Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/tls/tls_channel.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Channels
3
* (C) 2011,2012,2014,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/tls_channel.h>
10
#include <botan/tls_policy.h>
11
#include <botan/tls_messages.h>
12
#include <botan/kdf.h>
13
#include <botan/internal/tls_handshake_state.h>
14
#include <botan/internal/tls_record.h>
15
#include <botan/internal/tls_seq_numbers.h>
16
#include <botan/internal/rounding.h>
17
#include <botan/internal/stl_util.h>
18
#include <botan/loadstor.h>
19
20
namespace Botan {
21
22
namespace TLS {
23
24
size_t TLS::Channel::IO_BUF_DEFAULT_SIZE = 10*1024;
25
26
Channel::Channel(Callbacks& callbacks,
27
                 Session_Manager& session_manager,
28
                 RandomNumberGenerator& rng,
29
                 const Policy& policy,
30
                 bool is_server,
31
                 bool is_datagram,
32
                 size_t reserved_io_buffer_size) :
33
   m_is_server(is_server),
34
   m_is_datagram(is_datagram),
35
   m_callbacks(callbacks),
36
   m_session_manager(session_manager),
37
   m_policy(policy),
38
   m_rng(rng),
39
   m_has_been_closed(false)
40
10.1k
   {
41
10.1k
   init(reserved_io_buffer_size);
42
10.1k
   }
43
44
Channel::Channel(output_fn out,
45
                 data_cb app_data_cb,
46
                 alert_cb recv_alert_cb,
47
                 handshake_cb hs_cb,
48
                 handshake_msg_cb hs_msg_cb,
49
                 Session_Manager& session_manager,
50
                 RandomNumberGenerator& rng,
51
                 const Policy& policy,
52
                 bool is_server,
53
                 bool is_datagram,
54
                 size_t io_buf_sz) :
55
    m_is_server(is_server),
56
    m_is_datagram(is_datagram),
57
    m_compat_callbacks(new Compat_Callbacks(
58
                          /*
59
                          this Channel constructor is also deprecated so its ok that it
60
                          relies on a deprecated API
61
                          */
62
                          Compat_Callbacks::SILENCE_DEPRECATION_WARNING::PLEASE,
63
                          out, app_data_cb, recv_alert_cb, hs_cb, hs_msg_cb)),
64
    m_callbacks(*m_compat_callbacks.get()),
65
    m_session_manager(session_manager),
66
    m_policy(policy),
67
    m_rng(rng),
68
    m_has_been_closed(false)
69
0
    {
70
0
    init(io_buf_sz);
71
0
    }
72
73
void Channel::init(size_t io_buf_sz)
74
10.1k
   {
75
10.1k
   /* epoch 0 is plaintext, thus null cipher state */
76
10.1k
   m_write_cipher_states[0] = nullptr;
77
10.1k
   m_read_cipher_states[0] = nullptr;
78
10.1k
79
10.1k
   m_writebuf.reserve(io_buf_sz);
80
10.1k
   m_readbuf.reserve(io_buf_sz);
81
10.1k
   }
82
83
void Channel::reset_state()
84
7.21k
   {
85
7.21k
   m_active_state.reset();
86
7.21k
   m_pending_state.reset();
87
7.21k
   m_readbuf.clear();
88
7.21k
   m_write_cipher_states.clear();
89
7.21k
   m_read_cipher_states.clear();
90
7.21k
   }
91
92
void Channel::reset_active_association_state()
93
0
   {
94
0
   // This operation only makes sense for DTLS
95
0
   BOTAN_ASSERT_NOMSG(m_is_datagram);
96
0
   m_active_state.reset();
97
0
   m_read_cipher_states.clear();
98
0
   m_write_cipher_states.clear();
99
0
100
0
   m_write_cipher_states[0] = nullptr;
101
0
   m_read_cipher_states[0] = nullptr;
102
0
103
0
   if(m_sequence_numbers)
104
0
      m_sequence_numbers->reset();
105
0
   }
106
107
Channel::~Channel()
108
10.1k
   {
109
10.1k
   // So unique_ptr destructors run correctly
110
10.1k
   }
111
112
Connection_Sequence_Numbers& Channel::sequence_numbers() const
113
187k
   {
114
187k
