12548935066

Committed 30 Dec 2024 04:04PM UTC coverage: 91.262% (+0.05%) from 91.208%

Build # 12548935066

Build Type

Pull #4507

github

Committed by

web-flow

Commit Message

Merge 3aca433ed into 9b8f3cc80

Pull Request Pull Request #4507: Remove support for Kyber r3 key exchange in TLS

Run Details

93394 of 102336 relevant lines covered (91.26%)

11408572.15 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

85.63

/src/lib/tls/tls_callbacks.cpp

/*
* TLS Callbacks
* (C) 2016 Jack Lloyd
*     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*     2022 René Meusel, Hannes Rantzsch - neXenio GmbH
*     2023 René Meusel - Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/

#include <botan/tls_callbacks.h>

#include <botan/dh.h>
#include <botan/dl_group.h>
#include <botan/ecdh.h>
#include <botan/ocsp.h>
#include <botan/pk_algs.h>
#include <botan/tls_algos.h>
#include <botan/tls_exceptn.h>
#include <botan/tls_policy.h>
#include <botan/x509path.h>
#include <botan/internal/ct_utils.h>
#include <botan/internal/stl_util.h>

#if defined(BOTAN_HAS_X25519)
   #include <botan/x25519.h>
#endif

#if defined(BOTAN_HAS_X448)
   #include <botan/x448.h>
#endif

#if defined(BOTAN_HAS_ML_KEM)
   #include <botan/ml_kem.h>
#endif

#if defined(BOTAN_HAS_FRODOKEM)
   #include <botan/frodokem.h>
#endif

#if defined(BOTAN_HAS_TLS_13_PQC)
   #include <botan/internal/hybrid_public_key.h>
#endif

namespace Botan {

void TLS::Callbacks::tls_inspect_handshake_msg(const Handshake_Message& /*unused*/) {
   // default is no op
}

std::string TLS::Callbacks::tls_server_choose_app_protocol(const std::vector<std::string>& /*unused*/) {
   return "";
}

std::string TLS::Callbacks::tls_peer_network_identity() {
   return "";
}

std::chrono::system_clock::time_point TLS::Callbacks::tls_current_timestamp() {
   return std::chrono::system_clock::now();
}

void TLS::Callbacks::tls_modify_extensions(Extensions& /*unused*/,
                                           Connection_Side /*unused*/,
                                           Handshake_Type /*unused*/) {}

void TLS::Callbacks::tls_examine_extensions(const Extensions& /*unused*/,
                                            Connection_Side /*unused*/,
                                            Handshake_Type /*unused*/) {}

bool TLS::Callbacks::tls_should_persist_resumption_information(const Session& session) {
   // RFC 5077 3.3
   //    The ticket_lifetime_hint field contains a hint from the server about
   //    how long the ticket should be stored. A value of zero is reserved to
   //    indicate that the lifetime of the ticket is unspecified.
   //
   // RFC 8446 4.6.1
   //    [A ticket_lifetime] of zero indicates that the ticket should be discarded
   //    immediately.
   //
   // By default we opt to keep all sessions, except for TLS 1.3 with a lifetime
   // hint of zero.
   return session.lifetime_hint().count() > 0 || session.version().is_pre_tls_13();
}

void TLS::Callbacks::tls_verify_cert_chain(const std::vector<X509_Certificate>& cert_chain,
                                           const std::vector<std::optional<OCSP::Response>>& ocsp_responses,
                                           const std::vector<Certificate_Store*>& trusted_roots,
                                           Usage_Type usage,
                                           std::string_view hostname,
                                           const TLS::Policy& policy) {
   if(cert_chain.empty()) {
      throw Invalid_Argument("Certificate chain was empty");
   }

   Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),
                                             policy.minimum_signature_strength());

