Botan 3.12.0
Crypto and TLS for C&
tls_client_impl_13.cpp
Go to the documentation of this file.
1/*
2* TLS Client - implementation for TLS 1.3
3* (C) 2022 Jack Lloyd
4* 2021 Elektrobit Automotive GmbH
5* 2022 Hannes Rantzsch, René Meusel - neXenio GmbH
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/internal/tls_client_impl_13.h>
11
12#include <botan/credentials_manager.h>
13#include <botan/tls_callbacks.h>
14#include <botan/tls_extensions_13.h>
15#include <botan/tls_messages_13.h>
16#include <botan/tls_policy.h>
17#include <botan/x509cert.h>
18#include <botan/internal/stl_util.h>
19#include <botan/internal/tls_channel_impl_13.h>
20#include <botan/internal/tls_cipher_state.h>
21
22#include <utility>
23
24namespace Botan::TLS {
25
26Client_Impl_13::Client_Impl_13(const std::shared_ptr<Callbacks>& callbacks,
27 const std::shared_ptr<Session_Manager>& session_manager,
28 const std::shared_ptr<Credentials_Manager>& creds,
29 const std::shared_ptr<const Policy>& policy,
30 const std::shared_ptr<RandomNumberGenerator>& rng,
31 Server_Information info,
32 const std::vector<std::string>& next_protocols) :
33 Channel_Impl_13(callbacks, session_manager, creds, rng, policy, false /* is_server */),
34 m_info(std::move(info)),
35 m_handshake(std::make_unique<Pending_Handshake>()) {
36#if defined(BOTAN_HAS_TLS_12)
37 if(policy->allow_tls12()) {
38 expect_downgrade(m_info, next_protocols);
39 }
40#endif
41
42 if(auto session = find_session_for_resumption()) {
43 if(!session->session.version().is_pre_tls_13()) {
44 m_handshake->resumed_session = std::move(session);
45 } else if(expects_downgrade()) {
46 // If we found a session that was created with TLS 1.2, we downgrade
47 // the implementation right away, before even issuing a Client Hello.
48 request_downgrade_for_resumption(std::move(session.value()));
49 return;
50 }
51 }
52
53 auto msg = send_handshake_message(m_handshake->state.sending(
54 Client_Hello_13(*policy,
55 *callbacks,
56 *rng,
57 m_info.hostname(),
58 next_protocols,
59 m_handshake->resumed_session,
60 creds->find_preshared_keys(m_info.hostname(), Connection_Side::Client))));
61
62 if(expects_downgrade()) {
63 preserve_client_hello(msg);
64 }
65
66 // RFC 8446 Appendix D.4
67 // If not offering early data, the client sends a dummy change_cipher_spec
68 // record [...] immediately before its second flight. This may either be before
69 // its second ClientHello or before its encrypted handshake flight.
70 //
71 // TODO: don't schedule ccs here when early data is used
72 if(policy->tls_13_middlebox_compatibility_mode()) {
73 m_handshake->should_send_ccs = true;
74 }
75
76 m_handshake->transitions.set_expected_next({Handshake_Type::ServerHello, Handshake_Type::HelloRetryRequest});
77}
78
79void Client_Impl_13::process_handshake_msg(Handshake_Message_13 message) {
80 BOTAN_STATE_CHECK(m_handshake != nullptr);
81
82 std::visit(
83 [&](auto msg) {
84 // first verify that the message was expected by the state machine...
85 m_handshake->transitions.confirm_transition_to(msg.get().type());
86
87 // ... then allow the library user to abort on their discretion
88 callbacks().tls_inspect_handshake_msg(msg.get());
89
90 // ... finally handle the message
91 handle(msg.get());
92 },
93 m_handshake->state.received(std::move(message)));
94}
95
96void Client_Impl_13::process_post_handshake_msg(Post_Handshake_Message_13 message) {
97 BOTAN_STATE_CHECK(is_handshake_complete());
98
99 const auto msg = specialize_to<Server_Post_Handshake_13_Message>(std::move(message));
100 if(!msg) {
101 throw TLS_Exception(Alert::UnexpectedMessage, "received an unexpected post-handshake message");
102 }
103
104 std::visit([&](auto&& m) { handle(m); }, *msg);
105}
106
107void Client_Impl_13::process_dummy_change_cipher_spec() {
108 // RFC 8446 5.
109 // If an implementation detects a change_cipher_spec record received before
110 // the first ClientHello message or after the peer's Finished message, it MUST be
111 // treated as an unexpected record type [("unexpected_message" alert)].
112 if(!m_handshake || !m_handshake->state.has_client_hello() || m_handshake->state.has_server_finished()) {
113 throw TLS_Exception(Alert::UnexpectedMessage, "Received an unexpected dummy Change Cipher Spec");
114 }
115
116 // RFC 8446 5.
117 // An implementation may receive an unencrypted record of type change_cipher_spec [...]
118 // at any time after the first ClientHello message has been sent or received
119 // and before the peer's Finished message has been received [...]
120 // and MUST simply drop it without further processing.
121 //
122 // ... no further processing.
123}
124
125bool Client_Impl_13::is_handshake_complete() const {
126 return m_active_state.has_value();
127}
128
129std::optional<Session_with_Handle> Client_Impl_13::find_session_for_resumption() {
130 // RFC 8446 4.6.1
131 // Clients MUST only resume if the new SNI value is valid for the
132 // server certificate presented in the original session and SHOULD only
133 // resume if the SNI value matches the one used in the original session.
