9#include <botan/internal/tls_server_impl_12.h>
11#include <botan/ocsp.h>
12#include <botan/tls_magic.h>
13#include <botan/tls_messages.h>
14#include <botan/tls_server.h>
15#include <botan/tls_version.h>
16#include <botan/internal/stl_util.h>
17#include <botan/internal/tls_handshake_state.h>
21class Server_Handshake_State
final :
public Handshake_State {
23 Server_Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
Handshake_State(std::move(io), cb) {}
25 Private_Key* server_rsa_kex_key() {
return m_server_rsa_kex_key.get(); }
27 void set_server_rsa_kex_key(std::shared_ptr<Private_Key> key) { m_server_rsa_kex_key = std::move(key); }
29 bool allow_session_resumption()
const {
return m_allow_session_resumption; }
31 void set_allow_session_resumption(
bool allow_session_resumption) {
32 m_allow_session_resumption = allow_session_resumption;
35 const std::vector<X509_Certificate>& resume_peer_certs()
const {
return m_resume_peer_certs; }
37 void set_resume_certs(
const std::vector<X509_Certificate>& certs) { m_resume_peer_certs = certs; }
39 void mark_as_resumption() { m_is_a_resumption =
true; }
41 bool is_a_resumption()
const {
return m_is_a_resumption; }
45 std::shared_ptr<Private_Key> m_server_rsa_kex_key;
51 bool m_allow_session_resumption =
true;
53 bool m_is_a_resumption =
false;
55 std::vector<X509_Certificate> m_resume_peer_certs;
60std::optional<Session> check_for_resume(
const Session_Handle& handle_to_resume,
61 Session_Manager& session_manager,
64 const Client_Hello_12* client_hello) {
65 auto session = session_manager.retrieve(handle_to_resume, cb, policy);
66 if(!session.has_value()) {
71 if(client_hello->legacy_version() != session->version()) {
76 if(!
value_exists(client_hello->ciphersuites(), session->ciphersuite_code())) {
81 if(!client_hello->sni_hostname().empty() && client_hello->sni_hostname() != session->server_info().hostname()) {
86 if(client_hello->supports_extended_master_secret() != session->supports_extended_master_secret()) {
87 if(!session->supports_extended_master_secret()) {
94 throw TLS_Exception(Alert::HandshakeFailure,
"Client resumed extended ms session without sending extension");
99 if(!client_hello->supports_encrypt_then_mac() && session->supports_encrypt_then_mac()) {
104 throw TLS_Exception(Alert::HandshakeFailure,
"Client resumed Encrypt-then-MAC session without sending extension");
113uint16_t choose_ciphersuite(
const Policy& policy,
114 Protocol_Version version,
115 const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
116 const Client_Hello_12& client_hello) {
117 const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
118 const std::vector<uint16_t>& client_suites = client_hello.ciphersuites();
119 const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version);
121 if(server_suites.empty()) {
122 throw TLS_Exception(Alert::HandshakeFailure,
"Policy forbids us from negotiating any ciphersuite");
125 const bool have_shared_ecc_curve =
126 (policy.choose_key_exchange_group(client_hello.supported_ecc_curves(), {}) != Group_Params::NONE);
128 const bool client_supports_ffdhe_groups = !client_hello.supported_dh_groups().empty();
130 const bool have_shared_dh_group =
131 (policy.choose_key_exchange_group(client_hello.supported_dh_groups(), {}) != Group_Params::NONE);
136 std::vector<uint16_t> pref_list = server_suites;
137 std::vector<uint16_t> other_list = client_suites;
140 std::swap(pref_list, other_list);
143 for(
auto suite_id : pref_list) {
150 if(!suite.has_value() || !suite->valid()) {
154 if(have_shared_ecc_curve ==
false && suite->ecc_ciphersuite()) {
158 if(suite->kex_method() ==
Kex_Algo::DH && client_supports_ffdhe_groups && !have_shared_dh_group) {
163 if(suite->signature_used()) {
164 const std::string sig_algo = suite->sig_algo();
167 if(!cert_chains.contains(sig_algo)) {
171 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
173 std::vector<Signature_Scheme> client_sig_methods = client_hello.signature_schemes();
180 bool we_support_some_hash_by_client =
false;
182 for(Signature_Scheme scheme : client_sig_methods) {
183 if(!scheme.is_available()) {
187 if(scheme.algorithm_name() == suite->sig_algo() &&
188 policy.allowed_signature_hash(scheme.hash_function_name())) {
189 we_support_some_hash_by_client =
