search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
safe renegotiation tests only run under valgrind in the devel environment.
[gnutls.git] / lib / gnutls_state.c
blobc8773c466f5e7727b73fc5750270379dede54d70
1 /*
2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
24 * are included here. The file's name is traditionally gnutls_state even if the
25 * state has been renamed to session.
26 */
27
28 #include <gnutls_int.h>
29 #include <gnutls_errors.h>
30 #include <gnutls_auth.h>
31 #include <gnutls_num.h>
32 #include <gnutls_datum.h>
33 #include <gnutls_db.h>
34 #include <gnutls_record.h>
35 #include <gnutls_handshake.h>
36 #include <gnutls_dh.h>
37 #include <gnutls_buffers.h>
38 #include <gnutls_mbuffers.h>
39 #include <gnutls_state.h>
40 #include <gnutls_constate.h>
41 #include <auth/cert.h>
42 #include <auth/anon.h>
43 #include <auth/psk.h>
44 #include <algorithms.h>
45 #include <gnutls_rsa_export.h>
46 #include <gnutls_extensions.h>
47 #include <system.h>
48 #include <gnutls/dtls.h>
49 #include <timespec.h>
50
51 /* These should really be static, but src/tests.c calls them. Make
52 them public functions? */
53 void
54 _gnutls_rsa_pms_set_version (gnutls_session_t session,
55 unsigned char major, unsigned char minor);
56
57 void
58 _gnutls_session_cert_type_set (gnutls_session_t session,
59 gnutls_certificate_type_t ct)
60 {
61 _gnutls_handshake_log("HSK[%p]: Selected certificate type %s (%d)\n", session,
62 gnutls_certificate_type_get_name(ct), ct);
63 session->security_parameters.cert_type = ct;
64 }
65
66 void
67 _gnutls_session_ecc_curve_set (gnutls_session_t session,
68 gnutls_ecc_curve_t c)
69 {
70 _gnutls_handshake_log("HSK[%p]: Selected ECC curve (%d)\n", session, c);
71 session->security_parameters.ecc_curve = c;
72 }
73
74 /**
75 * gnutls_cipher_get:
76 * @session: is a #gnutls_session_t structure.
77 *
78 * Get currently used cipher.
79 *
80 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
81 * type.
82 **/
83 gnutls_cipher_algorithm_t
84 gnutls_cipher_get (gnutls_session_t session)
85 {
86 record_parameters_st *record_params;
87 int ret;
88
89 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
90 if (ret < 0)
91 return gnutls_assert_val(GNUTLS_CIPHER_NULL);
92
93 return record_params->cipher_algorithm;
94 }
95
96 /**
97 * gnutls_certificate_type_get:
98 * @session: is a #gnutls_session_t structure.
99 *
100 * The certificate type is by default X.509, unless it is negotiated
101 * as a TLS extension.
102 *
103 * Returns: the currently used #gnutls_certificate_type_t certificate
104 * type.
105 **/
106 gnutls_certificate_type_t
107 gnutls_certificate_type_get (gnutls_session_t session)
108 {
109 return session->security_parameters.cert_type;
110 }
111
112 /**
113 * gnutls_kx_get:
114 * @session: is a #gnutls_session_t structure.
115 *
116 * Get currently used key exchange algorithm.
117 *
118 * Returns: the key exchange algorithm used in the last handshake, a
119 * #gnutls_kx_algorithm_t value.
120 **/
121 gnutls_kx_algorithm_t
122 gnutls_kx_get (gnutls_session_t session)
123 {
124 return session->security_parameters.kx_algorithm;
125 }
126
127 /**
128 * gnutls_mac_get:
129 * @session: is a #gnutls_session_t structure.
130 *
131 * Get currently used MAC algorithm.
132 *
133 * Returns: the currently used mac algorithm, a
134 * #gnutls_mac_algorithm_t value.
135 **/
136 gnutls_mac_algorithm_t
137 gnutls_mac_get (gnutls_session_t session)
138 {
139 record_parameters_st *record_params;
140 int ret;
141
142 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
143 if (ret < 0)
144 return gnutls_assert_val(GNUTLS_MAC_NULL);
145
146 return record_params->mac_algorithm;
147 }
148
149 /**
150 * gnutls_compression_get:
151 * @session: is a #gnutls_session_t structure.
152 *
153 * Get currently used compression algorithm.
154 *
155 * Returns: the currently used compression method, a
156 * #gnutls_compression_method_t value.
157 **/
158 gnutls_compression_method_t
159 gnutls_compression_get (gnutls_session_t session)
160 {
161 record_parameters_st *record_params;
162 int ret;
163
164 ret = _gnutls_epoch_get (session, EPOCH_READ_CURRENT, &record_params);
165 if (ret < 0)
166 return gnutls_assert_val(GNUTLS_COMP_NULL);
167
168 return record_params->compression_algorithm;
169 }
170
171 /* Check if the given certificate type is supported.
172 * This means that it is enabled by the priority functions,
173 * and a matching certificate exists.
174 */
175 int
176 _gnutls_session_cert_type_supported (gnutls_session_t session,
177 gnutls_certificate_type_t cert_type)
178 {
179 unsigned i;
180 unsigned cert_found = 0;
181 gnutls_certificate_credentials_t cred;
182
183 if (session->security_parameters.entity == GNUTLS_SERVER)
184 {
185 cred = (gnutls_certificate_credentials_t)
186 _gnutls_get_cred (session->key, GNUTLS_CRD_CERTIFICATE, NULL);
187
188 if (cred == NULL)
189 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
190
191 if (cred->server_get_cert_callback == NULL
192 && cred->get_cert_callback == NULL)
193 {
194 for (i = 0; i < cred->ncerts; i++)
195 {
196 if (cred->certs[i].cert_list[0].type == cert_type)
197 {
198 cert_found = 1;
199 break;
200 }
201 }
202
203 if (cert_found == 0)
204 /* no certificate is of that type.
