Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/tls/tls_client.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Client
3
* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/tls_client.h>
11
#include <botan/tls_messages.h>
12
#include <botan/internal/tls_handshake_state.h>
13
#include <botan/internal/stl_util.h>
14
#include <iterator>
15
#include <sstream>
16
17
namespace Botan {
18
19
namespace TLS {
20
21
namespace {
22
23
class Client_Handshake_State final : public Handshake_State
24
   {
25
   public:
26
      Client_Handshake_State(Handshake_IO* io, Callbacks& cb) :
27
         Handshake_State(io, cb),
28
         m_is_reneg(false)
29
14.8k
         {}
30
31
      const Public_Key& get_server_public_key() const
32
362
         {
33
362
         BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
34
362
         return *server_public_key.get();
35
362
         }
36
37
153
      bool is_a_resumption() const { return (resumed_session != nullptr); }
38
39
0
      bool is_a_renegotiation() const { return m_is_reneg; }
40
41
      const secure_vector<uint8_t>& resume_master_secret() const
42
0
         {
43
0
         BOTAN_STATE_CHECK(is_a_resumption());
44
0
         return resumed_session->master_secret();
45
0
         }
46
47
      const std::vector<X509_Certificate>& resume_peer_certs() const
48
0
         {
49
0
         BOTAN_STATE_CHECK(is_a_resumption());
50
0
         return resumed_session->peer_certs();
51
0
         }
52
53
      std::unique_ptr<Public_Key> server_public_key;
54
      // Used during session resumption
55
      std::unique_ptr<Session> resumed_session;
56
      bool m_is_reneg = false;
57
   };
58
59
}
60
61
/*
62
* TLS Client Constructor
63
*/
64
Client::Client(Callbacks& callbacks,
65
               Session_Manager& session_manager,
66
               Credentials_Manager& creds,
67
               const Policy& policy,
68
               RandomNumberGenerator& rng,
69
               const Server_Information& info,
70
               const Protocol_Version& offer_version,
71
               const std::vector<std::string>& next_protos,
72
               size_t io_buf_sz) :
73
   Channel(callbacks, session_manager, rng, policy,
74
           false, offer_version.is_datagram_protocol(), io_buf_sz),
75
   m_creds(creds),
76
   m_info(info)
77
5.89k
   {
78
5.89k
   init(offer_version, next_protos);
79
5.89k
   }
80
81
Client::Client(output_fn data_output_fn,
82
               data_cb proc_cb,
83
               alert_cb recv_alert_cb,
84
               handshake_cb hs_cb,
85
               Session_Manager& session_manager,
86
               Credentials_Manager& creds,
87
               const Policy& policy,
88
               RandomNumberGenerator& rng,
89
               const Server_Information& info,
90
               const Protocol_Version& offer_version,
91
               const std::vector<std::string>& next_protos,
92
               size_t io_buf_sz) :
93
   Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, Channel::handshake_msg_cb(),
94
           session_manager, rng, policy, false, offer_version.is_datagram_protocol(), io_buf_sz),
95
   m_creds(creds),
96
   m_info(info)
97
0
   {
98
0
   init(offer_version, next_protos);
99
0
   }
100
101
Client::Client(output_fn data_output_fn,
102
               data_cb proc_cb,
103
               alert_cb recv_alert_cb,
104
               handshake_cb hs_cb,
105
               handshake_msg_cb hs_msg_cb,
106
               Session_Manager& session_manager,
107
               Credentials_Manager& creds,
108
               const Policy& policy,
109
               RandomNumberGenerator& rng,
110
               const Server_Information& info,
111
               const Protocol_Version& offer_version,
112
               const std::vector<std::string>& next_protos) :
113
   Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, hs_msg_cb,
114
           session_manager, rng, policy, false, offer_version.is_datagram_protocol()),
115
   m_creds(creds),
116
   m_info(info)
117
0
   {
118
0
   init(offer_version, next_protos);
119
0
   }
120
121
void Client::init(const Protocol_Version& protocol_version,
122
                  const std::vector<std::string>& next_protocols)
123
5.89k
   {
124
5.89k
   const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname());
125
5.89k
126
5.89k
   Handshake_State& state = create_handshake_state(protocol_version);
127
5.89k
   send_client_hello(state, false, protocol_version,
128
5.89k
                     srp_identifier, next_protocols);
129
5.89k
   }
130
131
Handshake_State* Client::new_handshake_state(Handshake_IO* io)
132
14.8k
   {
133
14.8k
   return new Client_Handshake_State(io, callbacks());
134
14.8k
   }
135
136
std::vector<X509_Certificate>
137
Client::get_peer_cert_chain(const Handshake_State& state) const
138
105
   {
139
105
   const Client_Handshake_State& cstate = dynamic_cast<const Client_Handshake_State&>(state);
140
105
141
105
   if(cstate.is_a_resumption())
142
0
      return cstate.resume_peer_certs();
143
105
144
105
   if(state.server_certs())
145
50
      return state.server_certs()->cert_chain();
146
55
   return std::vector<X509_Certificate>();
147
55
   }
148
149
/*
150
* Send a new client hello to renegotiate
151
*/
152
void Client::initiate_handshake(Handshake_State& state,
153
                                bool force_full_renegotiation)
154
0
   {
155
0
   send_client_hello(state, force_full_renegotiation,
156
0
                     policy().latest_supported_version(state.version().is_datagram_protocol()));
157
0
   }
158
159
void Client::send_client_hello(Handshake_State& state_base,
160
                               bool force_full_renegotiation,
161
                               Protocol_Version version,
162
                               const std::string& srp_identifier,
163
                               const std::vector<std::string>& next_protocols)
164
5.89k
   {
165
5.89k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
166
5.89k
167
5.89k
   if(state.version().is_datagram_protocol())
168
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // optional
169
5.89k
   state.set_expected_next(SERVER_HELLO);
170
5.89k
171
5.89k
   if(!force_full_renegotiation && !m_info.empty())
172
5.89k
      {
173
5.89k
      std::unique_ptr<Session> session_info(new Session);;
174
5.89k
      if(session_manager().load_from_server_info(m_info, *session_info))
175
0
         {
176
0
         /*
177
0
         Ensure that the session protocol cipher and version are acceptable
178
0
         If not skip the resume and establish a new session
179
0
         */
180
0
         const bool exact_version = session_info->version() == version;
181
0
         const bool ok_version =
182
0
            (session_info->version().is_datagram_protocol() == version.is_datagram_protocol()) &&
183
0
            policy().acceptable_protocol_version(session_info->version());
184
0
185
0
         const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
186
0
187
0
         if(policy().acceptable_ciphersuite(session_info->ciphersuite()) && session_version_ok)
188
0
            {
189
0
            if(srp_identifier == "" || session_info->srp_identifier() == srp_identifier)
190
0
               {
191
0
               state.client_hello(
192
0
                  new Client_Hello(state.handshake_io(),
193
0
                                   state.hash(),
194
0
                                   policy(),
195
0
                                   callbacks(),
196
0
                                   rng(),
197
0
                                   secure_renegotiation_data_for_client_hello(),
198
0
                                   *session_info,
199
0
                                   next_protocols));
200
0
201
0
               state.resumed_session = std::move(session_info);
202
0
               }
203
0
            }
204
0
         }
205
5.89k
      }
206
5.89k
207
5.89k
   if(!state.client_hello()) // not resuming
208
5.89k
      {
209
5.89k
      Client_Hello::Settings client_settings(version, m_info.hostname(), srp_identifier);
210
5.89k
      state.client_hello(new Client_Hello(
211
5.89k
         state.handshake_io(),
212
5.89k
         state.hash(),
213
5.89k
         policy(),
214
5.89k
         callbacks(),
215
5.89k
         rng(),
216
5.89k
         secure_renegotiation_data_for_client_hello(),
217
5.89k
         client_settings,
218
5.89k
         next_protocols));
219
5.89k
      }
220
5.89k
221
5.89k
   secure_renegotiation_check(state.client_hello());
222
5.89k
   }
223
224
/*
225
* Process a handshake message
226
*/
227
void Client::process_handshake_msg(const Handshake_State* active_state,
228
