doxygen/msg__server__hello_8cpp_source.html

/*

* TLS Server Hello and Server Hello Done

* (C) 2004-2011,2015,2016,2019 Jack Lloyd

*     2016 Matthias Gierlings

*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity

*     2021 Elektrobit Automotive GmbH

*     2022 René Meusel, Hannes Rantzsch - neXenio GmbH

*     2026 René Meusel - Rohde & Schwarz Cybersecurity GmbH

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/tls_messages.h>

#include <botan/internal/tls_messages_internal.h>


#include <botan/tls_alert.h>

#include <botan/tls_exceptn.h>

#include <botan/tls_policy.h>

#include <botan/internal/ct_utils.h>

#include <botan/internal/tls_reader.h>


namespace Botan::TLS {


std::vector<uint8_t> make_server_hello_random(RandomNumberGenerator& rng,

                                              Protocol_Version offered_version,

                                              Callbacks& cb,

                                              const Policy& policy) {

   auto random = make_hello_random(rng, cb, policy);


   // RFC 8446 4.1.3

   //    TLS 1.3 has a downgrade protection mechanism embedded in the server's

   //    random value. TLS 1.3 servers which negotiate TLS 1.2 or below in

   //    response to a ClientHello MUST set the last 8 bytes of their Random

   //    value specially in their ServerHello.

   //

   //    If negotiating TLS 1.2, TLS 1.3 servers MUST set the last 8 bytes of

   //    their Random value to the bytes: [DOWNGRADE_TLS12]

   if(offered_version.is_pre_tls_13() && policy.allow_tls13()) {

      constexpr size_t downgrade_signal_length = sizeof(DOWNGRADE_TLS12);

      BOTAN_ASSERT_NOMSG(random.size() >= downgrade_signal_length);

      const auto lastbytes = std::span{random}.last(downgrade_signal_length);

      store_be(DOWNGRADE_TLS12, lastbytes);

   }


   return random;

}


Server_Hello_Internal::Server_Hello_Internal(const std::vector<uint8_t>& buf) {

   if(buf.size() < 38) {

      throw Decoding_Error("Server_Hello: Packet corrupted");

   }


   TLS_Data_Reader reader("ServerHello", buf);


   const uint8_t major_version = reader.get_byte();

   const uint8_t minor_version = reader.get_byte();


   m_legacy_version = Protocol_Version(major_version, minor_version);


   // RFC 8446 4.1.3

   //    Upon receiving a message with type server_hello, implementations MUST

   //    first examine the Random value and, if it matches this value, process

   //    it as described in Section 4.1.4 [Hello Retry Request]).

   m_random = reader.get_fixed<uint8_t>(32);

   m_is_hello_retry_request = CT::is_equal<uint8_t>(m_random, HELLO_RETRY_REQUEST_MARKER).as_bool();


   m_session_id = Session_ID(reader.get_range<uint8_t>(1, 0, 32));

   m_ciphersuite = reader.get_uint16_t();

   m_comp_method = reader.get_byte();


   // Note that this code path might parse a TLS 1.2 (or older) server hello message that

   // is nevertheless marked as being a 'hello retry request' (potentially maliciously).

   // Extension parsing will however not be affected by the associated flag.

   // Only after parsing the extensions will the upstream code be able to decide

   // whether we're dealing with TLS 1.3 or older.

   m_extensions.deserialize(reader,

                            Connection_Side::Server,

                            m_is_hello_retry_request ? Handshake_Type::HelloRetryRequest : Handshake_Type::ServerHello);

}


Protocol_Version Server_Hello_Internal::version() const {

   // RFC 8446 4.2.1

   //    A server which negotiates a version of TLS prior to TLS 1.3 MUST set

   //    ServerHello.version and MUST NOT send the "supported_versions"

   //    extension.  A server which negotiates TLS 1.3 MUST respond by sending

   //    a "supported_versions" extension containing the selected version

   //    value (0x0304).