   BOTAN_ASSERT(m_sequence_numbers, "Have a sequence numbers object");
115
187k
   return *m_sequence_numbers;
116
187k
   }
117
118
std::shared_ptr<Connection_Cipher_State> Channel::read_cipher_state_epoch(uint16_t epoch) const
119
1.00k
   {
120
1.00k
   auto i = m_read_cipher_states.find(epoch);
121
1.00k
   if(i == m_read_cipher_states.end())
122
74
      throw Internal_Error("TLS::Channel No read cipherstate for epoch " + std::to_string(epoch));
123
930
   return i->second;
124
930
   }
125
126
std::shared_ptr<Connection_Cipher_State> Channel::write_cipher_state_epoch(uint16_t epoch) const
127
90.7k
   {
128
90.7k
   auto i = m_write_cipher_states.find(epoch);
129
90.7k
   if(i == m_write_cipher_states.end())
130
0
      throw Internal_Error("TLS::Channel No write cipherstate for epoch " + std::to_string(epoch));
131
90.7k
   return i->second;
132
90.7k
   }
133
134
std::vector<X509_Certificate> Channel::peer_cert_chain() const
135
0
   {
136
0
   if(auto active = active_state())
137
0
      return get_peer_cert_chain(*active);
138
0
   return std::vector<X509_Certificate>();
139
0
   }
140
141
bool Channel::save_session(const Session& session)
142
457
   {
143
457
   return callbacks().tls_session_established(session);
144
457
   }
145
146
Handshake_State& Channel::create_handshake_state(Protocol_Version version)
147
45.2k
   {
148
45.2k
   if(pending_state())
149
0
      throw Internal_Error("create_handshake_state called during handshake");
150
45.2k
151
45.2k
   if(auto active = active_state())
152
0
      {
153
0
      Protocol_Version active_version = active->version();
154
0
155
0
      if(active_version.is_datagram_protocol() != version.is_datagram_protocol())
156
0
         {
157
0
         throw TLS_Exception(Alert::PROTOCOL_VERSION,
158
0
                             "Active state using version " + active_version.to_string() +
159
0
                             " cannot change to " + version.to_string() + " in pending");
160
0
         }
161
45.2k
      }
162
45.2k
163
45.2k
   if(!m_sequence_numbers)
164
9.98k
      {
165
9.98k
      if(version.is_datagram_protocol())
166
569
         m_sequence_numbers.reset(new Datagram_Sequence_Numbers);
167
9.41k
      else
168
9.41k
         m_sequence_numbers.reset(new Stream_Sequence_Numbers);
169
9.98k
      }
170
45.2k
171
45.2k
   using namespace std::placeholders;
172
45.2k
173
45.2k
   std::unique_ptr<Handshake_IO> io;
174
45.2k
   if(version.is_datagram_protocol())
175
569
      {
176
569
      io.reset(new Datagram_Handshake_IO(
177
569
                  std::bind(&Channel::send_record_under_epoch, this, _1, _2, _3),
178
569
                  sequence_numbers(),
179
569
                  static_cast<uint16_t>(m_policy.dtls_default_mtu()),
180
569
                  m_policy.dtls_initial_timeout(),
181
569
                  m_policy.dtls_maximum_timeout()));
182
569
      }
183
44.6k
   else
184
44.6k
      {
185
44.6k
      io.reset(new Stream_Handshake_IO(std::bind(&Channel::send_record, this, _1, _2)));
186
44.6k
      }
187
45.2k
188
45.2k
   m_pending_state.reset(new_handshake_state(io.release()));
189
45.2k
190
45.2k
   if(auto active = active_state())
191
0
      m_pending_state->set_version(active->version());
192
45.2k
193
45.2k
   return *m_pending_state.get();
194
45.2k
   }
195
196
bool Channel::timeout_check()
197
0
   {
198
0
   if(m_pending_state)
199
0
      return m_pending_state->handshake_io().timeout_check();
200
0
201
0
   //FIXME: scan cipher suites and remove epochs older than 2*MSL
202
0
   return false;
203
0
   }
204
205
void Channel::renegotiate(bool force_full_renegotiation)
206
0
   {
207
0
   if(pending_state()) // currently in handshake?
