Botan 3.5.0
Crypto and TLS for C&
tls_extensions.cpp
Go to the documentation of this file.
1/*
2* TLS Extensions
3* (C) 2011,2012,2015,2016 Jack Lloyd
4* 2016 Juraj Somorovsky
5* 2021 Elektrobit Automotive GmbH
6* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
7* 2023 Mateusz Berezecki
8* 2023 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity
9*
10* Botan is released under the Simplified BSD License (see license.txt)
11*/
12
13#include <botan/tls_extensions.h>
14
15#include <botan/ber_dec.h>
16#include <botan/der_enc.h>
17#include <botan/tls_exceptn.h>
18#include <botan/tls_policy.h>
19#include <botan/internal/stl_util.h>
20#include <botan/internal/tls_reader.h>
21
22#include <iterator>
23
24namespace Botan::TLS {
25
26namespace {
27
28std::unique_ptr<Extension> make_extension(TLS_Data_Reader& reader,
29 Extension_Code code,
30 const Connection_Side from,
31 const Handshake_Type message_type) {
32 // This cast is safe because we read exactly a 16 bit length field for
33 // the extension in Extensions::deserialize
34 const uint16_t size = static_cast<uint16_t>(reader.remaining_bytes());
35 switch(code) {
37 return std::make_unique<Server_Name_Indicator>(reader, size);
38
40 return std::make_unique<Supported_Groups>(reader, size);
41
43 return std::make_unique<Certificate_Status_Request>(reader, size, message_type, from);
44
46 return std::make_unique<Supported_Point_Formats>(reader, size);
47
49 return std::make_unique<Renegotiation_Extension>(reader, size);
50
52 return std::make_unique<Signature_Algorithms>(reader, size);
53
55 return std::make_unique<Signature_Algorithms_Cert>(reader, size);
56
58 return std::make_unique<SRTP_Protection_Profiles>(reader, size);
59
61 return std::make_unique<Application_Layer_Protocol_Notification>(reader, size, from);
62
64 return std::make_unique<Client_Certificate_Type>(reader, size, from);
65
67 return std::make_unique<Server_Certificate_Type>(reader, size, from);
68
70 return std::make_unique<Extended_Master_Secret>(reader, size);
71
73 return std::make_unique<Record_Size_Limit>(reader, size, from);
74
76 return std::make_unique<Encrypt_then_MAC>(reader, size);
77
79 return std::make_unique<Session_Ticket_Extension>(reader, size);
80
82 return std::make_unique<Supported_Versions>(reader, size, from);
83
84#if defined(BOTAN_HAS_TLS_13)
86 return std::make_unique<PSK>(reader, size, message_type);
87
89 return std::make_unique<EarlyDataIndication>(reader, size, message_type);
90
92 return std::make_unique<Cookie>(reader, size);
93
95 return std::make_unique<PSK_Key_Exchange_Modes>(reader, size);
96
98 return std::make_unique<Certificate_Authorities>(reader, size);
99
101 return std::make_unique<Key_Share>(reader, size, message_type);
102#endif
103 }
104
105 return std::make_unique<Unknown_Extension>(code, reader, size);
106}
107
108} // namespace
109
110void Extensions::add(std::unique_ptr<Extension> extn) {
111 if(has(extn->type())) {
112 throw Invalid_Argument("cannot add the same extension twice: " +
113 std::to_string(static_cast<uint16_t>(extn->type())));
114 }
115
116 m_extensions.emplace_back(extn.release());
117}
118
119void Extensions::deserialize(TLS_Data_Reader& reader, const Connection_Side from, const Handshake_Type message_type) {
120 if(reader.has_remaining()) {
121 const uint16_t all_extn_size = reader.get_uint16_t();
122
123 if(reader.remaining_bytes() != all_extn_size) {
124 throw Decoding_Error("Bad extension size");
125 }
126
127 while(reader.has_remaining()) {
128 const uint16_t extension_code = reader.get_uint16_t();
129 const uint16_t extension_size = reader.get_uint16_t();
130
131 const auto type = static_cast<Extension_Code>(extension_code);
132
133 if(this->has(type)) {
134 throw TLS_Exception(TLS::Alert::DecodeError, "Peer sent duplicated extensions");
135 }
136
137 // TODO offer a function on reader that returns a byte range as a reference
138 // to avoid this copy of the extension data
139 const std::vector<uint8_t> extn_data = reader.get_fixed<uint8_t>(extension_size);
140 TLS_Data_Reader extn_reader("Extension", extn_data);
141 this->add(make_extension(extn_reader, type, from, message_type));
142 extn_reader.assert_done();
143 }
144 }
145}
146
147bool Extensions::contains_other_than(const std::set<Extension_Code>& allowed_extensions,
148 const bool allow_unknown_extensions) const {
149 const auto found = extension_types();
150
151 std::vector<Extension_Code> diff;
152 std::set_difference(
153 found.cbegin(), found.end(), allowed_extensions.cbegin(), allowed_extensions.cend(), std::back_inserter(diff));
154
155 if(allow_unknown_extensions) {
156 // Go through the found unexpected extensions whether any of those
157 // is known to this TLS implementation.
