search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
moved ca-certs.
[gnutls.git] / lib / gnutls_handshake.c
blob25520c40b6c432fd0f53d3580317222477a47934
1 /*
2 * Copyright (C) 2000-2012 Free Software Foundation, Inc.
3 *
4 * Author: Nikos Mavrogiannopoulos
5 *
6 * This file is part of GnuTLS.
7 *
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
20 *
21 */
22
23 /* Functions that relate to the TLS handshake procedure.
24 */
25
26 #include "gnutls_int.h"
27 #include "gnutls_errors.h"
28 #include "gnutls_dh.h"
29 #include "debug.h"
30 #include "algorithms.h"
31 #include "gnutls_compress.h"
32 #include "gnutls_cipher.h"
33 #include "gnutls_buffers.h"
34 #include "gnutls_mbuffers.h"
35 #include "gnutls_kx.h"
36 #include "gnutls_handshake.h"
37 #include "gnutls_num.h"
38 #include "gnutls_hash_int.h"
39 #include "gnutls_db.h"
40 #include "gnutls_extensions.h"
41 #include "gnutls_supplemental.h"
42 #include "gnutls_auth.h"
43 #include "gnutls_v2_compat.h"
44 #include <auth/cert.h>
45 #include "gnutls_constate.h"
46 #include <gnutls_record.h>
47 #include <gnutls_state.h>
48 #include <ext/srp.h>
49 #include <ext/session_ticket.h>
50 #include <ext/safe_renegotiation.h>
51 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
52 #include <auth/anon.h> /* for gnutls_anon_server_credentials_t */
53 #include <auth/psk.h> /* for gnutls_psk_server_credentials_t */
54 #include <random.h>
55 #include <gnutls_dtls.h>
56
57 #ifdef HANDSHAKE_DEBUG
58 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
59 #else
60 #define ERR(x, y)
61 #endif
62
63 #define TRUE 1
64 #define FALSE 0
65
66 static int _gnutls_server_select_comp_method (gnutls_session_t session,
67 uint8_t * data, int datalen);
68 static int
69 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
70 uint8_t * cipher_suites,
71 int cipher_suites_size,
72 gnutls_pk_algorithm_t *pk_algos,
73 size_t pk_algos_size);
74
75 /* Empties but does not free the buffer
76 */
77 static inline void
78 _gnutls_handshake_hash_buffer_empty (gnutls_session_t session)
79 {
80
81 _gnutls_buffers_log ("BUF[HSK]: Emptied buffer\n");
82
83 session->internals.handshake_hash_buffer_prev_len = 0;
84 session->internals.handshake_hash_buffer.length = 0;
85 return;
86 }
87
88 static int
89 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
90 gnutls_handshake_description_t recv_type,
91 uint8_t * header, uint16_t header_size,
92 uint8_t * dataptr, uint32_t datalen);
93
94 static int
95 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
96 gnutls_handshake_description_t type,
97 uint8_t * dataptr, uint32_t datalen);
98
99 static int
100 _gnutls_recv_hello_verify_request (gnutls_session_t session,
101 uint8_t * data, int datalen);
102
103
104 /* Clears the handshake hash buffers and handles.
105 */
106 void
107 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
108 {
109 session->internals.handshake_hash_buffer_prev_len = 0;
110 _gnutls_buffer_clear(&session->internals.handshake_hash_buffer);
111 }
112
113 /* this will copy the required values for resuming to
114 * internals, and to security_parameters.
115 * this will keep as less data to security_parameters.
116 */
117 static void
118 resume_copy_required_values (gnutls_session_t session)
119 {
120 /* get the new random values */
121 memcpy (session->internals.resumed_security_parameters.server_random,
122 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
123 memcpy (session->internals.resumed_security_parameters.client_random,
124 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
125
126 /* keep the ciphersuite and compression
127 * That is because the client must see these in our
128 * hello message.
129 */
130 memcpy (session->security_parameters.cipher_suite,
131 session->internals.resumed_security_parameters.cipher_suite, 2);
132 session->security_parameters.compression_method = session->internals.resumed_security_parameters.compression_method;
133
134 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
135 session->
136 internals.resumed_security_parameters.cipher_suite);
137 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
138 session->
139 internals.resumed_security_parameters.compression_method);
140
141 /* or write_compression_algorithm
142 * they are the same
143 */
144
145 session->security_parameters.entity =
146 session->internals.resumed_security_parameters.entity;
147
148 _gnutls_set_current_version (session,
149 session->internals.resumed_security_parameters.
150 version);
151
152 session->security_parameters.cert_type =
153 session->internals.resumed_security_parameters.cert_type;
154
155 memcpy (session->security_parameters.session_id,
156 session->internals.resumed_security_parameters.session_id,
157 sizeof (session->security_parameters.session_id));
158 session->security_parameters.session_id_size =
159 session->internals.resumed_security_parameters.session_id_size;
160
161 }
162
163 void
164 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
165 {
166 memcpy (session->security_parameters.server_random, rnd,
167 GNUTLS_RANDOM_SIZE);
168 }
169
170 void
171 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
172 {
173 memcpy (session->security_parameters.client_random, rnd,
174 GNUTLS_RANDOM_SIZE);
175 }
176
177 /* Calculate The SSL3 Finished message
178 */
179 #define SSL3_CLIENT_MSG "CLNT"
180 #define SSL3_SERVER_MSG "SRVR"
181 #define SSL_MSG_LEN 4
182 static int
183 _gnutls_ssl3_finished (gnutls_session_t session, int type, uint8_t * ret, int sending)
184 {
185 digest_hd_st td_md5;
186 digest_hd_st td_sha;
187 const char *mesg;
188 int rc, len;
189
190 if (sending)
191 len = session->internals.handshake_hash_buffer.length;
192 else
193 len = session->internals.handshake_hash_buffer_prev_len;
194
195 rc = _gnutls_hash_init (&td_sha, GNUTLS_DIG_SHA1);
196 if (rc < 0)
197 return gnutls_assert_val(rc);
198
199 rc = _gnutls_hash_init (&td_md5, GNUTLS_DIG_MD5);
200 if (rc < 0)
201 {
202 _gnutls_hash_deinit (&td_sha, NULL);
203 return gnutls_assert_val(rc);
204 }
205
206 _gnutls_hash(&td_sha, session->internals.handshake_hash_buffer.data, len);
207 _gnutls_hash(&td_md5, session->internals.handshake_hash_buffer.data, len);
208
209 if (type == GNUTLS_SERVER)
210 mesg = SSL3_SERVER_MSG;
211 else
212 mesg = SSL3_CLIENT_MSG;
213
214 _gnutls_hash (&td_md5, mesg, SSL_MSG_LEN);
215 _gnutls_hash (&td_sha, mesg, SSL_MSG_LEN);
216
217 rc = _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
218 session->
219 security_parameters.master_secret,
220 GNUTLS_MASTER_SIZE);
221 if (rc < 0)
222 {
223 _gnutls_hash_deinit (&td_md5, NULL);
224 _gnutls_hash_deinit (&td_sha, NULL);
225 return gnutls_assert_val(rc);
226 }
227
228 rc = _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
229 session->
230 security_parameters.master_secret,
231 GNUTLS_MASTER_SIZE);
232 if (rc < 0)
233 {
234 _gnutls_hash_deinit (&td_sha, NULL);
235 return gnutls_assert_val(rc);
236 }
237
238 return 0;
239 }
240
241 /* Hash the handshake messages as required by TLS 1.0
242 */
243 #define SERVER_MSG "server finished"
244 #define CLIENT_MSG "client finished"
245 #define TLS_MSG_LEN 15
246 static int
247 _gnutls_finished (gnutls_session_t session, int type, void *ret, int sending)
248 {
249 const int siz = TLS_MSG_LEN;
250 uint8_t concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
251 size_t hash_len;
252 const char *mesg;
253 int rc, len;
254
255 if (sending)
256 len = session->internals.handshake_hash_buffer.length;
257 else
258 len = session->internals.handshake_hash_buffer_prev_len;
259
260 if (!_gnutls_version_has_selectable_prf (gnutls_protocol_get_version(session)))
261 {
262 rc = _gnutls_hash_fast( GNUTLS_DIG_SHA1, session->internals.handshake_hash_buffer.data, len, &concat[16]);
263 if (rc < 0)
264 return gnutls_assert_val(rc);
265
266 rc = _gnutls_hash_fast( GNUTLS_DIG_MD5, session->internals.handshake_hash_buffer.data, len, concat);
267 if (rc < 0)
268 return gnutls_assert_val(rc);
269
270 hash_len = 20 + 16;
271 }
272 else
273 {
274 int algorithm = _gnutls_cipher_suite_get_prf(session->security_parameters.cipher_suite);
275
276 rc = _gnutls_hash_fast( algorithm, session->internals.handshake_hash_buffer.data, len, concat);
277 if (rc < 0)
278 return gnutls_assert_val(rc);
279
280 hash_len = _gnutls_hash_get_algo_len (algorithm);
281 }
282
283 if (type == GNUTLS_SERVER)
284 {
285 mesg = SERVER_MSG;
286 }
287 else
288 {
289 mesg = CLIENT_MSG;
290 }
291
292 return _gnutls_PRF (session, session->security_parameters.master_secret,
293 GNUTLS_MASTER_SIZE, mesg, siz, concat, hash_len, 12, ret);
294 }
295
296 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
297 * and put it to dst.
298 */
299 int
300 _gnutls_tls_create_random (uint8_t * dst)
301 {
302 uint32_t tim;
303 int ret;
304
305 /* Use weak random numbers for the most of the
306 * buffer except for the first 4 that are the
307 * system's time.
308 */
309
310 tim = gnutls_time (NULL);
311 /* generate server random value */
312 _gnutls_write_uint32 (tim, dst);
313
314 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
315 if (ret < 0)
316 {
317 gnutls_assert ();
318 return ret;
319 }
320
321 return 0;
322 }
323
324 /* returns the 0 on success or a negative error code.
325 */
326 int
327 _gnutls_negotiate_version (gnutls_session_t session,
328 gnutls_protocol_t adv_version)
329 {
330 int ret;
331
332 /* if we do not support that version */
333 if (_gnutls_version_is_supported (session, adv_version) == 0)
334 {
335 /* If he requested something we do not support
336 * then we send him the highest we support.
337 */
338 ret = _gnutls_version_max (session);
339 if (ret == GNUTLS_VERSION_UNKNOWN)
340 {
341 /* this check is not really needed.
342 */
343 gnutls_assert ();
344 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
345 }
346 }
347 else
348 {
349 ret = adv_version;
350 }
351
352 _gnutls_set_current_version (session, ret);
353
354 return ret;
355 }
356
357 int
358 _gnutls_user_hello_func (gnutls_session_t session,
359 gnutls_protocol_t adv_version)
360 {
361 int ret;
362
363 if (session->internals.user_hello_func != NULL)
364 {
365 ret = session->internals.user_hello_func (session);
366 if (ret < 0)
367 {
368 gnutls_assert ();
369 return ret;
370 }
371 /* Here we need to renegotiate the version since the callee might
372 * have disabled some TLS versions.
373 */
374 ret = _gnutls_negotiate_version (session, adv_version);
375 if (ret < 0)
376 {
377 gnutls_assert ();
378 return ret;
379 }
380 }
381 return 0;
382 }
383
384 /* Read a client hello packet.
385 * A client hello must be a known version client hello
386 * or version 2.0 client hello (only for compatibility
387 * since SSL version 2.0 is not supported).
388 */
389 static int
390 _gnutls_read_client_hello (gnutls_session_t session, uint8_t * data,
391 int datalen)
392 {
393 uint8_t session_id_len;
394 int pos = 0, ret;
395 uint16_t suite_size, comp_size;
396 gnutls_protocol_t adv_version;
397 int neg_version;
398 int len = datalen;
399 uint8_t rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
400
401 DECR_LEN (len, 2);
402
403 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
404 data[pos], data[pos + 1]);
405
406 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
407 set_adv_version (session, data[pos], data[pos + 1]);
408 pos += 2;
409
410 neg_version = _gnutls_negotiate_version (session, adv_version);
411 if (neg_version < 0)
412 {
413 gnutls_assert ();
414 return neg_version;
415 }
416
417 /* Read client random value.
