9 #include <botan/tls_channel.h>
10 #include <botan/tls_messages.h>
11 #include <botan/internal/tls_handshake_state.h>
12 #include <botan/internal/tls_record.h>
13 #include <botan/internal/tls_seq_numbers.h>
14 #include <botan/internal/rounding.h>
15 #include <botan/internal/stl_util.h>
16 #include <botan/loadstor.h>
29 size_t reserved_io_buffer_size) :
30 m_is_datagram(is_datagram),
31 m_callbacks(callbacks),
32 m_session_manager(session_manager),
36 init(reserved_io_buffer_size);
49 m_is_datagram(is_datagram),
50 m_compat_callbacks(new
Compat_Callbacks(out, app_data_cb, alert_cb, hs_cb, hs_msg_cb)),
51 m_callbacks(*m_compat_callbacks.get()),
52 m_session_manager(session_manager),
59 void Channel::init(
size_t io_buf_sz)
62 m_write_cipher_states[0] =
nullptr;
63 m_read_cipher_states[0] =
nullptr;
65 m_writebuf.reserve(io_buf_sz);
66 m_readbuf.reserve(io_buf_sz);
69 void Channel::reset_state()
71 m_active_state.reset();
72 m_pending_state.reset();
74 m_write_cipher_states.clear();
75 m_read_cipher_states.clear();
85 BOTAN_ASSERT(m_sequence_numbers,
"Have a sequence numbers object");
86 return *m_sequence_numbers;
89 std::shared_ptr<Connection_Cipher_State> Channel::read_cipher_state_epoch(uint16_t epoch)
const
91 auto i = m_read_cipher_states.find(epoch);
92 if(i == m_read_cipher_states.end())
97 std::shared_ptr<Connection_Cipher_State> Channel::write_cipher_state_epoch(uint16_t epoch)
const
99 auto i = m_write_cipher_states.find(epoch);
100 if(i == m_write_cipher_states.end())
101 throw Internal_Error(
"TLS::Channel No write cipherstate for epoch " +
std::to_string(epoch));
107 if(
auto active = active_state())
109 return std::vector<X509_Certificate>();
115 throw Internal_Error(
"create_handshake_state called during handshake");
117 if(
auto active = active_state())
122 throw Exception(
"Active state using version " +
124 " cannot change to " +
129 if(!m_sequence_numbers)
139 std::unique_ptr<Handshake_IO> io;
143 std::bind(&Channel::send_record_under_epoch,
this, _1, _2, _3),
145 static_cast<uint16_t>(m_policy.dtls_default_mtu()),
146 m_policy.dtls_initial_timeout(),
147 m_policy.dtls_maximum_timeout()));
156 if(
auto active = active_state())
157 m_pending_state->set_version(active->version());
159 return *m_pending_state.get();
165 return m_pending_state->handshake_io().timeout_check();
176 if(
auto active = active_state())
178 force_full_renegotiation);
180 throw Exception(
"Cannot renegotiate on inactive connection");
185 auto pending = pending_state();
188 "Have received server hello");
190 if(pending->server_hello()->compression_method() !=
NO_COMPRESSION)
198 "No read cipher state currently set for next epoch");
201 std::shared_ptr<Connection_Cipher_State> read_state(
205 pending->ciphersuite(),
206 pending->session_keys(),
207 pending->server_hello()->supports_encrypt_then_mac()));
209 m_read_cipher_states[epoch] = read_state;
214 auto pending = pending_state();
217 "Have received server hello");
219 if(pending->server_hello()->compression_method() !=
NO_COMPRESSION)
227 "No write cipher state currently set for next epoch");
229 std::shared_ptr<Connection_Cipher_State> write_state(
233 pending->ciphersuite(),
234 pending->session_keys(),
235 pending->server_hello()->supports_encrypt_then_mac()));
237 m_write_cipher_states[epoch] = write_state;
242 return (active_state() !=
nullptr);
247 if(active_state() || pending_state())
256 return (m_sequence_numbers !=
nullptr);
261 std::swap(m_active_state, m_pending_state);
262 m_pending_state.reset();
264 if(!m_active_state->version().is_datagram_protocol())
269 const auto not_current_epoch =
270 [current_epoch](uint16_t epoch) {
return (epoch != current_epoch); };
291 uint64_t record_sequence = 0;
298 Record record(record_data, &record_sequence, &record_version, &record_type);
299 const size_t needed =
303 m_sequence_numbers.get(),
304 std::bind(&TLS::Channel::read_cipher_state_epoch,
this,
305 std::placeholders::_1));
310 "Record reader consumed sane amount");
313 input_size -= consumed;
316 "Got a full record or consumed all input");
318 if(input_size == 0 && needed != 0)
323 "TLS plaintext record is larger than allowed maximum");
327 process_handshake_ccs(record_data, record_sequence, record_type, record_version);