158 const auto itr = std::find_if(diff.cbegin(), diff.cend(), [this](const auto ext_type) {
159 const auto ext = get(ext_type);
160 return ext && ext->is_implemented();
161 });
162
163 // ... if yes, `contains_other_than` is true
164 return itr != diff.cend();
165 }
166
167 return !diff.empty();
168}
169
170std::unique_ptr<Extension> Extensions::take(Extension_Code type) {
171 const auto i =
172 std::find_if(m_extensions.begin(), m_extensions.end(), [type](const auto& ext) { return ext->type() == type; });
173
174 std::unique_ptr<Extension> result;
175 if(i != m_extensions.end()) {
176 std::swap(result, *i);
177 m_extensions.erase(i);
178 }
179
180 return result;
181}
182
183std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const {
184 std::vector<uint8_t> buf(2); // 2 bytes for length field
185
186 for(const auto& extn : m_extensions) {
187 if(extn->empty()) {
188 continue;
189 }
190
191 const uint16_t extn_code = static_cast<uint16_t>(extn->type());
192
193 const std::vector<uint8_t> extn_val = extn->serialize(whoami);
194
195 buf.push_back(get_byte<0>(extn_code));
196 buf.push_back(get_byte<1>(extn_code));
197
198 buf.push_back(get_byte<0>(static_cast<uint16_t>(extn_val.size())));
199 buf.push_back(get_byte<1>(static_cast<uint16_t>(extn_val.size())));
200
201 buf += extn_val;
202 }
203
204 const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
205
206 buf[0] = get_byte<0>(extn_size);
207 buf[1] = get_byte<1>(extn_size);
208
209 // avoid sending a completely empty extensions block
210 if(buf.size() == 2) {
211 return std::vector<uint8_t>();
212 }
213
214 return buf;
215}
216
217std::set<Extension_Code> Extensions::extension_types() const {
218 std::set<Extension_Code> offers;
219 std::transform(
220 m_extensions.cbegin(), m_extensions.cend(), std::inserter(offers, offers.begin()), [](const auto& ext) {
221 return ext->type();
222 });
223 return offers;
224}
227 m_type(type), m_value(reader.get_fixed<uint8_t>(extension_size)) {}
228
229std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const {
230 return m_value;
231}
232
234 /*
235 * This is used by the server to confirm that it knew the name
236 */
237 if(extension_size == 0) {
238 return;
239 }
240
241 uint16_t name_bytes = reader.get_uint16_t();
242
243 if(name_bytes + 2 != extension_size) {
244 throw Decoding_Error("Bad encoding of SNI extension");
245 }
246
247 while(name_bytes) {
248 uint8_t name_type = reader.get_byte();
249 name_bytes--;
250
251 if(name_type == 0) // DNS
252 {
253 m_sni_host_name = reader.get_string(2, 1, 65535);
254 name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
255 } else // some other unknown name type
256 {
257 reader.discard_next(name_bytes);
258 name_bytes = 0;
259 }
260 }
261}
262
263std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side whoami) const {
264 // RFC 6066
265 // [...] the server SHALL include an extension of type "server_name" in
266 // the (extended) server hello. The "extension_data" field of this
267 // extension SHALL be empty.
