/src/botan/src/lib/tls/tls_extensions.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS Extensions |
3 | | * (C) 2011,2012,2015,2016 Jack Lloyd |
4 | | * 2016 Juraj Somorovsky |
5 | | * 2021 Elektrobit Automotive GmbH |
6 | | * 2022 René Meusel, Hannes Rantzsch - neXenio GmbH |
7 | | * |
8 | | * Botan is released under the Simplified BSD License (see license.txt) |
9 | | */ |
10 | | |
11 | | #include <botan/tls_extensions.h> |
12 | | #include <botan/internal/tls_reader.h> |
13 | | #include <botan/tls_exceptn.h> |
14 | | #include <botan/tls_policy.h> |
15 | | #include <botan/ber_dec.h> |
16 | | |
17 | | #include <iterator> |
18 | | |
19 | | namespace Botan::TLS { |
20 | | |
21 | | namespace { |
22 | | |
23 | | std::unique_ptr<Extension> make_extension(TLS_Data_Reader& reader, |
24 | | const uint16_t code, |
25 | | const uint16_t size, |
26 | | const Connection_Side from, |
27 | | const Handshake_Type message_type) |
28 | 231k | { |
29 | 231k | switch(code) |
30 | 231k | { |
31 | 5.57k | case TLSEXT_SERVER_NAME_INDICATION: |
32 | 5.57k | return std::make_unique<Server_Name_Indicator>(reader, size); |
33 | | |
34 | 22.1k | case TLSEXT_SUPPORTED_GROUPS: |
35 | 22.1k | return std::make_unique<Supported_Groups>(reader, size); |
36 | | |
37 | 3.94k | case TLSEXT_CERT_STATUS_REQUEST: |
38 | 3.94k | return std::make_unique<Certificate_Status_Request>(reader, size, from, message_type); |
39 | | |
40 | 4.27k | case TLSEXT_EC_POINT_FORMATS: |
41 | 4.27k | return std::make_unique<Supported_Point_Formats>(reader, size); |
42 | | |
43 | 539 | case TLSEXT_SAFE_RENEGOTIATION: |
44 | 539 | return std::make_unique<Renegotiation_Extension>(reader, size); |
45 | | |
46 | 1.69k | case TLSEXT_SIGNATURE_ALGORITHMS: |
47 | 1.69k | return std::make_unique<Signature_Algorithms>(reader, size); |
48 | | |
49 | 1.20k | case TLSEXT_USE_SRTP: |
50 | 1.20k | return std::make_unique<SRTP_Protection_Profiles>(reader, size); |
51 | | |
52 | 6.12k | case TLSEXT_ALPN: |
53 | 6.12k | return std::make_unique<Application_Layer_Protocol_Notification>(reader, size, from); |
54 | | |
55 | 1.54k | case TLSEXT_EXTENDED_MASTER_SECRET: |
56 | 1.54k | return std::make_unique<Extended_Master_Secret>(reader, size); |
57 | | |
58 | 1.20k | case TLSEXT_RECORD_SIZE_LIMIT: |
59 | 1.20k | return std::make_unique<Record_Size_Limit>(reader, size, from); |
60 | | |
61 | 3.08k | case TLSEXT_ENCRYPT_THEN_MAC: |
62 | 3.08k | return std::make_unique<Encrypt_then_MAC>(reader, size); |
63 | | |
64 | 7.43k | case TLSEXT_SESSION_TICKET: |
65 | 7.43k | return std::make_unique<Session_Ticket>(reader, size); |
66 | | |
67 | 1.57k | case TLSEXT_SUPPORTED_VERSIONS: |
68 | 1.57k | return std::make_unique<Supported_Versions>(reader, size, from); |
69 | | |
70 | 0 | #if defined(BOTAN_HAS_TLS_13) |
71 | 831 | case TLSEXT_PSK: |
72 | 831 | return std::make_unique<PSK>(reader, size, message_type); |
73 | | |
74 | 455 | case TLSEXT_EARLY_DATA: |
75 | 455 | return std::make_unique<EarlyDataIndication>(reader, size, message_type); |
76 | | |
77 | 1.12k | case TLSEXT_COOKIE: |
78 | 1.12k | return std::make_unique<Cookie>(reader, size); |
79 | | |
80 | 1.66k | case TLSEXT_PSK_KEY_EXCHANGE_MODES: |
81 | 1.66k | return std::make_unique<PSK_Key_Exchange_Modes>(reader, size); |
82 | | |
83 | 3.72k | case TLSEXT_CERTIFICATE_AUTHORITIES: |
84 | 3.72k | return std::make_unique<Certificate_Authorities>(reader, size); |
85 | | |
86 | 756 | case TLSEXT_SIGNATURE_ALGORITHMS_CERT: |
87 | 756 | return std::make_unique<Signature_Algorithms_Cert>(reader, size); |
88 | | |
89 | 1.91k | case TLSEXT_KEY_SHARE: |
90 | 1.91k | return std::make_unique<Key_Share>(reader, size, message_type); |
91 | 231k | #endif |
92 | 231k | } |
93 | | |
94 | 160k | return std::make_unique<Unknown_Extension>(static_cast<Handshake_Extension_Type>(code), |
95 | 160k | reader, size);; |
96 | 0 | } |
97 | | |
98 | | } |
99 | | |
100 | | void Extensions::add(std::unique_ptr<Extension> extn) |
101 | 298k | { |
102 | 298k | if (has(extn->type())) |
103 | 0 | { |
104 | 0 | throw Invalid_Argument("cannot add the same extension twice: " + std::to_string(extn->type())); |
105 | 0 | } |
106 | | |
