Botan 3.9.0
Crypto and TLS for C&
msg_server_hello.cpp
Go to the documentation of this file.
1/*
2* TLS Server Hello and Server Hello Done
3* (C) 2004-2011,2015,2016,2019 Jack Lloyd
4* 2016 Matthias Gierlings
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6* 2021 Elektrobit Automotive GmbH
7* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/tls_messages.h>
13
14#include <botan/mem_ops.h>
15#include <botan/tls_callbacks.h>
16#include <botan/tls_exceptn.h>
17#include <botan/tls_extensions.h>
18#include <botan/tls_session_manager.h>
19#include <botan/internal/ct_utils.h>
20#include <botan/internal/stl_util.h>
21#include <botan/internal/tls_handshake_hash.h>
22#include <botan/internal/tls_handshake_io.h>
23#include <botan/internal/tls_reader.h>
24#include <botan/internal/tls_session_key.h>
25#include <array>
26
27namespace Botan::TLS {
28
29namespace {
30
31const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
32const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
33
34// SHA-256("HelloRetryRequest")
35const std::array<uint8_t, 32> HELLO_RETRY_REQUEST_MARKER = {
36 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
37 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C};
38
39bool random_signals_hello_retry_request(const std::vector<uint8_t>& random) {
40 return CT::is_equal(random.data(), HELLO_RETRY_REQUEST_MARKER.data(), HELLO_RETRY_REQUEST_MARKER.size()).as_bool();
41}
42
43std::vector<uint8_t> make_server_hello_random(RandomNumberGenerator& rng,
44 Protocol_Version offered_version,
45 Callbacks& cb,
46 const Policy& policy) {
47 BOTAN_UNUSED(offered_version);
48 auto random = make_hello_random(rng, cb, policy);
49
50 // RFC 8446 4.1.3
51 // TLS 1.3 has a downgrade protection mechanism embedded in the server's
52 // random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
53 // response to a ClientHello MUST set the last 8 bytes of their Random
54 // value specially in their ServerHello.
55 //
56 // If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
57 // their Random value to the bytes: [DOWNGRADE_TLS12]
58 if(offered_version.is_pre_tls_13() && policy.allow_tls13()) {
59 constexpr size_t downgrade_signal_length = sizeof(DOWNGRADE_TLS12);
60 BOTAN_ASSERT_NOMSG(random.size() >= downgrade_signal_length);
61 auto* lastbytes = random.data() + random.size() - downgrade_signal_length;
62 store_be(DOWNGRADE_TLS12, lastbytes);
63 }
64
65 return random;
66}
67
68} // namespace
69
70/**
71* Version-agnostic internal server hello data container that allows
72* parsing Server_Hello messages without prior knowledge of the contained
73* protocol version.
74*/
75class Server_Hello_Internal {
76 public:
77 /**
78 * Deserialize a Server Hello message
79 */
80 explicit Server_Hello_Internal(const std::vector<uint8_t>& buf) {
81 if(buf.size() < 38) {
82 throw Decoding_Error("Server_Hello: Packet corrupted");
83 }
84
85 TLS_Data_Reader reader("ServerHello", buf);
86
87 const uint8_t major_version = reader.get_byte();
88 const uint8_t minor_version = reader.get_byte();
89
90 m_legacy_version = Protocol_Version(major_version, minor_version);
91
92 // RFC 8446 4.1.3
93 // Upon receiving a message with type server_hello, implementations MUST
94 // first examine the Random value and, if it matches this value, process
95 // it as described in Section 4.1.4 [Hello Retry Request]).
96 m_random = reader.get_fixed<uint8_t>(32);
97 m_is_hello_retry_request = random_signals_hello_retry_request(m_random);
98
99 m_session_id = Session_ID(reader.get_range<uint8_t>(1, 0, 32));
100 m_ciphersuite = reader.get_uint16_t();
101 m_comp_method = reader.get_byte();
102
103 // Note that this code path might parse a TLS 1.2 (or older) server hello message that
104 // is nevertheless marked as being a 'hello retry request' (potentially maliciously).
105 // Extension parsing will however not be affected by the associated flag.
106 // Only after parsing the extensions will the upstream code be able to decide
107 // whether we're dealing with TLS 1.3 or older.
