1 // Copyright 2009 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
11 "golang.org/x/crypto/cryptobyte"
14 // The marshalingFunction type is an adapter to allow the use of ordinary
15 // functions as cryptobyte.MarshalingValue.
16 type marshalingFunction
func(b
*cryptobyte
.Builder
) error
18 func (f marshalingFunction
) Marshal(b
*cryptobyte
.Builder
) error
{
22 // addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If
23 // the length of the sequence is not the value specified, it produces an error.
24 func addBytesWithLength(b
*cryptobyte
.Builder
, v
[]byte, n
int) {
25 b
.AddValue(marshalingFunction(func(b
*cryptobyte
.Builder
) error
{
27 return fmt
.Errorf("invalid value length: expected %d, got %d", n
, len(v
))
34 // addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder.
35 func addUint64(b
*cryptobyte
.Builder
, v
uint64) {
36 b
.AddUint32(uint32(v
>> 32))
37 b
.AddUint32(uint32(v
))
40 // readUint64 decodes a big-endian, 64-bit value into out and advances over it.
41 // It reports whether the read was successful.
42 func readUint64(s
*cryptobyte
.String
, out
*uint64) bool {
44 if !s
.ReadUint32(&hi
) ||
!s
.ReadUint32(&lo
) {
47 *out
= uint64(hi
)<<32 |
uint64(lo
)
51 // readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a
52 // []byte instead of a cryptobyte.String.
53 func readUint8LengthPrefixed(s
*cryptobyte
.String
, out
*[]byte) bool {
54 return s
.ReadUint8LengthPrefixed((*cryptobyte
.String
)(out
))
57 // readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a
58 // []byte instead of a cryptobyte.String.
59 func readUint16LengthPrefixed(s
*cryptobyte
.String
, out
*[]byte) bool {
60 return s
.ReadUint16LengthPrefixed((*cryptobyte
.String
)(out
))
63 // readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a
64 // []byte instead of a cryptobyte.String.
65 func readUint24LengthPrefixed(s
*cryptobyte
.String
, out
*[]byte) bool {
66 return s
.ReadUint24LengthPrefixed((*cryptobyte
.String
)(out
))
69 type clientHelloMsg
struct {
75 compressionMethods
[]uint8
78 supportedCurves
[]CurveID
79 supportedPoints
[]uint8
82 supportedSignatureAlgorithms
[]SignatureScheme
83 supportedSignatureAlgorithmsCert
[]SignatureScheme
84 secureRenegotiationSupported
bool
85 secureRenegotiation
[]byte
86 alpnProtocols
[]string
88 supportedVersions
[]uint16
93 pskIdentities
[]pskIdentity
97 func (m
*clientHelloMsg
) marshal() []byte {
102 var b cryptobyte
.Builder
103 b
.AddUint8(typeClientHello
)
104 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
106 addBytesWithLength(b
, m
.random
, 32)
107 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
108 b
.AddBytes(m
.sessionId
)
110 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
111 for _
, suite
:= range m
.cipherSuites
{
115 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
116 b
.AddBytes(m
.compressionMethods
)
119 // If extensions aren't present, omit them.
120 var extensionsPresent
bool
121 bWithoutExtensions
:= *b
123 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
124 if len(m
.serverName
) > 0 {
125 // RFC 6066, Section 3
126 b
.AddUint16(extensionServerName
)
127 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
128 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
129 b
.AddUint8(0) // name_type = host_name
130 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
131 b
.AddBytes([]byte(m
.serverName
))
137 // RFC 4366, Section 3.6
138 b
.AddUint16(extensionStatusRequest
)
139 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
140 b
.AddUint8(1) // status_type = ocsp
141 b
.AddUint16(0) // empty responder_id_list
142 b
.AddUint16(0) // empty request_extensions
145 if len(m
.supportedCurves
) > 0 {
146 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
147 b
.AddUint16(extensionSupportedCurves
)
148 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
149 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
150 for _
, curve
:= range m
.supportedCurves
{
151 b
.AddUint16(uint16(curve
))
156 if len(m
.supportedPoints
) > 0 {
157 // RFC 4492, Section 5.1.2
158 b
.AddUint16(extensionSupportedPoints
)
159 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
160 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
161 b
.AddBytes(m
.supportedPoints
)
165 if m
.ticketSupported
{
166 // RFC 5077, Section 3.2
167 b
.AddUint16(extensionSessionTicket
)
168 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
169 b
.AddBytes(m
.sessionTicket
)
172 if len(m
.supportedSignatureAlgorithms
) > 0 {
173 // RFC 5246, Section 7.4.1.4.1
174 b
.AddUint16(extensionSignatureAlgorithms
)
175 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
176 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
177 for _
, sigAlgo
:= range m
.supportedSignatureAlgorithms
{
178 b
.AddUint16(uint16(sigAlgo
))
183 if len(m
.supportedSignatureAlgorithmsCert
) > 0 {
184 // RFC 8446, Section 4.2.3
185 b
.AddUint16(extensionSignatureAlgorithmsCert
)
186 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
187 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
188 for _
, sigAlgo
:= range m
.supportedSignatureAlgorithmsCert
{
189 b
.AddUint16(uint16(sigAlgo
))
194 if m
.secureRenegotiationSupported
{
195 // RFC 5746, Section 3.2
196 b
.AddUint16(extensionRenegotiationInfo
)
197 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
198 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
199 b
.AddBytes(m
.secureRenegotiation
)
203 if len(m
.alpnProtocols
) > 0 {
204 // RFC 7301, Section 3.1
