Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/tls/msg_client_hello.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Hello Request and Client Hello Messages
3
* (C) 2004-2011,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/tls_messages.h>
11
#include <botan/tls_alert.h>
12
#include <botan/tls_exceptn.h>
13
#include <botan/tls_callbacks.h>
14
#include <botan/rng.h>
15
#include <botan/hash.h>
16
17
#include <botan/internal/tls_reader.h>
18
#include <botan/internal/tls_session_key.h>
19
#include <botan/internal/tls_handshake_io.h>
20
#include <botan/internal/tls_handshake_hash.h>
21
#include <botan/internal/stl_util.h>
22
#include <chrono>
23
24
namespace Botan {
25
26
namespace TLS {
27
28
enum {
29
   TLS_EMPTY_RENEGOTIATION_INFO_SCSV        = 0x00FF,
30
   TLS_FALLBACK_SCSV                        = 0x5600
31
};
32
33
std::vector<uint8_t> make_hello_random(RandomNumberGenerator& rng,
34
                                       const Policy& policy)
35
50.7k
   {
36
50.7k
   std::vector<uint8_t> buf(32);
37
50.7k
   rng.randomize(buf.data(), buf.size());
38
50.7k
39
50.7k
   std::unique_ptr<HashFunction> sha256 = HashFunction::create_or_throw("SHA-256");
40
50.7k
   sha256->update(buf);
41
50.7k
   sha256->final(buf);
42
50.7k
43
50.7k
   if(policy.include_time_in_hello_random())
44
50.7k
      {
45
50.7k
      const uint32_t time32 = static_cast<uint32_t>(
46
50.7k
         std::chrono::system_clock::to_time_t(std::chrono::system_clock::now()));
47
50.7k
48
50.7k
      store_be(time32, buf.data());
49
50.7k
      }
50
50.7k
51
50.7k
   return buf;
52
50.7k
   }
53
54
/*
55
* Create a new Hello Request message
56
*/
57
Hello_Request::Hello_Request(Handshake_IO& io)
58
0
   {
59
0
   io.send(*this);
60
0
   }
61
62
/*
63
* Deserialize a Hello Request message
64
*/
65
Hello_Request::Hello_Request(const std::vector<uint8_t>& buf)
66
0
   {
67
0
   if(buf.size())
68
0
      throw Decoding_Error("Bad Hello_Request, has non-zero size");
69
0
   }
70
71
/*
72
* Serialize a Hello Request message
73
*/
74
std::vector<uint8_t> Hello_Request::serialize() const
75
0
   {
76
0
   return std::vector<uint8_t>();
77
0
   }
78
79
/*
80
* Create a new Client Hello message
81
*/
82
Client_Hello::Client_Hello(Handshake_IO& io,
83
                           Handshake_Hash& hash,
84
                           const Policy& policy,
85
                           Callbacks& cb,
86
                           RandomNumberGenerator& rng,
87
                           const std::vector<uint8_t>& reneg_info,
88
                           const Client_Hello::Settings& client_settings,
89
                           const std::vector<std::string>& next_protocols) :
90
   m_version(client_settings.protocol_version()),
91
   m_random(make_hello_random(rng, policy)),
92
   m_suites(policy.ciphersuite_list(m_version, !client_settings.srp_identifier().empty())),
93
   m_comp_methods(1)
94
5.24k
   {
95
5.24k
   if(!policy.acceptable_protocol_version(m_version))
96
0
      throw Internal_Error("Offering " + m_version.to_string() +
97
0
                           " but our own policy does not accept it");
98
5.24k
99
5.24k
   /*
100
5.24k
   * Place all empty extensions in front to avoid a bug in some systems
101
5.24k
   * which reject hellos when the last extension in the list is empty.
102
5.24k
   */
103
5.24k
   m_extensions.add(new Extended_Master_Secret);
104
5.24k
   m_extensions.add(new Session_Ticket());
105
5.24k
106
5.24k
   if(policy.negotiate_encrypt_then_mac())
107
5.24k
      m_extensions.add(new Encrypt_then_MAC);
108
5.24k
109
5.24k
   m_extensions.add(new Renegotiation_Extension(reneg_info));
110
5.24k
111
5.24k
   m_extensions.add(new Supported_Versions(m_version, policy));
112
5.24k
113
5.24k
   if(client_settings.hostname() != "")
114
5.24k
      m_extensions.add(new Server_Name_Indicator(client_settings.hostname()));
115
5.24k
116
5.24k
   if(policy.support_cert_status_message())
117
5.24k
      m_extensions.add(new Certificate_Status_Request({}, {}));
118
5.24k
119
5.24k
   if(reneg_info.empty() && !next_protocols.empty())
120
0
      m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
121
5.24k
122
5.24k
   if(m_version.supports_negotiable_signature_algorithms())
123
5.24k
      m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));
124
5.24k
125
5.24k
   if(m_version.is_datagram_protocol())
126
0
      m_extensions.add(new SRTP_Protection_Profiles(policy.srtp_profiles()));
127
5.24k
128
5.24k
#if defined(BOTAN_HAS_SRP6)
129
5.24k
   m_extensions.add(new SRP_Identifier(client_settings.srp_identifier()));
130
#else
131
   if(!client_settings.srp_identifier().empty())
132
      {
133
      throw Invalid_State("Attempting to initiate SRP session but TLS-SRP support disabled");
134
      }
135
#endif
136
137
5.24k
   std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));
138
5.24k
139
5.24k
   if(supported_groups->ec_groups().size() > 0)
140
5.24k
      {
141
5.24k
      m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
142
5.24k
      }
143
5.24k
144
5.24k
   m_extensions.add(supported_groups.release());
145
5.24k
146
5.24k
   cb.tls_modify_extensions(m_extensions, CLIENT);
147
5.24k
148
5.24k
   if(policy.send_fallback_scsv(client_settings.protocol_version()))
149
0
      m_suites.push_back(TLS_FALLBACK_SCSV);
150
5.24k
151
5.24k
   hash.update(io.send(*this));
152
5.24k
   }
153
154
/*
155
* Create a new Client Hello message (session resumption case)
156
*/
157
Client_Hello::Client_Hello(Handshake_IO& io,
158
                           Handshake_Hash& hash,
159
                           const Policy& policy,
160
                           Callbacks& cb,
161
                           RandomNumberGenerator& rng,
162
                           const std::vector<uint8_t>& reneg_info,
163
                           const Session& session,
164
                           const std::vector<std::string>& next_protocols) :
165
   m_version(session.version()),
166
   m_session_id(session.session_id()),
167
   m_random(make_hello_random(rng, policy)),
168
   m_suites(policy.ciphersuite_list(m_version, (session.srp_identifier() != ""))),
169
   m_comp_methods(1)
170
0
   {
171
0
   if(!policy.acceptable_protocol_version(m_version))
172
0
      throw Internal_Error("Offering " + m_version.to_string() +
173
0
                           " but our own policy does not accept it");
174
0
175
0
   if(!value_exists(m_suites, session.ciphersuite_code()))
176
0
      m_suites.push_back(session.ciphersuite_code());
177
0
178
0
   /*
179
0
   We always add the EMS extension, even if not used in the original session.
180
0
   If the server understands it and follows the RFC it should reject our resume
181
0
   attempt and upgrade us to a new session with the EMS protection.
