Botan 3.11.0
Crypto and TLS for C&
tls_server_impl_12.cpp
Go to the documentation of this file.
1/*
2* TLS Server
3* (C) 2004-2011,2012,2016 Jack Lloyd
4* 2016 Matthias Gierlings
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/tls_server_impl_12.h>
10
11#include <botan/certstor.h>
12#include <botan/ocsp.h>
13#include <botan/tls_callbacks.h>
14#include <botan/tls_magic.h>
15#include <botan/tls_messages_12.h>
16#include <botan/tls_policy.h>
17#include <botan/tls_version.h>
18#include <botan/internal/stl_util.h>
19#include <botan/internal/tls_handshake_state.h>
20#include <botan/internal/tls_messages_internal.h>
21
22namespace Botan::TLS {
23
24class Server_Handshake_State final : public Handshake_State {
25 public:
26 Server_Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) : Handshake_State(std::move(io), cb) {}
27
28 Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key.get(); }
29
30 void set_server_rsa_kex_key(std::shared_ptr<Private_Key> key) { m_server_rsa_kex_key = std::move(key); }
31
32 bool allow_session_resumption() const { return m_allow_session_resumption; }
33
34 void set_allow_session_resumption(bool allow_session_resumption) {
35 m_allow_session_resumption = allow_session_resumption;
36 }
37
38 const std::vector<X509_Certificate>& resume_peer_certs() const { return m_resume_peer_certs; }
39
40 void set_resume_certs(const std::vector<X509_Certificate>& certs) { m_resume_peer_certs = certs; }
41
42 void mark_as_resumption() { m_is_a_resumption = true; }
43
44 bool is_a_resumption() const { return m_is_a_resumption; }
45
46 private:
47 // Used by the server only, in case of RSA key exchange.
48 std::shared_ptr<Private_Key> m_server_rsa_kex_key;
49
50 /*
51 * Used by the server to know if resumption should be allowed on
52 * a server-initiated renegotiation
53 */
54 bool m_allow_session_resumption = true;
55
56 bool m_is_a_resumption = false;
57
58 std::vector<X509_Certificate> m_resume_peer_certs;
59};
60
61namespace {
62
63std::optional<Session> check_for_resume(const Session_Handle& handle_to_resume,
64 Session_Manager& session_manager,
65 Callbacks& cb,
66 const Policy& policy,
67 const Client_Hello_12* client_hello) {
68 auto session = session_manager.retrieve(handle_to_resume, cb, policy);
69 if(!session.has_value()) {
70 return std::nullopt;
71 }
72
73 // wrong version
74 if(client_hello->legacy_version() != session->version()) {
75 return std::nullopt;
76 }
77
78 // client didn't send original ciphersuite
79 if(!value_exists(client_hello->ciphersuites(), session->ciphersuite_code())) {
80 return std::nullopt;
81 }
82
83 // client sent a different SNI hostname
84 if(!client_hello->sni_hostname().empty() && client_hello->sni_hostname() != session->server_info().hostname()) {
85 return std::nullopt;
86 }
87
88 // Checking extended_master_secret on resume (RFC 7627 section 5.3)
89 if(client_hello->supports_extended_master_secret() != session->supports_extended_master_secret()) {
90 if(!session->supports_extended_master_secret()) {
91 return std::nullopt; // force new handshake with extended master secret
92 } else {
93 /*
94 Client previously negotiated session with extended master secret,
95 but has now attempted to resume without the extension: abort
96 */
97 throw TLS_Exception(Alert::HandshakeFailure, "Client resumed extended ms session without sending extension");
98 }
99 }
100
101 // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
102 if(!client_hello->supports_encrypt_then_mac() && session->supports_encrypt_then_mac()) {
103 /*
104 Client previously negotiated session with Encrypt-then-MAC,
105 but has now attempted to resume without the extension: abort
106 */
107 throw TLS_Exception(Alert::HandshakeFailure, "Client resumed Encrypt-then-MAC session without sending extension");
108 }
109
110 return session;
111}
112
113/*
114* Choose which ciphersuite to use
115*/
116uint16_t choose_ciphersuite(const Policy& policy,
117 Protocol_Version version,
118 const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
119 const Client_Hello_12& client_hello) {
120 const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
121 const std::vector<uint16_t>& client_suites = client_hello.ciphersuites();
122 const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version);
123
124 if(server_suites.empty()) {
125 throw TLS_Exception(Alert::HandshakeFailure, "Policy forbids us from negotiating any ciphersuite");
126 }
127
128 const bool have_shared_ecc_curve =
129 (policy.choose_key_exchange_group(client_hello.supported_ecc_curves(), {}) != Group_Params::NONE);
130
131 const bool client_supports_ffdhe_groups = !client_hello.supported_dh_groups().empty();
132
133 const bool have_shared_dh_group =
134 (policy.choose_key_exchange_group(client_hello.supported_dh_groups(), {}) != Group_Params::NONE);
135
136 /*
137 Walk down one list in preference order
138 */
139 std::vector<uint16_t> pref_list = server_suites;
140 std::vector<uint16_t> other_list = client_suites;
141
142 if(!our_choice) {
143 std::swap(pref_list, other_list);
144 }
145
146 for(auto suite_id : pref_list) {
147 if(!value_exists(other_list, suite_id)) {
148 continue;
149 }
150
151 const auto suite = Ciphersuite::by_id(suite_id);
152
153 if(!suite.has_value() || !suite->valid()) {
154 continue;
155 }
156
157 if(have_shared_ecc_curve == false && suite->ecc_ciphersuite()) {
158 continue;
159 }
160
161 if(suite->kex_method() == Kex_Algo::DH && client_supports_ffdhe_groups && !have_shared_dh_group) {
162 continue;
163 }
164
165 // For non-anon ciphersuites
166 if(suite->signature_used()) {
167 const std::string sig_algo = suite->sig_algo();
168
169 // Do we have any certificates for this sig?
170 if(!cert_chains.contains(sig_algo)) {
171 continue;
172 }
173
174 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
175
176 const std::vector<Signature_Scheme> client_sig_methods = client_hello.signature_schemes();
177
178 /*
179 Contrary to the wording of draft-ietf-tls-md5-sha1-deprecate we do
180 not enforce that clients do not offer support SHA-1 or MD5
181 signatures; we just ignore it.
182 */
183 bool we_support_some_hash_by_client = false;
184
185 for(const Signature_Scheme scheme : client_sig_methods) {
186 if(!scheme.is_available()) {
187 continue;
188 }
189
190 if(scheme.algorithm_name() == suite->sig_algo() &&
191 policy.allowed_signature_hash(scheme.hash_function_name())) {
192 we_support_some_hash_by_client = true;
193 }
194 }
195
196 if(we_support_some_hash_by_client == false) {
197 throw TLS_Exception(Alert::HandshakeFailure,
198 "Policy does not accept any hash function supported by client");
199 }
200 }
201
202 return suite_id;
203 }
204
205 // RFC 7919 Section 4.
206 // If the [Supported Groups] extension is present
207 // with FFDHE groups, none of the client’s offered groups are acceptable
208 // by the server, and none of the client’s proposed non-FFDHE cipher
209 // suites are acceptable to the server, the server MUST end the
210 // connection with a fatal TLS alert of type insufficient_security(71).
211 if(client_supports_ffdhe_groups && !have_shared_dh_group) {
212 throw TLS_Exception(Alert::InsufficientSecurity, "Can't agree on a sufficiently strong ciphersuite with client");
213 }
214
215 throw TLS_Exception(Alert::HandshakeFailure, "Can't agree on a ciphersuite with client");
216}
217
218std::map<std::string, std::vector<X509_Certificate>> get_server_certs(
219 std::string_view hostname, const std::vector<Signature_Scheme>& cert_sig_schemes, Credentials_Manager& creds) {
220 const std::vector<std::string> cert_types = {"RSA", "ECDSA"};
221
222 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
223
224 for(const auto& cert_type : cert_types) {
225 const std::vector<X509_Certificate> certs = creds.cert_chain_single_type(
226 cert_type, to_algorithm_identifiers(cert_sig_schemes), "tls-server", std::string(hostname));
227
228 if(!certs.empty()) {
229 cert_chains[cert_type] = certs;
230 }
231 }
232
233 return cert_chains;
234}
235
236} // namespace
237
238Server_Impl_12::Server_Impl_12(const std::shared_ptr<Callbacks>& callbacks,
239 const std::shared_ptr<Session_Manager>& session_manager,
240 const std::shared_ptr<Credentials_Manager>& creds,
241 const std::shared_ptr<const Policy>& policy,
242 const std::shared_ptr<RandomNumberGenerator>& rng,
243 bool is_datagram,
244 size_t io_buf_sz) :
245 Channel_Impl_12(callbacks, session_manager, rng, policy, true, is_datagram, io_buf_sz), m_creds(creds) {
246 BOTAN_ASSERT_NONNULL(m_creds);
247}
248
249Server_Impl_12::Server_Impl_12(const Channel_Impl::Downgrade_Information& downgrade_info) :
250 Channel_Impl_12(downgrade_info.callbacks,
251 downgrade_info.session_manager,
252 downgrade_info.rng,
253 downgrade_info.policy,
254 true /* is_server*/,
255 false /* TLS 1.3 does not support DTLS yet */,
256 downgrade_info.io_buffer_size),
257 m_creds(downgrade_info.creds) {}
258
259std::unique_ptr<Handshake_State> Server_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
260 auto state = std::make_unique<Server_Handshake_State>(std::move(io), callbacks());
261 state->set_expected_next(Handshake_Type::ClientHello);
262 return state;
263}
264
265std::vector<X509_Certificate> Server_Impl_12::get_peer_cert_chain(const Handshake_State& state_base) const {
266 const Server_Handshake_State& state = dynamic_cast<const Server_Handshake_State&>(state_base);
267 if(!state.resume_peer_certs().empty()) {
268 return state.resume_peer_certs();
269 }
270
271 if(state.client_certs() != nullptr) {
272 return state.client_certs()->cert_chain();
273 }
274 return std::vector<X509_Certificate>();
275}
276
277/*
278* Send a hello request to the client
279*/
280void Server_Impl_12::initiate_handshake(Handshake_State& state, bool force_full_renegotiation) {
281 dynamic_cast<Server_Handshake_State&>(state).set_allow_session_resumption(!force_full_renegotiation);
282
283 const Hello_Request hello_req(state.handshake_io());
