/src/botan/src/lib/tls/tls_callbacks.cpp

Source (jump to first uncovered line)
/*
* TLS Callbacks
* (C) 2016 Jack Lloyd
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/tls_callbacks.h>
#include <botan/tls_policy.h>
#include <botan/tls_algos.h>
#include <botan/x509path.h>
#include <botan/ocsp.h>
#include <botan/dh.h>
#include <botan/ecdh.h>
#include <botan/tls_exceptn.h>
#include <botan/internal/ct_utils.h>

#if defined(BOTAN_HAS_CURVE_25519)
  #include <botan/curve25519.h>
#endif

namespace Botan {

void TLS::Callbacks::tls_inspect_handshake_msg(const Handshake_Message&)
   {
   // default is no op
   }

std::string TLS::Callbacks::tls_server_choose_app_protocol(const std::vector<std::string>&)
   {
   return "";
   }

std::string TLS::Callbacks::tls_peer_network_identity()
   {
   return "";
   }

void TLS::Callbacks::tls_modify_extensions(Extensions&, Connection_Side)
   {
   }

void TLS::Callbacks::tls_examine_extensions(const Extensions&, Connection_Side)
   {
   }

std::string TLS::Callbacks::tls_decode_group_param(Group_Params group_param)
   {
   return group_param_to_string(group_param);
   }

void TLS::Callbacks::tls_verify_cert_chain(
   const std::vector<X509_Certificate>& cert_chain,
   const std::vector<std::optional<OCSP::Response>>& ocsp_responses,
   const std::vector<Certificate_Store*>& trusted_roots,
   Usage_Type usage,
   const std::string& hostname,
   const TLS::Policy& policy)
   {
   if(cert_chain.empty())
      throw Invalid_Argument("Certificate chain was empty");

   Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
                                             policy.minimum_signature_strength());

   Path_Validation_Result result =
      x509_path_validate(cert_chain,
                         restrictions,
                         trusted_roots,
                         (usage == Usage_Type::TLS_SERVER_AUTH ? hostname : ""),
                         usage,
                         std::chrono::system_clock::now(),
                         tls_verify_cert_chain_ocsp_timeout(),
                         ocsp_responses);

   if(!result.successful_validation())
      {
      throw TLS_Exception(Alert::BAD_CERTIFICATE,
                          "Certificate validation failure: " + result.result_string());
      }
   }

std::vector<uint8_t> TLS::Callbacks::tls_sign_message(
   const Private_Key& key,
   RandomNumberGenerator& rng,
   const std::string& emsa,
   Signature_Format format,
   const std::vector<uint8_t>& msg)
   {
   PK_Signer signer(key, rng, emsa, format);

   return signer.sign_message(msg, rng);
   }

bool TLS::Callbacks::tls_verify_message(
   const Public_Key& key,
   const std::string& emsa,
   Signature_Format format,
   const std::vector<uint8_t>& msg,
   const std::vector<uint8_t>& sig)
   {
   PK_Verifier verifier(key, emsa, format);

   return verifier.verify_message(msg, sig);
   }

std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> TLS::Callbacks::tls_dh_agree(
   const std::vector<uint8_t>& modulus,
   const std::vector<uint8_t>& generator,
   const std::vector<uint8_t>& peer_public_value,
   const Policy& policy,
   RandomNumberGenerator& rng)
   {
   BigInt p = BigInt::decode(modulus);
   BigInt g = BigInt::decode(generator);
   BigInt Y = BigInt::decode(peer_public_value);

   /*
    * A basic check for key validity. As we do not know q here we
    * cannot check that Y is in the right subgroup. However since
    * our key is ephemeral there does not seem to be any
    * advantage to bogus keys anyway.
    */
   if(Y <= 1 || Y >= p - 1)
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
                          "Server sent bad DH key for DHE exchange");

   DL_Group group(p, g);

   if(!group.verify_group(rng, false))
      throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
                          "DH group validation failed");

   DH_PublicKey peer_key(group, Y);

   policy.check_peer_key_acceptable(peer_key);

   DH_PrivateKey priv_key(rng, group);
   PK_Key_Agreement ka(priv_key, rng, "Raw");
   secure_vector<uint8_t> dh_secret = CT::strip_leading_zeros(
      ka.derive_key(0, peer_key.public_value()).bits_of());

   return std::make_pair(dh_secret, priv_key.public_value());
   }

std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> TLS::Callbacks::tls_ecdh_agree(
   const std::string& curve_name,
   const std::vector<uint8_t>& peer_public_value,
   const Policy& policy,
   RandomNumberGenerator& rng,
   bool compressed)
   {
   secure_vector<uint8_t> ecdh_secret;
   std::vector<uint8_t> our_public_value;

   if(curve_name == "x25519")
      {
#if defined(BOTAN_HAS_CURVE_25519)
      if(peer_public_value.size() != 32)
         {
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Invalid X25519 key size");
         }

      Curve25519_PublicKey peer_key(peer_public_value);
      policy.check_peer_key_acceptable(peer_key);
      Curve25519_PrivateKey priv_key(rng);
      PK_Key_Agreement ka(priv_key, rng, "Raw");
      ecdh_secret = ka.derive_key(0, peer_key.public_value()).bits_of();

      // X25519 is always compressed but sent as "uncompressed" in TLS
      our_public_value = priv_key.public_value();
#else
      throw Internal_Error("Negotiated X25519 somehow, but it is disabled");
#endif
      }
   else
      {
      EC_Group group(OID::from_string(curve_name));
      ECDH_PublicKey peer_key(group, group.OS2ECP(peer_public_value));
      policy.check_peer_key_acceptable(peer_key);
      ECDH_PrivateKey priv_key(rng, group);
      PK_Key_Agreement ka(priv_key, rng, "Raw");
      ecdh_secret = ka.derive_key(0, peer_key.public_value()).bits_of();
      our_public_value = priv_key.public_value(compressed ? PointGFp::COMPRESSED : PointGFp::UNCOMPRESSED);
      }

   return std::make_pair(ecdh_secret, our_public_value);
   }

}

Line	Count	Source (jump to first uncovered line)
1		/*
2		* TLS Callbacks
3		* (C) 2016 Jack Lloyd
4		* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5		*
6		* Botan is released under the Simplified BSD License (see license.txt)
7		*/
8
9		#include <botan/tls_callbacks.h>
10		#include <botan/tls_policy.h>
11		#include <botan/tls_algos.h>
12		#include <botan/x509path.h>
13		#include <botan/ocsp.h>
14		#include <botan/dh.h>
15		#include <botan/ecdh.h>
16		#include <botan/tls_exceptn.h>
17		#include <botan/internal/ct_utils.h>
18
19		#if defined(BOTAN_HAS_CURVE_25519)
20		#include <botan/curve25519.h>
21		#endif
22
23		namespace Botan {
24
25		void TLS::Callbacks::tls_inspect_handshake_msg(const Handshake_Message&)
26	107k	{
27		// default is no op
28	107k	}
29
30		std::string TLS::Callbacks::tls_server_choose_app_protocol(const std::vector<std::string>&)
31	0	{
32	0	return "";
33	0	}
34
35		std::string TLS::Callbacks::tls_peer_network_identity()
36	7.48k	{
37	7.48k	return "";
38	7.48k	}
39
40		void TLS::Callbacks::tls_modify_extensions(Extensions&, Connection_Side)
41	23.5k	{
42	23.5k	}
43
44		void TLS::Callbacks::tls_examine_extensions(const Extensions&, Connection_Side)
45	21.8k	{
46	21.8k	}
47
48		std::string TLS::Callbacks::tls_decode_group_param(Group_Params group_param)
49	20.4k	{
50	20.4k	return group_param_to_string(group_param);
51	20.4k	}
52
53		void TLS::Callbacks::tls_verify_cert_chain(
54		const std::vector<X509_Certificate>& cert_chain,
55		const std::vector<std::optional<OCSP::Response>>& ocsp_responses,
56		const std::vector<Certificate_Store*>& trusted_roots,
57		Usage_Type usage,
58		const std::string& hostname,
59		const TLS::Policy& policy)
60	0	{
61	0	if(cert_chain.empty())
62	0	throw Invalid_Argument("Certificate chain was empty");
63
64	0	Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
65	0	policy.minimum_signature_strength());
66
67	0	Path_Validation_Result result =
68	0	x509_path_validate(cert_chain,
69	0	restrictions,
70	0	trusted_roots,
71	0	(usage == Usage_Type::TLS_SERVER_AUTH ? hostname : ""),
72	0	usage,
73	0	std::chrono::system_clock::now(),
74	0	tls_verify_cert_chain_ocsp_timeout(),
75	0	ocsp_responses);
76
77	0	if(!result.successful_validation())
78	0	{
79	0	throw TLS_Exception(Alert::BAD_CERTIFICATE,
80	0	"Certificate validation failure: " + result.result_string());
81	0	}
82	0	}
83
84		std::vector<uint8_t> TLS::Callbacks::tls_sign_message(
85		const Private_Key& key,
86		RandomNumberGenerator& rng,
87		const std::string& emsa,
88		Signature_Format format,
89		const std::vector<uint8_t>& msg)
90	0	{
91	0	PK_Signer signer(key, rng, emsa, format);
92
93	0	return signer.sign_message(msg, rng);
94	0	}
95
96		bool TLS::Callbacks::tls_verify_message(
97		const Public_Key& key,
98		const std::string& emsa,
99		Signature_Format format,
100		const std::vector<uint8_t>& msg,
101		const std::vector<uint8_t>& sig)
102	0	{
103	0	PK_Verifier verifier(key, emsa, format);
104
105	0	return verifier.verify_message(msg, sig);
106	0	}
107
108		std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> TLS::Callbacks::tls_dh_agree(
109		const std::vector<uint8_t>& modulus,
110		const std::vector<uint8_t>& generator,
111		const std::vector<uint8_t>& peer_public_value,
112		const Policy& policy,
113		RandomNumberGenerator& rng)
114	0	{
115	0	BigInt p = BigInt::decode(modulus);
116	0	BigInt g = BigInt::decode(generator);
117	0	BigInt Y = BigInt::decode(peer_public_value);
118
119		/*
120		* A basic check for key validity. As we do not know q here we
121		* cannot check that Y is in the right subgroup. However since
122		* our key is ephemeral there does not seem to be any
123		* advantage to bogus keys anyway.
124		*/
125	0	if(Y <= 1 \|\| Y >= p - 1)
126	0	throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
127	0	"Server sent bad DH key for DHE exchange");
128
129	0	DL_Group group(p, g);
130
131	0	if(!group.verify_group(rng, false))
132	0	throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
133	0	"DH group validation failed");
134
135	0	DH_PublicKey peer_key(group, Y);
136
137	0	policy.check_peer_key_acceptable(peer_key);
138
139	0	DH_PrivateKey priv_key(rng, group);
140	0	PK_Key_Agreement ka(priv_key, rng, "Raw");
141	0	secure_vector<uint8_t> dh_secret = CT::strip_leading_zeros(
142	0	ka.derive_key(0, peer_key.public_value()).bits_of());
143
144	0	return std::make_pair(dh_secret, priv_key.public_value());
145	0	}
146
147		std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> TLS::Callbacks::tls_ecdh_agree(
148		const std::string& curve_name,
149		const std::vector<uint8_t>& peer_public_value,
150		const Policy& policy,
151		RandomNumberGenerator& rng,
152		bool compressed)
153	0	{
154	0	secure_vector<uint8_t> ecdh_secret;
155	0	std::vector<uint8_t> our_public_value;
156
157	0	if(curve_name == "x25519")
158	0	{
159	0	#if defined(BOTAN_HAS_CURVE_25519)
160	0	if(peer_public_value.size() != 32)
161	0	{
162	0	throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Invalid X25519 key size");
163	0	}
164
165	0	Curve25519_PublicKey peer_key(peer_public_value);
166	0	policy.check_peer_key_acceptable(peer_key);
167	0	Curve25519_PrivateKey priv_key(rng);
168	0	PK_Key_Agreement ka(priv_key, rng, "Raw");
169	0	ecdh_secret = ka.derive_key(0, peer_key.public_value()).bits_of();
170
171		// X25519 is always compressed but sent as "uncompressed" in TLS
172	0	our_public_value = priv_key.public_value();
173		#else
174		throw Internal_Error("Negotiated X25519 somehow, but it is disabled");
175		#endif
176	0	}
177	0	else
178	0	{
179	0	EC_Group group(OID::from_string(curve_name));
180	0	ECDH_PublicKey peer_key(group, group.OS2ECP(peer_public_value));
181	0	policy.check_peer_key_acceptable(peer_key);
182	0	ECDH_PrivateKey priv_key(rng, group);
183	0	PK_Key_Agreement ka(priv_key, rng, "Raw");
184	0	ecdh_secret = ka.derive_key(0, peer_key.public_value()).bits_of();
185	0	our_public_value = priv_key.public_value(compressed ? PointGFp::COMPRESSED : PointGFp::UNCOMPRESSED);
186	0	}
187
188	0	return std::make_pair(ecdh_secret, our_public_value);
189	0	}
190
191		}

Coverage Report

Created: 2021-04-07 06:07