Botan 3.2.0
Crypto and TLS for C&
tls_extensions.cpp
Go to the documentation of this file.
1/*
2* TLS Extensions
3* (C) 2011,2012,2015,2016 Jack Lloyd
4* 2016 Juraj Somorovsky
5* 2021 Elektrobit Automotive GmbH
6* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
7* 2023 Mateusz Berezecki
8*
9* Botan is released under the Simplified BSD License (see license.txt)
10*/
11
12#include <botan/tls_extensions.h>
13
14#include <botan/ber_dec.h>
15#include <botan/der_enc.h>
16#include <botan/tls_exceptn.h>
17#include <botan/tls_policy.h>
18#include <botan/internal/stl_util.h>
19#include <botan/internal/tls_reader.h>
20
21#include <iterator>
22
23namespace Botan::TLS {
24
25namespace {
26
27std::unique_ptr<Extension> make_extension(TLS_Data_Reader& reader,
28 Extension_Code code,
29 const Connection_Side from,
30 const Handshake_Type message_type) {
31 // This cast is safe because we read exactly a 16 bit length field for
32 // the extension in Extensions::deserialize
33 const uint16_t size = static_cast<uint16_t>(reader.remaining_bytes());
34 switch(code) {
35 case Extension_Code::ServerNameIndication:
36 return std::make_unique<Server_Name_Indicator>(reader, size);
37
38 case Extension_Code::SupportedGroups:
39 return std::make_unique<Supported_Groups>(reader, size);
40
41 case Extension_Code::CertificateStatusRequest:
42 return std::make_unique<Certificate_Status_Request>(reader, size, message_type, from);
43
44 case Extension_Code::EcPointFormats:
45 return std::make_unique<Supported_Point_Formats>(reader, size);
46
47 case Extension_Code::SafeRenegotiation:
48 return std::make_unique<Renegotiation_Extension>(reader, size);
49
50 case Extension_Code::SignatureAlgorithms:
51 return std::make_unique<Signature_Algorithms>(reader, size);
52
53 case Extension_Code::CertSignatureAlgorithms:
54 return std::make_unique<Signature_Algorithms_Cert>(reader, size);
55
56 case Extension_Code::UseSrtp:
57 return std::make_unique<SRTP_Protection_Profiles>(reader, size);
58
59 case Extension_Code::ApplicationLayerProtocolNegotiation:
60 return std::make_unique<Application_Layer_Protocol_Notification>(reader, size, from);
61
62 case Extension_Code::ExtendedMasterSecret:
63 return std::make_unique<Extended_Master_Secret>(reader, size);
64
65 case Extension_Code::RecordSizeLimit:
66 return std::make_unique<Record_Size_Limit>(reader, size, from);
67
68 case Extension_Code::EncryptThenMac:
69 return std::make_unique<Encrypt_then_MAC>(reader, size);
70
71 case Extension_Code::SessionTicket:
72 return std::make_unique<Session_Ticket_Extension>(reader, size);
73
74 case Extension_Code::SupportedVersions:
75 return std::make_unique<Supported_Versions>(reader, size, from);
76
77#if defined(BOTAN_HAS_TLS_13)
78 case Extension_Code::PresharedKey:
79 return std::make_unique<PSK>(reader, size, message_type);
80
81 case Extension_Code::EarlyData:
82 return std::make_unique<EarlyDataIndication>(reader, size, message_type);
83
84 case Extension_Code::Cookie:
85 return std::make_unique<Cookie>(reader, size);
86
87 case Extension_Code::PskKeyExchangeModes:
88 return std::make_unique<PSK_Key_Exchange_Modes>(reader, size);
89
90 case Extension_Code::CertificateAuthorities:
91 return std::make_unique<Certificate_Authorities>(reader, size);
92
93 case Extension_Code::KeyShare:
94 return std::make_unique<Key_Share>(reader, size, message_type);
95#endif
96 }
97
98 return std::make_unique<Unknown_Extension>(static_cast<Extension_Code>(code), reader, size);
99}
100
101} // namespace
102
103void Extensions::add(std::unique_ptr<Extension> extn) {
104 if(has(extn->type())) {
105 throw Invalid_Argument("cannot add the same extension twice: " +
106 std::to_string(static_cast<uint16_t>(extn->type())));
107 }
108
109 m_extensions.emplace_back(extn.release());
110}
111
112void Extensions::deserialize(TLS_Data_Reader& reader, const Connection_Side from, const Handshake_Type message_type) {
113 if(reader.has_remaining()) {
114 const uint16_t all_extn_size = reader.get_uint16_t();
115
116 if(reader.remaining_bytes() != all_extn_size) {
117 throw Decoding_Error("Bad extension size");
118 }
119
120 while(reader.has_remaining()) {
121 const uint16_t extension_code = reader.get_uint16_t();
122 const uint16_t extension_size = reader.get_uint16_t();
123
124 const auto type = static_cast<Extension_Code>(extension_code);
125
126 if(this->has(type)) {
127 throw TLS_Exception(TLS::Alert::DecodeError, "Peer sent duplicated extensions");
128 }
129
130 // TODO offer a function on reader that returns a byte range as a reference
131 // to avoid this copy of the extension data
132 const std::vector<uint8_t> extn_data = reader.get_fixed<uint8_t>(extension_size);
133 TLS_Data_Reader extn_reader("Extension", extn_data);
134 this->add(make_extension(extn_reader, type, from, message_type));
135 extn_reader.assert_done();
136 }
137 }
138}
139
140bool Extensions::contains_other_than(const std::set<Extension_Code>& allowed_extensions,
141 const bool allow_unknown_extensions) const {
142 const auto found = extension_types();
143
144 std::vector<Extension_Code> diff;
145 std::set_difference(
146 found.cbegin(), found.end(), allowed_extensions.cbegin(), allowed_extensions.cend(), std::back_inserter(diff));
147
148 if(allow_unknown_extensions) {
149 // Go through the found unexpected extensions whether any of those
150 // is known to this TLS implementation.