205 b
.AddUint16(extensionALPN
)
206 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
207 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
208 for _
, proto
:= range m
.alpnProtocols
{
209 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
210 b
.AddBytes([]byte(proto
))
217 // RFC 6962, Section 3.3.1
218 b
.AddUint16(extensionSCT
)
219 b
.AddUint16(0) // empty extension_data
221 if len(m
.supportedVersions
) > 0 {
222 // RFC 8446, Section 4.2.1
223 b
.AddUint16(extensionSupportedVersions
)
224 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
225 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
226 for _
, vers
:= range m
.supportedVersions
{
232 if len(m
.cookie
) > 0 {
233 // RFC 8446, Section 4.2.2
234 b
.AddUint16(extensionCookie
)
235 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
236 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
241 if len(m
.keyShares
) > 0 {
242 // RFC 8446, Section 4.2.8
243 b
.AddUint16(extensionKeyShare
)
244 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
245 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
246 for _
, ks
:= range m
.keyShares
{
247 b
.AddUint16(uint16(ks
.group
))
248 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
256 // RFC 8446, Section 4.2.10
257 b
.AddUint16(extensionEarlyData
)
258 b
.AddUint16(0) // empty extension_data
260 if len(m
.pskModes
) > 0 {
261 // RFC 8446, Section 4.2.9
262 b
.AddUint16(extensionPSKModes
)
263 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
264 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
265 b
.AddBytes(m
.pskModes
)
269 if len(m
.pskIdentities
) > 0 { // pre_shared_key must be the last extension
270 // RFC 8446, Section 4.2.11
271 b
.AddUint16(extensionPreSharedKey
)
272 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
273 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
274 for _
, psk
:= range m
.pskIdentities
{
275 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
276 b
.AddBytes(psk
.label
)
278 b
.AddUint32(psk
.obfuscatedTicketAge
)
281 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
282 for _
, binder
:= range m
.pskBinders
{
283 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
291 extensionsPresent
= len(b
.BytesOrPanic()) > 2
294 if !extensionsPresent
{
295 *b
= bWithoutExtensions
299 m
.raw
= b
.BytesOrPanic()
303 // marshalWithoutBinders returns the ClientHello through the
304 // PreSharedKeyExtension.identities field, according to RFC 8446, Section
305 // 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length.
306 func (m
*clientHelloMsg
) marshalWithoutBinders() []byte {
307 bindersLen
:= 2 // uint16 length prefix
308 for _
, binder
:= range m
.pskBinders
{
309 bindersLen
+= 1 // uint8 length prefix
310 bindersLen
+= len(binder
)
313 fullMessage
:= m
.marshal()
314 return fullMessage
[:len(fullMessage
)-bindersLen
]
317 // updateBinders updates the m.pskBinders field, if necessary updating the
318 // cached marshaled representation. The supplied binders must have the same
319 // length as the current m.pskBinders.
320 func (m
*clientHelloMsg
) updateBinders(pskBinders
[][]byte) {
321 if len(pskBinders
) != len(m
.pskBinders
) {
322 panic("tls: internal error: pskBinders length mismatch")
324 for i
:= range m
.pskBinders
{
325 if len(pskBinders
[i
]) != len(m
.pskBinders
[i
]) {
326 panic("tls: internal error: pskBinders length mismatch")
329 m
.pskBinders
= pskBinders
331 lenWithoutBinders
:= len(m
.marshalWithoutBinders())
332 b
:= cryptobyte
.NewFixedBuilder(m
.raw
[:lenWithoutBinders
])
333 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
334 for _
, binder
:= range m
.pskBinders
{
335 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
340 if out
, err
:= b
.Bytes(); err
!= nil ||
len(out
) != len(m
.raw
) {
341 panic("tls: internal error: failed to update binders")
346 func (m
*clientHelloMsg
) unmarshal(data
[]byte) bool {
347 *m
= clientHelloMsg
{raw
: data
}
348 s
:= cryptobyte
.String(data
)
350 if !s
.Skip(4) ||
// message type and uint24 length field
351 !s
.ReadUint16(&m
.vers
) ||
!s
.ReadBytes(&m
.random
, 32) ||
352 !readUint8LengthPrefixed(&s
, &m
.sessionId
) {
356 var cipherSuites cryptobyte
.String
357 if !s
.ReadUint16LengthPrefixed(&cipherSuites
) {
360 m
.cipherSuites
= []uint16{}
361 m
.secureRenegotiationSupported
= false
362 for !cipherSuites
.Empty() {
364 if !cipherSuites
.ReadUint16(&suite
) {
367 if suite
== scsvRenegotiation
{
368 m
.secureRenegotiationSupported
= true
370 m
.cipherSuites
= append(m
.cipherSuites
, suite
)
373 if !readUint8LengthPrefixed(&s
, &m
.compressionMethods
) {
378 // ClientHello is optionally followed by extension data
382 var extensions cryptobyte
.String
383 if !s
.ReadUint16LengthPrefixed(&extensions
) ||
!s
.Empty() {
387 for !extensions
.Empty() {
389 var extData cryptobyte
.String
390 if !extensions
.ReadUint16(&extension
) ||
391 !extensions
.ReadUint16LengthPrefixed(&extData
) {
396 case extensionServerName
:
397 // RFC 6066, Section 3
398 var nameList cryptobyte
.String
399 if !extData
.ReadUint16LengthPrefixed(&nameList
) || nameList
.Empty() {
402 for !nameList
.Empty() {
404 var serverName cryptobyte
.String
405 if !nameList
.ReadUint8(&nameType
) ||
406 !nameList
.ReadUint16LengthPrefixed(&serverName
) ||
413 if len(m
.serverName
) != 0 {
414 // Multiple names of the same name_type are prohibited.
417 m
.serverName
= string(serverName
)
418 // An SNI value may not include a trailing dot.
419 if strings
.HasSuffix(m
.serverName
, ".") {
423 case extensionStatusRequest
:
424 // RFC 4366, Section 3.6
426 var ignored cryptobyte
.String
427 if !extData
.ReadUint8(&statusType
) ||
428 !extData
.ReadUint16LengthPrefixed(&ignored
) ||
429 !extData
.ReadUint16LengthPrefixed(&ignored
) {
432 m
.ocspStapling
= statusType
== statusTypeOCSP
433 case extensionSupportedCurves
:
434 // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7
435 var curves cryptobyte
.String
436 if !extData
.ReadUint16LengthPrefixed(&curves
) || curves
.Empty() {
439 for !curves
.Empty() {
441 if !curves
.ReadUint16(&curve
) {
444 m
.supportedCurves
= append(m
.supportedCurves
, CurveID(curve
))
446 case extensionSupportedPoints
:
447 // RFC 4492, Section 5.1.2
448 if !readUint8LengthPrefixed(&extData
, &m
.supportedPoints
) ||
449 len(m
.supportedPoints
) == 0 {
452 case extensionSessionTicket
:
453 // RFC 5077, Section 3.2
454 m
.ticketSupported
= true
455 extData
.ReadBytes(&m
.sessionTicket
, len(extData
))
456 case extensionSignatureAlgorithms
:
457 // RFC 5246, Section 7.4.1.4.1
458 var sigAndAlgs cryptobyte
.String
459 if !extData
.ReadUint16LengthPrefixed(&sigAndAlgs
) || sigAndAlgs
.Empty() {
462 for !sigAndAlgs
.Empty() {
464 if !sigAndAlgs
.ReadUint16(&sigAndAlg
) {
467 m
.supportedSignatureAlgorithms
= append(
468 m
.supportedSignatureAlgorithms
, SignatureScheme(sigAndAlg
))
470 case extensionSignatureAlgorithmsCert
:
471 // RFC 8446, Section 4.2.3
472 var sigAndAlgs cryptobyte
.String
473 if !extData
.ReadUint16LengthPrefixed(&sigAndAlgs
) || sigAndAlgs
.Empty() {
476 for !sigAndAlgs
.Empty() {
478 if !sigAndAlgs
.ReadUint16(&sigAndAlg
) {
481 m
.supportedSignatureAlgorithmsCert
= append(
482 m
.supportedSignatureAlgorithmsCert
, SignatureScheme(sigAndAlg
))
484 case extensionRenegotiationInfo
:
485 // RFC 5746, Section 3.2
486 if !readUint8LengthPrefixed(&extData
, &m
.secureRenegotiation
) {
489 m
.secureRenegotiationSupported
= true
491 // RFC 7301, Section 3.1
492 var protoList cryptobyte
.String
493 if !extData
.ReadUint16LengthPrefixed(&protoList
) || protoList
.Empty() {
496 for !protoList
.Empty() {
497 var proto cryptobyte
.String
498 if !protoList
.ReadUint8LengthPrefixed(&proto
) || proto
.Empty() {
501 m
.alpnProtocols
= append(m
.alpnProtocols
, string(proto
))
504 // RFC 6962, Section 3.3.1
506 case extensionSupportedVersions
:
507 // RFC 8446, Section 4.2.1
508 var versList cryptobyte
.String
509 if !extData
.ReadUint8LengthPrefixed(&versList
) || versList
.Empty() {
512 for !versList
.Empty() {
514 if !versList
.ReadUint16(&vers
) {
517 m
.supportedVersions
= append(m
.supportedVersions
, vers
)
519 case extensionCookie
:
520 // RFC 8446, Section 4.2.2
521 if !readUint16LengthPrefixed(&extData
, &m
.cookie
) ||
525 case extensionKeyShare
:
526 // RFC 8446, Section 4.2.8
527 var clientShares cryptobyte
.String
528 if !extData
.ReadUint16LengthPrefixed(&clientShares
) {
531 for !clientShares
.Empty() {
533 if !clientShares
.ReadUint16((*uint16)(&ks
.group
)) ||
534 !readUint16LengthPrefixed(&clientShares
, &ks
.data
) ||
538 m
.keyShares
= append(m
.keyShares
, ks
)
540 case extensionEarlyData
:
541 // RFC 8446, Section 4.2.10
543 case extensionPSKModes
:
544 // RFC 8446, Section 4.2.9
545 if !readUint8LengthPrefixed(&extData
, &m
.pskModes
) {
548 case extensionPreSharedKey
:
549 // RFC 8446, Section 4.2.11
550 if !extensions
.Empty() {
551 return false // pre_shared_key must be the last extension
553 var identities cryptobyte
.String
554 if !extData
.ReadUint16LengthPrefixed(&identities
) || identities
.Empty() {
557 for !identities
.Empty() {
559 if !readUint16LengthPrefixed(&identities
, &psk
.label
) ||
560 !identities
.ReadUint32(&psk
.obfuscatedTicketAge
) ||
561 len(psk
.label
) == 0 {
564 m
.pskIdentities
= append(m
.pskIdentities
, psk
)
566 var binders cryptobyte
.String
567 if !extData
.ReadUint16LengthPrefixed(&binders
) || binders
.Empty() {
570 for !binders
.Empty() {
572 if !readUint8LengthPrefixed(&binders
, &binder
) ||
576 m
.pskBinders
= append(m
.pskBinders
, binder
)
579 // Ignore unknown extensions.
583 if !extData
.Empty() {
591 type serverHelloMsg
struct {
597 compressionMethod
uint8
600 secureRenegotiationSupported
bool
601 secureRenegotiation
[]byte
604 supportedVersion
uint16
606 selectedIdentityPresent
bool
607 selectedIdentity
uint16
608 supportedPoints
[]uint8
610 // HelloRetryRequest extensions
612 selectedGroup CurveID
615 func (m
*serverHelloMsg
) marshal() []byte {
620 var b cryptobyte
.Builder
621 b
.AddUint8(typeServerHello
)
622 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
624 addBytesWithLength(b
, m
.random
, 32)
625 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
626 b
.AddBytes(m
.sessionId
)
628 b
.AddUint16(m
.cipherSuite
)
629 b
.AddUint8(m
.compressionMethod
)
631 // If extensions aren't present, omit them.
