12#include <botan/tls_messages.h>
14#include <botan/mem_ops.h>
15#include <botan/tls_callbacks.h>
16#include <botan/tls_exceptn.h>
17#include <botan/tls_extensions.h>
18#include <botan/tls_session_manager.h>
19#include <botan/internal/ct_utils.h>
20#include <botan/internal/stl_util.h>
21#include <botan/internal/tls_handshake_hash.h>
22#include <botan/internal/tls_handshake_io.h>
23#include <botan/internal/tls_reader.h>
24#include <botan/internal/tls_session_key.h>
31const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
32const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
35const std::array<uint8_t, 32> HELLO_RETRY_REQUEST_MARKER = {
36 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91,
37 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C};
39bool random_signals_hello_retry_request(
const std::vector<uint8_t>& random) {
40 return CT::is_equal(random.data(), HELLO_RETRY_REQUEST_MARKER.data(), HELLO_RETRY_REQUEST_MARKER.size()).as_bool();
43std::vector<uint8_t> make_server_hello_random(RandomNumberGenerator& rng,
58 if(offered_version.is_pre_tls_13() && policy.allow_tls13()) {
59 constexpr size_t downgrade_signal_length =
sizeof(DOWNGRADE_TLS12);
61 auto* lastbytes = random.data() + random.size() - downgrade_signal_length;
62 store_be(DOWNGRADE_TLS12, lastbytes);
75class Server_Hello_Internal {
80 explicit Server_Hello_Internal(
const std::vector<uint8_t>& buf) {
82 throw Decoding_Error(
"Server_Hello: Packet corrupted");
85 TLS_Data_Reader reader(
"ServerHello", buf);
87 const uint8_t major_version = reader.get_byte();
88 const uint8_t minor_version = reader.get_byte();
90 m_legacy_version = Protocol_Version(major_version, minor_version);
96 m_random = reader.get_fixed<uint8_t>(32);
97 m_is_hello_retry_request = random_signals_hello_retry_request(m_random);
99 m_session_id =
Session_ID(reader.get_range<uint8_t>(1, 0, 32));
100 m_ciphersuite = reader.get_uint16_t();
101 m_comp_method = reader.get_byte();
108 m_extensions.deserialize(
114 Server_Hello_Internal(Protocol_Version lv,
116 std::vector<uint8_t> r,
119 bool is_hrr =
false) :
120 m_legacy_version(lv),
121 m_session_id(std::move(sid)),
122 m_random(std::move(r)),
123 m_is_hello_retry_request(is_hrr),
127 Protocol_Version version()
const {
137 return (extensions().has<Supported_Versions>()) ? Protocol_Version::TLS_V13 : m_legacy_version;
140 Protocol_Version legacy_version()
const {
return m_legacy_version; }
142 const Session_ID& session_id()
const {
return m_session_id; }
144 const std::vector<uint8_t>& random()
const {
return m_random; }
146 uint16_t ciphersuite()
const {
return m_ciphersuite; }
148 uint8_t comp_method()
const {
return m_comp_method; }
150 bool is_hello_retry_request()
const {
return m_is_hello_retry_request; }
152 const Extensions& extensions()
const {
return m_extensions; }
154 Extensions& extensions() {
return m_extensions; }
157 Protocol_Version m_legacy_version;
159 std::vector<uint8_t> m_random;
160 bool m_is_hello_retry_request;
161 uint16_t m_ciphersuite;
162 uint8_t m_comp_method;
164 Extensions m_extensions;
178 std::vector<uint8_t> buf;
181 buf.push_back(
m_data->legacy_version().major_version());
182 buf.push_back(
m_data->legacy_version().minor_version());
190 buf.push_back(
m_data->comp_method());
202 return m_data->legacy_version();
210 return m_data->comp_method();
214 return m_data->session_id();
218 return m_data->ciphersuite();
222 return m_data->extensions().extension_types();
226 return m_data->extensions();
235 const std::vector<uint8_t>& reneg_info,
240 server_settings.protocol_version(),
242 make_server_hello_random(rng, server_settings.protocol_version(), cb, policy),
247 m_data->extensions().add(new Extended_Master_Secret);
252 m_data->extensions().add(new Certificate_Status_Request);
256 m_data->extensions().add(new Application_Layer_Protocol_Notification(next_protocol));
262 m_data->extensions().add(new Encrypt_then_MAC);
266 m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
270 m_data->extensions().add(new Renegotiation_Extension(reneg_info));
274 m_data->extensions().add(new Session_Ticket_Extension());
277 if(
m_data->legacy_version().is_datagram_protocol()) {
278 const std::vector<uint16_t> server_srtp = policy.srtp_profiles();
279 const std::vector<uint16_t> client_srtp = client_hello.srtp_profiles();
281 if(!server_srtp.empty() && !client_srtp.empty()) {
284 for(auto s_srtp : server_srtp) {
285 for(auto c_srtp : client_srtp) {
286 if(shared == 0 && s_srtp == c_srtp) {
293 m_data->extensions().add(new SRTP_Protection_Profiles(shared));
301 hash.update(io.send(*
this));
310 const std::vector<uint8_t>& reneg_info,
312 const Session& resumed_session,
313 bool offer_session_ticket,
315 Server_Hello(std::make_unique<Server_Hello_Internal>(resumed_session.version(),
318 resumed_session.ciphersuite_code(),
322 m_data->extensions().add(new Extended_Master_Secret);
326 m_data->extensions().add(new Application_Layer_Protocol_Notification(next_protocol));
330 Ciphersuite c = resumed_session.ciphersuite();
331 if(c.cbc_ciphersuite()) {
332 m_data->extensions().add(new Encrypt_then_MAC);
336 if(resumed_session.ciphersuite().ecc_ciphersuite() &&
338 m_data->extensions().add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
341 if(client_hello.secure_renegotiation()) {
342 m_data->extensions().add(new Renegotiation_Extension(reneg_info));
345 if(client_hello.supports_session_ticket() && offer_session_ticket) {
346 m_data->extensions().add(new Session_Ticket_Extension());
352 hash.update(io.send(*
this));
359 if(!