true;
193 if(we_support_some_hash_by_client ==
false) {
194 throw TLS_Exception(Alert::HandshakeFailure,
195 "Policy does not accept any hash function supported by client");
208 if(client_supports_ffdhe_groups && !have_shared_dh_group) {
209 throw TLS_Exception(Alert::InsufficientSecurity,
"Can't agree on a sufficiently strong ciphersuite with client");
212 throw TLS_Exception(Alert::HandshakeFailure,
"Can't agree on a ciphersuite with client");
215std::map<std::string, std::vector<X509_Certificate>> get_server_certs(
216 std::string_view hostname,
const std::vector<Signature_Scheme>& cert_sig_schemes, Credentials_Manager& creds) {
217 const char* cert_types[] = {
"RSA",
"ECDSA",
"DSA",
nullptr};
219 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
221 for(
size_t i = 0; cert_types[i]; ++i) {
222 const std::vector<X509_Certificate> certs = creds.cert_chain_single_type(
226 cert_chains[cert_types[i]] = certs;
236 const std::shared_ptr<Session_Manager>& session_manager,
237 const std::shared_ptr<Credentials_Manager>& creds,
238 const std::shared_ptr<const Policy>& policy,
239 const std::shared_ptr<RandomNumberGenerator>& rng,
242 Channel_Impl_12(callbacks, session_manager, rng, policy, true, is_datagram, io_buf_sz), m_creds(creds) {
248 downgrade_info.session_manager,
250 downgrade_info.policy,
253 downgrade_info.io_buffer_size),
254 m_creds(downgrade_info.creds) {}
256std::unique_ptr<Handshake_State> Server_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
257 auto state = std::make_unique<Server_Handshake_State>(std::move(io),
callbacks());
262std::vector<X509_Certificate> Server_Impl_12::get_peer_cert_chain(
const Handshake_State& state_base)
const {
263 const Server_Handshake_State& state =
dynamic_cast<const Server_Handshake_State&
>(state_base);
264 if(!state.resume_peer_certs().empty()) {
265 return state.resume_peer_certs();
268 if(state.client_certs()) {
269 return state.client_certs()->cert_chain();
271 return std::vector<X509_Certificate>();
277void Server_Impl_12::initiate_handshake(Handshake_State& state,
bool force_full_renegotiation) {
278 dynamic_cast<Server_Handshake_State&
>(state).set_allow_session_resumption(!force_full_renegotiation);
280 Hello_Request hello_req(state.handshake_io());
285Protocol_Version select_version(
const TLS::Policy& policy,
286 Protocol_Version client_offer,
287 Protocol_Version active_version,
288 const std::vector<Protocol_Version>& supported_versions) {
289 const bool is_datagram = client_offer.is_datagram_protocol();
290 const bool initial_handshake = (active_version.valid() ==
false);
292 if(!supported_versions.empty()) {
294 if(policy.allow_dtls12() &&
value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12))) {
295 return Protocol_Version::DTLS_V12;
297 throw TLS_Exception(Alert::ProtocolVersion,
"No shared DTLS version");
299 if(policy.allow_tls12() &&
value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12))) {
300 return Protocol_Version::TLS_V12;
302 throw TLS_Exception(Alert::ProtocolVersion,
"No shared TLS version");
306 if(!initial_handshake) {
314 if(active_version > client_offer) {
316 Alert::ProtocolVersion,
317 "Client negotiated " + active_version.to_string() +
" then renegotiated with " + client_offer.to_string());
319 return active_version;
324 if(policy.allow_dtls12() && client_offer >= Protocol_Version::DTLS_V12) {
325 return Protocol_Version::DTLS_V12;
328 if(policy.allow_tls12() && client_offer >= Protocol_Version::TLS_V12) {
329 return Protocol_Version::TLS_V12;
333 throw TLS_Exception(Alert::ProtocolVersion,
334 "Client version " + client_offer.to_string() +
" is unacceptable by policy");
341void Server_Impl_12::process_client_hello_msg(
const Handshake_State* active_state,
342 Server_Handshake_State& pending_state,
343 const std::vector<uint8_t>& contents,
344 bool epoch0_restart) {
347 const bool initial_handshake = epoch0_restart || !active_state;
349 if(initial_handshake ==
false &&
policy().allow_client_initiated_renegotiation() ==
false) {
350 if(
policy().abort_connection_on_undesired_renegotiation()) {
351 throw TLS_Exception(Alert::NoRenegotiation,
"Server policy prohibits renegotiation");
363 if(pending_state.handshake_io().have_more_data()) {
364 throw TLS_Exception(Alert::UnexpectedMessage,
