Coverage Report

Created: 2022-06-23 06:44

/src/botan/src/lib/tls/tls12/tls_channel_impl_12.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* TLS Channels
3
* (C) 2011,2012,2014,2015,2016 Jack Lloyd
4
*     2016 Matthias Gierlings
5
*
6
* Botan is released under the Simplified BSD License (see license.txt)
7
*/
8
9
#include <botan/tls_policy.h>
10
#include <botan/tls_messages.h>
11
#include <botan/kdf.h>
12
#include <botan/internal/tls_channel_impl_12.h>
13
#include <botan/internal/tls_handshake_state.h>
14
#include <botan/internal/tls_record.h>
15
#include <botan/internal/tls_seq_numbers.h>
16
#include <botan/internal/stl_util.h>
17
#include <botan/internal/loadstor.h>
18
#include <botan/x509cert.h>
19
20
namespace Botan::TLS {
21
22
Channel_Impl_12::Channel_Impl_12(Callbacks& callbacks,
23
                                 Session_Manager& session_manager,
24
                                 RandomNumberGenerator& rng,
25
                                 const Policy& policy,
26
                                 bool is_server,
27
                                 bool is_datagram,
28
                                 size_t reserved_io_buffer_size) :
29
   m_is_server(is_server),
30
   m_is_datagram(is_datagram),
31
   m_callbacks(callbacks),
32
   m_session_manager(session_manager),
33
   m_policy(policy),
34
   m_rng(rng),
35
   m_has_been_closed(false)
36
5.96k
   {
37
   /* epoch 0 is plaintext, thus null cipher state */
38
5.96k
   m_write_cipher_states[0] = nullptr;
39
5.96k
   m_read_cipher_states[0] = nullptr;
40
41
5.96k
   m_writebuf.reserve(reserved_io_buffer_size);
42
5.96k
   m_readbuf.reserve(reserved_io_buffer_size);
43
5.96k
   }
44
45
void Channel_Impl_12::reset_state()
46
3.57k
   {
47
3.57k
   m_active_state.reset();
48
3.57k
   m_pending_state.reset();
49
3.57k
   m_readbuf.clear();
50
3.57k
   m_write_cipher_states.clear();
51
3.57k
   m_read_cipher_states.clear();
52
3.57k
   }
53
54
void Channel_Impl_12::reset_active_association_state()
55
0
   {
56
   // This operation only makes sense for DTLS
57
0
   BOTAN_ASSERT_NOMSG(m_is_datagram);
58
0
   m_active_state.reset();
59
0
   m_read_cipher_states.clear();
60
0
   m_write_cipher_states.clear();
61
62
0
   m_write_cipher_states[0] = nullptr;
63
0
   m_read_cipher_states[0] = nullptr;
64
65
0
   if(m_sequence_numbers)
66
0
      m_sequence_numbers->reset();
67
0
   }
68
69
Channel_Impl_12::~Channel_Impl_12()
70
5.96k
   {
71
   // So unique_ptr destructors run correctly
72
5.96k
   }
73
74
Connection_Sequence_Numbers& Channel_Impl_12::sequence_numbers() const
75
135k
   {
76
135k
   BOTAN_ASSERT(m_sequence_numbers, "Have a sequence numbers object");
77
135k
   return *m_sequence_numbers;
78
135k
   }
79
80
std::shared_ptr<Connection_Cipher_State> Channel_Impl_12::read_cipher_state_epoch(uint16_t epoch) const
81
413
   {
82
413
   auto i = m_read_cipher_states.find(epoch);
83
413
   if(i == m_read_cipher_states.end())
84
92
      { throw Internal_Error("TLS::Channel_Impl_12 No read cipherstate for epoch " + std::to_string(epoch)); }
85
321
   return i->second;
86
413
   }
87
88
std::shared_ptr<Connection_Cipher_State> Channel_Impl_12::write_cipher_state_epoch(uint16_t epoch) const
89
66.1k
   {
90
66.1k
   auto i = m_write_cipher_states.find(epoch);
91
66.1k
   if(i == m_write_cipher_states.end())
92
0
      { throw Internal_Error("TLS::Channel_Impl_12 No write cipherstate for epoch " + std::to_string(epoch)); }
93
66.1k
   return i->second;
94
66.1k
   }
95
96
std::vector<X509_Certificate> Channel_Impl_12::peer_cert_chain() const
97
0
   {
98
0
   if(auto active = active_state())
99
0
      return get_peer_cert_chain(*active);
100
0
   return std::vector<X509_Certificate>();
101
0
   }
102
103
bool Channel_Impl_12::save_session(const Session& session)
104
308
   {
105
308
   return callbacks().tls_session_established(session);
106
308
   }
107
108
Handshake_State& Channel_Impl_12::create_handshake_state(Protocol_Version version)
109
24.9k
   {
110
24.9k
   if(pending_state())
111
0
      throw Internal_Error("create_handshake_state called during handshake");
112
113
24.9k
   if(auto active = active_state())
114
0
      {
115
0
      Protocol_Version active_version = active->version();
116
117
0
      if(active_version.is_datagram_protocol() != version.is_datagram_protocol())
118
0
         {
119
0
         throw TLS_Exception(Alert::PROTOCOL_VERSION,
120
0
                             "Active state using version " + active_version.to_string() +
121
0
                             " cannot change to " + version.to_string() + " in pending");
122
0
         }
123
0
      }
124
125
24.9k
   if(!m_sequence_numbers)
126
5.67k
      {
127
5.67k
      if(version.is_datagram_protocol())
128
680
         m_sequence_numbers.reset(new Datagram_Sequence_Numbers);
129
4.99k
      else
130
4.99k
         m_sequence_numbers.reset(new Stream_Sequence_Numbers);
131
5.67k
      }
132
133
24.9k
   using namespace std::placeholders;
134
135
24.9k
   std::unique_ptr<Handshake_IO> io;
136
24.9k
   if(version.is_datagram_protocol())
137
680
      {
138
680
      io.reset(new Datagram_Handshake_IO(
139
680
                  std::bind(&Channel_Impl_12::send_record_under_epoch, this, _1, _2, _3),
140
680
                  sequence_numbers(),
141
680
                  static_cast<uint16_t>(m_policy.dtls_default_mtu()),
142
680
                  m_policy.dtls_initial_timeout(),
143
680
                  m_policy.dtls_maximum_timeout()));
144
680
      }
145
24.3k
   else
146
24.3k
      {
147
24.3k
      io.reset(new Stream_Handshake_IO(std::bind(&Channel_Impl_12::send_record, this, _1, _2)));
148
24.3k
      }
149
150
24.9k
   m_pending_state = new_handshake_state(std::move(io));
151
152
24.9k
   if(auto active = active_state())
153
0
      m_pending_state->set_version(active->version());
154
155
24.9k
   return *m_pending_state.get();
156
24.9k
   }
157
158
bool Channel_Impl_12::timeout_check()
159
0
   {
160
0
   if(m_pending_state)
161
0
      return m_pending_state->handshake_io().timeout_check();
162
163
   //FIXME: scan cipher suites and remove epochs older than 2*MSL
164
0
   return false;
165
0
   }
166
167
void Channel_Impl_12::renegotiate(bool force_full_renegotiation)
168
0
   {
169
0
   if(pending_state()) // currently in handshake?