                                   Handshake_State& state_base,
229
                                   Handshake_Type type,
230
                                   const std::vector<uint8_t>& contents,
231
                                   bool epoch0_restart)
232
11.4k
   {
233
11.4k
   BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
234
11.4k
235
11.4k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
236
11.4k
237
11.4k
   if(type == HELLO_REQUEST && active_state)
238
0
      {
239
0
      Hello_Request hello_request(contents);
240
0
241
0
      if(state.client_hello())
242
0
         {
243
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Cannot renegotiate during a handshake");
244
0
         }
245
0
246
0
      if(policy().allow_server_initiated_renegotiation())
247
0
         {
248
0
         if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation())
249
0
            {
250
0
            state.m_is_reneg = true;
251
0
            this->initiate_handshake(state, true);
252
0
            }
253
0
         else
254
0
            {
255
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Client policy prohibits insecure renegotiation");
256
0
            }
257
0
         }
258
0
      else
259
0
         {
260
0
         if(policy().abort_connection_on_undesired_renegotiation())
261
0
            {
262
0
            throw TLS_Exception(Alert::NO_RENEGOTIATION, "Client policy prohibits renegotiation");
263
0
            }
264
0
         else
265
0
            {
266
0
            // RFC 5746 section 4.2
267
0
            send_warning_alert(Alert::NO_RENEGOTIATION);
268
0
            }
269
0
         }
270
0
271
0
      return;
272
11.4k
      }
273
11.4k
274
11.4k
   state.confirm_transition_to(type);
275
11.4k
276
11.4k
   if(type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST)
277
10.5k
      state.hash().update(state.handshake_io().format(contents, type));
278
11.4k
279
11.4k
   if(type == HELLO_VERIFY_REQUEST)
280
0
      {
281
0
      state.set_expected_next(SERVER_HELLO);
282
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // might get it again
283
0
284
0
      Hello_Verify_Request hello_verify_request(contents);
285
0
      state.hello_verify_request(hello_verify_request);
286
0
      }
287
11.4k
   else if(type == SERVER_HELLO)
288
5.26k
      {
289
5.26k
      state.server_hello(new Server_Hello(contents));
290
5.26k
291
5.26k
      if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
292
34
         {
293
34
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
294
34
                             "Server replied with ciphersuite we didn't send");
295
34
         }
296
5.23k
297
5.23k
      if(!Ciphersuite::by_id(state.server_hello()->ciphersuite()).usable_in_version(state.server_hello()->version()))
298
1
         {
299
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
300
1
                             "Server replied using a ciphersuite not allowed in version it offered");
301
1
         }
302
5.23k
303
5.23k
      if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
304
0
         {
305
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
306
0
                             "Server replied with a signaling ciphersuite");
307
0
         }
308
5.23k
309
5.23k
      if(state.server_hello()->compression_method() != 0)
310
18
         {
311
18
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
312
18
                             "Server replied with non-null compression method");
313
18
         }
314
5.21k
315
5.21k
      if(state.client_hello()->version() > state.server_hello()->version())
316
119
         {
317
119
         if(state.server_hello()->random_signals_downgrade())
318
1
            throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
319
5.21k
         }
320
5.21k
321
5.21k
      auto client_extn = state.client_hello()->extension_types();
322
5.21k
      auto server_extn = state.server_hello()->extension_types();
323
5.21k
324
5.21k
      std::vector<Handshake_Extension_Type> diff;
325
5.21k
326
5.21k
      std::set_difference(server_extn.begin(), server_extn.end(),
327
5.21k
                          client_extn.begin(), client_extn.end(),
328
5.21k
                          std::back_inserter(diff));
329
5.21k
330
5.21k
      if(!diff.empty())
331
61
         {
332
61
         // Server sent us back an extension we did not send!
333
61
334
61
         std::ostringstream msg;
335
61
         msg << "Server replied with unsupported extensions:";
336
61
         for(auto&& d : diff)
337
784
            msg << " " << static_cast<int>(d);
338
61
         throw TLS_Exception(Alert::UNSUPPORTED_EXTENSION, msg.str());
339
61
         }
340
5.15k
341
5.15k
      if(uint16_t srtp = state.server_hello()->srtp_profile())
342
0
         {
343
0
         if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
344
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
345
0
                                "Server replied with DTLS-SRTP alg we did not send");
346
5.15k
         }
347
5.15k
348
5.15k
      callbacks().tls_examine_extensions(state.server_hello()->extensions(), SERVER);
349
5.15k
350
5.15k
      state.set_version(state.server_hello()->version());
351
5.15k
      m_application_protocol = state.server_hello()->next_protocol();
352
5.15k
353
5.15k
      secure_renegotiation_check(state.server_hello());
354
5.15k
355
5.15k
      const bool server_returned_same_session_id =
356
5.15k
         !state.server_hello()->session_id().empty() &&
357
5.15k
         (state.server_hello()->session_id() == state.client_hello()->session_id());
358
5.15k
359
5.15k
      if(server_returned_same_session_id)
360
0
         {
361
0
         // successful resumption
362
0
363
0
         /*
364
0
         * In this case, we offered the version used in the original
365
0
         * session, and the server must resume with the same version.
366
0
         */
367
0
         if(state.server_hello()->version() != state.client_hello()->version())
368
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
369
0
                                "Server resumed session but with wrong version");
370
0
371
0
         if(state.server_hello()->supports_extended_master_secret() &&
372
0
            !state.resumed_session->supports_extended_master_secret())
373
0
            {
374
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
375
0
                                "Server resumed session but added extended master secret");
376
0
            }
377
0
378
0
         if(!state.server_hello()->supports_extended_master_secret() &&
379
0
            state.resumed_session->supports_extended_master_secret())
380
0
            {
381
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
382
0
                                "Server resumed session and removed extended master secret");
383
0
            }
384
0
385
0
         state.compute_session_keys(state.resume_master_secret());
386
0
387
0
         if(state.server_hello()->supports_session_ticket())
388
0
            {
389
0
            state.set_expected_next(NEW_SESSION_TICKET);
390
0
            }
391
0
         else
392
0
            {
393
0
            state.set_expected_next(HANDSHAKE_CCS);
394
0
            }
395
0
         }
396
5.15k
      else
397
5.15k
         {
398
5.15k
         // new session
399
5.15k
400
5.15k
         if(active_state)
401
0
            {
402
0
            // Here we are testing things that should not change during a renegotation,
403
0
            // even if the server creates a new session. Howerver they might change
404
0
            // in a resumption scenario.
405
0
406
0
            if(active_state->version() != state.server_hello()->version())
407
0
               throw TLS_Exception(Alert::PROTOCOL_VERSION,
408
0
                                   "Server changed version after renegotiation");
409
0
410
0
            if(state.server_hello()->supports_extended_master_secret() !=
411
0
               active_state->server_hello()->supports_extended_master_secret())
412
0
               {
413
0
               throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
414
0
                                   "Server changed its mind about extended master secret");
415
0
               }
416
5.15k
            }
417
5.15k
418
5.15k
         state.resumed_session.reset(); // non-null if we were attempting a resumption
419
5.15k
420
5.15k
         if(state.client_hello()->version().is_datagram_protocol() !=
421
5.15k
            state.server_hello()->version().is_datagram_protocol())
422
0
            {
423
0
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
424
0
                                "Server replied with different protocol type than we offered");
425
0
            }
426
5.15k
427
5.15k
         if(state.version() > state.client_hello()->version())
428
16
            {
429
16
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
430
16
                                "Server replied with later version than client offered");
431
16
            }
432
5.13k
433
5.13k
         if(state.version().major_version() == 3 && state.version().minor_version() == 0)
434
5
            {
435
5
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
436
5
                                "Server attempting to negotiate SSLv3 which is not supported");
437
5
            }
438
5.13k
439
5.13k
         if(!policy().acceptable_protocol_version(state.version()))
440
104
            {
441
104
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
442
104
                                "Server version " + state.version().to_string() +
443
104
                                " is unacceptable by policy");
444
104
            }
445
5.02k
446
5.02k
         if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
447
3.24k
            {
448
3.24k
            state.set_expected_next(CERTIFICATE);
449
3.24k
            }
450
1.78k
         else if(state.ciphersuite().kex_method() == Kex_Algo::PSK)
451
752
            {
452
752
            /* PSK is anonymous so no certificate/cert req message is
453
752
               ever sent. The server may or may not send a server kex,
454
752
               depending on if it has an identity hint for us.
455
752
456
752
               (EC)DHE_PSK always sends a server key exchange for the
457
752
               DH exchange portion, and is covered by block below
458
752
            */
459
752
460
752
            state.set_expected_next(SERVER_KEX);
461
752
            state.set_expected_next(SERVER_HELLO_DONE);
462
752
            }
463
1.03k
         else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
464
335
            {
465
335
            state.set_expected_next(SERVER_KEX);
466
335
            }
467
700
         else
468
700
            {
469
700
            state.set_expected_next(CERTIFICATE_REQUEST); // optional
470
700
            state.set_expected_next(SERVER_HELLO_DONE);
471
700
            }
472
5.02k
         }
473
5.15k
      }
474
6.20k
   else if(type == CERTIFICATE)
475
3.21k
      {
476
3.21k
      state.server_certs(new Certificate(contents, policy()));
477
3.21k
478
3.21k
      const std::vector<X509_Certificate>& server_certs =
479
3.21k
         state.server_certs()->cert_chain();
480
3.21k
481
3.21k
      if(server_certs.empty())
482
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
483
1
                             "Client: No certificates sent by server");
484
3.21k
485
3.21k
      /*
486
3.21k
      If the server supports certificate status messages,
487
3.21k
      certificate verification happens after we receive the server hello done,
488
3.21k
      in case an OCSP response was also available
489
3.21k
      */
490
3.21k
491
3.21k
      X509_Certificate server_cert = server_certs[0];
492
3.21k
493
3.21k
      if(active_state && active_state->server_certs())
494
0
         {
495
0
         X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
496
0
497
0
         if(current_cert != server_cert)
498
0
            throw TLS_Exception(Alert::BAD_CERTIFICATE, "Server certificate changed during renegotiation");
499
3.21k
         }
500
3.21k
501
3.21k
      std::unique_ptr<Public_Key> peer_key(server_cert.subject_public_key());
502
3.21k
503
3.21k
      const std::string expected_key_type =
504
3.21k
         state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
505
3.21k
506
3.21k
      if(peer_key->algo_name() != expected_key_type)
507
164
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
508
164
                             "Certificate key type did not match ciphersuite");
509
3.04k
510
3.04k
      state.server_public_key.reset(peer_key.release());
511
3.04k
512
3.04k
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
513
799
         {
514
799
         state.set_expected_next(SERVER_KEX);
515
799
         }
516
2.24k
      else
517
2.24k
         {
518
2.24k
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
519
2.24k
         state.set_expected_next(SERVER_HELLO_DONE);
520
2.24k
         }
521
3.04k
522
3.04k
      if(state.server_hello()->supports_certificate_status_message())
523
109
         {
524
109
         state.set_expected_next(CERTIFICATE_STATUS); // optional
525
109
         }
526
2.93k
      else
527
2.93k
         {
528
2.93k
         try
529
2.93k
            {
530
2.93k
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
531
2.93k
532
2.93k
            callbacks().tls_verify_cert_chain(server_certs,
533
2.93k
                                              {},
534
2.93k
                                              trusted_CAs,
535
2.93k
                                              Usage_Type::TLS_SERVER_AUTH,
536
2.93k
                                              m_info.hostname(),
537
2.93k
                                              policy());
538
2.93k
            }
539
2.93k
         catch(TLS_Exception&)
540
2.93k
            {
541
0
            throw;
542
0
            }
543
0
         catch(std::exception& e)
544
0
            {
545
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
546
0
            }
547
2.98k
         }
548
2.98k
      }
549
2.98k
   else if(type == CERTIFICATE_STATUS)
550
15
      {
551
15
      state.server_cert_status(new Certificate_Status(contents));
552
15
553
15
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
554
1
         {
555
1
         state.set_expected_next(SERVER_KEX);
556
1
         }
557
14
      else
558
14
         {
559
14
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
560
14
         state.set_expected_next(SERVER_HELLO_DONE);
561
14
         }
562
15
      }
563
2.97k
   else if(type == SERVER_KEX)
564
710
      {
565
710
      if(state.ciphersuite().psk_ciphersuite() == false)
566
676
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
567
710
      state.set_expected_next(SERVER_HELLO_DONE);
568
710
569
710
      state.server_kex(
570
710
         new Server_Key_Exchange(contents,
571
710
                                 state.ciphersuite().kex_method(),
572
710
                                 state.ciphersuite().auth_method(),
573
710
                                 state.version())
574
710
         );
575
710
576
710
      if(state.ciphersuite().signature_used())
577
362
         {
578
362
         const Public_Key& server_key = state.get_server_public_key();
579
362
580
362
         if(!state.server_kex()->verify(server_key, state, policy()))
581
0
            {
582
0
            throw TLS_Exception(Alert::DECRYPT_ERROR,
583
0
                                "Bad signature on server key exchange");
584
0
            }
585
2.26k
         }
586
2.26k
      }
587
2.26k
   else if(type == CERTIFICATE_REQUEST)
588
130
      {
589
130
      state.set_expected_next(SERVER_HELLO_DONE);
590
130
      state.cert_req(new Certificate_Req(contents, state.version()));
591
130
      }
592
2.13k
   else if(type == SERVER_HELLO_DONE)
593
1.18k
      {
594
1.18k
      state.server_hello_done(new Server_Hello_Done(contents));
595
1.18k
596
1.18k
      if(state.server_certs() != nullptr &&
597
1.18k
         state.server_hello()->supports_certificate_status_message())
598
14
         {
599
14
         try
600
14
            {
601
14
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
602
14
603
14
            std::vector<std::shared_ptr<const OCSP::Response>> ocsp;
604
14
            if(state.server_cert_status() != nullptr)
605
0
               {
606
0
               try {
607
0
                   ocsp.push_back(std::make_shared<OCSP::Response>(state.server_cert_status()->response()));
608
0
               }
609
0
               catch(Decoding_Error&)
610
0
                  {
611
0
                  // ignore it here because it might be our fault
612
0
                  }
613
0
               }
614
14
615
14
            callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
616
14
                                              ocsp,
617
14
                                              trusted_CAs,
618
14
                                              Usage_Type::TLS_SERVER_AUTH,
619
14
                                              m_info.hostname(),
620
14
                                              policy());
621
14
            }
622
14
         catch(TLS_Exception&)
623
14
            {
624
0
            throw;
625
0
            }
626
0
         catch(std::exception& e)
627
0
            {
628
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
629
0
            }
630
1.18k
         }
631
1.18k
632
1.18k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST))
633
2
         {
634
2
         const auto& types = state.cert_req()->acceptable_cert_types();
635
2
636
2
         std::vector<X509_Certificate> client_certs =
637
2
            m_creds.find_cert_chain(types,
638
2
                                    state.cert_req()->acceptable_CAs(),
639
2
                                    "tls-client",
640
2
                                    m_info.hostname());
641
2
642
2
         state.client_certs(new Certificate(state.handshake_io(),
643
2
                                            state.hash(),
644
2
                                            client_certs));
645
2
         }
646
1.18k
647
1.18k
      state.client_kex(
648
1.18k
         new Client_Key_Exchange(state.handshake_io(),
649
1.18k
                                 state,
650
1.18k
                                 policy(),
651
1.18k
                                 m_creds,
652
1.18k
                                 state.server_public_key.get(),
653
1.18k
                                 m_info.hostname(),
654
1.18k
                                 rng())
655
1.18k
         );
656
1.18k
657
1.18k
      state.compute_session_keys();
658
1.18k
659
1.18k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST) &&
660
1.18k
         !state.client_certs()->empty())
661
0
         {
662
0
         Private_Key* private_key =
663
0
            m_creds.private_key_for(state.client_certs()->cert_chain()[0],
664
0
                                    "tls-client",
665
0
                                    m_info.hostname());
666
0
667
0
         state.client_verify(
668
0
            new Certificate_Verify(state.handshake_io(),
669
0
                                   state,
670
0
                                   policy(),
671
0
                                   rng(),
672
0
                                   private_key)
673
0
            );
674
0
         }
675
1.18k
676
1.18k
      state.handshake_io().send(Change_Cipher_Spec());
677
1.18k
678
1.18k
      change_cipher_spec_writer(CLIENT);
679
1.18k
680
1.18k
      state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
681
1.18k
682
1.18k
      if(state.server_hello()->supports_session_ticket())
683
43
         state.set_expected_next(NEW_SESSION_TICKET);
684
1.14k
      else
685
1.14k
         state.set_expected_next(HANDSHAKE_CCS);
686
1.18k
      }
687
950
   else if(type == NEW_SESSION_TICKET)
688
8
      {
689
8
      state.new_session_ticket(new New_Session_Ticket(contents));
690
8
691
8
      state.set_expected_next(HANDSHAKE_CCS);
692
8
      }
693
942
   else if(type == HANDSHAKE_CCS)
694
708
      {
695
708
      state.set_expected_next(FINISHED);
696
708
697
708
      change_cipher_spec_reader(CLIENT);
698
708
      }
699
234
   else if(type == FINISHED)
700
105
      {
701
105
      state.server_finished(new Finished(contents));
702
105
703
105
      if(!state.server_finished()->verify(state, SERVER))
704
0
         throw TLS_Exception(Alert::DECRYPT_ERROR,
705
0
                             "Finished message didn't verify");
706
105
707
105
      state.hash().update(state.handshake_io().format(contents, type));
708
105
709
105
      if(!state.client_finished()) // session resume case
710
0
         {
711
0
         state.handshake_io().send(Change_Cipher_Spec());
712
0
         change_cipher_spec_writer(CLIENT);
713
0
         state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
714
0
         }
715
105
716
105
      std::vector<uint8_t> session_id = state.server_hello()->session_id();
717
105
718
105
      const std::vector<uint8_t>& session_ticket = state.session_ticket();
719
105
720
105
      if(session_id.empty() && !session_ticket.empty())
721
0
         session_id = make_hello_random(rng(), policy());
722
105
723
105
      Session session_info(
724
105
         session_id,
725
105
         state.session_keys().master_secret(),
726
105
         state.server_hello()->version(),
727
105
         state.server_hello()->ciphersuite(),
728
105
         CLIENT,
729
105
         state.server_hello()->supports_extended_master_secret(),
730
105
         state.server_hello()->supports_encrypt_then_mac(),
731
105
         get_peer_cert_chain(state),
732
105
         session_ticket,
733
105
         m_info,
734
105
         "",
735
105
         state.server_hello()->srtp_profile()
736
105
         );
737
105
738
105
      const bool should_save = save_session(session_info);
739
105
740
105
      if(session_id.size() > 0 && state.is_a_resumption() == false)
741
48
         {
742
48
         if(should_save)
743
48
            session_manager().save(session_info);
744
0
         else
745
0
            session_manager().remove_entry(session_info.session_id());
746
48
         }
747
105
748
105
      activate_session();
749
105
      }
750
129
   else
751
129
      throw Unexpected_Message("Unknown handshake message received");
752
11.4k
   }
753
754
}
755
756
}