Coverage Report

Created: 2021-02-21 07:20

/src/botan/src/lib/tls/tls_handshake_state.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Handshaking
3
* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/tls_handshake_state.h>
10
#include <botan/internal/tls_record.h>
11
#include <botan/tls_messages.h>
12
#include <botan/kdf.h>
13
#include <sstream>
14
15
namespace Botan {
16
17
namespace TLS {
18
19
std::string Handshake_Message::type_string() const
20
0
   {
21
0
   return handshake_type_to_string(type());
22
0
   }
23
24
const char* handshake_type_to_string(Handshake_Type type)
25
645
   {
26
645
   switch(type)
27
645
      {
28
12
      case HELLO_VERIFY_REQUEST:
29
12
         return "hello_verify_request";
30
31
73
      case HELLO_REQUEST:
32
73
         return "hello_request";
33
34
158
      case CLIENT_HELLO:
35
158
         return "client_hello";
36
37
98
      case SERVER_HELLO:
38
98
         return "server_hello";
39
40
17
      case CERTIFICATE:
41
17
         return "certificate";
42
43
4
      case CERTIFICATE_URL:
44
4
         return "certificate_url";
45
46
7
      case CERTIFICATE_STATUS:
47
7
         return "certificate_status";
48
49
31
      case SERVER_KEX:
50
31
         return "server_key_exchange";
51
52
8
      case CERTIFICATE_REQUEST:
53
8
         return "certificate_request";
54
55
30
      case SERVER_HELLO_DONE:
56
30
         return "server_hello_done";
57
58
12
      case CERTIFICATE_VERIFY:
59
12
         return "certificate_verify";
60
61
58
      case CLIENT_KEX:
62
58
         return "client_key_exchange";
63
64
12
      case NEW_SESSION_TICKET:
65
12
         return "new_session_ticket";
66
67
101
      case HANDSHAKE_CCS:
68
101
         return "change_cipher_spec";
69
70
24
      case FINISHED:
71
24
         return "finished";
72
73
0
      case HANDSHAKE_NONE:
74
0
         return "invalid";
75
0
      }
76
77
0
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
78
0
                       "Unknown TLS handshake message type " + std::to_string(type));
79
0
   }
80
81
namespace {
82
83
uint32_t bitmask_for_handshake_type(Handshake_Type type)
84
294k
   {
85
294k
   switch(type)
86
294k
      {
87
316
      case HELLO_VERIFY_REQUEST:
88
316
         return (1 << 0);
89
90
377
      case HELLO_REQUEST:
91
377
         return (1 << 1);
92
93
69.6k
      case CLIENT_HELLO:
94
69.6k
         return (1 << 2);
95
96
12.2k
      case SERVER_HELLO:
97
12.2k
         return (1 << 3);
98
99
16.7k
      case CERTIFICATE:
100
16.7k
         return (1 << 4);
101
102
308
      case CERTIFICATE_URL:
103
308
         return (1 << 5);
104
105
552
      case CERTIFICATE_STATUS:
106
552
         return (1 << 6);
107
108
3.69k
      case SERVER_KEX:
109
3.69k
         return (1 << 7);
110
111
3.37k
      case CERTIFICATE_REQUEST:
112
3.37k
         return (1 << 8);
113
114
3.87k
      case SERVER_HELLO_DONE:
115
3.87k
         return (1 << 9);
116
117
316
      case CERTIFICATE_VERIFY:
118
316
         return (1 << 10);
119
120
31.4k
      case CLIENT_KEX:
121
31.4k
         return (1 << 11);
122
123
327
      case NEW_SESSION_TICKET:
124
327
         return (1 << 12);
125
126
149k
      case HANDSHAKE_CCS:
127
149k
         return (1 << 13);
128
129
1.87k
      case FINISHED:
130
1.87k
         return (1 << 14);
131
132
      // allow explicitly disabling new handshakes
133
293
      case HANDSHAKE_NONE:
134
293
         return 0;
135
50
      }
136
137
50
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138
50
                       "Unknown TLS handshake message type " + std::to_string(type));
139
50
   }
140
141
std::string handshake_mask_to_string(uint32_t mask, char combiner)
142
304
   {
143
304
   const Handshake_Type types[] = {
144
304
      HELLO_VERIFY_REQUEST,
145
304
      HELLO_REQUEST,
146
304
      CLIENT_HELLO,
147
304
      SERVER_HELLO,
148
304
      CERTIFICATE,
149
304
      CERTIFICATE_URL,
150
304
      CERTIFICATE_STATUS,
151
304
      SERVER_KEX,
152
304
      CERTIFICATE_REQUEST,
153
304
      SERVER_HELLO_DONE,
154
304
      CERTIFICATE_VERIFY,
155
304
      CLIENT_KEX,
156
304
      NEW_SESSION_TICKET,
157
304
      HANDSHAKE_CCS,
158
304
      FINISHED
159
304
   };
160
161
304
   std::ostringstream o;
162
304
   bool empty = true;
163
164
304
   for(auto&& t : types)
165
4.56k
      {
166
4.56k
      if(mask & bitmask_for_handshake_type(t))
167
410
         {
168
410
         if(!empty)
169
106
            o << combiner;
170
410
         o << handshake_type_to_string(t);
171
410
         empty = false;
172
410
         }
173
4.56k
      }
174
175
304
   return o.str();
176
304
   }
177
178
}
179
180
/*
181
* Initialize the SSL/TLS Handshake State
182
*/
183
Handshake_State::Handshake_State(Handshake_IO* io, Callbacks& cb) :
184
   m_callbacks(cb),
185
   m_handshake_io(io),
186
   m_version(m_handshake_io->initial_record_version())
187
44.7k
   {
188
44.7k
   }
189
190
void Handshake_State::note_message(const Handshake_Message& msg)
191
122k
   {
192
122k
   m_callbacks.tls_inspect_handshake_msg(msg);
193
122k
   }
194
195
void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify)
196
0
   {
197
0
   note_message(hello_verify);
198
199
0
   m_client_hello->update_hello_cookie(hello_verify);
200
0
   hash().reset();
201
0
   hash().update(handshake_io().send(*m_client_hello));
202
0
   note_message(*m_client_hello);
203
0
   }
204
205
void Handshake_State::client_hello(Client_Hello* client_hello)
206
45.0k
   {
207
45.0k
   if(client_hello == nullptr)
208
8.34k
      {
209
8.34k
      m_client_hello.reset();
210
8.34k
      hash().reset();
211
8.34k
      }
212
36.6k
   else
213
36.6k
      {
214
36.6k
      m_client_hello.reset(client_hello);
215
36.6k
      note_message(*m_client_hello);
216
36.6k
      }
217
45.0k
   }
218
219
void Handshake_State::server_hello(Server_Hello* server_hello)
220
26.5k
   {
221
26.5k
   m_server_hello.reset(server_hello);
222
26.5k
   m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223
26.5k
   note_message(*m_server_hello);
224
26.5k
   }
225
226
void Handshake_State::server_certs(Certificate* server_certs)
227
1.69k
   {
228
1.69k
   m_server_certs.reset(server_certs);
229
1.69k
   note_message(*m_server_certs);
230
1.69k
   }
231
232
void Handshake_State::server_cert_status(Certificate_Status* server_cert_status)
233
2
   {
234
2
   m_server_cert_status.reset(server_cert_status);
235
2
   note_message(*m_server_cert_status);
236
2
   }
237
238
void Handshake_State::server_kex(Server_Key_Exchange* server_kex)
239
22.8k
   {
240
22.8k
   m_server_kex.reset(server_kex);
241
22.8k
   note_message(*m_server_kex);
242
22.8k
   }
243
244
void Handshake_State::cert_req(Certificate_Req* cert_req)
245
6
   {
246
6
   m_cert_req.reset(cert_req);
247
6
   note_message(*m_cert_req);
248
6
   }
249
250
void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done)
251
22.8k
   {
252
22.8k
   m_server_hello_done.reset(server_hello_done);
253
22.8k
   note_message(*m_server_hello_done);
254
22.8k
   }
255
256
void Handshake_State::client_certs(Certificate* client_certs)
257
0
   {
258
0
   m_client_certs.reset(client_certs);
259
0
   note_message(*m_client_certs);
260
0
   }
261
262
void Handshake_State::client_kex(Client_Key_Exchange* client_kex)
263
10.1k
   {
264
10.1k
   m_client_kex.reset(client_kex);
265
10.1k
   note_message(*m_client_kex);
266
10.1k
   }
267
268
void Handshake_State::client_verify(Certificate_Verify* client_verify)
269
0
   {
270
0
   m_client_verify.reset(client_verify);
271
0
   note_message(*m_client_verify);
272
0
   }
273
274
void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket)
275
157
   {
276
157
   m_new_session_ticket.reset(new_session_ticket);
277
157
   note_message(*m_new_session_ticket);
278
157
   }
279
280
void Handshake_State::server_finished(Finished* server_finished)
281
342
   {
282
342
   m_server_finished.reset(server_finished);
283
342
   note_message(*m_server_finished);
284
342
   }
285
286
void Handshake_State::client_finished(Finished* client_finished)
287
1.48k
   {
288
1.48k
   m_client_finished.reset(client_finished);
289
1.48k
   note_message(*m_client_finished);
290
1.48k
   }
291
292
void Handshake_State::set_version(const Protocol_Version& version)
293
35.1k
   {
294
35.1k
   m_version = version;
295
35.1k
   }
296
297
void Handshake_State::compute_session_keys()
298
10.1k
   {
299
10.1k
   m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300
10.1k
   }
301
302
void Handshake_State::compute_session_keys(const secure_vector<uint8_t>& resume_master_secret)
303
0
   {
304
0
   m_session_keys = Session_Keys(this, resume_master_secret, true);
305
0
   }
306
307
void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg)
308
54.4k
   {
309
54.4k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310
311
54.4k
   m_hand_received_mask |= mask;
312
313
54.4k
   const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314
315
54.4k
   if(!ok)
316
235
      {
317
235
      const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318
319
235
      std::ostringstream msg;
320
321
235
      msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322
323
235
      if(m_hand_expecting_mask == 0)
324
19
         msg << " not expecting messages";
325
216
      else
326
216
         msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327
328
235
      if(seen_so_far != 0)
329
88
         msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330
331
235
      throw Unexpected_Message(msg.str());
332
235
      }
333
334
   /* We don't know what to expect next, so force a call to
335
      set_expected_next; if it doesn't happen, the next transition
336
      check will always fail which is what we want.
337
   */
338
54.2k
   m_hand_expecting_mask = 0;
339
54.2k
   }
340
341
void Handshake_State::set_expected_next(Handshake_Type handshake_msg)
342
86.6k
   {
343
86.6k
   m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344
86.6k
   }
345
346
bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
347
12.2k
   {
348
12.2k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349
350
12.2k
   return (m_hand_received_mask & mask) != 0;
351
12.2k
   }
352
353
std::pair<Handshake_Type, std::vector<uint8_t>>
354
Handshake_State::get_next_handshake_msg()
355
136k
   {
356
136k
   const bool expecting_ccs =
357
136k
      (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358
359
136k
   return m_handshake_io->get_next_record(expecting_ccs);
360
136k
   }
361
362
std::vector<uint8_t> Handshake_State::session_ticket() const
363
54
   {
364
54
   if(new_session_ticket() && !new_session_ticket()->ticket().empty())
365
0
      return new_session_ticket()->ticket();
366
367
54
   return client_hello()->session_ticket();
368
54
   }
369
370
KDF* Handshake_State::protocol_specific_prf() const
371
12.0k
   {
372
12.0k
   if(version().supports_ciphersuite_specific_prf())
373
12.0k
      {
374
12.0k
      const std::string prf_algo = ciphersuite().prf_algo();
375
376
12.0k
      if(prf_algo == "MD5" || prf_algo == "SHA-1")
377
2.12k
         return get_kdf("TLS-12-PRF(SHA-256)");
378
379
9.89k
      return get_kdf("TLS-12-PRF(" + prf_algo + ")");
380
9.89k
      }
381
382
   // Old PRF used in TLS v1.0, v1.1 and DTLS v1.0
383
0
   return get_kdf("TLS-PRF");
384
0
   }
385
386
std::pair<std::string, Signature_Format>
387
Handshake_State::choose_sig_format(const Private_Key& key,
388
                                   Signature_Scheme& chosen_scheme,
389
                                   bool for_client_auth,
390
                                   const Policy& policy) const
391
0
   {
392
0
   const std::string sig_algo = key.algo_name();
393
394
0
   if(this->version().supports_negotiable_signature_algorithms())
395
0
      {
396
0
      const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
397
398
0
      std::vector<Signature_Scheme> requested =
399
0
         (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
400
401
0
      for(Signature_Scheme scheme : allowed)
402
0
         {
403
0
         if(signature_scheme_is_known(scheme) == false)
404
0
            {
405
0
            continue;
406
0
            }
407
408
0
         if(signature_algorithm_of_scheme(scheme) == sig_algo)
409
0
            {
410
0
            if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
411
0
               {
412
0
               chosen_scheme = scheme;
413
0
               break;
414
0
               }
415
0
            }
416
0
         }
417
418
0
      const std::string hash = hash_function_of_scheme(chosen_scheme);
419
420
0
      if(!policy.allowed_signature_hash(hash))
421
0
         {
422
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
423
0
                             "Policy refuses to accept signing with any hash supported by peer");
424
0
         }
425
426
0
      if(sig_algo == "RSA")
427
0
         {
428
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
429
0
         }
430
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
431
0
         {
432
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
433
0
         }
434
0
      }
435
0
   else
436
0
      {
437
0
      if(sig_algo == "RSA")
438
0
         {
439
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
440
0
         return std::make_pair(padding, IEEE_1363);
441
0
         }
442
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
443
0
         {
444
0
         const std::string padding = "EMSA1(SHA-1)";
445
0
         return std::make_pair(padding, DER_SEQUENCE);
446
0
         }
447
0
      }
448
449
0
   throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
450
0
   }
451
452
namespace {
453
454
bool supported_algos_include(
455
   const std::vector<Signature_Scheme>& schemes,
456
   const std::string& key_type,
457
   const std::string& hash_type)
458
229
   {
459
229
   for(Signature_Scheme scheme : schemes)
460
1.69k
      {
461
1.69k
      if(signature_scheme_is_known(scheme) &&
462
1.69k
         hash_function_of_scheme(scheme) == hash_type &&
463
625
         signature_algorithm_of_scheme(scheme) == key_type)
464
229
         {
465
229
         return true;
466
229
         }
467
1.69k
      }
468
469
0
   return false;
470
229
   }
471
472
}
473
474
std::pair<std::string, Signature_Format>
475
Handshake_State::parse_sig_format(const Public_Key& key,
476
                                  Signature_Scheme scheme,
477
                                  bool for_client_auth,
478
                                  const Policy& policy) const
479
298
   {
480
298
   const std::string key_type = key.algo_name();
481
482
298
   if(!policy.allowed_signature_method(key_type))
483
0
      {
484
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
485
0
                          "Rejecting " + key_type + " signature");
486
0
      }
487
488
298
   if(this->version().supports_negotiable_signature_algorithms() == false)
489
0
      {
490
0
      if(scheme != Signature_Scheme::NONE)
491
0
         throw Decoding_Error("Counterparty sent hash/sig IDs with old version");
492
493
      /*
494
      There is no check on the acceptability of a v1.0/v1.1 hash type,
495
      since it's implicit with use of the protocol
496
      */
497
498
0
      if(key_type == "RSA")
499
0
         {
500
0
         const std::string padding = "PKCS1v15(Parallel(MD5,SHA-160))";
501
0
         return std::make_pair(padding, IEEE_1363);
502
0
         }
503
0
      else if(key_type == "DSA" || key_type == "ECDSA")
504
0
         {
505
0
         const std::string padding = "EMSA1(SHA-1)";
506
0
         return std::make_pair(padding, DER_SEQUENCE);
507
0
         }
508
0
      else
509
0
         throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
510
298
      }
511
512
298
   if(scheme == Signature_Scheme::NONE)
513
1
      throw Decoding_Error("Counterparty did not send hash/sig IDS");
514
515
297
   if(key_type != signature_algorithm_of_scheme(scheme))
516
5
      throw Decoding_Error("Counterparty sent inconsistent key and sig types");
517
518
292
   if(for_client_auth && !cert_req())
519
0
      {
520
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
521
0
                          "No certificate verify set");
522
0
      }
523
524
   /*
525
   Confirm the signature type we just received against the
526
   supported_algos list that we sent; it better be there.
527
   */
528
529
292
   const std::vector<Signature_Scheme> supported_algos =
530
0
      for_client_auth ? cert_req()->signature_schemes() :
531
292
      client_hello()->signature_schemes();
532
533
292
   if(!signature_scheme_is_known(scheme))
534
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
535
0
                          "Peer sent unknown signature scheme");
536
537
292
   const std::string hash_algo = hash_function_of_scheme(scheme);
538
539
292
   if(!supported_algos_include(supported_algos, key_type, hash_algo))
540
0
      {
541
0
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
542
0
                          "TLS signature extension did not allow for " +
543
0
                          key_type + "/" + hash_algo + " signature");
544
0
      }
545
546
292
   if(key_type == "RSA")
547
31
      {
548
31
      return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
549
31
      }
550
261
   else if(key_type == "DSA" || key_type == "ECDSA")
551
198
      {
552
198
      return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
553
198
      }
554
555
63
   throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
556
63
   }
557
558
}
559
560
}