}
type clientHelloMsg struct {
- raw []byte
+ original []byte
vers uint16
random []byte
sessionId []byte
}
func (m *clientHelloMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var exts cryptobyte.Builder
if len(m.serverName) > 0 {
// RFC 6066, Section 3
}
})
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
// marshalWithoutBinders returns the ClientHello through the
bindersLen += len(binder)
}
- fullMessage, err := m.marshal()
- if err != nil {
- return nil, err
+ var fullMessage []byte
+ if m.original != nil {
+ fullMessage = m.original
+ } else {
+ var err error
+ fullMessage, err = m.marshal()
+ if err != nil {
+ return nil, err
+ }
}
return fullMessage[:len(fullMessage)-bindersLen], nil
}
-// updateBinders updates the m.pskBinders field, if necessary updating the
-// cached marshaled representation. The supplied binders must have the same
-// length as the current m.pskBinders.
+// updateBinders updates the m.pskBinders field. The supplied binders must have
+// the same length as the current m.pskBinders.
func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error {
if len(pskBinders) != len(m.pskBinders) {
return errors.New("tls: internal error: pskBinders length mismatch")
}
}
m.pskBinders = pskBinders
- if m.raw != nil {
- helloBytes, err := m.marshalWithoutBinders()
- if err != nil {
- return err
- }
- lenWithoutBinders := len(helloBytes)
- b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders])
- b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) {
- for _, binder := range m.pskBinders {
- b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
- b.AddBytes(binder)
- })
- }
- })
- if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) {
- return errors.New("tls: internal error: failed to update binders")
- }
- }
return nil
}
func (m *clientHelloMsg) unmarshal(data []byte) bool {
- *m = clientHelloMsg{raw: data}
+ *m = clientHelloMsg{original: data}
s := cryptobyte.String(data)
if !s.Skip(4) || // message type and uint24 length field
return true
}
+func (m *clientHelloMsg) originalBytes() []byte {
+ return m.original
+}
+
type serverHelloMsg struct {
- raw []byte
+ original []byte
vers uint16
random []byte
sessionId []byte
}
func (m *serverHelloMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var exts cryptobyte.Builder
if m.ocspStapling {
exts.AddUint16(extensionStatusRequest)
}
})
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *serverHelloMsg) unmarshal(data []byte) bool {
- *m = serverHelloMsg{raw: data}
+ *m = serverHelloMsg{original: data}
s := cryptobyte.String(data)
if !s.Skip(4) || // message type and uint24 length field
return true
}
+func (m *serverHelloMsg) originalBytes() []byte {
+ return m.original
+}
+
type encryptedExtensionsMsg struct {
- raw []byte
alpnProtocol string
quicTransportParameters []byte
earlyData bool
}
func (m *encryptedExtensionsMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeEncryptedExtensions)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
})
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool {
- *m = encryptedExtensionsMsg{raw: data}
+ *m = encryptedExtensionsMsg{}
s := cryptobyte.String(data)
var extensions cryptobyte.String
}
type keyUpdateMsg struct {
- raw []byte
updateRequested bool
}
func (m *keyUpdateMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeKeyUpdate)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
}
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *keyUpdateMsg) unmarshal(data []byte) bool {
- m.raw = data
s := cryptobyte.String(data)
var updateRequested uint8
}
type newSessionTicketMsgTLS13 struct {
- raw []byte
lifetime uint32
ageAdd uint32
nonce []byte
}
func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeNewSessionTicket)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
})
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool {
- *m = newSessionTicketMsgTLS13{raw: data}
+ *m = newSessionTicketMsgTLS13{}
s := cryptobyte.String(data)
var extensions cryptobyte.String
}
type certificateRequestMsgTLS13 struct {
- raw []byte
ocspStapling bool
scts bool
supportedSignatureAlgorithms []SignatureScheme
}
func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeCertificateRequest)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
})
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool {
- *m = certificateRequestMsgTLS13{raw: data}
+ *m = certificateRequestMsgTLS13{}
s := cryptobyte.String(data)
var context, extensions cryptobyte.String
}
type certificateMsg struct {
