Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/tls/tls_client.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Client
3
* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/tls_client.h>
11
#include <botan/tls_messages.h>
12
#include <botan/internal/tls_handshake_state.h>
13
#include <botan/internal/stl_util.h>
14
#include <iterator>
15
#include <sstream>
16
17
namespace Botan {
18
19
namespace TLS {
20
21
namespace {
22
23
class Client_Handshake_State final : public Handshake_State
24
   {
25
   public:
26
      Client_Handshake_State(Handshake_IO* io, Callbacks& cb) :
27
         Handshake_State(io, cb),
28
         m_is_reneg(false)
29
14.1k
         {}
30
31
      const Public_Key& get_server_public_key() const
32
269
         {
33
269
         BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
34
269
         return *server_public_key.get();
35
269
         }
36
37
114
      bool is_a_resumption() const { return (resumed_session != nullptr); }
38
39
0
      bool is_a_renegotiation() const { return m_is_reneg; }
40
41
      const secure_vector<uint8_t>& resume_master_secret() const
42
0
         {
43
0
         BOTAN_STATE_CHECK(is_a_resumption());
44
0
         return resumed_session->master_secret();
45
0
         }
46
47
      const std::vector<X509_Certificate>& resume_peer_certs() const
48
0
         {
49
0
         BOTAN_STATE_CHECK(is_a_resumption());
50
0
         return resumed_session->peer_certs();
51
0
         }
52
53
      std::unique_ptr<Public_Key> server_public_key;
54
      // Used during session resumption
55
      std::unique_ptr<Session> resumed_session;
56
      bool m_is_reneg = false;
57
   };
58
59
}
60
61
/*
62
* TLS Client Constructor
63
*/
64
Client::Client(Callbacks& callbacks,
65
               Session_Manager& session_manager,
66
               Credentials_Manager& creds,
67
               const Policy& policy,
68
               RandomNumberGenerator& rng,
69
               const Server_Information& info,
70
               const Protocol_Version& offer_version,
71
               const std::vector<std::string>& next_protos,
72
               size_t io_buf_sz) :
73
   Channel(callbacks, session_manager, rng, policy,
74
           false, offer_version.is_datagram_protocol(), io_buf_sz),
75
   m_creds(creds),
76
   m_info(info)
77
5.24k
   {
78
5.24k
   init(offer_version, next_protos);
79
5.24k
   }
80
81
Client::Client(output_fn data_output_fn,
82
               data_cb proc_cb,
83
               alert_cb recv_alert_cb,
84
               handshake_cb hs_cb,
85
               Session_Manager& session_manager,
86
               Credentials_Manager& creds,
87
               const Policy& policy,
88
               RandomNumberGenerator& rng,
89
               const Server_Information& info,
90
               const Protocol_Version& offer_version,
91
               const std::vector<std::string>& next_protos,
92
               size_t io_buf_sz) :
93
   Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, Channel::handshake_msg_cb(),
94
           session_manager, rng, policy, false, offer_version.is_datagram_protocol(), io_buf_sz),
95
   m_creds(creds),
96
   m_info(info)
97
0
   {
98
0
   init(offer_version, next_protos);
99
0
   }
100
101
Client::Client(output_fn data_output_fn,
102
               data_cb proc_cb,
103
               alert_cb recv_alert_cb,
104
               handshake_cb hs_cb,
105
               handshake_msg_cb hs_msg_cb,
106
               Session_Manager& session_manager,
107
               Credentials_Manager& creds,
108
               const Policy& policy,
109
               RandomNumberGenerator& rng,
110
               const Server_Information& info,
111
               const Protocol_Version& offer_version,
112
               const std::vector<std::string>& next_protos) :
113
   Channel(data_output_fn, proc_cb, recv_alert_cb, hs_cb, hs_msg_cb,
114
           session_manager, rng, policy, false, offer_version.is_datagram_protocol()),
115
   m_creds(creds),
116
   m_info(info)
117
0
   {
118
0
   init(offer_version, next_protos);
119
0
   }
120
121
void Client::init(const Protocol_Version& protocol_version,
122
                  const std::vector<std::string>& next_protocols)
123
5.24k
   {
124
5.24k
   const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname());
125
5.24k
126
5.24k
