Botan 3.0.0
Crypto and TLS for C&
tls_client_impl_12.cpp
Go to the documentation of this file.
1/*
2* TLS Client
3* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4* 2016 Matthias Gierlings
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/tls_client.h>
11#include <botan/tls_messages.h>
12#include <botan/ocsp.h>
13#include <botan/internal/tls_handshake_state.h>
14#include <botan/internal/stl_util.h>
15#include <botan/internal/tls_client_impl_12.h>
16
17#include <sstream>
18#include <optional>
19
20namespace Botan::TLS {
21
22namespace {
23
24class Client_Handshake_State_12 final : public Handshake_State
25 {
26 public:
27 Client_Handshake_State_12(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
28 Handshake_State(std::move(io), cb),
29 m_is_reneg(false)
30 {}
31
32 const Public_Key& get_server_public_key() const
33 {
34 BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
35 return *server_public_key.get();
36 }
37
38 bool is_a_resumption() const { return resumed_session.has_value(); }
39
40 bool is_a_renegotiation() const { return m_is_reneg; }
41
42 const secure_vector<uint8_t>& resume_master_secret() const
43 {
44 BOTAN_STATE_CHECK(is_a_resumption());
45 return resumed_session->master_secret();
46 }
47
48 const std::vector<X509_Certificate>& resume_peer_certs() const
49 {
50 BOTAN_STATE_CHECK(is_a_resumption());
51 return resumed_session->peer_certs();
52 }
53
54 std::unique_ptr<Public_Key> server_public_key;
55 // Used during session resumption
56 std::optional<Session> resumed_session;
57 bool m_is_reneg = false;
58 };
59}
60
61/*
62* TLS 1.2 Client Constructor
63*/
64Client_Impl_12::Client_Impl_12(std::shared_ptr<Callbacks> callbacks,
65 std::shared_ptr<Session_Manager> session_manager,
66 std::shared_ptr<Credentials_Manager> creds,
67 std::shared_ptr<const Policy> policy,
68 std::shared_ptr<RandomNumberGenerator> rng,
69 Server_Information info,
70 bool datagram,
71 const std::vector<std::string>& next_protocols,
72 size_t io_buf_sz) :
73 Channel_Impl_12(callbacks, session_manager, rng, policy, false, datagram, io_buf_sz),
74 m_creds(creds),
75 m_info(info)
76 {
77 BOTAN_ASSERT_NONNULL(m_creds);
78 const auto version = datagram ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
79 Handshake_State& state = create_handshake_state(version);
80 send_client_hello(state, false, version, std::nullopt /* no a-priori session to resume */, next_protocols);
81 }
82
83Client_Impl_12::Client_Impl_12(const Channel_Impl::Downgrade_Information& downgrade_info) :
84 Channel_Impl_12(downgrade_info.callbacks,
85 downgrade_info.session_manager,
86 downgrade_info.rng,
87 downgrade_info.policy,
88 false /* is_server */,
89 false /* datagram -- not supported by Botan in TLS 1.3 */,
90 downgrade_info.io_buffer_size),
91 m_creds(downgrade_info.creds),
92 m_info(downgrade_info.server_info)
93 {
94 Handshake_State& state = create_handshake_state(Protocol_Version::TLS_V12);
95
96 if(!downgrade_info.client_hello_message.empty())
97 {
98 // Downgrade detected after receiving a TLS 1.2 server hello. We need to
99 // recreate the state as if this implementation issued the client hello.
100 std::vector<uint8_t> client_hello_msg(downgrade_info.client_hello_message.begin() + 4 /* handshake header length */,
101 downgrade_info.client_hello_message.end());
102
103 state.client_hello(new Client_Hello_12(client_hello_msg));
104 state.hash().update(downgrade_info.client_hello_message);
105
106 secure_renegotiation_check(state.client_hello());
107 state.set_expected_next(Handshake_Type::ServerHello);
108 }
109 else
110 {
111 // Downgrade initiated after a TLS 1.2 session was found. No communication
112 // has happened yet but the found session should be used for resumption.
