search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add.
[gnutls.git] / lib / gnutls_handshake.c
blobf8d2724ff3d7c92e3f9755ab989b986f9c5802aa
1 /*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
3 *
4 * Author: Nikos Mavroyanopoulos
5 *
6 * This file is part of GNUTLS.
7 *
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
12 *
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
17 *
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
21 * USA
22 *
23 */
24
25 /* Functions that relate to the TLS handshake procedure.
26 */
27
28 #include "gnutls_int.h"
29 #include "gnutls_errors.h"
30 #include "gnutls_dh.h"
31 #include "debug.h"
32 #include "gnutls_algorithms.h"
33 #include "gnutls_compress.h"
34 #include "gnutls_cipher.h"
35 #include "gnutls_buffers.h"
36 #include "gnutls_kx.h"
37 #include "gnutls_handshake.h"
38 #include "gnutls_num.h"
39 #include "gnutls_hash_int.h"
40 #include "gnutls_db.h"
41 #include "gnutls_extensions.h"
42 #include "gnutls_supplemental.h"
43 #include "gnutls_auth_int.h"
44 #include "gnutls_v2_compat.h"
45 #include "auth_cert.h"
46 #include "gnutls_cert.h"
47 #include "gnutls_constate.h"
48 #include <gnutls_record.h>
49 #include <gnutls_state.h>
50 #include <ext_srp.h>
51 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
52 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
53 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
54 #include <gc.h>
55
56 #ifdef HANDSHAKE_DEBUG
57 #define ERR(x, y) _gnutls_handshake_log( "HSK[%x]: %s (%d)\n", session, x,y)
58 #else
59 #define ERR(x, y)
60 #endif
61
62 #define TRUE 1
63 #define FALSE 0
64
65 int _gnutls_server_select_comp_method (gnutls_session_t session,
66 opaque * data, int datalen);
67
68
69 /* Clears the handshake hash buffers and handles.
70 */
71 inline static void
72 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
73 {
74 _gnutls_hash_deinit (session->internals.handshake_mac_handle_md5, NULL);
75 _gnutls_hash_deinit (session->internals.handshake_mac_handle_sha, NULL);
76 session->internals.handshake_mac_handle_md5 = NULL;
77 session->internals.handshake_mac_handle_sha = NULL;
78 _gnutls_handshake_buffer_clear (session);
79 }
80
81 /* this will copy the required values for resuming to
82 * internals, and to security_parameters.
83 * this will keep as less data to security_parameters.
84 */
85 static void
86 resume_copy_required_values (gnutls_session_t session)
87 {
88 /* get the new random values */
89 memcpy (session->internals.resumed_security_parameters.
90 server_random,
91 session->security_parameters.server_random, TLS_RANDOM_SIZE);
92 memcpy (session->internals.resumed_security_parameters.
93 client_random,
94 session->security_parameters.client_random, TLS_RANDOM_SIZE);
95
96 /* keep the ciphersuite and compression
97 * That is because the client must see these in our
98 * hello message.
99 */
100 memcpy (session->security_parameters.current_cipher_suite.
101 suite,
102 session->internals.resumed_security_parameters.
103 current_cipher_suite.suite, 2);
104
105 session->internals.compression_method =
106 session->internals.resumed_security_parameters.read_compression_algorithm;
107 /* or write_compression_algorithm
108 * they are the same
109 */
110
111 session->security_parameters.entity =
112 session->internals.resumed_security_parameters.entity;
113
114 _gnutls_set_current_version (session,
115 session->internals.
116 resumed_security_parameters.version);
117
118 session->security_parameters.cert_type =
119 session->internals.resumed_security_parameters.cert_type;
120
121 memcpy (session->security_parameters.session_id,
122 session->internals.resumed_security_parameters.
123 session_id, sizeof (session->security_parameters.session_id));
124 session->security_parameters.session_id_size =
125 session->internals.resumed_security_parameters.session_id_size;
126 }
127
128 void
129 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
130 {
131 memcpy (session->security_parameters.server_random, rnd, TLS_RANDOM_SIZE);
132 }
133
134 void
135 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
136 {
137 memcpy (session->security_parameters.client_random, rnd, TLS_RANDOM_SIZE);
138 }
139
140 /* Calculate The SSL3 Finished message
141 */
142 #define SSL3_CLIENT_MSG "CLNT"
143 #define SSL3_SERVER_MSG "SRVR"
144 #define SSL_MSG_LEN 4
145 static int
146 _gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret)
147 {
148 const int siz = SSL_MSG_LEN;
149 mac_hd_t td_md5;
150 mac_hd_t td_sha;
151 const char *mesg;
152
153 td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5);
154 if (td_md5 == NULL)
155 {
156 gnutls_assert ();
157 return GNUTLS_E_HASH_FAILED;
158 }
159
160 td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha);
161 if (td_sha == NULL)
162 {
163 gnutls_assert ();
164 _gnutls_hash_deinit (td_md5, NULL);
165 return GNUTLS_E_HASH_FAILED;
166 }
167
168 if (type == GNUTLS_SERVER)
169 {
170 mesg = SSL3_SERVER_MSG;
171 }
172 else
173 {
174 mesg = SSL3_CLIENT_MSG;
175 }
176
177 _gnutls_hash (td_md5, mesg, siz);
178 _gnutls_hash (td_sha, mesg, siz);
179
180 _gnutls_mac_deinit_ssl3_handshake (td_md5, ret,
181 session->security_parameters.
182 master_secret, TLS_MASTER_SIZE);
183 _gnutls_mac_deinit_ssl3_handshake (td_sha, &ret[16],
184 session->security_parameters.
185 master_secret, TLS_MASTER_SIZE);
186
187 return 0;
188 }
189
190 /* Hash the handshake messages as required by TLS 1.0
191 */
192 #define SERVER_MSG "server finished"
193 #define CLIENT_MSG "client finished"
194 #define TLS_MSG_LEN 15
195 int
196 _gnutls_finished (gnutls_session_t session, int type, void *ret)
197 {
198 const int siz = TLS_MSG_LEN;
199 opaque concat[36];
200 size_t len;
201 const char *mesg;
202 mac_hd_t td_md5 = NULL;
203 mac_hd_t td_sha;
204 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
205
206 if (ver < GNUTLS_TLS1_2)
207 {
208 td_md5 = _gnutls_hash_copy (session->internals.handshake_mac_handle_md5);
209 if (td_md5 == NULL)
210 {
211 gnutls_assert ();
212 return GNUTLS_E_HASH_FAILED;
213 }
214 }
215
216 td_sha = _gnutls_hash_copy (session->internals.handshake_mac_handle_sha);
217 if (td_sha == NULL)
218 {
219 gnutls_assert ();
220 _gnutls_hash_deinit (td_md5, NULL);
221 return GNUTLS_E_HASH_FAILED;
222 }
223
224 if (ver < GNUTLS_TLS1_2)
225 {
226 _gnutls_hash_deinit (td_md5, concat);
227 _gnutls_hash_deinit (td_sha, &concat[16]);
228 len = 20 + 16;
229 }
230 else
231 {
232 _gnutls_hash_deinit (td_sha, concat);
233 len = 20;
234 }
235
236 if (type == GNUTLS_SERVER)
237 {
238 mesg = SERVER_MSG;
239 }
240 else
241 {
242 mesg = CLIENT_MSG;
243 }
244
245 return _gnutls_PRF (session, session->security_parameters.master_secret,
246 TLS_MASTER_SIZE, mesg, siz, concat, len, 12, ret);
247 }
248
249 /* this function will produce TLS_RANDOM_SIZE==32 bytes of random data
250 * and put it to dst.
251 */
252 int
253 _gnutls_tls_create_random (opaque * dst)
254 {
255 uint32_t tim;
256
257 /* Use weak random numbers for the most of the
258 * buffer except for the first 4 that are the
259 * system's time.
260 */
261
262 tim = time (NULL);
263 /* generate server random value */
264 _gnutls_write_uint32 (tim, dst);
265
266 if (gc_nonce (&dst[4], TLS_RANDOM_SIZE - 4) != GC_OK)
267 {
268 gnutls_assert ();
269 return GNUTLS_E_RANDOM_FAILED;
270 }
271
272 return 0;
273 }
274
275
276 /* Read a client hello packet.
277 * A client hello must be a known version client hello
278 * or version 2.0 client hello (only for compatibility
279 * since SSL version 2.0 is not supported).
280 */
281 int
282 _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
283 int datalen)
284 {
285 uint8_t session_id_len, z;
286 int pos = 0, ret;
287 uint16_t suite_size;
288 gnutls_protocol_t version;
289 int len = datalen;
290 opaque rnd[TLS_RANDOM_SIZE], *suite_ptr;
291 gnutls_protocol_t ver;
292
293 if (session->internals.v2_hello != 0)
294 { /* version 2.0 */
295 return _gnutls_read_client_hello_v2 (session, data, datalen);
296 }
297 DECR_LEN (len, 2);
298
299 _gnutls_handshake_log ("HSK[%x]: Client's version: %d.%d\n", session,
300 data[pos], data[pos + 1]);
301
302 version = _gnutls_version_get (data[pos], data[pos + 1]);
303 set_adv_version (session, data[pos], data[pos + 1]);
304 pos += 2;
305
306 /* if we do not support that version */
307 if (_gnutls_version_is_supported (session, version) == 0)
308 {
309 /* If he requested something we do not support
310 * then we send him the highest we support.
311 */
312 ver = _gnutls_version_max (session);
313 if (ver == GNUTLS_VERSION_UNKNOWN)
314 {
315 /* this check is not really needed.
316 */
317 gnutls_assert ();
318 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
319 }
320 }
321 else
322 {
323 ver = version;
324 }
325
326 _gnutls_set_current_version (session, ver);
327
328 /* Read client random value.
329 */
330 DECR_LEN (len, TLS_RANDOM_SIZE);
331 _gnutls_set_client_random (session, &data[pos]);
332 pos += TLS_RANDOM_SIZE;
333
334 _gnutls_tls_create_random (rnd);
335 _gnutls_set_server_random (session, rnd);
336
337 session->security_parameters.timestamp = time (NULL);
338
339 DECR_LEN (len, 1);
340 session_id_len = data[pos++];
341
342 /* RESUME SESSION
343 */
344 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
345 {
346 gnutls_assert ();
347 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
348 }
349 DECR_LEN (len, session_id_len);
350 ret = _gnutls_server_restore_session (session, &data[pos], session_id_len);
351 pos += session_id_len;
352
353 if (ret == 0)
354 { /* resumed! */
355 resume_copy_required_values (session);
356 session->internals.resumed = RESUME_TRUE;
357 return 0;
358 }
359 else
360 {
361 _gnutls_generate_session_id (session->security_parameters.
