#include <tls_messages.h>

Inheritance diagram for Botan::TLS::Server_Hello_13:

Classes
struct	Hello_Retry_Request_Creation_Tag

struct	Hello_Retry_Request_Tag

struct	Server_Hello_Tag

Public Member Functions
uint16_t	ciphersuite () const

const Extensions &	extensions () const

std::optional< Protocol_Version >	random_signals_downgrade () const

Protocol_Version	selected_version () const final

std::vector< uint8_t >	serialize () const override

const Session_ID &	session_id () const

Handshake_Type	type () const override

std::string	type_string () const

virtual Handshake_Type	wire_type () const

Static Public Member Functions
static std::variant< Hello_Retry_Request, Server_Hello_13 >	create (const Client_Hello_13 &ch, bool hello_retry_request_allowed, Session_Manager &session_mgr, Credentials_Manager &credentials_mgr, RandomNumberGenerator &rng, const Policy &policy, Callbacks &cb)

static std::variant< Hello_Retry_Request, Server_Hello_13, Server_Hello_12 >	parse (const std::vector< uint8_t > &buf)

Protected Member Functions
void	basic_validation () const

uint8_t	compression_method () const

std::set< Extension_Code >	extension_types () const

Protocol_Version	legacy_version () const

const std::vector< uint8_t > &	random () const

	Server_Hello_13 (const Client_Hello_13 &ch, std::optional< Named_Group > key_exchange_group, Session_Manager &session_mgr, Credentials_Manager &credentials_mgr, RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)

	Server_Hello_13 (std::unique_ptr< Server_Hello_Internal > data, Hello_Retry_Request_Creation_Tag tag)

	Server_Hello_13 (std::unique_ptr< Server_Hello_Internal > data, Hello_Retry_Request_Tag tag)

	Server_Hello_13 (std::unique_ptr< Server_Hello_Internal > data, Server_Hello_Tag tag=as_server_hello)

Protected Attributes
std::unique_ptr< Server_Hello_Internal >	m_data

Static Protected Attributes
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Tag	as_hello_retry_request

static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Creation_Tag	as_new_hello_retry_request

static const struct Botan::TLS::Server_Hello_13::Server_Hello_Tag	as_server_hello

Detailed Description

Definition at line 400 of file tls_messages.h.

Constructor & Destructor Documentation

◆ Server_Hello_13() [1/4]

Botan::TLS::Server_Hello_13::Server_Hello_13	(	std::unique_ptr< Server_Hello_Internal >	data,
		Server_Hello_13::Server_Hello_Tag	tag = as_server_hello )

explicitprotected

Definition at line 585 of file msg_server_hello.cpp.

                                                                                                           :
      Server_Hello(std::move(data)) {
   BOTAN_ASSERT_NOMSG(!m_data->is_hello_retry_request());
   basic_validation();
 
   const auto& exts = extensions();
 
   // RFC 8446 4.1.3
   //    The ServerHello MUST only include extensions which are required to
   //    establish the cryptographic context and negotiate the protocol version.
   //    [...]
   //    Other extensions (see Section 4.2) are sent separately in the
   //    EncryptedExtensions message.
   //
   // Note that further validation dependent on the client hello is done in the
   // TLS client implementation.
   const std::set<Extension_Code> allowed = {
      Extension_Code::KeyShare,
      Extension_Code::SupportedVersions,
      Extension_Code::PresharedKey,
   };
 
   // As the ServerHello shall only contain essential extensions, we don't give
   // any slack for extensions not implemented by Botan here.
   if(exts.contains_other_than(allowed)) {
      throw TLS_Exception(Alert::UnsupportedExtension, "Server Hello contained an extension that is not allowed");
   }
 
   // RFC 8446 4.1.3
   //    Current ServerHello messages additionally contain
   //    either the "pre_shared_key" extension or the "key_share"
   //    extension, or both [...].
   if(!exts.has<Key_Share>() && !exts.has<PSK_Key_Exchange_Modes>()) {
      throw TLS_Exception(Alert::MissingExtension, "server hello must contain key exchange information");
   }
}

References basic_validation(), BOTAN_ASSERT_NOMSG, Botan::TLS::Server_Hello::extensions(), Botan::TLS::KeyShare, Botan::TLS::Server_Hello::m_data, Botan::TLS::PresharedKey, and Botan::TLS::SupportedVersions.