   //

   // Note: Here we just take a message parsing decision, further validation of

   //       the extension's contents is done later.

   return (extensions().has<Supported_Versions>()) ? Protocol_Version::TLS_V13 : m_legacy_version;

}


Server_Hello::Server_Hello(std::unique_ptr<Server_Hello_Internal> data) : m_data(std::move(data)) {}


Server_Hello::Server_Hello(Server_Hello&&) noexcept = default;

Server_Hello& Server_Hello::operator=(Server_Hello&&) noexcept = default;


Server_Hello::~Server_Hello() = default;


/*

* Serialize a Server Hello message

*/


std::vector<uint8_t> Server_Hello::serialize() const {

   std::vector<uint8_t> buf;

   buf.reserve(1024);  // working around GCC warning


   buf.push_back(m_data->legacy_version().major_version());

   buf.push_back(m_data->legacy_version().minor_version());

   buf += m_data->random();


   append_tls_length_value(buf, m_data->session_id().get(), 1);


   buf.push_back(get_byte<0>(m_data->ciphersuite()));

   buf.push_back(get_byte<1>(m_data->ciphersuite()));


   buf.push_back(m_data->comp_method());


   buf += m_data->extensions().serialize(Connection_Side::Server);


   return buf;

}


Handshake_Type Server_Hello::type() const {

   return Handshake_Type::ServerHello;

}


Protocol_Version Server_Hello::legacy_version() const {

   return m_data->legacy_version();

}


const std::vector<uint8_t>& Server_Hello::random() const {

   return m_data->random();

}


uint8_t Server_Hello::compression_method() const {

   return m_data->comp_method();

}


const Session_ID& Server_Hello::session_id() const {

   return m_data->session_id();

}


uint16_t Server_Hello::ciphersuite() const {

   return m_data->ciphersuite();

}


std::set<Extension_Code> Server_Hello::extension_types() const {

   return m_data->extensions().extension_types();

}


const Extensions& Server_Hello::extensions() const {

   return m_data->extensions();

}


Server_Hello_12_Shim::Server_Hello_12_Shim(const std::vector<uint8_t>& buf) :

      Server_Hello_12_Shim(std::make_unique<Server_Hello_Internal>(buf)) {}


Server_Hello_12_Shim::Server_Hello_12_Shim(std::unique_ptr<Server_Hello_Internal> data) :

      Server_Hello(std::move(data)) {

   if(!m_data->version().is_pre_tls_13()) {

      throw TLS_Exception(Alert::ProtocolVersion, "Expected server hello of (D)TLS 1.2 or lower");

   }

}


Protocol_Version Server_Hello_12_Shim::selected_version() const {

   return legacy_version();

}


std::optional<Protocol_Version> Server_Hello_12_Shim::random_signals_downgrade() const {

   const uint64_t last8 = load_be<uint64_t>(m_data->random().data(), 3);

   if(last8 == DOWNGRADE_TLS11) {

      return Protocol_Version::TLS_V11;

   }

   if(last8 == DOWNGRADE_TLS12) {

      return Protocol_Version::TLS_V12;

   }


   return std::nullopt;

}


}  // namespace Botan::TLS

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75

Botan::Decoding_Error
Definition exceptn.h:192

Botan::RandomNumberGenerator
Definition rng.h:39

Botan::TLS::Callbacks
Definition tls_callbacks.h:57

Botan::TLS::Extensions
Definition tls_extensions.h:460

Botan::TLS::Policy
Definition tls_policy.h:33

Botan::TLS::Policy::allow_tls13
virtual bool allow_tls13() const
Definition tls_policy.cpp:386

Botan::TLS::Protocol_Version
Definition tls_version.h:34

Botan::TLS::Protocol_Version::is_pre_tls_13
bool is_pre_tls_13() const
Definition tls_version.cpp:58

Botan::TLS::Server_Hello_12_Shim::Server_Hello_12_Shim
Server_Hello_12_Shim(const std::vector< uint8_t > &buf)
Definition msg_server_hello.cpp:156

Botan::TLS::Server_Hello_12_Shim::selected_version
Protocol_Version selected_version() const final
Definition msg_server_hello.cpp:166

Botan::TLS::Server_Hello_12_Shim::random_signals_downgrade
std::optional< Protocol_Version > random_signals_downgrade() const
Definition msg_server_hello.cpp:170

