Botan 3.9.0
Crypto and TLS for C&
tls_handshake_state.cpp
Go to the documentation of this file.
1/*
2* TLS Handshaking
3* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/tls_handshake_state.h>
10
11#include <botan/kdf.h>
12#include <botan/tls_messages.h>
13#include <botan/tls_signature_scheme.h>
14#include <botan/internal/tls_record.h>
15#include <sstream>
16
17namespace Botan::TLS {
18
19std::string Handshake_Message::type_string() const {
21}
22
24 switch(type) {
26 return "hello_verify_request";
27
29 return "hello_request";
30
32 return "client_hello";
33
35 return "server_hello";
36
38 return "hello_retry_request";
39
41 return "certificate";
42
44 return "certificate_url";
45
47 return "certificate_status";
48
50 return "server_key_exchange";
51
53 return "certificate_request";
54
56 return "server_hello_done";
57
59 return "certificate_verify";
60
62 return "client_key_exchange";
63
65 return "new_session_ticket";
66
68 return "change_cipher_spec";
69
71 return "finished";
72
74 return "end_of_early_data";
75
77 return "encrypted_extensions";
78
80 return "key_update";
81
83 return "invalid";
84 }
85
86 throw TLS_Exception(Alert::UnexpectedMessage,
87 "Unknown TLS handshake message type " + std::to_string(static_cast<size_t>(type)));
88}
89
90/*
91* Initialize the SSL/TLS Handshake State
92*/
94
95Handshake_State::Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
96 m_callbacks(cb), m_handshake_io(std::move(io)), m_version(m_handshake_io->initial_record_version()) {}
97
99 m_callbacks.tls_inspect_handshake_msg(msg);
100}
101
103 note_message(hello_verify);
104
105 m_client_hello->update_hello_cookie(hello_verify);
106 hash().reset();
107 hash().update(handshake_io().send(*m_client_hello));
108 note_message(*m_client_hello);
109}
110
111void Handshake_State::client_hello(std::unique_ptr<Client_Hello_12> client_hello) {
112 // Legacy behavior (exception to the rule): Allow client_hello to be nullptr to reset state.
113 if(client_hello == nullptr) {
114 m_client_hello.reset();
115 hash().reset();
116 } else {
117 m_client_hello = std::move(client_hello);
118 note_message(*m_client_hello);
119 }
120}
121
122void Handshake_State::server_hello(std::unique_ptr<Server_Hello_12> server_hello) {
124 m_server_hello = std::move(server_hello);
125 m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
126 note_message(*m_server_hello);
127}
128
129void Handshake_State::server_certs(std::unique_ptr<Certificate_12> server_certs) {
131 m_server_certs = std::move(server_certs);
132 note_message(*m_server_certs);
133}
134
135void Handshake_State::server_cert_status(std::unique_ptr<Certificate_Status> server_cert_status) {
137 m_server_cert_status = std::move(server_cert_status);
138 note_message(*m_server_cert_status);
139}
140
141void Handshake_State::server_kex(std::unique_ptr<Server_Key_Exchange> server_kex) {
143 m_server_kex = std::move(server_kex);
144 note_message(*m_server_kex);
145}
146
147void Handshake_State::cert_req(std::unique_ptr<Certificate_Request_12> cert_req) {
149 m_cert_req = std::move(cert_req);
150 note_message(*m_cert_req);
151}
152
153void Handshake_State::server_hello_done(std::unique_ptr<Server_Hello_Done> server_hello_done) {
155 m_server_hello_done = std::move(server_hello_done);
156 note_message(*m_server_hello_done);
157}
158
159void Handshake_State::client_certs(std::unique_ptr<Certificate_12> client_certs) {
161 m_client_certs = std::move(client_certs);
162 note_message(*m_client_certs);
163}
164
165void Handshake_State::client_kex(std::unique_ptr<Client_Key_Exchange> client_kex) {
167 m_client_kex = std::move(client_kex);
168 note_message(*m_client_kex);
169}
170
171void Handshake_State::client_verify(std::unique_ptr<Certificate_Verify_12> client_verify) {
173 m_client_verify = std::move(client_verify);
174 note_message(*m_client_verify);
175}
176
177void Handshake_State::server_verify(std::unique_ptr<Certificate_Verify_12> server_verify) {
179 m_server_verify = std::move(server_verify);
180 note_message(*m_server_verify);
181}
182
183void Handshake_State::new_session_ticket(std::unique_ptr<New_Session_Ticket_12> new_session_ticket) {
185 m_new_session_ticket = std::move(new_session_ticket);
186 note_message(*m_new_session_ticket);
187}
188
189void Handshake_State::server_finished(std::unique_ptr<Finished_12> server_finished) {
