Botan 3.12.0
Crypto and TLS for C&
tls_client_impl_12.cpp
Go to the documentation of this file.
1/*
2* TLS Client
3* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4* 2016 Matthias Gierlings
5* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/tls_client_impl_12.h>
11
12#include <botan/ocsp.h>
13#include <botan/tls_callbacks.h>
14#include <botan/tls_messages_12.h>
15#include <botan/tls_policy.h>
16#include <botan/internal/stl_util.h>
17#include <botan/internal/tls_handshake_state.h>
18#include <algorithm>
19#include <optional>
20#include <sstream>
21#include <utility>
22
23namespace Botan::TLS {
24
25namespace {
26
27class Client_Handshake_State_12 final : public Handshake_State {
28 public:
29 Client_Handshake_State_12(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
30 Handshake_State(std::move(io), cb), m_is_reneg(false) {}
31
32 const Public_Key& server_public_key() const {
33 BOTAN_ASSERT(m_server_public_key, "Server sent us a certificate");
34 return *m_server_public_key;
35 }
36
37 const Public_Key* maybe_server_public_key() const { return m_server_public_key.get(); }
38
39 void record_server_public_key(std::unique_ptr<Public_Key> spk) {
40 BOTAN_STATE_CHECK(!m_server_public_key);
41 m_server_public_key = std::move(spk);
42 }
43
44 bool is_a_resumption() const { return m_resumed_session.has_value(); }
45
46 void discard_resumption_state() { m_resumed_session.reset(); }
47
48 void record_resumption_info(std::optional<Session> session_info) {
49 BOTAN_STATE_CHECK(!m_resumed_session.has_value());
50 m_resumed_session = std::move(session_info);
51 }
52
53 bool is_a_renegotiation() const { return m_is_reneg; }
54
55 void mark_as_renegotiation() { m_is_reneg = true; }
56
57 const secure_vector<uint8_t>& resume_master_secret() const {
58 BOTAN_STATE_CHECK(is_a_resumption());
59 return m_resumed_session->master_secret();
60 }
61
62 const std::vector<X509_Certificate>& resume_peer_certs() const {
63 BOTAN_STATE_CHECK(is_a_resumption());
64 return m_resumed_session->peer_certs();
65 }
66
67 bool resumed_session_supports_extended_master_secret() const {
68 BOTAN_STATE_CHECK(is_a_resumption());
69 return m_resumed_session->supports_extended_master_secret();
70 }
71
72 uint16_t resumed_session_ciphersuite_code() const {
73 BOTAN_STATE_CHECK(is_a_resumption());
74 return m_resumed_session->ciphersuite_code();
75 }
76
77 std::vector<X509_Certificate> peer_cert_chain() const override {
78 if(is_a_resumption()) {
79 return resume_peer_certs();
80 }
81 if(server_certs() != nullptr) {
82 return server_certs()->cert_chain();
83 }
84 return {};
85 }
86
87 private:
88 std::unique_ptr<Public_Key> m_server_public_key;
89
90 // Used during session resumption
91 std::optional<Session> m_resumed_session;
92 bool m_is_reneg = false;
93};
94
95} // namespace
96
97/*
98* TLS 1.2 Client Constructor
99*/
100Client_Impl_12::Client_Impl_12(const std::shared_ptr<Callbacks>& callbacks,
101 const std::shared_ptr<Session_Manager>& session_manager,
102 const std::shared_ptr<Credentials_Manager>& creds,
103 const std::shared_ptr<const Policy>& policy,
104 const std::shared_ptr<RandomNumberGenerator>& rng,
105 Server_Information info,
106 bool datagram,
107 const std::vector<std::string>& next_protocols,
108 size_t io_buf_sz) :
109 Channel_Impl_12(callbacks, session_manager, rng, policy, false, datagram, io_buf_sz),
110 m_creds(creds),
111 m_info(std::move(info)) {
112 BOTAN_ASSERT_NONNULL(m_creds);
113 const auto version = datagram ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
114 Handshake_State& state = create_handshake_state(version);
115 send_client_hello(state, false, version, std::nullopt /* no a-priori session to resume */, next_protocols);
116}
117
118Client_Impl_12::Client_Impl_12(const Channel_Impl::Downgrade_Information& downgrade_info) :
119 Channel_Impl_12(downgrade_info.callbacks,
120 downgrade_info.session_manager,
121 downgrade_info.rng,
122 downgrade_info.policy,
123 false /* is_server */,
124 false /* datagram -- not supported by Botan in TLS 1.3 */,
125 downgrade_info.io_buffer_size),
126 m_creds(downgrade_info.creds),
127 m_info(downgrade_info.server_info) {
128 Handshake_State& state = create_handshake_state(Protocol_Version::TLS_V12);
129
130 if(!downgrade_info.client_hello_message.empty()) {
131 // Downgrade detected after receiving a TLS 1.2 server hello. We need to
132 // recreate the state as if this implementation issued the client hello.
