10#include <botan/internal/tls_client_impl_12.h>
12#include <botan/ocsp.h>
13#include <botan/tls_client.h>
14#include <botan/tls_messages.h>
15#include <botan/internal/stl_util.h>
16#include <botan/internal/tls_handshake_state.h>
26class Client_Handshake_State_12
final :
public Handshake_State {
28 Client_Handshake_State_12(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
29 Handshake_State(std::move(io), cb), m_is_reneg(false) {}
31 const Public_Key& server_public_key()
const {
32 BOTAN_ASSERT(m_server_public_key,
"Server sent us a certificate");
33 return *m_server_public_key;
36 const Public_Key* maybe_server_public_key()
const {
return m_server_public_key.get(); }
38 void record_server_public_key(std::unique_ptr<Public_Key> spk) {
40 m_server_public_key = std::move(spk);
43 bool is_a_resumption()
const {
return m_resumed_session.has_value(); }
45 void discard_resumption_state() { m_resumed_session.reset(); }
47 void record_resumption_info(std::optional<Session> session_info) {
49 m_resumed_session = std::move(session_info);
52 bool is_a_renegotiation()
const {
return m_is_reneg; }
54 void mark_as_renegotiation() { m_is_reneg =
true; }
58 return m_resumed_session->master_secret();
61 const std::vector<X509_Certificate>& resume_peer_certs()
const {
63 return m_resumed_session->peer_certs();
66 bool resumed_session_supports_extended_master_secret()
const {
68 return m_resumed_session->supports_extended_master_secret();
72 std::unique_ptr<Public_Key> m_server_public_key;
75 std::optional<Session> m_resumed_session;
76 bool m_is_reneg =
false;
85 const std::shared_ptr<Session_Manager>& session_manager,
86 const std::shared_ptr<Credentials_Manager>& creds,
87 const std::shared_ptr<const Policy>& policy,
88 const std::shared_ptr<RandomNumberGenerator>& rng,
91 const std::vector<std::string>& next_protocols,
93 Channel_Impl_12(callbacks, session_manager, rng, policy, false, datagram, io_buf_sz),
95 m_info(std::move(info)) {
97 const auto version = datagram ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
99 send_client_hello(state,
false, version, std::nullopt , next_protocols);
104 downgrade_info.session_manager,
106 downgrade_info.policy,
109 downgrade_info.io_buffer_size),
110 m_creds(downgrade_info.creds),
111 m_info(downgrade_info.server_info) {
117 std::vector<uint8_t> client_hello_msg(
130 downgrade_info.
tls12_session->session.version().is_pre_tls_13());
131 send_client_hello(state,
139std::unique_ptr<Handshake_State> Client_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
140 return std::make_unique<Client_Handshake_State_12>(std::move(io),
callbacks());
143std::vector<X509_Certificate> Client_Impl_12::get_peer_cert_chain(
const Handshake_State& state)
const {
144 const Client_Handshake_State_12& cstate =
dynamic_cast<const Client_Handshake_State_12&
>(state);
146 if(cstate.is_a_resumption()) {
147 return cstate.resume_peer_certs();
150 if(state.server_certs()) {
151 return state.server_certs()->cert_chain();
153 return std::vector<X509_Certificate>();
159void Client_Impl_12::initiate_handshake(Handshake_State& state,
bool force_full_renegotiation) {
161 const auto version = state.version().is_datagram_protocol() ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
162 send_client_hello(state, force_full_renegotiation, version);
165void Client_Impl_12::send_client_hello(Handshake_State& state_base,
166 bool force_full_renegotiation,
167 Protocol_Version version,
168 std::optional<Session_with_Handle> session_and_handle,
169 const std::vector<std::string>& next_protocols) {
170 Client_Handshake_State_12& state =
dynamic_cast<Client_Handshake_State_12&
>(state_base);
172 if(state.version().is_datagram_protocol()) {
177 if(!force_full_renegotiation) {
179 if(!session_and_handle.has_value() && !m_info.
empty()) {
181 session_and_handle = std::move(sessions.front());
185 if(session_and_handle.has_value()) {
190 auto& session_info = session_and_handle->session;
191 const bool exact_version = session_info.version() == version;
192 const bool ok_version = (session_info.version().is_datagram_protocol() == version.is_datagram_protocol()) &&
197 if(
policy().acceptable_ciphersuite(session_info.ciphersuite()) && session_version_ok) {
198 state.client_hello(
new Client_Hello_12(state.handshake_io(),
204 session_and_handle.value(),
207 state.record_resumption_info(std::move(session_info));
212 if(!state.client_hello())
214 Client_Hello_12::Settings client_settings(version, m_info.
hostname());
215 state.client_hello(
new Client_Hello_12(state.handshake_io(),
230bool key_usage_matches_ciphersuite(Key_Constraints usage,
const Ciphersuite& suite) {
247void Client_Impl_12::process_handshake_msg(
const Handshake_State* active_state,
248 Handshake_State& state_base,
250 const std::vector<uint8_t>& contents,
251 bool epoch0_restart) {
254 Client_Handshake_State_12& state =
dynamic_cast<Client_Handshake_State_12&
>(state_base);
257 Hello_Request hello_request(contents);
259 if(state.client_hello()) {
260 throw TLS_Exception(Alert::HandshakeFailure,
"Cannot renegotiate during a handshake");
263 if(
policy().allow_server_initiated_renegotiation()) {
265 state.mark_as_renegotiation();
266 initiate_handshake(state,
true );
268 throw TLS_Exception(Alert::HandshakeFailure,
"Client policy prohibits insecure renegotiation");
271 if(
policy().abort_connection_on_undesired_renegotiation()) {
272 throw TLS_Exception(Alert::NoRenegotiation,
"Client policy prohibits renegotiation");
282 state.confirm_transition_to(type);
286 state.hash().update(state.handshake_io().format(contents, type));
293 Hello_Verify_Request hello_verify_request(contents);
294 state.hello_verify_request(hello_verify_request);
296 state.server_hello(
new Server_Hello_12(contents));
298 if(!state.server_hello()->legacy_version().valid()) {
299 throw TLS_Exception(Alert::ProtocolVersion,
"Server replied with an invalid version");
302 if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite())) {
303 throw TLS_Exception(Alert::HandshakeFailure,
"Server replied with ciphersuite we didn't send");
307 if(!suite || !suite->usable_in_version(state.server_hello()->legacy_version())) {
308 throw TLS_Exception(Alert::HandshakeFailure,
309 "Server replied using a ciphersuite not allowed in version it offered");
317 if(suite->aead_ciphersuite() && state.server_hello()->supports_encrypt_then_mac()) {
318 throw TLS_Exception(Alert::IllegalParameter,
319 "Server replied using an AEAD ciphersuite and an encrypt-then-MAC response extension");
323 throw TLS_Exception(Alert::HandshakeFailure,
"Server replied with a signaling ciphersuite");
326 if(state.server_hello()->compression_method() != 0) {
327 throw TLS_Exception(Alert::IllegalParameter,
"Server replied with non-null compression method");
330 if(state.client_hello()->legacy_version() > state.server_hello()->legacy_version()) {
340 if(
auto requested = state.server_hello()->random_signals_downgrade();
341 requested.has_value() && requested.value() <= Protocol_Version::TLS_V11) {
342 throw TLS_Exception(Alert::IllegalParameter,
"Downgrade attack detected");
346 auto client_extn = state.client_hello()->extension_types();
347 auto server_extn = state.server_hello()->extension_types();
349 std::vector<Extension_Code> diff;
352 server_extn.begin(), server_extn.end(), client_extn.begin(), client_extn.end(), std::back_inserter(diff));
357 std::ostringstream msg;
358 msg <<
"Server replied with unsupported extensions:";
359 for(
auto&& d : diff) {
360 msg <<
" " <<
static_cast<int>(d);
362 throw TLS_Exception(Alert::UnsupportedExtension, msg.str());
365 if(uint16_t srtp = state.server_hello()->srtp_profile()) {
366 if(!