113 BOTAN_ASSERT_NOMSG(downgrade_info.tls12_session.has_value() &&
114 downgrade_info.tls12_session->session.version().is_pre_tls_13());
115 send_client_hello(state, false, downgrade_info.tls12_session->session.version(), downgrade_info.tls12_session, downgrade_info.next_protocols);
116 }
117 }
118
119std::unique_ptr<Handshake_State> Client_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io)
120 {
121 return std::make_unique<Client_Handshake_State_12>(std::move(io), callbacks());
122 }
123
124std::vector<X509_Certificate>
125Client_Impl_12::get_peer_cert_chain(const Handshake_State& state) const
126 {
127 const Client_Handshake_State_12& cstate = dynamic_cast<const Client_Handshake_State_12&>(state);
128
129 if(cstate.is_a_resumption())
130 return cstate.resume_peer_certs();
131
132 if(state.server_certs())
133 return state.server_certs()->cert_chain();
134 return std::vector<X509_Certificate>();
135 }
136
137/*
138* Send a new client hello to renegotiate
139*/
140void Client_Impl_12::initiate_handshake(Handshake_State& state,
141 bool force_full_renegotiation)
142 {
143 // we don't support TLS < 1.2 anymore and TLS 1.3 should not use this client impl
144 const auto version = state.version().is_datagram_protocol()
145 ? Protocol_Version::DTLS_V12
146 : Protocol_Version::TLS_V12;
147 send_client_hello(state, force_full_renegotiation, version);
148 }
149
150void Client_Impl_12::send_client_hello(Handshake_State& state_base,
151 bool force_full_renegotiation,
152 Protocol_Version version,
153 std::optional<Session_with_Handle> session_and_handle,
154 const std::vector<std::string>& next_protocols)
155 {
156 Client_Handshake_State_12& state = dynamic_cast<Client_Handshake_State_12&>(state_base);
157
158 if(state.version().is_datagram_protocol())
159 state.set_expected_next(Handshake_Type::HelloVerifyRequest); // optional
160 state.set_expected_next(Handshake_Type::ServerHello);
161
162 if(!force_full_renegotiation)
163 {
164 // if no session is provided, we need to try and find one opportunistically
165 if(!session_and_handle.has_value() && !m_info.empty())
166 {
167 if(auto sessions = session_manager().find(m_info, callbacks(), policy()); !sessions.empty())
168 {
169 session_and_handle = std::move(sessions.front());
170 }
171 }
172
173 if(session_and_handle.has_value())
174 {
175 /*
176 Ensure that the session protocol cipher and version are acceptable
177 If not skip the resume and establish a new session
178 */
179 auto& session_info = session_and_handle->session;
180 const bool exact_version = session_info.version() == version;
181 const bool ok_version =
182 (session_info.version().is_datagram_protocol() == version.is_datagram_protocol()) &&
183 policy().acceptable_protocol_version(session_info.version());
184
185 const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
186
187 if(policy().acceptable_ciphersuite(session_info.ciphersuite()) && session_version_ok)
188 {
189 state.client_hello(
190 new Client_Hello_12(state.handshake_io(),
191 state.hash(),
192 policy(),
193 callbacks(),
194 rng(),
195 secure_renegotiation_data_for_client_hello(),
196 session_and_handle.value(),
197 next_protocols));
198
199 state.resumed_session = std::move(session_info);
200 }
201 }
202 }
203
204 if(!state.client_hello()) // not resuming
205 {
206 Client_Hello_12::Settings client_settings(version, m_info.hostname());
207 state.client_hello(new Client_Hello_12(
208 state.handshake_io(),
209 state.hash(),
210 policy(),
211 callbacks(),
212 rng(),
213 secure_renegotiation_data_for_client_hello(),
214 client_settings,
215 next_protocols));
216 }
217
218 secure_renegotiation_check(state.client_hello());
219 }
220
221namespace {
222
223bool key_usage_matches_ciphersuite(Key_Constraints usage,
224 const Ciphersuite& suite)
225 {
226 if(usage == Key_Constraints::None)
227 return true; // anything goes ...
