1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import "bytes" 8 9 type clientHelloMsg struct { 10 raw []byte 11 vers uint16 12 random []byte 13 sessionId []byte 14 cipherSuites []uint16 15 compressionMethods []uint8 16 nextProtoNeg bool 17 serverName string 18 ocspStapling bool 19 scts bool 20 supportedCurves []CurveID 21 supportedPoints []uint8 22 ticketSupported bool 23 sessionTicket []uint8 24 signatureAndHashes []signatureAndHash 25 secureRenegotiation []byte 26 secureRenegotiationSupported bool 27 alpnProtocols []string 28 } 29 30 func (m *clientHelloMsg) equal(i interface{}) bool { 31 m1, ok := i.(*clientHelloMsg) 32 if !ok { 33 return false 34 } 35 36 return bytes.Equal(m.raw, m1.raw) && 37 m.vers == m1.vers && 38 bytes.Equal(m.random, m1.random) && 39 bytes.Equal(m.sessionId, m1.sessionId) && 40 eqUint16s(m.cipherSuites, m1.cipherSuites) && 41 bytes.Equal(m.compressionMethods, m1.compressionMethods) && 42 m.nextProtoNeg == m1.nextProtoNeg && 43 m.serverName == m1.serverName && 44 m.ocspStapling == m1.ocspStapling && 45 m.scts == m1.scts && 46 eqCurveIDs(m.supportedCurves, m1.supportedCurves) && 47 bytes.Equal(m.supportedPoints, m1.supportedPoints) && 48 m.ticketSupported == m1.ticketSupported && 49 bytes.Equal(m.sessionTicket, m1.sessionTicket) && 50 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) && 51 m.secureRenegotiationSupported == m1.secureRenegotiationSupported && 52 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 53 eqStrings(m.alpnProtocols, m1.alpnProtocols) 54 } 55 56 func (m *clientHelloMsg) marshal() []byte { 57 if m.raw != nil { 58 return m.raw 59 } 60 61 length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods) 62 numExtensions := 0 63 extensionsLength := 0 64 if m.nextProtoNeg { 65 numExtensions++ 66 } 67 if m.ocspStapling { 68 extensionsLength += 1 + 2 + 2 69 numExtensions++ 70 } 71 if len(m.serverName) > 0 { 72 extensionsLength += 5 + len(m.serverName) 73 numExtensions++ 74 } 75 if len(m.supportedCurves) > 0 { 76 extensionsLength += 2 + 2*len(m.supportedCurves) 77 numExtensions++ 78 } 79 if len(m.supportedPoints) > 0 { 80 extensionsLength += 1 + len(m.supportedPoints) 81 numExtensions++ 82 } 83 if m.ticketSupported { 84 extensionsLength += len(m.sessionTicket) 85 numExtensions++ 86 } 87 if len(m.signatureAndHashes) > 0 { 88 extensionsLength += 2 + 2*len(m.signatureAndHashes) 89 numExtensions++ 90 } 91 if m.secureRenegotiationSupported { 92 extensionsLength += 1 + len(m.secureRenegotiation) 93 numExtensions++ 94 } 95 if len(m.alpnProtocols) > 0 { 96 extensionsLength += 2 97 for _, s := range m.alpnProtocols { 98 if l := len(s); l == 0 || l > 255 { 99 panic("invalid ALPN protocol") 100 } 101 extensionsLength++ 102 extensionsLength += len(s) 103 } 104 numExtensions++ 105 } 106 if m.scts { 107 numExtensions++ 108 } 109 if numExtensions > 0 { 110 extensionsLength += 4 * numExtensions 111 length += 2 + extensionsLength 112 } 113 114 x := make([]byte, 4+length) 115 x[0] = typeClientHello 116 x[1] = uint8(length >> 16) 117 x[2] = uint8(length >> 8) 118 x[3] = uint8(length) 119 x[4] = uint8(m.vers >> 8) 120 x[5] = uint8(m.vers) 121 copy(x[6:38], m.random) 122 x[38] = uint8(len(m.sessionId)) 123 copy(x[39:39+len(m.sessionId)], m.sessionId) 124 y := x[39+len(m.sessionId):] 125 y[0] = uint8(len(m.cipherSuites) >> 7) 126 y[1] = uint8(len(m.cipherSuites) << 1) 127 for i, suite := range m.cipherSuites { 128 y[2+i*2] = uint8(suite >> 8) 129 y[3+i*2] = uint8(suite) 130 } 131 z := y[2+len(m.cipherSuites)*2:] 132 z[0] = uint8(len(m.compressionMethods)) 133 copy(z[1:], m.compressionMethods) 134 135 z = z[1+len(m.compressionMethods):] 136 if numExtensions > 0 { 137 z[0] = byte(extensionsLength >> 8) 138 z[1] = byte(extensionsLength) 139 z = z[2:] 140 } 141 if m.nextProtoNeg { 142 z[0] = byte(extensionNextProtoNeg >> 8) 143 z[1] = byte(extensionNextProtoNeg & 0xff) 144 // The length is always 0 145 z = z[4:] 146 } 147 if len(m.serverName) > 0 { 148 z[0] = byte(extensionServerName >> 8) 149 z[1] = byte(extensionServerName & 0xff) 150 l := len(m.serverName) + 5 151 z[2] = byte(l >> 8) 152 z[3] = byte(l) 153 z = z[4:] 154 155 // RFC 3546, section 3.1 156 // 157 // struct { 158 // NameType name_type; 159 // select (name_type) { 160 // case host_name: HostName; 161 // } name; 162 // } ServerName; 163 // 164 // enum { 165 // host_name(0), (255) 166 // } NameType; 167 // 168 // opaque HostName<1..2^16-1>; 169 // 170 // struct { 171 // ServerName server_name_list<1..2^16-1> 172 // } ServerNameList; 173 174 z[0] = byte((len(m.serverName) + 3) >> 8) 175 z[1] = byte(len(m.serverName) + 3) 176 z[3] = byte(len(m.serverName) >> 8) 177 z[4] = byte(len(m.serverName)) 178 copy(z[5:], []byte(m.serverName)) 179 z = z[l:] 180 } 181 if m.ocspStapling { 182 // RFC 4366, section 3.6 183 z[0] = byte(extensionStatusRequest >> 8) 184 z[1] = byte(extensionStatusRequest) 185 z[2] = 0 186 z[3] = 5 187 z[4] = 1 // OCSP type 188 // Two zero valued uint16s for the two lengths. 189 z = z[9:] 190 } 191 if len(m.supportedCurves) > 0 { 192 // http://tools.ietf.org/html/rfc4492#section-5.5.1 193 z[0] = byte(extensionSupportedCurves >> 8) 194 z[1] = byte(extensionSupportedCurves) 195 l := 2 + 2*len(m.supportedCurves) 196 z[2] = byte(l >> 8) 197 z[3] = byte(l) 198 l -= 2 199 z[4] = byte(l >> 8) 200 z[5] = byte(l) 201 z = z[6:] 202 for _, curve := range m.supportedCurves { 203 z[0] = byte(curve >> 8) 204 z[1] = byte(curve) 205 z = z[2:] 206 } 207 } 208 if len(m.supportedPoints) > 0 { 209 // http://tools.ietf.org/html/rfc4492#section-5.5.2 210 z[0] = byte(extensionSupportedPoints >> 8) 211 z[1] = byte(extensionSupportedPoints) 212 l := 1 + len(m.supportedPoints) 213 z[2] = byte(l >> 8) 214 z[3] = byte(l) 215 l-- 216 z[4] = byte(l) 217 z = z[5:] 218 for _, pointFormat := range m.supportedPoints { 219 z[0] = pointFormat 220 z = z[1:] 221 } 222 } 223 if m.ticketSupported { 224 // http://tools.ietf.org/html/rfc5077#section-3.2 225 z[0] = byte(extensionSessionTicket >> 8) 226 z[1] = byte(extensionSessionTicket) 227 l := len(m.sessionTicket) 228 z[2] = byte(l >> 8) 229 z[3] = byte(l) 230 z = z[4:] 231 copy(z, m.sessionTicket) 232 z = z[len(m.sessionTicket):] 233 } 234 if len(m.signatureAndHashes) > 0 { 235 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 236 z[0] = byte(extensionSignatureAlgorithms >> 8) 237 z[1] = byte(extensionSignatureAlgorithms) 238 l := 2 + 2*len(m.signatureAndHashes) 239 z[2] = byte(l >> 8) 240 z[3] = byte(l) 241 z = z[4:] 242 243 l -= 2 244 z[0] = byte(l >> 8) 245 z[1] = byte(l) 246 z = z[2:] 247 for _, sigAndHash := range m.signatureAndHashes { 248 z[0] = sigAndHash.hash 249 z[1] = sigAndHash.signature 250 z = z[2:] 251 } 252 } 253 if m.secureRenegotiationSupported { 254 z[0] = byte(extensionRenegotiationInfo >> 8) 255 z[1] = byte(extensionRenegotiationInfo & 0xff) 256 z[2] = 0 257 z[3] = byte(len(m.secureRenegotiation) + 1) 258 z[4] = byte(len(m.secureRenegotiation)) 259 z = z[5:] 260 copy(z, m.secureRenegotiation) 261 z = z[len(m.secureRenegotiation):] 262 } 263 if len(m.alpnProtocols) > 0 { 264 z[0] = byte(extensionALPN >> 8) 265 z[1] = byte(extensionALPN & 0xff) 266 lengths := z[2:] 267 z = z[6:] 268 269 stringsLength := 0 270 for _, s := range m.alpnProtocols { 271 l := len(s) 272 z[0] = byte(l) 273 copy(z[1:], s) 274 z = z[1+l:] 275 stringsLength += 1 + l 276 } 277 278 lengths[2] = byte(stringsLength >> 8) 279 lengths[3] = byte(stringsLength) 280 stringsLength += 2 281 lengths[0] = byte(stringsLength >> 8) 282 lengths[1] = byte(stringsLength) 283 } 284 if m.scts { 285 // https://tools.ietf.org/html/rfc6962#section-3.3.1 286 z[0] = byte(extensionSCT >> 8) 287 z[1] = byte(extensionSCT) 288 // zero uint16 for the zero-length extension_data 289 z = z[4:] 290 } 291 292 m.raw = x 293 294 return x 295 } 296 297 func (m *clientHelloMsg) unmarshal(data []byte) bool { 298 if len(data) < 42 { 299 return false 300 } 301 m.raw = data 302 m.vers = uint16(data[4])<<8 | uint16(data[5]) 303 m.random = data[6:38] 304 sessionIdLen := int(data[38]) 305 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 306 return false 307 } 308 m.sessionId = data[39 : 39+sessionIdLen] 309 data = data[39+sessionIdLen:] 310 if len(data) < 2 { 311 return false 312 } 313 // cipherSuiteLen is the number of bytes of cipher suite numbers. Since 314 // they are uint16s, the number must be even. 315 cipherSuiteLen := int(data[0])<<8 | int(data[1]) 316 if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen { 317 return false 318 } 319 numCipherSuites := cipherSuiteLen / 2 320 m.cipherSuites = make([]uint16, numCipherSuites) 321 for i := 0; i < numCipherSuites; i++ { 322 m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i]) 323 if m.cipherSuites[i] == scsvRenegotiation { 324 m.secureRenegotiationSupported = true 325 } 326 } 327 data = data[2+cipherSuiteLen:] 328 if len(data) < 1 { 329 return false 330 } 331 compressionMethodsLen := int(data[0]) 332 if len(data) < 1+compressionMethodsLen { 333 return false 334 } 335 m.compressionMethods = data[1 : 1+compressionMethodsLen] 336 337 data = data[1+compressionMethodsLen:] 338 339 m.nextProtoNeg = false 340 m.serverName = "" 341 m.ocspStapling = false 342 m.ticketSupported = false 343 m.sessionTicket = nil 344 m.signatureAndHashes = nil 345 m.alpnProtocols = nil 346 m.scts = false 347 348 if len(data) == 0 { 349 // ClientHello is optionally followed by extension data 350 return true 351 } 352 if len(data) < 2 { 353 return false 354 } 355 356 extensionsLength := int(data[0])<<8 | int(data[1]) 357 data = data[2:] 358 if extensionsLength != len(data) { 359 return false 360 } 361 362 for len(data) != 0 { 363 if len(data) < 4 { 364 return false 365 } 366 extension := uint16(data[0])<<8 | uint16(data[1]) 367 length := int(data[2])<<8 | int(data[3]) 368 data = data[4:] 369 if len(data) < length { 370 return false 371 } 372 373 switch extension { 374 case extensionServerName: 375 d := data[:length] 376 if len(d) < 2 { 377 return false 378 } 379 namesLen := int(d[0])<<8 | int(d[1]) 380 d = d[2:] 381 if len(d) != namesLen { 382 return false 383 } 384 for len(d) > 0 { 385 if len(d) < 3 { 386 return false 387 } 388 nameType := d[0] 389 nameLen := int(d[1])<<8 | int(d[2]) 390 d = d[3:] 391 if len(d) < nameLen { 392 return false 393 } 394 if nameType == 0 { 395 m.serverName = string(d[:nameLen]) 396 break 397 } 398 d = d[nameLen:] 399 } 400 case extensionNextProtoNeg: 401 if length > 0 { 402 return false 403 } 404 m.nextProtoNeg = true 405 case extensionStatusRequest: 406 m.ocspStapling = length > 0 && data[0] == statusTypeOCSP 407 case extensionSupportedCurves: 408 // http://tools.ietf.org/html/rfc4492#section-5.5.1 409 if length < 2 { 410 return false 411 } 412 l := int(data[0])<<8 | int(data[1]) 413 if l%2 == 1 || length != l+2 { 414 return false 415 } 416 numCurves := l / 2 417 m.supportedCurves = make([]CurveID, numCurves) 418 d := data[2:] 419 for i := 0; i < numCurves; i++ { 420 m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1]) 421 d = d[2:] 422 } 423 case extensionSupportedPoints: 424 // http://tools.ietf.org/html/rfc4492#section-5.5.2 425 if length < 1 { 426 return false 427 } 428 l := int(data[0]) 429 if length != l+1 { 430 return false 431 } 432 m.supportedPoints = make([]uint8, l) 433 copy(m.supportedPoints, data[1:]) 434 case extensionSessionTicket: 435 // http://tools.ietf.org/html/rfc5077#section-3.2 436 m.ticketSupported = true 437 m.sessionTicket = data[:length] 438 case extensionSignatureAlgorithms: 439 // https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1 440 if length < 2 || length&1 != 0 { 441 return false 442 } 443 l := int(data[0])<<8 | int(data[1]) 444 if l != length-2 { 445 return false 446 } 447 n := l / 2 448 d := data[2:] 449 m.signatureAndHashes = make([]signatureAndHash, n) 450 for i := range m.signatureAndHashes { 451 m.signatureAndHashes[i].hash = d[0] 452 m.signatureAndHashes[i].signature = d[1] 453 d = d[2:] 454 } 455 case extensionRenegotiationInfo: 456 if length == 0 { 457 return false 458 } 459 d := data[:length] 460 l := int(d[0]) 461 d = d[1:] 462 if l != len(d) { 463 return false 464 } 465 466 m.secureRenegotiation = d 467 m.secureRenegotiationSupported = true 468 case extensionALPN: 469 if length < 2 { 470 return false 471 } 472 l := int(data[0])<<8 | int(data[1]) 473 if l != length-2 { 474 return false 475 } 476 d := data[2:length] 477 for len(d) != 0 { 478 stringLen := int(d[0]) 479 d = d[1:] 480 if stringLen == 0 || stringLen > len(d) { 481 return false 482 } 483 m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen])) 484 d = d[stringLen:] 485 } 486 case extensionSCT: 487 m.scts = true 488 if length != 0 { 489 return false 490 } 491 } 492 data = data[length:] 493 } 494 495 return true 496 } 497 498 type serverHelloMsg struct { 499 raw []byte 500 vers uint16 501 random []byte 502 sessionId []byte 503 cipherSuite uint16 504 compressionMethod uint8 505 nextProtoNeg bool 506 nextProtos []string 507 ocspStapling bool 508 scts [][]byte 509 ticketSupported bool 510 secureRenegotiation []byte 511 secureRenegotiationSupported bool 512 alpnProtocol string 513 } 514 515 func (m *serverHelloMsg) equal(i interface{}) bool { 516 m1, ok := i.