9 #include <botan/tls_server.h>
10 #include <botan/tls_messages.h>
11 #include <botan/internal/tls_handshake_state.h>
12 #include <botan/internal/stl_util.h>
13 #include <botan/tls_magic.h>
19 class Server_Handshake_State :
public Handshake_State
22 Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
25 Private_Key* server_rsa_kex_key() {
return m_server_rsa_kex_key; }
26 void set_server_rsa_kex_key(Private_Key* key)
27 { m_server_rsa_kex_key = key; }
29 bool allow_session_resumption()
const
30 {
return m_allow_session_resumption; }
31 void set_allow_session_resumption(
bool allow_session_resumption)
32 { m_allow_session_resumption = allow_session_resumption; }
37 Private_Key* m_server_rsa_kex_key =
nullptr;
43 bool m_allow_session_resumption =
true;
48 bool check_for_resume(Session& session_info,
49 Session_Manager& session_manager,
50 Credentials_Manager& credentials,
51 const Client_Hello* client_hello,
52 std::chrono::seconds session_ticket_lifetime)
54 const std::vector<uint8_t>& client_session_id = client_hello->session_id();
55 const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
57 if(session_ticket.empty())
59 if(client_session_id.empty())
63 if(!session_manager.load_from_session_id(client_session_id, session_info))
73 credentials.psk(
"tls-server",
"session-ticket",
""));
75 if(session_ticket_lifetime != std::chrono::seconds(0) &&
76 session_info.session_age() > session_ticket_lifetime)
86 if(client_hello->version() != session_info.version())
91 session_info.ciphersuite_code()))
96 session_info.compression_method()))
99 #if defined(BOTAN_HAS_SRP6)
101 if(client_hello->srp_identifier() !=
"")
103 if(client_hello->srp_identifier() != session_info.srp_identifier())
109 if(client_hello->sni_hostname() !=
"")
111 if(client_hello->sni_hostname() != session_info.server_info().hostname())
116 if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
118 if(!session_info.supports_extended_master_secret())
129 "Client resumed extended ms session without sending extension");
134 if( !client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
142 "Client resumed Encrypt-then-MAC session without sending extension");
152 uint16_t choose_ciphersuite(
153 const Policy& policy,
154 Protocol_Version version,
155 Credentials_Manager& creds,
156 const std::map<std::string, std::vector<X509_Certificate> >& cert_chains,
157 const Client_Hello& client_hello)
159 const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
160 const bool have_srp = creds.attempt_srp(
"tls-server", client_hello.sni_hostname());
161 const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
162 const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
164 if(server_suites.empty())
166 "Policy forbids us from negotiating any ciphersuite");
168 const bool have_shared_ecc_curve =
169 (policy.choose_curve(client_hello.supported_ecc_curves()) !=
"");
175 std::vector<uint16_t> pref_list = server_suites;
176 std::vector<uint16_t> other_list = client_suites;
179 std::swap(pref_list, other_list);
181 const std::set<std::string> client_sig_algos = client_hello.supported_sig_algos();
183 for(
auto suite_id : pref_list)
190 if(suite.valid() ==
false)
193 if(suite.ecc_ciphersuite() && have_shared_ecc_curve ==
false)
197 if(suite.sig_algo() !=
"")
200 if(cert_chains.count(suite.sig_algo()) == 0)
204 if(!client_sig_algos.empty() && client_sig_algos.count(suite.sig_algo()) == 0)
208 #if defined(BOTAN_HAS_SRP6)
217 if(suite.kex_algo() ==
"SRP_SHA" && client_hello.srp_identifier() ==
"")
219 "Client wanted SRP but did not send username");
