9#ifndef BOTAN_TLS_MESSAGES_H_
10#define BOTAN_TLS_MESSAGES_H_
20#include <botan/pk_keys.h>
21#include <botan/strong_type.h>
22#include <botan/tls_ciphersuite.h>
23#include <botan/tls_extensions.h>
24#include <botan/tls_handshake_msg.h>
25#include <botan/tls_policy.h>
26#include <botan/tls_session.h>
27#include <botan/x509cert.h>
55 std::vector<uint8_t>
serialize()
const override;
59 const std::vector<uint8_t>&
cookie()
const {
return m_cookie; }
64 std::string_view client_identity,
68 std::vector<uint8_t> m_cookie;
71class Client_Hello_Internal;
99 const std::vector<uint8_t>&
random() const;
127 std::vector<uint8_t>
serialize() const override;
129 const std::vector<uint8_t>&
cookie() const;
139 explicit
Client_Hello(std::unique_ptr<Client_Hello_Internal> data);
144 std::unique_ptr<Client_Hello_Internal>
m_data;
152 m_new_session_version(version), m_hostname(
hostname) {}
156 const std::string&
hostname()
const {
return m_hostname; }
160 const std::string m_hostname;
171 const std::vector<uint8_t>& reneg_info,
172 const Settings& client_settings,
173 const std::vector<std::string>& next_protocols);
180 const std::vector<uint8_t>& reneg_info,
182 const std::vector<std::string>& next_protocols);
213 void add_tls12_supported_groups_extensions(
const Policy& policy);
216#if defined(BOTAN_HAS_TLS_13)
228 std::string_view hostname,
230 std::optional<Session_with_Handle>& session,
231 std::vector<ExternalPSK> psks);
233 static std::variant<Client_Hello_13, Client_Hello_12>
parse(
const std::vector<uint8_t>& buf);
269class Server_Hello_Internal;
283 std::vector<uint8_t>
serialize() const override;
295 explicit
Server_Hello(std::unique_ptr<Server_Hello_Internal> data);
299 const std::vector<uint8_t>&
random() const;
304 std::unique_ptr<Server_Hello_Internal>
m_data;
315 m_new_session_id(std::move(new_session_id)),
316 m_new_session_version(new_session_version),
331 uint16_t m_ciphersuite;
332 bool m_offer_session_ticket;
340 const std::vector<uint8_t>& secure_reneg_info,
342 const Settings& settings,
343 std::string_view next_protocol);
350 const std::vector<uint8_t>& secure_reneg_info,
352 const Session& resumed_session,
353 bool offer_session_ticket,
354 std::string_view next_protocol);
396#if defined(BOTAN_HAS_TLS_13)
402 static const struct Server_Hello_Tag {
405 static const struct Hello_Retry_Request_Tag {
408 static const struct Hello_Retry_Request_Creation_Tag {
416 explicit Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data, Hello_Retry_Request_Tag tag);
422 std::optional<Named_Group> key_exchange_group,
429 explicit Server_Hello_13(std::unique_ptr<Server_Hello_Internal> data, Hello_Retry_Request_Creation_Tag tag);
433 bool hello_retry_request_allowed,
440 static std::variant<Hello_Retry_Request, Server_Hello_13, Server_Hello_12>
parse(
const std::vector<uint8_t>& buf);
474 std::vector<uint8_t> serialize()
const override;
494 const std::optional<std::string>&
psk_identity()
const {
return m_psk_identity; }
501 std::string_view hostname,
512 std::vector<uint8_t> serialize()
const override {
return m_key_material; }
514 std::vector<uint8_t> m_key_material;
516 std::optional<std::string> m_psk_identity;
526 const std::vector<X509_Certificate>&
cert_chain()
const {
return m_certs; }
528 size_t count()
const {
return m_certs.size(); }
530 bool empty()
const {
return m_certs.empty(); }
536 std::vector<uint8_t> serialize()
const override;
539 std::vector<X509_Certificate> m_certs;
542#if defined(BOTAN_HAS_TLS_13)
544class Certificate_Request_13;
560 std::shared_ptr<const Public_Key>
public_key()
const;
569 std::optional<X509_Certificate> m_certificate;
570 std::shared_ptr<Public_Key> m_raw_public_key;
577 std::vector<X509_Certificate> cert_chain()
const;
579 bool has_certificate_chain()
const;
580 bool is_raw_public_key()
const;
582 size_t count()
const {
return m_entries.size(); }