228
229 if(suite.kex_method() == Kex_Algo::STATIC_RSA)
230 {
231 return usage.includes_any(Key_Constraints::KeyEncipherment,
232 Key_Constraints::DataEncipherment);
233 }
234 else
235 {
236 return usage.includes_any(Key_Constraints::DigitalSignature,
237 Key_Constraints::NonRepudiation);
238 }
239 }
240
241}
242
243/*
244* Process a handshake message
245*/
246void Client_Impl_12::process_handshake_msg(const Handshake_State* active_state,
247 Handshake_State& state_base,
248 Handshake_Type type,
249 const std::vector<uint8_t>& contents,
250 bool epoch0_restart)
251 {
252 BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
253
254 Client_Handshake_State_12& state = dynamic_cast<Client_Handshake_State_12&>(state_base);
255
256 if(type == Handshake_Type::HelloRequest && active_state)
257 {
258 Hello_Request hello_request(contents);
259
260 if(state.client_hello())
261 {
262 throw TLS_Exception(Alert::HandshakeFailure, "Cannot renegotiate during a handshake");
263 }
264
265 if(policy().allow_server_initiated_renegotiation())
266 {
267 if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation())
268 {
269 state.m_is_reneg = true;
270 initiate_handshake(state, true /* force_full_renegotiation */);
271 }
272 else
273 {
274 throw TLS_Exception(Alert::HandshakeFailure, "Client policy prohibits insecure renegotiation");
275 }
276 }
277 else
278 {
279 if(policy().abort_connection_on_undesired_renegotiation())
280 {
281 throw TLS_Exception(Alert::NoRenegotiation, "Client policy prohibits renegotiation");
282 }
283 else
284 {
285 // RFC 5746 section 4.2
286 send_warning_alert(Alert::NoRenegotiation);
287 }
288 }
289
290 return;
291 }
292
293 state.confirm_transition_to(type);
294
295 if(type != Handshake_Type::HandshakeCCS &&
296 type != Handshake_Type::Finished &&
297 type != Handshake_Type::HelloVerifyRequest)
298 {
299 state.hash().update(state.handshake_io().format(contents, type));
300 }
301
302 if(type == Handshake_Type::HelloVerifyRequest)
303 {
304 state.set_expected_next(Handshake_Type::ServerHello);
305 state.set_expected_next(Handshake_Type::HelloVerifyRequest); // might get it again
306
307 Hello_Verify_Request hello_verify_request(contents);
308 state.hello_verify_request(hello_verify_request);
309 }
310 else if(type == Handshake_Type::ServerHello)
311 {
312 state.server_hello(new Server_Hello_12(contents));
313
314 if(!state.server_hello()->legacy_version().valid())
315 {
316 throw TLS_Exception(Alert::ProtocolVersion,
317 "Server replied with an invalid version");
318 }
319
320 if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
321 {
322 throw TLS_Exception(Alert::HandshakeFailure,
323 "Server replied with ciphersuite we didn't send");
324 }
325
326 if(const auto suite = Ciphersuite::by_id(state.server_hello()->ciphersuite());
327 !suite || !suite->usable_in_version(state.server_hello()->legacy_version()))
328 {
329 throw TLS_Exception(Alert::HandshakeFailure,
330 "Server replied using a ciphersuite not allowed in version it offered");
331 }
332
333 if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
334 {
335 throw TLS_Exception(Alert::HandshakeFailure,
336 "Server replied with a signaling ciphersuite");
337 }
338
339 if(state.server_hello()->compression_method() != 0)
340 {
341 throw TLS_Exception(Alert::IllegalParameter,
342 "Server replied with non-null compression method");
343 }
344
345 if(state.client_hello()->legacy_version() > state.server_hello()->legacy_version())
346 {
347 // check for downgrade attacks
348 //
349 // RFC 8446 4.1.3.:
350 // TLS 1.2 clients SHOULD also check that the last 8 bytes are
351 // not equal to the [magic value DOWNGRADE_TLS11] if the ServerHello
352 // indicates TLS 1.1 or below. If a match is found, the client MUST
353 // abort the handshake with an "illegal_parameter" alert.
354 //
355 // TLS 1.3 servers will still set the magic string to DOWNGRADE_TLS12. Don't abort in this case.
356 if(auto requested = state.server_hello()->random_signals_downgrade();
357 requested.has_value() && requested.value() <= Protocol_Version::TLS_V11)
358 throw TLS_Exception(Alert::IllegalParameter, "Downgrade attack detected");
359 }
360
361 auto client_extn = state.client_hello()->extension_types();
362 auto server_extn = state.server_hello()->extension_types();
363
364 std::vector<Extension_Code> diff;
365
366 std::set_difference(server_extn.begin(), server_extn.end(),
367 client_extn.begin(), client_extn.end(),
368 std::back_inserter(diff));
369
370 if(!diff.empty())
371 {
372 // Server sent us back an extension we did not send!
