Botan 3.0.0
Crypto and TLS for C&
msg_server_hello.cpp
Go to the documentation of this file.
1/*
2* TLS Server Hello and Server Hello Done
3* (C) 2004-2011,2015,2016,2019 Jack Lloyd
4* 2016 Matthias Gierlings
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6* 2021 Elektrobit Automotive GmbH
7* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/tls_messages.h>
13
14#include <botan/tls_extensions.h>
15#include <botan/tls_exceptn.h>
16#include <botan/tls_callbacks.h>
17#include <botan/tls_session_manager.h>
18#include <botan/internal/tls_reader.h>
19#include <botan/mem_ops.h>
20#include <botan/internal/tls_session_key.h>
21#include <botan/internal/tls_handshake_io.h>
22#include <botan/internal/tls_handshake_hash.h>
23#include <botan/internal/stl_util.h>
24
25#include <array>
26
27namespace Botan::TLS {
28
29namespace {
30
31const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
32const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
33
34// SHA-256("HelloRetryRequest")
35const std::vector<uint8_t> HELLO_RETRY_REQUEST_MARKER =
36 {
37 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02,
38 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
39 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
40 };
41
42bool random_signals_hello_retry_request(const std::vector<uint8_t>& random)
43 {
44 return constant_time_compare(random.data(), HELLO_RETRY_REQUEST_MARKER.data(), HELLO_RETRY_REQUEST_MARKER.size());
45 }
46
47std::vector<uint8_t>
48make_server_hello_random(RandomNumberGenerator& rng,
49 Protocol_Version offered_version,
50 Callbacks& cb,
51 const Policy& policy)
52 {
53 BOTAN_UNUSED(offered_version);
54 auto random = make_hello_random(rng, cb, policy);
55
56 // RFC 8446 4.1.3
57 // TLS 1.3 has a downgrade protection mechanism embedded in the server's
58 // random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
59 // response to a ClientHello MUST set the last 8 bytes of their Random
60 // value specially in their ServerHello.
61 //
62 // If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of
63 // their Random value to the bytes: [DOWNGRADE_TLS12]
64 if(offered_version.is_pre_tls_13() && policy.allow_tls13())
65 {
66 constexpr size_t downgrade_signal_length = sizeof(DOWNGRADE_TLS12);
67 BOTAN_ASSERT_NOMSG(random.size() >= downgrade_signal_length);
68 auto lastbytes = random.data() + random.size() - downgrade_signal_length;
69 store_be(DOWNGRADE_TLS12, lastbytes);
70 }
71
72 return random;
73 }
74
75}
76
77/**
78* Version-agnostic internal server hello data container that allows
79* parsing Server_Hello messages without prior knowledge of the contained
80* protocol version.
81*/
82class Server_Hello_Internal
83 {
84 public:
85 /**
86 * Deserialize a Server Hello message
87 */
88 Server_Hello_Internal(const std::vector<uint8_t>& buf)
89 {
90 if(buf.size() < 38)
91 {
92 throw Decoding_Error("Server_Hello: Packet corrupted");
93 }
94
95 TLS_Data_Reader reader("ServerHello", buf);
96
97 const uint8_t major_version = reader.get_byte();
98 const uint8_t minor_version = reader.get_byte();
99
100 m_legacy_version = Protocol_Version(major_version, minor_version);
101
102 // RFC 8446 4.1.3
103 // Upon receiving a message with type server_hello, implementations MUST
104 // first examine the Random value and, if it matches this value, process
105 // it as described in Section 4.1.4 [Hello Retry Request]).
106 m_random = reader.get_fixed<uint8_t>(32);
107 m_is_hello_retry_request = random_signals_hello_retry_request(m_random);
108
109 m_session_id = Session_ID(reader.get_range<uint8_t>(1, 0, 32));
110 m_ciphersuite = reader.get_uint16_t();
111 m_comp_method = reader.get_byte();
112
113 // Note that this code path might parse a TLS 1.2 (or older) server hello message that
114 // is nevertheless marked as being a 'hello retry request' (potentially maliciously).
115 // Extension parsing will however not be affected by the associated flag.
116 // Only after parsing the extensions will the upstream code be able to decide
117 // whether we're dealing with TLS 1.3 or older.
