Coverage Report

Created: 2020-06-30 13:58

/src/botan/src/lib/tls/tls_server.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Server
3
* (C) 2004-2011,2012,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/tls_server.h>
10
#include <botan/tls_messages.h>
11
#include <botan/internal/tls_handshake_state.h>
12
#include <botan/internal/stl_util.h>
13
#include <botan/tls_magic.h>
14
15
namespace Botan {
16
17
namespace TLS {
18
19
class Server_Handshake_State final : public Handshake_State
20
   {
21
   public:
22
      Server_Handshake_State(Handshake_IO* io, Callbacks& cb)
23
32.9k
         : Handshake_State(io, cb) {}
24
25
14.4k
      Private_Key* server_rsa_kex_key() { return m_server_rsa_kex_key; }
26
      void set_server_rsa_kex_key(Private_Key* key)
27
0
         { m_server_rsa_kex_key = key; }
28
29
      bool allow_session_resumption() const
30
24.7k
         { return m_allow_session_resumption; }
31
      void set_allow_session_resumption(bool allow_session_resumption)
32
0
         { m_allow_session_resumption = allow_session_resumption; }
33
34
      const std::vector<X509_Certificate>& resume_peer_certs() const
35
416
         { return m_resume_peer_certs; }
36
37
      void set_resume_certs(const std::vector<X509_Certificate>& certs)
38
0
         { m_resume_peer_certs = certs; }
39
40
0
      void mark_as_resumption() { m_is_a_resumption = true; }
41
42
3
      bool is_a_resumption() const { return m_is_a_resumption; }
43
44
   private:
45
      // Used by the server only, in case of RSA key exchange. Not owned
46
      Private_Key* m_server_rsa_kex_key = nullptr;
47
48
      /*
49
      * Used by the server to know if resumption should be allowed on
50
      * a server-initiated renegotiation
51
      */
52
      bool m_allow_session_resumption = true;
53
54
      bool m_is_a_resumption = false;
55
56
      std::vector<X509_Certificate> m_resume_peer_certs;
57
   };
58
59
namespace {
60
61
bool check_for_resume(Session& session_info,
62
                      Session_Manager& session_manager,
63
                      Credentials_Manager& credentials,
64
                      const Client_Hello* client_hello,
65
                      std::chrono::seconds session_ticket_lifetime)
66
24.7k
   {
67
24.7k
   const std::vector<uint8_t>& client_session_id = client_hello->session_id();
68
24.7k
   const std::vector<uint8_t>& session_ticket = client_hello->session_ticket();
69
24.7k
70
24.7k
   if(session_ticket.empty())
71
23.8k
      {
72
23.8k
      if(client_session_id.empty()) // not resuming
73
23.6k
         return false;
74
147
75
147
      // not found
76
147
      if(!session_manager.load_from_session_id(client_session_id, session_info))
77
147
         return false;
78
957
      }
79
957
   else
80
957
      {
81
957
      // If a session ticket was sent, ignore client session ID
82
957
      try
83
957
         {
84
957
         session_info = Session::decrypt(
85
957
            session_ticket,
86
957
            credentials.psk("tls-server", "session-ticket", ""));
87
957
88
957
         if(session_ticket_lifetime != std::chrono::seconds(0) &&
89
957
            session_info.session_age() > session_ticket_lifetime)
90
0
            return false; // ticket has expired
91
957
         }
92
957
      catch(...)
93
957
         {
94
957
         return false;
95
957
         }
96
0
      }
97
0
98
0
   // wrong version
99
0
   if(client_hello->version() != session_info.version())
100
0
      return false;
101
0
102
0
   // client didn't send original ciphersuite
103
0
   if(!value_exists(client_hello->ciphersuites(),
104
0
                    session_info.ciphersuite_code()))
105
0
      return false;
106
0
107
0
#if defined(BOTAN_HAS_SRP6)
108
0
   // client sent a different SRP identity
109
0
   if(client_hello->srp_identifier() != "")
110
0
      {
111
0
      if(client_hello->srp_identifier() != session_info.srp_identifier())
112
0
         return false;
113
0
      }
114
0
#endif
115
0
116
0
   // client sent a different SNI hostname
117
0
   if(client_hello->sni_hostname() != "")
118
0
      {
119
0
      if(client_hello->sni_hostname() != session_info.server_info().hostname())
120
0
         return false;
121
0
      }
122
0
123
0
   // Checking extended_master_secret on resume (RFC 7627 section 5.3)
124
0
   if(client_hello->supports_extended_master_secret() != session_info.supports_extended_master_secret())
125
0
      {
126
0
      if(!session_info.supports_extended_master_secret())
127
0
         {
128
0
         return false; // force new handshake with extended master secret
129
0
         }
130
0
      else
131
0
         {
132
0
         /*
133
0
         Client previously negotiated session with extended master secret,
134
0
         but has now attempted to resume without the extension: abort
135
0
         */
136
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
137
0
                             "Client resumed extended ms session without sending extension");
138
0
         }
139
0
