handshake_messages.go

Documentation: github.com/tjfoc/gmsm/gmtls

     1  /*
     2  Copyright Suzhou Tongji Fintech Research Institute 2017 All Rights Reserved.
     3  Licensed under the Apache License, Version 2.0 (the "License");
     4  you may not use this file except in compliance with the License.
     5  You may obtain a copy of the License at
     6  
     7  	http://www.apache.org/licenses/LICENSE-2.0
     8  
     9  Unless required by applicable law or agreed to in writing, software
    10  distributed under the License is distributed on an "AS IS" BASIS,
    11  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  See the License for the specific language governing permissions and
    13  limitations under the License.
    14  */
    15  
    16  package gmtls
    17  
    18  import "bytes"
    19  
    20  type clientHelloMsg struct {
    21  	raw                          []byte
    22  	vers                         uint16
    23  	random                       []byte
    24  	sessionId                    []byte
    25  	cipherSuites                 []uint16
    26  	compressionMethods           []uint8
    27  	nextProtoNeg                 bool
    28  	serverName                   string
    29  	ocspStapling                 bool
    30  	scts                         bool
    31  	supportedCurves              []CurveID
    32  	supportedPoints              []uint8
    33  	ticketSupported              bool
    34  	sessionTicket                []uint8
    35  	supportedSignatureAlgorithms []SignatureScheme
    36  	secureRenegotiation          []byte
    37  	secureRenegotiationSupported bool
    38  	alpnProtocols                []string
    39  }
    40  
    41  func (m *clientHelloMsg) equal(i interface{}) bool {
    42  	m1, ok := i.(*clientHelloMsg)
    43  	if !ok {
    44  		return false
    45  	}
    46  
    47  	return bytes.Equal(m.raw, m1.raw) &&
    48  		m.vers == m1.vers &&
    49  		bytes.Equal(m.random, m1.random) &&
    50  		bytes.Equal(m.sessionId, m1.sessionId) &&
    51  		eqUint16s(m.cipherSuites, m1.cipherSuites) &&
    52  		bytes.Equal(m.compressionMethods, m1.compressionMethods) &&
    53  		m.nextProtoNeg == m1.nextProtoNeg &&
    54  		m.serverName == m1.serverName &&
    55  		m.ocspStapling == m1.ocspStapling &&
    56  		m.scts == m1.scts &&
    57  		eqCurveIDs(m.supportedCurves, m1.supportedCurves) &&
    58  		bytes.Equal(m.supportedPoints, m1.supportedPoints) &&
    59  		m.ticketSupported == m1.ticketSupported &&
    60  		bytes.Equal(m.sessionTicket, m1.sessionTicket) &&
    61  		eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms) &&
    62  		m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
    63  		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
    64  		eqStrings(m.alpnProtocols, m1.alpnProtocols)
    65  }
    66  
    67  func (m *clientHelloMsg) marshal() []byte {
    68  	if m.raw != nil {
    69  		return m.raw
    70  	}
    71  
    72  	length := 2 + 32 + 1 + len(m.sessionId) + 2 + len(m.cipherSuites)*2 + 1 + len(m.compressionMethods)
    73  	numExtensions := 0
    74  	extensionsLength := 0
    75  	if m.nextProtoNeg {
    76  		numExtensions++
    77  	}
    78  	if m.ocspStapling {
    79  		extensionsLength += 1 + 2 + 2
    80  		numExtensions++
    81  	}
    82  	if len(m.serverName) > 0 {
    83  		extensionsLength += 5 + len(m.serverName)
    84  		numExtensions++
    85  	}
    86  	if len(m.supportedCurves) > 0 {
    87  		extensionsLength += 2 + 2*len(m.supportedCurves)
    88  		numExtensions++
    89  	}
    90  	if len(m.supportedPoints) > 0 {
    91  		extensionsLength += 1 + len(m.supportedPoints)
    92  		numExtensions++
    93  	}
    94  	if m.ticketSupported {
    95  		extensionsLength += len(m.sessionTicket)
    96  		numExtensions++
    97  	}
    98  	if len(m.supportedSignatureAlgorithms) > 0 {
    99  		extensionsLength += 2 + 2*len(m.supportedSignatureAlgorithms)
   100  		numExtensions++
   101  	}
   102  	if m.secureRenegotiationSupported {
   103  		extensionsLength += 1 + len(m.secureRenegotiation)
   104  		numExtensions++
   105  	}
   106  	if len(m.alpnProtocols) > 0 {
   107  		extensionsLength += 2
   108  		for _, s := range m.alpnProtocols {
   109  			if l := len(s); l == 0 || l > 255 {
   110  				panic("invalid ALPN protocol")
   111  			}
   112  			extensionsLength++
   113  			extensionsLength += len(s)
   114  		}
   115  		numExtensions++
   116  	}
   117  	if m.scts {
   118  		numExtensions++
   119  	}
   120  	if numExtensions > 0 {
   121  		extensionsLength += 4 * numExtensions
   122  		length += 2 + extensionsLength
   123  	}
   124  
   125  	x := make([]byte, 4+length)
   126  	x[0] = typeClientHello
   127  	x[1] = uint8(length >> 16)
   128  	x[2] = uint8(length >> 8)
   129  	x[3] = uint8(length)
   130  	x[4] = uint8(m.vers >> 8)
   131  	x[5] = uint8(m.vers)
   132  	copy(x[6:38], m.random)
   133  	x[38] = uint8(len(m.sessionId))
   134  	copy(x[39:39+len(m.sessionId)], m.sessionId)
   135  	y := x[39+len(m.sessionId):]
   136  	y[0] = uint8(len(m.cipherSuites) >> 7)
   137  	y[1] = uint8(len(m.cipherSuites) << 1)
   138  	for i, suite := range m.cipherSuites {
   139  		y[2+i*2] = uint8(suite >> 8)
   140  		y[3+i*2] = uint8(suite)
   141  	}
   142  	z := y[2+len(m.cipherSuites)*2:]
   143  	z[0] = uint8(len(m.compressionMethods))
   144  	copy(z[1:], m.compressionMethods)
   145  
   146  	z = z[1+len(m.compressionMethods):]
   147  	if numExtensions > 0 {
   148  		z[0] = byte(extensionsLength >> 8)
   149  		z[1] = byte(extensionsLength)
   150  		z = z[2:]
   151  	}
   152  	if m.nextProtoNeg {
   153  		z[0] = byte(extensionNextProtoNeg >> 8)
   154  		z[1] = byte(extensionNextProtoNeg & 0xff)
   155  		// The length is always 0
   156  		z = z[4:]
   157  	}
   158  	if len(m.serverName) > 0 {
   159  		z[0] = byte(extensionServerName >> 8)
   160  		z[1] = byte(extensionServerName & 0xff)
   161  		l := len(m.serverName) + 5
   162  		z[2] = byte(l >> 8)
   163  		z[3] = byte(l)
   164  		z = z[4:]
   165  
   166  		// RFC 3546, section 3.1
   167  		//
   168  		// struct {
   169  		//     NameType name_type;
   170  		//     select (name_type) {
   171  		//         case host_name: HostName;
   172  		//     } name;
   173  		// } ServerName;
   174  		//
   175  		// enum {
   176  		//     host_name(0), (255)
   177  		// } NameType;
   178  		//
   179  		// opaque HostName<1..2^16-1>;
   180  		//
   181  		// struct {
   182  		//     ServerName server_name_list<1..2^16-1>
   183  		// } ServerNameList;
   184  
   185  		z[0] = byte((len(m.serverName) + 3) >> 8)
   186  		z[1] = byte(len(m.serverName) + 3)
   187  		z[3] = byte(len(m.serverName) >> 8)
   188  		z[4] = byte(len(m.serverName))
   189  		copy(z[5:], []byte(m.serverName))
   190  		z = z[l:]
   191  	}
   192  	if m.ocspStapling {
   193  		// RFC 4366, section 3.6
   194  		z[0] = byte(extensionStatusRequest >> 8)
   195  		z[1] = byte(extensionStatusRequest)
   196  		z[2] = 0
   197  		z[3] = 5
   198  		z[4] = 1 // OCSP type
   199  		// Two zero valued uint16s for the two lengths.
