Botan  2.12.1
Crypto and TLS for C++11
msg_server_hello.cpp
Go to the documentation of this file.
1 /*
2 * TLS Server Hello and Server Hello Done
3 * (C) 2004-2011,2015,2016,2019 Jack Lloyd
4 * 2016 Matthias Gierlings
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_messages.h>
11 #include <botan/tls_extensions.h>
12 #include <botan/tls_callbacks.h>
13 #include <botan/internal/tls_reader.h>
14 #include <botan/internal/tls_session_key.h>
15 #include <botan/internal/tls_handshake_io.h>
16 #include <botan/internal/tls_handshake_hash.h>
17 #include <botan/internal/stl_util.h>
18 
19 namespace Botan {
20 
21 namespace TLS {
22 
23 namespace {
24 
25 const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
26 //const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
27 
28 std::vector<uint8_t>
29 make_server_hello_random(RandomNumberGenerator& rng,
30  Protocol_Version offered_version,
31  const Policy& policy)
32  {
33  auto random = make_hello_random(rng, policy);
34 
35  if((offered_version == Protocol_Version::TLS_V10 ||
36  offered_version == Protocol_Version::TLS_V11) &&
37  policy.allow_tls12())
38  {
39  store_be(DOWNGRADE_TLS11, &random[24]);
40  }
41 
42  if(offered_version == Protocol_Version::DTLS_V10 && policy.allow_dtls12())
43  {
44  store_be(DOWNGRADE_TLS11, &random[24]);
45  }
46 
47  return random;
48  }
49 
50 }
51 
52 // New session case
55  const Policy& policy,
56  Callbacks& cb,
58  const std::vector<uint8_t>& reneg_info,
59  const Client_Hello& client_hello,
60  const Server_Hello::Settings& server_settings,
61  const std::string next_protocol) :
62  m_version(server_settings.protocol_version()),
63  m_session_id(server_settings.session_id()),
64  m_random(make_server_hello_random(rng, m_version, policy)),
65  m_ciphersuite(server_settings.ciphersuite()),
66  m_comp_method(0)
67  {
68  if(client_hello.supports_extended_master_secret())
69  m_extensions.add(new Extended_Master_Secret);
70 
71  // Sending the extension back does not commit us to sending a stapled response
72  if(client_hello.supports_cert_status_message() && policy.support_cert_status_message())
73  m_extensions.add(new Certificate_Status_Request);
74 
75  Ciphersuite c = Ciphersuite::by_id(m_ciphersuite);
76 
77  if(c.cbc_ciphersuite() && client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
78  {
79  m_extensions.add(new Encrypt_then_MAC);
80  }
81 
82  if(c.ecc_ciphersuite() && client_hello.extension_types().count(TLSEXT_EC_POINT_FORMATS))
83  {
84  m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
85  }
86 
87  if(client_hello.secure_renegotiation())
88  m_extensions.add(new Renegotiation_Extension(reneg_info));
89 
90  if(client_hello.supports_session_ticket() && server_settings.offer_session_ticket())
91  m_extensions.add(new Session_Ticket());
92 
93  if(!next_protocol.empty() && client_hello.supports_alpn())
95 
96  if(m_version.is_datagram_protocol())
97  {
98  const std::vector<uint16_t> server_srtp = policy.srtp_profiles();
99  const std::vector<uint16_t> client_srtp = client_hello.srtp_profiles();
100 
101  if(!server_srtp.empty() && !client_srtp.empty())
102  {
103  uint16_t shared = 0;
104  // always using server preferences for now
105  for(auto s_srtp : server_srtp)
106  for(auto c_srtp : client_srtp)
107  {
108  if(shared == 0 && s_srtp == c_srtp)
109  shared = s_srtp;
110  }
111 
112  if(shared)
113  m_extensions.add(new SRTP_Protection_Profiles(shared));
114  }
115  }
116 
117  cb.tls_modify_extensions(m_extensions, SERVER);
118 
119  hash.update(io.send(*this));
120  }
121 
122 // Resuming
125  const Policy& policy,
126  Callbacks& cb,
128  const std::vector<uint8_t>& reneg_info,
129  const Client_Hello& client_hello,
131  bool offer_session_ticket,
132  const std::string& next_protocol) :
133  m_version(resumed_session.version()),
134  m_session_id(client_hello.session_id()),
135  m_random(make_hello_random(rng, policy)),
136  m_ciphersuite(resumed_session.ciphersuite_code()),
137  m_comp_method(0)
138  {
139  if(client_hello.supports_extended_master_secret())
140  m_extensions.add(new Extended_Master_Secret);
141 
142  if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
143  {
144  Ciphersuite c = resumed_session.ciphersuite();
145  if(c.cbc_ciphersuite())
146  m_extensions.add(new Encrypt_then_MAC);
