Botan 3.11.0
Crypto and TLS for C&
tls_client_impl_12.cpp
Go to the documentation of this file.
1/*
2* TLS Client
3* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4* 2016 Matthias Gierlings
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/tls_client_impl_12.h>
11
12#include <botan/ocsp.h>
13#include <botan/tls_callbacks.h>
14#include <botan/tls_messages_12.h>
15#include <botan/tls_policy.h>
16#include <botan/internal/stl_util.h>
17#include <botan/internal/tls_handshake_state.h>
18#include <algorithm>
19#include <optional>
20#include <sstream>
21#include <utility>
22
23namespace Botan::TLS {
24
25namespace {
26
27class Client_Handshake_State_12 final : public Handshake_State {
28 public:
29 Client_Handshake_State_12(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
30 Handshake_State(std::move(io), cb), m_is_reneg(false) {}
31
32 const Public_Key& server_public_key() const {
33 BOTAN_ASSERT(m_server_public_key, "Server sent us a certificate");
34 return *m_server_public_key;
35 }
36
37 const Public_Key* maybe_server_public_key() const { return m_server_public_key.get(); }
38
39 void record_server_public_key(std::unique_ptr<Public_Key> spk) {
40 BOTAN_STATE_CHECK(!m_server_public_key);
41 m_server_public_key = std::move(spk);
42 }
43
44 bool is_a_resumption() const { return m_resumed_session.has_value(); }
45
46 void discard_resumption_state() { m_resumed_session.reset(); }
47
48 void record_resumption_info(std::optional<Session> session_info) {
49 BOTAN_STATE_CHECK(!m_resumed_session.has_value());
50 m_resumed_session = std::move(session_info);
51 }
52
53 bool is_a_renegotiation() const { return m_is_reneg; }
54
55 void mark_as_renegotiation() { m_is_reneg = true; }
56
57 const secure_vector<uint8_t>& resume_master_secret() const {
58 BOTAN_STATE_CHECK(is_a_resumption());
59 return m_resumed_session->master_secret();
60 }
61
62 const std::vector<X509_Certificate>& resume_peer_certs() const {
63 BOTAN_STATE_CHECK(is_a_resumption());
64 return m_resumed_session->peer_certs();
65 }
66
67 bool resumed_session_supports_extended_master_secret() const {
68 BOTAN_STATE_CHECK(is_a_resumption());
69 return m_resumed_session->supports_extended_master_secret();
70 }
71
72 private:
73 std::unique_ptr<Public_Key> m_server_public_key;
74
75 // Used during session resumption
76 std::optional<Session> m_resumed_session;
77 bool m_is_reneg = false;
78};
79
80} // namespace
81
82/*
83* TLS 1.2 Client Constructor
84*/
85Client_Impl_12::Client_Impl_12(const std::shared_ptr<Callbacks>& callbacks,
86 const std::shared_ptr<Session_Manager>& session_manager,
87 const std::shared_ptr<Credentials_Manager>& creds,
88 const std::shared_ptr<const Policy>& policy,
89 const std::shared_ptr<RandomNumberGenerator>& rng,
90 Server_Information info,
91 bool datagram,
92 const std::vector<std::string>& next_protocols,
93 size_t io_buf_sz) :
94 Channel_Impl_12(callbacks, session_manager, rng, policy, false, datagram, io_buf_sz),
95 m_creds(creds),
96 m_info(std::move(info)) {
97 BOTAN_ASSERT_NONNULL(m_creds);
98 const auto version = datagram ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
99 Handshake_State& state = create_handshake_state(version);
100 send_client_hello(state, false, version, std::nullopt /* no a-priori session to resume */, next_protocols);
101}
102
103Client_Impl_12::Client_Impl_12(const Channel_Impl::Downgrade_Information& downgrade_info) :
104 Channel_Impl_12(downgrade_info.callbacks,
105 downgrade_info.session_manager,
106 downgrade_info.rng,
107 downgrade_info.policy,
108 false /* is_server */,
109 false /* datagram -- not supported by Botan in TLS 1.3 */,
110 downgrade_info.io_buffer_size),
111 m_creds(downgrade_info.creds),
112 m_info(downgrade_info.server_info) {
113 Handshake_State& state = create_handshake_state(Protocol_Version::TLS_V12);
114
115 if(!downgrade_info.client_hello_message.empty()) {
116 // Downgrade detected after receiving a TLS 1.2 server hello. We need to
117 // recreate the state as if this implementation issued the client hello.
