Botan 3.4.0
Crypto and TLS for C&
tls_server_impl_12.cpp
Go to the documentation of this file.
1/*
2* TLS Server
3* (C) 2004-2011,2012,2016 Jack Lloyd
4* 2016 Matthias Gierlings
5*
6* Botan is released under the Simplified BSD License (see license.txt)
7*/
8
9#include <botan/internal/tls_server_impl_12.h>
10
11#include <botan/ocsp.h>
12#include <botan/tls_magic.h>
13#include <botan/tls_messages.h>
14#include <botan/tls_server.h>
15#include <botan/tls_version.h>
16#include <botan/internal/stl_util.h>
17#include <botan/internal/tls_handshake_state.h>
18
19namespace Botan::TLS {
20
21class Server_Handshake_State final : public Handshake_State {
22 public:
23 Server_Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) : Handshake_State(std::move(io), cb) {}
24
25 Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key.get(); }
26
27 void set_server_rsa_kex_key(std::shared_ptr<Private_Key> key) { m_server_rsa_kex_key = std::move(key); }
28
29 bool allow_session_resumption() const { return m_allow_session_resumption; }
30
31 void set_allow_session_resumption(bool allow_session_resumption) {
32 m_allow_session_resumption = allow_session_resumption;
33 }
34
35 const std::vector<X509_Certificate>& resume_peer_certs() const { return m_resume_peer_certs; }
36
37 void set_resume_certs(const std::vector<X509_Certificate>& certs) { m_resume_peer_certs = certs; }
38
39 void mark_as_resumption() { m_is_a_resumption = true; }
40
41 bool is_a_resumption() const { return m_is_a_resumption; }
42
43 private:
44 // Used by the server only, in case of RSA key exchange.
45 std::shared_ptr<Private_Key> m_server_rsa_kex_key;
46
47 /*
48 * Used by the server to know if resumption should be allowed on
49 * a server-initiated renegotiation
50 */
51 bool m_allow_session_resumption = true;
52
53 bool m_is_a_resumption = false;
54
55 std::vector<X509_Certificate> m_resume_peer_certs;
56};
57
58namespace {
59
60std::optional<Session> check_for_resume(const Session_Handle& handle_to_resume,
61 Session_Manager& session_manager,
62 Callbacks& cb,
63 const Policy& policy,
64 const Client_Hello_12* client_hello) {
65 auto session = session_manager.retrieve(handle_to_resume, cb, policy);
66 if(!session.has_value()) {
67 return std::nullopt;
68 }
69
70 // wrong version
71 if(client_hello->legacy_version() != session->version()) {
72 return std::nullopt;
73 }
74
75 // client didn't send original ciphersuite
76 if(!value_exists(client_hello->ciphersuites(), session->ciphersuite_code())) {
77 return std::nullopt;
78 }
79
80 // client sent a different SNI hostname
81 if(!client_hello->sni_hostname().empty() && client_hello->sni_hostname() != session->server_info().hostname()) {
82 return std::nullopt;
83 }
84
85 // Checking extended_master_secret on resume (RFC 7627 section 5.3)
86 if(client_hello->supports_extended_master_secret() != session->supports_extended_master_secret()) {
87 if(!session->supports_extended_master_secret()) {
88 return std::nullopt; // force new handshake with extended master secret
89 } else {
90 /*
91 Client previously negotiated session with extended master secret,
92 but has now attempted to resume without the extension: abort
93 */
94 throw TLS_Exception(Alert::HandshakeFailure, "Client resumed extended ms session without sending extension");
95 }
96 }
97
98 // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
99 if(!client_hello->supports_encrypt_then_mac() && session->supports_encrypt_then_mac()) {
100 /*
101 Client previously negotiated session with Encrypt-then-MAC,
102 but has now attempted to resume without the extension: abort
103 */
104 throw TLS_Exception(Alert::HandshakeFailure, "Client resumed Encrypt-then-MAC session without sending extension");
105 }
106
107 return session;
108}
109
110/*
111* Choose which ciphersuite to use
112*/
113uint16_t choose_ciphersuite(const Policy& policy,
114 Protocol_Version version,
115 const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
116 const Client_Hello_12& client_hello) {
117 const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
118 const std::vector<uint16_t>& client_suites = client_hello.ciphersuites();
119 const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version);
120
121 if(server_suites.empty()) {
122 throw TLS_Exception(Alert::HandshakeFailure, "Policy forbids us from negotiating any ciphersuite");
123 }
124
125 const bool have_shared_ecc_curve =
126 (policy.choose_key_exchange_group(client_hello.supported_ecc_curves(), {}) != Group_Params::NONE);
127
128 const bool client_supports_ffdhe_groups = !client_hello.supported_dh_groups().empty();
129
130 const bool have_shared_dh_group =
131 (policy.choose_key_exchange_group(client_hello.supported_dh_groups(), {}) != Group_Params::NONE);
132
133 /*
134 Walk down one list in preference order
135 */
136 std::vector<uint16_t> pref_list = server_suites;
137 std::vector<uint16_t> other_list = client_suites;
138
139 if(!our_choice) {
140 std::swap(pref_list, other_list);
141 }
142
143 for(auto suite_id : pref_list) {
144 if(!value_exists(other_list, suite_id)) {
145 continue;
146 }
147
148 const auto suite = Ciphersuite::by_id(suite_id);
149
150 if(!suite.has_value() || !suite->valid()) {
151 continue;
152 }
153
154 if(have_shared_ecc_curve == false && suite->ecc_ciphersuite()) {
155 continue;
156 }
157
158 if(suite->kex_method() == Kex_Algo::DH && client_supports_ffdhe_groups && !have_shared_dh_group) {
159 continue;
160 }
161
162 // For non-anon ciphersuites
163 if(suite->signature_used()) {
164 const std::string sig_algo = suite->sig_algo();
165
166 // Do we have any certificates for this sig?
