#include <tls_server_impl_13.h>

Inheritance diagram for Botan::TLS::Server_Impl_13:

Public Member Functions
std::string	application_protocol () const override

void	close ()

bool	expects_downgrade () const

std::optional< std::string >	external_psk_identity () const override

std::unique_ptr< Downgrade_Information >	extract_downgrade_info ()

size_t	from_peer (std::span< const uint8_t > data) override

bool	is_active () const override

bool	is_closed () const override

bool	is_closed_for_reading () const override

bool	is_closed_for_writing () const override

bool	is_downgrading () const

bool	is_handshake_complete () const override

SymmetricKey	key_material_export (std::string_view label, std::string_view context, size_t length) const override

bool	new_session_ticket_supported () const override

std::vector< X509_Certificate >	peer_cert_chain () const override

std::shared_ptr< const Public_Key >	peer_raw_public_key () const override

void	renegotiate (bool) override

bool	secure_renegotiation_supported () const override

void	send_alert (const Alert &alert) override

void	send_fatal_alert (Alert::Type type)

size_t	send_new_session_tickets (size_t tickets) override

void	send_warning_alert (Alert::Type type)

	Server_Impl_13 (const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &credentials_manager, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng)

bool	timeout_check () override

void	to_peer (std::span< const uint8_t > data) override

void	update_traffic_keys (bool request_peer_update=false) override

Protected Member Functions
AggregatedHandshakeMessages	aggregate_handshake_messages ()

AggregatedPostHandshakeMessages	aggregate_post_handshake_messages ()

Callbacks &	callbacks () const

Credentials_Manager &	credentials_manager ()

void	expect_downgrade (const Server_Information &server_info, const std::vector< std::string > &next_protocols)

void	opportunistically_update_traffic_keys ()

const Policy &	policy () const

virtual bool	prepend_ccs ()

void	preserve_client_hello (std::span< const uint8_t > msg)

void	preserve_peer_transcript (std::span< const uint8_t > input)

void	request_downgrade ()

void	request_downgrade_for_resumption (Session_with_Handle session)

RandomNumberGenerator &	rng ()

void	send_dummy_change_cipher_spec ()

template<typename... MsgTs>
std::vector< uint8_t >	send_handshake_message (const std::variant< MsgTs... > &message)

template<typename MsgT >
std::vector< uint8_t >	send_handshake_message (std::reference_wrapper< MsgT > message)

std::vector< uint8_t >	send_post_handshake_message (Post_Handshake_Message_13 message)

Session_Manager &	session_manager ()

void	set_io_buffer_size (size_t io_buf_sz)

void	set_record_size_limits (uint16_t outgoing_limit, uint16_t incoming_limit)

void	set_selected_certificate_type (Certificate_Type cert_type)

Protected Attributes
std::unique_ptr< Cipher_State >	m_cipher_state

std::unique_ptr< Downgrade_Information >	m_downgrade_info

const Connection_Side	m_side

Transcript_Hash_State	m_transcript_hash

Detailed Description

SSL/TLS Server 1.3 implementation

Definition at line 22 of file tls_server_impl_13.h.

Constructor & Destructor Documentation

◆ Server_Impl_13()

Botan::TLS::Server_Impl_13::Server_Impl_13	(	const std::shared_ptr< Callbacks > &	callbacks,
		const std::shared_ptr< Session_Manager > &	session_manager,
		const std::shared_ptr< Credentials_Manager > &	credentials_manager,
		const std::shared_ptr< const Policy > &	policy,
		const std::shared_ptr< RandomNumberGenerator > &	rng )

explicit

Definition at line 19 of file tls_server_impl_13.cpp.

                                                                                :
      Channel_Impl_13(callbacks, session_manager, credentials_manager, rng, policy, true /* is_server */) {
#if defined(BOTAN_HAS_TLS_12)
   if(policy->allow_tls12()) {
      expect_downgrade({}, {});
   }
#endif
 
   m_transitions.set_expected_next(Handshake_Type::ClientHello);
}

References Botan::TLS::Policy::allow_tls12(), and Botan::TLS::Channel_Impl_13::policy().

Member Function Documentation

◆ aggregate_handshake_messages()

AggregatedHandshakeMessages Botan::TLS::Channel_Impl_13::aggregate_handshake_messages ( )

inlineprotectedinherited

Definition at line 256 of file tls_channel_impl_13.h.

                                                                 {
         return AggregatedHandshakeMessages(*this, m_handshake_layer, m_transcript_hash);
      }

References Botan::TLS::Channel_Impl_13::m_transcript_hash.

Referenced by Botan::TLS::Channel_Impl_13::send_handshake_message().

◆ aggregate_post_handshake_messages()

AggregatedPostHandshakeMessages Botan::TLS::Channel_Impl_13::aggregate_post_handshake_messages ( )

inlineprotectedinherited

Definition at line 260 of file tls_channel_impl_13.h.

                                                                          {
         return AggregatedPostHandshakeMessages(*this, m_handshake_layer);
      }

Referenced by Botan::TLS::Channel_Impl_13::send_post_handshake_message().

