bool Protocol_Version::operator>(const Protocol_Version& other) const
{
if(this->is_datagram_protocol() != other.is_datagram_protocol())
throw TLS_Exception(Alert::PROTOCOL_VERSION,
"Version comparing " + to_string() +
" with " + other.to_string());
if(this->is_datagram_protocol())
return m_version < other.m_version; // goes backwards
return m_version > other.m_version;
}
/**
* Deserialize a Server Key Exchange message
*/
Server_Key_Exchange::Server_Key_Exchange(const std::vector<byte>& buf,
const std::string& kex_algo,
const std::string& sig_algo,
Protocol_Version version)
{
TLS_Data_Reader reader("ServerKeyExchange", buf);
/*
* Here we are deserializing enough to find out what offset the
* signature is at. All processing is done when the Client Key Exchange
* is prepared.
*/
if(kex_algo == "PSK" || kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK")
{
reader.get_string(2, 0, 65535); // identity hint
}
if(kex_algo == "DH" || kex_algo == "DHE_PSK")
{
// 3 bigints, DH p, g, Y
for(size_t i = 0; i != 3; ++i)
{
reader.get_range<byte>(2, 1, 65535);
}
}
else if(kex_algo == "ECDH" || kex_algo == "ECDHE_PSK")
{
reader.get_byte(); // curve type
reader.get_u16bit(); // curve id
reader.get_range<byte>(1, 1, 255); // public key
}
else if(kex_algo == "SRP_SHA")
{
// 2 bigints (N,g) then salt, then server B
reader.get_range<byte>(2, 1, 65535);
reader.get_range<byte>(2, 1, 65535);
reader.get_range<byte>(1, 1, 255);
reader.get_range<byte>(2, 1, 65535);
}
else if(kex_algo != "PSK")
throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_algo);
m_params.assign(buf.data(), buf.data() + reader.read_so_far());
if(sig_algo != "")
{
if(version.supports_negotiable_signature_algorithms())
{
m_hash_algo = Signature_Algorithms::hash_algo_name(reader.get_byte());
m_sig_algo = Signature_Algorithms::sig_algo_name(reader.get_byte());
}
m_signature = reader.get_range<byte>(2, 0, 65535);
}
reader.assert_done();
}
std::vector<u16bit> Policy::ciphersuite_list(Protocol_Version version,
bool have_srp) const
{
const std::vector<std::string> ciphers = allowed_ciphers();
const std::vector<std::string> macs = allowed_macs();
const std::vector<std::string> kex = allowed_key_exchange_methods();
const std::vector<std::string> sigs = allowed_signature_methods();
std::vector<Ciphersuite> ciphersuites;
for(auto&& suite : Ciphersuite::all_known_ciphersuites())
{
// Can we use it?
if(suite.valid() == false)
continue;
// Is it acceptable to the policy?
if(!this->acceptable_ciphersuite(suite))
continue;
// Are we doing SRP?
if(!have_srp && suite.kex_algo() == "SRP_SHA")
continue;
// Are we doing AEAD in a non-AEAD version
if(!version.supports_aead_modes() && suite.mac_algo() == "AEAD")
continue;
if(!value_exists(kex, suite.kex_algo()))
continue; // unsupported key exchange
if(!value_exists(ciphers, suite.cipher_algo()))
continue; // unsupported cipher
if(!value_exists(macs, suite.mac_algo()))
continue; // unsupported MAC algo
if(!value_exists(sigs, suite.sig_algo()))
{
// allow if it's an empty sig algo and we want to use PSK
if(suite.sig_algo() != "" || !suite.psk_ciphersuite())
continue;
}
// OK, consider it
ciphersuites.push_back(suite);
}
if(ciphersuites.empty())
throw Exception("Policy does not allow any available cipher suite");
Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs);
std::sort(ciphersuites.begin(), ciphersuites.end(), order);
std::vector<u16bit> ciphersuite_codes;
for(auto i : ciphersuites)
ciphersuite_codes.push_back(i.ciphersuite_code());
return ciphersuite_codes;
}
/*
* Deserialize a Certificate Verify message
*/
Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf,
Protocol_Version version)
{
TLS_Data_Reader reader("CertificateVerify", buf);
if(version.supports_negotiable_signature_algorithms())
{
m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
}
m_signature = reader.get_range<uint8_t>(2, 0, 65535);
}
/*
* Deserialize a Certificate Verify message
*/
Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf,
Protocol_Version version)
{
TLS_Data_Reader reader("CertificateVerify", buf);
if(version.supports_negotiable_signature_algorithms())
{
m_hash_algo = Signature_Algorithms::hash_algo_name(reader.get_byte());
m_sig_algo = Signature_Algorithms::sig_algo_name(reader.get_byte());
}
m_signature = reader.get_range<uint8_t>(2, 0, 65535);
}
/**
* Deserialize a Certificate Request message
*/
Certificate_Req::Certificate_Req(const std::vector<byte>& buf,
Protocol_Version version)
{
if(buf.size() < 4)
throw Decoding_Error("Certificate_Req: Bad certificate request");
TLS_Data_Reader reader("CertificateRequest", buf);
std::vector<byte> cert_type_codes = reader.get_range_vector<byte>(1, 1, 255);
for(size_t i = 0; i != cert_type_codes.size(); ++i)
{
const std::string cert_type_name = cert_type_code_to_name(cert_type_codes[i]);
if(cert_type_name.empty()) // something we don't know
continue;
m_cert_key_types.push_back(cert_type_name);
}
if(version.supports_negotiable_signature_algorithms())
{
std::vector<byte> sig_hash_algs = reader.get_range_vector<byte>(2, 2, 65534);
if(sig_hash_algs.size() % 2 != 0)
throw Decoding_Error("Bad length for signature IDs in certificate request");
for(size_t i = 0; i != sig_hash_algs.size(); i += 2)
{
std::string hash = Signature_Algorithms::hash_algo_name(sig_hash_algs[i]);
std::string sig = Signature_Algorithms::sig_algo_name(sig_hash_algs[i+1]);
m_supported_algos.push_back(std::make_pair(hash, sig));
}
}
const u16bit purported_size = reader.get_u16bit();
if(reader.remaining_bytes() != purported_size)
throw Decoding_Error("Inconsistent length in certificate request");
while(reader.has_remaining())
{
std::vector<byte> name_bits = reader.get_range_vector<byte>(2, 0, 65535);
BER_Decoder decoder(name_bits.data(), name_bits.size());
X509_DN name;
decoder.decode(name);
m_names.push_back(name);
}
}
/**
* Create a new Certificate Request message
*/
Certificate_Req::Certificate_Req(Handshake_IO& io,
Handshake_Hash& hash,
const Policy& policy,
const std::vector<X509_DN>& ca_certs,
Protocol_Version version) :
m_names(ca_certs),
m_cert_key_types({ "RSA", "DSA", "ECDSA" })
{
if(version.supports_negotiable_signature_algorithms())
{
std::vector<std::string> hashes = policy.allowed_signature_hashes();
std::vector<std::string> sigs = policy.allowed_signature_methods();
for(size_t i = 0; i != hashes.size(); ++i)
for(size_t j = 0; j != sigs.size(); ++j)
m_supported_algos.push_back(std::make_pair(hashes[i], sigs[j]));
}
hash.update(io.send(*this));
}
void Channel::process_handshake_ccs(const secure_vector<uint8_t>& record,
uint64_t record_sequence,
Record_Type record_type,
Protocol_Version record_version)
{
if(!m_pending_state)
{
// No pending handshake, possibly new:
if(record_version.is_datagram_protocol())
{
if(m_sequence_numbers)
{
/*
* Might be a peer retransmit under epoch - 1 in which
* case we must retransmit last flight
*/
sequence_numbers().read_accept(record_sequence);
const uint16_t epoch = record_sequence >> 48;
if(epoch == sequence_numbers().current_read_epoch())
{
create_handshake_state(record_version);
}
else if(epoch == sequence_numbers().current_read_epoch() - 1)
{
BOTAN_ASSERT(m_active_state, "Have active state here");
m_active_state->handshake_io().add_record(unlock(record),
record_type,
record_sequence);
}
}
else if(record_sequence == 0)
{
create_handshake_state(record_version);
}
}
else
{
/**
* Deserialize a Server Key Exchange message
*/
Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf,
const Kex_Algo kex_algo,
const Auth_Method auth_method,
Protocol_Version version)
{
TLS_Data_Reader reader("ServerKeyExchange", buf);
/*
* Here we are deserializing enough to find out what offset the
* signature is at. All processing is done when the Client Key Exchange
* is prepared.
*/
if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::DHE_PSK || kex_algo == Kex_Algo::ECDHE_PSK)
{
reader.get_string(2, 0, 65535); // identity hint
}
if(kex_algo == Kex_Algo::DH || kex_algo == Kex_Algo::DHE_PSK)
{
// 3 bigints, DH p, g, Y
for(size_t i = 0; i != 3; ++i)
{
reader.get_range<uint8_t>(2, 1, 65535);
}
}
else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK)
{
reader.get_byte(); // curve type
reader.get_uint16_t(); // curve id
reader.get_range<uint8_t>(1, 1, 255); // public key
}
else if(kex_algo == Kex_Algo::SRP_SHA)
{
// 2 bigints (N,g) then salt, then server B
reader.get_range<uint8_t>(2, 1, 65535);
reader.get_range<uint8_t>(2, 1, 65535);
reader.get_range<uint8_t>(1, 1, 255);
reader.get_range<uint8_t>(2, 1, 65535);
}
else if(kex_algo == Kex_Algo::CECPQ1)
{
// u16 blob
reader.get_range<uint8_t>(2, 1, 65535);
}
else if(kex_algo != Kex_Algo::PSK)
throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " +
kex_method_to_string(kex_algo));
m_params.assign(buf.data(), buf.data() + reader.read_so_far());
if(auth_method != Auth_Method::ANONYMOUS && auth_method != Auth_Method::IMPLICIT)
{
if(version.supports_negotiable_signature_algorithms())
{
m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
}
m_signature = reader.get_range<uint8_t>(2, 0, 65535);
}
reader.assert_done();
}
/*
* Create a new Client Key Exchange message
*/
Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io,
Handshake_State& state,
const Policy& policy,
Credentials_Manager& creds,
const Public_Key* server_public_key,
const std::string& hostname,
RandomNumberGenerator& rng)
{
const std::string kex_algo = state.ciphersuite().kex_algo();
if(kex_algo == "PSK")
{
std::string identity_hint = "";
if(state.server_kex())
{
TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params());
identity_hint = reader.get_string(2, 0, 65535);
}
const std::string psk_identity = creds.psk_identity("tls-client",
hostname,
identity_hint);
append_tls_length_value(m_key_material, psk_identity, 2);
SymmetricKey psk = creds.psk("tls-client", hostname, psk_identity);
std::vector<byte> zeros(psk.length());
append_tls_length_value(m_pre_master, zeros, 2);
append_tls_length_value(m_pre_master, psk.bits_of(), 2);
}
else if(state.server_kex())
{
TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params());
SymmetricKey psk;
if(kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK")
{
std::string identity_hint = reader.get_string(2, 0, 65535);
const std::string psk_identity = creds.psk_identity("tls-client",
hostname,
identity_hint);
append_tls_length_value(m_key_material, psk_identity, 2);
psk = creds.psk("tls-client", hostname, psk_identity);
}
if(kex_algo == "DH" || kex_algo == "DHE_PSK")
{
BigInt p = BigInt::decode(reader.get_range<byte>(2, 1, 65535));
BigInt g = BigInt::decode(reader.get_range<byte>(2, 1, 65535));
BigInt Y = BigInt::decode(reader.get_range<byte>(2, 1, 65535));
if(reader.remaining_bytes())
throw Decoding_Error("Bad params size for DH key exchange");
if(p.bits() < policy.minimum_dh_group_size())
throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
"Server sent DH group of " +
std::to_string(p.bits()) +
" bits, policy requires at least " +
std::to_string(policy.minimum_dh_group_size()));
/*
* A basic check for key validity. As we do not know q here we
* cannot check that Y is in the right subgroup. However since
* our key is ephemeral there does not seem to be any
* advantage to bogus keys anyway.
*/
if(Y <= 1 || Y >= p - 1)
throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
"Server sent bad DH key for DHE exchange");
DL_Group group(p, g);
if(!group.verify_group(rng, false))
throw TLS_Exception(Alert::INSUFFICIENT_SECURITY,
"DH group validation failed");
DH_PublicKey counterparty_key(group, Y);
DH_PrivateKey priv_key(rng, group);
PK_Key_Agreement ka(priv_key, "Raw");
secure_vector<byte> dh_secret = CT::strip_leading_zeros(
ka.derive_key(0, counterparty_key.public_value()).bits_of());
if(kex_algo == "DH")
m_pre_master = dh_secret;
else
{
append_tls_length_value(m_pre_master, dh_secret, 2);
append_tls_length_value(m_pre_master, psk.bits_of(), 2);
}
append_tls_length_value(m_key_material, priv_key.public_value(), 2);
}
else if(kex_algo == "ECDH" || kex_algo == "ECDHE_PSK")
{
const byte curve_type = reader.get_byte();
if(curve_type != 3)
throw Decoding_Error("Server sent non-named ECC curve");
const u16bit curve_id = reader.get_u16bit();
const std::string name = Supported_Elliptic_Curves::curve_id_to_name(curve_id);
if(name == "")
throw Decoding_Error("Server sent unknown named curve " + std::to_string(curve_id));
EC_Group group(name);
std::vector<byte> ecdh_key = reader.get_range<byte>(1, 1, 255);
ECDH_PublicKey counterparty_key(group, OS2ECP(ecdh_key, group.get_curve()));
ECDH_PrivateKey priv_key(rng, group);
PK_Key_Agreement ka(priv_key, "Raw");
secure_vector<byte> ecdh_secret =
ka.derive_key(0, counterparty_key.public_value()).bits_of();
if(kex_algo == "ECDH")
m_pre_master = ecdh_secret;
else
{
append_tls_length_value(m_pre_master, ecdh_secret, 2);
append_tls_length_value(m_pre_master, psk.bits_of(), 2);
}
append_tls_length_value(m_key_material, priv_key.public_value(), 1);
}
#if defined(BOTAN_HAS_SRP6)
else if(kex_algo == "SRP_SHA")
{
const BigInt N = BigInt::decode(reader.get_range<byte>(2, 1, 65535));
const BigInt g = BigInt::decode(reader.get_range<byte>(2, 1, 65535));
std::vector<byte> salt = reader.get_range<byte>(1, 1, 255);
const BigInt B = BigInt::decode(reader.get_range<byte>(2, 1, 65535));
const std::string srp_group = srp6_group_identifier(N, g);
const std::string srp_identifier =
creds.srp_identifier("tls-client", hostname);
const std::string srp_password =
creds.srp_password("tls-client", hostname, srp_identifier);
std::pair<BigInt, SymmetricKey> srp_vals =
srp6_client_agree(srp_identifier,
srp_password,
srp_group,
"SHA-1",
salt,
B,
rng);
append_tls_length_value(m_key_material, BigInt::encode(srp_vals.first), 2);
m_pre_master = srp_vals.second.bits_of();
}
#endif
else
{
throw Internal_Error("Client_Key_Exchange: Unknown kex " +
kex_algo);
}
reader.assert_done();
}
else
{
// No server key exchange msg better mean RSA kex + RSA key in cert
if(kex_algo != "RSA")
throw Unexpected_Message("No server kex but negotiated kex " + kex_algo);
if(!server_public_key)
throw Internal_Error("No server public key for RSA exchange");
if(auto rsa_pub = dynamic_cast<const RSA_PublicKey*>(server_public_key))
{
const Protocol_Version offered_version = state.client_hello()->version();
m_pre_master = rng.random_vec(48);
m_pre_master[0] = offered_version.major_version();
m_pre_master[1] = offered_version.minor_version();
PK_Encryptor_EME encryptor(*rsa_pub, "PKCS1v15");
const std::vector<byte> encrypted_key = encryptor.encrypt(m_pre_master, rng);
append_tls_length_value(m_key_material, encrypted_key, 2);
}
else
throw TLS_Exception(Alert::HANDSHAKE_FAILURE,
"Expected a RSA key in server cert but got " +
server_public_key->algo_name());
}
state.hash().update(io.send(*this));
}
bool Policy::send_fallback_scsv(Protocol_Version version) const
{
return version != latest_supported_version(version.is_datagram_protocol());
}
