Botan 3.5.0
Crypto and TLS for C&
tls_client_impl_13.cpp
Go to the documentation of this file.
1/*
2* TLS Client - implementation for TLS 1.3
3* (C) 2022 Jack Lloyd
4* 2021 Elektrobit Automotive GmbH
5* 2022 Hannes Rantzsch, René Meusel - neXenio GmbH
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9#include <botan/internal/tls_client_impl_13.h>
10
11#include <botan/credentials_manager.h>
12#include <botan/hash.h>
13#include <botan/tls_client.h>
14#include <botan/tls_messages.h>
15#include <botan/types.h>
16#include <botan/internal/stl_util.h>
17#include <botan/internal/tls_channel_impl_13.h>
18#include <botan/internal/tls_cipher_state.h>
19
20#include <iterator>
21#include <utility>
22
23namespace Botan::TLS {
24
25Client_Impl_13::Client_Impl_13(const std::shared_ptr<Callbacks>& callbacks,
26 const std::shared_ptr<Session_Manager>& session_manager,
27 const std::shared_ptr<Credentials_Manager>& creds,
28 const std::shared_ptr<const Policy>& policy,
29 const std::shared_ptr<RandomNumberGenerator>& rng,
31 const std::vector<std::string>& next_protocols) :
32 Channel_Impl_13(callbacks, session_manager, creds, rng, policy, false /* is_server */),
33 m_info(std::move(info)),
34 m_should_send_ccs(false) {
35#if defined(BOTAN_HAS_TLS_12)
36 if(policy->allow_tls12()) {
37 expect_downgrade(m_info, next_protocols);
38 }
39#endif
40
41 if(auto session = find_session_for_resumption()) {
42 if(!session->session.version().is_pre_tls_13()) {
43 m_resumed_session = std::move(session);
44 } else if(expects_downgrade()) {
45 // If we found a session that was created with TLS 1.2, we downgrade
46 // the implementation right away, before even issuing a Client Hello.
47 request_downgrade_for_resumption(std::move(session.value()));
48 return;
49 }
50 }
51
52 auto msg = send_handshake_message(m_handshake_state.sending(
54 *callbacks,
55 *rng,
56 m_info.hostname(),
57 next_protocols,
58 m_resumed_session,
59 creds->find_preshared_keys(m_info.hostname(), Connection_Side::Client))));
60
61 if(expects_downgrade()) {
63 }
64
65 // RFC 8446 Appendix D.4
66 // If not offering early data, the client sends a dummy change_cipher_spec
67 // record [...] immediately before its second flight. This may either be before
68 // its second ClientHello or before its encrypted handshake flight.
69 //
70 // TODO: don't schedule ccs here when early data is used
72 m_should_send_ccs = true;
73 }
74
76}
77
78void Client_Impl_13::process_handshake_msg(Handshake_Message_13 message) {
79 std::visit(
80 [&](auto msg) {
81 // first verify that the message was expected by the state machine...
82 m_transitions.confirm_transition_to(msg.get().type());
83
84 // ... then allow the library user to abort on their discretion
86
87 // ... finally handle the message
88 handle(msg.get());
89 },
90 m_handshake_state.received(std::move(message)));
91}
92
93void Client_Impl_13::process_post_handshake_msg(Post_Handshake_Message_13 message) {
95
96 std::visit([&](auto msg) { handle(msg); }, m_handshake_state.received(std::move(message)));
97}
98
99void Client_Impl_13::process_dummy_change_cipher_spec() {
100 // RFC 8446 5.
101 // If an implementation detects a change_cipher_spec record received before
102 // the first ClientHello message or after the peer's Finished message, it MUST be
103 // treated as an unexpected record type [("unexpected_message" alert)].
104 if(!m_handshake_state.has_client_hello() || m_handshake_state.has_server_finished()) {
105 throw TLS_Exception(Alert::UnexpectedMessage, "Received an unexpected dummy Change Cipher Spec");
106 }
107
108 // RFC 8446 5.
109 // An implementation may receive an unencrypted record of type change_cipher_spec [...]
110 // at any time after the first ClientHello message has been sent or received
111 // and before the peer's Finished message has been received [...]
112 // and MUST simply drop it without further processing.
113 //
114 // ... no further processing.
115}
116
118 return m_handshake_state.handshake_finished();
119}
120
121std::optional<Session_with_Handle> Client_Impl_13::find_session_for_resumption() {
122 // RFC 8446 4.6.1
123 // Clients MUST only resume if the new SNI value is valid for the
124 // server certificate presented in the original session and SHOULD only
125 // resume if the SNI value matches the one used in the original session.
126 //
127 // Below we search sessions based on their SNI value. Assuming that a
128 // 3rd party session manager does not lie to the implementation, we don't
129 // explicitly re-check that the SNI values match.
130 //
131 // Also, the default implementation did verify that very same SNI information
132 // against the server's certificate (via Callbacks::tls_verify_cert_chain())
133 // before storing it in the session.
134 //
135 // We therefore assume that the session returned by the `Session_Manager` is
136 // suitable for resumption in this context.
137 auto sessions = session_manager().find(m_info, callbacks(), policy());
138 if(sessions.empty()) {
139 return std::nullopt;
140 }
141
142 // TODO: TLS 1.3 allows sending more than one ticket (for resumption) in a
143 // Client Hello. Currently, we do not support that. The Session_Manager
144 // does imply otherwise with its API, though.
145 auto& session_to_resume = sessions.front();
146
147 return std::move(session_to_resume);
148}
149
150void Client_Impl_13::handle(const Server_Hello_12& server_hello_msg) {
151 if(m_handshake_state.has_hello_retry_request()) {
152 throw TLS_Exception(Alert::UnexpectedMessage, "Version downgrade received after Hello Retry");
153 }
154
155 // RFC 8446 Appendix D.1
156 // If the version chosen by the server is not supported by the client
157 // (or is not acceptable), the client MUST abort the handshake with a
158 // "protocol_version" alert.
159 if(!expects_downgrade()) {
160 throw TLS_Exception(Alert::ProtocolVersion, "Received an unexpected legacy Server Hello");
161 }
162
163 // RFC 8446 4.1.3
164 // TLS 1.3 has a downgrade protection mechanism embedded in the server's
165 // random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
166 // response to a ClientHello MUST set the last 8 bytes of their Random
167 // value specially in their ServerHello.
168 //
169 // TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
170 // MUST check that the [downgrade indication is not set]. [...] If a match
171 // is found, the client MUST abort the handshake with an
172 // "illegal_parameter" alert.
173 if(server_hello_msg.random_signals_downgrade().has_value()) {
174 throw TLS_Exception(Alert::IllegalParameter, "Downgrade attack detected");
175 }
176
177 // RFC 8446 4.2.1
178 // A server which negotiates a version of TLS prior to TLS 1.3 [...]
179 // MUST NOT send the "supported_versions" extension.
180 //
181 // Note that this condition should never happen, as the Server_Hello parsing
182 // code decides to create a Server_Hello_12 based on the absense of this extension.
183 if(server_hello_msg.extensions().has<Supported_Versions>()) {
184 throw TLS_Exception(Alert::IllegalParameter, "Unexpected extension received");
185 }
186
187 // RFC 8446 Appendix D.1
188 // If the version chosen by the server is not supported by the client
189 // (or is not acceptable), the client MUST abort the handshake with a
190 // "protocol_version" alert.
191 const auto& client_hello_exts = m_handshake_state.client_hello().extensions();
192 BOTAN_ASSERT_NOMSG(client_hello_exts.has<Supported_Versions>());
193 if(!client_hello_exts.get<Supported_Versions>()->supports(server_hello_msg.selected_version())) {
194 throw TLS_Exception(Alert::ProtocolVersion, "Protocol version was not offered");
195 }
196
197 if(policy().tls_13_middlebox_compatibility_mode() &&
198 m_handshake_state.client_hello().session_id() == server_hello_msg.session_id()) {
199 // In compatibility mode, the server will reflect the session ID we sent in the client hello.