118 m_extensions.deserialize(reader, Connection_Side::Server,
119 m_is_hello_retry_request
122 }
123
124 Server_Hello_Internal(Protocol_Version lv,
125 Session_ID sid,
126 std::vector<uint8_t> r,
127 const uint16_t cs,
128 const uint8_t cm,
129 bool is_hrr = false)
130 : m_legacy_version(lv)
131 , m_session_id(std::move(sid))
132 , m_random(std::move(r))
133 , m_is_hello_retry_request(is_hrr)
134 , m_ciphersuite(cs)
135 , m_comp_method(cm) {}
136
137 Protocol_Version version() const
138 {
139 // RFC 8446 4.2.1
140 // A server which negotiates a version of TLS prior to TLS 1.3 MUST set
141 // ServerHello.version and MUST NOT send the "supported_versions"
142 // extension. A server which negotiates TLS 1.3 MUST respond by sending
143 // a "supported_versions" extension containing the selected version
144 // value (0x0304).
145 //
146 // Note: Here we just take a message parsing decision, further validation of
147 // the extension's contents is done later.
148 return (extensions().has<Supported_Versions>())
149 ? Protocol_Version::TLS_V13
150 : m_legacy_version;
151 }
152
153 Protocol_Version legacy_version() const { return m_legacy_version; }
154 const Session_ID& session_id() const { return m_session_id; }
155 const std::vector<uint8_t>& random() const { return m_random; }
156 uint16_t ciphersuite() const { return m_ciphersuite; }
157 uint8_t comp_method() const { return m_comp_method; }
158 bool is_hello_retry_request() const { return m_is_hello_retry_request; }
159
160 const Extensions& extensions() const { return m_extensions; }
161 Extensions& extensions() { return m_extensions; }
162
163 private:
164 Protocol_Version m_legacy_version;
165 Session_ID m_session_id;
166 std::vector<uint8_t> m_random;
167 bool m_is_hello_retry_request;
168 uint16_t m_ciphersuite;
169 uint8_t m_comp_method;
170
171 Extensions m_extensions;
172 };
173
174Server_Hello::Server_Hello(std::unique_ptr<Server_Hello_Internal> data)
175 : m_data(std::move(data)) {}
176
177Server_Hello::Server_Hello(Server_Hello&&) noexcept = default;
178Server_Hello& Server_Hello::operator=(Server_Hello&&) noexcept = default;
179
180Server_Hello::~Server_Hello() = default;
181
182/*
183* Serialize a Server Hello message
184*/
185std::vector<uint8_t> Server_Hello::serialize() const
186 {
187 std::vector<uint8_t> buf;
188 buf.reserve(1024); // working around GCC warning
189
190 buf.push_back(m_data->legacy_version().major_version());
191 buf.push_back(m_data->legacy_version().minor_version());
192 buf += m_data->random();
193
194 append_tls_length_value(buf, m_data->session_id().get(), 1);
195
196 buf.push_back(get_byte<0>(m_data->ciphersuite()));
197 buf.push_back(get_byte<1>(m_data->ciphersuite()));
198
199 buf.push_back(m_data->comp_method());
200
201 buf += m_data->extensions().serialize(Connection_Side::Server);
202
203 return buf;
204 }
205
206
208 {
210 }
211
213 {
214 return m_data->legacy_version();
215 }
216
217const std::vector<uint8_t>& Server_Hello::random() const
218 {
219 return m_data->random();
220 }
221
223 {
224 return m_data->comp_method();
225 }
226
228 {
229 return m_data->session_id();
230 }
231
233 {
234 return m_data->ciphersuite();
235 }
236
237std::set<Extension_Code> Server_Hello::extension_types() const
238 {
239 return m_data->extensions().extension_types();
240 }
241
243 {
244 return m_data->extensions();
245 }
246
247// New session case
249 Handshake_Hash& hash,
250 const Policy& policy,
251 Callbacks& cb,
253 const std::vector<uint8_t>& reneg_info,
254 const Client_Hello_12& client_hello,