284}
285
286namespace {
287
288Protocol_Version select_version(const TLS::Policy& policy,
289 Protocol_Version client_offer,
290 Protocol_Version active_version,
291 const std::vector<Protocol_Version>& supported_versions) {
292 const bool is_datagram = client_offer.is_datagram_protocol();
293 const bool initial_handshake = (active_version.valid() == false);
294
295 if(!supported_versions.empty()) {
296 if(is_datagram) {
297 if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12))) {
298 return Protocol_Version::DTLS_V12;
299 }
300 throw TLS_Exception(Alert::ProtocolVersion, "No shared DTLS version");
301 } else {
302 if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12))) {
303 return Protocol_Version::TLS_V12;
304 }
305 throw TLS_Exception(Alert::ProtocolVersion, "No shared TLS version");
306 }
307 }
308
309 if(!initial_handshake) {
310 /*
311 * If this is a renegotiation, and the client has offered a
312 * later version than what it initially negotiated, negotiate
313 * the old version. This matches OpenSSL's behavior. If the
314 * client is offering a version earlier than what it initially
315 * negotiated, reject as a probable attack.
316 */
317 if(active_version > client_offer) {
318 throw TLS_Exception(
319 Alert::ProtocolVersion,
320 "Client negotiated " + active_version.to_string() + " then renegotiated with " + client_offer.to_string());
321 } else {
322 return active_version;
323 }
324 }
325
326 if(is_datagram) {
327 if(policy.allow_dtls12() && client_offer >= Protocol_Version::DTLS_V12) {
328 return Protocol_Version::DTLS_V12;
329 }
330 } else {
331 if(policy.allow_tls12() && client_offer >= Protocol_Version::TLS_V12) {
332 return Protocol_Version::TLS_V12;
333 }
334 }
335
336 throw TLS_Exception(Alert::ProtocolVersion,
337 "Client version " + client_offer.to_string() + " is unacceptable by policy");
338}
339} // namespace
340
341/*
342* Process a Client Hello Message
343*/
344void Server_Impl_12::process_client_hello_msg(const Handshake_State* active_state,
345 Server_Handshake_State& pending_state,
346 const std::vector<uint8_t>& contents,
347 bool epoch0_restart) {
348 BOTAN_ASSERT_IMPLICATION(epoch0_restart, active_state != nullptr, "Can't restart with a dead connection");
349
350 const bool initial_handshake = epoch0_restart || active_state == nullptr;
351
352 if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false) {
353 if(policy().abort_connection_on_undesired_renegotiation()) {
354 throw TLS_Exception(Alert::NoRenegotiation, "Server policy prohibits renegotiation");
355 } else {
356 send_warning_alert(Alert::NoRenegotiation);
357 }
358 return;
359 }
360
361 if(!policy().allow_insecure_renegotiation() && !(initial_handshake || secure_renegotiation_supported())) {
362 send_warning_alert(Alert::NoRenegotiation);
363 return;
364 }
365
366 if(pending_state.handshake_io().have_more_data()) {
367 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after ClientHello");
368 }
369
370 pending_state.client_hello(std::make_unique<Client_Hello_12>(contents));
371 const Protocol_Version client_offer = pending_state.client_hello()->legacy_version();
372 const bool datagram = client_offer.is_datagram_protocol();
373
374 if(datagram) {
375 if(client_offer.major_version() == 0xFF) {
376 throw TLS_Exception(Alert::ProtocolVersion, "Client offered DTLS version with major version 0xFF");
377 }
378 } else {
379 if(client_offer.major_version() < 3) {
380 throw TLS_Exception(Alert::ProtocolVersion, "Client offered TLS version with major version under 3");
381 }
382 if(client_offer.major_version() == 3 && client_offer.minor_version() == 0) {
383 throw TLS_Exception(Alert::ProtocolVersion, "Client offered SSLv3 which is not supported");
384 }
385 }
386
387 /*
388 * BoGo test suite expects that we will send the hello verify with a record
389 * version matching the version that is eventually negotiated. This is wrong
390 * but harmless, so go with it. Also doing the version negotiation step first
391 * allows to immediately close the connection with an alert if the client has
392 * offered a version that we are not going to negotiate anyway, instead of
393 * making them first do the cookie exchange and then telling them no.
394 *
395 * There is no issue with amplification here, since the alert is just 2 bytes.
396 */
397 const Protocol_Version negotiated_version =
398 select_version(policy(),
399 client_offer,
400 active_state != nullptr ? active_state->version() : Protocol_Version(),
401 pending_state.client_hello()->supported_versions());
402
403 pending_state.set_version(negotiated_version);
404
405 const auto compression_methods = pending_state.client_hello()->compression_methods();
406 if(!value_exists(compression_methods, uint8_t(0))) {
407 throw TLS_Exception(Alert::IllegalParameter, "Client did not offer NULL compression");
408 }
409
410 if(initial_handshake && datagram) {
411 SymmetricKey cookie_secret;
412
413 try {
414 cookie_secret = m_creds->psk("tls-server", "dtls-cookie-secret", "");
415 } catch(...) {}
416
417 if(!cookie_secret.empty()) {
418 const std::string client_identity = callbacks().tls_peer_network_identity();
419 const Hello_Verify_Request verify(
420 pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
421
422 if(pending_state.client_hello()->cookie() != verify.cookie()) {
423 if(epoch0_restart) {
424 pending_state.handshake_io().send_under_epoch(verify, 0);
425 } else {
426 pending_state.handshake_io().send(verify);
427 }
428
429 pending_state.client_hello(nullptr);
430 pending_state.set_expected_next(Handshake_Type::ClientHello);
431 return;
432 }
433 } else if(epoch0_restart) {
434 throw TLS_Exception(Alert::HandshakeFailure, "Reuse of DTLS association requires DTLS cookie secret be set");
435 }
436 }
437
438 if(epoch0_restart) {
439 // If we reached here then we were able to verify the cookie
440 reset_active_association_state();
441 }
442
443 secure_renegotiation_check(pending_state.client_hello());
444
445 callbacks().tls_examine_extensions(
446 pending_state.client_hello()->extensions(), Connection_Side::Client, Handshake_Type::ClientHello);
447
448 const auto session_handle = pending_state.client_hello()->session_handle();
449
450 std::optional<Session> session_info;
451 if(pending_state.allow_session_resumption() && session_handle.has_value()) {
452 session_info = check_for_resume(
453 session_handle.value(), session_manager(), callbacks(), policy(), pending_state.client_hello());
454 }
455
456 m_next_protocol = "";
457 if(pending_state.client_hello()->supports_alpn()) {
458 m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
459 }
460
461 if(session_info.has_value()) {
462 this->session_resume(pending_state, {session_info.value(), session_handle.value()});
463 } else {
464 // new session
465 this->session_create(pending_state);
466 }
467}
468
469void Server_Impl_12::process_certificate_msg(Server_Handshake_State& pending_state,
470 const std::vector<uint8_t>& contents) {
471 pending_state.client_certs(std::make_unique<Certificate_12>(contents, policy()));
472
473 // CERTIFICATE_REQUIRED would make more sense but BoGo expects handshake failure alert
474 if(pending_state.client_certs()->empty() && policy().require_client_certificate_authentication()) {
475 throw TLS_Exception(Alert::HandshakeFailure, "Policy requires client send a certificate, but it did not");
476 }
477
478 pending_state.set_expected_next(Handshake_Type::ClientKeyExchange);
479}
480
481void Server_Impl_12::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
482 const std::vector<uint8_t>& contents) {
483 if(pending_state.received_handshake_msg(Handshake_Type::Certificate) && !pending_state.client_certs()->empty()) {
484 pending_state.set_expected_next(Handshake_Type::CertificateVerify);
485 } else {
486 pending_state.set_expected_next(Handshake_Type::HandshakeCCS);
487 }
488
489 pending_state.client_kex(std::make_unique<Client_Key_Exchange>(
490 contents, pending_state, pending_state.server_rsa_kex_key(), *m_creds, policy(), rng()));
491
492 pending_state.compute_session_keys();
493 if(policy().allow_ssl_key_log_file()) {
494 // draft-thomson-tls-keylogfile-00 Section 3.2
495 // An implementation of TLS 1.2 (and also earlier versions) use
496 // the label "CLIENT_RANDOM" to identify the "master" secret for
497 // the connection.
498 callbacks().tls_ssl_key_log_data(
499 "CLIENT_RANDOM", pending_state.client_hello()->random(), pending_state.session_keys().master_secret());
500 }
501}
502
503void Server_Impl_12::process_change_cipher_spec_msg(Server_Handshake_State& pending_state) {
504 pending_state.set_expected_next(Handshake_Type::Finished);
505 change_cipher_spec_reader(Connection_Side::Server);
506}
507
508void Server_Impl_12::process_certificate_verify_msg(Server_Handshake_State& pending_state,
509 Handshake_Type type,
510 const std::vector<uint8_t>& contents) {
511 pending_state.client_verify(std::make_unique<Certificate_Verify_12>(contents));
512
513 const std::vector<X509_Certificate>& client_certs = pending_state.client_certs()->cert_chain();
514
515 if(client_certs.empty()) {
516 throw TLS_Exception(Alert::DecodeError, "No client certificate sent");
517 }
518
519 if(!client_certs[0].allowed_usage(Key_Constraints::DigitalSignature)) {
520 throw TLS_Exception(Alert::BadCertificate, "Client certificate does not support signing");
521 }
522
523 const bool sig_valid = pending_state.client_verify()->verify(client_certs[0], pending_state, policy());
524
525 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
526
527 /*
528 * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
529 * "A handshake cryptographic operation failed, including being
530 * unable to correctly verify a signature, ..."
531 */
532 if(!sig_valid) {
533 throw TLS_Exception(Alert::DecryptError, "Client cert verify failed");
534 }
535
536 try {
537 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
538 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-server", sni_hostname);
539
540 callbacks().tls_verify_cert_chain(client_certs,
541 {}, // ocsp
542 trusted_CAs,
543 Usage_Type::TLS_CLIENT_AUTH,
544 sni_hostname,
545 policy());
546 } catch(std::exception& e) {
547 throw TLS_Exception(Alert::BadCertificate, e.what());
548 }
549
550 pending_state.set_expected_next(Handshake_Type::HandshakeCCS);
551}
552
553void Server_Impl_12::process_finished_msg(Server_Handshake_State& pending_state,
554 Handshake_Type type,
555 const std::vector<uint8_t>& contents) {
556 pending_state.set_expected_next(Handshake_Type::None);
557
558 if(pending_state.handshake_io().have_more_data()) {
559 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after Finished");
560 }
561
562 pending_state.client_finished(std::make_unique<Finished_12>(contents));
563
564 if(!pending_state.client_finished()->verify(pending_state, Connection_Side::Client)) {
565 throw TLS_Exception(Alert::DecryptError, "Finished message didn't verify");
566 }
567
568 if(pending_state.server_finished() == nullptr) {
569 // already sent finished if resuming, so this is a new session
570
571 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
572
573 Session session_info(pending_state.session_keys().master_secret(),
574 pending_state.server_hello()->legacy_version(),
575 pending_state.server_hello()->ciphersuite(),
576 Connection_Side::Server,
577 pending_state.server_hello()->supports_extended_master_secret(),
578 pending_state.server_hello()->supports_encrypt_then_mac(),
579 get_peer_cert_chain(pending_state),
580 Server_Information(pending_state.client_hello()->sni_hostname()),
581 pending_state.server_hello()->srtp_profile(),
582 callbacks().tls_current_timestamp());
583
584 // Give the application a chance for a final veto before fully
585 // establishing the connection.
586 callbacks().tls_session_established([&, this] {
587 Session_Summary summary(session_info, pending_state.is_a_resumption(), external_psk_identity());
588 summary.set_session_id(pending_state.server_hello()->session_id());
589 return summary;
590 }());
591
592 if(callbacks().tls_should_persist_resumption_information(session_info)) {
593 auto handle = session_manager().establish(session_info,
594 pending_state.server_hello()->session_id(),
595 !pending_state.server_hello()->supports_session_ticket());
596
597 if(pending_state.server_hello()->supports_session_ticket() && handle.has_value() && handle->is_ticket()) {
598 pending_state.new_session_ticket(std::make_unique<New_Session_Ticket_12>(
599 pending_state.handshake_io(),
600 pending_state.hash(),
601 handle->ticket().value(),
602 static_cast<uint32_t>(policy().session_ticket_lifetime().count())));
603 }
604 }
605
606 if(pending_state.new_session_ticket() == nullptr && pending_state.server_hello()->supports_session_ticket()) {
607 pending_state.new_session_ticket(
608 std::make_unique<New_Session_Ticket_12>(pending_state.handshake_io(), pending_state.hash()));
609 }
610
611 pending_state.handshake_io().send(Change_Cipher_Spec());
612
613 change_cipher_spec_writer(Connection_Side::Server);
614
615 pending_state.server_finished(
616 std::make_unique<Finished_12>(pending_state.handshake_io(), pending_state, Connection_Side::Server));
617 }
618
619 activate_session();
620}
621
622/*
623* Process a handshake message
624*/
625void Server_Impl_12::process_handshake_msg(const Handshake_State* active_state,
626 Handshake_State& state_base,
627 Handshake_Type type,
628 const std::vector<uint8_t>& contents,
629 bool epoch0_restart) {
630 Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
631 state.confirm_transition_to(type);
632
633 /*
634 * The change cipher spec message isn't technically a handshake
635 * message so it's not included in the hash. The finished and
636 * certificate verify messages are verified based on the current
637 * state of the hash *before* this message so we delay adding them
638 * to the hash computation until we've processed them below.
