Coverage Report

Created: 2020-06-30 13:58

/src/botan/src/lib/tls/tls_handshake_state.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Handshaking
3
* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/tls_handshake_state.h>
10
#include <botan/internal/tls_record.h>
11
#include <botan/tls_messages.h>
12
#include <botan/kdf.h>
13
#include <sstream>
14
15
namespace Botan {
16
17
namespace TLS {
18
19
std::string Handshake_Message::type_string() const
20
0
   {
21
0
   return handshake_type_to_string(type());
22
0
   }
23
24
const char* handshake_type_to_string(Handshake_Type type)
25
780
   {
26
780
   switch(type)
27
780
      {
28
15
      case HELLO_VERIFY_REQUEST:
29
15
         return "hello_verify_request";
30
0
31
99
      case HELLO_REQUEST:
32
99
         return "hello_request";
33
0
34
172
      case CLIENT_HELLO:
35
172
         return "client_hello";
36
0
37
94
      case SERVER_HELLO:
38
94
         return "server_hello";
39
0
40
19
      case CERTIFICATE:
41
19
         return "certificate";
42
0
43
27
      case CERTIFICATE_URL:
44
27
         return "certificate_url";
45
0
46
8
      case CERTIFICATE_STATUS:
47
8
         return "certificate_status";
48
0
49
29
      case SERVER_KEX:
50
29
         return "server_key_exchange";
51
0
52
10
      case CERTIFICATE_REQUEST:
53
10
         return "certificate_request";
54
0
55
42
      case SERVER_HELLO_DONE:
56
42
         return "server_hello_done";
57
0
58
5
      case CERTIFICATE_VERIFY:
59
5
         return "certificate_verify";
60
0
61
93
      case CLIENT_KEX:
62
93
         return "client_key_exchange";
63
0
64
12
      case NEW_SESSION_TICKET:
65
12
         return "new_session_ticket";
66
0
67
116
      case HANDSHAKE_CCS:
68
116
         return "change_cipher_spec";
69
0
70
39
      case FINISHED:
71
39
         return "finished";
72
0
73
0
      case HANDSHAKE_NONE:
74
0
         return "invalid";
75
0
      }
76
0
77
0
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
78
0
                       "Unknown TLS handshake message type " + std::to_string(type));
79
0
   }
80
81
namespace {
82
83
uint32_t bitmask_for_handshake_type(Handshake_Type type)
84
310k
   {
85
310k
   switch(type)
86
310k
      {
87
391
      case HELLO_VERIFY_REQUEST:
88
391
         return (1 << 0);
89
0
90
475
      case HELLO_REQUEST:
91
475
         return (1 << 1);
92
0
93
72.2k
      case CLIENT_HELLO:
94
72.2k
         return (1 << 2);
95
0
96
11.2k
      case SERVER_HELLO:
97
11.2k
         return (1 << 3);
98
0
99
21.2k
      case CERTIFICATE:
100
21.2k
         return (1 << 4);
101
0
102
403
      case CERTIFICATE_URL:
103
403
         return (1 << 5);
104
0
105
514
      case CERTIFICATE_STATUS:
106
514
         return (1 << 6);
107
0
108
2.86k
      case SERVER_KEX:
109
2.86k
         return (1 << 7);
110
0
111
3.35k
      case CERTIFICATE_REQUEST:
112
3.35k
         return (1 << 8);
113
0
114
3.17k
      case SERVER_HELLO_DONE:
115
3.17k
         return (1 << 9);
116
0
117
381
      case CERTIFICATE_VERIFY:
118
381
         return (1 << 10);
119
0
120
39.2k
      case CLIENT_KEX:
121
39.2k
         return (1 << 11);
122
0
123
447
      case NEW_SESSION_TICKET:
124
447
         return (1 << 12);
125
0
126
151k
      case HANDSHAKE_CCS:
127
151k
         return (1 << 13);
128
0
129
2.26k
      case FINISHED:
130
2.26k
         return (1 << 14);
131
0
132
0
      // allow explicitly disabling new handshakes
133
416
      case HANDSHAKE_NONE:
134
416
         return 0;
135
62
      }
136
62
137
62
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138
62
                       "Unknown TLS handshake message type " + std::to_string(type));
139
62
   }
140
141
std::string handshake_mask_to_string(uint32_t mask, char combiner)
142
376
   {
143
376
   const Handshake_Type types[] = {
144
376
      HELLO_VERIFY_REQUEST,
145
376
      HELLO_REQUEST,
146
376
      CLIENT_HELLO,
147
376
      SERVER_HELLO,
148
376
      CERTIFICATE,
149
376
      CERTIFICATE_URL,
150
376
      CERTIFICATE_STATUS,
151
376
      SERVER_KEX,
152
376
      CERTIFICATE_REQUEST,
153
376
      SERVER_HELLO_DONE,
154
376
      CERTIFICATE_VERIFY,
155
376
      CLIENT_KEX,
156
376
      NEW_SESSION_TICKET,
157
376
      HANDSHAKE_CCS,
158
376
      FINISHED
159
376
   };
160
376
161
376
   std::ostringstream o;
162
376
   bool empty = true;
163
376
164
376
   for(auto&& t : types)
165
5.64k
      {
166
5.64k
      if(mask & bitmask_for_handshake_type(t))
167
506
         {
168
506
         if(!empty)
169
130
            o << combiner;
170
506
         o << handshake_type_to_string(t);
171
506
         empty = false;
172
