#include <tls_messages_13.h>

Inheritance diagram for Botan::TLS::Client_Hello_13:

Public Member Functions
std::vector< Signature_Scheme >	certificate_signature_schemes () const
const std::vector< uint16_t > &	ciphersuites () const
	Client_Hello_13 (const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, std::string_view hostname, const std::vector< std::string > &next_protocols, std::optional< Session_with_Handle > &session, std::vector< ExternalPSK > psks)
const std::vector< uint8_t > &	cookie () const
std::vector< uint8_t >	cookie_input_data () const
std::set< Extension_Code >	extension_types () const
const Extensions &	extensions () const
std::optional< Protocol_Version >	highest_supported_version (const Policy &policy) const
Protocol_Version	legacy_version () const
std::vector< std::string >	next_protocols () const
bool	offered_suite (uint16_t ciphersuite) const
const std::vector< uint8_t > &	random () const
void	retry (const Hello_Retry_Request &hrr, const Transcript_Hash_State &transcript_hash_state, Callbacks &cb, RandomNumberGenerator &rng)
bool	sent_signature_algorithms () const
std::vector< uint8_t >	serialize () const override
const Session_ID &	session_id () const
std::vector< Signature_Scheme >	signature_schemes () const
std::string	sni_hostname () const
std::vector< uint16_t >	srtp_profiles () const
std::vector< Group_Params >	supported_dh_groups () const
std::vector< Group_Params >	supported_ecc_curves () const
std::vector< Protocol_Version >	supported_versions () const
bool	supports_alpn () const
Handshake_Type	type () const override
std::string	type_string () const
void	validate_updates (const Client_Hello_13 &new_ch)
virtual Handshake_Type	wire_type () const

Static Public Member Functions
static std::variant< Client_Hello_13, Client_Hello_12_Shim >	parse (const std::vector< uint8_t > &buf)

Protected Member Functions
const std::vector< uint8_t > &	compression_methods () const

Protected Attributes
std::unique_ptr< Client_Hello_Internal >	m_data

Detailed Description

Definition at line 29 of file tls_messages_13.h.

Constructor & Destructor Documentation

◆ Client_Hello_13()

Botan::TLS::Client_Hello_13::Client_Hello_13	(	const Policy &	policy,
		Callbacks &	cb,
		RandomNumberGenerator &	rng,
		std::string_view	hostname,
		const std::vector< std::string > &	next_protocols,
		std::optional< Session_with_Handle > &	session,
		std::vector< ExternalPSK >	psks )

Creates a client hello which might optionally use the passed-in session for resumption. In that case, this will "extract" the master secret from the passed-in session.

Definition at line 154 of file msg_client_hello_13.cpp.

                                                              {
   // RFC 8446 4.1.2
   //    In TLS 1.3, the client indicates its version preferences in the
   //    "supported_versions" extension (Section 4.2.1) and the
   //    legacy_version field MUST be set to 0x0303, which is the version
   //    number for TLS 1.2.
   m_data->m_legacy_version = Protocol_Version::TLS_V12;
   m_data->m_random = make_hello_random(rng, cb, policy);
   m_data->m_suites = policy.ciphersuite_list(Protocol_Version::TLS_V13);
 
   if(policy.allow_tls12()) {
      // Note: DTLS 1.3 is NYI, hence dtls_12 is not checked
      const auto legacy_suites = policy.ciphersuite_list(Protocol_Version::TLS_V12);
      m_data->m_suites.insert(m_data->m_suites.end(), legacy_suites.cbegin(), legacy_suites.cend());
   }
 
   if(policy.tls_13_middlebox_compatibility_mode()) {
      // RFC 8446 4.1.2
      //    In compatibility mode (see Appendix D.4), this field MUST be non-empty,
      //    so a client not offering a pre-TLS 1.3 session MUST generate a new
      //    32-byte value.
      //
      // Note: we won't ever offer a TLS 1.2 session. In such a case we would
      //       have instantiated a TLS 1.2 client in the first place.
      m_data->m_session_id = Session_ID(make_hello_random(rng, cb, policy));
   }
 