Referenced by create(), and parse().

◆ Server_Hello_13() [2/4]

Botan::TLS::Server_Hello_13::Server_Hello_13	(	std::unique_ptr< Server_Hello_Internal >	data,
		Server_Hello_13::Hello_Retry_Request_Tag	tag )

explicitprotected

Definition at line 622 of file msg_server_hello.cpp.

                                                                         :
      Server_Hello(std::move(data)) {
   BOTAN_ASSERT_NOMSG(m_data->is_hello_retry_request());
   basic_validation();
 
   const auto& exts = extensions();
 
   // RFC 8446 4.1.4
   //     The HelloRetryRequest extensions defined in this specification are:
   //     -  supported_versions (see Section 4.2.1)
   //     -  cookie (see Section 4.2.2)
   //     -  key_share (see Section 4.2.8)
   const std::set<Extension_Code> allowed = {
      Extension_Code::Cookie,
      Extension_Code::SupportedVersions,
      Extension_Code::KeyShare,
   };
 
   // As the Hello Retry Request shall only contain essential extensions, we
   // don't give any slack for extensions not implemented by Botan here.
   if(exts.contains_other_than(allowed)) {
      throw TLS_Exception(Alert::UnsupportedExtension,
                          "Hello Retry Request contained an extension that is not allowed");
   }
 
   // RFC 8446 4.1.4
   //    Clients MUST abort the handshake with an "illegal_parameter" alert if
   //    the HelloRetryRequest would not result in any change in the ClientHello.
   if(!exts.has<Key_Share>() && !exts.has<Cookie>()) {
      throw TLS_Exception(Alert::IllegalParameter, "Hello Retry Request does not request any changes to Client Hello");
   }
}

References basic_validation(), BOTAN_ASSERT_NOMSG, Botan::TLS::Cookie, Botan::TLS::Server_Hello::extensions(), Botan::TLS::KeyShare, Botan::TLS::Server_Hello::m_data, and Botan::TLS::SupportedVersions.

◆ Server_Hello_13() [3/4]

Botan::TLS::Server_Hello_13::Server_Hello_13	(	const Client_Hello_13 &	ch,
		std::optional< Named_Group >	key_exchange_group,
		Session_Manager &	session_mgr,
		Credentials_Manager &	credentials_mgr,
		RandomNumberGenerator &	rng,
		Callbacks &	cb,
		const Policy &	policy )

protected

Definition at line 705 of file msg_server_hello.cpp.

                                                       :
      Server_Hello(std::make_unique<Server_Hello_Internal>(
         Protocol_Version::TLS_V12,
         ch.session_id(),
         make_server_hello_random(rng, Protocol_Version::TLS_V13, cb, policy),
         choose_ciphersuite(ch, policy),
         uint8_t(0) /* compression method */
         )) {
   // RFC 8446 4.2.1
   //    A server which negotiates TLS 1.3 MUST respond by sending a
   //    "supported_versions" extension containing the selected version
   //    value (0x0304). It MUST set the ServerHello.legacy_version field to
   //     0x0303 (TLS 1.2).
   //
   // Note that the legacy version (TLS 1.2) is set in this constructor's
   // initializer list, accordingly.
   m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13));
 
   if(key_exchange_group.has_value()) {
      BOTAN_ASSERT_NOMSG(ch.extensions().has<Key_Share>());
      m_data->extensions().add(Key_Share::create_as_encapsulation(
         key_exchange_group.value(), *ch.extensions().get<Key_Share>(), policy, cb, rng));
   }
 
   auto& ch_exts = ch.extensions();
 
   if(ch_exts.has<PSK>()) {
      const auto cs = Ciphersuite::by_id(m_data->ciphersuite());
      BOTAN_ASSERT_NOMSG(cs);
 
      // RFC 8446 4.2.9
      //    A client MUST provide a "psk_key_exchange_modes" extension if it
      //    offers a "pre_shared_key" extension.
      //
      // Note: Client_Hello_13 constructor already performed a graceful check.
      const auto psk_modes = ch_exts.get<PSK_Key_Exchange_Modes>();
      BOTAN_ASSERT_NONNULL(psk_modes);
 