118 const std::vector<uint8_t> client_hello_msg(
119 downgrade_info.client_hello_message.begin() + 4 /* handshake header length */,
120 downgrade_info.client_hello_message.end());
121
122 state.client_hello(std::make_unique<Client_Hello_12>(client_hello_msg));
123 state.hash().update(downgrade_info.client_hello_message);
124
125 secure_renegotiation_check(state.client_hello());
126 state.set_expected_next(Handshake_Type::ServerHello);
127 } else {
128 // Downgrade initiated after a TLS 1.2 session was found. No communication
129 // has happened yet but the found session should be used for resumption.
130 BOTAN_ASSERT_NOMSG(downgrade_info.tls12_session.has_value() &&
131 downgrade_info.tls12_session->session.version().is_pre_tls_13());
132 send_client_hello(state,
133 false,
134 downgrade_info.tls12_session->session.version(),
135 downgrade_info.tls12_session,
136 downgrade_info.next_protocols);
137 }
138}
139
140std::unique_ptr<Handshake_State> Client_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
141 return std::make_unique<Client_Handshake_State_12>(std::move(io), callbacks());
142}
143
144std::vector<X509_Certificate> Client_Impl_12::get_peer_cert_chain(const Handshake_State& state) const {
145 const Client_Handshake_State_12& cstate = dynamic_cast<const Client_Handshake_State_12&>(state);
146
147 if(cstate.is_a_resumption()) {
148 return cstate.resume_peer_certs();
149 }
150
151 if(state.server_certs() != nullptr) {
152 return state.server_certs()->cert_chain();
153 }
154 return std::vector<X509_Certificate>();
155}
156
157/*
158* Send a new client hello to renegotiate
159*/
160void Client_Impl_12::initiate_handshake(Handshake_State& state, bool force_full_renegotiation) {
161 // we don't support TLS < 1.2 anymore and TLS 1.3 should not use this client impl
162 const auto version = state.version().is_datagram_protocol() ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
163 send_client_hello(state, force_full_renegotiation, version);
164}
165
166void Client_Impl_12::send_client_hello(Handshake_State& state_base,
167 bool force_full_renegotiation,
168 Protocol_Version version,
169 std::optional<Session_with_Handle> session_and_handle,
170 const std::vector<std::string>& next_protocols) {
171 Client_Handshake_State_12& state = dynamic_cast<Client_Handshake_State_12&>(state_base);
172
173 if(state.version().is_datagram_protocol()) {
174 state.set_expected_next(Handshake_Type::HelloVerifyRequest); // optional
175 }
176 state.set_expected_next(Handshake_Type::ServerHello);
177
178 if(!force_full_renegotiation) {
179 // if no session is provided, we need to try and find one opportunistically
180 if(!session_and_handle.has_value() && !m_info.empty()) {
181 if(auto sessions = session_manager().find(m_info, callbacks(), policy()); !sessions.empty()) {
182 session_and_handle = std::move(sessions.front());
183 }
184 }
185
186 if(session_and_handle.has_value()) {
187 /*
188 Ensure that the session protocol cipher and version are acceptable
189 If not skip the resume and establish a new session
190 */
191 auto& session_info = session_and_handle->session;
192 const bool exact_version = session_info.version() == version;
193 const bool ok_version = (session_info.version().is_datagram_protocol() == version.is_datagram_protocol()) &&
194 policy().acceptable_protocol_version(session_info.version());
195
196 const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
197
198 if(policy().acceptable_ciphersuite(session_info.ciphersuite()) && session_version_ok) {
199 state.client_hello(std::make_unique<Client_Hello_12>(state.handshake_io(),
200 state.hash(),
201 policy(),
202 callbacks(),
203 rng(),
204 secure_renegotiation_data_for_client_hello(),
205 session_and_handle.value(),
206 next_protocols));
207
208 state.record_resumption_info(std::move(session_info));
209 }
210 }
211 }
212
213 if(state.client_hello() == nullptr) {
214 // not resuming
215 const Client_Hello_12::Settings client_settings(version, m_info.hostname());
216 state.client_hello(std::make_unique<Client_Hello_12>(state.handshake_io(),
217 state.hash(),
218 policy(),
219 callbacks(),
220 rng(),
221 secure_renegotiation_data_for_client_hello(),
222 client_settings,
223 next_protocols));
224 }
225
226 secure_renegotiation_check(state.client_hello());
227}
228
229namespace {
230
231bool key_usage_matches_ciphersuite(Key_Constraints usage, const Ciphersuite& suite) {
232 if(usage == Key_Constraints::None) {
233 return true; // anything goes ...
