13#include <botan/tls_extensions.h>
15#include <botan/ber_dec.h>
16#include <botan/der_enc.h>
17#include <botan/tls_exceptn.h>
18#include <botan/tls_policy.h>
19#include <botan/internal/mem_utils.h>
20#include <botan/internal/stl_util.h>
21#include <botan/internal/tls_reader.h>
36 const uint16_t size =
static_cast<uint16_t
>(reader.remaining_bytes());
39 return std::make_unique<Server_Name_Indicator>(reader, size);
42 return std::make_unique<Supported_Groups>(reader, size);
45 return std::make_unique<Certificate_Status_Request>(reader, size, message_type, from);
48 return std::make_unique<Supported_Point_Formats>(reader, size);
51 return std::make_unique<Renegotiation_Extension>(reader, size);
54 return std::make_unique<Signature_Algorithms>(reader, size);
57 return std::make_unique<Signature_Algorithms_Cert>(reader, size);
60 return std::make_unique<SRTP_Protection_Profiles>(reader, size);
63 return std::make_unique<Application_Layer_Protocol_Notification>(reader, size, from);
66 return std::make_unique<Client_Certificate_Type>(reader, size, from);
69 return std::make_unique<Server_Certificate_Type>(reader, size, from);
72 return std::make_unique<Extended_Master_Secret>(reader, size);
75 return std::make_unique<Record_Size_Limit>(reader, size, from);
78 return std::make_unique<Encrypt_then_MAC>(reader, size);
81 return std::make_unique<Session_Ticket_Extension>(reader, size);
84 return std::make_unique<Supported_Versions>(reader, size, from);
86#if defined(BOTAN_HAS_TLS_13)
88 return std::make_unique<PSK>(reader, size, message_type);
91 return std::make_unique<EarlyDataIndication>(reader, size, message_type);
94 return std::make_unique<Cookie>(reader, size);
97 return std::make_unique<PSK_Key_Exchange_Modes>(reader, size);
100 return std::make_unique<Certificate_Authorities>(reader, size);
103 return std::make_unique<Key_Share>(reader, size, message_type);
107 return std::make_unique<Unknown_Extension>(code, reader, size);
116 std::find_if(m_extensions.cbegin(), m_extensions.cend(), [type](
const auto& ext) { return ext->type() == type; });
118 return (i != m_extensions.end()) ? i->get() :
nullptr;
122 if(
has(extn->type())) {
124 std::to_string(
static_cast<uint16_t
>(extn->type())));
127 m_extensions.emplace_back(extn.release());
144 if(this->
has(type)) {
145 throw TLS_Exception(TLS::Alert::DecodeError,
"Peer sent duplicated extensions");
150 const std::vector<uint8_t> extn_data = reader.
get_fixed<uint8_t>(extension_size);
152 this->
add(make_extension(extn_reader, type, from, message_type));
153 extn_reader.assert_done();
159 const bool allow_unknown_extensions)
const {
162 std::vector<Extension_Code> diff;
164 found.cbegin(), found.end(), allowed_extensions.cbegin(), allowed_extensions.cend(), std::back_inserter(diff));
166 if(allow_unknown_extensions) {
169 const auto itr = std::find_if(diff.cbegin(), diff.cend(), [
this](
const auto ext_type) {
170 const auto ext = get(ext_type);
171 return ext && ext->is_implemented();
175 return itr != diff.cend();
178 return !diff.empty();
183 std::find_if(m_extensions.begin(), m_extensions.end(), [type](
const auto& ext) { return ext->type() == type; });
185 std::unique_ptr<Extension> result;
186 if(i != m_extensions.end()) {
187 std::swap(result, *i);
188 m_extensions.erase(i);
195 std::vector<uint8_t> buf(2);
197 for(
const auto& extn : m_extensions) {
202 const uint16_t extn_code =
static_cast<uint16_t
>(extn->type());
204 const std::vector<uint8_t> extn_val = extn->serialize(whoami);
209 buf.push_back(
get_byte<0>(
static_cast<uint16_t
>(extn_val.size())));
210 buf.push_back(
get_byte<1>(
static_cast<uint16_t
>(extn_val.size())));
215 const uint16_t extn_size =
static_cast<uint16_t
>(buf.size() - 2);
221 if(buf.size() == 2) {
222 return std::vector<uint8_t>();
229 std::set<Extension_Code> offers;
231 m_extensions.cbegin(), m_extensions.cend(), std::inserter(offers, offers.begin()), [](
const auto& ext) {
238 m_type(
type), m_value(reader.get_fixed<uint8_t>(extension_size)) {}
248 if(extension_size == 0) {
254 if(name_bytes + 2 != extension_size) {
258 while(name_bytes > 0) {
259 uint8_t name_type = reader.