      // TODO: also support PSK_Key_Exchange_Mode::PSK_KE
      //       (PSK-based handshake without an additional ephemeral key exchange)
      if(value_exists(psk_modes->modes(), PSK_Key_Exchange_Mode::PSK_DHE_KE)) {
         if(auto server_psk = ch_exts.get<PSK>()->select_offered_psk(
               ch.sni_hostname(), cs.value(), session_mgr, credentials_mgr, cb, policy)) {
            // RFC 8446 4.2.11
            //    In order to accept PSK key establishment, the server sends a
            //    "pre_shared_key" extension indicating the selected identity.
            m_data->extensions().add(std::move(server_psk));
         }
      }
   }
 
   cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Server, type());
}

References Botan::TLS::Extensions::add(), BOTAN_ASSERT_NOMSG, BOTAN_ASSERT_NONNULL, Botan::TLS::Ciphersuite::by_id(), Botan::TLS::Key_Share::create_as_encapsulation(), Botan::TLS::Client_Hello::extensions(), Botan::TLS::Server_Hello::extensions(), Botan::TLS::Extensions::get(), Botan::TLS::Extensions::has(), Botan::TLS::Server_Hello::m_data, Botan::TLS::PSK_DHE_KE, Botan::TLS::PSK::select_offered_psk(), Botan::TLS::Server, Botan::TLS::Client_Hello::sni_hostname(), Botan::TLS::Callbacks::tls_modify_extensions(), Botan::TLS::Server_Hello::type(), and Botan::value_exists().

◆ Server_Hello_13() [4/4]

Botan::TLS::Server_Hello_13::Server_Hello_13	(	std::unique_ptr< Server_Hello_Internal >	data,
		Hello_Retry_Request_Creation_Tag	tag )

explicitprotected

Definition at line 656 of file msg_server_hello.cpp.

656 :

657 Server_Hello(std::move(data)) {}

Member Function Documentation

◆ basic_validation()

void Botan::TLS::Server_Hello_13::basic_validation ( ) const

protected

Validation that applies to both Server Hello and Hello Retry Request

Definition at line 540 of file msg_server_hello.cpp.

                                             {
   BOTAN_ASSERT_NOMSG(m_data->version() == Protocol_Version::TLS_V13);
 
   // Note: checks that cannot be performed without contextual information
   //       are done in the specific TLS client implementation.
   // Note: The Supported_Version extension makes sure internally that
   //       exactly one entry is provided.
 
   // Note: Hello Retry Request basic validation is equivalent with the
   //       basic validations required for Server Hello
   //
   // RFC 8446 4.1.4
   //    Upon receipt of a HelloRetryRequest, the client MUST check the
   //    legacy_version, [...], and legacy_compression_method as specified in
   //    Section 4.1.3 and then process the extensions, starting with determining
   //    the version using "supported_versions".
 
   // RFC 8446 4.1.3
   //    In TLS 1.3, [...] the legacy_version field MUST be set to 0x0303
   if(legacy_version() != Protocol_Version::TLS_V12) {
      throw TLS_Exception(Alert::ProtocolVersion,
                          "legacy_version '" + legacy_version().to_string() + "' is not allowed");
   }
 
   // RFC 8446 4.1.3
   //    legacy_compression_method:  A single byte which MUST have the value 0.
   if(compression_method() != 0x00) {
      throw TLS_Exception(Alert::DecodeError, "compression is not supported in TLS 1.3");
   }
 
   // RFC 8446 4.1.3
   //    All TLS 1.3 ServerHello messages MUST contain the "supported_versions" extension.
   if(!extensions().has<Supported_Versions>()) {
      throw TLS_Exception(Alert::MissingExtension, "server hello did not contain 'supported version' extension");
   }
 
   // RFC 8446 4.2.1
   //    A server which negotiates TLS 1.3 MUST respond by sending
   //    a "supported_versions" extension containing the selected version
   //    value (0x0304).
   if(selected_version() != Protocol_Version::TLS_V13) {
      throw TLS_Exception(Alert::IllegalParameter, "TLS 1.3 Server Hello selected a different version");
   }
}

References BOTAN_ASSERT_NOMSG, Botan::TLS::Server_Hello::compression_method(), Botan::TLS::Server_Hello::extensions(), Botan::TLS::Server_Hello::legacy_version(), Botan::TLS::Server_Hello::m_data, selected_version(), and Botan::to_string().