134 //
135 // Below we search sessions based on their SNI value. Assuming that a
136 // 3rd party session manager does not lie to the implementation, we don't
137 // explicitly re-check that the SNI values match.
138 //
139 // Also, the default implementation did verify that very same SNI information
140 // against the server's certificate (via Callbacks::tls_verify_cert_chain())
141 // before storing it in the session.
142 //
143 // We therefore assume that the session returned by the `Session_Manager` is
144 // suitable for resumption in this context.
145 auto sessions = session_manager().find(m_info, callbacks(), policy());
146 if(sessions.empty()) {
147 return std::nullopt;
148 }
149
150 // TODO: TLS 1.3 allows sending more than one ticket (for resumption) in a
151 // Client Hello. Currently, we do not support that. The Session_Manager
152 // does imply otherwise with its API, though.
153 auto& session_to_resume = sessions.front();
154
155 return std::move(session_to_resume);
156}
157
158void Client_Impl_13::handle(const Server_Hello_12_Shim& server_hello_msg) {
159 BOTAN_ASSERT_NONNULL(m_handshake);
160
161 if(m_handshake->state.has_hello_retry_request()) {
162 throw TLS_Exception(Alert::UnexpectedMessage, "Version downgrade received after Hello Retry");
163 }
164
165 // RFC 8446 Appendix D.1
166 // If the version chosen by the server is not supported by the client
167 // (or is not acceptable), the client MUST abort the handshake with a
168 // "protocol_version" alert.
169 if(!expects_downgrade()) {
170 throw TLS_Exception(Alert::ProtocolVersion, "Received an unexpected legacy Server Hello");
171 }
172
173 // RFC 8446 4.1.3
174 // TLS 1.3 has a downgrade protection mechanism embedded in the server's
175 // random value. TLS 1.3 servers which negotiate TLS 1.2 or below in
176 // response to a ClientHello MUST set the last 8 bytes of their Random
177 // value specially in their ServerHello.
178 //
179 // TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below
180 // MUST check that the [downgrade indication is not set]. [...] If a match
181 // is found, the client MUST abort the handshake with an
182 // "illegal_parameter" alert.
183 if(server_hello_msg.random_signals_downgrade().has_value()) {
184 throw TLS_Exception(Alert::IllegalParameter, "Downgrade attack detected");
185 }
186
187 // RFC 8446 4.2.1
188 // A server which negotiates a version of TLS prior to TLS 1.3 [...]
189 // MUST NOT send the "supported_versions" extension.
190 //
191 // Note that this condition should never happen, as the Server_Hello parsing
192 // code decides to create a Server_Hello_12 based on the absence of this extension.
193 if(server_hello_msg.extensions().has<Supported_Versions>()) {
194 throw TLS_Exception(Alert::IllegalParameter, "Unexpected extension received");
195 }
196
197 // RFC 8446 Appendix D.1
198 // If the version chosen by the server is not supported by the client
199 // (or is not acceptable), the client MUST abort the handshake with a
200 // "protocol_version" alert.
201 const auto& client_hello_exts = m_handshake->state.client_hello().extensions();
202 BOTAN_ASSERT_NOMSG(client_hello_exts.has<Supported_Versions>());
203 if(!client_hello_exts.get<Supported_Versions>()->supports(server_hello_msg.selected_version())) {
204 throw TLS_Exception(Alert::ProtocolVersion, "Protocol version was not offered");
205 }
206
207 if(policy().tls_13_middlebox_compatibility_mode() &&
208 m_handshake->state.client_hello().session_id() == server_hello_msg.session_id()) {
209 // In compatibility mode, the server will reflect the session ID we sent in the client hello.
210 // However, a TLS 1.2 server that wants to downgrade cannot have found the random session ID
211 // we sent. Therefore, we have to consider this as an attack.
212 // (Thanks BoGo test EchoTLS13CompatibilitySessionID!)
213 throw TLS_Exception(Alert::IllegalParameter, "Unexpected session ID during downgrade");
214 }
215
216 request_downgrade();
217
218 // After this, no further messages are expected here because this instance will be replaced
219 // by a Client_Impl_12.
220 m_handshake->transitions.set_expected_next({});
221}
222
223namespace {
224// validate Server_Hello_13 and Hello_Retry_Request
225void validate_server_hello_ish(const Client_Hello_13& ch, const Server_Hello_13& sh) {
226 // RFC 8446 4.1.3
227 // A client which receives a legacy_session_id_echo field that does not match what
228 // it sent in the ClientHello MUST abort the handshake with an "illegal_parameter" alert.
229 if(ch.session_id() != sh.session_id()) {
230 throw TLS_Exception(Alert::IllegalParameter, "echoed session id did not match");
231 }
232
233 // RFC 8446 4.1.3
234 // A client which receives a cipher suite that was not offered MUST abort the handshake
235 // with an "illegal_parameter" alert.
236 if(!ch.offered_suite(sh.ciphersuite())) {
237 throw TLS_Exception(Alert::IllegalParameter, "Server replied with ciphersuite we didn't send");
238 }
239
240 // RFC 8446 4.2.1
241 // If the "supported_versions" extension in the ServerHello contains a
242 // version not offered by the client or contains a version prior to
243 // TLS 1.3, the client MUST abort the handshake with an "illegal_parameter" alert.
