Coverage Report

Created: 2021-05-04 09:02

/src/botan/src/lib/tls/tls_handshake_state.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Handshaking
3
* (C) 2004-2006,2011,2012,2015,2016 Jack Lloyd
4
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/internal/tls_handshake_state.h>
10
#include <botan/internal/tls_record.h>
11
#include <botan/tls_messages.h>
12
#include <botan/kdf.h>
13
#include <sstream>
14
15
namespace Botan {
16
17
namespace TLS {
18
19
std::string Handshake_Message::type_string() const
20
0
   {
21
0
   return handshake_type_to_string(type());
22
0
   }
23
24
const char* handshake_type_to_string(Handshake_Type type)
25
573
   {
26
573
   switch(type)
27
573
      {
28
6
      case HELLO_VERIFY_REQUEST:
29
6
         return "hello_verify_request";
30
31
84
      case HELLO_REQUEST:
32
84
         return "hello_request";
33
34
171
      case CLIENT_HELLO:
35
171
         return "client_hello";
36
37
65
      case SERVER_HELLO:
38
65
         return "server_hello";
39
40
8
      case CERTIFICATE:
41
8
         return "certificate";
42
43
8
      case CERTIFICATE_URL:
44
8
         return "certificate_url";
45
46
9
      case CERTIFICATE_STATUS:
47
9
         return "certificate_status";
48
49
6
      case SERVER_KEX:
50
6
         return "server_key_exchange";
51
52
5
      case CERTIFICATE_REQUEST:
53
5
         return "certificate_request";
54
55
7
      case SERVER_HELLO_DONE:
56
7
         return "server_hello_done";
57
58
10
      case CERTIFICATE_VERIFY:
59
10
         return "certificate_verify";
60
61
59
      case CLIENT_KEX:
62
59
         return "client_key_exchange";
63
64
10
      case NEW_SESSION_TICKET:
65
10
         return "new_session_ticket";
66
67
101
      case HANDSHAKE_CCS:
68
101
         return "change_cipher_spec";
69
70
24
      case FINISHED:
71
24
         return "finished";
72
73
0
      case HANDSHAKE_NONE:
74
0
         return "invalid";
75
0
      }
76
77
0
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
78
0
                       "Unknown TLS handshake message type " + std::to_string(type));
79
0
   }
80
81
namespace {
82
83
uint32_t bitmask_for_handshake_type(Handshake_Type type)
84
285k
   {
85
285k
   switch(type)
86
285k
      {
87
279
      case HELLO_VERIFY_REQUEST:
88
279
         return (1 << 0);
89
90
357
      case HELLO_REQUEST:
91
357
         return (1 << 1);
92
93
76.0k
      case CLIENT_HELLO:
94
76.0k
         return (1 << 2);
95
96
3.45k
      case SERVER_HELLO:
97
3.45k
         return (1 << 3);
98
99
11.2k
      case CERTIFICATE:
100
11.2k
         return (1 << 4);
101
102
281
      case CERTIFICATE_URL:
103
281
         return (1 << 5);
104
105
282
      case CERTIFICATE_STATUS:
106
282
         return (1 << 6);
107
108
279
      case SERVER_KEX:
109
279
         return (1 << 7);
110
111
278
      case CERTIFICATE_REQUEST:
112
278
         return (1 << 8);
113
114
280
      case SERVER_HELLO_DONE:
115
280
         return (1 << 9);
116
117
283
      case CERTIFICATE_VERIFY:
118
283
         return (1 << 10);
119
120
33.4k
      case CLIENT_KEX:
121
33.4k
         return (1 << 11);
122
123
283
      case NEW_SESSION_TICKET:
124
283
         return (1 << 12);
125
126
156k
      case HANDSHAKE_CCS:
127
156k
         return (1 << 13);
128
129
1.63k
      case FINISHED:
130
1.63k
         return (1 << 14);
131
132
      // allow explicitly disabling new handshakes
133
558
      case HANDSHAKE_NONE:
134
558
         return 0;
135
66
      }
136
137
66
   throw TLS_Exception(Alert::UNEXPECTED_MESSAGE,
138
66
                       "Unknown TLS handshake message type " + std::to_string(type));
139
66
   }
140
141
std::string handshake_mask_to_string(uint32_t mask, char combiner)
142
273
   {
143
273
   const Handshake_Type types[] = {
144
273
      HELLO_VERIFY_REQUEST,
145
273
      HELLO_REQUEST,
146
273
      CLIENT_HELLO,
147
273
      SERVER_HELLO,
148
273
      CERTIFICATE,
149
273
      CERTIFICATE_URL,
150
273
      CERTIFICATE_STATUS,
151
273
      SERVER_KEX,
152
273
      CERTIFICATE_REQUEST,
153
273
      SERVER_HELLO_DONE,
154
273
      CERTIFICATE_VERIFY,
155
273
      CLIENT_KEX,
156
273
      NEW_SESSION_TICKET,
157
273
      HANDSHAKE_CCS,
158
273
      FINISHED
159
273
   };
160
161
273
   std::ostringstream o;
162
273
   bool empty = true;
163
164
273
   for(auto&& t : types)
165
4.09k
      {
166
4.09k
      if(mask & bitmask_for_handshake_type(t))
167
323
         {
168
323
         if(!empty)
169
50
            o << combiner;
170
323
         o << handshake_type_to_string(t);
171
323
         empty = false;
172
323
         }
173
4.09k
      }
174
175
273
   return o.str();
176
273
   }
177
178
}
179
180
/*
181
* Initialize the SSL/TLS Handshake State
182
*/
183
Handshake_State::Handshake_State(std::unique_ptr<Handshake_IO> io, Callbacks& cb) :
184
   m_callbacks(cb),
185
   m_handshake_io(std::move(io)),
186
   m_version(m_handshake_io->initial_record_version())
187
47.8k
   {
188
47.8k
   }
189
190
void Handshake_State::note_message(const Handshake_Message& msg)
191
114k
   {
192
114k
   m_callbacks.tls_inspect_handshake_msg(msg);
193
114k
   }
194
195
void Handshake_State::hello_verify_request(const Hello_Verify_Request& hello_verify)
196
0
   {
197
0
   note_message(hello_verify);
198
199
0
   m_client_hello->update_hello_cookie(hello_verify);
200
0
   hash().reset();
201
0
   hash().update(handshake_io().send(*m_client_hello));
202
0
   note_message(*m_client_hello);
203
0
   }
204
205
void Handshake_State::client_hello(Client_Hello* client_hello)
206
46.1k
   {
207
46.1k
   if(client_hello == nullptr)
208
10.6k
      {
209
10.6k
      m_client_hello.reset();
210
10.6k
      hash().reset();
211
10.6k
      }
212
35.4k
   else
213
35.4k
      {
214
35.4k
      m_client_hello.reset(client_hello);
215
35.4k
      note_message(*m_client_hello);
216
35.4k
      }
217
46.1k
   }
218
219
void Handshake_State::server_hello(Server_Hello* server_hello)
220
22.4k
   {
221
22.4k
   m_server_hello.reset(server_hello);
222
22.4k
   m_ciphersuite = Ciphersuite::by_id(m_server_hello->ciphersuite());
223
22.4k
   note_message(*m_server_hello);
224
22.4k
   }
225
226
void Handshake_State::server_certs(Certificate* server_certs)
227
161
   {
228
161
   m_server_certs.reset(server_certs);
229
161
   note_message(*m_server_certs);
230
161
   }
231
232
void Handshake_State::server_cert_status(Certificate_Status* server_cert_status)
233
0
   {
234
0
   m_server_cert_status.reset(server_cert_status);
235
0
   note_message(*m_server_cert_status);
236
0
   }
237
238
void Handshake_State::server_kex(Server_Key_Exchange* server_kex)
239
22.1k
   {
240
22.1k
   m_server_kex.reset(server_kex);
241
22.1k
   note_message(*m_server_kex);
242
22.1k
   }
243
244
void Handshake_State::cert_req(Certificate_Req* cert_req)
245
0
   {
246
0
   m_cert_req.reset(cert_req);
247
0
   note_message(*m_cert_req);
248
0
   }
249
250
void Handshake_State::server_hello_done(Server_Hello_Done* server_hello_done)
251
22.1k
   {
252
22.1k
   m_server_hello_done.reset(server_hello_done);
253
22.1k
   note_message(*m_server_hello_done);
254
22.1k
   }
255
256
void Handshake_State::client_certs(Certificate* client_certs)
257
0
   {
258
0
   m_client_certs.reset(client_certs);
259
0
   note_message(*m_client_certs);
260
0
   }
261
262
void Handshake_State::client_kex(Client_Key_Exchange* client_kex)
263
10.2k
   {
264
10.2k
   m_client_kex.reset(client_kex);
265
10.2k
   note_message(*m_client_kex);
266
10.2k
   }
267
268
void Handshake_State::client_verify(Certificate_Verify* client_verify)
269
0
   {
270
0
   m_client_verify.reset(client_verify);
271
0
   note_message(*m_client_verify);
272
0
   }
273
274
void Handshake_State::new_session_ticket(New_Session_Ticket* new_session_ticket)
275
357
   {
276
357
   m_new_session_ticket.reset(new_session_ticket);
277
357
   note_message(*m_new_session_ticket);
278
357
   }
279
280
void Handshake_State::server_finished(Finished* server_finished)
281
553
   {
282
553
   m_server_finished.reset(server_finished);
283
553
   note_message(*m_server_finished);
284
553
   }
285
286
void Handshake_State::client_finished(Finished* client_finished)
287
553
   {
288
553
   m_client_finished.reset(client_finished);
289
553
   note_message(*m_client_finished);
290
553
   }
291
292
void Handshake_State::set_version(const Protocol_Version& version)
293
33.4k
   {
294
33.4k
   m_version = version;
295
33.4k
   }
296
297
void Handshake_State::compute_session_keys()
298
10.2k
   {
299
10.2k
   m_session_keys = Session_Keys(this, client_kex()->pre_master_secret(), false);
300
10.2k
   }
301
302
void Handshake_State::compute_session_keys(const secure_vector<uint8_t>& resume_master_secret)
303
0
   {
304
0
   m_session_keys = Session_Keys(this, resume_master_secret, true);
305
0
   }
306
307
void Handshake_State::confirm_transition_to(Handshake_Type handshake_msg)
308
47.8k
   {
309
47.8k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
310
311
47.8k
   m_hand_received_mask |= mask;
312
313
47.8k
   const bool ok = (m_hand_expecting_mask & mask) != 0; // overlap?
314
315
47.8k
   if(!ok)
316
250
      {
317
250
      const uint32_t seen_so_far = m_hand_received_mask & ~mask;
318
319
250
      std::ostringstream msg;
320
321
250
      msg << "Unexpected state transition in handshake got a " << handshake_type_to_string(handshake_msg);
322
323
250
      if(m_hand_expecting_mask == 0)
324
34
         msg << " not expecting messages";
325
216
      else
326
216
         msg << " expected " << handshake_mask_to_string(m_hand_expecting_mask, '|');
327
328
250
      if(seen_so_far != 0)
329
57
         msg << " seen " << handshake_mask_to_string(seen_so_far, '+');
330
331
250
      throw Unexpected_Message(msg.str());
332
250
      }
333
334
   /* We don't know what to expect next, so force a call to
335
      set_expected_next; if it doesn't happen, the next transition
336
      check will always fail which is what we want.
337
   */
338
47.5k
   m_hand_expecting_mask = 0;
339
47.5k
   }
340
341
void Handshake_State::set_expected_next(Handshake_Type handshake_msg)
342
78.1k
   {
343
78.1k
   m_hand_expecting_mask |= bitmask_for_handshake_type(handshake_msg);
344
78.1k
   }
345
346
bool Handshake_State::received_handshake_msg(Handshake_Type handshake_msg) const
347
10.9k
   {
348
10.9k
   const uint32_t mask = bitmask_for_handshake_type(handshake_msg);
349
350
10.9k
   return (m_hand_received_mask & mask) != 0;
351
10.9k
   }
352
353
std::pair<Handshake_Type, std::vector<uint8_t>>
354
Handshake_State::get_next_handshake_msg()
355
144k
   {
356
144k
   const bool expecting_ccs =
357
144k
      (bitmask_for_handshake_type(HANDSHAKE_CCS) & m_hand_expecting_mask) != 0;
358
359
144k
   return m_handshake_io->get_next_record(expecting_ccs);
360
144k
   }
361
362
std::vector<uint8_t> Handshake_State::session_ticket() const
363
0
   {
364
0
   if(new_session_ticket() && !new_session_ticket()->ticket().empty())
365
0
      return new_session_ticket()->ticket();
366
367
0
   return client_hello()->session_ticket();
368
0
   }
369
370
std::unique_ptr<KDF> Handshake_State::protocol_specific_prf() const
371
11.3k
   {
372
11.3k
   const std::string prf_algo = ciphersuite().prf_algo();
373
374
11.3k
   if(prf_algo == "MD5" || prf_algo == "SHA-1")
375
2.91k
      return KDF::create_or_throw("TLS-12-PRF(SHA-256)");
376
377
8.41k
   return KDF::create_or_throw("TLS-12-PRF(" + prf_algo + ")");
378
8.41k
   }
379
380
std::pair<std::string, Signature_Format>
381
Handshake_State::choose_sig_format(const Private_Key& key,
382
                                   Signature_Scheme& chosen_scheme,
383
                                   bool for_client_auth,
384
                                   const Policy& policy) const
385
0
   {
386
0
   const std::string sig_algo = key.algo_name();
387
388
0
      const std::vector<Signature_Scheme> allowed = policy.allowed_signature_schemes();
389
390
0
      std::vector<Signature_Scheme> requested =
391
0
         (for_client_auth) ? cert_req()->signature_schemes() : client_hello()->signature_schemes();
392
393
0
      for(Signature_Scheme scheme : allowed)
394
0
         {
395
0
         if(signature_scheme_is_known(scheme) == false)
396
0
            {
397
0
            continue;
398
0
            }
399
400
0
         if(signature_algorithm_of_scheme(scheme) == sig_algo)
401
0
            {
402
0
            if(std::find(requested.begin(), requested.end(), scheme) != requested.end())
403
0
               {
404
0
               chosen_scheme = scheme;
405
0
               break;
406
0
               }
407
0
            }
408
0
         }
409
410
0
      const std::string hash = hash_function_of_scheme(chosen_scheme);
411
412
0
      if(!policy.allowed_signature_hash(hash))
413
0
         {
414
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
415
0
                             "Policy refuses to accept signing with any hash supported by peer");
416
0
         }
417
418
0
      if(sig_algo == "RSA")
419
0
         {
420
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), IEEE_1363);
421
0
         }
422
0
      else if(sig_algo == "DSA" || sig_algo == "ECDSA")
423
0
         {
424
0
         return std::make_pair(padding_string_for_scheme(chosen_scheme), DER_SEQUENCE);
425
0
         }
426
427
0
   throw Invalid_Argument(sig_algo + " is invalid/unknown for TLS signatures");
428
0
   }
429
430
namespace {
431
432
bool supported_algos_include(
433
   const std::vector<Signature_Scheme>& schemes,
434
   const std::string& key_type,
435
   const std::string& hash_type)
436
0
   {
437
0
   for(Signature_Scheme scheme : schemes)
438
0
      {
439
0
      if(signature_scheme_is_known(scheme) &&
440
0
         hash_function_of_scheme(scheme) == hash_type &&
441
0
         signature_algorithm_of_scheme(scheme) == key_type)
442
0
         {
443
0
         return true;
444
0
         }
445
0
      }
446
447
0
   return false;
448
0
   }
449
450
}
451
452
std::pair<std::string, Signature_Format>
453
Handshake_State::parse_sig_format(const Public_Key& key,
454
                                  Signature_Scheme scheme,
455
                                  bool for_client_auth,
456
                                  const Policy& policy) const
457
0
   {
458
0
   const std::string key_type = key.algo_name();
459
460
0
   if(!policy.allowed_signature_method(key_type))
461
0
      {
462
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
463
0
                          "Rejecting " + key_type + " signature");
464
0
      }
465
466
0
   if(scheme == Signature_Scheme::NONE)
467
0
      throw Decoding_Error("Counterparty did not send hash/sig IDS");
468
469
0
   if(key_type != signature_algorithm_of_scheme(scheme))
470
0
      throw Decoding_Error("Counterparty sent inconsistent key and sig types");
471
472
0
   if(for_client_auth && !cert_req())
473
0
      {
474
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
475
0
                          "No certificate verify set");
476
0
      }
477
478
   /*
479
   Confirm the signature type we just received against the
480
   supported_algos list that we sent; it better be there.
481
   */
482
483
0
   const std::vector<Signature_Scheme> supported_algos =
484
0
      for_client_auth ? cert_req()->signature_schemes() :
485
0
      client_hello()->signature_schemes();
486
487
0
   if(!signature_scheme_is_known(scheme))
488
0
      throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
489
0
                          "Peer sent unknown signature scheme");
490
491
0
   const std::string hash_algo = hash_function_of_scheme(scheme);
492
493
0
   if(!supported_algos_include(supported_algos, key_type, hash_algo))
494
0
      {
495
0
      throw TLS_Exception(Alert::ILLEGAL_PARAMETER,
496
0
                          "TLS signature extension did not allow for " +
497
0
                          key_type + "/" + hash_algo + " signature");
498
0
      }
499
500
0
   if(key_type == "RSA")
501
0
      {
502
0
      return std::make_pair(padding_string_for_scheme(scheme), IEEE_1363);
503
0
      }
504
0
   else if(key_type == "DSA" || key_type == "ECDSA")
505
0
      {
506
0
      return std::make_pair(padding_string_for_scheme(scheme), DER_SEQUENCE);
507
0
      }
508
509
0
   throw Invalid_Argument(key_type + " is invalid/unknown for TLS signatures");
510
0
   }
511
512
}
513
514
}