Botan  2.4.0
Crypto and TLS for C++11
tls_extensions.cpp
Go to the documentation of this file.
1 /*
2 * TLS Extensions
3 * (C) 2011,2012,2015,2016 Jack Lloyd
4 * 2016 Juraj Somorovsky
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_extensions.h>
10 #include <botan/internal/tls_reader.h>
11 #include <botan/tls_exceptn.h>
12 
13 namespace Botan {
14 
15 namespace TLS {
16 
17 namespace {
18 
19 Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size)
20  {
21  switch(code)
22  {
24  return new Server_Name_Indicator(reader, size);
25 
26 #if defined(BOTAN_HAS_SRP6)
28  return new SRP_Identifier(reader, size);
29 #endif
30 
32  return new Supported_Elliptic_Curves(reader, size);
33 
35  return new Certificate_Status_Request(reader, size);
36 
38  return new Supported_Point_Formats(reader, size);
39 
41  return new Renegotiation_Extension(reader, size);
42 
44  return new Signature_Algorithms(reader, size);
45 
46  case TLSEXT_USE_SRTP:
47  return new SRTP_Protection_Profiles(reader, size);
48 
49  case TLSEXT_ALPN:
50  return new Application_Layer_Protocol_Notification(reader, size);
51 
53  return new Extended_Master_Secret(reader, size);
54 
56  return new Encrypt_then_MAC(reader, size);
57 
59  return new Session_Ticket(reader, size);
60  }
61 
62  return nullptr; // not known
63  }
64 
65 }
66 
68  {
69  if(reader.has_remaining())
70  {
71  const uint16_t all_extn_size = reader.get_uint16_t();
72 
73  if(reader.remaining_bytes() != all_extn_size)
74  throw Decoding_Error("Bad extension size");
75 
76  while(reader.has_remaining())
77  {
78  const uint16_t extension_code = reader.get_uint16_t();
79  const uint16_t extension_size = reader.get_uint16_t();
80 
81  Extension* extn = make_extension(reader,
82  extension_code,
83  extension_size);
84 
85  if(extn)
86  this->add(extn);
87  else // unknown/unhandled extension
88  reader.discard_next(extension_size);
89  }
90  }
91  }
92 
93 std::vector<uint8_t> Extensions::serialize() const
94  {
95  std::vector<uint8_t> buf(2); // 2 bytes for length field
96 
97  for(auto& extn : m_extensions)
98  {
99  if(extn.second->empty())
100  continue;
101 
102  const uint16_t extn_code = extn.second->type();
103 
104  std::vector<uint8_t> extn_val = extn.second->serialize();
105 
106  buf.push_back(get_byte(0, extn_code));
107  buf.push_back(get_byte(1, extn_code));
108 
109  buf.push_back(get_byte(0, static_cast<uint16_t>(extn_val.size())));
110  buf.push_back(get_byte(1, static_cast<uint16_t>(extn_val.size())));
111 
112  buf += extn_val;
113  }
114 
115  const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
116 
117  buf[0] = get_byte(0, extn_size);
118  buf[1] = get_byte(1, extn_size);
119 
120  // avoid sending a completely empty extensions block
121  if(buf.size() == 2)
122  return std::vector<uint8_t>();
123 
124  return buf;
125  }
126 
127 std::set<Handshake_Extension_Type> Extensions::extension_types() const
128  {
129  std::set<Handshake_Extension_Type> offers;
130  for(auto i = m_extensions.begin(); i != m_extensions.end(); ++i)
131  offers.insert(i->first);
132  return offers;
133  }
134 
136  uint16_t extension_size)
137  {
138  /*
139  * This is used by the server to confirm that it knew the name
140  */
141  if(extension_size == 0)
142  return;
143 
144  uint16_t name_bytes = reader.get_uint16_t();
145 
146  if(name_bytes + 2 != extension_size)
147  throw Decoding_Error("Bad encoding of SNI extension");
148 
149  while(name_bytes)
150  {
151  uint8_t name_type = reader.get_byte();
152  name_bytes--;
153 