133 const std::vector<uint8_t> client_hello_msg(
134 downgrade_info.client_hello_message.begin() + 4 /* handshake header length */,
135 downgrade_info.client_hello_message.end());
136
137 state.client_hello(std::make_unique<Client_Hello_12>(client_hello_msg));
138 state.hash().update(downgrade_info.client_hello_message);
139
140 secure_renegotiation_check(state.client_hello());
141 state.set_expected_next(Handshake_Type::ServerHello);
142 } else {
143 // Downgrade initiated after a TLS 1.2 session was found. No communication
144 // has happened yet but the found session should be used for resumption.
145 BOTAN_ASSERT_NOMSG(downgrade_info.tls12_session.has_value() &&
146 downgrade_info.tls12_session->session.version().is_pre_tls_13());
147 send_client_hello(state,
148 false,
149 downgrade_info.tls12_session->session.version(),
150 downgrade_info.tls12_session,
151 downgrade_info.next_protocols);
152 }
153}
154
155std::unique_ptr<Handshake_State> Client_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
156 return std::make_unique<Client_Handshake_State_12>(std::move(io), callbacks());
157}
158
159/*
160* Send a new client hello to renegotiate
161*/
162void Client_Impl_12::initiate_handshake(Handshake_State& state, bool force_full_renegotiation) {
163 // we don't support TLS < 1.2 anymore and TLS 1.3 should not use this client impl
164 const auto version = state.version().is_datagram_protocol() ? Protocol_Version::DTLS_V12 : Protocol_Version::TLS_V12;
165 send_client_hello(state, force_full_renegotiation, version);
166}
167
168void Client_Impl_12::send_client_hello(Handshake_State& state_base,
169 bool force_full_renegotiation,
170 Protocol_Version version,
171 std::optional<Session_with_Handle> session_and_handle,
172 const std::vector<std::string>& next_protocols) {
173 Client_Handshake_State_12& state = dynamic_cast<Client_Handshake_State_12&>(state_base);
174
175 if(state.version().is_datagram_protocol()) {
176 state.set_expected_next(Handshake_Type::HelloVerifyRequest); // optional
177 }
178 state.set_expected_next(Handshake_Type::ServerHello);
179
180 if(!force_full_renegotiation) {
181 // if no session is provided, we need to try and find one opportunistically
182 if(!session_and_handle.has_value() && !m_info.empty()) {
183 if(auto sessions = session_manager().find(m_info, callbacks(), policy()); !sessions.empty()) {
184 session_and_handle = std::move(sessions.front());
185 }
186 }
187
188 if(session_and_handle.has_value()) {
189 /*
190 Ensure that the session protocol cipher and version are acceptable
191 If not skip the resume and establish a new session
192 */
193 auto& session_info = session_and_handle->session;
194 const bool exact_version = session_info.version() == version;
195 const bool ok_version = (session_info.version().is_datagram_protocol() == version.is_datagram_protocol()) &&
196 policy().acceptable_protocol_version(session_info.version());
197
198 const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
199
200 if(policy().acceptable_ciphersuite(session_info.ciphersuite()) && session_version_ok) {
201 state.client_hello(std::make_unique<Client_Hello_12>(state.handshake_io(),
202 state.hash(),
203 policy(),
204 callbacks(),
205 rng(),
206 secure_renegotiation_data_for_client_hello(),
207 session_and_handle.value(),
208 next_protocols));
209
210 state.record_resumption_info(std::move(session_info));
211 }
212 }
213 }
214
215 if(state.client_hello() == nullptr) {
216 // not resuming
217 const Client_Hello_12::Settings client_settings(version, m_info.hostname());
218 state.client_hello(std::make_unique<Client_Hello_12>(state.handshake_io(),
219 state.hash(),
220 policy(),
221 callbacks(),
222 rng(),
223 secure_renegotiation_data_for_client_hello(),
224 client_settings,
225 next_protocols));
226 }
227
228 secure_renegotiation_check(state.client_hello());
229}
230
231namespace {
232
233bool key_usage_matches_ciphersuite(Key_Constraints usage, const Ciphersuite& suite) {
234 if(usage == Key_Constraints::None) {
235 return true; // anything goes ...
