Botan  2.4.0
Crypto and TLS for C++11
tls_client.cpp
Go to the documentation of this file.
1 /*
2 * TLS Client
3 * (C) 2004-2011,2012,2015,2016 Jack Lloyd
4 * 2016 Matthias Gierlings
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_client.h>
11 #include <botan/tls_messages.h>
12 #include <botan/internal/tls_handshake_state.h>
13 #include <botan/internal/stl_util.h>
14 #include <iterator>
15 #include <sstream>
16 
17 namespace Botan {
18 
19 namespace TLS {
20 
21 namespace {
22 
23 class Client_Handshake_State final : public Handshake_State
24  {
25  public:
26  // using Handshake_State::Handshake_State;
27 
28  Client_Handshake_State(Handshake_IO* io, Callbacks& cb) : Handshake_State(io, cb) {}
29 
30  const Public_Key& get_server_public_key() const
31  {
32  BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
33  return *server_public_key.get();
34  }
35 
36  bool is_a_resumption() const { return (resume_master_secret.empty() == false); }
37 
38  std::unique_ptr<Public_Key> server_public_key;
39 
40  // Used during session resumption
41  secure_vector<uint8_t> resume_master_secret;
42  std::vector<X509_Certificate> resume_peer_certs;
43  };
44 
45 }
46 
47 /*
48 * TLS Client Constructor
49 */
51  Session_Manager& session_manager,
52  Credentials_Manager& creds,
53  const Policy& policy,
55  const Server_Information& info,
56  const Protocol_Version& offer_version,
57  const std::vector<std::string>& next_protos,
58  size_t io_buf_sz) :
59  Channel(callbacks, session_manager, rng, policy, offer_version.is_datagram_protocol(),
60  io_buf_sz),
61  m_creds(creds),
62  m_info(info)
63  {
64  init(offer_version, next_protos);
65  }
66 
68  data_cb proc_cb,
72  Credentials_Manager& creds,
73  const Policy& policy,
75  const Server_Information& info,
76  const Protocol_Version& offer_version,
77  const std::vector<std::string>& next_protos,
78  size_t io_buf_sz) :
79  Channel(output_fn, proc_cb, alert_cb, handshake_cb, Channel::handshake_msg_cb(),
80  session_manager, rng, policy, offer_version.is_datagram_protocol(), io_buf_sz),
81  m_creds(creds),
82  m_info(info)
83  {
84  init(offer_version, next_protos);
85  }
86 
88  data_cb proc_cb,
91  handshake_msg_cb hs_msg_cb,
93  Credentials_Manager& creds,
94  const Policy& policy,
96  const Server_Information& info,
97  const Protocol_Version& offer_version,
98  const std::vector<std::string>& next_protos) :
99  Channel(output_fn, proc_cb, alert_cb, handshake_cb, hs_msg_cb,
100  session_manager, rng, policy, offer_version.is_datagram_protocol()),
101  m_creds(creds),
102  m_info(info)
103  {
104  init(offer_version, next_protos);
105  }
106 
107 void Client::init(const Protocol_Version& protocol_version,
108  const std::vector<std::string>& next_protocols)
109  {
110  const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname());
111 
112  Handshake_State& state = create_handshake_state(protocol_version);
113  send_client_hello(state, false, protocol_version,
114  srp_identifier, next_protocols);
115  }
116 
117 Handshake_State* Client::new_handshake_state(Handshake_IO* io)
118  {
119  return new Client_Handshake_State(io, callbacks());
120  }
121 
122 std::vector<X509_Certificate>
123 Client::get_peer_cert_chain(const Handshake_State& state) const
124  {
125  const Client_Handshake_State& cstate = dynamic_cast<const Client_Handshake_State&>(state);
126  if(cstate.resume_peer_certs.size() > 0)
127  return cstate.resume_peer_certs;
128 
129  if(state.server_certs())
130  return state.server_certs()->cert_chain();
131  return std::vector<X509_Certificate>();
132  }
133 
134 /*
135 * Send a new client hello to renegotiate
136 */
137 void Client::initiate_handshake(Handshake_State& state,
138  bool force_full_renegotiation)
139  {