151 const auto itr = std::find_if(diff.cbegin(), diff.cend(), [this](const auto ext_type) {
152 const auto ext = get(ext_type);
153 return ext && ext->is_implemented();
154 });
155
156 // ... if yes, `contains_other_than` is true
157 return itr != diff.cend();
158 }
159
160 return !diff.empty();
161}
162
163std::unique_ptr<Extension> Extensions::take(Extension_Code type) {
164 const auto i =
165 std::find_if(m_extensions.begin(), m_extensions.end(), [type](const auto& ext) { return ext->type() == type; });
166
167 std::unique_ptr<Extension> result;
168 if(i != m_extensions.end()) {
169 std::swap(result, *i);
170 m_extensions.erase(i);
171 }
172
173 return result;
174}
175
176std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const {
177 std::vector<uint8_t> buf(2); // 2 bytes for length field
178
179 for(const auto& extn : m_extensions) {
180 if(extn->empty()) {
181 continue;
182 }
183
184 const uint16_t extn_code = static_cast<uint16_t>(extn->type());
185
186 const std::vector<uint8_t> extn_val = extn->serialize(whoami);
187
188 buf.push_back(get_byte<0>(extn_code));
189 buf.push_back(get_byte<1>(extn_code));
190
191 buf.push_back(get_byte<0>(static_cast<uint16_t>(extn_val.size())));
192 buf.push_back(get_byte<1>(static_cast<uint16_t>(extn_val.size())));
193
194 buf += extn_val;
195 }
196
197 const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
198
199 buf[0] = get_byte<0>(extn_size);
200 buf[1] = get_byte<1>(extn_size);
201
202 // avoid sending a completely empty extensions block
203 if(buf.size() == 2) {
204 return std::vector<uint8_t>();
205 }
206
207 return buf;
208}
209
210std::set<Extension_Code> Extensions::extension_types() const {
211 std::set<Extension_Code> offers;
212 std::transform(
213 m_extensions.cbegin(), m_extensions.cend(), std::inserter(offers, offers.begin()), [](const auto& ext) {
214 return ext->type();
215 });
216 return offers;
217}
218
219Unknown_Extension::Unknown_Extension(Extension_Code type, TLS_Data_Reader& reader, uint16_t extension_size) :
220 m_type(type), m_value(reader.get_fixed<uint8_t>(extension_size)) {}
221
222std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const {
223 return m_value;
224}
225
226Server_Name_Indicator::Server_Name_Indicator(TLS_Data_Reader& reader, uint16_t extension_size) {
227 /*
228 * This is used by the server to confirm that it knew the name
229 */
230 if(extension_size == 0) {
231 return;
232 }
233
234 uint16_t name_bytes = reader.get_uint16_t();
235
236 if(name_bytes + 2 != extension_size) {
237 throw Decoding_Error("Bad encoding of SNI extension");
238 }
239
240 while(name_bytes) {
241 uint8_t name_type = reader.get_byte();
242 name_bytes--;
243
244 if(name_type == 0) // DNS
245 {
246 m_sni_host_name = reader.get_string(2, 1, 65535);
247 name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
248 } else // some other unknown name type
249 {
250 reader.discard_next(name_bytes);
251 name_bytes = 0;
252 }
253 }
254}
255
256std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side whoami) const {
257 // RFC 6066
258 // [...] the server SHALL include an extension of type "server_name" in
259 // the (extended) server hello. The "extension_data" field of this
260 // extension SHALL be empty.
261 if(whoami == Connection_Side::Server) {
262 return {};
263 }
264
265 std::vector<uint8_t> buf;
266
267 size_t name_len = m_sni_host_name.size();
268
269 buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len + 3)));
270 buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len + 3)));
271 buf.push_back(0); // DNS
272
273 buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len)));
274 buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len)));
275
276 buf += std::make_pair(cast_char_ptr_to_uint8(m_sni_host_name.data()), m_sni_host_name.size());
277
278 return buf;
279}
280
281Renegotiation_Extension::Renegotiation_Extension(TLS_Data_Reader& reader, uint16_t extension_size) :
282 m_reneg_data(reader.get_range<uint8_t>(1, 0, 255)) {
283 if(m_reneg_data.size() + 1 != extension_size) {
284 throw Decoding_Error("Bad encoding for secure renegotiation extn");
285 }
286}
287
288std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const {
289 std::vector<uint8_t> buf;
290 append_tls_length_value(buf, m_reneg_data, 1);
291 return buf;
292}
293
294Application_Layer_Protocol_Notification::Application_Layer_Protocol_Notification(TLS_Data_Reader& reader,
295 uint16_t extension_size,
296 Connection_Side from) {
297 if(extension_size == 0) {
298 return; // empty extension
299 }
300
301 const uint16_t name_bytes = reader.get_uint16_t();
302
303 size_t bytes_remaining = extension_size - 2;
304
305 if(name_bytes != bytes_remaining) {
306 throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
307 }
308
309 while(bytes_remaining) {
310 const std::string p = reader.get_string(1, 0, 255);
311
312 if(bytes_remaining < p.size() + 1) {
313 throw Decoding_Error("Bad encoding of ALPN, length field too long");
314 }
315
316 if(p.empty()) {
317 throw Decoding_Error("Empty ALPN protocol not allowed");
318 }
319
320 bytes_remaining -= (p.size() + 1);
321
322 m_protocols.push_back(p);
323 }
324
325 // RFC 7301 3.1
326 // The "extension_data" field of the [...] extension is structured the
327 // same as described above for the client "extension_data", except that
328 // the "ProtocolNameList" MUST contain exactly one "ProtocolName".
329 if(from == Connection_Side::Server && m_protocols.size() != 1) {
330 throw TLS_Exception(
331 Alert::DecodeError,
332 "Server sent " + std::to_string(m_protocols.size()) + " protocols in ALPN extension response");
333 }
334}
335
336std::string Application_Layer_Protocol_Notification::single_protocol() const {
337 BOTAN_STATE_CHECK(m_protocols.size() == 1);
338 return m_protocols.front();
339}
340
341std::vector<uint8_t> Application_Layer_Protocol_Notification::serialize(Connection_Side /*whoami*/) const {
342 std::vector<uint8_t> buf(2);
343
344 for(auto&& p : m_protocols) {
345 if(p.length() >= 256) {
346 throw TLS_Exception(Alert::InternalError, "ALPN name too long");
347 }
348 if(!p.empty()) {
349 append_tls_length_value(buf, cast_char_ptr_to_uint8(p.data()), p.size(), 1);
350 }
351 }
352
353 buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size() - 2));
354 buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size() - 2));
355
356 return buf;
357}
358
359Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups) {}
360
361const std::vector<Group_Params>& Supported_Groups::groups() const {
362 return m_groups;
363}
364
365std::vector<Group_Params> Supported_Groups::ec_groups() const {
366 std::vector<Group_Params> ec;
367 for(auto g : m_groups) {
368 if(g.is_pure_ecc_group()) {
369 ec.push_back(g);
370 }
371 }
372 return ec;
373}
374
375std::vector<Group_Params> Supported_Groups::dh_groups() const {
376 std::vector<Group_Params> dh;
377 for(auto g : m_groups) {
378 if(g.is_dh_named_group()) {
379 dh.push_back(g);
380 }
381 }
382 return dh;
383}
384
385std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const {
386 std::vector<uint8_t> buf(2);
387
388 for(auto g : m_groups) {
389 const uint16_t id = g.wire_code();
390
391 if(id > 0) {
392 buf.push_back(get_byte<0>(id));
393 buf.push_back(get_byte<1>(id));
394 }
395 }
396
397 buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size() - 2));
398 buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size() - 2));
399
400 return buf;
401}
402
403Supported_Groups::Supported_Groups(TLS_Data_Reader& reader, uint16_t extension_size) {
404 const uint16_t len = reader.get_uint16_t();
405
406 if(len + 2 != extension_size) {
407 throw Decoding_Error("Inconsistent length field in supported groups list");
408 }
409
410 if(len % 2 == 1) {
411 throw Decoding_Error("Supported groups list of strange size");
412 }
413
414 const size_t elems = len / 2;
415
416 for(size_t i = 0; i != elems; ++i) {
417 const auto group = static_cast<Group_Params>(reader.get_uint16_t());
418 // Note: RFC 8446 does not explicitly enforce that groups must be unique.
