Botan  1.11.15
src/lib/tls/tls_handshake_state.cpp
Go to the documentation of this file.
00001 /*
00002 * TLS Handshaking
00003 * (C) 2004-2006,2011,2012 Jack Lloyd
00004 *
00005 * Botan is released under the Simplified BSD License (see license.txt)
00006 */
00007 
00008 #include <botan/internal/tls_handshake_state.h>
00009 #include <botan/internal/tls_messages.h>
00010 #include <botan/internal/tls_record.h>
00011 
00012 namespace Botan {
00013 
00014 namespace TLS {
00015 
00016 namespace {
00017 
00018 u32bit bitmask_for_handshake_type(Handshake_Type type)
00019    {
00020    switch(type)
00021       {
00022       case HELLO_VERIFY_REQUEST:
00023          return (1 << 0);
00024 
00025       case HELLO_REQUEST:
00026          return (1 << 1);
00027 
00028       /*
00029       * Same code point for both client hello styles
00030       */
00031       case CLIENT_HELLO:
00032          return (1 << 2);
00033 
00034       case SERVER_HELLO:
00035          return (1 << 3);
00036 
00037       case CERTIFICATE:
00038          return (1 << 4);
00039 
00040       case CERTIFICATE_URL:
00041          return (1 << 5);
00042 
00043       case CERTIFICATE_STATUS:
00044          return (1 << 6);
00045 
00046       case SERVER_KEX:
00047          return (1 << 7);
00048 
00049       case CERTIFICATE_REQUEST:
00050          return (1 << 8);
00051 
00052       case SERVER_HELLO_DONE:
00053          return (1 << 9);
00054 
00055       case CERTIFICATE_VERIFY:
00056          return (1 << 10);
00057 
00058       case CLIENT_KEX:
00059          return (1 << 11);
00060 
00061       case NEXT_PROTOCOL:
00062          return (1 << 12);
00063 
00064       case NEW_SESSION_TICKET:
00065          return (1 << 13);
00066 
00067       case HANDSHAKE_CCS:
00068          return (1 << 14);
00069 
00070       case FINISHED:
00071          return (1 << 15);
00072 
00073       // allow explicitly disabling new handshakes
00074       case HANDSHAKE_NONE:
00075          return 0;
00076       }
00077 
00078    throw Internal_Error("Unknown handshake type " + std::to_string(type));
00079    }
00080 
00081 }
00082 
00083 /*
00084 * Initialize the SSL/TLS Handshake State
00085 */
00086 Handshake_State::Handshake_State(Handshake_IO* io, hs_msg_cb cb) :
00087    m_msg_callback(cb),
00088    m_handshake_io(io),
00089    m_version(m_handshake_io->initial_record_version())
00090    {
00091    }
00092 
00093 Handshake_State::~Handshake_State() {}
00094 
00095 void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify)
00096    {
00097    note_message(hello_verify);
00098 
00099    m_client_hello->update_hello_cookie(hello_verify);
00100    hash().reset();
00101    hash().update(handshake_io().send(*m_client_hello));
00102    note_message(*m_client_hello);
00103    }
00104 
00105 void Handshake_State::client_hello(Client_Hello* client_hello)
00106    {
00107    m_client_hello.reset(client_hello);
00108    note_message(*m_client_hello);
00109    }
00110 
00111 void Handshake_State::server_hello(Server_Hello* server_hello)
00112    {
00113    m_server_hello.reset(server_hello);
00114    m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
00115    note_message(*m_server_hello);
00116    }
00117 
00118 void Handshake_State::server_certs(Certificate* server_certs)
00119    {
00120    m_server_certs.reset(server_certs);
00121    note_message(*m_server_certs);
00122    }
00123 
00124 void Handshake_State::server_kex(Server_Key_Exchange* server_kex)
00125    {
00126    m_server_kex.reset(server_kex);
00127    note_message(*m_server_kex);
00128    }
00129 
00130 void Handshake_State::cert_req(Certificate_Req* cert_req)
00131    {
00132    m_cert_req.reset(cert_req);
00133    note_message(*m_cert_req);
00134    }
00135 
00136 void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done)
00137    {
00138    m_server_hello_done.reset(server_hello_done);
00139    note_message(*m_server_hello_done);
00140    }
00141 
00142 void Handshake_State::client_certs(Certificate* client_certs)
00143    {
00144    m_client_certs.reset(client_certs);
00145    note_message(*m_client_certs);
00146    }
00147 
00148 void Handshake_State::client_kex(Client_Key_Exchange* client_kex)
00149    {
00150    m_client_kex.reset(client_kex);
00151    note_message(*m_client_kex);
00152    }
00153 
00154 void Handshake_State::client_verify(Certificate_Verify* client_verify)
00155    {
00156    m_client_verify.reset(client_verify);
00157    note_message(*m_client_verify);
00158    }
00159 
00160 void Handshake_State::next_protocol(Next_Protocol* next_protocol)
00161    {
00162    m_next_protocol.reset(next_protocol);