632 var extensionsPresent
bool
633 bWithoutExtensions
:= *b
635 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
637 b
.AddUint16(extensionStatusRequest
)
638 b
.AddUint16(0) // empty extension_data
640 if m
.ticketSupported
{
641 b
.AddUint16(extensionSessionTicket
)
642 b
.AddUint16(0) // empty extension_data
644 if m
.secureRenegotiationSupported
{
645 b
.AddUint16(extensionRenegotiationInfo
)
646 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
647 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
648 b
.AddBytes(m
.secureRenegotiation
)
652 if len(m
.alpnProtocol
) > 0 {
653 b
.AddUint16(extensionALPN
)
654 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
655 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
656 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
657 b
.AddBytes([]byte(m
.alpnProtocol
))
663 b
.AddUint16(extensionSCT
)
664 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
665 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
666 for _
, sct
:= range m
.scts
{
667 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
674 if m
.supportedVersion
!= 0 {
675 b
.AddUint16(extensionSupportedVersions
)
676 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
677 b
.AddUint16(m
.supportedVersion
)
680 if m
.serverShare
.group
!= 0 {
681 b
.AddUint16(extensionKeyShare
)
682 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
683 b
.AddUint16(uint16(m
.serverShare
.group
))
684 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
685 b
.AddBytes(m
.serverShare
.data
)
689 if m
.selectedIdentityPresent
{
690 b
.AddUint16(extensionPreSharedKey
)
691 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
692 b
.AddUint16(m
.selectedIdentity
)
696 if len(m
.cookie
) > 0 {
697 b
.AddUint16(extensionCookie
)
698 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
699 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
704 if m
.selectedGroup
!= 0 {
705 b
.AddUint16(extensionKeyShare
)
706 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
707 b
.AddUint16(uint16(m
.selectedGroup
))
710 if len(m
.supportedPoints
) > 0 {
711 b
.AddUint16(extensionSupportedPoints
)
712 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
713 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
714 b
.AddBytes(m
.supportedPoints
)
719 extensionsPresent
= len(b
.BytesOrPanic()) > 2
722 if !extensionsPresent
{
723 *b
= bWithoutExtensions
727 m
.raw
= b
.BytesOrPanic()
731 func (m
*serverHelloMsg
) unmarshal(data
[]byte) bool {
732 *m
= serverHelloMsg
{raw
: data
}
733 s
:= cryptobyte
.String(data
)
735 if !s
.Skip(4) ||
// message type and uint24 length field
736 !s
.ReadUint16(&m
.vers
) ||
!s
.ReadBytes(&m
.random
, 32) ||
737 !readUint8LengthPrefixed(&s
, &m
.sessionId
) ||
738 !s
.ReadUint16(&m
.cipherSuite
) ||
739 !s
.ReadUint8(&m
.compressionMethod
) {
744 // ServerHello is optionally followed by extension data
748 var extensions cryptobyte
.String
749 if !s
.ReadUint16LengthPrefixed(&extensions
) ||
!s
.Empty() {
753 for !extensions
.Empty() {
755 var extData cryptobyte
.String
756 if !extensions
.ReadUint16(&extension
) ||
757 !extensions
.ReadUint16LengthPrefixed(&extData
) {
762 case extensionStatusRequest
:
763 m
.ocspStapling
= true
764 case extensionSessionTicket
:
765 m
.ticketSupported
= true
766 case extensionRenegotiationInfo
:
767 if !readUint8LengthPrefixed(&extData
, &m
.secureRenegotiation
) {
770 m
.secureRenegotiationSupported
= true
772 var protoList cryptobyte
.String
773 if !extData
.ReadUint16LengthPrefixed(&protoList
) || protoList
.Empty() {
776 var proto cryptobyte
.String
777 if !protoList
.ReadUint8LengthPrefixed(&proto
) ||
778 proto
.Empty() ||
!protoList
.Empty() {
781 m
.alpnProtocol
= string(proto
)
783 var sctList cryptobyte
.String
784 if !extData
.ReadUint16LengthPrefixed(&sctList
) || sctList
.Empty() {
787 for !sctList
.Empty() {
789 if !readUint16LengthPrefixed(&sctList
, &sct
) ||
793 m
.scts
= append(m
.scts
, sct
)
795 case extensionSupportedVersions
:
796 if !extData
.ReadUint16(&m
.supportedVersion
) {
799 case extensionCookie
:
800 if !readUint16LengthPrefixed(&extData
, &m
.cookie
) ||
804 case extensionKeyShare
:
805 // This extension has different formats in SH and HRR, accept either
806 // and let the handshake logic decide. See RFC 8446, Section 4.2.8.
807 if len(extData
) == 2 {
808 if !extData
.ReadUint16((*uint16)(&m
.selectedGroup
)) {
812 if !extData
.ReadUint16((*uint16)(&m
.serverShare
.group
)) ||
813 !readUint16LengthPrefixed(&extData
, &m
.serverShare
.data
) {
817 case extensionPreSharedKey
:
818 m
.selectedIdentityPresent
= true
819 if !extData
.ReadUint16(&m
.selectedIdentity
) {
822 case extensionSupportedPoints
:
823 // RFC 4492, Section 5.1.2
824 if !readUint8LengthPrefixed(&extData
, &m
.supportedPoints
) ||
825 len(m
.supportedPoints
) == 0 {
829 // Ignore unknown extensions.
833 if !extData
.Empty() {
841 type encryptedExtensionsMsg
struct {
846 func (m
*encryptedExtensionsMsg
) marshal() []byte {
851 var b cryptobyte
.Builder
852 b
.AddUint8(typeEncryptedExtensions
)
853 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
854 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
855 if len(m
.alpnProtocol
) > 0 {
856 b
.AddUint16(extensionALPN
)
857 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
858 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
859 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
860 b
.AddBytes([]byte(m
.alpnProtocol
))
868 m
.raw
= b
.BytesOrPanic()
872 func (m
*encryptedExtensionsMsg
) unmarshal(data
[]byte) bool {
873 *m
= encryptedExtensionsMsg
{raw
: data
}
874 s
:= cryptobyte
.String(data
)
876 var extensions cryptobyte
.String
877 if !s
.Skip(4) ||
// message type and uint24 length field
878 !s
.ReadUint16LengthPrefixed(&extensions
) ||
!s
.Empty() {
882 for !extensions
.Empty() {
884 var extData cryptobyte
.String
885 if !extensions
.ReadUint16(&extension
) ||
886 !extensions
.ReadUint16LengthPrefixed(&extData
) {
892 var protoList cryptobyte
.String
893 if !extData
.ReadUint16LengthPrefixed(&protoList
) || protoList
.Empty() {
896 var proto cryptobyte
.String
897 if !protoList
.ReadUint8LengthPrefixed(&proto
) ||
898 proto
.Empty() ||
!protoList
.Empty() {
901 m
.alpnProtocol
= string(proto
)
903 // Ignore unknown extensions.
907 if !extData
.Empty() {
915 type endOfEarlyDataMsg
struct{}
917 func (m
*endOfEarlyDataMsg
) marshal() []byte {
919 x
[0] = typeEndOfEarlyData
923 func (m
*endOfEarlyDataMsg
) unmarshal(data
[]byte) bool {
924 return len(data
) == 4
927 type keyUpdateMsg
struct {
932 func (m
*keyUpdateMsg
) marshal() []byte {
937 var b cryptobyte
.Builder
938 b
.AddUint8(typeKeyUpdate
)
939 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
940 if m
.updateRequested
{
947 m
.raw
= b
.BytesOrPanic()
951 func (m
*keyUpdateMsg
) unmarshal(data
[]byte) bool {
953 s
:= cryptobyte
.String(data
)
955 var updateRequested
uint8
956 if !s
.Skip(4) ||
// message type and uint24 length field
957 !s
.ReadUint8(&updateRequested
) ||
!s
.Empty() {
960 switch updateRequested
{
962 m
.updateRequested
= false
964 m
.updateRequested
= true
971 type newSessionTicketMsgTLS13
struct {
980 func (m
*newSessionTicketMsgTLS13
) marshal() []byte {
985 var b cryptobyte
.Builder
986 b
.AddUint8(typeNewSessionTicket
)
987 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
988 b
.AddUint32(m
.lifetime
)
989 b
.AddUint32(m
.ageAdd
)
990 b
.AddUint8LengthPrefixed(func(b
*cryptobyte
.Builder
) {
993 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
997 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
998 if m
.maxEarlyData
> 0 {
999 b
.AddUint16(extensionEarlyData
)
1000 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1001 b
.AddUint32(m
.maxEarlyData
)
1007 m
.raw
= b
.BytesOrPanic()
1011 func (m
*newSessionTicketMsgTLS13
) unmarshal(data
[]byte) bool {
1012 *m
= newSessionTicketMsgTLS13
{raw
: data
}
1013 s
:= cryptobyte
.String(data
)
1015 var extensions cryptobyte
.String
1016 if !s
.Skip(4) ||
// message type and uint24 length field
1017 !s
.ReadUint32(&m
.lifetime
) ||
1018 !s
.ReadUint32(&m
.ageAdd
) ||
1019 !readUint8LengthPrefixed(&s
, &m
.nonce
) ||
1020 !readUint16LengthPrefixed(&s
, &m
.label
) ||
1021 !s
.ReadUint16LengthPrefixed(&extensions
) ||
1026 for !extensions
.Empty() {
1027 var extension
uint16
1028 var extData cryptobyte
.String
1029 if !extensions
.ReadUint16(&extension
) ||
1030 !extensions
.ReadUint16LengthPrefixed(&extData
) {
1035 case extensionEarlyData
:
1036 if !extData
.ReadUint32(&m
.maxEarlyData
) {
1040 // Ignore unknown extensions.
1044 if !extData
.Empty() {
1052 type certificateRequestMsgTLS13
struct {
1056 supportedSignatureAlgorithms
[]SignatureScheme
1057 supportedSignatureAlgorithmsCert
[]SignatureScheme
1058 certificateAuthorities
[][]byte
1061 func (m
*certificateRequestMsgTLS13
) marshal() []byte {
1066 var b cryptobyte
.Builder
1067 b
.AddUint8(typeCertificateRequest
)
1068 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1069 // certificate_request_context (SHALL be zero length unless used for
1070 // post-handshake authentication)
1073 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1075 b
.AddUint16(extensionStatusRequest
)
1076 b
.AddUint16(0) // empty extension_data
1079 // RFC 8446, Section 4.4.2.1 makes no mention of
1080 // signed_certificate_timestamp in CertificateRequest, but
1081 // "Extensions in the Certificate message from the client MUST
1082 // correspond to extensions in the CertificateRequest message
1083 // from the server." and it appears in the table in Section 4.2.
1084 b
.AddUint16(extensionSCT
)
1085 b
.AddUint16(0) // empty extension_data
1087 if len(m
.supportedSignatureAlgorithms
) > 0 {
1088 b
.AddUint16(extensionSignatureAlgorithms
)
1089 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1090 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1091 for _
, sigAlgo
:= range m
.supportedSignatureAlgorithms
{
1092 b
.AddUint16(uint16(sigAlgo
))
1097 if len(m
.supportedSignatureAlgorithmsCert
) > 0 {
1098 b
.AddUint16(extensionSignatureAlgorithmsCert
)
1099 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1100 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1101 for _
, sigAlgo
:= range m
.supportedSignatureAlgorithmsCert
{
1102 b
.AddUint16(uint16(sigAlgo
))
1107 if len(m
.certificateAuthorities
) > 0 {
1108 b
.AddUint16(extensionCertificateAuthorities
)
1109 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1110 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1111 for _
, ca
:= range m
.certificateAuthorities
{
1112 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1122 m
.raw
= b
.BytesOrPanic()
1126 func (m
*certificateRequestMsgTLS13
) unmarshal(data
[]byte) bool {
1127 *m
= certificateRequestMsgTLS13
{raw
: data
}
1128 s
:= cryptobyte
.String(data
)
1130 var context
, extensions cryptobyte
.String
1131 if !s
.Skip(4) ||
// message type and uint24 length field
1132 !s
.ReadUint8LengthPrefixed(&context
) ||
!context
.Empty() ||
1133 !s
.ReadUint16LengthPrefixed(&extensions
) ||
1138 for !extensions
.Empty() {
1139 var extension
uint16
1140 var extData cryptobyte
.String
1141 if !extensions
.ReadUint16(&extension
) ||
1142 !extensions
.ReadUint16LengthPrefixed(&extData
) {
1147 case extensionStatusRequest
:
1148 m
.ocspStapling
= true
1151 case extensionSignatureAlgorithms
:
1152 var sigAndAlgs cryptobyte
.String
1153 if !extData
.ReadUint16LengthPrefixed(&sigAndAlgs
) || sigAndAlgs
.Empty() {
1156 for !sigAndAlgs
.Empty() {
1157 var sigAndAlg
uint16
1158 if !sigAndAlgs
.ReadUint16(&sigAndAlg
) {
1161 m
.supportedSignatureAlgorithms
= append(
1162 m
.supportedSignatureAlgorithms
, SignatureScheme(sigAndAlg
))
1164 case extensionSignatureAlgorithmsCert
:
1165 var sigAndAlgs cryptobyte
.String
1166 if !extData
.ReadUint16LengthPrefixed(&sigAndAlgs
) || sigAndAlgs
.Empty() {
1169 for !sigAndAlgs
.Empty() {
1170 var sigAndAlg
uint16
1171 if !sigAndAlgs
.ReadUint16(&sigAndAlg
) {
1174 m
.supportedSignatureAlgorithmsCert
= append(
1175 m
.supportedSignatureAlgorithmsCert
, SignatureScheme(sigAndAlg
))
1177 case extensionCertificateAuthorities
:
1178 var auths cryptobyte
.String
1179 if !extData
.ReadUint16LengthPrefixed(&auths
) || auths
.Empty() {
1182 for !auths
.Empty() {
1184 if !readUint16LengthPrefixed(&auths
, &ca
) ||
len(ca
) == 0 {
1187 m
.certificateAuthorities
= append(m
.certificateAuthorities
, ca
)
1190 // Ignore unknown extensions.
1194 if !extData
.Empty() {
1202 type certificateMsg
struct {
1204 certificates
[][]byte
1207 func (m
*certificateMsg
) marshal() (x
[]byte) {
1213 for _
, slice
:= range m
.certificates
{
1217 length
:= 3 + 3*len(m
.certificates
) + i
1218 x
= make([]byte, 4+length
)
1219 x
[0] = typeCertificate
1220 x
[1] = uint8(length
>> 16)
1221 x
[2] = uint8(length
>> 8)
1222 x
[3] = uint8(length
)
1224 certificateOctets
:= length
- 3
1225 x
[4] = uint8(certificateOctets
>> 16)
1226 x
[5] = uint8(certificateOctets
>> 8)
1227 x
[6] = uint8(certificateOctets
)
1230 for _
, slice
:= range m
.certificates
{
1231 y
[0] = uint8(len(slice
) >> 16)
1232 y
[1] = uint8(len(slice
) >> 8)
1233 y
[2] = uint8(len(slice
))
1235 y
= y
[3+len(slice
):]
1242 func (m
*certificateMsg
) unmarshal(data
[]byte) bool {
1248 certsLen
:= uint32(data
[4])<<16 |
uint32(data
[5])<<8 |
uint32(data
[6])
1249 if uint32(len(data
)) != certsLen
+7 {
1259 certLen
:= uint32(d
[0])<<16 |
uint32(d
[1])<<8 |
uint32(d
[2])
1260 if uint32(len(d
)) < 3+certLen
{
1264 certsLen
-= 3 + certLen
1268 m
.certificates
= make([][]byte, numCerts
)
1270 for i
:= 0; i
< numCerts
; i
++ {
1271 certLen
:= uint32(d
[0])<<16 |
uint32(d
[1])<<8 |
uint32(d
[2])
1272 m
.certificates
[i
] = d
[3 : 3+certLen
]
1279 type certificateMsgTLS13
struct {
1281 certificate Certificate
1286 func (m
*certificateMsgTLS13
) marshal() []byte {
1291 var b cryptobyte
.Builder
1292 b
.AddUint8(typeCertificate
)
1293 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1294 b
.AddUint8(0) // certificate_request_context
1296 certificate
:= m
.certificate
1297 if !m
.ocspStapling
{
1298 certificate
.OCSPStaple
= nil
1301 certificate
.SignedCertificateTimestamps
= nil
1303 marshalCertificate(b
, certificate
)
1306 m
.raw
= b
.BytesOrPanic()
1310 func marshalCertificate(b
*cryptobyte
.Builder
, certificate Certificate
) {
1311 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1312 for i
, cert
:= range certificate
.Certificate
{
1313 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1316 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1318 // This library only supports OCSP and SCT for leaf certificates.
