Botan 2.19.1
Crypto and TLS for C&
msg_server_hello.cpp
Go to the documentation of this file.
1/*
2* TLS Server Hello and Server Hello Done
3* (C) 2004-2011,2015,2016,2019 Jack Lloyd
4* 2016 Matthias Gierlings
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/tls_messages.h>
11#include <botan/tls_extensions.h>
12#include <botan/tls_callbacks.h>
13#include <botan/internal/tls_reader.h>
14#include <botan/internal/tls_session_key.h>
15#include <botan/internal/tls_handshake_io.h>
16#include <botan/internal/tls_handshake_hash.h>
17#include <botan/internal/stl_util.h>
18
19namespace Botan {
20
21namespace TLS {
22
23namespace {
24
25const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
26//const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
27
28std::vector<uint8_t>
29make_server_hello_random(RandomNumberGenerator& rng,
30 Protocol_Version offered_version,
31 const Policy& policy)
32 {
33 auto random = make_hello_random(rng, policy);
34
35 if((offered_version == Protocol_Version::TLS_V10 ||
36 offered_version == Protocol_Version::TLS_V11) &&
37 policy.allow_tls12())
38 {
39 store_be(DOWNGRADE_TLS11, &random[24]);
40 }
41
42 if(offered_version == Protocol_Version::DTLS_V10 && policy.allow_dtls12())
43 {
44 store_be(DOWNGRADE_TLS11, &random[24]);
45 }
46
47 return random;
48 }
49
50}
51
52// New session case
55 const Policy& policy,
56 Callbacks& cb,
58 const std::vector<uint8_t>& reneg_info,
59 const Client_Hello& client_hello,
60 const Server_Hello::Settings& server_settings,
61 const std::string next_protocol) :
62 m_version(server_settings.protocol_version()),
63 m_session_id(server_settings.session_id()),
64 m_random(make_server_hello_random(rng, m_version, policy)),
65 m_ciphersuite(server_settings.ciphersuite()),
66 m_comp_method(0)
67 {
68 if(client_hello.supports_extended_master_secret())
69 m_extensions.add(new Extended_Master_Secret);
70
71 // Sending the extension back does not commit us to sending a stapled response
73 m_extensions.add(new Certificate_Status_Request);
74
75 Ciphersuite c = Ciphersuite::by_id(m_ciphersuite);
76
77 if(c.cbc_ciphersuite() && client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
78 {
79 m_extensions.add(new Encrypt_then_MAC);
80 }
81
82 if(c.ecc_ciphersuite() && client_hello.extension_types().count(TLSEXT_EC_POINT_FORMATS))
83 {
84 m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
85 }
86
87 if(client_hello.secure_renegotiation())
88 m_extensions.add(new Renegotiation_Extension(reneg_info));
89
90 if(client_hello.supports_session_ticket() && server_settings.offer_session_ticket())
91 m_extensions.add(new Session_Ticket());
92
93 if(!next_protocol.empty() && client_hello.supports_alpn())
95
96 if(m_version.is_datagram_protocol())
97 {
98 const std::vector<uint16_t> server_srtp = policy.srtp_profiles();
99 const std::vector<uint16_t> client_srtp = client_hello.srtp_profiles();
100
101 if(!server_srtp.empty() && !client_srtp.empty())
102 {
103 uint16_t shared = 0;
104 // always using server preferences for now
105 for(auto s_srtp : server_srtp)
106 for(auto c_srtp : client_srtp)
107 {
108 if(shared == 0 && s_srtp == c_srtp)
109 shared = s_srtp;
110 }
111
112 if(shared)
113 m_extensions.add(new SRTP_Protection_Profiles(shared));
114 }
115 }
116
117 cb.tls_modify_extensions(m_extensions, SERVER);
118
119 hash.update(io.send(*this));
120 }
121
122// Resuming
125 const Policy& policy,
126 Callbacks& cb,
128 const std::vector<uint8_t>& reneg_info,
129 const Client_Hello& client_hello,
131 bool offer_session_ticket,
132 const std::string& next_protocol) :
133 m_version(resumed_session.version()),
134 m_session_id(client_hello.session_id()),
135 m_random(make_hello_random(rng, policy)),
136 m_ciphersuite(resumed_session.ciphersuite_code()),
137 m_comp_method(0)
138 {
139 if(client_hello.supports_extended_master_secret())
140 m_extensions.add(new Extended_Master_Secret);
141
142 if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
143 {
144 Ciphersuite c = resumed_session.ciphersuite();
145 if(c.cbc_ciphersuite())
146 m_extensions.add(new Encrypt_then_MAC);
147 }
148
149 if(resumed_session.ciphersuite().ecc_ciphersuite() && client_hello.extension_types().count(TLSEXT_EC_POINT_FORMATS))
150 {
151 m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
152 }
153
154 if(client_hello.secure_renegotiation())
155 m_extensions.add(new Renegotiation_Extension(reneg_info));
156
157 if(client_hello.supports_session_ticket() && offer_session_ticket)
158 m_extensions.add(new Session_Ticket());
159
160 if(!next_protocol.empty() && client_hello.supports_alpn())
162
163 cb.tls_modify_extensions(m_extensions, SERVER);
164
165 hash.update(io.send(*this));
166 }
167
168/*
169* Deserialize a Server Hello message
170*/
171Server_Hello::Server_Hello(const std::vector<uint8_t>& buf)
172 {
173 if(buf.size() < 38)
174 throw Decoding_Error("Server_Hello: Packet corrupted");
175
176 TLS_Data_Reader reader("ServerHello", buf);
177
178 const uint8_t major_version = reader.get_byte();
179 const uint8_t minor_version = reader.get_byte();
180
181 m_version = Protocol_Version(major_version, minor_version);
182
183 m_random = reader.get_fixed<uint8_t>(32);
184
185 m_session_id = reader.get_range<uint8_t>(1, 0, 32);
186
187 m_ciphersuite = reader.get_uint16_t();
188
189 m_comp_method = reader.get_byte();
190
191 m_extensions.deserialize(reader, Connection_Side::SERVER);
192 }
193
194/*
195* Serialize a Server Hello message
196*/
197std::vector<uint8_t> Server_Hello::serialize() const
198 {
199 std::vector<uint8_t> buf;
200
201 buf.push_back(m_version.major_version());
202 buf.push_back(m_version.minor_version());
203 buf += m_random;
204
205 append_tls_length_value(buf, m_session_id, 1);
206
207 buf.push_back(get_byte(0, m_ciphersuite));
208 buf.push_back(get_byte(1, m_ciphersuite));
209
210 buf.push_back(m_comp_method);
211
212 buf += m_extensions.serialize(Connection_Side::SERVER);
213
214 return buf;
215 }
216
218 {
219 const uint64_t last8 = load_be<uint64_t>(m_random.data(), 3);
220 return (last8 == DOWNGRADE_TLS11);
221 }
222
223/*
224* Create a new Server Hello Done message
225*/
228 {
229 hash.update(io.send(*this));
230 }
231
232/*
233* Deserialize a Server Hello Done message
234*/
235Server_Hello_Done::Server_Hello_Done(const std::vector<uint8_t>& buf)
236 {
237 if(buf.size())
238 throw Decoding_Error("Server_Hello_Done: Must be empty, and is not");
239 }
240
241/*
242* Serialize a Server Hello Done message
243*/
244std::vector<uint8_t> Server_Hello_Done::serialize() const
245 {
246 return std::vector<uint8_t>();
247 }
248
249}
250
251}
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side)
static Ciphersuite by_id(uint16_t suite)
bool supports_cert_status_message() const
bool supports_extended_master_secret() const
std::set< Handshake_Extension_Type > extension_types() const
Definition: tls_messages.h:153
bool supports_encrypt_then_mac() const
std::vector< uint16_t > srtp_profiles() const
void add(Extension *extn)
std::vector< uint8_t > serialize(Connection_Side whoami) const
void deserialize(TLS_Data_Reader &reader, Connection_Side from)
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:343
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:364
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:344
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:127
uint8_t major_version() const
Definition: tls_version.h:79
uint8_t minor_version() const
Definition: tls_version.h:84
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
std::string next_protocol() const
Definition: tls_messages.h:279
Server_Hello(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello &client_hello, const Server_Hello::Settings &settings, const std::string next_protocol)
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition: tls_reader.h:94
std::vector< T > get_fixed(size_t size)
Definition: tls_reader.h:126
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:185
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
@ TLSEXT_EC_POINT_FORMATS
Definition: alg_id.cpp:13
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:438
uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:217
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
MechanismType hash
std::unique_ptr< Session > resumed_session
Definition: tls_client.cpp:55