Botan 3.6.1
Crypto and TLS for C&
msg_encrypted_extensions.cpp
Go to the documentation of this file.
1/*
2* TLS Hello Request and Client Hello Messages
3* (C) 2022 Jack Lloyd
4* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/tls_messages.h>
10
11#include <botan/tls_callbacks.h>
12#include <botan/tls_exceptn.h>
13#include <botan/internal/tls_reader.h>
14
15namespace Botan::TLS {
16
18 const auto& exts = client_hello.extensions();
19
20 // RFC 8446 4.2.7
21 // As of TLS 1.3, servers are permitted to send the "supported_groups"
22 // extension to the client. Clients [...] MAY use the information
23 // learned from a successfully completed handshake to change what groups
24 // they use in their "key_share" extension in subsequent connections.
25 if(exts.has<Supported_Groups>()) {
26 m_extensions.add(new Supported_Groups(policy.key_exchange_groups()));
27 }
28
29 const auto record_size_limit = policy.record_size_limit();
30 const auto max_record_size = MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */;
31 if(exts.has<Record_Size_Limit>()) {
32 // RFC 8449 4
33 // Endpoints SHOULD advertise the "record_size_limit" extension, even
34 // if they have no need to limit the size of records. [...] For
35 // servers, this allows clients to know that their limit will be
36 // respected.
37 m_extensions.add(new Record_Size_Limit(record_size_limit.value_or(max_record_size)));
38 } else if(record_size_limit.has_value() && record_size_limit.value() < max_record_size) {
39 // RFC 8449 4
40 // Endpoints SHOULD advertise the "record_size_limit" extension, even if
41 // they have no need to limit the size of records. For clients, this
42 // allows servers to advertise a limit at their discretion.
43 throw TLS_Exception(Alert::MissingExtension,
44 "Server cannot enforce record size limit without the client supporting it");
45 }
46
47 // RFC 7250 4.2
48 // If the TLS server wants to request a certificate from the client
49 // (via the certificate_request message), it MUST include the
50 // client_certificate_type extension in the server hello.
51 // [...]
52 // If the server does not send a certificate_request payload [...],
53 // then the client_certificate_type payload in the server hello MUST be
54 // omitted.
55 if(auto ch_client_cert_types = exts.get<Client_Certificate_Type>();
56 ch_client_cert_types && policy.request_client_certificate_authentication()) {
57 m_extensions.add(new Client_Certificate_Type(*ch_client_cert_types, policy));
58 }
59
60 // RFC 7250 4.2
61 // The server_certificate_type extension in the client hello indicates the
62 // types of certificates the client is able to process when provided by
63 // the server in a subsequent certificate payload. [...] With the
64 // server_certificate_type extension in the server hello, the TLS server
65 // indicates the certificate type carried in the Certificate payload.
66 if(auto ch_server_cert_types = exts.get<Server_Certificate_Type>()) {
67 m_extensions.add(new Server_Certificate_Type(*ch_server_cert_types, policy));
68 }
69
70 // RFC 6066 3
71 // A server that receives a client hello containing the "server_name"
72 // extension [...] SHALL include an extension of type "server_name" in the
73 // (extended) server hello. The "extension_data" field of this extension
74 // SHALL be empty.
75 if(exts.has<Server_Name_Indicator>()) {
76 m_extensions.add(new Server_Name_Indicator(""));
77 }
78
79 if(auto alpn_ext = exts.get<Application_Layer_Protocol_Notification>()) {
80 const auto next_protocol = cb.tls_server_choose_app_protocol(alpn_ext->protocols());
81 if(!next_protocol.empty()) {
82 m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol));
83 }
84 }
85
86 // TODO: Implement handling for (at least)
87 // * SRTP
88
90}
91
92Encrypted_Extensions::Encrypted_Extensions(const std::vector<uint8_t>& buf) {
93 TLS_Data_Reader reader("encrypted extensions reader", buf);
94
95 // Encrypted Extensions contains a list of extensions. This list may legally
96 // be empty. However, in that case we should at least see a two-byte length
97 // field that reads 0x00 0x00.
98 if(buf.size() < 2) {
99 throw TLS_Exception(Alert::DecodeError, "Server sent an empty Encrypted Extensions message");
100 }
101
102 m_extensions.deserialize(reader, Connection_Side::Server, type());
103
104 // RFC 8446 4.2
105 // If an implementation receives an extension which it recognizes and
106 // which is not specified for the message in which it appears, it MUST
107 // abort the handshake with an "illegal_parameter" alert.
108 //
109 // Note that we cannot encounter any extensions that we don't recognize here,
110 // since only extensions we previously offered are allowed in EE.
111 const auto allowed_exts = std::set<Extension_Code>{
112 // Allowed extensions listed in RFC 8446 and implemented in Botan
114 // MAX_FRAGMENT_LENGTH
117 // HEARTBEAT
119 // RFC 7250
122 // EARLY_DATA
123
124 // Allowed extensions not listed in RFC 8446 but acceptable as Botan implements them
126 };
127 if(m_extensions.contains_implemented_extensions_other_than(allowed_exts)) {
128 throw TLS_Exception(Alert::IllegalParameter, "Encrypted Extensions contained an extension that is not allowed");
129 }
130}
131
132std::vector<uint8_t> Encrypted_Extensions::serialize() const {
133 return m_extensions.serialize(Connection_Side::Server);
134}
135
136} // namespace Botan::TLS
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
const Extensions & extensions() const
std::vector< uint8_t > serialize() const override
Handshake_Type type() const override
Encrypted_Extensions(const std::vector< uint8_t > &buf)
bool contains_implemented_extensions_other_than(const std::set< Extension_Code > &allowed_extensions) const
std::vector< uint8_t > serialize(Connection_Side whoami) const
void deserialize(TLS_Data_Reader &reader, Connection_Side from, Handshake_Type message_type)
void add(std::unique_ptr< Extension > extn)
virtual std::vector< Group_Params > key_exchange_groups() const
virtual bool request_client_certificate_authentication() const
virtual std::optional< uint16_t > record_size_limit() const
@ MAX_PLAINTEXT_SIZE
Definition tls_magic.h:30