   200  		z = z[9:]
   201  	}
   202  	if len(m.supportedCurves) > 0 {
   203  		// http://tools.ietf.org/html/rfc4492#section-5.5.1
   204  		z[0] = byte(extensionSupportedCurves >> 8)
   205  		z[1] = byte(extensionSupportedCurves)
   206  		l := 2 + 2*len(m.supportedCurves)
   207  		z[2] = byte(l >> 8)
   208  		z[3] = byte(l)
   209  		l -= 2
   210  		z[4] = byte(l >> 8)
   211  		z[5] = byte(l)
   212  		z = z[6:]
   213  		for _, curve := range m.supportedCurves {
   214  			z[0] = byte(curve >> 8)
   215  			z[1] = byte(curve)
   216  			z = z[2:]
   217  		}
   218  	}
   219  	if len(m.supportedPoints) > 0 {
   220  		// http://tools.ietf.org/html/rfc4492#section-5.5.2
   221  		z[0] = byte(extensionSupportedPoints >> 8)
   222  		z[1] = byte(extensionSupportedPoints)
   223  		l := 1 + len(m.supportedPoints)
   224  		z[2] = byte(l >> 8)
   225  		z[3] = byte(l)
   226  		l--
   227  		z[4] = byte(l)
   228  		z = z[5:]
   229  		for _, pointFormat := range m.supportedPoints {
   230  			z[0] = pointFormat
   231  			z = z[1:]
   232  		}
   233  	}
   234  	if m.ticketSupported {
   235  		// http://tools.ietf.org/html/rfc5077#section-3.2
   236  		z[0] = byte(extensionSessionTicket >> 8)
   237  		z[1] = byte(extensionSessionTicket)
   238  		l := len(m.sessionTicket)
   239  		z[2] = byte(l >> 8)
   240  		z[3] = byte(l)
   241  		z = z[4:]
   242  		copy(z, m.sessionTicket)
   243  		z = z[len(m.sessionTicket):]
   244  	}
   245  	if len(m.supportedSignatureAlgorithms) > 0 {
   246  		// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
   247  		z[0] = byte(extensionSignatureAlgorithms >> 8)
   248  		z[1] = byte(extensionSignatureAlgorithms)
   249  		l := 2 + 2*len(m.supportedSignatureAlgorithms)
   250  		z[2] = byte(l >> 8)
   251  		z[3] = byte(l)
   252  		z = z[4:]
   253  
   254  		l -= 2
   255  		z[0] = byte(l >> 8)
   256  		z[1] = byte(l)
   257  		z = z[2:]
   258  		for _, sigAlgo := range m.supportedSignatureAlgorithms {
   259  			z[0] = byte(sigAlgo >> 8)
   260  			z[1] = byte(sigAlgo)
   261  			z = z[2:]
   262  		}
   263  	}
   264  	if m.secureRenegotiationSupported {
   265  		z[0] = byte(extensionRenegotiationInfo >> 8)
   266  		z[1] = byte(extensionRenegotiationInfo & 0xff)
   267  		z[2] = 0
   268  		z[3] = byte(len(m.secureRenegotiation) + 1)
   269  		z[4] = byte(len(m.secureRenegotiation))
   270  		z = z[5:]
   271  		copy(z, m.secureRenegotiation)
   272  		z = z[len(m.secureRenegotiation):]
   273  	}
   274  	if len(m.alpnProtocols) > 0 {
   275  		z[0] = byte(extensionALPN >> 8)
   276  		z[1] = byte(extensionALPN & 0xff)
   277  		lengths := z[2:]
   278  		z = z[6:]
   279  
   280  		stringsLength := 0
   281  		for _, s := range m.alpnProtocols {
   282  			l := len(s)
   283  			z[0] = byte(l)
   284  			copy(z[1:], s)
   285  			z = z[1+l:]
   286  			stringsLength += 1 + l
   287  		}
   288  
   289  		lengths[2] = byte(stringsLength >> 8)
   290  		lengths[3] = byte(stringsLength)
   291  		stringsLength += 2
   292  		lengths[0] = byte(stringsLength >> 8)
   293  		lengths[1] = byte(stringsLength)
   294  	}
   295  	if m.scts {
   296  		// https://tools.ietf.org/html/rfc6962#section-3.3.1
   297  		z[0] = byte(extensionSCT >> 8)
   298  		z[1] = byte(extensionSCT)
   299  		// zero uint16 for the zero-length extension_data
   300  		z = z[4:]
   301  	}
   302  
   303  	m.raw = x
   304  
   305  	return x
   306  }
   307  
   308  func (m *clientHelloMsg) unmarshal(data []byte) bool {
   309  	if len(data) < 42 {
   310  		return false
   311  	}
   312  	m.raw = data
   313  	m.vers = uint16(data[4])<<8 | uint16(data[5])
   314  	m.random = data[6:38]
   315  	sessionIdLen := int(data[38])
   316  	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
   317  		return false
   318  	}
   319  	m.sessionId = data[39 : 39+sessionIdLen]
   320  	data = data[39+sessionIdLen:]
   321  	if len(data) < 2 {
   322  		return false
   323  	}
   324  	// cipherSuiteLen is the number of bytes of cipher suite numbers. Since
   325  	// they are uint16s, the number must be even.
   326  	cipherSuiteLen := int(data[0])<<8 | int(data[1])
   327  	if cipherSuiteLen%2 == 1 || len(data) < 2+cipherSuiteLen {
   328  		return false
   329  	}
   330  	numCipherSuites := cipherSuiteLen / 2
   331  	m.cipherSuites = make([]uint16, numCipherSuites)
   332  	for i := 0; i < numCipherSuites; i++ {
   333  		m.cipherSuites[i] = uint16(data[2+2*i])<<8 | uint16(data[3+2*i])
   334  		if m.cipherSuites[i] == scsvRenegotiation {
   335  			m.secureRenegotiationSupported = true
   336  		}
   337  	}
   338  	data = data[2+cipherSuiteLen:]
   339  	if len(data) < 1 {
   340  		return false
   341  	}
   342  	compressionMethodsLen := int(data[0])
   343  	if len(data) < 1+compressionMethodsLen {
   344  		return false
   345  	}
   346  	m.compressionMethods = data[1 : 1+compressionMethodsLen]
   347  
   348  	data = data[1+compressionMethodsLen:]
   349  
   350  	m.nextProtoNeg = false
   351  	m.serverName = ""
   352  	m.ocspStapling = false
   353  	m.ticketSupported = false
   354  	m.sessionTicket = nil
   355  	m.supportedSignatureAlgorithms = nil
   356  	m.alpnProtocols = nil
   357  	m.scts = false
   358  
   359  	if len(data) == 0 {
   360  		// ClientHello is optionally followed by extension data
   361  		return true
   362  	}
   363  	if len(data) < 2 {
   364  		return false
   365  	}
   366  
   367  	extensionsLength := int(data[0])<<8 | int(data[1])
   368  	data = data[2:]
   369  	if extensionsLength != len(data) {
   370  		return false
   371  	}
   372  
   373  	for len(data) != 0 {
   374  		if len(data) < 4 {
   375  			return false
   376  		}
   377  		extension := uint16(data[0])<<8 | uint16(data[1])
   378  		length := int(data[2])<<8 | int(data[3])
   379  		data = data[4:]
   380  		if len(data) < length {
   381  			return false
   382  		}
   383  
   384  		switch extension {
   385  		case extensionServerName:
   386  			d := data[:length]
   387  			if len(d) < 2 {
   388  				return false
   389  			}
   390  			namesLen := int(d[0])<<8 | int(d[1])
   391  			d = d[2:]
   392  			if len(d) != namesLen {
   393  				return false
   394  			}
   395  			for len(d) > 0 {
   396  				if len(d) < 3 {
   397  					return false
   398  				}
   399  				nameType := d[0]
   400  				nameLen := int(d[1])<<8 | int(d[2])
   401  				d = d[3:]
   402  				if len(d) < nameLen {
   403  					return false
   404  				}
   405  				if nameType == 0 {
   406  					m.serverName = string(d[:nameLen])
   407  					break
   408  				}
   409  				d = d[nameLen:]
   410  			}
   411  		case extensionNextProtoNeg:
   412  			if length > 0 {
   413  				return false
   414  			}
   415  			m.nextProtoNeg = true
   416  		case extensionStatusRequest:
   417  			m.ocspStapling = length > 0 && data[0] == statusTypeOCSP
   418  		case extensionSupportedCurves:
   419  			// http://tools.ietf.org/html/rfc4492#section-5.5.1
   420  			if length < 2 {
   421  				return false
   422  			}
   423  			l := int(data[0])<<8 | int(data[1])
   424  			if l%2 == 1 || length != l+2 {
   425  				return false
   426  			}
   427  			numCurves := l / 2
   428  			m.supportedCurves = make([]CurveID, numCurves)
   429  			d := data[2:]
   430  			for i := 0; i < numCurves; i++ {
   431  				m.supportedCurves[i] = CurveID(d[0])<<8 | CurveID(d[1])
   432  				d = d[2:]
   433  			}
   434  		case extensionSupportedPoints:
   435  			// http://tools.ietf.org/html/rfc4492#section-5.5.2
   436  			if length < 1 {
   437  				return false
   438  			}
   439  			l := int(data[0])
   440  			if length != l+1 {
   441  				return false
   442  			}
   443  			m.supportedPoints = make([]uint8, l)
   444  			copy(m.supportedPoints, data[1:])
   445  		case extensionSessionTicket:
   446  			// http://tools.ietf.org/html/rfc5077#section-3.2
   447  			m.ticketSupported = true
   448  			m.sessionTicket = data[:length]
   449  		case extensionSignatureAlgorithms:
   450  			// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
   451  			if length < 2 || length&1 != 0 {
   452  				return false
   453  			}
   454  			l := int(data[0])<<8 | int(data[1])
   455  			if l != length-2 {
   456  				return false
   457  			}
   458  			n := l / 2
   459  			d := data[2:]
   460  			m.supportedSignatureAlgorithms = make([]SignatureScheme, n)
   461  			for i := range m.supportedSignatureAlgorithms {
   462  				m.supportedSignatureAlgorithms[i] = SignatureScheme(d[0])<<8 | SignatureScheme(d[1])
   463  				d = d[2:]
   464  			
   465  			}
   466  		case extensionRenegotiationInfo:
   467  			if length == 0 {
   468  				return false
   469  			}
   470  			d := data[:length]
   471  			l := int(d[0])
   472  			d = d[1:]
   473  			if l != len(d) {
   474  				return false
   475  			}
   476  
   477  			m.secureRenegotiation = d
   478  			m.secureRenegotiationSupported = true
   479  		case extensionALPN:
   480  			if length < 2 {
   481  				return false
   482  			}
   483  			l := int(data[0])<<8 | int(data[1])
   484  			if l != length-2 {
   485  				return false
   486  			}
   487  			d := data[2:length]
   488  			for len(d) != 0 {
   489  				stringLen := int(d[0])
   490  				d = d[1:]
   491  				if stringLen == 0 || stringLen > len(d) {
   492  					return false
   493  				}
   494  				m.alpnProtocols = append(m.alpnProtocols, string(d[:stringLen]))
   495  				d = d[stringLen:]
   496  			}
   497  		case extensionSCT:
   498  			m.scts = true
   499  			if length != 0 {
   500  				return false
   501  			}
   502  		}
   503  		data = data[length:]
   504  	}
   505  
   506  	return true
   507  }
   508  
   509  type serverHelloMsg struct {
   510  	raw                          []byte
   511  	vers                         uint16
   512  	random                       []byte
   513  	sessionId                    []byte
   514  	cipherSuite                  uint16
   515  	compressionMethod            uint8
   516  	nextProtoNeg                 bool
   517  	nextProtos                   []string
   518  	ocspStapling                 bool
   519  	scts                         [][]byte
   520  	ticketSupported              bool
   521  	secureRenegotiation          []byte
   522  	secureRenegotiationSupported bool