584 bool empty()
const {
return m_entries.empty(); }
586 std::shared_ptr<const Public_Key> public_key()
const;
596 std::string_view hostname,
631 void validate_extensions(
const std::set<Extension_Code>& requested_extensions,
Callbacks& cb)
const;
641 std::string_view hostname,
642 bool use_ocsp)
const;
644 std::vector<uint8_t> serialize()
const override;
647 void setup_entries(std::vector<X509_Certificate> cert_chain,
650 void setup_entry(std::shared_ptr<Public_Key> raw_public_key,
Callbacks& callbacks);
652 void verify_certificate_chain(
Callbacks& callbacks,
655 std::string_view hostname,
660 std::vector<uint8_t> m_request_context;
661 std::vector<Certificate_Entry> m_entries;
676 const std::vector<uint8_t>&
response()
const {
return m_response; }
689 std::vector<uint8_t> serialize()
const override;
692 std::vector<uint8_t> m_response;
711 const std::vector<X509_DN>& allowed_cas);
715 std::vector<uint8_t>
serialize()
const override;
718 std::vector<X509_DN> m_names;
719 std::vector<std::string> m_cert_key_types;
720 std::vector<Signature_Scheme> m_schemes;
723#if defined(BOTAN_HAS_TLS_13)
744 std::vector<uint8_t> serialize()
const override;
746 const std::vector<uint8_t>&
context()
const {
return m_context; }
752 std::vector<uint8_t> m_context;
767 std::vector<uint8_t>
serialize()
const override;
796#if defined(BOTAN_HAS_TLS_13)
811 const std::vector<Signature_Scheme>& peer_allowed_schemes,
812 std::string_view hostname,
833 explicit Finished(
const std::vector<uint8_t>& buf);
837 std::vector<uint8_t> verify_data()
const;
839 std::vector<uint8_t> serialize()
const override;
854#if defined(BOTAN_HAS_TLS_13)
875 std::vector<uint8_t> serialize()
const override;
885 const std::vector<uint8_t>&
params()
const {
return m_params; }
896 const std::optional<Group_Params>&
shared_group()
const {
return m_shared_group; }
911 std::vector<uint8_t> serialize()
const override;
913 std::unique_ptr<PK_Key_Agreement_Key> m_kex_key;
914 std::optional<Group_Params> m_shared_group;
916 std::vector<uint8_t> m_params;
918 std::vector<uint8_t> m_signature;
933 std::vector<uint8_t> serialize()
const override;
950 std::chrono::seconds lifetime);
956 std::vector<uint8_t> serialize()
const override;
959 std::chrono::seconds m_ticket_lifetime_hint;
963#if defined(BOTAN_HAS_TLS_13)
979 std::vector<uint8_t> serialize()
const override;
989 std::chrono::seconds
lifetime_hint()
const {
return m_ticket_lifetime_hint; }
995 std::optional<uint32_t> early_data_byte_limit()
const;
1005 std::chrono::seconds m_ticket_lifetime_hint;
1006 uint32_t m_ticket_age_add;
1021 std::vector<uint8_t>
serialize()
const override {
return std::vector<uint8_t>(1, 1); }
1024#if defined(BOTAN_HAS_TLS_13)
1030 explicit Key_Update(
bool request_peer_update);
1031 explicit Key_Update(
const std::vector<uint8_t>& buf);
1033 std::vector<uint8_t> serialize()
const override;
1038 bool m_update_requested;
1042template <
typename T>
1043struct as_wrapped_references {};
1045template <
typename... AlternativeTs>
1046struct as_wrapped_references<std::variant<AlternativeTs...>> {
1047 using type = std::variant<std::reference_wrapper<AlternativeTs>...>;
1050template <
typename T>
1051using as_wrapped_references_t =
typename as_wrapped_references<T>::type;
#define BOTAN_UNSTABLE_API
Handshake_Type type() const override
const std::vector< X509_Certificate > & cert_chain() const
Certificate_12(Handshake_IO &io, Handshake_Hash &hash, const std::vector< X509_Certificate > &certs)
const Extensions & extensions() const
Extensions & extensions()
Certificate_Entry(TLS_Data_Reader &reader, const Connection_Side side, const Certificate_Type cert_type)
bool has_certificate() const
std::shared_ptr< const Public_Key > public_key() const
Handshake_Type type() const override
const std::vector< uint8_t > & request_context() const
std::vector< uint8_t > serialize() const override
Certificate_13(const Certificate_Request_13 &cert_request, std::string_view hostname, Credentials_Manager &credentials_manager, Callbacks &callbacks, Certificate_Type cert_type)
const std::vector< std::string > & acceptable_cert_types() const
const std::vector< Signature_Scheme > & signature_schemes() const
std::vector< uint8_t > serialize() const override
const std::vector< X509_DN > & acceptable_CAs() const
Certificate_Request_12(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, const std::vector< X509_DN > &allowed_cas)
Handshake_Type type() const override
const std::vector< Signature_Scheme > & signature_schemes() const
const Extensions & extensions() const
const std::vector< uint8_t > & context() const
Handshake_Type type() const override
const std::vector< Signature_Scheme > & certificate_signature_schemes() const
static std::optional< Certificate_Request_13 > maybe_create(const Client_Hello_13 &sni_hostname, Credentials_Manager &cred_mgr, Callbacks &callbacks, const Policy &policy)
std::vector< X509_DN > acceptable_CAs() const
Certificate_Request_13(const std::vector< uint8_t > &buf, Connection_Side side)
const std::vector< uint8_t > & response() const
Handshake_Type type() const override
Certificate_Status(const std::vector< uint8_t > &buf, Connection_Side from)
Certificate_Verify(const std::vector< uint8_t > &buf)
bool verify(const X509_Certificate &cert, const Handshake_State &state, const Policy &policy) const
Certificate_Verify_12(Handshake_IO &io, Handshake_State &state, const Policy &policy, RandomNumberGenerator &rng, const Private_Key *key)
bool verify(const Public_Key &public_key, Callbacks &callbacks, const Transcript_Hash &transcript_hash) const
Certificate_Verify_13(const std::vector< uint8_t > &buf, Connection_Side side)
Handshake_Type type() const override
Signature_Scheme m_scheme
Certificate_Verify(const std::vector< uint8_t > &buf)
Certificate_Verify()=default
std::vector< uint8_t > serialize() const override
Signature_Scheme signature_scheme() const
std::vector< uint8_t > m_signature
std::vector< uint8_t > serialize() const override
Handshake_Type type() const override
const std::string & hostname() const
Settings(const Protocol_Version version, std::string_view hostname="")
Protocol_Version protocol_version() const
Client_Hello_12(const std::vector< uint8_t > &buf)
void update_hello_cookie(const Hello_Verify_Request &hello_verify)
std::vector< uint8_t > renegotiation_info() const
bool supports_encrypt_then_mac() const
Session_Ticket session_ticket() const
bool supports_cert_status_message() const
friend class Client_Hello_13
bool secure_renegotiation() const
bool supports_extended_master_secret() const
std::optional< Session_Handle > session_handle() const
bool supports_session_ticket() const
bool prefers_compressed_ec_points() const
void validate_updates(const Client_Hello_13 &new_ch)
static std::variant< Client_Hello_13, Client_Hello_12 > parse(const std::vector< uint8_t > &buf)
std::optional< Protocol_Version > highest_supported_version(const Policy &policy) const
Client_Hello_13(const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, std::string_view hostname, const std::vector< std::string > &next_protocols, std::optional< Session_with_Handle > &session, std::vector< ExternalPSK > psks)
void retry(const Hello_Retry_Request &hrr, const Transcript_Hash_State &transcript_hash_state, Callbacks &cb, RandomNumberGenerator &rng)
const std::vector< uint8_t > & cookie() const
std::string sni_hostname() const
std::vector< uint8_t > serialize() const override
const std::vector< uint8_t > & random() const
std::vector< Signature_Scheme > signature_schemes() const
const Extensions & extensions() const
Client_Hello(Client_Hello &&) noexcept
bool offered_suite(uint16_t ciphersuite) const
std::unique_ptr< Client_Hello_Internal > m_data
bool sent_signature_algorithms() const
std::vector< Group_Params > supported_ecc_curves() const
bool supports_alpn() const
std::vector< Signature_Scheme > certificate_signature_schemes() const
const std::vector< uint16_t > & ciphersuites() const
std::vector< uint8_t > cookie_input_data() const
std::set< Extension_Code > extension_types() const
std::vector< Group_Params > supported_dh_groups() const
std::vector< std::string > next_protocols() const
const Session_ID & session_id() const
Protocol_Version legacy_version() const
const std::vector< uint8_t > & compression_methods() const
Client_Hello & operator=(const Client_Hello &)=delete
std::vector< uint16_t > srtp_profiles() const
Handshake_Type type() const override
std::vector< Protocol_Version > supported_versions() const
Client_Hello(const Client_Hello &)=delete
Handshake_Type type() const override
const std::optional< std::string > & psk_identity() const
const secure_vector< uint8_t > & pre_master_secret() const
Client_Key_Exchange(Handshake_IO &io, Handshake_State &state, const Policy &policy, Credentials_Manager &creds, const Public_Key *server_public_key, std::string_view hostname, RandomNumberGenerator &rng)
const Extensions & extensions() const
Handshake_Type type() const override
Encrypted_Extensions(const std::vector< uint8_t > &buf)
Finished(const std::vector< uint8_t > &buf)
bool verify(const Handshake_State &state, Connection_Side side) const
Finished_12(Handshake_IO &io, Handshake_State &state, Connection_Side side)
Finished(const std::vector< uint8_t > &buf)
bool verify(Cipher_State *cipher_state, const Transcript_Hash &transcript_hash) const
Finished_13(Cipher_State *cipher_state, const Transcript_Hash &transcript_hash)
Handshake_Message()=default
Finished(const std::vector< uint8_t > &buf)
std::vector< uint8_t > m_verification_data
Handshake_Type type() const override
Handshake_Message()=default
Handshake_Type type() const override
Hello_Request(Handshake_IO &io)
friend class Server_Hello_13
Hello_Retry_Request(std::unique_ptr< Server_Hello_Internal > data)
Handshake_Type wire_type() const override
Handshake_Type type() const override
Handshake_Type type() const override
Hello_Verify_Request(const std::vector< uint8_t > &buf)
const std::vector< uint8_t > & cookie() const
std::vector< uint8_t > serialize() const override
bool expects_reciprocation() const
Key_Update(bool request_peer_update)
Handshake_Type type() const override
std::chrono::seconds ticket_lifetime_hint() const
Handshake_Type type() const override
const Session_Ticket & ticket() const
New_Session_Ticket_12(Handshake_IO &io, Handshake_Hash &hash, Session_Ticket ticket, std::chrono::seconds lifetime)
Handshake_Type type() const override
std::chrono::seconds lifetime_hint() const
uint32_t ticket_age_add() const
const Ticket_Nonce & nonce() const
New_Session_Ticket_13(Ticket_Nonce nonce, const Session &session, const Session_Handle &handle, Callbacks &callbacks)
const Opaque_Session_Handle & handle() const
const Extensions & extensions() const
uint16_t ciphersuite() const
Protocol_Version protocol_version() const
Settings(Session_ID new_session_id, Protocol_Version new_session_version, uint16_t ciphersuite, bool offer_session_ticket)
const Session_ID & session_id() const
bool offer_session_ticket() const
std::optional< Protocol_Version > random_signals_downgrade() const
bool supports_session_ticket() const
friend class Server_Hello_13
bool supports_extended_master_secret() const
bool prefers_compressed_ec_points() const
Protocol_Version selected_version() const override
uint16_t srtp_profile() const
bool supports_encrypt_then_mac() const
bool supports_certificate_status_message() const
std::string next_protocol() const
std::vector< uint8_t > renegotiation_info() const
bool secure_renegotiation() const
Server_Hello_12(Handshake_IO &io, Handshake_Hash &hash, const Policy &policy, Callbacks &cb, RandomNumberGenerator &rng, const std::vector< uint8_t > &secure_reneg_info, const Client_Hello_12 &client_hello, const Settings &settings, std::string_view next_protocol)
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Tag as_hello_retry_request
static const struct Botan::TLS::Server_Hello_13::Hello_Retry_Request_Creation_Tag as_new_hello_retry_request
Server_Hello_13(std::unique_ptr< Server_Hello_Internal > data, Server_Hello_Tag tag=as_server_hello)
std::optional< Protocol_Version > random_signals_downgrade() const
void basic_validation() const
static std::variant< Hello_Retry_Request, Server_Hello_13 > create(const Client_Hello_13 &ch, bool hello_retry_request_allowed, Session_Manager &session_mgr, Credentials_Manager &credentials_mgr, RandomNumberGenerator &rng, const Policy &policy, Callbacks &cb)
Protocol_Version selected_version() const final
static std::variant< Hello_Retry_Request, Server_Hello_13, Server_Hello_12 > parse(const std::vector< uint8_t > &buf)
static const struct Botan::TLS::Server_Hello_13::Server_Hello_Tag as_server_hello
Handshake_Type type() const override
Server_Hello_Done(Handshake_IO &io, Handshake_Hash &hash)
Server_Hello(const Server_Hello &)=delete
uint16_t ciphersuite() const
std::vector< uint8_t > serialize() const override
std::set< Extension_Code > extension_types() const
Handshake_Type type() const override
const Session_ID & session_id() const
const std::vector< uint8_t > & random() const
uint8_t compression_method() const
Server_Hello(Server_Hello &&) noexcept
std::unique_ptr< Server_Hello_Internal > m_data
const Extensions & extensions() const
Server_Hello & operator=(const Server_Hello &)=delete
virtual Protocol_Version selected_version() const =0
Protocol_Version legacy_version() const
Handshake_Type type() const override
const std::vector< uint8_t > & params() const
const std::optional< Group_Params > & shared_group() const
Server_Key_Exchange(Handshake_IO &io, Handshake_State &state, const Policy &policy, Credentials_Manager &creds, RandomNumberGenerator &rng, const Private_Key *signing_key=nullptr)
Helper class to embody a session handle in all protocol versions.
as_wrapped_references_t< Server_Handshake_13_Message > Server_Handshake_13_Message_Ref
as_wrapped_references_t< Client_Handshake_13_Message > Client_Handshake_13_Message_Ref
std::vector< uint8_t > Transcript_Hash
as_wrapped_references_t< Handshake_Message_13 > Handshake_Message_13_Ref
std::variant< Key_Update > Client_Post_Handshake_13_Message
std::variant< Client_Hello_13, Client_Hello_12, Certificate_13, Certificate_Verify_13, Finished_13 > Client_Handshake_13_Message
std::variant< Server_Hello_13, Server_Hello_12, Hello_Retry_Request, Encrypted_Extensions, Certificate_13, Certificate_Request_13, Certificate_Verify_13, Finished_13 > Server_Handshake_13_Message
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Strong< std::vector< uint8_t >, struct Ticket_Nonce_ > Ticket_Nonce
Used to derive the ticket's PSK from the resumption_master_secret.
std::variant< New_Session_Ticket_13, Key_Update > Post_Handshake_Message_13
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
std::variant< New_Session_Ticket_13, Key_Update > Server_Post_Handshake_13_Message
std::variant< Client_Hello_13, Client_Hello_12, Server_Hello_13, Server_Hello_12, Hello_Retry_Request, Encrypted_Extensions, Certificate_13, Certificate_Request_13, Certificate_Verify_13, Finished_13 > Handshake_Message_13
Strong< std::vector< uint8_t >, struct Session_Ticket_ > Session_Ticket
holds a TLS 1.2 session ticket for stateless resumption
Strong< std::vector< uint8_t >, struct Opaque_Session_Handle_ > Opaque_Session_Handle
holds an opaque session handle as used in TLS 1.3 that could be either a ticket for stateless resumpt...
std::vector< T, secure_allocator< T > > secure_vector