373
374 std::ostringstream msg;
375 msg << "Server replied with unsupported extensions:";
376 for(auto&& d : diff)
377 msg << " " << static_cast<int>(d);
378 throw TLS_Exception(Alert::UnsupportedExtension, msg.str());
379 }
380
381 if(uint16_t srtp = state.server_hello()->srtp_profile())
382 {
383 if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
384 throw TLS_Exception(Alert::HandshakeFailure,
385 "Server replied with DTLS-SRTP alg we did not send");
386 }
387
388 callbacks().tls_examine_extensions(state.server_hello()->extensions(), Connection_Side::Server, Handshake_Type::ServerHello);
389
390 state.set_version(state.server_hello()->legacy_version());
391 m_application_protocol = state.server_hello()->next_protocol();
392
393 secure_renegotiation_check(state.server_hello());
394
395 const bool server_returned_same_session_id =
396 !state.server_hello()->session_id().empty() &&
397 (state.server_hello()->session_id() == state.client_hello()->session_id());
398
399 if(server_returned_same_session_id)
400 {
401 // successful resumption
402 BOTAN_ASSERT_NOMSG(state.resumed_session.has_value());
403
404 /*
405 * In this case, we offered the version used in the original
406 * session, and the server must resume with the same version.
407 */
408 if(state.server_hello()->legacy_version() != state.client_hello()->legacy_version())
409 throw TLS_Exception(Alert::HandshakeFailure,
410 "Server resumed session but with wrong version");
411
412 if(state.server_hello()->supports_extended_master_secret() &&
413 !state.resumed_session->supports_extended_master_secret())
414 {
415 throw TLS_Exception(Alert::HandshakeFailure,
416 "Server resumed session but added extended master secret");
417 }
418
419 if(!state.server_hello()->supports_extended_master_secret() &&
420 state.resumed_session->supports_extended_master_secret())
421 {
422 throw TLS_Exception(Alert::HandshakeFailure,
423 "Server resumed session and removed extended master secret");
424 }
425
426 state.compute_session_keys(state.resume_master_secret());
427
428 if(state.server_hello()->supports_session_ticket())
429 {
430 state.set_expected_next(Handshake_Type::NewSessionTicket);
431 }
432 else
433 {
434 state.set_expected_next(Handshake_Type::HandshakeCCS);
435 }
436 }
437 else
438 {
439 // new session
440
441 if(active_state)
442 {
443 // Here we are testing things that should not change during a renegotation,
444 // even if the server creates a new session. Howerver they might change
445 // in a resumption scenario.
446
447 if(active_state->version() != state.server_hello()->legacy_version())
448 throw TLS_Exception(Alert::ProtocolVersion,
449 "Server changed version after renegotiation");
450
451 if(state.server_hello()->supports_extended_master_secret() !=
452 active_state->server_hello()->supports_extended_master_secret())
453 {
454 throw TLS_Exception(Alert::HandshakeFailure,
455 "Server changed its mind about extended master secret");
456 }
457 }
458
459 state.resumed_session.reset(); // non-null if we were attempting a resumption
460
461 if(state.client_hello()->legacy_version().is_datagram_protocol() !=
462 state.server_hello()->legacy_version().is_datagram_protocol())
463 {
464 throw TLS_Exception(Alert::ProtocolVersion,
465 "Server replied with different protocol type than we offered");
466 }
467
468 if(state.version() > state.client_hello()->legacy_version())
469 {
470 throw TLS_Exception(Alert::HandshakeFailure,
471 "Server replied with later version than client offered");
472 }
473
474 if(state.version().major_version() == 3 && state.version().minor_version() == 0)
475 {
476 throw TLS_Exception(Alert::ProtocolVersion,
477 "Server attempting to negotiate SSLv3 which is not supported");
478 }
479
480 if(!policy().acceptable_protocol_version(state.version()))
481 {
482 throw TLS_Exception(Alert::ProtocolVersion,
483 "Server version " + state.version().to_string() +
484 " is unacceptable by policy");
485 }
486
487 if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
488 {
489 state.set_expected_next(Handshake_Type::Certificate);
490 }
491 else if(state.ciphersuite().kex_method() == Kex_Algo::PSK)
492 {
493 /* PSK is anonymous so no certificate/cert req message is
494 ever sent. The server may or may not send a server kex,
495 depending on if it has an identity hint for us.
