Botan 3.9.0
Crypto and TLS for C&
tls_extensions.cpp
Go to the documentation of this file.
1/*
2* TLS Extensions
3* (C) 2011,2012,2015,2016 Jack Lloyd
4* 2016 Juraj Somorovsky
5* 2021 Elektrobit Automotive GmbH
6* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
7* 2023 Mateusz Berezecki
8* 2023 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity
9*
10* Botan is released under the Simplified BSD License (see license.txt)
11*/
12
13#include <botan/tls_extensions.h>
14
15#include <botan/ber_dec.h>
16#include <botan/der_enc.h>
17#include <botan/tls_exceptn.h>
18#include <botan/tls_policy.h>
19#include <botan/internal/mem_utils.h>
20#include <botan/internal/stl_util.h>
21#include <botan/internal/tls_reader.h>
22
23#include <algorithm>
24#include <iterator>
25
26namespace Botan::TLS {
27
28namespace {
29
30std::unique_ptr<Extension> make_extension(TLS_Data_Reader& reader,
31 Extension_Code code,
32 const Connection_Side from,
33 const Handshake_Type message_type) {
34 // This cast is safe because we read exactly a 16 bit length field for
35 // the extension in Extensions::deserialize
36 const uint16_t size = static_cast<uint16_t>(reader.remaining_bytes());
37 switch(code) {
39 return std::make_unique<Server_Name_Indicator>(reader, size);
40
42 return std::make_unique<Supported_Groups>(reader, size);
43
45 return std::make_unique<Certificate_Status_Request>(reader, size, message_type, from);
46
48 return std::make_unique<Supported_Point_Formats>(reader, size);
49
51 return std::make_unique<Renegotiation_Extension>(reader, size);
52
54 return std::make_unique<Signature_Algorithms>(reader, size);
55
57 return std::make_unique<Signature_Algorithms_Cert>(reader, size);
58
60 return std::make_unique<SRTP_Protection_Profiles>(reader, size);
61
63 return std::make_unique<Application_Layer_Protocol_Notification>(reader, size, from);
64
66 return std::make_unique<Client_Certificate_Type>(reader, size, from);
67
69 return std::make_unique<Server_Certificate_Type>(reader, size, from);
70
72 return std::make_unique<Extended_Master_Secret>(reader, size);
73
75 return std::make_unique<Record_Size_Limit>(reader, size, from);
76
78 return std::make_unique<Encrypt_then_MAC>(reader, size);
79
81 return std::make_unique<Session_Ticket_Extension>(reader, size);
82
84 return std::make_unique<Supported_Versions>(reader, size, from);
85
86#if defined(BOTAN_HAS_TLS_13)
88 return std::make_unique<PSK>(reader, size, message_type);
89
91 return std::make_unique<EarlyDataIndication>(reader, size, message_type);
92
94 return std::make_unique<Cookie>(reader, size);
95
97 return std::make_unique<PSK_Key_Exchange_Modes>(reader, size);
98
100 return std::make_unique<Certificate_Authorities>(reader, size);
101
103 return std::make_unique<Key_Share>(reader, size, message_type);
104#endif
105 }
106
107 return std::make_unique<Unknown_Extension>(code, reader, size);
108}
109
110} // namespace
111
112Extensions::~Extensions() = default;
113
115 const auto i =
116 std::find_if(m_extensions.cbegin(), m_extensions.cend(), [type](const auto& ext) { return ext->type() == type; });
117
118 return (i != m_extensions.end()) ? i->get() : nullptr;
119}
120
121void Extensions::add(std::unique_ptr<Extension> extn) {
122 if(has(extn->type())) {
123 throw Invalid_Argument("cannot add the same extension twice: " +
124 std::to_string(static_cast<uint16_t>(extn->type())));
125 }
126
127 m_extensions.emplace_back(extn.release());
128}
129
130void Extensions::deserialize(TLS_Data_Reader& reader, const Connection_Side from, const Handshake_Type message_type) {
131 if(reader.has_remaining()) {
132 const uint16_t all_extn_size = reader.get_uint16_t();
133
134 if(reader.remaining_bytes() != all_extn_size) {
135 throw Decoding_Error("Bad extension size");
136 }
137
138 while(reader.has_remaining()) {
139 const uint16_t extension_code = reader.get_uint16_t();
140 const uint16_t extension_size = reader.get_uint16_t();
141
142 const auto type = static_cast<Extension_Code>(extension_code);
143
144 if(this->has(type)) {
145 throw TLS_Exception(TLS::Alert::DecodeError, "Peer sent duplicated extensions");
146 }
147
148 // TODO offer a function on reader that returns a byte range as a reference
149 // to avoid this copy of the extension data
150 const std::vector<uint8_t> extn_data = reader.get_fixed<uint8_t>(extension_size);
151 TLS_Data_Reader extn_reader("Extension", extn_data);
152 this->add(make_extension(extn_reader, type, from, message_type));
153 extn_reader.assert_done();
154 }
155 }
156}
157
158bool Extensions::contains_other_than(const std::set<Extension_Code>& allowed_extensions,
159 const bool allow_unknown_extensions) const {
160 const auto found = extension_types();
161
162 std::vector<Extension_Code> diff;
163 std::set_difference(
164 found.cbegin(), found.end(), allowed_extensions.cbegin(), allowed_extensions.cend(), std::back_inserter(diff));
165
166 if(allow_unknown_extensions) {
167 // Go through the found unexpected extensions whether any of those
168 // is known to this TLS implementation.