   // NOLINTBEGIN(*-owning-memory)
   if(Server_Name_Indicator::hostname_acceptable_for_sni(hostname)) {
      m_data->extensions().add(new Server_Name_Indicator(hostname));
   }
 
   m_data->extensions().add(new Supported_Groups(policy.key_exchange_groups()));
 
   m_data->extensions().add(new Key_Share(policy, cb, rng));
 
   m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13, policy));
 
   m_data->extensions().add(new Signature_Algorithms(policy.acceptable_signature_schemes()));
   if(auto cert_signing_prefs = policy.acceptable_certificate_signature_schemes()) {
      // RFC 8446 4.2.3
      //    Implementations which have the same policy in both cases MAY omit
      //    the "signature_algorithms_cert" extension.
      m_data->extensions().add(new Signature_Algorithms_Cert(std::move(cert_signing_prefs.value())));
   }
 
   // TODO: Support for PSK-only mode without a key exchange.
   //       This should be configurable in TLS::Policy and should allow no PSK
   //       support at all (e.g. to disable support for session resumption).
   m_data->extensions().add(new PSK_Key_Exchange_Modes({PSK_Key_Exchange_Mode::PSK_DHE_KE}));
 
   if(policy.support_cert_status_message()) {
      m_data->extensions().add(new Certificate_Status_Request({}, {}));
   }
 
   // We currently support "record_size_limit" for TLS 1.3 exclusively. Hence,
   // when TLS 1.2 is advertised as a supported protocol, we must not offer this
   // extension.
   if(policy.record_size_limit().has_value() && !policy.allow_tls12()) {
      m_data->extensions().add(new Record_Size_Limit(policy.record_size_limit().value()));
   }
 
   /*
   * Right now raw public key support is not implemented for TLS 1.2, so we only offer
   * certificate_types (which is used to request raw public key) if additionally TLS 1.2
   * support is disabled. Otherwise a peer might reply with a 1.2 server hello + a certificate_type
   * extension indicating it wishes to use RPK, which would lead to errors later.
   */
   if(!policy.allow_tls12()) {
      m_data->extensions().add(new Client_Certificate_Type(policy.accepted_client_certificate_types()));
      m_data->extensions().add(new Server_Certificate_Type(policy.accepted_server_certificate_types()));
   }
 
   if(!next_protocols.empty()) {
      m_data->extensions().add(new Application_Layer_Protocol_Notification(next_protocols));
   }
 
#if defined(BOTAN_HAS_TLS_12)
   if(policy.allow_tls12()) {
      m_data->extensions().add(new Renegotiation_Extension());
      m_data->extensions().add(new Session_Ticket_Extension());
 
      // EMS must always be used with TLS 1.2, regardless of the policy
      m_data->extensions().add(new Extended_Master_Secret);
 
      if(policy.negotiate_encrypt_then_mac()) {
         m_data->extensions().add(new Encrypt_then_MAC);
      }
 
      if(m_data->extensions().has<Supported_Groups>() &&
         !m_data->extensions().get<Supported_Groups>()->ec_groups().empty()) {
         m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
      }
   }
#endif
 
   if(session.has_value() || !psks.empty()) {
      m_data->extensions().add(new PSK(session, std::move(psks), cb));
   }
   // NOLINTEND(*-owning-memory)
 
   cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Client, type());
 
   // The application's tls_modify_extensions callback could have stripped
   // Supported_Groups or Key_Share, which must be there.
   if(!m_data->extensions().has<Supported_Groups>()) {
      throw TLS_Exception(Alert::InternalError,
                          "Application tls_modify_extensions callback removed Supported_Groups from the ClientHello");
   }
   if(!m_data->extensions().has<Key_Share>()) {
      throw TLS_Exception(Alert::InternalError,
                          "Application tls_modify_extensions callback removed Key_Share from the ClientHello");
   }
 
   if(m_data->extensions().has<PSK>()) {
      // RFC 8446 4.2.11
      //    The "pre_shared_key" extension MUST be the last extension in the
      //    ClientHello (this facilitates implementation [...]).
      if(m_data->extensions().last_added() != Extension_Code::PresharedKey) {
         throw TLS_Exception(Alert::InternalError,
                             "Application modified extensions of Client Hello, PSK is not last anymore");
      }
      calculate_psk_binders({});
   }
}

Referenced by Client_Hello_13(), parse(), and validate_updates().

Member Function Documentation

◆ certificate_signature_schemes()

std::vector< Signature_Scheme > Botan::TLS::Client_Hello::certificate_signature_schemes ( ) const

inherited

Definition at line 221 of file msg_client_hello.cpp.

                                                                              {
   // RFC 8446 4.2.3
   //   If no "signature_algorithms_cert" extension is present, then the
   //   "signature_algorithms" extension also applies to signatures appearing
   //   in certificates.
   if(const Signature_Algorithms_Cert* sigs = m_data->extensions().get<Signature_Algorithms_Cert>()) {
      return sigs->supported_schemes();
   } else {
      return signature_schemes();
   }
}

References m_data, and signature_schemes().

Referenced by ~Client_Hello().

◆ ciphersuites()

const std::vector< uint16_t > & Botan::TLS::Client_Hello::ciphersuites ( ) const

inherited

Definition at line 157 of file msg_client_hello.cpp.

                                                            {
   return m_data->ciphersuites();
}

References m_data.

Referenced by ~Client_Hello().

◆ compression_methods()

const std::vector< uint8_t > & Botan::TLS::Client_Hello::compression_methods ( ) const

protectedinherited

Definition at line 153 of file msg_client_hello.cpp.

                                                                  {
   return m_data->comp_methods();
}

References m_data.

Referenced by ~Client_Hello().

◆ cookie()

const std::vector< uint8_t > & Botan::TLS::Client_Hello::cookie ( ) const

inherited

Definition at line 283 of file msg_client_hello.cpp.

                                                     {
   return m_data->hello_cookie();
}

References m_data.

Referenced by ~Client_Hello().

◆ cookie_input_data()

std::vector< uint8_t > Botan::TLS::Client_Hello::cookie_input_data ( ) const

inherited

Definition at line 200 of file msg_client_hello.cpp.

                                                         {
   BOTAN_STATE_CHECK(!m_data->hello_cookie_input_bits().empty());
 
   return m_data->hello_cookie_input_bits();
}

References BOTAN_STATE_CHECK, and m_data.

Referenced by ~Client_Hello().

◆ extension_types()

std::set< Extension_Code > Botan::TLS::Client_Hello::extension_types ( ) const

inherited

Definition at line 161 of file msg_client_hello.cpp.

                                                           {
   return m_data->extensions().extension_types();
}

References m_data.

Referenced by Botan::TLS::Server_Hello_12::Server_Hello_12(), Botan::TLS::Client_Hello_13::validate_updates(), and ~Client_Hello().

◆ extensions()

const Extensions & Botan::TLS::Client_Hello::extensions ( ) const

inherited

Definition at line 165 of file msg_client_hello.cpp.

                                                 {
   return m_data->extensions();
}

References m_data.

Referenced by Botan::TLS::Certificate_13::Certificate_13(), Botan::TLS::Server_Hello_13::create(), Botan::TLS::Encrypted_Extensions::Encrypted_Extensions(), Botan::TLS::Hello_Retry_Request::Hello_Retry_Request(), Botan::TLS::Server_Hello_13::Server_Hello_13(), Botan::TLS::Client_Hello_13::validate_updates(), and ~Client_Hello().

◆ highest_supported_version()

std::optional< Protocol_Version > Botan::TLS::Client_Hello_13::highest_supported_version ( const Policy & policy ) const

Select the highest protocol version from the list of versions supported by the client. If no such version can be determined this returns std::nullopt.

Definition at line 486 of file msg_client_hello_13.cpp.

                                                                                                   {
   // RFC 8446 4.2.1
   //    The "supported_versions" extension is used by the client to indicate
   //    which versions of TLS it supports and by the server to indicate which
   //    version it is using. The extension contains a list of supported
   //    versions in preference order, with the most preferred version first.
   auto* const supvers = m_data->extensions().get<Supported_Versions>();
   BOTAN_ASSERT_NONNULL(supvers);
 
   std::optional<Protocol_Version> result;
 
   for(const auto& v : supvers->versions()) {
      // RFC 8446 4.2.1
      //    Servers MUST only select a version of TLS present in that extension
      //    and MUST ignore any unknown versions that are present in that
      //    extension.
      if(!v.known_version() || !policy.acceptable_protocol_version(v)) {
         continue;
      }
 
      result = (result.has_value()) ? std::optional(std::max(result.value(), v)) : std::optional(v);
   }
 
   return result;
}

References Botan::TLS::Policy::acceptable_protocol_version(), BOTAN_ASSERT_NONNULL, highest_supported_version(), and Botan::TLS::Client_Hello::m_data.

Referenced by highest_supported_version().

◆ legacy_version()

Protocol_Version Botan::TLS::Client_Hello::legacy_version ( ) const

inherited

Return the version indicated in the ClientHello. This may differ from the version indicated in the supported_versions extension.

See RFC 8446 4.1.2: TLS 1.3, the client indicates its version preferences in the "supported_versions" extension (Section 4.2.1) and the legacy_version field MUST be set to 0x0303, which is the version number for TLS 1.2.

Definition at line 141 of file msg_client_hello.cpp.

                                                    {
   return m_data->legacy_version();
}

Referenced by ~Client_Hello().

◆ next_protocols()

std::vector< std::string > Botan::TLS::Client_Hello::next_protocols ( ) const

inherited

Definition at line 269 of file msg_client_hello.cpp.

                                                        {
   if(auto* alpn = m_data->extensions().get<Application_Layer_Protocol_Notification>()) {
      return alpn->protocols();
   }
   return {};
}

References m_data.

Referenced by Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_13::Client_Hello_13(), and ~Client_Hello().

◆ offered_suite()

bool Botan::TLS::Client_Hello::offered_suite ( uint16_t ciphersuite ) const

inherited

Definition at line 209 of file msg_client_hello.cpp.

                                                           {
   return std::find(m_data->ciphersuites().cbegin(), m_data->ciphersuites().cend(), ciphersuite) !=
          m_data->ciphersuites().cend();
}

References m_data.

Referenced by ~Client_Hello().

◆ parse()

std::variant< Client_Hello_13, Client_Hello_12_Shim > Botan::TLS::Client_Hello_13::parse ( const std::vector< uint8_t > & buf )

static

Definition at line 286 of file msg_client_hello_13.cpp.

                                                                                                      {
   auto data = std::make_unique<Client_Hello_Internal>(buf);
   const auto version = data->version();
 
   if(version.is_pre_tls_13()) {
      return Client_Hello_12_Shim(std::move(data));
   } else {
      return Client_Hello_13(std::move(data));
   }
}

References Client_Hello_13(), and parse().

Referenced by parse().

◆ random()

const std::vector< uint8_t > & Botan::TLS::Client_Hello::random ( ) const

inherited

Definition at line 145 of file msg_client_hello.cpp.

                                                     {
   return m_data->random();
}

Referenced by ~Client_Hello().

◆ retry()

void Botan::TLS::Client_Hello_13::retry	(	const Hello_Retry_Request &	hrr,
		const Transcript_Hash_State &	transcript_hash_state,
		Callbacks &	cb,
		RandomNumberGenerator &	rng )

Definition at line 297 of file msg_client_hello_13.cpp.