200 // However, a TLS 1.2 server that wants to downgrade cannot have found the random session ID
201 // we sent. Therefore, we have to consider this as an attack.
202 // (Thanks BoGo test EchoTLS13CompatibilitySessionID!)
203 throw TLS_Exception(Alert::IllegalParameter, "Unexpected session ID during downgrade");
204 }
205
207
208 // After this, no further messages are expected here because this instance will be replaced
209 // by a Client_Impl_12.
210 m_transitions.set_expected_next({});
211}
212
213namespace {
214// validate Server_Hello_13 and Hello_Retry_Request
215void validate_server_hello_ish(const Client_Hello_13& ch, const Server_Hello_13& sh) {
216 // RFC 8446 4.1.3
217 // A client which receives a legacy_session_id_echo field that does not match what
218 // it sent in the ClientHello MUST abort the handshake with an "illegal_parameter" alert.
219 if(ch.session_id() != sh.session_id()) {
220 throw TLS_Exception(Alert::IllegalParameter, "echoed session id did not match");
221 }
222
223 // RFC 8446 4.1.3
224 // A client which receives a cipher suite that was not offered MUST abort the handshake
225 // with an "illegal_parameter" alert.
226 if(!ch.offered_suite(sh.ciphersuite())) {
227 throw TLS_Exception(Alert::IllegalParameter, "Server replied with ciphersuite we didn't send");
228 }
229
230 // RFC 8446 4.2.1
231 // If the "supported_versions" extension in the ServerHello contains a
232 // version not offered by the client or contains a version prior to
233 // TLS 1.3, the client MUST abort the handshake with an "illegal_parameter" alert.
234 //
235 // Note: Server_Hello_13 parsing checks that its selected version is TLS 1.3
236 BOTAN_ASSERT_NOMSG(ch.extensions().has<Supported_Versions>());
237 if(!ch.extensions().get<Supported_Versions>()->supports(sh.selected_version())) {
238 throw TLS_Exception(Alert::IllegalParameter, "Protocol version was not offered");
239 }
240}
241} // namespace
242
243void Client_Impl_13::handle(const Server_Hello_13& sh) {
244 // Note: Basic checks (that do not require contextual information) were already
245 // performed during the construction of the Server_Hello_13 object.
246
247 const auto& ch = m_handshake_state.client_hello();
248
249 validate_server_hello_ish(ch, sh);
250
251 // RFC 8446 4.2
252 // Implementations MUST NOT send extension responses if the remote
253 // endpoint did not send the corresponding extension requests, [...]. Upon
254 // receiving such an extension, an endpoint MUST abort the handshake
255 // with an "unsupported_extension" alert.
256 if(sh.extensions().contains_other_than(ch.extensions().extension_types())) {
257 throw TLS_Exception(Alert::UnsupportedExtension, "Unsupported extension found in Server Hello");
258 }
259
260 if(m_handshake_state.has_hello_retry_request()) {
261 const auto& hrr = m_handshake_state.hello_retry_request();
262
263 // RFC 8446 4.1.4
264 // Upon receiving the ServerHello, clients MUST check that the cipher suite
265 // supplied in the ServerHello is the same as that in the HelloRetryRequest
266 // and otherwise abort the handshake with an "illegal_parameter" alert.
267 if(hrr.ciphersuite() != sh.ciphersuite()) {
268 throw TLS_Exception(Alert::IllegalParameter, "server changed its chosen ciphersuite");
269 }
270
271 // RFC 8446 4.1.4
272 // The value of selected_version in the HelloRetryRequest "supported_versions"
273 // extension MUST be retained in the ServerHello, and a client MUST abort the
274 // handshake with an "illegal_parameter" alert if the value changes.