1321 if certificate
.OCSPStaple
!= nil {
1322 b
.AddUint16(extensionStatusRequest
)
1323 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1324 b
.AddUint8(statusTypeOCSP
)
1325 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1326 b
.AddBytes(certificate
.OCSPStaple
)
1330 if certificate
.SignedCertificateTimestamps
!= nil {
1331 b
.AddUint16(extensionSCT
)
1332 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1333 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1334 for _
, sct
:= range certificate
.SignedCertificateTimestamps
{
1335 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1347 func (m
*certificateMsgTLS13
) unmarshal(data
[]byte) bool {
1348 *m
= certificateMsgTLS13
{raw
: data
}
1349 s
:= cryptobyte
.String(data
)
1351 var context cryptobyte
.String
1352 if !s
.Skip(4) ||
// message type and uint24 length field
1353 !s
.ReadUint8LengthPrefixed(&context
) ||
!context
.Empty() ||
1354 !unmarshalCertificate(&s
, &m
.certificate
) ||
1359 m
.scts
= m
.certificate
.SignedCertificateTimestamps
!= nil
1360 m
.ocspStapling
= m
.certificate
.OCSPStaple
!= nil
1365 func unmarshalCertificate(s
*cryptobyte
.String
, certificate
*Certificate
) bool {
1366 var certList cryptobyte
.String
1367 if !s
.ReadUint24LengthPrefixed(&certList
) {
1370 for !certList
.Empty() {
1372 var extensions cryptobyte
.String
1373 if !readUint24LengthPrefixed(&certList
, &cert
) ||
1374 !certList
.ReadUint16LengthPrefixed(&extensions
) {
1377 certificate
.Certificate
= append(certificate
.Certificate
, cert
)
1378 for !extensions
.Empty() {
1379 var extension
uint16
1380 var extData cryptobyte
.String
1381 if !extensions
.ReadUint16(&extension
) ||
1382 !extensions
.ReadUint16LengthPrefixed(&extData
) {
1385 if len(certificate
.Certificate
) > 1 {
1386 // This library only supports OCSP and SCT for leaf certificates.
1391 case extensionStatusRequest
:
1392 var statusType
uint8
1393 if !extData
.ReadUint8(&statusType
) || statusType
!= statusTypeOCSP ||
1394 !readUint24LengthPrefixed(&extData
, &certificate
.OCSPStaple
) ||
1395 len(certificate
.OCSPStaple
) == 0 {
1399 var sctList cryptobyte
.String
1400 if !extData
.ReadUint16LengthPrefixed(&sctList
) || sctList
.Empty() {
1403 for !sctList
.Empty() {
1405 if !readUint16LengthPrefixed(&sctList
, &sct
) ||
1409 certificate
.SignedCertificateTimestamps
= append(
1410 certificate
.SignedCertificateTimestamps
, sct
)
1413 // Ignore unknown extensions.
1417 if !extData
.Empty() {
1425 type serverKeyExchangeMsg
struct {
1430 func (m
*serverKeyExchangeMsg
) marshal() []byte {
1434 length
:= len(m
.key
)
1435 x
:= make([]byte, length
+4)
1436 x
[0] = typeServerKeyExchange
1437 x
[1] = uint8(length
>> 16)
1438 x
[2] = uint8(length
>> 8)
1439 x
[3] = uint8(length
)
1446 func (m
*serverKeyExchangeMsg
) unmarshal(data
[]byte) bool {
1455 type certificateStatusMsg
struct {
1460 func (m
*certificateStatusMsg
) marshal() []byte {
1465 var b cryptobyte
.Builder
1466 b
.AddUint8(typeCertificateStatus
)
1467 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1468 b
.AddUint8(statusTypeOCSP
)
1469 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1470 b
.AddBytes(m
.response
)
1474 m
.raw
= b
.BytesOrPanic()
1478 func (m
*certificateStatusMsg
) unmarshal(data
[]byte) bool {
1480 s
:= cryptobyte
.String(data
)
1482 var statusType
uint8
1483 if !s
.Skip(4) ||
// message type and uint24 length field
1484 !s
.ReadUint8(&statusType
) || statusType
!= statusTypeOCSP ||
1485 !readUint24LengthPrefixed(&s
, &m
.response
) ||
1486 len(m
.response
) == 0 ||
!s
.Empty() {
1492 type serverHelloDoneMsg
struct{}
1494 func (m
*serverHelloDoneMsg
) marshal() []byte {
1495 x
:= make([]byte, 4)
1496 x
[0] = typeServerHelloDone
1500 func (m
*serverHelloDoneMsg
) unmarshal(data
[]byte) bool {
1501 return len(data
) == 4
1504 type clientKeyExchangeMsg
struct {
1509 func (m
*clientKeyExchangeMsg
) marshal() []byte {
1513 length
:= len(m
.ciphertext
)
1514 x
:= make([]byte, length
+4)
1515 x
[0] = typeClientKeyExchange
1516 x
[1] = uint8(length
>> 16)
1517 x
[2] = uint8(length
>> 8)
1518 x
[3] = uint8(length
)
1519 copy(x
[4:], m
.ciphertext
)
1525 func (m
*clientKeyExchangeMsg
) unmarshal(data
[]byte) bool {
1530 l
:= int(data
[1])<<16 |
int(data
[2])<<8 |
int(data
[3])
1531 if l
!= len(data
)-4 {
1534 m
.ciphertext
= data
[4:]
1538 type finishedMsg
struct {
1543 func (m
*finishedMsg
) marshal() []byte {
1548 var b cryptobyte
.Builder
1549 b
.AddUint8(typeFinished
)
1550 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1551 b
.AddBytes(m
.verifyData
)
1554 m
.raw
= b
.BytesOrPanic()
1558 func (m
*finishedMsg
) unmarshal(data
[]byte) bool {
1560 s
:= cryptobyte
.String(data
)
1562 readUint24LengthPrefixed(&s
, &m
.verifyData
) &&
1566 type certificateRequestMsg
struct {
1568 // hasSignatureAlgorithm indicates whether this message includes a list of
1569 // supported signature algorithms. This change was introduced with TLS 1.2.
1570 hasSignatureAlgorithm
bool
1572 certificateTypes
[]byte
1573 supportedSignatureAlgorithms
[]SignatureScheme
1574 certificateAuthorities
[][]byte
1577 func (m
*certificateRequestMsg
) marshal() (x
[]byte) {
1582 // See RFC 4346, Section 7.4.4.
