doxygen/msg__server__kex_8cpp_source.html

/*

* Server Key Exchange Message

* (C) 2004-2010,2012,2015,2016 Jack Lloyd

*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/tls_messages.h>


#include <botan/credentials_manager.h>

#include <botan/pubkey.h>

#include <botan/tls_extensions.h>

#include <botan/internal/loadstor.h>

#include <botan/internal/target_info.h>

#include <botan/internal/tls_handshake_io.h>

#include <botan/internal/tls_handshake_state.h>

#include <botan/internal/tls_reader.h>


#include <botan/dh.h>


namespace Botan::TLS {


/**

* Create a new Server Key Exchange message

*/


Server_Key_Exchange::Server_Key_Exchange(Handshake_IO& io,

                                         Handshake_State& state,

                                         const Policy& policy,

                                         Credentials_Manager& creds,

                                         RandomNumberGenerator& rng,

                                         const Private_Key* signing_key) {

   const std::string hostname = state.client_hello()->sni_hostname();

   const Kex_Algo kex_algo = state.ciphersuite().kex_method();


   if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::ECDHE_PSK) {

      std::string identity_hint = creds.psk_identity_hint("tls-server", hostname);


      append_tls_length_value(m_params, identity_hint, 2);

   }


   if(kex_algo == Kex_Algo::DH) {

      const std::vector<Group_Params> dh_groups = state.client_hello()->supported_dh_groups();


      m_shared_group = Group_Params::NONE;


      /*

      RFC 7919 requires that if the client sends any groups in the FFDHE

      range, that we must select one of these. If this is not possible,

      then we are required to reject the connection.


      If the client did not send any DH groups, but did offer DH ciphersuites

      and we selected one, then consult the policy for which DH group to pick.

      */


      if(dh_groups.empty()) {

         m_shared_group = policy.default_dh_group();

      } else {

         m_shared_group = policy.choose_key_exchange_group(dh_groups, {});

      }


      if(m_shared_group.value() == Group_Params::NONE) {

         throw TLS_Exception(Alert::HandshakeFailure, "Could not agree on a DH group with the client");

      }


      // The policy had better return a group we know about:

      BOTAN_ASSERT(m_shared_group.value().is_dh_named_group(), "DH ciphersuite is using a known finite field group");


      // Note: TLS 1.2 allows defining and using arbitrary DH groups (additional

      //       to the named and standardized ones). This API doesn't allow the

      //       server to make use of that at the moment. TLS 1.3 does not

      //       provide this flexibility!

      //

      // A possible implementation strategy in case one would ever need that:

      // `Policy::default_dh_group()` could return a `std::variant<Group_Params,

      // DL_Group>`, allowing it to define arbitrary groups.

      m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);

      auto* dh = dynamic_cast<DH_PrivateKey*>(m_kex_key.get());

      if(dh == nullptr) {

         throw TLS_Exception(Alert::InternalError, "Application did not provide a Diffie-Hellman key");

      }


      append_tls_length_value(m_params, dh->get_int_field("p").serialize(), 2);

      append_tls_length_value(m_params, dh->get_int_field("g").serialize(), 2);

      append_tls_length_value(m_params, dh->public_value(), 2);

   } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {

      const std::vector<Group_Params> ec_groups = state.client_hello()->supported_ecc_curves();


      if(ec_groups.empty()) {

         throw Internal_Error("Client sent no ECC extension but we negotiated ECDH");

      }


      m_shared_group = policy.choose_key_exchange_group(ec_groups, {});


      if(m_shared_group.value() == Group_Params::NONE) {

         throw TLS_Exception(Alert::HandshakeFailure, "No shared ECC group with client");

      }


      m_kex_key = [&] {

         if(m_shared_group->is_ecdh_named_curve()) {

            const auto pubkey_point_format = state.client_hello()->prefers_compressed_ec_points()

                                                ? EC_Point_Format::Compressed

                                                : EC_Point_Format::Uncompressed;

            return state.callbacks().tls12_generate_ephemeral_ecdh_key(*m_shared_group, rng, pubkey_point_format);

         } else {

            return state.callbacks().tls_generate_ephemeral_key(*m_shared_group, rng);