get_byte();
264 m_sni_host_name = reader.
get_string(2, 1, 65535);
265 name_bytes -=
static_cast<uint16_t
>(2 + m_sni_host_name.size());
283 std::vector<uint8_t> buf;
285 size_t name_len = m_sni_host_name.size();
287 buf.push_back(
get_byte<0>(
static_cast<uint16_t
>(name_len + 3)));
288 buf.push_back(
get_byte<1>(
static_cast<uint16_t
>(name_len + 3)));
291 buf.push_back(
get_byte<0>(
static_cast<uint16_t
>(name_len)));
292 buf.push_back(
get_byte<1>(
static_cast<uint16_t
>(name_len)));
300 m_reneg_data(reader.get_range<uint8_t>(1, 0, 255)) {
301 if(m_reneg_data.size() + 1 != extension_size) {
302 throw Decoding_Error(
"Bad encoding for secure renegotiation extn");
307 std::vector<uint8_t> buf;
313 uint16_t extension_size,
315 if(extension_size == 0) {
321 size_t bytes_remaining = extension_size - 2;
323 if(name_bytes != bytes_remaining) {
324 throw Decoding_Error(
"Bad encoding of ALPN extension, bad length field");
327 while(bytes_remaining > 0) {
328 const std::string p = reader.
get_string(1, 0, 255);
330 if(bytes_remaining < p.size() + 1) {
331 throw Decoding_Error(
"Bad encoding of ALPN, length field too long");
338 bytes_remaining -= (p.size() + 1);
340 m_protocols.push_back(p);
350 "Server sent " + std::to_string(m_protocols.size()) +
" protocols in ALPN extension response");
356 return m_protocols.front();
360 std::vector<uint8_t> buf(2);
362 for(
auto&& proto : m_protocols) {
363 if(proto.length() >= 256) {
364 throw TLS_Exception(Alert::InternalError,
"ALPN name too long");
371 buf[0] =
get_byte<0>(
static_cast<uint16_t
>(buf.size() - 2));
372 buf[1] =
get_byte<1>(
static_cast<uint16_t
>(buf.size() - 2));
382 return "RawPublicKey";
389 if(type_str ==
"X509") {
391 }
else if(type_str ==
"RawPublicKey") {
400 BOTAN_ARG_CHECK(!m_certificate_types.empty(),
"at least one certificate type must be supported");
410 const std::vector<Certificate_Type>& server_preference) :
418 for(
const auto server_supported_cert_type : server_preference) {
419 if(
value_exists(certificate_type_from_client.m_certificate_types, server_supported_cert_type)) {
420 m_certificate_types.push_back(server_supported_cert_type);
430 throw TLS_Exception(Alert::UnsupportedCertificate,
"Failed to agree on certificate_type");
435 if(extension_size == 0) {
436 throw Decoding_Error(
"Certificate type extension cannot be empty");
441 if(
static_cast<size_t>(extension_size) != type_bytes.size() + 1) {
442 throw Decoding_Error(
"certificate type extension had inconsistent length");
445 type_bytes.begin(), type_bytes.end(), std::back_inserter(m_certificate_types), [](
const auto type_byte) {
446 return static_cast<Certificate_Type>(type_byte);
452 if(extension_size != 1) {
453 throw Decoding_Error(
"Server's certificate type extension must be of length 1");
455 const auto type_byte = reader.
get_byte();
461 std::vector<uint8_t> result;
463 std::vector<uint8_t> type_bytes;
465 m_certificate_types.begin(), m_certificate_types.end(), std::back_inserter(type_bytes), [](
const auto type) {
466 return static_cast<uint8_t>(type);
471 result.push_back(
static_cast<uint8_t
>(m_certificate_types.front()));
486 Botan::fmt(
"Selected certificate type was not offered: {}",
494 return m_certificate_types.front();
504 std::vector<Group_Params> ec;
505 for(
auto g : m_groups) {
506 if(g.is_pure_ecc_group()) {
514 std::vector<Group_Params> dh;
515 for(
auto g : m_groups) {
516 if(g.is_in_ffdhe_range()) {
524 std::vector<uint8_t> buf(2);
526 for(
auto g : m_groups) {
527 const uint16_t
id = g.wire_code();
535 buf[0] =
get_byte<0>(
static_cast<uint16_t
>(buf.size() - 2));
536 buf[1] =
get_byte<1>(
static_cast<uint16_t
>(buf.size() - 2));
544 if(len + 2 != extension_size) {
545 throw Decoding_Error(
"Inconsistent length field in supported groups list");
552 const size_t elems = len / 2;
554 for(
size_t i = 0; i != elems; ++i) {
558 m_groups.push_back(group);
565 if(m_prefers_compressed) {
575 if(len + 1 != extension_size) {
576 throw Decoding_Error(
"Inconsistent length field in supported point formats list");
579 bool includes_uncompressed =
false;
580 for(
size_t i = 0; i != len; ++i) {
584 m_prefers_compressed =
false;
588 m_prefers_compressed =
true;
589 std::vector<uint8_t> remaining_formats = reader.
get_fixed<uint8_t>(len - i - 1);
590 includes_uncompressed =
591 std::any_of(std::begin(remaining_formats), std::end(remaining_formats), [](uint8_t remaining_format) {
606 if(!includes_uncompressed) {
608 "Supported Point Formats Extension must contain the uncompressed point format");
614std::vector<uint8_t> serialize_signature_algorithms(
const std::vector<Signature_Scheme>& schemes) {
615 BOTAN_ASSERT(schemes.size() < 256,
"Too many signature schemes");
617 std::vector<uint8_t> buf;
619 const uint16_t len =
static_cast<uint16_t
>(schemes.size() * 2);
632std::vector<Signature_Scheme> parse_signature_algorithms(TLS_Data_Reader& reader, uint16_t extension_size) {
633 uint16_t len = reader.get_uint16_t();
635 if(len + 2 != extension_size || len % 2 == 1 || len == 0) {
636 throw Decoding_Error(
"Bad encoding on signature algorithms extension");
639 std::vector<Signature_Scheme> schemes;
640 schemes.reserve(len / 2);
642 schemes.emplace_back(reader.get_uint16_t());
652 return serialize_signature_algorithms(m_schemes);
656 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
659 return serialize_signature_algorithms(m_schemes);
663 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
666 m_ticket(
Session_Ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))) {}
669 m_pp(reader.get_range<uint16_t>(2, 0, 65535)) {
670 const std::vector<uint8_t> mki = reader.
get_range<uint8_t>(1, 0, 255);
672 if(m_pp.size() * 2 + mki.size() + 3 != extension_size) {
673 throw Decoding_Error(
"Bad encoding for SRTP protection extension");
677 throw Decoding_Error(
"Unhandled non-empty MKI for SRTP protection extension");
682 std::vector<uint8_t> buf;
684 const uint16_t pp_len =
static_cast<uint16_t
>(m_pp.size() * 2);
688 for(uint16_t pp : m_pp) {
699 if(extension_size != 0) {
705 return std::vector<uint8_t>();
709 if(extension_size != 0) {
715 return std::vector<uint8_t>();
719 std::vector<uint8_t> buf;
723 buf.push_back(m_versions[0].major_version());
724 buf.push_back(m_versions[0].minor_version());
727 const uint8_t len =
static_cast<uint8_t
>(m_versions.size() * 2);
732 buf.push_back(version.major_version());
733 buf.push_back(version.minor_version());
742#if defined(BOTAN_HAS_TLS_12)
743 if(offer >= Protocol_Version::DTLS_V12 && policy.
allow_dtls12()) {
744 m_versions.push_back(Protocol_Version::DTLS_V12);
748#if defined(BOTAN_HAS_TLS_13)
749 if(offer >= Protocol_Version::TLS_V13 && policy.
allow_tls13()) {
750 m_versions.push_back(Protocol_Version::TLS_V13);
753#if defined(BOTAN_HAS_TLS_12)
754 if(offer >= Protocol_Version::TLS_V12 && policy.
allow_tls12()) {
755 m_versions.push_back(Protocol_Version::TLS_V12);
763 if(extension_size != 2) {
764 throw Decoding_Error(
"Server sent invalid supported_versions extension");
774 if(extension_size != 1 + 2 *
versions.size()) {
775 throw Decoding_Error(
"Client sent invalid supported_versions extension");
781 for(
auto v : m_versions) {
790 BOTAN_ASSERT(
limit >= 64,
"RFC 8449 does not allow record size limits smaller than 64 bytes");
792 "RFC 8449 does not allow record size limits larger than 2^14+1");
796 if(extension_size != 2) {
797 throw TLS_Exception(Alert::DecodeError,
"invalid record_size_limit extension");
817 "Server requested a record size limit larger than the protocol's maximum");
825 throw TLS_Exception(Alert::IllegalParameter,
"Received a record size limit smaller than 64 bytes");
830 std::vector<uint8_t> buf;
838#if defined(BOTAN_HAS_TLS_13)
842 if(extension_size == 0) {
854 throw Decoding_Error(
"Not enough bytes in the buffer to decode Cookie");
857 for(
size_t i = 0; i < len; ++i) {
858 m_cookie.push_back(reader.