496
497 (EC)DHE_PSK always sends a server key exchange for the
498 DH exchange portion, and is covered by block below
499 */
500
501 state.set_expected_next(Handshake_Type::ServerKeyExchange);
502 state.set_expected_next(Handshake_Type::ServerHelloDone);
503 }
504 else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
505 {
506 state.set_expected_next(Handshake_Type::ServerKeyExchange);
507 }
508 else
509 {
510 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
511 state.set_expected_next(Handshake_Type::ServerHelloDone);
512 }
513 }
514 }
515 else if(type == Handshake_Type::Certificate)
516 {
517 state.server_certs(new Certificate_12(contents, policy()));
518
519 const std::vector<X509_Certificate>& server_certs =
520 state.server_certs()->cert_chain();
521
522 if(server_certs.empty())
523 throw TLS_Exception(Alert::HandshakeFailure,
524 "Client: No certificates sent by server");
525
526 /*
527 If the server supports certificate status messages,
528 certificate verification happens after we receive the server hello done,
529 in case an OCSP response was also available
530 */
531
532 X509_Certificate server_cert = server_certs[0];
533
534 if(active_state && active_state->server_certs())
535 {
536 X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
537
538 if(current_cert != server_cert)
539 throw TLS_Exception(Alert::BadCertificate, "Server certificate changed during renegotiation");
540 }
541
542 auto peer_key = server_cert.subject_public_key();
543
544 const std::string expected_key_type =
545 state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
546
547 if(peer_key->algo_name() != expected_key_type)
548 throw TLS_Exception(Alert::IllegalParameter,
549 "Certificate key type did not match ciphersuite");
550
551 if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite()))
552 throw TLS_Exception(Alert::BadCertificate,
553 "Certificate usage constraints do not allow this ciphersuite");
554
555 state.server_public_key.reset(peer_key.release());
556
557 if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
558 {
559 state.set_expected_next(Handshake_Type::ServerKeyExchange);
560 }
561 else
562 {
563 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
564 state.set_expected_next(Handshake_Type::ServerHelloDone);
565 }
566
567 if(state.server_hello()->supports_certificate_status_message())
568 {
569 state.set_expected_next(Handshake_Type::CertificateStatus); // optional
570 }
571 else
572 {
573 try
574 {
575 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-client", m_info.hostname());
576
577 callbacks().tls_verify_cert_chain(server_certs,
578 {},
579 trusted_CAs,
580 Usage_Type::TLS_SERVER_AUTH,
581 m_info.hostname(),
582 policy());
583 }
584 catch(TLS_Exception&)
585 {
586 throw;
587 }
588 catch(std::exception& e)
589 {
590 throw TLS_Exception(Alert::InternalError, e.what());
591 }
592 }
593 }
594 else if(type == Handshake_Type::CertificateStatus)
595 {
596 state.server_cert_status(new Certificate_Status(contents, Connection_Side::Server));
597
598 if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
599 {
600 state.set_expected_next(Handshake_Type::ServerKeyExchange);
601 }
602 else
603 {
604 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
605 state.set_expected_next(Handshake_Type::ServerHelloDone);
606 }
607 }
608 else if(type == Handshake_Type::ServerKeyExchange)
609 {
610 if(state.ciphersuite().psk_ciphersuite() == false)
611 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
612 state.set_expected_next(Handshake_Type::ServerHelloDone);
613
614 state.server_kex(
615 new Server_Key_Exchange(contents,
616 state.ciphersuite().kex_method(),
617 state.ciphersuite().auth_method(),
618 state.version())
619 );
620
621 if(state.ciphersuite().signature_used())
622 {
623 const Public_Key& server_key = state.get_server_public_key();
624
625 if(!state.server_kex()->verify(server_key, state, policy()))
626 {
627 throw TLS_Exception(Alert::DecryptError,
628 "Bad signature on server key exchange");
629 }
630 }
631 }
632 else if(type == Handshake_Type::CertificateRequest)
633 {
634 state.set_expected_next(Handshake_Type::ServerHelloDone);
635 state.cert_req(new Certificate_Request_12(contents));
636 }
637 else if(type == Handshake_Type::ServerHelloDone)
638 {
639 state.server_hello_done(new Server_Hello_Done(contents));
640
641 if(state.handshake_io().have_more_data())
642 throw TLS_Exception(Alert::UnexpectedMessage,
643 "Have data remaining in buffer after ServerHelloDone");
644
645
646 if(state.server_certs() != nullptr &&
647 state.server_hello()->supports_certificate_status_message())
648 {
649 try
650 {
651 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-client", m_info.hostname());
652
653 std::vector<std::optional<OCSP::Response>> ocsp;
654 if(state.server_cert_status() != nullptr)
655 {
656 ocsp.emplace_back(callbacks().tls_parse_ocsp_response(state.server_cert_status()->response()));
657 }
658
659 callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
660 ocsp,
661 trusted_CAs,
662 Usage_Type::TLS_SERVER_AUTH,
663 m_info.hostname(),
664 policy());
665 }
666 catch(TLS_Exception&)
667 {
668 throw;
669 }
670 catch(std::exception& e)
671 {
672 throw TLS_Exception(Alert::InternalError, e.what());
673 }
674 }
675
676 if(state.received_handshake_msg(Handshake_Type::CertificateRequest))
677 {
678 const auto& types = state.cert_req()->acceptable_cert_types();
679
680 std::vector<X509_Certificate> client_certs =
681 m_creds->find_cert_chain(types,
682 {},
683 state.cert_req()->acceptable_CAs(),
684 "tls-client",
685 m_info.hostname());
686
687 state.client_certs(new Certificate_12(state.handshake_io(),
688 state.hash(),
689 client_certs));
690 }
691
692 state.client_kex(
693 new Client_Key_Exchange(state.handshake_io(),
694 state,
695 policy(),
696 *m_creds,
697 state.server_public_key.get(),
698 m_info.hostname(),
699 rng())
700 );
701
702 state.compute_session_keys();
703
704 if(state.received_handshake_msg(Handshake_Type::CertificateRequest) &&
705 !state.client_certs()->empty())
706 {
707 auto private_key =
708 m_creds->private_key_for(state.client_certs()->cert_chain()[0],
709 "tls-client",
710 m_info.hostname());
711
712 if(!private_key)
713 throw TLS_Exception(Alert::InternalError, "Failed to get private key for signing");
714
715 state.client_verify(
716 new Certificate_Verify_12(state.handshake_io(),
717 state,
718 policy(),
719 rng(),
720 private_key.get())
721 );
722 }
723
724 state.handshake_io().send(Change_Cipher_Spec());
725
726 change_cipher_spec_writer(Connection_Side::Client);
727
728 state.client_finished(new Finished_12(state.handshake_io(), state, Connection_Side::Client));
729
730 if(state.server_hello()->supports_session_ticket())
731 state.set_expected_next(Handshake_Type::NewSessionTicket);
732 else
733 state.set_expected_next(Handshake_Type::HandshakeCCS);
734 }
735 else if(type == Handshake_Type::NewSessionTicket)
736 {
737 state.new_session_ticket(new New_Session_Ticket_12(contents));
738
739 state.set_expected_next(Handshake_Type::HandshakeCCS);
740 }
741 else if(type == Handshake_Type::HandshakeCCS)
742 {
743 state.set_expected_next(Handshake_Type::Finished);
744
745 change_cipher_spec_reader(Connection_Side::Client);
746 }
747 else if(type == Handshake_Type::Finished)
748 {
749 if(state.handshake_io().have_more_data())
750 throw TLS_Exception(Alert::UnexpectedMessage,
751 "Have data remaining in buffer after Finished");
752
753 state.server_finished(new Finished_12(contents));
754
755 if(!state.server_finished()->verify(state, Connection_Side::Server))
756 throw TLS_Exception(Alert::DecryptError,
757 "Finished message didn't verify");
758
759 state.hash().update(state.handshake_io().format(contents, type));
760
761 if(!state.client_finished())
762 {
763 // session resume case
764 state.handshake_io().send(Change_Cipher_Spec());
765 change_cipher_spec_writer(Connection_Side::Client);
766 state.client_finished(new Finished_12(state.handshake_io(), state, Connection_Side::Client));
767 }
768
769 Session session_info(
770 state.session_keys().master_secret(),
771 state.server_hello()->legacy_version(),
772 state.server_hello()->ciphersuite(),
773 Connection_Side::Client,
774 state.server_hello()->supports_extended_master_secret(),
775 state.server_hello()->supports_encrypt_then_mac(),
776 get_peer_cert_chain(state),
777 m_info,
778 state.server_hello()->srtp_profile(),
779 callbacks().tls_current_timestamp(),
780
781 // Session Tickets (as defined in RFC 5077) contain a lifetime_hint,
782 // sessions identified via a Session_ID do not.
