2 * Copyright (C) 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008,
3 * 2009, 2010 Free Software Foundation, Inc.
5 * Author: Nikos Mavrogiannopoulos
7 * This file is part of GNUTLS.
9 * The GNUTLS library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public License
11 * as published by the Free Software Foundation; either version 2.1 of
12 * the License, or (at your option) any later version.
14 * This library is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301,
46 #include <sys/types.h>
49 #include <sys/socket.h>
52 /* some systems had problems with long long int, thus,
60 #include <gnutls/gnutls.h>
63 * They are not needed any more. You can simply enable
64 * the gnutls_log callback to get error descriptions.
69 #define HANDSHAKE_DEBUG // Prints some information on handshake
70 #define COMPRESSION_DEBUG
74 /* The size of a handshake message should not
75 * be larger than this value.
77 #define MAX_HANDSHAKE_PACKET_SIZE 48*1024
79 #define TLS_MAX_SESSION_ID_SIZE 32
81 /* The maximum digest size of hash algorithms.
83 #define MAX_HASH_SIZE 64
84 #define MAX_CIPHER_BLOCK_SIZE 16
85 #define MAX_CIPHER_KEY_SIZE 32
87 #define MAX_SRP_USERNAME 128
88 #define MAX_SERVER_NAME_SIZE 128
89 #define MAX_SESSION_TICKET_SIZE 65535
91 #define SESSION_TICKET_KEY_NAME_SIZE 16
92 #define SESSION_TICKET_KEY_SIZE 16
93 #define SESSION_TICKET_IV_SIZE 16
94 #define SESSION_TICKET_MAC_SECRET_SIZE 32
96 /* we can receive up to MAX_EXT_TYPES extensions.
98 #define MAX_EXT_TYPES 64
100 /* The initial size of the receive
101 * buffer size. This will grow if larger
102 * packets are received.
104 #define INITIAL_RECV_BUFFER_SIZE 256
106 /* the default for TCP */
107 #define DEFAULT_LOWAT 1
109 /* expire time for resuming sessions */
110 #define DEFAULT_EXPIRE_TIME 3600
112 /* the maximum size of encrypted packets */
113 #define DEFAULT_MAX_RECORD_SIZE 16384
114 #define RECORD_HEADER_SIZE 5
115 #define MAX_RECORD_SEND_SIZE (size_t)session->security_parameters.max_record_send_size
116 #define MAX_RECORD_RECV_SIZE (size_t)session->security_parameters.max_record_recv_size
117 #define MAX_PAD_SIZE 255
118 #define EXTRA_COMP_SIZE 2048
119 #define MAX_RECORD_OVERHEAD MAX_PAD_SIZE+EXTRA_COMP_SIZE
120 #define MAX_RECV_SIZE MAX_RECORD_OVERHEAD+MAX_RECORD_RECV_SIZE+RECORD_HEADER_SIZE
122 #define HANDSHAKE_HEADER_SIZE 4
124 /* defaults for verification functions
126 #define DEFAULT_VERIFY_DEPTH 32
127 #define DEFAULT_VERIFY_BITS 16*1024
129 #include <gnutls_mem.h>
131 #define MEMSUB(x,y) ((ssize_t)((ptrdiff_t)x-(ptrdiff_t)y))
133 #define DECR_LEN(len, x) do { len-=x; if (len<0) {gnutls_assert(); return GNUTLS_E_UNEXPECTED_PACKET_LENGTH;} } while (0)
134 #define DECR_LENGTH_RET(len, x, RET) do { len-=x; if (len<0) {gnutls_assert(); return RET;} } while (0)
135 #define DECR_LENGTH_COM(len, x, COM) do { len-=x; if (len<0) {gnutls_assert(); COM;} } while (0)
137 #define HASH2MAC(x) ((gnutls_mac_algorithm_t)x)
139 #define GNUTLS_POINTER_TO_INT(_) ((int) GNUTLS_POINTER_TO_INT_CAST (_))
140 #define GNUTLS_INT_TO_POINTER(_) ((void*) GNUTLS_POINTER_TO_INT_CAST (_))
142 typedef unsigned char opaque
;
148 #include <gnutls_mpi.h>
150 typedef enum change_cipher_spec_t
151 { GNUTLS_TYPE_CHANGE_CIPHER_SPEC
= 1
152 } change_cipher_spec_t
;
154 typedef enum handshake_state_t
155 { STATE0
= 0, STATE1
, STATE2
,
156 STATE3
, STATE4
, STATE5
,
157 STATE6
, STATE7
, STATE8
, STATE9
, STATE20
= 20, STATE21
,
158 STATE30
= 30, STATE31
, STATE40
= 40, STATE41
, STATE50
= 50,
159 STATE60
= 60, STATE61
, STATE62
, STATE70
, STATE71
162 #include <gnutls_str.h>
164 /* This is the maximum number of algorithms (ciphers or macs etc).
165 * keep it synced with GNUTLS_MAX_ALGORITHM_NUM in gnutls.h
169 #define MAX_CIPHERSUITES 256
171 typedef enum extensions_t
172 { GNUTLS_EXTENSION_SERVER_NAME
= 0,
173 GNUTLS_EXTENSION_MAX_RECORD_SIZE
= 1,
174 GNUTLS_EXTENSION_CERT_TYPE
= 9,
176 GNUTLS_EXTENSION_OPAQUE_PRF_INPUT
= ENABLE_OPRFI
,
178 GNUTLS_EXTENSION_SRP
= 12,
179 GNUTLS_EXTENSION_SIGNATURE_ALGORITHMS
= 13,
180 GNUTLS_EXTENSION_SESSION_TICKET
= 35,
181 GNUTLS_EXTENSION_INNER_APPLICATION
= 37703,
182 GNUTLS_EXTENSION_SAFE_RENEGOTIATION
= 65281, /* aka: 0xff01 */
186 { CIPHER_STREAM
, CIPHER_BLOCK
} cipher_type_t
;
188 typedef enum valid_session_t
189 { VALID_TRUE
, VALID_FALSE
} valid_session_t
;
190 typedef enum resumable_session_t
193 } resumable_session_t
;
195 /* Record Protocol */
196 typedef enum content_type_t
198 GNUTLS_CHANGE_CIPHER_SPEC
= 20, GNUTLS_ALERT
,
199 GNUTLS_HANDSHAKE
, GNUTLS_APPLICATION_DATA
,
200 GNUTLS_INNER_APPLICATION
= 24
203 #define GNUTLS_PK_ANY (gnutls_pk_algorithm_t)-1
204 #define GNUTLS_PK_NONE (gnutls_pk_algorithm_t)-2
208 HANDSHAKE_MAC_TYPE_10
= 1,
209 HANDSHAKE_MAC_TYPE_12
210 } handshake_mac_type_t
;
212 /* Store & Retrieve functions defines:
215 typedef struct auth_cred_st
217 gnutls_credentials_type_t algorithm
;
219 /* the type of credentials depends on algorithm
222 struct auth_cred_st
*next
;
245 /* this is used to hold the peers authentication data
247 /* auth_info_t structures SHOULD NOT contain malloced
248 * elements. Check gnutls_session_pack.c, and gnutls_auth.c.
249 * Rememember that this should be calloced!
252 gnutls_credentials_type_t auth_info_type
;
253 int auth_info_size
; /* needed in order to store to db for restoring
257 auth_cred_st
*cred
; /* used to specify keys/certificates etc */
259 int certificate_requested
;
260 /* some ciphersuites use this
261 * to provide client authentication.
262 * 1 if client auth was requested
263 * by the peer, 0 otherwise
264 *** In case of a server this
265 * holds 1 if we should wait
266 * for a client certificate verify
269 typedef struct gnutls_key_st
*gnutls_key_st
;
274 #include <gnutls_hash_int.h>
275 #include <gnutls_cipher_int.h>
276 #include <gnutls_compress.h>
277 #include <gnutls_cert.h>
286 uint8_t hash_algorithm
;
287 uint8_t sign_algorithm
; /* pk algorithm actually */
290 /* This structure holds parameters got from TLS extension
291 * mechanism. (some extensions may hold parameters in auth_info_t
292 * structures also - see SRP).