107 | 298k | m_extensions.emplace_back(extn.release()); |
108 | 298k | } |
109 | | |
110 | | void Extensions::deserialize(TLS_Data_Reader& reader, |
111 | | const Connection_Side from, |
112 | | const Handshake_Type message_type) |
113 | 52.8k | { |
114 | 52.8k | if(reader.has_remaining()) |
115 | 46.6k | { |
116 | 46.6k | const uint16_t all_extn_size = reader.get_uint16_t(); |
117 | | |
118 | 46.6k | if(reader.remaining_bytes() != all_extn_size) |
119 | 196 | throw Decoding_Error("Bad extension size"); |
120 | | |
121 | 278k | while(reader.has_remaining()) |
122 | 231k | { |
123 | 231k | const uint16_t extension_code = reader.get_uint16_t(); |
124 | 231k | const uint16_t extension_size = reader.get_uint16_t(); |
125 | | |
126 | 231k | const auto type = static_cast<Handshake_Extension_Type>(extension_code); |
127 | | |
128 | 231k | if(has(type)) |
129 | 61 | throw TLS_Exception(TLS::Alert::DECODE_ERROR, |
130 | 61 | "Peer sent duplicated extensions"); |
131 | | |
132 | 231k | this->add(make_extension(reader, extension_code, extension_size, from, message_type)); |
133 | 231k | } |
134 | 46.4k | } |
135 | 52.8k | } |
136 | | |
137 | | bool Extensions::contains_other_than(const std::set<Handshake_Extension_Type>& allowed_extensions, |
138 | | const bool allow_unknown_extensions) const |
139 | 10.3k | { |
140 | 10.3k | const auto found = extension_types(); |
141 | | |
142 | 10.3k | std::vector<Handshake_Extension_Type> diff; |
143 | 10.3k | std::set_difference(found.cbegin(), found.end(), |
144 | 10.3k | allowed_extensions.cbegin(), allowed_extensions.cend(), |
145 | 10.3k | std::back_inserter(diff)); |
146 | | |
147 | 10.3k | if(allow_unknown_extensions) |
148 | 9.48k | { |
149 | | // Go through the found unexpected extensions whether any of those |
150 | | // is known to this TLS implementation. |
151 | 9.48k | const auto itr = std::find_if(diff.cbegin(), diff.cend(), |
152 | 9.48k | [this](const auto ext_type) |
153 | 23.4k | { |
154 | 23.4k | const auto ext = get(ext_type); |
155 | 23.4k | return ext && ext->is_implemented(); |
156 | 23.4k | }); |
157 | | |
158 | | // ... if yes, `contains_other_than` is true |
159 | 9.48k | return itr != diff.cend(); |
160 | 9.48k | } |
161 | | |
162 | 867 | return !diff.empty(); |
163 | 10.3k | } |
164 | | |
165 | | std::unique_ptr<Extension> Extensions::take(Handshake_Extension_Type type) |
166 | 0 | { |
167 | 0 | const auto i = std::find_if(m_extensions.begin(), m_extensions.end(), |
168 | 0 | [type](const auto &ext) { |
169 | 0 | return ext->type() == type; |
170 | 0 | }); |
171 | |
|
172 | 0 | std::unique_ptr<Extension> result; |
173 | 0 | if (i != m_extensions.end()) |
174 | 0 | { |
175 | 0 | std::swap(result, *i); |
176 | 0 | m_extensions.erase(i); |
177 | 0 | } |
178 | |
|
179 | 0 | return result; |
180 | 0 | } |
181 | | |
182 | | std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const |
183 | 25.0k | { |
184 | 25.0k | std::vector<uint8_t> buf(2); // 2 bytes for length field |
185 | | |
186 | 25.0k | for(const auto& extn : m_extensions) |
187 | 58.7k | { |
188 | 58.7k | if(extn->empty()) |
189 | 0 | continue; |
190 | | |
191 | 58.7k | const uint16_t extn_code = static_cast<uint16_t>(extn->type()); |
192 | | |
193 | 58.7k | const std::vector<uint8_t> extn_val = extn->serialize(whoami); |
194 | | |
195 | 58.7k | buf.push_back(get_byte<0>(extn_code)); |
196 | 58.7k | buf.push_back(get_byte<1>(extn_code)); |
197 | | |
198 | 58.7k | buf.push_back(get_byte<0>(static_cast<uint16_t>(extn_val.size()))); |
199 | 58.7k | buf.push_back(get_byte<1>(static_cast<uint16_t>(extn_val.size()))); |
200 | | |
201 | 58.7k | buf += extn_val; |
202 | 58.7k | } |
203 | | |
204 | 25.0k | const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2); |
205 | | |
206 | 25.0k | buf[0] = get_byte<0>(extn_size); |
207 | 25.0k | buf[1] = get_byte<1>(extn_size); |
208 | | |
209 | | // avoid sending a completely empty extensions block |
210 | 25.0k | if(buf.size() == 2) |
211 | 4.65k | return std::vector<uint8_t>(); |
212 | | |
213 | 20.4k | return buf; |
214 | 25.0k | } |
215 | | |
216 | | std::set<Handshake_Extension_Type> Extensions::extension_types() const |
217 | 31.2k | { |