506
         }
173
5.64k
      }
174
376
175
376
   return o.str();
176
376
   }
177
178
}
179
180
/*
181
* Initialize the SSL/TLS Handshake State
182
*/
183
Handshake_State::Handshake_State(Handshake_IO* io, Callbacks& cb) :
184
   m_callbacks(cb),
185
   m_handshake_io(io),
186
   m_version(m_handshake_io->initial_record_version())
187
47.5k
   {
188
47.5k
   }
189
190
void Handshake_State::note_message(const Handshake_Message& msg)
191
135k
   {
192
135k
   m_callbacks.tls_inspect_handshake_msg(msg);
193
135k
   }
194
195
void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify)
196
0
   {
197
0
   note_message(hello_verify);
198
0
199
0
   m_client_hello->update_hello_cookie(hello_verify);
200
0
   hash().reset();
201
0
   hash().update(handshake_io().send(*m_client_hello));
202
0
   note_message(*m_client_hello);
203
0
   }
204
205
void Handshake_State::client_hello(Client_Hello* client_hello)
206
43.8k
   {
207
43.8k
   if(client_hello == nullptr)
208
6.67k
      {
209
6.67k
      m_client_hello.reset();
210
6.67k
      hash().reset();
211
6.67k
      }
212
37.2k
   else
213
37.2k
      {
214
37.2k
      m_client_hello.reset(client_hello);
215
37.2k
      note_message(*m_client_hello);
216
37.2k
      }
217
43.8k
   }
218
219
void Handshake_State::server_hello(Server_Hello* server_hello)
220
28.9k
   {
221
28.9k
   m_server_hello.reset(server_hello);
222
28.9k
   m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223
28.9k
   note_message(*m_server_hello);
224
28.9k
   }
225
226
void Handshake_State::server_certs(Certificate* server_certs)
227
1.60k
   {
228
1.60k
   m_server_certs.reset(server_certs);
229
1.60k
   note_message(*m_server_certs);
230
1.60k
   }
231
232
void Handshake_State::server_cert_status(Certificate_Status* server_cert_status)
233
1
   {
234
1
   m_server_cert_status.reset(server_cert_status);
235
1
   note_message(*m_server_cert_status);
236
1
   }
237
238
void Handshake_State::server_kex(Server_Key_Exchange* server_kex)
239
25.0k
   {
240
25.0k
   m_server_kex.reset(server_kex);
241
25.0k
   note_message(*m_server_kex);
242
25.0k
   }
243
244
void Handshake_State::cert_req(Certificate_Req* cert_req)
245
12
   {
246
12
   m_cert_req.reset(cert_req);
247
12
   note_message(*m_cert_req);
248
12
   }
249
250
void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done)
251
25.4k
   {
252
25.4k
   m_server_hello_done.reset(server_hello_done);
253
25.4k
   note_message(*m_server_hello_done);
254
25.4k
   }
255
256
void Handshake_State::client_certs(Certificate* client_certs)
257
7
   {
258
7
   m_client_certs.reset(client_certs);
259
7
   note_message(*m_client_certs);
260
7
   }
261
262
void Handshake_State::client_kex(Client_Key_Exchange* client_kex)
263
14.8k
   {
264
14.8k
   m_client_kex.reset(client_kex);
265
14.8k
   note_message(*m_client_kex);
266
14.8k
   }
267
268
void Handshake_State::client_verify(Certificate_Verify* client_verify)
269
0
   {
270
0
   m_client_verify.reset(client_verify);
271
0
   note_message(*m_client_verify);
272
0
   }
273
274
void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket)
275
291
   {
276
291
   m_new_session_ticket.reset(new_session_ticket);
277
291
   note_message(*m_new_session_ticket);
278
291
   }
279
280
void Handshake_State::server_finished(Finished* server_finished)
281
516
   {
282
516
   m_server_finished.reset(server_finished);
283
516
   note_message(*m_server_finished);
284
516
   }
285
286
void Handshake_State::client_finished(Finished* client_finished)
287
1.31k
   {
288
1.31k
   m_client_finished.reset(client_finished);
289
1.31k
   note_message(*m_client_finished);
290
1.31k
   }
291
292
void Handshake_State::set_version(const Protocol_Version& version)
293
35.8k
   {
294
35.8k
   m_version = version;
295
35.8k
   }
296
297
void Handshake_State::compute_session_keys()
298
14.8k
   {
299
14.8k
   m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300
14.8k
   }
301
302
void Handshake_State::compute_session_keys(const secure_vector<uint8_t>& resume_master_secret)
303
0
   {
304
0
   m_session_keys = Session_Keys(this, resume_master_secret, true);
305
0
   }
306
307
void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg)
308
59.2k
   {
309
59.2k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310
59.2k
311
59.2k
   m_hand_received_mask |= mask;
312
59.2k
313
59.2k
   const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314
59.2k
315
59.2k
   if(!ok)
316
274
      {
317
274
      const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318
274
319
274
      std::ostringstream msg;
320
274
321
274
      msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322
