12#include <botan/tls_messages.h>
14#include <botan/tls_extensions.h>
15#include <botan/tls_exceptn.h>
16#include <botan/tls_callbacks.h>
17#include <botan/tls_session_manager.h>
18#include <botan/internal/tls_reader.h>
19#include <botan/mem_ops.h>
20#include <botan/internal/tls_session_key.h>
21#include <botan/internal/tls_handshake_io.h>
22#include <botan/internal/tls_handshake_hash.h>
23#include <botan/internal/stl_util.h>
31const uint64_t DOWNGRADE_TLS11 = 0x444F574E47524400;
32const uint64_t DOWNGRADE_TLS12 = 0x444F574E47524401;
35const std::vector<uint8_t> HELLO_RETRY_REQUEST_MARKER =
37 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, 0xBE, 0x1D, 0x8C, 0x02,
38 0x1E, 0x65, 0xB8, 0x91, 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E,
39 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C
42bool random_signals_hello_retry_request(
const std::vector<uint8_t>& random)
44 return constant_time_compare(random.data(), HELLO_RETRY_REQUEST_MARKER.data(), HELLO_RETRY_REQUEST_MARKER.size());
48make_server_hello_random(RandomNumberGenerator& rng,
49 Protocol_Version offered_version,
64 if(offered_version.is_pre_tls_13() && policy.allow_tls13())
66 constexpr size_t downgrade_signal_length =
sizeof(DOWNGRADE_TLS12);
68 auto lastbytes = random.data() + random.size() - downgrade_signal_length;
69 store_be(DOWNGRADE_TLS12, lastbytes);
82class Server_Hello_Internal
88 Server_Hello_Internal(
const std::vector<uint8_t>& buf)
92 throw Decoding_Error(
"Server_Hello: Packet corrupted");
95 TLS_Data_Reader reader(
"ServerHello", buf);
97 const uint8_t major_version = reader.get_byte();
98 const uint8_t minor_version = reader.get_byte();
100 m_legacy_version = Protocol_Version(major_version, minor_version);
106 m_random = reader.get_fixed<uint8_t>(32);
107 m_is_hello_retry_request = random_signals_hello_retry_request(m_random);
109 m_session_id =
Session_ID(reader.get_range<uint8_t>(1, 0, 32));
110 m_ciphersuite = reader.get_uint16_t();
111 m_comp_method = reader.get_byte();
119 m_is_hello_retry_request
124 Server_Hello_Internal(Protocol_Version lv,
126 std::vector<uint8_t> r,
130 : m_legacy_version(lv)
131 , m_session_id(
std::move(sid))
132 , m_random(
std::move(r))
133 , m_is_hello_retry_request(is_hrr)
135 , m_comp_method(cm) {}
137 Protocol_Version version()
const
148 return (extensions().has<Supported_Versions>())
149 ? Protocol_Version::TLS_V13
153 Protocol_Version legacy_version()
const {
return m_legacy_version; }
154 const Session_ID& session_id()
const {
return m_session_id; }
155 const std::vector<uint8_t>& random()
const {
return m_random; }
156 uint16_t ciphersuite()
const {
return m_ciphersuite; }
157 uint8_t comp_method()
const {
return m_comp_method; }
158 bool is_hello_retry_request()
const {
return m_is_hello_retry_request; }
160 const Extensions& extensions()
const {
return m_extensions; }
161 Extensions& extensions() {
return m_extensions; }
164 Protocol_Version m_legacy_version;
166 std::vector<uint8_t> m_random;
167 bool m_is_hello_retry_request;
168 uint16_t m_ciphersuite;
169 uint8_t m_comp_method;
171 Extensions m_extensions;
175 : m_data(
std::move(data)) {}
187 std::vector<uint8_t> buf;
190 buf.push_back(m_data->legacy_version().major_version());
191 buf.push_back(m_data->legacy_version().minor_version());
196 buf.push_back(get_byte<0>(m_data->ciphersuite()));
197 buf.push_back(get_byte<1>(m_data->ciphersuite()));
199 buf.push_back(m_data->comp_method());
214 return m_data->legacy_version();
224 return m_data->comp_method();
229 return m_data->session_id();
234 return m_data->ciphersuite();
239 return m_data->extensions().extension_types();
244 return m_data->extensions();
253 const std::vector<uint8_t>& reneg_info,
256 std::string_view next_protocol) :
258 server_settings.protocol_version(),
259 server_settings.session_id(),
260 make_server_hello_random(rng, server_settings.protocol_version(), cb, policy),
261 server_settings.ciphersuite(),
302 if(
m_data->legacy_version().is_datagram_protocol())
307 if(!server_srtp.empty() && !client_srtp.empty())
311 for(
auto s_srtp : server_srtp)
312 for(
auto c_srtp : client_srtp)
314 if(shared == 0 && s_srtp == c_srtp)
336 const std::vector<uint8_t>& reneg_info,
339 bool offer_session_ticket,
340 std::string_view next_protocol) :
343 client_hello.session_id(),
395 if(!
m_data->version().is_pre_tls_13())
397 throw TLS_Exception(Alert::ProtocolVersion,
"Expected server hello of (D)TLS 1.2 or lower");
414 {
return reneg->renegotiation_info(); }
415 return std::vector<uint8_t>();
442 auto prof = srtp->profiles();
443 if(prof.size() != 1 || prof[0] == 0)
444 {
throw Decoding_Error(
"Server sent malformed DTLS-SRTP extension"); }
455 return alpn->single_protocol();
464 return ecc_formats->prefers_compressed();
472 if(last8 == DOWNGRADE_TLS11)
473 {
return Protocol_Version::TLS_V11; }
474 if(last8 == DOWNGRADE_TLS12)
475 {
return Protocol_Version::TLS_V12; }
496 {
throw Decoding_Error(
"Server_Hello_Done: Must be empty, and is not"); }
502std::vector<uint8_t> Server_Hello_Done::serialize()
const
504 return std::vector<uint8_t>();
507#if defined(BOTAN_HAS_TLS_13)
509Server_Hello_13::Server_Hello_Tag Server_Hello_13::as_server_hello;
510Server_Hello_13::Hello_Retry_Request_Tag Server_Hello_13::as_hello_retry_request;
511Server_Hello_13::Hello_Retry_Request_Creation_Tag Server_Hello_13::as_new_hello_retry_request;
513std::variant<Hello_Retry_Request, Server_Hello_13> Server_Hello_13::create(
const Client_Hello_13& ch,
514 bool hello_retry_request_allowed,
515 Session_Manager& session_mgr,
518 const auto& exts = ch.extensions();
527 const auto& supported_by_client = exts.get<Supported_Groups>()->groups();
528 const auto& offered_by_client = exts.get<Key_Share>()->offered_groups();
529 const auto selected_group = policy.choose_key_exchange_group(supported_by_client, offered_by_client);
537 throw TLS_Exception(Alert::HandshakeFailure,
"Client did not offer any acceptable group");
548 return Hello_Retry_Request(ch, selected_group, policy, cb);
552 return Server_Hello_13(ch, selected_group, session_mgr, rng, cb, policy);
556std::variant<Hello_Retry_Request, Server_Hello_13, Server_Hello_12>
557Server_Hello_13::parse(
const std::vector<uint8_t>& buf)
559 auto data = std::make_unique<Server_Hello_Internal>(buf);
560 const auto version = data->version();
563 if(version.is_pre_tls_13())
564 {
return Server_Hello_12(std::move(data)); }
567 if(version == Protocol_Version::TLS_V13)
569 if(data->is_hello_retry_request())
570 {
return Hello_Retry_Request(std::move(data)); }
572 return Server_Hello_13(std::move(data));
575 throw TLS_Exception(Alert::ProtocolVersion,
576 "unexpected server hello version: " + version.to_string());
582void Server_Hello_13::basic_validation()
const
602 if(legacy_version() != Protocol_Version::TLS_V12)
604 throw TLS_Exception(Alert::ProtocolVersion,
605 "legacy_version '" + legacy_version().
to_string() +
"' is not allowed");
610 if(compression_method() != 0x00)
612 throw TLS_Exception(Alert::DecodeError,
"compression is not supported in TLS 1.3");
617 if(!extensions().has<Supported_Versions>())
619 throw TLS_Exception(Alert::MissingExtension,
620 "server hello did not contain 'supported version' extension");
627 if(selected_version() != Protocol_Version::TLS_V13)
629 throw TLS_Exception(Alert::IllegalParameter,
"TLS 1.3 Server Hello selected a different version");
633Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data,
634 Server_Hello_13::Server_Hello_Tag)
635 : Server_Hello(
std::move(data))
640 const auto& exts = extensions();
651 const std::set<Extension_Code> allowed =
653 Extension_Code::KeyShare,
655 Extension_Code::PresharedKey,
660 if(exts.contains_other_than(allowed))
662 throw TLS_Exception(Alert::UnsupportedExtension,
663 "Server Hello contained an extension that is not allowed");
670 if(!exts.has<Key_Share>() && !exts.has<PSK_Key_Exchange_Modes>())
672 throw TLS_Exception(Alert::MissingExtension,
673 "server hello must contain key exchange information");
677Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data, Server_Hello_13::Hello_Retry_Request_Tag)
678 : Server_Hello(
std::move(data))
683 const auto& exts = extensions();
690 const std::set<Extension_Code> allowed =
692 Extension_Code::Cookie,
694 Extension_Code::KeyShare,
699 if(exts.contains_other_than(allowed))
701 throw TLS_Exception(Alert::UnsupportedExtension,
702 "Hello Retry Request contained an extension that is not allowed");
708 if(!exts.has<Key_Share>() && !exts.has<Cookie>())
710 throw TLS_Exception(Alert::IllegalParameter,
711 "Hello Retry Request does not request any changes to Client Hello");
715Server_Hello_13::Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data, Hello_Retry_Request_Creation_Tag)
716 : Server_Hello(
std::move(data)) {}
720uint16_t choose_ciphersuite(
const Client_Hello_13& ch,
const Policy& policy)
722 auto pref_list = ch.ciphersuites();
724 auto other_list = policy.ciphersuite_list(Protocol_Version::TLS_V13);
726 if(policy.server_uses_own_ciphersuite_preferences())
728 std::swap(pref_list, other_list);
731 for(
auto suite_id : pref_list)
762 throw TLS_Exception(Alert::HandshakeFailure,
763 "Can't agree on a ciphersuite with client");
767Server_Hello_13::Server_Hello_13(
const Client_Hello_13& ch,
768 std::optional<Named_Group> key_exchange_group,
769 Session_Manager& session_mgr,
770 RandomNumberGenerator& rng,
772 const Policy& policy)
773 : Server_Hello(
std::make_unique<Server_Hello_Internal>(
776 make_server_hello_random(rng, Protocol_Version::
TLS_V13, cb, policy),
777 choose_ciphersuite(ch, policy),
789 m_data->extensions().add(
new Supported_Versions(Protocol_Version::TLS_V13));
791 if(key_exchange_group.has_value())
792 { m_data->extensions().add(
new Key_Share(key_exchange_group.value(), cb, rng)); }
794 auto& ch_exts = ch.extensions();
796 if(ch_exts.has<
PSK>())
806 const auto psk_modes = ch_exts.get<PSK_Key_Exchange_Modes>();
811 if(
value_exists(psk_modes->modes(), PSK_Key_Exchange_Mode::PSK_DHE_KE))
813 if(
auto server_psk = ch_exts.get<
PSK>()->select_offered_psk(cs.value(), session_mgr, cb, policy))
818 m_data->extensions().add(std::move(server_psk));
826std::optional<Protocol_Version> Server_Hello_13::random_signals_downgrade()
const
829 if(last8 == DOWNGRADE_TLS11)
830 {
return Protocol_Version::TLS_V11; }
831 if(last8 == DOWNGRADE_TLS12)
832 {
return Protocol_Version::TLS_V12; }
837Protocol_Version Server_Hello_13::selected_version()
const
839 const auto versions_ext = m_data->extensions().get<Supported_Versions>();
841 const auto& versions = versions_ext->versions();
843 return versions.front();
846Hello_Retry_Request::Hello_Retry_Request(std::unique_ptr<Server_Hello_Internal> data)
847 : Server_Hello_13(
std::move(data), Server_Hello_13::as_hello_retry_request) {}
849Hello_Retry_Request::Hello_Retry_Request(
const Client_Hello_13& ch,
Named_Group selected_group,
const Policy& policy, Callbacks& cb)
850 : Server_Hello_13(
std::make_unique<Server_Hello_Internal>(
853 HELLO_RETRY_REQUEST_MARKER,
854 choose_ciphersuite(ch, policy),
857 ), as_new_hello_retry_request)
880 m_data->extensions().add(
new Supported_Versions(Protocol_Version::TLS_V13));
882 m_data->extensions().add(
new Key_Share(selected_group));
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_UNUSED(...)
#define BOTAN_ASSERT_NONNULL(ptr)
virtual void tls_modify_extensions(Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
bool cbc_ciphersuite() const
static std::optional< Ciphersuite > by_id(uint16_t suite)
bool supports_encrypt_then_mac() const
bool supports_cert_status_message() const
bool secure_renegotiation() const
bool supports_extended_master_secret() const
bool supports_session_ticket() const
bool supports_alpn() const
std::set< Extension_Code > extension_types() const
std::vector< uint16_t > srtp_profiles() const
void update(const uint8_t in[], size_t length)
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0
virtual bool negotiate_encrypt_then_mac() const
virtual std::vector< uint16_t > srtp_profiles() const
virtual bool support_cert_status_message() const
virtual bool use_ecc_point_compression() const
bool offer_session_ticket() const
std::optional< Protocol_Version > random_signals_downgrade() const
bool supports_session_ticket() const
bool supports_extended_master_secret() const
bool prefers_compressed_ec_points() const
Protocol_Version selected_version() const override
uint16_t srtp_profile() const
bool supports_encrypt_then_mac() const
bool supports_certificate_status_message() const
std::string next_protocol() const
std::vector< uint8_t > renegotiation_info() const
bool secure_renegotiation() const
Server_Hello_12(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello_12 &client_hello, const Settings &settings, std::string_view next_protocol)
Protocol_Version legacy_version() const
Handshake_Type type() const override
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
Server_Hello(const Server_Hello &)=delete
uint16_t ciphersuite() const
std::set< Extension_Code > extension_types() const
Handshake_Type type() const override
const Session_ID & session_id() const
const std::vector< uint8_t > & random() const
uint8_t compression_method() const
std::unique_ptr< Server_Hello_Internal > m_data
const Extensions & extensions() const
Protocol_Version legacy_version() const
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
constexpr uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
bool constant_time_compare(const uint8_t x[], const uint8_t y[], size_t len)
constexpr void store_be(uint16_t in, uint8_t out[2])
bool value_exists(const std::vector< T > &vec, const OT &val)
std::string to_string(ErrorType type)
Convert an ErrorType to string.
std::optional< Session > resumed_session