/src/botan/src/lib/tls/tls13/tls_channel_impl_13.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * TLS Channel - implementation for TLS 1.3 |
3 | | * (C) 2022 Jack Lloyd |
4 | | * 2021 Elektrobit Automotive GmbH |
5 | | * 2022 Hannes Rantzsch, René Meusel - neXenio GmbH |
6 | | * |
7 | | * Botan is released under the Simplified BSD License (see license.txt) |
8 | | */ |
9 | | |
10 | | #include <botan/internal/tls_channel_impl_13.h> |
11 | | |
12 | | #include <botan/hash.h> |
13 | | #include <botan/internal/tls_cipher_state.h> |
14 | | #include <botan/internal/tls_handshake_state.h> |
15 | | #include <botan/internal/tls_record.h> |
16 | | #include <botan/internal/tls_seq_numbers.h> |
17 | | #include <botan/internal/stl_util.h> |
18 | | #include <botan/tls_messages.h> |
19 | | |
20 | | namespace { |
21 | | bool is_user_canceled_alert(const Botan::TLS::Alert& alert) |
22 | 0 | { |
23 | 0 | return alert.type() == Botan::TLS::Alert::USER_CANCELED; |
24 | 0 | } |
25 | | |
26 | | bool is_close_notify_alert(const Botan::TLS::Alert& alert) |
27 | 0 | { |
28 | 0 | return alert.type() == Botan::TLS::Alert::CLOSE_NOTIFY; |
29 | 0 | } |
30 | | |
31 | | bool is_error_alert(const Botan::TLS::Alert& alert) |
32 | 0 | { |
33 | | // In TLS 1.3 all alerts except for closure alerts are considered error alerts. |
34 | | // (RFC 8446 6.) |
35 | 0 | return !is_close_notify_alert(alert) && !is_user_canceled_alert(alert); |
36 | 0 | } |
37 | | } |
38 | | |
39 | | namespace Botan::TLS { |
40 | | |
41 | | Channel_Impl_13::Channel_Impl_13(Callbacks& callbacks, |
42 | | Session_Manager& session_manager, |
43 | | Credentials_Manager& credentials_manager, |
44 | | RandomNumberGenerator& rng, |
45 | | const Policy& policy, |
46 | | bool is_server) : |
47 | | m_side(is_server ? Connection_Side::SERVER : Connection_Side::CLIENT), |
48 | | m_callbacks(callbacks), |
49 | | m_session_manager(session_manager), |
50 | | m_credentials_manager(credentials_manager), |
51 | | m_rng(rng), |
52 | | m_policy(policy), |
53 | | m_record_layer(m_side), |
54 | | m_handshake_layer(m_side), |
55 | | m_can_read(true), |
56 | | m_can_write(true), |
57 | | m_opportunistic_key_update(false), |
58 | | m_first_message_sent(false), |
59 | | m_first_message_received(false) |
60 | 0 | { |
61 | 0 | } |
62 | | |
63 | 0 | Channel_Impl_13::~Channel_Impl_13() = default; |
64 | | |
65 | | size_t Channel_Impl_13::received_data(const uint8_t input[], size_t input_size) |
66 | 0 | { |
67 | 0 | BOTAN_STATE_CHECK(!is_downgrading()); |
68 | | |
69 | | // RFC 8446 6.1 |
70 | | // Any data received after a closure alert has been received MUST be ignored. |
71 | 0 | if(!m_can_read) |
72 | 0 | { return 0; } |
73 | | |
74 | 0 | try |
75 | 0 | { |
76 | 0 | if(expects_downgrade()) |
77 | 0 | { preserve_peer_transcript(input, input_size); } |
78 | |
|
79 | 0 | m_record_layer.copy_data(input, input_size); |
80 | |
|
81 | 0 | while(true) |
82 | 0 | { |
83 | | // RFC 8446 6.1 |
84 | | // Any data received after a closure alert has been received MUST be ignored. |
85 | | // |
86 | | // ... this data might already be in the record layer's read buffer. |
87 | 0 | if(!m_can_read) |
88 | 0 | { return 0; } |
89 | | |
90 | 0 | auto result = m_record_layer.next_record(m_cipher_state.get()); |
