Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/tls/tls_client.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Client
3
* (C) 2004-2011,2012,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
6
*
7
* Botan is released under the Simplified BSD License (see license.txt)
8
*/
9
10
#include <botan/tls_client.h>
11
#include <botan/tls_messages.h>
12
#include <botan/internal/tls_handshake_state.h>
13
#include <botan/internal/stl_util.h>
14
#include <iterator>
15
#include <sstream>
16
17
namespace Botan {
18
19
namespace TLS {
20
21
namespace {
22
23
class Client_Handshake_State final : public Handshake_State
24
   {
25
   public:
26
      Client_Handshake_State(Handshake_IO* io, Callbacks& cb) :
27
         Handshake_State(io, cb),
28
         m_is_reneg(false)
29
14.7k
         {}
30
31
      const Public_Key& get_server_public_key() const
32
301
         {
33
301
         BOTAN_ASSERT(server_public_key, "Server sent us a certificate");
34
301
         return *server_public_key.get();
35
301
         }
36
37
77
      bool is_a_resumption() const { return (resumed_session != nullptr); }
38
39
0
      bool is_a_renegotiation() const { return m_is_reneg; }
40
41
      const secure_vector<uint8_t>& resume_master_secret() const
42
0
         {
43
0
         BOTAN_STATE_CHECK(is_a_resumption());
44
0
         return resumed_session->master_secret();
45
0
         }
46
47
      const std::vector<X509_Certificate>& resume_peer_certs() const
48
0
         {
49
0
         BOTAN_STATE_CHECK(is_a_resumption());
50
0
         return resumed_session->peer_certs();
51
0
         }
52
53
      std::unique_ptr<Public_Key> server_public_key;
54
      // Used during session resumption
55
      std::unique_ptr<Session> resumed_session;
56
      bool m_is_reneg = false;
57
   };
58
59
}
60
61
/*
62
* TLS Client Constructor
63
*/
64
Client::Client(Callbacks& callbacks,
65
               Session_Manager& session_manager,
66
               Credentials_Manager& creds,
67
               const Policy& policy,
68
               RandomNumberGenerator& rng,
69
               const Server_Information& info,
70
               const Protocol_Version& offer_version,
71
               const std::vector<std::string>& next_protocols,
72
               size_t io_buf_sz) :
73
   Channel(callbacks, session_manager, rng, policy,
74
           false, offer_version.is_datagram_protocol(), io_buf_sz),
75
   m_creds(creds),
76
   m_info(info)
77
6.31k
   {
78
6.31k
   Handshake_State& state = create_handshake_state(offer_version);
79
6.31k
   send_client_hello(state, false, offer_version, next_protocols);
80
6.31k
   }
81
82
Handshake_State* Client::new_handshake_state(Handshake_IO* io)
83
14.7k
   {
84
14.7k
   return new Client_Handshake_State(io, callbacks());
85
14.7k
   }
86
87
std::vector<X509_Certificate>
88
Client::get_peer_cert_chain(const Handshake_State& state) const
89
54
   {
90
54
   const Client_Handshake_State& cstate = dynamic_cast<const Client_Handshake_State&>(state);
91
92
54
   if(cstate.is_a_resumption())
93
0
      return cstate.resume_peer_certs();
94
95
54
   if(state.server_certs())
96
23
      return state.server_certs()->cert_chain();
97
31
   return std::vector<X509_Certificate>();
98
31
   }
99
100
/*
101
* Send a new client hello to renegotiate
102
*/
103
void Client::initiate_handshake(Handshake_State& state,
104
                                bool force_full_renegotiation)
105
0
   {
106
0
   send_client_hello(state, force_full_renegotiation,
107
0
                     policy().latest_supported_version(state.version().is_datagram_protocol()));
108
0
   }
109
110
void Client::send_client_hello(Handshake_State& state_base,
111
                               bool force_full_renegotiation,
112
                               Protocol_Version version,
113
                               const std::vector<std::string>& next_protocols)
114
6.31k
   {
115
6.31k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
116
117
6.31k
   if(state.version().is_datagram_protocol())
118
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // optional
119
6.31k
   state.set_expected_next(SERVER_HELLO);
120
121
6.31k
   if(!force_full_renegotiation && !m_info.empty())
122
6.31k
      {
123
6.31k
      std::unique_ptr<Session> session_info(new Session);;
124
6.31k
      if(session_manager().load_from_server_info(m_info, *session_info))
125
0
         {
126
         /*
127
         Ensure that the session protocol cipher and version are acceptable
128
         If not skip the resume and establish a new session
129
         */
130
0
         const bool exact_version = session_info->version() == version;
131
0
         const bool ok_version =
132
0
            (session_info->version().is_datagram_protocol() == version.is_datagram_protocol()) &&
133
0
            policy().acceptable_protocol_version(session_info->version());
134
135
0
         const bool session_version_ok = policy().only_resume_with_exact_version() ? exact_version : ok_version;
136
137
0
         if(policy().acceptable_ciphersuite(session_info->ciphersuite()) && session_version_ok)
138
0
            {
139
0
            state.client_hello(
140
0
               new Client_Hello(state.handshake_io(),
141
0
                                state.hash(),
142
0
                                policy(),
143
0
                                callbacks(),
144
0
                                rng(),
145
0
                                secure_renegotiation_data_for_client_hello(),
146
0
                                *session_info,
147
0
                                next_protocols));
148
149
0
            state.resumed_session = std::move(session_info);
150
0
            }
151
0
         }
152
6.31k
      }
153
154
6.31k
   if(!state.client_hello()) // not resuming
155
6.31k
      {
156
6.31k
      Client_Hello::Settings client_settings(version, m_info.hostname());
157
6.31k
      state.client_hello(new Client_Hello(
158
6.31k
         state.handshake_io(),
159
6.31k
         state.hash(),
160
6.31k
         policy(),
161
6.31k
         callbacks(),
162
6.31k
         rng(),
163
6.31k
         secure_renegotiation_data_for_client_hello(),
164
6.31k
         client_settings,
165
6.31k
         next_protocols));
166
6.31k
      }
167
168
6.31k
   secure_renegotiation_check(state.client_hello());
169
6.31k
   }
170
171
namespace {
172
173
bool key_usage_matches_ciphersuite(Key_Constraints usage,
174
                                   const Ciphersuite& suite)
175
759
   {
176
759
   if(usage == NO_CONSTRAINTS)
177
743
      return true; // anything goes ...
178
179
16
   if(suite.kex_method() == Kex_Algo::STATIC_RSA)
180
1
      {
181
1
      return (usage & KEY_ENCIPHERMENT) | (usage & DATA_ENCIPHERMENT);
182
1
      }
183
15
   else
184
15
      {
185
15
      return (usage & DIGITAL_SIGNATURE) | (usage & NON_REPUDIATION);
186
15
      }
187
16
   }
188
189
}
190
191
/*
192
* Process a handshake message
193
*/
194
void Client::process_handshake_msg(const Handshake_State* active_state,
195
                                   Handshake_State& state_base,
196
                                   Handshake_Type type,
197
                                   const std::vector<uint8_t>& contents,
198
                                   bool epoch0_restart)
199
12.7k
   {
200
12.7k
   BOTAN_ASSERT_NOMSG(epoch0_restart == false); // only happens on server side
201
202
12.7k
   Client_Handshake_State& state = dynamic_cast<Client_Handshake_State&>(state_base);
203
204
12.7k
   if(type == HELLO_REQUEST && active_state)
205
0
      {
206
0
      Hello_Request hello_request(contents);
207
208
0
      if(state.client_hello())
209
0
         {
210
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Cannot renegotiate during a handshake");
211
0
         }
212
213
0
      if(policy().allow_server_initiated_renegotiation())
214
0
         {
215
0
         if(secure_renegotiation_supported() || policy().allow_insecure_renegotiation())
216
0
            {
217
0
            state.m_is_reneg = true;
218
0
            this->initiate_handshake(state, true);
219
0
            }
220
0
         else
221
0
            {
222
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Client policy prohibits insecure renegotiation");
223
0
            }
224
0
         }
225
0
      else
226
0
         {
227
0
         if(policy().abort_connection_on_undesired_renegotiation())
228
0
            {
229
0
            throw TLS_Exception(Alert::NO_RENEGOTIATION, "Client policy prohibits renegotiation");
230
0
            }
231
0
         else
232
0
            {
233
