Botan  2.1.0
Crypto and TLS for C++11
tls_server.cpp
Go to the documentation of this file.
1 /*
2 * TLS Server
3 * (C) 2004-2011,2012,2016 Jack Lloyd
4 * 2016 Matthias Gierlings
5 *
6 * Botan is released under the Simplified BSD License (see license.txt)
7 */
8 
9 #include <botan/tls_server.h>
10 #include <botan/tls_messages.h>
11 #include <botan/internal/tls_handshake_state.h>
12 #include <botan/internal/stl_util.h>
13 #include <botan/tls_magic.h>
14 
15 namespace Botan {
16 
17 namespace TLS {
18 
19 class Server_Handshake_State : public Handshake_State
20  {
21  public:
22  Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
23  : Handshake_State(io, cb) {}
24 
25  Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key; }
26  void set_server_rsa_kex_key(Private_Key* key)
27  { m_server_rsa_kex_key = key; }
28 
29  bool allow_session_resumption() const
30  { return m_allow_session_resumption; }
31  void set_allow_session_resumption(bool allow_session_resumption)
32  { m_allow_session_resumption = allow_session_resumption; }
33 
34 
35  private:
36  // Used by the server only, in case of RSA key exchange. Not owned
37  Private_Key* m_server_rsa_kex_key = nullptr;
38 
39  /*
40  * Used by the server to know if resumption should be allowed on
41  * a server-initiated renegotiation
42  */
43  bool m_allow_session_resumption = true;
44  };
45 
46 namespace {
47 
48 bool check_for_resume(Session& session_info,
49  Session_Manager& session_manager,
50  Credentials_Manager& credentials,
51  const Client_Hello* client_hello,
52  std::chrono::seconds session_ticket_lifetime)
53  {
54  const std::vector<uint8_t>& client_session_id = client_hello->session_id();
55  const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
56 
57  if(session_ticket.empty())
58  {
59  if(client_session_id.empty()) // not resuming
60  return false;
61 
62  // not found
63  if(!session_manager.load_from_session_id(client_session_id, session_info))
64  return false;
65  }
66  else
67  {
68  // If a session ticket was sent, ignore client session ID
69  try
70  {
71  session_info = Session::decrypt(
72  session_ticket,
73  credentials.psk("tls-server", "session-ticket", ""));
74 
75  if(session_ticket_lifetime != std::chrono::seconds(0) &&
76  session_info.session_age() > session_ticket_lifetime)
77  return false; // ticket has expired
78  }
79  catch(...)
80  {
81  return false;
82  }
83  }
84 
85  // wrong version
86  if(client_hello->version() != session_info.version())
87  return false;
88 
89  // client didn't send original ciphersuite
90  if(!value_exists(client_hello->ciphersuites(),
91  session_info.ciphersuite_code()))
92  return false;
93 
94  // client didn't send original compression method
95  if(!value_exists(client_hello->compression_methods(),
96  session_info.compression_method()))
97  return false;
98 
99 #if defined(BOTAN_HAS_SRP6)
100  // client sent a different SRP identity
101  if(client_hello->srp_identifier() != "")
102  {
103  if(client_hello->srp_identifier() != session_info.srp_identifier())
104  return false;
105  }
106 #endif
107 
108  // client sent a different SNI hostname
109  if(client_hello->sni_hostname() != "")
110  {
111  if(client_hello->sni_hostname() != session_info.server_info().hostname())
112  return false;
113  }
114 
115  // Checking extended_master_secret on resume (RFC 7627 section 5.3)
116  if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
117  {
118  if(!session_info.supports_extended_master_secret())
119  {
120  return false; // force new handshake with extended master secret
121  }
122  else
123  {
124  /*
125  Client previously negotiated session with extended master secret,
126  but has now attempted to resume without the extension: abort
127  */
128  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