255 const Server_Hello_12::Settings& server_settings,
256 std::string_view next_protocol) :
257 Server_Hello(std::make_unique<Server_Hello_Internal>(
258 server_settings.protocol_version(),
259 server_settings.session_id(),
260 make_server_hello_random(rng, server_settings.protocol_version(), cb, policy),
261 server_settings.ciphersuite(),
262 uint8_t(0)))
263 {
264 if(client_hello.supports_extended_master_secret())
265 {
266 m_data->extensions().add(new Extended_Master_Secret);
267 }
268
269 // Sending the extension back does not commit us to sending a stapled response
270 if(client_hello.supports_cert_status_message() && policy.support_cert_status_message())
271 {
272 m_data->extensions().add(new Certificate_Status_Request);
273 }
274
275 if(!next_protocol.empty() && client_hello.supports_alpn())
276 {
278 }
279
280 const auto c = Ciphersuite::by_id(m_data->ciphersuite());
281
282 if(c && c->cbc_ciphersuite() && client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
283 {
284 m_data->extensions().add(new Encrypt_then_MAC);
285 }
286
287 if(c && c->ecc_ciphersuite() && client_hello.extension_types().contains(Extension_Code::EcPointFormats))
288 {
289 m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
290 }
291
292 if(client_hello.secure_renegotiation())
293 {
294 m_data->extensions().add(new Renegotiation_Extension(reneg_info));
295 }
296
297 if(client_hello.supports_session_ticket() && server_settings.offer_session_ticket())
298 {
299 m_data->extensions().add(new Session_Ticket_Extension());
300 }
301
302 if(m_data->legacy_version().is_datagram_protocol())
304 const std::vector<uint16_t> server_srtp = policy.srtp_profiles();
305 const std::vector<uint16_t> client_srtp = client_hello.srtp_profiles();
307 if(!server_srtp.empty() && !client_srtp.empty())
308 {
309 uint16_t shared = 0;
310 // always using server preferences for now
311 for(auto s_srtp : server_srtp)
312 for(auto c_srtp : client_srtp)
313 {
314 if(shared == 0 && s_srtp == c_srtp)
315 { shared = s_srtp; }
316 }
317
318 if(shared)
319 {
320 m_data->extensions().add(new SRTP_Protection_Profiles(shared));
321 }
322 }
323 }
324
326
327 hash.update(io.send(*this));
328 }
329
330// Resuming
332 Handshake_Hash& hash,
333 const Policy& policy,
334 Callbacks& cb,
336 const std::vector<uint8_t>& reneg_info,
337 const Client_Hello_12& client_hello,
339 bool offer_session_ticket,
340 std::string_view next_protocol) :
341 Server_Hello(std::make_unique<Server_Hello_Internal>(
342 resumed_session.version(),
343 client_hello.session_id(),
344 make_hello_random(rng, cb, policy),
345 resumed_session.ciphersuite_code(),
346 uint8_t(0)))
347 {
348 if(client_hello.supports_extended_master_secret())
349 {
350 m_data->extensions().add(new Extended_Master_Secret);
351 }
352
353 if(!next_protocol.empty() && client_hello.supports_alpn())
354 {
356 }
357
358 if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
359 {
360 Ciphersuite c = resumed_session.ciphersuite();
361 if(c.cbc_ciphersuite())
362 {
363 m_data->extensions().add(new Encrypt_then_MAC);
364 }
365 }
366
367 if(resumed_session.ciphersuite().ecc_ciphersuite() && client_hello.extension_types().contains(Extension_Code::EcPointFormats))
368 {
369 m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
370 }
371
372 if(client_hello.secure_renegotiation())
373 {
374 m_data->extensions().add(new Renegotiation_Extension(reneg_info));
375 }
376
377 if(client_hello.supports_session_ticket() && offer_session_ticket)
378 {
379 m_data->extensions().add(new Session_Ticket_Extension());
380 }
381
383
