5123321399

Committed 30 May 2023 04:06PM UTC coverage: 92.213% (+0.004%) from 92.209%

Build # 5123321399

Build Type

Pull #3558

github

Committed by

web-flow

Commit Message

Merge dd72f7389 into 057bcbc35

Pull Request Pull Request #3558: Add braces around all if/else statements

Run Details

75602 of 81986 relevant lines covered (92.21%)

11859779.3 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

99.15

/src/lib/tls/tls_session.cpp

/*
* TLS Session State
* (C) 2011-2012,2015,2019 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/tls_session.h>

#include <botan/aead.h>
#include <botan/asn1_obj.h>
#include <botan/ber_dec.h>
#include <botan/der_enc.h>
#include <botan/mac.h>
#include <botan/pem.h>
#include <botan/rng.h>
#include <botan/internal/loadstor.h>

#include <botan/tls_callbacks.h>
#include <botan/tls_messages.h>

#include <botan/internal/stl_util.h>

#include <utility>

namespace Botan::TLS {

void Session_Handle::validate_constraints() const {
   std::visit(overloaded{
                 [](const Session_ID& id) {
                    // RFC 5246 7.4.1.2
                    //    opaque SessionID<0..32>;
                    BOTAN_ARG_CHECK(!id.empty(), "Session ID must not be empty");
                    BOTAN_ARG_CHECK(id.size() <= 32, "Session ID cannot be longer than 32 bytes");
                 },
                 [](const Session_Ticket& ticket) {
                    BOTAN_ARG_CHECK(!ticket.empty(), "Ticket most not be empty");
                    BOTAN_ARG_CHECK(ticket.size() <= std::numeric_limits<uint16_t>::max(),
                                    "Ticket cannot be longer than 64kB");
                 },
                 [](const Opaque_Session_Handle& handle) {
                    // RFC 8446 4.6.1
                    //    opaque ticket<1..2^16-1>;
                    BOTAN_ARG_CHECK(!handle.empty(), "Opaque session handle must not be empty");
                    BOTAN_ARG_CHECK(handle.size() <= std::numeric_limits<uint16_t>::max(),
                                    "Opaque session handle cannot be longer than 64kB");
                 },
              },
              m_handle);
}

Opaque_Session_Handle Session_Handle::opaque_handle() const {
   // both a Session_ID and a Session_Ticket could be an Opaque_Session_Handle
   return Opaque_Session_Handle(std::visit([](const auto& handle) { return handle.get(); }, m_handle));
}

std::optional<Session_ID> Session_Handle::id() const {
   if(is_id()) {
      return std::get<Session_ID>(m_handle);
   }

   // Opaque handles can mimick as a Session_ID if they are short enough
   if(is_opaque_handle()) {
      const auto& handle = std::get<Opaque_Session_Handle>(m_handle);
      if(handle.size() <= 32) {
         return Session_ID(handle.get());
      }
   }

   return std::nullopt;
}

std::optional<Session_Ticket> Session_Handle::ticket() const {
   if(is_ticket()) {
      return std::get<Session_Ticket>(m_handle);
   }

   // Opaque handles can mimick 'normal' Session_Tickets at any time
   if(is_opaque_handle()) {
      return Session_Ticket(std::get<Opaque_Session_Handle>(m_handle).get());
   }

   return std::nullopt;
}

Ciphersuite Session_Base::ciphersuite() const {
   auto suite = Ciphersuite::by_id(m_ciphersuite);
   if(!suite.has_value()) {
      throw Decoding_Error("Failed to find cipher suite for ID " + std::to_string(m_ciphersuite));
   }
   return suite.value();
}

Session_Summary::Session_Summary(const Session_Base& base, bool was_resumption) : Session_Base(base) {
   BOTAN_ARG_CHECK(version().is_pre_tls_13(), "Instantiated a TLS 1.2 session summary with an newer TLS version");

   const auto cs = ciphersuite();
   m_psk_used = cs.psk_ciphersuite();
   m_kex_algo = cs.kex_algo();
   m_was_resumption = was_resumption;
}

#if defined(BOTAN_HAS_TLS_13)

Session_Summary::Session_Summary(const Server_Hello_13& server_hello,
                                 Connection_Side side,
                                 std::vector<X509_Certificate> peer_certs,
                                 Server_Information server_info,
                                 std::chrono::system_clock::time_point current_timestamp) :
      Session_Base(current_timestamp,
                   server_hello.selected_version(),
                   server_hello.ciphersuite(),
                   side,

                   // TODO: SRTP might become necessary when DTLS 1.3 is being implemented
                   0,

                   // RFC 8446 Appendix D
                   //    Because TLS 1.3 always hashes in the transcript up to the server
                   //    Finished, implementations which support both TLS 1.3 and earlier
                   //    versions SHOULD indicate the use of the Extended Master Secret
                   //    extension in their APIs whenever TLS 1.3 is used.
                   true,

                   // TLS 1.3 uses AEADs, so technically encrypt-then-MAC is not applicable.
                   false,
                   std::move(peer_certs),
                   std::move(server_info)) {
   BOTAN_ARG_CHECK(version().is_tls_13_or_later(), "Instantiated a TLS 1.3 session summary with an older TLS version");
   set_session_id(server_hello.session_id());

   // Currently, we use PSK exclusively for session resumption. Hence, a
   // server hello with a PSK extension indicates a session resumption.
   //
   // TODO: once manually configured PSKs are implemented, this will need
   //       extra consideration to tell PSK usage and resumption apart.
   m_psk_used = server_hello.extensions().has<PSK>();
   m_was_resumption = m_psk_used;

