search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
simplified handshake states.
[gnutls.git] / lib / gnutls_handshake.c
blob63ba755b6f76a7274db0e53a905829522aaa2428
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that relate to the TLS handshake procedure.
24 */
25
26 #include "gnutls_int.h"
27 #include "gnutls_errors.h"
28 #include "gnutls_dh.h"
29 #include "debug.h"
30 #include "algorithms.h"
31 #include "gnutls_compress.h"
32 #include "gnutls_cipher.h"
33 #include "gnutls_buffers.h"
34 #include "gnutls_mbuffers.h"
35 #include "gnutls_kx.h"
36 #include "gnutls_handshake.h"
37 #include "gnutls_num.h"
38 #include "gnutls_hash_int.h"
39 #include "gnutls_db.h"
40 #include "gnutls_extensions.h"
41 #include "gnutls_supplemental.h"
42 #include "gnutls_auth.h"
43 #include "gnutls_v2_compat.h"
44 #include <auth/cert.h>
45 #include "gnutls_constate.h"
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
48 #include <ext/srp.h>
49 #include <ext/session_ticket.h>
50 #include <ext/status_request.h>
51 #include <ext/safe_renegotiation.h>
52 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
53 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
54 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
55 #include <random.h>
56 #include <gnutls_dtls.h>
57
58 #ifdef HANDSHAKE_DEBUG
59 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
60 #else
61 #define ERR(x, y)
62 #endif
63
64 #define TRUE 1
65 #define FALSE 0
66
67 static int _gnutls_server_select_comp_method (gnutls_session_t session,
68 uint8_t * data, int datalen);
69 static int
70 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
71 uint8_t * cipher_suites,
72 int cipher_suites_size,
73 gnutls_pk_algorithm_t *pk_algos,
74 size_t pk_algos_size);
75 static int _gnutls_handshake_client (gnutls_session_t session);
76 static int _gnutls_handshake_server (gnutls_session_t session);
77
78 static int
79 _gnutls_recv_handshake_final (gnutls_session_t session, int init);
80 static int
81 _gnutls_send_handshake_final (gnutls_session_t session, int init);
82
83 /* Empties but does not free the buffer
84 */
85 static inline void
86 _gnutls_handshake_hash_buffer_empty (gnutls_session_t session)
87 {
88
89 _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
90
91 session->internals.handshake_hash_buffer_prev_len = 0;
92 session->internals.handshake_hash_buffer.length = 0;
93 return;
94 }
95
96 static int
97 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
98 gnutls_handshake_description_t recv_type,
99 uint8_t * header, uint16_t header_size,
100 uint8_t * dataptr, uint32_t datalen);
101
102 static int
103 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
104 gnutls_handshake_description_t type,
105 uint8_t * dataptr, uint32_t datalen);
106
107 static int
108 _gnutls_recv_hello_verify_request (gnutls_session_t session,
109 uint8_t * data, int datalen);
110
111
112 /* Clears the handshake hash buffers and handles.
113 */
114 void
115 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
116 {
117 session->internals.handshake_hash_buffer_prev_len = 0;
118 _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
119 }
120
121 /* this will copy the required values for resuming to
122 * internals, and to security_parameters.
123 * this will keep as less data to security_parameters.
124 */
125 static void
126 resume_copy_required_values (gnutls_session_t session)
127 {
128 /* get the new random values */
129 memcpy (session->internals.resumed_security_parameters.server_random,
130 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
131 memcpy (session->internals.resumed_security_parameters.client_random,
132 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
133
134 /* keep the ciphersuite and compression
135 * That is because the client must see these in our
136 * hello message.
137 */
138 memcpy (session->security_parameters.cipher_suite,
139 session->internals.resumed_security_parameters.cipher_suite, 2);
140 session->security_parameters.compression_method = session->internals.resumed_security_parameters.compression_method;
141
142 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
143 session->
144 internals.resumed_security_parameters.cipher_suite);
145 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
146 session->
147 internals.resumed_security_parameters.compression_method);
148
149 /* or write_compression_algorithm
150 * they are the same
151 */
152
153 session->security_parameters.entity =
154 session->internals.resumed_security_parameters.entity;
155
156 _gnutls_set_current_version (session,
157 session->internals.resumed_security_parameters.
158 version);
159
160 session->security_parameters.cert_type =
161 session->internals.resumed_security_parameters.cert_type;
162
163 memcpy (session->security_parameters.session_id,
164 session->internals.resumed_security_parameters.session_id,
165 sizeof (session->security_parameters.session_id));
166 session->security_parameters.session_id_size =
167 session->internals.resumed_security_parameters.session_id_size;
168
169 }
170
171 void
172 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
173 {
174 memcpy (session->security_parameters.server_random, rnd,
175 GNUTLS_RANDOM_SIZE);
176 }
177
178 void
179 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
180 {
181 memcpy (session->security_parameters.client_random, rnd,
182 GNUTLS_RANDOM_SIZE);
183 }
184
185 /* Calculate The SSL3 Finished message
186 */
187 #define SSL3_CLIENT_MSG "CLNT"
188 #define SSL3_SERVER_MSG "SRVR"
189 #define SSL_MSG_LEN 4
190 static int
191 _gnutls_ssl3_finished (gnutls_session_t session, int type, uint8_t * ret, int sending)
192 {
193 digest_hd_st td_md5;
194 digest_hd_st td_sha;
195 const char *mesg;
196 int rc, len;
197
198 if (sending)
199 len = session->internals.handshake_hash_buffer.length;
200 else
201 len = session->internals.handshake_hash_buffer_prev_len;
202
203 rc = _gnutls_hash_init (&td_sha, GNUTLS_DIG_SHA1);
204 if (rc < 0)
205 return gnutls_assert_val(rc);
206
207 rc = _gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
208 if (rc < 0)
209 {
210 _gnutls_hash_deinit (&td_sha, NULL);
211 return gnutls_assert_val(rc);
212 }
213
214 _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, len);
215 _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, len);
216
217 if (type == GNUTLS_SERVER)
218 mesg = SSL3_SERVER_MSG;
219 else
220 mesg = SSL3_CLIENT_MSG;
221
222 _gnutls_hash (&td_md5, mesg, SSL_MSG_LEN);
223 _gnutls_hash (&td_sha, mesg, SSL_MSG_LEN);
224
225 rc = _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
226 session->
227 security_parameters.master_secret,
228 GNUTLS_MASTER_SIZE);
229 if (rc < 0)
230 {
231 _gnutls_hash_deinit (&td_md5, NULL);
232 _gnutls_hash_deinit (&td_sha, NULL);
233 return gnutls_assert_val(rc);
234 }
235
236 rc = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
237 session->
238 security_parameters.master_secret,
239 GNUTLS_MASTER_SIZE);
240 if (rc < 0)
241 {
242 _gnutls_hash_deinit (&td_sha, NULL);
243 return gnutls_assert_val(rc);
244 }
245
246 return 0;
247 }
248
249 /* Hash the handshake messages as required by TLS 1.0
250 */
251 #define SERVER_MSG "server finished"
252 #define CLIENT_MSG "client finished"
253 #define TLS_MSG_LEN 15
254 static int
255 _gnutls_finished (gnutls_session_t session, int type, void *ret, int sending)
256 {
257 const int siz = TLS_MSG_LEN;
258 uint8_t concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
259 size_t hash_len;
260 const char *mesg;
261 int rc, len;
262
263 if (sending)
264 len = session->internals.handshake_hash_buffer.length;
265 else
266 len = session->internals.handshake_hash_buffer_prev_len;
267
268 if (!_gnutls_version_has_selectable_prf (gnutls_protocol_get_version(session)))
269 {
270 rc = _gnutls_hash_fast( GNUTLS_DIG_SHA1, session->internals.handshake_hash_buffer.data, len, &concat[16]);
271 if (rc < 0)
272 return gnutls_assert_val(rc);
273
274 rc = _gnutls_hash_fast( GNUTLS_DIG_MD5, session->internals.handshake_hash_buffer.data, len, concat);
275 if (rc < 0)
276 return gnutls_assert_val(rc);
277
278 hash_len = 20 + 16;
279 }
280 else
281 {
282 int algorithm = _gnutls_cipher_suite_get_prf(session->security_parameters.cipher_suite);
283
284 rc = _gnutls_hash_fast( algorithm, session->internals.handshake_hash_buffer.data, len, concat);
285 if (rc < 0)
286 return gnutls_assert_val(rc);
287
288 hash_len = _gnutls_hash_get_algo_len (algorithm);
289 }
290
291 if (type == GNUTLS_SERVER)
292 {
293 mesg = SERVER_MSG;
294 }
295 else
296 {
297 mesg = CLIENT_MSG;
298 }
299
300 return _gnutls_PRF (session, session->security_parameters.master_secret,
301 GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len, 12, ret);
302 }
303
304 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
305 * and put it to dst.
306 */
307 int
308 _gnutls_tls_create_random (uint8_t * dst)
309 {
310 uint32_t tim;
311 int ret;
312
313 /* Use weak random numbers for the most of the
314 * buffer except for the first 4 that are the
315 * system's time.
316 */
317
318 tim = gnutls_time (NULL);
319 /* generate server random value */
320 _gnutls_write_uint32 (tim, dst);
321
322 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
323 if (ret < 0)
324 {
325 gnutls_assert ();
326 return ret;
327 }
328
329 return 0;
330 }
331
332 /* returns the 0 on success or a negative error code.
333 */
334 int
335 _gnutls_negotiate_version (gnutls_session_t session,
336 gnutls_protocol_t adv_version)
337 {
338 int ret;
339
340 /* if we do not support that version */
341 if (_gnutls_version_is_supported (session, adv_version) == 0)
342 {
343 /* If he requested something we do not support
344 * then we send him the highest we support.
345 */
346 ret = _gnutls_version_max (session);
347 if (ret == GNUTLS_VERSION_UNKNOWN)
348 {
349 /* this check is not really needed.
350 */
351 gnutls_assert ();
352 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
353 }
354 }
355 else
356 {
357 ret = adv_version;
358 }
359
360 _gnutls_set_current_version (session, ret);
361
362 return ret;
363 }
364
365 int
366 _gnutls_user_hello_func (gnutls_session_t session,
367 gnutls_protocol_t adv_version)
368 {
369 int ret;
370
371 if (session->internals.user_hello_func != NULL)
372 {
373 ret = session->internals.user_hello_func (session);
374 if (ret < 0)
375 {
376 gnutls_assert ();
377 return ret;
378 }
379 /* Here we need to renegotiate the version since the callee might
380 * have disabled some TLS versions.
381 */
382 ret = _gnutls_negotiate_version (session, adv_version);
383 if (ret < 0)
384 {
385 gnutls_assert ();
386 return ret;
387 }
388 }
389 return 0;
390 }
391
392 /* Read a client hello packet.
393 * A client hello must be a known version client hello
394 * or version 2.0 client hello (only for compatibility
395 * since SSL version 2.0 is not supported).
396 */
397 static int
398 _gnutls_read_client_hello (gnutls_session_t session, uint8_t * data,
399 int datalen)
400 {
401 uint8_t session_id_len;
402 int pos = 0, ret;
403 uint16_t suite_size, comp_size;
404 gnutls_protocol_t adv_version;
405 int neg_version;
406 int len = datalen;
407 uint8_t rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
408
409 DECR_LEN (len, 2);
410
411 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
412 data[pos], data[pos + 1]);
413
414 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
415 set_adv_version (session, data[pos], data[pos + 1]);
416 pos += 2;
417
418 neg_version = _gnutls_negotiate_version (session, adv_version);
419 if (neg_version < 0)
420 {
421 gnutls_assert ();
422 return neg_version;
423 }
424
425 /* Read client random value.