226 "Can't agree on a ciphersuite with client");
233 uint8_t choose_compression(
const Policy& policy,
234 const std::vector<uint8_t>& c_comp)
236 std::vector<uint8_t> s_comp = policy.compression();
238 for(
size_t i = 0; i != s_comp.size(); ++i)
239 for(
size_t j = 0; j != c_comp.size(); ++j)
240 if(s_comp[i] == c_comp[j])
246 std::map<std::string, std::vector<X509_Certificate> >
247 get_server_certs(
const std::string& hostname,
248 Credentials_Manager& creds)
250 const char* cert_types[] = {
"RSA",
"DSA",
"ECDSA",
nullptr };
252 std::map<std::string, std::vector<X509_Certificate> > cert_chains;
254 for(
size_t i = 0; cert_types[i]; ++i)
256 std::vector<X509_Certificate> certs =
257 creds.cert_chain_single_type(cert_types[i],
"tls-server", hostname);
260 cert_chains[cert_types[i]] = certs;
278 Channel(callbacks, session_manager, rng, policy,
279 is_datagram, io_buf_sz),
295 Channel(output, data_cb, alert_cb, handshake_cb,
297 rng, policy, is_datagram, io_buf_sz),
299 m_choose_next_protocol(next_proto)
315 Channel(output, data_cb, alert_cb, handshake_cb, hs_msg_cb,
316 session_manager, rng, policy, is_datagram),
318 m_choose_next_protocol(next_proto)
324 std::unique_ptr<Handshake_State> state(
new Server_Handshake_State(io,
callbacks()));
327 return state.release();
330 std::vector<X509_Certificate>
331 Server::get_peer_cert_chain(
const Handshake_State& state)
const
333 if(state.client_certs())
334 return state.client_certs()->cert_chain();
335 return std::vector<X509_Certificate>();
341 void Server::initiate_handshake(Handshake_State& state,
342 bool force_full_renegotiation)
344 dynamic_cast<Server_Handshake_State&
>(state).
345 set_allow_session_resumption(!force_full_renegotiation);
347 Hello_Request hello_req(state.handshake_io());
353 void Server::process_client_hello_msg(
const Handshake_State* active_state,
354 Server_Handshake_State& pending_state,
355 const std::vector<uint8_t>& contents)
357 const bool initial_handshake = !active_state;
359 if(!
policy().allow_insecure_renegotiation() &&
366 pending_state.client_hello(
new Client_Hello(contents));
367 const Protocol_Version client_version = pending_state.client_hello()->version();
369 Protocol_Version negotiated_version;
371 const Protocol_Version latest_supported =
374 if((initial_handshake && client_version.known_version()) ||
375 (!initial_handshake && client_version == active_state->version()))
383 negotiated_version = client_version;
385 else if(!initial_handshake && (client_version != active_state->version()))
394 if(active_state->version() > client_version)
397 "Client negotiated " +
398 active_state->version().to_string() +
399 " then renegotiated with " +
400 client_version.to_string());
403 negotiated_version = active_state->version();
411 negotiated_version = latest_supported;
414 if(!
policy().acceptable_protocol_version(negotiated_version))
417 "Client version " + negotiated_version.to_string() +
418 " is unacceptable by policy");
421 if(pending_state.client_hello()->sent_fallback_scsv())
423 if(latest_supported > client_version)
425 "Client signalled fallback SCSV, possible attack");
430 pending_state.set_version(negotiated_version);
432 Session session_info;
433 const bool resuming =
434 pending_state.allow_session_resumption() &&
435 check_for_resume(session_info,
438 pending_state.client_hello(),
439 std::chrono::seconds(
policy().session_ticket_lifetime()));
441 bool have_session_ticket_key =
false;
445 have_session_ticket_key =
446 m_creds.
psk(
"tls-server",
"session-ticket",
"").
length() > 0;
450 m_next_protocol =
"";
451 if(pending_state.client_hello()->supports_alpn())
456 if(m_next_protocol.empty() && m_choose_next_protocol)
458 m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
464 this->session_resume(pending_state, have_session_ticket_key, session_info);
468 this->session_create(pending_state, have_session_ticket_key);
472 void Server::process_certificate_msg(Server_Handshake_State& pending_state,
473 const std::vector<uint8_t>& contents)
479 void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
480 const std::vector<uint8_t>& contents)
482 if(pending_state.received_handshake_msg(
CERTIFICATE) && !pending_state.client_certs()->empty())
487 pending_state.client_kex(
488 new Client_Key_Exchange(contents, pending_state,
489 pending_state.server_rsa_kex_key(),
493 pending_state.compute_session_keys();
496 void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
498 pending_state.set_expected_next(
FINISHED);
502 void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
504 const std::vector<uint8_t>& contents)
506 pending_state.client_verify (
new Certificate_Verify ( contents, pending_state.version() ) );
508 const std::vector<X509_Certificate>& client_certs =
509 pending_state.client_certs()->cert_chain();
511 const bool sig_valid =
512 pending_state.client_verify()->verify ( client_certs[0], pending_state,
policy() );
514 pending_state.hash().update ( pending_state.handshake_io().format ( contents, type ) );
526 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
536 catch ( std::exception& e )
544 void Server::process_finished_msg(Server_Handshake_State& pending_state,
546 const std::vector<uint8_t>& contents)
550 pending_state.client_finished (
new Finished ( contents ) );
552 if ( !pending_state.client_finished()->verify ( pending_state,
CLIENT ) )
554 "Finished message didn't verify" );
556 if ( !pending_state.server_finished() )
560 pending_state.hash().update ( pending_state.handshake_io().format ( contents, type ) );
562 Session session_info(
563 pending_state.server_hello()->session_id(),
564 pending_state.session_keys().master_secret(),
565 pending_state.server_hello()->version(),
566 pending_state.server_hello()->ciphersuite(),
567 pending_state.server_hello()->compression_method(),
569 pending_state.server_hello()->supports_extended_master_secret(),
570 pending_state.server_hello()->supports_encrypt_then_mac(),
571 get_peer_cert_chain ( pending_state ),
572 std::vector<uint8_t>(),
573 Server_Information(pending_state.client_hello()->sni_hostname()),
574 pending_state.srp_identifier(),
575 pending_state.server_hello()->srtp_profile()
580 if ( pending_state.server_hello()->supports_session_ticket() )
584 const SymmetricKey ticket_key = m_creds.
psk (
"tls-server",
"session-ticket",
"" );
586 pending_state.new_session_ticket (
587 new New_Session_Ticket ( pending_state.handshake_io(),
588 pending_state.hash(),
589 session_info.encrypt ( ticket_key,
rng() ),
599 if ( !pending_state.new_session_ticket() &&
600 pending_state.server_hello()->supports_session_ticket() )
602 pending_state.new_session_ticket (
603 new New_Session_Ticket ( pending_state.handshake_io(), pending_state.hash() )
607 pending_state.handshake_io().send ( Change_Cipher_Spec() );
611 pending_state.server_finished (
new Finished ( pending_state.handshake_io(), pending_state,
SERVER ) );
621 void Server::process_handshake_msg(
const Handshake_State* active_state,
622 Handshake_State& state_base,
624 const std::vector<uint8_t>& contents)
626 Server_Handshake_State& state =
dynamic_cast<Server_Handshake_State&
>(state_base);
627 state.confirm_transition_to(type);
638 state.hash().update(state.handshake_io().format(contents, type));
644 return this->process_client_hello_msg(active_state, state, contents);
647 return this->process_certificate_msg(state, contents);
650 return this->process_client_key_exchange_msg(state, contents);
653 return this->process_certificate_verify_msg(state, type, contents);
656 return this->process_change_cipher_spec_msg(state);
659 return this->process_finished_msg(state, type, contents);
662 throw Unexpected_Message(
"Unknown handshake message received");
666 void Server::session_resume(Server_Handshake_State& pending_state,
667 bool have_session_ticket_key,
668 Session& session_info)
673 const bool offer_new_session_ticket =
674 (pending_state.client_hello()->supports_session_ticket() &&
675 pending_state.client_hello()->session_ticket().empty() &&
676 have_session_ticket_key);
678 pending_state.server_hello(
new Server_Hello(
679 pending_state.handshake_io(),
680 pending_state.hash(),
684 *pending_state.client_hello(),
686 offer_new_session_ticket,
692 pending_state.compute_session_keys(session_info.master_secret());
698 if(pending_state.server_hello()->supports_session_ticket())
700 pending_state.new_session_ticket(
701 new New_Session_Ticket(pending_state.handshake_io(),
702 pending_state.hash())
707 if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
711 const SymmetricKey ticket_key = m_creds.
