Botan 3.5.0
Crypto and TLS for C&
Botan::TLS Namespace Reference

Namespaces

namespace  Internal
 

Classes

class  Alert
 
class  Application_Layer_Protocol_Notification
 
class  BSI_TR_02102_2
 
class  Callbacks
 
class  Certificate_12
 
class  Certificate_13
 
class  Certificate_Authorities
 
class  Certificate_Request_12
 
class  Certificate_Request_13
 
class  Certificate_Status
 
class  Certificate_Status_Request
 
class  Certificate_Type_Base
 
class  Certificate_Verify
 
class  Certificate_Verify_12
 
class  Certificate_Verify_13
 
class  Change_Cipher_Spec
 
class  Channel
 
class  Channel_Impl
 
class  Channel_Impl_12
 
class  Channel_Impl_13
 
class  Cipher_State
 
class  Ciphersuite
 
class  Client
 
class  Client_Certificate_Type
 
class  Client_Hello
 
class  Client_Hello_12
 
class  Client_Hello_13
 
class  Client_Impl_12
 
class  Client_Impl_13
 
class  Client_Key_Exchange
 
class  Connection_Cipher_State
 
class  Connection_Sequence_Numbers
 
class  Cookie
 
class  Datagram_Handshake_IO
 
class  Datagram_Policy
 
class  Datagram_Sequence_Numbers
 
class  EarlyDataIndication
 
class  Encrypt_then_MAC
 
class  Encrypted_Extensions
 
class  Extended_Master_Secret
 
class  Extension
 
class  Extensions
 
class  ExternalPSK
 
class  Finished
 
class  Finished_12
 
class  Finished_13
 
class  Group_Params
 
class  Handshake_Hash
 
class  Handshake_IO
 
class  Handshake_Layer
 
class  Handshake_Message
 
class  Handshake_State
 
class  Handshake_State_13
 
class  Handshake_Transitions
 
class  Hello_Request
 
class  Hello_Retry_Request
 
class  Hello_Verify_Request
 
class  Hybrid_KEM_PrivateKey
 
class  Hybrid_KEM_PublicKey
 
class  KEX_to_KEM_Adapter_PrivateKey
 
class  KEX_to_KEM_Adapter_PublicKey
 
class  Key_Share
 
class  Key_Update
 
class  New_Session_Ticket_12
 
class  New_Session_Ticket_13
 
class  NSA_Suite_B_128
 
class  NSA_Suite_B_192
 
class  Policy
 
class  Protocol_Version
 
class  PSK
 
class  PSK_Key_Exchange_Modes
 
class  PskIdentity
 
struct  Record
 
class  Record_Header
 
class  Record_Layer
 
class  Record_Size_Limit
 
class  Renegotiation_Extension
 
class  Secret_Logger
 
class  Server
 
class  Server_Certificate_Type
 
class  Server_Hello
 
class  Server_Hello_12
 
class  Server_Hello_13
 
class  Server_Hello_Done
 
class  Server_Impl_12
 
class  Server_Impl_13
 
class  Server_Information
 
class  Server_Key_Exchange
 
class  Server_Name_Indicator
 
class  Session
 
class  Session_Base
 
class  Session_Handle
 Helper class to embody a session handle in all protocol versions. More...
 
class  Session_Keys
 
class  Session_Manager
 
class  Session_Manager_Hybrid
 
class  Session_Manager_In_Memory
 
class  Session_Manager_Noop
 
class  Session_Manager_SQL
 
class  Session_Manager_SQLite
 
class  Session_Manager_Stateless
 
class  Session_Summary
 
class  Session_Ticket_Extension
 
struct  Session_with_Handle
 
class  Signature_Algorithms
 
class  Signature_Algorithms_Cert
 
class  Signature_Scheme
 
class  SRTP_Protection_Profiles
 
class  Stream_Handshake_IO
 
class  Stream_Sequence_Numbers
 
class  Strict_Policy
 
class  Supported_Groups
 
class  Supported_Point_Formats
 
class  Supported_Versions
 
class  Text_Policy
 
class  TLS_CBC_HMAC_AEAD_Decryption
 
class  TLS_CBC_HMAC_AEAD_Encryption
 
class  TLS_CBC_HMAC_AEAD_Mode
 
class  TLS_Data_Reader
 
class  TLS_Exception
 
class  Transcript_Hash_State
 
class  Unexpected_Message
 
class  Unknown_Extension
 

Typedefs

using BytesNeeded = size_t
 
using Client_Handshake_13_Message
 
using Client_Handshake_13_Message_Ref = as_wrapped_references_t<Client_Handshake_13_Message>
 
using Client_Handshake_State_13
 
using Client_Post_Handshake_13_Message = std::variant<Key_Update>
 
typedef Policy Default_Policy
 
typedef std::function< std::shared_ptr< Connection_Cipher_State >(uint16_t)> get_cipherstate_fn
 
using Handshake_Message_13
 
using Handshake_Message_13_Ref = as_wrapped_references_t<Handshake_Message_13>
 
using Named_Group = Group_Params
 
using Opaque_Session_Handle = Strong<std::vector<uint8_t>, struct Opaque_Session_Handle_>
 holds an opaque session handle as used in TLS 1.3 that could be either a ticket for stateless resumption or a database handle.
 
using Post_Handshake_Message_13 = std::variant<New_Session_Ticket_13, Key_Update>
 
using PresharedKeyID = Strong<std::string, struct PresharedKeyID_>
 holds a PSK identity as used in TLS 1.3
 
using Server_Handshake_13_Message
 
using Server_Handshake_13_Message_Ref = as_wrapped_references_t<Server_Handshake_13_Message>
 
using Server_Handshake_State_13
 
using Server_Post_Handshake_13_Message = std::variant<New_Session_Ticket_13, Key_Update>
 
using Session_ID = Strong<std::vector<uint8_t>, struct Session_ID_>
 holds a TLS 1.2 session ID for stateful resumption
 
using Session_Ticket = Strong<std::vector<uint8_t>, struct Session_Ticket_>
 holds a TLS 1.2 session ticket for stateless resumption
 
typedef PskIdentity Ticket
 
using Ticket_Nonce = Strong<std::vector<uint8_t>, struct Ticket_Nonce_>
 Used to derive the ticket's PSK from the resumption_master_secret.
 
using Transcript_Hash = std::vector<uint8_t>
 

Enumerations

enum class  AlertType {
  CloseNotify = 0 , UnexpectedMessage = 10 , BadRecordMac = 20 , DecryptionFailed = 21 ,
  RecordOverflow = 22 , DecompressionFailure = 30 , HandshakeFailure = 40 , NoCertificate = 41 ,
  BadCertificate = 42 , UnsupportedCertificate = 43 , CertificateRevoked = 44 , CertificateExpired = 45 ,
  CertificateUnknown = 46 , IllegalParameter = 47 , UnknownCA = 48 , AccessDenied = 49 ,
  DecodeError = 50 , DecryptError = 51 , ExportRestriction = 60 , ProtocolVersion = 70 ,
  InsufficientSecurity = 71 , InternalError = 80 , InappropriateFallback = 86 , UserCanceled = 90 ,
  NoRenegotiation = 100 , MissingExtension = 109 , UnsupportedExtension = 110 , CertificateUnobtainable = 111 ,
  UnrecognizedName = 112 , BadCertificateStatusResponse = 113 , BadCertificateHashValue = 114 , UnknownPSKIdentity = 115 ,
  CertificateRequired = 116 , NoApplicationProtocol = 120 , None = 256 , CLOSE_NOTIFY = CloseNotify ,
  NO_APPLICATION_PROTOCOL = NoApplicationProtocol , PROTOCOL_VERSION = ProtocolVersion
}
 