426 */
427 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
428 _gnutls_set_client_random (session, &data[pos]);
429 pos += GNUTLS_RANDOM_SIZE;
430
431 _gnutls_tls_create_random (rnd);
432 _gnutls_set_server_random (session, rnd);
433
434 session->security_parameters.timestamp = gnutls_time (NULL);
435
436 DECR_LEN (len, 1);
437 session_id_len = data[pos++];
438
439 /* RESUME SESSION
440 */
441 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
442 {
443 gnutls_assert ();
444 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
445 }
446 DECR_LEN (len, session_id_len);
447 session_id = &data[pos];
448 pos += session_id_len;
449
450 if (IS_DTLS(session))
451 {
452 int cookie_size;
453
454 DECR_LEN (len, 1);
455 cookie_size = data[pos++];
456 DECR_LEN (len, cookie_size);
457 pos+=cookie_size;
458 }
459
460 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
461
462 if (session_id_len > 0) session->internals.resumption_requested = 1;
463
464 if (ret == 0)
465 { /* resumed using default TLS resumption! */
466 /* Parse only the safe renegotiation extension
467 * We don't want to parse any other extensions since
468 * we don't want new extension values to overwrite the
469 * resumed ones.
470 */
471
472 /* move forward to extensions */
473 DECR_LEN (len, 2);
474 suite_size = _gnutls_read_uint16 (&data[pos]);
475 pos += 2;
476
477 DECR_LEN (len, suite_size);
478 pos += suite_size;
479
480 DECR_LEN (len, 1);
481 comp_size = data[pos++]; /* z is the number of compression methods */
482 DECR_LEN (len, comp_size);
483 pos += comp_size;
484
485 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
486 &data[pos], len);
487 if (ret < 0)
488 {
489 gnutls_assert ();
490 return ret;
491 }
492
493 resume_copy_required_values (session);
494 session->internals.resumed = RESUME_TRUE;
495
496 return _gnutls_user_hello_func (session, adv_version);
497 }
498 else
499 {
500 _gnutls_generate_session_id (session->security_parameters.session_id,
501 &session->
502 security_parameters.session_id_size);
503
504 session->internals.resumed = RESUME_FALSE;
505 }
506
507 /* Remember ciphersuites for later
508 */
509 DECR_LEN (len, 2);
510 suite_size = _gnutls_read_uint16 (&data[pos]);
511 pos += 2;
512
513 DECR_LEN (len, suite_size);
514 suite_ptr = &data[pos];
515 pos += suite_size;
516
517 /* Point to the compression methods
518 */
519 DECR_LEN (len, 1);
520 comp_size = data[pos++]; /* z is the number of compression methods */
521
522 DECR_LEN (len, comp_size);
523 comp_ptr = &data[pos];
524 pos += comp_size;
525
526 /* Parse the extensions (if any)
527 *
528 * Unconditionally try to parse extensions; safe renegotiation uses them in
529 * sslv3 and higher, even though sslv3 doesn't officially support them.
530 */
531 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
532 &data[pos], len);
533 /* len is the rest of the parsed length */
534 if (ret < 0)
535 {
536 gnutls_assert ();
537 return ret;
538 }
539
540 ret = _gnutls_user_hello_func (session, adv_version);
541 if (ret < 0)
542 {
543 gnutls_assert ();
544 return ret;
545 }
546
547 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
548 &data[pos], len);
549 if (ret < 0)
550 {
551 gnutls_assert ();
552 return ret;
553 }
554
555 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len);
556 if (ret < 0)
557 {
558 gnutls_assert ();
559 return ret;
560 }
561
562 /* resumed by session_ticket extension */
563 if (session->internals.resumed != RESUME_FALSE)
564 {
565 /* to indicate the client that the current session is resumed */
566 memcpy (session->internals.resumed_security_parameters.session_id,
567 session_id, session_id_len);
568 session->internals.resumed_security_parameters.session_id_size =
569 session_id_len;
570
571 session->internals.resumed_security_parameters.max_record_recv_size =
572 session->security_parameters.max_record_recv_size;
573 session->internals.resumed_security_parameters.max_record_send_size =
574 session->security_parameters.max_record_send_size;
575
576 resume_copy_required_values (session);
577
578 return _gnutls_user_hello_func (session, adv_version);
579 }
580
581 /* select an appropriate cipher suite
582 */
583 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
584 if (ret < 0)
585 {
586 gnutls_assert ();
587 return ret;
588 }
589
590 /* select appropriate compression method */
591 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
592 if (ret < 0)
593 {
594 gnutls_assert ();
595 return ret;
596 }
597
598 return 0;
599 }
600
601 /* This is to be called after sending CHANGE CIPHER SPEC packet
602 * and initializing encryption. This is the first encrypted message
603 * we send.
604 */
605 static int
606 _gnutls_send_finished (gnutls_session_t session, int again)
607 {
608 mbuffer_st *bufel;
609 uint8_t *data;
610 int ret;
611 size_t vdata_size = 0;
612
613 if (again == 0)
614 {
615 bufel = _gnutls_handshake_alloc (session, MAX_VERIFY_DATA_SIZE, MAX_VERIFY_DATA_SIZE);
616 if (bufel == NULL)
617 {
618 gnutls_assert ();
619 return GNUTLS_E_MEMORY_ERROR;
620 }
621 data = _mbuffer_get_udata_ptr (bufel);
622
623 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
624 {
625 ret =
626 _gnutls_ssl3_finished (session,
627 session->security_parameters.entity, data, 1);
628 _mbuffer_set_udata_size (bufel, 36);
629 }
630 else
631 { /* TLS 1.0+ */
632 ret = _gnutls_finished (session,
633 session->security_parameters.entity, data, 1);
634 _mbuffer_set_udata_size (bufel, 12);
635 }
636
637 if (ret < 0)
638 {
639 gnutls_assert ();
640 return ret;
641 }
642
643 vdata_size = _mbuffer_get_udata_size (bufel);
644
645 ret = _gnutls_ext_sr_finished (session, data, vdata_size, 0);
646 if (ret < 0)
647 {
648 gnutls_assert ();
649 return ret;
650 }
651
652 if ((session->internals.resumed == RESUME_FALSE
653 && session->security_parameters.entity == GNUTLS_CLIENT)
654 || (session->internals.resumed != RESUME_FALSE
655 && session->security_parameters.entity == GNUTLS_SERVER))
656 {
657 /* if we are a client not resuming - or we are a server resuming */
658 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
659 session);
660 memcpy (session->internals.cb_tls_unique, data, vdata_size);
661 session->internals.cb_tls_unique_len = vdata_size;
662 }
663
664 ret =
665 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_FINISHED);
666 }
667 else
668 {
669 ret = _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_FINISHED);
670 }
671
672 return ret;
673 }
674
675 /* This is to be called after sending our finished message. If everything
676 * went fine we have negotiated a secure connection
677 */
678 static int
679 _gnutls_recv_finished (gnutls_session_t session)
680 {
681 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
682 gnutls_buffer_st buf;
683 int data_size;
684 int ret;
685 int vrfy_size;
686
687 ret =
688 _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_FINISHED,
689 0, &buf);
690 if (ret < 0)
691 {
692 ERR ("recv finished int", ret);
693 gnutls_assert ();
694 return ret;
695 }
696
697 vrfy = buf.data;
698 vrfy_size = buf.length;
699
700 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
701 {
702 data_size = 36;
703 }
704 else
705 {
706 data_size = 12;
707 }
708
709 if (vrfy_size != data_size)
710 {
711 gnutls_assert ();
712 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
713 goto cleanup;
714 }
715
716 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
717 {
718 ret =
719 _gnutls_ssl3_finished (session,
720 (session->security_parameters.entity + 1) % 2,
721 data, 0);
722 }
723 else
724 { /* TLS 1.0 */
725 ret =
726 _gnutls_finished (session,
727 (session->security_parameters.entity +
728 1) % 2, data, 0);
729 }
730
731 if (ret < 0)
732 {
733 gnutls_assert ();
734 goto cleanup;
735 }
736
737 if (memcmp (vrfy, data, data_size) != 0)
738 {
739 gnutls_assert ();
740 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
741 goto cleanup;
742 }
743
744 ret = _gnutls_ext_sr_finished (session, data, data_size, 1);
745 if (ret < 0)
746 {
747 gnutls_assert ();
748 goto cleanup;
749 }
750
751 if ((session->internals.resumed != RESUME_FALSE
752 && session->security_parameters.entity == GNUTLS_CLIENT)
753 || (session->internals.resumed == RESUME_FALSE
754 && session->security_parameters.entity == GNUTLS_SERVER))
755 {
756 /* if we are a client resuming - or we are a server not resuming */
757 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
758 session);
759 memcpy (session->internals.cb_tls_unique, data, data_size);
760 session->internals.cb_tls_unique_len = data_size;
761 }
762
763
764 session->internals.initial_negotiation_completed = 1;
765
766 cleanup:
767 _gnutls_buffer_clear(&buf);
768
769 return ret;
770 }
771
772 /* returns PK_RSA if the given cipher suite list only supports,
773 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
774 */
775 static int
776 server_find_pk_algos_in_ciphersuites (const uint8_t *
777 data, unsigned int datalen,
778 gnutls_pk_algorithm_t * algos,
779 size_t* algos_size)
780 {
781 unsigned int j;
782 gnutls_kx_algorithm_t kx;
783 unsigned int max = *algos_size;
784
785 if (datalen % 2 != 0)
786 {
787 gnutls_assert ();
788 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
789 }
790
791 *algos_size = 0;
792 for (j = 0; j < datalen; j += 2)
793 {
794 kx = _gnutls_cipher_suite_get_kx_algo (&data[j]);
795 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
796 {
797 algos[(*algos_size)++] = _gnutls_map_pk_get_pk (kx);
798
799 if ((*algos_size) >= max)
800 return 0;
801 }
802 }
803
804 return 0;
805 }
806
807 /* This selects the best supported ciphersuite from the given ones. Then
808 * it adds the suite to the session and performs some checks.
809 */
810 int
811 _gnutls_server_select_suite (gnutls_session_t session, uint8_t * data,
812 unsigned int datalen)
813 {
814 int ret;
815 unsigned int i, j, cipher_suites_size;
816 size_t pk_algos_size;
817 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
818 int retval, err;
819 gnutls_pk_algorithm_t pk_algos[MAX_ALGOS]; /* will hold the pk algorithms
820 * supported by the peer.
821 */
822
823 /* First, check for safe renegotiation SCSV.
824 */
825 if (session->internals.priorities.sr != SR_DISABLED)
826 {
827 unsigned int offset;
828
829 for (offset = 0; offset < datalen; offset += 2)
830 {
831 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
832 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
833 data[offset + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
834 {
835 _gnutls_handshake_log
836 ("HSK[%p]: Received safe renegotiation CS\n", session);
837 retval = _gnutls_ext_sr_recv_cs (session);
838 if (retval < 0)
839 {
840 gnutls_assert ();
841 return retval;
842 }
843 break;
844 }
845 }
846 }
847
848 pk_algos_size = MAX_ALGOS;
849 ret = server_find_pk_algos_in_ciphersuites (data, datalen, pk_algos, &pk_algos_size);
850 if (ret < 0)
851 return gnutls_assert_val(ret);
852
853 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
854 if (ret < 0)
855 return gnutls_assert_val(ret);
856
857 cipher_suites_size = ret;
858
859 /* Here we remove any ciphersuite that does not conform
860 * the certificate requested, or to the
861 * authentication requested (e.g. SRP).
862 */
863 ret = _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, cipher_suites_size, pk_algos, pk_algos_size);
864 if (ret <= 0)
865 {
866 gnutls_assert ();
867 if (ret < 0)
868 return ret;
869 else
870 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
871 }
872
873 cipher_suites_size = ret;
874
875 /* Data length should be zero mod 2 since
876 * every ciphersuite is 2 bytes. (this check is needed
877 * see below).
878 */
879 if (datalen % 2 != 0)
880 {
881 gnutls_assert ();
882 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
883 }
884
885 memset (session->security_parameters.cipher_suite, 0, 2);
886
887 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
888
889 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session, (int)datalen);
890
891 if (session->internals.priorities.server_precedence == 0)
892 {
893 for (j = 0; j < datalen; j += 2)
894 {
895 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data[j], data[j+1], _gnutls_cipher_suite_get_name (&data[j]));
896 for (i = 0; i < cipher_suites_size; i+=2)
897 {
898 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
899 {
900 _gnutls_handshake_log
901 ("HSK[%p]: Selected cipher suite: %s\n", session,
902 _gnutls_cipher_suite_get_name (&data[j]));
903 memcpy (session->security_parameters.cipher_suite,
904 &cipher_suites[i], 2);
905 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
906 session->
907 security_parameters.cipher_suite);
908
909
910 retval = 0;
911 goto finish;
912 }
913 }
914 }
915 }
916 else /* server selects */
917 {
918 for (i = 0; i < cipher_suites_size; i+=2)
919 {
920 for (j = 0; j < datalen; j += 2)
921 {
922 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
923 {
924 _gnutls_handshake_log
925 ("HSK[%p]: Selected cipher suite: %s\n", session,
926 _gnutls_cipher_suite_get_name (&data[j]));
927 memcpy (session->security_parameters.cipher_suite,
928 &cipher_suites[i], 2);
929 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
930 session->
931 security_parameters.cipher_suite);
932
933
934 retval = 0;
935 goto finish;
936 }
937 }
938 }
939 }
940 finish:
941
942 if (retval != 0)
943 {
944 gnutls_assert ();
945 return retval;
946 }
947
948 /* check if the credentials (username, public key etc.) are ok
949 */
950 if (_gnutls_get_kx_cred
951 (session,
952 _gnutls_cipher_suite_get_kx_algo (session->
953 security_parameters.cipher_suite),
954 &err) == NULL && err != 0)
955 {
956 gnutls_assert ();
957 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
958 }
959
960
961 /* set the mod_auth_st to the appropriate struct
962 * according to the KX algorithm. This is needed since all the
963 * handshake functions are read from there;
964 */
965 session->internals.auth_struct =
966 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
967 (session->
968 security_parameters.cipher_suite));
969 if (session->internals.auth_struct == NULL)
970 {
971
972 _gnutls_handshake_log
973 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
974 session);
975 gnutls_assert ();
976 return GNUTLS_E_INTERNAL_ERROR;
977 }
978
979 return 0;
980
981 }
982
983
984 /* This selects the best supported compression method from the ones provided
985 */
986 static int
987 _gnutls_server_select_comp_method (gnutls_session_t session,
988 uint8_t * data, int datalen)
989 {
990 int x, i, j;
991 uint8_t comps[MAX_ALGOS];
992
993 x = _gnutls_supported_compression_methods (session, comps, MAX_ALGOS);
994 if (x < 0)
995 {
996 gnutls_assert ();
997 return x;
998 }
999
1000 if (session->internals.priorities.server_precedence == 0)
1001 {
1002 for (j = 0; j < datalen; j++)
1003 {
1004 for (i = 0; i < x; i++)
1005 {
1006 if (comps[i] == data[j])
1007 {
1008 gnutls_compression_method_t method =
1009 _gnutls_compression_get_id (comps[i]);
1010
1011 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1012 session->security_parameters.compression_method = method;
1013
1014 _gnutls_handshake_log
1015 ("HSK[%p]: Selected Compression Method: %s\n", session,
1016 gnutls_compression_get_name (method));
1017 return 0;
1018 }
1019 }
1020 }
1021 }
1022 else
1023 {
1024 for (i = 0; i < x; i++)
1025 {
1026 for (j = 0; j < datalen; j++)
1027 {
1028 if (comps[i] == data[j])
1029 {
1030 gnutls_compression_method_t method =
1031 _gnutls_compression_get_id (comps[i]);
1032
1033 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1034 session->security_parameters.compression_method = method;
1035
1036 _gnutls_handshake_log
1037 ("HSK[%p]: Selected Compression Method: %s\n", session,
1038 gnutls_compression_get_name (method));
1039 return 0;
1040 }
1041 }
1042 }
1043 }
1044
1045 /* we were not able to find a compatible compression
1046 * algorithm
1047 */
1048 gnutls_assert ();
1049 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1050
1051 }
1052
1053 /* This function sends an empty handshake packet. (like hello request).
1054 * If the previous _gnutls_send_empty_handshake() returned
1055 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1056 * (until it returns ok), with NULL parameters.
1057 */
1058 static int
1059 _gnutls_send_empty_handshake (gnutls_session_t session,
1060 gnutls_handshake_description_t type, int again)
1061 {
1062 mbuffer_st *bufel;
1063
1064 if (again == 0)
1065 {
1066 bufel = _gnutls_handshake_alloc (session, 0, 0);
1067 if (bufel == NULL)
1068 {
1069 gnutls_assert ();
1070 return GNUTLS_E_MEMORY_ERROR;
1071 }
1072 }
1073 else
1074 bufel = NULL;
1075
1076 return _gnutls_send_handshake (session, bufel, type);
1077 }
1078
1079
1080
1081
1082 /* This function sends a handshake message of type 'type' containing the
1083 * data specified here. If the previous _gnutls_send_handshake() returned
1084 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1085 * (until it returns ok), with NULL parameters.
1086 */
1087 int
1088 _gnutls_send_handshake (gnutls_session_t session, mbuffer_st * bufel,
1089 gnutls_handshake_description_t type)
1090 {
1091 int ret;
1092 uint8_t *data;
1093 uint32_t datasize, i_datasize;
1094 int pos = 0;
1095
1096 if (bufel == NULL)
1097 {
1098 /* we are resuming a previously interrupted
1099 * send.
1100 */
1101 ret = _gnutls_handshake_io_write_flush (session);
1102 return ret;
1103
1104 }
1105
1106 /* first run */
1107 data = _mbuffer_get_uhead_ptr (bufel);
1108 i_datasize = _mbuffer_get_udata_size(bufel);
1109 datasize = i_datasize + _mbuffer_get_uhead_size (bufel);
1110
1111 data[pos++] = (uint8_t) type;
1112 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel), &data[pos]);
1113 pos += 3;
1114
1115 /* Add DTLS handshake fragment headers. The message will be
1116 * fragmented later by the fragmentation sub-layer. All fields must
1117 * be set properly for HMAC. The HMAC requires we pretend that the
1118 * message was sent in a single fragment. */
1119 if (IS_DTLS(session))
1120 {
1121 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq++, &data[pos]);
1122 pos += 2;
1123
1124 /* Fragment offset */
1125 _gnutls_write_uint24 (0, &data[pos]);
1126 pos += 3;
1127
1128 /* Fragment length */
1129 _gnutls_write_uint24 (i_datasize, &data[pos]);
1130 /* pos += 3; */
1131 }
1132
1133 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1134 session, _gnutls_handshake2str (type),
1135 (long) datasize);
1136
1137 /* Here we keep the handshake messages in order to hash them...
1138 */
1139 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1140 if ((ret =
1141 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1142 {
1143 gnutls_assert ();
1144 _mbuffer_xfree(&bufel);
1145 return ret;
1146 }
1147
1148 session->internals.last_handshake_out = type;
1149
1150 ret = _gnutls_handshake_io_cache_int (session, type, bufel);
1151 if (ret < 0)
1152 {
1153 _mbuffer_xfree(&bufel);
1154 gnutls_assert();
1155 return ret;
1156 }
1157
1158 switch (type)
1159 {
1160 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1161 * or ClientKeyExchange always.
1162 */
1163 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1164 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1165 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1166 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1167 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1168
1169 /* now for client Certificate, ClientKeyExchange and
1170 * CertificateVerify are always followed by ChangeCipherSpec
1171 */
1172 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1173 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1174 ret = 0;
1175 break;
1176 default:
1177 /* send cached messages */
1178 ret = _gnutls_handshake_io_write_flush (session);
1179 break;
1180 }
1181
1182 return ret;
1183 }
1184
1185 #define CHECK_SIZE(ll) \
1186 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1187 (((ll) + session->internals.handshake_hash_buffer.length) > \
1188 session->internals.max_handshake_data_buffer_size)) \
1189 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1190
1191 /* This function add the handshake headers and the
1192 * handshake data to the handshake hash buffers. Needed
1193 * for the finished messages calculations.
1194 */
1195 static int
1196 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1197 gnutls_handshake_description_t recv_type,
1198 uint8_t * header, uint16_t header_size,
1199 uint8_t * dataptr, uint32_t datalen)
1200 {
1201 int ret;
1202
1203 if ((gnutls_protocol_get_version (session) != GNUTLS_DTLS0_9 &&
1204 recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST) ||
1205 recv_type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
1206 return 0;
1207
1208 CHECK_SIZE(header_size + datalen);
1209
1210 session->internals.handshake_hash_buffer_prev_len = session->internals.handshake_hash_buffer.length;
1211
1212 if (gnutls_protocol_get_version (session) != GNUTLS_DTLS0_9)
1213 {
1214 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1215 header, header_size);
1216 if (ret < 0)
1217 return gnutls_assert_val(ret);
1218 }
1219 if (datalen > 0)
1220 {
1221 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1222 dataptr, datalen);
1223 if (ret < 0)
1224 return gnutls_assert_val(ret);
1225 }
1226
1227 return 0;
1228 }
1229
1230 /* This function will store the handshake message we sent.
1231 */
1232 static int
1233 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1234 gnutls_handshake_description_t type,
1235 uint8_t * dataptr, uint32_t datalen)
1236 {
1237 int ret;
1238
1239 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1240 * is not sent via that channel.
1241 */
1242 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1243 {
1244 CHECK_SIZE(datalen);
1245
1246 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
1247 {
1248 /* Old DTLS doesn't include the header in the MAC */
1249 if (datalen <= 12)
1250 {
1251 gnutls_assert ();
1252 return GNUTLS_E_INVALID_REQUEST;
1253 }
1254 dataptr += 12;
1255 datalen -= 12;
1256 }
1257
1258 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1259 dataptr, datalen);
1260 if (ret < 0)
1261 return gnutls_assert_val(ret);
1262
1263 return 0;
1264 }
1265
1266 return 0;
1267 }
1268
1269
1270 /* This function will receive handshake messages of the given types,
1271 * and will pass the message to the right place in order to be processed.
1272 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1273 * passed to _gnutls_recv_hello().
1274 */
1275 int
1276 _gnutls_recv_handshake (gnutls_session_t session,
1277 gnutls_handshake_description_t type,
1278 unsigned int optional, gnutls_buffer_st* buf)
1279 {
1280 int ret;
1281 handshake_buffer_st hsk;
1282
1283 ret =
1284 _gnutls_handshake_io_recv_int (session, type, &hsk, optional);
1285 if (ret < 0)
1286 {
1287 if (optional != 0 && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET)
1288 {
1289 if (buf) _gnutls_buffer_init(buf);
1290 return 0;
1291 }
1292
1293 return gnutls_assert_val_fatal(ret);
1294 }
1295
1296 ret = _gnutls_handshake_hash_add_recvd (session, hsk.htype,
1297 hsk.header, hsk.header_size,
1298 hsk.data.data, hsk.data.length);
1299 if (ret < 0)
1300 {
1301 gnutls_assert ();
1302 goto cleanup;
1303 }
1304
1305 switch (hsk.htype)
1306 {
1307 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1308 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1309 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1310 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1311 ret = _gnutls_read_client_hello_v2 (session, hsk.data.data, hsk.data.length);
1312 else
1313 ret = _gnutls_recv_hello (session, hsk.data.data, hsk.data.length);
1314
1315 if (ret < 0)
1316 {
1317 gnutls_assert();
1318 goto cleanup;
1319 }
1320
1321 goto cleanup; /* caller doesn't need dataptr */
1322
1323 break;
1324 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1325 ret = _gnutls_recv_hello_verify_request (session, hsk.data.data, hsk.data.length);
1326 if (ret < 0)
1327 {
1328 gnutls_assert();
1329 goto cleanup;
1330 }
1331 else
1332 /* Signal our caller we have received a verification cookie
1333 and ClientHello needs to be sent again. */
1334 ret = 1;
1335
1336 goto cleanup; /* caller doesn't need dataptr */
1337
1338 break;
1339 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1340 if (hsk.data.length == 0)
1341 ret = 0;
1342 else
1343 {
1344 gnutls_assert();
1345 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1346 goto cleanup;
1347 }
1348 break;
1349 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1350 case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
1351 case GNUTLS_HANDSHAKE_FINISHED:
1352 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1353 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1354 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1355 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1356 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1357 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1358 ret = hsk.data.length;
1359 break;
1360 default:
1361 gnutls_assert ();
1362 /* we shouldn't actually arrive here in any case .