154  if(name_type == 0) // DNS
155  {
156  m_sni_host_name = reader.get_string(2, 1, 65535);
157  name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
158  }
159  else // some other unknown name type
160  {
161  reader.discard_next(name_bytes);
162  name_bytes = 0;
163  }
164  }
165  }
166 
167 std::vector<uint8_t> Server_Name_Indicator::serialize() const
168  {
169  std::vector<uint8_t> buf;
170 
171  size_t name_len = m_sni_host_name.size();
172 
173  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len+3)));
174  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len+3)));
175  buf.push_back(0); // DNS
176 
177  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len)));
178  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len)));
179 
180  buf += std::make_pair(
181  cast_char_ptr_to_uint8(m_sni_host_name.data()),
182  m_sni_host_name.size());
183 
184  return buf;
185  }
186 
187 #if defined(BOTAN_HAS_SRP6)
188 
189 SRP_Identifier::SRP_Identifier(TLS_Data_Reader& reader,
190  uint16_t extension_size) : m_srp_identifier(reader.get_string(1, 1, 255))
191  {
192  if(m_srp_identifier.size() + 1 != extension_size)
193  throw Decoding_Error("Bad encoding for SRP identifier extension");
194  }
195 
196 std::vector<uint8_t> SRP_Identifier::serialize() const
197  {
198  std::vector<uint8_t> buf;
199 
200  const uint8_t* srp_bytes = cast_char_ptr_to_uint8(m_srp_identifier.data());
201  append_tls_length_value(buf, srp_bytes, m_srp_identifier.size(), 1);
202 
203  return buf;
204  }
205 
206 #endif
207 
209  uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255))
210  {
211  if(m_reneg_data.size() + 1 != extension_size)
212  throw Decoding_Error("Bad encoding for secure renegotiation extn");
213  }
214 
215 std::vector<uint8_t> Renegotiation_Extension::serialize() const
216  {
217  std::vector<uint8_t> buf;
218  append_tls_length_value(buf, m_reneg_data, 1);
219  return buf;
220  }
221 
223  uint16_t extension_size)
224  {
225  if(extension_size == 0)
226  return; // empty extension
227 
228  const uint16_t name_bytes = reader.get_uint16_t();
229 
230  size_t bytes_remaining = extension_size - 2;
231 
232  if(name_bytes != bytes_remaining)
233  throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
234 
235  while(bytes_remaining)
236  {
237  const std::string p = reader.get_string(1, 0, 255);
238 
239  if(bytes_remaining < p.size() + 1)
240  throw Decoding_Error("Bad encoding of ALPN, length field too long");
241 
242  bytes_remaining -= (p.size() + 1);
243 
244  m_protocols.push_back(p);
245  }
246  }
247 
249  {
250  if(m_protocols.size() != 1)
252  "Server sent " + std::to_string(m_protocols.size()) +
253  " protocols in ALPN extension response");
254  return m_protocols[0];
255  }
256 
258  {
259  std::vector<uint8_t> buf(2);
260 
261  for(auto&& p: m_protocols)
262  {
263  if(p.length() >= 256)
264  throw TLS_Exception(Alert::INTERNAL_ERROR, "ALPN name too long");
265  if(p != "")
267  cast_char_ptr_to_uint8(p.data()),
268  p.size(),
269  1);
270  }
271 
272  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
273  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
274 
275  return buf;
276  }
277 
278 Supported_Groups::Supported_Groups(const std::vector<std::string>& groups) :
279  m_groups(groups)
280  {
281  for(const auto& group : m_groups)
282  {
283  if(is_dh_group(group))
284  {
285  m_dh_groups.push_back(group);
286  }
287  else
288  {
289  m_curves.push_back(group);
290  }
291  }
292  }
293 
294 std::string Supported_Groups::curve_id_to_name(uint16_t id)
295  {