   Handshake_State& state = create_handshake_state(protocol_version);
127
5.24k
   send_client_hello(state, false, protocol_version,
128
5.24k
                     srp_identifier, next_protocols);
129
5.24k
   }
130
131
Handshake_State* Client::new_handshake_state(Handshake_IO* io)
132
14.1k
   {
133
14.1k
   return new Client_Handshake_State(io, callbacks());
134
14.1k
   }
135
136
std::vector<X509_Certificate>
137
Client::get_peer_cert_chain(const Handshake_State& state) const
138
79
   {
139
79
   const Client_Handshake_State& cstate = dynamic_cast<const Client_Handshake_State&>(state);
140
79
141
79
   if(cstate.is_a_resumption())
142
0
      return cstate.resume_peer_certs();
143
79
144
79
   if(state.server_certs())
145
30
      return state.server_certs()->cert_chain();
146
49
   return std::vector<X509_Certificate>();
147
49
   }
148
149
/*
150
* Send a new client hello to renegotiate
151
*/
152
void Client::initiate_handshake(Handshake_State& state,
153
                                bool force_full_renegotiation)
154
0
   {
155
0
   send_client_hello(state, force_full_renegotiation,
156
0
                     policy().latest_supported_version(state.version().is_datagram_protocol()));
157
0
   }
158
159
void Client::send_client_hello(Handshake_State& state_base,
160
                               bool force_full_renegotiation,
161
                               Protocol_Version version,
162
                               const std::string& srp_identifier,
163
                               const std::vector<std::string>& next_protocols)
164
5.24k
   {
165
5.24k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
166
5.24k
167
5.24k
   if(state.version().is_datagram_protocol())
168
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // optional
169
5.24k
   state.set_expected_next(SERVER_HELLO);
170
5.24k
171
5.24k
   if(!force_full_renegotiation && !m_info.empty())
172
5.24k
      {
173
5.24k
      std::unique_ptr<Session> session_info(new Session);;
174
5.24k
      if(session_manager().load_from_server_info(m_info, *session_info))
175
0
         {
176
0
         /*
177
0
         Ensure that the session protocol cipher and version are acceptable
178
0
         If not skip the resume and establish a new session
179
0
         */
180
0
         const bool exact_version = session_info->version() == version;
181
0
         const bool ok_version =
182
0
            (session_info->version().is_datagram_protocol() == version.is_datagram_protocol()) &&
183
0
            policy().acceptable_protocol_version(session_info->version());
184
0
185
0
         const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
186
0
187
0
         if(policy().acceptable_ciphersuite(session_info->ciphersuite()) && session_version_ok)
188
0
            {
189
0
            if(srp_identifier == "" || session_info->srp_identifier() == srp_identifier)
190
0
               {
191
0
               state.client_hello(
192
0
                  new Client_Hello(state.handshake_io(),
193
0
                                   state.hash(),
194
0
                                   policy(),
195
0
                                   callbacks(),
196
0
                                   rng(),
197
0
                                   secure_renegotiation_data_for_client_hello(),
198
0
                                   *session_info,
199
0
                                   next_protocols));
200
0
201
0
               state.resumed_session = std::move(session_info);
202
0
               }
203
0
            }
204
0
         }
205
5.24k
      }
206
5.24k
207
5.24k
   if(!state.client_hello()) // not resuming
208
5.24k
      {
209
5.24k
      Client_Hello::Settings client_settings(version, m_info.hostname(), srp_identifier);
210
5.24k
      state.client_hello(new Client_Hello(
211
5.24k
         state.handshake_io(),
212
5.24k
         state.hash(),
213
5.24k
         policy(),
214
5.24k
         callbacks(),
215
5.24k
         rng(),
216
5.24k
         secure_renegotiation_data_for_client_hello(),
217
5.24k
         client_settings,
218
5.24k
         next_protocols));
219
5.24k
      }
220
5.24k
221
5.24k
   secure_renegotiation_check(state.client_hello());
222
5.24k
   }
223
224
/*
225
* Process a handshake message
226
*/
227
void Client::process_handshake_msg(const Handshake_State* active_state,
228