783 ((state.new_session_ticket())
784 ? state.new_session_ticket()->ticket_lifetime_hint()
785 : std::chrono::seconds::max())
786 );
787
788 // RFC 5077 3.4
789 // If the client receives a session ticket from the server, then it
790 // discards any Session ID that was sent in the ServerHello.
791 const auto handle = [&]() -> std::optional<Session_Handle>
792 {
793 if(const auto& session_ticket = state.session_ticket(); !session_ticket.empty())
794 { return session_ticket; }
795 else if(const auto& session_id = state.server_hello()->session_id(); !session_id.empty())
796 { return session_id; }
797 else
798 { return std::nullopt; }
799 }();
800
801 // Give the application a chance for a final veto before fully
802 // establishing the connection.
803 callbacks().tls_session_established([&]
804 {
805 Session_Summary summary(session_info, state.is_a_resumption());
806 summary.set_session_id(state.server_hello()->session_id());
807 if(auto nst = state.new_session_ticket())
808 {
809 summary.set_session_ticket(nst->ticket());
810 }
811 return summary;
812 }());
813
814 if(handle.has_value())
815 {
816 const bool should_save =
817 callbacks().tls_should_persist_resumption_information(session_info);
818
819 // RFC 5077 3.3
820 // If the server successfully verifies the client's ticket, then it
821 // MAY renew the ticket by including a NewSessionTicket handshake
822 // message after the ServerHello in the abbreviated handshake. The
823 // client should start using the new ticket as soon as possible
824 // after it verifies the server's Finished message for new
825 // connections.
826 if(state.is_a_resumption() &&
827 !state.client_hello()->session_ticket().empty() &&
828 handle->is_ticket() &&
829 should_save)
830 {
831 // renew the session ticket by removing the one we used to establish
832 // this connection and replace it with the one we just received
833 session_manager().remove(state.client_hello()->session_ticket());
834 session_manager().store(session_info, handle.value());
835 }
836
837 if(!state.is_a_resumption())
838 {
839 if(should_save)
840 session_manager().store(session_info, handle.value());
841 else
842 session_manager().remove(handle.value());
843 }
844 }
845
846 activate_session();
847 }
848 else
849 throw Unexpected_Message("Unknown handshake message received");
850 }
851
852}
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:67
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition: assert.h:48
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition: assert.h:106
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:54
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition: pkix_enums.h:110
Botan::Key_Constraints::None
@ None
Definition: pkix_enums.h:109
Botan::Key_Constraints::NonRepudiation
@ NonRepudiation
Definition: pkix_enums.h:111
Botan::Key_Constraints::DataEncipherment
@ DataEncipherment
Definition: pkix_enums.h:113
Botan::Key_Constraints::KeyEncipherment
@ KeyEncipherment
Definition: pkix_enums.h:112
Botan::TLS::Callbacks::tls_session_established
virtual void tls_session_established(const Session_Summary &session)
Definition: tls_callbacks.h:88
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition: tls_callbacks.cpp:53
Botan::TLS::Callbacks::tls_should_persist_resumption_information
virtual bool tls_should_persist_resumption_information(const Session &session)
Definition: tls_callbacks.cpp:57
Botan::TLS::Callbacks::tls_verify_cert_chain
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition: tls_callbacks.cpp:74
Botan::TLS::Channel_Impl_12
Definition: tls_channel_impl_12.h:41
Botan::TLS::Channel_Impl_12::rng
RandomNumberGenerator & rng()
Definition: tls_channel_impl_12.h:171
Botan::TLS::Channel_Impl_12::activate_session
void activate_session()
Definition: tls_channel_impl_12.cpp:255
Botan::TLS::Channel_Impl_12::change_cipher_spec_reader
void change_cipher_spec_reader(Connection_Side side)
Definition: tls_channel_impl_12.cpp:186
Botan::TLS::Channel_Impl_12::create_handshake_state
Handshake_State & create_handshake_state(Protocol_Version version)
Definition: tls_channel_impl_12.cpp:105
Botan::TLS::Channel_Impl_12::callbacks
Callbacks & callbacks() const
Definition: tls_channel_impl_12.h:177
Botan::TLS::Channel_Impl_12::secure_renegotiation_check