268 if(whoami == Connection_Side::Server) {
269 return {};
270 }
271
272 std::vector<uint8_t> buf;
273
274 size_t name_len = m_sni_host_name.size();
275
276 buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len + 3)));
277 buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len + 3)));
278 buf.push_back(0); // DNS
279
280 buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len)));
281 buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len)));
282
283 buf += std::make_pair(cast_char_ptr_to_uint8(m_sni_host_name.data()), m_sni_host_name.size());
284
285 return buf;
286}
287
289 m_reneg_data(reader.get_range<uint8_t>(1, 0, 255)) {
290 if(m_reneg_data.size() + 1 != extension_size) {
291 throw Decoding_Error("Bad encoding for secure renegotiation extn");
292 }
293}
294
295std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const {
296 std::vector<uint8_t> buf;
297 append_tls_length_value(buf, m_reneg_data, 1);
298 return buf;
299}
300
302 uint16_t extension_size,
303 Connection_Side from) {
304 if(extension_size == 0) {
305 return; // empty extension
306 }
307
308 const uint16_t name_bytes = reader.get_uint16_t();
309
310 size_t bytes_remaining = extension_size - 2;
311
312 if(name_bytes != bytes_remaining) {
313 throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
314 }
315
316 while(bytes_remaining) {
317 const std::string p = reader.get_string(1, 0, 255);
318
319 if(bytes_remaining < p.size() + 1) {
320 throw Decoding_Error("Bad encoding of ALPN, length field too long");
321 }
322
323 if(p.empty()) {
324 throw Decoding_Error("Empty ALPN protocol not allowed");
325 }
326
327 bytes_remaining -= (p.size() + 1);
328
329 m_protocols.push_back(p);
330 }
331
332 // RFC 7301 3.1
333 // The "extension_data" field of the [...] extension is structured the
334 // same as described above for the client "extension_data", except that
335 // the "ProtocolNameList" MUST contain exactly one "ProtocolName".
336 if(from == Connection_Side::Server && m_protocols.size() != 1) {
337 throw TLS_Exception(
338 Alert::DecodeError,
339 "Server sent " + std::to_string(m_protocols.size()) + " protocols in ALPN extension response");
340 }
341}
342
344 BOTAN_STATE_CHECK(m_protocols.size() == 1);
345 return m_protocols.front();
346}
347
349 std::vector<uint8_t> buf(2);
350
351 for(auto&& p : m_protocols) {
352 if(p.length() >= 256) {
353 throw TLS_Exception(Alert::InternalError, "ALPN name too long");
354 }
355 if(!p.empty()) {
356 append_tls_length_value(buf, cast_char_ptr_to_uint8(p.data()), p.size(), 1);
357 }
358 }
359
360 buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size() - 2));
361 buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size() - 2));
362
363 return buf;
364}
365
367 switch(type) {
369 return "X509";
371 return "RawPublicKey";
372 }
373
374 return "Unknown";
375}
376
377Certificate_Type certificate_type_from_string(const std::string& type_str) {
378 if(type_str == "X509") {
380 } else if(type_str == "RawPublicKey") {
382 } else {
383 throw Decoding_Error("Unknown certificate type: " + type_str);
384 }
385}
386
387Certificate_Type_Base::Certificate_Type_Base(std::vector<Certificate_Type> supported_cert_types) :
388 m_certificate_types(std::move(supported_cert_types)), m_from(Connection_Side::Client) {
389 BOTAN_ARG_CHECK(!m_certificate_types.empty(), "at least one certificate type must be supported");
390}
391
393 Certificate_Type_Base(cct, policy.accepted_client_certificate_types()) {}
394
396 Certificate_Type_Base(sct, policy.accepted_server_certificate_types()) {}
397
399 const std::vector<Certificate_Type>& server_preference) :
400 m_from(Connection_Side::Server) {
401 // RFC 7250 4.2
402 // The server_certificate_type extension in the client hello indicates the
403 // types of certificates the client is able to process when provided by
404 // the server in a subsequent certificate payload. [...] With the
405 // server_certificate_type extension in the server hello, the TLS server
406 // indicates the certificate type carried in the Certificate payload.