244 //
245 // Note: Server_Hello_13 parsing checks that its selected version is TLS 1.3
246 BOTAN_ASSERT_NOMSG(ch.extensions().has<Supported_Versions>());
247 if(!ch.extensions().get<Supported_Versions>()->supports(sh.selected_version())) {
248 throw TLS_Exception(Alert::IllegalParameter, "Protocol version was not offered");
249 }
250}
251} // namespace
252
253void Client_Impl_13::handle(const Server_Hello_13& sh) {
254 // Note: Basic checks (that do not require contextual information) were already
255 // performed during the construction of the Server_Hello_13 object.
256 BOTAN_ASSERT_NONNULL(m_handshake);
257
258 const auto& ch = m_handshake->state.client_hello();
259
260 validate_server_hello_ish(ch, sh);
261
262 // RFC 8446 4.1.3: TLS 1.3 servers downgrading to TLS 1.2 or below set
263 // the last 8 bytes of ServerHello.random to a magic value so the client
264 // can detect a stripped-supported_versions downgrade attack. The Shim
265 // path (Server_Hello_12_Shim) already enforces this; catch it here too
266 // as defense in depth in case a misbehaving server writes the sentinel
267 // into an actual TLS 1.3 ServerHello.
268 if(sh.random_signals_downgrade().has_value()) {
269 throw TLS_Exception(Alert::IllegalParameter, "Downgrade attack detected");
270 }
271
272 // RFC 8446 4.2
273 // Implementations MUST NOT send extension responses if the remote
274 // endpoint did not send the corresponding extension requests, [...]. Upon
275 // receiving such an extension, an endpoint MUST abort the handshake
276 // with an "unsupported_extension" alert.
277 if(sh.extensions().contains_other_than(ch.extensions().extension_types())) {
278 throw TLS_Exception(Alert::UnsupportedExtension, "Unsupported extension found in Server Hello");
279 }
280
281 if(m_handshake->state.has_hello_retry_request()) {
282 const auto& hrr = m_handshake->state.hello_retry_request();
283
284 // RFC 8446 4.1.4
285 // Upon receiving the ServerHello, clients MUST check that the cipher suite
286 // supplied in the ServerHello is the same as that in the HelloRetryRequest
287 // and otherwise abort the handshake with an "illegal_parameter" alert.
288 if(hrr.ciphersuite() != sh.ciphersuite()) {
289 throw TLS_Exception(Alert::IllegalParameter, "server changed its chosen ciphersuite");
290 }
291
292 // RFC 8446 4.1.4
293 // The value of selected_version in the HelloRetryRequest "supported_versions"
294 // extension MUST be retained in the ServerHello, and a client MUST abort the
295 // handshake with an "illegal_parameter" alert if the value changes.
296 if(hrr.selected_version() != sh.selected_version()) {
297 throw TLS_Exception(Alert::IllegalParameter, "server changed its chosen protocol version");
298 }
299 }
300
301 auto cipher = Ciphersuite::by_id(sh.ciphersuite());
302 BOTAN_ASSERT_NOMSG(cipher.has_value()); // should work, since we offered this suite
303
304 // RFC 8446 Appendix B.4
305 // Although TLS 1.3 uses the same cipher suite space as previous versions
306 // of TLS [...] cipher suites for TLS 1.2 and lower cannot be used with
307 // TLS 1.3.
308 if(!cipher->usable_in_version(Protocol_Version::TLS_V13)) {
309 throw TLS_Exception(Alert::IllegalParameter,
310 "Server replied using a ciphersuite not allowed in version it offered");
311 }
312
313 // RFC 8446 4.2.11
314 // Clients MUST verify that [...] a server "key_share" extension is present
315 // if required by the ClientHello "psk_key_exchange_modes" extension. If
316 // these values are not consistent, the client MUST abort the handshake
317 // with an "illegal_parameter" alert.
318 //
319 // Currently, we don't support PSK-only mode, hence a key share extension is
320 // considered mandatory.
321 //
322 // TODO: Implement PSK-only mode.
323 if(!sh.extensions().has<Key_Share>()) {
324 throw TLS_Exception(Alert::IllegalParameter, "Server Hello did not contain a key share extension");
325 }
326
327 auto* my_keyshare = ch.extensions().get<Key_Share>();
328 auto shared_secret = my_keyshare->decapsulate(*sh.extensions().get<Key_Share>(), policy(), callbacks(), rng());
329
330 m_transcript_hash.set_algorithm(cipher.value().prf_algo());
331
332 if(sh.extensions().has<PSK>()) {
333 std::tie(m_handshake->psk_identity, m_cipher_state) =
334 ch.extensions().get<PSK>()->take_selected_psk_info(*sh.extensions().get<PSK>(), cipher.value());
335
336 // If we offered a session for resumption *and* an externally provided PSK
337 // and the latter was chosen by the server over the offered resumption, we
338 // want to invalidate the now-outdated session in m_handshake->resumed_session.
339 if(m_handshake->psk_identity.has_value() && m_handshake->resumed_session.has_value()) {
340 m_handshake->resumed_session.reset();
341 }
342
343 // TODO: When implementing early data, `advance_with_client_hello` must
344 // happen _before_ encrypting any early application data.
345 // Same when we want to support early key export.