   // In TLS 1.3 the key exchange algorithm is not negotiated in the ciphersuite
   // anymore. This provides a compatible identifier for applications to use.
   m_kex_algo = kex_method_to_string([&] {
      if(m_psk_used) {
         if(const auto keyshare = server_hello.extensions().get<Key_Share>()) {
            const auto group = keyshare->selected_group();
            if(is_dh(group)) {
               return Kex_Algo::DHE_PSK;
            } else if(is_ecdh(group) || is_x25519(group)) {
               return Kex_Algo::ECDHE_PSK;
            }
         } else {
            return Kex_Algo::PSK;
         }
      } else {
         const auto keyshare = server_hello.extensions().get<Key_Share>();
         BOTAN_ASSERT_NONNULL(keyshare);
         const auto group = keyshare->selected_group();
         if(is_dh(group)) {
            return Kex_Algo::DH;
         } else if(is_ecdh(group) || is_x25519(group)) {
            return Kex_Algo::ECDH;
         }
      }

      return Kex_Algo::UNDEFINED;
   }());
}

#endif

Session::Session(const secure_vector<uint8_t>& master_secret,
                 Protocol_Version version,
                 uint16_t ciphersuite,
                 Connection_Side side,
                 bool extended_master_secret,
                 bool encrypt_then_mac,
                 const std::vector<X509_Certificate>& certs,
                 const Server_Information& server_info,
                 uint16_t srtp_profile,
                 std::chrono::system_clock::time_point current_timestamp,
                 std::chrono::seconds lifetime_hint) :
      Session_Base(current_timestamp,
                   version,
                   ciphersuite,
                   side,
                   srtp_profile,
                   extended_master_secret,
                   encrypt_then_mac,
                   certs,
                   server_info),
      m_master_secret(master_secret),
      m_early_data_allowed(false),
      m_max_early_data_bytes(0),
      m_ticket_age_add(0),
      m_lifetime_hint(lifetime_hint) {
   BOTAN_ARG_CHECK(version.is_pre_tls_13(), "Instantiated a TLS 1.2 session object with a TLS version newer than 1.2");
}

#if defined(BOTAN_HAS_TLS_13)

Session::Session(const secure_vector<uint8_t>& session_psk,
                 const std::optional<uint32_t>& max_early_data_bytes,
                 uint32_t ticket_age_add,
                 std::chrono::seconds lifetime_hint,
                 Protocol_Version version,
                 uint16_t ciphersuite,
                 Connection_Side side,
                 const std::vector<X509_Certificate>& peer_certs,
                 const Server_Information& server_info,
                 std::chrono::system_clock::time_point current_timestamp) :
      Session_Base(current_timestamp,
                   version,
                   ciphersuite,
                   side,

                   // TODO: SRTP might become necessary when DTLS 1.3 is being implemented
                   0,

                   // RFC 8446 Appendix D
                   //    Because TLS 1.3 always hashes in the transcript up to the server
                   //    Finished, implementations which support both TLS 1.3 and earlier
                   //    versions SHOULD indicate the use of the Extended Master Secret
                   //    extension in their APIs whenever TLS 1.3 is used.
                   true,

                   // TLS 1.3 uses AEADs, so technically encrypt-then-MAC is not applicable.
                   false,
                   peer_certs,
                   server_info),
      m_master_secret(session_psk),
      m_early_data_allowed(max_early_data_bytes.has_value()),
      m_max_early_data_bytes(max_early_data_bytes.value_or(0)),
      m_ticket_age_add(ticket_age_add),
      m_lifetime_hint(lifetime_hint) {
   BOTAN_ARG_CHECK(!version.is_pre_tls_13(), "Instantiated a TLS 1.3 session object with a TLS version older than 1.3");
}

Session::Session(secure_vector<uint8_t>&& session_psk,
                 const std::optional<uint32_t>& max_early_data_bytes,
                 std::chrono::seconds lifetime_hint,
                 const std::vector<X509_Certificate>& peer_certs,
                 const Client_Hello_13& client_hello,
                 const Server_Hello_13& server_hello,
                 Callbacks& callbacks,
                 RandomNumberGenerator& rng) :
      Session_Base(callbacks.tls_current_timestamp(),
                   server_hello.selected_version(),
                   server_hello.ciphersuite(),
                   Connection_Side::Server,
                   0,
                   true,
                   false,  // see constructor above for rationales
                   peer_certs,
                   Server_Information(client_hello.sni_hostname())),
      m_master_secret(std::move(session_psk)),
      m_early_data_allowed(max_early_data_bytes.has_value()),
      m_max_early_data_bytes(max_early_data_bytes.value_or(0)),
      m_ticket_age_add(load_be<uint32_t>(rng.random_vec(4).data(), 0)),
      m_lifetime_hint(lifetime_hint) {
   BOTAN_ARG_CHECK(!m_version.is_pre_tls_13(),
                   "Instantiated a TLS 1.3 session object with a TLS version older than 1.3");
}

#endif

Session::Session(std::string_view pem) : Session(PEM_Code::decode_check_label(pem, "TLS SESSION")) {}

Session::Session(std::span<const uint8_t> ber_data) {
   uint8_t side_code = 0;

   ASN1_String server_hostname;
   ASN1_String server_service;
   size_t server_port;

   uint8_t major_version = 0, minor_version = 0;

   size_t start_time = 0;
   size_t srtp_profile = 0;
   uint16_t ciphersuite_code = 0;
   uint64_t lifetime_hint = 0;