170
0
      return;
171
172
0
   if(auto active = active_state())
173
0
      {
174
0
      if(force_full_renegotiation == false)
175
0
         force_full_renegotiation = !policy().allow_resumption_for_renegotiation();
176
177
0
      initiate_handshake(create_handshake_state(active->version()),
178
0
                         force_full_renegotiation);
179
0
      }
180
0
   else
181
0
      throw Invalid_State("Cannot renegotiate on inactive connection");
182
0
   }
183
184
void Channel_Impl_12::change_cipher_spec_reader(Connection_Side side)
185
549
   {
186
549
   auto pending = pending_state();
187
188
549
   BOTAN_ASSERT(pending && pending->server_hello(),
189
549
                "Have received server hello");
190
191
549
   if(pending->server_hello()->compression_method() != 0)
192
0
      throw Internal_Error("Negotiated unknown compression algorithm");
193
194
549
   sequence_numbers().new_read_cipher_state();
195
196
549
   const uint16_t epoch = sequence_numbers().current_read_epoch();
197
198
549
   BOTAN_ASSERT(m_read_cipher_states.count(epoch) == 0,
199
549
                "No read cipher state currently set for next epoch");
200
201
   // flip side as we are reading
202
549
   std::shared_ptr<Connection_Cipher_State> read_state(
203
549
      new Connection_Cipher_State(pending->version(),
204
549
                                  (side == CLIENT) ? SERVER : CLIENT,
205
549
                                  false,
206
549
                                  pending->ciphersuite(),
207
549
                                  pending->session_keys(),
208
549
                                  pending->server_hello()->supports_encrypt_then_mac()));
209
210
549
   m_read_cipher_states[epoch] = read_state;
211
549
   }
212
213
void Channel_Impl_12::change_cipher_spec_writer(Connection_Side side)
214
308
   {
215
308
   auto pending = pending_state();
216
217
308
   BOTAN_ASSERT(pending && pending->server_hello(),
218
308
                "Have received server hello");
219
220
308
   if(pending->server_hello()->compression_method() != 0)
221
0
      throw Internal_Error("Negotiated unknown compression algorithm");
222
223
308
   sequence_numbers().new_write_cipher_state();
224
225
308
   const uint16_t epoch = sequence_numbers().current_write_epoch();
226
227
308
   BOTAN_ASSERT(m_write_cipher_states.count(epoch) == 0,
228
308
                "No write cipher state currently set for next epoch");
229
230
308
   std::shared_ptr<Connection_Cipher_State> write_state(
231
308
      new Connection_Cipher_State(pending->version(),
232
308
                                  side,
233
308
                                  true,
234
308
                                  pending->ciphersuite(),
235
308
                                  pending->session_keys(),
236
308
                                  pending->server_hello()->supports_encrypt_then_mac()));
237
238
308
   m_write_cipher_states[epoch] = write_state;
239
308
   }
240
241
bool Channel_Impl_12::is_active() const
242
0
   {
243
0
   if(is_closed())
244
0
      return false;
245
0
   return (active_state() != nullptr);
246
0
   }
247
248
bool Channel_Impl_12::is_closed() const
249
4.68k
   {
250
4.68k
   return m_has_been_closed;
251
4.68k
   }
252
253
void Channel_Impl_12::activate_session()
254
308
   {
255
308
   std::swap(m_active_state, m_pending_state);
256
308
   m_pending_state.reset();
257
258
308
   if(!m_active_state->version().is_datagram_protocol())
259
308
      {
260
      // TLS is easy just remove all but the current state
261
308
      const uint16_t current_epoch = sequence_numbers().current_write_epoch();
262
263
308
      const auto not_current_epoch =
264
1.23k
         [current_epoch](uint16_t epoch) { return (epoch != current_epoch); };
265
266
308
      map_remove_if(not_current_epoch, m_write_cipher_states);
267
308
      map_remove_if(not_current_epoch, m_read_cipher_states);
268
308
      }
269
270
308
   callbacks().tls_session_activated();
271
308
   }
272
273
size_t Channel_Impl_12::received_data(const uint8_t input[], size_t input_size)
274
5.96k
   {
275
5.96k
   const bool allow_epoch0_restart = m_is_datagram && m_is_server && policy().allow_dtls_epoch0_restart();
276
277
5.96k
   try
278
5.96k
      {
279
73.6k
      while(input_size)
280
68.5k
         {
281
68.5k
         size_t consumed = 0;
282
283
68.5k
         auto get_epoch = [this](uint16_t epoch) { return read_cipher_state_epoch(epoch); };
284
285
68.5k
         const Record_Header record =
286
68.5k
            read_record(m_is_datagram,
287
68.5k
                        m_readbuf,
288
68.5k
                        input,
289
68.5k
                        input_size,
290
68.5k
                        consumed,
291
68.5k
                        m_record_buf,
292
68.5k
                        m_sequence_numbers.get(),