384 hash.update(io.send(*this));
385 }
386
387
388Server_Hello_12::Server_Hello_12(const std::vector<uint8_t>& buf)
389 : Server_Hello_12(std::make_unique<Server_Hello_Internal>(buf))
390 {}
391
392Server_Hello_12::Server_Hello_12(std::unique_ptr<Server_Hello_Internal> data)
393 : Server_Hello(std::move(data))
394 {
395 if(!m_data->version().is_pre_tls_13())
396 {
397 throw TLS_Exception(Alert::ProtocolVersion, "Expected server hello of (D)TLS 1.2 or lower");
398 }
399 }
400
402 {
403 return legacy_version();
404 }
405
407 {
408 return m_data->extensions().has<Renegotiation_Extension>();
409 }
410
411std::vector<uint8_t> Server_Hello_12::renegotiation_info() const
412 {
413 if(Renegotiation_Extension* reneg = m_data->extensions().get<Renegotiation_Extension>())
414 { return reneg->renegotiation_info(); }
415 return std::vector<uint8_t>();
416 }
417
419 {
420 return m_data->extensions().has<Extended_Master_Secret>();
421 }
422
424 {
425 return m_data->extensions().has<Encrypt_then_MAC>();
426 }
427
429 {
430 return m_data->extensions().has<Certificate_Status_Request>();
431 }
432
434 {
435 return m_data->extensions().has<Session_Ticket_Extension>();
436 }
437
439 {
440 if(auto srtp = m_data->extensions().get<SRTP_Protection_Profiles>())
441 {
442 auto prof = srtp->profiles();
443 if(prof.size() != 1 || prof[0] == 0)
444 { throw Decoding_Error("Server sent malformed DTLS-SRTP extension"); }
445 return prof[0];
446 }
447
448 return 0;
449 }
450
452 {
453 if(auto alpn = m_data->extensions().get<Application_Layer_Protocol_Notification>())
454 {
455 return alpn->single_protocol();
456 }
457 return "";
458 }
459
461 {
462 if(auto ecc_formats = m_data->extensions().get<Supported_Point_Formats>())
463 {
464 return ecc_formats->prefers_compressed();
465 }
466 return false;
467 }
468
469std::optional<Protocol_Version> Server_Hello_12::random_signals_downgrade() const
470 {
471 const uint64_t last8 = load_be<uint64_t>(m_data->random().data(), 3);
472 if(last8 == DOWNGRADE_TLS11)
473 { return Protocol_Version::TLS_V11; }
474 if(last8 == DOWNGRADE_TLS12)
475 { return Protocol_Version::TLS_V12; }
476
477 return std::nullopt;
478 }
479
480
481/*
482* Create a new Server Hello Done message
483*/
485 Handshake_Hash& hash)
486 {
487 hash.update(io.send(*this));
488 }
489
490/*
491* Deserialize a Server Hello Done message
492*/
493Server_Hello_Done::Server_Hello_Done(const std::vector<uint8_t>& buf)
494 {
495 if(!buf.empty())
496 { throw Decoding_Error("Server_Hello_Done: Must be empty, and is not"); }
497 }
498
499/*
500* Serialize a Server Hello Done message
501*/
502std::vector<uint8_t> Server_Hello_Done::serialize() const
503 {
504 return std::vector<uint8_t>();
505 }
506
507#if defined(BOTAN_HAS_TLS_13)
508
509Server_Hello_13::Server_Hello_Tag Server_Hello_13::as_server_hello;
510Server_Hello_13::Hello_Retry_Request_Tag Server_Hello_13::as_hello_retry_request;
511Server_Hello_13::Hello_Retry_Request_Creation_Tag Server_Hello_13::as_new_hello_retry_request;
512
513std::variant<Hello_Retry_Request, Server_Hello_13> Server_Hello_13::create(const Client_Hello_13& ch,
514 bool hello_retry_request_allowed,
515 Session_Manager& session_mgr,
516 RandomNumberGenerator& rng, const Policy& policy, Callbacks& cb)
517 {
518 const auto& exts = ch.extensions();
519
520 // RFC 8446 4.2.9
521 // [With PSK with (EC)DHE key establishment], the client and server MUST
522 // supply "key_share" values [...].
523 //
524 // Note: We currently do not support PSK without (EC)DHE, hence, we can
525 // assume that those extensions are available.
526 BOTAN_ASSERT_NOMSG(exts.has<Supported_Groups>() && exts.has<Key_Share>());
527 const auto& supported_by_client = exts.get<Supported_Groups>()->groups();
528 const auto& offered_by_client = exts.get<Key_Share>()->offered_groups();
529 const auto selected_group = policy.choose_key_exchange_group(supported_by_client, offered_by_client);
530
531 // RFC 8446 4.1.1
532 // If there is no overlap between the received "supported_groups" and the
533 // groups supported by the server, then the server MUST abort the
534 // handshake with a "handshake_failure" or an "insufficient_security" alert.
535 if(selected_group == Named_Group::NONE)
536 {
537 throw TLS_Exception(Alert::HandshakeFailure, "Client did not offer any acceptable group");
538 }
539
540 if(!value_exists(offered_by_client, selected_group))
541 {
542 // RFC 8446 4.1.4
543 // If a client receives a second HelloRetryRequest in the same
544 // connection (i.e., where the ClientHello was itself in response to a
545 // HelloRetryRequest), it MUST abort the handshake with an
546 // "unexpected_message" alert.
547 BOTAN_STATE_CHECK(hello_retry_request_allowed);
548 return Hello_Retry_Request(ch, selected_group, policy, cb);
549 }
550 else
551 {
552 return Server_Hello_13(ch, selected_group, session_mgr, rng, cb, policy);
553 }
554 }
555
556std::variant<Hello_Retry_Request, Server_Hello_13, Server_Hello_12>
557Server_Hello_13::parse(const std::vector<uint8_t>& buf)
558 {
559 auto data = std::make_unique<Server_Hello_Internal>(buf);
560 const auto version = data->version();
561
562 // server hello that appears to be pre-TLS 1.3, takes precedence over...
563 if(version.is_pre_tls_13())
564 { return Server_Hello_12(std::move(data)); }
565
566 // ... the TLS 1.3 "special case" aka. Hello_Retry_Request
567 if(version == Protocol_Version::TLS_V13)
568 {
569 if(data->is_hello_retry_request())
570 { return Hello_Retry_Request(std::move(data)); }
571
572 return Server_Hello_13(std::move(data));
573 }
574
575 throw TLS_Exception(Alert::ProtocolVersion,
576 "unexpected server hello version: " + version.to_string());
577 }
578
579/**
580 * Validation that applies to both Server Hello and Hello Retry Request
581 */
582void Server_Hello_13::basic_validation() const
583 {
584 BOTAN_ASSERT_NOMSG(m_data->version() == Protocol_Version::TLS_V13);
585
586 // Note: checks that cannot be performed without contextual information
587 // are done in the specific TLS client implementation.
588 // Note: The Supported_Version extension makes sure internally that
589 // exactly one entry is provided.
590
591 // Note: Hello Retry Request basic validation is equivalent with the
592 // basic validations required for Server Hello
593 //
594 // RFC 8446 4.1.4
595 // Upon receipt of a HelloRetryRequest, the client MUST check the
596 // legacy_version, [...], and legacy_compression_method as specified in
597 // Section 4.1.3 and then process the extensions, starting with determining
598 // the version using "supported_versions".
599
600 // RFC 8446 4.1.3
601 // In TLS 1.3, [...] the legacy_version field MUST be set to 0x0303
602 if(legacy_version() != Protocol_Version::TLS_V12)
603 {
604 throw TLS_Exception(Alert::ProtocolVersion,
605 "legacy_version '" + legacy_version().to_string() + "' is not allowed");
606 }
607
608 // RFC 8446 4.1.3
609 // legacy_compression_method: A single byte which MUST have the value 0.
610 if(compression_method() != 0x00)
611 {
612 throw TLS_Exception(Alert::DecodeError, "compression is not supported in TLS 1.3");
613 }
614
615 // RFC 8446 4.1.3
616 // All TLS 1.3 ServerHello messages MUST contain the "supported_versions" extension.
617 if(!extensions().has<Supported_Versions>())
618 {
619 throw TLS_Exception(Alert::MissingExtension,
620 "server hello did not contain 'supported version' extension");
621 }
622
623 // RFC 8446 4.2.1
624 // A server which negotiates TLS 1.3 MUST respond by sending
625 // a "supported_versions" extension containing the selected version
626 // value (0x0304).