208
0
      return;
209
0
210
0
   if(auto active = active_state())
211
0
      {
212
0
      if(force_full_renegotiation == false)
213
0
         force_full_renegotiation = !policy().allow_resumption_for_renegotiation();
214
0
215
0
      initiate_handshake(create_handshake_state(active->version()),
216
0
                         force_full_renegotiation);
217
0
      }
218
0
   else
219
0
      throw Invalid_State("Cannot renegotiate on inactive connection");
220
0
   }
221
222
void Channel::change_cipher_spec_reader(Connection_Side side)
223
1.28k
   {
224
1.28k
   auto pending = pending_state();
225
1.28k
226
1.28k
   BOTAN_ASSERT(pending && pending->server_hello(),
227
1.28k
                "Have received server hello");
228
1.28k
229
1.28k
   if(pending->server_hello()->compression_method() != 0)
230
0
      throw Internal_Error("Negotiated unknown compression algorithm");
231
1.28k
232
1.28k
   sequence_numbers().new_read_cipher_state();
233
1.28k
234
1.28k
   const uint16_t epoch = sequence_numbers().current_read_epoch();
235
1.28k
236
1.28k
   BOTAN_ASSERT(m_read_cipher_states.count(epoch) == 0,
237
1.28k
                "No read cipher state currently set for next epoch");
238
1.28k
239
1.28k
   // flip side as we are reading
240
1.28k
   std::shared_ptr<Connection_Cipher_State> read_state(
241
1.28k
      new Connection_Cipher_State(pending->version(),
242
1.28k
                                  (side == CLIENT) ? SERVER : CLIENT,
243
1.28k
                                  false,
244
1.28k
                                  pending->ciphersuite(),
245
1.28k
                                  pending->session_keys(),
246
1.28k
                                  pending->server_hello()->supports_encrypt_then_mac()));
247
1.28k
248
1.28k
   m_read_cipher_states[epoch] = read_state;
249
1.28k
   }
250
251
void Channel::change_cipher_spec_writer(Connection_Side side)
252
1.20k
   {
253
1.20k
   auto pending = pending_state();
254
1.20k
255
1.20k
   BOTAN_ASSERT(pending && pending->server_hello(),
256
1.20k
                "Have received server hello");
257
1.20k
258
1.20k
   if(pending->server_hello()->compression_method() != 0)
259
0
      throw Internal_Error("Negotiated unknown compression algorithm");
260
1.20k
261
1.20k
   sequence_numbers().new_write_cipher_state();
262
1.20k
263
1.20k
   const uint16_t epoch = sequence_numbers().current_write_epoch();
264
1.20k
265
1.20k
   BOTAN_ASSERT(m_write_cipher_states.count(epoch) == 0,
266
1.20k
                "No write cipher state currently set for next epoch");
267
1.20k
268
1.20k
   std::shared_ptr<Connection_Cipher_State> write_state(
269
1.20k
      new Connection_Cipher_State(pending->version(),
270
1.20k
                                  side,
271
1.20k
                                  true,
272
1.20k
                                  pending->ciphersuite(),
273
1.20k
                                  pending->session_keys(),
274
1.20k
                                  pending->server_hello()->supports_encrypt_then_mac()));
275
1.20k
276
1.20k
   m_write_cipher_states[epoch] = write_state;
277
1.20k
   }
278
279
bool Channel::is_active() const
280
0
   {
281
0
   if(is_closed())
282
0
      return false;
283
0
   return (active_state() != nullptr);
284
0
   }
285
286
bool Channel::is_closed() const
287
9.62k
   {
288
9.62k
   return m_has_been_closed;
289
9.62k
   }
290
291
void Channel::activate_session()
292
457
   {
293
457
   std::swap(m_active_state, m_pending_state);
294
457
   m_pending_state.reset();
295
457
296
457
   if(!m_active_state->version().is_datagram_protocol())
297
457
      {
298
457
      // TLS is easy just remove all but the current state
299
457
      const uint16_t current_epoch = sequence_numbers().current_write_epoch();
300
457
301
457
      const auto not_current_epoch =
302
1.82k
         [current_epoch](uint16_t epoch) { return (epoch != current_epoch); };
303
457
304
457
      map_remove_if(not_current_epoch, m_write_cipher_states);