275 if(hrr.selected_version() != sh.selected_version()) {
276 throw TLS_Exception(Alert::IllegalParameter, "server changed its chosen protocol version");
277 }
278 }
279
280 auto cipher = Ciphersuite::by_id(sh.ciphersuite());
281 BOTAN_ASSERT_NOMSG(cipher.has_value()); // should work, since we offered this suite
282
283 // RFC 8446 Appendix B.4
284 // Although TLS 1.3 uses the same cipher suite space as previous versions
285 // of TLS [...] cipher suites for TLS 1.2 and lower cannot be used with
286 // TLS 1.3.
287 if(!cipher->usable_in_version(Protocol_Version::TLS_V13)) {
288 throw TLS_Exception(Alert::IllegalParameter,
289 "Server replied using a ciphersuite not allowed in version it offered");
290 }
291
292 // RFC 8446 4.2.11
293 // Clients MUST verify that [...] a server "key_share" extension is present
294 // if required by the ClientHello "psk_key_exchange_modes" extension. If
295 // these values are not consistent, the client MUST abort the handshake
296 // with an "illegal_parameter" alert.
297 //
298 // Currently, we don't support PSK-only mode, hence a key share extension is
299 // considered mandatory.
300 //
301 // TODO: Implement PSK-only mode.
302 if(!sh.extensions().has<Key_Share>()) {
303 throw TLS_Exception(Alert::IllegalParameter, "Server Hello did not contain a key share extension");
304 }
305
306 auto my_keyshare = ch.extensions().get<Key_Share>();
307 auto shared_secret = my_keyshare->decapsulate(*sh.extensions().get<Key_Share>(), policy(), callbacks(), rng());
308
309 m_transcript_hash.set_algorithm(cipher.value().prf_algo());
310
311 if(sh.extensions().has<PSK>()) {
312 std::tie(m_psk_identity, m_cipher_state) =
313 ch.extensions().get<PSK>()->take_selected_psk_info(*sh.extensions().get<PSK>(), cipher.value());
314
315 // If we offered a session for resumption *and* an externally provided PSK
316 // and the latter was chosen by the server over the offered resumption, we
317 // want to invalidate the now-outdated session in m_resumed_session.
318 if(m_psk_identity.has_value() && m_resumed_session.has_value()) {
319 m_resumed_session.reset();
320 }
321
322 // TODO: When implementing early data, `advance_with_client_hello` must
323 // happen _before_ encrypting any early application data.
324 // Same when we want to support early key export.
325 m_cipher_state->advance_with_client_hello(m_transcript_hash.previous(), *this);
326 m_cipher_state->advance_with_server_hello(
327 cipher.value(), std::move(shared_secret), m_transcript_hash.current(), *this);
328 } else {
329 m_resumed_session.reset(); // might have been set if we attempted a resumption
331 m_side, std::move(shared_secret), cipher.value(), m_transcript_hash.current(), *this);
332 }
333
335
337}
338
339void Client_Impl_13::handle(const Hello_Retry_Request& hrr) {
340 // Note: Basic checks (that do not require contextual information) were already
341 // performed during the construction of the Hello_Retry_Request object as
342 // a subclass of Server_Hello_13.
343
344 auto& ch = m_handshake_state.client_hello();
345
346 validate_server_hello_ish(ch, hrr);
347
348 // RFC 8446 4.1.4.
349 // A HelloRetryRequest MUST NOT contain any
350 // extensions that were not first offered by the client in its
351 // ClientHello, with the exception of optionally the "cookie".