m_data->version().is_pre_tls_13()) {
360 throw TLS_Exception(Alert::ProtocolVersion,
"Expected server hello of (D)TLS 1.2 or lower");
374 return reneg->renegotiation_info();
376 return std::vector<uint8_t>();
397 auto prof = srtp->profiles();
398 if(prof.size() != 1 || prof[0] == 0) {
399 throw Decoding_Error(
"Server sent malformed DTLS-SRTP extension");
409 return alpn->single_protocol();
416 return ecc_formats->prefers_compressed();
423 if(last8 == DOWNGRADE_TLS11) {
424 return Protocol_Version::TLS_V11;
426 if(last8 == DOWNGRADE_TLS12) {
427 return Protocol_Version::TLS_V12;
445 throw Decoding_Error(
"Server_Hello_Done: Must be empty, and is not");
453 return std::vector<uint8_t>();
456#if defined(BOTAN_HAS_TLS_13)
463 bool hello_retry_request_allowed,
479 const auto& offered_by_client = exts.get<
Key_Share>()->offered_groups();
486 if(selected_group == Named_Group::NONE) {
487 throw TLS_Exception(Alert::HandshakeFailure,
"Client did not offer any acceptable group");
493 if(!
value_exists(supported_by_client, selected_group)) {
494 throw TLS_Exception(Alert::InternalError,
"Application selected a group that is not supported by the client");
514 return Server_Hello_13(ch, selected_group, session_mgr, credentials_mgr, rng, cb, policy);
519 const std::vector<uint8_t>& buf) {
520 auto data = std::make_unique<Server_Hello_Internal>(buf);
521 const auto version = data->version();
524 if(version.is_pre_tls_13()) {
529 if(version == Protocol_Version::TLS_V13) {
530 if(data->is_hello_retry_request()) {
537 throw TLS_Exception(Alert::ProtocolVersion,
"unexpected server hello version: " + version.to_string());
570 throw TLS_Exception(Alert::DecodeError,
"compression is not supported in TLS 1.3");
576 throw TLS_Exception(Alert::MissingExtension,
"server hello did not contain 'supported version' extension");
584 throw TLS_Exception(Alert::IllegalParameter,
"TLS 1.3 Server Hello selected a different version");
589 Server_Hello_13::Server_Hello_Tag ) :
605 const std::set<Extension_Code> allowed = {
613 if(exts.contains_other_than(allowed)) {
614 throw TLS_Exception(Alert::UnsupportedExtension,
"Server Hello contained an extension that is not allowed");
622 throw TLS_Exception(Alert::MissingExtension,
"server hello must contain key exchange information");
627 Server_Hello_13::Hello_Retry_Request_Tag ) :
639 const std::set<Extension_Code> allowed = {
647 if(exts.contains_other_than(allowed)) {
649 "Hello Retry Request contained an extension that is not allowed");
656 throw TLS_Exception(Alert::IllegalParameter,
"Hello Retry Request does not request any changes to Client Hello");
661 Hello_Retry_Request_Creation_Tag ) :
672 std::swap(pref_list, other_list);
675 for(
auto suite_id : pref_list) {
706 throw TLS_Exception(Alert::HandshakeFailure,
"Can't agree on a ciphersuite with client");
711 std::optional<Named_Group> key_exchange_group,
721 choose_ciphersuite(ch, policy),
734 if(key_exchange_group.has_value()) {
735 BOTAN_ASSERT_NOMSG(ch.extensions().has<Key_Share>());
736 m_data->extensions().add(Key_Share::create_as_encapsulation(
737 key_exchange_group.value(), *ch.extensions().get<Key_Share>(), policy, cb, rng));
742 if(ch_exts.has<
PSK>()) {
743 const auto cs = Ciphersuite::by_id(m_data->ciphersuite());
744 BOTAN_ASSERT_NOMSG(cs);
751 auto* const psk_modes = ch_exts.get<PSK_Key_Exchange_Modes>();
752 BOTAN_ASSERT_NONNULL(psk_modes);
756 if(value_exists(psk_modes->modes(), PSK_Key_Exchange_Mode::PSK_DHE_KE)) {
757 if(auto server_psk = ch_exts.get<PSK>()->select_offered_psk(
758 ch.sni_hostname(), cs.value(), session_mgr, credentials_mgr, cb, policy)) {
762 m_data->extensions().add(std::move(server_psk));
772 if(last8 == DOWNGRADE_TLS11) {
773 return Protocol_Version::TLS_V11;
775 if(last8 == DOWNGRADE_TLS12) {
776 return Protocol_Version::TLS_V12;
785 const auto& versions = versions_ext->versions();
787 return versions.front();
800 std::vector<uint8_t>(HELLO_RETRY_REQUEST_MARKER.begin(), HELLO_RETRY_REQUEST_MARKER.end()),
801 choose_ciphersuite(ch, policy),
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
static std::optional< Ciphersuite > by_id(uint16_t suite)
bool supports_encrypt_then_mac() const
bool supports_cert_status_message() const
bool secure_renegotiation() const
bool supports_extended_master_secret() const
bool supports_session_ticket() const
const Extensions & extensions() const
bool supports_alpn() const
const std::vector< uint16_t > & ciphersuites() const
std::set< Extension_Code > extension_types() const
void update(const uint8_t in[], size_t length)
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
virtual std::vector< uint8_t > serialize() const =0
friend class Server_Hello_13
Hello_Retry_Request(std::unique_ptr< Server_Hello_Internal > data)
Handshake_Type type() const override
std::vector< Named_Group > offered_groups() const
virtual std::vector< uint16_t > ciphersuite_list(Protocol_Version version) const
virtual bool negotiate_encrypt_then_mac() const
virtual bool server_uses_own_ciphersuite_preferences() const
virtual bool support_cert_status_message() const
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &supported_by_peer, const std::vector< Group_Params > &offered_by_peer) const
bool offer_session_ticket() const
std::optional< Protocol_Version > random_signals_downgrade() const
bool supports_session_ticket() const
bool supports_extended_master_secret() const
bool prefers_compressed_ec_points() const
Protocol_Version selected_version() const override
uint16_t srtp_profile() const
bool supports_encrypt_then_mac() const
bool supports_certificate_status_message() const
std::string next_protocol() const
std::vector< uint8_t > renegotiation_info() const
bool secure_renegotiation() const
Server_Hello_12(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello_12 &client_hello, const Settings &settings, std::string_view next_protocol)
Protocol_Version legacy_version() const
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Tag as_hello_retry_request
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Creation_Tag as_new_hello_retry_request
Server_Hello_13(std::unique_ptr< Server_Hello_Internal > data, Server_Hello_Tag tag=as_server_hello)
std::optional< Protocol_Version > random_signals_downgrade() const
void basic_validation() const
static std::variant< Hello_Retry_Request, Server_Hello_13 > create(const Client_Hello_13 &ch, bool hello_retry_request_allowed, Session_Manager &session_mgr, Credentials_Manager &credentials_mgr, RandomNumberGenerator &rng, const Policy &policy, Callbacks &cb)
Protocol_Version selected_version() const final
static std::variant< Hello_Retry_Request, Server_Hello_13, Server_Hello_12 > parse(const std::vector< uint8_t > &buf)
static const struct Botan::TLS::Server_Hello_13::Server_Hello_Tag as_server_hello
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
Server_Hello(const Server_Hello &)=delete
uint16_t ciphersuite() const
std::vector< uint8_t > serialize() const override
std::set< Extension_Code > extension_types() const
Handshake_Type type() const override
const Session_ID & session_id() const
const std::vector< uint8_t > & random() const
uint8_t compression_method() const
std::unique_ptr< Server_Hello_Internal > m_data
const Extensions & extensions() const
Protocol_Version legacy_version() const
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
constexpr uint8_t get_byte(T input)
bool value_exists(const std::vector< T > &vec, const OT &val)
std::string to_string(ErrorType type)
Convert an ErrorType to string.
constexpr auto store_be(ParamTs &&... params)
constexpr auto load_be(ParamTs &&... params)