   523  	alpnProtocol                 string
   524  }
   525  
   526  func (m *serverHelloMsg) equal(i interface{}) bool {
   527  	m1, ok := i.(*serverHelloMsg)
   528  	if !ok {
   529  		return false
   530  	}
   531  
   532  	if len(m.scts) != len(m1.scts) {
   533  		return false
   534  	}
   535  	for i, sct := range m.scts {
   536  		if !bytes.Equal(sct, m1.scts[i]) {
   537  			return false
   538  		}
   539  	}
   540  
   541  	return bytes.Equal(m.raw, m1.raw) &&
   542  		m.vers == m1.vers &&
   543  		bytes.Equal(m.random, m1.random) &&
   544  		bytes.Equal(m.sessionId, m1.sessionId) &&
   545  		m.cipherSuite == m1.cipherSuite &&
   546  		m.compressionMethod == m1.compressionMethod &&
   547  		m.nextProtoNeg == m1.nextProtoNeg &&
   548  		eqStrings(m.nextProtos, m1.nextProtos) &&
   549  		m.ocspStapling == m1.ocspStapling &&
   550  		m.ticketSupported == m1.ticketSupported &&
   551  		m.secureRenegotiationSupported == m1.secureRenegotiationSupported &&
   552  		bytes.Equal(m.secureRenegotiation, m1.secureRenegotiation) &&
   553  		m.alpnProtocol == m1.alpnProtocol
   554  }
   555  
   556  func (m *serverHelloMsg) marshal() []byte {
   557  	if m.raw != nil {
   558  		return m.raw
   559  	}
   560  
   561  	length := 38 + len(m.sessionId)
   562  	numExtensions := 0
   563  	extensionsLength := 0
   564  
   565  	nextProtoLen := 0
   566  	if m.nextProtoNeg {
   567  		numExtensions++
   568  		for _, v := range m.nextProtos {
   569  			nextProtoLen += len(v)
   570  		}
   571  		nextProtoLen += len(m.nextProtos)
   572  		extensionsLength += nextProtoLen
   573  	}
   574  	if m.ocspStapling {
   575  		numExtensions++
   576  	}
   577  	if m.ticketSupported {
   578  		numExtensions++
   579  	}
   580  	if m.secureRenegotiationSupported {
   581  		extensionsLength += 1 + len(m.secureRenegotiation)
   582  		numExtensions++
   583  	}
   584  	if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
   585  		if alpnLen >= 256 {
   586  			panic("invalid ALPN protocol")
   587  		}
   588  		extensionsLength += 2 + 1 + alpnLen
   589  		numExtensions++
   590  	}
   591  	sctLen := 0
   592  	if len(m.scts) > 0 {
   593  		for _, sct := range m.scts {
   594  			sctLen += len(sct) + 2
   595  		}
   596  		extensionsLength += 2 + sctLen
   597  		numExtensions++
   598  	}
   599  
   600  	if numExtensions > 0 {
   601  		extensionsLength += 4 * numExtensions
   602  		length += 2 + extensionsLength
   603  	}
   604  
   605  	x := make([]byte, 4+length)
   606  	x[0] = typeServerHello
   607  	x[1] = uint8(length >> 16)
   608  	x[2] = uint8(length >> 8)
   609  	x[3] = uint8(length)
   610  	x[4] = uint8(m.vers >> 8)
   611  	x[5] = uint8(m.vers)
   612  	copy(x[6:38], m.random)
   613  	x[38] = uint8(len(m.sessionId))
   614  	copy(x[39:39+len(m.sessionId)], m.sessionId)
   615  	z := x[39+len(m.sessionId):]
   616  	z[0] = uint8(m.cipherSuite >> 8)
   617  	z[1] = uint8(m.cipherSuite)
   618  	z[2] = m.compressionMethod
   619  
   620  	z = z[3:]
   621  	if numExtensions > 0 {
   622  		z[0] = byte(extensionsLength >> 8)
   623  		z[1] = byte(extensionsLength)
   624  		z = z[2:]
   625  	}
   626  	if m.nextProtoNeg {
   627  		z[0] = byte(extensionNextProtoNeg >> 8)
   628  		z[1] = byte(extensionNextProtoNeg & 0xff)
   629  		z[2] = byte(nextProtoLen >> 8)
   630  		z[3] = byte(nextProtoLen)
   631  		z = z[4:]
   632  
   633  		for _, v := range m.nextProtos {
   634  			l := len(v)
   635  			if l > 255 {
   636  				l = 255
   637  			}
   638  			z[0] = byte(l)
   639  			copy(z[1:], []byte(v[0:l]))
   640  			z = z[1+l:]
   641  		}
   642  	}
   643  	if m.ocspStapling {
   644  		z[0] = byte(extensionStatusRequest >> 8)
   645  		z[1] = byte(extensionStatusRequest)
   646  		z = z[4:]
   647  	}
   648  	if m.ticketSupported {
   649  		z[0] = byte(extensionSessionTicket >> 8)
   650  		z[1] = byte(extensionSessionTicket)
   651  		z = z[4:]
   652  	}
   653  	if m.secureRenegotiationSupported {
   654  		z[0] = byte(extensionRenegotiationInfo >> 8)
   655  		z[1] = byte(extensionRenegotiationInfo & 0xff)
   656  		z[2] = 0
   657  		z[3] = byte(len(m.secureRenegotiation) + 1)
   658  		z[4] = byte(len(m.secureRenegotiation))
   659  		z = z[5:]
   660  		copy(z, m.secureRenegotiation)
   661  		z = z[len(m.secureRenegotiation):]
   662  	}
   663  	if alpnLen := len(m.alpnProtocol); alpnLen > 0 {
   664  		z[0] = byte(extensionALPN >> 8)
   665  		z[1] = byte(extensionALPN & 0xff)
   666  		l := 2 + 1 + alpnLen
   667  		z[2] = byte(l >> 8)
   668  		z[3] = byte(l)
   669  		l -= 2
   670  		z[4] = byte(l >> 8)
   671  		z[5] = byte(l)
   672  		l -= 1
   673  		z[6] = byte(l)
   674  		copy(z[7:], []byte(m.alpnProtocol))
   675  		z = z[7+alpnLen:]
   676  	}
   677  	if sctLen > 0 {
   678  		z[0] = byte(extensionSCT >> 8)
   679  		z[1] = byte(extensionSCT)
   680  		l := sctLen + 2
   681  		z[2] = byte(l >> 8)
   682  		z[3] = byte(l)
   683  		z[4] = byte(sctLen >> 8)
   684  		z[5] = byte(sctLen)
   685  
   686  		z = z[6:]
   687  		for _, sct := range m.scts {
   688  			z[0] = byte(len(sct) >> 8)
   689  			z[1] = byte(len(sct))
   690  			copy(z[2:], sct)
   691  			z = z[len(sct)+2:]
   692  		}
   693  	}
   694  
   695  	m.raw = x
   696  
   697  	return x
   698  }
   699  
   700  func (m *serverHelloMsg) unmarshal(data []byte) bool {
   701  	if len(data) < 42 {
   702  		return false
   703  	}
   704  	m.raw = data
   705  	m.vers = uint16(data[4])<<8 | uint16(data[5])
   706  	m.random = data[6:38]
   707  	sessionIdLen := int(data[38])
   708  	if sessionIdLen > 32 || len(data) < 39+sessionIdLen {
   709  		return false
   710  	}
   711  	m.sessionId = data[39 : 39+sessionIdLen]
   712  	data = data[39+sessionIdLen:]
   713  	if len(data) < 3 {
   714  		return false
   715  	}
   716  	m.cipherSuite = uint16(data[0])<<8 | uint16(data[1])
   717  	m.compressionMethod = data[2]
   718  	data = data[3:]
   719  
   720  	m.nextProtoNeg = false
   721  	m.nextProtos = nil
   722  	m.ocspStapling = false
   723  	m.scts = nil
   724  	m.ticketSupported = false
   725  	m.alpnProtocol = ""
   726  
   727  	if len(data) == 0 {
   728  		// ServerHello is optionally followed by extension data