352 auto allowed_exts = ch.extensions().extension_types();
353 allowed_exts.insert(Extension_Code::Cookie);
354 if(hrr.extensions().contains_other_than(allowed_exts)) {
355 throw TLS_Exception(Alert::UnsupportedExtension, "Unsupported extension found in Hello Retry Request");
356 }
357
358 auto cipher = Ciphersuite::by_id(hrr.ciphersuite());
359 BOTAN_ASSERT_NOMSG(cipher.has_value()); // should work, since we offered this suite
360
363
364 ch.retry(hrr, m_transcript_hash, callbacks(), rng());
365
367
368 send_handshake_message(std::reference_wrapper(ch));
369
370 // RFC 8446 4.1.4
371 // If a client receives a second HelloRetryRequest in the same connection [...],
372 // it MUST abort the handshake with an "unexpected_message" alert.
374}
375
376void Client_Impl_13::handle(const Encrypted_Extensions& encrypted_extensions_msg) {
377 const auto& exts = encrypted_extensions_msg.extensions();
378
379 // RFC 8446 4.2
380 // Implementations MUST NOT send extension responses if the remote
381 // endpoint did not send the corresponding extension requests, [...]. Upon
382 // receiving such an extension, an endpoint MUST abort the handshake
383 // with an "unsupported_extension" alert.
384 const auto& requested_exts = m_handshake_state.client_hello().extensions().extension_types();
385 if(exts.contains_other_than(requested_exts)) {
386 throw TLS_Exception(Alert::UnsupportedExtension,
387 "Encrypted Extensions contained an extension that was not offered");
388 }
389
390 // Note: As per RFC 6066 3. we can check for an empty SNI extensions to
391 // determine if the server used the SNI we sent here.
392
393 if(exts.has<Record_Size_Limit>() && m_handshake_state.client_hello().extensions().has<Record_Size_Limit>()) {
394 // RFC 8449 4.
395 // The record size limit only applies to records sent toward the
396 // endpoint that advertises the limit. An endpoint can send records
397 // that are larger than the limit it advertises as its own limit.
398 //
399 // Hence, the "outgoing" limit is what the server requested and the
400 // "incoming" limit is what we requested in the Client Hello.
401 const auto outgoing_limit = exts.get<Record_Size_Limit>();
402 const auto incoming_limit = m_handshake_state.client_hello().extensions().get<Record_Size_Limit>();
403 set_record_size_limits(outgoing_limit->limit(), incoming_limit->limit());
404 }
405
406 if(exts.has<Server_Certificate_Type>() &&
407 m_handshake_state.client_hello().extensions().has<Server_Certificate_Type>()) {
408 const auto* server_cert_type = exts.get<Server_Certificate_Type>();
409 const auto* our_server_cert_types = m_handshake_state.client_hello().extensions().get<Server_Certificate_Type>();
410 our_server_cert_types->validate_selection(*server_cert_type);
411
412 // RFC 7250 4.2
413 // With the server_certificate_type extension in the server hello, the
414 // TLS server indicates the certificate type carried in the Certificate
415 // payload.
416 //
417 // Note: TLS 1.3 carries this extension in the Encrypted Extensions
418 // message instead of the Server Hello.
419 set_selected_certificate_type(server_cert_type->selected_certificate_type());
420 }
421
423
424 if(m_handshake_state.server_hello().extensions().has<PSK>()) {
425 // RFC 8446 2.2
426 // As the server is authenticating via a PSK, it does not send a
427 // Certificate or a CertificateVerify message.
429 } else {
431 }
432}
433
434void Client_Impl_13::handle(const Certificate_Request_13& certificate_request_msg) {
435 // RFC 8446 4.3.2
436 // [The 'context' field] SHALL be zero length unless used for the
437 // post-handshake authentication exchanges described in Section 4.6.2.
438 if(!is_handshake_complete() && !certificate_request_msg.context().empty()) {
439 throw TLS_Exception(Alert::DecodeError, "Certificate_Request context must be empty in the main handshake");
440 }
441
443 certificate_request_msg.extensions(), Connection_Side::Server, Handshake_Type::CertificateRequest);
445}
446
447void Client_Impl_13::handle(const Certificate_13& certificate_msg) {
448 // RFC 8446 4.4.2
449 // certificate_request_context: [...] In the case of server authentication,
450 // this field SHALL be zero length.