   BER_Decoder(ber_data.data(), ber_data.size())
      .start_sequence()
      .decode_and_check(static_cast<size_t>(TLS_SESSION_PARAM_STRUCT_VERSION),
                        "Unknown version in serialized TLS session")
      .decode_integer_type(start_time)
      .decode_integer_type(major_version)
      .decode_integer_type(minor_version)
      .decode_integer_type(ciphersuite_code)
      .decode_integer_type(side_code)
      .decode(m_extended_master_secret)
      .decode(m_encrypt_then_mac)
      .decode(m_master_secret, ASN1_Type::OctetString)
      .decode_list<X509_Certificate>(m_peer_certs)
      .decode(server_hostname)
      .decode(server_service)
      .decode(server_port)
      .decode(srtp_profile)
      .decode(m_early_data_allowed)
      .decode_integer_type(m_max_early_data_bytes)
      .decode_integer_type(m_ticket_age_add)
      .decode_integer_type(lifetime_hint)
      .end_cons()
      .verify_end();

   if(!Ciphersuite::by_id(ciphersuite_code)) {
      throw Decoding_Error(
         "Serialized TLS session contains unknown cipher suite "
         "(" +
         std::to_string(ciphersuite_code) + ")");
   }

   m_ciphersuite = ciphersuite_code;
   m_version = Protocol_Version(major_version, minor_version);
   m_start_time = std::chrono::system_clock::from_time_t(start_time);
   m_connection_side = static_cast<Connection_Side>(side_code);
   m_srtp_profile = static_cast<uint16_t>(srtp_profile);

   m_server_info =
      Server_Information(server_hostname.value(), server_service.value(), static_cast<uint16_t>(server_port));

   m_lifetime_hint = std::chrono::seconds(lifetime_hint);
}

secure_vector<uint8_t> Session::DER_encode() const {
   return DER_Encoder()
      .start_sequence()
      .encode(static_cast<size_t>(TLS_SESSION_PARAM_STRUCT_VERSION))
      .encode(static_cast<size_t>(std::chrono::system_clock::to_time_t(m_start_time)))
      .encode(static_cast<size_t>(m_version.major_version()))
      .encode(static_cast<size_t>(m_version.minor_version()))
      .encode(static_cast<size_t>(m_ciphersuite))
      .encode(static_cast<size_t>(m_connection_side))
      .encode(m_extended_master_secret)
      .encode(m_encrypt_then_mac)
      .encode(m_master_secret, ASN1_Type::OctetString)
      .start_sequence()
      .encode_list(m_peer_certs)
      .end_cons()
      .encode(ASN1_String(m_server_info.hostname(), ASN1_Type::Utf8String))
      .encode(ASN1_String(m_server_info.service(), ASN1_Type::Utf8String))
      .encode(static_cast<size_t>(m_server_info.port()))
      .encode(static_cast<size_t>(m_srtp_profile))

      // the fields below were introduced for TLS 1.3 session tickets
      .encode(m_early_data_allowed)
      .encode(static_cast<size_t>(m_max_early_data_bytes))
      .encode(static_cast<size_t>(m_ticket_age_add))
      .encode(static_cast<size_t>(m_lifetime_hint.count()))
      .end_cons()
      .get_contents();
}

std::string Session::PEM_encode() const { return PEM_Code::encode(this->DER_encode(), "TLS SESSION"); }

secure_vector<uint8_t> Session::extract_master_secret() {
   BOTAN_STATE_CHECK(!m_master_secret.empty());
   return std::exchange(m_master_secret, {});
}

namespace {

// The output length of the HMAC must be a valid keylength for the AEAD
const char* const TLS_SESSION_CRYPT_HMAC = "HMAC(SHA-512-256)";
// SIV would be better, but we can't assume it is available
const char* const TLS_SESSION_CRYPT_AEAD = "AES-256/GCM";
const char* const TLS_SESSION_CRYPT_KEY_NAME = "BOTAN TLS SESSION KEY NAME";
const uint64_t TLS_SESSION_CRYPT_MAGIC = 0x068B5A9D396C0000;
const size_t TLS_SESSION_CRYPT_MAGIC_LEN = 8;
const size_t TLS_SESSION_CRYPT_KEY_NAME_LEN = 4;
const size_t TLS_SESSION_CRYPT_AEAD_NONCE_LEN = 12;
const size_t TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN = 16;
const size_t TLS_SESSION_CRYPT_AEAD_TAG_SIZE = 16;

const size_t TLS_SESSION_CRYPT_HDR_LEN = TLS_SESSION_CRYPT_MAGIC_LEN + TLS_SESSION_CRYPT_KEY_NAME_LEN +
                                         TLS_SESSION_CRYPT_AEAD_NONCE_LEN + TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN;

const size_t TLS_SESSION_CRYPT_OVERHEAD = TLS_SESSION_CRYPT_HDR_LEN + TLS_SESSION_CRYPT_AEAD_TAG_SIZE;

}  // namespace

std::vector<uint8_t> Session::encrypt(const SymmetricKey& key, RandomNumberGenerator& rng) const {
   auto hmac = MessageAuthenticationCode::create_or_throw(TLS_SESSION_CRYPT_HMAC);
   hmac->set_key(key);

   // First derive the "key name"
   std::vector<uint8_t> key_name(hmac->output_length());
   hmac->update(TLS_SESSION_CRYPT_KEY_NAME);
   hmac->final(key_name.data());
   key_name.resize(TLS_SESSION_CRYPT_KEY_NAME_LEN);

   std::vector<uint8_t> aead_nonce;
   std::vector<uint8_t> key_seed;

   rng.random_vec(aead_nonce, TLS_SESSION_CRYPT_AEAD_NONCE_LEN);
   rng.random_vec(key_seed, TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN);

   hmac->update(key_seed);
   const secure_vector<uint8_t> aead_key = hmac->final();

   secure_vector<uint8_t> bits = this->DER_encode();

   // create the header
   std::vector<uint8_t> buf;
   buf.reserve(TLS_SESSION_CRYPT_OVERHEAD + bits.size());
   buf.resize(TLS_SESSION_CRYPT_MAGIC_LEN);
   store_be(TLS_SESSION_CRYPT_MAGIC, &buf[0]);
   buf += key_name;
   buf += key_seed;
   buf += aead_nonce;

   auto aead = AEAD_Mode::create_or_throw(TLS_SESSION_CRYPT_AEAD, Cipher_Dir::Encryption);
   BOTAN_ASSERT_NOMSG(aead->valid_nonce_length(TLS_SESSION_CRYPT_AEAD_NONCE_LEN));
   BOTAN_ASSERT_NOMSG(aead->tag_size() == TLS_SESSION_CRYPT_AEAD_TAG_SIZE);
   aead->set_key(aead_key);
   aead->set_associated_data(buf);
   aead->start(aead_nonce);
   aead->finish(bits, 0);

   // append the ciphertext
   buf += bits;
   return buf;
}

Session Session::decrypt(std::span<const uint8_t> in, const SymmetricKey& key) {
   try {
      const size_t min_session_size = 48 + 4;  // serious under-estimate
      if(in.size() < TLS_SESSION_CRYPT_OVERHEAD + min_session_size) {
         throw Decoding_Error("Encrypted session too short to be valid");
      }

      // TODO: replace those raw pointers with sub-spans into `in`
      const uint8_t* magic = in.data();
      const uint8_t* key_name = magic + TLS_SESSION_CRYPT_MAGIC_LEN;
      const uint8_t* key_seed = key_name + TLS_SESSION_CRYPT_KEY_NAME_LEN;
      const uint8_t* aead_nonce = key_seed + TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN;
      const uint8_t* ctext = aead_nonce + TLS_SESSION_CRYPT_AEAD_NONCE_LEN;
      const size_t ctext_len = in.size() - TLS_SESSION_CRYPT_HDR_LEN;  // includes the tag

      if(load_be<uint64_t>(magic, 0) != TLS_SESSION_CRYPT_MAGIC) {
         throw Decoding_Error("Missing expected magic numbers");
      }

      auto hmac = MessageAuthenticationCode::create_or_throw(TLS_SESSION_CRYPT_HMAC);
      hmac->set_key(key);

      // First derive and check the "key name"
      std::vector<uint8_t> cmp_key_name(hmac->output_length());
      hmac->update(TLS_SESSION_CRYPT_KEY_NAME);
      hmac->final(cmp_key_name.data());

      if(same_mem(cmp_key_name.data(), key_name, TLS_SESSION_CRYPT_KEY_NAME_LEN) == false) {
         throw Decoding_Error("Wrong key name for encrypted session");
      }

      hmac->update(key_seed, TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN);
      const secure_vector<uint8_t> aead_key = hmac->final();

      auto aead = AEAD_Mode::create_or_throw(TLS_SESSION_CRYPT_AEAD, Cipher_Dir::Decryption);
      aead->set_key(aead_key);
      aead->set_associated_data(in.data(), TLS_SESSION_CRYPT_HDR_LEN);
      aead->start(aead_nonce, TLS_SESSION_CRYPT_AEAD_NONCE_LEN);
      secure_vector<uint8_t> buf(ctext, ctext + ctext_len);
      aead->finish(buf, 0);
      return Session(buf);
   } catch(std::exception& e) {
      throw Decoding_Error("Failed to decrypt serialized TLS session: " + std::string(e.what()));
   }
}

}  // namespace Botan::TLS

1	/*
2	* TLS Session State
3	* (C) 2011-2012,2015,2019 Jack Lloyd
4	*
5	* Botan is released under the Simplified BSD License (see license.txt)
6	*/
7
8	#include <botan/tls_session.h>
9
10	#include <botan/aead.h>
11	#include <botan/asn1_obj.h>
12	#include <botan/ber_dec.h>
13	#include <botan/der_enc.h>
14	#include <botan/mac.h>
15	#include <botan/pem.h>
16	#include <botan/rng.h>
17	#include <botan/internal/loadstor.h>
18
19	#include <botan/tls_callbacks.h>
20	#include <botan/tls_messages.h>
21
22	#include <botan/internal/stl_util.h>
23
24	#include <utility>
25
26	namespace Botan::TLS {
27
28	void Session_Handle::validate_constraints() const {	3,433✔
29	std::visit(overloaded{	6,866✔
30	[](const Session_ID& id) {	642✔
31	// RFC 5246 7.4.1.2
32	// opaque SessionID<0..32>;
33	BOTAN_ARG_CHECK(!id.empty(), "Session ID must not be empty");	642✔
34	BOTAN_ARG_CHECK(id.size() <= 32, "Session ID cannot be longer than 32 bytes");	642✔
35	},	642✔
36	[](const Session_Ticket& ticket) {	2,113✔
37	BOTAN_ARG_CHECK(!ticket.empty(), "Ticket most not be empty");	2,113✔
38	BOTAN_ARG_CHECK(ticket.size() <= std::numeric_limits<uint16_t>::max(),	2,113✔
39	"Ticket cannot be longer than 64kB");
40	},	2,113✔
41	[](const Opaque_Session_Handle& handle) {	678✔
42	// RFC 8446 4.6.1
43	// opaque ticket<1..2^16-1>;
44	BOTAN_ARG_CHECK(!handle.empty(), "Opaque session handle must not be empty");	678✔
45	BOTAN_ARG_CHECK(handle.size() <= std::numeric_limits<uint16_t>::max(),	678✔
46	"Opaque session handle cannot be longer than 64kB");
47	},	678✔
48	},
49	m_handle);	3,433✔
50	}	3,433✔
51
52	Opaque_Session_Handle Session_Handle::opaque_handle() const {	361✔
53	// both a Session_ID and a Session_Ticket could be an Opaque_Session_Handle
54	return Opaque_Session_Handle(std::visit([](const auto& handle) { return handle.get(); }, m_handle));	722✔
55	}
56
57	std::optional<Session_ID> Session_Handle::id() const {	2,379✔
58	if(is_id()) {	2,379✔
59	return std::get<Session_ID>(m_handle);	588✔
60	}
61
62	// Opaque handles can mimick as a Session_ID if they are short enough
63	if(is_opaque_handle()) {	1,791✔
64	const auto& handle = std::get<Opaque_Session_Handle>(m_handle);	670✔
65	if(handle.size() <= 32) {	670✔
66	return Session_ID(handle.get());	22✔
67	}
68	}
69
70	return std::nullopt;	1,769✔
71	}
72
73	std::optional<Session_Ticket> Session_Handle::ticket() const {	1,701✔
74	if(is_ticket()) {	1,701✔
75	return std::get<Session_Ticket>(m_handle);	1,195✔
76	}
77
78	// Opaque handles can mimick 'normal' Session_Tickets at any time
79	if(is_opaque_handle()) {	506✔
80	return Session_Ticket(std::get<Opaque_Session_Handle>(m_handle).get());	216✔
81	}
82
83	return std::nullopt;	290✔
84	}
85
86	Ciphersuite Session_Base::ciphersuite() const {	4,784✔
87	auto suite = Ciphersuite::by_id(m_ciphersuite);	4,784✔
88	if(!suite.has_value()) {	4,784✔
89	throw Decoding_Error("Failed to find cipher suite for ID " + std::to_string(m_ciphersuite));	×
90	}
91	return suite.value();	4,784✔
92	}
93
94	Session_Summary::Session_Summary(const Session_Base& base, bool was_resumption) : Session_Base(base) {	1,729✔
95	BOTAN_ARG_CHECK(version().is_pre_tls_13(), "Instantiated a TLS 1.2 session summary with an newer TLS version");	1,729✔
96
97	const auto cs = ciphersuite();	1,729✔
98	m_psk_used = cs.psk_ciphersuite();	1,729✔
99	m_kex_algo = cs.kex_algo();	1,729✔
100	m_was_resumption = was_resumption;	1,729✔
101	}	1,729✔
102
103	#if defined(BOTAN_HAS_TLS_13)
104
105	Session_Summary::Session_Summary(const Server_Hello_13& server_hello,	587✔
106	Connection_Side side,
107	std::vector<X509_Certificate> peer_certs,
108	Server_Information server_info,
109	std::chrono::system_clock::time_point current_timestamp) :	587✔
110	Session_Base(current_timestamp,
111	server_hello.selected_version(),
112	server_hello.ciphersuite(),	587✔
113	side,
114
115	// TODO: SRTP might become necessary when DTLS 1.3 is being implemented
116	0,
117
118	// RFC 8446 Appendix D
119	// Because TLS 1.3 always hashes in the transcript up to the server
120	// Finished, implementations which support both TLS 1.3 and earlier
121	// versions SHOULD indicate the use of the Extended Master Secret
122	// extension in their APIs whenever TLS 1.3 is used.
123	true,
124
125	// TLS 1.3 uses AEADs, so technically encrypt-then-MAC is not applicable.
126	false,
127	std::move(peer_certs),	587✔
128	std::move(server_info)) {	1,174✔
129	BOTAN_ARG_CHECK(version().is_tls_13_or_later(), "Instantiated a TLS 1.3 session summary with an older TLS version");	587✔
130	set_session_id(server_hello.session_id());	1,174✔
131
132	// Currently, we use PSK exclusively for session resumption. Hence, a
133	// server hello with a PSK extension indicates a session resumption.
134	//
135	// TODO: once manually configured PSKs are implemented, this will need
136	// extra consideration to tell PSK usage and resumption apart.
137	m_psk_used = server_hello.extensions().has<PSK>();	587✔
138	m_was_resumption = m_psk_used;	587✔
139
140	// In TLS 1.3 the key exchange algorithm is not negotiated in the ciphersuite
141	// anymore. This provides a compatible identifier for applications to use.
142	m_kex_algo = kex_method_to_string([&] {	587✔
143	if(m_psk_used) {	587✔
144	if(const auto keyshare = server_hello.extensions().get<Key_Share>()) {	161✔
145	const auto group = keyshare->selected_group();	161✔
146	if(is_dh(group)) {	161✔
147	return Kex_Algo::DHE_PSK;
148	} else if(is_ecdh(group) \|\| is_x25519(group)) {	161✔
149	return Kex_Algo::ECDHE_PSK;	161✔
150	}
151	} else {
152	return Kex_Algo::PSK;
153	}
154	} else {
155	const auto keyshare = server_hello.extensions().get<Key_Share>();	426✔
156	BOTAN_ASSERT_NONNULL(keyshare);	426✔
157	const auto group = keyshare->selected_group();	426✔
158	if(is_dh(group)) {	426✔
159	return Kex_Algo::DH;
160	} else if(is_ecdh(group) \|\| is_x25519(group)) {	426✔
161	return Kex_Algo::ECDH;	426✔
162	}
163	}
164
165	return Kex_Algo::UNDEFINED;
166	}());	587✔
167	}	587✔
168
169	#endif
170
171	Session::Session(const secure_vector<uint8_t>& master_secret,	1,610✔
172	Protocol_Version version,
173	uint16_t ciphersuite,
174	Connection_Side side,
175	bool extended_master_secret,
176	bool encrypt_then_mac,
177	const std::vector<X509_Certificate>& certs,
178	const Server_Information& server_info,
179	uint16_t srtp_profile,
180	std::chrono::system_clock::time_point current_timestamp,
181	std::chrono::seconds lifetime_hint) :	1,610✔
182	Session_Base(current_timestamp,
183	version,
184	ciphersuite,
185	side,
186	srtp_profile,
187	extended_master_secret,
188	encrypt_then_mac,
189	certs,
190	server_info),
191	m_master_secret(master_secret),	1,610✔
192	m_early_data_allowed(false),	1,610✔
193	m_max_early_data_bytes(0),	1,610✔
194	m_ticket_age_add(0),	1,610✔
195	m_lifetime_hint(lifetime_hint) {	1,610✔
196	BOTAN_ARG_CHECK(version.is_pre_tls_13(), "Instantiated a TLS 1.2 session object with a TLS version newer than 1.2");	1,610✔
197	}	1,610✔
198
199	#if defined(BOTAN_HAS_TLS_13)
200
201	Session::Session(const secure_vector<uint8_t>& session_psk,	566✔
202	const std::optional<uint32_t>& max_early_data_bytes,
203	uint32_t ticket_age_add,
204	std::chrono::seconds lifetime_hint,
205	Protocol_Version version,
206	uint16_t ciphersuite,
207	Connection_Side side,
208	const std::vector<X509_Certificate>& peer_certs,
209	const Server_Information& server_info,
210	std::chrono::system_clock::time_point current_timestamp) :	566✔
211	Session_Base(current_timestamp,
212	version,
213	ciphersuite,
214	side,
215
216	// TODO: SRTP might become necessary when DTLS 1.3 is being implemented
217	0,
218
219	// RFC 8446 Appendix D
220	// Because TLS 1.3 always hashes in the transcript up to the server
221	// Finished, implementations which support both TLS 1.3 and earlier
222	// versions SHOULD indicate the use of the Extended Master Secret
223	// extension in their APIs whenever TLS 1.3 is used.
224	true,
225
226	// TLS 1.3 uses AEADs, so technically encrypt-then-MAC is not applicable.
227	false,
228	peer_certs,
229	server_info),
230	m_master_secret(session_psk),	566✔
231	m_early_data_allowed(max_early_data_bytes.has_value()),	566✔
232	m_max_early_data_bytes(max_early_data_bytes.value_or(0)),	566✔
233	m_ticket_age_add(ticket_age_add),	566✔
234	m_lifetime_hint(lifetime_hint) {	566✔
235	BOTAN_ARG_CHECK(!version.is_pre_tls_13(), "Instantiated a TLS 1.3 session object with a TLS version older than 1.3");	566✔
236	}	566✔
237
238	Session::Session(secure_vector<uint8_t>&& session_psk,	275✔
239	const std::optional<uint32_t>& max_early_data_bytes,
240	std::chrono::seconds lifetime_hint,
241	const std::vector<X509_Certificate>& peer_certs,
242	const Client_Hello_13& client_hello,
243	const Server_Hello_13& server_hello,
244	Callbacks& callbacks,
245	RandomNumberGenerator& rng) :	275✔
246	Session_Base(callbacks.tls_current_timestamp(),	275✔
247	server_hello.selected_version(),
248	server_hello.ciphersuite(),	275✔
249	Connection_Side::Server,
250	0,
251	true,
252	false, // see constructor above for rationales
253	peer_certs,
254	Server_Information(client_hello.sni_hostname())),	550✔
255	m_master_secret(std::move(session_psk)),	275✔
256	m_early_data_allowed(max_early_data_bytes.has_value()),	275✔
257	m_max_early_data_bytes(max_early_data_bytes.value_or(0)),	275✔
258	m_ticket_age_add(load_be<uint32_t>(rng.random_vec(4).data(), 0)),	275✔
259	m_lifetime_hint(lifetime_hint) {	825✔
260	BOTAN_ARG_CHECK(!m_version.is_pre_tls_13(),	275✔
261	"Instantiated a TLS 1.3 session object with a TLS version older than 1.3");
262	}	275✔
263
264	#endif
265
266	Session::Session(std::string_view pem) : Session(PEM_Code::decode_check_label(pem, "TLS SESSION")) {}	3✔
267
268	Session::Session(std::span<const uint8_t> ber_data) {	452✔
269	uint8_t side_code = 0;	452✔
270
271	ASN1_String server_hostname;	452✔
272	ASN1_String server_service;	452✔
273	size_t server_port;	452✔
274
275	uint8_t major_version = 0, minor_version = 0;	452✔
276
277	size_t start_time = 0;	452✔
278	size_t srtp_profile = 0;	452✔
279	uint16_t ciphersuite_code = 0;	452✔
280	uint64_t lifetime_hint = 0;	452✔
281
282	BER_Decoder(ber_data.data(), ber_data.size())	452✔
283	.start_sequence()	904✔
284	.decode_and_check(static_cast<size_t>(TLS_SESSION_PARAM_STRUCT_VERSION),	904✔
285	"Unknown version in serialized TLS session")
286	.decode_integer_type(start_time)	452✔
287	.decode_integer_type(major_version)	452✔
288	.decode_integer_type(minor_version)	452✔
289	.decode_integer_type(ciphersuite_code)	452✔
290	.decode_integer_type(side_code)	452✔
291	.decode(m_extended_master_secret)	452✔
292	.decode(m_encrypt_then_mac)	452✔
293	.decode(m_master_secret, ASN1_Type::OctetString)	452✔
294	.decode_list<X509_Certificate>(m_peer_certs)	452✔
295	.decode(server_hostname)	452✔
296	.decode(server_service)	452✔
297	.decode(server_port)	452✔
298	.decode(srtp_profile)	452✔
299	.decode(m_early_data_allowed)	452✔
300	.decode_integer_type(m_max_early_data_bytes)	452✔
301	.decode_integer_type(m_ticket_age_add)	452✔
302	.decode_integer_type(lifetime_hint)	452✔
303	.end_cons()	452✔
304	.verify_end();	452✔
305
306	if(!Ciphersuite::by_id(ciphersuite_code)) {	452✔
307	throw Decoding_Error(	1✔
308	"Serialized TLS session contains unknown cipher suite "
309	"(" +	2✔
310	std::to_string(ciphersuite_code) + ")");	4✔
311	}
312
313	m_ciphersuite = ciphersuite_code;	451✔
314	m_version = Protocol_Version(major_version, minor_version);	451✔
315	m_start_time = std::chrono::system_clock::from_time_t(start_time);	451✔
316	m_connection_side = static_cast<Connection_Side>(side_code);	451✔
317	m_srtp_profile = static_cast<uint16_t>(srtp_profile);	451✔
318
319	m_server_info =	451✔
320	Server_Information(server_hostname.value(), server_service.value(), static_cast<uint16_t>(server_port));	902✔
321
322	m_lifetime_hint = std::chrono::seconds(lifetime_hint);	451✔
323	}	455✔
324
325	secure_vector<uint8_t> Session::DER_encode() const {	1,121✔
326	return DER_Encoder()	1,121✔
327	.start_sequence()	1,121✔
328	.encode(static_cast<size_t>(TLS_SESSION_PARAM_STRUCT_VERSION))	1,121✔
329	.encode(static_cast<size_t>(std::chrono::system_clock::to_time_t(m_start_time)))	1,121✔
330	.encode(static_cast<size_t>(m_version.major_version()))	1,121✔
331	.encode(static_cast<size_t>(m_version.minor_version()))	1,121✔
332	.encode(static_cast<size_t>(m_ciphersuite))	1,121✔
333	.encode(static_cast<size_t>(m_connection_side))	1,121✔
334	.encode(m_extended_master_secret)	1,121✔
335	.encode(m_encrypt_then_mac)	1,121✔
336	.encode(m_master_secret, ASN1_Type::OctetString)	1,121✔
337	.start_sequence()	1,491✔
338	.encode_list(m_peer_certs)	1,121✔
339	.end_cons()	1,121✔
340	.encode(ASN1_String(m_server_info.hostname(), ASN1_Type::Utf8String))	3,610✔
341	.encode(ASN1_String(m_server_info.service(), ASN1_Type::Utf8String))	3,363✔
342	.encode(static_cast<size_t>(m_server_info.port()))	1,121✔
343	.encode(static_cast<size_t>(m_srtp_profile))	1,121✔
344
345	// the fields below were introduced for TLS 1.3 session tickets
346	.encode(m_early_data_allowed)	1,121✔
347	.encode(static_cast<size_t>(m_max_early_data_bytes))	1,121✔
348	.encode(static_cast<size_t>(m_ticket_age_add))	1,121✔
349	.encode(static_cast<size_t>(m_lifetime_hint.count()))	1,121✔
350	.end_cons()	1,121✔
351	.get_contents();	2,242✔
352	}
353
354	std::string Session::PEM_encode() const { return PEM_Code::encode(this->DER_encode(), "TLS SESSION"); }	6✔
355
356	secure_vector<uint8_t> Session::extract_master_secret() {	177✔
357	BOTAN_STATE_CHECK(!m_master_secret.empty());	177✔
358	return std::exchange(m_master_secret, {});	177✔
359	}
360
361	namespace {
362
363	// The output length of the HMAC must be a valid keylength for the AEAD
364	const char* const TLS_SESSION_CRYPT_HMAC = "HMAC(SHA-512-256)";
365	// SIV would be better, but we can't assume it is available
366	const char* const TLS_SESSION_CRYPT_AEAD = "AES-256/GCM";
367	const char* const TLS_SESSION_CRYPT_KEY_NAME = "BOTAN TLS SESSION KEY NAME";
368	const uint64_t TLS_SESSION_CRYPT_MAGIC = 0x068B5A9D396C0000;
369	const size_t TLS_SESSION_CRYPT_MAGIC_LEN = 8;
370	const size_t TLS_SESSION_CRYPT_KEY_NAME_LEN = 4;
371	const size_t TLS_SESSION_CRYPT_AEAD_NONCE_LEN = 12;
372	const size_t TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN = 16;
373	const size_t TLS_SESSION_CRYPT_AEAD_TAG_SIZE = 16;
374
375	const size_t TLS_SESSION_CRYPT_HDR_LEN = TLS_SESSION_CRYPT_MAGIC_LEN + TLS_SESSION_CRYPT_KEY_NAME_LEN +
376	TLS_SESSION_CRYPT_AEAD_NONCE_LEN + TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN;
377
378	const size_t TLS_SESSION_CRYPT_OVERHEAD = TLS_SESSION_CRYPT_HDR_LEN + TLS_SESSION_CRYPT_AEAD_TAG_SIZE;
379
380	} // namespace
381
382	std::vector<uint8_t> Session::encrypt(const SymmetricKey& key, RandomNumberGenerator& rng) const {	1,113✔
383	auto hmac = MessageAuthenticationCode::create_or_throw(TLS_SESSION_CRYPT_HMAC);	1,113✔
384	hmac->set_key(key);	1,113✔
385
386	// First derive the "key name"
387	std::vector<uint8_t> key_name(hmac->output_length());	1,113✔
388	hmac->update(TLS_SESSION_CRYPT_KEY_NAME);	1,113✔
389	hmac->final(key_name.data());	1,113✔
390	key_name.resize(TLS_SESSION_CRYPT_KEY_NAME_LEN);	1,113✔
391
392	std::vector<uint8_t> aead_nonce;	1,113✔
393	std::vector<uint8_t> key_seed;	1,113✔
394
395	rng.random_vec(aead_nonce, TLS_SESSION_CRYPT_AEAD_NONCE_LEN);	1,113✔
396	rng.random_vec(key_seed, TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN);	1,113✔
397
398	hmac->update(key_seed);	1,113✔
399	const secure_vector<uint8_t> aead_key = hmac->final();	1,113✔
400
401	secure_vector<uint8_t> bits = this->DER_encode();	1,113✔
402
403	// create the header
404	std::vector<uint8_t> buf;	1,113✔
405	buf.reserve(TLS_SESSION_CRYPT_OVERHEAD + bits.size());	1,113✔
406	buf.resize(TLS_SESSION_CRYPT_MAGIC_LEN);	1,113✔
407	store_be(TLS_SESSION_CRYPT_MAGIC, &buf[0]);	1,113✔
408	buf += key_name;	1,113✔
409	buf += key_seed;	1,113✔
410	buf += aead_nonce;	1,113✔
411
412	auto aead = AEAD_Mode::create_or_throw(TLS_SESSION_CRYPT_AEAD, Cipher_Dir::Encryption);	1,113✔
413	BOTAN_ASSERT_NOMSG(aead->valid_nonce_length(TLS_SESSION_CRYPT_AEAD_NONCE_LEN));	1,113✔
414	BOTAN_ASSERT_NOMSG(aead->tag_size() == TLS_SESSION_CRYPT_AEAD_TAG_SIZE);	1,113✔
415	aead->set_key(aead_key);	1,113✔
416	aead->set_associated_data(buf);	1,113✔
417	aead->start(aead_nonce);	1,113✔
418	aead->finish(bits, 0);	1,113✔
419
420	// append the ciphertext
421	buf += bits;	1,113✔
422	return buf;	1,113✔
423	}	7,791✔
424
425	Session Session::decrypt(std::span<const uint8_t> in, const SymmetricKey& key) {	453✔
426	try {	453✔
427	const size_t min_session_size = 48 + 4; // serious under-estimate	453✔
428	if(in.size() < TLS_SESSION_CRYPT_OVERHEAD + min_session_size) {	453✔
429	throw Decoding_Error("Encrypted session too short to be valid");	3✔
430	}
431
432	// TODO: replace those raw pointers with sub-spans into `in`
433	const uint8_t* magic = in.data();	450✔
434	const uint8_t* key_name = magic + TLS_SESSION_CRYPT_MAGIC_LEN;	450✔
435	const uint8_t* key_seed = key_name + TLS_SESSION_CRYPT_KEY_NAME_LEN;	450✔
436	const uint8_t* aead_nonce = key_seed + TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN;	450✔
437	const uint8_t* ctext = aead_nonce + TLS_SESSION_CRYPT_AEAD_NONCE_LEN;	450✔
438	const size_t ctext_len = in.size() - TLS_SESSION_CRYPT_HDR_LEN; // includes the tag	450✔
439
440	if(load_be<uint64_t>(magic, 0) != TLS_SESSION_CRYPT_MAGIC) {	450✔
441	throw Decoding_Error("Missing expected magic numbers");	×
442	}
443
444	auto hmac = MessageAuthenticationCode::create_or_throw(TLS_SESSION_CRYPT_HMAC);	450✔
445	hmac->set_key(key);	450✔
446
447	// First derive and check the "key name"
448	std::vector<uint8_t> cmp_key_name(hmac->output_length());	454✔
449	hmac->update(TLS_SESSION_CRYPT_KEY_NAME);	450✔
450	hmac->final(cmp_key_name.data());	450✔
451
452	if(same_mem(cmp_key_name.data(), key_name, TLS_SESSION_CRYPT_KEY_NAME_LEN) == false) {	900✔
453	throw Decoding_Error("Wrong key name for encrypted session");	1✔
454	}
455
456	hmac->update(key_seed, TLS_SESSION_CRYPT_AEAD_KEY_SEED_LEN);	449✔
457	const secure_vector<uint8_t> aead_key = hmac->final();	449✔
458
459	auto aead = AEAD_Mode::create_or_throw(TLS_SESSION_CRYPT_AEAD, Cipher_Dir::Decryption);	452✔
460	aead->set_key(aead_key);	449✔
461	aead->set_associated_data(in.data(), TLS_SESSION_CRYPT_HDR_LEN);	449✔
462	aead->start(aead_nonce, TLS_SESSION_CRYPT_AEAD_NONCE_LEN);	449✔
463	secure_vector<uint8_t> buf(ctext, ctext + ctext_len);	452✔
464	aead->finish(buf, 0);	449✔
465	return Session(buf);	449✔
466	} catch(std::exception& e) {	2,250✔
467	throw Decoding_Error("Failed to decrypt serialized TLS session: " + std::string(e.what()));	14✔
468	}	7✔
469	}
470
471	} // namespace Botan::TLS

randombit / botan / 5123321399

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous