10#include <botan/tls_client.h>
11#include <botan/tls_messages.h>
12#include <botan/internal/tls_handshake_state.h>
13#include <botan/internal/stl_util.h>
23class Client_Handshake_State
final :
public Handshake_State
26 Client_Handshake_State(Handshake_IO* io, Callbacks& cb) :
27 Handshake_State(io, cb),
31 const Public_Key& get_server_public_key()
const
39 bool is_a_renegotiation()
const {
return m_is_reneg; }
41 const secure_vector<uint8_t>& resume_master_secret()
const
47 const std::vector<X509_Certificate>& resume_peer_certs()
const
71 const std::vector<std::string>& next_protos,
73 Channel(callbacks, session_manager, rng, policy,
74 false, offer_version.is_datagram_protocol(), io_buf_sz),
78 init(offer_version, next_protos);
91 const std::vector<std::string>& next_protos,
94 session_manager, rng, policy, false, offer_version.is_datagram_protocol(), io_buf_sz),
98 init(offer_version, next_protos);
112 const std::vector<std::string>& next_protos) :
113 Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, hs_msg_cb,
114 session_manager, rng, policy, false, offer_version.is_datagram_protocol()),
118 init(offer_version, next_protos);
122 const std::vector<std::string>& next_protocols)
127 send_client_hello(state,
false, protocol_version,
128 srp_identifier, next_protocols);
131Handshake_State* Client::new_handshake_state(Handshake_IO* io)
133 return new Client_Handshake_State(io,
callbacks());
136std::vector<X509_Certificate>
137Client::get_peer_cert_chain(
const Handshake_State& state)
const
139 const Client_Handshake_State& cstate =
dynamic_cast<const Client_Handshake_State&
>(state);
141 if(cstate.is_a_resumption())
142 return cstate.resume_peer_certs();
144 if(state.server_certs())
145 return state.server_certs()->cert_chain();
146 return std::vector<X509_Certificate>();
152void Client::initiate_handshake(Handshake_State& state,
153 bool force_full_renegotiation)
155 send_client_hello(state, force_full_renegotiation,
156 policy().latest_supported_version(state.version().is_datagram_protocol()));
159void Client::send_client_hello(Handshake_State& state_base,
160 bool force_full_renegotiation,
161 Protocol_Version version,
162 const std::string& srp_identifier,
163 const std::vector<std::string>& next_protocols)
165 Client_Handshake_State& state =
dynamic_cast<Client_Handshake_State&
>(state_base);
167 if(state.version().is_datagram_protocol())
171 if(!force_full_renegotiation && !m_info.
empty())
173 std::unique_ptr<Session> session_info(
new Session);;
180 const bool exact_version = session_info->version() == version;
181 const bool ok_version =
182 (session_info->version().is_datagram_protocol() == version.is_datagram_protocol()) &&
187 if(
policy().acceptable_ciphersuite(session_info->ciphersuite()) && session_version_ok)
189 if(srp_identifier ==
"" || session_info->srp_identifier() == srp_identifier)
192 new Client_Hello(state.handshake_io(),
201 state.resumed_session = std::move(session_info);
207 if(!state.client_hello())
209 Client_Hello::Settings client_settings(version, m_info.
hostname(), srp_identifier);
210 state.client_hello(
new Client_Hello(
211 state.handshake_io(),
227 const Ciphersuite& suite)
247void Client::process_handshake_msg(
const Handshake_State* active_state,
248 Handshake_State& state_base,
250 const std::vector<uint8_t>& contents,
255 Client_Handshake_State& state =
dynamic_cast<Client_Handshake_State&
>(state_base);
259 Hello_Request hello_request(contents);
261 if(state.client_hello())
266 if(
policy().allow_server_initiated_renegotiation())
270 state.m_is_reneg =
true;
271 this->initiate_handshake(state,
true);
280 if(
policy().abort_connection_on_undesired_renegotiation())
294 state.confirm_transition_to(
type);
297 state.hash().update(state.handshake_io().format(contents,
type));
304 Hello_Verify_Request hello_verify_request(contents);
305 state.hello_verify_request(hello_verify_request);
309 state.server_hello(
new Server_Hello(contents));
311 if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
314 "Server replied with ciphersuite we didn't send");
320 "Server replied using a ciphersuite not allowed in version it offered");
326 "Server replied with a signaling ciphersuite");
329 if(state.server_hello()->compression_method() != 0)
332 "Server replied with non-null compression method");
335 if(state.client_hello()->version() > state.server_hello()->version())
337 if(state.server_hello()->random_signals_downgrade())
341 auto client_extn = state.client_hello()->extension_types();
342 auto server_extn = state.server_hello()->extension_types();
344 std::vector<Handshake_Extension_Type> diff;
346 std::set_difference(server_extn.begin(), server_extn.end(),
347 client_extn.begin(), client_extn.end(),
348 std::back_inserter(diff));
354 std::ostringstream msg;
355 msg <<
"Server replied with unsupported extensions:";
357 msg <<
" " <<
static_cast<int>(d);
361 if(uint16_t srtp = state.server_hello()->srtp_profile())
363 if(!
