doxygen/tls__session_8cpp_source.html

/*

* TLS Session State

* (C) 2011-2012,2015,2019 Jack Lloyd

*

* Botan is released under the Simplified BSD License (see license.txt)

*/


#include <botan/tls_session.h>

#include <botan/loadstor.h>

#include <botan/der_enc.h>

#include <botan/ber_dec.h>

#include <botan/asn1_obj.h>

#include <botan/pem.h>

#include <botan/aead.h>

#include <botan/mac.h>

#include <botan/rng.h>


namespace Botan {


namespace TLS {


Session::Session(const std::vector<uint8_t>& session_identifier,

                 const secure_vector<uint8_t>& master_secret,

                 Protocol_Version version,

                 uint16_t ciphersuite,

                 Connection_Side side,

                 bool extended_master_secret,

                 bool encrypt_then_mac,

                 const std::vector<X509_Certificate>& certs,

                 const std::vector<uint8_t>& ticket,

                 const Server_Information& server_info,

                 const std::string& srp_identifier,

                 uint16_t srtp_profile) :

   m_start_time(std::chrono::system_clock::now()),

   m_identifier(session_identifier),

   m_session_ticket(ticket),

   m_master_secret(master_secret),

   m_version(version),

   m_ciphersuite(ciphersuite),

   m_connection_side(side),

   m_srtp_profile(srtp_profile),

   m_extended_master_secret(extended_master_secret),

   m_encrypt_then_mac(encrypt_then_mac),

   m_peer_certs(certs),

   m_server_info(server_info),

   m_srp_identifier(srp_identifier)

   {

   }


Session::Session(const std::string& pem)

   {

   secure_vector<uint8_t> der = PEM_Code::decode_check_label(pem, "TLS SESSION");


   *this = Session(der.data(), der.size());

   }


Session::Session(const uint8_t ber[], size_t ber_len)

   {

   uint8_t side_code = 0;


   ASN1_String server_hostname;

   ASN1_String server_service;

   size_t server_port;


   ASN1_String srp_identifier_str;


   uint8_t major_version = 0, minor_version = 0;

   std::vector<uint8_t> peer_cert_bits;


   size_t start_time = 0;

   size_t srtp_profile = 0;

   size_t fragment_size = 0;

   size_t compression_method = 0;


   BER_Decoder(ber, ber_len)

      .start_cons(SEQUENCE)

        .decode_and_check(static_cast<size_t>(TLS_SESSION_PARAM_STRUCT_VERSION),

                          "Unknown version in serialized TLS session")

        .decode_integer_type(start_time)

        .decode_integer_type(major_version)

        .decode_integer_type(minor_version)

        .decode(m_identifier, OCTET_STRING)

        .decode(m_session_ticket, OCTET_STRING)

        .decode_integer_type(m_ciphersuite)

        .decode_integer_type(compression_method)

        .decode_integer_type(side_code)

        .decode_integer_type(fragment_size)

        .decode(m_extended_master_secret)

        .decode(m_encrypt_then_mac)

        .decode(m_master_secret, OCTET_STRING)

        .decode(peer_cert_bits, OCTET_STRING)

        .decode(server_hostname)

        .decode(server_service)

        .decode(server_port)

        .decode(srp_identifier_str)

        .decode(srtp_profile)

      .end_cons()

      .verify_end();


   /*

   * Compression is not supported and must be zero

   */

   if(compression_method != 0)

      {

      throw Decoding_Error("Serialized TLS session contains non-null compression method");

      }


   /*

   Fragment size is not supported anymore, but the field is still

   set in the session object.

   */

   if(fragment_size != 0)

      {

      throw Decoding_Error("Serialized TLS session used maximum fragment length which is "

                           " no longer supported");

      }


   m_version = Protocol_Version(major_version, minor_version);

   m_start_time = std::chrono::system_clock::from_time_t(start_time);

   m_connection_side = static_cast<Connection_Side>(side_code);

   m_srtp_profile = static_cast<uint16_t>(srtp_profile);


   m_server_info = Server_Information(server_hostname.value(),

                                      server_service.value(),

                                      static_cast<uint16_t>(server_port));


   m_srp_identifier = srp_identifier_str.value();


   if(!peer_cert_bits.empty())

      {

      DataSource_Memory certs(peer_cert_bits.data(), peer_cert_bits.size());


      while(!certs.end_of_data())

         m_peer_certs.push_back(X509_Certificate(certs));

      }

   }


secure_vector<uint8_t> Session::DER_encode() const

   {

   std::vector<uint8_t> peer_cert_bits;

   for(size_t i = 0; i != m_peer_certs.size(); ++i)

      peer_cert_bits += m_peer_certs[i].BER_encode();


   return DER_Encoder()

      .start_cons(SEQUENCE)

         .encode(static_cast<size_t>(TLS_SESSION_PARAM_STRUCT_VERSION))

         .encode(static_cast<size_t>(std::chrono::system_clock::to_time_t(m_start_time)))

         .encode(static_cast<size_t>(m_version.major_version()))

         .encode(static_cast<size_t>(m_version.minor_version()))

         .encode(m_identifier, OCTET_STRING)

         .encode(m_session_ticket, OCTET_STRING)

         .encode(static_cast<size_t>(m_ciphersuite))

         .encode(static_cast<size_t>(/*old compression method*/0))

         .encode(static_cast<size_t>(m_connection_side))

         .encode(static_cast<size_t>(/*old fragment size*/0))

         .encode(m_extended_master_secret)

         .encode(m_encrypt_then_mac)

         .encode(m_master_secret, OCTET_STRING)

         .encode(peer_cert_bits, OCTET_STRING)

         .encode(ASN1_String(m_server_info.hostname(), UTF8_STRING))

         .encode(ASN1_String(m_server_info.service(), UTF8_STRING))

         .encode(static_cast<size_t>(m_server_info.port()))

         .encode(ASN1_String(m_srp_identifier, UTF8_STRING))

         .encode(static_cast<size_t>(m_srtp_profile))

      .end_cons()

   .get_contents();

   }


std::string Session::PEM_encode() const

   {

   return PEM_Code::encode(this->DER_encode(), "TLS SESSION");

   }


std::chrono::seconds Session::session_age() const

   {

   return std::chrono::duration_cast<std::chrono::seconds>(

      std::chrono::system_clock::now() - m_start_time);

   }


namespace {


// The output length of the HMAC must be a valid keylength for the AEAD

const char* TLS_SESSION_CRYPT_HMAC = "HMAC(SHA-512-256)";

// SIV would be better, but we can't assume it is available

const char* TLS_SESSION_CRYPT_AEAD = "AES-256/GCM";

const char* TLS_SESSION_CRYPT_KEY_NAME = "BOTAN TLS SESSION KEY NAME";

const uint64_t TLS_SESSION_CRYPT_MAGIC = 0x068B5A9D396C0000;

const size_t TLS_SESSION_CRYPT_MAGIC_LEN = 8;

const size_t TLS_SESSION_CRYPT_KEY_NAME_LEN = 4;

const size_t TLS_SESSION_CRYPT_AEAD_NONCE_LEN = 12;

const size_t TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN = 16;

const size_t TLS_SESSION_CRYPT_AEAD_TAG_SIZE = 16;


const size_t TLS_SESSION_CRYPT_HDR_LEN =

   TLS_SESSION_CRYPT_MAGIC_LEN +

   TLS_SESSION_CRYPT_KEY_NAME_LEN +

   TLS_SESSION_CRYPT_AEAD_NONCE_LEN +

   TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN;


const size_t TLS_SESSION_CRYPT_OVERHEAD =

   TLS_SESSION_CRYPT_HDR_LEN + TLS_SESSION_CRYPT_AEAD_TAG_SIZE;


}


std::vector<uint8_t>

Session::encrypt(const SymmetricKey& key, RandomNumberGenerator& rng) const

   {

   auto hmac = MessageAuthenticationCode::create_or_throw(TLS_SESSION_CRYPT_HMAC);

   hmac->set_key(key);


   // First derive the "key name"

   std::vector<uint8_t> key_name(hmac->output_length());

   hmac->update(TLS_SESSION_CRYPT_KEY_NAME);

   hmac->final(key_name.data());

   key_name.resize(TLS_SESSION_CRYPT_KEY_NAME_LEN);


   std::vector<uint8_t> aead_nonce;

   std::vector<uint8_t> key_seed;


   rng.random_vec(aead_nonce, TLS_SESSION_CRYPT_AEAD_NONCE_LEN);

   rng.random_vec(key_seed, TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN);


   hmac->update(key_seed);

   const secure_vector<uint8_t> aead_key = hmac->final();


   secure_vector<uint8_t> bits = this->DER_encode();


   // create the header

   std::vector<uint8_t> buf;

   buf.reserve(TLS_SESSION_CRYPT_OVERHEAD + bits.size());

   buf.resize(TLS_SESSION_CRYPT_MAGIC_LEN);

   store_be(TLS_SESSION_CRYPT_MAGIC, &buf[0]);

   buf += key_name;

   buf += key_seed;

   buf += aead_nonce;


   std::unique_ptr<AEAD_Mode> aead = AEAD_Mode::create_or_throw(TLS_SESSION_CRYPT_AEAD, ENCRYPTION);

   BOTAN_ASSERT_NOMSG(aead->valid_nonce_length(TLS_SESSION_CRYPT_AEAD_NONCE_LEN));

   BOTAN_ASSERT_NOMSG(aead->tag_size() == TLS_SESSION_CRYPT_AEAD_TAG_SIZE);

   aead->set_key(aead_key);

   aead->set_associated_data_vec(buf);

   aead->start(aead_nonce);

   aead->finish(bits, 0);


   // append the ciphertext

   buf += bits;

   return buf;

   }


Session Session::decrypt(const uint8_t in[], size_t in_len, const SymmetricKey& key)

   {

   try

      {

      const size_t min_session_size = 48 + 4; // serious under-estimate

      if(in_len < TLS_SESSION_CRYPT_OVERHEAD + min_session_size)

         throw Decoding_Error("Encrypted session too short to be valid");


      const uint8_t* magic = &in[0];

      const uint8_t* key_name = magic + TLS_SESSION_CRYPT_MAGIC_LEN;

      const uint8_t* key_seed = key_name + TLS_SESSION_CRYPT_KEY_NAME_LEN;

      const uint8_t* aead_nonce = key_seed + TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN;

      const uint8_t* ctext = aead_nonce + TLS_SESSION_CRYPT_AEAD_NONCE_LEN;

      const size_t ctext_len = in_len - TLS_SESSION_CRYPT_HDR_LEN; // includes the tag


      if(load_be<uint64_t>(magic, 0) != TLS_SESSION_CRYPT_MAGIC)

         throw Decoding_Error("Missing expected magic numbers");


      auto hmac = MessageAuthenticationCode::create_or_throw(TLS_SESSION_CRYPT_HMAC);

      hmac->set_key(key);


      // First derive and check the "key name"

      std::vector<uint8_t> cmp_key_name(hmac->output_length());

      hmac->update(TLS_SESSION_CRYPT_KEY_NAME);

      hmac->final(cmp_key_name.data());


      if(same_mem(cmp_key_name.data(), key_name, TLS_SESSION_CRYPT_KEY_NAME_LEN) == false)

         throw Decoding_Error("Wrong key name for encrypted session");


      hmac->update(key_seed, TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN);

      const secure_vector<uint8_t> aead_key = hmac->final();


      auto aead = AEAD_Mode::create_or_throw(TLS_SESSION_CRYPT_AEAD, DECRYPTION);

      aead->set_key(aead_key);

      aead->set_associated_data(in, TLS_SESSION_CRYPT_HDR_LEN);

      aead->start(aead_nonce, TLS_SESSION_CRYPT_AEAD_NONCE_LEN);

      secure_vector<uint8_t> buf(ctext, ctext + ctext_len);

      aead->finish(buf, 0);

      return Session(buf.data(), buf.size());

      }

   catch(std::exception& e)

      {

      throw Decoding_Error("Failed to decrypt serialized TLS session: " +

                           std::string(e.what()));

      }

   }


}


}

BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition: assert.h:68

Botan::AEAD_Mode::create_or_throw
static std::unique_ptr< AEAD_Mode > create_or_throw(const std::string &algo, Cipher_Dir direction, const std::string &provider="")
Definition: aead.cpp:50

Botan::ASN1_String
Definition: asn1_obj.h:393

Botan::ASN1_String::value
const std::string & value() const
Definition: asn1_obj.h:400

Botan::BER_Decoder
Definition: ber_dec.h:22

Botan::BER_Decoder::start_cons
BER_Decoder start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: ber_dec.cpp:290

Botan::BER_Decoder::decode
BER_Decoder & decode(bool &out)
Definition: ber_dec.h:170

Botan::BER_Decoder::decode_and_check
BER_Decoder & decode_and_check(const T &expected, const std::string &error_msg)
Definition: ber_dec.h:277

Botan::BER_Decoder::verify_end
BER_Decoder & verify_end()
Definition: ber_dec.cpp:208

Botan::BER_Decoder::end_cons
BER_Decoder & end_cons()
Definition: ber_dec.cpp:300

Botan::BER_Decoder::decode_integer_type
BER_Decoder & decode_integer_type(T &out)
Definition: ber_dec.h:242

Botan::DER_Encoder
Definition: der_enc.h:23

Botan::DER_Encoder::get_contents
secure_vector< uint8_t > get_contents()
Definition: der_enc.cpp:152

Botan::DER_Encoder::start_cons
DER_Encoder & start_cons(ASN1_Tag type_tag, ASN1_Tag class_tag=UNIVERSAL)
Definition: der_enc.cpp:181

Botan::DER_Encoder::end_cons
DER_Encoder & end_cons()
Definition: der_enc.cpp:191

Botan::DER_Encoder::encode
DER_Encoder & encode(bool b)
Definition: der_enc.cpp:285

Botan::DataSource_Memory
Definition: data_src.h:99

Botan::DataSource_Memory::end_of_data
bool end_of_data() const override
Definition: data_src.cpp:90

Botan::Decoding_Error
Definition: exceptn.h:200

Botan::MessageAuthenticationCode::create_or_throw
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(const std::string &algo_spec, const std::string &provider="")
Definition: mac.cpp:141

Botan::OctetString
Definition: symkey.h:20

Botan::RandomNumberGenerator
Definition: rng.h:26

Botan::RandomNumberGenerator::random_vec
secure_vector< uint8_t > random_vec(size_t bytes)
Definition: rng.h:143

Botan::TLS::Protocol_Version
Definition: tls_version.h:22

Botan::TLS::Protocol_Version::major_version
uint8_t major_version() const
Definition: tls_version.h:79

Botan::TLS::Protocol_Version::minor_version
uint8_t minor_version() const
Definition: tls_version.h:84

Botan::TLS::Server_Information
Definition: tls_server_info.h:22

Botan::TLS::Server_Information::port
uint16_t port() const
Definition: tls_server_info.h:64

Botan::TLS::Server_Information::service
std::string service() const
Definition: tls_server_info.h:59

Botan::TLS::Server_Information::hostname
std::string hostname() const
Definition: tls_server_info.h:53

Botan::TLS::Session
Definition: tls_session.h:28

Botan::TLS::Session::DER_encode
secure_vector< uint8_t > DER_encode() const
Definition: tls_session.cpp:138

Botan::TLS::Session::encrypt
std::vector< uint8_t > encrypt(const SymmetricKey &key, RandomNumberGenerator &rng) const
Definition: tls_session.cpp:206

Botan::TLS::Session::PEM_encode
std::string PEM_encode() const
Definition: tls_session.cpp:169

Botan::TLS::Session::start_time
std::chrono::system_clock::time_point start_time() const
Definition: tls_session.h:168

Botan::TLS::Session::session_age
std::chrono::seconds session_age() const
Definition: tls_session.cpp:174

Botan::TLS::Session::Session
Session()
Definition: tls_session.h:34

Botan::TLS::Session::decrypt
static Session decrypt(const uint8_t ctext[], size_t ctext_size, const SymmetricKey &key)
Definition: tls_session.cpp:250

Botan::X509_Certificate
Definition: x509cert.h:38

Botan::PEM_Code::encode
std::string encode(const uint8_t der[], size_t length, const std::string &label, size_t width)
Definition: pem.cpp:43

Botan::PEM_Code::decode_check_label
secure_vector< uint8_t > decode_check_label(DataSource &source, const std::string &label_want)
Definition: pem.cpp:54

Botan::PKCS8::BER_encode
secure_vector< uint8_t > BER_encode(const Private_Key &key)
Definition: pkcs8.cpp:139

Botan::TLS::Connection_Side
Connection_Side
Definition: tls_magic.h:32

Botan
Definition: alg_id.cpp:13

Botan::store_be
void store_be(uint16_t in, uint8_t out[2])
Definition: loadstor.h:438

Botan::DECRYPTION
@ DECRYPTION
Definition: cipher_mode.h:23

Botan::ENCRYPTION
@ ENCRYPTION
Definition: cipher_mode.h:23

Botan::load_be< uint64_t >
uint64_t load_be< uint64_t >(const uint8_t in[], size_t off)
Definition: loadstor.h:217

Botan::same_mem
bool same_mem(const T *p1, const T *p2, size_t n)
Definition: mem_ops.h:217

Botan::UTF8_STRING
@ UTF8_STRING
Definition: asn1_obj.h:45

Botan::SEQUENCE
@ SEQUENCE
Definition: asn1_obj.h:42

Botan::OCTET_STRING
@ OCTET_STRING
Definition: asn1_obj.h:38

Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition: secmem.h:65

std
Definition: bigint.h:1143