9#include <botan/tls_server.h>
10#include <botan/tls_messages.h>
11#include <botan/internal/tls_handshake_state.h>
12#include <botan/internal/stl_util.h>
13#include <botan/tls_magic.h>
19class Server_Handshake_State
final :
public Handshake_State
22 Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
25 Private_Key* server_rsa_kex_key() {
return m_server_rsa_kex_key; }
26 void set_server_rsa_kex_key(Private_Key* key)
27 { m_server_rsa_kex_key = key; }
29 bool allow_session_resumption()
const
30 {
return m_allow_session_resumption; }
31 void set_allow_session_resumption(
bool allow_session_resumption)
32 { m_allow_session_resumption = allow_session_resumption; }
34 const std::vector<X509_Certificate>& resume_peer_certs()
const
35 {
return m_resume_peer_certs; }
37 void set_resume_certs(
const std::vector<X509_Certificate>& certs)
38 { m_resume_peer_certs = certs; }
40 void mark_as_resumption() { m_is_a_resumption =
true; }
42 bool is_a_resumption()
const {
return m_is_a_resumption; }
46 Private_Key* m_server_rsa_kex_key =
nullptr;
52 bool m_allow_session_resumption =
true;
54 bool m_is_a_resumption =
false;
56 std::vector<X509_Certificate> m_resume_peer_certs;
61bool check_for_resume(Session& session_info,
62 Session_Manager& session_manager,
63 Credentials_Manager& credentials,
64 const Client_Hello* client_hello,
65 std::chrono::seconds session_ticket_lifetime)
67 const std::vector<uint8_t>& client_session_id = client_hello->session_id();
68 const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
70 if(session_ticket.empty())
72 if(client_session_id.empty())
76 if(!session_manager.load_from_session_id(client_session_id, session_info))
86 credentials.psk(
"tls-server",
"session-ticket",
""));
88 if(session_ticket_lifetime != std::chrono::seconds(0) &&
89 session_info.session_age() > session_ticket_lifetime)
99 if(client_hello->version() != session_info.version())
104 session_info.ciphersuite_code()))
107#if defined(BOTAN_HAS_SRP6)
109 if(client_hello->srp_identifier() !=
"")
111 if(client_hello->srp_identifier() != session_info.srp_identifier())
117 if(client_hello->sni_hostname() !=
"")
119 if(client_hello->sni_hostname() != session_info.server_info().hostname())
124 if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
126 if(!session_info.supports_extended_master_secret())
137 "Client resumed extended ms session without sending extension");
142 if(!client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
149 "Client resumed Encrypt-then-MAC session without sending extension");
158uint16_t choose_ciphersuite(
159 const Policy& policy,
160 Protocol_Version version,
161 Credentials_Manager& creds,
162 const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
163 const Client_Hello& client_hello)
165 const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
166 const bool have_srp = creds.attempt_srp(
"tls-server", client_hello.sni_hostname());
167 const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
168 const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
170 if(server_suites.empty())
172 "Policy forbids us from negotiating any ciphersuite");
174 const bool have_shared_ecc_curve =
175 (policy.choose_key_exchange_group(client_hello.supported_ecc_curves()) !=
Group_Params::NONE);
180 std::vector<uint16_t> pref_list = server_suites;
181 std::vector<uint16_t> other_list = client_suites;
184 std::swap(pref_list, other_list);
186 for(
auto suite_id : pref_list)
193 if(suite.valid() ==
false)
198 if(have_shared_ecc_curve ==
false && suite.ecc_ciphersuite())
204 if(suite.signature_used())
206 const std::string sig_algo = suite.sig_algo();
209 if(cert_chains.count(sig_algo) == 0)
214 if(version.supports_negotiable_signature_algorithms())
216 const std::vector<Signature_Scheme> allowed =
217 policy.allowed_signature_schemes();
219 std::vector<Signature_Scheme> client_sig_methods =
220 client_hello.signature_schemes();
222 if(client_sig_methods.empty())
230 bool we_support_some_hash_by_client =
false;
240 we_support_some_hash_by_client =
true;
244 if(we_support_some_hash_by_client ==
false)
247 "Policy does not accept any hash function supported by client");
252#if defined(BOTAN_HAS_SRP6)
261 if(suite.kex_method() ==
Kex_Algo::SRP_SHA && client_hello.srp_identifier() ==
"")
263 "Client wanted SRP but did not send username");
270 "Can't agree on a ciphersuite with client");
273std::map<std::string, std::vector<X509_Certificate>>
274get_server_certs(
const std::string& hostname,
275 Credentials_Manager& creds)
277 const char* cert_types[] = {
"RSA",
"ECDSA",
"DSA",
nullptr };
279 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
281 for(
size_t i = 0; cert_types[i]; ++i)
283 const std::vector<X509_Certificate> certs =
284 creds.cert_chain_single_type(cert_types[i],
"tls-server", hostname);
287 cert_chains[cert_types[i]] = certs;
305 Channel(callbacks, session_manager, rng, policy,
306 true, is_datagram, io_buf_sz),
322 Channel(output, got_data_cb, recv_alert_cb, hs_cb,
324 rng, policy, true, is_datagram, io_buf_sz),
326 m_choose_next_protocol(next_proto)
341 Channel(output, got_data_cb, recv_alert_cb, hs_cb, hs_msg_cb,
342 session_manager, rng, policy, true, is_datagram),
344 m_choose_next_protocol(next_proto)
350 std::unique_ptr<Handshake_State> state(
new Server_Handshake_State(io,
callbacks()));
353 return state.release();
356std::vector<X509_Certificate>
357Server::get_peer_cert_chain(
const Handshake_State& state_base)
const
359 const Server_Handshake_State& state =
dynamic_cast<const Server_Handshake_State&
>(state_base);
360 if(state.resume_peer_certs().size() > 0)
361 return state.resume_peer_certs();
363 if(state.client_certs())
364 return state.client_certs()->cert_chain();
365 return std::vector<X509_Certificate>();
371void Server::initiate_handshake(Handshake_State& state,
372 bool force_full_renegotiation)
374 dynamic_cast<Server_Handshake_State&
>(state).
375 set_allow_session_resumption(!force_full_renegotiation);
377 Hello_Request hello_req(state.handshake_io());
383 Protocol_Version client_offer,
384 Protocol_Version active_version,
386 const std::vector<Protocol_Version>& supported_versions)
388 const bool is_datagram = client_offer.is_datagram_protocol();
389 const bool initial_handshake = (active_version.valid() ==
false);
395 if(latest_supported > client_offer)
397 "Client signalled fallback SCSV, possible attack");
400 if(supported_versions.size() > 0)
406#if defined(BOTAN_HAS_TLS_V10)
416#if defined(BOTAN_HAS_TLS_V10)
426 const bool client_offer_acceptable =
429 if(!initial_handshake)
438 if(active_version > client_offer)
441 "Client negotiated " +
442 active_version.to_string() +
443 " then renegotiated with " +
444 client_offer.to_string());
448 return active_version;
451 else if(client_offer_acceptable)
455 else if(!client_offer.known_version() || client_offer > latest_supported)
461 return latest_supported;
466 "Client version " + client_offer.to_string() +
467 " is unacceptable by policy");
476void Server::process_client_hello_msg(
const Handshake_State* active_state,
477 Server_Handshake_State& pending_state,
478 const std::vector<uint8_t>& contents,
483 const bool initial_handshake = epoch0_restart || !active_state;
485 if(initial_handshake ==
false &&
policy().allow_client_initiated_renegotiation() ==
false)
487 if(
policy().abort_connection_on_undesired_renegotiation())
494 if(!
policy().allow_insecure_renegotiation() &&
501 pending_state.client_hello(
new Client_Hello(contents));
502 const Protocol_Version client_offer = pending_state.client_hello()->version();
503 const bool datagram = client_offer.is_datagram_protocol();
507 if(client_offer.major_version() == 0xFF)
512 if(client_offer.major_version() < 3)
514 if(client_offer.major_version() == 3 && client_offer.minor_version() == 0)
528 const Protocol_Version negotiated_version =
529 select_version(
policy(), client_offer,
530 active_state ? active_state->version() : Protocol_Version(),
531 pending_state.client_hello()->sent_fallback_scsv(),
532 pending_state.client_hello()->supported_versions());
534 pending_state.set_version(negotiated_version);
536 const auto compression_methods = pending_state.client_hello()->compression_methods();
540 if(initial_handshake && datagram)
546 cookie_secret = m_creds.