236 }
237
238 if(suite.kex_method() == Kex_Algo::STATIC_RSA) {
239 return usage.includes_any(Key_Constraints::KeyEncipherment, Key_Constraints::DataEncipherment);
240 } else {
241 return usage.includes_any(Key_Constraints::DigitalSignature, Key_Constraints::NonRepudiation);
242 }
243}
244
245} // namespace
246
247/*
248* Process a handshake message
249*/
250void Client_Impl_12::process_handshake_msg(Handshake_State& state_base,
251 Handshake_Type type,
252 const std::vector<uint8_t>& contents,
253 bool epoch0_restart) {
254 BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
255
256 Client_Handshake_State_12& state = dynamic_cast<Client_Handshake_State_12&>(state_base);
257
258 if(type == Handshake_Type::HelloRequest && active_state().has_value()) {
259 const Hello_Request hello_request(contents);
260
261 if(state.client_hello() != nullptr) {
262 throw TLS_Exception(Alert::HandshakeFailure, "Cannot renegotiate during a handshake");
263 }
264
265 if(policy().allow_server_initiated_renegotiation()) {
266 if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation()) {
267 state.mark_as_renegotiation();
268 initiate_handshake(state, true /* force_full_renegotiation */);
269 } else {
270 throw TLS_Exception(Alert::HandshakeFailure, "Client policy prohibits insecure renegotiation");
271 }
272 } else {
273 if(policy().abort_connection_on_undesired_renegotiation()) {
274 throw TLS_Exception(Alert::NoRenegotiation, "Client policy prohibits renegotiation");
275 } else {
276 // RFC 5746 section 4.2
277 send_warning_alert(Alert::NoRenegotiation);
278 }
279 }
280
281 return;
282 }
283
284 state.confirm_transition_to(type);
285
286 if(type != Handshake_Type::HandshakeCCS && type != Handshake_Type::Finished &&
287 type != Handshake_Type::HelloVerifyRequest) {
288 state.hash().update(state.handshake_io().format(contents, type));
289 }
290
291 if(type == Handshake_Type::HelloVerifyRequest) {
292 state.set_expected_next(Handshake_Type::ServerHello);
293 state.set_expected_next(Handshake_Type::HelloVerifyRequest); // might get it again
294
295 const Hello_Verify_Request hello_verify_request(contents);
296 state.hello_verify_request(hello_verify_request);
297 } else if(type == Handshake_Type::ServerHello) {
298 state.server_hello(std::make_unique<Server_Hello_12>(contents));
299
300 if(!state.server_hello()->legacy_version().valid()) {
301 throw TLS_Exception(Alert::ProtocolVersion, "Server replied with an invalid version");
302 }
303
304 if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite())) {
305 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with ciphersuite we didn't send");
306 }
307
308 const auto suite = Ciphersuite::by_id(state.server_hello()->ciphersuite());
309 if(!suite || !suite->usable_in_version(state.server_hello()->legacy_version())) {
310 throw TLS_Exception(Alert::HandshakeFailure,
311 "Server replied using a ciphersuite not allowed in version it offered");
312 }
313
314 // RFC 7366 3.:
315 // If a server receives an encrypt-then-MAC request extension from a client
316 // and then selects a stream or Authenticated Encryption with Associated
317 // Data (AEAD) ciphersuite, it MUST NOT send an encrypt-then-MAC
318 // response extension back to the client.
319 if(suite->aead_ciphersuite() && state.server_hello()->supports_encrypt_then_mac()) {
320 throw TLS_Exception(Alert::IllegalParameter,
321 "Server replied using an AEAD ciphersuite and an encrypt-then-MAC response extension");
322 }
323
324 if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite())) {
325 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with a signaling ciphersuite");
326 }
327
328 if(state.server_hello()->compression_method() != 0) {
329 throw TLS_Exception(Alert::IllegalParameter, "Server replied with non-null compression method");
330 }
331
332 if(state.client_hello()->legacy_version() > state.server_hello()->legacy_version()) {
333 // check for downgrade attacks
334 //
335 // RFC 8446 4.1.3.:
336 // TLS 1.2 clients SHOULD also check that the last 8 bytes are
337 // not equal to the [magic value DOWNGRADE_TLS11] if the ServerHello
338 // indicates TLS 1.1 or below. If a match is found, the client MUST
339 // abort the handshake with an "illegal_parameter" alert.
340 //
341 // TLS 1.3 servers will still set the magic string to DOWNGRADE_TLS12. Don't abort in this case.
342 if(auto requested = state.server_hello()->random_signals_downgrade();
343 requested.has_value() && requested.value() <= Protocol_Version::TLS_V11) {
344 throw TLS_Exception(Alert::IllegalParameter, "Downgrade attack detected");
345 }
346 }
347
348 auto client_extn = state.client_hello()->extension_types();
349 auto server_extn = state.server_hello()->extension_types();
350
351 std::vector<Extension_Code> diff;
352
353 std::set_difference(
354 server_extn.begin(), server_extn.end(), client_extn.begin(), client_extn.end(), std::back_inserter(diff));
355
356 if(!diff.empty()) {
357 // Server sent us back an extension we did not send!