129  "Client resumed extended ms session without sending extension");
130  }
131  }
132 
133  // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
134  if( !client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
135  {
136 
137  /*
138  Client previously negotiated session with Encrypt-then-MAC,
139  but has now attempted to resume without the extension: abort
140  */
141  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
142  "Client resumed Encrypt-then-MAC session without sending extension");
143 
144  }
145 
146  return true;
147  }
148 
149 /*
150 * Choose which ciphersuite to use
151 */
152 uint16_t choose_ciphersuite(
153  const Policy& policy,
154  Protocol_Version version,
155  Credentials_Manager& creds,
156  const std::map<std::string, std::vector<X509_Certificate> >& cert_chains,
157  const Client_Hello& client_hello)
158  {
159  const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
160  const bool have_srp = creds.attempt_srp("tls-server", client_hello.sni_hostname());
161  const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
162  const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
163 
164  if(server_suites.empty())
165  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
166  "Policy forbids us from negotiating any ciphersuite");
167 
168  const bool have_shared_ecc_curve =
169  (policy.choose_curve(client_hello.supported_ecc_curves()) != "");
170 
171  /*
172  Walk down one list in preference order
173  */
174 
175  std::vector<uint16_t> pref_list = server_suites;
176  std::vector<uint16_t> other_list = client_suites;
177 
178  if(!our_choice)
179  std::swap(pref_list, other_list);
180 
181  const std::set<std::string> client_sig_algos = client_hello.supported_sig_algos();
182 
183  for(auto suite_id : pref_list)
184  {
185  if(!value_exists(other_list, suite_id))
186  continue;
187 
188  const Ciphersuite suite = Ciphersuite::by_id(suite_id);
189 
190  if(suite.valid() == false)
191  continue;
192 
193  if(suite.ecc_ciphersuite() && have_shared_ecc_curve == false)
194  continue;
195 
196  // For non-anon ciphersuites
197  if(suite.sig_algo() != "")
198  {
199  // Do we have any certificates for this sig?
200  if(cert_chains.count(suite.sig_algo()) == 0)
201  continue;
202 
203  // Client reques
204  if(!client_sig_algos.empty() && client_sig_algos.count(suite.sig_algo()) == 0)
205  continue;
206  }
207 
208 #if defined(BOTAN_HAS_SRP6)
209  /*
210  The client may offer SRP cipher suites in the hello message but
211  omit the SRP extension. If the server would like to select an
212  SRP cipher suite in this case, the server SHOULD return a fatal
213  "unknown_psk_identity" alert immediately after processing the
214  client hello message.
215  - RFC 5054 section 2.5.1.2
216  */
217  if(suite.kex_algo() == "SRP_SHA" && client_hello.srp_identifier() == "")
218  throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
219  "Client wanted SRP but did not send username");
220 #endif
221 
222  return suite_id;
223  }
224 
225  throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
226  "Can't agree on a ciphersuite with client");
227  }
228 
229 
230 /*
231 * Choose which compression algorithm to use
232 */
233 uint8_t choose_compression(const Policy& policy,
234  const std::vector<uint8_t>& c_comp)
235  {
236  std::vector<uint8_t> s_comp = policy.compression();
237 
238  for(size_t i = 0; i != s_comp.size(); ++i)
239  for(size_t j = 0; j != c_comp.size(); ++j)
240  if(s_comp[i] == c_comp[j])
241  return s_comp[i];
242 
243  return NO_COMPRESSION;
244  }
245 
246 std::map<std::string, std::vector<X509_Certificate> >
247 get_server_certs(const std::string& hostname,
248  Credentials_Manager& creds)
249  {
250  const char* cert_types[] = { "RSA", "DSA", "ECDSA", nullptr };
251 
