2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Functions that relate to the TLS handshake procedure.
26 #include "gnutls_int.h"
27 #include "gnutls_errors.h"
28 #include "gnutls_dh.h"
30 #include "algorithms.h"
31 #include "gnutls_compress.h"
32 #include "gnutls_cipher.h"
33 #include "gnutls_buffers.h"
34 #include "gnutls_mbuffers.h"
35 #include "gnutls_kx.h"
36 #include "gnutls_handshake.h"
37 #include "gnutls_num.h"
38 #include "gnutls_hash_int.h"
39 #include "gnutls_db.h"
40 #include "gnutls_extensions.h"
41 #include "gnutls_supplemental.h"
42 #include "gnutls_auth.h"
43 #include "gnutls_v2_compat.h"
44 #include <auth/cert.h>
45 #include "gnutls_constate.h"
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
49 #include <ext/session_ticket.h>
50 #include <ext/safe_renegotiation.h>
51 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
52 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
53 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
55 #include <gnutls_dtls.h>
57 #ifdef HANDSHAKE_DEBUG
58 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
66 static int _gnutls_server_select_comp_method (gnutls_session_t session
,
67 uint8_t * data
, int datalen
);
69 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
70 uint8_t * cipher_suites
,
71 int cipher_suites_size
,
72 gnutls_pk_algorithm_t
*pk_algos
,
73 size_t pk_algos_size
);
75 /* Empties but does not free the buffer
78 _gnutls_handshake_hash_buffer_empty (gnutls_session_t session
)
81 _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
83 session
->internals
.handshake_hash_buffer_prev_len
= 0;
84 session
->internals
.handshake_hash_buffer
.length
= 0;
89 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
90 gnutls_handshake_description_t recv_type
,
91 uint8_t * header
, uint16_t header_size
,
92 uint8_t * dataptr
, uint32_t datalen
);
95 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
96 gnutls_handshake_description_t type
,
97 uint8_t * dataptr
, uint32_t datalen
);
100 _gnutls_recv_hello_verify_request (gnutls_session_t session
,
101 uint8_t * data
, int datalen
);
104 /* Clears the handshake hash buffers and handles.
107 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session
)
109 session
->internals
.handshake_hash_buffer_prev_len
= 0;
110 _gnutls_buffer_clear(&session
->internals
.handshake_hash_buffer
);
113 /* this will copy the required values for resuming to
114 * internals, and to security_parameters.
115 * this will keep as less data to security_parameters.
118 resume_copy_required_values (gnutls_session_t session
)
120 /* get the new random values */
121 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
122 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
123 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
124 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
126 /* keep the ciphersuite and compression
127 * That is because the client must see these in our
130 memcpy (session
->security_parameters
.cipher_suite
,
131 session
->internals
.resumed_security_parameters
.cipher_suite
, 2);
132 session
->security_parameters
.compression_method
= session
->internals
.resumed_security_parameters
.compression_method
;
134 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
136 internals
.resumed_security_parameters
.cipher_suite
);
137 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
139 internals
.resumed_security_parameters
.compression_method
);
141 /* or write_compression_algorithm
145 session
->security_parameters
.entity
=
146 session
->internals
.resumed_security_parameters
.entity
;
148 _gnutls_set_current_version (session
,
149 session
->internals
.resumed_security_parameters
.
152 session
->security_parameters
.cert_type
=
153 session
->internals
.resumed_security_parameters
.cert_type
;
155 memcpy (session
->security_parameters
.session_id
,
156 session
->internals
.resumed_security_parameters
.session_id
,
157 sizeof (session
->security_parameters
.session_id
));
158 session
->security_parameters
.session_id_size
=
159 session
->internals
.resumed_security_parameters
.session_id_size
;
164 _gnutls_set_server_random (gnutls_session_t session
, uint8_t * rnd
)
166 memcpy (session
->security_parameters
.server_random
, rnd
,
171 _gnutls_set_client_random (gnutls_session_t session
, uint8_t * rnd
)
173 memcpy (session
->security_parameters
.client_random
, rnd
,
177 /* Calculate The SSL3 Finished message
179 #define SSL3_CLIENT_MSG "CLNT"
180 #define SSL3_SERVER_MSG "SRVR"
181 #define SSL_MSG_LEN 4
183 _gnutls_ssl3_finished (gnutls_session_t session
, int type
, uint8_t * ret
, int sending
)
191 len
= session
->internals
.handshake_hash_buffer
.length
;
193 len
= session
->internals
.handshake_hash_buffer_prev_len
;
195 rc
= _gnutls_hash_init (&td_sha
, GNUTLS_DIG_SHA1
);
197 return gnutls_assert_val(rc
);
199 rc
= _gnutls_hash_init (&td_md5
, GNUTLS_DIG_MD5
);
202 _gnutls_hash_deinit (&td_sha
, NULL
);
203 return gnutls_assert_val(rc
);
206 _gnutls_hash(&td_sha
, session
->internals
.handshake_hash_buffer
.data
, len
);
207 _gnutls_hash(&td_md5
, session
->internals
.handshake_hash_buffer
.data
, len
);
209 if (type
== GNUTLS_SERVER
)
210 mesg
= SSL3_SERVER_MSG
;
212 mesg
= SSL3_CLIENT_MSG
;
214 _gnutls_hash (&td_md5
, mesg
, SSL_MSG_LEN
);
215 _gnutls_hash (&td_sha
, mesg
, SSL_MSG_LEN
);
217 rc
= _gnutls_mac_deinit_ssl3_handshake (&td_md5
, ret
,
219 security_parameters
.master_secret
,
223 _gnutls_hash_deinit (&td_md5
, NULL
);
224 _gnutls_hash_deinit (&td_sha
, NULL
);
225 return gnutls_assert_val(rc
);
228 rc
= _gnutls_mac_deinit_ssl3_handshake (&td_sha
, &ret
[16],
230 security_parameters
.master_secret
,
234 _gnutls_hash_deinit (&td_sha
, NULL
);
235 return gnutls_assert_val(rc
);
241 /* Hash the handshake messages as required by TLS 1.0
243 #define SERVER_MSG "server finished"
244 #define CLIENT_MSG "client finished"
245 #define TLS_MSG_LEN 15
247 _gnutls_finished (gnutls_session_t session
, int type
, void *ret
, int sending
)
249 const int siz
= TLS_MSG_LEN
;
250 uint8_t concat
[MAX_HASH_SIZE
+ 16 /*MD5 */ ];
256 len
= session
->internals
.handshake_hash_buffer
.length
;
258 len
= session
->internals
.handshake_hash_buffer_prev_len
;
260 if (!_gnutls_version_has_selectable_prf (gnutls_protocol_get_version(session
)))
262 rc
= _gnutls_hash_fast( GNUTLS_DIG_SHA1
, session
->internals
.handshake_hash_buffer
.data
, len
, &concat
[16]);
264 return gnutls_assert_val(rc
);
266 rc
= _gnutls_hash_fast( GNUTLS_DIG_MD5
, session
->internals
.handshake_hash_buffer
.data
, len
, concat
);
268 return gnutls_assert_val(rc
);
274 int algorithm
= _gnutls_cipher_suite_get_prf(session
->security_parameters
.cipher_suite
);
276 rc
= _gnutls_hash_fast( algorithm
, session
->internals
.handshake_hash_buffer
.data
, len
, concat
);
278 return gnutls_assert_val(rc
);
280 hash_len
= _gnutls_hash_get_algo_len (algorithm
);
283 if (type
== GNUTLS_SERVER
)
292 return _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
293 GNUTLS_MASTER_SIZE
, mesg
, siz
, concat
, hash_len
, 12, ret
);
296 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
300 _gnutls_tls_create_random (uint8_t * dst
)
305 /* Use weak random numbers for the most of the
306 * buffer except for the first 4 that are the
310 tim
= gnutls_time (NULL
);
311 /* generate server random value */
312 _gnutls_write_uint32 (tim
, dst
);
314 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, &dst
[4], GNUTLS_RANDOM_SIZE
- 4);
324 /* returns the 0 on success or a negative error code.
327 _gnutls_negotiate_version (gnutls_session_t session
,
328 gnutls_protocol_t adv_version
)
332 /* if we do not support that version */
333 if (_gnutls_version_is_supported (session
, adv_version
) == 0)
335 /* If he requested something we do not support
336 * then we send him the highest we support.
338 ret
= _gnutls_version_max (session
);
339 if (ret
== GNUTLS_VERSION_UNKNOWN
)
341 /* this check is not really needed.
344 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
352 _gnutls_set_current_version (session
, ret
);
358 _gnutls_user_hello_func (gnutls_session_t session
,
359 gnutls_protocol_t adv_version
)
363 if (session
->internals
.user_hello_func
!= NULL
)
365 ret
= session
->internals
.user_hello_func (session
);
371 /* Here we need to renegotiate the version since the callee might
372 * have disabled some TLS versions.
374 ret
= _gnutls_negotiate_version (session
, adv_version
);
384 /* Read a client hello packet.
385 * A client hello must be a known version client hello
386 * or version 2.0 client hello (only for compatibility
387 * since SSL version 2.0 is not supported).
390 _gnutls_read_client_hello (gnutls_session_t session
, uint8_t * data
,
393 uint8_t session_id_len
;
395 uint16_t suite_size
, comp_size
;
396 gnutls_protocol_t adv_version
;
399 uint8_t rnd
[GNUTLS_RANDOM_SIZE
], *suite_ptr
, *comp_ptr
, *session_id
;
403 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session
,
404 data
[pos
], data
[pos
+ 1]);
406 adv_version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
407 set_adv_version (session
, data
[pos
], data
[pos
+ 1]);
410 neg_version
= _gnutls_negotiate_version (session
, adv_version
);
417 /* Read client random value.
419 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
420 _gnutls_set_client_random (session
, &data
[pos
]);
421 pos
+= GNUTLS_RANDOM_SIZE
;
423 _gnutls_tls_create_random (rnd
);
424 _gnutls_set_server_random (session
, rnd
);
426 session
->security_parameters
.timestamp
= gnutls_time (NULL
);
429 session_id_len
= data
[pos
++];
433 if (session_id_len
> TLS_MAX_SESSION_ID_SIZE
)
436 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
438 DECR_LEN (len
, session_id_len
);
439 session_id
= &data
[pos
];
440 pos
+= session_id_len
;
442 if (IS_DTLS(session
))
447 cookie_size
= data
[pos
++];
448 DECR_LEN (len
, cookie_size
);
452 ret
= _gnutls_server_restore_session (session
, session_id
, session_id_len
);
454 if (session_id_len
> 0) session
->internals
.resumption_requested
= 1;
457 { /* resumed using default TLS resumption! */
458 /* Parse only the safe renegotiation extension
459 * We don't want to parse any other extensions since
460 * we don't want new extension values to overwrite the
464 /* move forward to extensions */
466 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
469 DECR_LEN (len
, suite_size
);
473 comp_size
= data
[pos
++]; /* z is the number of compression methods */
474 DECR_LEN (len
, comp_size
);
477 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
485 resume_copy_required_values (session
);
486 session
->internals
.resumed
= RESUME_TRUE
;
488 return _gnutls_user_hello_func (session
, adv_version
);
492 _gnutls_generate_session_id (session
->security_parameters
.session_id
,
494 security_parameters
.session_id_size
);
496 session
->internals
.resumed
= RESUME_FALSE
;
499 /* Remember ciphersuites for later
502 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
505 DECR_LEN (len
, suite_size
);
506 suite_ptr
= &data
[pos
];
509 /* Point to the compression methods
512 comp_size
= data
[pos
++]; /* z is the number of compression methods */
514 DECR_LEN (len
, comp_size
);
515 comp_ptr
= &data
[pos
];
518 /* Parse the extensions (if any)
520 * Unconditionally try to parse extensions; safe renegotiation uses them in
521 * sslv3 and higher, even though sslv3 doesn't officially support them.
523 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_APPLICATION
,
525 /* len is the rest of the parsed length */
532 ret
= _gnutls_user_hello_func (session
, adv_version
);
539 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
547 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_TLS
, &data
[pos
], len
);
554 /* resumed by session_ticket extension */
555 if (session
->internals
.resumed
!= RESUME_FALSE
)
557 /* to indicate the client that the current session is resumed */
558 memcpy (session
->internals
.resumed_security_parameters
.session_id
,
559 session_id
, session_id_len
);
560 session
->internals
.resumed_security_parameters
.session_id_size
=
563 session
->internals
.resumed_security_parameters
.max_record_recv_size
=
564 session
->security_parameters
.max_record_recv_size
;
565 session
->internals
.resumed_security_parameters
.max_record_send_size
=
566 session
->security_parameters
.max_record_send_size
;
568 resume_copy_required_values (session
);
570 return _gnutls_user_hello_func (session
, adv_version
);
573 /* select an appropriate cipher suite
575 ret
= _gnutls_server_select_suite (session
, suite_ptr
, suite_size
);
582 /* select appropriate compression method */
583 ret
= _gnutls_server_select_comp_method (session
, comp_ptr
, comp_size
);
593 /* This is to be called after sending CHANGE CIPHER SPEC packet
594 * and initializing encryption. This is the first encrypted message
598 _gnutls_send_finished (gnutls_session_t session
, int again
)
603 size_t vdata_size
= 0;
607 bufel
= _gnutls_handshake_alloc (session
, MAX_VERIFY_DATA_SIZE
, MAX_VERIFY_DATA_SIZE
);
611 return GNUTLS_E_MEMORY_ERROR
;
613 data
= _mbuffer_get_udata_ptr (bufel
);
615 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
618 _gnutls_ssl3_finished (session
,
619 session
->security_parameters
.entity
, data
, 1);
620 _mbuffer_set_udata_size (bufel
, 36);
624 ret
= _gnutls_finished (session
,
625 session
->security_parameters
.entity
, data
, 1);
626 _mbuffer_set_udata_size (bufel
, 12);
635 vdata_size
= _mbuffer_get_udata_size (bufel
);
637 ret
= _gnutls_ext_sr_finished (session
, data
, vdata_size
, 0);
644 if ((session
->internals
.resumed
== RESUME_FALSE
645 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
646 || (session
->internals
.resumed
!= RESUME_FALSE
647 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
649 /* if we are a client not resuming - or we are a server resuming */
650 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
652 memcpy (session
->internals
.cb_tls_unique
, data
, vdata_size
);
653 session
->internals
.cb_tls_unique_len
= vdata_size
;
657 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_FINISHED
);
661 ret
= _gnutls_send_handshake (session
, NULL
, GNUTLS_HANDSHAKE_FINISHED
);
667 /* This is to be called after sending our finished message. If everything
668 * went fine we have negotiated a secure connection
671 _gnutls_recv_finished (gnutls_session_t session
)
673 uint8_t data
[MAX_VERIFY_DATA_SIZE
], *vrfy
;
674 gnutls_buffer_st buf
;
680 _gnutls_recv_handshake (session
, GNUTLS_HANDSHAKE_FINISHED
,
684 ERR ("recv finished int", ret
);
690 vrfy_size
= buf
.length
;
692 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
701 if (vrfy_size
!= data_size
)
704 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
708 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
711 _gnutls_ssl3_finished (session
,
712 (session
->security_parameters
.entity
+ 1) % 2,
718 _gnutls_finished (session
,
719 (session
->security_parameters
.entity
+
729 if (memcmp (vrfy
, data
, data_size
) != 0)
732 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
736 ret
= _gnutls_ext_sr_finished (session
, data
, data_size
, 1);
743 if ((session
->internals
.resumed
!= RESUME_FALSE
744 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
745 || (session
->internals
.resumed
== RESUME_FALSE
746 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
748 /* if we are a client resuming - or we are a server not resuming */
749 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
751 memcpy (session
->internals
.cb_tls_unique
, data
, data_size
);
752 session
->internals
.cb_tls_unique_len
= data_size
;
756 session
->internals
.initial_negotiation_completed
= 1;
759 _gnutls_buffer_clear(&buf
);
764 /* returns PK_RSA if the given cipher suite list only supports,
765 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
768 server_find_pk_algos_in_ciphersuites (const uint8_t *
769 data
, unsigned int datalen
,
770 gnutls_pk_algorithm_t
* algos
,
774 gnutls_kx_algorithm_t kx
;
775 unsigned int max
= *algos_size
;
777 if (datalen
% 2 != 0)
780 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
784 for (j
= 0; j
< datalen
; j
+= 2)
786 kx
= _gnutls_cipher_suite_get_kx_algo (&data
[j
]);
787 if (_gnutls_map_kx_get_cred (kx
, 1) == GNUTLS_CRD_CERTIFICATE
)
789 algos
[(*algos_size
)++] = _gnutls_map_pk_get_pk (kx
);
791 if ((*algos_size
) >= max
)
799 /* This selects the best supported ciphersuite from the given ones. Then
800 * it adds the suite to the session and performs some checks.
803 _gnutls_server_select_suite (gnutls_session_t session
, uint8_t * data
,
804 unsigned int datalen
)
807 unsigned int i
, j
, cipher_suites_size
;
808 size_t pk_algos_size
;
809 uint8_t cipher_suites
[MAX_CIPHERSUITE_SIZE
];
811 gnutls_pk_algorithm_t pk_algos
[MAX_ALGOS
]; /* will hold the pk algorithms
812 * supported by the peer.
815 /* First, check for safe renegotiation SCSV.
817 if (session
->internals
.priorities
.sr
!= SR_DISABLED
)
821 for (offset
= 0; offset
< datalen
; offset
+= 2)
823 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
824 if (data
[offset
] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR
&&
825 data
[offset
+ 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR
)
827 _gnutls_handshake_log
828 ("HSK[%p]: Received safe renegotiation CS\n", session
);
829 retval
= _gnutls_ext_sr_recv_cs (session
);
840 pk_algos_size
= MAX_ALGOS
;
841 ret
= server_find_pk_algos_in_ciphersuites (data
, datalen
, pk_algos
, &pk_algos_size
);
843 return gnutls_assert_val(ret
);
845 ret
= _gnutls_supported_ciphersuites (session
, cipher_suites
, sizeof(cipher_suites
));
847 return gnutls_assert_val(ret
);
849 cipher_suites_size
= ret
;
851 /* Here we remove any ciphersuite that does not conform
852 * the certificate requested, or to the
853 * authentication requested (e.g. SRP).
855 ret
= _gnutls_remove_unwanted_ciphersuites (session
, cipher_suites
, cipher_suites_size
, pk_algos
, pk_algos_size
);
862 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
865 cipher_suites_size
= ret
;
867 /* Data length should be zero mod 2 since
868 * every ciphersuite is 2 bytes. (this check is needed
871 if (datalen
% 2 != 0)
874 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
877 memset (session
->security_parameters
.cipher_suite
, 0, 2);
879 retval
= GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
881 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session
, (int)datalen
);
883 if (session
->internals
.priorities
.server_precedence
== 0)
885 for (j
= 0; j
< datalen
; j
+= 2)
887 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data
[j
], data
[j
+1], _gnutls_cipher_suite_get_name (&data
[j
]));
888 for (i
= 0; i
< cipher_suites_size
; i
+=2)
890 if (memcmp (&cipher_suites
[i
], &data
[j
], 2) == 0)
892 _gnutls_handshake_log
893 ("HSK[%p]: Selected cipher suite: %s\n", session
,
894 _gnutls_cipher_suite_get_name (&data
[j
]));
895 memcpy (session
->security_parameters
.cipher_suite
,
896 &cipher_suites
[i
], 2);
897 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
899 security_parameters
.cipher_suite
);
908 else /* server selects */
910 for (i
= 0; i
< cipher_suites_size
; i
+=2)
912 for (j
= 0; j
< datalen
; j
+= 2)
914 if (memcmp (&cipher_suites
[i
], &data
[j
], 2) == 0)
916 _gnutls_handshake_log
917 ("HSK[%p]: Selected cipher suite: %s\n", session
,
918 _gnutls_cipher_suite_get_name (&data
[j
]));
919 memcpy (session
->security_parameters
.cipher_suite
,
920 &cipher_suites
[i
], 2);
921 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
923 security_parameters
.cipher_suite
);
940 /* check if the credentials (username, public key etc.) are ok
942 if (_gnutls_get_kx_cred
944 _gnutls_cipher_suite_get_kx_algo (session
->
945 security_parameters
.cipher_suite
),
946 &err
) == NULL
&& err
!= 0)
949 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
953 /* set the mod_auth_st to the appropriate struct
954 * according to the KX algorithm. This is needed since all the
955 * handshake functions are read from there;
957 session
->internals
.auth_struct
=
958 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
960 security_parameters
.cipher_suite
));
961 if (session
->internals
.auth_struct
== NULL
)
964 _gnutls_handshake_log
965 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
968 return GNUTLS_E_INTERNAL_ERROR
;
976 /* This selects the best supported compression method from the ones provided
979 _gnutls_server_select_comp_method (gnutls_session_t session
,
980 uint8_t * data
, int datalen
)
983 uint8_t comps
[MAX_ALGOS
];
985 x
= _gnutls_supported_compression_methods (session
, comps
, MAX_ALGOS
);
992 if (session
->internals
.priorities
.server_precedence
== 0)
994 for (j
= 0; j
< datalen
; j
++)
996 for (i
= 0; i
< x
; i
++)
998 if (comps
[i
] == data
[j
])
1000 gnutls_compression_method_t method
=
1001 _gnutls_compression_get_id (comps
[i
]);
1003 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, method
);
1004 session
->security_parameters
.compression_method
= method
;
1006 _gnutls_handshake_log
1007 ("HSK[%p]: Selected Compression Method: %s\n", session
,
1008 gnutls_compression_get_name (method
));
1016 for (i
= 0; i
< x
; i
++)
1018 for (j
= 0; j
< datalen
; j
++)
1020 if (comps
[i
] == data
[j
])
1022 gnutls_compression_method_t method
=
1023 _gnutls_compression_get_id (comps
[i
]);
1025 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, method
);
1026 session
->security_parameters
.compression_method
= method
;
1028 _gnutls_handshake_log
1029 ("HSK[%p]: Selected Compression Method: %s\n", session
,
1030 gnutls_compression_get_name (method
));
1037 /* we were not able to find a compatible compression
1041 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1045 /* This function sends an empty handshake packet. (like hello request).
1046 * If the previous _gnutls_send_empty_handshake() returned
1047 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1048 * (until it returns ok), with NULL parameters.
1051 _gnutls_send_empty_handshake (gnutls_session_t session
,
1052 gnutls_handshake_description_t type
, int again
)
1058 bufel
= _gnutls_handshake_alloc (session
, 0, 0);
1062 return GNUTLS_E_MEMORY_ERROR
;
1068 return _gnutls_send_handshake (session
, bufel
, type
);
1074 /* This function sends a handshake message of type 'type' containing the
1075 * data specified here. If the previous _gnutls_send_handshake() returned
1076 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1077 * (until it returns ok), with NULL parameters.
1080 _gnutls_send_handshake (gnutls_session_t session
, mbuffer_st
* bufel
,
1081 gnutls_handshake_description_t type
)
1085 uint32_t datasize
, i_datasize
;
1090 /* we are resuming a previously interrupted
1093 ret
= _gnutls_handshake_io_write_flush (session
);
1099 data
= _mbuffer_get_uhead_ptr (bufel
);
1100 i_datasize
= _mbuffer_get_udata_size(bufel
);
1101 datasize
= i_datasize
+ _mbuffer_get_uhead_size (bufel
);
1103 data
[pos
++] = (uint8_t) type
;
1104 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel
), &data
[pos
]);
1107 /* Add DTLS handshake fragment headers. The message will be
1108 * fragmented later by the fragmentation sub-layer. All fields must
1109 * be set properly for HMAC. The HMAC requires we pretend that the
1110 * message was sent in a single fragment. */
1111 if (IS_DTLS(session
))
1113 _gnutls_write_uint16 (session
->internals
.dtls
.hsk_write_seq
++, &data
[pos
]);
1116 /* Fragment offset */
1117 _gnutls_write_uint24 (0, &data
[pos
]);
1120 /* Fragment length */
1121 _gnutls_write_uint24 (i_datasize
, &data
[pos
]);
1125 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1126 session
, _gnutls_handshake2str (type
),
1129 /* Here we keep the handshake messages in order to hash them...
1131 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1133 _gnutls_handshake_hash_add_sent (session
, type
, data
, datasize
)) < 0)
1136 _mbuffer_xfree(&bufel
);
1140 session
->internals
.last_handshake_out
= type
;
1142 ret
= _gnutls_handshake_io_cache_int (session
, type
, bufel
);
1145 _mbuffer_xfree(&bufel
);
1152 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
: /* this one is followed by ServerHelloDone
1153 * or ClientKeyExchange always.
1155 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
: /* as above */
1156 case GNUTLS_HANDSHAKE_SERVER_HELLO
: /* as above */
1157 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
: /* as above */
1158 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
: /* followed by ChangeCipherSpec */
1160 /* now for client Certificate, ClientKeyExchange and
1161 * CertificateVerify are always followed by ChangeCipherSpec
1163 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1164 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1168 /* send cached messages */
1169 ret
= _gnutls_handshake_io_write_flush (session
);
1176 #define CHECK_SIZE(ll) \
1177 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1178 (((ll) + session->internals.handshake_hash_buffer.length) > \
1179 session->internals.max_handshake_data_buffer_size)) \
1180 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1182 /* This function add the handshake headers and the
1183 * handshake data to the handshake hash buffers. Needed
1184 * for the finished messages calculations.
1187 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
1188 gnutls_handshake_description_t recv_type
,
1189 uint8_t * header
, uint16_t header_size
,
1190 uint8_t * dataptr
, uint32_t datalen
)
1194 if (recv_type
== GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
||
1195 recv_type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1198 CHECK_SIZE(header_size
+ datalen
);
1200 session
->internals
.handshake_hash_buffer_prev_len
= session
->internals
.handshake_hash_buffer
.length
;
1202 ret
= _gnutls_buffer_append_data(&session
->internals
.handshake_hash_buffer
,
1203 header
, header_size
);
1205 return gnutls_assert_val(ret
);
1209 ret
= _gnutls_buffer_append_data(&session
->internals
.handshake_hash_buffer
,
1212 return gnutls_assert_val(ret
);
1218 /* This function will store the handshake message we sent.
1221 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
1222 gnutls_handshake_description_t type
,
1223 uint8_t * dataptr
, uint32_t datalen
)
1227 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1228 * is not sent via that channel.
1230 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1232 CHECK_SIZE(datalen
);
1234 ret
= _gnutls_buffer_append_data(&session
->internals
.handshake_hash_buffer
,
1237 return gnutls_assert_val(ret
);
1246 /* This function will receive handshake messages of the given types,
1247 * and will pass the message to the right place in order to be processed.
1248 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1249 * passed to _gnutls_recv_hello().
1252 _gnutls_recv_handshake (gnutls_session_t session
,
1253 gnutls_handshake_description_t type
,
1254 unsigned int optional
, gnutls_buffer_st
* buf
)
1257 handshake_buffer_st hsk
;
1260 _gnutls_handshake_io_recv_int (session
, type
, &hsk
, optional
);
1263 if (optional
!= 0 && ret
== GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
)
1265 if (buf
) _gnutls_buffer_init(buf
);
1269 return gnutls_assert_val_fatal(ret
);
1272 ret
= _gnutls_handshake_hash_add_recvd (session
, hsk
.htype
,
1273 hsk
.header
, hsk
.header_size
,
1274 hsk
.data
.data
, hsk
.data
.length
);
1283 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2
:
1284 case GNUTLS_HANDSHAKE_CLIENT_HELLO
:
1285 case GNUTLS_HANDSHAKE_SERVER_HELLO
:
1286 if (hsk
.htype
== GNUTLS_HANDSHAKE_CLIENT_HELLO_V2
)
1287 ret
= _gnutls_read_client_hello_v2 (session
, hsk
.data
.data
, hsk
.data
.length
);
1289 ret
= _gnutls_recv_hello (session
, hsk
.data
.data
, hsk
.data
.length
);
1297 goto cleanup
; /* caller doesn't need dataptr */
1300 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
:
1301 ret
= _gnutls_recv_hello_verify_request (session
, hsk
.data
.data
, hsk
.data
.length
);
1308 /* Signal our caller we have received a verification cookie
1309 and ClientHello needs to be sent again. */
1312 goto cleanup
; /* caller doesn't need dataptr */
1315 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
:
1316 if (hsk
.data
.length
== 0)
1321 ret
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1325 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
:
1326 case GNUTLS_HANDSHAKE_FINISHED
:
1327 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
:
1328 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1329 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
:
1330 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1331 case GNUTLS_HANDSHAKE_SUPPLEMENTAL
:
1332 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET
:
1333 ret
= hsk
.data
.length
;
1337 /* we shouldn't actually arrive here in any case .
1338 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1340 ret
= GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1351 _gnutls_handshake_buffer_clear (&hsk
);
1355 /* This function checks if the given cipher suite is supported, and sets it
1359 _gnutls_client_set_ciphersuite (gnutls_session_t session
, uint8_t suite
[2])
1362 uint8_t cipher_suites
[MAX_CIPHERSUITE_SIZE
];
1363 int cipher_suite_size
;
1367 cipher_suite_size
= _gnutls_supported_ciphersuites (session
, cipher_suites
, sizeof(cipher_suites
));
1368 if (cipher_suite_size
< 0)
1371 return cipher_suite_size
;
1374 for (i
= 0; i
< cipher_suite_size
; i
+=2)
1376 if (memcmp (&cipher_suites
[i
], suite
, 2) == 0)
1386 _gnutls_handshake_log("HSK[%p]: unsupported cipher suite %.2X.%.2X\n", session
,
1387 (unsigned int)suite
[0], (unsigned int)suite
[1]);
1388 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
1391 memcpy (session
->security_parameters
.cipher_suite
, suite
, 2);
1392 _gnutls_epoch_set_cipher_suite (session
, EPOCH_NEXT
,
1394 security_parameters
.cipher_suite
);
1396 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session
,
1397 _gnutls_cipher_suite_get_name
1399 security_parameters
.cipher_suite
));
1402 /* check if the credentials (username, public key etc.) are ok.
1403 * Actually checks if they exist.
1405 if (_gnutls_get_kx_cred
1407 _gnutls_cipher_suite_get_kx_algo
1408 (session
->security_parameters
.cipher_suite
), &err
) == NULL
1412 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1416 /* set the mod_auth_st to the appropriate struct
1417 * according to the KX algorithm. This is needed since all the
1418 * handshake functions are read from there;
1420 session
->internals
.auth_struct
=
1421 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1423 security_parameters
.cipher_suite
));
1425 if (session
->internals
.auth_struct
== NULL
)
1428 _gnutls_handshake_log
1429 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1432 return GNUTLS_E_INTERNAL_ERROR
;
1439 /* This function sets the given comp method to the session.
1442 _gnutls_client_set_comp_method (gnutls_session_t session
, uint8_t comp_method
)
1444 int comp_methods_num
;
1445 uint8_t compression_methods
[MAX_ALGOS
];
1446 int id
= _gnutls_compression_get_id(comp_method
);
1449 _gnutls_handshake_log ("HSK[%p]: Selected compression method: %s (%d)\n", session
,
1450 gnutls_compression_get_name(id
), (int)comp_method
);
1452 comp_methods_num
= _gnutls_supported_compression_methods (session
,
1453 compression_methods
, MAX_ALGOS
);
1454 if (comp_methods_num
< 0)
1457 return comp_methods_num
;
1460 for (i
= 0; i
< comp_methods_num
; i
++)
1462 if (compression_methods
[i
] == comp_method
)
1464 comp_methods_num
= 0;
1469 if (comp_methods_num
!= 0)
1472 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1475 session
->security_parameters
.compression_method
= id
;
1476 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
, id
);
1481 /* This function returns 0 if we are resuming a session or -1 otherwise.
1482 * This also sets the variables in the session. Used only while reading a server
1486 _gnutls_client_check_if_resuming (gnutls_session_t session
,
1487 uint8_t * session_id
, int session_id_len
)
1489 char buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1491 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session
,
1493 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
1494 _gnutls_bin2hex (session_id
, session_id_len
, buf
,
1495 sizeof (buf
), NULL
));
1497 if (session_id_len
> 0 &&
1498 session
->internals
.resumed_security_parameters
.session_id_size
==
1500 && memcmp (session_id
,
1501 session
->internals
.resumed_security_parameters
.session_id
,
1502 session_id_len
) == 0)
1504 /* resume session */
1505 memcpy (session
->internals
.resumed_security_parameters
.server_random
,
1506 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1507 memcpy (session
->internals
.resumed_security_parameters
.client_random
,
1508 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1510 _gnutls_epoch_set_cipher_suite
1511 (session
, EPOCH_NEXT
,
1513 resumed_security_parameters
.cipher_suite
);
1514 _gnutls_epoch_set_compression (session
, EPOCH_NEXT
,
1516 internals
.resumed_security_parameters
.compression_method
);
1518 session
->internals
.resumed
= RESUME_TRUE
; /* we are resuming */
1524 /* keep the new session id */
1525 session
->internals
.resumed
= RESUME_FALSE
; /* we are not resuming */
1526 session
->security_parameters
.session_id_size
= session_id_len
;
1527 memcpy (session
->security_parameters
.session_id
,
1528 session_id
, session_id_len
);
1535 /* This function reads and parses the server hello handshake message.
1536 * This function also restores resumed parameters if we are resuming a
1540 _gnutls_read_server_hello (gnutls_session_t session
,
1541 uint8_t * data
, int datalen
)
1543 uint8_t session_id_len
= 0;
1546 gnutls_protocol_t version
;
1552 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1555 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1556 session
, data
[pos
], data
[pos
+ 1]);
1559 version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
1560 if (_gnutls_version_is_supported (session
, version
) == 0)
1563 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1567 _gnutls_set_current_version (session
, version
);
1572 DECR_LEN (len
, GNUTLS_RANDOM_SIZE
);
1573 _gnutls_set_server_random (session
, &data
[pos
]);
1574 pos
+= GNUTLS_RANDOM_SIZE
;
1580 session_id_len
= data
[pos
++];
1582 if (len
< session_id_len
)
1585 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1587 DECR_LEN (len
, session_id_len
);
1589 /* check if we are resuming and set the appropriate
1592 if (_gnutls_client_check_if_resuming
1593 (session
, &data
[pos
], session_id_len
) == 0)
1595 pos
+= session_id_len
+ 2 + 1;
1596 DECR_LEN (len
, 2 + 1);
1598 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_MANDATORY
,
1608 pos
+= session_id_len
;
1610 /* Check if the given cipher suite is supported and copy
1611 * it to the session.
1615 ret
= _gnutls_client_set_ciphersuite (session
, &data
[pos
]);
1623 /* move to compression
1627 ret
= _gnutls_client_set_comp_method (session
, data
[pos
++]);
1631 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1634 /* Parse extensions.
1636 ret
= _gnutls_parse_extensions (session
, GNUTLS_EXT_ANY
, &data
[pos
], len
);
1647 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1648 * Needed in client hello messages. Returns the new data length. If add_scsv is
1649 * true, add the special safe renegotiation CS.
1652 _gnutls_copy_ciphersuites (gnutls_session_t session
,
1653 gnutls_buffer_st
* cdata
,
1657 uint8_t cipher_suites
[MAX_CIPHERSUITE_SIZE
+2];
1658 int cipher_suites_size
;
1659 size_t init_length
= cdata
->length
;
1661 ret
= _gnutls_supported_ciphersuites (session
, cipher_suites
, sizeof(cipher_suites
)-2);
1663 return gnutls_assert_val(ret
);
1665 /* Here we remove any ciphersuite that does not conform
1666 * the certificate requested, or to the
1667 * authentication requested (eg SRP).
1670 _gnutls_remove_unwanted_ciphersuites (session
, cipher_suites
, ret
, NULL
, 0);
1672 return gnutls_assert_val(ret
);
1674 /* If no cipher suites were enabled.
1677 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS
);
1679 cipher_suites_size
= ret
;
1682 cipher_suites
[cipher_suites_size
] = 0x00;
1683 cipher_suites
[cipher_suites_size
+1] = 0xff;
1684 cipher_suites_size
+= 2;
1686 ret
= _gnutls_ext_sr_send_cs (session
);
1688 return gnutls_assert_val(ret
);
1691 ret
= _gnutls_buffer_append_data_prefix(cdata
, 16, cipher_suites
, cipher_suites_size
);
1693 return gnutls_assert_val(ret
);
1695 ret
= cdata
->length
- init_length
;
1701 /* This function copies the appropriate compression methods, to a locally allocated buffer
1702 * Needed in hello messages. Returns the new data length.
1705 _gnutls_copy_comp_methods (gnutls_session_t session
,
1706 gnutls_buffer_st
* cdata
)
1709 uint8_t compression_methods
[MAX_ALGOS
], comp_num
;
1710 size_t init_length
= cdata
->length
;
1712 ret
= _gnutls_supported_compression_methods (session
, compression_methods
, MAX_ALGOS
);
1714 return gnutls_assert_val(ret
);
1718 /* put the number of compression methods */
1719 ret
= _gnutls_buffer_append_prefix(cdata
, 8, comp_num
);
1721 return gnutls_assert_val(ret
);
1723 ret
= _gnutls_buffer_append_data(cdata
, compression_methods
, comp_num
);
1725 return gnutls_assert_val(ret
);
1727 ret
= cdata
->length
- init_length
;
1732 /* This should be sufficient by now. It should hold all the extensions
1733 * plus the headers in a hello message.
1735 #define MAX_EXT_DATA_LENGTH 32*1024
1737 /* This function sends the client hello handshake message.
1740 _gnutls_send_client_hello (gnutls_session_t session
, int again
)
1742 mbuffer_st
*bufel
= NULL
;
1743 uint8_t *data
= NULL
;
1745 int datalen
= 0, ret
= 0;
1746 uint8_t rnd
[GNUTLS_RANDOM_SIZE
];
1747 gnutls_protocol_t hver
;
1748 gnutls_buffer_st extdata
;
1749 int rehandshake
= 0;
1750 uint8_t session_id_len
=
1751 session
->internals
.resumed_security_parameters
.session_id_size
;
1754 _gnutls_buffer_init(&extdata
);
1756 /* note that rehandshake is different than resuming
1758 if (session
->security_parameters
.session_id_size
)
1763 if(IS_DTLS(session
))
1765 cookie_len
= session
->internals
.dtls
.cookie_len
+ 1;
1772 datalen
= 2 + (session_id_len
+ 1) + GNUTLS_RANDOM_SIZE
+ cookie_len
;
1773 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1776 bufel
= _gnutls_handshake_alloc (session
, datalen
, datalen
+MAX_EXT_DATA_LENGTH
);
1780 return GNUTLS_E_MEMORY_ERROR
;
1782 data
= _mbuffer_get_udata_ptr (bufel
);
1784 /* if we are resuming a session then we set the
1785 * version number to the previously established.
1787 if (session_id_len
== 0)
1789 if (rehandshake
) /* already negotiated version thus version_max == negotiated version */
1790 hver
= session
->security_parameters
.version
;
1791 else /* new handshake. just get the max */
1792 hver
= _gnutls_version_max (session
);
1796 /* we are resuming a session */
1797 hver
= session
->internals
.resumed_security_parameters
.version
;
1800 if (hver
== GNUTLS_VERSION_UNKNOWN
|| hver
== 0)
1803 gnutls_free (bufel
);
1804 return GNUTLS_E_INTERNAL_ERROR
;
1807 data
[pos
++] = _gnutls_version_get_major (hver
);
1808 data
[pos
++] = _gnutls_version_get_minor (hver
);
1810 /* Set the version we advertized as maximum
1813 _gnutls_set_adv_version (session
, hver
);
1814 _gnutls_set_current_version (session
, hver
);
1816 if (session
->internals
.priorities
.ssl3_record_version
!= 0)
1818 /* Advertize the SSL 3.0 record packet version in
1819 * record packets during the handshake.
1820 * That is to avoid confusing implementations
1821 * that do not support TLS 1.2 and don't know
1822 * how 3,3 version of record packets look like.
1824 if (!IS_DTLS(session
))
1825 _gnutls_record_set_default_version (session
, 3, 0);
1827 _gnutls_record_set_default_version (session
, 254, 255);
1830 /* In order to know when this session was initiated.
1832 session
->security_parameters
.timestamp
= gnutls_time (NULL
);
1834 /* Generate random data
1836 if (!IS_DTLS (session
)
1837 || session
->internals
.dtls
.hsk_hello_verify_requests
== 0)
1839 _gnutls_tls_create_random (rnd
);
1840 _gnutls_set_client_random (session
, rnd
);
1842 memcpy (&data
[pos
], rnd
, GNUTLS_RANDOM_SIZE
);
1845 memcpy (&data
[pos
], session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1847 pos
+= GNUTLS_RANDOM_SIZE
;
1849 /* Copy the Session ID
1851 data
[pos
++] = session_id_len
;
1853 if (session_id_len
> 0)
1856 session
->internals
.resumed_security_parameters
.session_id
,
1858 pos
+= session_id_len
;
1861 /* Copy the DTLS cookie
1863 if (IS_DTLS(session
))
1865 data
[pos
++] = session
->internals
.dtls
.cookie_len
;
1866 memcpy(&data
[pos
], &session
->internals
.dtls
.cookie
, session
->internals
.dtls
.cookie_len
);
1867 pos
+= session
->internals
.dtls
.cookie_len
;
1870 /* Copy the ciphersuites.
1872 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1873 * prevention on initial negotiation (but not renegotiation; that's
1874 * handled with the RI extension below).
1876 if (!session
->internals
.initial_negotiation_completed
&&
1877 session
->security_parameters
.entity
== GNUTLS_CLIENT
&&
1878 (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
||
1879 session
->internals
.priorities
.no_extensions
!= 0))
1882 _gnutls_copy_ciphersuites (session
, &extdata
, TRUE
);
1883 _gnutls_extension_list_add (session
,
1884 GNUTLS_EXTENSION_SAFE_RENEGOTIATION
);
1887 ret
= _gnutls_copy_ciphersuites (session
, &extdata
, FALSE
);
1895 /* Copy the compression methods.
1897 ret
= _gnutls_copy_comp_methods (session
, &extdata
);
1904 /* Generate and copy TLS extensions.
1906 if (session
->internals
.priorities
.no_extensions
== 0)
1908 if (_gnutls_version_has_extensions (hver
))
1909 type
= GNUTLS_EXT_ANY
;
1912 if (session
->internals
.initial_negotiation_completed
!= 0)
1913 type
= GNUTLS_EXT_MANDATORY
;
1915 type
= GNUTLS_EXT_NONE
;
1918 ret
= _gnutls_gen_extensions (session
, &extdata
, type
);
1927 ret
= _mbuffer_append_data (bufel
, extdata
.data
, extdata
.length
);
1935 _gnutls_buffer_clear(&extdata
);
1938 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_CLIENT_HELLO
);
1941 _mbuffer_xfree(&bufel
);
1942 _gnutls_buffer_clear(&extdata
);
1947 _gnutls_send_server_hello (gnutls_session_t session
, int again
)
1949 mbuffer_st
*bufel
= NULL
;
1950 uint8_t *data
= NULL
;
1951 gnutls_buffer_st extdata
;
1953 int datalen
, ret
= 0;
1955 uint8_t session_id_len
= session
->security_parameters
.session_id_size
;
1956 char buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1960 _gnutls_buffer_init(&extdata
);
1964 datalen
= 2 + session_id_len
+ 1 + GNUTLS_RANDOM_SIZE
+ 3;
1966 _gnutls_gen_extensions (session
, &extdata
, GNUTLS_EXT_ANY
);
1973 bufel
= _gnutls_handshake_alloc (session
, datalen
+ extdata
.length
, datalen
+ extdata
.length
);
1977 ret
= GNUTLS_E_MEMORY_ERROR
;
1980 data
= _mbuffer_get_udata_ptr (bufel
);
1983 _gnutls_version_get_major (session
->security_parameters
.version
);
1985 _gnutls_version_get_minor (session
->security_parameters
.version
);
1988 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1989 pos
+= GNUTLS_RANDOM_SIZE
;
1991 data
[pos
++] = session_id_len
;
1992 if (session_id_len
> 0)
1994 memcpy (&data
[pos
], session
->security_parameters
.session_id
,
1997 pos
+= session_id_len
;
1999 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session
,
2000 _gnutls_bin2hex (session
->security_parameters
.
2001 session_id
, session_id_len
, buf
,
2002 sizeof (buf
), NULL
));
2005 session
->security_parameters
.cipher_suite
, 2);
2008 comp
= _gnutls_compression_get_num ( session
->security_parameters
.compression_method
);
2011 if (extdata
.length
> 0)
2013 datalen
+= extdata
.length
;
2014 memcpy (&data
[pos
], extdata
.data
, extdata
.length
);
2019 _gnutls_send_handshake (session
, bufel
, GNUTLS_HANDSHAKE_SERVER_HELLO
);
2022 _gnutls_buffer_clear(&extdata
);
2027 _gnutls_send_hello (gnutls_session_t session
, int again
)
2031 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2033 ret
= _gnutls_send_client_hello (session
, again
);
2038 ret
= _gnutls_send_server_hello (session
, again
);
2044 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2045 * hello message is expected. It uses the security_parameters.cipher_suite
2046 * and internals.compression_method.
2049 _gnutls_recv_hello (gnutls_session_t session
, uint8_t * data
, int datalen
)
2053 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2055 ret
= _gnutls_read_server_hello (session
, data
, datalen
);
2063 { /* Server side reading a client hello */
2065 ret
= _gnutls_read_client_hello (session
, data
, datalen
);
2073 ret
= _gnutls_ext_sr_verify (session
);
2084 _gnutls_recv_hello_verify_request (gnutls_session_t session
,
2085 uint8_t * data
, int datalen
)
2087 ssize_t len
= datalen
;
2090 unsigned int nb_verifs
;
2092 if (!IS_DTLS (session
)
2093 || session
->security_parameters
.entity
== GNUTLS_SERVER
)
2096 return GNUTLS_E_INTERNAL_ERROR
;
2099 nb_verifs
= ++session
->internals
.dtls
.hsk_hello_verify_requests
;
2100 if (nb_verifs
>= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS
)
2102 /* The server is either buggy, malicious or changing cookie
2103 secrets _way_ too fast. */
2105 return GNUTLS_E_UNEXPECTED_PACKET
;
2108 /* TODO: determine if we need to do anything with the server version field */
2113 cookie_len
= data
[pos
];
2116 if (cookie_len
> DTLS_MAX_COOKIE_SIZE
)
2119 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2122 DECR_LEN (len
, cookie_len
);
2124 session
->internals
.dtls
.cookie_len
= cookie_len
;
2125 memcpy (session
->internals
.dtls
.cookie
, &data
[pos
], cookie_len
);
2132 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2135 /* reset handshake hash buffers */
2136 _gnutls_handshake_hash_buffer_empty (session
);
2141 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2145 * ClientHello -------->
2146 * <-------- ServerHello
2149 * ServerKeyExchange*
2150 * <-------- CertificateRequest*
2152 * <-------- ServerHelloDone
2155 * CertificateVerify*
2156 * [ChangeCipherSpec]
2157 * Finished -------->
2159 * [ChangeCipherSpec]
2160 * <-------- Finished
2162 * (*): means optional packet.
2165 /* Handshake when resumming session:
2168 * ClientHello -------->
2170 * [ChangeCipherSpec]
2171 * <-------- Finished
2172 * [ChangeCipherSpec]
2173 * Finished -------->
2178 * gnutls_rehandshake:
2179 * @session: is a #gnutls_session_t structure.
2181 * This function will renegotiate security parameters with the
2182 * client. This should only be called in case of a server.
2184 * This message informs the peer that we want to renegotiate
2185 * parameters (perform a handshake).
2187 * If this function succeeds (returns 0), you must call the
2188 * gnutls_handshake() function in order to negotiate the new
2191 * Since TLS is full duplex some application data might have been
2192 * sent during peer's processing of this message. In that case
2193 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2194 * is returned to clear any pending data. Care must be taken if
2195 * rehandshake is mandatory to terminate if it does not start after
2198 * If the client does not wish to renegotiate parameters he will
2199 * should with an alert message, thus the return code will be
2200 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2201 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2204 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2207 gnutls_rehandshake (gnutls_session_t session
)
2211 /* only server sends that handshake packet */
2212 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2213 return GNUTLS_E_INVALID_REQUEST
;
2215 _dtls_async_timer_delete(session
);
2218 _gnutls_send_empty_handshake (session
, GNUTLS_HANDSHAKE_HELLO_REQUEST
,
2233 _gnutls_abort_handshake (gnutls_session_t session
, int ret
)
2235 if (((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
) &&
2236 (gnutls_alert_get (session
) == GNUTLS_A_NO_RENEGOTIATION
))
2237 || ret
== GNUTLS_E_GOT_APPLICATION_DATA
)
2240 /* this doesn't matter */
2241 return GNUTLS_E_INTERNAL_ERROR
;
2247 _gnutls_send_supplemental (gnutls_session_t session
, int again
)
2252 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session
);
2256 _gnutls_send_handshake (session
, NULL
, GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2259 gnutls_buffer_st buf
;
2260 _gnutls_buffer_init (&buf
);
2262 ret
= _gnutls_gen_supplemental (session
, &buf
);
2269 bufel
= _gnutls_handshake_alloc(session
, buf
.length
, buf
.length
);
2273 return GNUTLS_E_MEMORY_ERROR
;
2276 _mbuffer_set_udata (bufel
, buf
.data
, buf
.length
);
2277 _gnutls_buffer_clear (&buf
);
2279 ret
= _gnutls_send_handshake (session
, bufel
,
2280 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2287 _gnutls_recv_supplemental (gnutls_session_t session
)
2289 gnutls_buffer_st buf
;
2292 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session
);
2294 ret
= _gnutls_recv_handshake (session
, GNUTLS_HANDSHAKE_SUPPLEMENTAL
,
2302 ret
= _gnutls_parse_supplemental (session
, buf
.data
, buf
.length
);
2310 _gnutls_buffer_clear(&buf
);
2317 * @session: is a #gnutls_session_t structure.
2319 * This function does the handshake of the TLS/SSL protocol, and
2320 * initializes the TLS connection.
2322 * This function will fail if any problem is encountered, and will
2323 * return a negative error code. In case of a client, if the client
2324 * has asked to resume a session, but the server couldn't, then a
2325 * full handshake will be performed.
2327 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2328 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2329 * should be resumed later. Call this function again, until it
2330 * returns 0; cf. gnutls_record_get_direction() and
2331 * gnutls_error_is_fatal().
2333 * If this function is called by a server after a rehandshake request
2334 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2335 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2336 * are non fatal errors, only in the specific case of a rehandshake.
2337 * Their meaning is that the client rejected the rehandshake request or
2338 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2339 * some data were pending.
2341 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2344 gnutls_handshake (gnutls_session_t session
)
2347 record_parameters_st
*params
;
2349 /* sanity check. Verify that there are priorities setup.
2351 if (session
->internals
.priorities
.protocol
.algorithms
== 0)
2352 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET
);
2354 ret
= _gnutls_epoch_get (session
, session
->security_parameters
.epoch_next
,
2358 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2360 _gnutls_epoch_alloc (session
, session
->security_parameters
.epoch_next
,
2363 return gnutls_assert_val(ret
);
2366 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2370 ret
= _gnutls_handshake_client (session
);
2375 ret
= _gnutls_handshake_server (session
);
2379 /* In the case of a rehandshake abort
2380 * we should reset the handshake's internal state.
2382 if (_gnutls_abort_handshake (session
, ret
) == 0)
2388 ret
= _gnutls_handshake_common (session
);
2392 if (_gnutls_abort_handshake (session
, ret
) == 0)
2400 if (IS_DTLS(session
)==0)
2402 _gnutls_handshake_io_buffer_clear (session
);
2406 _dtls_async_timer_init(session
);
2409 _gnutls_handshake_internal_state_clear (session
);
2411 session
->security_parameters
.epoch_next
++;
2417 #define IMED_RET( str, ret, allow_alert) do { \
2419 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2420 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2422 /* a warning alert might interrupt handshake */ \
2423 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2426 _gnutls_handshake_hash_buffers_clear(session); \
2433 * _gnutls_handshake_client
2434 * This function performs the client side of the handshake of the TLS/SSL protocol.
2437 _gnutls_handshake_client (gnutls_session_t session
)
2441 #ifdef HANDSHAKE_DEBUG
2444 if (session
->internals
.resumed_security_parameters
.session_id_size
> 0)
2445 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session
,
2446 _gnutls_bin2hex (session
->
2447 internals
.resumed_security_parameters
.session_id
,
2449 internals
.resumed_security_parameters
.session_id_size
,
2450 buf
, sizeof (buf
), NULL
));
2457 ret
= _gnutls_send_hello (session
, AGAIN (STATE1
));
2459 IMED_RET ("send hello", ret
, 1);
2462 if (IS_DTLS (session
))
2465 _gnutls_recv_handshake (session
,
2466 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST
,
2469 IMED_RET ("recv hello verify", ret
, 1);
2478 /* receive the server hello */
2480 _gnutls_recv_handshake (session
,
2481 GNUTLS_HANDSHAKE_SERVER_HELLO
,
2484 IMED_RET ("recv hello", ret
, 1);
2487 if (session
->security_parameters
.do_recv_supplemental
)
2489 ret
= _gnutls_recv_supplemental (session
);
2491 IMED_RET ("recv supplemental", ret
, 1);
2495 /* RECV CERTIFICATE */
2496 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2497 ret
= _gnutls_recv_server_certificate (session
);
2499 IMED_RET ("recv server certificate", ret
, 1);
2502 /* receive the server key exchange */
2503 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2504 ret
= _gnutls_recv_server_kx_message (session
);
2506 IMED_RET ("recv server kx message", ret
, 1);
2509 /* receive the server certificate request - if any
2512 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2513 ret
= _gnutls_recv_server_crt_request (session
);
2515 IMED_RET ("recv server certificate request message", ret
, 1);
2518 /* receive the server hello done */
2519 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2521 _gnutls_recv_handshake (session
,
2522 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2525 IMED_RET ("recv server hello done", ret
, 1);
2527 if (session
->security_parameters
.do_send_supplemental
)
2529 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE71
));
2531 IMED_RET ("send supplemental", ret
, 0);
2535 /* send our certificate - if any and if requested
2537 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2538 ret
= _gnutls_send_client_certificate (session
, AGAIN (STATE7
));
2540 IMED_RET ("send client certificate", ret
, 0);
2543 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2544 ret
= _gnutls_send_client_kx_message (session
, AGAIN (STATE8
));
2546 IMED_RET ("send client kx", ret
, 0);
2549 /* send client certificate verify */
2550 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2552 _gnutls_send_client_certificate_verify (session
, AGAIN (STATE9
));
2554 IMED_RET ("send client certificate verify", ret
, 1);
2567 /* This function is to be called if the handshake was successfully
2568 * completed. This sends a Change Cipher Spec packet to the peer.
2571 send_change_cipher_spec (gnutls_session_t session
, int again
)
2579 bufel
= _gnutls_handshake_alloc (session
, 1, 1);
2581 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR
);
2583 _mbuffer_set_uhead_size(bufel
, 1);
2584 _mbuffer_set_udata_size(bufel
, 0);
2586 data
= _mbuffer_get_uhead_ptr (bufel
);
2590 ret
= _gnutls_handshake_io_cache_int (session
, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC
, bufel
);
2593 _mbuffer_xfree(&bufel
);
2594 return gnutls_assert_val(ret
);
2597 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session
);
2603 /* This function sends the final handshake packets and initializes connection
2606 _gnutls_send_handshake_final (gnutls_session_t session
, int init
)
2610 /* Send the CHANGE CIPHER SPEC PACKET */
2616 ret
= send_change_cipher_spec (session
, AGAIN (STATE20
));
2621 ERR ("send ChangeCipherSpec", ret
);
2625 /* Initialize the connection session (start encryption) - in case of client
2629 ret
= _gnutls_connection_state_init (session
);
2637 ret
= _gnutls_write_connection_state_init (session
);
2645 /* send the finished message */
2646 ret
= _gnutls_send_finished (session
, AGAIN (STATE21
));
2650 ERR ("send Finished", ret
);
2663 /* This function receives the final handshake packets
2664 * And executes the appropriate function to initialize the
2668 _gnutls_recv_handshake_final (gnutls_session_t session
, int init
)
2680 /* This is the last flight and peer cannot be sure
2681 * we have received it unless we notify him. So we
2682 * wait for a message and retransmit if needed. */
2683 if (IS_DTLS(session
) && !_dtls_is_async(session
) &&
2684 (gnutls_record_check_pending (session
) +
2685 record_check_unprocessed (session
)) == 0)
2687 ret
= _dtls_wait_and_retransmit(session
);
2689 return gnutls_assert_val(ret
);
2692 ret
= _gnutls_recv_int (session
, GNUTLS_CHANGE_CIPHER_SPEC
, -1, &ch
, 1, NULL
);
2695 ERR ("recv ChangeCipherSpec", ret
);
2697 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2700 /* Initialize the connection session (start encryption) - in case of server */
2703 ret
= _gnutls_connection_state_init (session
);
2711 ret
= _gnutls_read_connection_state_init (session
);
2721 if (IS_DTLS(session
) && !_dtls_is_async(session
) &&
2722 (gnutls_record_check_pending( session
) +
2723 record_check_unprocessed (session
)) == 0)
2725 ret
= _dtls_wait_and_retransmit(session
);
2727 return gnutls_assert_val(ret
);
2730 ret
= _gnutls_recv_finished (session
);
2733 ERR ("recv finished", ret
);
2747 * _gnutls_handshake_server
2748 * This function does the server stuff of the handshake protocol.
2751 _gnutls_handshake_server (gnutls_session_t session
)
2760 _gnutls_recv_handshake (session
,
2761 GNUTLS_HANDSHAKE_CLIENT_HELLO
,
2764 IMED_RET ("recv hello", ret
, 1);
2767 ret
= _gnutls_send_hello (session
, AGAIN (STATE2
));
2769 IMED_RET ("send hello", ret
, 1);
2772 if (session
->security_parameters
.do_send_supplemental
)
2774 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE70
));
2776 IMED_RET ("send supplemental data", ret
, 0);
2779 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2781 /* NOTE: these should not be send if we are resuming */
2783 if (session
->internals
.resumed
== RESUME_FALSE
)
2784 ret
= _gnutls_send_server_certificate (session
, AGAIN (STATE3
));
2786 IMED_RET ("send server certificate", ret
, 0);
2789 /* send server key exchange (A) */
2790 if (session
->internals
.resumed
== RESUME_FALSE
)
2791 ret
= _gnutls_send_server_kx_message (session
, AGAIN (STATE4
));
2793 IMED_RET ("send server kx", ret
, 0);
2796 /* Send certificate request - if requested to */
2797 if (session
->internals
.resumed
== RESUME_FALSE
)
2799 _gnutls_send_server_crt_request (session
, AGAIN (STATE5
));
2801 IMED_RET ("send server cert request", ret
, 0);
2804 /* send the server hello done */
2805 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2807 _gnutls_send_empty_handshake (session
,
2808 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2811 IMED_RET ("send server hello done", ret
, 1);
2814 if (session
->security_parameters
.do_recv_supplemental
)
2816 ret
= _gnutls_recv_supplemental (session
);
2818 IMED_RET ("recv client supplemental", ret
, 1);
2821 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2823 /* receive the client certificate message */
2824 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2825 ret
= _gnutls_recv_client_certificate (session
);
2827 IMED_RET ("recv client certificate", ret
, 1);
2830 /* receive the client key exchange message */
2831 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2832 ret
= _gnutls_recv_client_kx_message (session
);
2834 IMED_RET ("recv client kx", ret
, 1);
2837 /* receive the client certificate verify message */
2838 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2839 ret
= _gnutls_recv_client_certificate_verify_message (session
);
2841 IMED_RET ("recv client certificate verify", ret
, 1);
2843 STATE
= STATE0
; /* finished thus clear session */
2852 _gnutls_handshake_common (gnutls_session_t session
)
2856 /* send and recv the change cipher spec and finished messages */
2857 if ((session
->internals
.resumed
!= RESUME_FALSE
2858 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2859 || (session
->internals
.resumed
== RESUME_FALSE
2860 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
2862 /* if we are a client resuming - or we are a server not resuming */
2863 ret
= _gnutls_recv_handshake_final (session
, TRUE
);
2864 IMED_RET ("recv handshake final", ret
, 1);
2870 ret
= _gnutls_send_new_session_ticket (session
, AGAIN (STATE40
));
2872 IMED_RET ("send handshake new session ticket", ret
, 0);
2878 ret
= _gnutls_send_handshake_final (session
, FALSE
);
2879 IMED_RET ("send handshake final", ret
, 1);
2881 /* only store if we are not resuming a session and we didn't previously send a ticket
2883 if (session
->security_parameters
.entity
== GNUTLS_SERVER
&& session
->internals
.ticket_sent
== 0)
2885 /* in order to support session resuming */
2886 _gnutls_server_register_current_session (session
);
2890 { /* if we are a client not resuming - or we are a server resuming */
2892 ret
= _gnutls_send_handshake_final (session
, TRUE
);
2893 IMED_RET ("send handshake final 2", ret
, 1);
2899 ret
= _gnutls_recv_new_session_ticket (session
);
2901 IMED_RET ("recv handshake new session ticket", ret
, 1);
2907 ret
= _gnutls_recv_handshake_final (session
, FALSE
);
2908 IMED_RET ("recv handshake final 2", ret
, 1);
2913 /* clear handshake buffer */
2914 _gnutls_handshake_hash_buffers_clear (session
);
2920 _gnutls_generate_session_id (uint8_t * session_id
, uint8_t * len
)
2924 *len
= TLS_MAX_SESSION_ID_SIZE
;
2926 ret
= _gnutls_rnd (GNUTLS_RND_NONCE
, session_id
, *len
);
2937 _gnutls_recv_hello_request (gnutls_session_t session
, void *data
,
2942 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
2945 return GNUTLS_E_UNEXPECTED_PACKET
;
2950 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2952 type
= ((uint8_t *) data
)[0];
2953 if (type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
2955 if (IS_DTLS(session
))
2956 session
->internals
.dtls
.hsk_read_seq
++;
2957 return GNUTLS_E_REHANDSHAKE
;
2962 return GNUTLS_E_UNEXPECTED_PACKET
;
2966 /* Returns 1 if the given KX has not the corresponding parameters
2967 * (DH or RSA) set up. Otherwise returns 0.
2970 check_server_params (gnutls_session_t session
,
2971 gnutls_kx_algorithm_t kx
,
2972 gnutls_kx_algorithm_t
* alg
, int alg_size
)
2975 gnutls_dh_params_t dh_params
= NULL
;
2976 gnutls_rsa_params_t rsa_params
= NULL
;
2979 cred_type
= _gnutls_map_kx_get_cred (kx
, 1);
2981 /* Read the Diffie-Hellman parameters, if any.
2983 if (cred_type
== GNUTLS_CRD_CERTIFICATE
)
2986 gnutls_certificate_credentials_t x509_cred
=
2987 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
2990 if (x509_cred
!= NULL
)
2993 _gnutls_get_dh_params (x509_cred
->dh_params
,
2994 x509_cred
->params_func
, session
);
2996 _gnutls_certificate_get_rsa_params (x509_cred
->rsa_params
,
2997 x509_cred
->params_func
,
3001 /* Check also if the certificate supports the
3005 for (j
= 0; j
< alg_size
; j
++)
3019 else if (cred_type
== GNUTLS_CRD_ANON
)
3021 gnutls_anon_server_credentials_t anon_cred
=
3022 (gnutls_anon_server_credentials_t
) _gnutls_get_cred (session
->key
,
3025 if (anon_cred
!= NULL
)
3028 _gnutls_get_dh_params (anon_cred
->dh_params
,
3029 anon_cred
->params_func
, session
);
3034 else if (cred_type
== GNUTLS_CRD_PSK
)
3036 gnutls_psk_server_credentials_t psk_cred
=
3037 (gnutls_psk_server_credentials_t
) _gnutls_get_cred (session
->key
,
3040 if (psk_cred
!= NULL
)
3043 _gnutls_get_dh_params (psk_cred
->dh_params
, psk_cred
->params_func
,
3049 return 0; /* no need for params */
3052 /* If the key exchange method needs RSA or DH params,
3053 * but they are not set then remove it.
3055 if (_gnutls_kx_needs_rsa_params (kx
) != 0)
3057 /* needs rsa params. */
3058 if (_gnutls_rsa_params_to_mpi (rsa_params
) == NULL
)
3065 if (_gnutls_kx_needs_dh_params (kx
) != 0)
3067 /* needs DH params. */
3068 if (_gnutls_dh_params_to_mpi (dh_params
) == NULL
)
3078 /* This function will remove algorithms that are not supported by
3079 * the requested authentication method. We remove an algorithm if
3080 * we have a certificate with keyUsage bits set.
3082 * This does a more high level check than gnutls_supported_ciphersuites(),
3083 * by checking certificates etc.
3086 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
3087 uint8_t * cipher_suites
,
3088 int cipher_suites_size
,
3089 gnutls_pk_algorithm_t
*pk_algos
,
3090 size_t pk_algos_size
)
3094 int i
, new_suites_size
;
3095 gnutls_certificate_credentials_t cert_cred
;
3096 gnutls_kx_algorithm_t kx
;
3097 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 1 : 0;
3098 gnutls_kx_algorithm_t alg
[MAX_ALGOS
];
3099 int alg_size
= MAX_ALGOS
;
3101 /* if we should use a specific certificate,
3102 * we should remove all algorithms that are not supported
3103 * by that certificate and are on the same authentication
3104 * method (CERTIFICATE).
3108 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
3109 GNUTLS_CRD_CERTIFICATE
,
3112 /* If there are certificate credentials, find an appropriate certificate
3115 if (session
->security_parameters
.entity
== GNUTLS_SERVER
3116 && cert_cred
!= NULL
&& pk_algos_size
> 0)
3118 ret
= _gnutls_server_select_cert (session
, pk_algos
, pk_algos_size
);
3122 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3123 gnutls_strerror (ret
));
3127 /* get all the key exchange algorithms that are
3128 * supported by the X509 certificate parameters.
3131 _gnutls_selected_cert_supported_kx (session
, alg
, &alg_size
)) < 0)
3137 new_suites_size
= 0;
3139 /* now removes ciphersuites based on the KX algorithm
3141 for (i
= 0; i
< cipher_suites_size
; i
+=2)
3145 /* finds the key exchange algorithm in
3148 kx
= _gnutls_cipher_suite_get_kx_algo (&cipher_suites
[i
]);
3150 /* if it is defined but had no credentials
3152 if (_gnutls_get_kx_cred (session
, kx
, NULL
) == NULL
)
3161 delete = check_server_params (session
, kx
, alg
, alg_size
);
3164 /* If we have not agreed to a common curve with the peer don't bother
3167 if (server
!= 0 && _gnutls_kx_is_ecc(kx
))
3169 if (_gnutls_session_ecc_curve_get(session
) == GNUTLS_ECC_CURVE_INVALID
)
3175 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3176 (see cred_mappings in gnutls_algorithms.c), but it also
3177 requires a SRP credential. Don't use SRP kx unless we have a
3178 SRP credential too. */
3179 if (kx
== GNUTLS_KX_SRP_RSA
|| kx
== GNUTLS_KX_SRP_DSS
)
3181 if (!_gnutls_get_cred (session
->key
, GNUTLS_CRD_SRP
, NULL
))
3190 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
3192 _gnutls_cipher_suite_get_name (&cipher_suites
[i
]),
3193 cipher_suites
[i
], cipher_suites
[i
+1]);
3195 if (i
!= new_suites_size
)
3196 memmove( &cipher_suites
[new_suites_size
], &cipher_suites
[i
], 2);
3201 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3203 _gnutls_cipher_suite_get_name (&cipher_suites
[i
]));
3208 ret
= new_suites_size
;
3215 * gnutls_handshake_set_max_packet_length:
3216 * @session: is a #gnutls_session_t structure.
3217 * @max: is the maximum number.
3219 * This function will set the maximum size of all handshake messages.
3220 * Handshakes over this size are rejected with
3221 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3222 * 48kb which is typically large enough. Set this to 0 if you do not
3223 * want to set an upper limit.
3225 * The reason for restricting the handshake message sizes are to
3226 * limit Denial of Service attacks.
3229 gnutls_handshake_set_max_packet_length (gnutls_session_t session
, size_t max
)
3231 session
->internals
.max_handshake_data_buffer_size
= max
;
3235 _gnutls_set_adv_version (gnutls_session_t session
, gnutls_protocol_t ver
)
3237 set_adv_version (session
, _gnutls_version_get_major (ver
),
3238 _gnutls_version_get_minor (ver
));
3242 _gnutls_get_adv_version (gnutls_session_t session
)
3244 return _gnutls_version_get (_gnutls_get_adv_version_major (session
),
3245 _gnutls_get_adv_version_minor (session
));
3249 * gnutls_handshake_get_last_in:
3250 * @session: is a #gnutls_session_t structure.
3252 * This function is only useful to check where the last performed
3253 * handshake failed. If the previous handshake succeed or was not
3254 * performed at all then no meaningful value will be returned.
3256 * Check %gnutls_handshake_description_t in gnutls.h for the
3257 * available handshake descriptions.
3259 * Returns: the last handshake message type received, a
3260 * %gnutls_handshake_description_t.
3262 gnutls_handshake_description_t
3263 gnutls_handshake_get_last_in (gnutls_session_t session
)
3265 return session
->internals
.last_handshake_in
;
3269 * gnutls_handshake_get_last_out:
3270 * @session: is a #gnutls_session_t structure.
3272 * This function is only useful to check where the last performed
3273 * handshake failed. If the previous handshake succeed or was not
3274 * performed at all then no meaningful value will be returned.
3276 * Check %gnutls_handshake_description_t in gnutls.h for the
3277 * available handshake descriptions.
3279 * Returns: the last handshake message type sent, a
3280 * %gnutls_handshake_description_t.
3282 gnutls_handshake_description_t
3283 gnutls_handshake_get_last_out (gnutls_session_t session
)
3285 return session
->internals
.last_handshake_out
;