psk(
"tls-server",
"dtls-cookie-secret",
"");
550 if(cookie_secret.size() > 0)
553 Hello_Verify_Request verify(pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
555 if(pending_state.client_hello()->cookie() != verify.cookie())
558 pending_state.handshake_io().send_under_epoch(verify, 0);
560 pending_state.handshake_io().send(verify);
562 pending_state.client_hello(
nullptr);
567 else if(epoch0_restart)
583 Session session_info;
584 const bool resuming =
585 pending_state.allow_session_resumption() &&
586 check_for_resume(session_info,
589 pending_state.client_hello(),
590 std::chrono::seconds(
policy().session_ticket_lifetime()));
592 bool have_session_ticket_key =
false;
596 have_session_ticket_key =
597 m_creds.
psk(
"tls-server",
"session-ticket",
"").
length() > 0;
601 m_next_protocol =
"";
602 if(pending_state.client_hello()->supports_alpn())
607 if(m_next_protocol.empty() && m_choose_next_protocol)
609 m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
615 this->session_resume(pending_state, have_session_ticket_key, session_info);
619 this->session_create(pending_state, have_session_ticket_key);
623void Server::process_certificate_msg(Server_Handshake_State& pending_state,
624 const std::vector<uint8_t>& contents)
629 if(pending_state.client_certs()->empty() &&
policy().require_client_certificate_authentication())
635void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
636 const std::vector<uint8_t>& contents)
638 if(pending_state.received_handshake_msg(
CERTIFICATE) && !pending_state.client_certs()->empty())
643 pending_state.client_kex(
new Client_Key_Exchange(contents, pending_state,
644 pending_state.server_rsa_kex_key(),
647 pending_state.compute_session_keys();
650void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
652 pending_state.set_expected_next(
FINISHED);
656void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
658 const std::vector<uint8_t>& contents)
660 pending_state.client_verify(
new Certificate_Verify(contents, pending_state.version()));
662 const std::vector<X509_Certificate>& client_certs =
663 pending_state.client_certs()->cert_chain();
665 const bool sig_valid =
666 pending_state.client_verify()->verify(client_certs[0], pending_state,
policy());
668 pending_state.hash().update(pending_state.handshake_io().format(contents,
type));
680 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
690 catch(std::exception& e)
698void Server::process_finished_msg(Server_Handshake_State& pending_state,
700 const std::vector<uint8_t>& contents)
704 pending_state.client_finished(
new Finished(contents));
706 if(!pending_state.client_finished()->verify(pending_state,
CLIENT))
708 "Finished message didn't verify");
710 if(!pending_state.server_finished())
714 pending_state.hash().update(pending_state.handshake_io().format(contents,
type));
716 Session session_info(
717 pending_state.server_hello()->session_id(),
718 pending_state.session_keys().master_secret(),
719 pending_state.server_hello()->version(),
720 pending_state.server_hello()->ciphersuite(),
722 pending_state.server_hello()->supports_extended_master_secret(),
723 pending_state.server_hello()->supports_encrypt_then_mac(),
724 get_peer_cert_chain(pending_state),
725 std::vector<uint8_t>(),
726 Server_Information(pending_state.client_hello()->sni_hostname()),
727 pending_state.srp_identifier(),
728 pending_state.server_hello()->srtp_profile());
732 if(pending_state.server_hello()->supports_session_ticket())
736 const SymmetricKey ticket_key = m_creds.
psk(
"tls-server",
"session-ticket",
"");
738 pending_state.new_session_ticket(
739 new New_Session_Ticket(pending_state.handshake_io(),
740 pending_state.hash(),
741 session_info.encrypt(ticket_key,
rng()),
742 policy().session_ticket_lifetime()));
750 if(!pending_state.new_session_ticket() &&
751 pending_state.server_hello()->supports_session_ticket())
753 pending_state.new_session_ticket(
754 new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
757 pending_state.handshake_io().send(Change_Cipher_Spec());
761 pending_state.server_finished(
new Finished(pending_state.handshake_io(), pending_state,
SERVER));
770void Server::process_handshake_msg(
const Handshake_State* active_state,
771 Handshake_State& state_base,
773 const std::vector<uint8_t>& contents,
776 Server_Handshake_State& state =
dynamic_cast<Server_Handshake_State&
>(state_base);
777 state.confirm_transition_to(
type);
788 state.hash().update(state.handshake_io().format(contents,
type));
794 return this->process_client_hello_msg(active_state, state, contents, epoch0_restart);
797 return this->process_certificate_msg(state, contents);
800 return this->process_client_key_exchange_msg(state, contents);
803 return this->process_certificate_verify_msg(state,
type, contents);
806 return this->process_change_cipher_spec_msg(state);
809 return this->process_finished_msg(state,
type, contents);
812 throw Unexpected_Message(
"Unknown handshake message received");
816void Server::session_resume(Server_Handshake_State& pending_state,
817 bool have_session_ticket_key,
818 Session& session_info)
823 const bool offer_new_session_ticket =
824 (pending_state.client_hello()->supports_session_ticket() &&
825 pending_state.client_hello()->session_ticket().empty() &&
826 have_session_ticket_key);
828 pending_state.server_hello(
new Server_Hello(
829 pending_state.handshake_io(),
830 pending_state.hash(),
835 *pending_state.client_hello(),
837 offer_new_session_ticket,
842 pending_state.mark_as_resumption();
843 pending_state.compute_session_keys(session_info.master_secret());
844 pending_state.set_resume_certs(session_info.peer_certs());
850 if(pending_state.server_hello()->supports_session_ticket())
852 pending_state.new_session_ticket(
853 new New_Session_Ticket(pending_state.handshake_io(),
854 pending_state.hash()));
858 if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
862 const SymmetricKey ticket_key = m_creds.
psk(
"tls-server",
"session-ticket",
"");
864 pending_state.new_session_ticket(
865 new New_Session_Ticket(pending_state.handshake_io(),
866 pending_state.hash(),
867 session_info.encrypt(ticket_key,
rng()),
868 policy().session_ticket_lifetime()));
872 if(!pending_state.new_session_ticket())
874 pending_state.new_session_ticket(
875 new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
879 pending_state.handshake_io().send(Change_Cipher_Spec());
883 pending_state.server_finished(
new Finished(pending_state.handshake_io(), pending_state,
SERVER));
887void Server::session_create(Server_Handshake_State& pending_state,
888 bool have_session_ticket_key)
890 std::map<std::string, std::vector<X509_Certificate>> cert_chains;
892 const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
894 cert_chains = get_server_certs(sni_hostname, m_creds);
896 if(sni_hostname !=
"" && cert_chains.empty())
898 cert_chains = get_server_certs(
"", m_creds);
907 if(!cert_chains.empty())
911 const uint16_t ciphersuite = choose_ciphersuite(
policy(), pending_state.version(),
912 m_creds, cert_chains,
913 *pending_state.client_hello());
915 Server_Hello::Settings srv_settings(
917 pending_state.version(),
919 have_session_ticket_key);
921 pending_state.server_hello(
new Server_Hello(
922 pending_state.handshake_io(),
923 pending_state.hash(),
928 *pending_state.client_hello(),
934 const Ciphersuite& pending_suite = pending_state.ciphersuite();
936 Private_Key* private_key =
nullptr;
940 const std::string algo_used =
941 pending_suite.signature_used() ? pending_suite.sig_algo() :
"RSA";
944 "Attempting to send empty certificate chain");
946 pending_state.server_certs(
new Certificate(pending_state.handshake_io(),
947 pending_state.hash(),
948 cert_chains[algo_used]));
950 if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() ==
false)
952 auto csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
956 if(resp_bytes.size() > 0)
958 pending_state.server_cert_status(
new Certificate_Status(
959 pending_state.handshake_io(),
960 pending_state.hash(),
967 pending_state.server_certs()->cert_chain()[0],
972 throw Internal_Error(
"No private key located for associated server cert");
977 pending_state.set_server_rsa_kex_key(private_key);
981 pending_state.server_kex(
new Server_Key_Exchange(pending_state.handshake_io(),
983 m_creds,
rng(), private_key));
988 std::vector<X509_DN> client_auth_CAs;
990 for(
auto store : trusted_CAs)
992 auto subjects = store->all_subjects();
993 client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
996 const bool request_cert =
997 (client_auth_CAs.empty() ==
false) ||
1000 if(request_cert && pending_state.ciphersuite().signature_used())
1002 pending_state.cert_req(
1003 new Certificate_Req(pending_state.handshake_io(),
1004 pending_state.hash(),
1007 pending_state.version()));
1021 pending_state.server_hello_done(
new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
#define BOTAN_ASSERT_NOMSG(expr)
#define BOTAN_ASSERT_IMPLICATION(expr1, expr2, msg)
#define BOTAN_ASSERT(expr, assertion_made)
virtual Private_Key * private_key_for(const X509_Certificate &cert, const std::string &type, const std::string &context)
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
virtual SymmetricKey psk(const std::string &type, const std::string &context, const std::string &identity)
virtual std::vector< uint8_t > tls_provide_cert_status(const std::vector< X509_Certificate > &chain, const Certificate_Status_Request &csr)
virtual std::string tls_peer_network_identity()
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side)
virtual std::string tls_server_choose_app_protocol(const std::vector< std::string > &client_protos)
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::shared_ptr< const OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, const std::string &hostname, const TLS::Policy &policy)
bool secure_renegotiation_supported() const
void send_warning_alert(Alert::Type type)
Callbacks & callbacks() const
std::vector< uint8_t > secure_renegotiation_data_for_server_hello() const
bool save_session(const Session &session)
std::function< bool(const Session &)> handshake_cb
void change_cipher_spec_writer(Connection_Side side)
std::function< void(Alert, const uint8_t[], size_t)> alert_cb
Session_Manager & session_manager()
std::function< void(const Handshake_Message &)> handshake_msg_cb
const Policy & policy() const
RandomNumberGenerator & rng()
void reset_active_association_state()
void change_cipher_spec_reader(Connection_Side side)
std::function< void(const uint8_t[], size_t)> output_fn
void secure_renegotiation_check(const Client_Hello *client_hello)
std::function< void(const uint8_t[], size_t)> data_cb
static Ciphersuite by_id(uint16_t suite)
Handshake_State(Handshake_IO *io, Callbacks &callbacks)
virtual bool allow_tls12() const
virtual bool allow_dtls10() const
virtual bool request_client_certificate_authentication() const
virtual bool allow_tls10() const
virtual Protocol_Version latest_supported_version(bool datagram) const
virtual bool acceptable_protocol_version(Protocol_Version version) const
virtual bool allow_tls11() const
virtual bool allow_dtls12() const
Server(Callbacks &callbacks, Session_Manager &session_manager, Credentials_Manager &creds, const Policy &policy, RandomNumberGenerator &rng, bool is_datagram=false, size_t reserved_io_buffer_size=TLS::Server::IO_BUF_DEFAULT_SIZE)
std::function< std::string(std::vector< std::string >)> next_protocol_fn
virtual void remove_entry(const std::vector< uint8_t > &session_id)=0
virtual void save(const Session &session)=0
static Session decrypt(const uint8_t ctext[], size_t ctext_size, const SymmetricKey &key)
int(* final)(unsigned char *, CTX *)
bool signature_scheme_is_known(Signature_Scheme scheme)
std::vector< uint8_t > make_hello_random(RandomNumberGenerator &rng, const Policy &policy)
std::string hash_function_of_scheme(Signature_Scheme scheme)
std::string signature_algorithm_of_scheme(Signature_Scheme scheme)
bool value_exists(const std::vector< T > &vec, const T &val)