346 m_cipher_state->advance_with_client_hello(m_transcript_hash.previous(), *this);
347 m_cipher_state->advance_with_server_hello(
348 cipher.value(), std::move(shared_secret), m_transcript_hash.current(), *this);
349 } else {
350 m_handshake->resumed_session.reset(); // might have been set if we attempted a resumption
351 m_cipher_state = Cipher_State::init_with_server_hello(
352 m_side, std::move(shared_secret), cipher.value(), m_transcript_hash.current(), *this);
353 }
354
355 callbacks().tls_examine_extensions(sh.extensions(), Connection_Side::Server, Handshake_Type::ServerHello);
356
357 m_handshake->transitions.set_expected_next(Handshake_Type::EncryptedExtensions);
358}
359
360void Client_Impl_13::handle(const Hello_Retry_Request& hrr) {
361 // Note: Basic checks (that do not require contextual information) were already
362 // performed during the construction of the Hello_Retry_Request object as
363 // a subclass of Server_Hello_13.
364 BOTAN_ASSERT_NONNULL(m_handshake);
365
366 auto& ch = m_handshake->state.client_hello();
367
368 validate_server_hello_ish(ch, hrr);
369
370 // RFC 8446 4.1.4.
371 // A HelloRetryRequest MUST NOT contain any
372 // extensions that were not first offered by the client in its
373 // ClientHello, with the exception of optionally the "cookie".
374 auto allowed_exts = ch.extensions().extension_types();
375 allowed_exts.insert(Extension_Code::Cookie);
376 if(hrr.extensions().contains_other_than(allowed_exts)) {
377 throw TLS_Exception(Alert::UnsupportedExtension, "Unsupported extension found in Hello Retry Request");
378 }
379
380 auto cipher = Ciphersuite::by_id(hrr.ciphersuite());
381 BOTAN_ASSERT_NOMSG(cipher.has_value()); // should work, since we offered this suite
382
383 // RFC 8446 4.1.4 / Appendix B.4
384 // Similarly, cipher suites for TLS 1.2 and lower cannot be used with
385 // TLS 1.3.
386 if(!cipher->usable_in_version(Protocol_Version::TLS_V13)) {
387 throw TLS_Exception(Alert::IllegalParameter, "HelloRetryRequest selected a cipher suite not usable in TLS 1.3");
388 }
389
390 m_transcript_hash =
391 Transcript_Hash_State::recreate_after_hello_retry_request(cipher.value().prf_algo(), m_transcript_hash);
392
393 ch.retry(hrr, m_transcript_hash, callbacks(), rng());
394
395 callbacks().tls_examine_extensions(hrr.extensions(), Connection_Side::Server, Handshake_Type::HelloRetryRequest);
396
397 send_handshake_message(std::reference_wrapper(ch));
398
399 // RFC 8446 4.1.4
400 // If a client receives a second HelloRetryRequest in the same connection [...],
401 // it MUST abort the handshake with an "unexpected_message" alert.
402 m_handshake->transitions.set_expected_next(Handshake_Type::ServerHello);
403}
404
405void Client_Impl_13::handle(const Encrypted_Extensions& encrypted_extensions_msg) {
406 BOTAN_ASSERT_NONNULL(m_handshake);
407
408 const auto& exts = encrypted_extensions_msg.extensions();
409
410 // RFC 8446 4.2
411 // Implementations MUST NOT send extension responses if the remote
412 // endpoint did not send the corresponding extension requests, [...]. Upon
413 // receiving such an extension, an endpoint MUST abort the handshake
414 // with an "unsupported_extension" alert.
415 const auto& requested_exts = m_handshake->state.client_hello().extensions().extension_types();
416 if(exts.contains_other_than(requested_exts)) {
417 throw TLS_Exception(Alert::UnsupportedExtension,
418 "Encrypted Extensions contained an extension that was not offered");
419 }
420
421 // Note: As per RFC 6066 3. we can check for an empty SNI extensions to
422 // determine if the server used the SNI we sent here.
423
424 if(exts.has<Application_Layer_Protocol_Notification>()) {
425 // RFC 7301 3.2
426 // The "extension_data" field of the [...] "application_layer_protocol_negotiation"
427 // extension [...] SHALL include the server's selection of a protocol from among
428 // the list that was advertised by the client.
429 const auto* server_alpn = exts.get<Application_Layer_Protocol_Notification>();
430 const auto selected = server_alpn->single_protocol();
431 const auto* client_alpn =
432 m_handshake->state.client_hello().extensions().get<Application_Layer_Protocol_Notification>();
433 BOTAN_ASSERT_NONNULL(client_alpn); // unrequested extension check above ensures this
434 const auto& offered = client_alpn->protocols();
435 if(!value_exists(offered, selected)) {
436 throw TLS_Exception(Alert::IllegalParameter, "Server selected an ALPN protocol not offered by the client");
437 }
438 }
439
440 if(exts.has<Record_Size_Limit>() && m_handshake->state.client_hello().extensions().has<Record_Size_Limit>()) {
441 // RFC 8449 4.
442 // The record size limit only applies to records sent toward the
443 // endpoint that advertises the limit. An endpoint can send records
444 // that are larger than the limit it advertises as its own limit.
445 //
446 // Hence, the "outgoing" limit is what the server requested and the
447 // "incoming" limit is what we requested in the Client Hello.
448 auto* const outgoing_limit = exts.get<Record_Size_Limit>();
449 auto* const incoming_limit = m_handshake->state.client_hello().extensions().get<Record_Size_Limit>();
450 set_record_size_limits(outgoing_limit->limit(), incoming_limit->limit());
451 }
452
453 if(exts.has<Server_Certificate_Type>()) {
454 // The unrequested-extension check above ensures the client offered this.