293
68.5k
                        get_epoch,
294
68.5k
                        allow_epoch0_restart);
295
296
68.5k
         const size_t needed = record.needed();
297
298
68.5k
         BOTAN_ASSERT(consumed > 0, "Got to eat something");
299
300
68.5k
         BOTAN_ASSERT(consumed <= input_size,
301
68.5k
                      "Record reader consumed sane amount");
302
303
68.5k
         input += consumed;
304
68.5k
         input_size -= consumed;
305
306
68.5k
         BOTAN_ASSERT(input_size == 0 || needed == 0,
307
68.5k
                      "Got a full record or consumed all input");
308
309
68.5k
         if(input_size == 0 && needed != 0)
310
479
            return needed; // need more data to complete record
311
312
         // Ignore invalid records in DTLS
313
68.0k
         if(m_is_datagram && record.type() == NO_RECORD)
314
234
            {
315
234
            return 0;
316
234
            }
317
318
67.8k
         if(m_record_buf.size() > MAX_PLAINTEXT_SIZE)
319
0
            throw TLS_Exception(Alert::RECORD_OVERFLOW,
320
0
                                "TLS plaintext record is larger than allowed maximum");
321
322
323
67.8k
         const bool epoch0_restart = m_is_datagram && record.epoch() == 0 && active_state();
324
67.8k
         BOTAN_ASSERT_IMPLICATION(epoch0_restart, allow_epoch0_restart, "Allowed state");
325
326
67.8k
         const bool initial_record = epoch0_restart || (!pending_state() && !active_state());
327
328
67.8k
         if(record.type() != ALERT)
329
45.1k
            {
330
45.1k
            if(initial_record)
331
23.6k
               {
332
               // For initial records just check for basic sanity
333
23.6k
               if(record.version().major_version() != 3 &&
334
23.6k
                  record.version().major_version() != 0xFE)
335
12
                  {
336
12
                  throw TLS_Exception(Alert::PROTOCOL_VERSION,
337
12
                                      "Received unexpected record version in initial record");
338
12
                  }
339
23.6k
               }
340
21.5k
            else if(auto pending = pending_state())
341
21.5k
               {
342
21.5k
               if(pending->server_hello() != nullptr && record.version() != pending->version())
343
2
                  {
344
2
                  throw TLS_Exception(Alert::PROTOCOL_VERSION,
345
2
                                         "Received unexpected record version");
346
2
                  }
347
21.5k
               }
348
0
            else if(auto active = active_state())
349
0
               {
350
0
               if(record.version() != active->version())
351
0
                  {
352
0
                  throw TLS_Exception(Alert::PROTOCOL_VERSION,
353
0
                                      "Received unexpected record version");
354
0
                  }
355
0
               }
356
45.1k
            }
357
358
67.7k
         if(record.type() == HANDSHAKE || record.type() == CHANGE_CIPHER_SPEC)
359
45.0k
            {
360
45.0k
            if(m_has_been_closed)
361
2
               throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Received handshake data after connection closure");
362
45.0k
            process_handshake_ccs(m_record_buf, record.sequence(), record.type(), record.version(), epoch0_restart);
363
45.0k
            }
364
22.7k
         else if(record.type() == APPLICATION_DATA)
365
12
            {
366
12
            if(m_has_been_closed)
367
2
               throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Received application data after connection closure");
368
10
            if(pending_state() != nullptr)
369
4
               throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Can't interleave application and handshake data");
370
6
            process_application_data(record.sequence(), m_record_buf);
371
6
            }
372
22.6k
         else if(record.type() == ALERT)
373
21.9k
            {
374
21.9k
            process_alert(m_record_buf);
375
21.9k
            }
376
787
         else if(record.type() != NO_RECORD)
377
73
            throw Unexpected_Message("Unexpected record type " +
378
73
                                     std::to_string(record.type()) +
379
73
                                     " from counterparty");
380
67.7k
         }
381
382
5.15k
      return 0; // on a record boundary
383
5.96k
      }
384
5.96k
   catch(TLS_Exception& e)
385
5.96k
      {
386
1.35k
      send_fatal_alert(e.type());
387
1.35k
      throw;
388
1.35k
      }
389
5.96k
   catch(Invalid_Authentication_Tag&)
390
5.96k
      {
391
216
      send_fatal_alert(Alert::BAD_RECORD_MAC);
392
216
      throw;
393
216
      }
394
5.96k
   catch(Decoding_Error&)
395
5.96k
      {
396
1.91k
      send_fatal_alert(Alert::DECODE_ERROR);
397
1.91k
      throw;
398
1.91k
      }
399
5.96k
   catch(...)