234 }
235
236 if(suite.kex_method() == Kex_Algo::STATIC_RSA) {
237 return usage.includes_any(Key_Constraints::KeyEncipherment, Key_Constraints::DataEncipherment);
238 } else {
239 return usage.includes_any(Key_Constraints::DigitalSignature, Key_Constraints::NonRepudiation);
240 }
241}
242
243} // namespace
244
245/*
246* Process a handshake message
247*/
248void Client_Impl_12::process_handshake_msg(const Handshake_State* active_state,
249 Handshake_State& state_base,
250 Handshake_Type type,
251 const std::vector<uint8_t>& contents,
252 bool epoch0_restart) {
253 BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
254
255 Client_Handshake_State_12& state = dynamic_cast<Client_Handshake_State_12&>(state_base);
256
257 if(type == Handshake_Type::HelloRequest && active_state != nullptr) {
258 const Hello_Request hello_request(contents);
259
260 if(state.client_hello() != nullptr) {
261 throw TLS_Exception(Alert::HandshakeFailure, "Cannot renegotiate during a handshake");
262 }
263
264 if(policy().allow_server_initiated_renegotiation()) {
265 if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation()) {
266 state.mark_as_renegotiation();
267 initiate_handshake(state, true /* force_full_renegotiation */);
268 } else {
269 throw TLS_Exception(Alert::HandshakeFailure, "Client policy prohibits insecure renegotiation");
270 }
271 } else {
272 if(policy().abort_connection_on_undesired_renegotiation()) {
273 throw TLS_Exception(Alert::NoRenegotiation, "Client policy prohibits renegotiation");
274 } else {
275 // RFC 5746 section 4.2
276 send_warning_alert(Alert::NoRenegotiation);
277 }
278 }
279
280 return;
281 }
282
283 state.confirm_transition_to(type);
284
285 if(type != Handshake_Type::HandshakeCCS && type != Handshake_Type::Finished &&
286 type != Handshake_Type::HelloVerifyRequest) {
287 state.hash().update(state.handshake_io().format(contents, type));
288 }
289
290 if(type == Handshake_Type::HelloVerifyRequest) {
291 state.set_expected_next(Handshake_Type::ServerHello);
292 state.set_expected_next(Handshake_Type::HelloVerifyRequest); // might get it again
293
294 const Hello_Verify_Request hello_verify_request(contents);
295 state.hello_verify_request(hello_verify_request);
296 } else if(type == Handshake_Type::ServerHello) {
297 state.server_hello(std::make_unique<Server_Hello_12>(contents));
298
299 if(!state.server_hello()->legacy_version().valid()) {
300 throw TLS_Exception(Alert::ProtocolVersion, "Server replied with an invalid version");
301 }
302
303 if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite())) {
304 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with ciphersuite we didn't send");
305 }
306
307 const auto suite = Ciphersuite::by_id(state.server_hello()->ciphersuite());
308 if(!suite || !suite->usable_in_version(state.server_hello()->legacy_version())) {
309 throw TLS_Exception(Alert::HandshakeFailure,
310 "Server replied using a ciphersuite not allowed in version it offered");
311 }
312
313 // RFC 7366 3.:
314 // If a server receives an encrypt-then-MAC request extension from a client
315 // and then selects a stream or Authenticated Encryption with Associated
316 // Data (AEAD) ciphersuite, it MUST NOT send an encrypt-then-MAC
317 // response extension back to the client.
318 if(suite->aead_ciphersuite() && state.server_hello()->supports_encrypt_then_mac()) {
319 throw TLS_Exception(Alert::IllegalParameter,
320 "Server replied using an AEAD ciphersuite and an encrypt-then-MAC response extension");
321 }
322
323 if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite())) {
324 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with a signaling ciphersuite");
325 }
326
327 if(state.server_hello()->compression_method() != 0) {
328 throw TLS_Exception(Alert::IllegalParameter, "Server replied with non-null compression method");
329 }
330
331 if(state.client_hello()->legacy_version() > state.server_hello()->legacy_version()) {
332 // check for downgrade attacks
333 //
334 // RFC 8446 4.1.3.:
335 // TLS 1.2 clients SHOULD also check that the last 8 bytes are
336 // not equal to the [magic value DOWNGRADE_TLS11] if the ServerHello
337 // indicates TLS 1.1 or below. If a match is found, the client MUST
338 // abort the handshake with an "illegal_parameter" alert.