331 process_application_data(record_sequence, record_data);
333 else if(record_type ==
ALERT)
335 process_alert(record_data);
340 " from counterparty");
368 uint64_t record_sequence,
377 if(m_sequence_numbers)
385 const uint16_t epoch = record_sequence >> 48;
387 if(epoch == sequence_numbers().current_read_epoch())
391 else if(epoch == sequence_numbers().current_read_epoch() - 1)
394 m_active_state->handshake_io().add_record(
unlock(record),
399 else if(record_sequence == 0)
413 m_pending_state->handshake_io().add_record(
unlock(record),
417 while(
auto pending = m_pending_state.get())
419 auto msg = pending->get_next_handshake_msg();
425 msg.first, msg.second);
430 void Channel::process_application_data(uint64_t seq_no,
const secure_vector<uint8_t>& record)
433 throw Unexpected_Message(
"Application data before handshake done");
440 if(record.size() > 0)
444 void Channel::process_alert(
const secure_vector<uint8_t>& record)
446 Alert alert_msg(record);
449 m_pending_state.reset();
453 if(alert_msg.is_fatal())
455 if(
auto active = active_state())
456 m_session_manager.
remove_entry(active->server_hello()->session_id());
469 void Channel::write_record(Connection_Cipher_State* cipher_state, uint16_t epoch,
470 uint8_t record_type,
const uint8_t input[],
size_t length)
472 BOTAN_ASSERT(m_pending_state || m_active_state,
"Some connection state exists");
474 Protocol_Version record_version =
475 (m_pending_state) ? (m_pending_state->version()) : (m_active_state->version());
477 Record_Message record_message(record_type, 0, input, length);
482 sequence_numbers().next_write_sequence(epoch),
489 void Channel::send_record_array(uint16_t epoch, uint8_t
type,
const uint8_t input[],
size_t length)
507 auto cipher_state = write_cipher_state_epoch(epoch);
509 if(type ==
APPLICATION_DATA && m_active_state->version().supports_explicit_cbc_ivs() ==
false)
511 write_record(cipher_state.get(), epoch,
type, input, 1);
519 write_record(cipher_state.get(), epoch,
type, input, sending);
526 void Channel::send_record(uint8_t record_type,
const std::vector<uint8_t>& record)
528 send_record_array(sequence_numbers().current_write_epoch(),
529 record_type, record.data(), record.size());
532 void Channel::send_record_under_epoch(uint16_t epoch, uint8_t record_type,
533 const std::vector<uint8_t>& record)
535 send_record_array(epoch, record_type, record.data(), record.size());
541 throw Exception(
"Data cannot be sent on inactive TLS connection");
543 send_record_array(sequence_numbers().current_write_epoch(),
549 this->
send(reinterpret_cast<const uint8_t*>(
string.c_str()),
string.size());
564 m_pending_state.reset();
567 if(
auto active = active_state())
568 m_session_manager.
remove_entry(active->server_hello()->session_id());
578 if(
auto active = active_state())
580 const bool active_sr = active->client_hello()->secure_renegotiation();
582 if(active_sr != secure_renegotiation)
584 "Client changed its mind about secure renegotiation");
587 if(secure_renegotiation)
593 "Client sent bad values for secure renegotiation");
601 if(
auto active = active_state())
603 const bool active_sr = active->client_hello()->secure_renegotiation();
605 if(active_sr != secure_renegotiation)
607 "Server changed its mind about secure renegotiation");
610 if(secure_renegotiation)
616 "Server sent bad values for secure renegotiation");
622 if(
auto active = active_state())
623 return active->client_finished()->verify_data();
624 return std::vector<uint8_t>();
629 if(
auto active = active_state())
631 std::vector<uint8_t> buf = active->client_finished()->verify_data();
632 buf += active->server_finished()->verify_data();
636 return std::vector<uint8_t>();
641 if(
auto active = active_state())
642 return active->server_hello()->secure_renegotiation();
644 if(
auto pending = pending_state())
645 if(
auto hello = pending->server_hello())
646 return hello->secure_renegotiation();
652 const std::string& context,
655 if(
auto active = active_state())
657 std::unique_ptr<KDF> prf(active->protocol_specific_prf());
660 active->session_keys().master_secret();
662 std::vector<uint8_t> salt;
663 salt += active->client_hello()->random();
664 salt += active->server_hello()->random();
668 size_t context_size = context.
length();
669 if(context_size > 0xFFFF)
670 throw Exception(
"key_material_export context is too long");
671 salt.push_back(
get_byte(0, static_cast<uint16_t>(context_size)));
672 salt.push_back(
get_byte(1, static_cast<uint16_t>(context_size)));
676 return prf->derive_key(length, master_secret, salt,
to_byte_vector(label));
679 throw Exception(
"Channel::key_material_export connection not active");
SymmetricKey key_material_export(const std::string &label, const std::string &context, size_t length) const
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
virtual std::vector< X509_Certificate > get_peer_cert_chain(const Handshake_State &state) const =0
std::vector< X509_Certificate > peer_cert_chain() const
Callbacks & callbacks() const
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
std::vector< uint8_t > secure_renegotiation_data_for_client_hello() const
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
void change_cipher_spec_reader(Connection_Side side)
size_t read_record(secure_vector< uint8_t > &readbuf, Record_Raw_Input &raw_input, Record &rec, Connection_Sequence_Numbers *sequence_numbers, get_cipherstate_fn get_cipherstate)
void change_cipher_spec_writer(Connection_Side side)
void send_warning_alert(Alert::Type type)
std::function< void(const uint8_t[], size_t)> output_fn
std::string to_string() const
virtual void tls_alert(Alert alert)=0
Handshake_State & create_handshake_state(Protocol_Version version)
std::string to_string(const BER_Object &obj)
#define BOTAN_ASSERT(expr, assertion_made)
void send_alert(const Alert &alert)
std::vector< uint8_t > renegotiation_info() const
virtual void tls_record_received(uint64_t seq_no, const uint8_t data[], size_t size)=0
std::vector< T, secure_allocator< T >> secure_vector
virtual void new_read_cipher_state()=0
std::function< bool(const Session &)> handshake_cb
void send(const uint8_t buf[], size_t buf_size)
bool secure_renegotiation_supported() const
static size_t IO_BUF_DEFAULT_SIZE
virtual Handshake_State * new_handshake_state(class Handshake_IO *io)=0
std::vector< uint8_t > to_byte_vector(const std::string &s)
void send_fatal_alert(Alert::Type type)
void secure_renegotiation_check(const Client_Hello *client_hello)
RandomNumberGenerator & m_rng
size_t received_data(const uint8_t buf[], size_t buf_size)
std::function< void(const uint8_t[], size_t)> data_cb
virtual void tls_session_activated()
std::vector< T > unlock(const secure_vector< T > &in)
void map_remove_if(Pred pred, T &assoc)
Channel(Callbacks &callbacks, Session_Manager &session_manager, RandomNumberGenerator &rng, const Policy &policy, bool is_datagram, size_t io_buf_sz=IO_BUF_DEFAULT_SIZE)
virtual uint16_t current_write_epoch() const =0
virtual void tls_emit_data(const uint8_t data[], size_t size)=0
void renegotiate(bool force_full_renegotiation=false)
void write_record(secure_vector< uint8_t > &output, Record_Message msg, Protocol_Version version, uint64_t seq, Connection_Cipher_State *cs, RandomNumberGenerator &rng)
uint8_t get_byte(size_t byte_num, T input)
bool secure_renegotiation() const
std::vector< uint8_t > renegotiation_info() const
virtual void read_accept(uint64_t seq)=0
virtual void process_handshake_msg(const Handshake_State *active_state, Handshake_State &pending_state, Handshake_Type type, const std::vector< uint8_t > &contents)=0
virtual uint16_t current_read_epoch() const =0
virtual void new_write_cipher_state()=0
bool is_datagram_protocol() const
bool secure_renegotiation() const
std::function< void(const Handshake_Message &)> handshake_msg_cb
std::vector< uint8_t > serialize() const
virtual void initiate_handshake(Handshake_State &state, bool force_full_renegotiation)=0