1363 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1364 */
1365 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1366 goto cleanup;
1367 }
1368
1369 if (buf)
1370 {
1371 *buf = hsk.data;
1372 return ret;
1373 }
1374
1375 cleanup:
1376 _gnutls_handshake_buffer_clear (&hsk);
1377 return ret;
1378 }
1379
1380 /* This function checks if the given cipher suite is supported, and sets it
1381 * to the session;
1382 */
1383 static int
1384 _gnutls_client_set_ciphersuite (gnutls_session_t session, uint8_t suite[2])
1385 {
1386 uint8_t z;
1387 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
1388 int cipher_suite_size;
1389 int i, err;
1390
1391 z = 1;
1392 cipher_suite_size = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
1393 if (cipher_suite_size < 0)
1394 {
1395 gnutls_assert ();
1396 return cipher_suite_size;
1397 }
1398
1399 for (i = 0; i < cipher_suite_size; i+=2)
1400 {
1401 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1402 {
1403 z = 0;
1404 break;
1405 }
1406 }
1407
1408 if (z != 0)
1409 {
1410 gnutls_assert ();
1411 _gnutls_handshake_log("HSK[%p]: unsupported cipher suite %.2X.%.2X\n", session,
1412 (unsigned int)suite[0], (unsigned int)suite[1]);
1413 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1414 }
1415
1416 memcpy (session->security_parameters.cipher_suite, suite, 2);
1417 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
1418 session->
1419 security_parameters.cipher_suite);
1420
1421 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1422 _gnutls_cipher_suite_get_name
1423 (session->
1424 security_parameters.cipher_suite));
1425
1426
1427 /* check if the credentials (username, public key etc.) are ok.
1428 * Actually checks if they exist.
1429 */
1430 if (!session->internals.premaster_set &&
1431 _gnutls_get_kx_cred
1432 (session,
1433 _gnutls_cipher_suite_get_kx_algo
1434 (session->security_parameters.cipher_suite), &err) == NULL
1435 && err != 0)
1436 {
1437 gnutls_assert ();
1438 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1439 }
1440
1441
1442 /* set the mod_auth_st to the appropriate struct
1443 * according to the KX algorithm. This is needed since all the
1444 * handshake functions are read from there;
1445 */
1446 session->internals.auth_struct =
1447 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1448 (session->
1449 security_parameters.cipher_suite));
1450
1451 if (session->internals.auth_struct == NULL)
1452 {
1453
1454 _gnutls_handshake_log
1455 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1456 session);
1457 gnutls_assert ();
1458 return GNUTLS_E_INTERNAL_ERROR;
1459 }
1460
1461
1462 return 0;
1463 }
1464
1465 /* This function sets the given comp method to the session.
1466 */
1467 static int
1468 _gnutls_client_set_comp_method (gnutls_session_t session, uint8_t comp_method)
1469 {
1470 int comp_methods_num;
1471 uint8_t compression_methods[MAX_ALGOS];
1472 int id = _gnutls_compression_get_id(comp_method);
1473 int i;
1474
1475 _gnutls_handshake_log ("HSK[%p]: Selected compression method: %s (%d)\n", session,
1476 gnutls_compression_get_name(id), (int)comp_method);
1477
1478 comp_methods_num = _gnutls_supported_compression_methods (session,
1479 compression_methods, MAX_ALGOS);
1480 if (comp_methods_num < 0)
1481 {
1482 gnutls_assert ();
1483 return comp_methods_num;
1484 }
1485
1486 for (i = 0; i < comp_methods_num; i++)
1487 {
1488 if (compression_methods[i] == comp_method)
1489 {
1490 comp_methods_num = 0;
1491 break;
1492 }
1493 }
1494
1495 if (comp_methods_num != 0)
1496 {
1497 gnutls_assert ();
1498 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1499 }
1500
1501 session->security_parameters.compression_method = id;
1502 _gnutls_epoch_set_compression (session, EPOCH_NEXT, id);
1503
1504 return 0;
1505 }
1506
1507 /* This function returns 0 if we are resuming a session or -1 otherwise.
1508 * This also sets the variables in the session. Used only while reading a server
1509 * hello.
1510 */
1511 static int
1512 _gnutls_client_check_if_resuming (gnutls_session_t session,
1513 uint8_t * session_id, int session_id_len)
1514 {
1515 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1516
1517 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1518 session_id_len);
1519 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1520 _gnutls_bin2hex (session_id, session_id_len, buf,
1521 sizeof (buf), NULL));
1522
1523 if (session_id_len > 0 &&
1524 session->internals.resumed_security_parameters.session_id_size ==
1525 session_id_len
1526 && memcmp (session_id,
1527 session->internals.resumed_security_parameters.session_id,
1528 session_id_len) == 0)
1529 {
1530 /* resume session */
1531 memcpy (session->internals.resumed_security_parameters.server_random,
1532 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1533 memcpy (session->internals.resumed_security_parameters.client_random,
1534 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1535
1536 _gnutls_epoch_set_cipher_suite
1537 (session, EPOCH_NEXT,
1538 session->internals.
1539 resumed_security_parameters.cipher_suite);
1540 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1541 session->
1542 internals.resumed_security_parameters.compression_method);
1543
1544 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1545
1546 return 0;
1547 }
1548 else
1549 {
1550 /* keep the new session id */
1551 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1552 session->security_parameters.session_id_size = session_id_len;
1553 memcpy (session->security_parameters.session_id,
1554 session_id, session_id_len);
1555
1556 return -1;
1557 }
1558 }
1559
1560
1561 /* This function reads and parses the server hello handshake message.
1562 * This function also restores resumed parameters if we are resuming a
1563 * session.
1564 */
1565 static int
1566 _gnutls_read_server_hello (gnutls_session_t session,
1567 uint8_t * data, int datalen)
1568 {
1569 uint8_t session_id_len = 0;
1570 int pos = 0;
1571 int ret = 0;
1572 gnutls_protocol_t version;
1573 int len = datalen;
1574
1575 if (datalen < 38)
1576 {
1577 gnutls_assert ();
1578 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1579 }
1580
1581 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1582 session, data[pos], data[pos + 1]);
1583
1584 DECR_LEN (len, 2);
1585 version = _gnutls_version_get (data[pos], data[pos + 1]);
1586 if (_gnutls_version_is_supported (session, version) == 0)
1587 {
1588 gnutls_assert ();
1589 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1590 }
1591 else
1592 {
1593 _gnutls_set_current_version (session, version);
1594 }
1595
1596 pos += 2;
1597
1598 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1599 _gnutls_set_server_random (session, &data[pos]);
1600 pos += GNUTLS_RANDOM_SIZE;
1601
1602
1603 /* Read session ID
1604 */
1605 DECR_LEN (len, 1);
1606 session_id_len = data[pos++];
1607
1608 if (len < session_id_len)
1609 {
1610 gnutls_assert ();
1611 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1612 }
1613 DECR_LEN (len, session_id_len);
1614
1615 /* check if we are resuming and set the appropriate
1616 * values;
1617 */
1618 if (_gnutls_client_check_if_resuming
1619 (session, &data[pos], session_id_len) == 0)
1620 {
1621 pos += session_id_len + 2 + 1;
1622 DECR_LEN (len, 2 + 1);
1623
1624 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
1625 &data[pos], len);
1626 if (ret < 0)
1627 {
1628 gnutls_assert ();
1629 return ret;
1630 }
1631 return 0;
1632 }
1633
1634 pos += session_id_len;
1635
1636 /* Check if the given cipher suite is supported and copy
1637 * it to the session.
1638 */
1639
1640 DECR_LEN (len, 2);
1641 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1642 if (ret < 0)
1643 {
1644 gnutls_assert ();
1645 return ret;
1646 }
1647 pos += 2;
1648
1649 /* move to compression
1650 */
1651 DECR_LEN (len, 1);
1652
1653 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1654 if (ret < 0)
1655 {
1656 gnutls_assert ();
1657 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1658 }
1659
1660 /* Parse extensions.
1661 */
1662 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len);
1663 if (ret < 0)
1664 {
1665 gnutls_assert ();
1666 return ret;
1667 }
1668
1669 return ret;
1670 }
1671
1672
1673 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1674 * Needed in client hello messages. Returns the new data length. If add_scsv is
1675 * true, add the special safe renegotiation CS.
1676 */
1677 static int
1678 _gnutls_copy_ciphersuites (gnutls_session_t session,
1679 gnutls_buffer_st * cdata,
1680 int add_scsv)
1681 {
1682 int ret;
1683 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE+2];
1684 int cipher_suites_size;
1685 size_t init_length = cdata->length;
1686
1687 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites)-2);
1688 if (ret < 0)
1689 return gnutls_assert_val(ret);
1690
1691 /* Here we remove any ciphersuite that does not conform
1692 * the certificate requested, or to the
1693 * authentication requested (eg SRP).
1694 */
1695 ret =
1696 _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, ret, NULL, 0);
1697 if (ret < 0)
1698 return gnutls_assert_val(ret);
1699
1700 /* If no cipher suites were enabled.
1701 */
1702 if (ret == 0)
1703 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1704
1705 cipher_suites_size = ret;
1706 if (add_scsv)
1707 {
1708 cipher_suites[cipher_suites_size] = 0x00;
1709 cipher_suites[cipher_suites_size+1] = 0xff;
1710 cipher_suites_size += 2;
1711
1712 ret = _gnutls_ext_sr_send_cs (session);
1713 if (ret < 0)
1714 return gnutls_assert_val(ret);
1715 }
1716
1717 ret = _gnutls_buffer_append_data_prefix(cdata, 16, cipher_suites, cipher_suites_size);
1718 if (ret < 0)
1719 return gnutls_assert_val(ret);
1720
1721 ret = cdata->length - init_length;
1722
1723 return ret;
1724 }
1725
1726
1727 /* This function copies the appropriate compression methods, to a locally allocated buffer
1728 * Needed in hello messages. Returns the new data length.
1729 */
1730 static int
1731 _gnutls_copy_comp_methods (gnutls_session_t session,
1732 gnutls_buffer_st * cdata)
1733 {
1734 int ret;
1735 uint8_t compression_methods[MAX_ALGOS], comp_num;
1736 size_t init_length = cdata->length;
1737
1738 ret = _gnutls_supported_compression_methods (session, compression_methods, MAX_ALGOS);
1739 if (ret < 0)
1740 return gnutls_assert_val(ret);
1741
1742 comp_num = ret;
1743
1744 /* put the number of compression methods */
1745 ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num);
1746 if (ret < 0)
1747 return gnutls_assert_val(ret);
1748
1749 ret = _gnutls_buffer_append_data(cdata, compression_methods, comp_num);
1750 if (ret < 0)
1751 return gnutls_assert_val(ret);
1752
1753 ret = cdata->length - init_length;
1754
1755 return ret;
1756 }
1757
1758 /* This should be sufficient by now. It should hold all the extensions
1759 * plus the headers in a hello message.
1760 */
1761 #define MAX_EXT_DATA_LENGTH 32*1024
1762
1763 /* This function sends the client hello handshake message.
1764 */
1765 static int
1766 _gnutls_send_client_hello (gnutls_session_t session, int again)
1767 {
1768 mbuffer_st *bufel = NULL;
1769 uint8_t *data = NULL;
1770 int pos = 0, type;
1771 int datalen = 0, ret = 0;
1772 uint8_t rnd[GNUTLS_RANDOM_SIZE];
1773 gnutls_protocol_t hver;
1774 gnutls_buffer_st extdata;
1775 int rehandshake = 0;
1776 uint8_t session_id_len =
1777 session->internals.resumed_security_parameters.session_id_size;
1778 uint8_t cookie_len;
1779
1780 _gnutls_buffer_init(&extdata);
1781
1782 /* note that rehandshake is different than resuming
1783 */
1784 if (session->security_parameters.session_id_size)
1785 rehandshake = 1;
1786
1787 if (again == 0)
1788 {
1789 if(IS_DTLS(session))
1790 {
1791 cookie_len = session->internals.dtls.cookie_len + 1;
1792 }
1793 else
1794 {
1795 cookie_len = 0;
1796 }
1797
1798 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE + cookie_len;
1799 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1800 */
1801
1802 bufel = _gnutls_handshake_alloc (session, datalen, datalen+MAX_EXT_DATA_LENGTH);
1803 if (bufel == NULL)
1804 {
1805 gnutls_assert ();
1806 return GNUTLS_E_MEMORY_ERROR;
1807 }
1808 data = _mbuffer_get_udata_ptr (bufel);
1809
1810 /* if we are resuming a session then we set the
1811 * version number to the previously established.
1812 */
1813 if (session_id_len == 0)
1814 {
1815 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
1816 hver = session->security_parameters.version;
1817 else /* new handshake. just get the max */
1818 hver = _gnutls_version_max (session);
1819 }
1820 else
1821 {
1822 /* we are resuming a session */
1823 hver = session->internals.resumed_security_parameters.version;
1824 }
1825
1826 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
1827 {
1828 gnutls_assert ();
1829 gnutls_free (bufel);
1830 return GNUTLS_E_INTERNAL_ERROR;
1831 }
1832
1833 data[pos++] = _gnutls_version_get_major (hver);
1834 data[pos++] = _gnutls_version_get_minor (hver);
1835
1836 /* Set the version we advertized as maximum
1837 * (RSA uses it).
1838 */
1839 _gnutls_set_adv_version (session, hver);
1840 _gnutls_set_current_version (session, hver);
1841
1842 if (session->internals.priorities.ssl3_record_version != 0)
1843 {
1844 /* Advertize the SSL 3.0 record packet version in
1845 * record packets during the handshake.
1846 * That is to avoid confusing implementations
1847 * that do not support TLS 1.2 and don't know
1848 * how 3,3 version of record packets look like.
1849 */
1850 if (!IS_DTLS(session))
1851 _gnutls_record_set_default_version (session, 3, 0);
1852 else if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
1853 _gnutls_record_set_default_version (session, 1, 0);
1854 else
1855 _gnutls_record_set_default_version (session, 254, 255);
1856 }
1857
1858 /* In order to know when this session was initiated.
1859 */
1860 session->security_parameters.timestamp = gnutls_time (NULL);
1861
1862 /* Generate random data
1863 */
1864 if (!IS_DTLS (session)
1865 || session->internals.dtls.hsk_hello_verify_requests == 0)
1866 {
1867 _gnutls_tls_create_random (rnd);
1868 _gnutls_set_client_random (session, rnd);
1869
1870 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
1871 }
1872 else
1873 memcpy (&data[pos], session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1874
1875 pos += GNUTLS_RANDOM_SIZE;
1876
1877 /* Copy the Session ID
1878 */
1879 data[pos++] = session_id_len;
1880
1881 if (session_id_len > 0)
1882 {
1883 memcpy (&data[pos],
1884 session->internals.resumed_security_parameters.session_id,
1885 session_id_len);
1886 pos += session_id_len;
1887 }
1888
1889 /* Copy the DTLS cookie
1890 */
1891 if (IS_DTLS(session))
1892 {
1893 data[pos++] = session->internals.dtls.cookie_len;
1894 memcpy(&data[pos], &session->internals.dtls.cookie, session->internals.dtls.cookie_len);
1895 /* pos += session->internals.dtls.cookie_len; */
1896 }
1897
1898 /* Copy the ciphersuites.
1899 *
1900 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1901 * prevention on initial negotiation (but not renegotiation; that's
1902 * handled with the RI extension below).
1903 */
1904 if (!session->internals.initial_negotiation_completed &&
1905 session->security_parameters.entity == GNUTLS_CLIENT &&
1906 (gnutls_protocol_get_version (session) == GNUTLS_SSL3 ||
1907 session->internals.priorities.no_extensions != 0))
1908 {
1909 ret =
1910 _gnutls_copy_ciphersuites (session, &extdata, TRUE);
1911 _gnutls_extension_list_add (session,
1912 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
1913 }
1914 else
1915 ret = _gnutls_copy_ciphersuites (session, &extdata, FALSE);
1916
1917 if (ret < 0)
1918 {
1919 gnutls_assert();
1920 goto cleanup;
1921 }
1922
1923 /* Copy the compression methods.
1924 */
1925 ret = _gnutls_copy_comp_methods (session, &extdata);
1926 if (ret < 0)
1927 {
1928 gnutls_assert();
1929 goto cleanup;
1930 }
1931
1932 /* Generate and copy TLS extensions.
1933 */
1934 if (session->internals.priorities.no_extensions == 0)
1935 {
1936 if (_gnutls_version_has_extensions (hver))
1937 type = GNUTLS_EXT_ANY;
1938 else
1939 {
1940 if (session->internals.initial_negotiation_completed != 0)
1941 type = GNUTLS_EXT_MANDATORY;
1942 else
1943 type = GNUTLS_EXT_NONE;
1944 }
1945
1946 ret = _gnutls_gen_extensions (session, &extdata, type);
1947 if (ret < 0)
1948 {
1949 gnutls_assert();
1950 goto cleanup;
1951 }
1952
1953 }
1954
1955 ret = _mbuffer_append_data (bufel, extdata.data, extdata.length);
1956 if (ret < 0)
1957 {
1958 gnutls_assert ();
1959 goto cleanup;
1960 }
1961 }
1962
1963 _gnutls_buffer_clear(&extdata);
1964
1965 return
1966 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
1967
1968 cleanup:
1969 _mbuffer_xfree(&bufel);
1970 _gnutls_buffer_clear(&extdata);
1971 return ret;
1972 }
1973
1974 static int
1975 _gnutls_send_server_hello (gnutls_session_t session, int again)
1976 {
1977 mbuffer_st *bufel = NULL;
1978 uint8_t *data = NULL;
1979 gnutls_buffer_st extdata;
1980 int pos = 0;
1981 int datalen, ret = 0;
1982 uint8_t comp;
1983 uint8_t session_id_len = session->security_parameters.session_id_size;
1984 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1985
1986 _gnutls_buffer_init(&extdata);
1987
1988 if (again == 0)
1989 {
1990 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
1991 ret =
1992 _gnutls_gen_extensions (session, &extdata, GNUTLS_EXT_ANY);
1993 if (ret < 0)
1994 {
1995 gnutls_assert ();
1996 goto fail;
1997 }
1998
1999 bufel = _gnutls_handshake_alloc (session, datalen + extdata.length, datalen + extdata.length);
2000 if (bufel == NULL)
2001 {
2002 gnutls_assert ();
2003 ret = GNUTLS_E_MEMORY_ERROR;
2004 goto fail;
2005 }
2006 data = _mbuffer_get_udata_ptr (bufel);
2007
2008 data[pos++] =
2009 _gnutls_version_get_major (session->security_parameters.version);
2010 data[pos++] =
2011 _gnutls_version_get_minor (session->security_parameters.version);
2012
2013 memcpy (&data[pos],
2014 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
2015 pos += GNUTLS_RANDOM_SIZE;
2016
2017 data[pos++] = session_id_len;
2018 if (session_id_len > 0)
2019 {
2020 memcpy (&data[pos], session->security_parameters.session_id,
2021 session_id_len);
2022 }
2023 pos += session_id_len;
2024
2025 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2026 _gnutls_bin2hex (session->security_parameters.
2027 session_id, session_id_len, buf,
2028 sizeof (buf), NULL));
2029
2030 memcpy (&data[pos],
2031 session->security_parameters.cipher_suite, 2);
2032 pos += 2;
2033
2034 comp = _gnutls_compression_get_num ( session->security_parameters.compression_method);
2035 data[pos++] = comp;
2036
2037 if (extdata.length > 0)
2038 {
2039 memcpy (&data[pos], extdata.data, extdata.length);
2040 }
2041 }
2042
2043 ret =
2044 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
2045
2046 fail:
2047 _gnutls_buffer_clear(&extdata);
2048 return ret;
2049 }
2050
2051 int
2052 _gnutls_send_hello (gnutls_session_t session, int again)
2053 {
2054 int ret;
2055
2056 if (session->security_parameters.entity == GNUTLS_CLIENT)
2057 {
2058 ret = _gnutls_send_client_hello (session, again);
2059
2060 }
2061 else
2062 { /* SERVER */
2063 ret = _gnutls_send_server_hello (session, again);
2064 }
2065
2066 return ret;
2067 }
2068
2069 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2070 * hello message is expected. It uses the security_parameters.cipher_suite
2071 * and internals.compression_method.
2072 */
2073 int
2074 _gnutls_recv_hello (gnutls_session_t session, uint8_t * data, int datalen)
2075 {
2076 int ret;
2077
2078 if (session->security_parameters.entity == GNUTLS_CLIENT)
2079 {
2080 ret = _gnutls_read_server_hello (session, data, datalen);
2081 if (ret < 0)
2082 {
2083 gnutls_assert ();
2084 return ret;
2085 }
2086 }
2087 else
2088 { /* Server side reading a client hello */
2089
2090 ret = _gnutls_read_client_hello (session, data, datalen);
2091 if (ret < 0)
2092 {
2093 gnutls_assert ();
2094 return ret;
2095 }
2096 }
2097
2098 ret = _gnutls_ext_sr_verify (session);
2099 if (ret < 0)
2100 {
2101 gnutls_assert ();
2102 return ret;
2103 }
2104
2105 return 0;
2106 }
2107
2108 static int
2109 _gnutls_recv_hello_verify_request (gnutls_session_t session,
2110 uint8_t * data, int datalen)
2111 {
2112 ssize_t len = datalen;
2113 size_t pos = 0;
2114 uint8_t cookie_len;
2115 unsigned int nb_verifs;
2116
2117 if (!IS_DTLS (session)
2118 || session->security_parameters.entity == GNUTLS_SERVER)
2119 {
2120 gnutls_assert ();
2121 return GNUTLS_E_INTERNAL_ERROR;
2122 }
2123
2124 nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2125 if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS)
2126 {
2127 /* The server is either buggy, malicious or changing cookie
2128 secrets _way_ too fast. */
2129 gnutls_assert ();
2130 return GNUTLS_E_UNEXPECTED_PACKET;
2131 }
2132
2133 /* TODO: determine if we need to do anything with the server version field */
2134 DECR_LEN (len, 2);
2135 pos += 2;
2136
2137 DECR_LEN (len, 1);
2138 cookie_len = data[pos];
2139 pos++;
2140
2141 if (cookie_len > DTLS_MAX_COOKIE_SIZE)
2142 {
2143 gnutls_assert ();
2144 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2145 }
2146
2147 DECR_LEN (len, cookie_len);
2148
2149 session->internals.dtls.cookie_len = cookie_len;
2150 memcpy (session->internals.dtls.cookie, &data[pos], cookie_len);
2151
2152 if (len != 0)
2153 {
2154 gnutls_assert ();
2155 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2156 }
2157
2158 /* reset handshake hash buffers */
2159 _gnutls_handshake_hash_buffer_empty (session);
2160
2161 return 0;
2162 }
2163
2164 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2165 *
2166 * Client Server
2167 *
2168 * ClientHello -------->
2169 * <-------- ServerHello
2170 *
2171 * Certificate*
2172 * ServerKeyExchange*
2173 * <-------- CertificateRequest*
2174 *
2175 * <-------- ServerHelloDone
2176 * Certificate*
2177 * ClientKeyExchange
2178 * CertificateVerify*
2179 * [ChangeCipherSpec]
2180 * Finished -------->
2181 * NewSessionTicket
2182 * [ChangeCipherSpec]
2183 * <-------- Finished
2184 *
2185 * (*): means optional packet.
2186 */
2187
2188 /* Handshake when resumming session:
2189 * Client Server
2190 *
2191 * ClientHello -------->
2192 * ServerHello
2193 * [ChangeCipherSpec]
2194 * <-------- Finished
2195 * [ChangeCipherSpec]
2196 * Finished -------->
2197 *
2198 */
2199
2200 /**
2201 * gnutls_rehandshake:
2202 * @session: is a #gnutls_session_t structure.
2203 *
2204 * This function will renegotiate security parameters with the
2205 * client. This should only be called in case of a server.
2206 *
2207 * This message informs the peer that we want to renegotiate
2208 * parameters (perform a handshake).
2209 *
2210 * If this function succeeds (returns 0), you must call the
2211 * gnutls_handshake() function in order to negotiate the new
2212 * parameters.
2213 *
2214 * Since TLS is full duplex some application data might have been
2215 * sent during peer's processing of this message. In that case
2216 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2217 * is returned to clear any pending data. Care must be taken if
2218 * rehandshake is mandatory to terminate if it does not start after
2219 * some threshold.
2220 *
2221 * If the client does not wish to renegotiate parameters he will
2222 * should with an alert message, thus the return code will be
2223 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2224 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2225 * this message.
2226 *
2227 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2228 **/
2229 int
2230 gnutls_rehandshake (gnutls_session_t session)
2231 {
2232 int ret;
2233
2234 /* only server sends that handshake packet */
2235 if (session->security_parameters.entity == GNUTLS_CLIENT)
2236 return GNUTLS_E_INVALID_REQUEST;
2237
2238 _dtls_async_timer_delete(session);
2239
2240 ret =
2241 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2242 AGAIN (STATE50));
2243 STATE = STATE50;
2244
2245 if (ret < 0)
2246 {
2247 gnutls_assert ();
2248 return ret;
2249 }
2250 STATE = STATE0;
2251
2252 return 0;
2253 }
2254
2255 inline static int
2256 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2257 {
2258 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2259 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2260 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2261 return 0;
2262
2263 /* this doesn't matter */
2264 return GNUTLS_E_INTERNAL_ERROR;
2265 }
2266
2267
2268
2269 static int
2270 _gnutls_send_supplemental (gnutls_session_t session, int again)
2271 {
2272 mbuffer_st *bufel;
2273 int ret = 0;
2274
2275 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2276
2277 if (again)
2278 ret =
2279 _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2280 else
2281 {
2282 gnutls_buffer_st buf;
2283 _gnutls_buffer_init (&buf);
2284
2285 ret = _gnutls_gen_supplemental (session, &buf);
2286 if (ret < 0)
2287 {
2288 gnutls_assert ();
2289 return ret;
2290 }
2291
2292 bufel = _gnutls_handshake_alloc(session, buf.length, buf.length);
2293 if (bufel == NULL)
2294 {
2295 gnutls_assert ();
2296 return GNUTLS_E_MEMORY_ERROR;
2297 }
2298
2299 _mbuffer_set_udata (bufel, buf.data, buf.length);
2300 _gnutls_buffer_clear (&buf);
2301
2302 ret = _gnutls_send_handshake (session, bufel,
2303 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2304 }
2305
2306 return ret;
2307 }
2308
2309 static int
2310 _gnutls_recv_supplemental (gnutls_session_t session)
2311 {
2312 gnutls_buffer_st buf;
2313 int ret;
2314
2315 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2316
2317 ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2318 1, &buf);
2319 if (ret < 0)
2320 {
2321 gnutls_assert ();
2322 return ret;
2323 }
2324
2325 ret = _gnutls_parse_supplemental (session, buf.data, buf.length);
2326 if (ret < 0)
2327 {
2328 gnutls_assert ();
2329 goto cleanup;
2330 }
2331
2332 cleanup:
2333 _gnutls_buffer_clear(&buf);
2334
2335 return ret;
2336 }
2337
2338 /**
2339 * gnutls_handshake:
2340 * @session: is a #gnutls_session_t structure.
2341 *
2342 * This function does the handshake of the TLS/SSL protocol, and
2343 * initializes the TLS connection.
2344 *
2345 * This function will fail if any problem is encountered, and will
2346 * return a negative error code. In case of a client, if the client
2347 * has asked to resume a session, but the server couldn't, then a
2348 * full handshake will be performed.
2349 *
2350 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2351 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2352 * should be resumed later. Call this function again, until it
2353 * returns 0; cf. gnutls_record_get_direction() and
2354 * gnutls_error_is_fatal().
2355 *
2356 * If this function is called by a server after a rehandshake request
2357 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2358 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2359 * are non fatal errors, only in the specific case of a rehandshake.
2360 * Their meaning is that the client rejected the rehandshake request or
2361 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2362 * some data were pending.
2363 *
2364 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2365 **/
2366 int
2367 gnutls_handshake (gnutls_session_t session)
2368 {
2369 int ret;
2370 record_parameters_st *params;
2371
2372 /* sanity check. Verify that there are priorities setup.
2373 */
2374 if (session->internals.priorities.protocol.algorithms == 0)
2375 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2376
2377 if (session->internals.handshake_timeout_ms &&
2378 session->internals.handshake_endtime == 0)
2379 session->internals.handshake_endtime = gnutls_time(0) +
2380 session->internals.handshake_timeout_ms / 1000;
2381
2382 ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
2383 &params);
2384 if (ret < 0)
2385 {
2386 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2387 ret =
2388 _gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
2389 NULL);
2390 if (ret < 0)
2391 return gnutls_assert_val(ret);
2392 }
2393
2394 if (session->security_parameters.entity == GNUTLS_CLIENT)
2395 {
2396 do
2397 {
2398 ret = _gnutls_handshake_client (session);
2399 } while (ret == 1);
2400 }
2401 else
2402 {
2403 ret = _gnutls_handshake_server (session);
2404 }
2405 if (ret < 0)
2406 {
2407 /* In the case of a rehandshake abort
2408 * we should reset the handshake's internal state.
2409 */
2410 if (_gnutls_abort_handshake (session, ret) == 0)
2411 STATE = STATE0;
2412
2413 return ret;
2414 }
2415
2416 /* clear handshake buffer */
2417 _gnutls_handshake_hash_buffers_clear (session);
2418
2419 if (IS_DTLS(session)==0)
2420 {
2421 _gnutls_handshake_io_buffer_clear (session);
2422 }
2423 else
2424 {
2425 _dtls_async_timer_init(session);
2426 }
2427
2428 _gnutls_handshake_internal_state_clear (session);
2429
2430 session->security_parameters.epoch_next++;
2431
2432 return 0;
2433 }
2434
2435 /**
2436 * gnutls_handshake_set_timeout:
2437 * @session: is a #gnutls_session_t structure.
2438 * @ms: is a timeout value in milliseconds
2439 *
2440 * This function sets the timeout for the handshake process
2441 * to the provided value. Use an @ms value of zero to disable
2442 * timeout.
2443 *
2444 * Note that in order for the timeout to be enforced
2445 * gnutls_transport_set_pull_timeout_function() must be set.
2446 *
2447 **/
2448 void
2449 gnutls_handshake_set_timeout (gnutls_session_t session, unsigned int ms)
2450 {
2451 if (ms == GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT)
2452 ms = 40*1000;
2453 session->internals.handshake_timeout_ms = ms;
2454 }
2455
2456
2457 #define IMED_RET( str, ret, allow_alert) do { \
2458 if (ret < 0) { \
2459 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2460 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2461 return ret; \
2462 /* a warning alert might interrupt handshake */ \
2463 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2464 gnutls_assert(); \
2465 ERR( str, ret); \
2466 _gnutls_handshake_hash_buffers_clear(session); \
2467 return ret; \
2468 } } while (0)
2469
2470
2471 /* Runs the certificate verification callback.
2472 * side is either GNUTLS_CLIENT or GNUTLS_SERVER.
2473 */
2474 static int run_verify_callback(gnutls_session_t session, unsigned int side)
2475 {
2476 gnutls_certificate_credentials_t cred;
2477 int ret, type;
2478
2479 cred =
2480 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
2481 GNUTLS_CRD_CERTIFICATE,
2482 NULL);
2483
2484 if (side == GNUTLS_CLIENT)
2485 type = gnutls_auth_server_get_type(session);
2486 else
2487 type = gnutls_auth_client_get_type(session);
2488
2489 if (type != GNUTLS_CRD_CERTIFICATE)
2490 return 0;
2491
2492 if (cred != NULL && cred->verify_callback != NULL)
2493 {
2494 ret = cred->verify_callback (session);
2495 if (ret != 0)
2496 return GNUTLS_E_CERTIFICATE_ERROR;
2497 }
2498
2499 return 0;
2500 }
2501
2502 /*
2503 * _gnutls_handshake_client
2504 * This function performs the client side of the handshake of the TLS/SSL protocol.
2505 */
2506 static int
2507 _gnutls_handshake_client (gnutls_session_t session)
2508 {
2509 int ret = 0;
2510
2511 #ifdef HANDSHAKE_DEBUG
2512 char buf[64];
2513
2514 if (session->internals.resumed_security_parameters.session_id_size > 0)
2515 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2516 _gnutls_bin2hex (session->
2517 internals.resumed_security_parameters.session_id,
2518 session->
2519 internals.resumed_security_parameters.session_id_size,
2520 buf, sizeof (buf), NULL));
2521 #endif
2522
2523 switch (STATE)
2524 {
2525 case STATE0:
2526 case STATE1:
2527 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2528 STATE = STATE1;
2529 IMED_RET ("send hello", ret, 1);
2530
2531 case STATE2:
2532 if (IS_DTLS (session))
2533 {
2534 ret =
2535 _gnutls_recv_handshake (session,
2536 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2537 1, NULL);
2538 STATE = STATE2;
2539 IMED_RET ("recv hello verify", ret, 1);
2540
2541 if (ret == 1)
2542 {
2543 STATE = STATE0;
2544 return 1;
2545 }
2546 }
2547 case STATE3:
2548 /* receive the server hello */
2549 ret =
2550 _gnutls_recv_handshake (session,
2551 GNUTLS_HANDSHAKE_SERVER_HELLO,
2552 0, NULL);
2553 STATE = STATE3;
2554 IMED_RET ("recv hello", ret, 1);
2555
2556 case STATE4:
2557 if (session->security_parameters.do_recv_supplemental)
2558 {
2559 ret = _gnutls_recv_supplemental (session);
2560 STATE = STATE4;
2561 IMED_RET ("recv supplemental", ret, 1);
2562 }
2563
2564 case STATE5:
2565 /* RECV CERTIFICATE */
2566 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2567 ret = _gnutls_recv_server_certificate (session);
2568 STATE = STATE5;
2569 IMED_RET ("recv server certificate", ret, 1);
2570
2571 case STATE6:
2572 /* RECV CERTIFICATE STATUS */
2573 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2574 ret = _gnutls_recv_server_certificate_status (session);
2575 STATE = STATE6;
2576 IMED_RET ("recv server certificate", ret, 1);
2577
2578 case STATE7:
2579 ret = run_verify_callback(session, GNUTLS_CLIENT);
2580 STATE = STATE7;
2581 if (ret < 0)
2582 return gnutls_assert_val(ret);
2583 case STATE8:
2584 /* receive the server key exchange */
2585 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2586 ret = _gnutls_recv_server_kx_message (session);
2587 STATE = STATE8;
2588 IMED_RET ("recv server kx message", ret, 1);
2589
2590 case STATE9:
2591 /* receive the server certificate request - if any
2592 */
2593
2594 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2595 ret = _gnutls_recv_server_crt_request (session);
2596 STATE = STATE9;
2597 IMED_RET ("recv server certificate request message", ret, 1);
2598
2599 case STATE10:
2600 /* receive the server hello done */
2601 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2602 ret =
2603 _gnutls_recv_handshake (session,
2604 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2605 0, NULL);
2606 STATE = STATE10;
2607 IMED_RET ("recv server hello done", ret, 1);
2608
2609 case STATE11:
2610 if (session->security_parameters.do_send_supplemental)
2611 {
2612 ret = _gnutls_send_supplemental (session, AGAIN (STATE11));
2613 STATE = STATE11;
2614 IMED_RET ("send supplemental", ret, 0);
2615 }
2616
2617 case STATE12:
2618 /* send our certificate - if any and if requested
2619 */
2620 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2621 ret = _gnutls_send_client_certificate (session, AGAIN (STATE12));
2622 STATE = STATE12;
2623 IMED_RET ("send client certificate", ret, 0);
2624
2625 case STATE13:
2626 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2627 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE13));
2628 STATE = STATE13;
2629 IMED_RET ("send client kx", ret, 0);
2630
2631 case STATE14:
2632 /* send client certificate verify */
2633 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2634 ret =
2635 _gnutls_send_client_certificate_verify (session, AGAIN (STATE14));
2636 STATE = STATE14;
2637 IMED_RET ("send client certificate verify", ret, 1);
2638
2639 case STATE15:
2640 STATE = STATE15;
2641 if (session->internals.resumed == RESUME_FALSE)
2642 {
2643 ret = _gnutls_send_handshake_final (session, TRUE);
2644 IMED_RET ("send handshake final 2", ret, 1);
2645 }
2646 else
2647 {
2648 ret = _gnutls_recv_handshake_final (session, TRUE);
2649 IMED_RET ("recv handshake final", ret, 1);
2650 }
2651
2652 case STATE16:
2653 ret = _gnutls_recv_new_session_ticket (session);
2654 STATE = STATE16;
2655 IMED_RET ("recv handshake new session ticket", ret, 1);
2656
2657 case STATE17:
2658 STATE = STATE17;
2659 if (session->internals.resumed == RESUME_FALSE)
2660 {
2661 ret = _gnutls_recv_handshake_final (session, FALSE);
2662 IMED_RET ("recv handshake final 2", ret, 1);
2663 }
2664 else
2665 {
2666 ret = _gnutls_send_handshake_final (session, FALSE);
2667 IMED_RET ("send handshake final", ret, 1);
2668 }
2669
2670 STATE = STATE0;
2671 default:
2672 break;
2673 }
2674
2675 return 0;
2676 }
2677
2678
2679
2680 /* This function is to be called if the handshake was successfully
2681 * completed. This sends a Change Cipher Spec packet to the peer.
2682 */
2683 static ssize_t
2684 send_change_cipher_spec (gnutls_session_t session, int again)
2685 {
2686 uint8_t* data;
2687 mbuffer_st * bufel;
2688 int ret;
2689
2690 if (again == 0)
2691 {
2692 bufel = _gnutls_handshake_alloc (session, 1, 1);
2693 if (bufel == NULL)
2694 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2695
2696 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2697 _mbuffer_set_uhead_size(bufel, 3);
2698 else
2699 _mbuffer_set_uhead_size(bufel, 1);
2700 _mbuffer_set_udata_size(bufel, 0);
2701
2702 data = _mbuffer_get_uhead_ptr (bufel);
2703
2704 data[0] = 1;
2705 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2706 {
2707 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq, &data[1]);
2708 session->internals.dtls.hsk_write_seq++;
2709 }
2710
2711 ret = _gnutls_handshake_io_cache_int (session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, bufel);
2712 if (ret < 0)
2713 {
2714 _mbuffer_xfree(&bufel);
2715 return gnutls_assert_val(ret);
2716 }
2717
2718 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session);
2719 }
2720
2721 return 0;
2722 }
2723
2724 /* This function sends the final handshake packets and initializes connection
2725 */
2726 static int
2727 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2728 {
2729 int ret = 0;
2730
2731 /* Send the CHANGE CIPHER SPEC PACKET */
2732
2733 switch (FINAL_STATE)
2734 {
2735 case STATE0:
2736 case STATE1:
2737 ret = send_change_cipher_spec (session, FAGAIN (STATE1));
2738 FINAL_STATE = STATE0;
2739
2740 if (ret < 0)
2741 {
2742 ERR ("send ChangeCipherSpec", ret);
2743 gnutls_assert ();
2744 return ret;
2745 }
2746 /* Initialize the connection session (start encryption) - in case of client
2747 */
2748 if (init == TRUE)
2749 {
2750 ret = _gnutls_connection_state_init (session);
2751 if (ret < 0)
2752 {
2753 gnutls_assert ();
2754 return ret;
2755 }
2756 }
2757
2758 ret = _gnutls_write_connection_state_init (session);
2759 if (ret < 0)
2760 {
2761 gnutls_assert ();
2762 return ret;
2763 }
2764
2765 case STATE2:
2766 /* send the finished message */
2767 ret = _gnutls_send_finished (session, FAGAIN (STATE2));
2768 FINAL_STATE = STATE2;
2769 if (ret < 0)
2770 {
2771 ERR ("send Finished", ret);
2772 gnutls_assert ();
2773 return ret;
2774 }
2775
2776 FINAL_STATE = STATE0;
2777 default:
2778 break;
2779 }
2780
2781 return 0;
2782 }
2783
2784 /* This function receives the final handshake packets
2785 * And executes the appropriate function to initialize the
2786 * read session.
2787 */
2788 static int
2789 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2790 {
2791 int ret = 0;
2792 uint8_t ch;
2793 unsigned int ccs_len = 1;
2794 unsigned int tleft;
2795
2796 ret = handshake_remaining_time(session);
2797 if (ret < 0)
2798 return gnutls_assert_val(ret);
2799 tleft = ret;
2800
2801 switch (FINAL_STATE)
2802 {
2803 case STATE0:
2804 case STATE30:
2805 FINAL_STATE = STATE30;
2806
2807 /* This is the last flight and peer cannot be sure
2808 * we have received it unless we notify him. So we
2809 * wait for a message and retransmit if needed. */
2810 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2811 (gnutls_record_check_pending (session) +
2812 record_check_unprocessed (session)) == 0)
2813 {
2814 ret = _dtls_wait_and_retransmit(session);
2815 if (ret < 0)
2816 return gnutls_assert_val(ret);
2817 }
2818
2819 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2820 ccs_len = 3;
2821
2822 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, ccs_len, NULL,
2823 tleft);
2824 if (ret <= 0)
2825 {
2826 ERR ("recv ChangeCipherSpec", ret);
2827 gnutls_assert ();
2828 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2829 }
2830
2831 if (gnutls_protocol_get_version (session) == GNUTLS_DTLS0_9)
2832 session->internals.dtls.hsk_read_seq++;
2833
2834 /* Initialize the connection session (start encryption) - in case of server */
2835 if (init == TRUE)
2836 {
2837 ret = _gnutls_connection_state_init (session);
2838 if (ret < 0)
2839 {
2840 gnutls_assert ();
2841 return ret;
2842 }
2843 }
2844
2845 ret = _gnutls_read_connection_state_init (session);
2846 if (ret < 0)
2847 {
2848 gnutls_assert ();
2849 return ret;
2850 }
2851
2852 case STATE31:
2853 FINAL_STATE = STATE31;
2854
2855 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2856 (gnutls_record_check_pending( session) +
2857 record_check_unprocessed (session)) == 0)
2858 {
2859 ret = _dtls_wait_and_retransmit(session);
2860 if (ret < 0)
2861 return gnutls_assert_val(ret);
2862 }
2863
2864 ret = _gnutls_recv_finished (session);
2865 if (ret < 0)
2866 {
2867 ERR ("recv finished", ret);
2868 gnutls_assert ();
2869 return ret;
2870 }
2871 FINAL_STATE = STATE0;
2872 default:
2873 break;
2874 }
2875
2876
2877 return 0;
2878 }
2879
2880 /*
2881 * _gnutls_handshake_server
2882 * This function does the server stuff of the handshake protocol.
2883 */
2884 static int
2885 _gnutls_handshake_server (gnutls_session_t session)
2886 {
2887 int ret = 0;
2888
2889 switch (STATE)
2890 {
2891 case STATE0:
2892 case STATE1:
2893 ret =
2894 _gnutls_recv_handshake (session,
2895 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2896 0, NULL);
2897 STATE = STATE1;
2898 IMED_RET ("recv hello", ret, 1);
2899
2900 case STATE2:
2901 ret = _gnutls_send_hello (session, AGAIN (STATE2));
2902 STATE = STATE2;
2903 IMED_RET ("send hello", ret, 1);
2904
2905 case STATE70:
2906 if (session->security_parameters.do_send_supplemental)
2907 {
2908 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
2909 STATE = STATE70;
2910 IMED_RET ("send supplemental data", ret, 0);
2911 }
2912
2913 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2914 case STATE3:
2915 /* NOTE: these should not be send if we are resuming */
2916
2917 if (session->internals.resumed == RESUME_FALSE)
2918 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
2919 STATE = STATE3;
2920 IMED_RET ("send server certificate", ret, 0);
2921
2922 case STATE4:
2923 if (session->internals.resumed == RESUME_FALSE)
2924 ret = _gnutls_send_server_certificate_status (session, AGAIN (STATE4));
2925 STATE = STATE4;
2926 IMED_RET ("send server certificate status", ret, 0);
2927
2928 case STATE5:
2929 /* send server key exchange (A) */
2930 if (session->internals.resumed == RESUME_FALSE)
2931 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE5));
2932 STATE = STATE5;
2933 IMED_RET ("send server kx", ret, 0);
2934
2935 case STATE6:
2936 /* Send certificate request - if requested to */
2937 if (session->internals.resumed == RESUME_FALSE)
2938 ret =
2939 _gnutls_send_server_crt_request (session, AGAIN (STATE6));
2940 STATE = STATE6;
2941 IMED_RET ("send server cert request", ret, 0);
2942
2943 case STATE7:
2944 /* send the server hello done */
2945 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2946 ret =
2947 _gnutls_send_empty_handshake (session,
2948 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2949 AGAIN (STATE7));
2950 STATE = STATE7;
2951 IMED_RET ("send server hello done", ret, 1);
2952
2953 case STATE71:
2954 if (session->security_parameters.do_recv_supplemental)
2955 {
2956 ret = _gnutls_recv_supplemental (session);
2957 STATE = STATE71;
2958 IMED_RET ("recv client supplemental", ret, 1);
2959 }
2960
2961 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2962 case STATE8:
2963 /* receive the client certificate message */
2964 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2965 ret = _gnutls_recv_client_certificate (session);
2966 STATE = STATE8;
2967 IMED_RET ("recv client certificate", ret, 1);
2968
2969 case STATE9:
2970 ret = run_verify_callback(session, GNUTLS_SERVER);
2971 STATE = STATE9;
2972 if (ret < 0)
2973 return gnutls_assert_val(ret);
2974
2975 case STATE10:
2976 /* receive the client key exchange message */
2977 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2978 ret = _gnutls_recv_client_kx_message (session);
2979 STATE = STATE10;
2980 IMED_RET ("recv client kx", ret, 1);
2981
2982 case STATE11:
2983 /* receive the client certificate verify message */
2984 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2985 ret = _gnutls_recv_client_certificate_verify_message (session);
2986 STATE = STATE11;
2987 IMED_RET ("recv client certificate verify", ret, 1);
2988
2989 case STATE12:
2990 STATE = STATE12;
2991 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2992 {
2993 ret = _gnutls_recv_handshake_final (session, TRUE);
2994 IMED_RET ("recv handshake final", ret, 1);
2995 }
2996 else
2997 {
2998 ret = _gnutls_send_handshake_final (session, TRUE);
2999 IMED_RET ("send handshake final 2", ret, 1);
3000 }
3001
3002 case STATE13:
3003 ret = _gnutls_send_new_session_ticket (session, AGAIN (STATE13));
3004 STATE = STATE13;
3005 IMED_RET ("send handshake new session ticket", ret, 0);
3006
3007 case STATE14:
3008 STATE = STATE14;
3009 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3010 {
3011 ret = _gnutls_send_handshake_final (session, FALSE);
3012 IMED_RET ("send handshake final", ret, 1);
3013 }
3014 else
3015 {
3016 ret = _gnutls_recv_handshake_final (session, FALSE);
3017 IMED_RET ("recv handshake final 2", ret, 1);
3018 }
3019
3020 if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.ticket_sent == 0)
3021 {
3022 /* if no ticket, save session data */
3023 _gnutls_server_register_current_session (session);
3024 }
3025
3026 STATE = STATE0;
3027 default:
3028 break;
3029 }
3030
3031 return 0;
3032 }
3033
3034
3035 int
3036 _gnutls_generate_session_id (uint8_t * session_id, uint8_t * len)
3037 {
3038 int ret;
3039
3040 *len = TLS_MAX_SESSION_ID_SIZE;
3041
3042 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
3043 if (ret < 0)
3044 {
3045 gnutls_assert ();
3046 return ret;
3047 }
3048
3049 return 0;
3050 }
3051
3052 int
3053 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
3054 uint32_t data_size)
3055 {
3056 uint8_t type;
3057
3058 if (session->security_parameters.entity == GNUTLS_SERVER)
3059 {
3060 gnutls_assert ();
3061 return GNUTLS_E_UNEXPECTED_PACKET;
3062 }
3063 if (data_size < 1)
3064 {
3065 gnutls_assert ();
3066 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3067 }
3068 type = ((uint8_t *) data)[0];
3069 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
3070 {
3071 if (IS_DTLS(session))
3072 session->internals.dtls.hsk_read_seq++;
3073 return GNUTLS_E_REHANDSHAKE;
3074 }
3075 else
3076 {
3077 gnutls_assert ();
3078 return GNUTLS_E_UNEXPECTED_PACKET;
3079 }
3080 }
3081
3082 /* Returns 1 if the given KX has not the corresponding parameters
3083 * (DH or RSA) set up. Otherwise returns 0.
3084 */
3085 inline static int
3086 check_server_params (gnutls_session_t session,
3087 gnutls_kx_algorithm_t kx,
3088 gnutls_kx_algorithm_t * alg, int alg_size)
3089 {
3090 int cred_type;
3091 gnutls_dh_params_t dh_params = NULL;
3092 gnutls_rsa_params_t rsa_params = NULL;
3093 int j;
3094
3095 cred_type = _gnutls_map_kx_get_cred (kx, 1);
3096
3097 /* Read the Diffie-Hellman parameters, if any.
3098 */
3099 if (cred_type == GNUTLS_CRD_CERTIFICATE)
3100 {
3101 int delete;
3102 gnutls_certificate_credentials_t x509_cred =
3103 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3104 cred_type, NULL);
3105
3106 if (x509_cred != NULL)
3107 {
3108 dh_params =
3109 _gnutls_get_dh_params (x509_cred->dh_params,
3110 x509_cred->params_func, session);
3111 rsa_params =
3112 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
3113 x509_cred->params_func,
3114 session);
3115 }
3116
3117 /* Check also if the certificate supports the
3118 * KX method.
3119 */
3120 delete = 1;
3121 for (j = 0; j < alg_size; j++)
3122 {
3123 if (alg[j] == kx)
3124 {
3125 delete = 0;
3126 break;
3127 }
3128 }
3129
3130 if (delete == 1)
3131 return 1;
3132
3133 #ifdef ENABLE_ANON
3134 }
3135 else if (cred_type == GNUTLS_CRD_ANON)
3136 {
3137 gnutls_anon_server_credentials_t anon_cred =
3138 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
3139 cred_type, NULL);
3140
3141 if (anon_cred != NULL)
3142 {
3143 dh_params =
3144 _gnutls_get_dh_params (anon_cred->dh_params,
3145 anon_cred->params_func, session);
3146 }
3147 #endif
3148 #ifdef ENABLE_PSK
3149 }
3150 else if (cred_type == GNUTLS_CRD_PSK)
3151 {
3152 gnutls_psk_server_credentials_t psk_cred =
3153 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
3154 cred_type, NULL);
3155
3156 if (psk_cred != NULL)
3157 {
3158 dh_params =
3159 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3160 session);
3161 }
3162 #endif
3163 }
3164 else
3165 return 0; /* no need for params */
3166
3167
3168 /* If the key exchange method needs RSA or DH params,
3169 * but they are not set then remove it.
3170 */
3171 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3172 {
3173 /* needs rsa params. */
3174 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3175 {
3176 gnutls_assert ();
3177 return 1;
3178 }
3179 }
3180
3181 if (_gnutls_kx_needs_dh_params (kx) != 0)
3182 {
3183 /* needs DH params. */
3184 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3185 {
3186 gnutls_assert ();
3187 return 1;
3188 }
3189 }
3190
3191 return 0;
3192 }
3193
3194 /* This function will remove algorithms that are not supported by
3195 * the requested authentication method. We remove an algorithm if
3196 * we have a certificate with keyUsage bits set.
3197 *
3198 * This does a more high level check than gnutls_supported_ciphersuites(),
3199 * by checking certificates etc.
3200 */
3201 static int
3202 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3203 uint8_t * cipher_suites,
3204 int cipher_suites_size,
3205 gnutls_pk_algorithm_t *pk_algos,
3206 size_t pk_algos_size)
3207 {
3208
3209 int ret = 0;
3210 int i, new_suites_size;
3211 gnutls_certificate_credentials_t cert_cred;
3212 gnutls_kx_algorithm_t kx;
3213 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3214 gnutls_kx_algorithm_t alg[MAX_ALGOS];
3215 int alg_size = MAX_ALGOS;
3216
3217 /* if we should use a specific certificate,
3218 * we should remove all algorithms that are not supported
3219 * by that certificate and are on the same authentication
3220 * method (CERTIFICATE).
3221 */
3222
3223 cert_cred =
3224 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3225 GNUTLS_CRD_CERTIFICATE,
3226 NULL);
3227
3228 /* If there are certificate credentials, find an appropriate certificate
3229 * or disable them;
3230 */
3231 if (session->security_parameters.entity == GNUTLS_SERVER
3232 && cert_cred != NULL && pk_algos_size > 0)
3233 {
3234 ret = _gnutls_server_select_cert (session, pk_algos, pk_algos_size);
3235 if (ret < 0)
3236 {
3237 gnutls_assert ();
3238 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3239 gnutls_strerror (ret));
3240 }
3241 }
3242
3243 /* get all the key exchange algorithms that are
3244 * supported by the X509 certificate parameters.
3245 */
3246 if ((ret =
3247 _gnutls_selected_cert_supported_kx (session, alg, &alg_size)) < 0)
3248 {
3249 gnutls_assert ();
3250 return ret;
3251 }
3252
3253 new_suites_size = 0;
3254
3255 /* now removes ciphersuites based on the KX algorithm
3256 */
3257 for (i = 0; i < cipher_suites_size; i+=2)
3258 {
3259 int delete = 0;
3260
3261 /* finds the key exchange algorithm in
3262 * the ciphersuite
3263 */
3264 kx = _gnutls_cipher_suite_get_kx_algo (&cipher_suites[i]);
3265
3266 /* if it is defined but had no credentials
3267 */
3268 if (!session->internals.premaster_set &&
3269 _gnutls_get_kx_cred (session, kx, NULL) == NULL)
3270 {
3271 delete = 1;
3272 }
3273 else
3274 {
3275 delete = 0;
3276
3277 if (server)
3278 delete = check_server_params (session, kx, alg, alg_size);
3279 }
3280
3281 /* If we have not agreed to a common curve with the peer don't bother
3282 * negotiating ECDH.
3283 */
3284 if (server != 0 && _gnutls_kx_is_ecc(kx))
3285 {
3286 if (_gnutls_session_ecc_curve_get(session) == GNUTLS_ECC_CURVE_INVALID)
3287 {
3288 delete = 1;
3289 }
3290 }
3291
3292 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3293 (see cred_mappings in gnutls_algorithms.c), but it also
3294 requires a SRP credential. Don't use SRP kx unless we have a
3295 SRP credential too. */
3296 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3297 {
3298 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
3299 {
3300 delete = 1;
3301 }
3302 }
3303
3304 if (delete == 0)
3305 {
3306
3307 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
3308 session,
3309 _gnutls_cipher_suite_get_name (&cipher_suites[i]),
3310 cipher_suites[i], cipher_suites[i+1]);
3311
3312 if (i != new_suites_size)
3313 memmove( &cipher_suites[new_suites_size], &cipher_suites[i], 2);
3314 new_suites_size+=2;
3315 }
3316 else
3317 {
3318 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3319 session,
3320 _gnutls_cipher_suite_get_name (&cipher_suites[i]));
3321
3322 }
3323 }
3324
3325 ret = new_suites_size;
3326
3327 return ret;
3328
3329 }
3330
3331 /**
3332 * gnutls_handshake_set_max_packet_length:
3333 * @session: is a #gnutls_session_t structure.
3334 * @max: is the maximum number.
3335 *
3336 * This function will set the maximum size of all handshake messages.
3337 * Handshakes over this size are rejected with
3338 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3339 * 48kb which is typically large enough. Set this to 0 if you do not
3340 * want to set an upper limit.
3341 *
3342 * The reason for restricting the handshake message sizes are to
3343 * limit Denial of Service attacks.
3344 **/
3345 void
3346 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3347 {
3348 session->internals.max_handshake_data_buffer_size = max;
3349 }
3350
3351 void
3352 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3353 {
3354 set_adv_version (session, _gnutls_version_get_major (ver),
3355 _gnutls_version_get_minor (ver));
3356 }
3357
3358 gnutls_protocol_t
3359 _gnutls_get_adv_version (gnutls_session_t session)
3360 {
3361 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3362 _gnutls_get_adv_version_minor (session));
3363 }
3364
3365 /**
3366 * gnutls_handshake_get_last_in:
3367 * @session: is a #gnutls_session_t structure.
3368 *
3369 * This function is only useful to check where the last performed
3370 * handshake failed. If the previous handshake succeed or was not
3371 * performed at all then no meaningful value will be returned.
3372 *
3373 * Check %gnutls_handshake_description_t in gnutls.h for the
3374 * available handshake descriptions.
3375 *
3376 * Returns: the last handshake message type received, a
3377 * %gnutls_handshake_description_t.
3378 **/
3379 gnutls_handshake_description_t
3380 gnutls_handshake_get_last_in (gnutls_session_t session)
3381 {
3382 return session->internals.last_handshake_in;
3383 }
3384
3385 /**
3386 * gnutls_handshake_get_last_out:
3387 * @session: is a #gnutls_session_t structure.
3388 *
3389 * This function is only useful to check where the last performed
3390 * handshake failed. If the previous handshake succeed or was not
3391 * performed at all then no meaningful value will be returned.
3392 *
3393 * Check %gnutls_handshake_description_t in gnutls.h for the
3394 * available handshake descriptions.
3395 *
3396 * Returns: the last handshake message type sent, a
3397 * %gnutls_handshake_description_t.
3398 **/
3399 gnutls_handshake_description_t
3400 gnutls_handshake_get_last_out (gnutls_session_t session)
3401 {
3402 return session->internals.last_handshake_out;
3403 }
Implementation of the SSL/TLS protocol