prepare TLS 1.2 for addition of TLS 1.3

Co-authored-by: René Meusel <rene.meusel@nexenio.com>
Co-authored-by: Marek Kocik <extern.Marek.Kocik@elektrobit.com>
Co-authored-by: Grzegorz Dulewicz <extern.Grzegorz.Dulewicz@elektrobit.com>
Co-authored-by: Pawel Bazelewski <extern.pawel.bazelewski@elektrobit.com>
Co-authored-by: Pawel Jarosz <extern.pawel.jarosz@elektrobit.com>

doc/authors.txt

@@ -21,6 +21,7 @@ Dan Brown
 Daniel Neus (Rohde & Schwarz Cybersecurity)
 Daniel Seither (Kullo GmbH)
 Daniel Wyatt
+Elektrobit Automotive GmbH
 Eric Cornelius
 Erwan Chaussy
 etcimon
@@ -66,6 +67,7 @@ Matthias Gierlings (Hackmanit GmbH)
 Matt Johnston
 Michael Boric (Rohde & Schwarz Cybersecurity)
 Nathan Hourt
+neXenio GmbH
 Nicolas Sendrier
 Nuno Goncalves
 Ori Peleg

src/bogo_shim/bogo_shim.cpp

@@ -91,7 +91,7 @@ std::string map_to_bogo_error(const std::string& e)
          { "Certificate key type did not match ciphersuite", ":WRONG_CERTIFICATE_TYPE:" },
          { "Certificate usage constraints do not allow this ciphersuite", ":KEY_USAGE_BIT_INCORRECT:" },
          { "Certificate: Message malformed", ":DECODE_ERROR:" },
-         { "Channel::key_material_export cannot export during renegotiation", "failed to export keying material" },
+         { "Channel_Impl_12::key_material_export cannot export during renegotiation", "failed to export keying material" },
          { "Client cert verify failed", ":BAD_SIGNATURE:" },
          { "Client certificate does not support signing", ":KEY_USAGE_BIT_INCORRECT:" },
          { "Client did not offer NULL compression", ":INVALID_COMPRESSION_LIST:" },
@@ -151,6 +151,7 @@ std::string map_to_bogo_error(const std::string& e)
          { "Server downgraded version after renegotiation", ":WRONG_SSL_VERSION:" },
          { "Server policy prohibits renegotiation", ":NO_RENEGOTIATION:" },
          { "Server replied using a ciphersuite not allowed in version it offered", ":WRONG_CIPHER_RETURNED:" },
+         { "Server replied with an invalid version", ":UNSUPPORTED_PROTOCOL:" },
          { "Server replied with DTLS-SRTP alg we did not send", ":BAD_SRTP_PROTECTION_PROFILE_LIST:" },
          { "Server replied with ciphersuite we didn't send", ":WRONG_CIPHER_RETURNED:" },
          { "Server replied with later version than client offered", ":UNSUPPORTED_PROTOCOL:" },

src/configs/pylint.rc

@@ -60,7 +60,7 @@ confidence=
 # no Warning level messages displayed, use"--disable=all --enable=classes
 # --disable=W"
 
-disable=missing-docstring,no-else-return,locally-disabled,import-outside-toplevel,super-with-arguments,raise-missing-from,duplicate-code,consider-using-f-string
+disable=missing-docstring,no-else-return,locally-disabled,import-outside-toplevel,super-with-arguments,raise-missing-from,duplicate-code,consider-using-f-string,fixme
 
 
 [REPORTS]

src/fuzzer/tls_client_hello.cpp

@@ -12,7 +12,7 @@ void fuzz(const uint8_t in[], size_t len)
    try
       {
       std::vector<uint8_t> v(in, in + len);
-      Botan::TLS::Client_Hello ch(v);
+      Botan::TLS::Client_Hello_12 ch(v);  // TODO: We might want to do that for TLS 1.3 as well
       }
    catch(Botan::Exception& e) {}
    }

src/lib/pubkey/pubkey.h

@@ -423,7 +423,7 @@ class BOTAN_PUBLIC_API(2,0) PK_Key_Agreement final
 
       /**
       * Perform Key Agreement Operation
-      * @param key_len the desired key output size
+      * @param key_len the desired key output size (ignored if "Raw" KDF is used)
       * @param in the other parties key
       * @param in_len the length of in in bytes
       * @param params extra derivation params
@@ -437,7 +437,7 @@ class BOTAN_PUBLIC_API(2,0) PK_Key_Agreement final
 
