Botan  2.4.0
Crypto and TLS for C++11
tls_server.cpp
Go to the documentation of this file.
1 /*
2 * TLS Server
3 * (C) 2004-2011,2012,2016 Jack Lloyd
4 * 2016 Matthias Gierlings
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_server.h>
10 #include <botan/tls_messages.h>
11 #include <botan/internal/tls_handshake_state.h>
12 #include <botan/internal/stl_util.h>
13 #include <botan/tls_magic.h>
14 
15 namespace Botan {
16 
17 namespace TLS {
18 
19 class Server_Handshake_State final : public Handshake_State
20  {
21  public:
22  Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
23  : Handshake_State(io, cb) {}
24 
25  Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key; }
26  void set_server_rsa_kex_key(Private_Key* key)
27  { m_server_rsa_kex_key = key; }
28 
29  bool allow_session_resumption() const
30  { return m_allow_session_resumption; }
31  void set_allow_session_resumption(bool allow_session_resumption)
32  { m_allow_session_resumption = allow_session_resumption; }
33 
34  const std::vector<X509_Certificate>& resume_peer_certs() const
35  { return m_resume_peer_certs; }
36 
37  void set_resume_certs(const std::vector<X509_Certificate>& certs)
38  { m_resume_peer_certs = certs; }
39 
40  private:
41  // Used by the server only, in case of RSA key exchange. Not owned
42  Private_Key* m_server_rsa_kex_key = nullptr;
43 
44  /*
45  * Used by the server to know if resumption should be allowed on
46  * a server-initiated renegotiation
47  */
48  bool m_allow_session_resumption = true;
49 
50  std::vector<X509_Certificate> m_resume_peer_certs;
51  };
52 
53 namespace {
54 
55 bool check_for_resume(Session& session_info,
56  Session_Manager& session_manager,
57  Credentials_Manager& credentials,
58  const Client_Hello* client_hello,
59  std::chrono::seconds session_ticket_lifetime)
60  {
61  const std::vector<uint8_t>& client_session_id = client_hello->session_id();
62  const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
63 
64  if(session_ticket.empty())
65  {
66  if(client_session_id.empty()) // not resuming
67  return false;
68 
69  // not found
70  if(!session_manager.load_from_session_id(client_session_id, session_info))
71  return false;
72  }
73  else
74  {
75  // If a session ticket was sent, ignore client session ID
76  try
77  {
78  session_info = Session::decrypt(
79  session_ticket,
80  credentials.psk("tls-server", "session-ticket", ""));
81 
82  if(session_ticket_lifetime != std::chrono::seconds(0) &&
83  session_info.session_age() > session_ticket_lifetime)
84  return false; // ticket has expired
85  }
86  catch(...)
87  {
88  return false;
89  }
90  }
91 
92  // wrong version
93  if(client_hello->version() != session_info.version())
94  return false;
95 
96  // client didn't send original ciphersuite
97  if(!value_exists(client_hello->ciphersuites(),
98  session_info.ciphersuite_code()))
99  return false;
100 
101  // client didn't send original compression method
102  if(!value_exists(client_hello->compression_methods(),
103  session_info.compression_method()))
104  return false;
105 
106 #if defined(BOTAN_HAS_SRP6)
107  // client sent a different SRP identity
108  if(client_hello->srp_identifier() != "")
109  {
110  if(client_hello->srp_identifier() != session_info.srp_identifier())
111  return false;
112  }
113 #endif
114 
115  // client sent a different SNI hostname
116  if(client_hello->sni_hostname() != "")
117  {
118  if(client_hello->sni_hostname() != session_info.server_info().hostname())
119  return false;
120  }
121 
122  // Checking extended_master_secret on resume (RFC 7627 section 5.3)
123  if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
124  {
125  if(!session_info.supports_extended_master_secret())
126  {
127  return false; // force new handshake with extended master secret
128  }
129  else
130  {
131  /*
132  Client previously negotiated session with extended master secret,
133  but has now attempted to resume without the extension: abort
134  */
135  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
136  "Client resumed extended ms session without sending extension");
137  }
138  }
139 
140  // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
141  if(!client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
142  {
143  /*
144  Client previously negotiated session with Encrypt-then-MAC,
145  but has now attempted to resume without the extension: abort
146  */
147  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
148  "Client resumed Encrypt-then-MAC session without sending extension");
149  }
150 
151  return true;
152  }
153 
154 /*
155 * Choose which ciphersuite to use
156 */
157 uint16_t choose_ciphersuite(
158  const Policy& policy,
159  Protocol_Version version,
160  Credentials_Manager& creds,
161  const std::map<std::string, std::vector<X509_Certificate> >& cert_chains,
162  const Client_Hello& client_hello)
163  {
164  const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
165  const bool have_srp = creds.attempt_srp("tls-server", client_hello.sni_hostname());
166  const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
167  const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
168 
169  if(server_suites.empty())
170  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
171  "Policy forbids us from negotiating any ciphersuite");
172 
173  const bool have_shared_ecc_curve =
174  (policy.choose_curve(client_hello.supported_ecc_curves()) != "");
175 
176  /*
177  Walk down one list in preference order
178  */
179  std::vector<uint16_t> pref_list = server_suites;
180  std::vector<uint16_t> other_list = client_suites;
181 
182  if(!our_choice)
183  std::swap(pref_list, other_list);
184 
185  const std::set<std::string> client_sig_algos = client_hello.supported_sig_algos();
186 
187  for(auto suite_id : pref_list)
188  {
189  if(!value_exists(other_list, suite_id))
190  continue;
191 
192  const Ciphersuite suite = Ciphersuite::by_id(suite_id);
193 
194  if(suite.valid() == false)
195  continue;
196 
197  if(suite.ecc_ciphersuite() && have_shared_ecc_curve == false)
198  continue;
199 
200  // For non-anon ciphersuites
201  if(suite.sig_algo() != "")
202  {
203  // Do we have any certificates for this sig?
204  if(cert_chains.count(suite.sig_algo()) == 0)
205  continue;
206 
207  // Client reques
208  if(!client_sig_algos.empty() && client_sig_algos.count(suite.sig_algo()) == 0)
209  continue;
210  }
211 
212  if(version.supports_negotiable_signature_algorithms() && suite.sig_algo() != "")
213  {
214  const std::vector<std::pair<std::string, std::string>> client_sig_hash_pairs =
215  client_hello.supported_algos();
216 
217  if(client_hello.supported_algos().empty() == false)
218  {
219  bool we_support_some_hash_by_client = false;
220 
221  for(auto&& hash_and_sig : client_hello.supported_algos())
222  {
223  if(hash_and_sig.second == suite.sig_algo() &&
224  policy.allowed_signature_hash(hash_and_sig.first))
225  {
226  we_support_some_hash_by_client = true;
227  break;
228  }
229  }
230 
231  if(we_support_some_hash_by_client == false)
232  {
233  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
234  "Policy does not accept any hash function supported by client");
235  }
236  }
237  else
238  {
239  if(policy.allowed_signature_hash("SHA-1") == false)
240  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
241  "Client did not send signature_algorithms extension "
242  "and policy prohibits SHA-1 fallback");
243  }
244  }
245 
246 #if defined(BOTAN_HAS_SRP6)
247  /*
248  The client may offer SRP cipher suites in the hello message but
249  omit the SRP extension. If the server would like to select an
250  SRP cipher suite in this case, the server SHOULD return a fatal
251  "unknown_psk_identity" alert immediately after processing the
252  client hello message.
