9#include <botan/internal/tls_channel_impl_12.h>
12#include <botan/tls_messages.h>
13#include <botan/tls_policy.h>
14#include <botan/x509cert.h>
15#include <botan/internal/loadstor.h>
16#include <botan/internal/mem_utils.h>
17#include <botan/internal/stl_util.h>
18#include <botan/internal/tls_handshake_state.h>
19#include <botan/internal/tls_record.h>
20#include <botan/internal/tls_seq_numbers.h>
26 const std::shared_ptr<RandomNumberGenerator>&
rng,
27 const std::shared_ptr<const Policy>&
policy,
30 size_t reserved_io_buffer_size) :
31 m_is_server(is_server),
32 m_is_datagram(is_datagram),
37 m_has_been_closed(false) {
44 m_write_cipher_states[0] =
nullptr;
45 m_read_cipher_states[0] =
nullptr;
47 m_writebuf.reserve(reserved_io_buffer_size);
48 m_readbuf.reserve(reserved_io_buffer_size);
51void Channel_Impl_12::reset_state() {
52 m_active_state.reset();
53 m_pending_state.reset();
55 m_write_cipher_states.clear();
56 m_read_cipher_states.clear();
62 m_active_state.reset();
63 m_read_cipher_states.clear();
64 m_write_cipher_states.clear();
66 m_write_cipher_states[0] =
nullptr;
67 m_read_cipher_states[0] =
nullptr;
69 if(m_sequence_numbers) {
70 m_sequence_numbers->reset();
77 BOTAN_ASSERT(m_sequence_numbers,
"Have a sequence numbers object");
78 return *m_sequence_numbers;
81std::shared_ptr<Connection_Cipher_State> Channel_Impl_12::read_cipher_state_epoch(uint16_t epoch)
const {
82 auto i = m_read_cipher_states.find(epoch);
83 if(i == m_read_cipher_states.end()) {
84 throw Internal_Error(
"TLS::Channel_Impl_12 No read cipherstate for epoch " + std::to_string(epoch));
89std::shared_ptr<Connection_Cipher_State> Channel_Impl_12::write_cipher_state_epoch(uint16_t epoch)
const {
90 auto i = m_write_cipher_states.find(epoch);
91 if(i == m_write_cipher_states.end()) {
92 throw Internal_Error(
"TLS::Channel_Impl_12 No write cipherstate for epoch " + std::to_string(epoch));
98 if(
const auto* active = active_state()) {
101 return std::vector<X509_Certificate>();
105 const auto* state = (active_state() !=
nullptr) ? active_state() : pending_state();
106 if(state !=
nullptr) {
107 return state->psk_identity();
114 if(pending_state() !=
nullptr) {
115 throw Internal_Error(
"create_handshake_state called during handshake");
118 if(
const auto* active = active_state()) {
123 "Active state using version " + active_version.
to_string() +
" cannot change to " +
128 if(!m_sequence_numbers) {
130 m_sequence_numbers = std::make_unique<Datagram_Sequence_Numbers>();
132 m_sequence_numbers = std::make_unique<Stream_Sequence_Numbers>();
136 using namespace std::placeholders;
138 std::unique_ptr<Handshake_IO> io;
144 auto send_record_f = [
this](uint16_t epoch,
Record_Type record_type,
const std::vector<uint8_t>& record) {
145 send_record_under_epoch(epoch, record_type, record);
147 io = std::make_unique<Datagram_Handshake_IO>(
148 send_record_f, sequence_numbers(), mtu, initial_timeout_ms, max_timeout_ms);
150 auto send_record_f = [
this](
Record_Type rec_type,
const std::vector<uint8_t>& record) {
151 send_record(rec_type, record);
153 io = std::make_unique<Stream_Handshake_IO>(send_record_f);
158 if(
const auto* active = active_state()) {
159 m_pending_state->set_version(active->version());
162 return *m_pending_state;
166 if(m_pending_state) {
167 return m_pending_state->handshake_io().timeout_check();
175 if(pending_state() !=
nullptr) {
179 if(
const auto* active = active_state()) {
180 if(!force_full_renegotiation) {
186 throw Invalid_State(
"Cannot renegotiate on inactive connection");
195 const auto* pending = pending_state();
197 BOTAN_ASSERT(pending && pending->server_hello(),
