/*
* TLS Server Hello and Server Hello Done
* (C) 2004-2011,2015,2016 Jack Lloyd
*     2016 Matthias Gierlings
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#include <botan/tls_messages.h>
#include <botan/tls_extensions.h>
#include <botan/internal/tls_reader.h>
#include <botan/internal/tls_session_key.h>
#include <botan/internal/tls_handshake_io.h>
#include <botan/internal/tls_handshake_hash.h>
#include <botan/internal/stl_util.h>
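/*
* Create a Server Hello for a newly negotiated session.
*
* The version, session id, ciphersuite and compression method are taken from
* server_settings. Each extension is echoed only if the client offered it in
* client_hello, and where the code checks it, only if policy also allows it.
* The finished message is sent through io and the bytes returned by io.send()
* are fed into the handshake hash.
*
* NOTE(review): the listing on this page skips the two parameter lines
* between `io` and `rng`, although the body uses `hash` and `policy`. They
* are restored here; confirm type and order against the declaration
* (presumably in tls_messages.h).
*/
Server_Hello::Server_Hello(Handshake_IO& io,
                           Handshake_Hash& hash,
                           const Policy& policy,
                           RandomNumberGenerator& rng,
                           const std::vector<uint8_t>& reneg_info,
                           const Client_Hello& client_hello,
                           const Server_Hello::Settings& server_settings,
                           const std::string next_protocol) :
   m_version(server_settings.protocol_version()),
   m_session_id(server_settings.session_id()),
   m_random(make_hello_random(rng, policy)),
   m_ciphersuite(server_settings.ciphersuite()),
   m_comp_method(server_settings.compression())
   {
   // Extended master secret (RFC 7627) ties the master secret to the
   // handshake transcript; acknowledge it whenever the client offers it.
   if(client_hello.supports_extended_master_secret())
      {
      m_extensions.add(new Extended_Master_Secret);
      }

   // Sending the extension back does not commit us to sending a stapled response
   if(client_hello.supports_cert_status_message() && policy.support_cert_status_message())
      {
      m_extensions.add(new Certificate_Status_Request);
      }

   const Ciphersuite c = Ciphersuite::by_id(m_ciphersuite);

   // Encrypt-then-MAC (RFC 7366) is only meaningful for CBC suites, and both
   // the client offer and the local policy must agree before it is confirmed.
   if(c.cbc_ciphersuite() && client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
      {
      m_extensions.add(new Encrypt_then_MAC);
      }

   // Point formats are echoed only for ECC suites and only when the client
   // actually sent the extension.
   if(c.ecc_ciphersuite() && client_hello.extension_types().count(TLSEXT_EC_POINT_FORMATS))
      {
      m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
      }

   // Secure renegotiation indication (RFC 5746)
   if(client_hello.secure_renegotiation())
      {
      m_extensions.add(new Renegotiation_Extension(reneg_info));
      }

   if(client_hello.supports_session_ticket() && server_settings.offer_session_ticket())
      {
      m_extensions.add(new Session_Ticket());
      }

   if(!next_protocol.empty() && client_hello.supports_alpn())
      {
      m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol));
      }

   // SRTP profile selection is done only for datagram (DTLS) versions
   if(m_version.is_datagram_protocol())
      {
      const std::vector<uint16_t> server_srtp = policy.srtp_profiles();
      const std::vector<uint16_t> client_srtp = client_hello.srtp_profiles();

      if(!server_srtp.empty() && !client_srtp.empty())
         {
         // NOTE(review): the declaration of `shared`, its assignment and the
         // guard before the add are on lines the listing dropped. They are
         // reconstructed from the visible uses of `shared`; confirm upstream.
         uint16_t shared = 0;

         // always using server preferences for now
         for(auto s_srtp : server_srtp)
            {
            for(auto c_srtp : client_srtp)
               {
               if(shared == 0 && s_srtp == c_srtp)
                  {
                  shared = s_srtp;
                  }
               }
            }

         // Without a common profile the extension is left out entirely
         if(shared != 0)
            {
            m_extensions.add(new SRTP_Protection_Profiles(shared));
            }
         }
      }

   // The transcript hash must cover exactly the bytes that went on the wire
   hash.update(io.send(*this));
   }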
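/*
* Create a Server Hello that resumes a previously established session.
*
* The version, ciphersuite and compression method are taken from
* resumed_session, and the session id sent by the client is echoed back.
* Each extension is echoed only if the client offered it in client_hello.
* The finished message is sent through io and the bytes returned by io.send()
* are fed into the handshake hash.
*
* NOTE(review): the listing on this page skips the two parameter lines
* between `io` and `rng`, although the body uses `hash` and `policy`. They
* are restored here; confirm type and order against the declaration
* (presumably in tls_messages.h).
*
* NOTE(review): RFC 7627 section 5.3 requires the extended master secret
* state of the original session and of the resumption to agree. No such
* check is visible in this constructor; confirm the caller enforces it.
*/
Server_Hello::Server_Hello(Handshake_IO& io,
                           Handshake_Hash& hash,
                           const Policy& policy,
                           RandomNumberGenerator& rng,
                           const std::vector<uint8_t>& reneg_info,
                           const Client_Hello& client_hello,
                           Session& resumed_session,
                           bool offer_session_ticket,
                           const std::string& next_protocol) :
   m_version(resumed_session.version()),
   m_session_id(client_hello.session_id()),
   m_random(make_hello_random(rng, policy)),
   m_ciphersuite(resumed_session.ciphersuite_code()),
   m_comp_method(resumed_session.compression_method())
   {
   if(client_hello.supports_extended_master_secret())
      {
      m_extensions.add(new Extended_Master_Secret);
      }

   // Sending the extension back does not commit us to sending a stapled response
   if(client_hello.supports_cert_status_message() && policy.support_cert_status_message())
      {
      m_extensions.add(new Certificate_Status_Request);
      }

   const Ciphersuite resumed_suite = resumed_session.ciphersuite();

   // Encrypt-then-MAC (RFC 7366) is only meaningful for CBC suites, and both
   // the client offer and the local policy must agree before it is confirmed.
   if(client_hello.supports_encrypt_then_mac() && policy.negotiate_encrypt_then_mac())
      {
      if(resumed_suite.cbc_ciphersuite())
         {
         m_extensions.add(new Encrypt_then_MAC);
         }
      }

   // Echo ec_point_formats only if the client sent it. A server must not
   // answer with an extension the client did not offer (RFC 5246 7.4.1.4),
   // and the new-session constructor in this file applies the same check.
   if(resumed_suite.ecc_ciphersuite() && client_hello.extension_types().count(TLSEXT_EC_POINT_FORMATS))
      {
      m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
      }

   // Secure renegotiation indication (RFC 5746)
   if(client_hello.secure_renegotiation())
      {
      m_extensions.add(new Renegotiation_Extension(reneg_info));
      }

   if(client_hello.supports_session_ticket() && offer_session_ticket)
      {
      m_extensions.add(new Session_Ticket());
      }

   if(!next_protocol.empty() && client_hello.supports_alpn())
      {
      m_extensions.add(new Application_Layer_Protocol_Notification(next_protocol));
      }

   // The transcript hash must cover exactly the bytes that went on the wire
   hash.update(io.send(*this));
   }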
/*
* Deserialize a Server Hello message
*/
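/*
* Parse a Server Hello from its wire encoding.
*
* buf comes from the peer and is untrusted. It is rejected with
* Decoding_Error when it is too short to hold the fixed-size fields; the
* variable-length parts (session id, extensions) are read through
* TLS_Data_Reader, which is presumably responsible for bounds-checking them.
*/
Server_Hello::Server_Hello(const std::vector<uint8_t>& buf)
   {
   // version (2) + random (32) + session id length (1) + ciphersuite (2)
   // + compression method (1)
   // NOTE(review): the listing dropped the line holding the length check;
   // this bound is derived from the fixed-size reads below. Confirm upstream.
   const size_t min_server_hello_size = 2 + 32 + 1 + 2 + 1;

   if(buf.size() < min_server_hello_size)
      {
      throw Decoding_Error("Server_Hello: Packet corrupted");
      }

   TLS_Data_Reader reader("ServerHello", buf);

   const uint8_t major_version = reader.get_byte();
   const uint8_t minor_version = reader.get_byte();

   m_version = Protocol_Version(major_version, minor_version);

   m_random = reader.get_fixed<uint8_t>(32);

   // Session id: 1-byte length prefix, between 0 and 32 bytes of data
   m_session_id = reader.get_range<uint8_t>(1, 0, 32);

   m_ciphersuite = reader.get_uint16_t();

   m_comp_method = reader.get_byte();

   m_extensions.deserialize(reader);
   }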
/*
* Serialize a Server Hello message
*/
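/*
* Encode this Server Hello in wire format.
*
* Fields are written in the same order the deserializing constructor reads
* them: version, random, session id, ciphersuite, compression method,
* extensions.
*
* Returns the encoded message body.
*/
std::vector<uint8_t> Server_Hello::serialize() const
   {
   std::vector<uint8_t> buf;

   buf.push_back(m_version.major_version());
   buf.push_back(m_version.minor_version());

   // NOTE(review): the listing dropped the line between the version bytes
   // and the session id. The random is restored here because the
   // deserializer reads 32 random bytes at this position; confirm upstream.
   buf += m_random;

   // Session id carries a 1-byte length prefix
   append_tls_length_value(buf, m_session_id, 1);

   // Ciphersuite code, written as two bytes
   buf.push_back(get_byte(0, m_ciphersuite));
   buf.push_back(get_byte(1, m_ciphersuite));

   buf.push_back(m_comp_method);

   buf += m_extensions.serialize();

   return buf;
   }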
/*
* Create a new Server Hello Done message
*/
/*
* Build a Server Hello Done, send it through io, and feed the bytes returned
* by io.send() into the handshake hash.
*/
Server_Hello_Done::Server_Hello_Done(Handshake_IO& io,
                                     Handshake_Hash& hash)
   {
   // Hash exactly what io reports as sent so the transcript matches the wire
   const auto sent_bytes = io.send(*this);
   hash.update(sent_bytes);
   }
/*
* Deserialize a Server Hello Done message
*/
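/*
* Parse a Server Hello Done received from the peer.
*
* The message carries no body, so any payload is rejected with
* Decoding_Error.
*
* NOTE(review): the listing dropped the line holding the condition; it is
* reconstructed from the error text. Confirm upstream.
*/
Server_Hello_Done::Server_Hello_Done(const std::vector<uint8_t>& buf)
   {
   if(!buf.empty())
      {
      throw Decoding_Error("Server_Hello_Done: Must be empty, and is not");
      }
   }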
/*
* Serialize a Server Hello Done message
*/
/*
* Encode this Server Hello Done; the message has no body, so the result is
* always an empty vector.
*/
std::vector<uint8_t> Server_Hello_Done::serialize() const
   {
   return {};
   }