search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove.
[gnutls.git] / lib / gnutls_handshake.c
blob4e2952a405d614ff899af846d0a54907039d928a
1 /*
2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010 Free Software Foundation, Inc.
4 *
5 * Author: Nikos Mavrogiannopoulos
6 *
7 * This file is part of GNUTLS.
8 *
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
22 * USA
23 *
24 */
25
26 /* Functions that relate to the TLS handshake procedure.
27 */
28
29 #include "gnutls_int.h"
30 #include "gnutls_errors.h"
31 #include "gnutls_dh.h"
32 #include "debug.h"
33 #include "gnutls_algorithms.h"
34 #include "gnutls_compress.h"
35 #include "gnutls_cipher.h"
36 #include "gnutls_buffers.h"
37 #include "gnutls_kx.h"
38 #include "gnutls_handshake.h"
39 #include "gnutls_num.h"
40 #include "gnutls_hash_int.h"
41 #include "gnutls_db.h"
42 #include "gnutls_extensions.h"
43 #include "gnutls_supplemental.h"
44 #include "gnutls_auth.h"
45 #include "gnutls_v2_compat.h"
46 #include "auth_cert.h"
47 #include "gnutls_cert.h"
48 #include "gnutls_constate.h"
49 #include <gnutls_record.h>
50 #include <gnutls_state.h>
51 #include <ext_srp.h>
52 #include <ext_session_ticket.h>
53 #include <ext_safe_renegotiation.h>
54 #include <gnutls_rsa_export.h> /* for gnutls_get_rsa_params() */
55 #include <auth_anon.h> /* for gnutls_anon_server_credentials_t */
56 #include <auth_psk.h> /* for gnutls_psk_server_credentials_t */
57 #include <random.h>
58
59 #ifdef HANDSHAKE_DEBUG
60 #define ERR(x, y) _gnutls_handshake_log("HSK[%p]: %s (%d)\n", session, x,y)
61 #else
62 #define ERR(x, y)
63 #endif
64
65 #define TRUE 1
66 #define FALSE 0
67
68 static int _gnutls_handshake_hash_init (gnutls_session_t session);
69 static int _gnutls_server_select_comp_method (gnutls_session_t session,
70 opaque * data, int datalen);
71 static int
72 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
73 gnutls_handshake_description_t recv_type,
74 opaque * header, uint16_t header_size,
75 opaque * dataptr, uint32_t datalen);
76
77
78 /* Clears the handshake hash buffers and handles.
79 */
80 void
81 _gnutls_handshake_hash_buffers_clear (gnutls_session_t session)
82 {
83 if (session->security_parameters.handshake_mac_handle_type ==
84 HANDSHAKE_MAC_TYPE_10)
85 {
86 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls10.md5,
87 NULL);
88 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.tls10.sha,
89 NULL);
90 }
91 else if (session->security_parameters.handshake_mac_handle_type ==
92 HANDSHAKE_MAC_TYPE_12)
93 {
94 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.
95 tls12.sha256, NULL);
96 _gnutls_hash_deinit (&session->internals.handshake_mac_handle.
97 tls12.sha1, NULL);
98 }
99 session->security_parameters.handshake_mac_handle_type = 0;
100 session->internals.handshake_mac_handle_init = 0;
101 _gnutls_handshake_buffer_clear (session);
102 }
103
104 /* this will copy the required values for resuming to
105 * internals, and to security_parameters.
106 * this will keep as less data to security_parameters.
107 */
108 static void
109 resume_copy_required_values (gnutls_session_t session)
110 {
111 /* get the new random values */
112 memcpy (session->internals.resumed_security_parameters.server_random,
113 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
114 memcpy (session->internals.resumed_security_parameters.client_random,
115 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
116
117 /* keep the ciphersuite and compression
118 * That is because the client must see these in our
119 * hello message.
120 */
121 memcpy (session->security_parameters.current_cipher_suite.suite,
122 session->internals.resumed_security_parameters.
123 current_cipher_suite.suite, 2);
124
125 session->internals.compression_method =
126 session->internals.resumed_security_parameters.read_compression_algorithm;
127 /* or write_compression_algorithm
128 * they are the same
129 */
130
131 session->security_parameters.entity =
132 session->internals.resumed_security_parameters.entity;
133
134 _gnutls_set_current_version (session,
135 session->internals.
136 resumed_security_parameters.version);
137
138 session->security_parameters.cert_type =
139 session->internals.resumed_security_parameters.cert_type;
140
141 memcpy (session->security_parameters.session_id,
142 session->internals.resumed_security_parameters.session_id,
143 sizeof (session->security_parameters.session_id));
144 session->security_parameters.session_id_size =
145 session->internals.resumed_security_parameters.session_id_size;
146
147 }
148
149 void
150 _gnutls_set_server_random (gnutls_session_t session, uint8_t * rnd)
151 {
152 memcpy (session->security_parameters.server_random, rnd,
153 GNUTLS_RANDOM_SIZE);
154 }
155
156 void
157 _gnutls_set_client_random (gnutls_session_t session, uint8_t * rnd)
158 {
159 memcpy (session->security_parameters.client_random, rnd,
160 GNUTLS_RANDOM_SIZE);
161 }
162
163 /* Calculate The SSL3 Finished message
164 */
165 #define SSL3_CLIENT_MSG "CLNT"
166 #define SSL3_SERVER_MSG "SRVR"
167 #define SSL_MSG_LEN 4
168 static int
169 _gnutls_ssl3_finished (gnutls_session_t session, int type, opaque * ret)
170 {
171 const int siz = SSL_MSG_LEN;
172 digest_hd_st td_md5;
173 digest_hd_st td_sha;
174 const char *mesg;
175 int rc;
176
177 if (session->security_parameters.handshake_mac_handle_type ==
178 HANDSHAKE_MAC_TYPE_10)
179 {
180 rc =
181 _gnutls_hash_copy (&td_md5,
182 &session->internals.handshake_mac_handle.
183 tls10.md5);
184 if (rc < 0)
185 {
186 gnutls_assert ();
187 return rc;
188 }
189
190 rc =
191 _gnutls_hash_copy (&td_sha,
192 &session->internals.handshake_mac_handle.
193 tls10.sha);
194 if (rc < 0)
195 {
196 gnutls_assert ();
197 _gnutls_hash_deinit (&td_md5, NULL);
198 return rc;
199 }
200 }
201 else
202 {
203 gnutls_assert ();
204 return GNUTLS_E_INTERNAL_ERROR;
205 }
206
207 if (type == GNUTLS_SERVER)
208 {
209 mesg = SSL3_SERVER_MSG;
210 }
211 else
212 {
213 mesg = SSL3_CLIENT_MSG;
214 }
215
216 _gnutls_hash (&td_md5, mesg, siz);
217 _gnutls_hash (&td_sha, mesg, siz);
218
219 _gnutls_mac_deinit_ssl3_handshake (&td_md5, ret,
220 session->security_parameters.
221 master_secret, GNUTLS_MASTER_SIZE);
222 _gnutls_mac_deinit_ssl3_handshake (&td_sha, &ret[16],
223 session->security_parameters.
224 master_secret, GNUTLS_MASTER_SIZE);
225
226 return 0;
227 }
228
229 /* Hash the handshake messages as required by TLS 1.0
230 */
231 #define SERVER_MSG "server finished"
232 #define CLIENT_MSG "client finished"
233 #define TLS_MSG_LEN 15
234 static int
235 _gnutls_finished (gnutls_session_t session, int type, void *ret)
236 {
237 const int siz = TLS_MSG_LEN;
238 opaque concat[MAX_HASH_SIZE + 16 /*MD5 */ ];
239 size_t len = 20 + 16;
240 const char *mesg;
241 digest_hd_st td_md5;
242 digest_hd_st td_sha;
243 int rc;
244
245 if (session->security_parameters.handshake_mac_handle_type ==
246 HANDSHAKE_MAC_TYPE_10)
247 {
248 rc =
249 _gnutls_hash_copy (&td_md5,
250 &session->internals.handshake_mac_handle.
251 tls10.md5);
252 if (rc < 0)
253 {
254 gnutls_assert ();
255 return rc;
256 }
257
258 rc =
259 _gnutls_hash_copy (&td_sha,
260 &session->internals.handshake_mac_handle.
261 tls10.sha);
262 if (rc < 0)
263 {
264 gnutls_assert ();
265 _gnutls_hash_deinit (&td_md5, NULL);
266 return rc;
267 }
268
269 _gnutls_hash_deinit (&td_md5, concat);
270 _gnutls_hash_deinit (&td_sha, &concat[16]);
271 }
272 else if (session->security_parameters.handshake_mac_handle_type ==
273 HANDSHAKE_MAC_TYPE_12)
274 {
275 rc =
276 _gnutls_hash_copy (&td_sha,
277 &session->internals.handshake_mac_handle.
278 tls12.sha256);
279 if (rc < 0)
280 {
281 gnutls_assert ();
282 return rc;
283 }
284
285 _gnutls_hash_deinit (&td_sha, concat);
286 len = _gnutls_hash_get_algo_len (td_sha.algorithm);
287 }
288
289 if (type == GNUTLS_SERVER)
290 {
291 mesg = SERVER_MSG;
292 }
293 else
294 {
295 mesg = CLIENT_MSG;
296 }
297
298 return _gnutls_PRF (session, session->security_parameters.master_secret,
299 GNUTLS_MASTER_SIZE, mesg, siz, concat, len, 12, ret);
300 }
301
302 /* this function will produce GNUTLS_RANDOM_SIZE==32 bytes of random data
303 * and put it to dst.
304 */
305 int
306 _gnutls_tls_create_random (opaque * dst)
307 {
308 uint32_t tim;
309 int ret;
310
311 /* Use weak random numbers for the most of the
312 * buffer except for the first 4 that are the
313 * system's time.
314 */
315
316 tim = time (NULL);
317 /* generate server random value */
318 _gnutls_write_uint32 (tim, dst);
319
320 ret = _gnutls_rnd (GNUTLS_RND_NONCE, &dst[4], GNUTLS_RANDOM_SIZE - 4);
321 if (ret < 0)
322 {
323 gnutls_assert ();
324 return ret;
325 }
326
327 return 0;
328 }
329
330 /* returns the 0 on success or a negative value.
331 */
332 int
333 _gnutls_negotiate_version (gnutls_session_t session,
334 gnutls_protocol_t adv_version)
335 {
336 int ret;
337
338 /* if we do not support that version */
339 if (_gnutls_version_is_supported (session, adv_version) == 0)
340 {
341 /* If he requested something we do not support
342 * then we send him the highest we support.
343 */
344 ret = _gnutls_version_max (session);
345 if (ret == GNUTLS_VERSION_UNKNOWN)
346 {
347 /* this check is not really needed.
348 */
349 gnutls_assert ();
350 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
351 }
352 }
353 else
354 {
355 ret = adv_version;
356 }
357
358 _gnutls_set_current_version (session, ret);
359
360 return ret;
361 }
362
363 int
364 _gnutls_user_hello_func (gnutls_session_t session,
365 gnutls_protocol_t adv_version)
366 {
367 int ret;
368
369 if (session->internals.user_hello_func != NULL)
370 {
371 ret = session->internals.user_hello_func (session);
372 if (ret < 0)
373 {
374 gnutls_assert ();
375 return ret;
376 }
377 /* Here we need to renegotiate the version since the callee might
378 * have disabled some TLS versions.
379 */
380 ret = _gnutls_negotiate_version (session, adv_version);
381 if (ret < 0)
382 {
383 gnutls_assert ();
384 return ret;
385 }
386 }
387 return 0;
388 }
389
390 /* Read a client hello packet.
391 * A client hello must be a known version client hello
392 * or version 2.0 client hello (only for compatibility
393 * since SSL version 2.0 is not supported).
394 */
395 static int
396 _gnutls_read_client_hello (gnutls_session_t session, opaque * data,
397 int datalen)
398 {
399 uint8_t session_id_len;
400 int pos = 0, ret;
401 uint16_t suite_size, comp_size;
402 gnutls_protocol_t adv_version;
403 int neg_version;
404 int len = datalen;
405 opaque rnd[GNUTLS_RANDOM_SIZE], *suite_ptr, *comp_ptr, *session_id;
406
407 if (session->internals.v2_hello != 0)
408 { /* version 2.0 */
409 return _gnutls_read_client_hello_v2 (session, data, datalen);
410 }
411 DECR_LEN (len, 2);
412
413 _gnutls_handshake_log ("HSK[%p]: Client's version: %d.%d\n", session,
414 data[pos], data[pos + 1]);
415
416 adv_version = _gnutls_version_get (data[pos], data[pos + 1]);
417 set_adv_version (session, data[pos], data[pos + 1]);
418 pos += 2;
419
420 neg_version = _gnutls_negotiate_version (session, adv_version);
421 if (neg_version < 0)
422 {
423 gnutls_assert ();
424 return neg_version;
425 }
426
427 /* Read client random value.
428 */
429 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
430 _gnutls_set_client_random (session, &data[pos]);
431 pos += GNUTLS_RANDOM_SIZE;
432
433 _gnutls_tls_create_random (rnd);
434 _gnutls_set_server_random (session, rnd);
435
436 session->security_parameters.timestamp = time (NULL);
437
438 DECR_LEN (len, 1);
439 session_id_len = data[pos++];
440
441 /* RESUME SESSION
442 */
443 if (session_id_len > TLS_MAX_SESSION_ID_SIZE)
444 {
445 gnutls_assert ();
446 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
447 }
448 DECR_LEN (len, session_id_len);
449
450 session_id = &data[pos];
451 ret = _gnutls_server_restore_session (session, session_id, session_id_len);
452 pos += session_id_len;
453
454 if (ret == 0)
455 { /* resumed using default TLS resumption! */
456 /* Parse only the safe renegotiation extension
457 * We don't want to parse any other extensions since
458 * we don't want new extension values to overwrite the
459 * resumed ones.
460 */
461
462 /* move forward to extensions */
463 DECR_LEN (len, 2);
464 suite_size = _gnutls_read_uint16 (&data[pos]);
465 pos += 2;
466
467 DECR_LEN (len, suite_size);
468 pos += suite_size;
469
470 DECR_LEN (len, 1);
471 comp_size = data[pos++]; /* z is the number of compression methods */
472 DECR_LEN (len, comp_size);
473 pos += comp_size;
474
475 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_RESUMED,
476 &data[pos], len);
477 if (ret < 0)
478 {
479 gnutls_assert ();
480 return ret;
481 }
482
483 resume_copy_required_values (session);
484 session->internals.resumed = RESUME_TRUE;
485
486 return _gnutls_user_hello_func (session, adv_version);
487 }
488 else
489 {
490 _gnutls_generate_session_id (session->security_parameters.session_id,
491 &session->security_parameters.
492 session_id_size);
493
494 session->internals.resumed = RESUME_FALSE;
495 }
496
497 /* Remember ciphersuites for later
498 */
499 DECR_LEN (len, 2);
500 suite_size = _gnutls_read_uint16 (&data[pos]);
501 pos += 2;
502
503 DECR_LEN (len, suite_size);
504 suite_ptr = &data[pos];
505 pos += suite_size;
506
507 /* Point to the compression methods
508 */
509 DECR_LEN (len, 1);
510 comp_size = data[pos++]; /* z is the number of compression methods */
511
512 DECR_LEN (len, comp_size);
513 comp_ptr = &data[pos];
514 pos += comp_size;
515
516 /* Parse the extensions (if any)
517 *
518 * Unconditionally try to parse extensions; safe renegotiation uses them in
519 * sslv3 and higher, even though sslv3 doesn't officially support them.
520 */
521 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_APPLICATION,
522 &data[pos], len);
523 /* len is the rest of the parsed length */
524 if (ret < 0)
525 {
526 gnutls_assert ();
527 return ret;
528 }
529
530 ret = _gnutls_user_hello_func (session, adv_version);
531 if (ret < 0)
532 {
533 gnutls_assert ();
534 return ret;
535 }
536
537 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_RESUMED,
538 &data[pos], len);
539 if (ret < 0)
540 {
541 gnutls_assert ();
542 return ret;
543 }
544
545 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_TLS,
546 &data[pos], len);
547 if (ret < 0)
548 {
549 gnutls_assert ();
550 return ret;
551 }
552
553 /* resumed by session_ticket extension */
554 if (session->internals.resumed == RESUME_TRUE)
555 {
556 /* to indicate the client that the current session is resumed */
557 memcpy (session->internals.resumed_security_parameters.session_id,
558 session_id, session_id_len);
559 session->internals.resumed_security_parameters.session_id_size =
560 session_id_len;
561
562 session->internals.
563 resumed_security_parameters.max_record_recv_size =
564 session->security_parameters.max_record_recv_size;
565 session->internals.
566 resumed_security_parameters.max_record_send_size =
567 session->security_parameters.max_record_send_size;
568
569 resume_copy_required_values (session);
570
571 return _gnutls_user_hello_func (session, adv_version);
572 }
573
574 /* select an appropriate cipher suite
575 */
576 ret = _gnutls_server_select_suite (session, suite_ptr, suite_size);
577 if (ret < 0)
578 {
579 gnutls_assert ();
580 return ret;
581 }
582
583 /* select appropriate compression method */
584 ret = _gnutls_server_select_comp_method (session, comp_ptr, comp_size);
585 if (ret < 0)
586 {
587 gnutls_assert ();
588 return ret;
589 }
590
591 return 0;
592 }
593
594 /* here we hash all pending data.
595 */
596 inline static int
597 _gnutls_handshake_hash_pending (gnutls_session_t session)
598 {
599 size_t siz;
600 int ret;
601 opaque *data;
602
603 if (session->internals.handshake_mac_handle_init == 0)
604 {
605 gnutls_assert ();
606 return GNUTLS_E_INTERNAL_ERROR;
607 }
608
609 /* We check if there are pending data to hash.
610 */
611 if ((ret = _gnutls_handshake_buffer_get_ptr (session, &data, &siz)) < 0)
612 {
613 gnutls_assert ();
614 return ret;
615 }
616
617 if (siz > 0)
618 {
619 if (session->security_parameters.handshake_mac_handle_type ==
620 HANDSHAKE_MAC_TYPE_10)
621 {
622 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.sha,
623 data, siz);
624 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.md5,
625 data, siz);
626 }
627 else if (session->security_parameters.handshake_mac_handle_type ==
628 HANDSHAKE_MAC_TYPE_12)
629 {
630 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256,
631 data, siz);
632 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1,
633 data, siz);
634 }
635 }
636
637 _gnutls_handshake_buffer_empty (session);
638
639 return 0;
640 }
641
642
643 /* This is to be called after sending CHANGE CIPHER SPEC packet
644 * and initializing encryption. This is the first encrypted message
645 * we send.
646 */
647 static int
648 _gnutls_send_finished (gnutls_session_t session, int again)
649 {
650 uint8_t data[MAX_VERIFY_DATA_SIZE];
651 int ret;
652 int data_size = 0;
653
654
655 if (again == 0)
656 {
657
658 /* This is needed in order to hash all the required
659 * messages.
660 */
661 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
662 {
663 gnutls_assert ();
664 return ret;
665 }
666
667 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
668 {
669 ret =
670 _gnutls_ssl3_finished (session,
671 session->security_parameters.entity, data);
672 data_size = 36;
673 }
674 else
675 { /* TLS 1.0+ */
676 ret = _gnutls_finished (session,
677 session->security_parameters.entity, data);
678 data_size = 12;
679 }
680
681 if (ret < 0)
682 {
683 gnutls_assert ();
684 return ret;
685 }
686
687 if (session->internals.finished_func)
688 session->internals.finished_func (session, data, data_size);
689 }
690
691 /* Save data for safe renegotiation.
692 */
693 if (data_size > MAX_VERIFY_DATA_SIZE)
694 {
695 gnutls_assert ();
696 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
697 }
698
699 if (session->security_parameters.entity == GNUTLS_CLIENT)
700 {
701 session->security_parameters.extensions.client_verify_data_len =
702 data_size;
703
704 memcpy (session->security_parameters.extensions.client_verify_data,
705 data, data_size);
706 }
707 else
708 {
709 session->security_parameters.extensions.server_verify_data_len =
710 data_size;
711
712 memcpy (session->security_parameters.extensions.server_verify_data,
713 data, data_size);
714 }
715
716 ret =
717 _gnutls_send_handshake (session, data_size ? data : NULL, data_size,
718 GNUTLS_HANDSHAKE_FINISHED);
719
720 return ret;
721 }
722
723 /* This is to be called after sending our finished message. If everything
724 * went fine we have negotiated a secure connection
725 */
726 static int
727 _gnutls_recv_finished (gnutls_session_t session)
728 {
729 uint8_t data[MAX_VERIFY_DATA_SIZE], *vrfy;
730 int data_size;
731 int ret;
732 int vrfysize;
733 tls_ext_st *ext;
734
735 ret =
736 _gnutls_recv_handshake (session, &vrfy, &vrfysize,
737 GNUTLS_HANDSHAKE_FINISHED, MANDATORY_PACKET);
738 if (ret < 0)
739 {
740 ERR ("recv finished int", ret);
741 gnutls_assert ();
742 return ret;
743 }
744
745
746 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
747 {
748 data_size = 36;
749 }
750 else
751 {
752 data_size = 12;
753 }
754
755 if (vrfysize != data_size)
756 {
757 gnutls_assert ();
758 gnutls_free (vrfy);
759 return GNUTLS_E_ERROR_IN_FINISHED_PACKET;
760 }
761
762 if (gnutls_protocol_get_version (session) == GNUTLS_SSL3)
763 {
764 ret =
765 _gnutls_ssl3_finished (session,
766 (session->security_parameters.entity + 1) % 2,
767 data);
768 }
769 else
770 { /* TLS 1.0 */
771 ret =
772 _gnutls_finished (session,
773 (session->security_parameters.entity +
774 1) % 2, data);
775 }
776
777 if (ret < 0)
778 {
779 gnutls_assert ();
780 gnutls_free (vrfy);
781 return ret;
782 }
783
784 if (memcmp (vrfy, data, data_size) != 0)
785 {
786 gnutls_assert ();
787 ret = GNUTLS_E_ERROR_IN_FINISHED_PACKET;
788 }
789 gnutls_free (vrfy);
790
791 /* Save peer's verify data for safe renegotiation */
792 if (data_size > MAX_VERIFY_DATA_SIZE)
793 {
794 gnutls_assert ();
795 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
796 }
797
798 ext = &session->security_parameters.extensions;
799
800 if (session->security_parameters.entity == GNUTLS_CLIENT)
801 {
802 memcpy (ext->server_verify_data, data, data_size);
803 ext->server_verify_data_len = data_size;
804 }
805 else
806 {
807 memcpy (ext->client_verify_data, data, data_size);
808 ext->client_verify_data_len = data_size;
809 }
810
811 session->internals.initial_negotiation_completed = 1;
812
813 return ret;
814 }
815
816 /* returns PK_RSA if the given cipher suite list only supports,
817 * RSA algorithms, PK_DSA if DSS, and PK_ANY for both or PK_NONE for none.
818 */
819 static int
820 _gnutls_server_find_pk_algos_in_ciphersuites (const opaque *
821 data, unsigned int datalen)
822 {
823 unsigned int j;
824 gnutls_pk_algorithm_t algo = GNUTLS_PK_NONE, prev_algo = 0;
825 gnutls_kx_algorithm_t kx;
826 cipher_suite_st cs;
827
828 if (datalen % 2 != 0)
829 {
830 gnutls_assert ();
831 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
832 }
833
834 for (j = 0; j < datalen; j += 2)
835 {
836 memcpy (&cs.suite, &data[j], 2);
837 kx = _gnutls_cipher_suite_get_kx_algo (&cs);
838
839 if (_gnutls_map_kx_get_cred (kx, 1) == GNUTLS_CRD_CERTIFICATE)
840 {
841 algo = _gnutls_map_pk_get_pk (kx);
842
843 if (algo != prev_algo && prev_algo != 0)
844 return GNUTLS_PK_ANY;
845 prev_algo = algo;
846 }
847 }
848
849 return algo;
850 }
851
852 /* This selects the best supported ciphersuite from the given ones. Then
853 * it adds the suite to the session and performs some checks.
854 */
855 int
856 _gnutls_server_select_suite (gnutls_session_t session, opaque * data,
857 int datalen)
858 {
859 int x, i, j;
860 cipher_suite_st *ciphers, cs;
861 int retval, err;
862 gnutls_pk_algorithm_t pk_algo; /* will hold the pk algorithms
863 * supported by the peer.
864 */
865
866 /* First, check for safe renegotiation SCSV.
867 */
868 {
869 int offset;
870
871 for(offset = 0; offset < datalen; offset += 2)
872 {
873 /* TLS_RENEGO_PROTECTION_REQUEST = { 0x00, 0xff } */
874 if (data[offset] == GNUTLS_RENEGO_PROTECTION_REQUEST_MAJOR &&
875 data[offset+1] == GNUTLS_RENEGO_PROTECTION_REQUEST_MINOR)
876 {
877 _gnutls_handshake_log ("HSK[%p]: Received safe renegotiation CS\n", session);
878 session->internals.safe_renegotiation_received = 1;
879 session->internals.connection_using_safe_renegotiation = 1;
880 break;
881 }
882 }
883 }
884
885 pk_algo = _gnutls_server_find_pk_algos_in_ciphersuites (data, datalen);
886
887 x = _gnutls_supported_ciphersuites (session, &ciphers);
888 if (x < 0)
889 { /* the case x==0 is handled within the function. */
890 gnutls_assert ();
891 return x;
892 }
893
894 /* Here we remove any ciphersuite that does not conform
895 * the certificate requested, or to the
896 * authentication requested (e.g. SRP).
897 */
898 x = _gnutls_remove_unwanted_ciphersuites (session, &ciphers, x, pk_algo);
899 if (x <= 0)
900 {
901 gnutls_assert ();
902 gnutls_free (ciphers);
903 if (x < 0)
904 return x;
905 else
906 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
907 }
908
909 /* Data length should be zero mod 2 since
910 * every ciphersuite is 2 bytes. (this check is needed
911 * see below).
912 */
913 if (datalen % 2 != 0)
914 {
915 gnutls_assert ();
916 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
917 }
918 #ifdef HANDSHAKE_DEBUG
919
920 _gnutls_handshake_log ("HSK[%p]: Requested cipher suites: \n", session);
921 for (j = 0; j < datalen; j += 2)
922 {
923 memcpy (&cs.suite, &data[j], 2);
924 _gnutls_handshake_log ("\t%s\n", _gnutls_cipher_suite_get_name (&cs));
925 }
926 _gnutls_handshake_log ("HSK[%p]: Supported cipher suites: \n", session);
927 for (j = 0; j < x; j++)
928 _gnutls_handshake_log ("\t%s\n",
929 _gnutls_cipher_suite_get_name (&ciphers[j]));
930 #endif
931 memset (session->security_parameters.current_cipher_suite.suite, '\0', 2);
932
933 retval = GNUTLS_E_UNKNOWN_CIPHER_SUITE;
934
935 for (j = 0; j < datalen; j += 2)
936 {
937 for (i = 0; i < x; i++)
938 {
939 if (memcmp (ciphers[i].suite, &data[j], 2) == 0)
940 {
941 memcpy (&cs.suite, &data[j], 2);
942
943 _gnutls_handshake_log
944 ("HSK[%p]: Selected cipher suite: %s\n", session,
945 _gnutls_cipher_suite_get_name (&cs));
946 memcpy (session->security_parameters.current_cipher_suite.suite,
947 ciphers[i].suite, 2);
948 retval = 0;
949 goto finish;
950 }
951 }
952 }
953
954 finish:
955 gnutls_free (ciphers);
956
957 if (retval != 0)
958 {
959 gnutls_assert ();
960 return retval;
961 }
962
963 /* check if the credentials (username, public key etc.) are ok
964 */
965 if (_gnutls_get_kx_cred
966 (session,
967 _gnutls_cipher_suite_get_kx_algo (&session->security_parameters.
968 current_cipher_suite), &err) == NULL
969 && err != 0)
970 {
971 gnutls_assert ();
972 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
973 }
974
975
976 /* set the mod_auth_st to the appropriate struct
977 * according to the KX algorithm. This is needed since all the
978 * handshake functions are read from there;
979 */
980 session->internals.auth_struct =
981 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
982 (&session->security_parameters.
983 current_cipher_suite));
984 if (session->internals.auth_struct == NULL)
985 {
986
987 _gnutls_handshake_log
988 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
989 session);
990 gnutls_assert ();
991 return GNUTLS_E_INTERNAL_ERROR;
992 }
993
994 return 0;
995
996 }
997
998
999 /* This selects the best supported compression method from the ones provided
1000 */
1001 static int
1002 _gnutls_server_select_comp_method (gnutls_session_t session,
1003 opaque * data, int datalen)
1004 {
1005 int x, i, j;
1006 uint8_t *comps;
1007
1008 x = _gnutls_supported_compression_methods (session, &comps);
1009 if (x < 0)
1010 {
1011 gnutls_assert ();
1012 return x;
1013 }
1014
1015 memset (&session->internals.compression_method, 0,
1016 sizeof (gnutls_compression_method_t));
1017
1018 for (j = 0; j < datalen; j++)
1019 {
1020 for (i = 0; i < x; i++)
1021 {
1022 if (comps[i] == data[j])
1023 {
1024 gnutls_compression_method_t method =
1025 _gnutls_compression_get_id (comps[i]);
1026
1027 session->internals.compression_method = method;
1028 gnutls_free (comps);
1029
1030 _gnutls_handshake_log
1031 ("HSK[%p]: Selected Compression Method: %s\n", session,
1032 gnutls_compression_get_name (session->internals.
1033 compression_method));
1034
1035
1036 return 0;
1037 }
1038 }
1039 }
1040
1041 /* we were not able to find a compatible compression
1042 * algorithm
1043 */
1044 gnutls_free (comps);
1045 gnutls_assert ();
1046 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1047
1048 }
1049
1050 /* This function sends an empty handshake packet. (like hello request).
1051 * If the previous _gnutls_send_empty_handshake() returned
1052 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1053 * (until it returns ok), with NULL parameters.
1054 */
1055 static int
1056 _gnutls_send_empty_handshake (gnutls_session_t session,
1057 gnutls_handshake_description_t type, int again)
1058 {
1059 opaque data = 0;
1060 opaque *ptr;
1061
1062 if (again == 0)
1063 ptr = &data;
1064 else
1065 ptr = NULL;
1066
1067 return _gnutls_send_handshake (session, ptr, 0, type);
1068 }
1069
1070
1071 /* This function will hash the handshake message we sent.
1072 */
1073 static int
1074 _gnutls_handshake_hash_add_sent (gnutls_session_t session,
1075 gnutls_handshake_description_t type,
1076 opaque * dataptr, uint32_t datalen)
1077 {
1078 int ret;
1079
1080 if (session->security_parameters.entity == GNUTLS_CLIENT
1081 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO)
1082 {
1083 /* do not hash immediatelly since the hash has not yet been initialized */
1084 if ((ret =
1085 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1086 {
1087 gnutls_assert ();
1088 return ret;
1089 }
1090 return 0;
1091 }
1092
1093 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1094 {
1095 gnutls_assert ();
1096 return ret;
1097 }
1098
1099 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1100 {
1101 if (session->security_parameters.handshake_mac_handle_type ==
1102 HANDSHAKE_MAC_TYPE_10)
1103 {
1104 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.sha,
1105 dataptr, datalen);
1106 _gnutls_hash (&session->internals.handshake_mac_handle.tls10.md5,
1107 dataptr, datalen);
1108 }
1109 else if (session->security_parameters.handshake_mac_handle_type ==
1110 HANDSHAKE_MAC_TYPE_12)
1111 {
1112 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha256,
1113 dataptr, datalen);
1114 _gnutls_hash (&session->internals.handshake_mac_handle.tls12.sha1,
1115 dataptr, datalen);
1116 }
1117 }
1118
1119 return 0;
1120 }
1121
1122
1123 /* This function sends a handshake message of type 'type' containing the
1124 * data specified here. If the previous _gnutls_send_handshake() returned
1125 * GNUTLS_E_AGAIN or GNUTLS_E_INTERRUPTED, then it must be called again
1126 * (until it returns ok), with NULL parameters.
1127 */
1128 int
1129 _gnutls_send_handshake (gnutls_session_t session, void *i_data,
1130 uint32_t i_datasize,
1131 gnutls_handshake_description_t type)
1132 {
1133 int ret;
1134 uint8_t *data;
1135 uint32_t datasize;
1136 int pos = 0;
1137
1138 if (i_data == NULL && i_datasize == 0)
1139 {
1140 /* we are resuming a previously interrupted
1141 * send.
1142 */
1143 ret = _gnutls_handshake_io_write_flush (session);
1144 return ret;
1145
1146 }
1147
1148 if (i_data == NULL && i_datasize > 0)
1149 {
1150 gnutls_assert ();
1151 return GNUTLS_E_INVALID_REQUEST;
1152 }
1153
1154 /* first run */
1155 datasize = i_datasize + HANDSHAKE_HEADER_SIZE;
1156 data = gnutls_malloc (datasize);
1157 if (data == NULL)
1158 {
1159 gnutls_assert ();
1160 return GNUTLS_E_MEMORY_ERROR;
1161 }
1162
1163 data[pos++] = (uint8_t) type;
1164 _gnutls_write_uint24 (i_datasize, &data[pos]);
1165 pos += 3;
1166
1167 if (i_datasize > 0)
1168 memcpy (&data[pos], i_data, i_datasize);
1169
1170 _gnutls_handshake_log ("HSK[%p]: %s was sent [%ld bytes]\n",
1171 session, _gnutls_handshake2str (type),
1172 (long) datasize);
1173
1174
1175 /* Here we keep the handshake messages in order to hash them...
1176 */
1177 if (type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1178 if ((ret =
1179 _gnutls_handshake_hash_add_sent (session, type, data, datasize)) < 0)
1180 {
1181 gnutls_assert ();
1182 gnutls_free (data);
1183 return ret;
1184 }
1185
1186 session->internals.last_handshake_out = type;
1187
1188 ret =
1189 _gnutls_handshake_io_send_int (session, GNUTLS_HANDSHAKE, type,
1190 data, datasize);
1191
1192 gnutls_free (data);
1193
1194 return ret;
1195 }
1196
1197 /* This function will read the handshake header and return it to the caller. If the
1198 * received handshake packet is not the one expected then it buffers the header, and
1199 * returns UNEXPECTED_HANDSHAKE_PACKET.
1200 *
1201 * FIXME: This function is complex.
1202 */
1203 #define SSL2_HEADERS 1
1204 static int
1205 _gnutls_recv_handshake_header (gnutls_session_t session,
1206 gnutls_handshake_description_t type,
1207 gnutls_handshake_description_t * recv_type)
1208 {
1209 int ret;
1210 uint32_t length32 = 0;
1211 uint8_t *dataptr = NULL; /* for realloc */
1212 size_t handshake_header_size = HANDSHAKE_HEADER_SIZE;
1213
1214 /* if we have data into the buffer then return them, do not read the next packet.
1215 * In order to return we need a full TLS handshake header, or in case of a version 2
1216 * packet, then we return the first byte.
1217 */
1218 if (session->internals.handshake_header_buffer.header_size ==
1219 handshake_header_size || (session->internals.v2_hello != 0
1220 && type == GNUTLS_HANDSHAKE_CLIENT_HELLO
1221 && session->internals.
1222 handshake_header_buffer.packet_length > 0))
1223 {
1224
1225 *recv_type = session->internals.handshake_header_buffer.recv_type;
1226
1227 if (*recv_type != type)
1228 {
1229 gnutls_assert ();
1230 _gnutls_handshake_log
1231 ("HSK[%p]: Handshake type mismatch (under attack?)\n", session);
1232 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1233 }
1234
1235 return session->internals.handshake_header_buffer.packet_length;
1236 }
1237
1238 /* Note: SSL2_HEADERS == 1 */
1239
1240 dataptr = session->internals.handshake_header_buffer.header;
1241
1242 /* If we haven't already read the handshake headers.
1243 */
1244 if (session->internals.handshake_header_buffer.header_size < SSL2_HEADERS)
1245 {
1246 ret =
1247 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1248 type, dataptr, SSL2_HEADERS);
1249
1250 if (ret < 0)
1251 {
1252 return ret;
1253 }
1254
1255 /* The case ret==0 is caught here.
1256 */
1257 if (ret != SSL2_HEADERS)
1258 {
1259 gnutls_assert ();
1260 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1261 }
1262 session->internals.handshake_header_buffer.header_size = SSL2_HEADERS;
1263 }
1264
1265 if (session->internals.v2_hello == 0
1266 || type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1267 {
1268 ret =
1269 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1270 type,
1271 &dataptr
1272 [session->internals.
1273 handshake_header_buffer.header_size],
1274 HANDSHAKE_HEADER_SIZE -
1275 session->internals.
1276 handshake_header_buffer.header_size);
1277 if (ret <= 0)
1278 {
1279 gnutls_assert ();
1280 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1281 }
1282 if ((size_t) ret !=
1283 HANDSHAKE_HEADER_SIZE -
1284 session->internals.handshake_header_buffer.header_size)
1285 {
1286 gnutls_assert ();
1287 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1288 }
1289 *recv_type = dataptr[0];
1290
1291 /* we do not use DECR_LEN because we know
1292 * that the packet has enough data.
1293 */
1294 length32 = _gnutls_read_uint24 (&dataptr[1]);
1295 handshake_header_size = HANDSHAKE_HEADER_SIZE;
1296
1297 _gnutls_handshake_log ("HSK[%p]: %s was received [%ld bytes]\n",
1298 session, _gnutls_handshake2str (dataptr[0]),
1299 (long int) (length32 + HANDSHAKE_HEADER_SIZE));
1300
1301 }
1302 else
1303 { /* v2 hello */
1304 length32 = session->internals.v2_hello - SSL2_HEADERS; /* we've read the first byte */
1305
1306 handshake_header_size = SSL2_HEADERS; /* we've already read one byte */
1307
1308 *recv_type = dataptr[0];
1309
1310 _gnutls_handshake_log ("HSK[%p]: %s(v2) was received [%ld bytes]\n",
1311 session, _gnutls_handshake2str (*recv_type),
1312 (long int) (length32 + handshake_header_size));
1313
1314 if (*recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO)
1315 { /* it should be one or nothing */
1316 gnutls_assert ();
1317 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1318 }
1319 }
1320
1321 /* put the packet into the buffer */
1322 session->internals.handshake_header_buffer.header_size =
1323 handshake_header_size;
1324 session->internals.handshake_header_buffer.packet_length = length32;
1325 session->internals.handshake_header_buffer.recv_type = *recv_type;
1326
1327 if (*recv_type != type)
1328 {
1329 gnutls_assert ();
1330 return GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1331 }
1332
1333 return length32;
1334 }
1335
1336 #define _gnutls_handshake_header_buffer_clear( session) session->internals.handshake_header_buffer.header_size = 0
1337
1338
1339
1340 /* This function will hash the handshake headers and the
1341 * handshake data.
1342 */
1343 static int
1344 _gnutls_handshake_hash_add_recvd (gnutls_session_t session,
1345 gnutls_handshake_description_t recv_type,
1346 opaque * header, uint16_t header_size,
1347 opaque * dataptr, uint32_t datalen)
1348 {
1349 int ret;
1350
1351 /* The idea here is to hash the previous message we received,
1352 * and add the one we just received into the handshake_hash_buffer.
1353 */
1354 if ((session->security_parameters.entity == GNUTLS_SERVER
1355 || recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO)
1356 && (session->security_parameters.entity == GNUTLS_CLIENT
1357 || recv_type != GNUTLS_HANDSHAKE_CLIENT_HELLO))
1358 {
1359 if ((ret = _gnutls_handshake_hash_pending (session)) < 0)
1360 {
1361 gnutls_assert ();
1362 return ret;
1363 }
1364 }
1365
1366 /* here we buffer the handshake messages - needed at Finished message */
1367 if (recv_type != GNUTLS_HANDSHAKE_HELLO_REQUEST)
1368 {
1369
1370 if ((ret =
1371 _gnutls_handshake_buffer_put (session, header, header_size)) < 0)
1372 {
1373 gnutls_assert ();
1374 return ret;
1375 }
1376
1377 if (datalen > 0)
1378 {
1379 if ((ret =
1380 _gnutls_handshake_buffer_put (session, dataptr, datalen)) < 0)
1381 {
1382 gnutls_assert ();
1383 return ret;
1384 }
1385 }
1386 }
1387
1388 return 0;
1389 }
1390
1391
1392 /* This function will receive handshake messages of the given types,
1393 * and will pass the message to the right place in order to be processed.
1394 * E.g. for the SERVER_HELLO message (if it is expected), it will be
1395 * passed to _gnutls_recv_hello().
1396 */
1397 int
1398 _gnutls_recv_handshake (gnutls_session_t session, uint8_t ** data,
1399 int *datalen, gnutls_handshake_description_t type,
1400 Optional optional)
1401 {
1402 int ret;
1403 uint32_t length32 = 0;
1404 opaque *dataptr = NULL;
1405 gnutls_handshake_description_t recv_type;
1406
1407 ret = _gnutls_recv_handshake_header (session, type, &recv_type);
1408 if (ret < 0)
1409 {
1410
1411 if (ret == GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET
1412 && optional == OPTIONAL_PACKET)
1413 {
1414 if (datalen != NULL)
1415 *datalen = 0;
1416 if (data != NULL)
1417 *data = NULL;
1418 return 0; /* ok just ignore the packet */
1419 }
1420
1421 return ret;
1422 }
1423
1424 session->internals.last_handshake_in = recv_type;
1425
1426 length32 = ret;
1427
1428 if (length32 > 0)
1429 dataptr = gnutls_malloc (length32);
1430 else if (recv_type != GNUTLS_HANDSHAKE_SERVER_HELLO_DONE)
1431 {
1432 gnutls_assert ();
1433 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1434 }
1435
1436 if (dataptr == NULL && length32 > 0)
1437 {
1438 gnutls_assert ();
1439 return GNUTLS_E_MEMORY_ERROR;
1440 }
1441
1442 if (datalen != NULL)
1443 *datalen = length32;
1444
1445 if (length32 > 0)
1446 {
1447 ret =
1448 _gnutls_handshake_io_recv_int (session, GNUTLS_HANDSHAKE,
1449 type, dataptr, length32);
1450 if (ret <= 0)
1451 {
1452 gnutls_assert ();
1453 gnutls_free (dataptr);
1454 return (ret == 0) ? GNUTLS_E_UNEXPECTED_PACKET_LENGTH : ret;
1455 }
1456 }
1457
1458 if (data != NULL && length32 > 0)
1459 *data = dataptr;
1460
1461
1462 ret = _gnutls_handshake_hash_add_recvd (session, recv_type,
1463 session->internals.
1464 handshake_header_buffer.header,
1465 session->internals.
1466 handshake_header_buffer.header_size,
1467 dataptr, length32);
1468 if (ret < 0)
1469 {
1470 gnutls_assert ();
1471 _gnutls_handshake_header_buffer_clear (session);
1472 return ret;
1473 }
1474
1475 /* If we fail before this then we will reuse the handshake header
1476 * have have received above. if we get here the we clear the handshake
1477 * header we received.
1478 */
1479 _gnutls_handshake_header_buffer_clear (session);
1480
1481 switch (recv_type)
1482 {
1483 case GNUTLS_HANDSHAKE_CLIENT_HELLO:
1484 case GNUTLS_HANDSHAKE_SERVER_HELLO:
1485 ret = _gnutls_recv_hello (session, dataptr, length32);
1486
1487 /* dataptr is freed because the caller does not
1488 * need it */
1489 gnutls_free (dataptr);
1490 if (data != NULL)
1491 *data = NULL;
1492
1493 if (ret < 0)
1494 break;
1495
1496 /* initialize the hashes for both - (client will know server's version
1497 * and server as well at this point) */
1498 if ((ret = _gnutls_handshake_hash_init (session)) < 0)
1499 {
1500 gnutls_assert ();
1501 return ret;
1502 }
1503
1504 break;
1505 case GNUTLS_HANDSHAKE_SERVER_HELLO_DONE:
1506 if (length32 == 0)
1507 ret = 0;
1508 else
1509 ret = GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1510 break;
1511 case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
1512 case GNUTLS_HANDSHAKE_FINISHED:
1513 case GNUTLS_HANDSHAKE_SERVER_KEY_EXCHANGE:
1514 case GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE:
1515 case GNUTLS_HANDSHAKE_CERTIFICATE_REQUEST:
1516 case GNUTLS_HANDSHAKE_CERTIFICATE_VERIFY:
1517 case GNUTLS_HANDSHAKE_SUPPLEMENTAL:
1518 case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
1519 ret = length32;
1520 break;
1521 default:
1522 gnutls_assert ();
1523 gnutls_free (dataptr);
1524 if (data != NULL)
1525 *data = NULL;
1526 ret = GNUTLS_E_UNEXPECTED_HANDSHAKE_PACKET;
1527 }
1528
1529 return ret;
1530 }
1531
1532 /* This function checks if the given cipher suite is supported, and sets it
1533 * to the session;
1534 */
1535 static int
1536 _gnutls_client_set_ciphersuite (gnutls_session_t session, opaque suite[2])
1537 {
1538 uint8_t z;
1539 cipher_suite_st *cipher_suites;
1540 int cipher_suite_num;
1541 int i, err;
1542
1543 z = 1;
1544 cipher_suite_num = _gnutls_supported_ciphersuites (session, &cipher_suites);
1545 if (cipher_suite_num < 0)
1546 {
1547 gnutls_assert ();
1548 return cipher_suite_num;
1549 }
1550
1551 for (i = 0; i < cipher_suite_num; i++)
1552 {
1553 if (memcmp (&cipher_suites[i], suite, 2) == 0)
1554 {
1555 z = 0;
1556 break;
1557 }
1558 }
1559
1560 gnutls_free (cipher_suites);
1561
1562 if (z != 0)
1563 {
1564 gnutls_assert ();
1565 return GNUTLS_E_UNKNOWN_CIPHER_SUITE;
1566 }
1567
1568 memcpy (session->security_parameters.current_cipher_suite.suite, suite, 2);
1569
1570 _gnutls_handshake_log ("HSK[%p]: Selected cipher suite: %s\n", session,
1571 _gnutls_cipher_suite_get_name
1572 (&session->security_parameters.
1573 current_cipher_suite));
1574
1575
1576 /* check if the credentials (username, public key etc.) are ok.
1577 * Actually checks if they exist.
1578 */
1579 if (_gnutls_get_kx_cred
1580 (session,
1581 _gnutls_cipher_suite_get_kx_algo
1582 (&session->security_parameters.current_cipher_suite), &err) == NULL
1583 && err != 0)
1584 {
1585 gnutls_assert ();
1586 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1587 }
1588
1589
1590 /* set the mod_auth_st to the appropriate struct
1591 * according to the KX algorithm. This is needed since all the
1592 * handshake functions are read from there;
1593 */
1594 session->internals.auth_struct =
1595 _gnutls_kx_auth_struct (_gnutls_cipher_suite_get_kx_algo
1596 (&session->security_parameters.
1597 current_cipher_suite));
1598
1599 if (session->internals.auth_struct == NULL)
1600 {
1601
1602 _gnutls_handshake_log
1603 ("HSK[%p]: Cannot find the appropriate handler for the KX algorithm\n",
1604 session);
1605 gnutls_assert ();
1606 return GNUTLS_E_INTERNAL_ERROR;
1607 }
1608
1609
1610 return 0;
1611 }
1612
1613 /* This function sets the given comp method to the session.
1614 */
1615 static int
1616 _gnutls_client_set_comp_method (gnutls_session_t session, opaque comp_method)
1617 {
1618 int comp_methods_num;
1619 uint8_t *compression_methods;
1620 int i;
1621
1622 comp_methods_num = _gnutls_supported_compression_methods (session,
1623 &compression_methods);
1624 if (comp_methods_num < 0)
1625 {
1626 gnutls_assert ();
1627 return comp_methods_num;
1628 }
1629
1630 for (i = 0; i < comp_methods_num; i++)
1631 {
1632 if (compression_methods[i] == comp_method)
1633 {
1634 comp_methods_num = 0;
1635 break;
1636 }
1637 }
1638
1639 gnutls_free (compression_methods);
1640
1641 if (comp_methods_num != 0)
1642 {
1643 gnutls_assert ();
1644 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1645 }
1646
1647 session->internals.compression_method =
1648 _gnutls_compression_get_id (comp_method);
1649
1650
1651 return 0;
1652 }
1653
1654 /* This function returns 0 if we are resuming a session or -1 otherwise.
1655 * This also sets the variables in the session. Used only while reading a server
1656 * hello.
1657 */
1658 static int
1659 _gnutls_client_check_if_resuming (gnutls_session_t session,
1660 opaque * session_id, int session_id_len)
1661 {
1662 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
1663
1664 _gnutls_handshake_log ("HSK[%p]: SessionID length: %d\n", session,
1665 session_id_len);
1666 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
1667 _gnutls_bin2hex (session_id, session_id_len, buf,
1668 sizeof (buf)));
1669
1670 if (session_id_len > 0 &&
1671 session->internals.resumed_security_parameters.session_id_size ==
1672 session_id_len
1673 && memcmp (session_id,
1674 session->internals.resumed_security_parameters.session_id,
1675 session_id_len) == 0)
1676 {
1677 /* resume session */
1678 memcpy (session->internals.resumed_security_parameters.server_random,
1679 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
1680 memcpy (session->internals.resumed_security_parameters.client_random,
1681 session->security_parameters.client_random, GNUTLS_RANDOM_SIZE);
1682 session->internals.resumed = RESUME_TRUE; /* we are resuming */
1683
1684 return 0;
1685 }
1686 else
1687 {
1688 /* keep the new session id */
1689 session->internals.resumed = RESUME_FALSE; /* we are not resuming */
1690 session->security_parameters.session_id_size = session_id_len;
1691 memcpy (session->security_parameters.session_id,
1692 session_id, session_id_len);
1693
1694 return -1;
1695 }
1696 }
1697
1698
1699 /* This function reads and parses the server hello handshake message.
1700 * This function also restores resumed parameters if we are resuming a
1701 * session.
1702 */
1703 static int
1704 _gnutls_read_server_hello (gnutls_session_t session,
1705 opaque * data, int datalen)
1706 {
1707 uint8_t session_id_len = 0;
1708 int pos = 0;
1709 int ret = 0;
1710 gnutls_protocol_t version;
1711 int len = datalen;
1712
1713 if (datalen < 38)
1714 {
1715 gnutls_assert ();
1716 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
1717 }
1718
1719 _gnutls_handshake_log ("HSK[%p]: Server's version: %d.%d\n",
1720 session, data[pos], data[pos + 1]);
1721
1722 DECR_LEN (len, 2);
1723 version = _gnutls_version_get (data[pos], data[pos + 1]);
1724 if (_gnutls_version_is_supported (session, version) == 0)
1725 {
1726 gnutls_assert ();
1727 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1728 }
1729 else
1730 {
1731 _gnutls_set_current_version (session, version);
1732 }
1733
1734 pos += 2;
1735
1736 DECR_LEN (len, GNUTLS_RANDOM_SIZE);
1737 _gnutls_set_server_random (session, &data[pos]);
1738 pos += GNUTLS_RANDOM_SIZE;
1739
1740
1741 /* Read session ID
1742 */
1743 DECR_LEN (len, 1);
1744 session_id_len = data[pos++];
1745
1746 if (len < session_id_len)
1747 {
1748 gnutls_assert ();
1749 return GNUTLS_E_UNSUPPORTED_VERSION_PACKET;
1750 }
1751 DECR_LEN (len, session_id_len);
1752
1753 /* check if we are resuming and set the appropriate
1754 * values;
1755 */
1756 if (_gnutls_client_check_if_resuming
1757 (session, &data[pos], session_id_len) == 0)
1758 {
1759 pos += session_id_len + 2 + 1;
1760 DECR_LEN (len, 2+1);
1761
1762 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_RESUMED,
1763 &data[pos], len);
1764 if (ret < 0)
1765 {
1766 gnutls_assert ();
1767 return ret;
1768 }
1769 return 0;
1770 }
1771
1772 pos += session_id_len;
1773
1774 /* Check if the given cipher suite is supported and copy
1775 * it to the session.
1776 */
1777
1778 DECR_LEN (len, 2);
1779 ret = _gnutls_client_set_ciphersuite (session, &data[pos]);
1780 if (ret < 0)
1781 {
1782 gnutls_assert ();
1783 return ret;
1784 }
1785 pos += 2;
1786
1787 /* move to compression
1788 */
1789 DECR_LEN (len, 1);
1790
1791 ret = _gnutls_client_set_comp_method (session, data[pos++]);
1792 if (ret < 0)
1793 {
1794 gnutls_assert ();
1795 return GNUTLS_E_UNKNOWN_COMPRESSION_ALGORITHM;
1796 }
1797
1798 /* Parse extensions.
1799 */
1800 ret = _gnutls_parse_extensions (session, GNUTLS_EXT_ANY,
1801 &data[pos], len);
1802 if (ret < 0)
1803 {
1804 gnutls_assert ();
1805 return ret;
1806 }
1807
1808 return ret;
1809 }
1810
1811
1812 /* This function copies the appropriate ciphersuites to a locally allocated buffer
1813 * Needed in client hello messages. Returns the new data length. If add_scsv is
1814 * true, add the special safe renegotiation CS.
1815 */
1816 static int
1817 _gnutls_copy_ciphersuites (gnutls_session_t session,
1818 opaque * ret_data, size_t ret_data_size,
1819 int add_scsv)
1820 {
1821 int ret, i;
1822 cipher_suite_st *cipher_suites;
1823 uint16_t cipher_num;
1824 int datalen, pos;
1825 uint16_t loop_max;
1826
1827 ret = _gnutls_supported_ciphersuites_sorted (session, &cipher_suites);
1828 if (ret < 0)
1829 {
1830 gnutls_assert ();
1831 return ret;
1832 }
1833
1834 /* Here we remove any ciphersuite that does not conform
1835 * the certificate requested, or to the
1836 * authentication requested (eg SRP).
1837 */
1838 ret =
1839 _gnutls_remove_unwanted_ciphersuites (session, &cipher_suites, ret, -1);
1840 if (ret < 0)
1841 {
1842 gnutls_assert ();
1843 gnutls_free (cipher_suites);
1844 return ret;
1845 }
1846
1847 /* If no cipher suites were enabled.
1848 */
1849 if (ret == 0)
1850 {
1851 gnutls_assert ();
1852 gnutls_free (cipher_suites);
1853 return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
1854 }
1855
1856 if (add_scsv)
1857 ++ret;
1858
1859 cipher_num = ret;
1860
1861 cipher_num *= sizeof (uint16_t); /* in order to get bytes */
1862
1863 datalen = pos = 0;
1864
1865 datalen += sizeof (uint16_t) + cipher_num;
1866
1867 if ((size_t) datalen > ret_data_size)
1868 {
1869 gnutls_assert ();
1870 return GNUTLS_E_INTERNAL_ERROR;
1871 }
1872
1873 _gnutls_write_uint16 (cipher_num, ret_data);
1874 pos += 2;
1875
1876 loop_max = add_scsv ? cipher_num - 2 : cipher_num;
1877
1878 for (i = 0; i < (loop_max / 2); i++)
1879 {
1880 memcpy (&ret_data[pos], cipher_suites[i].suite, 2);
1881 pos += 2;
1882 }
1883
1884 if (add_scsv)
1885 {
1886 /* Safe renegotiation signalling CS value is { 0x00, 0xff } */
1887 ret_data[pos++] = 0x00;
1888 ret_data[pos++] = 0xff;
1889 }
1890
1891 gnutls_free (cipher_suites);
1892
1893 return datalen;
1894 }
1895
1896
1897 /* This function copies the appropriate compression methods, to a locally allocated buffer
1898 * Needed in hello messages. Returns the new data length.
1899 */
1900 static int
1901 _gnutls_copy_comp_methods (gnutls_session_t session,
1902 opaque * ret_data, size_t ret_data_size)
1903 {
1904 int ret, i;
1905 uint8_t *compression_methods, comp_num;
1906 int datalen, pos;
1907
1908 ret = _gnutls_supported_compression_methods (session, &compression_methods);
1909 if (ret < 0)
1910 {
1911 gnutls_assert ();
1912 return ret;
1913 }
1914
1915 comp_num = ret;
1916
1917 datalen = pos = 0;
1918 datalen += comp_num + 1;
1919
1920 if ((size_t) datalen > ret_data_size)
1921 {
1922 gnutls_assert ();
1923 return GNUTLS_E_INTERNAL_ERROR;
1924 }
1925
1926 ret_data[pos++] = comp_num; /* put the number of compression methods */
1927
1928 for (i = 0; i < comp_num; i++)
1929 {
1930 ret_data[pos++] = compression_methods[i];
1931 }
1932
1933 gnutls_free (compression_methods);
1934
1935 return datalen;
1936 }
1937
1938 /* This should be sufficient by now. It should hold all the extensions
1939 * plus the headers in a hello message.
1940 */
1941 #define MAX_EXT_DATA_LENGTH 1024
1942
1943 /* This function sends the client hello handshake message.
1944 */
1945 static int
1946 _gnutls_send_client_hello (gnutls_session_t session, int again)
1947 {
1948 opaque *data = NULL;
1949 int extdatalen;
1950 int pos = 0;
1951 int datalen = 0, ret = 0;
1952 opaque rnd[GNUTLS_RANDOM_SIZE];
1953 gnutls_protocol_t hver;
1954 opaque *extdata = NULL;
1955 int rehandshake = 0;
1956 uint8_t session_id_len =
1957 session->internals.resumed_security_parameters.session_id_size;
1958
1959 /* note that rehandshake is different than resuming
1960 */
1961 if (session->security_parameters.session_id_size)
1962 rehandshake = 1;
1963
1964 if (again == 0)
1965 {
1966
1967 datalen = 2 + (session_id_len + 1) + GNUTLS_RANDOM_SIZE;
1968 /* 2 for version, (4 for unix time + 28 for random bytes==GNUTLS_RANDOM_SIZE)
1969 */
1970
1971 data = gnutls_malloc (datalen);
1972 if (data == NULL)
1973 {
1974 gnutls_assert ();
1975 return GNUTLS_E_MEMORY_ERROR;
1976 }
1977
1978 extdatalen = MAX_EXT_DATA_LENGTH
1979 +
1980 session->internals.resumed_security_parameters.extensions.
1981 session_ticket_len;
1982 extdata = gnutls_malloc (extdatalen);
1983 if (extdata == NULL)
1984 {
1985 gnutls_assert ();
1986 gnutls_free (data);
1987 return GNUTLS_E_MEMORY_ERROR;
1988 }
1989
1990 /* if we are resuming a session then we set the
1991 * version number to the previously established.
1992 */
1993 if (session_id_len == 0)
1994 {
1995 if (rehandshake) /* already negotiated version thus version_max == negotiated version */
1996 hver = session->security_parameters.version;
1997 else /* new handshake. just get the max */
1998 hver = _gnutls_version_max (session);
1999 }
2000 else
2001 {
2002 /* we are resuming a session */
2003 hver = session->internals.resumed_security_parameters.version;
2004 }
2005
2006 if (hver == GNUTLS_VERSION_UNKNOWN || hver == 0)
2007 {
2008 gnutls_assert ();
2009 gnutls_free (data);
2010 gnutls_free (extdata);
2011 return GNUTLS_E_INTERNAL_ERROR;
2012 }
2013
2014 data[pos++] = _gnutls_version_get_major (hver);
2015 data[pos++] = _gnutls_version_get_minor (hver);
2016
2017 /* Set the version we advertized as maximum
2018 * (RSA uses it).
2019 */
2020 _gnutls_set_adv_version (session, hver);
2021
2022 if (session->internals.priorities.ssl3_record_version)
2023 {
2024 /* Honor the SSL3_RECORD_VERSION option
2025 */
2026 _gnutls_set_current_version (session, GNUTLS_SSL3);
2027 }
2028 else
2029 {
2030 /* Some old implementations do not interoperate if we send a
2031 * different version in the record layer.
2032 * It seems they prefer to read the record's version
2033 * as the one we actually requested.
2034 * The proper behaviour is to use the one in the client hello
2035 * handshake packet and ignore the one in the packet's record
2036 * header.
2037 */
2038 _gnutls_set_current_version (session, hver);
2039 }
2040
2041 /* In order to know when this session was initiated.
2042 */
2043 session->security_parameters.timestamp = time (NULL);
2044
2045 /* Generate random data
2046 */
2047 _gnutls_tls_create_random (rnd);
2048 _gnutls_set_client_random (session, rnd);
2049
2050 memcpy (&data[pos], rnd, GNUTLS_RANDOM_SIZE);
2051 pos += GNUTLS_RANDOM_SIZE;
2052
2053 /* Copy the Session ID
2054 */
2055 data[pos++] = session_id_len;
2056
2057 if (session_id_len > 0)
2058 {
2059 memcpy (&data[pos], session->internals.resumed_security_parameters.session_id, session_id_len);
2060 pos += session_id_len;
2061 }
2062
2063
2064 /* Copy the ciphersuites.
2065 *
2066 * If using SSLv3 Send TLS_RENEGO_PROTECTION_REQUEST SCSV for MITM
2067 * prevention on initial negotiation (but not renegotiation; that's
2068 * handled with the RI extension below).
2069 */
2070 if(!session->internals.initial_negotiation_completed &&
2071 session->security_parameters.entity == GNUTLS_CLIENT &&
2072 gnutls_protocol_get_version (session) == GNUTLS_SSL3)
2073 {
2074 ret = _gnutls_copy_ciphersuites (session, extdata, extdatalen, TRUE);
2075 _gnutls_extension_list_add (session, GNUTLS_EXTENSION_SAFE_RENEGOTIATION);
2076 }
2077 else
2078 ret = _gnutls_copy_ciphersuites (session, extdata, extdatalen, FALSE);
2079
2080 if (ret > 0)
2081 {
2082 datalen += ret;
2083 data = gnutls_realloc_fast (data, datalen);
2084 if (data == NULL)
2085 {
2086 gnutls_assert ();
2087 gnutls_free (extdata);
2088 return GNUTLS_E_MEMORY_ERROR;
2089 }
2090
2091 memcpy (&data[pos], extdata, ret);
2092 pos += ret;
2093
2094 }
2095 else
2096 {
2097 if (ret == 0)
2098 ret = GNUTLS_E_INTERNAL_ERROR;
2099 gnutls_free (data);
2100 gnutls_free (extdata);
2101 gnutls_assert ();
2102 return ret;
2103 }
2104
2105
2106 /* Copy the compression methods.
2107 */
2108 ret = _gnutls_copy_comp_methods (session, extdata, extdatalen);
2109 if (ret > 0)
2110 {
2111 datalen += ret;
2112 data = gnutls_realloc_fast (data, datalen);
2113 if (data == NULL)
2114 {
2115 gnutls_assert ();
2116 gnutls_free (extdata);
2117 return GNUTLS_E_MEMORY_ERROR;
2118 }
2119
2120 memcpy (&data[pos], extdata, ret);
2121 pos += ret;
2122
2123 }
2124 else
2125 {
2126 if (ret == 0)
2127 ret = GNUTLS_E_INTERNAL_ERROR;
2128 gnutls_free (data);
2129 gnutls_free (extdata);
2130 gnutls_assert ();
2131 return ret;
2132 }
2133
2134 /* Generate and copy TLS extensions.
2135 */
2136 if (_gnutls_version_has_extensions (hver))
2137 {
2138 ret = _gnutls_gen_extensions (session, extdata, extdatalen);
2139
2140 if (ret > 0)
2141 {
2142 datalen += ret;
2143 data = gnutls_realloc_fast (data, datalen);
2144 if (data == NULL)
2145 {
2146 gnutls_assert ();
2147 gnutls_free (extdata);
2148 return GNUTLS_E_MEMORY_ERROR;
2149 }
2150
2151 memcpy (&data[pos], extdata, ret);
2152 }
2153 else if (ret < 0)
2154 {
2155 gnutls_assert ();
2156 gnutls_free (data);
2157 gnutls_free (extdata);
2158 return ret;
2159 }
2160 }
2161 else if(session->internals.initial_negotiation_completed != 0)
2162 {
2163 opaque buf[256]; /* opaque renegotiated_connection<0..255> */
2164
2165 /* For SSLv3 only, we will (only) to send the RI extension; we must
2166 * send it every time we renegotiate. We don't want to send anything
2167 * else, out of concern for interoperability.
2168 *
2169 * If this is an initial negotiation, we already sent SCSV above.
2170 */
2171
2172 ret = _gnutls_safe_renegotiation_send_params (session, buf, sizeof(buf));
2173
2174 if (ret < 0)
2175 {
2176 gnutls_assert ();
2177 gnutls_free (data);
2178 gnutls_free (extdata);
2179 return ret;
2180 }
2181
2182 datalen += ret + 6; /* extlen(2) + type(2) + len(2) + ret */
2183
2184 data = gnutls_realloc_fast (data, datalen);
2185 if (data == NULL)
2186 {
2187 gnutls_assert ();
2188 gnutls_free (extdata);
2189 return GNUTLS_E_MEMORY_ERROR;
2190 }
2191
2192 /* total extensions length (one extension, with type(2) + len(2)) */
2193 _gnutls_write_uint16 (4 + ret, &data[pos]);
2194 pos += 2;
2195
2196 /* TLS RI extension type is 0xff01 */
2197 data[pos++] = 0xff;
2198 data[pos++] = 0x01;
2199
2200 _gnutls_write_uint16 (ret, &data[pos]);
2201 pos += 2;
2202
2203 memcpy(&data[pos], buf, ret);
2204 pos += ret;
2205
2206 _gnutls_debug_log ("EXT[%p]: Sending extension safe renegotiation (SSLv3)\n",
2207 session);
2208 }
2209 gnutls_free (extdata);
2210 }
2211
2212 ret =
2213 _gnutls_send_handshake (session, data, datalen,
2214 GNUTLS_HANDSHAKE_CLIENT_HELLO);
2215 gnutls_free (data);
2216
2217 return ret;
2218 }
2219
2220 static int
2221 _gnutls_send_server_hello (gnutls_session_t session, int again)
2222 {
2223 opaque *data = NULL;
2224 opaque extdata[MAX_EXT_DATA_LENGTH];
2225 int extdatalen;
2226 int pos = 0;
2227 int datalen, ret = 0;
2228 uint8_t comp;
2229 uint8_t session_id_len = session->security_parameters.session_id_size;
2230 opaque buf[2 * TLS_MAX_SESSION_ID_SIZE + 1];
2231
2232 datalen = 0;
2233
2234 #ifdef ENABLE_SRP
2235 if (IS_SRP_KX
2236 (_gnutls_cipher_suite_get_kx_algo
2237 (&session->security_parameters.current_cipher_suite)))
2238 {
2239 /* While resuming we cannot check the username extension since it is
2240 * not available at this point. It will be copied on connection
2241 * state activation.
2242 */
2243 if (session->internals.resumed == RESUME_FALSE &&
2244 session->security_parameters.extensions.srp_username[0] == 0)
2245 {
2246 /* The peer didn't send a valid SRP extension with the
2247 * SRP username. The draft requires that we send a fatal
2248 * alert and abort.
2249 */
2250 gnutls_assert ();
2251 ret = gnutls_alert_send (session, GNUTLS_AL_FATAL,
2252 GNUTLS_A_UNKNOWN_PSK_IDENTITY);
2253 if (ret < 0)
2254 {
2255 gnutls_assert ();
2256 return ret;
2257 }
2258
2259 return GNUTLS_E_ILLEGAL_SRP_USERNAME;
2260 }
2261 }
2262 #endif
2263
2264 if (again == 0)
2265 {
2266 datalen = 2 + session_id_len + 1 + GNUTLS_RANDOM_SIZE + 3;
2267 extdatalen =
2268 _gnutls_gen_extensions (session, extdata, sizeof (extdata));
2269
2270 if (extdatalen < 0)
2271 {
2272 gnutls_assert ();
2273 return extdatalen;
2274 }
2275
2276 data = gnutls_malloc (datalen + extdatalen);
2277 if (data == NULL)
2278 {
2279 gnutls_assert ();
2280 return GNUTLS_E_MEMORY_ERROR;
2281 }
2282
2283 data[pos++] =
2284 _gnutls_version_get_major (session->security_parameters.version);
2285 data[pos++] =
2286 _gnutls_version_get_minor (session->security_parameters.version);
2287
2288 memcpy (&data[pos],
2289 session->security_parameters.server_random, GNUTLS_RANDOM_SIZE);
2290 pos += GNUTLS_RANDOM_SIZE;
2291
2292 data[pos++] = session_id_len;
2293 if (session_id_len > 0)
2294 {
2295 memcpy (&data[pos], session->security_parameters.session_id, session_id_len);
2296 }
2297 pos += session_id_len;
2298
2299 _gnutls_handshake_log ("HSK[%p]: SessionID: %s\n", session,
2300 _gnutls_bin2hex (session->security_parameters.session_id, session_id_len,
2301 buf, sizeof (buf)));
2302
2303 memcpy (&data[pos],
2304 session->security_parameters.current_cipher_suite.suite, 2);
2305 pos += 2;
2306
2307 comp =
2308 (uint8_t) _gnutls_compression_get_num (session->
2309 internals.compression_method);
2310 data[pos++] = comp;
2311
2312
2313 if (extdatalen > 0)
2314 {
2315 datalen += extdatalen;
2316
2317 memcpy (&data[pos], extdata, extdatalen);
2318 }
2319 }
2320
2321 ret =
2322 _gnutls_send_handshake (session, data, datalen,
2323 GNUTLS_HANDSHAKE_SERVER_HELLO);
2324 gnutls_free (data);
2325
2326 return ret;
2327 }
2328
2329 int
2330 _gnutls_send_hello (gnutls_session_t session, int again)
2331 {
2332 int ret;
2333
2334 session->internals.safe_renegotiation_received = 0;
2335
2336 if (session->security_parameters.entity == GNUTLS_CLIENT)
2337 {
2338 ret = _gnutls_send_client_hello (session, again);
2339
2340 }
2341 else
2342 { /* SERVER */
2343 ret = _gnutls_send_server_hello (session, again);
2344 }
2345
2346 return ret;
2347 }
2348
2349 /* RECEIVE A HELLO MESSAGE. This should be called from gnutls_recv_handshake_int only if a
2350 * hello message is expected. It uses the security_parameters.current_cipher_suite
2351 * and internals.compression_method.
2352 */
2353 int
2354 _gnutls_recv_hello (gnutls_session_t session, opaque * data, int datalen)
2355 {
2356 int ret;
2357 tls_ext_st *ext;
2358
2359 if (session->security_parameters.entity == GNUTLS_CLIENT)
2360 {
2361 ret = _gnutls_read_server_hello (session, data, datalen);
2362 if (ret < 0)
2363 {
2364 gnutls_assert ();
2365 return ret;
2366 }
2367 }
2368 else
2369 { /* Server side reading a client hello */
2370
2371 ret = _gnutls_read_client_hello (session, data, datalen);
2372 if (ret < 0)
2373 {
2374 gnutls_assert ();
2375 return ret;
2376 }
2377 }
2378
2379 if (session->internals.priorities.disable_safe_renegotiation != 0)
2380 {
2381 gnutls_assert();
2382 return ret;
2383 }
2384
2385 /* Safe renegotiation */
2386 ext = &session->security_parameters.extensions;
2387
2388 if (session->internals.safe_renegotiation_received)
2389 {
2390 if ((ext->ri_extension_data_len < ext->client_verify_data_len) ||
2391 (memcmp (ext->ri_extension_data,
2392 ext->client_verify_data,
2393 ext->client_verify_data_len)))
2394 {
2395 gnutls_assert();
2396 _gnutls_handshake_log ("Safe renegotiation failed [1]\n");
2397 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
2398 }
2399 if (session->security_parameters.entity == GNUTLS_CLIENT)
2400 {
2401 if ((ext->ri_extension_data_len !=
2402 ext->client_verify_data_len + ext->server_verify_data_len) ||
2403 memcmp (ext->ri_extension_data + ext->client_verify_data_len,
2404 ext->server_verify_data, ext->server_verify_data_len) != 0)
2405 {
2406 gnutls_assert();
2407 _gnutls_handshake_log ("Safe renegotiation failed [2]\n");
2408 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
2409 }
2410 }
2411 else /* Make sure there are 0 extra bytes */
2412 {
2413 if (ext->ri_extension_data_len != ext->client_verify_data_len)
2414 {
2415 gnutls_assert();
2416 _gnutls_handshake_log ("Safe renegotiation failed [3]\n");
2417 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
2418 }
2419 }
2420
2421 _gnutls_handshake_log ("Safe renegotiation succeeded.\n");
2422 }
2423 else /* safe renegotiation not received... */
2424 {
2425 if (session->internals.connection_using_safe_renegotiation)
2426 {
2427 gnutls_assert();
2428 _gnutls_handshake_log ("Peer previously asked for safe renegotiation!\n");
2429 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
2430 }
2431
2432 /* Clients can't tell if it's an initial negotiation */
2433 if (session->internals.initial_negotiation_completed ||
2434 session->security_parameters.entity == GNUTLS_CLIENT)
2435 {
2436 if (session->internals.priorities.unsafe_renegotiation != 0)
2437 {
2438 _gnutls_handshake_log ("Allowing unsafe renegotiation!\n");
2439 }
2440 else
2441 {
2442 gnutls_assert();
2443 _gnutls_handshake_log ("Denying unsafe renegotiation.\n");
2444 ret = gnutls_alert_send (session, GNUTLS_AL_WARNING,
2445 GNUTLS_A_NO_RENEGOTIATION);
2446
2447 if (ret < 0)
2448 {
2449 gnutls_assert ();
2450 return ret;
2451 }
2452
2453 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
2454 }
2455 }
2456 else
2457 {
2458 if (session->internals.priorities.initial_safe_renegotiation==0)
2459 {
2460 _gnutls_handshake_log ("Allowing unsafe initial negotiation!\n");
2461 }
2462 else
2463 {
2464 gnutls_assert();
2465 _gnutls_handshake_log ("Denying unsafe initial negotiation.\n");
2466 return GNUTLS_E_SAFE_RENEGOTIATION_FAILED;
2467 }
2468 }
2469 }
2470
2471 return ret;
2472 }
2473
2474 /* The packets in gnutls_handshake (it's more broad than original TLS handshake)
2475 *
2476 * Client Server
2477 *
2478 * ClientHello -------->
2479 * <-------- ServerHello
2480 *
2481 * Certificate*
2482 * ServerKeyExchange*
2483 * <-------- CertificateRequest*
2484 *
2485 * <-------- ServerHelloDone
2486 * Certificate*
2487 * ClientKeyExchange
2488 * CertificateVerify*
2489 * [ChangeCipherSpec]
2490 * Finished -------->
2491 * [ChangeCipherSpec]
2492 * <-------- Finished
2493 *
2494 * (*): means optional packet.
2495 */
2496
2497 /**
2498 * gnutls_rehandshake:
2499 * @session: is a #gnutls_session_t structure.
2500 *
2501 * This function will renegotiate security parameters with the
2502 * client. This should only be called in case of a server.
2503 *
2504 * This message informs the peer that we want to renegotiate
2505 * parameters (perform a handshake).
2506 *
2507 * If this function succeeds (returns 0), you must call the
2508 * gnutls_handshake() function in order to negotiate the new
2509 * parameters.
2510 *
2511 * Since TLS is full duplex some application data might have been
2512 * sent during peer's processing of this message. In that case
2513 * one should call gnutls_record_recv() until GNUTLS_E_REHANDSHAKE
2514 * is returned to clear any pending data. Care must be taken if
2515 * rehandshake is mandatory to terminate if it does not start after
2516 * some threshold.
2517 *
2518 * If the client does not wish to renegotiate parameters he will
2519 * should with an alert message, thus the return code will be
2520 * %GNUTLS_E_WARNING_ALERT_RECEIVED and the alert will be
2521 * %GNUTLS_A_NO_RENEGOTIATION. A client may also choose to ignore
2522 * this message.
2523 *
2524 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2525 **/
2526 int
2527 gnutls_rehandshake (gnutls_session_t session)
2528 {
2529 int ret;
2530
2531 /* only server sends that handshake packet */
2532 if (session->security_parameters.entity == GNUTLS_CLIENT)
2533 return GNUTLS_E_INVALID_REQUEST;
2534
2535 ret =
2536 _gnutls_send_empty_handshake (session, GNUTLS_HANDSHAKE_HELLO_REQUEST,
2537 AGAIN (STATE50));
2538 STATE = STATE50;
2539
2540 if (ret < 0)
2541 {
2542 gnutls_assert ();
2543 return ret;
2544 }
2545 STATE = STATE0;
2546
2547 return 0;
2548 }
2549
2550 inline static int
2551 _gnutls_abort_handshake (gnutls_session_t session, int ret)
2552 {
2553 if (((ret == GNUTLS_E_WARNING_ALERT_RECEIVED) &&
2554 (gnutls_alert_get (session) == GNUTLS_A_NO_RENEGOTIATION))
2555 || ret == GNUTLS_E_GOT_APPLICATION_DATA)
2556 return 0;
2557
2558 /* this doesn't matter */
2559 return GNUTLS_E_INTERNAL_ERROR;
2560 }
2561
2562
2563 /* This function initialized the handshake hash session.
2564 * required for finished messages.
2565 */
2566 static int
2567 _gnutls_handshake_hash_init (gnutls_session_t session)
2568 {
2569 gnutls_protocol_t ver = gnutls_protocol_get_version (session);
2570
2571 if (session->internals.handshake_mac_handle_init == 0)
2572 {
2573 int ret;
2574
2575 /* set the hash type for handshake message hashing */
2576 if (_gnutls_version_has_selectable_prf (ver))
2577 session->security_parameters.handshake_mac_handle_type =
2578 HANDSHAKE_MAC_TYPE_12;
2579 else
2580 session->security_parameters.handshake_mac_handle_type =
2581 HANDSHAKE_MAC_TYPE_10;
2582
2583
2584 if (session->security_parameters.handshake_mac_handle_type ==
2585 HANDSHAKE_MAC_TYPE_10)
2586 {
2587 ret =
2588 _gnutls_hash_init (&session->internals.handshake_mac_handle.
2589 tls10.md5, GNUTLS_MAC_MD5);
2590
2591 if (ret < 0)
2592 {
2593 gnutls_assert ();
2594 return ret;
2595 }
2596
2597 ret =
2598 _gnutls_hash_init (&session->internals.handshake_mac_handle.
2599 tls10.sha, GNUTLS_MAC_SHA1);
2600 if (ret < 0)
2601 {
2602 gnutls_assert ();
2603 _gnutls_hash_deinit (&session->internals.
2604 handshake_mac_handle.tls10.md5, NULL);
2605 return GNUTLS_E_MEMORY_ERROR;
2606 }
2607 }
2608 else if (session->security_parameters.handshake_mac_handle_type ==
2609 HANDSHAKE_MAC_TYPE_12)
2610 {
2611 /* The algorithm to compute hash over handshake messages must be
2612 same as the one used as the basis for PRF. By now we use
2613 SHA256. */
2614 ret =
2615 _gnutls_hash_init (&session->internals.handshake_mac_handle.
2616 tls12.sha256, GNUTLS_DIG_SHA256);
2617 if (ret < 0)
2618 {
2619 gnutls_assert ();
2620 return GNUTLS_E_MEMORY_ERROR;
2621 }
2622
2623 ret =
2624 _gnutls_hash_init (&session->internals.handshake_mac_handle.
2625 tls12.sha1, GNUTLS_DIG_SHA1);
2626 if (ret < 0)
2627 {
2628 gnutls_assert ();
2629 _gnutls_hash_deinit (&session->internals.
2630 handshake_mac_handle.tls12.sha256, NULL);
2631 return GNUTLS_E_MEMORY_ERROR;
2632 }
2633 }
2634
2635 session->internals.handshake_mac_handle_init = 1;
2636 }
2637
2638 return 0;
2639 }
2640
2641 static int
2642 _gnutls_send_supplemental (gnutls_session_t session, int again)
2643 {
2644 int ret = 0;
2645
2646 _gnutls_debug_log ("EXT[%p]: Sending supplemental data\n", session);
2647
2648 if (again)
2649 ret = _gnutls_send_handshake (session, NULL, 0,
2650 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2651 else
2652 {
2653 gnutls_buffer buf;
2654 _gnutls_buffer_init (&buf);
2655
2656 ret = _gnutls_gen_supplemental (session, &buf);
2657 if (ret < 0)
2658 {
2659 gnutls_assert ();
2660 return ret;
2661 }
2662
2663 ret = _gnutls_send_handshake (session, buf.data, buf.length,
2664 GNUTLS_HANDSHAKE_SUPPLEMENTAL);
2665 _gnutls_buffer_clear (&buf);
2666 }
2667
2668 return ret;
2669 }
2670
2671 static int
2672 _gnutls_recv_supplemental (gnutls_session_t session)
2673 {
2674 uint8_t *data = NULL;
2675 int datalen = 0;
2676 int ret;
2677
2678 _gnutls_debug_log ("EXT[%p]: Expecting supplemental data\n", session);
2679
2680 ret = _gnutls_recv_handshake (session, &data, &datalen,
2681 GNUTLS_HANDSHAKE_SUPPLEMENTAL,
2682 OPTIONAL_PACKET);
2683 if (ret < 0)
2684 {
2685 gnutls_assert ();
2686 return ret;
2687 }
2688
2689 ret = _gnutls_parse_supplemental (session, data, datalen);
2690 if (ret < 0)
2691 {
2692 gnutls_assert ();
2693 return ret;
2694 }
2695
2696 gnutls_free (data);
2697
2698 return ret;
2699 }
2700
2701 /**
2702 * gnutls_handshake:
2703 * @session: is a #gnutls_session_t structure.
2704 *
2705 * This function does the handshake of the TLS/SSL protocol, and
2706 * initializes the TLS connection.
2707 *
2708 * This function will fail if any problem is encountered, and will
2709 * return a negative error code. In case of a client, if the client
2710 * has asked to resume a session, but the server couldn't, then a
2711 * full handshake will be performed.
2712 *
2713 * The non-fatal errors such as %GNUTLS_E_AGAIN and
2714 * %GNUTLS_E_INTERRUPTED interrupt the handshake procedure, which
2715 * should be later be resumed. Call this function again, until it
2716 * returns 0; cf. gnutls_record_get_direction() and
2717 * gnutls_error_is_fatal().
2718 *
2719 * If this function is called by a server after a rehandshake request
2720 * then %GNUTLS_E_GOT_APPLICATION_DATA or
2721 * %GNUTLS_E_WARNING_ALERT_RECEIVED may be returned. Note that these
2722 * are non fatal errors, only in the specific case of a rehandshake.
2723 * Their meaning is that the client rejected the rehandshake request or
2724 * in the case of %GNUTLS_E_GOT_APPLICATION_DATA it might also mean that
2725 * some data were pending.
2726 *
2727 * Returns: %GNUTLS_E_SUCCESS on success, otherwise an error.
2728 **/
2729 int
2730 gnutls_handshake (gnutls_session_t session)
2731 {
2732 int ret;
2733
2734 if (session->security_parameters.entity == GNUTLS_CLIENT)
2735 {
2736 ret = _gnutls_handshake_client (session);
2737 }
2738 else
2739 {
2740 ret = _gnutls_handshake_server (session);
2741 }
2742 if (ret < 0)
2743 {
2744 /* In the case of a rehandshake abort
2745 * we should reset the handshake's internal state.
2746 */
2747 if (_gnutls_abort_handshake (session, ret) == 0)
2748 STATE = STATE0;
2749
2750 return ret;
2751 }
2752
2753 ret = _gnutls_handshake_common (session);
2754
2755 if (ret < 0)
2756 {
2757 if (_gnutls_abort_handshake (session, ret) == 0)
2758 STATE = STATE0;
2759
2760 return ret;
2761 }
2762
2763 STATE = STATE0;
2764
2765 _gnutls_handshake_io_buffer_clear (session);
2766 _gnutls_handshake_internal_state_clear (session);
2767
2768 return 0;
2769 }
2770
2771 #define IMED_RET( str, ret, check_fatal) do { \
2772 if (ret < 0) { \
2773 if (check_fatal != 0 && gnutls_error_is_fatal(ret)==0) return ret; \
2774 gnutls_assert(); \
2775 ERR( str, ret); \
2776 _gnutls_handshake_hash_buffers_clear(session); \
2777 return ret; \
2778 } } while (0)
2779
2780
2781
2782 /*
2783 * _gnutls_handshake_client
2784 * This function performs the client side of the handshake of the TLS/SSL protocol.
2785 */
2786 int
2787 _gnutls_handshake_client (gnutls_session_t session)
2788 {
2789 int ret = 0;
2790
2791 #ifdef HANDSHAKE_DEBUG
2792 char buf[64];
2793
2794 if (session->internals.resumed_security_parameters.session_id_size > 0)
2795 _gnutls_handshake_log ("HSK[%p]: Ask to resume: %s\n", session,
2796 _gnutls_bin2hex (session->internals.
2797 resumed_security_parameters.
2798 session_id,
2799 session->internals.
2800 resumed_security_parameters.
2801 session_id_size, buf,
2802 sizeof (buf)));
2803 #endif
2804
2805 switch (STATE)
2806 {
2807 case STATE0:
2808 case STATE1:
2809 ret = _gnutls_send_hello (session, AGAIN (STATE1));
2810 STATE = STATE1;
2811 IMED_RET ("send hello", ret, 0);
2812
2813 case STATE2:
2814 /* receive the server hello */
2815 ret =
2816 _gnutls_recv_handshake (session, NULL, NULL,
2817 GNUTLS_HANDSHAKE_SERVER_HELLO,
2818 MANDATORY_PACKET);
2819 STATE = STATE2;
2820 IMED_RET ("recv hello", ret, 1);
2821
2822 case STATE70:
2823 if (session->security_parameters.extensions.do_recv_supplemental)
2824 {
2825 ret = _gnutls_recv_supplemental (session);
2826 STATE = STATE70;
2827 IMED_RET ("recv supplemental", ret, 1);
2828 }
2829
2830 case STATE3:
2831 /* RECV CERTIFICATE */
2832 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2833 ret = _gnutls_recv_server_certificate (session);
2834 STATE = STATE3;
2835 IMED_RET ("recv server certificate", ret, 1);
2836
2837 case STATE4:
2838 /* receive the server key exchange */
2839 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2840 ret = _gnutls_recv_server_kx_message (session);
2841 STATE = STATE4;
2842 IMED_RET ("recv server kx message", ret, 1);
2843
2844 case STATE5:
2845 /* receive the server certificate request - if any
2846 */
2847
2848 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2849 ret = _gnutls_recv_server_certificate_request (session);
2850 STATE = STATE5;
2851 IMED_RET ("recv server certificate request message", ret, 1);
2852
2853 case STATE6:
2854 /* receive the server hello done */
2855 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2856 ret =
2857 _gnutls_recv_handshake (session, NULL, NULL,
2858 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
2859 MANDATORY_PACKET);
2860 STATE = STATE6;
2861 IMED_RET ("recv server hello done", ret, 1);
2862
2863 case STATE71:
2864 if (session->security_parameters.extensions.do_send_supplemental)
2865 {
2866 ret = _gnutls_send_supplemental (session, AGAIN (STATE71));
2867 STATE = STATE71;
2868 IMED_RET ("send supplemental", ret, 0);
2869 }
2870
2871 case STATE7:
2872 /* send our certificate - if any and if requested
2873 */
2874 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2875 ret = _gnutls_send_client_certificate (session, AGAIN (STATE7));
2876 STATE = STATE7;
2877 IMED_RET ("send client certificate", ret, 0);
2878
2879 case STATE8:
2880 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2881 ret = _gnutls_send_client_kx_message (session, AGAIN (STATE8));
2882 STATE = STATE8;
2883 IMED_RET ("send client kx", ret, 0);
2884
2885 case STATE9:
2886 /* send client certificate verify */
2887 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
2888 ret =
2889 _gnutls_send_client_certificate_verify (session, AGAIN (STATE9));
2890 STATE = STATE9;
2891 IMED_RET ("send client certificate verify", ret, 0);
2892
2893 STATE = STATE0;
2894 default:
2895 break;
2896 }
2897
2898
2899 return 0;
2900 }
2901
2902 /* This function sends the final handshake packets and initializes connection
2903 */
2904 static int
2905 _gnutls_send_handshake_final (gnutls_session_t session, int init)
2906 {
2907 int ret = 0;
2908
2909 /* Send the CHANGE CIPHER SPEC PACKET */
2910
2911 switch (STATE)
2912 {
2913 case STATE0:
2914 case STATE20:
2915 ret = _gnutls_send_change_cipher_spec (session, AGAIN (STATE20));
2916 STATE = STATE20;
2917 if (ret < 0)
2918 {
2919 ERR ("send ChangeCipherSpec", ret);
2920 gnutls_assert ();
2921 return ret;
2922 }
2923
2924 /* Initialize the connection session (start encryption) - in case of client
2925 */
2926 if (init == TRUE)
2927 {
2928 ret = _gnutls_connection_state_init (session);
2929 if (ret < 0)
2930 {
2931 gnutls_assert ();
2932 return ret;
2933 }
2934 }
2935
2936 ret = _gnutls_write_connection_state_init (session);
2937 if (ret < 0)
2938 {
2939 gnutls_assert ();
2940 return ret;
2941 }
2942
2943 case STATE21:
2944 /* send the finished message */
2945 ret = _gnutls_send_finished (session, AGAIN (STATE21));
2946 STATE = STATE21;
2947 if (ret < 0)
2948 {
2949 ERR ("send Finished", ret);
2950 gnutls_assert ();
2951 return ret;
2952 }
2953
2954 STATE = STATE0;
2955 default:
2956 break;
2957 }
2958
2959 return 0;
2960 }
2961
2962 /* This function receives the final handshake packets
2963 * And executes the appropriate function to initialize the
2964 * read session.
2965 */
2966 static int
2967 _gnutls_recv_handshake_final (gnutls_session_t session, int init)
2968 {
2969 int ret = 0;
2970 uint8_t ch;
2971
2972 switch (STATE)
2973 {
2974 case STATE0:
2975 case STATE30:
2976 ret = _gnutls_recv_int (session, GNUTLS_CHANGE_CIPHER_SPEC, -1, &ch, 1);
2977 STATE = STATE30;
2978 if (ret <= 0)
2979 {
2980 ERR ("recv ChangeCipherSpec", ret);
2981 gnutls_assert ();
2982 return (ret < 0) ? ret : GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
2983 }
2984
2985 /* Initialize the connection session (start encryption) - in case of server */
2986 if (init == TRUE)
2987 {
2988 ret = _gnutls_connection_state_init (session);
2989 if (ret < 0)
2990 {
2991 gnutls_assert ();
2992 return ret;
2993 }
2994 }
2995
2996 ret = _gnutls_read_connection_state_init (session);
2997 if (ret < 0)
2998 {
2999 gnutls_assert ();
3000 return ret;
3001 }
3002
3003 case STATE31:
3004 ret = _gnutls_recv_finished (session);
3005 STATE = STATE31;
3006 if (ret < 0)
3007 {
3008 ERR ("recv finished", ret);
3009 gnutls_assert ();
3010 return ret;
3011 }
3012 STATE = STATE0;
3013 default:
3014 break;
3015 }
3016
3017
3018 return 0;
3019 }
3020
3021 /*
3022 * _gnutls_handshake_server
3023 * This function does the server stuff of the handshake protocol.
3024 */
3025 int
3026 _gnutls_handshake_server (gnutls_session_t session)
3027 {
3028 int ret = 0;
3029
3030 switch (STATE)
3031 {
3032 case STATE0:
3033 case STATE1:
3034 ret =
3035 _gnutls_recv_handshake (session, NULL, NULL,
3036 GNUTLS_HANDSHAKE_CLIENT_HELLO,
3037 MANDATORY_PACKET);
3038 STATE = STATE1;
3039 IMED_RET ("recv hello", ret, 1);
3040
3041 case STATE2:
3042 ret = _gnutls_send_hello (session, AGAIN (STATE2));
3043 STATE = STATE2;
3044 IMED_RET ("send hello", ret, 0);
3045
3046 case STATE70:
3047 if (session->security_parameters.extensions.do_send_supplemental)
3048 {
3049 ret = _gnutls_send_supplemental (session, AGAIN (STATE70));
3050 STATE = STATE70;
3051 IMED_RET ("send supplemental data", ret, 0);
3052 }
3053
3054 /* SEND CERTIFICATE + KEYEXCHANGE + CERTIFICATE_REQUEST */
3055 case STATE3:
3056 /* NOTE: these should not be send if we are resuming */
3057
3058 if (session->internals.resumed == RESUME_FALSE)
3059 ret = _gnutls_send_server_certificate (session, AGAIN (STATE3));
3060 STATE = STATE3;
3061 IMED_RET ("send server certificate", ret, 0);
3062
3063 case STATE4:
3064 /* send server key exchange (A) */
3065 if (session->internals.resumed == RESUME_FALSE)
3066 ret = _gnutls_send_server_kx_message (session, AGAIN (STATE4));
3067 STATE = STATE4;
3068 IMED_RET ("send server kx", ret, 0);
3069
3070 case STATE5:
3071 /* Send certificate request - if requested to */
3072 if (session->internals.resumed == RESUME_FALSE)
3073 ret =
3074 _gnutls_send_server_certificate_request (session, AGAIN (STATE5));
3075 STATE = STATE5;
3076 IMED_RET ("send server cert request", ret, 0);
3077
3078 case STATE6:
3079 /* send the server hello done */
3080 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3081 ret =
3082 _gnutls_send_empty_handshake (session,
3083 GNUTLS_HANDSHAKE_SERVER_HELLO_DONE,
3084 AGAIN (STATE6));
3085 STATE = STATE6;
3086 IMED_RET ("send server hello done", ret, 0);
3087
3088 case STATE71:
3089 if (session->security_parameters.extensions.do_recv_supplemental)
3090 {
3091 ret = _gnutls_recv_supplemental (session);
3092 STATE = STATE71;
3093 IMED_RET ("recv client supplemental", ret, 1);
3094 }
3095
3096 /* RECV CERTIFICATE + KEYEXCHANGE + CERTIFICATE_VERIFY */
3097 case STATE7:
3098 /* receive the client certificate message */
3099 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3100 ret = _gnutls_recv_client_certificate (session);
3101 STATE = STATE7;
3102 IMED_RET ("recv client certificate", ret, 1);
3103
3104 case STATE8:
3105 /* receive the client key exchange message */
3106 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3107 ret = _gnutls_recv_client_kx_message (session);
3108 STATE = STATE8;
3109 IMED_RET ("recv client kx", ret, 1);
3110
3111 case STATE9:
3112 /* receive the client certificate verify message */
3113 if (session->internals.resumed == RESUME_FALSE) /* if we are not resuming */
3114 ret = _gnutls_recv_client_certificate_verify_message (session);
3115 STATE = STATE9;
3116 IMED_RET ("recv client certificate verify", ret, 1);
3117
3118 STATE = STATE0; /* finished thus clear session */
3119 default:
3120 break;
3121 }
3122
3123 return 0;
3124 }
3125
3126 int
3127 _gnutls_handshake_common (gnutls_session_t session)
3128 {
3129 int ret = 0;
3130
3131 /* send and recv the change cipher spec and finished messages */
3132 if ((session->internals.resumed == RESUME_TRUE
3133 && session->security_parameters.entity == GNUTLS_CLIENT)
3134 || (session->internals.resumed == RESUME_FALSE
3135 && session->security_parameters.entity == GNUTLS_SERVER))
3136 {
3137 /* if we are a client resuming - or we are a server not resuming */
3138
3139 ret = _gnutls_recv_handshake_final (session, TRUE);
3140 IMED_RET ("recv handshake final", ret, 1);
3141
3142 #ifdef ENABLE_SESSION_TICKET
3143 switch (STATE)
3144 {
3145 case STATE0:
3146 case STATE40:
3147 if (session->internals.session_ticket_renew)
3148 {
3149 ret =
3150 _gnutls_send_new_session_ticket (session, AGAIN (STATE40));
3151 STATE = STATE40;
3152 IMED_RET ("send handshake new session ticket", ret, 0);
3153 }
3154 STATE = STATE0;
3155 default:
3156 break;
3157 }
3158 #endif
3159
3160 ret = _gnutls_send_handshake_final (session, FALSE);
3161 IMED_RET ("send handshake final", ret, 0);
3162
3163 /* only store if we are not resuming */
3164 if (session->security_parameters.entity == GNUTLS_SERVER)
3165 {
3166 /* in order to support session resuming */
3167 _gnutls_server_register_current_session (session);
3168 }
3169 }
3170 else
3171 { /* if we are a client not resuming - or we are a server resuming */
3172
3173 ret = _gnutls_send_handshake_final (session, TRUE);
3174 IMED_RET ("send handshake final 2", ret, 0);
3175
3176 #ifdef ENABLE_SESSION_TICKET
3177 switch (STATE)
3178 {
3179 case STATE0:
3180 case STATE41:
3181 if (session->internals.session_ticket_renew)
3182 {
3183 ret = _gnutls_recv_new_session_ticket (session);
3184 STATE = STATE41;
3185 IMED_RET ("recv handshake new session ticket", ret, 1);
3186 }
3187 STATE = STATE0;
3188 default:
3189 break;
3190 }
3191 #endif
3192
3193 ret = _gnutls_recv_handshake_final (session, FALSE);
3194 IMED_RET ("recv handshake final 2", ret, 1);
3195
3196 }
3197
3198
3199 /* clear handshake buffer */
3200 _gnutls_handshake_hash_buffers_clear (session);
3201 return ret;
3202
3203 }
3204
3205 int
3206 _gnutls_generate_session_id (opaque * session_id, uint8_t * len)
3207 {
3208 int ret;
3209
3210 *len = TLS_MAX_SESSION_ID_SIZE;
3211
3212 ret = _gnutls_rnd (GNUTLS_RND_NONCE, session_id, *len);
3213 if (ret < 0)
3214 {
3215 gnutls_assert ();
3216 return ret;
3217 }
3218
3219 return 0;
3220 }
3221
3222 int
3223 _gnutls_recv_hello_request (gnutls_session_t session, void *data,
3224 uint32_t data_size)
3225 {
3226 uint8_t type;
3227
3228 if (session->security_parameters.entity == GNUTLS_SERVER)
3229 {
3230 gnutls_assert ();
3231 return GNUTLS_E_UNEXPECTED_PACKET;
3232 }
3233 if (data_size < 1)
3234 {
3235 gnutls_assert ();
3236 return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;
3237 }
3238 type = ((uint8_t *) data)[0];
3239 if (type == GNUTLS_HANDSHAKE_HELLO_REQUEST)
3240 return GNUTLS_E_REHANDSHAKE;
3241 else
3242 {
3243 gnutls_assert ();
3244 return GNUTLS_E_UNEXPECTED_PACKET;
3245 }
3246 }
3247
3248 /* Returns 1 if the given KX has not the corresponding parameters
3249 * (DH or RSA) set up. Otherwise returns 0.
3250 */
3251 inline static int
3252 check_server_params (gnutls_session_t session,
3253 gnutls_kx_algorithm_t kx,
3254 gnutls_kx_algorithm_t * alg, int alg_size)
3255 {
3256 int cred_type;
3257 gnutls_dh_params_t dh_params = NULL;
3258 gnutls_rsa_params_t rsa_params = NULL;
3259 int j;
3260
3261 cred_type = _gnutls_map_kx_get_cred (kx, 1);
3262
3263 /* Read the Diffie-Hellman parameters, if any.
3264 */
3265 if (cred_type == GNUTLS_CRD_CERTIFICATE)
3266 {
3267 int delete;
3268 gnutls_certificate_credentials_t x509_cred =
3269 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3270 cred_type, NULL);
3271
3272 if (x509_cred != NULL)
3273 {
3274 dh_params =
3275 _gnutls_get_dh_params (x509_cred->dh_params,
3276 x509_cred->params_func, session);
3277 rsa_params =
3278 _gnutls_certificate_get_rsa_params (x509_cred->rsa_params,
3279 x509_cred->params_func,
3280 session);
3281 }
3282
3283 /* Check also if the certificate supports the
3284 * KX method.
3285 */
3286 delete = 1;
3287 for (j = 0; j < alg_size; j++)
3288 {
3289 if (alg[j] == kx)
3290 {
3291 delete = 0;
3292 break;
3293 }
3294 }
3295
3296 if (delete == 1)
3297 return 1;
3298
3299 #ifdef ENABLE_ANON
3300 }
3301 else if (cred_type == GNUTLS_CRD_ANON)
3302 {
3303 gnutls_anon_server_credentials_t anon_cred =
3304 (gnutls_anon_server_credentials_t) _gnutls_get_cred (session->key,
3305 cred_type, NULL);
3306
3307 if (anon_cred != NULL)
3308 {
3309 dh_params =
3310 _gnutls_get_dh_params (anon_cred->dh_params,
3311 anon_cred->params_func, session);
3312 }
3313 #endif
3314 #ifdef ENABLE_PSK
3315 }
3316 else if (cred_type == GNUTLS_CRD_PSK)
3317 {
3318 gnutls_psk_server_credentials_t psk_cred =
3319 (gnutls_psk_server_credentials_t) _gnutls_get_cred (session->key,
3320 cred_type, NULL);
3321
3322 if (psk_cred != NULL)
3323 {
3324 dh_params =
3325 _gnutls_get_dh_params (psk_cred->dh_params, psk_cred->params_func,
3326 session);
3327 }
3328 #endif
3329 }
3330 else
3331 return 0; /* no need for params */
3332
3333
3334 /* If the key exchange method needs RSA or DH params,
3335 * but they are not set then remove it.
3336 */
3337 if (_gnutls_kx_needs_rsa_params (kx) != 0)
3338 {
3339 /* needs rsa params. */
3340 if (_gnutls_rsa_params_to_mpi (rsa_params) == NULL)
3341 {
3342 gnutls_assert ();
3343 return 1;
3344 }
3345 }
3346
3347 if (_gnutls_kx_needs_dh_params (kx) != 0)
3348 {
3349 /* needs DH params. */
3350 if (_gnutls_dh_params_to_mpi (dh_params) == NULL)
3351 {
3352 gnutls_assert ();
3353 return 1;
3354 }
3355 }
3356
3357 return 0;
3358 }
3359
3360 /* This function will remove algorithms that are not supported by
3361 * the requested authentication method. We remove an algorithm if
3362 * we have a certificate with keyUsage bits set.
3363 *
3364 * This does a more high level check than gnutls_supported_ciphersuites(),
3365 * by checking certificates etc.
3366 */
3367 int
3368 _gnutls_remove_unwanted_ciphersuites (gnutls_session_t session,
3369 cipher_suite_st ** cipherSuites,
3370 int numCipherSuites,
3371 gnutls_pk_algorithm_t requested_pk_algo)
3372 {
3373
3374 int ret = 0;
3375 cipher_suite_st *newSuite, cs;
3376 int newSuiteSize = 0, i;
3377 gnutls_certificate_credentials_t cert_cred;
3378 gnutls_kx_algorithm_t kx;
3379 int server = session->security_parameters.entity == GNUTLS_SERVER ? 1 : 0;
3380 gnutls_kx_algorithm_t *alg = NULL;
3381 int alg_size = 0;
3382
3383 /* if we should use a specific certificate,
3384 * we should remove all algorithms that are not supported
3385 * by that certificate and are on the same authentication
3386 * method (CERTIFICATE).
3387 */
3388
3389 cert_cred =
3390 (gnutls_certificate_credentials_t) _gnutls_get_cred (session->key,
3391 GNUTLS_CRD_CERTIFICATE,
3392 NULL);
3393
3394 /* If there are certificate credentials, find an appropriate certificate
3395 * or disable them;
3396 */
3397 if (session->security_parameters.entity == GNUTLS_SERVER
3398 && cert_cred != NULL)
3399 {
3400 ret = _gnutls_server_select_cert (session, requested_pk_algo);
3401 if (ret < 0)
3402 {
3403 gnutls_assert ();
3404 _gnutls_x509_log ("Could not find an appropriate certificate: %s\n",
3405 gnutls_strerror (ret));
3406 cert_cred = NULL;
3407 }
3408 }
3409
3410 /* get all the key exchange algorithms that are
3411 * supported by the X509 certificate parameters.
3412 */
3413 if ((ret =
3414 _gnutls_selected_cert_supported_kx (session, &alg, &alg_size)) < 0)
3415 {
3416 gnutls_assert ();
3417 return ret;
3418 }
3419
3420 newSuite = gnutls_malloc (numCipherSuites * sizeof (cipher_suite_st));
3421 if (newSuite == NULL)
3422 {
3423 gnutls_assert ();
3424 gnutls_free (alg);
3425 return GNUTLS_E_MEMORY_ERROR;
3426 }
3427
3428 /* now removes ciphersuites based on the KX algorithm
3429 */
3430 for (i = 0; i < numCipherSuites; i++)
3431 {
3432 int delete = 0;
3433
3434 /* finds the key exchange algorithm in
3435 * the ciphersuite
3436 */
3437 kx = _gnutls_cipher_suite_get_kx_algo (&(*cipherSuites)[i]);
3438
3439 /* if it is defined but had no credentials
3440 */
3441 if (_gnutls_get_kx_cred (session, kx, NULL) == NULL)
3442 {
3443 delete = 1;
3444 }
3445 else
3446 {
3447 delete = 0;
3448
3449 if (server)
3450 delete = check_server_params (session, kx, alg, alg_size);
3451 }
3452
3453 /* These two SRP kx's are marked to require a CRD_CERTIFICATE,
3454 (see cred_mappings in gnutls_algorithms.c), but it also
3455 requires a SRP credential. Don't use SRP kx unless we have a
3456 SRP credential too. */
3457 if (kx == GNUTLS_KX_SRP_RSA || kx == GNUTLS_KX_SRP_DSS)
3458 {
3459 if (!_gnutls_get_cred (session->key, GNUTLS_CRD_SRP, NULL))
3460 delete = 1;
3461 }
3462
3463 memcpy (&cs.suite, &(*cipherSuites)[i].suite, 2);
3464
3465 if (delete == 0)
3466 {
3467
3468 _gnutls_handshake_log ("HSK[%p]: Keeping ciphersuite: %s\n",
3469 session,
3470 _gnutls_cipher_suite_get_name (&cs));
3471
3472 memcpy (newSuite[newSuiteSize].suite, (*cipherSuites)[i].suite, 2);
3473 newSuiteSize++;
3474 }
3475 else
3476 {
3477 _gnutls_handshake_log ("HSK[%p]: Removing ciphersuite: %s\n",
3478 session,
3479 _gnutls_cipher_suite_get_name (&cs));
3480
3481 }
3482 }
3483
3484 gnutls_free (alg);
3485 gnutls_free (*cipherSuites);
3486 *cipherSuites = newSuite;
3487
3488 ret = newSuiteSize;
3489
3490 return ret;
3491
3492 }
3493
3494 /**
3495 * gnutls_handshake_set_max_packet_length:
3496 * @session: is a #gnutls_session_t structure.
3497 * @max: is the maximum number.
3498 *
3499 * This function will set the maximum size of all handshake messages.
3500 * Handshakes over this size are rejected with
3501 * %GNUTLS_E_HANDSHAKE_TOO_LARGE error code. The default value is
3502 * 48kb which is typically large enough. Set this to 0 if you do not
3503 * want to set an upper limit.
3504 *
3505 * The reason for restricting the handshake message sizes are to
3506 * limit Denial of Service attacks.
3507 **/
3508 void
3509 gnutls_handshake_set_max_packet_length (gnutls_session_t session, size_t max)
3510 {
3511 session->internals.max_handshake_data_buffer_size = max;
3512 }
3513
3514 void
3515 _gnutls_set_adv_version (gnutls_session_t session, gnutls_protocol_t ver)
3516 {
3517 set_adv_version (session, _gnutls_version_get_major (ver),
3518 _gnutls_version_get_minor (ver));
3519 }
3520
3521 gnutls_protocol_t
3522 _gnutls_get_adv_version (gnutls_session_t session)
3523 {
3524 return _gnutls_version_get (_gnutls_get_adv_version_major (session),
3525 _gnutls_get_adv_version_minor (session));
3526 }
3527
3528 /**
3529 * gnutls_handshake_get_last_in:
3530 * @session: is a #gnutls_session_t structure.
3531 *
3532 * This function is only useful to check where the last performed
3533 * handshake failed. If the previous handshake succeed or was not
3534 * performed at all then no meaningful value will be returned.
3535 *
3536 * Check %gnutls_handshake_description_t in gnutls.h for the
3537 * available handshake descriptions.
3538 *
3539 * Returns: the last handshake message type received, a
3540 * %gnutls_handshake_description_t.
3541 **/
3542 gnutls_handshake_description_t
3543 gnutls_handshake_get_last_in (gnutls_session_t session)
3544 {
3545 return session->internals.last_handshake_in;
3546 }
3547
3548 /**
3549 * gnutls_handshake_get_last_out:
3550 * @session: is a #gnutls_session_t structure.
3551 *
3552 * This function is only useful to check where the last performed
3553 * handshake failed. If the previous handshake succeed or was not
3554 * performed at all then no meaningful value will be returned.
3555 *
3556 * Check %gnutls_handshake_description_t in gnutls.h for the
3557 * available handshake descriptions.
3558 *
3559 * Returns: the last handshake message type sent, a
3560 * %gnutls_handshake_description_t.
3561 **/
3562 gnutls_handshake_description_t
3563 gnutls_handshake_get_last_out (gnutls_session_t session)
3564 {
3565 return session->internals.last_handshake_out;
3566 }
Implementation of the SSL/TLS protocol