108 m_extensions.deserialize(
109 reader,
112 }
113
114 Server_Hello_Internal(Protocol_Version lv,
115 Session_ID sid,
116 std::vector<uint8_t> r,
117 const uint16_t cs,
118 const uint8_t cm,
119 bool is_hrr = false) :
120 m_legacy_version(lv),
121 m_session_id(std::move(sid)),
122 m_random(std::move(r)),
123 m_is_hello_retry_request(is_hrr),
124 m_ciphersuite(cs),
125 m_comp_method(cm) {}
126
127 Protocol_Version version() const {
128 // RFC 8446 4.2.1
129 // A server which negotiates a version of TLS prior to TLS 1.3 MUST set
130 // ServerHello.version and MUST NOT send the "supported_versions"
131 // extension. A server which negotiates TLS 1.3 MUST respond by sending
132 // a "supported_versions" extension containing the selected version
133 // value (0x0304).
134 //
135 // Note: Here we just take a message parsing decision, further validation of
136 // the extension's contents is done later.
137 return (extensions().has<Supported_Versions>()) ? Protocol_Version::TLS_V13 : m_legacy_version;
138 }
139
140 Protocol_Version legacy_version() const { return m_legacy_version; }
141
142 const Session_ID& session_id() const { return m_session_id; }
143
144 const std::vector<uint8_t>& random() const { return m_random; }
145
146 uint16_t ciphersuite() const { return m_ciphersuite; }
147
148 uint8_t comp_method() const { return m_comp_method; }
149
150 bool is_hello_retry_request() const { return m_is_hello_retry_request; }
151
152 const Extensions& extensions() const { return m_extensions; }
153
154 Extensions& extensions() { return m_extensions; }
155
156 private:
157 Protocol_Version m_legacy_version;
158 Session_ID m_session_id;
159 std::vector<uint8_t> m_random;
160 bool m_is_hello_retry_request;
161 uint16_t m_ciphersuite;
162 uint8_t m_comp_method;
163
164 Extensions m_extensions;
165};
166
167Server_Hello::Server_Hello(std::unique_ptr<Server_Hello_Internal> data) : m_data(std::move(data)) {}
168
169Server_Hello::Server_Hello(Server_Hello&&) noexcept = default;
170Server_Hello& Server_Hello::operator=(Server_Hello&&) noexcept = default;
171
172Server_Hello::~Server_Hello() = default;
173
174/*
175* Serialize a Server Hello message
176*/
177std::vector<uint8_t> Server_Hello::serialize() const {
178 std::vector<uint8_t> buf;
179 buf.reserve(1024); // working around GCC warning
180
181 buf.push_back(m_data->legacy_version().major_version());
182 buf.push_back(m_data->legacy_version().minor_version());
183 buf += m_data->random();
184
185 append_tls_length_value(buf, m_data->session_id().get(), 1);
186
187 buf.push_back(get_byte<0>(m_data->ciphersuite()));
188 buf.push_back(get_byte<1>(m_data->ciphersuite()));
189
190 buf.push_back(m_data->comp_method());
191
192 buf += m_data->extensions().serialize(Connection_Side::Server);
193
194 return buf;
195}
196
200
202 return m_data->legacy_version();
203}
204
205const std::vector<uint8_t>& Server_Hello::random() const {
206 return m_data->random();
207}
208
210 return m_data->comp_method();
211}
212
214 return m_data->session_id();
215}
216
218 return m_data->ciphersuite();
219}
220
221std::set<Extension_Code> Server_Hello::extension_types() const {
222 return m_data->extensions().extension_types();
223}
224
226 return m_data->extensions();
227}
228
229// New session case
231 Handshake_Hash& hash,
232 const Policy& policy,
233 Callbacks& cb,
235 const std::vector<uint8_t>& reneg_info,
236 const Client_Hello_12& client_hello,
237 const Server_Hello_12::Settings& server_settings,
238 std::string_view next_protocol) :
239 Server_Hello(std::make_unique<Server_Hello_Internal>(
240 server_settings.protocol_version(),
241 server_settings.session_id(),
242 make_server_hello_random(rng, server_settings.protocol_version(), cb, policy),
243 server_settings.ciphersuite(),
244 uint8_t(0))) {
