Botan
1.11.15
|
00001 /* 00002 * TLS Handshaking 00003 * (C) 2004-2006,2011,2012 Jack Lloyd 00004 * 00005 * Botan is released under the Simplified BSD License (see license.txt) 00006 */ 00007 00008 #include <botan/internal/tls_handshake_state.h> 00009 #include <botan/internal/tls_messages.h> 00010 #include <botan/internal/tls_record.h> 00011 00012 namespace Botan { 00013 00014 namespace TLS { 00015 00016 namespace { 00017 00018 u32bit bitmask_for_handshake_type(Handshake_Type type) 00019 { 00020 switch(type) 00021 { 00022 case HELLO_VERIFY_REQUEST: 00023 return (1 << 0); 00024 00025 case HELLO_REQUEST: 00026 return (1 << 1); 00027 00028 /* 00029 * Same code point for both client hello styles 00030 */ 00031 case CLIENT_HELLO: 00032 return (1 << 2); 00033 00034 case SERVER_HELLO: 00035 return (1 << 3); 00036 00037 case CERTIFICATE: 00038 return (1 << 4); 00039 00040 case CERTIFICATE_URL: 00041 return (1 << 5); 00042 00043 case CERTIFICATE_STATUS: 00044 return (1 << 6); 00045 00046 case SERVER_KEX: 00047 return (1 << 7); 00048 00049 case CERTIFICATE_REQUEST: 00050 return (1 << 8); 00051 00052 case SERVER_HELLO_DONE: 00053 return (1 << 9); 00054 00055 case CERTIFICATE_VERIFY: 00056 return (1 << 10); 00057 00058 case CLIENT_KEX: 00059 return (1 << 11); 00060 00061 case NEXT_PROTOCOL: 00062 return (1 << 12); 00063 00064 case NEW_SESSION_TICKET: 00065 return (1 << 13); 00066 00067 case HANDSHAKE_CCS: 00068 return (1 << 14); 00069 00070 case FINISHED: 00071 return (1 << 15); 00072 00073 // allow explicitly disabling new handshakes 00074 case HANDSHAKE_NONE: 00075 return 0; 00076 } 00077 00078 throw Internal_Error("Unknown handshake type " + std::to_string(type)); 00079 } 00080 00081 } 00082 00083 /* 00084 * Initialize the SSL/TLS Handshake State 00085 */ 00086 Handshake_State::Handshake_State(Handshake_IO* io, hs_msg_cb cb) : 00087 m_msg_callback(cb), 00088 m_handshake_io(io), 00089 m_version(m_handshake_io->initial_record_version()) 00090 { 00091 } 00092 00093 Handshake_State::~Handshake_State() {} 00094 00095 void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify) 00096 { 00097 note_message(hello_verify); 00098 00099 m_client_hello->update_hello_cookie(hello_verify); 00100 hash().reset(); 00101 hash().update(handshake_io().send(*m_client_hello)); 00102 note_message(*m_client_hello); 00103 } 00104 00105 void Handshake_State::client_hello(Client_Hello* client_hello) 00106 { 00107 m_client_hello.reset(client_hello); 00108 note_message(*m_client_hello); 00109 } 00110 00111 void Handshake_State::server_hello(Server_Hello* server_hello) 00112 { 00113 m_server_hello.reset(server_hello); 00114 m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite()); 00115 note_message(*m_server_hello); 00116 } 00117 00118 void Handshake_State::server_certs(Certificate* server_certs) 00119 { 00120 m_server_certs.reset(server_certs); 00121 note_message(*m_server_certs); 00122 } 00123 00124 void Handshake_State::server_kex(Server_Key_Exchange* server_kex) 00125 { 00126 m_server_kex.reset(server_kex); 00127 note_message(*m_server_kex); 00128 } 00129 00130 void Handshake_State::cert_req(Certificate_Req* cert_req) 00131 { 00132 m_cert_req.reset(cert_req); 00133 note_message(*m_cert_req); 00134 } 00135 00136 void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done) 00137 { 00138 m_server_hello_done.reset(server_hello_done); 00139 note_message(*m_server_hello_done); 00140 } 00141 00142 void Handshake_State::client_certs(Certificate* client_certs) 00143 { 00144 m_client_certs.reset(client_certs); 00145 note_message(*m_client_certs); 00146 } 00147 00148 void Handshake_State::client_kex(Client_Key_Exchange* client_kex) 00149 { 00150 m_client_kex.reset(client_kex); 00151 note_message(*m_client_kex); 00152 } 00153 00154 void Handshake_State::client_verify(Certificate_Verify* client_verify) 00155 { 00156 m_client_verify.reset(client_verify); 00157 note_message(*m_client_verify); 00158 } 00159 00160 void Handshake_State::next_protocol(Next_Protocol* next_protocol) 00161 { 00162 m_next_protocol.reset(next_protocol); 00163 note_message(*m_next_protocol); 00164 } 00165 00166 void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket) 00167 { 00168 m_new_session_ticket.reset(new_session_ticket); 00169 note_message(*m_new_session_ticket); 00170 } 00171 00172 void Handshake_State::server_finished(Finished* server_finished) 00173 { 00174 m_server_finished.reset(server_finished); 00175 note_message(*m_server_finished); 00176 } 00177 00178 void Handshake_State::client_finished(Finished* client_finished) 00179 { 00180 m_client_finished.reset(client_finished); 00181 note_message(*m_client_finished); 00182 } 00183 00184 void Handshake_State::set_version(const Protocol_Version& version) 00185 { 00186 m_version = version; 00187 } 00188 00189 void Handshake_State::compute_session_keys() 00190 { 00191 m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false); 00192 } 00193 00194 void Handshake_State::compute_session_keys(const secure_vector<byte>& resume_master_secret) 00195 { 00196 m_session_keys = Session_Keys(this, resume_master_secret, true); 00197 } 00198 00199 void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg) 00200 { 00201 const u32bit mask = bitmask_for_handshake_type(handshake_msg); 00202 00203 m_hand_received_mask |= mask; 00204 00205 const bool ok = (m_hand_expecting_mask & mask); // overlap? 00206 00207 if(!ok) 00208 throw Unexpected_Message("Unexpected state transition in handshake, got " + 00209 std::to_string(handshake_msg) + 00210 " expected " + std::to_string(m_hand_expecting_mask) + 00211 " received " + std::to_string(m_hand_received_mask)); 00212 00213 /* We don't know what to expect next, so force a call to 00214 set_expected_next; if it doesn't happen, the next transition 00215 check will always fail which is what we want. 00216 */ 00217 m_hand_expecting_mask = 0; 00218 } 00219 00220 void Handshake_State::set_expected_next(Handshake_Type handshake_msg) 00221 { 00222 m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg); 00223 } 00224 00225 bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const 00226 { 00227 const u32bit mask = bitmask_for_handshake_type(handshake_msg); 00228 00229 return (m_hand_received_mask & mask); 00230 } 00231 00232 std::pair<Handshake_Type, std::vector<byte>> 00233 Handshake_State::get_next_handshake_msg() 00234 { 00235 const bool expecting_ccs = 00236 (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask); 00237 00238 return m_handshake_io->get_next_record(expecting_ccs); 00239 } 00240 00241 std::string Handshake_State::srp_identifier() const 00242 { 00243 if(ciphersuite().valid() && ciphersuite().kex_algo() == "SRP_SHA") 00244 return client_hello()->srp_identifier(); 00245 00246 return ""; 00247 } 00248 00249 std::vector<byte> Handshake_State::session_ticket() const 00250 { 00251 if(new_session_ticket() && !new_session_ticket()->ticket().empty()) 00252 return new_session_ticket()->ticket(); 00253 00254 return client_hello()->session_ticket(); 00255 } 00256 00257 KDF* Handshake_State::protocol_specific_prf() const 00258 { 00259 if(version().supports_ciphersuite_specific_prf()) 00260 { 00261 const std::string prf_algo = ciphersuite().prf_algo(); 00262 00263 if(prf_algo == "MD5" || prf_algo == "SHA-1") 00264 return get_kdf("TLS-12-PRF(SHA-256)"); 00265 00266 return get_kdf("TLS-12-PRF(" + prf_algo + ")"); 00267 } 00268 00269 // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0 00270 return get_kdf("TLS-PRF"); 00271 } 00272 00273 namespace { 00274 00275 std::string choose_hash(const std::string& sig_algo, 00276 Protocol_Version negotiated_version, 00277 const Policy& policy, 00278 bool for_client_auth, 00279 const Client_Hello* client_hello, 00280 const Certificate_Req* cert_req) 00281 { 00282 if(!negotiated_version.supports_negotiable_signature_algorithms()) 00283 { 00284 if(sig_algo == "RSA") 00285 return "Parallel(MD5,SHA-160)"; 00286 00287 if(sig_algo == "DSA") 00288 return "SHA-1"; 00289 00290 if(sig_algo == "ECDSA") 00291 return "SHA-1"; 00292 00293 throw Internal_Error("Unknown TLS signature algo " + sig_algo); 00294 } 00295 00296 const auto supported_algos = for_client_auth ? 00297 cert_req->supported_algos() : 00298 client_hello->supported_algos(); 00299 00300 if(!supported_algos.empty()) 00301 { 00302 const auto hashes = policy.allowed_signature_hashes(); 00303 00304 /* 00305 * Choose our most preferred hash that the counterparty supports 00306 * in pairing with the signature algorithm we want to use. 00307 */ 00308 for(auto hash : hashes) 00309 { 00310 for(auto algo : supported_algos) 00311 { 00312 if(algo.first == hash && algo.second == sig_algo) 00313 return hash; 00314 } 00315 } 00316 } 00317 00318 // TLS v1.2 default hash if the counterparty sent nothing 00319 return "SHA-1"; 00320 } 00321 00322 } 00323 00324 std::pair<std::string, Signature_Format> 00325 Handshake_State::choose_sig_format(const Private_Key& key, 00326 std::string& hash_algo_out, 00327 std::string& sig_algo_out, 00328 bool for_client_auth, 00329 const Policy& policy) const 00330 { 00331 const std::string sig_algo = key.algo_name(); 00332 00333 const std::string hash_algo = 00334 choose_hash(sig_algo, 00335 this->version(), 00336 policy, 00337 for_client_auth, 00338 client_hello(), 00339 cert_req()); 00340 00341 if(this->version().supports_negotiable_signature_algorithms()) 00342 { 00343 hash_algo_out = hash_algo; 00344 sig_algo_out = sig_algo; 00345 } 00346 00347 if(sig_algo == "RSA") 00348 { 00349 const std::string padding = "EMSA3(" + hash_algo + ")"; 00350 00351 return std::make_pair(padding, IEEE_1363); 00352 } 00353 else if(sig_algo == "DSA" || sig_algo == "ECDSA") 00354 { 00355 const std::string padding = "EMSA1(" + hash_algo + ")"; 00356 00357 return std::make_pair(padding, DER_SEQUENCE); 00358 } 00359 00360 throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures"); 00361 } 00362 00363 std::pair<std::string, Signature_Format> 00364 Handshake_State::understand_sig_format(const Public_Key& key, 00365 std::string hash_algo, 00366 std::string sig_algo) const 00367 { 00368 const std::string algo_name = key.algo_name(); 00369 00370 /* 00371 FIXME: This should check what was sent against the client hello 00372 preferences, or the certificate request, to ensure it was allowed 00373 by those restrictions. 00374 00375 Or not? 00376 */ 00377 00378 if(this->version().supports_negotiable_signature_algorithms()) 00379 { 00380 if(hash_algo == "") 00381 throw Decoding_Error("Counterparty did not send hash/sig IDS"); 00382 00383 if(sig_algo != algo_name) 00384 throw Decoding_Error("Counterparty sent inconsistent key and sig types"); 00385 } 00386 else 00387 { 00388 if(hash_algo != "" || sig_algo != "") 00389 throw Decoding_Error("Counterparty sent hash/sig IDs with old version"); 00390 } 00391 00392 if(algo_name == "RSA") 00393 { 00394 if(!this->version().supports_negotiable_signature_algorithms()) 00395 { 00396 hash_algo = "Parallel(MD5,SHA-160)"; 00397 } 00398 00399 const std::string padding = "EMSA3(" + hash_algo + ")"; 00400 return std::make_pair(padding, IEEE_1363); 00401 } 00402 else if(algo_name == "DSA" || algo_name == "ECDSA") 00403 { 00404 if(!this->version().supports_negotiable_signature_algorithms()) 00405 { 00406 hash_algo = "SHA-1"; 00407 } 00408 00409 const std::string padding = "EMSA1(" + hash_algo + ")"; 00410 00411 return std::make_pair(padding, DER_SEQUENCE); 00412 } 00413 00414 throw Invalid_Argument(algo_name + " is invalid/unknown for TLS signatures"); 00415 } 00416 00417 } 00418 00419 }