|
Botan 3.4.0
Crypto and TLS for C&
|
#include <tls_callbacks.h>
Public Member Functions | |
| virtual void | tls_alert (Alert alert)=0 |
| virtual std::chrono::system_clock::time_point | tls_current_timestamp () |
| virtual void | tls_emit_data (std::span< const uint8_t > data)=0 |
| virtual secure_vector< uint8_t > | tls_ephemeral_key_agreement (const std::variant< TLS::Group_Params, DL_Group > &group, const PK_Key_Agreement_Key &private_key, const std::vector< uint8_t > &public_value, RandomNumberGenerator &rng, const Policy &policy) |
| virtual void | tls_examine_extensions (const Extensions &extn, Connection_Side which_side, Handshake_Type which_message) |
| virtual std::unique_ptr< PK_Key_Agreement_Key > | tls_generate_ephemeral_key (const std::variant< TLS::Group_Params, DL_Group > &group, RandomNumberGenerator &rng) |
| virtual void | tls_inspect_handshake_msg (const Handshake_Message &message) |
| virtual secure_vector< uint8_t > | tls_kem_decapsulate (TLS::Group_Params group, const Private_Key &private_key, const std::vector< uint8_t > &encapsulated_bytes, RandomNumberGenerator &rng, const Policy &policy) |
| virtual KEM_Encapsulation | tls_kem_encapsulate (TLS::Group_Params group, const std::vector< uint8_t > &encoded_public_key, RandomNumberGenerator &rng, const Policy &policy) |
| virtual std::unique_ptr< Private_Key > | tls_kem_generate_key (TLS::Group_Params group, RandomNumberGenerator &rng) |
| virtual void | tls_log_debug (const char *what) |
| virtual void | tls_log_debug_bin (const char *descr, const uint8_t val[], size_t val_len) |
| virtual void | tls_log_error (const char *err) |
| virtual void | tls_modify_extensions (Extensions &extn, Connection_Side which_side, Handshake_Type which_message) |
| virtual std::optional< OCSP::Response > | tls_parse_ocsp_response (const std::vector< uint8_t > &raw_response) |
| virtual bool | tls_peer_closed_connection () |
| virtual std::string | tls_peer_network_identity () |
| virtual std::vector< std::vector< uint8_t > > | tls_provide_cert_chain_status (const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr) |
| virtual std::vector< uint8_t > | tls_provide_cert_status (const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr) |
| virtual void | tls_record_received (uint64_t seq_no, std::span< const uint8_t > data)=0 |
| virtual std::string | tls_server_choose_app_protocol (const std::vector< std::string > &client_protos) |
| virtual void | tls_session_activated () |
| virtual void | tls_session_established (const Session_Summary &session) |
| virtual bool | tls_should_persist_resumption_information (const Session &session) |
| virtual std::vector< uint8_t > | tls_sign_message (const Private_Key &key, RandomNumberGenerator &rng, std::string_view padding, Signature_Format format, const std::vector< uint8_t > &msg) |
| virtual void | tls_verify_cert_chain (const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy) |
| virtual std::chrono::milliseconds | tls_verify_cert_chain_ocsp_timeout () const |
| virtual bool | tls_verify_message (const Public_Key &key, std::string_view padding, Signature_Format format, const std::vector< uint8_t > &msg, const std::vector< uint8_t > &sig) |
| virtual void | tls_verify_raw_public_key (const Public_Key &raw_public_key, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy) |
| virtual | ~Callbacks ()=default |
Encapsulates the callbacks that a TLS channel will make which are due to channel specific operations.
Definition at line 44 of file tls_callbacks.h.
|
virtualdefault |
|
pure virtual |
Mandatory callback: alert received Called when an alert is received from the peer If fatal, the connection is closing. If not fatal, the connection may still be closing (depending on the error and the peer).
| alert | the source of the alert |
|
virtual |
Optional callback: return a custom time stamp value
This allows the library user to specify a custom "now" timestamp when needed. By default it will use the current system clock time.
Note that typical usages will not need to override this callback but it is useful for testing purposes to allow for deterministic test outcomes.
Definition at line 59 of file tls_callbacks.cpp.
