9#include <botan/internal/tls_server_impl_12.h>
11#include <botan/ocsp.h>
12#include <botan/tls_magic.h>
13#include <botan/tls_messages.h>
14#include <botan/tls_server.h>
15#include <botan/tls_version.h>
16#include <botan/internal/stl_util.h>
17#include <botan/internal/tls_handshake_state.h>
21class Server_Handshake_State
final :
public Handshake_State {
23 Server_Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
Handshake_State(std::move(io), cb) {}
25 Private_Key* server_rsa_kex_key() {
return m_server_rsa_kex_key.get(); }
27 void set_server_rsa_kex_key(std::shared_ptr<Private_Key> key) { m_server_rsa_kex_key = std::move(key); }
29 bool allow_session_resumption()
const {
return m_allow_session_resumption; }
31 void set_allow_session_resumption(
bool allow_session_resumption) {
32 m_allow_session_resumption = allow_session_resumption;
35 const std::vector<X509_Certificate>& resume_peer_certs()
const {
return m_resume_peer_certs; }
37 void set_resume_certs(
const std::vector<X509_Certificate>& certs) { m_resume_peer_certs = certs; }
39 void mark_as_resumption() { m_is_a_resumption =
true; }
41 bool is_a_resumption()
const {
return m_is_a_resumption; }
45 std::shared_ptr<Private_Key> m_server_rsa_kex_key;
51 bool m_allow_session_resumption =
true;
53 bool m_is_a_resumption =
false;
55 std::vector<X509_Certificate> m_resume_peer_certs;
60std::optional<Session> check_for_resume(
const Session_Handle& handle_to_resume,
61 Session_Manager& session_manager,
64 const Client_Hello_12* client_hello) {
65 auto session = session_manager.retrieve(handle_to_resume, cb, policy);
66 if(!session.has_value()) {
71 if(client_hello->legacy_version() != session->version()) {
76 if(!
value_exists(client_hello->ciphersuites(), session->ciphersuite_code())) {
81 if(!client_hello->sni_hostname().empty() && client_hello->sni_hostname() != session->server_info().hostname()) {
86 if(client_hello->supports_extended_master_secret() != session->supports_extended_master_secret()) {
87 if(!session->supports_extended_master_secret()) {
94 throw TLS_Exception(Alert::HandshakeFailure,
"Client resumed extended ms session without sending extension");
99 if(!client_hello->supports_encrypt_then_mac() && session->supports_encrypt_then_mac()) {
104 throw TLS_Exception(Alert::HandshakeFailure,
"Client resumed Encrypt-then-MAC session without sending extension");
113uint16_t choose_ciphersuite(
const Policy& policy,
114 Protocol_Version version,
115 const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
116 const Client_Hello_12& client_hello) {
117 const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
118 const std::vector<uint16_t>& client_suites = client_hello.ciphersuites();
119 const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version);
121 if(server_suites.empty()) {
122 throw TLS_Exception(Alert::HandshakeFailure,
"Policy forbids us from negotiating any ciphersuite");
125 const bool have_shared_ecc_curve =
126 (policy.choose_key_exchange_group(client_hello.supported_ecc_curves(), {}) != Group_Params::NONE);
128 const bool client_supports_ffdhe_groups = !client_hello.supported_dh_groups().empty();
130 const bool have_shared_dh_group =
131 (policy.choose_key_exchange_group(client_hello.supported_dh_groups(), {}) != Group_Params::NONE);
136 std::vector<uint16_t> pref_list = server_suites;
137 std::vector<uint16_t> other_list = client_suites;
140 std::swap(pref_list, other_list);
143 for(
auto suite_id : pref_list) {
150 if(!suite.has_value() || !suite->valid()) {
154 if(have_shared_ecc_curve ==
false && suite->ecc_ciphersuite()) {
158 if(suite->kex_method() ==
Kex_Algo::DH && client_supports_ffdhe_groups && !have_shared_dh_group) {
163 if(suite->signature_used()) {
164 const std::string sig_algo = suite->sig_algo();
167 if(!cert_chains.contains(sig_algo)) {
171 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
173 std::vector<Signature_Scheme> client_sig_methods = client_hello.signature_schemes();
180 bool we_support_some_hash_by_client =
false;
182 for(Signature_Scheme scheme : client_sig_methods) {
183 if(!scheme.is_available()) {
187 if(scheme.algorithm_name() == suite->sig_algo() &&
188 policy.allowed_signature_hash(scheme.hash_function_name())) {
189 we_support_some_hash_by_client =
true;
193 if(we_support_some_hash_by_client ==
false) {
194 throw TLS_Exception(Alert::HandshakeFailure,