(*serverHelloMsg) 517 if !ok { 518 return false 519 } 520 521 if len(m.scts) != len(m1.scts) { 522 return false 523 } 524 for i, sct := range m.scts { 525 if !bytes.Equal(sct, m1.scts[i]) { 526 return false 527 } 528 } 529 530 return bytes.Equal(m.raw, m1.raw) && 531 m.vers == m1.vers && 532 bytes.Equal(m.random, m1.random) && 533 bytes.Equal(m.sessionId, m1.sessionId) && 534 m.cipherSuite == m1.cipherSuite && 535 m.compressionMethod == m1.compressionMethod && 536 m.nextProtoNeg == m1.nextProtoNeg && 537 eqStrings(m.nextProtos, m1.nextProtos) && 538 m.ocspStapling == m1.ocspStapling && 539 m.ticketSupported == m1.ticketSupported && 540 m.secureRenegotiationSupported == m1.secureRenegotiationSupported && 541 bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) && 542 m.alpnProtocol == m1.alpnProtocol 543 } 544 545 func (m *serverHelloMsg) marshal() []byte { 546 if m.raw != nil { 547 return m.raw 548 } 549 550 length := 38 + len(m.sessionId) 551 numExtensions := 0 552 extensionsLength := 0 553 554 nextProtoLen := 0 555 if m.nextProtoNeg { 556 numExtensions++ 557 for _, v := range m.nextProtos { 558 nextProtoLen += len(v) 559 } 560 nextProtoLen += len(m.nextProtos) 561 extensionsLength += nextProtoLen 562 } 563 if m.ocspStapling { 564 numExtensions++ 565 } 566 if m.ticketSupported { 567 numExtensions++ 568 } 569 if m.secureRenegotiationSupported { 570 extensionsLength += 1 + len(m.secureRenegotiation) 571 numExtensions++ 572 } 573 if alpnLen := len(m.alpnProtocol); alpnLen > 0 { 574 if alpnLen >= 256 { 575 panic("invalid ALPN protocol") 576 } 577 extensionsLength += 2 + 1 + alpnLen 578 numExtensions++ 579 } 580 sctLen := 0 581 if len(m.scts) > 0 { 582 for _, sct := range m.scts { 583 sctLen += len(sct) + 2 584 } 585 extensionsLength += 2 + sctLen 586 numExtensions++ 587 } 588 589 if numExtensions > 0 { 590 extensionsLength += 4 * numExtensions 591 length += 2 + extensionsLength 592 } 593 594 x := make([]byte, 4+length) 595 x[0] = typeServerHello 596 x[1] = uint8(length >> 16) 597 x[2] = uint8(length >> 8) 598 x[3] = uint8(length) 599 x[4] = uint8(m.vers >> 8) 600 x[5] = uint8(m.vers) 601 copy(x[6:38], m.random) 602 x[38] = uint8(len(m.sessionId)) 603 copy(x[39:39+len(m.sessionId)], m.sessionId) 604 z := x[39+len(m.sessionId):] 605 z[0] = uint8(m.cipherSuite >> 8) 606 z[1] = uint8(m.cipherSuite) 607 z[2] = m.compressionMethod 608 609 z = z[3:] 610 if numExtensions > 0 { 611 z[0] = byte(extensionsLength >> 8) 612 z[1] = byte(extensionsLength) 613 z = z[2:] 614 } 615 if m.nextProtoNeg { 616 z[0] = byte(extensionNextProtoNeg >> 8) 617 z[1] = byte(extensionNextProtoNeg & 0xff) 618 z[2] = byte(nextProtoLen >> 8) 619 z[3] = byte(nextProtoLen) 620 z = z[4:] 621 622 for _, v := range m.nextProtos { 623 l := len(v) 624 if l > 255 { 625 l = 255 626 } 627 z[0] = byte(l) 628 copy(z[1:], []byte(v[0:l])) 629 z = z[1+l:] 630 } 631 } 632 if m.ocspStapling { 633 z[0] = byte(extensionStatusRequest >> 8) 634 z[1] = byte(extensionStatusRequest) 635 z = z[4:] 636 } 637 if m.ticketSupported { 638 z[0] = byte(extensionSessionTicket >> 8) 639 z[1] = byte(extensionSessionTicket) 640 z = z[4:] 641 } 642 if m.secureRenegotiationSupported { 643 z[0] = byte(extensionRenegotiationInfo >> 8) 644 z[1] = byte(extensionRenegotiationInfo & 0xff) 645 z[2] = 0 646 z[3] = byte(len(m.secureRenegotiation) + 1) 647 z[4] = byte(len(m.secureRenegotiation)) 648 z = z[5:] 649 copy(z, m.secureRenegotiation) 650 z = z[len(m.secureRenegotiation):] 651 } 652 if alpnLen := len(m.alpnProtocol); alpnLen > 0 { 653 z[0] = byte(extensionALPN >> 8) 654 z[1] = byte(extensionALPN & 0xff) 655 l := 2 + 1 + alpnLen 656 z[2] = byte(l >> 8) 657 z[3] = byte(l) 658 l -= 2 659 z[4] = byte(l >> 8) 660 z[5] = byte(l) 661 l -= 1 662 z[6] = byte(l) 663 copy(z[7:], []byte(m.alpnProtocol)) 664 z = z[7+alpnLen:] 665 } 666 if sctLen > 0 { 667 z[0] = byte(extensionSCT >> 8) 668 z[1] = byte(extensionSCT) 669 l := sctLen + 2 670 z[2] = byte(l >> 8) 671 z[3] = byte(l) 672 z[4] = byte(sctLen >> 8) 673 z[5] = byte(sctLen) 674 675 z = z[6:] 676 for _, sct := range m.scts { 677 z[0] = byte(len(sct) >> 8) 678 z[1] = byte(len(sct)) 679 copy(z[2:], sct) 680 z = z[len(sct)+2:] 681 } 682 } 683 684 m.raw = x 685 686 return x 687 } 688 689 func (m *serverHelloMsg) unmarshal(data []byte) bool { 690 if len(data) < 42 { 691 return false 692 } 693 m.raw = data 694 m.vers = uint16(data[4])<<8 | uint16(data[5]) 695 m.random = data[6:38] 696 sessionIdLen := int(data[38]) 697 if sessionIdLen > 32 || len(data) < 39+sessionIdLen { 698 return false 699 } 700 m.sessionId = data[39 : 39+sessionIdLen] 701 data = data[39+sessionIdLen:] 702 if len(data) < 3 { 703 return false 704 } 705 m.cipherSuite = uint16(data[0])<<8 | uint16(data[1]) 706 m.compressionMethod = data[2] 707 data = data[3:] 708 709 m.nextProtoNeg = false 710 m.nextProtos = nil 711 m.ocspStapling = false 712 m.scts = nil 713 m.ticketSupported = false 714 m.alpnProtocol = "" 715 716 if len(data) == 0 { 717 // ServerHello is optionally followed by extension data 718 return true 719 } 720 if len(data) < 2 { 721 return false 722 } 723 724 extensionsLength := int(data[0])<<8 | int(data[1]) 725 data = data[2:] 726 if len(data) != extensionsLength { 727 return false 728 } 729 730 for len(data) != 0 { 731 if len(data) < 4 { 732 return false 733 } 734 extension := uint16(data[0])<<8 | uint16(data[1]) 735 length := int(data[2])<<8 | int(data[3]) 736 data = data[4:] 737 if len(data) < length { 738 return false 739 } 740 741 switch extension { 742 case extensionNextProtoNeg: 743 m.nextProtoNeg = true 744 d := data[:length] 745 for len(d) > 0 { 746 l := int(d[0]) 747 d = d[1:] 748 if l == 0 || l > len(d) { 749 return false 750 } 751 m.nextProtos = append(m.nextProtos, string(d[:l])) 752 d = d[l:] 753 } 754 case extensionStatusRequest: 755 if length > 0 { 756 return false 757 } 758 m.ocspStapling = true 759 case extensionSessionTicket: 760 if length > 0 { 761 return false 762 } 763 m.ticketSupported = true 764 case extensionRenegotiationInfo: 765 if length == 0 { 766 return false 767 } 768 d := data[:length] 769 l := int(d[0]) 770 d = d[1:] 771 if l != len(d) { 772 return false 773 } 774 775 m.secureRenegotiation = d 776 m.secureRenegotiationSupported = true 777 case extensionALPN: 778 d := data[:length] 779 if len(d) < 3 { 780 return false 781 } 782 l := int(d[0])<<8 | int(d[1]) 783 if l != len(d)-2 { 784 return false 785 } 786 d = d[2:] 787 l = int(d[0]) 788 if l != len(d)-1 { 789 return false 790 } 791 d = d[1:] 792 if len(d) == 0 { 793 // ALPN protocols must not be empty. 794 return false 795 } 796 m.alpnProtocol = string(d) 797 case extensionSCT: 798 d := data[:length] 799 800 if len(d) < 2 { 801 return false 802 } 803 l := int(d[0])<<8 | int(d[1]) 804 d = d[2:] 805 if len(d) != l || l == 0 { 806 return false 807 } 808 809 m.scts = make([][]byte, 0, 3) 810 for len(d) != 0 { 811 if len(d) < 2 { 812 return false 813 } 814 sctLen := int(d[0])<<8 | int(d[1]) 815 d = d[2:] 816 if sctLen == 0 || len(d) < sctLen { 817 return false 818 } 819 m.scts = append(m.scts, d[:sctLen]) 820 d = d[sctLen:] 821 } 822 } 823 data = data[length:] 824 } 825 826 return true 827 } 828 829 type certificateMsg struct { 830 raw []byte 831 certificates [][]byte 832 } 833 834 func (m *certificateMsg) equal(i interface{}) bool { 835 m1, ok := i.(*certificateMsg) 836 if !ok { 837 return false 838 } 839 840 return bytes.Equal(m.raw, m1.raw) && 841 eqByteSlices(m.certificates, m1.certificates) 842 } 843 844 func (m *certificateMsg) marshal() (x []byte) { 845 if m.raw != nil { 846 return m.raw 847 } 848 849 var i int 850 for _, slice := range m.certificates { 851 i += len(slice) 852 } 853 854 length := 3 + 3*len(m.certificates) + i 855 x = make([]byte, 4+length) 856 x[0] = typeCertificate 857 x[1] = uint8(length >> 16) 858 x[2] = uint8(length >> 8) 859 x[3] = uint8(length) 860 861 certificateOctets := length - 3 862 x[4] = uint8(certificateOctets >> 16) 863 x[5] = uint8(certificateOctets >> 8) 864 x[6] = uint8(certificateOctets) 865 866 y := x[7:] 867 for _, slice := range m.certificates { 868 y[0] = uint8(len(slice) >> 16) 869 y[1] = uint8(len(slice) >> 8) 870 y[2] = uint8(len(slice)) 871 copy(y[3:], slice) 872 y = y[3+len(slice):] 873 } 874 875 m.raw = x 876 return 877 } 878 879 func (m *certificateMsg) unmarshal(data []byte) bool { 880 if len(data) < 7 { 881 return false 882 } 883 884 m.raw = data 885 certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) 886 if uint32(len(data)) != certsLen+7 { 887 return false 888 } 889 890 numCerts := 0 891 d := data[7:] 892 for certsLen > 0 { 893 if len(d) < 4 { 894 return false 895 } 896 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 897 if uint32(len(d)) < 3+certLen { 898 return false 899 } 900 d = d[3+certLen:] 901 certsLen -= 3 + certLen 902 numCerts++ 903 } 904 905 m.certificates = make([][]byte, numCerts) 906 d = data[7:] 907 for i := 0; i < numCerts; i++ { 908 certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) 909 m.certificates[i] = d[3 : 3+certLen] 910 d = d[3+certLen:] 911 } 912 913 return true 914 } 915 916 type serverKeyExchangeMsg struct { 917 raw []byte 918 key []byte 919 } 920 921 func (m *serverKeyExchangeMsg) equal(i interface{}) bool { 922 m1, ok := i.(*serverKeyExchangeMsg) 923 if !ok { 924 return false 925 } 926 927 return bytes.Equal(m.raw, m1.raw) && 928 bytes.Equal(m.key, m1.key) 929 } 930 931 func (m *serverKeyExchangeMsg) marshal() []byte { 932 if m.raw != nil { 933 return m.raw 934 } 935 length := len(m.key) 936 x := make([]byte, length+4) 937 x[0] = typeServerKeyExchange 938 x[1] = uint8(length >> 16) 939 x[2] = uint8(length >> 8) 940 x[3] = uint8(length) 941 copy(x[4:], m.key) 942 943 m.raw = x 944 return x 945 } 946 947 func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { 948 m.raw = data 949 if len(data) < 4 { 950 return false 951 } 952 m.key = data[4:] 953 return true 954 } 955 956 type certificateStatusMsg struct { 957 raw []byte 958 statusType uint8 959 response []byte 960 } 961 962 func (m *certificateStatusMsg) equal(i interface{}) bool { 963 m1, ok := i.