   Path_Validation_Result result = x509_path_validate(cert_chain,
                                                      restrictions,
                                                      trusted_roots,
                                                      hostname,
                                                      usage,
                                                      tls_current_timestamp(),
                                                      tls_verify_cert_chain_ocsp_timeout(),
                                                      ocsp_responses);

   if(!result.successful_validation()) {
      throw TLS_Exception(Alert::BadCertificate, "Certificate validation failure: " + result.result_string());
   }
}

void TLS::Callbacks::tls_verify_raw_public_key(const Public_Key& raw_public_key,
                                               Usage_Type usage,
                                               std::string_view hostname,
                                               const TLS::Policy& policy) {
   BOTAN_UNUSED(raw_public_key, usage, hostname, policy);
   // There is no good default implementation for authenticating raw public key.
   // Applications that wish to use them for authentication, must override this.
   throw TLS_Exception(Alert::CertificateUnknown, "Application did not provide a means to validate the raw public key");
}

std::optional<OCSP::Response> TLS::Callbacks::tls_parse_ocsp_response(const std::vector<uint8_t>& raw_response) {
   try {
      return OCSP::Response(raw_response);
   } catch(const Decoding_Error&) {
      // ignore parsing errors and just ignore the broken OCSP response
      return std::nullopt;
   }
}

std::vector<std::vector<uint8_t>> TLS::Callbacks::tls_provide_cert_chain_status(
   const std::vector<X509_Certificate>& chain, const Certificate_Status_Request& csr) {
   std::vector<std::vector<uint8_t>> result(chain.size());
   if(!chain.empty()) {
      result[0] = tls_provide_cert_status(chain, csr);
   }
   return result;
}

std::vector<uint8_t> TLS::Callbacks::tls_sign_message(const Private_Key& key,
                                                      RandomNumberGenerator& rng,
                                                      std::string_view padding,
                                                      Signature_Format format,
                                                      const std::vector<uint8_t>& msg) {
   PK_Signer signer(key, rng, padding, format);

   return signer.sign_message(msg, rng);
}

bool TLS::Callbacks::tls_verify_message(const Public_Key& key,
                                        std::string_view padding,
                                        Signature_Format format,
                                        const std::vector<uint8_t>& msg,
                                        const std::vector<uint8_t>& sig) {
   PK_Verifier verifier(key, padding, format);

   return verifier.verify_message(msg, sig);
}

namespace {

bool is_dh_group(const std::variant<TLS::Group_Params, DL_Group>& group) {
   return std::holds_alternative<DL_Group>(group) || std::get<TLS::Group_Params>(group).is_dh_named_group();
}

DL_Group get_dl_group(const std::variant<TLS::Group_Params, DL_Group>& group) {
   BOTAN_ASSERT_NOMSG(is_dh_group(group));

   // TLS 1.2 allows specifying arbitrary DL_Group parameters in-lieu of
   // a standardized DH group identifier. TLS 1.3 just offers pre-defined
   // groups.
   return std::visit(
      overloaded{[](const DL_Group& dl_group) { return dl_group; },
                 [&](TLS::Group_Params group_param) { return DL_Group(group_param.to_string().value()); }},
      group);
}

}  // namespace

std::unique_ptr<Public_Key> TLS::Callbacks::tls_deserialize_peer_public_key(
   const std::variant<TLS::Group_Params, DL_Group>& group, std::span<const uint8_t> key_bits) {
   if(is_dh_group(group)) {
      // TLS 1.2 allows specifying arbitrary DL_Group parameters in-lieu of
      // a standardized DH group identifier.
      const auto dl_group = get_dl_group(group);

      auto Y = BigInt::from_bytes(key_bits);

      /*
       * A basic check for key validity. As we do not know q here we
       * cannot check that Y is in the right subgroup. However since
       * our key is ephemeral there does not seem to be any
       * advantage to bogus keys anyway.
       */
      if(Y <= 1 || Y >= dl_group.get_p() - 1) {
         throw Decoding_Error("Server sent bad DH key for DHE exchange");
      }

      return std::make_unique<DH_PublicKey>(dl_group, Y);
   }

   // The special case for TLS 1.2 with an explicit DH group definition is
   // handled above. All other cases are based on the opaque group definition.
   BOTAN_ASSERT_NOMSG(std::holds_alternative<TLS::Group_Params>(group));
   const auto group_params = std::get<TLS::Group_Params>(group);

   if(group_params.is_ecdh_named_curve()) {
      const auto ec_group = EC_Group::from_name(group_params.to_string().value());
      return std::make_unique<ECDH_PublicKey>(ec_group, ec_group.OS2ECP(key_bits));
   }

#if defined(BOTAN_HAS_X25519)
   if(group_params.is_x25519()) {
      return std::make_unique<X25519_PublicKey>(key_bits);
   }
#endif