451 if(!certificate_msg.request_context().empty()) {
452 throw TLS_Exception(Alert::DecodeError, "Received a server certificate message with non-empty request context");
453 }
454
455 // RFC 8446 4.4.2
456 // Extensions in the Certificate message from the server MUST correspond
457 // to ones from the ClientHello message.
458 certificate_msg.validate_extensions(m_handshake_state.client_hello().extensions().extension_types(), callbacks());
459 certificate_msg.verify(callbacks(),
460 policy(),
462 m_info.hostname(),
463 m_handshake_state.client_hello().extensions().has<Certificate_Status_Request>());
464
466}
467
468void Client_Impl_13::handle(const Certificate_Verify_13& certificate_verify_msg) {
469 // RFC 8446 4.4.3
470 // If the CertificateVerify message is sent by a server, the signature
471 // algorithm MUST be one offered in the client's "signature_algorithms"
472 // extension unless no valid certificate chain can be produced without
473 // unsupported algorithms.
474 //
475 // Note: if the server failed to produce a certificate chain without using
476 // an unsupported signature scheme, we opt to abort the handshake.
477 const auto offered = m_handshake_state.client_hello().signature_schemes();
478 if(!value_exists(offered, certificate_verify_msg.signature_scheme())) {
479 throw TLS_Exception(Alert::IllegalParameter,
480 "We did not offer the usage of " + certificate_verify_msg.signature_scheme().to_string() +
481 " as a signature scheme");
482 }
483
484 bool sig_valid = certificate_verify_msg.verify(
486
487 if(!sig_valid) {
488 throw TLS_Exception(Alert::DecryptError, "Server certificate verification failed");
489 }
490
492}
493
494void Client_Impl_13::send_client_authentication(Channel_Impl_13::AggregatedHandshakeMessages& flight) {
495 BOTAN_ASSERT_NOMSG(m_handshake_state.has_certificate_request());
496 const auto& cert_request = m_handshake_state.certificate_request();
497
498 const auto cert_type = [&] {
499 const auto& exts = m_handshake_state.encrypted_extensions().extensions();
500 const auto& chexts = m_handshake_state.client_hello().extensions();
501 if(exts.has<Client_Certificate_Type>() && chexts.has<Client_Certificate_Type>()) {
502 const auto* client_cert_type = exts.get<Client_Certificate_Type>();
503 chexts.get<Client_Certificate_Type>()->validate_selection(*client_cert_type);
504
505 // RFC 7250 4.2
506 // This client_certificate_type extension in the server hello then
507 // indicates the type of certificates the client is requested to
508 // provide in a subsequent certificate payload.
509 //
510 // Note: TLS 1.3 carries this extension in the Encrypted Extensions
511 // message instead of the Server Hello.
512 return client_cert_type->selected_certificate_type();
513 } else {
514 // RFC 8446 4.4.2
515 // If the corresponding certificate type extension [...] was not
516 // negotiated in EncryptedExtensions, [...] then each
517 // CertificateEntry contains a DER-encoded X.509 certificate.
519 }
520 }();
521
522 // RFC 8446 4.4.2
523 // certificate_request_context: If this message is in response to a
524 // CertificateRequest, the value of certificate_request_context in
525 // that message.
526 flight.add(m_handshake_state.sending(
527 Certificate_13(cert_request, m_info.hostname(), credentials_manager(), callbacks(), cert_type)));
528
529 // RFC 8446 4.4.2
530 // If the server requests client authentication but no suitable certificate
531 // is available, the client MUST send a Certificate message containing no
532 // certificates.
533 //
534 // In that case, no Certificate Verify message will be sent.
535 if(!m_handshake_state.client_certificate().empty()) {
536 flight.add(m_handshake_state.sending(Certificate_Verify_13(m_handshake_state.client_certificate(),
537 cert_request.signature_schemes(),
538 m_info.hostname(),
542 policy(),
543 callbacks(),
544 rng())));
545 }
546}
547
548void Client_Impl_13::handle(const Finished_13& finished_msg) {
549 // RFC 8446 4.4.4
550 // Recipients of Finished messages MUST verify that the contents are
551 // correct and if incorrect MUST terminate the connection with a
552 // "decrypt_error" alert.
553 if(!finished_msg.verify(m_cipher_state.get(), m_transcript_hash.previous())) {
554 throw TLS_Exception(Alert::DecryptError, "Finished message didn't verify");
555 }
556
557 // Give the application a chance for a final veto before fully
558 // establishing the connection.
559 callbacks().tls_session_established(Session_Summary(m_handshake_state.server_hello(),
564 m_resumed_session.has_value(),
565 m_info,
566 callbacks().tls_current_timestamp()));
567
568 // Derives the secrets for receiving application data but defers
569 // the derivation of sending application data.
570 m_cipher_state->advance_with_server_finished(m_transcript_hash.current(), *this);
571
572 auto flight = aggregate_handshake_messages();
573
574 // RFC 8446 4.4.2
575 // The client MUST send a Certificate message if and only if the server
576 // has requested client authentication via a CertificateRequest message.
577 if(m_handshake_state.has_certificate_request()) {
578 send_client_authentication(flight);
579 }
580
581 // send client finished handshake message (still using handshake traffic secrets)
582 flight.add(m_handshake_state.sending(Finished_13(m_cipher_state.get(), m_transcript_hash.current())));
583
584 flight.send();
585
586 // derives the sending application traffic secrets
587 m_cipher_state->advance_with_client_finished(m_transcript_hash.current());
588
589 // TODO: Create a dummy session object and invoke tls_session_established.
590 // Alternatively, consider changing the expectations described in the
591 // callback's doc string.
592
593 // no more handshake messages expected
594 m_transitions.set_expected_next({});
595
597}
598
599void TLS::Client_Impl_13::handle(const New_Session_Ticket_13& new_session_ticket) {
600 callbacks().tls_examine_extensions(
601 new_session_ticket.extensions(), Connection_Side::Server, Handshake_Type::NewSessionTicket);
602
603 Session session(m_cipher_state->psk(new_session_ticket.nonce()),
604 new_session_ticket.early_data_byte_limit(),
605 new_session_ticket.ticket_age_add(),
606 new_session_ticket.lifetime_hint(),
607 m_handshake_state.server_hello().selected_version(),
608 m_handshake_state.server_hello().ciphersuite(),
610 peer_cert_chain(),
611 peer_raw_public_key(),
612 m_info,
613 callbacks().tls_current_timestamp());
614
615 if(callbacks().tls_should_persist_resumption_information(session)) {
616 session_manager().store(session, new_session_ticket.handle());
617 }
618}
619
620std::vector<X509_Certificate> Client_Impl_13::peer_cert_chain() const {
621 if(m_handshake_state.has_server_certificate_msg() &&
622 m_handshake_state.server_certificate().has_certificate_chain()) {
623 return m_handshake_state.server_certificate().cert_chain();
624 }
625
626 if(m_resumed_session.has_value()) {
627 return m_resumed_session->session.peer_certs();
628 }
629
630 return {};
631}
632
633std::shared_ptr<const Public_Key> Client_Impl_13::peer_raw_public_key() const {
634 if(m_handshake_state.has_server_certificate_msg() && m_handshake_state.server_certificate().is_raw_public_key()) {
635 return m_handshake_state.server_certificate().public_key();
636 }
637
638 if(m_resumed_session.has_value()) {
639 return m_resumed_session->session.peer_raw_public_key();
640 }
641
642 return nullptr;
643}
644
645std::optional<std::string> Client_Impl_13::external_psk_identity() const {
646 return m_psk_identity;
647}
648
649bool Client_Impl_13::prepend_ccs() {
650 return std::exchange(m_should_send_ccs, false); // test-and-set