00163    note_message(*m_next_protocol);
00164    }
00165 
00166 void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket)
00167    {
00168    m_new_session_ticket.reset(new_session_ticket);
00169    note_message(*m_new_session_ticket);
00170    }
00171 
00172 void Handshake_State::server_finished(Finished* server_finished)
00173    {
00174    m_server_finished.reset(server_finished);
00175    note_message(*m_server_finished);
00176    }
00177 
00178 void Handshake_State::client_finished(Finished* client_finished)
00179    {
00180    m_client_finished.reset(client_finished);
00181    note_message(*m_client_finished);
00182    }
00183 
00184 void Handshake_State::set_version(const Protocol_Version& version)
00185    {
00186    m_version = version;
00187    }
00188 
00189 void Handshake_State::compute_session_keys()
00190    {
00191    m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
00192    }
00193 
00194 void Handshake_State::compute_session_keys(const secure_vector<byte>& resume_master_secret)
00195    {
00196    m_session_keys = Session_Keys(this, resume_master_secret, true);
00197    }
00198 
00199 void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg)
00200    {
00201    const u32bit mask = bitmask_for_handshake_type(handshake_msg);
00202 
00203    m_hand_received_mask |= mask;
00204 
00205    const bool ok = (m_hand_expecting_mask & mask); // overlap?
00206 
00207    if(!ok)
00208       throw Unexpected_Message("Unexpected state transition in handshake, got " +
00209                                std::to_string(handshake_msg) +
00210                                " expected " + std::to_string(m_hand_expecting_mask) +
00211                                " received " + std::to_string(m_hand_received_mask));
00212 
00213    /* We don't know what to expect next, so force a call to
00214       set_expected_next; if it doesn't happen, the next transition
00215       check will always fail which is what we want.
00216    */
00217    m_hand_expecting_mask = 0;
00218    }
00219 
00220 void Handshake_State::set_expected_next(Handshake_Type handshake_msg)
00221    {
00222    m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
00223    }
00224 
00225 bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
00226    {
00227    const u32bit mask = bitmask_for_handshake_type(handshake_msg);
00228 
00229    return (m_hand_received_mask & mask);
00230    }
00231 
00232 std::pair<Handshake_Type, std::vector<byte>>
00233 Handshake_State::get_next_handshake_msg()
00234    {
00235    const bool expecting_ccs =
00236       (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask);
00237 
00238    return m_handshake_io->get_next_record(expecting_ccs);
00239    }
00240 
00241 std::string Handshake_State::srp_identifier() const
00242    {
00243    if(ciphersuite().valid() && ciphersuite().kex_algo() == "SRP_SHA")
00244       return client_hello()->srp_identifier();
00245 
00246    return "";
00247    }
00248 
00249 std::vector<byte> Handshake_State::session_ticket() const
00250    {
00251    if(new_session_ticket() && !new_session_ticket()->ticket().empty())
00252       return new_session_ticket()->ticket();
00253 
00254    return client_hello()->session_ticket();
00255    }
00256 
00257 KDF* Handshake_State::protocol_specific_prf() const
00258    {
00259    if(version().supports_ciphersuite_specific_prf())
00260       {
00261       const std::string prf_algo = ciphersuite().prf_algo();
00262 
00263       if(prf_algo == "MD5" || prf_algo == "SHA-1")
00264          return get_kdf("TLS-12-PRF(SHA-256)");
00265 
00266       return get_kdf("TLS-12-PRF(" + prf_algo + ")");
00267       }
00268 
00269    // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
00270    return get_kdf("TLS-PRF");
00271    }
00272 
00273 namespace {
00274 
00275 std::string choose_hash(const std::string& sig_algo,
00276                         Protocol_Version negotiated_version,
00277                         const Policy& policy,
00278                         bool for_client_auth,
00279                         const Client_Hello* client_hello,
00280                         const Certificate_Req* cert_req)
00281    {
00282    if(!negotiated_version.supports_negotiable_signature_algorithms())
00283       {
00284       if(sig_algo == "RSA")
00285          return "Parallel(MD5,SHA-160)";
00286 
00287       if(sig_algo == "DSA")
00288          return "SHA-1";
00289 
00290       if(sig_algo == "ECDSA")
00291          return "SHA-1";
00292 
00293       throw Internal_Error("Unknown TLS signature algo " + sig_algo);
00294       }
00295 
00296    const auto supported_algos = for_client_auth ?