191 m_server_finished = std::move(server_finished);
192 note_message(*m_server_finished);
193}
194
195void Handshake_State::client_finished(std::unique_ptr<Finished_12> client_finished) {
197 m_client_finished = std::move(client_finished);
198 note_message(*m_client_finished);
199}
200
202 if(!m_ciphersuite.has_value()) {
203 throw Invalid_State("Cipher suite is not set");
204 }
205 return m_ciphersuite.value();
206}
207
208std::optional<std::string> Handshake_State::psk_identity() const {
209 if(!m_client_kex) {
210 return std::nullopt;
211 }
212 return m_client_kex->psk_identity();
213}
214
218
220 m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
221}
222
224 m_session_keys = Session_Keys(this, resume_master_secret, true);
225}
226
228 m_transitions.confirm_transition_to(handshake_msg);
229}
230
232 m_transitions.set_expected_next(handshake_msg);
233}
234
236 return m_transitions.received_handshake_msg(handshake_msg);
237}
238
239std::pair<Handshake_Type, std::vector<uint8_t>> Handshake_State::get_next_handshake_msg() {
240 return m_handshake_io->get_next_record(m_transitions.change_cipher_spec_expected());
241}
242
244 if(const auto* nst = new_session_ticket()) {
245 const auto& ticket = nst->ticket();
246 if(!ticket.empty()) {
247 return ticket;
248 }
249 }
250
251 return client_hello()->session_ticket();
252}
253
254std::unique_ptr<KDF> Handshake_State::protocol_specific_prf() const {
255 const std::string prf_algo = ciphersuite().prf_algo();
256
257 if(prf_algo == "MD5" || prf_algo == "SHA-1") {
258 return KDF::create_or_throw("TLS-12-PRF(SHA-256)");
259 }
260
261 return KDF::create_or_throw("TLS-12-PRF(" + prf_algo + ")");
262}
263
264std::pair<std::string, Signature_Format> Handshake_State::choose_sig_format(const Private_Key& key,
265 Signature_Scheme& chosen_scheme,
266 bool for_client_auth,
267 const Policy& policy) const {
268 const std::string sig_algo = key.algo_name();
269
270 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
271
272 std::vector<Signature_Scheme> requested =
273 (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
274
275 for(Signature_Scheme scheme : allowed) {
276 if(!scheme.is_available()) {
277 continue;
278 }
279
280 if(scheme.algorithm_name() == sig_algo) {
281 if(std::find(requested.begin(), requested.end(), scheme) != requested.end()) {
282 chosen_scheme = scheme;
283 break;
284 }
285 }
286 }
287
288 const std::string hash = chosen_scheme.hash_function_name();
289
290 if(!policy.allowed_signature_hash(hash)) {
291 throw TLS_Exception(Alert::HandshakeFailure, "Policy refuses to accept signing with any hash supported by peer");
292 }
293
294 if(!chosen_scheme.format().has_value()) {
295 throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
296 }
297
298 return std::make_pair(chosen_scheme.padding_string(), chosen_scheme.format().value());
299}
300
301namespace {
302
303bool supported_algos_include(const std::vector<Signature_Scheme>& schemes,
304 std::string_view key_type,
305 std::string_view hash_type) {
306 for(Signature_Scheme scheme : schemes) {
307 if(scheme.is_available() && hash_type == scheme.hash_function_name() && key_type == scheme.algorithm_name()) {
308 return true;
309 }
310 }
311
312 return false;
313}
314
315} // namespace
316
317std::pair<std::string, Signature_Format> Handshake_State::parse_sig_format(
318 const Public_Key& key,
319 Signature_Scheme scheme,
320 const std::vector<Signature_Scheme>& offered_schemes,
321 bool for_client_auth,
322 const Policy& policy) const {
323 const std::string key_type = key.algo_name();
324
325 if(!policy.allowed_signature_method(key_type)) {
326 throw TLS_Exception(Alert::HandshakeFailure, "Rejecting " + key_type + " signature");
327 }
328
329 if(!scheme.is_available()) {
330 throw TLS_Exception(Alert::IllegalParameter, "Peer sent unknown signature scheme");
331 }
332
333 if(key_type != scheme.algorithm_name()) {
334 throw Decoding_Error("Counterparty sent inconsistent key and sig types");
335 }
336
337 if(for_client_auth && cert_req() == nullptr) {
338 throw TLS_Exception(Alert::HandshakeFailure, "No CertificateVerify message received");
339 }
340
341 /*
342 Confirm the signature type we just received against the
343 supported_algos list that we sent; it better be there.
