Botan  2.12.1
Crypto and TLS for C++11
tls_handshake_state.cpp
Go to the documentation of this file.
1 /*
2 * TLS Handshaking
3 * (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4 * 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/internal/tls_handshake_state.h>
10 #include <botan/internal/tls_record.h>
11 #include <botan/tls_messages.h>
12 #include <botan/kdf.h>
13 #include <sstream>
14 
15 namespace Botan {
16 
17 namespace TLS {
18 
19 std::string Handshake_Message::type_string() const
20  {
22  }
23 
25  {
26  switch(type)
27  {
29  return "hello_verify_request";
30 
31  case HELLO_REQUEST:
32  return "hello_request";
33 
34  case CLIENT_HELLO:
35  return "client_hello";
36 
37  case SERVER_HELLO:
38  return "server_hello";
39 
40  case CERTIFICATE:
41  return "certificate";
42 
43  case CERTIFICATE_URL:
44  return "certificate_url";
45 
46  case CERTIFICATE_STATUS:
47  return "certificate_status";
48 
49  case SERVER_KEX:
50  return "server_key_exchange";
51 
53  return "certificate_request";
54 
55  case SERVER_HELLO_DONE:
56  return "server_hello_done";
57 
58  case CERTIFICATE_VERIFY:
59  return "certificate_verify";
60 
61  case CLIENT_KEX:
62  return "client_key_exchange";
63 
64  case NEW_SESSION_TICKET:
65  return "new_session_ticket";
66 
67  case HANDSHAKE_CCS:
68  return "change_cipher_spec";
69 
70  case FINISHED:
71  return "finished";
72 
73  case HANDSHAKE_NONE:
74  return "invalid";
75  }
76 
78  "Unknown TLS handshake message type " + std::to_string(type));
79  }
80 
81 namespace {
82 
83 uint32_t bitmask_for_handshake_type(Handshake_Type type)
84  {
85  switch(type)
86  {
88  return (1 << 0);
89 
90  case HELLO_REQUEST:
91  return (1 << 1);
92 
93  case CLIENT_HELLO:
94  return (1 << 2);
95 
96  case SERVER_HELLO:
97  return (1 << 3);
98 
99  case CERTIFICATE:
100  return (1 << 4);
101 
102  case CERTIFICATE_URL:
103  return (1 << 5);
104 
105  case CERTIFICATE_STATUS:
106  return (1 << 6);
107 
108  case SERVER_KEX:
109  return (1 << 7);
110 
111  case CERTIFICATE_REQUEST:
112  return (1 << 8);
113 
114  case SERVER_HELLO_DONE:
115  return (1 << 9);
116 
117  case CERTIFICATE_VERIFY:
118  return (1 << 10);
119 
120  case CLIENT_KEX:
121  return (1 << 11);
122 
123  case NEW_SESSION_TICKET:
124  return (1 << 12);
125 
126  case HANDSHAKE_CCS:
127  return (1 << 13);
128 
129  case FINISHED:
130  return (1 << 14);
131 
132  // allow explicitly disabling new handshakes
133  case HANDSHAKE_NONE:
134  return 0;
135  }
136 
137  throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138  "Unknown TLS handshake message type " + std::to_string(type));
139  }
140 
141 std::string handshake_mask_to_string(uint32_t mask, char combiner)
142  {
143  const Handshake_Type types[] = {
146  CLIENT_HELLO,
147  SERVER_HELLO,
148  CERTIFICATE,
151  SERVER_KEX,
155  CLIENT_KEX,
158  FINISHED
159  };
160 
161  std::ostringstream o;
162  bool empty = true;
163 
164  for(auto&& t : types)
165  {
166  if(mask & bitmask_for_handshake_type(t))
167  {
168  if(!empty)
169  o << combiner;
170  o << handshake_type_to_string(t);
171  empty = false;
172  }
173  }
174 
175  return o.str();
176  }
177 
178 }
179 
180 /*
181 * Initialize the SSL/TLS Handshake State
182 */
184  m_callbacks(cb),
185  m_handshake_io(io),
186  m_version(m_handshake_io->initial_record_version())
187  {
188  }
189 
191  {
192  m_callbacks.tls_inspect_handshake_msg(msg);
193  }
194 
196  {
197  note_message(hello_verify);
198 
199  m_client_hello->update_hello_cookie(hello_verify);
200  hash().reset();
201  hash().update(handshake_io().send(*m_client_hello));
202  note_message(*m_client_hello);
203  }
204 
206  {
207  if(client_hello == nullptr)
208  {
209  m_client_hello.reset();
210  hash().reset();
211  }
212  else
213  {
214  m_client_hello.reset(client_hello);
215  note_message(*m_client_hello);
216  }
217  }
218 
220  {
221  m_server_hello.reset(server_hello);
222  m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223  note_message(*m_server_hello);
224  }
225 
227  {
228  m_server_certs.reset(server_certs);
229  note_message(*m_server_certs);
230  }
231 
233  {
234  m_server_cert_status.reset(server_cert_status);
235  note_message(*m_server_cert_status);
236  }
237 
239  {
240  m_server_kex.reset(server_kex);
241  note_message(*m_server_kex);
242  }
243 
245  {
246  m_cert_req.reset(cert_req);
247  note_message(*m_cert_req);
248  }
249 
251  {
252  m_server_hello_done.reset(server_hello_done);
253  note_message(*m_server_hello_done);
254  }
255 
257  {
258  m_client_certs.reset(client_certs);
259  note_message(*m_client_certs);
260  }
261 
263  {
264  m_client_kex.reset(client_kex);
265  note_message(*m_client_kex);
266  }
267 
269  {
270  m_client_verify.reset(client_verify);
271  note_message(*m_client_verify);
272  }
273 
275  {
276  m_new_session_ticket.reset(new_session_ticket);
277  note_message(*m_new_session_ticket);
278  }
279 
281  {
282  m_server_finished.reset(server_finished);
283  note_message(*m_server_finished);
284  }
285 
287  {
288  m_client_finished.reset(client_finished);
289  note_message(*m_client_finished);
290  }
291 
293  {
294  m_version = version;
295  }
296 
298  {
299  m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300  }
301 
303  {
304  m_session_keys = Session_Keys(this, resume_master_secret, true);
305  }
306 
308  {
309  const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310 
311  m_hand_received_mask |= mask;
312 
313  const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314 
315  if(!ok)
316  {
317  const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318 
319  std::ostringstream msg;
320 
321  msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322 
323  if(m_hand_expecting_mask == 0)
324  msg << " not expecting messages";
325  else
326  msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327 
328  if(seen_so_far != 0)
329  msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330 
331  throw Unexpected_Message(msg.str());
332  }
333 
334  /* We don't know what to expect next, so force a call to
335  set_expected_next; if it doesn't happen, the next transition
336  check will always fail which is what we want.
337  */
338  m_hand_expecting_mask = 0;
339  }
340 
342  {
343  m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344  }
345 
347  {
348  const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349 
350  return (m_hand_received_mask & mask) != 0;
351  }
352 
353 std::pair<Handshake_Type, std::vector<uint8_t>>
355  {
356  const bool expecting_ccs =
357  (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358 
359  return m_handshake_io->get_next_record(expecting_ccs);
360  }
361 
363  {
364 #if defined(BOTAN_HAS_SRP6)
365  // Authenticated via the successful key exchange
366  if(ciphersuite().valid() && ciphersuite().kex_method() == Kex_Algo::SRP_SHA)
367  return client_hello()->srp_identifier();
368 #endif
369 
370  return "";
371  }
372 
373 
374 std::vector<uint8_t> Handshake_State::session_ticket() const
375  {
376  if(new_session_ticket() && !new_session_ticket()->ticket().empty())
377  return new_session_ticket()->ticket();
378 
379  return client_hello()->session_ticket();
380  }
381 
383  {
384  if(version().supports_ciphersuite_specific_prf())
385  {
386  const std::string prf_algo = ciphersuite().prf_algo();
387 
388  if(prf_algo == "MD5" || prf_algo == "SHA-1")
389  return get_kdf("TLS-12-PRF(SHA-256)");
390 
391  return get_kdf("TLS-12-PRF(" + prf_algo + ")");
392  }
393 
394  // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
395  return get_kdf("TLS-PRF");
396  }
397 
398 std::pair<std::string, Signature_Format>
400  Signature_Scheme& chosen_scheme,
401  bool for_client_auth,
402  const Policy& policy) const
403  {
404  const std::string sig_algo = key.algo_name();
405 
406  if(this->version().supports_negotiable_signature_algorithms())
407  {
408  const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
409 
410  std::vector<Signature_Scheme> requested =
411  (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
412 
413  if(requested.empty())
414  {
415  // Implicit SHA-1
416  requested.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
417  requested.push_back(Signature_Scheme::ECDSA_SHA1);
418  requested.push_back(Signature_Scheme::DSA_SHA1);
419  }
420 
421  for(Signature_Scheme scheme : allowed)
422  {
423  if(signature_scheme_is_known(scheme) == false)
424  {
425  continue;
426  }
427 
428  if(signature_algorithm_of_scheme(scheme) == sig_algo)
429  {
430  if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
431  {
432  chosen_scheme = scheme;
433  break;
434  }
435  }
436  }
437 
438  const std::string hash = hash_function_of_scheme(chosen_scheme);
439 
440  if(!policy.allowed_signature_hash(hash))
441  {
443  "Policy refuses to accept signing with any hash supported by peer");
444  }
445 
446  if(sig_algo == "RSA")
447  {
448  return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
449  }
450  else if(sig_algo == "DSA" || sig_algo == "ECDSA")
451  {
452  return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
453  }
454  }
455  else
456  {
457  if(sig_algo == "RSA")
458  {
459  const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
460  return std::make_pair(padding, IEEE_1363);
461  }
462  else if(sig_algo == "DSA" || sig_algo == "ECDSA")
463  {
464  const std::string padding = "EMSA1(SHA-1)";
465  return std::make_pair(padding, DER_SEQUENCE);
466  }
467  }
468 
469  throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
470  }
471 
472 namespace {
473 
474 bool supported_algos_include(
475  const std::vector<Signature_Scheme>& schemes,
476  const std::string& key_type,
477  const std::string& hash_type)
478  {
479  for(Signature_Scheme scheme : schemes)
480  {
481  if(signature_scheme_is_known(scheme) &&
482  hash_function_of_scheme(scheme) == hash_type &&
483  signature_algorithm_of_scheme(scheme) == key_type)
484  {
485  return true;
486  }
487  }
488 
489  return false;
490  }
491 
492 }
493 
494 std::pair<std::string, Signature_Format>
496  Signature_Scheme scheme,
497  bool for_client_auth,
498  const Policy& policy) const
499  {
500  const std::string key_type = key.algo_name();
501 
502  if(!policy.allowed_signature_method(key_type))
503  {
505  "Rejecting " + key_type + " signature");
506  }
507 
508  if(this->version().supports_negotiable_signature_algorithms() == false)
509  {
510  if(scheme != Signature_Scheme::NONE)
511  throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
512 
513  /*
514  There is no check on the acceptability of a v1.0/v1.1 hash type,
515  since it's implicit with use of the protocol
516  */
517 
518  if(key_type == "RSA")
519  {
520  const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
521  return std::make_pair(padding, IEEE_1363);
522  }
523  else if(key_type == "DSA" || key_type == "ECDSA")
524  {
525  const std::string padding = "EMSA1(SHA-1)";
526  return std::make_pair(padding, DER_SEQUENCE);
527  }
528  else
529  throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
530  }
531 
532  if(scheme == Signature_Scheme::NONE)
533  throw Decoding_Error("Counterparty did not send hash/sig IDS");
534 
535  if(key_type != signature_algorithm_of_scheme(scheme))
536  throw Decoding_Error("Counterparty sent inconsistent key and sig types");
537 
538  if(for_client_auth && !cert_req())
539  {
541  "No certificate verify set");
542  }
543 
544  /*
545  Confirm the signature type we just received against the
546  supported_algos list that we sent; it better be there.
547  */
548 
549  const std::vector<Signature_Scheme> supported_algos =
550  for_client_auth ? cert_req()->signature_schemes() :
552 
553  if(!signature_scheme_is_known(scheme))
555  "Peer sent unknown signature scheme");
556 
557  const std::string hash_algo = hash_function_of_scheme(scheme);
558 
559  if(!supported_algos_include(supported_algos, key_type, hash_algo))
560  {
562  "TLS signature extension did not allow for " +
563  key_type + "/" + hash_algo + " signature");
564  }
565 
566  if(key_type == "RSA")
567  {
568  return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
569  }
570  else if(key_type == "DSA" || key_type == "ECDSA")
571  {
572  return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
573  }
574 
575  throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
576  }
577 
578 }
579 
580 }
const Client_Key_Exchange * client_kex() const
std::pair< std::string, Signature_Format > parse_sig_format(const Public_Key &key, Signature_Scheme scheme, bool for_client_auth, const Policy &policy) const
std::vector< uint8_t > session_ticket() const
std::vector< uint8_t > session_ticket() const
std::string prf_algo() const
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
Signature_Scheme
Definition: tls_algos.h:86
std::pair< std::string, Signature_Format > choose_sig_format(const Private_Key &key, Signature_Scheme &scheme, bool for_client_auth, const Policy &policy) const
const Server_Hello * server_hello() const
virtual std::string algo_name() const =0
const Certificate * server_certs() const
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:213
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
const Finished * server_finished() const
MechanismType type
std::string padding_string_for_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:379
const Server_Key_Exchange * server_kex() const
const Ciphersuite & ciphersuite() const
bool signature_scheme_is_known(Signature_Scheme scheme)
Definition: tls_algos.cpp:262
void set_version(const Protocol_Version &version)
const Certificate_Req * cert_req() const
const Certificate_Verify * client_verify() const
const Certificate_Status * server_cert_status() const
std::pair< Handshake_Type, std::vector< uint8_t > > get_next_handshake_msg()
const Finished * client_finished() const
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:117
void update(const uint8_t in[], size_t length)
std::vector< Signature_Scheme > signature_schemes() const
const Certificate * client_certs() const
KDF * get_kdf(const std::string &algo_spec)
Definition: kdf.cpp:237
bool allowed_signature_hash(const std::string &hash) const
Definition: tls_policy.cpp:122
Definition: alg_id.cpp:13
bool received_handshake_msg(Handshake_Type msg_type) const
void confirm_transition_to(Handshake_Type msg_type)
AlgorithmIdentifier hash_algo
Definition: x509_obj.cpp:22
virtual Handshake_Type type() const =0
void note_message(const Handshake_Message &msg)
Definition: kdf.h:20
const std::vector< uint8_t > & ticket() const
Definition: tls_messages.h:619
const New_Session_Ticket * new_session_ticket() const
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
const Server_Hello_Done * server_hello_done() const
static Ciphersuite by_id(uint16_t suite)
void hello_verify_request(const Hello_Verify_Request &hello_verify)
Protocol_Version version() const
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65
virtual void tls_inspect_handshake_msg(const Handshake_Message &message)
const Client_Hello * client_hello() const
const std::vector< Signature_Scheme > & signature_schemes() const
Definition: tls_messages.h:435
const char * handshake_type_to_string(Handshake_Type type)
void set_expected_next(Handshake_Type msg_type)
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition: tls_policy.cpp:22