1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
|
/*
* TLS Callbacks
* (C) 2016 Matthias Gierlings
* 2016 Jack Lloyd
* 2017 Harry Reimann, Rohde & Schwarz Cybersecurity
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
#ifndef BOTAN_TLS_CALLBACKS_H_
#define BOTAN_TLS_CALLBACKS_H_
#include <botan/tls_session.h>
#include <botan/tls_alert.h>
#include <botan/pubkey.h>
#include <botan/ocsp.h>
#include <optional>
#include <chrono>
namespace Botan {
class Certificate_Store;
class X509_Certificate;
namespace OCSP {
class Response;
}
namespace TLS {
class Handshake_Message;
class Policy;
class Extensions;
class Certificate_Status_Request;
/**
* Encapsulates the callbacks that a TLS channel will make which are due to
* channel specific operations.
*/
class BOTAN_PUBLIC_API(2,0) Callbacks
{
public:
virtual ~Callbacks() = default;
/**
* Mandatory callback: output function
* The channel will call this with data which needs to be sent to the peer
* (eg, over a socket or some other form of IPC). The array will be overwritten
* when the function returns so a copy must be made if the data cannot be
* sent immediately.
*
* @param data the vector of data to send
*
* @param size the number of bytes to send
*/
virtual void tls_emit_data(const uint8_t data[], size_t size) = 0;
/**
* Mandatory callback: process application data
* Called when application data record is received from the peer.
* Again the array is overwritten immediately after the function returns.
*
* @param seq_no the underlying TLS/DTLS record sequence number
*
* @param data the vector containing the received record
*
* @param size the length of the received record, in bytes
*/
virtual void tls_record_received(uint64_t seq_no, const uint8_t data[], size_t size) = 0;
/**
* Mandatory callback: alert received
* Called when an alert is received from the peer
* If fatal, the connection is closing. If not fatal, the connection may
* still be closing (depending on the error and the peer).
*
* @param alert the source of the alert
*/
virtual void tls_alert(Alert alert) = 0;
/**
* Mandatory callback: session established
* Called when a session is established. Throw an exception to abort
* the connection.
*
* @param session the session descriptor
*
* @return return false to prevent the session from being cached,
* return true to cache the session in the configured session manager
*/
virtual bool tls_session_established(const Session& session) = 0;
/**
* Optional callback: session activated
* Called when a session is active and can be written to
*/
virtual void tls_session_activated() {}
/**
* Optional callback with default impl: verify cert chain
*
* Default implementation performs a standard PKIX validation
* and initiates network OCSP request for end-entity cert.
* Override to provide different behavior.
*
* Check the certificate chain is valid up to a trusted root, and
* optionally (if hostname != "") that the hostname given is
* consistent with the leaf certificate.
*
* This function should throw an exception derived from
* std::exception with an informative what() result if the
* certificate chain cannot be verified.
*
* @param cert_chain specifies a certificate chain leading to a
* trusted root CA certificate.
* @param ocsp_responses the server may have provided some
* @param trusted_roots the list of trusted certificates
* @param usage what this cert chain is being used for
* Usage_Type::TLS_SERVER_AUTH for server chains,
* Usage_Type::TLS_CLIENT_AUTH for client chains,
* Usage_Type::UNSPECIFIED for other uses
* @param hostname when authenticating a server, this is the hostname
* the client requested (eg via SNI). When authenticating a client,
* this is the server name the client is authenticating *to*.
* Empty in other cases or if no hostname was used.
* @param policy the TLS policy associated with the session being authenticated
* using the certificate chain
*/
virtual void tls_verify_cert_chain(
const std::vector<X509_Certificate>& cert_chain,
const std::vector<std::optional<OCSP::Response>>& ocsp_responses,
const std::vector<Certificate_Store*>& trusted_roots,
Usage_Type usage,
const std::string& hostname,
const TLS::Policy& policy);
/**
* Called by default `tls_verify_cert_chain` to get the timeout to use for OCSP
* requests. Return 0 to disable online OCSP checks.