value_exists(state.client_hello()->srtp_profiles(), srtp))
365 "Server replied with DTLS-SRTP alg we did not send");
370 state.set_version(state.server_hello()->version());
371 m_application_protocol = state.server_hello()->next_protocol();
375 const bool server_returned_same_session_id =
376 !state.server_hello()->session_id().empty() &&
377 (state.server_hello()->session_id() == state.client_hello()->session_id());
379 if(server_returned_same_session_id)
387 if(state.server_hello()->version() != state.client_hello()->version())
389 "Server resumed session but with wrong version");
391 if(state.server_hello()->supports_extended_master_secret() &&
392 !state.resumed_session->supports_extended_master_secret())
395 "Server resumed session but added extended master secret");
398 if(!state.server_hello()->supports_extended_master_secret() &&
399 state.resumed_session->supports_extended_master_secret())
402 "Server resumed session and removed extended master secret");
405 state.compute_session_keys(state.resume_master_secret());
407 if(state.server_hello()->supports_session_ticket())
426 if(active_state->version() != state.server_hello()->version())
428 "Server changed version after renegotiation");
430 if(state.server_hello()->supports_extended_master_secret() !=
431 active_state->server_hello()->supports_extended_master_secret())
434 "Server changed its mind about extended master secret");
438 state.resumed_session.reset();
440 if(state.client_hello()->version().is_datagram_protocol() !=
441 state.server_hello()->version().is_datagram_protocol())
444 "Server replied with different protocol type than we offered");
447 if(state.version() > state.client_hello()->version())
450 "Server replied with later version than client offered");
453 if(state.version().major_version() == 3 && state.version().minor_version() == 0)
456 "Server attempting to negotiate SSLv3 which is not supported");
459 if(!
policy().acceptable_protocol_version(state.version()))
462 "Server version " + state.version().to_string() +
463 " is unacceptable by policy");
466 if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() ==
Kex_Algo::STATIC_RSA)
498 const std::vector<X509_Certificate>& server_certs =
499 state.server_certs()->cert_chain();
501 if(server_certs.empty())
503 "Client: No certificates sent by server");
511 X509_Certificate server_cert = server_certs[0];
513 if(active_state && active_state->server_certs())
515 X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
517 if(current_cert != server_cert)
521 std::unique_ptr<Public_Key> peer_key(server_cert.subject_public_key());
523 const std::string expected_key_type =
524 state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() :
"RSA";
526 if(peer_key->algo_name() != expected_key_type)
528 "Certificate key type did not match ciphersuite");
530 if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite()))
532 "Certificate usage constraints do not allow this ciphersuite");
534 state.server_public_key.reset(peer_key.release());
546 if(state.server_hello()->supports_certificate_status_message())
563 catch(TLS_Exception&)
567 catch(std::exception& e)
575 state.server_cert_status(
new Certificate_Status(contents));
589 if(state.ciphersuite().psk_ciphersuite() ==
false)
594 new Server_Key_Exchange(contents,
595 state.ciphersuite().kex_method(),
596 state.ciphersuite().auth_method(),
600 if(state.ciphersuite().signature_used())
602 const Public_Key& server_key = state.get_server_public_key();
604 if(!state.server_kex()->verify(server_key, state,
policy()))
607 "Bad signature on server key exchange");
614 state.cert_req(
new Certificate_Req(contents, state.version()));
618 state.server_hello_done(
new Server_Hello_Done(contents));
620 if(state.server_certs() !=
nullptr &&
621 state.server_hello()->supports_certificate_status_message())
627 std::vector<std::shared_ptr<const OCSP::Response>> ocsp;
628 if(state.server_cert_status() !=
nullptr)
631 ocsp.push_back(std::make_shared<OCSP::Response>(state.server_cert_status()->response()));
633 catch(Decoding_Error&)
646 catch(TLS_Exception&)
650 catch(std::exception& e)
658 const auto& types = state.cert_req()->acceptable_cert_types();
660 std::vector<X509_Certificate> client_certs =
662 state.cert_req()->acceptable_CAs(),
666 state.client_certs(
new Certificate(state.handshake_io(),
672 new Client_Key_Exchange(state.handshake_io(),
676 state.server_public_key.get(),
681 state.compute_session_keys();
684 !state.client_certs()->empty())
686 Private_Key* private_key =
692 new Certificate_Verify(state.handshake_io(),
700 state.handshake_io().send(Change_Cipher_Spec());
704 state.client_finished(
new Finished(state.handshake_io(), state,
CLIENT));
706 if(state.server_hello()->supports_session_ticket())
713 state.new_session_ticket(
new New_Session_Ticket(contents));
725 state.server_finished(
new Finished(contents));
727 if(!state.server_finished()->verify(state,
SERVER))
729 "Finished message didn't verify");
731 state.hash().update(state.handshake_io().format(contents,
type));
733 if(!state.client_finished())
735 state.handshake_io().send(Change_Cipher_Spec());
737 state.client_finished(
new Finished(state.handshake_io(), state,
CLIENT));
740 std::vector<uint8_t> session_id = state.server_hello()->session_id();
742 const std::vector<uint8_t>& session_ticket = state.session_ticket();
744 if(session_id.empty() && !session_ticket.empty())
747 Session session_info(
749 state.session_keys().master_secret(),
750 state.server_hello()->version(),
751 state.server_hello()->ciphersuite(),
753 state.server_hello()->supports_extended_master_secret(),
754 state.server_hello()->supports_encrypt_then_mac(),
755 get_peer_cert_chain(state),
759 state.server_hello()->srtp_profile()
764 if(session_id.size() > 0 && state.is_a_resumption() ==
false)
775 throw Unexpected_Message(
"Unknown handshake message received");
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_ASSERT(expr, assertion_made)
virtual Private_Key * private_key_for(const X509_Certificate &cert, const std::string &type, const std::string &context)
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
virtual std::vector< X509_Certificate > find_cert_chain(const std::vector< std::string > &cert_key_types, const std::vector< X509_DN > &acceptable_CAs, const std::string &type, const std::string &context)
virtual std::string srp_identifier(const std::string &type, const std::string &context)
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
bool secure_renegotiation_supported() const
Handshake_State & create_handshake_state(Protocol_Version version)
void send_warning_alert(Alert::Type type)
Callbacks & callbacks() const
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
bool save_session(const Session &session)
std::function< bool(const Session &)> handshake_cb
void change_cipher_spec_writer(Connection_Side side)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Session_Manager & session_manager()
std::function< void(const Handshake_Message &)> handshake_msg_cb
const Policy & policy() const
RandomNumberGenerator & rng()
void change_cipher_spec_reader(Connection_Side side)
std::function< void(const uint8_t[], size_t)> output_fn
void secure_renegotiation_check(const Client_Hello *client_hello)
std::function< void(const uint8_t[], size_t)> data_cb
static Ciphersuite by_id(uint16_t suite)
bool usable_in_version(Protocol_Version version) const
static bool is_scsv(uint16_t suite)
Client(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, const Server_Information &server_info=Server_Information(), const Protocol_Version &offer_version=Protocol_Version::latest_tls_version(), const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Client::IO_BUF_DEFAULT_SIZE)
virtual bool only_resume_with_exact_version() const
virtual bool acceptable_protocol_version(Protocol_Version version) const
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
virtual void save(const Session &session)=0
int(* final)(unsigned char *, CTX *)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
bool value_exists(const std::vector< T > &vec, const T &val)
std::unique_ptr< Session > resumed_session
std::unique_ptr< Public_Key > server_public_key