            // RFC 5746 section 4.2
234
0
            send_warning_alert(Alert::NO_RENEGOTIATION);
235
0
            }
236
0
         }
237
238
0
      return;
239
12.7k
      }
240
241
12.7k
   state.confirm_transition_to(type);
242
243
12.7k
   if(type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST)
244
11.8k
      state.hash().update(state.handshake_io().format(contents, type));
245
246
12.7k
   if(type == HELLO_VERIFY_REQUEST)
247
0
      {
248
0
      state.set_expected_next(SERVER_HELLO);
249
0
      state.set_expected_next(HELLO_VERIFY_REQUEST); // might get it again
250
251
0
      Hello_Verify_Request hello_verify_request(contents);
252
0
      state.hello_verify_request(hello_verify_request);
253
0
      }
254
12.7k
   else if(type == SERVER_HELLO)
255
5.65k
      {
256
5.65k
      state.server_hello(new Server_Hello(contents));
257
258
5.65k
      if(!state.client_hello()->offered_suite(state.server_hello()->ciphersuite()))
259
36
         {
260
36
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
261
36
                             "Server replied with ciphersuite we didn't send");
262
36
         }
263
264
5.61k
      if(!Ciphersuite::by_id(state.server_hello()->ciphersuite()).usable_in_version(state.server_hello()->version()))
265
1
         {
266
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
267
1
                             "Server replied using a ciphersuite not allowed in version it offered");
268
1
         }
269
270
5.61k
      if(Ciphersuite::is_scsv(state.server_hello()->ciphersuite()))
271
0
         {
272
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
273
0
                             "Server replied with a signaling ciphersuite");
274
0
         }
275
276
5.61k
      if(state.server_hello()->compression_method() != 0)
277
12
         {
278
12
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
279
12
                             "Server replied with non-null compression method");
280
12
         }
281
282
5.60k
      if(state.client_hello()->version() > state.server_hello()->version())
283
111
         {
284
111
         if(state.server_hello()->random_signals_downgrade())
285
1
            throw TLS_Exception(Alert::ILLEGAL_PARAMETER, "Downgrade attack detected");
286
5.60k
         }
287
288
5.60k
      auto client_extn = state.client_hello()->extension_types();
289
5.60k
      auto server_extn = state.server_hello()->extension_types();
290
291
5.60k
      std::vector<Handshake_Extension_Type> diff;
292
293
5.60k
      std::set_difference(server_extn.begin(), server_extn.end(),
294
5.60k
                          client_extn.begin(), client_extn.end(),
295
5.60k
                          std::back_inserter(diff));
296
297
5.60k
      if(!diff.empty())
298
80
         {
299
         // Server sent us back an extension we did not send!
300
301
80
         std::ostringstream msg;
302
80
         msg << "Server replied with unsupported extensions:";
303
80
         for(auto&& d : diff)
304
1.13k
            msg << " " << static_cast<int>(d);
305
80
         throw TLS_Exception(Alert::UNSUPPORTED_EXTENSION, msg.str());
306
80
         }
307
308
5.52k
      if(uint16_t srtp = state.server_hello()->srtp_profile())
309
0
         {
310
0
         if(!value_exists(state.client_hello()->srtp_profiles(), srtp))
311
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
312
0
                                "Server replied with DTLS-SRTP alg we did not send");
313
5.52k
         }
314
315
5.52k
      callbacks().tls_examine_extensions(state.server_hello()->extensions(), SERVER);
316
317
5.52k
      state.set_version(state.server_hello()->version());
318
5.52k
      m_application_protocol = state.server_hello()->next_protocol();
319
320
5.52k
      secure_renegotiation_check(state.server_hello());
321
322
5.52k
      const bool server_returned_same_session_id =
323
5.52k
         !state.server_hello()->session_id().empty() &&
324
1.25k
         (state.server_hello()->session_id() == state.client_hello()->session_id());
325
326
5.52k
      if(server_returned_same_session_id)
327
0
         {
328
         // successful resumption
329
330
         /*
331
         * In this case, we offered the version used in the original
332
         * session, and the server must resume with the same version.
333
         */
334
0
         if(state.server_hello()->version() != state.client_hello()->version())
335
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
336
0
                                "Server resumed session but with wrong version");
337
338
0
         if(state.server_hello()->supports_extended_master_secret() &&
339
0
            !state.resumed_session->supports_extended_master_secret())
340
0
            {
341
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
342
0
                                "Server resumed session but added extended master secret");
343
0
            }
344
345
0
         if(!state.server_hello()->supports_extended_master_secret() &&
346
0
            state.resumed_session->supports_extended_master_secret())
347
0
            {
348
0
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
349
0
                                "Server resumed session and removed extended master secret");
350
0
            }
351
352
0
         state.compute_session_keys(state.resume_master_secret());
353
354
0
         if(state.server_hello()->supports_session_ticket())
355
0
            {
356
0
            state.set_expected_next(NEW_SESSION_TICKET);
357
0
            }
358
0
         else
359
0
            {
360
0
            state.set_expected_next(HANDSHAKE_CCS);
361
0
            }
362
0
         }
363
5.52k
      else
364
5.52k
         {
365
         // new session
366
367
5.52k
         if(active_state)
368
0
            {
369
            // Here we are testing things that should not change during a renegotation,
370
            // even if the server creates a new session. Howerver they might change
371
            // in a resumption scenario.
372
373
0
            if(active_state->version() != state.server_hello()->version())
374
0
               throw TLS_Exception(Alert::PROTOCOL_VERSION,
375
0
                                   "Server changed version after renegotiation");
376
377
0
            if(state.server_hello()->supports_extended_master_secret() !=
378
0
               active_state->server_hello()->supports_extended_master_secret())
379
0
               {
380
0
               throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
381
0
                                   "Server changed its mind about extended master secret");
382
0
               }
383
5.52k
            }
384
385
5.52k
         state.resumed_session.reset(); // non-null if we were attempting a resumption
386
387
5.52k
         if(state.client_hello()->version().is_datagram_protocol() !=
388
5.52k
            state.server_hello()->version().is_datagram_protocol())
389
0
            {
390
0
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
391
0
                                "Server replied with different protocol type than we offered");
392
0
            }
393
394
5.52k
         if(state.version() > state.client_hello()->version())
395
18
            {
396
18
            throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
397
18
                                "Server replied with later version than client offered");
398
18
            }
399
400
5.50k
         if(state.version().major_version() == 3 && state.version().minor_version() == 0)
401
30
            {
402
30
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
403
30
                                "Server attempting to negotiate SSLv3 which is not supported");
404
30
            }
405
406
5.47k
         if(!policy().acceptable_protocol_version(state.version()))
407
79
            {
408
79
            throw TLS_Exception(Alert::PROTOCOL_VERSION,
409
79
                                "Server version " + state.version().to_string() +
410
79
                                " is unacceptable by policy");
411
79
            }
412
413
5.39k
         if(state.ciphersuite().signature_used() || state.ciphersuite().kex_method() == Kex_Algo::STATIC_RSA)
414
3.36k
            {
415
3.36k
            state.set_expected_next(CERTIFICATE);
416
3.36k
            }
417
2.03k
         else if(state.ciphersuite().kex_method() == Kex_Algo::PSK)
418
575
            {
419
            /* PSK is anonymous so no certificate/cert req message is
420
               ever sent. The server may or may not send a server kex,
421
               depending on if it has an identity hint for us.
422
423
               (EC)DHE_PSK always sends a server key exchange for the
424
               DH exchange portion, and is covered by block below
425
            */
426
427
575
            state.set_expected_next(SERVER_KEX);
428
575
            state.set_expected_next(SERVER_HELLO_DONE);
429
575
            }
430
1.45k
         else if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
431
738
            {
432
738
            state.set_expected_next(SERVER_KEX);
433
738
            }
434
718
         else
435
718
            {
436
718
            state.set_expected_next(CERTIFICATE_REQUEST); // optional
437
718
            state.set_expected_next(SERVER_HELLO_DONE);
438
718
            }
439
5.39k
         }
440
5.52k
      }
441
7.04k
   else if(type == CERTIFICATE)
442
3.34k
      {
443
3.34k
      state.server_certs(new Certificate(contents, policy()));
444
445
3.34k
      const std::vector<X509_Certificate>& server_certs =
446
3.34k
         state.server_certs()->cert_chain();
447
448
3.34k
      if(server_certs.empty())
449
1
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
450
1
                             "Client: No certificates sent by server");
451
452
      /*
453
      If the server supports certificate status messages,
454
      certificate verification happens after we receive the server hello done,
455
      in case an OCSP response was also available
456
      */
457
458
3.34k
      X509_Certificate server_cert = server_certs[0];
459
460
3.34k
      if(active_state && active_state->server_certs())
461
0
         {
462
0
         X509_Certificate current_cert = active_state->server_certs()->cert_chain().at(0);
463
464
0
         if(current_cert != server_cert)
465
0
            throw TLS_Exception(Alert::BAD_CERTIFICATE, "Server certificate changed during renegotiation");
466
3.34k
         }
467
468
3.34k
      std::unique_ptr<Public_Key> peer_key(server_cert.subject_public_key());
469
470
3.34k
      const std::string expected_key_type =
471
2.55k
         state.ciphersuite().signature_used() ? state.ciphersuite().sig_algo() : "RSA";
472
473
3.34k
      if(peer_key->algo_name() != expected_key_type)
474
131
         throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
475
131
                             "Certificate key type did not match ciphersuite");
476
477
3.20k
      if(!key_usage_matches_ciphersuite(server_cert.constraints(), state.ciphersuite()))
478
4
         throw TLS_Exception(Alert::BAD_CERTIFICATE,
479
4
                             "Certificate usage constraints do not allow this ciphersuite");
480
481
3.20k
      state.server_public_key.reset(peer_key.release());
482
483
3.20k
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
484
659
         {
485
659
         state.set_expected_next(SERVER_KEX);
486
659
         }
487
2.54k
      else
488
2.54k
         {
489
2.54k
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
490
2.54k
         state.set_expected_next(SERVER_HELLO_DONE);
491
2.54k
         }
492
493
3.20k
      if(state.server_hello()->supports_certificate_status_message())
494
236
         {
495
236
         state.set_expected_next(CERTIFICATE_STATUS); // optional
496
236
         }
497
2.96k
      else
498
2.96k
         {
499
2.96k
         try
500
2.96k
            {
501
2.96k
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
502
503
2.96k
            callbacks().tls_verify_cert_chain(server_certs,
504
2.96k
                                              {},
505
2.96k
                                              trusted_CAs,
506
2.96k
                                              Usage_Type::TLS_SERVER_AUTH,
507
2.96k
                                              m_info.hostname(),
508
2.96k
                                              policy());
509
2.96k
            }
510
2.96k
         catch(TLS_Exception&)
511
0
            {
512
0
            throw;
513
0
            }
514
0
         catch(std::exception& e)
515
0
            {
516
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
517
0
            }
518
3.70k
         }
519
3.70k
      }
520
3.70k
   else if(type == CERTIFICATE_STATUS)
521
8
      {
522
8
      state.server_cert_status(new Certificate_Status(contents));
523
524
8
      if(state.ciphersuite().kex_method() != Kex_Algo::STATIC_RSA)
525
2
         {
526
2
         state.set_expected_next(SERVER_KEX);
527
2
         }
528
6
      else
529
6
         {
530
6
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
531
6
         state.set_expected_next(SERVER_HELLO_DONE);
532
6
         }
533
8
      }
534
3.69k
   else if(type == SERVER_KEX)
535
1.40k
      {
536
1.40k
      if(state.ciphersuite().psk_ciphersuite() == false)
537
306
         state.set_expected_next(CERTIFICATE_REQUEST); // optional
538
1.40k
      state.set_expected_next(SERVER_HELLO_DONE);
539
540
1.40k
      state.server_kex(
541
1.40k
         new Server_Key_Exchange(contents,
542
1.40k
                                 state.ciphersuite().kex_method(),
543
1.40k
                                 state.ciphersuite().auth_method(),
544
1.40k
                                 state.version())
545
1.40k
         );
546
547
1.40k
      if(state.ciphersuite().signature_used())
548
301
         {
549
301
         const Public_Key& server_key = state.get_server_public_key();
550
551
301
         if(!state.server_kex()->verify(server_key, state, policy()))
552
0
            {
553
0
            throw TLS_Exception(Alert::DECRYPT_ERROR,
554
0
                                "Bad signature on server key exchange");
555
0
            }
556
2.29k
         }
557
2.29k
      }
558
2.29k
   else if(type == CERTIFICATE_REQUEST)
559
123
      {
560
123
      state.set_expected_next(SERVER_HELLO_DONE);
561
123
      state.cert_req(new Certificate_Req(contents, state.version()));
562
123
      }
563
2.16k
   else if(type == SERVER_HELLO_DONE)
564
1.36k
      {
565
1.36k
      state.server_hello_done(new Server_Hello_Done(contents));
566
567
1.36k
      if(state.handshake_io().have_more_data())
568
9
         throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
569
9
                             "Have data remaining in buffer after ServerHelloDone");
570
571
572
1.35k
      if(state.server_certs() != nullptr &&
573
124
         state.server_hello()->supports_certificate_status_message())
574
56
         {
575
56
         try
576
56
            {
577
56
            auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-client", m_info.hostname());
578
579
56
            std::vector<std::optional<OCSP::Response>> ocsp;
580
56
            if(state.server_cert_status() != nullptr)
581
0
               {
582
0
               try {
583
0
                  ocsp.push_back(OCSP::Response(state.server_cert_status()->response()));
584
0
               }
585
0
               catch(Decoding_Error&)
586
0
                  {
587
                  // ignore it here because it might be our fault
588
0
                  }
589
0
               }
590
591
56
            callbacks().tls_verify_cert_chain(state.server_certs()->cert_chain(),
592
56
                                              ocsp,
593
56
                                              trusted_CAs,
594
56
                                              Usage_Type::TLS_SERVER_AUTH,
595
56
                                              m_info.hostname(),
596
56
                                              policy());
597
56
            }
598
56
         catch(TLS_Exception&)
599
0
            {
600
0
            throw;
601
0
            }
602
0
         catch(std::exception& e)
603
0
            {
604
0
            throw TLS_Exception(Alert::INTERNAL_ERROR, e.what());
605
0
            }
606
1.35k
         }
607
608
1.35k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST))
609
0
         {
610
0
         const auto& types = state.cert_req()->acceptable_cert_types();
611
612
0
         std::vector<X509_Certificate> client_certs =
613
0
            m_creds.find_cert_chain(types,
614
0
                                    state.cert_req()->acceptable_CAs(),
615
0
                                    "tls-client",
616
0
                                    m_info.hostname());
617
618
0
         state.client_certs(new Certificate(state.handshake_io(),
619
0
                                            state.hash(),
620
0
                                            client_certs));
621
0
         }
622
623
1.35k
      state.client_kex(
624
1.35k
         new Client_Key_Exchange(state.handshake_io(),
625
1.35k
                                 state,
626
1.35k
                                 policy(),
627
1.35k
                                 m_creds,
628
1.35k
                                 state.server_public_key.get(),
629
1.35k
                                 m_info.hostname(),
630
1.35k
                                 rng())
631
1.35k
         );
632
633
1.35k
      state.compute_session_keys();
634
635
1.35k
      if(state.received_handshake_msg(CERTIFICATE_REQUEST) &&
636
0
         !state.client_certs()->empty())
637
0
         {
638
0
         Private_Key* private_key =
639
0
            m_creds.private_key_for(state.client_certs()->cert_chain()[0],
640
0
                                    "tls-client",
641
0
                                    m_info.hostname());
642
643
0
         state.client_verify(
644
0
            new Certificate_Verify(state.handshake_io(),
645
0
                                   state,
646
0
                                   policy(),
647
0
                                   rng(),
648
0
                                   private_key)
649
0
            );
650
0
         }
651
652
1.35k
      state.handshake_io().send(Change_Cipher_Spec());
653
654
1.35k
      change_cipher_spec_writer(CLIENT);
655
656
1.35k
      state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
657
658
1.35k
      if(state.server_hello()->supports_session_ticket())
659
11
         state.set_expected_next(NEW_SESSION_TICKET);
660
1.34k
      else
661
1.34k
         state.set_expected_next(HANDSHAKE_CCS);
662
1.35k
      }
663
807
   else if(type == NEW_SESSION_TICKET)
664
0
      {
665
0
      state.new_session_ticket(new New_Session_Ticket(contents));
666
667
0
      state.set_expected_next(HANDSHAKE_CCS);
668
0
      }
669
807
   else if(type == HANDSHAKE_CCS)
670
633
      {
671
633
      state.set_expected_next(FINISHED);
672
673
633
      change_cipher_spec_reader(CLIENT);
674
633
      }
675
174
   else if(type == FINISHED)
676
55
      {
677
55
      if(state.handshake_io().have_more_data())
678
1
         throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
679
1
                             "Have data remaining in buffer after Finished");
680
681
54
      state.server_finished(new Finished(contents));
682
683
54
      if(!state.server_finished()->verify(state, SERVER))
684
0
         throw TLS_Exception(Alert::DECRYPT_ERROR,
685
0
                             "Finished message didn't verify");
686
687
54
      state.hash().update(state.handshake_io().format(contents, type));
688
689
54
      if(!state.client_finished())
690
0
         {
691
         // session resume case
692
0
         state.handshake_io().send(Change_Cipher_Spec());
693
0
         change_cipher_spec_writer(CLIENT);
694
0
         state.client_finished(new Finished(state.handshake_io(), state, CLIENT));
695
0
         }
696
697
54
      std::vector<uint8_t> session_id = state.server_hello()->session_id();
698
699
54
      const std::vector<uint8_t>& session_ticket = state.session_ticket();
700
701
54
      if(session_id.empty() && !session_ticket.empty())
702
0
         session_id = make_hello_random(rng(), policy());
703
704
54
      Session session_info(
705
54
         session_id,
706
54
         state.session_keys().master_secret(),
707
54
         state.server_hello()->version(),
708
54
         state.server_hello()->ciphersuite(),
709
54
         CLIENT,
710
54
         state.server_hello()->supports_extended_master_secret(),
711
54
         state.server_hello()->supports_encrypt_then_mac(),
712
54
         get_peer_cert_chain(state),
713
54
         session_ticket,
714
54
         m_info,
715
54
         state.server_hello()->srtp_profile()
716
54
         );
717
718
54
      const bool should_save = save_session(session_info);
719
720
54
      if(session_id.size() > 0 && state.is_a_resumption() == false)
721
23
         {
722
23
         if(should_save)
723
23
            session_manager().save(session_info);
724
0
         else
725
0
            session_manager().remove_entry(session_info.session_id());
726
23
         }
727
728
54
      activate_session();
729
54
      }
730
119
   else
731
119
      throw Unexpected_Message("Unknown handshake message received");
732
12.7k
   }
733
734
}
735
736
}