407 for(const auto server_supported_cert_type : server_preference) {
408 if(value_exists(certificate_type_from_client.m_certificate_types, server_supported_cert_type)) {
409 m_certificate_types.push_back(server_supported_cert_type);
410 return;
411 }
412 }
413
414 // RFC 7250 4.2 (2.)
415 // The server supports the extension defined in this document, but
416 // it does not have any certificate type in common with the client.
417 // Then, the server terminates the session with a fatal alert of
418 // type "unsupported_certificate".
419 throw TLS_Exception(Alert::UnsupportedCertificate, "Failed to agree on certificate_type");
420}
421
423 m_from(from) {
424 if(extension_size == 0) {
425 throw Decoding_Error("Certificate type extension cannot be empty");
426 }
427
428 if(from == Connection_Side::Client) {
429 const auto type_bytes = reader.get_tls_length_value(1);
430 if(static_cast<size_t>(extension_size) != type_bytes.size() + 1) {
431 throw Decoding_Error("certificate type extension had inconsistent length");
432 }
433 std::transform(
434 type_bytes.begin(), type_bytes.end(), std::back_inserter(m_certificate_types), [](const auto type_byte) {
435 return static_cast<Certificate_Type>(type_byte);
436 });
437 } else {
438 // RFC 7250 4.2
439 // Note that only a single value is permitted in the
440 // server_certificate_type extension when carried in the server hello.
441 if(extension_size != 1) {
442 throw Decoding_Error("Server's certificate type extension must be of length 1");
443 }
444 const auto type_byte = reader.get_byte();
445 m_certificate_types.push_back(static_cast<Certificate_Type>(type_byte));
446 }
447}
448
449std::vector<uint8_t> Certificate_Type_Base::serialize(Connection_Side whoami) const {
450 std::vector<uint8_t> result;
451 if(whoami == Connection_Side::Client) {
452 std::vector<uint8_t> type_bytes;
453 std::transform(
454 m_certificate_types.begin(), m_certificate_types.end(), std::back_inserter(type_bytes), [](const auto type) {
455 return static_cast<uint8_t>(type);
456 });
457 append_tls_length_value(result, type_bytes, 1);
458 } else {
459 BOTAN_ASSERT_NOMSG(m_certificate_types.size() == 1);
460 result.push_back(static_cast<uint8_t>(m_certificate_types.front()));
461 }
462 return result;
463}
464
467 BOTAN_ASSERT_NOMSG(from_server.m_from == Connection_Side::Server);
468
469 // RFC 7250 4.2
470 // The value conveyed in the [client_]certificate_type extension MUST be
471 // selected from one of the values provided in the [client_]certificate_type
472 // extension sent in the client hello.
473 if(!value_exists(m_certificate_types, from_server.selected_certificate_type())) {
474 throw TLS_Exception(Alert::IllegalParameter,
475 Botan::fmt("Selected certificate type was not offered: {}",
477 }
478}
479
482 BOTAN_ASSERT_NOMSG(m_certificate_types.size() == 1);
483 return m_certificate_types.front();
484}
485
486Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups) {}
487
488const std::vector<Group_Params>& Supported_Groups::groups() const {
489 return m_groups;
490}
491
492std::vector<Group_Params> Supported_Groups::ec_groups() const {
493 std::vector<Group_Params> ec;
494 for(auto g : m_groups) {
495 if(g.is_pure_ecc_group()) {
496 ec.push_back(g);
497 }
498 }
499 return ec;
500}
501
502std::vector<Group_Params> Supported_Groups::dh_groups() const {
503 std::vector<Group_Params> dh;
504 for(auto g : m_groups) {
505 if(g.is_in_ffdhe_range()) {
506 dh.push_back(g);
507 }
508 }
509 return dh;
510}
511
512std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const {
513 std::vector<uint8_t> buf(2);
514
515 for(auto g : m_groups) {
516 const uint16_t id = g.wire_code();
517
518 if(id > 0) {
519 buf.push_back(get_byte<0>(id));
520 buf.push_back(get_byte<1>(id));
521 }
522 }
523
524 buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size() - 2));
525 buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size() - 2));
526
527 return buf;
528}
529
530Supported_Groups::Supported_Groups(TLS_Data_Reader& reader, uint16_t extension_size) {
531 const uint16_t len = reader.get_uint16_t();
532
533 if(len + 2 != extension_size) {
534 throw Decoding_Error("Inconsistent length field in supported groups list");
535 }
536
537 if(len % 2 == 1) {
538 throw Decoding_Error("Supported groups list of strange size");
539 }
540
541 const size_t elems = len / 2;
542
543 for(size_t i = 0; i != elems; ++i) {
544 const auto group = static_cast<Group_Params>(reader.get_uint16_t());
545 // Note: RFC 8446 does not explicitly enforce that groups must be unique.
546 if(!value_exists(m_groups, group)) {
547 m_groups.push_back(group);
548 }
549 }
550}
551
552std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const {
553 // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
554 if(m_prefers_compressed) {
555 return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
556 } else {
557 return std::vector<uint8_t>{1, UNCOMPRESSED};
558 }
559}
560
562 uint8_t len = reader.get_byte();
563
564 if(len + 1 != extension_size) {
565 throw Decoding_Error("Inconsistent length field in supported point formats list");
566 }
567
568 bool includes_uncompressed = false;
569 for(size_t i = 0; i != len; ++i) {
570 uint8_t format = reader.get_byte();
571
572 if(static_cast<ECPointFormat>(format) == UNCOMPRESSED) {
573 m_prefers_compressed = false;
574 reader.discard_next(len - i - 1);
575 return;
576 } else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME) {
577 m_prefers_compressed = true;
578 std::vector<uint8_t> remaining_formats = reader.get_fixed<uint8_t>(len - i - 1);
579 includes_uncompressed =
580 std::any_of(std::begin(remaining_formats), std::end(remaining_formats), [](uint8_t remaining_format) {
581 return static_cast<ECPointFormat>(remaining_format) == UNCOMPRESSED;
582 });
583 break;
584 }
585
586 // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
587 }
588
589 // RFC 4492 5.1.:
590 // If the Supported Point Formats Extension is indeed sent, it MUST contain the value 0 (uncompressed)
591 // as one of the items in the list of point formats.
592 // Note:
593 // RFC 8422 5.1.2. explicitly requires this check,
594 // but only if the Supported Groups extension was sent.
595 if(!includes_uncompressed) {
596 throw TLS_Exception(Alert::IllegalParameter,
597 "Supported Point Formats Extension must contain the uncompressed point format");
598 }
599}
600
601namespace {
602
603std::vector<uint8_t> serialize_signature_algorithms(const std::vector<Signature_Scheme>& schemes) {
604 BOTAN_ASSERT(schemes.size() < 256, "Too many signature schemes");
605
606 std::vector<uint8_t> buf;
607
608 const uint16_t len = static_cast<uint16_t>(schemes.size() * 2);
609
610 buf.push_back(get_byte<0>(len));
611 buf.push_back(get_byte<1>(len));
612
613 for(Signature_Scheme scheme : schemes) {
614 buf.push_back(get_byte<0>(scheme.wire_code()));
615 buf.push_back(get_byte<1>(scheme.wire_code()));
616 }
617
618 return buf;
619}
620
621std::vector<Signature_Scheme> parse_signature_algorithms(TLS_Data_Reader& reader, uint16_t extension_size) {
622 uint16_t len = reader.get_uint16_t();
623
624 if(len + 2 != extension_size || len % 2 == 1 || len == 0) {
625 throw Decoding_Error("Bad encoding on signature algorithms extension");
626 }
627
628 std::vector<Signature_Scheme> schemes;
629 schemes.reserve(len / 2);
630 while(len) {
631 schemes.emplace_back(reader.get_uint16_t());
632 len -= 2;
633 }
634
635 return schemes;
636}
637
638} // namespace
639
640std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const {
641 return serialize_signature_algorithms(m_schemes);
642}
643
645 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
646
647std::vector<uint8_t> Signature_Algorithms_Cert::serialize(Connection_Side /*whoami*/) const {
648 return serialize_signature_algorithms(m_schemes);
649}
650
652 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
653
655 m_ticket(Session_Ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))) {}
656
658 m_pp(reader.get_range<uint16_t>(2, 0, 65535)) {
659 const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
660
661 if(m_pp.size() * 2 + mki.size() + 3 != extension_size) {
662 throw Decoding_Error("Bad encoding for SRTP protection extension");
663 }
664
665 if(!mki.empty()) {
666 throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
667 }
668}
669
670std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const {
671 std::vector<uint8_t> buf;
672
673 const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
674 buf.push_back(get_byte<0>(pp_len));
675 buf.push_back(get_byte<1>(pp_len));
676
677 for(uint16_t pp : m_pp) {
678 buf.push_back(get_byte<0>(pp));
679 buf.push_back(get_byte<1>(pp));
680 }
681
682 buf.push_back(0); // srtp_mki, always empty here
683
684 return buf;
685}
686
688 if(extension_size != 0) {
689 throw Decoding_Error("Invalid extended_master_secret extension");
690 }
691}
692
693std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const {
694 return std::vector<uint8_t>();
695}
696
697Encrypt_then_MAC::Encrypt_then_MAC(TLS_Data_Reader& /*unused*/, uint16_t extension_size) {
698 if(extension_size != 0) {
699 throw Decoding_Error("Invalid encrypt_then_mac extension");
700 }
701}
702
703std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const {
704 return std::vector<uint8_t>();
705}
706
707std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const {
708 std::vector<uint8_t> buf;
709
710 if(whoami == Connection_Side::Server) {
711 BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
712 buf.push_back(m_versions[0].major_version());
713 buf.push_back(m_versions[0].minor_version());
714 } else {
715 BOTAN_ASSERT_NOMSG(!m_versions.empty());
716 const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
717
718 buf.push_back(len);
719
720 for(Protocol_Version version : m_versions) {
721 buf.push_back(version.major_version());
722 buf.push_back(version.minor_version());
723 }
724 }
725
726 return buf;
727}
728
730 if(offer.is_datagram_protocol()) {
731#if defined(BOTAN_HAS_TLS_12)
732 if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12()) {
733 m_versions.push_back(Protocol_Version::DTLS_V12);
734 }
735#endif
736 } else {
737#if defined(BOTAN_HAS_TLS_13)
738 if(offer >= Protocol_Version::TLS_V13 && policy.allow_tls13()) {
739 m_versions.push_back(Protocol_Version::TLS_V13);
740 }
741#endif
742#if defined(BOTAN_HAS_TLS_12)
743 if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12()) {
744 m_versions.push_back(Protocol_Version::TLS_V12);
745 }
746#endif
747 }
748}
749
751 if(from == Connection_Side::Server) {
752 if(extension_size != 2) {
753 throw Decoding_Error("Server sent invalid supported_versions extension");
754 }
755 m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
756 } else {
757 auto versions = reader.get_range<uint16_t>(1, 1, 127);
758
759 for(auto v : versions) {
760 m_versions.push_back(Protocol_Version(v));
761 }
762
763 if(extension_size != 1 + 2 * versions.size()) {
764 throw Decoding_Error("Client sent invalid supported_versions extension");
765 }
766 }
767}
768
770 for(auto v : m_versions) {
771 if(version == v) {
772 return true;
773 }
774 }
775 return false;
776}
777
778Record_Size_Limit::Record_Size_Limit(const uint16_t limit) : m_limit(limit) {
779 BOTAN_ASSERT(limit >= 64, "RFC 8449 does not allow record size limits smaller than 64 bytes");
780 BOTAN_ASSERT(limit <= MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */,
781 "RFC 8449 does not allow record size limits larger than 2^14+1");
782}
783
785 if(extension_size != 2) {
786 throw TLS_Exception(Alert::DecodeError, "invalid record_size_limit extension");
787 }
788
789 m_limit = reader.get_uint16_t();
790
791 // RFC 8449 4.
792 // This value is the length of the plaintext of a protected record.
793 // The value includes the content type and padding added in TLS 1.3 (that
794 // is, the complete length of TLSInnerPlaintext).
795 //
796 // A server MUST NOT enforce this restriction; a client might advertise
797 // a higher limit that is enabled by an extension or version the server
798 // does not understand. A client MAY abort the handshake with an
799 // "illegal_parameter" alert.
800 //
801 // Note: We are currently supporting this extension in TLS 1.3 only, hence
802 // we check for the TLS 1.3 limit. The TLS 1.2 limit would not include
803 // the "content type byte" and hence be one byte less!
804 if(m_limit > MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */ && from == Connection_Side::Server) {
805 throw TLS_Exception(Alert::IllegalParameter,
806 "Server requested a record size limit larger than the protocol's maximum");
807 }
808
809 // RFC 8449 4.
810 // Endpoints MUST NOT send a "record_size_limit" extension with a value
811 // smaller than 64. An endpoint MUST treat receipt of a smaller value
812 // as a fatal error and generate an "illegal_parameter" alert.
813 if(m_limit < 64) {
814 throw TLS_Exception(Alert::IllegalParameter, "Received a record size limit smaller than 64 bytes");
815 }
816}
817
819 std::vector<uint8_t> buf;
820
821 buf.push_back(get_byte<0>(m_limit));
822 buf.push_back(get_byte<1>(m_limit));
823
824 return buf;
825}
826
827#if defined(BOTAN_HAS_TLS_13)
828Cookie::Cookie(const std::vector<uint8_t>& cookie) : m_cookie(cookie) {}
829
830Cookie::Cookie(TLS_Data_Reader& reader, uint16_t extension_size) {
831 if(extension_size == 0) {
832 return;
833 }
834
835 const uint16_t len = reader.get_uint16_t();
836
837 if(len == 0) {
838 // Based on RFC 8446 4.2.2, len of the Cookie buffer must be at least 1
839 throw Decoding_Error("Cookie length must be at least 1 byte");
840 }
841
842 if(len > reader.remaining_bytes()) {
843 throw Decoding_Error("Not enough bytes in the buffer to decode Cookie");
844 }
845
846 for(size_t i = 0; i < len; ++i) {
847 m_cookie.push_back(reader.get_byte());
848 }
849}
850
851std::vector<uint8_t> Cookie::serialize(Connection_Side /*whoami*/) const {
852 std::vector<uint8_t> buf;
853
854 const uint16_t len = static_cast<uint16_t>(m_cookie.size());
855
856 buf.push_back(get_byte<0>(len));
857 buf.push_back(get_byte<1>(len));
858
859 for(const auto& cookie_byte : m_cookie) {
860 buf.push_back(cookie_byte);
861 }
862
863 return buf;
864}
865
867 std::vector<uint8_t> buf;
868
869 BOTAN_ASSERT_NOMSG(m_modes.size() < 256);
870 buf.push_back(static_cast<uint8_t>(m_modes.size()));
871 for(const auto& mode : m_modes) {
872 buf.push_back(static_cast<uint8_t>(mode));
873 }
874
875 return buf;
876}
877
879 if(extension_size < 2) {
880 throw Decoding_Error("Empty psk_key_exchange_modes extension is illegal");
881 }
882
883 const auto mode_count = reader.get_byte();
884 for(uint16_t i = 0; i < mode_count; ++i) {
885 const auto mode = static_cast<PSK_Key_Exchange_Mode>(reader.get_byte());
887 m_modes.push_back(mode);
888 }
889 }
890}
891
893 std::vector<uint8_t> out;
894 std::vector<uint8_t> dn_list;
895
896 for(const auto& dn : m_distinguished_names) {
897 std::vector<uint8_t> encoded_dn;
898 auto encoder = DER_Encoder(encoded_dn);
899 dn.encode_into(encoder);
900 append_tls_length_value(dn_list, encoded_dn, 2);
901 }
902
903 append_tls_length_value(out, dn_list, 2);
904
905 return out;
906}
907
909 if(extension_size < 2) {
910 throw Decoding_Error("Empty certificate_authorities extension is illegal");
911 }
912
913 const uint16_t purported_size = reader.get_uint16_t();
914
915 if(reader.remaining_bytes() != purported_size) {
916 throw Decoding_Error("Inconsistent length in certificate_authorities extension");
917 }
918
919 while(reader.has_remaining()) {
920 std::vector<uint8_t> name_bits = reader.get_tls_length_value(2);
921
922 BER_Decoder decoder(name_bits.data(), name_bits.size());
923 m_distinguished_names.emplace_back();
924 decoder.decode(m_distinguished_names.back());
925 }
926}
927
928Certificate_Authorities::Certificate_Authorities(std::vector<X509_DN> acceptable_DNs) :
929 m_distinguished_names(std::move(acceptable_DNs)) {}
930
932 std::vector<uint8_t> result;
933 if(m_max_early_data_size.has_value()) {
934 const auto max_data = m_max_early_data_size.value();
935 result.push_back(get_byte<0>(max_data));
936 result.push_back(get_byte<1>(max_data));
937 result.push_back(get_byte<2>(max_data));
938 result.push_back(get_byte<3>(max_data));
939 }
940 return result;
941}
942
944 uint16_t extension_size,
945 Handshake_Type message_type) {
946 if(message_type == Handshake_Type::NewSessionTicket) {
947 if(extension_size != 4) {
948 throw TLS_Exception(Alert::DecodeError,
949 "Received an early_data extension in a NewSessionTicket message "
950 "without maximum early data size indication");
951 }
952
953 m_max_early_data_size = reader.get_uint32_t();
954 } else if(extension_size != 0) {
955 throw TLS_Exception(Alert::DecodeError,
956 "Received an early_data extension containing an unexpected data "
957 "size indication");
958 }
959}
960
962 // This extension may be empty by definition but still carry information
963 return false;
964}
965
966#endif
967} // namespace Botan::TLS
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:41
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:29
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
BER_Decoder & decode(bool &out)
Definition ber_dec.h:186
Application_Layer_Protocol_Notification(std::string_view protocol)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Certificate_Authorities(TLS_Data_Reader &reader, uint16_t extension_size)
Certificate_Type selected_certificate_type() const
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
void validate_selection(const Certificate_Type_Base &from_server) const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Client_Certificate_Type(const Client_Certificate_Type &cct, const Policy &policy)
Cookie(const std::vector< uint8_t > &cookie)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
EarlyDataIndication(TLS_Data_Reader &reader, uint16_t extension_size, Handshake_Type message_type)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual Extension_Code type() const =0
std::vector< uint8_t > serialize(Connection_Side whoami) const
void deserialize(TLS_Data_Reader &reader, Connection_Side from, Handshake_Type message_type)
decltype(auto) take()
std::set< Extension_Code > extension_types() const
void add(std::unique_ptr< Extension > extn)
bool contains_other_than(const std::set< Extension_Code > &allowed_extensions, bool allow_unknown_extensions=false) const
PSK_Key_Exchange_Modes(std::vector< PSK_Key_Exchange_Mode > modes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual bool allow_tls12() const
virtual bool allow_tls13() const
virtual bool allow_dtls12() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Certificate_Type(const Server_Certificate_Type &sct, const Policy &policy)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Name_Indicator(std::string_view host_name)
Signature_Algorithms_Cert(std::vector< Signature_Scheme > schemes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Signature_Algorithms(std::vector< Signature_Scheme > schemes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Groups(const std::vector< Group_Params > &groups)
std::vector< Group_Params > ec_groups() const
const std::vector< Group_Params > & groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< Group_Params > dh_groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Point_Formats(bool prefer_compressed)
bool supports(Protocol_Version version) const
Supported_Versions(Protocol_Version version, const Policy &policy)
const std::vector< Protocol_Version > & versions() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition tls_reader.h:118
void discard_next(size_t bytes)
Definition tls_reader.h:47
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition tls_reader.h:105
size_t remaining_bytes() const
Definition tls_reader.h:37
std::vector< uint8_t > get_tls_length_value(size_t len_bytes)
Definition tls_reader.h:100
std::vector< T > get_fixed(size_t size)
Definition tls_reader.h:125
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Unknown_Extension(Extension_Code type, TLS_Data_Reader &reader, uint16_t extension_size)
std::string certificate_type_to_string(Certificate_Type type)
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:180
@ MAX_PLAINTEXT_SIZE
Definition tls_magic.h:30
Certificate_Type certificate_type_from_string(const std::string &type_str)
constexpr uint8_t get_byte(T input)
Definition loadstor.h:75
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:60
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:273