Handshake.h

Go to the documentation of this file.

/*
 * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */
 
#ifndef SQUID_SECURITY_HANDSHAKE_H
#define SQUID_SECURITY_HANDSHAKE_H
 
#include "anyp/ProtocolVersion.h"
#include "base/YesNoNone.h"
#include "parser/BinaryTokenizer.h"
#include "security/forward.h"
 
#include <unordered_set>
 
namespace Security
{
 
class TlsDetails: public RefCountable
{
public:
    typedef RefCount<TlsDetails> Pointer;
 
    TlsDetails();
    std::ostream & print(std::ostream &os) const;
 
    AnyP::ProtocolVersion tlsVersion; 
 
    AnyP::ProtocolVersion tlsSupportedVersion;
 
    bool compressionSupported; 
    SBuf serverName; 
    bool doHeartBeats;
    bool tlsTicketsExtension; 
    bool hasTlsTicket; 
    bool tlsStatusRequest; 
    bool unsupportedExtensions; 
    SBuf tlsAppLayerProtoNeg; 
    SBuf clientRandom;
    SBuf sessionId;
 
    typedef std::unordered_set<uint16_t> Ciphers;
    Ciphers ciphers;
};
 
inline std::ostream &
operator <<(std::ostream &os, const TlsDetails &details)
{
    return details.print(os);
}
 
class HandshakeParser
{
public:
    typedef enum { atHelloNone = 0, atHelloStarted, atHelloReceived, atHelloDoneReceived, atNstReceived, atCcsReceived, atFinishReceived } ParserState;
 
    typedef enum { fromClient = 0, fromServer } MessageSource;
 
    explicit HandshakeParser(MessageSource);
 
    bool parseHello(const SBuf &data);
 
    TlsDetails::Pointer details; 
 
    ParserState state; 
 
    bool resumingSession; 
 
    MessageSource messageSource;
 
private:
    bool isSslv2Record(const SBuf &raw) const;
    void parseRecord();
    void parseModernRecord();
    void parseVersion2Record();
    void parseMessages();
 
    void parseChangeCipherCpecMessage();
    void parseAlertMessage();
    void parseHandshakeMessage();
    void parseApplicationDataMessage();
    void skipMessage(const char *msgType);
 
    bool parseRecordVersion2Try();
    void parseVersion2HandshakeMessage(const SBuf &raw);
    void parseClientHelloHandshakeMessage(const SBuf &raw);
    void parseServerHelloHandshakeMessage(const SBuf &raw);
 
    bool parseCompressionMethods(const SBuf &raw);
    void parseExtensions(const SBuf &raw);
    SBuf parseSniExtension(const SBuf &extensionData) const;
    void parseSupportedVersionsExtension(const SBuf &extensionData) const;
 
    void parseCiphers(const SBuf &raw);
    void parseV23Ciphers(const SBuf &raw);
 
    void parseServerCertificates(const SBuf &raw);
 
    unsigned int currentContentType; 
 
    const char *done; 
 
    SBuf fragments;
 
    Parser::BinaryTokenizer tkRecords;
 
    Parser::BinaryTokenizer tkMessages;
 
    YesNoNone expectingModernRecords;
};
 
inline bool
TlsFamilyProtocol(const AnyP::ProtocolVersion &version)
{
    return (version.protocol == AnyP::PROTO_TLS || version.protocol == AnyP::PROTO_SSL);
}
 
inline bool
TlsVersionEarlierThan(const AnyP::ProtocolVersion &a, const AnyP::ProtocolVersion &b)
{
    Must(TlsFamilyProtocol(a));
    Must(TlsFamilyProtocol(b));
 
    if (a.protocol == b.protocol)
        return a < b;
 
    return a.protocol == AnyP::PROTO_SSL; // implies that b is TLS
}
 
inline bool
Tls1p2orEarlier(const AnyP::ProtocolVersion &p)
{
    return TlsVersionEarlierThan(p, AnyP::ProtocolVersion(AnyP::PROTO_TLS, 1, 3));
}
 
inline bool
Tls1p3orLater(const AnyP::ProtocolVersion &p)
{
    return !Tls1p2orEarlier(p);
}
 
}
 
#endif // SQUID_SECURITY_HANDSHAKE_H