Botan 3.9.0
Crypto and TLS for C&
Botan::TLS Namespace Reference

Namespaces

namespace  detail
namespace  Internal

Classes

class  Alert
class  Application_Layer_Protocol_Notification
class  BSI_TR_02102_2
class  Callbacks
class  Certificate_12
class  Certificate_13
class  Certificate_Authorities
class  Certificate_Request_12
class  Certificate_Request_13
class  Certificate_Status
class  Certificate_Status_Request
class  Certificate_Type_Base
class  Certificate_Verify
class  Certificate_Verify_12
class  Certificate_Verify_13
class  Change_Cipher_Spec
class  Channel
class  Channel_Impl
class  Channel_Impl_12
class  Channel_Impl_13
class  Cipher_State
class  Ciphersuite
class  Client
class  Client_Certificate_Type
class  Client_Hello
class  Client_Hello_12
class  Client_Hello_13
class  Client_Impl_12
class  Client_Impl_13
class  Client_Key_Exchange
class  Connection_Cipher_State
class  Connection_Sequence_Numbers
class  Datagram_Handshake_IO
class  Datagram_Policy
class  Datagram_Sequence_Numbers
class  EarlyDataIndication
class  Encrypt_then_MAC
class  Encrypted_Extensions
class  Extended_Master_Secret
class  Extension
class  Extensions
class  ExternalPSK
class  Finished
class  Finished_12
class  Finished_13
class  Group_Params
class  Handshake_Hash
class  Handshake_IO
class  Handshake_Layer
class  Handshake_Message
class  Handshake_State
class  Handshake_State_13
class  Handshake_Transitions
class  Hello_Request
class  Hello_Retry_Request
class  Hello_Verify_Request
class  Hybrid_KEM_PrivateKey
class  Hybrid_KEM_PublicKey
class  Key_Share
class  Key_Update
class  New_Session_Ticket_12
class  New_Session_Ticket_13
class  NSA_Suite_B_128
class  NSA_Suite_B_192
class  Policy
class  Protocol_Version
class  PSK
class  PSK_Key_Exchange_Modes
class  PskIdentity
struct  Record
class  Record_Header
class  Record_Layer
class  Record_Size_Limit
class  Renegotiation_Extension
class  Secret_Logger
class  Server
class  Server_Certificate_Type
class  Server_Hello
class  Server_Hello_12
class  Server_Hello_13
class  Server_Hello_Done
class  Server_Impl_12
class  Server_Impl_13
class  Server_Information
class  Server_Key_Exchange
class  Server_Name_Indicator
class  Session
class  Session_Base
class  Session_Handle
 Helper class to embody a session handle in all protocol versions. More...
class  Session_Keys
class  Session_Manager
class  Session_Manager_Hybrid
class  Session_Manager_In_Memory
class  Session_Manager_Noop
class  Session_Manager_SQL
class  Session_Manager_SQLite
class  Session_Manager_Stateless
class  Session_Summary
class  Session_Ticket_Extension
struct  Session_with_Handle
class  Signature_Algorithms
class  Signature_Algorithms_Cert
class  Signature_Scheme
class  SRTP_Protection_Profiles
class  Stream_Handshake_IO
class  Stream_Sequence_Numbers
class  Strict_Policy
class  Supported_Groups
class  Supported_Point_Formats
class  Supported_Versions
class  Text_Policy
class  TLS_CBC_HMAC_AEAD_Decryption
class  TLS_CBC_HMAC_AEAD_Encryption
class  TLS_CBC_HMAC_AEAD_Mode
class  TLS_Data_Reader
class  TLS_Exception
class  TLS_NULL_HMAC_AEAD_Decryption
class  TLS_NULL_HMAC_AEAD_Encryption
class  TLS_NULL_HMAC_AEAD_Mode
class  Transcript_Hash_State
class  Unexpected_Message
class  Unknown_Extension

Typedefs

using BytesNeeded = size_t
using Client_Handshake_13_Message
using Client_Handshake_13_Message_Ref = detail::as_wrapped_references_t<Client_Handshake_13_Message>
using Client_Handshake_State_13
using Client_Post_Handshake_13_Message = std::variant<Key_Update>
typedef Policy Default_Policy
typedef std::function< std::shared_ptr< Connection_Cipher_State >(uint16_t)> get_cipherstate_fn
using Handshake_Message_13
using Handshake_Message_13_Ref = detail::as_wrapped_references_t<Handshake_Message_13>
using Named_Group = Group_Params
using Opaque_Session_Handle = Strong<std::vector<uint8_t>, struct Opaque_Session_Handle_>
 holds an opaque session handle as used in TLS 1.3 that could be either a ticket for stateless resumption or a database handle.
using Post_Handshake_Message_13 = std::variant<New_Session_Ticket_13, Key_Update>
using PresharedKeyID = Strong<std::string, struct PresharedKeyID_>
 holds a PSK identity as used in TLS 1.3
using Server_Handshake_13_Message
using Server_Handshake_13_Message_Ref = detail::as_wrapped_references_t<Server_Handshake_13_Message>
using Server_Handshake_State_13
using Server_Post_Handshake_13_Message = std::variant<New_Session_Ticket_13, Key_Update>
using Session_ID = Strong<std::vector<uint8_t>, struct Session_ID_>
 holds a TLS 1.2 session ID for stateful resumption
using Session_Ticket = Strong<std::vector<uint8_t>, struct Session_Ticket_>
 holds a TLS 1.2 session ticket for stateless resumption
typedef PskIdentity Ticket
using Ticket_Nonce = Strong<std::vector<uint8_t>, struct Ticket_Nonce_>
 Used to derive the ticket's PSK from the resumption_master_secret.
using Transcript_Hash = std::vector<uint8_t>