enum class  Auth_Method { RSA , ECDSA , UNDEFINED , IMPLICIT = 0x10000 }
 
enum class  Certificate_Type : uint8_t { X509 = 0 , RawPublicKey = 2 }
 
enum class  Cipher_Algo {
  CHACHA20_POLY1305 , AES_128_GCM , AES_256_GCM , AES_256_OCB ,
  CAMELLIA_128_GCM , CAMELLIA_256_GCM , ARIA_128_GCM , ARIA_256_GCM ,
  AES_128_CCM , AES_256_CCM , AES_128_CCM_8 , AES_256_CCM_8 ,
  AES_128_CBC_HMAC_SHA1 , AES_128_CBC_HMAC_SHA256 , AES_256_CBC_HMAC_SHA1 , AES_256_CBC_HMAC_SHA256 ,
  AES_256_CBC_HMAC_SHA384 , DES_EDE_CBC_HMAC_SHA1
}
 
enum class  Connection_Side { Client = 1 , Server = 2 , CLIENT = Client , SERVER = Server }
 
enum class  Extension_Code : uint16_t {
  ServerNameIndication = 0 , CertificateStatusRequest = 5 , SupportedGroups = 10 , EcPointFormats = 11 ,
  SignatureAlgorithms = 13 , CertSignatureAlgorithms = 50 , UseSrtp = 14 , ApplicationLayerProtocolNegotiation = 16 ,
  ClientCertificateType = 19 , ServerCertificateType = 20 , EncryptThenMac = 22 , ExtendedMasterSecret = 23 ,
  RecordSizeLimit = 28 , SessionTicket = 35 , SupportedVersions = 43 , PresharedKey = 41 ,
  EarlyData = 42 , Cookie = 44 , PskKeyExchangeModes = 45 , CertificateAuthorities = 47 ,
  KeyShare = 51 , SafeRenegotiation = 65281
}
 
enum class  Group_Params_Code : uint16_t {
  NONE = 0 , SECP256R1 = 23 , SECP384R1 = 24 , SECP521R1 = 25 ,
  BRAINPOOL256R1 = 26 , BRAINPOOL384R1 = 27 , BRAINPOOL512R1 = 28 , X25519 = 29 ,
  X448 = 30 , FFDHE_2048 = 256 , FFDHE_3072 = 257 , FFDHE_4096 = 258 ,
  FFDHE_6144 = 259 , FFDHE_8192 = 260 , KYBER_512_R3_OQS = 0x023A , KYBER_768_R3_OQS = 0x023C ,
  KYBER_1024_R3_OQS = 0x023D , eFRODOKEM_640_SHAKE_OQS = 0x0201 , eFRODOKEM_976_SHAKE_OQS = 0x0203 , eFRODOKEM_1344_SHAKE_OQS = 0x0205 ,
  eFRODOKEM_640_AES_OQS = 0x0200 , eFRODOKEM_976_AES_OQS = 0x0202 , eFRODOKEM_1344_AES_OQS = 0x0204 , HYBRID_X25519_KYBER_512_R3_CLOUDFLARE = 0xFE30 ,
  HYBRID_X25519_KYBER_512_R3_OQS = 0x2F39 , HYBRID_X25519_KYBER_768_R3_OQS = 0x6399 , HYBRID_X448_KYBER_768_R3_OQS = 0x2F90 , HYBRID_SECP256R1_KYBER_512_R3_OQS = 0x2F3A ,
  HYBRID_SECP256R1_KYBER_768_R3_OQS = 0x639A , HYBRID_SECP384R1_KYBER_768_R3_OQS = 0x2F3C , HYBRID_SECP521R1_KYBER_1024_R3_OQS = 0x2F3D , HYBRID_X25519_eFRODOKEM_640_SHAKE_OQS = 0x2F81 ,
  HYBRID_X25519_eFRODOKEM_640_AES_OQS = 0x2F80 , HYBRID_X448_eFRODOKEM_976_SHAKE_OQS = 0x2F83 , HYBRID_X448_eFRODOKEM_976_AES_OQS = 0x2F82 , HYBRID_SECP256R1_eFRODOKEM_640_SHAKE_OQS = 0x2F01 ,
  HYBRID_SECP256R1_eFRODOKEM_640_AES_OQS = 0x2F00 , HYBRID_SECP384R1_eFRODOKEM_976_SHAKE_OQS = 0x2F03 , HYBRID_SECP384R1_eFRODOKEM_976_AES_OQS = 0x2F02 , HYBRID_SECP521R1_eFRODOKEM_1344_SHAKE_OQS = 0x2F05 ,
  HYBRID_SECP521R1_eFRODOKEM_1344_AES_OQS = 0x2F04
}
 
enum class  Handshake_Type {
  HelloRequest = 0 , ClientHello = 1 , ServerHello = 2 , HelloVerifyRequest = 3 ,
  NewSessionTicket = 4 , EndOfEarlyData = 5 , EncryptedExtensions = 8 , Certificate = 11 ,
  ServerKeyExchange = 12 , CertificateRequest = 13 , ServerHelloDone = 14 , CertificateVerify = 15 ,
  ClientKeyExchange = 16 , Finished = 20 , CertificateUrl = 21 , CertificateStatus = 22 ,
  KeyUpdate = 24 , HelloRetryRequest = 253 , HandshakeCCS = 254 , None = 255
}
 
enum class  KDF_Algo { SHA_1 , SHA_256 , SHA_384 }
 
enum class  Kex_Algo {
  STATIC_RSA , DH , ECDH , PSK ,
  ECDHE_PSK , DHE_PSK , KEM , KEM_PSK ,
  HYBRID , HYBRID_PSK , UNDEFINED
}
 
enum class  Nonce_Format { CBC_MODE , AEAD_IMPLICIT_4 , AEAD_XOR_12 }
 
enum class  PSK_Key_Exchange_Mode : uint8_t { PSK_KE = 0 , PSK_DHE_KE = 1 }
 
enum class  Record_Type : uint8_t {
  Invalid = 0 , ChangeCipherSpec = 20 , Alert = 21 , Handshake = 22 ,
  ApplicationData = 23 , Heartbeat = 24
}
 
enum  Size_Limits : size_t {
  TLS_HEADER_SIZE = 5 , DTLS_HEADER_SIZE = TLS_HEADER_SIZE + 8 , MAX_PLAINTEXT_SIZE = 16 * 1024 , MAX_COMPRESSED_SIZE = MAX_PLAINTEXT_SIZE + 1024 ,
  MAX_CIPHERTEXT_SIZE = MAX_COMPRESSED_SIZE + 1024 , MAX_AEAD_EXPANSION_SIZE_TLS13 = 255 , MAX_CIPHERTEXT_SIZE_TLS13 = MAX_PLAINTEXT_SIZE + MAX_AEAD_EXPANSION_SIZE_TLS13 + 1
}
 
enum class  Version_Code : uint16_t {
  TLS_V11 = 0x0302 , TLS_V12 = 0x0303 , TLS_V13 = 0x0304 , DTLS_V12 = 0xFEFD ,
  DTLS_V13 = 0xFEFC
}
 

Functions

template<typename T , typename Alloc , typename Alloc2 >
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, const std::vector< T, Alloc2 > &vals, size_t tag_size)
 
template<typename T , typename Alloc >
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
 
template<typename Alloc >
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, std::string_view str, size_t tag_size)
 
Auth_Method auth_method_from_string (std::string_view str)
 
std::string auth_method_to_string (Auth_Method method)
 