639 */
640 if(type != Handshake_Type::HandshakeCCS && type != Handshake_Type::Finished &&
641 type != Handshake_Type::CertificateVerify) {
642 state.hash().update(state.handshake_io().format(contents, type));
643 }
644
645 switch(type) {
646 case Handshake_Type::ClientHello:
647 return this->process_client_hello_msg(active_state, state, contents, epoch0_restart);
648
649 case Handshake_Type::Certificate:
650 return this->process_certificate_msg(state, contents);
651
652 case Handshake_Type::ClientKeyExchange:
653 return this->process_client_key_exchange_msg(state, contents);
654
655 case Handshake_Type::CertificateVerify:
656 return this->process_certificate_verify_msg(state, type, contents);
657
658 case Handshake_Type::HandshakeCCS:
659 return this->process_change_cipher_spec_msg(state);
660
661 case Handshake_Type::Finished:
662 return this->process_finished_msg(state, type, contents);
663
664 default:
665 throw Unexpected_Message("Unknown handshake message received");
666 }
667}
668
669void Server_Impl_12::session_resume(Server_Handshake_State& pending_state, const Session_with_Handle& session) {
670 // Only offer a resuming client a new ticket if they didn't send one this time,
671 // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
672
673 const bool offer_new_session_ticket = pending_state.client_hello()->supports_session_ticket() &&
674 pending_state.client_hello()->session_ticket().empty() &&
675 session_manager().emits_session_tickets();
676
677 pending_state.server_hello(std::make_unique<Server_Hello_12>(pending_state.handshake_io(),
678 pending_state.hash(),
679 policy(),
680 callbacks(),
681 rng(),
682 secure_renegotiation_data_for_server_hello(),
683 *pending_state.client_hello(),
684 session.session,
685 offer_new_session_ticket,
686 m_next_protocol));
687
688 secure_renegotiation_check(pending_state.server_hello());
689
690 pending_state.mark_as_resumption();
691 pending_state.compute_session_keys(session.session.master_secret());
692 if(policy().allow_ssl_key_log_file()) {
693 // draft-thomson-tls-keylogfile-00 Section 3.2
694 // An implementation of TLS 1.2 (and also earlier versions) use
695 // the label "CLIENT_RANDOM" to identify the "master" secret for
696 // the connection.
697 callbacks().tls_ssl_key_log_data(
698 "CLIENT_RANDOM", pending_state.client_hello()->random(), pending_state.session_keys().master_secret());
699 }
700 pending_state.set_resume_certs(session.session.peer_certs());
701
702 // Give the application a chance for a final veto before fully
703 // establishing the connection.
704 callbacks().tls_session_established([&, this] {
705 Session_Summary summary(session.session, pending_state.is_a_resumption(), external_psk_identity());
706 summary.set_session_id(pending_state.server_hello()->session_id());
707 if(auto ticket = session.handle.ticket()) {
708 summary.set_session_ticket(std::move(ticket.value()));
709 }
710 return summary;
711 }());
712
713 auto new_handle = [&, this]() -> std::optional<Session_Handle> {
714 if(!callbacks().tls_should_persist_resumption_information(session.session)) {
715 session_manager().remove(session.handle);
716 return std::nullopt;
717 } else {
718 return session_manager().establish(session.session, session.handle.id());
719 }
720 }();
721
722 if(pending_state.server_hello()->supports_session_ticket()) {
723 if(new_handle.has_value() && new_handle->is_ticket()) {
724 const uint32_t lifetime = static_cast<uint32_t>(policy().session_ticket_lifetime().count());
725 pending_state.new_session_ticket(std::make_unique<New_Session_Ticket_12>(
726 pending_state.handshake_io(), pending_state.hash(), new_handle->ticket().value(), lifetime));
727 } else {
728 pending_state.new_session_ticket(
729 std::make_unique<New_Session_Ticket_12>(pending_state.handshake_io(), pending_state.hash()));
730 }
731 }
732
733 pending_state.handshake_io().send(Change_Cipher_Spec());
734
735 change_cipher_spec_writer(Connection_Side::Server);
736
737 pending_state.server_finished(
738 std::make_unique<Finished_12>(pending_state.handshake_io(), pending_state, Connection_Side::Server));
739 pending_state.set_expected_next(Handshake_Type::HandshakeCCS);
740}
741
742void Server_Impl_12::session_create(Server_Handshake_State& pending_state) {
743 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
744
745 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
746
747 // RFC 8446 1.3
748 // The "signature_algorithms_cert" extension allows a client to indicate
749 // which signature algorithms it can validate in X.509 certificates.
750 //
751 // RFC 8446 4.2.3
752 // TLS 1.2 implementations SHOULD also process this extension.
753 const auto cert_signature_schemes = pending_state.client_hello()->certificate_signature_schemes();
754 cert_chains = get_server_certs(sni_hostname, cert_signature_schemes, *m_creds);
755
756 if(!sni_hostname.empty() && cert_chains.empty()) {
757 cert_chains = get_server_certs("", cert_signature_schemes, *m_creds);
758
759 /*
760 * Only send the unrecognized_name alert if we couldn't
761 * find any certs for the requested name but did find at
762 * least one cert to use in general. That avoids sending an
763 * unrecognized_name when a server is configured for purely
764 * anonymous/PSK operation.