Referenced by Server_Hello_13(), and Server_Hello_13().

◆ ciphersuite()

uint16_t Botan::TLS::Server_Hello::ciphersuite ( ) const

inherited

Definition at line 218 of file msg_server_hello.cpp.

                                         {
   return m_data->ciphersuite();
}

References Botan::TLS::Server_Hello::m_data.

Referenced by Botan::TLS::Client_Hello_13::retry().

◆ compression_method()

uint8_t Botan::TLS::Server_Hello::compression_method ( ) const

protectedinherited

Definition at line 210 of file msg_server_hello.cpp.

                                               {
   return m_data->comp_method();
}

References Botan::TLS::Server_Hello::m_data.

Referenced by basic_validation().

◆ create()

std::variant< Hello_Retry_Request, Server_Hello_13 > Botan::TLS::Server_Hello_13::create	(	const Client_Hello_13 &	ch,
		bool	hello_retry_request_allowed,
		Session_Manager &	session_mgr,
		Credentials_Manager &	credentials_mgr,
		RandomNumberGenerator &	rng,
		const Policy &	policy,
		Callbacks &	cb )

static

Definition at line 459 of file msg_server_hello.cpp.

                                                                                          {
   const auto& exts = ch.extensions();
 
   // RFC 8446 4.2.9
   //    [With PSK with (EC)DHE key establishment], the client and server MUST
   //    supply "key_share" values [...].
   //
   // Note: We currently do not support PSK without (EC)DHE, hence, we can
   //       assume that those extensions are available.
   BOTAN_ASSERT_NOMSG(exts.has<Supported_Groups>() && exts.has<Key_Share>());
   const auto& supported_by_client = exts.get<Supported_Groups>()->groups();
   const auto& offered_by_client = exts.get<Key_Share>()->offered_groups();
   const auto selected_group = policy.choose_key_exchange_group(supported_by_client, offered_by_client);
 
   // RFC 8446 4.1.1
   //    If there is no overlap between the received "supported_groups" and the
   //    groups supported by the server, then the server MUST abort the
   //    handshake with a "handshake_failure" or an "insufficient_security" alert.
   if(selected_group == Named_Group::NONE) {
      throw TLS_Exception(Alert::HandshakeFailure, "Client did not offer any acceptable group");
   }
 
   // RFC 8446 4.2.8:
   //    Servers MUST NOT send a KeyShareEntry for any group not indicated in the
   //    client's "supported_groups" extension [...]
   if(!value_exists(supported_by_client, selected_group)) {
      throw TLS_Exception(Alert::InternalError, "Application selected a group that is not supported by the client");
   }
 
   // RFC 8446 4.1.4
   //    The server will send this message in response to a ClientHello
   //    message if it is able to find an acceptable set of parameters but the
   //    ClientHello does not contain sufficient information to proceed with
   //    the handshake.
   //
   // In this case, the Client Hello did not contain a key share offer for
   // the group selected by the application.
   if(!value_exists(offered_by_client, selected_group)) {
      // RFC 8446 4.1.4
      //    If a client receives a second HelloRetryRequest in the same
      //    connection (i.e., where the ClientHello was itself in response to a
      //    HelloRetryRequest), it MUST abort the handshake with an
      //    "unexpected_message" alert.
      BOTAN_STATE_CHECK(hello_retry_request_allowed);
      return Hello_Retry_Request(ch, selected_group, policy, cb);
   } else {
      return Server_Hello_13(ch, selected_group, session_mgr, credentials_mgr, rng, cb, policy);
   }
}

References BOTAN_ASSERT_NOMSG, BOTAN_STATE_CHECK, Botan::TLS::Policy::choose_key_exchange_group(), Botan::TLS::Client_Hello::extensions(), Server_Hello_13(), and Botan::value_exists().