get_byte());
863 std::vector<uint8_t> buf;
865 const uint16_t len =
static_cast<uint16_t
>(m_cookie.size());
870 for(
const auto& cookie_byte : m_cookie) {
871 buf.push_back(cookie_byte);
878 std::vector<uint8_t> buf;
881 buf.push_back(
static_cast<uint8_t
>(m_modes.size()));
882 for(
const auto& mode : m_modes) {
883 buf.push_back(
static_cast<uint8_t
>(mode));
890 if(extension_size < 2) {
891 throw Decoding_Error(
"Empty psk_key_exchange_modes extension is illegal");
894 const auto mode_count = reader.
get_byte();
895 for(uint16_t i = 0; i < mode_count; ++i) {
898 m_modes.push_back(mode);
904 std::vector<uint8_t> out;
905 std::vector<uint8_t> dn_list;
907 for(
const auto& dn : m_distinguished_names) {
908 std::vector<uint8_t> encoded_dn;
910 dn.encode_into(encoder);
920 if(extension_size < 2) {
921 throw Decoding_Error(
"Empty certificate_authorities extension is illegal");
927 throw Decoding_Error(
"Inconsistent length in certificate_authorities extension");
933 BER_Decoder decoder(name_bits.data(), name_bits.size());
934 m_distinguished_names.emplace_back();
935 decoder.
decode(m_distinguished_names.back());
940 m_distinguished_names(std::move(acceptable_DNs)) {}
943 std::vector<uint8_t> result;
944 if(m_max_early_data_size.has_value()) {
945 const auto max_data = m_max_early_data_size.value();
955 uint16_t extension_size,
958 if(extension_size != 4) {
960 "Received an early_data extension in a NewSessionTicket message "
961 "without maximum early data size indication");
965 }
else if(extension_size != 0) {
967 "Received an early_data extension containing an unexpected data "
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_ARG_CHECK(expr, msg)
#define BOTAN_ASSERT(expr, assertion_made)
BER_Decoder & decode(bool &out)
Application_Layer_Protocol_Notification(std::string_view protocol)
std::string single_protocol() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Certificate_Authorities(TLS_Data_Reader &reader, uint16_t extension_size)
Certificate_Type selected_certificate_type() const
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
void validate_selection(const Certificate_Type_Base &from_server) const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Client_Certificate_Type(const Client_Certificate_Type &cct, const Policy &policy)
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
Cookie(const std::vector< uint8_t > &cookie)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
EarlyDataIndication(TLS_Data_Reader &reader, uint16_t extension_size, Handshake_Type message_type)
bool empty() const override
Encrypt_then_MAC()=default
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Extended_Master_Secret()=default
virtual Extension_Code type() const =0
std::vector< uint8_t > serialize(Connection_Side whoami) const
void deserialize(TLS_Data_Reader &reader, Connection_Side from, Handshake_Type message_type)
std::set< Extension_Code > extension_types() const
void add(std::unique_ptr< Extension > extn)
bool contains_other_than(const std::set< Extension_Code > &allowed_extensions, bool allow_unknown_extensions=false) const
PSK_Key_Exchange_Modes(std::vector< PSK_Key_Exchange_Mode > modes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual bool allow_tls12() const
virtual bool allow_tls13() const
virtual bool allow_dtls12() const
bool is_datagram_protocol() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Record_Size_Limit(uint16_t limit)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Renegotiation_Extension()=default
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Certificate_Type(const Server_Certificate_Type &sct, const Policy &policy)
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Name_Indicator(std::string_view host_name)
Session_Ticket_Extension()=default
Signature_Algorithms_Cert(std::vector< Signature_Scheme > schemes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Signature_Algorithms(std::vector< Signature_Scheme > schemes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Groups(const std::vector< Group_Params > &groups)
std::vector< Group_Params > ec_groups() const
const std::vector< Group_Params > & groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< Group_Params > dh_groups() const
bool supports(Protocol_Version version) const
Supported_Versions(Protocol_Version version, const Policy &policy)
const std::vector< Protocol_Version > & versions() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
bool has_remaining() const
void discard_next(size_t bytes)
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
size_t remaining_bytes() const
std::vector< uint8_t > get_tls_length_value(size_t len_bytes)
std::vector< T > get_fixed(size_t size)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Unknown_Extension(Extension_Code type, TLS_Data_Reader &reader, uint16_t extension_size)
Extension_Code type() const override
std::string certificate_type_to_string(Certificate_Type type)
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
@ CertSignatureAlgorithms
@ ApplicationLayerProtocolNegotiation
@ CertificateStatusRequest
Certificate_Type certificate_type_from_string(const std::string &type_str)
Strong< std::vector< uint8_t >, struct Session_Ticket_ > Session_Ticket
holds a TLS 1.2 session ticket for stateless resumption
constexpr uint8_t get_byte(T input)
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
std::string fmt(std::string_view format, const T &... args)
bool value_exists(const std::vector< T > &vec, const OT &val)