418 */
419 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
420 _gnutls_set_client_random (session, &data[pos]);
421 pos += GNUTLS_RANDOM_SIZE;
422
423 _gnutls_tls_create_random (rnd);
424 _gnutls_set_server_random (session, rnd);
425
426 session->security_parameters.timestamp = gnutls_time (NULL);
427
428 DECR_LEN (len, 1);
429 session_id_len = data[pos++];
430
431 /* RESUME SESSION
432 */
433 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
434 {
435 gnutls_assert ();
436 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
437 }
438 DECR_LEN (len, session_id_len);
439 session_id = &data[pos];
440 pos += session_id_len;
441
442 if (IS_DTLS(session))
443 {
444 int cookie_size;
445
446 DECR_LEN (len, 1);
447 cookie_size = data[pos++];
448 DECR_LEN (len, cookie_size);
449 pos+=cookie_size;
450 }
451
452 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
453
454 if (session_id_len > 0) session->internals.resumption_requested = 1;
455
456 if (ret == 0)
457 { /* resumed using default TLS resumption! */
458 /* Parse only the safe renegotiation extension
459 * We don't want to parse any other extensions since
460 * we don't want new extension values to overwrite the
461 * resumed ones.
462 */
463
464 /* move forward to extensions */
465 DECR_LEN (len, 2);
466 suite_size = _gnutls_read_uint16 (&data[pos]);
467 pos += 2;
468
469 DECR_LEN (len, suite_size);
470 pos += suite_size;
471
472 DECR_LEN (len, 1);
473 comp_size = data[pos++]; /* z is the number of compression methods */
474 DECR_LEN (len, comp_size);
475 pos += comp_size;
476
477 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
478 &data[pos], len);
479 if (ret < 0)
480 {
481 gnutls_assert ();
482 return ret;
483 }
484
485 resume_copy_required_values (session);
486 session->internals.resumed = RESUME_TRUE;
487
488 return _gnutls_user_hello_func (session, adv_version);
489 }
490 else
491 {
492 _gnutls_generate_session_id (session->security_parameters.session_id,
493 &session->
494 security_parameters.session_id_size);
495
496 session->internals.resumed = RESUME_FALSE;
497 }
498
499 /* Remember ciphersuites for later
500 */
501 DECR_LEN (len, 2);
502 suite_size = _gnutls_read_uint16 (&data[pos]);
503 pos += 2;
504
505 DECR_LEN (len, suite_size);
506 suite_ptr = &data[pos];
507 pos += suite_size;
508
509 /* Point to the compression methods
510 */
511 DECR_LEN (len, 1);
512 comp_size = data[pos++]; /* z is the number of compression methods */
513
514 DECR_LEN (len, comp_size);
515 comp_ptr = &data[pos];
516 pos += comp_size;
517
518 /* Parse the extensions (if any)
519 *
520 * Unconditionally try to parse extensions; safe renegotiation uses them in
521 * sslv3 and higher, even though sslv3 doesn't officially support them.
522 */
523 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
524 &data[pos], len);
525 /* len is the rest of the parsed length */
526 if (ret < 0)
527 {
528 gnutls_assert ();
529 return ret;
530 }
531
532 ret = _gnutls_user_hello_func (session, adv_version);
533 if (ret < 0)
534 {
535 gnutls_assert ();
536 return ret;
537 }
538
539 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
540 &data[pos], len);
541 if (ret < 0)
542 {
543 gnutls_assert ();
544 return ret;
545 }
546
547 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS, &data[pos], len);
548 if (ret < 0)
549 {
550 gnutls_assert ();
551 return ret;
552 }
553
554 /* resumed by session_ticket extension */
555 if (session->internals.resumed != RESUME_FALSE)
556 {
557 /* to indicate the client that the current session is resumed */
558 memcpy (session->internals.resumed_security_parameters.session_id,
559 session_id, session_id_len);
560 session->internals.resumed_security_parameters.session_id_size =
561 session_id_len;
562
563 session->internals.resumed_security_parameters.max_record_recv_size =
564 session->security_parameters.max_record_recv_size;
565 session->internals.resumed_security_parameters.max_record_send_size =
566 session->security_parameters.max_record_send_size;
567
568 resume_copy_required_values (session);
569
570 return _gnutls_user_hello_func (session, adv_version);
571 }
572
573 /* select an appropriate cipher suite
574 */
575 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
576 if (ret < 0)
577 {
578 gnutls_assert ();
579 return ret;
580 }
581
582 /* select appropriate compression method */
583 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
584 if (ret < 0)
585 {
586 gnutls_assert ();
587 return ret;
588 }
589
590 return 0;
591 }
592
593 /* This is to be called after sending CHANGE CIPHER SPEC packet
594 * and initializing encryption. This is the first encrypted message
595 * we send.
596 */
597 static int
598 _gnutls_send_finished (gnutls_session_t session, int again)
599 {
600 mbuffer_st *bufel;
601 uint8_t *data;
602 int ret;
603 size_t vdata_size = 0;
604
605 if (again == 0)
606 {
607 bufel = _gnutls_handshake_alloc (session, MAX_VERIFY_DATA_SIZE, MAX_VERIFY_DATA_SIZE);
608 if (bufel == NULL)
609 {
610 gnutls_assert ();
611 return GNUTLS_E_MEMORY_ERROR;
612 }
613 data = _mbuffer_get_udata_ptr (bufel);
614
615 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
616 {
617 ret =
618 _gnutls_ssl3_finished (session,
619 session->security_parameters.entity, data, 1);
620 _mbuffer_set_udata_size (bufel, 36);
621 }
622 else
623 { /* TLS 1.0+ */
624 ret = _gnutls_finished (session,
625 session->security_parameters.entity, data, 1);
626 _mbuffer_set_udata_size (bufel, 12);
627 }
628
629 if (ret < 0)
630 {
631 gnutls_assert ();
632 return ret;
633 }
634
635 vdata_size = _mbuffer_get_udata_size (bufel);
636
637 ret = _gnutls_ext_sr_finished (session, data, vdata_size, 0);
638 if (ret < 0)
639 {
640 gnutls_assert ();
641 return ret;
642 }
643
644 if ((session->internals.resumed == RESUME_FALSE
645 && session->security_parameters.entity == GNUTLS_CLIENT)
646 || (session->internals.resumed != RESUME_FALSE
647 && session->security_parameters.entity == GNUTLS_SERVER))
648 {
649 /* if we are a client not resuming - or we are a server resuming */
650 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (send)\n",
651 session);
652 memcpy (session->internals.cb_tls_unique, data, vdata_size);
653 session->internals.cb_tls_unique_len = vdata_size;
654 }
655
656 ret =
657 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_FINISHED);
658 }
659 else
660 {
661 ret = _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_FINISHED);
662 }
663
664 return ret;
665 }
666
667 /* This is to be called after sending our finished message. If everything
668 * went fine we have negotiated a secure connection
669 */
670 static int
671 _gnutls_recv_finished (gnutls_session_t session)
672 {
673 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
674 gnutls_buffer_st buf;
675 int data_size;
676 int ret;
677 int vrfy_size;
678
679 ret =
680 _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_FINISHED,
681 0, &buf);
682 if (ret < 0)
683 {
684 ERR ("recv finished int", ret);
685 gnutls_assert ();
686 return ret;
687 }
688
689 vrfy = buf.data;
690 vrfy_size = buf.length;
691
692 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
693 {
694 data_size = 36;
695 }
696 else
697 {
698 data_size = 12;
699 }
700
701 if (vrfy_size != data_size)
702 {
703 gnutls_assert ();
704 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
705 goto cleanup;
706 }
707
708 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
709 {
710 ret =
711 _gnutls_ssl3_finished (session,
712 (session->security_parameters.entity + 1) % 2,
713 data, 0);
714 }
715 else
716 { /* TLS 1.0 */
717 ret =
718 _gnutls_finished (session,
719 (session->security_parameters.entity +
720 1) % 2, data, 0);
721 }
722
723 if (ret < 0)
724 {
725 gnutls_assert ();
726 goto cleanup;
727 }
728
729 if (memcmp (vrfy, data, data_size) != 0)
730 {
731 gnutls_assert ();
732 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
733 goto cleanup;
734 }
735
736 ret = _gnutls_ext_sr_finished (session, data, data_size, 1);
737 if (ret < 0)
738 {
739 gnutls_assert ();
740 goto cleanup;
741 }
742
743 if ((session->internals.resumed != RESUME_FALSE
744 && session->security_parameters.entity == GNUTLS_CLIENT)
745 || (session->internals.resumed == RESUME_FALSE
746 && session->security_parameters.entity == GNUTLS_SERVER))
747 {
748 /* if we are a client resuming - or we are a server not resuming */
749 _gnutls_handshake_log ("HSK[%p]: recording tls-unique CB (recv)\n",
750 session);
751 memcpy (session->internals.cb_tls_unique, data, data_size);
752 session->internals.cb_tls_unique_len = data_size;
753 }
754
755
756 session->internals.initial_negotiation_completed = 1;
757
758 cleanup:
759 _gnutls_buffer_clear(&buf);
760
761 return ret;
762 }
763
764 /* returns PK_RSA if the given cipher suite list only supports,
765 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
766 */
767 static int
768 server_find_pk_algos_in_ciphersuites (const uint8_t *
769 data, unsigned int datalen,
770 gnutls_pk_algorithm_t * algos,
771 size_t* algos_size)
772 {
773 unsigned int j;
774 gnutls_kx_algorithm_t kx;
775 unsigned int max = *algos_size;
776
777 if (datalen % 2 != 0)
778 {
779 gnutls_assert ();
780 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
781 }
782
783 *algos_size = 0;
784 for (j = 0; j < datalen; j += 2)
785 {
786 kx = _gnutls_cipher_suite_get_kx_algo (&data[j]);
787 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
788 {
789 algos[(*algos_size)++] = _gnutls_map_pk_get_pk (kx);
790
791 if ((*algos_size) >= max)
792 return 0;
793 }
794 }
795
796 return 0;
797 }
798
799 /* This selects the best supported ciphersuite from the given ones. Then
800 * it adds the suite to the session and performs some checks.
801 */
802 int
803 _gnutls_server_select_suite (gnutls_session_t session, uint8_t * data,
804 unsigned int datalen)
805 {
806 int ret;
807 unsigned int i, j, cipher_suites_size;
808 size_t pk_algos_size;
809 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
810 int retval, err;
811 gnutls_pk_algorithm_t pk_algos[MAX_ALGOS]; /* will hold the pk algorithms
812 * supported by the peer.
813 */
814
815 /* First, check for safe renegotiation SCSV.
816 */
817 if (session->internals.priorities.sr != SR_DISABLED)
818 {
819 unsigned int offset;
820
821 for (offset = 0; offset < datalen; offset += 2)
822 {
823 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
824 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
825 data[offset + 1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
826 {
827 _gnutls_handshake_log
828 ("HSK[%p]: Received safe renegotiation CS\n", session);
829 retval = _gnutls_ext_sr_recv_cs (session);
830 if (retval < 0)
831 {
832 gnutls_assert ();
833 return retval;
834 }
835 break;
836 }
837 }
838 }
839
840 pk_algos_size = MAX_ALGOS;
841 ret = server_find_pk_algos_in_ciphersuites (data, datalen, pk_algos, &pk_algos_size);
842 if (ret < 0)
843 return gnutls_assert_val(ret);
844
845 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
846 if (ret < 0)
847 return gnutls_assert_val(ret);
848
849 cipher_suites_size = ret;
850
851 /* Here we remove any ciphersuite that does not conform
852 * the certificate requested, or to the
853 * authentication requested (e.g. SRP).