400
5.96k
      {
401
91
      send_fatal_alert(Alert::INTERNAL_ERROR);
402
91
      throw;
403
91
      }
404
5.96k
   }
405
406
void Channel_Impl_12::process_handshake_ccs(const secure_vector<uint8_t>& record,
407
      uint64_t record_sequence,
408
      Record_Type record_type,
409
      Protocol_Version record_version,
410
      bool epoch0_restart)
411
45.0k
   {
412
45.0k
   if(!m_pending_state)
413
23.5k
      {
414
      // No pending handshake, possibly new:
415
23.5k
      if(record_version.is_datagram_protocol() && !epoch0_restart)
416
680
         {
417
680
         if(m_sequence_numbers)
418
0
            {
419
            /*
420
            * Might be a peer retransmit under epoch - 1 in which
421
            * case we must retransmit last flight
422
            */
423
0
            sequence_numbers().read_accept(record_sequence);
424
425
0
            const uint16_t epoch = record_sequence >> 48;
426
427
0
            if(epoch == sequence_numbers().current_read_epoch())
428
0
               {
429
0
               create_handshake_state(record_version);
430
0
               }
431
0
            else if(epoch == sequence_numbers().current_read_epoch() - 1)
432
0
               {
433
0
               BOTAN_ASSERT(m_active_state, "Have active state here");
434
0
               m_active_state->handshake_io().add_record(record.data(),
435
0
                                                         record.size(),
436
0
                                                         record_type,
437
0
                                                         record_sequence);
438
0
               }
439
0
            }
440
680
         else
441
680
            {
442
680
            create_handshake_state(record_version);
443
680
            }
444
680
         }
445
22.8k
      else
446
22.8k
         {
447
22.8k
         create_handshake_state(record_version);
448
22.8k
         }
449
23.5k
      }
450
451
   // May have been created in above conditional
452
45.0k
   if(m_pending_state)
453
45.0k
      {
454
45.0k
      m_pending_state->handshake_io().add_record(record.data(),
455
45.0k
                                                 record.size(),
456
45.0k
                                                 record_type,
457
45.0k
                                                 record_sequence);
458
459
82.5k
      while(auto pending = m_pending_state.get())
460
79.8k
         {
461
79.8k
         auto msg = pending->get_next_handshake_msg();
462
463
79.8k
         if(msg.first == HANDSHAKE_NONE) // no full handshake yet
464
42.0k
            break;
465
466
37.7k
         process_handshake_msg(active_state(), *pending,
467
37.7k
                               msg.first, msg.second, epoch0_restart);
468
469
37.7k
         if(!m_pending_state)
470
308
            break;
471
37.7k
         }
472
45.0k
      }
473
45.0k
   }
474
475
void Channel_Impl_12::process_application_data(uint64_t seq_no, const secure_vector<uint8_t>& record)
476
6
   {
477
6
   if(!active_state())
478
6
      throw Unexpected_Message("Application data before handshake done");
479
480
0
   callbacks().tls_record_received(seq_no, record.data(), record.size());
481
0
   }
482
483
void Channel_Impl_12::process_alert(const secure_vector<uint8_t>& record)
484
21.9k
    {
485
21.9k
    Alert alert_msg(record);
486
487
21.9k
    if(alert_msg.type() == Alert::NO_RENEGOTIATION)
488
20.3k
       m_pending_state.reset();
489
490
21.9k
    callbacks().tls_alert(alert_msg);
491
492
21.9k
    if(alert_msg.is_fatal())
493
1.46k
       {
494
1.46k
       if(auto active = active_state())
495
0
          m_session_manager.remove_entry(active->server_hello()->session_id());
496
1.46k
       }
497
498
21.9k
    if(alert_msg.type() == Alert::CLOSE_NOTIFY)
499
1.11k
       send_warning_alert(Alert::CLOSE_NOTIFY); // reply in kind
500
501
21.9k
    if(alert_msg.type() == Alert::CLOSE_NOTIFY || alert_msg.is_fatal())
502
1.58k
       {
503
1.58k
       m_has_been_closed = true;
504
1.58k
       }
505
21.9k
    }
506
507
void Channel_Impl_12::write_record(Connection_Cipher_State* cipher_state, uint16_t epoch,
508
                                   uint8_t record_type, const uint8_t input[], size_t length)
509
66.1k
   {
510
66.1k
   BOTAN_ASSERT(m_pending_state || m_active_state, "Some connection state exists");
511
512
66.1k
   const Protocol_Version record_version =
513
66.1k
      (m_pending_state) ? (m_pending_state->version()) : (m_active_state->version());
514
515
66.1k
   const uint64_t next_seq = sequence_numbers().next_write_sequence(epoch);
516
517
66.1k
   if(cipher_state == nullptr)
518
65.6k
      {
519
65.6k
      TLS::write_unencrypted_record(m_writebuf, record_type, record_version, next_seq,
520
65.6k
                                    input, length);
521
65.6k
      }
522
473
   else
523
473
      {
524
473
      TLS::write_record(m_writebuf, record_type, record_version, next_seq,
525
473
                        input, length, *cipher_state, m_rng);
526
473
      }
527
528
66.1k
   callbacks().tls_emit_data(m_writebuf.data(), m_writebuf.size());
529
66.1k
   }
530
531
void Channel_Impl_12::send_record_array(uint16_t epoch, uint8_t type, const uint8_t input[], size_t length)
532
66.1k
   {
533
66.1k
   if(length == 0)
534
0
      return;
535
536
66.1k
   auto cipher_state = write_cipher_state_epoch(epoch);
537
538
132k
   while(length)
539
66.1k
      {
540
66.1k
      const size_t sending = std::min<size_t>(length, MAX_PLAINTEXT_SIZE);
541
66.1k
      write_record(cipher_state.get(), epoch, type, input, sending);
542
543
66.1k
      input += sending;
544
66.1k
      length -= sending;
545
66.1k
      }
546
66.1k
   }
547
548
void Channel_Impl_12::send_record(uint8_t record_type, const std::vector<uint8_t>& record)
549
66.2k
   {
550
66.2k
   send_record_array(sequence_numbers().current_write_epoch(),
551
66.2k
                     record_type, record.data(), record.size());
552
66.2k
   }
553
554
void Channel_Impl_12::send_record_under_epoch(uint16_t epoch, uint8_t record_type,
555
      const std::vector<uint8_t>& record)
556
25
   {
557
25
   send_record_array(epoch, record_type, record.data(), record.size());
558
25
   }
559
560
void Channel_Impl_12::send(const uint8_t buf[], size_t buf_size)
561
0
   {
562
0
   if(!is_active())
563
0
      throw Invalid_State("Data cannot be sent on inactive TLS connection");
564
565
0
   send_record_array(sequence_numbers().current_write_epoch(),
566
0
                     APPLICATION_DATA, buf, buf_size);
567
0
   }
568
569
void Channel_Impl_12::send_alert(const Alert& alert)
570
4.68k
   {
571
4.68k
   if(alert.is_valid() && !is_closed())
572
3.59k
      {
573
3.59k
      try
574
3.59k
         {
575
3.59k
         send_record(ALERT, alert.serialize());
576
3.59k
         }
577
3.59k
      catch(...) { /* swallow it */ }
578
3.59k
      }
579
580
4.68k
   if(alert.type() == Alert::NO_RENEGOTIATION)
581
0
      m_pending_state.reset();
582
583
4.68k
   if(alert.is_fatal())
584
3.57k
   {
585
3.57k
      if(auto active = active_state())
586
143
      {
587
143
         m_session_manager.remove_entry(active->server_hello()->session_id());
588
143
      }
589
3.57k
      reset_state();
590
3.57k
   }
591
592
4.68k
   if(alert.type() == Alert::CLOSE_NOTIFY || alert.is_fatal())
593
4.68k
      {
594
4.68k
      m_has_been_closed = true;
595
4.68k
      }
596
4.68k
   }
597
598
void Channel_Impl_12::secure_renegotiation_check(const Client_Hello_12* client_hello)
599
21.3k
   {
600
21.3k
   const bool secure_renegotiation = client_hello->secure_renegotiation();
601
602
21.3k
   if(auto active = active_state())
603
0
      {
604
0
      const bool active_sr = active->client_hello()->secure_renegotiation();
605
606
0
      if(active_sr != secure_renegotiation)
607
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
608
0