205 */
206 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
207 }
208 }
209
210 if (session->internals.priorities.cert_type.algorithms == 0
211 && cert_type == DEFAULT_CERT_TYPE)
212 return 0;
213
214 for (i = 0; i < session->internals.priorities.cert_type.algorithms; i++)
215 {
216 if (session->internals.priorities.cert_type.priority[i] == cert_type)
217 {
218 return 0; /* ok */
219 }
220 }
221
222 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE;
223 }
224
225
226 /* this function deinitializes all the internal parameters stored
227 * in a session struct.
228 */
229 inline static void
230 deinit_internal_params (gnutls_session_t session)
231 {
232 if (session->internals.params.free_dh_params)
233 gnutls_dh_params_deinit (session->internals.params.dh_params);
234
235 if (session->internals.params.free_rsa_params)
236 gnutls_rsa_params_deinit (session->internals.params.rsa_params);
237
238 _gnutls_handshake_hash_buffers_clear (session);
239
240 memset (&session->internals.params, 0, sizeof (session->internals.params));
241 }
242
243 /* This function will clear all the variables in internals
244 * structure within the session, which depend on the current handshake.
245 * This is used to allow further handshakes.
246 */
247 static void
248 _gnutls_handshake_internal_state_init (gnutls_session_t session)
249 {
250 session->internals.extensions_sent_size = 0;
251
252 /* by default no selected certificate */
253 session->internals.adv_version_major = 0;
254 session->internals.adv_version_minor = 0;
255 session->internals.direction = 0;
256
257 /* use out of band data for the last
258 * handshake messages received.
259 */
260 session->internals.last_handshake_in = -1;
261 session->internals.last_handshake_out = -1;
262
263 session->internals.resumable = RESUME_TRUE;
264
265 session->internals.dtls.hsk_read_seq = 0;
266 session->internals.dtls.hsk_write_seq = 0;
267 gettime(&session->internals.dtls.handshake_start_time);
268 }
269
270 void
271 _gnutls_handshake_internal_state_clear (gnutls_session_t session)
272 {
273 _gnutls_handshake_internal_state_init (session);
274
275 deinit_internal_params (session);
276
277 _gnutls_epoch_gc(session);
278 }
279
280 #define MIN_DH_BITS 727
281 /**
282 * gnutls_init:
283 * @session: is a pointer to a #gnutls_session_t structure.
284 * @flags: indicate if this session is to be used for server or client.
285 *
286 * This function initializes the current session to null. Every
287 * session must be initialized before use, so internal structures can
288 * be allocated. This function allocates structures which can only
289 * be free'd by calling gnutls_deinit(). Returns %GNUTLS_E_SUCCESS (0) on success.
290 *
291 * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
292 * entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
293 * also available. The latter flag will enable a non-blocking
294 * operation of the DTLS timers.
295 *
296 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
297 **/
298 int
299 gnutls_init (gnutls_session_t * session, unsigned int flags)
300 {
301 int ret;
302 record_parameters_st *epoch;
303
304 *session = gnutls_calloc (1, sizeof (struct gnutls_session_int));
305 if (*session == NULL)
306 return GNUTLS_E_MEMORY_ERROR;
307
308 ret = _gnutls_epoch_alloc (*session, 0, &epoch);
309 if (ret < 0)
310 {
311 gnutls_assert ();
312 return GNUTLS_E_MEMORY_ERROR;
313 }
314
315 /* Set all NULL algos on epoch 0 */
316 _gnutls_epoch_set_null_algos (*session, epoch);
317
318 (*session)->security_parameters.epoch_next = 1;
319
320 (*session)->security_parameters.entity = (flags&GNUTLS_SERVER?GNUTLS_SERVER:GNUTLS_CLIENT);
321
322 /* the default certificate type for TLS */
323 (*session)->security_parameters.cert_type = DEFAULT_CERT_TYPE;
324
325 /* Initialize buffers */
326 _gnutls_buffer_init (&(*session)->internals.handshake_hash_buffer);
327
328 _mbuffer_head_init (&(*session)->internals.record_buffer);
329 _mbuffer_head_init (&(*session)->internals.record_send_buffer);
330 _mbuffer_head_init (&(*session)->internals.record_recv_buffer);
331
332 _mbuffer_head_init (&(*session)->internals.handshake_send_buffer);
333 _gnutls_handshake_recv_buffer_init(*session);
334
335 (*session)->key = gnutls_calloc (1, sizeof (struct gnutls_key_st));
336 if ((*session)->key == NULL)
337 {
338 gnutls_free (*session);
339 *session = NULL;
340 return GNUTLS_E_MEMORY_ERROR;
341 }
342
343 (*session)->internals.expire_time = DEFAULT_EXPIRE_TIME; /* one hour default */
344
345 gnutls_dh_set_prime_bits ((*session), MIN_DH_BITS);
346
347 gnutls_handshake_set_max_packet_length ((*session),
348 MAX_HANDSHAKE_PACKET_SIZE);
349
350 /* set the socket pointers to -1;
351 */
352 (*session)->internals.transport_recv_ptr = (gnutls_transport_ptr_t) - 1;
353 (*session)->internals.transport_send_ptr = (gnutls_transport_ptr_t) - 1;
354
355 /* set the default maximum record size for TLS
356 */
357 (*session)->security_parameters.max_record_recv_size =
358 DEFAULT_MAX_RECORD_SIZE;
359 (*session)->security_parameters.max_record_send_size =
360 DEFAULT_MAX_RECORD_SIZE;
361
362 /* everything else not initialized here is initialized
363 * as NULL or 0. This is why calloc is used.