274
323
274
      if(m_hand_expecting_mask == 0)
324
27
         msg << " not expecting messages";
325
247
      else
326
247
         msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327
274
328
274
      if(seen_so_far != 0)
329
129
         msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330
274
331
274
      throw Unexpected_Message(msg.str());
332
274
      }
333
58.9k
334
58.9k
   /* We don't know what to expect next, so force a call to
335
58.9k
      set_expected_next; if it doesn't happen, the next transition
336
58.9k
      check will always fail which is what we want.
337
58.9k
   */
338
58.9k
   m_hand_expecting_mask = 0;
339
58.9k
   }
340
341
void Handshake_State::set_expected_next(Handshake_Type handshake_msg)
342
94.3k
   {
343
94.3k
   m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344
94.3k
   }
345
346
bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
347
16.5k
   {
348
16.5k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349
16.5k
350
16.5k
   return (m_hand_received_mask & mask) != 0;
351
16.5k
   }
352
353
std::pair<Handshake_Type, std::vector<uint8_t>>
354
Handshake_State::get_next_handshake_msg()
355
134k
   {
356
134k
   const bool expecting_ccs =
357
134k
      (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358
134k
359
134k
   return m_handshake_io->get_next_record(expecting_ccs);
360
134k
   }
361
362
std::string Handshake_State::srp_identifier() const
363
416
   {
364
416
#if defined(BOTAN_HAS_SRP6)
365
416
   // Authenticated via the successful key exchange
366
416
   if(ciphersuite().valid() && ciphersuite().kex_method() == Kex_Algo::SRP_SHA)
367
0
      return client_hello()->srp_identifier();
368
416
#endif
369
416
370
416
   return "";
371
416
   }
372
373
374
std::vector<uint8_t> Handshake_State::session_ticket() const
375
100
   {
376
100
   if(new_session_ticket() && !new_session_ticket()->ticket().empty())
377
0
      return new_session_ticket()->ticket();
378
100
379
100
   return client_hello()->session_ticket();
380
100
   }
381
382
KDF* Handshake_State::protocol_specific_prf() const
383
16.7k
   {
384
16.7k
   if(version().supports_ciphersuite_specific_prf())
385
16.7k
      {
386
16.7k
      const std::string prf_algo = ciphersuite().prf_algo();
387
16.7k
388
16.7k
      if(prf_algo == "MD5" || prf_algo == "SHA-1")
389
5.00k
         return get_kdf("TLS-12-PRF(SHA-256)");
390
11.6k
391
11.6k
      return get_kdf("TLS-12-PRF(" + prf_algo + ")");
392
11.6k
      }
393
0
394
0
   // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
395
0
   return get_kdf("TLS-PRF");
396
0
   }
397
398
std::pair<std::string, Signature_Format>
399
Handshake_State::choose_sig_format(const Private_Key& key,
400
                                   Signature_Scheme& chosen_scheme,
401
                                   bool for_client_auth,
402
                                   const Policy& policy) const
403
0
   {
404
0
   const std::string sig_algo = key.algo_name();
405
0
406
0
   if(this->version().supports_negotiable_signature_algorithms())
407
0
      {
408
0
      const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
409
0
410
0
      std::vector<Signature_Scheme> requested =
411
0
         (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
412
0
413
0
      if(requested.empty())
414
0
         {
415
0
         // Implicit SHA-1
416
0
         requested.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
417
0
         requested.push_back(Signature_Scheme::ECDSA_SHA1);
418
0
         requested.push_back(Signature_Scheme::DSA_SHA1);
419
0
         }
420
0
421
0
      for(Signature_Scheme scheme : allowed)
422
0
         {
423
0
         if(signature_scheme_is_known(scheme) == false)
424
0
            {
425
0
            continue;
426
0
            }
427
0
428
0
         if(signature_algorithm_of_scheme(scheme) == sig_algo)
429
0
            {
430
0
            if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
431
0
               {
432
0
               chosen_scheme = scheme;
433
0
               break;
434
0
               }
435
0
            }
436
0
         }
437
0
438
0
      const std::string hash = hash_function_of_scheme(chosen_scheme);
439
0
440
0
      if(!policy.allowed_signature_hash(hash))
441
0
         {
442
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
443
0
                             "Policy refuses to accept signing with any hash supported by peer");
444
0
         }
445
0
446
0
      if(sig_algo == "RSA")
447
0
         {
448
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
449
0
         }
450