362 session_id,
363 &session->security_parameters.
364 session_id_size);
365
366 session->internals.resumed = RESUME_FALSE;
367 }
368
369 /* Remember ciphersuites for later
370 */
371 DECR_LEN (len, 2);
372 suite_size = _gnutls_read_uint16 (&data[pos]);
373 pos += 2;
374
375 DECR_LEN (len, suite_size);
376 suite_ptr = &data[pos];
377 pos += suite_size;
378
379 /* Select an appropriate compression method
380 */
381 DECR_LEN (len, 1);
382 z = data[pos++]; /* z is the number of compression methods */
383
384 DECR_LEN (len, z);
385 ret = _gnutls_server_select_comp_method (session, &data[pos], z);
386 pos += z;
387
388 if (ret < 0)
389 {
390 gnutls_assert ();
391 return ret;
392 }
393
394 /* Parse the extensions (if any)
395 */
396 if (ver >= GNUTLS_TLS1)
397 {
398 ret = _gnutls_parse_extensions (session, &data[pos], len); /* len is the rest of the parsed length */
399 if (ret < 0)
400 {
401 gnutls_assert ();
402 return ret;
403 }
404 }
405
406 /* select an appropriate cipher suite
407 */
408 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
409 if (ret < 0)
410 {
411 gnutls_assert ();
412 return ret;
413 }
414
415 return 0;
416 }
417
418 /* here we hash all pending data.
419 */
420 inline static int
421 _gnutls_handshake_hash_pending (gnutls_session_t session)
422 {
423 size_t siz;
424 int ret;
425 opaque *data;
426
427 if (session->internals.handshake_mac_handle_sha == NULL ||
428 session->internals.handshake_mac_handle_md5 == NULL)
429 {
430 gnutls_assert ();
431 return GNUTLS_E_INTERNAL_ERROR;
432 }
433
434 /* We check if there are pending data to hash.
435 */
436 if ((ret = _gnutls_handshake_buffer_get_ptr (session, &data, &siz)) < 0)
437 {
438 gnutls_assert ();
439 return ret;
440 }
441
442 if (siz > 0)
443 {
444 _gnutls_hash (session->internals.handshake_mac_handle_sha, data, siz);
445 _gnutls_hash (session->internals.handshake_mac_handle_md5, data, siz);
446 }
447
448 _gnutls_handshake_buffer_empty (session);
449
450 return 0;
451 }
452
453
454 /* This is to be called after sending CHANGE CIPHER SPEC packet
455 * and initializing encryption. This is the first encrypted message
456 * we send.
457 */
458 int
459 _gnutls_send_finished (gnutls_session_t session, int again)
460 {
461 uint8_t data[36];
462 int ret;
463 int data_size = 0;
464
465
466 if (again == 0)
467 {
468
469 /* This is needed in order to hash all the required
470 * messages.
471 */
472 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
473 {
474 gnutls_assert ();
475 return ret;
476 }
477
478 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
479 {
480 ret =
481 _gnutls_ssl3_finished (session,
482 session->security_parameters.entity, data);
483 data_size = 36;
484 }
485 else
486 { /* TLS 1.0 */
487 ret =
488 _gnutls_finished (session,
489 session->security_parameters.entity, data);
490 data_size = 12;
491 }
492
493 if (ret < 0)
494 {
495 gnutls_assert ();
496 return ret;
497 }
498
499 }
500
501 ret =
502 _gnutls_send_handshake (session, data, data_size,
503 GNUTLS_HANDSHAKE_FINISHED);
504
505 return ret;
506 }
507
508 /* This is to be called after sending our finished message. If everything
509 * went fine we have negotiated a secure connection
510 */
511 int
512 _gnutls_recv_finished (gnutls_session_t session)
513 {
514 uint8_t data[36], *vrfy;
515 int data_size;
516 int ret;
517 int vrfysize;
518
519 ret =
520 _gnutls_recv_handshake (session, &vrfy, &vrfysize,
521 GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET);
522 if (ret < 0)
523 {
524 ERR ("recv finished int", ret);
525 gnutls_assert ();
526 return ret;
527 }
528
529
530 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
531 {
532 data_size = 36;
533 }
534 else
535 {
536 data_size = 12;
537 }
538
539 if (vrfysize != data_size)
540 {
541 gnutls_assert ();
542 gnutls_free (vrfy);
543 return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
544 }
545
546 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
547 {
548 ret =
549 _gnutls_ssl3_finished (session,
550 (session->security_parameters.
551 entity + 1) % 2, data);
552 }
553 else
554 { /* TLS 1.0 */
555 ret =
556 _gnutls_finished (session,
557 (session->security_parameters.entity +
558 1) % 2, data);
559 }
560
561 if (ret < 0)
562 {
563 gnutls_assert ();
564 gnutls_free (vrfy);
565 return ret;
566 }
567
568 if (memcmp (vrfy, data, data_size) != 0)
569 {
570 gnutls_assert ();
571 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
572 }
573 gnutls_free (vrfy);
574
575 return ret;
576 }
577
578 /* returns PK_RSA if the given cipher suite list only supports,
579 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
580 */
581 static int
582 _gnutls_server_find_pk_algos_in_ciphersuites (const opaque *
583 data, int datalen)
584 {
585 int j;
586 gnutls_pk_algorithm_t algo = GNUTLS_PK_NONE, prev_algo = 0;
587 gnutls_kx_algorithm_t kx;
588 cipher_suite_st cs;
589
590 if (datalen % 2 != 0)
591 {
592 gnutls_assert ();
593 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
594 }
595
596 for (j = 0; j < datalen; j += 2)
597 {
598 memcpy (&cs.suite, &data[j], 2);
599 kx = _gnutls_cipher_suite_get_kx_algo (&cs);
600
601 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
602 {
603 algo = _gnutls_map_pk_get_pk (kx);
604
605 if (algo != prev_algo && prev_algo != 0)
606 return GNUTLS_PK_ANY;
607 prev_algo = algo;
608 }
609 }
610
611 return algo;
612 }
613
614
615 /* This selects the best supported ciphersuite from the given ones. Then
616 * it adds the suite to the session and performs some checks.
617 */
618 int
619 _gnutls_server_select_suite (gnutls_session_t session, opaque * data,
620 int datalen)
621 {
622 int x, i, j;
623 cipher_suite_st *ciphers, cs;
624 int retval, err;
625 gnutls_pk_algorithm_t pk_algo; /* will hold the pk algorithms
626 * supported by the peer.
627 */
628
629 pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen);
630
631 x = _gnutls_supported_ciphersuites (session, &ciphers);
632 if (x < 0)
633 { /* the case x==0 is handled within the function. */
634 gnutls_assert ();
635 return x;
636 }
637
638 /* Here we remove any ciphersuite that does not conform
639 * the certificate requested, or to the
640 * authentication requested (e.g. SRP).
641 */
642 x = _gnutls_remove_unwanted_ciphersuites (session, &ciphers, x, pk_algo);
643 if (x <= 0)
644 {
645 gnutls_assert ();
646 gnutls_free (ciphers);
647 if (x < 0)
648 return x;
649 else
650 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
651 }
652
653 /* Data length should be zero mod 2 since
654 * every ciphersuite is 2 bytes. (this check is needed
655 * see below).
656 */
657 if (datalen % 2 != 0)
658 {
659 gnutls_assert ();
660 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
661 }
662 #ifdef HANDSHAKE_DEBUG
663
664 _gnutls_handshake_log ("HSK[%x]: Requested cipher suites: \n", session);
665 for (j = 0; j < datalen; j += 2)
666 {
667 memcpy (&cs.suite, &data[j], 2);
668 _gnutls_handshake_log ("\t%s\n", _gnutls_cipher_suite_get_name (&cs));
669 }
670 _gnutls_handshake_log ("HSK[%x]: Supported cipher suites: \n", session);
671 for (j = 0; j < x; j++)
672 _gnutls_handshake_log ("\t%s\n",
673 _gnutls_cipher_suite_get_name (&ciphers[j]));
674 #endif
675 memset (session->security_parameters.current_cipher_suite.suite, '\0', 2);
676
677 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
678
679 for (j = 0; j < datalen; j += 2)
680 {
681 for (i = 0; i < x; i++)
682 {
683 if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
684 {
685 memcpy (&cs.suite, &data[j], 2);
686
687 _gnutls_handshake_log
688 ("HSK[%x]: Selected cipher suite: %s\n", session,
689 _gnutls_cipher_suite_get_name (&cs));
690 memcpy (session->security_parameters.current_cipher_suite.
691 suite, ciphers[i].suite, 2);
692 retval = 0;
693 goto finish;
694 }
695 }
696 }
697
698 finish:
699 gnutls_free (ciphers);
700
701 if (retval != 0)
702 {
703 gnutls_assert ();
704 return retval;
705 }
706
707 /* check if the credentials (username, public key etc.) are ok
708 */
709 if (_gnutls_get_kx_cred
710 (session,
711 _gnutls_cipher_suite_get_kx_algo (&session->security_parameters.
712 current_cipher_suite),
713 &err) == NULL && err != 0)
714 {
715 gnutls_assert ();
716 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
717 }
718
719
720 /* set the mod_auth_st to the appropriate struct
721 * according to the KX algorithm. This is needed since all the
722 * handshake functions are read from there;
723 */
724 session->internals.auth_struct =
725 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
726 (&session->security_parameters.
727 current_cipher_suite));
728 if (session->internals.auth_struct == NULL)
729 {
730
731 _gnutls_handshake_log
732 ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n",
733 session);
734 gnutls_assert ();
735 return GNUTLS_E_INTERNAL_ERROR;
736 }
737
738 return 0;
739
740 }
741
742
743 /* This selects the best supported compression method from the ones provided
744 */
745 int
746 _gnutls_server_select_comp_method (gnutls_session_t session,
747 opaque * data, int datalen)
748 {
749 int x, i, j;
750 uint8_t *comps;
751
752 x = _gnutls_supported_compression_methods (session, &comps);
753 if (x < 0)
754 {
755 gnutls_assert ();
756 return x;
757 }
758
759 memset (&session->internals.compression_method, 0,
760 sizeof (gnutls_compression_method_t));
761
762 for (j = 0; j < datalen; j++)
763 {
764 for (i = 0; i < x; i++)
765 {
766 if (comps[i] == data[j])
767 {
768 gnutls_compression_method_t method =
769 _gnutls_compression_get_id (comps[i]);
770
771 session->internals.compression_method = method;
772 gnutls_free (comps);
773
774 _gnutls_handshake_log
775 ("HSK[%x]: Selected Compression Method: %s\n", session,
776 gnutls_compression_get_name (session->internals.