296  switch(id)
297  {
298  case 23:
299  return "secp256r1";
300  case 24:
301  return "secp384r1";
302  case 25:
303  return "secp521r1";
304  case 26:
305  return "brainpool256r1";
306  case 27:
307  return "brainpool384r1";
308  case 28:
309  return "brainpool512r1";
310 
311 #if defined(BOTAN_HAS_CURVE_25519)
312  case 29:
313  return "x25519";
314 #endif
315 
316 #if defined(BOTAN_HOUSE_ECC_CURVE_NAME)
317  case BOTAN_HOUSE_ECC_CURVE_TLS_ID:
318  return BOTAN_HOUSE_ECC_CURVE_NAME;
319 #endif
320 
321  case 256:
322  return "ffdhe/ietf/2048";
323  case 257:
324  return "ffdhe/ietf/3072";
325  case 258:
326  return "ffdhe/ietf/4096";
327  case 259:
328  return "ffdhe/ietf/6144";
329  case 260:
330  return "ffdhe/ietf/8192";
331 
332  default:
333  return ""; // something we don't know or support
334  }
335  }
336 
337 uint16_t Supported_Groups::name_to_curve_id(const std::string& name)
338  {
339  if(name == "secp256r1")
340  return 23;
341  if(name == "secp384r1")
342  return 24;
343  if(name == "secp521r1")
344  return 25;
345  if(name == "brainpool256r1")
346  return 26;
347  if(name == "brainpool384r1")
348  return 27;
349  if(name == "brainpool512r1")
350  return 28;
351 
352 #if defined(BOTAN_HAS_CURVE_25519)
353  if(name == "x25519")
354  return 29;
355 #endif
356 
357 #if defined(BOTAN_HOUSE_ECC_CURVE_NAME)
358  if(name == BOTAN_HOUSE_ECC_CURVE_NAME)
359  return BOTAN_HOUSE_ECC_CURVE_TLS_ID;
360 #endif
361 
362  if(name == "ffdhe/ietf/2048")
363  return 256;
364  if(name == "ffdhe/ietf/3072")
365  return 257;
366  if(name == "ffdhe/ietf/4096")
367  return 258;
368  if(name == "ffdhe/ietf/6144")
369  return 259;
370  if(name == "ffdhe/ietf/8192")
371  return 260;
372 
373  // Unknown/unavailable DH groups/EC curves are ignored
374  return 0;
375  }
376 
377 bool Supported_Groups::is_dh_group( const std::string& group_name )
378  {
379  if(group_name == "ffdhe/ietf/2048" || group_name == "ffdhe/ietf/3072"
380  || group_name == "ffdhe/ietf/4096" || group_name == "ffdhe/ietf/6144"
381  || group_name == "ffdhe/ietf/8192")
382  {
383  return true;
384  }
385  return false;
386  }
387 
388 std::vector<uint8_t> Supported_Groups::serialize() const
389  {
390  std::vector<uint8_t> buf(2);
391 
392  for(size_t i = 0; i != m_groups.size(); ++i)
393  {
394  const uint16_t id = name_to_curve_id(m_groups[i]);
395 
396  if(id > 0)
397  {
398  buf.push_back(get_byte(0, id));
399  buf.push_back(get_byte(1, id));
400  }
401  }
402 
403  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
404  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
405 
406  return buf;
407  }
408 
410  uint16_t extension_size)
411  {
412  uint16_t len = reader.get_uint16_t();
413 
414  if(len + 2 != extension_size)
415  throw Decoding_Error("Inconsistent length field in supported groups list");
416 
417  if(len % 2 == 1)
418  throw Decoding_Error("Supported groups list of strange size");
419 
420  len /= 2;
421 
422  for(size_t i = 0; i != len; ++i)
423  {
424  const uint16_t id = reader.get_uint16_t();
425  const std::string name = curve_id_to_name(id);
426 
427  if(!name.empty())
428  {
429  m_groups.push_back(name);
430  if(is_dh_group(name))
431  {
432  m_dh_groups.push_back(name);
433  }
434  else
435  {
436  m_curves.push_back(name);
437  }
438  }
439  }
440  }
441 
442 std::vector<uint8_t> Supported_Point_Formats::serialize() const
443  {
444  // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
445  if(m_prefers_compressed)
446  {
447  return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