358
359 std::ostringstream msg;
360 msg << "Server replied with unsupported extensions:";
361 for(auto&& d : diff) {
362 msg << " " << static_cast<int>(d);
363 }
364 throw TLS_Exception(Alert::UnsupportedExtension, msg.str());
365 }
366
367 if(const uint16_t srtp = state.server_hello()->srtp_profile()) {
368 if(!value_exists(state.client_hello()->srtp_profiles(), srtp)) {
369 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with DTLS-SRTP alg we did not send");
370 }
371 }
372
373 callbacks().tls_examine_extensions(
374 state.server_hello()->extensions(), Connection_Side::Server, Handshake_Type::ServerHello);
375
376 state.set_version(state.server_hello()->legacy_version());
377
378 if(state.server_hello()->extensions().has<Application_Layer_Protocol_Notification>()) {
379 const auto* server_alpn = state.server_hello()->extensions().get<Application_Layer_Protocol_Notification>();
380 const auto selected = server_alpn->single_protocol();
381 const auto* client_alpn = state.client_hello()->extensions().get<Application_Layer_Protocol_Notification>();
382 BOTAN_ASSERT_NONNULL(client_alpn);
383 const auto& offered = client_alpn->protocols();
384 if(!value_exists(offered, selected)) {
385 throw TLS_Exception(Alert::IllegalParameter, "Server selected an ALPN protocol not offered by the client");
386 }
387 }
388 m_application_protocol = state.server_hello()->next_protocol();
389
390 secure_renegotiation_check(state.server_hello());
391
392 // RFC 7627 / RFC 9325 4.4: optionally require Extended Master Secret.
393 if(policy().require_extended_master_secret() && !state.server_hello()->supports_extended_master_secret()) {
394 throw TLS_Exception(Alert::HandshakeFailure,
395 "Policy requires the Extended Master Secret extension but the server did not send it");
396 }
397
398 const bool server_returned_same_session_id =
399 !state.server_hello()->session_id().empty() &&
400 (state.server_hello()->session_id() == state.client_hello()->session_id());
401
402 if(server_returned_same_session_id) {
403 // successful resumption
404 BOTAN_ASSERT_NOMSG(state.is_a_resumption());
405
406 /*
407 * In this case, we offered the version used in the original
408 * session, and the server must resume with the same version.
409 */
410 if(state.server_hello()->legacy_version() != state.client_hello()->legacy_version()) {
411 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session but with wrong version");
412 }
413
414 // RFC 5246 7.4.1.2: when resuming a session, the server MUST use
415 // the same cipher suite that was negotiated in the original session.
416 if(state.server_hello()->ciphersuite() != state.resumed_session_ciphersuite_code()) {
417 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session with a different ciphersuite");
418 }
419
420 if(state.server_hello()->supports_extended_master_secret() &&
421 !state.resumed_session_supports_extended_master_secret()) {
422 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session but added extended master secret");
423 }
424
425 if(!state.server_hello()->supports_extended_master_secret() &&
426 state.resumed_session_supports_extended_master_secret()) {
427 throw TLS_Exception(Alert::HandshakeFailure, "Server resumed session and removed extended master secret");
428 }
429
430 state.compute_session_keys(state.resume_master_secret());
431 if(policy().allow_ssl_key_log_file()) {
432 // draft-thomson-tls-keylogfile-00 Section 3.2
433 // An implementation of TLS 1.2 (and also earlier versions) use
434 // the label "CLIENT_RANDOM" to identify the "master" secret for
435 // the connection.
436 callbacks().tls_ssl_key_log_data(
437 "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret());
438 }
439
440 if(state.server_hello()->supports_session_ticket()) {
441 state.set_expected_next(Handshake_Type::NewSessionTicket);
442 } else {
443 state.set_expected_next(Handshake_Type::HandshakeCCS);
444 }
445 } else {
446 // new session
447
448 if(active_state().has_value()) {
449 // Here we are testing things that should not change during a renegotiation,
450 // even if the server creates a new session. However they might change
451 // in a resumption scenario.