218 | 31.2k | std::set<Handshake_Extension_Type> offers; |
219 | 31.2k | std::transform(m_extensions.cbegin(), m_extensions.cend(), |
220 | 207k | std::inserter(offers, offers.begin()), [] (const auto &ext) { |
221 | 207k | return ext->type(); |
222 | 207k | }); |
223 | 31.2k | return offers; |
224 | 31.2k | } |
225 | | |
226 | | Unknown_Extension::Unknown_Extension(Handshake_Extension_Type type, |
227 | | TLS_Data_Reader& reader, |
228 | | uint16_t extension_size) : |
229 | | m_type(type), |
230 | | m_value(reader.get_fixed<uint8_t>(extension_size)) |
231 | 160k | { |
232 | 160k | } |
233 | | |
234 | | std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const |
235 | 0 | { |
236 | 0 | throw Invalid_State("Cannot encode an unknown TLS extension"); |
237 | 0 | } |
238 | | |
239 | | Server_Name_Indicator::Server_Name_Indicator(TLS_Data_Reader& reader, |
240 | | uint16_t extension_size) |
241 | 5.57k | { |
242 | | /* |
243 | | * This is used by the server to confirm that it knew the name |
244 | | */ |
245 | 5.57k | if(extension_size == 0) |
246 | 4.03k | return; |
247 | | |
248 | 1.53k | uint16_t name_bytes = reader.get_uint16_t(); |
249 | | |
250 | 1.53k | if(name_bytes + 2 != extension_size) |
251 | 118 | throw Decoding_Error("Bad encoding of SNI extension"); |
252 | | |
253 | 4.14k | while(name_bytes) |
254 | 2.72k | { |
255 | 2.72k | uint8_t name_type = reader.get_byte(); |
256 | 2.72k | name_bytes--; |
257 | | |
258 | 2.72k | if(name_type == 0) // DNS |
259 | 2.00k | { |
260 | 2.00k | m_sni_host_name = reader.get_string(2, 1, 65535); |
261 | 2.00k | name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size()); |
262 | 2.00k | } |
263 | 719 | else // some other unknown name type |
264 | 719 | { |
265 | 719 | reader.discard_next(name_bytes); |
266 | 719 | name_bytes = 0; |
267 | 719 | } |
268 | 2.72k | } |
269 | 1.42k | } |
270 | | |
271 | | std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side /*whoami*/) const |
272 | 2.57k | { |
273 | 2.57k | std::vector<uint8_t> buf; |
274 | | |
275 | 2.57k | size_t name_len = m_sni_host_name.size(); |
276 | | |
277 | 2.57k | buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len+3))); |
278 | 2.57k | buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len+3))); |
279 | 2.57k | buf.push_back(0); // DNS |
280 | | |
281 | 2.57k | buf.push_back(get_byte<0>(static_cast<uint16_t>(name_len))); |
282 | 2.57k | buf.push_back(get_byte<1>(static_cast<uint16_t>(name_len))); |
283 | | |
284 | 2.57k | buf += std::make_pair( |
285 | 2.57k | cast_char_ptr_to_uint8(m_sni_host_name.data()), |
286 | 2.57k | m_sni_host_name.size()); |
287 | | |
288 | 2.57k | return buf; |
289 | 2.57k | } |
290 | | |
291 | | Renegotiation_Extension::Renegotiation_Extension(TLS_Data_Reader& reader, |
292 | | uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255)) |
293 | 539 | { |
294 | 539 | if(m_reneg_data.size() + 1 != extension_size) |
295 | 90 | throw Decoding_Error("Bad encoding for secure renegotiation extn"); |
296 | 539 | } |
297 | | |
298 | | std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const |
299 | 15.4k | { |
300 | 15.4k | std::vector<uint8_t> buf; |
301 | 15.4k | append_tls_length_value(buf, m_reneg_data, 1); |
302 | 15.4k | return buf; |
303 | 15.4k | } |
304 | | |
305 | | Application_Layer_Protocol_Notification::Application_Layer_Protocol_Notification(TLS_Data_Reader& reader, |
306 | | uint16_t extension_size, |
307 | | Connection_Side from) |
308 | 6.12k | { |
309 | 6.12k | if(extension_size == 0) |
310 | 4.97k | return; // empty extension |
311 | | |
312 | 1.14k | const uint16_t name_bytes = reader.get_uint16_t(); |
313 | | |
314 | 1.14k | size_t bytes_remaining = extension_size - 2; |
315 | | |
316 | 1.14k | if(name_bytes != bytes_remaining) |
317 | 167 | throw Decoding_Error("Bad encoding of ALPN extension, bad length field"); |
318 | | |
319 | 11.9k | while(bytes_remaining) |
320 | 11.0k | { |
321 | 11.0k | const std::string p = reader.get_string(1, 0, 255); |
322 | | |
323 | 11.0k | if(bytes_remaining < p.size() + 1) |
324 | 10 | throw Decoding_Error("Bad encoding of ALPN, length field too long"); |
325 | | |
326 | 11.0k | if(p.empty()) |
327 | 95 | throw Decoding_Error("Empty ALPN protocol not allowed"); |
328 | | |
329 | 10.9k | bytes_remaining -= (p.size() + 1); |
330 | | |
331 | 10.9k | m_protocols.push_back(p); |
332 | 10.9k | } |
333 | | |
334 | | // RFC 7301 3.1 |
335 | | // The "extension_data" field of the [...] extension is structured the |
336 | | // same as described above for the client "extension_data", except that |
337 | | // the "ProtocolNameList" MUST contain exactly one "ProtocolName". |
338 | 876 | if(from == Connection_Side::SERVER && m_protocols.size() != 1) |
339 | 23 | { |
340 | 23 | throw TLS_Exception(Alert::DECODE_ERROR, |
341 | 23 | "Server sent " + std::to_string(m_protocols.size()) + |
342 | 23 | " protocols in ALPN extension response"); |
343 | 23 | } |
344 | 876 | } |
345 | | |
346 | | const std::string& Application_Layer_Protocol_Notification::single_protocol() const |
347 | 0 | { |
348 | 0 | BOTAN_STATE_CHECK(m_protocols.size() == 1); |
349 | 0 | return m_protocols.front(); |
350 | 0 | } |
351 | | |
352 | | std::vector<uint8_t> Application_Layer_Protocol_Notification::serialize(Connection_Side /*whoami*/) const |
353 | 3.80k | { |
354 | 3.80k | std::vector<uint8_t> buf(2); |
355 | | |
356 | 3.80k | for(auto&& p: m_protocols) |
357 | 3.80k | { |
358 | 3.80k | if(p.length() >= 256) |
359 | 0 | throw TLS_Exception(Alert::INTERNAL_ERROR, "ALPN name too long"); |
360 | 3.80k | if(!p.empty()) |
361 | 3.80k | append_tls_length_value(buf, |
362 | 3.80k | cast_char_ptr_to_uint8(p.data()), |
363 | 3.80k | p.size(), |
364 | 3.80k | 1); |
365 | 3.80k | } |
366 | | |
367 | 3.80k | buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size()-2)); |
368 | 3.80k | buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size()-2)); |
369 | | |
370 | 3.80k | return buf; |
371 | 3.80k | } |
372 | | |
373 | | Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups) |
374 | 2.57k | { |
375 | 2.57k | } |
376 | | |
377 | | const std::vector<Group_Params>& Supported_Groups::groups() const |
378 | 0 | { |
379 | 0 | return m_groups; |
380 | 0 | } |
381 | | |
382 | | std::vector<Group_Params> Supported_Groups::ec_groups() const |
383 | 44.6k | { |
384 | 44.6k | std::vector<Group_Params> ec; |
385 | 44.6k | for(auto g : m_groups) |
386 | 200k | { |
387 | 200k | if(group_param_is_dh(g) == false) |
388 | 154k | ec.push_back(g); |
389 | 200k | } |
390 | 44.6k | return ec; |
391 | 44.6k | } |
392 | | |
393 | | std::vector<Group_Params> Supported_Groups::dh_groups() const |
394 | 0 | { |
395 | 0 | std::vector<Group_Params> dh; |
396 | 0 | for(auto g : m_groups) |
397 | 0 | { |
398 | 0 | if(group_param_is_dh(g) == true) |
399 | 0 | dh.push_back(g); |
400 | 0 | } |
401 | 0 | return dh; |
402 | 0 | } |
403 | | |
404 | | std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const |
405 | 2.57k | { |
406 | 2.57k | std::vector<uint8_t> buf(2); |
407 | | |
408 | 2.57k | for(auto g : m_groups) |
409 | 30.9k | { |
410 | 30.9k | const uint16_t id = static_cast<uint16_t>(g); |
411 | | |
412 | 30.9k | if(id > 0) |
413 | 30.9k | { |
414 | 30.9k | buf.push_back(get_byte<0>(id)); |
415 | 30.9k | buf.push_back(get_byte<1>(id)); |
416 | 30.9k | } |
417 | 30.9k | } |
418 | | |
419 | 2.57k | buf[0] = get_byte<0>(static_cast<uint16_t>(buf.size()-2)); |
420 | 2.57k | buf[1] = get_byte<1>(static_cast<uint16_t>(buf.size()-2)); |
421 | | |
422 | 2.57k | return buf; |
423 | 2.57k | } |
424 | | |
425 | | Supported_Groups::Supported_Groups(TLS_Data_Reader& reader, |
426 | | uint16_t extension_size) |
427 | 22.1k | { |
428 | 22.1k | const uint16_t len = reader.get_uint16_t(); |
429 | | |
430 | 22.1k | if(len + 2 != extension_size) |
431 | 94 | throw Decoding_Error("Inconsistent length field in supported groups list"); |
432 | | |
433 | 22.0k | if(len % 2 == 1) |
434 | 4 | throw Decoding_Error("Supported groups list of strange size"); |
435 | | |
436 | 22.0k | const size_t elems = len / 2; |
437 | | |
438 | 117k | for(size_t i = 0; i != elems; ++i) |
439 | 95.4k | { |
440 | 95.4k | const uint16_t id = reader.get_uint16_t(); |
441 | 95.4k | m_groups.push_back(static_cast<Group_Params>(id)); |
442 | 95.4k | } |
443 | 22.0k | } |
444 | | |
445 | | std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const |
446 | 5.83k | { |
447 | | // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1) |
448 | 5.83k | if(m_prefers_compressed) |
449 | 0 | { |
450 | 0 | return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED}; |
451 | 0 | } |
452 | 5.83k | else |
453 | 5.83k | { |
454 | 5.83k | return std::vector<uint8_t>{1, UNCOMPRESSED}; |
455 | 5.83k | } |
456 | 5.83k | } |
457 | | |
458 | | Supported_Point_Formats::Supported_Point_Formats(TLS_Data_Reader& reader, |
459 | | uint16_t extension_size) |
460 | 4.27k | { |
461 | 4.27k | uint8_t len = reader.get_byte(); |
462 | | |
463 | 4.27k | if(len + 1 != extension_size) |
464 | 71 | throw Decoding_Error("Inconsistent length field in supported point formats list"); |
465 | | |
466 | 6.36k | for(size_t i = 0; i != len; ++i) |
467 | 5.27k | { |
468 | 5.27k | uint8_t format = reader.get_byte(); |
469 | | |
470 | 5.27k | if(static_cast<ECPointFormat>(format) == UNCOMPRESSED) |
471 | 423 | { |
472 | 423 | m_prefers_compressed = false; |
473 | 423 | reader.discard_next(len-i-1); |
474 | 423 | return; |
475 | 423 | } |
476 | 4.84k | else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME) |
477 | 2.69k | { |
478 | 2.69k | m_prefers_compressed = true; |
479 | 2.69k | reader.discard_next(len-i-1); |
480 | 2.69k | return; |
481 | 2.69k | } |
482 | | |
483 | | // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves |
484 | 5.27k | } |
485 | 4.20k | } |
486 | | |
487 | | std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const |
488 | 2.57k | { |
489 | 2.57k | BOTAN_ASSERT(m_schemes.size() < 256, "Too many signature schemes"); |
490 | | |
491 | 2.57k | std::vector<uint8_t> buf; |
492 | | |
493 | 2.57k | const uint16_t len = static_cast<uint16_t>(m_schemes.size() * 2); |
494 | | |
495 | 2.57k | buf.push_back(get_byte<0>(len)); |
496 | 2.57k | buf.push_back(get_byte<1>(len)); |
497 | | |
498 | 2.57k | for(Signature_Scheme scheme : m_schemes) |
499 | 23.2k | { |
500 | 23.2k | buf.push_back(get_byte<0>(scheme.wire_code())); |
501 | 23.2k | buf.push_back(get_byte<1>(scheme.wire_code())); |
502 | 23.2k | } |
503 | | |
504 | 2.57k | return buf; |
505 | 2.57k | } |
506 | | |
507 | | Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader, |
508 | | uint16_t extension_size) |
509 | 2.45k | { |
510 | 2.45k | uint16_t len = reader.get_uint16_t(); |
511 | | |
512 | 2.45k | if(len + 2 != extension_size || len % 2 == 1 || len == 0) |
513 | 101 | { |
514 | 101 | throw Decoding_Error("Bad encoding on signature algorithms extension"); |
515 | 101 | } |
516 | | |
517 | 24.1k | while(len) |
518 | 21.8k | { |
519 | 21.8k | m_schemes.emplace_back(reader.get_uint16_t()); |
520 | 21.8k | len -= 2; |
521 | 21.8k | } |
522 | 2.34k | } |
523 | | |
524 | | Session_Ticket::Session_Ticket(TLS_Data_Reader& reader, |
525 | | uint16_t extension_size) : m_ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size)) |
526 | 7.43k | {} |
527 | | |
528 | | SRTP_Protection_Profiles::SRTP_Protection_Profiles(TLS_Data_Reader& reader, |
529 | | uint16_t extension_size) : m_pp(reader.get_range<uint16_t>(2, 0, 65535)) |
530 | 1.20k | { |
531 | 1.20k | const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255); |
532 | | |
533 | 1.20k | if(m_pp.size() * 2 + mki.size() + 3 != extension_size) |
534 | 104 | throw Decoding_Error("Bad encoding for SRTP protection extension"); |
535 | | |
536 | 1.10k | if(!mki.empty()) |
537 | 4 | throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension"); |
538 | 1.10k | } |
539 | | |
540 | | std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const |
541 | 0 | { |
542 | 0 | std::vector<uint8_t> buf; |
543 | |
|
544 | 0 | const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2); |
545 | 0 | buf.push_back(get_byte<0>(pp_len)); |
546 | 0 | buf.push_back(get_byte<1>(pp_len)); |
547 | |
|
548 | 0 | for(uint16_t pp : m_pp) |
549 | 0 | { |
550 | 0 | buf.push_back(get_byte<0>(pp)); |
551 | 0 | buf.push_back(get_byte<1>(pp)); |
552 | 0 | } |
553 | |
|
554 | 0 | buf.push_back(0); // srtp_mki, always empty here |
555 | |
|
556 | 0 | return buf; |
557 | 0 | } |
558 | | |
559 | | Extended_Master_Secret::Extended_Master_Secret(TLS_Data_Reader& /*unused*/, |
560 | | uint16_t extension_size) |
561 | 1.54k | { |
562 | 1.54k | if(extension_size != 0) |
563 | 60 | throw Decoding_Error("Invalid extended_master_secret extension"); |
564 | 1.54k | } |
565 | | |
566 | | std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const |
567 | 3.73k | { |
568 | 3.73k | return std::vector<uint8_t>(); |
569 | 3.73k | } |
570 | | |
571 | | Encrypt_then_MAC::Encrypt_then_MAC(TLS_Data_Reader& /*unused*/, |
572 | | uint16_t extension_size) |
573 | 3.08k | { |
574 | 3.08k | if(extension_size != 0) |
575 | 58 | throw Decoding_Error("Invalid encrypt_then_mac extension"); |
576 | 3.08k | } |
577 | | |
578 | | std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const |
579 | 5.22k | { |
580 | 5.22k | return std::vector<uint8_t>(); |
581 | 5.22k | } |
582 | | |
583 | | std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const |
584 | 2.57k | { |
585 | 2.57k | std::vector<uint8_t> buf; |
586 | | |
587 | 2.57k | if(whoami == Connection_Side::SERVER) |
588 | 0 | { |
589 | 0 | BOTAN_ASSERT_NOMSG(m_versions.size() == 1); |
590 | 0 | buf.push_back(m_versions[0].major_version()); |
591 | 0 | buf.push_back(m_versions[0].minor_version()); |
592 | 0 | } |
593 | 2.57k | else |
594 | 2.57k | { |
595 | 2.57k | BOTAN_ASSERT_NOMSG(!m_versions.empty()); |
596 | 2.57k | const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2); |
597 | | |
598 | 2.57k | buf.push_back(len); |
599 | | |
600 | 2.57k | for(Protocol_Version version : m_versions) |
601 | 2.57k | { |
602 | 2.57k | buf.push_back(version.major_version()); |
603 | 2.57k | buf.push_back(version.minor_version()); |
604 | 2.57k | } |
605 | 2.57k | } |
606 | | |
607 | 2.57k | return buf; |
608 | 2.57k | } |
609 | | |
610 | | |
611 | | Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& policy) |
612 | 2.57k | { |
613 | 2.57k | if(offer.is_datagram_protocol()) |
614 | 0 | { |
615 | 0 | #if defined(BOTAN_HAS_TLS_12) |
616 | 0 | if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12()) |
617 | 0 | m_versions.push_back(Protocol_Version::DTLS_V12); |
618 | 0 | #endif |
619 | 0 | } |
620 | 2.57k | else |
621 | 2.57k | { |
622 | 2.57k | #if defined(BOTAN_HAS_TLS_13) |
623 | 2.57k | if(offer >= Protocol_Version::TLS_V13 && policy.allow_tls13()) |
624 | 0 | m_versions.push_back(Protocol_Version::TLS_V13); |
625 | 2.57k | #endif |
626 | 2.57k | #if defined(BOTAN_HAS_TLS_12) |
627 | 2.57k | if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12()) |
628 | 2.57k | m_versions.push_back(Protocol_Version::TLS_V12); |
629 | 2.57k | #endif |
630 | 2.57k | } |
631 | 2.57k | } |
632 | | |
633 | | Supported_Versions::Supported_Versions(TLS_Data_Reader& reader, |
634 | | uint16_t extension_size, |
635 | | Connection_Side from) |
636 | 1.57k | { |
637 | 1.57k | if(from == Connection_Side::SERVER) |
638 | 995 | { |
639 | 995 | if(extension_size != 2) |
640 | 36 | throw Decoding_Error("Server sent invalid supported_versions extension"); |
641 | 959 | m_versions.push_back(Protocol_Version(reader.get_uint16_t())); |
642 | 959 | } |
643 | 581 | else |
644 | 581 | { |
645 | 581 | auto versions = reader.get_range<uint16_t>(1, 1, 127); |
646 | | |
647 | 581 | for(auto v : versions) |
648 | 2.73k | m_versions.push_back(Protocol_Version(v)); |
649 | | |
650 | 581 | if(extension_size != 1+2*versions.size()) |
651 | 79 | throw Decoding_Error("Client sent invalid supported_versions extension"); |
652 | 581 | } |
653 | 1.57k | } |
654 | | |
655 | | bool Supported_Versions::supports(Protocol_Version version) const |
656 | 0 | { |
657 | 0 | for(auto v : m_versions) |
658 | 0 | if(version == v) |
659 | 0 | return true; |
660 | 0 | return false; |
661 | 0 | } |
662 | | |
663 | | |
664 | | Record_Size_Limit::Record_Size_Limit(const uint16_t limit) |
665 | | : m_limit(limit) |
666 | 0 | { |
667 | 0 | BOTAN_ASSERT(limit >= 64, |
668 | 0 | "RFC 8449 does not allow record size limits smaller than 64 bytes"); |
669 | 0 | BOTAN_ASSERT(limit <= MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */, |
670 | 0 | "RFC 8449 does not allow record size limits larger than 2^14+1"); |
671 | 0 | } |
672 | | |
673 | | Record_Size_Limit::Record_Size_Limit(TLS_Data_Reader& reader, |
674 | | uint16_t extension_size, |
675 | | Connection_Side from) |
676 | 1.20k | { |
677 | 1.20k | if(extension_size != 2) |
678 | 41 | { |
679 | 41 | throw TLS_Exception(Alert::DECODE_ERROR, "invalid record_size_limit extension"); |
680 | 41 | } |
681 | | |
682 | 1.15k | m_limit = reader.get_uint16_t(); |
683 | | |
684 | | // RFC 8449 4. |
685 | | // This value is the length of the plaintext of a protected record. |
686 | | // The value includes the content type and padding added in TLS 1.3 (that |
687 | | // is, the complete length of TLSInnerPlaintext). |
688 | | // |
689 | | // A server MUST NOT enforce this restriction; a client might advertise |
690 | | // a higher limit that is enabled by an extension or version the server |
691 | | // does not understand. A client MAY abort the handshake with an |
692 | | // "illegal_parameter" alert. |
693 | | // |
694 | | // Note: We are currently supporting this extension in TLS 1.3 only, hence |
695 | | // we check for the TLS 1.3 limit. The TLS 1.2 limit would not include |
696 | | // the "content type byte" and hence be one byte less! |
697 | 1.15k | if(m_limit > MAX_PLAINTEXT_SIZE + 1 /* encrypted content type byte */ && from == SERVER) |
698 | 8 | { |
699 | 8 | throw TLS_Exception(Alert::ILLEGAL_PARAMETER, |
700 | 8 | "Server requested a record size limit larger than the protocol's maximum"); |
701 | 8 | } |
702 | | |
703 | | // RFC 8449 4. |
704 | | // Endpoints MUST NOT send a "record_size_limit" extension with a value |
705 | | // smaller than 64. An endpoint MUST treat receipt of a smaller value |
706 | | // as a fatal error and generate an "illegal_parameter" alert. |
707 | 1.15k | if(m_limit < 64) |
708 | 24 | { |
709 | 24 | throw TLS_Exception(Alert::ILLEGAL_PARAMETER, |
710 | 24 | "Received a record size limit smaller than 64 bytes"); |
711 | 24 | } |
712 | 1.15k | } |
713 | | |
714 | | std::vector<uint8_t> Record_Size_Limit::serialize(Connection_Side) const |
715 | 0 | { |
716 | 0 | std::vector<uint8_t> buf; |
717 | |
|
718 | 0 | buf.push_back(get_byte<0>(m_limit)); |
719 | 0 | buf.push_back(get_byte<1>(m_limit)); |
720 | |
|
721 | 0 | return buf; |
722 | 0 | } |
723 | | |
724 | | |
725 | | #if defined(BOTAN_HAS_TLS_13) |
726 | | Cookie::Cookie(const std::vector<uint8_t>& cookie) : |
727 | | m_cookie(cookie) |
728 | 0 | { |
729 | 0 | } |
730 | | |
731 | | Cookie::Cookie(TLS_Data_Reader& reader, |
732 | | uint16_t extension_size) |
733 | 1.12k | { |
734 | 1.12k | if (extension_size == 0) |
735 | 372 | { |
736 | 372 | return; |
737 | 372 | } |
738 | | |
739 | 756 | const uint16_t len = reader.get_uint16_t(); |
740 | | |
741 | 756 | if (len == 0) |
742 | 4 | { |
743 | | // Based on RFC 8446 4.2.2, len of the Cookie buffer must be at least 1 |
744 | 4 | throw Decoding_Error("Cookie length must be at least 1 byte"); |
745 | 4 | } |
746 | | |
747 | 752 | if (len > reader.remaining_bytes()) |
748 | 65 | { |
749 | 65 | throw Decoding_Error("Not enough bytes in the buffer to decode Cookie"); |
750 | 65 | } |
751 | | |
752 | 21.3k | for (auto i = 0u; i < len; ++i) |
753 | 20.6k | { |
754 | 20.6k | m_cookie.push_back(reader.get_byte()); |
755 | 20.6k | } |
756 | 687 | } |
757 | | |
758 | | std::vector<uint8_t> Cookie::serialize(Connection_Side /*whoami*/) const |
759 | 0 | { |
760 | 0 | std::vector<uint8_t> buf; |
761 | |
|
762 | 0 | const uint16_t len = static_cast<uint16_t>(m_cookie.size()); |
763 | |
|
764 | 0 | buf.push_back(get_byte<0>(len)); |
765 | 0 | buf.push_back(get_byte<1>(len)); |
766 | |
|
767 | 0 | for (const auto& cookie_byte : m_cookie) |
768 | 0 | { |
769 | 0 | buf.push_back(cookie_byte); |
770 | 0 | } |
771 | |
|
772 | 0 | return buf; |
773 | 0 | } |
774 | | |
775 | | |
776 | | std::vector<uint8_t> PSK_Key_Exchange_Modes::serialize(Connection_Side) const |
777 | 0 | { |
778 | 0 | std::vector<uint8_t> buf; |
779 | |
|
780 | 0 | BOTAN_ASSERT_NOMSG(m_modes.size() < 256); |
781 | 0 | buf.push_back(static_cast<uint8_t>(m_modes.size())); |
782 | 0 | for (const auto& mode : m_modes) |
783 | 0 | { |
784 | 0 | buf.push_back(static_cast<uint8_t>(mode)); |
785 | 0 | } |
786 | |
|
787 | 0 | return buf; |
788 | 0 | } |
789 | | |
790 | | PSK_Key_Exchange_Modes::PSK_Key_Exchange_Modes(TLS_Data_Reader& reader, uint16_t extension_size) |
791 | 1.66k | { |
792 | 1.66k | if (extension_size < 2) |
793 | 9 | { |
794 | 9 | throw Decoding_Error("Empty psk_key_exchange_modes extension is illegal"); |
795 | 9 | } |
796 | | |
797 | 1.65k | const auto mode_count = reader.get_byte(); |
798 | 7.29k | for(uint16_t i = 0; i < mode_count; ++i) |
799 | 5.70k | { |
800 | 5.70k | const uint8_t mode = reader.get_byte(); |
801 | 5.70k | if (mode != 0 && mode != 1) |
802 | 67 | { |
803 | 67 | throw Decoding_Error("Unexpected PSK mode: " + std::to_string(mode)); |
804 | 67 | } |
805 | | |
806 | 5.64k | m_modes.push_back(PSK_Key_Exchange_Mode(mode)); |
807 | 5.64k | } |
808 | 1.65k | } |
809 | | |
810 | | |
811 | | std::vector<uint8_t> Certificate_Authorities::serialize(Connection_Side) const |
812 | 0 | { throw Botan::Not_Implemented("serializing Certificate_Authorities is NYI"); } |
813 | | |
814 | | Certificate_Authorities::Certificate_Authorities(TLS_Data_Reader& reader, uint16_t extension_size) |
815 | 3.72k | { |
816 | 3.72k | if (extension_size < 2) |
817 | 6 | { |
818 | 6 | throw Decoding_Error("Empty certificate_authorities extension is illegal"); |
819 | 6 | } |
820 | | |
821 | 3.71k | const uint16_t purported_size = reader.get_uint16_t(); |
822 | | |
823 | 3.71k | if(reader.remaining_bytes() != purported_size) |
824 | 91 | throw Decoding_Error("Inconsistent length in certificate_authorities extension"); |
825 | | |
826 | 8.08k | while(reader.has_remaining()) |
827 | 4.45k | { |
828 | 4.45k | std::vector<uint8_t> name_bits = reader.get_tls_length_value(2); |
829 | | |
830 | 4.45k | BER_Decoder decoder(name_bits.data(), name_bits.size()); |
831 | 4.45k | m_distinguished_names.emplace_back(); |
832 | 4.45k | decoder.decode(m_distinguished_names.back()); |
833 | 4.45k | } |
834 | 3.62k | } |
835 | | |
836 | | |
837 | | Signature_Algorithms_Cert::Signature_Algorithms_Cert(const std::vector<Signature_Scheme>& schemes) |
838 | | : m_siganture_algorithms(schemes) |
839 | 0 | { |
840 | 0 | } |
841 | | |
842 | | Signature_Algorithms_Cert::Signature_Algorithms_Cert(TLS_Data_Reader& reader, uint16_t extension_size) |
843 | | : m_siganture_algorithms(reader, extension_size) |
844 | 756 | { |
845 | 756 | } |
846 | | |
847 | | std::vector<uint8_t> Signature_Algorithms_Cert::serialize(Connection_Side whoami) const |
848 | 0 | { |
849 | 0 | return m_siganture_algorithms.serialize(whoami); |
850 | 0 | } |
851 | | |
852 | | std::vector<uint8_t> EarlyDataIndication::serialize(Connection_Side) const |
853 | 0 | { |
854 | 0 | std::vector<uint8_t> result; |
855 | 0 | if(m_max_early_data_size.has_value()) |
856 | 0 | { |
857 | 0 | const auto max_data = m_max_early_data_size.value(); |
858 | 0 | result.push_back(get_byte<0>(max_data)); |
859 | 0 | result.push_back(get_byte<1>(max_data)); |
860 | 0 | result.push_back(get_byte<2>(max_data)); |
861 | 0 | result.push_back(get_byte<3>(max_data)); |
862 | 0 | } |
863 | 0 | return result; |
864 | 0 | } |
865 | | |
866 | | EarlyDataIndication::EarlyDataIndication(TLS_Data_Reader& reader, |
867 | | uint16_t extension_size, |
868 | | Handshake_Type message_type) |
869 | 455 | { |
870 | 455 | if(message_type == NEW_SESSION_TICKET) |
871 | 0 | { |
872 | 0 | if(extension_size != 4) |
873 | 0 | { |
874 | 0 | throw TLS_Exception(Alert::DECODE_ERROR, |
875 | 0 | "Received an early_data extension in a NewSessionTicket message " |
876 | 0 | "without maximum early data size indication"); |
877 | 0 | } |
878 | | |
879 | 0 | m_max_early_data_size = reader.get_uint32_t(); |
880 | 0 | } |
881 | 455 | else if(extension_size != 0) |
882 | 62 | { |
883 | 62 | throw TLS_Exception(Alert::DECODE_ERROR, |
884 | 62 | "Received an early_data extension containing an unexpected data " |
885 | 62 | "size indication"); |
886 | 62 | } |
887 | 455 | } |
888 | | |
889 | | bool EarlyDataIndication::empty() const |
890 | 0 | { |
891 | | // This extension may be empty by definition but still carry information |
892 | 0 | return false; |
893 | 0 | } |
894 | | |
895 | | #endif |
896 | | } |