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Definition: tls_channel_impl_12.cpp:624
Botan::TLS::Channel_Impl_12::session_manager
Session_Manager & session_manager()
Definition: tls_channel_impl_12.h:173
Botan::TLS::Channel_Impl_12::policy
const Policy & policy() const
Definition: tls_channel_impl_12.h:175
Botan::TLS::Channel_Impl_12::change_cipher_spec_writer
void change_cipher_spec_writer(Connection_Side side)
Definition: tls_channel_impl_12.cpp:215
Botan::TLS::Channel_Impl_12::secure_renegotiation_data_for_client_hello
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
Definition: tls_channel_impl_12.cpp:670
Botan::TLS::Channel_Impl_12::secure_renegotiation_supported
bool secure_renegotiation_supported() const override
Definition: tls_channel_impl_12.cpp:689
Botan::TLS::Channel_Impl::send_warning_alert
void send_warning_alert(Alert::Type type)
Definition: tls_channel_impl.h:71
Botan::TLS::Ciphersuite::is_scsv
static bool is_scsv(uint16_t suite)
Definition: tls_ciphersuite.cpp:54
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition: tls_ciphersuite.cpp:98
Botan::TLS::Client_Hello_12
Definition: tls_messages.h:151
Botan::TLS::Client_Impl_12::Client_Impl_12
Client_Impl_12(std::shared_ptr< Callbacks > callbacks, std::shared_ptr< Session_Manager > session_manager, std::shared_ptr< Credentials_Manager > creds, std::shared_ptr< const Policy > policy, std::shared_ptr< RandomNumberGenerator > rng, Server_Information server_info=Server_Information(), bool datagram=false, const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition: tls_client_impl_12.cpp:64
Botan::TLS::Handshake_Hash::update
void update(const uint8_t in[], size_t length)
Definition: tls_handshake_hash.h:24
Botan::TLS::Handshake_State
Definition: tls_handshake_state.h:60
Botan::TLS::Handshake_State::set_expected_next
void set_expected_next(Handshake_Type msg_type)
Definition: tls_handshake_state.cpp:243
Botan::TLS::Handshake_State::hash
Handshake_Hash & hash()
Definition: tls_handshake_state.h:187
Botan::TLS::Handshake_State::client_hello
void client_hello(Client_Hello_12 *client_hello)
Definition: tls_handshake_state.cpp:121
Botan::TLS::Policy::only_resume_with_exact_version
virtual bool only_resume_with_exact_version() const
Definition: tls_policy.cpp:378
Botan::TLS::Policy::acceptable_protocol_version
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition: tls_policy.cpp:298
Botan::TLS::Server_Information
Definition: tls_server_info.h:22
Botan::TLS::Server_Information::hostname
std::string hostname() const
Definition: tls_server_info.h:53
Botan::TLS::Server_Information::empty
bool empty() const
Definition: tls_server_info.h:69
Botan::TLS::Session_Manager::remove
virtual size_t remove(const Session_Handle &handle)=0
Botan::TLS::Session_Manager::store
virtual void store(const Session &session, const Session_Handle &handle)=0
Save a Session under a Session_Handle (TLS Client)
Botan::TLS::Session_Manager::find
virtual std::vector< Session_with_Handle > find(const Server_Information &info, Callbacks &callbacks, const Policy &policy)
Find all sessions that match a given server info.
Definition: tls_session_manager.cpp:173
final
int(* final)(unsigned char *, CTX *)
Definition: commoncrypto_hash.cpp:29
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition: stl_util.h:104
std
Definition: bigint.h:1092
Botan::TLS::Channel_Impl::Downgrade_Information
Definition: tls_channel_impl.h:185
Botan::TLS::Channel_Impl::Downgrade_Information::next_protocols
std::vector< std::string > next_protocols
Definition: tls_channel_impl.h:197
Botan::TLS::Channel_Impl::Downgrade_Information::client_hello_message
std::vector< uint8_t > client_hello_message
The client hello message including the handshake header bytes as transferred to the peer.
Definition: tls_channel_impl.h:187
Botan::TLS::Channel_Impl::Downgrade_Information::tls12_session
std::optional< Session_with_Handle > tls12_session
Definition: tls_channel_impl.h:194
server_public_key
std::unique_ptr< Public_Key > server_public_key
Definition: tls_client_impl_12.cpp:54
resumed_session
std::optional< Session > resumed_session
Definition: tls_client_impl_12.cpp:56
m_is_reneg
bool m_is_reneg
Definition: tls_client_impl_12.cpp:57
Generated by doxygen 1.9.6