tls_extensions_13.cpp

Enable keyboard shortcuts

/*

* TLS 1.3 Specific Extensions

* (C) 2011,2012,2015,2016 Jack Lloyd

*     2016 Juraj Somorovsky

*     2021 Elektrobit Automotive GmbH

*     2022 René Meusel, Hannes Rantzsch - neXenio GmbH

*     2023 Mateusz Berezecki

*     2023 Fabian Albert, René Meusel - Rohde & Schwarz Cybersecurity

*     2026 René Meusel - Rohde & Schwarz Cybersecurity

* Botan is released under the Simplified BSD License (see license.txt)

*/

#include <botan/tls_extensions_13.h>

#include <botan/ber_dec.h>

#include <botan/der_enc.h>

#include <botan/tls_alert.h>

#include <botan/tls_exceptn.h>

#include <botan/internal/tls_reader.h>

namespace Botan::TLS {

Cookie::Cookie(const std::vector<uint8_t>& cookie) : m_cookie(cookie) {}

Cookie::Cookie(TLS_Data_Reader& reader, uint16_t extension_size) {

   if(extension_size == 0) {

      return;

   const uint16_t len = reader.get_uint16_t();

   if(len == 0) {

      // Based on RFC 8446 4.2.2, len of the Cookie buffer must be at least 1

      throw Decoding_Error("Cookie length must be at least 1 byte");

   if(len > reader.remaining_bytes()) {

      throw Decoding_Error("Not enough bytes in the buffer to decode Cookie");

   for(size_t i = 0; i < len; ++i) {

      m_cookie.push_back(reader.get_byte());

std::vector<uint8_t> Cookie::serialize(Connection_Side /*whoami*/) const {

   std::vector<uint8_t> buf;

   const uint16_t len = static_cast<uint16_t>(m_cookie.size());

   buf.push_back(get_byte<0>(len));

   buf.push_back(get_byte<1>(len));

   for(const auto& cookie_byte : m_cookie) {

      buf.push_back(cookie_byte);

   return buf;

std::vector<uint8_t> PSK_Key_Exchange_Modes::serialize(Connection_Side /*whoami*/) const {

   std::vector<uint8_t> buf;

   BOTAN_ASSERT_NOMSG(m_modes.size() < 256);

   buf.push_back(static_cast<uint8_t>(m_modes.size()));

   for(const auto& mode : m_modes) {

      buf.push_back(static_cast<uint8_t>(mode));

   return buf;

PSK_Key_Exchange_Modes::PSK_Key_Exchange_Modes(TLS_Data_Reader& reader, uint16_t extension_size) {

   if(extension_size < 2) {

      throw Decoding_Error("Empty psk_key_exchange_modes extension is illegal");

   const auto mode_count = reader.get_byte();

   for(uint16_t i = 0; i < mode_count; ++i) {

      const auto mode = static_cast<PSK_Key_Exchange_Mode>(reader.get_byte());

      if(mode == PSK_Key_Exchange_Mode::PSK_KE || mode == PSK_Key_Exchange_Mode::PSK_DHE_KE) {

         m_modes.push_back(mode);

std::vector<uint8_t> Certificate_Authorities::serialize(Connection_Side /*whoami*/) const {

   std::vector<uint8_t> out;

   std::vector<uint8_t> dn_list;

   for(const auto& dn : m_distinguished_names) {

      std::vector<uint8_t> encoded_dn;

      auto encoder = DER_Encoder(encoded_dn);

      dn.encode_into(encoder);

      append_tls_length_value(dn_list, encoded_dn, 2);

   append_tls_length_value(out, dn_list, 2);

   return out;

Certificate_Authorities::Certificate_Authorities(TLS_Data_Reader& reader, uint16_t extension_size) {

   if(extension_size < 2) {

      throw Decoding_Error("Empty certificate_authorities extension is illegal");

   const uint16_t purported_size = reader.get_uint16_t();

   if(reader.remaining_bytes() != purported_size) {

      throw Decoding_Error("Inconsistent length in certificate_authorities extension");

   while(reader.has_remaining()) {

      std::vector<uint8_t> name_bits = reader.get_tls_length_value(2);

      BER_Decoder decoder(name_bits.data(), name_bits.size());

      m_distinguished_names.emplace_back();

      decoder.decode(m_distinguished_names.back());

Certificate_Authorities::Certificate_Authorities(std::vector<X509_DN> acceptable_DNs) :

      m_distinguished_names(std::move(acceptable_DNs)) {}

std::vector<uint8_t> EarlyDataIndication::serialize(Connection_Side /*whoami*/) const {

   std::vector<uint8_t> result;

   if(m_max_early_data_size.has_value()) {

      const auto max_data = m_max_early_data_size.value();

      result.push_back(get_byte<0>(max_data));

      result.push_back(get_byte<1>(max_data));

      result.push_back(get_byte<2>(max_data));

      result.push_back(get_byte<3>(max_data));

   return result;

EarlyDataIndication::EarlyDataIndication(TLS_Data_Reader& reader,

                                         uint16_t extension_size,

                                         Handshake_Type message_type) {

   if(message_type == Handshake_Type::NewSessionTicket) {

      if(extension_size != 4) {

         throw TLS_Exception(Alert::DecodeError,

                             "Received an early_data extension in a NewSessionTicket message "

                             "without maximum early data size indication");

      m_max_early_data_size = reader.get_uint32_t();

   } else if(extension_size != 0) {

      throw TLS_Exception(Alert::DecodeError,

                          "Received an early_data extension containing an unexpected data "

                          "size indication");

bool EarlyDataIndication::empty() const {

   // This extension may be empty by definition but still carry information

   return false;

}  // namespace Botan::TLS