◆ extension_types()

std::set< Extension_Code > Botan::TLS::Server_Hello::extension_types ( ) const

protectedinherited

Definition at line 222 of file msg_server_hello.cpp.

                                                           {
   return m_data->extensions().extension_types();
}

References Botan::TLS::Server_Hello::m_data.

◆ extensions()

const Extensions & Botan::TLS::Server_Hello::extensions ( ) const

inherited

Definition at line 226 of file msg_server_hello.cpp.

                                                 {
   return m_data->extensions();
}

References Botan::TLS::Server_Hello::m_data.

Referenced by basic_validation(), Botan::TLS::Client_Hello_13::retry(), Botan::TLS::Server_Hello_12::Server_Hello_12(), Botan::TLS::Server_Hello_12::Server_Hello_12(), Server_Hello_13(), Server_Hello_13(), and Server_Hello_13().

◆ legacy_version()

Protocol_Version Botan::TLS::Server_Hello::legacy_version ( ) const

protectedinherited

Definition at line 202 of file msg_server_hello.cpp.

                                                    {
   return m_data->legacy_version();
}

References Botan::TLS::Server_Hello::m_data.

Referenced by basic_validation().

◆ parse()

std::variant< Hello_Retry_Request, Server_Hello_13, Server_Hello_12 > Botan::TLS::Server_Hello_13::parse ( const std::vector< uint8_t > & buf )

static

Definition at line 515 of file msg_server_hello.cpp.

                                  {
   auto data = std::make_unique<Server_Hello_Internal>(buf);
   const auto version = data->version();
 
   // server hello that appears to be pre-TLS 1.3, takes precedence over...
   if(version.is_pre_tls_13()) {
      return Server_Hello_12(std::move(data));
   }
 
   // ... the TLS 1.3 "special case" aka. Hello_Retry_Request
   if(version == Protocol_Version::TLS_V13) {
      if(data->is_hello_retry_request()) {
         return Hello_Retry_Request(std::move(data));
      }
 
      return Server_Hello_13(std::move(data));
   }
 
   throw TLS_Exception(Alert::ProtocolVersion, "unexpected server hello version: " + version.to_string());
}

References Server_Hello_13().

◆ random()

const std::vector< uint8_t > & Botan::TLS::Server_Hello::random ( ) const

protectedinherited

Definition at line 206 of file msg_server_hello.cpp.

                                                     {
   return m_data->random();
}

References Botan::TLS::Server_Hello::m_data.

Referenced by Botan::TLS::Server_Hello::serialize().

◆ random_signals_downgrade()

std::optional< Protocol_Version > Botan::TLS::Server_Hello_13::random_signals_downgrade ( ) const

Return desired downgrade version indicated by hello random, if any.

Definition at line 765 of file msg_server_hello.cpp.

                                                                              {
   const uint64_t last8 = load_be<uint64_t>(m_data->random().data(), 3);
   if(last8 == DOWNGRADE_TLS11) {
      return Protocol_Version::TLS_V11;
   }
   if(last8 == DOWNGRADE_TLS12) {
      return Protocol_Version::TLS_V12;
   }
 
   return std::nullopt;
}

References Botan::TLS::Server_Hello::m_data.

◆ selected_version()

Protocol_Version Botan::TLS::Server_Hello_13::selected_version ( ) const

finalvirtual

Returns: the selected version as indicated by the supported_versions extension

Implements Botan::TLS::Server_Hello.

Definition at line 777 of file msg_server_hello.cpp.

                                                         {
   const auto versions_ext = m_data->extensions().get<Supported_Versions>();
   BOTAN_ASSERT_NOMSG(versions_ext);
   const auto& versions = versions_ext->versions();
   BOTAN_ASSERT_NOMSG(versions.size() == 1);
   return versions.front();
}

References BOTAN_ASSERT_NOMSG, and Botan::TLS::Server_Hello::m_data.

Referenced by basic_validation().

◆ serialize()

std::vector< uint8_t > Botan::TLS::Server_Hello::serialize ( ) const

overridevirtualinherited

Returns: DER representation of this message

Implements Botan::TLS::Handshake_Message.

Definition at line 178 of file msg_server_hello.cpp.