Certificate_Type certificate_type_from_string (const std::string &type_str)
 
std::string certificate_type_to_string (Certificate_Type type)
 
uint16_t check_tls_cbc_padding (const uint8_t record[], size_t record_len)
 
const char * handshake_type_to_string (Handshake_Type type)
 
std::string kdf_algo_to_string (KDF_Algo algo)
 
Kex_Algo kex_method_from_string (std::string_view str)
 
std::string kex_method_to_string (Kex_Algo method)
 
bool key_exchange_is_psk (Kex_Algo m)
 
std::vector< uint8_t > make_hello_random (RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
 
bool operator!= (const Server_Information &a, const Server_Information &b)
 
bool operator< (const Server_Information &a, const Server_Information &b)
 
auto operator< (const Session_ID &id1, const Session_ID &id2)
 
bool operator== (const Server_Information &a, const Server_Information &b)
 
Record_Header read_record (bool is_datagram, secure_vector< uint8_t > &readbuf, const uint8_t input[], size_t input_len, size_t &consumed, secure_vector< uint8_t > &recbuf, Connection_Sequence_Numbers *sequence_numbers, const get_cipherstate_fn &get_cipherstate, bool allow_epoch0_restart)
 
std::vector< AlgorithmIdentifierto_algorithm_identifiers (const std::vector< Signature_Scheme > &schemes)
 
void write_record (secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len, Connection_Cipher_State &cs, RandomNumberGenerator &rng)
 
void write_unencrypted_record (secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len)
 

Detailed Description

Cipher_State state machine adapted from RFC 8446 7.1.

                                0
                                |
                                v
                      PSK ->  HKDF-Extract = Early Secret
                                |
                                +-----> Derive-Secret(., "ext binder" | "res binder", "")
                                |                     = binder_key
                         STATE PSK BINDER

This state is reached by constructing the Cipher_State using init_with_psk(). The state can then be further advanced using advance_with_client_hello() once the initial Client Hello is fully generated. | +-----> Derive-Secret(., "c e traffic", ClientHello) | = client_early_traffic_secret | +-----> Derive-Secret(., "e exp master", ClientHello) | = early_exporter_master_secret v Derive-Secret(., "derived", "") |

  • STATE EARLY TRAFFIC This state is reached by calling advance_with_client_hello(). In this state the early data traffic secrets are available. TODO: implement early data. The state can then be further advanced using advance_with_server_hello().
  • | v (EC)DHE -> HKDF-Extract = Handshake Secret | +-----> Derive-Secret(., "c hs traffic", | ClientHello...ServerHello) | = client_handshake_traffic_secret | +-----> Derive-Secret(., "s hs traffic", | ClientHello...ServerHello) | = server_handshake_traffic_secret v Derive-Secret(., "derived", "") |
  • STATE HANDSHAKE TRAFFIC This state is reached by constructing Cipher_State using init_with_server_hello() or advance_with_server_hello(). In this state the handshake traffic secrets are available. The state can then be further advanced using advance_with_server_finished().
  • | v 0 -> HKDF-Extract = Master Secret | +-----> Derive-Secret(., "c ap traffic", | ClientHello...server Finished) | = client_application_traffic_secret_0 | +-----> Derive-Secret(., "s ap traffic", | ClientHello...server Finished) | = server_application_traffic_secret_0 | +-----> Derive-Secret(., "exp master", | ClientHello...server Finished) | = exporter_master_secret
  • STATE SERVER APPLICATION TRAFFIC This state is reached by calling advance_with_server_finished(). It allows the server to send application traffic and the client to receive it. The opposite direction is not yet possible in this state. The state can then be further advanced using advance_with_client_finished().
  • | +-----> Derive-Secret(., "res master", ClientHello...client Finished) = resumption_master_secret STATE COMPLETED Once this state is reached the handshake is finished, both client and server can exchange application data and no further cipher state advances are possible.

Wrapper type for a TLS 1.3 session ticket (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Composite key pair that exposes the Public/Private key API but combines multiple key agreement schemes into a hybrid algorithm.

(C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Adapter that allows using a KEX key as a KEM, using an ephemeral key in the KEM encapsulation.

(C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Manger base class implementations (C) 2011-2023 Jack Lloyd 2022-2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Hybrid Session Manager that emits both IDs and Tickets (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Management (C) 2011,2012 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Stateless Session Manager for stateless servers (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Typedef Documentation

◆ BytesNeeded

using Botan::TLS::BytesNeeded = size_t

Definition at line 36 of file tls_record_layer_13.h.

◆ Client_Handshake_13_Message

Initial value:
std::variant<Client_Hello_13,
Client_Hello_12,
Certificate_13,
Certificate_Verify_13,
Finished_13>

Definition at line 1086 of file tls_messages.h.

◆ Client_Handshake_13_Message_Ref

Definition at line 1091 of file tls_messages.h.

◆ Client_Handshake_State_13

Initial value:
Handshake_State_13<Connection_Side::Client,
std::variant< Client_Hello_13, Client_Hello_12, Certificate_13, Certificate_Verify_13, Finished_13 > Client_Handshake_13_Message
std::variant< Server_Hello_13, Server_Hello_12, Hello_Retry_Request, Encrypted_Extensions, Certificate_13, Certificate_Request_13, Certificate_Verify_13, Finished_13 > Server_Handshake_13_Message
std::variant< New_Session_Ticket_13, Key_Update > Server_Post_Handshake_13_Message

Definition at line 179 of file tls_handshake_state_13.h.

◆ Client_Post_Handshake_13_Message

Definition at line 1074 of file tls_messages.h.

◆ Default_Policy

Definition at line 474 of file tls_policy.h.

◆ get_cipherstate_fn

typedef std::function<std::shared_ptr<Connection_Cipher_State>(uint16_t)> Botan::TLS::get_cipherstate_fn

Definition at line 141 of file tls_record.h.

◆ Handshake_Message_13

Initial value:
std::variant<Client_Hello_13,
Client_Hello_12,
Server_Hello_13,
Server_Hello_12,
Hello_Retry_Request,
Encrypted_Extensions,
Certificate_13,
Certificate_Request_13,
Certificate_Verify_13,
Finished_13>

Definition at line 1055 of file tls_messages.h.

◆ Handshake_Message_13_Ref

Definition at line 1066 of file tls_messages.h.

◆ Named_Group

Definition at line 560 of file tls_extensions.h.

◆ Opaque_Session_Handle

using Botan::TLS::Opaque_Session_Handle = Strong<std::vector<uint8_t>, struct Opaque_Session_Handle_>

holds an opaque session handle as used in TLS 1.3 that could be either a ticket for stateless resumption or a database handle.

Definition at line 39 of file tls_session.h.

◆ Post_Handshake_Message_13

◆ PresharedKeyID

using Botan::TLS::PresharedKeyID = Strong<std::string, struct PresharedKeyID_>

holds a PSK identity as used in TLS 1.3

Definition at line 23 of file tls_psk_identity_13.h.

◆ Server_Handshake_13_Message

Initial value:
std::variant<Server_Hello_13,
Server_Hello_12,
Hello_Retry_Request,
Encrypted_Extensions,
Certificate_13,
Certificate_Request_13,
Certificate_Verify_13,
Finished_13>

Definition at line 1076 of file tls_messages.h.

◆ Server_Handshake_13_Message_Ref

Definition at line 1084 of file tls_messages.h.

◆ Server_Handshake_State_13

Initial value:
Handshake_State_13<Connection_Side::Server,
std::variant< Key_Update > Client_Post_Handshake_13_Message

Definition at line 184 of file tls_handshake_state_13.h.

◆ Server_Post_Handshake_13_Message

◆ Session_ID

using Botan::TLS::Session_ID = Strong<std::vector<uint8_t>, struct Session_ID_>

holds a TLS 1.2 session ID for stateful resumption

Definition at line 32 of file tls_session.h.

◆ Session_Ticket

using Botan::TLS::Session_Ticket = Strong<std::vector<uint8_t>, struct Session_Ticket_>

holds a TLS 1.2 session ticket for stateless resumption

Definition at line 35 of file tls_session.h.

◆ Ticket

Botan 3.0.0 used the class name "Ticket". In Botan 3.1.0 we decided to re-name it to the more generic term "PskIdentity" to better reflect its dual use case for resumption and externally provided PSKs.

Definition at line 72 of file tls_psk_identity_13.h.

◆ Ticket_Nonce

using Botan::TLS::Ticket_Nonce = Strong<std::vector<uint8_t>, struct Ticket_Nonce_>

Used to derive the ticket's PSK from the resumption_master_secret.

Definition at line 966 of file tls_messages.h.

◆ Transcript_Hash

using Botan::TLS::Transcript_Hash = std::vector<uint8_t>

Definition at line 81 of file tls_magic.h.

Enumeration Type Documentation

◆ AlertType

enum class Botan::TLS::AlertType
strong

Type codes for TLS alerts

The enumeration value matches the wire encoding

Enumerator
CloseNotify 
UnexpectedMessage 
BadRecordMac 
DecryptionFailed 
RecordOverflow 
DecompressionFailure 
HandshakeFailure 
NoCertificate 
BadCertificate 
UnsupportedCertificate 
CertificateRevoked 
CertificateExpired 
CertificateUnknown 
IllegalParameter 
UnknownCA 
AccessDenied 
DecodeError 
DecryptError 
ExportRestriction 
ProtocolVersion 
InsufficientSecurity 
InternalError 
InappropriateFallback 
UserCanceled 
NoRenegotiation 
MissingExtension 
UnsupportedExtension 
CertificateUnobtainable 
UnrecognizedName 
BadCertificateStatusResponse 
BadCertificateHashValue 
UnknownPSKIdentity 
CertificateRequired 
NoApplicationProtocol 
None 
CLOSE_NOTIFY 
NO_APPLICATION_PROTOCOL 
PROTOCOL_VERSION 

Definition at line 21 of file tls_alert.h.

21 {
22 CloseNotify = 0,
24 BadRecordMac = 20,
26 RecordOverflow = 22,
29 NoCertificate = 41, // SSLv3 only
30 BadCertificate = 42,
36 UnknownCA = 48,
37 AccessDenied = 49,
38 DecodeError = 50,
39 DecryptError = 51,
41 ProtocolVersion = 70,
43 InternalError = 80,
45 UserCanceled = 90,
46 NoRenegotiation = 100,
47 MissingExtension = 109, // RFC 8446
50 UnrecognizedName = 112,
54 CertificateRequired = 116, // RFC 8446
55 NoApplicationProtocol = 120, // RFC 7301
56
57 // pseudo alert values
58 None = 256,
59
60 // Compat enum variants, will be removed in a future major release
61 CLOSE_NOTIFY BOTAN_DEPRECATED("Use CloseNotify") = CloseNotify,
63 PROTOCOL_VERSION BOTAN_DEPRECATED("Use ProtocolVersion") = ProtocolVersion,
64};
#define BOTAN_DEPRECATED(msg)
Definition compiler.h:125

◆ Auth_Method

enum class Botan::TLS::Auth_Method
strong
Enumerator
RSA 
ECDSA 
UNDEFINED 
IMPLICIT 

Definition at line 65 of file tls_algos.h.

65 {
66 RSA,
67 ECDSA,
68
69 // To support TLS 1.3 ciphersuites, which do not determine the auth method
71
72 // These are placed outside the encodable range
73 IMPLICIT = 0x10000
74};

◆ Certificate_Type

enum class Botan::TLS::Certificate_Type : uint8_t
strong
Enumerator
X509 
RawPublicKey 

Definition at line 205 of file tls_extensions.h.

205: uint8_t { X509 = 0, RawPublicKey = 2 };

◆ Cipher_Algo

enum class Botan::TLS::Cipher_Algo
strong
Enumerator
CHACHA20_POLY1305 
AES_128_GCM 
AES_256_GCM 
AES_256_OCB 
CAMELLIA_128_GCM 
CAMELLIA_256_GCM 
ARIA_128_GCM 
ARIA_256_GCM 
AES_128_CCM 
AES_256_CCM 
AES_128_CCM_8 
AES_256_CCM_8 
AES_128_CBC_HMAC_SHA1 
AES_128_CBC_HMAC_SHA256 
AES_256_CBC_HMAC_SHA1 
AES_256_CBC_HMAC_SHA256 
AES_256_CBC_HMAC_SHA384 
DES_EDE_CBC_HMAC_SHA1 

Definition at line 21 of file tls_algos.h.

◆ Connection_Side

enum class Botan::TLS::Connection_Side
strong
Enumerator
Client 
Server 
CLIENT 
SERVER 

Definition at line 43 of file tls_magic.h.

43 {
44 Client = 1,
45 Server = 2,
46
47 CLIENT BOTAN_DEPRECATED("Use Connection_Side::Client") = Client,
48 SERVER BOTAN_DEPRECATED("Use Connection_Side::Server") = Server,
49};

◆ Extension_Code

enum class Botan::TLS::Extension_Code : uint16_t
strong
Enumerator
ServerNameIndication 
CertificateStatusRequest 
SupportedGroups 
EcPointFormats 
SignatureAlgorithms 
CertSignatureAlgorithms 
UseSrtp 
ApplicationLayerProtocolNegotiation 
ClientCertificateType 
ServerCertificateType 
EncryptThenMac 
ExtendedMasterSecret 
RecordSizeLimit 
SessionTicket 
SupportedVersions 
PresharedKey 
EarlyData 
Cookie 
PskKeyExchangeModes 
CertificateAuthorities 
KeyShare 
SafeRenegotiation 

Definition at line 53 of file tls_extensions.h.

53 : uint16_t {
56
57 SupportedGroups = 10,
58 EcPointFormats = 11,
61 UseSrtp = 14,
63
64 // SignedCertificateTimestamp = 18, // NYI
65
66 // RFC 7250 (Raw Public Keys in TLS)
69
70 EncryptThenMac = 22,
72
73 RecordSizeLimit = 28,
74
75 SessionTicket = 35,
76
78#if defined(BOTAN_HAS_TLS_13)
79 PresharedKey = 41,
80 EarlyData = 42,
81 Cookie = 44,
82
85 // OidFilters = 48, // NYI
86
87 KeyShare = 51,
88#endif
89
90 SafeRenegotiation = 65281,
91};

◆ Group_Params_Code

enum class Botan::TLS::Group_Params_Code : uint16_t
strong
Enumerator
NONE 
SECP256R1 
SECP384R1 
SECP521R1 
BRAINPOOL256R1 
BRAINPOOL384R1 
BRAINPOOL512R1 
X25519 
X448 
FFDHE_2048 
FFDHE_3072 
FFDHE_4096 
FFDHE_6144 
FFDHE_8192 
KYBER_512_R3_OQS 
KYBER_768_R3_OQS 
KYBER_1024_R3_OQS 
eFRODOKEM_640_SHAKE_OQS 
eFRODOKEM_976_SHAKE_OQS 
eFRODOKEM_1344_SHAKE_OQS 
eFRODOKEM_640_AES_OQS 
eFRODOKEM_976_AES_OQS 
eFRODOKEM_1344_AES_OQS 
HYBRID_X25519_KYBER_512_R3_CLOUDFLARE 
HYBRID_X25519_KYBER_512_R3_OQS 
HYBRID_X25519_KYBER_768_R3_OQS 
HYBRID_X448_KYBER_768_R3_OQS 
HYBRID_SECP256R1_KYBER_512_R3_OQS 
HYBRID_SECP256R1_KYBER_768_R3_OQS 
HYBRID_SECP384R1_KYBER_768_R3_OQS 
HYBRID_SECP521R1_KYBER_1024_R3_OQS 
HYBRID_X25519_eFRODOKEM_640_SHAKE_OQS 
HYBRID_X25519_eFRODOKEM_640_AES_OQS 
HYBRID_X448_eFRODOKEM_976_SHAKE_OQS 
HYBRID_X448_eFRODOKEM_976_AES_OQS 
HYBRID_SECP256R1_eFRODOKEM_640_SHAKE_OQS 
HYBRID_SECP256R1_eFRODOKEM_640_AES_OQS 
HYBRID_SECP384R1_eFRODOKEM_976_SHAKE_OQS 
HYBRID_SECP384R1_eFRODOKEM_976_AES_OQS 
HYBRID_SECP521R1_eFRODOKEM_1344_SHAKE_OQS 
HYBRID_SECP521R1_eFRODOKEM_1344_AES_OQS 

Definition at line 82 of file tls_algos.h.

82 : uint16_t {
83 NONE = 0,
84
85 SECP256R1 = 23,
86 SECP384R1 = 24,
87 SECP521R1 = 25,
88 BRAINPOOL256R1 = 26,
89 BRAINPOOL384R1 = 27,
90 BRAINPOOL512R1 = 28,
91
92 X25519 = 29,
93 X448 = 30,
94
95 FFDHE_2048 = 256,
96 FFDHE_3072 = 257,
97 FFDHE_4096 = 258,
98 FFDHE_6144 = 259,
99 FFDHE_8192 = 260,
100
101 // libOQS defines those in:
102 // https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md
103 KYBER_512_R3_OQS = 0x023A,
104 KYBER_768_R3_OQS = 0x023C,
105 KYBER_1024_R3_OQS = 0x023D,
106
110 eFRODOKEM_640_AES_OQS = 0x0200,
111 eFRODOKEM_976_AES_OQS = 0x0202,
112 eFRODOKEM_1344_AES_OQS = 0x0204,
113
114 // Cloudflare code points for hybrid PQC
115 // https://blog.cloudflare.com/post-quantum-for-all/
117
118 // libOQS defines those in:
119 // https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md
120 //
121 // X25519/Kyber768 is also defined in:
122 // https://datatracker.ietf.org/doc/draft-tls-westerbaan-xyber768d00/03/
125
127
130
132
134
137
140
143
146
149};
@ NONE
Definition filter.h:165

◆ Handshake_Type

enum class Botan::TLS::Handshake_Type
strong
Enumerator
HelloRequest 
ClientHello 
ServerHello 
HelloVerifyRequest 
NewSessionTicket 
EndOfEarlyData 
EncryptedExtensions 
Certificate 
ServerKeyExchange 
CertificateRequest 
ServerHelloDone 
CertificateVerify 
ClientKeyExchange 
Finished 
CertificateUrl 
CertificateStatus 
KeyUpdate 
HelloRetryRequest 
HandshakeCCS 
None 

Definition at line 51 of file tls_magic.h.

51 {
52 HelloRequest = 0,
53 ClientHello = 1,
54 ServerHello = 2,
56 NewSessionTicket = 4, // RFC 5077
57
58 EndOfEarlyData = 5, // RFC 8446 (TLS 1.3)
59 EncryptedExtensions = 8, // RFC 8446 (TLS 1.3)
60
61 Certificate = 11,
64 ServerHelloDone = 14,
67 Finished = 20,
68
69 CertificateUrl = 21,
71
72 KeyUpdate = 24, // RFC 8446 (TLS 1.3)
73
74 HelloRetryRequest = 253, // Not a wire value (HRR appears as an ordinary Server Hello)
75 HandshakeCCS = 254, // Not a wire value (TLS 1.3 uses this value for 'message_hash' -- RFC 8446 4.4.1)
76 None = 255 // Null value
77};

◆ KDF_Algo

enum class Botan::TLS::KDF_Algo
strong
Enumerator
SHA_1 
SHA_256 
SHA_384 

Definition at line 49 of file tls_algos.h.

49 {
50 SHA_1,
51 SHA_256,
52 SHA_384,
53};

◆ Kex_Algo

enum class Botan::TLS::Kex_Algo
strong
Enumerator
STATIC_RSA 
DH 
ECDH 
PSK 
ECDHE_PSK 
DHE_PSK 
KEM 
KEM_PSK 
HYBRID 
HYBRID_PSK 
UNDEFINED 

Definition at line 245 of file tls_algos.h.

245 {
247 DH,
248 ECDH,
249 PSK,
250 ECDHE_PSK,
251 DHE_PSK,
252 KEM,
253 KEM_PSK,
254 HYBRID,
256
257 // To support TLS 1.3 ciphersuites, which do not determine the kex algo
259};

◆ Nonce_Format

enum class Botan::TLS::Nonce_Format
strong
Enumerator
CBC_MODE 
AEAD_IMPLICIT_4 
AEAD_XOR_12 

Definition at line 57 of file tls_algos.h.

◆ PSK_Key_Exchange_Mode

enum class Botan::TLS::PSK_Key_Exchange_Mode : uint8_t
strong
Enumerator
PSK_KE 
PSK_DHE_KE 

Definition at line 47 of file tls_extensions.h.

◆ Record_Type

enum class Botan::TLS::Record_Type : uint8_t
strong
Enumerator
Invalid 
ChangeCipherSpec 
Alert 
Handshake 
ApplicationData 
Heartbeat 

Definition at line 32 of file tls_channel_impl.h.

32 : uint8_t {
33 Invalid = 0, // RFC 8446 (TLS 1.3)
34
36 Alert = 21,
37 Handshake = 22,
38 ApplicationData = 23,
39
40 Heartbeat = 24, // RFC 6520 (TLS 1.3)
41};

◆ Size_Limits

enum Botan::TLS::Size_Limits : size_t

Protocol Constants for SSL/TLS

TODO: this should not be an enum

Enumerator
TLS_HEADER_SIZE 
DTLS_HEADER_SIZE 
MAX_PLAINTEXT_SIZE 
MAX_COMPRESSED_SIZE 
MAX_CIPHERTEXT_SIZE 
MAX_AEAD_EXPANSION_SIZE_TLS13 
MAX_CIPHERTEXT_SIZE_TLS13 

Definition at line 24 of file tls_magic.h.

24 : size_t {
27
28 // The "TLSInnerPlaintext" length, i.e. the maximum amount of plaintext
29 // application data that can be transmitted in a single TLS record.
30 MAX_PLAINTEXT_SIZE = 16 * 1024,
31
34
35 // RFC 8446 5.2:
36 // This limit is derived from the maximum TLSInnerPlaintext length of 2^14
37 // octets + 1 octet for ContentType + the maximum AEAD expansion of 255
38 // octets.
41};
@ MAX_CIPHERTEXT_SIZE
Definition tls_magic.h:33
@ MAX_PLAINTEXT_SIZE
Definition tls_magic.h:30
@ MAX_CIPHERTEXT_SIZE_TLS13
Definition tls_magic.h:40
@ MAX_AEAD_EXPANSION_SIZE_TLS13
Definition tls_magic.h:39
@ TLS_HEADER_SIZE
Definition tls_magic.h:25
@ MAX_COMPRESSED_SIZE
Definition tls_magic.h:32
@ DTLS_HEADER_SIZE
Definition tls_magic.h:26

◆ Version_Code

enum class Botan::TLS::Version_Code : uint16_t
strong
Enumerator
TLS_V11 
TLS_V12 
TLS_V13 
DTLS_V12 
DTLS_V13 

Definition at line 18 of file tls_version.h.

18 : uint16_t {
19 TLS_V11 = 0x0302, // not supported by Botan
20 TLS_V12 = 0x0303,
21 TLS_V13 = 0x0304,
22 DTLS_V12 = 0xFEFD,
23 DTLS_V13 = 0xFEFC, // not supported by Botan
24};

Function Documentation

◆ append_tls_length_value() [1/3]

template<typename T , typename Alloc , typename Alloc2 >
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
const std::vector< T, Alloc2 > & vals,
size_t tag_size )

Definition at line 205 of file tls_reader.h.

205 {
206 append_tls_length_value(buf, vals.data(), vals.size(), tag_size);
207}
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:180

References append_tls_length_value().

◆ append_tls_length_value() [2/3]

template<typename T , typename Alloc >
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
const T * vals,
size_t vals_size,
size_t tag_size )

Helper function for encoding length-tagged vectors

Definition at line 180 of file tls_reader.h.

180 {
181 const size_t T_size = sizeof(T);
182 const size_t val_bytes = T_size * vals_size;
183
184 if(tag_size != 1 && tag_size != 2 && tag_size != 3) {
185 throw Invalid_Argument("append_tls_length_value: invalid tag size");
186 }
187
188 if((tag_size == 1 && val_bytes > 255) || (tag_size == 2 && val_bytes > 65535) ||
189 (tag_size == 3 && val_bytes > 16777215)) {
190 throw Invalid_Argument("append_tls_length_value: value too large");
191 }
192
193 for(size_t i = 0; i != tag_size; ++i) {
194 buf.push_back(get_byte_var(sizeof(val_bytes) - tag_size + i, val_bytes));
195 }
196
197 for(size_t i = 0; i != vals_size; ++i) {
198 for(size_t j = 0; j != T_size; ++j) {
199 buf.push_back(get_byte_var(j, vals[i]));
200 }
201 }
202}
FE_25519 T
Definition ge.cpp:34
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:65

References Botan::get_byte_var(), and T.

Referenced by append_tls_length_value(), append_tls_length_value(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::TLS::Application_Layer_Protocol_Notification::serialize(), Botan::TLS::Certificate_13::serialize(), Botan::TLS::Certificate_Authorities::serialize(), Botan::TLS::Certificate_Request_12::serialize(), Botan::TLS::Certificate_Request_13::serialize(), Botan::TLS::Certificate_Type_Base::serialize(), Botan::TLS::Client_Hello::serialize(), Botan::TLS::New_Session_Ticket_12::serialize(), Botan::TLS::New_Session_Ticket_13::serialize(), Botan::TLS::PSK::serialize(), Botan::TLS::Renegotiation_Extension::serialize(), Botan::TLS::Server_Hello::serialize(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().

◆ append_tls_length_value() [3/3]

template<typename Alloc >
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
std::string_view str,
size_t tag_size )

Definition at line 210 of file tls_reader.h.

210 {
211 append_tls_length_value(buf, cast_char_ptr_to_uint8(str.data()), str.size(), tag_size);
212}
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:273

References append_tls_length_value(), and Botan::cast_char_ptr_to_uint8().

◆ auth_method_from_string()

Auth_Method BOTAN_TEST_API Botan::TLS::auth_method_from_string ( std::string_view str)

Definition at line 120 of file tls_algos.cpp.

120 {
121 if(str == "RSA") {
122 return Auth_Method::RSA;
123 }
124 if(str == "ECDSA") {
125 return Auth_Method::ECDSA;
126 }
127 if(str == "IMPLICIT") {
128 return Auth_Method::IMPLICIT;
129 }
130 if(str == "UNDEFINED") {
131 return Auth_Method::UNDEFINED;
132 }
133
134 throw Invalid_Argument(fmt("Unknown TLS signature method '{}'", str));
135}
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

References ECDSA, Botan::fmt(), IMPLICIT, RSA, and UNDEFINED.

◆ auth_method_to_string()

std::string BOTAN_TEST_API Botan::TLS::auth_method_to_string ( Auth_Method method)

Definition at line 105 of file tls_algos.cpp.

105 {
106 switch(method) {
107 case Auth_Method::RSA:
108 return "RSA";
109 case Auth_Method::ECDSA:
110 return "ECDSA";
111 case Auth_Method::IMPLICIT:
112 return "IMPLICIT";
113 case Auth_Method::UNDEFINED:
114 return "UNDEFINED";
115 }
116
117 throw Invalid_State("auth_method_to_string unknown enum value");
118}

References ECDSA, IMPLICIT, RSA, and UNDEFINED.

Referenced by Botan::TLS::Ciphersuite::sig_algo().

◆ certificate_type_from_string()

Certificate_Type Botan::TLS::certificate_type_from_string ( const std::string & type_str)

Definition at line 377 of file tls_extensions.cpp.

377 {
378 if(type_str == "X509") {
379 return Certificate_Type::X509;
380 } else if(type_str == "RawPublicKey") {
381 return Certificate_Type::RawPublicKey;
382 } else {
383 throw Decoding_Error("Unknown certificate type: " + type_str);
384 }
385}

References RawPublicKey, and X509.

Referenced by Botan::TLS::Text_Policy::read_cert_type_list().

◆ certificate_type_to_string()

std::string Botan::TLS::certificate_type_to_string ( Certificate_Type type)

Definition at line 366 of file tls_extensions.cpp.

366 {
367 switch(type) {
368 case Certificate_Type::X509:
369 return "X509";
370 case Certificate_Type::RawPublicKey:
371 return "RawPublicKey";
372 }
373
374 return "Unknown";
375}

References RawPublicKey, and X509.

Referenced by Botan::TLS::Certificate_Type_Base::validate_selection().

◆ check_tls_cbc_padding()

BOTAN_TEST_API uint16_t Botan::TLS::check_tls_cbc_padding ( const uint8_t record[],
size_t record_len )

Check the TLS padding of a record

Parameters
recordthe record bits
record_lenlength of record
Returns
0 if padding is invalid, otherwise padding_bytes + 1

Definition at line 237 of file tls_cbc.cpp.

237 {
238 if(record_len == 0 || record_len > 0xFFFF) {
239 return 0;
240 }
241
242 const uint16_t rec16 = static_cast<uint16_t>(record_len);
243
244 /*
245 * TLS v1.0 and up require all the padding bytes be the same value
246 * and allows up to 255 bytes.
247 */
248
249 const uint16_t to_check = std::min<uint16_t>(256, static_cast<uint16_t>(record_len));
250 const uint8_t pad_byte = record[record_len - 1];
251 const uint16_t pad_bytes = 1 + pad_byte;
252
253 auto pad_invalid = CT::Mask<uint16_t>::is_lt(rec16, pad_bytes);
254
255 for(uint16_t i = rec16 - to_check; i != rec16; ++i) {
256 const uint16_t offset = rec16 - i;
257 const auto in_pad_range = CT::Mask<uint16_t>::is_lte(offset, pad_bytes);
258 const auto pad_correct = CT::Mask<uint16_t>::is_equal(record[i], pad_byte);
259 pad_invalid |= in_pad_range & ~pad_correct;
260 }
261
262 return pad_invalid.if_not_set_return(pad_bytes);
263}

References Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_lte().

◆ handshake_type_to_string()

BOTAN_TEST_API const char * Botan::TLS::handshake_type_to_string ( Handshake_Type type)

Definition at line 23 of file tls_handshake_state.cpp.

23 {
24 switch(type) {
25 case Handshake_Type::HelloVerifyRequest:
26 return "hello_verify_request";
27
28 case Handshake_Type::HelloRequest:
29 return "hello_request";
30
31 case Handshake_Type::ClientHello:
32 return "client_hello";
33
34 case Handshake_Type::ServerHello:
35 return "server_hello";
36
37 case Handshake_Type::HelloRetryRequest:
38 return "hello_retry_request";
39
40 case Handshake_Type::Certificate:
41 return "certificate";
42
43 case Handshake_Type::CertificateUrl:
44 return "certificate_url";
45
46 case Handshake_Type::CertificateStatus:
47 return "certificate_status";
48
49 case Handshake_Type::ServerKeyExchange:
50 return "server_key_exchange";
51
52 case Handshake_Type::CertificateRequest:
53 return "certificate_request";
54
55 case Handshake_Type::ServerHelloDone:
56 return "server_hello_done";
57
58 case Handshake_Type::CertificateVerify:
59 return "certificate_verify";
60
61 case Handshake_Type::ClientKeyExchange:
62 return "client_key_exchange";
63
64 case Handshake_Type::NewSessionTicket:
65 return "new_session_ticket";
66
67 case Handshake_Type::HandshakeCCS:
68 return "change_cipher_spec";
69
70 case Handshake_Type::Finished:
71 return "finished";
72
73 case Handshake_Type::EndOfEarlyData:
74 return "end_of_early_data";
75
76 case Handshake_Type::EncryptedExtensions:
77 return "encrypted_extensions";
78
79 case Handshake_Type::KeyUpdate:
80 return "key_update";
81
82 case Handshake_Type::None:
83 return "invalid";
84 }
85
86 throw TLS_Exception(Alert::UnexpectedMessage,
87 "Unknown TLS handshake message type " + std::to_string(static_cast<size_t>(type)));
88}

References Certificate, CertificateRequest, CertificateStatus, CertificateUrl, CertificateVerify, ClientHello, ClientKeyExchange, EncryptedExtensions, EndOfEarlyData, Finished, HandshakeCCS, HelloRequest, HelloRetryRequest, HelloVerifyRequest, KeyUpdate, NewSessionTicket, None, ServerHello, ServerHelloDone, and ServerKeyExchange.

Referenced by Botan::TLS::Handshake_Transitions::confirm_transition_to(), Botan::TLS::Key_Share::Key_Share(), and Botan::TLS::Handshake_Message::type_string().

◆ kdf_algo_to_string()

std::string BOTAN_DLL Botan::TLS::kdf_algo_to_string ( KDF_Algo algo)

Definition at line 15 of file tls_algos.cpp.

15 {
16 switch(algo) {
17 case KDF_Algo::SHA_1:
18 return "SHA-1";
19 case KDF_Algo::SHA_256:
20 return "SHA-256";
21 case KDF_Algo::SHA_384:
22 return "SHA-384";
23 }
24
25 throw Invalid_State("kdf_algo_to_string unknown enum value");
26}

References SHA_1, SHA_256, and SHA_384.

Referenced by Botan::TLS::Ciphersuite::prf_algo().

◆ kex_method_from_string()

Kex_Algo BOTAN_TEST_API Botan::TLS::kex_method_from_string ( std::string_view str)

Definition at line 57 of file tls_algos.cpp.

57 {
58 if(str == "RSA") {
59 return Kex_Algo::STATIC_RSA;
60 }
61
62 if(str == "DH") {
63 return Kex_Algo::DH;
64 }
65
66 if(str == "ECDH") {
67 return Kex_Algo::ECDH;
68 }
69
70 if(str == "PSK") {
71 return Kex_Algo::PSK;
72 }
73
74 if(str == "ECDHE_PSK") {
75 return Kex_Algo::ECDHE_PSK;
76 }
77
78 if(str == "DHE_PSK") {
79 return Kex_Algo::DHE_PSK;
80 }
81
82 if(str == "KEM") {
83 return Kex_Algo::KEM;
84 }
85
86 if(str == "KEM_PSK") {
87 return Kex_Algo::KEM_PSK;
88 }
89
90 if(str == "HYBRID") {
91 return Kex_Algo::HYBRID;
92 }
93
94 if(str == "HYBRID_PSK") {
95 return Kex_Algo::HYBRID_PSK;
96 }
97
98 if(str == "UNDEFINED") {
99 return Kex_Algo::UNDEFINED;
100 }
101
102 throw Invalid_Argument(fmt("Unknown kex method '{}'", str));
103}

References DH, DHE_PSK, ECDH, ECDHE_PSK, Botan::fmt(), HYBRID, HYBRID_PSK, KEM, KEM_PSK, PSK, STATIC_RSA, and UNDEFINED.

◆ kex_method_to_string()

std::string BOTAN_TEST_API Botan::TLS::kex_method_to_string ( Kex_Algo method)

Definition at line 28 of file tls_algos.cpp.

28 {
29 switch(method) {
30 case Kex_Algo::STATIC_RSA:
31 return "RSA";
32 case Kex_Algo::DH:
33 return "DH";
34 case Kex_Algo::ECDH:
35 return "ECDH";
36 case Kex_Algo::PSK:
37 return "PSK";
38 case Kex_Algo::ECDHE_PSK:
39 return "ECDHE_PSK";
40 case Kex_Algo::DHE_PSK:
41 return "DHE_PSK";
42 case Kex_Algo::KEM:
43 return "KEM";
44 case Kex_Algo::KEM_PSK:
45 return "KEM_PSK";
46 case Kex_Algo::HYBRID:
47 return "HYBRID";
48 case Kex_Algo::HYBRID_PSK:
49 return "HYBRID_PSK";
50 case Kex_Algo::UNDEFINED:
51 return "UNDEFINED";
52 }
53
54 throw Invalid_State("kex_method_to_string unknown enum value");
55}

References DH, DHE_PSK, ECDH, ECDHE_PSK, HYBRID, HYBRID_PSK, KEM, KEM_PSK, PSK, STATIC_RSA, and UNDEFINED.

Referenced by Botan::TLS::Ciphersuite::kex_algo(), Botan::TLS::Server_Key_Exchange::Server_Key_Exchange(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().

◆ key_exchange_is_psk()

bool Botan::TLS::key_exchange_is_psk ( Kex_Algo m)
inline

Definition at line 264 of file tls_algos.h.

264 {
265 return (m == Kex_Algo::PSK || m == Kex_Algo::ECDHE_PSK || m == Kex_Algo::DHE_PSK);
266}

References DHE_PSK, ECDHE_PSK, and PSK.

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().

◆ make_hello_random()

std::vector< uint8_t > Botan::TLS::make_hello_random ( RandomNumberGenerator & rng,
Callbacks & cb,
const Policy & policy )

Definition at line 38 of file msg_client_hello.cpp.

38 {
39 auto buf = rng.random_vec<std::vector<uint8_t>>(32);
40
41 if(policy.hash_hello_random()) {
42 auto sha256 = HashFunction::create_or_throw("SHA-256");
43 sha256->update(buf);
44 sha256->final(buf);
45 }
46
47 // TLS 1.3 does not require the insertion of a timestamp in the client hello
48 // random. When offering both TLS 1.2 and 1.3 we nevertheless comply with the
49 // legacy specification.
50 if(policy.include_time_in_hello_random() && (policy.allow_tls12() || policy.allow_dtls12())) {
51 const uint32_t time32 = static_cast<uint32_t>(std::chrono::system_clock::to_time_t(cb.tls_current_timestamp()));
52
53 store_be(time32, buf.data());
54 }
55
56 return buf;
57}
void random_vec(std::span< uint8_t > v)
Definition rng.h:179
virtual std::chrono::system_clock::time_point tls_current_timestamp()
virtual bool include_time_in_hello_random() const
virtual bool allow_tls12() const
virtual bool hash_hello_random() const
virtual bool allow_dtls12() const
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:707

References Botan::TLS::Policy::allow_dtls12(), Botan::TLS::Policy::allow_tls12(), Botan::HashFunction::create_or_throw(), Botan::TLS::Policy::hash_hello_random(), Botan::TLS::Policy::include_time_in_hello_random(), Botan::RandomNumberGenerator::random_vec(), Botan::store_be(), and Botan::TLS::Callbacks::tls_current_timestamp().

Referenced by Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_12::Client_Hello_12(), and Botan::TLS::Client_Hello_13::Client_Hello_13().

◆ operator!=()

bool Botan::TLS::operator!= ( const Server_Information & a,
const Server_Information & b )
inline

Definition at line 74 of file tls_server_info.h.

74 {
75 return !(a == b);
76}

◆ operator<() [1/2]

bool Botan::TLS::operator< ( const Server_Information & a,
const Server_Information & b )
inline

Definition at line 78 of file tls_server_info.h.

78 {
79 if(a.hostname() != b.hostname()) {
80 return (a.hostname() < b.hostname());
81 }
82 if(a.service() != b.service()) {
83 return (a.service() < b.service());
84 }
85 if(a.port() != b.port()) {
86 return (a.port() < b.port());
87 }
88 return false; // equal
89}

References Botan::TLS::Server_Information::hostname(), Botan::TLS::Server_Information::port(), and Botan::TLS::Server_Information::service().

◆ operator<() [2/2]

auto Botan::TLS::operator< ( const Session_ID & id1,
const Session_ID & id2 )
inline

Definition at line 41 of file tls_session.h.

41 {
42 // TODO: C++20 better use std::lexicographical_compare_three_way
43 // that was not available on all target platforms at the time
44 // of this writing.
45 return std::lexicographical_compare(id1.begin(), id1.end(), id2.begin(), id2.end());
46}

◆ operator==()

bool Botan::TLS::operator== ( const Server_Information & a,
const Server_Information & b )
inline

Definition at line 70 of file tls_server_info.h.

70 {
71 return (a.hostname() == b.hostname()) && (a.service() == b.service()) && (a.port() == b.port());
72}

References Botan::TLS::Server_Information::hostname(), Botan::TLS::Server_Information::port(), and Botan::TLS::Server_Information::service().

◆ read_record()

Record_Header Botan::TLS::read_record ( bool is_datagram,
secure_vector< uint8_t > & read_buffer,
const uint8_t input[],
size_t input_len,
size_t & consumed,
secure_vector< uint8_t > & record_buf,
Connection_Sequence_Numbers * sequence_numbers,
const get_cipherstate_fn & get_cipherstate,
bool allow_epoch0_restart )

Decode a TLS record

Returns
zero if full message, else number of bytes still needed

Definition at line 488 of file tls_record.cpp.

496 {
497 if(is_datagram) {
498 return read_dtls_record(
499 readbuf, input, input_len, consumed, recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
500 } else {
501 return read_tls_record(readbuf, input, input_len, consumed, recbuf, sequence_numbers, get_cipherstate);
502 }
503}

Referenced by Botan::TLS::Channel_Impl_12::from_peer().

◆ to_algorithm_identifiers()

std::vector< AlgorithmIdentifier > Botan::TLS::to_algorithm_identifiers ( const std::vector< Signature_Scheme > & schemes)

Definition at line 332 of file tls_signature_scheme.cpp.

332 {
333 std::vector<AlgorithmIdentifier> result;
334 std::transform(schemes.begin(), schemes.end(), std::back_inserter(result), [](const auto& scheme) {
335 return scheme.algorithm_identifier();
336 });
337 return result;
338}

Referenced by Botan::TLS::Certificate_13::Certificate_13(), and Botan::TLS::Certificate_13::Certificate_13().

◆ write_record()

void Botan::TLS::write_record ( secure_vector< uint8_t > & write_buffer,
Record_Type record_type,
Protocol_Version record_version,
uint64_t record_sequence,
const uint8_t * message,
size_t message_len,
Connection_Cipher_State & cipherstate,
RandomNumberGenerator & rng )

Create a TLS record

Parameters
write_bufferthe output record is placed here
record_typethe record layer type
record_versionthe record layer version
record_sequencethe record layer sequence number
messagethe record contents
message_lenis size of message
cipherstateis the writing cipher state
rngis a random number generator

Definition at line 200 of file tls_record.cpp.

207 {
208 write_record_header(output, record_type, version, record_sequence);
209
210 AEAD_Mode& aead = cs.aead();
211 std::vector<uint8_t> aad = cs.format_ad(record_sequence, record_type, version, static_cast<uint16_t>(message_len));
212
213 const size_t ctext_size = aead.output_length(message_len);
214
215 const size_t rec_size = ctext_size + cs.nonce_bytes_from_record();
216
217 aead.set_associated_data(aad);
218
219 const std::vector<uint8_t> nonce = cs.aead_nonce(record_sequence, rng);
220
221 append_u16_len(output, rec_size);
222
223 if(cs.nonce_bytes_from_record() > 0) {
224 if(cs.nonce_format() == Nonce_Format::CBC_MODE) {
225 output += nonce;
226 } else {
227 output += std::make_pair(&nonce[cs.nonce_bytes_from_handshake()], cs.nonce_bytes_from_record());
228 }
229 }
230
231 const size_t header_size = output.size();
232 output += std::make_pair(message, message_len);
233
234 aead.start(nonce);
235 aead.finish(output, header_size);
236
237 BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE, "Produced ciphertext larger than protocol allows");
238}
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
void set_associated_data(std::span< const uint8_t > ad)
Definition aead.h:59
void start(std::span< const uint8_t > nonce)
Definition cipher_mode.h:89
void finish(secure_vector< uint8_t > &final_block, size_t offset=0)
virtual size_t output_length(size_t input_length) const =0

References Botan::TLS::Connection_Cipher_State::aead(), Botan::TLS::Connection_Cipher_State::aead_nonce(), BOTAN_ASSERT, CBC_MODE, Botan::Cipher_Mode::finish(), Botan::TLS::Connection_Cipher_State::format_ad(), MAX_CIPHERTEXT_SIZE, Botan::TLS::Connection_Cipher_State::nonce_bytes_from_handshake(), Botan::TLS::Connection_Cipher_State::nonce_bytes_from_record(), Botan::TLS::Connection_Cipher_State::nonce_format(), Botan::Cipher_Mode::output_length(), Botan::AEAD_Mode::set_associated_data(), and Botan::Cipher_Mode::start().

◆ write_unencrypted_record()

void Botan::TLS::write_unencrypted_record ( secure_vector< uint8_t > & write_buffer,
Record_Type record_type,
Protocol_Version record_version,
uint64_t record_sequence,
const uint8_t * message,
size_t message_len )

Create an initial (unencrypted) TLS handshake record

Parameters
write_bufferthe output record is placed here
record_typethe record layer type
record_versionthe record layer version
record_sequencethe record layer sequence number
messagethe record contents
message_lenis size of message

Definition at line 186 of file tls_record.cpp.

191 {
192 if(record_type == Record_Type::ApplicationData) {
193 throw Internal_Error("Writing an unencrypted TLS application data record");
194 }
195 write_record_header(output, record_type, version, record_sequence);
196 append_u16_len(output, message_len);
197 output.insert(output.end(), message, message + message_len);
198}

References ApplicationData.