         }

      }();


      if(!m_kex_key) {

         throw TLS_Exception(Alert::InternalError, "Application did not provide an EC key");

      }


      const uint16_t named_curve_id = m_shared_group.value().wire_code();

      m_params.push_back(3);  // named curve

      m_params.push_back(get_byte<0>(named_curve_id));

      m_params.push_back(get_byte<1>(named_curve_id));


      // Note: In contrast to public_value(), raw_public_key_bits() takes the

      // point format (compressed vs. uncompressed) into account that was set

      // in its construction within tls_generate_ephemeral_key().

      append_tls_length_value(m_params, m_kex_key->raw_public_key_bits(), 1);

   } else if(kex_algo != Kex_Algo::PSK) {

      throw Internal_Error("Server_Key_Exchange: Unknown kex type " + kex_method_to_string(kex_algo));

   }


   if(state.ciphersuite().signature_used()) {

      BOTAN_ASSERT(signing_key, "Signing key was set");


      std::pair<std::string, Signature_Format> format = state.choose_sig_format(*signing_key, m_scheme, false, policy);


      std::vector<uint8_t> buf = state.client_hello()->random();


      buf += state.server_hello()->random();

      buf += params();


      m_signature = state.callbacks().tls_sign_message(*signing_key, rng, format.first, format.second, buf);

   }


   state.hash().update(io.send(*this));

}


/**

* Deserialize a Server Key Exchange message

*/


Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf,

                                         const Kex_Algo kex_algo,

                                         const Auth_Method auth_method,

                                         Protocol_Version version) {

   BOTAN_UNUSED(version);  // remove this

   TLS_Data_Reader reader("ServerKeyExchange", buf);


   /*

   * Here we are deserializing enough to find out what offset the

   * signature is at. All processing is done when the Client Key Exchange

   * is prepared.

   */


   if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::ECDHE_PSK) {

      reader.get_string(2, 0, 65535);  // identity hint

   }


   if(kex_algo == Kex_Algo::DH) {

      // 3 bigints, DH p, g, Y


      for(size_t i = 0; i != 3; ++i) {

         reader.get_range<uint8_t>(2, 1, 65535);

      }

   } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {

      reader.get_byte();                     // curve type

      reader.get_uint16_t();                 // curve id

      reader.get_range<uint8_t>(1, 1, 255);  // public key

   } else if(kex_algo != Kex_Algo::PSK) {

      throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_method_to_string(kex_algo));

   }


   m_params.assign(buf.data(), buf.data() + reader.read_so_far());


   if(auth_method != Auth_Method::IMPLICIT) {

      m_scheme = Signature_Scheme(reader.get_uint16_t());

      m_signature = reader.get_range<uint8_t>(2, 0, 65535);

   }


   reader.assert_done();

}


/**

* Serialize a Server Key Exchange message

*/

std::vector<uint8_t> Server_Key_Exchange::serialize() const {

   std::vector<uint8_t> buf = params();


   if(!m_signature.empty()) {

      if(m_scheme.is_set()) {

         buf.push_back(get_byte<0>(m_scheme.wire_code()));

         buf.push_back(get_byte<1>(m_scheme.wire_code()));

      }


      append_tls_length_value(buf, m_signature, 2);

   }


   return buf;

}


/**

* Verify a Server Key Exchange message

*/


bool Server_Key_Exchange::verify(const Public_Key& server_key,

                                 const Handshake_State& state,

                                 const Policy& policy) const {

   policy.check_peer_key_acceptable(server_key);


   std::pair<std::string, Signature_Format> format =

      state.parse_sig_format(server_key, m_scheme, state.client_hello()->signature_schemes(), false, policy);


   std::vector<uint8_t> buf = state.client_hello()->random();


   buf += state.server_hello()->random();

   buf += params();


   const bool signature_valid =

      state.callbacks().tls_verify_message(server_key, format.first, format.second, buf, m_signature);


#if defined(BOTAN_UNSAFE_FUZZER_MODE)

   BOTAN_UNUSED(signature_valid);

   return true;

#else

   return signature_valid;