◆ application_protocol()

std::string Botan::TLS::Server_Impl_13::application_protocol ( ) const

overridevirtual

Return the protocol notification set for this connection, if any (ALPN). This value is not tied to the session and a later renegotiation of the same session can choose a new protocol.

Implements Botan::TLS::Channel_Impl.

Definition at line 34 of file tls_server_impl_13.cpp.

                                                     {
   if(is_handshake_complete()) {
      const auto& eee = m_handshake_state.encrypted_extensions().extensions();
      if(const auto alpn = eee.get<Application_Layer_Protocol_Notification>()) {
         return alpn->single_protocol();
      }
   }
 
   return "";
}

◆ callbacks()

Callbacks & Botan::TLS::Channel_Impl_13::callbacks ( ) const

inlineprotectedinherited

Definition at line 264 of file tls_channel_impl_13.h.

264{ return *m_callbacks; }

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13(), and Botan::TLS::Channel_Impl_13::from_peer().

◆ close()

void Botan::TLS::Channel_Impl::close ( )

inlineinherited

Send a close notification alert

Definition at line 80 of file tls_channel_impl.h.

80{ send_warning_alert(Alert::CloseNotify); }

Botan::TLS::Channel_Impl::send_warning_alert

void send_warning_alert(Alert::Type type)

Definition tls_channel_impl.h:70

References Botan::TLS::Channel_Impl::send_warning_alert().

◆ credentials_manager()

Credentials_Manager & Botan::TLS::Channel_Impl_13::credentials_manager ( )

inlineprotectedinherited

Definition at line 268 of file tls_channel_impl_13.h.

268{ return *m_credentials_manager; }

◆ expect_downgrade()

void Botan::TLS::Channel_Impl_13::expect_downgrade	(	const Server_Information &	server_info,
		const std::vector< std::string > &	next_protocols )

protectedinherited

Indicate that we have to expect a downgrade to TLS 1.2. In which case the current implementation (i.e. Client_Impl_13 or Server_Impl_13) will need to be replaced by their respective counter parts.

This will prepare an internal structure where any information required to downgrade can be preserved.

See also: Channel_Impl::Downgrade_Information

Definition at line 402 of file tls_channel_impl_13.cpp.

                                                                                   {
   Downgrade_Information di{
      {},
      {},
      {},
      server_info,
      next_protocols,
      Botan::TLS::Channel::IO_BUF_DEFAULT_SIZE,
      m_callbacks,
      m_session_manager,
      m_credentials_manager,
      m_rng,
      m_policy,
      false,  // received_tls_13_error_alert
      false   // will_downgrade
   };
   m_downgrade_info = std::make_unique<Downgrade_Information>(std::move(di));
}

References Botan::TLS::Channel::IO_BUF_DEFAULT_SIZE, and Botan::TLS::Channel_Impl::m_downgrade_info.

◆ expects_downgrade()

bool Botan::TLS::Channel_Impl::expects_downgrade ( ) const

inlineinherited

Definition at line 278 of file tls_channel_impl.h.

278{ return m_downgrade_info != nullptr; }

References Botan::TLS::Channel_Impl::m_downgrade_info.

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13(), and Botan::TLS::Channel_Impl_13::from_peer().

◆ external_psk_identity()

std::optional< std::string > Botan::TLS::Server_Impl_13::external_psk_identity ( ) const

overridevirtual

Returns: identity of the PSK used for this connection or std::nullopt if no PSK was used.

Implements Botan::TLS::Channel_Impl.

Definition at line 70 of file tls_server_impl_13.cpp.

                                                                   {
   return m_psk_identity;
}

◆ extract_downgrade_info()

std::unique_ptr< Downgrade_Information > Botan::TLS::Channel_Impl::extract_downgrade_info ( )

inlineinherited

See also: Downgrade_Information

Definition at line 276 of file tls_channel_impl.h.

276{ return std::exchange(m_downgrade_info, {}); }

References Botan::TLS::Channel_Impl::m_downgrade_info.

◆ from_peer()

size_t Botan::TLS::Channel_Impl_13::from_peer ( std::span< const uint8_t > data )

overridevirtualinherited

Inject TLS traffic received from counterparty

Returns: a hint as the how many more bytes we need to q the current record (this may be 0 if on a record boundary)

Implements Botan::TLS::Channel_Impl.

Definition at line 68 of file tls_channel_impl_13.cpp.

                                                             {
   BOTAN_STATE_CHECK(!is_downgrading());
 
   // RFC 8446 6.1
   //    Any data received after a closure alert has been received MUST be ignored.
   if(!m_can_read) {
      return 0;
   }
 
   try {
      if(expects_downgrade()) {
         preserve_peer_transcript(data);
      }
 
      m_record_layer.copy_data(data);
 
      while(true) {
         // RFC 8446 6.1
         //    Any data received after a closure alert has been received MUST be ignored.
         //
         // ... this data might already be in the record layer's read buffer.
         if(!m_can_read) {
            return 0;
         }
 
         auto result = m_record_layer.next_record(m_cipher_state.get());
 
         if(std::holds_alternative<BytesNeeded>(result)) {
            return std::get<BytesNeeded>(result);
         }
 
         const auto& record = std::get<Record>(result);
 