854 */
855 ret = _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, cipher_suites_size, pk_algos, pk_algos_size);
856 if (ret <= 0)
857 {
858 gnutls_assert ();
859 if (ret < 0)
860 return ret;
861 else
862 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
863 }
864
865 cipher_suites_size = ret;
866
867 /* Data length should be zero mod 2 since
868 * every ciphersuite is 2 bytes. (this check is needed
869 * see below).
870 */
871 if (datalen % 2 != 0)
872 {
873 gnutls_assert ();
874 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
875 }
876
877 memset (session->security_parameters.cipher_suite, 0, 2);
878
879 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
880
881 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites[size: %d]: \n", session, (int)datalen);
882
883 if (session->internals.priorities.server_precedence == 0)
884 {
885 for (j = 0; j < datalen; j += 2)
886 {
887 _gnutls_handshake_log ("\t0x%.2x, 0x%.2x %s\n", data[j], data[j+1], _gnutls_cipher_suite_get_name (&data[j]));
888 for (i = 0; i < cipher_suites_size; i+=2)
889 {
890 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
891 {
892 _gnutls_handshake_log
893 ("HSK[%p]: Selected cipher suite: %s\n", session,
894 _gnutls_cipher_suite_get_name (&data[j]));
895 memcpy (session->security_parameters.cipher_suite,
896 &cipher_suites[i], 2);
897 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
898 session->
899 security_parameters.cipher_suite);
900
901
902 retval = 0;
903 goto finish;
904 }
905 }
906 }
907 }
908 else /* server selects */
909 {
910 for (i = 0; i < cipher_suites_size; i+=2)
911 {
912 for (j = 0; j < datalen; j += 2)
913 {
914 if (memcmp (&cipher_suites[i], &data[j], 2) == 0)
915 {
916 _gnutls_handshake_log
917 ("HSK[%p]: Selected cipher suite: %s\n", session,
918 _gnutls_cipher_suite_get_name (&data[j]));
919 memcpy (session->security_parameters.cipher_suite,
920 &cipher_suites[i], 2);
921 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
922 session->
923 security_parameters.cipher_suite);
924
925
926 retval = 0;
927 goto finish;
928 }
929 }
930 }
931 }
932 finish:
933
934 if (retval != 0)
935 {
936 gnutls_assert ();
937 return retval;
938 }
939
940 /* check if the credentials (username, public key etc.) are ok
941 */
942 if (_gnutls_get_kx_cred
943 (session,
944 _gnutls_cipher_suite_get_kx_algo (session->
945 security_parameters.cipher_suite),
946 &err) == NULL && err != 0)
947 {
948 gnutls_assert ();
949 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
950 }
951
952
953 /* set the mod_auth_st to the appropriate struct
954 * according to the KX algorithm. This is needed since all the
955 * handshake functions are read from there;
956 */
957 session->internals.auth_struct =
958 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
959 (session->
960 security_parameters.cipher_suite));
961 if (session->internals.auth_struct == NULL)
962 {
963
964 _gnutls_handshake_log
965 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
966 session);
967 gnutls_assert ();
968 return GNUTLS_E_INTERNAL_ERROR;
969 }
970
971 return 0;
972
973 }
974
975
976 /* This selects the best supported compression method from the ones provided
977 */
978 static int
979 _gnutls_server_select_comp_method (gnutls_session_t session,
980 uint8_t * data, int datalen)
981 {
982 int x, i, j;
983 uint8_t comps[MAX_ALGOS];
984
985 x = _gnutls_supported_compression_methods (session, comps, MAX_ALGOS);
986 if (x < 0)
987 {
988 gnutls_assert ();
989 return x;
990 }
991
992 if (session->internals.priorities.server_precedence == 0)
993 {
994 for (j = 0; j < datalen; j++)
995 {
996 for (i = 0; i < x; i++)
997 {
998 if (comps[i] == data[j])
999 {
1000 gnutls_compression_method_t method =
1001 _gnutls_compression_get_id (comps[i]);
1002
1003 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1004 session->security_parameters.compression_method = method;
1005
1006 _gnutls_handshake_log
1007 ("HSK[%p]: Selected Compression Method: %s\n", session,
1008 gnutls_compression_get_name (method));
1009 return 0;
1010 }
1011 }
1012 }
1013 }
1014 else
1015 {
1016 for (i = 0; i < x; i++)
1017 {
1018 for (j = 0; j < datalen; j++)
1019 {
1020 if (comps[i] == data[j])
1021 {
1022 gnutls_compression_method_t method =
1023 _gnutls_compression_get_id (comps[i]);
1024
1025 _gnutls_epoch_set_compression (session, EPOCH_NEXT, method);
1026 session->security_parameters.compression_method = method;
1027
1028 _gnutls_handshake_log
1029 ("HSK[%p]: Selected Compression Method: %s\n", session,
1030 gnutls_compression_get_name (method));
1031 return 0;
1032 }
1033 }
1034 }
1035 }
1036
1037 /* we were not able to find a compatible compression
1038 * algorithm
1039 */
1040 gnutls_assert ();
1041 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1042
1043 }
1044
1045 /* This function sends an empty handshake packet. (like hello request).
1046 * If the previous _gnutls_send_empty_handshake() returned
1047 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1048 * (until it returns ok), with NULL parameters.
1049 */
1050 static int
1051 _gnutls_send_empty_handshake (gnutls_session_t session,
1052 gnutls_handshake_description_t type, int again)
1053 {
1054 mbuffer_st *bufel;
1055
1056 if (again == 0)
1057 {
1058 bufel = _gnutls_handshake_alloc (session, 0, 0);
1059 if (bufel == NULL)
1060 {
1061 gnutls_assert ();
1062 return GNUTLS_E_MEMORY_ERROR;
1063 }
1064 }
1065 else
1066 bufel = NULL;
1067
1068 return _gnutls_send_handshake (session, bufel, type);
1069 }
1070
1071
1072
1073
1074 /* This function sends a handshake message of type 'type' containing the
1075 * data specified here. If the previous _gnutls_send_handshake() returned
1076 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1077 * (until it returns ok), with NULL parameters.
1078 */
1079 int
1080 _gnutls_send_handshake (gnutls_session_t session, mbuffer_st * bufel,
1081 gnutls_handshake_description_t type)
1082 {
1083 int ret;
1084 uint8_t *data;
1085 uint32_t datasize, i_datasize;
1086 int pos = 0;
1087
1088 if (bufel == NULL)
1089 {
1090 /* we are resuming a previously interrupted
1091 * send.
1092 */
1093 ret = _gnutls_handshake_io_write_flush (session);
1094 return ret;
1095
1096 }
1097
1098 /* first run */
1099 data = _mbuffer_get_uhead_ptr (bufel);
1100 i_datasize = _mbuffer_get_udata_size(bufel);
1101 datasize = i_datasize + _mbuffer_get_uhead_size (bufel);
1102
1103 data[pos++] = (uint8_t) type;
1104 _gnutls_write_uint24 (_mbuffer_get_udata_size (bufel), &data[pos]);
1105 pos += 3;
1106
1107 /* Add DTLS handshake fragment headers. The message will be
1108 * fragmented later by the fragmentation sub-layer. All fields must
1109 * be set properly for HMAC. The HMAC requires we pretend that the
1110 * message was sent in a single fragment. */
1111 if (IS_DTLS(session))
1112 {
1113 _gnutls_write_uint16 (session->internals.dtls.hsk_write_seq++, &data[pos]);
1114 pos += 2;
1115
1116 /* Fragment offset */
1117 _gnutls_write_uint24 (0, &data[pos]);
1118 pos += 3;
1119
1120 /* Fragment length */
1121 _gnutls_write_uint24 (i_datasize, &data[pos]);
1122 pos += 3;
1123 }
1124
1125 _gnutls_handshake_log ("HSK[%p]: %s was queued [%ld bytes]\n",
1126 session, _gnutls_handshake2str (type),
1127 (long) datasize);
1128
1129 /* Here we keep the handshake messages in order to hash them...
1130 */
1131 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1132 if ((ret =
1133 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1134 {
1135 gnutls_assert ();
1136 _mbuffer_xfree(&bufel);
1137 return ret;
1138 }
1139
1140 session->internals.last_handshake_out = type;
1141
1142 ret = _gnutls_handshake_io_cache_int (session, type, bufel);
1143 if (ret < 0)
1144 {
1145 _mbuffer_xfree(&bufel);
1146 gnutls_assert();
1147 return ret;
1148 }
1149
1150 switch (type)
1151 {
1152 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: /* this one is followed by ServerHelloDone
1153 * or ClientKeyExchange always.
1154 */
1155 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE: /* as above */
1156 case GNUTLS_HANDSHAKE_SERVER_HELLO: /* as above */
1157 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST: /* as above */
1158 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: /* followed by ChangeCipherSpec */
1159
1160 /* now for client Certificate, ClientKeyExchange and
1161 * CertificateVerify are always followed by ChangeCipherSpec
1162 */
1163 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1164 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1165 ret = 0;
1166 break;
1167 default:
1168 /* send cached messages */
1169 ret = _gnutls_handshake_io_write_flush (session);
1170 break;
1171 }
1172
1173 return ret;
1174 }
1175
1176 #define CHECK_SIZE(ll) \
1177 if ((session->internals.max_handshake_data_buffer_size > 0) && \
1178 (((ll) + session->internals.handshake_hash_buffer.length) > \
1179 session->internals.max_handshake_data_buffer_size)) \
1180 return gnutls_assert_val(GNUTLS_E_HANDSHAKE_TOO_LARGE)
1181
1182 /* This function add the handshake headers and the
1183 * handshake data to the handshake hash buffers. Needed
1184 * for the finished messages calculations.
1185 */
1186 static int
1187 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1188 gnutls_handshake_description_t recv_type,
1189 uint8_t * header, uint16_t header_size,
1190 uint8_t * dataptr, uint32_t datalen)
1191 {
1192 int ret;
1193
1194 if (recv_type == GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST ||
1195 recv_type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
1196 return 0;
1197
1198 CHECK_SIZE(header_size + datalen);
1199
1200 session->internals.handshake_hash_buffer_prev_len = session->internals.handshake_hash_buffer.length;
1201
1202 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1203 header, header_size);
1204 if (ret < 0)
1205 return gnutls_assert_val(ret);
1206
1207 if (datalen > 0)
1208 {
1209 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1210 dataptr, datalen);
1211 if (ret < 0)
1212 return gnutls_assert_val(ret);
1213 }
1214
1215 return 0;
1216 }
1217
1218 /* This function will store the handshake message we sent.
1219 */
1220 static int
1221 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1222 gnutls_handshake_description_t type,
1223 uint8_t * dataptr, uint32_t datalen)
1224 {
1225 int ret;
1226
1227 /* We don't check for GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST because it
1228 * is not sent via that channel.
1229 */
1230 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1231 {
1232 CHECK_SIZE(datalen);
1233
1234 ret = _gnutls_buffer_append_data(&session->internals.handshake_hash_buffer,
1235 dataptr, datalen);
1236 if (ret < 0)
1237 return gnutls_assert_val(ret);
1238
1239 return 0;
1240 }
1241
1242 return 0;
1243 }
1244
1245
1246 /* This function will receive handshake messages of the given types,
1247 * and will pass the message to the right place in order to be processed.
1248 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1249 * passed to _gnutls_recv_hello().