#endif

}


const PK_Key_Agreement_Key& Server_Key_Exchange::server_kex_key() const {

   BOTAN_ASSERT_NONNULL(m_kex_key);

   return *m_kex_key;

}


}  // namespace Botan::TLS

BOTAN_UNUSED
#define BOTAN_UNUSED
Definition assert.h:144

BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114

BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62

Botan::Credentials_Manager
Definition credentials_manager.h:34

Botan::Credentials_Manager::psk_identity_hint
virtual std::string psk_identity_hint(const std::string &type, const std::string &context)
Definition credentials_manager.cpp:15

Botan::DH_PrivateKey
Definition dh.h:84

Botan::Decoding_Error
Definition exceptn.h:191

Botan::Internal_Error
Definition exceptn.h:321

Botan::PK_Key_Agreement_Key
Definition pk_keys.h:415

Botan::Private_Key
Definition pk_keys.h:291

Botan::Public_Key
Definition pk_keys.h:148

Botan::RandomNumberGenerator
Definition rng.h:30

Botan::TLS::Callbacks::tls12_generate_ephemeral_ecdh_key
virtual std::unique_ptr< PK_Key_Agreement_Key > tls12_generate_ephemeral_ecdh_key(TLS::Group_Params group, RandomNumberGenerator &rng, EC_Point_Format tls12_ecc_pubkey_encoding_format)
Definition tls_callbacks.cpp:356

Botan::TLS::Callbacks::tls_sign_message
virtual std::vector< uint8_t > tls_sign_message(const Private_Key &key, RandomNumberGenerator &rng, std::string_view padding, Signature_Format format, const std::vector< uint8_t > &msg)
Definition tls_callbacks.cpp:140

Botan::TLS::Callbacks::tls_generate_ephemeral_key
virtual std::unique_ptr< PK_Key_Agreement_Key > tls_generate_ephemeral_key(const std::variant< TLS::Group_Params, DL_Group > &group, RandomNumberGenerator &rng)
Definition tls_callbacks.cpp:322

Botan::TLS::Callbacks::tls_verify_message
virtual bool tls_verify_message(const Public_Key &key, std::string_view padding, Signature_Format format, const std::vector< uint8_t > &msg, const std::vector< uint8_t > &sig)
Definition tls_callbacks.cpp:150

Botan::TLS::Ciphersuite::signature_used
bool signature_used() const
Definition tls_ciphersuite.cpp:94

Botan::TLS::Ciphersuite::kex_method
Kex_Algo kex_method() const
Definition tls_ciphersuite.h:96

Botan::TLS::Group_Params::wire_code
constexpr uint16_t wire_code() const
Definition tls_algos.h:165

Botan::TLS::Handshake_Hash::update
void update(const uint8_t in[], size_t length)
Definition tls_handshake_hash.h:21

Botan::TLS::Handshake_IO
Definition tls_handshake_io.h:44

Botan::TLS::Handshake_IO::send
virtual std::vector< uint8_t > send(const Handshake_Message &msg)=0

Botan::TLS::Handshake_Message::serialize
virtual std::vector< uint8_t > serialize() const =0

Botan::TLS::Handshake_State
Definition tls_handshake_state.h:59

Botan::TLS::Handshake_State::parse_sig_format
std::pair< std::string, Signature_Format > parse_sig_format(const Public_Key &key, Signature_Scheme scheme, const std::vector< Signature_Scheme > &offered_schemes, bool for_client_auth, const Policy &policy) const
Definition tls_handshake_state.cpp:316

Botan::TLS::Handshake_State::client_hello
void client_hello(std::unique_ptr< Client_Hello_12 > client_hello)
Definition tls_handshake_state.cpp:110

Botan::TLS::Handshake_State::callbacks
Callbacks & callbacks() const
Definition tls_handshake_state.h:165

Botan::TLS::Handshake_State::server_hello
void server_hello(std::unique_ptr< Server_Hello_12 > server_hello)
Definition tls_handshake_state.cpp:121

Botan::TLS::Handshake_State::ciphersuite
const Ciphersuite & ciphersuite() const
Definition tls_handshake_state.cpp:200

Botan::TLS::Handshake_State::hash
Handshake_Hash & hash()
Definition tls_handshake_state.h:171