Botan::TLS::Server_Hello_Internal
Definition tls_messages_internal.h:110

Botan::TLS::Server_Hello_Internal::Server_Hello_Internal
Server_Hello_Internal(const std::vector< uint8_t > &buf)
Definition msg_server_hello.cpp:48

Botan::TLS::Server_Hello_Internal::extensions
const Extensions & extensions() const
Definition tls_messages_internal.h:144

Botan::TLS::Server_Hello_Internal::version
Protocol_Version version() const
Definition msg_server_hello.cpp:81

Botan::TLS::Server_Hello
Definition tls_messages.h:172

Botan::TLS::Server_Hello::Server_Hello
Server_Hello(const Server_Hello &)=delete

Botan::TLS::Server_Hello::ciphersuite
uint16_t ciphersuite() const
Definition msg_server_hello.cpp:144

Botan::TLS::Server_Hello::serialize
std::vector< uint8_t > serialize() const override
Definition msg_server_hello.cpp:104

Botan::TLS::Server_Hello::extension_types
std::set< Extension_Code > extension_types() const
Definition msg_server_hello.cpp:148

Botan::TLS::Server_Hello::type
Handshake_Type type() const override
Definition msg_server_hello.cpp:124

Botan::TLS::Server_Hello::session_id
const Session_ID & session_id() const
Definition msg_server_hello.cpp:140

Botan::TLS::Server_Hello::random
const std::vector< uint8_t > & random() const
Definition msg_server_hello.cpp:132

Botan::TLS::Server_Hello::compression_method
uint8_t compression_method() const
Definition msg_server_hello.cpp:136

Botan::TLS::Server_Hello::m_data
std::unique_ptr< Server_Hello_Internal > m_data
Definition tls_messages.h:202

Botan::TLS::Server_Hello::extensions
const Extensions & extensions() const
Definition msg_server_hello.cpp:152

Botan::TLS::Server_Hello::legacy_version
Protocol_Version legacy_version() const
Definition msg_server_hello.cpp:128

Botan::TLS::TLS_Data_Reader
Definition tls_reader.h:24

Botan::TLS::TLS_Data_Reader::get_byte
uint8_t get_byte()
Definition tls_reader.h:83

Botan::TLS::TLS_Data_Reader::get_range
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition tls_reader.h:110

Botan::TLS::TLS_Data_Reader::get_fixed
std::vector< T > get_fixed(size_t size)
Definition tls_reader.h:129

Botan::TLS::TLS_Data_Reader::get_uint16_t
uint16_t get_uint16_t()
Definition tls_reader.h:71

Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:798

Botan::TLS
Definition asio_context.cpp:18

Botan::TLS::DOWNGRADE_TLS12
constexpr uint64_t DOWNGRADE_TLS12
Definition tls_magic.h:118

Botan::TLS::append_tls_length_value
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:177

Botan::TLS::make_hello_random
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Definition msg_client_hello.cpp:25

Botan::TLS::Connection_Side::Server
@ Server
Definition tls_magic.h:46

Botan::TLS::Handshake_Type
Handshake_Type
Definition tls_magic.h:63

Botan::TLS::Handshake_Type::HelloRetryRequest
@ HelloRetryRequest
Definition tls_magic.h:86

Botan::TLS::Handshake_Type::ServerHello
@ ServerHello
Definition tls_magic.h:66

Botan::TLS::Session_ID
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
Definition tls_session_id.h:22

Botan::TLS::make_server_hello_random
std::vector< uint8_t > make_server_hello_random(RandomNumberGenerator &rng, Protocol_Version offered_version, Callbacks &cb, const Policy &policy)
Definition msg_server_hello.cpp:24

Botan::TLS::DOWNGRADE_TLS11
constexpr uint64_t DOWNGRADE_TLS11
Definition tls_magic.h:107

Botan::TLS::HELLO_RETRY_REQUEST_MARKER
constexpr std::array< uint8_t, 32 > HELLO_RETRY_REQUEST_MARKER
Definition tls_magic.h:126

Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79

Botan::store_be
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745

Botan::load_be
constexpr auto load_be(ParamTs &&... params)
Definition loadstor.h:504