6449915476

Committed 08 Oct 2023 08:52PM UTC coverage: 91.697% (+0.005%) from 91.692%

Build # 6449915476

Build Type

push

github

Committed by

web-flow

Commit Message

Merge pull request #3729 from randombit/jack/enum-for-group-params

Wrap TLS::Group_Params enum in a class

Run Details

79979 of 87221 relevant lines covered (91.7%)

8572940.26 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

90.48

/src/lib/tls/tls12/msg_server_kex.cpp

/*
* Server Key Exchange Message
* (C) 2004-2010,2012,2015,2016 Jack Lloyd
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/tls_messages.h>

#include <botan/credentials_manager.h>
#include <botan/pubkey.h>
#include <botan/tls_extensions.h>
#include <botan/internal/loadstor.h>
#include <botan/internal/tls_handshake_io.h>
#include <botan/internal/tls_handshake_state.h>
#include <botan/internal/tls_reader.h>

#include <botan/dh.h>
#include <botan/dl_group.h>
#include <botan/ecdh.h>

#if defined(BOTAN_HAS_CURVE_25519)
   #include <botan/curve25519.h>
#endif

namespace Botan::TLS {

/**
* Create a new Server Key Exchange message
*/
Server_Key_Exchange::Server_Key_Exchange(Handshake_IO& io,
                                         Handshake_State& state,
                                         const Policy& policy,
                                         Credentials_Manager& creds,
                                         RandomNumberGenerator& rng,
                                         const Private_Key* signing_key) {
   const std::string hostname = state.client_hello()->sni_hostname();
   const Kex_Algo kex_algo = state.ciphersuite().kex_method();

   if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::ECDHE_PSK) {
      std::string identity_hint = creds.psk_identity_hint("tls-server", hostname);

      append_tls_length_value(m_params, identity_hint, 2);
   }

   if(kex_algo == Kex_Algo::DH) {
      const std::vector<Group_Params> dh_groups = state.client_hello()->supported_dh_groups();

      m_shared_group = Group_Params::NONE;

      /*
      If the client does not send any DH groups that we recognize in
      the supported groups extension, but does offer DH ciphersuites,
      we select a group arbitrarily
      */

      if(dh_groups.empty()) {
         m_shared_group = policy.default_dh_group();
      } else {
         m_shared_group = policy.choose_key_exchange_group(dh_groups, {});
      }

      if(m_shared_group.value() == Group_Params::NONE) {
         throw TLS_Exception(Alert::HandshakeFailure, "Could not agree on a DH group with the client");
      }

      BOTAN_ASSERT(m_shared_group.value().is_dh_named_group(), "DH ciphersuite is using a finite field group");

      // Note: TLS 1.2 allows defining and using arbitrary DH groups (additional
      //       to the named and standardized ones). This API doesn't allow the
      //       server to make use of that at the moment. TLS 1.3 does not
      //       provide this flexibility!
      //
      // A possible implementation strategy in case one would ever need that:
      // `Policy::default_dh_group()` could return a `std::variant<Group_Params,
      // DL_Group>`, allowing it to define arbitrary groups.
      m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);
      auto dh = dynamic_cast<DH_PrivateKey*>(m_kex_key.get());
      if(!dh) {
         throw TLS_Exception(Alert::InternalError, "Application did not provide a Diffie-Hellman key");
      }

      append_tls_length_value(m_params, BigInt::encode(dh->get_int_field("p")), 2);
      append_tls_length_value(m_params, BigInt::encode(dh->get_int_field("g")), 2);
      append_tls_length_value(m_params, dh->public_value(), 2);
   } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {
      const std::vector<Group_Params> ec_groups = state.client_hello()->supported_ecc_curves();

      if(ec_groups.empty()) {
         throw Internal_Error("Client sent no ECC extension but we negotiated ECDH");
      }

      m_shared_group = policy.choose_key_exchange_group(ec_groups, {});

      if(m_shared_group.value() == Group_Params::NONE) {
         throw TLS_Exception(Alert::HandshakeFailure, "No shared ECC group with client");
      }

      std::vector<uint8_t> ecdh_public_val;

      if(m_shared_group.value() == Group_Params::X25519) {
         m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);
         if(!m_kex_key) {
            throw TLS_Exception(Alert::InternalError, "Application did not provide a X25519 key");
         }
         ecdh_public_val = m_kex_key->public_value();
      } else {
         m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);
         auto ecdh = dynamic_cast<ECDH_PrivateKey*>(m_kex_key.get());
         if(!ecdh) {
            throw TLS_Exception(Alert::InternalError, "Application did not provide a EC-Diffie-Hellman key");
         }

         // follow client's preference for point compression
         ecdh_public_val =
            ecdh->public_value(state.client_hello()->prefers_compressed_ec_points() ? EC_Point_Format::Compressed
                                                                                    : EC_Point_Format::Uncompressed);
      }

      const uint16_t named_curve_id = m_shared_group.value().wire_code();
      m_params.push_back(3);  // named curve
      m_params.push_back(get_byte<0>(named_curve_id));
      m_params.push_back(get_byte<1>(named_curve_id));

      append_tls_length_value(m_params, ecdh_public_val, 1);
   } else if(kex_algo != Kex_Algo::PSK) {
      throw Internal_Error("Server_Key_Exchange: Unknown kex type " + kex_method_to_string(kex_algo));
   }

   if(state.ciphersuite().signature_used()) {
      BOTAN_ASSERT(signing_key, "Signing key was set");

      std::pair<std::string, Signature_Format> format = state.choose_sig_format(*signing_key, m_scheme, false, policy);

      std::vector<uint8_t> buf = state.client_hello()->random();

      buf += state.server_hello()->random();
      buf += params();

      m_signature = state.callbacks().tls_sign_message(*signing_key, rng, format.first, format.second, buf);
   }

   state.hash().update(io.send(*this));
}

/**
* Deserialize a Server Key Exchange message
*/
Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf,
                                         const Kex_Algo kex_algo,
                                         const Auth_Method auth_method,
                                         Protocol_Version version) {
   BOTAN_UNUSED(version);  // remove this
   TLS_Data_Reader reader("ServerKeyExchange", buf);

   /*
   * Here we are deserializing enough to find out what offset the
   * signature is at. All processing is done when the Client Key Exchange
   * is prepared.
   */

   if(kex_algo == Kex_Algo::PSK || kex_algo == Kex_Algo::ECDHE_PSK) {
      reader.get_string(2, 0, 65535);  // identity hint
   }

   if(kex_algo == Kex_Algo::DH) {
      // 3 bigints, DH p, g, Y

      for(size_t i = 0; i != 3; ++i) {
         reader.get_range<uint8_t>(2, 1, 65535);
      }
   } else if(kex_algo == Kex_Algo::ECDH || kex_algo == Kex_Algo::ECDHE_PSK) {
      reader.get_byte();                     // curve type
      reader.get_uint16_t();                 // curve id
      reader.get_range<uint8_t>(1, 1, 255);  // public key
   } else if(kex_algo != Kex_Algo::PSK) {
      throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_method_to_string(kex_algo));
   }

   m_params.assign(buf.data(), buf.data() + reader.read_so_far());

   if(auth_method != Auth_Method::IMPLICIT) {
      m_scheme = Signature_Scheme(reader.get_uint16_t());
      m_signature = reader.get_range<uint8_t>(2, 0, 65535);
   }

   reader.assert_done();
}

/**
* Serialize a Server Key Exchange message
*/
std::vector<uint8_t> Server_Key_Exchange::serialize() const {
   std::vector<uint8_t> buf = params();

   if(!m_signature.empty()) {
      if(m_scheme.is_set()) {
         buf.push_back(get_byte<0>(m_scheme.wire_code()));
         buf.push_back(get_byte<1>(m_scheme.wire_code()));
      }

      append_tls_length_value(buf, m_signature, 2);
   }

   return buf;
}

/**
* Verify a Server Key Exchange message
*/
bool Server_Key_Exchange::verify(const Public_Key& server_key,
                                 const Handshake_State& state,
                                 const Policy& policy) const {
   policy.check_peer_key_acceptable(server_key);

   std::pair<std::string, Signature_Format> format =
      state.parse_sig_format(server_key, m_scheme, state.client_hello()->signature_schemes(), false, policy);

   std::vector<uint8_t> buf = state.client_hello()->random();

   buf += state.server_hello()->random();
   buf += params();

   const bool signature_valid =
      state.callbacks().tls_verify_message(server_key, format.first, format.second, buf, m_signature);

#if defined(BOTAN_UNSAFE_FUZZER_MODE)
   BOTAN_UNUSED(signature_valid);
   return true;
#else
   return signature_valid;
#endif
}

const PK_Key_Agreement_Key& Server_Key_Exchange::server_kex_key() const {
   BOTAN_ASSERT_NONNULL(m_kex_key);
   return *m_kex_key;
}

}  // namespace Botan::TLS

1	/*
2	* Server Key Exchange Message
3	* (C) 2004-2010,2012,2015,2016 Jack Lloyd
4	* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5	*
6	* Botan is released under the Simplified BSD License (see license.txt)
7	*/
8
9	#include <botan/tls_messages.h>
10
11	#include <botan/credentials_manager.h>
12	#include <botan/pubkey.h>
13	#include <botan/tls_extensions.h>
14	#include <botan/internal/loadstor.h>
15	#include <botan/internal/tls_handshake_io.h>
16	#include <botan/internal/tls_handshake_state.h>
17	#include <botan/internal/tls_reader.h>
18
19	#include <botan/dh.h>
20	#include <botan/dl_group.h>
21	#include <botan/ecdh.h>
22
23	#if defined(BOTAN_HAS_CURVE_25519)
24	#include <botan/curve25519.h>
25	#endif
26
27	namespace Botan::TLS {
28
29	/**
30	* Create a new Server Key Exchange message
31	*/
32	Server_Key_Exchange::Server_Key_Exchange(Handshake_IO& io,	596✔
33	Handshake_State& state,
34	const Policy& policy,
35	Credentials_Manager& creds,
36	RandomNumberGenerator& rng,
37	const Private_Key* signing_key) {	596✔
38	const std::string hostname = state.client_hello()->sni_hostname();	596✔
39	const Kex_Algo kex_algo = state.ciphersuite().kex_method();	596✔
40
41	if(kex_algo == Kex_Algo::PSK \|\| kex_algo == Kex_Algo::ECDHE_PSK) {	596✔
42	std::string identity_hint = creds.psk_identity_hint("tls-server", hostname);	44✔
43
44	append_tls_length_value(m_params, identity_hint, 2);	88✔
45	}	44✔
46
47	if(kex_algo == Kex_Algo::DH) {	596✔
48	const std::vector<Group_Params> dh_groups = state.client_hello()->supported_dh_groups();	4✔
49
50	m_shared_group = Group_Params::NONE;	4✔
51
52	/*
53	If the client does not send any DH groups that we recognize in
54	the supported groups extension, but does offer DH ciphersuites,
55	we select a group arbitrarily
56	*/
57
58	if(dh_groups.empty()) {	4✔
59	m_shared_group = policy.default_dh_group();	×
60	} else {
61	m_shared_group = policy.choose_key_exchange_group(dh_groups, {});	8✔
62	}
63
64	if(m_shared_group.value() == Group_Params::NONE) {	4✔
65	throw TLS_Exception(Alert::HandshakeFailure, "Could not agree on a DH group with the client");	×
66	}
67
68	BOTAN_ASSERT(m_shared_group.value().is_dh_named_group(), "DH ciphersuite is using a finite field group");	4✔
69
70	// Note: TLS 1.2 allows defining and using arbitrary DH groups (additional
71	// to the named and standardized ones). This API doesn't allow the
72	// server to make use of that at the moment. TLS 1.3 does not
73	// provide this flexibility!
74	//
75	// A possible implementation strategy in case one would ever need that:
76	// `Policy::default_dh_group()` could return a `std::variant<Group_Params,
77	// DL_Group>`, allowing it to define arbitrary groups.
78	m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);	4✔
79	auto dh = dynamic_cast<DH_PrivateKey*>(m_kex_key.get());	4✔
80	if(!dh) {	4✔
81	throw TLS_Exception(Alert::InternalError, "Application did not provide a Diffie-Hellman key");	×
82	}
83
84	append_tls_length_value(m_params, BigInt::encode(dh->get_int_field("p")), 2);	8✔
85	append_tls_length_value(m_params, BigInt::encode(dh->get_int_field("g")), 2);	8✔
86	append_tls_length_value(m_params, dh->public_value(), 2);	12✔
87	} else if(kex_algo == Kex_Algo::ECDH \|\| kex_algo == Kex_Algo::ECDHE_PSK) {	596✔
88	const std::vector<Group_Params> ec_groups = state.client_hello()->supported_ecc_curves();	559✔
89
90	if(ec_groups.empty()) {	559✔
91	throw Internal_Error("Client sent no ECC extension but we negotiated ECDH");	×
92	}
93
94	m_shared_group = policy.choose_key_exchange_group(ec_groups, {});	1,118✔
95
96	if(m_shared_group.value() == Group_Params::NONE) {	559✔
97	throw TLS_Exception(Alert::HandshakeFailure, "No shared ECC group with client");	×
98	}
99
100	std::vector<uint8_t> ecdh_public_val;	559✔
101
102	if(m_shared_group.value() == Group_Params::X25519) {	559✔
103	m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);	546✔
104	if(!m_kex_key) {	546✔
105	throw TLS_Exception(Alert::InternalError, "Application did not provide a X25519 key");	×
106	}
107	ecdh_public_val = m_kex_key->public_value();	1,092✔
108	} else {
109	m_kex_key = state.callbacks().tls_generate_ephemeral_key(m_shared_group.value(), rng);	13✔
110	auto ecdh = dynamic_cast<ECDH_PrivateKey*>(m_kex_key.get());	13✔
111	if(!ecdh) {	13✔
112	throw TLS_Exception(Alert::InternalError, "Application did not provide a EC-Diffie-Hellman key");	×
113	}
114
115	// follow client's preference for point compression
116	ecdh_public_val =	13✔
117	ecdh->public_value(state.client_hello()->prefers_compressed_ec_points() ? EC_Point_Format::Compressed	39✔
118	: EC_Point_Format::Uncompressed);	13✔
119	}
120
121	const uint16_t named_curve_id = m_shared_group.value().wire_code();	559✔
122	m_params.push_back(3); // named curve	559✔
123	m_params.push_back(get_byte<0>(named_curve_id));	559✔
124	m_params.push_back(get_byte<1>(named_curve_id));	559✔
125
126	append_tls_length_value(m_params, ecdh_public_val, 1);	1,118✔
127	} else if(kex_algo != Kex_Algo::PSK) {	1,151✔
128	throw Internal_Error("Server_Key_Exchange: Unknown kex type " + kex_method_to_string(kex_algo));	×
129	}
130
131	if(state.ciphersuite().signature_used()) {	596✔
132	BOTAN_ASSERT(signing_key, "Signing key was set");	552✔
133
134	std::pair<std::string, Signature_Format> format = state.choose_sig_format(*signing_key, m_scheme, false, policy);	552✔
135
136	std::vector<uint8_t> buf = state.client_hello()->random();	552✔
137
138	buf += state.server_hello()->random();	552✔
139	buf += params();	552✔
140
141	m_signature = state.callbacks().tls_sign_message(*signing_key, rng, format.first, format.second, buf);	552✔
142	}	1,003✔
143
144	state.hash().update(io.send(*this));	1,786✔
145	}	598✔
146
147	/**
148	* Deserialize a Server Key Exchange message
149	*/
150	Server_Key_Exchange::Server_Key_Exchange(const std::vector<uint8_t>& buf,	743✔
151	const Kex_Algo kex_algo,
152	const Auth_Method auth_method,
153	Protocol_Version version) {	743✔
154	BOTAN_UNUSED(version); // remove this	743✔
155	TLS_Data_Reader reader("ServerKeyExchange", buf);	743✔
156
157	/*
158	* Here we are deserializing enough to find out what offset the
159	* signature is at. All processing is done when the Client Key Exchange
160	* is prepared.
161	*/
162
163	if(kex_algo == Kex_Algo::PSK \|\| kex_algo == Kex_Algo::ECDHE_PSK) {	743✔
164	reader.get_string(2, 0, 65535); // identity hint	102✔
165	}
166
167	if(kex_algo == Kex_Algo::DH) {	743✔
168	// 3 bigints, DH p, g, Y
169
170	for(size_t i = 0; i != 3; ++i) {	16✔
171	reader.get_range<uint8_t>(2, 1, 65535);	24✔
172	}
173	} else if(kex_algo == Kex_Algo::ECDH \|\| kex_algo == Kex_Algo::ECDHE_PSK) {	739✔
174	reader.get_byte(); // curve type	713✔
175	reader.get_uint16_t(); // curve id	713✔
176	reader.get_range<uint8_t>(1, 1, 255); // public key	1,426✔
177	} else if(kex_algo != Kex_Algo::PSK) {	26✔
178	throw Decoding_Error("Server_Key_Exchange: Unsupported kex type " + kex_method_to_string(kex_algo));	×
179	}
180
181	m_params.assign(buf.data(), buf.data() + reader.read_so_far());	743✔
182
183	if(auth_method != Auth_Method::IMPLICIT) {	743✔
184	m_scheme = Signature_Scheme(reader.get_uint16_t());	692✔
185	m_signature = reader.get_range<uint8_t>(2, 0, 65535);	692✔
186	}
187
188	reader.assert_done();	743✔
189	}	747✔
190
191	/**
192	* Serialize a Server Key Exchange message
193	*/
194	std::vector<uint8_t> Server_Key_Exchange::serialize() const {	596✔
195	std::vector<uint8_t> buf = params();	596✔
196
197	if(!m_signature.empty()) {	596✔
198	if(m_scheme.is_set()) {	552✔
199	buf.push_back(get_byte<0>(m_scheme.wire_code()));	552✔
200	buf.push_back(get_byte<1>(m_scheme.wire_code()));	552✔
201	}
202
203	append_tls_length_value(buf, m_signature, 2);	552✔
204	}
205
206	return buf;	596✔
207	}	×
208
209	/**
210	* Verify a Server Key Exchange message
211	*/
212	bool Server_Key_Exchange::verify(const Public_Key& server_key,	690✔
213	const Handshake_State& state,
214	const Policy& policy) const {
215	policy.check_peer_key_acceptable(server_key);	690✔
216
217	std::pair<std::string, Signature_Format> format =	690✔
218	state.parse_sig_format(server_key, m_scheme, state.client_hello()->signature_schemes(), false, policy);	690✔
219
220	std::vector<uint8_t> buf = state.client_hello()->random();	688✔
221
222	buf += state.server_hello()->random();	688✔
223	buf += params();	688✔
224
225	const bool signature_valid =	688✔
226	state.callbacks().tls_verify_message(server_key, format.first, format.second, buf, m_signature);	688✔
227
228	#if defined(BOTAN_UNSAFE_FUZZER_MODE)
229	BOTAN_UNUSED(signature_valid);
230	return true;
231	#else
232	return signature_valid;	688✔
233	#endif
234	}	1,253✔
235
236	const PK_Key_Agreement_Key& Server_Key_Exchange::server_kex_key() const {	548✔
237	BOTAN_ASSERT_NONNULL(m_kex_key);	548✔
238	return *m_kex_key;	548✔
239	}
240
241	} // namespace Botan::TLS

randombit / botan / 6449915476

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous