Source file src/crypto/tls/handshake_messages.go
1
2
3
4
5 package tls
6
7 import "bytes"
8
9 type clientHelloMsg struct {
10 raw []byte
11 vers uint16
12 random []byte
13 sessionId []byte
14 cipherSuites []uint16
15 compressionMethods []uint8
16 nextProtoNeg bool
17 serverName string
18 ocspStapling bool
19 scts bool
20 supportedCurves []CurveID
21 supportedPoints []uint8
22 ticketSupported bool
23 sessionTicket []uint8
24 signatureAndHashes []signatureAndHash
25 secureRenegotiation []byte
26 secureRenegotiationSupported bool
27 alpnProtocols []string
28 }
29
30 func (m *clientHelloMsg) equal(i interface{}) bool {
31 m1, ok := i.(*clientHelloMsg)
32 if !ok {
33 return false
34 }
35
36 return bytes.Equal(m.raw, m1.raw) &&
37 m.vers == m1.vers &&
38 bytes.Equal(m.random, m1.random) &&
39 bytes.Equal(m.sessionId, m1.sessionId) &&
40 eqUint16s(m.cipherSuites, m1.cipherSuites) &&
41 bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
42 m.nextProtoNeg == m1.nextProtoNeg &&
43 m.serverName == m1.serverName &&
44 m.ocspStapling == m1.ocspStapling &&
45 m.scts == m1.scts &&
46 eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
47 bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
48 m.ticketSupported == m1.ticketSupported &&
49 bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
50 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) &&
51 m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
52 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
53 eqStrings(m.alpnProtocols, m1.alpnProtocols)
54 }
55
56 func (m *clientHelloMsg) marshal() []byte {
57 if m.raw != nil {
58 return m.raw
59 }
60
61 length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods)
62 numExtensions := 0
63 extensionsLength := 0
64 if m.nextProtoNeg {
65 numExtensions++
66 }
67 if m.ocspStapling {
68 extensionsLength += 1 + 2 + 2
69 numExtensions++
70 }
71 if len(m.serverName) > 0 {
72 extensionsLength += 5 + len(m.serverName)
73 numExtensions++
74 }
75 if len(m.supportedCurves) > 0 {
76 extensionsLength += 2 + 2*len(m.supportedCurves)
77 numExtensions++
78 }
79 if len(m.supportedPoints) > 0 {
80 extensionsLength += 1 + len(m.supportedPoints)
81 numExtensions++
82 }
83 if m.ticketSupported {
84 extensionsLength += len(m.sessionTicket)
85 numExtensions++
86 }
87 if len(m.signatureAndHashes) > 0 {
88 extensionsLength += 2 + 2*len(m.signatureAndHashes)
89 numExtensions++
90 }
91 if m.secureRenegotiationSupported {
92 extensionsLength += 1 + len(m.secureRenegotiation)
93 numExtensions++
94 }
95 if len(m.alpnProtocols) > 0 {
96 extensionsLength += 2
97 for _, s := range m.alpnProtocols {
98 if l := len(s); l == 0 || l > 255 {
99 panic("invalid ALPN protocol")
100 }
101 extensionsLength++
102 extensionsLength += len(s)
103 }
104 numExtensions++
105 }
106 if m.scts {
107 numExtensions++
108 }
109 if numExtensions > 0 {
110 extensionsLength += 4 * numExtensions
111 length += 2 + extensionsLength
112 }
113
114 x := make([]byte, 4+length)
115 x[0] = typeClientHello
116 x[1] = uint8(length >> 16)
117 x[2] = uint8(length >> 8)
118 x[3] = uint8(length)
119 x[4] = uint8(m.vers >> 8)
120 x[5] = uint8(m.vers)
121 copy(x[6:38], m.random)
122 x[38] = uint8(len(m.sessionId))
123 copy(x[39:39+len(m.sessionId)], m.sessionId)
124 y := x[39+len(m.sessionId):]
125 y[0] = uint8(len(m.cipherSuites) >> 7)
126 y[1] = uint8(len(m.cipherSuites) << 1)
127 for i, suite := range m.cipherSuites {
128 y[2+i*2] = uint8(suite >> 8)
129 y[3+i*2] = uint8(suite)
130 }
131 z := y[2+len(m.cipherSuites)*2:]
132 z[0] = uint8(len(m.compressionMethods))
133 copy(z[1:], m.compressionMethods)
134
135 z = z[1+len(m.compressionMethods):]
136 if numExtensions > 0 {
137 z[0] = byte(extensionsLength >> 8)
138 z[1] = byte(extensionsLength)
139 z = z[2:]
140 }
141 if m.nextProtoNeg {
142 z[0] = byte(extensionNextProtoNeg >> 8)
143 z[1] = byte(extensionNextProtoNeg & 0xff)
144
145 z = z[4:]
146 }
147 if len(m.serverName) > 0 {
148 z[0] = byte(extensionServerName >> 8)
149 z[1] = byte(extensionServerName & 0xff)
150 l := len(m.serverName) + 5
151 z[2] = byte(l >> 8)
152 z[3] = byte(l)
153 z = z[4:]
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174 z[0] = byte((len(m.serverName) + 3) >> 8)
175 z[1] = byte(len(m.serverName) + 3)
176 z[3] = byte(len(m.serverName) >> 8)
177 z[4] = byte(len(m.serverName))
178 copy(z[5:], []byte(m.serverName))
179 z = z[l:]
180 }
181 if m.ocspStapling {
182
183 z[0] = byte(extensionStatusRequest >> 8)
184 z[1] = byte(extensionStatusRequest)
185 z[2] = 0
186 z[3] = 5
187 z[4] = 1
188
189 z = z[9:]
190 }
191 if len(m.supportedCurves) > 0 {
192
193 z[0] = byte(extensionSupportedCurves >> 8)
194 z[1] = byte(extensionSupportedCurves)
195 l := 2 + 2*len(m.supportedCurves)
196 z[2] = byte(l >> 8)
197 z[3] = byte(l)
198 l -= 2
199 z[4] = byte(l >> 8)
200 z[5] = byte(l)
201 z = z[6:]
202 for _, curve := range m.supportedCurves {
203 z[0] = byte(curve >> 8)
204 z[1] = byte(curve)
205 z = z[2:]
206 }
207 }
208 if len(m.supportedPoints) > 0 {
209
210 z[0] = byte(extensionSupportedPoints >> 8)
211 z[1] = byte(extensionSupportedPoints)
212 l := 1 + len(m.supportedPoints)
213 z[2] = byte(l >> 8)
214 z[3] = byte(l)
215 l--
216 z[4] = byte(l)
217 z = z[5:]
218 for _, pointFormat := range m.supportedPoints {
219 z[0] = pointFormat
220 z = z[1:]
221 }
222 }
223 if m.ticketSupported {
224
225 z[0] = byte(extensionSessionTicket >> 8)
226 z[1] = byte(extensionSessionTicket)
227 l := len(m.sessionTicket)
228 z[2] = byte(l >> 8)
229 z[3] = byte(l)
230 z = z[4:]
231 copy(z, m.sessionTicket)
232 z = z[len(m.sessionTicket):]
233 }
234 if len(m.signatureAndHashes) > 0 {
235
236 z[0] = byte(extensionSignatureAlgorithms >> 8)
237 z[1] = byte(extensionSignatureAlgorithms)
238 l := 2 + 2*len(m.signatureAndHashes)
239 z[2] = byte(l >> 8)
240 z[3] = byte(l)
241 z = z[4:]
242
243 l -= 2
244 z[0] = byte(l >> 8)
245 z[1] = byte(l)
246 z = z[2:]
247 for _, sigAndHash := range m.signatureAndHashes {
248 z[0] = sigAndHash.hash
249 z[1] = sigAndHash.signature
250 z = z[2:]
251 }
252 }
253 if m.secureRenegotiationSupported {
254 z[0] = byte(extensionRenegotiationInfo >> 8)
255 z[1] = byte(extensionRenegotiationInfo & 0xff)
256 z[2] = 0
257 z[3] = byte(len(m.secureRenegotiation) + 1)
258 z[4] = byte(len(m.secureRenegotiation))
259 z = z[5:]
260 copy(z, m.secureRenegotiation)
261 z = z[len(m.secureRenegotiation):]
262 }
263 if len(m.alpnProtocols) > 0 {
264 z[0] = byte(extensionALPN >> 8)
265 z[1] = byte(extensionALPN & 0xff)
266 lengths := z[2:]
267 z = z[6:]
268
269 stringsLength := 0
270 for _, s := range m.alpnProtocols {
271 l := len(s)
272 z[0] = byte(l)
273 copy(z[1:], s)
274 z = z[1+l:]
275 stringsLength += 1 + l
276 }
277
278 lengths[2] = byte(stringsLength >> 8)
279 lengths[3] = byte(stringsLength)
280 stringsLength += 2
281 lengths[0] = byte(stringsLength >> 8)
282 lengths[1] = byte(stringsLength)
283 }
284 if m.scts {
285
286 z[0] = byte(extensionSCT >> 8)
287 z[1] = byte(extensionSCT)
288
289 z = z[4:]
290 }
291
292 m.raw = x
293
294 return x
295 }
296
297 func (m *clientHelloMsg) unmarshal(data []byte) bool {
298 if len(data) < 42 {
299 return false
300 }
301 m.raw = data
302 m.vers = uint16(data[4])<<8 | uint16(data[5])
303 m.random = data[6:38]
304 sessionIdLen := int(data[38])
305 if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
306 return false
307 }
308 m.sessionId = data[39 : 39+sessionIdLen]
309 data = data[39+sessionIdLen:]
310 if len(data) < 2 {
311 return false
312 }
313
314
315 cipherSuiteLen := int(data[0])<<8 | int(data[1])
316 if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
317 return false
318 }
319 numCipherSuites := cipherSuiteLen / 2
320 m.cipherSuites = make([]uint16, numCipherSuites)
321 for i := 0; i < numCipherSuites; i++ {
322 m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
323 if m.cipherSuites[i] == scsvRenegotiation {
324 m.secureRenegotiationSupported = true
325 }
326 }
327 data = data[2+cipherSuiteLen:]
328 if len(data) < 1 {
329 return false
330 }
331 compressionMethodsLen := int(data[0])
332 if len(data) < 1+compressionMethodsLen {
333 return false
334 }
335 m.compressionMethods = data[1 : 1+compressionMethodsLen]
336
337 data = data[1+compressionMethodsLen:]
338
339 m.nextProtoNeg = false
340 m.serverName = ""
341 m.ocspStapling = false
342 m.ticketSupported = false
343 m.sessionTicket = nil
344 m.signatureAndHashes = nil
345 m.alpnProtocols = nil
346 m.scts = false
347
348 if len(data) == 0 {
349
350 return true
351 }
352 if len(data) < 2 {
353 return false
354 }
355
356 extensionsLength := int(data[0])<<8 | int(data[1])
357 data = data[2:]
358 if extensionsLength != len(data) {
359 return false
360 }
361
362 for len(data) != 0 {
363 if len(data) < 4 {
364 return false
365 }
366 extension := uint16(data[0])<<8 | uint16(data[1])
367 length := int(data[2])<<8 | int(data[3])
368 data = data[4:]
369 if len(data) < length {
370 return false
371 }
372
373 switch extension {
374 case extensionServerName:
375 d := data[:length]
376 if len(d) < 2 {
377 return false
378 }
379 namesLen := int(d[0])<<8 | int(d[1])
380 d = d[2:]
381 if len(d) != namesLen {
382 return false
383 }
384 for len(d) > 0 {
385 if len(d) < 3 {
386 return false
387 }
388 nameType := d[0]
389 nameLen := int(d[1])<<8 | int(d[2])
390 d = d[3:]
391 if len(d) < nameLen {
392 return false
393 }
394 if nameType == 0 {
395 m.serverName = string(d[:nameLen])
396 break
397 }
398 d = d[nameLen:]
399 }
400 case extensionNextProtoNeg:
401 if length > 0 {
402 return false
403 }
404 m.nextProtoNeg = true
405 case extensionStatusRequest:
406 m.ocspStapling = length > 0 && data[0] == statusTypeOCSP
407 case extensionSupportedCurves:
408
409 if length < 2 {
410 return false
411 }
412 l := int(data[0])<<8 | int(data[1])
413 if l%2 == 1 || length != l+2 {
414 return false
415 }
416 numCurves := l / 2
417 m.supportedCurves = make([]CurveID, numCurves)
418 d := data[2:]
419 for i := 0; i < numCurves; i++ {
420 m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1])
421 d = d[2:]
422 }
423 case extensionSupportedPoints:
424
425 if length < 1 {
426 return false
427 }
428 l := int(data[0])
429 if length != l+1 {
430 return false
431 }
432 m.supportedPoints = make([]uint8, l)
433 copy(m.supportedPoints, data[1:])
434 case extensionSessionTicket:
435
436 m.ticketSupported = true
437 m.sessionTicket = data[:length]
438 case extensionSignatureAlgorithms:
439
440 if length < 2 || length&1 != 0 {
441 return false
442 }
443 l := int(data[0])<<8 | int(data[1])
444 if l != length-2 {
445 return false
446 }
447 n := l / 2
448 d := data[2:]
449 m.signatureAndHashes = make([]signatureAndHash, n)
450 for i := range m.signatureAndHashes {
451 m.signatureAndHashes[i].hash = d[0]
452 m.signatureAndHashes[i].signature = d[1]
453 d = d[2:]
454 }
455 case extensionRenegotiationInfo:
456 if length == 0 {
457 return false
458 }
459 d := data[:length]
460 l := int(d[0])
461 d = d[1:]
462 if l != len(d) {
463 return false
464 }
465
466 m.secureRenegotiation = d
467 m.secureRenegotiationSupported = true
468 case extensionALPN:
469 if length < 2 {
470 return false
471 }
472 l := int(data[0])<<8 | int(data[1])
473 if l != length-2 {
474 return false
475 }
476 d := data[2:length]
477 for len(d) != 0 {
478 stringLen := int(d[0])
479 d = d[1:]
480 if stringLen == 0 || stringLen > len(d) {
481 return false
482 }
483 m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen]))
484 d = d[stringLen:]
485 }
486 case extensionSCT:
487 m.scts = true
488 if length != 0 {
489 return false
490 }
491 }
492 data = data[length:]
493 }
494
495 return true
496 }
497
498 type serverHelloMsg struct {
499 raw []byte
500 vers uint16
501 random []byte
502 sessionId []byte
503 cipherSuite uint16
504 compressionMethod uint8
505 nextProtoNeg bool
506 nextProtos []string
507 ocspStapling bool
508 scts [][]byte
509 ticketSupported bool
510 secureRenegotiation []byte
511 secureRenegotiationSupported bool
512 alpnProtocol string
513 }
514
515 func (m *serverHelloMsg) equal(i interface{}) bool {
516 m1, ok := i.(*serverHelloMsg)
517 if !ok {
518 return false
519 }
520
521 if len(m.scts) != len(m1.scts) {
522 return false
523 }
524 for i, sct := range m.scts {
525 if !bytes.Equal(sct, m1.scts[i]) {
526 return false
527 }
528 }
529
530 return bytes.Equal(m.raw, m1.raw) &&
531 m.vers == m1.vers &&
532 bytes.Equal(m.random, m1.random) &&
533 bytes.Equal(m.sessionId, m1.sessionId) &&
534 m.cipherSuite == m1.cipherSuite &&
535 m.compressionMethod == m1.compressionMethod &&
536 m.nextProtoNeg == m1.nextProtoNeg &&
537 eqStrings(m.nextProtos, m1.nextProtos) &&
538 m.ocspStapling == m1.ocspStapling &&
539 m.ticketSupported == m1.ticketSupported &&
540 m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
541 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
542 m.alpnProtocol == m1.alpnProtocol
543 }
544
545 func (m *serverHelloMsg) marshal() []byte {
546 if m.raw != nil {
547 return m.raw
548 }
549
550 length := 38 + len(m.sessionId)
551 numExtensions := 0
552 extensionsLength := 0
553
554 nextProtoLen := 0
555 if m.nextProtoNeg {
556 numExtensions++
557 for _, v := range m.nextProtos {
558 nextProtoLen += len(v)
559 }
560 nextProtoLen += len(m.nextProtos)
561 extensionsLength += nextProtoLen
562 }
563 if m.ocspStapling {
564 numExtensions++
565 }
566 if m.ticketSupported {
567 numExtensions++
568 }
569 if m.secureRenegotiationSupported {
570 extensionsLength += 1 + len(m.secureRenegotiation)
571 numExtensions++
572 }
573 if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
574 if alpnLen >= 256 {
575 panic("invalid ALPN protocol")
576 }
577 extensionsLength += 2 + 1 + alpnLen
578 numExtensions++
579 }
580 sctLen := 0
581 if len(m.scts) > 0 {
582 for _, sct := range m.scts {
583 sctLen += len(sct) + 2
584 }
585 extensionsLength += 2 + sctLen
586 numExtensions++
587 }
588
589 if numExtensions > 0 {
590 extensionsLength += 4 * numExtensions
591 length += 2 + extensionsLength
592 }
593
594 x := make([]byte, 4+length)
595 x[0] = typeServerHello
596 x[1] = uint8(length >> 16)
597 x[2] = uint8(length >> 8)
598 x[3] = uint8(length)
599 x[4] = uint8(m.vers >> 8)
600 x[5] = uint8(m.vers)
601 copy(x[6:38], m.random)
602 x[38] = uint8(len(m.sessionId))
603 copy(x[39:39+len(m.sessionId)], m.sessionId)
604 z := x[39+len(m.sessionId):]
605 z[0] = uint8(m.cipherSuite >> 8)
606 z[1] = uint8(m.cipherSuite)
607 z[2] = m.compressionMethod
608
609 z = z[3:]
610 if numExtensions > 0 {
611 z[0] = byte(extensionsLength >> 8)
612 z[1] = byte(extensionsLength)
613 z = z[2:]
614 }
615 if m.nextProtoNeg {
616 z[0] = byte(extensionNextProtoNeg >> 8)
617 z[1] = byte(extensionNextProtoNeg & 0xff)
618 z[2] = byte(nextProtoLen >> 8)
619 z[3] = byte(nextProtoLen)
620 z = z[4:]
621
622 for _, v := range m.nextProtos {
623 l := len(v)
624 if l > 255 {
625 l = 255
626 }
627 z[0] = byte(l)
628 copy(z[1:], []byte(v[0:l]))
629 z = z[1+l:]
630 }
631 }
632 if m.ocspStapling {
633 z[0] = byte(extensionStatusRequest >> 8)
634 z[1] = byte(extensionStatusRequest)
635 z = z[4:]
636 }
637 if m.ticketSupported {
638 z[0] = byte(extensionSessionTicket >> 8)
639 z[1] = byte(extensionSessionTicket)
640 z = z[4:]
641 }
642 if m.secureRenegotiationSupported {
643 z[0] = byte(extensionRenegotiationInfo >> 8)
644 z[1] = byte(extensionRenegotiationInfo & 0xff)
645 z[2] = 0
646 z[3] = byte(len(m.secureRenegotiation) + 1)
647 z[4] = byte(len(m.secureRenegotiation))
648 z = z[5:]
649 copy(z, m.secureRenegotiation)
650 z = z[len(m.secureRenegotiation):]
651 }
652 if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
653 z[0] = byte(extensionALPN >> 8)
654 z[1] = byte(extensionALPN & 0xff)
655 l := 2 + 1 + alpnLen
656 z[2] = byte(l >> 8)
657 z[3] = byte(l)
658 l -= 2
659 z[4] = byte(l >> 8)
660 z[5] = byte(l)
661 l -= 1
662 z[6] = byte(l)
663 copy(z[7:], []byte(m.alpnProtocol))
664 z = z[7+alpnLen:]
665 }
666 if sctLen > 0 {
667 z[0] = byte(extensionSCT >> 8)
668 z[1] = byte(extensionSCT)
669 l := sctLen + 2
670 z[2] = byte(l >> 8)
671 z[3] = byte(l)
672 z[4] = byte(sctLen >> 8)
673 z[5] = byte(sctLen)
674
675 z = z[6:]
676 for _, sct := range m.scts {
677 z[0] = byte(len(sct) >> 8)
678 z[1] = byte(len(sct))
679 copy(z[2:], sct)
680 z = z[len(sct)+2:]
681 }
682 }
683
684 m.raw = x
685
686 return x
687 }
688
689 func (m *serverHelloMsg) unmarshal(data []byte) bool {
690 if len(data) < 42 {
691 return false
692 }
693 m.raw = data
694 m.vers = uint16(data[4])<<8 | uint16(data[5])
695 m.random = data[6:38]
696 sessionIdLen := int(data[38])
697 if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
698 return false
699 }
700 m.sessionId = data[39 : 39+sessionIdLen]
701 data = data[39+sessionIdLen:]
702 if len(data) < 3 {
703 return false
704 }
705 m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
706 m.compressionMethod = data[2]
707 data = data[3:]
708
709 m.nextProtoNeg = false
710 m.nextProtos = nil
711 m.ocspStapling = false
712 m.scts = nil
713 m.ticketSupported = false
714 m.alpnProtocol = ""
715
716 if len(data) == 0 {
717
718 return true
719 }
720 if len(data) < 2 {
721 return false
722 }
723
724 extensionsLength := int(data[0])<<8 | int(data[1])
725 data = data[2:]
726 if len(data) != extensionsLength {
727 return false
728 }
729
730 for len(data) != 0 {
731 if len(data) < 4 {
732 return false
733 }
734 extension := uint16(data[0])<<8 | uint16(data[1])
735 length := int(data[2])<<8 | int(data[3])
736 data = data[4:]
737 if len(data) < length {
738 return false
739 }
740
741 switch extension {
742 case extensionNextProtoNeg:
743 m.nextProtoNeg = true
744 d := data[:length]
745 for len(d) > 0 {
746 l := int(d[0])
747 d = d[1:]
748 if l == 0 || l > len(d) {
749 return false
750 }
751 m.nextProtos = append(m.nextProtos, string(d[:l]))
752 d = d[l:]
753 }
754 case extensionStatusRequest:
755 if length > 0 {
756 return false
757 }
758 m.ocspStapling = true
759 case extensionSessionTicket:
760 if length > 0 {
761 return false
762 }
763 m.ticketSupported = true
764 case extensionRenegotiationInfo:
765 if length == 0 {
766 return false
767 }
768 d := data[:length]
769 l := int(d[0])
770 d = d[1:]
771 if l != len(d) {
772 return false
773 }
774
775 m.secureRenegotiation = d
776 m.secureRenegotiationSupported = true
777 case extensionALPN:
778 d := data[:length]
779 if len(d) < 3 {
780 return false
781 }
782 l := int(d[0])<<8 | int(d[1])
783 if l != len(d)-2 {
784 return false
785 }
786 d = d[2:]
787 l = int(d[0])
788 if l != len(d)-1 {
789 return false
790 }
791 d = d[1:]
792 if len(d) == 0 {
793
794 return false
795 }
796 m.alpnProtocol = string(d)
797 case extensionSCT:
798 d := data[:length]
799
800 if len(d) < 2 {
801 return false
802 }
803 l := int(d[0])<<8 | int(d[1])
804 d = d[2:]
805 if len(d) != l {
806 return false
807 }
808 if l == 0 {
809 continue
810 }
811
812 m.scts = make([][]byte, 0, 3)
813 for len(d) != 0 {
814 if len(d) < 2 {
815 return false
816 }
817 sctLen := int(d[0])<<8 | int(d[1])
818 d = d[2:]
819 if len(d) < sctLen {
820 return false
821 }
822 m.scts = append(m.scts, d[:sctLen])
823 d = d[sctLen:]
824 }
825 }
826 data = data[length:]
827 }
828
829 return true
830 }
831
832 type certificateMsg struct {
833 raw []byte
834 certificates [][]byte
835 }
836
837 func (m *certificateMsg) equal(i interface{}) bool {
838 m1, ok := i.(*certificateMsg)
839 if !ok {
840 return false
841 }
842
843 return bytes.Equal(m.raw, m1.raw) &&
844 eqByteSlices(m.certificates, m1.certificates)
845 }
846
847 func (m *certificateMsg) marshal() (x []byte) {
848 if m.raw != nil {
849 return m.raw
850 }
851
852 var i int
853 for _, slice := range m.certificates {
854 i += len(slice)
855 }
856
857 length := 3 + 3*len(m.certificates) + i
858 x = make([]byte, 4+length)
859 x[0] = typeCertificate
860 x[1] = uint8(length >> 16)
861 x[2] = uint8(length >> 8)
862 x[3] = uint8(length)
863
864 certificateOctets := length - 3
865 x[4] = uint8(certificateOctets >> 16)
866 x[5] = uint8(certificateOctets >> 8)
867 x[6] = uint8(certificateOctets)
868
869 y := x[7:]
870 for _, slice := range m.certificates {
871 y[0] = uint8(len(slice) >> 16)
872 y[1] = uint8(len(slice) >> 8)
873 y[2] = uint8(len(slice))
874 copy(y[3:], slice)
875 y = y[3+len(slice):]
876 }
877
878 m.raw = x
879 return
880 }
881
882 func (m *certificateMsg) unmarshal(data []byte) bool {
883 if len(data) < 7 {
884 return false
885 }
886
887 m.raw = data
888 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
889 if uint32(len(data)) != certsLen+7 {
890 return false
891 }
892
893 numCerts := 0
894 d := data[7:]
895 for certsLen > 0 {
896 if len(d) < 4 {
897 return false
898 }
899 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
900 if uint32(len(d)) < 3+certLen {
901 return false
902 }
903 d = d[3+certLen:]
904 certsLen -= 3 + certLen
905 numCerts++
906 }
907
908 m.certificates = make([][]byte, numCerts)
909 d = data[7:]
910 for i := 0; i < numCerts; i++ {
911 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
912 m.certificates[i] = d[3 : 3+certLen]
913 d = d[3+certLen:]
914 }
915
916 return true
917 }
918
919 type serverKeyExchangeMsg struct {
920 raw []byte
921 key []byte
922 }
923
924 func (m *serverKeyExchangeMsg) equal(i interface{}) bool {
925 m1, ok := i.(*serverKeyExchangeMsg)
926 if !ok {
927 return false
928 }
929
930 return bytes.Equal(m.raw, m1.raw) &&
931 bytes.Equal(m.key, m1.key)
932 }
933
934 func (m *serverKeyExchangeMsg) marshal() []byte {
935 if m.raw != nil {
936 return m.raw
937 }
938 length := len(m.key)
939 x := make([]byte, length+4)
940 x[0] = typeServerKeyExchange
941 x[1] = uint8(length >> 16)
942 x[2] = uint8(length >> 8)
943 x[3] = uint8(length)
944 copy(x[4:], m.key)
945
946 m.raw = x
947 return x
948 }
949
950 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
951 m.raw = data
952 if len(data) < 4 {
953 return false
954 }
955 m.key = data[4:]
956 return true
957 }
958
959 type certificateStatusMsg struct {
960 raw []byte
961 statusType uint8
962 response []byte
963 }