195 "Policy does not accept any hash function supported by client");
208 if(client_supports_ffdhe_groups && !have_shared_dh_group) {
209 throw TLS_Exception(Alert::InsufficientSecurity,
"Can't agree on a sufficiently strong ciphersuite with client");
212 throw TLS_Exception(Alert::HandshakeFailure,
"Can't agree on a ciphersuite with client");
215std::map<std::string, std::vector<X509_Certificate>> get_server_certs(
216 std::string_view hostname,
const std::vector<Signature_Scheme>& cert_sig_schemes, Credentials_Manager& creds) {
217 const char* cert_types[] = {
"RSA",
"ECDSA",
"DSA",
nullptr};
219 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
221 for(
size_t i = 0; cert_types[i]; ++i) {
222 const std::vector<X509_Certificate> certs = creds.cert_chain_single_type(
226 cert_chains[cert_types[i]] = certs;
236 const std::shared_ptr<Session_Manager>& session_manager,
237 const std::shared_ptr<Credentials_Manager>& creds,
238 const std::shared_ptr<const Policy>& policy,
239 const std::shared_ptr<RandomNumberGenerator>& rng,
242 Channel_Impl_12(callbacks, session_manager, rng, policy, true, is_datagram, io_buf_sz), m_creds(creds) {
248 downgrade_info.session_manager,
250 downgrade_info.policy,
253 downgrade_info.io_buffer_size),
254 m_creds(downgrade_info.creds) {}
256std::unique_ptr<Handshake_State> Server_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
257 auto state = std::make_unique<Server_Handshake_State>(std::move(io),
callbacks());
262std::vector<X509_Certificate> Server_Impl_12::get_peer_cert_chain(
const Handshake_State& state_base)
const {
263 const Server_Handshake_State& state =
dynamic_cast<const Server_Handshake_State&
>(state_base);
264 if(!state.resume_peer_certs().empty()) {
265 return state.resume_peer_certs();
268 if(state.client_certs()) {
269 return state.client_certs()->cert_chain();
271 return std::vector<X509_Certificate>();
277void Server_Impl_12::initiate_handshake(Handshake_State& state,
bool force_full_renegotiation) {
278 dynamic_cast<Server_Handshake_State&
>(state).set_allow_session_resumption(!force_full_renegotiation);
280 Hello_Request hello_req(state.handshake_io());
285Protocol_Version select_version(
const TLS::Policy& policy,
286 Protocol_Version client_offer,
287 Protocol_Version active_version,
288 const std::vector<Protocol_Version>& supported_versions) {
289 const bool is_datagram = client_offer.is_datagram_protocol();
290 const bool initial_handshake = (active_version.valid() ==
false);
292 if(!supported_versions.empty()) {
294 if(policy.allow_dtls12() &&
value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12))) {
295 return Protocol_Version::DTLS_V12;
297 throw TLS_Exception(Alert::ProtocolVersion,
"No shared DTLS version");
299 if(policy.allow_tls12() &&
value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12))) {
300 return Protocol_Version::TLS_V12;
302 throw TLS_Exception(Alert::ProtocolVersion,
"No shared TLS version");
306 if(!initial_handshake) {
314 if(active_version > client_offer) {
316 Alert::ProtocolVersion,
317 "Client negotiated " + active_version.to_string() +
" then renegotiated with " + client_offer.to_string());
319 return active_version;
324 if(policy.allow_dtls12() && client_offer >= Protocol_Version::DTLS_V12) {
325 return Protocol_Version::DTLS_V12;
328 if(policy.allow_tls12() && client_offer >= Protocol_Version::TLS_V12) {
329 return Protocol_Version::TLS_V12;
333 throw TLS_Exception(Alert::ProtocolVersion,
334 "Client version " + client_offer.to_string() +
" is unacceptable by policy");
341void Server_Impl_12::process_client_hello_msg(
const Handshake_State* active_state,
342 Server_Handshake_State& pending_state,
343 const std::vector<uint8_t>& contents,
344 bool epoch0_restart) {
347 const bool initial_handshake = epoch0_restart || !active_state;
349 if(initial_handshake ==
false &&
policy().allow_client_initiated_renegotiation() ==
false) {
350 if(
policy().abort_connection_on_undesired_renegotiation()) {
351 throw TLS_Exception(Alert::NoRenegotiation,
"Server policy prohibits renegotiation");
363 if(pending_state.handshake_io().have_more_data()) {
364 throw TLS_Exception(Alert::UnexpectedMessage,
"Have data remaining in buffer after ClientHello");
367 pending_state.client_hello(
new Client_Hello_12(contents));
368 const Protocol_Version client_offer = pending_state.client_hello()->legacy_version();
369 const bool datagram = client_offer.is_datagram_protocol();
372 if(client_offer.major_version() == 0xFF) {
373 throw TLS_Exception(Alert::ProtocolVersion,
"Client offered DTLS version with major version 0xFF");
376 if(client_offer.major_version() < 3) {
377 throw TLS_Exception(Alert::ProtocolVersion,
"Client offered TLS version with major version under 3");
379 if(client_offer.major_version() == 3 && client_offer.minor_version() == 0) {
380 throw TLS_Exception(Alert::ProtocolVersion,
"Client offered SSLv3 which is not supported");
394 const Protocol_Version negotiated_version =
397 active_state ? active_state->version() : Protocol_Version(),
398 pending_state.client_hello()->supported_versions());
400 pending_state.set_version(negotiated_version);
402 const auto compression_methods = pending_state.client_hello()->compression_methods();
404 throw TLS_Exception(Alert::IllegalParameter,
"Client did not offer NULL compression");
407 if(initial_handshake && datagram) {
411 cookie_secret = m_creds->psk(
"tls-server",
"dtls-cookie-secret",
"");
414 if(!cookie_secret.empty()) {
416 Hello_Verify_Request verify(pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
418 if(pending_state.client_hello()->cookie() != verify.cookie()) {
420 pending_state.handshake_io().send_under_epoch(verify, 0);
422 pending_state.handshake_io().send(verify);
425 pending_state.client_hello(
static_cast<Client_Hello_12*
>(
nullptr));
429 }
else if(epoch0_restart) {
430 throw TLS_Exception(Alert::HandshakeFailure,
"Reuse of DTLS association requires DTLS cookie secret be set");
444 const auto session_handle = pending_state.client_hello()->session_handle();
446 std::optional<Session> session_info;
447 if(pending_state.allow_session_resumption() && session_handle.has_value()) {
448 session_info = check_for_resume(
452 m_next_protocol =
"";
453 if(pending_state.client_hello()->supports_alpn()) {
457 if(session_info.has_value()) {
458 this->session_resume(pending_state, {session_info.value(), session_handle.value()});
461 this->session_create(pending_state);
465void Server_Impl_12::process_certificate_msg(Server_Handshake_State& pending_state,
466 const std::vector<uint8_t>& contents) {
467 pending_state.client_certs(
new Certificate_12(contents,
policy()));
470 if(pending_state.client_certs()->empty() &&
policy().require_client_certificate_authentication()) {
471 throw TLS_Exception(Alert::HandshakeFailure,
"Policy requires client send a certificate, but it did not");
477void Server_Impl_12::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
478 const std::vector<uint8_t>& contents) {
485 pending_state.client_kex(
486 new Client_Key_Exchange(contents, pending_state, pending_state.server_rsa_kex_key(), *m_creds,
policy(),
rng()));
488 pending_state.compute_session_keys();
489 if(
policy().allow_ssl_key_log_file()) {
495 "CLIENT_RANDOM", pending_state.client_hello()->random(), pending_state.session_keys().master_secret());
499void Server_Impl_12::process_change_cipher_spec_msg(Server_Handshake_State& pending_state) {
504void Server_Impl_12::process_certificate_verify_msg(Server_Handshake_State& pending_state,
506 const std::vector<uint8_t>& contents) {
507 pending_state.client_verify(
new Certificate_Verify_12(contents));
509 const std::vector<X509_Certificate>& client_certs = pending_state.client_certs()->cert_chain();
511 if(client_certs.empty()) {
512 throw TLS_Exception(Alert::DecodeError,
"No client certificate sent");
516 throw TLS_Exception(Alert::BadCertificate,
"Client certificate does not support signing");
519 const bool sig_valid = pending_state.client_verify()->verify(client_certs[0], pending_state,
policy());
521 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
529 throw TLS_Exception(Alert::DecryptError,
"Client cert verify failed");
533 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
534 auto trusted_CAs = m_creds->trusted_certificate_authorities(
"tls-server", sni_hostname);
542 }
catch(std::exception& e) {
543 throw TLS_Exception(Alert::BadCertificate, e.what());
549void Server_Impl_12::process_finished_msg(Server_Handshake_State& pending_state,
551 const std::vector<uint8_t>& contents) {
554 if(pending_state.handshake_io().have_more_data()) {
555 throw TLS_Exception(Alert::UnexpectedMessage,
"Have data remaining in buffer after Finished");
558 pending_state.client_finished(
new Finished_12(contents));
561 throw TLS_Exception(Alert::DecryptError,
"Finished message didn't verify");
564 if(!pending_state.server_finished()) {
567 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
569 Session session_info(pending_state.session_keys().master_secret(),
570 pending_state.server_hello()->legacy_version(),
571 pending_state.server_hello()->ciphersuite(),
573 pending_state.server_hello()->supports_extended_master_secret(),
574 pending_state.server_hello()->supports_encrypt_then_mac(),
575 get_peer_cert_chain(pending_state),
576 Server_Information(pending_state.client_hello()->sni_hostname()),
577 pending_state.server_hello()->srtp_profile(),
584 summary.set_session_id(pending_state.server_hello()->session_id());
590 pending_state.server_hello()->session_id(),
591 !pending_state.server_hello()->supports_session_ticket());
593 if(pending_state.server_hello()->supports_session_ticket() && handle.has_value() && handle->is_ticket()) {
594 pending_state.new_session_ticket(
new New_Session_Ticket_12(pending_state.handshake_io(),
595 pending_state.hash(),
596 handle->ticket().value(),
597 policy().session_ticket_lifetime()));
601 if(!pending_state.new_session_ticket() && pending_state.server_hello()->supports_session_ticket()) {
602 pending_state.new_session_ticket(
603 new New_Session_Ticket_12(pending_state.handshake_io(), pending_state.hash()));
606 pending_state.handshake_io().send(Change_Cipher_Spec());
610 pending_state.server_finished(
620void Server_Impl_12::process_handshake_msg(
const Handshake_State* active_state,
621 Handshake_State& state_base,
623 const std::vector<uint8_t>& contents,
624 bool epoch0_restart) {
625 Server_Handshake_State& state =
dynamic_cast<Server_Handshake_State&
>(state_base);
626 state.confirm_transition_to(type);
637 state.hash().update(state.handshake_io().format(contents, type));
642 return this->process_client_hello_msg(active_state, state, contents, epoch0_restart);
645 return this->process_certificate_msg(state, contents);
648 return this->process_client_key_exchange_msg(state, contents);
651 return this->process_certificate_verify_msg(state, type, contents);
654 return this->process_change_cipher_spec_msg(state);
657 return this->process_finished_msg(state, type, contents);
660 throw Unexpected_Message(
"Unknown handshake message received");
664void Server_Impl_12::session_resume(Server_Handshake_State& pending_state,
const Session_with_Handle& session) {
668 const bool offer_new_session_ticket = pending_state.client_hello()->supports_session_ticket() &&
669 pending_state.client_hello()->session_ticket().empty() &&
672 pending_state.server_hello(
new Server_Hello_12(pending_state.handshake_io(),
673 pending_state.hash(),
678 *pending_state.client_hello(),
680 offer_new_session_ticket,
685 pending_state.mark_as_resumption();
686 pending_state.compute_session_keys(session.session.master_secret());
687 if(
policy().allow_ssl_key_log_file()) {
693 "CLIENT_RANDOM", pending_state.client_hello()->random(), pending_state.session_keys().master_secret());
695 pending_state.set_resume_certs(session.session.peer_certs());
701 summary.set_session_id(pending_state.server_hello()->session_id());
702 if(
auto ticket = session.handle.ticket()) {
703 summary.set_session_ticket(std::move(ticket.value()));
708 auto new_handle = [&,
this]() -> std::optional<Session_Handle> {
717 if(pending_state.server_hello()->supports_session_ticket()) {
718 if(new_handle.has_value() && new_handle->is_ticket()) {
719 pending_state.new_session_ticket(
new New_Session_Ticket_12(pending_state.handshake_io(),
720 pending_state.hash(),
721 new_handle->ticket().value(),
722 policy().session_ticket_lifetime()));
724 pending_state.new_session_ticket(
725 new New_Session_Ticket_12(pending_state.handshake_io(), pending_state.hash()));
729 pending_state.handshake_io().send(Change_Cipher_Spec());
733 pending_state.server_finished(
new Finished_12(pending_state.handshake_io(), pending_state,
Connection_Side::Server));
737void Server_Impl_12::session_create(Server_Handshake_State& pending_state) {
738 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
740 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
748 const auto cert_signature_schemes = pending_state.client_hello()->certificate_signature_schemes();