                                                 {
   std::vector<uint8_t> buf;
   buf.reserve(1024);  // working around GCC warning
 
   buf.push_back(m_data->legacy_version().major_version());
   buf.push_back(m_data->legacy_version().minor_version());
   buf += m_data->random();
 
   append_tls_length_value(buf, m_data->session_id().get(), 1);
 
   buf.push_back(get_byte<0>(m_data->ciphersuite()));
   buf.push_back(get_byte<1>(m_data->ciphersuite()));
 
   buf.push_back(m_data->comp_method());
 
   buf += m_data->extensions().serialize(Connection_Side::Server);
 
   return buf;
}

References Botan::TLS::append_tls_length_value(), Botan::TLS::Server_Hello::random(), and Botan::TLS::Server.

◆ session_id()

const Session_ID & Botan::TLS::Server_Hello::session_id ( ) const

inherited

Definition at line 214 of file msg_server_hello.cpp.

                                                 {
   return m_data->session_id();
}

References Botan::TLS::Server_Hello::m_data.

◆ type()

Handshake_Type Botan::TLS::Server_Hello::type ( ) const

overridevirtualinherited

Returns: the message type

Implements Botan::TLS::Handshake_Message.

Definition at line 198 of file msg_server_hello.cpp.

                                        {
   return Handshake_Type::ServerHello;
}

References Botan::TLS::ServerHello.

Referenced by Botan::TLS::Server_Hello_12::Server_Hello_12(), and Server_Hello_13().

◆ type_string()

std::string Botan::TLS::Handshake_Message::type_string ( ) const

inherited

Returns: string representation of this message type

Definition at line 19 of file tls_handshake_state.cpp.

                                               {
   return handshake_type_to_string(type());
}

References Botan::TLS::handshake_type_to_string(), and Botan::TLS::Handshake_Message::type().

◆ wire_type()

virtual Handshake_Type Botan::TLS::Handshake_Message::wire_type ( ) const

inlinevirtualinherited

Returns: the wire representation of the message's type

Reimplemented in Botan::TLS::Hello_Retry_Request.

Definition at line 39 of file tls_handshake_msg.h.

                                               {
         // Usually equal to the Handshake_Type enum value,
         // with the exception of TLS 1.3 Hello Retry Request.
         return type();
      }

Referenced by Botan::TLS::Stream_Handshake_IO::send().

Member Data Documentation

◆ as_hello_retry_request

const Server_Hello_13::Hello_Retry_Request_Tag Botan::TLS::Server_Hello_13::as_hello_retry_request

staticprotected

Definition at line 456 of file msg_server_hello.cpp.

◆ as_new_hello_retry_request

const Server_Hello_13::Hello_Retry_Request_Creation_Tag Botan::TLS::Server_Hello_13::as_new_hello_retry_request

staticprotected

Definition at line 457 of file msg_server_hello.cpp.

◆ as_server_hello

const Server_Hello_13::Server_Hello_Tag Botan::TLS::Server_Hello_13::as_server_hello

staticprotected

Definition at line 455 of file msg_server_hello.cpp.

◆ m_data

std::unique_ptr<Server_Hello_Internal> Botan::TLS::Server_Hello::m_data

protectedinherited

Definition at line 304 of file tls_messages.h.

The documentation for this class was generated from the following files:

src/lib/tls/tls_messages.h
src/lib/tls/msg_server_hello.cpp

Classes

Public Member Functions

Static Public Member Functions

Protected Member Functions

Protected Attributes

Static Protected Attributes

Detailed Description

Constructor & Destructor Documentation

◆ Server_Hello_13() [1/4]

◆ Server_Hello_13() [2/4]

◆ Server_Hello_13() [3/4]

◆ Server_Hello_13() [4/4]

Member Function Documentation

◆ basic_validation()

◆ ciphersuite()

◆ compression_method()

◆ create()

◆ extension_types()

◆ extensions()

◆ legacy_version()

◆ parse()

◆ random()

◆ random_signals_downgrade()

◆ selected_version()

◆ serialize()

◆ session_id()

◆ type()

◆ type_string()

◆ wire_type()

Member Data Documentation

◆ as_hello_retry_request

◆ as_new_hello_retry_request

◆ as_server_hello

◆ m_data