#if defined(BOTAN_HAS_X448)
   if(group_params.is_x448()) {
      return std::make_unique<X448_PublicKey>(key_bits);
   }
#endif

#if defined(BOTAN_HAS_TLS_13_PQC)
   if(group_params.is_pqc_hybrid()) {
      return Hybrid_KEM_PublicKey::load_for_group(group_params, key_bits);
   }
#endif

#if defined(BOTAN_HAS_ML_KEM)
   if(group_params.is_pure_ml_kem()) {
      return std::make_unique<ML_KEM_PublicKey>(key_bits, ML_KEM_Mode(group_params.to_string().value()));
   }
#endif

#if defined(BOTAN_HAS_FRODOKEM)
   if(group_params.is_pure_frodokem()) {
      return std::make_unique<FrodoKEM_PublicKey>(key_bits, FrodoKEMMode(group_params.to_string().value()));
   }
#endif

   throw Decoding_Error("cannot create a key offering without a group definition");
}

std::unique_ptr<Private_Key> TLS::Callbacks::tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng) {
#if defined(BOTAN_HAS_ML_KEM)
   if(group.is_pure_ml_kem()) {
      return std::make_unique<ML_KEM_PrivateKey>(rng, ML_KEM_Mode(group.to_string().value()));
   }
#endif

#if defined(BOTAN_HAS_FRODOKEM)
   if(group.is_pure_frodokem()) {
      return std::make_unique<FrodoKEM_PrivateKey>(rng, FrodoKEMMode(group.to_string().value()));
   }
#endif

#if defined(BOTAN_HAS_TLS_13_PQC)
   if(group.is_pqc_hybrid()) {
      return Hybrid_KEM_PrivateKey::generate_from_group(group, rng);
   }
#endif

   return tls_generate_ephemeral_key(group, rng);
}

KEM_Encapsulation TLS::Callbacks::tls_kem_encapsulate(TLS::Group_Params group,
                                                      const std::vector<uint8_t>& encoded_public_key,
                                                      RandomNumberGenerator& rng,
                                                      const Policy& policy) {
   if(group.is_kem()) {
      auto kem_pub_key = [&] {
         try {
            return tls_deserialize_peer_public_key(group, encoded_public_key);
         } catch(const Decoding_Error& ex) {
            // This exception means that the public key was invalid. However,
            // TLS' DecodeError would imply that a protocol message was invalid.
            throw TLS_Exception(Alert::IllegalParameter, ex.what());
         }
      }();

      BOTAN_ASSERT_NONNULL(kem_pub_key);
      policy.check_peer_key_acceptable(*kem_pub_key);

      try {
         return PK_KEM_Encryptor(*kem_pub_key, "Raw").encrypt(rng);
      } catch(const Invalid_Argument& ex) {
         throw TLS_Exception(Alert::IllegalParameter, ex.what());
      }
   } else {
      // TODO: We could use the KEX_to_KEM_Adapter to remove the case distinction
      //       of KEM and KEX. However, the workarounds in this adapter class
      //       should first be addressed.
      auto ephemeral_keypair = tls_generate_ephemeral_key(group, rng);
      BOTAN_ASSERT_NONNULL(ephemeral_keypair);
      return {ephemeral_keypair->public_value(),
              tls_ephemeral_key_agreement(group, *ephemeral_keypair, encoded_public_key, rng, policy)};
   }
}

secure_vector<uint8_t> TLS::Callbacks::tls_kem_decapsulate(TLS::Group_Params group,
                                                           const Private_Key& private_key,
                                                           const std::vector<uint8_t>& encapsulated_bytes,
                                                           RandomNumberGenerator& rng,
                                                           const Policy& policy) {
   if(group.is_kem()) {
      PK_KEM_Decryptor kemdec(private_key, rng, "Raw");
      if(encapsulated_bytes.size() != kemdec.encapsulated_key_length()) {
         throw TLS_Exception(Alert::IllegalParameter, "Invalid encapsulated key length");
      }
      return kemdec.decrypt(encapsulated_bytes, 0, {});
   }

   try {
      auto& key_agreement_key = dynamic_cast<const PK_Key_Agreement_Key&>(private_key);
      return tls_ephemeral_key_agreement(group, key_agreement_key, encapsulated_bytes, rng, policy);
   } catch(const std::bad_cast&) {
      throw Invalid_Argument("provided ephemeral key is not a PK_Key_Agreement_Key");
   }
}

std::unique_ptr<PK_Key_Agreement_Key> TLS::Callbacks::tls_generate_ephemeral_key(
   const std::variant<TLS::Group_Params, DL_Group>& group, RandomNumberGenerator& rng) {
   if(is_dh_group(group)) {
      const DL_Group dl_group = get_dl_group(group);
      return std::make_unique<DH_PrivateKey>(rng, dl_group);
   }