value_exists(state.client_hello()->srtp_profiles(), srtp)) {
367 throw TLS_Exception(Alert::HandshakeFailure,
"Server replied with DTLS-SRTP alg we did not send");
374 state.set_version(state.server_hello()->legacy_version());
375 m_application_protocol = state.server_hello()->next_protocol();
379 const bool server_returned_same_session_id =
380 !state.server_hello()->session_id().empty() &&
381 (state.server_hello()->session_id() == state.client_hello()->session_id());
383 if(server_returned_same_session_id) {
391 if(state.server_hello()->legacy_version() != state.client_hello()->legacy_version()) {
392 throw TLS_Exception(Alert::HandshakeFailure,
"Server resumed session but with wrong version");
395 if(state.server_hello()->supports_extended_master_secret() &&
396 !state.resumed_session_supports_extended_master_secret()) {
397 throw TLS_Exception(Alert::HandshakeFailure,
"Server resumed session but added extended master secret");
400 if(!state.server_hello()->supports_extended_master_secret() &&
401 state.resumed_session_supports_extended_master_secret()) {
402 throw TLS_Exception(Alert::HandshakeFailure,
"Server resumed session and removed extended master secret");
405 state.compute_session_keys(state.resume_master_secret());
406 if(
policy().allow_ssl_key_log_file()) {
412 "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret());
415 if(state.server_hello()->supports_session_ticket()) {
428 if(active_state->version() != state.server_hello()->legacy_version()) {
429 throw TLS_Exception(Alert::ProtocolVersion,
"Server changed version after renegotiation");
432 if(state.server_hello()->supports_extended_master_secret() !=
433 active_state->server_hello()->supports_extended_master_secret()) {
434 throw TLS_Exception(Alert::HandshakeFailure,
"Server changed its mind about extended master secret");
438 state.discard_resumption_state();
440 if(state.client_hello()->legacy_version().is_datagram_protocol() !=
441 state.server_hello()->legacy_version().is_datagram_protocol()) {
442 throw TLS_Exception(Alert::ProtocolVersion,
"Server replied with different protocol type than we offered");
445 if(state.version() > state.client_hello()->legacy_version()) {
446 throw TLS_Exception(Alert::HandshakeFailure,
"Server replied with later version than client offered");
449 if(state.version().major_version() == 3 && state.version().minor_version() == 0) {
450 throw TLS_Exception(Alert::ProtocolVersion,
"Server attempting to negotiate SSLv3 which is not supported");
453 if(!
policy().acceptable_protocol_version(state.version())) {
454 throw TLS_Exception(Alert::ProtocolVersion,
455 "Server version " + state.version().to_string() +
" is unacceptable by policy");
458 if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() ==
Kex_Algo::STATIC_RSA) {
460 }
else if(state.ciphersuite().kex_method() ==
Kex_Algo::PSK) {
479 state.server_certs(
new Certificate_12(contents,
policy()));
481 const std::vector<X509_Certificate>& server_certs = state.server_certs()->cert_chain();
483 if(server_certs.empty()) {
484 throw TLS_Exception(Alert::HandshakeFailure,
"Client: No certificates sent by server");
493 X509_Certificate server_cert = server_certs[0];
495 if(active_state && active_state->server_certs()) {
496 X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
498 if(current_cert != server_cert) {
499 throw TLS_Exception(Alert::BadCertificate,
"Server certificate changed during renegotiation");
503 auto peer_key = server_cert.subject_public_key();
505 const std::string expected_key_type =
506 state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() :
"RSA";
508 if(peer_key->algo_name() != expected_key_type) {
509 throw TLS_Exception(Alert::IllegalParameter,
"Certificate key type did not match ciphersuite");
512 if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite())) {
513 throw TLS_Exception(Alert::BadCertificate,
"Certificate usage constraints do not allow this ciphersuite");
516 state.record_server_public_key(std::move(peer_key));
525 if(state.server_hello()->supports_certificate_status_message()) {
529 auto trusted_CAs = m_creds->trusted_certificate_authorities(
"tls-client", m_info.
hostname());
533 }
catch(TLS_Exception&) {
535 }
catch(std::exception& e) {
536 throw TLS_Exception(Alert::InternalError, e.what());
549 if(state.ciphersuite().psk_ciphersuite() ==
false) {
554 state.server_kex(
new Server_Key_Exchange(
555 contents, state.ciphersuite().kex_method(), state.ciphersuite().auth_method(), state.version()));
557 if(state.ciphersuite().signature_used()) {
558 const Public_Key& server_key = state.server_public_key();
560 if(!state.server_kex()->verify(server_key, state,
policy())) {
561 throw TLS_Exception(Alert::DecryptError,
"Bad signature on server key exchange");
566 state.cert_req(
new Certificate_Request_12(contents));
568 state.server_hello_done(
new Server_Hello_Done(contents));
570 if(state.handshake_io().have_more_data()) {
571 throw TLS_Exception(Alert::UnexpectedMessage,
"Have data remaining in buffer after ServerHelloDone");
574 if(state.server_certs() !=
nullptr && state.server_hello()->supports_certificate_status_message()) {
576 auto trusted_CAs = m_creds->trusted_certificate_authorities(
"tls-client", m_info.
hostname());
578 std::vector<std::optional<OCSP::Response>> ocsp;
579 if(state.server_cert_status() !=
nullptr) {
580 ocsp.emplace_back(
callbacks().tls_parse_ocsp_response(state.server_cert_status()->response()));
589 }
catch(TLS_Exception&) {
591 }
catch(std::exception& e) {
592 throw TLS_Exception(Alert::InternalError, e.what());
597 const auto& types = state.cert_req()->acceptable_cert_types();
599 std::vector<X509_Certificate> client_certs =
600 m_creds->find_cert_chain(types, {}, state.cert_req()->acceptable_CAs(),
"tls-client", m_info.
hostname());
602 state.client_certs(
new Certificate_12(state.handshake_io(), state.hash(), client_certs));
605 state.client_kex(
new Client_Key_Exchange(
606 state.handshake_io(), state,
policy(), *m_creds, state.maybe_server_public_key(), m_info.
hostname(),
rng()));
608 state.compute_session_keys();
609 if(
policy().allow_ssl_key_log_file()) {
615 "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret());
620 m_creds->private_key_for(state.client_certs()->cert_chain()[0],
"tls-client", m_info.
hostname());
623 throw TLS_Exception(Alert::InternalError,
"Failed to get private key for signing");
627 new Certificate_Verify_12(state.handshake_io(), state,
policy(),
rng(), private_key.get()));
630 state.handshake_io().send(Change_Cipher_Spec());
636 if(state.server_hello()->supports_session_ticket()) {
642 state.new_session_ticket(
new New_Session_Ticket_12(contents));
650 if(state.handshake_io().have_more_data()) {
651 throw TLS_Exception(Alert::UnexpectedMessage,
"Have data remaining in buffer after Finished");
654 state.server_finished(
new Finished_12(contents));
657 throw TLS_Exception(Alert::DecryptError,
"Finished message didn't verify");
660 state.hash().update(state.handshake_io().format(contents, type));
662 if(!state.client_finished()) {
664 state.handshake_io().send(Change_Cipher_Spec());
669 Session session_info(state.session_keys().master_secret(),
670 state.server_hello()->legacy_version(),
671 state.server_hello()->ciphersuite(),
673 state.server_hello()->supports_extended_master_secret(),
674 state.server_hello()->supports_encrypt_then_mac(),
675 get_peer_cert_chain(state),
677 state.server_hello()->srtp_profile(),
682 ((state.new_session_ticket()) ? state.new_session_ticket()->ticket_lifetime_hint()
683 : std::chrono::seconds::max()));
688 const auto handle = [&]() -> std::optional<Session_Handle> {
689 if(
const auto& session_ticket = state.session_ticket(); !session_ticket.empty()) {
690 return session_ticket;
691 }
else if(
const auto& session_id = state.server_hello()->session_id(); !session_id.empty()) {
702 summary.set_session_id(state.server_hello()->session_id());
703 if(
auto nst = state.new_session_ticket()) {
704 summary.set_session_ticket(nst->ticket());
709 if(handle.has_value()) {
719 if(state.is_a_resumption() && !state.client_hello()->session_ticket().empty() && handle->is_ticket() &&
727 if(!state.is_a_resumption()) {
738 throw Unexpected_Message(
"Unknown handshake message received");
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_STATE_CHECK(expr)
#define BOTAN_ASSERT_NONNULL(ptr)
#define BOTAN_ASSERT(expr, assertion_made)
virtual void tls_session_established(const Session_Summary &session)
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
virtual bool tls_should_persist_resumption_information(const Session &session)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
RandomNumberGenerator & rng()
void change_cipher_spec_reader(Connection_Side side)
Handshake_State & create_handshake_state(Protocol_Version version)
Callbacks & callbacks() const
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Session_Manager & session_manager()
const Policy & policy() const
void change_cipher_spec_writer(Connection_Side side)
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
std::optional< std::string > external_psk_identity() const override
bool secure_renegotiation_supported() const override
void send_warning_alert(Alert::Type type)
static bool is_scsv(uint16_t suite)
static std::optional< Ciphersuite > by_id(uint16_t suite)
Client_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, Server_Information server_info=Server_Information(), bool datagram=false, const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
void update(const uint8_t in[], size_t length)
void set_expected_next(Handshake_Type msg_type)
void client_hello(Client_Hello_12 *client_hello)
virtual bool only_resume_with_exact_version() const
virtual bool acceptable_protocol_version(Protocol_Version version) const
virtual size_t remove(const Session_Handle &handle)=0
virtual void store(const Session &session, const Session_Handle &handle)=0
Save a Session under a Session_Handle (TLS Client)
virtual std::vector< Session_with_Handle > find(const Server_Information &info, Callbacks &callbacks, const Policy &policy)
Find all sessions that match a given server info.
int(* final)(unsigned char *, CTX *)
bool value_exists(const std::vector< T > &vec, const OT &val)
std::vector< T, secure_allocator< T > > secure_vector