      }
140
0
141
0
   // Checking encrypt_then_mac on resume (RFC 7366 section 3.1)
142
0
   if(!client_hello->supports_encrypt_then_mac() && session_info.supports_encrypt_then_mac())
143
0
      {
144
0
      /*
145
0
      Client previously negotiated session with Encrypt-then-MAC,
146
0
      but has now attempted to resume without the extension: abort
147
0
      */
148
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
149
0
                             "Client resumed Encrypt-then-MAC session without sending extension");
150
0
      }
151
0
152
0
   return true;
153
0
   }
154
155
/*
156
* Choose which ciphersuite to use
157
*/
158
uint16_t choose_ciphersuite(
159
   const Policy& policy,
160
   Protocol_Version version,
161
   Credentials_Manager& creds,
162
   const std::map<std::string, std::vector<X509_Certificate>>& cert_chains,
163
   const Client_Hello& client_hello)
164
24.7k
   {
165
24.7k
   const bool our_choice = policy.server_uses_own_ciphersuite_preferences();
166
24.7k
   const bool have_srp = creds.attempt_srp("tls-server", client_hello.sni_hostname());
167
24.7k
   const std::vector<uint16_t> client_suites = client_hello.ciphersuites();
168
24.7k
   const std::vector<uint16_t> server_suites = policy.ciphersuite_list(version, have_srp);
169
24.7k
170
24.7k
   if(server_suites.empty())
171
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
172
0
                          "Policy forbids us from negotiating any ciphersuite");
173
24.7k
174
24.7k
   const bool have_shared_ecc_curve =
175
24.7k
      (policy.choose_key_exchange_group(client_hello.supported_ecc_curves()) != Group_Params::NONE);
176
24.7k
177
24.7k
   /*
178
24.7k
   Walk down one list in preference order
179
24.7k
   */
180
24.7k
   std::vector<uint16_t> pref_list = server_suites;
181
24.7k
   std::vector<uint16_t> other_list = client_suites;
182
24.7k
183
24.7k
   if(!our_choice)
184
0
      std::swap(pref_list, other_list);
185
24.7k
186
24.7k
   for(auto suite_id : pref_list)
187
2.70M
      {
188
2.70M
      if(!value_exists(other_list, suite_id))
189
2.67M
         continue;
190
25.1k
191
25.1k
      const Ciphersuite suite = Ciphersuite::by_id(suite_id);
192
25.1k
193
25.1k
      if(suite.valid() == false)
194
0
         {
195
0
         continue;
196
0
         }
197
25.1k
198
25.1k
      if(have_shared_ecc_curve == false && suite.ecc_ciphersuite())
199
56
         {
200
56
         continue;
201
56
         }
202
25.1k
203
25.1k
      // For non-anon ciphersuites
204
25.1k
      if(suite.signature_used())
205
724
         {
206
724
         const std::string sig_algo = suite.sig_algo();
207
724
208
724
         // Do we have any certificates for this sig?
209
724
         if(cert_chains.count(sig_algo) == 0)
210
554
            {
211
554
            continue;
212
554
            }
213
170
214
170
         if(version.supports_negotiable_signature_algorithms())
215
170
            {
216
170
            const std::vector<Signature_Scheme> allowed =
217
170
               policy.allowed_signature_schemes();
218
170
219
170
            std::vector<Signature_Scheme> client_sig_methods =
220
170
               client_hello.signature_schemes();
221
170
222
170
            if(client_sig_methods.empty())
223
39
               {
224
39
               // If empty, then implicit SHA-1 (TLS v1.2 rules)
225
39
               client_sig_methods.push_back(Signature_Scheme::RSA_PKCS1_SHA1);
226
39
               client_sig_methods.push_back(Signature_Scheme::ECDSA_SHA1);
227
39
               client_sig_methods.push_back(Signature_Scheme::DSA_SHA1);
228
39
               }
229
170
230
170
            bool we_support_some_hash_by_client = false;
231
170
232
170
            for(Signature_Scheme scheme : client_sig_methods)
233
7.81k
               {
234
7.81k
               if(signature_scheme_is_known(scheme) == false)
235
5.03k
                  continue;
236
2.77k
237
2.77k
               if(signature_algorithm_of_scheme(scheme) == suite.sig_algo() &&
238
2.77k
                  policy.allowed_signature_hash(hash_function_of_scheme(scheme)))
239
574
                  {
240
574
                  we_support_some_hash_by_client = true;
241
574
                  }
242
2.77k
               }
243
170
244
170
            if(we_support_some_hash_by_client == false)
245
98
               {
246
98
               throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
247
98
                                   "Policy does not accept any hash function supported by client");
248
98
               }
249
24.4k
            }
250
170
         }
251
24.4k
252
24.4k
#if defined(BOTAN_HAS_SRP6)
253
24.4k
      /*
254
24.4k
      The client may offer SRP cipher suites in the hello message but
255
24.4k
      omit the SRP extension.  If the server would like to select an
256
24.4k
      SRP cipher suite in this case, the server SHOULD return a fatal
257
24.4k
      "unknown_psk_identity" alert immediately after processing the
258
24.4k
      client hello message.