167 if(!cert_chains.contains(sig_algo)) {
168 continue;
169 }
170
171 const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
172
173 std::vector<Signature_Scheme> client_sig_methods = client_hello.signature_schemes();
174
175 /*
176 Contrary to the wording of draft-ietf-tls-md5-sha1-deprecate we do
177 not enforce that clients do not offer support SHA-1 or MD5
178 signatures; we just ignore it.
179 */
180 bool we_support_some_hash_by_client = false;
181
182 for(Signature_Scheme scheme : client_sig_methods) {
183 if(!scheme.is_available()) {
184 continue;
185 }
186
187 if(scheme.algorithm_name() == suite->sig_algo() &&
188 policy.allowed_signature_hash(scheme.hash_function_name())) {
189 we_support_some_hash_by_client = true;
190 }
191 }
192
193 if(we_support_some_hash_by_client == false) {
194 throw TLS_Exception(Alert::HandshakeFailure,
195 "Policy does not accept any hash function supported by client");
196 }
197 }
198
199 return suite_id;
200 }
201
202 // RFC 7919 Section 4.
203 // If the [Supported Groups] extension is present
204 // with FFDHE groups, none of the client’s offered groups are acceptable
205 // by the server, and none of the client’s proposed non-FFDHE cipher
206 // suites are acceptable to the server, the server MUST end the
207 // connection with a fatal TLS alert of type insufficient_security(71).
208 if(client_supports_ffdhe_groups && !have_shared_dh_group) {
209 throw TLS_Exception(Alert::InsufficientSecurity, "Can't agree on a sufficiently strong ciphersuite with client");
210 }
211
212 throw TLS_Exception(Alert::HandshakeFailure, "Can't agree on a ciphersuite with client");
213}
214
215std::map<std::string, std::vector<X509_Certificate>> get_server_certs(
216 std::string_view hostname, const std::vector<Signature_Scheme>& cert_sig_schemes, Credentials_Manager& creds) {
217 const char* cert_types[] = {"RSA", "ECDSA", "DSA", nullptr};
218
219 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
220
221 for(size_t i = 0; cert_types[i]; ++i) {
222 const std::vector<X509_Certificate> certs = creds.cert_chain_single_type(
223 cert_types[i], to_algorithm_identifiers(cert_sig_schemes), "tls-server", std::string(hostname));
224
225 if(!certs.empty()) {
226 cert_chains[cert_types[i]] = certs;
227 }
228 }
229
230 return cert_chains;
231}
232
233} // namespace
234
235Server_Impl_12::Server_Impl_12(const std::shared_ptr<Callbacks>& callbacks,
236 const std::shared_ptr<Session_Manager>& session_manager,
237 const std::shared_ptr<Credentials_Manager>& creds,
238 const std::shared_ptr<const Policy>& policy,
239 const std::shared_ptr<RandomNumberGenerator>& rng,
240 bool is_datagram,
241 size_t io_buf_sz) :
242 Channel_Impl_12(callbacks, session_manager, rng, policy, true, is_datagram, io_buf_sz), m_creds(creds) {
243 BOTAN_ASSERT_NONNULL(m_creds);
244}
245
246Server_Impl_12::Server_Impl_12(const Channel_Impl::Downgrade_Information& downgrade_info) :
247 Channel_Impl_12(downgrade_info.callbacks,
248 downgrade_info.session_manager,
249 downgrade_info.rng,
250 downgrade_info.policy,
251 true /* is_server*/,
252 false /* TLS 1.3 does not support DTLS yet */,
253 downgrade_info.io_buffer_size),
254 m_creds(downgrade_info.creds) {}
255
256std::unique_ptr<Handshake_State> Server_Impl_12::new_handshake_state(std::unique_ptr<Handshake_IO> io) {
257 auto state = std::make_unique<Server_Handshake_State>(std::move(io), callbacks());
258 state->set_expected_next(Handshake_Type::ClientHello);
259 return state;
260}
261
262std::vector<X509_Certificate> Server_Impl_12::get_peer_cert_chain(const Handshake_State& state_base) const {
263 const Server_Handshake_State& state = dynamic_cast<const Server_Handshake_State&>(state_base);
264 if(!state.resume_peer_certs().empty()) {
265 return state.resume_peer_certs();
266 }
267
268 if(state.client_certs()) {
269 return state.client_certs()->cert_chain();
270 }
271 return std::vector<X509_Certificate>();
272}
273
274/*
275* Send a hello request to the client
276*/
277void Server_Impl_12::initiate_handshake(Handshake_State& state, bool force_full_renegotiation) {
278 dynamic_cast<Server_Handshake_State&>(state).set_allow_session_resumption(!force_full_renegotiation);
279