452
453 if(active_state()->version() != state.server_hello()->legacy_version()) {
454 throw TLS_Exception(Alert::ProtocolVersion, "Server changed version after renegotiation");
455 }
456
457 if(state.server_hello()->supports_extended_master_secret() !=
458 active_state()->supports_extended_master_secret()) {
459 throw TLS_Exception(Alert::HandshakeFailure, "Server changed its mind about extended master secret");
460 }
461 }
462
463 state.discard_resumption_state();
464
465 if(state.client_hello()->legacy_version().is_datagram_protocol() !=
466 state.server_hello()->legacy_version().is_datagram_protocol()) {
467 throw TLS_Exception(Alert::ProtocolVersion, "Server replied with different protocol type than we offered");
468 }
469
470 if(state.version() > state.client_hello()->legacy_version()) {
471 throw TLS_Exception(Alert::HandshakeFailure, "Server replied with later version than client offered");
472 }
473
474 if(state.version().major_version() == 3 && state.version().minor_version() == 0) {
475 throw TLS_Exception(Alert::ProtocolVersion, "Server attempting to negotiate SSLv3 which is not supported");
476 }
477
478 if(!policy().acceptable_protocol_version(state.version())) {
479 throw TLS_Exception(Alert::ProtocolVersion,
480 "Server version " + state.version().to_string() + " is unacceptable by policy");
481 }
482
483 if(state.ciphersuite().is_certificate_required()) {
484 state.set_expected_next(Handshake_Type::Certificate);
485 } else if(state.ciphersuite().kex_method() == Kex_Algo::PSK) {
486 /* PSK is anonymous so no certificate/cert req message is
487 ever sent. The server may or may not send a server kex,
488 depending on if it has an identity hint for us.
489
490 (EC)DHE_PSK always sends a server key exchange for the
491 DH exchange portion, and is covered by block below
492 */
493
494 state.set_expected_next(Handshake_Type::ServerKeyExchange);
495 state.set_expected_next(Handshake_Type::ServerHelloDone);
496 } else {
497 // ECDHE_PSK ServerKeyExchange carries the ECDH parameters and
498 // immediately follows ServerHello.
499 //
500 // Suites using RSA key exchange or signature-authenticated ECDH
501 // were already routed to expect Certificate above.
502 state.set_expected_next(Handshake_Type::ServerKeyExchange);
503 }
504 }
505 } else if(type == Handshake_Type::Certificate) {
506 state.server_certs(std::make_unique<Certificate_12>(contents, policy()));
507
508 const std::vector<X509_Certificate>& server_certs = state.server_certs()->cert_chain();
509
510 if(server_certs.empty()) {
511 throw TLS_Exception(Alert::HandshakeFailure, "Client: No certificates sent by server");
512 }
513
514 /*
515 If the server supports certificate status messages,
516 certificate verification happens after we receive the server hello done,
517 in case an OCSP response was also available
518 */
519
520 const X509_Certificate server_cert = server_certs[0];
521
522 if(active_state().has_value() && !active_state()->peer_certs().empty()) {
523 const X509_Certificate& current_cert = active_state()->peer_certs().at(0);
524
525 if(current_cert != server_cert) {
526 throw TLS_Exception(Alert::BadCertificate, "Server certificate changed during renegotiation");
527 }
528 }
529
530 auto peer_key = server_cert.subject_public_key();
531
532 const std::string expected_key_type =
533 state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
534
535 if(peer_key->algo_name() != expected_key_type) {
536 throw TLS_Exception(Alert::IllegalParameter, "Certificate key type did not match ciphersuite");
537 }
538
539 if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite())) {
540 throw TLS_Exception(Alert::BadCertificate, "Certificate usage constraints do not allow this ciphersuite");
541 }
542
543 state.record_server_public_key(std::move(peer_key));
544
545 if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) {
546 state.set_expected_next(Handshake_Type::ServerKeyExchange);
547 } else {
548 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
549 state.set_expected_next(Handshake_Type::ServerHelloDone);
550 }
551
552 if(state.server_hello()->supports_certificate_status_message()) {
553 state.set_expected_next(Handshake_Type::CertificateStatus); // optional
554 } else {
555 try {
556 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-client", m_info.hostname());
557
558 callbacks().tls_verify_cert_chain(
559 server_certs, {}, trusted_CAs, Usage_Type::TLS_SERVER_AUTH, m_info.hostname(), policy());
560 } catch(TLS_Exception&) {
561 throw;
562 } catch(std::exception& e) {
563 throw TLS_Exception(Alert::InternalError, e.what());
564 }
565 }
566 } else if(type == Handshake_Type::CertificateStatus) {
567 state.server_cert_status(std::make_unique<Certificate_Status>(contents, Connection_Side::Server));
568
569 if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA) {
570 state.set_expected_next(Handshake_Type::ServerKeyExchange);
571 } else {
572 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
573 state.set_expected_next(Handshake_Type::ServerHelloDone);
574 }
575 } else if(type == Handshake_Type::ServerKeyExchange) {