         // RFC 8446 5.1
         //   Handshake messages MUST NOT be interleaved with other record types.
         if(record.type != Record_Type::Handshake && m_handshake_layer.has_pending_data()) {
            throw Unexpected_Message("Expected remainder of a handshake message");
         }
 
         if(record.type == Record_Type::Handshake) {
            m_handshake_layer.copy_data(record.fragment);
 
            if(!is_handshake_complete()) {
               while(auto handshake_msg = m_handshake_layer.next_message(policy(), m_transcript_hash)) {
                  // RFC 8446 5.1
                  //    Handshake messages MUST NOT span key changes.  Implementations
                  //    MUST verify that all messages immediately preceding a key change
                  //    align with a record boundary; if not, then they MUST terminate the
                  //    connection with an "unexpected_message" alert.  Because the
                  //    ClientHello, EndOfEarlyData, ServerHello, Finished, and KeyUpdate
                  //    messages can immediately precede a key change, implementations
                  //    MUST send these messages in alignment with a record boundary.
                  //
                  // Note: Hello_Retry_Request was added to the list below although it cannot immediately precede a key change.
                  //       However, there cannot be any further sensible messages in the record after HRR.
                  //
                  // Note: Server_Hello_12 was deliberately not included in the check below because in TLS 1.2 Server Hello and
                  //       other handshake messages can be legally coalesced in a single record.
                  //
                  if(holds_any_of<Client_Hello_12,
                                  Client_Hello_13 /*, EndOfEarlyData,*/,
                                  Server_Hello_13,
                                  Hello_Retry_Request,
                                  Finished_13>(handshake_msg.value()) &&
                     m_handshake_layer.has_pending_data()) {
                     throw Unexpected_Message("Unexpected additional handshake message data found in record");
                  }
 
                  process_handshake_msg(std::move(handshake_msg.value()));
 
                  if(is_downgrading()) {
                     // Downgrade to TLS 1.2 was detected. Stop everything we do and await being replaced by a 1.2 implementation.
                     return 0;
                  } else if(m_downgrade_info != nullptr) {
                     // We received a TLS 1.3 error alert that could have been a TLS 1.2 warning alert.
                     // Now that we know that we are talking to a TLS 1.3 server, shut down.
                     if(m_downgrade_info->received_tls_13_error_alert) {
                        shutdown();
                     }
 
                     // Downgrade can only be indicated in the first received peer message. This was not the case.
                     m_downgrade_info.reset();
                  }
 
                  // After the initial handshake message is received, the record
                  // layer must be more restrictive.
                  // See RFC 8446 5.1 regarding "legacy_record_version"
                  if(!m_first_message_received) {
                     m_record_layer.disable_receiving_compat_mode();
                     m_first_message_received = true;
                  }
               }
            } else {
               while(auto handshake_msg = m_handshake_layer.next_post_handshake_message(policy())) {
                  process_post_handshake_msg(std::move(handshake_msg.value()));
               }
            }
         } else if(record.type == Record_Type::ChangeCipherSpec) {
            process_dummy_change_cipher_spec();
         } else if(record.type == Record_Type::ApplicationData) {
            BOTAN_ASSERT(record.seq_no.has_value(), "decrypted application traffic had a sequence number");
            callbacks().tls_record_received(record.seq_no.value(), record.fragment);
         } else if(record.type == Record_Type::Alert) {
            process_alert(record.fragment);
         } else {
            throw Unexpected_Message("Unexpected record type " + std::to_string(static_cast<size_t>(record.type)) +
                                     " from counterparty");
         }
      }
   } catch(TLS_Exception& e) {
      send_fatal_alert(e.type());
      throw;
   } catch(Invalid_Authentication_Tag&) {
      // RFC 8446 5.2
      //    If the decryption fails, the receiver MUST terminate the connection
      //    with a "bad_record_mac" alert.
      send_fatal_alert(Alert::BadRecordMac);
      throw;
   } catch(Decoding_Error&) {
      send_fatal_alert(Alert::DecodeError);
      throw;
   } catch(...) {
      send_fatal_alert(Alert::InternalError);
      throw;
   }
}

◆ is_active()

bool Botan::TLS::Channel_Impl_13::is_active ( ) const

overridevirtualinherited

Returns: true iff the connection is active for sending application data

Note that the connection is active until the application has called close(), even if a CloseNotify has been received from the peer.

Implements Botan::TLS::Channel_Impl.

Definition at line 304 of file tls_channel_impl_13.cpp.

                                      {
   return m_cipher_state != nullptr && m_cipher_state->can_encrypt_application_traffic()  // handshake done
          && m_can_write;                                                                 // close() hasn't been called
}

References Botan::TLS::Channel_Impl_13::m_cipher_state.

Referenced by Botan::TLS::Channel_Impl_13::to_peer().

◆ is_closed()

bool Botan::TLS::Channel_Impl_13::is_closed ( ) const

inlineoverridevirtualinherited

Returns: true iff the connection has been closed, i.e. CloseNotify has been received from the peer.

Implements Botan::TLS::Channel_Impl.

Definition at line 167 of file tls_channel_impl_13.h.

