1 /** 2 * TLS Client 3 * 4 * Copyright: 5 * (C) 2004-2011,2015 Jack Lloyd 6 * (C) 2014-2015 Etienne Cimon 7 * 8 * License: 9 * Botan is released under the Simplified BSD License (see LICENSE.md) 10 */ 11 module botan.tls.client; 12 13 import botan.constants; 14 static if (BOTAN_HAS_TLS): 15 16 public import botan.tls.channel; 17 public import botan.tls.credentials_manager; 18 public import botan.tls.server_info; 19 public import botan.rng.rng; 20 import botan.tls.handshake_state; 21 import botan.tls.messages; 22 import memutils.dictionarylist; 23 import botan.utils.types; 24 25 /** 26 * TLS Client 27 */ 28 final class TLSClient : TLSChannel 29 { 30 public: 31 /** 32 * Set up a new TLS client session 33 * 34 * Params: 35 * socket_output_fn = is called with data for the outbound socket 36 * proc_cb = is called when new application data is received 37 * alert_cb = is called when a TLS alert is received 38 * handshake_cb = is called when a handshake is completed 39 * session_manager = manages session state 40 * creds = manages application/user credentials 41 * policy = specifies other connection policy information 42 * rng = a random number generator 43 * server_info = is identifying information about the TLS server 44 * offer_version = specifies which version we will offer 45 * to the TLS server. 46 * next_protocols = specifies protocols to advertise with ALPN 47 * reserved_io_buffer_size = This many bytes of memory will 48 * be preallocated for the read and write buffers. Smaller 49 * values just mean reallocations and copies are more likely. 50 */ 51 this(void delegate(in ubyte[]) socket_output_fn, 52 void delegate(in ubyte[]) proc_cb, 53 void delegate(in TLSAlert, in ubyte[]) alert_cb, 54 bool delegate(in TLSSession) handshake_cb, 55 TLSSessionManager session_manager, 56 TLSCredentialsManager creds, 57 in TLSPolicy policy, 58 RandomNumberGenerator rng, 59 in TLSServerInformation server_info = TLSServerInformation(), 60 in TLSProtocolVersion offer_version = TLSProtocolVersion.latestTlsVersion(), 61 Vector!string next_protocols = Vector!string(), 62 size_t reserved_io_buffer_size = 16*1024) 63 { 64 super(socket_output_fn, proc_cb, alert_cb, handshake_cb, session_manager, rng, offer_version.isDatagramProtocol(), reserved_io_buffer_size); 65 m_policy = policy; 66 m_creds = creds; 67 m_info = server_info; 68 const string srp_identifier = m_creds.srpIdentifier("tls-client", m_info.hostname()); 69 HandshakeState state = createHandshakeState(offer_version); 70 sendClientHello(state, false, offer_version, srp_identifier, next_protocols.move()); 71 } 72 73 protected: 74 override Vector!X509Certificate getPeerCertChain(in HandshakeState state) const 75 { 76 if (state.serverCerts()) 77 return state.serverCerts().certChain().dup; 78 return Vector!X509Certificate(); 79 } 80 81 /** 82 * Send a new client hello to renegotiate 83 */ 84 override void initiateHandshake(HandshakeState state, bool force_full_renegotiation) 85 { 86 sendClientHello(state, force_full_renegotiation, state.Version()); 87 } 88 89 void sendClientHello(HandshakeState state_base, 90 bool force_full_renegotiation, 91 TLSProtocolVersion _version, 92 in string srp_identifier = "", 93 Vector!string next_protocols = Vector!string()) 94 { 95 ClientHandshakeState state = cast(ClientHandshakeState)(state_base); 96 if (state.Version().isDatagramProtocol()) 97 state.setExpectedNext(HELLO_VERIFY_REQUEST); // optional 98 state.setExpectedNext(SERVER_HELLO); 99 100 if (!force_full_renegotiation && !m_info.empty) 101 { 102 TLSSession session_info; 103 if (sessionManager().loadFromServerInfo(m_info, session_info)) 104 { 105 if (srp_identifier == "" || session_info.srpIdentifier() == srp_identifier) 106 { 107 state.clientHello(new ClientHello( 108 state.handshakeIo(), 109 state.hash(), 110 m_policy, 111 rng(), 112 secureRenegotiationDataForClientHello().dup, 113 session_info, 114 next_protocols.move)); 115 116 state.resume_master_secret = session_info.masterSecret().dup; 117 } 118 } 119 } 120 121 if (!state.clientHello()) // not resuming 122 { 123 state.clientHello(new ClientHello(state.handshakeIo(), 124 state.hash(), 125 _version, 126 m_policy, 127 rng(), 128 secureRenegotiationDataForClientHello().dup, 129 next_protocols.move, 130 m_info.hostname(), 131 srp_identifier)); 132 } 133 134 secureRenegotiationCheck(state.clientHello()); 135 } 136 137 /** 138 * Process a handshake message 139 */ 140 override void processHandshakeMsg(in HandshakeState active_state, 141 HandshakeState state_base, 142 HandshakeType type, 143 const ref Vector!ubyte contents) 144 { 145 ClientHandshakeState state = cast(ClientHandshakeState)(state_base); 146 147 if (type == HELLO_REQUEST && active_state) 148 { 149 auto hello_request = scoped!HelloRequest(contents); 150 151 // Ignore request entirely if we are currently negotiating a handshake 152 if (state.clientHello()) 153 return; 154 155 if (!m_policy.allowServerInitiatedRenegotiation() || 156 (!m_policy.allowInsecureRenegotiation() && !secureRenegotiationSupported())) 157 { 158 // RFC 5746 section 4.2 159 sendWarningAlert(TLSAlert.NO_RENEGOTIATION); 160 return; 161 } 162 163 this.initiateHandshake(state, false); 164 165 return; 166 } 167 168 state.confirmTransitionTo(type); 169 170 if (type != HANDSHAKE_CCS && type != FINISHED && type != HELLO_VERIFY_REQUEST) 171 state.hash().update(state.handshakeIo().format(contents, type)); 172 173 if (type == HELLO_VERIFY_REQUEST) 174 { 175 state.setExpectedNext(SERVER_HELLO); 176 state.setExpectedNext(HELLO_VERIFY_REQUEST); // might get it again 177 178 auto hello_verify_request = scoped!HelloVerifyRequest(contents); 179 180 state.helloVerifyRequest(hello_verify_request.Scoped_payload); 181 } 182 else if (type == SERVER_HELLO) 183 { 184 state.serverHello(new ServerHello(contents)); 185 186 if (!state.clientHello().offeredSuite(state.serverHello().ciphersuite())) 187 { 188 throw new TLSException(TLSAlert.HANDSHAKE_FAILURE, "TLSServer replied with ciphersuite we didn't send"); 189 } 190 191 if (!valueExists(state.clientHello().compressionMethods(), 192 state.serverHello().compressionMethod())) 193 { 194 throw new TLSException(TLSAlert.HANDSHAKE_FAILURE, "TLSServer replied with compression method we didn't send"); 195 } 196 197 auto client_extn = state.clientHello().extensionTypes(); 198 auto server_extn = state.serverHello().extensionTypes(); 199 200 import std.algorithm : setDifference; 201 import std.range : empty, array; 202 auto diff = setDifference(server_extn[].sort(), client_extn[].sort()); 203 if (!diff.empty) 204 { 205 throw new TLSException(TLSAlert.HANDSHAKE_FAILURE, 206 "TLSServer sent extension(s) " ~ diff.array.to!(string[]).joiner(", ").to!string ~ " but we did not request it"); 207 } 208 209 state.setVersion(state.serverHello().Version()); 210 m_application_protocol = state.serverHello().nextProtocol(); 211 212 secureRenegotiationCheck(state.serverHello()); 213 214 const bool server_returned_same_session_id = !state.serverHello().sessionId().empty && 215 (state.serverHello().sessionId() == state.clientHello().sessionId()); 216 217 if (server_returned_same_session_id) 218 { 219 // successful resumption 220 221 /* 222 * In this case, we offered the version used in the original 223 * session, and the server must resume with the same version. 224 */ 225 if (state.serverHello().Version() != state.clientHello().Version()) 226 throw new TLSException(TLSAlert.HANDSHAKE_FAILURE, "TLSServer resumed session but with wrong version"); 227 228 state.computeSessionKeys(state.resume_master_secret); 229 230 if (state.serverHello().supportsSessionTicket()) 231 state.setExpectedNext(NEW_SESSION_TICKET); 232 else 233 state.setExpectedNext(HANDSHAKE_CCS); 234 } 235 else 236 { 237 // new session 238 239 if (state.clientHello().Version().isDatagramProtocol() != 240 state.serverHello().Version().isDatagramProtocol()) 241 { 242 throw new TLSException(TLSAlert.PROTOCOL_VERSION, "TLSServer replied with different protocol type than we offered"); 243 } 244 245 if (state.Version() > state.clientHello().Version()) 246 { 247 throw new