- raw []byte
certificates [][]byte
}
func (m *certificateMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var i int
for _, slice := range m.certificates {
i += len(slice)
y = y[3+len(slice):]
}
- m.raw = x
- return m.raw, nil
+ return x, nil
}
func (m *certificateMsg) unmarshal(data []byte) bool {
return false
}
- m.raw = data
certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6])
if uint32(len(data)) != certsLen+7 {
return false
}
type certificateMsgTLS13 struct {
- raw []byte
certificate Certificate
ocspStapling bool
scts bool
}
func (m *certificateMsgTLS13) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeCertificate)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
marshalCertificate(b, certificate)
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) {
}
func (m *certificateMsgTLS13) unmarshal(data []byte) bool {
- *m = certificateMsgTLS13{raw: data}
+ *m = certificateMsgTLS13{}
s := cryptobyte.String(data)
var context cryptobyte.String
}
type serverKeyExchangeMsg struct {
- raw []byte
key []byte
}
func (m *serverKeyExchangeMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
length := len(m.key)
x := make([]byte, length+4)
x[0] = typeServerKeyExchange
x[3] = uint8(length)
copy(x[4:], m.key)
- m.raw = x
return x, nil
}
func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool {
- m.raw = data
if len(data) < 4 {
return false
}
}
type certificateStatusMsg struct {
- raw []byte
response []byte
}
func (m *certificateStatusMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeCertificateStatus)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
})
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *certificateStatusMsg) unmarshal(data []byte) bool {
- m.raw = data
s := cryptobyte.String(data)
var statusType uint8
}
type clientKeyExchangeMsg struct {
- raw []byte
ciphertext []byte
}
func (m *clientKeyExchangeMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
length := len(m.ciphertext)
x := make([]byte, length+4)
x[0] = typeClientKeyExchange
x[3] = uint8(length)
copy(x[4:], m.ciphertext)
- m.raw = x
return x, nil
}
func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool {
- m.raw = data
if len(data) < 4 {
return false
}
}
type finishedMsg struct {
- raw []byte
verifyData []byte
}
func (m *finishedMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeFinished)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
b.AddBytes(m.verifyData)
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *finishedMsg) unmarshal(data []byte) bool {
- m.raw = data
s := cryptobyte.String(data)
return s.Skip(1) &&
readUint24LengthPrefixed(&s, &m.verifyData) &&
}
type certificateRequestMsg struct {
- raw []byte
// hasSignatureAlgorithm indicates whether this message includes a list of
// supported signature algorithms. This change was introduced with TLS 1.2.
hasSignatureAlgorithm bool
}
func (m *certificateRequestMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
// See RFC 4346, Section 7.4.4.
length := 1 + len(m.certificateTypes) + 2
casLength := 0
y = y[len(ca):]
}
- m.raw = x
- return m.raw, nil
+ return x, nil
}
func (m *certificateRequestMsg) unmarshal(data []byte) bool {
- m.raw = data
-
if len(data) < 5 {
return false
}
}
type certificateVerifyMsg struct {
- raw []byte
hasSignatureAlgorithm bool // format change introduced in TLS 1.2
signatureAlgorithm SignatureScheme
signature []byte
}
func (m *certificateVerifyMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
var b cryptobyte.Builder
b.AddUint8(typeCertificateVerify)
b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) {
})
})
- var err error
- m.raw, err = b.Bytes()
- return m.raw, err
+ return b.Bytes()
}
func (m *certificateVerifyMsg) unmarshal(data []byte) bool {
- m.raw = data
s := cryptobyte.String(data)
if !s.Skip(4) { // message type and uint24 length field
}
type newSessionTicketMsg struct {
- raw []byte
ticket []byte
}
func (m *newSessionTicketMsg) marshal() ([]byte, error) {
- if m.raw != nil {
- return m.raw, nil
- }
-
// See RFC 5077, Section 3.3.
ticketLen := len(m.ticket)
length := 2 + 4 + ticketLen
x[9] = uint8(ticketLen)
copy(x[10:], m.ticket)
- m.raw = x
-
- return m.raw, nil
+ return x, nil
}
func (m *newSessionTicketMsg) unmarshal(data []byte) bool {
- m.raw = data
-
if len(data) < 10 {
return false
}
Write([]byte) (int, error)
}
-// transcriptMsg is a helper used to marshal and hash messages which typically
-// are not written to the wire, and as such aren't hashed during Conn.writeRecord.
+// transcriptMsg is a helper used to hash messages which are not hashed when
+// they are read from, or written to, the wire. This is typically the case for
+// messages which are either not sent, or need to be hashed out of order from
+// when they are read/written.
+//
+// For most messages, the message is marshalled using their marshal method,
+// since their wire representation is idempotent. For clientHelloMsg and
+// serverHelloMsg, we store the original wire representation of the message and
+// use that for hashing, since unmarshal/marshal are not idempotent due to
+// extension ordering and other malleable fields, which may cause differences
+// between what was received and what we marshal.
func transcriptMsg(msg handshakeMessage, h transcriptHash) error {
+ if msgWithOrig, ok := msg.(handshakeMessageWithOriginalBytes); ok {
+ if orig := msgWithOrig.originalBytes(); orig != nil {
+ h.Write(msgWithOrig.originalBytes())
+ return nil
+ }
+ }
+
data, err := msg.marshal()
if err != nil {
return err
for i, m := range tests {
ty := reflect.ValueOf(m).Type()
-
- n := 100
- if testing.Short() {
- n = 5
- }
- for j := 0; j < n; j++ {
- v, ok := quick.Value(ty, rand)
- if !ok {
- t.Errorf("#%d: failed to create value", i)
- break
+ t.Run(ty.String(), func(t *testing.T) {
+ n := 100
+ if testing.Short() {
+ n = 5
}
+ for j := 0; j < n; j++ {
+ v, ok := quick.Value(ty, rand)
+ if !ok {
+ t.Errorf("#%d: failed to create value", i)
+ break
+ }
- m1 := v.Interface().(handshakeMessage)
- marshaled := mustMarshal(t, m1)
- if !m.unmarshal(marshaled) {
- t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled)
- break
- }
- m.marshal() // to fill any marshal cache in the message
+ m1 := v.Interface().(handshakeMessage)
+ marshaled := mustMarshal(t, m1)
+ if !m.unmarshal(marshaled) {
+ t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled)
+ break
+ }
- if m, ok := m.(*SessionState); ok {
- m.activeCertHandles = nil
- }
+ if m, ok := m.(*SessionState); ok {
+ m.activeCertHandles = nil
+ }
- if !reflect.DeepEqual(m1, m) {
- t.Errorf("#%d got:%#v want:%#v %x", i, m, m1, marshaled)
- break
- }
+ // clientHelloMsg and serverHelloMsg, when unmarshalled, store
+ // their original representation, for later use in the handshake
+ // transcript. In order to prevent DeepEqual from failing since
+ // we didn't create the original message via unmarshalling, nil
+ // the field.
+ switch t := m.(type) {
+ case *clientHelloMsg:
+ t.original = nil
+ case *serverHelloMsg:
+ t.original = nil
+ }
- if i >= 3 {
- // The first three message types (ClientHello,
- // ServerHello and Finished) are allowed to
- // have parsable prefixes because the extension
- // data is optional and the length of the
- // Finished varies across versions.
- for j := 0; j < len(marshaled); j++ {
- if m.unmarshal(marshaled[0:j]) {
- t.Errorf("#%d unmarshaled a prefix of length %d of %#v", i, j, m1)
- break
+ if !reflect.DeepEqual(m1, m) {
+ t.Errorf("#%d got:%#v want:%#v %x", i, m, m1, marshaled)
+ break
+ }
+
+ if i >= 3 {
+ // The first three message types (ClientHello,
+ // ServerHello and Finished) are allowed to
+ // have parsable prefixes because the extension
+ // data is optional and the length of the
+ // Finished varies across versions.
+ for j := 0; j < len(marshaled); j++ {
+ if m.unmarshal(marshaled[0:j]) {
+ t.Errorf("#%d unmarshaled a prefix of length %d of %#v", i, j, m1)
+ break
+ }
}
}
}
- }
+ })
}
}