140  send_client_hello(state, force_full_renegotiation, state.version());
141  }
142 
143 void Client::send_client_hello(Handshake_State& state_base,
144  bool force_full_renegotiation,
145  Protocol_Version version,
146  const std::string& srp_identifier,
147  const std::vector<std::string>& next_protocols)
148  {
149  Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
150 
151  if(state.version().is_datagram_protocol())
152  state.set_expected_next(HELLO_VERIFY_REQUEST); // optional
153  state.set_expected_next(SERVER_HELLO);
154 
155  if(!force_full_renegotiation && !m_info.empty())
156  {
157  Session session_info;
158  if(session_manager().load_from_server_info(m_info, session_info))
159  {
160  /*
161  Ensure that the session protocol type matches what we want to use
162  If not skip the resume and establish a new session
163  */
164  if(version == session_info.version())
165  {
166  if(srp_identifier == "" || session_info.srp_identifier() == srp_identifier)
167  {
168  state.client_hello(
169  new Client_Hello(state.handshake_io(),
170  state.hash(),
171  policy(),
172  rng(),
174  session_info,
175  next_protocols));
176 
177  state.resume_master_secret = session_info.master_secret();
178  state.resume_peer_certs = session_info.peer_certs();
179  }
180  }
181  }
182  }
183 
184  if(!state.client_hello()) // not resuming
185  {
186  Client_Hello::Settings client_settings(version, m_info.hostname(), srp_identifier);
187  state.client_hello(new Client_Hello(
188  state.handshake_io(),
189  state.hash(),
190  policy(),
191  rng(),
193  client_settings,
194  next_protocols));
195  }
196 
197  secure_renegotiation_check(state.client_hello());
198  }
199 
200 /*
201 * Process a handshake message
202 */
203 void Client::process_handshake_msg(const Handshake_State* active_state,
204  Handshake_State& state_base,
206  const std::vector<uint8_t>& contents)
207  {
208  Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
209 
210  if(type == HELLO_REQUEST && active_state)
211  {
212  Hello_Request hello_request(contents);
213 
214  // Ignore request entirely if we are currently negotiating a handshake
215  if(state.client_hello())
216  return;
217 
219  {
222  else
223  this->initiate_handshake(state, false);
224  }
225  else
226  {
227  // RFC 5746 section 4.2
229  }
230 
231  return;
232  }
233 
234  state.confirm_transition_to(type);
235 
236  if(type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST)
237  state.hash().update(state.handshake_io().format(contents, type));
238 
239  if(type == HELLO_VERIFY_REQUEST)
240  {
241  state.set_expected_next(SERVER_HELLO);
242  state.set_expected_next(HELLO_VERIFY_REQUEST); // might get it again
243 
244  Hello_Verify_Request hello_verify_request(contents);
245 
246  state.hello_verify_request(hello_verify_request);
247  }
248  else if(type == SERVER_HELLO)
249  {
250  state.server_hello(new Server_Hello(contents));
251 
252  if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
253  {
255  "Server replied with ciphersuite we didn't send");
256  }
257 
258  if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
259  {
261  "Server replied with a signaling ciphersuite");
262  }
263 
264  if(!value_exists(state.client_hello()->compression_methods(),
265  state.server_hello()->compression_method()))
266  {
268  "Server replied with compression method we didn't send");
269  }
270 
271  auto client_extn = state.client_hello()->extension_types();
272  auto server_extn = state.server_hello()->extension_types();
273 
274  std::vector<Handshake_Extension_Type> diff;
275 
276  std::set_difference(server_extn.begin(), server_extn.end(),
277  client_extn.begin(), client_extn.end(),
278  std::back_inserter(diff));
279 
280  if(!diff.empty())
281  {
282  // Server sent us back an extension we did not send!