"Have data remaining in buffer after ClientHello");
367 pending_state.client_hello(
new Client_Hello_12(contents));
368 const Protocol_Version client_offer = pending_state.client_hello()->legacy_version();
369 const bool datagram = client_offer.is_datagram_protocol();
372 if(client_offer.major_version() == 0xFF) {
373 throw TLS_Exception(Alert::ProtocolVersion,
"Client offered DTLS version with major version 0xFF");
376 if(client_offer.major_version() < 3) {
377 throw TLS_Exception(Alert::ProtocolVersion,
"Client offered TLS version with major version under 3");
379 if(client_offer.major_version() == 3 && client_offer.minor_version() == 0) {
380 throw TLS_Exception(Alert::ProtocolVersion,
"Client offered SSLv3 which is not supported");
394 const Protocol_Version negotiated_version =
397 active_state ? active_state->version() : Protocol_Version(),
398 pending_state.client_hello()->supported_versions());
400 pending_state.set_version(negotiated_version);
402 const auto compression_methods = pending_state.client_hello()->compression_methods();
404 throw TLS_Exception(Alert::IllegalParameter,
"Client did not offer NULL compression");
407 if(initial_handshake && datagram) {
411 cookie_secret = m_creds->psk(
"tls-server",
"dtls-cookie-secret",
"");
414 if(!cookie_secret.empty()) {
416 Hello_Verify_Request verify(pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
418 if(pending_state.client_hello()->cookie() != verify.cookie()) {
420 pending_state.handshake_io().send_under_epoch(verify, 0);
422 pending_state.handshake_io().send(verify);
425 pending_state.client_hello(
static_cast<Client_Hello_12*
>(
nullptr));
429 }
else if(epoch0_restart) {
430 throw TLS_Exception(Alert::HandshakeFailure,
"Reuse of DTLS association requires DTLS cookie secret be set");
444 const auto session_handle = pending_state.client_hello()->session_handle();
446 std::optional<Session> session_info;
447 if(pending_state.allow_session_resumption() && session_handle.has_value()) {
448 session_info = check_for_resume(
452 m_next_protocol =
"";
453 if(pending_state.client_hello()->supports_alpn()) {
457 if(session_info.has_value()) {
458 this->session_resume(pending_state, {session_info.value(), session_handle.value()});
461 this->session_create(pending_state);
465void Server_Impl_12::process_certificate_msg(Server_Handshake_State& pending_state,
466 const std::vector<uint8_t>& contents) {
467 pending_state.client_certs(
new Certificate_12(contents,
policy()));
470 if(pending_state.client_certs()->empty() &&
policy().require_client_certificate_authentication()) {
471 throw TLS_Exception(Alert::HandshakeFailure,
"Policy requires client send a certificate, but it did not");
477void Server_Impl_12::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
478 const std::vector<uint8_t>& contents) {
485 pending_state.client_kex(
486 new Client_Key_Exchange(contents, pending_state, pending_state.server_rsa_kex_key(), *m_creds,
policy(),
rng()));
488 pending_state.compute_session_keys();
491void Server_Impl_12::process_change_cipher_spec_msg(Server_Handshake_State& pending_state) {
496void Server_Impl_12::process_certificate_verify_msg(Server_Handshake_State& pending_state,
498 const std::vector<uint8_t>& contents) {
499 pending_state.client_verify(
new Certificate_Verify_12(contents));
501 const std::vector<X509_Certificate>& client_certs = pending_state.client_certs()->cert_chain();
503 if(client_certs.empty()) {
504 throw TLS_Exception(Alert::DecodeError,
"No client certificate sent");
508 throw TLS_Exception(Alert::BadCertificate,
"Client certificate does not support signing");
511 const bool sig_valid = pending_state.client_verify()->verify(client_certs[0], pending_state,
policy());
513 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
521 throw TLS_Exception(Alert::DecryptError,
"Client cert verify failed");
525 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
526 auto trusted_CAs = m_creds->trusted_certificate_authorities(
"tls-server", sni_hostname);
534 }
catch(std::exception& e) {
535 throw TLS_Exception(Alert::BadCertificate, e.what());
541void Server_Impl_12::process_finished_msg(Server_Handshake_State& pending_state,
543 const std::vector<uint8_t>& contents) {