167{ return is_closed_for_reading() && is_closed_for_writing(); }

Botan::TLS::Channel_Impl_13::is_closed_for_reading

bool is_closed_for_reading() const override

Definition tls_channel_impl_13.h:169

Botan::TLS::Channel_Impl_13::is_closed_for_writing

bool is_closed_for_writing() const override

Definition tls_channel_impl_13.h:171

References Botan::TLS::Channel_Impl_13::is_closed_for_reading(), and Botan::TLS::Channel_Impl_13::is_closed_for_writing().

◆ is_closed_for_reading()

bool Botan::TLS::Channel_Impl_13::is_closed_for_reading ( ) const

inlineoverridevirtualinherited

Returns: true iff the connection is active for sending application data

Implements Botan::TLS::Channel_Impl.

Definition at line 169 of file tls_channel_impl_13.h.

169{ return !m_can_read; }

Referenced by Botan::TLS::Channel_Impl_13::is_closed().

◆ is_closed_for_writing()

bool Botan::TLS::Channel_Impl_13::is_closed_for_writing ( ) const

inlineoverridevirtualinherited

Returns: true iff the connection has been definitely closed

Implements Botan::TLS::Channel_Impl.

Definition at line 171 of file tls_channel_impl_13.h.

171{ return !m_can_write; }

Referenced by Botan::TLS::Channel_Impl_13::is_closed().

◆ is_downgrading()

bool Botan::TLS::Channel_Impl::is_downgrading ( ) const

inlineinherited

Indicates whether a downgrade to TLS 1.2 or lower is in progress

See also: Downgrade_Information

Definition at line 271 of file tls_channel_impl.h.

271{ return m_downgrade_info && m_downgrade_info->will_downgrade; }

References Botan::TLS::Channel_Impl::m_downgrade_info.

Referenced by Botan::TLS::Channel_Impl_13::from_peer(), Botan::TLS::Channel_Impl_13::key_material_export(), and Botan::TLS::Channel_Impl_13::update_traffic_keys().

◆ is_handshake_complete()

bool Botan::TLS::Server_Impl_13::is_handshake_complete ( ) const

overridevirtual

Returns: true iff the TLS handshake has finished successfully

Implements Botan::TLS::Channel_Impl.

Definition at line 166 of file tls_server_impl_13.cpp.

                                                 {
   return m_handshake_state.handshake_finished();
}

◆ key_material_export()

SymmetricKey Botan::TLS::Channel_Impl_13::key_material_export	(	std::string_view	label,
		std::string_view	context,
		size_t	length ) const

overridevirtualinherited

Key material export (RFC 5705)

Parameters

label	a disambiguating label string
context	a per-association context value
length	the length of the desired key in bytes

Returns: key of length bytes

Implements Botan::TLS::Channel_Impl.

Definition at line 309 of file tls_channel_impl_13.cpp.

                                                                       {
   BOTAN_STATE_CHECK(!is_downgrading());
   BOTAN_STATE_CHECK(m_cipher_state != nullptr && m_cipher_state->can_export_keys());
   return SymmetricKey(m_cipher_state->export_key(label, context, length));
}

References BOTAN_STATE_CHECK, Botan::TLS::Channel_Impl::is_downgrading(), and Botan::TLS::Channel_Impl_13::m_cipher_state.

◆ new_session_ticket_supported()

bool Botan::TLS::Server_Impl_13::new_session_ticket_supported ( ) const

overridevirtual

Returns: true if this channel can issue TLS 1.3 style session tickets.

Reimplemented from Botan::TLS::Channel_Impl.

Definition at line 74 of file tls_server_impl_13.cpp.

                                                        {
   // RFC 8446 4.2.9
   //    This extension also restricts the modes for use with PSK resumption.
   //    Servers SHOULD NOT send NewSessionTicket with tickets that are not
   //    compatible with the advertised modes; however, if a server does so,
   //    the impact will just be that the client's attempts at resumption fail.
   //
   // Note: Applications can overrule this by calling send_new_session_tickets()
   //       regardless of this method indicating no support for tickets.
   //
   // TODO: Implement other PSK KE modes than PSK_DHE_KE
   return is_handshake_complete() && m_handshake_state.client_hello().extensions().has<PSK_Key_Exchange_Modes>() &&
          value_exists(m_handshake_state.client_hello().extensions().get<PSK_Key_Exchange_Modes>()->modes(),
                       PSK_Key_Exchange_Mode::PSK_DHE_KE);
}

References Botan::TLS::PSK_Key_Exchange_Modes::modes(), and Botan::value_exists().

◆ opportunistically_update_traffic_keys()

void Botan::TLS::Channel_Impl_13::opportunistically_update_traffic_keys ( )

inlineprotectedinherited

Schedule a traffic key update to opportunistically happen before the channel sends application data the next time. Such a key update will never request a reciprocal key update from the peer.

Definition at line 238 of file tls_channel_impl_13.h.

238{ m_opportunistic_key_update = true; }

Referenced by Botan::TLS::Channel_Impl_13::handle().

◆ peer_cert_chain()

std::vector< X509_Certificate > Botan::TLS::Server_Impl_13::peer_cert_chain ( ) const

overridevirtual

Returns: certificate chain of the peer (may be empty)

Implements Botan::TLS::Channel_Impl.

Definition at line 45 of file tls_server_impl_13.cpp.