777 compression_method));
778
779
780 return 0;
781 }
782 }
783 }
784
785 /* we were not able to find a compatible compression
786 * algorithm
787 */
788 gnutls_free (comps);
789 gnutls_assert ();
790 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
791
792 }
793
794 /* This function sends an empty handshake packet. (like hello request).
795 * If the previous _gnutls_send_empty_handshake() returned
796 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
797 * (until it returns ok), with NULL parameters.
798 */
799 int
800 _gnutls_send_empty_handshake (gnutls_session_t session,
801 gnutls_handshake_description_t type, int again)
802 {
803 opaque data = 0;
804 opaque *ptr;
805
806 if (again == 0)
807 ptr = &data;
808 else
809 ptr = NULL;
810
811 return _gnutls_send_handshake (session, ptr, 0, type);
812 }
813
814
815 /* This function will hash the handshake message we sent.
816 */
817 static int
818 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
819 gnutls_handshake_description_t type,
820 opaque * dataptr, uint32_t datalen)
821 {
822 int ret;
823
824 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
825 {
826 gnutls_assert ();
827 return ret;
828 }
829
830 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
831 {
832 _gnutls_hash (session->internals.handshake_mac_handle_sha, dataptr,
833 datalen);
834 _gnutls_hash (session->internals.handshake_mac_handle_md5, dataptr,
835 datalen);
836 }
837
838 return 0;
839 }
840
841
842 /* This function sends a handshake message of type 'type' containing the
843 * data specified here. If the previous _gnutls_send_handshake() returned
844 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
845 * (until it returns ok), with NULL parameters.
846 */
847 int
848 _gnutls_send_handshake (gnutls_session_t session, void *i_data,
849 uint32_t i_datasize,
850 gnutls_handshake_description_t type)
851 {
852 int ret;
853 uint8_t *data;
854 uint32_t datasize;
855 int pos = 0;
856
857 if (i_data == NULL && i_datasize == 0)
858 {
859 /* we are resuming a previously interrupted
860 * send.
861 */
862 ret = _gnutls_handshake_io_write_flush (session);
863 return ret;
864
865 }
866
867 if (i_data == NULL && i_datasize > 0)
868 {
869 gnutls_assert ();
870 return GNUTLS_E_INVALID_REQUEST;
871 }
872
873 /* first run */
874 datasize = i_datasize + HANDSHAKE_HEADER_SIZE;
875 data = gnutls_alloca (datasize);
876 if (data == NULL)
877 {
878 gnutls_assert ();
879 return GNUTLS_E_MEMORY_ERROR;
880 }
881
882 data[pos++] = (uint8_t) type;
883 _gnutls_write_uint24 (i_datasize, &data[pos]);
884 pos += 3;
885
886 if (i_datasize > 0)
887 memcpy (&data[pos], i_data, i_datasize);
888
889 _gnutls_handshake_log ("HSK[%x]: %s was send [%ld bytes]\n",
890 session, _gnutls_handshake2str (type), datasize);
891
892
893 /* Here we keep the handshake messages in order to hash them...
894 */
895 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
896 if ((ret =
897 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
898 {
899 gnutls_assert ();
900 gnutls_afree (data);
901 return ret;
902 }
903
904 session->internals.last_handshake_out = type;
905
906 ret =
907 _gnutls_handshake_io_send_int (session, GNUTLS_HANDSHAKE, type,
908 data, datasize);
909
910 gnutls_afree (data);
911
912 return ret;
913 }
914
915 /* This function will read the handshake header and return it to the caller. If the
916 * received handshake packet is not the one expected then it buffers the header, and
917 * returns UNEXPECTED_HANDSHAKE_PACKET.
918 *
919 * FIXME: This function is complex.
920 */
921 #define SSL2_HEADERS 1
922 static int
923 _gnutls_recv_handshake_header (gnutls_session_t session,
924 gnutls_handshake_description_t type,
925 gnutls_handshake_description_t * recv_type)
926 {
927 int ret;
928 uint32_t length32 = 0;
929 uint8_t *dataptr = NULL; /* for realloc */
930 size_t handshake_header_size = HANDSHAKE_HEADER_SIZE;
931
932 /* if we have data into the buffer then return them, do not read the next packet.
933 * In order to return we need a full TLS handshake header, or in case of a version 2
934 * packet, then we return the first byte.
935 */
936 if (session->internals.handshake_header_buffer.header_size ==
937 handshake_header_size || (session->internals.v2_hello != 0
938 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO
939 && session->internals.
940 handshake_header_buffer.packet_length > 0))
941 {
942
943 *recv_type = session->internals.handshake_header_buffer.recv_type;
944
945 return session->internals.handshake_header_buffer.packet_length;
946 }
947
948 /* Note: SSL2_HEADERS == 1 */
949
950 dataptr = session->internals.handshake_header_buffer.header;
951
952 /* If we haven't already read the handshake headers.
953 */
954 if (session->internals.handshake_header_buffer.header_size < SSL2_HEADERS)
955 {
956 ret =
957 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
958 type, dataptr, SSL2_HEADERS);
959
960 if (ret < 0)
961 {
962 gnutls_assert ();
963 return ret;
964 }
965
966 /* The case ret==0 is caught here.
967 */
968 if (ret != SSL2_HEADERS)
969 {
970 gnutls_assert ();
971 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
972 }
973 session->internals.handshake_header_buffer.header_size = SSL2_HEADERS;
974 }
975
976 if (session->internals.v2_hello == 0
977 || type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
978 {
979 ret =
980 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
981 type,
982 &dataptr[session->
983 internals.
984 handshake_header_buffer.
985 header_size],
986 HANDSHAKE_HEADER_SIZE -
987 session->internals.
988 handshake_header_buffer.header_size);
989 if (ret <= 0)
990 {
991 gnutls_assert ();
992 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
993 }
994 if ((size_t) ret !=
995 HANDSHAKE_HEADER_SIZE -
996 session->internals.handshake_header_buffer.header_size)
997 {
998 gnutls_assert ();
999 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1000 }
1001 *recv_type = dataptr[0];
1002
1003 /* we do not use DECR_LEN because we know
1004 * that the packet has enough data.
1005 */
1006 length32 = _gnutls_read_uint24 (&dataptr[1]);
1007 handshake_header_size = HANDSHAKE_HEADER_SIZE;
1008
1009 _gnutls_handshake_log ("HSK[%x]: %s was received [%ld bytes]\n",
1010 session, _gnutls_handshake2str (dataptr[0]),
1011 length32 + HANDSHAKE_HEADER_SIZE);
1012
1013 }
1014 else
1015 { /* v2 hello */
1016 length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */
1017
1018 handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
1019
1020 *recv_type = dataptr[0];
1021
1022 _gnutls_handshake_log ("HSK[%x]: %s(v2) was received [%ld bytes]\n",
1023 session, _gnutls_handshake2str (*recv_type),
1024 length32 + handshake_header_size);
1025
1026 if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1027 { /* it should be one or nothing */
1028 gnutls_assert ();
1029 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1030 }
1031 }
1032
1033 /* put the packet into the buffer */
1034 session->internals.handshake_header_buffer.header_size =
1035 handshake_header_size;
1036 session->internals.handshake_header_buffer.packet_length = length32;
1037 session->internals.handshake_header_buffer.recv_type = *recv_type;
1038
1039 if (*recv_type != type)
1040 {
1041 gnutls_assert ();
1042 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1043 }
1044
1045 return length32;
1046 }
1047
1048 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0
1049
1050
1051
1052 /* This function will hash the handshake headers and the
1053 * handshake data.
1054 */
1055 static int
1056 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1057 gnutls_handshake_description_t recv_type,
1058 opaque * header, uint16_t header_size,
1059 opaque * dataptr, uint32_t datalen)
1060 {
1061 int ret;
1062
1063 /* The idea here is to hash the previous message we received,
1064 * and add the one we just received into the handshake_hash_buffer.
1065 */
1066
1067 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1068 {
1069 gnutls_assert ();
1070 return ret;
1071 }
1072
1073 /* here we buffer the handshake messages - needed at Finished message */
1074 if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1075 {
1076
1077 if ((ret =
1078 _gnutls_handshake_buffer_put (session, header, header_size)) < 0)
1079 {
1080 gnutls_assert ();
1081 return ret;
1082 }
1083
1084 if (datalen > 0)
1085 {
1086 if ((ret =
1087 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1088 {
1089 gnutls_assert ();
1090 return ret;
1091 }
1092 }
1093 }
1094
1095 return 0;
1096 }
1097
1098
1099 /* This function will receive handshake messages of the given types,
1100 * and will pass the message to the right place in order to be processed.
1101 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1102 * passed to _gnutls_recv_hello().
1103 */
1104 int
1105 _gnutls_recv_handshake (gnutls_session_t session, uint8_t ** data,
1106 int *datalen, gnutls_handshake_description_t type,
1107 Optional optional)
1108 {
1109 int ret;
1110 uint32_t length32 = 0;
1111 opaque *dataptr = NULL;
1112 gnutls_handshake_description_t recv_type;
1113
1114 ret = _gnutls_recv_handshake_header (session, type, &recv_type);
1115 if (ret < 0)
1116 {
1117
1118 /* In SRP when expecting the server hello we may receive
1119 * an alert instead. Do as the draft demands.
1120 */
1121 if (ret == GNUTLS_E_WARNING_ALERT_RECEIVED &&
1122 gnutls_alert_get (session) == GNUTLS_A_MISSING_SRP_USERNAME &&
1123 type == GNUTLS_HANDSHAKE_SERVER_HELLO)
1124 {
1125 gnutls_assert ();
1126 return GNUTLS_E_INT_HANDSHAKE_AGAIN;
1127 }
1128
1129 if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1130 && optional == OPTIONAL_PACKET)
1131 {
1132 if (datalen != NULL)
1133 *datalen = 0;
1134 if (data != NULL)
1135 *data = NULL;
1136 return 0; /* ok just ignore the packet */
1137 }
1138
1139 return ret;
1140 }
1141
1142 session->internals.last_handshake_in = recv_type;
1143
1144 length32 = ret;
1145
1146 if (length32 > 0)
1147 dataptr = gnutls_malloc (length32);
1148 else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE)
1149 {
1150 gnutls_assert ();
1151 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1152 }
1153
1154 if (dataptr == NULL && length32 > 0)
1155 {
1156 gnutls_assert ();
1157 return GNUTLS_E_MEMORY_ERROR;
1158 }
1159
1160 if (datalen != NULL)
1161 *datalen = length32;
1162
1163 if (length32 > 0)
1164 {
1165 ret =
1166 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1167 type, dataptr, length32);
1168 if (ret <= 0)
1169 {
1170 gnutls_assert ();
1171 gnutls_free (dataptr);
1172 return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret;
1173 }
1174 }
1175
1176 if (data != NULL && length32 > 0)
1177 *data = dataptr;
1178
1179
1180 ret = _gnutls_handshake_hash_add_recvd (session, recv_type,
1181 session->internals.
1182 handshake_header_buffer.header,
1183 session->internals.
1184 handshake_header_buffer.
1185 header_size, dataptr, length32);
1186 if (ret < 0)
1187 {
1188 gnutls_assert ();
1189 _gnutls_handshake_header_buffer_clear (session);
1190 return ret;
1191 }
1192
1193 /* If we fail before this then we will reuse the handshake header
1194 * have have received above. if we get here the we clear the handshake
1195 * header we received.
1196 */
1197 _gnutls_handshake_header_buffer_clear (session);
1198
1199 switch (recv_type)
1200 {
1201 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1202 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1203 ret = _gnutls_recv_hello (session, dataptr, length32);
1204 /* dataptr is freed because the caller does not
1205 * need it */
1206 gnutls_free (dataptr);
1207 if (data != NULL)
1208 *data = NULL;
1209 break;
1210 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1211 if (length32 == 0)
1212 ret = 0;
1213 else
1214 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1215 break;
1216 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1217 case GNUTLS_HANDSHAKE_FINISHED:
1218 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1219 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1220 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1221 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1222 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1223 ret = length32;
1224 break;
1225 default:
1226 gnutls_assert ();
1227 gnutls_free (dataptr);
1228 if (data != NULL)
1229 *data = NULL;
1230 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1231 }
1232
1233 return ret;
1234 }
1235
1236 /* This function checks if the given cipher suite is supported, and sets it
1237 * to the session;
1238 */
1239 static int
1240 _gnutls_client_set_ciphersuite (gnutls_session_t session, opaque suite[2])
1241 {
1242 uint8_t z;
1243 cipher_suite_st *cipher_suites;
1244 int cipher_suite_num;
1245 int i, err;
1246
1247 z = 1;
1248 cipher_suite_num = _gnutls_supported_ciphersuites (session, &cipher_suites);
1249 if (cipher_suite_num < 0)
1250 {
1251 gnutls_assert ();
1252 return cipher_suite_num;
1253 }
1254
1255 for (i = 0; i < cipher_suite_num; i++)
1256 {
1257 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1258 {
1259 z = 0;
1260 break;
1261 }
1262 }
1263
1264 gnutls_free (cipher_suites);
1265
1266 if (z != 0)
1267 {
1268 gnutls_assert ();
1269 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1270 }
1271
1272 memcpy (session->security_parameters.current_cipher_suite.suite, suite, 2);
1273
1274 _gnutls_handshake_log ("HSK[%x]: Selected cipher suite: %s\n", session,
1275 _gnutls_cipher_suite_get_name (&session->
1276 security_parameters.
1277 current_cipher_suite));
1278
1279
1280 /* check if the credentials (username, public key etc.) are ok.
1281 * Actually checks if they exist.
1282 */
1283 if (_gnutls_get_kx_cred
1284 (session, _gnutls_cipher_suite_get_kx_algo (&session->
1285 security_parameters.
1286 current_cipher_suite),
1287 &err) == NULL && err != 0)
1288 {
1289 gnutls_assert ();
1290 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1291 }
1292
1293
1294 /* set the mod_auth_st to the appropriate struct
1295 * according to the KX algorithm. This is needed since all the
1296 * handshake functions are read from there;
1297 */
1298 session->internals.auth_struct =
1299 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1300 (&session->security_parameters.
1301 current_cipher_suite));
1302
1303 if (session->internals.auth_struct == NULL)
1304 {
1305
1306 _gnutls_handshake_log
1307 ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n",
1308 session);
1309 gnutls_assert ();
1310 return GNUTLS_E_INTERNAL_ERROR;
1311 }
1312
1313
1314 return 0;
1315 }
1316
1317 /* This function sets the given comp method to the session.
1318 */
1319 static int
1320 _gnutls_client_set_comp_method (gnutls_session_t session, opaque comp_method)
1321 {
1322 int comp_methods_num;
1323 uint8_t *compression_methods;
1324 int i;
1325
1326 comp_methods_num = _gnutls_supported_compression_methods (session,
1327 &compression_methods);
1328 if (comp_methods_num < 0)
1329 {
1330 gnutls_assert ();
1331 return comp_methods_num;
1332 }
1333
1334 for (i = 0; i < comp_methods_num; i++)
1335 {
1336 if (compression_methods[i] == comp_method)
1337 {
1338 comp_methods_num = 0;
1339 break;
1340 }
1341 }
1342
1343 gnutls_free (compression_methods);
1344
1345 if (comp_methods_num != 0)
1346 {
1347 gnutls_assert ();
1348 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1349 }
1350
1351 session->internals.compression_method =
1352 _gnutls_compression_get_id (comp_method);
1353
1354
1355 return 0;
1356 }
1357
1358 /* This function returns 0 if we are resuming a session or -1 otherwise.
1359 * This also sets the variables in the session. Used only while reading a server
1360 * hello.
1361 */
1362 static int
1363 _gnutls_client_check_if_resuming (gnutls_session_t session,
1364 opaque * session_id, int session_id_len)
1365 {
1366 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1367
1368 _gnutls_handshake_log ("HSK[%x]: SessionID length: %d\n", session,
1369 session_id_len);
1370 _gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session,
1371 _gnutls_bin2hex (session_id, session_id_len, buf,
1372 sizeof (buf)));
1373
1374 if (session_id_len > 0 &&
1375 session->internals.resumed_security_parameters.session_id_size ==
1376 session_id_len
1377 && memcmp (session_id,
1378 session->internals.resumed_security_parameters.
1379 session_id, session_id_len) == 0)
1380 {
1381 /* resume session */
1382 memcpy (session->internals.
1383 resumed_security_parameters.server_random,
1384 session->security_parameters.server_random, TLS_RANDOM_SIZE);
1385 memcpy (session->internals.
1386 resumed_security_parameters.client_random,
1387 session->security_parameters.client_random, TLS_RANDOM_SIZE);
1388 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1389
1390 return 0;
1391 }
1392 else
1393 {
1394 /* keep the new session id */
1395 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1396 session->security_parameters.session_id_size = session_id_len;
1397 memcpy (session->security_parameters.session_id,
1398 session_id, session_id_len);
1399
1400 return -1;
1401 }
1402 }
1403
1404
1405 /* This function reads and parses the server hello handshake message.
1406 * This function also restores resumed parameters if we are resuming a
1407 * session.
1408 */
1409 static int
1410 _gnutls_read_server_hello (gnutls_session_t session,
1411 opaque * data, int datalen)
1412 {
1413 uint8_t session_id_len = 0;
1414 int pos = 0;
1415 int ret = 0;
1416 gnutls_protocol_t version;
1417 int len = datalen;
1418
1419 if (datalen < 38)
1420 {
1421 gnutls_assert ();
1422 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1423 }
1424
1425 _gnutls_handshake_log ("HSK[%x]: Server's version: %d.%d\n",
1426 session, data[pos], data[pos + 1]);
1427
1428 DECR_LEN (len, 2);
1429 version = _gnutls_version_get (data[pos], data[pos + 1]);
1430 if (_gnutls_version_is_supported (session, version) == 0)
1431 {
1432 gnutls_assert ();
1433 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1434 }
1435 else
1436 {
1437 _gnutls_set_current_version (session, version);
1438 }
1439
1440 pos += 2;
1441
1442 DECR_LEN (len, TLS_RANDOM_SIZE);
1443 _gnutls_set_server_random (session, &data[pos]);
1444 pos += TLS_RANDOM_SIZE;
1445
1446
1447 /* Read session ID
1448 */
1449 DECR_LEN (len, 1);
1450 session_id_len = data[pos++];
1451
1452 if (len < session_id_len)
1453 {
1454 gnutls_assert ();
1455 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1456 }
1457 DECR_LEN (len, session_id_len);
1458
1459
1460 /* check if we are resuming and set the appropriate
1461 * values;
1462 */
1463 if (_gnutls_client_check_if_resuming
1464 (session, &data[pos], session_id_len) == 0)
1465 return 0;
1466 pos += session_id_len;
1467
1468
1469 /* Check if the given cipher suite is supported and copy
1470 * it to the session.
1471 */
1472
1473 DECR_LEN (len, 2);
1474 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1475 if (ret < 0)
1476 {
1477 gnutls_assert ();
1478 return ret;
1479 }
1480 pos += 2;
1481
1482
1483
1484 /* move to compression
1485 */
1486 DECR_LEN (len, 1);
1487
1488 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1489 if (ret < 0)
1490 {
1491 gnutls_assert ();
1492 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1493 }
1494
1495 /* Parse extensions.
1496 */
1497 if (version >= GNUTLS_TLS1)
1498 {
1499 ret = _gnutls_parse_extensions (session, &data[pos], len); /* len is the rest of the parsed length */
1500 if (ret < 0)
1501 {
1502 gnutls_assert ();
1503 return ret;
1504 }
1505 }
1506 return ret;
1507 }
1508
1509
1510 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1511 * Needed in client hello messages. Returns the new data length.
1512 */
1513 static int
1514 _gnutls_copy_ciphersuites (gnutls_session_t session,
1515 opaque * ret_data, size_t ret_data_size)
1516 {
1517 int ret, i;
1518 cipher_suite_st *cipher_suites;
1519 uint16_t cipher_num;
1520 int datalen, pos;
1521
1522 ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
1523 if (ret < 0)
1524 {
1525 gnutls_assert ();
1526 return ret;
1527 }
1528
1529 /* Here we remove any ciphersuite that does not conform
1530 * the certificate requested, or to the
1531 * authentication requested (eg SRP).
1532 */
1533 ret =
1534 _gnutls_remove_unwanted_ciphersuites (session, &cipher_suites, ret, -1);
1535 if (ret < 0)
1536 {
1537 gnutls_assert ();
1538 gnutls_free (cipher_suites);
1539 return ret;
1540 }
1541
1542 /* If no cipher suites were enabled.
