Coverage Report

Created: 2020-11-21 08:34

/src/botan/src/lib/tls/tls_client.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Client
3
* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/tls_client.h>
11
#include <botan/tls_messages.h>
12
#include <botan/internal/tls_handshake_state.h>
13
#include <botan/internal/stl_util.h>
14
#include <iterator>
15
#include <sstream>
16
17
namespace Botan {
18
19
namespace TLS {
20
21
namespace {
22
23
class Client_Handshake_State final : public Handshake_State
24
   {
25
   public:
26
      Client_Handshake_State(Handshake_IO* io, Callbacks& cb) :
27
         Handshake_State(io, cb),
28
         m_is_reneg(false)
29
14.0k
         {}
30
31
      const Public_Key& get_server_public_key() const
32
247
         {
33
247
         BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
34
247
         return *server_public_key.get();
35
247
         }
36
37
126
      bool is_a_resumption() const { return (resumed_session != nullptr); }
38
39
0
      bool is_a_renegotiation() const { return m_is_reneg; }
40
41
      const secure_vector<uint8_t>& resume_master_secret() const
42
0
         {
43
0
         BOTAN_STATE_CHECK(is_a_resumption());
44
0
         return resumed_session->master_secret();
45
0
         }
46
47
      const std::vector<X509_Certificate>& resume_peer_certs() const
48
0
         {
49
0
         BOTAN_STATE_CHECK(is_a_resumption());
50
0
         return resumed_session->peer_certs();
51
0
         }
52
53
      std::unique_ptr<Public_Key> server_public_key;
54
      // Used during session resumption
55
      std::unique_ptr<Session> resumed_session;
56
      bool m_is_reneg = false;
57
   };
58
59
}
60
61
/*
62
* TLS Client Constructor
63
*/
64
Client::Client(Callbacks& callbacks,
65
               Session_Manager& session_manager,
66
               Credentials_Manager& creds,
67
               const Policy& policy,
68
               RandomNumberGenerator& rng,
69
               const Server_Information& info,
70
               const Protocol_Version& offer_version,
71
               const std::vector<std::string>& next_protocols,
72
               size_t io_buf_sz) :
73
   Channel(callbacks, session_manager, rng, policy,
74
           false, offer_version.is_datagram_protocol(), io_buf_sz),
75
   m_creds(creds),
76
   m_info(info)
77
6.01k
   {
78
6.01k
   const std::string srp_identifier = m_creds.srp_identifier("tls-client", m_info.hostname());
79
80
6.01k
   Handshake_State& state = create_handshake_state(offer_version);
81
6.01k
   send_client_hello(state, false, offer_version,
82
6.01k
                     srp_identifier, next_protocols);
83
6.01k
   }
84
85
Handshake_State* Client::new_handshake_state(Handshake_IO* io)
86
14.0k
   {
87
14.0k
   return new Client_Handshake_State(io, callbacks());
88
14.0k
   }
89
90
std::vector<X509_Certificate>
91
Client::get_peer_cert_chain(const Handshake_State& state) const
92
88
   {
93
88
   const Client_Handshake_State& cstate = dynamic_cast<const Client_Handshake_State&>(state);
94
95
88
   if(cstate.is_a_resumption())
96
0
      return cstate.resume_peer_certs();
97
98
88
   if(state.server_certs())
99
35
      return state.server_certs()->cert_chain();
100
53
   return std::vector<X509_Certificate>();
101
53
   }
102
103
/*
104
* Send a new client hello to renegotiate
105
*/
106
void Client::initiate_handshake(Handshake_State& state,
107
                                bool force_full_renegotiation)
108
0
   {
109
0
   send_client_hello(state, force_full_renegotiation,
110
0
                     policy().latest_supported_version(state.version().is_datagram_protocol()));
111
0
   }
112
113
void Client::send_client_hello(Handshake_State& state_base,
114
                               bool force_full_renegotiation,
115
                               Protocol_Version version,
116
                               const std::string& srp_identifier,
117
                               const std::vector<std::string>& next_protocols)
118
6.01k
   {
119
6.01k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
120
121
6.01k
   if(state.version().is_datagram_protocol())
122
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // optional
123
6.01k
   state.set_expected_next(SERVER_HELLO);
124
125
6.01k
   if(!force_full_renegotiation && !m_info.empty())
126
6.01k
      {
127
6.01k
      std::unique_ptr<Session> session_info(new Session);;
128
6.01k
      if(session_manager().load_from_server_info(m_info, *session_info))
129
0
         {
130
         /*
131
         Ensure that the session protocol cipher and version are acceptable
132
         If not skip the resume and establish a new session
133
         */
134
0
         const bool exact_version = session_info->version() == version;
135
0
         const bool ok_version =
136
0
            (session_info->version().is_datagram_protocol() == version.is_datagram_protocol()) &&
137
0