   729  		return true
   730  	}
   731  	if len(data) < 2 {
   732  		return false
   733  	}
   734  
   735  	extensionsLength := int(data[0])<<8 | int(data[1])
   736  	data = data[2:]
   737  	if len(data) != extensionsLength {
   738  		return false
   739  	}
   740  
   741  	for len(data) != 0 {
   742  		if len(data) < 4 {
   743  			return false
   744  		}
   745  		extension := uint16(data[0])<<8 | uint16(data[1])
   746  		length := int(data[2])<<8 | int(data[3])
   747  		data = data[4:]
   748  		if len(data) < length {
   749  			return false
   750  		}
   751  
   752  		switch extension {
   753  		case extensionNextProtoNeg:
   754  			m.nextProtoNeg = true
   755  			d := data[:length]
   756  			for len(d) > 0 {
   757  				l := int(d[0])
   758  				d = d[1:]
   759  				if l == 0 || l > len(d) {
   760  					return false
   761  				}
   762  				m.nextProtos = append(m.nextProtos, string(d[:l]))
   763  				d = d[l:]
   764  			}
   765  		case extensionStatusRequest:
   766  			if length > 0 {
   767  				return false
   768  			}
   769  			m.ocspStapling = true
   770  		case extensionSessionTicket:
   771  			if length > 0 {
   772  				return false
   773  			}
   774  			m.ticketSupported = true
   775  		case extensionRenegotiationInfo:
   776  			if length == 0 {
   777  				return false
   778  			}
   779  			d := data[:length]
   780  			l := int(d[0])
   781  			d = d[1:]
   782  			if l != len(d) {
   783  				return false
   784  			}
   785  
   786  			m.secureRenegotiation = d
   787  			m.secureRenegotiationSupported = true
   788  		case extensionALPN:
   789  			d := data[:length]
   790  			if len(d) < 3 {
   791  				return false
   792  			}
   793  			l := int(d[0])<<8 | int(d[1])
   794  			if l != len(d)-2 {
   795  				return false
   796  			}
   797  			d = d[2:]
   798  			l = int(d[0])
   799  			if l != len(d)-1 {
   800  				return false
   801  			}
   802  			d = d[1:]
   803  			if len(d) == 0 {
   804  				// ALPN protocols must not be empty.
   805  				return false
   806  			}
   807  			m.alpnProtocol = string(d)
   808  		case extensionSCT:
   809  			d := data[:length]
   810  
   811  			if len(d) < 2 {
   812  				return false
   813  			}
   814  			l := int(d[0])<<8 | int(d[1])
   815  			d = d[2:]
   816  			if len(d) != l || l == 0 {
   817  				return false
   818  			}
   819  
   820  			m.scts = make([][]byte, 0, 3)
   821  			for len(d) != 0 {
   822  				if len(d) < 2 {
   823  					return false
   824  				}
   825  				sctLen := int(d[0])<<8 | int(d[1])
   826  				d = d[2:]
   827  				if sctLen == 0 || len(d) < sctLen {
   828  					return false
   829  				}
   830  				m.scts = append(m.scts, d[:sctLen])
   831  				d = d[sctLen:]
   832  			}
   833  		}
   834  		data = data[length:]
   835  	}
   836  
   837  	return true
   838  }
   839  
   840  type certificateMsg struct {
   841  	raw          []byte
   842  	certificates [][]byte
   843  }
   844  
   845  func (m *certificateMsg) equal(i interface{}) bool {
   846  	m1, ok := i.(*certificateMsg)
   847  	if !ok {
   848  		return false
   849  	}
   850  
   851  	return bytes.Equal(m.raw, m1.raw) &&
   852  		eqByteSlices(m.certificates, m1.certificates)
   853  }
   854  
   855  func (m *certificateMsg) marshal() (x []byte) {
   856  	if m.raw != nil {
   857  		return m.raw
   858  	}
   859  
   860  	var i int
   861  	for _, slice := range m.certificates {
   862  		i += len(slice)
   863  	}
   864  
   865  	length := 3 + 3*len(m.certificates) + i
   866  	x = make([]byte, 4+length)
   867  	x[0] = typeCertificate
   868  	x[1] = uint8(length >> 16)
   869  	x[2] = uint8(length >> 8)
   870  	x[3] = uint8(length)
   871  
   872  	certificateOctets := length - 3
   873  	x[4] = uint8(certificateOctets >> 16)
   874  	x[5] = uint8(certificateOctets >> 8)
   875  	x[6] = uint8(certificateOctets)
   876  
   877  	y := x[7:]
   878  	for _, slice := range m.certificates {
   879  		y[0] = uint8(len(slice) >> 16)
   880  		y[1] = uint8(len(slice) >> 8)
   881  		y[2] = uint8(len(slice))
   882  		copy(y[3:], slice)
   883  		y = y[3+len(slice):]
   884  	}
   885  
   886  	m.raw = x
   887  	return
   888  }
   889  
   890  func (m *certificateMsg) unmarshal(data []byte) bool {
   891  	if len(data) < 7 {
   892  		return false
   893  	}
   894  
   895  	m.raw = data
   896  	certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
   897  	if uint32(len(data)) != certsLen+7 {
   898  		return false
   899  	}
   900  
   901  	numCerts := 0
   902  	d := data[7:]
   903  	for certsLen > 0 {
   904  		if len(d) < 4 {
   905  			return false
   906  		}
   907  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
   908  		if uint32(len(d)) < 3+certLen {
   909  			return false
   910  		}
   911  		d = d[3+certLen:]
   912  		certsLen -= 3 + certLen
   913  		numCerts++
   914  	}
   915  
   916  	m.certificates = make([][]byte, numCerts)
   917  	d = data[7:]
   918  	for i := 0; i < numCerts; i++ {
   919  		certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2])
   920  		m.certificates[i] = d[3 : 3+certLen]
   921  		d = d[3+certLen:]
   922  	}
   923  
   924  	return true
   925  }
   926  
   927  type serverKeyExchangeMsg struct {
   928  	raw []byte
   929  	key []byte
   930  }
   931  
   932  func (m *serverKeyExchangeMsg) equal(i interface{}) bool {
   933  	m1, ok := i.(*serverKeyExchangeMsg)
   934  	if !ok {
   935  		return false
   936  	}
   937  
   938  	return bytes.Equal(m.raw, m1.raw) &&
   939  		bytes.Equal(m.key, m1.key)
   940  }
   941  
   942  func (m *serverKeyExchangeMsg) marshal() []byte {
   943  	if m.raw != nil {
   944  		return m.raw
   945  	}
   946  	length := len(m.key)
   947  	x := make([]byte, length+4)
   948  	x[0] = typeServerKeyExchange
   949  	x[1] = uint8(length >> 16)
   950  	x[2] = uint8(length >> 8)
   951  	x[3] = uint8(length)
   952  	copy(x[4:], m.key)
   953  
   954  	m.raw = x
   955  	return x
   956  }
   957  
   958  func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
   959  	m.raw = data
   960  	if len(data) < 4 {
   961  		return false
   962  	}
   963  	m.key = data[4:]
   964  	return true
   965  }
   966  
   967  type certificateStatusMsg struct {
   968  	raw        []byte
   969  	statusType uint8
   970  	response   []byte
   971  }
   972  
   973  func (m *certificateStatusMsg) equal(i interface{}) bool {
   974  	m1, ok := i.(*certificateStatusMsg)
   975  	if !ok {
   976  		return false
   977  	}
   978  
   979  	return bytes.Equal(m.raw, m1.raw) &&
   980  		m.statusType == m1.statusType &&
   981  		bytes.Equal(m.response, m1.response)
   982  }
   983  
   984  func (m *certificateStatusMsg) marshal() []byte {
   985  	if m.raw != nil {
   986  		return m.raw
   987  	}
   988  
   989  	var x []byte
   990  	if m.statusType == statusTypeOCSP {
   991  		x = make([]byte, 4+4+len(m.response))
   992  		x[0] = typeCertificateStatus
   993  		l := len(m.response) + 4
   994  		x[1] = byte(l >> 16)
   995  		x[2] = byte(l >> 8)
   996  		x[3] = byte(l)
   997  		x[4] = statusTypeOCSP
   998  
   999  		l -= 4
  1000  		x[5] = byte(l >> 16)
  1001  		x[6] = byte(l >> 8)
  1002  		x[7] = byte(l)
  1003  		copy(x[8:], m.response)
  1004  	} else {
  1005  		x = []byte{typeCertificateStatus, 0, 0, 1, m.statusType}
  1006  	}
  1007  
  1008  	m.raw = x
  1009  	return x
  1010  }
  1011  
  1012  func (m *certificateStatusMsg) unmarshal(data []byte) bool {
  1013  	m.raw = data
  1014  	if len(data) < 5 {
  1015  		return false
  1016  	}
  1017  	m.statusType = data[4]
  1018  
  1019  	m.response = nil
  1020  	if m.statusType == statusTypeOCSP {
  1021  		if len(data) < 8 {
  1022  			return false
  1023  		}
  1024  		respLen := uint32(data[5])<<16 | uint32(data[6])<<8 | uint32(data[7])
  1025  		if uint32(len(data)) != 4+4+respLen {
  1026  			return false
  1027  		}
  1028  		m.response = data[8:]
  1029  	}
  1030  	return true
  1031  }
  1032  
  1033  type serverHelloDoneMsg struct{}
  1034  
  1035  func (m *serverHelloDoneMsg) equal(i interface{}) bool {
  1036  	_, ok := i.(*serverHelloDoneMsg)
  1037  	return ok
  1038  }
  1039  
  1040  func (m *serverHelloDoneMsg) marshal() []byte {
  1041  	x := make([]byte, 4)
  1042  	x[0] = typeServerHelloDone
  1043  	return x
  1044  }
  1045  
  1046  func (m *serverHelloDoneMsg) unmarshal(data []byte) bool {
  1047  	return len(data) == 4
  1048  }
  1049  
  1050  type clientKeyExchangeMsg struct {
  1051  	raw        []byte
  1052  	ciphertext []byte
  1053  }
  1054  
  1055  func (m *clientKeyExchangeMsg) equal(i interface{}) bool {
  1056  	m1, ok := i.(*clientKeyExchangeMsg)
  1057  	if !ok {
  1058  		return false
  1059  	}
  1060  
  1061  	return bytes.Equal(m.raw, m1.raw) &&
  1062  		bytes.Equal(m.ciphertext, m1.ciphertext)
  1063  }
  1064  
  1065  func (m *clientKeyExchangeMsg) marshal() []byte {
  1066  	if m.raw != nil {
  1067  		return m.raw
  1068  	}
  1069  	length := len(m.ciphertext)
  1070  	x := make([]byte, length+4)
  1071  	x[0] = typeClientKeyExchange
  1072  	x[1] = uint8(length >> 16)
  1073  	x[2] = uint8(length >> 8)
  1074  	x[3] = uint8(length)
  1075  	copy(x[4:], m.ciphertext)
  1076  
  1077  	m.raw = x
  1078  	return x
  1079  }
  1080  
  1081  func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
  1082  	m.raw = data
  1083  	if len(data) < 4 {
  1084  		return false
  1085  	}
  1086  	l := int(data[1])<<16 | int(data[2])<<8 | int(data[3])
  1087  	if l != len(data)-4 {
  1088  		return false
  1089  	}
  1090  	m.ciphertext = data[4:]
  1091  	return true
  1092  }
  1093  
  1094  type finishedMsg struct {
  1095  	raw        []byte
  1096  	verifyData []byte
  1097  }
  1098  
  1099  func (m *finishedMsg) equal(i interface{}) bool {
  1100  	m1, ok := i.(*finishedMsg)
  1101  	if !ok {
  1102  		return false
  1103  	}
  1104  
  1105  	return bytes.Equal(m.raw, m1.raw) &&
  1106  		bytes.Equal(m.verifyData, m1.verifyData)
  1107  }
  1108  
  1109  func (m *finishedMsg) marshal() (x []byte) {
  1110  	if m.raw != nil {
  1111  		return m.raw
  1112  	}
  1113  
  1114  	x = make([]byte, 4+len(m.verifyData))
  1115  	x[0] = typeFinished
  1116  	x[3] = byte(len(m.verifyData))
  1117  	copy(x[4:], m.verifyData)
  1118  	m.raw = x
  1119  	return
  1120  }
  1121  
  1122  func (m *finishedMsg) unmarshal(data []byte) bool {
  1123  	m.raw = data
  1124  	if len(data) < 4 {
  1125  		return false
  1126  	}
  1127  	m.verifyData = data[4:]
  1128  	return true
  1129  }
  1130  
  1131  type nextProtoMsg struct {
  1132  	raw   []byte
  1133  	proto string
  1134  }
  1135  
  1136  func (m *nextProtoMsg) equal(i interface{}) bool {
  1137  	m1, ok := i.(*nextProtoMsg)
  1138  	if !ok {
  1139  		return false
  1140  	}
  1141  
  1142  	return bytes.Equal(m.raw, m1.raw) &&
  1143  		m.proto == m1.proto
  1144  }
  1145  
  1146  func (m *nextProtoMsg) marshal() []byte {
  1147  	if m.raw != nil {
  1148  		return m.raw
  1149  	}
  1150  	l := len(m.proto)
  1151  	if l > 255 {
  1152  		l = 255
  1153  	}
  1154  
  1155  	padding := 32 - (l+2)%32
  1156  	length := l + padding + 2
  1157  	x := make([]byte, length+4)
  1158  	x[0] = typeNextProtocol
  1159  	x[1] = uint8(length >> 16)
  1160  	x[2] = uint8(length >> 8)
  1161  	x[3] = uint8(length)
  1162  
  1163  	y := x[4:]
  1164  	y[0] = byte(l)
  1165  	copy(y[1:], []byte(m.proto[0:l]))
  1166  	y = y[1+l:]
  1167  	y[0] = byte(padding)
  1168  
  1169  	m.raw = x
  1170  
  1171  	return x
  1172  }
  1173  
  1174  func (m *nextProtoMsg) unmarshal(data []byte) bool {
  1175  	m.raw = data
  1176  
  1177  	if len(data) < 5 {
  1178  		return false
  1179  	}
  1180  	data = data[4:]
  1181  	protoLen := int(data[0])
  1182  	data = data[1:]
  1183  	if len(data) < protoLen {
  1184  		return false
  1185  	}
  1186  	m.proto = string(data[0:protoLen])
  1187  	data = data[protoLen:]
  1188  
  1189  	if len(data) < 1 {
  1190  		return false
  1191  	}
  1192  	paddingLen := int(data[0])
  1193  	data = data[1:]
  1194  	if len(data) != paddingLen {
  1195  		return false
  1196  	}
  1197  
  1198  	return true
  1199  }
  1200  
  1201  type certificateRequestMsg struct {
  1202  	raw []byte
  1203  	// hasSignatureAndHash indicates whether this message includes a list
  1204  	// of signature and hash functions. This change was introduced with TLS
  1205  	// 1.2.
  1206  	hasSignatureAndHash bool
  1207  
  1208  	certificateTypes       []byte
  1209  	supportedSignatureAlgorithms []SignatureScheme
  1210  	certificateAuthorities [][]byte
  1211  }
  1212  
  1213  func (m *certificateRequestMsg) equal(i interface{}) bool {
  1214  	m1, ok := i.(*certificateRequestMsg)
  1215  	if !ok {
  1216  		return false
  1217  	}
  1218  
  1219  	return bytes.Equal(m.raw, m1.raw) &&
  1220  		bytes.Equal(m.certificateTypes, m1.certificateTypes) &&
  1221  		eqByteSlices(m.certificateAuthorities, m1.certificateAuthorities) &&
  1222  		eqSignatureAlgorithms(m.supportedSignatureAlgorithms, m1.supportedSignatureAlgorithms)
  1223  }
  1224  
  1225  func (m *certificateRequestMsg) marshal() (x []byte) {
  1226  	if m.raw != nil {
  1227  		return m.raw
  1228  	}
  1229  
  1230  	// See http://tools.ietf.org/html/rfc4346#section-7.4.4
  1231  	length := 1 + len(m.certificateTypes) + 2
  1232  	casLength := 0
  1233  	for _, ca := range m.certificateAuthorities {
  1234  		casLength += 2 + len(ca)
  1235  	}
  1236  	length += casLength
  1237  
  1238  	if m.hasSignatureAndHash {
  1239  		length += 2 +2*len(m.supportedSignatureAlgorithms)
  1240  	}
  1241  
  1242  	x = make([]byte, 4+length)
  1243  	x[0] = typeCertificateRequest
  1244  	x[1] = uint8(length >> 16)
  1245  	x[2] = uint8(length >> 8)
  1246  	x[3] = uint8(length)
  1247  
  1248  	x[4] = uint8(len(m.certificateTypes))
  1249  
  1250  	copy(x[5:], m.certificateTypes)
  1251  	y := x[5+len(m.certificateTypes):]
  1252  
  1253  	if m.hasSignatureAndHash {
  1254  		n := len(m.supportedSignatureAlgorithms) * 2
  1255  		y[0] = uint8(n >> 8)
  1256  		y[1] = uint8(n)
  1257  		y = y[2:]
  1258  		for _, sigAlgo := range m.supportedSignatureAlgorithms {
  1259  			y[0] = uint8(sigAlgo >> 8)
  1260  			y[1] = uint8(sigAlgo)
  1261  			y = y[2:]
  1262  		}
  1263  	}
  1264  
  1265  	y[0] = uint8(casLength >> 8)
  1266  	y[1] = uint8(casLength)
  1267  	y = y[2:]
  1268  	for _, ca := range m.certificateAuthorities {
  1269  		y[0] = uint8(len(ca) >> 8)
  1270  		y[1] = uint8(len(ca))
  1271  		y = y[2:]
  1272  		copy(y, ca)
  1273  		y = y[len(ca):]
  1274  	}
  1275  
  1276  	m.raw = x
  1277  	return
  1278  }
  1279  
  1280  func (m *certificateRequestMsg) unmarshal(data []byte) bool {
  1281  	m.raw = data
  1282  
  1283  	if len(data) < 5 {
  1284  		return false
  1285  	}
  1286  
  1287  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1288  	if uint32(len(data))-4 != length {
  1289  		return false
  1290  	}
  1291  
  1292  	numCertTypes := int(data[4])
  1293  	data = data[5:]
  1294  	if numCertTypes == 0 || len(data) <= numCertTypes {
  1295  		return false
  1296  	}
  1297  
  1298  	m.certificateTypes = make([]byte, numCertTypes)
  1299  	if copy(m.certificateTypes, data) != numCertTypes {
  1300  		return false
  1301  	}
  1302  
  1303  	data = data[numCertTypes:]
  1304  
  1305  	if m.hasSignatureAndHash {
  1306  		if len(data) < 2 {
  1307  			return false
  1308  		}
  1309  		sigAndHashLen := uint16(data[0])<<8 | uint16(data[1])
  1310  		data = data[2:]
  1311  		if sigAndHashLen&1 != 0 {
  1312  			return false
  1313  		}
  1314  		if len(data) < int(sigAndHashLen) {
  1315  			return false
  1316  		}
  1317  		numSigAlgos := sigAndHashLen / 2
  1318  		m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos)
  1319  		for i := range m.supportedSignatureAlgorithms {
  1320  			m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1321  			data = data[2:]
  1322  		}
  1323  	}
  1324  
  1325  	if len(data) < 2 {
  1326  		return false
  1327  	}
  1328  	casLength := uint16(data[0])<<8 | uint16(data[1])
  1329  	data = data[2:]
  1330  	if len(data) < int(casLength) {
  1331  		return false
  1332  	}
  1333  	cas := make([]byte, casLength)
  1334  	copy(cas, data)
  1335  	data = data[casLength:]
  1336  
  1337  	m.certificateAuthorities = nil
  1338  	for len(cas) > 0 {
  1339  		if len(cas) < 2 {
  1340  			return false
  1341  		}
  1342  		caLen := uint16(cas[0])<<8 | uint16(cas[1])
  1343  		cas = cas[2:]
  1344  
  1345  		if len(cas) < int(caLen) {
  1346  			return false
  1347  		}
  1348  
  1349  		m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen])
  1350  		cas = cas[caLen:]
  1351  	}
  1352  
  1353  	return len(data) == 0
  1354  }
  1355  
  1356  type certificateVerifyMsg struct {
  1357  	raw                 []byte
  1358  	hasSignatureAndHash bool
  1359  	signatureAlgorithm    SignatureScheme
  1360  	signature           []byte
  1361  }
  1362  
  1363  func (m *certificateVerifyMsg) equal(i interface{}) bool {
  1364  	m1, ok := i.(*certificateVerifyMsg)
  1365  	if !ok {
  1366  		return false
  1367  	}
  1368  
  1369  	return bytes.Equal(m.raw, m1.raw) &&
  1370  		m.hasSignatureAndHash == m1.hasSignatureAndHash &&
  1371  		m.signatureAlgorithm == m1.signatureAlgorithm &&
  1372  		bytes.Equal(m.signature, m1.signature)
  1373  }
  1374  
  1375  func (m *certificateVerifyMsg) marshal() (x []byte) {
  1376  	if m.raw != nil {
  1377  		return m.raw
  1378  	}
  1379  
  1380  	// See http://tools.ietf.org/html/rfc4346#section-7.4.8
  1381  	siglength := len(m.signature)
  1382  	length := 2 + siglength
  1383  	if m.hasSignatureAndHash {
  1384  		length += 2
  1385  	}
  1386  	x = make([]byte, 4+length)
  1387  	x[0] = typeCertificateVerify
  1388  	x[1] = uint8(length >> 16)
  1389  	x[2] = uint8(length >> 8)
  1390  	x[3] = uint8(length)
  1391  	y := x[4:]
  1392  	if m.hasSignatureAndHash {
  1393  		y[0] = uint8(m.signatureAlgorithm >> 8)
  1394  		y[1] = uint8(m.signatureAlgorithm)
  1395  		y = y[2:]
  1396  	}
  1397  	y[0] = uint8(siglength >> 8)
  1398  	y[1] = uint8(siglength)
  1399  	copy(y[2:], m.signature)
  1400  
  1401  	m.raw = x
  1402  
  1403  	return
  1404  }
  1405  
  1406  func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
  1407  	m.raw = data
  1408  
  1409  	if len(data) < 6 {
  1410  		return false
  1411  	}
  1412  
  1413  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1414  	if uint32(len(data))-4 != length {
  1415  		return false
  1416  	}
  1417  
  1418  	data = data[4:]
  1419  	if m.hasSignatureAndHash {
  1420  		m.signatureAlgorithm = SignatureScheme(data[0])<<8 | SignatureScheme(data[1])
  1421  		data = data[2:]
  1422  	}
  1423  
  1424  	if len(data) < 2 {
  1425  		return false
  1426  	}
  1427  	siglength := int(data[0])<<8 + int(data[1])
  1428  	data = data[2:]
  1429  	if len(data) != siglength {
  1430  		return false
  1431  	}
  1432  
  1433  	m.signature = data
  1434  
  1435  	return true
  1436  }
  1437  
  1438  type newSessionTicketMsg struct {
  1439  	raw    []byte
  1440  	ticket []byte
  1441  }
  1442  
  1443  func (m *newSessionTicketMsg) equal(i interface{}) bool {
  1444  	m1, ok := i.(*newSessionTicketMsg)
  1445  	if !ok {
  1446  		return false
  1447  	}
  1448  
  1449  	return bytes.Equal(m.raw, m1.raw) &&
  1450  		bytes.Equal(m.ticket, m1.ticket)
  1451  }
  1452  
  1453  func (m *newSessionTicketMsg) marshal() (x []byte) {
  1454  	if m.raw != nil {
  1455  		return m.raw
  1456  	}
  1457  
  1458  	// See http://tools.ietf.org/html/rfc5077#section-3.3
  1459  	ticketLen := len(m.ticket)
  1460  	length := 2 + 4 + ticketLen
  1461  	x = make([]byte, 4+length)
  1462  	x[0] = typeNewSessionTicket
  1463  	x[1] = uint8(length >> 16)
  1464  	x[2] = uint8(length >> 8)
  1465  	x[3] = uint8(length)
  1466  	x[8] = uint8(ticketLen >> 8)
  1467  	x[9] = uint8(ticketLen)
  1468  	copy(x[10:], m.ticket)
  1469  
  1470  	m.raw = x
  1471  
  1472  	return
  1473  }
  1474  
  1475  func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
  1476  	m.raw = data
  1477  
  1478  	if len(data) < 10 {
  1479  		return false
  1480  	}
  1481  
  1482  	length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3])
  1483  	if uint32(len(data))-4 != length {
  1484  		return false
  1485  	}
  1486  
  1487  	ticketLen := int(data[8])<<8 + int(data[9])
  1488  	if len(data)-10 != ticketLen {
  1489  		return false
  1490  	}
  1491  
  1492  	m.ticket = data[10:]
  1493  
  1494  	return true
  1495  }
  1496  
  1497  type helloRequestMsg struct {
  1498  }
  1499  
  1500  func (*helloRequestMsg) marshal() []byte {
  1501  	return []byte{typeHelloRequest, 0, 0, 0}
  1502  }
  1503  
  1504  func (*helloRequestMsg) unmarshal(data []byte) bool {
  1505  	return len(data) == 4
  1506  }
  1507  
  1508  func eqUint16s(x, y []uint16) bool {
  1509  	if len(x) != len(y) {
  1510  		return false
  1511  	}
  1512  	for i, v := range x {
  1513  		if y[i] != v {
  1514  			return false
  1515  		}
  1516  	}
  1517  	return true
  1518  }
  1519  
  1520  func eqCurveIDs(x, y []CurveID) bool {
  1521  	if len(x) != len(y) {
  1522  		return false
  1523  	}
  1524  	for i, v := range x {
  1525  		if y[i] != v {
  1526  			return false
  1527  		}
  1528  	}
  1529  	return true
  1530  }
  1531  
  1532  func eqStrings(x, y []string) bool {
  1533  	if len(x) != len(y) {
  1534  		return false
  1535  	}
  1536  	for i, v := range x {
  1537  		if y[i] != v {
  1538  			return false
  1539  		}
  1540  	}
  1541  	return true
  1542  }
  1543  
  1544  func eqByteSlices(x, y [][]byte) bool {
  1545  	if len(x) != len(y) {
  1546  		return false
  1547  	}
  1548  	for i, v := range x {
  1549  		if !bytes.Equal(v, y[i]) {
  1550  			return false
  1551  		}
  1552  	}
  1553  	return true
  1554  }
  1555  
  1556  func  eqSignatureAlgorithms(x, y []SignatureScheme) bool  {
  1557  	if len(x) != len(y) {
  1558  		return false
  1559  	}
  1560  	for i, v := range x {
  1561  		if v != y[i] {
  1562  			return false
  1563  		}
  1564  	}
  1565  	return true
  1566  }
  1567
View as plain text