/src/botan/src/lib/tls/tls12/msg_client_kex.cpp

Source (jump to first uncovered line)
/*
* Client Key Exchange Message
* (C) 2004-2010,2016 Jack Lloyd
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/tls_messages.h>

#include <botan/rng.h>
#include <botan/tls_extensions.h>

#include <botan/credentials_manager.h>
#include <botan/internal/ct_utils.h>
#include <botan/internal/stl_util.h>
#include <botan/internal/tls_handshake_hash.h>
#include <botan/internal/tls_handshake_io.h>
#include <botan/internal/tls_handshake_state.h>
#include <botan/internal/tls_reader.h>

#include <botan/ecdh.h>
#include <botan/rsa.h>

namespace Botan::TLS {

/*
* Create a new Client Key Exchange message
*/
Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
                                         Handshake_State& state,
                                         const Policy& policy,
                                         Credentials_Manager& creds,
                                         const Public_Key* server_public_key,
                                         std::string_view hostname,
                                         RandomNumberGenerator& rng) {
   const Kex_Algo kex_algo = state.ciphersuite().kex_method();

   if(kex_algo == Kex_Algo::PSK) {
      std::string identity_hint;

      if(state.server_kex()) {
         TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params());
         identity_hint = reader.get_string(2, 0, 65535);
      }

      m_psk_identity = creds.psk_identity("tls-client", std::string(hostname), identity_hint);

      append_tls_length_value(m_key_material, to_byte_vector(m_psk_identity.value()), 2);

      SymmetricKey psk = creds.psk("tls-client", std::string(hostname), m_psk_identity.value());

      std::vector<uint8_t> zeros(psk.length());

      append_tls_length_value(m_pre_master, zeros, 2);
      append_tls_length_value(m_pre_master, psk.bits_of(), 2);
   } else if(state.server_kex()) {
      TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params());

      SymmetricKey psk;

      if(kex_algo == Kex_Algo::ECDHE_PSK) {
         std::string identity_hint = reader.get_string(2, 0, 65535);

         m_psk_identity = creds.psk_identity("tls-client", std::string(hostname), identity_hint);

         append_tls_length_value(m_key_material, to_byte_vector(m_psk_identity.value()), 2);

         psk = creds.psk("tls-client", std::string(hostname), m_psk_identity.value());
      }

      if(kex_algo == Kex_Algo::DH) {
         const auto modulus = BigInt::from_bytes(reader.get_range<uint8_t>(2, 1, 65535));
         const auto generator = BigInt::from_bytes(reader.get_range<uint8_t>(2, 1, 65535));
         const std::vector<uint8_t> peer_public_value = reader.get_range<uint8_t>(2, 1, 65535);

         if(reader.remaining_bytes()) {
            throw Decoding_Error("Bad params size for DH key exchange");
         }

         DL_Group group(modulus, generator);

         if(!group.verify_group(rng, false)) {
            throw TLS_Exception(Alert::InsufficientSecurity, "DH group validation failed");
         }

         const auto private_key = state.callbacks().tls_generate_ephemeral_key(group, rng);
         auto shared_secret = CT::strip_leading_zeros(
            state.callbacks().tls_ephemeral_key_agreement(group, *private_key, peer_public_value, rng, policy));

         if(kex_algo == Kex_Algo::DH) {
            m_pre_master = std::move(shared_secret);
         } else {
            append_tls_length_value(m_pre_master, shared_secret, 2);
            append_tls_length_value(m_pre_master, psk.bits_of(), 2);
         }

         append_tls_length_value(m_key_material, private_key->public_value(), 2);
      } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {
         const uint8_t curve_type = reader.get_byte();
         if(curve_type != 3) {
            throw Decoding_Error("Server sent non-named ECC curve");
         }

         const Group_Params curve_id = static_cast<Group_Params>(reader.get_uint16_t());
         const std::vector<uint8_t> peer_public_value = reader.get_range<uint8_t>(1, 1, 255);

         if(!curve_id.is_ecdh_named_curve() && !curve_id.is_x25519() && !curve_id.is_x448()) {
            throw TLS_Exception(Alert::IllegalParameter,
                                "Server selected a group that is not compatible with the negotiated ciphersuite");
         }

         if(policy.choose_key_exchange_group({curve_id}, {}) != curve_id) {
            throw TLS_Exception(Alert::HandshakeFailure, "Server sent ECC curve prohibited by policy");
         }

         const auto private_key = state.callbacks().tls_generate_ephemeral_key(curve_id, rng);
         auto shared_secret =
            state.callbacks().tls_ephemeral_key_agreement(curve_id, *private_key, peer_public_value, rng, policy);

         if(kex_algo == Kex_Algo::ECDH) {
            m_pre_master = std::move(shared_secret);
         } else {
            append_tls_length_value(m_pre_master, shared_secret, 2);
            append_tls_length_value(m_pre_master, psk.bits_of(), 2);
         }

         if(curve_id.is_ecdh_named_curve()) {
            auto ecdh_key = dynamic_cast<ECDH_PublicKey*>(private_key.get());
            if(!ecdh_key) {
               throw TLS_Exception(Alert::InternalError, "Application did not provide a ECDH_PublicKey");
            }
            append_tls_length_value(m_key_material,
                                    ecdh_key->public_value(state.server_hello()->prefers_compressed_ec_points()
                                                              ? EC_Point_Format::Compressed
                                                              : EC_Point_Format::Uncompressed),
                                    1);
         } else {
            append_tls_length_value(m_key_material, private_key->public_value(), 1);
         }
      } else {
         throw Internal_Error("Client_Key_Exchange: Unknown key exchange method was negotiated");
      }

      reader.assert_done();
   } else {
      // No server key exchange msg better mean RSA kex + RSA key in cert

      if(kex_algo != Kex_Algo::STATIC_RSA) {
         throw Unexpected_Message("No server kex message, but negotiated a key exchange that required it");
      }

      if(!server_public_key) {
         throw Internal_Error("No server public key for RSA exchange");
      }

      if(auto rsa_pub = dynamic_cast<const RSA_PublicKey*>(server_public_key)) {
         const Protocol_Version offered_version = state.client_hello()->legacy_version();

         rng.random_vec(m_pre_master, 48);
         m_pre_master[0] = offered_version.major_version();
         m_pre_master[1] = offered_version.minor_version();

         PK_Encryptor_EME encryptor(*rsa_pub, rng, "PKCS1v15");

         const std::vector<uint8_t> encrypted_key = encryptor.encrypt(m_pre_master, rng);

         append_tls_length_value(m_key_material, encrypted_key, 2);
      } else {
         throw TLS_Exception(Alert::HandshakeFailure,
                             "Expected a RSA key in server cert but got " + server_public_key->algo_name());
      }
   }

   state.hash().update(io.send(*this));
}

/*
* Read a Client Key Exchange message
*/
Client_Key_Exchange::Client_Key_Exchange(const std::vector<uint8_t>& contents,
                                         const Handshake_State& state,
                                         const Private_Key* server_rsa_kex_key,
                                         Credentials_Manager& creds,
                                         const Policy& policy,
                                         RandomNumberGenerator& rng) {
   const Kex_Algo kex_algo = state.ciphersuite().kex_method();

   if(kex_algo == Kex_Algo::STATIC_RSA) {
      BOTAN_ASSERT(state.server_certs() && !state.server_certs()->cert_chain().empty(),
                   "RSA key exchange negotiated so server sent a certificate");

      if(!server_rsa_kex_key) {
         throw Internal_Error("Expected RSA kex but no server kex key set");
      }

      if(server_rsa_kex_key->algo_name() != "RSA") {
         throw Internal_Error("Expected RSA key but got " + server_rsa_kex_key->algo_name());
      }

      TLS_Data_Reader reader("ClientKeyExchange", contents);
      const std::vector<uint8_t> encrypted_pre_master = reader.get_range<uint8_t>(2, 0, 65535);
      reader.assert_done();

      PK_Decryptor_EME decryptor(*server_rsa_kex_key, rng, "PKCS1v15");

      const uint8_t client_major = state.client_hello()->legacy_version().major_version();
      const uint8_t client_minor = state.client_hello()->legacy_version().minor_version();

      /*
      * PK_Decryptor::decrypt_or_random will return a random value if
      * either the length does not match the expected value or if the
      * version number embedded in the PMS does not match the one sent
      * in the client hello.
      */
      const size_t expected_plaintext_size = 48;
      const size_t expected_content_size = 2;
      const uint8_t expected_content_bytes[expected_content_size] = {client_major, client_minor};
      const uint8_t expected_content_pos[expected_content_size] = {0, 1};

      m_pre_master = decryptor.decrypt_or_random(encrypted_pre_master.data(),
                                                 encrypted_pre_master.size(),
                                                 expected_plaintext_size,
                                                 rng,
                                                 expected_content_bytes,
                                                 expected_content_pos,
                                                 expected_content_size);
   } else {
      TLS_Data_Reader reader("ClientKeyExchange", contents);

      SymmetricKey psk;

      if(key_exchange_is_psk(kex_algo)) {
         m_psk_identity = reader.get_string(2, 0, 65535);

         psk = creds.psk("tls-server", state.client_hello()->sni_hostname(), m_psk_identity.value());

         if(psk.empty()) {
            if(policy.hide_unknown_users()) {
               psk = SymmetricKey(rng, 16);
            } else {
               throw TLS_Exception(Alert::UnknownPSKIdentity, "No PSK for identifier " + m_psk_identity.value());
            }
         }
      }

      if(kex_algo == Kex_Algo::PSK) {
         std::vector<uint8_t> zeros(psk.length());
         append_tls_length_value(m_pre_master, zeros, 2);
         append_tls_length_value(m_pre_master, psk.bits_of(), 2);
      } else if(kex_algo == Kex_Algo::DH || kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {
         const PK_Key_Agreement_Key& ka_key = state.server_kex()->server_kex_key();

         const std::vector<uint8_t> client_pubkey = (ka_key.algo_name() == "DH")
                                                       ? reader.get_range<uint8_t>(2, 0, 65535)
                                                       : reader.get_range<uint8_t>(1, 1, 255);

         const auto shared_group = state.server_kex()->shared_group();
         BOTAN_STATE_CHECK(shared_group && shared_group.value() != Group_Params::NONE);

         try {
            auto shared_secret =
               state.callbacks().tls_ephemeral_key_agreement(shared_group.value(), ka_key, client_pubkey, rng, policy);

            if(ka_key.algo_name() == "DH") {
               shared_secret = CT::strip_leading_zeros(shared_secret);
            }

            if(kex_algo == Kex_Algo::ECDHE_PSK) {
               append_tls_length_value(m_pre_master, shared_secret, 2);
               append_tls_length_value(m_pre_master, psk.bits_of(), 2);
            } else {
               m_pre_master = shared_secret;
            }
         } catch(Invalid_Argument& e) {
            throw TLS_Exception(Alert::IllegalParameter, e.what());
         } catch(TLS_Exception& e) {
            // NOLINTNEXTLINE(cert-err60-cpp)
            throw e;
         } catch(std::exception&) {
            /*
            * Something failed in the DH/ECDH computation. To avoid possible
            * attacks which are based on triggering and detecting some edge
            * failure condition, randomize the pre-master output and carry on,
            * allowing the protocol to fail later in the finished checks.
            */
            rng.random_vec(m_pre_master, ka_key.public_value().size());
         }

         reader.assert_done();
      } else {
         throw Internal_Error("Client_Key_Exchange: Unknown key exchange negotiated");
      }
   }
}

}  // namespace Botan::TLS

Coverage Report

Created: 2024-11-29 06:10

Line	Count	Source (jump to first uncovered line)
1		/*
2		* Client Key Exchange Message
3		* (C) 2004-2010,2016 Jack Lloyd
4		* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/tls_messages.h>
10
11		#include <botan/rng.h>
12		#include <botan/tls_extensions.h>
13
14		#include <botan/credentials_manager.h>
15		#include <botan/internal/ct_utils.h>
16		#include <botan/internal/stl_util.h>
17		#include <botan/internal/tls_handshake_hash.h>
18		#include <botan/internal/tls_handshake_io.h>
19		#include <botan/internal/tls_handshake_state.h>
20		#include <botan/internal/tls_reader.h>
21
22		#include <botan/ecdh.h>
23		#include <botan/rsa.h>
24
25		namespace Botan::TLS {
26
27		/*
28		* Create a new Client Key Exchange message
29		*/
30		Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
31		Handshake_State& state,
32		const Policy& policy,
33		Credentials_Manager& creds,
34		const Public_Key* server_public_key,
35		std::string_view hostname,
36	0	RandomNumberGenerator& rng) {
37	0	const Kex_Algo kex_algo = state.ciphersuite().kex_method();
38
39	0	if(kex_algo == Kex_Algo::PSK) {
40	0	std::string identity_hint;
41
42	0	if(state.server_kex()) {
43	0	TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params());
44	0	identity_hint = reader.get_string(2, 0, 65535);
45	0	}
46
47	0	m_psk_identity = creds.psk_identity("tls-client", std::string(hostname), identity_hint);
48
49	0	append_tls_length_value(m_key_material, to_byte_vector(m_psk_identity.value()), 2);
50
51	0	SymmetricKey psk = creds.psk("tls-client", std::string(hostname), m_psk_identity.value());
52
53	0	std::vector<uint8_t> zeros(psk.length());
54
55	0	append_tls_length_value(m_pre_master, zeros, 2);
56	0	append_tls_length_value(m_pre_master, psk.bits_of(), 2);
57	0	} else if(state.server_kex()) {
58	0	TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params());
59
60	0	SymmetricKey psk;
61
62	0	if(kex_algo == Kex_Algo::ECDHE_PSK) {
63	0	std::string identity_hint = reader.get_string(2, 0, 65535);
64
65	0	m_psk_identity = creds.psk_identity("tls-client", std::string(hostname), identity_hint);
66
67	0	append_tls_length_value(m_key_material, to_byte_vector(m_psk_identity.value()), 2);
68
69	0	psk = creds.psk("tls-client", std::string(hostname), m_psk_identity.value());
70	0	}
71
72	0	if(kex_algo == Kex_Algo::DH) {
73	0	const auto modulus = BigInt::from_bytes(reader.get_range<uint8_t>(2, 1, 65535));
74	0	const auto generator = BigInt::from_bytes(reader.get_range<uint8_t>(2, 1, 65535));
75	0	const std::vector<uint8_t> peer_public_value = reader.get_range<uint8_t>(2, 1, 65535);
76
77	0	if(reader.remaining_bytes()) {
78	0	throw Decoding_Error("Bad params size for DH key exchange");
79	0	}
80
81	0	DL_Group group(modulus, generator);
82
83	0	if(!group.verify_group(rng, false)) {
84	0	throw TLS_Exception(Alert::InsufficientSecurity, "DH group validation failed");
85	0	}
86
87	0	const auto private_key = state.callbacks().tls_generate_ephemeral_key(group, rng);
88	0	auto shared_secret = CT::strip_leading_zeros(
89	0	state.callbacks().tls_ephemeral_key_agreement(group, *private_key, peer_public_value, rng, policy));
90
91	0	if(kex_algo == Kex_Algo::DH) {
92	0	m_pre_master = std::move(shared_secret);
93	0	} else {
94	0	append_tls_length_value(m_pre_master, shared_secret, 2);
95	0	append_tls_length_value(m_pre_master, psk.bits_of(), 2);
96	0	}
97
98	0	append_tls_length_value(m_key_material, private_key->public_value(), 2);
99	0	} else if(kex_algo == Kex_Algo::ECDH \|\| kex_algo == Kex_Algo::ECDHE_PSK) {
100	0	const uint8_t curve_type = reader.get_byte();
101	0	if(curve_type != 3) {
102	0	throw Decoding_Error("Server sent non-named ECC curve");
103	0	}
104
105	0	const Group_Params curve_id = static_cast<Group_Params>(reader.get_uint16_t());
106	0	const std::vector<uint8_t> peer_public_value = reader.get_range<uint8_t>(1, 1, 255);
107
108	0	if(!curve_id.is_ecdh_named_curve() && !curve_id.is_x25519() && !curve_id.is_x448()) {
109	0	throw TLS_Exception(Alert::IllegalParameter,
110	0	"Server selected a group that is not compatible with the negotiated ciphersuite");
111	0	}
112
113	0	if(policy.choose_key_exchange_group({curve_id}, {}) != curve_id) {
114	0	throw TLS_Exception(Alert::HandshakeFailure, "Server sent ECC curve prohibited by policy");
115	0	}
116
117	0	const auto private_key = state.callbacks().tls_generate_ephemeral_key(curve_id, rng);
118	0	auto shared_secret =
119	0	state.callbacks().tls_ephemeral_key_agreement(curve_id, *private_key, peer_public_value, rng, policy);
120
121	0	if(kex_algo == Kex_Algo::ECDH) {
122	0	m_pre_master = std::move(shared_secret);
123	0	} else {
124	0	append_tls_length_value(m_pre_master, shared_secret, 2);
125	0	append_tls_length_value(m_pre_master, psk.bits_of(), 2);
126	0	}
127
128	0	if(curve_id.is_ecdh_named_curve()) {
129	0	auto ecdh_key = dynamic_cast<ECDH_PublicKey*>(private_key.get());
130	0	if(!ecdh_key) {
131	0	throw TLS_Exception(Alert::InternalError, "Application did not provide a ECDH_PublicKey");
132	0	}
133	0	append_tls_length_value(m_key_material,
134	0	ecdh_key->public_value(state.server_hello()->prefers_compressed_ec_points()
135	0	? EC_Point_Format::Compressed
136	0	: EC_Point_Format::Uncompressed),
137	0	1);
138	0	} else {
139	0	append_tls_length_value(m_key_material, private_key->public_value(), 1);
140	0	}
141	0	} else {
142	0	throw Internal_Error("Client_Key_Exchange: Unknown key exchange method was negotiated");
143	0	}
144
145	0	reader.assert_done();
146	0	} else {
147		// No server key exchange msg better mean RSA kex + RSA key in cert
148
149	0	if(kex_algo != Kex_Algo::STATIC_RSA) {
150	0	throw Unexpected_Message("No server kex message, but negotiated a key exchange that required it");
151	0	}
152
153	0	if(!server_public_key) {
154	0	throw Internal_Error("No server public key for RSA exchange");
155	0	}
156
157	0	if(auto rsa_pub = dynamic_cast<const RSA_PublicKey*>(server_public_key)) {
158	0	const Protocol_Version offered_version = state.client_hello()->legacy_version();
159
160	0	rng.random_vec(m_pre_master, 48);
161	0	m_pre_master[0] = offered_version.major_version();
162	0	m_pre_master[1] = offered_version.minor_version();
163
164	0	PK_Encryptor_EME encryptor(*rsa_pub, rng, "PKCS1v15");
165
166	0	const std::vector<uint8_t> encrypted_key = encryptor.encrypt(m_pre_master, rng);
167
168	0	append_tls_length_value(m_key_material, encrypted_key, 2);
169	0	} else {
170	0	throw TLS_Exception(Alert::HandshakeFailure,
171	0	"Expected a RSA key in server cert but got " + server_public_key->algo_name());
172	0	}
173	0	}
174
175	0	state.hash().update(io.send(*this));
176	0	}
177
178		/*
179		* Read a Client Key Exchange message
180		*/
181		Client_Key_Exchange::Client_Key_Exchange(const std::vector<uint8_t>& contents,
182		const Handshake_State& state,
183		const Private_Key* server_rsa_kex_key,
184		Credentials_Manager& creds,
185		const Policy& policy,
186	3.57k	RandomNumberGenerator& rng) {
187	3.57k	const Kex_Algo kex_algo = state.ciphersuite().kex_method();
188
189	3.57k	if(kex_algo == Kex_Algo::STATIC_RSA) {
190	0	BOTAN_ASSERT(state.server_certs() && !state.server_certs()->cert_chain().empty(),
191	0	"RSA key exchange negotiated so server sent a certificate");
192
193	0	if(!server_rsa_kex_key) {
194	0	throw Internal_Error("Expected RSA kex but no server kex key set");
195	0	}
196
197	0	if(server_rsa_kex_key->algo_name() != "RSA") {
198	0	throw Internal_Error("Expected RSA key but got " + server_rsa_kex_key->algo_name());
199	0	}
200
201	0	TLS_Data_Reader reader("ClientKeyExchange", contents);
202	0	const std::vector<uint8_t> encrypted_pre_master = reader.get_range<uint8_t>(2, 0, 65535);
203	0	reader.assert_done();
204
205	0	PK_Decryptor_EME decryptor(*server_rsa_kex_key, rng, "PKCS1v15");
206
207	0	const uint8_t client_major = state.client_hello()->legacy_version().major_version();
208	0	const uint8_t client_minor = state.client_hello()->legacy_version().minor_version();
209
210		/*
211		* PK_Decryptor::decrypt_or_random will return a random value if
212		* either the length does not match the expected value or if the
213		* version number embedded in the PMS does not match the one sent
214		* in the client hello.
215		*/
216	0	const size_t expected_plaintext_size = 48;
217	0	const size_t expected_content_size = 2;
218	0	const uint8_t expected_content_bytes[expected_content_size] = {client_major, client_minor};
219	0	const uint8_t expected_content_pos[expected_content_size] = {0, 1};
220
221	0	m_pre_master = decryptor.decrypt_or_random(encrypted_pre_master.data(),
222	0	encrypted_pre_master.size(),
223	0	expected_plaintext_size,
224	0	rng,
225	0	expected_content_bytes,
226	0	expected_content_pos,
227	0	expected_content_size);
228	3.57k	} else {
229	3.57k	TLS_Data_Reader reader("ClientKeyExchange", contents);
230
231	3.57k	SymmetricKey psk;
232
233	3.57k	if(key_exchange_is_psk(kex_algo)) {
234	3.57k	m_psk_identity = reader.get_string(2, 0, 65535);
235
236	3.57k	psk = creds.psk("tls-server", state.client_hello()->sni_hostname(), m_psk_identity.value());
237
238	3.57k	if(psk.empty()) {
239	0	if(policy.hide_unknown_users()) {
240	0	psk = SymmetricKey(rng, 16);
241	0	} else {
242	0	throw TLS_Exception(Alert::UnknownPSKIdentity, "No PSK for identifier " + m_psk_identity.value());
243	0	}
244	0	}
245	3.57k	}
246
247	3.57k	if(kex_algo == Kex_Algo::PSK) {
248	2.68k	std::vector<uint8_t> zeros(psk.length());
249	2.68k	append_tls_length_value(m_pre_master, zeros, 2);
250	2.68k	append_tls_length_value(m_pre_master, psk.bits_of(), 2);
251	2.68k	} else if(kex_algo == Kex_Algo::DH \|\| kex_algo == Kex_Algo::ECDH \|\| kex_algo == Kex_Algo::ECDHE_PSK) {
252	800	const PK_Key_Agreement_Key& ka_key = state.server_kex()->server_kex_key();
253
254	800	const std::vector<uint8_t> client_pubkey = (ka_key.algo_name() == "DH")
255	800	? reader.get_range<uint8_t>(2, 0, 65535)
256	800	: reader.get_range<uint8_t>(1, 1, 255);
257
258	800	const auto shared_group = state.server_kex()->shared_group();
259	800	BOTAN_STATE_CHECK(shared_group && shared_group.value() != Group_Params::NONE);
260
261	800	try {
262	800	auto shared_secret =
263	800	state.callbacks().tls_ephemeral_key_agreement(shared_group.value(), ka_key, client_pubkey, rng, policy);
264
265	800	if(ka_key.algo_name() == "DH") {
266	0	shared_secret = CT::strip_leading_zeros(shared_secret);
267	0	}
268
269	800	if(kex_algo == Kex_Algo::ECDHE_PSK) {
270	533	append_tls_length_value(m_pre_master, shared_secret, 2);
271	533	append_tls_length_value(m_pre_master, psk.bits_of(), 2);
272	533	} else {
273	267	m_pre_master = shared_secret;
274	267	}
275	800	} catch(Invalid_Argument& e) {
276	6	throw TLS_Exception(Alert::IllegalParameter, e.what());
277	156	} catch(TLS_Exception& e) {
278		// NOLINTNEXTLINE(cert-err60-cpp)
279	156	throw e;
280	156	} catch(std::exception&) {
281		/*
282		* Something failed in the DH/ECDH computation. To avoid possible
283		* attacks which are based on triggering and detecting some edge
284		* failure condition, randomize the pre-master output and carry on,
285		* allowing the protocol to fail later in the finished checks.
286		*/
287	102	rng.random_vec(m_pre_master, ka_key.public_value().size());
288	102	}
289
290	635	reader.assert_done();
291	635	} else {
292	86	throw Internal_Error("Client_Key_Exchange: Unknown key exchange negotiated");
293	86	}
294	3.57k	}
295	3.57k	}
296
297		} // namespace Botan::TLS