Botan  2.15.0
Crypto and TLS for C++11
tls_extensions.cpp
Go to the documentation of this file.
1 /*
2 * TLS Extensions
3 * (C) 2011,2012,2015,2016 Jack Lloyd
4 * 2016 Juraj Somorovsky
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_extensions.h>
10 #include <botan/internal/tls_reader.h>
11 #include <botan/tls_exceptn.h>
12 #include <botan/tls_policy.h>
13 
14 namespace Botan {
15 
16 namespace TLS {
17 
18 namespace {
19 
20 Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size, Connection_Side from)
21  {
22  switch(code)
23  {
25  return new Server_Name_Indicator(reader, size);
26 
27 #if defined(BOTAN_HAS_SRP6)
29  return new SRP_Identifier(reader, size);
30 #endif
31 
33  return new Supported_Groups(reader, size);
34 
36  return new Certificate_Status_Request(reader, size, from);
37 
39  return new Supported_Point_Formats(reader, size);
40 
42  return new Renegotiation_Extension(reader, size);
43 
45  return new Signature_Algorithms(reader, size);
46 
47  case TLSEXT_USE_SRTP:
48  return new SRTP_Protection_Profiles(reader, size);
49 
50  case TLSEXT_ALPN:
51  return new Application_Layer_Protocol_Notification(reader, size);
52 
54  return new Extended_Master_Secret(reader, size);
55 
57  return new Encrypt_then_MAC(reader, size);
58 
60  return new Session_Ticket(reader, size);
61 
63  return new Supported_Versions(reader, size, from);
64  }
65 
66  return new Unknown_Extension(static_cast<Handshake_Extension_Type>(code),
67  reader, size);
68  }
69 
70 }
71 
73  {
74  if(reader.has_remaining())
75  {
76  const uint16_t all_extn_size = reader.get_uint16_t();
77 
78  if(reader.remaining_bytes() != all_extn_size)
79  throw Decoding_Error("Bad extension size");
80 
81  while(reader.has_remaining())
82  {
83  const uint16_t extension_code = reader.get_uint16_t();
84  const uint16_t extension_size = reader.get_uint16_t();
85 
86  const auto type = static_cast<Handshake_Extension_Type>(extension_code);
87 
88  if(m_extensions.find(type) != m_extensions.end())
90  "Peer sent duplicated extensions");
91 
92  Extension* extn = make_extension(
93  reader, extension_code, extension_size, from);
94 
95  this->add(extn);
96  }
97  }
98  }
99 
100 std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const
101  {
102  std::vector<uint8_t> buf(2); // 2 bytes for length field
103 
104  for(auto& extn : m_extensions)
105  {
106  if(extn.second->empty())
107  continue;
108 
109  const uint16_t extn_code = static_cast<uint16_t>(extn.second->type());
110 
111  const std::vector<uint8_t> extn_val = extn.second->serialize(whoami);
112 
113  buf.push_back(get_byte(0, extn_code));
114  buf.push_back(get_byte(1, extn_code));
115 
116  buf.push_back(get_byte(0, static_cast<uint16_t>(extn_val.size())));
117  buf.push_back(get_byte(1, static_cast<uint16_t>(extn_val.size())));
118 
119  buf += extn_val;
120  }
121 
122  const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
123 
124  buf[0] = get_byte(0, extn_size);
125  buf[1] = get_byte(1, extn_size);
126 
127  // avoid sending a completely empty extensions block
128  if(buf.size() == 2)
129  return std::vector<uint8_t>();
130 
131  return buf;
132  }
133 
135  {
136  auto i = m_extensions.find(typ);
137  if(i == m_extensions.end())
138  return false;
139  m_extensions.erase(i);
140  return true;
141  }
142 
143 std::set<Handshake_Extension_Type> Extensions::extension_types() const
144  {
145  std::set<Handshake_Extension_Type> offers;
146  for(auto i = m_extensions.begin(); i != m_extensions.end(); ++i)
147  offers.insert(i->first);
148  return offers;
149  }
150 
152  TLS_Data_Reader& reader,
153  uint16_t extension_size) :
154  m_type(type),
155  m_value(reader.get_fixed<uint8_t>(extension_size))
156  {
157  }
158 
159 std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const
160  {