455 BOTAN_ASSERT_NOMSG(m_handshake->state.client_hello().extensions().has<Server_Certificate_Type>());
456 const auto* server_cert_type = exts.get<Server_Certificate_Type>();
457 const auto* our_server_cert_types = m_handshake->state.client_hello().extensions().get<Server_Certificate_Type>();
458 our_server_cert_types->validate_selection(*server_cert_type);
459
460 // RFC 7250 4.2
461 // With the server_certificate_type extension in the server hello, the
462 // TLS server indicates the certificate type carried in the Certificate
463 // payload.
464 //
465 // Note: TLS 1.3 carries this extension in the Encrypted Extensions
466 // message instead of the Server Hello.
467 set_selected_certificate_type(server_cert_type->selected_certificate_type());
468 }
469
470 callbacks().tls_examine_extensions(exts, Connection_Side::Server, Handshake_Type::EncryptedExtensions);
471
472 if(m_handshake->state.server_hello().extensions().has<PSK>()) {
473 // RFC 8446 2.2
474 // As the server is authenticating via a PSK, it does not send a
475 // Certificate or a CertificateVerify message.
476 m_handshake->transitions.set_expected_next(Handshake_Type::Finished);
477 } else {
478 m_handshake->transitions.set_expected_next({Handshake_Type::Certificate, Handshake_Type::CertificateRequest});
479 }
480}
481
482void Client_Impl_13::handle(const Certificate_Request_13& certificate_request_msg) {
483 BOTAN_ASSERT_NONNULL(m_handshake);
484
485 // RFC 8446 4.3.2
486 // [The 'context' field] SHALL be zero length unless used for the
487 // post-handshake authentication exchanges described in Section 4.6.2.
488 if(!is_handshake_complete() && !certificate_request_msg.context().empty()) {
489 throw TLS_Exception(Alert::DecodeError, "Certificate_Request context must be empty in the main handshake");
490 }
491
492 callbacks().tls_examine_extensions(
493 certificate_request_msg.extensions(), Connection_Side::Server, Handshake_Type::CertificateRequest);
494 m_handshake->transitions.set_expected_next(Handshake_Type::Certificate);
495}
496
497void Client_Impl_13::handle(const Certificate_13& certificate_msg) {
498 BOTAN_ASSERT_NONNULL(m_handshake);
499
500 // RFC 8446 4.4.2
501 // certificate_request_context: [...] In the case of server authentication,
502 // this field SHALL be zero length.
503 if(!certificate_msg.request_context().empty()) {
504 throw TLS_Exception(Alert::DecodeError, "Received a server certificate message with non-empty request context");
505 }
506
507 // RFC 8446 4.4.2
508 // Extensions in the Certificate message from the server MUST correspond
509 // to ones from the ClientHello message.
510 certificate_msg.validate_extensions(m_handshake->state.client_hello().extensions().extension_types(), callbacks());
511 certificate_msg.verify(callbacks(),
512 policy(),
513 credentials_manager(),
514 m_info.hostname(),
515 m_handshake->state.client_hello().extensions().has<Certificate_Status_Request>());
516
517 m_handshake->transitions.set_expected_next(Handshake_Type::CertificateVerify);
518}
519
520void Client_Impl_13::handle(const Certificate_Verify_13& certificate_verify_msg) {
521 BOTAN_ASSERT_NONNULL(m_handshake);
522
523 // RFC 8446 4.4.3
524 // If the CertificateVerify message is sent by a server, the signature
525 // algorithm MUST be one offered in the client's "signature_algorithms"
526 // extension unless no valid certificate chain can be produced without
527 // unsupported algorithms.
528 //
529 // Note: if the server failed to produce a certificate chain without using
530 // an unsupported signature scheme, we opt to abort the handshake.
531 const auto offered = m_handshake->state.client_hello().signature_schemes();
532 if(!value_exists(offered, certificate_verify_msg.signature_scheme())) {
533 throw TLS_Exception(Alert::IllegalParameter,
534 "We did not offer the usage of " + certificate_verify_msg.signature_scheme().to_string() +
535 " as a signature scheme");
536 }
537
538 const bool sig_valid = certificate_verify_msg.verify(
539 *m_handshake->state.server_certificate().public_key(), callbacks(), m_transcript_hash.previous());
540
541 if(!sig_valid) {
542 throw TLS_Exception(Alert::DecryptError, "Server certificate verification failed");
543 }
544
545 m_handshake->transitions.set_expected_next(Handshake_Type::Finished);
546}
547
548void Client_Impl_13::send_client_authentication(Channel_Impl_13::AggregatedHandshakeMessages& flight) {
549 BOTAN_ASSERT_NOMSG(m_handshake->state.has_certificate_request());
550 const auto& cert_request = m_handshake->state.certificate_request();
551
552 const auto cert_type = [&] {
553 const auto& exts = m_handshake->state.encrypted_extensions().extensions();
554 const auto& chexts = m_handshake->state.client_hello().extensions();
555 if(exts.has<Client_Certificate_Type>()) {
556 // The unrequested-extension check in handle(Encrypted_Extensions) ensures the client offered this.
557 BOTAN_ASSERT_NOMSG(chexts.has<Client_Certificate_Type>());
558 const auto* client_cert_type = exts.get<Client_Certificate_Type>();
559 chexts.get<Client_Certificate_Type>()->validate_selection(*client_cert_type);
560
561 // RFC 7250 4.2
562 // This client_certificate_type extension in the server hello then
563 // indicates the type of certificates the client is requested to
564 // provide in a subsequent certificate payload.
565 //
566 // Note: TLS 1.3 carries this extension in the Encrypted Extensions
567 // message instead of the Server Hello.