Enumerations

enum class  AlertType : uint16_t {
  CloseNotify = 0 , UnexpectedMessage = 10 , BadRecordMac = 20 , DecryptionFailed = 21 ,
  RecordOverflow = 22 , DecompressionFailure = 30 , HandshakeFailure = 40 , NoCertificate = 41 ,
  BadCertificate = 42 , UnsupportedCertificate = 43 , CertificateRevoked = 44 , CertificateExpired = 45 ,
  CertificateUnknown = 46 , IllegalParameter = 47 , UnknownCA = 48 , AccessDenied = 49 ,
  DecodeError = 50 , DecryptError = 51 , ExportRestriction = 60 , ProtocolVersion = 70 ,
  InsufficientSecurity = 71 , InternalError = 80 , InappropriateFallback = 86 , UserCanceled = 90 ,
  NoRenegotiation = 100 , MissingExtension = 109 , UnsupportedExtension = 110 , CertificateUnobtainable = 111 ,
  UnrecognizedName = 112 , BadCertificateStatusResponse = 113 , BadCertificateHashValue = 114 , UnknownPSKIdentity = 115 ,
  CertificateRequired = 116 , NoApplicationProtocol = 120 , None = 256 , CLOSE_NOTIFY = CloseNotify ,
  NO_APPLICATION_PROTOCOL = NoApplicationProtocol , PROTOCOL_VERSION = ProtocolVersion
}
enum class  Auth_Method : uint32_t { RSA = 0 , ECDSA = 1 , UNDEFINED = 2 , IMPLICIT = 0x10000 }
enum class  Certificate_Type : uint8_t { X509 = 0 , RawPublicKey = 2 }
enum class  Cipher_Algo : uint8_t {
  CHACHA20_POLY1305 , AES_128_GCM , AES_256_GCM , AES_256_OCB ,
  CAMELLIA_128_GCM , CAMELLIA_256_GCM , ARIA_128_GCM , ARIA_256_GCM ,
  AES_128_CCM , AES_256_CCM , AES_128_CCM_8 , AES_256_CCM_8 ,
  AES_128_CBC_HMAC_SHA1 , AES_128_CBC_HMAC_SHA256 , AES_256_CBC_HMAC_SHA1 , AES_256_CBC_HMAC_SHA256 ,
  AES_256_CBC_HMAC_SHA384 , DES_EDE_CBC_HMAC_SHA1
}
enum class  Connection_Side : uint8_t { Client = 1 , Server = 2 , CLIENT = Client , SERVER = Server }
enum class  Extension_Code : uint16_t {
  ServerNameIndication = 0 , CertificateStatusRequest = 5 , SupportedGroups = 10 , EcPointFormats = 11 ,
  SignatureAlgorithms = 13 , CertSignatureAlgorithms = 50 , UseSrtp = 14 , ApplicationLayerProtocolNegotiation = 16 ,
  ClientCertificateType = 19 , ServerCertificateType = 20 , EncryptThenMac = 22 , ExtendedMasterSecret = 23 ,
  RecordSizeLimit = 28 , SessionTicket = 35 , SupportedVersions = 43 , PresharedKey = 41 ,
  EarlyData = 42 , Cookie = 44 , PskKeyExchangeModes = 45 , CertificateAuthorities = 47 ,
  KeyShare = 51 , SafeRenegotiation = 65281
}
enum class  Group_Params_Code : uint16_t {
  NONE = 0 , SECP256R1 = 23 , SECP384R1 = 24 , SECP521R1 = 25 ,
  BRAINPOOL256R1 = 26 , BRAINPOOL384R1 = 27 , BRAINPOOL512R1 = 28 , X25519 = 29 ,
  X448 = 30 , FFDHE_2048 = 256 , FFDHE_3072 = 257 , FFDHE_4096 = 258 ,
  FFDHE_6144 = 259 , FFDHE_8192 = 260 , ML_KEM_512 = 0x0200 , ML_KEM_768 = 0x0201 ,
  ML_KEM_1024 = 0x0202 , eFRODOKEM_640_SHAKE_OQS = 0xFE03 , eFRODOKEM_976_SHAKE_OQS = 0xFE09 , eFRODOKEM_1344_SHAKE_OQS = 0xFE0E ,
  eFRODOKEM_640_AES_OQS = 0xFE00 , eFRODOKEM_976_AES_OQS = 0xFE06 , eFRODOKEM_1344_AES_OQS = 0xFE0C , HYBRID_SECP256R1_ML_KEM_768 = 0x11EB ,
  HYBRID_SECP384R1_ML_KEM_1024 = 0x11ED , HYBRID_X25519_ML_KEM_768 = 0x11EC , HYBRID_X25519_eFRODOKEM_640_SHAKE_OQS = 0xFE05 , HYBRID_X25519_eFRODOKEM_640_AES_OQS = 0xFE02 ,
  HYBRID_X448_eFRODOKEM_976_SHAKE_OQS = 0xFE0B , HYBRID_X448_eFRODOKEM_976_AES_OQS = 0xFE08 , HYBRID_SECP256R1_eFRODOKEM_640_SHAKE_OQS = 0xFE04 , HYBRID_SECP256R1_eFRODOKEM_640_AES_OQS = 0xFE01 ,
  HYBRID_SECP384R1_eFRODOKEM_976_SHAKE_OQS = 0xFE0A , HYBRID_SECP384R1_eFRODOKEM_976_AES_OQS = 0xFE07 , HYBRID_SECP521R1_eFRODOKEM_1344_SHAKE_OQS = 0xFE0F , HYBRID_SECP521R1_eFRODOKEM_1344_AES_OQS = 0xFE0D
}
enum class  Handshake_Type : uint8_t {
  HelloRequest = 0 , ClientHello = 1 , ServerHello = 2 , HelloVerifyRequest = 3 ,
  NewSessionTicket = 4 , EndOfEarlyData = 5 , EncryptedExtensions = 8 , Certificate = 11 ,
  ServerKeyExchange = 12 , CertificateRequest = 13 , ServerHelloDone = 14 , CertificateVerify = 15 ,
  ClientKeyExchange = 16 , Finished = 20 , CertificateUrl = 21 , CertificateStatus = 22 ,
  KeyUpdate = 24 , HelloRetryRequest = 253 , HandshakeCCS = 254 , None = 255
}
enum class  KDF_Algo : uint8_t { SHA_1 , SHA_256 , SHA_384 }
enum class  Kex_Algo : uint8_t {
  STATIC_RSA , DH , ECDH , PSK ,
  ECDHE_PSK , DHE_PSK , KEM , KEM_PSK ,
  HYBRID , HYBRID_PSK , UNDEFINED
}
enum class  Nonce_Format : uint8_t { CBC_MODE , AEAD_IMPLICIT_4 , AEAD_XOR_12 , NULL_CIPHER }
enum class  PSK_Key_Exchange_Mode : uint8_t { PSK_KE = 0 , PSK_DHE_KE = 1 }
enum class  Record_Type : uint8_t {
  Invalid = 0 , ChangeCipherSpec = 20 , Alert = 21 , Handshake = 22 ,
  ApplicationData = 23 , Heartbeat = 24
}
enum  Size_Limits : size_t {
  TLS_HEADER_SIZE = 5 , DTLS_HEADER_SIZE = TLS_HEADER_SIZE + 8 , MAX_PLAINTEXT_SIZE = 16 * 1024 , MAX_COMPRESSED_SIZE = MAX_PLAINTEXT_SIZE + 1024 ,
  MAX_CIPHERTEXT_SIZE = MAX_COMPRESSED_SIZE + 1024 , MAX_AEAD_EXPANSION_SIZE_TLS13 = 255 , MAX_CIPHERTEXT_SIZE_TLS13 = MAX_PLAINTEXT_SIZE + MAX_AEAD_EXPANSION_SIZE_TLS13 + 1
}
enum class  Version_Code : uint16_t {
  TLS_V11 = 0x0302 , TLS_V12 = 0x0303 , TLS_V13 = 0x0304 , DTLS_V12 = 0xFEFD ,
  DTLS_V13 = 0xFEFC
}

Functions

template<typename T, typename Alloc, typename Alloc2>
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, const std::vector< T, Alloc2 > &vals, size_t tag_size)
template<typename T, typename Alloc>
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
template<typename T, typename Alloc>
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, std::span< const T > vals, size_t tag_size)
template<typename Alloc>
void append_tls_length_value (std::vector< uint8_t, Alloc > &buf, std::string_view str, size_t tag_size)
Auth_Method auth_method_from_string (std::string_view str)
std::string auth_method_to_string (Auth_Method method)
Certificate_Type certificate_type_from_string (const std::string &type_str)
std::string certificate_type_to_string (Certificate_Type type)
uint16_t check_tls_cbc_padding (const uint8_t record[], size_t record_len)
const char * handshake_type_to_string (Handshake_Type type)
std::string kdf_algo_to_string (KDF_Algo algo)
Kex_Algo kex_method_from_string (std::string_view str)
std::string kex_method_to_string (Kex_Algo method)
bool key_exchange_is_psk (Kex_Algo m)
std::vector< uint8_t > make_hello_random (RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
bool operator!= (const Server_Information &a, const Server_Information &b)
bool operator< (const Server_Information &a, const Server_Information &b)
auto operator< (const Session_ID &id1, const Session_ID &id2)
bool operator== (const Server_Information &a, const Server_Information &b)
Record_Header read_record (bool is_datagram, secure_vector< uint8_t > &readbuf, const uint8_t input[], size_t input_len, size_t &consumed, secure_vector< uint8_t > &recbuf, Connection_Sequence_Numbers *sequence_numbers, const get_cipherstate_fn &get_cipherstate, bool allow_epoch0_restart)
std::vector< AlgorithmIdentifierto_algorithm_identifiers (const std::vector< Signature_Scheme > &schemes)
void write_record (secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len, Connection_Cipher_State &cs, RandomNumberGenerator &rng)
void write_unencrypted_record (secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len)

Detailed Description

Cipher_State state machine adapted from RFC 8446 7.1.