765 */
766 if(!cert_chains.empty()) {
767 send_warning_alert(Alert::UnrecognizedName);
768 }
769 }
770
771 const uint16_t ciphersuite =
772 choose_ciphersuite(policy(), pending_state.version(), cert_chains, *pending_state.client_hello());
773
774 const Server_Hello_12::Settings srv_settings(Session_ID(make_hello_random(rng(), callbacks(), policy())),
775 pending_state.version(),
776 ciphersuite,
777 session_manager().emits_session_tickets());
778
779 pending_state.server_hello(std::make_unique<Server_Hello_12>(pending_state.handshake_io(),
780 pending_state.hash(),
781 policy(),
782 callbacks(),
783 rng(),
784 secure_renegotiation_data_for_server_hello(),
785 *pending_state.client_hello(),
786 srv_settings,
787 m_next_protocol));
788
789 secure_renegotiation_check(pending_state.server_hello());
790
791 const Ciphersuite& pending_suite = pending_state.ciphersuite();
792
793 std::shared_ptr<Private_Key> private_key;
794
795 if(pending_suite.signature_used() || pending_suite.kex_method() == Kex_Algo::STATIC_RSA) {
796 const std::string algo_used = pending_suite.signature_used() ? pending_suite.sig_algo() : "RSA";
797
798 BOTAN_ASSERT(!cert_chains[algo_used].empty(), "Attempting to send empty certificate chain");
799
800 pending_state.server_certs(
801 std::make_unique<Certificate_12>(pending_state.handshake_io(), pending_state.hash(), cert_chains[algo_used]));
802
803 if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() == false) {
804 auto* csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
805 // csr is non-null if client_hello()->supports_cert_status_message()
806 BOTAN_ASSERT_NOMSG(csr != nullptr);
807 const auto resp_bytes = callbacks().tls_provide_cert_status(cert_chains[algo_used], *csr);
808 if(!resp_bytes.empty()) {
809 pending_state.server_cert_status(
810 std::make_unique<Certificate_Status_12>(pending_state.handshake_io(), pending_state.hash(), resp_bytes));
811 }
812 }
813
814 private_key = m_creds->private_key_for(pending_state.server_certs()->cert_chain()[0], "tls-server", sni_hostname);
815
816 if(!private_key) {
817 throw Internal_Error("No private key located for associated server cert");
818 }
819 }
820
821 if(pending_suite.kex_method() == Kex_Algo::STATIC_RSA) {
822 pending_state.set_server_rsa_kex_key(private_key);
823 } else {
824 pending_state.server_kex(std::make_unique<Server_Key_Exchange>(
825 pending_state.handshake_io(), pending_state, policy(), *m_creds, rng(), private_key.get()));
826 }
827
828 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-server", sni_hostname);
829
830 std::vector<X509_DN> client_auth_CAs;
831
832 for(auto* store : trusted_CAs) {
833 auto subjects = store->all_subjects();
834 client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
835 }
836
837 const bool request_cert = (client_auth_CAs.empty() == false) || policy().request_client_certificate_authentication();
838
839 if(request_cert && pending_state.ciphersuite().signature_used()) {
840 pending_state.cert_req(std::make_unique<Certificate_Request_12>(
841 pending_state.handshake_io(), pending_state.hash(), policy(), client_auth_CAs));
842
843 /*
844 SSLv3 allowed clients to skip the Certificate message entirely
845 if they wanted. In TLS v1.0 and later clients must send a
846 (possibly empty) Certificate message
847 */
848 pending_state.set_expected_next(Handshake_Type::Certificate);
849 } else {
850 pending_state.set_expected_next(Handshake_Type::ClientKeyExchange);
851 }
852
853 pending_state.server_hello_done(
854 std::make_unique<Server_Hello_Done>(pending_state.handshake_io(), pending_state.hash()));
855}
856} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
BOTAN_ASSERT_IMPLICATION
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
Definition assert.h:101
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:62
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition pkix_enums.h:116
Botan::TLS::Callbacks::tls_provide_cert_status
virtual std::vector< uint8_t > tls_provide_cert_status(const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr)
Definition tls_callbacks.cpp:416
Botan::TLS::Callbacks::tls_peer_network_identity
virtual std::string tls_peer_network_identity()
Definition tls_callbacks.cpp:57
Botan::TLS::Callbacks::tls_server_choose_app_protocol
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
Definition tls_callbacks.cpp:53
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition tls_callbacks.cpp:69
Botan::TLS::Callbacks::tls_session_established
virtual void tls_session_established(const Session_Summary &session)
Definition tls_callbacks.cpp:412
Botan::TLS::Callbacks::tls_verify_cert_chain
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition tls_callbacks.cpp:88
Botan::TLS::Callbacks::tls_ssl_key_log_data
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
Definition tls_callbacks.cpp:434
Botan::TLS::Channel_Impl_12::rng
RandomNumberGenerator & rng()
Definition tls_channel_impl_12.h:177
Botan::TLS::Channel_Impl_12::activate_session
void activate_session()
Definition tls_channel_impl_12.cpp:259
Botan::TLS::Channel_Impl_12::change_cipher_spec_reader
void change_cipher_spec_reader(Connection_Side side)
Definition tls_channel_impl_12.cpp:195
Botan::TLS::Channel_Impl_12::secure_renegotiation_data_for_server_hello
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
Definition tls_channel_impl_12.cpp:613
Botan::TLS::Channel_Impl_12::callbacks
Callbacks & callbacks() const
Definition tls_channel_impl_12.h:183
Botan::TLS::Channel_Impl_12::secure_renegotiation_check
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Definition tls_channel_impl_12.cpp:561
Botan::TLS::Channel_Impl_12::session_manager
Session_Manager & session_manager()
Definition tls_channel_impl_12.h:179
Botan::TLS::Channel_Impl_12::policy
const Policy & policy() const
Definition tls_channel_impl_12.h:181
Botan::TLS::Channel_Impl_12::change_cipher_spec_writer
void change_cipher_spec_writer(Connection_Side side)
Definition tls_channel_impl_12.cpp:222
Botan::TLS::Channel_Impl_12::Channel_Impl_12
Channel_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< RandomNumberGenerator > &rng, const std::shared_ptr< const Policy > &policy, bool is_server, bool is_datagram, size_t io_buf_sz=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_channel_impl_12.cpp:25
Botan::TLS::Channel_Impl_12::external_psk_identity
std::optional< std::string > external_psk_identity() const override
Definition tls_channel_impl_12.cpp:105
Botan::TLS::Channel_Impl_12::reset_active_association_state
void reset_active_association_state()
Definition tls_channel_impl_12.cpp:60
Botan::TLS::Channel_Impl_12::secure_renegotiation_supported
bool secure_renegotiation_supported() const override
Definition tls_channel_impl_12.cpp:625
Botan::TLS::Channel_Impl::send_warning_alert
void send_warning_alert(Alert::Type type)
Definition tls_channel_impl.h:66
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition tls_ciphersuite.cpp:98
Botan::TLS::Client_Hello_12
Definition tls_messages_12.h:21
Botan::TLS::Handshake_State
Definition tls_handshake_state.h:59
Botan::TLS::Handshake_State::Handshake_State
Handshake_State(std::unique_ptr< Handshake_IO > io, Callbacks &callbacks)
Definition tls_handshake_state.cpp:30
Botan::TLS::Policy::request_client_certificate_authentication
virtual bool request_client_certificate_authentication() const
Definition tls_policy.cpp:442
Botan::TLS::Policy::session_ticket_lifetime
virtual std::chrono::seconds session_ticket_lifetime() const
Definition tls_policy.cpp:307
Botan::TLS::Protocol_Version
Definition tls_version.h:34
Botan::TLS::Protocol_Version::is_datagram_protocol
bool is_datagram_protocol() const
Definition tls_version.cpp:54
Botan::TLS::Server_Impl_12::Server_Impl_12
Server_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_server_impl_12.cpp:238
Botan::TLS::Session_Handle
Helper class to embody a session handle in all protocol versions.
Definition tls_session_id.h:51
Botan::TLS::Session_Manager
Definition tls_session_manager.h:46
Botan::TLS::Session_Manager::remove
virtual size_t remove(const Session_Handle &handle)=0
Botan::TLS::Session_Manager::establish
virtual std::optional< Session_Handle > establish(const Session &session, const std::optional< Session_ID > &id=std::nullopt, bool tls12_no_ticket=false)
Save a new Session and assign a Session_Handle (TLS Server).
Definition tls_session_manager.cpp:28
Botan::TLS::Session_Manager::emits_session_tickets
virtual bool emits_session_tickets()
Definition tls_session_manager.h:215
Botan::TLS::Session_with_Handle
Definition tls_session.h:400
Botan::TLS::Signature_Scheme
Definition tls_signature_scheme.h:29
Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19
Botan::TLS::to_algorithm_identifiers
std::vector< AlgorithmIdentifier > to_algorithm_identifiers(const std::vector< Signature_Scheme > &schemes)
Definition tls_signature_scheme.cpp:336
Botan::TLS::make_hello_random
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Definition msg_client_hello.cpp:25
Botan::TLS::Session_ID
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
Definition tls_session_id.h:22
Botan::SymmetricKey
OctetString SymmetricKey
Definition symkey.h:140
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const V &val)
Definition stl_util.h:43
Botan::TLS::Channel_Impl::Downgrade_Information
Definition tls_channel_impl.h:197
Generated by doxygen 1.15.0