Botan  2.7.0
Crypto and TLS for C++11
tls_server.cpp
Go to the documentation of this file.
1 /*
2 * TLS Server
3 * (C) 2004-2011,2012,2016 Jack Lloyd
4 * 2016 Matthias Gierlings
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_server.h>
10 #include <botan/tls_messages.h>
11 #include <botan/internal/tls_handshake_state.h>
12 #include <botan/internal/stl_util.h>
13 #include <botan/tls_magic.h>
14 
15 namespace Botan {
16 
17 namespace TLS {
18 
19 class Server_Handshake_State final : public Handshake_State
20  {
21  public:
22  Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
23  : Handshake_State(io, cb) {}
24 
25  Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key; }
26  void set_server_rsa_kex_key(Private_Key* key)
27  { m_server_rsa_kex_key = key; }
28 
29  bool allow_session_resumption() const
30  { return m_allow_session_resumption; }
31  void set_allow_session_resumption(bool allow_session_resumption)
32  { m_allow_session_resumption = allow_session_resumption; }
33 
34  const std::vector<X509_Certificate>& resume_peer_certs() const
35  { return m_resume_peer_certs; }
36 
37  void set_resume_certs(const std::vector<X509_Certificate>& certs)
38  { m_resume_peer_certs = certs; }
39 
40  private:
41  // Used by the server only, in case of RSA key exchange. Not owned
42  Private_Key* m_server_rsa_kex_key = nullptr;
43 
44  /*
45  * Used by the server to know if resumption should be allowed on
46  * a server-initiated renegotiation
47  */
48  bool m_allow_session_resumption = true;
49 
50  std::vector<X509_Certificate> m_resume_peer_certs;
51  };
52 
53 namespace {
54 
55 bool check_for_resume(Session& session_info,
56  Session_Manager& session_manager,
57  Credentials_Manager& credentials,
58  const Client_Hello* client_hello,
59  std::chrono::seconds session_ticket_lifetime)
60  {
61  const std::vector<uint8_t>& client_session_id = client_hello->session_id();
62  const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
63 
64  if(session_ticket.empty())
65  {
66  if(client_session_id.empty()) // not resuming
67  return false;
68 
69  // not found
70  if(!session_manager.load_from_session_id(client_session_id, session_info))
71  return false;
72  }
73  else
74  {
75  // If a session ticket was sent, ignore client session ID
76  try
77  {
78  session_info = Session::decrypt(
79  session_ticket,
80  credentials.psk("tls-server", "session-ticket", ""));
81 
82  if(session_ticket_lifetime != std::chrono::seconds(0) &&
83  session_info.session_age() > session_ticket_lifetime)
84  return false; // ticket has expired
85  }
86  catch(...)
87  {
88  return false;
89  }
90  }
91 
92  // wrong version
93  if(client_hello->version() != session_info.version())
94  return false;
95 
96  // client didn't send original ciphersuite
97  if(!value_exists(client_hello->ciphersuites(),
98  session_info.ciphersuite_code()))
99  return false;
100 
101 #if defined(BOTAN_HAS_SRP6)
102  // client sent a different SRP identity
103  if(client_hello->srp_identifier() != "")
104  {
105  if(client_hello->srp_identifier() != session_info.srp_identifier())
106  return false;
107  }
108 #endif
109 
110  // client sent a different SNI hostname
111  if(client_hello->sni_hostname() != "")
112  {
113  if(client_hello->sni_hostname() != session_info.server_info().hostname())
114  return false;
115  }
116 
117  // Checking extended_master_secret on resume (RFC 7627 section 5.3)
118  if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
119  {
120  if(!session_info.supports_extended_master_secret())
121  {
122  return false; // force new handshake with extended master secret
123  }
124  else
125  {
126  /*
127  Client previously negotiated session with extended master secret,
128  but has now attempted to resume without the extension: abort
129  */
