Botan 3.9.0
Crypto and TLS for C&
Botan::TLS::Server_Key_Exchange Class Referencefinal

#include <tls_messages.h>

Inheritance diagram for Botan::TLS::Server_Key_Exchange:
Botan::TLS::Handshake_Message

Public Member Functions

const std::vector< uint8_t > & params () const
const PK_Key_Agreement_Keyserver_kex_key () const
 Server_Key_Exchange (const std::vector< uint8_t > &buf, Kex_Algo kex_alg, Auth_Method sig_alg, Protocol_Version version)
 Server_Key_Exchange (Handshake_IO &io, Handshake_State &state, const Policy &policy, Credentials_Manager &creds, RandomNumberGenerator &rng, const Private_Key *signing_key=nullptr)
const std::optional< Group_Params > & shared_group () const
Handshake_Type type () const override
std::string type_string () const
bool verify (const Public_Key &server_key, const Handshake_State &state, const Policy &policy) const
virtual Handshake_Type wire_type () const

Detailed Description

Server Key Exchange Message

Definition at line 881 of file tls_messages.h.

Constructor & Destructor Documentation

◆ Server_Key_Exchange() [1/2]

Botan::TLS::Server_Key_Exchange::Server_Key_Exchange ( Handshake_IO & io,
Handshake_State & state,
const Policy & policy,
Credentials_Manager & creds,
RandomNumberGenerator & rng,
const Private_Key * signing_key = nullptr )

Create a new Server Key Exchange message

Definition at line 28 of file msg_server_kex.cpp.

33 {
34 const std::string hostname = state.client_hello()->sni_hostname();
35 const Kex_Algo kex_algo = state.ciphersuite().kex_method();
36
37 if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::ECDHE_PSK) {
38 std::string identity_hint = creds.psk_identity_hint("tls-server", hostname);
39
40 append_tls_length_value(m_params, identity_hint, 2);
41 }
42
43 if(kex_algo == Kex_Algo::DH) {
44 const std::vector<Group_Params> dh_groups = state.client_hello()->supported_dh_groups();
45
46 m_shared_group = Group_Params::NONE;
47
48 /*
49 RFC 7919 requires that if the client sends any groups in the FFDHE
50 range, that we must select one of these. If this is not possible,
51 then we are required to reject the connection.
52
53 If the client did not send any DH groups, but did offer DH ciphersuites
54 and we selected one, then consult the policy for which DH group to pick.
55 */
56
57 if(dh_groups.empty()) {
58 m_shared_group = policy.default_dh_group();
59 } else {
60 m_shared_group = policy.choose_key_exchange_group(dh_groups, {});
61 }
62
63 if(m_shared_group.value() == Group_Params::NONE) {
64 throw TLS_Exception(Alert::HandshakeFailure, "Could not agree on a DH group with the client");
65 }
66
67 // The policy had better return a group we know about:
68 BOTAN_ASSERT(m_shared_group.value().is_dh_named_group(), "DH ciphersuite is using a known finite field group");
69
70 // Note: TLS 1.2 allows defining and using arbitrary DH groups (additional
71 // to the named and standardized ones). This API doesn't allow the
72 // server to make use of that at the moment. TLS 1.3 does not
73 // provide this flexibility!
74 //
75 // A possible implementation strategy in case one would ever need that:
76 // `Policy::default_dh_group()` could return a `std::variant<Group_Params,
77 // DL_Group>`, allowing it to define arbitrary groups.
78 m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);
79 auto* dh = dynamic_cast<DH_PrivateKey*>(m_kex_key.get());
80 if(dh == nullptr) {
81 throw TLS_Exception(Alert::InternalError, "Application did not provide a Diffie-Hellman key");
82 }
83
84 append_tls_length_value(m_params, dh->get_int_field("p").serialize(), 2);
85 append_tls_length_value(m_params, dh->get_int_field("g").serialize(), 2);
86 append_tls_length_value(m_params, dh->public_value(), 2);
87 } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {
88 const std::vector<Group_Params> ec_groups = state.client_hello()->supported_ecc_curves();
89
90 if(ec_groups.empty()) {
91 throw Internal_Error("Client sent no ECC extension but we negotiated ECDH");
92 }
93
94 m_shared_group = policy.choose_key_exchange_group(ec_groups, {});
95
96 if(m_shared_group.value() == Group_Params::NONE) {
97 throw TLS_Exception(Alert::HandshakeFailure, "No shared ECC group with client");
98 }
99
100 std::vector<uint8_t> ecdh_public_val;
101
102 if(m_shared_group.value() == Group_Params::X25519 || m_shared_group.value() == Group_Params::X448) {
103 m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);
104 if(!m_kex_key) {
105 throw TLS_Exception(Alert::InternalError, "Application did not provide an EC key");
106 }
107 ecdh_public_val = m_kex_key->public_value();
108 } else {
109 m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);
110 auto* ecdh = dynamic_cast<ECDH_PrivateKey*>(m_kex_key.get());
111 if(ecdh == nullptr) {
112 throw TLS_Exception(Alert::InternalError, "Application did not provide a EC-Diffie-Hellman key");
113 }
114
115 // follow client's preference for point compression
116 ecdh_public_val =
117 ecdh->public_value(state.client_hello()->prefers_compressed_ec_points() ? EC_Point_Format::Compressed
119 }
120
121 const uint16_t named_curve_id = m_shared_group.value().wire_code();
122 m_params.push_back(3); // named curve
123 m_params.push_back(get_byte<0>(named_curve_id));
124 m_params.push_back(get_byte<1>(named_curve_id));
125
126 append_tls_length_value(m_params, ecdh_public_val, 1);
127 } else if(kex_algo != Kex_Algo::PSK) {
128 throw Internal_Error("Server_Key_Exchange: Unknown kex type " + kex_method_to_string(kex_algo));
129 }
130
131 if(state.ciphersuite().signature_used()) {
132 BOTAN_ASSERT(signing_key, "Signing key was set");
133
134 std::pair<std::string, Signature_Format> format = state.choose_sig_format(*signing_key, m_scheme, false, policy);
135
136 std::vector<uint8_t> buf = state.client_hello()->random();
137
138 buf += state.server_hello()->random();
139 buf += params();
140
141 m_signature = state.callbacks().tls_sign_message(*signing_key, rng, format.first, format.second, buf);
142 }
143
144 state.hash().update(io.send(*this));
145}
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
const std::vector< uint8_t > & params() const
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:184
std::string kex_method_to_string(Kex_Algo method)
Definition tls_algos.cpp:28
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79