1543 */
1544 if (ret == 0)
1545 {
1546 gnutls_assert ();
1547 gnutls_free (cipher_suites);
1548 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1549 }
1550
1551 cipher_num = ret;
1552
1553 cipher_num *= sizeof (uint16_t); /* in order to get bytes */
1554
1555 datalen = pos = 0;
1556
1557 datalen += sizeof (uint16_t) + cipher_num;
1558
1559 if ((size_t) datalen > ret_data_size)
1560 {
1561 gnutls_assert ();
1562 return GNUTLS_E_INTERNAL_ERROR;
1563 }
1564
1565 _gnutls_write_uint16 (cipher_num, ret_data);
1566 pos += 2;
1567
1568 for (i = 0; i < (cipher_num / 2); i++)
1569 {
1570 memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
1571 pos += 2;
1572 }
1573 gnutls_free (cipher_suites);
1574
1575 return datalen;
1576 }
1577
1578
1579 /* This function copies the appropriate compression methods, to a locally allocated buffer
1580 * Needed in hello messages. Returns the new data length.
1581 */
1582 static int
1583 _gnutls_copy_comp_methods (gnutls_session_t session,
1584 opaque * ret_data, size_t ret_data_size)
1585 {
1586 int ret, i;
1587 uint8_t *compression_methods, comp_num;
1588 int datalen, pos;
1589
1590 ret = _gnutls_supported_compression_methods (session, &compression_methods);
1591 if (ret < 0)
1592 {
1593 gnutls_assert ();
1594 return ret;
1595 }
1596
1597 comp_num = ret;
1598
1599 datalen = pos = 0;
1600 datalen += comp_num + 1;
1601
1602 if ((size_t) datalen > ret_data_size)
1603 {
1604 gnutls_assert ();
1605 return GNUTLS_E_INTERNAL_ERROR;
1606 }
1607
1608 ret_data[pos++] = comp_num; /* put the number of compression methods */
1609
1610 for (i = 0; i < comp_num; i++)
1611 {
1612 ret_data[pos++] = compression_methods[i];
1613 }
1614
1615 gnutls_free (compression_methods);
1616
1617 return datalen;
1618 }
1619
1620 /* This should be sufficient by now. It should hold all the extensions
1621 * plus the headers in a hello message.
1622 */
1623 #define MAX_EXT_DATA_LENGTH 1024
1624
1625 /* This function sends the client hello handshake message.
1626 */
1627 static int
1628 _gnutls_send_client_hello (gnutls_session_t session, int again)
1629 {
1630 opaque *data = NULL;
1631 int extdatalen;
1632 int pos = 0;
1633 int datalen = 0, ret = 0;
1634 opaque rnd[TLS_RANDOM_SIZE];
1635 gnutls_protocol_t hver;
1636 opaque extdata[MAX_EXT_DATA_LENGTH];
1637
1638 opaque *SessionID =
1639 session->internals.resumed_security_parameters.session_id;
1640 uint8_t session_id_len =
1641 session->internals.resumed_security_parameters.session_id_size;
1642
1643 if (SessionID == NULL)
1644 session_id_len = 0;
1645 else if (session_id_len == 0)
1646 SessionID = NULL;
1647
1648 if (again == 0)
1649 {
1650
1651 datalen = 2 + (session_id_len + 1) + TLS_RANDOM_SIZE;
1652 /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE)
1653 */
1654
1655 data = gnutls_malloc (datalen);
1656 if (data == NULL)
1657 {
1658 gnutls_assert ();
1659 return GNUTLS_E_MEMORY_ERROR;
1660 }
1661
1662 /* if we are resuming a session then we set the
1663 * version number to the previously established.
1664 */
1665 if (SessionID == NULL)
1666 hver = _gnutls_version_max (session);
1667 else
1668 { /* we are resuming a session */
1669 hver = session->internals.resumed_security_parameters.version;
1670 }
1671
1672 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
1673 {
1674 gnutls_assert ();
1675 gnutls_free (data);
1676 return GNUTLS_E_INTERNAL_ERROR;
1677 }
1678
1679 data[pos++] = _gnutls_version_get_major (hver);
1680 data[pos++] = _gnutls_version_get_minor (hver);
1681
1682 /* Set the version we advertized as maximum
1683 * (RSA uses it).
1684 */
1685 _gnutls_set_adv_version (session, hver);
1686
1687 /* Some old implementations do not interoperate if we send a
1688 * different version in the record layer.
1689 * It seems they prefer to read the record's version
1690 * as the one we actually requested.
1691 * The proper behaviour is to use the one in the client hello
1692 * handshake packet and ignore the one in the packet's record
1693 * header.
1694 */
1695 _gnutls_set_current_version (session, hver);
1696
1697 /* In order to know when this session was initiated.
1698 */
1699 session->security_parameters.timestamp = time (NULL);
1700
1701 /* Generate random data
1702 */
1703 _gnutls_tls_create_random (rnd);
1704 _gnutls_set_client_random (session, rnd);
1705
1706 memcpy (&data[pos], rnd, TLS_RANDOM_SIZE);
1707 pos += TLS_RANDOM_SIZE;
1708
1709 /* Copy the Session ID
1710 */
1711 data[pos++] = session_id_len;
1712
1713 if (session_id_len > 0)
1714 {
1715 memcpy (&data[pos], SessionID, session_id_len);
1716 pos += session_id_len;
1717 }
1718
1719
1720 /* Copy the ciphersuites.
1721 */
1722 extdatalen =
1723 _gnutls_copy_ciphersuites (session, extdata, sizeof (extdata));
1724 if (extdatalen > 0)
1725 {
1726 datalen += extdatalen;
1727 data = gnutls_realloc_fast (data, datalen);
1728 if (data == NULL)
1729 {
1730 gnutls_assert ();
1731 return GNUTLS_E_MEMORY_ERROR;
1732 }
1733
1734 memcpy (&data[pos], extdata, extdatalen);
1735 pos += extdatalen;
1736
1737 }
1738 else
1739 {
1740 if (extdatalen == 0)
1741 extdatalen = GNUTLS_E_INTERNAL_ERROR;
1742 gnutls_free (data);
1743 gnutls_assert ();
1744 return extdatalen;
1745 }
1746
1747
1748 /* Copy the compression methods.
1749 */
1750 extdatalen =
1751 _gnutls_copy_comp_methods (session, extdata, sizeof (extdata));
1752 if (extdatalen > 0)
1753 {
1754 datalen += extdatalen;
1755 data = gnutls_realloc_fast (data, datalen);
1756 if (data == NULL)
1757 {
1758 gnutls_assert ();
1759 return GNUTLS_E_MEMORY_ERROR;
1760 }
1761
1762 memcpy (&data[pos], extdata, extdatalen);
1763 pos += extdatalen;
1764
1765 }
1766 else
1767 {
1768 if (extdatalen == 0)
1769 extdatalen = GNUTLS_E_INTERNAL_ERROR;
1770 gnutls_free (data);
1771 gnutls_assert ();
1772 return extdatalen;
1773 }
1774
1775 /* Generate and copy TLS extensions.
1776 */
1777 if (hver >= GNUTLS_TLS1)
1778 {
1779 extdatalen =
1780 _gnutls_gen_extensions (session, extdata, sizeof (extdata));
1781
1782 if (extdatalen > 0)
1783 {
1784 datalen += extdatalen;
1785 data = gnutls_realloc_fast (data, datalen);
1786 if (data == NULL)
1787 {
1788 gnutls_assert ();
1789 return GNUTLS_E_MEMORY_ERROR;
1790 }
1791
1792 memcpy (&data[pos], extdata, extdatalen);
1793 }
1794 else if (extdatalen < 0)
1795 {
1796 gnutls_assert ();
1797 gnutls_free (data);
1798 return extdatalen;
1799 }
1800 }
1801 }
1802
1803 ret =
1804 _gnutls_send_handshake (session, data, datalen,
1805 GNUTLS_HANDSHAKE_CLIENT_HELLO);
1806 gnutls_free (data);
1807
1808 return ret;
1809 }
1810
1811 static int
1812 _gnutls_send_server_hello (gnutls_session_t session, int again)
1813 {
1814 opaque *data = NULL;
1815 opaque extdata[MAX_EXT_DATA_LENGTH];
1816 int extdatalen;
1817 int pos = 0;
1818 int datalen, ret = 0;
1819 uint8_t comp;
1820 opaque *SessionID = session->security_parameters.session_id;
1821 uint8_t session_id_len = session->security_parameters.session_id_size;
1822 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1823
1824 if (SessionID == NULL)
1825 session_id_len = 0;
1826
1827 datalen = 0;
1828
1829 #ifdef ENABLE_SRP
1830 if (IS_SRP_KX
1831 (_gnutls_cipher_suite_get_kx_algo
1832 (&session->security_parameters.current_cipher_suite)))
1833 {
1834 /* While resuming we cannot check the username extension since it is
1835 * not available at this point. It will be copied on connection
1836 * state activation.
1837 */
1838 if (session->internals.resumed == RESUME_FALSE &&
1839 session->security_parameters.extensions.srp_username[0] == 0)
1840 {
1841 /* The peer didn't send a valid SRP extension with the
1842 * SRP username. The draft requires that we send an
1843 * alert and start the handshake again.
1844 */
1845 gnutls_assert ();
1846 ret = gnutls_alert_send (session, GNUTLS_AL_WARNING,
1847 GNUTLS_A_MISSING_SRP_USERNAME);
1848 if (ret < 0)
1849 {
1850 gnutls_assert ();
1851 return ret;
1852 }
1853
1854 return GNUTLS_E_INT_HANDSHAKE_AGAIN;
1855 }
1856 }
1857 #endif
1858
1859 if (again == 0)
1860 {
1861 datalen = 2 + session_id_len + 1 + TLS_RANDOM_SIZE + 3;
1862 extdatalen =
1863 _gnutls_gen_extensions (session, extdata, sizeof (extdata));
1864
1865 if (extdatalen < 0)
1866 {
1867 gnutls_assert ();
1868 return extdatalen;
1869 }
1870
1871 data = gnutls_alloca (datalen + extdatalen);
1872 if (data == NULL)
1873 {
1874 gnutls_assert ();
1875 return GNUTLS_E_MEMORY_ERROR;
1876 }
1877
1878 data[pos++] =
1879 _gnutls_version_get_major (session->security_parameters.version);
1880 data[pos++] =
1881 _gnutls_version_get_minor (session->security_parameters.version);
1882
1883 memcpy (&data[pos],
1884 session->security_parameters.server_random, TLS_RANDOM_SIZE);
1885 pos += TLS_RANDOM_SIZE;
1886
1887 data[pos++] = session_id_len;
1888 if (session_id_len > 0)
1889 {
1890 memcpy (&data[pos], SessionID, session_id_len);
1891 }
1892 pos += session_id_len;
1893
1894 _gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session,
1895 _gnutls_bin2hex (SessionID, session_id_len,
1896 buf, sizeof (buf)));
1897
1898 memcpy (&data[pos],
1899 session->security_parameters.current_cipher_suite.suite, 2);
1900 pos += 2;
1901
1902 comp =
1903 (uint8_t) _gnutls_compression_get_num (session->
1904 internals.compression_method);
1905 data[pos++] = comp;
1906
1907
1908 if (extdatalen > 0)
1909 {
1910 datalen += extdatalen;
1911
1912 memcpy (&data[pos], extdata, extdatalen);
1913 }
1914 }
1915
1916 ret =
1917 _gnutls_send_handshake (session, data, datalen,
1918 GNUTLS_HANDSHAKE_SERVER_HELLO);
1919 gnutls_afree (data);
1920
1921 return ret;
1922 }
1923
1924 int
1925 _gnutls_send_hello (gnutls_session_t session, int again)
1926 {
1927 int ret;
1928
1929 if (session->security_parameters.entity == GNUTLS_CLIENT)
1930 {
1931 ret = _gnutls_send_client_hello (session, again);
1932
1933 }
1934 else
1935 { /* SERVER */
1936 ret = _gnutls_send_server_hello (session, again);
1937 }
1938
1939 return ret;
1940 }
1941
1942 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
1943 * hello message is expected. It uses the security_parameters.current_cipher_suite
1944 * and internals.compression_method.
1945 */
1946 int
1947 _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
1948 {
1949 int ret;
1950
1951 if (session->security_parameters.entity == GNUTLS_CLIENT)
1952 {
1953 ret = _gnutls_read_server_hello (session, data, datalen);
1954 if (ret < 0)
1955 {
1956 gnutls_assert ();
1957 return ret;
1958 }
1959 }
1960 else
1961 { /* Server side reading a client hello */
1962
1963 ret = _gnutls_read_client_hello (session, data, datalen);
1964 if (ret < 0)
1965 {
1966 gnutls_assert ();
1967 return ret;
1968 }
1969 }
1970
1971 return ret;
1972 }
1973
1974 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
1975 *
1976 * Client Server
1977 *
1978 * ClientHello -------->
1979 * <-------- ServerHello
1980 *
1981 * Certificate*
1982 * ServerKeyExchange*
1983 * <-------- CertificateRequest*
1984 *
1985 * <-------- ServerHelloDone
1986 * Certificate*
1987 * ClientKeyExchange
1988 * CertificateVerify*
1989 * [ChangeCipherSpec]
1990 * Finished -------->
1991 * [ChangeCipherSpec]
1992 * <-------- Finished
1993 *
1994 * (*): means optional packet.
1995 */
1996
1997 /**
1998 * gnutls_rehandshake - This function will renegotiate security parameters
1999 * @session: is a #gnutls_session_t structure.
2000 *
2001 * This function will renegotiate security parameters with the
2002 * client. This should only be called in case of a server.
2003 *
2004 * This message informs the peer that we want to renegotiate
2005 * parameters (perform a handshake).
2006 *
2007 * If this function succeeds (returns 0), you must call
2008 * the gnutls_handshake() function in order to negotiate
2009 * the new parameters.
2010 *
2011 * If the client does not wish to renegotiate parameters he
2012 * will should with an alert message, thus the return code will be
2013 * GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2014 * GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2015 * this message.
2016 *
2017 **/
2018 int
2019 gnutls_rehandshake (gnutls_session_t session)
2020 {
2021 int ret;
2022
2023 /* only server sends that handshake packet */
2024 if (session->security_parameters.entity == GNUTLS_CLIENT)
2025 return GNUTLS_E_INVALID_REQUEST;
2026
2027 ret =
2028 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2029 AGAIN (STATE50));
2030 STATE = STATE50;
2031
2032 if (ret < 0)
2033 {
2034 gnutls_assert ();
2035 return ret;
2036 }
2037 STATE = STATE0;
2038
2039 return 0;
2040 }
2041
2042 inline static int
2043 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2044 {
2045 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2046 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2047 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2048 return 0;
2049
2050 /* this doesn't matter */
2051 return GNUTLS_E_INTERNAL_ERROR;
2052 }
2053
2054
2055 /* This function initialized the handshake hash session.
2056 * required for finished messages.
2057 */
2058 inline static int
2059 _gnutls_handshake_hash_init (gnutls_session_t session)
2060 {
2061
2062 if (session->internals.handshake_mac_handle_md5 == NULL)
2063 {
2064 session->internals.handshake_mac_handle_md5 =
2065 _gnutls_hash_init (GNUTLS_MAC_MD5);
2066
2067 if (session->internals.handshake_mac_handle_md5 == GNUTLS_HASH_FAILED)
2068 {
2069 gnutls_assert ();
2070 return GNUTLS_E_MEMORY_ERROR;
2071 }
2072 }
2073
2074 if (session->internals.handshake_mac_handle_sha == NULL)
2075 {
2076 session->internals.handshake_mac_handle_sha =
2077 _gnutls_hash_init (GNUTLS_MAC_SHA1);
2078 if (session->internals.handshake_mac_handle_sha == GNUTLS_HASH_FAILED)
2079 {
2080 gnutls_assert ();
2081 return GNUTLS_E_MEMORY_ERROR;
2082 }
2083 }
2084
2085 return 0;
2086 }
2087
2088 int
2089 _gnutls_send_supplemental (gnutls_session_t session, int again)
2090 {
2091 int ret = 0;
2092
2093 _gnutls_debug_log ("EXT[%x]: Sending supplemental data\n", session);
2094
2095 if (again)
2096 ret = _gnutls_send_handshake (session, NULL, 0,
2097 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2098 else
2099 {
2100 gnutls_buffer buf;
2101 _gnutls_buffer_init (&buf);
2102
2103 ret = _gnutls_gen_supplemental (session, &buf);
2104 if (ret < 0)
2105 {
2106 gnutls_assert ();
2107 return ret;
2108 }
2109
2110 ret = _gnutls_send_handshake (session, buf.data, buf.length,
2111 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2112 _gnutls_buffer_clear (&buf);
2113 }
2114
2115 return ret;
2116 }
2117
2118 int
2119 _gnutls_recv_supplemental (gnutls_session_t session)
2120 {
2121 uint8_t *data = NULL;
2122 int datalen = 0;
2123 int ret;
2124
2125 _gnutls_debug_log ("EXT[%x]: Expecting supplemental data\n", session);
2126
2127 ret = _gnutls_recv_handshake (session, &data, &datalen,
2128 GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2129 OPTIONAL_PACKET);
2130 if (ret < 0)
2131 {
2132 gnutls_assert ();
2133 return ret;
2134 }
2135
2136 ret = _gnutls_parse_supplemental (session, data, datalen);
2137 if (ret < 0)
2138 {
2139 gnutls_assert ();
2140 return ret;
2141 }
2142
2143 gnutls_free (data);
2144
2145 return ret;
2146 }
2147
2148 /**
2149 * gnutls_handshake - This is the main function in the handshake protocol.
2150 * @session: is a #gnutls_session_t structure.
2151 *
2152 * This function does the handshake of the TLS/SSL protocol,
2153 * and initializes the TLS connection.
2154 *
2155 * This function will fail if any problem is encountered,
2156 * and will return a negative error code. In case of a client,
2157 * if the client has asked to resume a session, but the server couldn't,
2158 * then a full handshake will be performed.
2159 *
2160 * The non-fatal errors such as GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED
2161 * interrupt the handshake procedure, which should be later be resumed.
2162 * Call this function again, until it returns 0; cf.
2163 * gnutls_record_get_direction() and gnutls_error_is_fatal().
2164 *
2165 * If this function is called by a server after a rehandshake request then
2166 * GNUTLS_E_GOT_APPLICATION_DATA or GNUTLS_E_WARNING_ALERT_RECEIVED
2167 * may be returned. Note that these are non fatal errors, only in the
2168 * specific case of a rehandshake. Their meaning is that the client
2169 * rejected the rehandshake request.
2170 *
2171 **/
2172 int
2173 gnutls_handshake (gnutls_session_t session)
2174 {
2175 int ret;
2176
2177 if ((ret = _gnutls_handshake_hash_init (session)) < 0)
2178 {
2179 gnutls_assert ();
2180 return ret;
2181 }
2182
2183 if (session->security_parameters.entity == GNUTLS_CLIENT)
2184 {
2185 ret = _gnutls_handshake_client (session);
2186 }
2187 else
2188 {
2189 ret = _gnutls_handshake_server (session);
2190 }
2191 if (ret < 0)
2192 {
2193 /* In the case of a rehandshake abort
2194 * we should reset the handshake's internal state.
2195 */
2196 if (_gnutls_abort_handshake (session, ret) == 0)
2197 STATE = STATE0;
2198
2199 return ret;
2200 }
2201
2202 ret = _gnutls_handshake_common (session);
2203
2204 if (ret < 0)
2205 {
2206 if (_gnutls_abort_handshake (session, ret) == 0)
2207 STATE = STATE0;
2208
2209 return ret;
2210 }
2211
2212 STATE = STATE0;
2213
2214 _gnutls_handshake_io_buffer_clear (session);
2215 _gnutls_handshake_internal_state_clear (session);
2216
2217 return 0;
2218 }
2219
2220 /* Here if GNUTLS_E_INT_HANDSHAKE_AGAIN is received we go to
2221 * restart. This works because this error code may only be
2222 * received on the first 2 handshake packets. If for some reason
2223 * this changes we should return GNUTLS_E_AGAIN.
2224 */
2225 #define IMED_RET( str, ret) do { \
2226 if (ret < 0) { \
2227 if (ret == GNUTLS_E_INT_HANDSHAKE_AGAIN && \
2228 session->internals.handshake_restarted == 1) \
2229 ret = GNUTLS_E_INTERNAL_ERROR; \
2230 if (ret == GNUTLS_E_INT_HANDSHAKE_AGAIN) { \
2231 STATE = STATE0; \
2232 session->internals.handshake_restarted = 1; \
2233 goto restart; \
2234 } \
2235 if (gnutls_error_is_fatal(ret)==0) return ret; \
2236 gnutls_assert(); \
2237 ERR( str, ret); \
2238 _gnutls_handshake_hash_buffers_clear(session); \
2239 return ret; \
2240 } } while (0)
2241
2242
2243
2244 /*
2245 * _gnutls_handshake_client
2246 * This function performs the client side of the handshake of the TLS/SSL protocol.
2247 */
2248 int
2249 _gnutls_handshake_client (gnutls_session_t session)
2250 {
2251 int ret = 0;
2252
2253 #ifdef HANDSHAKE_DEBUG
2254 char buf[64];
2255
2256 if (session->internals.resumed_security_parameters.session_id_size > 0)
2257 _gnutls_handshake_log ("HSK[%x]: Ask to resume: %s\n", session,
2258 _gnutls_bin2hex (session->internals.
2259 resumed_security_parameters.
2260 session_id,
2261 session->internals.
2262 resumed_security_parameters.
2263 session_id_size, buf,
2264 sizeof (buf)));
2265 #endif
2266 restart:
2267
2268 switch (STATE)
2269 {
2270 case STATE0:
2271 case STATE1:
2272 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2273 STATE = STATE1;
2274 IMED_RET ("send hello", ret);
2275
2276 case STATE2:
2277 /* receive the server hello */
2278 ret =
2279 _gnutls_recv_handshake (session, NULL, NULL,
2280 GNUTLS_HANDSHAKE_SERVER_HELLO,
2281 MANDATORY_PACKET);
2282 STATE = STATE2;
2283 IMED_RET ("recv hello", ret);
2284
2285 case STATE70:
2286 if (session->security_parameters.extensions.do_recv_supplemental)
2287 {
2288 ret = _gnutls_recv_supplemental (session);
2289 STATE = STATE70;
2290 IMED_RET ("recv supplemental", ret);
2291 }
2292
2293 case STATE3:
2294 /* RECV CERTIFICATE */
2295 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2296 ret = _gnutls_recv_server_certificate (session);
2297 STATE = STATE3;
2298 IMED_RET ("recv server certificate", ret);
2299
2300 case STATE4:
2301 /* receive the server key exchange */
2302 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2303 ret = _gnutls_recv_server_kx_message (session);
2304 STATE = STATE4;
2305 IMED_RET ("recv server kx message", ret);
2306
2307 case STATE5:
2308 /* receive the server certificate request - if any
2309 */
2310
2311 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2312 ret = _gnutls_recv_server_certificate_request (session);
2313 STATE = STATE5;
2314 IMED_RET ("recv server certificate request message", ret);
2315
2316 case STATE6:
2317 /* receive the server hello done */
2318 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2319 ret =
2320 _gnutls_recv_handshake (session, NULL, NULL,
2321 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2322 MANDATORY_PACKET);
2323 STATE = STATE6;
2324 IMED_RET ("recv server hello done", ret);
2325
2326 case STATE71:
2327 if (session->security_parameters.extensions.do_send_supplemental)
2328 {
2329 ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
2330 STATE = STATE71;
2331 IMED_RET ("send supplemental", ret);
2332 }
2333
2334 case STATE7:
2335 /* send our certificate - if any and if requested
2336 */
2337 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2338 ret = _gnutls_send_client_certificate (session, AGAIN (STATE7));
2339 STATE = STATE7;
2340 IMED_RET ("send client certificate", ret);
2341
2342 case STATE8:
2343 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2344 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8));
2345 STATE = STATE8;
2346 IMED_RET ("send client kx", ret);
2347
2348 case STATE9:
2349 /* send client certificate verify */
2350 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2351 ret =
2352 _gnutls_send_client_certificate_verify (session, AGAIN (STATE9));
2353 STATE = STATE9;
2354 IMED_RET ("send client certificate verify", ret);
2355
2356 STATE = STATE0;
2357 default:
2358 break;
2359 }
2360
2361
2362 return 0;
2363 }
2364
2365 /* This function sends the final handshake packets and initializes connection
2366 */
2367 static int
2368 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2369 {
2370 int ret = 0;
2371
2372 /* Send the CHANGE CIPHER SPEC PACKET */
2373
2374 switch (STATE)
2375 {
2376 case STATE0:
2377 case STATE20:
2378 ret = _gnutls_send_change_cipher_spec (session, AGAIN (STATE20));
2379 STATE = STATE20;
2380 if (ret < 0)
2381 {
2382 ERR ("send ChangeCipherSpec", ret);
2383 gnutls_assert ();
2384 return ret;
2385 }
2386
2387 /* Initialize the connection session (start encryption) - in case of client
2388 */
2389 if (init == TRUE)
2390 {
2391 ret = _gnutls_connection_state_init (session);
2392 if (ret < 0)
2393 {
2394 gnutls_assert ();
2395 return ret;
2396 }
2397 }
2398
2399 ret = _gnutls_write_connection_state_init (session);
2400 if (ret < 0)
2401 {
2402 gnutls_assert ();
2403 return ret;
2404 }
2405
2406 case STATE21:
2407 /* send the finished message */
2408 ret = _gnutls_send_finished (session, AGAIN (STATE21));
2409 STATE = STATE21;
2410 if (ret < 0)
2411 {
2412 ERR ("send Finished", ret);
2413 gnutls_assert ();
2414 return ret;
2415 }
2416
2417 STATE = STATE0;
2418 default:
2419 break;
2420 }
2421
2422 return 0;
2423 }
2424
2425 /* This function receives the final handshake packets
2426 * And executes the appropriate function to initialize the
2427 * read session.
2428 */
2429 static int
2430 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2431 {
2432 int ret = 0;
2433 uint8_t ch;
2434
2435 switch (STATE)
2436 {
2437 case STATE0:
2438 case STATE30:
2439 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1);
2440 STATE = STATE30;
2441 if (ret <= 0)
2442 {
2443 ERR ("recv ChangeCipherSpec", ret);
2444 gnutls_assert ();
2445 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2446 }
2447
2448 /* Initialize the connection session (start encryption) - in case of server */
2449 if (init == TRUE)
2450 {
2451 ret = _gnutls_connection_state_init (session);
2452 if (ret < 0)
2453 {
2454 gnutls_assert ();
2455 return ret;
2456 }
2457 }
2458
2459 ret = _gnutls_read_connection_state_init (session);
2460 if (ret < 0)
2461 {
2462 gnutls_assert ();
2463 return ret;
2464 }
2465
2466 case STATE31:
2467 ret = _gnutls_recv_finished (session);
2468 STATE = STATE31;
2469 if (ret < 0)
2470 {
2471 ERR ("recv finished", ret);
2472 gnutls_assert ();
2473 return ret;
2474 }
2475 STATE = STATE0;
2476 default:
2477 break;
2478 }
2479
2480
2481 return 0;
2482 }
2483
2484 /*
2485 * _gnutls_handshake_server
2486 * This function does the server stuff of the handshake protocol.
2487 */
2488
2489 int
2490 _gnutls_handshake_server (gnutls_session_t session)
2491 {
2492 int ret = 0;
2493
2494 restart:
2495
2496 switch (STATE)
2497 {
2498 case STATE0:
2499 case STATE1:
2500 ret =
2501 _gnutls_recv_handshake (session, NULL, NULL,
2502 GNUTLS_HANDSHAKE_CLIENT_HELLO,
2503 MANDATORY_PACKET);
2504 STATE = STATE1;
2505 IMED_RET ("recv hello", ret);
2506
2507 case STATE2:
2508 ret = _gnutls_send_hello (session, AGAIN (STATE2));
2509 STATE = STATE2;
2510 IMED_RET ("send hello", ret);
2511
2512 case STATE70:
2513 if (session->security_parameters.extensions.do_send_supplemental)
2514 {
2515 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
2516 STATE = STATE70;
2517 IMED_RET ("send supplemental data", ret);
2518 }
2519
2520 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2521 case STATE3:
2522 /* NOTE: these should not be send if we are resuming */
2523
2524 if (session->internals.resumed == RESUME_FALSE)
2525 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
2526 STATE = STATE3;
2527 IMED_RET ("send server certificate", ret);
2528
2529 case STATE4:
2530 /* send server key exchange (A) */
2531 if (session->internals.resumed == RESUME_FALSE)
2532 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4));
2533 STATE = STATE4;
2534 IMED_RET ("send server kx", ret);
2535
2536 case STATE5:
2537 /* Send certificate request - if requested to */
2538 if (session->internals.resumed == RESUME_FALSE)
2539 ret =
2540 _gnutls_send_server_certificate_request (session, AGAIN (STATE5));
2541 STATE = STATE5;
2542 IMED_RET ("send server cert request", ret);
2543
2544 case STATE6:
2545 /* send the server hello done */
2546 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2547 ret =
2548 _gnutls_send_empty_handshake (session,
2549 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2550 AGAIN (STATE6));
2551 STATE = STATE6;
2552 IMED_RET ("send server hello done", ret);
2553
2554 case STATE71:
2555 if (session->security_parameters.extensions.do_recv_supplemental)
2556 {
2557 ret = _gnutls_recv_supplemental (session);
2558 STATE = STATE71;
2559 IMED_RET ("recv client supplemental", ret);
2560 }
2561
2562 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2563 case STATE7:
2564 /* receive the client certificate message */
2565 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2566 ret = _gnutls_recv_client_certificate (session);
2567 STATE = STATE7;
2568 IMED_RET ("recv client certificate", ret);
2569
2570 case STATE8:
2571 /* receive the client key exchange message */
2572 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2573 ret = _gnutls_recv_client_kx_message (session);
2574 STATE = STATE8;
2575 IMED_RET ("recv client kx", ret);
2576
2577 case STATE9:
2578 /* receive the client certificate verify message */
2579 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2580 ret = _gnutls_recv_client_certificate_verify_message (session);
2581 STATE = STATE9;
2582 IMED_RET ("recv client certificate verify", ret);
2583
2584 STATE = STATE0; /* finished thus clear session */
2585 default:
2586 break;
2587 }
2588
2589 return 0;
2590 }
2591
2592 int
2593 _gnutls_handshake_common (gnutls_session_t session)
2594 {
2595 int ret = 0;
2596
2597 restart:
2598
2599 /* send and recv the change cipher spec and finished messages */
2600 if ((session->internals.resumed == RESUME_TRUE
2601 && session->security_parameters.entity == GNUTLS_CLIENT)
2602 || (session->internals.resumed == RESUME_FALSE
2603 && session->security_parameters.entity == GNUTLS_SERVER))
2604 {
2605 /* if we are a client resuming - or we are a server not resuming */
2606
2607 ret = _gnutls_recv_handshake_final (session, TRUE);
2608 IMED_RET ("recv handshake final", ret);
2609
2610 ret = _gnutls_send_handshake_final (session, FALSE);
2611 IMED_RET ("send handshake final", ret);
2612 }
2613 else
2614 { /* if we are a client not resuming - or we are a server resuming */
2615
2616 ret = _gnutls_send_handshake_final (session, TRUE);
2617 IMED_RET ("send handshake final 2", ret);
2618
2619 ret = _gnutls_recv_handshake_final (session, FALSE);
2620 IMED_RET ("recv handshake final 2", ret);
2621 }
2622
2623 if (session->security_parameters.entity == GNUTLS_SERVER)
2624 {
2625 /* in order to support session resuming */
2626 _gnutls_server_register_current_session (session);
2627 }
2628
2629 /* clear handshake buffer */
2630 _gnutls_handshake_hash_buffers_clear (session);
2631 return ret;
2632
2633 }
2634
2635 int
2636 _gnutls_generate_session_id (opaque * session_id, uint8_t * len)
2637 {
2638 *len = TLS_MAX_SESSION_ID_SIZE;
2639
2640 if (gc_nonce (session_id, *len) != GC_OK)
2641 {
2642 gnutls_assert ();
2643 return GNUTLS_E_RANDOM_FAILED;
2644 }
2645
2646 return 0;
2647 }
2648
2649 int
2650 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
2651 uint32_t data_size)
2652 {
2653 uint8_t type;
2654
2655 if (session->security_parameters.entity == GNUTLS_SERVER)
2656 {
2657 gnutls_assert ();
2658 return GNUTLS_E_UNEXPECTED_PACKET;
2659 }
2660 if (data_size < 1)
2661 {
2662 gnutls_assert ();
2663 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2664 }
2665 type = ((uint8_t *) data)[0];
2666 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
2667 return GNUTLS_E_REHANDSHAKE;
2668 else
2669 {
2670 gnutls_assert ();
2671 return GNUTLS_E_UNEXPECTED_PACKET;
2672 }
2673 }
2674
2675 /* Returns 1 if the given KX has not the corresponding parameters
2676 * (DH or RSA) set up. Otherwise returns 0.