576 if(!state.ciphersuite().psk_ciphersuite()) {
577 state.set_expected_next(Handshake_Type::CertificateRequest); // optional
578 }
579 state.set_expected_next(Handshake_Type::ServerHelloDone);
580
581 state.server_kex(std::make_unique<Server_Key_Exchange>(
582 contents, state.ciphersuite().kex_method(), state.ciphersuite().auth_method(), state.version()));
583
584 if(state.ciphersuite().signature_used()) {
585 const Public_Key& server_key = state.server_public_key();
586
587 if(!state.server_kex()->verify(server_key, state, policy())) {
588 throw TLS_Exception(Alert::DecryptError, "Bad signature on server key exchange");
589 }
590 }
591 } else if(type == Handshake_Type::CertificateRequest) {
592 state.set_expected_next(Handshake_Type::ServerHelloDone);
593 state.cert_req(std::make_unique<Certificate_Request_12>(contents));
594 } else if(type == Handshake_Type::ServerHelloDone) {
595 state.server_hello_done(std::make_unique<Server_Hello_Done>(contents));
596
597 if(state.handshake_io().have_more_data()) {
598 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after ServerHelloDone");
599 }
600
601 if(state.server_certs() != nullptr && state.server_hello()->supports_certificate_status_message()) {
602 try {
603 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-client", m_info.hostname());
604
605 std::vector<std::optional<OCSP::Response>> ocsp;
606 if(state.server_cert_status() != nullptr) {
607 ocsp.emplace_back(callbacks().tls_parse_ocsp_response(state.server_cert_status()->response()));
608 }
609
610 callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
611 ocsp,
612 trusted_CAs,
613 Usage_Type::TLS_SERVER_AUTH,
614 m_info.hostname(),
615 policy());
616 } catch(TLS_Exception&) {
617 throw;
618 } catch(std::exception& e) {
619 throw TLS_Exception(Alert::InternalError, e.what());
620 }
621 }
622
623 if(state.received_handshake_msg(Handshake_Type::CertificateRequest)) {
624 const auto& types = state.cert_req()->acceptable_cert_types();
625
626 const std::vector<X509_Certificate> client_certs =
627 m_creds->find_cert_chain(types, {}, state.cert_req()->acceptable_CAs(), "tls-client", m_info.hostname());
628
629 state.client_certs(std::make_unique<Certificate_12>(state.handshake_io(), state.hash(), client_certs));
630 }
631
632 state.client_kex(std::make_unique<Client_Key_Exchange>(
633 state.handshake_io(), state, policy(), *m_creds, state.maybe_server_public_key(), m_info.hostname(), rng()));
634
635 state.compute_session_keys();
636 if(policy().allow_ssl_key_log_file()) {
637 // draft-thomson-tls-keylogfile-00 Section 3.2
638 // An implementation of TLS 1.2 (and also earlier versions) use
639 // the label "CLIENT_RANDOM" to identify the "master" secret for
640 // the connection.
641 callbacks().tls_ssl_key_log_data(
642 "CLIENT_RANDOM", state.client_hello()->random(), state.session_keys().master_secret());
643 }
644
645 if(state.received_handshake_msg(Handshake_Type::CertificateRequest) && !state.client_certs()->empty()) {
646 auto private_key =
647 m_creds->private_key_for(state.client_certs()->cert_chain()[0], "tls-client", m_info.hostname());
648
649 if(!private_key) {
650 throw TLS_Exception(Alert::InternalError, "Failed to get private key for signing");
651 }
652
653 state.client_verify(
654 std::make_unique<Certificate_Verify_12>(state.handshake_io(), state, policy(), rng(), private_key.get()));
655 }
656
657 state.handshake_io().send(Change_Cipher_Spec());
658
659 change_cipher_spec_writer(Connection_Side::Client);
660
661 state.client_finished(std::make_unique<Finished_12>(state.handshake_io(), state, Connection_Side::Client));
662
663 if(state.server_hello()->supports_session_ticket()) {
664 state.set_expected_next(Handshake_Type::NewSessionTicket);
665 } else {
666 state.set_expected_next(Handshake_Type::HandshakeCCS);
667 }
668 } else if(type == Handshake_Type::NewSessionTicket) {
669 state.new_session_ticket(std::make_unique<New_Session_Ticket_12>(contents));
670
671 state.set_expected_next(Handshake_Type::HandshakeCCS);
672 } else if(type == Handshake_Type::HandshakeCCS) {
673 state.set_expected_next(Handshake_Type::Finished);
674
675 change_cipher_spec_reader(Connection_Side::Client);
676 } else if(type == Handshake_Type::Finished) {
677 if(state.handshake_io().have_more_data()) {
678 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after Finished");
679 }
680
681 state.server_finished(std::make_unique<Finished_12>(contents));
682
683 if(!state.server_finished()->verify(state, Connection_Side::Server)) {
684 throw TLS_Exception(Alert::DecryptError, "Finished message didn't verify");
685 }
686
687 state.hash().update(state.handshake_io().format(contents, type));
688
689 if(state.client_finished() == nullptr) {
690 // session resume case
691 state.handshake_io().send(Change_Cipher_Spec());
692 change_cipher_spec_writer(Connection_Side::Client);
693 state.client_finished(std::make_unique<Finished_12>(state.handshake_io(), state, Connection_Side::Client));
694 }
695
696 // Session Tickets (as defined in RFC 5077) contain a lifetime_hint,
697 // sessions identified via a Session_ID do not.
698 const std::chrono::seconds session_lifetime_hint = [&] {
699 if(state.new_session_ticket() != nullptr) {
700 return std::chrono::seconds(state.new_session_ticket()->ticket_lifetime_hint());
701 } else {
702 return std::chrono::seconds::max();
703 }
704 }();
705
706 Session session_info(state.session_keys().master_secret(),
707 state.server_hello()->legacy_version(),
708 state.server_hello()->ciphersuite(),
709 Connection_Side::Client,
710 state.server_hello()->supports_extended_master_secret(),
711 state.server_hello()->supports_encrypt_then_mac(),
712 state.peer_cert_chain(),
713 m_info,
714 state.server_hello()->srtp_profile(),
715 callbacks().tls_current_timestamp(),
716 session_lifetime_hint);
717
718 // RFC 5077 3.4
719 // If the client receives a session ticket from the server, then it
720 // discards any Session ID that was sent in the ServerHello.
721 const auto handle = [&]() -> std::optional<Session_Handle> {
722 /*
723 On successful resumption an empty (or absent) NewSessionTicket means "keep using
724 the old ticket" so we inherit it from the ClientHello. On a fresh negotiation
725 an empty NewSessionTicket means "no ticket for this session", so inheriting the
726 ClientHello's old ticket would store the new master secret under a ticket the
727 server has discarded.
728 */
729 if(const auto* nst = state.new_session_ticket(); nst != nullptr && !nst->ticket().empty()) {
730 return Session_Handle(nst->ticket());
731 }
732 if(state.is_a_resumption() && !state.client_hello()->session_ticket().empty()) {
733 return Session_Handle(state.client_hello()->session_ticket());
734 }
735 if(const auto& session_id = state.server_hello()->session_id(); !session_id.empty()) {
736 return Session_Handle(session_id);
737 }
738 return std::nullopt;
739 }();
740
741 // Give the application a chance for a final veto before fully
742 // establishing the connection.
743 callbacks().tls_session_established([&, this] {
744 Session_Summary summary(session_info, state.is_a_resumption(), external_psk_identity());
745 summary.set_session_id(state.server_hello()->session_id());
746 if(const auto* nst = state.new_session_ticket()) {
747 summary.set_session_ticket(nst->ticket());
748 }
749 return summary;
750 }());
751
752 if(handle.has_value()) {
753 const bool should_save = callbacks().tls_should_persist_resumption_information(session_info);
754
755 // RFC 5077 3.3
756 // If the server successfully verifies the client's ticket, then it
757 // MAY renew the ticket by including a NewSessionTicket handshake
758 // message after the ServerHello in the abbreviated handshake. The
759 // client should start using the new ticket as soon as possible
760 // after it verifies the server's Finished message for new
761 // connections.
762 if(state.is_a_resumption() && !state.client_hello()->session_ticket().empty() && handle->is_ticket() &&
763 should_save) {
764 // renew the session ticket by removing the one we used to establish
765 // this connection and replace it with the one we just received
766 session_manager().remove(Session_Handle(state.client_hello()->session_ticket()));
767 session_manager().store(session_info, handle.value());
768 }
769
770 if(!state.is_a_resumption()) {
771 if(should_save) {
772 session_manager().store(session_info, handle.value());
773 } else {
774 session_manager().remove(handle.value());
775 }
776 }
777 }
778
779 activate_session();
780 } else {
781 throw Unexpected_Message("Unknown handshake message received");
782 }
783}
784
785} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition pkix_enums.h:122
Botan::Key_Constraints::None
@ None
Definition pkix_enums.h:121
Botan::Key_Constraints::NonRepudiation
@ NonRepudiation
Definition pkix_enums.h:123
Botan::Key_Constraints::DataEncipherment
@ DataEncipherment
Definition pkix_enums.h:125
Botan::Key_Constraints::KeyEncipherment
@ KeyEncipherment
Definition pkix_enums.h:124
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition tls_callbacks.cpp:69
Botan::TLS::Callbacks::tls_session_established
virtual void tls_session_established(const Session_Summary &session)
Definition tls_callbacks.cpp:431
Botan::TLS::Callbacks::tls_should_persist_resumption_information
virtual bool tls_should_persist_resumption_information(const Session &session)
Definition tls_callbacks.cpp:73
Botan::TLS::Callbacks::tls_verify_cert_chain
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition tls_callbacks.cpp:88
Botan::TLS::Callbacks::tls_ssl_key_log_data
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
Definition tls_callbacks.cpp:453
Botan::TLS::Channel_Impl_12::rng