568 return client_cert_type->selected_certificate_type();
569 } else {
570 // RFC 8446 4.4.2
571 // If the corresponding certificate type extension [...] was not
572 // negotiated in EncryptedExtensions, [...] then each
573 // CertificateEntry contains a DER-encoded X.509 certificate.
574 return Certificate_Type::X509;
575 }
576 }();
577
578 // RFC 8446 4.4.2
579 // certificate_request_context: If this message is in response to a
580 // CertificateRequest, the value of certificate_request_context in
581 // that message.
582 flight.add(m_handshake->state.sending(
583 Certificate_13(cert_request, m_info.hostname(), credentials_manager(), callbacks(), cert_type)));
584
585 // RFC 8446 4.4.2
586 // If the server requests client authentication but no suitable certificate
587 // is available, the client MUST send a Certificate message containing no
588 // certificates.
589 //
590 // In that case, no Certificate Verify message will be sent.
591 if(!m_handshake->state.client_certificate().empty()) {
592 flight.add(m_handshake->state.sending(Certificate_Verify_13(m_handshake->state.client_certificate(),
593 cert_request.signature_schemes(),
594 m_info.hostname(),
595 m_transcript_hash.current(),
596 Connection_Side::Client,
597 credentials_manager(),
598 policy(),
599 callbacks(),
600 rng())));
601 }
602}
603
604void Client_Impl_13::handle(const Finished_13& finished_msg) {
605 BOTAN_ASSERT_NONNULL(m_handshake);
606
607 // RFC 8446 4.4.4
608 // Recipients of Finished messages MUST verify that the contents are
609 // correct and if incorrect MUST terminate the connection with a
610 // "decrypt_error" alert.
611 if(!finished_msg.verify(m_cipher_state.get(), m_transcript_hash.previous())) {
612 throw TLS_Exception(Alert::DecryptError, "Finished message didn't verify");
613 }
614
615 m_handshake->state.confirm_peer_finished_verified();
616
617 // Give the application a chance for a final veto before fully
618 // establishing the connection.
619 callbacks().tls_session_established(Session_Summary(m_handshake->state.server_hello(),
620 Connection_Side::Client,
621 peer_cert_chain(),
622 peer_raw_public_key(),
623 external_psk_identity(),
624 m_handshake->resumed_session.has_value(),
625 m_info,
626 callbacks().tls_current_timestamp()));
627
628 // Derives the secrets for receiving application data but defers
629 // the derivation of sending application data.
630 m_cipher_state->advance_with_server_finished(m_transcript_hash.current(), *this);
631
632 auto flight = aggregate_handshake_messages();
633
634 // RFC 8446 4.4.2
635 // The client MUST send a Certificate message if and only if the server
636 // has requested client authentication via a CertificateRequest message.
637 if(m_handshake->state.has_certificate_request()) {
638 send_client_authentication(flight);
639 }
640
641 // send client finished handshake message (still using handshake traffic secrets)
642 flight.add(m_handshake->state.sending(Finished_13(m_cipher_state.get(), m_transcript_hash.current())));
643
644 flight.send();
645
646 // derives the sending application traffic secrets
647 m_cipher_state->advance_with_client_finished(m_transcript_hash.current());
648
649 // TODO: Create a dummy session object and invoke tls_session_established.
650 // Alternatively, consider changing the expectations described in the
651 // callback's doc string.
652
653 // no more handshake messages expected
654 m_handshake->transitions.set_expected_next({});
655
656 // Extract post-handshake state before signaling activation.
657 // After this point, only m_active_state should be consulted
658 // for connection properties.
659 {
660 auto extract_certs = [&]() -> std::vector<X509_Certificate> {
661 if(m_handshake->state.has_server_certificate_msg() &&
662 m_handshake->state.server_certificate().has_certificate_chain()) {
663 return m_handshake->state.server_certificate().cert_chain();
664 }
665 if(m_handshake->resumed_session.has_value()) {
666 return m_handshake->resumed_session->session.peer_certs();
667 }
668 return {};
669 };
670
671 auto extract_raw_pk = [&]() -> std::shared_ptr<const Public_Key> {
672 if(m_handshake->state.has_server_certificate_msg() &&
673 m_handshake->state.server_certificate().is_raw_public_key()) {
674 return m_handshake->state.server_certificate().public_key();
675 }
676 if(m_handshake->resumed_session.has_value()) {
677 return m_handshake->resumed_session->session.peer_raw_public_key();
678 }
679 return nullptr;
680 };
681
682 m_active_state = Active_Connection_State_13(m_handshake->state,
683 extract_certs(),
684 extract_raw_pk(),
685 m_handshake->psk_identity,
686 m_info.hostname(),
687 false /* peer_supports_psk_dhe_ke - client doesn't need this */);
688 }
689
690 m_handshake.reset();
691 m_transcript_hash = Transcript_Hash_State();
692 callbacks().tls_session_activated();
693}
694
695void TLS::Client_Impl_13::handle(const New_Session_Ticket_13& new_session_ticket) {
696 BOTAN_STATE_CHECK(m_active_state.has_value());
697
698 if(const size_t max_tickets = policy().maximum_session_tickets_per_connection();
699 max_tickets > 0 && m_session_tickets_received >= max_tickets) {
700 // Silently ignore excess tickets rather than terminating the connection,
701 // since the server may have legitimate reasons to send many tickets.
