/src/botan/src/lib/tls/msg_client_hello.cpp

Source (jump to first uncovered line)
/*
* TLS Hello Request and Client Hello Messages
* (C) 2004-2011,2015,2016 Jack Lloyd
*     2016 Matthias Gierlings
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/tls_messages.h>
#include <botan/tls_alert.h>
#include <botan/tls_exceptn.h>
#include <botan/tls_callbacks.h>
#include <botan/rng.h>
#include <botan/hash.h>

#include <botan/internal/tls_reader.h>
#include <botan/internal/tls_session_key.h>
#include <botan/internal/tls_handshake_io.h>
#include <botan/internal/tls_handshake_hash.h>
#include <botan/internal/stl_util.h>
#include <chrono>

namespace Botan {

namespace TLS {

enum {
   TLS_EMPTY_RENEGOTIATION_INFO_SCSV        = 0x00FF,
   TLS_FALLBACK_SCSV                        = 0x5600
};

std::vector<uint8_t> make_hello_random(RandomNumberGenerator& rng,
                                       const Policy& policy)
   {
   std::vector<uint8_t> buf(32);
   rng.randomize(buf.data(), buf.size());

   std::unique_ptr<HashFunction> sha256 = HashFunction::create_or_throw("SHA-256");
   sha256->update(buf);
   sha256->final(buf);

   if(policy.include_time_in_hello_random())
      {
      const uint32_t time32 = static_cast<uint32_t>(
         std::chrono::system_clock::to_time_t(std::chrono::system_clock::now()));

      store_be(time32, buf.data());
      }

   return buf;
   }

/*
* Create a new Hello Request message
*/
Hello_Request::Hello_Request(Handshake_IO& io)
   {
   io.send(*this);
   }

/*
* Deserialize a Hello Request message
*/
Hello_Request::Hello_Request(const std::vector<uint8_t>& buf)
   {
   if(buf.size())
      throw Decoding_Error("Bad Hello_Request, has non-zero size");
   }

/*
* Serialize a Hello Request message
*/
std::vector<uint8_t> Hello_Request::serialize() const
   {
   return std::vector<uint8_t>();
   }

/*
* Create a new Client Hello message
*/
Client_Hello::Client_Hello(Handshake_IO& io,
                           Handshake_Hash& hash,
                           const Policy& policy,
                           Callbacks& cb,
                           RandomNumberGenerator& rng,
                           const std::vector<uint8_t>& reneg_info,
                           const Client_Hello::Settings& client_settings,
                           const std::vector<std::string>& next_protocols) :
   m_version(client_settings.protocol_version()),
   m_random(make_hello_random(rng, policy)),
   m_suites(policy.ciphersuite_list(m_version, !client_settings.srp_identifier().empty())),
   m_comp_methods(1)
   {
   if(!policy.acceptable_protocol_version(m_version))
      throw Internal_Error("Offering " + m_version.to_string() +
                           " but our own policy does not accept it");

   /*
   * Place all empty extensions in front to avoid a bug in some systems
   * which reject hellos when the last extension in the list is empty.
   */
   m_extensions.add(new Extended_Master_Secret);
   m_extensions.add(new Session_Ticket());

   if(policy.negotiate_encrypt_then_mac())
      m_extensions.add(new Encrypt_then_MAC);

   m_extensions.add(new Renegotiation_Extension(reneg_info));

   m_extensions.add(new Supported_Versions(m_version, policy));

   if(client_settings.hostname() != "")
      m_extensions.add(new Server_Name_Indicator(client_settings.hostname()));

   if(policy.support_cert_status_message())
      m_extensions.add(new Certificate_Status_Request({}, {}));

   if(reneg_info.empty() && !next_protocols.empty())
      m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));

   if(m_version.supports_negotiable_signature_algorithms())
      m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));

   if(m_version.is_datagram_protocol())
      m_extensions.add(new SRTP_Protection_Profiles(policy.srtp_profiles()));

#if defined(BOTAN_HAS_SRP6)
   m_extensions.add(new SRP_Identifier(client_settings.srp_identifier()));
#else
   if(!client_settings.srp_identifier().empty())
      {
      throw Invalid_State("Attempting to initiate SRP session but TLS-SRP support disabled");
      }
#endif

   std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));

   if(supported_groups->ec_groups().size() > 0)
      {
      m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
      }

   m_extensions.add(supported_groups.release());

   cb.tls_modify_extensions(m_extensions, CLIENT);

   if(policy.send_fallback_scsv(client_settings.protocol_version()))
      m_suites.push_back(TLS_FALLBACK_SCSV);

   hash.update(io.send(*this));
   }

/*
* Create a new Client Hello message (session resumption case)
*/
Client_Hello::Client_Hello(Handshake_IO& io,
                           Handshake_Hash& hash,
                           const Policy& policy,
                           Callbacks& cb,
                           RandomNumberGenerator& rng,
                           const std::vector<uint8_t>& reneg_info,
                           const Session& session,
                           const std::vector<std::string>& next_protocols) :
   m_version(session.version()),
   m_session_id(session.session_id()),
   m_random(make_hello_random(rng, policy)),
   m_suites(policy.ciphersuite_list(m_version, (session.srp_identifier() != ""))),
   m_comp_methods(1)
   {
   if(!policy.acceptable_protocol_version(m_version))
      throw Internal_Error("Offering " + m_version.to_string() +
                           " but our own policy does not accept it");

   if(!value_exists(m_suites, session.ciphersuite_code()))
      m_suites.push_back(session.ciphersuite_code());

   /*
   We always add the EMS extension, even if not used in the original session.
   If the server understands it and follows the RFC it should reject our resume
   attempt and upgrade us to a new session with the EMS protection.
   */
   m_extensions.add(new Extended_Master_Secret);

   m_extensions.add(new Renegotiation_Extension(reneg_info));
   m_extensions.add(new Server_Name_Indicator(session.server_info().hostname()));
   m_extensions.add(new Session_Ticket(session.session_ticket()));

   if(policy.support_cert_status_message())
      m_extensions.add(new Certificate_Status_Request({}, {}));

   std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));

   if(supported_groups->ec_groups().size() > 0)
      {
      m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
      }

   m_extensions.add(supported_groups.release());

   if(session.supports_encrypt_then_mac())
      m_extensions.add(new Encrypt_then_MAC);

#if defined(BOTAN_HAS_SRP6)
   m_extensions.add(new SRP_Identifier(session.srp_identifier()));
#else
   if(!session.srp_identifier().empty())
      {
      throw Invalid_State("Attempting to resume SRP session but TLS-SRP support disabled");
      }
#endif

   if(m_version.supports_negotiable_signature_algorithms())
      m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));

   if(reneg_info.empty() && !next_protocols.empty())
      m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));

   cb.tls_modify_extensions(m_extensions, CLIENT);

   hash.update(io.send(*this));
   }

void Client_Hello::update_hello_cookie(const Hello_Verify_Request& hello_verify)
   {
   if(!m_version.is_datagram_protocol())
      throw Invalid_State("Cannot use hello cookie with stream protocol");

   m_hello_cookie = hello_verify.cookie();
   }

/*
* Serialize a Client Hello message
*/
std::vector<uint8_t> Client_Hello::serialize() const
   {
   std::vector<uint8_t> buf;

   buf.push_back(m_version.major_version());
   buf.push_back(m_version.minor_version());
   buf += m_random;

   append_tls_length_value(buf, m_session_id, 1);

   if(m_version.is_datagram_protocol())
      append_tls_length_value(buf, m_hello_cookie, 1);

   append_tls_length_value(buf, m_suites, 2);
   append_tls_length_value(buf, m_comp_methods, 1);

   /*
   * May not want to send extensions at all in some cases. If so,
   * should include SCSV value (if reneg info is empty, if not we are
   * renegotiating with a modern server)
   */

   buf += m_extensions.serialize(Connection_Side::CLIENT);

   return buf;
   }

std::vector<uint8_t> Client_Hello::cookie_input_data() const
   {
   std::vector<uint8_t> buf;

   buf.push_back(m_version.major_version());
   buf.push_back(m_version.minor_version());
   buf += m_random;

   append_tls_length_value(buf, m_session_id, 1);

   append_tls_length_value(buf, m_suites, 2);
   append_tls_length_value(buf, m_comp_methods, 1);

   // Here we don't serialize the extensions since the client extensions
   // may contain values we don't know how to serialize back.

   return buf;
   }

/*
* Read a counterparty client hello
*/
Client_Hello::Client_Hello(const std::vector<uint8_t>& buf)
   {
   if(buf.size() < 41)
      throw Decoding_Error("Client_Hello: Packet corrupted");

   TLS_Data_Reader reader("ClientHello", buf);

   const uint8_t major_version = reader.get_byte();
   const uint8_t minor_version = reader.get_byte();

   m_version = Protocol_Version(major_version, minor_version);

   m_random = reader.get_fixed<uint8_t>(32);

   m_session_id = reader.get_range<uint8_t>(1, 0, 32);

   if(m_version.is_datagram_protocol())
      m_hello_cookie = reader.get_range<uint8_t>(1, 0, 255);

   m_suites = reader.get_range_vector<uint16_t>(2, 1, 32767);

   m_comp_methods = reader.get_range_vector<uint8_t>(1, 1, 255);

   m_extensions.deserialize(reader, Connection_Side::CLIENT);

   if(offered_suite(static_cast<uint16_t>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)))
      {
      if(Renegotiation_Extension* reneg = m_extensions.get<Renegotiation_Extension>())
         {
         if(!reneg->renegotiation_info().empty())
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
                                "Client sent renegotiation SCSV and non-empty extension");
         }
      else
         {
         // add fake extension
         m_extensions.add(new Renegotiation_Extension());
         }
      }
   }

bool Client_Hello::sent_fallback_scsv() const
   {
   return offered_suite(static_cast<uint16_t>(TLS_FALLBACK_SCSV));
   }

/*
* Check if we offered this ciphersuite
*/
bool Client_Hello::offered_suite(uint16_t ciphersuite) const
   {
   for(size_t i = 0; i != m_suites.size(); ++i)
      if(m_suites[i] == ciphersuite)
         return true;
   return false;
   }

std::vector<Signature_Scheme> Client_Hello::signature_schemes() const
   {
   std::vector<Signature_Scheme> schemes;

   if(Signature_Algorithms* sigs = m_extensions.get<Signature_Algorithms>())
      {
      schemes = sigs->supported_schemes();
      }

   return schemes;
   }

std::vector<Group_Params> Client_Hello::supported_ecc_curves() const
   {
   if(Supported_Groups* groups = m_extensions.get<Supported_Groups>())
      return groups->ec_groups();
   return std::vector<Group_Params>();
   }

std::vector<Group_Params> Client_Hello::supported_dh_groups() const
   {
   if(Supported_Groups* groups = m_extensions.get<Supported_Groups>())
      return groups->dh_groups();
   return std::vector<Group_Params>();
   }

bool Client_Hello::prefers_compressed_ec_points() const
   {
   if(Supported_Point_Formats* ecc_formats = m_extensions.get<Supported_Point_Formats>())
      {
      return ecc_formats->prefers_compressed();
      }
   return false;
   }

std::string Client_Hello::sni_hostname() const
   {
   if(Server_Name_Indicator* sni = m_extensions.get<Server_Name_Indicator>())
      return sni->host_name();
   return "";
   }

#if defined(BOTAN_HAS_SRP6)
std::string Client_Hello::srp_identifier() const
   {
   if(SRP_Identifier* srp = m_extensions.get<SRP_Identifier>())
      return srp->identifier();
   return "";
   }
#endif

bool Client_Hello::secure_renegotiation() const
   {
   return m_extensions.has<Renegotiation_Extension>();
   }

std::vector<uint8_t> Client_Hello::renegotiation_info() const
   {
   if(Renegotiation_Extension* reneg = m_extensions.get<Renegotiation_Extension>())
      return reneg->renegotiation_info();
   return std::vector<uint8_t>();
   }

std::vector<Protocol_Version> Client_Hello::supported_versions() const
   {
   if(Supported_Versions* versions = m_extensions.get<Supported_Versions>())
      return versions->versions();
   return {};
   }

bool Client_Hello::supports_session_ticket() const
   {
   return m_extensions.has<Session_Ticket>();
   }

std::vector<uint8_t> Client_Hello::session_ticket() const
   {
   if(Session_Ticket* ticket = m_extensions.get<Session_Ticket>())
      return ticket->contents();
   return std::vector<uint8_t>();
   }

bool Client_Hello::supports_alpn() const
   {
   return m_extensions.has<Application_Layer_Protocol_Notification>();
   }

bool Client_Hello::supports_extended_master_secret() const
   {
   return m_extensions.has<Extended_Master_Secret>();
   }

bool Client_Hello::supports_cert_status_message() const
   {
   return m_extensions.has<Certificate_Status_Request>();
   }

bool Client_Hello::supports_encrypt_then_mac() const
   {
   return m_extensions.has<Encrypt_then_MAC>();
   }

bool Client_Hello::sent_signature_algorithms() const
   {
   return m_extensions.has<Signature_Algorithms>();
   }

std::vector<std::string> Client_Hello::next_protocols() const
   {
   if(auto alpn = m_extensions.get<Application_Layer_Protocol_Notification>())
      return alpn->protocols();
   return std::vector<std::string>();
   }

std::vector<uint16_t> Client_Hello::srtp_profiles() const
   {
   if(SRTP_Protection_Profiles* srtp = m_extensions.get<SRTP_Protection_Profiles>())
      return srtp->profiles();
   return std::vector<uint16_t>();
   }


}

}

Coverage Report

Created: 2020-02-14 15:38

Line	Count	Source (jump to first uncovered line)
1		/*
2		* TLS Hello Request and Client Hello Messages
3		* (C) 2004-2011,2015,2016 Jack Lloyd
4		* 2016 Matthias Gierlings
5		* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6		*
7		* Botan is released under the Simplified BSD License (see license.txt)
8		*/
9
10		#include <botan/tls_messages.h>
11		#include <botan/tls_alert.h>
12		#include <botan/tls_exceptn.h>
13		#include <botan/tls_callbacks.h>
14		#include <botan/rng.h>
15		#include <botan/hash.h>
16
17		#include <botan/internal/tls_reader.h>
18		#include <botan/internal/tls_session_key.h>
19		#include <botan/internal/tls_handshake_io.h>
20		#include <botan/internal/tls_handshake_hash.h>
21		#include <botan/internal/stl_util.h>
22		#include <chrono>
23
24		namespace Botan {
25
26		namespace TLS {
27
28		enum {
29		TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF,
30		TLS_FALLBACK_SCSV = 0x5600
31		};
32
33		std::vector<uint8_t> make_hello_random(RandomNumberGenerator& rng,
34		const Policy& policy)
35	52.6k	{
36	52.6k	std::vector<uint8_t> buf(32);
37	52.6k	rng.randomize(buf.data(), buf.size());
38	52.6k
39	52.6k	std::unique_ptr<HashFunction> sha256 = HashFunction::create_or_throw("SHA-256");
40	52.6k	sha256->update(buf);
41	52.6k	sha256->final(buf);
42	52.6k
43	52.6k	if(policy.include_time_in_hello_random())
44	52.6k	{
45	52.6k	const uint32_t time32 = static_cast<uint32_t>(
46	52.6k	std::chrono::system_clock::to_time_t(std::chrono::system_clock::now()));
47	52.6k
48	52.6k	store_be(time32, buf.data());
49	52.6k	}
50	52.6k
51	52.6k	return buf;
52	52.6k	}
53
54		/*
55		* Create a new Hello Request message
56		*/
57		Hello_Request::Hello_Request(Handshake_IO& io)
58	0	{
59	0	io.send(*this);
60	0	}
61
62		/*
63		* Deserialize a Hello Request message
64		*/
65		Hello_Request::Hello_Request(const std::vector<uint8_t>& buf)
66	0	{
67	0	if(buf.size())
68	0	throw Decoding_Error("Bad Hello_Request, has non-zero size");
69	0	}
70
71		/*
72		* Serialize a Hello Request message
73		*/
74		std::vector<uint8_t> Hello_Request::serialize() const
75	0	{
76	0	return std::vector<uint8_t>();
77	0	}
78
79		/*
80		* Create a new Client Hello message
81		*/
82		Client_Hello::Client_Hello(Handshake_IO& io,
83		Handshake_Hash& hash,
84		const Policy& policy,
85		Callbacks& cb,
86		RandomNumberGenerator& rng,
87		const std::vector<uint8_t>& reneg_info,
88		const Client_Hello::Settings& client_settings,
89		const std::vector<std::string>& next_protocols) :
90		m_version(client_settings.protocol_version()),
91		m_random(make_hello_random(rng, policy)),
92		m_suites(policy.ciphersuite_list(m_version, !client_settings.srp_identifier().empty())),
93		m_comp_methods(1)
94	5.89k	{
95	5.89k	if(!policy.acceptable_protocol_version(m_version))
96	0	throw Internal_Error("Offering " + m_version.to_string() +
97	0	" but our own policy does not accept it");
98	5.89k
99	5.89k	/*
100	5.89k	* Place all empty extensions in front to avoid a bug in some systems
101	5.89k	* which reject hellos when the last extension in the list is empty.
102	5.89k	*/
103	5.89k	m_extensions.add(new Extended_Master_Secret);
104	5.89k	m_extensions.add(new Session_Ticket());
105	5.89k
106	5.89k	if(policy.negotiate_encrypt_then_mac())
107	5.89k	m_extensions.add(new Encrypt_then_MAC);
108	5.89k
109	5.89k	m_extensions.add(new Renegotiation_Extension(reneg_info));
110	5.89k
111	5.89k	m_extensions.add(new Supported_Versions(m_version, policy));
112	5.89k
113	5.89k	if(client_settings.hostname() != "")
114	5.89k	m_extensions.add(new Server_Name_Indicator(client_settings.hostname()));
115	5.89k
116	5.89k	if(policy.support_cert_status_message())
117	5.89k	m_extensions.add(new Certificate_Status_Request({}, {}));
118	5.89k
119	5.89k	if(reneg_info.empty() && !next_protocols.empty())
120	0	m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
121	5.89k
122	5.89k	if(m_version.supports_negotiable_signature_algorithms())
123	5.89k	m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));
124	5.89k
125	5.89k	if(m_version.is_datagram_protocol())
126	0	m_extensions.add(new SRTP_Protection_Profiles(policy.srtp_profiles()));
127	5.89k
128	5.89k	#if defined(BOTAN_HAS_SRP6)
129	5.89k	m_extensions.add(new SRP_Identifier(client_settings.srp_identifier()));
130		#else
131		if(!client_settings.srp_identifier().empty())
132		{
133		throw Invalid_State("Attempting to initiate SRP session but TLS-SRP support disabled");
134		}
135		#endif
136
137	5.89k	std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));
138	5.89k
139	5.89k	if(supported_groups->ec_groups().size() > 0)
140	5.89k	{
141	5.89k	m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
142	5.89k	}
143	5.89k
144	5.89k	m_extensions.add(supported_groups.release());
145	5.89k
146	5.89k	cb.tls_modify_extensions(m_extensions, CLIENT);
147	5.89k
148	5.89k	if(policy.send_fallback_scsv(client_settings.protocol_version()))
149	0	m_suites.push_back(TLS_FALLBACK_SCSV);
150	5.89k
151	5.89k	hash.update(io.send(*this));
152	5.89k	}
153
154		/*
155		* Create a new Client Hello message (session resumption case)
156		*/
157		Client_Hello::Client_Hello(Handshake_IO& io,
158		Handshake_Hash& hash,
159		const Policy& policy,
160		Callbacks& cb,
161		RandomNumberGenerator& rng,
162		const std::vector<uint8_t>& reneg_info,
163		const Session& session,
164		const std::vector<std::string>& next_protocols) :
165		m_version(session.version()),
166		m_session_id(session.session_id()),
167		m_random(make_hello_random(rng, policy)),
168		m_suites(policy.ciphersuite_list(m_version, (session.srp_identifier() != ""))),
169		m_comp_methods(1)
170	0	{
171	0	if(!policy.acceptable_protocol_version(m_version))
172	0	throw Internal_Error("Offering " + m_version.to_string() +
173	0	" but our own policy does not accept it");
174	0
175	0	if(!value_exists(m_suites, session.ciphersuite_code()))
176	0	m_suites.push_back(session.ciphersuite_code());
177	0
178	0	/*
179	0	We always add the EMS extension, even if not used in the original session.
180	0	If the server understands it and follows the RFC it should reject our resume
181	0	attempt and upgrade us to a new session with the EMS protection.
182	0	*/
183	0	m_extensions.add(new Extended_Master_Secret);
184	0
185	0	m_extensions.add(new Renegotiation_Extension(reneg_info));
186	0	m_extensions.add(new Server_Name_Indicator(session.server_info().hostname()));
187	0	m_extensions.add(new Session_Ticket(session.session_ticket()));
188	0
189	0	if(policy.support_cert_status_message())
190	0	m_extensions.add(new Certificate_Status_Request({}, {}));
191	0
192	0	std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));
193	0
194	0	if(supported_groups->ec_groups().size() > 0)
195	0	{
196	0	m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
197	0	}
198	0
199	0	m_extensions.add(supported_groups.release());
200	0
201	0	if(session.supports_encrypt_then_mac())
202	0	m_extensions.add(new Encrypt_then_MAC);
203	0
204	0	#if defined(BOTAN_HAS_SRP6)
205	0	m_extensions.add(new SRP_Identifier(session.srp_identifier()));
206		#else
207		if(!session.srp_identifier().empty())
208		{
209		throw Invalid_State("Attempting to resume SRP session but TLS-SRP support disabled");
210		}
211		#endif
212
213	0	if(m_version.supports_negotiable_signature_algorithms())
214	0	m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));
215	0
216	0	if(reneg_info.empty() && !next_protocols.empty())
217	0	m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
218	0
219	0	cb.tls_modify_extensions(m_extensions, CLIENT);
220	0
221	0	hash.update(io.send(*this));
222	0	}
223
224		void Client_Hello::update_hello_cookie(const Hello_Verify_Request& hello_verify)
225	0	{
226	0	if(!m_version.is_datagram_protocol())
227	0	throw Invalid_State("Cannot use hello cookie with stream protocol");
228	0
229	0	m_hello_cookie = hello_verify.cookie();
230	0	}
231
232		/*
233		* Serialize a Client Hello message
234		*/
235		std::vector<uint8_t> Client_Hello::serialize() const
236	5.89k	{
237	5.89k	std::vector<uint8_t> buf;
238	5.89k
239	5.89k	buf.push_back(m_version.major_version());
240	5.89k	buf.push_back(m_version.minor_version());
241	5.89k	buf += m_random;
242	5.89k
243	5.89k	append_tls_length_value(buf, m_session_id, 1);
244	5.89k
245	5.89k	if(m_version.is_datagram_protocol())
246	0	append_tls_length_value(buf, m_hello_cookie, 1);
247	5.89k
248	5.89k	append_tls_length_value(buf, m_suites, 2);
249	5.89k	append_tls_length_value(buf, m_comp_methods, 1);
250	5.89k
251	5.89k	/*
252	5.89k	* May not want to send extensions at all in some cases. If so,
253	5.89k	* should include SCSV value (if reneg info is empty, if not we are
254	5.89k	* renegotiating with a modern server)
255	5.89k	*/
256	5.89k
257	5.89k	buf += m_extensions.serialize(Connection_Side::CLIENT);
258	5.89k
259	5.89k	return buf;
260	5.89k	}
261
262		std::vector<uint8_t> Client_Hello::cookie_input_data() const
263	6.65k	{
264	6.65k	std::vector<uint8_t> buf;
265	6.65k
266	6.65k	buf.push_back(m_version.major_version());
267	6.65k	buf.push_back(m_version.minor_version());
268	6.65k	buf += m_random;
269	6.65k
270	6.65k	append_tls_length_value(buf, m_session_id, 1);
271	6.65k
272	6.65k	append_tls_length_value(buf, m_suites, 2);
273	6.65k	append_tls_length_value(buf, m_comp_methods, 1);
274	6.65k
275	6.65k	// Here we don't serialize the extensions since the client extensions
276	6.65k	// may contain values we don't know how to serialize back.
277	6.65k
278	6.65k	return buf;
279	6.65k	}
280
281		/*
282		* Read a counterparty client hello
283		*/
284		Client_Hello::Client_Hello(const std::vector<uint8_t>& buf)
285	32.2k	{
286	32.2k	if(buf.size() < 41)
287	75	throw Decoding_Error("Client_Hello: Packet corrupted");
288	32.2k
289	32.2k	TLS_Data_Reader reader("ClientHello", buf);
290	32.2k
291	32.2k	const uint8_t major_version = reader.get_byte();
292	32.2k	const uint8_t minor_version = reader.get_byte();
293	32.2k
294	32.2k	m_version = Protocol_Version(major_version, minor_version);
295	32.2k
296	32.2k	m_random = reader.get_fixed<uint8_t>(32);
297	32.2k
298	32.2k	m_session_id = reader.get_range<uint8_t>(1, 0, 32);
299	32.2k
300	32.2k	if(m_version.is_datagram_protocol())
301	6.97k	m_hello_cookie = reader.get_range<uint8_t>(1, 0, 255);
302	32.2k
303	32.2k	m_suites = reader.get_range_vector<uint16_t>(2, 1, 32767);
304	32.2k
305	32.2k	m_comp_methods = reader.get_range_vector<uint8_t>(1, 1, 255);
306	32.2k
307	32.2k	m_extensions.deserialize(reader, Connection_Side::CLIENT);
308	32.2k
309	32.2k	if(offered_suite(static_cast<uint16_t>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)))
310	2.52k	{
311	2.52k	if(Renegotiation_Extension* reneg = m_extensions.get<Renegotiation_Extension>())
312	22	{
313	22	if(!reneg->renegotiation_info().empty())
314	2	throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
315	2	"Client sent renegotiation SCSV and non-empty extension");
316	2.50k	}
317	2.50k	else
318	2.50k	{
319	2.50k	// add fake extension
320	2.50k	m_extensions.add(new Renegotiation_Extension());
321	2.50k	}
322	2.52k	}
323	32.2k	}
324
325		bool Client_Hello::sent_fallback_scsv() const
326	30.3k	{
327	30.3k	return offered_suite(static_cast<uint16_t>(TLS_FALLBACK_SCSV));
328	30.3k	}
329
330		/*
331		* Check if we offered this ciphersuite
332		*/
333		bool Client_Hello::offered_suite(uint16_t ciphersuite) const
334	65.5k	{
335	587k	for(size_t i = 0; i != m_suites.size(); ++i)
336	529k	if(m_suites[i] == ciphersuite)
337	7.17k	return true;
338	65.5k	return false;
339	65.5k	}
340
341		std::vector<Signature_Scheme> Client_Hello::signature_schemes() const
342	445	{
343	445	std::vector<Signature_Scheme> schemes;
344	445
345	445	if(Signature_Algorithms* sigs = m_extensions.get<Signature_Algorithms>())
346	407	{
347	407	schemes = sigs->supported_schemes();
348	407	}
349	445
350	445	return schemes;
351	445	}
352
353		std::vector<Group_Params> Client_Hello::supported_ecc_curves() const
354	39.8k	{
355	39.8k	if(Supported_Groups* groups = m_extensions.get<Supported_Groups>())
356	34.8k	return groups->ec_groups();
357	5.01k	return std::vector<Group_Params>();
358	5.01k	}
359
360		std::vector<Group_Params> Client_Hello::supported_dh_groups() const
361	6.59k	{
362	6.59k	if(Supported_Groups* groups = m_extensions.get<Supported_Groups>())
363	2.22k	return groups->dh_groups();
364	4.37k	return std::vector<Group_Params>();
365	4.37k	}
366
367		bool Client_Hello::prefers_compressed_ec_points() const
368	15.7k	{
369	15.7k	if(Supported_Point_Formats* ecc_formats = m_extensions.get<Supported_Point_Formats>())
370	552	{
371	552	return ecc_formats->prefers_compressed();
372	552	}
373	15.2k	return false;
374	15.2k	}
375
376		std::string Client_Hello::sni_hostname() const
377	85.4k	{
378	85.4k	if(Server_Name_Indicator* sni = m_extensions.get<Server_Name_Indicator>())
379	18.5k	return sni->host_name();
380	66.9k	return "";
381	66.9k	}
382
383		#if defined(BOTAN_HAS_SRP6)
384		std::string Client_Hello::srp_identifier() const
385	0	{
386	0	if(SRP_Identifier* srp = m_extensions.get<SRP_Identifier>())
387	0	return srp->identifier();
388	0	return "";
389	0	}
390		#endif
391
392		bool Client_Hello::secure_renegotiation() const
393	52.9k	{
394	52.9k	return m_extensions.has<Renegotiation_Extension>();
395	52.9k	}
396
397		std::vector<uint8_t> Client_Hello::renegotiation_info() const
398	9.88k	{
399	9.88k	if(Renegotiation_Extension* reneg = m_extensions.get<Renegotiation_Extension>())
400	9.88k	return reneg->renegotiation_info();
401	0	return std::vector<uint8_t>();
402	0	}
403
404		std::vector<Protocol_Version> Client_Hello::supported_versions() const
405	30.3k	{
406	30.3k	if(Supported_Versions* versions = m_extensions.get<Supported_Versions>())
407	9	return versions->versions();
408	30.3k	return {};
409	30.3k	}
410
411		bool Client_Hello::supports_session_ticket() const
412	23.3k	{
413	23.3k	return m_extensions.has<Session_Ticket>();
414	23.3k	}
415
416		std::vector<uint8_t> Client_Hello::session_ticket() const
417	23.7k	{
418	23.7k	if(Session_Ticket* ticket = m_extensions.get<Session_Ticket>())
419	825	return ticket->contents();
420	22.9k	return std::vector<uint8_t>();
421	22.9k	}
422
423		bool Client_Hello::supports_alpn() const
424	26.9k	{
425	26.9k	return m_extensions.has<Application_Layer_Protocol_Notification>();
426	26.9k	}
427
428		bool Client_Hello::supports_extended_master_secret() const
429	23.3k	{
430	23.3k	return m_extensions.has<Extended_Master_Secret>();
431	23.3k	}
432
433		bool Client_Hello::supports_cert_status_message() const
434	23.5k	{
435	23.5k	return m_extensions.has<Certificate_Status_Request>();
436	23.5k	}
437
438		bool Client_Hello::supports_encrypt_then_mac() const
439	12.6k	{
440	12.6k	return m_extensions.has<Encrypt_then_MAC>();
441	12.6k	}
442
443		bool Client_Hello::sent_signature_algorithms() const
444	0	{
445	0	return m_extensions.has<Signature_Algorithms>();
446	0	}
447
448		std::vector<std::string> Client_Hello::next_protocols() const
449	3.32k	{
450	3.32k	if(auto alpn = m_extensions.get<Application_Layer_Protocol_Notification>())
451	3.32k	return alpn->protocols();
452	0	return std::vector<std::string>();
453	0	}
454
455		std::vector<uint16_t> Client_Hello::srtp_profiles() const
456	0	{
457	0	if(SRTP_Protection_Profiles* srtp = m_extensions.get<SRTP_Protection_Profiles>())
458	0	return srtp->profiles();
459	0	return std::vector<uint16_t>();
460	0	}
461
462
463		}
464
465		}