245 // NOLINTBEGIN(*-owning-memory)
246 if(client_hello.supports_extended_master_secret()) {
247 m_data->extensions().add(new Extended_Master_Secret);
248 }
249
250 // Sending the extension back does not commit us to sending a stapled response
251 if(client_hello.supports_cert_status_message() && policy.support_cert_status_message()) {
252 m_data->extensions().add(new Certificate_Status_Request);
253 }
254
255 if(!next_protocol.empty() && client_hello.supports_alpn()) {
256 m_data->extensions().add(new Application_Layer_Protocol_Notification(next_protocol));
257 }
258
259 const auto c = Ciphersuite::by_id(m_data->ciphersuite());
260
261 if(c && c->cbc_ciphersuite() && client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac()) {
262 m_data->extensions().add(new Encrypt_then_MAC);
263 }
264
265 if(c && c->ecc_ciphersuite() && client_hello.extension_types().contains(Extension_Code::EcPointFormats)) {
266 m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
267 }
268
269 if(client_hello.secure_renegotiation()) {
270 m_data->extensions().add(new Renegotiation_Extension(reneg_info));
271 }
272
273 if(client_hello.supports_session_ticket() && server_settings.offer_session_ticket()) {
274 m_data->extensions().add(new Session_Ticket_Extension());
275 }
276
277 if(m_data->legacy_version().is_datagram_protocol()) {
278 const std::vector<uint16_t> server_srtp = policy.srtp_profiles();
279 const std::vector<uint16_t> client_srtp = client_hello.srtp_profiles();
280
281 if(!server_srtp.empty() && !client_srtp.empty()) {
282 uint16_t shared = 0;
283 // always using server preferences for now
284 for(auto s_srtp : server_srtp) {
285 for(auto c_srtp : client_srtp) {
286 if(shared == 0 && s_srtp == c_srtp) {
287 shared = s_srtp;
288 }
289 }
290 }
291
292 if(shared != 0) {
293 m_data->extensions().add(new SRTP_Protection_Profiles(shared));
294 }
295 }
296 }
297 // NOLINTEND(*-owning-memory)
299 cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Server, type());
301 hash.update(io.send(*this));
302}
303
304// Resuming
306 Handshake_Hash& hash,
307 const Policy& policy,
308 Callbacks& cb,
310 const std::vector<uint8_t>& reneg_info,
311 const Client_Hello_12& client_hello,
312 const Session& resumed_session,
313 bool offer_session_ticket,
314 std::string_view next_protocol) :
315 Server_Hello(std::make_unique<Server_Hello_Internal>(resumed_session.version(),
316 client_hello.session_id(),
317 make_hello_random(rng, cb, policy),
318 resumed_session.ciphersuite_code(),
319 uint8_t(0))) {
320 // NOLINTBEGIN(*-owning-memory)
321 if(client_hello.supports_extended_master_secret()) {
322 m_data->extensions().add(new Extended_Master_Secret);
323 }
324
325 if(!next_protocol.empty() && client_hello.supports_alpn()) {
326 m_data->extensions().add(new Application_Layer_Protocol_Notification(next_protocol));
327 }
328
329 if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac()) {
330 Ciphersuite c = resumed_session.ciphersuite();
331 if(c.cbc_ciphersuite()) {
332 m_data->extensions().add(new Encrypt_then_MAC);
333 }
334 }
335
336 if(resumed_session.ciphersuite().ecc_ciphersuite() &&
337 client_hello.extension_types().contains(Extension_Code::EcPointFormats)) {
338 m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
339 }
340
341 if(client_hello.secure_renegotiation()) {
342 m_data->extensions().add(new Renegotiation_Extension(reneg_info));
343 }
344
345 if(client_hello.supports_session_ticket() && offer_session_ticket) {
346 m_data->extensions().add(new Session_Ticket_Extension());
347 }
348 // NOLINTEND(*-owning-memory)
349
350 cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Server, type());
351
352 hash.update(io.send(*this));
353}
354
355Server_Hello_12::Server_Hello_12(const std::vector<uint8_t>& buf) :