147  }
148 
149  if(resumed_session.ciphersuite().ecc_ciphersuite() && client_hello.extension_types().count(TLSEXT_EC_POINT_FORMATS))
150  {
151  m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
152  }
153 
154  if(client_hello.secure_renegotiation())
155  m_extensions.add(new Renegotiation_Extension(reneg_info));
156 
157  if(client_hello.supports_session_ticket() && offer_session_ticket)
158  m_extensions.add(new Session_Ticket());
159 
160  if(!next_protocol.empty() && client_hello.supports_alpn())
162 
163  cb.tls_modify_extensions(m_extensions, SERVER);
164 
165  hash.update(io.send(*this));
166  }
167 
168 /*
169 * Deserialize a Server Hello message
170 */
171 Server_Hello::Server_Hello(const std::vector<uint8_t>& buf)
172  {
173  if(buf.size() < 38)
174  throw Decoding_Error("Server_Hello: Packet corrupted");
175 
176  TLS_Data_Reader reader("ServerHello", buf);
177 
178  const uint8_t major_version = reader.get_byte();
179  const uint8_t minor_version = reader.get_byte();
180 
181  m_version = Protocol_Version(major_version, minor_version);
182 
183  m_random = reader.get_fixed<uint8_t>(32);
184 
185  m_session_id = reader.get_range<uint8_t>(1, 0, 32);
186 
187  m_ciphersuite = reader.get_uint16_t();
188 
189  m_comp_method = reader.get_byte();
190 
191  m_extensions.deserialize(reader, Connection_Side::SERVER);
192  }
193 
194 /*
195 * Serialize a Server Hello message
196 */
197 std::vector<uint8_t> Server_Hello::serialize() const
198  {
199  std::vector<uint8_t> buf;
200 
201  buf.push_back(m_version.major_version());
202  buf.push_back(m_version.minor_version());
203  buf += m_random;
204 
205  append_tls_length_value(buf, m_session_id, 1);
206 
207  buf.push_back(get_byte(0, m_ciphersuite));
208  buf.push_back(get_byte(1, m_ciphersuite));
209 
210  buf.push_back(m_comp_method);
211 
212  buf += m_extensions.serialize(Connection_Side::SERVER);
213 
214  return buf;
215  }
216 
218  {
219  const uint64_t last8 = load_be<uint64_t>(m_random.data(), 3);
220  return (last8 == DOWNGRADE_TLS11);
221  }
222 
223 /*
224 * Create a new Server Hello Done message
225 */
228  {
229  hash.update(io.send(*this));
230  }
231 
232 /*
233 * Deserialize a Server Hello Done message
234 */
235 Server_Hello_Done::Server_Hello_Done(const std::vector<uint8_t>& buf)
236  {
237  if(buf.size())
238  throw Decoding_Error("Server_Hello_Done: Must be empty, and is not");
239  }
240 
241 /*
242 * Serialize a Server Hello Done message
243 */
244 std::vector<uint8_t> Server_Hello_Done::serialize() const
245  {
246  return std::vector<uint8_t>();
247  }
248 
249 }
250 
251 }
std::string next_protocol() const
Definition: tls_messages.h:279
std::vector< T > get_fixed(size_t size)
Definition: tls_reader.h:126
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:438
uint8_t minor_version() const
Definition: tls_version.h:84
bool supports_encrypt_then_mac() const
std::set< Handshake_Extension_Type > extension_types() const
Definition: tls_messages.h:153
std::vector< uint8_t > serialize(Connection_Side whoami) const
void add(Extension *extn)
virtual bool negotiate_encrypt_then_mac() const
Definition: tls_policy.cpp:332
std::unique_ptr< Session > resumed_session
Definition: tls_client.cpp:55
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
virtual std::vector< uint16_t > srtp_profiles() const
Definition: tls_policy.cpp:353
virtual bool use_ecc_point_compression() const
Definition: tls_policy.cpp:127
void deserialize(TLS_Data_Reader &reader, Connection_Side from)
uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:217
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition: tls_reader.h:94
Server_Hello(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello &client_hello, const Server_Hello::Settings &settings, const std::string next_protocol)
Definition: alg_id.cpp:13
virtual bool support_cert_status_message() const
Definition: tls_policy.cpp:333
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side)
static Ciphersuite by_id(uint16_t suite)
bool supports_cert_status_message() const
uint8_t major_version() const
Definition: tls_version.h:79
std::vector< uint16_t > srtp_profiles() const
bool supports_extended_master_secret() const
MechanismType hash
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:185