252  std::map<std::string, std::vector<X509_Certificate> > cert_chains;
253 
254  for(size_t i = 0; cert_types[i]; ++i)
255  {
256  std::vector<X509_Certificate> certs =
257  creds.cert_chain_single_type(cert_types[i], "tls-server", hostname);
258 
259  if(!certs.empty())
260  cert_chains[cert_types[i]] = certs;
261  }
262 
263  return cert_chains;
264  }
265 
266 }
267 
268 /*
269 * TLS Server Constructor
270 */
272  Session_Manager& session_manager,
273  Credentials_Manager& creds,
274  const Policy& policy,
276  bool is_datagram,
277  size_t io_buf_sz) :
278  Channel(callbacks, session_manager, rng, policy,
279  is_datagram, io_buf_sz),
280  m_creds(creds)
281  {
282  }
283 
288  Session_Manager& session_manager,
289  Credentials_Manager& creds,
290  const Policy& policy,
292  next_protocol_fn next_proto,
293  bool is_datagram,
294  size_t io_buf_sz) :
295  Channel(output, data_cb, alert_cb, handshake_cb,
296  Channel::handshake_msg_cb(), session_manager,
297  rng, policy, is_datagram, io_buf_sz),
298  m_creds(creds),
299  m_choose_next_protocol(next_proto)
300  {
301  }
302 
303 
308  handshake_msg_cb hs_msg_cb,
309  Session_Manager& session_manager,
310  Credentials_Manager& creds,
311  const Policy& policy,
313  next_protocol_fn next_proto,
314  bool is_datagram) :
315  Channel(output, data_cb, alert_cb, handshake_cb, hs_msg_cb,
316  session_manager, rng, policy, is_datagram),
317  m_creds(creds),
318  m_choose_next_protocol(next_proto)
319  {
320  }
321 
322 Handshake_State* Server::new_handshake_state(Handshake_IO* io)
323  {
324  std::unique_ptr<Handshake_State> state(new Server_Handshake_State(io, callbacks()));
325 
326  state->set_expected_next(CLIENT_HELLO);
327  return state.release();
328  }
329 
330 std::vector<X509_Certificate>
331 Server::get_peer_cert_chain(const Handshake_State& state) const
332  {
333  if(state.client_certs())
334  return state.client_certs()->cert_chain();
335  return std::vector<X509_Certificate>();
336  }
337 
338 /*
339 * Send a hello request to the client
340 */
341 void Server::initiate_handshake(Handshake_State& state,
342  bool force_full_renegotiation)
343  {
344  dynamic_cast<Server_Handshake_State&>(state).
345  set_allow_session_resumption(!force_full_renegotiation);
346 
347  Hello_Request hello_req(state.handshake_io());
348  }
349 
350 /*
351 * Process a CLIENT HELLO Message
352 */
353 void Server::process_client_hello_msg(const Handshake_State* active_state,
354  Server_Handshake_State& pending_state,
355  const std::vector<uint8_t>& contents)
356 {
357  const bool initial_handshake = !active_state;
358 
359  if(!policy().allow_insecure_renegotiation() &&
360  !(initial_handshake || secure_renegotiation_supported()))
361  {
363  return;
364  }
365 
366  pending_state.client_hello(new Client_Hello(contents));
367  const Protocol_Version client_version = pending_state.client_hello()->version();
368 
369  Protocol_Version negotiated_version;
370 
371  const Protocol_Version latest_supported =
372  policy().latest_supported_version(client_version.is_datagram_protocol());
373 
374  if((initial_handshake && client_version.known_version()) ||
375  (!initial_handshake && client_version == active_state->version()))
376  {
377  /*
378  Common cases: new client hello with some known version, or a
379  renegotiation using the same version as previously
380  negotiated.
381  */
382 
383  negotiated_version = client_version;
384  }
385  else if(!initial_handshake && (client_version != active_state->version()))
386  {
387  /*
388  * If this is a renegotiation, and the client has offered a
389  * later version than what it initially negotiated, negotiate
390  * the old version. This matches OpenSSL's behavior. If the
391  * client is offering a version earlier than what it initially
392  * negotiated, reject as a probable attack.