419 if(!value_exists(m_groups, group)) {
420 m_groups.push_back(group);
421 }
422 }
423}
424
425std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const {
426 // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
427 if(m_prefers_compressed) {
428 return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
429 } else {
430 return std::vector<uint8_t>{1, UNCOMPRESSED};
431 }
432}
433
434Supported_Point_Formats::Supported_Point_Formats(TLS_Data_Reader& reader, uint16_t extension_size) {
435 uint8_t len = reader.get_byte();
436
437 if(len + 1 != extension_size) {
438 throw Decoding_Error("Inconsistent length field in supported point formats list");
439 }
440
441 bool includes_uncompressed = false;
442 for(size_t i = 0; i != len; ++i) {
443 uint8_t format = reader.get_byte();
444
445 if(static_cast<ECPointFormat>(format) == UNCOMPRESSED) {
446 m_prefers_compressed = false;
447 reader.discard_next(len - i - 1);
448 return;
449 } else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME) {
450 m_prefers_compressed = true;
451 std::vector<uint8_t> remaining_formats = reader.get_fixed<uint8_t>(len - i - 1);
452 includes_uncompressed =
453 std::any_of(std::begin(remaining_formats), std::end(remaining_formats), [](uint8_t remaining_format) {
454 return static_cast<ECPointFormat>(remaining_format) == UNCOMPRESSED;
455 });
456 break;
457 }
458
459 // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
460 }
461
462 // RFC 4492 5.1.:
463 // If the Supported Point Formats Extension is indeed sent, it MUST contain the value 0 (uncompressed)
464 // as one of the items in the list of point formats.
465 // Note:
466 // RFC 8422 5.1.2. explicitly requires this check,
467 // but only if the Supported Groups extension was sent.
468 if(!includes_uncompressed) {
469 throw TLS_Exception(Alert::IllegalParameter,
470 "Supported Point Formats Extension must contain the uncompressed point format");
471 }
472}
473
474namespace {
475
476std::vector<uint8_t> serialize_signature_algorithms(const std::vector<Signature_Scheme>& schemes) {
477 BOTAN_ASSERT(schemes.size() < 256, "Too many signature schemes");
478
479 std::vector<uint8_t> buf;
480
481 const uint16_t len = static_cast<uint16_t>(schemes.size() * 2);
482
483 buf.push_back(get_byte<0>(len));
484 buf.push_back(get_byte<1>(len));
485
486 for(Signature_Scheme scheme : schemes) {
487 buf.push_back(get_byte<0>(scheme.wire_code()));
488 buf.push_back(get_byte<1>(scheme.wire_code()));
489 }
490
491 return buf;
492}
493
494std::vector<Signature_Scheme> parse_signature_algorithms(TLS_Data_Reader& reader, uint16_t extension_size) {
495 uint16_t len = reader.get_uint16_t();
496
497 if(len + 2 != extension_size || len % 2 == 1 || len == 0) {
498 throw Decoding_Error("Bad encoding on signature algorithms extension");
499 }
500
501 std::vector<Signature_Scheme> schemes;
502 schemes.reserve(len / 2);
503 while(len) {
504 schemes.emplace_back(reader.get_uint16_t());
505 len -= 2;
506 }
507
508 return schemes;
509}
510
511} // namespace
512
513std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const {
514 return serialize_signature_algorithms(m_schemes);
515}
516
517Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader, uint16_t extension_size) :
518 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
519
520std::vector<uint8_t> Signature_Algorithms_Cert::serialize(Connection_Side /*whoami*/) const {
521 return serialize_signature_algorithms(m_schemes);
522}
523
524Signature_Algorithms_Cert::Signature_Algorithms_Cert(TLS_Data_Reader& reader, uint16_t extension_size) :
525 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
526
527Session_Ticket_Extension::Session_Ticket_Extension(TLS_Data_Reader& reader, uint16_t extension_size) :
528 m_ticket(Session_Ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))) {}
529
530SRTP_Protection_Profiles::SRTP_Protection_Profiles(TLS_Data_Reader& reader, uint16_t extension_size) :
531 m_pp(reader.get_range<uint16_t>(2, 0, 65535)) {
532 const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
533
534 if(m_pp.size() * 2 + mki.size() + 3 != extension_size) {
535 throw Decoding_Error("Bad encoding for SRTP protection extension");
536 }
537
538 if(!mki.empty()) {
539 throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
540 }
541}
542
543std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const {
544 std::vector<uint8_t> buf;
545
546 const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
547 buf.push_back(get_byte<0>(pp_len));
548 buf.push_back(get_byte<1>(pp_len));
549
550 for(uint16_t pp : m_pp) {
551 buf.push_back(get_byte<0>(pp));
552 buf.push_back(get_byte<1>(pp));
553 }
554
555 buf.push_back(0); // srtp_mki, always empty here
556
557 return buf;
558}
559
560Extended_Master_Secret::Extended_Master_Secret(TLS_Data_Reader& /*unused*/, uint16_t extension_size) {
561 if(extension_size != 0) {
562 throw Decoding_Error("Invalid extended_master_secret extension");
563 }
564}
565
566std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const {
567 return std::vector<uint8_t>();
568}
569
570Encrypt_then_MAC::Encrypt_then_MAC(TLS_Data_Reader& /*unused*/, uint16_t extension_size) {
571 if(extension_size != 0) {
572 throw Decoding_Error("Invalid encrypt_then_mac extension");
573 }
574}
575
576std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const {
577 return std::vector<uint8_t>();
578}
579
580std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const {
581 std::vector<uint8_t> buf;
582
583 if(whoami == Connection_Side::Server) {
584 BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
585 buf.push_back(m_versions[0].major_version());
586 buf.push_back(m_versions[0].minor_version());
587 } else {
588 BOTAN_ASSERT_NOMSG(!m_versions.empty());
589 const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
590
591 buf.push_back(len);
592
593 for(Protocol_Version version : m_versions) {
594 buf.push_back(version.major_version());
595 buf.push_back(version.minor_version());
596 }
597 }
598
599 return buf;
600}
601
602Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& policy) {
603 if(offer.is_datagram_protocol()) {
604#if defined(BOTAN_HAS_TLS_12)
605 if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12()) {
606 m_versions.push_back(Protocol_Version::DTLS_V12);
607 }
608#endif
609 } else {
610#if defined(BOTAN_HAS_TLS_13)
611 if(offer >= Protocol_Version::TLS_V13 && policy.allow_tls13()) {
612 m_versions.push_back(Protocol_Version::TLS_V13);
613 }
614#endif
615#if defined(BOTAN_HAS_TLS_12)
616 if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12()) {
617 m_versions.push_back(Protocol_Version::TLS_V12);
618 }
619#endif
620 }
621}
622
623Supported_Versions::Supported_Versions(TLS_Data_Reader& reader, uint16_t extension_size, Connection_Side from) {
624 if(from == Connection_Side::Server) {
625 if(extension_size != 2) {
626 throw Decoding_Error("Server sent invalid supported_versions extension");
627 }
628 m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
629 } else {
630 auto versions = reader.get_range<uint16_t>(1, 1, 127);
631
632 for(auto v : versions) {
633 m_versions.push_back(Protocol_Version(v));
634 }
635
636 if(extension_size != 1 + 2 * versions.size()) {
637 throw Decoding_Error("Client sent invalid supported_versions extension");
638 }
639 }
640}
641
642bool Supported_Versions::supports(Protocol_Version version) const {
643 for(auto v : m_versions) {
644 if(version == v) {
645 return true;
646 }
647 }
648 return false;
649}
650
651Record_Size_Limit::Record_Size_Limit(const uint16_t limit) : m_limit(limit) {
652 BOTAN_ASSERT(limit >= 64, "RFC 8449 does not allow record size limits smaller than 64 bytes");
653 BOTAN_ASSERT(limit <= MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */,
654 "RFC 8449 does not allow record size limits larger than 2^14+1");
655}
656
657Record_Size_Limit::Record_Size_Limit(TLS_Data_Reader& reader, uint16_t extension_size, Connection_Side from) {
658 if(extension_size != 2) {
659 throw TLS_Exception(Alert::DecodeError, "invalid record_size_limit extension");
660 }
661
662 m_limit = reader.get_uint16_t();
663
664 // RFC 8449 4.
665 // This value is the length of the plaintext of a protected record.
666 // The value includes the content type and padding added in TLS 1.3 (that
667 // is, the complete length of TLSInnerPlaintext).
668 //
669 // A server MUST NOT enforce this restriction; a client might advertise
670 // a higher limit that is enabled by an extension or version the server
671 // does not understand. A client MAY abort the handshake with an
672 // "illegal_parameter" alert.
673 //
674 // Note: We are currently supporting this extension in TLS 1.3 only, hence
675 // we check for the TLS 1.3 limit. The TLS 1.2 limit would not include
676 // the "content type byte" and hence be one byte less!
677 if(m_limit > MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */ && from == Connection_Side::Server) {
678 throw TLS_Exception(Alert::IllegalParameter,
679 "Server requested a record size limit larger than the protocol's maximum");
680 }
681
682 // RFC 8449 4.
683 // Endpoints MUST NOT send a "record_size_limit" extension with a value
684 // smaller than 64. An endpoint MUST treat receipt of a smaller value
685 // as a fatal error and generate an "illegal_parameter" alert.
686 if(m_limit < 64) {
687 throw TLS_Exception(Alert::IllegalParameter, "Received a record size limit smaller than 64 bytes");
688 }
689}
690
691std::vector<uint8_t> Record_Size_Limit::serialize(Connection_Side) const {
692 std::vector<uint8_t> buf;
693
694 buf.push_back(get_byte<0>(m_limit));
695 buf.push_back(get_byte<1>(m_limit));
696
697 return buf;
698}
699
700#if defined(BOTAN_HAS_TLS_13)
701Cookie::Cookie(const std::vector<uint8_t>& cookie) : m_cookie(cookie) {}
702
703Cookie::Cookie(TLS_Data_Reader& reader, uint16_t extension_size) {
704 if(extension_size == 0) {
705 return;
706 }
707
708 const uint16_t len = reader.get_uint16_t();
709
710 if(len == 0) {
711 // Based on RFC 8446 4.2.2, len of the Cookie buffer must be at least 1
712 throw Decoding_Error("Cookie length must be at least 1 byte");
713 }
714
715 if(len > reader.remaining_bytes()) {
716 throw Decoding_Error("Not enough bytes in the buffer to decode Cookie");
717 }
718
719 for(size_t i = 0; i < len; ++i) {
720 m_cookie.push_back(reader.get_byte());
721 }
722}
723
724std::vector<uint8_t> Cookie::serialize(Connection_Side /*whoami*/) const {
725 std::vector<uint8_t> buf;
726
727 const uint16_t len = static_cast<uint16_t>(m_cookie.size());
728
729 buf.push_back(get_byte<0>(len));
730 buf.push_back(get_byte<1>(len));
731
732 for(const auto& cookie_byte : m_cookie) {
733 buf.push_back(cookie_byte);
734 }
735
736 return buf;
737}
738
739std::vector<uint8_t> PSK_Key_Exchange_Modes::serialize(Connection_Side) const {
740 std::vector<uint8_t> buf;
741
742 BOTAN_ASSERT_NOMSG(m_modes.size() < 256);
743 buf.push_back(static_cast<uint8_t>(m_modes.size()));
744 for(const auto& mode : m_modes) {
745 buf.push_back(static_cast<uint8_t>(mode));
746 }
747
748 return buf;
749}
750
751PSK_Key_Exchange_Modes::PSK_Key_Exchange_Modes(TLS_Data_Reader& reader, uint16_t extension_size) {
752 if(extension_size < 2) {
753 throw Decoding_Error("Empty psk_key_exchange_modes extension is illegal");
754 }
755
756 const auto mode_count = reader.get_byte();
757 for(uint16_t i = 0; i < mode_count; ++i) {
758 const auto mode = static_cast<PSK_Key_Exchange_Mode>(reader.get_byte());
759 if(mode == PSK_Key_Exchange_Mode::PSK_KE || mode == PSK_Key_Exchange_Mode::PSK_DHE_KE) {
760 m_modes.push_back(mode);
761 }
762 }
763}
764
765std::vector<uint8_t> Certificate_Authorities::serialize(Connection_Side) const {
766 std::vector<uint8_t> out;
767 std::vector<uint8_t> dn_list;
768
769 for(const auto& dn : m_distinguished_names) {
770 std::vector<uint8_t> encoded_dn;
771 auto encoder = DER_Encoder(encoded_dn);
772 dn.encode_into(encoder);
773 append_tls_length_value(dn_list, encoded_dn, 2);
774 }
775
776 append_tls_length_value(out, dn_list, 2);
777
778 return out;
779}
780
781Certificate_Authorities::Certificate_Authorities(TLS_Data_Reader& reader, uint16_t extension_size) {
782 if(extension_size < 2) {
783 throw Decoding_Error("Empty certificate_authorities extension is illegal");
784 }
785
786 const uint16_t purported_size = reader.get_uint16_t();
787
788 if(reader.remaining_bytes() != purported_size) {
789 throw Decoding_Error("Inconsistent length in certificate_authorities extension");
790 }
791
792 while(reader.has_remaining()) {
793 std::vector<uint8_t> name_bits = reader.get_tls_length_value(2);
794
795 BER_Decoder decoder(name_bits.data(), name_bits.size());
796 m_distinguished_names.emplace_back();
797 decoder.decode(m_distinguished_names.back());
798 }
799}
800
801Certificate_Authorities::Certificate_Authorities(std::vector<X509_DN> acceptable_DNs) :
802 m_distinguished_names(std::move(acceptable_DNs)) {}
803
804std::vector<uint8_t> EarlyDataIndication::serialize(Connection_Side) const {
805 std::vector<uint8_t> result;
806 if(m_max_early_data_size.has_value()) {
807 const auto max_data = m_max_early_data_size.value();
808 result.push_back(get_byte<0>(max_data));
809 result.push_back(get_byte<1>(max_data));
810 result.push_back(get_byte<2>(max_data));
811 result.push_back(get_byte<3>(max_data));
812 }
813 return result;
814}
815
816EarlyDataIndication::EarlyDataIndication(TLS_Data_Reader& reader,
817 uint16_t extension_size,
818 Handshake_Type message_type) {
819 if(message_type == Handshake_Type::NewSessionTicket) {
820 if(extension_size != 4) {
821 throw TLS_Exception(Alert::DecodeError,
822 "Received an early_data extension in a NewSessionTicket message "
823 "without maximum early data size indication");
824 }
825
826 m_max_early_data_size = reader.get_uint32_t();
827 } else if(extension_size != 0) {
828 throw TLS_Exception(Alert::DecodeError,
829 "Received an early_data extension containing an unexpected data "
830 "size indication");
831 }
832}
833
834bool EarlyDataIndication::empty() const {
835 // This extension may be empty by definition but still carry information
836 return false;
837}
838
839#endif
840} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:41
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::Decoding_Error
Definition exceptn.h:191
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::TLS::Application_Layer_Protocol_Notification::Application_Layer_Protocol_Notification
Application_Layer_Protocol_Notification(std::string_view protocol)
Definition tls_extensions.h:180
Botan::TLS::Application_Layer_Protocol_Notification::single_protocol
std::string single_protocol() const
Definition tls_extensions.cpp:336
Botan::TLS::Application_Layer_Protocol_Notification::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:341
Botan::TLS::Encrypt_then_MAC::Encrypt_then_MAC
Encrypt_then_MAC()=default
Botan::TLS::Encrypt_then_MAC::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:576
Botan::TLS::Extended_Master_Secret::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:566
Botan::TLS::Extended_Master_Secret::Extended_Master_Secret
Extended_Master_Secret()=default
Botan::TLS::Extensions::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const
Definition tls_extensions.cpp:176
Botan::TLS::Extensions::deserialize
void deserialize(TLS_Data_Reader &reader, Connection_Side from, Handshake_Type message_type)
Definition tls_extensions.cpp:112
Botan::TLS::Extensions::take
decltype(auto) take()
Definition tls_extensions.h:882
Botan::TLS::Extensions::extension_types
std::set< Extension_Code > extension_types() const
Definition tls_extensions.cpp:210
Botan::TLS::Extensions::add
void add(std::unique_ptr< Extension > extn)
Definition tls_extensions.cpp:103
Botan::TLS::Extensions::contains_other_than
bool contains_other_than(const std::set< Extension_Code > &allowed_extensions, bool allow_unknown_extensions=false) const
Definition tls_extensions.cpp:140
Botan::TLS::Group_Params
Definition tls_algos.h:124
Botan::TLS::Policy::allow_tls12
virtual bool allow_tls12() const
Definition tls_policy.cpp:314
Botan::TLS::Policy::allow_tls13
virtual bool allow_tls13() const
Definition tls_policy.cpp:322
Botan::TLS::Policy::allow_dtls12
virtual bool allow_dtls12() const
Definition tls_policy.cpp:330
Botan::TLS::Protocol_Version
Definition tls_version.h:29
Botan::TLS::Protocol_Version::is_datagram_protocol
bool is_datagram_protocol() const
Definition tls_version.cpp:36
Botan::TLS::Record_Size_Limit::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:691
Botan::TLS::Record_Size_Limit::limit
uint16_t limit() const
Definition tls_extensions.h:494
Botan::TLS::Record_Size_Limit::Record_Size_Limit
Record_Size_Limit(uint16_t limit)
Definition tls_extensions.cpp:651
Botan::TLS::Renegotiation_Extension::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:288
Botan::TLS::Renegotiation_Extension::Renegotiation_Extension
Renegotiation_Extension()=default
Botan::TLS::SRTP_Protection_Profiles::SRTP_Protection_Profiles
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
