Coverage Report

Created: 2020-05-23 13:54

/src/botan/src/lib/tls/tls_handshake_state.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Handshaking
3
* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/tls_handshake_state.h>
10
#include <botan/internal/tls_record.h>
11
#include <botan/tls_messages.h>
12
#include <botan/kdf.h>
13
#include <sstream>
14
15
namespace Botan {
16
17
namespace TLS {
18
19
std::string Handshake_Message::type_string() const
20
0
   {
21
0
   return handshake_type_to_string(type());
22
0
   }
23
24
const char* handshake_type_to_string(Handshake_Type type)
25
678
   {
26
678
   switch(type)
27
678
      {
28
9
      case HELLO_VERIFY_REQUEST:
29
9
         return "hello_verify_request";
30
0
31
92
      case HELLO_REQUEST:
32
92
         return "hello_request";
33
0
34
154
      case CLIENT_HELLO:
35
154
         return "client_hello";
36
0
37
78
      case SERVER_HELLO:
38
78
         return "server_hello";
39
0
40
18
      case CERTIFICATE:
41
18
         return "certificate";
42
0
43
21
      case CERTIFICATE_URL:
44
21
         return "certificate_url";
45
0
46
8
      case CERTIFICATE_STATUS:
47
8
         return "certificate_status";
48
0
49
24
      case SERVER_KEX:
50
24
         return "server_key_exchange";
51
0
52
12
      case CERTIFICATE_REQUEST:
53
12
         return "certificate_request";
54
0
55
41
      case SERVER_HELLO_DONE:
56
41
         return "server_hello_done";
57
0
58
4
      case CERTIFICATE_VERIFY:
59
4
         return "certificate_verify";
60
0
61
78
      case CLIENT_KEX:
62
78
         return "client_key_exchange";
63
0
64
12
      case NEW_SESSION_TICKET:
65
12
         return "new_session_ticket";
66
0
67
93
      case HANDSHAKE_CCS:
68
93
         return "change_cipher_spec";
69
0
70
34
      case FINISHED:
71
34
         return "finished";
72
0
73
0
      case HANDSHAKE_NONE:
74
0
         return "invalid";
75
0
      }
76
0
77
0
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
78
0
                       "Unknown TLS handshake message type " + std::to_string(type));
79
0
   }
80
81
namespace {
82
83
uint32_t bitmask_for_handshake_type(Handshake_Type type)
84
293k
   {
85
293k
   switch(type)
86
293k
      {
87
339
      case HELLO_VERIFY_REQUEST:
88
339
         return (1 << 0);
89
0
90
422
      case HELLO_REQUEST:
91
422
         return (1 << 1);
92
0
93
68.6k
      case CLIENT_HELLO:
94
68.6k
         return (1 << 2);
95
0
96
10.2k
      case SERVER_HELLO:
97
10.2k
         return (1 << 3);
98
0
99
19.3k
      case CERTIFICATE:
100
19.3k
         return (1 << 4);
101
0
102
351
      case CERTIFICATE_URL:
103
351
         return (1 << 5);
104
0
105
458
      case CERTIFICATE_STATUS:
106
458
         return (1 << 6);
107
0
108
2.58k
      case SERVER_KEX:
109
2.58k
         return (1 << 7);
110
0
111
2.92k
      case CERTIFICATE_REQUEST:
112
2.92k
         return (1 << 8);
113
0
114
2.84k
      case SERVER_HELLO_DONE:
115
2.84k
         return (1 << 9);
116
0
117
334
      case CERTIFICATE_VERIFY:
118
334
         return (1 << 10);
119
0
120
36.4k
      case CLIENT_KEX:
121
36.4k
         return (1 << 11);
122
0
123
377
      case NEW_SESSION_TICKET:
124
377
         return (1 << 12);
125
0
126
145k
      case HANDSHAKE_CCS:
127
145k
         return (1 << 13);
128
0
129
2.07k
      case FINISHED:
130
2.07k
         return (1 << 14);
131
0
132
0
      // allow explicitly disabling new handshakes
133
378
      case HANDSHAKE_NONE:
134
378
         return 0;
135
59
      }
136
59
137
59
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138
59
                       "Unknown TLS handshake message type " + std::to_string(type));
139
59
   }
140
141
std::string handshake_mask_to_string(uint32_t mask, char combiner)
142
330
   {
143
330
   const Handshake_Type types[] = {
144
330
      HELLO_VERIFY_REQUEST,
145
330
      HELLO_REQUEST,
146
330
      CLIENT_HELLO,
147
330
      SERVER_HELLO,
148
330
      CERTIFICATE,
149
330
      CERTIFICATE_URL,
150
330
      CERTIFICATE_STATUS,
151
330
      SERVER_KEX,
152
330
      CERTIFICATE_REQUEST,
153
330
      SERVER_HELLO_DONE,
154
330
      CERTIFICATE_VERIFY,
155
330
      CLIENT_KEX,
156
330
      NEW_SESSION_TICKET,
157
330
      HANDSHAKE_CCS,
158
330
      FINISHED
159
330
   };
160
330
161
330
   std::ostringstream o;
162
330
   bool empty = true;
163
330
164
330
   for(auto&& t : types)
165
4.95k
      {
166
4.95k
      if(mask & bitmask_for_handshake_type(t))
167
438
         {
168
438
         if(!empty)
169
108
            o << combiner;
170
438
         o << handshake_type_to_string(t);
171
438
         empty = false;
172
438
         }
173
4.95k
      }
174
330
175
330
   return o.str();
176
330
   }
177
178
}
179
180
/*
181
* Initialize the SSL/TLS Handshake State
182
*/
183
Handshake_State::Handshake_State(Handshake_IO* io, Callbacks& cb) :
184
   m_callbacks(cb),
185
   m_handshake_io(io),
186
   m_version(m_handshake_io->initial_record_version())
187
45.2k
   {
188
45.2k
   }
189
190
void Handshake_State::note_message(const Handshake_Message& msg)
191
125k
   {
192
125k
   m_callbacks.tls_inspect_handshake_msg(msg);
193
125k
   }
194
195
void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify)
196
0
   {
197
0
   note_message(hello_verify);
198
0
199
0
   m_client_hello->update_hello_cookie(hello_verify);
200
0
   hash().reset();
201
0
   hash().update(handshake_io().send(*m_client_hello));
202
0
   note_message(*m_client_hello);
203
0
   }
204
205
void Handshake_State::client_hello(Client_Hello* client_hello)
206
41.8k
   {
207
41.8k
   if(client_hello == nullptr)
208
6.75k
      {
209
6.75k
      m_client_hello.reset();
210
6.75k
      hash().reset();
211
6.75k
      }
212
35.0k
   else
213
35.0k
      {
214
35.0k
      m_client_hello.reset(client_hello);
215
35.0k
      note_message(*m_client_hello);
216
35.0k
      }
217
41.8k
   }
218
219
void Handshake_State::server_hello(Server_Hello* server_hello)
220
26.8k
   {
221
26.8k
   m_server_hello.reset(server_hello);
222
26.8k
   m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223
26.8k
   note_message(*m_server_hello);
224
26.8k
   }
225
226
void Handshake_State::server_certs(Certificate* server_certs)
227
1.51k
   {
228
1.51k
   m_server_certs.reset(server_certs);
229
1.51k
   note_message(*m_server_certs);
230
1.51k
   }
231
232
void Handshake_State::server_cert_status(Certificate_Status* server_cert_status)
233
1
   {
234
1
   m_server_cert_status.reset(server_cert_status);
235
1
   note_message(*m_server_cert_status);
236
1
   }
237
238
void Handshake_State::server_kex(Server_Key_Exchange* server_kex)
239
23.1k
   {
240
23.1k
   m_server_kex.reset(server_kex);
241
23.1k
   note_message(*m_server_kex);
242
23.1k
   }
243
244
void Handshake_State::cert_req(Certificate_Req* cert_req)
245
5
   {
246
5
   m_cert_req.reset(cert_req);
247
5
   note_message(*m_cert_req);
248
5
   }
249
250
void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done)
251
23.6k
   {
252
23.6k
   m_server_hello_done.reset(server_hello_done);
253
23.6k
   note_message(*m_server_hello_done);
254
23.6k
   }
255
256
void Handshake_State::client_certs(Certificate* client_certs)
257
2
   {
258
2
   m_client_certs.reset(client_certs);
259
2
   note_message(*m_client_certs);
260
2
   }
261
262
void Handshake_State::client_kex(Client_Key_Exchange* client_kex)
263
13.8k
   {
264
13.8k
   m_client_kex.reset(client_kex);
265
13.8k
   note_message(*m_client_kex);
266
13.8k
   }
267
268
void Handshake_State::client_verify(Certificate_Verify* client_verify)
269
0
   {
270
0
   m_client_verify.reset(client_verify);
271
0
   note_message(*m_client_verify);
272
0
   }
273
274
void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket)
275
261
   {
276
261
   m_new_session_ticket.reset(new_session_ticket);
277
261
   note_message(*m_new_session_ticket);
278
261
   }
279
280
void Handshake_State::server_finished(Finished* server_finished)
281
457
   {
282
457
   m_server_finished.reset(server_finished);
283
457
   note_message(*m_server_finished);
284
457
   }
285
286
void Handshake_State::client_finished(Finished* client_finished)
287
1.20k
   {
288
1.20k
   m_client_finished.reset(client_finished);
289
1.20k
   note_message(*m_client_finished);
290
1.20k
   }
291
292
void Handshake_State::set_version(const Protocol_Version& version)
293
33.7k
   {
294
33.7k
   m_version = version;
295
33.7k
   }
296
297
void Handshake_State::compute_session_keys()
298
13.8k
   {
299
13.8k
   m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300
13.8k
   }
301
302
void Handshake_State::compute_session_keys(const secure_vector<uint8_t>& resume_master_secret)
303
0
   {
304
0
   m_session_keys = Session_Keys(this, resume_master_secret, true);
305
0
   }
306
307
void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg)
308
55.2k
   {
309
55.2k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310
55.2k
311
55.2k
   m_hand_received_mask |= mask;
312
55.2k
313
55.2k
   const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314
55.2k
315
55.2k
   if(!ok)
316
240
      {
317
240
      const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318
240
319
240
      std::ostringstream msg;
320
240
321
240
      msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322
240
323
240
      if(m_hand_expecting_mask == 0)
324
23
         msg << " not expecting messages";
325
217
      else
326
217
         msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327
240
328
240
      if(seen_so_far != 0)
329
113
         msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330
240
331
240
      throw Unexpected_Message(msg.str());
332
240
      }
333
54.9k
334
54.9k
   /* We don't know what to expect next, so force a call to
335
54.9k
      set_expected_next; if it doesn't happen, the next transition
336
54.9k
      check will always fail which is what we want.
337
54.9k
   */
338
54.9k
   m_hand_expecting_mask = 0;
339
54.9k
   }
340
341
void Handshake_State::set_expected_next(Handshake_Type handshake_msg)
342
88.3k
   {
343
88.3k
   m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344
88.3k
   }
345
346
bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
347
15.3k
   {
348
15.3k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349
15.3k
350
15.3k
   return (m_hand_received_mask & mask) != 0;
351
15.3k
   }
352
353
std::pair<Handshake_Type, std::vector<uint8_t>>
354
Handshake_State::get_next_handshake_msg()
355
129k
   {
356
129k
   const bool expecting_ccs =
357
129k
      (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358
129k
359
129k
   return m_handshake_io->get_next_record(expecting_ccs);
360
129k
   }
361
362
std::string Handshake_State::srp_identifier() const
363
378
   {
364
378
#if defined(BOTAN_HAS_SRP6)
365
378
   // Authenticated via the successful key exchange
366
378
   if(ciphersuite().valid() && ciphersuite().kex_method() == Kex_Algo::SRP_SHA)
367
0
      return client_hello()->srp_identifier();
368
378
#endif
369
378
370
378
   return "";
371
378
   }
372
373
374
std::vector<uint8_t> Handshake_State::session_ticket() const
375
79
   {
376
79
   if(new_session_ticket() && !new_session_ticket()->ticket().empty())
377
0
      return new_session_ticket()->ticket();
378
79
379
79
   return client_hello()->session_ticket();
380
79
   }
381
382
KDF* Handshake_State::protocol_specific_prf() const
383
15.5k
   {
384
15.5k
   if(version().supports_ciphersuite_specific_prf())
385
15.5k
      {
386
15.5k
      const std::string prf_algo = ciphersuite().prf_algo();
387
15.5k
388
15.5k
      if(prf_algo == "MD5" || prf_algo == "SHA-1")
389
4.42k
         return get_kdf("TLS-12-PRF(SHA-256)");
390
11.1k
391
11.1k
      return get_kdf("TLS-12-PRF(" + prf_algo + ")");
392
11.1k
      }
393
0
394
0
   // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
395
0
   return get_kdf("TLS-PRF");
396
0
   }
397
398
std::pair<std::string, Signature_Format>
399
Handshake_State::choose_sig_format(const Private_Key& key,
400
                                   Signature_Scheme& chosen_scheme,
401
                                   bool for_client_auth,
402
                                   const Policy& policy) const
403
0
   {
404
0
   const std::string sig_algo = key.algo_name();
405
0
406
0
   if(this->version().supports_negotiable_signature_algorithms())
407
0
      {
408
0
      const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
409
0
410
0
      std::vector<Signature_Scheme> requested =
411
0
         (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
412
0
413
0
      if(requested.empty())
414
0
         {
415
0
         // Implicit SHA-1
416
0
         requested.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
417
0
         requested.push_back(Signature_Scheme::ECDSA_SHA1);
418
0
         requested.push_back(Signature_Scheme::DSA_SHA1);
419
0
         }
420
0
421
0
      for(Signature_Scheme scheme : allowed)
422
0
         {
423
0
         if(signature_scheme_is_known(scheme) == false)
424
0
            {
425
0
            continue;
426
0
            }
427
0
428
0
         if(signature_algorithm_of_scheme(scheme) == sig_algo)
429
0
            {
430
0
            if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
431
0
               {
432
0
               chosen_scheme = scheme;
433
0
               break;
434
0
               }
435
0
            }
436
0
         }
437
0
438
0
      const std::string hash = hash_function_of_scheme(chosen_scheme);
439
0
440
0
      if(!policy.allowed_signature_hash(hash))
441
0
         {
442
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
443
0
                             "Policy refuses to accept signing with any hash supported by peer");
444
0
         }
445
0
446
0
      if(sig_algo == "RSA")
447
0
         {
448
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
449
0
         }
450
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
451
0
         {
452
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
453
0
         }
454
0
      }
455
0
   else
456
0
      {
457
0
      if(sig_algo == "RSA")
458
0
         {
459
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
460
0
         return std::make_pair(padding, IEEE_1363);
461
0
         }
462
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
463
0
         {
464
0
         const std::string padding = "EMSA1(SHA-1)";
465
0
         return std::make_pair(padding, DER_SEQUENCE);
466
0
         }
467
0
      }
468
0
469
0
   throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
470
0
   }
471
472
namespace {
473
474
bool supported_algos_include(
475
   const std::vector<Signature_Scheme>& schemes,
476
   const std::string& key_type,
477
   const std::string& hash_type)
478
210
   {
479
210
   for(Signature_Scheme scheme : schemes)
480
1.56k
      {
481
1.56k
      if(signature_scheme_is_known(scheme) &&
482
1.56k
         hash_function_of_scheme(scheme) == hash_type &&
483
1.56k
         signature_algorithm_of_scheme(scheme) == key_type)
484
208
         {
485
208
         return true;
486
208
         }
487
1.56k
      }
488
210
489
210
   return false;
490
210
   }
491
492
}
493
494
std::pair<std::string, Signature_Format>
495
Handshake_State::parse_sig_format(const Public_Key& key,
496
                                  Signature_Scheme scheme,
497
                                  bool for_client_auth,
498
                                  const Policy& policy) const
499
267
   {
500
267
   const std::string key_type = key.algo_name();
501
267
502
267
   if(!policy.allowed_signature_method(key_type))
503
0
      {
504
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
505
0
                          "Rejecting " + key_type + " signature");
506
0
      }
507
267
508
267
   if(this->version().supports_negotiable_signature_algorithms() == false)
509
0
      {
510
0
      if(scheme != Signature_Scheme::NONE)
511
0
         throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
512
0
513
0
      /*
514
0
      There is no check on the acceptability of a v1.0/v1.1 hash type,
515
0
      since it's implicit with use of the protocol
516
0
      */
517
0
518
0
      if(key_type == "RSA")
519
0
         {
520
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
521
0
         return std::make_pair(padding, IEEE_1363);
522
0
         }
523
0
      else if(key_type == "DSA" || key_type == "ECDSA")
524
0
         {
525
0
         const std::string padding = "EMSA1(SHA-1)";
526
0
         return std::make_pair(padding, DER_SEQUENCE);
527
0
         }
528
0
      else
529
0
         throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
530
267
      }
531
267
532
267
   if(scheme == Signature_Scheme::NONE)
533
1
      throw Decoding_Error("Counterparty did not send hash/sig IDS");
534
266
535
266
   if(key_type != signature_algorithm_of_scheme(scheme))
536
10
      throw Decoding_Error("Counterparty sent inconsistent key and sig types");
537
256
538
256
   if(for_client_auth && !cert_req())
539
0
      {
540
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
541
0
                          "No certificate verify set");
542
0
      }
543
256
544
256
   /*
545
256
   Confirm the signature type we just received against the
546
256
   supported_algos list that we sent; it better be there.
547
256
   */
548
256
549
256
   const std::vector<Signature_Scheme> supported_algos =
550
256
      for_client_auth ? cert_req()->signature_schemes() :
551
256
      client_hello()->signature_schemes();
552
256
553
256
   if(!signature_scheme_is_known(scheme))
554
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
555
0
                          "Peer sent unknown signature scheme");
556
256
557
256
   const std::string hash_algo = hash_function_of_scheme(scheme);
558
256
559
256
   if(!supported_algos_include(supported_algos, key_type, hash_algo))
560
2
      {
561
2
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
562
2
                          "TLS signature extension did not allow for " +
563
2
                          key_type + "/" + hash_algo + " signature");
564
2
      }
565
254
566
254
   if(key_type == "RSA")
567
33
      {
568
33
      return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
569
33
      }
570
221
   else if(key_type == "DSA" || key_type == "ECDSA")
571
175
      {
572
175
      return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
573
175
      }
574
46
575
46
   throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
576
46
   }
577
578
}
579
580
}