280 Hello_Request hello_req(state.handshake_io());
281}
282
283namespace {
284
285Protocol_Version select_version(const TLS::Policy& policy,
286 Protocol_Version client_offer,
287 Protocol_Version active_version,
288 const std::vector<Protocol_Version>& supported_versions) {
289 const bool is_datagram = client_offer.is_datagram_protocol();
290 const bool initial_handshake = (active_version.valid() == false);
291
292 if(!supported_versions.empty()) {
293 if(is_datagram) {
294 if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12))) {
295 return Protocol_Version::DTLS_V12;
296 }
297 throw TLS_Exception(Alert::ProtocolVersion, "No shared DTLS version");
298 } else {
299 if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12))) {
300 return Protocol_Version::TLS_V12;
301 }
302 throw TLS_Exception(Alert::ProtocolVersion, "No shared TLS version");
303 }
304 }
305
306 if(!initial_handshake) {
307 /*
308 * If this is a renegotiation, and the client has offered a
309 * later version than what it initially negotiated, negotiate
310 * the old version. This matches OpenSSL's behavior. If the
311 * client is offering a version earlier than what it initially
312 * negotiated, reject as a probable attack.
313 */
314 if(active_version > client_offer) {
315 throw TLS_Exception(
316 Alert::ProtocolVersion,
317 "Client negotiated " + active_version.to_string() + " then renegotiated with " + client_offer.to_string());
318 } else {
319 return active_version;
320 }
321 }
322
323 if(is_datagram) {
324 if(policy.allow_dtls12() && client_offer >= Protocol_Version::DTLS_V12) {
325 return Protocol_Version::DTLS_V12;
326 }
327 } else {
328 if(policy.allow_tls12() && client_offer >= Protocol_Version::TLS_V12) {
329 return Protocol_Version::TLS_V12;
330 }
331 }
332
333 throw TLS_Exception(Alert::ProtocolVersion,
334 "Client version " + client_offer.to_string() + " is unacceptable by policy");
335}
336} // namespace
337
338/*
339* Process a Client Hello Message
340*/
341void Server_Impl_12::process_client_hello_msg(const Handshake_State* active_state,
342 Server_Handshake_State& pending_state,
343 const std::vector<uint8_t>& contents,
344 bool epoch0_restart) {
345 BOTAN_ASSERT_IMPLICATION(epoch0_restart, active_state != nullptr, "Can't restart with a dead connection");
346
347 const bool initial_handshake = epoch0_restart || !active_state;
348
349 if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false) {
350 if(policy().abort_connection_on_undesired_renegotiation()) {
351 throw TLS_Exception(Alert::NoRenegotiation, "Server policy prohibits renegotiation");
352 } else {
353 send_warning_alert(Alert::NoRenegotiation);
354 }
355 return;
356 }
357
358 if(!policy().allow_insecure_renegotiation() && !(initial_handshake || secure_renegotiation_supported())) {
359 send_warning_alert(Alert::NoRenegotiation);
360 return;
361 }
362
363 if(pending_state.handshake_io().have_more_data()) {
364 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after ClientHello");
365 }
366
367 pending_state.client_hello(new Client_Hello_12(contents));
368 const Protocol_Version client_offer = pending_state.client_hello()->legacy_version();
369 const bool datagram = client_offer.is_datagram_protocol();
370
371 if(datagram) {
372 if(client_offer.major_version() == 0xFF) {
373 throw TLS_Exception(Alert::ProtocolVersion, "Client offered DTLS version with major version 0xFF");
374 }
375 } else {
376 if(client_offer.major_version() < 3) {
377 throw TLS_Exception(Alert::ProtocolVersion, "Client offered TLS version with major version under 3");
378 }
379 if(client_offer.major_version() == 3 && client_offer.minor_version() == 0) {
380 throw TLS_Exception(Alert::ProtocolVersion, "Client offered SSLv3 which is not supported");
381 }
382 }
383
384 /*
385 * BoGo test suite expects that we will send the hello verify with a record
386 * version matching the version that is eventually negotiated. This is wrong
387 * but harmless, so go with it. Also doing the version negotiation step first
388 * allows to immediately close the connection with an alert if the client has
389 * offered a version that we are not going to negotiate anyway, instead of
390 * making them first do the cookie exchange and then telling them no.
391 *
392 * There is no issue with amplification here, since the alert is just 2 bytes.
393 */
394 const Protocol_Version negotiated_version =
395 select_version(policy(),
396 client_offer,
397 active_state ? active_state->version() : Protocol_Version(),
398 pending_state.client_hello()->supported_versions());
399
400 pending_state.set_version(negotiated_version);
401
402 const auto compression_methods = pending_state.client_hello()->compression_methods();
403 if(!value_exists(compression_methods, uint8_t(0))) {
404 throw TLS_Exception(Alert::IllegalParameter, "Client did not offer NULL compression");
405 }
406
407 if(initial_handshake && datagram) {
408 SymmetricKey cookie_secret;
409
410 try {
411 cookie_secret = m_creds->psk("tls-server", "dtls-cookie-secret", "");
412 } catch(...) {}
413
414 if(!cookie_secret.empty()) {
415 const std::string client_identity = callbacks().tls_peer_network_identity();
416 Hello_Verify_Request verify(pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
417
418 if(pending_state.client_hello()->cookie() != verify.cookie()) {
419 if(epoch0_restart) {
420 pending_state.handshake_io().send_under_epoch(verify, 0);
421 } else {
422 pending_state.handshake_io().send(verify);
423 }
424
425 pending_state.client_hello(static_cast<Client_Hello_12*>(nullptr));
426 pending_state.set_expected_next(Handshake_Type::ClientHello);
427 return;
428 }
429 } else if(epoch0_restart) {
430 throw TLS_Exception(Alert::HandshakeFailure, "Reuse of DTLS association requires DTLS cookie secret be set");
431 }
432 }
433
434 if(epoch0_restart) {
435 // If we reached here then we were able to verify the cookie
436 reset_active_association_state();
437 }
438
439 secure_renegotiation_check(pending_state.client_hello());
440
441 callbacks().tls_examine_extensions(
442 pending_state.client_hello()->extensions(), Connection_Side::Client, Handshake_Type::ClientHello);
443
444 const auto session_handle = pending_state.client_hello()->session_handle();
445
446 std::optional<Session> session_info;
447 if(pending_state.allow_session_resumption() && session_handle.has_value()) {
448 session_info = check_for_resume(
449 session_handle.value(), session_manager(), callbacks(), policy(), pending_state.client_hello());
450 }
451
452 m_next_protocol = "";
453 if(pending_state.client_hello()->supports_alpn()) {
454 m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
455 }
456
457 if(session_info.has_value()) {
458 this->session_resume(pending_state, {session_info.value(), session_handle.value()});
459 } else // new session
460 {
461 this->session_create(pending_state);
462 }
463}
464
465void Server_Impl_12::process_certificate_msg(Server_Handshake_State& pending_state,
466 const std::vector<uint8_t>& contents) {
467 pending_state.client_certs(new Certificate_12(contents, policy()));
468
469 // CERTIFICATE_REQUIRED would make more sense but BoGo expects handshake failure alert
470 if(pending_state.client_certs()->empty() && policy().require_client_certificate_authentication()) {
471 throw TLS_Exception(Alert::HandshakeFailure, "Policy requires client send a certificate, but it did not");
472 }
473
474 pending_state.set_expected_next(Handshake_Type::ClientKeyExchange);
475}
476
477void Server_Impl_12::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
478 const std::vector<uint8_t>& contents) {
479 if(pending_state.received_handshake_msg(Handshake_Type::Certificate) && !pending_state.client_certs()->empty()) {
480 pending_state.set_expected_next(Handshake_Type::CertificateVerify);
481 } else {
482 pending_state.set_expected_next(Handshake_Type::HandshakeCCS);
483 }
484
485 pending_state.client_kex(
486 new Client_Key_Exchange(contents, pending_state, pending_state.server_rsa_kex_key(), *m_creds, policy(), rng()));
487
488 pending_state.compute_session_keys();
489}
490
491void Server_Impl_12::process_change_cipher_spec_msg(Server_Handshake_State& pending_state) {
492 pending_state.set_expected_next(Handshake_Type::Finished);
493 change_cipher_spec_reader(Connection_Side::Server);
494}
495
496void Server_Impl_12::process_certificate_verify_msg(Server_Handshake_State& pending_state,
497 Handshake_Type type,
498 const std::vector<uint8_t>& contents) {
499 pending_state.client_verify(new Certificate_Verify_12(contents));
500
501 const std::vector<X509_Certificate>& client_certs = pending_state.client_certs()->cert_chain();
502
503 if(client_certs.empty()) {
504 throw TLS_Exception(Alert::DecodeError, "No client certificate sent");
505 }
506
507 if(!client_certs[0].allowed_usage(Key_Constraints::DigitalSignature)) {
508 throw TLS_Exception(Alert::BadCertificate, "Client certificate does not support signing");
509 }
510
511 const bool sig_valid = pending_state.client_verify()->verify(client_certs[0], pending_state, policy());
512
513 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
514
515 /*
516 * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
517 * "A handshake cryptographic operation failed, including being
518 * unable to correctly verify a signature, ..."
519 */
520 if(!sig_valid) {
521 throw TLS_Exception(Alert::DecryptError, "Client cert verify failed");
522 }
523
524 try {
525 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
526 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-server", sni_hostname);
527
528 callbacks().tls_verify_cert_chain(client_certs,
529 {}, // ocsp
530 trusted_CAs,
531 Usage_Type::TLS_CLIENT_AUTH,
532 sni_hostname,
533 policy());
534 } catch(std::exception& e) {
535 throw TLS_Exception(Alert::BadCertificate, e.what());
536 }
537
538 pending_state.set_expected_next(Handshake_Type::HandshakeCCS);
539}
540
541void Server_Impl_12::process_finished_msg(Server_Handshake_State& pending_state,
542 Handshake_Type type,
543 const std::vector<uint8_t>& contents) {
544 pending_state.set_expected_next(Handshake_Type::None);
545
546 if(pending_state.handshake_io().have_more_data()) {
547 throw TLS_Exception(Alert::UnexpectedMessage, "Have data remaining in buffer after Finished");
548 }
549
550 pending_state.client_finished(new Finished_12(contents));
551
552 if(!pending_state.client_finished()->verify(pending_state, Connection_Side::Client)) {
553 throw TLS_Exception(Alert::DecryptError, "Finished message didn't verify");
554 }
555
556 if(!pending_state.server_finished()) {
557 // already sent finished if resuming, so this is a new session
558
559 pending_state.hash().update(pending_state.handshake_io().format(contents, type));
560
561 Session session_info(pending_state.session_keys().master_secret(),
562 pending_state.server_hello()->legacy_version(),
563 pending_state.server_hello()->ciphersuite(),
564 Connection_Side::Server,
565 pending_state.server_hello()->supports_extended_master_secret(),
566 pending_state.server_hello()->supports_encrypt_then_mac(),
567 get_peer_cert_chain(pending_state),
568 Server_Information(pending_state.client_hello()->sni_hostname()),
569 pending_state.server_hello()->srtp_profile(),
570 callbacks().tls_current_timestamp());
571
572 // Give the application a chance for a final veto before fully
573 // establishing the connection.
574 callbacks().tls_session_established([&, this] {
575 Session_Summary summary(session_info, pending_state.is_a_resumption(), external_psk_identity());
576 summary.set_session_id(pending_state.server_hello()->session_id());
577 return summary;
578 }());
579
580 if(callbacks().tls_should_persist_resumption_information(session_info)) {
581 auto handle = session_manager().establish(session_info,
582 pending_state.server_hello()->session_id(),
583 !pending_state.server_hello()->supports_session_ticket());
584
585 if(pending_state.server_hello()->supports_session_ticket() && handle.has_value() && handle->is_ticket()) {
586 pending_state.new_session_ticket(new New_Session_Ticket_12(pending_state.handshake_io(),
587 pending_state.hash(),
588 handle->ticket().value(),
589 policy().session_ticket_lifetime()));
590 }
591 }
592
593 if(!pending_state.new_session_ticket() && pending_state.server_hello()->supports_session_ticket()) {
594 pending_state.new_session_ticket(
595 new New_Session_Ticket_12(pending_state.handshake_io(), pending_state.hash()));
596 }
597
598 pending_state.handshake_io().send(Change_Cipher_Spec());
599
600 change_cipher_spec_writer(Connection_Side::Server);
601
602 pending_state.server_finished(
603 new Finished_12(pending_state.handshake_io(), pending_state, Connection_Side::Server));
604 }
605
606 activate_session();
607}
608
609/*
610* Process a handshake message
611*/
612void Server_Impl_12::process_handshake_msg(const Handshake_State* active_state,
613 Handshake_State& state_base,
614 Handshake_Type type,
615 const std::vector<uint8_t>& contents,
616 bool epoch0_restart) {
617 Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
618 state.confirm_transition_to(type);
619
620 /*
621 * The change cipher spec message isn't technically a handshake
622 * message so it's not included in the hash. The finished and
623 * certificate verify messages are verified based on the current
624 * state of the hash *before* this message so we delay adding them
625 * to the hash computation until we've processed them below.
626 */
627 if(type != Handshake_Type::HandshakeCCS && type != Handshake_Type::Finished &&
628 type != Handshake_Type::CertificateVerify) {
629 state.hash().update(state.handshake_io().format(contents, type));
630 }
631
632 switch(type) {
633 case Handshake_Type::ClientHello:
634 return this->process_client_hello_msg(active_state, state, contents, epoch0_restart);
635
636 case Handshake_Type::Certificate:
637 return this->process_certificate_msg(state, contents);
638
639 case Handshake_Type::ClientKeyExchange:
640 return this->process_client_key_exchange_msg(state, contents);
641
642 case Handshake_Type::CertificateVerify:
643 return this->process_certificate_verify_msg(state, type, contents);
644
645 case Handshake_Type::HandshakeCCS:
646 return this->process_change_cipher_spec_msg(state);
647
648 case Handshake_Type::Finished:
649 return this->process_finished_msg(state, type, contents);
650
651 default:
652 throw Unexpected_Message("Unknown handshake message received");
653 }
654}
655
656void Server_Impl_12::session_resume(Server_Handshake_State& pending_state, const Session_with_Handle& session) {
657 // Only offer a resuming client a new ticket if they didn't send one this time,
658 // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
659
660 const bool offer_new_session_ticket = pending_state.client_hello()->supports_session_ticket() &&
661 pending_state.client_hello()->session_ticket().empty() &&
662 session_manager().emits_session_tickets();
663
664 pending_state.server_hello(new Server_Hello_12(pending_state.handshake_io(),
665 pending_state.hash(),
666 policy(),
667 callbacks(),
668 rng(),
669 secure_renegotiation_data_for_server_hello(),
670 *pending_state.client_hello(),
671 session.session,
672 offer_new_session_ticket,
673 m_next_protocol));
674
675 secure_renegotiation_check(pending_state.server_hello());
676
677 pending_state.mark_as_resumption();
678 pending_state.compute_session_keys(session.session.master_secret());
679 pending_state.set_resume_certs(session.session.peer_certs());
680
681 // Give the application a chance for a final veto before fully
682 // establishing the connection.
683 callbacks().tls_session_established([&, this] {
684 Session_Summary summary(session.session, pending_state.is_a_resumption(), external_psk_identity());
685 summary.set_session_id(pending_state.server_hello()->session_id());
686 if(auto ticket = session.handle.ticket()) {
687 summary.set_session_ticket(std::move(ticket.value()));
688 }
689 return summary;
690 }());
691
692 auto new_handle = [&, this]() -> std::optional<Session_Handle> {
693 if(!callbacks().tls_should_persist_resumption_information(session.session)) {
694 session_manager().remove(session.handle);
695 return std::nullopt;
696 } else {
697 return session_manager().establish(session.session, session.handle.id());
698 }
699 }();
700
701 if(pending_state.server_hello()->supports_session_ticket()) {
702 if(new_handle.has_value() && new_handle->is_ticket()) {
703 pending_state.new_session_ticket(new New_Session_Ticket_12(pending_state.handshake_io(),
704 pending_state.hash(),
705 new_handle->ticket().value(),
706 policy().session_ticket_lifetime()));
707 } else {
708 pending_state.new_session_ticket(
709 new New_Session_Ticket_12(pending_state.handshake_io(), pending_state.hash()));
710 }
711 }
712
713 pending_state.handshake_io().send(Change_Cipher_Spec());
714
715 change_cipher_spec_writer(Connection_Side::Server);
716
717 pending_state.server_finished(new Finished_12(pending_state.handshake_io(), pending_state, Connection_Side::Server));
718 pending_state.set_expected_next(Handshake_Type::HandshakeCCS);
719}
720
721void Server_Impl_12::session_create(Server_Handshake_State& pending_state) {
722 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
723
724 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
725
726 // RFC 8446 1.3
727 // The "signature_algorithms_cert" extension allows a client to indicate
728 // which signature algorithms it can validate in X.509 certificates.
729 //
730 // RFC 8446 4.2.3
731 // TLS 1.2 implementations SHOULD also process this extension.
732 const auto cert_signature_schemes = pending_state.client_hello()->certificate_signature_schemes();
733 cert_chains = get_server_certs(sni_hostname, cert_signature_schemes, *m_creds);
734
735 if(!sni_hostname.empty() && cert_chains.empty()) {
736 cert_chains = get_server_certs("", cert_signature_schemes, *m_creds);
737
738 /*
739 * Only send the unrecognized_name alert if we couldn't
740 * find any certs for the requested name but did find at
741 * least one cert to use in general. That avoids sending an
742 * unrecognized_name when a server is configured for purely
743 * anonymous/PSK operation.
744 */
745 if(!cert_chains.empty()) {
746 send_warning_alert(Alert::UnrecognizedName);
747 }
748 }
749
750 const uint16_t ciphersuite =
751 choose_ciphersuite(policy(), pending_state.version(), cert_chains, *pending_state.client_hello());
752
753 Server_Hello_12::Settings srv_settings(Session_ID(make_hello_random(rng(), callbacks(), policy())),
754 pending_state.version(),
755 ciphersuite,
756 session_manager().emits_session_tickets());
757
758 pending_state.server_hello(new Server_Hello_12(pending_state.handshake_io(),
759 pending_state.hash(),
760 policy(),
761 callbacks(),
762 rng(),
763 secure_renegotiation_data_for_server_hello(),
764 *pending_state.client_hello(),
765 srv_settings,
766 m_next_protocol));
767
768 secure_renegotiation_check(pending_state.server_hello());
769
770 const Ciphersuite& pending_suite = pending_state.ciphersuite();
771
772 std::shared_ptr<Private_Key> private_key;
773
774 if(pending_suite.signature_used() || pending_suite.kex_method() == Kex_Algo::STATIC_RSA) {
775 const std::string algo_used = pending_suite.signature_used() ? pending_suite.sig_algo() : "RSA";
776
777 BOTAN_ASSERT(!cert_chains[algo_used].empty(), "Attempting to send empty certificate chain");
778
779 pending_state.server_certs(
780 new Certificate_12(pending_state.handshake_io(), pending_state.hash(), cert_chains[algo_used]));
781
782 if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() == false) {
783 auto* csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
784 // csr is non-null if client_hello()->supports_cert_status_message()
785 BOTAN_ASSERT_NOMSG(csr != nullptr);
786 const auto resp_bytes = callbacks().tls_provide_cert_status(cert_chains[algo_used], *csr);
787 if(!resp_bytes.empty()) {
788 pending_state.server_cert_status(
789 new Certificate_Status(pending_state.handshake_io(), pending_state.hash(), resp_bytes));
790 }
791 }
792
793 private_key = m_creds->private_key_for(pending_state.server_certs()->cert_chain()[0], "tls-server", sni_hostname);
794
795 if(!private_key) {
796 throw Internal_Error("No private key located for associated server cert");
797 }
798 }
799
800 if(pending_suite.kex_method() == Kex_Algo::STATIC_RSA) {
801 pending_state.set_server_rsa_kex_key(private_key);
802 } else {
803 pending_state.server_kex(new Server_Key_Exchange(
804 pending_state.handshake_io(), pending_state, policy(), *m_creds, rng(), private_key.get()));
805 }
806
807 auto trusted_CAs = m_creds->trusted_certificate_authorities("tls-server", sni_hostname);
808
809 std::vector<X509_DN> client_auth_CAs;
810
811 for(auto* store : trusted_CAs) {
812 auto subjects = store->all_subjects();
813 client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
814 }
815
816 const bool request_cert = (client_auth_CAs.empty() == false) || policy().request_client_certificate_authentication();
817
818 if(request_cert && pending_state.ciphersuite().signature_used()) {
819 pending_state.cert_req(
820 new Certificate_Request_12(pending_state.handshake_io(), pending_state.hash(), policy(), client_auth_CAs));
821
822 /*
823 SSLv3 allowed clients to skip the Certificate message entirely
824 if they wanted. In TLS v1.0 and later clients must send a
825 (possibly empty) Certificate message
826 */
827 pending_state.set_expected_next(Handshake_Type::Certificate);
828 } else {
829 pending_state.set_expected_next(Handshake_Type::ClientKeyExchange);
830 }
831
832 pending_state.server_hello_done(new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
833}
834} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:59
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:86
BOTAN_ASSERT_IMPLICATION
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
Definition assert.h:77
BOTAN_ASSERT
#define BOTAN_ASSERT(expr, assertion_made)
Definition assert.h:50
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition pkix_enums.h:112
Botan::TLS::Callbacks::tls_provide_cert_status
virtual std::vector< uint8_t > tls_provide_cert_status(const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr)
Definition tls_callbacks.h:226
Botan::TLS::Callbacks::tls_session_established
virtual void tls_session_established(const Session_Summary &session)
Definition tls_callbacks.h:87
Botan::TLS::Callbacks::tls_peer_network_identity
virtual std::string tls_peer_network_identity()
Definition tls_callbacks.cpp:55
Botan::TLS::Callbacks::tls_server_choose_app_protocol
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
Definition tls_callbacks.cpp:51
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition tls_callbacks.cpp:67
Botan::TLS::Callbacks::tls_should_persist_resumption_information
virtual bool tls_should_persist_resumption_information(const Session &session)
Definition tls_callbacks.cpp:71
Botan::TLS::Callbacks::tls_verify_cert_chain
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition tls_callbacks.cpp:86
Botan::TLS::Channel_Impl_12
Definition tls_channel_impl_12.h:40
Botan::TLS::Channel_Impl_12::rng
RandomNumberGenerator & rng()
Definition tls_channel_impl_12.h:184
Botan::TLS::Channel_Impl_12::activate_session
void activate_session()
Definition tls_channel_impl_12.cpp:252
Botan::TLS::Channel_Impl_12::change_cipher_spec_reader
void change_cipher_spec_reader(Connection_Side side)
Definition tls_channel_impl_12.cpp:187
Botan::TLS::Channel_Impl_12::secure_renegotiation_data_for_server_hello
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
Definition tls_channel_impl_12.cpp:593
Botan::TLS::Channel_Impl_12::callbacks
Callbacks & callbacks() const
Definition tls_channel_impl_12.h:190
Botan::TLS::Channel_Impl_12::secure_renegotiation_check
void secure_renegotiation_check(const Client_Hello_12 *client_hello)
Definition tls_channel_impl_12.cpp:546
Botan::TLS::Channel_Impl_12::session_manager
Session_Manager & session_manager()
Definition tls_channel_impl_12.h:186
Botan::TLS::Channel_Impl_12::policy
const Policy & policy() const
Definition tls_channel_impl_12.h:188
Botan::TLS::Channel_Impl_12::change_cipher_spec_writer
void change_cipher_spec_writer(Connection_Side side)
Definition tls_channel_impl_12.cpp:214
Botan::TLS::Channel_Impl_12::external_psk_identity
std::optional< std::string > external_psk_identity() const override
Definition tls_channel_impl_12.cpp:103
Botan::TLS::Channel_Impl_12::reset_active_association_state
void reset_active_association_state()
Definition tls_channel_impl_12.cpp:58
Botan::TLS::Channel_Impl_12::secure_renegotiation_supported
bool secure_renegotiation_supported() const override
Definition tls_channel_impl_12.cpp:603
Botan::TLS::Channel_Impl::send_warning_alert
void send_warning_alert(Alert::Type type)
Definition tls_channel_impl.h:70
Botan::TLS::Ciphersuite::by_id
static std::optional< Ciphersuite > by_id(uint16_t suite)
Definition tls_ciphersuite.cpp:90
Botan::TLS::Handshake_State::Handshake_State
Handshake_State(std::unique_ptr< Handshake_IO > io, Callbacks &callbacks)
Definition tls_handshake_state.cpp:95
Botan::TLS::Policy::request_client_certificate_authentication
virtual bool request_client_certificate_authentication() const
Definition tls_policy.cpp:385
Botan::TLS::Server_Impl_12::Server_Impl_12
Server_Impl_12(const std::shared_ptr< Callbacks > &callbacks, const std::shared_ptr< Session_Manager > &session_manager, const std::shared_ptr< Credentials_Manager > &creds, const std::shared_ptr< const Policy > &policy, const std::shared_ptr< RandomNumberGenerator > &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Channel::IO_BUF_DEFAULT_SIZE)
Definition tls_server_impl_12.cpp:235
Botan::TLS::Session_Manager::remove
virtual size_t remove(const Session_Handle &handle)=0
Botan::TLS::Session_Manager::establish
virtual std::optional< Session_Handle > establish(const Session &session, const std::optional< Session_ID > &id=std::nullopt, bool tls12_no_ticket=false)
Save a new Session and assign a Session_Handle (TLS Server)
Definition tls_session_manager.cpp:21
Botan::TLS::Session_Manager::emits_session_tickets
virtual bool emits_session_tickets()
Definition tls_session_manager.h:214
final
int(* final)(unsigned char *, CTX *)
Definition commoncrypto_hash.cpp:29
Botan::TLS::to_algorithm_identifiers
std::vector< AlgorithmIdentifier > to_algorithm_identifiers(const std::vector< Signature_Scheme > &schemes)
Definition tls_signature_scheme.cpp:332
Botan::TLS::make_hello_random
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, Callbacks &cb, const Policy &policy)
Definition msg_client_hello.cpp:41
Botan::TLS::Session_ID
Strong< std::vector< uint8_t >, struct Session_ID_ > Session_ID
holds a TLS 1.2 session ID for stateful resumption
Definition tls_session.h:32
Botan::SymmetricKey
OctetString SymmetricKey
Definition symkey.h:141
Botan::value_exists
bool value_exists(const std::vector< T > &vec, const OT &val)
Definition stl_util.h:118
Botan::TLS::Channel_Impl::Downgrade_Information
Definition tls_channel_impl.h:199
Generated by doxygen 1.10.0