   BOTAN_ASSERT_NOMSG(std::holds_alternative<TLS::Group_Params>(group));
   const auto group_params = std::get<TLS::Group_Params>(group);

   if(group_params.is_ecdh_named_curve()) {
      const auto ec_group = EC_Group::from_name(group_params.to_string().value());
      return std::make_unique<ECDH_PrivateKey>(rng, ec_group);
   }

#if defined(BOTAN_HAS_X25519)
   if(group_params.is_x25519()) {
      return std::make_unique<X25519_PrivateKey>(rng);
   }
#endif

#if defined(BOTAN_HAS_X448)
   if(group_params.is_x448()) {
      return std::make_unique<X448_PrivateKey>(rng);
   }
#endif

   if(group_params.is_kem()) {
      throw TLS_Exception(Alert::IllegalParameter, "cannot generate an ephemeral KEX key for a KEM");
   }

   throw TLS_Exception(Alert::DecodeError, "cannot create a key offering without a group definition");
}

secure_vector<uint8_t> TLS::Callbacks::tls_ephemeral_key_agreement(
   const std::variant<TLS::Group_Params, DL_Group>& group,
   const PK_Key_Agreement_Key& private_key,
   const std::vector<uint8_t>& public_value,
   RandomNumberGenerator& rng,
   const Policy& policy) {
   const auto kex_pub_key = [&]() {
      try {
         return tls_deserialize_peer_public_key(group, public_value);
      } catch(const Decoding_Error& ex) {
         // This exception means that the public key was invalid. However,
         // TLS' DecodeError would imply that a protocol message was invalid.
         throw TLS_Exception(Alert::IllegalParameter, ex.what());
      }
   }();

   BOTAN_ASSERT_NONNULL(kex_pub_key);
   policy.check_peer_key_acceptable(*kex_pub_key);

   // RFC 8422 - 5.11.
   //   With X25519 and X448, a receiving party MUST check whether the
   //   computed premaster secret is the all-zero value and abort the
   //   handshake if so, as described in Section 6 of [RFC7748].
   //
   // This is done within the key agreement operation and throws
   // an Invalid_Argument exception if the shared secret is all-zero.
   try {
      PK_Key_Agreement ka(private_key, rng, "Raw");
      return ka.derive_key(0, kex_pub_key->raw_public_key_bits()).bits_of();
   } catch(const Invalid_Argument& ex) {
      throw TLS_Exception(Alert::IllegalParameter, ex.what());
   }
}