Definition tls_extensions.h:364
Botan::TLS::SRTP_Protection_Profiles::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:543
Botan::TLS::Server_Name_Indicator::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:256
Botan::TLS::Server_Name_Indicator::Server_Name_Indicator
Server_Name_Indicator(std::string_view host_name)
Definition tls_extensions.h:125
Botan::TLS::Session_Ticket_Extension::Session_Ticket_Extension
Session_Ticket_Extension()=default
Botan::TLS::Signature_Algorithms_Cert::Signature_Algorithms_Cert
Signature_Algorithms_Cert(std::vector< Signature_Scheme > schemes)
Definition tls_extensions.h:341
Botan::TLS::Signature_Algorithms_Cert::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:520
Botan::TLS::Signature_Algorithms::Signature_Algorithms
Signature_Algorithms(std::vector< Signature_Scheme > schemes)
Definition tls_extensions.h:308
Botan::TLS::Signature_Algorithms::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:513
Botan::TLS::Signature_Scheme
Definition tls_signature_scheme.h:23
Botan::TLS::Supported_Groups::Supported_Groups
Supported_Groups(const std::vector< Group_Params > &groups)
Definition tls_extensions.cpp:359
Botan::TLS::Supported_Groups::ec_groups
std::vector< Group_Params > ec_groups() const
Definition tls_extensions.cpp:365
Botan::TLS::Supported_Groups::groups
const std::vector< Group_Params > & groups() const
Definition tls_extensions.cpp:361
Botan::TLS::Supported_Groups::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:385
Botan::TLS::Supported_Groups::dh_groups
std::vector< Group_Params > dh_groups() const
Definition tls_extensions.cpp:375
Botan::TLS::Supported_Point_Formats::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:425
Botan::TLS::Supported_Point_Formats::Supported_Point_Formats
Supported_Point_Formats(bool prefer_compressed)
Definition tls_extensions.h:281
Botan::TLS::Supported_Point_Formats::ECPointFormat
ECPointFormat
Definition tls_extensions.h:269
Botan::TLS::Supported_Point_Formats::UNCOMPRESSED
@ UNCOMPRESSED
Definition tls_extensions.h:270
Botan::TLS::Supported_Point_Formats::ANSIX962_COMPRESSED_PRIME
@ ANSIX962_COMPRESSED_PRIME
Definition tls_extensions.h:271
Botan::TLS::Supported_Versions::supports
bool supports(Protocol_Version version) const
Definition tls_extensions.cpp:642
Botan::TLS::Supported_Versions::Supported_Versions
Supported_Versions(Protocol_Version version, const Policy &policy)
Definition tls_extensions.cpp:602
Botan::TLS::Supported_Versions::versions
const std::vector< Protocol_Version > & versions() const
Definition tls_extensions.h:471
Botan::TLS::Supported_Versions::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:580
Botan::TLS::TLS_Data_Reader
Definition tls_reader.h:24
Botan::TLS::TLS_Data_Reader::get_string
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition tls_reader.h:118
Botan::TLS::TLS_Data_Reader::has_remaining
bool has_remaining() const
Definition tls_reader.h:39
Botan::TLS::TLS_Data_Reader::discard_next
void discard_next(size_t bytes)
Definition tls_reader.h:47
Botan::TLS::TLS_Data_Reader::get_byte
uint8_t get_byte()
Definition tls_reader.h:78
Botan::TLS::TLS_Data_Reader::get_range
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition tls_reader.h:105
Botan::TLS::TLS_Data_Reader::remaining_bytes
size_t remaining_bytes() const
Definition tls_reader.h:37
Botan::TLS::TLS_Data_Reader::get_fixed
std::vector< T > get_fixed(size_t size)
Definition tls_reader.h:125
Botan::TLS::TLS_Data_Reader::get_uint16_t
uint16_t get_uint16_t()
Definition tls_reader.h:66
Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19
Botan::TLS::Unknown_Extension::serialize
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition tls_extensions.cpp:222
Botan::TLS::Unknown_Extension::Unknown_Extension
Unknown_Extension(Extension_Code type, TLS_Data_Reader &reader, uint16_t extension_size)
Definition tls_extensions.cpp:219
Botan::TLS::append_tls_length_value
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:180
Botan::TLS::MAX_PLAINTEXT_SIZE
@ MAX_PLAINTEXT_SIZE
Definition tls_magic.h:30
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:116
Botan::cast_char_ptr_to_uint8
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:177
Generated by doxygen 1.9.8