                                                                  {
   if(m_handshake_state.has_client_certificate_msg() &&
      m_handshake_state.client_certificate().has_certificate_chain()) {
      return m_handshake_state.client_certificate().cert_chain();
   }
 
   if(m_resumed_session.has_value()) {
      return m_resumed_session->peer_certs();
   }
 
   return {};
}

◆ peer_raw_public_key()

std::shared_ptr< const Public_Key > Botan::TLS::Server_Impl_13::peer_raw_public_key ( ) const

overridevirtual

Returns: raw public key of the peer (may be nullptr)

Implements Botan::TLS::Channel_Impl.

Definition at line 58 of file tls_server_impl_13.cpp.

                                                                          {
   if(m_handshake_state.has_client_certificate_msg() && m_handshake_state.client_certificate().is_raw_public_key()) {
      return m_handshake_state.client_certificate().public_key();
   }
 
   if(m_resumed_session.has_value()) {
      return m_resumed_session->peer_raw_public_key();
   }
 
   return nullptr;
}

◆ policy()

const Policy & Botan::TLS::Channel_Impl_13::policy ( ) const

inlineprotectedinherited

Definition at line 272 of file tls_channel_impl_13.h.

272{ return *m_policy; }

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13(), Botan::TLS::Channel_Impl_13::from_peer(), and Server_Impl_13().

◆ prepend_ccs()

virtual bool Botan::TLS::Channel_Impl_13::prepend_ccs ( )

inlineprotectedvirtualinherited

Returns: whether a change cipher spec record should be prepended now

This method can be used by subclasses to indicate that send_record should prepend a CCS before the actual record. This is useful for middlebox compatibility mode. See RFC 8446 D.4.

Definition at line 229 of file tls_channel_impl_13.h.

229{ return false; }

◆ preserve_client_hello()

void Botan::TLS::Channel_Impl::preserve_client_hello ( std::span< const uint8_t > msg )

inlineprotectedinherited

Definition at line 231 of file tls_channel_impl.h.

                                                             {
         BOTAN_STATE_CHECK(m_downgrade_info);
         m_downgrade_info->client_hello_message.assign(msg.begin(), msg.end());
      }

References BOTAN_STATE_CHECK, and Botan::TLS::Channel_Impl::m_downgrade_info.

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13().

◆ preserve_peer_transcript()

void Botan::TLS::Channel_Impl::preserve_peer_transcript ( std::span< const uint8_t > input )

inlineprotectedinherited

Definition at line 226 of file tls_channel_impl.h.

                                                                  {
         BOTAN_STATE_CHECK(m_downgrade_info);
         m_downgrade_info->peer_transcript.insert(m_downgrade_info->peer_transcript.end(), input.begin(), input.end());
      }

References BOTAN_STATE_CHECK, and Botan::TLS::Channel_Impl::m_downgrade_info.

Referenced by Botan::TLS::Channel_Impl_13::from_peer().

◆ renegotiate()

void Botan::TLS::Channel_Impl_13::renegotiate ( bool )

inlineoverridevirtualinherited

Attempt to renegotiate the session

Implements Botan::TLS::Channel_Impl.

Definition at line 185 of file tls_channel_impl_13.h.

                                        {
         throw Invalid_Argument("renegotiation is not allowed in TLS 1.3");
      }

◆ request_downgrade()

void Botan::TLS::Channel_Impl::request_downgrade ( )

inlineprotectedinherited

Implementations use this to signal that the peer indicated a protocol version downgrade. After calling request_downgrade() no further state changes must be perfomed by the implementation. Particularly, no further handshake messages must be emitted. Instead, they must yield control flow back to the underlying Channel implementation to perform the protocol version downgrade.

Definition at line 252 of file tls_channel_impl.h.

                               {
         BOTAN_STATE_CHECK(m_downgrade_info && !m_downgrade_info->will_downgrade);
         m_downgrade_info->will_downgrade = true;
      }

References BOTAN_STATE_CHECK, and Botan::TLS::Channel_Impl::m_downgrade_info.

Referenced by Botan::TLS::Channel_Impl::request_downgrade_for_resumption().

◆ request_downgrade_for_resumption()

void Botan::TLS::Channel_Impl::request_downgrade_for_resumption ( Session_with_Handle session )

inlineprotectedinherited

Definition at line 257 of file tls_channel_impl.h.

                                                                         {
         BOTAN_STATE_CHECK(m_downgrade_info && m_downgrade_info->client_hello_message.empty() &&
                           m_downgrade_info->peer_transcript.empty() && !m_downgrade_info->tls12_session.has_value());
         BOTAN_ASSERT_NOMSG(session.session.version().is_pre_tls_13());
         m_downgrade_info->tls12_session = std::move(session);
         request_downgrade();
      }

References BOTAN_ASSERT_NOMSG, BOTAN_STATE_CHECK, Botan::TLS::Protocol_Version::is_pre_tls_13(), Botan::TLS::Channel_Impl::m_downgrade_info, Botan::TLS::Channel_Impl::request_downgrade(), Botan::TLS::Session_with_Handle::session, and Botan::TLS::Session_Base::version().

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13().