305
457
      map_remove_if(not_current_epoch, m_read_cipher_states);
306
457
      }
307
457
308
457
   callbacks().tls_session_activated();
309
457
   }
310
311
size_t Channel::received_data(const std::vector<uint8_t>& buf)
312
0
   {
313
0
   return this->received_data(buf.data(), buf.size());
314
0
   }
315
316
size_t Channel::received_data(const uint8_t input[], size_t input_size)
317
10.1k
   {
318
10.1k
   const bool allow_epoch0_restart = m_is_datagram && m_is_server && policy().allow_dtls_epoch0_restart();
319
10.1k
320
10.1k
   try
321
10.1k
      {
322
154k
      while(input_size)
323
145k
         {
324
145k
         size_t consumed = 0;
325
145k
326
145k
         auto get_epoch = [this](uint16_t epoch) { return read_cipher_state_epoch(epoch); };
327
145k
328
145k
         const Record_Header record =
329
145k
            read_record(m_is_datagram,
330
145k
                        m_readbuf,
331
145k
                        input,
332
145k
                        input_size,
333
145k
                        consumed,
334
145k
                        m_record_buf,
335
145k
                        m_sequence_numbers.get(),
336
145k
                        get_epoch,
337
145k
                        allow_epoch0_restart);
338
145k
339
145k
         const size_t needed = record.needed();
340
145k
341
145k
         BOTAN_ASSERT(consumed > 0, "Got to eat something");
342
145k
343
145k
         BOTAN_ASSERT(consumed <= input_size,
344
145k
                      "Record reader consumed sane amount");
345
145k
346
145k
         input += consumed;
347
145k
         input_size -= consumed;
348
145k
349
145k
         BOTAN_ASSERT(input_size == 0 || needed == 0,
350
145k
                      "Got a full record or consumed all input");
351
145k
352
145k
         if(input_size == 0 && needed != 0)
353
1.03k
            return needed; // need more data to complete record
354
144k
355
144k
         // Ignore invalid records in DTLS
356
144k
         if(m_is_datagram && record.type() == NO_RECORD)
357
171
            {
358
171
            return 0;
359
171
            }
360
144k
361
144k
         if(m_record_buf.size() > MAX_PLAINTEXT_SIZE)
362
0
            throw TLS_Exception(Alert::RECORD_OVERFLOW,
363
0
                                "TLS plaintext record is larger than allowed maximum");
364
144k
365
144k
366
144k
         const bool epoch0_restart = m_is_datagram && record.epoch() == 0 && active_state();
367
144k
         BOTAN_ASSERT_IMPLICATION(epoch0_restart, allow_epoch0_restart, "Allowed state");
368
144k
369
144k
         const bool initial_record = epoch0_restart || (!pending_state() && !active_state());
370
144k
371
144k
         if(record.type() != ALERT)
372
80.1k
            {
373
80.1k
            if(initial_record)
374
40.0k
               {
375
40.0k
               // For initial records just check for basic sanity
376
40.0k
               if(record.version().major_version() != 3 &&
377
40.0k
                  record.version().major_version() != 0xFE)
378
30
                  {
379
30
                  throw TLS_Exception(Alert::PROTOCOL_VERSION,
380
30
                                      "Received unexpected record version in initial record");
381
30
                  }
382
40.0k
               }
383
40.0k
            else if(auto pending = pending_state())
384
40.0k
               {
385
40.0k
               if(pending->server_hello() != nullptr && record.version() != pending->version())
386
78
                  {
387
78
                  if(record.version() != pending->version())
388
78
                     {
389
78
                     throw TLS_Exception(Alert::PROTOCOL_VERSION,
390
78
                                         "Received unexpected record version");
391
78
                     }
392
0
                  }
393
0
               }
394
0
            else if(auto active = active_state())
395
0
               {
396
0
               if(record.version() != active->version())
397
0
                  {
398
0
                  throw TLS_Exception(Alert::PROTOCOL_VERSION,
399
0
                                      "Received unexpected record version");
400
0
                  }
401
144k
               }
402
80.1k
            }
403
144k
404
144k
         if(record.type() == HANDSHAKE || record.type() == CHANGE_CIPHER_SPEC)
405
79.8k
            {
406
79.8k
            if(m_has_been_closed)
407
3
               throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Received handshake data after connection closure");
408
79.8k
            process_handshake_ccs(m_record_buf, record.sequence(), record.type(), record.version(), epoch0_restart);
409
79.8k
            }
410
64.4k
         else if(record.type() == APPLICATION_DATA)
411
13
            {
412
13
            if(m_has_been_closed)
413
2
               throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Received application data after connection closure");
414
11
            if(pending_state() != nullptr)
415
7
               throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Can't interleave application and handshake data");
416
4
            process_application_data(record.sequence(), m_record_buf);
417
4
            }
418
64.3k
         else if(record.type() == ALERT)
419
62.8k
            {
420
62.8k
            process_alert(m_record_buf);
421
62.8k
            }
422
1.51k
         else if(record.type() != NO_RECORD)
423
102
            throw Unexpected_Message("Unexpected record type " +
424
102
                                     std::to_string(record.type()) +
425
102
                                     " from counterparty");
426
144k
         }
427
10.1k
428
10.1k
      return 0; // on a record boundary
429
2.52k
      }
430
2.52k
   catch(TLS_Exception& e)
431
2.52k
      {
432
2.52k
      send_fatal_alert(e.type());
433
2.52k
      throw;
434
2.52k
      }
435
576
   catch(Invalid_Authentication_Tag&)
436
576
      {
437
576
      send_fatal_alert(Alert::BAD_RECORD_MAC);
438
576
      throw;
439
576
      }
440
3.76k
   catch(Decoding_Error&)
441
3.76k
      {
442
3.76k
      send_fatal_alert(Alert::DECODE_ERROR);
443
3.76k
      throw;
444
3.76k
      }
445
357
   catch(...)
446
357
      {
447
357
      send_fatal_alert(Alert::INTERNAL_ERROR);
448
357
      throw;
449
357
      }
450
10.1k
   }
451
452
void Channel::process_handshake_ccs(const secure_vector<uint8_t>& record,
453
                                    uint64_t record_sequence,
454
                                    Record_Type record_type,
455
                                    Protocol_Version record_version,
456
                                    bool epoch0_restart)
457
79.8k
   {
458
79.8k
   if(!m_pending_state)
459
39.9k
      {
460
39.9k
      // No pending handshake, possibly new:
461
39.9k
      if(record_version.is_datagram_protocol() && !epoch0_restart)
462
569
         {
463
569
         if(m_sequence_numbers)
464
0
            {
465
0
            /*
466
0
            * Might be a peer retransmit under epoch - 1 in which
467
0
            * case we must retransmit last flight
468
0
            */
469
0
            sequence_numbers().read_accept(record_sequence);
470
0
471
0
            const uint16_t epoch = record_sequence >> 48;
472
0
473
0
            if(epoch == sequence_numbers().current_read_epoch())
474
0
               {
475
0
               create_handshake_state(record_version);
476
0
               }
477
0
            else if(epoch == sequence_numbers().current_read_epoch() - 1)
478
0
               {
479
0
               BOTAN_ASSERT(m_active_state, "Have active state here");
480
0
               m_active_state->handshake_io().add_record(record.data(),
481
0
                                                         record.size(),
482
0
                                                         record_type,
483
0
                                                         record_sequence);
484
0
               }
485