161  throw Invalid_State("Cannot encode an unknown TLS extension");
162  }
163 
165  uint16_t extension_size)
166  {
167  /*
168  * This is used by the server to confirm that it knew the name
169  */
170  if(extension_size == 0)
171  return;
172 
173  uint16_t name_bytes = reader.get_uint16_t();
174 
175  if(name_bytes + 2 != extension_size)
176  throw Decoding_Error("Bad encoding of SNI extension");
177 
178  while(name_bytes)
179  {
180  uint8_t name_type = reader.get_byte();
181  name_bytes--;
182 
183  if(name_type == 0) // DNS
184  {
185  m_sni_host_name = reader.get_string(2, 1, 65535);
186  name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
187  }
188  else // some other unknown name type
189  {
190  reader.discard_next(name_bytes);
191  name_bytes = 0;
192  }
193  }
194  }
195 
196 std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side /*whoami*/) const
197  {
198  std::vector<uint8_t> buf;
199 
200  size_t name_len = m_sni_host_name.size();
201 
202  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len+3)));
203  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len+3)));
204  buf.push_back(0); // DNS
205 
206  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len)));
207  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len)));
208 
209  buf += std::make_pair(
210  cast_char_ptr_to_uint8(m_sni_host_name.data()),
211  m_sni_host_name.size());
212 
213  return buf;
214  }
215 
216 #if defined(BOTAN_HAS_SRP6)
217 
218 SRP_Identifier::SRP_Identifier(TLS_Data_Reader& reader,
219  uint16_t extension_size) : m_srp_identifier(reader.get_string(1, 1, 255))
220  {
221  if(m_srp_identifier.size() + 1 != extension_size)
222  throw Decoding_Error("Bad encoding for SRP identifier extension");
223  }
224 
225 std::vector<uint8_t> SRP_Identifier::serialize(Connection_Side /*whoami*/) const
226  {
227  std::vector<uint8_t> buf;
228 
229  const uint8_t* srp_bytes = cast_char_ptr_to_uint8(m_srp_identifier.data());
230  append_tls_length_value(buf, srp_bytes, m_srp_identifier.size(), 1);
231 
232  return buf;
233  }
234 
235 #endif
236 
238  uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255))
239  {
240  if(m_reneg_data.size() + 1 != extension_size)
241  throw Decoding_Error("Bad encoding for secure renegotiation extn");
242  }
243 
244 std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const
245  {
246  std::vector<uint8_t> buf;
247  append_tls_length_value(buf, m_reneg_data, 1);
248  return buf;
249  }
250 
252  uint16_t extension_size)
253  {
254  if(extension_size == 0)
255  return; // empty extension
256 
257  const uint16_t name_bytes = reader.get_uint16_t();
258 
259  size_t bytes_remaining = extension_size - 2;
260 
261  if(name_bytes != bytes_remaining)
262  throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
263 
264  while(bytes_remaining)
265  {
266  const std::string p = reader.get_string(1, 0, 255);
267 
268  if(bytes_remaining < p.size() + 1)
269  throw Decoding_Error("Bad encoding of ALPN, length field too long");
270 
271  if(p.empty())
272  throw Decoding_Error("Empty ALPN protocol not allowed");
273 
274  bytes_remaining -= (p.size() + 1);
275 
276  m_protocols.push_back(p);
277  }
278  }
279 
281  {
282  if(m_protocols.size() != 1)
284  "Server sent " + std::to_string(m_protocols.size()) +
285  " protocols in ALPN extension response");
286  return m_protocols[0];
287  }
288 
290  {
291  std::vector<uint8_t> buf(2);
292 
293  for(auto&& p: m_protocols)
294  {
295  if(p.length() >= 256)
296  throw TLS_Exception(Alert::INTERNAL_ERROR, "ALPN name too long");
297  if(p != "")
299  cast_char_ptr_to_uint8(p.data()),
300  p.size(),
301  1);
302  }
303 
304  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
305  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
306 
307  return buf;
308  }
309 
310 Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups)
311  {
312  }
313 
314 std::vector<Group_Params> Supported_Groups::ec_groups() const
315  {
316  std::vector<Group_Params> ec;
317  for(auto g : m_groups)
318  {
319  if(group_param_is_dh(g) == false)
320  ec.push_back(g);
321  }
322  return ec;
323  }
324 
325 std::vector<Group_Params> Supported_Groups::dh_groups() const
326  {
327  std::vector<Group_Params> dh;
328  for(auto g : m_groups)
329  {
330  if(group_param_is_dh(g) == true)
331  dh.push_back(g);
332  }
333  return dh;
334  }
335 
336 std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const
337  {
338  std::vector<uint8_t> buf(2);
339 
340  for(auto g : m_groups)
341  {
342  const uint16_t id = static_cast<uint16_t>(g);
343 
344  if(id > 0)
345  {
346  buf.push_back(get_byte(0, id));
347  buf.push_back(get_byte(1, id));
348  }
349  }
350 
351  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
352  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
353 
354  return buf;
355  }
356 
358  uint16_t extension_size)
359  {
360  const uint16_t len = reader.get_uint16_t();
361 
362  if(len + 2 != extension_size)
363  throw Decoding_Error("Inconsistent length field in supported groups list");
364 
365  if(len % 2 == 1)
366  throw Decoding_Error("Supported groups list of strange size");
367 
368  const size_t elems = len / 2;
369 
370  for(size_t i = 0; i != elems; ++i)
371  {
372  const uint16_t id = reader.get_uint16_t();
373  m_groups.push_back(static_cast<Group_Params>(id));
374  }
375  }
376 
377 std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const
378  {
379  // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
380  if(m_prefers_compressed)
381  {
382  return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
383  }
384  else
385  {
386  return std::vector<uint8_t>{1, UNCOMPRESSED};
387  }
388  }
389 
391  uint16_t extension_size)
392  {
393  uint8_t len = reader.get_byte();
394 
395  if(len + 1 != extension_size)
396  throw Decoding_Error("Inconsistent length field in supported point formats list");
397 
398  for(size_t i = 0; i != len; ++i)
399  {
400  uint8_t format = reader.get_byte();
401 
402  if(static_cast<ECPointFormat>(format) == UNCOMPRESSED)
403  {
404  m_prefers_compressed = false;
405  reader.discard_next(len-i-1);
406  return;
407  }
408  else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME)
409  {
410  m_prefers_compressed = true;
411  reader.discard_next(len-i-1);
412  return;
413  }
414 
415  // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
416  }
417  }
418 
419 std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const
420  {
421  BOTAN_ASSERT(m_schemes.size() < 256, "Too many signature schemes");
422 
423  std::vector<uint8_t> buf;
424 
425  const uint16_t len = static_cast<uint16_t>(m_schemes.size() * 2);
426 
427  buf.push_back(get_byte(0, len));
428  buf.push_back(get_byte(1, len));
429 
430  for(Signature_Scheme scheme : m_schemes)
431  {
432  const uint16_t scheme_code = static_cast<uint16_t>(scheme);
433 
434  buf.push_back(get_byte(0, scheme_code));
435  buf.push_back(get_byte(1, scheme_code));
436  }
437 
438  return buf;
439  }
440 
442  uint16_t extension_size)
443  {
444  uint16_t len = reader.get_uint16_t();
445 
446  if(len + 2 != extension_size || len % 2 == 1 || len == 0)
447  {
448  throw Decoding_Error("Bad encoding on signature algorithms extension");
449  }
450 
451  while(len)
452  {
453  const uint16_t scheme_code = reader.get_uint16_t();
454  m_schemes.push_back(static_cast<Signature_Scheme>(scheme_code));
455  len -= 2;
456  }
457  }
458 
460  uint16_t extension_size) : m_ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))
461  {}
462 
464  uint16_t extension_size) : m_pp(reader.get_range<uint16_t>(2, 0, 65535))
465  {