                                                        {
   BOTAN_STATE_CHECK(m_data->extensions().has<Supported_Groups>());
   BOTAN_STATE_CHECK(m_data->extensions().has<Key_Share>());
 
   auto* hrr_ks = hrr.extensions().get<Key_Share>();
   const auto& supported_groups = m_data->extensions().get<Supported_Groups>()->groups();
 
   if(hrr.extensions().has<Key_Share>()) {
      m_data->extensions().get<Key_Share>()->retry_offer(*hrr_ks, supported_groups, cb, rng);
   }
 
   // RFC 8446 4.2.2
   //    When sending the new ClientHello, the client MUST copy
   //    the contents of the extension received in the HelloRetryRequest into
   //    a "cookie" extension in the new ClientHello.
   //
   // RFC 8446 4.2.2
   //    Clients MUST NOT use cookies in their initial ClientHello in subsequent
   //    connections.
   if(hrr.extensions().has<Cookie>()) {
      BOTAN_STATE_CHECK(!m_data->extensions().has<Cookie>());
      m_data->extensions().add(new Cookie(hrr.extensions().get<Cookie>()->get_cookie()));  // NOLINT(*-owning-memory)
   }
 
   // Note: the consumer of the TLS implementation won't be able to distinguish
   //       invocations to this callback due to the first Client_Hello or the
   //       retried Client_Hello after receiving a Hello_Retry_Request. We assume
   //       that the user keeps and detects this state themselves.
   cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Client, type());
 
   // Same invariants as in the constructor: the callback must not strip
   // Supported_Groups or Key_Share
   if(!m_data->extensions().has<Supported_Groups>()) {
      throw TLS_Exception(
         Alert::InternalError,
         "Application tls_modify_extensions callback removed Supported_Groups from the retried ClientHello");
   }
   if(!m_data->extensions().has<Key_Share>()) {
      throw TLS_Exception(Alert::InternalError,
                          "Application tls_modify_extensions callback removed Key_Share from the retried ClientHello");
   }
 
   auto* psk = m_data->extensions().get<PSK>();
   if(psk != nullptr) {
      // RFC 8446 4.2.11
      //    The "pre_shared_key" extension MUST be the last extension in the
      //    ClientHello (this facilitates implementation [...]).
      m_data->extensions().reorder({Extension_Code::PresharedKey});
 
      // Cipher suite should always be a known suite as this is checked upstream
      const auto cipher = Ciphersuite::by_id(hrr.ciphersuite());
      BOTAN_ASSERT_NOMSG(cipher.has_value());
 
      // RFC 8446 4.1.4
      //    In [...] its updated ClientHello, the client SHOULD NOT offer
      //    any pre-shared keys associated with a hash other than that of the
      //    selected cipher suite.
      psk->filter(cipher.value());
 
      // RFC 8446 4.2.11.2
      //    If the server responds with a HelloRetryRequest and the client
      //    then sends ClientHello2, its binder will be computed over: [...].
      calculate_psk_binders(transcript_hash_state.clone());
   }
}

References BOTAN_ASSERT_NOMSG, BOTAN_STATE_CHECK, Botan::TLS::Ciphersuite::by_id(), Botan::TLS::Server_Hello::ciphersuite(), Botan::TLS::Client, Botan::TLS::Transcript_Hash_State::clone(), Botan::TLS::Server_Hello::extensions(), Botan::TLS::Extensions::get(), Botan::TLS::Cookie::get_cookie(), Botan::TLS::Extensions::has(), Botan::TLS::Client_Hello::m_data, Botan::TLS::PresharedKey, retry(), Botan::TLS::Callbacks::tls_modify_extensions(), and Botan::TLS::Client_Hello::type().

Referenced by retry().

◆ sent_signature_algorithms()

bool Botan::TLS::Client_Hello::sent_signature_algorithms ( ) const

inherited

Definition at line 265 of file msg_client_hello.cpp.

                                                   {
   return m_data->extensions().has<Signature_Algorithms>();
}

References m_data.

Referenced by ~Client_Hello().

◆ serialize()

std::vector< uint8_t > Botan::TLS::Client_Hello::serialize ( ) const

overridevirtualinherited

Returns: DER representation of this message

Implements Botan::TLS::Handshake_Message.

Definition at line 172 of file msg_client_hello.cpp.

                                                 {
   std::vector<uint8_t> buf;
   buf.reserve(1024);  // working around GCC warning
 
   buf.push_back(m_data->legacy_version().major_version());
   buf.push_back(m_data->legacy_version().minor_version());
   buf += m_data->random();
 
   append_tls_length_value(buf, m_data->session_id().get(), 1);
 
   if(m_data->legacy_version().is_datagram_protocol()) {
      append_tls_length_value(buf, m_data->hello_cookie(), 1);
   }
 
   append_tls_length_value(buf, m_data->ciphersuites(), 2);
   append_tls_length_value(buf, m_data->comp_methods(), 1);
 
   /*
   * May not want to send extensions at all in some cases. If so,
   * should include SCSV value (if reneg info is empty, if not we are
   * renegotiating with a modern server)
   */
 
   buf += m_data->extensions().serialize(Connection_Side::Client);
 
   return buf;
}

References Botan::TLS::append_tls_length_value(), Botan::TLS::Client, and m_data.

Referenced by ~Client_Hello().

◆ session_id()

const Session_ID & Botan::TLS::Client_Hello::session_id ( ) const

inherited

Definition at line 149 of file msg_client_hello.cpp.

                                                 {
   return m_data->session_id();
}

References m_data.

Referenced by Botan::TLS::Client_Hello_12::session_handle(), and ~Client_Hello().

◆ signature_schemes()

std::vector< Signature_Scheme > Botan::TLS::Client_Hello::signature_schemes ( ) const

inherited

Definition at line 214 of file msg_client_hello.cpp.

                                                                  {
   if(const Signature_Algorithms* sigs = m_data->extensions().get<Signature_Algorithms>()) {
      return sigs->supported_schemes();
   }
   return {};
}

References m_data.

Referenced by Botan::TLS::Certificate_13::Certificate_13(), certificate_signature_schemes(), Botan::TLS::Handshake_State::choose_sig_format(), and ~Client_Hello().

◆ sni_hostname()

std::string Botan::TLS::Client_Hello::sni_hostname ( ) const

inherited

Definition at line 247 of file msg_client_hello.cpp.

                                           {
   if(const Server_Name_Indicator* sni = m_data->extensions().get<Server_Name_Indicator>()) {
      return sni->host_name();
   }
   return "";
}

References m_data.

Referenced by Botan::TLS::Certificate_13::Certificate_13(), Botan::TLS::Certificate_Request_13::maybe_create(), and ~Client_Hello().

◆ srtp_profiles()

std::vector< uint16_t > Botan::TLS::Client_Hello::srtp_profiles ( ) const

inherited

Definition at line 276 of file msg_client_hello.cpp.

                                                      {
   if(const SRTP_Protection_Profiles* srtp = m_data->extensions().get<SRTP_Protection_Profiles>()) {
      return srtp->profiles();
   }
   return {};
}

References m_data.

Referenced by ~Client_Hello().

◆ supported_dh_groups()

std::vector< Group_Params > Botan::TLS::Client_Hello::supported_dh_groups ( ) const

inherited

Definition at line 240 of file msg_client_hello.cpp.

                                                                {
   if(const Supported_Groups* groups = m_data->extensions().get<Supported_Groups>()) {
      return groups->dh_groups();
   }
   return std::vector<Group_Params>();
}

References m_data.

Referenced by ~Client_Hello().

◆ supported_ecc_curves()

std::vector< Group_Params > Botan::TLS::Client_Hello::supported_ecc_curves ( ) const

inherited

Definition at line 233 of file msg_client_hello.cpp.

                                                                 {
   if(const Supported_Groups* groups = m_data->extensions().get<Supported_Groups>()) {
      return groups->ec_groups();
   }
   return {};
}

References m_data.

Referenced by ~Client_Hello().

◆ supported_versions()

std::vector< Protocol_Version > Botan::TLS::Client_Hello::supported_versions ( ) const

inherited

Definition at line 254 of file msg_client_hello.cpp.

                                                                   {
   if(const Supported_Versions* versions = m_data->extensions().get<Supported_Versions>()) {
      return versions->versions();
   }
   return {};
}

References m_data.

Referenced by ~Client_Hello().

◆ supports_alpn()

bool Botan::TLS::Client_Hello::supports_alpn ( ) const

inherited

Definition at line 261 of file msg_client_hello.cpp.

                                       {
   return m_data->extensions().has<Application_Layer_Protocol_Notification>();
}

References m_data.

Referenced by Botan::TLS::Server_Hello_12::Server_Hello_12(), Botan::TLS::Server_Hello_12::Server_Hello_12(), and ~Client_Hello().

◆ type()

Handshake_Type Botan::TLS::Client_Hello::type ( ) const

overridevirtualinherited

Returns: the message type

Implements Botan::TLS::Handshake_Message.

Definition at line 137 of file msg_client_hello.cpp.

                                        {
   return Handshake_Type::ClientHello;
}

References Botan::TLS::ClientHello.

Referenced by Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_13::Client_Hello_13(), Botan::TLS::Client_Hello_13::retry(), and ~Client_Hello().

◆ type_string()

std::string Botan::TLS::Handshake_Message::type_string ( ) const

inherited

Returns: string representation of this message type

Definition at line 21 of file tls_handshake_state.cpp.

                                               {
   return handshake_type_to_string(type());
}

References Botan::TLS::handshake_type_to_string(), and type().

◆ validate_updates()

void Botan::TLS::Client_Hello_13::validate_updates ( const Client_Hello_13 & new_ch )

This validates that a Client Hello received after sending a Hello Retry Request was updated in accordance with RFC 8446 4.1.2. If issues are found, this method throws accordingly.

Definition at line 366 of file msg_client_hello_13.cpp.

                                                                    {
   // RFC 8446 4.1.2
   //    The client will also send a ClientHello when the server has responded
   //    to its ClientHello with a HelloRetryRequest. In that case, the client
   //    MUST send the same ClientHello without modification, except as follows:
 
   if(m_data->session_id() != new_ch.m_data->session_id() || m_data->random() != new_ch.m_data->random() ||
      m_data->ciphersuites() != new_ch.m_data->ciphersuites() ||
      m_data->comp_methods() != new_ch.m_data->comp_methods()) {
      throw TLS_Exception(Alert::IllegalParameter, "Client Hello core values changed after Hello Retry Request");
   }
 
   const auto oldexts = extension_types();
   const auto newexts = new_ch.extension_types();
 
   // Check that extension omissions are justified. RFC 8446 4.1.2 lists the
   // only mutations the client may make between CH1 and CH2; any other
   // extension removal is an illegal parameter regardless of whether the
   // extension is one this implementation recognizes.
   for(const auto oldext : oldexts) {
      if(!newexts.contains(oldext)) {
         // RFC 8446 4.1.2
         //    Removing the "early_data" extension (Section 4.2.10) if one was
         //    present.  Early data is not permitted after a HelloRetryRequest.
         if(oldext == EarlyDataIndication::static_type()) {
            continue;
         }
 
         // RFC 8446 4.1.2
         //    Optionally adding, removing, or changing the length of the
         //    "padding" extension.
         if(oldext == Extension_Code::Padding) {
            continue;
         }
 
         throw TLS_Exception(Alert::IllegalParameter, "Extension removed in updated Client Hello");
      }
   }
 
   // Check that extension additions are justified. Same reasoning: only the
   // RFC-listed mutations are allowed, including for unknown extension codes.
   for(const auto newext : newexts) {
      if(!oldexts.contains(newext)) {
         // RFC 8446 4.1.2
         //    Including a "cookie" extension if one was provided in the
         //    HelloRetryRequest.
         if(newext == Cookie::static_type()) {
            continue;
         }
 
         // RFC 8446 4.1.2
         //    Optionally adding, removing, or changing the length of the
         //    "padding" extension.
         if(newext == Extension_Code::Padding) {
            continue;
         }
 
         throw TLS_Exception(Alert::UnsupportedExtension, "Added an extension in updated Client Hello");
      }
   }
 