0
            }
486
569
         else
487
569
            {
488
569
            create_handshake_state(record_version);
489
569
            }
490
569
         }
491
39.4k
      else
492
39.4k
         {
493
39.4k
         create_handshake_state(record_version);
494
39.4k
         }
495
39.9k
      }
496
79.8k
497
79.8k
   // May have been created in above conditional
498
79.8k
   if(m_pending_state)
499
79.8k
      {
500
79.8k
      m_pending_state->handshake_io().add_record(record.data(),
501
79.8k
                                                 record.size(),
502
79.8k
                                                 record_type,
503
79.8k
                                                 record_sequence);
504
79.8k
505
134k
      while(auto pending = m_pending_state.get())
506
129k
         {
507
129k
         auto msg = pending->get_next_handshake_msg();
508
129k
509
129k
         if(msg.first == HANDSHAKE_NONE) // no full handshake yet
510
73.9k
            break;
511
55.2k
512
55.2k
         process_handshake_msg(active_state(), *pending,
513
55.2k
                               msg.first, msg.second, epoch0_restart);
514
55.2k
515
55.2k
         if(!m_pending_state)
516
457
            break;
517
55.2k
         }
518
79.8k
      }
519
79.8k
   }
520
521
void Channel::process_application_data(uint64_t seq_no, const secure_vector<uint8_t>& record)
522
4
   {
523
4
   if(!active_state())
524
4
      throw Unexpected_Message("Application data before handshake done");
525
0
526
0
   callbacks().tls_record_received(seq_no, record.data(), record.size());
527
0
   }
528
529
void Channel::process_alert(const secure_vector<uint8_t>& record)
530
62.8k
    {
531
62.8k
    Alert alert_msg(record);
532
62.8k
533
62.8k
    if(alert_msg.type() == Alert::NO_RENEGOTIATION)
534
40.1k
       m_pending_state.reset();
535
62.8k
536
62.8k
    callbacks().tls_alert(alert_msg);
537
62.8k
538
62.8k
    if(alert_msg.is_fatal())
539
2.11k
       {
540
2.11k
       if(auto active = active_state())
541
0
          m_session_manager.remove_entry(active->server_hello()->session_id());
542
2.11k
       }
543
62.8k
544
62.8k
    if(alert_msg.type() == Alert::CLOSE_NOTIFY)
545
2.40k
       send_warning_alert(Alert::CLOSE_NOTIFY); // reply in kind
546
62.8k
547
62.8k
    if(alert_msg.type() == Alert::CLOSE_NOTIFY || alert_msg.is_fatal())
548
2.91k
       {
549
2.91k
       m_has_been_closed = true;
550
2.91k
       }
551
62.8k
    }
552
553
void Channel::write_record(Connection_Cipher_State* cipher_state, uint16_t epoch,
554
                           uint8_t record_type, const uint8_t input[], size_t length)
555
90.7k
   {
556
90.7k
   BOTAN_ASSERT(m_pending_state || m_active_state, "Some connection state exists");
557
90.7k
558
90.7k
   const Protocol_Version record_version =
559
90.7k
      (m_pending_state) ? (m_pending_state->version()) : (m_active_state->version());
560
90.7k
561
90.7k
   const uint64_t next_seq = sequence_numbers().next_write_sequence(epoch);
562
90.7k
563
90.7k
   if(cipher_state == nullptr)
564
88.6k
      {
565
88.6k
      TLS::write_unencrypted_record(m_writebuf, record_type, record_version, next_seq,
566
88.6k
                                    input, length);
567
88.6k
      }
568
2.08k
   else
569
2.08k
      {
570
2.08k
      TLS::write_record(m_writebuf, record_type, record_version, next_seq,
571
2.08k
                        input, length, *cipher_state, m_rng);
572
2.08k
      }
573
90.7k
574
90.7k
   callbacks().tls_emit_data(m_writebuf.data(), m_writebuf.size());
575
90.7k
   }
576
577
void Channel::send_record_array(uint16_t epoch, uint8_t type, const uint8_t input[], size_t length)
578
90.7k
   {
579
90.7k
   if(length == 0)
580
0
      return;
581
90.7k
582
90.7k
   /*
583
90.7k
   * In versions without an explicit IV field (only TLS v1.0 now that
584
90.7k
   * SSLv3 has been removed) send a single byte record first to randomize
585
90.7k
   * the following (implicit) IV of the following record.
586
90.7k
   *
587
90.7k
   * This isn't needed in TLS v1.1 or higher.
588
90.7k
   *
589
90.7k
   * An empty record also works but apparently some implementations do
590
90.7k
   * not like this (https://bugzilla.mozilla.org/show_bug.cgi?id=665814)
591
90.7k
   *
592
90.7k
   * See https://www.openssl.org/~bodo/tls-cbc.txt for background.
593
90.7k
   */
594
90.7k
595
90.7k
   auto cipher_state = write_cipher_state_epoch(epoch);
596
90.7k
597
90.7k
   if(type == APPLICATION_DATA && m_active_state->version().supports_explicit_cbc_ivs() == false)
598
0
      {
599
0
      while(length)
600
0
         {
601
0
         write_record(cipher_state.get(), epoch, type, input, 1);
602
0
         input += 1;
603
0
         length -= 1;
604
0
605
0
         const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
606
0
         write_record(cipher_state.get(), epoch, type, input, sending);
607
0
608
0
         input += sending;
609
0
         length -= sending;
610
0
         }
611
0
      }
612
90.7k
   else
613
90.7k
      {
614
181k
      while(length)
615
90.7k
         {
616
90.7k
         const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
617
90.7k
         write_record(cipher_state.get(), epoch, type, input, sending);
618
90.7k
619
90.7k
         input += sending;
620
90.7k
         length -= sending;
621
90.7k
         }
622
90.7k
      }
623
90.7k
   }
624
625
void Channel::send_record(uint8_t record_type, const std::vector<uint8_t>& record)
626
90.8k
   {
627
90.8k
   send_record_array(sequence_numbers().current_write_epoch(),
628
90.8k
                     record_type, record.data(), record.size());
629
90.8k
   }
630
631
void Channel::send_record_under_epoch(uint16_t epoch, uint8_t record_type,
632
                                      const std::vector<uint8_t>& record)
633
0
   {
634
0
   send_record_array(epoch, record_type, record.data(), record.size());
635
0
   }
636
637
void Channel::send(const uint8_t buf[], size_t buf_size)
638
0
   {
639
0
   if(!is_active())
640
0
      throw Invalid_State("Data cannot be sent on inactive TLS connection");
641
0
642
0
   send_record_array(sequence_numbers().current_write_epoch(),
643
0
                     APPLICATION_DATA, buf, buf_size);
644
0
   }
645
646
void Channel::send(const std::string& string)
647
0
   {
648
0
   this->send(cast_char_ptr_to_uint8(string.data()), string.size());
649
0
   }
650
651
void Channel::send_alert(const Alert& alert)
652
9.62k
   {
653
9.62k
   if(alert.is_valid() && !is_closed())
654
7.24k
      {
655
7.24k
      try
656
7.24k
         {
657
7.24k
         send_record(ALERT, alert.serialize());
658
7.24k
         }
659
7.24k
      catch(...) { /* swallow it */ }
660
7.24k
      }
661
9.62k
662
9.62k
   if(alert.type() == Alert::NO_RENEGOTIATION)
663
0
      m_pending_state.reset();
664
9.62k
665
9.62k
   if(alert.is_fatal())
666
7.21k
      if(auto active = active_state())
667
273
         m_session_manager.remove_entry(active->server_hello()->session_id());
668
9.62k
669
9.62k
   if(alert.is_fatal())
670
7.21k
      reset_state();
671
9.62k
672
9.62k
   if(alert.type() == Alert::CLOSE_NOTIFY || alert.is_fatal())
673
9.62k
      {
674
9.62k
      m_has_been_closed = true;
675
9.62k
      }
676
9.62k
   }
677
678
void Channel::secure_renegotiation_check(const Client_Hello* client_hello)
679
28.2k
   {
680
28.2k
   const bool secure_renegotiation = client_hello->secure_renegotiation();
681
28.2k
682
28.2k
   if(auto active = active_state())
683
0
      {
684
0
      const bool active_sr = active->client_hello()->secure_renegotiation();
685
0
686
0
      if(active_sr != secure_renegotiation)
687
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
688
0
                             "Client changed its mind about secure renegotiation");
689
28.2k
      }
690
28.2k
691
28.2k
   if(secure_renegotiation)
692
10.1k
      {
693
10.1k
      const std::vector<uint8_t>& data = client_hello->renegotiation_info();
694
10.1k
695
10.1k
      if(data != secure_renegotiation_data_for_client_hello())
696
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
697
1
                             "Client sent bad values for secure renegotiation");
698
10.1k
      }
699
28.2k
   }
700
701
void Channel::secure_renegotiation_check(const Server_Hello* server_hello)
702
26.6k
   {
703
26.6k
   const bool secure_renegotiation = server_hello->secure_renegotiation();
704
26.6k
705
26.6k
   if(auto active = active_state())
706
0
      {
707
0
      const bool active_sr = active->server_hello()->secure_renegotiation();
708
0
709
0
      if(active_sr != secure_renegotiation)
710
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
711
0
                             "Server changed its mind about secure renegotiation");
712
26.6k
      }
713
26.6k
714
26.6k
   if(secure_renegotiation)
715
7.64k
      {
716
7.64k
      const std::vector<uint8_t>& data = server_hello->renegotiation_info();
717
7.64k
718
7.64k
      if(data != secure_renegotiation_data_for_server_hello())
719
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
720
1
                             "Server sent bad values for secure renegotiation");
721
7.64k
      }
722
26.6k
   }
723
724
std::vector<uint8_t> Channel::secure_renegotiation_data_for_client_hello() const
725
15.4k
   {
726
15.4k
   if(auto active = active_state())
727
0
      return active->client_finished()->verify_data();
728
15.4k
   return std::vector<uint8_t>();
729
15.4k
   }
730
731
std::vector<uint8_t> Channel::secure_renegotiation_data_for_server_hello() const
732
30.4k
   {
733
30.4k
   if(auto active = active_state())
734
0
      {
735
0
      std::vector<uint8_t> buf = active->client_finished()->verify_data();
736
0
      buf += active->server_finished()->verify_data();
737
0
      return buf;
738
0
      }
739
30.4k
740
30.4k
   return std::vector<uint8_t>();
741
30.4k
   }
742
743
bool Channel::secure_renegotiation_supported() const
744
0
   {
745
0
   if(auto active = active_state())
746
0
      return active->server_hello()->secure_renegotiation();
747
0
748
0
   if(auto pending = pending_state())
749
0
      if(auto hello = pending->server_hello())
750
0
         return hello->secure_renegotiation();
751
0
752
0
   return false;
753
0
   }
754
755
SymmetricKey Channel::key_material_export(const std::string& label,
756
                                          const std::string& context,
757
                                          size_t length) const
758
0
   {
759
0
   if(auto active = active_state())
760
0
      {
761
0
      if(pending_state() != nullptr)
762
0
         throw Invalid_State("Channel::key_material_export cannot export during renegotiation");
763
0
764
0
      std::unique_ptr<KDF> prf(active->protocol_specific_prf());
765
0
766
0
      const secure_vector<uint8_t>& master_secret =
767
0
         active->session_keys().master_secret();
768
0
769
0
      std::vector<uint8_t> salt;
770
0
      salt += active->client_hello()->random();
771
0
      salt += active->server_hello()->random();
772
0
773
0
      if(context != "")
774
0
         {
775
0
         size_t context_size = context.length();
776
0
         if(context_size > 0xFFFF)
777
0
            throw Invalid_Argument("key_material_export context is too long");
778
0
         salt.push_back(get_byte(0, static_cast<uint16_t>(context_size)));
779
0
         salt.push_back(get_byte(1, static_cast<uint16_t>(context_size)));
780
0
         salt += to_byte_vector(context);
781
0
         }
782
0
783
0
      return prf->derive_key(length, master_secret, salt, to_byte_vector(label));
784
0
      }
785
0
   else
786
0
      {
787
0
      throw Invalid_State("Channel::key_material_export connection not active");
788
0
      }
789
0
   }
790
791
}
792
793
}