References Botan::TLS::append_tls_length_value(), BOTAN_ASSERT, Botan::TLS::Handshake_State::callbacks(), Botan::TLS::Policy::choose_key_exchange_group(), Botan::TLS::Handshake_State::choose_sig_format(), Botan::TLS::Handshake_State::ciphersuite(), Botan::TLS::Handshake_State::client_hello(), Botan::Compressed, Botan::TLS::Policy::default_dh_group(), Botan::TLS::DH, Botan::TLS::ECDH, Botan::TLS::ECDHE_PSK, Botan::get_byte(), Botan::TLS::Handshake_State::hash(), Botan::TLS::Ciphersuite::kex_method(), Botan::TLS::kex_method_to_string(), params(), Botan::TLS::PSK, Botan::Credentials_Manager::psk_identity_hint(), Botan::ECDH_PrivateKey::public_value(), Botan::TLS::Handshake_IO::send(), Botan::TLS::Handshake_State::server_hello(), Botan::TLS::Ciphersuite::signature_used(), Botan::TLS::Callbacks::tls_generate_ephemeral_key(), Botan::TLS::Callbacks::tls_sign_message(), Botan::Uncompressed, Botan::TLS::Handshake_Hash::update(), and Botan::TLS::Group_Params::wire_code().

◆ Server_Key_Exchange() [2/2]

Botan::TLS::Server_Key_Exchange::Server_Key_Exchange ( const std::vector< uint8_t > & buf,
Kex_Algo kex_alg,
Auth_Method sig_alg,
Protocol_Version version )

Deserialize a Server Key Exchange message

Definition at line 150 of file msg_server_kex.cpp.

153 {
154 BOTAN_UNUSED(version); // remove this
155 TLS_Data_Reader reader("ServerKeyExchange", buf);
156
157 /*
158 * Here we are deserializing enough to find out what offset the
159 * signature is at. All processing is done when the Client Key Exchange
160 * is prepared.
161 */
162
163 if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::ECDHE_PSK) {
164 reader.get_string(2, 0, 65535); // identity hint
165 }
166
167 if(kex_algo == Kex_Algo::DH) {
168 // 3 bigints, DH p, g, Y
169
170 for(size_t i = 0; i != 3; ++i) {
171 reader.get_range<uint8_t>(2, 1, 65535);
172 }
173 } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {
174 reader.get_byte(); // curve type
175 reader.get_uint16_t(); // curve id
176 reader.get_range<uint8_t>(1, 1, 255); // public key
177 } else if(kex_algo != Kex_Algo::PSK) {
178 throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_method_to_string(kex_algo));
179 }
180
181 m_params.assign(buf.data(), buf.data() + reader.read_so_far());
182
183 if(auth_method != Auth_Method::IMPLICIT) {
184 m_scheme = Signature_Scheme(reader.get_uint16_t());
185 m_signature = reader.get_range<uint8_t>(2, 0, 65535);
186 }
187
188 reader.assert_done();
189}
#define BOTAN_UNUSED
Definition assert.h:144

References Botan::TLS::TLS_Data_Reader::assert_done(), BOTAN_UNUSED, Botan::TLS::DH, Botan::TLS::ECDH, Botan::TLS::ECDHE_PSK, Botan::TLS::TLS_Data_Reader::get_byte(), Botan::TLS::TLS_Data_Reader::get_range(), Botan::TLS::TLS_Data_Reader::get_string(), Botan::TLS::TLS_Data_Reader::get_uint16_t(), Botan::TLS::IMPLICIT, Botan::TLS::kex_method_to_string(), Botan::TLS::PSK, and Botan::TLS::TLS_Data_Reader::read_so_far().

Member Function Documentation

◆ params()

const std::vector< uint8_t > & Botan::TLS::Server_Key_Exchange::params ( ) const
inline

Definition at line 885 of file tls_messages.h.

885{ return m_params; }

Referenced by Server_Key_Exchange(), and verify().

◆ server_kex_key()

const PK_Key_Agreement_Key & Botan::TLS::Server_Key_Exchange::server_kex_key ( ) const

Definition at line 236 of file msg_server_kex.cpp.

236 {
237 BOTAN_ASSERT_NONNULL(m_kex_key);
238 return *m_kex_key;
239}
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114

References BOTAN_ASSERT_NONNULL.

◆ shared_group()

const std::optional< Group_Params > & Botan::TLS::Server_Key_Exchange::shared_group ( ) const
inline
Returns
the agreed upon KEX group or std::nullopt if the KEX type does not depend on a group

Definition at line 896 of file tls_messages.h.

896{ return m_shared_group; }

◆ type()

Handshake_Type Botan::TLS::Server_Key_Exchange::type ( ) const
inlineoverridevirtual
Returns
the message type

Implements Botan::TLS::Handshake_Message.

Definition at line 883 of file tls_messages.h.

References Botan::TLS::ServerKeyExchange.

◆ type_string()

std::string Botan::TLS::Handshake_Message::type_string ( ) const
inherited
Returns
string representation of this message type

Definition at line 19 of file tls_handshake_state.cpp.

19 {
21}
virtual Handshake_Type type() const =0
const char * handshake_type_to_string(Handshake_Type type)

References Botan::TLS::handshake_type_to_string(), and type().

◆ verify()

bool Botan::TLS::Server_Key_Exchange::verify ( const Public_Key & server_key,
const Handshake_State & state,
const Policy & policy ) const

Verify a Server Key Exchange message

Definition at line 212 of file msg_server_kex.cpp.

214 {
215 policy.check_peer_key_acceptable(server_key);
216
217 std::pair<std::string, Signature_Format> format =
218 state.parse_sig_format(server_key, m_scheme, state.client_hello()->signature_schemes(), false, policy);
219
220 std::vector<uint8_t> buf = state.client_hello()->random();
221
222 buf += state.server_hello()->random();
223 buf += params();
224
225 const bool signature_valid =
226 state.callbacks().tls_verify_message(server_key, format.first, format.second, buf, m_signature);
227
228#if defined(BOTAN_UNSAFE_FUZZER_MODE)
229 BOTAN_UNUSED(signature_valid);
230 return true;
231#else
232 return signature_valid;
233#endif
234}

References BOTAN_UNUSED, Botan::TLS::Handshake_State::callbacks(), Botan::TLS::Policy::check_peer_key_acceptable(), Botan::TLS::Handshake_State::client_hello(), params(), Botan::TLS::Handshake_State::parse_sig_format(), Botan::TLS::Handshake_State::server_hello(), and Botan::TLS::Callbacks::tls_verify_message().

◆ wire_type()

virtual Handshake_Type Botan::TLS::Handshake_Message::wire_type ( ) const
inlinevirtualinherited
Returns
the wire representation of the message's type

Reimplemented in Botan::TLS::Hello_Retry_Request.

Definition at line 39 of file tls_handshake_msg.h.

39 {
40 // Usually equal to the Handshake_Type enum value,
41 // with the exception of TLS 1.3 Hello Retry Request.
42 return type();
43 }

References type().

Referenced by Botan::TLS::Stream_Handshake_IO::send().


The documentation for this class was generated from the following files: