Botan  2.1.0
Crypto and TLS for C++11
tls_extensions.cpp
Go to the documentation of this file.
1 /*
2 * TLS Extensions
3 * (C) 2011,2012,2015,2016 Jack Lloyd
4 * 2016 Juraj Somorovsky
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_extensions.h>
10 #include <botan/internal/tls_reader.h>
11 #include <botan/tls_exceptn.h>
12 
13 namespace Botan {
14 
15 namespace TLS {
16 
17 namespace {
18 
19 Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size)
20  {
21  switch(code)
22  {
24  return new Server_Name_Indicator(reader, size);
25 
26 #if defined(BOTAN_HAS_SRP6)
28  return new SRP_Identifier(reader, size);
29 #endif
30 
32  return new Supported_Elliptic_Curves(reader, size);
33 
35  return new Certificate_Status_Request(reader, size);
36 
38  return new Supported_Point_Formats(reader, size);
39 
41  return new Renegotiation_Extension(reader, size);
42 
44  return new Signature_Algorithms(reader, size);
45 
46  case TLSEXT_USE_SRTP:
47  return new SRTP_Protection_Profiles(reader, size);
48 
49  case TLSEXT_ALPN:
50  return new Application_Layer_Protocol_Notification(reader, size);
51 
53  return new Extended_Master_Secret(reader, size);
54 
56  return new Encrypt_then_MAC(reader, size);
57 
59  return new Session_Ticket(reader, size);
60  }
61 
62  return nullptr; // not known
63  }
64 
65 }
66 
68  {
69  if(reader.has_remaining())
70  {
71  const uint16_t all_extn_size = reader.get_uint16_t();
72 
73  if(reader.remaining_bytes() != all_extn_size)
74  throw Decoding_Error("Bad extension size");
75 
76  while(reader.has_remaining())
77  {
78  const uint16_t extension_code = reader.get_uint16_t();
79  const uint16_t extension_size = reader.get_uint16_t();
80 
81  Extension* extn = make_extension(reader,
82  extension_code,
83  extension_size);
84 
85  if(extn)
86  this->add(extn);
87  else // unknown/unhandled extension
88  reader.discard_next(extension_size);
89  }
90  }
91  }
92 
93 std::vector<uint8_t> Extensions::serialize() const
94  {
95  std::vector<uint8_t> buf(2); // 2 bytes for length field
96 
97  for(auto& extn : m_extensions)
98  {
99  if(extn.second->empty())
100  continue;
101 
102  const uint16_t extn_code = extn.second->type();
103 
104  std::vector<uint8_t> extn_val = extn.second->serialize();
105 
106  buf.push_back(get_byte(0, extn_code));
107  buf.push_back(get_byte(1, extn_code));
108 
109  buf.push_back(get_byte(0, static_cast<uint16_t>(extn_val.size())));
110  buf.push_back(get_byte(1, static_cast<uint16_t>(extn_val.size())));
111 
112  buf += extn_val;
113  }
114 
115  const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
116 
117  buf[0] = get_byte(0, extn_size);
118  buf[1] = get_byte(1, extn_size);
119 
120  // avoid sending a completely empty extensions block
121  if(buf.size() == 2)
122  return std::vector<uint8_t>();
123 
124  return buf;
125  }
126 
127 std::set<Handshake_Extension_Type> Extensions::extension_types() const
128  {
129  std::set<Handshake_Extension_Type> offers;
130  for(auto i = m_extensions.begin(); i != m_extensions.end(); ++i)
131  offers.insert(i->first);
132  return offers;
133  }
134 
136  uint16_t extension_size)
137  {
138  /*
139  * This is used by the server to confirm that it knew the name
140  */
141  if(extension_size == 0)
142  return;
143 
144  uint16_t name_bytes = reader.get_uint16_t();
145 
146  if(name_bytes + 2 != extension_size)
147  throw Decoding_Error("Bad encoding of SNI extension");
148 
149  while(name_bytes)
150  {
151  uint8_t name_type = reader.get_byte();
152  name_bytes--;
153 
154  if(name_type == 0) // DNS
155  {
156  m_sni_host_name = reader.get_string(2, 1, 65535);
157  name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
158  }
159  else // some other unknown name type
160  {
161  reader.discard_next(name_bytes);
162  name_bytes = 0;
163  }
164  }
165  }
166 
167 std::vector<uint8_t> Server_Name_Indicator::serialize() const
168  {
169  std::vector<uint8_t> buf;
170 
171  size_t name_len = m_sni_host_name.size();
172 
173  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len+3)));
174  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len+3)));
175  buf.push_back(0); // DNS
176 
177  buf.push_back(get_byte(0, static_cast<uint16_t>(name_len)));
178  buf.push_back(get_byte(1, static_cast<uint16_t>(name_len)));
179 
180  buf += std::make_pair(
181  reinterpret_cast<const uint8_t*>(m_sni_host_name.data()),
182  m_sni_host_name.size());
183 
184  return buf;
185  }
186 
187 #if defined(BOTAN_HAS_SRP6)
188 
189 SRP_Identifier::SRP_Identifier(TLS_Data_Reader& reader,
190  uint16_t extension_size) : m_srp_identifier(reader.get_string(1, 1, 255))
191  {
192  if(m_srp_identifier.size() + 1 != extension_size)
193  throw Decoding_Error("Bad encoding for SRP identifier extension");
194  }
195 
196 std::vector<uint8_t> SRP_Identifier::serialize() const
197  {
198  std::vector<uint8_t> buf;
199 
200  const uint8_t* srp_bytes =
201  reinterpret_cast<const uint8_t*>(m_srp_identifier.data());
202 
203  append_tls_length_value(buf, srp_bytes, m_srp_identifier.size(), 1);
204 
205  return buf;
206  }
207 
208 #endif
209 
211  uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255))
212  {
213  if(m_reneg_data.size() + 1 != extension_size)
214  throw Decoding_Error("Bad encoding for secure renegotiation extn");
215  }
216 
217 std::vector<uint8_t> Renegotiation_Extension::serialize() const
218  {
219  std::vector<uint8_t> buf;
220  append_tls_length_value(buf, m_reneg_data, 1);
221  return buf;
222  }
223 
225  uint16_t extension_size)
226  {
227  if(extension_size == 0)
228  return; // empty extension
229 
230  const uint16_t name_bytes = reader.get_uint16_t();
231 
232  size_t bytes_remaining = extension_size - 2;
233 
234  if(name_bytes != bytes_remaining)
235  throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
236 
237  while(bytes_remaining)
238  {
239  const std::string p = reader.get_string(1, 0, 255);
240 
241  if(bytes_remaining < p.size() + 1)
242  throw Decoding_Error("Bad encoding of ALPN, length field too long");
243 
244  bytes_remaining -= (p.size() + 1);
245 
246  m_protocols.push_back(p);
247  }
248  }
249 
251  {
252  if(m_protocols.size() != 1)
254  "Server sent " + std::to_string(m_protocols.size()) +
255  " protocols in ALPN extension response");
256  return m_protocols[0];
257  }
258 
260  {
261  std::vector<uint8_t> buf(2);
262 
263  for(auto&& p: m_protocols)
264  {
265  if(p.length() >= 256)
266  throw TLS_Exception(Alert::INTERNAL_ERROR, "ALPN name too long");
267  if(p != "")
269  reinterpret_cast<const uint8_t*>(p.data()),
270  p.size(),
271  1);
272  }
273 
274  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
275  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
276 
277  return buf;
278  }
279 
281  {
282  switch(id)
283  {
284  case 23:
285  return "secp256r1";
286  case 24:
287  return "secp384r1";
288  case 25:
289  return "secp521r1";
290  case 26:
291  return "brainpool256r1";
292  case 27:
293  return "brainpool384r1";
294  case 28:
295  return "brainpool512r1";
296 
297 #if defined(BOTAN_HAS_CURVE_25519)
298  case 29:
299  return "x25519";
300 #endif
301 
302 #if defined(BOTAN_HOUSE_ECC_CURVE_NAME)
303  case BOTAN_HOUSE_ECC_CURVE_TLS_ID:
304  return BOTAN_HOUSE_ECC_CURVE_NAME;
305 #endif
306 
307  default:
308  return ""; // something we don't know or support
309  }
310  }
311 
312 uint16_t Supported_Elliptic_Curves::name_to_curve_id(const std::string& name)
313  {
314  if(name == "secp256r1")
315  return 23;
316  if(name == "secp384r1")
317  return 24;
318  if(name == "secp521r1")
319  return 25;
320  if(name == "brainpool256r1")
321  return 26;
322  if(name == "brainpool384r1")
323  return 27;
324  if(name == "brainpool512r1")
325  return 28;
326 
327 #if defined(BOTAN_HAS_CURVE_25519)
328  if(name == "x25519")
329  return 29;
330 #endif
331 
332 #if defined(BOTAN_HOUSE_ECC_CURVE_NAME)
333  if(name == BOTAN_HOUSE_ECC_CURVE_NAME)
334  return BOTAN_HOUSE_ECC_CURVE_TLS_ID;
335 #endif
336 
337  // Unknown/unavailable EC curves are ignored
338  return 0;
339  }
340 
341 std::vector<uint8_t> Supported_Elliptic_Curves::serialize() const
342  {
343  std::vector<uint8_t> buf(2);
344 
345  for(size_t i = 0; i != m_curves.size(); ++i)
346  {
347  const uint16_t id = name_to_curve_id(m_curves[i]);
348 
349  if(id > 0)
350  {
351  buf.push_back(get_byte(0, id));
352  buf.push_back(get_byte(1, id));
353  }
354  }
355 
356  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
357  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
358 
359  return buf;
360  }
361 
363  uint16_t extension_size)
364  {
365  uint16_t len = reader.get_uint16_t();
366 
367  if(len + 2 != extension_size)
368  throw Decoding_Error("Inconsistent length field in elliptic curve list");
369 
370  if(len % 2 == 1)
371  throw Decoding_Error("Elliptic curve list of strange size");
372 
373  len /= 2;
374 
375  for(size_t i = 0; i != len; ++i)
376  {
377  const uint16_t id = reader.get_uint16_t();
378  const std::string name = curve_id_to_name(id);
379 
380  if(!name.empty())
381  m_curves.push_back(name);
382  }
383  }
384 
385 std::vector<uint8_t> Supported_Point_Formats::serialize() const
386  {
387  // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
388  if(m_prefers_compressed)
389  {
390  return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
391  }
392  else
393  {
394  return std::vector<uint8_t>{1, UNCOMPRESSED};
395  }
396  }
397 
399  uint16_t extension_size)
400  {
401  uint8_t len = reader.get_byte();
402 
403  if(len + 1 != extension_size)
404  throw Decoding_Error("Inconsistent length field in supported point formats list");
405 
406  for(size_t i = 0; i != len; ++i)
407  {
408  uint8_t format = reader.get_byte();
409 
410  if(static_cast<ECPointFormat>(format) == UNCOMPRESSED)
411  {
412  m_prefers_compressed = false;
413  reader.discard_next(len-i-1);
414  return;
415  }
416  else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME)
417  {
418  m_prefers_compressed = true;
419  reader.discard_next(len-i-1);
420  return;
421  }
422 
423  // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
424  }
425  }
426 
427 std::string Signature_Algorithms::hash_algo_name(uint8_t code)
428  {
429  switch(code)
430  {
431  // code 1 is MD5 - ignore it
432 
433  case 2:
434  return "SHA-1";
435 
436  // code 3 is SHA-224
437 
438  case 4:
439  return "SHA-256";
440  case 5:
441  return "SHA-384";
442  case 6:
443  return "SHA-512";
444  default:
445  return "";
446  }
447  }
448 
449 uint8_t Signature_Algorithms::hash_algo_code(const std::string& name)
450  {
451  if(name == "SHA-1")
452  return 2;
453 
454  if(name == "SHA-256")
455  return 4;
456 
457  if(name == "SHA-384")
458  return 5;
459 
460  if(name == "SHA-512")
461  return 6;
462 
463  throw Internal_Error("Unknown hash ID " + name + " for signature_algorithms");
464  }
465 
466 std::string Signature_Algorithms::sig_algo_name(uint8_t code)
467  {
468  switch(code)
469  {
470  case 1:
471  return "RSA";
472  case 2:
473  return "DSA";
474  case 3:
475  return "ECDSA";
476  default:
477  return "";
478  }
479  }
480 
481 uint8_t Signature_Algorithms::sig_algo_code(const std::string& name)
482  {
483  if(name == "RSA")
484  return 1;
485 
486  if(name == "DSA")
487  return 2;
488 
489  if(name == "ECDSA")
490  return 3;
491 
492  throw Internal_Error("Unknown sig ID " + name + " for signature_algorithms");
493  }
494 
495 std::vector<uint8_t> Signature_Algorithms::serialize() const
496  {
497  std::vector<uint8_t> buf(2);
498 
499  for(size_t i = 0; i != m_supported_algos.size(); ++i)
500  {
501  try
502  {
503  const uint8_t hash_code = hash_algo_code(m_supported_algos[i].first);
504  const uint8_t sig_code = sig_algo_code(m_supported_algos[i].second);
505 
506  buf.push_back(hash_code);
507  buf.push_back(sig_code);
508  }
509  catch(...)
510  {}
511  }
512 
513  buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
514  buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
515 
516  return buf;
517  }
518 
519 Signature_Algorithms::Signature_Algorithms(const std::vector<std::string>& hashes,
520  const std::vector<std::string>& sigs)
521  {
522  for(size_t i = 0; i != hashes.size(); ++i)
523  for(size_t j = 0; j != sigs.size(); ++j)
524  m_supported_algos.push_back(std::make_pair(hashes[i], sigs[j]));
525  }
526 
528  uint16_t extension_size)
529  {
530  uint16_t len = reader.get_uint16_t();
531 
532  if(len + 2 != extension_size)
533  throw Decoding_Error("Bad encoding on signature algorithms extension");
534 
535  while(len)
536  {
537  const uint8_t hash_code = reader.get_byte();
538  const uint8_t sig_code = reader.get_byte();
539  len -= 2;
540 
541  if(sig_code == 0)
542  {
543  /*
544  RFC 5247 7.4.1.4.1 explicitly prohibits anonymous (0) signature code in
545  the client hello. ("It MUST NOT appear in this extension.")
546  */
547  throw TLS_Exception(Alert::DECODE_ERROR, "Client sent ANON signature");
548  }
549 
550  const std::string hash_name = hash_algo_name(hash_code);
551  const std::string sig_name = sig_algo_name(sig_code);
552 
553  // If not something we know, ignore it completely
554  if(hash_name.empty() || sig_name.empty())
555  continue;
556 
557  m_supported_algos.push_back(std::make_pair(hash_name, sig_name));
558  }
559  }
560 
562  uint16_t extension_size) : m_ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))
563  {}
564 
566  uint16_t extension_size) : m_pp(reader.get_range<uint16_t>(2, 0, 65535))
567  {
568  const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
569 
570  if(m_pp.size() * 2 + mki.size() + 3 != extension_size)
571  throw Decoding_Error("Bad encoding for SRTP protection extension");
572 
573  if(!mki.empty())
574  throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
575  }
576 
577 std::vector<uint8_t> SRTP_Protection_Profiles::serialize() const
578  {
579  std::vector<uint8_t> buf;
580 
581  const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
582  buf.push_back(get_byte(0, pp_len));
583  buf.push_back(get_byte(1, pp_len));
584 
585  for(uint16_t pp : m_pp)
586  {
587  buf.push_back(get_byte(0, pp));
588  buf.push_back(get_byte(1, pp));
589  }
590 
591  buf.push_back(0); // srtp_mki, always empty here
592 
593  return buf;
594  }
595 
597  uint16_t extension_size)
598  {
599  if(extension_size != 0)
600  throw Decoding_Error("Invalid extended_master_secret extension");
601  }
602 
603 std::vector<uint8_t> Extended_Master_Secret::serialize() const
604  {
605  return std::vector<uint8_t>();
606  }
607 
609  uint16_t extension_size)
610  {
611  if(extension_size != 0)
612  throw Decoding_Error("Invalid encrypt_then_mac extension");
613  }
614 
615 std::vector<uint8_t> Encrypt_then_MAC::serialize() const
616  {
617  return std::vector<uint8_t>();
618  }
619 
620 std::vector<uint8_t> Certificate_Status_Request::serialize() const
621  {
622  std::vector<uint8_t> buf;
623 
624  if(m_server_side)
625  return buf; // server reply is empty
626 
627  /*
628  opaque ResponderID<1..2^16-1>;
629  opaque Extensions<0..2^16-1>;
630 
631  CertificateStatusType status_type = ocsp(1)
632  ResponderID responder_id_list<0..2^16-1>
633  Extensions request_extensions;
634  */
635 
636  buf.push_back(1); // CertificateStatusType ocsp
637 
638  buf.push_back(0);
639  buf.push_back(0);
640  buf.push_back(0);
641  buf.push_back(0);
642 
643  return buf;
644  }
645 
647  uint16_t extension_size)
648  {
649  if(extension_size > 0)
650  {
651  const uint8_t type = reader.get_byte();
652  if(type == 1)
653  {
654  reader.discard_next(extension_size - 1); // fixme
655  }
656  else
657  {
658  reader.discard_next(extension_size - 1);
659  }
660  }
661  }
662 
663 Certificate_Status_Request::Certificate_Status_Request(const std::vector<X509_DN>& ocsp_responder_ids,
664  const std::vector<std::vector<uint8_t>>& ocsp_key_ids) :
665  m_ocsp_names(ocsp_responder_ids),
666  m_ocsp_keys(ocsp_key_ids),
667  m_server_side(false)
668  {
669 
670  }
671 
673  {
674 
675  }
676 
677 }
678 
679 }
std::vector< uint8_t > serialize() const
std::vector< uint8_t > serialize() const override
std::vector< uint8_t > serialize() const override
static uint8_t sig_algo_code(const std::string &name)
Handshake_Extension_Type type() const override
Server_Name_Indicator(const std::string &host_name)
size_t remaining_bytes() const
Definition: tls_reader.h:38
Supported_Elliptic_Curves(const std::vector< std::string > &curves)
void add(Extension *extn)
static uint16_t name_to_curve_id(const std::string &name)
Definition: bigint.h:619
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:47
std::vector< uint8_t > serialize() const override
static uint8_t hash_algo_code(const std::string &name)
std::vector< uint8_t > serialize() const override
static std::string curve_id_to_name(uint16_t id)
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition: tls_reader.h:115
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition: tls_reader.h:94
std::vector< uint8_t > serialize() const override
Application_Layer_Protocol_Notification(const std::string &protocol)
std::vector< uint8_t > serialize() const override
bool has_remaining() const
Definition: tls_reader.h:40
Definition: alg_id.cpp:13
Signature_Algorithms(const std::vector< std::string > &hashes, const std::vector< std::string > &sig_algos)
static std::string sig_algo_name(uint8_t code)
std::vector< uint8_t > serialize() const override
std::vector< uint8_t > serialize() const override
std::vector< uint8_t > serialize() const override
std::set< Handshake_Extension_Type > extension_types() const
void discard_next(size_t bytes)
Definition: tls_reader.h:47
SRTP_Protection_Profiles(const std::vector< uint16_t > &pp)
uint8_t get_byte(size_t byte_num, T input)
Definition: loadstor.h:47
void deserialize(TLS_Data_Reader &reader)
std::vector< uint8_t > serialize() const override
Supported_Point_Formats(bool prefer_compressed)
static std::string hash_algo_name(uint8_t code)
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition: tls_reader.h:185