Botan 2.19.2
Crypto and TLS for C&
tls_handshake_state.cpp
Go to the documentation of this file.
1/*
2* TLS Handshaking
3* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/tls_handshake_state.h>
10#include <botan/internal/tls_record.h>
11#include <botan/tls_messages.h>
12#include <botan/kdf.h>
13#include <sstream>
14
15namespace Botan {
16
17namespace TLS {
18
20 {
22 }
23
25 {
26 switch(type)
27 {
29 return "hello_verify_request";
30
31 case HELLO_REQUEST:
32 return "hello_request";
33
34 case CLIENT_HELLO:
35 return "client_hello";
36
37 case SERVER_HELLO:
38 return "server_hello";
39
40 case CERTIFICATE:
41 return "certificate";
42
43 case CERTIFICATE_URL:
44 return "certificate_url";
45
47 return "certificate_status";
48
49 case SERVER_KEX:
50 return "server_key_exchange";
51
53 return "certificate_request";
54
56 return "server_hello_done";
57
59 return "certificate_verify";
60
61 case CLIENT_KEX:
62 return "client_key_exchange";
63
65 return "new_session_ticket";
66
67 case HANDSHAKE_CCS:
68 return "change_cipher_spec";
69
70 case FINISHED:
71 return "finished";
72
73 case HANDSHAKE_NONE:
74 return "invalid";
75 }
76
78 "Unknown TLS handshake message type " + std::to_string(type));
79 }
80
81namespace {
82
83uint32_t bitmask_for_handshake_type(Handshake_Type type)
84 {
85 switch(type)
86 {
88 return (1 << 0);
89
90 case HELLO_REQUEST:
91 return (1 << 1);
92
93 case CLIENT_HELLO:
94 return (1 << 2);
95
96 case SERVER_HELLO:
97 return (1 << 3);
98
99 case CERTIFICATE:
100 return (1 << 4);
101
102 case CERTIFICATE_URL:
103 return (1 << 5);
104
106 return (1 << 6);
107
108 case SERVER_KEX:
109 return (1 << 7);
110
112 return (1 << 8);
113
115 return (1 << 9);
116
118 return (1 << 10);
119
120 case CLIENT_KEX:
121 return (1 << 11);
122
124 return (1 << 12);
125
126 case HANDSHAKE_CCS:
127 return (1 << 13);
128
129 case FINISHED:
130 return (1 << 14);
131
132 // allow explicitly disabling new handshakes
133 case HANDSHAKE_NONE:
134 return 0;
135 }
136
137 throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138 "Unknown TLS handshake message type " + std::to_string(type));
139 }
140
141std::string handshake_mask_to_string(uint32_t mask, char combiner)
142 {
143 const Handshake_Type types[] = {
159 };
160
161 std::ostringstream o;
162 bool empty = true;
163
164 for(auto&& t : types)
165 {
166 if(mask & bitmask_for_handshake_type(t))
167 {
168 if(!empty)
169 o << combiner;
171 empty = false;
172 }
173 }
174
175 return o.str();
176 }
177
178}
179
180/*
181* Initialize the SSL/TLS Handshake State
182*/
184 m_callbacks(cb),
185 m_handshake_io(io),
186 m_version(m_handshake_io->initial_record_version())
187 {
188 }
189
191 {
192 m_callbacks.tls_inspect_handshake_msg(msg);
193 }
194
196 {
197 note_message(hello_verify);
198
199 m_client_hello->update_hello_cookie(hello_verify);
200 hash().reset();
201 hash().update(handshake_io().send(*m_client_hello));
202 note_message(*m_client_hello);
203 }
204
206 {
207 if(client_hello == nullptr)
208 {
209 m_client_hello.reset();
210 hash().reset();
211 }
212 else
213 {
214 m_client_hello.reset(client_hello);
215 note_message(*m_client_hello);
216 }
217 }
218
220 {
221 m_server_hello.reset(server_hello);
222 m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223 note_message(*m_server_hello);
224 }
225
227 {
228 m_server_certs.reset(server_certs);
229 note_message(*m_server_certs);
230 }
231
233 {
234 m_server_cert_status.reset(server_cert_status);
235 note_message(*m_server_cert_status);
236 }
237
239 {
240 m_server_kex.reset(server_kex);
241 note_message(*m_server_kex);
242 }
243
245 {
246 m_cert_req.reset(cert_req);
247 note_message(*m_cert_req);
248 }
249
251 {
252 m_server_hello_done.reset(server_hello_done);
253 note_message(*m_server_hello_done);
254 }
255
257 {
258 m_client_certs.reset(client_certs);
259 note_message(*m_client_certs);
260 }
261
263 {
264 m_client_kex.reset(client_kex);
265 note_message(*m_client_kex);
266 }
267
269 {
270 m_client_verify.reset(client_verify);
271 note_message(*m_client_verify);
272 }
273
275 {
276 m_new_session_ticket.reset(new_session_ticket);
277 note_message(*m_new_session_ticket);
278 }
279
281 {
282 m_server_finished.reset(server_finished);
283 note_message(*m_server_finished);
284 }
285
287 {
288 m_client_finished.reset(client_finished);
289 note_message(*m_client_finished);
290 }
291
293 {
294 m_version = version;
295 }
296
298 {
299 m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300 }
301
303 {
304 m_session_keys = Session_Keys(this, resume_master_secret, true);
305 }
306
308 {
309 const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310
311 m_hand_received_mask |= mask;
312
313 const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314
315 if(!ok)
316 {
317 const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318
319 std::ostringstream msg;
320
321 msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322
323 if(m_hand_expecting_mask == 0)
324 msg << " not expecting messages";
325 else
326 msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327
328 if(seen_so_far != 0)
329 msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330
331 throw Unexpected_Message(msg.str());
332 }
333
334 /* We don't know what to expect next, so force a call to
335 set_expected_next; if it doesn't happen, the next transition
336 check will always fail which is what we want.
337 */
338 m_hand_expecting_mask = 0;
339 }
340
342 {
343 m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344 }
345
347 {
348 const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349
350 return (m_hand_received_mask & mask) != 0;
351 }
352
353std::pair<Handshake_Type, std::vector<uint8_t>>
355 {
356 const bool expecting_ccs =
357 (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358
359 return m_handshake_io->get_next_record(expecting_ccs);
360 }
361
363 {
364#if defined(BOTAN_HAS_SRP6)
365 // Authenticated via the successful key exchange
366 if(ciphersuite().valid() && ciphersuite().kex_method() == Kex_Algo::SRP_SHA)
367 return client_hello()->srp_identifier();
368#endif
369
370 return "";
371 }
372
373
374std::vector<uint8_t> Handshake_State::session_ticket() const
375 {
376 if(new_session_ticket() && !new_session_ticket()->ticket().empty())
377 return new_session_ticket()->ticket();
378
379 return client_hello()->session_ticket();
380 }
381
383 {
384 if(version().supports_ciphersuite_specific_prf())
385 {
386 const std::string prf_algo = ciphersuite().prf_algo();
387
388 if(prf_algo == "MD5" || prf_algo == "SHA-1")
389 return get_kdf("TLS-12-PRF(SHA-256)");
390
391 return get_kdf("TLS-12-PRF(" + prf_algo + ")");
392 }
393
394 // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
395 return get_kdf("TLS-PRF");
396 }
397
398std::pair<std::string, Signature_Format>
400 Signature_Scheme& chosen_scheme,
401 bool for_client_auth,
402 const Policy& policy) const
403 {
404 const std::string sig_algo = key.algo_name();
405
406 if(this->version().supports_negotiable_signature_algorithms())
407 {
408 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
409
410 std::vector<Signature_Scheme> requested =
411 (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
412
413 if(requested.empty())
414 {
415 // Implicit SHA-1
416 requested.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
417 requested.push_back(Signature_Scheme::ECDSA_SHA1);
418 requested.push_back(Signature_Scheme::DSA_SHA1);
419 }
420
421 for(Signature_Scheme scheme : allowed)
422 {
423 if(signature_scheme_is_known(scheme) == false)
424 {
425 continue;
426 }
427
428 if(signature_algorithm_of_scheme(scheme) == sig_algo)
429 {
430 if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
431 {
432 chosen_scheme = scheme;
433 break;
434 }
435 }
436 }
437
438 const std::string hash = hash_function_of_scheme(chosen_scheme);
439
440 if(!policy.allowed_signature_hash(hash))
441 {
443 "Policy refuses to accept signing with any hash supported by peer");
444 }
445
446 if(sig_algo == "RSA")
447 {
448 return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
449 }
450 else if(sig_algo == "DSA" || sig_algo == "ECDSA")
451 {
452 return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
453 }
454 }
455 else
456 {
457 if(sig_algo == "RSA")
458 {
459 const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
460 return std::make_pair(padding, IEEE_1363);
461 }
462 else if(sig_algo == "DSA" || sig_algo == "ECDSA")
463 {
464 const std::string padding = "EMSA1(SHA-1)";
465 return std::make_pair(padding, DER_SEQUENCE);
466 }
467 }
468
469 throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
470 }
471
472namespace {
473
474bool supported_algos_include(
475 const std::vector<Signature_Scheme>& schemes,
476 const std::string& key_type,
477 const std::string& hash_type)
478 {
479 for(Signature_Scheme scheme : schemes)
480 {
481 if(signature_scheme_is_known(scheme) &&
482 hash_function_of_scheme(scheme) == hash_type &&
483 signature_algorithm_of_scheme(scheme) == key_type)
484 {
485 return true;
486 }
487 }
488
489 return false;
490 }
491
492}
493
494std::pair<std::string, Signature_Format>
496 Signature_Scheme scheme,
497 bool for_client_auth,
498 const Policy& policy) const
499 {
500 const std::string key_type = key.algo_name();
501
502 if(!policy.allowed_signature_method(key_type))
503 {
505 "Rejecting " + key_type + " signature");
506 }
507
508 if(this->version().supports_negotiable_signature_algorithms() == false)
509 {
510 if(scheme != Signature_Scheme::NONE)
511 throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
512
513 /*
514 There is no check on the acceptability of a v1.0/v1.1 hash type,
515 since it's implicit with use of the protocol
516 */
517
518 if(key_type == "RSA")
519 {
520 const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
521 return std::make_pair(padding, IEEE_1363);
522 }
523 else if(key_type == "DSA" || key_type == "ECDSA")
524 {
525 const std::string padding = "EMSA1(SHA-1)";
526 return std::make_pair(padding, DER_SEQUENCE);
527 }
528 else
529 throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
530 }
531
532 if(scheme == Signature_Scheme::NONE)
533 throw Decoding_Error("Counterparty did not send hash/sig IDS");
534
535 if(key_type != signature_algorithm_of_scheme(scheme))
536 throw Decoding_Error("Counterparty sent inconsistent key and sig types");
537
538 if(for_client_auth && !cert_req())
539 {
541 "No certificate verify set");
542 }
543
544 /*
545 Confirm the signature type we just received against the
546 supported_algos list that we sent; it better be there.
547 */
548
549 const std::vector<Signature_Scheme> supported_algos =
550 for_client_auth ? cert_req()->signature_schemes() :
552
553 if(!signature_scheme_is_known(scheme))
555 "Peer sent unknown signature scheme");
556
557 const std::string hash_algo = hash_function_of_scheme(scheme);
558
559 if(!supported_algos_include(supported_algos, key_type, hash_algo))
560 {
562 "TLS signature extension did not allow for " +
563 key_type + "/" + hash_algo + " signature");
564 }
565
566 if(key_type == "RSA")
567 {
568 return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
569 }
570 else if(key_type == "DSA" || key_type == "ECDSA")
571 {
572 return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
573 }
574
575 throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
576 }
577
578}
579
580}
Definition: kdf.h:21
virtual std::string algo_name() const =0
virtual void tls_inspect_handshake_msg(const Handshake_Message &message)
const std::vector< Signature_Scheme > & signature_schemes() const
Definition: tls_messages.h:435
static Ciphersuite by_id(uint16_t suite)
std::string prf_algo() const
std::vector< Signature_Scheme > signature_schemes() const
std::vector< uint8_t > session_ticket() const
void update(const uint8_t in[], size_t length)
virtual Handshake_Type type() const =0
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
std::pair< Handshake_Type, std::vector< uint8_t > > get_next_handshake_msg()
const Certificate_Verify * client_verify() const
const Client_Hello * client_hello() const
const Server_Hello_Done * server_hello_done() const
void hello_verify_request(const Hello_Verify_Request &hello_verify)
void set_expected_next(Handshake_Type msg_type)
void note_message(const Handshake_Message &msg)
const Server_Key_Exchange * server_kex() const
const Certificate_Status * server_cert_status() const
const Finished * client_finished() const
const Certificate_Req * cert_req() const
std::vector< uint8_t > session_ticket() const
const Client_Key_Exchange * client_kex() const
const Certificate * client_certs() const
const Finished * server_finished() const
std::pair< std::string, Signature_Format > parse_sig_format(const Public_Key &key, Signature_Scheme scheme, bool for_client_auth, const Policy &policy) const
void confirm_transition_to(Handshake_Type msg_type)
const New_Session_Ticket * new_session_ticket() const
void set_version(const Protocol_Version &version)
const Ciphersuite & ciphersuite() const
bool received_handshake_msg(Handshake_Type msg_type) const
const Server_Hello * server_hello() const
const Certificate * server_certs() const
std::pair< std::string, Signature_Format > choose_sig_format(const Private_Key &key, Signature_Scheme &scheme, bool for_client_auth, const Policy &policy) const
Protocol_Version version() const
const std::vector< uint8_t > & ticket() const
Definition: tls_messages.h:619
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition: tls_policy.cpp:22
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:117
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:122
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
bool signature_scheme_is_known(Signature_Scheme scheme)
Definition: tls_algos.cpp:262
@ HELLO_VERIFY_REQUEST
Definition: tls_magic.h:49
@ CLIENT_KEX
Definition: tls_magic.h:56
@ HANDSHAKE_CCS
Definition: tls_magic.h:62
@ CERTIFICATE_URL
Definition: tls_magic.h:59
@ SERVER_HELLO
Definition: tls_magic.h:48
@ NEW_SESSION_TICKET
Definition: tls_magic.h:50
@ SERVER_HELLO_DONE
Definition: tls_magic.h:54
@ HELLO_REQUEST
Definition: tls_magic.h:46
@ CERTIFICATE_REQUEST
Definition: tls_magic.h:53
@ CERTIFICATE
Definition: tls_magic.h:51
@ CERTIFICATE_STATUS
Definition: tls_magic.h:60
@ CERTIFICATE_VERIFY
Definition: tls_magic.h:55
@ HANDSHAKE_NONE
Definition: tls_magic.h:63
@ SERVER_KEX
Definition: tls_magic.h:52
@ CLIENT_HELLO
Definition: tls_magic.h:47
const char * handshake_type_to_string(Handshake_Type type)
Signature_Scheme
Definition: tls_algos.h:86
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
std::string padding_string_for_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:379
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
Definition: alg_id.cpp:13
KDF * get_kdf(const std::string &algo_spec)
Definition: kdf.cpp:241
@ DER_SEQUENCE
Definition: pk_keys.h:23
@ IEEE_1363
Definition: pk_keys.h:23
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
MechanismType type
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:22