RandomNumberGenerator & rng()
Definition tls_channel_impl_12.h:179
Botan::TLS::Channel_Impl_12::activate_session
void activate_session()
Definition tls_channel_impl_12.cpp:266
Botan::TLS::Channel_Impl_12::change_cipher_spec_reader
void change_cipher_spec_reader(Connection_Side side)
Definition tls_channel_impl_12.cpp:202
Botan::TLS::Channel_Impl_12::create_handshake_state
Handshake_State & create_handshake_state(Protocol_Version version)
Definition tls_channel_impl_12.cpp:117
Botan::TLS::Channel_Impl_12::callbacks
Callbacks & callbacks() const
Definition tls_channel_impl_12.h:185
Botan::TLS::Channel_Impl_12::secure_renegotiation_check
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Definition tls_channel_impl_12.cpp:588
Botan::TLS::Channel_Impl_12::session_manager
Session_Manager & session_manager()
Definition tls_channel_impl_12.h:181
Botan::TLS::Channel_Impl_12::policy
const Policy & policy() const
Definition tls_channel_impl_12.h:183
Botan::TLS::Channel_Impl_12::change_cipher_spec_writer
void change_cipher_spec_writer(Connection_Side side)
Definition tls_channel_impl_12.cpp:229
Botan::TLS::Channel_Impl_12::secure_renegotiation_data_for_client_hello
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
Definition tls_channel_impl_12.cpp:624
Botan::TLS::Channel_Impl_12::Channel_Impl_12
Channel_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< RandomNumberGenerator > &rng, const std::shared_ptr< const Policy > &policy, bool is_server, bool is_datagram, size_t io_buf_sz=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_channel_impl_12.cpp:27
Botan::TLS::Channel_Impl_12::active_state
const std::optional< Active_Connection_State_12 > & active_state() const
Definition tls_channel_impl_12.h:153
Botan::TLS::Channel_Impl_12::external_psk_identity
std::optional< std::string > external_psk_identity() const override
Definition tls_channel_impl_12.cpp:107
Botan::TLS::Channel_Impl_12::secure_renegotiation_supported
bool secure_renegotiation_supported() const override
Definition tls_channel_impl_12.cpp:639
Botan::TLS::Channel_Impl::send_warning_alert
void send_warning_alert(Alert::Type type)
Definition tls_channel_impl.h:66
Botan::TLS::Ciphersuite::is_scsv
static bool is_scsv(uint16_t suite)
Definition tls_ciphersuite.cpp:46
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition tls_ciphersuite.cpp:111
Botan::TLS::Client_Impl_12::Client_Impl_12
Client_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, Server_Information server_info=Server_Information(), bool datagram=false, const std::vector< std::string > &next_protocols={}, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_client_impl_12.cpp:100
Botan::TLS::Handshake_Hash::update
void update(const uint8_t in[], size_t length)
Definition tls_handshake_hash.h:21
Botan::TLS::Handshake_State
Definition tls_handshake_state.h:61
Botan::TLS::Handshake_State::client_hello
void client_hello(std::unique_ptr< Client_Hello_12 > client_hello)
Definition tls_handshake_state.cpp:47
Botan::TLS::Handshake_State::set_expected_next
void set_expected_next(Handshake_Type msg_type)
Definition tls_handshake_state.cpp:168
Botan::TLS::Handshake_State::hash
Handshake_Hash & hash()
Definition tls_handshake_state.h:177
Botan::TLS::Policy::only_resume_with_exact_version
virtual bool only_resume_with_exact_version() const
Definition tls_policy.cpp:442
Botan::TLS::Policy::acceptable_protocol_version
virtual bool acceptable_protocol_version(Protocol_Version version) const
Definition tls_policy.cpp:323
Botan::TLS::Server_Information
Definition tls_server_info.h:19
Botan::TLS::Session_Manager::remove
virtual size_t remove(const Session_Handle &handle)=0
Botan::TLS::Session_Manager::store
virtual void store(const Session &session, const Session_Handle &handle)=0
Save a Session under a Session_Handle (TLS Client).
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const V &val)
Definition stl_util.h:44
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:68
Botan::TLS::Channel_Impl::Downgrade_Information
Definition tls_channel_impl.h:197
Botan::TLS::Channel_Impl::Downgrade_Information::next_protocols
std::vector< std::string > next_protocols
Definition tls_channel_impl.h:209
Botan::TLS::Channel_Impl::Downgrade_Information::client_hello_message
std::vector< uint8_t > client_hello_message
The client hello message including the handshake header bytes as transferred to the peer.
Definition tls_channel_impl.h:199
Botan::TLS::Channel_Impl::Downgrade_Information::tls12_session
std::optional< Session_with_Handle > tls12_session
Definition tls_channel_impl.h:206
Generated by doxygen 1.16.1