                                   Handshake_State& state_base,
229
                                   Handshake_Type type,
230
                                   const std::vector<uint8_t>& contents,
231
                                   bool epoch0_restart)
232
10.0k
   {
233
10.0k
   BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
234
10.0k
235
10.0k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
236
10.0k
237
10.0k
   if(type == HELLO_REQUEST && active_state)
238
0
      {
239
0
      Hello_Request hello_request(contents);
240
0
241
0
      if(state.client_hello())
242
0
         {
243
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Cannot renegotiate during a handshake");
244
0
         }
245
0
246
0
      if(policy().allow_server_initiated_renegotiation())
247
0
         {
248
0
         if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation())
249
0
            {
250
0
            state.m_is_reneg = true;
251
0
            this->initiate_handshake(state, true);
252
0
            }
253
0
         else
254
0
            {
255
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Client policy prohibits insecure renegotiation");
256
0
            }
257
0
         }
258
0
      else
259
0
         {
260
0
         if(policy().abort_connection_on_undesired_renegotiation())
261
0
            {
262
0
            throw TLS_Exception(Alert::NO_RENEGOTIATION, "Client policy prohibits renegotiation");
263
0
            }
264
0
         else
265
0
            {
266
0
            // RFC 5746 section 4.2
267
0
            send_warning_alert(Alert::NO_RENEGOTIATION);
268
0
            }
269
0
         }
270
0
271
0
      return;
272
10.0k
      }
273
10.0k
274
10.0k
   state.confirm_transition_to(type);
275
10.0k
276
10.0k
   if(type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST)
277
9.20k
      state.hash().update(state.handshake_io().format(contents, type));
278
10.0k
279
10.0k
   if(type == HELLO_VERIFY_REQUEST)
280
0
      {
281
0
      state.set_expected_next(SERVER_HELLO);
282
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // might get it again
283
0
284
0
      Hello_Verify_Request hello_verify_request(contents);
285
0
      state.hello_verify_request(hello_verify_request);
286
0
      }
287
10.0k
   else if(type == SERVER_HELLO)
288
4.67k
      {
289
4.67k
      state.server_hello(new Server_Hello(contents));
290
4.67k
291
4.67k
      if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
292
32
         {
293
32
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
294
32
                             "Server replied with ciphersuite we didn't send");
295
32
         }
296
4.63k
297
4.63k
      if(!Ciphersuite::by_id(state.server_hello()->ciphersuite()).usable_in_version(state.server_hello()->version()))
298
1
         {
299
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
300
1
                             "Server replied using a ciphersuite not allowed in version it offered");
301
1
         }
302
4.63k
303
4.63k
      if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
304
0
         {
305
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
306
0
                             "Server replied with a signaling ciphersuite");
307
0
         }
308
4.63k
309
4.63k
      if(state.server_hello()->compression_method() != 0)
310
13
         {
311
13
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
312
13
                             "Server replied with non-null compression method");
313
13
         }
314
4.62k
315
4.62k
      if(state.client_hello()->version() > state.server_hello()->version())
316
107
         {
317
107
         if(state.server_hello()->random_signals_downgrade())
318
1
            throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
319
4.62k
         }
320
4.62k
321
4.62k
      auto client_extn = state.client_hello()->extension_types();
322
4.62k
      auto server_extn = state.server_hello()->extension_types();
323
4.62k
324
4.62k
      std::vector<Handshake_Extension_Type> diff;
325
4.62k
326
4.62k
      std::set_difference(server_extn.begin(), server_extn.end(),
327
4.62k
                          client_extn.begin(), client_extn.end(),
328
4.62k
                          std::back_inserter(diff));
329
4.62k
330
4.62k
      if(!diff.empty())
331
54
         {
332
54
         // Server sent us back an extension we did not send!
