Botan  2.11.0
Crypto and TLS for C++11
tls_extensions.cpp
Go to the documentation of this file.
1 /*
2 * TLS Extensions
3 * (C) 2011,2012,2015,2016 Jack Lloyd
4 * 2016 Juraj Somorovsky
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_extensions.h>
10 #include <botan/internal/tls_reader.h>
11 #include <botan/tls_exceptn.h>
12 #include <botan/tls_policy.h>
13 
14 namespace Botan {
15 
16 namespace TLS {
17 
18 namespace {
19 
20 Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size, Connection_Side from)
21  {
22  switch(code)
23  {
25  return new Server_Name_Indicator(reader, size);
26 
27 #if defined(BOTAN_HAS_SRP6)
29  return new SRP_Identifier(reader, size);
30 #endif
31 
33  return new Supported_Groups(reader, size);
34 
36  return new Certificate_Status_Request(reader, size, from);
37 
39  return new Supported_Point_Formats(reader, size);
40 
42  return new Renegotiation_Extension(reader, size);
43 
45  return new Signature_Algorithms(reader, size);
46 
47  case TLSEXT_USE_SRTP:
48  return new SRTP_Protection_Profiles(reader, size);
49 
50  case TLSEXT_ALPN:
51  return new Application_Layer_Protocol_Notification(reader, size);
52 
54  return new Extended_Master_Secret(reader, size);
55 
57  return new Encrypt_then_MAC(reader, size);
58 
60  return new Session_Ticket(reader, size);
61 
63  return new Supported_Versions(reader, size, from);
64  }
65 
66  return new Unknown_Extension(static_cast<Handshake_Extension_Type>(code),
67  reader, size);
68  }
69 
70 }
71 
73  {
74  if(reader.has_remaining())
75  {
76  const uint16_t all_extn_size = reader.get_uint16_t();
77 
78  if(reader.remaining_bytes() != all_extn_size)
79  throw Decoding_Error("Bad extension size");
80 
81  while(reader.has_remaining())
82  {
83  const uint16_t extension_code = reader.get_uint16_t();
84  const uint16_t extension_size = reader.get_uint16_t();
85 
86  const auto type = static_cast<Handshake_Extension_Type>(extension_code);
87 
88  if(m_extensions.find(type) != m_extensions.end())
89  throw TLS_Exception(TLS::Alert::DECODE_ERROR,
90  "Peer sent duplicated extensions");
91 
92  Extension* extn = make_extension(
93  reader, extension_code, extension_size, from);
94 
95  this->add(extn);
96  }
97  }
98  }
99 
100 std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const
101  {
102  std::vector<uint8_t> buf(2); // 2 bytes for length field
103 
104  for(auto& extn : m_extensions)
105  {
106  if(extn.second->empty())
107  continue;
108 
109  const uint16_t extn_code = static_cast<uint16_t>(extn.second->type());
110 
111  const std::vector<uint8_t> extn_val = extn.second->serialize(whoami);
112 
113  buf.push_back(get_byte(0, extn_code));
114  buf.push_back(get_byte(1, extn_code));
115 
116  buf.push_back(get_byte(0, static_cast<uint16_t>(extn_val.size())));
117  buf.push_back(get_byte(1, static_cast<uint16_t>(extn_val.size())));
118 
119  buf += extn_val;
120  }
121 
122  const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
123 
124  buf[0] = get_byte(0, extn_size);
125  buf[1] = get_byte(1, extn_size);
126 
127  // avoid sending a completely empty extensions block
128  if(buf.size() == 2)
129  return std::vector<uint8_t>();
130 
131  return buf;
132  }
133 
135  {
136  auto i = m_extensions.find(typ);
137  if(i == m_extensions.end())
138  return false;
139  m_extensions.erase(i);
140  return true;
141  }
142 
143 std::set<Handshake_Extension_Type> Extensions::extension_types() const
144  {
145  std::set<Handshake_Extension_Type> offers;
146  for(auto i = m_extensions.begin(); i != m_extensions.end(); ++i)
147  offers.insert(i->first);
148  return offers;
149  }
150 
152  TLS_Data_Reader& reader,
153  uint16_t extension_size) :
154  m_type(type),
155  m_value(reader.get_fixed<uint8_t>(extension_size))
156  {
157  }
158 
159 std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const
160  {