00297       cert_req->supported_algos() :
00298       client_hello->supported_algos();
00299 
00300    if(!supported_algos.empty())
00301       {
00302       const auto hashes = policy.allowed_signature_hashes();
00303 
00304       /*
00305       * Choose our most preferred hash that the counterparty supports
00306       * in pairing with the signature algorithm we want to use.
00307       */
00308       for(auto hash : hashes)
00309          {
00310          for(auto algo : supported_algos)
00311             {
00312             if(algo.first == hash && algo.second == sig_algo)
00313                return hash;
00314             }
00315          }
00316       }
00317 
00318    // TLS v1.2 default hash if the counterparty sent nothing
00319    return "SHA-1";
00320    }
00321 
00322 }
00323 
00324 std::pair<std::string, Signature_Format>
00325 Handshake_State::choose_sig_format(const Private_Key& key,
00326                                    std::string& hash_algo_out,
00327                                    std::string& sig_algo_out,
00328                                    bool for_client_auth,
00329                                    const Policy& policy) const
00330    {
00331    const std::string sig_algo = key.algo_name();
00332 
00333    const std::string hash_algo =
00334       choose_hash(sig_algo,
00335                   this->version(),
00336                   policy,
00337                   for_client_auth,
00338                   client_hello(),
00339                   cert_req());
00340 
00341    if(this->version().supports_negotiable_signature_algorithms())
00342       {
00343       hash_algo_out = hash_algo;
00344       sig_algo_out = sig_algo;
00345       }
00346 
00347    if(sig_algo == "RSA")
00348       {
00349       const std::string padding = "EMSA3(" + hash_algo + ")";
00350 
00351       return std::make_pair(padding, IEEE_1363);
00352       }
00353    else if(sig_algo == "DSA" || sig_algo == "ECDSA")
00354       {
00355       const std::string padding = "EMSA1(" + hash_algo + ")";
00356 
00357       return std::make_pair(padding, DER_SEQUENCE);
00358       }
00359 
00360    throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
00361    }
00362 
00363 std::pair<std::string, Signature_Format>
00364 Handshake_State::understand_sig_format(const Public_Key& key,
00365                                        std::string hash_algo,
00366                                        std::string sig_algo) const
00367    {
00368    const std::string algo_name = key.algo_name();
00369 
00370    /*
00371    FIXME: This should check what was sent against the client hello
00372    preferences, or the certificate request, to ensure it was allowed
00373    by those restrictions.
00374 
00375    Or not?
00376    */
00377 
00378    if(this->version().supports_negotiable_signature_algorithms())
00379       {
00380       if(hash_algo == "")
00381          throw Decoding_Error("Counterparty did not send hash/sig IDS");
00382 
00383       if(sig_algo != algo_name)
00384          throw Decoding_Error("Counterparty sent inconsistent key and sig types");
00385       }
00386    else
00387       {
00388       if(hash_algo != "" || sig_algo != "")
00389          throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
00390       }
00391 
00392    if(algo_name == "RSA")
00393       {
00394       if(!this->version().supports_negotiable_signature_algorithms())
00395          {
00396          hash_algo = "Parallel(MD5,SHA-160)";
00397          }
00398 
00399       const std::string padding = "EMSA3(" + hash_algo + ")";
00400       return std::make_pair(padding, IEEE_1363);
00401       }
00402    else if(algo_name == "DSA" || algo_name == "ECDSA")
00403       {
00404       if(!this->version().supports_negotiable_signature_algorithms())
00405          {
00406          hash_algo = "SHA-1";
00407          }
00408 
00409       const std::string padding = "EMSA1(" + hash_algo + ")";
00410 
00411       return std::make_pair(padding, DER_SEQUENCE);
00412       }
00413 
00414    throw Invalid_Argument(algo_name + " is invalid/unknown for TLS signatures");
00415    }
00416 
00417 }
00418 
00419 }