627 if(selected_version() != Protocol_Version::TLS_V13)
628 {
629 throw TLS_Exception(Alert::IllegalParameter, "TLS 1.3 Server Hello selected a different version");
630 }
631 }
632
633Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data,
634 Server_Hello_13::Server_Hello_Tag)
635 : Server_Hello(std::move(data))
636 {
637 BOTAN_ASSERT_NOMSG(!m_data->is_hello_retry_request());
638 basic_validation();
639
640 const auto& exts = extensions();
641
642 // RFC 8446 4.1.3
643 // The ServerHello MUST only include extensions which are required to
644 // establish the cryptographic context and negotiate the protocol version.
645 // [...]
646 // Other extensions (see Section 4.2) are sent separately in the
647 // EncryptedExtensions message.
648 //
649 // Note that further validation dependent on the client hello is done in the
650 // TLS client implementation.
651 const std::set<Extension_Code> allowed =
652 {
653 Extension_Code::KeyShare,
655 Extension_Code::PresharedKey,
656 };
657
658 // As the ServerHello shall only contain essential extensions, we don't give
659 // any slack for extensions not implemented by Botan here.
660 if(exts.contains_other_than(allowed))
661 {
662 throw TLS_Exception(Alert::UnsupportedExtension,
663 "Server Hello contained an extension that is not allowed");
664 }
665
666 // RFC 8446 4.1.3
667 // Current ServerHello messages additionally contain
668 // either the "pre_shared_key" extension or the "key_share"
669 // extension, or both [...].
670 if(!exts.has<Key_Share>() && !exts.has<PSK_Key_Exchange_Modes>())
671 {
672 throw TLS_Exception(Alert::MissingExtension,
673 "server hello must contain key exchange information");
674 }
675 }
676
677Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data, Server_Hello_13::Hello_Retry_Request_Tag)
678 : Server_Hello(std::move(data))
679 {
680 BOTAN_ASSERT_NOMSG(m_data->is_hello_retry_request());
681 basic_validation();
682
683 const auto& exts = extensions();
684
685 // RFC 8446 4.1.4
686 // The HelloRetryRequest extensions defined in this specification are:
687 // - supported_versions (see Section 4.2.1)
688 // - cookie (see Section 4.2.2)
689 // - key_share (see Section 4.2.8)
690 const std::set<Extension_Code> allowed =
691 {
692 Extension_Code::Cookie,
694 Extension_Code::KeyShare,
695 };
696
697 // As the Hello Retry Request shall only contain essential extensions, we
698 // don't give any slack for extensions not implemented by Botan here.
699 if(exts.contains_other_than(allowed))
700 {
701 throw TLS_Exception(Alert::UnsupportedExtension,
702 "Hello Retry Request contained an extension that is not allowed");
703 }
704
705 // RFC 8446 4.1.4
706 // Clients MUST abort the handshake with an "illegal_parameter" alert if
707 // the HelloRetryRequest would not result in any change in the ClientHello.
708 if(!exts.has<Key_Share>() && !exts.has<Cookie>())
709 {
710 throw TLS_Exception(Alert::IllegalParameter,
711 "Hello Retry Request does not request any changes to Client Hello");
712 }
713 }
714
715Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data, Hello_Retry_Request_Creation_Tag)
716 : Server_Hello(std::move(data)) {}
717
718namespace {
719
720uint16_t choose_ciphersuite(const Client_Hello_13& ch, const Policy& policy)
721 {
722 auto pref_list = ch.ciphersuites();
723 // TODO: DTLS might need to make this version dynamic
724 auto other_list = policy.ciphersuite_list(Protocol_Version::TLS_V13);
725
726 if(policy.server_uses_own_ciphersuite_preferences())
727 {
728 std::swap(pref_list, other_list);
729 }
730
731 for(auto suite_id : pref_list)
732 {
733 // TODO: take potentially available PSKs into account to select a
734 // compatible ciphersuite.
735 //
736 // Assuming the client sent one or more PSKs, we would first need to find
737 // the hash functions they are associated to. For session tickets, that
738 // would mean decrypting the ticket and comparing the cipher suite used in
739 // those tickets. For (currently not yet supported) pre-assigned PSKs, the
740 // hash function needs to be specified along with them.
741 //
742 // Then we could refine the ciphersuite selection using the required hash
743 // function for the PSK(s) we are wishing to use down the road.
744 //
745 // For now, we just negotiate the cipher suite blindly and hope for the
746 // best. As long as PSKs are used for session resumption only, this has a
747 // high chance of success. Previous handshakes with this client have very
748 // likely selected the same ciphersuite anyway.
749 //
750 // See also RFC 8446 4.2.11
751 // When session resumption is the primary use case of PSKs, the most
752 // straightforward way to implement the PSK/cipher suite matching
753 // requirements is to negotiate the cipher suite first [...].
754 if(value_exists(other_list, suite_id))
755 { return suite_id; }
756 }
757
758 // RFC 8446 4.1.1
759 // If the server is unable to negotiate a supported set of parameters
760 // [...], it MUST abort the handshake with either a "handshake_failure"
761 // or "insufficient_security" fatal alert [...].
762 throw TLS_Exception(Alert::HandshakeFailure,
763 "Can't agree on a ciphersuite with client");
764 }
765}
766
767Server_Hello_13::Server_Hello_13(const Client_Hello_13& ch,
768 std::optional<Named_Group> key_exchange_group,
769 Session_Manager& session_mgr,
770 RandomNumberGenerator& rng,
771 Callbacks& cb,
772 const Policy& policy)
773 : Server_Hello(std::make_unique<Server_Hello_Internal>(
774 Protocol_Version::TLS_V12,
775 ch.session_id(),
776 make_server_hello_random(rng, Protocol_Version::TLS_V13, cb, policy),
777 choose_ciphersuite(ch, policy),
778 uint8_t(0) /* compression method */
779 ))
780 {
781 // RFC 8446 4.2.1
782 // A server which negotiates TLS 1.3 MUST respond by sending a
783 // "supported_versions" extension containing the selected version
784 // value (0x0304). It MUST set the ServerHello.legacy_version field to
785 // 0x0303 (TLS 1.2).
786 //
787 // Note that the legacy version (TLS 1.2) is set in this constructor's
788 // initializer list, accordingly.
789 m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13));
790
791 if(key_exchange_group.has_value())
792 { m_data->extensions().add(new Key_Share(key_exchange_group.value(), cb, rng)); }
793
794 auto& ch_exts = ch.extensions();
795
796 if(ch_exts.has<PSK>())
797 {
798 const auto cs = Ciphersuite::by_id(m_data->ciphersuite());
800
801 // RFC 8446 4.2.9
802 // A client MUST provide a "psk_key_exchange_modes" extension if it
803 // offers a "pre_shared_key" extension.
804 //
805 // Note: Client_Hello_13 constructor already performed a graceful check.
806 const auto psk_modes = ch_exts.get<PSK_Key_Exchange_Modes>();
807 BOTAN_ASSERT_NONNULL(psk_modes);
808
809 // TODO: also support PSK_Key_Exchange_Mode::PSK_KE
810 // (PSK-based handshake without an additional ephemeral key exchange)
811 if(value_exists(psk_modes->modes(), PSK_Key_Exchange_Mode::PSK_DHE_KE))
812 {
813 if(auto server_psk = ch_exts.get<PSK>()->select_offered_psk(cs.value(), session_mgr, cb, policy))
814 {
815 // RFC 8446 4.2.11
816 // In order to accept PSK key establishment, the server sends a
817 // "pre_shared_key" extension indicating the selected identity.