1250 */
1251 int
1252 _gnutls_recv_handshake (gnutls_session_t session,
1253 gnutls_handshake_description_t type,
1254 unsigned int optional, gnutls_buffer_st* buf)
1255 {
1256 int ret;
1257 handshake_buffer_st hsk;
1258
1259 ret =
1260 _gnutls_handshake_io_recv_int (session, type, &hsk, optional);
1261 if (ret < 0)
1262 {
1263 if (optional != 0 && ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET)
1264 {
1265 if (buf) _gnutls_buffer_init(buf);
1266 return 0;
1267 }
1268
1269 return gnutls_assert_val_fatal(ret);
1270 }
1271
1272 ret = _gnutls_handshake_hash_add_recvd (session, hsk.htype,
1273 hsk.header, hsk.header_size,
1274 hsk.data.data, hsk.data.length);
1275 if (ret < 0)
1276 {
1277 gnutls_assert ();
1278 goto cleanup;
1279 }
1280
1281 switch (hsk.htype)
1282 {
1283 case GNUTLS_HANDSHAKE_CLIENT_HELLO_V2:
1284 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1285 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1286 if (hsk.htype == GNUTLS_HANDSHAKE_CLIENT_HELLO_V2)
1287 ret = _gnutls_read_client_hello_v2 (session, hsk.data.data, hsk.data.length);
1288 else
1289 ret = _gnutls_recv_hello (session, hsk.data.data, hsk.data.length);
1290
1291 if (ret < 0)
1292 {
1293 gnutls_assert();
1294 goto cleanup;
1295 }
1296
1297 goto cleanup; /* caller doesn't need dataptr */
1298
1299 break;
1300 case GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST:
1301 ret = _gnutls_recv_hello_verify_request (session, hsk.data.data, hsk.data.length);
1302 if (ret < 0)
1303 {
1304 gnutls_assert();
1305 goto cleanup;
1306 }
1307 else
1308 /* Signal our caller we have received a verification cookie
1309 and ClientHello needs to be sent again. */
1310 ret = 1;
1311
1312 goto cleanup; /* caller doesn't need dataptr */
1313
1314 break;
1315 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1316 if (hsk.data.length == 0)
1317 ret = 0;
1318 else
1319 {
1320 gnutls_assert();
1321 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1322 goto cleanup;
1323 }
1324 break;
1325 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1326 case GNUTLS_HANDSHAKE_FINISHED:
1327 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1328 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1329 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1330 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1331 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1332 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1333 ret = hsk.data.length;
1334 break;
1335 default:
1336 gnutls_assert ();
1337 /* we shouldn't actually arrive here in any case .
1338 * unexpected messages should be catched after _gnutls_handshake_io_recv_int()
1339 */
1340 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1341 goto cleanup;
1342 }
1343
1344 if (buf)
1345 {
1346 *buf = hsk.data;
1347 return ret;
1348 }
1349
1350 cleanup:
1351 _gnutls_handshake_buffer_clear (&hsk);
1352 return ret;
1353 }
1354
1355 /* This function checks if the given cipher suite is supported, and sets it
1356 * to the session;
1357 */
1358 static int
1359 _gnutls_client_set_ciphersuite (gnutls_session_t session, uint8_t suite[2])
1360 {
1361 uint8_t z;
1362 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE];
1363 int cipher_suite_size;
1364 int i, err;
1365
1366 z = 1;
1367 cipher_suite_size = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites));
1368 if (cipher_suite_size < 0)
1369 {
1370 gnutls_assert ();
1371 return cipher_suite_size;
1372 }
1373
1374 for (i = 0; i < cipher_suite_size; i+=2)
1375 {
1376 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1377 {
1378 z = 0;
1379 break;
1380 }
1381 }
1382
1383 if (z != 0)
1384 {
1385 gnutls_assert ();
1386 _gnutls_handshake_log("HSK[%p]: unsupported cipher suite %.2X.%.2X\n", session,
1387 (unsigned int)suite[0], (unsigned int)suite[1]);
1388 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1389 }
1390
1391 memcpy (session->security_parameters.cipher_suite, suite, 2);
1392 _gnutls_epoch_set_cipher_suite (session, EPOCH_NEXT,
1393 session->
1394 security_parameters.cipher_suite);
1395
1396 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1397 _gnutls_cipher_suite_get_name
1398 (session->
1399 security_parameters.cipher_suite));
1400
1401
1402 /* check if the credentials (username, public key etc.) are ok.
1403 * Actually checks if they exist.
1404 */
1405 if (_gnutls_get_kx_cred
1406 (session,
1407 _gnutls_cipher_suite_get_kx_algo
1408 (session->security_parameters.cipher_suite), &err) == NULL
1409 && err != 0)
1410 {
1411 gnutls_assert ();
1412 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1413 }
1414
1415
1416 /* set the mod_auth_st to the appropriate struct
1417 * according to the KX algorithm. This is needed since all the
1418 * handshake functions are read from there;
1419 */
1420 session->internals.auth_struct =
1421 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1422 (session->
1423 security_parameters.cipher_suite));
1424
1425 if (session->internals.auth_struct == NULL)
1426 {
1427
1428 _gnutls_handshake_log
1429 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1430 session);
1431 gnutls_assert ();
1432 return GNUTLS_E_INTERNAL_ERROR;
1433 }
1434
1435
1436 return 0;
1437 }
1438
1439 /* This function sets the given comp method to the session.
1440 */
1441 static int
1442 _gnutls_client_set_comp_method (gnutls_session_t session, uint8_t comp_method)
1443 {
1444 int comp_methods_num;
1445 uint8_t compression_methods[MAX_ALGOS];
1446 int id = _gnutls_compression_get_id(comp_method);
1447 int i;
1448
1449 _gnutls_handshake_log ("HSK[%p]: Selected compression method: %s (%d)\n", session,
1450 gnutls_compression_get_name(id), (int)comp_method);
1451
1452 comp_methods_num = _gnutls_supported_compression_methods (session,
1453 compression_methods, MAX_ALGOS);
1454 if (comp_methods_num < 0)
1455 {
1456 gnutls_assert ();
1457 return comp_methods_num;
1458 }
1459
1460 for (i = 0; i < comp_methods_num; i++)
1461 {
1462 if (compression_methods[i] == comp_method)
1463 {
1464 comp_methods_num = 0;
1465 break;
1466 }
1467 }
1468
1469 if (comp_methods_num != 0)
1470 {
1471 gnutls_assert ();
1472 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1473 }
1474
1475 session->security_parameters.compression_method = id;
1476 _gnutls_epoch_set_compression (session, EPOCH_NEXT, id);
1477
1478 return 0;
1479 }
1480
1481 /* This function returns 0 if we are resuming a session or -1 otherwise.
1482 * This also sets the variables in the session. Used only while reading a server
1483 * hello.
1484 */
1485 static int
1486 _gnutls_client_check_if_resuming (gnutls_session_t session,
1487 uint8_t * session_id, int session_id_len)
1488 {
1489 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1490
1491 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1492 session_id_len);
1493 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1494 _gnutls_bin2hex (session_id, session_id_len, buf,
1495 sizeof (buf), NULL));
1496
1497 if (session_id_len > 0 &&
1498 session->internals.resumed_security_parameters.session_id_size ==
1499 session_id_len
1500 && memcmp (session_id,
1501 session->internals.resumed_security_parameters.session_id,
1502 session_id_len) == 0)
1503 {
1504 /* resume session */
1505 memcpy (session->internals.resumed_security_parameters.server_random,
1506 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1507 memcpy (session->internals.resumed_security_parameters.client_random,
1508 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1509
1510 _gnutls_epoch_set_cipher_suite
1511 (session, EPOCH_NEXT,
1512 session->internals.
1513 resumed_security_parameters.cipher_suite);
1514 _gnutls_epoch_set_compression (session, EPOCH_NEXT,
1515 session->
1516 internals.resumed_security_parameters.compression_method);
1517
1518 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1519
1520 return 0;
1521 }
1522 else
1523 {
1524 /* keep the new session id */
1525 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1526 session->security_parameters.session_id_size = session_id_len;
1527 memcpy (session->security_parameters.session_id,
1528 session_id, session_id_len);
1529
1530 return -1;
1531 }
1532 }
1533
1534
1535 /* This function reads and parses the server hello handshake message.
1536 * This function also restores resumed parameters if we are resuming a
1537 * session.
1538 */
1539 static int
1540 _gnutls_read_server_hello (gnutls_session_t session,
1541 uint8_t * data, int datalen)
1542 {
1543 uint8_t session_id_len = 0;
1544 int pos = 0;
1545 int ret = 0;
1546 gnutls_protocol_t version;
1547 int len = datalen;
1548
1549 if (datalen < 38)
1550 {
1551 gnutls_assert ();
1552 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1553 }
1554
1555 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1556 session, data[pos], data[pos + 1]);
1557
1558 DECR_LEN (len, 2);
1559 version = _gnutls_version_get (data[pos], data[pos + 1]);
1560 if (_gnutls_version_is_supported (session, version) == 0)
1561 {
1562 gnutls_assert ();
1563 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1564 }
1565 else
1566 {
1567 _gnutls_set_current_version (session, version);
1568 }
1569
1570 pos += 2;
1571
1572 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1573 _gnutls_set_server_random (session, &data[pos]);
1574 pos += GNUTLS_RANDOM_SIZE;
1575
1576
1577 /* Read session ID
1578 */
1579 DECR_LEN (len, 1);
1580 session_id_len = data[pos++];
1581
1582 if (len < session_id_len)
1583 {
1584 gnutls_assert ();
1585 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1586 }
1587 DECR_LEN (len, session_id_len);
1588
1589 /* check if we are resuming and set the appropriate
1590 * values;
1591 */
1592 if (_gnutls_client_check_if_resuming
1593 (session, &data[pos], session_id_len) == 0)
1594 {
1595 pos += session_id_len + 2 + 1;
1596 DECR_LEN (len, 2 + 1);
1597
1598 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_MANDATORY,
1599 &data[pos], len);
1600 if (ret < 0)
1601 {
1602 gnutls_assert ();
1603 return ret;
1604 }
1605 return 0;
1606 }
1607
1608 pos += session_id_len;
1609
1610 /* Check if the given cipher suite is supported and copy
1611 * it to the session.
1612 */
1613
1614 DECR_LEN (len, 2);
1615 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1616 if (ret < 0)
1617 {
1618 gnutls_assert ();
1619 return ret;
1620 }
1621 pos += 2;
1622
1623 /* move to compression
1624 */
1625 DECR_LEN (len, 1);
1626
1627 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1628 if (ret < 0)
1629 {
1630 gnutls_assert ();
1631 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1632 }
1633
1634 /* Parse extensions.
1635 */
1636 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY, &data[pos], len);
1637 if (ret < 0)
1638 {
1639 gnutls_assert ();
1640 return ret;
1641 }
1642
1643 return ret;
1644 }
1645
1646
1647 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1648 * Needed in client hello messages. Returns the new data length. If add_scsv is
1649 * true, add the special safe renegotiation CS.
1650 */
1651 static int
1652 _gnutls_copy_ciphersuites (gnutls_session_t session,
1653 gnutls_buffer_st * cdata,
1654 int add_scsv)
1655 {
1656 int ret;
1657 uint8_t cipher_suites[MAX_CIPHERSUITE_SIZE+2];
1658 int cipher_suites_size;
1659 size_t init_length = cdata->length;
1660
1661 ret = _gnutls_supported_ciphersuites (session, cipher_suites, sizeof(cipher_suites)-2);
1662 if (ret < 0)
1663 return gnutls_assert_val(ret);
1664
1665 /* Here we remove any ciphersuite that does not conform
1666 * the certificate requested, or to the
1667 * authentication requested (eg SRP).
1668 */
1669 ret =
1670 _gnutls_remove_unwanted_ciphersuites (session, cipher_suites, ret, NULL, 0);
1671 if (ret < 0)
1672 return gnutls_assert_val(ret);
1673
1674 /* If no cipher suites were enabled.
