13#include <botan/tls_exceptn.h>
14#include <botan/tls_messages.h>
15#include <botan/tls_callbacks.h>
17#include <botan/hash.h>
18#include <botan/credentials_manager.h>
19#include <botan/tls_version.h>
21#include <botan/internal/stl_util.h>
22#include <botan/internal/tls_reader.h>
23#include <botan/internal/tls_session_key.h>
24#include <botan/internal/tls_handshake_io.h>
25#include <botan/internal/tls_handshake_hash.h>
27#ifdef BOTAN_HAS_TLS_13
28 #include <botan/internal/tls_transcript_hash_13.h>
29 #include <botan/internal/tls_handshake_layer_13.h>
46 auto buf = rng.
random_vec<std::vector<uint8_t>>(32);
60 const uint32_t time32 =
static_cast<uint32_t
>(
74class Client_Hello_Internal
77 Client_Hello_Internal() : m_comp_methods({0}) {}
79 Client_Hello_Internal(
const std::vector<uint8_t>& buf)
82 {
throw Decoding_Error(
"Client_Hello: Packet corrupted"); }
84 TLS_Data_Reader reader(
"ClientHello", buf);
86 const uint8_t major_version = reader.get_byte();
87 const uint8_t minor_version = reader.get_byte();
89 m_legacy_version = Protocol_Version(major_version, minor_version);
90 m_random = reader.get_fixed<uint8_t>(32);
91 m_session_id =
Session_ID(reader.get_range<uint8_t>(1, 0, 32));
93 if(m_legacy_version.is_datagram_protocol())
96 sha256->update(reader.get_data_read_so_far());
98 m_hello_cookie = reader.get_range<uint8_t>(1, 0, 255);
100 sha256->update(reader.get_remaining());
101 m_cookie_input_bits = sha256->final_stdvec();
104 m_suites = reader.get_range_vector<uint16_t>(2, 1, 32767);
105 m_comp_methods = reader.get_range_vector<uint8_t>(1, 1, 255);
119 Protocol_Version version()
const
136 if(!extensions().has<Supported_Versions>() ||
137 !extensions().get<Supported_Versions>()->supports(Protocol_Version::TLS_V13))
141 return (m_legacy_version.is_datagram_protocol())
142 ? Protocol_Version::DTLS_V12
143 : Protocol_Version::TLS_V12;
148 return Protocol_Version::TLS_V13;
151 Protocol_Version legacy_version()
const {
return m_legacy_version; }
152 const Session_ID& session_id()
const {
return m_session_id; }
153 const std::vector<uint8_t>& random()
const {
return m_random; }
154 const std::vector<uint16_t>& ciphersuites()
const {
return m_suites; }
155 const std::vector<uint8_t>& comp_methods()
const {
return m_comp_methods; }
157 const std::vector<uint8_t>& hello_cookie()
const {
return m_hello_cookie; }
158 const std::vector<uint8_t>& hello_cookie_input_bits()
const {
return m_cookie_input_bits; }
160 const Extensions& extensions()
const {
return m_extensions; }
161 Extensions& extensions() {
return m_extensions; }
164 Protocol_Version m_legacy_version;
166 std::vector<uint8_t> m_random;
167 std::vector<uint16_t> m_suites;
168 std::vector<uint8_t> m_comp_methods;
169 Extensions m_extensions;
171 std::vector<uint8_t> m_hello_cookie;
172 std::vector<uint8_t> m_cookie_input_bits;
177Client_Hello& Client_Hello::operator=(Client_Hello&&) noexcept = default;
179Client_Hello::~Client_Hello() = default;
182 : m_data(
std::make_unique<Client_Hello_Internal>()) {}
188 : m_data(
std::move(data))
200 return m_data->legacy_version();
210 return m_data->session_id();
215 return m_data->comp_methods();
220 return m_data->ciphersuites();
225 return m_data->extensions().extension_types();
230 return m_data->extensions();
245 std::vector<uint8_t> buf;
248 buf.push_back(
m_data->legacy_version().major_version());
249 buf.push_back(
m_data->legacy_version().minor_version());
254 if(
m_data->legacy_version().is_datagram_protocol())
275 return m_data->hello_cookie_input_bits();
283 return std::find(
m_data->ciphersuites().cbegin(),
m_data->ciphersuites().cend(), ciphersuite) !=
m_data->ciphersuites().cend();
289 {
return sigs->supported_schemes(); }
300 {
return sigs->supported_schemes(); }
308 {
return groups->ec_groups(); }
315 {
return groups->dh_groups(); }
316 return std::vector<Group_Params>();
322 {
return ecc_formats->prefers_compressed(); }
329 {
return sni->host_name(); }
341 {
return reneg->renegotiation_info(); }
348 {
return versions->versions(); }
360 {
return ticket->contents(); }
372 else if(
const auto&
id =
session_id(); !
id.empty())
375 {
return std::nullopt; }
406 {
return alpn->protocols(); }
413 {
return srtp->profiles(); }
419 return m_data->hello_cookie();
442std::vector<uint8_t> Hello_Request::serialize()
const
444 return std::vector<uint8_t>();
455 if(!reneg->renegotiation_info().empty())
457 "Client sent renegotiation SCSV and non-empty extension");
480 const std::vector<uint8_t>& reneg_info,
482 const std::vector<std::string>& next_protocols)
490 " but our own policy does not accept it");
509 if(!client_settings.
hostname().empty())
516 if(!supported_groups->ec_groups().empty())
520 m_data->extensions().add(supported_groups.release());
535 if(
m_data->legacy_version().is_datagram_protocol())
551 const std::vector<uint8_t>& reneg_info,
553 const std::vector<std::string>& next_protocols)
568 " but our own policy does not accept it");
596 if(!supported_groups->ec_groups().empty())
601 m_data->extensions().add(supported_groups.release());
621#if defined(BOTAN_HAS_TLS_13)
623Client_Hello_13::Client_Hello_13(std::unique_ptr<Client_Hello_Internal> data)
626 const auto& exts =
m_data->extensions();
640 if(
m_data->legacy_version().is_tls_13_or_later())
643 "TLS 1.3 Client Hello has invalid legacy_version");
651 if(
m_data->comp_methods().size() != 1 ||
m_data->comp_methods().front() != 0)
653 throw TLS_Exception(Alert::IllegalParameter,
654 "Client did not offer NULL compression");
664 if(!exts.has<PSK_Key_Exchange_Modes>())
666 throw TLS_Exception(Alert::MissingExtension,
667 "Client Hello offered a PSK without a psk_key_exchange_modes extension");
674 if(exts.all().back()->type() != Extension_Code::PresharedKey)
676 throw TLS_Exception(Alert::IllegalParameter,
677 "PSK extension was not at the very end of the Client Hello");
697 if(!exts.has<Supported_Groups>() || !exts.has<Signature_Algorithms>())
699 throw TLS_Exception(Alert::MissingExtension,
700 "Non-PSK Client Hello did not contain supported_groups and signature_algorithms extensions");
704 if(exts.has<Supported_Groups>() != exts.has<Key_Share>())
706 throw TLS_Exception(Alert::MissingExtension,
707 "Client Hello must either contain both key_share and supported_groups extensions or neither");
710 if(exts.has<Key_Share>())
712 const auto supported_ext = exts.get<Supported_Groups>();
714 const auto supports = supported_ext->groups();
715 const auto offers = exts.get<Key_Share>()->offered_groups();
726 auto found_in_supported_groups = [&supports,support_offset = -1](
auto group)
mutable
728 const auto i = std::find(supports.begin(), supports.end(), group);
729 if(i == supports.end())
734 const auto found_at = std::distance(supports.begin(), i);
735 if(found_at <= support_offset)
741 support_offset =
static_cast<decltype(support_offset)
>(found_at);
745 for(
const auto offered : offers)
750 if(!found_in_supported_groups(offered))
752 throw TLS_Exception(Alert::IllegalParameter,
753 "Offered key exchange groups do not align with claimed supported groups");
767Client_Hello_13::Client_Hello_13(
const Policy& policy,
769 RandomNumberGenerator& rng,
770 std::string_view hostname,
771 const std::vector<std::string>& next_protocols,
772 std::optional<Session_with_Handle>& session)
779 m_data->m_legacy_version = Protocol_Version::TLS_V12;
781 m_data->m_suites = policy.ciphersuite_list(Protocol_Version::TLS_V13);
783 if(policy.allow_tls12())
785 const auto legacy_suites = policy.ciphersuite_list(Protocol_Version::TLS_V12);
786 m_data->m_suites.insert(m_data->m_suites.end(), legacy_suites.cbegin(), legacy_suites.cend());
789 if(policy.tls_13_middlebox_compatibility_mode())
801 if(!hostname.empty())
802 m_data->extensions().add(
new Server_Name_Indicator(hostname));
804 m_data->extensions().add(
new Supported_Groups(policy.key_exchange_groups()));
806 m_data->extensions().add(
new Key_Share(policy, cb, rng));
808 m_data->extensions().add(
new Supported_Versions(Protocol_Version::TLS_V13, policy));
810 m_data->extensions().add(
new Signature_Algorithms(policy.acceptable_signature_schemes()));
811 if(
auto cert_signing_prefs = policy.acceptable_certificate_signature_schemes())
816 m_data->extensions().add(
new Signature_Algorithms_Cert(std::move(cert_signing_prefs.value())));
822 m_data->extensions().add(
new PSK_Key_Exchange_Modes({PSK_Key_Exchange_Mode::PSK_DHE_KE}));
824 if(policy.support_cert_status_message())
825 m_data->extensions().add(
new Certificate_Status_Request({}, {}));
830 if(policy.record_size_limit().has_value() && !policy.allow_tls12())
831 m_data->extensions().add(
new Record_Size_Limit(policy.record_size_limit().value()));
833 if(!next_protocols.empty())
834 m_data->extensions().add(
new Application_Layer_Protocol_Notification(next_protocols));
836 if(policy.allow_tls12())
838 m_data->extensions().add(
new Renegotiation_Extension());
839 m_data->extensions().add(
new Session_Ticket_Extension());
842 m_data->extensions().add(
new Extended_Master_Secret);
844 if(policy.negotiate_encrypt_then_mac())
845 m_data->extensions().add(
new Encrypt_then_MAC);
847 if(m_data->extensions().has<Supported_Groups>() && !m_data->extensions().get<Supported_Groups>()->ec_groups().empty())
848 m_data->extensions().add(
new Supported_Point_Formats(policy.use_ecc_point_compression()));
851 if(session.has_value())
853 m_data->extensions().add(
new PSK(session.value(), cb));
858 if(m_data->extensions().has<
PSK>())
863 if(m_data->extensions().all().back()->type() != Extension_Code::PresharedKey)
865 throw TLS_Exception(Alert::InternalError,
866 "Application modified extensions of Client Hello, PSK is not last anymore");
868 calculate_psk_binders({});
873std::variant<Client_Hello_13, Client_Hello_12>
874Client_Hello_13::parse(
const std::vector<uint8_t>& buf)
876 auto data = std::make_unique<Client_Hello_Internal>(buf);
877 const auto version = data->version();
879 if(version.is_pre_tls_13())
880 return Client_Hello_12(std::move(data));
882 return Client_Hello_13(std::move(data));
885void Client_Hello_13::retry(
const Hello_Retry_Request& hrr,
886 const Transcript_Hash_State& transcript_hash_state,
888 RandomNumberGenerator& rng)
893 auto hrr_ks = hrr.extensions().get<Key_Share>();
894 const auto& supported_groups = m_data->extensions().get<Supported_Groups>()->groups();
896 if(hrr.extensions().has<Key_Share>())
897 m_data->extensions().get<Key_Share>()->retry_offer(*hrr_ks, supported_groups, cb, rng);
907 if(hrr.extensions().has<Cookie>())
910 m_data->extensions().add(
new Cookie(hrr.extensions().get<Cookie>()->get_cookie()));
919 auto psk = m_data->extensions().get<
PSK>();
930 psk->filter(cipher.value());
935 calculate_psk_binders(transcript_hash_state.clone());
939void Client_Hello_13::validate_updates(
const Client_Hello_13& new_ch)
946 if(m_data->session_id() != new_ch.m_data->session_id() ||
947 m_data->random() != new_ch.m_data->random() ||
948 m_data->ciphersuites() != new_ch.m_data->ciphersuites() ||
949 m_data->comp_methods() != new_ch.m_data->comp_methods())
951 throw TLS_Exception(Alert::IllegalParameter,
"Client Hello core values changed after Hello Retry Request");
954 const auto oldexts = extension_types();
955 const auto newexts = new_ch.extension_types();
958 for(
const auto oldext : oldexts)
960 if(!newexts.contains(oldext))
962 const auto ext = extensions().get(oldext);
965 if(!ext->is_implemented())
971 if(oldext == EarlyDataIndication::static_type())
982 throw TLS_Exception(Alert::IllegalParameter,
"Extension removed in updated Client Hello");
987 for(
const auto newext : newexts)
989 if(!oldexts.contains(newext))
991 const auto ext = new_ch.extensions().get(newext);
994 if(!ext->is_implemented())
1000 if(newext == Cookie::static_type())
1011 throw TLS_Exception(Alert::UnsupportedExtension,
"Added an extension in updated Client Hello");
1018 if(new_ch.extensions().has<EarlyDataIndication>())
1020 throw TLS_Exception(Alert::IllegalParameter,
"Updated Client Hello indicates early data");
1039void Client_Hello_13::calculate_psk_binders(Transcript_Hash_State ths)
1041 auto psk = m_data->extensions().get<
PSK>();
1042 if(!psk || psk->empty())