297 opaque name
[MAX_SERVER_NAME_SIZE
];
298 unsigned name_length
;
299 gnutls_server_name_type_t type
;
302 #define MAX_SERVER_NAME_EXTENSIONS 3
303 #define MAX_SIGNATURE_ALGORITHMS 16
305 struct gnutls_session_ticket_key_st
307 opaque key_name
[SESSION_TICKET_KEY_NAME_SIZE
];
308 opaque key
[SESSION_TICKET_KEY_SIZE
];
309 opaque mac_secret
[SESSION_TICKET_MAC_SECRET_SIZE
];
312 #define MAX_VERIFY_DATA_SIZE 36 /* in SSL 3.0, 12 in TLS 1.0 */
314 /* If you want the extension data to be kept across resuming sessions
315 * then modify CPY_EXTENSIONS in gnutls_constate.c
319 server_name_st server_names
[MAX_SERVER_NAME_EXTENSIONS
];
320 /* limit server_name extensions */
321 unsigned server_names_size
;
323 opaque srp_username
[MAX_SRP_USERNAME
+ 1];
325 /* TLS 1.2 signature algorithms */
326 gnutls_sign_algorithm_t sign_algorithms
[MAX_SIGNATURE_ALGORITHMS
];
327 uint16_t sign_algorithms_size
;
330 int gnutls_ia_enable
, gnutls_ia_peer_enable
;
331 int gnutls_ia_allowskip
, gnutls_ia_peer_allowskip
;
333 /* Used by extensions that enable supplemental data. */
334 int do_recv_supplemental
, do_send_supplemental
;
336 opaque
*session_ticket
;
337 uint16_t session_ticket_len
;
339 /*** Those below do not get copied when resuming session
342 /* Opaque PRF input. */
343 opaque
*oprfi_client
;
344 uint16_t oprfi_client_len
;
345 opaque
*oprfi_server
;
346 uint16_t oprfi_server_len
;
348 /* Safe renegotiation. */
349 uint8_t client_verify_data
[MAX_VERIFY_DATA_SIZE
];
350 size_t client_verify_data_len
;
351 uint8_t server_verify_data
[MAX_VERIFY_DATA_SIZE
];
352 size_t server_verify_data_len
;
353 uint8_t ri_extension_data
[MAX_VERIFY_DATA_SIZE
* 2]; /* max signal is 72 bytes in s->c sslv3 */
354 size_t ri_extension_data_len
;
358 /* auth_info_t structures now MAY contain malloced
362 /* This structure and auth_info_t, are stored in the resume database,
363 * and are restored, in case of resume.
364 * Holds all the required parameters to resume the current
368 /* if you add anything in Security_Parameters struct, then
369 * also modify CPY_COMMON in gnutls_constate.c.
372 /* Note that the security parameters structure is set up after the
373 * handshake has finished. The only value you may depend on while
374 * the handshake is in progress is the cipher suite value.
378 gnutls_connection_end_t entity
;
379 gnutls_kx_algorithm_t kx_algorithm
;
380 /* we've got separate write/read bulk/macs because
381 * there is a time in handshake where the peer has
382 * null cipher and we don't
384 gnutls_cipher_algorithm_t read_bulk_cipher_algorithm
;
385 gnutls_mac_algorithm_t read_mac_algorithm
;
386 gnutls_compression_method_t read_compression_algorithm
;
388 gnutls_cipher_algorithm_t write_bulk_cipher_algorithm
;
389 gnutls_mac_algorithm_t write_mac_algorithm
;
390 gnutls_compression_method_t write_compression_algorithm
;
391 handshake_mac_type_t handshake_mac_handle_type
; /* one of HANDSHAKE_TYPE_10 and HANDSHAKE_TYPE_12 */
393 /* this is the ciphersuite we are going to use
394 * moved here from internals in order to be restored
397 cipher_suite_st current_cipher_suite
;
398 opaque master_secret
[GNUTLS_MASTER_SIZE
];
399 opaque client_random
[GNUTLS_RANDOM_SIZE
];
400 opaque server_random
[GNUTLS_RANDOM_SIZE
];
401 opaque session_id
[TLS_MAX_SESSION_ID_SIZE
];
402 uint8_t session_id_size
;
404 tls_ext_st extensions
;
406 /* The send size is the one requested by the programmer.
407 * The recv size is the one negotiated with the peer.
409 uint16_t max_record_send_size
;
410 uint16_t max_record_recv_size
;
411 /* holds the negotiated certificate type */
412 gnutls_certificate_type_t cert_type
;
413 gnutls_protocol_t version
; /* moved here */
415 /* For TLS/IA. XXX: Move to IA credential? */
416 opaque inner_secret
[GNUTLS_MASTER_SIZE
];
417 } security_parameters_st
;
419 /* This structure holds the generated keys
423 gnutls_datum_t server_write_mac_secret
;
424 gnutls_datum_t client_write_mac_secret
;
425 gnutls_datum_t server_write_IV
;
426 gnutls_datum_t client_write_IV
;
427 gnutls_datum_t server_write_key
;
428 gnutls_datum_t client_write_key
;
429 int generated_keys
; /* zero if keys have not
430 * been generated. Non zero
438 cipher_hd_st write_cipher_state
;
439 cipher_hd_st read_cipher_state
;
440 comp_hd_t read_compression_state
;
441 comp_hd_t write_compression_state
;
442 gnutls_datum_t read_mac_secret
;
443 gnutls_datum_t write_mac_secret
;
444 uint64 read_sequence_number
;
445 uint64 write_sequence_number
;
450 unsigned int priority
[MAX_ALGOS
];
451 unsigned int algorithms
;
454 /* For the external api */
455 struct gnutls_priority_st
460 priority_st compression
;
461 priority_st protocol
;
462 priority_st cert_type
;
463 priority_st sign_algo
;
465 /* to disable record padding */
467 int unsafe_renegotiation
:1;
468 int initial_safe_renegotiation
:1;
469 int disable_safe_renegotiation
:1;
470 int ssl3_record_version
;
471 int additional_verify_flags
;
475 /* DH and RSA parameters types.
477 typedef struct gnutls_dh_params_int
479 /* [0] is the prime, [1] is the generator.
486 gnutls_dh_params_t dh_params
;
488 gnutls_rsa_params_t rsa_params
;
490 } internal_params_st
;
496 opaque header
[HANDSHAKE_HEADER_SIZE
];
497 /* this holds the number of bytes in the handshake_header[] */
499 /* this holds the length of the handshake packet */
500 size_t packet_length
;
501 gnutls_handshake_description_t recv_type
;
502 } handshake_header_buffer_st
;
507 gnutls_buffer application_data_buffer
; /* holds data to be delivered to application layer */
508 gnutls_buffer handshake_hash_buffer
; /* used to keep the last received handshake
514 digest_hd_st sha
; /* hash of the handshake messages */
515 digest_hd_st md5
; /* hash of the handshake messages */
519 digest_hd_st sha1
; /* hash of the handshake messages for TLS 1.2+ */
520 digest_hd_st sha256
; /* hash of the handshake messages for TLS 1.2+ */
522 } handshake_mac_handle
;
523 int handshake_mac_handle_init
; /* 1 when the previous union and type were initialized */
525 gnutls_buffer handshake_data_buffer
; /* this is a buffer that holds the current handshake message */
526 gnutls_buffer ia_data_buffer
; /* holds inner application data (TLS/IA) */
527 resumable_session_t resumable
; /* TRUE or FALSE - if we can resume that session */
528 handshake_state_t handshake_state
; /* holds
529 * a number which indicates where
530 * the handshake procedure has been
531 * interrupted. If it is 0 then
532 * no interruption has happened.