1675 */
1676 if (ret == 0)
1677 return gnutls_assert_val(GNUTLS_E_INSUFFICIENT_CREDENTIALS);
1678
1679 cipher_suites_size = ret;
1680 if (add_scsv)
1681 {
1682 cipher_suites[cipher_suites_size] = 0x00;
1683 cipher_suites[cipher_suites_size+1] = 0xff;
1684 cipher_suites_size += 2;
1685
1686 ret = _gnutls_ext_sr_send_cs (session);
1687 if (ret < 0)
1688 return gnutls_assert_val(ret);
1689 }
1690
1691 ret = _gnutls_buffer_append_data_prefix(cdata, 16, cipher_suites, cipher_suites_size);
1692 if (ret < 0)
1693 return gnutls_assert_val(ret);
1694
1695 ret = cdata->length - init_length;
1696
1697 return ret;
1698 }
1699
1700
1701 /* This function copies the appropriate compression methods, to a locally allocated buffer
1702 * Needed in hello messages. Returns the new data length.
1703 */
1704 static int
1705 _gnutls_copy_comp_methods (gnutls_session_t session,
1706 gnutls_buffer_st * cdata)
1707 {
1708 int ret;
1709 uint8_t compression_methods[MAX_ALGOS], comp_num;
1710 size_t init_length = cdata->length;
1711
1712 ret = _gnutls_supported_compression_methods (session, compression_methods, MAX_ALGOS);
1713 if (ret < 0)
1714 return gnutls_assert_val(ret);
1715
1716 comp_num = ret;
1717
1718 /* put the number of compression methods */
1719 ret = _gnutls_buffer_append_prefix(cdata, 8, comp_num);
1720 if (ret < 0)
1721 return gnutls_assert_val(ret);
1722
1723 ret = _gnutls_buffer_append_data(cdata, compression_methods, comp_num);
1724 if (ret < 0)
1725 return gnutls_assert_val(ret);
1726
1727 ret = cdata->length - init_length;
1728
1729 return ret;
1730 }
1731
1732 /* This should be sufficient by now. It should hold all the extensions
1733 * plus the headers in a hello message.
1734 */
1735 #define MAX_EXT_DATA_LENGTH 32*1024
1736
1737 /* This function sends the client hello handshake message.
1738 */
1739 static int
1740 _gnutls_send_client_hello (gnutls_session_t session, int again)
1741 {
1742 mbuffer_st *bufel = NULL;
1743 uint8_t *data = NULL;
1744 int pos = 0, type;
1745 int datalen = 0, ret = 0;
1746 uint8_t rnd[GNUTLS_RANDOM_SIZE];
1747 gnutls_protocol_t hver;
1748 gnutls_buffer_st extdata;
1749 int rehandshake = 0;
1750 uint8_t session_id_len =
1751 session->internals.resumed_security_parameters.session_id_size;
1752 uint8_t cookie_len;
1753
1754 _gnutls_buffer_init(&extdata);
1755
1756 /* note that rehandshake is different than resuming
1757 */
1758 if (session->security_parameters.session_id_size)
1759 rehandshake = 1;
1760
1761 if (again == 0)
1762 {
1763 if(IS_DTLS(session))
1764 {
1765 cookie_len = session->internals.dtls.cookie_len + 1;
1766 }
1767 else
1768 {
1769 cookie_len = 0;
1770 }
1771
1772 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE + cookie_len;
1773 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1774 */
1775
1776 bufel = _gnutls_handshake_alloc (session, datalen, datalen+MAX_EXT_DATA_LENGTH);
1777 if (bufel == NULL)
1778 {
1779 gnutls_assert ();
1780 return GNUTLS_E_MEMORY_ERROR;
1781 }
1782 data = _mbuffer_get_udata_ptr (bufel);
1783
1784 /* if we are resuming a session then we set the
1785 * version number to the previously established.
1786 */
1787 if (session_id_len == 0)
1788 {
1789 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
1790 hver = session->security_parameters.version;
1791 else /* new handshake. just get the max */
1792 hver = _gnutls_version_max (session);
1793 }
1794 else
1795 {
1796 /* we are resuming a session */
1797 hver = session->internals.resumed_security_parameters.version;
1798 }
1799
1800 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
1801 {
1802 gnutls_assert ();
1803 gnutls_free (bufel);
1804 return GNUTLS_E_INTERNAL_ERROR;
1805 }
1806
1807 data[pos++] = _gnutls_version_get_major (hver);
1808 data[pos++] = _gnutls_version_get_minor (hver);
1809
1810 /* Set the version we advertized as maximum
1811 * (RSA uses it).
1812 */
1813 _gnutls_set_adv_version (session, hver);
1814 _gnutls_set_current_version (session, hver);
1815
1816 if (session->internals.priorities.ssl3_record_version != 0)
1817 {
1818 /* Advertize the SSL 3.0 record packet version in
1819 * record packets during the handshake.
1820 * That is to avoid confusing implementations
1821 * that do not support TLS 1.2 and don't know
1822 * how 3,3 version of record packets look like.
1823 */
1824 if (!IS_DTLS(session))
1825 _gnutls_record_set_default_version (session, 3, 0);
1826 else
1827 _gnutls_record_set_default_version (session, 254, 255);
1828 }
1829
1830 /* In order to know when this session was initiated.
1831 */
1832 session->security_parameters.timestamp = gnutls_time (NULL);
1833
1834 /* Generate random data
1835 */
1836 if (!IS_DTLS (session)
1837 || session->internals.dtls.hsk_hello_verify_requests == 0)
1838 {
1839 _gnutls_tls_create_random (rnd);
1840 _gnutls_set_client_random (session, rnd);
1841
1842 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
1843 }
1844 else
1845 memcpy (&data[pos], session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1846
1847 pos += GNUTLS_RANDOM_SIZE;
1848
1849 /* Copy the Session ID
1850 */
1851 data[pos++] = session_id_len;
1852
1853 if (session_id_len > 0)
1854 {
1855 memcpy (&data[pos],
1856 session->internals.resumed_security_parameters.session_id,
1857 session_id_len);
1858 pos += session_id_len;
1859 }
1860
1861 /* Copy the DTLS cookie
1862 */
1863 if (IS_DTLS(session))
1864 {
1865 data[pos++] = session->internals.dtls.cookie_len;
1866 memcpy(&data[pos], &session->internals.dtls.cookie, session->internals.dtls.cookie_len);
1867 pos += session->internals.dtls.cookie_len;
1868 }
1869
1870 /* Copy the ciphersuites.
1871 *
1872 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
1873 * prevention on initial negotiation (but not renegotiation; that's
1874 * handled with the RI extension below).
1875 */
1876 if (!session->internals.initial_negotiation_completed &&
1877 session->security_parameters.entity == GNUTLS_CLIENT &&
1878 (gnutls_protocol_get_version (session) == GNUTLS_SSL3 ||
1879 session->internals.priorities.no_extensions != 0))
1880 {
1881 ret =
1882 _gnutls_copy_ciphersuites (session, &extdata, TRUE);
1883 _gnutls_extension_list_add (session,
1884 GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
1885 }
1886 else
1887 ret = _gnutls_copy_ciphersuites (session, &extdata, FALSE);
1888
1889 if (ret < 0)
1890 {
1891 gnutls_assert();
1892 goto cleanup;
1893 }
1894
1895 /* Copy the compression methods.
1896 */
1897 ret = _gnutls_copy_comp_methods (session, &extdata);
1898 if (ret < 0)
1899 {
1900 gnutls_assert();
1901 goto cleanup;
1902 }
1903
1904 /* Generate and copy TLS extensions.
1905 */
1906 if (session->internals.priorities.no_extensions == 0)
1907 {
1908 if (_gnutls_version_has_extensions (hver))
1909 type = GNUTLS_EXT_ANY;
1910 else
1911 {
1912 if (session->internals.initial_negotiation_completed != 0)
1913 type = GNUTLS_EXT_MANDATORY;
1914 else
1915 type = GNUTLS_EXT_NONE;
1916 }
1917
1918 ret = _gnutls_gen_extensions (session, &extdata, type);
1919 if (ret < 0)
1920 {
1921 gnutls_assert();
1922 goto cleanup;
1923 }
1924
1925 }
1926
1927 ret = _mbuffer_append_data (bufel, extdata.data, extdata.length);
1928 if (ret < 0)
1929 {
1930 gnutls_assert ();
1931 goto cleanup;
1932 }
1933 }
1934
1935 _gnutls_buffer_clear(&extdata);
1936
1937 return
1938 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_CLIENT_HELLO);
1939
1940 cleanup:
1941 _mbuffer_xfree(&bufel);
1942 _gnutls_buffer_clear(&extdata);
1943 return ret;
1944 }
1945
1946 static int
1947 _gnutls_send_server_hello (gnutls_session_t session, int again)
1948 {
1949 mbuffer_st *bufel = NULL;
1950 uint8_t *data = NULL;
1951 gnutls_buffer_st extdata;
1952 int pos = 0;
1953 int datalen, ret = 0;
1954 uint8_t comp;
1955 uint8_t session_id_len = session->security_parameters.session_id_size;
1956 char buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1957
1958 datalen = 0;
1959
1960 _gnutls_buffer_init(&extdata);
1961
1962 if (again == 0)
1963 {
1964 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
1965 ret =
1966 _gnutls_gen_extensions (session, &extdata, GNUTLS_EXT_ANY);
1967 if (ret < 0)
1968 {
1969 gnutls_assert ();
1970 goto fail;
1971 }
1972
1973 bufel = _gnutls_handshake_alloc (session, datalen + extdata.length, datalen + extdata.length);
1974 if (bufel == NULL)
1975 {
1976 gnutls_assert ();
1977 ret = GNUTLS_E_MEMORY_ERROR;
1978 goto fail;
1979 }
1980 data = _mbuffer_get_udata_ptr (bufel);
1981
1982 data[pos++] =
1983 _gnutls_version_get_major (session->security_parameters.version);
1984 data[pos++] =
1985 _gnutls_version_get_minor (session->security_parameters.version);
1986
1987 memcpy (&data[pos],
1988 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1989 pos += GNUTLS_RANDOM_SIZE;
1990
1991 data[pos++] = session_id_len;
1992 if (session_id_len > 0)
1993 {
1994 memcpy (&data[pos], session->security_parameters.session_id,
1995 session_id_len);
1996 }
1997 pos += session_id_len;
1998
1999 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2000 _gnutls_bin2hex (session->security_parameters.
2001 session_id, session_id_len, buf,
2002 sizeof (buf), NULL));
2003
2004 memcpy (&data[pos],
2005 session->security_parameters.cipher_suite, 2);
2006 pos += 2;
2007
2008 comp = _gnutls_compression_get_num ( session->security_parameters.compression_method);
2009 data[pos++] = comp;
2010
2011 if (extdata.length > 0)
2012 {
2013 datalen += extdata.length;
2014 memcpy (&data[pos], extdata.data, extdata.length);
2015 }
2016 }
2017
2018 ret =
2019 _gnutls_send_handshake (session, bufel, GNUTLS_HANDSHAKE_SERVER_HELLO);
2020
2021 fail:
2022 _gnutls_buffer_clear(&extdata);
2023 return ret;
2024 }
2025
2026 int
2027 _gnutls_send_hello (gnutls_session_t session, int again)
2028 {
2029 int ret;
2030
2031 if (session->security_parameters.entity == GNUTLS_CLIENT)
2032 {
2033 ret = _gnutls_send_client_hello (session, again);
2034
2035 }
2036 else
2037 { /* SERVER */
2038 ret = _gnutls_send_server_hello (session, again);
2039 }
2040
2041 return ret;
2042 }
2043
2044 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2045 * hello message is expected. It uses the security_parameters.cipher_suite
2046 * and internals.compression_method.