356 Server_Hello_12(std::make_unique<Server_Hello_Internal>(buf)) {}
357
358Server_Hello_12::Server_Hello_12(std::unique_ptr<Server_Hello_Internal> data) : Server_Hello(std::move(data)) {
359 if(!m_data->version().is_pre_tls_13()) {
360 throw TLS_Exception(Alert::ProtocolVersion, "Expected server hello of (D)TLS 1.2 or lower");
361 }
362}
363
367
369 return m_data->extensions().has<Renegotiation_Extension>();
370}
371
372std::vector<uint8_t> Server_Hello_12::renegotiation_info() const {
373 if(Renegotiation_Extension* reneg = m_data->extensions().get<Renegotiation_Extension>()) {
374 return reneg->renegotiation_info();
375 }
376 return std::vector<uint8_t>();
377}
378
380 return m_data->extensions().has<Extended_Master_Secret>();
381}
382
384 return m_data->extensions().has<Encrypt_then_MAC>();
385}
386
390
392 return m_data->extensions().has<Session_Ticket_Extension>();
393}
394
396 if(auto* srtp = m_data->extensions().get<SRTP_Protection_Profiles>()) {
397 auto prof = srtp->profiles();
398 if(prof.size() != 1 || prof[0] == 0) {
399 throw Decoding_Error("Server sent malformed DTLS-SRTP extension");
400 }
401 return prof[0];
402 }
403
404 return 0;
405}
406
408 if(auto* alpn = m_data->extensions().get<Application_Layer_Protocol_Notification>()) {
409 return alpn->single_protocol();
410 }
411 return "";
412}
413
415 if(auto* ecc_formats = m_data->extensions().get<Supported_Point_Formats>()) {
416 return ecc_formats->prefers_compressed();
417 }
418 return false;
419}
420
421std::optional<Protocol_Version> Server_Hello_12::random_signals_downgrade() const {
422 const uint64_t last8 = load_be<uint64_t>(m_data->random().data(), 3);
423 if(last8 == DOWNGRADE_TLS11) {
424 return Protocol_Version::TLS_V11;
425 }
426 if(last8 == DOWNGRADE_TLS12) {
427 return Protocol_Version::TLS_V12;
428 }
429
430 return std::nullopt;
431}
432
433/*
434* Create a new Server Hello Done message
435*/
439
440/*
441* Deserialize a Server Hello Done message
442*/
443Server_Hello_Done::Server_Hello_Done(const std::vector<uint8_t>& buf) {
444 if(!buf.empty()) {
445 throw Decoding_Error("Server_Hello_Done: Must be empty, and is not");
446 }
447}
448
449/*
450* Serialize a Server Hello Done message
451*/
452std::vector<uint8_t> Server_Hello_Done::serialize() const {
453 return std::vector<uint8_t>();
454}
455
456#if defined(BOTAN_HAS_TLS_13)
457
458const Server_Hello_13::Server_Hello_Tag Server_Hello_13::as_server_hello;
459const Server_Hello_13::Hello_Retry_Request_Tag Server_Hello_13::as_hello_retry_request;
460const Server_Hello_13::Hello_Retry_Request_Creation_Tag Server_Hello_13::as_new_hello_retry_request;
461
462std::variant<Hello_Retry_Request, Server_Hello_13> Server_Hello_13::create(const Client_Hello_13& ch,
463 bool hello_retry_request_allowed,
464 Session_Manager& session_mgr,
465 Credentials_Manager& credentials_mgr,
467 const Policy& policy,
468 Callbacks& cb) {
469 const auto& exts = ch.extensions();
470
471 // RFC 8446 4.2.9
472 // [With PSK with (EC)DHE key establishment], the client and server MUST
473 // supply "key_share" values [...].
474 //
475 // Note: We currently do not support PSK without (EC)DHE, hence, we can
476 // assume that those extensions are available.
477 BOTAN_ASSERT_NOMSG(exts.has<Supported_Groups>() && exts.has<Key_Share>());
478 const auto& supported_by_client = exts.get<Supported_Groups>()->groups();
479 const auto& offered_by_client = exts.get<Key_Share>()->offered_groups();
480 const auto selected_group = policy.choose_key_exchange_group(supported_by_client, offered_by_client);
481
482 // RFC 8446 4.1.1
483 // If there is no overlap between the received "supported_groups" and the
484 // groups supported by the server, then the server MUST abort the
485 // handshake with a "handshake_failure" or an "insufficient_security" alert.
486 if(selected_group == Named_Group::NONE) {
487 throw TLS_Exception(Alert::HandshakeFailure, "Client did not offer any acceptable group");
488 }
489
490 // RFC 8446 4.2.8:
491 // Servers MUST NOT send a KeyShareEntry for any group not indicated in the
492 // client's "supported_groups" extension [...]
493 if(!value_exists(supported_by_client, selected_group)) {
494 throw TLS_Exception(Alert::InternalError, "Application selected a group that is not supported by the client");
495 }
496
497 // RFC 8446 4.1.4
498 // The server will send this message in response to a ClientHello
499 // message if it is able to find an acceptable set of parameters but the
500 // ClientHello does not contain sufficient information to proceed with
501 // the handshake.
502 //
503 // In this case, the Client Hello did not contain a key share offer for
504 // the group selected by the application.
505 if(!value_exists(offered_by_client, selected_group)) {
506 // RFC 8446 4.1.4
507 // If a client receives a second HelloRetryRequest in the same
508 // connection (i.e., where the ClientHello was itself in response to a
509 // HelloRetryRequest), it MUST abort the handshake with an
510 // "unexpected_message" alert.
511 BOTAN_STATE_CHECK(hello_retry_request_allowed);
512 return Hello_Retry_Request(ch, selected_group, policy, cb);
513 } else {
514 return Server_Hello_13(ch, selected_group, session_mgr, credentials_mgr, rng, cb, policy);
515 }
516}
517
518std::variant<Hello_Retry_Request, Server_Hello_13, Server_Hello_12> Server_Hello_13::parse(
519 const std::vector<uint8_t>& buf) {
520 auto data = std::make_unique<Server_Hello_Internal>(buf);
521 const auto version = data->version();
522
523 // server hello that appears to be pre-TLS 1.3, takes precedence over...
524 if(version.is_pre_tls_13()) {
525 return Server_Hello_12(std::move(data));
526 }
527
528 // ... the TLS 1.3 "special case" aka. Hello_Retry_Request
529 if(version == Protocol_Version::TLS_V13) {
530 if(data->is_hello_retry_request()) {
531 return Hello_Retry_Request(std::move(data));
532 }
533
534 return Server_Hello_13(std::move(data));
535 }
536
537 throw TLS_Exception(Alert::ProtocolVersion, "unexpected server hello version: " + version.to_string());
538}
539
540/**
541 * Validation that applies to both Server Hello and Hello Retry Request
542 */
544 BOTAN_ASSERT_NOMSG(m_data->version() == Protocol_Version::TLS_V13);
545
546 // Note: checks that cannot be performed without contextual information
547 // are done in the specific TLS client implementation.
548 // Note: The Supported_Version extension makes sure internally that
549 // exactly one entry is provided.
550
551 // Note: Hello Retry Request basic validation is equivalent with the
552 // basic validations required for Server Hello
553 //
554 // RFC 8446 4.1.4
555 // Upon receipt of a HelloRetryRequest, the client MUST check the
556 // legacy_version, [...], and legacy_compression_method as specified in
557 // Section 4.1.3 and then process the extensions, starting with determining
558 // the version using "supported_versions".
559
560 // RFC 8446 4.1.3
561 // In TLS 1.3, [...] the legacy_version field MUST be set to 0x0303
562 if(legacy_version() != Protocol_Version::TLS_V12) {
563 throw TLS_Exception(Alert::ProtocolVersion,
564 "legacy_version '" + legacy_version().to_string() + "' is not allowed");
565 }
566
567 // RFC 8446 4.1.3
568 // legacy_compression_method: A single byte which MUST have the value 0.
569 if(compression_method() != 0x00) {
570 throw TLS_Exception(Alert::DecodeError, "compression is not supported in TLS 1.3");
571 }
572
573 // RFC 8446 4.1.3
574 // All TLS 1.3 ServerHello messages MUST contain the "supported_versions" extension.
575 if(!extensions().has<Supported_Versions>()) {
576 throw TLS_Exception(Alert::MissingExtension, "server hello did not contain 'supported version' extension");
577 }
578
579 // RFC 8446 4.2.1
580 // A server which negotiates TLS 1.3 MUST respond by sending
581 // a "supported_versions" extension containing the selected version
582 // value (0x0304).