psk(
"tls-server",
"session-ticket",
"");
713 pending_state.new_session_ticket(
714 new New_Session_Ticket(pending_state.handshake_io(),
715 pending_state.hash(),
716 session_info.encrypt(ticket_key,
rng()),
722 if(!pending_state.new_session_ticket())
724 pending_state.new_session_ticket(
725 new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash())
730 pending_state.handshake_io().send(Change_Cipher_Spec());
734 pending_state.server_finished(
new Finished(pending_state.handshake_io(), pending_state,
SERVER));
738 void Server::session_create(Server_Handshake_State& pending_state,
739 bool have_session_ticket_key)
741 std::map<std::string, std::vector<X509_Certificate> > cert_chains;
743 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
745 cert_chains = get_server_certs(sni_hostname, m_creds);
747 if(sni_hostname !=
"" && cert_chains.empty())
749 cert_chains = get_server_certs(
"", m_creds);
758 if(!cert_chains.empty())
762 Server_Hello::Settings srv_settings(
764 pending_state.version(),
765 choose_ciphersuite(
policy(),
766 pending_state.version(),
769 *pending_state.client_hello()),
770 choose_compression(
policy(),
771 pending_state.client_hello()->compression_methods()),
772 have_session_ticket_key);
774 pending_state.server_hello(
new Server_Hello(
775 pending_state.handshake_io(),
776 pending_state.hash(),
780 *pending_state.client_hello(),
787 const std::string sig_algo = pending_state.ciphersuite().sig_algo();
788 const std::string kex_algo = pending_state.ciphersuite().kex_algo();
793 "Attempting to send empty certificate chain");
795 pending_state.server_certs(
new Certificate(pending_state.handshake_io(),
796 pending_state.hash(),
797 cert_chains[sig_algo]));
800 Private_Key* private_key =
nullptr;
802 if(kex_algo ==
"RSA" || sig_algo !=
"")
805 pending_state.server_certs()->cert_chain()[0],
810 throw Internal_Error(
"No private key located for associated server cert");
813 if(kex_algo ==
"RSA")
815 pending_state.set_server_rsa_kex_key(private_key);
819 pending_state.server_kex(
new Server_Key_Exchange(pending_state.handshake_io(),
821 m_creds,
rng(), private_key));
826 std::vector<X509_DN> client_auth_CAs;
828 for(
auto store : trusted_CAs)
830 auto subjects = store->all_subjects();
831 client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
834 if(!client_auth_CAs.empty() && pending_state.ciphersuite().sig_algo() !=
"")
836 pending_state.cert_req(
837 new Certificate_Req(pending_state.handshake_io(),
838 pending_state.hash(),
841 pending_state.version()));
855 pending_state.server_hello_done(
new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
Callbacks & callbacks() const
static Session decrypt(const uint8_t ctext[], size_t ctext_size, const SymmetricKey &key)
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
void change_cipher_spec_reader(Connection_Side side)
bool save_session(const Session &session) const
void change_cipher_spec_writer(Connection_Side side)
void send_warning_alert(Alert::Type type)
std::function< void(const uint8_t[], size_t)> output_fn
RandomNumberGenerator & rng()
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response >> &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
#define BOTAN_ASSERT(expr, assertion_made)
void send_alert(const Alert &alert)
std::function< bool(const Session &)> handshake_cb
bool secure_renegotiation_supported() const
std::function< std::string(std::vector< std::string >)> next_protocol_fn
void secure_renegotiation_check(const Client_Hello *client_hello)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
virtual SymmetricKey psk(const std::string &type, const std::string &context, const std::string &identity)
std::function< void(const uint8_t[], size_t)> data_cb
virtual uint32_t session_ticket_lifetime() const
bool value_exists(const std::vector< T > &vec, const T &val)
static Ciphersuite by_id(uint16_t suite)
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Server(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Server::IO_BUF_DEFAULT_SIZE)
virtual void save(const Session &session)=0
virtual Protocol_Version latest_supported_version(bool datagram) const
const Policy & policy() const
Session_Manager & session_manager()
std::function< void(const Handshake_Message &)> handshake_msg_cb
virtual Private_Key * private_key_for(const X509_Certificate &cert, const std::string &type, const std::string &context)