2 * Copyright (C) 2002-2012 Free Software Foundation, Inc.
4 * Author: Nikos Mavrogiannopoulos
6 * This file is part of GnuTLS.
8 * The GnuTLS is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU Lesser General Public License
10 * as published by the Free Software Foundation; either version 3 of
11 * the License, or (at your option) any later version.
13 * This library is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 * Lesser General Public License for more details.
18 * You should have received a copy of the GNU Lesser General Public License
19 * along with this program. If not, see <http://www.gnu.org/licenses/>
23 /* Functions to manipulate the session (gnutls_int.h), and some other stuff
24 * are included here. The file's name is traditionally gnutls_state even if the
25 * state has been renamed to session.
28 #include <gnutls_int.h>
29 #include <gnutls_errors.h>
30 #include <gnutls_auth.h>
31 #include <gnutls_num.h>
32 #include <gnutls_datum.h>
33 #include <gnutls_db.h>
34 #include <gnutls_record.h>
35 #include <gnutls_handshake.h>
36 #include <gnutls_dh.h>
37 #include <gnutls_buffers.h>
38 #include <gnutls_mbuffers.h>
39 #include <gnutls_state.h>
40 #include <gnutls_constate.h>
41 #include <auth/cert.h>
42 #include <auth/anon.h>
44 #include <algorithms.h>
45 #include <gnutls_rsa_export.h>
46 #include <gnutls_extensions.h>
48 #include <gnutls/dtls.h>
51 /* These should really be static, but src/tests.c calls them. Make
52 them public functions? */
54 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
55 unsigned char major
, unsigned char minor
);
58 _gnutls_session_cert_type_set (gnutls_session_t session
,
59 gnutls_certificate_type_t ct
)
61 _gnutls_handshake_log("HSK[%p]: Selected certificate type %s (%d)\n", session
,
62 gnutls_certificate_type_get_name(ct
), ct
);
63 session
->security_parameters
.cert_type
= ct
;
67 _gnutls_session_ecc_curve_set (gnutls_session_t session
,
70 _gnutls_handshake_log("HSK[%p]: Selected ECC curve %s (%d)\n", session
, gnutls_ecc_curve_get_name(c
), c
);
71 session
->security_parameters
.ecc_curve
= c
;
76 * @session: is a #gnutls_session_t structure.
78 * Get currently used cipher.
80 * Returns: the currently used cipher, a #gnutls_cipher_algorithm_t
83 gnutls_cipher_algorithm_t
84 gnutls_cipher_get (gnutls_session_t session
)
86 record_parameters_st
*record_params
;
89 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &record_params
);
91 return gnutls_assert_val(GNUTLS_CIPHER_NULL
);
93 return record_params
->cipher_algorithm
;
97 * gnutls_certificate_type_get:
98 * @session: is a #gnutls_session_t structure.
100 * The certificate type is by default X.509, unless it is negotiated
101 * as a TLS extension.
103 * Returns: the currently used #gnutls_certificate_type_t certificate
106 gnutls_certificate_type_t
107 gnutls_certificate_type_get (gnutls_session_t session
)
109 return session
->security_parameters
.cert_type
;
114 * @session: is a #gnutls_session_t structure.
116 * Get currently used key exchange algorithm.
118 * Returns: the key exchange algorithm used in the last handshake, a
119 * #gnutls_kx_algorithm_t value.
121 gnutls_kx_algorithm_t
122 gnutls_kx_get (gnutls_session_t session
)
124 return session
->security_parameters
.kx_algorithm
;
129 * @session: is a #gnutls_session_t structure.
131 * Get currently used MAC algorithm.
133 * Returns: the currently used mac algorithm, a
134 * #gnutls_mac_algorithm_t value.
136 gnutls_mac_algorithm_t
137 gnutls_mac_get (gnutls_session_t session
)
139 record_parameters_st
*record_params
;
142 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &record_params
);
144 return gnutls_assert_val(GNUTLS_MAC_NULL
);
146 return record_params
->mac_algorithm
;
150 * gnutls_compression_get:
151 * @session: is a #gnutls_session_t structure.
153 * Get currently used compression algorithm.
155 * Returns: the currently used compression method, a
156 * #gnutls_compression_method_t value.
158 gnutls_compression_method_t
159 gnutls_compression_get (gnutls_session_t session
)
161 record_parameters_st
*record_params
;
164 ret
= _gnutls_epoch_get (session
, EPOCH_READ_CURRENT
, &record_params
);
166 return gnutls_assert_val(GNUTLS_COMP_NULL
);
168 return record_params
->compression_algorithm
;
171 /* Check if the given certificate type is supported.
172 * This means that it is enabled by the priority functions,
173 * and a matching certificate exists.
176 _gnutls_session_cert_type_supported (gnutls_session_t session
,
177 gnutls_certificate_type_t cert_type
)
180 unsigned cert_found
= 0;
181 gnutls_certificate_credentials_t cred
;
183 if (session
->security_parameters
.entity
== GNUTLS_SERVER
)
185 cred
= (gnutls_certificate_credentials_t
)
186 _gnutls_get_cred (session
->key
, GNUTLS_CRD_CERTIFICATE
, NULL
);
189 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
191 if (cred
->server_get_cert_callback
== NULL
192 && cred
->get_cert_callback
== NULL
)
194 for (i
= 0; i
< cred
->ncerts
; i
++)
196 if (cred
->certs
[i
].cert_list
[0].type
== cert_type
)
204 /* no certificate is of that type.
206 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
210 if (session
->internals
.priorities
.cert_type
.algorithms
== 0
211 && cert_type
== DEFAULT_CERT_TYPE
)
214 for (i
= 0; i
< session
->internals
.priorities
.cert_type
.algorithms
; i
++)
216 if (session
->internals
.priorities
.cert_type
.priority
[i
] == cert_type
)
222 return GNUTLS_E_UNSUPPORTED_CERTIFICATE_TYPE
;
226 /* this function deinitializes all the internal parameters stored
227 * in a session struct.
230 deinit_internal_params (gnutls_session_t session
)
232 if (session
->internals
.params
.free_dh_params
)
233 gnutls_dh_params_deinit (session
->internals
.params
.dh_params
);
235 if (session
->internals
.params
.free_rsa_params
)
236 gnutls_rsa_params_deinit (session
->internals
.params
.rsa_params
);
238 _gnutls_handshake_hash_buffers_clear (session
);
240 memset (&session
->internals
.params
, 0, sizeof (session
->internals
.params
));
243 /* This function will clear all the variables in internals
244 * structure within the session, which depend on the current handshake.
245 * This is used to allow further handshakes.
248 _gnutls_handshake_internal_state_init (gnutls_session_t session
)
250 session
->internals
.extensions_sent_size
= 0;
252 /* by default no selected certificate */
253 session
->internals
.adv_version_major
= 0;
254 session
->internals
.adv_version_minor
= 0;
255 session
->internals
.direction
= 0;
257 /* use out of band data for the last
258 * handshake messages received.
260 session
->internals
.last_handshake_in
= -1;
261 session
->internals
.last_handshake_out
= -1;
263 session
->internals
.resumable
= RESUME_TRUE
;
265 session
->internals
.dtls
.hsk_read_seq
= 0;
266 session
->internals
.dtls
.hsk_write_seq
= 0;
267 gettime(&session
->internals
.dtls
.handshake_start_time
);
271 _gnutls_handshake_internal_state_clear (gnutls_session_t session
)
273 _gnutls_handshake_internal_state_init (session
);
275 deinit_internal_params (session
);
277 _gnutls_epoch_gc(session
);
280 #define MIN_DH_BITS 727
283 * @session: is a pointer to a #gnutls_session_t structure.
284 * @flags: indicate if this session is to be used for server or client.
286 * This function initializes the current session to null. Every
287 * session must be initialized before use, so internal structures can
288 * be allocated. This function allocates structures which can only
289 * be free'd by calling gnutls_deinit(). Returns %GNUTLS_E_SUCCESS (0) on success.
291 * @flags can be one of %GNUTLS_CLIENT and %GNUTLS_SERVER. For a DTLS
292 * entity, the flags %GNUTLS_DATAGRAM and %GNUTLS_NONBLOCK are
293 * also available. The latter flag will enable a non-blocking
294 * operation of the DTLS timers.
296 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
299 gnutls_init (gnutls_session_t
* session
, unsigned int flags
)
302 record_parameters_st
*epoch
;
304 *session
= gnutls_calloc (1, sizeof (struct gnutls_session_int
));
305 if (*session
== NULL
)
306 return GNUTLS_E_MEMORY_ERROR
;
308 ret
= _gnutls_epoch_alloc (*session
, 0, &epoch
);
312 return GNUTLS_E_MEMORY_ERROR
;
315 /* Set all NULL algos on epoch 0 */
316 _gnutls_epoch_set_null_algos (*session
, epoch
);
318 (*session
)->security_parameters
.epoch_next
= 1;
320 (*session
)->security_parameters
.entity
= (flags
&GNUTLS_SERVER
?GNUTLS_SERVER
:GNUTLS_CLIENT
);
322 /* the default certificate type for TLS */
323 (*session
)->security_parameters
.cert_type
= DEFAULT_CERT_TYPE
;
325 /* Initialize buffers */
326 _gnutls_buffer_init (&(*session
)->internals
.handshake_hash_buffer
);
328 _mbuffer_head_init (&(*session
)->internals
.record_buffer
);
329 _mbuffer_head_init (&(*session
)->internals
.record_send_buffer
);
330 _mbuffer_head_init (&(*session
)->internals
.record_recv_buffer
);
332 _mbuffer_head_init (&(*session
)->internals
.handshake_send_buffer
);
333 _gnutls_handshake_recv_buffer_init(*session
);
335 (*session
)->key
= gnutls_calloc (1, sizeof (struct gnutls_key_st
));
336 if ((*session
)->key
== NULL
)
338 gnutls_free (*session
);
340 return GNUTLS_E_MEMORY_ERROR
;
343 (*session
)->internals
.expire_time
= DEFAULT_EXPIRE_TIME
; /* one hour default */
345 gnutls_dh_set_prime_bits ((*session
), MIN_DH_BITS
);
347 gnutls_handshake_set_max_packet_length ((*session
),
348 MAX_HANDSHAKE_PACKET_SIZE
);
350 /* set the socket pointers to -1;
352 (*session
)->internals
.transport_recv_ptr
= (gnutls_transport_ptr_t
) - 1;
353 (*session
)->internals
.transport_send_ptr
= (gnutls_transport_ptr_t
) - 1;
355 /* set the default maximum record size for TLS
357 (*session
)->security_parameters
.max_record_recv_size
=
358 DEFAULT_MAX_RECORD_SIZE
;
359 (*session
)->security_parameters
.max_record_send_size
=
360 DEFAULT_MAX_RECORD_SIZE
;
362 /* everything else not initialized here is initialized
363 * as NULL or 0. This is why calloc is used.
366 _gnutls_handshake_internal_state_init (*session
);
368 /* emulate old gnutls behavior for old applications that do not use the priority_*
371 (*session
)->internals
.priorities
.sr
= SR_PARTIAL
;
374 gnutls_transport_set_vec_push_function (*session
, system_writev
);
376 gnutls_transport_set_push_function (*session
, system_write
);
378 gnutls_transport_set_pull_function (*session
, system_read
);
379 gnutls_transport_set_errno_function (*session
, system_errno
);
380 gnutls_transport_set_pull_timeout_function (*session
, system_recv_timeout
);
382 if (flags
& GNUTLS_DATAGRAM
)
384 (*session
)->internals
.dtls
.mtu
= DTLS_DEFAULT_MTU
;
385 (*session
)->internals
.transport
= GNUTLS_DGRAM
;
387 (*session
)->internals
.dtls
.retrans_timeout_ms
= 1000;
388 (*session
)->internals
.dtls
.total_timeout_ms
= 60000;
391 (*session
)->internals
.transport
= GNUTLS_STREAM
;
393 if (flags
& GNUTLS_NONBLOCK
)
394 (*session
)->internals
.dtls
.blocking
= 0;
396 (*session
)->internals
.dtls
.blocking
= 1;
401 /* returns RESUME_FALSE or RESUME_TRUE.
404 _gnutls_session_is_resumable (gnutls_session_t session
)
406 return session
->internals
.resumable
;
412 * @session: is a #gnutls_session_t structure.
414 * This function clears all buffers associated with the @session.
415 * This function will also remove session data from the session
416 * database if the session was terminated abnormally.
419 gnutls_deinit (gnutls_session_t session
)
426 /* remove auth info firstly */
427 _gnutls_free_auth_info (session
);
429 _gnutls_handshake_internal_state_clear (session
);
430 _gnutls_handshake_io_buffer_clear (session
);
431 _gnutls_ext_free_session_data (session
);
433 for (i
= 0; i
< MAX_EPOCH_INDEX
; i
++)
434 if (session
->record_parameters
[i
] != NULL
)
436 _gnutls_epoch_free (session
, session
->record_parameters
[i
]);
437 session
->record_parameters
[i
] = NULL
;
440 _gnutls_buffer_clear (&session
->internals
.handshake_hash_buffer
);
441 _mbuffer_head_clear (&session
->internals
.record_buffer
);
442 _mbuffer_head_clear (&session
->internals
.record_recv_buffer
);
443 _mbuffer_head_clear (&session
->internals
.record_send_buffer
);
445 gnutls_credentials_clear (session
);
446 _gnutls_selected_certs_deinit (session
);
448 if (session
->key
!= NULL
)
450 gnutls_pk_params_release(&session
->key
->ecdh_params
);
451 _gnutls_mpi_release (&session
->key
->ecdh_x
);
452 _gnutls_mpi_release (&session
->key
->ecdh_y
);
454 _gnutls_mpi_release (&session
->key
->KEY
);
455 _gnutls_mpi_release (&session
->key
->client_Y
);
456 _gnutls_mpi_release (&session
->key
->client_p
);
457 _gnutls_mpi_release (&session
->key
->client_g
);
459 _gnutls_mpi_release (&session
->key
->u
);
460 _gnutls_mpi_release (&session
->key
->a
);
461 _gnutls_mpi_release (&session
->key
->x
);
462 _gnutls_mpi_release (&session
->key
->A
);
463 _gnutls_mpi_release (&session
->key
->B
);
464 _gnutls_mpi_release (&session
->key
->b
);
467 _gnutls_mpi_release (&session
->key
->rsa
[0]);
468 _gnutls_mpi_release (&session
->key
->rsa
[1]);
470 _gnutls_mpi_release (&session
->key
->dh_secret
);
471 gnutls_free (session
->key
);
476 memset (session
, 0, sizeof (struct gnutls_session_int
));
477 gnutls_free (session
);
480 /* Returns the minimum prime bits that are acceptable.
483 _gnutls_dh_get_allowed_prime_bits (gnutls_session_t session
)
485 return session
->internals
.dh_prime_bits
;
489 _gnutls_dh_set_peer_public (gnutls_session_t session
, bigint_t
public)
494 switch (gnutls_auth_get_type (session
))
496 case GNUTLS_CRD_ANON
:
498 anon_auth_info_t info
;
499 info
= _gnutls_get_auth_info (session
);
501 return GNUTLS_E_INTERNAL_ERROR
;
508 psk_auth_info_t info
;
509 info
= _gnutls_get_auth_info (session
);
511 return GNUTLS_E_INTERNAL_ERROR
;
516 case GNUTLS_CRD_CERTIFICATE
:
518 cert_auth_info_t info
;
520 info
= _gnutls_get_auth_info (session
);
522 return GNUTLS_E_INTERNAL_ERROR
;
529 return GNUTLS_E_INTERNAL_ERROR
;
532 if (dh
->public_key
.data
)
533 _gnutls_free_datum (&dh
->public_key
);
535 ret
= _gnutls_mpi_dprint_lz (public, &dh
->public_key
);
546 _gnutls_dh_set_secret_bits (gnutls_session_t session
, unsigned bits
)
548 switch (gnutls_auth_get_type (session
))
550 case GNUTLS_CRD_ANON
:
552 anon_auth_info_t info
;
553 info
= _gnutls_get_auth_info (session
);
555 return GNUTLS_E_INTERNAL_ERROR
;
556 info
->dh
.secret_bits
= bits
;
561 psk_auth_info_t info
;
562 info
= _gnutls_get_auth_info (session
);
564 return GNUTLS_E_INTERNAL_ERROR
;
565 info
->dh
.secret_bits
= bits
;
568 case GNUTLS_CRD_CERTIFICATE
:
570 cert_auth_info_t info
;
572 info
= _gnutls_get_auth_info (session
);
574 return GNUTLS_E_INTERNAL_ERROR
;
576 info
->dh
.secret_bits
= bits
;
580 return GNUTLS_E_INTERNAL_ERROR
;
587 /* This function will set in the auth info structure the
588 * RSA exponent and the modulus.
591 _gnutls_rsa_export_set_pubkey (gnutls_session_t session
,
592 bigint_t exponent
, bigint_t modulus
)
594 cert_auth_info_t info
;
597 info
= _gnutls_get_auth_info (session
);
599 return GNUTLS_E_INTERNAL_ERROR
;
601 if (info
->rsa_export
.modulus
.data
)
602 _gnutls_free_datum (&info
->rsa_export
.modulus
);
604 if (info
->rsa_export
.exponent
.data
)
605 _gnutls_free_datum (&info
->rsa_export
.exponent
);
607 ret
= _gnutls_mpi_dprint_lz (modulus
, &info
->rsa_export
.modulus
);
614 ret
= _gnutls_mpi_dprint_lz (exponent
, &info
->rsa_export
.exponent
);
618 _gnutls_free_datum (&info
->rsa_export
.modulus
);
626 /* Sets the prime and the generator in the auth info structure.
629 _gnutls_dh_set_group (gnutls_session_t session
, bigint_t gen
, bigint_t prime
)
634 switch (gnutls_auth_get_type (session
))
636 case GNUTLS_CRD_ANON
:
638 anon_auth_info_t info
;
639 info
= _gnutls_get_auth_info (session
);
641 return GNUTLS_E_INTERNAL_ERROR
;
648 psk_auth_info_t info
;
649 info
= _gnutls_get_auth_info (session
);
651 return GNUTLS_E_INTERNAL_ERROR
;
656 case GNUTLS_CRD_CERTIFICATE
:
658 cert_auth_info_t info
;
660 info
= _gnutls_get_auth_info (session
);
662 return GNUTLS_E_INTERNAL_ERROR
;
669 return GNUTLS_E_INTERNAL_ERROR
;
673 _gnutls_free_datum (&dh
->prime
);
675 if (dh
->generator
.data
)
676 _gnutls_free_datum (&dh
->generator
);
680 ret
= _gnutls_mpi_dprint_lz (prime
, &dh
->prime
);
689 ret
= _gnutls_mpi_dprint_lz (gen
, &dh
->generator
);
693 _gnutls_free_datum (&dh
->prime
);
700 #ifdef ENABLE_OPENPGP
702 * gnutls_openpgp_send_cert:
703 * @session: is a pointer to a #gnutls_session_t structure.
704 * @status: is one of GNUTLS_OPENPGP_CERT, or GNUTLS_OPENPGP_CERT_FINGERPRINT
706 * This function will order gnutls to send the key fingerprint
707 * instead of the key in the initial handshake procedure. This should
708 * be used with care and only when there is indication or knowledge
709 * that the server can obtain the client's key.
712 gnutls_openpgp_send_cert (gnutls_session_t session
,
713 gnutls_openpgp_crt_status_t status
)
715 session
->internals
.pgp_fingerprint
= status
;
720 * gnutls_certificate_send_x509_rdn_sequence:
721 * @session: is a pointer to a #gnutls_session_t structure.
724 * If status is non zero, this function will order gnutls not to send
725 * the rdnSequence in the certificate request message. That is the
726 * server will not advertise its trusted CAs to the peer. If status
727 * is zero then the default behaviour will take effect, which is to
728 * advertise the server's trusted CAs.
730 * This function has no effect in clients, and in authentication
731 * methods other than certificate with X.509 certificates.
734 gnutls_certificate_send_x509_rdn_sequence (gnutls_session_t session
,
737 session
->internals
.ignore_rdn_sequence
= status
;
740 #ifdef ENABLE_OPENPGP
742 _gnutls_openpgp_send_fingerprint (gnutls_session_t session
)
744 return session
->internals
.pgp_fingerprint
;
749 * _gnutls_record_set_default_version - Used to set the default version for the first record packet
750 * @session: is a #gnutls_session_t structure.
751 * @major: is a tls major version
752 * @minor: is a tls minor version
754 * This function sets the default version that we will use in the first
755 * record packet (client hello). This function is only useful to people
756 * that know TLS internals and want to debug other implementations.
759 _gnutls_record_set_default_version (gnutls_session_t session
,
760 unsigned char major
, unsigned char minor
)
762 session
->internals
.default_record_version
[0] = major
;
763 session
->internals
.default_record_version
[1] = minor
;
767 * gnutls_handshake_set_private_extensions:
768 * @session: is a #gnutls_session_t structure.
769 * @allow: is an integer (0 or 1)
771 * This function will enable or disable the use of private cipher
772 * suites (the ones that start with 0xFF). By default or if @allow
773 * is 0 then these cipher suites will not be advertized nor used.
775 * Currently GnuTLS does not include such cipher-suites or
776 * compression algorithms.
778 * Enabling the private ciphersuites when talking to other than
779 * gnutls servers and clients may cause interoperability problems.
782 gnutls_handshake_set_private_extensions (gnutls_session_t session
, int allow
)
784 session
->internals
.enable_private
= allow
;
788 _gnutls_cal_PRF_A (gnutls_mac_algorithm_t algorithm
,
789 const void *secret
, int secret_size
,
790 const void *seed
, int seed_size
, void *result
)
794 ret
= _gnutls_hmac_fast (algorithm
, secret
, secret_size
, seed
, seed_size
, result
);
796 return gnutls_assert_val(ret
);
801 #define MAX_SEED_SIZE 200
803 /* Produces "total_bytes" bytes using the hash algorithm specified.
804 * (used in the PRF function)
807 P_hash (gnutls_mac_algorithm_t algorithm
,
808 const uint8_t * secret
, int secret_size
,
809 const uint8_t * seed
, int seed_size
,
810 int total_bytes
, uint8_t * ret
)
814 int i
, times
, how
, blocksize
, A_size
;
815 uint8_t final
[MAX_HASH_SIZE
], Atmp
[MAX_SEED_SIZE
];
816 int output_bytes
, result
;
818 if (seed_size
> MAX_SEED_SIZE
|| total_bytes
<= 0)
821 return GNUTLS_E_INTERNAL_ERROR
;
824 blocksize
= _gnutls_hmac_get_algo_len (algorithm
);
829 output_bytes
+= blocksize
;
831 while (output_bytes
< total_bytes
);
835 memcpy (Atmp
, seed
, seed_size
);
838 times
= output_bytes
/ blocksize
;
840 for (i
= 0; i
< times
; i
++)
842 result
= _gnutls_hmac_init (&td2
, algorithm
, secret
, secret_size
);
849 /* here we calculate A(i+1) */
851 _gnutls_cal_PRF_A (algorithm
, secret
, secret_size
, Atmp
,
855 _gnutls_hmac_deinit (&td2
, final
);
861 _gnutls_hmac (&td2
, Atmp
, A_size
);
862 _gnutls_hmac (&td2
, seed
, seed_size
);
863 _gnutls_hmac_deinit (&td2
, final
);
865 if ((1 + i
) * blocksize
< total_bytes
)
871 how
= total_bytes
- (i
) * blocksize
;
876 memcpy (&ret
[i
* blocksize
], final
, how
);
883 #define MAX_PRF_BYTES 200
885 /* The PRF function expands a given secret
886 * needed by the TLS specification. ret must have a least total_bytes
890 _gnutls_PRF (gnutls_session_t session
,
891 const uint8_t * secret
, unsigned int secret_size
, const char *label
,
892 int label_size
, const uint8_t * seed
, int seed_size
,
893 int total_bytes
, void *ret
)
895 int l_s
, s_seed_size
;
896 const uint8_t *s1
, *s2
;
897 uint8_t s_seed
[MAX_SEED_SIZE
];
898 uint8_t o1
[MAX_PRF_BYTES
], o2
[MAX_PRF_BYTES
];
900 gnutls_protocol_t ver
= gnutls_protocol_get_version (session
);
902 if (total_bytes
> MAX_PRF_BYTES
)
905 return GNUTLS_E_INTERNAL_ERROR
;
907 /* label+seed = s_seed */
908 s_seed_size
= seed_size
+ label_size
;
910 if (s_seed_size
> MAX_SEED_SIZE
)
913 return GNUTLS_E_INTERNAL_ERROR
;
916 memcpy (s_seed
, label
, label_size
);
917 memcpy (&s_seed
[label_size
], seed
, seed_size
);
919 if (_gnutls_version_has_selectable_prf (ver
))
922 P_hash (_gnutls_cipher_suite_get_prf(session
->security_parameters
.cipher_suite
),
924 s_seed
, s_seed_size
, total_bytes
, ret
);
933 l_s
= secret_size
/ 2;
938 if (secret_size
% 2 != 0)
944 P_hash (GNUTLS_MAC_MD5
, s1
, l_s
, s_seed
, s_seed_size
,
953 P_hash (GNUTLS_MAC_SHA1
, s2
, l_s
, s_seed
, s_seed_size
,
961 memxor (o1
, o2
, total_bytes
);
963 memcpy (ret
, o1
, total_bytes
);
972 * @session: is a #gnutls_session_t structure.
973 * @label_size: length of the @label variable.
974 * @label: label used in PRF computation, typically a short string.
975 * @seed_size: length of the @seed variable.
976 * @seed: optional extra data to seed the PRF with.
977 * @outsize: size of pre-allocated output buffer to hold the output.
978 * @out: pre-allocate buffer to hold the generated data.
980 * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
981 * and the provided data.
983 * The @label variable usually contains a string denoting the purpose
984 * for the generated data. The @seed usually contains data such as the
985 * client and server random, perhaps together with some additional
986 * data that is added to guarantee uniqueness of the output for a
987 * particular purpose.
989 * Because the output is not guaranteed to be unique for a particular
990 * session unless @seed includes the client random and server random
991 * fields (the PRF would output the same data on another connection
992 * resumed from the first one), it is not recommended to use this
993 * function directly. The gnutls_prf() function seeds the PRF with the
994 * client and server random fields directly, and is recommended if you
995 * want to generate pseudo random data unique for each session.
997 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1000 gnutls_prf_raw (gnutls_session_t session
,
1003 size_t seed_size
, const char *seed
, size_t outsize
, char *out
)
1007 ret
= _gnutls_PRF (session
,
1008 session
->security_parameters
.master_secret
,
1011 label_size
, (uint8_t *) seed
, seed_size
, outsize
, out
);
1018 * @session: is a #gnutls_session_t structure.
1019 * @label_size: length of the @label variable.
1020 * @label: label used in PRF computation, typically a short string.
1021 * @server_random_first: non-0 if server random field should be first in seed
1022 * @extra_size: length of the @extra variable.
1023 * @extra: optional extra data to seed the PRF with.
1024 * @outsize: size of pre-allocated output buffer to hold the output.
1025 * @out: pre-allocate buffer to hold the generated data.
1027 * Apply the TLS Pseudo-Random-Function (PRF) on the master secret
1028 * and the provided data, seeded with the client and server random fields.
1030 * The @label variable usually contains a string denoting the purpose
1031 * for the generated data. The @server_random_first indicates whether
1032 * the client random field or the server random field should be first
1033 * in the seed. Non-0 indicates that the server random field is first,
1034 * 0 that the client random field is first.
1036 * The @extra variable can be used to add more data to the seed, after
1037 * the random variables. It can be used to make sure the
1038 * generated output is strongly connected to some additional data
1039 * (e.g., a string used in user authentication).
1041 * The output is placed in @out, which must be pre-allocated.
1043 * Returns: %GNUTLS_E_SUCCESS on success, or an error code.
1046 gnutls_prf (gnutls_session_t session
,
1049 int server_random_first
,
1050 size_t extra_size
, const char *extra
, size_t outsize
, char *out
)
1054 size_t seedsize
= 2 * GNUTLS_RANDOM_SIZE
+ extra_size
;
1056 seed
= gnutls_malloc (seedsize
);
1060 return GNUTLS_E_MEMORY_ERROR
;
1063 memcpy (seed
, server_random_first
?
1064 session
->security_parameters
.server_random
:
1065 session
->security_parameters
.client_random
, GNUTLS_RANDOM_SIZE
);
1066 memcpy (seed
+ GNUTLS_RANDOM_SIZE
, server_random_first
?
1067 session
->security_parameters
.client_random
:
1068 session
->security_parameters
.server_random
, GNUTLS_RANDOM_SIZE
);
1070 memcpy (seed
+ 2 * GNUTLS_RANDOM_SIZE
, extra
, extra_size
);
1072 ret
= _gnutls_PRF (session
, session
->security_parameters
.master_secret
,
1074 label
, label_size
, seed
, seedsize
, outsize
, out
);
1082 * gnutls_session_is_resumed:
1083 * @session: is a #gnutls_session_t structure.
1085 * Check whether session is resumed or not.
1087 * Returns: non zero if this session is resumed, or a zero if this is
1091 gnutls_session_is_resumed (gnutls_session_t session
)
1093 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1095 if (session
->security_parameters
.session_id_size
> 0 &&
1096 session
->security_parameters
.session_id_size
==
1097 session
->internals
.resumed_security_parameters
.session_id_size
1098 && memcmp (session
->security_parameters
.session_id
,
1100 resumed_security_parameters
.session_id
,
1101 session
->security_parameters
.session_id_size
) == 0)
1106 if (session
->internals
.resumed
!= RESUME_FALSE
)
1114 * gnutls_session_resumption_requested:
1115 * @session: is a #gnutls_session_t structure.
1117 * Check whether the client has asked for session resumption.
1118 * This function is valid only on server side.
1120 * Returns: non zero if session resumption was asked, or a zero if not.
1123 gnutls_session_resumption_requested(gnutls_session_t session
)
1125 if (session
->security_parameters
.entity
== GNUTLS_CLIENT
)
1131 return session
->internals
.resumption_requested
;
1136 * _gnutls_session_is_export - Used to check whether this session is of export grade
1137 * @session: is a #gnutls_session_t structure.
1139 * This function will return non zero if this session is of export grade.
1142 _gnutls_session_is_export (gnutls_session_t session
)
1144 gnutls_cipher_algorithm_t cipher
;
1147 _gnutls_cipher_suite_get_cipher_algo (session
->
1148 security_parameters
.cipher_suite
);
1150 if (_gnutls_cipher_get_export_flag (cipher
) != 0)
1157 * _gnutls_session_is_psk - Used to check whether this session uses PSK kx
1158 * @session: is a #gnutls_session_t structure.
1160 * This function will return non zero if this session uses a PSK key
1161 * exchange algorithm.
1164 _gnutls_session_is_psk (gnutls_session_t session
)
1166 gnutls_kx_algorithm_t kx
;
1169 _gnutls_cipher_suite_get_kx_algo (session
->
1170 security_parameters
.cipher_suite
);
1171 if (kx
== GNUTLS_KX_PSK
|| kx
== GNUTLS_KX_DHE_PSK
)
1178 * _gnutls_session_is_ecc - Used to check whether this session uses ECC kx
1179 * @session: is a #gnutls_session_t structure.
1181 * This function will return non zero if this session uses an elliptic
1182 * curves key exchange exchange algorithm.
1185 _gnutls_session_is_ecc (gnutls_session_t session
)
1187 gnutls_kx_algorithm_t kx
;
1189 /* We get the key exchange algorithm through the ciphersuite because
1190 * the negotiated key exchange might not have been set yet.
1193 _gnutls_cipher_suite_get_kx_algo (session
->
1194 security_parameters
.cipher_suite
);
1196 return _gnutls_kx_is_ecc(kx
);
1200 * gnutls_session_get_ptr:
1201 * @session: is a #gnutls_session_t structure.
1203 * Get user pointer for session. Useful in callbacks. This is the
1204 * pointer set with gnutls_session_set_ptr().
1206 * Returns: the user given pointer from the session structure, or
1207 * %NULL if it was never set.
1210 gnutls_session_get_ptr (gnutls_session_t session
)
1212 return session
->internals
.user_ptr
;
1216 * gnutls_session_set_ptr:
1217 * @session: is a #gnutls_session_t structure.
1218 * @ptr: is the user pointer
1220 * This function will set (associate) the user given pointer @ptr to
1221 * the session structure. This pointer can be accessed with
1222 * gnutls_session_get_ptr().
1225 gnutls_session_set_ptr (gnutls_session_t session
, void *ptr
)
1227 session
->internals
.user_ptr
= ptr
;
1232 * gnutls_record_get_direction:
1233 * @session: is a #gnutls_session_t structure.
1235 * This function provides information about the internals of the
1236 * record protocol and is only useful if a prior gnutls function call
1237 * (e.g. gnutls_handshake()) was interrupted for some reason, that
1238 * is, if a function returned %GNUTLS_E_INTERRUPTED or
1239 * %GNUTLS_E_AGAIN. In such a case, you might want to call select()
1240 * or poll() before calling the interrupted gnutls function again. To
1241 * tell you whether a file descriptor should be selected for either
1242 * reading or writing, gnutls_record_get_direction() returns 0 if the
1243 * interrupted function was trying to read data, and 1 if it was
1244 * trying to write data.
1246 * Returns: 0 if trying to read data, 1 if trying to write data.
1249 gnutls_record_get_direction (gnutls_session_t session
)
1251 return session
->internals
.direction
;
1255 * _gnutls_rsa_pms_set_version - Sets a version to be used at the RSA PMS
1256 * @session: is a #gnutls_session_t structure.
1257 * @major: is the major version to use
1258 * @minor: is the minor version to use
1260 * This function will set the given version number to be used at the
1261 * RSA PMS secret. This is only useful to clients, which want to
1262 * test server's capabilities.
1265 _gnutls_rsa_pms_set_version (gnutls_session_t session
,
1266 unsigned char major
, unsigned char minor
)
1268 session
->internals
.rsa_pms_version
[0] = major
;
1269 session
->internals
.rsa_pms_version
[1] = minor
;
1273 * gnutls_handshake_set_post_client_hello_function:
1274 * @session: is a #gnutls_session_t structure.
1275 * @func: is the function to be called
1277 * This function will set a callback to be called after the client
1278 * hello has been received (callback valid in server side only). This
1279 * allows the server to adjust settings based on received extensions.
1281 * Those settings could be ciphersuites, requesting certificate, or
1282 * anything else except for version negotiation (this is done before
1283 * the hello message is parsed).
1285 * This callback must return 0 on success or a gnutls error code to
1286 * terminate the handshake.
1288 * Warning: You should not use this function to terminate the
1289 * handshake based on client input unless you know what you are
1290 * doing. Before the handshake is finished there is no way to know if
1291 * there is a man-in-the-middle attack being performed.
1294 gnutls_handshake_set_post_client_hello_function (gnutls_session_t session
,
1295 gnutls_handshake_post_client_hello_func
1298 session
->internals
.user_hello_func
= func
;
1302 * gnutls_session_enable_compatibility_mode:
1303 * @session: is a #gnutls_session_t structure.
1305 * This function can be used to disable certain (security) features in
1306 * TLS in order to maintain maximum compatibility with buggy
1307 * clients. It is equivalent to calling:
1308 * gnutls_record_disable_padding()
1310 * Normally only servers that require maximum compatibility with
1311 * everything out there, need to call this function.
1314 gnutls_session_enable_compatibility_mode (gnutls_session_t session
)
1316 gnutls_record_disable_padding (session
);
1320 * gnutls_session_channel_binding:
1321 * @session: is a #gnutls_session_t structure.
1322 * @cbtype: an #gnutls_channel_binding_t enumeration type
1323 * @cb: output buffer array with data
1325 * Extract given channel binding data of the @cbtype (e.g.,
1326 * %GNUTLS_CB_TLS_UNIQUE) type.
1328 * Returns: %GNUTLS_E_SUCCESS on success,
1329 * %GNUTLS_E_UNIMPLEMENTED_FEATURE if the @cbtype is unsupported,
1330 * %GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE if the data is not
1331 * currently available, or an error code.
1336 gnutls_session_channel_binding (gnutls_session_t session
,
1337 gnutls_channel_binding_t cbtype
,
1338 gnutls_datum_t
* cb
)
1340 if (cbtype
!= GNUTLS_CB_TLS_UNIQUE
)
1341 return GNUTLS_E_UNIMPLEMENTED_FEATURE
;
1343 if (!session
->internals
.initial_negotiation_completed
)
1344 return GNUTLS_E_CHANNEL_BINDING_NOT_AVAILABLE
;
1346 cb
->size
= session
->internals
.cb_tls_unique_len
;
1347 cb
->data
= gnutls_malloc (cb
->size
);
1348 if (cb
->data
== NULL
)
1349 return GNUTLS_E_MEMORY_ERROR
;
1351 memcpy (cb
->data
, session
->internals
.cb_tls_unique
, cb
->size
);
1356 /* returns overhead imposed by the record layer (encryption/compression)
1357 * etc. It does include the record layer headers.
1359 * It may return a negative error code on error.
1361 int _gnutls_record_overhead_rt(gnutls_session_t session
)
1363 record_parameters_st
*params
;
1364 int total
= 0, ret
, iv_size
;
1366 if (session
->internals
.initial_negotiation_completed
== 0)
1367 return RECORD_HEADER_SIZE(session
);
1369 ret
= _gnutls_epoch_get (session
, EPOCH_WRITE_CURRENT
, ¶ms
);
1371 return gnutls_assert_val(ret
);
1373 /* requires padding */
1374 iv_size
= _gnutls_cipher_get_iv_size(params
->cipher_algorithm
);
1377 if (_gnutls_cipher_is_block (params
->cipher_algorithm
) == CIPHER_BLOCK
)
1379 if (!IS_DTLS(session
))
1380 total
+= MAX_PAD_SIZE
;
1382 total
+= iv_size
; /* iv_size == block_size */
1385 if (params
->mac_algorithm
== GNUTLS_MAC_AEAD
)
1386 total
+= _gnutls_cipher_get_tag_size(params
->cipher_algorithm
);
1389 ret
= _gnutls_hmac_get_algo_len(params
->mac_algorithm
);
1391 return gnutls_assert_val(ret
);
1395 if (params
->compression_algorithm
!= GNUTLS_COMP_NULL
)
1396 total
+= EXTRA_COMP_SIZE
;
1398 total
+= RECORD_HEADER_SIZE(session
);
1404 * gnutls_ecc_curve_get:
1405 * @session: is a #gnutls_session_t structure.
1407 * Returns the currently used elliptic curve. Only valid
1408 * when using an elliptic curve ciphersuite.
1410 * Returns: the currently used curve, a #gnutls_ecc_curve_t
1415 gnutls_ecc_curve_t
gnutls_ecc_curve_get(gnutls_session_t session
)
1417 return _gnutls_session_ecc_curve_get(session
);
1420 #undef gnutls_protocol_get_version
1422 * gnutls_protocol_get_version:
1423 * @session: is a #gnutls_session_t structure.
1425 * Get TLS version, a #gnutls_protocol_t value.
1427 * Returns: The version of the currently used protocol.
1430 gnutls_protocol_get_version (gnutls_session_t session
)
1432 return _gnutls_protocol_get_version(session
);
1436 * gnutls_session_get_random:
1437 * @session: is a #gnutls_session_t structure.
1438 * @client: the client part of the random
1439 * @server: the server part of the random
1441 * This function returns pointers to the client and server
1442 * random fields used in the TLS handshake. The pointers are
1443 * not to be modified or deallocated.
1445 * If a client random value has not yet been established, the output
1451 gnutls_session_get_random (gnutls_session_t session
, gnutls_datum_t
* client
, gnutls_datum_t
* server
)
1455 client
->data
= session
->security_parameters
.client_random
;
1456 client
->size
= sizeof(session
->security_parameters
.client_random
);
1461 server
->data
= session
->security_parameters
.server_random
;
1462 server
->size
= sizeof(session
->security_parameters
.server_random
);