535 valid_session_t valid_connection
; /* true or FALSE - if this session is valid */
537 int may_not_read
; /* if it's 0 then we can read/write, otherwise it's forbiden to read/write
540 int read_eof
; /* non-zero if we have received a closure alert. */
542 int last_alert
; /* last alert received */
544 /* The last handshake messages sent or received.
546 int last_handshake_in
;
547 int last_handshake_out
;
549 /* this is the compression method we are going to use */
550 gnutls_compression_method_t compression_method
;
553 struct gnutls_priority_st priorities
;
555 /* resumed session */
556 resumable_session_t resumed
; /* RESUME_TRUE or FALSE - if we are resuming a session */
557 security_parameters_st resumed_security_parameters
;
559 /* sockets internals */
562 /* These buffers are used in the handshake
563 * protocol only. freed using _gnutls_handshake_io_buffer_clear();
565 gnutls_buffer handshake_send_buffer
;
566 size_t handshake_send_buffer_prev_size
;
567 content_type_t handshake_send_buffer_type
;
568 gnutls_handshake_description_t handshake_send_buffer_htype
;
569 content_type_t handshake_recv_buffer_type
;
570 gnutls_handshake_description_t handshake_recv_buffer_htype
;
571 gnutls_buffer handshake_recv_buffer
;
573 /* this buffer holds a record packet -mostly used for
576 gnutls_buffer record_recv_buffer
;
577 gnutls_buffer record_send_buffer
; /* holds cached data
578 * for the gnutls_io_write_buffered()
581 size_t record_send_buffer_prev_size
; /* holds the
582 * data written in the previous runs.
584 size_t record_send_buffer_user_size
; /* holds the
585 * size of the user specified data to
589 /* 0 if no peeked data was kept, 1 otherwise.
591 int have_peeked_data
;
593 int expire_time
; /* after expire_time seconds this session will expire */
594 struct mod_auth_st_int
*auth_struct
; /* used in handshake packets and KX algorithms */
595 int v2_hello
; /* 0 if the client hello is v3+.
596 * non-zero if we got a v2 hello.
598 /* keeps the headers of the handshake packet
600 handshake_header_buffer_st handshake_header_buffer
;
602 /* this is the highest version available
603 * to the peer. (advertized version).
604 * This is obtained by the Handshake Client Hello
605 * message. (some implementations read the Record version)
607 uint8_t adv_version_major
;
608 uint8_t adv_version_minor
;
610 /* if this is non zero a certificate request message
611 * will be sent to the client. - only if the ciphersuite
616 /* bits to use for DHE and DHA
617 * use _gnutls_dh_get_prime_bits() and gnutls_dh_set_prime_bits()
620 uint16_t dh_prime_bits
;
622 size_t max_handshake_data_buffer_size
;
624 /* PUSH & PULL functions.
626 gnutls_pull_func _gnutls_pull_func
;
627 gnutls_push_func _gnutls_push_func
;
628 /* Holds the first argument of PUSH and PULL
631 gnutls_transport_ptr_t transport_recv_ptr
;
632 gnutls_transport_ptr_t transport_send_ptr
;
634 /* STORE & RETRIEVE functions. Only used if other
635 * backend than gdbm is used.
637 gnutls_db_store_func db_store_func
;
638 gnutls_db_retr_func db_retrieve_func
;
639 gnutls_db_remove_func db_remove_func
;
642 /* post client hello callback (server side only)
644 gnutls_handshake_post_client_hello_func user_hello_func
;
646 /* Holds the record size requested by the
649 uint16_t proposed_record_size
;
651 /* holds the selected certificate and key.