393  */
394  if(active_state->version() > client_version)
395  {
396  throw TLS_Exception(Alert::PROTOCOL_VERSION,
397  "Client negotiated " +
398  active_state->version().to_string() +
399  " then renegotiated with " +
400  client_version.to_string());
401  }
402  else
403  negotiated_version = active_state->version();
404  }
405  else
406  {
407  /*
408  New negotiation using a version we don't know. Offer them the
409  best we currently know and support
410  */
411  negotiated_version = latest_supported;
412  }
413 
414  if(!policy().acceptable_protocol_version(negotiated_version))
415  {
416  throw TLS_Exception(Alert::PROTOCOL_VERSION,
417  "Client version " + negotiated_version.to_string() +
418  " is unacceptable by policy");
419  }
420 
421  if(pending_state.client_hello()->sent_fallback_scsv())
422  {
423  if(latest_supported > client_version)
424  throw TLS_Exception(Alert::INAPPROPRIATE_FALLBACK,
425  "Client signalled fallback SCSV, possible attack");
426  }
427 
428  secure_renegotiation_check(pending_state.client_hello());
429 
430  pending_state.set_version(negotiated_version);
431 
432  Session session_info;
433  const bool resuming =
434  pending_state.allow_session_resumption() &&
435  check_for_resume(session_info,
436  session_manager(),
437  m_creds,
438  pending_state.client_hello(),
439  std::chrono::seconds(policy().session_ticket_lifetime()));
440 
441  bool have_session_ticket_key = false;
442 
443  try
444  {
445  have_session_ticket_key =
446  m_creds.psk("tls-server", "session-ticket", "").length() > 0;
447  }
448  catch(...) {}
449 
450  m_next_protocol = "";
451  if(pending_state.client_hello()->supports_alpn())
452  {
453  m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
454 
455  // if the callback return was empty, fall back to the (deprecated) std::function
456  if(m_next_protocol.empty() && m_choose_next_protocol)
457  {
458  m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
459  }
460  }
461 
462  if(resuming)
463  {
464  this->session_resume(pending_state, have_session_ticket_key, session_info);
465  }
466  else // new session
467  {
468  this->session_create(pending_state, have_session_ticket_key);
469  }
470 }
471 
472 void Server::process_certificate_msg(Server_Handshake_State& pending_state,
473  const std::vector<uint8_t>& contents)
474 {
475  pending_state.client_certs(new Certificate(contents, policy()));
476  pending_state.set_expected_next(CLIENT_KEX);
477 }
478 
479 void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
480  const std::vector<uint8_t>& contents)
481 {
482  if(pending_state.received_handshake_msg(CERTIFICATE) && !pending_state.client_certs()->empty())
483  pending_state.set_expected_next(CERTIFICATE_VERIFY);
484  else
485  pending_state.set_expected_next(HANDSHAKE_CCS);
486 
487  pending_state.client_kex(
488  new Client_Key_Exchange(contents, pending_state,
489  pending_state.server_rsa_kex_key(),
490  m_creds, policy(), rng())
491  );
492 
493  pending_state.compute_session_keys();
494 }
495 
496 void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
497 {
498  pending_state.set_expected_next(FINISHED);
500 }
501 
502 void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
504  const std::vector<uint8_t>& contents)
505 {
506  pending_state.client_verify ( new Certificate_Verify ( contents, pending_state.version() ) );
507 
508  const std::vector<X509_Certificate>& client_certs =
509  pending_state.client_certs()->cert_chain();
510 
511  const bool sig_valid =
512  pending_state.client_verify()->verify ( client_certs[0], pending_state, policy() );
513 
514  pending_state.hash().update ( pending_state.handshake_io().format ( contents, type ) );
515 
516  /*
517  * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
518  * "A handshake cryptographic operation failed, including being
519  * unable to correctly verify a signature, ..."
520  */
521  if ( !sig_valid )
522  throw TLS_Exception ( Alert::DECRYPT_ERROR, "Client cert verify failed" );
523 
524  try
525  {
526  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
527  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
528 
529  callbacks().tls_verify_cert_chain(client_certs,
530  {}, // ocsp
531  trusted_CAs,
533  sni_hostname,
534  policy());
535  }
536  catch ( std::exception& e )
537  {
538  throw TLS_Exception ( Alert::BAD_CERTIFICATE, e.what() );
539  }
540 
541  pending_state.set_expected_next ( HANDSHAKE_CCS );
542 }
543 
544 void Server::process_finished_msg(Server_Handshake_State& pending_state,
545  Handshake_Type type,
546  const std::vector<uint8_t>& contents)
547 {
548  pending_state.set_expected_next ( HANDSHAKE_NONE );
549 
550  pending_state.client_finished ( new Finished ( contents ) );
551 
552  if ( !pending_state.client_finished()->verify ( pending_state, CLIENT ) )
553  throw TLS_Exception ( Alert::DECRYPT_ERROR,
554  "Finished message didn't verify" );
555 
556  if ( !pending_state.server_finished() )
557  {
558  // already sent finished if resuming, so this is a new session
559 
560  pending_state.hash().update ( pending_state.handshake_io().format ( contents, type ) );
561 
562  Session session_info(
563  pending_state.server_hello()->session_id(),
564  pending_state.session_keys().master_secret(),
565  pending_state.server_hello()->version(),
566  pending_state.server_hello()->ciphersuite(),
567  pending_state.server_hello()->compression_method(),
568  SERVER,
569  pending_state.server_hello()->supports_extended_master_secret(),
570  pending_state.server_hello()->supports_encrypt_then_mac(),
571  get_peer_cert_chain ( pending_state ),
572  std::vector<uint8_t>(),
573  Server_Information(pending_state.client_hello()->sni_hostname()),
574  pending_state.srp_identifier(),
575  pending_state.server_hello()->srtp_profile()
576  );
577 
578  if ( save_session ( session_info ) )
579  {
580  if ( pending_state.server_hello()->supports_session_ticket() )
581  {
582  try
583  {
584  const SymmetricKey ticket_key = m_creds.psk ( "tls-server", "session-ticket", "" );
585 
586  pending_state.new_session_ticket (
587  new New_Session_Ticket ( pending_state.handshake_io(),
588  pending_state.hash(),
589  session_info.encrypt ( ticket_key, rng() ),
591  );
592  }
593  catch ( ... ) {}
594  }
595  else
596  session_manager().save ( session_info );
597  }
598 
599  if ( !pending_state.new_session_ticket() &&
600  pending_state.server_hello()->supports_session_ticket() )
601  {
602  pending_state.new_session_ticket (
603  new New_Session_Ticket ( pending_state.handshake_io(), pending_state.hash() )
604  );
605  }
606 
607  pending_state.handshake_io().send ( Change_Cipher_Spec() );
608 
610 
611  pending_state.server_finished ( new Finished ( pending_state.handshake_io(), pending_state, SERVER ) );
612  }
613 
615 
616 }
617 
618 /*
619 * Process a handshake message
620 */
621 void Server::process_handshake_msg(const Handshake_State* active_state,
622  Handshake_State& state_base,
623  Handshake_Type type,
624  const std::vector<uint8_t>& contents)
625  {
626  Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
627  state.confirm_transition_to(type);
628 
629  /*
630  * The change cipher spec message isn't technically a handshake
631  * message so it's not included in the hash. The finished and
632  * certificate verify messages are verified based on the current
633  * state of the hash *before* this message so we delay adding them
634  * to the hash computation until we've processed them below.
635  */
636  if(type != HANDSHAKE_CCS && type != FINISHED && type != CERTIFICATE_VERIFY)
637  {
638  state.hash().update(state.handshake_io().format(contents, type));
639  }
640 
641  switch(type)
642  {
643  case CLIENT_HELLO:
644  return this->process_client_hello_msg(active_state, state, contents);
645 
646  case CERTIFICATE:
647  return this->process_certificate_msg(state, contents);
648 
649  case CLIENT_KEX:
650  return this->process_client_key_exchange_msg(state, contents);
651 
652  case CERTIFICATE_VERIFY:
653  return this->process_certificate_verify_msg(state, type, contents);
654 
655  case HANDSHAKE_CCS:
656  return this->process_change_cipher_spec_msg(state);
657 
658  case FINISHED:
659  return this->process_finished_msg(state, type, contents);
660 
661  default:
662  throw Unexpected_Message("Unknown handshake message received");
663  }
664  }
665 
666 void Server::session_resume(Server_Handshake_State& pending_state,
667  bool have_session_ticket_key,
668  Session& session_info)
669  {
670  // Only offer a resuming client a new ticket if they didn't send one this time,
671  // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
672 
673  const bool offer_new_session_ticket =
674  (pending_state.client_hello()->supports_session_ticket() &&
675  pending_state.client_hello()->session_ticket().empty() &&
676  have_session_ticket_key);
677 
678  pending_state.server_hello(new Server_Hello(
679  pending_state.handshake_io(),
680  pending_state.hash(),
681  policy(),
682  rng(),
684  *pending_state.client_hello(),
685  session_info,
686  offer_new_session_ticket,
687  m_next_protocol
688  ));
689 
690  secure_renegotiation_check(pending_state.server_hello());
691 
692  pending_state.compute_session_keys(session_info.master_secret());
693 
694  if(!save_session(session_info))
695  {
696  session_manager().remove_entry(session_info.session_id());
697 
698  if(pending_state.server_hello()->supports_session_ticket()) // send an empty ticket
699  {
700  pending_state.new_session_ticket(
701  new New_Session_Ticket(pending_state.handshake_io(),
702  pending_state.hash())
703  );
704  }
705  }
706 
707  if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
708  {
709  try
710  {
711  const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
712 
713  pending_state.new_session_ticket(
714  new New_Session_Ticket(pending_state.handshake_io(),
715  pending_state.hash(),
716  session_info.encrypt(ticket_key, rng()),
718  );
719  }
720  catch(...) {}
721 
722  if(!pending_state.new_session_ticket())
723  {
724  pending_state.new_session_ticket(
725  new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash())
726  );
727  }
728  }
729 
730  pending_state.handshake_io().send(Change_Cipher_Spec());
731 
733 
734  pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
735  pending_state.set_expected_next(HANDSHAKE_CCS);
736  }
737 
738 void Server::session_create(Server_Handshake_State& pending_state,
739  bool have_session_ticket_key)
740  {
741  std::map<std::string, std::vector<X509_Certificate> > cert_chains;
742 
743  const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
744 
745  cert_chains = get_server_certs(sni_hostname, m_creds);
746 
747  if(sni_hostname != "" && cert_chains.empty())
748  {
749  cert_chains = get_server_certs("", m_creds);
750 
751  /*
752  * Only send the unrecognized_name alert if we couldn't
753  * find any certs for the requested name but did find at
754  * least one cert to use in general. That avoids sending an
755  * unrecognized_name when a server is configured for purely
756  * anonymous operation.
757  */
758  if(!cert_chains.empty())
760  }
761 
762  Server_Hello::Settings srv_settings(
763  make_hello_random(rng(), policy()), // new session ID
764  pending_state.version(),
765  choose_ciphersuite(policy(),
766  pending_state.version(),
767  m_creds,
768  cert_chains,
769  *pending_state.client_hello()),
770  choose_compression(policy(),
771  pending_state.client_hello()->compression_methods()),
772  have_session_ticket_key);
773 
774  pending_state.server_hello(new Server_Hello(
775  pending_state.handshake_io(),
776  pending_state.hash(),
777  policy(),
778  rng(),
780  *pending_state.client_hello(),
781  srv_settings,
782  m_next_protocol)
783  );
784 
785  secure_renegotiation_check(pending_state.server_hello());
786 
787  const std::string sig_algo = pending_state.ciphersuite().sig_algo();
788  const std::string kex_algo = pending_state.ciphersuite().kex_algo();
789 
790  if(sig_algo != "")
791  {
792  BOTAN_ASSERT(!cert_chains[sig_algo].empty(),
793  "Attempting to send empty certificate chain");
794 
795  pending_state.server_certs(new Certificate(pending_state.handshake_io(),
796  pending_state.hash(),
797  cert_chains[sig_algo]));
798  }
799 
800  Private_Key* private_key = nullptr;
801 
802  if(kex_algo == "RSA" || sig_algo != "")
803  {
804  private_key = m_creds.private_key_for(
805  pending_state.server_certs()->cert_chain()[0],
806  "tls-server",
807  sni_hostname);
808 
809  if(!private_key)
810  throw Internal_Error("No private key located for associated server cert");
811  }
812 
813  if(kex_algo == "RSA")
814  {
815  pending_state.set_server_rsa_kex_key(private_key);
816  }
817  else
818  {
819  pending_state.server_kex(new Server_Key_Exchange(pending_state.handshake_io(),
820  pending_state, policy(),
821  m_creds, rng(), private_key));
822  }
823 
824  auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
825 
826  std::vector<X509_DN> client_auth_CAs;
827 
828  for(auto store : trusted_CAs)
829  {
830  auto subjects = store->all_subjects();
831  client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
832  }
833 
834  if(!client_auth_CAs.empty() && pending_state.ciphersuite().sig_algo() != "")
835  {
836  pending_state.cert_req(
837  new Certificate_Req(pending_state.handshake_io(),
838  pending_state.hash(),
839  policy(),
840  client_auth_CAs,
841  pending_state.version()));
842 
843  /*
844  SSLv3 allowed clients to skip the Certificate message entirely
845  if they wanted. In TLS v1.0 and later clients must send a
846  (possibly empty) Certificate message
847  */
848  pending_state.set_expected_next(CERTIFICATE);
849  }
850  else
851  {
852  pending_state.set_expected_next(CLIENT_KEX);
853  }
854 
855  pending_state.server_hello_done(new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
856  }
857 }
858 
859 }
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
Callbacks & callbacks() const
Definition: tls_channel.h:241
static Session decrypt(const uint8_t ctext[], size_t ctext_size, const SymmetricKey &key)
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Definition: tls_channel.h:41
void change_cipher_spec_reader(Connection_Side side)
bool save_session(const Session &session) const
Definition: tls_channel.h:239
void change_cipher_spec_writer(Connection_Side side)
void send_warning_alert(Alert::Type type)
Definition: tls_channel.h:140
std::function< void(const uint8_t[], size_t)> output_fn
Definition: tls_channel.h:39
RandomNumberGenerator & rng()
Definition: tls_channel.h:233
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
MechanismType type
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
size_t length() const
Definition: symkey.h:25
#define BOTAN_ASSERT(expr, assertion_made)
Definition: assert.h:27
void send_alert(const Alert &alert)
std::function< bool(const Session &)> handshake_cb
Definition: tls_channel.h:42
bool secure_renegotiation_supported() const
std::function< std::string(std::vector< std::string >)> next_protocol_fn
Definition: tls_server.h:29
Definition: alg_id.cpp:13
OctetString SymmetricKey
Definition: symkey.h:136
void secure_renegotiation_check(const Client_Hello *client_hello)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
virtual SymmetricKey psk(const std::string &type, const std::string &context, const std::string &identity)
std::function< void(const uint8_t[], size_t)> data_cb
Definition: tls_channel.h:40
virtual uint32_t session_ticket_lifetime() const
Definition: tls_policy.cpp:231
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:86
static Ciphersuite by_id(uint16_t suite)
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Server(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Server::IO_BUF_DEFAULT_SIZE)
Definition: tls_server.cpp:271
virtual void save(const Session &session)=0
virtual Protocol_Version latest_supported_version(bool datagram) const
Definition: tls_policy.cpp:256
const Policy & policy() const
Definition: tls_channel.h:237
Session_Manager & session_manager()
Definition: tls_channel.h:235
std::function< void(const Handshake_Message &)> handshake_msg_cb
Definition: tls_channel.h:43
virtual Private_Key * private_key_for(const X509_Certificate &cert, const std::string &type, const std::string &context)