702 return;
703 }
704 ++m_session_tickets_received;
705
706 callbacks().tls_examine_extensions(
707 new_session_ticket.extensions(), Connection_Side::Server, Handshake_Type::NewSessionTicket);
708
709 const Session session(m_cipher_state->psk(new_session_ticket.nonce()),
710 new_session_ticket.early_data_byte_limit(),
711 new_session_ticket.ticket_age_add(),
712 new_session_ticket.lifetime_hint(),
713 m_active_state->version(),
714 m_active_state->ciphersuite_code(),
715 Connection_Side::Client,
716 peer_cert_chain(),
717 peer_raw_public_key(),
718 m_info,
719 callbacks().tls_current_timestamp());
720
721 if(callbacks().tls_should_persist_resumption_information(session)) {
722 session_manager().store(session, Session_Handle(new_session_ticket.handle()));
723 }
724}
725
726std::vector<X509_Certificate> Client_Impl_13::peer_cert_chain() const {
727 if(m_active_state.has_value()) {
728 return m_active_state->peer_certs();
729 }
730
731 // During handshake, before m_active_state is populated
732 if(m_handshake) {
733 if(m_handshake->state.has_server_certificate_msg() &&
734 m_handshake->state.server_certificate().has_certificate_chain()) {
735 return m_handshake->state.server_certificate().cert_chain();
736 }
737
738 if(m_handshake->resumed_session.has_value()) {
739 return m_handshake->resumed_session->session.peer_certs();
740 }
741 }
742
743 return {};
744}
745
746std::shared_ptr<const Public_Key> Client_Impl_13::peer_raw_public_key() const {
747 if(m_active_state.has_value()) {
748 return m_active_state->peer_raw_public_key();
749 }
750
751 // During handshake, before m_active_state is populated
752 if(m_handshake) {
753 if(m_handshake->state.has_server_certificate_msg() &&
754 m_handshake->state.server_certificate().is_raw_public_key()) {
755 return m_handshake->state.server_certificate().public_key();
756 }
757
758 if(m_handshake->resumed_session.has_value()) {
759 return m_handshake->resumed_session->session.peer_raw_public_key();
760 }
761 }
762
763 return nullptr;
764}
765
766std::optional<std::string> Client_Impl_13::external_psk_identity() const {
767 if(m_active_state.has_value()) {
768 return m_active_state->psk_identity();
769 }
770 if(m_handshake) {
771 return m_handshake->psk_identity;
772 }
773 return std::nullopt;
774}
775
776bool Client_Impl_13::prepend_ccs() {
777 return m_handshake && std::exchange(m_handshake->should_send_ccs, false);
778}
779
780void Client_Impl_13::maybe_log_secret(std::string_view label, std::span<const uint8_t> secret) const {
781 if(policy().allow_ssl_key_log_file()) {
782 if(m_active_state.has_value()) {
783 callbacks().tls_ssl_key_log_data(label, m_active_state->client_random(), secret);
784 } else {
785 callbacks().tls_ssl_key_log_data(label, m_handshake->state.client_hello().random(), secret);
786 }
787 }
788}
789
790std::string Client_Impl_13::application_protocol() const {
791 if(m_active_state.has_value()) {
792 return m_active_state->application_protocol();
793 }
794
795 return "";
796}
797
798} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
Botan::TLS::Callbacks::tls_session_activated
virtual void tls_session_activated()
Definition tls_callbacks.h:154
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition tls_callbacks.cpp:69
Botan::TLS::Callbacks::tls_session_established
virtual void tls_session_established(const Session_Summary &session)
Definition tls_callbacks.cpp:431
Botan::TLS::Callbacks::tls_ssl_key_log_data
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
Definition tls_callbacks.cpp:453
Botan::TLS::Callbacks::tls_inspect_handshake_msg
virtual void tls_inspect_handshake_msg(const Handshake_Message &message)
Definition tls_callbacks.cpp:49
Botan::TLS::Certificate_13
Definition tls_messages_13.h:170
Botan::TLS::Certificate_Request_13
Definition tls_messages_13.h:294
Botan::TLS::Certificate_Verify_13
Definition tls_messages_13.h:328
Botan::TLS::Channel_Impl_13::AggregatedHandshakeMessages
Definition tls_channel_impl_13.h:94
Botan::TLS::Channel_Impl_13::policy
const Policy & policy() const
Definition tls_channel_impl_13.h:275
Botan::TLS::Channel_Impl_13::aggregate_handshake_messages
AggregatedHandshakeMessages aggregate_handshake_messages()
Definition tls_channel_impl_13.h:259
Botan::TLS::Channel_Impl_13::credentials_manager
Credentials_Manager & credentials_manager()
Definition tls_channel_impl_13.h:271
Botan::TLS::Channel_Impl_13::rng
RandomNumberGenerator & rng()
Definition tls_channel_impl_13.h:273
Botan::TLS::Channel_Impl_13::send_handshake_message
std::vector< uint8_t > send_handshake_message(const std::variant< MsgTs... > &message)
Definition tls_channel_impl_13.h:244
Botan::TLS::Channel_Impl_13::prepend_ccs
virtual bool prepend_ccs()
Definition tls_channel_impl_13.h:232
Botan::TLS::Channel_Impl_13::m_transcript_hash
Transcript_Hash_State m_transcript_hash
Definition tls_channel_impl_13.h:290
Botan::TLS::Channel_Impl_13::m_active_state
std::optional< Active_Connection_State_13 > m_active_state
Definition tls_channel_impl_13.h:292
Botan::TLS::Channel_Impl_13::Channel_Impl_13