182
0
   */
183
0
   m_extensions.add(new Extended_Master_Secret);
184
0
185
0
   m_extensions.add(new Renegotiation_Extension(reneg_info));
186
0
   m_extensions.add(new Server_Name_Indicator(session.server_info().hostname()));
187
0
   m_extensions.add(new Session_Ticket(session.session_ticket()));
188
0
189
0
   if(policy.support_cert_status_message())
190
0
      m_extensions.add(new Certificate_Status_Request({}, {}));
191
0
192
0
   std::unique_ptr<Supported_Groups> supported_groups(new Supported_Groups(policy.key_exchange_groups()));
193
0
194
0
   if(supported_groups->ec_groups().size() > 0)
195
0
      {
196
0
      m_extensions.add(new Supported_Point_Formats(policy.use_ecc_point_compression()));
197
0
      }
198
0
199
0
   m_extensions.add(supported_groups.release());
200
0
201
0
   if(session.supports_encrypt_then_mac())
202
0
      m_extensions.add(new Encrypt_then_MAC);
203
0
204
0
#if defined(BOTAN_HAS_SRP6)
205
0
   m_extensions.add(new SRP_Identifier(session.srp_identifier()));
206
#else
207
   if(!session.srp_identifier().empty())
208
      {
209
      throw Invalid_State("Attempting to resume SRP session but TLS-SRP support disabled");
210
      }
211
#endif
212
213
0
   if(m_version.supports_negotiable_signature_algorithms())
214
0
      m_extensions.add(new Signature_Algorithms(policy.allowed_signature_schemes()));
215
0
216
0
   if(reneg_info.empty() && !next_protocols.empty())
217
0
      m_extensions.add(new Application_Layer_Protocol_Notification(next_protocols));
218
0
219
0
   cb.tls_modify_extensions(m_extensions, CLIENT);
220
0
221
0
   hash.update(io.send(*this));
222
0
   }
223
224
void Client_Hello::update_hello_cookie(const Hello_Verify_Request& hello_verify)
225
0
   {
226
0
   if(!m_version.is_datagram_protocol())
227
0
      throw Invalid_State("Cannot use hello cookie with stream protocol");
228
0
229
0
   m_hello_cookie = hello_verify.cookie();
230
0
   }
231
232
/*
233
* Serialize a Client Hello message
234
*/
235
std::vector<uint8_t> Client_Hello::serialize() const
236
5.24k
   {
237
5.24k
   std::vector<uint8_t> buf;
238
5.24k
239
5.24k
   buf.push_back(m_version.major_version());
240
5.24k
   buf.push_back(m_version.minor_version());
241
5.24k
   buf += m_random;
242
5.24k
243
5.24k
   append_tls_length_value(buf, m_session_id, 1);
244
5.24k
245
5.24k
   if(m_version.is_datagram_protocol())
246
0
      append_tls_length_value(buf, m_hello_cookie, 1);
247
5.24k
248
5.24k
   append_tls_length_value(buf, m_suites, 2);
249
5.24k
   append_tls_length_value(buf, m_comp_methods, 1);
250
5.24k
251
5.24k
   /*
252
5.24k
   * May not want to send extensions at all in some cases. If so,
253
5.24k
   * should include SCSV value (if reneg info is empty, if not we are
254
5.24k
   * renegotiating with a modern server)
255
5.24k
   */
256
5.24k
257
5.24k
   buf += m_extensions.serialize(Connection_Side::CLIENT);
258
5.24k
259
5.24k
   return buf;
260
5.24k
   }
261
262
std::vector<uint8_t> Client_Hello::cookie_input_data() const
263
6.75k
   {
264
6.75k
   std::vector<uint8_t> buf;
265
6.75k
266
6.75k
   buf.push_back(m_version.major_version());
267
6.75k
   buf.push_back(m_version.minor_version());
268
6.75k
   buf += m_random;
269
6.75k
270
6.75k
   append_tls_length_value(buf, m_session_id, 1);
271
6.75k
272
6.75k
   append_tls_length_value(buf, m_suites, 2);
273
6.75k
   append_tls_length_value(buf, m_comp_methods, 1);
274
6.75k
275
6.75k
   // Here we don't serialize the extensions since the client extensions
276
6.75k
   // may contain values we don't know how to serialize back.
277
6.75k
278
6.75k
   return buf;
279
6.75k
   }
280
281
/*
282
* Read a counterparty client hello
283
*/
284
Client_Hello::Client_Hello(const std::vector<uint8_t>& buf)
285
31.6k
   {
286
31.6k
   if(buf.size() < 41)
287
76
      throw Decoding_Error("Client_Hello: Packet corrupted");
288
31.5k
289
31.5k
   TLS_Data_Reader reader("ClientHello", buf);
290
31.5k
291
31.5k
   const uint8_t major_version = reader.get_byte();
292
31.5k
   const uint8_t minor_version = reader.get_byte();
293
31.5k
294
31.5k
   m_version = Protocol_Version(major_version, minor_version);
295
31.5k
296
31.5k
   m_random = reader.get_fixed<uint8_t>(32);
297
31.5k
298
31.5k
   m_session_id = reader.get_range<uint8_t>(1, 0, 32);
299
31.5k
300
31.5k
   if(m_version.is_datagram_protocol())
301
7.06k
      m_hello_cookie = reader.get_range<uint8_t>(1, 0, 255);
302
31.5k
303
31.5k
   m_suites = reader.get_range_vector<uint16_t>(2, 1, 32767);
304
31.5k
305
31.5k
   m_comp_methods = reader.get_range_vector<uint8_t>(1, 1, 255);
306
31.5k
307
31.5k
   m_extensions.deserialize(reader, Connection_Side::CLIENT);
308
31.5k
309
31.5k
   if(offered_suite(static_cast<uint16_t>(TLS_EMPTY_RENEGOTIATION_INFO_SCSV)))
310
3.92k
      {
311
3.92k
      if(Renegotiation_Extension* reneg = m_extensions.get<Renegotiation_Extension>())
312
29
         {
313
29
         if(!reneg->renegotiation_info().empty())
314
2
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
315
2
                                "Client sent renegotiation SCSV and non-empty extension");
316
3.89k
         }
317
3.89k
      else
318
3.89k
         {
319
3.89k
         // add fake extension
320
3.89k
         m_extensions.add(new Renegotiation_Extension());
321
3.89k
         }
322
3.92k
      }
323
31.5k
   }
324
325
bool Client_Hello::sent_fallback_scsv() const
326
29.8k
   {
327
29.8k
   return offered_suite(static_cast<uint16_t>(TLS_FALLBACK_SCSV));
328
29.8k
   }
329
330
/*
331
* Check if we offered this ciphersuite
332
*/
333
bool Client_Hello::offered_suite(uint16_t ciphersuite) const
334
63.8k
   {
335
530k
   for(size_t i = 0; i != m_suites.size(); ++i)
336
474k
      if(m_suites[i] == ciphersuite)
337
8.04k
         return true;
338
63.8k
   return false;
339
63.8k
   }
340
341
std::vector<Signature_Scheme> Client_Hello::signature_schemes() const
342
363
   {
343
363
   std::vector<Signature_Scheme> schemes;
344
363
345
363
   if(Signature_Algorithms* sigs = m_extensions.get<Signature_Algorithms>())
346
325
      {
347
325
      schemes = sigs->supported_schemes();
348
325
      }
349
363
350
363
   return schemes;
351
363
   }
352
353
std::vector<Group_Params> Client_Hello::supported_ecc_curves() const
354
39.2k
   {
355
39.2k
   if(Supported_Groups* groups = m_extensions.get<Supported_Groups>())
356
34.5k
      return groups->ec_groups();
357
4.70k
   return std::vector<Group_Params>();
358
4.70k
   }
359
360
std::vector<Group_Params> Client_Hello::supported_dh_groups() const
361
5.87k
   {
362
5.87k
   if(Supported_Groups* groups = m_extensions.get<Supported_Groups>())
363
1.82k
      return groups->dh_groups();
364
4.05k
   return std::vector<Group_Params>();
365
4.05k
   }
366
367
bool Client_Hello::prefers_compressed_ec_points() const
368
15.8k
   {
369
15.8k
   if(Supported_Point_Formats* ecc_formats = m_extensions.get<Supported_Point_Formats>())
370
568
      {
371
568
      return ecc_formats->prefers_compressed();
372
568
      }
373
15.2k
   return false;
374
15.2k
   }
375
376
std::string Client_Hello::sni_hostname() const
377
82.5k
   {
378
82.5k
   if(Server_Name_Indicator* sni = m_extensions.get<Server_Name_Indicator>())
379
18.0k
      return sni->host_name();
380
64.4k
   return "";
381
64.4k
   }
382
383
#if defined(BOTAN_HAS_SRP6)
384
std::string Client_Hello::srp_identifier() const
385
0
   {
386
0
   if(SRP_Identifier* srp = m_extensions.get<SRP_Identifier>())
387
0
      return srp->identifier();
388
0
   return "";
389
0
   }
390
#endif
391
392
bool Client_Hello::secure_renegotiation() const
393
51.0k
   {
394
51.0k
   return m_extensions.has<Renegotiation_Extension>();
395
51.0k
   }
396
397
std::vector<uint8_t> Client_Hello::renegotiation_info() const
398
10.1k
   {
399
10.1k
   if(Renegotiation_Extension* reneg = m_extensions.get<Renegotiation_Extension>())
400
10.1k
      return reneg->renegotiation_info();
401
0
   return std::vector<uint8_t>();
402
0
   }
403
404
std::vector<Protocol_Version> Client_Hello::supported_versions() const
405
29.8k
   {
406
29.8k
   if(Supported_Versions* versions = m_extensions.get<Supported_Versions>())
407
9
      return versions->versions();
408
29.8k
   return {};
409
29.8k
   }
410
411
bool Client_Hello::supports_session_ticket() const
412
22.7k
   {
413
22.7k
   return m_extensions.has<Session_Ticket>();
414
22.7k
   }
415
416
std::vector<uint8_t> Client_Hello::session_ticket() const
417
23.0k
   {
418
23.0k
   if(Session_Ticket* ticket = m_extensions.get<Session_Ticket>())
419
956
      return ticket->contents();
420
22.1k
   return std::vector<uint8_t>();
421
22.1k
   }
422
423
bool Client_Hello::supports_alpn() const
424
28.1k
   {
425
28.1k
   return m_extensions.has<Application_Layer_Protocol_Notification>();
426
28.1k
   }
427
428
bool Client_Hello::supports_extended_master_secret() const
429
22.7k
   {
430
22.7k
   return m_extensions.has<Extended_Master_Secret>();
431
22.7k
   }
432
433
bool Client_Hello::supports_cert_status_message() const
434
22.9k
   {
435
22.9k
   return m_extensions.has<Certificate_Status_Request>();
436
22.9k
   }
437
438
bool Client_Hello::supports_encrypt_then_mac() const
439
13.4k
   {
440
13.4k
   return m_extensions.has<Encrypt_then_MAC>();
441
13.4k
   }
442
443
bool Client_Hello::sent_signature_algorithms() const
444
0
   {
445
0
   return m_extensions.has<Signature_Algorithms>();
446
0
   }
447
448
std::vector<std::string> Client_Hello::next_protocols() const
449
5.17k
   {
450
5.17k
   if(auto alpn = m_extensions.get<Application_Layer_Protocol_Notification>())
451
5.17k
      return alpn->protocols();
452
0
   return std::vector<std::string>();
453
0
   }
454
455
std::vector<uint16_t> Client_Hello::srtp_profiles() const
456
0
   {
457
0
   if(SRTP_Protection_Profiles* srtp = m_extensions.get<SRTP_Protection_Profiles>())
458
0
      return srtp->profiles();
459
0
   return std::vector<uint16_t>();
460
0
   }
461
462
463
}
464
465
}