259
24.4k
       - RFC 5054 section 2.5.1.2
260
24.4k
      */
261
24.4k
      if(suite.kex_method() == Kex_Algo::SRP_SHA && client_hello.srp_identifier() == "")
262
0
         throw TLS_Exception(Alert::UNKNOWN_PSK_IDENTITY,
263
0
                             "Client wanted SRP but did not send username");
264
24.4k
#endif
265
24.4k
266
24.4k
      return suite_id;
267
24.4k
      }
268
24.7k
269
24.7k
   throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
270
178
                       "Can't agree on a ciphersuite with client");
271
24.7k
   }
272
273
std::map<std::string, std::vector<X509_Certificate>>
274
get_server_certs(const std::string& hostname,
275
                 Credentials_Manager& creds)
276
24.7k
   {
277
24.7k
   const char* cert_types[] = { "RSA", "ECDSA", "DSA", nullptr };
278
24.7k
279
24.7k
   std::map<std::string, std::vector<X509_Certificate>> cert_chains;
280
24.7k
281
99.0k
   for(size_t i = 0; cert_types[i]; ++i)
282
74.2k
      {
283
74.2k
      const std::vector<X509_Certificate> certs =
284
74.2k
         creds.cert_chain_single_type(cert_types[i], "tls-server", hostname);
285
74.2k
286
74.2k
      if(!certs.empty())
287
24.7k
         cert_chains[cert_types[i]] = certs;
288
74.2k
      }
289
24.7k
290
24.7k
   return cert_chains;
291
24.7k
   }
292
293
}
294
295
/*
296
* TLS Server Constructor
297
*/
298
Server::Server(Callbacks& callbacks,
299
               Session_Manager& session_manager,
300
               Credentials_Manager& creds,
301
               const Policy& policy,
302
               RandomNumberGenerator& rng,
303
               bool is_datagram,
304
               size_t io_buf_sz) :
305
   Channel(callbacks, session_manager, rng, policy,
306
           true, is_datagram, io_buf_sz),
307
   m_creds(creds)
308
5.47k
   {
309
5.47k
   }
310
311
Server::Server(output_fn output,
312
               data_cb got_data_cb,
313
               alert_cb recv_alert_cb,
314
               handshake_cb hs_cb,
315
               Session_Manager& session_manager,
316
               Credentials_Manager& creds,
317
               const Policy& policy,
318
               RandomNumberGenerator& rng,
319
               next_protocol_fn next_proto,
320
               bool is_datagram,
321
               size_t io_buf_sz) :
322
   Channel(output, got_data_cb, recv_alert_cb, hs_cb,
323
           Channel::handshake_msg_cb(), session_manager,
324
           rng, policy, true, is_datagram, io_buf_sz),
325
   m_creds(creds),
326
   m_choose_next_protocol(next_proto)
327
0
   {
328
0
   }
329
330
Server::Server(output_fn output,
331
               data_cb got_data_cb,
332
               alert_cb recv_alert_cb,
333
               handshake_cb hs_cb,
334
               handshake_msg_cb hs_msg_cb,
335
               Session_Manager& session_manager,
336
               Credentials_Manager& creds,
337
               const Policy& policy,
338
               RandomNumberGenerator& rng,
339
               next_protocol_fn next_proto,
340
               bool is_datagram) :
341
   Channel(output, got_data_cb, recv_alert_cb, hs_cb, hs_msg_cb,
342
           session_manager, rng, policy, true, is_datagram),
343
   m_creds(creds),
344
   m_choose_next_protocol(next_proto)
345
0
   {
346
0
   }
347
348
Handshake_State* Server::new_handshake_state(Handshake_IO* io)
349
32.9k
   {
350
32.9k
   std::unique_ptr<Handshake_State> state(new Server_Handshake_State(io, callbacks()));
351
32.9k
352
32.9k
   state->set_expected_next(CLIENT_HELLO);
353
32.9k
   return state.release();
354
32.9k
   }
355
356
std::vector<X509_Certificate>
357
Server::get_peer_cert_chain(const Handshake_State& state_base) const
358
416
   {
359
416
   const Server_Handshake_State& state = dynamic_cast<const Server_Handshake_State&>(state_base);
360
416
   if(state.resume_peer_certs().size() > 0)
361
0
      return state.resume_peer_certs();
362
416
363
416
   if(state.client_certs())
364
0
      return state.client_certs()->cert_chain();
365
416
   return std::vector<X509_Certificate>();
366
416
   }
367
368
/*
369
* Send a hello request to the client
370
*/
371
void Server::initiate_handshake(Handshake_State& state,
372
                                bool force_full_renegotiation)
373
0
   {
374
0
   dynamic_cast<Server_Handshake_State&>(state).
375
0
       set_allow_session_resumption(!force_full_renegotiation);
376
0
377
0
   Hello_Request hello_req(state.handshake_io());
378
0
   }
379
380
namespace {
381
382
Protocol_Version select_version(const Botan::TLS::Policy& policy,
383
                                Protocol_Version client_offer,
384
                                Protocol_Version active_version,
385
                                bool is_fallback,
386
                                const std::vector<Protocol_Version>& supported_versions)
387
31.4k
   {
388
31.4k
   const bool is_datagram = client_offer.is_datagram_protocol();
389
31.4k
   const bool initial_handshake = (active_version.valid() == false);
390
31.4k
391
31.4k
   const Protocol_Version latest_supported = policy.latest_supported_version(is_datagram);
392
31.4k
393
31.4k
   if(is_fallback)
394
100
      {
395
100
      if(latest_supported > client_offer)
396
1
         throw TLS_Exception(Alert::INAPPROPRIATE_FALLBACK,
397
1
                              "Client signalled fallback SCSV, possible attack");
398
31.4k
      }
399
31.4k
400
31.4k
   if(supported_versions.size() > 0)
401
10
      {
402
10
      if(is_datagram)
403
1
         {
404
1
         if(policy.allow_dtls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V12)))
405
0
            return Protocol_Version::DTLS_V12;
406
1
#if defined(BOTAN_HAS_TLS_V10)
407
1
         if(policy.allow_dtls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::DTLS_V10)))
408
0
            return Protocol_Version::DTLS_V10;
409
1
#endif
410
1
         throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared DTLS version");
411
1
         }
412
9
      else
413
9
         {
414
9
         if(policy.allow_tls12() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V12)))
415
7
            return Protocol_Version::TLS_V12;
416
2
#if defined(BOTAN_HAS_TLS_V10)
417
2
         if(policy.allow_tls11() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V11)))
418
0
            return Protocol_Version::TLS_V11;
419
2
         if(policy.allow_tls10() && value_exists(supported_versions, Protocol_Version(Protocol_Version::TLS_V10)))
420
0
            return Protocol_Version::TLS_V10;
421
2
#endif
422
2
         throw TLS_Exception(Alert::PROTOCOL_VERSION, "No shared TLS version");
423
2
         }
424
10
      }
425
31.4k
426
31.4k
   const bool client_offer_acceptable =
427
31.4k
      client_offer.known_version() && policy.acceptable_protocol_version(client_offer);
428
31.4k
429
31.4k
   if(!initial_handshake)
430
0
      {
431
0
      /*
432
0
      * If this is a renegotiation, and the client has offered a
433
0
      * later version than what it initially negotiated, negotiate
434
0
      * the old version. This matches OpenSSL's behavior. If the
435
0
      * client is offering a version earlier than what it initially
436
0
      * negotiated, reject as a probable attack.
437
0
      */
438
0
      if(active_version > client_offer)
439
0
         {
440
0
         throw TLS_Exception(Alert::PROTOCOL_VERSION,
441
0
                              "Client negotiated " +
442
0
                              active_version.to_string() +
443
0
                              " then renegotiated with " +
444
0
                              client_offer.to_string());
445
0
         }
446
0
      else
447
0
         {
448
0
         return active_version;
449
0
         }
450
31.4k
      }
451
31.4k
   else if(client_offer_acceptable)
452
6.38k
      {
453
6.38k
      return client_offer;
454
6.38k
      }
455
25.0k
   else if(!client_offer.known_version() || client_offer > latest_supported)
456
25.0k
      {
457
25.0k
      /*
458
25.0k
      The client offered some version newer than the latest we
459
25.0k
      support.  Offer them the best we know.
460
25.0k
      */
461
25.0k
      return latest_supported;
462
25.0k
      }
463
6
   else
464
6
      {
465
6
      throw TLS_Exception(Alert::PROTOCOL_VERSION,
466
6
                           "Client version " + client_offer.to_string() +
467
6
                           " is unacceptable by policy");
468
6
      }
469
31.4k
   }
470
471
}
472
473
/*
474
* Process a CLIENT HELLO Message
475
*/
476
void Server::process_client_hello_msg(const Handshake_State* active_state,
477
                                      Server_Handshake_State& pending_state,
478
                                      const std::vector<uint8_t>& contents,
479
                                      bool epoch0_restart)
480
32.1k
   {
481
32.1k
   BOTAN_ASSERT_IMPLICATION(epoch0_restart, active_state != nullptr, "Can't restart with a dead connection");
482
32.1k
483
32.1k
   const bool initial_handshake = epoch0_restart || !active_state;
484
32.1k
485
32.1k
   if(initial_handshake == false && policy().allow_client_initiated_renegotiation() == false)
486
0
      {
487
0
      if(policy().abort_connection_on_undesired_renegotiation())
488
0
         throw TLS_Exception(Alert::NO_RENEGOTIATION, "Server policy prohibits renegotiation");
489
0
      else
490
0
         send_warning_alert(Alert::NO_RENEGOTIATION);
491
0
      return;
492
32.1k
      }
493
32.1k
494
32.1k
   if(!policy().allow_insecure_renegotiation() &&
495
32.1k
      !(initial_handshake || secure_renegotiation_supported()))
496
0
      {
497
0
      send_warning_alert(Alert::NO_RENEGOTIATION);
498
0
      return;
499
0
      }
500
32.1k
501
32.1k
   pending_state.client_hello(new Client_Hello(contents));
502
32.1k
   const Protocol_Version client_offer = pending_state.client_hello()->version();
503
32.1k
   const bool datagram = client_offer.is_datagram_protocol();
504
32.1k
505
32.1k
   if(datagram)
506
6.69k
      {
507
6.69k
      if(client_offer.major_version() == 0xFF)
508
3
         throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered DTLS version with major version 0xFF");
509
25.4k
      }
510
25.4k
   else
511
25.4k
      {
512
25.4k
      if(client_offer.major_version() < 3)
513
6
         throw TLS_Exception(Alert::PROTOCOL_VERSION, "Client offered TLS version with major version under 3");
514
25.4k
      if(client_offer.major_version() == 3 && client_offer.minor_version() == 0)
515
2
         throw TLS_Exception(Alert::PROTOCOL_VERSION, "SSLv3 is not supported");
516
32.1k
      }
517
32.1k
518
32.1k
   /*
519
32.1k
   * BoGo test suite expects that we will send the hello verify with a record
520
32.1k
   * version matching the version that is eventually negotiated. This is wrong
521
32.1k
   * but harmless, so go with it. Also doing the version negotiation step first
522
32.1k
   * allows to immediately close the connection with an alert if the client has
523
32.1k
   * offered a version that we are not going to negotiate anyway, instead of
524
32.1k
   * making them first do the cookie exchange and then telling them no.
525
32.1k
   *
526
32.1k
   * There is no issue with amplification here, since the alert is just 2 bytes.