364 */
365
366 _gnutls_handshake_internal_state_init (*session);
367
368 /* emulate old gnutls behavior for old applications that do not use the priority_*
369 * functions.
370 */
371 (*session)->internals.priorities.sr = SR_PARTIAL;
372
373 #ifdef HAVE_WRITEV
374 gnutls_transport_set_vec_push_function (*session, system_writev);
375 #else
376 gnutls_transport_set_push_function (*session, system_write);
377 #endif
378 gnutls_transport_set_pull_function (*session, system_read);
379 gnutls_transport_set_errno_function (*session, system_errno);
380 gnutls_transport_set_pull_timeout_function (*session, system_recv_timeout);
381
382 if (flags & GNUTLS_DATAGRAM)
383 {
384 (*session)->internals.dtls.mtu = DTLS_DEFAULT_MTU;
385 (*session)->internals.transport = GNUTLS_DGRAM;
386
387 (*session)->internals.dtls.retrans_timeout_ms = 1000;
388 (*session)->internals.dtls.total_timeout_ms = 60000;
389 }
390 else
391 (*session)->internals.transport = GNUTLS_STREAM;
392
393 if (flags & GNUTLS_NONBLOCK)
394 (*session)->internals.dtls.blocking = 0;
395 else
396 (*session)->internals.dtls.blocking = 1;
397
398 return 0;
399 }
400
401 /* returns RESUME_FALSE or RESUME_TRUE.
402 */
403 int
404 _gnutls_session_is_resumable (gnutls_session_t session)
405 {
406 return session->internals.resumable;
407 }
408
409
410 /**
411 * gnutls_deinit:
412 * @session: is a #gnutls_session_t structure.
413 *
414 * This function clears all buffers associated with the @session.
415 * This function will also remove session data from the session
416 * database if the session was terminated abnormally.
417 **/
418 void
419 gnutls_deinit (gnutls_session_t session)
420 {
421 unsigned int i;
422
423 if (session == NULL)
424 return;
425
426 /* remove auth info firstly */
427 _gnutls_free_auth_info (session);
428
429 _gnutls_handshake_internal_state_clear (session);
430 _gnutls_handshake_io_buffer_clear (session);
431 _gnutls_ext_free_session_data (session);
432
433 for (i = 0; i < MAX_EPOCH_INDEX; i++)
434 if (session->record_parameters[i] != NULL)
435 {
436 _gnutls_epoch_free (session, session->record_parameters[i]);
437 session->record_parameters[i] = NULL;
438 }
439
440 _gnutls_buffer_clear (&session->internals.handshake_hash_buffer);
441 _mbuffer_head_clear (&session->internals.record_buffer);
442 _mbuffer_head_clear (&session->internals.record_recv_buffer);
443 _mbuffer_head_clear (&session->internals.record_send_buffer);
444
445 gnutls_credentials_clear (session);
446 _gnutls_selected_certs_deinit (session);
447
448 if (session->key != NULL)
449 {
450 gnutls_pk_params_release(&session->key->ecdh_params);
451 _gnutls_mpi_release (&session->key->ecdh_x);
452 _gnutls_mpi_release (&session->key->ecdh_y);
453
454 _gnutls_mpi_release (&session->key->KEY);
455 _gnutls_mpi_release (&session->key->client_Y);
456 _gnutls_mpi_release (&session->key->client_p);
457 _gnutls_mpi_release (&session->key->client_g);
458
459 _gnutls_mpi_release (&session->key->u);
460 _gnutls_mpi_release (&session->key->a);
461 _gnutls_mpi_release (&session->key->x);
462 _gnutls_mpi_release (&session->key->A);
463 _gnutls_mpi_release (&session->key->B);
464 _gnutls_mpi_release (&session->key->b);
465
466 /* RSA */
467 _gnutls_mpi_release (&session->key->rsa[0]);
468 _gnutls_mpi_release (&session->key->rsa[1]);
469
470 _gnutls_mpi_release (&session->key->dh_secret);
471 gnutls_free (session->key);
472
473 session->key = NULL;
474 }
475
476 memset (session, 0, sizeof (struct gnutls_session_int));
477 gnutls_free (session);
478 }
479
480 /* Returns the minimum prime bits that are acceptable.
481 */
482 int
483 _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session)
484 {
485 return session->internals.dh_prime_bits;
486 }
487
488 int
489 _gnutls_dh_set_peer_public (gnutls_session_t session, bigint_t public)
490 {
491 dh_info_st *dh;
492 int ret;
493
494 switch (gnutls_auth_get_type (session))
495 {
496 case GNUTLS_CRD_ANON:
497 {
498 anon_auth_info_t info;
499 info = _gnutls_get_auth_info (session);
500 if (info == NULL)
501 return GNUTLS_E_INTERNAL_ERROR;
502
503 dh = &info->dh;
504 break;
505 }
506 case GNUTLS_CRD_PSK:
507 {
508 psk_auth_info_t info;
509 info = _gnutls_get_auth_info (session);
510 if (info == NULL)
511 return GNUTLS_E_INTERNAL_ERROR;
512
513 dh = &info->dh;
514 break;
515 }
516 case GNUTLS_CRD_CERTIFICATE:
517 {
518 cert_auth_info_t info;
519
520 info = _gnutls_get_auth_info (session);
521 if (info == NULL)
522 return GNUTLS_E_INTERNAL_ERROR;
523
524 dh = &info->dh;
525 break;
526 }
527 default:
528 gnutls_assert ();
529 return GNUTLS_E_INTERNAL_ERROR;
530 }
531
532 if (dh->public_key.data)
533 _gnutls_free_datum (&dh->public_key);
534
535 ret = _gnutls_mpi_dprint_lz (public, &dh->public_key);
536 if (ret < 0)
537 {
538 gnutls_assert ();
539 return ret;
540 }
541
542 return 0;
543 }
544
545 int
546 _gnutls_dh_set_secret_bits (gnutls_session_t session, unsigned bits)
547 {
548 switch (gnutls_auth_get_type (session))
549 {
550 case GNUTLS_CRD_ANON:
551 {
552 anon_auth_info_t info;
553 info = _gnutls_get_auth_info (session);
554 if (info == NULL)
555 return GNUTLS_E_INTERNAL_ERROR;
556 info->dh.secret_bits = bits;
557 break;
558 }
559 case GNUTLS_CRD_PSK:
560 {
561 psk_auth_info_t info;
562 info = _gnutls_get_auth_info (session);
563 if (info == NULL)
564 return GNUTLS_E_INTERNAL_ERROR;
565 info->dh.secret_bits = bits;
566 break;
567 }
568 case GNUTLS_CRD_CERTIFICATE:
569 {
570 cert_auth_info_t info;
571
572 info = _gnutls_get_auth_info (session);
573 if (info == NULL)
574 return GNUTLS_E_INTERNAL_ERROR;
575
576 info->dh.secret_bits = bits;
577 break;
578 default:
579 gnutls_assert ();
580 return GNUTLS_E_INTERNAL_ERROR;
581 }
582 }
583
584 return 0;
585 }
586
587 /* This function will set in the auth info structure the
588 * RSA exponent and the modulus.