"Have received server hello");
199 if(pending->server_hello()->compression_method() != 0) {
203 sequence_numbers().new_read_cipher_state();
205 const uint16_t epoch = sequence_numbers().current_read_epoch();
207 BOTAN_ASSERT(!m_read_cipher_states.contains(epoch),
"No read cipher state currently set for next epoch");
210 std::shared_ptr<Connection_Cipher_State> read_state(
214 pending->ciphersuite(),
215 pending->session_keys(),
216 pending->server_hello()->supports_encrypt_then_mac()));
218 m_read_cipher_states[epoch] = read_state;
222 const auto* pending = pending_state();
224 BOTAN_ASSERT(pending && pending->server_hello(),
"Have received server hello");
226 if(pending->server_hello()->compression_method() != 0) {
230 sequence_numbers().new_write_cipher_state();
232 const uint16_t epoch = sequence_numbers().current_write_epoch();
234 BOTAN_ASSERT(!m_write_cipher_states.contains(epoch),
"No write cipher state currently set for next epoch");
236 std::shared_ptr<Connection_Cipher_State> write_state(
240 pending->ciphersuite(),
241 pending->session_keys(),
242 pending->server_hello()->supports_encrypt_then_mac()));
244 m_write_cipher_states[epoch] = write_state;
248 return (active_state() !=
nullptr);
256 return m_has_been_closed;
260 std::swap(m_active_state, m_pending_state);
261 m_pending_state.reset();
263 if(!m_active_state->version().is_datagram_protocol()) {
265 const uint16_t current_epoch = sequence_numbers().current_write_epoch();
267 const auto not_current_epoch = [current_epoch](uint16_t epoch) {
return (epoch != current_epoch); };
279 const auto* input = data.data();
280 auto input_size = data.size();
283 while(input_size > 0) {
286 auto get_epoch = [
this](uint16_t epoch) {
return read_cipher_state_epoch(epoch); };
294 m_sequence_numbers.get(),
296 allow_epoch0_restart);
298 const size_t needed = record.
needed();
302 BOTAN_ASSERT(consumed <= input_size,
"Record reader consumed sane amount");
305 input_size -= consumed;
307 BOTAN_ASSERT(input_size == 0 || needed == 0,
"Got a full record or consumed all input");
309 if(input_size == 0 && needed != 0) {
319 throw TLS_Exception(Alert::RecordOverflow,
"TLS plaintext record is larger than allowed maximum");
322 const bool epoch0_restart = m_is_datagram && record.
epoch() == 0 && active_state() !=
nullptr;
325 const bool initial_record = epoch0_restart || (pending_state() ==
nullptr && active_state() ==
nullptr);
326 bool initial_handshake_message =
false;
336 throw TLS_Exception(Alert::ProtocolVersion,
"Received unexpected record version in initial record");
338 }
else if(
const auto* pending = pending_state()) {
339 if(pending->server_hello() !=
nullptr && !initial_handshake_message &&
340 record.
version() != pending->version()) {
341 throw TLS_Exception(Alert::ProtocolVersion,
"Received unexpected record version");
343 }
else if(
const auto* active = active_state()) {
344 if(record.
version() != active->version() && !initial_handshake_message) {
345 throw TLS_Exception(Alert::ProtocolVersion,
"Received unexpected record version");
351 if(m_has_been_closed) {
352 throw TLS_Exception(Alert::UnexpectedMessage,
"Received handshake data after connection closure");
354 process_handshake_ccs(m_record_buf, record.
sequence(), record.
type(), record.
version(), epoch0_restart);
356 if(m_has_been_closed) {
357 throw TLS_Exception(Alert::UnexpectedMessage,
"Received application data after connection closure");
359 if(pending_state() !=
nullptr) {
360 throw TLS_Exception(Alert::UnexpectedMessage,
"Can't interleave application and handshake data");
362 process_application_data(record.
sequence(), m_record_buf);
364 process_alert(m_record_buf);
367 " from counterparty");
388 uint64_t record_sequence,
391 bool epoch0_restart) {
392 if(!m_pending_state) {
395 if(m_sequence_numbers) {
402 const uint16_t epoch = record_sequence >> 48;
404 if(epoch == sequence_numbers().current_read_epoch()) {
406 }
else if(epoch == sequence_numbers().current_read_epoch() - 1) {
408 m_active_state->handshake_io().add_record(record.data(), record.size(), record_type, record_sequence);
419 if(m_pending_state) {
420 m_pending_state->handshake_io().add_record(record.data(), record.size(), record_type, record_sequence);
422 while(
auto* pending = m_pending_state.get()) {
423 auto msg = pending->get_next_handshake_msg();
431 if(!m_pending_state) {
439 if(active_state() ==
nullptr) {
440 throw Unexpected_Message(
"Application data before handshake done");
447 Alert alert_msg(record);
449 if(alert_msg.type() == Alert::NoRenegotiation) {
450 m_pending_state.reset();
455 if(alert_msg.is_fatal()) {
456 if(
const auto* active = active_state()) {
457 const auto& session_id = active->server_hello()->session_id();
458 if(!session_id.empty()) {
464 if(alert_msg.type() == Alert::CloseNotify) {
471 if(alert_msg.type() == Alert::CloseNotify || alert_msg.is_fatal()) {
472 m_has_been_closed =
true;
479 const uint8_t input[],
481 BOTAN_ASSERT(m_pending_state || m_active_state,
"Some connection state exists");
483 const Protocol_Version record_version =
484 (m_pending_state) ? (m_pending_state->version()) : (m_active_state->version());
486 const uint64_t next_seq = sequence_numbers().next_write_sequence(epoch);
488 if(cipher_state ==
nullptr) {
491 TLS::write_record(m_writebuf, record_type, record_version, next_seq, input, length, *cipher_state,
rng());
497void Channel_Impl_12::send_record_array(uint16_t epoch,
Record_Type type,
const uint8_t input[],
size_t length) {
502 auto cipher_state = write_cipher_state_epoch(epoch);
506 write_record(cipher_state.get(), epoch, type, input, sending);
513void Channel_Impl_12::send_record(
Record_Type record_type,
const std::vector<uint8_t>& record) {
514 send_record_array(sequence_numbers().current_write_epoch(), record_type, record.data(), record.size());
517void Channel_Impl_12::send_record_under_epoch(uint16_t epoch,
519 const std::vector<uint8_t>& record) {
520 send_record_array(epoch, record_type, record.data(), record.size());
525 throw Invalid_State(
"Data cannot be sent on inactive TLS connection");
532 const bool ready_to_send_anything = !
is_closed() && m_sequence_numbers;
533 if(alert.
is_valid() && ready_to_send_anything) {
540 if(alert.
type() == Alert::NoRenegotiation) {
541 m_pending_state.reset();
545 if(
const auto* active = active_state()) {
546 const auto& session_id = active->server_hello()->session_id();
547 if(!session_id.empty()) {
554 if(alert.
type() == Alert::CloseNotify || alert.
is_fatal()) {
555 m_has_been_closed =
true;
562 if(
const auto* active = active_state()) {
563 const bool active_sr = active->client_hello()->secure_renegotiation();
565 if(active_sr != secure_renegotiation) {
566 throw TLS_Exception(Alert::HandshakeFailure,
"Client changed its mind about secure renegotiation");
570 if(secure_renegotiation) {
574 throw TLS_Exception(Alert::HandshakeFailure,
"Client sent bad values for secure renegotiation");
582 if(
const auto* active = active_state()) {
583 const bool active_sr = active->server_hello()->secure_renegotiation();
585 if(active_sr != secure_renegotiation) {
586 throw TLS_Exception(Alert::HandshakeFailure,
"Server changed its mind about secure renegotiation");
590 if(secure_renegotiation) {
594 throw TLS_Exception(Alert::HandshakeFailure,
"Server sent bad values for secure renegotiation");
600 if(
const auto* active = active_state()) {
601 return active->client_finished()->verify_data();
603 return std::vector<uint8_t>();
607 if(
const auto* active = active_state()) {
608 std::vector<uint8_t> buf = active->client_finished()->verify_data();
609 buf += active->server_finished()->verify_data();
613 return std::vector<uint8_t>();
617 if(
const auto* active = active_state()) {
618 return active->server_hello()->secure_renegotiation();
621 if(
const auto* pending = pending_state()) {
622 if(
const auto* hello = pending->server_hello()) {
623 return hello->secure_renegotiation();
631 std::string_view context,
632 size_t length)
const {
633 if(
const auto* active = active_state()) {
634 if(pending_state() !=
nullptr) {
635 throw Invalid_State(
"Channel_Impl_12::key_material_export cannot export during renegotiation");
638 auto prf = active->protocol_specific_prf();
642 std::vector<uint8_t> salt;
643 salt += active->client_hello()->random();
644 salt += active->server_hello()->random();
646 if(!context.empty()) {
647 size_t context_size = context.length();
648 if(context_size > 0xFFFF) {
651 salt.push_back(
get_byte<0>(
static_cast<uint16_t
>(context_size)));
652 salt.push_back(
get_byte<1>(
static_cast<uint16_t
>(context_size)));
658 throw Invalid_State(
"Channel_Impl_12::key_material_export connection not active");
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_ASSERT_NONNULL(ptr)
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
#define BOTAN_ASSERT(expr, assertion_made)
std::vector< uint8_t > serialize() const
virtual void tls_session_activated()
virtual void tls_record_received(uint64_t seq_no, std::span< const uint8_t > data)=0
virtual void tls_alert(Alert alert)=0
virtual bool tls_peer_closed_connection()
virtual void tls_emit_data(std::span< const uint8_t > data)=0
RandomNumberGenerator & rng()
virtual std::vector< X509_Certificate > get_peer_cert_chain(const Handshake_State &state) const =0
bool is_closed() const override
void change_cipher_spec_reader(Connection_Side side)
void update_traffic_keys(bool request_peer_update=false) override
Handshake_State & create_handshake_state(Protocol_Version version)
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
~Channel_Impl_12() override
bool is_handshake_complete() const override
Callbacks & callbacks() const
size_t from_peer(std::span< const uint8_t > data) override
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
bool timeout_check() override
bool is_active() const override
Session_Manager & session_manager()
const Policy & policy() const
void send_alert(const Alert &alert) override
virtual void initiate_handshake(Handshake_State &state, bool force_full_renegotiation)=0
std::vector< X509_Certificate > peer_cert_chain() const override
void to_peer(std::span< const uint8_t > data) override
void change_cipher_spec_writer(Connection_Side side)
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
virtual std::unique_ptr< Handshake_State > new_handshake_state(std::unique_ptr< class Handshake_IO > io)=0
Channel_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< RandomNumberGenerator > &rng, const std::shared_ptr< const Policy > &policy, bool is_server, bool is_datagram, size_t io_buf_sz=TLS::Channel::IO_BUF_DEFAULT_SIZE)
SymmetricKey key_material_export(std::string_view label, std::string_view context, size_t length) const override
std::optional< std::string > external_psk_identity() const override
void reset_active_association_state()
virtual void process_handshake_msg(const Handshake_State *active_state, Handshake_State &pending_state, Handshake_Type type, const std::vector< uint8_t > &contents, bool epoch0_restart)=0
bool secure_renegotiation_supported() const override
void renegotiate(bool force_full_renegotiation=false) override
void send_warning_alert(Alert::Type type)
void send_fatal_alert(Alert::Type type)
std::vector< uint8_t > renegotiation_info() const
bool secure_renegotiation() const
virtual void read_accept(uint64_t seq)=0
virtual size_t dtls_maximum_timeout() const
virtual size_t dtls_default_mtu() const
virtual bool allow_dtls_epoch0_restart() const
virtual size_t dtls_initial_timeout() const
virtual bool allow_resumption_for_renegotiation() const
std::string to_string() const
uint8_t major_version() const
bool is_datagram_protocol() const
std::vector< uint8_t > renegotiation_info() const
bool secure_renegotiation() const
Helper class to embody a session handle in all protocol versions.
virtual size_t remove(const Session_Handle &handle)=0
Record_Header read_record(bool is_datagram, secure_vector< uint8_t > &readbuf, const uint8_t input[], size_t input_len, size_t &consumed, secure_vector< uint8_t > &recbuf, Connection_Sequence_Numbers *sequence_numbers, const get_cipherstate_fn &get_cipherstate, bool allow_epoch0_restart)
void write_unencrypted_record(secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len)
void write_record(secure_vector< uint8_t > &output, Record_Type record_type, Protocol_Version version, uint64_t record_sequence, const uint8_t *message, size_t message_len, Connection_Cipher_State &cs, RandomNumberGenerator &rng)
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
constexpr uint8_t get_byte(T input)
void map_remove_if(Pred pred, T &assoc)
std::span< const uint8_t > as_span_of_bytes(const char *s, size_t len)
std::vector< T, secure_allocator< T > > secure_vector