Referenced by Botan::TLS::make_hello_random(), Botan::TLS::PSK::PSK(), and Botan::TLS::Session_Manager::retrieve().
|
pure virtual |
Mandatory callback: output function The channel will call this with data which needs to be sent to the peer (eg, over a socket or some other form of IPC). The array will be overwritten when the function returns so a copy must be made if the data cannot be sent immediately.
| data | a contiguous data buffer to send |
|
virtual |
Agree on a shared secret with the peer's ephemeral public key for the TLS handshake.
Applications may use this to add custom groups, curves or entirely different ephemeral key agreement mechanisms to the TLS handshake. Note that this callback must be used in conjunction with Callbacks::tls_generate_ephemeral_key.
Typical use cases of the library don't need to do that and serious security risks are associated with customizing TLS's key exchange mechanism.
| group | the TLS group identifier to be used TLS 1.2 allows for specifying custom discrete logarithm parameters as part of the protocol. Hence the variant<>. |
| private_key | the private key (generated ahead in tls_generate_ephemeral_key) |
| public_value | the public key exchange information received by the peer |
| rng | a random number generator |
| policy | a TLS policy object |
Definition at line 294 of file tls_callbacks.cpp.
References Botan::OctetString::bits_of(), BOTAN_ASSERT_NOMSG, Botan::TLS::Policy::check_peer_key_acceptable(), Botan::BigInt::decode(), Botan::PK_Key_Agreement::derive_key(), Botan::EC_Group::OS2ECP(), and Y.
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Client_Key_Exchange::Client_Key_Exchange().
|
virtual |
Optional callback: examine peer extensions.
Both client and server will call this callback with the Extensions object after receiving it from the peer. This allows examining the Extensions, for example to implement a custom extension. It also allows an application to require that a particular extension be implemented; throw an exception from this function to abort the handshake.
Default implementation does nothing.
| extn | the extensions |
| which_side | will be Connection_Side::Client if these are are the clients extensions (ie we are the server) or Connection_Side::Server if these are the server extensions (we are the client). |
| which_message | will state the handshake message type containing the extensions |
Definition at line 67 of file tls_callbacks.cpp.
Referenced by Botan::TLS::Certificate_13::validate_extensions().
|
virtual |
Generate an ephemeral key pair for the TLS handshake.
Applications may use this to add custom groups, curves or entirely different ephemeral key agreement mechanisms to the TLS handshake. Note that this callback must be used in conjunction with Callbacks::tls_ephemeral_key_agreement.
Typical use cases of the library don't need to do that and serious security risks are associated with customizing TLS's key exchange mechanism.
| TLS_Exception(Alert::DecodeError) | if the group is not known. |
| group | the group identifier to generate an ephemeral keypair for TLS 1.2 allows for specifying custom discrete logarithm parameters as part of the protocol. Hence the variant<>. |
| rng | a random number generator |
Definition at line 260 of file tls_callbacks.cpp.
References BOTAN_ASSERT_NOMSG.
Referenced by Botan::TLS::Client_Key_Exchange::Client_Key_Exchange(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
|
virtual |
Optional callback: inspect handshake message Throw an exception to abort the handshake. Default simply ignores the message.
Note: On connections that negotiated TLS 1.3 this callback is also invoked for post-handshake messages.
| message | the handshake message |
Definition at line 47 of file tls_callbacks.cpp.
Referenced by Botan::TLS::Handshake_State::note_message().
|
virtual |
Performs a key decapsulation operation (used for TLS 1.3 clients).
Applications may use this to add custom KEM algorithms or entirely different key exchange schemes to the TLS 1.3 handshake. For instance, this could provide an entry point to implement a hybrid key exchange with both a traditional algorithm like ECDH and a quantum-secure KEM. Typical use cases of the library don't need to do that and serious security risks are associated with customizing TLS's key encapsulation mechanism.
Note that the KEM interface is usable for TLS 1.3 handshakes, only.
The default implementation simply delegates this to the tls_ephemeral_key_agreement() callback to obtain the shared secret.
| group | the group identifier of the KEM/KEX algorithm |
| private_key | the private key used for decapsulation/KEX |
| encapsulated_bytes | the content to decapsulate (or the public key share) |
| rng | a random number generator |
| policy | a TLS policy object |
encapsulated_bytes after decapsulation with private_key. Definition at line 222 of file tls_callbacks.cpp.
References Botan::PK_KEM_Decryptor::decrypt(), and Botan::TLS::Group_Params::is_kem().
|
virtual |
Performs a key encapsulation operation (used for TLS 1.3 servers)
Applications may use this to add custom KEM algorithms or entirely different key exchange schemes to the TLS 1.3 handshake. For instance, this could provide an entry point to implement a hybrid key exchange with both a traditional algorithm like ECDH and a quantum-secure KEM. Typical use cases of the library don't need to do that and serious security risks are associated with customizing TLS's key encapsulation mechanism.
Note that the KEM interface is usable for TLS 1.3 handshakes, only.
The default implementation implements this key encapsulation as a combination of tls_generate_ephemeral_key() followed by tls_ephemeral_key_agreement() with the provided encoded_public_key. The just-generated ephemeral private key is destroyed immediately.
| group | the group identifier of the KEM/KEX algorithm |
| encoded_public_key | the public key used for encapsulation/KEX |
| rng | a random number generator |
| policy | a TLS policy object |
encoded_public_key. Definition at line 183 of file tls_callbacks.cpp.
References Botan::PK_KEM_Encryptor::encrypt(), Botan::TLS::Group_Params::is_kem(), Botan::TLS::Group_Params::is_pqc_hybrid(), Botan::TLS::Group_Params::is_pure_frodokem(), Botan::TLS::Group_Params::is_pure_kyber(), Botan::TLS::Hybrid_KEM_PublicKey::load_for_group(), and Botan::TLS::Group_Params::to_string().
|
virtual |
Generate an ephemeral KEM key for a TLS 1.3 handshake
Applications may use this to add custom KEM algorithms or entirely different key exchange schemes to the TLS 1.3 handshake. For instance, this could provide an entry point to implement a hybrid key exchange with both a traditional algorithm like ECDH and a quantum-secure KEM. Typical use cases of the library don't need to do that and serious security risks are associated with customizing TLS's key encapsulation mechanism.
Note that the KEM interface is usable for TLS 1.3 handshakes, only.
The default implementation simply delegates this to the tls_generate_ephemeral_key() call when appropriate.
| group | the group identifier to generate an ephemeral keypair for |
| rng | a random number generator |
Definition at line 161 of file tls_callbacks.cpp.
References Botan::TLS::Hybrid_KEM_PrivateKey::generate_from_group(), Botan::TLS::Group_Params::is_pqc_hybrid(), Botan::TLS::Group_Params::is_pure_frodokem(), Botan::TLS::Group_Params::is_pure_kyber(), and Botan::TLS::Group_Params::to_string().
|
inlinevirtual |
Optional callback: debug logging. (not currently called)
| what | Some hopefully informative string |
Definition at line 552 of file tls_callbacks.h.
References BOTAN_UNUSED.
|
inlinevirtual |
Optional callback: debug logging taking a buffer. (not currently called)
| descr | What this buffer is |
| val | the bytes |
| val_len | length of val |
Definition at line 560 of file tls_callbacks.h.
References BOTAN_UNUSED.
|
inlinevirtual |
Optional callback: error logging. (not currently called)
| err | An error message related to this connection. |
Definition at line 546 of file tls_callbacks.h.
References BOTAN_UNUSED.
|
virtual |
Optional callback: examine/modify Extensions before sending.
Both client and server will call this callback on the Extensions object before serializing it in the specific handshake message. This allows an application to modify which extensions are sent during the handshake.
Default implementation does nothing.
| extn | the extensions |
| which_side | will be Connection_Side::Client or Connection_Side::Server which is the current applications role in the exchange. |
| which_message | will state the handshake message type containing the extensions |
Definition at line 63 of file tls_callbacks.cpp.
Referenced by Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_12::Client_Hello_12(), Botan::TLS::Client_Hello_13::Client_Hello_13(), Botan::TLS::Encrypted_Extensions::Encrypted_Extensions(), Botan::TLS::Hello_Retry_Request::Hello_Retry_Request(), Botan::TLS::New_Session_Ticket_13::New_Session_Ticket_13(), Botan::TLS::Client_Hello_13::retry(), Botan::TLS::Server_Hello_12::Server_Hello_12(), and Botan::TLS::Server_Hello_13::Server_Hello_13().
|
virtual |
Optional callback: parse a single OCSP Response
Note: Typically a user of the library would not want to override this callback. We provide this callback to be able to support OCSP related tests from BoringSSL's BoGo tests that provide unparsable responses.
Default implementation tries to parse the provided raw OCSP response.
This function should not throw an exception but return a std::nullopt if the OCSP response cannot be parsed.
| raw_response | raw OCSP response buffer |
Definition at line 123 of file tls_callbacks.cpp.
|
inlinevirtual |
Optional callback: peer closed connection (sent a "close_notify" alert)
The peer signaled that it wishes to shut down the connection. The application should not expect to receive any more data from the peer and may tear down the underlying transport socket.
Prior to TLS 1.3 it was required that peers discard pending writes and immediately respond with their own "close_notify". With TLS 1.3, applications can continue to send data despite the peer having already signaled their wish to shut down.
Returning true will cause the TLS 1.3 implementation to write all pending data and then also signal a connection shut down. Otherwise the application is responsible to call the Channel::close() method.
For TLS 1.2 the return value has no effect.
Definition at line 115 of file tls_callbacks.h.
|
virtual |
Optional callback: return peer network identity
There is no expected or specified format. The only expectation is this function will return a unique value. For example returning the peer host IP and port.
This is used to bind the DTLS cookie to a particular network identity. It is only called if the dtls-cookie-secret PSK is also defined.
Definition at line 55 of file tls_callbacks.cpp.
|
virtual |
Called by TLS 1.3 client or server whenever the peer indicated that OCSP stapling is supported. In contrast to tls_provide_cert_status, this allows providing OCSP responses for each certificate in the chain.
The default implementation invokes tls_provide_cert_status assuming that no OCSP responses for intermediate certificates are available.
chain. Definition at line 132 of file tls_callbacks.cpp.
|
inlinevirtual |
Called by the TLS server whenever the client included the status_request extension (see RFC 6066, a.k.a OCSP stapling) in the ClientHello.
Definition at line 226 of file tls_callbacks.h.
References BOTAN_UNUSED.
|
pure virtual |
Mandatory callback: process application data Called when application data record is received from the peer. Again the array is overwritten immediately after the function returns.
| seq_no | the underlying TLS/DTLS record sequence number |
| data | a contiguous data buffer containing the received record |
Referenced by Botan::TLS::Channel_Impl_13::from_peer().
|
virtual |
Optional callback for server: choose ALPN protocol
ALPN (RFC 7301) works by the client sending a list of application protocols it is willing to negotiate. The server then selects which protocol to use. RFC 7301 requires that if the server does not support any protocols offered by the client, then it should close the connection with an alert of no_application_protocol. Within this callback this would be done by throwing a TLS_Exception(Alert::NoApplicationProtocol)
| client_protos | the vector of protocols the client is willing to negotiate |
The default implementation returns the empty string, causing client ALPN to be ignored.
It is highly recommended to support ALPN whenever possible to avoid cross-protocol attacks.
Definition at line 51 of file tls_callbacks.cpp.
Referenced by Botan::TLS::Encrypted_Extensions::Encrypted_Extensions().
|
inlinevirtual |
Optional callback: session activated Called when a session is active and can be written to
Definition at line 93 of file tls_callbacks.h.
Referenced by Botan::TLS::Channel_Impl_12::activate_session().
|
inlinevirtual |
Optional callback: session established Called when a session is established. Throw an exception to abort the connection.
| session | the session descriptor |
Definition at line 87 of file tls_callbacks.h.
References BOTAN_UNUSED.
|
virtual |
Optional callback: Resumption information was received/established
TLS 1.3 calls this when we sent or received a TLS 1.3 session ticket at any point after the initial handshake has finished.
TLS 1.2 calls this when a session was established successfully and its resumption information may be stored for later usage.
Note that for servers this is called as soon as resumption information is available and could be sent to the client. If this callback returns 'false', the information will neither be cached nor sent.
| session | the session descriptor |
Definition at line 71 of file tls_callbacks.cpp.
References Botan::TLS::Protocol_Version::is_pre_tls_13(), Botan::TLS::Session::lifetime_hint(), and Botan::TLS::Session_Base::version().
|
virtual |
Optional callback with default impl: sign a message
Default implementation uses PK_Signer::sign_message(). Override to provide a different approach, e.g. using an external device.
| key | the private key of the signer |
| rng | a random number generator |
| padding | the encoding method to be applied to the message |
| format | the signature format |
| msg | the input data for the signature |
Definition at line 141 of file tls_callbacks.cpp.
References Botan::PK_Signer::sign_message().
Referenced by Botan::TLS::Certificate_Verify_12::Certificate_Verify_12(), Botan::TLS::Certificate_Verify_13::Certificate_Verify_13(), and Botan::TLS::Server_Key_Exchange::Server_Key_Exchange().
|
virtual |
Optional callback with default impl: verify cert chain
Default implementation performs a standard PKIX validation and initiates network OCSP request for end-entity cert. Override to provide different behavior.
Check the certificate chain is valid up to a trusted root, and optionally (if hostname != "") that the hostname given is consistent with the leaf certificate.
This function should throw an exception derived from std::exception with an informative what() result if the certificate chain cannot be verified.
| cert_chain | specifies a certificate chain leading to a trusted root CA certificate. |
| ocsp_responses | the server may have provided some |
| trusted_roots | the list of trusted certificates |
| usage | what this cert chain is being used for Usage_Type::TLS_SERVER_AUTH for server chains, Usage_Type::TLS_CLIENT_AUTH for client chains, Usage_Type::UNSPECIFIED for other uses |
| hostname | when authenticating a server, this is the hostname the client requested (eg via SNI). When authenticating a client, this is the server name the client is authenticating to. Empty in other cases or if no hostname was used. |
| policy | the TLS policy associated with the session being authenticated using the certificate chain |
Definition at line 86 of file tls_callbacks.cpp.
References Botan::TLS::Policy::minimum_signature_strength(), Botan::TLS::Policy::require_cert_revocation_info(), Botan::Path_Validation_Result::result_string(), Botan::Path_Validation_Result::successful_validation(), Botan::TLS_SERVER_AUTH, and Botan::x509_path_validate().
|
inlinevirtual |
Called by default tls_verify_cert_chain to get the timeout to use for OCSP requests. Return 0 to disable online OCSP checks.
This function should not be "const" since the implementation might need to perform some side effecting operation to compute the result.
Definition at line 212 of file tls_callbacks.h.
|
virtual |
Optional callback with default impl: verify a message signature
Default implementation uses PK_Verifier::verify_message(). Override to provide a different approach, e.g. using an external device.
| key | the public key of the signer |
| padding | the encoding method to be applied to the message |
| format | the signature format |
| msg | the input data for the signature |
| sig | the signature to be checked |
Definition at line 151 of file tls_callbacks.cpp.
References Botan::PK_Verifier::verify_message().
Referenced by Botan::TLS::Certificate_Verify_13::verify(), Botan::TLS::Server_Key_Exchange::verify(), and Botan::TLS::Certificate_Verify_12::verify().
|
virtual |
Optional callback. Default impl always rejects.
This allows using raw public keys for authentication of peers as described in RFC 7250 and RFC 8446 4.2.2. Applications that wish to use raw public keys MUST override this callback to verify the authenticity of the received public keys.
Default implementation always rejects the raw public key.
This function should throw an exception derived from std::exception with an informative what() result if the raw public key cannot be verified.
| raw_public_key | specifies the raw public key to be used for peer authentication |
| usage | what this cert chain is being used for Usage_Type::TLS_SERVER_AUTH for server chains, Usage_Type::TLS_CLIENT_AUTH for client chains, |
| hostname | when authenticating a server, this is the hostname the client requested (eg via SNI). When authenticating a client, this is the server name the client is authenticating to. Empty in other cases or if no hostname was used. |
| policy | the TLS policy associated with the session being authenticated using the raw public key |
Definition at line 113 of file tls_callbacks.cpp.
References BOTAN_UNUSED.
Referenced by Botan::TLS::Certificate_13::verify().
1.10.0