24LengthPrefixed(&s, &m.verifyData) &&
  1695  		s.Empty()
  1696  }
  1697  
  1698  type certificateRequestMsg struct {
  1699  	// hasSignatureAlgorithm indicates whether this message includes a list of
  1700  	// supported signature algorithms. This change was introduced with TLS 1.2.
  1701  	hasSignatureAlgorithm bool
  1702  
  1703  	certificateTypes             []byte
  1704  	supportedSignatureAlgorithms []SignatureScheme
  1705  	certificateAuthorities       [][]byte
  1706  }
  1707  
  1708  func (m *certificateRequestMsg) marshal() ([]byte, error) {
  1709  	// See RFC 4346, Section 7.4.4.
  1710  	length := 1 + len(m.certificateTypes) + 2
  1711  	casLength := 0
  1712  	for _, ca := range m.certificateAuthorities {
  1713  		casLength += 2 + len(ca)
  1714  	}
  1715  	length += casLength
  1716  
  1717  	if m.hasSignatureAlgorithm {
  1718  		length += 2 + 2*len(m.supportedSignatureAlgorithms)
  1719  	}
  1720  
  1721  	x := make([]byte, 4+length)
  1722  	x[0] = typeCertificateRequest
  1723  	x[1] = uint8(length >> 16)
  1724  	x[2] = uint8(length >> 8)
  1725  	x[3] = uint8(length)
  1726  
  1727  	x[4] = uint8(len(m.certificateTypes))
  1728  
  1729  	copy(x[5:], m.certificateTypes)
  1730  	y := x[5+len(m.certificateTypes):]
  1731  
  1732  	if m.hasSignatureAlgorithm {
  1733  		n := len(m.supportedSignatureAlgorithms) * 2
  1734  		y[0] = uint8(n >> 8)
  1735  		y[1] = uint8(n)
  1736  		y = y[2:]
  1737  		for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1738  			y[0] = uint8(sigAlgo >> 8)
  1739  			y[1] = uint8(sigAlgo)
  1740  			y = y[2:]
  1741  		}
  1742  	}
  1743  
  1744  	y[0] = uint8(casLength >> 8)
  1745  	y[1] = uint8(casLength)
  1746  	y = y[2:]
  1747  	for _, ca := range m.certificateAuthorities {
  1748  		y[0] = uint8(len(ca) >> 8)
  1749  		y[1] = uint8(len(ca))
  1750  		y = y[2:]
  1751  		copy(y, ca)
  1752  		y = y[len(ca):]
  1753  	}
  1754  
  1755  	return x, nil
  1756  }
  1757  
  1758  func (m *certificateRequestMsg) unmarshal(data []byte) bool {
  1759  	if len(data) < 5 {
  1760  		return false
  1761  	}
  1762  
  1763  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1764  	if uint32(len(data))-4 != length {
  1765  		return false
  1766  	}
  1767  
  1768  	numCertTypes := int(data[4])
  1769  	data = data[5:]
  1770  	if numCertTypes == 0 || len(data) <= numCertTypes {
  1771  		return false
  1772  	}
  1773  
  1774  	m.certificateTypes = make([]byte, numCertTypes)
  1775  	if copy(m.certificateTypes, data) != numCertTypes {
  1776  		return false
  1777  	}
  1778  
  1779  	data = data[numCertTypes:]
  1780  
  1781  	if m.hasSignatureAlgorithm {
  1782  		if len(data) < 2 {
  1783  			return false
  1784  		}
  1785  		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
  1786  		data = data[2:]
  1787  		if sigAndHashLen&1 != 0 {
  1788  			return false
  1789  		}
  1790  		if len(data) < int(sigAndHashLen) {
  1791  			return false
  1792  		}
  1793  		numSigAlgos := sigAndHashLen / 2
  1794  		m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
  1795  		for i := range m.supportedSignatureAlgorithms {
  1796  			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1797  			data = data[2:]
  1798  		}
  1799  	}
  1800  
  1801  	if len(data) < 2 {
  1802  		return false
  1803  	}
  1804  	casLength := uint16(data[0])<<8 | uint16(data[1])
  1805  	data = data[2:]
  1806  	if len(data) < int(casLength) {
  1807  		return false
  1808  	}
  1809  	cas := make([]byte, casLength)
  1810  	copy(cas, data)
  1811  	data = data[casLength:]
  1812  
  1813  	m.certificateAuthorities = nil
  1814  	for len(cas) > 0 {
  1815  		if len(cas) < 2 {
  1816  			return false
  1817  		}
  1818  		caLen := uint16(cas[0])<<8 | uint16(cas[1])
  1819  		cas = cas[2:]
  1820  
  1821  		if len(cas) < int(caLen) {
  1822  			return false
  1823  		}
  1824  
  1825  		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  1826  		cas = cas[caLen:]
  1827  	}
  1828  
  1829  	return len(data) == 0
  1830  }
  1831  
  1832  type certificateVerifyMsg struct {
  1833  	hasSignatureAlgorithm bool // format change introduced in TLS 1.2
  1834  	signatureAlgorithm    SignatureScheme
  1835  	signature             []byte
  1836  }
  1837  
  1838  func (m *certificateVerifyMsg) marshal() ([]byte, error) {
  1839  	var b cryptobyte.Builder
  1840  	b.AddUint8(typeCertificateVerify)
  1841  	b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
  1842  		if m.hasSignatureAlgorithm {
  1843  			b.AddUint16(uint16(m.signatureAlgorithm))
  1844  		}
  1845  		b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
  1846  			b.AddBytes(m.signature)
  1847  		})
  1848  	})
  1849  
  1850  	return b.Bytes()
  1851  }
  1852  
  1853  func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
  1854  	s := cryptobyte.String(data)
  1855  
  1856  	if !s.Skip(4) { // message type and uint24 length field
  1857  		return false
  1858  	}
  1859  	if m.hasSignatureAlgorithm {
  1860  		if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) {
  1861  			return false
  1862  		}
  1863  	}
  1864  	return readUint16LengthPrefixed(&s, &m.signature) && s.Empty()
  1865  }
  1866  
  1867  type newSessionTicketMsg struct {
  1868  	ticket []byte
  1869  }
  1870  
  1871  func (m *newSessionTicketMsg) marshal() ([]byte, error) {
  1872  	// See RFC 5077, Section 3.3.
  1873  	ticketLen := len(m.ticket)
  1874  	length := 2 + 4 + ticketLen
  1875  	x := make([]byte, 4+length)
  1876  	x[0] = typeNewSessionTicket
  1877  	x[1] = uint8(length >> 16)
  1878  	x[2] = uint8(length >> 8)
  1879  	x[3] = uint8(length)
  1880  	x[8] = uint8(ticketLen >> 8)
  1881  	x[9] = uint8(ticketLen)
  1882  	copy(x[10:], m.ticket)
  1883  
  1884  	return x, nil
  1885  }
  1886  
  1887  func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
  1888  	if len(data) < 10 {
  1889  		return false
  1890  	}
  1891  
  1892  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1893  	if uint32(len(data))-4 != length {
  1894  		return false
  1895  	}
  1896  
  1897  	ticketLen := int(data[8])<<8 + int(data[9])
  1898  	if len(data)-10 != ticketLen {
  1899  		return false
  1900  	}
  1901  
  1902  	m.ticket = data[10:]
  1903  
  1904  	return true
  1905  }
  1906  
  1907  type helloRequestMsg struct {
  1908  }
  1909  
  1910  func (*helloRequestMsg) marshal() ([]byte, error) {
  1911  	return []byte{typeHelloRequest, 0, 0, 0}, nil
  1912  }
  1913  
  1914  func (*helloRequestMsg) unmarshal(data []byte) bool {
  1915  	return len(data) == 4
  1916  }
  1917  
  1918  type transcriptHash interface {
  1919  	Write([]byte) (int, error)
  1920  }
  1921  
  1922  // transcriptMsg is a helper used to hash messages which are not hashed when
  1923  // they are read from, or written to, the wire. This is typically the case for
  1924  // messages which are either not sent, or need to be hashed out of order from
  1925  // when they are read/written.
  1926  //
  1927  // For most messages, the message is marshalled using their marshal method,
  1928  // since their wire representation is idempotent. For clientHelloMsg and
  1929  // serverHelloMsg, we store the original wire representation of the message and
  1930  // use that for hashing, since unmarshal/marshal are not idempotent due to
  1931  // extension ordering and other malleable fields, which may cause differences
  1932  // between what was received and what we marshal.
  1933  func transcriptMsg(msg handshakeMessage, h transcriptHash) error {
  1934  	if msgWithOrig, ok := msg.(handshakeMessageWithOriginalBytes); ok {
  1935  		if orig := msgWithOrig.originalBytes(); orig != nil {
  1936  			h.Write(msgWithOrig.originalBytes())
  1937  			return nil
  1938  		}
  1939  	}
  1940  
  1941  	data, err := msg.marshal()
  1942  	if err != nil {
  1943  		return err
  1944  	}
  1945  	h.Write(data)
  1946  	return nil
  1947  }
  1948  

View as plain text

go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.