1 /*
2 * TLS Extensions
3 * (C) 2011,2012,2015,2016 Jack Lloyd
4 * 2016 Juraj Somorovsky
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8
9 #include <botan/tls_extensions.h>
10 #include <botan/internal/tls_reader.h>
11 #include <botan/tls_exceptn.h>
12 #include <botan/tls_policy.h>
13
14 namespace Botan {
15
16 namespace TLS {
17
18 namespace {
19
make_extension(TLS_Data_Reader & reader,uint16_t code,uint16_t size,Connection_Side from)20 Extension* make_extension(TLS_Data_Reader& reader, uint16_t code, uint16_t size, Connection_Side from)
21 {
22 switch(code)
23 {
24 case TLSEXT_SERVER_NAME_INDICATION:
25 return new Server_Name_Indicator(reader, size);
26
27 #if defined(BOTAN_HAS_SRP6)
28 case TLSEXT_SRP_IDENTIFIER:
29 return new SRP_Identifier(reader, size);
30 #endif
31
32 case TLSEXT_SUPPORTED_GROUPS:
33 return new Supported_Groups(reader, size);
34
35 case TLSEXT_CERT_STATUS_REQUEST:
36 return new Certificate_Status_Request(reader, size, from);
37
38 case TLSEXT_EC_POINT_FORMATS:
39 return new Supported_Point_Formats(reader, size);
40
41 case TLSEXT_SAFE_RENEGOTIATION:
42 return new Renegotiation_Extension(reader, size);
43
44 case TLSEXT_SIGNATURE_ALGORITHMS:
45 return new Signature_Algorithms(reader, size);
46
47 case TLSEXT_USE_SRTP:
48 return new SRTP_Protection_Profiles(reader, size);
49
50 case TLSEXT_ALPN:
51 return new Application_Layer_Protocol_Notification(reader, size);
52
53 case TLSEXT_EXTENDED_MASTER_SECRET:
54 return new Extended_Master_Secret(reader, size);
55
56 case TLSEXT_ENCRYPT_THEN_MAC:
57 return new Encrypt_then_MAC(reader, size);
58
59 case TLSEXT_SESSION_TICKET:
60 return new Session_Ticket(reader, size);
61
62 case TLSEXT_SUPPORTED_VERSIONS:
63 return new Supported_Versions(reader, size, from);
64 }
65
66 return new Unknown_Extension(static_cast<Handshake_Extension_Type>(code),
67 reader, size);
68 }
69
70 }
71
deserialize(TLS_Data_Reader & reader,Connection_Side from)72 void Extensions::deserialize(TLS_Data_Reader& reader, Connection_Side from)
73 {
74 if(reader.has_remaining())
75 {
76 const uint16_t all_extn_size = reader.get_uint16_t();
77
78 if(reader.remaining_bytes() != all_extn_size)
79 throw Decoding_Error("Bad extension size");
80
81 while(reader.has_remaining())
82 {
83 const uint16_t extension_code = reader.get_uint16_t();
84 const uint16_t extension_size = reader.get_uint16_t();
85
86 const auto type = static_cast<Handshake_Extension_Type>(extension_code);
87
88 if(m_extensions.find(type) != m_extensions.end())
89 throw TLS_Exception(TLS::Alert::DECODE_ERROR,
90 "Peer sent duplicated extensions");
91
92 Extension* extn = make_extension(
93 reader, extension_code, extension_size, from);
94
95 this->add(extn);
96 }
97 }
98 }
99
serialize(Connection_Side whoami) const100 std::vector<uint8_t> Extensions::serialize(Connection_Side whoami) const
101 {
102 std::vector<uint8_t> buf(2); // 2 bytes for length field
103
104 for(auto& extn : m_extensions)
105 {
106 if(extn.second->empty())
107 continue;
108
109 const uint16_t extn_code = static_cast<uint16_t>(extn.second->type());
110
111 const std::vector<uint8_t> extn_val = extn.second->serialize(whoami);
112
113 buf.push_back(get_byte(0, extn_code));
114 buf.push_back(get_byte(1, extn_code));
115
116 buf.push_back(get_byte(0, static_cast<uint16_t>(extn_val.size())));
117 buf.push_back(get_byte(1, static_cast<uint16_t>(extn_val.size())));
118
119 buf += extn_val;
120 }
121
122 const uint16_t extn_size = static_cast<uint16_t>(buf.size() - 2);
123
124 buf[0] = get_byte(0, extn_size);
125 buf[1] = get_byte(1, extn_size);
126
127 // avoid sending a completely empty extensions block
128 if(buf.size() == 2)
129 return std::vector<uint8_t>();
130
131 return buf;
132 }
133
remove_extension(Handshake_Extension_Type typ)134 bool Extensions::remove_extension(Handshake_Extension_Type typ)
135 {
136 auto i = m_extensions.find(typ);
137 if(i == m_extensions.end())
138 return false;
139 m_extensions.erase(i);
140 return true;
141 }
142
extension_types() const143 std::set<Handshake_Extension_Type> Extensions::extension_types() const
144 {
145 std::set<Handshake_Extension_Type> offers;
146 for(auto i = m_extensions.begin(); i != m_extensions.end(); ++i)
147 offers.insert(i->first);
148 return offers;
149 }
150
Unknown_Extension(Handshake_Extension_Type type,TLS_Data_Reader & reader,uint16_t extension_size)151 Unknown_Extension::Unknown_Extension(Handshake_Extension_Type type,
152 TLS_Data_Reader& reader,
153 uint16_t extension_size) :
154 m_type(type),
155 m_value(reader.get_fixed<uint8_t>(extension_size))
156 {
157 }
158
serialize(Connection_Side) const159 std::vector<uint8_t> Unknown_Extension::serialize(Connection_Side /*whoami*/) const
160 {
161 throw Invalid_State("Cannot encode an unknown TLS extension");
162 }
163
Server_Name_Indicator(TLS_Data_Reader & reader,uint16_t extension_size)164 Server_Name_Indicator::Server_Name_Indicator(TLS_Data_Reader& reader,
165 uint16_t extension_size)
166 {
167 /*
168 * This is used by the server to confirm that it knew the name
169 */
170 if(extension_size == 0)
171 return;
172
173 uint16_t name_bytes = reader.get_uint16_t();
174
175 if(name_bytes + 2 != extension_size)
176 throw Decoding_Error("Bad encoding of SNI extension");
177
178 while(name_bytes)
179 {
180 uint8_t name_type = reader.get_byte();
181 name_bytes--;
182
183 if(name_type == 0) // DNS
184 {
185 m_sni_host_name = reader.get_string(2, 1, 65535);
186 name_bytes -= static_cast<uint16_t>(2 + m_sni_host_name.size());
187 }
188 else // some other unknown name type
189 {
190 reader.discard_next(name_bytes);
191 name_bytes = 0;
192 }
193 }
194 }
195
serialize(Connection_Side) const196 std::vector<uint8_t> Server_Name_Indicator::serialize(Connection_Side /*whoami*/) const
197 {
198 std::vector<uint8_t> buf;
199
200 size_t name_len = m_sni_host_name.size();
201
202 buf.push_back(get_byte(0, static_cast<uint16_t>(name_len+3)));
203 buf.push_back(get_byte(1, static_cast<uint16_t>(name_len+3)));
204 buf.push_back(0); // DNS
205
206 buf.push_back(get_byte(0, static_cast<uint16_t>(name_len)));
207 buf.push_back(get_byte(1, static_cast<uint16_t>(name_len)));
208
209 buf += std::make_pair(
210 cast_char_ptr_to_uint8(m_sni_host_name.data()),
211 m_sni_host_name.size());
212
213 return buf;
214 }
215
216 #if defined(BOTAN_HAS_SRP6)
217
SRP_Identifier(TLS_Data_Reader & reader,uint16_t extension_size)218 SRP_Identifier::SRP_Identifier(TLS_Data_Reader& reader,
219 uint16_t extension_size) : m_srp_identifier(reader.get_string(1, 1, 255))
220 {
221 if(m_srp_identifier.size() + 1 != extension_size)
222 throw Decoding_Error("Bad encoding for SRP identifier extension");
223 }
224
serialize(Connection_Side) const225 std::vector<uint8_t> SRP_Identifier::serialize(Connection_Side /*whoami*/) const
226 {
227 std::vector<uint8_t> buf;
228
229 const uint8_t* srp_bytes = cast_char_ptr_to_uint8(m_srp_identifier.data());
230 append_tls_length_value(buf, srp_bytes, m_srp_identifier.size(), 1);
231
232 return buf;
233 }
234
235 #endif
236
Renegotiation_Extension(TLS_Data_Reader & reader,uint16_t extension_size)237 Renegotiation_Extension::Renegotiation_Extension(TLS_Data_Reader& reader,
238 uint16_t extension_size) : m_reneg_data(reader.get_range<uint8_t>(1, 0, 255))
239 {
240 if(m_reneg_data.size() + 1 != extension_size)
241 throw Decoding_Error("Bad encoding for secure renegotiation extn");
242 }
243
serialize(Connection_Side) const244 std::vector<uint8_t> Renegotiation_Extension::serialize(Connection_Side /*whoami*/) const
245 {
246 std::vector<uint8_t> buf;
247 append_tls_length_value(buf, m_reneg_data, 1);
248 return buf;
249 }
250
Application_Layer_Protocol_Notification(TLS_Data_Reader & reader,uint16_t extension_size)251 Application_Layer_Protocol_Notification::Application_Layer_Protocol_Notification(TLS_Data_Reader& reader,
252 uint16_t extension_size)
253 {
254 if(extension_size == 0)
255 return; // empty extension
256
257 const uint16_t name_bytes = reader.get_uint16_t();
258
259 size_t bytes_remaining = extension_size - 2;
260
261 if(name_bytes != bytes_remaining)
262 throw Decoding_Error("Bad encoding of ALPN extension, bad length field");
263
264 while(bytes_remaining)
265 {
266 const std::string p = reader.get_string(1, 0, 255);
267
268 if(bytes_remaining < p.size() + 1)
269 throw Decoding_Error("Bad encoding of ALPN, length field too long");
270
271 if(p.empty())
272 throw Decoding_Error("Empty ALPN protocol not allowed");
273
274 bytes_remaining -= (p.size() + 1);
275
276 m_protocols.push_back(p);
277 }
278 }
279
single_protocol() const280 const std::string& Application_Layer_Protocol_Notification::single_protocol() const
281 {
282 if(m_protocols.size() != 1)
283 throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
284 "Server sent " + std::to_string(m_protocols.size()) +
285 " protocols in ALPN extension response");
286 return m_protocols[0];
287 }
288
serialize(Connection_Side) const289 std::vector<uint8_t> Application_Layer_Protocol_Notification::serialize(Connection_Side /*whoami*/) const
290 {
291 std::vector<uint8_t> buf(2);
292
293 for(auto&& p: m_protocols)
294 {
295 if(p.length() >= 256)
296 throw TLS_Exception(Alert::INTERNAL_ERROR, "ALPN name too long");
297 if(p != "")
298 append_tls_length_value(buf,
299 cast_char_ptr_to_uint8(p.data()),
300 p.size(),
301 1);
302 }
303
304 buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
305 buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
306
307 return buf;
308 }
309
Supported_Groups(const std::vector<Group_Params> & groups)310 Supported_Groups::Supported_Groups(const std::vector<Group_Params>& groups) : m_groups(groups)
311 {
312 }
313
ec_groups() const314 std::vector<Group_Params> Supported_Groups::ec_groups() const
315 {
316 std::vector<Group_Params> ec;
317 for(auto g : m_groups)
318 {
319 if(group_param_is_dh(g) == false)
320 ec.push_back(g);
321 }
322 return ec;
323 }
324
dh_groups() const325 std::vector<Group_Params> Supported_Groups::dh_groups() const
326 {
327 std::vector<Group_Params> dh;
328 for(auto g : m_groups)
329 {
330 if(group_param_is_dh(g) == true)
331 dh.push_back(g);
332 }
333 return dh;
334 }
335
serialize(Connection_Side) const336 std::vector<uint8_t> Supported_Groups::serialize(Connection_Side /*whoami*/) const
337 {
338 std::vector<uint8_t> buf(2);
339
340 for(auto g : m_groups)
341 {
342 const uint16_t id = static_cast<uint16_t>(g);
343
344 if(id > 0)
345 {
346 buf.push_back(get_byte(0, id));
347 buf.push_back(get_byte(1, id));
348 }
349 }
350
351 buf[0] = get_byte(0, static_cast<uint16_t>(buf.size()-2));
352 buf[1] = get_byte(1, static_cast<uint16_t>(buf.size()-2));
353
354 return buf;
355 }
356
Supported_Groups(TLS_Data_Reader & reader,uint16_t extension_size)357 Supported_Groups::Supported_Groups(TLS_Data_Reader& reader,
358 uint16_t extension_size)
359 {
360 const uint16_t len = reader.get_uint16_t();
361
362 if(len + 2 != extension_size)
363 throw Decoding_Error("Inconsistent length field in supported groups list");
364
365 if(len % 2 == 1)
366 throw Decoding_Error("Supported groups list of strange size");
367
368 const size_t elems = len / 2;
369
370 for(size_t i = 0; i != elems; ++i)
371 {
372 const uint16_t id = reader.get_uint16_t();
373 m_groups.push_back(static_cast<Group_Params>(id));
374 }
375 }
376
serialize(Connection_Side) const377 std::vector<uint8_t> Supported_Point_Formats::serialize(Connection_Side /*whoami*/) const
378 {
379 // if this extension is sent, it MUST include uncompressed (RFC 4492, section 5.1)
380 if(m_prefers_compressed)
381 {
382 return std::vector<uint8_t>{2, ANSIX962_COMPRESSED_PRIME, UNCOMPRESSED};
383 }
384 else
385 {
386 return std::vector<uint8_t>{1, UNCOMPRESSED};
387 }
388 }
389
Supported_Point_Formats(TLS_Data_Reader & reader,uint16_t extension_size)390 Supported_Point_Formats::Supported_Point_Formats(TLS_Data_Reader& reader,
391 uint16_t extension_size)
392 {
393 uint8_t len = reader.get_byte();
394
395 if(len + 1 != extension_size)
396 throw Decoding_Error("Inconsistent length field in supported point formats list");
397
398 for(size_t i = 0; i != len; ++i)
399 {
400 uint8_t format = reader.get_byte();
401
402 if(static_cast<ECPointFormat>(format) == UNCOMPRESSED)
403 {
404 m_prefers_compressed = false;
405 reader.discard_next(len-i-1);
406 return;
407 }
408 else if(static_cast<ECPointFormat>(format) == ANSIX962_COMPRESSED_PRIME)
409 {
410 m_prefers_compressed = true;
411 reader.discard_next(len-i-1);
412 return;
413 }
414
415 // ignore ANSIX962_COMPRESSED_CHAR2, we don't support these curves
416 }
417 }
418
serialize(Connection_Side) const419 std::vector<uint8_t> Signature_Algorithms::serialize(Connection_Side /*whoami*/) const
420 {
421 BOTAN_ASSERT(m_schemes.size() < 256, "Too many signature schemes");
422
423 std::vector<uint8_t> buf;
424
425 const uint16_t len = static_cast<uint16_t>(m_schemes.size() * 2);
426
427 buf.push_back(get_byte(0, len));
428 buf.push_back(get_byte(1, len));
429
430 for(Signature_Scheme scheme : m_schemes)
431 {
432 const uint16_t scheme_code = static_cast<uint16_t>(scheme);
433
434 buf.push_back(get_byte(0, scheme_code));
435 buf.push_back(get_byte(1, scheme_code));
436 }
437
438 return buf;
439 }
440
Signature_Algorithms(TLS_Data_Reader & reader,uint16_t extension_size)441 Signature_Algorithms::Signature_Algorithms(TLS_Data_Reader& reader,
442 uint16_t extension_size)
443 {
444 uint16_t len = reader.get_uint16_t();
445
446 if(len + 2 != extension_size || len % 2 == 1 || len == 0)
447 {
448 throw Decoding_Error("Bad encoding on signature algorithms extension");
449 }
450
451 while(len)
452 {
453 const uint16_t scheme_code = reader.get_uint16_t();
454 m_schemes.push_back(static_cast<Signature_Scheme>(scheme_code));
455 len -= 2;
456 }
457 }
458
Session_Ticket(TLS_Data_Reader & reader,uint16_t extension_size)459 Session_Ticket::Session_Ticket(TLS_Data_Reader& reader,
460 uint16_t extension_size) : m_ticket(reader.get_elem<uint8_t, std::vector<uint8_t>>(extension_size))
461 {}
462
SRTP_Protection_Profiles(TLS_Data_Reader & reader,uint16_t extension_size)463 SRTP_Protection_Profiles::SRTP_Protection_Profiles(TLS_Data_Reader& reader,
464 uint16_t extension_size) : m_pp(reader.get_range<uint16_t>(2, 0, 65535))
465 {
466 const std::vector<uint8_t> mki = reader.get_range<uint8_t>(1, 0, 255);
467
468 if(m_pp.size() * 2 + mki.size() + 3 != extension_size)
469 throw Decoding_Error("Bad encoding for SRTP protection extension");
470
471 if(!mki.empty())
472 throw Decoding_Error("Unhandled non-empty MKI for SRTP protection extension");
473 }
474
serialize(Connection_Side) const475 std::vector<uint8_t> SRTP_Protection_Profiles::serialize(Connection_Side /*whoami*/) const
476 {
477 std::vector<uint8_t> buf;
478
479 const uint16_t pp_len = static_cast<uint16_t>(m_pp.size() * 2);
480 buf.push_back(get_byte(0, pp_len));
481 buf.push_back(get_byte(1, pp_len));
482
483 for(uint16_t pp : m_pp)
484 {
485 buf.push_back(get_byte(0, pp));
486 buf.push_back(get_byte(1, pp));
487 }
488
489 buf.push_back(0); // srtp_mki, always empty here
490
491 return buf;
492 }
493
Extended_Master_Secret(TLS_Data_Reader &,uint16_t extension_size)494 Extended_Master_Secret::Extended_Master_Secret(TLS_Data_Reader&,
495 uint16_t extension_size)
496 {
497 if(extension_size != 0)
498 throw Decoding_Error("Invalid extended_master_secret extension");
499 }
500
serialize(Connection_Side) const501 std::vector<uint8_t> Extended_Master_Secret::serialize(Connection_Side /*whoami*/) const
502 {
503 return std::vector<uint8_t>();
504 }
505
Encrypt_then_MAC(TLS_Data_Reader &,uint16_t extension_size)506 Encrypt_then_MAC::Encrypt_then_MAC(TLS_Data_Reader&,
507 uint16_t extension_size)
508 {
509 if(extension_size != 0)
510 throw Decoding_Error("Invalid encrypt_then_mac extension");
511 }
512
serialize(Connection_Side) const513 std::vector<uint8_t> Encrypt_then_MAC::serialize(Connection_Side /*whoami*/) const
514 {
515 return std::vector<uint8_t>();
516 }
517
serialize(Connection_Side whoami) const518 std::vector<uint8_t> Certificate_Status_Request::serialize(Connection_Side whoami) const
519 {
520 std::vector<uint8_t> buf;
521
522 if(whoami == Connection_Side::SERVER)
523 return buf; // server reply is empty
524
525 /*
526 opaque ResponderID<1..2^16-1>;
527 opaque Extensions<0..2^16-1>;
528
529 CertificateStatusType status_type = ocsp(1)
530 ResponderID responder_id_list<0..2^16-1>
531 Extensions request_extensions;
532 */
533
534 buf.push_back(1); // CertificateStatusType ocsp
535
536 buf.push_back(0);
537 buf.push_back(0);
538 buf.push_back(0);
539 buf.push_back(0);
540
541 return buf;
542 }
543
Certificate_Status_Request(TLS_Data_Reader & reader,uint16_t extension_size,Connection_Side from)544 Certificate_Status_Request::Certificate_Status_Request(TLS_Data_Reader& reader,
545 uint16_t extension_size,
546 Connection_Side from)
547 {
548 if(from == Connection_Side::SERVER)
549 {
550 if(extension_size != 0)
551 throw Decoding_Error("Server sent non-empty Certificate_Status_Request extension");
552 }
553 else if(extension_size > 0)
554 {
555 const uint8_t type = reader.get_byte();
556 if(type == 1)
557 {
558 const size_t len_resp_id_list = reader.get_uint16_t();
559 m_ocsp_names = reader.get_fixed<uint8_t>(len_resp_id_list);
560 const size_t len_requ_ext = reader.get_uint16_t();
561 m_extension_bytes = reader.get_fixed<uint8_t>(len_requ_ext);
562 }
563 else
564 {
565 reader.discard_next(extension_size - 1);
566 }
567 }
568 }
569
Certificate_Status_Request(const std::vector<uint8_t> & ocsp_responder_ids,const std::vector<std::vector<uint8_t>> & ocsp_key_ids)570 Certificate_Status_Request::Certificate_Status_Request(const std::vector<uint8_t>& ocsp_responder_ids,
571 const std::vector<std::vector<uint8_t>>& ocsp_key_ids) :
572 m_ocsp_names(ocsp_responder_ids),
573 m_ocsp_keys(ocsp_key_ids)
574 {
575 }
576
serialize(Connection_Side whoami) const577 std::vector<uint8_t> Supported_Versions::serialize(Connection_Side whoami) const
578 {
579 std::vector<uint8_t> buf;
580
581 if(whoami == Connection_Side::SERVER)
582 {
583 BOTAN_ASSERT_NOMSG(m_versions.size() == 1);
584 buf.push_back(m_versions[0].major_version());
585 buf.push_back(m_versions[0].minor_version());
586 }
587 else
588 {
589 BOTAN_ASSERT_NOMSG(m_versions.size() >= 1);
590 const uint8_t len = static_cast<uint8_t>(m_versions.size() * 2);
591
592 buf.push_back(len);
593
594 for(Protocol_Version version : m_versions)
595 {
596 buf.push_back(get_byte(0, version.major_version()));
597 buf.push_back(get_byte(1, version.minor_version()));
598 }
599 }
600
601 return buf;
602 }
603
Supported_Versions(Protocol_Version offer,const Policy & policy)604 Supported_Versions::Supported_Versions(Protocol_Version offer, const Policy& policy)
605 {
606 if(offer.is_datagram_protocol())
607 {
608 if(offer >= Protocol_Version::DTLS_V12 && policy.allow_dtls12())
609 m_versions.push_back(Protocol_Version::DTLS_V12);
610 #if defined(BOTAN_HAS_TLS_V10)
611 if(offer >= Protocol_Version::DTLS_V10 && policy.allow_dtls10())
612 m_versions.push_back(Protocol_Version::DTLS_V10);
613 #endif
614 }
615 else
616 {
617 if(offer >= Protocol_Version::TLS_V12 && policy.allow_tls12())
618 m_versions.push_back(Protocol_Version::TLS_V12);
619 #if defined(BOTAN_HAS_TLS_V10)
620 if(offer >= Protocol_Version::TLS_V11 && policy.allow_tls11())
621 m_versions.push_back(Protocol_Version::TLS_V11);
622 if(offer >= Protocol_Version::TLS_V10 && policy.allow_tls10())
623 m_versions.push_back(Protocol_Version::TLS_V10);
624 #endif
625 }
626 }
627
Supported_Versions(TLS_Data_Reader & reader,uint16_t extension_size,Connection_Side from)628 Supported_Versions::Supported_Versions(TLS_Data_Reader& reader,
629 uint16_t extension_size,
630 Connection_Side from)
631 {
632 if(from == Connection_Side::SERVER)
633 {
634 if(extension_size != 2)
635 throw Decoding_Error("Server sent invalid supported_versions extension");
636 m_versions.push_back(Protocol_Version(reader.get_uint16_t()));
637 }
638 else
639 {
640 auto versions = reader.get_range<uint16_t>(1, 1, 127);
641
642 for(auto v : versions)
643 m_versions.push_back(Protocol_Version(v));
644
645 if(extension_size != 1+2*versions.size())
646 throw Decoding_Error("Client sent invalid supported_versions extension");
647 }
648 }
649
supports(Protocol_Version version) const650 bool Supported_Versions::supports(Protocol_Version version) const
651 {
652 for(auto v : m_versions)
653 if(version == v)
654 return true;
655 return false;
656 }
657
658 }
659
660 }
661