       /**
       * Perform Key Agreement Operation
-      * @param key_len the desired key output size
+      * @param key_len the desired key output size (ignored if "Raw" KDF is used)
       * @param in the other parties key
       * @param params extra derivation params
       * @param params_len the length of params in bytes
@@ -453,7 +453,7 @@ class BOTAN_PUBLIC_API(2,0) PK_Key_Agreement final
 
       /**
       * Perform Key Agreement Operation
-      * @param key_len the desired key output size
+      * @param key_len the desired key output size (ignored if "Raw" KDF is used)
       * @param in the other parties key
       * @param in_len the length of in in bytes
       * @param params extra derivation params
@@ -469,7 +469,7 @@ class BOTAN_PUBLIC_API(2,0) PK_Key_Agreement final
 
       /**
       * Perform Key Agreement Operation
-      * @param key_len the desired key output size
+      * @param key_len the desired key output size (ignored if "Raw" KDF is used)
       * @param in the other parties key
       * @param params extra derivation params
       */

src/lib/tls/info.txt

@@ -24,13 +24,10 @@ tls_version.h
 </header:public>
 
 <header:internal>
-tls_handshake_hash.h
-tls_handshake_io.h
-tls_handshake_state.h
+tls_channel_impl.h
+tls_handshake_transitions.h
 tls_reader.h
-tls_record.h
-tls_seq_numbers.h
-tls_session_key.h
+tls_server_impl.h
 </header:internal>
 
 <requires>
@@ -44,10 +41,10 @@ eme_pkcs1
 emsa_pkcs1
 gcm
 hmac
-prf_tls
 rng
 rsa
 sha2_32
 sha2_64
+tls12
 x509
 </requires>

src/lib/tls/msg_cert_req.cpp

@@ -1,6 +1,8 @@
 /*
 * Certificate Request Message
 * (C) 2004-2006,2012 Jack Lloyd
+*     2021 Elektrobit Automotive GmbH
+*     2022 René Meusel, Hannes Rantzsch - neXenio GmbH
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
@@ -15,6 +17,11 @@
 
 namespace Botan::TLS {
 
+Handshake_Type Certificate_Req::type() const
+   {
+   return CERTIFICATE_REQUEST;
+   }
+
 namespace {
 
 std::string cert_type_code_to_name(uint8_t code)
@@ -108,6 +115,21 @@ Certificate_Req::Certificate_Req(const std::vector<uint8_t>& buf)
       }
    }
 
+const std::vector<std::string>& Certificate_Req::acceptable_cert_types() const
+   {
+   return m_cert_key_types;
+   }
+
+const std::vector<X509_DN>& Certificate_Req::acceptable_CAs() const
+   {
+   return m_names;
+   }
+
+const std::vector<Signature_Scheme>& Certificate_Req::signature_schemes() const
+   {
+   return m_schemes;
+   }
+
 /**
 * Serialize a Certificate Request message
 */
@@ -131,12 +153,12 @@ std::vector<uint8_t> Certificate_Req::serialize() const
       {
       DER_Encoder encoder;
       encoder.encode(name);
+
       append_tls_length_value(encoded_names, encoder.get_contents(), 2);
       }
 
    append_tls_length_value(buf, encoded_names, 2);
 
    return buf;
    }
-
 }

src/lib/tls/msg_cert_verify.cpp

@@ -2,15 +2,19 @@
 * Certificate Verify Message
 * (C) 2004,2006,2011,2012 Jack Lloyd
 *     2017 Harry Reimann, Rohde & Schwarz Cybersecurity
+*     2021 Elektrobit Automotive GmbH
+*     2022 René Meusel, Hannes Rantzsch - neXenio GmbH
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
 
-#include <botan/tls_messages.h>
-#include <botan/tls_extensions.h>
-#include <botan/internal/tls_reader.h>
 #include <botan/internal/tls_handshake_io.h>
 #include <botan/internal/tls_handshake_state.h>
+#include <botan/internal/tls_reader.h>
+#include <botan/pk_keys.h>
+#include <botan/tls_algos.h>
+#include <botan/tls_extensions.h>
+#include <botan/tls_messages.h>
 
 namespace Botan::TLS {
 
@@ -45,6 +49,10 @@ Certificate_Verify::Certificate_Verify(const std::vector<uint8_t>& buf)
    m_scheme = static_cast<Signature_Scheme>(reader.get_uint16_t());
    m_signature = reader.get_range<uint8_t>(2, 0, 65535);
    reader.assert_done();
+
+   if(m_scheme == Signature_Scheme::NONE)
+      { throw Decoding_Error("Counterparty did not send hash/sig IDS"); }
+
    }
 
 /*
@@ -62,7 +70,7 @@ std::vector<uint8_t> Certificate_Verify::serialize() const
       }
 
    if(m_signature.size() > 0xFFFF)
-      throw Encoding_Error("Certificate_Verify signature too long to encode");
+      { throw Encoding_Error("Certificate_Verify signature too long to encode"); }
 
    const uint16_t sig_len = static_cast<uint16_t>(m_signature.size());
    buf.push_back(get_byte<0>(sig_len));
@@ -72,19 +80,17 @@ std::vector<uint8_t> Certificate_Verify::serialize() const
    return buf;
    }
 
-/*
-* Verify a Certificate Verify message
-*/
-bool Certificate_Verify::verify(const X509_Certificate& cert,
-                                const Handshake_State& state,
-                                const Policy& policy) const
+
+bool Certificate_Verify_12::verify(const X509_Certificate& cert,
+                                   const Handshake_State& state,
+                                   const Policy& policy) const
    {
    std::unique_ptr<Public_Key> key(cert.subject_public_key());
 
    policy.check_peer_key_acceptable(*key);
 
    std::pair<std::string, Signature_Format> format =
-      state.parse_sig_format(*key.get(), m_scheme, true, policy);
+      state.parse_sig_format(*key.get(), m_scheme, state.client_hello()->signature_schemes(), true, policy);
 
    const bool signature_valid =
       state.callbacks().tls_verify_message(*key, format.first, format.second,

src/lib/tls/msg_certificate.cpp → src/lib/tls/msg_certificate_12.cpp

@@ -20,9 +20,9 @@ namespace Botan::TLS {
 /**
 * Create a new Certificate message
 */
-Certificate::Certificate(Handshake_IO& io,
-                         Handshake_Hash& hash,
-                         const std::vector<X509_Certificate>& cert_list) :
+Certificate_12::Certificate_12(Handshake_IO& io,
+                               Handshake_Hash& hash,
+                               const std::vector<X509_Certificate>& cert_list) :
    m_certs(cert_list)
    {
    hash.update(io.send(*this));
@@ -31,7 +31,7 @@ Certificate::Certificate(Handshake_IO& io,
 /**
 * Deserialize a Certificate message
 */
-Certificate::Certificate(const std::vector<uint8_t>& buf, const Policy& policy)
+Certificate_12::Certificate_12(const std::vector<uint8_t>& buf, const Policy& policy)
    {
    if(buf.size() < 3)
       throw Decoding_Error("Certificate: Message malformed");
@@ -80,7 +80,7 @@ Certificate::Certificate(const std::vector<uint8_t>& buf, const Policy& policy)
 /**
 * Serialize a Certificate message
 */
-std::vector<uint8_t> Certificate::serialize() const
+std::vector<uint8_t> Certificate_12::serialize() const
    {
    std::vector<uint8_t> buf(3);