339 //
340 // TLS 1.3 servers will still set the magic string to DOWNGRADE_TLS12. Don't abort in this case.
341 if(auto requested = state.server_hello()->random_signals_downgrade();
342 requested.has_value() && requested.value() <= Protocol_Version::TLS_V11) {
343 throw TLS_Exception(Alert::IllegalParameter, "Downgrade attack detected");
344 }
345 }
346
347 auto client_extn = state.client_hello()->extension_types();
348 auto server_extn = state.server_hello()->extension_types();
349
350 std::vector<Extension_Code> diff;
351
352 std::set_difference(
353 server_extn.begin(), server_extn.end(), client_extn.begin(), client_extn.end(), std::back_inserter(diff));
354
355 if(!diff.empty()) {
356 // Server sent us back an extension we did not send!
357
358 std::ostringstream msg;
359 msg << "Server replied with unsupported extensions:";
360 for(auto&& d : diff) {
361 msg << " " << static_cast<int>(d);
362 }
363 throw TLS_Exception(Alert::UnsupportedExtension, msg.str());
364 }
365
366 if(const uint16_t srtp = state.server_hello()->srtp_profile()) {
367 if(!value_exists(state.client_hello()->srtp_profiles(), srtp)) {
368 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with DTLS-SRTP alg we did not send");
369 }
370 }
371
372 callbacks().tls_examine_extensions(
373 state.server_hello()->extensions(), Connection_Side::Server, Handshake_Type::ServerHello);
374
375 state.set_version(state.server_hello()->legacy_version());
376 m_application_protocol = state.server_hello()->next_protocol();
377
378 secure_renegotiation_check(state.server_hello());
379
380 const bool server_returned_same_session_id =
381 !state.server_hello()->session_id().empty() &&
382 (state.server_hello()->session_id() == state.client_hello()->session_id());
383
384 if(server_returned_same_session_id) {
385 // successful resumption
386 BOTAN_ASSERT_NOMSG(state.is_a_resumption());
387
388 /*
389 * In this case, we offered the version used in the original
390 * session, and the server must resume with the same version.
391 */
392 if(state.server_hello()->legacy_version() != state.client_hello()->legacy_version()) {
393 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session but with wrong version");
394 }
395
396 if(state.server_hello()->supports_extended_master_secret() &&
397 !state.resumed_session_supports_extended_master_secret()) {
398 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session but added extended master secret");
399 }
400
401 if(!state.server_hello()->supports_extended_master_secret() &&
402 state.resumed_session_supports_extended_master_secret()) {
403 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session and removed extended master secret");
404 }
405
406 state.compute_session_keys(state.resume_master_secret());
407 if(policy().allow_ssl_key_log_file()) {
408 // draft-thomson-tls-keylogfile-00 Section 3.2
409 // An implementation of TLS 1.2 (and also earlier versions) use
410 // the label "CLIENT_RANDOM" to identify the "master" secret for
411 // the connection.
412 callbacks().tls_ssl_key_log_data(
413 "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret());
414 }
415
416 if(state.server_hello()->supports_session_ticket()) {
417 state.set_expected_next(Handshake_Type::NewSessionTicket);
418 } else {
419 state.set_expected_next(Handshake_Type::HandshakeCCS);
420 }
421 } else {
422 // new session
423
424 if(active_state != nullptr) {
425 // Here we are testing things that should not change during a renegotiation,
426 // even if the server creates a new session. However they might change
427 // in a resumption scenario.
428
429 if(active_state->version() != state.server_hello()->legacy_version()) {
430 throw TLS_Exception(Alert::ProtocolVersion, "Server changed version after renegotiation");
431 }
432
433 if(state.server_hello()->supports_extended_master_secret() !=
434 active_state->server_hello()->supports_extended_master_secret()) {
435 throw TLS_Exception(Alert::HandshakeFailure, "Server changed its mind about extended master secret");
436 }
437 }
438
439 state.discard_resumption_state();
440
441 if(state.client_hello()->legacy_version().is_datagram_protocol() !=
442 state.server_hello()->legacy_version().is_datagram_protocol()) {
443 throw TLS_Exception(Alert::ProtocolVersion, "Server replied with different protocol type than we offered");
444 }
445
446 if(state.version() > state.client_hello()->legacy_version()) {
447 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with later version than client offered");
448 }
449
450 if(state.version().major_version() == 3 && state.version().minor_version() == 0) {
451 throw TLS_Exception(Alert::ProtocolVersion, "Server attempting to negotiate SSLv3 which is not supported");
452 }
453
454 if(!policy().acceptable_protocol_version(state.version())) {
455 throw TLS_Exception(Alert::ProtocolVersion,
456 "Server version " + state.version().to_string() + " is unacceptable by policy");
457 }
458
459 if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA) {
460 state.set_expected_next(Handshake_Type::Certificate);
461 } else if(state.ciphersuite().kex_method() == Kex_Algo::PSK) {
462 /* PSK is anonymous so no certificate/cert req message is
463 ever sent. The server may or may not send a server kex,
464 depending on if it has an identity hint for us.
465
466 (EC)DHE_PSK always sends a server key exchange for the
467 DH exchange portion, and is covered by block below
468 */
469
470 state.set_expected_next(Handshake_Type::ServerKeyExchange);
471 state.set_expected_next(Handshake_Type::ServerHelloDone);
472 } else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) {
473 state.set_expected_next(Handshake_Type::ServerKeyExchange);
474 } else {
475 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
476 state.set_expected_next(Handshake_Type::ServerHelloDone);
477 }
478 }
479 } else if(type == Handshake_Type::Certificate) {
480 state.server_certs(std::make_unique<Certificate_12>(contents, policy()));
481
482 const std::vector<X509_Certificate>& server_certs = state.server_certs()->cert_chain();
483
484 if(server_certs.empty()) {
485 throw TLS_Exception(Alert::HandshakeFailure, "Client: No certificates sent by server");
486 }
487
488 /*
489 If the server supports certificate status messages,
490 certificate verification happens after we receive the server hello done,
491 in case an OCSP response was also available
492 */
493
494 const X509_Certificate server_cert = server_certs[0];
495
496 if(active_state != nullptr && active_state->server_certs() != nullptr) {
497 const X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
498
499 if(current_cert != server_cert) {
500 throw TLS_Exception(Alert::BadCertificate, "Server certificate changed during renegotiation");
501 }
502 }
503
504 auto peer_key = server_cert.subject_public_key();
505
506 const std::string expected_key_type =
507 state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
508
509 if(peer_key->algo_name() != expected_key_type) {
510 throw TLS_Exception(Alert::IllegalParameter, "Certificate key type did not match ciphersuite");
511 }
512
513 if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite())) {
514 throw TLS_Exception(Alert::BadCertificate, "Certificate usage constraints do not allow this ciphersuite");
515 }
516
517 state.record_server_public_key(std::move(peer_key));
518
519 if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) {
520 state.set_expected_next(Handshake_Type::ServerKeyExchange);
521 } else {
522 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
523 state.set_expected_next(Handshake_Type::ServerHelloDone);
524 }
525
526 if(state.server_hello()->supports_certificate_status_message()) {
527 state.set_expected_next(Handshake_Type::CertificateStatus); // optional
528 } else {
529 try {
530 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-client", m_info.hostname());
531
532 callbacks().tls_verify_cert_chain(
533 server_certs, {}, trusted_CAs, Usage_Type::TLS_SERVER_AUTH, m_info.hostname(), policy());
534 } catch(TLS_Exception&) {
535 throw;
536 } catch(std::exception& e) {
537 throw TLS_Exception(Alert::InternalError, e.what());
538 }
539 }
540 } else if(type == Handshake_Type::CertificateStatus) {
541 state.server_cert_status(std::make_unique<Certificate_Status>(contents, Connection_Side::Server));
542
543 if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) {
544 state.set_expected_next(Handshake_Type::ServerKeyExchange);
545 } else {
546 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
547 state.set_expected_next(Handshake_Type::ServerHelloDone);
548 }
549 } else if(type == Handshake_Type::ServerKeyExchange) {
550 if(!state.ciphersuite().psk_ciphersuite()) {
551 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
552 }
553 state.set_expected_next(Handshake_Type::ServerHelloDone);
554
555 state.server_kex(std::make_unique<Server_Key_Exchange>(
556 contents, state.ciphersuite().kex_method(), state.ciphersuite().auth_method(), state.version()));
557
558 if(state.ciphersuite().signature_used()) {
559 const Public_Key& server_key = state.server_public_key();
560
561 if(!state.server_kex()->verify(server_key, state, policy())) {
562 throw TLS_Exception(Alert::DecryptError, "Bad signature on server key exchange");
563 }
564 }
565 } else if(type == Handshake_Type::CertificateRequest) {
566 state.set_expected_next(Handshake_Type::ServerHelloDone);
567 state.cert_req(std::make_unique<Certificate_Request_12>(contents));
568 } else if(type == Handshake_Type::ServerHelloDone) {
569 state.server_hello_done(std::make_unique<Server_Hello_Done>(contents));
570
571 if(state.handshake_io().have_more_data()) {
572 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after ServerHelloDone");
573 }
574
575 if(state.server_certs() != nullptr && state.server_hello()->supports_certificate_status_message()) {
576 try {
577 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-client", m_info.hostname());
578
579 std::vector<std::optional<OCSP::Response>> ocsp;
580 if(state.server_cert_status() != nullptr) {
581 ocsp.emplace_back(callbacks().tls_parse_ocsp_response(state.server_cert_status()->response()));
582 }
583
584 callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
585 ocsp,
586 trusted_CAs,
587 Usage_Type::TLS_SERVER_AUTH,
588 m_info.hostname(),
589 policy());
590 } catch(TLS_Exception&) {
591 throw;
592 } catch(std::exception& e) {
593 throw TLS_Exception(Alert::InternalError, e.what());
594 }
595 }
596
597 if(state.received_handshake_msg(Handshake_Type::CertificateRequest)) {
598 const auto& types = state.cert_req()->acceptable_cert_types();
599
600 const std::vector<X509_Certificate> client_certs =
601 m_creds->find_cert_chain(types, {}, state.cert_req()->acceptable_CAs(), "tls-client", m_info.hostname());
602
603 state.client_certs(std::make_unique<Certificate_12>(state.handshake_io(), state.hash(), client_certs));
604 }
605
606 state.client_kex(std::make_unique<Client_Key_Exchange>(
607 state.handshake_io(), state, policy(), *m_creds, state.maybe_server_public_key(), m_info.hostname(), rng()));
608
609 state.compute_session_keys();
610 if(policy().allow_ssl_key_log_file()) {
611 // draft-thomson-tls-keylogfile-00 Section 3.2
612 // An implementation of TLS 1.2 (and also earlier versions) use
613 // the label "CLIENT_RANDOM" to identify the "master" secret for
614 // the connection.
615 callbacks().tls_ssl_key_log_data(
616 "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret());
617 }
618
619 if(state.received_handshake_msg(Handshake_Type::CertificateRequest) && !state.client_certs()->empty()) {
620 auto private_key =
621 m_creds->private_key_for(state.client_certs()->cert_chain()[0], "tls-client", m_info.hostname());
622
623 if(!private_key) {
624 throw TLS_Exception(Alert::InternalError, "Failed to get private key for signing");
625 }
626
627 state.client_verify(
628 std::make_unique<Certificate_Verify_12>(state.handshake_io(), state, policy(), rng(), private_key.get()));
629 }
630
631 state.handshake_io().send(Change_Cipher_Spec());
632
633 change_cipher_spec_writer(Connection_Side::Client);
634
635 state.client_finished(std::make_unique<Finished_12>(state.handshake_io(), state, Connection_Side::Client));
636
637 if(state.server_hello()->supports_session_ticket()) {
638 state.set_expected_next(Handshake_Type::NewSessionTicket);
639 } else {
640 state.set_expected_next(Handshake_Type::HandshakeCCS);
641 }
642 } else if(type == Handshake_Type::NewSessionTicket) {
643 state.new_session_ticket(std::make_unique<New_Session_Ticket_12>(contents));
644
645 state.set_expected_next(Handshake_Type::HandshakeCCS);
646 } else if(type == Handshake_Type::HandshakeCCS) {
647 state.set_expected_next(Handshake_Type::Finished);
648
649 change_cipher_spec_reader(Connection_Side::Client);
650 } else if(type == Handshake_Type::Finished) {
651 if(state.handshake_io().have_more_data()) {
652 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after Finished");
653 }
654
655 state.server_finished(std::make_unique<Finished_12>(contents));
656
657 if(!state.server_finished()->verify(state, Connection_Side::Server)) {
658 throw TLS_Exception(Alert::DecryptError, "Finished message didn't verify");
659 }
660
661 state.hash().update(state.handshake_io().format(contents, type));
662
663 if(state.client_finished() == nullptr) {
664 // session resume case
665 state.handshake_io().send(Change_Cipher_Spec());
666 change_cipher_spec_writer(Connection_Side::Client);
667 state.client_finished(std::make_unique<Finished_12>(state.handshake_io(), state, Connection_Side::Client));
668 }
669
670 // Session Tickets (as defined in RFC 5077) contain a lifetime_hint,
671 // sessions identified via a Session_ID do not.