1055 psk->calculate_binders(ths);
1058std::optional<Protocol_Version> Client_Hello_13::highest_supported_version(
const Policy& policy)
const
1065 const auto supvers = m_data->extensions().get<Supported_Versions>();
1068 std::optional<Protocol_Version> result;
1070 for(
const auto& v : supvers->versions())
1076 if(!v.known_version() || !policy.acceptable_protocol_version(v))
1079 result = (result.has_value())
1080 ? std::optional(std::max(result.value(), v))
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_ASSERT_NONNULL(ptr)
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
void random_vec(std::span< uint8_t > v)
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
virtual std::chrono::system_clock::time_point tls_current_timestamp()
static std::optional< Ciphersuite > by_id(uint16_t suite)
const Protocol_Version protocol_version() const
const std::string hostname() const
Client_Hello_12(const std::vector< uint8_t > &buf)
void update_hello_cookie(const Hello_Verify_Request &hello_verify)
std::vector< uint8_t > renegotiation_info() const
bool supports_encrypt_then_mac() const
Session_Ticket session_ticket() const
bool supports_cert_status_message() const
bool secure_renegotiation() const
bool supports_extended_master_secret() const
std::optional< Session_Handle > session_handle() const
bool supports_session_ticket() const
bool prefers_compressed_ec_points() const
const std::vector< uint8_t > & cookie() const
std::string sni_hostname() const
std::vector< uint8_t > serialize() const override
const std::vector< uint8_t > & random() const
std::vector< Signature_Scheme > signature_schemes() const
const Extensions & extensions() const
bool offered_suite(uint16_t ciphersuite) const
std::unique_ptr< Client_Hello_Internal > m_data
bool sent_signature_algorithms() const
std::vector< Group_Params > supported_ecc_curves() const
bool supports_alpn() const
std::vector< Signature_Scheme > certificate_signature_schemes() const
const std::vector< uint16_t > & ciphersuites() const
std::vector< uint8_t > cookie_input_data() const
std::set< Extension_Code > extension_types() const
std::vector< Group_Params > supported_dh_groups() const
std::vector< std::string > next_protocols() const
const Session_ID & session_id() const
Protocol_Version legacy_version() const
const std::vector< uint8_t > & compression_methods() const
std::vector< uint16_t > srtp_profiles() const
Handshake_Type type() const override
std::vector< Protocol_Version > supported_versions() const
void update(const uint8_t in[], size_t length)
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
static std::vector< uint8_t > prepare_message(const Handshake_Message_13_Ref message, Transcript_Hash_State &transcript_hash)
Hello_Request(Handshake_IO &io)
const std::vector< uint8_t > & cookie() const
virtual bool include_time_in_hello_random() const
virtual bool allow_tls12() const
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version) const
virtual std::vector< Group_Params > key_exchange_groups() const
virtual bool negotiate_encrypt_then_mac() const
virtual bool acceptable_protocol_version(Protocol_Version version) const
virtual std::vector< uint16_t > srtp_profiles() const
virtual bool support_cert_status_message() const
virtual std::optional< std::vector< Signature_Scheme > > acceptable_certificate_signature_schemes() const
virtual bool hash_hello_random() const
virtual std::vector< Signature_Scheme > acceptable_signature_schemes() const
virtual bool use_ecc_point_compression() const
virtual bool allow_dtls12() const
Protocol_Version version() const
bool supports_encrypt_then_mac() const
uint16_t ciphersuite_code() const
const Server_Information & server_info() const
std::optional< Session_Ticket > ticket() const
std::optional< Session_ID > id() const
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
@ TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
constexpr void store_be(uint16_t in, uint8_t out[2])
bool value_exists(const std::vector< T > &vec, const OT &val)