589 */
590 int
591 _gnutls_rsa_export_set_pubkey (gnutls_session_t session,
592 bigint_t exponent, bigint_t modulus)
593 {
594 cert_auth_info_t info;
595 int ret;
596
597 info = _gnutls_get_auth_info (session);
598 if (info == NULL)
599 return GNUTLS_E_INTERNAL_ERROR;
600
601 if (info->rsa_export.modulus.data)
602 _gnutls_free_datum (&info->rsa_export.modulus);
603
604 if (info->rsa_export.exponent.data)
605 _gnutls_free_datum (&info->rsa_export.exponent);
606
607 ret = _gnutls_mpi_dprint_lz (modulus, &info->rsa_export.modulus);
608 if (ret < 0)
609 {
610 gnutls_assert ();
611 return ret;
612 }
613
614 ret = _gnutls_mpi_dprint_lz (exponent, &info->rsa_export.exponent);
615 if (ret < 0)
616 {
617 gnutls_assert ();
618 _gnutls_free_datum (&info->rsa_export.modulus);
619 return ret;
620 }
621
622 return 0;
623 }
624
625
626 /* Sets the prime and the generator in the auth info structure.
627 */
628 int
629 _gnutls_dh_set_group (gnutls_session_t session, bigint_t gen, bigint_t prime)
630 {
631 dh_info_st *dh;
632 int ret;
633
634 switch (gnutls_auth_get_type (session))
635 {
636 case GNUTLS_CRD_ANON:
637 {
638 anon_auth_info_t info;
639 info = _gnutls_get_auth_info (session);
640 if (info == NULL)
641 return GNUTLS_E_INTERNAL_ERROR;
642
643 dh = &info->dh;
644 break;
645 }
646 case GNUTLS_CRD_PSK:
647 {
648 psk_auth_info_t info;
649 info = _gnutls_get_auth_info (session);
650 if (info == NULL)
651 return GNUTLS_E_INTERNAL_ERROR;
652
653 dh = &info->dh;
654 break;
655 }
656 case GNUTLS_CRD_CERTIFICATE:
657 {
658 cert_auth_info_t info;
659
660 info = _gnutls_get_auth_info (session);
661 if (info == NULL)
662 return GNUTLS_E_INTERNAL_ERROR;
663
664 dh = &info->dh;
665 break;
666 }
667 default:
668 gnutls_assert ();
669 return GNUTLS_E_INTERNAL_ERROR;
670 }
671
672 if (dh->prime.data)
673 _gnutls_free_datum (&dh->prime);
674
675 if (dh->generator.data)
676 _gnutls_free_datum (&dh->generator);
677
678 /* prime
679 */
680 ret = _gnutls_mpi_dprint_lz (prime, &dh->prime);
681 if (ret < 0)
682 {
683 gnutls_assert ();
684 return ret;
685 }
686
687 /* generator
688 */
689 ret = _gnutls_mpi_dprint_lz (gen, &dh->generator);
690 if (ret < 0)
691 {
692 gnutls_assert ();
693 _gnutls_free_datum (&dh->prime);
694 return ret;
695 }
696
697 return 0;
698 }
699
700 #ifdef ENABLE_OPENPGP
701 /**
702 * gnutls_openpgp_send_cert:
703 * @session: is a pointer to a #gnutls_session_t structure.
704 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
705 *
706 * This function will order gnutls to send the key fingerprint
707 * instead of the key in the initial handshake procedure. This should
708 * be used with care and only when there is indication or knowledge
709 * that the server can obtain the client's key.
710 **/
711 void
712 gnutls_openpgp_send_cert (gnutls_session_t session,
713 gnutls_openpgp_crt_status_t status)
714 {
715 session->internals.pgp_fingerprint = status;
716 }
717 #endif
718
719 /**
720 * gnutls_certificate_send_x509_rdn_sequence:
721 * @session: is a pointer to a #gnutls_session_t structure.
722 * @status: is 0 or 1
723 *
724 * If status is non zero, this function will order gnutls not to send
725 * the rdnSequence in the certificate request message. That is the
726 * server will not advertise its trusted CAs to the peer. If status
727 * is zero then the default behaviour will take effect, which is to
728 * advertise the server's trusted CAs.
729 *
730 * This function has no effect in clients, and in authentication
731 * methods other than certificate with X.509 certificates.
732 **/
733 void
734 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session,
735 int status)
736 {
737 session->internals.ignore_rdn_sequence = status;
738 }
739
740 #ifdef ENABLE_OPENPGP
741 int
742 _gnutls_openpgp_send_fingerprint (gnutls_session_t session)
743 {
744 return session->internals.pgp_fingerprint;
745 }
746 #endif
747
748 /*-
749 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
750 * @session: is a #gnutls_session_t structure.
751 * @major: is a tls major version
752 * @minor: is a tls minor version
753 *
754 * This function sets the default version that we will use in the first
755 * record packet (client hello). This function is only useful to people
756 * that know TLS internals and want to debug other implementations.
757 -*/
758 void
759 _gnutls_record_set_default_version (gnutls_session_t session,
760 unsigned char major, unsigned char minor)
761 {
762 session->internals.default_record_version[0] = major;
763 session->internals.default_record_version[1] = minor;
764 }
765
766 /**
767 * gnutls_handshake_set_private_extensions:
768 * @session: is a #gnutls_session_t structure.
769 * @allow: is an integer (0 or 1)
770 *
771 * This function will enable or disable the use of private cipher
772 * suites (the ones that start with 0xFF). By default or if @allow
773 * is 0 then these cipher suites will not be advertized nor used.
774 *
775 * Currently GnuTLS does not include such cipher-suites or
776 * compression algorithms.
777 *
778 * Enabling the private ciphersuites when talking to other than
779 * gnutls servers and clients may cause interoperability problems.
780 **/
781 void
782 gnutls_handshake_set_private_extensions (gnutls_session_t session, int allow)
783 {
784 session->internals.enable_private = allow;
785 }
786
787 inline static int
788 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm,
789 const void *secret, int secret_size,
790 const void *seed, int seed_size, void *result)
791 {
792 int ret;
793
794 ret = _gnutls_hmac_fast (algorithm, secret, secret_size, seed, seed_size, result);
795 if (ret < 0)
796 return gnutls_assert_val(ret);
797
798 return 0;
799 }
800
801 #define MAX_SEED_SIZE 200
802
803 /* Produces "total_bytes" bytes using the hash algorithm specified.
804 * (used in the PRF function)
805 */
806 static int
807 P_hash (gnutls_mac_algorithm_t algorithm,
808 const uint8_t * secret, int secret_size,
809 const uint8_t * seed, int seed_size,
810 int total_bytes, uint8_t * ret)
811 {
812
813 digest_hd_st td2;
814 int i, times, how, blocksize, A_size;
815 uint8_t final[MAX_HASH_SIZE], Atmp[MAX_SEED_SIZE];
816 int output_bytes, result;
817
818 if (seed_size > MAX_SEED_SIZE || total_bytes <= 0)
819 {
820 gnutls_assert ();
821 return GNUTLS_E_INTERNAL_ERROR;
822 }
823
824 blocksize = _gnutls_hmac_get_algo_len (algorithm);
825
826 output_bytes = 0;
827 do
828 {
829 output_bytes += blocksize;
830 }
831 while (output_bytes < total_bytes);
832
833 /* calculate A(0) */
834
835 memcpy (Atmp, seed, seed_size);
836 A_size = seed_size;
837
838 times = output_bytes / blocksize;
839
840 for (i = 0; i < times; i++)
841 {
842 result = _gnutls_hmac_init (&td2, algorithm, secret, secret_size);
843 if (result < 0)
844 {
845 gnutls_assert ();
846 return result;
847 }
848
849 /* here we calculate A(i+1) */
850 if ((result =
851 _gnutls_cal_PRF_A (algorithm, secret, secret_size, Atmp,
852 A_size, Atmp)) < 0)
853 {
854 gnutls_assert ();
855 _gnutls_hmac_deinit (&td2, final);
856 return result;
857 }
858
859 A_size = blocksize;
860
861 _gnutls_hmac (&td2, Atmp, A_size);
862 _gnutls_hmac (&td2, seed, seed_size);
863 _gnutls_hmac_deinit (&td2, final);
864
865 if ((1 + i) * blocksize < total_bytes)
866 {
867 how = blocksize;
868 }
869 else
870 {
871 how = total_bytes - (i) * blocksize;
872 }
873
874 if (how > 0)
875 {
876 memcpy (&ret[i * blocksize], final, how);
877 }
878 }
879
880 return 0;
881 }
882
883 #define MAX_PRF_BYTES 200
884
885 /* The PRF function expands a given secret
886 * needed by the TLS specification. ret must have a least total_bytes
887 * available.
888 */
889 int
890 _gnutls_PRF (gnutls_session_t session,
891 const uint8_t * secret, unsigned int secret_size, const char *label,
892 int label_size, const uint8_t * seed, int seed_size,
893 int total_bytes, void *ret)
894 {
895 int l_s, s_seed_size;
896 const uint8_t *s1, *s2;
897 uint8_t s_seed[MAX_SEED_SIZE];
898 uint8_t o1[MAX_PRF_BYTES], o2[MAX_PRF_BYTES];
899 int result;
900 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
901
902 if (total_bytes > MAX_PRF_BYTES)
903 {
904 gnutls_assert ();
905 return GNUTLS_E_INTERNAL_ERROR;
906 }
907 /* label+seed = s_seed */
908 s_seed_size = seed_size + label_size;
909
910 if (s_seed_size > MAX_SEED_SIZE)
911 {
912 gnutls_assert ();
913 return GNUTLS_E_INTERNAL_ERROR;
914 }
915
916 memcpy (s_seed, label, label_size);
917 memcpy (&s_seed[label_size], seed, seed_size);
918
919 if (_gnutls_version_has_selectable_prf (ver))
920 {
921 result =
922 P_hash (_gnutls_cipher_suite_get_prf(session->security_parameters.cipher_suite),
923 secret, secret_size,
924 s_seed, s_seed_size, total_bytes, ret);
925 if (result < 0)
926 {
927 gnutls_assert ();
928 return result;
929 }
930 }
931 else
932 {
933 l_s = secret_size / 2;
934
935 s1 = &secret[0];
936 s2 = &secret[l_s];
937
938 if (secret_size % 2 != 0)
939 {
940 l_s++;
941 }
942
943 result =
944 P_hash (GNUTLS_MAC_MD5, s1, l_s, s_seed, s_seed_size,
945 total_bytes, o1);
946 if (result < 0)
947 {
948 gnutls_assert ();
949 return result;
950 }
951
952 result =
953 P_hash (GNUTLS_MAC_SHA1, s2, l_s, s_seed, s_seed_size,
954 total_bytes, o2);
955 if (result < 0)
956 {
957 gnutls_assert ();
958 return result;
959 }
960
961 memxor (o1, o2, total_bytes);
962
963 memcpy (ret, o1, total_bytes);
964 }
965
966 return 0; /* ok */
967
968 }
969
970 /**
971 * gnutls_prf_raw:
972 * @session: is a #gnutls_session_t structure.
973 * @label_size: length of the @label variable.
974 * @label: label used in PRF computation, typically a short string.
975 * @seed_size: length of the @seed variable.
976 * @seed: optional extra data to seed the PRF with.
977 * @outsize: size of pre-allocated output buffer to hold the output.
978 * @out: pre-allocate buffer to hold the generated data.
979 *
980 * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
981 * and the provided data.
982 *
983 * The @label variable usually contain a string denoting the purpose
984 * for the generated data. The @seed usually contain data such as the
985 * client and server random, perhaps together with some additional
986 * data that is added to guarantee uniqueness of the output for a
987 * particular purpose.
988 *
989 * Because the output is not guaranteed to be unique for a particular
990 * session unless @seed include the client random and server random
991 * fields (the PRF would output the same data on another connection
992 * resumed from the first one), it is not recommended to use this
993 * function directly. The gnutls_prf() function seed the PRF with the
994 * client and server random fields directly, and is recommended if you
995 * want to generate pseudo random data unique for each session.
996 *
997 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
998 **/
999 int
1000 gnutls_prf_raw (gnutls_session_t session,
1001 size_t label_size,
1002 const char *label,
1003 size_t seed_size, const char *seed, size_t outsize, char *out)
1004 {
1005 int ret;
1006
1007 ret = _gnutls_PRF (session,
1008 session->security_parameters.master_secret,
1009 GNUTLS_MASTER_SIZE,
1010 label,
1011 label_size, (uint8_t *) seed, seed_size, outsize, out);
1012
1013 return ret;
1014 }
1015
1016 /**
1017 * gnutls_prf:
1018 * @session: is a #gnutls_session_t structure.
1019 * @label_size: length of the @label variable.
1020 * @label: label used in PRF computation, typically a short string.
1021 * @server_random_first: non-0 if server random field should be first in seed
1022 * @extra_size: length of the @extra variable.
1023 * @extra: optional extra data to seed the PRF with.
1024 * @outsize: size of pre-allocated output buffer to hold the output.
1025 * @out: pre-allocate buffer to hold the generated data.
1026 *
1027 * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
1028 * and the provided data, seeded with the client and server random fields.
1029 *
1030 * The @label variable usually contain a string denoting the purpose
1031 * for the generated data. The @server_random_first indicate whether
1032 * the client random field or the server random field should be first
1033 * in the seed. Non-0 indicate that the server random field is first,
1034 * 0 that the client random field is first.
1035 *
1036 * The @extra variable can be used to add more data to the seed, after
1037 * the random variables. It can be used to tie make sure the
1038 * generated output is strongly connected to some additional data
1039 * (e.g., a string used in user authentication).
1040 *
1041 * The output is placed in @out, which must be pre-allocated.
1042 *
1043 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1044 **/
1045 int
1046 gnutls_prf (gnutls_session_t session,
1047 size_t label_size,
1048 const char *label,
1049 int server_random_first,
1050 size_t extra_size, const char *extra, size_t outsize, char *out)
1051 {
1052 int ret;
1053 uint8_t *seed;
1054 size_t seedsize = 2 * GNUTLS_RANDOM_SIZE + extra_size;
1055
1056 seed = gnutls_malloc (seedsize);
1057 if (!seed)
1058 {
1059 gnutls_assert ();
1060 return GNUTLS_E_MEMORY_ERROR;
1061 }
1062
1063 memcpy (seed, server_random_first ?
1064 session->security_parameters.server_random :
1065 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1066 memcpy (seed + GNUTLS_RANDOM_SIZE, server_random_first ?
1067 session->security_parameters.client_random :
1068 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1069
1070 memcpy (seed + 2 * GNUTLS_RANDOM_SIZE, extra, extra_size);
1071
1072 ret = _gnutls_PRF (session, session->security_parameters.master_secret,
1073 GNUTLS_MASTER_SIZE,
1074 label, label_size, seed, seedsize, outsize, out);
1075
1076 gnutls_free (seed);
1077
1078 return ret;
1079 }
1080
1081 /**
1082 * gnutls_session_is_resumed:
1083 * @session: is a #gnutls_session_t structure.
1084 *
1085 * Check whether session is resumed or not.
1086 *
1087 * Returns: non zero if this session is resumed, or a zero if this is
1088 * a new session.
1089 **/
1090 int
1091 gnutls_session_is_resumed (gnutls_session_t session)
1092 {
1093 if (session->security_parameters.entity == GNUTLS_CLIENT)
1094 {
1095 if (session->security_parameters.session_id_size > 0 &&
1096 session->security_parameters.session_id_size ==
1097 session->internals.resumed_security_parameters.session_id_size
1098 && memcmp (session->security_parameters.session_id,
1099 session->internals.
1100 resumed_security_parameters.session_id,
1101 session->security_parameters.session_id_size) == 0)
1102 return 1;
1103 }
1104 else
1105 {
1106 if (session->internals.resumed != RESUME_FALSE)
1107 return 1;
1108 }
1109
1110 return 0;
1111 }
1112
1113 /**
1114 * gnutls_session_resumption_requested:
1115 * @session: is a #gnutls_session_t structure.
1116 *
1117 * Check whether the client has asked for session resumption.
1118 * This function is valid only on server side.
1119 *
1120 * Returns: non zero if session resumption was asked, or a zero if not.
1121 **/
1122 int
1123 gnutls_session_resumption_requested(gnutls_session_t session)
1124 {
1125 if (session->security_parameters.entity == GNUTLS_CLIENT)
1126 {
1127 return 0;
1128 }
1129 else
1130 {
1131 return session->internals.resumption_requested;
1132 }
1133 }
1134
1135 /*-
1136 * _gnutls_session_is_export - Used to check whether this session is of export grade
1137 * @session: is a #gnutls_session_t structure.
1138 *
1139 * This function will return non zero if this session is of export grade.
1140 -*/
1141 int
1142 _gnutls_session_is_export (gnutls_session_t session)
1143 {
1144 gnutls_cipher_algorithm_t cipher;
1145
1146 cipher =
1147 _gnutls_cipher_suite_get_cipher_algo (session->
1148 security_parameters.cipher_suite);
1149
1150 if (_gnutls_cipher_get_export_flag (cipher) != 0)
1151 return 1;
1152
1153 return 0;
1154 }
1155
1156 /*-
1157 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1158 * @session: is a #gnutls_session_t structure.
1159 *
1160 * This function will return non zero if this session uses a PSK key
1161 * exchange algorithm.
1162 -*/
1163 int
1164 _gnutls_session_is_psk (gnutls_session_t session)
1165 {
1166 gnutls_kx_algorithm_t kx;
1167
1168 kx =
1169 _gnutls_cipher_suite_get_kx_algo (session->
1170 security_parameters.cipher_suite);
1171 if (kx == GNUTLS_KX_PSK || kx == GNUTLS_KX_DHE_PSK)
1172 return 1;
1173
1174 return 0;
1175 }
1176
1177 /*-
1178 * _gnutls_session_is_ecc - Used to check whether this session uses ECC kx
1179 * @session: is a #gnutls_session_t structure.
1180 *
1181 * This function will return non zero if this session uses an elliptic
1182 * curves key exchange exchange algorithm.
1183 -*/
1184 int
1185 _gnutls_session_is_ecc (gnutls_session_t session)
1186 {
1187 gnutls_kx_algorithm_t kx;
1188
1189 /* We get the key exchange algorithm through the ciphersuite because
1190 * the negotiated key exchange might not have been set yet.
1191 */
1192 kx =
1193 _gnutls_cipher_suite_get_kx_algo (session->
1194 security_parameters.cipher_suite);
1195
1196 return _gnutls_kx_is_ecc(kx);
1197 }
1198
1199 /**
1200 * gnutls_session_get_ptr:
1201 * @session: is a #gnutls_session_t structure.
1202 *
1203 * Get user pointer for session. Useful in callbacks. This is the
1204 * pointer set with gnutls_session_set_ptr().
1205 *
1206 * Returns: the user given pointer from the session structure, or
1207 * %NULL if it was never set.
1208 **/
1209 void *
1210 gnutls_session_get_ptr (gnutls_session_t session)
1211 {
1212 return session->internals.user_ptr;
1213 }
1214
1215 /**
1216 * gnutls_session_set_ptr:
1217 * @session: is a #gnutls_session_t structure.
1218 * @ptr: is the user pointer
1219 *
1220 * This function will set (associate) the user given pointer @ptr to
1221 * the session structure. This is pointer can be accessed with
1222 * gnutls_session_get_ptr().
1223 **/
1224 void
1225 gnutls_session_set_ptr (gnutls_session_t session, void *ptr)
1226 {
1227 session->internals.user_ptr = ptr;
1228 }
1229
1230
1231 /**
1232 * gnutls_record_get_direction:
1233 * @session: is a #gnutls_session_t structure.
1234 *
1235 * This function provides information about the internals of the
1236 * record protocol and is only useful if a prior gnutls function call
1237 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1238 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1239 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1240 * or poll() before calling the interrupted gnutls function again. To
1241 * tell you whether a file descriptor should be selected for either
1242 * reading or writing, gnutls_record_get_direction() returns 0 if the
1243 * interrupted function was trying to read data, and 1 if it was
1244 * trying to write data.
1245 *
1246 * Returns: 0 if trying to read data, 1 if trying to write data.
1247 **/
1248 int
1249 gnutls_record_get_direction (gnutls_session_t session)
1250 {
1251 return session->internals.direction;
1252 }
1253
1254 /*-
1255 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1256 * @session: is a #gnutls_session_t structure.
1257 * @major: is the major version to use
1258 * @minor: is the minor version to use
1259 *
1260 * This function will set the given version number to be used at the
1261 * RSA PMS secret. This is only useful to clients, which want to
1262 * test server's capabilities.
1263 -*/
1264 void
1265 _gnutls_rsa_pms_set_version (gnutls_session_t session,
1266 unsigned char major, unsigned char minor)
1267 {
1268 session->internals.rsa_pms_version[0] = major;
1269 session->internals.rsa_pms_version[1] = minor;
1270 }
1271
1272 /**
1273 * gnutls_handshake_set_post_client_hello_function:
1274 * @session: is a #gnutls_session_t structure.
1275 * @func: is the function to be called
1276 *
1277 * This function will set a callback to be called after the client
1278 * hello has been received (callback valid in server side only). This
1279 * allows the server to adjust settings based on received extensions.
1280 *
1281 * Those settings could be ciphersuites, requesting certificate, or
1282 * anything else except for version negotiation (this is done before
1283 * the hello message is parsed).
1284 *
1285 * This callback must return 0 on success or a gnutls error code to
1286 * terminate the handshake.
1287 *
1288 * Warning: You should not use this function to terminate the
1289 * handshake based on client input unless you know what you are
1290 * doing. Before the handshake is finished there is no way to know if
1291 * there is a man-in-the-middle attack being performed.
1292 **/
1293 void
1294 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session,
1295 gnutls_handshake_post_client_hello_func
1296 func)
1297 {
1298 session->internals.user_hello_func = func;
1299 }
1300
1301 /**
1302 * gnutls_session_enable_compatibility_mode:
1303 * @session: is a #gnutls_session_t structure.
1304 *
1305 * This function can be used to disable certain (security) features in
1306 * TLS in order to maintain maximum compatibility with buggy
1307 * clients. It is equivalent to calling:
1308 * gnutls_record_disable_padding()
1309 *
1310 * Normally only servers that require maximum compatibility with
1311 * everything out there, need to call this function.
1312 **/
1313 void
1314 gnutls_session_enable_compatibility_mode (gnutls_session_t session)
1315 {
1316 gnutls_record_disable_padding (session);
1317 }
1318
1319 /**
1320 * gnutls_session_channel_binding:
1321 * @session: is a #gnutls_session_t structure.
1322 * @cbtype: an #gnutls_channel_binding_t enumeration type
1323 * @cb: output buffer array with data
1324 *
1325 * Extract given channel binding data of the @cbtype (e.g.,
1326 * %GNUTLS_CB_TLS_UNIQUE) type.
1327 *
1328 * Returns: %GNUTLS_E_SUCCESS on success,
1329 * %GNUTLS_E_UNIMPLEMENTED_FEATURE if the @cbtype is unsupported,
1330 * %GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE if the data is not
1331 * currently available, or an error code.
1332 *
1333 * Since: 2.12.0
1334 **/
1335 int
1336 gnutls_session_channel_binding (gnutls_session_t session,
1337 gnutls_channel_binding_t cbtype,
1338 gnutls_datum_t * cb)
1339 {
1340 if (cbtype != GNUTLS_CB_TLS_UNIQUE)
1341 return GNUTLS_E_UNIMPLEMENTED_FEATURE;
1342
1343 if (!session->internals.initial_negotiation_completed)
1344 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE;
1345
1346 cb->size = session->internals.cb_tls_unique_len;
1347 cb->data = gnutls_malloc (cb->size);
1348 if (cb->data == NULL)
1349 return GNUTLS_E_MEMORY_ERROR;
1350
1351 memcpy (cb->data, session->internals.cb_tls_unique, cb->size);
1352
1353 return 0;
1354 }
1355
1356 /* returns overhead imposed by the record layer (encryption/compression)
1357 * etc. It does include the record layer headers.
1358 *
1359 * It may return a negative error code on error.
1360 */
1361 int _gnutls_record_overhead_rt(gnutls_session_t session)
1362 {
1363 record_parameters_st *params;
1364 int total = 0, ret, iv_size;
1365
1366 if (session->internals.initial_negotiation_completed == 0)
1367 return RECORD_HEADER_SIZE(session);
1368
1369 ret = _gnutls_epoch_get (session, EPOCH_WRITE_CURRENT, &params);
1370 if (ret < 0)
1371 return gnutls_assert_val(ret);
1372
1373 /* requires padding */
1374 iv_size = _gnutls_cipher_get_iv_size(params->cipher_algorithm);
1375 total += iv_size;
1376
1377 if (_gnutls_cipher_is_block (params->cipher_algorithm) == CIPHER_BLOCK)
1378 {
1379 if (!IS_DTLS(session))
1380 total += MAX_PAD_SIZE;
1381 else
1382 total += iv_size; /* iv_size == block_size */
1383 }
1384
1385 if (params->mac_algorithm == GNUTLS_MAC_AEAD)
1386 total += _gnutls_cipher_get_tag_size(params->cipher_algorithm);
1387 else
1388 {
1389 ret = _gnutls_hmac_get_algo_len(params->mac_algorithm);
1390 if (ret < 0)
1391 return gnutls_assert_val(ret);
1392 total+=ret;
1393 }
1394
1395 if (params->compression_algorithm != GNUTLS_COMP_NULL)
1396 total += EXTRA_COMP_SIZE;
1397
1398 total += RECORD_HEADER_SIZE(session);
1399
1400 return total;
1401 }
1402
1403 /**
1404 * gnutls_ecc_curve_get:
1405 * @session: is a #gnutls_session_t structure.
1406 *
1407 * Returns the currently used elliptic curve. Only valid
1408 * when using an elliptic curve ciphersuite.
1409 *
1410 * Returns: the currently used curve, a #gnutls_ecc_curve_t
1411 * type.
1412 *
1413 * Since: 3.0
1414 **/
1415 gnutls_ecc_curve_t gnutls_ecc_curve_get(gnutls_session_t session)
1416 {
1417 return _gnutls_session_ecc_curve_get(session);
1418 }
1419
1420 #undef gnutls_protocol_get_version
1421 /**
1422 * gnutls_protocol_get_version:
1423 * @session: is a #gnutls_session_t structure.
1424 *
1425 * Get TLS version, a #gnutls_protocol_t value.
1426 *
1427 * Returns: The version of the currently used protocol.
1428 **/
1429 gnutls_protocol_t
1430 gnutls_protocol_get_version (gnutls_session_t session)
1431 {
1432 return _gnutls_protocol_get_version(session);
1433 }
Implementation of the SSL/TLS protocol