2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007 Free Software Foundation
4 * Author: Nikos Mavroyanopoulos
6 * This file is part of GNUTLS.
8 * The GNUTLS library is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 2.1 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public
19 * License along with this library; if not, write to the Free Software
20 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
25 /* Functions that relate to the TLS handshake procedure.
28 #include "gnutls_int.h"
29 #include "gnutls_errors.h"
30 #include "gnutls_dh.h"
32 #include "gnutls_algorithms.h"
33 #include "gnutls_compress.h"
34 #include "gnutls_cipher.h"
35 #include "gnutls_buffers.h"
36 #include "gnutls_kx.h"
37 #include "gnutls_handshake.h"
38 #include "gnutls_num.h"
39 #include "gnutls_hash_int.h"
40 #include "gnutls_db.h"
41 #include "gnutls_extensions.h"
42 #include "gnutls_supplemental.h"
43 #include "gnutls_auth_int.h"
44 #include "gnutls_v2_compat.h"
45 #include "auth_cert.h"
46 #include "gnutls_cert.h"
47 #include "gnutls_constate.h"
48 #include <gnutls_record.h>
49 #include <gnutls_state.h>
51 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
52 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
53 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
56 #ifdef HANDSHAKE_DEBUG
57 #define ERR(x, y) _gnutls_handshake_log( "HSK[%x]: %s (%d)\n", session, x,y)
65 int _gnutls_server_select_comp_method (gnutls_session_t session
,
66 opaque
* data
, int datalen
);
69 /* Clears the handshake hash buffers and handles.
72 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session
)
74 _gnutls_hash_deinit (session
->internals
.handshake_mac_handle_md5
, NULL
);
75 _gnutls_hash_deinit (session
->internals
.handshake_mac_handle_sha
, NULL
);
76 session
->internals
.handshake_mac_handle_md5
= NULL
;
77 session
->internals
.handshake_mac_handle_sha
= NULL
;
78 _gnutls_handshake_buffer_clear (session
);
81 /* this will copy the required values for resuming to
82 * internals, and to security_parameters.
83 * this will keep as less data to security_parameters.
86 resume_copy_required_values (gnutls_session_t session
)
88 /* get the new random values */
89 memcpy (session
->internals
.resumed_security_parameters
.
91 session
->security_parameters
.server_random
, TLS_RANDOM_SIZE
);
92 memcpy (session
->internals
.resumed_security_parameters
.
94 session
->security_parameters
.client_random
, TLS_RANDOM_SIZE
);
96 /* keep the ciphersuite and compression
97 * That is because the client must see these in our
100 memcpy (session
->security_parameters
.current_cipher_suite
.
102 session
->internals
.resumed_security_parameters
.
103 current_cipher_suite
.suite
, 2);
105 session
->internals
.compression_method
=
106 session
->internals
.resumed_security_parameters
.read_compression_algorithm
;
107 /* or write_compression_algorithm
111 session
->security_parameters
.entity
=
112 session
->internals
.resumed_security_parameters
.entity
;
114 _gnutls_set_current_version (session
,
116 resumed_security_parameters
.version
);
118 session
->security_parameters
.cert_type
=
119 session
->internals
.resumed_security_parameters
.cert_type
;
121 memcpy (session
->security_parameters
.session_id
,
122 session
->internals
.resumed_security_parameters
.
123 session_id
, sizeof (session
->security_parameters
.session_id
));
124 session
->security_parameters
.session_id_size
=
125 session
->internals
.resumed_security_parameters
.session_id_size
;
129 _gnutls_set_server_random (gnutls_session_t session
, uint8_t * rnd
)
131 memcpy (session
->security_parameters
.server_random
, rnd
, TLS_RANDOM_SIZE
);
135 _gnutls_set_client_random (gnutls_session_t session
, uint8_t * rnd
)
137 memcpy (session
->security_parameters
.client_random
, rnd
, TLS_RANDOM_SIZE
);
140 /* Calculate The SSL3 Finished message
142 #define SSL3_CLIENT_MSG "CLNT"
143 #define SSL3_SERVER_MSG "SRVR"
144 #define SSL_MSG_LEN 4
146 _gnutls_ssl3_finished (gnutls_session_t session
, int type
, opaque
* ret
)
148 const int siz
= SSL_MSG_LEN
;
153 td_md5
= _gnutls_hash_copy (session
->internals
.handshake_mac_handle_md5
);
157 return GNUTLS_E_HASH_FAILED
;
160 td_sha
= _gnutls_hash_copy (session
->internals
.handshake_mac_handle_sha
);
164 _gnutls_hash_deinit (td_md5
, NULL
);
165 return GNUTLS_E_HASH_FAILED
;
168 if (type
== GNUTLS_SERVER
)
170 mesg
= SSL3_SERVER_MSG
;
174 mesg
= SSL3_CLIENT_MSG
;
177 _gnutls_hash (td_md5
, mesg
, siz
);
178 _gnutls_hash (td_sha
, mesg
, siz
);
180 _gnutls_mac_deinit_ssl3_handshake (td_md5
, ret
,
181 session
->security_parameters
.
182 master_secret
, TLS_MASTER_SIZE
);
183 _gnutls_mac_deinit_ssl3_handshake (td_sha
, &ret
[16],
184 session
->security_parameters
.
185 master_secret
, TLS_MASTER_SIZE
);
190 /* Hash the handshake messages as required by TLS 1.0
192 #define SERVER_MSG "server finished"
193 #define CLIENT_MSG "client finished"
194 #define TLS_MSG_LEN 15
196 _gnutls_finished (gnutls_session_t session
, int type
, void *ret
)
198 const int siz
= TLS_MSG_LEN
;
202 mac_hd_t td_md5
= NULL
;
204 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
206 if (ver
< GNUTLS_TLS1_2
)
208 td_md5
= _gnutls_hash_copy (session
->internals
.handshake_mac_handle_md5
);
212 return GNUTLS_E_HASH_FAILED
;
216 td_sha
= _gnutls_hash_copy (session
->internals
.handshake_mac_handle_sha
);
220 _gnutls_hash_deinit (td_md5
, NULL
);
221 return GNUTLS_E_HASH_FAILED
;
224 if (ver
< GNUTLS_TLS1_2
)
226 _gnutls_hash_deinit (td_md5
, concat
);
227 _gnutls_hash_deinit (td_sha
, &concat
[16]);
232 _gnutls_hash_deinit (td_sha
, concat
);
236 if (type
== GNUTLS_SERVER
)
245 return _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
246 TLS_MASTER_SIZE
, mesg
, siz
, concat
, len
, 12, ret
);
249 /* this function will produce TLS_RANDOM_SIZE==32 bytes of random data
253 _gnutls_tls_create_random (opaque
* dst
)
257 /* Use weak random numbers for the most of the
258 * buffer except for the first 4 that are the
263 /* generate server random value */
264 _gnutls_write_uint32 (tim
, dst
);
266 if (gc_nonce (&dst
[4], TLS_RANDOM_SIZE
- 4) != GC_OK
)
269 return GNUTLS_E_RANDOM_FAILED
;
276 /* Read a client hello packet.
277 * A client hello must be a known version client hello
278 * or version 2.0 client hello (only for compatibility
279 * since SSL version 2.0 is not supported).
282 _gnutls_read_client_hello (gnutls_session_t session
, opaque
* data
,
285 uint8_t session_id_len
, z
;
288 gnutls_protocol_t version
;
290 opaque rnd
[TLS_RANDOM_SIZE
], *suite_ptr
;
291 gnutls_protocol_t ver
;
293 if (session
->internals
.v2_hello
!= 0)
295 return _gnutls_read_client_hello_v2 (session
, data
, datalen
);
299 _gnutls_handshake_log ("HSK[%x]: Client's version: %d.%d\n", session
,
300 data
[pos
], data
[pos
+ 1]);
302 version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
303 set_adv_version (session
, data
[pos
], data
[pos
+ 1]);
306 /* if we do not support that version */
307 if (_gnutls_version_is_supported (session
, version
) == 0)
309 /* If he requested something we do not support
310 * then we send him the highest we support.
312 ver
= _gnutls_version_max (session
);
313 if (ver
== GNUTLS_VERSION_UNKNOWN
)
315 /* this check is not really needed.
318 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
326 _gnutls_set_current_version (session
, ver
);
328 /* Read client random value.
330 DECR_LEN (len
, TLS_RANDOM_SIZE
);
331 _gnutls_set_client_random (session
, &data
[pos
]);
332 pos
+= TLS_RANDOM_SIZE
;
334 _gnutls_tls_create_random (rnd
);
335 _gnutls_set_server_random (session
, rnd
);
337 session
->security_parameters
.timestamp
= time (NULL
);
340 session_id_len
= data
[pos
++];
344 if (session_id_len
> TLS_MAX_SESSION_ID_SIZE
)
347 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
349 DECR_LEN (len
, session_id_len
);
350 ret
= _gnutls_server_restore_session (session
, &data
[pos
], session_id_len
);
351 pos
+= session_id_len
;
355 resume_copy_required_values (session
);
356 session
->internals
.resumed
= RESUME_TRUE
;
361 _gnutls_generate_session_id (session
->security_parameters
.
363 &session
->security_parameters
.
366 session
->internals
.resumed
= RESUME_FALSE
;
369 /* Remember ciphersuites for later
372 suite_size
= _gnutls_read_uint16 (&data
[pos
]);
375 DECR_LEN (len
, suite_size
);
376 suite_ptr
= &data
[pos
];
379 /* Select an appropriate compression method
382 z
= data
[pos
++]; /* z is the number of compression methods */
385 ret
= _gnutls_server_select_comp_method (session
, &data
[pos
], z
);
394 /* Parse the extensions (if any)
396 if (ver
>= GNUTLS_TLS1
)
398 ret
= _gnutls_parse_extensions (session
, &data
[pos
], len
); /* len is the rest of the parsed length */
406 /* select an appropriate cipher suite
408 ret
= _gnutls_server_select_suite (session
, suite_ptr
, suite_size
);
418 /* here we hash all pending data.
421 _gnutls_handshake_hash_pending (gnutls_session_t session
)
427 if (session
->internals
.handshake_mac_handle_sha
== NULL
||
428 session
->internals
.handshake_mac_handle_md5
== NULL
)
431 return GNUTLS_E_INTERNAL_ERROR
;
434 /* We check if there are pending data to hash.
436 if ((ret
= _gnutls_handshake_buffer_get_ptr (session
, &data
, &siz
)) < 0)
444 _gnutls_hash (session
->internals
.handshake_mac_handle_sha
, data
, siz
);
445 _gnutls_hash (session
->internals
.handshake_mac_handle_md5
, data
, siz
);
448 _gnutls_handshake_buffer_empty (session
);
454 /* This is to be called after sending CHANGE CIPHER SPEC packet
455 * and initializing encryption. This is the first encrypted message
459 _gnutls_send_finished (gnutls_session_t session
, int again
)
469 /* This is needed in order to hash all the required
472 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
478 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
481 _gnutls_ssl3_finished (session
,
482 session
->security_parameters
.entity
, data
);
488 _gnutls_finished (session
,
489 session
->security_parameters
.entity
, data
);
502 _gnutls_send_handshake (session
, data
, data_size
,
503 GNUTLS_HANDSHAKE_FINISHED
);
508 /* This is to be called after sending our finished message. If everything
509 * went fine we have negotiated a secure connection
512 _gnutls_recv_finished (gnutls_session_t session
)
514 uint8_t data
[36], *vrfy
;
520 _gnutls_recv_handshake (session
, &vrfy
, &vrfysize
,
521 GNUTLS_HANDSHAKE_FINISHED
, MANDATORY_PACKET
);
524 ERR ("recv finished int", ret
);
530 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
539 if (vrfysize
!= data_size
)
543 return GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
546 if (gnutls_protocol_get_version (session
) == GNUTLS_SSL3
)
549 _gnutls_ssl3_finished (session
,
550 (session
->security_parameters
.
551 entity
+ 1) % 2, data
);
556 _gnutls_finished (session
,
557 (session
->security_parameters
.entity
+
568 if (memcmp (vrfy
, data
, data_size
) != 0)
571 ret
= GNUTLS_E_ERROR_IN_FINISHED_PACKET
;
578 /* returns PK_RSA if the given cipher suite list only supports,
579 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
582 _gnutls_server_find_pk_algos_in_ciphersuites (const opaque
*
586 gnutls_pk_algorithm_t algo
= GNUTLS_PK_NONE
, prev_algo
= 0;
587 gnutls_kx_algorithm_t kx
;
590 if (datalen
% 2 != 0)
593 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
596 for (j
= 0; j
< datalen
; j
+= 2)
598 memcpy (&cs
.suite
, &data
[j
], 2);
599 kx
= _gnutls_cipher_suite_get_kx_algo (&cs
);
601 if (_gnutls_map_kx_get_cred (kx
, 1) == GNUTLS_CRD_CERTIFICATE
)
603 algo
= _gnutls_map_pk_get_pk (kx
);
605 if (algo
!= prev_algo
&& prev_algo
!= 0)
606 return GNUTLS_PK_ANY
;
615 /* This selects the best supported ciphersuite from the given ones. Then
616 * it adds the suite to the session and performs some checks.
619 _gnutls_server_select_suite (gnutls_session_t session
, opaque
* data
,
623 cipher_suite_st
*ciphers
, cs
;
625 gnutls_pk_algorithm_t pk_algo
; /* will hold the pk algorithms
626 * supported by the peer.
629 pk_algo
= _gnutls_server_find_pk_algos_in_ciphersuites (data
, datalen
);
631 x
= _gnutls_supported_ciphersuites (session
, &ciphers
);
633 { /* the case x==0 is handled within the function. */
638 /* Here we remove any ciphersuite that does not conform
639 * the certificate requested, or to the
640 * authentication requested (e.g. SRP).
642 x
= _gnutls_remove_unwanted_ciphersuites (session
, &ciphers
, x
, pk_algo
);
646 gnutls_free (ciphers
);
650 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
653 /* Data length should be zero mod 2 since
654 * every ciphersuite is 2 bytes. (this check is needed
657 if (datalen
% 2 != 0)
660 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
662 #ifdef HANDSHAKE_DEBUG
664 _gnutls_handshake_log ("HSK[%x]: Requested cipher suites: \n", session
);
665 for (j
= 0; j
< datalen
; j
+= 2)
667 memcpy (&cs
.suite
, &data
[j
], 2);
668 _gnutls_handshake_log ("\t%s\n", _gnutls_cipher_suite_get_name (&cs
));
670 _gnutls_handshake_log ("HSK[%x]: Supported cipher suites: \n", session
);
671 for (j
= 0; j
< x
; j
++)
672 _gnutls_handshake_log ("\t%s\n",
673 _gnutls_cipher_suite_get_name (&ciphers
[j
]));
675 memset (session
->security_parameters
.current_cipher_suite
.suite
, '\0', 2);
677 retval
= GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
679 for (j
= 0; j
< datalen
; j
+= 2)
681 for (i
= 0; i
< x
; i
++)
683 if (memcmp (ciphers
[i
].suite
, &data
[j
], 2) == 0)
685 memcpy (&cs
.suite
, &data
[j
], 2);
687 _gnutls_handshake_log
688 ("HSK[%x]: Selected cipher suite: %s\n", session
,
689 _gnutls_cipher_suite_get_name (&cs
));
690 memcpy (session
->security_parameters
.current_cipher_suite
.
691 suite
, ciphers
[i
].suite
, 2);
699 gnutls_free (ciphers
);
707 /* check if the credentials (username, public key etc.) are ok
709 if (_gnutls_get_kx_cred
711 _gnutls_cipher_suite_get_kx_algo (&session
->security_parameters
.
712 current_cipher_suite
),
713 &err
) == NULL
&& err
!= 0)
716 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
720 /* set the mod_auth_st to the appropriate struct
721 * according to the KX algorithm. This is needed since all the
722 * handshake functions are read from there;
724 session
->internals
.auth_struct
=
725 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
726 (&session
->security_parameters
.
727 current_cipher_suite
));
728 if (session
->internals
.auth_struct
== NULL
)
731 _gnutls_handshake_log
732 ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n",
735 return GNUTLS_E_INTERNAL_ERROR
;
743 /* This selects the best supported compression method from the ones provided
746 _gnutls_server_select_comp_method (gnutls_session_t session
,
747 opaque
* data
, int datalen
)
752 x
= _gnutls_supported_compression_methods (session
, &comps
);
759 memset (&session
->internals
.compression_method
, 0,
760 sizeof (gnutls_compression_method_t
));
762 for (j
= 0; j
< datalen
; j
++)
764 for (i
= 0; i
< x
; i
++)
766 if (comps
[i
] == data
[j
])
768 gnutls_compression_method_t method
=
769 _gnutls_compression_get_id (comps
[i
]);
771 session
->internals
.compression_method
= method
;
774 _gnutls_handshake_log
775 ("HSK[%x]: Selected Compression Method: %s\n", session
,
776 gnutls_compression_get_name (session
->internals
.
777 compression_method
));
785 /* we were not able to find a compatible compression
790 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
794 /* This function sends an empty handshake packet. (like hello request).
795 * If the previous _gnutls_send_empty_handshake() returned
796 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
797 * (until it returns ok), with NULL parameters.
800 _gnutls_send_empty_handshake (gnutls_session_t session
,
801 gnutls_handshake_description_t type
, int again
)
811 return _gnutls_send_handshake (session
, ptr
, 0, type
);
815 /* This function will hash the handshake message we sent.
818 _gnutls_handshake_hash_add_sent (gnutls_session_t session
,
819 gnutls_handshake_description_t type
,
820 opaque
* dataptr
, uint32_t datalen
)
824 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
830 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
832 _gnutls_hash (session
->internals
.handshake_mac_handle_sha
, dataptr
,
834 _gnutls_hash (session
->internals
.handshake_mac_handle_md5
, dataptr
,
842 /* This function sends a handshake message of type 'type' containing the
843 * data specified here. If the previous _gnutls_send_handshake() returned
844 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
845 * (until it returns ok), with NULL parameters.
848 _gnutls_send_handshake (gnutls_session_t session
, void *i_data
,
850 gnutls_handshake_description_t type
)
857 if (i_data
== NULL
&& i_datasize
== 0)
859 /* we are resuming a previously interrupted
862 ret
= _gnutls_handshake_io_write_flush (session
);
867 if (i_data
== NULL
&& i_datasize
> 0)
870 return GNUTLS_E_INVALID_REQUEST
;
874 datasize
= i_datasize
+ HANDSHAKE_HEADER_SIZE
;
875 data
= gnutls_alloca (datasize
);
879 return GNUTLS_E_MEMORY_ERROR
;
882 data
[pos
++] = (uint8_t) type
;
883 _gnutls_write_uint24 (i_datasize
, &data
[pos
]);
887 memcpy (&data
[pos
], i_data
, i_datasize
);
889 _gnutls_handshake_log ("HSK[%x]: %s was send [%ld bytes]\n",
890 session
, _gnutls_handshake2str (type
), datasize
);
893 /* Here we keep the handshake messages in order to hash them...
895 if (type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
897 _gnutls_handshake_hash_add_sent (session
, type
, data
, datasize
)) < 0)
904 session
->internals
.last_handshake_out
= type
;
907 _gnutls_handshake_io_send_int (session
, GNUTLS_HANDSHAKE
, type
,
915 /* This function will read the handshake header and return it to the caller. If the
916 * received handshake packet is not the one expected then it buffers the header, and
917 * returns UNEXPECTED_HANDSHAKE_PACKET.
919 * FIXME: This function is complex.
921 #define SSL2_HEADERS 1
923 _gnutls_recv_handshake_header (gnutls_session_t session
,
924 gnutls_handshake_description_t type
,
925 gnutls_handshake_description_t
* recv_type
)
928 uint32_t length32
= 0;
929 uint8_t *dataptr
= NULL
; /* for realloc */
930 size_t handshake_header_size
= HANDSHAKE_HEADER_SIZE
;
932 /* if we have data into the buffer then return them, do not read the next packet.
933 * In order to return we need a full TLS handshake header, or in case of a version 2
934 * packet, then we return the first byte.
936 if (session
->internals
.handshake_header_buffer
.header_size
==
937 handshake_header_size
|| (session
->internals
.v2_hello
!= 0
938 && type
== GNUTLS_HANDSHAKE_CLIENT_HELLO
939 && session
->internals
.
940 handshake_header_buffer
.packet_length
> 0))
943 *recv_type
= session
->internals
.handshake_header_buffer
.recv_type
;
945 return session
->internals
.handshake_header_buffer
.packet_length
;
948 /* Note: SSL2_HEADERS == 1 */
950 dataptr
= session
->internals
.handshake_header_buffer
.header
;
952 /* If we haven't already read the handshake headers.
954 if (session
->internals
.handshake_header_buffer
.header_size
< SSL2_HEADERS
)
957 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
958 type
, dataptr
, SSL2_HEADERS
);
966 /* The case ret==0 is caught here.
968 if (ret
!= SSL2_HEADERS
)
971 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
973 session
->internals
.handshake_header_buffer
.header_size
= SSL2_HEADERS
;
976 if (session
->internals
.v2_hello
== 0
977 || type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
)
980 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
984 handshake_header_buffer
.
986 HANDSHAKE_HEADER_SIZE
-
988 handshake_header_buffer
.header_size
);
992 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
995 HANDSHAKE_HEADER_SIZE
-
996 session
->internals
.handshake_header_buffer
.header_size
)
999 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1001 *recv_type
= dataptr
[0];
1003 /* we do not use DECR_LEN because we know
1004 * that the packet has enough data.
1006 length32
= _gnutls_read_uint24 (&dataptr
[1]);
1007 handshake_header_size
= HANDSHAKE_HEADER_SIZE
;
1009 _gnutls_handshake_log ("HSK[%x]: %s was received [%ld bytes]\n",
1010 session
, _gnutls_handshake2str (dataptr
[0]),
1011 length32
+ HANDSHAKE_HEADER_SIZE
);
1016 length32
= session
->internals
.v2_hello
- SSL2_HEADERS
; /* we've read the first byte */
1018 handshake_header_size
= SSL2_HEADERS
; /* we've already read one byte */
1020 *recv_type
= dataptr
[0];
1022 _gnutls_handshake_log ("HSK[%x]: %s(v2) was received [%ld bytes]\n",
1023 session
, _gnutls_handshake2str (*recv_type
),
1024 length32
+ handshake_header_size
);
1026 if (*recv_type
!= GNUTLS_HANDSHAKE_CLIENT_HELLO
)
1027 { /* it should be one or nothing */
1029 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1033 /* put the packet into the buffer */
1034 session
->internals
.handshake_header_buffer
.header_size
=
1035 handshake_header_size
;
1036 session
->internals
.handshake_header_buffer
.packet_length
= length32
;
1037 session
->internals
.handshake_header_buffer
.recv_type
= *recv_type
;
1039 if (*recv_type
!= type
)
1042 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1048 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0
1052 /* This function will hash the handshake headers and the
1056 _gnutls_handshake_hash_add_recvd (gnutls_session_t session
,
1057 gnutls_handshake_description_t recv_type
,
1058 opaque
* header
, uint16_t header_size
,
1059 opaque
* dataptr
, uint32_t datalen
)
1063 /* The idea here is to hash the previous message we received,
1064 * and add the one we just received into the handshake_hash_buffer.
1067 if ((ret
= _gnutls_handshake_hash_pending (session
)) < 0)
1073 /* here we buffer the handshake messages - needed at Finished message */
1074 if (recv_type
!= GNUTLS_HANDSHAKE_HELLO_REQUEST
)
1078 _gnutls_handshake_buffer_put (session
, header
, header_size
)) < 0)
1087 _gnutls_handshake_buffer_put (session
, dataptr
, datalen
)) < 0)
1099 /* This function will receive handshake messages of the given types,
1100 * and will pass the message to the right place in order to be processed.
1101 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1102 * passed to _gnutls_recv_hello().
1105 _gnutls_recv_handshake (gnutls_session_t session
, uint8_t ** data
,
1106 int *datalen
, gnutls_handshake_description_t type
,
1110 uint32_t length32
= 0;
1111 opaque
*dataptr
= NULL
;
1112 gnutls_handshake_description_t recv_type
;
1114 ret
= _gnutls_recv_handshake_header (session
, type
, &recv_type
);
1118 /* In SRP when expecting the server hello we may receive
1119 * an alert instead. Do as the draft demands.
1121 if (ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
&&
1122 gnutls_alert_get (session
) == GNUTLS_A_MISSING_SRP_USERNAME
&&
1123 type
== GNUTLS_HANDSHAKE_SERVER_HELLO
)
1126 return GNUTLS_E_INT_HANDSHAKE_AGAIN
;
1129 if (ret
== GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1130 && optional
== OPTIONAL_PACKET
)
1132 if (datalen
!= NULL
)
1136 return 0; /* ok just ignore the packet */
1142 session
->internals
.last_handshake_in
= recv_type
;
1147 dataptr
= gnutls_malloc (length32
);
1148 else if (recv_type
!= GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
)
1151 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1154 if (dataptr
== NULL
&& length32
> 0)
1157 return GNUTLS_E_MEMORY_ERROR
;
1160 if (datalen
!= NULL
)
1161 *datalen
= length32
;
1166 _gnutls_handshake_io_recv_int (session
, GNUTLS_HANDSHAKE
,
1167 type
, dataptr
, length32
);
1171 gnutls_free (dataptr
);
1172 return (ret
== 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH
: ret
;
1176 if (data
!= NULL
&& length32
> 0)
1180 ret
= _gnutls_handshake_hash_add_recvd (session
, recv_type
,
1182 handshake_header_buffer
.header
,
1184 handshake_header_buffer
.
1185 header_size
, dataptr
, length32
);
1189 _gnutls_handshake_header_buffer_clear (session
);
1193 /* If we fail before this then we will reuse the handshake header
1194 * have have received above. if we get here the we clear the handshake
1195 * header we received.
1197 _gnutls_handshake_header_buffer_clear (session
);
1201 case GNUTLS_HANDSHAKE_CLIENT_HELLO
:
1202 case GNUTLS_HANDSHAKE_SERVER_HELLO
:
1203 ret
= _gnutls_recv_hello (session
, dataptr
, length32
);
1204 /* dataptr is freed because the caller does not
1206 gnutls_free (dataptr
);
1210 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
:
1214 ret
= GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1216 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT
:
1217 case GNUTLS_HANDSHAKE_FINISHED
:
1218 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE
:
1219 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE
:
1220 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST
:
1221 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY
:
1222 case GNUTLS_HANDSHAKE_SUPPLEMENTAL
:
1227 gnutls_free (dataptr
);
1230 ret
= GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
;
1236 /* This function checks if the given cipher suite is supported, and sets it
1240 _gnutls_client_set_ciphersuite (gnutls_session_t session
, opaque suite
[2])
1243 cipher_suite_st
*cipher_suites
;
1244 int cipher_suite_num
;
1248 cipher_suite_num
= _gnutls_supported_ciphersuites (session
, &cipher_suites
);
1249 if (cipher_suite_num
< 0)
1252 return cipher_suite_num
;
1255 for (i
= 0; i
< cipher_suite_num
; i
++)
1257 if (memcmp (&cipher_suites
[i
], suite
, 2) == 0)
1264 gnutls_free (cipher_suites
);
1269 return GNUTLS_E_UNKNOWN_CIPHER_SUITE
;
1272 memcpy (session
->security_parameters
.current_cipher_suite
.suite
, suite
, 2);
1274 _gnutls_handshake_log ("HSK[%x]: Selected cipher suite: %s\n", session
,
1275 _gnutls_cipher_suite_get_name (&session
->
1276 security_parameters
.
1277 current_cipher_suite
));
1280 /* check if the credentials (username, public key etc.) are ok.
1281 * Actually checks if they exist.
1283 if (_gnutls_get_kx_cred
1284 (session
, _gnutls_cipher_suite_get_kx_algo (&session
->
1285 security_parameters
.
1286 current_cipher_suite
),
1287 &err
) == NULL
&& err
!= 0)
1290 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1294 /* set the mod_auth_st to the appropriate struct
1295 * according to the KX algorithm. This is needed since all the
1296 * handshake functions are read from there;
1298 session
->internals
.auth_struct
=
1299 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1300 (&session
->security_parameters
.
1301 current_cipher_suite
));
1303 if (session
->internals
.auth_struct
== NULL
)
1306 _gnutls_handshake_log
1307 ("HSK[%x]: Cannot find the appropriate handler for the KX algorithm\n",
1310 return GNUTLS_E_INTERNAL_ERROR
;
1317 /* This function sets the given comp method to the session.
1320 _gnutls_client_set_comp_method (gnutls_session_t session
, opaque comp_method
)
1322 int comp_methods_num
;
1323 uint8_t *compression_methods
;
1326 comp_methods_num
= _gnutls_supported_compression_methods (session
,
1327 &compression_methods
);
1328 if (comp_methods_num
< 0)
1331 return comp_methods_num
;
1334 for (i
= 0; i
< comp_methods_num
; i
++)
1336 if (compression_methods
[i
] == comp_method
)
1338 comp_methods_num
= 0;
1343 gnutls_free (compression_methods
);
1345 if (comp_methods_num
!= 0)
1348 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1351 session
->internals
.compression_method
=
1352 _gnutls_compression_get_id (comp_method
);
1358 /* This function returns 0 if we are resuming a session or -1 otherwise.
1359 * This also sets the variables in the session. Used only while reading a server
1363 _gnutls_client_check_if_resuming (gnutls_session_t session
,
1364 opaque
* session_id
, int session_id_len
)
1366 opaque buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1368 _gnutls_handshake_log ("HSK[%x]: SessionID length: %d\n", session
,
1370 _gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session
,
1371 _gnutls_bin2hex (session_id
, session_id_len
, buf
,
1374 if (session_id_len
> 0 &&
1375 session
->internals
.resumed_security_parameters
.session_id_size
==
1377 && memcmp (session_id
,
1378 session
->internals
.resumed_security_parameters
.
1379 session_id
, session_id_len
) == 0)
1381 /* resume session */
1382 memcpy (session
->internals
.
1383 resumed_security_parameters
.server_random
,
1384 session
->security_parameters
.server_random
, TLS_RANDOM_SIZE
);
1385 memcpy (session
->internals
.
1386 resumed_security_parameters
.client_random
,
1387 session
->security_parameters
.client_random
, TLS_RANDOM_SIZE
);
1388 session
->internals
.resumed
= RESUME_TRUE
; /* we are resuming */
1394 /* keep the new session id */
1395 session
->internals
.resumed
= RESUME_FALSE
; /* we are not resuming */
1396 session
->security_parameters
.session_id_size
= session_id_len
;
1397 memcpy (session
->security_parameters
.session_id
,
1398 session_id
, session_id_len
);
1405 /* This function reads and parses the server hello handshake message.
1406 * This function also restores resumed parameters if we are resuming a
1410 _gnutls_read_server_hello (gnutls_session_t session
,
1411 opaque
* data
, int datalen
)
1413 uint8_t session_id_len
= 0;
1416 gnutls_protocol_t version
;
1422 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
1425 _gnutls_handshake_log ("HSK[%x]: Server's version: %d.%d\n",
1426 session
, data
[pos
], data
[pos
+ 1]);
1429 version
= _gnutls_version_get (data
[pos
], data
[pos
+ 1]);
1430 if (_gnutls_version_is_supported (session
, version
) == 0)
1433 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1437 _gnutls_set_current_version (session
, version
);
1442 DECR_LEN (len
, TLS_RANDOM_SIZE
);
1443 _gnutls_set_server_random (session
, &data
[pos
]);
1444 pos
+= TLS_RANDOM_SIZE
;
1450 session_id_len
= data
[pos
++];
1452 if (len
< session_id_len
)
1455 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET
;
1457 DECR_LEN (len
, session_id_len
);
1460 /* check if we are resuming and set the appropriate
1463 if (_gnutls_client_check_if_resuming
1464 (session
, &data
[pos
], session_id_len
) == 0)
1466 pos
+= session_id_len
;
1469 /* Check if the given cipher suite is supported and copy
1470 * it to the session.
1474 ret
= _gnutls_client_set_ciphersuite (session
, &data
[pos
]);
1484 /* move to compression
1488 ret
= _gnutls_client_set_comp_method (session
, data
[pos
++]);
1492 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM
;
1495 /* Parse extensions.
1497 if (version
>= GNUTLS_TLS1
)
1499 ret
= _gnutls_parse_extensions (session
, &data
[pos
], len
); /* len is the rest of the parsed length */
1510 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1511 * Needed in client hello messages. Returns the new data length.
1514 _gnutls_copy_ciphersuites (gnutls_session_t session
,
1515 opaque
* ret_data
, size_t ret_data_size
)
1518 cipher_suite_st
*cipher_suites
;
1519 uint16_t cipher_num
;
1522 ret
= _gnutls_supported_ciphersuites_sorted (session
, &cipher_suites
);
1529 /* Here we remove any ciphersuite that does not conform
1530 * the certificate requested, or to the
1531 * authentication requested (eg SRP).
1534 _gnutls_remove_unwanted_ciphersuites (session
, &cipher_suites
, ret
, -1);
1538 gnutls_free (cipher_suites
);
1542 /* If no cipher suites were enabled.
1547 gnutls_free (cipher_suites
);
1548 return GNUTLS_E_INSUFFICIENT_CREDENTIALS
;
1553 cipher_num
*= sizeof (uint16_t); /* in order to get bytes */
1557 datalen
+= sizeof (uint16_t) + cipher_num
;
1559 if ((size_t) datalen
> ret_data_size
)
1562 return GNUTLS_E_INTERNAL_ERROR
;
1565 _gnutls_write_uint16 (cipher_num
, ret_data
);
1568 for (i
= 0; i
< (cipher_num
/ 2); i
++)
1570 memcpy (&ret_data
[pos
], cipher_suites
[i
].suite
, 2);
1573 gnutls_free (cipher_suites
);
1579 /* This function copies the appropriate compression methods, to a locally allocated buffer
1580 * Needed in hello messages. Returns the new data length.
1583 _gnutls_copy_comp_methods (gnutls_session_t session
,
1584 opaque
* ret_data
, size_t ret_data_size
)
1587 uint8_t *compression_methods
, comp_num
;
1590 ret
= _gnutls_supported_compression_methods (session
, &compression_methods
);
1600 datalen
+= comp_num
+ 1;
1602 if ((size_t) datalen
> ret_data_size
)
1605 return GNUTLS_E_INTERNAL_ERROR
;
1608 ret_data
[pos
++] = comp_num
; /* put the number of compression methods */
1610 for (i
= 0; i
< comp_num
; i
++)
1612 ret_data
[pos
++] = compression_methods
[i
];
1615 gnutls_free (compression_methods
);
1620 /* This should be sufficient by now. It should hold all the extensions
1621 * plus the headers in a hello message.
1623 #define MAX_EXT_DATA_LENGTH 1024
1625 /* This function sends the client hello handshake message.
1628 _gnutls_send_client_hello (gnutls_session_t session
, int again
)
1630 opaque
*data
= NULL
;
1633 int datalen
= 0, ret
= 0;
1634 opaque rnd
[TLS_RANDOM_SIZE
];
1635 gnutls_protocol_t hver
;
1636 opaque extdata
[MAX_EXT_DATA_LENGTH
];
1639 session
->internals
.resumed_security_parameters
.session_id
;
1640 uint8_t session_id_len
=
1641 session
->internals
.resumed_security_parameters
.session_id_size
;
1643 if (SessionID
== NULL
)
1645 else if (session_id_len
== 0)
1651 datalen
= 2 + (session_id_len
+ 1) + TLS_RANDOM_SIZE
;
1652 /* 2 for version, (4 for unix time + 28 for random bytes==TLS_RANDOM_SIZE)
1655 data
= gnutls_malloc (datalen
);
1659 return GNUTLS_E_MEMORY_ERROR
;
1662 /* if we are resuming a session then we set the
1663 * version number to the previously established.
1665 if (SessionID
== NULL
)
1666 hver
= _gnutls_version_max (session
);
1668 { /* we are resuming a session */
1669 hver
= session
->internals
.resumed_security_parameters
.version
;
1672 if (hver
== GNUTLS_VERSION_UNKNOWN
|| hver
== 0)
1676 return GNUTLS_E_INTERNAL_ERROR
;
1679 data
[pos
++] = _gnutls_version_get_major (hver
);
1680 data
[pos
++] = _gnutls_version_get_minor (hver
);
1682 /* Set the version we advertized as maximum
1685 _gnutls_set_adv_version (session
, hver
);
1687 /* Some old implementations do not interoperate if we send a
1688 * different version in the record layer.
1689 * It seems they prefer to read the record's version
1690 * as the one we actually requested.
1691 * The proper behaviour is to use the one in the client hello
1692 * handshake packet and ignore the one in the packet's record
1695 _gnutls_set_current_version (session
, hver
);
1697 /* In order to know when this session was initiated.
1699 session
->security_parameters
.timestamp
= time (NULL
);
1701 /* Generate random data
1703 _gnutls_tls_create_random (rnd
);
1704 _gnutls_set_client_random (session
, rnd
);
1706 memcpy (&data
[pos
], rnd
, TLS_RANDOM_SIZE
);
1707 pos
+= TLS_RANDOM_SIZE
;
1709 /* Copy the Session ID
1711 data
[pos
++] = session_id_len
;
1713 if (session_id_len
> 0)
1715 memcpy (&data
[pos
], SessionID
, session_id_len
);
1716 pos
+= session_id_len
;
1720 /* Copy the ciphersuites.
1723 _gnutls_copy_ciphersuites (session
, extdata
, sizeof (extdata
));
1726 datalen
+= extdatalen
;
1727 data
= gnutls_realloc_fast (data
, datalen
);
1731 return GNUTLS_E_MEMORY_ERROR
;
1734 memcpy (&data
[pos
], extdata
, extdatalen
);
1740 if (extdatalen
== 0)
1741 extdatalen
= GNUTLS_E_INTERNAL_ERROR
;
1748 /* Copy the compression methods.
1751 _gnutls_copy_comp_methods (session
, extdata
, sizeof (extdata
));
1754 datalen
+= extdatalen
;
1755 data
= gnutls_realloc_fast (data
, datalen
);
1759 return GNUTLS_E_MEMORY_ERROR
;
1762 memcpy (&data
[pos
], extdata
, extdatalen
);
1768 if (extdatalen
== 0)
1769 extdatalen
= GNUTLS_E_INTERNAL_ERROR
;
1775 /* Generate and copy TLS extensions.
1777 if (hver
>= GNUTLS_TLS1
)
1780 _gnutls_gen_extensions (session
, extdata
, sizeof (extdata
));
1784 datalen
+= extdatalen
;
1785 data
= gnutls_realloc_fast (data
, datalen
);
1789 return GNUTLS_E_MEMORY_ERROR
;
1792 memcpy (&data
[pos
], extdata
, extdatalen
);
1794 else if (extdatalen
< 0)
1804 _gnutls_send_handshake (session
, data
, datalen
,
1805 GNUTLS_HANDSHAKE_CLIENT_HELLO
);
1812 _gnutls_send_server_hello (gnutls_session_t session
, int again
)
1814 opaque
*data
= NULL
;
1815 opaque extdata
[MAX_EXT_DATA_LENGTH
];
1818 int datalen
, ret
= 0;
1820 opaque
*SessionID
= session
->security_parameters
.session_id
;
1821 uint8_t session_id_len
= session
->security_parameters
.session_id_size
;
1822 opaque buf
[2 * TLS_MAX_SESSION_ID_SIZE
+ 1];
1824 if (SessionID
== NULL
)
1831 (_gnutls_cipher_suite_get_kx_algo
1832 (&session
->security_parameters
.current_cipher_suite
)))
1834 /* While resuming we cannot check the username extension since it is
1835 * not available at this point. It will be copied on connection
1838 if (session
->internals
.resumed
== RESUME_FALSE
&&
1839 session
->security_parameters
.extensions
.srp_username
[0] == 0)
1841 /* The peer didn't send a valid SRP extension with the
1842 * SRP username. The draft requires that we send an
1843 * alert and start the handshake again.
1846 ret
= gnutls_alert_send (session
, GNUTLS_AL_WARNING
,
1847 GNUTLS_A_MISSING_SRP_USERNAME
);
1854 return GNUTLS_E_INT_HANDSHAKE_AGAIN
;
1861 datalen
= 2 + session_id_len
+ 1 + TLS_RANDOM_SIZE
+ 3;
1863 _gnutls_gen_extensions (session
, extdata
, sizeof (extdata
));
1871 data
= gnutls_alloca (datalen
+ extdatalen
);
1875 return GNUTLS_E_MEMORY_ERROR
;
1879 _gnutls_version_get_major (session
->security_parameters
.version
);
1881 _gnutls_version_get_minor (session
->security_parameters
.version
);
1884 session
->security_parameters
.server_random
, TLS_RANDOM_SIZE
);
1885 pos
+= TLS_RANDOM_SIZE
;
1887 data
[pos
++] = session_id_len
;
1888 if (session_id_len
> 0)
1890 memcpy (&data
[pos
], SessionID
, session_id_len
);
1892 pos
+= session_id_len
;
1894 _gnutls_handshake_log ("HSK[%x]: SessionID: %s\n", session
,
1895 _gnutls_bin2hex (SessionID
, session_id_len
,
1896 buf
, sizeof (buf
)));
1899 session
->security_parameters
.current_cipher_suite
.suite
, 2);
1903 (uint8_t) _gnutls_compression_get_num (session
->
1904 internals
.compression_method
);
1910 datalen
+= extdatalen
;
1912 memcpy (&data
[pos
], extdata
, extdatalen
);
1917 _gnutls_send_handshake (session
, data
, datalen
,
1918 GNUTLS_HANDSHAKE_SERVER_HELLO
);
1919 gnutls_afree (data
);
1925 _gnutls_send_hello (gnutls_session_t session
, int again
)
1929 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1931 ret
= _gnutls_send_client_hello (session
, again
);
1936 ret
= _gnutls_send_server_hello (session
, again
);
1942 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
1943 * hello message is expected. It uses the security_parameters.current_cipher_suite
1944 * and internals.compression_method.
1947 _gnutls_recv_hello (gnutls_session_t session
, opaque
* data
, int datalen
)
1951 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1953 ret
= _gnutls_read_server_hello (session
, data
, datalen
);
1961 { /* Server side reading a client hello */
1963 ret
= _gnutls_read_client_hello (session
, data
, datalen
);
1974 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
1978 * ClientHello -------->
1979 * <-------- ServerHello
1982 * ServerKeyExchange*
1983 * <-------- CertificateRequest*
1985 * <-------- ServerHelloDone
1988 * CertificateVerify*
1989 * [ChangeCipherSpec]
1990 * Finished -------->
1991 * [ChangeCipherSpec]
1992 * <-------- Finished
1994 * (*): means optional packet.
1998 * gnutls_rehandshake - This function will renegotiate security parameters
1999 * @session: is a #gnutls_session_t structure.
2001 * This function will renegotiate security parameters with the
2002 * client. This should only be called in case of a server.
2004 * This message informs the peer that we want to renegotiate
2005 * parameters (perform a handshake).
2007 * If this function succeeds (returns 0), you must call
2008 * the gnutls_handshake() function in order to negotiate
2009 * the new parameters.
2011 * If the client does not wish to renegotiate parameters he
2012 * will should with an alert message, thus the return code will be
2013 * GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2014 * GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2019 gnutls_rehandshake (gnutls_session_t session
)
2023 /* only server sends that handshake packet */
2024 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2025 return GNUTLS_E_INVALID_REQUEST
;
2028 _gnutls_send_empty_handshake (session
, GNUTLS_HANDSHAKE_HELLO_REQUEST
,
2043 _gnutls_abort_handshake (gnutls_session_t session
, int ret
)
2045 if (((ret
== GNUTLS_E_WARNING_ALERT_RECEIVED
) &&
2046 (gnutls_alert_get (session
) == GNUTLS_A_NO_RENEGOTIATION
))
2047 || ret
== GNUTLS_E_GOT_APPLICATION_DATA
)
2050 /* this doesn't matter */
2051 return GNUTLS_E_INTERNAL_ERROR
;
2055 /* This function initialized the handshake hash session.
2056 * required for finished messages.
2059 _gnutls_handshake_hash_init (gnutls_session_t session
)
2062 if (session
->internals
.handshake_mac_handle_md5
== NULL
)
2064 session
->internals
.handshake_mac_handle_md5
=
2065 _gnutls_hash_init (GNUTLS_MAC_MD5
);
2067 if (session
->internals
.handshake_mac_handle_md5
== GNUTLS_HASH_FAILED
)
2070 return GNUTLS_E_MEMORY_ERROR
;
2074 if (session
->internals
.handshake_mac_handle_sha
== NULL
)
2076 session
->internals
.handshake_mac_handle_sha
=
2077 _gnutls_hash_init (GNUTLS_MAC_SHA1
);
2078 if (session
->internals
.handshake_mac_handle_sha
== GNUTLS_HASH_FAILED
)
2081 return GNUTLS_E_MEMORY_ERROR
;
2089 _gnutls_send_supplemental (gnutls_session_t session
, int again
)
2093 _gnutls_debug_log ("EXT[%x]: Sending supplemental data\n", session
);
2096 ret
= _gnutls_send_handshake (session
, NULL
, 0,
2097 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2101 _gnutls_buffer_init (&buf
);
2103 ret
= _gnutls_gen_supplemental (session
, &buf
);
2110 ret
= _gnutls_send_handshake (session
, buf
.data
, buf
.length
,
2111 GNUTLS_HANDSHAKE_SUPPLEMENTAL
);
2112 _gnutls_buffer_clear (&buf
);
2119 _gnutls_recv_supplemental (gnutls_session_t session
)
2121 uint8_t *data
= NULL
;
2125 _gnutls_debug_log ("EXT[%x]: Expecting supplemental data\n", session
);
2127 ret
= _gnutls_recv_handshake (session
, &data
, &datalen
,
2128 GNUTLS_HANDSHAKE_SUPPLEMENTAL
,
2136 ret
= _gnutls_parse_supplemental (session
, data
, datalen
);
2149 * gnutls_handshake - This is the main function in the handshake protocol.
2150 * @session: is a #gnutls_session_t structure.
2152 * This function does the handshake of the TLS/SSL protocol,
2153 * and initializes the TLS connection.
2155 * This function will fail if any problem is encountered,
2156 * and will return a negative error code. In case of a client,
2157 * if the client has asked to resume a session, but the server couldn't,
2158 * then a full handshake will be performed.
2160 * The non-fatal errors such as GNUTLS_E_AGAIN and GNUTLS_E_INTERRUPTED
2161 * interrupt the handshake procedure, which should be later be resumed.
2162 * Call this function again, until it returns 0; cf.
2163 * gnutls_record_get_direction() and gnutls_error_is_fatal().
2165 * If this function is called by a server after a rehandshake request then
2166 * GNUTLS_E_GOT_APPLICATION_DATA or GNUTLS_E_WARNING_ALERT_RECEIVED
2167 * may be returned. Note that these are non fatal errors, only in the
2168 * specific case of a rehandshake. Their meaning is that the client
2169 * rejected the rehandshake request.
2173 gnutls_handshake (gnutls_session_t session
)
2177 if ((ret
= _gnutls_handshake_hash_init (session
)) < 0)
2183 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2185 ret
= _gnutls_handshake_client (session
);
2189 ret
= _gnutls_handshake_server (session
);
2193 /* In the case of a rehandshake abort
2194 * we should reset the handshake's internal state.
2196 if (_gnutls_abort_handshake (session
, ret
) == 0)
2202 ret
= _gnutls_handshake_common (session
);
2206 if (_gnutls_abort_handshake (session
, ret
) == 0)
2214 _gnutls_handshake_io_buffer_clear (session
);
2215 _gnutls_handshake_internal_state_clear (session
);
2220 /* Here if GNUTLS_E_INT_HANDSHAKE_AGAIN is received we go to
2221 * restart. This works because this error code may only be
2222 * received on the first 2 handshake packets. If for some reason
2223 * this changes we should return GNUTLS_E_AGAIN.
2225 #define IMED_RET( str, ret) do { \
2227 if (ret == GNUTLS_E_INT_HANDSHAKE_AGAIN && \
2228 session->internals.handshake_restarted == 1) \
2229 ret = GNUTLS_E_INTERNAL_ERROR; \
2230 if (ret == GNUTLS_E_INT_HANDSHAKE_AGAIN) { \
2232 session->internals.handshake_restarted = 1; \
2235 if (gnutls_error_is_fatal(ret)==0) return ret; \
2238 _gnutls_handshake_hash_buffers_clear(session); \
2245 * _gnutls_handshake_client
2246 * This function performs the client side of the handshake of the TLS/SSL protocol.
2249 _gnutls_handshake_client (gnutls_session_t session
)
2253 #ifdef HANDSHAKE_DEBUG
2256 if (session
->internals
.resumed_security_parameters
.session_id_size
> 0)
2257 _gnutls_handshake_log ("HSK[%x]: Ask to resume: %s\n", session
,
2258 _gnutls_bin2hex (session
->internals
.
2259 resumed_security_parameters
.
2262 resumed_security_parameters
.
2263 session_id_size
, buf
,
2272 ret
= _gnutls_send_hello (session
, AGAIN (STATE1
));
2274 IMED_RET ("send hello", ret
);
2277 /* receive the server hello */
2279 _gnutls_recv_handshake (session
, NULL
, NULL
,
2280 GNUTLS_HANDSHAKE_SERVER_HELLO
,
2283 IMED_RET ("recv hello", ret
);
2286 if (session
->security_parameters
.extensions
.do_recv_supplemental
)
2288 ret
= _gnutls_recv_supplemental (session
);
2290 IMED_RET ("recv supplemental", ret
);
2294 /* RECV CERTIFICATE */
2295 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2296 ret
= _gnutls_recv_server_certificate (session
);
2298 IMED_RET ("recv server certificate", ret
);
2301 /* receive the server key exchange */
2302 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2303 ret
= _gnutls_recv_server_kx_message (session
);
2305 IMED_RET ("recv server kx message", ret
);
2308 /* receive the server certificate request - if any
2311 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2312 ret
= _gnutls_recv_server_certificate_request (session
);
2314 IMED_RET ("recv server certificate request message", ret
);
2317 /* receive the server hello done */
2318 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2320 _gnutls_recv_handshake (session
, NULL
, NULL
,
2321 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2324 IMED_RET ("recv server hello done", ret
);
2327 if (session
->security_parameters
.extensions
.do_send_supplemental
)
2329 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE71
));
2331 IMED_RET ("send supplemental", ret
);
2335 /* send our certificate - if any and if requested
2337 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2338 ret
= _gnutls_send_client_certificate (session
, AGAIN (STATE7
));
2340 IMED_RET ("send client certificate", ret
);
2343 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2344 ret
= _gnutls_send_client_kx_message (session
, AGAIN (STATE8
));
2346 IMED_RET ("send client kx", ret
);
2349 /* send client certificate verify */
2350 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2352 _gnutls_send_client_certificate_verify (session
, AGAIN (STATE9
));
2354 IMED_RET ("send client certificate verify", ret
);
2365 /* This function sends the final handshake packets and initializes connection
2368 _gnutls_send_handshake_final (gnutls_session_t session
, int init
)
2372 /* Send the CHANGE CIPHER SPEC PACKET */
2378 ret
= _gnutls_send_change_cipher_spec (session
, AGAIN (STATE20
));
2382 ERR ("send ChangeCipherSpec", ret
);
2387 /* Initialize the connection session (start encryption) - in case of client
2391 ret
= _gnutls_connection_state_init (session
);
2399 ret
= _gnutls_write_connection_state_init (session
);
2407 /* send the finished message */
2408 ret
= _gnutls_send_finished (session
, AGAIN (STATE21
));
2412 ERR ("send Finished", ret
);
2425 /* This function receives the final handshake packets
2426 * And executes the appropriate function to initialize the
2430 _gnutls_recv_handshake_final (gnutls_session_t session
, int init
)
2439 ret
= _gnutls_recv_int (session
, GNUTLS_CHANGE_CIPHER_SPEC
, -1, &ch
, 1);
2443 ERR ("recv ChangeCipherSpec", ret
);
2445 return (ret
< 0) ? ret
: GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2448 /* Initialize the connection session (start encryption) - in case of server */
2451 ret
= _gnutls_connection_state_init (session
);
2459 ret
= _gnutls_read_connection_state_init (session
);
2467 ret
= _gnutls_recv_finished (session
);
2471 ERR ("recv finished", ret
);
2485 * _gnutls_handshake_server
2486 * This function does the server stuff of the handshake protocol.
2490 _gnutls_handshake_server (gnutls_session_t session
)
2501 _gnutls_recv_handshake (session
, NULL
, NULL
,
2502 GNUTLS_HANDSHAKE_CLIENT_HELLO
,
2505 IMED_RET ("recv hello", ret
);
2508 ret
= _gnutls_send_hello (session
, AGAIN (STATE2
));
2510 IMED_RET ("send hello", ret
);
2513 if (session
->security_parameters
.extensions
.do_send_supplemental
)
2515 ret
= _gnutls_send_supplemental (session
, AGAIN (STATE70
));
2517 IMED_RET ("send supplemental data", ret
);
2520 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
2522 /* NOTE: these should not be send if we are resuming */
2524 if (session
->internals
.resumed
== RESUME_FALSE
)
2525 ret
= _gnutls_send_server_certificate (session
, AGAIN (STATE3
));
2527 IMED_RET ("send server certificate", ret
);
2530 /* send server key exchange (A) */
2531 if (session
->internals
.resumed
== RESUME_FALSE
)
2532 ret
= _gnutls_send_server_kx_message (session
, AGAIN (STATE4
));
2534 IMED_RET ("send server kx", ret
);
2537 /* Send certificate request - if requested to */
2538 if (session
->internals
.resumed
== RESUME_FALSE
)
2540 _gnutls_send_server_certificate_request (session
, AGAIN (STATE5
));
2542 IMED_RET ("send server cert request", ret
);
2545 /* send the server hello done */
2546 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2548 _gnutls_send_empty_handshake (session
,
2549 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE
,
2552 IMED_RET ("send server hello done", ret
);
2555 if (session
->security_parameters
.extensions
.do_recv_supplemental
)
2557 ret
= _gnutls_recv_supplemental (session
);
2559 IMED_RET ("recv client supplemental", ret
);
2562 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
2564 /* receive the client certificate message */
2565 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2566 ret
= _gnutls_recv_client_certificate (session
);
2568 IMED_RET ("recv client certificate", ret
);
2571 /* receive the client key exchange message */
2572 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2573 ret
= _gnutls_recv_client_kx_message (session
);
2575 IMED_RET ("recv client kx", ret
);
2578 /* receive the client certificate verify message */
2579 if (session
->internals
.resumed
== RESUME_FALSE
) /* if we are not resuming */
2580 ret
= _gnutls_recv_client_certificate_verify_message (session
);
2582 IMED_RET ("recv client certificate verify", ret
);
2584 STATE
= STATE0
; /* finished thus clear session */
2593 _gnutls_handshake_common (gnutls_session_t session
)
2599 /* send and recv the change cipher spec and finished messages */
2600 if ((session
->internals
.resumed
== RESUME_TRUE
2601 && session
->security_parameters
.entity
== GNUTLS_CLIENT
)
2602 || (session
->internals
.resumed
== RESUME_FALSE
2603 && session
->security_parameters
.entity
== GNUTLS_SERVER
))
2605 /* if we are a client resuming - or we are a server not resuming */
2607 ret
= _gnutls_recv_handshake_final (session
, TRUE
);
2608 IMED_RET ("recv handshake final", ret
);
2610 ret
= _gnutls_send_handshake_final (session
, FALSE
);
2611 IMED_RET ("send handshake final", ret
);
2614 { /* if we are a client not resuming - or we are a server resuming */
2616 ret
= _gnutls_send_handshake_final (session
, TRUE
);
2617 IMED_RET ("send handshake final 2", ret
);
2619 ret
= _gnutls_recv_handshake_final (session
, FALSE
);
2620 IMED_RET ("recv handshake final 2", ret
);
2623 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
2625 /* in order to support session resuming */
2626 _gnutls_server_register_current_session (session
);
2629 /* clear handshake buffer */
2630 _gnutls_handshake_hash_buffers_clear (session
);
2636 _gnutls_generate_session_id (opaque
* session_id
, uint8_t * len
)
2638 *len
= TLS_MAX_SESSION_ID_SIZE
;
2640 if (gc_nonce (session_id
, *len
) != GC_OK
)
2643 return GNUTLS_E_RANDOM_FAILED
;
2650 _gnutls_recv_hello_request (gnutls_session_t session
, void *data
,
2655 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
2658 return GNUTLS_E_UNEXPECTED_PACKET
;
2663 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH
;
2665 type
= ((uint8_t *) data
)[0];
2666 if (type
== GNUTLS_HANDSHAKE_HELLO_REQUEST
)
2667 return GNUTLS_E_REHANDSHAKE
;
2671 return GNUTLS_E_UNEXPECTED_PACKET
;
2675 /* Returns 1 if the given KX has not the corresponding parameters
2676 * (DH or RSA) set up. Otherwise returns 0.
2679 check_server_params (gnutls_session_t session
,
2680 gnutls_kx_algorithm_t kx
,
2681 gnutls_kx_algorithm_t
* alg
, int alg_size
)
2684 gnutls_dh_params_t dh_params
= NULL
;
2685 gnutls_rsa_params_t rsa_params
= NULL
;
2688 cred_type
= _gnutls_map_kx_get_cred (kx
, 1);
2690 /* Read the Diffie Hellman parameters, if any.
2692 if (cred_type
== GNUTLS_CRD_CERTIFICATE
)
2695 gnutls_certificate_credentials_t x509_cred
=
2696 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
2699 if (x509_cred
!= NULL
)
2702 _gnutls_get_dh_params (x509_cred
->dh_params
,
2703 x509_cred
->params_func
, session
);
2705 _gnutls_certificate_get_rsa_params (x509_cred
->rsa_params
,
2706 x509_cred
->params_func
,
2710 /* Check also if the certificate supports the
2714 for (j
= 0; j
< alg_size
; j
++)
2728 else if (cred_type
== GNUTLS_CRD_ANON
)
2730 gnutls_anon_server_credentials_t anon_cred
=
2731 (gnutls_anon_server_credentials_t
) _gnutls_get_cred (session
->key
,
2734 if (anon_cred
!= NULL
)
2737 _gnutls_get_dh_params (anon_cred
->dh_params
,
2738 anon_cred
->params_func
, session
);
2743 else if (cred_type
== GNUTLS_CRD_PSK
)
2745 gnutls_psk_server_credentials_t psk_cred
=
2746 (gnutls_psk_server_credentials_t
) _gnutls_get_cred (session
->key
,
2749 if (psk_cred
!= NULL
)
2752 _gnutls_get_dh_params (psk_cred
->dh_params
, psk_cred
->params_func
,
2758 return 0; /* no need for params */
2761 /* If the key exchange method needs RSA or DH params,
2762 * but they are not set then remove it.
2764 if (_gnutls_kx_needs_rsa_params (kx
) != 0)
2766 /* needs rsa params. */
2767 if (_gnutls_rsa_params_to_mpi (rsa_params
) == NULL
)
2774 if (_gnutls_kx_needs_dh_params (kx
) != 0)
2776 /* needs DH params. */
2777 if (_gnutls_dh_params_to_mpi (dh_params
) == NULL
)
2787 /* This function will remove algorithms that are not supported by
2788 * the requested authentication method. We remove an algorithm if
2789 * we have a certificate with keyUsage bits set.
2791 * This does a more high level check than gnutls_supported_ciphersuites(),
2792 * by checking certificates etc.
2795 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session
,
2796 cipher_suite_st
** cipherSuites
,
2797 int numCipherSuites
,
2798 gnutls_pk_algorithm_t requested_pk_algo
)
2802 cipher_suite_st
*newSuite
, cs
;
2803 int newSuiteSize
= 0, i
;
2804 gnutls_certificate_credentials_t x509_cred
;
2805 gnutls_kx_algorithm_t kx
;
2806 int server
= session
->security_parameters
.entity
== GNUTLS_SERVER
? 1 : 0;
2807 gnutls_kx_algorithm_t
*alg
;
2810 /* if we should use a specific certificate,
2811 * we should remove all algorithms that are not supported
2812 * by that certificate and are on the same authentication
2813 * method (CERTIFICATE).
2817 (gnutls_certificate_credentials_t
) _gnutls_get_cred (session
->key
,
2818 GNUTLS_CRD_CERTIFICATE
,
2821 /* if x509_cred==NULL we should remove all X509 ciphersuites
2824 if (session
->security_parameters
.entity
== GNUTLS_SERVER
2825 && x509_cred
!= NULL
)
2827 ret
= _gnutls_server_select_cert (session
, requested_pk_algo
);
2835 /* get all the key exchange algorithms that are
2836 * supported by the X509 certificate parameters.
2839 _gnutls_selected_cert_supported_kx (session
, &alg
, &alg_size
)) < 0)
2845 newSuite
= gnutls_malloc (numCipherSuites
* sizeof (cipher_suite_st
));
2846 if (newSuite
== NULL
)
2850 return GNUTLS_E_MEMORY_ERROR
;
2853 /* now removes ciphersuites based on the KX algorithm
2855 for (i
= 0; i
< numCipherSuites
; i
++)
2859 /* finds the key exchange algorithm in
2862 kx
= _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites
)[i
]);
2864 /* if it is defined but had no credentials
2866 if (_gnutls_get_kx_cred (session
, kx
, NULL
) == NULL
)
2875 delete = check_server_params (session
, kx
, alg
, alg_size
);
2878 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
2879 (see cred_mappings in gnutls_algorithms.c), but it also
2880 requires a SRP credential. Don't use SRP kx unless we have a
2881 SRP credential too. */
2882 if (kx
== GNUTLS_KX_SRP_RSA
|| kx
== GNUTLS_KX_SRP_DSS
)
2884 if (!_gnutls_get_cred (session
->key
, GNUTLS_CRD_SRP
, NULL
))
2888 memcpy (&cs
.suite
, &(*cipherSuites
)[i
].suite
, 2);
2893 _gnutls_handshake_log ("HSK[%x]: Keeping ciphersuite: %s\n",
2895 _gnutls_cipher_suite_get_name (&cs
));
2897 memcpy (newSuite
[newSuiteSize
].suite
, (*cipherSuites
)[i
].suite
, 2);
2902 _gnutls_handshake_log ("HSK[%x]: Removing ciphersuite: %s\n",
2904 _gnutls_cipher_suite_get_name (&cs
));
2910 gnutls_free (*cipherSuites
);
2911 *cipherSuites
= newSuite
;
2920 * gnutls_handshake_set_max_packet_length - This function will set the maximum length of a handshake message
2921 * @session: is a #gnutls_session_t structure.
2922 * @max: is the maximum number.
2924 * This function will set the maximum size of a handshake message.
2925 * Handshake messages over this size are rejected.
2926 * The default value is 16kb which is large enough. Set this to 0 if you do not want
2927 * to set an upper limit.
2931 gnutls_handshake_set_max_packet_length (gnutls_session_t session
, size_t max
)
2933 session
->internals
.max_handshake_data_buffer_size
= max
;
2937 _gnutls_set_adv_version (gnutls_session_t session
, gnutls_protocol_t ver
)
2939 set_adv_version (session
, _gnutls_version_get_major (ver
),
2940 _gnutls_version_get_minor (ver
));
2944 _gnutls_get_adv_version (gnutls_session_t session
)
2946 return _gnutls_version_get (_gnutls_get_adv_version_major (session
),
2947 _gnutls_get_adv_version_minor (session
));
2951 * gnutls_handshake_get_last_in - Returns the last handshake message received.
2952 * @session: is a #gnutls_session_t structure.
2954 * Returns the last handshake message received. This function is only useful
2955 * to check where the last performed handshake failed. If the previous handshake
2956 * succeed or was not performed at all then no meaningful value will be returned.
2958 * Check gnutls.h for the available handshake descriptions.
2960 gnutls_handshake_description_t
2961 gnutls_handshake_get_last_in (gnutls_session_t session
)
2963 return session
->internals
.last_handshake_in
;
2967 * gnutls_handshake_get_last_out - Returns the last handshake message sent.
2968 * @session: is a #gnutls_session_t structure.
2970 * Returns the last handshake message sent. This function is only useful
2971 * to check where the last performed handshake failed. If the previous handshake
2972 * succeed or was not performed at all then no meaningful value will be returned.
2974 * Check gnutls.h for the available handshake descriptions.
2977 gnutls_handshake_description_t
2978 gnutls_handshake_get_last_out (gnutls_session_t session
)
2980 return session
->internals
.last_handshake_out
;