672 const std::chrono::seconds session_lifetime_hint = [&] {
673 if(state.new_session_ticket() != nullptr) {
674 return std::chrono::seconds(state.new_session_ticket()->ticket_lifetime_hint());
675 } else {
676 return std::chrono::seconds::max();
677 }
678 }();
679
680 Session session_info(state.session_keys().master_secret(),
681 state.server_hello()->legacy_version(),
682 state.server_hello()->ciphersuite(),
683 Connection_Side::Client,
684 state.server_hello()->supports_extended_master_secret(),
685 state.server_hello()->supports_encrypt_then_mac(),
686 get_peer_cert_chain(state),
687 m_info,
688 state.server_hello()->srtp_profile(),
689 callbacks().tls_current_timestamp(),
690 session_lifetime_hint);
691
692 // RFC 5077 3.4
693 // If the client receives a session ticket from the server, then it
694 // discards any Session ID that was sent in the ServerHello.
695 const auto handle = [&]() -> std::optional<Session_Handle> {
696 if(const auto& session_ticket = state.session_ticket(); !session_ticket.empty()) {
697 return Session_Handle(session_ticket);
698 } else if(const auto& session_id = state.server_hello()->session_id(); !session_id.empty()) {
699 return Session_Handle(session_id);
700 } else {
701 return std::nullopt;
702 }
703 }();
704
705 // Give the application a chance for a final veto before fully
706 // establishing the connection.
707 callbacks().tls_session_established([&, this] {
708 Session_Summary summary(session_info, state.is_a_resumption(), external_psk_identity());
709 summary.set_session_id(state.server_hello()->session_id());
710 if(const auto* nst = state.new_session_ticket()) {
711 summary.set_session_ticket(nst->ticket());
712 }
713 return summary;
714 }());
715
716 if(handle.has_value()) {
717 const bool should_save = callbacks().tls_should_persist_resumption_information(session_info);
718
719 // RFC 5077 3.3
720 // If the server successfully verifies the client's ticket, then it
721 // MAY renew the ticket by including a NewSessionTicket handshake
722 // message after the ServerHello in the abbreviated handshake. The
723 // client should start using the new ticket as soon as possible
724 // after it verifies the server's Finished message for new
725 // connections.
726 if(state.is_a_resumption() && !state.client_hello()->session_ticket().empty() && handle->is_ticket() &&
727 should_save) {
728 // renew the session ticket by removing the one we used to establish
729 // this connection and replace it with the one we just received
730 session_manager().remove(Session_Handle(state.client_hello()->session_ticket()));
731 session_manager().store(session_info, handle.value());
732 }
733
734 if(!state.is_a_resumption()) {
735 if(should_save) {
736 session_manager().store(session_info, handle.value());
737 } else {
738 session_manager().remove(handle.value());
739 }
740 }
741 }
742
743 activate_session();
744 } else {
745 throw Unexpected_Message("Unknown handshake message received");
746 }
747}
748
749} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition pkix_enums.h:116
Botan::Key_Constraints::None
@ None
Definition pkix_enums.h:115
Botan::Key_Constraints::NonRepudiation
@ NonRepudiation
Definition pkix_enums.h:117
Botan::Key_Constraints::DataEncipherment
@ DataEncipherment
Definition pkix_enums.h:119
Botan::Key_Constraints::KeyEncipherment
@ KeyEncipherment
Definition pkix_enums.h:118
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition tls_callbacks.cpp:69
Botan::TLS::Callbacks::tls_session_established
virtual void tls_session_established(const Session_Summary &session)
Definition tls_callbacks.cpp:412
Botan::TLS::Callbacks::tls_should_persist_resumption_information
virtual bool tls_should_persist_resumption_information(const Session &session)
Definition tls_callbacks.cpp:73
Botan::TLS::Callbacks::tls_verify_cert_chain
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition tls_callbacks.cpp:88
Botan::TLS::Callbacks::tls_ssl_key_log_data
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
Definition tls_callbacks.cpp:434
Botan::TLS::Channel_Impl_12::rng
RandomNumberGenerator & rng()
Definition tls_channel_impl_12.h:177
Botan::TLS::Channel_Impl_12::activate_session
void activate_session()
Definition tls_channel_impl_12.cpp:259