2047 */
2048 int
2049 _gnutls_recv_hello (gnutls_session_t session, uint8_t * data, int datalen)
2050 {
2051 int ret;
2052
2053 if (session->security_parameters.entity == GNUTLS_CLIENT)
2054 {
2055 ret = _gnutls_read_server_hello (session, data, datalen);
2056 if (ret < 0)
2057 {
2058 gnutls_assert ();
2059 return ret;
2060 }
2061 }
2062 else
2063 { /* Server side reading a client hello */
2064
2065 ret = _gnutls_read_client_hello (session, data, datalen);
2066 if (ret < 0)
2067 {
2068 gnutls_assert ();
2069 return ret;
2070 }
2071 }
2072
2073 ret = _gnutls_ext_sr_verify (session);
2074 if (ret < 0)
2075 {
2076 gnutls_assert ();
2077 return ret;
2078 }
2079
2080 return 0;
2081 }
2082
2083 static int
2084 _gnutls_recv_hello_verify_request (gnutls_session_t session,
2085 uint8_t * data, int datalen)
2086 {
2087 ssize_t len = datalen;
2088 size_t pos = 0;
2089 uint8_t cookie_len;
2090 unsigned int nb_verifs;
2091
2092 if (!IS_DTLS (session)
2093 || session->security_parameters.entity == GNUTLS_SERVER)
2094 {
2095 gnutls_assert ();
2096 return GNUTLS_E_INTERNAL_ERROR;
2097 }
2098
2099 nb_verifs = ++session->internals.dtls.hsk_hello_verify_requests;
2100 if (nb_verifs >= MAX_HANDSHAKE_HELLO_VERIFY_REQUESTS)
2101 {
2102 /* The server is either buggy, malicious or changing cookie
2103 secrets _way_ too fast. */
2104 gnutls_assert ();
2105 return GNUTLS_E_UNEXPECTED_PACKET;
2106 }
2107
2108 /* TODO: determine if we need to do anything with the server version field */
2109 DECR_LEN (len, 2);
2110 pos += 2;
2111
2112 DECR_LEN (len, 1);
2113 cookie_len = data[pos];
2114 pos++;
2115
2116 if (cookie_len > DTLS_MAX_COOKIE_SIZE)
2117 {
2118 gnutls_assert ();
2119 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2120 }
2121
2122 DECR_LEN (len, cookie_len);
2123
2124 session->internals.dtls.cookie_len = cookie_len;
2125 memcpy (session->internals.dtls.cookie, &data[pos], cookie_len);
2126
2127 pos += cookie_len;
2128
2129 if (len != 0)
2130 {
2131 gnutls_assert ();
2132 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2133 }
2134
2135 /* reset handshake hash buffers */
2136 _gnutls_handshake_hash_buffer_empty (session);
2137
2138 return 0;
2139 }
2140
2141 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2142 *
2143 * Client Server
2144 *
2145 * ClientHello -------->
2146 * <-------- ServerHello
2147 *
2148 * Certificate*
2149 * ServerKeyExchange*
2150 * <-------- CertificateRequest*
2151 *
2152 * <-------- ServerHelloDone
2153 * Certificate*
2154 * ClientKeyExchange
2155 * CertificateVerify*
2156 * [ChangeCipherSpec]
2157 * Finished -------->
2158 * NewSessionTicket
2159 * [ChangeCipherSpec]
2160 * <-------- Finished
2161 *
2162 * (*): means optional packet.
2163 */
2164
2165 /* Handshake when resumming session:
2166 * Client Server
2167 *
2168 * ClientHello -------->
2169 * ServerHello
2170 * [ChangeCipherSpec]
2171 * <-------- Finished
2172 * [ChangeCipherSpec]
2173 * Finished -------->
2174 *
2175 */
2176
2177 /**
2178 * gnutls_rehandshake:
2179 * @session: is a #gnutls_session_t structure.
2180 *
2181 * This function will renegotiate security parameters with the
2182 * client. This should only be called in case of a server.
2183 *
2184 * This message informs the peer that we want to renegotiate
2185 * parameters (perform a handshake).
2186 *
2187 * If this function succeeds (returns 0), you must call the
2188 * gnutls_handshake() function in order to negotiate the new
2189 * parameters.
2190 *
2191 * Since TLS is full duplex some application data might have been
2192 * sent during peer's processing of this message. In that case
2193 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2194 * is returned to clear any pending data. Care must be taken if
2195 * rehandshake is mandatory to terminate if it does not start after
2196 * some threshold.
2197 *
2198 * If the client does not wish to renegotiate parameters he will
2199 * should with an alert message, thus the return code will be
2200 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2201 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2202 * this message.
2203 *
2204 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2205 **/
2206 int
2207 gnutls_rehandshake (gnutls_session_t session)
2208 {
2209 int ret;
2210
2211 /* only server sends that handshake packet */
2212 if (session->security_parameters.entity == GNUTLS_CLIENT)
2213 return GNUTLS_E_INVALID_REQUEST;
2214
2215 _dtls_async_timer_delete(session);
2216
2217 ret =
2218 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2219 AGAIN (STATE50));
2220 STATE = STATE50;
2221
2222 if (ret < 0)
2223 {
2224 gnutls_assert ();
2225 return ret;
2226 }
2227 STATE = STATE0;
2228
2229 return 0;
2230 }
2231
2232 inline static int
2233 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2234 {
2235 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2236 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2237 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2238 return 0;
2239
2240 /* this doesn't matter */
2241 return GNUTLS_E_INTERNAL_ERROR;
2242 }
2243
2244
2245
2246 static int
2247 _gnutls_send_supplemental (gnutls_session_t session, int again)
2248 {
2249 mbuffer_st *bufel;
2250 int ret = 0;
2251
2252 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2253
2254 if (again)
2255 ret =
2256 _gnutls_send_handshake (session, NULL, GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2257 else
2258 {
2259 gnutls_buffer_st buf;
2260 _gnutls_buffer_init (&buf);
2261
2262 ret = _gnutls_gen_supplemental (session, &buf);
2263 if (ret < 0)
2264 {
2265 gnutls_assert ();
2266 return ret;
2267 }
2268
2269 bufel = _gnutls_handshake_alloc(session, buf.length, buf.length);
2270 if (bufel == NULL)
2271 {
2272 gnutls_assert ();
2273 return GNUTLS_E_MEMORY_ERROR;
2274 }
2275
2276 _mbuffer_set_udata (bufel, buf.data, buf.length);
2277 _gnutls_buffer_clear (&buf);
2278
2279 ret = _gnutls_send_handshake (session, bufel,
2280 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2281 }
2282
2283 return ret;
2284 }
2285
2286 static int
2287 _gnutls_recv_supplemental (gnutls_session_t session)
2288 {
2289 gnutls_buffer_st buf;
2290 int ret;
2291
2292 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2293
2294 ret = _gnutls_recv_handshake (session, GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2295 1, &buf);
2296 if (ret < 0)
2297 {
2298 gnutls_assert ();
2299 return ret;
2300 }
2301
2302 ret = _gnutls_parse_supplemental (session, buf.data, buf.length);
2303 if (ret < 0)
2304 {
2305 gnutls_assert ();
2306 goto cleanup;
2307 }
2308
2309 cleanup:
2310 _gnutls_buffer_clear(&buf);
2311
2312 return ret;
2313 }
2314
2315 /**
2316 * gnutls_handshake:
2317 * @session: is a #gnutls_session_t structure.
2318 *
2319 * This function does the handshake of the TLS/SSL protocol, and
2320 * initializes the TLS connection.
2321 *
2322 * This function will fail if any problem is encountered, and will
2323 * return a negative error code. In case of a client, if the client
2324 * has asked to resume a session, but the server couldn't, then a
2325 * full handshake will be performed.
2326 *
2327 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2328 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2329 * should be resumed later. Call this function again, until it
2330 * returns 0; cf. gnutls_record_get_direction() and
2331 * gnutls_error_is_fatal().
2332 *
2333 * If this function is called by a server after a rehandshake request
2334 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2335 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2336 * are non fatal errors, only in the specific case of a rehandshake.
2337 * Their meaning is that the client rejected the rehandshake request or
2338 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2339 * some data were pending.
2340 *
2341 * Returns: %GNUTLS_E_SUCCESS on success, otherwise a negative error code.
2342 **/
2343 int
2344 gnutls_handshake (gnutls_session_t session)
2345 {
2346 int ret;
2347 record_parameters_st *params;
2348
2349 /* sanity check. Verify that there are priorities setup.
2350 */
2351 if (session->internals.priorities.protocol.algorithms == 0)
2352 return gnutls_assert_val(GNUTLS_E_NO_PRIORITIES_WERE_SET);
2353
2354 ret = _gnutls_epoch_get (session, session->security_parameters.epoch_next,
2355 &params);
2356 if (ret < 0)
2357 {
2358 /* We assume the epoch is not allocated if _gnutls_epoch_get fails. */
2359 ret =
2360 _gnutls_epoch_alloc (session, session->security_parameters.epoch_next,
2361 NULL);
2362 if (ret < 0)
2363 return gnutls_assert_val(ret);
2364 }
2365
2366 if (session->security_parameters.entity == GNUTLS_CLIENT)
2367 {
2368 do
2369 {
2370 ret = _gnutls_handshake_client (session);
2371 } while (ret == 1);
2372 }
2373 else
2374 {
2375 ret = _gnutls_handshake_server (session);
2376 }
2377 if (ret < 0)
2378 {
2379 /* In the case of a rehandshake abort
2380 * we should reset the handshake's internal state.
2381 */
2382 if (_gnutls_abort_handshake (session, ret) == 0)
2383 STATE = STATE0;
2384
2385 return ret;
2386 }
2387
2388 ret = _gnutls_handshake_common (session);
2389
2390 if (ret < 0)
2391 {
2392 if (_gnutls_abort_handshake (session, ret) == 0)
2393 STATE = STATE0;
2394
2395 return ret;
2396 }
2397
2398 STATE = STATE0;
2399
2400 if (IS_DTLS(session)==0)
2401 {
2402 _gnutls_handshake_io_buffer_clear (session);
2403 }
2404 else
2405 {
2406 _dtls_async_timer_init(session);
2407 }
2408
2409 _gnutls_handshake_internal_state_clear (session);
2410
2411 session->security_parameters.epoch_next++;
2412
2413 return 0;
2414 }
2415
2416
2417 #define IMED_RET( str, ret, allow_alert) do { \
2418 if (ret < 0) { \
2419 /* EAGAIN and INTERRUPTED are always non-fatal */ \
2420 if (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED) \
2421 return ret; \
2422 /* a warning alert might interrupt handshake */ \
2423 if (allow_alert != 0 && ret==GNUTLS_E_WARNING_ALERT_RECEIVED) return ret; \
2424 gnutls_assert(); \
2425 ERR( str, ret); \
2426 _gnutls_handshake_hash_buffers_clear(session); \
2427 return ret; \
2428 } } while (0)
2429
2430
2431
2432 /*
2433 * _gnutls_handshake_client
2434 * This function performs the client side of the handshake of the TLS/SSL protocol.