546 if(pending_state.handshake_io().have_more_data()) {
547 throw TLS_Exception(Alert::UnexpectedMessage,
"Have data remaining in buffer after Finished");
550 pending_state.client_finished(
new Finished_12(contents));
553 throw TLS_Exception(Alert::DecryptError,
"Finished message didn't verify");
556 if(!pending_state.server_finished()) {
559 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
561 Session session_info(pending_state.session_keys().master_secret(),
562 pending_state.server_hello()->legacy_version(),
563 pending_state.server_hello()->ciphersuite(),
565 pending_state.server_hello()->supports_extended_master_secret(),
566 pending_state.server_hello()->supports_encrypt_then_mac(),
567 get_peer_cert_chain(pending_state),
568 Server_Information(pending_state.client_hello()->sni_hostname()),
569 pending_state.server_hello()->srtp_profile(),
576 summary.set_session_id(pending_state.server_hello()->session_id());
582 pending_state.server_hello()->session_id(),
583 !pending_state.server_hello()->supports_session_ticket());
585 if(pending_state.server_hello()->supports_session_ticket() && handle.has_value() && handle->is_ticket()) {
586 pending_state.new_session_ticket(
new New_Session_Ticket_12(pending_state.handshake_io(),
587 pending_state.hash(),
588 handle->ticket().value(),
589 policy().session_ticket_lifetime()));
593 if(!pending_state.new_session_ticket() && pending_state.server_hello()->supports_session_ticket()) {
594 pending_state.new_session_ticket(
595 new New_Session_Ticket_12(pending_state.handshake_io(), pending_state.hash()));
598 pending_state.handshake_io().send(Change_Cipher_Spec());
602 pending_state.server_finished(
612void Server_Impl_12::process_handshake_msg(
const Handshake_State* active_state,
613 Handshake_State& state_base,
615 const std::vector<uint8_t>& contents,
616 bool epoch0_restart) {
617 Server_Handshake_State& state =
dynamic_cast<Server_Handshake_State&
>(state_base);
618 state.confirm_transition_to(type);
629 state.hash().update(state.handshake_io().format(contents, type));
634 return this->process_client_hello_msg(active_state, state, contents, epoch0_restart);
637 return this->process_certificate_msg(state, contents);
640 return this->process_client_key_exchange_msg(state, contents);
643 return this->process_certificate_verify_msg(state, type, contents);
646 return this->process_change_cipher_spec_msg(state);
649 return this->process_finished_msg(state, type, contents);
652 throw Unexpected_Message(
"Unknown handshake message received");
656void Server_Impl_12::session_resume(Server_Handshake_State& pending_state,
const Session_with_Handle& session) {
660 const bool offer_new_session_ticket = pending_state.client_hello()->supports_session_ticket() &&
661 pending_state.client_hello()->session_ticket().empty() &&
664 pending_state.server_hello(
new Server_Hello_12(pending_state.handshake_io(),
665 pending_state.hash(),
670 *pending_state.client_hello(),
672 offer_new_session_ticket,
677 pending_state.mark_as_resumption();
678 pending_state.compute_session_keys(session.session.master_secret());
679 pending_state.set_resume_certs(session.session.peer_certs());
685 summary.set_session_id(pending_state.server_hello()->session_id());
686 if(
auto ticket = session.handle.ticket()) {
687 summary.set_session_ticket(std::move(ticket.value()));
692 auto new_handle = [&,
this]() -> std::optional<Session_Handle> {
701 if(pending_state.server_hello()->supports_session_ticket()) {
702 if(new_handle.has_value() && new_handle->is_ticket()) {
703 pending_state.new_session_ticket(
new New_Session_Ticket_12(pending_state.handshake_io(),
704 pending_state.hash(),
705 new_handle->ticket().value(),
706 policy().session_ticket_lifetime()));
708 pending_state.new_session_ticket(
709 new New_Session_Ticket_12(pending_state.handshake_io(), pending_state.hash()));
713 pending_state.handshake_io().send(Change_Cipher_Spec());
717 pending_state.server_finished(
new Finished_12(pending_state.handshake_io(), pending_state,
Connection_Side::Server));
721void Server_Impl_12::session_create(Server_Handshake_State& pending_state) {
722 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
724 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