91 | |
|
92 | 0 | if(std::holds_alternative<BytesNeeded>(result)) |
93 | 0 | { return std::get<BytesNeeded>(result); } |
94 | | |
95 | 0 | const auto& record = std::get<Record>(result); |
96 | | |
97 | | // RFC 8446 5.1 |
98 | | // Handshake messages MUST NOT be interleaved with other record types. |
99 | 0 | if(record.type != HANDSHAKE && m_handshake_layer.has_pending_data()) |
100 | 0 | { throw Unexpected_Message("Expected remainder of a handshake message"); } |
101 | | |
102 | 0 | if(record.type == HANDSHAKE) |
103 | 0 | { |
104 | 0 | m_handshake_layer.copy_data(record.fragment); |
105 | |
|
106 | 0 | if(!handshake_finished()) |
107 | 0 | { |
108 | 0 | while(auto handshake_msg = m_handshake_layer.next_message(policy(), m_transcript_hash)) |
109 | 0 | { |
110 | | // RFC 8446 5.1 |
111 | | // Handshake messages MUST NOT span key changes. Implementations |
112 | | // MUST verify that all messages immediately preceding a key change |
113 | | // align with a record boundary; if not, then they MUST terminate the |
114 | | // connection with an "unexpected_message" alert. Because the |
115 | | // ClientHello, EndOfEarlyData, ServerHello, Finished, and KeyUpdate |
116 | | // messages can immediately precede a key change, implementations |
117 | | // MUST send these messages in alignment with a record boundary. |
118 | | // |
119 | | // Note: Hello_Retry_Request was added to the list below although it cannot immediately precede a key change. |
120 | | // However, there cannot be any further sensible messages in the record after HRR. |
121 | | // |
122 | | // Note: Server_Hello_12 was deliberately not included in the check below because in TLS 1.2 Server Hello and |
123 | | // other handshake messages can be legally coalesced in a single record. |
124 | | // |
125 | 0 | if(holds_any_of<Client_Hello_13/*, EndOfEarlyData,*/, Server_Hello_13, Hello_Retry_Request, Finished_13> |
126 | 0 | (handshake_msg.value()) |
127 | 0 | && m_handshake_layer.has_pending_data()) |
128 | 0 | { throw Unexpected_Message("Unexpected additional handshake message data found in record"); } |
129 | | |
130 | 0 | const bool downgrade_requested = std::holds_alternative<Server_Hello_12>(handshake_msg.value()); |
131 | |
|
132 | 0 | process_handshake_msg(std::move(handshake_msg.value())); |
133 | |
|
134 | 0 | if(downgrade_requested) |
135 | 0 | { |
136 | | // Downgrade to TLS 1.2 was detected. Stop everything we do and await being replaced by a 1.2 implementation. |
137 | 0 | BOTAN_STATE_CHECK(m_downgrade_info); |
138 | 0 | m_downgrade_info->will_downgrade = true; |
139 | 0 | return 0; |
140 | 0 | } |
141 | 0 | else if(m_downgrade_info != nullptr) |
142 | 0 | { |
143 | | // We received a TLS 1.3 error alert that could have been a TLS 1.2 warning alert. |
144 | | // Now that we know that we are talking to a TLS 1.3 server, shut down. |
145 | 0 | if(m_downgrade_info->received_tls_13_error_alert) |
146 | 0 | shutdown(); |
147 | | |
148 | | // Downgrade can only happen if the first received message is a Server_Hello_12. This was not the case. |
149 | 0 | m_downgrade_info.reset(); |
150 | 0 | } |
151 | | |
152 | | // After the initial handshake message is received, the record |
153 | | // layer must be more restrictive. |
154 | | // See RFC 8446 5.1 regarding "legacy_record_version" |
155 | 0 | if(!m_first_message_received) |
156 | 0 | { |
157 | 0 | m_record_layer.disable_receiving_compat_mode(); |
158 | 0 | m_first_message_received = true; |
159 | 0 | } |
160 | 0 | } |
161 | 0 | } |
162 | 0 | else |
163 | 0 | { |
164 | 0 | while(auto handshake_msg = m_handshake_layer.next_post_handshake_message(policy())) |
165 | 0 | { |
166 | | // make sure Key_Update appears only at the end of a record; see description above |
167 | 0 | if(std::holds_alternative<Key_Update>(handshake_msg.value()) && m_handshake_layer.has_pending_data()) |
168 | 0 | { throw Unexpected_Message("Unexpected additional post-handshake message data found in record"); } |
169 | | |
170 | 0 | process_post_handshake_msg(std::move(handshake_msg.value())); |
171 | 0 | } |
172 | 0 | } |
173 | 0 | } |
174 | 0 | else if(record.type == CHANGE_CIPHER_SPEC) |
175 | 0 | { |
176 | 0 | process_dummy_change_cipher_spec(); |
177 | 0 | } |
178 | 0 | else if(record.type == APPLICATION_DATA) |
179 | 0 | { |
180 | 0 | BOTAN_ASSERT(record.seq_no.has_value(), "decrypted application traffic had a sequence number"); |
181 | 0 | callbacks().tls_record_received(record.seq_no.value(), record.fragment.data(), record.fragment.size()); |
182 | 0 | } |
183 | 0 | else if(record.type == ALERT) |
184 | 0 | { |
185 | 0 | process_alert(record.fragment); |
186 | 0 | } |
187 | 0 | else |
188 | 0 | { throw Unexpected_Message("Unexpected record type " + std::to_string(record.type) + " from counterparty"); } |
189 | 0 | } |
190 | 0 | } |
191 | 0 | catch(TLS_Exception& e) |
192 | 0 | { |
193 | 0 | send_fatal_alert(e.type()); |
194 | 0 | throw; |
195 | 0 | } |
196 | 0 | catch(Invalid_Authentication_Tag&) |
197 | 0 | { |
198 | | // RFC 8446 5.2 |
199 | | // If the decryption fails, the receiver MUST terminate the connection |
200 | | // with a "bad_record_mac" alert. |
201 | 0 | send_fatal_alert(Alert::BAD_RECORD_MAC); |
202 | 0 | throw; |
203 | 0 | } |
204 | 0 | catch(Decoding_Error&) |
205 | 0 | { |
206 | 0 | send_fatal_alert(Alert::DECODE_ERROR); |
207 | 0 | throw; |
208 | 0 | } |
209 | 0 | catch(...) |
210 | 0 | { |
211 | 0 | send_fatal_alert(Alert::INTERNAL_ERROR); |
212 | 0 | throw; |
213 | 0 | } |
214 | 0 | } |
215 | | |
216 | | |
217 | | Channel_Impl_13::AggregatedMessages::AggregatedMessages(Channel_Impl_13& channel, |
218 | | Handshake_Layer& handshake_layer, |
219 | | Transcript_Hash_State& transcript_hash) |
220 | | : m_channel(channel) |
221 | | , m_handshake_layer(handshake_layer) |
222 | | , m_transcript_hash(transcript_hash) |
223 | 0 | {} |
224 | | |
225 | | Channel_Impl_13::AggregatedMessages& |
226 | | Channel_Impl_13::AggregatedMessages::add(const Handshake_Message_13_Ref message) |
227 | 0 | { |
228 | 0 | std::visit([&](const auto msg) { m_channel.callbacks().tls_inspect_handshake_msg(msg.get()); }, message); Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13> >(std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Server_Hello_13> >(std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Server_Hello_12> >(std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request> >(std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions> >(std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Certificate_13> >(std::__1::reference_wrapper<Botan::TLS::Certificate_13>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13> >(std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13> >(std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>) const Unexecuted instantiation: tls_channel_impl_13.cpp:auto Botan::TLS::Channel_Impl_13::AggregatedMessages::add(std::__1::variant<std::__1::reference_wrapper<Botan::TLS::Client_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_13>, std::__1::reference_wrapper<Botan::TLS::Server_Hello_12>, std::__1::reference_wrapper<Botan::TLS::Hello_Retry_Request>, std::__1::reference_wrapper<Botan::TLS::Encrypted_Extensions>, std::__1::reference_wrapper<Botan::TLS::Certificate_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Request_13>, std::__1::reference_wrapper<Botan::TLS::Certificate_Verify_13>, std::__1::reference_wrapper<Botan::TLS::Finished_13> >)::$_0::operator()<std::__1::reference_wrapper<Botan::TLS::Finished_13> >(std::__1::reference_wrapper<Botan::TLS::Finished_13>) const |
229 | 0 | m_message_buffer += m_handshake_layer.prepare_message(message, m_transcript_hash); |
230 | 0 | return *this; |
231 | 0 | } |
232 | | |
233 | | std::vector<uint8_t> Channel_Impl_13::AggregatedMessages::send() |
234 | 0 | { |
235 | 0 | BOTAN_STATE_CHECK(!m_message_buffer.empty()); |
236 | 0 | m_channel.send_record(Record_Type::HANDSHAKE, m_message_buffer); |
237 | 0 | return std::exchange(m_message_buffer, {}); |
238 | 0 | } |
239 | | |
240 | | void Channel_Impl_13::send_post_handshake_message(const Post_Handshake_Message_13 message) |
241 | 0 | { |
242 | 0 | send_record(Record_Type::HANDSHAKE, m_handshake_layer.prepare_post_handshake_message(message)); |
243 | 0 | } |
244 | | |
245 | | void Channel_Impl_13::send_dummy_change_cipher_spec() |
246 | 0 | { |
247 | | // RFC 8446 5. |
248 | | // The change_cipher_spec record is used only for compatibility purposes |
249 | | // (see Appendix D.4). |
250 | | // |
251 | | // The only allowed CCS message content is 0x01, all other CCS records MUST |
252 | | // be rejected by TLS 1.3 implementations. |
253 | 0 | send_record(Record_Type::CHANGE_CIPHER_SPEC, {0x01}); |
254 | 0 | } |
255 | | |
256 | | void Channel_Impl_13::send(const uint8_t buf[], size_t buf_size) |
257 | 0 | { |
258 | 0 | if(!is_active()) |
259 | 0 | { throw Invalid_State("Data cannot be sent on inactive TLS connection"); } |
260 | | |
261 | | // RFC 8446 4.6.3 |
262 | | // If the request_update field [of a received KeyUpdate] is set to |
263 | | // "update_requested", then the receiver MUST send a KeyUpdate of its own |
264 | | // with request_update set to "update_not_requested" prior to sending its |
265 | | // next Application Data record. |
266 | | // This mechanism allows either side to force an update to the entire |
267 | | // connection, but causes an implementation which receives multiple |
268 | | // KeyUpdates while it is silent to respond with a single update. |
269 | 0 | if(m_opportunistic_key_update) |
270 | 0 | { |
271 | 0 | update_traffic_keys(false /* update_requested */); |
272 | 0 | m_opportunistic_key_update = false; |
273 | 0 | } |
274 | |
|
275 | 0 | send_record(Record_Type::APPLICATION_DATA, {buf, buf+buf_size}); |
276 | 0 | } |
277 | | |
278 | | void Channel_Impl_13::send_alert(const Alert& alert) |
279 | 0 | { |
280 | 0 | if(alert.is_valid() && m_can_write) |
281 | 0 | { |
282 | 0 | try |
283 | 0 | { |
284 | 0 | send_record(Record_Type::ALERT, alert.serialize()); |
285 | 0 | } |
286 | 0 | catch(...) { /* swallow it */ } |
287 | 0 | } |
288 | | |
289 | | // Note: In TLS 1.3 sending a CLOSE_NOTIFY must not immediately lead to closing the reading end. |
290 | | // RFC 8446 6.1 |
291 | | // Each party MUST send a "close_notify" alert before closing its write |
292 | | // side of the connection, unless it has already sent some error alert. |
293 | | // This does not have any effect on its read side of the connection. |
294 | 0 | if(is_close_notify_alert(alert) && m_can_write) |
295 | 0 | { |
296 | 0 | BOTAN_ASSERT_NONNULL(m_cipher_state); |
297 | 0 | m_can_write = false; |
298 | 0 | m_cipher_state->clear_write_keys(); |
299 | 0 | } |
300 | |
|
301 | 0 | if(is_error_alert(alert)) |
302 | 0 | { shutdown(); } |
303 | 0 | } |
304 | | |
305 | | bool Channel_Impl_13::is_active() const |
306 | 0 | { |
307 | 0 | return |
308 | 0 | m_cipher_state != nullptr && m_cipher_state->can_encrypt_application_traffic() // handshake done |
309 | 0 | && m_can_write; // close() hasn't been called |
310 | 0 | } |
311 | | |
312 | | SymmetricKey Channel_Impl_13::key_material_export(const std::string& label, |
313 | | const std::string& context, |
314 | | size_t length) const |
315 | 0 | { |
316 | 0 | BOTAN_STATE_CHECK(!is_downgrading()); |
317 | 0 | BOTAN_STATE_CHECK(m_cipher_state != nullptr && m_cipher_state->can_export_keys()); |
318 | 0 | return m_cipher_state->export_key(label, context, length); |
319 | 0 | } |
320 | | |
321 | | void Channel_Impl_13::update_traffic_keys(bool request_peer_update) |
322 | 0 | { |
323 | 0 | BOTAN_STATE_CHECK(!is_downgrading()); |
324 | 0 | BOTAN_STATE_CHECK(handshake_finished()); |
325 | 0 | BOTAN_ASSERT_NONNULL(m_cipher_state); |
326 | 0 | send_post_handshake_message(Key_Update(request_peer_update)); |
327 | 0 | m_cipher_state->update_write_keys(); |
328 | 0 | } |
329 | | |
330 | | void Channel_Impl_13::send_record(uint8_t record_type, const std::vector<uint8_t>& record) |
331 | 0 | { |
332 | 0 | BOTAN_STATE_CHECK(!is_downgrading()); |
333 | 0 | BOTAN_STATE_CHECK(m_can_write); |
334 | |
|
335 | 0 | const auto type = static_cast<Record_Type>(record_type); |
336 | 0 | auto to_write = m_record_layer.prepare_records(type, record, m_cipher_state.get()); |
337 | | |
338 | | // After the initial handshake message is sent, the record layer must |
339 | | // adhere to a more strict record specification. Note that for the |
340 | | // server case this is a NOOP. |
341 | | // See (RFC 8446 5.1. regarding "legacy_record_version") |
342 | 0 | if(!m_first_message_sent && type == Record_Type::HANDSHAKE) |
343 | 0 | { |
344 | 0 | m_record_layer.disable_sending_compat_mode(); |
345 | 0 | m_first_message_sent = true; |
346 | 0 | } |
347 | | |
348 | | // The dummy CCS must not be prepended if the following record is |
349 | | // an unprotected Alert record. |
350 | 0 | if(prepend_ccs() && (m_cipher_state || record_type != Record_Type::ALERT)) |
351 | 0 | { |
352 | 0 | const auto ccs = m_record_layer.prepare_records(Record_Type::CHANGE_CIPHER_SPEC, {0x01}, m_cipher_state.get()); |
353 | 0 | to_write = concat(ccs, to_write); |
354 | 0 | } |
355 | |
|
356 | 0 | callbacks().tls_emit_data(to_write.data(), to_write.size()); |
357 | 0 | } |
358 | | |
359 | | void Channel_Impl_13::process_alert(const secure_vector<uint8_t>& record) |
360 | 0 | { |
361 | 0 | Alert alert(record); |
362 | |
|
363 | 0 | if(is_close_notify_alert(alert)) |
364 | 0 | { |
365 | 0 | m_can_read = false; |
366 | 0 | if(m_cipher_state) |
367 | 0 | m_cipher_state->clear_read_keys(); |
368 | 0 | m_record_layer.clear_read_buffer(); |
369 | 0 | } |
370 | | |
371 | | // user canceled alerts are ignored |
372 | | |
373 | | // TODO: the server doesn't have to expect downgrading; move this to the client |
374 | 0 | if(!expects_downgrade()) |
375 | 0 | { |
376 | | // RFC 8446 5. |
377 | | // All the alerts listed in Section 6.2 MUST be sent with |
378 | | // AlertLevel=fatal and MUST be treated as error alerts when received |
379 | | // regardless of the AlertLevel in the message. Unknown Alert types |
380 | | // MUST be treated as error alerts. |
381 | 0 | if(is_error_alert(alert) && !alert.is_fatal()) |
382 | 0 | { |
383 | 0 | throw TLS_Exception(Alert::DECODE_ERROR, "Error alert not marked fatal"); // will shutdown in send_alert |
384 | 0 | } |
385 | 0 | } |
386 | 0 | else |
387 | 0 | { |
388 | | // Don't immediately shut down in case we might be dealing with a TLS 1.2 server. In this case, |
389 | | // we cannot immediately shut down on alerts that are warnings in TLS 1.2. |
390 | | // However, if the server turns out to _not_ downgrade, treat this as an error and do shut down. |
391 | | // Note that this should not happen with a valid implementation, as the TLS 1.3 server shouldn't |
392 | | // send a SERVER HELLO after the alert. |
393 | 0 | if(is_error_alert(alert)) |
394 | 0 | m_downgrade_info->received_tls_13_error_alert = true; |
395 | 0 | } |
396 | | |
397 | 0 | if(alert.is_fatal()) |
398 | 0 | shutdown(); |
399 | |
|
400 | 0 | callbacks().tls_alert(alert); |
401 | 0 | } |
402 | | |
403 | | void Channel_Impl_13::shutdown() |
404 | 0 | { |
405 | | // RFC 8446 6.2 |
406 | | // Upon transmission or receipt of a fatal alert message, both |
407 | | // parties MUST immediately close the connection. |
408 | 0 | m_can_read = false; |
409 | 0 | m_can_write = false; |
410 | 0 | m_cipher_state.reset(); |
411 | 0 | } |
412 | | |
413 | | void Channel_Impl_13::expect_downgrade(const Server_Information& server_info) |
414 | 0 | { |
415 | 0 | Downgrade_Information di |
416 | 0 | { |
417 | 0 | {}, |
418 | 0 | {}, |
419 | 0 | server_info, |
420 | 0 | callbacks(), |
421 | 0 | session_manager(), |
422 | 0 | credentials_manager(), |
423 | 0 | rng(), |
424 | 0 | policy(), |
425 | 0 | false, // received_tls_13_error_alert |
426 | 0 | false // will_downgrade |
427 | 0 | }; |
428 | 0 | m_downgrade_info = std::make_unique<Downgrade_Information>(std::move(di)); |
429 | 0 | } |
430 | | |
431 | | void Channel_Impl_13::set_record_size_limits(const uint16_t outgoing_limit, |
432 | | const uint16_t incoming_limit) |
433 | 0 | { |
434 | 0 | m_record_layer.set_record_size_limits(outgoing_limit, incoming_limit); |
435 | 0 | } |
436 | | |
437 | | } |