Botan  2.8.0
Crypto and TLS for C++11
tls_client.cpp
Go to the documentation of this file.
1 /*
2 * TLS Client
3 * (C) 2004-2011,2012,2015,2016 Jack Lloyd
4 * 2016 Matthias Gierlings
5 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6 *
7 * Botan is released under the Simplified BSD License (see license.txt)
8 */
9 
10 #include <botan/tls_client.h>
11 #include <botan/tls_messages.h>
12 #include <botan/internal/tls_handshake_state.h>
13 #include <botan/internal/stl_util.h>
14 #include <iterator>
15 #include <sstream>
16 
17 namespace Botan {
18 
19 namespace TLS {
20 
21 namespace {
22 
23 class Client_Handshake_State final : public Handshake_State
24  {
25  public:
26  // using Handshake_State::Handshake_State;
27 
28  Client_Handshake_State(Handshake_IO* io, Callbacks& cb) : Handshake_State(io, cb) {}
29 
30  const Public_Key& get_server_public_key() const
31  {
32  BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
33  return *server_public_key.get();
34  }
35 
36  bool is_a_resumption() const { return (resume_master_secret.empty() == false); }
37 
38  std::unique_ptr<Public_Key> server_public_key;
39 
40  // Used during session resumption
41  secure_vector<uint8_t> resume_master_secret;
42  std::vector<X509_Certificate> resume_peer_certs;
43  };
44 
45 }
46 
47 /*
48 * TLS Client Constructor
49 */
51  Session_Manager& session_manager,
52  Credentials_Manager& creds,
53  const Policy& policy,
55  const Server_Information& info,
56  const Protocol_Version& offer_version,
57  const std::vector<std::string>& next_protos,
58  size_t io_buf_sz) :
59  Channel(callbacks, session_manager, rng, policy, offer_version.is_datagram_protocol(),
60  io_buf_sz),
61  m_creds(creds),
62  m_info(info)
63  {
64  init(offer_version, next_protos);
65  }
66 
67 Client::Client(output_fn data_output_fn,
68  data_cb proc_cb,
69  alert_cb recv_alert_cb,
70  handshake_cb hs_cb,
71  Session_Manager& session_manager,
72  Credentials_Manager& creds,
73  const Policy& policy,
75  const Server_Information& info,
76  const Protocol_Version& offer_version,
77  const std::vector<std::string>& next_protos,
78  size_t io_buf_sz) :
79  Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, Channel::handshake_msg_cb(),
80  session_manager, rng, policy, offer_version.is_datagram_protocol(), io_buf_sz),
81  m_creds(creds),
82  m_info(info)
83  {
84  init(offer_version, next_protos);
85  }
86 
87 Client::Client(output_fn data_output_fn,
88  data_cb proc_cb,
89  alert_cb recv_alert_cb,
90  handshake_cb hs_cb,
91  handshake_msg_cb hs_msg_cb,
92  Session_Manager& session_manager,
93  Credentials_Manager& creds,
94  const Policy& policy,
96  const Server_Information& info,
97  const Protocol_Version& offer_version,
98  const std::vector<std::string>& next_protos) :
99  Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, hs_msg_cb,
100  session_manager, rng, policy, offer_version.is_datagram_protocol()),
101  m_creds(creds),
102  m_info(info)
103  {
104  init(offer_version, next_protos);
105  }
106 
107 void Client::init(const Protocol_Version& protocol_version,
108  const std::vector<std::string>& next_protocols)
109  {
110  const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname());
111 
112  Handshake_State& state = create_handshake_state(protocol_version);
113  send_client_hello(state, false, protocol_version,
114  srp_identifier, next_protocols);
115  }
116 
117 Handshake_State* Client::new_handshake_state(Handshake_IO* io)
118  {
119  return new Client_Handshake_State(io, callbacks());
120  }
121 
122 std::vector<X509_Certificate>
123 Client::get_peer_cert_chain(const Handshake_State& state) const
124  {
125  const Client_Handshake_State& cstate = dynamic_cast<const Client_Handshake_State&>(state);
126  if(cstate.resume_peer_certs.size() > 0)
127  return cstate.resume_peer_certs;
128 
129  if(state.server_certs())
130  return state.server_certs()->cert_chain();
131  return std::vector<X509_Certificate>();
132  }
133 
134 /*
135 * Send a new client hello to renegotiate
136 */
137 void Client::initiate_handshake(Handshake_State& state,
138  bool force_full_renegotiation)
139  {
140  send_client_hello(state, force_full_renegotiation, state.version());
141  }
142 
143 void Client::send_client_hello(Handshake_State& state_base,
144  bool force_full_renegotiation,
145  Protocol_Version version,
146  const std::string& srp_identifier,
147  const std::vector<std::string>& next_protocols)
148  {
149  Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
150 
151  if(state.version().is_datagram_protocol())
152  state.set_expected_next(HELLO_VERIFY_REQUEST); // optional
153  state.set_expected_next(SERVER_HELLO);
154 
155  if(!force_full_renegotiation && !m_info.empty())
156  {
157  Session session_info;
158  if(session_manager().load_from_server_info(m_info, session_info))
159  {
160  /*
161  Ensure that the session protocol type matches what we want to use
162  If not skip the resume and establish a new session
163  */
164  if(version == session_info.version() && policy().acceptable_ciphersuite(session_info.ciphersuite()))
165  {
166  if(srp_identifier == "" || session_info.srp_identifier() == srp_identifier)
167  {
168  state.client_hello(
169  new Client_Hello(state.handshake_io(),
170  state.hash(),
171  policy(),
172  callbacks(),
173  rng(),
175  session_info,
176  next_protocols));
177 
178  state.resume_master_secret = session_info.master_secret();
179  state.resume_peer_certs = session_info.peer_certs();
180  }
181  }
182  }
183  }
184 
185  if(!state.client_hello()) // not resuming
186  {
187  Client_Hello::Settings client_settings(version, m_info.hostname(), srp_identifier);
188  state.client_hello(new Client_Hello(
189  state.handshake_io(),
190  state.hash(),
191  policy(),
192  callbacks(),
193  rng(),
195  client_settings,
196  next_protocols));
197  }
198 
199  secure_renegotiation_check(state.client_hello());
200  }
201 
202 /*
203 * Process a handshake message
204 */
205 void Client::process_handshake_msg(const Handshake_State* active_state,
206  Handshake_State& state_base,
208  const std::vector<uint8_t>& contents)
209  {
210  Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
211 
212  if(type == HELLO_REQUEST && active_state)
213  {
214  Hello_Request hello_request(contents);
215 
216  // Ignore request entirely if we are currently negotiating a handshake
217  if(state.client_hello())
218  return;
219 
221  {
224  else
225  this->initiate_handshake(state, false);
226  }
227  else
228  {
229  // RFC 5746 section 4.2
231  }
232 
233  return;
234  }
235 
236  state.confirm_transition_to(type);
237 
239  state.hash().update(state.handshake_io().format(contents, type));
240 
242  {
243  state.set_expected_next(SERVER_HELLO);
244  state.set_expected_next(HELLO_VERIFY_REQUEST); // might get it again
245 
246  Hello_Verify_Request hello_verify_request(contents);
247 
248  state.hello_verify_request(hello_verify_request);
249  }
250  else if(type == SERVER_HELLO)
251  {
252  state.server_hello(new Server_Hello(contents));
253 
254  if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
255  {
256  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
257  "Server replied with ciphersuite we didn't send");
258  }
259 
260  if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
261  {
262  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
263  "Server replied with a signaling ciphersuite");
264  }
265 
266  if(state.server_hello()->compression_method() != 0)
267  {
268  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
269  "Server replied with non-null compression method");
270  }
271 
272  auto client_extn = state.client_hello()->extension_types();
273  auto server_extn = state.server_hello()->extension_types();
274 
275  std::vector<Handshake_Extension_Type> diff;
276 
277  std::set_difference(server_extn.begin(), server_extn.end(),
278  client_extn.begin(), client_extn.end(),
279  std::back_inserter(diff));
280 
281  if(!diff.empty())
282  {
283  // Server sent us back an extension we did not send!
284 
285  std::ostringstream msg;
286  msg << "Server replied with " << diff.size() << " unsupported extensions:";
287  for(auto&& d : diff)
288  msg << " " << static_cast<int>(d);
289  throw TLS_Exception(Alert::HANDSHAKE_FAILURE, msg.str());
290  }
291 
292  if(uint16_t srtp = state.server_hello()->srtp_profile())
293  {
294  if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
295  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
296  "Server replied with DTLS-SRTP alg we did not send");
297  }
298 
299  callbacks().tls_examine_extensions(state.server_hello()->extensions(), SERVER);
300 
301  state.set_version(state.server_hello()->version());
302  m_application_protocol = state.server_hello()->next_protocol();
303 
304  secure_renegotiation_check(state.server_hello());
305 
306  const bool server_returned_same_session_id =
307  !state.server_hello()->session_id().empty() &&
308  (state.server_hello()->session_id() == state.client_hello()->session_id());
309 
310  if(server_returned_same_session_id)
311  {
312  // successful resumption
313 
314  /*
315  * In this case, we offered the version used in the original
316  * session, and the server must resume with the same version.
317  */
318  if(state.server_hello()->version() != state.client_hello()->version())
319  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
320  "Server resumed session but with wrong version");
321 
322  state.compute_session_keys(state.resume_master_secret);
323 
324  if(state.server_hello()->supports_session_ticket())
325  state.set_expected_next(NEW_SESSION_TICKET);
326  else
327  {
328  state.set_expected_next(HANDSHAKE_CCS);
329  }
330  }
331  else
332  {
333  // new session
334 
335  state.resume_master_secret.clear();
336  state.resume_peer_certs.clear();
337 
338  if(state.client_hello()->version().is_datagram_protocol() !=
339  state.server_hello()->version().is_datagram_protocol())
340  {
341  throw TLS_Exception(Alert::PROTOCOL_VERSION,
342  "Server replied with different protocol type than we offered");
343  }
344 
345  if(state.version() > state.client_hello()->version())
346  {
347  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
348  "Server replied with later version than client offered");
349  }
350 
351  if(state.version().major_version() == 3 && state.version().minor_version() == 0)
352  {
353  throw TLS_Exception(Alert::PROTOCOL_VERSION,
354  "Server attempting to negotiate SSLv3 which is not supported");
355  }
356 
357  if(!policy().acceptable_protocol_version(state.version()))
358  {
359  throw TLS_Exception(Alert::PROTOCOL_VERSION,
360  "Server version " + state.version().to_string() +
361  " is unacceptable by policy");
362  }
363 
364  if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
365  {
366  state.set_expected_next(CERTIFICATE);
367  }
368  else if(state.ciphersuite().kex_method() == Kex_Algo::PSK)
369  {
370  /* PSK is anonymous so no certificate/cert req message is
371  ever sent. The server may or may not send a server kex,
372  depending on if it has an identity hint for us.
373 
374  (EC)DHE_PSK always sends a server key exchange for the
375  DH exchange portion.
376  */
377 
378  state.set_expected_next(SERVER_KEX);
379  state.set_expected_next(SERVER_HELLO_DONE);
380  }
381  else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
382  {
383  state.set_expected_next(SERVER_KEX);
384  }
385  else
386  {
387  state.set_expected_next(CERTIFICATE_REQUEST); // optional
388  state.set_expected_next(SERVER_HELLO_DONE);
389  }
390  }
391  }
392  else if(type == CERTIFICATE)
393  {
394  state.server_certs(new Certificate(contents, policy()));
395 
396  const std::vector<X509_Certificate>& server_certs =
397  state.server_certs()->cert_chain();
398 
399  if(server_certs.empty())
400  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
401  "Client: No certificates sent by server");
402 
403  /*
404  If the server supports certificate status messages,
405  certificate verification happens after we receive the server hello done,
406  in case an OCSP response was also available
407  */
408 
409  std::unique_ptr<Public_Key> peer_key(server_certs[0].subject_public_key());
410 
411  const std::string expected_key_type =
412  state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
413 
414  if(peer_key->algo_name() != expected_key_type)
415  throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
416  "Certificate key type did not match ciphersuite");
417 
418  state.server_public_key.reset(peer_key.release());
419 
420  if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
421  {
422  state.set_expected_next(SERVER_KEX);
423  }
424  else
425  {
426  state.set_expected_next(CERTIFICATE_REQUEST); // optional
427  state.set_expected_next(SERVER_HELLO_DONE);
428  }
429 
430  if(state.server_hello()->supports_certificate_status_message())
431  {
432  state.set_expected_next(CERTIFICATE_STATUS); // optional
433  }
434  else
435  {
436  try
437  {
438  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
439 
440  callbacks().tls_verify_cert_chain(server_certs,
441  {},
442  trusted_CAs,
444  m_info.hostname(),
445  policy());
446  }
447  catch(std::exception& e)
448  {
449  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
450  }
451  }
452  }
453  else if(type == CERTIFICATE_STATUS)
454  {
455  state.server_cert_status(new Certificate_Status(contents));
456 
457  if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
458  {
459  state.set_expected_next(SERVER_KEX);
460  }
461  else
462  {
463  state.set_expected_next(CERTIFICATE_REQUEST); // optional
464  state.set_expected_next(SERVER_HELLO_DONE);
465  }
466  }
467  else if(type == SERVER_KEX)
468  {
469  state.set_expected_next(CERTIFICATE_REQUEST); // optional
470  state.set_expected_next(SERVER_HELLO_DONE);
471 
472  state.server_kex(
473  new Server_Key_Exchange(contents,
474  state.ciphersuite().kex_method(),
475  state.ciphersuite().auth_method(),
476  state.version())
477  );
478 
479  if(state.ciphersuite().signature_used())
480  {
481  const Public_Key& server_key = state.get_server_public_key();
482 
483  if(!state.server_kex()->verify(server_key, state, policy()))
484  {
485  throw TLS_Exception(Alert::DECRYPT_ERROR,
486  "Bad signature on server key exchange");
487  }
488  }
489  }
490  else if(type == CERTIFICATE_REQUEST)
491  {
492  state.set_expected_next(SERVER_HELLO_DONE);
493  state.cert_req(new Certificate_Req(contents, state.version()));
494  }
495  else if(type == SERVER_HELLO_DONE)
496  {
497  state.server_hello_done(new Server_Hello_Done(contents));
498 
499  if(state.server_certs() != nullptr &&
500  state.server_hello()->supports_certificate_status_message())
501  {
502  try
503  {
504  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
505 
506  std::vector<std::shared_ptr<const OCSP::Response>> ocsp;
507  if(state.server_cert_status() != nullptr)
508  ocsp.push_back(state.server_cert_status()->response());
509 
510  callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
511  ocsp,
512  trusted_CAs,
514  m_info.hostname(),
515  policy());
516  }
517  catch(std::exception& e)
518  {
519  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
520  }
521  }
522 
523  if(state.received_handshake_msg(CERTIFICATE_REQUEST))
524  {
525  const auto& types = state.cert_req()->acceptable_cert_types();
526 
527  std::vector<X509_Certificate> client_certs =
528  m_creds.find_cert_chain(types,
529  state.cert_req()->acceptable_CAs(),
530  "tls-client",
531  m_info.hostname());
532 
533  state.client_certs(new Certificate(state.handshake_io(),
534  state.hash(),
535  client_certs));
536  }
537 
538  state.client_kex(
539  new Client_Key_Exchange(state.handshake_io(),
540  state,
541  policy(),
542  m_creds,
543  state.server_public_key.get(),
544  m_info.hostname(),
545  rng())
546  );
547 
548  state.compute_session_keys();
549 
550  if(state.received_handshake_msg(CERTIFICATE_REQUEST) &&
551  !state.client_certs()->empty())
552  {
553  Private_Key* private_key =
554  m_creds.private_key_for(state.client_certs()->cert_chain()[0],
555  "tls-client",
556  m_info.hostname());
557 
558  state.client_verify(
559  new Certificate_Verify(state.handshake_io(),
560  state,
561  policy(),
562  rng(),
563  private_key)
564  );
565  }
566 
567  state.handshake_io().send(Change_Cipher_Spec());
568 
570 
571  state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
572 
573  if(state.server_hello()->supports_session_ticket())
574  state.set_expected_next(NEW_SESSION_TICKET);
575  else
576  state.set_expected_next(HANDSHAKE_CCS);
577  }
578  else if(type == NEW_SESSION_TICKET)
579  {
580  state.new_session_ticket(new New_Session_Ticket(contents));
581 
582  state.set_expected_next(HANDSHAKE_CCS);
583  }
584  else if(type == HANDSHAKE_CCS)
585  {
586  state.set_expected_next(FINISHED);
587 
589  }
590  else if(type == FINISHED)
591  {
592  state.server_finished(new Finished(contents));
593 
594  if(!state.server_finished()->verify(state, SERVER))
595  throw TLS_Exception(Alert::DECRYPT_ERROR,
596  "Finished message didn't verify");
597 
598  state.hash().update(state.handshake_io().format(contents, type));
599 
600  if(!state.client_finished()) // session resume case
601  {
602  state.handshake_io().send(Change_Cipher_Spec());
604  state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
605  }
606 
607  std::vector<uint8_t> session_id = state.server_hello()->session_id();
608 
609  const std::vector<uint8_t>& session_ticket = state.session_ticket();
610 
611  if(session_id.empty() && !session_ticket.empty())
612  session_id = make_hello_random(rng(), policy());
613 
614  Session session_info(
615  session_id,
616  state.session_keys().master_secret(),
617  state.server_hello()->version(),
618  state.server_hello()->ciphersuite(),
619  CLIENT,
620  state.server_hello()->supports_extended_master_secret(),
621  state.server_hello()->supports_encrypt_then_mac(),
622  get_peer_cert_chain(state),
623  session_ticket,
624  m_info,
625  "",
626  state.server_hello()->srtp_profile()
627  );
628 
629  const bool should_save = save_session(session_info);
630 
631  if(session_id.size() > 0 && state.is_a_resumption() == false)
632  {
633  if(should_save)
634  session_manager().save(session_info);
635  else
636  session_manager().remove_entry(session_info.session_id());
637  }
638 
640  }
641  else
642  throw Unexpected_Message("Unknown handshake message received");
643  }
644 
645 }
646 
647 }
virtual std::vector< X509_Certificate > find_cert_chain(const std::vector< std::string > &cert_key_types, const std::vector< X509_DN > &acceptable_CAs, const std::string &type, const std::string &context)
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
virtual bool allow_server_initiated_renegotiation() const
Definition: tls_policy.cpp:320
virtual std::string srp_identifier(const std::string &type, const std::string &context)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Definition: tls_channel.h:42
void change_cipher_spec_reader(Connection_Side side)
virtual bool acceptable_ciphersuite(const Ciphersuite &suite) const
Definition: tls_policy.cpp:313
int(* final)(unsigned char *, CTX *)
static bool is_scsv(uint16_t suite)
void change_cipher_spec_writer(Connection_Side side)
Client(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, const Server_Information &server_info=Server_Information(), const Protocol_Version &offer_version=Protocol_Version::latest_tls_version(), const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Client::IO_BUF_DEFAULT_SIZE)
Definition: tls_client.cpp:50
void send_warning_alert(Alert::Type type)
Definition: tls_channel.h:141
std::function< void(const uint8_t[], size_t)> output_fn
Definition: tls_channel.h:40
bool secure_renegotiation_supported() const
Handshake_State & create_handshake_state(Protocol_Version version)
RandomNumberGenerator & rng()
Definition: tls_channel.h:234
std::string hostname() const
MechanismType type
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
virtual bool allow_insecure_renegotiation() const
Definition: tls_policy.cpp:321
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
std::function< bool(const Session &)> handshake_cb
Definition: tls_channel.h:43
bool save_session(const Session &session)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store *> &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
Definition: alg_id.cpp:13
std::vector< X509_Certificate > resume_peer_certs
Definition: tls_client.cpp:42
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side)
void secure_renegotiation_check(const Client_Hello *client_hello)
secure_vector< uint8_t > resume_master_secret
Definition: tls_client.cpp:41
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
std::function< void(const uint8_t[], size_t)> data_cb
Definition: tls_channel.h:41
std::unique_ptr< Public_Key > server_public_key
Definition: tls_client.cpp:38
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Callbacks & callbacks() const
Definition: tls_channel.h:242
const Policy & policy() const
Definition: tls_channel.h:238
virtual void save(const Session &session)=0
Session_Manager & session_manager()
Definition: tls_channel.h:236
std::function< void(const Handshake_Message &)> handshake_msg_cb
Definition: tls_channel.h:44
virtual bool load_from_server_info(const Server_Information &info, Session &session)=0