2435 */
2436 int
2437 _gnutls_handshake_client (gnutls_session_t session)
2438 {
2439 int ret = 0;
2440
2441 #ifdef HANDSHAKE_DEBUG
2442 char buf[64];
2443
2444 if (session->internals.resumed_security_parameters.session_id_size > 0)
2445 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2446 _gnutls_bin2hex (session->
2447 internals.resumed_security_parameters.session_id,
2448 session->
2449 internals.resumed_security_parameters.session_id_size,
2450 buf, sizeof (buf), NULL));
2451 #endif
2452
2453 switch (STATE)
2454 {
2455 case STATE0:
2456 case STATE1:
2457 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2458 STATE = STATE1;
2459 IMED_RET ("send hello", ret, 1);
2460
2461 case STATE11:
2462 if (IS_DTLS (session))
2463 {
2464 ret =
2465 _gnutls_recv_handshake (session,
2466 GNUTLS_HANDSHAKE_HELLO_VERIFY_REQUEST,
2467 1, NULL);
2468 STATE = STATE11;
2469 IMED_RET ("recv hello verify", ret, 1);
2470
2471 if (ret == 1)
2472 {
2473 STATE = STATE0;
2474 return 1;
2475 }
2476 }
2477 case STATE2:
2478 /* receive the server hello */
2479 ret =
2480 _gnutls_recv_handshake (session,
2481 GNUTLS_HANDSHAKE_SERVER_HELLO,
2482 0, NULL);
2483 STATE = STATE2;
2484 IMED_RET ("recv hello", ret, 1);
2485
2486 case STATE70:
2487 if (session->security_parameters.do_recv_supplemental)
2488 {
2489 ret = _gnutls_recv_supplemental (session);
2490 STATE = STATE70;
2491 IMED_RET ("recv supplemental", ret, 1);
2492 }
2493
2494 case STATE3:
2495 /* RECV CERTIFICATE */
2496 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2497 ret = _gnutls_recv_server_certificate (session);
2498 STATE = STATE3;
2499 IMED_RET ("recv server certificate", ret, 1);
2500
2501 case STATE4:
2502 /* receive the server key exchange */
2503 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2504 ret = _gnutls_recv_server_kx_message (session);
2505 STATE = STATE4;
2506 IMED_RET ("recv server kx message", ret, 1);
2507
2508 case STATE5:
2509 /* receive the server certificate request - if any
2510 */
2511
2512 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2513 ret = _gnutls_recv_server_crt_request (session);
2514 STATE = STATE5;
2515 IMED_RET ("recv server certificate request message", ret, 1);
2516
2517 case STATE6:
2518 /* receive the server hello done */
2519 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2520 ret =
2521 _gnutls_recv_handshake (session,
2522 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2523 0, NULL);
2524 STATE = STATE6;
2525 IMED_RET ("recv server hello done", ret, 1);
2526 case STATE71:
2527 if (session->security_parameters.do_send_supplemental)
2528 {
2529 ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
2530 STATE = STATE71;
2531 IMED_RET ("send supplemental", ret, 0);
2532 }
2533
2534 case STATE7:
2535 /* send our certificate - if any and if requested
2536 */
2537 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2538 ret = _gnutls_send_client_certificate (session, AGAIN (STATE7));
2539 STATE = STATE7;
2540 IMED_RET ("send client certificate", ret, 0);
2541
2542 case STATE8:
2543 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2544 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8));
2545 STATE = STATE8;
2546 IMED_RET ("send client kx", ret, 0);
2547
2548 case STATE9:
2549 /* send client certificate verify */
2550 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2551 ret =
2552 _gnutls_send_client_certificate_verify (session, AGAIN (STATE9));
2553 STATE = STATE9;
2554 IMED_RET ("send client certificate verify", ret, 1);
2555
2556 STATE = STATE0;
2557 default:
2558 break;
2559 }
2560
2561
2562 return 0;
2563 }
2564
2565
2566
2567 /* This function is to be called if the handshake was successfully
2568 * completed. This sends a Change Cipher Spec packet to the peer.
2569 */
2570 static ssize_t
2571 send_change_cipher_spec (gnutls_session_t session, int again)
2572 {
2573 uint8_t* data;
2574 mbuffer_st * bufel;
2575 int ret;
2576
2577 if (again == 0)
2578 {
2579 bufel = _gnutls_handshake_alloc (session, 1, 1);
2580 if (bufel == NULL)
2581 return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
2582
2583 _mbuffer_set_uhead_size(bufel, 1);
2584 _mbuffer_set_udata_size(bufel, 0);
2585
2586 data = _mbuffer_get_uhead_ptr (bufel);
2587
2588 data[0] = 1;
2589
2590 ret = _gnutls_handshake_io_cache_int (session, GNUTLS_HANDSHAKE_CHANGE_CIPHER_SPEC, bufel);
2591 if (ret < 0)
2592 {
2593 _mbuffer_xfree(&bufel);
2594 return gnutls_assert_val(ret);
2595 }
2596
2597 _gnutls_handshake_log ("REC[%p]: Sent ChangeCipherSpec\n", session);
2598 }
2599
2600 return 0;
2601 }
2602
2603 /* This function sends the final handshake packets and initializes connection
2604 */
2605 static int
2606 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2607 {
2608 int ret = 0;
2609
2610 /* Send the CHANGE CIPHER SPEC PACKET */
2611
2612 switch (STATE)
2613 {
2614 case STATE0:
2615 case STATE20:
2616 ret = send_change_cipher_spec (session, AGAIN (STATE20));
2617 STATE = STATE0;
2618
2619 if (ret < 0)
2620 {
2621 ERR ("send ChangeCipherSpec", ret);
2622 gnutls_assert ();
2623 return ret;
2624 }
2625 /* Initialize the connection session (start encryption) - in case of client
2626 */
2627 if (init == TRUE)
2628 {
2629 ret = _gnutls_connection_state_init (session);
2630 if (ret < 0)
2631 {
2632 gnutls_assert ();
2633 return ret;
2634 }
2635 }
2636
2637 ret = _gnutls_write_connection_state_init (session);
2638 if (ret < 0)
2639 {
2640 gnutls_assert ();
2641 return ret;
2642 }
2643
2644 case STATE21:
2645 /* send the finished message */
2646 ret = _gnutls_send_finished (session, AGAIN (STATE21));
2647 STATE = STATE21;
2648 if (ret < 0)
2649 {
2650 ERR ("send Finished", ret);
2651 gnutls_assert ();
2652 return ret;
2653 }
2654
2655 STATE = STATE0;
2656 default:
2657 break;
2658 }
2659
2660 return 0;
2661 }
2662
2663 /* This function receives the final handshake packets
2664 * And executes the appropriate function to initialize the
2665 * read session.
2666 */
2667 static int
2668 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2669 {
2670 int ret = 0;
2671 uint8_t ch;
2672
2673
2674 switch (STATE)
2675 {
2676 case STATE0:
2677 case STATE30:
2678 STATE = STATE30;
2679
2680 /* This is the last flight and peer cannot be sure
2681 * we have received it unless we notify him. So we
2682 * wait for a message and retransmit if needed. */
2683 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2684 (gnutls_record_check_pending (session) +
2685 record_check_unprocessed (session)) == 0)
2686 {
2687 ret = _dtls_wait_and_retransmit(session);
2688 if (ret < 0)
2689 return gnutls_assert_val(ret);
2690 }
2691
2692 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1, NULL);
2693 if (ret <= 0)
2694 {
2695 ERR ("recv ChangeCipherSpec", ret);
2696 gnutls_assert ();
2697 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2698 }
2699
2700 /* Initialize the connection session (start encryption) - in case of server */
2701 if (init == TRUE)
2702 {
2703 ret = _gnutls_connection_state_init (session);
2704 if (ret < 0)
2705 {
2706 gnutls_assert ();
2707 return ret;
2708 }
2709 }
2710
2711 ret = _gnutls_read_connection_state_init (session);
2712 if (ret < 0)
2713 {
2714 gnutls_assert ();
2715 return ret;
2716 }
2717
2718 case STATE31:
2719 STATE = STATE31;
2720
2721 if (IS_DTLS(session) && !_dtls_is_async(session) &&
2722 (gnutls_record_check_pending( session) +
2723 record_check_unprocessed (session)) == 0)
2724 {
2725 ret = _dtls_wait_and_retransmit(session);
2726 if (ret < 0)
2727 return gnutls_assert_val(ret);
2728 }
2729
2730 ret = _gnutls_recv_finished (session);
2731 if (ret < 0)
2732 {
2733 ERR ("recv finished", ret);
2734 gnutls_assert ();
2735 return ret;
2736 }
2737 STATE = STATE0;
2738 default:
2739 break;
2740 }
2741
2742
2743 return 0;
2744 }
2745
2746 /*
2747 * _gnutls_handshake_server
2748 * This function does the server stuff of the handshake protocol.
2749 */
2750 int
2751 _gnutls_handshake_server (gnutls_session_t session)
2752 {
2753 int ret = 0;
2754
2755 switch (STATE)
2756 {
2757 case STATE0:
2758 case STATE1:
2759 ret =
2760 _gnutls_recv_handshake (session,
2761 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2762 0, NULL);
2763 STATE = STATE1;
2764 IMED_RET ("recv hello", ret, 1);
2765
2766 case STATE2:
2767 ret = _gnutls_send_hello (session, AGAIN (STATE2));
2768 STATE = STATE2;
2769 IMED_RET ("send hello", ret, 1);
2770
2771 case STATE70:
2772 if (session->security_parameters.do_send_supplemental)
2773 {
2774 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
2775 STATE = STATE70;
2776 IMED_RET ("send supplemental data", ret, 0);
2777 }
2778
2779 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2780 case STATE3:
2781 /* NOTE: these should not be send if we are resuming */
2782
2783 if (session->internals.resumed == RESUME_FALSE)
2784 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
2785 STATE = STATE3;
2786 IMED_RET ("send server certificate", ret, 0);
2787
2788 case STATE4:
2789 /* send server key exchange (A) */
2790 if (session->internals.resumed == RESUME_FALSE)
2791 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4));
2792 STATE = STATE4;
2793 IMED_RET ("send server kx", ret, 0);
2794
2795 case STATE5:
2796 /* Send certificate request - if requested to */
2797 if (session->internals.resumed == RESUME_FALSE)
2798 ret =
2799 _gnutls_send_server_crt_request (session, AGAIN (STATE5));
2800 STATE = STATE5;
2801 IMED_RET ("send server cert request", ret, 0);
2802
2803 case STATE6:
2804 /* send the server hello done */
2805 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2806 ret =
2807 _gnutls_send_empty_handshake (session,
2808 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2809 AGAIN (STATE6));
2810 STATE = STATE6;
2811 IMED_RET ("send server hello done", ret, 1);
2812
2813 case STATE71:
2814 if (session->security_parameters.do_recv_supplemental)
2815 {
2816 ret = _gnutls_recv_supplemental (session);
2817 STATE = STATE71;
2818 IMED_RET ("recv client supplemental", ret, 1);
2819 }
2820
2821 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2822 case STATE7:
2823 /* receive the client certificate message */
2824 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2825 ret = _gnutls_recv_client_certificate (session);
2826 STATE = STATE7;
2827 IMED_RET ("recv client certificate", ret, 1);
2828
2829 case STATE8:
2830 /* receive the client key exchange message */
2831 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2832 ret = _gnutls_recv_client_kx_message (session);
2833 STATE = STATE8;
2834 IMED_RET ("recv client kx", ret, 1);
2835
2836 case STATE9:
2837 /* receive the client certificate verify message */
2838 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2839 ret = _gnutls_recv_client_certificate_verify_message (session);
2840 STATE = STATE9;
2841 IMED_RET ("recv client certificate verify", ret, 1);
2842
2843 STATE = STATE0; /* finished thus clear session */
2844 default:
2845 break;
2846 }
2847
2848 return 0;
2849 }
2850
2851 int
2852 _gnutls_handshake_common (gnutls_session_t session)
2853 {
2854 int ret = 0;
2855
2856 /* send and recv the change cipher spec and finished messages */
2857 if ((session->internals.resumed != RESUME_FALSE
2858 && session->security_parameters.entity == GNUTLS_CLIENT)
2859 || (session->internals.resumed == RESUME_FALSE
2860 && session->security_parameters.entity == GNUTLS_SERVER))
2861 {
2862 /* if we are a client resuming - or we are a server not resuming */
2863 ret = _gnutls_recv_handshake_final (session, TRUE);
2864 IMED_RET ("recv handshake final", ret, 1);
2865
2866 switch (STATE)
2867 {
2868 case STATE0:
2869 case STATE40:
2870 ret = _gnutls_send_new_session_ticket (session, AGAIN (STATE40));
2871 STATE = STATE40;
2872 IMED_RET ("send handshake new session ticket", ret, 0);
2873 STATE = STATE0;
2874 default:
2875 break;
2876 }
2877
2878 ret = _gnutls_send_handshake_final (session, FALSE);
2879 IMED_RET ("send handshake final", ret, 1);
2880
2881 /* only store if we are not resuming a session and we didn't previously send a ticket
2882 */
2883 if (session->security_parameters.entity == GNUTLS_SERVER && session->internals.ticket_sent == 0)
2884 {
2885 /* in order to support session resuming */
2886 _gnutls_server_register_current_session (session);
2887 }
2888 }
2889 else
2890 { /* if we are a client not resuming - or we are a server resuming */
2891
2892 ret = _gnutls_send_handshake_final (session, TRUE);
2893 IMED_RET ("send handshake final 2", ret, 1);
2894
2895 switch (STATE)
2896 {
2897 case STATE0:
2898 case STATE41:
2899 ret = _gnutls_recv_new_session_ticket (session);
2900 STATE = STATE41;
2901 IMED_RET ("recv handshake new session ticket", ret, 1);
2902 STATE = STATE0;
2903 default:
2904 break;
2905 }
2906
2907 ret = _gnutls_recv_handshake_final (session, FALSE);
2908 IMED_RET ("recv handshake final 2", ret, 1);
2909
2910 }
2911
2912
2913 /* clear handshake buffer */
2914 _gnutls_handshake_hash_buffers_clear (session);
2915 return ret;
2916
2917 }
2918
2919 int
2920 _gnutls_generate_session_id (uint8_t * session_id, uint8_t * len)
2921 {
2922 int ret;
2923
2924 *len = TLS_MAX_SESSION_ID_SIZE;
2925
2926 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
2927 if (ret < 0)
2928 {
2929 gnutls_assert ();
2930 return ret;
2931 }
2932
2933 return 0;
2934 }
2935
2936 int
2937 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
2938 uint32_t data_size)
2939 {
2940 uint8_t type;
2941
2942 if (session->security_parameters.entity == GNUTLS_SERVER)
2943 {
2944 gnutls_assert ();
2945 return GNUTLS_E_UNEXPECTED_PACKET;
2946 }
2947 if (data_size < 1)
2948 {
2949 gnutls_assert ();
2950 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2951 }
2952 type = ((uint8_t *) data)[0];
2953 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
2954 {
2955 if (IS_DTLS(session))
2956 session->internals.dtls.hsk_read_seq++;
2957 return GNUTLS_E_REHANDSHAKE;
2958 }
2959 else
2960 {
2961 gnutls_assert ();
2962 return GNUTLS_E_UNEXPECTED_PACKET;
2963 }
2964 }
2965
2966 /* Returns 1 if the given KX has not the corresponding parameters
2967 * (DH or RSA) set up. Otherwise returns 0.
2968 */
2969 inline static int
2970 check_server_params (gnutls_session_t session,
2971 gnutls_kx_algorithm_t kx,
2972 gnutls_kx_algorithm_t * alg, int alg_size)
2973 {
2974 int cred_type;
2975 gnutls_dh_params_t dh_params = NULL;
2976 gnutls_rsa_params_t rsa_params = NULL;
2977 int j;
2978
2979 cred_type = _gnutls_map_kx_get_cred (kx, 1);
2980
2981 /* Read the Diffie-Hellman parameters, if any.
2982 */
2983 if (cred_type == GNUTLS_CRD_CERTIFICATE)
2984 {
2985 int delete;
2986 gnutls_certificate_credentials_t x509_cred =
2987 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
2988 cred_type, NULL);
2989
2990 if (x509_cred != NULL)
2991 {
2992 dh_params =
2993 _gnutls_get_dh_params (x509_cred->dh_params,
2994 x509_cred->params_func, session);
2995 rsa_params =
2996 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
2997 x509_cred->params_func,
2998 session);
2999 }
3000
3001 /* Check also if the certificate supports the
3002 * KX method.
3003 */
3004 delete = 1;
3005 for (j = 0; j < alg_size; j++)
3006 {
3007 if (alg[j] == kx)
3008 {
3009 delete = 0;
3010 break;
3011 }
3012 }
3013
3014 if (delete == 1)
3015 return 1;
3016
3017 #ifdef ENABLE_ANON
3018 }
3019 else if (cred_type == GNUTLS_CRD_ANON)
3020 {
3021 gnutls_anon_server_credentials_t anon_cred =
3022 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
3023 cred_type, NULL);
3024
3025 if (anon_cred != NULL)
3026 {
3027 dh_params =
3028 _gnutls_get_dh_params (anon_cred->dh_params,
3029 anon_cred->params_func, session);
3030 }
3031 #endif
3032 #ifdef ENABLE_PSK
3033 }
3034 else if (cred_type == GNUTLS_CRD_PSK)
3035 {
3036 gnutls_psk_server_credentials_t psk_cred =
3037 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
3038 cred_type, NULL);
3039
3040 if (psk_cred != NULL)
3041 {
3042 dh_params =
3043 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3044 session);
3045 }
3046 #endif
3047 }
3048 else
3049 return 0; /* no need for params */
3050
3051
3052 /* If the key exchange method needs RSA or DH params,
3053 * but they are not set then remove it.
3054 */
3055 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3056 {
3057 /* needs rsa params. */
3058 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3059 {
3060 gnutls_assert ();
3061 return 1;
3062 }
3063 }
3064
3065 if (_gnutls_kx_needs_dh_params (kx) != 0)
3066 {
3067 /* needs DH params. */
3068 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3069 {
3070 gnutls_assert ();
3071 return 1;
3072 }
3073 }
3074
3075 return 0;
3076 }
3077
3078 /* This function will remove algorithms that are not supported by
3079 * the requested authentication method. We remove an algorithm if
3080 * we have a certificate with keyUsage bits set.
3081 *
3082 * This does a more high level check than gnutls_supported_ciphersuites(),
3083 * by checking certificates etc.
3084 */
3085 static int
3086 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3087 uint8_t * cipher_suites,
3088 int cipher_suites_size,
3089 gnutls_pk_algorithm_t *pk_algos,
3090 size_t pk_algos_size)
3091 {
3092
3093 int ret = 0;
3094 int i, new_suites_size;
3095 gnutls_certificate_credentials_t cert_cred;
3096 gnutls_kx_algorithm_t kx;
3097 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3098 gnutls_kx_algorithm_t alg[MAX_ALGOS];
3099 int alg_size = MAX_ALGOS;
3100
3101 /* if we should use a specific certificate,
3102 * we should remove all algorithms that are not supported
3103 * by that certificate and are on the same authentication
3104 * method (CERTIFICATE).
3105 */
3106
3107 cert_cred =
3108 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3109 GNUTLS_CRD_CERTIFICATE,
3110 NULL);
3111
3112 /* If there are certificate credentials, find an appropriate certificate
3113 * or disable them;
3114 */
3115 if (session->security_parameters.entity == GNUTLS_SERVER
3116 && cert_cred != NULL && pk_algos_size > 0)
3117 {
3118 ret = _gnutls_server_select_cert (session, pk_algos, pk_algos_size);
3119 if (ret < 0)
3120 {
3121 gnutls_assert ();
3122 _gnutls_debug_log ("Could not find an appropriate certificate: %s\n",
3123 gnutls_strerror (ret));
3124 }
3125 }
3126
3127 /* get all the key exchange algorithms that are
3128 * supported by the X509 certificate parameters.
3129 */
3130 if ((ret =
3131 _gnutls_selected_cert_supported_kx (session, alg, &alg_size)) < 0)
3132 {
3133 gnutls_assert ();
3134 return ret;
3135 }
3136
3137 new_suites_size = 0;
3138
3139 /* now removes ciphersuites based on the KX algorithm
3140 */
3141 for (i = 0; i < cipher_suites_size; i+=2)
3142 {
3143 int delete = 0;
3144
3145 /* finds the key exchange algorithm in
3146 * the ciphersuite
3147 */
3148 kx = _gnutls_cipher_suite_get_kx_algo (&cipher_suites[i]);
3149
3150 /* if it is defined but had no credentials
3151 */
3152 if (_gnutls_get_kx_cred (session, kx, NULL) == NULL)
3153 {
3154 delete = 1;
3155 }
3156 else
3157 {
3158 delete = 0;
3159
3160 if (server)
3161 delete = check_server_params (session, kx, alg, alg_size);
3162 }
3163
3164 /* If we have not agreed to a common curve with the peer don't bother
3165 * negotiating ECDH.
3166 */
3167 if (server != 0 && _gnutls_kx_is_ecc(kx))
3168 {
3169 if (_gnutls_session_ecc_curve_get(session) == GNUTLS_ECC_CURVE_INVALID)
3170 {
3171 delete = 1;
3172 }
3173 }
3174
3175 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3176 (see cred_mappings in gnutls_algorithms.c), but it also
3177 requires a SRP credential. Don't use SRP kx unless we have a
3178 SRP credential too. */
3179 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3180 {
3181 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
3182 {
3183 delete = 1;
3184 }
3185 }
3186
3187 if (delete == 0)
3188 {
3189
3190 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s (%.2X.%.2X)\n",
3191 session,
3192 _gnutls_cipher_suite_get_name (&cipher_suites[i]),
3193 cipher_suites[i], cipher_suites[i+1]);
3194
3195 if (i != new_suites_size)
3196 memmove( &cipher_suites[new_suites_size], &cipher_suites[i], 2);
3197 new_suites_size+=2;
3198 }
3199 else
3200 {
3201 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3202 session,
3203 _gnutls_cipher_suite_get_name (&cipher_suites[i]));
3204
3205 }
3206 }
3207
3208 ret = new_suites_size;
3209
3210 return ret;
3211
3212 }
3213
3214 /**
3215 * gnutls_handshake_set_max_packet_length:
3216 * @session: is a #gnutls_session_t structure.
3217 * @max: is the maximum number.
3218 *
3219 * This function will set the maximum size of all handshake messages.
3220 * Handshakes over this size are rejected with
3221 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3222 * 48kb which is typically large enough. Set this to 0 if you do not
3223 * want to set an upper limit.
3224 *
3225 * The reason for restricting the handshake message sizes are to
3226 * limit Denial of Service attacks.
3227 **/
3228 void
3229 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3230 {
3231 session->internals.max_handshake_data_buffer_size = max;
3232 }
3233
3234 void
3235 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3236 {
3237 set_adv_version (session, _gnutls_version_get_major (ver),
3238 _gnutls_version_get_minor (ver));
3239 }
3240
3241 gnutls_protocol_t
3242 _gnutls_get_adv_version (gnutls_session_t session)
3243 {
3244 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3245 _gnutls_get_adv_version_minor (session));
3246 }
3247
3248 /**
3249 * gnutls_handshake_get_last_in:
3250 * @session: is a #gnutls_session_t structure.
3251 *
3252 * This function is only useful to check where the last performed
3253 * handshake failed. If the previous handshake succeed or was not
3254 * performed at all then no meaningful value will be returned.
3255 *
3256 * Check %gnutls_handshake_description_t in gnutls.h for the
3257 * available handshake descriptions.
3258 *
3259 * Returns: the last handshake message type received, a
3260 * %gnutls_handshake_description_t.
3261 **/
3262 gnutls_handshake_description_t
3263 gnutls_handshake_get_last_in (gnutls_session_t session)
3264 {
3265 return session->internals.last_handshake_in;
3266 }
3267
3268 /**
3269 * gnutls_handshake_get_last_out:
3270 * @session: is a #gnutls_session_t structure.
3271 *
3272 * This function is only useful to check where the last performed
3273 * handshake failed. If the previous handshake succeed or was not
3274 * performed at all then no meaningful value will be returned.
3275 *
3276 * Check %gnutls_handshake_description_t in gnutls.h for the
3277 * available handshake descriptions.
3278 *
3279 * Returns: the last handshake message type sent, a
3280 * %gnutls_handshake_description_t.
3281 **/
3282 gnutls_handshake_description_t
3283 gnutls_handshake_get_last_out (gnutls_session_t session)
3284 {
3285 return session->internals.last_handshake_out;
3286 }
Implementation of the SSL/TLS protocol