*
* This function should not be "const" since the implementation might need
* to perform some side effecting operation to compute the result.
*/
virtual std::chrono::milliseconds tls_verify_cert_chain_ocsp_timeout() const
{
return std::chrono::milliseconds(0);
}
/**
* Called by the TLS server whenever the client included the
* status_request extension (see RFC 6066, a.k.a OCSP stapling)
* in the ClientHello.
*
* @return the encoded OCSP response to be sent to the client which
* indicates the revocation status of the server certificate. Return an
* empty vector to indicate that no response is available, and thus
* suppress the Certificate_Status message.
*/
virtual std::vector<uint8_t> tls_provide_cert_status(const std::vector<X509_Certificate>& chain,
const Certificate_Status_Request& csr)
{
BOTAN_UNUSED(chain);
BOTAN_UNUSED(csr);
return std::vector<uint8_t>();
}
/**
* Optional callback with default impl: sign a message
*
* Default implementation uses PK_Signer::sign_message().
* Override to provide a different approach, e.g. using an external device.
*
* @param key the private key of the signer
* @param rng a random number generator
* @param emsa the encoding method to be applied to the message
* @param format the signature format
* @param msg the input data for the signature
*
* @return the signature
*/
virtual std::vector<uint8_t> tls_sign_message(
const Private_Key& key,
RandomNumberGenerator& rng,
const std::string& emsa,
Signature_Format format,
const std::vector<uint8_t>& msg);
/**
* Optional callback with default impl: verify a message signature
*
* Default implementation uses PK_Verifier::verify_message().
* Override to provide a different approach, e.g. using an external device.
*
* @param key the public key of the signer
* @param emsa the encoding method to be applied to the message
* @param format the signature format
* @param msg the input data for the signature
* @param sig the signature to be checked
*
* @return true if the signature is valid, false otherwise
*/
virtual bool tls_verify_message(
const Public_Key& key,
const std::string& emsa,
Signature_Format format,
const std::vector<uint8_t>& msg,
const std::vector<uint8_t>& sig);
/**
* Optional callback with default impl: client side DH agreement
*
* Default implementation uses PK_Key_Agreement::derive_key().
* Override to provide a different approach, e.g. using an external device.
*
* @param modulus the modulus p of the discrete logarithm group
* @param generator the generator of the DH subgroup
* @param peer_public_value the public value of the peer
* @param policy the TLS policy associated with the session being established
* @param rng a random number generator
*
* @return a pair consisting of the agreed raw secret and our public value
*/
virtual std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> tls_dh_agree(
const std::vector<uint8_t>& modulus,
const std::vector<uint8_t>& generator,
const std::vector<uint8_t>& peer_public_value,
const Policy& policy,
RandomNumberGenerator& rng);
/**
* Optional callback with default impl: client side ECDH agreement
*
* Default implementation uses PK_Key_Agreement::derive_key().
* Override to provide a different approach, e.g. using an external device.
*
* @param curve_name the name of the elliptic curve
* @param peer_public_value the public value of the peer
* @param policy the TLS policy associated with the session being established
* @param rng a random number generator
* @param compressed the compression preference for our public value
*
* @return a pair consisting of the agreed raw secret and our public value
*/
virtual std::pair<secure_vector<uint8_t>, std::vector<uint8_t>> tls_ecdh_agree(
const std::string& curve_name,
const std::vector<uint8_t>& peer_public_value,
const Policy& policy,
RandomNumberGenerator& rng,
bool compressed);
/**
* Optional callback: inspect handshake message
* Throw an exception to abort the handshake.
* Default simply ignores the message.
*
* @param message the handshake message
*/
virtual void tls_inspect_handshake_msg(const Handshake_Message& message);
/**
* Optional callback for server: choose ALPN protocol
*
* ALPN (RFC 7301) works by the client sending a list of application
* protocols it is willing to negotiate. The server then selects which
* protocol to use. RFC 7301 requires that if the server does not support
* any protocols offered by the client, then it should close the connection
* with an alert of no_application_protocol. Within this callback this would
* be done by throwing a TLS_Exception(Alert::NO_APPLICATION_PROTOCOL)
*
* @param client_protos the vector of protocols the client is willing to negotiate
*
* @return the protocol selected by the server; if the empty string is
* returned, the server does not reply to the client ALPN extension.