            policy().acceptable_protocol_version(session_info->version());
138
139
0
         const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
140
141
0
         if(policy().acceptable_ciphersuite(session_info->ciphersuite()) && session_version_ok)
142
0
            {
143
0
            if(srp_identifier == "" || session_info->srp_identifier() == srp_identifier)
144
0
               {
145
0
               state.client_hello(
146
0
                  new Client_Hello(state.handshake_io(),
147
0
                                   state.hash(),
148
0
                                   policy(),
149
0
                                   callbacks(),
150
0
                                   rng(),
151
0
                                   secure_renegotiation_data_for_client_hello(),
152
0
                                   *session_info,
153
0
                                   next_protocols));
154
155
0
               state.resumed_session = std::move(session_info);
156
0
               }
157
0
            }
158
0
         }
159
6.01k
      }
160
161
6.01k
   if(!state.client_hello()) // not resuming
162
6.01k
      {
163
6.01k
      Client_Hello::Settings client_settings(version, m_info.hostname(), srp_identifier);
164
6.01k
      state.client_hello(new Client_Hello(
165
6.01k
         state.handshake_io(),
166
6.01k
         state.hash(),
167
6.01k
         policy(),
168
6.01k
         callbacks(),
169
6.01k
         rng(),
170
6.01k
         secure_renegotiation_data_for_client_hello(),
171
6.01k
         client_settings,
172
6.01k
         next_protocols));
173
6.01k
      }
174
175
6.01k
   secure_renegotiation_check(state.client_hello());
176
6.01k
   }
177
178
namespace {
179
180
bool key_usage_matches_ciphersuite(Key_Constraints usage,
181
                                   const Ciphersuite& suite)
182
634
   {
183
634
   if(usage == NO_CONSTRAINTS)
184
619
      return true; // anything goes ...
185
186
15
   if(suite.kex_method() == Kex_Algo::STATIC_RSA)
187
1
      {
188
1
      return (usage & KEY_ENCIPHERMENT) | (usage & DATA_ENCIPHERMENT);
189
1
      }
190
14
   else
191
14
      {
192
14
      return (usage & DIGITAL_SIGNATURE) | (usage & NON_REPUDIATION);
193
14
      }
194
15
   }
195
196
}
197
198
/*
199
* Process a handshake message
200
*/
201
void Client::process_handshake_msg(const Handshake_State* active_state,
202
                                   Handshake_State& state_base,
203
                                   Handshake_Type type,
204
                                   const std::vector<uint8_t>& contents,
205
                                   bool epoch0_restart)
206
12.0k
   {
207
12.0k
   BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
208
209
12.0k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
210
211
12.0k
   if(type == HELLO_REQUEST && active_state)
212
0
      {
213
0
      Hello_Request hello_request(contents);
214
215
0
      if(state.client_hello())
216
0
         {
217
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Cannot renegotiate during a handshake");
218
0
         }
219
220
0
      if(policy().allow_server_initiated_renegotiation())
221
0
         {
222
0
         if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation())
223
0
            {
224
0
            state.m_is_reneg = true;
225
0
            this->initiate_handshake(state, true);
226
0
            }
227
0
         else
228
0
            {
229
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Client policy prohibits insecure renegotiation");
230
0
            }
231
0
         }
232
0
      else
233
0
         {
234
0
         if(policy().abort_connection_on_undesired_renegotiation())
235
0
            {
236
0
            throw TLS_Exception(Alert::NO_RENEGOTIATION, "Client policy prohibits renegotiation");
237
0
            }
238
0
         else
239
0
            {
240
            // RFC 5746 section 4.2
241
0
            send_warning_alert(Alert::NO_RENEGOTIATION);
242
0
            }
243
0
         }
244
245
0
      return;
246
12.0k
      }
247
248
12.0k
   state.confirm_transition_to(type);
249
250
12.0k
   if(type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST)
251
11.2k
      state.hash().update(state.handshake_io().format(contents, type));
252
253
12.0k
   if(type == HELLO_VERIFY_REQUEST)
254
0
      {
255
0
      state.set_expected_next(SERVER_HELLO);
256
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // might get it again
257
258
0
      Hello_Verify_Request hello_verify_request(contents);
259
0
      state.hello_verify_request(hello_verify_request);
260
0
      }
261
12.0k
   else if(type == SERVER_HELLO)
262
5.37k
      {
263
5.37k
      state.server_hello(new Server_Hello(contents));
264
265
5.37k
      if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
266
43
         {
267
43
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
268
43
