Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/lib/tls/tls_handshake_state.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Handshaking
3
* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/tls_handshake_state.h>
10
#include <botan/internal/tls_record.h>
11
#include <botan/tls_messages.h>
12
#include <botan/kdf.h>
13
#include <sstream>
14
15
namespace Botan {
16
17
namespace TLS {
18
19
std::string Handshake_Message::type_string() const
20
0
   {
21
0
   return handshake_type_to_string(type());
22
0
   }
23
24
const char* handshake_type_to_string(Handshake_Type type)
25
707
   {
26
707
   switch(type)
27
707
      {
28
707
      case HELLO_VERIFY_REQUEST:
29
8
         return "hello_verify_request";
30
707
31
707
      case HELLO_REQUEST:
32
104
         return "hello_request";
33
707
34
707
      case CLIENT_HELLO:
35
155
         return "client_hello";
36
707
37
707
      case SERVER_HELLO:
38
85
         return "server_hello";
39
707
40
707
      case CERTIFICATE:
41
21
         return "certificate";
42
707
43
707
      case CERTIFICATE_URL:
44
20
         return "certificate_url";
45
707
46
707
      case CERTIFICATE_STATUS:
47
11
         return "certificate_status";
48
707
49
707
      case SERVER_KEX:
50
26
         return "server_key_exchange";
51
707
52
707
      case CERTIFICATE_REQUEST:
53
13
         return "certificate_request";
54
707
55
707
      case SERVER_HELLO_DONE:
56
45
         return "server_hello_done";
57
707
58
707
      case CERTIFICATE_VERIFY:
59
5
         return "certificate_verify";
60
707
61
707
      case CLIENT_KEX:
62
77
         return "client_key_exchange";
63
707
64
707
      case NEW_SESSION_TICKET:
65
15
         return "new_session_ticket";
66
707
67
707
      case HANDSHAKE_CCS:
68
88
         return "change_cipher_spec";
69
707
70
707
      case FINISHED:
71
34
         return "finished";
72
707
73
707
      case HANDSHAKE_NONE:
74
0
         return "invalid";
75
0
      }
76
0
77
0
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
78
0
                       "Unknown TLS handshake message type " + std::to_string(type));
79
0
   }
80
81
namespace {
82
83
uint32_t bitmask_for_handshake_type(Handshake_Type type)
84
306k
   {
85
306k
   switch(type)
86
306k
      {
87
306k
      case HELLO_VERIFY_REQUEST:
88
350
         return (1 << 0);
89
306k
90
306k
      case HELLO_REQUEST:
91
446
         return (1 << 1);
92
306k
93
306k
      case CLIENT_HELLO:
94
69.6k
         return (1 << 2);
95
306k
96
306k
      case SERVER_HELLO:
97
11.5k
         return (1 << 3);
98
306k
99
306k
      case CERTIFICATE:
100
21.3k
         return (1 << 4);
101
306k
102
306k
      case CERTIFICATE_URL:
103
362
         return (1 << 5);
104
306k
105
306k
      case CERTIFICATE_STATUS:
106
477
         return (1 << 6);
107
306k
108
306k
      case SERVER_KEX:
109
2.94k
         return (1 << 7);
110
306k
111
306k
      case CERTIFICATE_REQUEST:
112
3.33k
         return (1 << 8);
113
306k
114
306k
      case SERVER_HELLO_DONE:
115
3.19k
         return (1 << 9);
116
306k
117
306k
      case CERTIFICATE_VERIFY:
118
347
         return (1 << 10);
119
306k
120
306k
      case CLIENT_KEX:
121
38.1k
         return (1 << 11);
122
306k
123
306k
      case NEW_SESSION_TICKET:
124
406
         return (1 << 12);
125
306k
126
306k
      case HANDSHAKE_CCS:
127
151k
         return (1 << 13);
128
306k
129
306k
      case FINISHED:
130
2.18k
         return (1 << 14);
131
306k
132
306k
      // allow explicitly disabling new handshakes
133
306k
      case HANDSHAKE_NONE:
134
356
         return 0;
135
74
      }
136
74
137
74
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138
74
                       "Unknown TLS handshake message type " + std::to_string(type));
139
74
   }
140
141
std::string handshake_mask_to_string(uint32_t mask, char combiner)
142
342
   {
143
342
   const Handshake_Type types[] = {
144
342
      HELLO_VERIFY_REQUEST,
145
342
      HELLO_REQUEST,
146
342
      CLIENT_HELLO,
147
342
      SERVER_HELLO,
148
342
      CERTIFICATE,
149
342
      CERTIFICATE_URL,
150
342
      CERTIFICATE_STATUS,
151
342
      SERVER_KEX,
152
342
      CERTIFICATE_REQUEST,
153
342
      SERVER_HELLO_DONE,
154
342
      CERTIFICATE_VERIFY,
155
342
      CLIENT_KEX,
156
342
      NEW_SESSION_TICKET,
157
342
      HANDSHAKE_CCS,
158
342
      FINISHED
159
342
   };
160
342
161
342
   std::ostringstream o;
162
342
   bool empty = true;
163
342
164
342
   for(auto&& t : types)
165
5.13k
      {
166
5.13k
      if(mask & bitmask_for_handshake_type(t))
167
461
         {
168
461
         if(!empty)
169
119
            o << combiner;
170
461
         o << handshake_type_to_string(t);
171
461
         empty = false;
172
461
         }
173
5.13k
      }
174
342
175
342
   return o.str();
176
342
   }
177
178
}
179
180
/*
181
* Initialize the SSL/TLS Handshake State
182
*/
183
Handshake_State::Handshake_State(Handshake_IO* io, Callbacks& cb) :
184
   m_callbacks(cb),
185
   m_handshake_io(io),
186
   m_version(m_handshake_io->initial_record_version())
187
46.3k
   {
188
46.3k
   }
189
190
void Handshake_State::note_message(const Handshake_Message& msg)
191
131k
   {
192
131k
   m_callbacks.tls_inspect_handshake_msg(msg);
193
131k
   }
194
195
void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify)
196
0
   {
197
0
   note_message(hello_verify);
198
0
199
0
   m_client_hello->update_hello_cookie(hello_verify);
200
0
   hash().reset();
201
0
   hash().update(handshake_io().send(*m_client_hello));
202
0
   note_message(*m_client_hello);
203
0
   }
204
205
void Handshake_State::client_hello(Client_Hello* client_hello)
206
42.9k
   {
207
42.9k
   if(client_hello == nullptr)
208
6.65k
      {
209
6.65k
      m_client_hello.reset();
210
6.65k
      hash().reset();
211
6.65k
      }
212
36.2k
   else
213
36.2k
      {
214
36.2k
      m_client_hello.reset(client_hello);
215
36.2k
      note_message(*m_client_hello);
216
36.2k
      }
217
42.9k
   }
218
219
void Handshake_State::server_hello(Server_Hello* server_hello)
220
27.9k
   {
221
27.9k
   m_server_hello.reset(server_hello);
222
27.9k
   m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223
27.9k
   note_message(*m_server_hello);
224
27.9k
   }
225
226
void Handshake_State::server_certs(Certificate* server_certs)
227
1.81k
   {
228
1.81k
   m_server_certs.reset(server_certs);
229
1.81k
   note_message(*m_server_certs);
230
1.81k
   }
231
232
void Handshake_State::server_cert_status(Certificate_Status* server_cert_status)
233
1
   {
234
1
   m_server_cert_status.reset(server_cert_status);
235
1
   note_message(*m_server_cert_status);
236
1
   }
237
238
void Handshake_State::server_kex(Server_Key_Exchange* server_kex)
239
23.9k
   {
240
23.9k
   m_server_kex.reset(server_kex);
241
23.9k
   note_message(*m_server_kex);
242
23.9k
   }
243
244
void Handshake_State::cert_req(Certificate_Req* cert_req)
245
5
   {
246
5
   m_cert_req.reset(cert_req);
247
5
   note_message(*m_cert_req);
248
5
   }
249
250
void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done)
251
24.4k
   {
252
24.4k
   m_server_hello_done.reset(server_hello_done);
253
24.4k
   note_message(*m_server_hello_done);
254
24.4k
   }
255
256
void Handshake_State::client_certs(Certificate* client_certs)
257
2
   {
258
2
   m_client_certs.reset(client_certs);
259
2
   note_message(*m_client_certs);
260
2
   }
261
262
void Handshake_State::client_kex(Client_Key_Exchange* client_kex)
263
14.9k
   {
264
14.9k
   m_client_kex.reset(client_kex);
265
14.9k
   note_message(*m_client_kex);
266
14.9k
   }
267
268
void Handshake_State::client_verify(Certificate_Verify* client_verify)
269
0
   {
270
0
   m_client_verify.reset(client_verify);
271
0
   note_message(*m_client_verify);
272
0
   }
273
274
void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket)
275
250
   {
276
250
   m_new_session_ticket.reset(new_session_ticket);
277
250
   note_message(*m_new_session_ticket);
278
250
   }
279
280
void Handshake_State::server_finished(Finished* server_finished)
281
461
   {
282
461
   m_server_finished.reset(server_finished);
283
461
   note_message(*m_server_finished);
284
461
   }
285
286
void Handshake_State::client_finished(Finished* client_finished)
287
1.29k
   {
288
1.29k
   m_client_finished.reset(client_finished);
289
1.29k
   note_message(*m_client_finished);
290
1.29k
   }
291
292
void Handshake_State::set_version(const Protocol_Version& version)
293
34.8k
   {
294
34.8k
   m_version = version;
295
34.8k
   }
296
297
void Handshake_State::compute_session_keys()
298
14.9k
   {
299
14.9k
   m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300
14.9k
   }
301
302
void Handshake_State::compute_session_keys(const secure_vector<uint8_t>& resume_master_secret)
303
0
   {
304
0
   m_session_keys = Session_Keys(this, resume_master_secret, true);
305
0
   }
306
307
void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg)
308
58.3k
   {
309
58.3k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310
58.3k
311
58.3k
   m_hand_received_mask |= mask;
312
58.3k
313
58.3k
   const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314
58.3k
315
58.3k
   if(!ok)
316
246
      {
317
246
      const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318
246
319
246
      std::ostringstream msg;
320
246
321
246
      msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322
246
323
246
      if(m_hand_expecting_mask == 0)
324
22
         msg << " not expecting messages";
325
224
      else
326
224
         msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327
246
328
246
      if(seen_so_far != 0)
329
118
         msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330
246
331
246
      throw Unexpected_Message(msg.str());
332
246
      }
333
58.0k
334
58.0k
   /* We don't know what to expect next, so force a call to
335
58.0k
      set_expected_next; if it doesn't happen, the next transition
336
58.0k
      check will always fail which is what we want.
337
58.0k
   */
338
58.0k
   m_hand_expecting_mask = 0;
339
58.0k
   }
340
341
void Handshake_State::set_expected_next(Handshake_Type handshake_msg)
342
92.2k
   {
343
92.2k
   m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344
92.2k
   }
345
346
bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
347
16.6k
   {
348
16.6k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349
16.6k
350
16.6k
   return (m_hand_received_mask & mask) != 0;
351
16.6k
   }
352
353
std::pair<Handshake_Type, std::vector<uint8_t>>
354
Handshake_State::get_next_handshake_msg()
355
133k
   {
356
133k
   const bool expecting_ccs =
357
133k
      (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358
133k
359
133k
   return m_handshake_io->get_next_record(expecting_ccs);
360
133k
   }
361
362
std::string Handshake_State::srp_identifier() const
363
356
   {
364
356
#if defined(BOTAN_HAS_SRP6)
365
356
   // Authenticated via the successful key exchange
366
356
   if(ciphersuite().valid() && ciphersuite().kex_method() == Kex_Algo::SRP_SHA)
367
0
      return client_hello()->srp_identifier();
368
356
#endif
369
356
370
356
   return "";
371
356
   }
372
373
374
std::vector<uint8_t> Handshake_State::session_ticket() const
375
105
   {
376
105
   if(new_session_ticket() && !new_session_ticket()->ticket().empty())
377
0
      return new_session_ticket()->ticket();
378
105
379
105
   return client_hello()->session_ticket();
380
105
   }
381
382
KDF* Handshake_State::protocol_specific_prf() const
383
16.7k
   {
384
16.7k
   if(version().supports_ciphersuite_specific_prf())
385
16.7k
      {
386
16.7k
      const std::string prf_algo = ciphersuite().prf_algo();
387
16.7k
388
16.7k
      if(prf_algo == "MD5" || prf_algo == "SHA-1")
389
4.36k
         return get_kdf("TLS-12-PRF(SHA-256)");
390
12.3k
391
12.3k
      return get_kdf("TLS-12-PRF(" + prf_algo + ")");
392
12.3k
      }
393
0
394
0
   // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
395
0
   return get_kdf("TLS-PRF");
396
0
   }
397
398
std::pair<std::string, Signature_Format>
399
Handshake_State::choose_sig_format(const Private_Key& key,
400
                                   Signature_Scheme& chosen_scheme,
401
                                   bool for_client_auth,
402
                                   const Policy& policy) const
403
0
   {
404
0
   const std::string sig_algo = key.algo_name();
405
0
406
0
   if(this->version().supports_negotiable_signature_algorithms())
407
0
      {
408
0
      const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
409
0
410
0
      std::vector<Signature_Scheme> requested =
411
0
         (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
412
0
413
0
      if(requested.empty())
414
0
         {
415
0
         // Implicit SHA-1
416
0
         requested.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
417
0
         requested.push_back(Signature_Scheme::ECDSA_SHA1);
418
0
         requested.push_back(Signature_Scheme::DSA_SHA1);
419
0
         }
420
0
421
0
      for(Signature_Scheme scheme : allowed)
422
0
         {
423
0
         if(signature_scheme_is_known(scheme) == false)
424
0
            {
425
0
            continue;
426
0
            }
427
0
428
0
         if(signature_algorithm_of_scheme(scheme) == sig_algo)
429
0
            {
430
0
            if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
431
0
               {
432
0
               chosen_scheme = scheme;
433
0
               break;
434
0
               }
435
0
            }
436
0
         }
437
0
438
0
      const std::string hash = hash_function_of_scheme(chosen_scheme);
439
0
440
0
      if(!policy.allowed_signature_hash(hash))
441
0
         {
442
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
443
0
                             "Policy refuses to accept signing with any hash supported by peer");
444
0
         }
445
0
446
0
      if(sig_algo == "RSA")
447
0
         {
448
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
449
0
         }
450
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
451
0
         {
452
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
453
0
         }
454
0
      }
455
0
   else
456
0
      {
457
0
      if(sig_algo == "RSA")
458
0
         {
459
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
460
0
         return std::make_pair(padding, IEEE_1363);
461
0
         }
462
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
463
0
         {
464
0
         const std::string padding = "EMSA1(SHA-1)";
465
0
         return std::make_pair(padding, DER_SEQUENCE);
466
0
         }
467
0
      }
468
0
469
0
   throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
470
0
   }
471
472
namespace {
473
474
bool supported_algos_include(
475
   const std::vector<Signature_Scheme>& schemes,
476
   const std::string& key_type,
477
   const std::string& hash_type)
478
282
   {
479
282
   for(Signature_Scheme scheme : schemes)
480
2.12k
      {
481
2.12k
      if(signature_scheme_is_known(scheme) &&
482
2.12k
         hash_function_of_scheme(scheme) == hash_type &&
483
2.12k
         signature_algorithm_of_scheme(scheme) == key_type)
484
280
         {
485
280
         return true;
486
280
         }
487
2.12k
      }
488
282
489
282
   return false;
490
282
   }
491
492
}
493
494
std::pair<std::string, Signature_Format>
495
Handshake_State::parse_sig_format(const Public_Key& key,
496
                                  Signature_Scheme scheme,
497
                                  bool for_client_auth,
498
                                  const Policy& policy) const
499
361
   {
500
361
   const std::string key_type = key.algo_name();
501
361
502
361
   if(!policy.allowed_signature_method(key_type))
503
0
      {
504
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
505
0
                          "Rejecting " + key_type + " signature");
506
0
      }
507
361
508
361
   if(this->version().supports_negotiable_signature_algorithms() == false)
509
0
      {
510
0
      if(scheme != Signature_Scheme::NONE)
511
0
         throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
512
0
513
0
      /*
514
0
      There is no check on the acceptability of a v1.0/v1.1 hash type,
515
0
      since it's implicit with use of the protocol
516
0
      */
517
0
518
0
      if(key_type == "RSA")
519
0
         {
520
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
521
0
         return std::make_pair(padding, IEEE_1363);
522
0
         }
523
0
      else if(key_type == "DSA" || key_type == "ECDSA")
524
0
         {
525
0
         const std::string padding = "EMSA1(SHA-1)";
526
0
         return std::make_pair(padding, DER_SEQUENCE);
527
0
         }
528
0
      else
529
0
         throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
530
361
      }
531
361
532
361
   if(scheme == Signature_Scheme::NONE)
533
1
      throw Decoding_Error("Counterparty did not send hash/sig IDS");
534
360
535
360
   if(key_type != signature_algorithm_of_scheme(scheme))
536
10
      throw Decoding_Error("Counterparty sent inconsistent key and sig types");
537
350
538
350
   if(for_client_auth && !cert_req())
539
0
      {
540
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
541
0
                          "No certificate verify set");
542
0
      }
543
350
544
350
   /*
545
350
   Confirm the signature type we just received against the
546
350
   supported_algos list that we sent; it better be there.
547
350
   */
548
350
549
350
   const std::vector<Signature_Scheme> supported_algos =
550
350
      for_client_auth ? cert_req()->signature_schemes() :
551
350
      client_hello()->signature_schemes();
552
350
553
350
   if(!signature_scheme_is_known(scheme))
554
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
555
0
                          "Peer sent unknown signature scheme");
556
350
557
350
   const std::string hash_algo = hash_function_of_scheme(scheme);
558
350
559
350
   if(!supported_algos_include(supported_algos, key_type, hash_algo))
560
2
      {
561
2
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
562
2
                          "TLS signature extension did not allow for " +
563
2
                          key_type + "/" + hash_algo + " signature");
564
2
      }
565
348
566
348
   if(key_type == "RSA")
567
44
      {
568
44
      return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
569
44
      }
570
304
   else if(key_type == "DSA" || key_type == "ECDSA")
571
236
      {
572
236
      return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
573
236
      }
574
68
575
68
   throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
576
68
   }
577
578
}
579
580
}