169 const auto itr = std::find_if(diff.cbegin(), diff.cend(), [this](const auto ext_type) {
170 const auto ext = get(ext_type);
171 return ext && ext->is_implemented();
172 });
173
174 // ... if yes, `contains_other_than` is true
175 return itr != diff.cend();
176 }
177
178 return !diff.empty();
179}
180
181std::unique_ptr<Extension> Extensions::take(Extension_Code type) {
182 const auto i =
183 std::find_if(m_extensions.begin(), m_extensions.end(), [type](const auto& ext) { return ext->type() == type; });
184
185 std::unique_ptr<Extension> result;
186 if(i != m_extensions.end()) {
187 std::swap(result, *i);
188 m_extensions.erase(i);
189 }
190
191 return result;
192}
193
194std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const {
195 std::vector<uint8_t> buf(2); // 2 bytes for length field
196
197 for(const auto& extn : m_extensions) {
198 if(extn->empty()) {
199 continue;
200 }
201
202 const uint16_t extn_code = static_cast<uint16_t>(extn->type());
203
204 const std::vector<uint8_t> extn_val = extn->serialize(whoami);
205
206 buf.push_back(get_byte<0>(extn_code));
207 buf.push_back(get_byte<1>(extn_code));
208
209 buf.push_back(get_byte<0>(static_cast<uint16_t>(extn_val.size())));
210 buf.push_back(get_byte<1>(static_cast<uint16_t>(extn_val.size())));
211
212 buf += extn_val;
213 }
214
215 const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
216
217 buf[0] = get_byte<0>(extn_size);
218 buf[1] = get_byte<1>(extn_size);
219
220 // avoid sending a completely empty extensions block
221 if(buf.size() == 2) {
222 return std::vector<uint8_t>();
223 }
225 return buf;
226}
227
228std::set<Extension_Code> Extensions::extension_types() const {
229 std::set<Extension_Code> offers;
230 std::transform(
231 m_extensions.cbegin(), m_extensions.cend(), std::inserter(offers, offers.begin()), [](const auto& ext) {
232 return ext->type();
233 });
234 return offers;
235}
236
238 m_type(type), m_value(reader.get_fixed<uint8_t>(extension_size)) {}
239
240std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const {
241 return m_value;
242}
243
245 /*
246 * This is used by the server to confirm that it knew the name
247 */
248 if(extension_size == 0) {
249 return;
250 }
251
252 uint16_t name_bytes = reader.get_uint16_t();
253
254 if(name_bytes + 2 != extension_size) {
255 throw Decoding_Error("Bad encoding of SNI extension");
256 }
257
258 while(name_bytes > 0) {
259 uint8_t name_type = reader.get_byte();
260 name_bytes--;
261
262 if(name_type == 0) {
263 // DNS
264 m_sni_host_name = reader.get_string(2, 1, 65535);
265 name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
266 } else {
267 // some other unknown name type, which we will ignore
268 reader.discard_next(name_bytes);
269 name_bytes = 0;
270 }
271 }
272}
273
274std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side whoami) const {
275 // RFC 6066
276 // [...] the server SHALL include an extension of type "server_name" in
277 // the (extended) server hello. The "extension_data" field of this
278 // extension SHALL be empty.
279 if(whoami == Connection_Side::Server) {
280 return {};
281 }
282
283 std::vector<uint8_t> buf;
284
285 size_t name_len = m_sni_host_name.size();
286
287 buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len + 3)));
288 buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len + 3)));
289 buf.push_back(0); // DNS
290
291 buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len)));
292 buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len)));
293
294 buf += as_span_of_bytes(m_sni_host_name);
295
296 return buf;
297}
298
300 m_reneg_data(reader.get_range<uint8_t>(1, 0, 255)) {
301 if(m_reneg_data.size() + 1 != extension_size) {
302 throw Decoding_Error("Bad encoding for secure renegotiation extn");
303 }
304}
305
306std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const {
307 std::vector<uint8_t> buf;
308 append_tls_length_value(buf, m_reneg_data, 1);
309 return buf;
310}
311
313 uint16_t extension_size,
314 Connection_Side from) {
315 if(extension_size == 0) {
316 return; // empty extension
317 }
318
319 const uint16_t name_bytes = reader.get_uint16_t();
320
321 size_t bytes_remaining = extension_size - 2;
322
323 if(name_bytes != bytes_remaining) {
324 throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
325 }
326
327 while(bytes_remaining > 0) {
328 const std::string p = reader.get_string(1, 0, 255);
329
330 if(bytes_remaining < p.size() + 1) {
331 throw Decoding_Error("Bad encoding of ALPN, length field too long");
332 }
333
334 if(p.empty()) {
335 throw Decoding_Error("Empty ALPN protocol not allowed");
336 }
337
338 bytes_remaining -= (p.size() + 1);
339
340 m_protocols.push_back(p);
341 }
342
343 // RFC 7301 3.1
344 // The "extension_data" field of the [...] extension is structured the
345 // same as described above for the client "extension_data", except that
346 // the "ProtocolNameList" MUST contain exactly one "ProtocolName".
347 if(from == Connection_Side::Server && m_protocols.size() != 1) {
348 throw TLS_Exception(
349 Alert::DecodeError,
350 "Server sent " + std::to_string(m_protocols.size()) + " protocols in ALPN extension response");
351 }
352}
353
355 BOTAN_STATE_CHECK(m_protocols.size() == 1);
356 return m_protocols.front();
357}
358
360 std::vector<uint8_t> buf(2);
361
362 for(auto&& proto : m_protocols) {
363 if(proto.length() >= 256) {
364 throw TLS_Exception(Alert::InternalError, "ALPN name too long");
365 }
366 if(!proto.empty()) {
367 append_tls_length_value(buf, proto, 1);
368 }
369 }
370
371 buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size() - 2));
372 buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size() - 2));
373
374 return buf;
375}
376
378 switch(type) {
380 return "X509";
382 return "RawPublicKey";
383 }
384
385 return "Unknown";
386}
387
388Certificate_Type certificate_type_from_string(const std::string& type_str) {
389 if(type_str == "X509") {
391 } else if(type_str == "RawPublicKey") {
393 } else {
394 throw Decoding_Error("Unknown certificate type: " + type_str);
395 }
396}
397
398Certificate_Type_Base::Certificate_Type_Base(std::vector<Certificate_Type> supported_cert_types) :
399 m_certificate_types(std::move(supported_cert_types)), m_from(Connection_Side::Client) {
400 BOTAN_ARG_CHECK(!m_certificate_types.empty(), "at least one certificate type must be supported");
401}
402
404 Certificate_Type_Base(cct, policy.accepted_client_certificate_types()) {}
405
407 Certificate_Type_Base(sct, policy.accepted_server_certificate_types()) {}
408
410 const std::vector<Certificate_Type>& server_preference) :
411 m_from(Connection_Side::Server) {
412 // RFC 7250 4.2
413 // The server_certificate_type extension in the client hello indicates the
414 // types of certificates the client is able to process when provided by
415 // the server in a subsequent certificate payload. [...] With the
416 // server_certificate_type extension in the server hello, the TLS server
417 // indicates the certificate type carried in the Certificate payload.
418 for(const auto server_supported_cert_type : server_preference) {
419 if(value_exists(certificate_type_from_client.m_certificate_types, server_supported_cert_type)) {
420 m_certificate_types.push_back(server_supported_cert_type);
421 return;
422 }
423 }
424
425 // RFC 7250 4.2 (2.)
426 // The server supports the extension defined in this document, but
427 // it does not have any certificate type in common with the client.
428 // Then, the server terminates the session with a fatal alert of
429 // type "unsupported_certificate".
430 throw TLS_Exception(Alert::UnsupportedCertificate, "Failed to agree on certificate_type");
431}
432
434 m_from(from) {
435 if(extension_size == 0) {
436 throw Decoding_Error("Certificate type extension cannot be empty");
437 }
438
439 if(from == Connection_Side::Client) {
440 const auto type_bytes = reader.get_tls_length_value(1);
441 if(static_cast<size_t>(extension_size) != type_bytes.size() + 1) {
442 throw Decoding_Error("certificate type extension had inconsistent length");
443 }
444 std::transform(
445 type_bytes.begin(), type_bytes.end(), std::back_inserter(m_certificate_types), [](const auto type_byte) {
446 return static_cast<Certificate_Type>(type_byte);
447 });
448 } else {
449 // RFC 7250 4.2
450 // Note that only a single value is permitted in the
451 // server_certificate_type extension when carried in the server hello.
452 if(extension_size != 1) {
453 throw Decoding_Error("Server's certificate type extension must be of length 1");
454 }
455 const auto type_byte = reader.get_byte();
456 m_certificate_types.push_back(static_cast<Certificate_Type>(type_byte));
457 }
458}
459
460std::vector<uint8_t> Certificate_Type_Base::serialize(Connection_Side whoami) const {
461 std::vector<uint8_t> result;
462 if(whoami == Connection_Side::Client) {
463 std::vector<uint8_t> type_bytes;
464 std::transform(
465 m_certificate_types.begin(), m_certificate_types.end(), std::back_inserter(type_bytes), [](const auto type) {
466 return static_cast<uint8_t>(type);
467 });
468 append_tls_length_value(result, type_bytes, 1);
469 } else {
470 BOTAN_ASSERT_NOMSG(m_certificate_types.size() == 1);
471 result.push_back(static_cast<uint8_t>(m_certificate_types.front()));
472 }
473 return result;
474}
475
478 BOTAN_ASSERT_NOMSG(from_server.m_from == Connection_Side::Server);
479
480 // RFC 7250 4.2
481 // The value conveyed in the [client_]certificate_type extension MUST be
482 // selected from one of the values provided in the [client_]certificate_type
483 // extension sent in the client hello.
484 if(!value_exists(m_certificate_types, from_server.selected_certificate_type())) {
485 throw TLS_Exception(Alert::IllegalParameter,
486 Botan::fmt("Selected certificate type was not offered: {}",
488 }
489}
490
493 BOTAN_ASSERT_NOMSG(m_certificate_types.size() == 1);
494 return m_certificate_types.front();
495}
496
497Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups) {}
498
499const std::vector<Group_Params>& Supported_Groups::groups() const {
500 return m_groups;
501}
502
503std::vector<Group_Params> Supported_Groups::ec_groups() const {
504 std::vector<Group_Params> ec;
505 for(auto g : m_groups) {
506 if(g.is_pure_ecc_group()) {
507 ec.push_back(g);
508 }
509 }
510 return ec;
511}
512
513std::vector<Group_Params> Supported_Groups::dh_groups() const {
514 std::vector<Group_Params> dh;
515 for(auto g : m_groups) {
516 if(g.is_in_ffdhe_range()) {
517 dh.push_back(g);
518 }
519 }
520 return dh;
521}
522
523std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const {
524 std::vector<uint8_t> buf(2);
525
526 for(auto g : m_groups) {
527 const uint16_t id = g.wire_code();
528
529 if(id > 0) {
530 buf.push_back(get_byte<0>(id));
531 buf.push_back(get_byte<1>(id));
532 }
533 }
534
535 buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size() - 2));
536 buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size() - 2));
537
538 return buf;
539}
540
541Supported_Groups::Supported_Groups(TLS_Data_Reader& reader, uint16_t extension_size) {
542 const uint16_t len = reader.get_uint16_t();
543
544 if(len + 2 != extension_size) {
545 throw Decoding_Error("Inconsistent length field in supported groups list");
546 }
547
548 if(len % 2 == 1) {
549 throw Decoding_Error("Supported groups list of strange size");
550 }
551
552 const size_t elems = len / 2;
553
554 for(size_t i = 0; i != elems; ++i) {
555 const auto group = static_cast<Group_Params>(reader.get_uint16_t());
556 // Note: RFC 8446 does not explicitly enforce that groups must be unique.
557 if(!value_exists(m_groups, group)) {
558 m_groups.push_back(group);
559 }
560 }
561}
562
563std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const {
564 // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
565 if(m_prefers_compressed) {
566 return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
567 } else {
568 return std::vector<uint8_t>{1, UNCOMPRESSED};
569 }
570}
571
573 uint8_t len = reader.get_byte();
574
575 if(len + 1 != extension_size) {
576 throw Decoding_Error("Inconsistent length field in supported point formats list");
577 }
578
579 bool includes_uncompressed = false;
580 for(size_t i = 0; i != len; ++i) {
581 uint8_t format = reader.get_byte();
582
583 if(static_cast<ECPointFormat>(format) == UNCOMPRESSED) {
584 m_prefers_compressed = false;
585 reader.discard_next(len - i - 1);
586 return;
587 } else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME) {
588 m_prefers_compressed = true;
589 std::vector<uint8_t> remaining_formats = reader.get_fixed<uint8_t>(len - i - 1);
590 includes_uncompressed =
591 std::any_of(std::begin(remaining_formats), std::end(remaining_formats), [](uint8_t remaining_format) {
592 return static_cast<ECPointFormat>(remaining_format) == UNCOMPRESSED;
593 });
594 break;
595 }
596
597 // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
598 }
599
600 // RFC 4492 5.1.:
601 // If the Supported Point Formats Extension is indeed sent, it MUST contain the value 0 (uncompressed)
602 // as one of the items in the list of point formats.
603 // Note:
604 // RFC 8422 5.1.2. explicitly requires this check,
605 // but only if the Supported Groups extension was sent.
606 if(!includes_uncompressed) {
607 throw TLS_Exception(Alert::IllegalParameter,
608 "Supported Point Formats Extension must contain the uncompressed point format");
609 }
610}
611
612namespace {
613
614std::vector<uint8_t> serialize_signature_algorithms(const std::vector<Signature_Scheme>& schemes) {
615 BOTAN_ASSERT(schemes.size() < 256, "Too many signature schemes");
616
617 std::vector<uint8_t> buf;
618
619 const uint16_t len = static_cast<uint16_t>(schemes.size() * 2);
620
621 buf.push_back(get_byte<0>(len));
622 buf.push_back(get_byte<1>(len));
623
624 for(Signature_Scheme scheme : schemes) {
625 buf.push_back(get_byte<0>(scheme.wire_code()));
626 buf.push_back(get_byte<1>(scheme.wire_code()));
627 }
628
629 return buf;
630}
631
632std::vector<Signature_Scheme> parse_signature_algorithms(TLS_Data_Reader& reader, uint16_t extension_size) {
633 uint16_t len = reader.get_uint16_t();
634
635 if(len + 2 != extension_size || len % 2 == 1 || len == 0) {
636 throw Decoding_Error("Bad encoding on signature algorithms extension");
637 }
638
639 std::vector<Signature_Scheme> schemes;
640 schemes.reserve(len / 2);
641 while(len > 0) {
642 schemes.emplace_back(reader.get_uint16_t());
643 len -= 2;
644 }
645
646 return schemes;
647}
648
649} // namespace
650
651std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const {
652 return serialize_signature_algorithms(m_schemes);
653}
654
656 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
657
658std::vector<uint8_t> Signature_Algorithms_Cert::serialize(Connection_Side /*whoami*/) const {
659 return serialize_signature_algorithms(m_schemes);
660}
661
663 m_schemes(parse_signature_algorithms(reader, extension_size)) {}
664
666 m_ticket(Session_Ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))) {}
667
669 m_pp(reader.get_range<uint16_t>(2, 0, 65535)) {
670 const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
671
672 if(m_pp.size() * 2 + mki.size() + 3 != extension_size) {
673 throw Decoding_Error("Bad encoding for SRTP protection extension");
674 }
675
676 if(!mki.empty()) {
677 throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
678 }
679}
680
681std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const {
682 std::vector<uint8_t> buf;
683
684 const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
685 buf.push_back(get_byte<0>(pp_len));
686 buf.push_back(get_byte<1>(pp_len));
687
688 for(uint16_t pp : m_pp) {
689 buf.push_back(get_byte<0>(pp));
690 buf.push_back(get_byte<1>(pp));
691 }
692
693 buf.push_back(0); // srtp_mki, always empty here
694
695 return buf;
696}
697
699 if(extension_size != 0) {
700 throw Decoding_Error("Invalid extended_master_secret extension");
701 }
702}
703
704std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const {
705 return std::vector<uint8_t>();
706}
707
708Encrypt_then_MAC::Encrypt_then_MAC(TLS_Data_Reader& /*unused*/, uint16_t extension_size) {
709 if(extension_size != 0) {
710 throw Decoding_Error("Invalid encrypt_then_mac extension");
711 }
712}
713
714std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const {
715 return std::vector<uint8_t>();
716}
717
718std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const {
719 std::vector<uint8_t> buf;
720
721 if(whoami == Connection_Side::Server) {
722 BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
723 buf.push_back(m_versions[0].major_version());
724 buf.push_back(m_versions[0].minor_version());
725 } else {
726 BOTAN_ASSERT_NOMSG(!m_versions.empty());
727 const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
728
729 buf.push_back(len);
730
731 for(Protocol_Version version : m_versions) {
732 buf.push_back(version.major_version());
733 buf.push_back(version.minor_version());
734 }
735 }
736
737 return buf;
738}
739
741 if(offer.is_datagram_protocol()) {
742#if defined(BOTAN_HAS_TLS_12)
743 if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12()) {
744 m_versions.push_back(Protocol_Version::DTLS_V12);
745 }
746#endif
747 } else {
748#if defined(BOTAN_HAS_TLS_13)
749 if(offer >= Protocol_Version::TLS_V13 && policy.allow_tls13()) {
750 m_versions.push_back(Protocol_Version::TLS_V13);
751 }
752#endif
753#if defined(BOTAN_HAS_TLS_12)
754 if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12()) {
755 m_versions.push_back(Protocol_Version::TLS_V12);
756 }
757#endif
758 }
759}
760
762 if(from == Connection_Side::Server) {
763 if(extension_size != 2) {
764 throw Decoding_Error("Server sent invalid supported_versions extension");
765 }
766 m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
767 } else {
768 auto versions = reader.get_range<uint16_t>(1, 1, 127);
769
770 for(auto v : versions) {
771 m_versions.push_back(Protocol_Version(v));
772 }
773
774 if(extension_size != 1 + 2 * versions.size()) {
775 throw Decoding_Error("Client sent invalid supported_versions extension");
776 }
777 }
778}
779
781 for(auto v : m_versions) {
782 if(version == v) {
783 return true;
784 }
785 }
786 return false;
787}
788
790 BOTAN_ASSERT(limit >= 64, "RFC 8449 does not allow record size limits smaller than 64 bytes");
791 BOTAN_ASSERT(limit <= MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */,
792 "RFC 8449 does not allow record size limits larger than 2^14+1");
793}
794
796 if(extension_size != 2) {
797 throw TLS_Exception(Alert::DecodeError, "invalid record_size_limit extension");
798 }
799
800 m_limit = reader.get_uint16_t();
801
802 // RFC 8449 4.
803 // This value is the length of the plaintext of a protected record.
804 // The value includes the content type and padding added in TLS 1.3 (that
805 // is, the complete length of TLSInnerPlaintext).
806 //
807 // A server MUST NOT enforce this restriction; a client might advertise
808 // a higher limit that is enabled by an extension or version the server
809 // does not understand. A client MAY abort the handshake with an
810 // "illegal_parameter" alert.
811 //
812 // Note: We are currently supporting this extension in TLS 1.3 only, hence
813 // we check for the TLS 1.3 limit. The TLS 1.2 limit would not include
814 // the "content type byte" and hence be one byte less!
815 if(m_limit > MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */ && from == Connection_Side::Server) {
816 throw TLS_Exception(Alert::IllegalParameter,
817 "Server requested a record size limit larger than the protocol's maximum");
818 }
819
820 // RFC 8449 4.
821 // Endpoints MUST NOT send a "record_size_limit" extension with a value
822 // smaller than 64. An endpoint MUST treat receipt of a smaller value
823 // as a fatal error and generate an "illegal_parameter" alert.
824 if(m_limit < 64) {
825 throw TLS_Exception(Alert::IllegalParameter, "Received a record size limit smaller than 64 bytes");
826 }
827}
828
829std::vector<uint8_t> Record_Size_Limit::serialize(Connection_Side /*whoami*/) const {
830 std::vector<uint8_t> buf;
831
832 buf.push_back(get_byte<0>(m_limit));
833 buf.push_back(get_byte<1>(m_limit));
834
835 return buf;
836}
837
838#if defined(BOTAN_HAS_TLS_13)
839Cookie::Cookie(const std::vector<uint8_t>& cookie) : m_cookie(cookie) {}
840
841Cookie::Cookie(TLS_Data_Reader& reader, uint16_t extension_size) {
842 if(extension_size == 0) {
843 return;
844 }
845
846 const uint16_t len = reader.get_uint16_t();
847
848 if(len == 0) {
849 // Based on RFC 8446 4.2.2, len of the Cookie buffer must be at least 1
850 throw Decoding_Error("Cookie length must be at least 1 byte");
851 }
852
853 if(len > reader.remaining_bytes()) {
854 throw Decoding_Error("Not enough bytes in the buffer to decode Cookie");
855 }
856
857 for(size_t i = 0; i < len; ++i) {
858 m_cookie.push_back(reader.get_byte());
859 }
860}
861
862std::vector<uint8_t> Cookie::serialize(Connection_Side /*whoami*/) const {
863 std::vector<uint8_t> buf;
864
865 const uint16_t len = static_cast<uint16_t>(m_cookie.size());
866
867 buf.push_back(get_byte<0>(len));
868 buf.push_back(get_byte<1>(len));
869
870 for(const auto& cookie_byte : m_cookie) {
871 buf.push_back(cookie_byte);
872 }
873
874 return buf;
875}
876
877std::vector<uint8_t> PSK_Key_Exchange_Modes::serialize(Connection_Side /*whoami*/) const {
878 std::vector<uint8_t> buf;
879
880 BOTAN_ASSERT_NOMSG(m_modes.size() < 256);
881 buf.push_back(static_cast<uint8_t>(m_modes.size()));
882 for(const auto& mode : m_modes) {
883 buf.push_back(static_cast<uint8_t>(mode));
884 }
885
886 return buf;
887}
888
890 if(extension_size < 2) {
891 throw Decoding_Error("Empty psk_key_exchange_modes extension is illegal");
892 }
893
894 const auto mode_count = reader.get_byte();
895 for(uint16_t i = 0; i < mode_count; ++i) {
896 const auto mode = static_cast<PSK_Key_Exchange_Mode>(reader.get_byte());
898 m_modes.push_back(mode);
899 }
900 }
901}
902
903std::vector<uint8_t> Certificate_Authorities::serialize(Connection_Side /*whoami*/) const {
904 std::vector<uint8_t> out;
905 std::vector<uint8_t> dn_list;
906
907 for(const auto& dn : m_distinguished_names) {
908 std::vector<uint8_t> encoded_dn;
909 auto encoder = DER_Encoder(encoded_dn);
910 dn.encode_into(encoder);
911 append_tls_length_value(dn_list, encoded_dn, 2);
912 }
913
914 append_tls_length_value(out, dn_list, 2);
915
916 return out;
917}
918
920 if(extension_size < 2) {
921 throw Decoding_Error("Empty certificate_authorities extension is illegal");
922 }
923
924 const uint16_t purported_size = reader.get_uint16_t();
925
926 if(reader.remaining_bytes() != purported_size) {
927 throw Decoding_Error("Inconsistent length in certificate_authorities extension");
928 }
929
930 while(reader.has_remaining()) {
931 std::vector<uint8_t> name_bits = reader.get_tls_length_value(2);
932
933 BER_Decoder decoder(name_bits.data(), name_bits.size());
934 m_distinguished_names.emplace_back();
935 decoder.decode(m_distinguished_names.back());
936 }
937}
938
939Certificate_Authorities::Certificate_Authorities(std::vector<X509_DN> acceptable_DNs) :
940 m_distinguished_names(std::move(acceptable_DNs)) {}
941
942std::vector<uint8_t> EarlyDataIndication::serialize(Connection_Side /*whoami*/) const {
943 std::vector<uint8_t> result;
944 if(m_max_early_data_size.has_value()) {
945 const auto max_data = m_max_early_data_size.value();
946 result.push_back(get_byte<0>(max_data));
947 result.push_back(get_byte<1>(max_data));
948 result.push_back(get_byte<2>(max_data));
949 result.push_back(get_byte<3>(max_data));
950 }
951 return result;
952}
953
955 uint16_t extension_size,
956 Handshake_Type message_type) {
957 if(message_type == Handshake_Type::NewSessionTicket) {
958 if(extension_size != 4) {
959 throw TLS_Exception(Alert::DecodeError,
960 "Received an early_data extension in a NewSessionTicket message "
961 "without maximum early data size indication");
962 }
963
964 m_max_early_data_size = reader.get_uint32_t();
965 } else if(extension_size != 0) {
966 throw TLS_Exception(Alert::DecodeError,
967 "Received an early_data extension containing an unexpected data "
968 "size indication");
969 }
970}
971
973 // This extension may be empty by definition but still carry information
974 return false;
975}
976
977#endif
978} // namespace Botan::TLS
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
#define BOTAN_ARG_CHECK(expr, msg)
Definition assert.h:33
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
BER_Decoder & decode(bool &out)
Definition ber_dec.h:188
Application_Layer_Protocol_Notification(std::string_view protocol)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Certificate_Authorities(TLS_Data_Reader &reader, uint16_t extension_size)
Certificate_Type selected_certificate_type() const
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
void validate_selection(const Certificate_Type_Base &from_server) const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Client_Certificate_Type(const Client_Certificate_Type &cct, const Policy &policy)
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
Cookie(const std::vector< uint8_t > &cookie)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
EarlyDataIndication(TLS_Data_Reader &reader, uint16_t extension_size, Handshake_Type message_type)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual Extension_Code type() const =0
std::vector< uint8_t > serialize(Connection_Side whoami) const
void deserialize(TLS_Data_Reader &reader, Connection_Side from, Handshake_Type message_type)
decltype(auto) take()
std::set< Extension_Code > extension_types() const
void add(std::unique_ptr< Extension > extn)
bool contains_other_than(const std::set< Extension_Code > &allowed_extensions, bool allow_unknown_extensions=false) const
PSK_Key_Exchange_Modes(std::vector< PSK_Key_Exchange_Mode > modes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
virtual bool allow_tls12() const
virtual bool allow_tls13() const
virtual bool allow_dtls12() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< uint8_t > serialize(Connection_Side whoami) const override
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Certificate_Type(const Server_Certificate_Type &sct, const Policy &policy)
Certificate_Type_Base(std::vector< Certificate_Type > supported_cert_types)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Server_Name_Indicator(std::string_view host_name)
Signature_Algorithms_Cert(std::vector< Signature_Scheme > schemes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Signature_Algorithms(std::vector< Signature_Scheme > schemes)
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Groups(const std::vector< Group_Params > &groups)
std::vector< Group_Params > ec_groups() const
const std::vector< Group_Params > & groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::vector< Group_Params > dh_groups() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Supported_Point_Formats(bool prefer_compressed)
bool supports(Protocol_Version version) const
Supported_Versions(Protocol_Version version, const Policy &policy)
const std::vector< Protocol_Version > & versions() const
std::vector< uint8_t > serialize(Connection_Side whoami) const override
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition tls_reader.h:123
void discard_next(size_t bytes)
Definition tls_reader.h:52
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition tls_reader.h:110
size_t remaining_bytes() const
Definition tls_reader.h:38
std::vector< uint8_t > get_tls_length_value(size_t len_bytes)
Definition tls_reader.h:105
std::vector< T > get_fixed(size_t size)
Definition tls_reader.h:129
std::vector< uint8_t > serialize(Connection_Side whoami) const override
Unknown_Extension(Extension_Code type, TLS_Data_Reader &reader, uint16_t extension_size)
Extension_Code type() const override
std::string certificate_type_to_string(Certificate_Type type)
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:184
@ MAX_PLAINTEXT_SIZE
Definition tls_magic.h:30
Certificate_Type certificate_type_from_string(const std::string &type_str)
Strong< std::vector< uint8_t >, struct Session_Ticket_ > Session_Ticket
holds a TLS 1.2 session ticket for stateless resumption
Definition tls_session.h:34
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
Definition mem_utils.h:28
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:52