                             "Server replied with ciphersuite we didn't send");
269
43
         }
270
271
5.32k
      if(!Ciphersuite::by_id(state.server_hello()->ciphersuite()).usable_in_version(state.server_hello()->version()))
272
1
         {
273
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
274
1
                             "Server replied using a ciphersuite not allowed in version it offered");
275
1
         }
276
277
5.32k
      if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
278
0
         {
279
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
280
0
                             "Server replied with a signaling ciphersuite");
281
0
         }
282
283
5.32k
      if(state.server_hello()->compression_method() != 0)
284
13
         {
285
13
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
286
13
                             "Server replied with non-null compression method");
287
13
         }
288
289
5.31k
      if(state.client_hello()->version() > state.server_hello()->version())
290
110
         {
291
110
         if(state.server_hello()->random_signals_downgrade())
292
1
            throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
293
5.31k
         }
294
295
5.31k
      auto client_extn = state.client_hello()->extension_types();
296
5.31k
      auto server_extn = state.server_hello()->extension_types();
297
298
5.31k
      std::vector<Handshake_Extension_Type> diff;
299
300
5.31k
      std::set_difference(server_extn.begin(), server_extn.end(),
301
5.31k
                          client_extn.begin(), client_extn.end(),
302
5.31k
                          std::back_inserter(diff));
303
304
5.31k
      if(!diff.empty())
305
55
         {
306
         // Server sent us back an extension we did not send!
307
308
55
         std::ostringstream msg;
309
55
         msg << "Server replied with unsupported extensions:";
310
55
         for(auto&& d : diff)
311
730
            msg << " " << static_cast<int>(d);
312
55
         throw TLS_Exception(Alert::UNSUPPORTED_EXTENSION, msg.str());
313
55
         }
314
315
5.25k
      if(uint16_t srtp = state.server_hello()->srtp_profile())
316
0
         {
317
0
         if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
318
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
319
0
                                "Server replied with DTLS-SRTP alg we did not send");
320
5.25k
         }
321
322
5.25k
      callbacks().tls_examine_extensions(state.server_hello()->extensions(), SERVER);
323
324
5.25k
      state.set_version(state.server_hello()->version());
325
5.25k
      m_application_protocol = state.server_hello()->next_protocol();
326
327
5.25k
      secure_renegotiation_check(state.server_hello());
328
329
5.25k
      const bool server_returned_same_session_id =
330
5.25k
         !state.server_hello()->session_id().empty() &&
331
777
         (state.server_hello()->session_id() == state.client_hello()->session_id());
332
333
5.25k
      if(server_returned_same_session_id)
334
0
         {
335
         // successful resumption
336
337
         /*
338
         * In this case, we offered the version used in the original
339
         * session, and the server must resume with the same version.
340
         */
341
0
         if(state.server_hello()->version() != state.client_hello()->version())
342
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
343
0
                                "Server resumed session but with wrong version");
344
345
0
         if(state.server_hello()->supports_extended_master_secret() &&
346
0
            !state.resumed_session->supports_extended_master_secret())
347
0
            {
348
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
349
0
                                "Server resumed session but added extended master secret");
350
0
            }
351
352
0
         if(!state.server_hello()->supports_extended_master_secret() &&
353
0
            state.resumed_session->supports_extended_master_secret())
354
0
            {
355
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
356
0
                                "Server resumed session and removed extended master secret");
357
0
            }
358
359
0
         state.compute_session_keys(state.resume_master_secret());
360
361
0
         if(state.server_hello()->supports_session_ticket())
362
0
            {
363
0
            state.set_expected_next(NEW_SESSION_TICKET);
364
0
            }
365
0
         else
366
0
            {
367
0
            state.set_expected_next(HANDSHAKE_CCS);
368
0
            }
369
0
         }
370
5.25k
      else
371
5.25k
         {
372
         // new session
373
374
5.25k
         if(active_state)
375
0
            {
376
            // Here we are testing things that should not change during a renegotation,
377
            // even if the server creates a new session. Howerver they might change
378
            // in a resumption scenario.
379
380
0
            if(active_state->version() != state.server_hello()->version())
381
0
               throw TLS_Exception(Alert::PROTOCOL_VERSION,
382
0
                                   "Server changed version after renegotiation");
383
384
0
            if(state.server_hello()->supports_extended_master_secret() !=
385
0
               active_state->server_hello()->supports_extended_master_secret())
386
0
               {
387
0
               throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
388
0
                                   "Server changed its mind about extended master secret");
389
0
               }
390
5.25k
            }
391
392
5.25k
         state.resumed_session.reset(); // non-null if we were attempting a resumption
393
394
5.25k
         if(state.client_hello()->version().is_datagram_protocol() !=
395
5.25k
            state.server_hello()->version().is_datagram_protocol())
396
0
            {
397
0
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
398
0
                                "Server replied with different protocol type than we offered");
399
0
            }
400
401
5.25k
         if(state.version() > state.client_hello()->version())
402
15
            {
403
15
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
404
15
                                "Server replied with later version than client offered");
405
15
            }
406
407
5.24k
         if(state.version().major_version() == 3 && state.version().minor_version() == 0)
408
2
            {
409
2
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
410
2
                                "Server attempting to negotiate SSLv3 which is not supported");
411
2
            }
412
413
5.24k
         if(!policy().acceptable_protocol_version(state.version()))
414
102
            {
415
102
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
416
102
                                "Server version " + state.version().to_string() +
417
102
                                " is unacceptable by policy");
418
102
            }
419
420
5.14k
         if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
421
2.93k
            {
422
2.93k
            state.set_expected_next(CERTIFICATE);
423
2.93k
            }
424
2.20k
         else if(state.ciphersuite().kex_method() == Kex_Algo::PSK)
425
613
            {
426
            /* PSK is anonymous so no certificate/cert req message is
427
               ever sent. The server may or may not send a server kex,
428
               depending on if it has an identity hint for us.
429
430
               (EC)DHE_PSK always sends a server key exchange for the
431
               DH exchange portion, and is covered by block below
432
            */
433
434
613
            state.set_expected_next(SERVER_KEX);
435
613
            state.set_expected_next(SERVER_HELLO_DONE);
436
613
            }
437
1.59k
         else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
438
937
            {
439
937
            state.set_expected_next(SERVER_KEX);
440
937
            }
441
658
         else
442
658
            {
443
658
            state.set_expected_next(CERTIFICATE_REQUEST); // optional
444
658
            state.set_expected_next(SERVER_HELLO_DONE);
445
658
            }
446
5.14k
         }
447
5.25k
      }
448
6.69k
   else if(type == CERTIFICATE)
449
2.90k
      {
450
2.90k
      state.server_certs(new Certificate(contents, policy()));
451
452
2.90k
      const std::vector<X509_Certificate>& server_certs =
453
2.90k
         state.server_certs()->cert_chain();
454
455
2.90k
      if(server_certs.empty())
456
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
457
1
                             "Client: No certificates sent by server");
458
459
      /*
460
      If the server supports certificate status messages,
461
      certificate verification happens after we receive the server hello done,
462
      in case an OCSP response was also available
463
      */
464
465
2.90k
      X509_Certificate server_cert = server_certs[0];
466
467
2.90k
      if(active_state && active_state->server_certs())
468
0
         {
469
0
         X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
470
471
0
         if(current_cert != server_cert)
472
0
            throw TLS_Exception(Alert::BAD_CERTIFICATE, "Server certificate changed during renegotiation");
473
2.90k
         }
474
475
2.90k
      std::unique_ptr<Public_Key> peer_key(server_cert.subject_public_key());
476
477
2.90k
      const std::string expected_key_type =
478
2.22k
         state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
479
480
2.90k
      if(peer_key->algo_name() != expected_key_type)
481
122
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
482
122
                             "Certificate key type did not match ciphersuite");
483
484
2.78k
      if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite()))
485
2
         throw TLS_Exception(Alert::BAD_CERTIFICATE,
486
2
                             "Certificate usage constraints do not allow this ciphersuite");
487
488
2.78k
      state.server_public_key.reset(peer_key.release());
489
490
2.78k
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
491
562
         {
492
562
         state.set_expected_next(SERVER_KEX);
493
562
         }
494
2.21k
      else
495
2.21k
         {
496
2.21k
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
497
2.21k
         state.set_expected_next(SERVER_HELLO_DONE);
498
2.21k
         }
499
500
2.78k
      if(state.server_hello()->supports_certificate_status_message())
501
128
         {
502
128
         state.set_expected_next(CERTIFICATE_STATUS); // optional
503
128
         }
504
2.65k
      else
505
2.65k
         {
506
2.65k
         try
507
2.65k
            {
508
2.65k
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
509
510
2.65k
            callbacks().tls_verify_cert_chain(server_certs,
511
2.65k
                                              {},
512
2.65k
                                              trusted_CAs,
513
2.65k
                                              Usage_Type::TLS_SERVER_AUTH,
514
2.65k
                                              m_info.hostname(),
515
2.65k
                                              policy());
516
2.65k
            }
517
2.65k
         catch(TLS_Exception&)
518
0
            {
519
0
            throw;
520
0
            }
521
0
         catch(std::exception& e)
522
0
            {
523
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
524
0
            }
525
3.79k
         }
526
3.79k
      }
527
3.79k
   else if(type == CERTIFICATE_STATUS)
528
16
      {
529
16
      state.server_cert_status(new Certificate_Status(contents));
530
531
16
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
532
1
         {
533
1
         state.set_expected_next(SERVER_KEX);
534
1
         }
535
15
      else
536
15
         {
537
15
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
538
15
         state.set_expected_next(SERVER_HELLO_DONE);
539
15
         }
540
16
      }
541
3.77k
   else if(type == SERVER_KEX)
542
1.17k
      {
543
1.17k
      if(state.ciphersuite().psk_ciphersuite() == false)
544
1.16k
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
545
1.17k
      state.set_expected_next(SERVER_HELLO_DONE);
546
547
1.17k
      state.server_kex(
548
1.17k
         new Server_Key_Exchange(contents,
549
1.17k
                                 state.ciphersuite().kex_method(),
550
1.17k
                                 state.ciphersuite().auth_method(),
551
1.17k
                                 state.version())
552
1.17k
         );
553
554
1.17k
      if(state.ciphersuite().signature_used())
555
247
         {
556
247
         const Public_Key& server_key = state.get_server_public_key();
557
558
247
         if(!state.server_kex()->verify(server_key, state, policy()))
559
0
            {
560
0
            throw TLS_Exception(Alert::DECRYPT_ERROR,
561
0
                                "Bad signature on server key exchange");
562
0
            }
563
2.59k
         }
564
2.59k
      }
565
2.59k
   else if(type == CERTIFICATE_REQUEST)
566
161
      {
567
161
      state.set_expected_next(SERVER_HELLO_DONE);
568
161
      state.cert_req(new Certificate_Req(contents, state.version()));
569
161
      }
570
2.43k
   else if(type == SERVER_HELLO_DONE)
571
1.56k
      {
572
1.56k
      state.server_hello_done(new Server_Hello_Done(contents));
573
574
1.56k
      if(state.server_certs() != nullptr &&
575
185
         state.server_hello()->supports_certificate_status_message())
576
22
         {
577
22
         try
578
22
            {
579
22
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
580
581
22
            std::vector<std::shared_ptr<const OCSP::Response>> ocsp;
582
22
            if(state.server_cert_status() != nullptr)
583
0
               {
584
0
               try {
585
0
                   ocsp.push_back(std::make_shared<OCSP::Response>(state.server_cert_status()->response()));
586
0
               }
587
0
               catch(Decoding_Error&)
588
0
                  {
589
                  // ignore it here because it might be our fault
590
0
                  }
591
0
               }
592
593
22
            callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
594
22
                                              ocsp,
595
22
                                              trusted_CAs,
596
22
                                              Usage_Type::TLS_SERVER_AUTH,
597
22
                                              m_info.hostname(),
598
22
                                              policy());
599
22
            }
600
22
         catch(TLS_Exception&)
601
0
            {
602
0
            throw;
603
0
            }
604
0
         catch(std::exception& e)
605
0
            {
606
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
607
0
            }
608
1.56k
         }
609
610
1.56k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST))
611
6
         {
612
6
         const auto& types = state.cert_req()->acceptable_cert_types();
613
614
6
         std::vector<X509_Certificate> client_certs =
615
6
            m_creds.find_cert_chain(types,
616
6
                                    state.cert_req()->acceptable_CAs(),
617
6
                                    "tls-client",
618
6
                                    m_info.hostname());
619
620
6
         state.client_certs(new Certificate(state.handshake_io(),
621
6
                                            state.hash(),
622
6
                                            client_certs));
623
6
         }
624
625
1.56k
      state.client_kex(
626
1.56k
         new Client_Key_Exchange(state.handshake_io(),
627
1.56k
                                 state,
628
1.56k
                                 policy(),
629
1.56k
                                 m_creds,
630
1.56k
                                 state.server_public_key.get(),
631
1.56k
                                 m_info.hostname(),
632
1.56k
                                 rng())
633
1.56k
         );
634
635
1.56k
      state.compute_session_keys();
636
637
1.56k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST) &&
638
5
         !state.client_certs()->empty())
639
0
         {
640
0
         Private_Key* private_key =
641
0
            m_creds.private_key_for(state.client_certs()->cert_chain()[0],
642
0
                                    "tls-client",
643
0
                                    m_info.hostname());
644
645
0
         state.client_verify(
646
0
            new Certificate_Verify(state.handshake_io(),
647
0
                                   state,
648
0
                                   policy(),
649
0
                                   rng(),
650
0
                                   private_key)
651
0
            );
652
0
         }
653
654
1.56k
      state.handshake_io().send(Change_Cipher_Spec());
655
656
1.56k
      change_cipher_spec_writer(CLIENT);
657
658
1.56k
      state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
659
660
1.56k
      if(state.server_hello()->supports_session_ticket())
661
50
         state.set_expected_next(NEW_SESSION_TICKET);
662
1.51k
      else
663
1.51k
         state.set_expected_next(HANDSHAKE_CCS);
664
1.56k
      }
665
868
   else if(type == NEW_SESSION_TICKET)
666
14
      {
667
14
      state.new_session_ticket(new New_Session_Ticket(contents));
668
669
14
      state.set_expected_next(HANDSHAKE_CCS);
670
14
      }
671
854
   else if(type == HANDSHAKE_CCS)
672
622
      {
673
622
      state.set_expected_next(FINISHED);
674
675
622
      change_cipher_spec_reader(CLIENT);
676
622
      }
677
232
   else if(type == FINISHED)
678
88
      {
679
88
      state.server_finished(new Finished(contents));
680
681
88
      if(!state.server_finished()->verify(state, SERVER))
682
0
         throw TLS_Exception(Alert::DECRYPT_ERROR,
683
0
                             "Finished message didn't verify");
684
685
88
      state.hash().update(state.handshake_io().format(contents, type));
686
687
88
      if(!state.client_finished()) // session resume case
688
0
         {
689
0
         state.handshake_io().send(Change_Cipher_Spec());
690
0
         change_cipher_spec_writer(CLIENT);
691
0
         state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
692
0
         }
693
694
88
      std::vector<uint8_t> session_id = state.server_hello()->session_id();
695
696
88
      const std::vector<uint8_t>& session_ticket = state.session_ticket();
697
698
88
      if(session_id.empty() && !session_ticket.empty())
699
7
         session_id = make_hello_random(rng(), policy());
700
701
88
      Session session_info(
702
88
         session_id,
703
88
         state.session_keys().master_secret(),
704
88
         state.server_hello()->version(),
705
88
         state.server_hello()->ciphersuite(),
706
88
         CLIENT,
707
88
         state.server_hello()->supports_extended_master_secret(),
708
88
         state.server_hello()->supports_encrypt_then_mac(),
709
88
         get_peer_cert_chain(state),
710
88
         session_ticket,
711
88
         m_info,
712
88
         "",
713
88
         state.server_hello()->srtp_profile()
714
88
         );
715
716
88
      const bool should_save = save_session(session_info);
717
718
88
      if(session_id.size() > 0 && state.is_a_resumption() == false)
719
38
         {
720
38
         if(should_save)
721
38
            session_manager().save(session_info);
722
0
         else
723
0
            session_manager().remove_entry(session_info.session_id());
724
38
         }
725
726
88
      activate_session();
727
88
      }
728
144
   else
729
144
      throw Unexpected_Message("Unknown handshake message received");
730
12.0k
   }
731
732
}
733
734
}