749 cert_chains = get_server_certs(sni_hostname, cert_signature_schemes, *m_creds);
751 if(!sni_hostname.empty() && cert_chains.empty()) {
752 cert_chains = get_server_certs(
"", cert_signature_schemes, *m_creds);
761 if(!cert_chains.empty()) {
766 const uint16_t ciphersuite =
767 choose_ciphersuite(
policy(), pending_state.version(), cert_chains, *pending_state.client_hello());
770 pending_state.version(),
774 pending_state.server_hello(
new Server_Hello_12(pending_state.handshake_io(),
775 pending_state.hash(),
780 *pending_state.client_hello(),
786 const Ciphersuite& pending_suite = pending_state.ciphersuite();
788 std::shared_ptr<Private_Key> private_key;
791 const std::string algo_used = pending_suite.signature_used() ? pending_suite.sig_algo() :
"RSA";
793 BOTAN_ASSERT(!cert_chains[algo_used].empty(),
"Attempting to send empty certificate chain");
795 pending_state.server_certs(
796 new Certificate_12(pending_state.handshake_io(), pending_state.hash(), cert_chains[algo_used]));
798 if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() ==
false) {
799 auto* csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
803 if(!resp_bytes.empty()) {
804 pending_state.server_cert_status(
805 new Certificate_Status(pending_state.handshake_io(), pending_state.hash(), resp_bytes));
809 private_key = m_creds->private_key_for(pending_state.server_certs()->cert_chain()[0],
"tls-server", sni_hostname);
812 throw Internal_Error(
"No private key located for associated server cert");
817 pending_state.set_server_rsa_kex_key(private_key);
819 pending_state.server_kex(
new Server_Key_Exchange(
820 pending_state.handshake_io(), pending_state,
policy(), *m_creds,
rng(), private_key.get()));
823 auto trusted_CAs = m_creds->trusted_certificate_authorities(
"tls-server", sni_hostname);
825 std::vector<X509_DN> client_auth_CAs;
827 for(
auto* store : trusted_CAs) {
828 auto subjects = store->all_subjects();
829 client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
834 if(request_cert && pending_state.ciphersuite().signature_used()) {
835 pending_state.cert_req(
836 new Certificate_Request_12(pending_state.handshake_io(), pending_state.hash(),
policy(), client_auth_CAs));
848 pending_state.server_hello_done(
new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_ASSERT_NONNULL(ptr)
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
#define BOTAN_ASSERT(expr, assertion_made)
virtual std::vector< uint8_t > tls_provide_cert_status(const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr)
virtual void tls_session_established(const Session_Summary &session)
virtual std::string tls_peer_network_identity()
virtual void tls_ssl_key_log_data(std::string_view label, std::span< const uint8_t > client_random, std::span< const uint8_t > secret) const
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
virtual bool tls_should_persist_resumption_information(const Session &session)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
RandomNumberGenerator & rng()
void change_cipher_spec_reader(Connection_Side side)
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
Callbacks & callbacks() const
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Session_Manager & session_manager()
const Policy & policy() const
void change_cipher_spec_writer(Connection_Side side)
std::optional< std::string > external_psk_identity() const override
void reset_active_association_state()
bool secure_renegotiation_supported() const override
void send_warning_alert(Alert::Type type)
static std::optional< Ciphersuite > by_id(uint16_t suite)
Handshake_State(std::unique_ptr< Handshake_IO > io, Callbacks &callbacks)
virtual bool request_client_certificate_authentication() const
Server_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
virtual size_t remove(const Session_Handle &handle)=0
virtual std::optional< Session_Handle > establish(const Session &session, const std::optional< Session_ID > &id=std::nullopt, bool tls12_no_ticket=false)
Save a new Session and assign a Session_Handle (TLS Server)
virtual bool emits_session_tickets()
int(* final)(unsigned char *, CTX *)
std::vector< AlgorithmIdentifier > to_algorithm_identifiers(const std::vector< Signature_Scheme > &schemes)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
bool value_exists(const std::vector< T > &vec, const OT &val)