344 */
345
346 const std::vector<Signature_Scheme> supported_algos =
347 for_client_auth ? cert_req()->signature_schemes() : offered_schemes;
348
349 const std::string hash_algo = scheme.hash_function_name();
350
351 if(!scheme.is_compatible_with(Protocol_Version::TLS_V12)) {
352 throw TLS_Exception(Alert::IllegalParameter, "Peer sent unexceptable signature scheme");
353 }
354
355 if(!supported_algos_include(supported_algos, key_type, hash_algo)) {
356 throw TLS_Exception(Alert::IllegalParameter,
357 "TLS signature extension did not allow for " + key_type + "/" + hash_algo + " signature");
358 }
359
360 if(!scheme.format().has_value()) {
361 throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
362 }
363
364 return std::make_pair(scheme.padding_string(), scheme.format().value());
365}
366
367} // namespace Botan::TLS
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
virtual std::string algo_name() const =0
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition kdf.cpp:204
const std::vector< Signature_Scheme > & signature_schemes() const
static std::optional< Ciphersuite > by_id(uint16_t suite)
std::string prf_algo() const
Session_Ticket session_ticket() const
std::vector< Signature_Scheme > signature_schemes() const
void update(const uint8_t in[], size_t length)
virtual Handshake_Type type() const =0
std::pair< std::string, Signature_Format > parse_sig_format(const Public_Key &key, Signature_Scheme scheme, const std::vector< Signature_Scheme > &offered_schemes, bool for_client_auth, const Policy &policy) const
void server_finished(std::unique_ptr< Finished_12 > server_finished)
void client_hello(std::unique_ptr< Client_Hello_12 > client_hello)
std::pair< Handshake_Type, std::vector< uint8_t > > get_next_handshake_msg()
const Server_Hello_Done * server_hello_done() const
void hello_verify_request(const Hello_Verify_Request &hello_verify)
void set_expected_next(Handshake_Type msg_type)
void note_message(const Handshake_Message &msg)
const Server_Key_Exchange * server_kex() const
const Certificate_Status * server_cert_status() const
const Certificate_Verify_12 * server_verify() const
Handshake_State(std::unique_ptr< Handshake_IO > io, Callbacks &callbacks)
void server_verify(std::unique_ptr< Certificate_Verify_12 > server_verify)
void new_session_ticket(std::unique_ptr< New_Session_Ticket_12 > new_session_ticket)
void client_certs(std::unique_ptr< Certificate_12 > client_certs)
void client_kex(std::unique_ptr< Client_Key_Exchange > client_kex)
const Certificate_Verify_12 * client_verify() const
const Finished_12 * server_finished() const
void server_hello_done(std::unique_ptr< Server_Hello_Done > server_hello_done)
const Client_Hello_12 * client_hello() const
const Client_Key_Exchange * client_kex() const
void cert_req(std::unique_ptr< Certificate_Request_12 > cert_req)
void server_cert_status(std::unique_ptr< Certificate_Status > server_cert_status)
void server_hello(std::unique_ptr< Server_Hello_12 > server_hello)
void confirm_transition_to(Handshake_Type msg_type)
void set_version(const Protocol_Version &version)
void client_finished(std::unique_ptr< Finished_12 > client_finished)
std::optional< std::string > psk_identity() const
const Certificate_12 * server_certs() const
const Certificate_12 * client_certs() const
void client_verify(std::unique_ptr< Certificate_Verify_12 > client_verify)
const Finished_12 * client_finished() const
const Certificate_Request_12 * cert_req() const
const Ciphersuite & ciphersuite() const
Session_Ticket session_ticket() const
void server_kex(std::unique_ptr< Server_Key_Exchange > server_kex)
const Server_Hello_12 * server_hello() const
bool received_handshake_msg(Handshake_Type msg_type) const
void server_certs(std::unique_ptr< Certificate_12 > server_certs)
std::unique_ptr< KDF > protocol_specific_prf() const
const New_Session_Ticket_12 * new_session_ticket() const
std::pair< std::string, Signature_Format > choose_sig_format(const Private_Key &key, Signature_Scheme &scheme, bool for_client_auth, const Policy &policy) const
Protocol_Version version() const
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
bool allowed_signature_method(std::string_view sig_method) const
bool allowed_signature_hash(std::string_view hash) const
std::string hash_function_name() const noexcept
bool is_compatible_with(const Protocol_Version &protocol_version) const noexcept
std::optional< Signature_Format > format() const noexcept
std::string padding_string() const noexcept
std::string algorithm_name() const noexcept
const char * handshake_type_to_string(Handshake_Type type)
Strong< std::vector< uint8_t >, struct Session_Ticket_ > Session_Ticket
holds a TLS 1.2 session ticket for stateless resumption
Definition tls_session.h:34
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69