527
32.1k
   */
528
32.1k
   const Protocol_Version negotiated_version =
529
32.1k
      select_version(policy(), client_offer,
530
32.1k
                     active_state ? active_state->version() : Protocol_Version(),
531
32.1k
                     pending_state.client_hello()->sent_fallback_scsv(),
532
32.1k
                     pending_state.client_hello()->supported_versions());
533
32.1k
534
32.1k
   pending_state.set_version(negotiated_version);
535
32.1k
536
32.1k
   const auto compression_methods = pending_state.client_hello()->compression_methods();
537
32.1k
   if(!value_exists(compression_methods, uint8_t(0)))
538
35
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Client did not offer NULL compression");
539
32.1k
540
32.1k
   if(initial_handshake && datagram)
541
6.67k
      {
542
6.67k
      SymmetricKey cookie_secret;
543
6.67k
544
6.67k
      try
545
6.67k
         {
546
6.67k
         cookie_secret = m_creds.psk("tls-server", "dtls-cookie-secret", "");
547
6.67k
         }
548
6.67k
      catch(...) {}
549
6.67k
550
6.67k
      if(cookie_secret.size() > 0)
551
6.67k
         {
552
6.67k
         const std::string client_identity = callbacks().tls_peer_network_identity();
553
6.67k
         Hello_Verify_Request verify(pending_state.client_hello()->cookie_input_data(), client_identity, cookie_secret);
554
6.67k
555
6.67k
         if(pending_state.client_hello()->cookie() != verify.cookie())
556
6.67k
            {
557
6.67k
            if(epoch0_restart)
558
0
               pending_state.handshake_io().send_under_epoch(verify, 0);
559
6.67k
            else
560
6.67k
               pending_state.handshake_io().send(verify);
561
6.67k
562
6.67k
            pending_state.client_hello(nullptr);
563
6.67k
            pending_state.set_expected_next(CLIENT_HELLO);
564
6.67k
            return;
565
6.67k
            }
566
0
         }
567
0
      else if(epoch0_restart)
568
0
         {
569
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Reuse of DTLS association requires DTLS cookie secret be set");
570
0
         }
571
25.4k
      }
572
25.4k
573
25.4k
   if(epoch0_restart)
574
0
      {
575
0
      // If we reached here then we were able to verify the cookie
576
0
      reset_active_association_state();
577
0
      }
578
25.4k
579
25.4k
   secure_renegotiation_check(pending_state.client_hello());
580
25.4k
581
25.4k
   callbacks().tls_examine_extensions(pending_state.client_hello()->extensions(), CLIENT);
582
25.4k
583
25.4k
   Session session_info;
584
25.4k
   const bool resuming =
585
25.4k
      pending_state.allow_session_resumption() &&
586
25.4k
      check_for_resume(session_info,
587
24.7k
                       session_manager(),
588
24.7k
                       m_creds,
589
24.7k
                       pending_state.client_hello(),
590
24.7k
                       std::chrono::seconds(policy().session_ticket_lifetime()));
591
25.4k
592
25.4k
   bool have_session_ticket_key = false;
593
25.4k
594
25.4k
   try
595
25.4k
      {
596
25.4k
      have_session_ticket_key =
597
25.4k
         m_creds.psk("tls-server", "session-ticket", "").length() > 0;
598
25.4k
      }
599
25.4k
   catch(...) {}
600
25.4k
601
25.4k
   m_next_protocol = "";
602
24.7k
   if(pending_state.client_hello()->supports_alpn())
603
5.93k
      {
604
5.93k
      m_next_protocol = callbacks().tls_server_choose_app_protocol(pending_state.client_hello()->next_protocols());
605
5.93k
606
5.93k
      // if the callback return was empty, fall back to the (deprecated) std::function
607
5.93k
      if(m_next_protocol.empty() && m_choose_next_protocol)
608
0
         {
609
0
         m_next_protocol = m_choose_next_protocol(pending_state.client_hello()->next_protocols());
610
0
         }
611
5.93k
      }
612
24.7k
613
24.7k
   if(resuming)
614
0
      {
615
0
      this->session_resume(pending_state, have_session_ticket_key, session_info);
616
0
      }
617
24.7k
   else // new session
618
24.7k
      {
619
24.7k
      this->session_create(pending_state, have_session_ticket_key);
620
24.7k
      }
621
24.7k
   }
622
623
void Server::process_certificate_msg(Server_Handshake_State& pending_state,
624
                                     const std::vector<uint8_t>& contents)
625
0
   {
626
0
   pending_state.client_certs(new Certificate(contents, policy()));
627
0
628
0
   // CERTIFICATE_REQUIRED would make more sense but BoGo expects handshake failure alert
629
0
   if(pending_state.client_certs()->empty() && policy().require_client_certificate_authentication())
630
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Policy requires client send a certificate, but it did not");
631
0
632
0
   pending_state.set_expected_next(CLIENT_KEX);
633
0
   }
634
635
void Server::process_client_key_exchange_msg(Server_Handshake_State& pending_state,
636
                                             const std::vector<uint8_t>& contents)
637
14.4k
   {
638
14.4k
   if(pending_state.received_handshake_msg(CERTIFICATE) && !pending_state.client_certs()->empty())
639
0
      pending_state.set_expected_next(CERTIFICATE_VERIFY);
640
14.4k
   else
641
14.4k
      pending_state.set_expected_next(HANDSHAKE_CCS);
642
14.4k
643
14.4k
   pending_state.client_kex(new Client_Key_Exchange(contents, pending_state,
644
14.4k
                                                    pending_state.server_rsa_kex_key(),
645
14.4k
                                                    m_creds, policy(), rng()));
646
14.4k
647
14.4k
   pending_state.compute_session_keys();
648
14.4k
   }
649
650
void Server::process_change_cipher_spec_msg(Server_Handshake_State& pending_state)
651
708
   {
652
708
   pending_state.set_expected_next(FINISHED);
653
708
   change_cipher_spec_reader(SERVER);
654
708
   }
655
656
void Server::process_certificate_verify_msg(Server_Handshake_State& pending_state,
657
                                            Handshake_Type type,
658
                                            const std::vector<uint8_t>& contents)
659
0
   {
660
0
   pending_state.client_verify(new Certificate_Verify(contents, pending_state.version()));
661
0
662
0
   const std::vector<X509_Certificate>& client_certs =
663
0
      pending_state.client_certs()->cert_chain();
664
0
665
0
   const bool sig_valid =
666
0
      pending_state.client_verify()->verify(client_certs[0], pending_state, policy());
667
0
668
0
   pending_state.hash().update(pending_state.handshake_io().format(contents, type));
669
0
670
0
   /*
671
0
   * Using DECRYPT_ERROR looks weird here, but per RFC 4346 is for
672
0
   * "A handshake cryptographic operation failed, including being
673
0
   * unable to correctly verify a signature, ..."