                                0
                                |
                                v
                      PSK ->  HKDF-Extract = Early Secret
                                |
                                +-----> Derive-Secret(., "ext binder" | "res binder", "")
                                |                     = binder_key
                         STATE PSK BINDER

This state is reached by constructing the Cipher_State using init_with_psk(). The state can then be further advanced using advance_with_client_hello() once the initial Client Hello is fully generated. | +-----> Derive-Secret(., "c e traffic", ClientHello) | = client_early_traffic_secret | +-----> Derive-Secret(., "e exp master", ClientHello) | = early_exporter_master_secret v Derive-Secret(., "derived", "") |

  • STATE EARLY TRAFFIC This state is reached by calling advance_with_client_hello(). In this state the early data traffic secrets are available. TODO: implement early data. The state can then be further advanced using advance_with_server_hello().
  • | v (EC)DHE -> HKDF-Extract = Handshake Secret | +-----> Derive-Secret(., "c hs traffic", | ClientHello...ServerHello) | = client_handshake_traffic_secret | +-----> Derive-Secret(., "s hs traffic", | ClientHello...ServerHello) | = server_handshake_traffic_secret v Derive-Secret(., "derived", "") |
  • STATE HANDSHAKE TRAFFIC This state is reached by constructing Cipher_State using init_with_server_hello() or advance_with_server_hello(). In this state the handshake traffic secrets are available. The state can then be further advanced using advance_with_server_finished().
  • | v 0 -> HKDF-Extract = Master Secret | +-----> Derive-Secret(., "c ap traffic", | ClientHello...server Finished) | = client_application_traffic_secret_0 | +-----> Derive-Secret(., "s ap traffic", | ClientHello...server Finished) | = server_application_traffic_secret_0 | +-----> Derive-Secret(., "exp master", | ClientHello...server Finished) | = exporter_master_secret
  • STATE SERVER APPLICATION TRAFFIC This state is reached by calling advance_with_server_finished(). It allows the server to send application traffic and the client to receive it. The opposite direction is not yet possible in this state. The state can then be further advanced using advance_with_client_finished().
  • | +-----> Derive-Secret(., "res master", ClientHello...client Finished) = resumption_master_secret STATE COMPLETED Once this state is reached the handshake is finished, both client and server can exchange application data and no further cipher state advances are possible.

Wrapper type for a TLS 1.3 session ticket (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Composite key pair that exposes the Public/Private key API but combines multiple key agreement schemes into a hybrid algorithm.

(C) 2023 Jack Lloyd 2023 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Manger base class implementations (C) 2011-2023 Jack Lloyd 2022-2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Hybrid Session Manager that emits both IDs and Tickets (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Session Management (C) 2011,2012 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

TLS Stateless Session Manager for stateless servers (C) 2023 Jack Lloyd 2023 René Meusel - Rohde & Schwarz Cybersecurity

Botan is released under the Simplified BSD License (see license.txt)

Typedef Documentation

◆ BytesNeeded

using Botan::TLS::BytesNeeded = size_t

Definition at line 38 of file tls_record_layer_13.h.

◆ Client_Handshake_13_Message

◆ Client_Handshake_13_Message_Ref

◆ Client_Handshake_State_13

Initial value:
std::variant< Client_Hello_13, Client_Hello_12, Certificate_13, Certificate_Verify_13, Finished_13 > Client_Handshake_13_Message
std::variant< Server_Hello_13, Server_Hello_12, Hello_Retry_Request, Encrypted_Extensions, Certificate_13, Certificate_Request_13, Certificate_Verify_13, Finished_13 > Server_Handshake_13_Message
std::variant< New_Session_Ticket_13, Key_Update > Server_Post_Handshake_13_Message

Definition at line 181 of file tls_handshake_state_13.h.

◆ Client_Post_Handshake_13_Message

Definition at line 1074 of file tls_messages.h.

◆ Default_Policy

Definition at line 567 of file tls_policy.h.

◆ get_cipherstate_fn

typedef std::function<std::shared_ptr<Connection_Cipher_State>(uint16_t)> Botan::TLS::get_cipherstate_fn

Definition at line 140 of file tls_record.h.

◆ Handshake_Message_13

◆ Handshake_Message_13_Ref

◆ Named_Group

Definition at line 559 of file tls_extensions.h.

◆ Opaque_Session_Handle

using Botan::TLS::Opaque_Session_Handle = Strong<std::vector<uint8_t>, struct Opaque_Session_Handle_>

holds an opaque session handle as used in TLS 1.3 that could be either a ticket for stateless resumption or a database handle.

Definition at line 38 of file tls_session.h.

◆ Post_Handshake_Message_13

◆ PresharedKeyID

using Botan::TLS::PresharedKeyID = Strong<std::string, struct PresharedKeyID_>

holds a PSK identity as used in TLS 1.3

Definition at line 23 of file tls_psk_identity_13.h.

◆ Server_Handshake_13_Message

◆ Server_Handshake_13_Message_Ref

◆ Server_Handshake_State_13

◆ Server_Post_Handshake_13_Message

◆ Session_ID

using Botan::TLS::Session_ID = Strong<std::vector<uint8_t>, struct Session_ID_>

holds a TLS 1.2 session ID for stateful resumption

Definition at line 31 of file tls_session.h.

◆ Session_Ticket

using Botan::TLS::Session_Ticket = Strong<std::vector<uint8_t>, struct Session_Ticket_>

holds a TLS 1.2 session ticket for stateless resumption

Definition at line 34 of file tls_session.h.

◆ Ticket

Botan 3.0.0 used the class name "Ticket". In Botan 3.1.0 we decided to re-name it to the more generic term "PskIdentity" to better reflect its dual use case for resumption and externally provided PSKs.

Definition at line 72 of file tls_psk_identity_13.h.

◆ Ticket_Nonce

using Botan::TLS::Ticket_Nonce = Strong<std::vector<uint8_t>, struct Ticket_Nonce_>

Used to derive the ticket's PSK from the resumption_master_secret.

Definition at line 966 of file tls_messages.h.

◆ Transcript_Hash

using Botan::TLS::Transcript_Hash = std::vector<uint8_t>

Definition at line 81 of file tls_magic.h.

Enumeration Type Documentation

◆ AlertType

enum class Botan::TLS::AlertType : uint16_t
strong

Type codes for TLS alerts

The enumeration value matches the wire encoding

Enumerator
CloseNotify 
UnexpectedMessage 
BadRecordMac 
DecryptionFailed 
RecordOverflow 
DecompressionFailure 
HandshakeFailure 
NoCertificate 
BadCertificate 
UnsupportedCertificate 
CertificateRevoked 
CertificateExpired 
CertificateUnknown 
IllegalParameter 
UnknownCA 
AccessDenied 
DecodeError 
DecryptError 
ExportRestriction 
ProtocolVersion 
InsufficientSecurity 
InternalError 
InappropriateFallback 
UserCanceled 
NoRenegotiation 
MissingExtension 
UnsupportedExtension 
CertificateUnobtainable 
UnrecognizedName 
BadCertificateStatusResponse 
BadCertificateHashValue 
UnknownPSKIdentity 
CertificateRequired 
NoApplicationProtocol 
None 
CLOSE_NOTIFY 
NO_APPLICATION_PROTOCOL 
PROTOCOL_VERSION 

Definition at line 21 of file tls_alert.h.

21 : uint16_t {
22 CloseNotify = 0,
24 BadRecordMac = 20,
26 RecordOverflow = 22,
29 NoCertificate = 41, // SSLv3 only
30 BadCertificate = 42,
36 UnknownCA = 48,
37 AccessDenied = 49,
38 DecodeError = 50,
39 DecryptError = 51,
41 ProtocolVersion = 70,
43 InternalError = 80,
45 UserCanceled = 90,
46 NoRenegotiation = 100,
47 MissingExtension = 109, // RFC 8446
50 UnrecognizedName = 112,
54 CertificateRequired = 116, // RFC 8446
55 NoApplicationProtocol = 120, // RFC 7301
56
57 // pseudo alert values
58 None = 256,
59
60 // Compat enum variants, will be removed in a future major release
61 CLOSE_NOTIFY BOTAN_DEPRECATED("Use CloseNotify") = CloseNotify,
63 PROTOCOL_VERSION BOTAN_DEPRECATED("Use ProtocolVersion") = ProtocolVersion,
64};
#define BOTAN_DEPRECATED(msg)
Definition api.h:73

◆ Auth_Method

enum class Botan::TLS::Auth_Method : uint32_t
strong
Enumerator
RSA 
ECDSA 
UNDEFINED 
IMPLICIT 

Definition at line 66 of file tls_algos.h.

66 : uint32_t {
67 RSA = 0,
68 ECDSA = 1,
69
70 // To support TLS 1.3 ciphersuites, which do not determine the auth method
71 UNDEFINED = 2,
72
73 // These are placed outside the encodable range
74 IMPLICIT = 0x10000
75};

◆ Certificate_Type

enum class Botan::TLS::Certificate_Type : uint8_t
strong
Enumerator
X509 
RawPublicKey 

Definition at line 204 of file tls_extensions.h.

◆ Cipher_Algo

enum class Botan::TLS::Cipher_Algo : uint8_t
strong
Enumerator
CHACHA20_POLY1305 
AES_128_GCM 
AES_256_GCM 
AES_256_OCB 
CAMELLIA_128_GCM 
CAMELLIA_256_GCM 
ARIA_128_GCM 
ARIA_256_GCM 
AES_128_CCM 
AES_256_CCM 
AES_128_CCM_8 
AES_256_CCM_8 
AES_128_CBC_HMAC_SHA1 
AES_128_CBC_HMAC_SHA256 
AES_256_CBC_HMAC_SHA1 
AES_256_CBC_HMAC_SHA256 
AES_256_CBC_HMAC_SHA384 
DES_EDE_CBC_HMAC_SHA1 

Definition at line 21 of file tls_algos.h.

21 : uint8_t {
23
26
28
31
34
39
45
47};

◆ Connection_Side

enum class Botan::TLS::Connection_Side : uint8_t
strong
Enumerator
Client 
Server 
CLIENT 
SERVER 

Definition at line 43 of file tls_magic.h.

43 : uint8_t {
44 Client = 1,
45 Server = 2,
46
47 CLIENT BOTAN_DEPRECATED("Use Connection_Side::Client") = Client,
48 SERVER BOTAN_DEPRECATED("Use Connection_Side::Server") = Server,
49};

◆ Extension_Code

enum class Botan::TLS::Extension_Code : uint16_t
strong
Enumerator
ServerNameIndication 
CertificateStatusRequest 
SupportedGroups 
EcPointFormats 
SignatureAlgorithms 
CertSignatureAlgorithms 
UseSrtp 
ApplicationLayerProtocolNegotiation 
ClientCertificateType 
ServerCertificateType 
EncryptThenMac 
ExtendedMasterSecret 
RecordSizeLimit 
SessionTicket 
SupportedVersions 
PresharedKey 
EarlyData 
Cookie 
PskKeyExchangeModes 
CertificateAuthorities 
KeyShare 
SafeRenegotiation 

Definition at line 52 of file tls_extensions.h.

52 : uint16_t {
55
56 SupportedGroups = 10,
57 EcPointFormats = 11,
60 UseSrtp = 14,
62
63 // SignedCertificateTimestamp = 18, // NYI
64
65 // RFC 7250 (Raw Public Keys in TLS)
68
69 EncryptThenMac = 22,
71
72 RecordSizeLimit = 28,
73
74 SessionTicket = 35,
75
77#if defined(BOTAN_HAS_TLS_13)
78 PresharedKey = 41,
79 EarlyData = 42,
80 Cookie = 44,
81
84 // OidFilters = 48, // NYI
85
86 KeyShare = 51,
87#endif
88
89 SafeRenegotiation = 65281,
90};

◆ Group_Params_Code

enum class Botan::TLS::Group_Params_Code : uint16_t
strong
Enumerator
NONE 
SECP256R1 
SECP384R1 
SECP521R1 
BRAINPOOL256R1 
BRAINPOOL384R1 
BRAINPOOL512R1 
X25519 
X448 
FFDHE_2048 
FFDHE_3072 
FFDHE_4096 
FFDHE_6144 
FFDHE_8192 
ML_KEM_512 
ML_KEM_768 
ML_KEM_1024 
eFRODOKEM_640_SHAKE_OQS 
eFRODOKEM_976_SHAKE_OQS 
eFRODOKEM_1344_SHAKE_OQS 
eFRODOKEM_640_AES_OQS 
eFRODOKEM_976_AES_OQS 
eFRODOKEM_1344_AES_OQS 
HYBRID_SECP256R1_ML_KEM_768 
HYBRID_SECP384R1_ML_KEM_1024 
HYBRID_X25519_ML_KEM_768 
HYBRID_X25519_eFRODOKEM_640_SHAKE_OQS 
HYBRID_X25519_eFRODOKEM_640_AES_OQS 
HYBRID_X448_eFRODOKEM_976_SHAKE_OQS 
HYBRID_X448_eFRODOKEM_976_AES_OQS 
HYBRID_SECP256R1_eFRODOKEM_640_SHAKE_OQS 
HYBRID_SECP256R1_eFRODOKEM_640_AES_OQS 
HYBRID_SECP384R1_eFRODOKEM_976_SHAKE_OQS 
HYBRID_SECP384R1_eFRODOKEM_976_AES_OQS 
HYBRID_SECP521R1_eFRODOKEM_1344_SHAKE_OQS 
HYBRID_SECP521R1_eFRODOKEM_1344_AES_OQS 

Definition at line 83 of file tls_algos.h.