253  - RFC 5054 section 2.5.1.2
254  */
255  if(suite.kex_algo() == "SRP_SHA" && client_hello.srp_identifier() == "")
256  throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
257  "Client wanted SRP but did not send username");
258 #endif
259 
260  return suite_id;
261  }
262 
263  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
264  "Can't agree on a ciphersuite with client");
265  }
266 
267 
268 /*
269 * Choose which compression algorithm to use
270 */
271 uint8_t choose_compression(const Policy& policy,
272  const std::vector<uint8_t>& c_comp)
273  {
274  std::vector<uint8_t> s_comp = policy.compression();
275 
276  for(size_t i = 0; i != s_comp.size(); ++i)
277  for(size_t j = 0; j != c_comp.size(); ++j)
278  if(s_comp[i] == c_comp[j])
279  return s_comp[i];
280 
281  return NO_COMPRESSION;
282  }
283 
284 std::map<std::string, std::vector<X509_Certificate> >
285 get_server_certs(const std::string& hostname,
286  Credentials_Manager& creds)
287  {
288  const char* cert_types[] = { "RSA", "DSA", "ECDSA", nullptr };
289 
290  std::map<std::string, std::vector<X509_Certificate> > cert_chains;
291 
292  for(size_t i = 0; cert_types[i]; ++i)
293  {
294  std::vector<X509_Certificate> certs =
295  creds.cert_chain_single_type(cert_types[i], "tls-server", hostname);
296 
297  if(!certs.empty())
298  cert_chains[cert_types[i]] = certs;
299  }
300 
301  return cert_chains;
302  }
303 
304 }
305 
306 /*
307 * TLS Server Constructor
308 */
310  Session_Manager& session_manager,
311  Credentials_Manager& creds,
312  const Policy& policy,
314  bool is_datagram,
315  size_t io_buf_sz) :
316  Channel(callbacks, session_manager, rng, policy,
317  is_datagram, io_buf_sz),
318  m_creds(creds)
319  {
320  }
321 
326  Session_Manager& session_manager,
327  Credentials_Manager& creds,
328  const Policy& policy,
330  next_protocol_fn next_proto,
331  bool is_datagram,
332  size_t io_buf_sz) :
333  Channel(output, data_cb, alert_cb, handshake_cb,
334  Channel::handshake_msg_cb(), session_manager,
335  rng, policy, is_datagram, io_buf_sz),
336  m_creds(creds),
337  m_choose_next_protocol(next_proto)
338  {
339  }
340 
341 
346  handshake_msg_cb hs_msg_cb,
347  Session_Manager& session_manager,
348  Credentials_Manager& creds,
349  const Policy& policy,
351  next_protocol_fn next_proto,
352  bool is_datagram) :
353  Channel(output, data_cb, alert_cb, handshake_cb, hs_msg_cb,
354  session_manager, rng, policy, is_datagram),
355  m_creds(creds),
356  m_choose_next_protocol(next_proto)
357  {
358  }
359 
360 Handshake_State* Server::new_handshake_state(Handshake_IO* io)
361  {
362  std::unique_ptr<Handshake_State> state(new Server_Handshake_State(io, callbacks()));
363 
364  state->set_expected_next(CLIENT_HELLO);
365  return state.release();
366  }
367 
368 std::vector<X509_Certificate>
369 Server::get_peer_cert_chain(const Handshake_State& state_base) const
370  {
371  const Server_Handshake_State& state = dynamic_cast<const Server_Handshake_State&>(state_base);
372  if(state.resume_peer_certs().size() > 0)
373  return state.resume_peer_certs();
374 
375  if(state.client_certs())
376  return state.client_certs()->cert_chain();
377  return std::vector<X509_Certificate>();
378  }
379 
380 /*
381 * Send a hello request to the client
382 */
383 void Server::initiate_handshake(Handshake_State& state,
384  bool force_full_renegotiation)
385  {
386  dynamic_cast<Server_Handshake_State&>(state).
387  set_allow_session_resumption(!force_full_renegotiation);
388 
389  Hello_Request hello_req(state.handshake_io());
390  }
391 
392 /*
393 * Process a CLIENT HELLO Message
394 */
395 void Server::process_client_hello_msg(const Handshake_State* active_state,
396  Server_Handshake_State& pending_state,
397  const std::vector<uint8_t>& contents)
398  {
399  const bool initial_handshake = !active_state;
400 
401  if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false)
402  {
404  return;
405  }
406 
407  if(!policy().allow_insecure_renegotiation() &&
408  !(initial_handshake || secure_renegotiation_supported()))
409  {
411  return;
412  }
413 
414  pending_state.client_hello(new Client_Hello(contents));
415  const Protocol_Version client_version = pending_state.client_hello()->version();
416 
417  if(client_version.major_version() < 3)
418  throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered version with major version under 3");
419  if(client_version.major_version() == 3 && client_version.minor_version() == 0)
420  throw TLS_Exception(Alert::PROTOCOL_VERSION, "SSLv3 is not supported");
421 
422  Protocol_Version negotiated_version;
423 
424  const Protocol_Version latest_supported =
426 
427  if((initial_handshake && client_version.known_version()) ||
428  (!initial_handshake && client_version == active_state->version()))
429  {
430  /*
431  Common cases: new client hello with some known version, or a
432  renegotiation using the same version as previously
433  negotiated.