466  const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
467 
468  if(m_pp.size() * 2 + mki.size() + 3 != extension_size)
469  throw Decoding_Error("Bad encoding for SRTP protection extension");
470 
471  if(!mki.empty())
472  throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
473  }
474 
475 std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const
476  {
477  std::vector<uint8_t> buf;
478 
479  const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
480  buf.push_back(get_byte(0, pp_len));
481  buf.push_back(get_byte(1, pp_len));
482 
483  for(uint16_t pp : m_pp)
484  {
485  buf.push_back(get_byte(0, pp));
486  buf.push_back(get_byte(1, pp));
487  }
488 
489  buf.push_back(0); // srtp_mki, always empty here
490 
491  return buf;
492  }
493 
495  uint16_t extension_size)
496  {
497  if(extension_size != 0)
498  throw Decoding_Error("Invalid extended_master_secret extension");
499  }
500 
501 std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const
502  {
503  return std::vector<uint8_t>();
504  }
505 
507  uint16_t extension_size)
508  {
509  if(extension_size != 0)
510  throw Decoding_Error("Invalid encrypt_then_mac extension");
511  }
512 
513 std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const
514  {
515  return std::vector<uint8_t>();
516  }
517 
518 std::vector<uint8_t> Certificate_Status_Request::serialize(Connection_Side whoami) const
519  {
520  std::vector<uint8_t> buf;
521 
522  if(whoami == Connection_Side::SERVER)
523  return buf; // server reply is empty
524 
525  /*
526  opaque ResponderID<1..2^16-1>;
527  opaque Extensions<0..2^16-1>;
528 
529  CertificateStatusType status_type = ocsp(1)
530  ResponderID responder_id_list<0..2^16-1>
531  Extensions request_extensions;
532  */
533 
534  buf.push_back(1); // CertificateStatusType ocsp
535 
536  buf.push_back(0);
537  buf.push_back(0);
538  buf.push_back(0);
539  buf.push_back(0);
540 
541  return buf;
542  }
543 
545  uint16_t extension_size,
546  Connection_Side from)
547  {
548  if(from == Connection_Side::SERVER)
549  {
550  if(extension_size != 0)
551  throw Decoding_Error("Server sent non-empty Certificate_Status_Request extension");
552  }
553  else if(extension_size > 0)
554  {
555  const uint8_t type = reader.get_byte();
556  if(type == 1)
557  {
558  const size_t len_resp_id_list = reader.get_uint16_t();
559  m_ocsp_names = reader.get_fixed<uint8_t>(len_resp_id_list);
560  const size_t len_requ_ext = reader.get_uint16_t();
561  m_extension_bytes = reader.get_fixed<uint8_t>(len_requ_ext);
562  }
563  else
564  {
565  reader.discard_next(extension_size - 1);
566  }
567  }
568  }
569 
570 Certificate_Status_Request::Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids,
571  const std::vector<std::vector<uint8_t>>& ocsp_key_ids) :
572  m_ocsp_names(ocsp_responder_ids),
573  m_ocsp_keys(ocsp_key_ids)
574  {
575  }
576 
577 std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const
578  {
579  std::vector<uint8_t> buf;
580 
581  if(whoami == Connection_Side::SERVER)
582  {
583  BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
584  buf.push_back(m_versions[0].major_version());
585  buf.push_back(m_versions[0].minor_version());
586  }
587  else
588  {
589  BOTAN_ASSERT_NOMSG(m_versions.size() >= 1);
590  const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
591 
592  buf.push_back(len);
593 
594  for(Protocol_Version version : m_versions)
595  {
596  buf.push_back(get_byte(0, version.major_version()));
597  buf.push_back(get_byte(1, version.minor_version()));
598  }
599  }
600 
601  return buf;
602  }
603 
605  {
606  if(offer.is_datagram_protocol())
607  {
608  if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12())
609  m_versions.push_back(Protocol_Version::DTLS_V12);
610 #if defined(BOTAN_HAS_TLS_V10)