964
965 func (m *certificateStatusMsg) equal(i interface{}) bool {
966 m1, ok := i.(*certificateStatusMsg)
967 if !ok {
968 return false
969 }
970
971 return bytes.Equal(m.raw, m1.raw) &&
972 m.statusType == m1.statusType &&
973 bytes.Equal(m.response, m1.response)
974 }
975
976 func (m *certificateStatusMsg) marshal() []byte {
977 if m.raw != nil {
978 return m.raw
979 }
980
981 var x []byte
982 if m.statusType == statusTypeOCSP {
983 x = make([]byte, 4+4+len(m.response))
984 x[0] = typeCertificateStatus
985 l := len(m.response) + 4
986 x[1] = byte(l >> 16)
987 x[2] = byte(l >> 8)
988 x[3] = byte(l)
989 x[4] = statusTypeOCSP
990
991 l -= 4
992 x[5] = byte(l >> 16)
993 x[6] = byte(l >> 8)
994 x[7] = byte(l)
995 copy(x[8:], m.response)
996 } else {
997 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
998 }
999
1000 m.raw = x
1001 return x
1002 }
1003
1004 func (m *certificateStatusMsg) unmarshal(data []byte) bool {
1005 m.raw = data
1006 if len(data) < 5 {
1007 return false
1008 }
1009 m.statusType = data[4]
1010
1011 m.response = nil
1012 if m.statusType == statusTypeOCSP {
1013 if len(data) < 8 {
1014 return false
1015 }
1016 respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
1017 if uint32(len(data)) != 4+4+respLen {
1018 return false
1019 }
1020 m.response = data[8:]
1021 }
1022 return true
1023 }
1024
1025 type serverHelloDoneMsg struct{}
1026
1027 func (m *serverHelloDoneMsg) equal(i interface{}) bool {
1028 _, ok := i.(*serverHelloDoneMsg)
1029 return ok
1030 }
1031
1032 func (m *serverHelloDoneMsg) marshal() []byte {
1033 x := make([]byte, 4)
1034 x[0] = typeServerHelloDone
1035 return x
1036 }
1037
1038 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
1039 return len(data) == 4
1040 }
1041
1042 type clientKeyExchangeMsg struct {
1043 raw []byte
1044 ciphertext []byte
1045 }
1046
1047 func (m *clientKeyExchangeMsg) equal(i interface{}) bool {
1048 m1, ok := i.(*clientKeyExchangeMsg)
1049 if !ok {
1050 return false
1051 }
1052
1053 return bytes.Equal(m.raw, m1.raw) &&
1054 bytes.Equal(m.ciphertext, m1.ciphertext)
1055 }
1056
1057 func (m *clientKeyExchangeMsg) marshal() []byte {
1058 if m.raw != nil {
1059 return m.raw
1060 }
1061 length := len(m.ciphertext)
1062 x := make([]byte, length+4)
1063 x[0] = typeClientKeyExchange
1064 x[1] = uint8(length >> 16)
1065 x[2] = uint8(length >> 8)
1066 x[3] = uint8(length)
1067 copy(x[4:], m.ciphertext)
1068
1069 m.raw = x
1070 return x
1071 }
1072
1073 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
1074 m.raw = data
1075 if len(data) < 4 {
1076 return false
1077 }
1078 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
1079 if l != len(data)-4 {
1080 return false
1081 }
1082 m.ciphertext = data[4:]
1083 return true
1084 }
1085
1086 type finishedMsg struct {
1087 raw []byte
1088 verifyData []byte
1089 }
1090
1091 func (m *finishedMsg) equal(i interface{}) bool {
1092 m1, ok := i.(*finishedMsg)
1093 if !ok {
1094 return false
1095 }
1096
1097 return bytes.Equal(m.raw, m1.raw) &&
1098 bytes.Equal(m.verifyData, m1.verifyData)
1099 }
1100
1101 func (m *finishedMsg) marshal() (x []byte) {
1102 if m.raw != nil {
1103 return m.raw
1104 }
1105
1106 x = make([]byte, 4+len(m.verifyData))
1107 x[0] = typeFinished
1108 x[3] = byte(len(m.verifyData))
1109 copy(x[4:], m.verifyData)
1110 m.raw = x
1111 return
1112 }
1113
1114 func (m *finishedMsg) unmarshal(data []byte) bool {
1115 m.raw = data
1116 if len(data) < 4 {
1117 return false
1118 }
1119 m.verifyData = data[4:]
1120 return true
1121 }
1122
1123 type nextProtoMsg struct {
1124 raw []byte
1125 proto string
1126 }
1127
1128 func (m *nextProtoMsg) equal(i interface{}) bool {
1129 m1, ok := i.(*nextProtoMsg)
1130 if !ok {
1131 return false
1132 }
1133
1134 return bytes.Equal(m.raw, m1.raw) &&
1135 m.proto == m1.proto
1136 }
1137
1138 func (m *nextProtoMsg) marshal() []byte {
1139 if m.raw != nil {
1140 return m.raw
1141 }
1142 l := len(m.proto)
1143 if l > 255 {
1144 l = 255
1145 }
1146
1147 padding := 32 - (l+2)%32
1148 length := l + padding + 2
1149 x := make([]byte, length+4)
1150 x[0] = typeNextProtocol
1151 x[1] = uint8(length >> 16)
1152 x[2] = uint8(length >> 8)
1153 x[3] = uint8(length)
1154
1155 y := x[4:]
1156 y[0] = byte(l)
1157 copy(y[1:], []byte(m.proto[0:l]))
1158 y = y[1+l:]
1159 y[0] = byte(padding)
1160
1161 m.raw = x
1162
1163 return x
1164 }
1165
1166 func (m *nextProtoMsg) unmarshal(data []byte) bool {
1167 m.raw = data
1168
1169 if len(data) < 5 {
1170 return false
1171 }
1172 data = data[4:]
1173 protoLen := int(data[0])
1174 data = data[1:]
1175 if len(data) < protoLen {
1176 return false
1177 }
1178 m.proto = string(data[0:protoLen])
1179 data = data[protoLen:]
1180
1181 if len(data) < 1 {
1182 return false
1183 }
1184 paddingLen := int(data[0])
1185 data = data[1:]
1186 if len(data) != paddingLen {
1187 return false
1188 }
1189
1190 return true
1191 }
1192
1193 type certificateRequestMsg struct {
1194 raw []byte
1195
1196
1197
1198 hasSignatureAndHash bool
1199
1200 certificateTypes []byte
1201 signatureAndHashes []signatureAndHash
1202 certificateAuthorities [][]byte
1203 }
1204
1205 func (m *certificateRequestMsg) equal(i interface{}) bool {
1206 m1, ok := i.(*certificateRequestMsg)
1207 if !ok {
1208 return false
1209 }
1210
1211 return bytes.Equal(m.raw, m1.raw) &&
1212 bytes.Equal(m.certificateTypes, m1.certificateTypes) &&
1213 eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
1214 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes)
1215 }
1216
1217 func (m *certificateRequestMsg) marshal() (x []byte) {
1218 if m.raw != nil {
1219 return m.raw
1220 }
1221
1222
1223 length := 1 + len(m.certificateTypes) + 2
1224 casLength := 0
1225 for _, ca := range m.certificateAuthorities {
1226 casLength += 2 + len(ca)
1227 }
1228 length += casLength
1229
1230 if m.hasSignatureAndHash {
1231 length += 2 + 2*len(m.signatureAndHashes)
1232 }
1233
1234 x = make([]byte, 4+length)
1235 x[0] = typeCertificateRequest
1236 x[1] = uint8(length >> 16)
1237 x[2] = uint8(length >> 8)
1238 x[3] = uint8(length)
1239
1240 x[4] = uint8(len(m.certificateTypes))
1241
1242 copy(x[5:], m.certificateTypes)
1243 y := x[5+len(m.certificateTypes):]
1244
1245 if m.hasSignatureAndHash {
1246 n := len(m.signatureAndHashes) * 2
1247 y[0] = uint8(n >> 8)
1248 y[1] = uint8(n)
1249 y = y[2:]
1250 for _, sigAndHash := range m.signatureAndHashes {
1251 y[0] = sigAndHash.hash
1252 y[1] = sigAndHash.signature
1253 y = y[2:]
1254 }
1255 }
1256
1257 y[0] = uint8(casLength >> 8)
1258 y[1] = uint8(casLength)
1259 y = y[2:]
1260 for _, ca := range m.certificateAuthorities {
1261 y[0] = uint8(len(ca) >> 8)
1262 y[1] = uint8(len(ca))
1263 y = y[2:]
1264 copy(y, ca)
1265 y = y[len(ca):]
1266 }
1267
1268 m.raw = x
1269 return
1270 }
1271
1272 func (m *certificateRequestMsg) unmarshal(data []byte) bool {
1273 m.raw = data
1274
1275 if len(data) < 5 {
1276 return false
1277 }
1278
1279 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1280 if uint32(len(data))-4 != length {
1281 return false
1282 }
1283
1284 numCertTypes := int(data[4])
1285 data = data[5:]
1286 if numCertTypes == 0 || len(data) <= numCertTypes {
1287 return false
1288 }
1289
1290 m.certificateTypes = make([]byte, numCertTypes)
1291 if copy(m.certificateTypes, data) != numCertTypes {
1292 return false
1293 }
1294
1295 data = data[numCertTypes:]
1296
1297 if m.hasSignatureAndHash {
1298 if len(data) < 2 {
1299 return false
1300 }
1301 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
1302 data = data[2:]
1303 if sigAndHashLen&1 != 0 {
1304 return false
1305 }
1306 if len(data) < int(sigAndHashLen) {
1307 return false
1308 }
1309 numSigAndHash := sigAndHashLen / 2
1310 m.signatureAndHashes = make([]signatureAndHash, numSigAndHash)
1311 for i := range m.signatureAndHashes {
1312 m.signatureAndHashes[i].hash = data[0]
1313 m.signatureAndHashes[i].signature = data[1]
1314 data = data[2:]
1315 }
1316 }
1317
1318 if len(data) < 2 {
1319 return false
1320 }
1321 casLength := uint16(data[0])<<8 | uint16(data[1])
1322 data = data[2:]
1323 if len(data) < int(casLength) {
1324 return false
1325 }
1326 cas := make([]byte, casLength)
1327 copy(cas, data)
1328 data = data[casLength:]
1329
1330 m.certificateAuthorities = nil
1331 for len(cas) > 0 {
1332 if len(cas) < 2 {
1333 return false
1334 }
1335 caLen := uint16(cas[0])<<8 | uint16(cas[1])
1336 cas = cas[2:]
1337
1338 if len(cas) < int(caLen) {
1339 return false
1340 }
1341
1342 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
1343 cas = cas[caLen:]
1344 }
1345
1346 return len(data) == 0
1347 }
1348
1349 type certificateVerifyMsg struct {
1350 raw []byte
1351 hasSignatureAndHash bool
1352 signatureAndHash signatureAndHash
1353 signature []byte
1354 }
1355
1356 func (m *certificateVerifyMsg) equal(i interface{}) bool {
1357 m1, ok := i.(*certificateVerifyMsg)
1358 if !ok {
1359 return false
1360 }
1361
1362 return bytes.Equal(m.raw, m1.raw) &&
1363 m.hasSignatureAndHash == m1.hasSignatureAndHash &&
1364 m.signatureAndHash.hash == m1.signatureAndHash.hash &&
1365 m.signatureAndHash.signature == m1.signatureAndHash.signature &&
1366 bytes.Equal(m.signature, m1.signature)
1367 }
1368
1369 func (m *certificateVerifyMsg) marshal() (x []byte) {
1370 if m.raw != nil {
1371 return m.raw
1372 }
1373
1374
1375 siglength := len(m.signature)
1376 length := 2 + siglength
1377 if m.hasSignatureAndHash {
1378 length += 2
1379 }
1380 x = make([]byte, 4+length)
1381 x[0] = typeCertificateVerify
1382 x[1] = uint8(length >> 16)
1383 x[2] = uint8(length >> 8)
1384 x[3] = uint8(length)
1385 y := x[4:]
1386 if m.hasSignatureAndHash {
1387 y[0] = m.signatureAndHash.hash
1388 y[1] = m.signatureAndHash.signature
1389 y = y[2:]
1390 }
1391 y[0] = uint8(siglength >> 8)
1392 y[1] = uint8(siglength)
1393 copy(y[2:], m.signature)
1394
1395 m.raw = x
1396
1397 return
1398 }
1399
1400 func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
1401 m.raw = data
1402
1403 if len(data) < 6 {
1404 return false
1405 }
1406
1407 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1408 if uint32(len(data))-4 != length {
1409 return false
1410 }
1411
1412 data = data[4:]
1413 if m.hasSignatureAndHash {
1414 m.signatureAndHash.hash = data[0]
1415 m.signatureAndHash.signature = data[1]
1416 data = data[2:]
1417 }
1418
1419 if len(data) < 2 {
1420 return false
1421 }
1422 siglength := int(data[0])<<8 + int(data[1])
1423 data = data[2:]
1424 if len(data) != siglength {
1425 return false
1426 }
1427
1428 m.signature = data
1429
1430 return true
1431 }
1432
1433 type newSessionTicketMsg struct {
1434 raw []byte
1435 ticket []byte
1436 }
1437
1438 func (m *newSessionTicketMsg) equal(i interface{}) bool {
1439 m1, ok := i.(*newSessionTicketMsg)
1440 if !ok {
1441 return false
1442 }
1443
1444 return bytes.Equal(m.raw, m1.raw) &&
1445 bytes.Equal(m.ticket, m1.ticket)
1446 }
1447
1448 func (m *newSessionTicketMsg) marshal() (x []byte) {
1449 if m.raw != nil {
1450 return m.raw
1451 }
1452
1453
1454 ticketLen := len(m.ticket)
1455 length := 2 + 4 + ticketLen
1456 x = make([]byte, 4+length)
1457 x[0] = typeNewSessionTicket
1458 x[1] = uint8(length >> 16)
1459 x[2] = uint8(length >> 8)
1460 x[3] = uint8(length)
1461 x[8] = uint8(ticketLen >> 8)
1462 x[9] = uint8(ticketLen)
1463 copy(x[10:], m.ticket)
1464
1465 m.raw = x
1466
1467 return
1468 }
1469
1470 func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
1471 m.raw = data
1472
1473 if len(data) < 10 {
1474 return false
1475 }
1476
1477 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
1478 if uint32(len(data))-4 != length {
1479 return false
1480 }
1481
1482 ticketLen := int(data[8])<<8 + int(data[9])
1483 if len(data)-10 != ticketLen {
1484 return false
1485 }
1486
1487 m.ticket = data[10:]
1488
1489 return true
1490 }
1491
1492 type helloRequestMsg struct {
1493 }
1494
1495 func (*helloRequestMsg) marshal() []byte {
1496 return []byte{typeHelloRequest, 0, 0, 0}
1497 }
1498
1499 func (*helloRequestMsg) unmarshal(data []byte) bool {
1500 return len(data) == 4
1501 }
1502
1503 func eqUint16s(x, y []uint16) bool {
1504 if len(x) != len(y) {
1505 return false
1506 }
1507 for i, v := range x {
1508 if y[i] != v {
1509 return false
1510 }
1511 }
1512 return true
1513 }
1514
1515 func eqCurveIDs(x, y []CurveID) bool {
1516 if len(x) != len(y) {
1517 return false
1518 }
1519 for i, v := range x {
1520 if y[i] != v {
1521 return false
1522 }
1523 }
1524 return true
1525 }
1526
1527 func eqStrings(x, y []string) bool {
1528 if len(x) != len(y) {
1529 return false
1530 }
1531 for i, v := range x {
1532 if y[i] != v {
1533 return false
1534 }
1535 }
1536 return true
1537 }
1538
1539 func eqByteSlices(x, y [][]byte) bool {
1540 if len(x) != len(y) {
1541 return false
1542 }
1543 for i, v := range x {
1544 if !bytes.Equal(v, y[i]) {
1545 return false
1546 }
1547 }
1548 return true
1549 }
1550
1551 func eqSignatureAndHashes(x, y []signatureAndHash) bool {
1552 if len(x) != len(y) {
1553 return false
1554 }
1555 for i, v := range x {
1556 v2 := y[i]
1557 if v.hash != v2.hash || v.signature != v2.signature {
1558 return false
1559 }
1560 }
1561 return true
1562 }
1563
View as plain text