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
451
0
         {
452
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
453
0
         }
454
0
      }
455
0
   else
456
0
      {
457
0
      if(sig_algo == "RSA")
458
0
         {
459
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
460
0
         return std::make_pair(padding, IEEE_1363);
461
0
         }
462
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
463
0
         {
464
0
         const std::string padding = "EMSA1(SHA-1)";
465
0
         return std::make_pair(padding, DER_SEQUENCE);
466
0
         }
467
0
      }
468
0
469
0
   throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
470
0
   }
471
472
namespace {
473
474
bool supported_algos_include(
475
   const std::vector<Signature_Scheme>& schemes,
476
   const std::string& key_type,
477
   const std::string& hash_type)
478
297
   {
479
297
   for(Signature_Scheme scheme : schemes)
480
2.30k
      {
481
2.30k
      if(signature_scheme_is_known(scheme) &&
482
2.30k
         hash_function_of_scheme(scheme) == hash_type &&
483
2.30k
         signature_algorithm_of_scheme(scheme) == key_type)
484
295
         {
485
295
         return true;
486
295
         }
487
2.30k
      }
488
297
489
297
   return false;
490
297
   }
491
492
}
493
494
std::pair<std::string, Signature_Format>
495
Handshake_State::parse_sig_format(const Public_Key& key,
496
                                  Signature_Scheme scheme,
497
                                  bool for_client_auth,
498
                                  const Policy& policy) const
499
367
   {
500
367
   const std::string key_type = key.algo_name();
501
367
502
367
   if(!policy.allowed_signature_method(key_type))
503
0
      {
504
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
505
0
                          "Rejecting " + key_type + " signature");
506
0
      }
507
367
508
367
   if(this->version().supports_negotiable_signature_algorithms() == false)
509
0
      {
510
0
      if(scheme != Signature_Scheme::NONE)
511
0
         throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
512
0
513
0
      /*
514
0
      There is no check on the acceptability of a v1.0/v1.1 hash type,
515
0
      since it's implicit with use of the protocol
516
0
      */
517
0
518
0
      if(key_type == "RSA")
519
0
         {
520
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
521
0
         return std::make_pair(padding, IEEE_1363);
522
0
         }
523
0
      else if(key_type == "DSA" || key_type == "ECDSA")
524
0
         {
525
0
         const std::string padding = "EMSA1(SHA-1)";
526
0
         return std::make_pair(padding, DER_SEQUENCE);
527
0
         }
528
0
      else
529
0
         throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
530
367
      }
531
367
532
367
   if(scheme == Signature_Scheme::NONE)
533
1
      throw Decoding_Error("Counterparty did not send hash/sig IDS");
534
366
535
366
   if(key_type != signature_algorithm_of_scheme(scheme))
536
9
      throw Decoding_Error("Counterparty sent inconsistent key and sig types");
537
357
538
357
   if(for_client_auth && !cert_req())
539
0
      {
540
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
541
0
                          "No certificate verify set");
542
0
      }
543
357
544
357
   /*
545
357
   Confirm the signature type we just received against the
546
357
   supported_algos list that we sent; it better be there.
547
357
   */
548
357
549
357
   const std::vector<Signature_Scheme> supported_algos =
550
357
      for_client_auth ? cert_req()->signature_schemes() :
551
357
      client_hello()->signature_schemes();
552
357
553
357
   if(!signature_scheme_is_known(scheme))
554
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
555
0
                          "Peer sent unknown signature scheme");
556
357
557
357
   const std::string hash_algo = hash_function_of_scheme(scheme);
558
357
559
357
   if(!supported_algos_include(supported_algos, key_type, hash_algo))
560
2
      {
561
2
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
562
2
                          "TLS signature extension did not allow for " +
563
2
                          key_type + "/" + hash_algo + " signature");
564
2
      }
565
355
566
355
   if(key_type == "RSA")
567
32
      {
568
32
      return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
569
32
      }
570
323
   else if(key_type == "DSA" || key_type == "ECDSA")
571
263
      {
572
263
      return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
573
263
      }
574
60
575
60
   throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
576
60
   }
577
578
}
579
580
}