TLSException(TLSAlert.HANDSHAKE_FAILURE, "TLSServer replied with later version than in hello"); 248 } 249 250 if (!m_policy.acceptableProtocolVersion(state.Version())) 251 { 252 throw new TLSException(TLSAlert.PROTOCOL_VERSION, "TLSServer version " ~ state.Version().toString() ~ " is unacceptable by policy"); 253 } 254 255 if (state.ciphersuite().sigAlgo() != "") 256 { 257 state.setExpectedNext(CERTIFICATE); 258 } 259 else if (state.ciphersuite().kexAlgo() == "PSK") 260 { 261 /* PSK is anonymous so no certificate/cert req message is 262 ever sent. The server may or may not send a server kex, 263 depending on if it has an identity hint for us. 264 265 (EC)DHE_PSK always sends a server key exchange for the 266 DH exchange portion. 267 */ 268 269 state.setExpectedNext(SERVER_KEX); 270 state.setExpectedNext(SERVER_HELLO_DONE); 271 } 272 else if (state.ciphersuite().kexAlgo() != "RSA") 273 { 274 state.setExpectedNext(SERVER_KEX); 275 } 276 else 277 { 278 state.setExpectedNext(CERTIFICATE_REQUEST); // optional 279 state.setExpectedNext(SERVER_HELLO_DONE); 280 } 281 } 282 } 283 else if (type == CERTIFICATE) 284 { 285 if (state.ciphersuite().kexAlgo() != "RSA") 286 { 287 state.setExpectedNext(SERVER_KEX); 288 } 289 else 290 { 291 state.setExpectedNext(CERTIFICATE_REQUEST); // optional 292 state.setExpectedNext(SERVER_HELLO_DONE); 293 } 294 295 state.serverCerts(new Certificate(contents)); 296 297 const Vector!X509Certificate* server_certs = &state.serverCerts().certChain(); 298 299 if (server_certs.empty) 300 throw new TLSException(TLSAlert.HANDSHAKE_FAILURE, "TLSClient: No certificates sent by server"); 301 302 try 303 { 304 m_creds.verifyCertificateChain("tls-client", m_info.hostname(), *server_certs); 305 } 306 catch(Exception e) 307 { 308 throw new TLSException(TLSAlert.BAD_CERTIFICATE, e.msg); 309 } 310 311 PublicKey peer_key = (*server_certs)[0].subjectPublicKey(); 312 313 if (peer_key.algoName != state.ciphersuite().sigAlgo()) 314 throw new TLSException(TLSAlert.ILLEGAL_PARAMETER, "Certificate key type did not match ciphersuite"); 315 316 state.server_public_key = peer_key; 317 } 318 else if (type == SERVER_KEX) 319 { 320 state.setExpectedNext(CERTIFICATE_REQUEST); // optional 321 state.setExpectedNext(SERVER_HELLO_DONE); 322 323 state.serverKex(new ServerKeyExchange(contents, 324 state.ciphersuite().kexAlgo(), 325 state.ciphersuite().sigAlgo(), 326 state.Version())); 327 328 if (state.ciphersuite().sigAlgo() != "") 329 { 330 const PublicKey server_key = state.getServerPublicKey(); 331 if (!state.serverKex().verify(server_key, state)) 332 { 333 throw new TLSException(TLSAlert.DECRYPT_ERROR, "Bad signature on server key exchange"); 334 } 335 } 336 } 337 else if (type == CERTIFICATE_REQUEST) 338 { 339 state.setExpectedNext(SERVER_HELLO_DONE); 340 state.certReq(new CertificateReq(contents, state.Version())); 341 } 342 else if (type == SERVER_HELLO_DONE) 343 { 344 state.serverHelloDone(new ServerHelloDone(contents)); 345 346 if (state.receivedHandshakeMsg(CERTIFICATE_REQUEST)) 347 { 348 const(Vector!string)* types = &state.certReq().acceptableCertTypes(); 349 350 Vector!X509Certificate client_certs = m_creds.certChain(*types, "tls-client", m_info.hostname()); 351 352 state.clientCerts(new Certificate(state.handshakeIo(), state.hash(), client_certs)); 353 } 354 355 state.clientKex(new ClientKeyExchange(state.handshakeIo(), 356 state, 357 m_policy, 358 m_creds, 359 state.server_public_key.get(), 360 m_info.hostname(), 361 rng())); 362 363 state.computeSessionKeys(); 364 365 if (state.receivedHandshakeMsg(CERTIFICATE_REQUEST) && !state.clientCerts().empty) 366 { 367 PrivateKey priv_key = m_creds.privateKeyFor(state.clientCerts().certChain()[0], "tls-client", m_info.hostname()); 368 369 state.clientVerify(new CertificateVerify(state.handshakeIo(), 370 state, 371 m_policy, 372 rng(), 373 priv_key)); 374 } 375 376 state.handshakeIo().send(scoped!ChangeCipherSpec()); 377 378 changeCipherSpecWriter(CLIENT); 379 380 // Setup channelID 381 bool supports_channel_id = state.clientHello().supportsChannelID() && state.serverHello().supportsChannelID(); 382 if (supports_channel_id) { 383 state.channelID(new ChannelID(state.handshakeIo(), 384 state.hash(), 385 m_creds, 386 m_info.hostname, 387 state.hash().flushInto(state.Version(), state.ciphersuite().prfAlgo()) 388 )); 389 } 390 391 state.clientFinished(new Finished(state.handshakeIo(), state, CLIENT)); 392 393 if (supports_channel_id) 394 state.setOriginalHandshakeHash(state.hash().flushInto(state.Version(), state.ciphersuite().prfAlgo())); 395 396 if (state.serverHello().supportsSessionTicket()) 397 state.setExpectedNext(NEW_SESSION_TICKET); 398 else 399 state.setExpectedNext(HANDSHAKE_CCS); 400 } 401 else if (type == NEW_SESSION_TICKET) 402 { 403 state.newSessionTicket(new NewSessionTicket(contents)); 404 405 state.setExpectedNext(HANDSHAKE_CCS); 406 } 407 else if (type == HANDSHAKE_CCS) 408 { 409 state.setExpectedNext(FINISHED); 410 411 changeCipherSpecReader(CLIENT); 412 413 } 414 else if (type == FINISHED) 415 { 416 state.serverFinished(new Finished(contents.dup)); 417 418 if (!state.serverFinished().verify(state, SERVER)) 419 throw new TLSException(TLSAlert.DECRYPT_ERROR, "Finished message didn't verify"); 420 421 state.hash().update(state.handshakeIo().format(contents, type)); 422 423 if (!state.clientFinished()) // session resume case 424 { 425 state.handshakeIo().send(scoped!ChangeCipherSpec()); 426 427 changeCipherSpecWriter(CLIENT); 428 429 // Setup Resumption ChannelID 430 if (state.clientHello().supportsChannelID() && state.serverHello().supportsChannelID()) 431 { 432 TLSSession sess; 433 scope(exit) if (sess) sess.destroy(); 434 if (sessionManager() && sessionManager().loadFromSessionId(state.serverHello().sessionId(), sess)) 435 { 436 state.setOriginalHandshakeHash(sess.originalHandshakeHash().dup()); 437 state.channelID(new ChannelID(state.handshakeIo(), 438 state.hash(), 439 m_creds, 440 m_info.hostname, 441 state.hash().flushInto(state.Version(), state.ciphersuite().prfAlgo()), 442 state.originalHandshakeHash().dup 443 )); 444 } 445 } 446 // todo: Else if the session was supposed to use it, fail? 447 state.clientFinished(new Finished(state.handshakeIo(), state, CLIENT)); 448 } 449 450 Vector!ubyte session_id = state.serverHello().sessionId().dup; 451 452 Vector!ubyte session_ticket = state.sessionTicket(); 453 454 if (session_id.empty && !session_ticket.empty) 455 session_id = makeHelloRandom(rng(), m_policy); 456 457 auto session_info = new TLSSession(session_id.dup, 458 state.sessionKeys().masterSecret().dup, 459 state.originalHandshakeHash().dup(), 460 state.serverHello().Version(), 461 state.serverHello().ciphersuite(), 462 state.serverHello().compressionMethod(), 463 CLIENT, 464 state.serverHello().fragmentSize(), 465 state.serverHello().supportsExtendedMasterSecret(), 466 getPeerCertChain(state), 467 session_ticket.move(), 468 m_info, 469 ""); 470 scope(exit) destroy(session_info); 471 const bool should_save = saveSession(session_info); 472 473 if (!session_id.empty) 474 { 475 if (should_save) 476 sessionManager().save(session_info); 477 else { 478 auto entry = &session_info.sessionId(); 479 sessionManager().removeEntry(*entry); 480 } 481 } 482 483 activateSession(); 484 } 485 else 486 throw new TLSUnexpectedMessage("Unknown handshake message received"); 487 } 488 489 override HandshakeState newHandshakeState(HandshakeIO io) 490 { 491 return new ClientHandshakeState(io); 492 } 493 494 private: 495 const TLSPolicy m_policy; 496 TLSCredentialsManager m_creds; 497 const TLSServerInformation m_info; 498 } 499 500 501 private final class ClientHandshakeState : HandshakeState 502 { 503 public: 504 505 this(HandshakeIO io, void delegate(in HandshakeMessage) msg_callback = null) 506 { 507 super(io, msg_callback); 508 } 509 510 const(PublicKey) getServerPublicKey() const 511 { 512 assert(server_public_key, "TLSServer sent us a certificate"); 513 return *server_public_key; 514 } 515 516 // Used during session resumption 517 SecureVector!ubyte resume_master_secret; 518 Unique!PublicKey server_public_key; 519 }