Botan::TLS::Channel_Impl_12::change_cipher_spec_reader
void change_cipher_spec_reader(Connection_Side side)
Definition tls_channel_impl_12.cpp:195
Botan::TLS::Channel_Impl_12::create_handshake_state
Handshake_State & create_handshake_state(Protocol_Version version)
Definition tls_channel_impl_12.cpp:114
Botan::TLS::Channel_Impl_12::callbacks
Callbacks & callbacks() const
Definition tls_channel_impl_12.h:183
Botan::TLS::Channel_Impl_12::secure_renegotiation_check
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Definition tls_channel_impl_12.cpp:561
Botan::TLS::Channel_Impl_12::session_manager
Session_Manager & session_manager()
Definition tls_channel_impl_12.h:179
Botan::TLS::Channel_Impl_12::policy
const Policy & policy() const
Definition tls_channel_impl_12.h:181
Botan::TLS::Channel_Impl_12::change_cipher_spec_writer
void change_cipher_spec_writer(Connection_Side side)
Definition tls_channel_impl_12.cpp:222
Botan::TLS::Channel_Impl_12::secure_renegotiation_data_for_client_hello
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
Definition tls_channel_impl_12.cpp:605
Botan::TLS::Channel_Impl_12::Channel_Impl_12
Channel_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< RandomNumberGenerator > &rng, const std::shared_ptr< const Policy > &policy, bool is_server, bool is_datagram, size_t io_buf_sz=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_channel_impl_12.cpp:25
Botan::TLS::Channel_Impl_12::external_psk_identity
std::optional< std::string > external_psk_identity() const override
Definition tls_channel_impl_12.cpp:105
Botan::TLS::Channel_Impl_12::secure_renegotiation_supported
bool secure_renegotiation_supported() const override
Definition tls_channel_impl_12.cpp:625
Botan::TLS::Channel_Impl::send_warning_alert
void send_warning_alert(Alert::Type type)
Definition tls_channel_impl.h:66
Botan::TLS::Ciphersuite::is_scsv
static bool is_scsv(uint16_t suite)
Definition tls_ciphersuite.cpp:55
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition tls_ciphersuite.cpp:98
Botan::TLS::Client_Impl_12::Client_Impl_12
Client_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, Server_Information server_info=Server_Information(), bool datagram=false, const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_client_impl_12.cpp:85
Botan::TLS::Handshake_Hash::update
void update(const uint8_t in[], size_t length)
Definition tls_handshake_hash.h:21
Botan::TLS::Handshake_State
Definition tls_handshake_state.h:59
Botan::TLS::Handshake_State::client_hello
void client_hello(std::unique_ptr< Client_Hello_12 > client_hello)
Definition tls_handshake_state.cpp:47
Botan::TLS::Handshake_State::set_expected_next
void set_expected_next(Handshake_Type msg_type)
Definition tls_handshake_state.cpp:168
Botan::TLS::Handshake_State::hash
Handshake_Hash & hash()
Definition tls_handshake_state.h:171
Botan::TLS::Policy::only_resume_with_exact_version
virtual bool only_resume_with_exact_version() const
Definition tls_policy.cpp:434
Botan::TLS::Policy::acceptable_protocol_version
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition tls_policy.cpp:319
Botan::TLS::Protocol_Version
Definition tls_version.h:34
Botan::TLS::Server_Information
Definition tls_server_info.h:19
Botan::TLS::Session_Manager::remove
virtual size_t remove(const Session_Handle &handle)=0
Botan::TLS::Session_Manager::store
virtual void store(const Session &session, const Session_Handle &handle)=0
Save a Session under a Session_Handle (TLS Client).
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const V &val)
Definition stl_util.h:43
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::TLS::Channel_Impl::Downgrade_Information
Definition tls_channel_impl.h:197
Botan::TLS::Channel_Impl::Downgrade_Information::next_protocols
std::vector< std::string > next_protocols
Definition tls_channel_impl.h:209
Botan::TLS::Channel_Impl::Downgrade_Information::client_hello_message
std::vector< uint8_t > client_hello_message
The client hello message including the handshake header bytes as transferred to the peer.
Definition tls_channel_impl.h:199
Botan::TLS::Channel_Impl::Downgrade_Information::tls12_session
std::optional< Session_with_Handle > tls12_session
Definition tls_channel_impl.h:206
Generated by doxygen 1.15.0