                             "Client changed its mind about secure renegotiation");
609
0
      }
610
611
21.3k
   if(secure_renegotiation)
612
12.5k
      {
613
12.5k
      const std::vector<uint8_t>& data = client_hello->renegotiation_info();
614
615
12.5k
      if(data != secure_renegotiation_data_for_client_hello())
616
2
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
617
2
                             "Client sent bad values for secure renegotiation");
618
12.5k
      }
619
21.3k
   }
620
621
void Channel_Impl_12::secure_renegotiation_check(const Server_Hello_12* server_hello)
622
19.7k
   {
623
19.7k
   const bool secure_renegotiation = server_hello->secure_renegotiation();
624
625
19.7k
   if(auto active = active_state())
626
0
      {
627
0
      const bool active_sr = active->server_hello()->secure_renegotiation();
628
629
0
      if(active_sr != secure_renegotiation)
630
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
631
0
                             "Server changed its mind about secure renegotiation");
632
0
      }
633
634
19.7k
   if(secure_renegotiation)
635
11.0k
      {
636
11.0k
      const std::vector<uint8_t>& data = server_hello->renegotiation_info();
637
638
11.0k
      if(data != secure_renegotiation_data_for_server_hello())
639
0
         throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
640
0
                             "Server sent bad values for secure renegotiation");
641
11.0k
      }
642
19.7k
   }
643
644
std::vector<uint8_t> Channel_Impl_12::secure_renegotiation_data_for_client_hello() const
645
13.9k
   {
646
13.9k
   if(auto active = active_state())
647
0
      return active->client_finished()->verify_data();
648
13.9k
   return std::vector<uint8_t>();
649
13.9k
   }
650
651
std::vector<uint8_t> Channel_Impl_12::secure_renegotiation_data_for_server_hello() const
652
30.8k
   {
653
30.8k
   if(auto active = active_state())
654
0
      {
655
0
      std::vector<uint8_t> buf = active->client_finished()->verify_data();
656
0
      buf += active->server_finished()->verify_data();
657
0
      return buf;
658
0
      }
659
660
30.8k
   return std::vector<uint8_t>();
661
30.8k
   }
662
663
bool Channel_Impl_12::secure_renegotiation_supported() const
664
0
   {
665
0
   if(auto active = active_state())
666
0
      return active->server_hello()->secure_renegotiation();
667
668
0
   if(auto pending = pending_state())
669
0
      if(auto hello = pending->server_hello())
670
0
         return hello->secure_renegotiation();
671
672
0
   return false;
673
0
   }
674
675
SymmetricKey Channel_Impl_12::key_material_export(const std::string& label,
676
      const std::string& context,
677
      size_t length) const
678
0
   {
679
0
   if(auto active = active_state())
680
0
      {
681
0
      if(pending_state() != nullptr)
682
0
         { throw Invalid_State("Channel_Impl_12::key_material_export cannot export during renegotiation"); }
683
684
0
      auto prf = active->protocol_specific_prf();
685
686
0
      const secure_vector<uint8_t>& master_secret =
687
0
         active->session_keys().master_secret();
688
689
0
      std::vector<uint8_t> salt;
690
0
      salt += active->client_hello()->random();
691
0
      salt += active->server_hello()->random();
692
693
0
      if(!context.empty())
694
0
         {
695
0
         size_t context_size = context.length();
696
0
         if(context_size > 0xFFFF)
697
0
            throw Invalid_Argument("key_material_export context is too long");
698
0
         salt.push_back(get_byte<0>(static_cast<uint16_t>(context_size)));
699
0
         salt.push_back(get_byte<1>(static_cast<uint16_t>(context_size)));
700
0
         salt += to_byte_vector(context);
701
0
         }
702
703
0
      return prf->derive_key(length, master_secret, salt, to_byte_vector(label));
704
0
      }
705
0
   else
706
0
      {
707
0
      throw Invalid_State("Channel_Impl_12::key_material_export connection not active");
708
0
      }
709
0
   }
710
711
}