583 if(selected_version() != Protocol_Version::TLS_V13) {
584 throw TLS_Exception(Alert::IllegalParameter, "TLS 1.3 Server Hello selected a different version");
585 }
586}
587
588Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data,
589 Server_Hello_13::Server_Hello_Tag /*tag*/) :
590 Server_Hello(std::move(data)) {
591 BOTAN_ASSERT_NOMSG(!m_data->is_hello_retry_request());
593
594 const auto& exts = extensions();
595
596 // RFC 8446 4.1.3
597 // The ServerHello MUST only include extensions which are required to
598 // establish the cryptographic context and negotiate the protocol version.
599 // [...]
600 // Other extensions (see Section 4.2) are sent separately in the
601 // EncryptedExtensions message.
602 //
603 // Note that further validation dependent on the client hello is done in the
604 // TLS client implementation.
605 const std::set<Extension_Code> allowed = {
609 };
610
611 // As the ServerHello shall only contain essential extensions, we don't give
612 // any slack for extensions not implemented by Botan here.
613 if(exts.contains_other_than(allowed)) {
614 throw TLS_Exception(Alert::UnsupportedExtension, "Server Hello contained an extension that is not allowed");
615 }
616
617 // RFC 8446 4.1.3
618 // Current ServerHello messages additionally contain
619 // either the "pre_shared_key" extension or the "key_share"
620 // extension, or both [...].
621 if(!exts.has<Key_Share>() && !exts.has<PSK_Key_Exchange_Modes>()) {
622 throw TLS_Exception(Alert::MissingExtension, "server hello must contain key exchange information");
623 }
624}
625
626Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data,
627 Server_Hello_13::Hello_Retry_Request_Tag /*tag*/) :
628 Server_Hello(std::move(data)) {
629 BOTAN_ASSERT_NOMSG(m_data->is_hello_retry_request());
631
632 const auto& exts = extensions();
633
634 // RFC 8446 4.1.4
635 // The HelloRetryRequest extensions defined in this specification are:
636 // - supported_versions (see Section 4.2.1)
637 // - cookie (see Section 4.2.2)
638 // - key_share (see Section 4.2.8)
639 const std::set<Extension_Code> allowed = {
643 };
644
645 // As the Hello Retry Request shall only contain essential extensions, we
646 // don't give any slack for extensions not implemented by Botan here.
647 if(exts.contains_other_than(allowed)) {
648 throw TLS_Exception(Alert::UnsupportedExtension,
649 "Hello Retry Request contained an extension that is not allowed");
650 }
651
652 // RFC 8446 4.1.4
653 // Clients MUST abort the handshake with an "illegal_parameter" alert if
654 // the HelloRetryRequest would not result in any change in the ClientHello.
655 if(!exts.has<Key_Share>() && !exts.has<Cookie>()) {
656 throw TLS_Exception(Alert::IllegalParameter, "Hello Retry Request does not request any changes to Client Hello");
657 }
658}
659
660Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data,
661 Hello_Retry_Request_Creation_Tag /*tag*/) :
662 Server_Hello(std::move(data)) {}
663
664namespace {
665
666uint16_t choose_ciphersuite(const Client_Hello_13& ch, const Policy& policy) {
667 auto pref_list = ch.ciphersuites();
668 // TODO: DTLS might need to make this version dynamic
669 auto other_list = policy.ciphersuite_list(Protocol_Version::TLS_V13);
670
672 std::swap(pref_list, other_list);
673 }
674
675 for(auto suite_id : pref_list) {
676 // TODO: take potentially available PSKs into account to select a
677 // compatible ciphersuite.
678 //
679 // Assuming the client sent one or more PSKs, we would first need to find
680 // the hash functions they are associated to. For session tickets, that
681 // would mean decrypting the ticket and comparing the cipher suite used in
682 // those tickets. For (currently not yet supported) pre-assigned PSKs, the
683 // hash function needs to be specified along with them.
684 //
685 // Then we could refine the ciphersuite selection using the required hash
686 // function for the PSK(s) we are wishing to use down the road.
687 //
688 // For now, we just negotiate the cipher suite blindly and hope for the
689 // best. As long as PSKs are used for session resumption only, this has a
690 // high chance of success. Previous handshakes with this client have very
691 // likely selected the same ciphersuite anyway.