130  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
131  "Client resumed extended ms session without sending extension");
132  }
133  }
134 
135  // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
136  if(!client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
137  {
138  /*
139  Client previously negotiated session with Encrypt-then-MAC,
140  but has now attempted to resume without the extension: abort
141  */
142  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
143  "Client resumed Encrypt-then-MAC session without sending extension");
144  }
145 
146  return true;
147  }
148 
149 /*
150 * Choose which ciphersuite to use
151 */
152 uint16_t choose_ciphersuite(
153  const Policy& policy,
154  Protocol_Version version,
155  Credentials_Manager& creds,
156  const std::map<std::string, std::vector<X509_Certificate> >& cert_chains,
157  const Client_Hello& client_hello)
158  {
159  const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
160  const bool have_srp = creds.attempt_srp("tls-server", client_hello.sni_hostname());
161  const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
162  const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
163 
164  if(server_suites.empty())
165  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
166  "Policy forbids us from negotiating any ciphersuite");
167 
168  const bool have_shared_ecc_curve =
169  (policy.choose_key_exchange_group(client_hello.supported_ecc_curves()) != Group_Params::NONE);
170 
171  /*
172  Walk down one list in preference order
173  */
174  std::vector<uint16_t> pref_list = server_suites;
175  std::vector<uint16_t> other_list = client_suites;
176 
177  if(!our_choice)
178  std::swap(pref_list, other_list);
179 
180  for(auto suite_id : pref_list)
181  {
182  if(!value_exists(other_list, suite_id))
183  continue;
184 
185  const Ciphersuite suite = Ciphersuite::by_id(suite_id);
186 
187  if(suite.valid() == false)
188  {
189  continue;
190  }
191 
192  if(have_shared_ecc_curve == false && suite.ecc_ciphersuite())
193  {
194  continue;
195  }
196 
197  // For non-anon ciphersuites
198  if(suite.signature_used())
199  {
200  const std::string sig_algo = suite.sig_algo();
201 
202  // Do we have any certificates for this sig?
203  if(cert_chains.count(sig_algo) == 0)
204  {
205  continue;
206  }
207 
208  if(version.supports_negotiable_signature_algorithms())
209  {
210  const std::vector<Signature_Scheme> allowed =
211  policy.allowed_signature_schemes();
212 
213  std::vector<Signature_Scheme> client_sig_methods =
214  client_hello.signature_schemes();
215 
216  if(client_sig_methods.empty())
217  {
218  // If empty, then implicit SHA-1 (TLS v1.2 rules)
219  client_sig_methods.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
220  client_sig_methods.push_back(Signature_Scheme::ECDSA_SHA1);
221  client_sig_methods.push_back(Signature_Scheme::DSA_SHA1);
222  }
223 
224  bool we_support_some_hash_by_client = true;
225 
226  for(Signature_Scheme scheme : client_sig_methods)
227  {
228  if(signature_scheme_is_known(scheme) == false)
229  continue;
230 
231  if(signature_algorithm_of_scheme(scheme) == suite.sig_algo() &&
232  policy.allowed_signature_hash(hash_function_of_scheme(scheme)))
233  {
234  we_support_some_hash_by_client = true;
235  }
236  }
237 
238  if(we_support_some_hash_by_client == false)
239  {
240  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
241  "Policy does not accept any hash function supported by client");
242  }
243  }
244  }
245 
246 #if defined(BOTAN_HAS_SRP6)
247  /*
248  The client may offer SRP cipher suites in the hello message but
249  omit the SRP extension. If the server would like to select an
250  SRP cipher suite in this case, the server SHOULD return a fatal
251  "unknown_psk_identity" alert immediately after processing the
252  client hello message.
253  - RFC 5054 section 2.5.1.2
254  */
255  if(suite.kex_method() == Kex_Algo::SRP_SHA && client_hello.srp_identifier() == "")
256  throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
257  "Client wanted SRP but did not send username");
258 #endif
259 
260  return suite_id;
261  }
262 
263  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
264  "Can't agree on a ciphersuite with client");
265  }
266 
267 std::map<std::string, std::vector<X509_Certificate> >
268 get_server_certs(const std::string& hostname,
269  Credentials_Manager& creds)
270  {
271  const char* cert_types[] = { "RSA", "DSA", "ECDSA", nullptr };
272 
273  std::map<std::string, std::vector<X509_Certificate> > cert_chains;
274 
275  for(size_t i = 0; cert_types[i]; ++i)
276  {
277  std::vector<X509_Certificate> certs =
278  creds.cert_chain_single_type(cert_types[i], "tls-server", hostname);
279 
280  if(!certs.empty())
281  cert_chains[cert_types[i]] = certs;
282  }
283 
284  return cert_chains;
285  }
286 
287 }
288 
289 /*
290 * TLS Server Constructor
291 */
293  Session_Manager& session_manager,
294  Credentials_Manager& creds,
295  const Policy& policy,
297  bool is_datagram,
298  size_t io_buf_sz) :
299  Channel(callbacks, session_manager, rng, policy,
300  is_datagram, io_buf_sz),
301  m_creds(creds)
302  {
303  }
304 
306  data_cb got_data_cb,
307  alert_cb recv_alert_cb,
308  handshake_cb hs_cb,
309  Session_Manager& session_manager,
310  Credentials_Manager& creds,
311  const Policy& policy,
313  next_protocol_fn next_proto,
314  bool is_datagram,
315  size_t io_buf_sz) :
316  Channel(output, got_data_cb, recv_alert_cb, hs_cb,
317  Channel::handshake_msg_cb(), session_manager,
318  rng, policy, is_datagram, io_buf_sz),
319  m_creds(creds),
320  m_choose_next_protocol(next_proto)
321  {
322  }
323 
324 
326  data_cb got_data_cb,
327  alert_cb recv_alert_cb,
328  handshake_cb hs_cb,
329  handshake_msg_cb hs_msg_cb,
330  Session_Manager& session_manager,
331  Credentials_Manager& creds,
332  const Policy& policy,
334  next_protocol_fn next_proto,
335  bool is_datagram) :
336  Channel(output, got_data_cb, recv_alert_cb, hs_cb, hs_msg_cb,
337  session_manager, rng, policy, is_datagram),
338  m_creds(creds),
339  m_choose_next_protocol(next_proto)
340  {
341  }
342 
343 Handshake_State* Server::new_handshake_state(Handshake_IO* io)
344  {
345  std::unique_ptr<Handshake_State> state(new Server_Handshake_State(io, callbacks()));
346 
347  state->set_expected_next(CLIENT_HELLO);
348  return state.release();
349  }
350 
351 std::vector<X509_Certificate>
352 Server::get_peer_cert_chain(const Handshake_State& state_base) const
353  {
354  const Server_Handshake_State& state = dynamic_cast<const Server_Handshake_State&>(state_base);
355  if(state.resume_peer_certs().size() > 0)
356  return state.resume_peer_certs();
357 
358  if(state.client_certs())
359  return state.client_certs()->cert_chain();
360  return std::vector<X509_Certificate>();
361  }
362 
363 /*
364 * Send a hello request to the client
365 */
366 void Server::initiate_handshake(Handshake_State& state,
367  bool force_full_renegotiation)
368  {
369  dynamic_cast<Server_Handshake_State&>(state).
370  set_allow_session_resumption(!force_full_renegotiation);
371 
372  Hello_Request hello_req(state.handshake_io());
373  }
374 
375 /*
376 * Process a CLIENT HELLO Message
377 */
378 void Server::process_client_hello_msg(const Handshake_State* active_state,
379  Server_Handshake_State& pending_state,
380  const std::vector<uint8_t>& contents)
381  {
382  const bool initial_handshake = !active_state;
383 
384  if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false)
385  {
387  return;
388  }
389 
390  if(!policy().allow_insecure_renegotiation() &&
391  !(initial_handshake || secure_renegotiation_supported()))
392  {
394  return;
395  }
396 
397  pending_state.client_hello(new Client_Hello(contents));
398  const Protocol_Version client_version = pending_state.client_hello()->version();
399 
400  if(client_version.major_version() < 3)
401  throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered version with major version under 3");
402  if(client_version.major_version() == 3 && client_version.minor_version() == 0)
403  throw TLS_Exception(Alert::PROTOCOL_VERSION, "SSLv3 is not supported");
404 
405  Protocol_Version negotiated_version;
406 
407  const Protocol_Version latest_supported =
408  policy().latest_supported_version(client_version.is_datagram_protocol());
409 
410  if((initial_handshake && client_version.known_version()) ||
411  (!initial_handshake && client_version == active_state->version()))
412  {
413  /*
414  Common cases: new client hello with some known version, or a
415  renegotiation using the same version as previously
416  negotiated.
417  */
418 
419  negotiated_version = client_version;
420  }
421  else if(!initial_handshake && (client_version != active_state->version()))
422  {
423  /*
424  * If this is a renegotiation, and the client has offered a
425  * later version than what it initially negotiated, negotiate
426  * the old version. This matches OpenSSL's behavior. If the
427  * client is offering a version earlier than what it initially
428  * negotiated, reject as a probable attack.
429  */
430  if(active_state->version() > client_version)
431  {
432  throw TLS_Exception(Alert::PROTOCOL_VERSION,
433  "Client negotiated " +
434  active_state->version().to_string() +
435  " then renegotiated with " +
436  client_version.to_string());
437  }
438  else
439  negotiated_version = active_state->version();
440  }
441  else
442  {
443  /*
444  New negotiation using a version we don't know. Offer them the
445  best we currently know and support
446  */
447  negotiated_version = latest_supported;
448  }
449 
450  if(!policy().acceptable_protocol_version(negotiated_version))
451  {
452  throw TLS_Exception(Alert::PROTOCOL_VERSION,
453  "Client version " + negotiated_version.to_string() +
454  " is unacceptable by policy");
455  }
456 
457  if(pending_state.client_hello()->sent_fallback_scsv())
458  {
459  if(latest_supported > client_version)
460  throw TLS_Exception(Alert::INAPPROPRIATE_FALLBACK,
461  "Client signalled fallback SCSV, possible attack");
462  }
463 
464  secure_renegotiation_check(pending_state.client_hello());
465 
466  pending_state.set_version(negotiated_version);
467 
468  callbacks().tls_examine_extensions(pending_state.client_hello()->extensions(), CLIENT);
469 
470  Session session_info;
471  const bool resuming =
472  pending_state.allow_session_resumption() &&
473  check_for_resume(session_info,
474  session_manager(),
475  m_creds,
476  pending_state.client_hello(),
477  std::chrono::seconds(policy().session_ticket_lifetime()));
478 
479  bool have_session_ticket_key = false;
480 
481  try
482  {
483  have_session_ticket_key =
484  m_creds.psk("tls-server", "session-ticket", "").length() > 0;
485  }
486  catch(...) {}
487 
488  m_next_protocol = "";
489  if(pending_state.client_hello()->supports_alpn())
490  {
491  m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
492 
493  // if the callback return was empty, fall back to the (deprecated) std::function
494  if(m_next_protocol.empty() && m_choose_next_protocol)
495  {
496  m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
497  }
498  }
499 
500  if(resuming)
501  {
502  this->session_resume(pending_state, have_session_ticket_key, session_info);
503  }
504  else // new session
505  {
506  this->session_create(pending_state, have_session_ticket_key);
507  }
508  }
509 
510 void Server::process_certificate_msg(Server_Handshake_State& pending_state,
511  const std::vector<uint8_t>& contents)
512  {
513  pending_state.client_certs(new Certificate(contents, policy()));
514  pending_state.set_expected_next(CLIENT_KEX);
515  }
516 
517 void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
518  const std::vector<uint8_t>& contents)
519  {
520  if(pending_state.received_handshake_msg(CERTIFICATE) && !pending_state.client_certs()->empty())
521  pending_state.set_expected_next(CERTIFICATE_VERIFY);
522  else
523  pending_state.set_expected_next(HANDSHAKE_CCS);
524 
525  pending_state.client_kex(new Client_Key_Exchange(contents, pending_state,
526  pending_state.server_rsa_kex_key(),
527  m_creds, policy(), rng()));
528 
529  pending_state.compute_session_keys();
530  }
531 
532 void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
533  {
534  pending_state.set_expected_next(FINISHED);
536  }
537 
538 void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
540  const std::vector<uint8_t>& contents)
541  {
542  pending_state.client_verify(new Certificate_Verify(contents, pending_state.version()));
543 
544  const std::vector<X509_Certificate>& client_certs =
545  pending_state.client_certs()->cert_chain();
546 
547  const bool sig_valid =
548  pending_state.client_verify()->verify(client_certs[0], pending_state, policy());
549 
550  pending_state.hash().update(pending_state.handshake_io().format(contents, type));
551 
552  /*
553  * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
554  * "A handshake cryptographic operation failed, including being
555  * unable to correctly verify a signature, ..."
556  */
557  if(!sig_valid)
558  throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed");
559 
560  try
561  {
562  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
563  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
564 
565  callbacks().tls_verify_cert_chain(client_certs,
566  {}, // ocsp
567  trusted_CAs,
569  sni_hostname,
570  policy());
571  }
572  catch(std::exception& e)
573  {
574  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
575  }
576 
577  pending_state.set_expected_next(HANDSHAKE_CCS);
578  }
579 
580 void Server::process_finished_msg(Server_Handshake_State& pending_state,
582  const std::vector<uint8_t>& contents)
583  {
584  pending_state.set_expected_next(HANDSHAKE_NONE);
585 
586  pending_state.client_finished(new Finished(contents));
587 
588  if(!pending_state.client_finished()->verify(pending_state, CLIENT))
589  throw TLS_Exception(Alert::DECRYPT_ERROR,
590  "Finished message didn't verify");
591 
592  if(!pending_state.server_finished())
593  {
594  // already sent finished if resuming, so this is a new session
595 
596  pending_state.hash().update(pending_state.handshake_io().format(contents, type));
597 
598  Session session_info(
599  pending_state.server_hello()->session_id(),
600  pending_state.session_keys().master_secret(),
601  pending_state.server_hello()->version(),
602  pending_state.server_hello()->ciphersuite(),
603  SERVER,
604  pending_state.server_hello()->supports_extended_master_secret(),
605  pending_state.server_hello()->supports_encrypt_then_mac(),
606  get_peer_cert_chain(pending_state),
607  std::vector<uint8_t>(),
608  Server_Information(pending_state.client_hello()->sni_hostname()),
609  pending_state.srp_identifier(),
610  pending_state.server_hello()->srtp_profile());
611 
612  if(save_session(session_info))
613  {
614  if(pending_state.server_hello()->supports_session_ticket())
615  {
616  try
617  {
618  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
619 
620  pending_state.new_session_ticket(
621  new New_Session_Ticket(pending_state.handshake_io(),
622  pending_state.hash(),
623  session_info.encrypt(ticket_key, rng()),
625  }
626  catch(...) {}
627  }
628  else
629  session_manager().save(session_info);
630  }
631 
632  if(!pending_state.new_session_ticket() &&
633  pending_state.server_hello()->supports_session_ticket())
634  {
635  pending_state.new_session_ticket(
636  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
637  }
638 
639  pending_state.handshake_io().send(Change_Cipher_Spec());
640 
642 
643  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
644  }
645 
647  }
648 
649 /*
650 * Process a handshake message
651 */
652 void Server::process_handshake_msg(const Handshake_State* active_state,
653  Handshake_State& state_base,
655  const std::vector<uint8_t>& contents)
656  {
657  Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
658  state.confirm_transition_to(type);
659 
660  /*
661  * The change cipher spec message isn't technically a handshake
662  * message so it's not included in the hash. The finished and
663  * certificate verify messages are verified based on the current
664  * state of the hash *before* this message so we delay adding them
665  * to the hash computation until we've processed them below.
666  */
668  {
669  state.hash().update(state.handshake_io().format(contents, type));
670  }
671 
672  switch(type)
673  {
674  case CLIENT_HELLO:
675  return this->process_client_hello_msg(active_state, state, contents);
676 
677  case CERTIFICATE:
678  return this->process_certificate_msg(state, contents);
679 
680  case CLIENT_KEX:
681  return this->process_client_key_exchange_msg(state, contents);
682 
683  case CERTIFICATE_VERIFY:
684  return this->process_certificate_verify_msg(state, type, contents);
685 
686  case HANDSHAKE_CCS:
687  return this->process_change_cipher_spec_msg(state);
688 
689  case FINISHED:
690  return this->process_finished_msg(state, type, contents);
691 
692  default:
693  throw Unexpected_Message("Unknown handshake message received");
694  }
695  }
696 
697 void Server::session_resume(Server_Handshake_State& pending_state,
698  bool have_session_ticket_key,
699  Session& session_info)
700  {
701  // Only offer a resuming client a new ticket if they didn't send one this time,
702  // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
703 
704  const bool offer_new_session_ticket =
705  (pending_state.client_hello()->supports_session_ticket() &&
706  pending_state.client_hello()->session_ticket().empty() &&
707  have_session_ticket_key);
708 
709  pending_state.server_hello(new Server_Hello(
710  pending_state.handshake_io(),
711  pending_state.hash(),
712  policy(),
713  callbacks(),
714  rng(),
716  *pending_state.client_hello(),
717  session_info,
718  offer_new_session_ticket,
719  m_next_protocol));
720 
721  secure_renegotiation_check(pending_state.server_hello());
722 
723  pending_state.compute_session_keys(session_info.master_secret());
724  pending_state.set_resume_certs(session_info.peer_certs());
725 
726  if(!save_session(session_info))
727  {
728  session_manager().remove_entry(session_info.session_id());
729 
730  if(pending_state.server_hello()->supports_session_ticket()) // send an empty ticket
731  {
732  pending_state.new_session_ticket(
733  new New_Session_Ticket(pending_state.handshake_io(),
734  pending_state.hash()));
735  }
736  }
737 
738  if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
739  {
740  try
741  {
742  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
743 
744  pending_state.new_session_ticket(
745  new New_Session_Ticket(pending_state.handshake_io(),
746  pending_state.hash(),
747  session_info.encrypt(ticket_key, rng()),
749  }
750  catch(...) {}
751 
752  if(!pending_state.new_session_ticket())
753  {
754  pending_state.new_session_ticket(
755  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
756  }
757  }
758 
759  pending_state.handshake_io().send(Change_Cipher_Spec());
760 
762 
763  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
764  pending_state.set_expected_next(HANDSHAKE_CCS);
765  }
766 
767 void Server::session_create(Server_Handshake_State& pending_state,
768  bool have_session_ticket_key)
769  {
770  std::map<std::string, std::vector<X509_Certificate> > cert_chains;
771 
772  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
773 
774  cert_chains = get_server_certs(sni_hostname, m_creds);
775 
776  if(sni_hostname != "" && cert_chains.empty())
777  {
778  cert_chains = get_server_certs("", m_creds);
779 
780  /*
781  * Only send the unrecognized_name alert if we couldn't
782  * find any certs for the requested name but did find at
783  * least one cert to use in general. That avoids sending an
784  * unrecognized_name when a server is configured for purely
785  * anonymous operation.
786  */
787  if(!cert_chains.empty())
789  }
790 
791  const uint16_t ciphersuite = choose_ciphersuite(policy(), pending_state.version(),
792  m_creds, cert_chains,
793  *pending_state.client_hello());
794 
795  Server_Hello::Settings srv_settings(
796  make_hello_random(rng(), policy()), // new session ID
797  pending_state.version(),
798  ciphersuite,
799  have_session_ticket_key);
800 
801  pending_state.server_hello(new Server_Hello(
802  pending_state.handshake_io(),
803  pending_state.hash(),
804  policy(),
805  callbacks(),
806  rng(),
808  *pending_state.client_hello(),
809  srv_settings,
810  m_next_protocol));
811 
812  secure_renegotiation_check(pending_state.server_hello());
813 
814  const Ciphersuite& pending_suite = pending_state.ciphersuite();
815 
816  Private_Key* private_key = nullptr;
817 
818  if(pending_suite.signature_used() || pending_suite.kex_method() == Kex_Algo::STATIC_RSA)
819  {
820  const std::string algo_used =
821  pending_suite.signature_used() ? pending_suite.sig_algo() : "RSA";
822 
823  BOTAN_ASSERT(!cert_chains[algo_used].empty(),
824  "Attempting to send empty certificate chain");
825 
826  pending_state.server_certs(new Certificate(pending_state.handshake_io(),
827  pending_state.hash(),
828  cert_chains[algo_used]));
829 
830  private_key = m_creds.private_key_for(
831  pending_state.server_certs()->cert_chain()[0],
832  "tls-server",
833  sni_hostname);
834 
835  if(!private_key)
836  throw Internal_Error("No private key located for associated server cert");
837  }
838 
839  if(pending_suite.kex_method() == Kex_Algo::STATIC_RSA)
840  {
841  pending_state.set_server_rsa_kex_key(private_key);
842  }
843  else
844  {
845  pending_state.server_kex(new Server_Key_Exchange(pending_state.handshake_io(),
846  pending_state, policy(),
847  m_creds, rng(), private_key));
848  }
849 
850  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
851 
852  std::vector<X509_DN> client_auth_CAs;
853 
854  for(auto store : trusted_CAs)
855  {
856  auto subjects = store->all_subjects();
857  client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
858  }
859 
860  if(!client_auth_CAs.empty() && pending_state.ciphersuite().signature_used())
861  {
862  pending_state.cert_req(
863  new Certificate_Req(pending_state.handshake_io(),
864  pending_state.hash(),
865  policy(),
866  client_auth_CAs,
867  pending_state.version()));
868 
869  /*
870  SSLv3 allowed clients to skip the Certificate message entirely
871  if they wanted. In TLS v1.0 and later clients must send a
872  (possibly empty) Certificate message
873  */
874  pending_state.set_expected_next(CERTIFICATE);
875  }
876  else
877  {
878  pending_state.set_expected_next(CLIENT_KEX);
879  }
880 
881  pending_state.server_hello_done(new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
882  }
883 }
884 
885 }
static Session decrypt(const uint8_t ctext[], size_t ctext_size, const SymmetricKey &key)
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Definition: tls_channel.h:42
void change_cipher_spec_reader(Connection_Side side)
Signature_Scheme
Definition: tls_algos.h:84
void change_cipher_spec_writer(Connection_Side side)
void send_warning_alert(Alert::Type type)
Definition: tls_channel.h:141
std::function< void(const uint8_t[], size_t)> output_fn
Definition: tls_channel.h:40
bool secure_renegotiation_supported() const
RandomNumberGenerator & rng()
Definition: tls_channel.h:234
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
MechanismType type
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:43
void send_alert(const Alert &alert)
std::function< bool(const Session &)> handshake_cb
Definition: tls_channel.h:43
bool save_session(const Session &session)
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
std::function< std::string(std::vector< std::string >)> next_protocol_fn
Definition: tls_server.h:29
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store *> &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
Definition: alg_id.cpp:13
std::vector< X509_Certificate > resume_peer_certs
Definition: tls_client.cpp:42
OctetString SymmetricKey
Definition: symkey.h:136
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side)
void secure_renegotiation_check(const Client_Hello *client_hello)
size_t length() const
Definition: symkey.h:25
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
virtual SymmetricKey psk(const std::string &type, const std::string &context, const std::string &identity)
std::function< void(const uint8_t[], size_t)> data_cb
Definition: tls_channel.h:41
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
bool signature_scheme_is_known(Signature_Scheme scheme)
Definition: tls_algos.cpp:262
static Ciphersuite by_id(uint16_t suite)
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Callbacks & callbacks() const
Definition: tls_channel.h:242
const Policy & policy() const
Definition: tls_channel.h:238
Server(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Server::IO_BUF_DEFAULT_SIZE)
Definition: tls_server.cpp:292
virtual void save(const Session &session)=0
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:266
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:291
Session_Manager & session_manager()
Definition: tls_channel.h:236
std::function< void(const Handshake_Message &)> handshake_msg_cb
Definition: tls_channel.h:44
virtual Private_Key * private_key_for(const X509_Certificate &cert, const std::string &type, const std::string &context)