83 : uint16_t {
84 NONE = 0,
85
86 SECP256R1 = 23,
87 SECP384R1 = 24,
88 SECP521R1 = 25,
89 BRAINPOOL256R1 = 26,
90 BRAINPOOL384R1 = 27,
91 BRAINPOOL512R1 = 28,
92
93 X25519 = 29,
94 X448 = 30,
95
96 FFDHE_2048 = 256,
97 FFDHE_3072 = 257,
98 FFDHE_4096 = 258,
99 FFDHE_6144 = 259,
100 FFDHE_8192 = 260,
101
102 // https://datatracker.ietf.org/doc/draft-connolly-tls-mlkem-key-agreement/05/
103 ML_KEM_512 = 0x0200,
104 ML_KEM_768 = 0x0201,
105 ML_KEM_1024 = 0x0202,
106
107 // libOQS defines those in:
108 // https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md
109 // (last update: 6th June 2025 - matching oqs commit 9447f68)
113 eFRODOKEM_640_AES_OQS = 0xFE00,
114 eFRODOKEM_976_AES_OQS = 0xFE06,
115 eFRODOKEM_1344_AES_OQS = 0xFE0C,
116
117 // https://datatracker.ietf.org/doc/draft-kwiatkowski-tls-ecdhe-mlkem/03/
121
122 // https://github.com/open-quantum-safe/oqs-provider/blob/main/ALGORITHMS.md
123 // (last update: 6th June 2025 - matching oqs commit 9447f68)
126
129
132
135
138};
@ NONE
Definition filter.h:167

◆ Handshake_Type

enum class Botan::TLS::Handshake_Type : uint8_t
strong
Enumerator
HelloRequest 
ClientHello 
ServerHello 
HelloVerifyRequest 
NewSessionTicket 
EndOfEarlyData 
EncryptedExtensions 
Certificate 
ServerKeyExchange 
CertificateRequest 
ServerHelloDone 
CertificateVerify 
ClientKeyExchange 
Finished 
CertificateUrl 
CertificateStatus 
KeyUpdate 
HelloRetryRequest 
HandshakeCCS 
None 

Definition at line 51 of file tls_magic.h.

51 : uint8_t {
52 HelloRequest = 0,
53 ClientHello = 1,
54 ServerHello = 2,
56 NewSessionTicket = 4, // RFC 5077
57
58 EndOfEarlyData = 5, // RFC 8446 (TLS 1.3)
59 EncryptedExtensions = 8, // RFC 8446 (TLS 1.3)
60
61 Certificate = 11,
64 ServerHelloDone = 14,
67 Finished = 20,
68
69 CertificateUrl = 21,
71
72 KeyUpdate = 24, // RFC 8446 (TLS 1.3)
73
74 HelloRetryRequest = 253, // Not a wire value (HRR appears as an ordinary Server Hello)
75 HandshakeCCS = 254, // Not a wire value (TLS 1.3 uses this value for 'message_hash' -- RFC 8446 4.4.1)
76 None = 255 // Null value
77};

◆ KDF_Algo

enum class Botan::TLS::KDF_Algo : uint8_t
strong
Enumerator
SHA_1 
SHA_256 
SHA_384 

Definition at line 49 of file tls_algos.h.

◆ Kex_Algo

enum class Botan::TLS::Kex_Algo : uint8_t
strong
Enumerator
STATIC_RSA 
DH 
ECDH 
PSK 
ECDHE_PSK 
DHE_PSK 
KEM 
KEM_PSK 
HYBRID 
HYBRID_PSK 
UNDEFINED 

Definition at line 258 of file tls_algos.h.

258 : uint8_t {
260 DH,
261 ECDH,
262 PSK,
263 ECDHE_PSK,
264 DHE_PSK,
265 KEM,
266 KEM_PSK,
267 HYBRID,
269
270 // To support TLS 1.3 ciphersuites, which do not determine the kex algo
272};

◆ Nonce_Format

enum class Botan::TLS::Nonce_Format : uint8_t
strong
Enumerator
CBC_MODE 
AEAD_IMPLICIT_4 
AEAD_XOR_12 
NULL_CIPHER 

Definition at line 57 of file tls_algos.h.

◆ PSK_Key_Exchange_Mode

enum class Botan::TLS::PSK_Key_Exchange_Mode : uint8_t
strong
Enumerator
PSK_KE 
PSK_DHE_KE 

Definition at line 46 of file tls_extensions.h.

◆ Record_Type

enum class Botan::TLS::Record_Type : uint8_t
strong
Enumerator
Invalid 
ChangeCipherSpec 
Alert 
Handshake 
ApplicationData 
Heartbeat 

Definition at line 33 of file tls_channel_impl.h.

33 : uint8_t {
34 Invalid = 0, // RFC 8446 (TLS 1.3)
35
37 Alert = 21,
38 Handshake = 22,
39 ApplicationData = 23,
40
41 Heartbeat = 24, // RFC 6520 (TLS 1.3)
42};

◆ Size_Limits

enum Botan::TLS::Size_Limits : size_t

Protocol Constants for SSL/TLS

TODO: this should not be an enum

Enumerator
TLS_HEADER_SIZE 
DTLS_HEADER_SIZE 
MAX_PLAINTEXT_SIZE 
MAX_COMPRESSED_SIZE 
MAX_CIPHERTEXT_SIZE 
MAX_AEAD_EXPANSION_SIZE_TLS13 
MAX_CIPHERTEXT_SIZE_TLS13 

Definition at line 24 of file tls_magic.h.

24 : size_t /* NOLINT(*-enum-size) */ {
27
28 // The "TLSInnerPlaintext" length, i.e. the maximum amount of plaintext
29 // application data that can be transmitted in a single TLS record.
30 MAX_PLAINTEXT_SIZE = 16 * 1024,
31
34
35 // RFC 8446 5.2:
36 // This limit is derived from the maximum TLSInnerPlaintext length of 2^14
37 // octets + 1 octet for ContentType + the maximum AEAD expansion of 255
38 // octets.
41};
@ MAX_CIPHERTEXT_SIZE
Definition tls_magic.h:33
@ MAX_PLAINTEXT_SIZE
Definition tls_magic.h:30
@ MAX_CIPHERTEXT_SIZE_TLS13
Definition tls_magic.h:40
@ MAX_AEAD_EXPANSION_SIZE_TLS13
Definition tls_magic.h:39
@ TLS_HEADER_SIZE
Definition tls_magic.h:25
@ MAX_COMPRESSED_SIZE
Definition tls_magic.h:32
@ DTLS_HEADER_SIZE
Definition tls_magic.h:26

◆ Version_Code

enum class Botan::TLS::Version_Code : uint16_t
strong
Enumerator
TLS_V11 

TLSv1.1 (no longer supported)

TLS_V12 

TLSv1.2.

TLS_V13 

TLSv1.3.

DTLS_V12 

DTLSv1.2.

DTLS_V13 

DTLSv1.3 (not supported yet)

Definition at line 18 of file tls_version.h.

18 : uint16_t {
19 /// TLSv1.1 (no longer supported)
20 TLS_V11 = 0x0302,
21 /// TLSv1.2
22 TLS_V12 = 0x0303,
23 /// TLSv1.3
24 TLS_V13 = 0x0304,
25 /// DTLSv1.2
26 DTLS_V12 = 0xFEFD,
27 /// DTLSv1.3 (not supported yet)
28 DTLS_V13 = 0xFEFC,
29};
@ TLS_V11
TLSv1.1 (no longer supported)
Definition tls_version.h:20
@ DTLS_V13
DTLSv1.3 (not supported yet)
Definition tls_version.h:28

Function Documentation

◆ append_tls_length_value() [1/4]

template<typename T, typename Alloc, typename Alloc2>
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
const std::vector< T, Alloc2 > & vals,
size_t tag_size )
inline

Definition at line 217 of file tls_reader.h.

219 {
220 append_tls_length_value(buf, std::span{vals}, tag_size);
221}
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:184

References append_tls_length_value().

◆ append_tls_length_value() [2/4]

template<typename T, typename Alloc>
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
const T * vals,
size_t vals_size,
size_t tag_size )
inline

Helper function for encoding length-tagged vectors

Definition at line 184 of file tls_reader.h.

187 {
188 const size_t T_size = sizeof(T);
189 const size_t val_bytes = T_size * vals_size;
190
191 if(tag_size != 1 && tag_size != 2 && tag_size != 3) {
192 throw Invalid_Argument("append_tls_length_value: invalid tag size");
193 }
194
195 if((tag_size == 1 && val_bytes > 255) || (tag_size == 2 && val_bytes > 65535) ||
196 (tag_size == 3 && val_bytes > 16777215)) {
197 throw Invalid_Argument("append_tls_length_value: value too large");
198 }
199
200 for(size_t i = 0; i != tag_size; ++i) {
201 buf.push_back(get_byte_var(sizeof(val_bytes) - tag_size + i, val_bytes));
202 }
203
204 for(size_t i = 0; i != vals_size; ++i) {
205 for(size_t j = 0; j != T_size; ++j) {
206 buf.push_back(get_byte_var(j, vals[i]));
207 }
208 }
209}
constexpr uint8_t get_byte_var(size_t byte_num, T input)
Definition loadstor.h:69

References Botan::get_byte_var().

Referenced by append_tls_length_value(), append_tls_length_value(), append_tls_length_value(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), Botan::TLS::Application_Layer_Protocol_Notification::serialize(), Botan::TLS::Certificate_13::serialize(), Botan::TLS::Certificate_Authorities::serialize(), Botan::TLS::Certificate_Request_12::serialize(), Botan::TLS::Certificate_Request_13::serialize(), Botan::TLS::Certificate_Type_Base::serialize(), Botan::TLS::Client_Hello::serialize(), Botan::TLS::New_Session_Ticket_12::serialize(), Botan::TLS::New_Session_Ticket_13::serialize(), Botan::TLS::PSK::serialize(), Botan::TLS::Renegotiation_Extension::serialize(), Botan::TLS::Server_Hello::serialize(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().

◆ append_tls_length_value() [3/4]

template<typename T, typename Alloc>
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
std::span< const T > vals,
size_t tag_size )
inline

Definition at line 212 of file tls_reader.h.

212 {
213 append_tls_length_value(buf, vals.data(), vals.size(), tag_size);
214}

References append_tls_length_value().

◆ append_tls_length_value() [4/4]

template<typename Alloc>
void Botan::TLS::append_tls_length_value ( std::vector< uint8_t, Alloc > & buf,
std::string_view str,
size_t tag_size )
inline

Definition at line 224 of file tls_reader.h.

224 {
225 append_tls_length_value(buf, as_span_of_bytes(str), tag_size);
226}
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:28

References append_tls_length_value(), and Botan::as_span_of_bytes().

◆ auth_method_from_string()

Auth_Method BOTAN_TEST_API Botan::TLS::auth_method_from_string ( std::string_view str)

Definition at line 120 of file tls_algos.cpp.

120 {
121 if(str == "RSA") {
122 return Auth_Method::RSA;
123 }
124 if(str == "ECDSA") {
125 return Auth_Method::ECDSA;
126 }
127 if(str == "IMPLICIT") {
129 }
130 if(str == "UNDEFINED") {
132 }
133
134 throw Invalid_Argument(fmt("Unknown TLS signature method '{}'", str));
135}
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53

References ECDSA, Botan::fmt(), IMPLICIT, RSA, and UNDEFINED.

◆ auth_method_to_string()

std::string BOTAN_TEST_API Botan::TLS::auth_method_to_string ( Auth_Method method)

Definition at line 105 of file tls_algos.cpp.

105 {
106 switch(method) {
107 case Auth_Method::RSA:
108 return "RSA";
110 return "ECDSA";
112 return "IMPLICIT";
114 return "UNDEFINED";
115 }
116
117 throw Invalid_State("auth_method_to_string unknown enum value");
118}

References ECDSA, IMPLICIT, RSA, and UNDEFINED.

Referenced by Botan::TLS::Ciphersuite::sig_algo().

◆ certificate_type_from_string()

Certificate_Type Botan::TLS::certificate_type_from_string ( const std::string & type_str)

Definition at line 388 of file tls_extensions.cpp.

388 {
389 if(type_str == "X509") {
391 } else if(type_str == "RawPublicKey") {
393 } else {
394 throw Decoding_Error("Unknown certificate type: " + type_str);
395 }
396}

References RawPublicKey, and X509.

Referenced by Botan::TLS::Text_Policy::read_cert_type_list().

◆ certificate_type_to_string()

std::string Botan::TLS::certificate_type_to_string ( Certificate_Type type)

Definition at line 377 of file tls_extensions.cpp.

377 {
378 switch(type) {
380 return "X509";
382 return "RawPublicKey";
383 }
384
385 return "Unknown";
386}

References RawPublicKey, and X509.

Referenced by Botan::TLS::Certificate_Type_Base::validate_selection().

◆ check_tls_cbc_padding()

BOTAN_TEST_API uint16_t Botan::TLS::check_tls_cbc_padding ( const uint8_t record[],
size_t record_len )

Check the TLS padding of a record

Parameters
recordthe record bits
record_lenlength of record
Returns
0 if padding is invalid, otherwise padding_bytes + 1

Definition at line 236 of file tls_cbc.cpp.

236 {
237 if(record_len == 0 || record_len > 0xFFFF) {
238 return 0;
239 }
240
241 const uint16_t rec16 = static_cast<uint16_t>(record_len);
242
243 /*
244 * TLS v1.0 and up require all the padding bytes be the same value
245 * and allows up to 255 bytes.
246 */
247
248 const uint16_t to_check = std::min<uint16_t>(256, static_cast<uint16_t>(record_len));
249 const uint8_t pad_byte = record[record_len - 1];
250 const uint16_t pad_bytes = 1 + pad_byte;
251
252 auto pad_invalid = CT::Mask<uint16_t>::is_lt(rec16, pad_bytes);
253
254 for(uint16_t i = rec16 - to_check; i != rec16; ++i) {
255 const uint16_t offset = rec16 - i;
256 const auto in_pad_range = CT::Mask<uint16_t>::is_lte(offset, pad_bytes);
257 const auto pad_correct = CT::Mask<uint16_t>::is_equal(record[i], pad_byte);
258 pad_invalid |= in_pad_range & ~pad_correct;
259 }
260
261 return pad_invalid.if_not_set_return(pad_bytes);
262}
static constexpr Mask< T > is_lte(T x, T y)
Definition ct_utils.h:491
static constexpr Mask< T > is_equal(T x, T y)
Definition ct_utils.h:470
static constexpr Mask< T > is_lt(T x, T y)
Definition ct_utils.h:478

References Botan::CT::Mask< T >::is_equal(), Botan::CT::Mask< T >::is_lt(), and Botan::CT::Mask< T >::is_lte().

◆ handshake_type_to_string()

BOTAN_TEST_API const char * Botan::TLS::handshake_type_to_string ( Handshake_Type type)

Definition at line 23 of file tls_handshake_state.cpp.

23 {
24 switch(type) {
26 return "hello_verify_request";
27
29 return "hello_request";
30
32 return "client_hello";
33
35 return "server_hello";
36
38 return "hello_retry_request";
39
41 return "certificate";
42
44 return "certificate_url";
45
47 return "certificate_status";
48
50 return "server_key_exchange";
51
53 return "certificate_request";
54
56 return "server_hello_done";
57
59 return "certificate_verify";
60
62 return "client_key_exchange";
63
65 return "new_session_ticket";
66
68 return "change_cipher_spec";
69
71 return "finished";
72
74 return "end_of_early_data";
75
77 return "encrypted_extensions";
78
80 return "key_update";
81
83 return "invalid";
84 }
85
86 throw TLS_Exception(Alert::UnexpectedMessage,
87 "Unknown TLS handshake message type " + std::to_string(static_cast<size_t>(type)));
88}

References Certificate, CertificateRequest, CertificateStatus, CertificateUrl, CertificateVerify, ClientHello, ClientKeyExchange, EncryptedExtensions, EndOfEarlyData, Finished, HandshakeCCS, HelloRequest, HelloRetryRequest, HelloVerifyRequest, KeyUpdate, NewSessionTicket, None, ServerHello, ServerHelloDone, and ServerKeyExchange.

Referenced by Botan::TLS::Handshake_Transitions::confirm_transition_to(), Botan::TLS::Key_Share::Key_Share(), and Botan::TLS::Handshake_Message::type_string().

◆ kdf_algo_to_string()

std::string BOTAN_DLL Botan::TLS::kdf_algo_to_string ( KDF_Algo algo)

Definition at line 15 of file tls_algos.cpp.

15 {
16 switch(algo) {
17 case KDF_Algo::SHA_1:
18 return "SHA-1";
20 return "SHA-256";
22 return "SHA-384";
23 }
24
25 throw Invalid_State("kdf_algo_to_string unknown enum value");
26}

References SHA_1, SHA_256, and SHA_384.

Referenced by Botan::TLS::Ciphersuite::prf_algo().

◆ kex_method_from_string()

Kex_Algo BOTAN_TEST_API Botan::TLS::kex_method_from_string ( std::string_view str)

Definition at line 57 of file tls_algos.cpp.

57 {
58 if(str == "RSA") {
60 }
61
62 if(str == "DH") {
63 return Kex_Algo::DH;
64 }
65
66 if(str == "ECDH") {
67 return Kex_Algo::ECDH;
68 }
69
70 if(str == "PSK") {
71 return Kex_Algo::PSK;
72 }
73
74 if(str == "ECDHE_PSK") {
76 }
77
78 if(str == "DHE_PSK") {
79 return Kex_Algo::DHE_PSK;
80 }
81
82 if(str == "KEM") {
83 return Kex_Algo::KEM;
84 }
85
86 if(str == "KEM_PSK") {
87 return Kex_Algo::KEM_PSK;
88 }
89
90 if(str == "HYBRID") {
91 return Kex_Algo::HYBRID;
92 }
93
94 if(str == "HYBRID_PSK") {
96 }
97
98 if(str == "UNDEFINED") {
100 }
101
102 throw Invalid_Argument(fmt("Unknown kex method '{}'", str));
103}

References DH, DHE_PSK, ECDH, ECDHE_PSK, Botan::fmt(), HYBRID, HYBRID_PSK, KEM, KEM_PSK, PSK, STATIC_RSA, and UNDEFINED.

◆ kex_method_to_string()

std::string BOTAN_TEST_API Botan::TLS::kex_method_to_string ( Kex_Algo method)

Definition at line 28 of file tls_algos.cpp.

28 {
29 switch(method) {
31 return "RSA";
32 case Kex_Algo::DH:
33 return "DH";
34 case Kex_Algo::ECDH:
35 return "ECDH";
36 case Kex_Algo::PSK:
37 return "PSK";
39 return "ECDHE_PSK";
41 return "DHE_PSK";
42 case Kex_Algo::KEM:
43 return "KEM";
45 return "KEM_PSK";
47 return "HYBRID";
49 return "HYBRID_PSK";
51 return "UNDEFINED";
52 }
53
54 throw Invalid_State("kex_method_to_string unknown enum value");
55}

References DH, DHE_PSK, ECDH, ECDHE_PSK, HYBRID, HYBRID_PSK, KEM, KEM_PSK, PSK, STATIC_RSA, and UNDEFINED.

Referenced by Botan::TLS::Ciphersuite::kex_algo(), Botan::TLS::Server_Key_Exchange::Server_Key_Exchange(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().

◆ key_exchange_is_psk()

bool Botan::TLS::key_exchange_is_psk ( Kex_Algo m)
inline

Definition at line 277 of file tls_algos.h.

277 {
278 return (m == Kex_Algo::PSK || m == Kex_Algo::ECDHE_PSK || m == Kex_Algo::DHE_PSK);
279}

References DHE_PSK, ECDHE_PSK, and PSK.

Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().

◆ make_hello_random()

std::vector< uint8_t > Botan::TLS::make_hello_random ( RandomNumberGenerator & rng,
Callbacks & cb,
const Policy & policy )

Definition at line 38 of file msg_client_hello.cpp.

38 {
39 auto buf = rng.random_vec<std::vector<uint8_t>>(32);
40
41 if(policy.hash_hello_random()) {
42 auto sha256 = HashFunction::create_or_throw("SHA-256");
43 sha256->update(buf);
44 sha256->final(buf);
45 }
46
47 // TLS 1.3 does not require the insertion of a timestamp in the client hello
48 // random. When offering both TLS 1.2 and 1.3 we nevertheless comply with the
49 // legacy specification.
50 if(policy.include_time_in_hello_random() && (policy.allow_tls12() || policy.allow_dtls12())) {
51 const uint32_t time32 = static_cast<uint32_t>(std::chrono::system_clock::to_time_t(cb.tls_current_timestamp()));
52
53 store_be(time32, buf.data());
54 }
55
56 return buf;
57}
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
void random_vec(std::span< uint8_t > v)
Definition rng.h:199
virtual std::chrono::system_clock::time_point tls_current_timestamp()
virtual bool include_time_in_hello_random() const
virtual bool allow_tls12() const
virtual bool hash_hello_random() const
virtual bool allow_dtls12() const
constexpr auto store_be(ParamTs &&... params)
Definition loadstor.h:745

References Botan::TLS::Policy::allow_dtls12(), Botan::TLS::Policy::allow_tls12(), Botan::HashFunction::create_or_throw(), Botan::TLS::Policy::hash_hello_random(), Botan::TLS::Policy::include_time_in_hello_random(), Botan::RandomNumberGenerator::random_vec(), Botan::store_be(), and Botan::TLS::Callbacks::tls_current_timestamp().

Referenced by Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_13::Client_Hello_13(), and Botan::TLS::Server_Hello_12::Server_Hello_12().

◆ operator!=()

bool Botan::TLS::operator!= ( const Server_Information & a,
const Server_Information & b )
inline

Definition at line 75 of file tls_server_info.h.

75 {
76 return !(a == b);
77}

◆ operator<() [1/2]

bool Botan::TLS::operator< ( const Server_Information & a,
const Server_Information & b )
inline

Definition at line 79 of file tls_server_info.h.

79 {
80 if(a.hostname() != b.hostname()) {
81 return (a.hostname() < b.hostname());
82 }
83 if(a.service() != b.service()) {
84 return (a.service() < b.service());
85 }
86 if(a.port() != b.port()) {
87 return (a.port() < b.port());
88 }
89 return false; // equal
90}

References Botan::TLS::Server_Information::hostname(), Botan::TLS::Server_Information::port(), and Botan::TLS::Server_Information::service().

◆ operator<() [2/2]

auto Botan::TLS::operator< ( const Session_ID & id1,
const Session_ID & id2 )
inline

Definition at line 40 of file tls_session.h.

40 {
41 // TODO: C++20 better use std::lexicographical_compare_three_way
42 // that was not available on all target platforms at the time
43 // of this writing.
44 return std::lexicographical_compare(id1.begin(), id1.end(), id2.begin(), id2.end());
45}
decltype(auto) begin() noexcept(noexcept(this->get().begin()))
Definition strong_type.h:92
decltype(auto) end() noexcept(noexcept(this->get().end()))
Definition strong_type.h:96

References Botan::detail::Container_Strong_Adapter_Base< T >::begin(), and Botan::detail::Container_Strong_Adapter_Base< T >::end().

◆ operator==()

bool Botan::TLS::operator== ( const Server_Information & a,
const Server_Information & b )
inline

Definition at line 71 of file tls_server_info.h.

71 {
72 return (a.hostname() == b.hostname()) && (a.service() == b.service()) && (a.port() == b.port());
73}

References Botan::TLS::Server_Information::hostname(), Botan::TLS::Server_Information::port(), and Botan::TLS::Server_Information::service().

◆ read_record()

Record_Header Botan::TLS::read_record ( bool is_datagram,
secure_vector< uint8_t > & read_buffer,
const uint8_t input[],
size_t input_len,
size_t & consumed,
secure_vector< uint8_t > & record_buf,
Connection_Sequence_Numbers * sequence_numbers,
const get_cipherstate_fn & get_cipherstate,
bool allow_epoch0_restart )

Decode a TLS record

Returns
zero if full message, else number of bytes still needed

Definition at line 513 of file tls_record.cpp.

521 {
522 if(is_datagram) {
523 return read_dtls_record(
524 readbuf, input, input_len, consumed, recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
525 } else {
526 return read_tls_record(readbuf, input, input_len, consumed, recbuf, sequence_numbers, get_cipherstate);
527 }
528}

Referenced by Botan::TLS::Channel_Impl_12::from_peer().

◆ to_algorithm_identifiers()

std::vector< AlgorithmIdentifier > Botan::TLS::to_algorithm_identifiers ( const std::vector< Signature_Scheme > & schemes)

Definition at line 331 of file tls_signature_scheme.cpp.

331 {
332 std::vector<AlgorithmIdentifier> result;
333 std::transform(schemes.begin(), schemes.end(), std::back_inserter(result), [](const auto& scheme) {
334 return scheme.algorithm_identifier();
335 });
336 return result;
337}

Referenced by Botan::TLS::Certificate_13::Certificate_13(), and Botan::TLS::Certificate_13::Certificate_13().

◆ write_record()

void Botan::TLS::write_record ( secure_vector< uint8_t > & write_buffer,
Record_Type record_type,
Protocol_Version record_version,
uint64_t record_sequence,
const uint8_t * message,
size_t message_len,
Connection_Cipher_State & cipherstate,
RandomNumberGenerator & rng )

Create a TLS record

Parameters
write_bufferthe output record is placed here
record_typethe record layer type
record_versionthe record layer version
record_sequencethe record layer sequence number
messagethe record contents
message_lenis size of message
cipherstateis the writing cipher state
rngis a random number generator

Definition at line 225 of file tls_record.cpp.

232 {
233 write_record_header(output, record_type, version, record_sequence);
234
235 AEAD_Mode& aead = cs.aead();
236 std::vector<uint8_t> aad = cs.format_ad(record_sequence, record_type, version, static_cast<uint16_t>(message_len));
237
238 const size_t ctext_size = aead.output_length(message_len);
239
240 const size_t rec_size = ctext_size + cs.nonce_bytes_from_record();
241
242 aead.set_associated_data(aad);
243
244 const std::vector<uint8_t> nonce = cs.aead_nonce(record_sequence, rng);
245
246 append_u16_len(output, rec_size);
247
248 if(cs.nonce_bytes_from_record() > 0) {
249 if(cs.nonce_format() == Nonce_Format::CBC_MODE) {
250 output += nonce;
251 } else {
252 output += std::make_pair(&nonce[cs.nonce_bytes_from_handshake()], cs.nonce_bytes_from_record());
253 }
254 }
255
256 const size_t header_size = output.size();
257 output += std::make_pair(message, message_len);
258
259 aead.start(nonce);
260 aead.finish(output, header_size);
261
262 BOTAN_ASSERT(output.size() < MAX_CIPHERTEXT_SIZE, "Produced ciphertext larger than protocol allows");
263}
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
void set_associated_data(std::span< const uint8_t > ad)
Definition aead.h:59
void start(std::span< const uint8_t > nonce)
Definition cipher_mode.h:98
void finish(secure_vector< uint8_t > &final_block, size_t offset=0)
virtual size_t output_length(size_t input_length) const =0

References Botan::TLS::Connection_Cipher_State::aead(), Botan::TLS::Connection_Cipher_State::aead_nonce(), BOTAN_ASSERT, CBC_MODE, Botan::Cipher_Mode::finish(), Botan::TLS::Connection_Cipher_State::format_ad(), MAX_CIPHERTEXT_SIZE, Botan::TLS::Connection_Cipher_State::nonce_bytes_from_handshake(), Botan::TLS::Connection_Cipher_State::nonce_bytes_from_record(), Botan::TLS::Connection_Cipher_State::nonce_format(), Botan::Cipher_Mode::output_length(), Botan::AEAD_Mode::set_associated_data(), and Botan::Cipher_Mode::start().

◆ write_unencrypted_record()

void Botan::TLS::write_unencrypted_record ( secure_vector< uint8_t > & write_buffer,
Record_Type record_type,
Protocol_Version record_version,
uint64_t record_sequence,
const uint8_t * message,
size_t message_len )

Create an initial (unencrypted) TLS handshake record

Parameters
write_bufferthe output record is placed here
record_typethe record layer type
record_versionthe record layer version
record_sequencethe record layer sequence number
messagethe record contents
message_lenis size of message

Definition at line 211 of file tls_record.cpp.

216 {
217 if(record_type == Record_Type::ApplicationData) {
218 throw Internal_Error("Writing an unencrypted TLS application data record");
219 }
220 write_record_header(output, record_type, version, record_sequence);
221 append_u16_len(output, message_len);
222 output.insert(output.end(), message, message + message_len);
223}

References ApplicationData.