692 //
693 // See also RFC 8446 4.2.11
694 // When session resumption is the primary use case of PSKs, the most
695 // straightforward way to implement the PSK/cipher suite matching
696 // requirements is to negotiate the cipher suite first [...].
697 if(value_exists(other_list, suite_id)) {
698 return suite_id;
699 }
700 }
701
702 // RFC 8446 4.1.1
703 // If the server is unable to negotiate a supported set of parameters
704 // [...], it MUST abort the handshake with either a "handshake_failure"
705 // or "insufficient_security" fatal alert [...].
706 throw TLS_Exception(Alert::HandshakeFailure, "Can't agree on a ciphersuite with client");
707}
708} // namespace
709
711 std::optional<Named_Group> key_exchange_group,
712 Session_Manager& session_mgr,
713 Credentials_Manager& credentials_mgr,
715 Callbacks& cb,
716 const Policy& policy) :
717 Server_Hello(std::make_unique<Server_Hello_Internal>(
719 ch.session_id(),
720 make_server_hello_random(rng, Protocol_Version::TLS_V13, cb, policy),
721 choose_ciphersuite(ch, policy),
722 uint8_t(0) /* compression method */
723 )) {
724 // RFC 8446 4.2.1
725 // A server which negotiates TLS 1.3 MUST respond by sending a
726 // "supported_versions" extension containing the selected version
727 // value (0x0304). It MUST set the ServerHello.legacy_version field to
728 // 0x0303 (TLS 1.2).
729 //
730 // Note that the legacy version (TLS 1.2) is set in this constructor's
731 // initializer list, accordingly.
732 m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13)); // NOLINT(*-owning-memory)
733
734 if(key_exchange_group.has_value()) {
735 BOTAN_ASSERT_NOMSG(ch.extensions().has<Key_Share>());
736 m_data->extensions().add(Key_Share::create_as_encapsulation(
737 key_exchange_group.value(), *ch.extensions().get<Key_Share>(), policy, cb, rng));
738 }
739
740 const auto& ch_exts = ch.extensions();
741
742 if(ch_exts.has<PSK>()) {
743 const auto cs = Ciphersuite::by_id(m_data->ciphersuite());
744 BOTAN_ASSERT_NOMSG(cs);
745
746 // RFC 8446 4.2.9
747 // A client MUST provide a "psk_key_exchange_modes" extension if it
748 // offers a "pre_shared_key" extension.
749 //
750 // Note: Client_Hello_13 constructor already performed a graceful check.
751 auto* const psk_modes = ch_exts.get<PSK_Key_Exchange_Modes>();
752 BOTAN_ASSERT_NONNULL(psk_modes);
753
754 // TODO: also support PSK_Key_Exchange_Mode::PSK_KE
755 // (PSK-based handshake without an additional ephemeral key exchange)
756 if(value_exists(psk_modes->modes(), PSK_Key_Exchange_Mode::PSK_DHE_KE)) {
757 if(auto server_psk = ch_exts.get<PSK>()->select_offered_psk(
758 ch.sni_hostname(), cs.value(), session_mgr, credentials_mgr, cb, policy)) {
759 // RFC 8446 4.2.11
760 // In order to accept PSK key establishment, the server sends a
761 // "pre_shared_key" extension indicating the selected identity.
762 m_data->extensions().add(std::move(server_psk));
763 }
764 }
765 }
766
767 cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Server, type());
768}
769
770std::optional<Protocol_Version> Server_Hello_13::random_signals_downgrade() const {
771 const uint64_t last8 = load_be<uint64_t>(m_data->random().data(), 3);
772 if(last8 == DOWNGRADE_TLS11) {
773 return Protocol_Version::TLS_V11;
774 }
775 if(last8 == DOWNGRADE_TLS12) {
776 return Protocol_Version::TLS_V12;
777 }
778
779 return std::nullopt;
780}
781
783 auto* const versions_ext = m_data->extensions().get<Supported_Versions>();
784 BOTAN_ASSERT_NOMSG(versions_ext);
785 const auto& versions = versions_ext->versions();
786 BOTAN_ASSERT_NOMSG(versions.size() == 1);
787 return versions.front();
788}
789
790Hello_Retry_Request::Hello_Retry_Request(std::unique_ptr<Server_Hello_Internal> data) :
792
794 Named_Group selected_group,
795 const Policy& policy,
796 Callbacks& cb) :
797 Server_Hello_13(std::make_unique<Server_Hello_Internal>(
798 Protocol_Version::TLS_V12 /* legacy_version */,
799 ch.session_id(),
800 std::vector<uint8_t>(HELLO_RETRY_REQUEST_MARKER.begin(), HELLO_RETRY_REQUEST_MARKER.end()),
801 choose_ciphersuite(ch, policy),
802 uint8_t(0) /* compression method */,
803 true /* is Hello Retry Request */
804 ),
806 // RFC 8446 4.1.4
807 // As with the ServerHello, a HelloRetryRequest MUST NOT contain any
808 // extensions that were not first offered by the client in its
809 // ClientHello, with the exception of optionally the "cookie" [...]