651}
652
653void Client_Impl_13::maybe_log_secret(std::string_view label, std::span<const uint8_t> secret) const {
654 if(policy().allow_ssl_key_log_file()) {
655 callbacks().tls_ssl_key_log_data(label, m_handshake_state.client_hello().random(), secret);
656 }
657}
658
661 const auto& eee = m_handshake_state.encrypted_extensions().extensions();
663 return eee.get<Application_Layer_Protocol_Notification>()->single_protocol();
664 }
665 }
666
667 return "";
668}
669
670} // namespace Botan::TLS
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:41
virtual void tls_session_established(const Session_Summary &session)
virtual void tls_session_activated()
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
virtual void tls_inspect_handshake_msg(const Handshake_Message &message)
std::shared_ptr< const Public_Key > public_key() const
std::vector< X509_Certificate > cert_chain() const
const Policy & policy() const
void expect_downgrade(const Server_Information &server_info, const std::vector< std::string > &next_protocols)
AggregatedHandshakeMessages aggregate_handshake_messages()
Credentials_Manager & credentials_manager()
RandomNumberGenerator & rng()
std::vector< uint8_t > send_handshake_message(const std::variant< MsgTs... > &message)
Transcript_Hash_State m_transcript_hash
Session_Manager & session_manager()
std::unique_ptr< Cipher_State > m_cipher_state
void set_selected_certificate_type(Certificate_Type cert_type)
void set_record_size_limits(uint16_t outgoing_limit, uint16_t incoming_limit)
void request_downgrade_for_resumption(Session_with_Handle session)
void preserve_client_hello(std::span< const uint8_t > msg)
static std::unique_ptr< Cipher_State > init_with_server_hello(Connection_Side side, secure_vector< uint8_t > &&shared_secret, const Ciphersuite &cipher, const Transcript_Hash &transcript_hash, const Secret_Logger &channel)
static std::optional< Ciphersuite > by_id(uint16_t suite)
const std::vector< uint8_t > & random() const
std::vector< Signature_Scheme > signature_schemes() const
const Extensions & extensions() const
const Session_ID & session_id() const
Client_Impl_13(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, Server_Information server_info=Server_Information(), const std::vector< std::string > &next_protocols={})
std::optional< std::string > external_psk_identity() const override
std::string application_protocol() const override
std::shared_ptr< const Public_Key > peer_raw_public_key() const override
bool is_handshake_complete() const override
std::vector< X509_Certificate > peer_cert_chain() const override
const Extensions & extensions() const
std::set< Extension_Code > extension_types() const
std::reference_wrapper< MsgT > sending(MsgT msg)
decltype(auto) received(Handshake_Message_13 message)
void confirm_transition_to(Handshake_Type msg_type)
void set_expected_next(Handshake_Type msg_type)
const Hello_Retry_Request & hello_retry_request() const
const Certificate_Request_13 & certificate_request() const
const Encrypted_Extensions & encrypted_extensions() const
virtual bool allow_tls12() const
virtual bool tls_13_middlebox_compatibility_mode() const
const Extensions & extensions() const
virtual std::vector< Session_with_Handle > find(const Server_Information &info, Callbacks &callbacks, const Policy &policy)
Find all sessions that match a given server info.
const Transcript_Hash & current() const
static Transcript_Hash_State recreate_after_hello_retry_request(std::string_view algo_spec, const Transcript_Hash_State &prev_transcript_hash_state)
void set_algorithm(std::string_view algo_spec)
const Transcript_Hash & previous() const
std::variant< New_Session_Ticket_13, Key_Update > Post_Handshake_Message_13
std::variant< Client_Hello_13, Client_Hello_12, Server_Hello_13, Server_Hello_12, Hello_Retry_Request, Encrypted_Extensions, Certificate_13, Certificate_Request_13, Certificate_Verify_13, Finished_13 > Handshake_Message_13
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:60