Botan::TLS::Encrypted_Extensions Class Reference

#include <tls_messages_13.h>

Inheritance diagram for Botan::TLS::Encrypted_Extensions:

Public Member Functions
	Encrypted_Extensions (const Client_Hello_13 &client_hello, const Policy &policy, Callbacks &cb, bool is_resumption, bool requesting_client_auth)
	Encrypted_Extensions (const std::vector< uint8_t > &buf)
const Extensions &	extensions () const
std::vector< uint8_t >	serialize () const override
Handshake_Type	type () const override
std::string	type_string () const
virtual Handshake_Type	wire_type () const

Detailed Description

Definition at line 146 of file tls_messages_13.h.

Constructor & Destructor Documentation

Encrypted_Extensions() [1/2]

Botan::TLS::Encrypted_Extensions::Encrypted_Extensions ( const std::vector< uint8_t > & buf )

explicit

Definition at line 134 of file msg_encrypted_extensions.cpp.

                                                                        {
   TLS_Data_Reader reader("encrypted extensions reader", buf);
 
   // Encrypted Extensions contains a list of extensions. This list may legally
   // be empty. However, in that case we should at least see a two-byte length
   // field that reads 0x00 0x00.
   if(buf.size() < 2) {
      throw TLS_Exception(Alert::DecodeError, "Server sent an empty Encrypted Extensions message");
   }
 
   m_extensions.deserialize(reader, Connection_Side::Server, type());
 
   // RFC 8446 4.2
   //    If an implementation receives an extension which it recognizes and
   //    which is not specified for the message in which it appears, it MUST
   //    abort the handshake with an "illegal_parameter" alert.
   //
   // Note that we cannot encounter any extensions that we don't recognize here,
   // since only extensions we previously offered are allowed in EE.
   const auto allowed_exts = std::set<Extension_Code>{
      // Allowed extensions listed in RFC 8446 and implemented in Botan
      Extension_Code::ServerNameIndication,
      // MAX_FRAGMENT_LENGTH
      Extension_Code::SupportedGroups,
      Extension_Code::UseSrtp,
      // HEARTBEAT
      Extension_Code::ApplicationLayerProtocolNegotiation,
      // RFC 7250
      Extension_Code::ClientCertificateType,
      Extension_Code::ServerCertificateType,
      // EARLY_DATA
 
      // Allowed extensions not listed in RFC 8446 but acceptable as Botan implements them
      Extension_Code::RecordSizeLimit,
   };
   if(m_extensions.contains_implemented_extensions_other_than(allowed_exts)) {
      throw TLS_Exception(Alert::IllegalParameter, "Encrypted Extensions contained an extension that is not allowed");
   }
 
   reader.assert_done();
}

References Botan::TLS::ApplicationLayerProtocolNegotiation, Botan::TLS::TLS_Data_Reader::assert_done(), Botan::TLS::ClientCertificateType, Botan::TLS::RecordSizeLimit, Botan::TLS::Server, Botan::TLS::ServerCertificateType, Botan::TLS::ServerNameIndication, Botan::TLS::SupportedGroups, type(), and Botan::TLS::UseSrtp.

Encrypted_Extensions() [2/2]

Botan::TLS::Encrypted_Extensions::Encrypted_Extensions	(	const Client_Hello_13 &	client_hello,
		const Policy &	policy,
		Callbacks &	cb,
		bool	is_resumption,
		bool	requesting_client_auth )

Definition at line 19 of file msg_encrypted_extensions.cpp.

                                                                        {
   const auto& exts = client_hello.extensions();
 
   // NOLINTBEGIN(*-owning-memory)
 
   // RFC 8446 4.2.7
   //    As of TLS 1.3, servers are permitted to send the "supported_groups"
   //    extension to the client.  Clients [...] MAY use the information
   //    learned from a successfully completed handshake to change what groups
   //    they use in their "key_share" extension in subsequent connections.
   if(exts.has<Supported_Groups>()) {
      m_extensions.add(new Supported_Groups(policy.key_exchange_groups()));
   }
 
   const auto record_size_limit = policy.record_size_limit();
   const auto max_record_size = MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */;
   if(exts.has<Record_Size_Limit>()) {
      // RFC 8449 4
      //    Endpoints SHOULD advertise the "record_size_limit" extension, even
      //    if they have no need to limit the size of records. [...]  For
      //    servers, this allows clients to know that their limit will be
      //    respected.
      m_extensions.add(new Record_Size_Limit(record_size_limit.value_or(max_record_size)));
   } else if(record_size_limit.has_value() && record_size_limit.value() < max_record_size) {
      // RFC 8449 4
      //    Endpoints SHOULD advertise the "record_size_limit" extension, even if
      //    they have no need to limit the size of records. For clients, this
      //    allows servers to advertise a limit at their discretion.
      throw TLS_Exception(Alert::MissingExtension,
                          "Server cannot enforce record size limit without the client supporting it");
   }
 
   // RFC 7250 4.2
   //    If the TLS server wants to request a certificate from the client
   //    (via the certificate_request message), it MUST include the
   //    client_certificate_type extension in the server hello.
   //    [...]
   //    If the server does not send a certificate_request payload [...],
   //    then the client_certificate_type payload in the server hello MUST be
   //    omitted.
   //
   // Note: requesting_client_auth tracks whether the caller will actually
   // emit a CertificateRequest. The server-side decision in
   // Certificate_Request_13::maybe_create depends on both the policy flag
   // *and* the credentials manager's CA list, so re-checking just the
   // policy flag here would miss the trusted-CAs-only configuration.
   if(auto* ch_client_cert_types = exts.get<Client_Certificate_Type>();
      ch_client_cert_types != nullptr && requesting_client_auth) {
      m_extensions.add(new Client_Certificate_Type(*ch_client_cert_types, policy));
   }
 
   // RFC 7250 4.2
   //    The server_certificate_type extension in the client hello indicates the
   //    types of certificates the client is able to process when provided by
   //    the server in a subsequent certificate payload. [...] With the
   //    server_certificate_type extension in the server hello, the TLS server
   //    indicates the certificate type carried in the Certificate payload.
   if(auto* ch_server_cert_types = exts.get<Server_Certificate_Type>()) {
      m_extensions.add(new Server_Certificate_Type(*ch_server_cert_types, policy));
   }
 
   // RFC 6066 3
   //    A server that receives a client hello containing the "server_name"
   //    extension [...] SHALL include an extension of type "server_name" in the
   //    (extended) server hello. The "extension_data" field of this extension
   //    SHALL be empty.
   //
   //    When resuming a session, the server MUST NOT include a server_name
   //    extension in the server hello.
   if(exts.has<Server_Name_Indicator>() && !is_resumption) {
      m_extensions.add(new Server_Name_Indicator(""));
   }
 
   if(auto* alpn_ext = exts.get<Application_Layer_Protocol_Notification>()) {
      const auto& offered = alpn_ext->protocols();
      const auto next_protocol = cb.tls_server_choose_app_protocol(offered);
      if(!next_protocol.empty()) {
         // RFC 7301 3.2: if a protocol is selected, the server MUST select
         // one of the protocols advertised by the client.
         if(!value_exists(offered, next_protocol)) {
            throw TLS_Exception(Alert::InternalError,
                                "Application chose an ALPN protocol that the client did not offer");
         }
         m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol));
      }
   }
 
   // NOLINTEND(*-owning-memory)
 
   // TODO: Implement handling for (at least)
   //       * SRTP
 
   cb.tls_modify_extensions(m_extensions, Connection_Side::Server, type());
 
   // After the application's tls_modify_extensions callback runs, re-check the
   // RFC-MUST invariants we just established above. The application can add or
   // reorder extensions, but shouldn't remove ones required direct response to
   // ClientHello extensions would put us out of spec.
   if(exts.has<Server_Certificate_Type>() && !m_extensions.has<Server_Certificate_Type>()) {
      throw TLS_Exception(
         Alert::InternalError,
         "Application tls_modify_extensions callback removed Server_Certificate_Type from EncryptedExtensions");
   }
 
   if(requesting_client_auth && exts.has<Client_Certificate_Type>() && !m_extensions.has<Client_Certificate_Type>()) {
      throw TLS_Exception(
         Alert::InternalError,
         "Application tls_modify_extensions callback removed Client_Certificate_Type from EncryptedExtensions");
   }
}

References Botan::TLS::Client_Hello::extensions(), Botan::TLS::Policy::key_exchange_groups(), Botan::TLS::MAX_PLAINTEXT_SIZE, Botan::TLS::Policy::record_size_limit(), Botan::TLS::Server, Botan::TLS::Callbacks::tls_modify_extensions(), Botan::TLS::Callbacks::tls_server_choose_app_protocol(), type(), and Botan::value_exists().

Member Function Documentation

extensions()

const Extensions & Botan::TLS::Encrypted_Extensions::extensions ( ) const

inline

Definition at line 157 of file tls_messages_13.h.

{ return m_extensions; }

serialize()

std::vector< uint8_t > Botan::TLS::Encrypted_Extensions::serialize ( ) const

overridevirtual

Returns

DER representation of this message

Implements Botan::TLS::Handshake_Message.

Definition at line 176 of file msg_encrypted_extensions.cpp.

                                                         {
   // RFC 8446 4.3.1: EncryptedExtensions carries Extension extensions<0..2^16-1>;
   // an empty list still requires a 2-byte length-prefix on the wire.
   // Extensions::serialize collapses empty to {} to suit other contexts, so
   // emit the explicit length here. Mirrors the same fallback in
   // New_Session_Ticket_13::serialize.
   if(m_extensions.empty()) {
      return {0x00, 0x00};
   }
   return m_extensions.serialize(Connection_Side::Server);
}

References Botan::TLS::Server.

type()

Handshake_Type Botan::TLS::Encrypted_Extensions::type ( ) const

inlineoverridevirtual

Returns

the message type

Implements Botan::TLS::Handshake_Message.

Definition at line 155 of file tls_messages_13.h.

{ return Handshake_Type::EncryptedExtensions; }

References Botan::TLS::EncryptedExtensions.

Referenced by Encrypted_Extensions(), and Encrypted_Extensions().

type_string()

std::string Botan::TLS::Handshake_Message::type_string ( ) const

inherited

Returns

string representation of this message type

Definition at line 21 of file tls_handshake_state.cpp.

                                               {
   return handshake_type_to_string(type());
}

References Botan::TLS::handshake_type_to_string(), and type().

wire_type()

virtual Handshake_Type Botan::TLS::Handshake_Message::wire_type ( ) const

inlinevirtualinherited

Returns

the wire representation of the message's type

Reimplemented in Botan::TLS::Hello_Retry_Request.

Definition at line 39 of file tls_handshake_msg.h.

                                               {
         // Usually equal to the Handshake_Type enum value,
         // with the exception of TLS 1.3 Hello Retry Request.
         return type();
      }

References type().

Referenced by Botan::TLS::Stream_Handshake_IO::send().

---

The documentation for this class was generated from the following files:

• src/lib/tls/tls13/tls_messages_13.h
• src/lib/tls/tls13/msg_encrypted_extensions.cpp