810 // extension.
813
815
816 // RFC 8446 4.1.4
817 // The server's extensions MUST contain "supported_versions".
818 //
819 // RFC 8446 4.2.1
820 // A server which negotiates TLS 1.3 MUST respond by sending a
821 // "supported_versions" extension containing the selected version
822 // value (0x0304). It MUST set the ServerHello.legacy_version field to
823 // 0x0303 (TLS 1.2).
824 //
825 // Note that the legacy version (TLS 1.2) is set in this constructor's
826 // initializer list, accordingly.
827 // NOLINTBEGIN(*-owning-memory)
828 m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13));
829
830 m_data->extensions().add(new Key_Share(selected_group));
831 // NOLINTEND(*-owning-memory)
832
834}
835
836#endif // BOTAN_HAS_TLS_13
837
838} // namespace Botan::TLS
#define BOTAN_UNUSED
Definition assert.h:144
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
static std::optional< Ciphersuite > by_id(uint16_t suite)
const Extensions & extensions() const
const std::vector< uint16_t > & ciphersuites() const
std::set< Extension_Code > extension_types() const
void update(const uint8_t in[], size_t length)
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
virtual std::vector< uint8_t > serialize() const =0
Hello_Retry_Request(std::unique_ptr< Server_Hello_Internal > data)
Handshake_Type type() const override
std::vector< Named_Group > offered_groups() const
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version) const
virtual bool negotiate_encrypt_then_mac() const
virtual bool server_uses_own_ciphersuite_preferences() const
virtual bool support_cert_status_message() const
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &supported_by_peer, const std::vector< Group_Params > &offered_by_peer) const
std::optional< Protocol_Version > random_signals_downgrade() const
Protocol_Version selected_version() const override
bool supports_certificate_status_message() const
std::string next_protocol() const
std::vector< uint8_t > renegotiation_info() const
Server_Hello_12(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello_12 &client_hello, const Settings &settings, std::string_view next_protocol)
Protocol_Version legacy_version() const
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Tag as_hello_retry_request
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Creation_Tag as_new_hello_retry_request
Server_Hello_13(std::unique_ptr< Server_Hello_Internal > data, Server_Hello_Tag tag=as_server_hello)
std::optional< Protocol_Version > random_signals_downgrade() const
static std::variant< Hello_Retry_Request, Server_Hello_13 > create(const Client_Hello_13 &ch, bool hello_retry_request_allowed, Session_Manager &session_mgr, Credentials_Manager &credentials_mgr, RandomNumberGenerator &rng, const Policy &policy, Callbacks &cb)
Protocol_Version selected_version() const final
static std::variant< Hello_Retry_Request, Server_Hello_13, Server_Hello_12 > parse(const std::vector< uint8_t > &buf)
static const struct Botan::TLS::Server_Hello_13::Server_Hello_Tag as_server_hello
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
Server_Hello(const Server_Hello &)=delete
std::vector< uint8_t > serialize() const override
std::set< Extension_Code > extension_types() const
Handshake_Type type() const override
const Session_ID & session_id() const
const std::vector< uint8_t > & random() const
std::unique_ptr< Server_Hello_Internal > m_data
const Extensions & extensions() const
Protocol_Version legacy_version() const
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:826
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:184
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Group_Params Named_Group
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
Definition tls_session.h:31
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:52
std::string to_string(ErrorType type)
Convert an ErrorType to string.
Definition exceptn.cpp:13
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504