732 const auto cert_signature_schemes = pending_state.client_hello()->certificate_signature_schemes();
733 cert_chains = get_server_certs(sni_hostname, cert_signature_schemes, *m_creds);
735 if(!sni_hostname.empty() && cert_chains.empty()) {
736 cert_chains = get_server_certs(
"", cert_signature_schemes, *m_creds);
745 if(!cert_chains.empty()) {
750 const uint16_t ciphersuite =
751 choose_ciphersuite(
policy(), pending_state.version(), cert_chains, *pending_state.client_hello());
754 pending_state.version(),
758 pending_state.server_hello(
new Server_Hello_12(pending_state.handshake_io(),
759 pending_state.hash(),
764 *pending_state.client_hello(),
770 const Ciphersuite& pending_suite = pending_state.ciphersuite();
772 std::shared_ptr<Private_Key> private_key;
775 const std::string algo_used = pending_suite.signature_used() ? pending_suite.sig_algo() :
"RSA";
777 BOTAN_ASSERT(!cert_chains[algo_used].empty(),
"Attempting to send empty certificate chain");
779 pending_state.server_certs(
780 new Certificate_12(pending_state.handshake_io(), pending_state.hash(), cert_chains[algo_used]));
782 if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() ==
false) {
783 auto* csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
787 if(!resp_bytes.empty()) {
788 pending_state.server_cert_status(
789 new Certificate_Status(pending_state.handshake_io(), pending_state.hash(), resp_bytes));
793 private_key = m_creds->private_key_for(pending_state.server_certs()->cert_chain()[0],
"tls-server", sni_hostname);
796 throw Internal_Error(
"No private key located for associated server cert");
801 pending_state.set_server_rsa_kex_key(private_key);
803 pending_state.server_kex(
new Server_Key_Exchange(
804 pending_state.handshake_io(), pending_state,
policy(), *m_creds,
rng(), private_key.get()));
807 auto trusted_CAs = m_creds->trusted_certificate_authorities(
"tls-server", sni_hostname);
809 std::vector<X509_DN> client_auth_CAs;
811 for(
auto* store : trusted_CAs) {
812 auto subjects = store->all_subjects();
813 client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
818 if(request_cert && pending_state.ciphersuite().signature_used()) {
819 pending_state.cert_req(
820 new Certificate_Request_12(pending_state.handshake_io(), pending_state.hash(),
policy(), client_auth_CAs));
832 pending_state.server_hello_done(
new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_ASSERT_NONNULL(ptr)
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
#define BOTAN_ASSERT(expr, assertion_made)
virtual std::vector< uint8_t > tls_provide_cert_status(const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr)
virtual void tls_session_established(const Session_Summary &session)
virtual std::string tls_peer_network_identity()
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
virtual bool tls_should_persist_resumption_information(const Session &session)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
RandomNumberGenerator & rng()
void change_cipher_spec_reader(Connection_Side side)
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
Callbacks & callbacks() const
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Session_Manager & session_manager()
const Policy & policy() const
void change_cipher_spec_writer(Connection_Side side)
std::optional< std::string > external_psk_identity() const override
void reset_active_association_state()
bool secure_renegotiation_supported() const override
void send_warning_alert(Alert::Type type)
static std::optional< Ciphersuite > by_id(uint16_t suite)
Handshake_State(std::unique_ptr< Handshake_IO > io, Callbacks &callbacks)
virtual bool request_client_certificate_authentication() const
Server_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
virtual size_t remove(const Session_Handle &handle)=0
virtual std::optional< Session_Handle > establish(const Session &session, const std::optional< Session_ID > &id=std::nullopt, bool tls12_no_ticket=false)
Save a new Session and assign a Session_Handle (TLS Server)
virtual bool emits_session_tickets()
int(* final)(unsigned char *, CTX *)
std::vector< AlgorithmIdentifier > to_algorithm_identifiers(const std::vector< Signature_Scheme > &schemes)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
bool value_exists(const std::vector< T > &vec, const OT &val)