434  */
435 
436  negotiated_version = client_version;
437  }
438  else if(!initial_handshake && (client_version != active_state->version()))
439  {
440  /*
441  * If this is a renegotiation, and the client has offered a
442  * later version than what it initially negotiated, negotiate
443  * the old version. This matches OpenSSL's behavior. If the
444  * client is offering a version earlier than what it initially
445  * negotiated, reject as a probable attack.
446  */
447  if(active_state->version() > client_version)
448  {
450  "Client negotiated " +
451  active_state->version().to_string() +
452  " then renegotiated with " +
453  client_version.to_string());
454  }
455  else
456  negotiated_version = active_state->version();
457  }
458  else
459  {
460  /*
461  New negotiation using a version we don't know. Offer them the
462  best we currently know and support
463  */
464  negotiated_version = latest_supported;
465  }
466 
467  if(!policy().acceptable_protocol_version(negotiated_version))
468  {
470  "Client version " + negotiated_version.to_string() +
471  " is unacceptable by policy");
472  }
473 
474  if(pending_state.client_hello()->sent_fallback_scsv())
475  {
476  if(latest_supported > client_version)
478  "Client signalled fallback SCSV, possible attack");
479  }
480 
481  secure_renegotiation_check(pending_state.client_hello());
482 
483  pending_state.set_version(negotiated_version);
484 
485  Session session_info;
486  const bool resuming =
487  pending_state.allow_session_resumption() &&
488  check_for_resume(session_info,
489  session_manager(),
490  m_creds,
491  pending_state.client_hello(),
492  std::chrono::seconds(policy().session_ticket_lifetime()));
493 
494  bool have_session_ticket_key = false;
495 
496  try
497  {
498  have_session_ticket_key =
499  m_creds.psk("tls-server", "session-ticket", "").length() > 0;
500  }
501  catch(...) {}
502 
503  m_next_protocol = "";
504  if(pending_state.client_hello()->supports_alpn())
505  {
506  m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
507 
508  // if the callback return was empty, fall back to the (deprecated) std::function
509  if(m_next_protocol.empty() && m_choose_next_protocol)
510  {
511  m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
512  }
513  }
514 
515  if(resuming)
516  {
517  this->session_resume(pending_state, have_session_ticket_key, session_info);
518  }
519  else // new session
520  {
521  this->session_create(pending_state, have_session_ticket_key);
522  }
523  }
524 
525 void Server::process_certificate_msg(Server_Handshake_State& pending_state,
526  const std::vector<uint8_t>& contents)
527  {
528  pending_state.client_certs(new Certificate(contents, policy()));
529  pending_state.set_expected_next(CLIENT_KEX);
530  }
531 
532 void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
533  const std::vector<uint8_t>& contents)
534  {
535  if(pending_state.received_handshake_msg(CERTIFICATE) && !pending_state.client_certs()->empty())
536  pending_state.set_expected_next(CERTIFICATE_VERIFY);
537  else
538  pending_state.set_expected_next(HANDSHAKE_CCS);
539 
540  pending_state.client_kex(new Client_Key_Exchange(contents, pending_state,
541  pending_state.server_rsa_kex_key(),
542  m_creds, policy(), rng()));
543 
544  pending_state.compute_session_keys();
545  }
546 
547 void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
548  {
549  pending_state.set_expected_next(FINISHED);
551  }
552 
553 void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
555  const std::vector<uint8_t>& contents)
556  {
557  pending_state.client_verify(new Certificate_Verify(contents, pending_state.version()));
558 
559  const std::vector<X509_Certificate>& client_certs =
560  pending_state.client_certs()->cert_chain();
561 
562  const bool sig_valid =
563  pending_state.client_verify()->verify(client_certs[0], pending_state, policy());
564 
565  pending_state.hash().update(pending_state.handshake_io().format(contents, type));
566 
567  /*
568  * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
569  * "A handshake cryptographic operation failed, including being
570  * unable to correctly verify a signature, ..."
571  */
572  if(!sig_valid)
573  throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed");
574 
575  try
576  {
577  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
578  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
579 
580  callbacks().tls_verify_cert_chain(client_certs,
581  {}, // ocsp
582  trusted_CAs,
584  sni_hostname,
585  policy());
586  }
587  catch(std::exception& e)
588  {
589  throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
590  }
591 
592  pending_state.set_expected_next(HANDSHAKE_CCS);
593  }
594 
595 void Server::process_finished_msg(Server_Handshake_State& pending_state,
596  Handshake_Type type,
597  const std::vector<uint8_t>& contents)
598  {
599  pending_state.set_expected_next(HANDSHAKE_NONE);
600 
601  pending_state.client_finished(new Finished(contents));
602 
603  if(!pending_state.client_finished()->verify(pending_state, CLIENT))
605  "Finished message didn't verify");
606 
607  if(!pending_state.server_finished())
608  {
609  // already sent finished if resuming, so this is a new session
610 
611  pending_state.hash().update(pending_state.handshake_io().format(contents, type));
612 
613  Session session_info(
614  pending_state.server_hello()->session_id(),
615  pending_state.session_keys().master_secret(),
616  pending_state.server_hello()->version(),
617  pending_state.server_hello()->ciphersuite(),
618  pending_state.server_hello()->compression_method(),
619  SERVER,
620  pending_state.server_hello()->supports_extended_master_secret(),
621  pending_state.server_hello()->supports_encrypt_then_mac(),
622  get_peer_cert_chain(pending_state),
623  std::vector<uint8_t>(),
624  Server_Information(pending_state.client_hello()->sni_hostname()),
625  pending_state.srp_identifier(),
626  pending_state.server_hello()->srtp_profile());
627 
628  if(save_session(session_info))
629  {
630  if(pending_state.server_hello()->supports_session_ticket())
631  {
632  try
633  {
634  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
635 
636  pending_state.new_session_ticket(
637  new New_Session_Ticket(pending_state.handshake_io(),
638  pending_state.hash(),
639  session_info.encrypt(ticket_key, rng()),
641  }
642  catch(...) {}
643  }
644  else
645  session_manager().save(session_info);
646  }
647 
648  if(!pending_state.new_session_ticket() &&
649  pending_state.server_hello()->supports_session_ticket())
650  {
651  pending_state.new_session_ticket(
652  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
653  }
654 
655  pending_state.handshake_io().send(Change_Cipher_Spec());
656 
658 
659  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
660  }
661 
663  }
664 
665 /*
666 * Process a handshake message
667 */
668 void Server::process_handshake_msg(const Handshake_State* active_state,
669  Handshake_State& state_base,
670  Handshake_Type type,
671  const std::vector<uint8_t>& contents)
672  {
673  Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
674  state.confirm_transition_to(type);
675 
676  /*
677  * The change cipher spec message isn't technically a handshake
678  * message so it's not included in the hash. The finished and
679  * certificate verify messages are verified based on the current
680  * state of the hash *before* this message so we delay adding them
681  * to the hash computation until we've processed them below.
682  */
683  if(type != HANDSHAKE_CCS && type != FINISHED && type != CERTIFICATE_VERIFY)
684  {
685  state.hash().update(state.handshake_io().format(contents, type));
686  }
687 
688  switch(type)
689  {
690  case CLIENT_HELLO:
691  return this->process_client_hello_msg(active_state, state, contents);
692 
693  case CERTIFICATE:
694  return this->process_certificate_msg(state, contents);
695 
696  case CLIENT_KEX:
697  return this->process_client_key_exchange_msg(state, contents);
698 
699  case CERTIFICATE_VERIFY:
700  return this->process_certificate_verify_msg(state, type, contents);
701 
702  case HANDSHAKE_CCS:
703  return this->process_change_cipher_spec_msg(state);
704 
705  case FINISHED:
706  return this->process_finished_msg(state, type, contents);
707 
708  default:
709  throw Unexpected_Message("Unknown handshake message received");
710  }
711  }
712 
713 void Server::session_resume(Server_Handshake_State& pending_state,
714  bool have_session_ticket_key,
715  Session& session_info)
716  {
717  // Only offer a resuming client a new ticket if they didn't send one this time,
718  // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
719 
720  const bool offer_new_session_ticket =
721  (pending_state.client_hello()->supports_session_ticket() &&
722  pending_state.client_hello()->session_ticket().empty() &&
723  have_session_ticket_key);
724 
725  pending_state.server_hello(new Server_Hello(
726  pending_state.handshake_io(),
727  pending_state.hash(),
728  policy(),
729  rng(),
731  *pending_state.client_hello(),
732  session_info,
733  offer_new_session_ticket,
734  m_next_protocol));
735 
736  secure_renegotiation_check(pending_state.server_hello());
737 
738  pending_state.compute_session_keys(session_info.master_secret());
739  pending_state.set_resume_certs(session_info.peer_certs());
740 
741  if(!save_session(session_info))
742  {
743  session_manager().remove_entry(session_info.session_id());
744 
745  if(pending_state.server_hello()->supports_session_ticket()) // send an empty ticket
746  {
747  pending_state.new_session_ticket(
748  new New_Session_Ticket(pending_state.handshake_io(),
749  pending_state.hash()));
750  }
751  }
752 
753  if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
754  {
755  try
756  {
757  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
758 
759  pending_state.new_session_ticket(
760  new New_Session_Ticket(pending_state.handshake_io(),
761  pending_state.hash(),
762  session_info.encrypt(ticket_key, rng()),
764  }
765  catch(...) {}
766 
767  if(!pending_state.new_session_ticket())
768  {
769  pending_state.new_session_ticket(
770  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
771  }
772  }
773 
774  pending_state.handshake_io().send(Change_Cipher_Spec());
775 
777 
778  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
779  pending_state.set_expected_next(HANDSHAKE_CCS);
780  }
781 
782 void Server::session_create(Server_Handshake_State& pending_state,
783  bool have_session_ticket_key)
784  {
785  std::map<std::string, std::vector<X509_Certificate> > cert_chains;
786 
787  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
788 
789  cert_chains = get_server_certs(sni_hostname, m_creds);
790 
791  if(sni_hostname != "" && cert_chains.empty())
792  {
793  cert_chains = get_server_certs("", m_creds);
794 
795  /*
796  * Only send the unrecognized_name alert if we couldn't
797  * find any certs for the requested name but did find at
798  * least one cert to use in general. That avoids sending an
799  * unrecognized_name when a server is configured for purely
800  * anonymous operation.
801  */
802  if(!cert_chains.empty())
804  }
805 
806  const uint16_t ciphersuite = choose_ciphersuite(policy(), pending_state.version(),
807  m_creds, cert_chains,
808  *pending_state.client_hello());
809 
810  Server_Hello::Settings srv_settings(
811  make_hello_random(rng(), policy()), // new session ID
812  pending_state.version(),
813  ciphersuite,
814  choose_compression(policy(), pending_state.client_hello()->compression_methods()),
815  have_session_ticket_key);
816 
817  pending_state.server_hello(new Server_Hello(
818  pending_state.handshake_io(),
819  pending_state.hash(),
820  policy(),
821  rng(),
823  *pending_state.client_hello(),
824  srv_settings,
825  m_next_protocol));
826 
827  secure_renegotiation_check(pending_state.server_hello());
828 
829  const std::string sig_algo = pending_state.ciphersuite().sig_algo();
830  const std::string kex_algo = pending_state.ciphersuite().kex_algo();
831 
832  if(sig_algo != "")
833  {
834  BOTAN_ASSERT(!cert_chains[sig_algo].empty(),
835  "Attempting to send empty certificate chain");
836 
837  pending_state.server_certs(new Certificate(pending_state.handshake_io(),
838  pending_state.hash(),
839  cert_chains[sig_algo]));
840  }
841 
842  Private_Key* private_key = nullptr;
843 
844  if(kex_algo == "RSA" || sig_algo != "")
845  {
846  private_key = m_creds.private_key_for(
847  pending_state.server_certs()->cert_chain()[0],
848  "tls-server",
849  sni_hostname);
850 
851  if(!private_key)
852  throw Internal_Error("No private key located for associated server cert");
853  }
854 
855  if(kex_algo == "RSA")
856  {
857  pending_state.set_server_rsa_kex_key(private_key);
858  }
859  else
860  {
861  pending_state.server_kex(new Server_Key_Exchange(pending_state.handshake_io(),
862  pending_state, policy(),
863  m_creds, rng(), private_key));
864  }
865 
866  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
867 
868  std::vector<X509_DN> client_auth_CAs;
869 
870  for(auto store : trusted_CAs)
871  {
872  auto subjects = store->all_subjects();
873  client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
874  }
875 
876  if(!client_auth_CAs.empty() && pending_state.ciphersuite().sig_algo() != "")
877  {
878  pending_state.cert_req(
879  new Certificate_Req(pending_state.handshake_io(),
880  pending_state.hash(),
881  policy(),
882  client_auth_CAs,
883  pending_state.version()));
884 
885  /*
886  SSLv3 allowed clients to skip the Certificate message entirely
887  if they wanted. In TLS v1.0 and later clients must send a
888  (possibly empty) Certificate message
889  */
890  pending_state.set_expected_next(CERTIFICATE);
891  }
892  else
893  {
894  pending_state.set_expected_next(CLIENT_KEX);
895  }
896 
897  pending_state.server_hello_done(new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
898  }
899 }
900 
901 }
const std::vector< uint8_t > & session_id() const
Definition: tls_session.h:156
static Session decrypt(const uint8_t ctext[], size_t ctext_size, const SymmetricKey &key)
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
std::vector< uint8_t > session_ticket() const
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
uint8_t minor_version() const
Definition: tls_version.h:82
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Definition: tls_channel.h:42
void change_cipher_spec_reader(Connection_Side side)
void change_cipher_spec_writer(Connection_Side side)
void send_warning_alert(Alert::Type type)
Definition: tls_channel.h:141
std::function< void(const uint8_t[], size_t)> output_fn
Definition: tls_channel.h:40
bool secure_renegotiation_supported() const
RandomNumberGenerator & rng()
Definition: tls_channel.h:234
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
MechanismType type
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:29
void send_alert(const Alert &alert)
std::string to_string() const
Definition: tls_version.cpp:15
std::function< bool(const Session &)> handshake_cb
Definition: tls_channel.h:43
std::vector< uint8_t > encrypt(const SymmetricKey &key, RandomNumberGenerator &rng) const
bool save_session(const Session &session)
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
std::function< std::string(std::vector< std::string >)> next_protocol_fn
Definition: tls_server.h:29
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store *> &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
Definition: alg_id.cpp:13
std::vector< X509_Certificate > resume_peer_certs
Definition: tls_client.cpp:42
void secure_renegotiation_check(const Client_Hello *client_hello)
size_t length() const
Definition: symkey.h:25
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
virtual SymmetricKey psk(const std::string &type, const std::string &context, const std::string &identity)
std::function< void(const uint8_t[], size_t)> data_cb
Definition: tls_channel.h:41
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
const secure_vector< uint8_t > & master_secret() const
Definition: tls_session.h:151
static Ciphersuite by_id(uint16_t suite)
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Callbacks & callbacks() const
Definition: tls_channel.h:242
uint8_t major_version() const
Definition: tls_version.h:77
const Policy & policy() const
Definition: tls_channel.h:238
const std::vector< X509_Certificate > & peer_certs() const
Definition: tls_session.h:170
Server(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Server::IO_BUF_DEFAULT_SIZE)
Definition: tls_server.cpp:309
Protocol_Version version() const
virtual void save(const Session &session)=0
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:281
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:306
Session_Manager & session_manager()
Definition: tls_channel.h:236
std::function< void(const Handshake_Message &)> handshake_msg_cb
Definition: tls_channel.h:44
virtual Private_Key * private_key_for(const X509_Certificate &cert, const std::string &type, const std::string &context)