1583 length
:= 1 + len(m
.certificateTypes
) + 2
1585 for _
, ca
:= range m
.certificateAuthorities
{
1586 casLength
+= 2 + len(ca
)
1590 if m
.hasSignatureAlgorithm
{
1591 length
+= 2 + 2*len(m
.supportedSignatureAlgorithms
)
1594 x
= make([]byte, 4+length
)
1595 x
[0] = typeCertificateRequest
1596 x
[1] = uint8(length
>> 16)
1597 x
[2] = uint8(length
>> 8)
1598 x
[3] = uint8(length
)
1600 x
[4] = uint8(len(m
.certificateTypes
))
1602 copy(x
[5:], m
.certificateTypes
)
1603 y
:= x
[5+len(m
.certificateTypes
):]
1605 if m
.hasSignatureAlgorithm
{
1606 n
:= len(m
.supportedSignatureAlgorithms
) * 2
1607 y
[0] = uint8(n
>> 8)
1610 for _
, sigAlgo
:= range m
.supportedSignatureAlgorithms
{
1611 y
[0] = uint8(sigAlgo
>> 8)
1612 y
[1] = uint8(sigAlgo
)
1617 y
[0] = uint8(casLength
>> 8)
1618 y
[1] = uint8(casLength
)
1620 for _
, ca
:= range m
.certificateAuthorities
{
1621 y
[0] = uint8(len(ca
) >> 8)
1622 y
[1] = uint8(len(ca
))
1632 func (m
*certificateRequestMsg
) unmarshal(data
[]byte) bool {
1639 length
:= uint32(data
[1])<<16 |
uint32(data
[2])<<8 |
uint32(data
[3])
1640 if uint32(len(data
))-4 != length
{
1644 numCertTypes
:= int(data
[4])
1646 if numCertTypes
== 0 ||
len(data
) <= numCertTypes
{
1650 m
.certificateTypes
= make([]byte, numCertTypes
)
1651 if copy(m
.certificateTypes
, data
) != numCertTypes
{
1655 data
= data
[numCertTypes
:]
1657 if m
.hasSignatureAlgorithm
{
1661 sigAndHashLen
:= uint16(data
[0])<<8 |
uint16(data
[1])
1663 if sigAndHashLen
&1 != 0 {
1666 if len(data
) < int(sigAndHashLen
) {
1669 numSigAlgos
:= sigAndHashLen
/ 2
1670 m
.supportedSignatureAlgorithms
= make([]SignatureScheme
, numSigAlgos
)
1671 for i
:= range m
.supportedSignatureAlgorithms
{
1672 m
.supportedSignatureAlgorithms
[i
] = SignatureScheme(data
[0])<<8 |
SignatureScheme(data
[1])
1680 casLength
:= uint16(data
[0])<<8 |
uint16(data
[1])
1682 if len(data
) < int(casLength
) {
1685 cas
:= make([]byte, casLength
)
1687 data
= data
[casLength
:]
1689 m
.certificateAuthorities
= nil
1694 caLen
:= uint16(cas
[0])<<8 |
uint16(cas
[1])
1697 if len(cas
) < int(caLen
) {
1701 m
.certificateAuthorities
= append(m
.certificateAuthorities
, cas
[:caLen
])
1705 return len(data
) == 0
1708 type certificateVerifyMsg
struct {
1710 hasSignatureAlgorithm
bool // format change introduced in TLS 1.2
1711 signatureAlgorithm SignatureScheme
1715 func (m
*certificateVerifyMsg
) marshal() (x
[]byte) {
1720 var b cryptobyte
.Builder
1721 b
.AddUint8(typeCertificateVerify
)
1722 b
.AddUint24LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1723 if m
.hasSignatureAlgorithm
{
1724 b
.AddUint16(uint16(m
.signatureAlgorithm
))
1726 b
.AddUint16LengthPrefixed(func(b
*cryptobyte
.Builder
) {
1727 b
.AddBytes(m
.signature
)
1731 m
.raw
= b
.BytesOrPanic()
1735 func (m
*certificateVerifyMsg
) unmarshal(data
[]byte) bool {
1737 s
:= cryptobyte
.String(data
)
1739 if !s
.Skip(4) { // message type and uint24 length field
1742 if m
.hasSignatureAlgorithm
{
1743 if !s
.ReadUint16((*uint16)(&m
.signatureAlgorithm
)) {
1747 return readUint16LengthPrefixed(&s
, &m
.signature
) && s
.Empty()
1750 type newSessionTicketMsg
struct {
1755 func (m
*newSessionTicketMsg
) marshal() (x
[]byte) {
1760 // See RFC 5077, Section 3.3.
1761 ticketLen
:= len(m
.ticket
)
1762 length
:= 2 + 4 + ticketLen
1763 x
= make([]byte, 4+length
)
1764 x
[0] = typeNewSessionTicket
1765 x
[1] = uint8(length
>> 16)
1766 x
[2] = uint8(length
>> 8)
1767 x
[3] = uint8(length
)
1768 x
[8] = uint8(ticketLen
>> 8)
1769 x
[9] = uint8(ticketLen
)
1770 copy(x
[10:], m
.ticket
)
1777 func (m
*newSessionTicketMsg
) unmarshal(data
[]byte) bool {
1784 length
:= uint32(data
[1])<<16 |
uint32(data
[2])<<8 |
uint32(data
[3])
1785 if uint32(len(data
))-4 != length
{
1789 ticketLen
:= int(data
[8])<<8 + int(data
[9])
1790 if len(data
)-10 != ticketLen
{
1794 m
.ticket
= data
[10:]
1799 type helloRequestMsg
struct {
1802 func (*helloRequestMsg
) marshal() []byte {
1803 return []byte{typeHelloRequest
, 0, 0, 0}
1806 func (*helloRequestMsg
) unmarshal(data
[]byte) bool {
1807 return len(data
) == 4