283 
284  std::ostringstream msg;
285  msg << "Server replied with " << diff.size() << " unsupported extensions:";
286  for(auto&& d : diff)
287  msg << " " << static_cast<int>(d);
288  throw TLS_Exception(Alert::HANDSHAKE_FAILURE, msg.str());
289  }
290 
291  if(uint16_t srtp = state.server_hello()->srtp_profile())
292  {
293  if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
295  "Server replied with DTLS-SRTP alg we did not send");
296  }
297 
298  state.set_version(state.server_hello()->version());
299  m_application_protocol = state.server_hello()->next_protocol();
300 
301  secure_renegotiation_check(state.server_hello());
302 
303  const bool server_returned_same_session_id =
304  !state.server_hello()->session_id().empty() &&
305  (state.server_hello()->session_id() == state.client_hello()->session_id());
306 
307  if(server_returned_same_session_id)
308  {
309  // successful resumption
310 
311  /*
312  * In this case, we offered the version used in the original
313  * session, and the server must resume with the same version.
314  */
315  if(state.server_hello()->version() != state.client_hello()->version())
317  "Server resumed session but with wrong version");
318 
319  state.compute_session_keys(state.resume_master_secret);
320 
321  if(state.server_hello()->supports_session_ticket())
322  state.set_expected_next(NEW_SESSION_TICKET);
323  else
324  {
325  state.set_expected_next(HANDSHAKE_CCS);
326  }
327  }
328  else
329  {
330  // new session
331 
332  state.resume_master_secret.clear();
333  state.resume_peer_certs.clear();
334 
335  if(state.client_hello()->version().is_datagram_protocol() !=
336  state.server_hello()->version().is_datagram_protocol())
337  {
339  "Server replied with different protocol type than we offered");
340  }
341 
342  if(state.version() > state.client_hello()->version())
343  {
345  "Server replied with later version than client offered");
346  }
347 
348  if(state.version().major_version() == 3 && state.version().minor_version() == 0)
349  {
351  "Server attempting to negotiate SSLv3 which is not supported");
352  }
353 
354  if(!policy().acceptable_protocol_version(state.version()))
355  {
357  "Server version " + state.version().to_string() +
358  " is unacceptable by policy");
359  }
360 
361  if(state.ciphersuite().sig_algo() != "")
362  {
363  state.set_expected_next(CERTIFICATE);
364  }
365  else if(state.ciphersuite().kex_algo() == "PSK")
366  {
367  /* PSK is anonymous so no certificate/cert req message is
368  ever sent. The server may or may not send a server kex,
369  depending on if it has an identity hint for us.
370 
371  (EC)DHE_PSK always sends a server key exchange for the
372  DH exchange portion.
373  */
374 
375  state.set_expected_next(SERVER_KEX);
376  state.set_expected_next(SERVER_HELLO_DONE);
377  }
378  else if(state.ciphersuite().kex_algo() != "RSA")
379  {
380  state.set_expected_next(SERVER_KEX);
381  }
382  else
383  {
384  state.set_expected_next(CERTIFICATE_REQUEST); // optional
385  state.set_expected_next(SERVER_HELLO_DONE);
386  }
387  }
388  }
389  else if(type == CERTIFICATE)
390  {
391  state.server_certs(new Certificate(contents, policy()));
392 
393  const std::vector<X509_Certificate>& server_certs =
394  state.server_certs()->cert_chain();
395 
396  if(server_certs.empty())
398  "Client: No certificates sent by server");
399 
400  /*
401  If the server supports certificate status messages,
402  certificate verification happens after we receive the server hello done,
403  in case an OCSP response was also available
404  */
405 
406  std::unique_ptr<Public_Key> peer_key(server_certs[0].subject_public_key());
407 
408  if(peer_key->algo_name() != state.ciphersuite().sig_algo())
410  "Certificate key type did not match ciphersuite");
411 
412  state.server_public_key.reset(peer_key.release());
413 
414  if(state.ciphersuite().kex_algo() != "RSA")
415  {
416  state.set_expected_next(SERVER_KEX);
417  }
418  else
419  {
420  state.set_expected_next(CERTIFICATE_REQUEST); // optional
421  state.set_expected_next(SERVER_HELLO_DONE);
422  }
423 
424  if(state.server_hello()->supports_certificate_status_message())
425  {
426  state.set_expected_next(CERTIFICATE_STATUS); // optional
427  }
428  else
429  {
430  try
431  {
432  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
433 
434  callbacks().tls_verify_cert_chain(server_certs,
435  {},
436  trusted_CAs,
438  m_info.hostname(),
439  policy());
440  }
441  catch(std::exception& e)
442  {
443  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
444  }
445  }
446  }
447  else if(type == CERTIFICATE_STATUS)
448  {
449  state.server_cert_status(new Certificate_Status(contents));
450 
451  if(state.ciphersuite().kex_algo() != "RSA")
452  {
453  state.set_expected_next(SERVER_KEX);
454  }
455  else
456  {
457  state.set_expected_next(CERTIFICATE_REQUEST); // optional
458  state.set_expected_next(SERVER_HELLO_DONE);
459  }
460  }
461  else if(type == SERVER_KEX)
462  {
463  state.set_expected_next(CERTIFICATE_REQUEST); // optional
464  state.set_expected_next(SERVER_HELLO_DONE);
465 
466  state.server_kex(
467  new Server_Key_Exchange(contents,
468  state.ciphersuite().kex_algo(),
469  state.ciphersuite().sig_algo(),
470  state.version())
471  );
472 
473  if(state.ciphersuite().sig_algo() != "")
474  {
475  const Public_Key& server_key = state.get_server_public_key();
476 
477  if(!state.server_kex()->verify(server_key, state, policy()))
478  {
480  "Bad signature on server key exchange");
481  }
482  }
483  }
484  else if(type == CERTIFICATE_REQUEST)
485  {
486  state.set_expected_next(SERVER_HELLO_DONE);
487  state.cert_req(new Certificate_Req(contents, state.version()));
488  }
489  else if(type == SERVER_HELLO_DONE)
490  {
491  state.server_hello_done(new Server_Hello_Done(contents));
492 
493  if(state.server_certs() != nullptr &&
494  state.server_hello()->supports_certificate_status_message())
495  {
496  try
497  {
498  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
499 
500  std::vector<std::shared_ptr<const OCSP::Response>> ocsp;
501  if(state.server_cert_status() != nullptr)
502  ocsp.push_back(state.server_cert_status()->response());
503 
504  callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
505  ocsp,
506  trusted_CAs,
508  m_info.hostname(),
509  policy());
510  }
511  catch(std::exception& e)
512  {
513  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
514  }
515  }
516 
517  if(state.received_handshake_msg(CERTIFICATE_REQUEST))
518  {
519  const auto& types = state.cert_req()->acceptable_cert_types();
520 
521  std::vector<X509_Certificate> client_certs =
522  m_creds.cert_chain(types,
523  "tls-client",
524  m_info.hostname());
525 
526  state.client_certs(new Certificate(state.handshake_io(),
527  state.hash(),
528  client_certs));
529  }
530 
531  state.client_kex(
532  new Client_Key_Exchange(state.handshake_io(),
533  state,
534  policy(),
535  m_creds,
536  state.server_public_key.get(),
537  m_info.hostname(),
538  rng())
539  );
540 
541  state.compute_session_keys();
542 
543  if(state.received_handshake_msg(CERTIFICATE_REQUEST) &&
544  !state.client_certs()->empty())
545  {
546  Private_Key* private_key =
547  m_creds.private_key_for(state.client_certs()->cert_chain()[0],
548  "tls-client",
549  m_info.hostname());
550 
551  state.client_verify(
552  new Certificate_Verify(state.handshake_io(),
553  state,
554  policy(),
555  rng(),
556  private_key)
557  );
558  }
559 
560  state.handshake_io().send(Change_Cipher_Spec());
561 
563 
564  state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
565 
566  if(state.server_hello()->supports_session_ticket())
567  state.set_expected_next(NEW_SESSION_TICKET);
568  else
569  state.set_expected_next(HANDSHAKE_CCS);
570  }
571  else if(type == NEW_SESSION_TICKET)
572  {
573  state.new_session_ticket(new New_Session_Ticket(contents));
574 
575  state.set_expected_next(HANDSHAKE_CCS);
576  }
577  else if(type == HANDSHAKE_CCS)
578  {
579  state.set_expected_next(FINISHED);
580 
582  }
583  else if(type == FINISHED)
584  {
585  state.server_finished(new Finished(contents));
586 
587  if(!state.server_finished()->verify(state, SERVER))
589  "Finished message didn't verify");
590 
591  state.hash().update(state.handshake_io().format(contents, type));
592 
593  if(!state.client_finished()) // session resume case
594  {
595  state.handshake_io().send(Change_Cipher_Spec());
597  state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
598  }
599 
600  std::vector<uint8_t> session_id = state.server_hello()->session_id();
601 
602  const std::vector<uint8_t>& session_ticket = state.session_ticket();
603 
604  if(session_id.empty() && !session_ticket.empty())
605  session_id = make_hello_random(rng(), policy());
606 
607  Session session_info(
608  session_id,
609  state.session_keys().master_secret(),
610  state.server_hello()->version(),
611  state.server_hello()->ciphersuite(),
612  state.server_hello()->compression_method(),
613  CLIENT,
614  state.server_hello()->supports_extended_master_secret(),
615  state.server_hello()->supports_encrypt_then_mac(),
616  get_peer_cert_chain(state),
617  session_ticket,
618  m_info,
619  "",
620  state.server_hello()->srtp_profile()
621  );
622 
623  const bool should_save = save_session(session_info);
624 
625  if(session_id.size() > 0 && state.is_a_resumption() == false)
626  {
627  if(should_save)
628  session_manager().save(session_info);
629  else
630  session_manager().remove_entry(session_info.session_id());
631  }
632 
634  }
635  else
636  throw Unexpected_Message("Unknown handshake message received");
637  }
638 
639 }
640 
641 }
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:334
virtual std::string srp_identifier(const std::string &type, const std::string &context)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Definition: tls_channel.h:42
void change_cipher_spec_reader(Connection_Side side)
static bool is_scsv(uint16_t suite)
void change_cipher_spec_writer(Connection_Side side)
Client(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, const Server_Information &server_info=Server_Information(), const Protocol_Version &offer_version=Protocol_Version::latest_tls_version(), const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Client::IO_BUF_DEFAULT_SIZE)
Definition: tls_client.cpp:50
void send_warning_alert(Alert::Type type)
Definition: tls_channel.h:141
std::function< void(const uint8_t[], size_t)> output_fn
Definition: tls_channel.h:40
bool secure_renegotiation_supported() const
Handshake_State & create_handshake_state(Protocol_Version version)
RandomNumberGenerator & rng()
Definition: tls_channel.h:234
std::string hostname() const
MechanismType type
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:29
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:335
virtual std::vector< X509_Certificate > cert_chain(const std::vector< std::string > &cert_key_types, const std::string &type, const std::string &context)
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
std::function< bool(const Session &)> handshake_cb
Definition: tls_channel.h:43
bool save_session(const Session &session)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store *> &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
Definition: alg_id.cpp:13
std::vector< X509_Certificate > resume_peer_certs
Definition: tls_client.cpp:42
void secure_renegotiation_check(const Client_Hello *client_hello)
secure_vector< uint8_t > resume_master_secret
Definition: tls_client.cpp:41
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
std::function< void(const uint8_t[], size_t)> data_cb
Definition: tls_channel.h:41
std::unique_ptr< Public_Key > server_public_key
Definition: tls_client.cpp:38
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
const secure_vector< uint8_t > & master_secret() const
Definition: tls_session.h:151
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Callbacks & callbacks() const
Definition: tls_channel.h:242
void server_certs(Certificate *server_certs)
const Policy & policy() const
Definition: tls_channel.h:238
const std::vector< X509_Certificate > & peer_certs() const
Definition: tls_session.h:170
Protocol_Version version() const
virtual void save(const Session &session)=0
Protocol_Version version() const
Definition: tls_session.h:120
Session_Manager & session_manager()
Definition: tls_channel.h:236
std::function< void(const Handshake_Message &)> handshake_msg_cb
Definition: tls_channel.h:44
const std::string & srp_identifier() const
Definition: tls_session.h:146
virtual bool load_from_server_info(const Server_Information &info, Session &session)=0