Botan  2.1.0
Crypto and TLS for C++11
tls_handshake_state.cpp
Go to the documentation of this file.
1 /*
2 * TLS Handshaking
3 * (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4 *
5 * Botan is released under the Simplified BSD License (see license.txt)
6 */
7 
8 #include <botan/internal/tls_handshake_state.h>
9 #include <botan/internal/tls_record.h>
10 #include <botan/tls_messages.h>
11 #include <botan/tls_callbacks.h>
12 
13 namespace Botan {
14 
15 namespace TLS {
16 
17 std::string Handshake_Message::type_string() const
18  {
20  }
21 
23  {
24  switch(type)
25  {
27  return "hello_verify_request";
28 
29  case HELLO_REQUEST:
30  return "hello_request";
31 
32  case CLIENT_HELLO:
33  return "client_hello";
34 
35  case SERVER_HELLO:
36  return "server_hello";
37 
38  case CERTIFICATE:
39  return "certificate";
40 
41  case CERTIFICATE_URL:
42  return "certificate_url";
43 
44  case CERTIFICATE_STATUS:
45  return "certificate_status";
46 
47  case SERVER_KEX:
48  return "server_key_exchange";
49 
51  return "certificate_request";
52 
53  case SERVER_HELLO_DONE:
54  return "server_hello_done";
55 
56  case CERTIFICATE_VERIFY:
57  return "certificate_verify";
58 
59  case CLIENT_KEX:
60  return "client_key_exchange";
61 
62  case NEW_SESSION_TICKET:
63  return "new_session_ticket";
64 
65  case HANDSHAKE_CCS:
66  return "change_cipher_spec";
67 
68  case FINISHED:
69  return "finished";
70 
71  case HANDSHAKE_NONE:
72  return "invalid";
73  }
74 
75  throw Internal_Error("Unknown TLS handshake message type " + std::to_string(type));
76  }
77 
78 namespace {
79 
80 uint32_t bitmask_for_handshake_type(Handshake_Type type)
81  {
82  switch(type)
83  {
85  return (1 << 0);
86 
87  case HELLO_REQUEST:
88  return (1 << 1);
89 
90  case CLIENT_HELLO:
91  return (1 << 2);
92 
93  case SERVER_HELLO:
94  return (1 << 3);
95 
96  case CERTIFICATE:
97  return (1 << 4);
98 
99  case CERTIFICATE_URL:
100  return (1 << 5);
101 
102  case CERTIFICATE_STATUS:
103  return (1 << 6);
104 
105  case SERVER_KEX:
106  return (1 << 7);
107 
108  case CERTIFICATE_REQUEST:
109  return (1 << 8);
110 
111  case SERVER_HELLO_DONE:
112  return (1 << 9);
113 
114  case CERTIFICATE_VERIFY:
115  return (1 << 10);
116 
117  case CLIENT_KEX:
118  return (1 << 11);
119 
120  case NEW_SESSION_TICKET:
121  return (1 << 12);
122 
123  case HANDSHAKE_CCS:
124  return (1 << 13);
125 
126  case FINISHED:
127  return (1 << 14);
128 
129  // allow explicitly disabling new handshakes
130  case HANDSHAKE_NONE:
131  return 0;
132  }
133 
134  throw Internal_Error("Unknown handshake type " + std::to_string(type));
135  }
136 
137 std::string handshake_mask_to_string(uint32_t mask)
138  {
139  const Handshake_Type types[] = {
142  CLIENT_HELLO,
143  CERTIFICATE,
146  SERVER_KEX,
150  CLIENT_KEX,
153  FINISHED
154  };
155 
156  std::ostringstream o;
157  bool empty = true;
158 
159  for(auto&& t : types)
160  {
161  if(mask & bitmask_for_handshake_type(t))
162  {
163  if(!empty)
164  o << ",";
165  o << handshake_type_to_string(t);
166  empty = false;
167  }
168  }
169 
170  return o.str();
171  }
172 
173 }
174 
175 /*
176 * Initialize the SSL/TLS Handshake State
177 */
179  m_callbacks(cb),
180  m_handshake_io(io),
181  m_version(m_handshake_io->initial_record_version())
182  {
183  }
184 
186  {
187  m_callbacks.tls_inspect_handshake_msg(msg);
188  }
189 
191  {
192  note_message(hello_verify);
193 
194  m_client_hello->update_hello_cookie(hello_verify);
195  hash().reset();
196  hash().update(handshake_io().send(*m_client_hello));
197  note_message(*m_client_hello);
198  }
199 
201  {
202  m_client_hello.reset(client_hello);
203  note_message(*m_client_hello);
204  }
205 
207  {
208  m_server_hello.reset(server_hello);
209  m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
210  note_message(*m_server_hello);
211  }
212 
214  {
215  m_server_certs.reset(server_certs);
216  note_message(*m_server_certs);
217  }
218 
220  {
221  m_server_cert_status.reset(server_cert_status);
222  note_message(*m_server_cert_status);
223  }
224 
226  {
227  m_server_kex.reset(server_kex);
228  note_message(*m_server_kex);
229  }
230 
232  {
233  m_cert_req.reset(cert_req);
234  note_message(*m_cert_req);
235  }
236 
238  {
239  m_server_hello_done.reset(server_hello_done);
240  note_message(*m_server_hello_done);
241  }
242 
244  {
245  m_client_certs.reset(client_certs);
246  note_message(*m_client_certs);
247  }
248 
250  {
251  m_client_kex.reset(client_kex);
252  note_message(*m_client_kex);
253  }
254 
256  {
257  m_client_verify.reset(client_verify);
258  note_message(*m_client_verify);
259  }
260 
262  {
263  m_new_session_ticket.reset(new_session_ticket);
264  note_message(*m_new_session_ticket);
265  }
266 
268  {
269  m_server_finished.reset(server_finished);
270  note_message(*m_server_finished);
271  }
272 
274  {
275  m_client_finished.reset(client_finished);
276  note_message(*m_client_finished);
277  }
278 
280  {
281  m_version = version;
282  }
283 
285  {
286  m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
287  }
288 
290  {
291  m_session_keys = Session_Keys(this, resume_master_secret, true);
292  }
293 
295  {
296  const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
297 
298  m_hand_received_mask |= mask;
299 
300  const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
301 
302  if(!ok)
303  throw Unexpected_Message("Unexpected state transition in handshake, got type " +
304  std::to_string(handshake_msg) +
305  " expected " + handshake_mask_to_string(m_hand_expecting_mask) +
306  " received " + handshake_mask_to_string(m_hand_received_mask));
307 
308  /* We don't know what to expect next, so force a call to
309  set_expected_next; if it doesn't happen, the next transition
310  check will always fail which is what we want.
311  */
312  m_hand_expecting_mask = 0;
313  }
314 
316  {
317  m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
318  }
319 
321  {
322  const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
323 
324  return (m_hand_received_mask & mask) != 0;
325  }
326 
327 std::pair<Handshake_Type, std::vector<uint8_t>>
329  {
330  const bool expecting_ccs =
331  (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
332 
333  return m_handshake_io->get_next_record(expecting_ccs);
334  }
335 
337  {
338 #if defined(BOTAN_HAS_SRP6)
339  // Authenticated via the successful key exchange
340  if(ciphersuite().valid() && ciphersuite().kex_algo() == "SRP_SHA")
341  return client_hello()->srp_identifier();
342 #endif
343 
344  return "";
345  }
346 
347 
348 std::vector<uint8_t> Handshake_State::session_ticket() const
349  {
350  if(new_session_ticket() && !new_session_ticket()->ticket().empty())
351  return new_session_ticket()->ticket();
352 
353  return client_hello()->session_ticket();
354  }
355 
357  {
358  if(version().supports_ciphersuite_specific_prf())
359  {
360  const std::string prf_algo = ciphersuite().prf_algo();
361 
362  if(prf_algo == "MD5" || prf_algo == "SHA-1")
363  return get_kdf("TLS-12-PRF(SHA-256)");
364 
365  return get_kdf("TLS-12-PRF(" + prf_algo + ")");
366  }
367 
368  // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
369  return get_kdf("TLS-PRF");
370  }
371 
372 namespace {
373 
374 std::string choose_hash(const std::string& sig_algo,
375  Protocol_Version negotiated_version,
376  const Policy& policy,
377  bool for_client_auth,
378  const Client_Hello* client_hello,
379  const Certificate_Req* cert_req)
380  {
381  if(!negotiated_version.supports_negotiable_signature_algorithms())
382  {
383  if(sig_algo == "RSA")
384  return "Parallel(MD5,SHA-160)";
385 
386  if(sig_algo == "DSA")
387  return "SHA-1";
388 
389  if(sig_algo == "ECDSA")
390  return "SHA-1";
391 
392  throw Internal_Error("Unknown TLS signature algo " + sig_algo);
393  }
394 
395  const auto supported_algos = for_client_auth ?
396  cert_req->supported_algos() :
397  client_hello->supported_algos();
398 
399  if(!supported_algos.empty())
400  {
401  const auto hashes = policy.allowed_signature_hashes();
402 
403  /*
404  * Choose our most preferred hash that the counterparty supports
405  * in pairing with the signature algorithm we want to use.
406  */
407  for(auto hash : hashes)
408  {
409  for(auto algo : supported_algos)
410  {
411  if(algo.first == hash && algo.second == sig_algo)
412  return hash;
413  }
414  }
415  }
416 
417  // TLS v1.2 default hash if the counterparty sent nothing
418  return "SHA-1";
419  }
420 
421 }
422 
423 std::pair<std::string, Signature_Format>
425  std::string& hash_algo_out,
426  std::string& sig_algo_out,
427  bool for_client_auth,
428  const Policy& policy) const
429  {
430  const std::string sig_algo = key.algo_name();
431 
432  const std::string hash_algo =
433  choose_hash(sig_algo,
434  this->version(),
435  policy,
436  for_client_auth,
437  client_hello(),
438  cert_req());
439 
440  if(this->version().supports_negotiable_signature_algorithms())
441  {
442  hash_algo_out = hash_algo;
443  sig_algo_out = sig_algo;
444  }
445 
446  if(sig_algo == "RSA")
447  {
448  const std::string padding = "EMSA3(" + hash_algo + ")";
449 
450  return std::make_pair(padding, IEEE_1363);
451  }
452  else if(sig_algo == "DSA" || sig_algo == "ECDSA")
453  {
454  const std::string padding = "EMSA1(" + hash_algo + ")";
455 
456  return std::make_pair(padding, DER_SEQUENCE);
457  }
458 
459  throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
460  }
461 
462 namespace {
463 
464 bool supported_algos_include(
465  const std::vector<std::pair<std::string, std::string>>& algos,
466  const std::string& key_type,
467  const std::string& hash_type)
468  {
469  for(auto&& algo : algos)
470  {
471  if(algo.first == hash_type && algo.second == key_type)
472  {
473  return true;
474  }
475  }
476 
477  return false;
478  }
479 
480 }
481 
482 std::pair<std::string, Signature_Format>
484  const std::string& input_hash_algo,
485  const std::string& input_sig_algo,
486  bool for_client_auth,
487  const Policy& policy) const
488  {
489  const std::string key_type = key.algo_name();
490 
491  if(!policy.allowed_signature_method(key_type))
492  {
494  "Rejecting " + key_type + " signature");
495  }
496 
497  std::string hash_algo;
498 
499  if(this->version().supports_negotiable_signature_algorithms())
500  {
501  if(input_sig_algo != key_type)
502  throw Decoding_Error("Counterparty sent inconsistent key and sig types");
503 
504  if(input_hash_algo == "")
505  throw Decoding_Error("Counterparty did not send hash/sig IDS");
506 
507  hash_algo = input_hash_algo;
508 
509  if(for_client_auth && !cert_req())
510  {
512  "No certificate verify set");
513  }
514 
515  /*
516  Confirm the signature type we just received against the
517  supported_algos list that we sent; it better be there.
518  */
519 
520  const auto supported_algos =
521  for_client_auth ? cert_req()->supported_algos() :
523 
524  if(!supported_algos_include(supported_algos, key_type, hash_algo))
525  {
527  "TLS signature extension did not allow for " +
528  key_type + "/" + hash_algo + " signature");
529  }
530  }
531  else
532  {
533  if(input_hash_algo != "" || input_sig_algo != "")
534  throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
535 
536  if(key_type == "RSA")
537  {
538  hash_algo = "Parallel(MD5,SHA-160)";
539  }
540  else if(key_type == "DSA" || key_type == "ECDSA")
541  {
542  hash_algo = "SHA-1";
543  }
544  else
545  {
546  throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
547  }
548 
549  /*
550  There is no check on the acceptability of a v1.0/v1.1 hash type,
551  since it's implicit with use of the protocol
552  */
553  }
554 
555  if(key_type == "RSA")
556  {
557  const std::string padding = "EMSA3(" + hash_algo + ")";
558  return std::make_pair(padding, IEEE_1363);
559  }
560  else if(key_type == "DSA" || key_type == "ECDSA")
561  {
562  const std::string padding = "EMSA1(" + hash_algo + ")";
563  return std::make_pair(padding, DER_SEQUENCE);
564  }
565 
566  throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
567  }
568 
569 }
570 
571 }
std::pair< std::string, Signature_Format > parse_sig_format(const Public_Key &key, const std::string &hash_algo, const std::string &sig_algo, bool for_client_auth, const Policy &policy) const
const Server_Hello_Done * server_hello_done() const
const Finished * client_finished() const
const Server_Hello * server_hello() const
std::vector< std::pair< std::string, std::string > > supported_algos() const
Definition: tls_messages.h:106
const Finished * server_finished() const
bool allowed_signature_method(const std::string &sig_method) const
Definition: tls_policy.cpp:91
const std::vector< uint8_t > & ticket() const
Definition: tls_messages.h:669
virtual std::string algo_name() const =0
const Certificate * server_certs() const
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:47
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
const Certificate_Status * server_cert_status() const
MechanismType type
void set_version(const Protocol_Version &version)
const Server_Key_Exchange * server_kex() const
std::string prf_algo() const
std::vector< T, secure_allocator< T >> secure_vector
Definition: secmem.h:121
std::pair< Handshake_Type, std::vector< uint8_t > > get_next_handshake_msg()
const Certificate_Verify * client_verify() const
void update(const uint8_t in[], size_t length)
virtual std::vector< std::string > allowed_signature_hashes() const
Definition: tls_policy.cpp:42
Definition: alg_id.cpp:13
void confirm_transition_to(Handshake_Type msg_type)
std::vector< uint8_t > session_ticket() const
secure_vector< uint8_t > resume_master_secret
Definition: tls_client.cpp:38
virtual Handshake_Type type() const =0
void note_message(const Handshake_Message &msg)
Definition: kdf.h:20
static Ciphersuite by_id(uint16_t suite)
void hello_verify_request(const Hello_Verify_Request &hello_verify)
std::string srp_identifier() const
std::vector< std::pair< std::string, std::string > > supported_algos() const
Definition: tls_messages.h:485
std::pair< std::string, Signature_Format > choose_sig_format(const Private_Key &key, std::string &hash_algo, std::string &sig_algo, bool for_client_auth, const Policy &policy) const
virtual void tls_inspect_handshake_msg(const Handshake_Message &message)
const New_Session_Ticket * new_session_ticket() const
bool supports_negotiable_signature_algorithms() const
Definition: tls_version.cpp:61
const Ciphersuite & ciphersuite() const
bool received_handshake_msg(Handshake_Type msg_type) const
const Certificate * client_certs() const
KDF * get_kdf(const std::string &algo_spec)
Definition: kdf.cpp:226
const char * handshake_type_to_string(Handshake_Type type)
void set_expected_next(Handshake_Type msg_type)
const Certificate_Req * cert_req() const
Protocol_Version version() const
const Client_Hello * client_hello() const
MechanismType hash
const Client_Key_Exchange * client_kex() const
std::vector< uint8_t > session_ticket() const
Definition: tls_messages.h:170