◆ rng()

RandomNumberGenerator & Botan::TLS::Channel_Impl_13::rng ( )

inlineprotectedinherited

Definition at line 270 of file tls_channel_impl_13.h.

270{ return *m_rng; }

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13().

◆ secure_renegotiation_supported()

bool Botan::TLS::Channel_Impl_13::secure_renegotiation_supported ( ) const

inlineoverridevirtualinherited

Returns: true iff the counterparty supports the secure renegotiation extensions.

Implements Botan::TLS::Channel_Impl.

Definition at line 201 of file tls_channel_impl_13.h.

                                                           {
         // Secure renegotiation is not supported in TLS 1.3, though BoGo
         // tests expect us to claim that it is available.
         return true;
      }

◆ send_alert()

void Botan::TLS::Channel_Impl_13::send_alert ( const Alert & alert )

overridevirtualinherited

Send a TLS alert message. If the alert is fatal, the internal state (keys, etc) will be reset.

Parameters

alert the Alert to send

Implements Botan::TLS::Channel_Impl.

Definition at line 279 of file tls_channel_impl_13.cpp.

                                                   {
   if(alert.is_valid() && m_can_write) {
      try {
         send_record(Record_Type::Alert, alert.serialize());
      } catch(...) { /* swallow it */
      }
   }
 
   // Note: In TLS 1.3 sending a CloseNotify must not immediately lead to closing the reading end.
   // RFC 8446 6.1
   //    Each party MUST send a "close_notify" alert before closing its write
   //    side of the connection, unless it has already sent some error alert.
   //    This does not have any effect on its read side of the connection.
   if(is_close_notify_alert(alert) && m_can_write) {
      m_can_write = false;
      if(m_cipher_state) {
         m_cipher_state->clear_write_keys();
      }
   }
 
   if(is_error_alert(alert)) {
      shutdown();
   }
}

References Botan::TLS::Alert, Botan::TLS::Alert::is_valid(), Botan::TLS::Channel_Impl_13::m_cipher_state, and Botan::TLS::Alert::serialize().

◆ send_dummy_change_cipher_spec()

void Botan::TLS::Channel_Impl_13::send_dummy_change_cipher_spec ( )

protectedinherited

Definition at line 248 of file tls_channel_impl_13.cpp.

                                                    {
   // RFC 8446 5.
   //    The change_cipher_spec record is used only for compatibility purposes
   //    (see Appendix D.4).
   //
   // The only allowed CCS message content is 0x01, all other CCS records MUST
   // be rejected by TLS 1.3 implementations.
   send_record(Record_Type::ChangeCipherSpec, {0x01});
}

References Botan::TLS::ChangeCipherSpec.

◆ send_fatal_alert()

void Botan::TLS::Channel_Impl::send_fatal_alert ( Alert::Type type )

inlineinherited

Send a fatal alert

Definition at line 75 of file tls_channel_impl.h.

75{ send_alert(Alert(type, true)); }

Botan::TLS::Channel_Impl::send_alert

virtual void send_alert(const Alert &alert)=0

References Botan::TLS::Alert, and Botan::TLS::Channel_Impl::send_alert().

Referenced by Botan::TLS::Channel_Impl_12::from_peer(), and Botan::TLS::Channel_Impl_13::from_peer().

◆ send_handshake_message() [1/2]

template<typename... MsgTs>

std::vector< uint8_t > Botan::TLS::Channel_Impl_13::send_handshake_message ( const std::variant< MsgTs... > & message )

inlineprotectedinherited

Definition at line 241 of file tls_channel_impl_13.h.

                                                                                     {
         return aggregate_handshake_messages().add(generalize_to<Handshake_Message_13_Ref>(message)).send();
      }

References Botan::TLS::Channel_Impl_13::AggregatedHandshakeMessages::add(), Botan::TLS::Channel_Impl_13::aggregate_handshake_messages(), Botan::generalize_to(), and Botan::TLS::Channel_Impl_13::AggregatedMessages::send().

Referenced by Botan::TLS::Client_Impl_13::Client_Impl_13(), and Botan::TLS::Channel_Impl_13::send_handshake_message().

◆ send_handshake_message() [2/2]

template<typename MsgT >

std::vector< uint8_t > Botan::TLS::Channel_Impl_13::send_handshake_message ( std::reference_wrapper< MsgT > message )

inlineprotectedinherited

Definition at line 246 of file tls_channel_impl_13.h.

                                                                                    {
         return send_handshake_message(generalize_to<Handshake_Message_13_Ref>(message));
      }

References Botan::generalize_to(), and Botan::TLS::Channel_Impl_13::send_handshake_message().

◆ send_new_session_tickets()

size_t Botan::TLS::Server_Impl_13::send_new_session_tickets ( size_t )

overridevirtual

Send tickets new session tickets to the peer. This is only supported on TLS 1.3 servers.

If the server's Session_Manager does not accept the generated Session objects, the server implementation won't be able to send new tickets. Additionally, anything but TLS 1.3 servers will return 0 (because they don't support sending such session tickets).

Returns: the number of session tickets successfully sent to the client

Reimplemented from Botan::TLS::Channel_Impl.

Definition at line 90 of file tls_server_impl_13.cpp.

                                                                    {
   BOTAN_STATE_CHECK(is_handshake_complete());
 
   if(tickets == 0) {
      return 0;
   }
 
   auto flight = aggregate_post_handshake_messages();
   size_t tickets_created = 0;
 
   for(size_t i = 0; i < tickets; ++i) {
      auto nonce = m_cipher_state->next_ticket_nonce();
      const Session session(m_cipher_state->psk(nonce),
                            std::nullopt,  // early data not yet implemented
                            policy().session_ticket_lifetime(),
                            peer_cert_chain(),
                            peer_raw_public_key(),
                            m_handshake_state.client_hello(),
                            m_handshake_state.server_hello(),
                            callbacks(),
                            rng());
 
      if(callbacks().tls_should_persist_resumption_information(session)) {
         if(auto handle = session_manager().establish(session)) {
            flight.add(New_Session_Ticket_13(std::move(nonce), session, handle.value(), callbacks()));
            ++tickets_created;
         }
      }
   }
 
   if(flight.contains_messages()) {
      flight.send();
   }
 
   return tickets_created;
}

References BOTAN_STATE_CHECK.

◆ send_post_handshake_message()

std::vector< uint8_t > Botan::TLS::Channel_Impl_13::send_post_handshake_message ( Post_Handshake_Message_13 message )

inlineprotectedinherited

Definition at line 250 of file tls_channel_impl_13.h.

                                                                                        {
         return aggregate_post_handshake_messages().add(std::move(message)).send();
      }

References Botan::TLS::Channel_Impl_13::AggregatedPostHandshakeMessages::add(), Botan::TLS::Channel_Impl_13::aggregate_post_handshake_messages(), and Botan::TLS::Channel_Impl_13::AggregatedMessages::send().

Referenced by Botan::TLS::Channel_Impl_13::update_traffic_keys().

◆ send_warning_alert()

void Botan::TLS::Channel_Impl::send_warning_alert ( Alert::Type type )

inlineinherited

Send a warning alert

Definition at line 70 of file tls_channel_impl.h.

70{ send_alert(Alert(type, false)); }

References Botan::TLS::Alert, and Botan::TLS::Channel_Impl::send_alert().

Referenced by Botan::TLS::Channel_Impl::close().

◆ session_manager()

Session_Manager & Botan::TLS::Channel_Impl_13::session_manager ( )

inlineprotectedinherited

Definition at line 266 of file tls_channel_impl_13.h.

266{ return *m_session_manager; }

◆ set_io_buffer_size()

void Botan::TLS::Channel_Impl::set_io_buffer_size ( size_t io_buf_sz )

inlineprotectedinherited

Definition at line 239 of file tls_channel_impl.h.

                                                {
         BOTAN_STATE_CHECK(m_downgrade_info);
         m_downgrade_info->io_buffer_size = io_buf_sz;
      }

References BOTAN_STATE_CHECK, and Botan::TLS::Channel_Impl::m_downgrade_info.

◆ set_record_size_limits()

void Botan::TLS::Channel_Impl_13::set_record_size_limits	(	uint16_t	outgoing_limit,
		uint16_t	incoming_limit )

protectedinherited

Set the record size limits as negotiated by the "record_size_limit" extension (RFC 8449).

Parameters

outgoing_limit	the maximal number of plaintext bytes to be sent in a protected record
incoming_limit	the maximal number of plaintext bytes to be accepted in a received protected record

Definition at line 422 of file tls_channel_impl_13.cpp.

                                                                                                         {
   m_record_layer.set_record_size_limits(outgoing_limit, incoming_limit);
}

References Botan::TLS::Record_Layer::set_record_size_limits().

◆ set_selected_certificate_type()

void Botan::TLS::Channel_Impl_13::set_selected_certificate_type ( Certificate_Type cert_type )

protectedinherited

Set the expected certificate type needed to parse Certificate messages in the handshake layer. See RFC 7250 and 8446 4.4.2 for further details.

Definition at line 426 of file tls_channel_impl_13.cpp.

                                                                                    {
   m_handshake_layer.set_selected_certificate_type(cert_type);
}

References Botan::TLS::Handshake_Layer::set_selected_certificate_type().

◆ timeout_check()

bool Botan::TLS::Channel_Impl_13::timeout_check ( )

inlineoverridevirtualinherited

Perform a handshake timeout check. This does nothing unless this is a DTLS channel with a pending handshake state, in which case we check for timeout and potentially retransmit handshake packets.

In the TLS 1.3 implementation, this always returns false.

Implements Botan::TLS::Channel_Impl.

Definition at line 215 of file tls_channel_impl_13.h.

215{ return false; }

◆ to_peer()

void Botan::TLS::Channel_Impl_13::to_peer ( std::span< const uint8_t > data )

overridevirtualinherited

Inject plaintext intended for counterparty Throws an exception if is_active() is false

Implements Botan::TLS::Channel_Impl.

Definition at line 258 of file tls_channel_impl_13.cpp.

                                                         {
   if(!is_active()) {
      throw Invalid_State("Data cannot be sent on inactive TLS connection");
   }
 
   // RFC 8446 4.6.3
   //    If the request_update field [of a received KeyUpdate] is set to
   //    "update_requested", then the receiver MUST send a KeyUpdate of its own
   //    with request_update set to "update_not_requested" prior to sending its
   //    next Application Data record.
   //    This mechanism allows either side to force an update to the entire
   //    connection, but causes an implementation which receives multiple
   //    KeyUpdates while it is silent to respond with a single update.
   if(m_opportunistic_key_update) {
      update_traffic_keys(false /* update_requested */);
      m_opportunistic_key_update = false;
   }
 
   send_record(Record_Type::ApplicationData, {data.begin(), data.end()});
}

References Botan::TLS::ApplicationData, Botan::TLS::Channel_Impl_13::is_active(), and Botan::TLS::Channel_Impl_13::update_traffic_keys().

◆ update_traffic_keys()

void Botan::TLS::Channel_Impl_13::update_traffic_keys ( bool request_peer_update = false )

overridevirtualinherited

Attempt to update the session's traffic key material Note that this is possible with a TLS 1.3 channel, only.

Parameters

request_peer_update if true, require a reciprocal key update

Implements Botan::TLS::Channel_Impl.

Definition at line 317 of file tls_channel_impl_13.cpp.

                                                                  {
   BOTAN_STATE_CHECK(!is_downgrading());
   BOTAN_STATE_CHECK(is_handshake_complete());
   BOTAN_ASSERT_NONNULL(m_cipher_state);
   send_post_handshake_message(Key_Update(request_peer_update));
   m_cipher_state->update_write_keys(*this);
}

References BOTAN_ASSERT_NONNULL, BOTAN_STATE_CHECK, Botan::TLS::Channel_Impl::is_downgrading(), Botan::TLS::Channel_Impl::is_handshake_complete(), Botan::TLS::Channel_Impl_13::m_cipher_state, and Botan::TLS::Channel_Impl_13::send_post_handshake_message().

Referenced by Botan::TLS::Channel_Impl_13::to_peer().

Member Data Documentation

◆ m_cipher_state

std::unique_ptr<Cipher_State> Botan::TLS::Channel_Impl_13::m_cipher_state

protectedinherited

Definition at line 288 of file tls_channel_impl_13.h.

Referenced by Botan::TLS::Channel_Impl_13::from_peer(), Botan::TLS::Channel_Impl_13::handle(), Botan::TLS::Channel_Impl_13::is_active(), Botan::TLS::Channel_Impl_13::key_material_export(), Botan::TLS::Channel_Impl_13::send_alert(), and Botan::TLS::Channel_Impl_13::update_traffic_keys().

◆ m_downgrade_info

std::unique_ptr<Downgrade_Information> Botan::TLS::Channel_Impl::m_downgrade_info

protectedinherited

Definition at line 224 of file tls_channel_impl.h.

◆ m_side

const Connection_Side Botan::TLS::Channel_Impl_13::m_side

protectedinherited

Definition at line 286 of file tls_channel_impl_13.h.

◆ m_transcript_hash

Transcript_Hash_State Botan::TLS::Channel_Impl_13::m_transcript_hash

protectedinherited

Definition at line 287 of file tls_channel_impl_13.h.

Referenced by Botan::TLS::Channel_Impl_13::AggregatedHandshakeMessages::add(), Botan::TLS::Channel_Impl_13::aggregate_handshake_messages(), and Botan::TLS::Channel_Impl_13::from_peer().

The documentation for this class was generated from the following files:

src/lib/tls/tls13/tls_server_impl_13.h
src/lib/tls/tls13/tls_server_impl_13.cpp

Public Member Functions

Protected Member Functions

Protected Attributes

Detailed Description

Constructor & Destructor Documentation

◆ Server_Impl_13()

Member Function Documentation

◆ aggregate_handshake_messages()

◆ aggregate_post_handshake_messages()

◆ application_protocol()

◆ callbacks()

◆ close()

◆ credentials_manager()

◆ expect_downgrade()

◆ expects_downgrade()

◆ external_psk_identity()

◆ extract_downgrade_info()

◆ from_peer()

◆ is_active()

◆ is_closed()

◆ is_closed_for_reading()

◆ is_closed_for_writing()

◆ is_downgrading()

◆ is_handshake_complete()

◆ key_material_export()

◆ new_session_ticket_supported()

◆ opportunistically_update_traffic_keys()

◆ peer_cert_chain()

◆ peer_raw_public_key()

◆ policy()

◆ prepend_ccs()

◆ preserve_client_hello()

◆ preserve_peer_transcript()

◆ renegotiate()

◆ request_downgrade()

◆ request_downgrade_for_resumption()

◆ rng()

◆ secure_renegotiation_supported()

◆ send_alert()

◆ send_dummy_change_cipher_spec()

◆ send_fatal_alert()

◆ send_handshake_message() [1/2]

◆ send_handshake_message() [2/2]

◆ send_new_session_tickets()

◆ send_post_handshake_message()

◆ send_warning_alert()

◆ session_manager()

◆ set_io_buffer_size()

◆ set_record_size_limits()

◆ set_selected_certificate_type()

◆ timeout_check()

◆ to_peer()

◆ update_traffic_keys()

Member Data Documentation

◆ m_cipher_state

◆ m_downgrade_info

◆ m_side

◆ m_transcript_hash