Coverage Report

Created: 2022-11-24 06:56

/src/botan/src/lib/tls/tls13/tls_channel_impl_13.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Channel - implementation for TLS 1.3
3
* (C) 2022 Jack Lloyd
4
*     2021 Elektrobit Automotive GmbH
5
*     2022 Hannes Rantzsch, René Meusel - neXenio GmbH
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/internal/tls_channel_impl_13.h>
11
12
#include <botan/hash.h>
13
#include <botan/internal/tls_cipher_state.h>
14
#include <botan/internal/tls_handshake_state.h>
15
#include <botan/internal/tls_record.h>
16
#include <botan/internal/tls_seq_numbers.h>
17
#include <botan/internal/stl_util.h>
18
#include <botan/tls_messages.h>
19
20
namespace {
21
bool is_user_canceled_alert(const Botan::TLS::Alert& alert)
22
0
   {
23
0
   return alert.type() == Botan::TLS::Alert::USER_CANCELED;
24
0
   }
25
26
bool is_close_notify_alert(const Botan::TLS::Alert& alert)
27
0
   {
28
0
   return alert.type() == Botan::TLS::Alert::CLOSE_NOTIFY;
29
0
   }
30
31
bool is_error_alert(const Botan::TLS::Alert& alert)
32
0
   {
33
   // In TLS 1.3 all alerts except for closure alerts are considered error alerts.
34
   // (RFC 8446 6.)
35
0
   return !is_close_notify_alert(alert) && !is_user_canceled_alert(alert);
36
0
   }
37
}
38
39
namespace Botan::TLS {
40
41
Channel_Impl_13::Channel_Impl_13(Callbacks& callbacks,
42
                                 Session_Manager& session_manager,
43
                                 Credentials_Manager& credentials_manager,
44
                                 RandomNumberGenerator& rng,
45
                                 const Policy& policy,
46
                                 bool is_server) :
47
   m_side(is_server ? Connection_Side::SERVER : Connection_Side::CLIENT),
48
   m_callbacks(callbacks),
49
   m_session_manager(session_manager),
50
   m_credentials_manager(credentials_manager),
51
   m_rng(rng),
52
   m_policy(policy),
53
   m_record_layer(m_side),
54
   m_handshake_layer(m_side),
55
   m_can_read(true),
56
   m_can_write(true),
57
   m_opportunistic_key_update(false),
58
   m_first_message_sent(false),
59
   m_first_message_received(false)
60
0
   {
61
0
   }
62
63
0
Channel_Impl_13::~Channel_Impl_13() = default;
64
65
size_t Channel_Impl_13::received_data(const uint8_t input[], size_t input_size)
66
0
   {
67
0
   BOTAN_STATE_CHECK(!is_downgrading());
68
69
   // RFC 8446 6.1
70
   //    Any data received after a closure alert has been received MUST be ignored.
71
0
   if(!m_can_read)
72
0
      { return 0; }
73
74
0
   try
75
0
      {
76
0
      if(expects_downgrade())
77
0
         { preserve_peer_transcript(input, input_size); }
78
79
0
      m_record_layer.copy_data(input, input_size);
80
81
0
      while(true)
82
0
         {
83
         // RFC 8446 6.1
84
         //    Any data received after a closure alert has been received MUST be ignored.
85
         //
86
         // ... this data might already be in the record layer's read buffer.
87
0
         if(!m_can_read)
88
0
            { return 0; }
89
90
0
         auto result = m_record_layer.next_record(m_cipher_state.get());
91
92
0
         if(std::holds_alternative<BytesNeeded>(result))
93
0
            { return std::get<BytesNeeded>(result); }
94
95
0
         const auto& record = std::get<Record>(result);
96
97
         // RFC 8446 5.1
98
         //   Handshake messages MUST NOT be interleaved with other record types.
99
0
         if(record.type != HANDSHAKE && m_handshake_layer.has_pending_data())
100
0
            { throw Unexpected_Message("Expected remainder of a handshake message"); }
101
102
0
         if(record.type == HANDSHAKE)
103
0
            {
104
0
            m_handshake_layer.copy_data(record.fragment);
105
106
0
            if(!handshake_finished())
107
0
               {
108
0
               while(auto handshake_msg = m_handshake_layer.next_message(policy(), m_transcript_hash))
109
0
                  {
110
                  // RFC 8446 5.1
111
                  //    Handshake messages MUST NOT span key changes.  Implementations
112
                  //    MUST verify that all messages immediately preceding a key change
113
                  //    align with a record boundary; if not, then they MUST terminate the
114
                  //    connection with an "unexpected_message" alert.  Because the
115
                  //    ClientHello, EndOfEarlyData, ServerHello, Finished, and KeyUpdate
116
                  //    messages can immediately precede a key change, implementations
117
                  //    MUST send these messages in alignment with a record boundary.
118
                  //
119
                  // Note: Hello_Retry_Request was added to the list below although it cannot immediately precede a key change.
120
                  //       However, there cannot be any further sensible messages in the record after HRR.
121
                  //
122
                  // Note: Server_Hello_12 was deliberately not included in the check below because in TLS 1.2 Server Hello and
123
                  //       other handshake messages can be legally coalesced in a single record.
124
                  //
125
0
                  if(holds_any_of<Client_Hello_13/*, EndOfEarlyData,*/, Server_Hello_13, Hello_Retry_Request, Finished_13>
126
0
                        (handshake_msg.value())
127
0
                        && m_handshake_layer.has_pending_data())
128
0
                     { throw Unexpected_Message("Unexpected additional handshake message data found in record"); }
129
130
0
                  const bool downgrade_requested = std::holds_alternative<Server_Hello_12>(handshake_msg.value());
131
132
0
                  process_handshake_msg(std::move(handshake_msg.value()));
133
134
0
                  if(downgrade_requested)
135
0
                     {
136
                     // Downgrade to TLS 1.2 was detected. Stop everything we do and await being replaced by a 1.2 implementation.
137
0
                     BOTAN_STATE_CHECK(m_downgrade_info);
138
0
                     m_downgrade_info->will_downgrade = true;
139
0
                     return 0;
140
0
                     }
141
0
                  else if(m_downgrade_info != nullptr)
142
0
                     {
143
                     // We received a TLS 1.3 error alert that could have been a TLS 1.2 warning alert.
144
                     // Now that we know that we are talking to a TLS 1.3 server, shut down.
145
0
                     if(m_downgrade_info->received_tls_13_error_alert)
146
0
                        shutdown();
147
148
                     // Downgrade can only happen if the first received message is a Server_Hello_12. This was not the case.
149
0
                     m_downgrade_info.reset();
150
0
                     }
151
152
                  // After the initial handshake message is received, the record
153
                  // layer must be more restrictive.
154
                  // See RFC 8446 5.1 regarding "legacy_record_version"
155
0
                  if(!m_first_message_received)
156
0
                     {
157
0
                     m_record_layer.disable_receiving_compat_mode();
158
0
                     m_first_message_received = true;
159
0
                     }
160
0
                  }
161
0
               }
162
0
            else
163
0
               {
164
0
               while(auto handshake_msg = m_handshake_layer.next_post_handshake_message(policy()))
165
0
                  {
166
                  // make sure Key_Update appears only at the end of a record; see description above
167
0
                  if(std::holds_alternative<Key_Update>(handshake_msg.value()) && m_handshake_layer.has_pending_data())
168
0
                     { throw Unexpected_Message("Unexpected additional post-handshake message data found in record"); }
169
170
0
                  process_post_handshake_msg(std::move(handshake_msg.value()));
171
0
                  }
172
0
               }
173
0
            }
174
0
         else if(record.type == CHANGE_CIPHER_SPEC)
175
0
            {
176
0
            process_dummy_change_cipher_spec();
177
0
            }
178
0
         else if(record.type == APPLICATION_DATA)
179
0
            {
180
0
            BOTAN_ASSERT(record.seq_no.has_value(), "decrypted application traffic had a sequence number");
181
0
            callbacks().tls_record_received(record.seq_no.value(), record.fragment.data(), record.fragment.size());
182
0
            }
183
0
         else if(record.type == ALERT)
184
0
            {
185
0
            process_alert(record.fragment);
186
0
            }
187
0
         else
188
0
            { throw Unexpected_Message("Unexpected record type " + std::to_string(record.type) + " from counterparty"); }
189
0
         }
190
0
      }
191
0
   catch(TLS_Exception& e)
192
0
      {
193
0
      send_fatal_alert(e.type());
194
0
      throw;
195
0
      }
196
0
   catch(Invalid_Authentication_Tag&)
197
0
      {
198
      // RFC 8446 5.2
199
      //    If the decryption fails, the receiver MUST terminate the connection
200
      //    with a "bad_record_mac" alert.
201
0
      send_fatal_alert(Alert::BAD_RECORD_MAC);
202
0
      throw;
203
0
      }
204
0
   catch(Decoding_Error&)
205
0
      {
206
0
      send_fatal_alert(Alert::DECODE_ERROR);
207
0
      throw;
208
0
      }
209
0
   catch(...)
210
0
      {
211
0
      send_fatal_alert(Alert::INTERNAL_ERROR);
212
0
      throw;
213
0
      }
214
0
   }
215
216
217
Channel_Impl_13::AggregatedMessages::AggregatedMessages(Channel_Impl_13& channel,
218
                                                        Handshake_Layer& handshake_layer,
219
                                                        Transcript_Hash_State& transcript_hash)
220
   : m_channel(channel)
221
   , m_handshake_layer(handshake_layer)
222
   , m_transcript_hash(transcript_hash)
223
0
   {}
224
225
Channel_Impl_13::AggregatedMessages&
226
Channel_Impl_13::AggregatedMessages::add(const Handshake_Message_13_Ref message)
227
0
   {
228
0
   std::visit([&](const auto msg) { m_channel.callbacks().tls_inspect_handshake_msg(msg.get()); }, message);
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13> >(std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Server_Hello_13> >(std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Server_Hello_12> >(std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request> >(std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions> >(std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Certificate_13> >(std::__1::reference_wrapper<Botan::TLS::Certificate_13>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13> >(std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13> >(std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>) const
Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Finished_13> >(std::__1::reference_wrapper<Botan::TLS::Finished_13>) const
229
0
   m_message_buffer += m_handshake_layer.prepare_message(message, m_transcript_hash);
230
0
   return *this;
231
0
   }
232
233
std::vector<uint8_t> Channel_Impl_13::AggregatedMessages::send()
234
0
   {
235
0
   BOTAN_STATE_CHECK(!m_message_buffer.empty());
236
0
   m_channel.send_record(Record_Type::HANDSHAKE, m_message_buffer);
237
0
   return std::exchange(m_message_buffer, {});
238
0
   }
239
240
void Channel_Impl_13::send_post_handshake_message(const Post_Handshake_Message_13 message)
241
0
   {
242
0
   send_record(Record_Type::HANDSHAKE, m_handshake_layer.prepare_post_handshake_message(message));
243
0
   }
244
245
void Channel_Impl_13::send_dummy_change_cipher_spec()
246
0
   {
247
   // RFC 8446 5.
248
   //    The change_cipher_spec record is used only for compatibility purposes
249
   //    (see Appendix D.4).
250
   //
251
   // The only allowed CCS message content is 0x01, all other CCS records MUST
252
   // be rejected by TLS 1.3 implementations.
253
0
   send_record(Record_Type::CHANGE_CIPHER_SPEC, {0x01});
254
0
   }
255
256
void Channel_Impl_13::send(const uint8_t buf[], size_t buf_size)
257
0
   {
258
0
   if(!is_active())
259
0
      { throw Invalid_State("Data cannot be sent on inactive TLS connection"); }
260
261
   // RFC 8446 4.6.3
262
   //    If the request_update field [of a received KeyUpdate] is set to
263
   //    "update_requested", then the receiver MUST send a KeyUpdate of its own
264
   //    with request_update set to "update_not_requested" prior to sending its
265
   //    next Application Data record.
266
   //    This mechanism allows either side to force an update to the entire
267
   //    connection, but causes an implementation which receives multiple
268
   //    KeyUpdates while it is silent to respond with a single update.
269
0
   if(m_opportunistic_key_update)
270
0
      {
271
0
      update_traffic_keys(false /* update_requested */);
272
0
      m_opportunistic_key_update = false;
273
0
      }
274
275
0
   send_record(Record_Type::APPLICATION_DATA, {buf, buf+buf_size});
276
0
   }
277
278
void Channel_Impl_13::send_alert(const Alert& alert)
279
0
   {
280
0
   if(alert.is_valid() && m_can_write)
281
0
      {
282
0
      try
283
0
         {
284
0
         send_record(Record_Type::ALERT, alert.serialize());
285
0
         }
286
0
      catch(...) { /* swallow it */ }
287
0
      }
288
289
   // Note: In TLS 1.3 sending a CLOSE_NOTIFY must not immediately lead to closing the reading end.
290
   // RFC 8446 6.1
291
   //    Each party MUST send a "close_notify" alert before closing its write
292
   //    side of the connection, unless it has already sent some error alert.
293
   //    This does not have any effect on its read side of the connection.
294
0
   if(is_close_notify_alert(alert) && m_can_write)
295
0
      {
296
0
      BOTAN_ASSERT_NONNULL(m_cipher_state);
297
0
      m_can_write = false;
298
0
      m_cipher_state->clear_write_keys();
299
0
      }
300
301
0
   if(is_error_alert(alert))
302
0
      { shutdown(); }
303
0
   }
304
305
bool Channel_Impl_13::is_active() const
306
0
   {
307
0
   return
308
0
      m_cipher_state != nullptr && m_cipher_state->can_encrypt_application_traffic() // handshake done
309
0
      && m_can_write;  // close() hasn't been called
310
0
   }
311
312
SymmetricKey Channel_Impl_13::key_material_export(const std::string& label,
313
      const std::string& context,
314
      size_t length) const
315
0
   {
316
0
   BOTAN_STATE_CHECK(!is_downgrading());
317
0
   BOTAN_STATE_CHECK(m_cipher_state != nullptr && m_cipher_state->can_export_keys());
318
0
   return m_cipher_state->export_key(label, context, length);
319
0
   }
320
321
void Channel_Impl_13::update_traffic_keys(bool request_peer_update)
322
0
   {
323
0
   BOTAN_STATE_CHECK(!is_downgrading());
324
0
   BOTAN_STATE_CHECK(handshake_finished());
325
0
   BOTAN_ASSERT_NONNULL(m_cipher_state);
326
0
   send_post_handshake_message(Key_Update(request_peer_update));
327
0
   m_cipher_state->update_write_keys();
328
0
   }
329
330
void Channel_Impl_13::send_record(uint8_t record_type, const std::vector<uint8_t>& record)
331
0
   {
332
0
   BOTAN_STATE_CHECK(!is_downgrading());
333
0
   BOTAN_STATE_CHECK(m_can_write);
334
335
0
   const auto type = static_cast<Record_Type>(record_type);
336
0
   auto to_write = m_record_layer.prepare_records(type, record, m_cipher_state.get());
337
338
   // After the initial handshake message is sent, the record layer must
339
   // adhere to a more strict record specification. Note that for the
340
   // server case this is a NOOP.
341
   // See (RFC 8446 5.1. regarding "legacy_record_version")
342
0
   if(!m_first_message_sent && type == Record_Type::HANDSHAKE)
343
0
      {
344
0
      m_record_layer.disable_sending_compat_mode();
345
0
      m_first_message_sent = true;
346
0
      }
347
348
   // The dummy CCS must not be prepended if the following record is
349
   // an unprotected Alert record.
350
0
   if(prepend_ccs() && (m_cipher_state || record_type != Record_Type::ALERT))
351
0
      {
352
0
      const auto ccs = m_record_layer.prepare_records(Record_Type::CHANGE_CIPHER_SPEC, {0x01}, m_cipher_state.get());
353
0
      to_write = concat(ccs, to_write);
354
0
      }
355
356
0
   callbacks().tls_emit_data(to_write.data(), to_write.size());
357
0
   }
358
359
void Channel_Impl_13::process_alert(const secure_vector<uint8_t>& record)
360
0
   {
361
0
   Alert alert(record);
362
363
0
   if(is_close_notify_alert(alert))
364
0
      {
365
0
      m_can_read = false;
366
0
      if(m_cipher_state)
367
0
         m_cipher_state->clear_read_keys();
368
0
      m_record_layer.clear_read_buffer();
369
0
      }
370
371
   // user canceled alerts are ignored
372
373
   // TODO: the server doesn't have to expect downgrading; move this to the client
374
0
   if(!expects_downgrade())
375
0
      {
376
      // RFC 8446 5.
377
      //    All the alerts listed in Section 6.2 MUST be sent with
378
      //    AlertLevel=fatal and MUST be treated as error alerts when received
379
      //    regardless of the AlertLevel in the message.  Unknown Alert types
380
      //    MUST be treated as error alerts.
381
0
      if(is_error_alert(alert) && !alert.is_fatal())
382
0
         {
383
0
         throw TLS_Exception(Alert::DECODE_ERROR, "Error alert not marked fatal");  // will shutdown in send_alert
384
0
         }
385
0
      }
386
0
   else
387
0
      {
388
      // Don't immediately shut down in case we might be dealing with a TLS 1.2 server. In this case,
389
      // we cannot immediately shut down on alerts that are warnings in TLS 1.2.
390
      // However, if the server turns out to _not_ downgrade, treat this as an error and do shut down.
391
      // Note that this should not happen with a valid implementation, as the TLS 1.3 server shouldn't
392
      // send a SERVER HELLO after the alert.
393
0
      if(is_error_alert(alert))
394
0
         m_downgrade_info->received_tls_13_error_alert = true;
395
0
      }
396
397
0
   if(alert.is_fatal())
398
0
      shutdown();
399
400
0
   callbacks().tls_alert(alert);
401
0
   }
402
403
void Channel_Impl_13::shutdown()
404
0
   {
405
   // RFC 8446 6.2
406
   //    Upon transmission or receipt of a fatal alert message, both
407
   //    parties MUST immediately close the connection.
408
0
   m_can_read = false;
409
0
   m_can_write = false;
410
0
   m_cipher_state.reset();
411
0
   }
412
413
void Channel_Impl_13::expect_downgrade(const Server_Information& server_info)
414
0
   {
415
0
   Downgrade_Information di
416
0
      {
417
0
         {},
418
0
         {},
419
0
      server_info,
420
0
      callbacks(),
421
0
      session_manager(),
422
0
      credentials_manager(),
423
0
      rng(),
424
0
      policy(),
425
0
      false, // received_tls_13_error_alert
426
0
      false  // will_downgrade
427
0
      };
428
0
   m_downgrade_info = std::make_unique<Downgrade_Information>(std::move(di));
429
0
   }
430
431
void Channel_Impl_13::set_record_size_limits(const uint16_t outgoing_limit,
432
                                             const uint16_t incoming_limit)
433
0
   {
434
0
   m_record_layer.set_record_size_limits(outgoing_limit, incoming_limit);
435
0
   }
436
437
}