333
54
334
54
         std::ostringstream msg;
335
54
         msg << "Server replied with unsupported extensions:";
336
54
         for(auto&& d : diff)
337
762
            msg << " " << static_cast<int>(d);
338
54
         throw TLS_Exception(Alert::UNSUPPORTED_EXTENSION, msg.str());
339
54
         }
340
4.56k
341
4.56k
      if(uint16_t srtp = state.server_hello()->srtp_profile())
342
0
         {
343
0
         if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
344
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
345
0
                                "Server replied with DTLS-SRTP alg we did not send");
346
4.56k
         }
347
4.56k
348
4.56k
      callbacks().tls_examine_extensions(state.server_hello()->extensions(), SERVER);
349
4.56k
350
4.56k
      state.set_version(state.server_hello()->version());
351
4.56k
      m_application_protocol = state.server_hello()->next_protocol();
352
4.56k
353
4.56k
      secure_renegotiation_check(state.server_hello());
354
4.56k
355
4.56k
      const bool server_returned_same_session_id =
356
4.56k
         !state.server_hello()->session_id().empty() &&
357
4.56k
         (state.server_hello()->session_id() == state.client_hello()->session_id());
358
4.56k
359
4.56k
      if(server_returned_same_session_id)
360
0
         {
361
0
         // successful resumption
362
0
363
0
         /*
364
0
         * In this case, we offered the version used in the original
365
0
         * session, and the server must resume with the same version.
366
0
         */
367
0
         if(state.server_hello()->version() != state.client_hello()->version())
368
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
369
0
                                "Server resumed session but with wrong version");
370
0
371
0
         if(state.server_hello()->supports_extended_master_secret() &&
372
0
            !state.resumed_session->supports_extended_master_secret())
373
0
            {
374
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
375
0
                                "Server resumed session but added extended master secret");
376
0
            }
377
0
378
0
         if(!state.server_hello()->supports_extended_master_secret() &&
379
0
            state.resumed_session->supports_extended_master_secret())
380
0
            {
381
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
382
0
                                "Server resumed session and removed extended master secret");
383
0
            }
384
0
385
0
         state.compute_session_keys(state.resume_master_secret());
386
0
387
0
         if(state.server_hello()->supports_session_ticket())
388
0
            {
389
0
            state.set_expected_next(NEW_SESSION_TICKET);
390
0
            }
391
0
         else
392
0
            {
393
0
            state.set_expected_next(HANDSHAKE_CCS);
394
0
            }
395
0
         }
396
4.56k
      else
397
4.56k
         {
398
4.56k
         // new session
399
4.56k
400
4.56k
         if(active_state)
401
0
            {
402
0
            // Here we are testing things that should not change during a renegotation,
403
0
            // even if the server creates a new session. Howerver they might change
404
0
            // in a resumption scenario.
405
0
406
0
            if(active_state->version() != state.server_hello()->version())
407
0
               throw TLS_Exception(Alert::PROTOCOL_VERSION,
408
0
                                   "Server changed version after renegotiation");
409
0
410
0
            if(state.server_hello()->supports_extended_master_secret() !=
411
0
               active_state->server_hello()->supports_extended_master_secret())
412
0
               {
413
0
               throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
414
0
                                   "Server changed its mind about extended master secret");
415
0
               }
416
4.56k
            }
417
4.56k
418
4.56k
         state.resumed_session.reset(); // non-null if we were attempting a resumption
419
4.56k
420
4.56k
         if(state.client_hello()->version().is_datagram_protocol() !=
421
4.56k
            state.server_hello()->version().is_datagram_protocol())
422
0
            {
423
0
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
424
0
                                "Server replied with different protocol type than we offered");
425
0
            }
426
4.56k
427
4.56k
         if(state.version() > state.client_hello()->version())
428
15
            {
429
15
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
430
15
                                "Server replied with later version than client offered");
431
15
            }
432
4.55k
433
4.55k
         if(state.version().major_version() == 3 && state.version().minor_version() == 0)
434
3
            {
435
3
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
436
3
                                "Server attempting to negotiate SSLv3 which is not supported");
437
3
            }
438
4.55k
439
4.55k
         if(!policy().acceptable_protocol_version(state.version()))
440
94
            {
441
94
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
442
94
                                "Server version " + state.version().to_string() +
443
94
                                " is unacceptable by policy");
444
94
            }
445
4.45k
446
4.45k
         if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
447
2.79k
            {
448
2.79k
            state.set_expected_next(CERTIFICATE);
449
2.79k
            }
450
1.65k
         else if(state.ciphersuite().kex_method() == Kex_Algo::PSK)
451
697
            {
452
697
            /* PSK is anonymous so no certificate/cert req message is
453
697
               ever sent. The server may or may not send a server kex,
454
697
               depending on if it has an identity hint for us.
455
697
456
697
               (EC)DHE_PSK always sends a server key exchange for the
457
697
               DH exchange portion, and is covered by block below
458
697
            */
459
697
460
697
            state.set_expected_next(SERVER_KEX);
461
697
            state.set_expected_next(SERVER_HELLO_DONE);
462
697
            }
463
962
         else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
464
305
            {
465
305
            state.set_expected_next(SERVER_KEX);
466
305
            }
467
657
         else
468
657
            {
469
657
            state.set_expected_next(CERTIFICATE_REQUEST); // optional
470
657
            state.set_expected_next(SERVER_HELLO_DONE);
471
657
            }
472
4.45k
         }
473
4.56k
      }
474
5.36k
   else if(type == CERTIFICATE)
475
2.75k
      {
476
2.75k
      state.server_certs(new Certificate(contents, policy()));
477
2.75k
478
2.75k
      const std::vector<X509_Certificate>& server_certs =
479
2.75k
         state.server_certs()->cert_chain();
480
2.75k
481
2.75k
      if(server_certs.empty())
482
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
483
1
                             "Client: No certificates sent by server");
484
2.75k
485
2.75k
      /*
486
2.75k
      If the server supports certificate status messages,
487
2.75k
      certificate verification happens after we receive the server hello done,
488
2.75k
      in case an OCSP response was also available
489
2.75k
      */
490
2.75k
491
2.75k
      X509_Certificate server_cert = server_certs[0];
492
2.75k
493
2.75k
      if(active_state && active_state->server_certs())
494
0
         {
495
0
         X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
496
0
497
0
         if(current_cert != server_cert)
498
0
            throw TLS_Exception(Alert::BAD_CERTIFICATE, "Server certificate changed during renegotiation");
499
2.75k
         }
500
2.75k
501
2.75k
      std::unique_ptr<Public_Key> peer_key(server_cert.subject_public_key());
502
2.75k
503
2.75k
      const std::string expected_key_type =
504
2.75k
         state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
505
2.75k
506
2.75k
      if(peer_key->algo_name() != expected_key_type)
507
103
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
508
103
                             "Certificate key type did not match ciphersuite");
509
2.65k
510
2.65k
      state.server_public_key.reset(peer_key.release());
511
2.65k
512
2.65k
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
513
657
         {
514
657
         state.set_expected_next(SERVER_KEX);
515
657
         }
516
1.99k
      else
517
1.99k
         {
518
1.99k
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
519
1.99k
         state.set_expected_next(SERVER_HELLO_DONE);
520
1.99k
         }
521
2.65k
522
2.65k
      if(state.server_hello()->supports_certificate_status_message())
523
101
         {
524
101
         state.set_expected_next(CERTIFICATE_STATUS); // optional
525
101
         }
526
2.55k
      else
527
2.55k
         {
528
2.55k
         try
529
2.55k
            {
530
2.55k
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
531
2.55k
532
2.55k
            callbacks().tls_verify_cert_chain(server_certs,
533
2.55k
                                              {},
534
2.55k
                                              trusted_CAs,
535
2.55k
                                              Usage_Type::TLS_SERVER_AUTH,
536
2.55k
                                              m_info.hostname(),
537
2.55k
                                              policy());
538
2.55k
            }
539
2.55k
         catch(TLS_Exception&)
540
2.55k
            {
541
0
            throw;
542
0
            }
543
0
         catch(std::exception& e)
544
0
            {
545
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
546
0
            }
547
2.60k
         }
548
2.60k
      }
549
2.60k
   else if(type == CERTIFICATE_STATUS)
550
19
      {
551
19
      state.server_cert_status(new Certificate_Status(contents));
552
19
553
19
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
554
1
         {
555
1
         state.set_expected_next(SERVER_KEX);
556
1
         }
557
18
      else
558
18
         {
559
18
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
560
18
         state.set_expected_next(SERVER_HELLO_DONE);
561
18
         }
562
19
      }
563
2.58k
   else if(type == SERVER_KEX)
564
590
      {
565
590
      if(state.ciphersuite().psk_ciphersuite() == false)
566
553
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
567
590
      state.set_expected_next(SERVER_HELLO_DONE);
568
590
569
590
      state.server_kex(
570
590
         new Server_Key_Exchange(contents,
571
590
                                 state.ciphersuite().kex_method(),
572
590
                                 state.ciphersuite().auth_method(),
573
590
                                 state.version())
574
590
         );
575
590
576
590
      if(state.ciphersuite().signature_used())
577
269
         {
578
269
         const Public_Key& server_key = state.get_server_public_key();
579
269
580
269
         if(!state.server_kex()->verify(server_key, state, policy()))
581
0
            {
582
0
            throw TLS_Exception(Alert::DECRYPT_ERROR,
583
0
                                "Bad signature on server key exchange");
584
0
            }
585
1.99k
         }
586
1.99k
      }
587
1.99k
   else if(type == CERTIFICATE_REQUEST)
588
141
      {
589
141
      state.set_expected_next(SERVER_HELLO_DONE);
590
141
      state.cert_req(new Certificate_Req(contents, state.version()));
591
141
      }
592
1.85k
   else if(type == SERVER_HELLO_DONE)
593
1.01k
      {
594
1.01k
      state.server_hello_done(new Server_Hello_Done(contents));
595
1.01k
596
1.01k
      if(state.server_certs() != nullptr &&
597
1.01k
         state.server_hello()->supports_certificate_status_message())
598
9
         {
599
9
         try
600
9
            {
601
9
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
602
9
603
9
            std::vector<std::shared_ptr<const OCSP::Response>> ocsp;
604
9
            if(state.server_cert_status() != nullptr)
605
0
               {
606
0
               try {
607
0
                   ocsp.push_back(std::make_shared<OCSP::Response>(state.server_cert_status()->response()));
608
0
               }
609
0
               catch(Decoding_Error&)
610
0
                  {
611
0
                  // ignore it here because it might be our fault
612
0
                  }
613
0
               }
614
9
615
9
            callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
616
9
                                              ocsp,
617
9
                                              trusted_CAs,
618
9
                                              Usage_Type::TLS_SERVER_AUTH,
619
9
                                              m_info.hostname(),
620
9
                                              policy());
621
9
            }
622
9
         catch(TLS_Exception&)
623
9
            {
624
0
            throw;
625
0
            }
626
0
         catch(std::exception& e)
627
0
            {
628
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
629
0
            }
630
1.01k
         }
631
1.01k
632
1.01k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST))
633
2
         {
634
2
         const auto& types = state.cert_req()->acceptable_cert_types();
635
2
636
2
         std::vector<X509_Certificate> client_certs =
637
2
            m_creds.find_cert_chain(types,
638
2
                                    state.cert_req()->acceptable_CAs(),
639
2
                                    "tls-client",
640
2
                                    m_info.hostname());
641
2
642
2
         state.client_certs(new Certificate(state.handshake_io(),
643
2
                                            state.hash(),
644
2
                                            client_certs));
645
2
         }
646
1.01k
647
1.01k
      state.client_kex(
648
1.01k
         new Client_Key_Exchange(state.handshake_io(),
649
1.01k
                                 state,
650
1.01k
                                 policy(),
651
1.01k
                                 m_creds,
652
1.01k
                                 state.server_public_key.get(),
653
1.01k
                                 m_info.hostname(),
654
1.01k
                                 rng())
655
1.01k
         );
656
1.01k
657
1.01k
      state.compute_session_keys();
658
1.01k
659
1.01k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST) &&
660
1.01k
         !state.client_certs()->empty())
661
0
         {
662
0
         Private_Key* private_key =
663
0
            m_creds.private_key_for(state.client_certs()->cert_chain()[0],
664
0
                                    "tls-client",
665
0
                                    m_info.hostname());
666
0
667
0
         state.client_verify(
668
0
            new Certificate_Verify(state.handshake_io(),
669
0
                                   state,
670
0
                                   policy(),
671
0
                                   rng(),
672
0
                                   private_key)
673
0
            );
674
0
         }
675
1.01k
676
1.01k
      state.handshake_io().send(Change_Cipher_Spec());
677
1.01k
678
1.01k
      change_cipher_spec_writer(CLIENT);
679
1.01k
680
1.01k
      state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
681
1.01k
682
1.01k
      if(state.server_hello()->supports_session_ticket())
683
30
         state.set_expected_next(NEW_SESSION_TICKET);
684
989
      else
685
989
         state.set_expected_next(HANDSHAKE_CCS);
686
1.01k
      }
687
839
   else if(type == NEW_SESSION_TICKET)
688
6
      {
689
6
      state.new_session_ticket(new New_Session_Ticket(contents));
690
6
691
6
      state.set_expected_next(HANDSHAKE_CCS);
692
6
      }
693
833
   else if(type == HANDSHAKE_CCS)
694
630
      {
695
630
      state.set_expected_next(FINISHED);
696
630
697
630
      change_cipher_spec_reader(CLIENT);
698
630
      }
699
203
   else if(type == FINISHED)
700
79
      {
701
79
      state.server_finished(new Finished(contents));
702
79
703
79
      if(!state.server_finished()->verify(state, SERVER))
704
0
         throw TLS_Exception(Alert::DECRYPT_ERROR,
705
0
                             "Finished message didn't verify");
706
79
707
79
      state.hash().update(state.handshake_io().format(contents, type));
708
79
709
79
      if(!state.client_finished()) // session resume case
710
0
         {
711
0
         state.handshake_io().send(Change_Cipher_Spec());
712
0
         change_cipher_spec_writer(CLIENT);
713
0
         state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
714
0
         }
715
79
716
79
      std::vector<uint8_t> session_id = state.server_hello()->session_id();
717
79
718
79
      const std::vector<uint8_t>& session_ticket = state.session_ticket();
719
79
720
79
      if(session_id.empty() && !session_ticket.empty())
721
0
         session_id = make_hello_random(rng(), policy());
722
79
723
79
      Session session_info(
724
79
         session_id,
725
79
         state.session_keys().master_secret(),
726
79
         state.server_hello()->version(),
727
79
         state.server_hello()->ciphersuite(),
728
79
         CLIENT,
729
79
         state.server_hello()->supports_extended_master_secret(),
730
79
         state.server_hello()->supports_encrypt_then_mac(),
731
79
         get_peer_cert_chain(state),
732
79
         session_ticket,
733
79
         m_info,
734
79
         "",
735
79
         state.server_hello()->srtp_profile()
736
79
         );
737
79
738
79
      const bool should_save = save_session(session_info);
739
79
740
79
      if(session_id.size() > 0 && state.is_a_resumption() == false)
741
35
         {
742
35
         if(should_save)
743
35
            session_manager().save(session_info);
744
0
         else
745
0
            session_manager().remove_entry(session_info.session_id());
746
35
         }
747
79
748
79
      activate_session();
749
79
      }
750
124
   else
751
124
      throw Unexpected_Message("Unknown handshake message received");
752
10.0k
   }
753
754
}
755
756
}