Botan::TLS::Handshake_State::choose_sig_format
std::pair< std::string, Signature_Format > choose_sig_format(const Private_Key &key, Signature_Scheme &scheme, bool for_client_auth, const Policy &policy) const
Definition tls_handshake_state.cpp:263

Botan::TLS::Policy
Definition tls_policy.h:32

Botan::TLS::Policy::check_peer_key_acceptable
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition tls_policy.cpp:275

Botan::TLS::Policy::default_dh_group
virtual Group_Params default_dh_group() const
Definition tls_policy.cpp:163

Botan::TLS::Policy::choose_key_exchange_group
virtual Group_Params choose_key_exchange_group(const std::vector< Group_Params > &supported_by_peer, const std::vector< Group_Params > &offered_by_peer) const
Definition tls_policy.cpp:122

Botan::TLS::Protocol_Version
Definition tls_version.h:34

Botan::TLS::Server_Key_Exchange::verify
bool verify(const Public_Key &server_key, const Handshake_State &state, const Policy &policy) const
Definition msg_server_kex.cpp:208

Botan::TLS::Server_Key_Exchange::server_kex_key
const PK_Key_Agreement_Key & server_kex_key() const
Definition msg_server_kex.cpp:232

Botan::TLS::Server_Key_Exchange::params
const std::vector< uint8_t > & params() const
Definition tls_messages.h:885

Botan::TLS::Server_Key_Exchange::Server_Key_Exchange
Server_Key_Exchange(Handshake_IO &io, Handshake_State &state, const Policy &policy, Credentials_Manager &creds, RandomNumberGenerator &rng, const Private_Key *signing_key=nullptr)
Definition msg_server_kex.cpp:27

Botan::TLS::Signature_Scheme
Definition tls_signature_scheme.h:23

Botan::TLS::Signature_Scheme::wire_code
Signature_Scheme::Code wire_code() const noexcept
Definition tls_signature_scheme.h:68

Botan::TLS::Signature_Scheme::is_set
bool is_set() const noexcept
Definition tls_signature_scheme.cpp:57

Botan::TLS::TLS_Data_Reader
Definition tls_reader.h:25

Botan::TLS::TLS_Data_Reader::get_string
std::string get_string(size_t len_bytes, size_t min_bytes, size_t max_bytes)
Definition tls_reader.h:123

Botan::TLS::TLS_Data_Reader::assert_done
void assert_done() const
Definition tls_reader.h:30

Botan::TLS::TLS_Data_Reader::read_so_far
size_t read_so_far() const
Definition tls_reader.h:36

Botan::TLS::TLS_Data_Reader::get_byte
uint8_t get_byte()
Definition tls_reader.h:83

Botan::TLS::TLS_Data_Reader::get_range
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition tls_reader.h:110

Botan::TLS::TLS_Data_Reader::get_uint16_t
uint16_t get_uint16_t()
Definition tls_reader.h:71

Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19

Botan::TLS
Definition asio_context.cpp:17

Botan::TLS::Kex_Algo
Kex_Algo
Definition tls_algos.h:258

Botan::TLS::Kex_Algo::ECDH
@ ECDH
Definition tls_algos.h:261

Botan::TLS::Kex_Algo::PSK
@ PSK
Definition tls_algos.h:262

Botan::TLS::Kex_Algo::ECDHE_PSK
@ ECDHE_PSK
Definition tls_algos.h:263

Botan::TLS::Kex_Algo::DH
@ DH
Definition tls_algos.h:260

Botan::TLS::Auth_Method
Auth_Method
Definition tls_algos.h:66

Botan::TLS::Auth_Method::IMPLICIT
@ IMPLICIT
Definition tls_algos.h:74

Botan::TLS::append_tls_length_value
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:184

Botan::TLS::kex_method_to_string
std::string kex_method_to_string(Kex_Algo method)
Definition tls_algos.cpp:27

Botan::get_byte
constexpr uint8_t get_byte(T input)
Definition loadstor.h:79

Botan::EC_Point_Format::Compressed
@ Compressed
Definition ec_point_format.h:23

Botan::EC_Point_Format::Uncompressed
@ Uncompressed
Definition ec_point_format.h:22