(*certificateStatusMsg) 964 if !ok { 965 return false 966 } 967 968 return bytes.Equal(m.raw, m1.raw) && 969 m.statusType == m1.statusType && 970 bytes.Equal(m.response, m1.response) 971 } 972 973 func (m *certificateStatusMsg) marshal() []byte { 974 if m.raw != nil { 975 return m.raw 976 } 977 978 var x []byte 979 if m.statusType == statusTypeOCSP { 980 x = make([]byte, 4+4+len(m.response)) 981 x[0] = typeCertificateStatus 982 l := len(m.response) + 4 983 x[1] = byte(l >> 16) 984 x[2] = byte(l >> 8) 985 x[3] = byte(l) 986 x[4] = statusTypeOCSP 987 988 l -= 4 989 x[5] = byte(l >> 16) 990 x[6] = byte(l >> 8) 991 x[7] = byte(l) 992 copy(x[8:], m.response) 993 } else { 994 x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType} 995 } 996 997 m.raw = x 998 return x 999 } 1000 1001 func (m *certificateStatusMsg) unmarshal(data []byte) bool { 1002 m.raw = data 1003 if len(data) < 5 { 1004 return false 1005 } 1006 m.statusType = data[4] 1007 1008 m.response = nil 1009 if m.statusType == statusTypeOCSP { 1010 if len(data) < 8 { 1011 return false 1012 } 1013 respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7]) 1014 if uint32(len(data)) != 4+4+respLen { 1015 return false 1016 } 1017 m.response = data[8:] 1018 } 1019 return true 1020 } 1021 1022 type serverHelloDoneMsg struct{} 1023 1024 func (m *serverHelloDoneMsg) equal(i interface{}) bool { 1025 _, ok := i.(*serverHelloDoneMsg) 1026 return ok 1027 } 1028 1029 func (m *serverHelloDoneMsg) marshal() []byte { 1030 x := make([]byte, 4) 1031 x[0] = typeServerHelloDone 1032 return x 1033 } 1034 1035 func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { 1036 return len(data) == 4 1037 } 1038 1039 type clientKeyExchangeMsg struct { 1040 raw []byte 1041 ciphertext []byte 1042 } 1043 1044 func (m *clientKeyExchangeMsg) equal(i interface{}) bool { 1045 m1, ok := i.(*clientKeyExchangeMsg) 1046 if !ok { 1047 return false 1048 } 1049 1050 return bytes.Equal(m.raw, m1.raw) && 1051 bytes.Equal(m.ciphertext, m1.ciphertext) 1052 } 1053 1054 func (m *clientKeyExchangeMsg) marshal() []byte { 1055 if m.raw != nil { 1056 return m.raw 1057 } 1058 length := len(m.ciphertext) 1059 x := make([]byte, length+4) 1060 x[0] = typeClientKeyExchange 1061 x[1] = uint8(length >> 16) 1062 x[2] = uint8(length >> 8) 1063 x[3] = uint8(length) 1064 copy(x[4:], m.ciphertext) 1065 1066 m.raw = x 1067 return x 1068 } 1069 1070 func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { 1071 m.raw = data 1072 if len(data) < 4 { 1073 return false 1074 } 1075 l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) 1076 if l != len(data)-4 { 1077 return false 1078 } 1079 m.ciphertext = data[4:] 1080 return true 1081 } 1082 1083 type finishedMsg struct { 1084 raw []byte 1085 verifyData []byte 1086 } 1087 1088 func (m *finishedMsg) equal(i interface{}) bool { 1089 m1, ok := i.(*finishedMsg) 1090 if !ok { 1091 return false 1092 } 1093 1094 return bytes.Equal(m.raw, m1.raw) && 1095 bytes.Equal(m.verifyData, m1.verifyData) 1096 } 1097 1098 func (m *finishedMsg) marshal() (x []byte) { 1099 if m.raw != nil { 1100 return m.raw 1101 } 1102 1103 x = make([]byte, 4+len(m.verifyData)) 1104 x[0] = typeFinished 1105 x[3] = byte(len(m.verifyData)) 1106 copy(x[4:], m.verifyData) 1107 m.raw = x 1108 return 1109 } 1110 1111 func (m *finishedMsg) unmarshal(data []byte) bool { 1112 m.raw = data 1113 if len(data) < 4 { 1114 return false 1115 } 1116 m.verifyData = data[4:] 1117 return true 1118 } 1119 1120 type nextProtoMsg struct { 1121 raw []byte 1122 proto string 1123 } 1124 1125 func (m *nextProtoMsg) equal(i interface{}) bool { 1126 m1, ok := i.(*nextProtoMsg) 1127 if !ok { 1128 return false 1129 } 1130 1131 return bytes.Equal(m.raw, m1.raw) && 1132 m.proto == m1.proto 1133 } 1134 1135 func (m *nextProtoMsg) marshal() []byte { 1136 if m.raw != nil { 1137 return m.raw 1138 } 1139 l := len(m.proto) 1140 if l > 255 { 1141 l = 255 1142 } 1143 1144 padding := 32 - (l+2)%32 1145 length := l + padding + 2 1146 x := make([]byte, length+4) 1147 x[0] = typeNextProtocol 1148 x[1] = uint8(length >> 16) 1149 x[2] = uint8(length >> 8) 1150 x[3] = uint8(length) 1151 1152 y := x[4:] 1153 y[0] = byte(l) 1154 copy(y[1:], []byte(m.proto[0:l])) 1155 y = y[1+l:] 1156 y[0] = byte(padding) 1157 1158 m.raw = x 1159 1160 return x 1161 } 1162 1163 func (m *nextProtoMsg) unmarshal(data []byte) bool { 1164 m.raw = data 1165 1166 if len(data) < 5 { 1167 return false 1168 } 1169 data = data[4:] 1170 protoLen := int(data[0]) 1171 data = data[1:] 1172 if len(data) < protoLen { 1173 return false 1174 } 1175 m.proto = string(data[0:protoLen]) 1176 data = data[protoLen:] 1177 1178 if len(data) < 1 { 1179 return false 1180 } 1181 paddingLen := int(data[0]) 1182 data = data[1:] 1183 if len(data) != paddingLen { 1184 return false 1185 } 1186 1187 return true 1188 } 1189 1190 type certificateRequestMsg struct { 1191 raw []byte 1192 // hasSignatureAndHash indicates whether this message includes a list 1193 // of signature and hash functions. This change was introduced with TLS 1194 // 1.2. 1195 hasSignatureAndHash bool 1196 1197 certificateTypes []byte 1198 signatureAndHashes []signatureAndHash 1199 certificateAuthorities [][]byte 1200 } 1201 1202 func (m *certificateRequestMsg) equal(i interface{}) bool { 1203 m1, ok := i.(*certificateRequestMsg) 1204 if !ok { 1205 return false 1206 } 1207 1208 return bytes.Equal(m.raw, m1.raw) && 1209 bytes.Equal(m.certificateTypes, m1.certificateTypes) && 1210 eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) && 1211 eqSignatureAndHashes(m.signatureAndHashes, m1.signatureAndHashes) 1212 } 1213 1214 func (m *certificateRequestMsg) marshal() (x []byte) { 1215 if m.raw != nil { 1216 return m.raw 1217 } 1218 1219 // See http://tools.ietf.org/html/rfc4346#section-7.4.4 1220 length := 1 + len(m.certificateTypes) + 2 1221 casLength := 0 1222 for _, ca := range m.certificateAuthorities { 1223 casLength += 2 + len(ca) 1224 } 1225 length += casLength 1226 1227 if m.hasSignatureAndHash { 1228 length += 2 + 2*len(m.signatureAndHashes) 1229 } 1230 1231 x = make([]byte, 4+length) 1232 x[0] = typeCertificateRequest 1233 x[1] = uint8(length >> 16) 1234 x[2] = uint8(length >> 8) 1235 x[3] = uint8(length) 1236 1237 x[4] = uint8(len(m.certificateTypes)) 1238 1239 copy(x[5:], m.certificateTypes) 1240 y := x[5+len(m.certificateTypes):] 1241 1242 if m.hasSignatureAndHash { 1243 n := len(m.signatureAndHashes) * 2 1244 y[0] = uint8(n >> 8) 1245 y[1] = uint8(n) 1246 y = y[2:] 1247 for _, sigAndHash := range m.signatureAndHashes { 1248 y[0] = sigAndHash.hash 1249 y[1] = sigAndHash.signature 1250 y = y[2:] 1251 } 1252 } 1253 1254 y[0] = uint8(casLength >> 8) 1255 y[1] = uint8(casLength) 1256 y = y[2:] 1257 for _, ca := range m.certificateAuthorities { 1258 y[0] = uint8(len(ca) >> 8) 1259 y[1] = uint8(len(ca)) 1260 y = y[2:] 1261 copy(y, ca) 1262 y = y[len(ca):] 1263 } 1264 1265 m.raw = x 1266 return 1267 } 1268 1269 func (m *certificateRequestMsg) unmarshal(data []byte) bool { 1270 m.raw = data 1271 1272 if len(data) < 5 { 1273 return false 1274 } 1275 1276 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1277 if uint32(len(data))-4 != length { 1278 return false 1279 } 1280 1281 numCertTypes := int(data[4]) 1282 data = data[5:] 1283 if numCertTypes == 0 || len(data) <= numCertTypes { 1284 return false 1285 } 1286 1287 m.certificateTypes = make([]byte, numCertTypes) 1288 if copy(m.certificateTypes, data) != numCertTypes { 1289 return false 1290 } 1291 1292 data = data[numCertTypes:] 1293 1294 if m.hasSignatureAndHash { 1295 if len(data) < 2 { 1296 return false 1297 } 1298 sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) 1299 data = data[2:] 1300 if sigAndHashLen&1 != 0 { 1301 return false 1302 } 1303 if len(data) < int(sigAndHashLen) { 1304 return false 1305 } 1306 numSigAndHash := sigAndHashLen / 2 1307 m.signatureAndHashes = make([]signatureAndHash, numSigAndHash) 1308 for i := range m.signatureAndHashes { 1309 m.signatureAndHashes[i].hash = data[0] 1310 m.signatureAndHashes[i].signature = data[1] 1311 data = data[2:] 1312 } 1313 } 1314 1315 if len(data) < 2 { 1316 return false 1317 } 1318 casLength := uint16(data[0])<<8 | uint16(data[1]) 1319 data = data[2:] 1320 if len(data) < int(casLength) { 1321 return false 1322 } 1323 cas := make([]byte, casLength) 1324 copy(cas, data) 1325 data = data[casLength:] 1326 1327 m.certificateAuthorities = nil 1328 for len(cas) > 0 { 1329 if len(cas) < 2 { 1330 return false 1331 } 1332 caLen := uint16(cas[0])<<8 | uint16(cas[1]) 1333 cas = cas[2:] 1334 1335 if len(cas) < int(caLen) { 1336 return false 1337 } 1338 1339 m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) 1340 cas = cas[caLen:] 1341 } 1342 1343 return len(data) == 0 1344 } 1345 1346 type certificateVerifyMsg struct { 1347 raw []byte 1348 hasSignatureAndHash bool 1349 signatureAndHash signatureAndHash 1350 signature []byte 1351 } 1352 1353 func (m *certificateVerifyMsg) equal(i interface{}) bool { 1354 m1, ok := i.(*certificateVerifyMsg) 1355 if !ok { 1356 return false 1357 } 1358 1359 return bytes.Equal(m.raw, m1.raw) && 1360 m.hasSignatureAndHash == m1.hasSignatureAndHash && 1361 m.signatureAndHash.hash == m1.signatureAndHash.hash && 1362 m.signatureAndHash.signature == m1.signatureAndHash.signature && 1363 bytes.Equal(m.signature, m1.signature) 1364 } 1365 1366 func (m *certificateVerifyMsg) marshal() (x []byte) { 1367 if m.raw != nil { 1368 return m.raw 1369 } 1370 1371 // See http://tools.ietf.org/html/rfc4346#section-7.4.8 1372 siglength := len(m.signature) 1373 length := 2 + siglength 1374 if m.hasSignatureAndHash { 1375 length += 2 1376 } 1377 x = make([]byte, 4+length) 1378 x[0] = typeCertificateVerify 1379 x[1] = uint8(length >> 16) 1380 x[2] = uint8(length >> 8) 1381 x[3] = uint8(length) 1382 y := x[4:] 1383 if m.hasSignatureAndHash { 1384 y[0] = m.signatureAndHash.hash 1385 y[1] = m.signatureAndHash.signature 1386 y = y[2:] 1387 } 1388 y[0] = uint8(siglength >> 8) 1389 y[1] = uint8(siglength) 1390 copy(y[2:], m.signature) 1391 1392 m.raw = x 1393 1394 return 1395 } 1396 1397 func (m *certificateVerifyMsg) unmarshal(data []byte) bool { 1398 m.raw = data 1399 1400 if len(data) < 6 { 1401 return false 1402 } 1403 1404 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1405 if uint32(len(data))-4 != length { 1406 return false 1407 } 1408 1409 data = data[4:] 1410 if m.hasSignatureAndHash { 1411 m.signatureAndHash.hash = data[0] 1412 m.signatureAndHash.signature = data[1] 1413 data = data[2:] 1414 } 1415 1416 if len(data) < 2 { 1417 return false 1418 } 1419 siglength := int(data[0])<<8 + int(data[1]) 1420 data = data[2:] 1421 if len(data) != siglength { 1422 return false 1423 } 1424 1425 m.signature = data 1426 1427 return true 1428 } 1429 1430 type newSessionTicketMsg struct { 1431 raw []byte 1432 ticket []byte 1433 } 1434 1435 func (m *newSessionTicketMsg) equal(i interface{}) bool { 1436 m1, ok := i.(*newSessionTicketMsg) 1437 if !ok { 1438 return false 1439 } 1440 1441 return bytes.Equal(m.raw, m1.raw) && 1442 bytes.Equal(m.ticket, m1.ticket) 1443 } 1444 1445 func (m *newSessionTicketMsg) marshal() (x []byte) { 1446 if m.raw != nil { 1447 return m.raw 1448 } 1449 1450 // See http://tools.ietf.org/html/rfc5077#section-3.3 1451 ticketLen := len(m.ticket) 1452 length := 2 + 4 + ticketLen 1453 x = make([]byte, 4+length) 1454 x[0] = typeNewSessionTicket 1455 x[1] = uint8(length >> 16) 1456 x[2] = uint8(length >> 8) 1457 x[3] = uint8(length) 1458 x[8] = uint8(ticketLen >> 8) 1459 x[9] = uint8(ticketLen) 1460 copy(x[10:], m.ticket) 1461 1462 m.raw = x 1463 1464 return 1465 } 1466 1467 func (m *newSessionTicketMsg) unmarshal(data []byte) bool { 1468 m.raw = data 1469 1470 if len(data) < 10 { 1471 return false 1472 } 1473 1474 length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) 1475 if uint32(len(data))-4 != length { 1476 return false 1477 } 1478 1479 ticketLen := int(data[8])<<8 + int(data[9]) 1480 if len(data)-10 != ticketLen { 1481 return false 1482 } 1483 1484 m.ticket = data[10:] 1485 1486 return true 1487 } 1488 1489 type helloRequestMsg struct { 1490 } 1491 1492 func (*helloRequestMsg) marshal() []byte { 1493 return []byte{typeHelloRequest, 0, 0, 0} 1494 } 1495 1496 func (*helloRequestMsg) unmarshal(data []byte) bool { 1497 return len(data) == 4 1498 } 1499 1500 func eqUint16s(x, y []uint16) bool { 1501 if len(x) != len(y) { 1502 return false 1503 } 1504 for i, v := range x { 1505 if y[i] != v { 1506 return false 1507 } 1508 } 1509 return true 1510 } 1511 1512 func eqCurveIDs(x, y []CurveID) bool { 1513 if len(x) != len(y) { 1514 return false 1515 } 1516 for i, v := range x { 1517 if y[i] != v { 1518 return false 1519 } 1520 } 1521 return true 1522 } 1523 1524 func eqStrings(x, y []string) bool { 1525 if len(x) != len(y) { 1526 return false 1527 } 1528 for i, v := range x { 1529 if y[i] != v { 1530 return false 1531 } 1532 } 1533 return true 1534 } 1535 1536 func eqByteSlices(x, y [][]byte) bool { 1537 if len(x) != len(y) { 1538 return false 1539 } 1540 for i, v := range x { 1541 if !bytes.Equal(v, y[i]) { 1542 return false 1543 } 1544 } 1545 return true 1546 } 1547 1548 func eqSignatureAndHashes(x, y []signatureAndHash) bool { 1549 if len(x) != len(y) { 1550 return false 1551 } 1552 for i, v := range x { 1553 v2 := y[i] 1554 if v.hash != v2.hash || v.signature != v2.signature { 1555 return false 1556 } 1557 } 1558 return true 1559 } 1560