Channel_Impl_13(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &credentials_manager, const std::shared_ptr< RandomNumberGenerator > &rng, const std::shared_ptr< const Policy > &policy, bool is_server)
Definition tls_channel_impl_13.cpp:40
Botan::TLS::Channel_Impl_13::process_dummy_change_cipher_spec
virtual void process_dummy_change_cipher_spec()=0
Botan::TLS::Channel_Impl_13::session_manager
Session_Manager & session_manager()
Definition tls_channel_impl_13.h:269
Botan::TLS::Channel_Impl_13::m_cipher_state
std::unique_ptr< Cipher_State > m_cipher_state
Definition tls_channel_impl_13.h:291
Botan::TLS::Channel_Impl_13::m_side
const Connection_Side m_side
Definition tls_channel_impl_13.h:289
Botan::TLS::Channel_Impl_13::callbacks
Callbacks & callbacks() const
Definition tls_channel_impl_13.h:267
Botan::TLS::Channel_Impl_13::set_selected_certificate_type
void set_selected_certificate_type(Certificate_Type cert_type)
Definition tls_channel_impl_13.cpp:446
Botan::TLS::Channel_Impl_13::set_record_size_limits
void set_record_size_limits(uint16_t outgoing_limit, uint16_t incoming_limit)
Definition tls_channel_impl_13.cpp:442
Botan::TLS::Channel_Impl::request_downgrade_for_resumption
void request_downgrade_for_resumption(Session_with_Handle session)
Definition tls_channel_impl.h:255
Botan::TLS::Channel_Impl::preserve_client_hello
void preserve_client_hello(std::span< const uint8_t > msg)
Definition tls_channel_impl.h:229
Botan::TLS::Channel_Impl::expects_downgrade
bool expects_downgrade() const
Definition tls_channel_impl.h:276
Botan::TLS::Channel_Impl::request_downgrade
void request_downgrade()
Definition tls_channel_impl.h:250
Botan::TLS::Cipher_State::init_with_server_hello
static std::unique_ptr< Cipher_State > init_with_server_hello(Connection_Side side, secure_vector< uint8_t > &&shared_secret, const Ciphersuite &cipher, const Transcript_Hash &transcript_hash, const Secret_Logger &channel)
Definition tls_cipher_state.cpp:121
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition tls_ciphersuite.cpp:111
Botan::TLS::Client_Hello_13
Definition tls_messages_13.h:29
Botan::TLS::Client_Impl_13::Client_Impl_13
Client_Impl_13(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, Server_Information server_info=Server_Information(), const std::vector< std::string > &next_protocols={})
Definition tls_client_impl_13.cpp:26
Botan::TLS::Client_Impl_13::external_psk_identity
std::optional< std::string > external_psk_identity() const override
Definition tls_client_impl_13.cpp:766
Botan::TLS::Client_Impl_13::application_protocol
std::string application_protocol() const override
Definition tls_client_impl_13.cpp:790
Botan::TLS::Client_Impl_13::peer_raw_public_key
std::shared_ptr< const Public_Key > peer_raw_public_key() const override
Definition tls_client_impl_13.cpp:746
Botan::TLS::Client_Impl_13::is_handshake_complete
bool is_handshake_complete() const override
Definition tls_client_impl_13.cpp:125
Botan::TLS::Client_Impl_13::peer_cert_chain
std::vector< X509_Certificate > peer_cert_chain() const override
Definition tls_client_impl_13.cpp:726
Botan::TLS::Encrypted_Extensions
Definition tls_messages_13.h:146
Botan::TLS::Finished_13
Definition tls_messages_13.h:353
Botan::TLS::Hello_Retry_Request
Definition tls_messages_13.h:134
Botan::TLS::New_Session_Ticket_13
Definition tls_messages_13.h:361
Botan::TLS::Server_Hello_13
Definition tls_messages_13.h:80
Botan::TLS::Server_Information
Definition tls_server_info.h:19
Botan::TLS::Session_Handle
Helper class to embody a session handle in all protocol versions.
Definition tls_session_id.h:51
Botan::TLS::Session_Manager::find
virtual std::vector< Session_with_Handle > find(const Server_Information &info, Callbacks &callbacks, const Policy &policy)
Find all sessions that match a given server info.
Definition tls_session_manager.cpp:169
Botan::TLS::Supported_Versions
Definition tls_extensions.h:384
Botan::TLS::Supported_Versions::supports
bool supports(Protocol_Version version) const
Definition tls_extensions.cpp:857
Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19
Botan::TLS::Transcript_Hash_State::recreate_after_hello_retry_request
static Transcript_Hash_State recreate_after_hello_retry_request(std::string_view algo_spec, const Transcript_Hash_State &prev_transcript_hash_state)
Definition tls_transcript_hash_13.cpp:38
Botan::TLS::Handshake_Message_13
std::variant< Client_Hello_13, Client_Hello_12_Shim, Server_Hello_13, Server_Hello_12_Shim, Hello_Retry_Request, Encrypted_Extensions, Certificate_13, Certificate_Request_13, Certificate_Verify_13, Finished_13 > Handshake_Message_13
Definition tls_messages_13.h:434
Botan::TLS::Post_Handshake_Message_13
std::variant< New_Session_Ticket_13, Key_Update > Post_Handshake_Message_13
Definition tls_messages_13.h:447
Botan::specialize_to
constexpr std::optional< SpecificVariantT > specialize_to(GeneralVariantT &&v)
Converts a given variant into another variant whose type states are a subset of the given variant.
Definition stl_util.h:117
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const V &val)
Definition stl_util.h:44
Generated by doxygen 1.16.1