448  }
449  else
450  {
451  return std::vector<uint8_t>{1, UNCOMPRESSED};
452  }
453  }
454 
456  uint16_t extension_size)
457  {
458  uint8_t len = reader.get_byte();
459 
460  if(len + 1 != extension_size)
461  throw Decoding_Error("Inconsistent length field in supported point formats list");
462 
463  for(size_t i = 0; i != len; ++i)
464  {
465  uint8_t format = reader.get_byte();
466 
467  if(static_cast<ECPointFormat>(format) == UNCOMPRESSED)
468  {
469  m_prefers_compressed = false;
470  reader.discard_next(len-i-1);
471  return;
472  }
473  else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME)
474  {
475  m_prefers_compressed = true;
476  reader.discard_next(len-i-1);
477  return;
478  }
479 
480  // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
481  }
482  }
483 
484 std::string Signature_Algorithms::hash_algo_name(uint8_t code)
485  {
486  switch(code)
487  {
488  // code 1 is MD5 - ignore it
489 
490  case 2:
491  return "SHA-1";
492 
493  // code 3 is SHA-224
494 
495  case 4:
496  return "SHA-256";
497  case 5:
498  return "SHA-384";
499  case 6:
500  return "SHA-512";
501  default:
502  return "";
503  }
504  }
505 
506 uint8_t Signature_Algorithms::hash_algo_code(const std::string& name)
507  {
508  if(name == "SHA-1")
509  return 2;
510 
511  if(name == "SHA-256")
512  return 4;
513 
514  if(name == "SHA-384")
515  return 5;
516 
517  if(name == "SHA-512")
518  return 6;
519 
520  throw Internal_Error("Unknown hash ID " + name + " for signature_algorithms");
521  }
522 
523 std::string Signature_Algorithms::sig_algo_name(uint8_t code)
524  {
525  switch(code)
526  {
527  case 1:
528  return "RSA";
529  case 2:
530  return "DSA";
531  case 3:
532  return "ECDSA";
533  default:
534  return "";
535  }
536  }
537 
538 uint8_t Signature_Algorithms::sig_algo_code(const std::string& name)
539  {
540  if(name == "RSA")
541  return 1;
542 
543  if(name == "DSA")
544  return 2;
545 
546  if(name == "ECDSA")
547  return 3;
548 
549  throw Internal_Error("Unknown sig ID " + name + " for signature_algorithms");
550  }
551 
552 std::vector<uint8_t> Signature_Algorithms::serialize() const
553  {
554  std::vector<uint8_t> buf(2);
555 
556  for(size_t i = 0; i != m_supported_algos.size(); ++i)
557  {
558  try
559  {
560  const uint8_t hash_code = hash_algo_code(m_supported_algos[i].first);
561  const uint8_t sig_code = sig_algo_code(m_supported_algos[i].second);
562 
563  buf.push_back(hash_code);
564  buf.push_back(sig_code);
565  }
566  catch(...)
567  {}
568  }
569 
570  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
571  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
572 
573  return buf;
574  }
575 
576 Signature_Algorithms::Signature_Algorithms(const std::vector<std::string>& hashes,
577  const std::vector<std::string>& sigs)
578  {
579  for(size_t i = 0; i != hashes.size(); ++i)
580  for(size_t j = 0; j != sigs.size(); ++j)
581  m_supported_algos.push_back(std::make_pair(hashes[i], sigs[j]));
582  }
583 
585  uint16_t extension_size)
586  {
587  uint16_t len = reader.get_uint16_t();
588 
589  if(len + 2 != extension_size || len % 2 == 1 || len == 0)
590  throw Decoding_Error("Bad encoding on signature algorithms extension");
591 
592  while(len)
593  {
594  const uint8_t hash_code = reader.get_byte();
595  const uint8_t sig_code = reader.get_byte();
596  len -= 2;
597 
598  if(sig_code == 0)
599  {
600  /*
601  RFC 5247 7.4.1.4.1 explicitly prohibits anonymous (0) signature code in
602  the client hello. ("It MUST NOT appear in this extension.")
603  */
604  throw TLS_Exception(Alert::DECODE_ERROR, "Client sent ANON signature");
605  }
606 
607  const std::string hash_name = hash_algo_name(hash_code);
608  const std::string sig_name = sig_algo_name(sig_code);
609 
610  // If not something we know, ignore it completely
611  if(hash_name.empty() || sig_name.empty())
612  continue;
613 
614  m_supported_algos.push_back(std::make_pair(hash_name, sig_name));
615  }
616  }
617 
619  uint16_t extension_size) : m_ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))
620  {}
621 
623  uint16_t extension_size) : m_pp(reader.get_range<uint16_t>(2, 0, 65535))
624  {
625  const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
626 
627  if(m_pp.size() * 2 + mki.size() + 3 != extension_size)
628  throw Decoding_Error("Bad encoding for SRTP protection extension");
629 
630  if(!mki.empty())
631  throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
632  }
633 
634 std::vector<uint8_t> SRTP_Protection_Profiles::serialize() const
635  {
636  std::vector<uint8_t> buf;
637 
638  const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
639  buf.push_back(get_byte(0, pp_len));
640  buf.push_back(get_byte(1, pp_len));
641 
642  for(uint16_t pp : m_pp)
643  {
644  buf.push_back(get_byte(0, pp));
645  buf.push_back(get_byte(1, pp));
646  }
647 
648  buf.push_back(0); // srtp_mki, always empty here
649 
650  return buf;
651  }
652 
654  uint16_t extension_size)
655  {
656  if(extension_size != 0)
657  throw Decoding_Error("Invalid extended_master_secret extension");
658  }
659 
660 std::vector<uint8_t> Extended_Master_Secret::serialize() const
661  {
662  return std::vector<uint8_t>();
663  }
664 
666  uint16_t extension_size)
667  {
668  if(extension_size != 0)
669  throw Decoding_Error("Invalid encrypt_then_mac extension");
670  }
671 
672 std::vector<uint8_t> Encrypt_then_MAC::serialize() const
673  {
674  return std::vector<uint8_t>();
675  }
676 
677 std::vector<uint8_t> Certificate_Status_Request::serialize() const
678  {
679  std::vector<uint8_t> buf;
680 
681  if(m_server_side)
682  return buf; // server reply is empty
683 
684  /*
685  opaque ResponderID<1..2^16-1>;
686  opaque Extensions<0..2^16-1>;
687 
688  CertificateStatusType status_type = ocsp(1)
689  ResponderID responder_id_list<0..2^16-1>
690  Extensions request_extensions;
691  */
692 
693  buf.push_back(1); // CertificateStatusType ocsp
694 
695  buf.push_back(0);
696  buf.push_back(0);
697  buf.push_back(0);
698  buf.push_back(0);
699 
700  return buf;
701  }
702 
704  uint16_t extension_size) :
705  m_server_side(false)
706  {
707  if(extension_size > 0)
708  {
709  const uint8_t type = reader.get_byte();
710  if(type == 1)
711  {
712  reader.discard_next(extension_size - 1); // fixme
713  }
714  else
715  {
716  reader.discard_next(extension_size - 1);
717  }
718  }
719  }
720 
721 Certificate_Status_Request::Certificate_Status_Request(const std::vector<X509_DN>& ocsp_responder_ids,
722  const std::vector<std::vector<uint8_t>>& ocsp_key_ids) :
723  m_ocsp_names(ocsp_responder_ids),
724  m_ocsp_keys(ocsp_key_ids),
725  m_server_side(false)
726  {
727 
728  }
729 
731  {
732 
733  }
734 
735 }
736 
737 }
std::vector< uint8_t > serialize() const
std::vector< uint8_t > serialize() const override
std::vector< uint8_t > serialize() const override
static uint8_t sig_algo_code(const std::string &name)
Supported_Groups(const std::vector< std::string > &groups)
Handshake_Extension_Type type() const override
Server_Name_Indicator(const std::string &host_name)
static std::string curve_id_to_name(uint16_t id)
void add(Extension *extn)
std::vector< uint8_t > serialize() const override
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:120
Definition: bigint.h:635
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:108
Supported_Groups Supported_Elliptic_Curves
std::vector< uint8_t > serialize() const override
static uint8_t hash_algo_code(const std::string &name)
std::vector< uint8_t > serialize() const override
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition: tls_reader.h:115
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition: tls_reader.h:94
std::vector< uint8_t > serialize() const override
Application_Layer_Protocol_Notification(const std::string &protocol)
std::vector< uint8_t > serialize() const override
Definition: alg_id.cpp:13
Signature_Algorithms(const std::vector< std::string > &hashes, const std::vector< std::string > &sig_algos)
static std::string sig_algo_name(uint8_t code)
std::vector< uint8_t > serialize() const override
std::set< Handshake_Extension_Type > extension_types() const
std::vector< uint8_t > serialize() const override
void discard_next(size_t bytes)
Definition: tls_reader.h:47
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:39
void deserialize(TLS_Data_Reader &reader)
size_t remaining_bytes() const
Definition: tls_reader.h:38
std::vector< uint8_t > serialize() const override
Supported_Point_Formats(bool prefer_compressed)
static uint16_t name_to_curve_id(const std::string &name)
static bool is_dh_group(const std::string &group_name)
static std::string hash_algo_name(uint8_t code)
bool has_remaining() const
Definition: tls_reader.h:40
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:185