818 m_data->extensions().add(std::move(server_psk));
819 }
820 }
821 }
822
823 cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Server, type());
824 }
825
826std::optional<Protocol_Version> Server_Hello_13::random_signals_downgrade() const
827 {
828 const uint64_t last8 = load_be<uint64_t>(m_data->random().data(), 3);
829 if(last8 == DOWNGRADE_TLS11)
830 { return Protocol_Version::TLS_V11; }
831 if(last8 == DOWNGRADE_TLS12)
832 { return Protocol_Version::TLS_V12; }
833
834 return std::nullopt;
835 }
836
837Protocol_Version Server_Hello_13::selected_version() const
838 {
839 const auto versions_ext = m_data->extensions().get<Supported_Versions>();
840 BOTAN_ASSERT_NOMSG(versions_ext);
841 const auto& versions = versions_ext->versions();
842 BOTAN_ASSERT_NOMSG(versions.size() == 1);
843 return versions.front();
844 }
845
846Hello_Retry_Request::Hello_Retry_Request(std::unique_ptr<Server_Hello_Internal> data)
847 : Server_Hello_13(std::move(data), Server_Hello_13::as_hello_retry_request) {}
848
849Hello_Retry_Request::Hello_Retry_Request(const Client_Hello_13& ch, Named_Group selected_group, const Policy& policy, Callbacks& cb)
850 : Server_Hello_13(std::make_unique<Server_Hello_Internal>(
851 Protocol_Version::TLS_V12 /* legacy_version */,
852 ch.session_id(),
853 HELLO_RETRY_REQUEST_MARKER,
854 choose_ciphersuite(ch, policy),
855 uint8_t(0) /* compression method */,
856 true /* is Hello Retry Request */
857 ), as_new_hello_retry_request)
858 {
859 // RFC 8446 4.1.4
860 // As with the ServerHello, a HelloRetryRequest MUST NOT contain any
861 // extensions that were not first offered by the client in its
862 // ClientHello, with the exception of optionally the "cookie" [...]
863 // extension.
864 BOTAN_STATE_CHECK(ch.extensions().has<Supported_Groups>());
865 BOTAN_STATE_CHECK(ch.extensions().has<Key_Share>());
866
867 BOTAN_STATE_CHECK(!value_exists(ch.extensions().get<Key_Share>()->offered_groups(), selected_group));
868
869 // RFC 8446 4.1.4
870 // The server's extensions MUST contain "supported_versions".
871 //
872 // RFC 8446 4.2.1
873 // A server which negotiates TLS 1.3 MUST respond by sending a
874 // "supported_versions" extension containing the selected version
875 // value (0x0304). It MUST set the ServerHello.legacy_version field to
876 // 0x0303 (TLS 1.2).
877 //
878 // Note that the legacy version (TLS 1.2) is set in this constructor's
879 // initializer list, accordingly.
880 m_data->extensions().add(new Supported_Versions(Protocol_Version::TLS_V13));
881
882 m_data->extensions().add(new Key_Share(selected_group));
883
884 cb.tls_modify_extensions(m_data->extensions(), Connection_Side::Server, type());
885 }
886
887#endif // BOTAN_HAS_TLS_13
888
889}
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:67
#define BOTAN_STATE_CHECK(expr)
Definition: assert.h:48
#define BOTAN_UNUSED(...)
Definition: assert.h:141
#define BOTAN_ASSERT_NONNULL(ptr)
Definition: assert.h:106
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
static std::optional< Ciphersuite > by_id(uint16_t suite)
bool supports_extended_master_secret() const
std::set< Extension_Code > extension_types() const
std::vector< uint16_t > srtp_profiles() const
void update(const uint8_t in[], size_t length)
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:372
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:396
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:374
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:126
std::optional< Protocol_Version > random_signals_downgrade() const
bool supports_extended_master_secret() const
Protocol_Version selected_version() const override
bool supports_certificate_status_message() const
std::string next_protocol() const
std::vector< uint8_t > renegotiation_info() const
Server_Hello_12(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello_12 &client_hello, const Settings &settings, std::string_view next_protocol)
Protocol_Version legacy_version() const
Handshake_Type type() const override
Definition: tls_messages.h:905
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
Server_Hello(const Server_Hello &)=delete
std::set< Extension_Code > extension_types() const
Handshake_Type type() const override
const Session_ID & session_id() const
const std::vector< uint8_t > & random() const
uint8_t compression_method() const
std::unique_ptr< Server_Hello_Internal > m_data
Definition: tls_messages.h:309
const Extensions & extensions() const
Protocol_Version legacy_version() const
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:214
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Group_Params Named_Group
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
Definition: tls_session.h:34
constexpr uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:228
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
Definition: mem_ops.h:82
constexpr void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:449
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition: stl_util.h:104
std::string to_string(ErrorType type)
Convert an ErrorType to string.
Definition: exceptn.cpp:12
Definition: bigint.h:1092
std::optional< Session > resumed_session