611  if(offer >= Protocol_Version::DTLS_V10 && policy.allow_dtls10())
612  m_versions.push_back(Protocol_Version::DTLS_V10);
613 #endif
614  }
615  else
616  {
617  if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12())
618  m_versions.push_back(Protocol_Version::TLS_V12);
619 #if defined(BOTAN_HAS_TLS_V10)
620  if(offer >= Protocol_Version::TLS_V11 && policy.allow_tls11())
621  m_versions.push_back(Protocol_Version::TLS_V11);
622  if(offer >= Protocol_Version::TLS_V10 && policy.allow_tls10())
623  m_versions.push_back(Protocol_Version::TLS_V10);
624 #endif
625  }
626  }
627 
629  uint16_t extension_size,
630  Connection_Side from)
631  {
632  if(from == Connection_Side::SERVER)
633  {
634  if(extension_size != 2)
635  throw Decoding_Error("Server sent invalid supported_versions extension");
636  m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
637  }
638  else
639  {
640  auto versions = reader.get_range<uint16_t>(1, 1, 127);
641 
642  for(auto v : versions)
643  m_versions.push_back(Protocol_Version(v));
644 
645  if(extension_size != 1+2*versions.size())
646  throw Decoding_Error("Client sent invalid supported_versions extension");
647  }
648  }
649 
651  {
652  for(auto v : m_versions)
653  if(version == v)
654  return true;
655  return false;
656  }
657 
658 }
659 
660 }
virtual bool allow_tls11() const
Definition: tls_policy.cpp:336
std::vector< T > get_fixed(size_t size)
Definition: tls_reader.h:126
Handshake_Extension_Type type() const override
bool group_param_is_dh(Group_Params group)
Definition: tls_algos.cpp:118
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Name_Indicator(const std::string &host_name)
std::vector< uint8_t > serialize(Connection_Side whoami) const
void add(Extension *extn)
Signature_Scheme
Definition: tls_algos.h:86
constexpr uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:41
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:190
Definition: bigint.h:1142
std::vector< uint8_t > serialize(Connection_Side whoami) const override
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
MechanismType type
Signature_Algorithms(const std::vector< Signature_Scheme > &schemes)
void deserialize(TLS_Data_Reader &reader, Connection_Side from)
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition: tls_reader.h:115
Unknown_Extension(Handshake_Extension_Type type, TLS_Data_Reader &reader, uint16_t extension_size)
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition: tls_reader.h:94
Application_Layer_Protocol_Notification(const std::string &protocol)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual bool allow_dtls10() const
Definition: tls_policy.cpp:338
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Definition: alg_id.cpp:13
std::vector< Group_Params > ec_groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Versions(Protocol_Version version, const Policy &policy)
std::set< Handshake_Extension_Type > extension_types() const
virtual bool allow_tls12() const
Definition: tls_policy.cpp:337
virtual bool allow_dtls12() const
Definition: tls_policy.cpp:339
std::vector< uint8_t > serialize(Connection_Side whoami) const override
bool supports(Protocol_Version version) const
const std::vector< Protocol_Version > versions() const
void discard_next(size_t bytes)
Definition: tls_reader.h:47
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< Group_Params > dh_groups() const
size_t remaining_bytes() const
Definition: tls_reader.h:38
Supported_Groups(const std::vector< Group_Params > &groups)
Supported_Point_Formats(bool prefer_compressed)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual bool allow_tls10() const
Definition: tls_policy.cpp:335
bool has_remaining() const
Definition: tls_reader.h:40
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:185
bool remove_extension(Handshake_Extension_Type typ)