}  // namespace Botan

1	/*
2	* TLS Callbacks
3	* (C) 2016 Jack Lloyd
4	* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
5	* 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
6	* 2023 René Meusel - Rohde & Schwarz Cybersecurity
7	*
8	* Botan is released under the Simplified BSD License (see license.txt)
9	*/
10
11	#include <botan/tls_callbacks.h>
12
13	#include <botan/dh.h>
14	#include <botan/dl_group.h>
15	#include <botan/ecdh.h>
16	#include <botan/ocsp.h>
17	#include <botan/pk_algs.h>
18	#include <botan/tls_algos.h>
19	#include <botan/tls_exceptn.h>
20	#include <botan/tls_policy.h>
21	#include <botan/x509path.h>
22	#include <botan/internal/ct_utils.h>
23	#include <botan/internal/stl_util.h>
24
25	#if defined(BOTAN_HAS_X25519)
26	#include <botan/x25519.h>
27	#endif
28
29	#if defined(BOTAN_HAS_X448)
30	#include <botan/x448.h>
31	#endif
32
33	#if defined(BOTAN_HAS_ML_KEM)
34	#include <botan/ml_kem.h>
35	#endif
36
37	#if defined(BOTAN_HAS_FRODOKEM)
38	#include <botan/frodokem.h>
39	#endif
40
41	#if defined(BOTAN_HAS_TLS_13_PQC)
42	#include <botan/internal/hybrid_public_key.h>
43	#endif
44
45	namespace Botan {
46
47	void TLS::Callbacks::tls_inspect_handshake_msg(const Handshake_Message& /unused/) {	5,830✔
48	// default is no op
49	}	5,830✔
50
51	std::string TLS::Callbacks::tls_server_choose_app_protocol(const std::vector<std::string>& /unused/) {	×
52	return "";	×
53	}
54
55	std::string TLS::Callbacks::tls_peer_network_identity() {	786✔
56	return "";	786✔
57	}
58
59	std::chrono::system_clock::time_point TLS::Callbacks::tls_current_timestamp() {	5,124✔
60	return std::chrono::system_clock::now();	5,124✔
61	}
62
63	void TLS::Callbacks::tls_modify_extensions(Extensions& /unused/,	2,184✔
64	Connection_Side /unused/,
65	Handshake_Type /unused/) {}	2,184✔
66
67	void TLS::Callbacks::tls_examine_extensions(const Extensions& /unused/,	4,306✔
68	Connection_Side /unused/,
69	Handshake_Type /unused/) {}	4,306✔
70
71	bool TLS::Callbacks::tls_should_persist_resumption_information(const Session& session) {	2,600✔
72	// RFC 5077 3.3
73	// The ticket_lifetime_hint field contains a hint from the server about
74	// how long the ticket should be stored. A value of zero is reserved to
75	// indicate that the lifetime of the ticket is unspecified.
76	//
77	// RFC 8446 4.6.1
78	// [A ticket_lifetime] of zero indicates that the ticket should be discarded
79	// immediately.
80	//
81	// By default we opt to keep all sessions, except for TLS 1.3 with a lifetime
82	// hint of zero.
83	return session.lifetime_hint().count() > 0 \|\| session.version().is_pre_tls_13();	2,600✔
84	}
85
86	void TLS::Callbacks::tls_verify_cert_chain(const std::vector<X509_Certificate>& cert_chain,	110✔
87	const std::vector<std::optional<OCSP::Response>>& ocsp_responses,
88	const std::vector<Certificate_Store*>& trusted_roots,
89	Usage_Type usage,
90	std::string_view hostname,
91	const TLS::Policy& policy) {
92	if(cert_chain.empty()) {	110✔
93	throw Invalid_Argument("Certificate chain was empty");	×
94	}
95
96	Path_Validation_Restrictions restrictions(policy.require_cert_revocation_info(),	110✔
97	policy.minimum_signature_strength());	330✔
98
99	Path_Validation_Result result = x509_path_validate(cert_chain,	110✔
100	restrictions,
101	trusted_roots,
102	hostname,
103	usage,
104	tls_current_timestamp(),	110✔
105	tls_verify_cert_chain_ocsp_timeout(),	110✔
106	ocsp_responses);	110✔
107
108	if(!result.successful_validation()) {	110✔
109	throw TLS_Exception(Alert::BadCertificate, "Certificate validation failure: " + result.result_string());	×
110	}
111	}	110✔
112
113	void TLS::Callbacks::tls_verify_raw_public_key(const Public_Key& raw_public_key,	×
114	Usage_Type usage,
115	std::string_view hostname,
116	const TLS::Policy& policy) {
117	BOTAN_UNUSED(raw_public_key, usage, hostname, policy);	×
118	// There is no good default implementation for authenticating raw public key.
119	// Applications that wish to use them for authentication, must override this.
120	throw TLS_Exception(Alert::CertificateUnknown, "Application did not provide a means to validate the raw public key");	×
121	}
122
123	std::optional<OCSP::Response> TLS::Callbacks::tls_parse_ocsp_response(const std::vector<uint8_t>& raw_response) {	×
124	try {	×
125	return OCSP::Response(raw_response);	×
126	} catch(const Decoding_Error&) {	×
127	// ignore parsing errors and just ignore the broken OCSP response
128	return std::nullopt;	×
129	}	×
130	}
131
132	std::vector<std::vector<uint8_t>> TLS::Callbacks::tls_provide_cert_chain_status(	254✔
133	const std::vector<X509_Certificate>& chain, const Certificate_Status_Request& csr) {
134	std::vector<std::vector<uint8_t>> result(chain.size());	254✔
135	if(!chain.empty()) {	254✔
136	result[0] = tls_provide_cert_status(chain, csr);	254✔
137	}
138	return result;	246✔
139	}	8✔
140
141	std::vector<uint8_t> TLS::Callbacks::tls_sign_message(const Private_Key& key,	986✔
142	RandomNumberGenerator& rng,
143	std::string_view padding,
144	Signature_Format format,
145	const std::vector<uint8_t>& msg) {
146	PK_Signer signer(key, rng, padding, format);	986✔
147
148	return signer.sign_message(msg, rng);	1,971✔
149	}	986✔
150
151	bool TLS::Callbacks::tls_verify_message(const Public_Key& key,	1,229✔
152	std::string_view padding,
153	Signature_Format format,
154	const std::vector<uint8_t>& msg,
155	const std::vector<uint8_t>& sig) {
156	PK_Verifier verifier(key, padding, format);	1,229✔
157
158	return verifier.verify_message(msg, sig);	2,458✔
159	}	1,229✔
160
161	namespace {
162
163	bool is_dh_group(const std::variant<TLS::Group_Params, DL_Group>& group) {	4,848✔
164	return std::holds_alternative<DL_Group>(group) \|\| std::get<TLS::Group_Params>(group).is_dh_named_group();	9,672✔
165	}
166
167	DL_Group get_dl_group(const std::variant<TLS::Group_Params, DL_Group>& group) {	28✔
168	BOTAN_ASSERT_NOMSG(is_dh_group(group));	28✔
169
170	// TLS 1.2 allows specifying arbitrary DL_Group parameters in-lieu of
171	// a standardized DH group identifier. TLS 1.3 just offers pre-defined
172	// groups.
173	return std::visit(	28✔
174	overloaded{[](const DL_Group& dl_group) { return dl_group; },	12✔
175	[&](TLS::Group_Params group_param) { return DL_Group(group_param.to_string().value()); }},	48✔
176	group);	28✔
177	}
178
179	} // namespace
180
181	std::unique_ptr<Public_Key> TLS::Callbacks::tls_deserialize_peer_public_key(	2,104✔
182	const std::variant<TLS::Group_Params, DL_Group>& group, std::span<const uint8_t> key_bits) {
183	if(is_dh_group(group)) {	2,104✔
184	// TLS 1.2 allows specifying arbitrary DL_Group parameters in-lieu of
185	// a standardized DH group identifier.
186	const auto dl_group = get_dl_group(group);	12✔
187
188	auto Y = BigInt::from_bytes(key_bits);	12✔
189
190	/*
191	* A basic check for key validity. As we do not know q here we
192	* cannot check that Y is in the right subgroup. However since
193	* our key is ephemeral there does not seem to be any
194	* advantage to bogus keys anyway.
195	*/
196	if(Y <= 1 \|\| Y >= dl_group.get_p() - 1) {	24✔
197	throw Decoding_Error("Server sent bad DH key for DHE exchange");	×
198	}
199
200	return std::make_unique<DH_PublicKey>(dl_group, Y);	24✔
201	}	24✔
202
203	// The special case for TLS 1.2 with an explicit DH group definition is
204	// handled above. All other cases are based on the opaque group definition.
205	BOTAN_ASSERT_NOMSG(std::holds_alternative<TLS::Group_Params>(group));	2,092✔
206	const auto group_params = std::get<TLS::Group_Params>(group);	2,092✔
207
208	if(group_params.is_ecdh_named_curve()) {	2,092✔
209	const auto ec_group = EC_Group::from_name(group_params.to_string().value());	192✔
210	return std::make_unique<ECDH_PublicKey>(ec_group, ec_group.OS2ECP(key_bits));	156✔
211	}	96✔
212
213	#if defined(BOTAN_HAS_X25519)
214	if(group_params.is_x25519()) {	1,996✔
215	return std::make_unique<X25519_PublicKey>(key_bits);	3,934✔
216	}
217	#endif
218
219	#if defined(BOTAN_HAS_X448)
220	if(group_params.is_x448()) {	25✔
221	return std::make_unique<X448_PublicKey>(key_bits);	8✔
222	}
223	#endif
224
225	#if defined(BOTAN_HAS_TLS_13_PQC)
226	if(group_params.is_pqc_hybrid()) {	21✔
227	return Hybrid_KEM_PublicKey::load_for_group(group_params, key_bits);	37✔
228	}
229	#endif
230
231	#if defined(BOTAN_HAS_ML_KEM)
232	if(group_params.is_pure_ml_kem()) {	1✔
233	return std::make_unique<ML_KEM_PublicKey>(key_bits, ML_KEM_Mode(group_params.to_string().value()));	4✔
234	}
235	#endif
236
237	#if defined(BOTAN_HAS_FRODOKEM)
238	if(group_params.is_pure_frodokem()) {	×
239	return std::make_unique<FrodoKEM_PublicKey>(key_bits, FrodoKEMMode(group_params.to_string().value()));	×
240	}
241	#endif
242
243	throw Decoding_Error("cannot create a key offering without a group definition");	×
244	}
245
246	std::unique_ptr<Private_Key> TLS::Callbacks::tls_kem_generate_key(TLS::Group_Params group, RandomNumberGenerator& rng) {	1,060✔
247	#if defined(BOTAN_HAS_ML_KEM)
248	if(group.is_pure_ml_kem()) {	1,060✔
249	return std::make_unique<ML_KEM_PrivateKey>(rng, ML_KEM_Mode(group.to_string().value()));	3✔
250	}
251	#endif
252
253	#if defined(BOTAN_HAS_FRODOKEM)
254	if(group.is_pure_frodokem()) {	1,059✔
255	return std::make_unique<FrodoKEM_PrivateKey>(rng, FrodoKEMMode(group.to_string().value()));	×
256	}
257	#endif
258
259	#if defined(BOTAN_HAS_TLS_13_PQC)
260	if(group.is_pqc_hybrid()) {	1,059✔
261	return Hybrid_KEM_PrivateKey::generate_from_group(group, rng);	21✔
262	}
263	#endif
264
265	return tls_generate_ephemeral_key(group, rng);	3,114✔
266	}
267
268	KEM_Encapsulation TLS::Callbacks::tls_kem_encapsulate(TLS::Group_Params group,	383✔
269	const std::vector<uint8_t>& encoded_public_key,
270	RandomNumberGenerator& rng,
271	const Policy& policy) {
272	if(group.is_kem()) {	383✔
273	auto kem_pub_key = [&] {	60✔
274	try {	21✔
275	return tls_deserialize_peer_public_key(group, encoded_public_key);	42✔
276	} catch(const Decoding_Error& ex) {	3✔
277	// This exception means that the public key was invalid. However,
278	// TLS' DecodeError would imply that a protocol message was invalid.
279	throw TLS_Exception(Alert::IllegalParameter, ex.what());	3✔
280	}	3✔
281	}();	21✔
282
283	BOTAN_ASSERT_NONNULL(kem_pub_key);	18✔
284	policy.check_peer_key_acceptable(*kem_pub_key);	18✔
285
286	try {	18✔
287	return PK_KEM_Encryptor(*kem_pub_key, "Raw").encrypt(rng);	18✔
288	} catch(const Invalid_Argument& ex) {	1✔
289	throw TLS_Exception(Alert::IllegalParameter, ex.what());	1✔
290	}	1✔
291	} else {	18✔
292	// TODO: We could use the KEX_to_KEM_Adapter to remove the case distinction
293	// of KEM and KEX. However, the workarounds in this adapter class
294	// should first be addressed.
295	auto ephemeral_keypair = tls_generate_ephemeral_key(group, rng);	362✔
296	BOTAN_ASSERT_NONNULL(ephemeral_keypair);	362✔
297	return {ephemeral_keypair->public_value(),	724✔
298	tls_ephemeral_key_agreement(group, *ephemeral_keypair, encoded_public_key, rng, policy)};	724✔
299	}	350✔
300	}
301
302	secure_vector<uint8_t> TLS::Callbacks::tls_kem_decapsulate(TLS::Group_Params group,	442✔
303	const Private_Key& private_key,
304	const std::vector<uint8_t>& encapsulated_bytes,
305	RandomNumberGenerator& rng,
306	const Policy& policy) {
307	if(group.is_kem()) {	442✔
308	PK_KEM_Decryptor kemdec(private_key, rng, "Raw");	22✔
309	if(encapsulated_bytes.size() != kemdec.encapsulated_key_length()) {	22✔
310	throw TLS_Exception(Alert::IllegalParameter, "Invalid encapsulated key length");	2✔
311	}
312	return kemdec.decrypt(encapsulated_bytes, 0, {});	20✔
313	}	22✔
314
315	try {	420✔
316	auto& key_agreement_key = dynamic_cast<const PK_Key_Agreement_Key&>(private_key);	420✔
317	return tls_ephemeral_key_agreement(group, key_agreement_key, encapsulated_bytes, rng, policy);	840✔
318	} catch(const std::bad_cast&) {	12✔
319	throw Invalid_Argument("provided ephemeral key is not a PK_Key_Agreement_Key");	×
320	}	×
321	}
322
323	std::unique_ptr<PK_Key_Agreement_Key> TLS::Callbacks::tls_generate_ephemeral_key(	2,716✔
324	const std::variant<TLS::Group_Params, DL_Group>& group, RandomNumberGenerator& rng) {
325	if(is_dh_group(group)) {	2,716✔
326	const DL_Group dl_group = get_dl_group(group);	16✔
327	return std::make_unique<DH_PrivateKey>(rng, dl_group);	32✔
328	}	16✔
329
330	BOTAN_ASSERT_NOMSG(std::holds_alternative<TLS::Group_Params>(group));	2,700✔
331	const auto group_params = std::get<TLS::Group_Params>(group);	2,700✔
332
333	if(group_params.is_ecdh_named_curve()) {	2,700✔
334	const auto ec_group = EC_Group::from_name(group_params.to_string().value());	290✔
335	return std::make_unique<ECDH_PrivateKey>(rng, ec_group);	290✔
336	}	145✔
337
338	#if defined(BOTAN_HAS_X25519)
339	if(group_params.is_x25519()) {	2,555✔
340	return std::make_unique<X25519_PrivateKey>(rng);	5,102✔
341	}
342	#endif
343
344	#if defined(BOTAN_HAS_X448)
345	if(group_params.is_x448()) {	4✔
346	return std::make_unique<X448_PrivateKey>(rng);	8✔
347	}
348	#endif
349
350	if(group_params.is_kem()) {	×
351	throw TLS_Exception(Alert::IllegalParameter, "cannot generate an ephemeral KEX key for a KEM");	×
352	}
353
354	throw TLS_Exception(Alert::DecodeError, "cannot create a key offering without a group definition");	×
355	}
356
357	secure_vector<uint8_t> TLS::Callbacks::tls_ephemeral_key_agreement(	2,083✔
358	const std::variant<TLS::Group_Params, DL_Group>& group,
359	const PK_Key_Agreement_Key& private_key,
360	const std::vector<uint8_t>& public_value,
361	RandomNumberGenerator& rng,
362	const Policy& policy) {
363	const auto kex_pub_key = [&]() {	6,205✔
364	try {	2,083✔
365	return tls_deserialize_peer_public_key(group, public_value);	2,083✔
366	} catch(const Decoding_Error& ex) {	44✔
367	// This exception means that the public key was invalid. However,
368	// TLS' DecodeError would imply that a protocol message was invalid.
369	throw TLS_Exception(Alert::IllegalParameter, ex.what());	44✔
370	}	44✔
371	}();	2,083✔
372
373	BOTAN_ASSERT_NONNULL(kex_pub_key);	2,039✔
374	policy.check_peer_key_acceptable(*kex_pub_key);	2,039✔
375
376	// RFC 8422 - 5.11.
377	// With X25519 and X448, a receiving party MUST check whether the
378	// computed premaster secret is the all-zero value and abort the
379	// handshake if so, as described in Section 6 of [RFC7748].
380	//
381	// This is done within the key agreement operation and throws
382	// an Invalid_Argument exception if the shared secret is all-zero.
383	try {	2,039✔
384	PK_Key_Agreement ka(private_key, rng, "Raw");	2,039✔
385	return ka.derive_key(0, kex_pub_key->raw_public_key_bits()).bits_of();	6,113✔
386	} catch(const Invalid_Argument& ex) {	2,043✔
387	throw TLS_Exception(Alert::IllegalParameter, ex.what());	4✔
388	}	4✔
389	}	2,035✔
390
391	} // namespace Botan

randombit / botan / 12548935066

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous