Botan  2.11.0
Crypto and TLS for C++11
tls_server.cpp
Go to the documentation of this file.
1 /*
2 * TLS Server
3 * (C) 2004-2011,2012,2016 Jack Lloyd
4 * 2016 Matthias Gierlings
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_server.h>
10 #include <botan/tls_messages.h>
11 #include <botan/internal/tls_handshake_state.h>
12 #include <botan/internal/stl_util.h>
13 #include <botan/tls_magic.h>
14 
15 namespace Botan {
16 
17 namespace TLS {
18 
19 class Server_Handshake_State final : public Handshake_State
20  {
21  public:
22  Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
23  : Handshake_State(io, cb) {}
24 
25  Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key; }
26  void set_server_rsa_kex_key(Private_Key* key)
27  { m_server_rsa_kex_key = key; }
28 
29  bool allow_session_resumption() const
30  { return m_allow_session_resumption; }
31  void set_allow_session_resumption(bool allow_session_resumption)
32  { m_allow_session_resumption = allow_session_resumption; }
33 
34  const std::vector<X509_Certificate>& resume_peer_certs() const
35  { return m_resume_peer_certs; }
36 
37  void set_resume_certs(const std::vector<X509_Certificate>& certs)
38  { m_resume_peer_certs = certs; }
39 
40  void mark_as_resumption() { m_is_a_resumption = true; }
41 
42  bool is_a_resumption() const { return m_is_a_resumption; }
43 
44  private:
45  // Used by the server only, in case of RSA key exchange. Not owned
46  Private_Key* m_server_rsa_kex_key = nullptr;
47 
48  /*
49  * Used by the server to know if resumption should be allowed on
50  * a server-initiated renegotiation
51  */
52  bool m_allow_session_resumption = true;
53 
54  bool m_is_a_resumption = false;
55 
56  std::vector<X509_Certificate> m_resume_peer_certs;
57  };
58 
59 namespace {
60 
61 bool check_for_resume(Session& session_info,
62  Session_Manager& session_manager,
63  Credentials_Manager& credentials,
64  const Client_Hello* client_hello,
65  std::chrono::seconds session_ticket_lifetime)
66  {
67  const std::vector<uint8_t>& client_session_id = client_hello->session_id();
68  const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
69 
70  if(session_ticket.empty())
71  {
72  if(client_session_id.empty()) // not resuming
73  return false;
74 
75  // not found
76  if(!session_manager.load_from_session_id(client_session_id, session_info))
77  return false;
78  }
79  else
80  {
81  // If a session ticket was sent, ignore client session ID
82  try
83  {
84  session_info = Session::decrypt(
85  session_ticket,
86  credentials.psk("tls-server", "session-ticket", ""));
87 
88  if(session_ticket_lifetime != std::chrono::seconds(0) &&
89  session_info.session_age() > session_ticket_lifetime)
90  return false; // ticket has expired
91  }
92  catch(...)
93  {
94  return false;
95  }
96  }
97 
98  // wrong version
99  if(client_hello->version() != session_info.version())
100  return false;
101 
102  // client didn't send original ciphersuite
103  if(!value_exists(client_hello->ciphersuites(),
104  session_info.ciphersuite_code()))
105  return false;
106 
107 #if defined(BOTAN_HAS_SRP6)
108  // client sent a different SRP identity
109  if(client_hello->srp_identifier() != "")
110  {
111  if(client_hello->srp_identifier() != session_info.srp_identifier())
112  return false;
113  }
114 #endif
115 
116  // client sent a different SNI hostname
117  if(client_hello->sni_hostname() != "")
118  {
119  if(client_hello->sni_hostname() != session_info.server_info().hostname())
120  return false;
121  }
122 
123  // Checking extended_master_secret on resume (RFC 7627 section 5.3)
124  if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
125  {
126  if(!session_info.supports_extended_master_secret())
127  {
128  return false; // force new handshake with extended master secret
129  }
130  else
131  {
132  /*
133  Client previously negotiated session with extended master secret,
134  but has now attempted to resume without the extension: abort
135  */
136  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
137  "Client resumed extended ms session without sending extension");
138  }
139  }
140 
141  // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
142  if(!client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
143  {
144  /*
145  Client previously negotiated session with Encrypt-then-MAC,
146  but has now attempted to resume without the extension: abort
147  */
148  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
149  "Client resumed Encrypt-then-MAC session without sending extension");
150  }
151 
152  return true;
153  }
154 
155 /*
156 * Choose which ciphersuite to use
157 */
158 uint16_t choose_ciphersuite(
159  const Policy& policy,
160  Protocol_Version version,
161  Credentials_Manager& creds,
162  const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
163  const Client_Hello& client_hello)
164  {
165  const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
166  const bool have_srp = creds.attempt_srp("tls-server", client_hello.sni_hostname());
167  const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
168  const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
169 
170  if(server_suites.empty())
171  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
172  "Policy forbids us from negotiating any ciphersuite");
173 
174  const bool have_shared_ecc_curve =
175  (policy.choose_key_exchange_group(client_hello.supported_ecc_curves()) != Group_Params::NONE);
176 
177  /*
178  Walk down one list in preference order
179  */
180  std::vector<uint16_t> pref_list = server_suites;
181  std::vector<uint16_t> other_list = client_suites;
182 
183  if(!our_choice)
184  std::swap(pref_list, other_list);
185 
186  for(auto suite_id : pref_list)
187  {
188  if(!value_exists(other_list, suite_id))
189  continue;
190 
191  const Ciphersuite suite = Ciphersuite::by_id(suite_id);
192 
193  if(suite.valid() == false)
194  {
195  continue;
196  }
197 
198  if(have_shared_ecc_curve == false && suite.ecc_ciphersuite())
199  {
200  continue;
201  }
202 
203  // For non-anon ciphersuites
204  if(suite.signature_used())
205  {
206  const std::string sig_algo = suite.sig_algo();
207 
208  // Do we have any certificates for this sig?
209  if(cert_chains.count(sig_algo) == 0)
210  {
211  continue;
212  }
213 
214  if(version.supports_negotiable_signature_algorithms())
215  {
216  const std::vector<Signature_Scheme> allowed =
217  policy.allowed_signature_schemes();
218 
219  std::vector<Signature_Scheme> client_sig_methods =
220  client_hello.signature_schemes();
221 
222  if(client_sig_methods.empty())
223  {
224  // If empty, then implicit SHA-1 (TLS v1.2 rules)
225  client_sig_methods.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
226  client_sig_methods.push_back(Signature_Scheme::ECDSA_SHA1);
227  client_sig_methods.push_back(Signature_Scheme::DSA_SHA1);
228  }
229 
230  bool we_support_some_hash_by_client = false;
231 
232  for(Signature_Scheme scheme : client_sig_methods)
233  {
234  if(signature_scheme_is_known(scheme) == false)
235  continue;
236 
237  if(signature_algorithm_of_scheme(scheme) == suite.sig_algo() &&
238  policy.allowed_signature_hash(hash_function_of_scheme(scheme)))
239  {
240  we_support_some_hash_by_client = true;
241  }
242  }
243 
244  if(we_support_some_hash_by_client == false)
245  {
246  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
247  "Policy does not accept any hash function supported by client");
248  }
249  }
250  }
251 
252 #if defined(BOTAN_HAS_SRP6)
253  /*
254  The client may offer SRP cipher suites in the hello message but
255  omit the SRP extension. If the server would like to select an
256  SRP cipher suite in this case, the server SHOULD return a fatal
257  "unknown_psk_identity" alert immediately after processing the
258  client hello message.
259  - RFC 5054 section 2.5.1.2
260  */
261  if(suite.kex_method() == Kex_Algo::SRP_SHA && client_hello.srp_identifier() == "")
262  throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
263  "Client wanted SRP but did not send username");
264 #endif
265 
266  return suite_id;
267  }
268 
269  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
270  "Can't agree on a ciphersuite with client");
271  }
272 
273 std::map<std::string, std::vector<X509_Certificate>>
274 get_server_certs(const std::string& hostname,
275  Credentials_Manager& creds)
276  {
277  const char* cert_types[] = { "RSA", "ECDSA", "DSA", nullptr };
278 
279  std::map<std::string, std::vector<X509_Certificate>> cert_chains;
280 
281  for(size_t i = 0; cert_types[i]; ++i)
282  {
283  const std::vector<X509_Certificate> certs =
284  creds.cert_chain_single_type(cert_types[i], "tls-server", hostname);
285 
286  if(!certs.empty())
287  cert_chains[cert_types[i]] = certs;
288  }
289 
290  return cert_chains;
291  }
292 
293 }
294 
295 /*
296 * TLS Server Constructor
297 */
298 Server::Server(Callbacks& callbacks,
299  Session_Manager& session_manager,
300  Credentials_Manager& creds,
301  const Policy& policy,
302  RandomNumberGenerator& rng,
303  bool is_datagram,
304  size_t io_buf_sz) :
305  Channel(callbacks, session_manager, rng, policy,
306  is_datagram, io_buf_sz),
307  m_creds(creds)
308  {
309  }
310 
311 Server::Server(output_fn output,
312  data_cb got_data_cb,
313  alert_cb recv_alert_cb,
314  handshake_cb hs_cb,
315  Session_Manager& session_manager,
316  Credentials_Manager& creds,
317  const Policy& policy,
318  RandomNumberGenerator& rng,
319  next_protocol_fn next_proto,
320  bool is_datagram,
321  size_t io_buf_sz) :
322  Channel(output, got_data_cb, recv_alert_cb, hs_cb,
323  Channel::handshake_msg_cb(), session_manager,
324  rng, policy, is_datagram, io_buf_sz),
325  m_creds(creds),
326  m_choose_next_protocol(next_proto)
327  {
328  }
329 
330 Server::Server(output_fn output,
331  data_cb got_data_cb,
332  alert_cb recv_alert_cb,
333  handshake_cb hs_cb,
334  handshake_msg_cb hs_msg_cb,
335  Session_Manager& session_manager,
336  Credentials_Manager& creds,
337  const Policy& policy,
338  RandomNumberGenerator& rng,
339  next_protocol_fn next_proto,
340  bool is_datagram) :
341  Channel(output, got_data_cb, recv_alert_cb, hs_cb, hs_msg_cb,
342  session_manager, rng, policy, is_datagram),
343  m_creds(creds),
344  m_choose_next_protocol(next_proto)
345  {
346  }
347 
348 Handshake_State* Server::new_handshake_state(Handshake_IO* io)
349  {
350  std::unique_ptr<Handshake_State> state(new Server_Handshake_State(io, callbacks()));
351 
352  state->set_expected_next(CLIENT_HELLO);
353  return state.release();
354  }
355 
356 std::vector<X509_Certificate>
357 Server::get_peer_cert_chain(const Handshake_State& state_base) const
358  {
359  const Server_Handshake_State& state = dynamic_cast<const Server_Handshake_State&>(state_base);
360  if(state.resume_peer_certs().size() > 0)
361  return state.resume_peer_certs();
362 
363  if(state.client_certs())
364  return state.client_certs()->cert_chain();
365  return std::vector<X509_Certificate>();
366  }
367 
368 /*
369 * Send a hello request to the client
370 */
371 void Server::initiate_handshake(Handshake_State& state,
372  bool force_full_renegotiation)
373  {
374  dynamic_cast<Server_Handshake_State&>(state).
375  set_allow_session_resumption(!force_full_renegotiation);
376 
377  Hello_Request hello_req(state.handshake_io());
378  }
379 
380 namespace {
381 
382 Protocol_Version select_version(const Botan::TLS::Policy& policy,
383  Protocol_Version client_offer,
384  Protocol_Version active_version,
385  bool is_fallback,
386  const std::vector<Protocol_Version>& supported_versions)
387  {
388  const bool is_datagram = client_offer.is_datagram_protocol();
389  const bool initial_handshake = (active_version.valid() == false);
390 
391  const Protocol_Version latest_supported = policy.latest_supported_version(is_datagram);
392 
393  if(is_fallback)
394  {
395  if(latest_supported > client_offer)
396  throw TLS_Exception(Alert::INAPPROPRIATE_FALLBACK,
397  "Client signalled fallback SCSV, possible attack");
398  }
399 
400  if(supported_versions.size() > 0)
401  {
402  if(is_datagram)
403  {
404  if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12)))
405  return Protocol_Version::DTLS_V12;
406  if(policy.allow_dtls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V10)))
407  return Protocol_Version::DTLS_V10;
408  throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared DTLS version");
409  }
410  else
411  {
412  if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12)))
413  return Protocol_Version::TLS_V12;
414  if(policy.allow_tls11() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V11)))
415  return Protocol_Version::TLS_V11;
416  if(policy.allow_tls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V10)))
417  return Protocol_Version::TLS_V10;
418  throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared TLS version");
419  }
420  }
421 
422  const bool client_offer_acceptable =
423  client_offer.known_version() && policy.acceptable_protocol_version(client_offer);
424 
425  if(!initial_handshake)
426  {
427  /*
428  * If this is a renegotiation, and the client has offered a
429  * later version than what it initially negotiated, negotiate
430  * the old version. This matches OpenSSL's behavior. If the
431  * client is offering a version earlier than what it initially
432  * negotiated, reject as a probable attack.
433  */
434  if(active_version > client_offer)
435  {
436  throw TLS_Exception(Alert::PROTOCOL_VERSION,
437  "Client negotiated " +
438  active_version.to_string() +
439  " then renegotiated with " +
440  client_offer.to_string());
441  }
442  else
443  {
444  return active_version;
445  }
446  }
447  else if(client_offer_acceptable)
448  {
449  return client_offer;
450  }
451  else if(!client_offer.known_version() || client_offer > latest_supported)
452  {
453  /*
454  The client offered some version newer than the latest we
455  support. Offer them the best we know.
456  */
457  return latest_supported;
458  }
459  else
460  {
461  throw TLS_Exception(Alert::PROTOCOL_VERSION,
462  "Client version " + client_offer.to_string() +
463  " is unacceptable by policy");
464  }
465  }
466 
467 }
468 
469 /*
470 * Process a CLIENT HELLO Message
471 */
472 void Server::process_client_hello_msg(const Handshake_State* active_state,
473  Server_Handshake_State& pending_state,
474  const std::vector<uint8_t>& contents)
475  {
476  const bool initial_handshake = !active_state;
477 
478  if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false)
479  {
480  if(policy().abort_connection_on_undesired_renegotiation())
481  throw TLS_Exception(Alert::NO_RENEGOTIATION, "Server policy prohibits renegotiation");
482  else
483  send_warning_alert(Alert::NO_RENEGOTIATION);
484  return;
485  }
486 
487  if(!policy().allow_insecure_renegotiation() &&
488  !(initial_handshake || secure_renegotiation_supported()))
489  {
490  send_warning_alert(Alert::NO_RENEGOTIATION);
491  return;
492  }
493 
494  pending_state.client_hello(new Client_Hello(contents));
495  const Protocol_Version client_offer = pending_state.client_hello()->version();
496  const bool datagram = client_offer.is_datagram_protocol();
497 
498  if(datagram)
499  {
500  if(client_offer.major_version() == 0xFF)
501  throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered DTLS version with major version 0xFF");
502  }
503  else
504  {
505  if(client_offer.major_version() < 3)
506  throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered TLS version with major version under 3");
507  if(client_offer.major_version() == 3 && client_offer.minor_version() == 0)
508  throw TLS_Exception(Alert::PROTOCOL_VERSION, "SSLv3 is not supported");
509  }
510 
511  /*
512  * BoGo test suite expects that we will send the hello verify with a record
513  * version matching the version that is eventually negotiated. This is wrong
514  * but harmless, so go with it. Also doing the version negotiation step first
515  * allows to immediately close the connection with an alert if the client has
516  * offered a version that we are not going to negotiate anyway, instead of
517  * making them first do the cookie exchange and then telling them no.
518  *
519  * There is no issue with amplification here, since the alert is just 2 bytes.
520  */
521  const Protocol_Version negotiated_version =
522  select_version(policy(), client_offer,
523  active_state ? active_state->version() : Protocol_Version(),
524  pending_state.client_hello()->sent_fallback_scsv(),
525  pending_state.client_hello()->supported_versions());
526 
527  pending_state.set_version(negotiated_version);
528 
529  const auto compression_methods = pending_state.client_hello()->compression_methods();
530  if(!value_exists(compression_methods, uint8_t(0)))
531  throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Client did not offer NULL compression");
532 
533  if(initial_handshake && datagram)
534  {
535  SymmetricKey cookie_secret;
536 
537  try
538  {
539  cookie_secret = m_creds.psk("tls-server", "dtls-cookie-secret", "");
540  }
541  catch(...) {}
542 
543  if(cookie_secret.size() > 0)
544  {
545  const std::string client_identity = callbacks().tls_peer_network_identity();
546  Hello_Verify_Request verify(pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
547 
548  if(pending_state.client_hello()->cookie() != verify.cookie())
549  {
550  pending_state.handshake_io().send(verify);
551  pending_state.client_hello(nullptr);
552  pending_state.set_expected_next(CLIENT_HELLO);
553  return;
554  }
555  }
556  }
557 
558  secure_renegotiation_check(pending_state.client_hello());
559 
560  callbacks().tls_examine_extensions(pending_state.client_hello()->extensions(), CLIENT);
561 
562  Session session_info;
563  const bool resuming =
564  pending_state.allow_session_resumption() &&
565  check_for_resume(session_info,
566  session_manager(),
567  m_creds,
568  pending_state.client_hello(),
569  std::chrono::seconds(policy().session_ticket_lifetime()));
570 
571  bool have_session_ticket_key = false;
572 
573  try
574  {
575  have_session_ticket_key =
576  m_creds.psk("tls-server", "session-ticket", "").length() > 0;
577  }
578  catch(...) {}
579 
580  m_next_protocol = "";
581  if(pending_state.client_hello()->supports_alpn())
582  {
583  m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
584 
585  // if the callback return was empty, fall back to the (deprecated) std::function
586  if(m_next_protocol.empty() && m_choose_next_protocol)
587  {
588  m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
589  }
590  }
591 
592  if(resuming)
593  {
594  this->session_resume(pending_state, have_session_ticket_key, session_info);
595  }
596  else // new session
597  {
598  this->session_create(pending_state, have_session_ticket_key);
599  }
600  }
601 
602 void Server::process_certificate_msg(Server_Handshake_State& pending_state,
603  const std::vector<uint8_t>& contents)
604  {
605  pending_state.client_certs(new Certificate(contents, policy()));
606 
607  // CERTIFICATE_REQUIRED would make more sense but BoGo expects handshake failure alert
608  if(pending_state.client_certs()->empty() && policy().require_client_certificate_authentication())
609  throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Policy requires client send a certificate, but it did not");
610 
611  pending_state.set_expected_next(CLIENT_KEX);
612  }
613 
614 void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
615  const std::vector<uint8_t>& contents)
616  {
617  if(pending_state.received_handshake_msg(CERTIFICATE) && !pending_state.client_certs()->empty())
618  pending_state.set_expected_next(CERTIFICATE_VERIFY);
619  else
620  pending_state.set_expected_next(HANDSHAKE_CCS);
621 
622  pending_state.client_kex(new Client_Key_Exchange(contents, pending_state,
623  pending_state.server_rsa_kex_key(),
624  m_creds, policy(), rng()));
625 
626  pending_state.compute_session_keys();
627  }
628 
629 void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
630  {
631  pending_state.set_expected_next(FINISHED);
632  change_cipher_spec_reader(SERVER);
633  }
634 
635 void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
637  const std::vector<uint8_t>& contents)
638  {
639  pending_state.client_verify(new Certificate_Verify(contents, pending_state.version()));
640 
641  const std::vector<X509_Certificate>& client_certs =
642  pending_state.client_certs()->cert_chain();
643 
644  const bool sig_valid =
645  pending_state.client_verify()->verify(client_certs[0], pending_state, policy());
646 
647  pending_state.hash().update(pending_state.handshake_io().format(contents, type));
648 
649  /*
650  * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
651  * "A handshake cryptographic operation failed, including being
652  * unable to correctly verify a signature, ..."
653  */
654  if(!sig_valid)
655  throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed");
656 
657  try
658  {
659  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
660  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
661 
662  callbacks().tls_verify_cert_chain(client_certs,
663  {}, // ocsp
664  trusted_CAs,
666  sni_hostname,
667  policy());
668  }
669  catch(std::exception& e)
670  {
671  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
672  }
673 
674  pending_state.set_expected_next(HANDSHAKE_CCS);
675  }
676 
677 void Server::process_finished_msg(Server_Handshake_State& pending_state,
679  const std::vector<uint8_t>& contents)
680  {
681  pending_state.set_expected_next(HANDSHAKE_NONE);
682 
683  pending_state.client_finished(new Finished(contents));
684 
685  if(!pending_state.client_finished()->verify(pending_state, CLIENT))
686  throw TLS_Exception(Alert::DECRYPT_ERROR,
687  "Finished message didn't verify");
688 
689  if(!pending_state.server_finished())
690  {
691  // already sent finished if resuming, so this is a new session
692 
693  pending_state.hash().update(pending_state.handshake_io().format(contents, type));
694 
695  Session session_info(
696  pending_state.server_hello()->session_id(),
697  pending_state.session_keys().master_secret(),
698  pending_state.server_hello()->version(),
699  pending_state.server_hello()->ciphersuite(),
700  SERVER,
701  pending_state.server_hello()->supports_extended_master_secret(),
702  pending_state.server_hello()->supports_encrypt_then_mac(),
703  get_peer_cert_chain(pending_state),
704  std::vector<uint8_t>(),
705  Server_Information(pending_state.client_hello()->sni_hostname()),
706  pending_state.srp_identifier(),
707  pending_state.server_hello()->srtp_profile());
708 
709  if(save_session(session_info))
710  {
711  if(pending_state.server_hello()->supports_session_ticket())
712  {
713  try
714  {
715  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
716 
717  pending_state.new_session_ticket(
718  new New_Session_Ticket(pending_state.handshake_io(),
719  pending_state.hash(),
720  session_info.encrypt(ticket_key, rng()),
721  policy().session_ticket_lifetime()));
722  }
723  catch(...) {}
724  }
725  else
726  session_manager().save(session_info);
727  }
728 
729  if(!pending_state.new_session_ticket() &&
730  pending_state.server_hello()->supports_session_ticket())
731  {
732  pending_state.new_session_ticket(
733  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
734  }
735 
736  pending_state.handshake_io().send(Change_Cipher_Spec());
737 
738  change_cipher_spec_writer(SERVER);
739 
740  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
741  }
742 
743  activate_session();
744  }
745 
746 /*
747 * Process a handshake message
748 */
749 void Server::process_handshake_msg(const Handshake_State* active_state,
750  Handshake_State& state_base,
752  const std::vector<uint8_t>& contents)
753  {
754  Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
755  state.confirm_transition_to(type);
756 
757  /*
758  * The change cipher spec message isn't technically a handshake
759  * message so it's not included in the hash. The finished and
760  * certificate verify messages are verified based on the current
761  * state of the hash *before* this message so we delay adding them
762  * to the hash computation until we've processed them below.
763  */
765  {
766  state.hash().update(state.handshake_io().format(contents, type));
767  }
768 
769  switch(type)
770  {
771  case CLIENT_HELLO:
772  return this->process_client_hello_msg(active_state, state, contents);
773 
774  case CERTIFICATE:
775  return this->process_certificate_msg(state, contents);
776 
777  case CLIENT_KEX:
778  return this->process_client_key_exchange_msg(state, contents);
779 
780  case CERTIFICATE_VERIFY:
781  return this->process_certificate_verify_msg(state, type, contents);
782 
783  case HANDSHAKE_CCS:
784  return this->process_change_cipher_spec_msg(state);
785 
786  case FINISHED:
787  return this->process_finished_msg(state, type, contents);
788 
789  default:
790  throw Unexpected_Message("Unknown handshake message received");
791  }
792  }
793 
794 void Server::session_resume(Server_Handshake_State& pending_state,
795  bool have_session_ticket_key,
796  Session& session_info)
797  {
798  // Only offer a resuming client a new ticket if they didn't send one this time,
799  // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
800 
801  const bool offer_new_session_ticket =
802  (pending_state.client_hello()->supports_session_ticket() &&
803  pending_state.client_hello()->session_ticket().empty() &&
804  have_session_ticket_key);
805 
806  pending_state.server_hello(new Server_Hello(
807  pending_state.handshake_io(),
808  pending_state.hash(),
809  policy(),
810  callbacks(),
811  rng(),
812  secure_renegotiation_data_for_server_hello(),
813  *pending_state.client_hello(),
814  session_info,
815  offer_new_session_ticket,
816  m_next_protocol));
817 
818  secure_renegotiation_check(pending_state.server_hello());
819 
820  pending_state.mark_as_resumption();
821  pending_state.compute_session_keys(session_info.master_secret());
822  pending_state.set_resume_certs(session_info.peer_certs());
823 
824  if(!save_session(session_info))
825  {
826  session_manager().remove_entry(session_info.session_id());
827 
828  if(pending_state.server_hello()->supports_session_ticket()) // send an empty ticket
829  {
830  pending_state.new_session_ticket(
831  new New_Session_Ticket(pending_state.handshake_io(),
832  pending_state.hash()));
833  }
834  }
835 
836  if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
837  {
838  try
839  {
840  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
841 
842  pending_state.new_session_ticket(
843  new New_Session_Ticket(pending_state.handshake_io(),
844  pending_state.hash(),
845  session_info.encrypt(ticket_key, rng()),
846  policy().session_ticket_lifetime()));
847  }
848  catch(...) {}
849 
850  if(!pending_state.new_session_ticket())
851  {
852  pending_state.new_session_ticket(
853  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
854  }
855  }
856 
857  pending_state.handshake_io().send(Change_Cipher_Spec());
858 
859  change_cipher_spec_writer(SERVER);
860 
861  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
862  pending_state.set_expected_next(HANDSHAKE_CCS);
863  }
864 
865 void Server::session_create(Server_Handshake_State& pending_state,
866  bool have_session_ticket_key)
867  {
868  std::map<std::string, std::vector<X509_Certificate>> cert_chains;
869 
870  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
871 
872  cert_chains = get_server_certs(sni_hostname, m_creds);
873 
874  if(sni_hostname != "" && cert_chains.empty())
875  {
876  cert_chains = get_server_certs("", m_creds);
877 
878  /*
879  * Only send the unrecognized_name alert if we couldn't
880  * find any certs for the requested name but did find at
881  * least one cert to use in general. That avoids sending an
882  * unrecognized_name when a server is configured for purely
883  * anonymous/PSK operation.
884  */
885  if(!cert_chains.empty())
886  send_warning_alert(Alert::UNRECOGNIZED_NAME);
887  }
888 
889  const uint16_t ciphersuite = choose_ciphersuite(policy(), pending_state.version(),
890  m_creds, cert_chains,
891  *pending_state.client_hello());
892 
893  Server_Hello::Settings srv_settings(
894  make_hello_random(rng(), policy()), // new session ID
895  pending_state.version(),
896  ciphersuite,
897  have_session_ticket_key);
898 
899  pending_state.server_hello(new Server_Hello(
900  pending_state.handshake_io(),
901  pending_state.hash(),
902  policy(),
903  callbacks(),
904  rng(),
905  secure_renegotiation_data_for_server_hello(),
906  *pending_state.client_hello(),
907  srv_settings,
908  m_next_protocol));
909 
910  secure_renegotiation_check(pending_state.server_hello());
911 
912  const Ciphersuite& pending_suite = pending_state.ciphersuite();
913 
914  Private_Key* private_key = nullptr;
915 
916  if(pending_suite.signature_used() || pending_suite.kex_method() == Kex_Algo::STATIC_RSA)
917  {
918  const std::string algo_used =
919  pending_suite.signature_used() ? pending_suite.sig_algo() : "RSA";
920 
921  BOTAN_ASSERT(!cert_chains[algo_used].empty(),
922  "Attempting to send empty certificate chain");
923 
924  pending_state.server_certs(new Certificate(pending_state.handshake_io(),
925  pending_state.hash(),
926  cert_chains[algo_used]));
927 
928  if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() == false)
929  {
930  auto csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
931  // csr is non-null if client_hello()->supports_cert_status_message()
932  BOTAN_ASSERT_NOMSG(csr != nullptr);
933  const auto resp_bytes = callbacks().tls_provide_cert_status(cert_chains[algo_used], *csr);
934  if(resp_bytes.size() > 0)
935  {
936  pending_state.server_cert_status(new Certificate_Status(
937  pending_state.handshake_io(),
938  pending_state.hash(),
939  resp_bytes
940  ));
941  }
942  }
943 
944  private_key = m_creds.private_key_for(
945  pending_state.server_certs()->cert_chain()[0],
946  "tls-server",
947  sni_hostname);
948 
949  if(!private_key)
950  throw Internal_Error("No private key located for associated server cert");
951  }
952 
953  if(pending_suite.kex_method() == Kex_Algo::STATIC_RSA)
954  {
955  pending_state.set_server_rsa_kex_key(private_key);
956  }
957  else
958  {
959  pending_state.server_kex(new Server_Key_Exchange(pending_state.handshake_io(),
960  pending_state, policy(),
961  m_creds, rng(), private_key));
962  }
963 
964  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
965 
966  std::vector<X509_DN> client_auth_CAs;
967 
968  for(auto store : trusted_CAs)
969  {
970  auto subjects = store->all_subjects();
971  client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
972  }
973 
974  const bool request_cert =
975  (client_auth_CAs.empty() == false) ||
976  policy().request_client_certificate_authentication();
977 
978  if(request_cert && pending_state.ciphersuite().signature_used())
979  {
980  pending_state.cert_req(
981  new Certificate_Req(pending_state.handshake_io(),
982  pending_state.hash(),
983  policy(),
984  client_auth_CAs,
985  pending_state.version()));
986 
987  /*
988  SSLv3 allowed clients to skip the Certificate message entirely
989  if they wanted. In TLS v1.0 and later clients must send a
990  (possibly empty) Certificate message
991  */
992  pending_state.set_expected_next(CERTIFICATE);
993  }
994  else
995  {
996  pending_state.set_expected_next(CLIENT_KEX);
997  }
998 
999  pending_state.server_hello_done(new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
1000  }
1001 }
1002 
1003 }
Path_Validation_Result const Path_Validation_Restrictions const Certificate_Store & store
Definition: x509path.h:272
bool RandomNumberGenerator & rng
Definition: numthry.h:176
std::string hash_function_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:191
const Private_Key & private_key
Definition: keypair.h:28
int(* final)(unsigned char *, CTX *)
Signature_Scheme
Definition: tls_algos.h:84
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
MechanismType type
Path_Validation_Result const Path_Validation_Restrictions const std::vector< Certificate_Store * > const std::string & hostname
Definition: x509path.h:252
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:55
bool signature_scheme_is_known(Signature_Scheme scheme)
Definition: tls_algos.cpp:262
std::string decrypt(const uint8_t input[], size_t input_len, const std::string &passphrase)
Definition: cryptobox.cpp:162
class BOTAN_PUBLIC_API(2, 11) Argon2 final class BOTAN_PUBLIC_API(2, 11) Argon2_Family final void size_t const char size_t const uint8_t size_t const uint8_t key[]
Definition: argon2.h:87
Definition: alg_id.cpp:13
OctetString SymmetricKey
Definition: symkey.h:141
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
Definition: tls_algos.cpp:291
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
void BlockCipher const uint8_t size_t uint8_t output[]
Definition: package.h:29
botan_mp_t botan_mp_t botan_mp_t e
Definition: ffi.h:1116