652 * use _gnutls_selected_certs_deinit() and _gnutls_selected_certs_set()
655 gnutls_cert
*selected_cert_list
;
656 int selected_cert_list_length
;
657 gnutls_privkey
*selected_key
;
658 int selected_need_free
;
660 /* holds the extensions we sent to the peer
661 * (in case of a client)
663 uint16_t extensions_sent
[MAX_EXT_TYPES
];
664 uint16_t extensions_sent_size
;
666 /* is 0 if we are to send the whole PGP key, or non zero
667 * if the fingerprint is to be sent.
671 /* This holds the default version that our first
672 * record packet will have. */
673 opaque default_record_version
[2];
675 int cbc_protection_hack
;
679 int enable_private
; /* non zero to
680 * enable cipher suites
681 * which have 0xFF status.
684 /* Holds 0 if the last called function was interrupted while
685 * receiving, and non zero otherwise.
689 /* This callback will be used (if set) to receive an
690 * openpgp key. (if the peer sends a fingerprint)
692 gnutls_openpgp_recv_key_func openpgp_recv_key_func
;
694 /* If non zero the server will not advertize the CA's he
695 * trusts (do not send an RDN sequence).
697 int ignore_rdn_sequence
;
699 /* This is used to set an arbitary version in the RSA
700 * PMS secret. Can be used by clients to test whether the
701 * server checks that version. (** only used in gnutls-cli-debug)
703 opaque rsa_pms_version
[2];
708 /* Here we cache the DH or RSA parameters got from the
709 * credentials structure, or from a callback. That is to
710 * minimize external calls.
712 internal_params_st params
;
714 /* This buffer is used by the record recv functions,
715 * as a temporary store buffer.
717 gnutls_datum_t recv_buffer
;
719 /* To avoid using global variables, and especially on Windows where
720 * the application may use a different errno variable than GnuTLS,
721 * it is possible to use gnutls_transport_set_errno to set a
722 * session-specific errno variable in the user-replaceable push/pull
723 * functions. This value is used by the send/recv functions. (The
724 * strange name of this variable is because 'errno' is typically
729 /* Function used to perform public-key signing operation during
730 handshake. Used by gnutls_sig.c:_gnutls_tls_sign(), see also
731 gnutls_sign_callback_set(). */
732 gnutls_sign_func sign_func
;
733 void *sign_func_userdata
;
735 /* Callback to extract TLS Finished message. */
736 gnutls_finished_callback_func finished_func
;
738 /* minimum bits to allow for SRP
739 * use gnutls_srp_set_prime_bits() to adjust it.
741 uint16_t srp_prime_bits
;
743 int session_ticket_enable
, session_ticket_renew
;
745 int safe_renegotiation_received
:1;
746 int initial_negotiation_completed
:1;
747 int connection_using_safe_renegotiation
:1;
750 gnutls_oprfi_callback_func oprfi_cb
;
751 const void *oprfi_userdata
;
754 struct gnutls_session_ticket_key_st
*session_ticket_key
;
755 opaque session_ticket_IV
[SESSION_TICKET_IV_SIZE
];
757 /* If you add anything here, check _gnutls_handshake_internal_state_clear().
761 struct gnutls_session_int
763 security_parameters_st security_parameters
;
764 cipher_specs_st cipher_specs
;
765 conn_stat_st connection_state
;
766 internals_st internals
;
774 void _gnutls_set_current_version (gnutls_session_t session
,
775 gnutls_protocol_t version
);
776 void _gnutls_free_auth_info (gnutls_session_t session
);
778 /* These two macros return the advertized TLS version of
781 #define _gnutls_get_adv_version_major( session) \
782 session->internals.adv_version_major
784 #define _gnutls_get_adv_version_minor( session) \
785 session->internals.adv_version_minor
787 #define set_adv_version( session, major, minor) \
788 session->internals.adv_version_major = major; \
789 session->internals.adv_version_minor = minor
791 void _gnutls_set_adv_version (gnutls_session_t
, gnutls_protocol_t
);
792 gnutls_protocol_t
_gnutls_get_adv_version (gnutls_session_t
);
794 int _gnutls_is_secure_mem_null (const void *);
796 #endif /* GNUTLS_INT_H */