bool Protocol_Version::operator>(const Protocol_Version& other) const { if(this->is_datagram_protocol() != other.is_datagram_protocol()) throw TLS_Exception(Alert::PROTOCOL_VERSION, "Version comparing " + to_string() + " with " + other.to_string()); if(this->is_datagram_protocol()) return m_version < other.m_version; // goes backwards return m_version > other.m_version; }
/** * Deserialize a Server Key Exchange message */ Server_Key_Exchange::Server_Key_Exchange(const std::vector<byte>& buf, const std::string& kex_algo, const std::string& sig_algo, Protocol_Version version) { TLS_Data_Reader reader("ServerKeyExchange", buf); /* * Here we are deserializing enough to find out what offset the * signature is at. All processing is done when the Client Key Exchange * is prepared. */ if(kex_algo == "PSK" || kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK") { reader.get_string(2, 0, 65535); // identity hint } if(kex_algo == "DH" || kex_algo == "DHE_PSK") { // 3 bigints, DH p, g, Y for(size_t i = 0; i != 3; ++i) { reader.get_range<byte>(2, 1, 65535); } } else if(kex_algo == "ECDH" || kex_algo == "ECDHE_PSK") { reader.get_byte(); // curve type reader.get_u16bit(); // curve id reader.get_range<byte>(1, 1, 255); // public key } else if(kex_algo == "SRP_SHA") { // 2 bigints (N,g) then salt, then server B reader.get_range<byte>(2, 1, 65535); reader.get_range<byte>(2, 1, 65535); reader.get_range<byte>(1, 1, 255); reader.get_range<byte>(2, 1, 65535); } else if(kex_algo != "PSK") throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_algo); m_params.assign(buf.data(), buf.data() + reader.read_so_far()); if(sig_algo != "") { if(version.supports_negotiable_signature_algorithms()) { m_hash_algo = Signature_Algorithms::hash_algo_name(reader.get_byte()); m_sig_algo = Signature_Algorithms::sig_algo_name(reader.get_byte()); } m_signature = reader.get_range<byte>(2, 0, 65535); } reader.assert_done(); }
std::vector<u16bit> Policy::ciphersuite_list(Protocol_Version version, bool have_srp) const { const std::vector<std::string> ciphers = allowed_ciphers(); const std::vector<std::string> macs = allowed_macs(); const std::vector<std::string> kex = allowed_key_exchange_methods(); const std::vector<std::string> sigs = allowed_signature_methods(); std::vector<Ciphersuite> ciphersuites; for(auto&& suite : Ciphersuite::all_known_ciphersuites()) { // Can we use it? if(suite.valid() == false) continue; // Is it acceptable to the policy? if(!this->acceptable_ciphersuite(suite)) continue; // Are we doing SRP? if(!have_srp && suite.kex_algo() == "SRP_SHA") continue; // Are we doing AEAD in a non-AEAD version if(!version.supports_aead_modes() && suite.mac_algo() == "AEAD") continue; if(!value_exists(kex, suite.kex_algo())) continue; // unsupported key exchange if(!value_exists(ciphers, suite.cipher_algo())) continue; // unsupported cipher if(!value_exists(macs, suite.mac_algo())) continue; // unsupported MAC algo if(!value_exists(sigs, suite.sig_algo())) { // allow if it's an empty sig algo and we want to use PSK if(suite.sig_algo() != "" || !suite.psk_ciphersuite()) continue; } // OK, consider it ciphersuites.push_back(suite); } if(ciphersuites.empty()) throw Exception("Policy does not allow any available cipher suite"); Ciphersuite_Preference_Ordering order(ciphers, macs, kex, sigs); std::sort(ciphersuites.begin(), ciphersuites.end(), order); std::vector<u16bit> ciphersuite_codes; for(auto i : ciphersuites) ciphersuite_codes.push_back(i.ciphersuite_code()); return ciphersuite_codes; }
/* * Deserialize a Certificate Verify message */ Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf, Protocol_Version version) { TLS_Data_Reader reader("CertificateVerify", buf); if(version.supports_negotiable_signature_algorithms()) { m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t()); } m_signature = reader.get_range<uint8_t>(2, 0, 65535); }
/* * Deserialize a Certificate Verify message */ Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf, Protocol_Version version) { TLS_Data_Reader reader("CertificateVerify", buf); if(version.supports_negotiable_signature_algorithms()) { m_hash_algo = Signature_Algorithms::hash_algo_name(reader.get_byte()); m_sig_algo = Signature_Algorithms::sig_algo_name(reader.get_byte()); } m_signature = reader.get_range<uint8_t>(2, 0, 65535); }
/** * Deserialize a Certificate Request message */ Certificate_Req::Certificate_Req(const std::vector<byte>& buf, Protocol_Version version) { if(buf.size() < 4) throw Decoding_Error("Certificate_Req: Bad certificate request"); TLS_Data_Reader reader("CertificateRequest", buf); std::vector<byte> cert_type_codes = reader.get_range_vector<byte>(1, 1, 255); for(size_t i = 0; i != cert_type_codes.size(); ++i) { const std::string cert_type_name = cert_type_code_to_name(cert_type_codes[i]); if(cert_type_name.empty()) // something we don't know continue; m_cert_key_types.push_back(cert_type_name); } if(version.supports_negotiable_signature_algorithms()) { std::vector<byte> sig_hash_algs = reader.get_range_vector<byte>(2, 2, 65534); if(sig_hash_algs.size() % 2 != 0) throw Decoding_Error("Bad length for signature IDs in certificate request"); for(size_t i = 0; i != sig_hash_algs.size(); i += 2) { std::string hash = Signature_Algorithms::hash_algo_name(sig_hash_algs[i]); std::string sig = Signature_Algorithms::sig_algo_name(sig_hash_algs[i+1]); m_supported_algos.push_back(std::make_pair(hash, sig)); } } const u16bit purported_size = reader.get_u16bit(); if(reader.remaining_bytes() != purported_size) throw Decoding_Error("Inconsistent length in certificate request"); while(reader.has_remaining()) { std::vector<byte> name_bits = reader.get_range_vector<byte>(2, 0, 65535); BER_Decoder decoder(name_bits.data(), name_bits.size()); X509_DN name; decoder.decode(name); m_names.push_back(name); } }
/** * Create a new Certificate Request message */ Certificate_Req::Certificate_Req(Handshake_IO& io, Handshake_Hash& hash, const Policy& policy, const std::vector<X509_DN>& ca_certs, Protocol_Version version) : m_names(ca_certs), m_cert_key_types({ "RSA", "DSA", "ECDSA" }) { if(version.supports_negotiable_signature_algorithms()) { std::vector<std::string> hashes = policy.allowed_signature_hashes(); std::vector<std::string> sigs = policy.allowed_signature_methods(); for(size_t i = 0; i != hashes.size(); ++i) for(size_t j = 0; j != sigs.size(); ++j) m_supported_algos.push_back(std::make_pair(hashes[i], sigs[j])); } hash.update(io.send(*this)); }
void Channel::process_handshake_ccs(const secure_vector<uint8_t>& record, uint64_t record_sequence, Record_Type record_type, Protocol_Version record_version) { if(!m_pending_state) { // No pending handshake, possibly new: if(record_version.is_datagram_protocol()) { if(m_sequence_numbers) { /* * Might be a peer retransmit under epoch - 1 in which * case we must retransmit last flight */ sequence_numbers().read_accept(record_sequence); const uint16_t epoch = record_sequence >> 48; if(epoch == sequence_numbers().current_read_epoch()) { create_handshake_state(record_version); } else if(epoch == sequence_numbers().current_read_epoch() - 1) { BOTAN_ASSERT(m_active_state, "Have active state here"); m_active_state->handshake_io().add_record(unlock(record), record_type, record_sequence); } } else if(record_sequence == 0) { create_handshake_state(record_version); } } else {
/** * Deserialize a Server Key Exchange message */ Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf, const Kex_Algo kex_algo, const Auth_Method auth_method, Protocol_Version version) { TLS_Data_Reader reader("ServerKeyExchange", buf); /* * Here we are deserializing enough to find out what offset the * signature is at. All processing is done when the Client Key Exchange * is prepared. */ if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::DHE_PSK || kex_algo == Kex_Algo::ECDHE_PSK) { reader.get_string(2, 0, 65535); // identity hint } if(kex_algo == Kex_Algo::DH || kex_algo == Kex_Algo::DHE_PSK) { // 3 bigints, DH p, g, Y for(size_t i = 0; i != 3; ++i) { reader.get_range<uint8_t>(2, 1, 65535); } } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) { reader.get_byte(); // curve type reader.get_uint16_t(); // curve id reader.get_range<uint8_t>(1, 1, 255); // public key } else if(kex_algo == Kex_Algo::SRP_SHA) { // 2 bigints (N,g) then salt, then server B reader.get_range<uint8_t>(2, 1, 65535); reader.get_range<uint8_t>(2, 1, 65535); reader.get_range<uint8_t>(1, 1, 255); reader.get_range<uint8_t>(2, 1, 65535); } else if(kex_algo == Kex_Algo::CECPQ1) { // u16 blob reader.get_range<uint8_t>(2, 1, 65535); } else if(kex_algo != Kex_Algo::PSK) throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_method_to_string(kex_algo)); m_params.assign(buf.data(), buf.data() + reader.read_so_far()); if(auth_method != Auth_Method::ANONYMOUS && auth_method != Auth_Method::IMPLICIT) { if(version.supports_negotiable_signature_algorithms()) { m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t()); } m_signature = reader.get_range<uint8_t>(2, 0, 65535); } reader.assert_done(); }
/* * Create a new Client Key Exchange message */ Client_Key_Exchange::Client_Key_Exchange(Handshake_IO& io, Handshake_State& state, const Policy& policy, Credentials_Manager& creds, const Public_Key* server_public_key, const std::string& hostname, RandomNumberGenerator& rng) { const std::string kex_algo = state.ciphersuite().kex_algo(); if(kex_algo == "PSK") { std::string identity_hint = ""; if(state.server_kex()) { TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params()); identity_hint = reader.get_string(2, 0, 65535); } const std::string psk_identity = creds.psk_identity("tls-client", hostname, identity_hint); append_tls_length_value(m_key_material, psk_identity, 2); SymmetricKey psk = creds.psk("tls-client", hostname, psk_identity); std::vector<byte> zeros(psk.length()); append_tls_length_value(m_pre_master, zeros, 2); append_tls_length_value(m_pre_master, psk.bits_of(), 2); } else if(state.server_kex()) { TLS_Data_Reader reader("ClientKeyExchange", state.server_kex()->params()); SymmetricKey psk; if(kex_algo == "DHE_PSK" || kex_algo == "ECDHE_PSK") { std::string identity_hint = reader.get_string(2, 0, 65535); const std::string psk_identity = creds.psk_identity("tls-client", hostname, identity_hint); append_tls_length_value(m_key_material, psk_identity, 2); psk = creds.psk("tls-client", hostname, psk_identity); } if(kex_algo == "DH" || kex_algo == "DHE_PSK") { BigInt p = BigInt::decode(reader.get_range<byte>(2, 1, 65535)); BigInt g = BigInt::decode(reader.get_range<byte>(2, 1, 65535)); BigInt Y = BigInt::decode(reader.get_range<byte>(2, 1, 65535)); if(reader.remaining_bytes()) throw Decoding_Error("Bad params size for DH key exchange"); if(p.bits() < policy.minimum_dh_group_size()) throw TLS_Exception(Alert::INSUFFICIENT_SECURITY, "Server sent DH group of " + std::to_string(p.bits()) + " bits, policy requires at least " + std::to_string(policy.minimum_dh_group_size())); /* * A basic check for key validity. As we do not know q here we * cannot check that Y is in the right subgroup. However since * our key is ephemeral there does not seem to be any * advantage to bogus keys anyway. */ if(Y <= 1 || Y >= p - 1) throw TLS_Exception(Alert::INSUFFICIENT_SECURITY, "Server sent bad DH key for DHE exchange"); DL_Group group(p, g); if(!group.verify_group(rng, false)) throw TLS_Exception(Alert::INSUFFICIENT_SECURITY, "DH group validation failed"); DH_PublicKey counterparty_key(group, Y); DH_PrivateKey priv_key(rng, group); PK_Key_Agreement ka(priv_key, "Raw"); secure_vector<byte> dh_secret = CT::strip_leading_zeros( ka.derive_key(0, counterparty_key.public_value()).bits_of()); if(kex_algo == "DH") m_pre_master = dh_secret; else { append_tls_length_value(m_pre_master, dh_secret, 2); append_tls_length_value(m_pre_master, psk.bits_of(), 2); } append_tls_length_value(m_key_material, priv_key.public_value(), 2); } else if(kex_algo == "ECDH" || kex_algo == "ECDHE_PSK") { const byte curve_type = reader.get_byte(); if(curve_type != 3) throw Decoding_Error("Server sent non-named ECC curve"); const u16bit curve_id = reader.get_u16bit(); const std::string name = Supported_Elliptic_Curves::curve_id_to_name(curve_id); if(name == "") throw Decoding_Error("Server sent unknown named curve " + std::to_string(curve_id)); EC_Group group(name); std::vector<byte> ecdh_key = reader.get_range<byte>(1, 1, 255); ECDH_PublicKey counterparty_key(group, OS2ECP(ecdh_key, group.get_curve())); ECDH_PrivateKey priv_key(rng, group); PK_Key_Agreement ka(priv_key, "Raw"); secure_vector<byte> ecdh_secret = ka.derive_key(0, counterparty_key.public_value()).bits_of(); if(kex_algo == "ECDH") m_pre_master = ecdh_secret; else { append_tls_length_value(m_pre_master, ecdh_secret, 2); append_tls_length_value(m_pre_master, psk.bits_of(), 2); } append_tls_length_value(m_key_material, priv_key.public_value(), 1); } #if defined(BOTAN_HAS_SRP6) else if(kex_algo == "SRP_SHA") { const BigInt N = BigInt::decode(reader.get_range<byte>(2, 1, 65535)); const BigInt g = BigInt::decode(reader.get_range<byte>(2, 1, 65535)); std::vector<byte> salt = reader.get_range<byte>(1, 1, 255); const BigInt B = BigInt::decode(reader.get_range<byte>(2, 1, 65535)); const std::string srp_group = srp6_group_identifier(N, g); const std::string srp_identifier = creds.srp_identifier("tls-client", hostname); const std::string srp_password = creds.srp_password("tls-client", hostname, srp_identifier); std::pair<BigInt, SymmetricKey> srp_vals = srp6_client_agree(srp_identifier, srp_password, srp_group, "SHA-1", salt, B, rng); append_tls_length_value(m_key_material, BigInt::encode(srp_vals.first), 2); m_pre_master = srp_vals.second.bits_of(); } #endif else { throw Internal_Error("Client_Key_Exchange: Unknown kex " + kex_algo); } reader.assert_done(); } else { // No server key exchange msg better mean RSA kex + RSA key in cert if(kex_algo != "RSA") throw Unexpected_Message("No server kex but negotiated kex " + kex_algo); if(!server_public_key) throw Internal_Error("No server public key for RSA exchange"); if(auto rsa_pub = dynamic_cast<const RSA_PublicKey*>(server_public_key)) { const Protocol_Version offered_version = state.client_hello()->version(); m_pre_master = rng.random_vec(48); m_pre_master[0] = offered_version.major_version(); m_pre_master[1] = offered_version.minor_version(); PK_Encryptor_EME encryptor(*rsa_pub, "PKCS1v15"); const std::vector<byte> encrypted_key = encryptor.encrypt(m_pre_master, rng); append_tls_length_value(m_key_material, encrypted_key, 2); } else throw TLS_Exception(Alert::HANDSHAKE_FAILURE, "Expected a RSA key in server cert but got " + server_public_key->algo_name()); } state.hash().update(io.send(*this)); }
bool Policy::send_fallback_scsv(Protocol_Version version) const { return version != latest_supported_version(version.is_datagram_protocol()); }