2677 */
2678 inline static int
2679 check_server_params (gnutls_session_t session,
2680 gnutls_kx_algorithm_t kx,
2681 gnutls_kx_algorithm_t * alg, int alg_size)
2682 {
2683 int cred_type;
2684 gnutls_dh_params_t dh_params = NULL;
2685 gnutls_rsa_params_t rsa_params = NULL;
2686 int j;
2687
2688 cred_type = _gnutls_map_kx_get_cred (kx, 1);
2689
2690 /* Read the Diffie Hellman parameters, if any.
2691 */
2692 if (cred_type == GNUTLS_CRD_CERTIFICATE)
2693 {
2694 int delete;
2695 gnutls_certificate_credentials_t x509_cred =
2696 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
2697 cred_type, NULL);
2698
2699 if (x509_cred != NULL)
2700 {
2701 dh_params =
2702 _gnutls_get_dh_params (x509_cred->dh_params,
2703 x509_cred->params_func, session);
2704 rsa_params =
2705 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
2706 x509_cred->params_func,
2707 session);
2708 }
2709
2710 /* Check also if the certificate supports the
2711 * KX method.
2712 */
2713 delete = 1;
2714 for (j = 0; j < alg_size; j++)
2715 {
2716 if (alg[j] == kx)
2717 {
2718 delete = 0;
2719 break;
2720 }
2721 }
2722
2723 if (delete == 1)
2724 return 1;
2725
2726 #ifdef ENABLE_ANON
2727 }
2728 else if (cred_type == GNUTLS_CRD_ANON)
2729 {
2730 gnutls_anon_server_credentials_t anon_cred =
2731 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
2732 cred_type, NULL);
2733
2734 if (anon_cred != NULL)
2735 {
2736 dh_params =
2737 _gnutls_get_dh_params (anon_cred->dh_params,
2738 anon_cred->params_func, session);
2739 }
2740 #endif
2741 #ifdef ENABLE_PSK
2742 }
2743 else if (cred_type == GNUTLS_CRD_PSK)
2744 {
2745 gnutls_psk_server_credentials_t psk_cred =
2746 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
2747 cred_type, NULL);
2748
2749 if (psk_cred != NULL)
2750 {
2751 dh_params =
2752 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
2753 session);
2754 }
2755 #endif
2756 }
2757 else
2758 return 0; /* no need for params */
2759
2760
2761 /* If the key exchange method needs RSA or DH params,
2762 * but they are not set then remove it.
2763 */
2764 if (_gnutls_kx_needs_rsa_params (kx) != 0)
2765 {
2766 /* needs rsa params. */
2767 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
2768 {
2769 gnutls_assert ();
2770 return 1;
2771 }
2772 }
2773
2774 if (_gnutls_kx_needs_dh_params (kx) != 0)
2775 {
2776 /* needs DH params. */
2777 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
2778 {
2779 gnutls_assert ();
2780 return 1;
2781 }
2782 }
2783
2784 return 0;
2785 }
2786
2787 /* This function will remove algorithms that are not supported by
2788 * the requested authentication method. We remove an algorithm if
2789 * we have a certificate with keyUsage bits set.
2790 *
2791 * This does a more high level check than gnutls_supported_ciphersuites(),
2792 * by checking certificates etc.
2793 */
2794 int
2795 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
2796 cipher_suite_st ** cipherSuites,
2797 int numCipherSuites,
2798 gnutls_pk_algorithm_t requested_pk_algo)
2799 {
2800
2801 int ret = 0;
2802 cipher_suite_st *newSuite, cs;
2803 int newSuiteSize = 0, i;
2804 gnutls_certificate_credentials_t x509_cred;
2805 gnutls_kx_algorithm_t kx;
2806 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
2807 gnutls_kx_algorithm_t *alg;
2808 int alg_size;
2809
2810 /* if we should use a specific certificate,
2811 * we should remove all algorithms that are not supported
2812 * by that certificate and are on the same authentication
2813 * method (CERTIFICATE).
2814 */
2815
2816 x509_cred =
2817 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
2818 GNUTLS_CRD_CERTIFICATE,
2819 NULL);
2820
2821 /* if x509_cred==NULL we should remove all X509 ciphersuites
2822 */
2823
2824 if (session->security_parameters.entity == GNUTLS_SERVER
2825 && x509_cred != NULL)
2826 {
2827 ret = _gnutls_server_select_cert (session, requested_pk_algo);
2828 if (ret < 0)
2829 {
2830 gnutls_assert ();
2831 return ret;
2832 }
2833 }
2834
2835 /* get all the key exchange algorithms that are
2836 * supported by the X509 certificate parameters.
2837 */
2838 if ((ret =
2839 _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
2840 {
2841 gnutls_assert ();
2842 return ret;
2843 }
2844
2845 newSuite = gnutls_malloc (numCipherSuites * sizeof (cipher_suite_st));
2846 if (newSuite == NULL)
2847 {
2848 gnutls_assert ();
2849 gnutls_free (alg);
2850 return GNUTLS_E_MEMORY_ERROR;
2851 }
2852
2853 /* now removes ciphersuites based on the KX algorithm
2854 */
2855 for (i = 0; i < numCipherSuites; i++)
2856 {
2857 int delete = 0;
2858
2859 /* finds the key exchange algorithm in
2860 * the ciphersuite
2861 */
2862 kx = _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites)[i]);
2863
2864 /* if it is defined but had no credentials
2865 */
2866 if (_gnutls_get_kx_cred (session, kx, NULL) == NULL)
2867 {
2868 delete = 1;
2869 }
2870 else
2871 {
2872 delete = 0;
2873
2874 if (server)
2875 delete = check_server_params (session, kx, alg, alg_size);
2876 }
2877
2878 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
2879 (see cred_mappings in gnutls_algorithms.c), but it also
2880 requires a SRP credential. Don't use SRP kx unless we have a
2881 SRP credential too. */
2882 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
2883 {
2884 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
2885 delete = 1;
2886 }
2887
2888 memcpy (&cs.suite, &(*cipherSuites)[i].suite, 2);
2889
2890 if (delete == 0)
2891 {
2892
2893 _gnutls_handshake_log ("HSK[%x]: Keeping ciphersuite: %s\n",
2894 session,
2895 _gnutls_cipher_suite_get_name (&cs));
2896
2897 memcpy (newSuite[newSuiteSize].suite, (*cipherSuites)[i].suite, 2);
2898 newSuiteSize++;
2899 }
2900 else
2901 {
2902 _gnutls_handshake_log ("HSK[%x]: Removing ciphersuite: %s\n",
2903 session,
2904 _gnutls_cipher_suite_get_name (&cs));
2905
2906 }
2907 }
2908
2909 gnutls_free (alg);
2910 gnutls_free (*cipherSuites);
2911 *cipherSuites = newSuite;
2912
2913 ret = newSuiteSize;
2914
2915 return ret;
2916
2917 }
2918
2919 /**
2920 * gnutls_handshake_set_max_packet_length - This function will set the maximum length of a handshake message
2921 * @session: is a #gnutls_session_t structure.
2922 * @max: is the maximum number.
2923 *
2924 * This function will set the maximum size of a handshake message.
2925 * Handshake messages over this size are rejected.
2926 * The default value is 16kb which is large enough. Set this to 0 if you do not want
2927 * to set an upper limit.
2928 *
2929 **/
2930 void
2931 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
2932 {
2933 session->internals.max_handshake_data_buffer_size = max;
2934 }
2935
2936 void
2937 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
2938 {
2939 set_adv_version (session, _gnutls_version_get_major (ver),
2940 _gnutls_version_get_minor (ver));
2941 }
2942
2943 gnutls_protocol_t
2944 _gnutls_get_adv_version (gnutls_session_t session)
2945 {
2946 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
2947 _gnutls_get_adv_version_minor (session));
2948 }
2949
2950 /**
2951 * gnutls_handshake_get_last_in - Returns the last handshake message received.
2952 * @session: is a #gnutls_session_t structure.
2953 *
2954 * Returns the last handshake message received. This function is only useful
2955 * to check where the last performed handshake failed. If the previous handshake
2956 * succeed or was not performed at all then no meaningful value will be returned.
2957 *
2958 * Check gnutls.h for the available handshake descriptions.
2959 **/
2960 gnutls_handshake_description_t
2961 gnutls_handshake_get_last_in (gnutls_session_t session)
2962 {
2963 return session->internals.last_handshake_in;
2964 }
2965
2966 /**
2967 * gnutls_handshake_get_last_out - Returns the last handshake message sent.
2968 * @session: is a #gnutls_session_t structure.
2969 *
2970 * Returns the last handshake message sent. This function is only useful
2971 * to check where the last performed handshake failed. If the previous handshake
2972 * succeed or was not performed at all then no meaningful value will be returned.
2973 *
2974 * Check gnutls.h for the available handshake descriptions.
2975 *
2976 **/
2977 gnutls_handshake_description_t
2978 gnutls_handshake_get_last_out (gnutls_session_t session)
2979 {
2980 return session->internals.last_handshake_out;
2981 }
Implementation of the SSL/TLS protocol