*
* The default implementation returns the empty string, causing client
* ALPN to be ignored.
*
* It is highly recommended to support ALPN whenever possible to avoid
* cross-protocol attacks.
*/
virtual std::string tls_server_choose_app_protocol(const std::vector<std::string>& client_protos);
/**
* Optional callback: examine/modify Extensions before sending.
*
* Both client and server will call this callback on the Extensions object
* before serializing it in the client/server hellos. This allows an
* application to modify which extensions are sent during the
* handshake.
*
* Default implementation does nothing.
*
* @param extn the extensions
* @param which_side will be CLIENT or SERVER which is the current
* applications role in the exchange.
*/
virtual void tls_modify_extensions(Extensions& extn, Connection_Side which_side);
/**
* Optional callback: examine peer extensions.
*
* Both client and server will call this callback with the Extensions
* object after receiving it from the peer. This allows examining the
* Extensions, for example to implement a custom extension. It also allows
* an application to require that a particular extension be implemented;
* throw an exception from this function to abort the handshake.
*
* Default implementation does nothing.
*
* @param extn the extensions
* @param which_side will be CLIENT if these are are the clients extensions (ie we are
* the server) or SERVER if these are the server extensions (we are the client).
*/
virtual void tls_examine_extensions(const Extensions& extn, Connection_Side which_side);
/**
* Optional callback: decode TLS group ID
*
* TLS uses a 16-bit field to identify ECC and DH groups. This callback
* handles the decoding. You only need to implement this if you are using
* a custom ECC or DH group (this is extremely uncommon).
*
* Default implementation uses the standard (IETF-defined) mappings.
*
* TODO: reconsider this callback together with `tls_dh_agree` and `tls_ecdh_agree`.
*/
virtual std::string tls_decode_group_param(Group_Params group_param);
/**
* Optional callback: parse a single OCSP Response
*
* Note: Typically a user of the library would not want to override this
* callback. We provide this callback to be able to support OCSP
* related tests from BoringSSL's BoGo tests that provide unparsable
* responses.
*
* Default implementation tries to parse the provided raw OCSP response.
*
* This function should not throw an exception but return a std::nullopt
* if the OCSP response cannot be parsed.
*
* @param raw_response raw OCSP response buffer
* @returns the parsed OCSP response or std::nullopt on error
*/
virtual std::optional<OCSP::Response> tls_parse_ocsp_response(const std::vector<uint8_t>& raw_response);
/**
* Optional callback: return peer network identity
*
* There is no expected or specified format. The only expectation is this
* function will return a unique value. For example returning the peer
* host IP and port.
*
* This is used to bind the DTLS cookie to a particular network identity.
* It is only called if the dtls-cookie-secret PSK is also defined.
*/
virtual std::string tls_peer_network_identity();
/**
* Optional callback: return a custom time stamp value
*
* This allows the library user to specify a custom "now" timestamp when
* needed. By default it will use the current system clock time.
*
* Note that typical usages will not need to override this callback but it
* is useful for testing purposes to allow for deterministic test outcomes.
*/
virtual std::chrono::system_clock::time_point tls_current_timestamp();
/**
* Optional callback: error logging. (not currently called)
* @param err An error message related to this connection.
*/
virtual void tls_log_error(const char* err)
{
BOTAN_UNUSED(err);
}
/**
* Optional callback: debug logging. (not currently called)
* @param what Some hopefully informative string
*/
virtual void tls_log_debug(const char* what)
{
BOTAN_UNUSED(what);
}
/**
* Optional callback: debug logging taking a buffer. (not currently called)
* @param descr What this buffer is
* @param val the bytes
* @param val_len length of val
*/
virtual void tls_log_debug_bin(const char* descr, const uint8_t val[], size_t val_len)
{
BOTAN_UNUSED(descr, val, val_len);
}
};
}
}
#endif
|