161  throw Invalid_State("Cannot encode an unknown TLS extension");
162  }
163 
165  uint16_t extension_size)
166  {
167  /*
168  * This is used by the server to confirm that it knew the name
169  */
170  if(extension_size == 0)
171  return;
172 
173  uint16_t name_bytes = reader.get_uint16_t();
174 
175  if(name_bytes + 2 != extension_size)
176  throw Decoding_Error("Bad encoding of SNI extension");
177 
178  while(name_bytes)
179  {
180  uint8_t name_type = reader.get_byte();
181  name_bytes--;
182 
183  if(name_type == 0) // DNS
184  {
185  m_sni_host_name = reader.get_string(2, 1, 65535);
186  name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
187  }
188  else // some other unknown name type
189  {
190  reader.discard_next(name_bytes);
191  name_bytes = 0;
192  }
193  }
194  }
195 
196 std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side /*whoami*/) const
197  {
198  std::vector<uint8_t> buf;
199 
200  size_t name_len = m_sni_host_name.size();
201 
202  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len+3)));
203  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len+3)));
204  buf.push_back(0); // DNS
205 
206  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len)));
207  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len)));
208 
209  buf += std::make_pair(
210  cast_char_ptr_to_uint8(m_sni_host_name.data()),
211  m_sni_host_name.size());
212 
213  return buf;
214  }
215 
216 #if defined(BOTAN_HAS_SRP6)
217 
218 SRP_Identifier::SRP_Identifier(TLS_Data_Reader& reader,
219  uint16_t extension_size) : m_srp_identifier(reader.get_string(1, 1, 255))
220  {
221  if(m_srp_identifier.size() + 1 != extension_size)
222  throw Decoding_Error("Bad encoding for SRP identifier extension");
223  }
224 
225 std::vector<uint8_t> SRP_Identifier::serialize(Connection_Side /*whoami*/) const
226  {
227  std::vector<uint8_t> buf;
228 
229  const uint8_t* srp_bytes = cast_char_ptr_to_uint8(m_srp_identifier.data());
230  append_tls_length_value(buf, srp_bytes, m_srp_identifier.size(), 1);
231 
232  return buf;
233  }
234 
235 #endif
236 
238  uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255))
239  {
240  if(m_reneg_data.size() + 1 != extension_size)
241  throw Decoding_Error("Bad encoding for secure renegotiation extn");
242  }
243 
244 std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const
245  {
246  std::vector<uint8_t> buf;
247  append_tls_length_value(buf, m_reneg_data, 1);
248  return buf;
249  }
250 
252  uint16_t extension_size)
253  {
254  if(extension_size == 0)
255  return; // empty extension
256 
257  const uint16_t name_bytes = reader.get_uint16_t();
258 
259  size_t bytes_remaining = extension_size - 2;
260 
261  if(name_bytes != bytes_remaining)
262  throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
263 
264  while(bytes_remaining)
265  {
266  const std::string p = reader.get_string(1, 0, 255);
267 
268  if(bytes_remaining < p.size() + 1)
269  throw Decoding_Error("Bad encoding of ALPN, length field too long");
270 
271  if(p.empty())
272  throw Decoding_Error("Empty ALPN protocol not allowed");
273 
274  bytes_remaining -= (p.size() + 1);
275 
276  m_protocols.push_back(p);
277  }
278  }
279 
281  {
282  if(m_protocols.size() != 1)
283  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
284  "Server sent " + std::to_string(m_protocols.size()) +
285  " protocols in ALPN extension response");
286  return m_protocols[0];
287  }
288 
290  {
291  std::vector<uint8_t> buf(2);
292 
293  for(auto&& p: m_protocols)
294  {
295  if(p.length() >= 256)
296  throw TLS_Exception(Alert::INTERNAL_ERROR, "ALPN name too long");
297  if(p != "")
299  cast_char_ptr_to_uint8(p.data()),
300  p.size(),
301  1);
302  }
303 
304  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
305  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
306 
307  return buf;
308  }
309 
310 Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups)
311  {
312  }
313 
314 std::vector<Group_Params> Supported_Groups::ec_groups() const
315  {
316  std::vector<Group_Params> ec;
317  for(auto g : m_groups)
318  {
319  if(group_param_is_dh(g) == false)
320  ec.push_back(g);
321  }
322  return ec;
323  }
324 
325 std::vector<Group_Params> Supported_Groups::dh_groups() const
326  {
327  std::vector<Group_Params> dh;
328  for(auto g : m_groups)
329  {
330  if(group_param_is_dh(g) == true)
331  dh.push_back(g);
332  }
333  return dh;
334  }
335 
336 std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const
337  {
338  std::vector<uint8_t> buf(2);
339 
340  for(auto g : m_groups)
341  {
342  const uint16_t id = static_cast<uint16_t>(g);
343 
344  if(id > 0)
345  {
346  buf.push_back(get_byte(0, id));
347  buf.push_back(get_byte(1, id));
348  }
349  }
350 
351  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
352  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
353 
354  return buf;
355  }
356 
358  uint16_t extension_size)
359  {
360  const uint16_t len = reader.get_uint16_t();
361 
362  if(len + 2 != extension_size)
363  throw Decoding_Error("Inconsistent length field in supported groups list");
364 
365  if(len % 2 == 1)
366  throw Decoding_Error("Supported groups list of strange size");
367 
368  for(size_t i = 0; i != len / 2; ++i)
369  {
370  const uint16_t id = reader.get_uint16_t();
371  m_groups.push_back(static_cast<Group_Params>(id));
372  }
373  }
374 
375 std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const
376  {
377  // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
378  if(m_prefers_compressed)
379  {
380  return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
381  }
382  else
383  {
384  return std::vector<uint8_t>{1, UNCOMPRESSED};
385  }
386  }
387 
389  uint16_t extension_size)
390  {
391  uint8_t len = reader.get_byte();
392 
393  if(len + 1 != extension_size)
394  throw Decoding_Error("Inconsistent length field in supported point formats list");
395 
396  for(size_t i = 0; i != len; ++i)
397  {
398  uint8_t format = reader.get_byte();
399 
400  if(static_cast<ECPointFormat>(format) == UNCOMPRESSED)
401  {
402  m_prefers_compressed = false;
403  reader.discard_next(len-i-1);
404  return;
405  }
406  else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME)
407  {
408  m_prefers_compressed = true;
409  reader.discard_next(len-i-1);
410  return;
411  }
412 
413  // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
414  }
415  }
416 
417 std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const
418  {
419  BOTAN_ASSERT(m_schemes.size() < 256, "Too many signature schemes");
420 
421  std::vector<uint8_t> buf;
422 
423  const uint16_t len = static_cast<uint16_t>(m_schemes.size() * 2);
424 
425  buf.push_back(get_byte(0, len));
426  buf.push_back(get_byte(1, len));
427 
428  for(Signature_Scheme scheme : m_schemes)
429  {
430  const uint16_t scheme_code = static_cast<uint16_t>(scheme);
431 
432  buf.push_back(get_byte(0, scheme_code));
433  buf.push_back(get_byte(1, scheme_code));
434  }
435 
436  return buf;
437  }
438 
440  uint16_t extension_size)
441  {
442  uint16_t len = reader.get_uint16_t();
443 
444  if(len + 2 != extension_size || len % 2 == 1 || len == 0)
445  {
446  throw Decoding_Error("Bad encoding on signature algorithms extension");
447  }
448 
449  while(len)
450  {
451  const uint16_t scheme_code = reader.get_uint16_t();
452  m_schemes.push_back(static_cast<Signature_Scheme>(scheme_code));
453  len -= 2;
454  }
455  }
456 
458  uint16_t extension_size) : m_ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))
459  {}
460 
462  uint16_t extension_size) : m_pp(reader.get_range<uint16_t>(2, 0, 65535))
463  {
464  const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
465 
466  if(m_pp.size() * 2 + mki.size() + 3 != extension_size)
467  throw Decoding_Error("Bad encoding for SRTP protection extension");
468 
469  if(!mki.empty())
470  throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
471  }
472 
473 std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const
474  {
475  std::vector<uint8_t> buf;
476 
477  const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
478  buf.push_back(get_byte(0, pp_len));
479  buf.push_back(get_byte(1, pp_len));
480 
481  for(uint16_t pp : m_pp)
482  {
483  buf.push_back(get_byte(0, pp));
484  buf.push_back(get_byte(1, pp));
485  }
486 
487  buf.push_back(0); // srtp_mki, always empty here
488 
489  return buf;
490  }
491 
493  uint16_t extension_size)
494  {
495  if(extension_size != 0)
496  throw Decoding_Error("Invalid extended_master_secret extension");
497  }
498 
499 std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const
500  {
501  return std::vector<uint8_t>();
502  }
503 
505  uint16_t extension_size)
506  {
507  if(extension_size != 0)
508  throw Decoding_Error("Invalid encrypt_then_mac extension");
509  }
510 
511 std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const
512  {
513  return std::vector<uint8_t>();
514  }
515 
516 std::vector<uint8_t> Certificate_Status_Request::serialize(Connection_Side whoami) const
517  {
518  std::vector<uint8_t> buf;
519 
520  if(whoami == Connection_Side::SERVER)
521  return buf; // server reply is empty
522 
523  /*
524  opaque ResponderID<1..2^16-1>;
525  opaque Extensions<0..2^16-1>;
526 
527  CertificateStatusType status_type = ocsp(1)
528  ResponderID responder_id_list<0..2^16-1>
529  Extensions request_extensions;
530  */
531 
532  buf.push_back(1); // CertificateStatusType ocsp
533 
534  buf.push_back(0);
535  buf.push_back(0);
536  buf.push_back(0);
537  buf.push_back(0);
538 
539  return buf;
540  }
541 
543  uint16_t extension_size,
544  Connection_Side from)
545  {
546  if(from == Connection_Side::SERVER)
547  {
548  if(extension_size != 0)
549  throw Decoding_Error("Server sent non-empty Certificate_Status_Request extension");
550  }
551  else if(extension_size > 0)
552  {
553  const uint8_t type = reader.get_byte();
554  if(type == 1)
555  {
556  const size_t len_resp_id_list = reader.get_uint16_t();
557  m_ocsp_names = reader.get_fixed<uint8_t>(len_resp_id_list);
558  const size_t len_requ_ext = reader.get_uint16_t();
559  m_extension_bytes = reader.get_fixed<uint8_t>(len_requ_ext);
560  }
561  else
562  {
563  reader.discard_next(extension_size - 1);
564  }
565  }
566  }
567 
568 Certificate_Status_Request::Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids,
569  const std::vector<std::vector<uint8_t>>& ocsp_key_ids) :
570  m_ocsp_names(ocsp_responder_ids),
571  m_ocsp_keys(ocsp_key_ids)
572  {
573  }
574 
575 std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const
576  {
577  std::vector<uint8_t> buf;
578 
579  if(whoami == Connection_Side::SERVER)
580  {
581  BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
582  buf.push_back(m_versions[0].major_version());
583  buf.push_back(m_versions[0].minor_version());
584  }
585  else
586  {
587  BOTAN_ASSERT_NOMSG(m_versions.size() >= 1);
588  const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
589 
590  buf.push_back(len);
591 
592  for(Protocol_Version version : m_versions)
593  {
594  buf.push_back(get_byte(0, version.major_version()));
595  buf.push_back(get_byte(1, version.minor_version()));
596  }
597  }
598 
599  return buf;
600  }
601 
602 Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& policy)
603  {
604  if(offer.is_datagram_protocol())
605  {
606  if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12())
607  m_versions.push_back(Protocol_Version::DTLS_V12);
608  if(offer >= Protocol_Version::DTLS_V10 && policy.allow_dtls10())
609  m_versions.push_back(Protocol_Version::DTLS_V10);
610  }
611  else
612  {
613  if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12())
614  m_versions.push_back(Protocol_Version::TLS_V12);
615  if(offer >= Protocol_Version::TLS_V11 && policy.allow_tls11())
616  m_versions.push_back(Protocol_Version::TLS_V11);
617  if(offer >= Protocol_Version::TLS_V10 && policy.allow_tls10())
618  m_versions.push_back(Protocol_Version::TLS_V10);
619  }
620  }
621 
623  uint16_t extension_size,
624  Connection_Side from)
625  {
626  if(from == Connection_Side::SERVER)
627  {
628  if(extension_size != 2)
629  throw Decoding_Error("Server sent invalid supported_versions extension");
630  m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
631  }
632  else
633  {
634  auto versions = reader.get_range<uint16_t>(1, 1, 127);
635 
636  for(auto v : versions)
637  m_versions.push_back(Protocol_Version(v));
638 
639  if(extension_size != 1+2*versions.size())
640  throw Decoding_Error("Client sent invalid supported_versions extension");
641  }
642  }
643 
644 bool Supported_Versions::supports(Protocol_Version version) const
645  {
646  for(auto v : m_versions)
647  if(version == v)
648  return true;
649  return false;
650  }
651 
652 }
653 
654 }
std::vector< T > get_fixed(size_t size)
Definition: tls_reader.h:126
std::string size_t len
Definition: pk_keys.h:305
void add(Extension *extn)
Handshake_Extension_Type type() const override
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Name_Indicator(const std::string &host_name)
std::vector< uint8_t > serialize(Connection_Side whoami) const
const uint8_t * buf
Definition: ffi.h:371
BigInt const BigInt & p
Definition: numthry.h:150
Signature_Scheme
Definition: tls_algos.h:84
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:39
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:159
Definition: bigint.h:1136
std::vector< uint8_t > serialize(Connection_Side whoami) const override
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
MechanismType type
Signature_Algorithms(const std::vector< Signature_Scheme > &schemes)
void deserialize(TLS_Data_Reader &reader, Connection_Side from)
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition: tls_reader.h:115
Unknown_Extension(Handshake_Extension_Type type, TLS_Data_Reader &reader, uint16_t extension_size)
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition: tls_reader.h:94
Application_Layer_Protocol_Notification(const std::string &protocol)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition: alg_id.cpp:13
std::vector< Group_Params > ec_groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Versions(Protocol_Version version, const Policy &policy)
std::set< Handshake_Extension_Type > extension_types() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
bool supports(Protocol_Version version) const
const std::vector< Protocol_Version > versions() const
void discard_next(size_t bytes)
Definition: tls_reader.h:47
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
char size_t * name_len
Definition: ffi.h:330
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::pair< BigInt, SymmetricKey > BOTAN_PUBLIC_API(2, 0) srp6_client_agree(const std std::pair< BigInt, SymmetricKey > BOTAN_PUBLIC_API(2, 11) srp6_client_agree(const std BigInt BOTAN_PUBLIC_API(2, 0) generate_srp6_verifier(const std BigInt BOTAN_PUBLIC_API(2, 11) generate_srp6_verifier(const std std::string const BigInt & g
Definition: srp6.h:102
std::vector< Group_Params > dh_groups() const
size_t remaining_bytes() const
Definition: tls_reader.h:38
Supported_Groups(const std::vector< Group_Params > &groups)
Supported_Point_Formats(bool prefer_compressed)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
bool has_remaining() const
Definition: tls_reader.h:40
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:185
bool remove_extension(Handshake_Extension_Type typ)