   // RFC 8446 4.1.2
   //    Removing the "early_data" extension (Section 4.2.10) if one was
   //    present.  Early data is not permitted after a HelloRetryRequest.
   if(new_ch.extensions().has<EarlyDataIndication>()) {
      throw TLS_Exception(Alert::IllegalParameter, "Updated Client Hello indicates early data");
   }
 
   // RFC 8446 4.1.2
   //    The client MUST send the same ClientHello without modification,
   //    except as follows: [key_share, pre_shared_key, early_data, cookie, padding]
   //
   // Verify that extensions whose content must not change between the
   // initial and retried Client Hello have identical wire encodings.
   const std::set<Extension_Code> extensions_allowed_to_change = {
      Extension_Code::KeyShare,
      Extension_Code::PresharedKey,
      Extension_Code::EarlyData,
      Extension_Code::Cookie,
      Extension_Code::Padding,
   };
 
   for(const auto ext_type : oldexts) {
      if(extensions_allowed_to_change.contains(ext_type)) {
         continue;
      }
 
      const auto old_bytes = extensions().extension_raw_bytes(ext_type);
      const auto new_bytes = new_ch.extensions().extension_raw_bytes(ext_type);
 
      // Both Client Hellos validated here are received from the peer and went
      // through Extensions::deserialize, which records raw bytes for every
      // parsed extension. A missing raw_bytes on either side would mean an
      // extension was added by us programmatically - which shouldn't happen
      BOTAN_ASSERT_NOMSG(old_bytes.has_value() && new_bytes.has_value());
      if(old_bytes.value() != new_bytes.value()) {
         throw TLS_Exception(Alert::IllegalParameter, "Extension content changed in updated Client Hello");
      }
   }
}

References BOTAN_ASSERT_NOMSG, Client_Hello_13(), Botan::TLS::Cookie, Botan::TLS::EarlyData, Botan::TLS::Extensions::extension_raw_bytes(), Botan::TLS::Client_Hello::extension_types(), Botan::TLS::Client_Hello::extensions(), Botan::TLS::Extensions::has(), Botan::TLS::KeyShare, Botan::TLS::Client_Hello::m_data, Botan::TLS::Padding, Botan::TLS::PresharedKey, Botan::TLS::Cookie::static_type(), Botan::TLS::EarlyDataIndication::static_type(), and validate_updates().

Referenced by validate_updates().

◆ wire_type()

virtual Handshake_Type Botan::TLS::Handshake_Message::wire_type ( ) const

inlinevirtualinherited

Returns: the wire representation of the message's type

Reimplemented in Botan::TLS::Hello_Retry_Request.

Definition at line 39 of file tls_handshake_msg.h.

                                               {
         // Usually equal to the Handshake_Type enum value,
         // with the exception of TLS 1.3 Hello Retry Request.
         return type();
      }

References type().

Referenced by Botan::TLS::Stream_Handshake_IO::send().

Member Data Documentation

◆ m_data

std::unique_ptr<Client_Hello_Internal> Botan::TLS::Client_Hello::m_data

protectedinherited

Definition at line 148 of file tls_messages.h.

The documentation for this class was generated from the following files:

src/lib/tls/tls13/tls_messages_13.h
src/lib/tls/tls13/msg_client_hello_13.cpp

Public Member Functions

Static Public Member Functions

Protected Member Functions

Protected Attributes

Detailed Description

Constructor & Destructor Documentation

◆ Client_Hello_13()

Member Function Documentation

◆ certificate_signature_schemes()

◆ ciphersuites()

◆ compression_methods()

◆ cookie()

◆ cookie_input_data()

◆ extension_types()

◆ extensions()

◆ highest_supported_version()

◆ legacy_version()

◆ next_protocols()

◆ offered_suite()

◆ parse()

◆ random()

◆ retry()

◆ sent_signature_algorithms()

◆ serialize()

◆ session_id()

◆ signature_schemes()

◆ sni_hostname()

◆ srtp_profiles()

◆ supported_dh_groups()

◆ supported_ecc_curves()

◆ supported_versions()

◆ supports_alpn()

◆ type()

◆ type_string()

◆ validate_updates()

◆ wire_type()

Member Data Documentation

◆ m_data