Botan 3.8.1
Crypto and TLS for C&
tls_handshake_state.cpp
Go to the documentation of this file.
1/*
2* TLS Handshaking
3* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/tls_handshake_state.h>
10
11#include <botan/kdf.h>
12#include <botan/tls_messages.h>
13#include <botan/tls_signature_scheme.h>
14#include <botan/internal/tls_record.h>
15#include <sstream>
16
17namespace Botan::TLS {
18
19std::string Handshake_Message::type_string() const {
20 return handshake_type_to_string(type());
21}
22
23const char* handshake_type_to_string(Handshake_Type type) {
24 switch(type) {
25 case Handshake_Type::HelloVerifyRequest:
26 return "hello_verify_request";
27
28 case Handshake_Type::HelloRequest:
29 return "hello_request";
30
31 case Handshake_Type::ClientHello:
32 return "client_hello";
33
34 case Handshake_Type::ServerHello:
35 return "server_hello";
36
37 case Handshake_Type::HelloRetryRequest:
38 return "hello_retry_request";
39
40 case Handshake_Type::Certificate:
41 return "certificate";
42
43 case Handshake_Type::CertificateUrl:
44 return "certificate_url";
45
46 case Handshake_Type::CertificateStatus:
47 return "certificate_status";
48
49 case Handshake_Type::ServerKeyExchange:
50 return "server_key_exchange";
51
52 case Handshake_Type::CertificateRequest:
53 return "certificate_request";
54
55 case Handshake_Type::ServerHelloDone:
56 return "server_hello_done";
57
58 case Handshake_Type::CertificateVerify:
59 return "certificate_verify";
60
61 case Handshake_Type::ClientKeyExchange:
62 return "client_key_exchange";
63
64 case Handshake_Type::NewSessionTicket:
65 return "new_session_ticket";
66
67 case Handshake_Type::HandshakeCCS:
68 return "change_cipher_spec";
69
70 case Handshake_Type::Finished:
71 return "finished";
72
73 case Handshake_Type::EndOfEarlyData:
74 return "end_of_early_data";
75
76 case Handshake_Type::EncryptedExtensions:
77 return "encrypted_extensions";
78
79 case Handshake_Type::KeyUpdate:
80 return "key_update";
81
82 case Handshake_Type::None:
83 return "invalid";
84 }
85
86 throw TLS_Exception(Alert::UnexpectedMessage,
87 "Unknown TLS handshake message type " + std::to_string(static_cast<size_t>(type)));
88}
89
90/*
91* Initialize the SSL/TLS Handshake State
92*/
93Handshake_State::~Handshake_State() = default;
94
95Handshake_State::Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
96 m_callbacks(cb), m_handshake_io(std::move(io)), m_version(m_handshake_io->initial_record_version()) {}
97
98void Handshake_State::note_message(const Handshake_Message& msg) {
99 m_callbacks.tls_inspect_handshake_msg(msg);
100}
101
102void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify) {
103 note_message(hello_verify);
104
105 m_client_hello->update_hello_cookie(hello_verify);
106 hash().reset();
107 hash().update(handshake_io().send(*m_client_hello));
108 note_message(*m_client_hello);
109}
110
111void Handshake_State::client_hello(Client_Hello_12* client_hello) {
112 if(client_hello == nullptr) {
113 m_client_hello.reset();
114 hash().reset();
115 } else {
116 m_client_hello.reset(client_hello);
117 note_message(*m_client_hello);
118 }
119}
120
121void Handshake_State::server_hello(Server_Hello_12* server_hello) {
122 m_server_hello.reset(server_hello);
123 m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
124 note_message(*m_server_hello);
125}
126
127void Handshake_State::server_certs(Certificate_12* server_certs) {
128 m_server_certs.reset(server_certs);
129 note_message(*m_server_certs);
130}
131
132void Handshake_State::server_cert_status(Certificate_Status* server_cert_status) {
133 m_server_cert_status.reset(server_cert_status);
134 note_message(*m_server_cert_status);
135}
136
137void Handshake_State::server_kex(Server_Key_Exchange* server_kex) {
138 m_server_kex.reset(server_kex);
139 note_message(*m_server_kex);
140}
141
142void Handshake_State::cert_req(Certificate_Request_12* cert_req) {
143 m_cert_req.reset(cert_req);
144 note_message(*m_cert_req);
145}
146
147void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done) {
148 m_server_hello_done.reset(server_hello_done);
149 note_message(*m_server_hello_done);
150}
151
152void Handshake_State::client_certs(Certificate_12* client_certs) {
153 m_client_certs.reset(client_certs);
154 note_message(*m_client_certs);
155}
156
157void Handshake_State::client_kex(Client_Key_Exchange* client_kex) {
158 m_client_kex.reset(client_kex);
159 note_message(*m_client_kex);
160}
161
162void Handshake_State::client_verify(Certificate_Verify_12* client_verify) {
163 m_client_verify.reset(client_verify);
164 note_message(*m_client_verify);
165}
166
167void Handshake_State::server_verify(Certificate_Verify_12* server_verify) {
168 m_server_verify.reset(server_verify);
169 note_message(*m_server_verify);
170}
171
172void Handshake_State::new_session_ticket(New_Session_Ticket_12* new_session_ticket) {
173 m_new_session_ticket.reset(new_session_ticket);
174 note_message(*m_new_session_ticket);
175}
176
177void Handshake_State::server_finished(Finished_12* server_finished) {
178 m_server_finished.reset(server_finished);
179 note_message(*m_server_finished);
180}
181
182void Handshake_State::client_finished(Finished_12* client_finished) {
183 m_client_finished.reset(client_finished);
184 note_message(*m_client_finished);
185}
186
187const Ciphersuite& Handshake_State::ciphersuite() const {
188 if(!m_ciphersuite.has_value()) {
189 throw Invalid_State("Cipher suite is not set");
190 }
191 return m_ciphersuite.value();
192}
193
194std::optional<std::string> Handshake_State::psk_identity() const {
195 if(!m_client_kex) {
196 return std::nullopt;
197 }
198 return m_client_kex->psk_identity();
199}
200
204
205void Handshake_State::compute_session_keys() {
206 m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
207}
208
209void Handshake_State::compute_session_keys(const secure_vector<uint8_t>& resume_master_secret) {
210 m_session_keys = Session_Keys(this, resume_master_secret, true);
211}
212
213void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg) {
214 m_transitions.confirm_transition_to(handshake_msg);
215}
216
217void Handshake_State::set_expected_next(Handshake_Type handshake_msg) {
218 m_transitions.set_expected_next(handshake_msg);
219}
220
221bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const {
222 return m_transitions.received_handshake_msg(handshake_msg);
223}
224
225std::pair<Handshake_Type, std::vector<uint8_t>> Handshake_State::get_next_handshake_msg() {
226 return m_handshake_io->get_next_record(m_transitions.change_cipher_spec_expected());
227}
228
229Session_Ticket Handshake_State::session_ticket() const {
230 if(new_session_ticket() && !new_session_ticket()->ticket().empty()) {
231 return new_session_ticket()->ticket();
232 }
233
234 return client_hello()->session_ticket();
235}
236
237std::unique_ptr<KDF> Handshake_State::protocol_specific_prf() const {
238 const std::string prf_algo = ciphersuite().prf_algo();
239
240 if(prf_algo == "MD5" || prf_algo == "SHA-1") {
241 return KDF::create_or_throw("TLS-12-PRF(SHA-256)");
242 }
243
244 return KDF::create_or_throw("TLS-12-PRF(" + prf_algo + ")");
245}
246
247std::pair<std::string, Signature_Format> Handshake_State::choose_sig_format(const Private_Key& key,
248 Signature_Scheme& chosen_scheme,
249 bool for_client_auth,
250 const Policy& policy) const {
251 const std::string sig_algo = key.algo_name();
252
253 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
254
255 std::vector<Signature_Scheme> requested =
256 (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
257
258 for(Signature_Scheme scheme : allowed) {
259 if(!scheme.is_available()) {
260 continue;
261 }
262
263 if(scheme.algorithm_name() == sig_algo) {
264 if(std::find(requested.begin(), requested.end(), scheme) != requested.end()) {
265 chosen_scheme = scheme;
266 break;
267 }
268 }
269 }
270
271 const std::string hash = chosen_scheme.hash_function_name();
272
273 if(!policy.allowed_signature_hash(hash)) {
274 throw TLS_Exception(Alert::HandshakeFailure, "Policy refuses to accept signing with any hash supported by peer");
275 }
276
277 if(!chosen_scheme.format().has_value()) {
278 throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
279 }
280
281 return std::make_pair(chosen_scheme.padding_string(), chosen_scheme.format().value());
282}
283
284namespace {
285
286bool supported_algos_include(const std::vector<Signature_Scheme>& schemes,
287 std::string_view key_type,
288 std::string_view hash_type) {
289 for(Signature_Scheme scheme : schemes) {
290 if(scheme.is_available() && hash_type == scheme.hash_function_name() && key_type == scheme.algorithm_name()) {
291 return true;
292 }
293 }
294
295 return false;
296}
297
298} // namespace
299
300std::pair<std::string, Signature_Format> Handshake_State::parse_sig_format(
301 const Public_Key& key,
302 Signature_Scheme scheme,
303 const std::vector<Signature_Scheme>& offered_schemes,
304 bool for_client_auth,
305 const Policy& policy) const {
306 const std::string key_type = key.algo_name();
307
308 if(!policy.allowed_signature_method(key_type)) {
309 throw TLS_Exception(Alert::HandshakeFailure, "Rejecting " + key_type + " signature");
310 }
311
312 if(!scheme.is_available()) {
313 throw TLS_Exception(Alert::IllegalParameter, "Peer sent unknown signature scheme");
314 }
315
316 if(key_type != scheme.algorithm_name()) {
317 throw Decoding_Error("Counterparty sent inconsistent key and sig types");
318 }
319
320 if(for_client_auth && !cert_req()) {
321 throw TLS_Exception(Alert::HandshakeFailure, "No certificate verify set");
322 }
323
324 /*
325 Confirm the signature type we just received against the
326 supported_algos list that we sent; it better be there.
327 */
328
329 const std::vector<Signature_Scheme> supported_algos =
330 for_client_auth ? cert_req()->signature_schemes() : offered_schemes;
331
332 const std::string hash_algo = scheme.hash_function_name();
333
334 if(!scheme.is_compatible_with(Protocol_Version::TLS_V12)) {
335 throw TLS_Exception(Alert::IllegalParameter, "Peer sent unexceptable signature scheme");
336 }
337
338 if(!supported_algos_include(supported_algos, key_type, hash_algo)) {
339 throw TLS_Exception(Alert::IllegalParameter,
340 "TLS signature extension did not allow for " + key_type + "/" + hash_algo + " signature");
341 }
342
343 if(!scheme.format().has_value()) {
344 throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
345 }
346
347 return std::make_pair(scheme.padding_string(), scheme.format().value());
348}
349
350} // namespace Botan::TLS
Botan::Asymmetric_Key::algo_name
virtual std::string algo_name() const =0
Botan::Decoding_Error
Definition exceptn.h:191
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Invalid_State
Definition exceptn.h:206
Botan::KDF::create_or_throw
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition kdf.cpp:203
Botan::Private_Key
Definition pk_keys.h:290
Botan::Public_Key
Definition pk_keys.h:148
Botan::TLS::Certificate_12
Definition tls_messages.h:522
Botan::TLS::Certificate_Request_12
Definition tls_messages.h:698
Botan::TLS::Certificate_Request_12::signature_schemes
const std::vector< Signature_Scheme > & signature_schemes() const
Definition msg_cert_req.cpp:119
Botan::TLS::Certificate_Status
Definition tls_messages.h:670
Botan::TLS::Certificate_Verify_12
Definition tls_messages.h:777
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition tls_ciphersuite.cpp:91
Botan::TLS::Ciphersuite::prf_algo
std::string prf_algo() const
Definition tls_ciphersuite.h:110
Botan::TLS::Client_Hello_12
Definition tls_messages.h:147
Botan::TLS::Client_Hello_12::session_ticket
Session_Ticket session_ticket() const
Definition msg_client_hello.cpp:332
Botan::TLS::Client_Hello::signature_schemes
std::vector< Signature_Scheme > signature_schemes() const
Definition msg_client_hello.cpp:263
Botan::TLS::Client_Key_Exchange
Definition tls_messages.h:485
Botan::TLS::Finished_12
Definition tls_messages.h:846
Botan::TLS::Handshake_Hash::update
void update(const uint8_t in[], size_t length)
Definition tls_handshake_hash.h:21
Botan::TLS::Handshake_Hash::reset
void reset()
Definition tls_handshake_hash.h:29
Botan::TLS::Handshake_Message
Definition tls_handshake_msg.h:24
Botan::TLS::Handshake_Message::type_string
std::string type_string() const
Definition tls_handshake_state.cpp:19
Botan::TLS::Handshake_Message::type
virtual Handshake_Type type() const =0
Botan::TLS::Handshake_State::parse_sig_format
std::pair< std::string, Signature_Format > parse_sig_format(const Public_Key &key, Signature_Scheme scheme, const std::vector< Signature_Scheme > &offered_schemes, bool for_client_auth, const Policy &policy) const
Definition tls_handshake_state.cpp:300
Botan::TLS::Handshake_State::client_finished
void client_finished(Finished_12 *client_finished)
Definition tls_handshake_state.cpp:182
Botan::TLS::Handshake_State::get_next_handshake_msg
std::pair< Handshake_Type, std::vector< uint8_t > > get_next_handshake_msg()
Definition tls_handshake_state.cpp:225
Botan::TLS::Handshake_State::server_hello_done
const Server_Hello_Done * server_hello_done() const
Definition tls_handshake_state.h:141
Botan::TLS::Handshake_State::hello_verify_request
void hello_verify_request(const Hello_Verify_Request &hello_verify)
Definition tls_handshake_state.cpp:102
Botan::TLS::Handshake_State::set_expected_next
void set_expected_next(Handshake_Type msg_type)
Definition tls_handshake_state.cpp:217
Botan::TLS::Handshake_State::server_certs
void server_certs(Certificate_12 *server_certs)
Definition tls_handshake_state.cpp:127
Botan::TLS::Handshake_State::client_certs
void client_certs(Certificate_12 *client_certs)
Definition tls_handshake_state.cpp:152
Botan::TLS::Handshake_State::note_message
void note_message(const Handshake_Message &msg)
Definition tls_handshake_state.cpp:98
Botan::TLS::Handshake_State::server_kex
const Server_Key_Exchange * server_kex() const
Definition tls_handshake_state.h:137
Botan::TLS::Handshake_State::server_hello
void server_hello(Server_Hello_12 *server_hello)
Definition tls_handshake_state.cpp:121
Botan::TLS::Handshake_State::~Handshake_State
virtual ~Handshake_State()
Botan::TLS::Handshake_State::server_cert_status
const Certificate_Status * server_cert_status() const
Definition tls_handshake_state.h:151
Botan::TLS::Handshake_State::server_kex
void server_kex(Server_Key_Exchange *server_kex)
Definition tls_handshake_state.cpp:137
Botan::TLS::Handshake_State::server_verify
const Certificate_Verify_12 * server_verify() const
Definition tls_handshake_state.h:149
Botan::TLS::Handshake_State::Handshake_State
Handshake_State(std::unique_ptr< Handshake_IO > io, Callbacks &callbacks)
Definition tls_handshake_state.cpp:95
Botan::TLS::Handshake_State::handshake_io
Handshake_IO & handshake_io()
Definition tls_handshake_state.h:67
Botan::TLS::Handshake_State::client_verify
const Certificate_Verify_12 * client_verify() const
Definition tls_handshake_state.h:147
Botan::TLS::Handshake_State::server_finished
const Finished_12 * server_finished() const
Definition tls_handshake_state.h:155
Botan::TLS::Handshake_State::server_hello_done
void server_hello_done(Server_Hello_Done *server_hello_done)
Definition tls_handshake_state.cpp:147
Botan::TLS::Handshake_State::server_verify
void server_verify(Certificate_Verify_12 *server_verify)
Definition tls_handshake_state.cpp:167
Botan::TLS::Handshake_State::client_hello
const Client_Hello_12 * client_hello() const
Definition tls_handshake_state.h:131
Botan::TLS::Handshake_State::cert_req
void cert_req(Certificate_Request_12 *cert_req)
Definition tls_handshake_state.cpp:142
Botan::TLS::Handshake_State::client_kex
const Client_Key_Exchange * client_kex() const
Definition tls_handshake_state.h:145
Botan::TLS::Handshake_State::client_kex
void client_kex(Client_Key_Exchange *client_kex)
Definition tls_handshake_state.cpp:157
Botan::TLS::Handshake_State::new_session_ticket
void new_session_ticket(New_Session_Ticket_12 *new_session_ticket)
Definition tls_handshake_state.cpp:172
Botan::TLS::Handshake_State::server_finished
void server_finished(Finished_12 *server_finished)
Definition tls_handshake_state.cpp:177
Botan::TLS::Handshake_State::confirm_transition_to
void confirm_transition_to(Handshake_Type msg_type)
Definition tls_handshake_state.cpp:213
Botan::TLS::Handshake_State::client_verify
void client_verify(Certificate_Verify_12 *client_verify)
Definition tls_handshake_state.cpp:162
Botan::TLS::Handshake_State::set_version
void set_version(const Protocol_Version &version)
Definition tls_handshake_state.cpp:201
Botan::TLS::Handshake_State::psk_identity
std::optional< std::string > psk_identity() const
Definition tls_handshake_state.cpp:194
Botan::TLS::Handshake_State::server_certs
const Certificate_12 * server_certs() const
Definition tls_handshake_state.h:135
Botan::TLS::Handshake_State::client_certs
const Certificate_12 * client_certs() const
Definition tls_handshake_state.h:143
Botan::TLS::Handshake_State::client_finished
const Finished_12 * client_finished() const
Definition tls_handshake_state.h:157
Botan::TLS::Handshake_State::cert_req
const Certificate_Request_12 * cert_req() const
Definition tls_handshake_state.h:139
Botan::TLS::Handshake_State::compute_session_keys
void compute_session_keys()
Definition tls_handshake_state.cpp:205
Botan::TLS::Handshake_State::ciphersuite
const Ciphersuite & ciphersuite() const
Definition tls_handshake_state.cpp:187
Botan::TLS::Handshake_State::session_ticket
Session_Ticket session_ticket() const
Definition tls_handshake_state.cpp:229
Botan::TLS::Handshake_State::server_cert_status
void server_cert_status(Certificate_Status *server_cert_status)
Definition tls_handshake_state.cpp:132
Botan::TLS::Handshake_State::hash
Handshake_Hash & hash()
Definition tls_handshake_state.h:171
Botan::TLS::Handshake_State::server_hello
const Server_Hello_12 * server_hello() const
Definition tls_handshake_state.h:133
Botan::TLS::Handshake_State::received_handshake_msg
bool received_handshake_msg(Handshake_Type msg_type) const
Definition tls_handshake_state.cpp:221
Botan::TLS::Handshake_State::protocol_specific_prf
std::unique_ptr< KDF > protocol_specific_prf() const
Definition tls_handshake_state.cpp:237
Botan::TLS::Handshake_State::new_session_ticket
const New_Session_Ticket_12 * new_session_ticket() const
Definition tls_handshake_state.h:153
Botan::TLS::Handshake_State::client_hello
void client_hello(Client_Hello_12 *client_hello)
Definition tls_handshake_state.cpp:111
Botan::TLS::Handshake_State::choose_sig_format
std::pair< std::string, Signature_Format > choose_sig_format(const Private_Key &key, Signature_Scheme &scheme, bool for_client_auth, const Policy &policy) const
Definition tls_handshake_state.cpp:247
Botan::TLS::Handshake_State::version
Protocol_Version version() const
Definition tls_handshake_state.h:104
Botan::TLS::Hello_Verify_Request
Definition tls_messages.h:53
Botan::TLS::New_Session_Ticket_12
Definition tls_messages.h:939
Botan::TLS::New_Session_Ticket_12::ticket
const Session_Ticket & ticket() const
Definition tls_messages.h:945
Botan::TLS::Policy::allowed_signature_schemes
virtual std::vector< Signature_Scheme > allowed_signature_schemes() const
Definition tls_policy.cpp:27
Botan::TLS::Policy::allowed_signature_method
bool allowed_signature_method(std::string_view sig_method) const
Definition tls_policy.cpp:110
Botan::TLS::Policy::allowed_signature_hash
bool allowed_signature_hash(std::string_view hash) const
Definition tls_policy.cpp:114
Botan::TLS::Protocol_Version
Definition tls_version.h:34
Botan::TLS::Server_Hello_12
Definition tls_messages.h:307
Botan::TLS::Server_Hello_Done
Definition tls_messages.h:925
Botan::TLS::Server_Key_Exchange
Definition tls_messages.h:881
Botan::TLS::Session_Keys
Definition tls_session_key.h:21
Botan::TLS::Signature_Scheme
Definition tls_signature_scheme.h:23
Botan::TLS::Signature_Scheme::hash_function_name
std::string hash_function_name() const noexcept
Definition tls_signature_scheme.cpp:102
Botan::TLS::Signature_Scheme::is_compatible_with
bool is_compatible_with(const Protocol_Version &protocol_version) const noexcept
Definition tls_signature_scheme.cpp:283
Botan::TLS::Signature_Scheme::format
std::optional< Signature_Format > format() const noexcept
Definition tls_signature_scheme.cpp:259
Botan::TLS::Signature_Scheme::padding_string
std::string padding_string() const noexcept
Definition tls_signature_scheme.cpp:132
Botan::TLS::Signature_Scheme::is_available
bool is_available() const noexcept
Definition tls_signature_scheme.cpp:57
Botan::TLS::Signature_Scheme::algorithm_name
std::string algorithm_name() const noexcept
Definition tls_signature_scheme.cpp:169
Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19
Botan::TLS::handshake_type_to_string
const char * handshake_type_to_string(Handshake_Type type)
Definition tls_handshake_state.cpp:23
Botan::TLS::Session_Ticket
Strong< std::vector< uint8_t >, struct Session_Ticket_ > Session_Ticket
holds a TLS 1.2 session ticket for stateless resumption
Definition tls_session.h:34
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:65
Generated by doxygen 1.13.2