10#include <botan/internal/tls_record.h>
13#include <botan/tls_callbacks.h>
14#include <botan/tls_ciphersuite.h>
15#include <botan/tls_exceptn.h>
16#include <botan/internal/ct_utils.h>
17#include <botan/internal/fmt.h>
18#include <botan/internal/loadstor.h>
19#include <botan/internal/tls_seq_numbers.h>
20#include <botan/internal/tls_session_key.h>
23#if defined(BOTAN_HAS_TLS_CBC)
24 #include <botan/internal/tls_cbc.h>
27#if defined(BOTAN_HAS_TLS_NULL)
28 #include <botan/internal/tls_null.h>
38 bool uses_encrypt_then_mac) {
45 m_nonce = keys.
nonce(side);
51#if defined(BOTAN_HAS_TLS_CBC)
57 m_aead = std::make_unique<TLS_CBC_HMAC_AEAD_Encryption>(std::move(cipher),
62 uses_encrypt_then_mac);
64 m_aead = std::make_unique<TLS_CBC_HMAC_AEAD_Decryption>(std::move(cipher),
69 uses_encrypt_then_mac);
74 throw Internal_Error(
"Negotiated disabled TLS CBC+HMAC ciphersuite");
77#if defined(BOTAN_HAS_TLS_NULL)
81 m_aead = std::make_unique<TLS_NULL_HMAC_AEAD_Encryption>(std::move(mac), suite.
mac_keylen());
83 m_aead = std::make_unique<TLS_NULL_HMAC_AEAD_Decryption>(std::move(mac), suite.
mac_keylen());
93 m_aead->set_key(aead_key);
97 switch(m_nonce_format) {
99 return std::vector<uint8_t>{};
102 if(!m_nonce.empty()) {
103 std::vector<uint8_t> nonce;
108 rng.
randomize(nonce.data(), nonce.size());
112 std::vector<uint8_t> nonce(12);
114 xor_buf(nonce, m_nonce.data(), m_nonce.size());
119 std::vector<uint8_t> nonce(12);
120 copy_mem(&nonce[0], m_nonce.data(), 4);
130 switch(m_nonce_format) {
132 return std::vector<uint8_t>{};
136 std::vector<uint8_t> nonce;
147 std::vector<uint8_t> nonce(12);
149 xor_buf(nonce, m_nonce.data(), m_nonce.size());
155 throw Decoding_Error(
"Invalid AEAD packet too short to be valid");
157 std::vector<uint8_t> nonce(12);
158 copy_mem(&nonce[0], m_nonce.data(), 4);
170 uint16_t msg_length) {
171 std::vector<uint8_t> ad(13);
174 ad[8] =
static_cast<uint8_t
>(msg_type);
186 const uint16_t len16 =
static_cast<uint16_t
>(len_field);
194 Protocol_Version version,
195 uint64_t record_sequence) {
198 output.push_back(
static_cast<uint8_t
>(record_type));
199 output.push_back(version.major_version());
200 output.push_back(version.minor_version());
202 if(version.is_datagram_protocol()) {
203 for(
size_t i = 0; i != 8; ++i) {
214 uint64_t record_sequence,
215 const uint8_t* message,
216 size_t message_len) {
218 throw Internal_Error(
"Writing an unencrypted TLS application data record");
220 write_record_header(output, record_type, version, record_sequence);
221 append_u16_len(output, message_len);
222 output.insert(output.end(), message, message + message_len);
228 uint64_t record_sequence,
229 const uint8_t* message,
233 write_record_header(output, record_type, version, record_sequence);
236 std::vector<uint8_t> aad = cs.
format_ad(record_sequence, record_type, version,
static_cast<uint16_t
>(message_len));
244 const std::vector<uint8_t> nonce = cs.
aead_nonce(record_sequence, rng);
246 append_u16_len(output, rec_size);
256 const size_t header_size = output.size();
257 output += std::make_pair(message, message_len);
260 aead.
finish(output, header_size);
267size_t fill_buffer_to(
268 secure_vector<uint8_t>& readbuf,
const uint8_t*& input,
size_t& input_size,
size_t& input_consumed,
size_t desired) {
269 if(readbuf.size() >= desired) {
273 const size_t taken = std::min(input_size, desired - readbuf.size());
275 readbuf.insert(readbuf.end(), input, input + taken);
276 input_consumed += taken;
280 return (desired - readbuf.size());
284 uint8_t record_contents[],
286 uint64_t record_sequence,
290 AEAD_Mode& aead = cs.aead();
292 const std::vector<uint8_t> nonce = cs.aead_nonce(record_contents, record_len, record_sequence);
293 const uint8_t* msg = &record_contents[cs.nonce_bytes_from_record()];
294 const size_t msg_length = record_len - cs.nonce_bytes_from_record();
303 if(msg_length < aead.minimum_final_size()) {
304 throw TLS_Exception(Alert::BadRecordMac,
"AEAD packet is shorter than the tag");
307 const size_t ptext_size = aead.output_length(msg_length);
309 aead.set_associated_data(
310 cs.format_ad(record_sequence, record_type, record_version,
static_cast<uint16_t
>(ptext_size)));
314 output.assign(msg, msg + msg_length);
315 aead.finish(output, 0);
319 const uint8_t input[],
327 if(
size_t needed = fill_buffer_to(readbuf, input, input_len, consumed,
TLS_HEADER_SIZE)) {
346 const bool bad_record_type = readbuf[0] < 20 || readbuf[0] > 23;
347 const bool bad_record_version = readbuf[1] != 3 || readbuf[2] >= 4;
349 if(bad_record_type || bad_record_version) {
351 const std::string first5 = std::string(
reinterpret_cast<const char*
>(readbuf.data()), 5);
353 if(first5 ==
"GET /" || first5 ==
"PUT /" || first5 ==
"POST " || first5 ==
"HEAD ") {
354 throw TLS_Exception(Alert::ProtocolVersion,
"Client sent plaintext HTTP request instead of TLS handshake");
357 if(first5 ==
"CONNE") {
359 "Client sent plaintext HTTP proxy CONNECT request instead of TLS handshake");
362 if(bad_record_type) {
366 throw TLS_Exception(Alert::UnexpectedMessage,
"TLS record type had unexpected value");
368 throw TLS_Exception(Alert::ProtocolVersion,
"TLS record version had unexpected value");
373 if(version.is_datagram_protocol()) {
374 throw TLS_Exception(Alert::ProtocolVersion,
"Expected TLS but got a record with DTLS version");
380 throw TLS_Exception(Alert::RecordOverflow,
"Received a record that exceeds maximum size");
383 if(record_size == 0) {
384 throw TLS_Exception(Alert::DecodeError,
"Received a completely empty record");
387 if(
size_t needed = fill_buffer_to(readbuf, input, input_len, consumed,
TLS_HEADER_SIZE + record_size)) {
397 uint64_t sequence = 0;
398 if(sequence_numbers !=
nullptr) {
399 sequence = sequence_numbers->next_read_sequence();
400 epoch = sequence_numbers->current_read_epoch();
414 auto cs = get_cipherstate(epoch);
418 decrypt_record(recbuf, &readbuf[
TLS_HEADER_SIZE], record_size, sequence, version, type, *cs);
420 if(sequence_numbers !=
nullptr) {
421 sequence_numbers->read_accept(sequence);
429 const uint8_t input[],
435 bool allow_epoch0_restart) {
438 if(fill_buffer_to(readbuf, input, input_len, consumed,
DTLS_HEADER_SIZE) != 0) {
448 if(version.is_datagram_protocol() ==
false) {
461 if(fill_buffer_to(readbuf, input, input_len, consumed,
DTLS_HEADER_SIZE + record_size) != 0) {
472 const uint16_t epoch = (sequence >> 48);
474 const bool already_seen = sequence_numbers !=
nullptr && sequence_numbers->already_seen(sequence);
476 if(already_seen && !(epoch == 0 && allow_epoch0_restart)) {
485 if(sequence_numbers !=
nullptr) {
486 sequence_numbers->read_accept(sequence);
493 auto cs = get_cipherstate(epoch);
497 decrypt_record(recbuf, &readbuf[
DTLS_HEADER_SIZE], record_size, sequence, version, type, *cs);
498 }
catch(std::exception&) {
503 if(sequence_numbers !=
nullptr) {
504 sequence_numbers->read_accept(sequence);
515 const uint8_t input[],
521 bool allow_epoch0_restart) {
523 return read_dtls_record(
524 readbuf, input, input_len, consumed, recbuf, sequence_numbers, get_cipherstate, allow_epoch0_restart);
526 return read_tls_record(readbuf, input, input_len, consumed, recbuf, sequence_numbers, get_cipherstate);
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_ASSERT_EQUAL(expr1, expr2, assertion_made)
#define BOTAN_ASSERT(expr, assertion_made)
void set_associated_data(std::span< const uint8_t > ad)
static std::unique_ptr< AEAD_Mode > create_or_throw(std::string_view algo, Cipher_Dir direction, std::string_view provider="")
static std::unique_ptr< BlockCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
void start(std::span< const uint8_t > nonce)
void finish(secure_vector< uint8_t > &final_block, size_t offset=0)
virtual size_t output_length(size_t input_length) const =0
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
void randomize(std::span< uint8_t > output)
size_t nonce_bytes_from_record(Protocol_Version version) const
Nonce_Format nonce_format() const
size_t mac_keylen() const
size_t cipher_keylen() const
size_t nonce_bytes_from_handshake() const
std::string mac_algo() const
std::string cipher_algo() const
size_t nonce_bytes_from_record() const
Nonce_Format nonce_format() const
size_t nonce_bytes_from_handshake() const
Connection_Cipher_State(Protocol_Version version, Connection_Side which_side, bool is_our_side, const Ciphersuite &suite, const Session_Keys &keys, bool uses_encrypt_then_mac)
std::vector< uint8_t > aead_nonce(uint64_t seq, RandomNumberGenerator &rng)
std::vector< uint8_t > format_ad(uint64_t seq, Record_Type type, Protocol_Version version, uint16_t ptext_length)
uint8_t major_version() const
uint8_t minor_version() const
const std::vector< uint8_t > & nonce(Connection_Side side) const
const secure_vector< uint8_t > & aead_key(Connection_Side side) const
Record_Header read_record(bool is_datagram, secure_vector< uint8_t > &readbuf, const uint8_t input[], size_t input_len, size_t &consumed, secure_vector< uint8_t > &recbuf, Connection_Sequence_Numbers *sequence_numbers, const get_cipherstate_fn &get_cipherstate, bool allow_epoch0_restart)
void write_unencrypted_record(secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len)
std::function< std::shared_ptr< Connection_Cipher_State >(uint16_t)> get_cipherstate_fn
void write_record(secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len, Connection_Cipher_State &cs, RandomNumberGenerator &rng)
constexpr uint8_t get_byte(T input)
constexpr void copy_mem(T *out, const T *in, size_t n)
std::string fmt(std::string_view format, const T &... args)
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
std::vector< T, secure_allocator< T > > secure_vector
constexpr uint8_t get_byte_var(size_t byte_num, T input)
constexpr auto store_be(ParamTs &&... params)
constexpr auto load_be(ParamTs &&... params)
constexpr uint16_t make_uint16(uint8_t i0, uint8_t i1)