674
0
   */
675
0
   if(!sig_valid)
676
0
      throw TLS_Exception(Alert::DECRYPT_ERROR, "Client cert verify failed");
677
0
678
0
   try
679
0
      {
680
0
      const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
681
0
      auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
682
0
683
0
      callbacks().tls_verify_cert_chain(client_certs,
684
0
                                        {}, // ocsp
685
0
                                        trusted_CAs,
686
0
                                        Usage_Type::TLS_CLIENT_AUTH,
687
0
                                        sni_hostname,
688
0
                                        policy());
689
0
      }
690
0
   catch(std::exception& e)
691
0
      {
692
0
      throw TLS_Exception(Alert::BAD_CERTIFICATE, e.what());
693
0
      }
694
0
695
0
   pending_state.set_expected_next(HANDSHAKE_CCS);
696
0
   }
697
698
void Server::process_finished_msg(Server_Handshake_State& pending_state,
699
                                  Handshake_Type type,
700
                                  const std::vector<uint8_t>& contents)
701
416
   {
702
416
   pending_state.set_expected_next(HANDSHAKE_NONE);
703
416
704
416
   pending_state.client_finished(new Finished(contents));
705
416
706
416
   if(!pending_state.client_finished()->verify(pending_state, CLIENT))
707
0
      throw TLS_Exception(Alert::DECRYPT_ERROR,
708
0
                          "Finished message didn't verify");
709
416
710
416
   if(!pending_state.server_finished())
711
416
      {
712
416
      // already sent finished if resuming, so this is a new session
713
416
714
416
      pending_state.hash().update(pending_state.handshake_io().format(contents, type));
715
416
716
416
      Session session_info(
717
416
         pending_state.server_hello()->session_id(),
718
416
         pending_state.session_keys().master_secret(),
719
416
         pending_state.server_hello()->version(),
720
416
         pending_state.server_hello()->ciphersuite(),
721
416
         SERVER,
722
416
         pending_state.server_hello()->supports_extended_master_secret(),
723
416
         pending_state.server_hello()->supports_encrypt_then_mac(),
724
416
         get_peer_cert_chain(pending_state),
725
416
         std::vector<uint8_t>(),
726
416
         Server_Information(pending_state.client_hello()->sni_hostname()),
727
416
         pending_state.srp_identifier(),
728
416
         pending_state.server_hello()->srtp_profile());
729
416
730
416
      if(save_session(session_info))
731
416
         {
732
416
         if(pending_state.server_hello()->supports_session_ticket())
733
288
            {
734
288
            try
735
288
               {
736
288
               const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
737
288
738
288
               pending_state.new_session_ticket(
739
288
                  new New_Session_Ticket(pending_state.handshake_io(),
740
288
                                         pending_state.hash(),
741
288
                                         session_info.encrypt(ticket_key, rng()),
742
288
                                         policy().session_ticket_lifetime()));
743
288
               }
744
288
            catch(...) {}
745
288
            }
746
128
         else
747
128
            session_manager().save(session_info);
748
416
         }
749
416
750
416
      if(!pending_state.new_session_ticket() &&
751
416
         pending_state.server_hello()->supports_session_ticket())
752
0
         {
753
0
         pending_state.new_session_ticket(
754
0
            new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
755
0
         }
756
416
757
416
      pending_state.handshake_io().send(Change_Cipher_Spec());
758
416
759
416
      change_cipher_spec_writer(SERVER);
760
416
761
416
      pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
762
416
      }
763
416
764
416
   activate_session();
765
416
   }
766
767
/*
768
* Process a handshake message
769
*/
770
void Server::process_handshake_msg(const Handshake_State* active_state,
771
                                   Handshake_State& state_base,
772
                                   Handshake_Type type,
773
                                   const std::vector<uint8_t>& contents,
774
                                   bool epoch0_restart)
775
48.0k
   {
776
48.0k
   Server_Handshake_State& state = dynamic_cast<Server_Handshake_State&>(state_base);
777
48.0k
   state.confirm_transition_to(type);
778
48.0k
779
48.0k
   /*
780
48.0k
   * The change cipher spec message isn't technically a handshake
781
48.0k
   * message so it's not included in the hash. The finished and
782
48.0k
   * certificate verify messages are verified based on the current
783
48.0k
   * state of the hash *before* this message so we delay adding them
784
48.0k
   * to the hash computation until we've processed them below.
785
48.0k
   */
786
48.0k
   if(type != HANDSHAKE_CCS && type != FINISHED && type != CERTIFICATE_VERIFY)
787
46.6k
      {
788
46.6k
      state.hash().update(state.handshake_io().format(contents, type));
789
46.6k
      }
790
48.0k
791
48.0k
   switch(type)
792
48.0k
      {
793
32.1k
      case CLIENT_HELLO:
794
32.1k
         return this->process_client_hello_msg(active_state, state, contents, epoch0_restart);
795
0
796
0
      case CERTIFICATE:
797
0
         return this->process_certificate_msg(state, contents);
798
0
799
14.4k
      case CLIENT_KEX:
800
14.4k
         return this->process_client_key_exchange_msg(state, contents);
801
0
802
0
      case CERTIFICATE_VERIFY:
803
0
         return this->process_certificate_verify_msg(state, type, contents);
804
0
805
708
      case HANDSHAKE_CCS:
806
708
         return this->process_change_cipher_spec_msg(state);
807
0
808
416
      case FINISHED:
809
416
         return this->process_finished_msg(state, type, contents);
810
0
811
0
      default:
812
0
         throw Unexpected_Message("Unknown handshake message received");
813
48.0k
      }
814
48.0k
   }
815
816
void Server::session_resume(Server_Handshake_State& pending_state,
817
                            bool have_session_ticket_key,
818
                            Session& session_info)
819
0
   {
820
0
   // Only offer a resuming client a new ticket if they didn't send one this time,
821
0
   // ie, resumed via server-side resumption. TODO: also send one if expiring soon?
822
0
823
0
   const bool offer_new_session_ticket =
824
0
      (pending_state.client_hello()->supports_session_ticket() &&
825
0
       pending_state.client_hello()->session_ticket().empty() &&
826
0
       have_session_ticket_key);
827
0
828
0
   pending_state.server_hello(new Server_Hello(
829
0
                                 pending_state.handshake_io(),
830
0
                                 pending_state.hash(),
831
0
                                 policy(),
832
0
                                 callbacks(),
833
0
                                 rng(),
834
0
                                 secure_renegotiation_data_for_server_hello(),
835
0
                                 *pending_state.client_hello(),
836
0
                                 session_info,
837
0
                                 offer_new_session_ticket,
838
0
                                 m_next_protocol));
839
0
840
0
   secure_renegotiation_check(pending_state.server_hello());
841
0
842
0
   pending_state.mark_as_resumption();
843
0
   pending_state.compute_session_keys(session_info.master_secret());
844
0
   pending_state.set_resume_certs(session_info.peer_certs());
845
0
846
0
   if(!save_session(session_info))
847
0
      {
848
0
      session_manager().remove_entry(session_info.session_id());
849
0
850
0
      if(pending_state.server_hello()->supports_session_ticket()) // send an empty ticket
851
0
         {
852
0
         pending_state.new_session_ticket(
853
0
            new New_Session_Ticket(pending_state.handshake_io(),
854
0
                                   pending_state.hash()));
855
0
         }
856
0
      }
857
0
858
0
   if(pending_state.server_hello()->supports_session_ticket() && !pending_state.new_session_ticket())
859
0
      {
860
0
      try
861
0
         {
862
0
         const SymmetricKey ticket_key = m_creds.psk("tls-server", "session-ticket", "");
863
0
864
0
         pending_state.new_session_ticket(
865
0
            new New_Session_Ticket(pending_state.handshake_io(),
866
0
                                   pending_state.hash(),
867
0
                                   session_info.encrypt(ticket_key, rng()),
868
0
                                   policy().session_ticket_lifetime()));
869
0
         }
870
0
      catch(...) {}
871
0
872
0
      if(!pending_state.new_session_ticket())
873
0
         {
874
0
         pending_state.new_session_ticket(
875
0
            new New_Session_Ticket(pending_state.handshake_io(), pending_state.hash()));
876
0
         }
877
0
      }
878
0
879
0
   pending_state.handshake_io().send(Change_Cipher_Spec());
880
0
881
0
   change_cipher_spec_writer(SERVER);
882
0
883
0
   pending_state.server_finished(new Finished(pending_state.handshake_io(), pending_state, SERVER));
884
0
   pending_state.set_expected_next(HANDSHAKE_CCS);
885
0
   }
886
887
void Server::session_create(Server_Handshake_State& pending_state,
888
                            bool have_session_ticket_key)
889
24.7k
   {
890
24.7k
   std::map<std::string, std::vector<X509_Certificate>> cert_chains;
891
24.7k
892
24.7k
   const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
893
24.7k
894
24.7k
   cert_chains = get_server_certs(sni_hostname, m_creds);
895
24.7k
896
24.7k
   if(sni_hostname != "" && cert_chains.empty())
897
0
      {
898
0
      cert_chains = get_server_certs("", m_creds);
899
0
900
0
      /*
901
0
      * Only send the unrecognized_name alert if we couldn't
902
0
      * find any certs for the requested name but did find at
903
0
      * least one cert to use in general. That avoids sending an
904
0
      * unrecognized_name when a server is configured for purely
905
0
      * anonymous/PSK operation.
906
0
      */
907
0
      if(!cert_chains.empty())
908
0
         send_warning_alert(Alert::UNRECOGNIZED_NAME);
909
0
      }
910
24.7k
911
24.7k
   const uint16_t ciphersuite = choose_ciphersuite(policy(), pending_state.version(),
912
24.7k
                                                   m_creds, cert_chains,
913
24.7k
                                                   *pending_state.client_hello());
914
24.7k
915
24.7k
   Server_Hello::Settings srv_settings(
916
24.7k
      make_hello_random(rng(), policy()), // new session ID
917
24.7k
      pending_state.version(),
918
24.7k
      ciphersuite,
919
24.7k
      have_session_ticket_key);
920
24.7k
921
24.7k
   pending_state.server_hello(new Server_Hello(
922
24.7k
                                 pending_state.handshake_io(),
923
24.7k
                                 pending_state.hash(),
924
24.7k
                                 policy(),
925
24.7k
                                 callbacks(),
926
24.7k
                                 rng(),
927
24.7k
                                 secure_renegotiation_data_for_server_hello(),
928
24.7k
                                 *pending_state.client_hello(),
929
24.7k
                                 srv_settings,
930
24.7k
                                 m_next_protocol));
931
24.7k
932
24.7k
   secure_renegotiation_check(pending_state.server_hello());
933
24.7k
934
24.7k
   const Ciphersuite& pending_suite = pending_state.ciphersuite();
935
24.7k
936
24.7k
   Private_Key* private_key = nullptr;
937
24.7k
938
24.7k
   if(pending_suite.signature_used() || pending_suite.kex_method() == Kex_Algo::STATIC_RSA)
939
143
      {
940
143
      const std::string algo_used =
941
143
         pending_suite.signature_used() ? pending_suite.sig_algo() : "RSA";
942
143
943
143
      BOTAN_ASSERT(!cert_chains[algo_used].empty(),
944
143
                     "Attempting to send empty certificate chain");
945
143
946
143
      pending_state.server_certs(new Certificate(pending_state.handshake_io(),
947
143
                                                 pending_state.hash(),
948
143
                                                 cert_chains[algo_used]));
949
143
950
143
      if(pending_state.client_hello()->supports_cert_status_message() && pending_state.is_a_resumption() == false)
951
3
         {
952
3
         auto csr = pending_state.client_hello()->extensions().get<Certificate_Status_Request>();
953
3
         // csr is non-null if client_hello()->supports_cert_status_message()
954
3
         BOTAN_ASSERT_NOMSG(csr != nullptr);
955
3
         const auto resp_bytes = callbacks().tls_provide_cert_status(cert_chains[algo_used], *csr);
956
3
         if(resp_bytes.size() > 0)
957
0
            {
958
0
            pending_state.server_cert_status(new Certificate_Status(
959
0
                                                pending_state.handshake_io(),
960
0
                                                pending_state.hash(),
961
0
                                                resp_bytes
962
0
                                                ));
963
0
            }
964
3
         }
965
143
966
143
      private_key = m_creds.private_key_for(
967
143
         pending_state.server_certs()->cert_chain()[0],
968
143
         "tls-server",
969
143
         sni_hostname);
970
143
971
143
      if(!private_key)
972
143
         throw Internal_Error("No private key located for associated server cert");
973
24.6k
      }
974
24.6k
975
24.6k
   if(pending_suite.kex_method() == Kex_Algo::STATIC_RSA)
976
0
      {
977
0
      pending_state.set_server_rsa_kex_key(private_key);
978
0
      }
979
24.6k
   else
980
24.6k
      {
981
24.6k
      pending_state.server_kex(new Server_Key_Exchange(pending_state.handshake_io(),
982
24.6k
                                                       pending_state, policy(),
983
24.6k
                                                       m_creds, rng(), private_key));
984
24.6k
      }
985
24.6k
986
24.6k
   auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
987
24.6k
988
24.6k
   std::vector<X509_DN> client_auth_CAs;
989
24.6k
990
24.6k
   for(auto store : trusted_CAs)
991
0
      {
992
0
      auto subjects = store->all_subjects();
993
0
      client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
994
0
      }
995
24.6k
996
24.6k
   const bool request_cert =
997
24.6k
      (client_auth_CAs.empty() == false) ||
998
24.6k
      policy().request_client_certificate_authentication();
999
24.6k
1000
24.6k
   if(request_cert && pending_state.ciphersuite().signature_used())
1001
0
      {
1002
0
      pending_state.cert_req(
1003
0
         new Certificate_Req(pending_state.handshake_io(),
1004
0
                             pending_state.hash(),
1005
0
                             policy(),
1006
0
                             client_auth_CAs,
1007
0
                             pending_state.version()));
1008
0
1009
0
      /*
1010
0
      SSLv3 allowed clients to skip the Certificate message entirely
1011
0
      if they wanted. In TLS v1.0 and later clients must send a
1012
0
      (possibly empty) Certificate message
1013
0
      */
1014
0
      pending_state.set_expected_next(CERTIFICATE);
1015
0
      }
1016
24.6k
   else
1017
24.6k
      {
1018
24.6k
      pending_state.set_expected_next(CLIENT_KEX);
1019
24.6k
      }
1020
24.6k
1021
24.6k
   pending_state.server_hello_done(new Server_Hello_Done(pending_state.handshake_io(), pending_state.hash()));
1022
24.6k
   }
1023
}
1024
1025
}